Audit Events table
The following information is displayed for each event in the Audit Events table. By default, the audit events for the current date are displayed.
Date/Time
This column displays the date and time the event was detected.
Application
This column displays the name of the application.
Resource
This column displays the name of the requested resource. It appears blank when an attribute specifying the resource is not returned by the application.
Message
This column displays the message associated with the event and, when applicable, the risk score assigned to the access attempt. If an override is in place for the user, the message notes that the risk score was overridden resulting in a score of 0 for the access attempt.
Policy
This column displays the risk policy that was evaluated.
User Name
This column displays the name of the user who accessed, or attempted to access, an application protected by the Security Analytics Engine.
IP Address
This column displays the IP address of the user who accessed, or attempted to access, an application protected by the Security Analytics Engine.
Event details
On the Auditing page, there are two types of audit events displayed in the table related to each access attempt. The first event generated displays the risk score information for the audit event while the second displays whether authentication was successful. For more information, see To display details for an individual audit event.
|
|
NOTE: In some cases, if the user fails to enter valid credentials the authentication event message notes that it was a failed authentication and there will be no event details nor associated risk score event for the access attempt. |
Risk score events
When selected, a risk score event displays the following information and options:
Conditions filter
The Conditions filter drop-down is used to select the type of information to display concerning the risk score. The following options are available:
- True only - (Default) This option displays the conditions and modifiers evaluated for the application that returned true, and thus impacted the risk score sent to the application.
- Show all - This option displays all conditions and modifiers in the evaluated risk policy.
View Policy
Click this button to open the Policy Viewer dialog which displays the risk policy that was evaluated during the access attempt. Click Close to close the dialog and return to the Auditing page.
Override
If there is no override currently assigned to the user, clicking this button opens the Add Override dialog. If there is an override currently assigned to the user, this option opens the Modify Override dialog. See Adding and managing overrides on the Auditing page for more information.
Score
This displays the risk score, which is the combined value of the triggered conditions and modifiers.
Condition/Modifier list
Based on the condition filter specified, the left pane displays the conditions evaluated in the selected access attempt event.
The score listed to the right of a condition name is the score resulting from both the condition and any triggered modifiers. Use the expand properties button (right arrow) to the left of a condition name to also display any modifiers for that condition marked with an icon depicting their effect on the condition score (
Selecting a condition or modifier from the list populates the right-hand side of the panel with the settings information. From this section, you can select any of the items to display a brief explanation of why the condition score occurred and hovering over the 
Authentication events
When selected, an authentication event displays the following information and button:
Authenticated
This column displays whether authentication was successful.
Authentication Method
This column displays the type of authentication used.
Authorization
This column displays the authorization action taken by an application based on the risk score calculated by the Security Analytics Engine (for example, step up authentication may have been required due to a moderately high risk score).
Summary
This column summarizes why the access attempt failed or succeeded.
Policy
Click the Show Policy Evaluation button in this column to display information about the risk score associated with the authentication event.
|
|
NOTE: The Show Policy Details button is grayed out if incorrect credentials were entered during the access attempt. |
Download options
A summary of the information on the Auditing page (excluding any column filtering values) can be downloaded in order to save or print a list of the audit events appearing in the table.
Hover over the 
- Csv
- Excel
- Word
For more information, see To download audit events information.
Filtering the audit events
The following procedure explains how to filter the events displayed in the Audit Events table. By default, the audit events for the current date are displayed.
|
|
NOTE: Refreshing the screen removes filtering and returns the Auditing page to its default settings. |
- From the left pane, click Reports to open the Reports page.
- From the Reports page, click Auditing to open the Auditing page.
- In the From field, click anywhere in the field to display a calendar and select the start date. You can also manually edit the date in the field (mm/dd/yyyy).
- In the To field, click anywhere in the field to display a calendar and select the end date. You can also manually edit the date in the field (mm/dd/yyyy).
- In the Application(s) field, select to display auditing information for all applications or a specific application.
- In the Max Records field, set the maximum number of records (1 to 10000) to return for the search. By default, this is 1000 records.
- Click the Search button to update the Audit Events table.
- To further filter the list of events, use the
buttons to the right of each column heading. For more information, see To filter data.