The best advice is to filter with audit filters, if you are not interested in SSO application events for example, it should not be audited. You can only learn about password changes in applications, etc.
What may be of value to you is the password changes, the successful and failed primary authentication, but the SSO in the applications is not very important and it represents the vast majority of audits that are not filtered.
Audit filters must be positioned on user profiles, AP profile, and applications. It is not necessary to audit what, in any case, what you will not treat as information, so those successful SSO can be ignored, except perhaps for sensitive applications, in this case it is necessary to put a filter a little different for these applications.
Information on Audit Events and Filters
When an audit event is generated:
- The event is generated on a given access point.
- The event logs an operation made by a user.
- In some cases, it relates to an application (this applies to SSO-related events).
- In some cases, it logs an operation made by an administrator.
Before the event is submitted to WGSS (for further storage), the following filters are applied:
- The audit filter associated with the user's security profile.
- The audit filter associated with the user's access point security profile.
- In case of an SSO-related event, the audit filter associated with the application for which the SSO operation is performed.
- In case of an administration-related event, the audit filter associated with the user's administration profile
When no audit filter is defined, it means "always audit the event".
As a consequence, once you defined an audit filter with the list of events you want to be audited, make sure the audit filter is associated with the user's security profile, AND with the access point security profile, AND with the application (for SSO-related events), AND with the user's administration profile (for administration-related events).
For authentication-related events, if either the user's security profile or the access point security profile is not associated with an audit filter, then the audit event will be submitted to WGSS. If both the user's security profile AND the access point security profile are associated with the same audit filter, then the audit event will only be submitted to WGSS if it matches the contents of that audit filter.