
Security Analytics Engine 1.2 - Help Desk User Guide

Filtering the audit events

The following procedure explains how to filter the events displayed in the Audit Events table. By default, the audit events for the current date are displayed.

To filter audit events

NOTE: Refreshing the screen removes filtering and returns the Auditing page to its default settings.
  1. From the left pane, click Reports to open the Reports page.
  2. From the Reports page, click Auditing to open the Auditing page.
  3. In the From field, click anywhere in the field to display a calendar and select the start date. You can also manually edit the date in the field (mm/dd/yyyy).
  4. In the To field, click anywhere in the field to display a calendar and select the end date. You can also manually edit the date in the field (mm/dd/yyyy).
  5. In the Application(s) field, select whether to display auditing information for all applications or for a specific application.
  6. In the Max Records field, set the maximum number of records (1 to 10000) to return for the search. By default, this is 1000 records.
  7. Click the Search button to update the Audit Events table.
  8. To further filter the list of events, use the buttons to the right of each column heading. For more information, see To filter data.

Displaying details for an individual audit event

The following procedure explains how to view a detailed explanation of the conditions that were evaluated during an audit event.

NOTE: In some cases, if the user fails to enter valid credentials, the authentication event message notes that it was a failed authentication, and there are no event details and no associated risk score event for the access attempt.

To display details for an individual audit event

  1. From the left pane, click Reports to open the Reports page.
  2. From the Reports page, click Auditing to open the Auditing page. By default, the audit events for the current day are displayed.

    The following types of audit events appear:

    • Risk score events - This type of event displays the risk score information for the audit event. This event precedes its associated authentication event. See Step 3 for information on displaying details for this type of event.
    • Authentication events - This type of event displays whether authentication was successful. This event will appear after its associated risk score event, except in cases where there was no risk score event generated since a user failed to use valid credentials. See Step 7 for information on displaying details for this type of event.
  3. Click a risk score event to open a panel displaying the details about the event (see Filtering the audit events for information on locating a specific event and/or an event from a previous date). By default, this panel displays the conditions and any associated modifiers which were triggered during the access attempt. The score listed to the right of the condition name is the score assigned to the triggered condition with any triggered modifiers also taken into account. Use the expand properties button (right arrow) to the left of a condition name to view the modifiers that were triggered. Each modifier is marked with an icon depicting its effect on the condition score (increased, decreased, or no effect).

    Switching the Conditions filter to Show All will display all conditions and modifiers that were monitored during the access attempt regardless of whether they returned true or false.

  4. Clicking a condition or modifier from the list populates the right-hand side of the panel with a brief explanation of why the condition score occurred. Hovering over the icon displays information regarding the condition parameters.
  5. From this right-hand section, select any of the items to display additional information regarding why the score occurred.
  6. To close the panel, reselect the highlighted risk score event.
  7. Click an authentication event to open a panel displaying information regarding the authentication (see Filtering the audit events for information on locating a specific event and/or an event from a previous date).
  8. Click the Show Policy Evaluation button to view the risk policy information. This displays information about the risk score associated with the authentication event.
  9. To close the panel, reselect the highlighted authentication event.

Downloading audit events information

The following procedure explains how to download a summary of the audit events information.

To download audit events information

  1. (Optional) Use the From, To, and Application(s) filtering options to download audit events from a particular time period. No other filtering options are available.
  2. Once the audit events table is displaying the desired events, in the bottom left of the Auditing page click the button.
  3. Click the link of your desired file type (Csv, Excel, Word or Pdf) to download the audit events report. Follow any further instructions that may appear as a result of your selection and environment.
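
The pairing rule described above (a risk score event precedes its authentication event, except when invalid credentials produce no risk score event) can be checked offline against a downloaded Csv report. The following is an added example, not part of the product or its documentation: the column names, the EventType values, the time-of-day format, and matching events by user and application are all assumptions to adjust to the actual export.

```python
import csv
import io
from datetime import datetime

# Constructed sample export. Column names and values are assumptions,
# not the product's documented Csv layout.
SAMPLE_CSV = """Timestamp,User,Application,EventType,Message
03/14/2024 09:01:12,alice,VPN,RiskScore,Risk score 20
03/14/2024 09:01:13,alice,VPN,Authentication,Authentication succeeded
03/14/2024 09:05:40,bob,VPN,Authentication,Failed authentication
03/14/2024 09:07:02,bob,VPN,RiskScore,Risk score 75
03/14/2024 09:07:03,bob,VPN,Authentication,Authentication succeeded
03/14/2024 09:09:55,bob,Webmail,Authentication,Failed authentication
"""

def load_events(text):
    """Parse the export and return the rows in chronological order."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["Timestamp"] = datetime.strptime(row["Timestamp"], "%m/%d/%Y %H:%M:%S")
    rows.sort(key=lambda row: row["Timestamp"])
    return rows

def unscored_authentications(events):
    """Return authentication events that have no preceding risk score event
    for the same user and application (assumed association rule)."""
    pending = {}   # (user, application) -> risk score event awaiting its authentication
    unscored = []
    for ev in events:
        key = (ev["User"], ev["Application"])
        if ev["EventType"] == "RiskScore":
            pending[key] = ev
        elif ev["EventType"] == "Authentication":
            # Each risk score event is consumed by one authentication event.
            if pending.pop(key, None) is None:
                unscored.append(ev)
    return unscored

def summarize(events):
    """Count unscored authentication events per user."""
    counts = {}
    for ev in unscored_authentications(events):
        counts[ev["User"]] = counts.get(ev["User"], 0) + 1
    return counts

if __name__ == "__main__":
    for user, n in sorted(summarize(load_events(SAMPLE_CSV)).items()):
        print(f"{user}: {n} authentication event(s) without a risk score event")
```

A user with many such events in a short period is a candidate for review before any override is considered.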

Adding and managing overrides on the Auditing page

From the Auditing page, you can create overrides for users who are receiving high risk scores. For example, a user on a business trip might trigger conditions because of the change in location and time of access, and as a result their risk score would increase. If their risk score is too high or they are unable to provide secondary authentication, an override can be created for the user, which means the Security Analytics Engine returns a risk score of zero for that user. To avoid allowing a malicious user access to applications, only create an override when you are positive the user is legitimate.

NOTE: After being created, policy overrides can also be managed on the Policy Overrides page. See Policy Overrides page for more information.

NOTE: In cases where overrides have been disabled for a risk policy, the risk score will always be reported regardless of whether there is an override in place for the user.

See the following sections for more information:
