Audit Search
Use the Audit Search tab to generate searches for audit records for specific time periods and for specific actions, sources, and targets. These searches can find and track events. The information included in the audit logs is different than application activity because the events in the audit log are not associated with an application or data source and may not be associated with a specific identity.
Before the audit logs collect any data to use in an audit search, IdentityIQ must be configured for auditing. Because collecting and storing event information in the audit logs can impact performance, a system administrator must specify the general actions and class actions to audit.
Search results can be saved as reports to reuse at a later time. When you save a search as a report, you can schedule the search on an ongoing basis for monitoring and tracking purposes. See Report Use.
Use Advanced Search to create detailed, multi-layered filters to identify specific populations of users in your enterprise. To create complex queries into your Identity Cubes, you can create multiple filters and then group and layer them using And / Or operations.
See Using Advanced Search Options.
When a previous search is saved to use later, the Saved Searches section displays at the top of the page. A saved search has the following information:
Field | Description |
Saved Searches: | |
Search Name | The names of past searches that you saved to reuse at a later time. To view the search results page, click the name of the saved search. These Saved Searches are only available for your use. To make identity searches available to users with Report access, save the search as a report. |
Loaded Saved Search: | |
The name and description of your current saved query. |
Audit Search Criteria
The search fields are inclusive or "AND" type searches. Only actions matching values specified in all fields are included in the search results.
To limit the search results, use search criteria. If you do not type information or make a selection in a search criteria field, all possible choices are included. For example, if you do not provide a type in the Type field, events with any action type are included.
Specify the search criteria and columns to display and click Run Search to display the search results. From the search results page, you can review the results of your search and save the search. See Search Results.
The Audit Search tab has the following information:
Criteria | Description |
Saved Searches: | |
Search Name | The names of past searches that you saved to reuse at a later time. These Saved Searches are only available for your use. To make searches available to users with Report access, save the search as a report. |
Loaded Saved Search: | |
The name and description of your current saved query. | |
Run Search | Run the search with the criteria displayed on the current page. If you have modified the criteria of the Loaded Saved Search, the modified criteria are used for the search. |
Clear Search | Unload the Loaded Saved Search and clear all query options. |
Delete Search | Delete the specified Loaded Saved Query. |
Audit Attributes: | |
Action | The action that was performed, for example, login, delete or signoff. |
Source | The string that identifies the source of the event. The source is generally the name of an Identity object. The source can also be a less specific name, such as "scheduler" or "system." When the event occurs during an interactive session with the IdentityIQ Web application, identity names are used. When background tasks or anonymous requests are not run for a specific identity, abstract names are used. |
Application | Type manually or use the dropdown list to select an audited application. |
Instance | Type manually or use the dropdown list to select an instance of a specified audited application. |
Attribute Name | Type manually or use the dropdown list to select an audited attribute name. |
Attribute Value | Type manually or use the dropdown list to select a value of a specific audited attribute. |
Target | The object that was acted upon. For example, a machine name for a login or a file name for a create action. |
Account Name | Type manually or use the dropdown list to select an audited account name. |
Filter by Date: | |
Start Date | Include information on events that occurred on or after this date in the search results. You can type the date manually or click the [...] icon to select a date from the calendar. |
End Date | Include information on events that occurred on or before this date in the search results. You can type the date manually or click the [...] icon to select a date from the calendar. |
Fields to Display | Specify the information displayed on the Audit Search Results page associated with this search. Each field defines a column on the results table. You must select at least one field to display on the results page. |
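The following added example (not IdentityIQ code) models the search semantics described above over exported audit events: criteria are ANDed, blank criteria match everything, both date bounds are inclusive, and at least one display field is required. The record layout, the function name `audit_search`, and exact-match comparison are assumptions made for illustration; the sample events are constructed.

```python
from datetime import date

# Criteria fields named in the Audit Attributes table (snake_case is an assumption).
CRITERIA_FIELDS = ("action", "source", "application", "instance",
                   "attribute_name", "attribute_value", "target", "account_name")

# Constructed sample audit events, not real IdentityIQ output.
EVENTS = [
    {"date": date(2024, 3, 1), "action": "login", "source": "jsmith", "target": "host-01"},
    {"date": date(2024, 3, 2), "action": "delete", "source": "jsmith", "target": "report.csv"},
    {"date": date(2024, 3, 2), "action": "login", "source": "scheduler", "target": "host-02"},
    {"date": date(2024, 3, 5), "action": "login", "source": "jsmith", "target": "host-01"},
]


def audit_search(events, criteria=None, start=None, end=None,
                 display=("date", "action", "source", "target")):
    """Return one row per matching event, limited to the display columns."""
    if not display:
        raise ValueError("select at least one field to display")
    # A blank or missing criterion places no restriction on that field.
    active = {k: v for k, v in (criteria or {}).items() if v not in (None, "")}
    unknown = set(active) - set(CRITERIA_FIELDS)
    if unknown:
        raise ValueError(f"unknown criteria: {sorted(unknown)}")
    rows = []
    for ev in events:
        # Start Date: on or after. End Date: on or before.
        if start is not None and ev["date"] < start:
            continue
        if end is not None and ev["date"] > end:
            continue
        # "AND" semantics: every active criterion must match (exact match assumed).
        if all(ev.get(field) == value for field, value in active.items()):
            rows.append({col: ev.get(col) for col in display})
    return rows


if __name__ == "__main__":
    hits = audit_search(EVENTS, {"action": "login", "source": "jsmith"},
                        start=date(2024, 3, 2), end=date(2024, 3, 5))
    for row in hits:
        print(row)
```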