Creating queries for audit events

In addition to the predefined queries for audit events, you can create your own queries based on the criteria you define. Audit events are recorded for many activities, including both successful and failed operations. For example, you can search for events that are recorded when users attempt to log on and authentication fails, or when users run commands or use applications with a role that grants elevated privileges. Audit trail events are also recorded for changes to the auditing infrastructure and for changes to Centrify zones.

To specify the search criteria for a new audit event query:

  1. Open Audit Analyzer, select Audit Events, right-click, then select Query Audit Events.
  2. Type the query name and, optionally, a description for the query.
  3. Type a user name if you want to filter the event query by user name.

    You can specify one or more user names in userPrincipalName format (user@domain). Use semi-colons (;) to separate multiple user names. For example, to limit the search for audit events to events recorded for actions taken by the users ben, maya, and fred, you could type the following:

    ben;maya;fred
  4. Type a computer name if you want to filter the event query by computer.

    You can specify multiple computer names separated by semi-colons.

  5. Select the Event time option if you want to filter the query by when the event occurred.

    If you select this option, you can search for events that occurred:

    • before, not before, after, not after, between, or not between specific dates and times.
    • in or not in the last specified number of days, hours, or minutes.
    • during the specified period of time.
  6. Select the Type option to search for events based on the type of activity performed.

    If you select this option, you must click > to view and select the event categories in which you are interested. For details about the type of events recorded in each category, select the category and review the Description displayed for that category.

  7. Select the Result option to search for events based on the result of the activity performed.

    For example, you can use this option in combination with other options to search for only successful or failed operations.

  8. Select the Role option, then a role name and zone if you want to filter the event query by role.

  9. Select the Parameter option if you want to filter the query based on a specific parameter.

    If you select this option, you must click > to view and select the event parameters that are currently available and in which you are interested.

  10. Click OK to save and run the new query.

After you create a new query, you can export the query definition or its results, email it to others, or modify its properties.