Predefined queries for audit sessions

Audit Analyzer includes many predefined queries that you can use to find the sessions you are interested in. To access the predefined queries, expand Audit Sessions. You can then select a predefined query to display a list of the audited sessions that meet the conditions of that query. For example, to search for sessions by user, select the All, Grouped by User query, then select the specific user from the list in the right pane to see all the sessions captured for that user.

After you select the user, Audit Analyzer displays detailed information about each of that user’s sessions. For each session, Audit Analyzer lists the name of the user who started the session, the user display name, the account name used during the session, the name of the audited computer, the audit store where the session is stored, the start and end time for the session, the current state, whether the audited session is a console or terminal client session, the review status of the session, any comments that have been added to the session, and the session size.

Note that only completed sessions display the session size in Audit Analyzer.

Depending on the permissions associated with your audit role, you can right-click any session to view an indexed list of the activity captured, export the session activity to a comma-separated values file, update the review status for the session, or delete the session. If you have video capture auditing enabled for the installation, you can also select a session, right-click, then select Replay to review the session in the session player.

To view a description and definition for any predefined query, select the query, right-click, then select Properties. You can also export the query definition or the results from a query and perform other tasks on predefined queries. To perform any of these additional tasks, select the predefined query, right-click, then select the action you want to take.