Veritas Advanced Supervision User Guide
Performing a search for audit records
To run a search for audit records
- In the left navigation pane, click Audit viewer.
The Audit Viewer screen is displayed.
- In the Date range section, specify the date range that the audit records must fall in.
The options are as follows:
Specific date range - Specify the date and time duration to search audit records that were sent or received during the selected period.
Today / Yesterday / Last 7 days / Last 14 days / Last 28 days - Search audit records that were created today, yesterday, or in the last 7, 14, or 28 days.
Do not filter - Do not search for audit records based on date range.
- To search by departments, select the appropriate option:
All departments - Search for audit records generated at the department level for all departments where the logged-in user has permission to view audit information.
Select department(s) - Search for audit records for specific departments or exception departments. If you select this option, the Selected departments section appears. Only those departments where the logged-in user has permission to view audit information are displayed. Click Add to search and add departments. You can remove the listed departments from the list using the Remove link.
Do not include departments - Select this option if you do not want to search for audit information generated at the department level. If this option is selected, you must select either the Include application level records or the Include historical data option.
- Select the Include application level records check box if you want to search for audit records generated at the application level.
- Select the Include historical data check box if you want to include audit information at the following level:
Monitored employees whose exception status is removed
You can select the Include application level records and Include historical records if you have the View Audit information permission at the application level.
- Use Advanced search options to narrow the search for audit records. Additional options such as operation type, user, and property are available. You can add a new search row by clicking the + icon.
Select operations such as Create, Update, and Delete.
Select audit records based on users. You can enter one user per line. Press the Enter key to add another user on the next line. Audit records that have any of these usernames are returned.
The Username field supports wildcards * and ?. You can use an asterisk (*) wildcard to represent zero or more characters in your search. Use a question mark (?) wildcard to represent any single character.
Wildcards can be escaped using \. Therefore, \* represents the character * whereas * represents the wildcard. Each provided value matches if it is present anywhere in the data. You cannot use special characters in the Username field. Also, a wildcard cannot match special characters that appear in the middle of the text.
For example, a search term MyDomain*vsa will not match the data MyDomain\user1, but will match the below search terms:
Search for a property changed in an audit event using the following options. Press the Enter key to add another entry on the next line.
Property name: The name of the changed property whose value you want to search. For example, Department parent or Role name. You can use a wildcard to match multiple properties.
Previous value: The previous value (before modification) of an audit record's changed property. This field supports wildcards and partial matches.
Current value: The current value of an audit record's changed property. This field supports wildcards and partial matches.
You can search for multiple changed properties in a single search; however, you cannot search for the same changed property twice.
Each provided value matches if it is present anywhere in the data. You can use special characters in your search. These fields support the wildcard characters * and ?. Use an asterisk (*) wildcard to represent zero or more characters in your search. Use a question mark (?) wildcard to represent any single character. Wildcards can be escaped using \. Therefore, \* represents the character * and not the wildcard *. Because \ is the escape character, you can escape a literal \ by using \\.
For example, suppose a username in the Current value or Previous value field of the property is Acme\John Doe. To search for this, you can provide any of the following search terms:
Note that wildcards present in the middle of search terms can match special characters. For example, in the above example, the search term Acme*John Doe matches Acme\John.
- Click Search to perform the search for audit records.
When the search is executed, the search results are displayed. A maximum of 10000 audit records can be displayed.
In the left panel, the audit records matching the search criteria are displayed. The newest audit records are displayed first. You can sort the records in ascending or descending order by using the sort arrow icon in the header of the columns. When you select an audit record in the left panel, its changed properties are displayed in the right pane.
- From the Actions menu, click Export as CSV if you want to export the search results.
An advanced search always ANDs the criteria specified for each of the, , and fields, whereas multiple values in the same field are always ORed. Multiple fields are always ANDed.
For example, the advanced search options are used as displayed in the following diagram:
Here, the search can be interpreted as follows:
ModuleName is Role OR RoleAssignment AND OperationType is Create OR Update AND User contains SOFIA\VSA AND Changed property - PropertyName contains "Role", the Previous value contains dep*, the Current value can be anything.
These search criteria return all audit records that have a Module name of either Role or RoleAssignment, an Operation type of Create or Update, a change made by user SOFIA\VSA, and a changed property Role whose previous value contains dep.
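
The matching rules described above (wildcards, \ escapes, match-anywhere, OR within a field, AND across fields), modelled as an added Python example that is not Veritas code. The record layout, the field names, the definition of "special character" as anything other than a letter or digit, and case-insensitive matching are assumptions.

```python
import re

ALNUM = "[A-Za-z0-9]"  # assumption: anything else is a "special character"
EXACT = ("module", "operation")  # fields chosen from a list, compared exactly

def term_to_regex(term, wildcards_match_special=True):
    """Translate a search term with * ? and backslash escapes into a regex."""
    one = "." if wildcards_match_special else ALNUM
    out, i = [], 0
    while i < len(term):
        ch = term[i]
        if ch == "\\" and i + 1 < len(term):  # \* \? \\ mean the literal character
            out.append(re.escape(term[i + 1]))
            i += 2
            continue
        out.append(one + "*" if ch == "*" else one if ch == "?" else re.escape(ch))
        i += 1
    # Case-insensitive matching is an assumption; the guide does not say.
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)

def matches(term, data, wildcards_match_special=True):
    # search(), not fullmatch(): a term matches if it occurs anywhere in the data
    return term_to_regex(term, wildcards_match_special).search(data) is not None

def record_matches(rec, criteria):
    """AND across fields, OR across the values given for one field."""
    for field, wanted in criteria.items():
        if field in EXACT:
            ok = rec[field] in wanted
        else:  # Username wildcards do not match special characters
            ok = any(matches(t, rec[field], field != "user") for t in wanted)
        if not ok:
            return False
    return True

def search(records, criteria):
    return [i for i, rec in enumerate(records) if record_matches(rec, criteria)]

# Constructed sample records, one changed property per record for brevity.
RECORDS = [
    {"module": "Role", "operation": "Update", "user": "SOFIA\\VSA",
     "property": "Role name", "previous": "Department reviewer", "current": "Auditor"},
    {"module": "Role", "operation": "Delete", "user": "SOFIA\\VSA",
     "property": "Role name", "previous": "Department reviewer", "current": ""},
    {"module": "Department", "operation": "Update", "user": "SOFIA\\VSA",
     "property": "Department parent", "previous": "Legal", "current": "Finance"},
]
CRITERIA = {"module": {"Role", "RoleAssignment"}, "operation": {"Create", "Update"},
            "user": ["vsa", "jdoe"], "property": ["Role"], "previous": ["dep*"]}
```

Only the first record satisfies every field; the second fails on operation type and the third on module name, even though the user matches in all three.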