Enterprise Vault Discovery Accelerator User Guide

Product(s): Enterprise Vault (14.4)

Performing a search for audit records

To run a search for audit records

  1. In the left navigation pane, click Audit viewer. The Audit Viewer screen is displayed.
  2. In the Date range section, specify the date range that the audit records must fall in. The options are as follows:
    • Specific date range - Specify the date and time range to search for audit records that were sent or received during the selected period.

    • Today / Yesterday / Last 7 days / Last 14 days / Last 28 days - Search for audit records that were created today, yesterday, or in the last 7, 14, or 28 days.

    • Do not filter - Do not search for audit records based on date range.

  3. To search by cases, select the appropriate option:
    • All cases - Search for audit records generated at the case level for all cases where the logged-in user has permission to view audit information.

    • Select case(s) - Search for audit records for specific cases or folders. If you select this option, the Selected cases section appears. Only those cases where the logged-in user has permission to view audit information are displayed. Click Add to search and add cases. You can remove the listed cases from the list using the Remove link.

    • Do not include cases - Select this option if you do not want to search for audit information generated at the case level. If this option is selected, you must select either the Include application level records or the Include historical data option.

  4. Select the Include application level records check box if you want to search for audit records generated at the application level.
  5. Select the Include historical data check box if you want to include audit information at the following levels:
    • Deleted case or folder

    • Closed case

    Note:

    You can select the Include application level records and Include historical records if you have the View Audit information permission at the application level.

  6. Use Advanced search options to narrow the search for audit records. Additional options, such as operation type, user, and property, are available as described below. You can add a new search row by clicking the + icon.

    Search option

    Description

    Module name

    Select the modules for which you want to search the audit records.

    For details on the available modules and their supported operations for audit records, see Audit Settings Overview.

    Note:

    You can search for multiple modules in a single search; however, you cannot search for the module name twice.

    Operation type

    Select operations such as Create, Update, and Delete.

    User

    Select audit records based on users. You can enter one user per line. Press the Enter key to add another user on the next line. Audit records that have any of these usernames are returned.

    The Username field supports wildcards * and ?. You can use an asterisk (*) wildcard to represent zero or more characters in your search. Use a question mark (?) wildcard to represent any single character.

    Wildcards can be escaped using \. Therefore, \* represents the character * whereas * represents the wildcard. A provided value matches if it is present anywhere in the data. You cannot use special characters in the Username field. Also, a wildcard cannot match special characters that appear in the middle of the text.

    For example, the search term MyDomain*vsa does not match the data MyDomain\user1, but the following search terms do match it:

    • Mydomain\user1

    • Mydomain user1

    • Mydomain

    • user

    Changed Property

    Search for a property changed in an audit event using the following options. Press the Enter key to add another entry on the next line.

    • Property name: The name of the changed property whose value you want to search. For example, Case name or Role name. You can use a wildcard to match multiple properties.

    • Previous value: The previous value (before modification) of an audit record's changed property. This field supports wildcards and partial matches.

    • Current value: The current value of an audit record's changed property. This field supports wildcards and partial matches.

    Note:

    You can search for multiple changed properties in a single search; however, you cannot search for the same changed property twice.

    A provided value matches if it is present anywhere in the data. You can use special characters in your search. These fields support the wildcard characters * and ?. You can use an asterisk (*) wildcard to represent zero or more characters in your search. Use a question mark (?) wildcard to represent any single character. Wildcards can be escaped using \. Therefore, \* represents the character * and not the wildcard *. Since \ is the escape character, you can escape \ by using \\.

    For example, if a username in the Current value or Previous value field of the property is Acme\John Doe, you can search for it with any of the following search terms:

    • Acme*

    • Acme\\John Doe

    • Acme*John Doe

    • *John

    Note that wildcards in the middle of search terms can match special characters. For example, in the example above, the search term Acme*John Doe matches Acme\John.

  7. Click Search to perform the search for audit records.

    When the search is executed, the search results are displayed. A maximum of 10,000 audit records can be displayed.

    In the left panel, the audit records matching the search criteria are displayed. The newest audit records are displayed first. You can sort the records in ascending or descending order by using the sort arrow icon in the header of the columns. When you select an audit record in the left panel, its changed properties are displayed in the right pane.

  8. From the Actions menu, click Export as CSV if you want to export the search results.

An Advanced search always ANDs the criteria specified for each of the Operation type, User, and Changed property fields, whereas multiple values in the same field are always ORed. Multiple Changed property fields are always ANDed.
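
The wildcard rules for the Changed property value fields and the AND/OR combination described above, modelled in Python for re-checking exported audit records offline. This is an added example, not code from the product or this guide. The record field names, the case-sensitive comparison, and the rejection of a trailing backslash are assumptions.

```python
import re

def term_to_regex(term):
    """Translate one search term (* ? and \\ escapes) into a compiled regex."""
    parts, i = [], 0
    while i < len(term):
        ch = term[i]
        if ch == "\\":
            # \ escapes the next character: \* is a literal *, \\ is a literal \
            if i + 1 == len(term):
                # Assumption: a dangling backslash is rejected (the guide is silent).
                raise ValueError("search term ends with an unescaped backslash")
            parts.append(re.escape(term[i + 1]))
            i += 2
            continue
        if ch == "*":
            parts.append(".*")   # zero or more characters, special characters included
        elif ch == "?":
            parts.append(".")    # exactly one character
        else:
            parts.append(re.escape(ch))
        i += 1
    # Assumption: case-sensitive comparison.
    return re.compile("".join(parts), re.DOTALL)

def field_matches(terms, value):
    """Values in the same field are ORed; a term may match anywhere in the data."""
    return any(term_to_regex(t).search(value) for t in terms)

def filter_records(records, criteria):
    """criteria maps field name -> list of terms; different fields are ANDed."""
    return [r for r in records
            if all(field_matches(terms, r.get(field, ""))
                   for field, terms in criteria.items())]

# Constructed sample records; the field names are hypothetical, not an export schema.
SAMPLE_RECORDS = [
    {"operation": "Update", "current_value": "Acme\\John Doe"},
    {"operation": "Delete", "current_value": "Acme*Admins"},
    {"operation": "Update", "current_value": "Contoso\\Jane Roe"},
]

if __name__ == "__main__":
    hits = filter_records(SAMPLE_RECORDS,
                          {"operation": ["Update"], "current_value": [r"Acme\*", "*Roe"]})
    print(hits)
```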