Creating New Session Queries

You can create your own queries from existing queries or based on the criteria you define. Depending on the type of information you want to use as search criteria and whether you want to make the queries private or public, there are different types of queries you can define.

To search for audited sessions, you can create:

  • Quick queries
  • Private queries
  • Shared queries

If you create a quick, private, or shared query, a new node is added to the Audit Analyzer console for that type of query under the Audit Sessions node. If you want to search for audit trail events, you can also create queries for audit events, which are added to Audit Analyzer under the Audit Events node.

Creating a new quick query

A quick query is a full-text search of the audit store database for a simple string or keyword. With a quick query, you can start typing the search string and see a list of potential matches from which you can select an item to look for sessions that contain the item. You should use quick queries when you want to find sessions based on a simple text string, such as captured input or output, or based on particular attributes, such as a user name or application, rather than using complex expressions.

To create a new quick query:

  1. Open Audit Analyzer, select Audit Sessions, right-click, then select New Quick Query.

  2. Type a search string into the search field.

    As you type, the Quick Query displays a list of possible matches that start with the text you are typing. For example, if you start typing the string “da” as the search term, the Quick Query list displays captured commands such as dacontrol, dad, and dadebug as potential matches.

    If a text string in the list is what you are looking for, select it. By default, the query will search for sessions that contain all of the text specified. If you want to search for any portion of the text specified, select Find sessions containing ANY instead of ALL of the search terms.

  3. Click Find to display the matching logon sessions in the right pane.

Searching for a specific string

If you want to search for a specific string, you can enclose the command line string with quotation marks. For example, you can type “dacontrol i” to only return sessions that captured dacontrol with the -i option. If you type the same search string without quotation marks and select Find sessions containing ANY instead of ALL of the search terms, the quick query will return sessions that include dacontrol with and without the -i option.
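The matching rules described in the last three sections (prefix suggestions while typing, ALL versus ANY of the search terms, and a double-quoted string matched as one exact phrase) can be modelled in a few lines. The following is an added example, not Audit Analyzer code and not a description of the real audit store's full-text index. It assumes that captured text is tokenized into alphanumeric words, so the “-” in “-i” is dropped; that assumption is what makes the quoted search “dacontrol i” above match a captured “dacontrol -i”. The session data is constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample data (not real audit data): session id -> captured command lines.
SESSIONS: Dict[int, List[str]] = {
    101: ["dacontrol -i", "dad", "ls -la"],
    102: ["dacontrol", "dadebug"],
    103: ["dacontrol -i", "id"],
    104: ["adinfo", "dad"],
    105: ["dacontrol", "ls -i"],   # has both words, but not as one phrase
}

WORD = re.compile(r"[A-Za-z0-9_]+")


def words(text: str) -> List[str]:
    """Normalise captured text to lower-case word tokens.

    Punctuation such as the '-' in '-i' is dropped (assumed full-text
    tokenization; see the lead-in)."""
    return [w.lower() for w in WORD.findall(text)]


def parse_search(search: str) -> List[List[str]]:
    """Split the search box contents into terms.

    Each term is a word sequence: a double-quoted span becomes one multi-word
    phrase, every other token contributes one single-word term."""
    terms: List[List[str]] = []
    for tok in re.findall(r'"[^"]*"|\S+', search):
        if tok.startswith('"') and tok.endswith('"'):
            terms.append(words(tok[1:-1]))
        else:
            terms.extend([w] for w in words(tok))
    return [t for t in terms if t]


def phrase_in(phrase: List[str], text: str) -> bool:
    """True if the phrase's words occur consecutively in the captured text."""
    ws = words(text)
    n = len(phrase)
    return any(ws[i:i + n] == phrase for i in range(len(ws) - n + 1))


def session_has(commands: List[str], term: List[str]) -> bool:
    return any(phrase_in(term, c) for c in commands)


def quick_query(search: str, sessions: Dict[int, List[str]] = SESSIONS,
                match_all: bool = True) -> List[int]:
    """Return the ids of sessions matching the search.

    match_all=True is the default 'ALL of the search terms'; match_all=False is
    'Find sessions containing ANY instead of ALL of the search terms'."""
    terms = parse_search(search)
    if not terms:
        return []
    combine = all if match_all else any
    return sorted(sid for sid, cmds in sessions.items()
                  if combine(session_has(cmds, t) for t in terms))


def suggestions(prefix: str, sessions: Dict[int, List[str]] = SESSIONS) -> List[str]:
    """Command names (first word of each captured line) starting with the typed prefix."""
    names = {words(c)[0] for cmds in sessions.values() for c in cmds if words(c)}
    return sorted(n for n in names if n.startswith(prefix.lower()))


if __name__ == "__main__":
    print(suggestions("da"))                                  # ['dacontrol', 'dad', 'dadebug']
    print(quick_query('"dacontrol i"'))                       # [101, 103]
    print(quick_query("dacontrol i", match_all=True))         # [101, 103, 105]
    print(quick_query("dacontrol i", match_all=False))        # [101, 102, 103, 105]
```

Session 105 is the case worth noticing: it contains both words, so an unquoted ALL search returns it, but the quoted phrase does not, because the two words are not adjacent in any captured line.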

Modifying a quick query

You can edit a quick query by selecting the query in the left pane, right-clicking, then selecting Properties. You can change the name and add a description on the General tab. Click the Definition tab to change the query text.

Creating a new private query

A private query is a set of search criteria that you define for your own use. Private queries are only visible to the auditor who creates them. You create private queries by selecting options in Audit Analyzer dialog boxes. Your selections are translated into complex expressions in the SQL Server query language. You can also save any predefined or shared query as a private query if you want to modify an existing query for private use.

To create a new private query:

  1. Open Audit Analyzer, select Audit Sessions, right-click, then select New Private Query.

  2. Type a name and description for the query.

    After you save the query, this information is available for viewing and editing on the General tab when you display the query’s properties.

  3. Select the type of sessions that you want the query to find.

    You can search for UNIX sessions, Windows sessions, and Linux Desktop sessions. By default, new queries search for all types of sessions.

  4. Select an attribute for grouping query results, if applicable.

    You can select one or more attributes for grouping query results. If you specify more than one attribute, results are displayed as nested groups according to the order in which you specified the attributes. For example, if you select audit store, then user, then date, the query results are grouped by audit store, then by user for each audit store, then by date for each user.

  5. Select an attribute for ordering query results within each group, if applicable.

    You can select ascending or descending sort order for each attribute. For example, you might group query results by user name and set the sort order for user to ascending, but the sort order for time to descending.

  6. Click Add to add search criteria to filter the results of the query.

  7. Select an appropriate attribute from the Attribute list based on the sessions you want to find.

    For example, you can search for sessions based on the period of time in which they were active or based on a specific state. You can also search for sessions based on the activity that took place during the session. For example, you can find sessions where specific UNIX commands or Windows applications were used.

  8. Select the appropriate criteria for the attribute you have selected, then click OK.

    The specific selections you can make depend on the attribute selected. For example, if the attribute is Review Status, you can choose between “Equals” and “Not equals” and the specific review status you want to find, such as “To be Reviewed”. If you select the attribute Comment, you can specify “Contains any of” and type the text string that you want to find any part of.

    When creating queries for user names or computers, you might want to use the “Starts with” option. If you use the default to match “Is (exactly)”, you must include the fully qualified domain name of the user or computer.

  9. Click Add to add another filter to the criteria for the query, or click OK to save the query and find the sessions that match the criteria you have specified.

Adding multiple filters to the query criteria

If you have more than one filter, different criteria attributes, such as Time and State, are separated by an implicit AND operation. Only sessions that match both criteria are returned. If you have repeated criteria attributes, for example, if you have two Time filters (time is not in past 10 days; time is in last month), the attributes are separated by an implicit OR operation. Sessions that match either criterion are returned.
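The AND/OR composition rule above, together with the earlier statement that dialog selections are translated into SQL Server expressions, is worth seeing as a concrete translation step. The following is an added example, not Audit Analyzer's own query builder and not the real audit store schema: it uses an in-memory SQLite table with a constructed `sessions` layout (columns `user_name`, `state`, `start_time`) as a stand-in for SQL Server, and the operator names “In past days” / “Not in past days” are assumed labels for the time filters. Filters on the same attribute are joined with OR inside one parenthesised group, and the groups are joined with AND. Attribute names only reach the SQL text through an allowlist, and every value travels as a bind parameter, which is the way a query builder driven by free-text dialog fields should be written. The page's own example (not in past 10 days; in last month) is an OR that admits nearly every session, so the two Time filters here are chosen so the OR is visible in the results.

```python
import sqlite3
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Constructed sample audit data (hypothetical schema, not the real audit store layout):
# (session_id, user_name, state, start_time as ISO date)
ROWS = [
    ("s1", "alice",       "Terminated",   "2024-03-30"),
    ("s2", "alice",       "Terminated",   "2024-03-15"),
    ("s3", "alice",       "Terminated",   "2024-02-10"),
    ("s4", "bob",         "Terminated",   "2024-03-29"),
    ("s5", "alice",       "Disconnected", "2024-03-29"),
    ("s6", "alice.admin", "Terminated",   "2024-01-05"),
]

# Fixed "today" so the relative time filters are deterministic (constructed).
TODAY = date(2024, 3, 31)

# Allowlist mapping dialog attribute names to columns. An attribute that is not
# listed here never reaches the SQL text; values are always bind parameters.
COLUMNS: Dict[str, str] = {"User": "user_name", "State": "state", "Time": "start_time"}

Filter = Tuple[str, str, object]   # (attribute, operator, value) as chosen in the dialog


def _like_escape(value: str) -> str:
    """Escape LIKE wildcards so a typed '%' or '_' is matched literally."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def render(col: str, op: str, value, today: date) -> Tuple[str, list]:
    """Translate one (operator, value) selection into a SQL fragment plus parameters."""
    if op in ("Equals", "Is (exactly)"):
        return f"{col} = ?", [value]
    if op == "Not equals":
        return f"{col} <> ?", [value]
    if op == "Starts with":
        return f"{col} LIKE ? ESCAPE '\\'", [_like_escape(value) + "%"]
    if op == "In past days":          # assumed label for "time is in past N days"
        return f"{col} >= ?", [(today - timedelta(days=int(value))).isoformat()]
    if op == "Not in past days":      # assumed label for "time is not in past N days"
        return f"{col} < ?", [(today - timedelta(days=int(value))).isoformat()]
    raise ValueError(f"unsupported operator: {op!r}")


def build_where(filters: List[Filter], today: date = TODAY) -> Tuple[str, list]:
    """Repeated attribute -> OR within its group; different attributes -> AND."""
    groups: Dict[str, list] = {}
    for attr, op, value in filters:
        if attr not in COLUMNS:
            raise ValueError(f"unknown attribute: {attr!r}")
        groups.setdefault(attr, []).append((op, value))
    clauses, params = [], []
    for attr, conds in groups.items():
        parts = []
        for op, value in conds:
            sql, p = render(COLUMNS[attr], op, value, today)
            parts.append(sql)
            params.extend(p)
        clauses.append("(" + " OR ".join(parts) + ")")
    return " AND ".join(clauses) or "1=1", params


def run_query(filters: List[Filter], today: date = TODAY) -> List[str]:
    """Execute the composed query against an in-memory table built from ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (session_id TEXT, user_name TEXT, "
                 "state TEXT, start_time TEXT)")
    conn.executemany("INSERT INTO sessions VALUES (?, ?, ?, ?)", ROWS)
    where, params = build_where(filters, today)
    rows = conn.execute(
        f"SELECT session_id FROM sessions WHERE {where} ORDER BY session_id", params
    ).fetchall()
    conn.close()
    return [r[0] for r in rows]


# Two Time filters (OR), then State and User (each ANDed with the rest).
EXAMPLE_FILTERS: List[Filter] = [
    ("Time", "In past days", 7),
    ("Time", "Not in past days", 30),
    ("State", "Equals", "Terminated"),
    ("User", "Starts with", "ali"),
]

if __name__ == "__main__":
    print(build_where(EXAMPLE_FILTERS)[0])
    print(run_query(EXAMPLE_FILTERS))   # ['s1', 's3', 's6']
```

Session s2 is dropped because it is neither in the past 7 days nor older than 30, s4 fails the User group, and s5 fails the State group; s6 shows why “Starts with” is the more forgiving choice for user names, since “Is (exactly)” would have required the full name.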

Editing and removing filters from the query criteria

You can edit and remove any of the filters you specify. For example, if you are not finding the appropriate sessions, you might need to change or remove the criteria you have defined. After you have saved a query, you can right-click the query name, then select Properties to modify the query definition.

Specifying command or application filters in the query criteria

When you specify criteria for commands, applications, or outputs, the entry field displays a list of possible matches from audited sessions based on the text you are typing. For example, if you select “Windows Applications” as the attribute and “Contains any of” and start typing “word” as the text string, the entry field displays a list of possible matches that contain “word” in the application name. You can select a potential match or continue typing to specify the application by its display name or the executable file name. For example, you can specify winword.exe, Microsoft Word, or both.

Creating a New Shared Query

A shared query is a set of search criteria that you define for other auditors to use. Shared queries are visible to the auditors you specify. Only the auditor who creates a query can grant permission to other auditors to use the query. You create shared queries by selecting options in Audit Analyzer dialog boxes in exactly the same way as you create private queries. Your selections are then translated into complex expressions in the SQL Server query language. You can also convert a private or quick query to a shared query.

To create a new shared query:

  1. Open Audit Analyzer, select Audit Sessions, right-click, then select New Shared Query.

  2. Type the query name and select the session type, grouping, ordering, and other criteria for the query.

    If you need more information about specifying information for any field in the new query, press F1 to display context-sensitive help.

  3. Click Add to add another filter to the criteria for the query, or click OK to save the query and find the sessions that match the criteria you have specified.

  4. Expand Shared Queries, select the query name you specified in Step 2, right-click, then select Properties.

  5. Click the Security tab.

  6. Click Add.

  7. Type the user or group name to identify the auditors who should have permission to use this query, then click OK.

    You can add multiple users or groups from the Select Users or Groups dialog box. You can also type part of the name, then click Check Names to look up user and group names.

  8. Select each user or group, then select the appropriate permissions.

Searching for shared queries

After you publish queries and give other users permission to access them, other auditors can search for and select the shared queries they want to use. The shared queries are not automatically visible to users who have permission to use them.

To find shared queries you have permission to use:

  1. Open Audit Analyzer, select Audit Sessions, right-click, then select Open Shared Queries.
  2. Type the query name or click Show existing queries, then click Find Now.
  3. Select one or more queries from the results returned, then click OK to add the query to your list of Shared Queries.