Predefined Queries for Reports

Audit Analyzer includes predefined queries for generating reports. By default, the reports include information for all audited users, computers, and sessions. Select the type of report you are interested in generating, then specify additional criteria for filtering the report output. You can then save the modified report query or show the report.

If you click Show Report, the report is generated and displayed in a new window. You can then save the report as an HTML, PDF, CSV, or XML document.

User Activity Report

The default User Activity Report provides a detailed record of user actions for all audited users. The report includes the user name, the computer where the activity occurred, the time at which the activity occurred, and the event recorded. For example, if a user opened a Windows application or ran a UNIX command, the event would be recorded and included in the report you generate.

Note that the User Activity Report does not include all desktop changes, such as navigation through directories using Windows Explorer. Instead, the report provides information about specific events. For example, the report includes information about when an application is opened, when operations are performed, and when the application is closed. For more detailed information about user activity, you can enable video capture auditing for the installation and for specific desktops, applications, or commands using roles in Access Manager.

For information about enabling video capture auditing, see Enabling or disabling video capture auditing.

You can customize and filter the information included in a User Activity Report by specifying the query criteria and saving the report definition.

Privileged Activity Report

The default Privileged Activity Report provides a record of all actions taken with elevated privileges for all audited users and computers. The report includes the user name, the computer where the activity occurred, the time at which the activity occurred, and the event recorded. For example, if a user selected a role with administrative privileges, the event would be recorded and included in the report you generate.

You can customize and filter the information included in a Privileged Activity Report by specifying the query criteria and saving the report definition.

Delinea Zone Administration Activity Report

The default Delinea Zone Administration Activity Report provides a record of all zone-related administrative actions taken for all audited users and computers. The report includes the user name, the computer where the activity occurred, the time at which the activity occurred, the client name, and the event recorded. For example, if an administrator created a new zone or delegated a management task to another user or group, the event would be recorded and included in the report you generate.

You can customize and filter the information included in a Delinea Zone Administration Activity Report by specifying the query criteria and saving the report definition.

Login by User Report

The default Login By User Report provides a record of both successful and failed login attempts for all audited users, computers, and sessions. The report includes the user name, the computer where the user attempted to log on, the time of the login attempt, and whether access was granted.

You can customize and filter the information included in a Login By User Report by specifying the query criteria and saving the report definition.

Login by Computer Report

The default Login By Computer Report provides a record of both successful and failed login attempts for all audited users, computers, and sessions. The report includes the user name, the computer where the user attempted to log on, the time of the login attempt, and whether access was granted.

You can customize and filter the information included in a Login By Computer Report by specifying the query criteria and saving the report definition.

Authorization Failure Report

The default Authorization Failure Report provides a record of authorization failure events for all audited users, computers, and sessions. The report includes the user name, the computer where the user attempted to log on or use a role, the time of the attempt, and the reason the user was denied access.

You can customize and filter the information included in an Authorization Failure Report by specifying the query criteria and saving the report definition.

Monitored Execution Report

If you have configured your auditing installation for advanced monitoring, then this Monitored Execution report shows the monitored commands being executed on the audited computers. This report includes information on commands that are run individually or as part of scripts. This report shows who ran one of the monitored commands even if that person is not an audited user.

The Monitored Execution report includes the user name, the computer where the commands were run, the time the command was run, the name of the command and the command arguments used, the process and parent process IDs, the “run as” user, the directory in which the command was run, and whether the command was successful.

In the report, the Access Status column shows whether the command was started successfully. This field does not indicate whether the command completed successfully.

Advanced monitoring does not generate an audit trail event for commands for which you’ve enabled per-command auditing.

You can customize and filter the information included in a Monitored Execution report by specifying the query criteria and saving the report definition.

Detailed Execution Report

If you have configured your auditing installation to perform advanced monitoring, then this Detailed Execution report shows all of the commands being executed on the audited machines—including commands that are run as part of scripts or other commands.

The Detailed Execution report includes the user name, the computer where the activity occurred, the time at which the activity occurred, the command that was entered, the process and parent process IDs, the current directory, the actual command that was executed, the command arguments, the “run as” user, whether the command started or not (access status), and any additional access status details (such as “permission denied” if the access status is “failed”).

In the report, the Access Status column shows whether the command was started successfully. This field does not indicate whether the command completed successfully.

Advanced monitoring does not generate an audit trail event for commands for which you’ve enabled per-command auditing.

You can customize and filter the information included in a Detailed Execution report by specifying the query criteria and saving the report definition.

File Monitor Report

If you have configured your auditing installation to perform advanced monitoring, the File Monitor report shows the sensitive files being modified by users on the audited machines. The File Monitor report includes any activity by any user (except root, -1) in the following protected areas on audited machines:

  • /etc/

  • /var/centrify/

  • /var/centrifydc/

  • /var/centrifyda/

The report includes the user name, the computer where the activity occurred, the time at which the activity occurred, the filename, the current directory, the kind of file access that was attempted, whether the file access was successful, the command that was used, the process and parent process IDs, and the “run as” user.

If a monitored file is renamed, the report displays both the original and new filename. The order of filenames may differ slightly on each operating system.

MFA Failure Report

The default MFA Failure Report provides a record of multi-factor authentication (MFA) failure events for all audited users, computers, and sessions. The report includes the user’s name, the computer where the user attempted to log on or use a role, the time of the attempt, and the reason that MFA authentication failed.

You can filter the information included in an MFA Failure Report by specifying the query criteria and saving the report definition.