Use Audit Views

Cygna Auditor for File System audit views provide a way to filter and interactively view collected file information. A best practice approach is to segment the permission information into multiple audit views based on meaningful criteria, such as location and event type.

Under the Audit Views node you will see the folder labeled My Audit Views. This is a private user account folder. Any views or subfolders created under this folder are only accessible to the user who created them.

Create an Audit View

Note: If you do not configure any settings for the Account, Computers, Objects, and Events pages, all of the collected file system information is available in the viewer. This can result in slow enumeration due to the potentially large amount of information collected.

  1. Start the console.
  2. Expand the Cygna Auditing & Security Suite node.
  3. Expand the Cygna Auditor for File System node.
  4. Right-click Audit Views and then select New > Audit View.
  5. On the General page, enter a name for the audit view. Optionally, provide a description.

Account Filter :: Accounts

  1. On the Who page, click Add and add users to filter file system activity based on user accounts.
  2. If you do not configure any settings for the Account filter, audit activity for all users is included in the audit view.

Computers :: Computers page

  1. On the Computers tab, click Add and add one or more computers to filter file system activity by machine. Click OK to close the dialog box.
  2. If you do not configure any settings for the Computer filter, audit activity for all computers will be included in the audit view.

  1. On the Where tab, select one of the following options from the Scope menu to filter file system information based on files and folders:
    • Return all objects: This is the default selection, and returns all objects.
    • Return specified objects: Click Add to open the file/folder browser. Select the files and folders. Click OK.
    • Return objects with activity in the last: Enter the number of days you want to see activity for.

New Audit View - Events page

  1. Check the events to include. If you do not check any events, all are included.
  2. To include or exclude processes, check the appropriate box. Browse to select the process to include or exclude. Click OK.
  3. By default, all processes are included. However, if you specify explorer.exe in the Include processes list, the view shows only audit entries from explorer.exe; all other processes are excluded. Alternatively, if the Include processes box is unchecked and you add notepad.exe to the Excluded processes list, audit entries performed by any process except notepad.exe are included in the audit view.

New Audit View :: Time Range

  1. On the When page, set a date or range of the information to show file system activity over time. The three options are:
    • Return all logged events: Returns all events.
    • Return all events between: Dates can be entered or selected from the calendar.
    • Return events that occurred in the last x days: Select the number of hours, days, weeks or months to show in the console.
  2. When you finish setting your options, click OK.

Open an Audit View

Cygna Auditor for File System audit views provide a way to filter and interactively view the collected file system activity information. The audit view opens in the Cygna Auditor for File System Viewer.

  1. Start the console.
  2. Expand the Cygna Auditing & Security Suite node.
  3. Expand the Cygna Auditor for File System node.
  4. Select the Audit Views node.
  5. Right-click an audit view, and then select Open.

Note: If there is any filtering defined in the audit view, you will only see a subset of the data in the console.

The Viewer is divided into three sections:

  • Object navigation pane: Expand the server node to display subfolders and files included in the audit.
  • Contents pane: Select an object in the navigation pane to display the contents collected from the audit. The pane is empty when the selected object contains no subfolders or files, or no file activity is gathered by the agent.
  • Activity pane: Select a folder or file in the Contents pane to display the event details collected.

Group Events

You can group events by column. Right-click anywhere in the list area, click Group By, and select a criterion. This changes the list and graph views.

View Security Details on an Event

In the Cygna Auditor for File System Viewer, you can view, remove, and roll back permission changes.

Security change audit entries

  • View security changes: Security change audit entries are blue. To show a specific security Access Control List (ACL) assigned, double-click an entry or right-click the entry and click Details.
  • If Privilege Explorer is installed and licensed, additional security functionality is available. From the Show menu, switch to the All security changes for this object view.

  • Remove permission changes: Right-click a permission entry in black and click Remove Permission.

Security Details > Rollback

  • Rollback permission changes: Right-click a permission entry in red or green and click Rollback.
    • Red: Indicates the entry has been removed.
    • Green: Indicates the entry has been added.

Change the Properties for an Audit View

You can temporarily change the properties for an audit view you created. When you change the properties on the Audit Viewer window, you can refresh the search results to display the values that meet the newly selected criteria.

The changes are not permanently saved to the audit view.

Plan your auditing activities. To view relevant data, it is important to know the object types you want to monitor and the attributes for the objects.

  1. In the Cygna Auditor for File System Viewer, click Show Filter Details.

View Details window

  2. The View Details window opens. The current settings for the audit view are displayed.
  3. Click Refine to temporarily change filters for the audit view.

To apply a permanent change to a filter, you must modify the audit view from the Cygna Auditor for File System node.

For more information, please see Modify an Audit View.

Run a Report in the Viewer

On first use, click Reports to deploy the built-in Microsoft SQL Server Reporting Services (SSRS) reports to the server. After reports are deployed to SSRS, click Reports to start SSRS Report Manager. For more information, please see Work with Reports.

Modify an Audit View

  1. Start the console.
  2. Expand the Cygna Auditing & Security Suite node.
  3. Expand the Cygna Auditor for File System node.
  4. Click the Audit Views node.
  5. Right-click the audit view, and then select Properties.
  6. Change the options as necessary.
  7. Click OK.

For more information, please see Create an Audit View.

Delete an Audit View

  1. Start the console.
  2. Expand the Cygna Auditing & Security Suite node.
  3. Expand the Cygna Auditor for File System node.
  4. Click the Audit Views node.
  5. Right-click the audit view, and then select Delete.
  6. When prompted, click Yes to confirm the action.