Audit and Compliance Page
The Audit and Compliance page in the Investigations interface lists the saved out-of-the-box investigations, each with filters already applied, for commonly used Audit and Compliance activity reports.
Click Investigate in the application header bar to open the Investigations interface. Then click Audit and Compliance in the navigation pane. This expands the menu to display a list of investigations for Audit and Compliance. To get this list in the adjacent pane, hover your mouse over the Audit and Compliance option and click the icon that is displayed.
The table displays the list of investigations with the following columns:
- Name – The name of the investigation
- Favorite – A check mark indicates that the investigation has been tagged as a favorite for the logged-in user
Click an investigation to view it. You can run the query, modify the configuration, add a subscription, or export the report. See the Investigation Options topic for additional information on saved investigation options.
Every report generated by an investigation query displays the same type of information. See the Investigation Reports topic for additional information.
By default, this folder contains the following saved investigations:
| Investigation | Description | Filters |
|---|---|---|
| AD Changes | All Active Directory changes | One filter statement: Attribute = Event Operation; Operator = Equals; Filter = Active Directory Change |
| AD Changes by Domain Admins | All Active Directory changes by Domain Admins | Two filter statements (AND): (1) Attribute = Event Operation; Operator = Equals; Filter = Active Directory Change. (2) Attribute = Tag (Effective); Operator = Equals; Filter = Domain Admin |
| AD Logins | Active Directory logins, including Kerberos and NTLM authentication | One filter statement: Attribute = Event Operation; Operator = Equals; Filter = Active Directory Authentication |
| All Events | New Investigation | No filters set |
| Failed AD Logins | All failed Active Directory logins, including Kerberos and NTLM authentication | Two filter statements (AND): (1) Attribute = Event Operation; Operator = Equals; Filter = Active Directory Authentication. (2) Attribute = Success; Operator = Equals; Filter = false |
| LDAP Search | All LDAP search events | One filter statement: Attribute = Event Operation; Operator = Equals; Filter = LDAP Search |
| Privileged Account Activity | All activity by privileged accounts | One filter statement: Attribute = Tag (Direct); Operator = Equals; Filter = Privileged |
| Service Account Activity | All activity by service accounts | One filter statement: Attribute = Tag (Direct); Operator = Equals; Filter = Service Account |
| Watchlist User Activity | All activity by watchlist users | One filter statement: Attribute = Tag (Effective); Operator = Equals; Filter = Watchlist |
You can save additional investigations to this folder.
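To make the filter semantics in the table concrete, the following added example (illustration code written for this page, not the product's own query engine) evaluates each saved investigation's filter statements against a few constructed sample events. It shows that an investigation with two statements reports an event only when both match (AND), that "Failed AD Logins" depends on the Success attribute being false, and how "Tag (Direct)" and "Tag (Effective)" can differ. The Event field names, the "true"/"false" string form of Success, and the model in which effective tags are the direct tags plus tags inherited through group membership are all assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class Event:
    """One monitored event (constructed sample; field names are assumptions)."""
    operation: str                           # maps to the Event Operation attribute
    success: bool = True                     # maps to the Success attribute
    direct_tags: frozenset = frozenset()     # tags applied to the account itself (Tag (Direct))
    inherited_tags: frozenset = frozenset()  # tags inherited, e.g. via group membership (assumption)

    @property
    def effective_tags(self) -> frozenset:
        # Assumption: Tag (Effective) = direct tags plus inherited tags.
        return self.direct_tags | self.inherited_tags


def attribute_values(event: Event, attribute: str) -> frozenset:
    """Return the set of values an event carries for a filter attribute."""
    if attribute == "Event Operation":
        return frozenset({event.operation})
    if attribute == "Success":
        return frozenset({"true" if event.success else "false"})
    if attribute == "Tag (Direct)":
        return event.direct_tags
    if attribute == "Tag (Effective)":
        return event.effective_tags
    raise ValueError(f"unknown attribute: {attribute}")


def statement_matches(event: Event, attribute: str, operator: str, value: str) -> bool:
    """Evaluate one filter statement (Attribute / Operator / Filter)."""
    if operator != "Equals":
        raise ValueError(f"unsupported operator: {operator}")
    return value in attribute_values(event, attribute)


# The saved investigations from the table. An investigation reports an event
# only when every statement matches (AND); an empty list matches every event.
INVESTIGATIONS = {
    "AD Changes": [("Event Operation", "Equals", "Active Directory Change")],
    "AD Changes by Domain Admins": [
        ("Event Operation", "Equals", "Active Directory Change"),
        ("Tag (Effective)", "Equals", "Domain Admin"),
    ],
    "AD Logins": [("Event Operation", "Equals", "Active Directory Authentication")],
    "All Events": [],
    "Failed AD Logins": [
        ("Event Operation", "Equals", "Active Directory Authentication"),
        ("Success", "Equals", "false"),
    ],
    "LDAP Search": [("Event Operation", "Equals", "LDAP Search")],
    "Privileged Account Activity": [("Tag (Direct)", "Equals", "Privileged")],
    "Service Account Activity": [("Tag (Direct)", "Equals", "Service Account")],
    "Watchlist User Activity": [("Tag (Effective)", "Equals", "Watchlist")],
}


def investigation_matches(name: str, event: Event) -> bool:
    """True when all filter statements of the named investigation match the event."""
    return all(statement_matches(event, *stmt) for stmt in INVESTIGATIONS[name])


def run_all(events):
    """Map each investigation name to the indices of the events it would report."""
    return {name: [i for i, ev in enumerate(events) if investigation_matches(name, ev)]
            for name in INVESTIGATIONS}


# Constructed sample events (not real product output).
SAMPLE_EVENTS = [
    Event("Active Directory Change", inherited_tags=frozenset({"Domain Admin"})),
    Event("Active Directory Authentication", success=False,
          direct_tags=frozenset({"Service Account"})),
    Event("LDAP Search", direct_tags=frozenset({"Privileged"})),
    Event("Active Directory Authentication", inherited_tags=frozenset({"Watchlist"})),
]

if __name__ == "__main__":
    for name, hits in run_all(SAMPLE_EVENTS).items():
        print(f"{name:30} -> events {hits}")
```

Event 0 is reported by "AD Changes by Domain Admins" even though Domain Admin is only an inherited tag, because that investigation filters on Tag (Effective); event 3's inherited Watchlist tag likewise satisfies "Watchlist User Activity" but would not satisfy a Tag (Direct) filter. Event 1 appears in "AD Logins", "Failed AD Logins" and "Service Account Activity", while the successful login in event 3 is excluded from "Failed AD Logins" by the second statement.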