Audit rules specify the events to be pulled in to the Compliance Auditor for viewing and authorization. You can specify:
The filters to display the type of event
The number of events
The time and frequency when the events are pulled in
An audit role to restrict access to records of events pulled in by a specific rule
To add or modify a rule, see Adding or Modifying an Audit Rule.
You can add, modify, and disable audit rules, but you cannot delete them.
Click Compliance Auditor on the home page of the console.
Click Audit Rules in the task pane.
Select one of the following:
To add a new rule, click Add in the task pane
To modify an existing rule, select the rule, then click Modify
To copy an existing rule and modify it, select the rule, then click Copy.
Configure the following fields:
Rule Name: Specify a name for your rule.
Disabled: Select the check box to disable the rule.
By default, disabled rules are not shown in the rule list. You cannot delete a rule.
Records and All Records: To collect all records, enable the All Records check box, or deselect the All Records option and set the number of records to be collected on each audit run.
Audit Role: (Optional) Specify the audit role that has been assigned to a group. For configuration information, see Step 5 in Controlling Access to the Compliance Auditor.
Run Filter: To determine the time and frequency of each audit run, use the calendar to set the initial date, then set the frequency as required.
Audit Category: Select the category of events to audit.
Add Filter: (Optional) Select one or more filters from the Add Filter drop-down list for the type of event you want this rule to pull in, and configure them as required
The filters and configuration options depend on the Audit Category selected. For example, you can choose to pull in only those Command Control events that have been submitted by a particular user and that include a session capture.
Filters: Filters section displays all the filters added by you. You can add more than one filter of the same type for filters such as the Command Control Submit User, then select the logic you require from AND or OR. You can also set these filters to be inclusive or exclusive using matches or does not match.
You can remove a filter by clicking the button to the right of the filter.
Click Finish.