Audit rules specify the events to be pulled in to the Compliance Auditor for viewing and authorization. You can specify:
The filters to display the type of event
The number of events
The time and frequency when the events are pulled in
An audit role to restrict access to records of events pulled in by a specific rule
To add or modify a rule, see Section 7.2.1, Adding or Modifying an Audit Rule.
You can add, modify, and disable audit rules, but you cannot delete them.
Click
on the home page of the console.Click
in the task pane.Select one of the following:
To add a new rule, click
in the task paneTo modify an existing rule, select the rule, then click
.To copy an existing rule and modify it, select the rule, then click
.Configure the following fields:
Rule Name: Specify a name for your rule.
Disable: Select the check box to disable the rule.
By default, disabled rules are not shown in the rule list. You cannot delete a rule.
Records and All Records: To collect all records, enable the
check box, or deselect the option and set the number of records to be collected on each audit run.Audit Role: (Optional) Specify the audit role that has been assigned to a group. For configuration information, see Step 5 in Section 7.1, Controlling Access to the Compliance Auditor.
Run Filter: To determine the time and frequency of each audit run, use the calendar to set the initial date, then set the frequency as required.
Audit Category: Select the category of events to audit.
Add Filter: (Optional) Select one or more filters from the
drop-down list for the type of event you want this rule to pull in, and configure them as requiredThe filters and configuration options depend on the
selected. For example, you can choose to pull in only those Command Control events that have been submitted by a particular user and that include a session capture.You can add more than one filter of the same type for filters such as the Command Control Submit User, then select the logic you require from AND or OR. You can also set these filters to be inclusive or exclusive using
or .You can remove a filter by clicking the button to the left of the filter.
Click
.