Version: 2.9.0

How to Define and Submit Audit Queries

Introduction

This guide outlines how to search for audit events using the Report Query Builder. It covers steps for setting search parameters such as user, file path, extension, and time range to ensure efficient and accurate audit results. It also includes information for how to refine your search scope, save queries for future use, and run reports on demand or on a schedule.

Define and Submit Audit Queries

  1. Open the Report Query Builder

    Navigate to the Eyeglass Superna Dashboard and open the Easy Auditor module using the desktop icon or Eyeglass Main Menu. From the sidebar, find and select Report Query Builder from the Query section.

  2. Configure Search Filters

    Enter the relevant data into the available fields to focus your query.

    1. User Name: Leave this field empty to search across all users.

      To search for a specific user, input the username in the format user@domain or DOMAIN\user (note: the domain must be in uppercase). This will resolve the user to their Active Directory Security Identifier (SID) and supports auditing for SMB protocol users.

    2. Path: Specify the cluster and directory path for the audit.

      For better performance, select a path as close as possible to the location of the audit events. Avoid broad paths (e.g., /ifs), as they increase search times.

    3. Event Type: The search defaults to the most commonly used event types. To refine your search, use the dropdown menu to view and select from all available event types. Reducing the number of event types will improve search performance by narrowing the scope. Leave this field empty to search across all event types.

    4. Extension Field:

      Use this field to filter files by their extension (e.g., docx, xlsx, pdf).

      Specifying file types will reduce search times by eliminating irrelevant results. Enter only the file extension, without the preceding period (for example, enter pdf instead of .pdf).

    5. Time Range:

      Define the time range by selecting one of the following:

      • Days in the past
      • A specific day
      • A custom date and time range

      Always aim to reduce the time window for faster searches. If the first search doesn’t provide the needed data, break the search into smaller time ranges.

    6. Max Results:

      The default maximum is set to 50,000 records. Once this limit is reached, the search stops.

      Best practice is to refine your search criteria to avoid excessive data collection. The system supports up to 1 million events, though large result sets may significantly slow down the search process and generate large CSV files.

  3. Email Notification (Optional)

    If enabled, an email will be sent regardless of whether the query returns any data.

    Disable this option if you do not need a notification when no data is found. This is most useful for scheduled or recurring queries.

  4. Run Report Using Query

    Select "Run Report Using Query" to start the search.

  5. Save Queries for Future Use

    Select "Save Query As" to store the query under the Saved Queries tab for future reference or reuse. To run a saved query, select the "Load Saved Query" option.

    Saved Queries can be scheduled under the Report Schedule tab.

    To schedule a query:

    1. Choose a saved query to run on schedule.
    2. Choose how often to run the report.
    3. Click "Schedule it" to save and schedule the query.
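
    As an added illustration (not part of the Easy Auditor product or this guide), the following Python helper applies the input rules above before a query is entered: it normalizes the User Name and Extension fields, clamps Max Results to the documented limits, flags broad paths such as /ifs, and splits a custom time range into smaller windows as recommended under Time Range. All function names are hypothetical and the values they enforce are taken from the steps above.

```python
import re
from datetime import datetime, timedelta

# Limits stated in the guide: 50,000 records by default, 1 million at most.
DEFAULT_MAX_RESULTS = 50_000
HARD_MAX_RESULTS = 1_000_000

_UPN = re.compile(r"^[^@\\\s]+@[^@\\\s]+$")              # user@domain
_DOWNLEVEL = re.compile(r"^([^@\\\s]+)\\([^@\\\s]+)$")   # DOMAIN\user

def normalize_user(user: str) -> str:
    """Return '' (all users) or a user name in one of the two accepted formats."""
    user = user.strip()
    if not user:
        return ""
    if _UPN.match(user):
        return user
    m = _DOWNLEVEL.match(user)
    if m:
        domain, name = m.groups()
        return f"{domain.upper()}\\{name}"   # guide: the domain must be uppercase
    raise ValueError(f"expected user@domain or DOMAIN\\user, got {user!r}")

def normalize_extension(ext: str) -> str:
    """Drop the leading period the guide says to omit ('.pdf' -> 'pdf')."""
    return ext.strip().lstrip(".")

def clamp_max_results(n: int) -> int:
    """Fall back to the 50,000 default and never exceed the 1 million ceiling."""
    return DEFAULT_MAX_RESULTS if n <= 0 else min(n, HARD_MAX_RESULTS)

def is_broad_path(path: str) -> bool:
    """True for root-level paths the guide warns will slow the search."""
    return path.strip().rstrip("/") in ("", "/ifs")

def split_time_range(start_iso: str, end_iso: str, window_hours: int = 24):
    """Break a custom range into consecutive windows of at most window_hours.

    Inputs and outputs are ISO-8601 strings, e.g. '2024-01-01T00:00'.
    """
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    if end <= start:
        raise ValueError("end must be after start")
    windows, cur, step = [], start, timedelta(hours=window_hours)
    while cur < end:
        nxt = min(cur + step, end)
        windows.append((cur.isoformat(), nxt.isoformat()))
        cur = nxt
    return windows
```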

See Also

For instructions on using the Robo Audit feature, see the Robo Audit document.