Viewing a Case’s Internal Audit Events

Requirement:

To view audit events, you must belong to a group that has the following enforced filter:

/All Filters/ArcSight Administration/ESM/System Health/Events/Audit/ArcSight Audit Events

This event filter is added to the group’s ACL Editor settings on the Events tab and applies to audit events for all resources. Refer to Adding or Removing Enforced Filters for instructions.

To view internal audit events on cases:

  1. Create an active channel, query viewer, or data monitor that uses the proper filter to view details of modifications made to cases.

    Refer to Monitoring Events for the different ways to create an event viewer.

  2. Use the following fields in your event viewer to capture audit events related to the case:

    Fields for Case Internal Audit Events

    | Field or Column | Displayed Information |
    | --- | --- |
    | Name | Event name, for example, Case updated or Note inserted. |
    | File Name | The case’s name |
    | Target User Name | The user who made the change |
    | Device Custom String3 (Label: AttachedTo) | For the “Note inserted” event, the resource type, Case, to which the note is attached |
    | Device Custom String4 (Label: AttachedToID) | For the “Note inserted” event, the resource ID of the case to which the note is attached |
    | Device Custom String5 (Label: AttachedToName) | For the “Note inserted” event, the display name of the case to which the note is attached |

Tip: After the event viewer retrieves the data:

  1. Copy the resource ID of interest displayed in Device Custom String4 (AttachedToID).

  2. Paste the ID into the Console’s search box and go to the actual case resource on the Navigator panel.
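
The following added example (not part of the product documentation) shows how the fields above can be combined offline to build a per-case audit trail from events exported out of the viewer. It assumes a CSV export whose column headers match the field names in the table, plus an End Time column, and that the viewer's filter already limits rows to case-related audit events; all sample rows, user names, and resource IDs are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column headers are assumed to match the field
# names in the table above; "End Time" is an assumed extra column.
SAMPLE_EXPORT = """\
End Time,Name,File Name,Target User Name,Device Custom String3,Device Custom String4,Device Custom String5
2024-05-01 09:00:12,Case updated,Phishing-0042,alice,,,
2024-05-01 09:03:40,Note inserted,note-1,bob,Case,EXAMPLE-ID-0001,Phishing-0042
2024-05-01 09:10:05,Note inserted,note-2,bob,Rule,EXAMPLE-ID-0099,Some Rule
2024-05-01 09:15:30,Case updated,Malware-0007,carol,,,
2024-05-01 09:20:00,Case updated,Phishing-0042,bob,,,
"""


def case_audit_trail(export_text):
    """Group exported audit events by case name.

    Returns {case: {"ids": set of AttachedToID values,
                    "events": [(time, event name, user), ...]}}.
    """
    trail = defaultdict(lambda: {"ids": set(), "events": []})
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["Name"].strip()
        case_id = ""
        if name == "Note inserted":
            # For notes, the case is identified by the AttachedTo* fields.
            # Skip notes attached to any other resource type.
            if row["Device Custom String3"].strip() != "Case":
                continue
            case = row["Device Custom String5"].strip()
            case_id = row["Device Custom String4"].strip()
        else:
            # Assumption: every other row is a case event, so File Name
            # holds the case's name.
            case = row["File Name"].strip()
        if not case:
            continue
        if case_id:
            trail[case]["ids"].add(case_id)
        user = row["Target User Name"].strip()
        trail[case]["events"].append((row["End Time"], name, user))
    return dict(trail)


if __name__ == "__main__":
    for case, info in case_audit_trail(SAMPLE_EXPORT).items():
        print(case, sorted(info["ids"]), info["events"])
```

The IDs collected per case are the values to paste into the Console's search box, as described in the tip.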