Previous Topic: Security EventsNext Topic: Account Administration

Viewing Security Object Data in the InvestigatorSecurity EventsObject Accesses

Object Accesses

The Investigator displays the following searchable object access event records related to all data set, resource, and database access:

Successful Object Access

Includes a record for each time a user accesses an object.

Event Code: 21

Object Access Audit

Includes a record for each event that is tied to a user whom you are auditing.

Event Code: 22

Object Access Violation

Includes a record for each time a user tries to modify a user account, but is denied.

Event Code: 23

Note: For a comprehensive list of security events and the event triggers, see the security events chapter in your external security manager documentation.

Example: Identify object access audit events for an exiting employee

A finance employee with a significant scope of responsibility at your company has submitted a letter of resignation. This employee plans to work two more weeks and then leave your company. To monitor the actions of this employee, you enable an object access audit. The object access audit produces a record for each user action against objects for your one system. As the two-week period ends, you want to review the records to confirm that no breach has occurred.

  1. Add the Investigator module to your dashboard, and click Start New Investigation.
  2. Select Security from the drop-down list.
  3. Select Events, Object Accesses from the folder list.
  4. Click View Filter (magnifying glass icon).
  5. Filter the data by completing the following steps:
    1. Select User ID from the first drop-down list from the center pane.
    2. Select = from the second drop-down, and type the exiting employee user ID.
    3. Click the plus icon.
    4. Select AND from the first drop-down list.
    5. Select Event Category Description from the second drop-down list from the center pane.
    6. Select = from the second drop-down list, and type Object Access Audit.
    7. Specify the two-week time period in the Select Time Range pane.
    8. Click Search.

    The object access events for this employee appear for the last two weeks.

  6. Use this information to compare with historical trends or drill into each record, if necessary.