When to run an on-demand scan:

Prerequisites:

Before running an on-demand scan, confirm the following:

• At least one PII Scanner client agent is Online in the PII Scanner Server web UI
• The agent has read access to the path you want to scan
• At least one target host (LT Auditor ^MP) is configured in Admin → Target Hosts
• The PII detection rules relevant to your scan are enabled in Admin → PII Patterns
• No firewall is blocking communication between the agent and the PII Scanner Server or between the PII Scanner Server and LT Auditor ^MP

Running an on-demand scan:

Log in to the PII Scanner Server web UI at:

https://<PII_Scanner_Server_IP>:52766

2. Navigate to Admin → Jobs
   
3. Click Add Job
   
4. Configure the job:
   
   Job Name Use a name that clearly identifies this as an on-demand scan and captures its context:
   
   • On-Demand — HR Share Audit Prep — May 2026
   • Incident Response Scan — FileServer01 — 2026-05-15
   • New Share Baseline — Finance Q2 2026

Client Select the agent that has access to the path you want to scan. Confirm the agent shows as Online in the dropdown.

Path to Scan Enter the full path to the directory or share to scan:

Windows:

\\fileserver01\departments\hr

C:\SensitiveData

 Linux:

/mnt/shares/finance

/home/shared/legal

 Include Extensions (optional) For a focused on-demand scan, limit to the most relevant file types to reduce scan time:

*.docx, *.xlsx, *.pdf, *.txt, *.csv

5.  Leave blank to scan all file types for a comprehensive sweep.
   
   PII Classes Select the PII detection patterns relevant to this scan. For an incident response or audit scan, consider enabling all available classes for maximum coverage.
   
   Target Host Select your LT Auditor ^MP server as the destination for scan results.
   
6. Click Queue Job
   

The job is submitted immediately with a status of Queued. The assigned agent will claim it on its next poll cycle (default: every 1 minute) and begin scanning.

Monitoring the scan in progress:

1. Navigate to Admin → Jobs
2. Locate your job — the status will update from Queued to Running once the agent claims it
3. Review the job progress:
   • Started — the time the agent began scanning
   • Records Processed — the number of files scanned so far
   • Status — current state of the job
4. Refresh the page periodically to see updated progress

For large directories, scans can take a significant amount of time. The agent scans files sequentially and forwards matches to LT Auditor ^MP in real time as they are found — you do not need to wait for the scan to complete to begin reviewing results.

Viewing results as the scan runs:

Because PII matches are forwarded to LT Auditor ^MP in real time, you can begin reviewing results before the scan completes:

1. Log in to the LT Auditor ^MP Web UI in a separate browser tab
2. Navigate to View
3. Select the environment and category configured to receive PII Scanner data
4. Set the date range to Today or Last Hour
5. Filter by Source — PII Scanner
6. Results will populate as the agent finds and forwards matches
7. Click any result row to view full details:
   • File Path — where the PII was found
   • PII Class — the type of sensitive data matched
   • Line Number and Context — the location and surrounding content in the file
   • Timestamp — when the match was detected
   • Agent — which client agent performed the scan

Confirming scan completion:

1. Return to the PII Scanner Server web UI
2. Navigate to Admin → Jobs
3. Locate your scan job
4. Confirm the status has updated to Succeeded
5. Note the Completed timestamp and Records Processed count for your records

If the job status shows Failed:

1. Review the error details in the job record
   

Check the agent logs for more specific error information:

Linux:

cat /opt/bluelance/scanner/scanner.log

 Windows:

C:\Program Files\Blue Lance 2-0\LTA_PII_Scanner\logs\

3. Resolve the identified issue and requeue the job if needed
   

Documenting on-demand scan results:

For scans run in response to audits, incidents, or compliance queries, document the scan and its results:

1. Note the job name, scan path, date, time, agent, and PII classes used
2. In LT Auditor ^MP, navigate to View and filter for the scan results
3. Export the results:
   • Click Export
   • Choose PDF for audit submission or CSV for detailed analysis
   • Click Download
4. Retain the export as evidence of the data discovery activity

[Your administrator should establish a standard process for documenting and retaining on-demand scan records, particularly those run in response to security incidents or compliance audits.]

Best practices:

• Always confirm the assigned agent is online before queuing an on-demand scan — a job assigned to an offline agent will remain in Queued status until the agent comes back online
• For incident response scans, enable all PII classes for maximum coverage rather than limiting to a subset
• Use specific, descriptive job names that capture the date, scope, and reason for the scan so the jobs list serves as an auditable record
• For very large directories, consider breaking the scan into multiple smaller jobs by subdirectory — this makes progress easier to monitor and reduces the impact of a failure partway through
• Begin reviewing results in LT Auditor ^MP as the scan runs rather than waiting for completion — this is especially important during incident response when time is critical
• Export and retain scan results immediately after completion, particularly for incident response or audit-driven scans

[Your administrator should document the on-demand scan process as part of your organization’s incident response and compliance procedures so it can be followed consistently by any team member.]

Understanding scan results:

Each result record forwarded to LT Auditor ^MP represents a single PII match found in a scanned file. A single file may generate multiple result records if it contains multiple types of PII or multiple instances of the same PII type.

Each result record includes:

• File Path — the full path to the file where the match was found
• PII Class — the type of sensitive data detected (e.g., Social Security Number, Credit Card Number)
• Severity — the severity level assigned to the detected PII class (Critical, High, Medium, Low)
• Line Number — the line in the file where the match was found
• Context — a snippet of the surrounding content to help identify the match
• Timestamp — when the match was detected during the scan
• Agent — the client agent that performed the scan
• Job Name — the scan job that generated the result
• Target Host — the LT Auditor ^MP instance the result was forwarded to

Accessing scan results in LT Auditor ^MP:

1. Log in to the LT Auditor ^MP Web UI
2. Navigate to View in the main navigation menu
3. Select the view configured for PII Scanner data, or create a new one:
   • Click Create View
   • Set the Environment to your PII Scanner environment
   • Set the Category to PII Scan Results
   • Set a default date range
   • Click Save
4. The log table populates with PII match records from your scans

Filtering scan results:

Filter by scan job:

1. Click Advanced Filters
2. Add a condition:
   • Field — Job Name
   • Operator — Equals
   • Value — the name of the specific scan job
3. Click Apply Filters

Filter by PII class:

1. Click Advanced Filters
2. Add a condition:
   • Field — PII Class
   • Operator — Equals or In
   • Value — the PII class to focus on (e.g., Social Security Number)
3. Click Apply Filters

Filter by severity:

1. Click Advanced Filters
2. Add a condition:
   • Field — Severity
   • Operator — Equals
   • Value — Critical, High, Medium, or Low
3. Click Apply Filters

Filter by file path:

1. Click Advanced Filters
2. Add a condition:
   • Field — File Path
   • Operator — Starts With or Contains
   • Value — the directory path to focus on (e.g., \\fileserver01\shares\HR)
3. Click Apply Filters

Filter by agent:

1. Click Advanced Filters
2. Add a condition:
   • Field — Agent
   • Operator — Equals
   • Value — the hostname of the agent that performed the scan
3. Click Apply Filters

Interpreting scan results:

When reviewing results, focus on the following questions:

Is the sensitive data in an expected location? PII found in designated, access-controlled directories (e.g., an HR file server with appropriate permissions) is expected. PII found in unexpected locations (e.g., a public share, a developer’s home directory, or a temporary folder) requires immediate attention and remediation.

Is the PII class appropriate for the location? Credit card numbers in a Finance share may be expected. Credit card numbers in a Marketing share are not. Review whether the type of PII found makes sense for the location it was discovered in.

How severe is the finding? Prioritize Critical and High severity findings for immediate review. Medium and Low severity findings should be reviewed but may not require urgent action.

How many files are affected? A single match in one file is very different from thousands of matches across hundreds of files. Use grouping and aggregation in LT Auditor ^MP reports to understand the scale of findings across a scan.

Viewing full result details:

1. Click on any result row in the log table
2. The detail panel opens and displays:
   • File Path — full path to the affected file
   • PII Class — the type of sensitive data detected
   • Severity — the assigned severity level
   • Line Number — where in the file the match was found
   • Context — surrounding content to help identify and validate the match
   • Timestamp — when the match was detected
   • Agent — which client agent found the match
   • Job Name — which scan job generated this result
   • Raw Log — the original forwarded syslog record
3. Click Close to return to the results table

Identifying false positives:

Not every match is a genuine PII finding. Some patterns may produce false positives — matches that technically satisfy the regex pattern but do not represent real sensitive data. For example:

• A 9-digit product code that matches an SSN pattern
• A test file containing sample data used for development
• A log file containing IP addresses matched by an IP address pattern

When reviewing results, use the Context field to validate whether a match represents real sensitive data. If a pattern is consistently generating false positives from a specific file type or location:

1. Review the detection rule in Admin → PII Patterns on the PII Scanner Server
2. Consider tightening the regex pattern to reduce false positives
3. Consider excluding the relevant file extension from future scan jobs if it consistently produces noise

Acting on scan results:

When genuine PII is found in an unexpected or unauthorized location, take the following steps:

1. Document the finding:

• Export the relevant results from LT Auditor ^MP as a PDF or CSV
• Note the file path, PII class, severity, scan date, and agent

2. Assess the risk:

• Determine who has access to the location where the PII was found
• Review access logs in LT Auditor ^MP to determine whether the file has been accessed recently
• Assess whether the finding represents a compliance violation that must be reported

3. Remediate:

• Work with the file owner or relevant department to relocate, encrypt, or delete the sensitive file
• Review and update access controls on the affected location
• Confirm remediation by running a follow-up on-demand scan of the same path after the file has been addressed

4. Report:

• If the finding represents a compliance violation, follow your organization’s incident response and breach notification procedures
• Retain scan results and remediation records as evidence for compliance audits

[Your administrator should define a standard remediation workflow for PII findings and ensure all team members know how to follow it.]

Generating PII scan reports in LT Auditor ^MP:

For compliance documentation and management reporting, generate structured reports from PII scan results:

1. Navigate to Report in the LT Auditor ^MP Web UI
2. Click Create Report
3. Configure the report:
   • Environment — PII Scanner environment
   • Category — PII Scan Results
   • Date Range — the period to cover
4. Under Columns, include:
   • File Path
   • PII Class
   • Severity
   • Timestamp
   • Agent
   • Job Name
5. Under Grouping, consider grouping by:
   • PII Class — to see a breakdown of finding types
   • Severity — to prioritize remediation efforts
   • File Path — to identify the most affected locations
6. Click Save and then Generate Report
7. Download the report as PDF for audit submission or CSV for detailed analysis

Setting up alerts for critical PII findings:

Configure LT Auditor ^MP to alert your team immediately when Critical or High severity PII is detected during a scan:

1. Navigate to Manage in the LT Auditor ^MP Web UI
2. Select the PII Scanner environment and category
3. Click Add Filter
4. Configure the filter:
   • Filter Name — e.g., Critical PII Finding Alert
   • Condition — Severity Equals Critical
   • Action — Alert
   • Recipients — your security or compliance team email addresses
5. Click Save and set to Active

Repeat for High severity findings if needed.

[Your administrator should also configure an alert for PII found in specific sensitive or unexpected locations, such as public shares or temporary directories.]

Best practices:

• Review scan results promptly after each scan completes — sensitive data findings should not sit unaddressed
• Prioritize Critical and High severity findings for immediate investigation and remediation
• Use the Context field to validate matches before acting on them — not every match is a genuine PII finding
• Export and retain scan results as part of your compliance evidence library, particularly for GDPR, HIPAA, and PCI-DSS audits
• Run a follow-up on-demand scan after remediation to confirm that sensitive data has been successfully removed from the affected location
• Track remediation progress for all findings to demonstrate to auditors that your organization acts on data discovery results
• Set up alert rules for Critical severity findings so your team is notified immediately rather than discovering findings during a scheduled review

[Your administrator should establish a regular cadence for reviewing accumulated scan results in LT Auditor ^MP — not just immediately after scans, but as part of an ongoing data governance review process.]

Accessing the execution log:

1. Log in to the LT Auditor ^MP Web UI
2. Navigate to Configure → PowerShell Orchestrator → Execution Log
3. The execution log displays all script runs with the following information:

Filtering the execution log:

To narrow down the execution log to specific runs:

1. Use the filter bar at the top of the execution log
2. Filter by any combination of:
   • Script Name — view runs for a specific script
   • Target — view runs against a specific endpoint or cloud target
   • Trigger Type — filter by Scheduled, Manual, or Alert
   • Status — filter by Success, Failed, or Running
   • Date Range — limit results to a specific time period
3. Click Apply Filters

Viewing execution details and output:

To view the full details and output of a specific script run:

1. Locate the execution entry in the log
2. Click the entry to open the detail panel
3. The detail panel displays:
   • Execution Status — Success, Failed, or Running
   • Start and End Time — exact timestamps for the run
   • Target — the endpoint or cloud target the script ran against
   • Trigger — what initiated the execution (schedule name, user, or alert rule)
   • Script Output — the full output returned by the script
   • Error Messages — any errors encountered during execution
   • Exit Code — the PowerShell exit code returned by the script

Understanding execution statuses:

Investigating failed executions:

If a script shows a status of Failed, use the following steps to diagnose the issue:

1. Open the failed execution entry in the log
2. Review the Error Messages section for details on what went wrong
3. Check the Exit Code — a non-zero exit code indicates a PowerShell error

Common failure causes:

Viewing assessment results in LT Auditor ^MP:

Script output forwarded to LT Auditor ^MP is available in the View module alongside event data from other modules:

1. Navigate to View in the Web UI
2. Select the environment and category relevant to your assessment (e.g., Active Directory, Entra ID)
3. Set the date range to cover the time of the script execution
4. Filter by:
   • Source — select PowerShell Orchestrator
   • Script Name — filter by the specific script if needed
5. Review the structured assessment data returned by the script

Exporting execution history:

To export the execution log for reporting or audit purposes:

1. Apply your desired filters and date range
2. Click the Export button
3. Choose your format:
   • CSV — for Excel or data analysis
   • Excel — native Excel format
   • PDF — for audit documentation
4. Click Download

Monitoring scheduled script health:

Use the execution log to confirm that scheduled scripts are running as expected:

1. Filter the execution log by Trigger Type — Scheduled
2. Review the most recent run for each scheduled script
3. Confirm:
   • The last run time matches the expected schedule
   • The status shows as Success
   • The output contains the expected assessment data
4. If a scheduled script has not run at its expected time, check:
   • The script is set to Active in the script library
   • The PowerShell Orchestrator service is running
   • The target endpoint is reachable

Best practices:

• Review the execution log at least weekly to confirm all scheduled assessments are running successfully
• Investigate any failed executions promptly — a failing assessment script means a gap in your security posture visibility
• Use the execution log as part of incident response to confirm that alert-linked scripts fired correctly and produced useful output
• Retain execution history exports as supporting evidence for compliance audits
• Set up an alert rule in LT Auditor ^MP to notify your team when a critical assessment script fails so issues are caught quickly rather than discovered during a log review

[Your administrator should define which assessment scripts are considered critical and ensure alert notifications are configured for any failures in those scripts.]

Checking agent status:

The Clients page is the primary health dashboard for EventLogCentral. Check it regularly to confirm all expected agents are online and reporting.

1. Navigate to Clients in the left navigation menu
2. Review the Status column for each client:
   • Online — the agent is running and checking in normally
   • Offline — the agent has not checked in recently
3. Review the Last Heartbeat column to identify agents that have not reported recently even if they show as Online
4. Use the search bar to filter by group name or machine name when managing large environments

If any agent shows as Offline:

Confirm the EventLogAgent service is running on that machine:
sc query LTA_EventLogAgent

• Confirm network connectivity between the agent and the EventLogCentral server

Review the agent logs for errors:
C:\Program Files\Blue Lance 2-0\LTA_EventLogAgent\logs

Verifying effective configuration:

After making configuration changes to a group, verify that the correct configuration has been applied to individual clients:

1. Navigate to Clients
2. Click on the client name
3. Click View Effective Configuration
4. Confirm the following are correctly reflected:
   • Applied audit policies
   • Event log collection settings
   • File audit rules
   • Assigned forwarding target

Forcing a configuration sync:

By default, agents retrieve configuration updates from EventLogCentral on their next heartbeat cycle (default: every 5 minutes). If a configuration change needs to be applied immediately:

1. Navigate to Clients
2. Locate the relevant client
3. Click the ⋮ menu
4. Select Force Configuration Sync

The agent will retrieve and apply the latest configuration immediately rather than waiting for the next scheduled heartbeat.

Reassigning a client to a different group:

If a machine’s role changes and it needs to be moved to a different group:

1. Navigate to Clients
2. Locate the client to reassign
3. Click the ⋮ menu
4. Select Reassign Group
5. Select the new group from the available list
6. Confirm the reassignment

The client will receive the new group’s configuration — including audit policies, event log settings, file audit rules, and sender assignment — on its next heartbeat cycle.

Testing target connectivity:

Periodically confirm that all configured syslog targets are reachable to ensure event forwarding is not silently failing:

1. Navigate to Targets
2. For each configured target, click the ⋮ menu
3. Select Test Connection
4. Review the test result — confirm the target is reachable
5. If a target test fails:
   • Confirm the syslog server is running and accepting connections
   • Confirm no firewall is blocking outbound traffic on the configured port
   • Confirm the server address and port are correct in the target configuration

Reviewing configuration change history:

EventLogCentral maintains an audit log of configuration changes made to each client. Use this to review what changes have been made and when:

1. Navigate to Clients
2. Click the ⋮ menu next to the relevant client
3. Select View Audit Log
4. Review the history of configuration changes with timestamps

Routine administration checklist:

[Your administrator should assign ownership of routine administration tasks to specific team members and document the results of regular checks so the administration history is auditable.]

Accessing the Reports module:

1. In the main navigation menu, click Report
2. You will see the following tabs:
   • All Reports — every report you have access to
   • My Reports — reports you created
   • System Reports — pre-configured reports included with LT Auditor ^MP
   • Shared Reports — reports created and shared by other users

Creating a new report:

1. Click Create Report
2. Configure the basic report information:
   • Report Name — a clear, descriptive name
   • Description — a summary of the report’s purpose and content
   • Environment — the monitored environment to report on
   • Category — the log category to include
   • Report Type — Standard, Summary, or Detailed
3. Navigate to the Columns tab and select which fields to include:
   • Drag columns to reorder them
   • Set column widths
   • Configure sorting (ascending or descending)
4. Navigate to the Operations tab and select which event types to include using the checkbox tree
5. Configure the date range filter:
   • Fixed Range — specific start and end dates
   • Relative Range — Last 7 Days, Last 30 Days, Last 90 Days, etc.
   • Custom Range — dynamic ranges such as Previous Month or Current Quarter
6. Optionally configure grouping and aggregation under the Grouping tab:
   • Select fields to group by (e.g., User, Date, Operation)
   • Configure aggregations such as Count, Sum, Average, Min, or Max
   • Choose a display format — table, chart, or both
7. Click Save

Running a report on demand:

1. Open the report from the reports list
2. Select the date range for this run if not already set
3. Click Generate Report
4. Wait for generation to complete — a progress indicator will display for larger reports
5. Download the report in your preferred format:
   • CSV — for use in Excel or data analysis tools
   • Excel — native Excel format with formatting applied
   • PDF — formatted document suitable for auditor submission or printing

Viewing report history:

Every time a report is generated, the result is saved so you can retrieve it later without regenerating.

1. Open the report
2. Click View History
3. Browse past report runs, each showing:
   • Generation date and time
   • Date range covered
   • Number of records included
   • Whether it was generated manually or by a scheduled job
4. Click any historical entry to download that report file

Scheduling reports for automatic delivery:

1. Open the report configuration
2. Navigate to the Schedule tab
3. Click Add Schedule
4. Configure the schedule:
   • Frequency — Daily, Weekly, Monthly, Quarterly, or Yearly
   • Day and Time — when the report should generate
   • Time Zone — the timezone for schedule execution
   • Date Range — what time period each scheduled run should cover
5. Configure delivery options:
   • Email Recipients — the addresses to send the report to
   • Format — CSV, Excel, or PDF
   • Subject Line — the email subject template
   • Message — optional body text for the delivery email
6. Click Save

Avoid scheduling many reports to run at exactly the same time. Staggering report schedules helps maintain system performance.

Sharing reports:

1. Open the report
2. Click Share
3. Choose who to share with:
   • Specific Users — select individual users from the list
   • Roles — share with all users assigned to a specific role
   • Public — available to all users (if permitted by your administrator)
4. Set the permission level:
   • View Only — users can view and generate the report but cannot modify it
   • Edit — users can modify the report configuration
5. Click Save

Using report templates:

Templates save a report configuration so it can be reused as the starting point for new reports.

Saving a report as a template:

1. Configure a report with the desired filters, columns, and settings
2. Click Save as Template
3. Provide a template name, description, and category
4. Set visibility to Private or Shared
5. Click Save

Creating a report from a template:

1. Click New Report from Template
2. Select a template from the list
3. Customize as needed for this specific report
4. Click Save

Duplicating reports:

To create a similar report quickly without starting from scratch:

1. Select the report to duplicate from the reports list
2. Click Duplicate
3. Modify the name and any settings as needed
4. Click Save

Marking reports as favorites:

1. Locate the report in the reports list
2. Click the Star icon to add it to your favorites
3. Access your favorite reports quickly from the Favorites tab

Best practices:

• Test new reports with a small date range before scheduling them for regular delivery
• Use descriptive names and descriptions, especially for shared reports, so other users understand the purpose without needing to open the configuration
• Use report templates for recurring report types to save setup time
• Review and clean up obsolete reports periodically to keep the reports list manageable
• For very large datasets, use grouping and aggregation to produce summary reports rather than full detail exports
• Retain compliance reports according to your organization’s regulatory requirements

[Your administrator should set up a standard library of reports for common compliance frameworks and share them with the relevant team members so everyone is working from the same baseline.]

Accessing the View module:

1. In the main navigation menu, click View
2. Select a saved view from the list, or create a new one
3. The log table displays audit records matching your current filters and date range

Creating a new view:

If no saved views exist yet, or you need a view tailored to a specific purpose:

1. Click Create View
2. Configure the view settings:
   • View Name — a descriptive name for the view
   • Description — the purpose of this view
   • Environment — the monitored environment to display logs from
   • Category — the log category to focus on
   • Default Date Range — the initial date range shown when the view is opened
3. Navigate to the Columns tab and select which fields to display:
   • Drag columns to reorder them
   • Set column widths for optimal display
   • Enable sorting and filtering per column
4. Click Save

Filtering events:

Quick filters:

1. Use the filter bar at the top of the view
2. Enter search terms in the quick search box
3. Select filter criteria from the available dropdown menus
4. Results update in real time as you type

Advanced filters:

1. Click Advanced Filters
2. Add one or more filter conditions:
   • Select a field from the log schema (e.g., User, Event Type, Severity)
   • Choose an operator (e.g., Equals, Contains, Starts With, Greater Than, Is Null)
   • Enter a comparison value
3. Combine conditions using AND/OR logic:
   • AND — all conditions must match
   • OR — any condition must match
   • Nest condition groups for complex logic (e.g., (A OR B) AND (C OR D))
4. Click Apply Filters

Date range filter:

1. Use the date range picker at the top of the view
2. Choose from:
   • Quick ranges — Today, Yesterday, Last 7 Days, Last 30 Days, etc.
   • Custom range — specific start and end dates
   • Relative range — dynamic ranges that update automatically (e.g., Previous Month)
3. The log table refreshes automatically when the date range is changed

Searching log data:

Perform full-text searches across all collected log data:

1. Enter search terms in the search box
2. Choose the search scope:
   • All Fields — searches across every field in the log schema
   • Specific Field — searches within a single selected field
3. Use search operators for more precise results:

4. Press Enter or click Search

Sorting and navigating results:

• Click any column header to sort by that field
• Click again to reverse the sort direction
• Hold Shift and click multiple column headers for multi-level sorting
• Use the page size selector to control how many records display per page (20, 50, 100, or 200)
• Use Previous and Next to navigate between pages

Viewing full event details:

1. Click on any log row in the table
2. A detail panel opens showing:
   • All Fields — complete field values for the event
   • Raw Log — the original unprocessed log entry
   • Metadata — timestamp, source, and receiver information
   • Related Logs — links to related audit events
3. Click Close to return to the table view

Exporting log data:

1. Apply your desired filters and date range
2. Click the Export button
3. Choose an export format:
   • CSV — for use in Excel or data analysis tools
   • Excel — native Excel format with formatting applied
   • PDF — formatted document suitable for printing or sharing
4. Configure export options:
   • All Columns or Visible Columns Only
   • Include or exclude column headers
   • Set a maximum record limit if needed
5. Click Download

For very large exports, the system may queue the export and deliver it via email when complete. For datasets that regularly require large exports, consider scheduling a report instead.

Saving and sharing views:

• Click Save at any time to save your current filter and column configuration as a named view
• Click Duplicate View to create a copy of an existing view as a starting point for a new one
• Click Share to share a view with other users or roles, with either View Only or Edit permissions
• Click the Star icon on any view to add it to your favorites for quick access

Auto-refreshing views:

For real-time monitoring, enable auto-refresh to keep the view updated automatically:

1. Click the Auto-Refresh control
2. Select a refresh interval: 5s, 10s, 30s, or 1 minute
3. The view will reload at the selected interval

Use auto-refresh cautiously with large datasets or broad date ranges, as frequent reloads can impact performance.

Best practices:

• Set a reasonable default date range on saved views to avoid loading excessive data on open
• Display only the columns you need for faster load times
• Use named, saved views for recurring investigation tasks rather than rebuilding filters each time
• For large-scale data analysis, schedule a report rather than exporting directly from a view
• Use descriptive view names so other team members can understand the purpose at a glance

[Your administrator should create and share a set of standard views for common investigation scenarios so the team has a consistent starting point.]

Dashboard overview:

The dashboard is organized into several key areas:

[Your administrator should add a labeled screenshot of the dashboard here to help users orient themselves.]

Navigating the dashboard:

The main navigation menu runs along the left side of the screen and provides access to all modules:

Customizing your dashboard view:

1. Use the date range selector at the top of the dashboard to adjust the time period displayed
2. Click on any metric or chart element to drill down into the underlying event data
3. Use the environment selector (if available) to filter the dashboard to a specific monitored environment
4. Click Refresh to manually update the dashboard with the latest data

Understanding the activity trend graph:

The activity trend graph displays event volume over the selected time period. Use it to:

• Identify spikes in activity that may indicate a security incident
• Spot drops in activity that may indicate a collection or connectivity issue
• Establish a baseline of normal activity in your environment over time

If you notice an unexpected spike or flatline, navigate to View to investigate the underlying events in more detail.

Switching between monitored environments:

If your deployment monitors multiple environments (e.g., Windows, eDirectory, Azure), you can switch between environment-specific dashboards:

1. Navigate to the relevant environment from the dashboard or View menu
2. The dashboard will update to reflect activity for the selected environment only

Best practices:

• Check the dashboard at the start of each shift or workday as a quick health check
• Investigate any alert notifications visible on the dashboard before moving on to other tasks
• Use the activity trend graph to establish a sense of normal traffic patterns — this makes anomalies easier to spot over time
• If the Last Refresh timestamp is significantly behind the current time, check that all services and agents are running correctly