To search for audit data:
Note: The procedure below applies to the Active Directory source. Running a search may vary slightly for other sources.
- On the home page, select a source.
- Select Search.
- Customize your search: create a search query tailored to the information you are specifically interested in. Use full names, because filters are designed to search for exact entries (e.g., cygnalabsdemo.com\ian.rush instead of ian.rush). To retrieve all activity, keep the search filters blank.
- On the Filter tab, specify parameters to narrow down your search results (for example, specify a user name in the Who filter to narrow down your search to the activity of a specific user).
The domain where the activity took place. Specify a domain name.
The user who made the change. Specify a username in the DOMAIN\username (FQDN) or user@domain (UPN) format.
The action performed in your domain environment. Specify one or more actions from the drop-down list.
The type of the object that was changed.
Details related to changes. Specify an attribute's AD name to search for a specific change.
The domain controller where the change was logged.
The timeframe when the action took place. Specify the interval from the drop-down list.
Last 24 hours
- On the Exclusions tab, specify entities you do not care about at the moment and do not want to show up in this search query (for example, a trustworthy administrators group).
- On the Grouping tab, update your grouping preferences if you want to bundle change records based on a certain rule (for example, by user or by action type).
You can run a search without filters or exclusions to get all change records for your source.
- Select Search. Cygna Auditor will run your query and list all records found based on the parameters you specified. For more information on how to view search results, refer to Reading Search Results.