Submit Search

Creating Search Queries

QUICK TIP: Try asking yourself, "What am I looking for?" and spell out your query in filters or exclusions.

For example: I'm looking for all modifications (What) Ian Rush (Who) made during the last 24 hours (When). Or I'm looking for changes made by members of the Domain Admins group (Who) except for a trustworthy administrator called James Good (exclude Who).

To search for audit data:

Note: The procedure below applies to the Active Directory source. Running search may vary slightly for other sources.

On the home page, select a source.
Select Search.

Customize your search—create a search query tailored to look for the information you are specifically interested in. Make sure to use full names as filters are designed to search for exact entries (e.g., cygnalabsdemo.com\ian.rush instead of ian.rush). To retrieve all activity, keep the search filters blank.

On the Filter tab, specify parameters to narrow down your search results (for example, specify a user name in the Who filter to narrow down your search to activity of a specific user).

More about filters

FILTER	DESCRIPTION	EXAMPLE
Domain	The domain where the activity took place. Specify a domain name.	cygnalabsdemo.com
Who	The user who made the change. Specify a username in the DOMAIN\username (FQDN) or user@domain (UPN) format.	cygnalabsdemo.com\cygna cygna@cygnalabsdemo.com
What	The action performed in your domain environment. Specify one or more actions from the drop-down list.	Create
Object type	The type of the object that was changed.	Group
Attributes	Details related to changes. Specify an attribute's AD name to search for a specific change. For a complete list of AD attributes, check out: Microsoft documentation.	pwdLastSet
Where	The domain controller where the action took place; or AD group or any path where the changed object belongs to. Tip: Use %name% to search for group names.	%Domain Admins%
When	The timeframe when the action took place. Specify the interval from the drop-down list.	Last 24 hours

On the Exclusions tab, specify entities you do not care about at the moment and do not want to show up in this search query (for example, a trustworthy administrators group).

On the Grouping tab, update your grouping preferences if you want to bundle change records based on a certain rule (for example, by user or by action type).

You can run search without filters or exclusions to get all change records for your source.

Show me example

Select Search. Cygna Auditor will run your query and list all records found based on parameters you specified. For more information on how to view search results, refer to Reading Search Results.

QUICK TIP: Do you like your search query? Save it as a custom report and run it any time you like. Click the Save as report button in the upper right corner of your search results. Click Export to download the results as a pdf or xml document.