Task: Getting Fluent with Match Types

Goal: Learn how match types can modify your search query and make it more versatile. Unlike including and excluding values right from the data area, adding filtering conditions and leveraging different match types will help you get broader search results.

Steps:

  1. Start with all changes on the screen. If you are interested in specific changes, you are encouraged to construct a search query to get to these changes faster.

  2. Let's say you are interested in all modification activity that occurred on March 21, 2019 or later. Start building your search query and add the following conditions:

    First, you select the parameters to search for (the date, what action, etc.), then you specify the match case and the value to be searched. The conjunction "and" indicates that Cygna Auditor will search for records that comply with all these conditions at once (as logical AND).

    Since you are looking for events that occurred on March 21, 2019 or later, the right match type for the When parameter is "is after". As you want to get all modification events (modify computer, modify user, modify group, etc.), you set the match type for the What parameter to "starts with".

  3. Inspect the results. You can see six records, where the activity in the What column is displayed as "Modify group" and "Modify user".

    Discussion point 1: Would you get the same results if you selected these three conditions instead of "What – starts with – modify"?

    The answer is that you wouldn't get any records at all. The "and" conjunction indicates that a record should match all these conditions at the same time, which is simply impossible. A change cannot be a modification of a computer and a user at the same time; it is an either-or situation.

    Discussion point 2: Would you get the same results if you selected Modify with the "is" exact match type?

    The answer is that you wouldn't get any records at all. The "is" match type tells Cygna Auditor to search for exact entries and not for broad results such as "Modify computer" or "Modify group".

    Takeaway: Match types such as "contains", "does not contain", "starts with", and "ends with" make search more flexible and allow searching for similar values with the same search query.

  4. Discard your search query and let's start from scratch once again. Now, you are looking for any activity from any source that had something to do with the office. Add the following condition to search for and then review the results.

    As you can see, Cygna Auditor retrieved several records where the item name contains "office".

  5. Discard your search query and start a new search. This time, you are investigating why some files or folders were renamed. When you create a new folder and update its standard name, this activity is reported as Create and subsequent Rename of the "New folder". To exclude these safe Renames and focus on potentially harmful Renames, be sure to search for files and folders (items) that don't contain "new" in their names.
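    To make the match-type semantics and the "and" conjunction concrete, here is an added Python example (not part of this tutorial and not Cygna Auditor code) that replays steps 2 through 5 and both discussion points over a constructed set of audit records. It assumes case-insensitive text matching and an inclusive "is after" (so a March 21 value returns March 21 or later); record counts differ from the tutorial's screenshots because the data is made up.

```python
from datetime import date

# Constructed sample audit records (not real Cygna Auditor data). The keys mirror
# the When / What / Item (name) columns used in the tutorial.
RECORDS = [
    {"when": date(2019, 3, 20), "what": "Modify user",     "item": "j.doe"},
    {"when": date(2019, 3, 21), "what": "Modify group",    "item": "Office Admins"},
    {"when": date(2019, 3, 22), "what": "Modify user",     "item": "office.manager"},
    {"when": date(2019, 3, 25), "what": "Modify computer", "item": "OFFICE-PC01"},
    {"when": date(2019, 3, 25), "what": "Create",          "item": "New folder"},
    {"when": date(2019, 3, 25), "what": "Rename",          "item": "New folder"},
    {"when": date(2019, 3, 26), "what": "Rename",          "item": "payroll.xlsx"},
    {"when": date(2019, 3, 27), "what": "Remove user",     "item": "temp.account"},
]

# Match types as predicates over (record value, search value). Text matching is
# case-insensitive and "is after" is inclusive: both are assumptions made here.
MATCH_TYPES = {
    "is":               lambda v, s: v.lower() == s.lower(),
    "starts with":      lambda v, s: v.lower().startswith(s.lower()),
    "ends with":        lambda v, s: v.lower().endswith(s.lower()),
    "contains":         lambda v, s: s.lower() in v.lower(),
    "does not contain": lambda v, s: s.lower() not in v.lower(),
    "is after":         lambda v, s: v >= s,
}

def search(records, conditions):
    """Apply conditions joined by 'and': a record survives only if every
    (field, match type, value) triple holds for it at the same time."""
    def matches(rec):
        return all(MATCH_TYPES[mt](rec[field], value) for field, mt, value in conditions)
    return [r for r in records if matches(r)]

def step2():  # all modifications on March 21, 2019 or later
    return search(RECORDS, [("when", "is after", date(2019, 3, 21)),
                            ("what", "starts with", "Modify")])

def discussion_point_1():  # three exact What values joined by "and": always empty
    return search(RECORDS, [("what", "is", "Modify computer"),
                            ("what", "is", "Modify user"),
                            ("what", "is", "Modify group")])

def discussion_point_2():  # exact "Modify" never equals "Modify user" etc.
    return search(RECORDS, [("what", "is", "Modify")])

def step4():  # anything whose item name contains "office"
    return search(RECORDS, [("item", "contains", "office")])

def step5():  # renames, minus the routine "New folder" renames
    return search(RECORDS, [("what", "is", "Rename"),
                            ("item", "does not contain", "new")])
```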

Results: Now you've learned how and when to apply match types to your search parameters and how they affect the search query. Match types can make your search queries more flexible and facilitate your security investigations.

Looking for more exercises?

  • Create a new search query and make sure to use match types—search for domain users' activity.
  • Try updating conditions. For example, first check if cygnalabsdemo\cygna changed permissions for any object. Then, update the match type or value to check if cygnalabsdemo\cygna.user made similar actions.
  • Try creating a search with sources. Pay attention to the match types — the source filter has a unique set of match types and enables you to select sources from a drop-down.
  • Save a search as a custom report.

Previous parts:

Tutorial: Mastering the Global Search

Task: Reviewing All Changes and Sorting

Task: Limiting Search to Specific Events

Task: Excluding Changes from Search

Task: Creating a Basic Search Query

Continue reading:

Task: Mixing & Matching Search Techniques