Task: Excluding Changes from Search

Goal: Learn how to exclude distracting records from your search results. For example, when many similar events make the overall activity landscape difficult to read, you may want to hide them from the search and focus on the events you are interested in at the moment.

Steps:

  1. Start with all changes on the screen and identify those that clutter your search. Assume you are not interested in Active Directory changes right now.

  2. Hover the mouse over the Active Directory icon and click the red cross next to it.

  3. See the updated search. Now you only see File System activity on the screen. Activity from other sources (in this example, Active Directory) is hidden. Also, look at the search conditions area above the data: Cygna Auditor has automatically added a condition that excludes Active Directory changes.

    The condition reads: show all changes that were not made in Active Directory. Put another way: show activity from all sources except Active Directory.

    There are more ways to achieve the same result. Curious? Check out these tasks in the "Mastering the Global Search" tutorial:

    Task: Limiting Search to Specific Events

    Task: Creating a Basic Search Query

  4. Go further and exclude changes made by the "cygna" user. Let's say "cygna" is your trusted admin account whose activity does not need to be justified, while the activity of the less privileged "cygna.user" should be examined and verified. Bear in mind that excluding a privileged account hides everything that account did, including any misuse of it, so add such an exclusion deliberately and only for the current investigation.

  5. Look at the updated search. You have just a few changes left on the screen and two conditions applied.

  6. Revert the search to show all events. To do so, hover the mouse over the search conditions and click the X sign.

Result: You have learned how to adjust your search directly from the data area and exclude records that clutter the picture. Excluding noisy actions, sources, or users from a search makes security investigations easier and faster.

Looking for more exercises?

  • As you can see, there are four Rename actions. Examine them closely. You will find that some Renames are simply part of creating a folder and giving it a name. Exclude these actions.
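To make the exclusion logic concrete outside the Cygna Auditor interface, here is an added example (not Cygna Auditor code) that applies the three exclusions from this task to a constructed list of audit events: hide a source (steps 2-3), hide a user (step 4), and, for the exercise above, hide a Rename that immediately follows a Create of the same path by the same user. The event fields (source, user, action, path, new_path, time), the 10-second correlation window, and the sample records are all assumptions made for the example.

```python
"""Exclusion filters over a constructed audit-event list.

Added example, not Cygna Auditor code. The Event fields and the sample
records below are assumptions constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List


@dataclass(frozen=True)
class Event:
    time: datetime
    source: str        # e.g. "File System", "Active Directory" (assumed field)
    user: str
    action: str        # e.g. "Create", "Rename", "Modify" (assumed field)
    path: str
    new_path: str = ""  # set for Rename actions only (assumed field)


def _t(hh_mm_ss: str) -> datetime:
    return datetime.fromisoformat(f"2024-01-15T{hh_mm_ss}")


# Constructed sample data, not real audit records.
EVENTS: List[Event] = [
    Event(_t("09:00:01"), "Active Directory", "cygna", "Modify", "CN=Sales,OU=Groups,DC=corp"),
    Event(_t("09:00:05"), "File System", "cygna", "Create", r"\\fs01\share\New folder"),
    Event(_t("09:00:07"), "File System", "cygna", "Rename", r"\\fs01\share\New folder",
          r"\\fs01\share\Budgets"),
    Event(_t("09:01:00"), "File System", "cygna.user", "Create", r"\\fs01\share\New folder"),
    Event(_t("09:01:02"), "File System", "cygna.user", "Rename", r"\\fs01\share\New folder",
          r"\\fs01\share\Drafts"),
    Event(_t("09:05:00"), "File System", "cygna.user", "Rename", r"\\fs01\share\Drafts\q1.xlsx",
          r"\\fs01\share\Drafts\q1-final.xlsx"),
    Event(_t("09:06:00"), "Active Directory", "cygna.user", "Modify", "CN=Jane,OU=Users,DC=corp"),
]

# An exclusion is a predicate: True means "hide this event".
Exclusion = Callable[[Event], bool]


def exclude_source(source: str) -> Exclusion:
    """Steps 2-3: hide every event coming from one source."""
    return lambda e: e.source == source


def exclude_user(user: str) -> Exclusion:
    """Step 4: hide every event performed by one account."""
    return lambda e: e.user == user


def rename_is_part_of_create(events: List[Event],
                             window: timedelta = timedelta(seconds=10)) -> Exclusion:
    """Exercise: a Rename whose old path the same user created within `window`
    is the second half of "create folder, then name it"; treat it as noise."""
    creates = {}
    for e in events:
        if e.action == "Create":
            creates.setdefault((e.user, e.path), []).append(e.time)

    def _match(e: Event) -> bool:
        if e.action != "Rename":
            return False
        return any(timedelta(0) <= e.time - created <= window
                   for created in creates.get((e.user, e.path), []))

    return _match


def apply_exclusions(events: List[Event], exclusions: List[Exclusion]) -> List[Event]:
    """Keep an event only if no exclusion matches it; conditions combine with AND,
    exactly like stacking several "not X" conditions in the search area."""
    return [e for e in events if not any(x(e) for x in exclusions)]


def remaining_after_steps(events: List[Event] = EVENTS) -> List[Event]:
    """State of the search after steps 2-5: no Active Directory, no "cygna"."""
    return apply_exclusions(events, [exclude_source("Active Directory"),
                                     exclude_user("cygna")])


def remaining_after_exercise(events: List[Event] = EVENTS) -> List[Event]:
    """Steps 2-5 plus the exercise: folder-creation Renames are hidden too."""
    return apply_exclusions(events, [exclude_source("Active Directory"),
                                     exclude_user("cygna"),
                                     rename_is_part_of_create(events)])


if __name__ == "__main__":
    for e in remaining_after_exercise():
        print(e.time.time(), e.user, e.action, e.path, e.new_path)
```

Each exclusion is an independent predicate, and the three stacked conditions leave only the events an investigator actually wants to verify: the "cygna.user" folder creation and the genuine rename of a file, with the trusted admin, the Active Directory noise, and the "New folder" rename hidden. Reverting the search (step 6) is simply calling `apply_exclusions` with an empty list.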


Previous parts:

Tutorial: Mastering the Global Search

Task: Reviewing All Changes and Sorting

Task: Limiting Search to Specific Events

Continue reading:

Task: Creating a Basic Search Query

Tips and Tricks: Including vs Excluding