Task: Creating a Basic Search Query

Goal: Learn how to construct a basic search leveraging conditions. Understand how conditions work together and facilitate your security investigations.

Steps:

  1. Start with all changes shown on the screen. If you are interested in specific changes only, construct a search query to get to them faster.

  2. Let's say you are interested in File System changes made by the cygnalabsdemo\cygna account on March 20, 2019 or later. Start building your search query and add the following filters: a source filter for File System, a user filter for cygnalabsdemo\cygna, and a date filter for March 20, 2019 or later.

    First, you select the filter (source, user who made the change, event that took place, etc.), then you specify the match type and the value to be searched. The conjunction "and" between filters indicates that Cygna Auditor will return only records that satisfy all of these conditions at once (a logical AND); adding a condition can only narrow the result set, never widen it.

  3. Inspect the results. Your search returns 4 records. Each of them is a change made on the file server by cygnalabsdemo\cygna on 03/21/2019, which falls within the date range you specified (March 20, 2019 or later).

    There are more ways to achieve the same results! Curious? Check out these tasks within the "Mastering the Global Search" tutorial:

    Task: Excluding Changes from Search

    Task: Limiting Search to Specific Events

  4. Click the Save as new custom report link to create a report that you can run later.

Results: Now you've learned how to create a simple search query. Adding filters narrows the result set to the changes you actually need to review, which speeds up auditing procedures and helps you get your work done faster.

Looking for more exercises?

  • Adjust your search query: add a new condition that limits your results to "Rename" activity. Because conditions are ANDed, the 4 records from step 3 can only shrink further.
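To make the AND logic of steps 2 and 3 and of the "Rename" exercise concrete, here is a small model of a conjunctive search filter run over a handful of constructed audit records. This is an added illustration for this tutorial, not Cygna Auditor's own code, query syntax or API; the field names (`source`, `user`, `event`, `when`, `object`), the match-type names and every sample record are assumptions made for the example.

```python
"""Toy model of how search conditions combine (logical AND).

Added illustration for this tutorial; it is not Cygna Auditor's own code,
query syntax or API. Field names, match-type names and all sample records
below are assumptions made for the example.
"""
from datetime import date

# Constructed sample audit records (not real data). Usernames follow the
# DOMAIN\account form shown in the tutorial.
EVENTS = [
    {"source": "File System", "user": r"cygnalabsdemo\cygna",
     "event": "Rename", "when": date(2019, 3, 21), "object": r"\\fs01\finance\q1.xlsx"},
    {"source": "File System", "user": r"CYGNALABSDEMO\Cygna",  # same account, different case
     "event": "Create", "when": date(2019, 3, 21), "object": r"\\fs01\finance\q2.xlsx"},
    {"source": "File System", "user": r"cygnalabsdemo\cygna",
     "event": "Modify", "when": date(2019, 3, 21), "object": r"\\fs01\finance\q2.xlsx"},
    {"source": "File System", "user": r"cygnalabsdemo\cygna",
     "event": "Delete", "when": date(2019, 3, 21), "object": r"\\fs01\finance\old.docx"},
    {"source": "File System", "user": r"cygnalabsdemo\cygna",  # excluded: before the date condition
     "event": "Rename", "when": date(2019, 3, 19), "object": r"\\fs01\finance\draft.docx"},
    {"source": "Active Directory", "user": r"cygnalabsdemo\cygna",  # excluded: wrong source
     "event": "Modify", "when": date(2019, 3, 21), "object": "CN=Jane Doe,OU=Staff,DC=cygnalabsdemo,DC=local"},
    {"source": "File System", "user": r"cygnalabsdemo\jdoe",  # excluded: wrong user
     "event": "Rename", "when": date(2019, 3, 21), "object": r"\\fs01\hr\plan.pptx"},
]


def _equals(actual, expected):
    # Windows account names and event names are compared case-insensitively,
    # so "CYGNALABSDEMO\Cygna" and "cygnalabsdemo\cygna" are the same account.
    if isinstance(actual, str) and isinstance(expected, str):
        return actual.casefold() == expected.casefold()
    return actual == expected


# Assumed match types; the product's own set is covered in the next task.
MATCH_TYPES = {
    "equals": _equals,
    "contains": lambda actual, expected: expected.casefold() in actual.casefold(),
    "on_or_after": lambda actual, expected: actual >= expected,
    "before": lambda actual, expected: actual < expected,
}


def matches(record, condition):
    """True if one (field, match_type, value) condition holds for a record."""
    field, match_type, expected = condition
    if match_type not in MATCH_TYPES:
        raise ValueError(f"unknown match type: {match_type}")
    return MATCH_TYPES[match_type](record[field], expected)


def search(records, conditions):
    """Return the records that satisfy every condition (conditions are ANDed).

    With no conditions every record matches, which is the "all changes"
    starting point of step 1.
    """
    return [r for r in records if all(matches(r, c) for c in conditions)]


# The three conditions from step 2 of the tutorial.
BASE_CONDITIONS = [
    ("source", "equals", "File System"),
    ("user", "equals", r"cygnalabsdemo\cygna"),
    ("when", "on_or_after", date(2019, 3, 20)),
]

# The extra condition from the exercise at the end of the task.
RENAME_CONDITION = ("event", "equals", "Rename")

if __name__ == "__main__":
    for label, conds in (("base search", BASE_CONDITIONS),
                         ("base search + Rename", BASE_CONDITIONS + [RENAME_CONDITION])):
        hits = search(EVENTS, conds)
        print(f"{label}: {len(hits)} record(s)")
        for r in hits:
            print(f"  {r['when']}  {r['source']:<17} {r['user']:<24} {r['event']:<7} {r['object']}")
```

Run as written, the base search returns the 4 file-server records made by cygnalabsdemo\cygna on 03/21/2019 (the record dated 03/19/2019, the Active Directory record and the cygnalabsdemo\jdoe record are dropped by the date, source and user conditions respectively), and adding the Rename condition narrows that to 1 record. Note the case-insensitive account comparison: a filter that matched usernames case-sensitively would silently miss events logged with a differently cased DOMAIN\account string.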


Previous parts:

Tutorial: Mastering the Global Search

Task: Reviewing All Changes and Sorting

Task: Limiting Search to Specific Events

Task: Excluding Changes from Search

Continue reading:

Task: Getting Fluent with Match Types