Task: Limiting Search to Specific Events

Goal: Learn how to limit your search to the changes you are interested in, for example, to the activity of a specific user.

Steps:

  1. Start with all changes on the screen and identify those that need your special attention. Let's say you are concerned about the actions of cygna.user and want to narrow down your search to this account's activity.

  2. Hover the mouse over the account name until it turns green, then click the name.

  3. Review the updated search. Now you only see the activity performed by cygna.user; activity by other users is hidden because only this user is included in the search. To confirm that the filter is what you intended, look at the search conditions area above the data. Cygna Auditor automatically added a new condition that narrows the search down to the activity of this one user. The condition can be read as follows: show me all records where "user" is exactly "cygnalabsdemo\cygna.user".

    There are more ways to achieve the same results! Curious? Check out these tasks within the "Mastering the Global Search" tutorial:

    Task: Excluding Changes from Search

    Task: Creating a Basic Search Query

  4. Revert the search to show events by all users. To do so, hover the mouse over the search condition and click the X sign.

Looking for more exercises?

  • Limit your search to Rename actions only.
  • Include only Active Directory events in your search.

Result: You have now learned how to adjust your search directly from the data area and focus on the changes that matter most to you. Restricting the search to specific actions or users speeds up security investigations when you have to review and account for a series of similar events.
