Tutorial: Mastering the Global Search
This tutorial will teach you how to get the most out of collected audit data with Cygna Auditor's Global Search. It contains easy and practical tasks that will help you get fluent with Global Search techniques and create queries of different complexity.
Upon completing this tutorial, you'll become familiar with Global Search and be ready to investigate activity in your environment. If you are looking for general information about the feature, refer to Global Search.
For this tutorial, you are encouraged to perform test changes in your environment. These changes will be used to demonstrate how Global Search works and to replicate a typical administration workflow in a small organization. Alternatively, you can skip the changes and just follow the examples and images provided in this tutorial.
First and foremost, ensure Cygna Auditor is deployed and configured to collect Active Directory and File System audit data. Then, check that you have an Active Directory account with extended permissions that allow creating users, groups, etc.
Perform the following test actions—you can revert them after completing this tutorial:
| STEP | SERVER | PERFORM AS | TEST ACTION |
|---|---|---|---|
| 1. | Domain controller | Admin user (e.g., cygna) | Create a new account called cygna.user (display name Cygna User). |
| 2. | Domain controller | Admin user (e.g., cygna) | Create an Active Directory group "Office managers". |
| 3. | Domain controller | Admin user (e.g., cygna) | Add the "cygna.user" user to the "Office managers" group. |
| 4. | File server | Admin user (e.g., cygna) | Create a folder "Office documents" and grant "Full control" permissions to the "Office managers" group. |
| 5. | File server | Regular user (e.g., cygna.user) | Create a file called "Clients" inside the "Office documents" folder and add some contacts inside. |
| 6. | File server | Regular user (e.g., cygna.user) | Rename the "Office documents" folder into "Office payment data". |
| 7. | File server | Admin user (e.g., cygna) | Rename the folder "Office payment data" back to "Office documents". |
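As an added example (not part of the Cygna Auditor documentation), the following PowerShell script performs the seven test actions above so that the corresponding Active Directory and File System audit events are generated. It is split into three phases because steps 5 and 6 must run in a session logged on as the regular user; the share root path, the NetBIOS domain name, and the file name "Clients.txt" are assumptions.

```powershell
# Added example: generate the tutorial's test actions. Run -Phase AdminSetup
# on the domain controller / file server as the admin account, -Phase User
# on the file server logged on as cygna.user, then -Phase AdminRename as admin.
param(
    [string]$UserName   = 'cygna.user',
    [string]$GroupName  = 'Office managers',
    [string]$FolderRoot = 'D:\Shares',     # assumed share root on the file server
    [ValidateSet('AdminSetup', 'User', 'AdminRename')]
    [string]$Phase = 'AdminSetup'
)

$docs    = Join-Path $FolderRoot 'Office documents'
$renamed = Join-Path $FolderRoot 'Office payment data'

switch ($Phase) {
    'AdminSetup' {
        # Steps 1-3 (domain controller): user, group, membership
        Import-Module ActiveDirectory
        $password = Read-Host -Prompt 'Password for the test user' -AsSecureString
        New-ADUser -Name 'Cygna User' -SamAccountName $UserName -DisplayName 'Cygna User' `
                   -AccountPassword $password -Enabled $true
        New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
        Add-ADGroupMember -Identity $GroupName -Members $UserName

        # Step 4 (file server): folder with Full Control for the group
        New-Item -ItemType Directory -Path $docs | Out-Null
        $acl  = Get-Acl -Path $docs
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                    -ArgumentList "$env:USERDOMAIN\$GroupName", 'FullControl', `
                                  'ContainerInherit,ObjectInherit', 'None', 'Allow'
        $acl.AddAccessRule($rule)
        Set-Acl -Path $docs -AclObject $acl
    }
    'User' {
        # Steps 5-6 (file server, as cygna.user): create a file, rename the folder
        $contacts = @('Alice Example, alice@example.com',   # constructed sample data
                      'Bob Example, bob@example.com')
        Set-Content -Path (Join-Path $docs 'Clients.txt') -Value $contacts
        Rename-Item -Path $docs -NewName 'Office payment data'
    }
    'AdminRename' {
        # Step 7 (file server, as admin): rename the folder back
        Rename-Item -Path $renamed -NewName 'Office documents'
    }
}
```

Each phase leaves a distinct actor in the audit trail (admin for steps 1-4 and 7, the regular user for steps 5-6), which is what the later Global Search tasks rely on when filtering by who made a change.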
Now you have a sufficient number of changes to start exploring Global Search.
In this tutorial:
Task: Reviewing All Changes and Sorting
Task: Limiting Search to Specific Events
Task: Excluding Changes from Search
Tips and Tricks: Including vs Excluding
Task: Creating a Basic Search Query