
Reference for Creating Search Parameters File

Review this section to learn more about operators and how to apply them to Activity Record filters to create a unique search. You can:

  • Add different filters to your search. Only Activity Records that match all selected filters are returned, since different filters work as a logical AND.

    Format Example

    XML

    <Who Operator="Equals">Admin</Who>
    <DataSource Operator="NotEqualTo">Active Directory</DataSource>
    <What>User</What>

    JSON

    "Who" : { "Equals" : "Admin" },
    "DataSource" : { "NotEqualTo" : "Active Directory" },
    "What" : "User"
  • Specify several values for the same filter. To do this, add two entries one after another.

    Entries with Equals, Contains, StartsWith, and EndsWith operators work as a logical OR (Activity Records with either of the following values will be returned). Entries with DoesNotContain and NotEqualTo operators work as a logical AND (Activity Records with neither of the following values will be returned).

    Format Example

    XML

    <Who>Admin</Who>
    <Who>Analyst</Who>

    JSON

    "Who" : [ "Admin" , "Analyst" ]

    NOTE: Use square brackets to add several values for the entry.
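
The combination rules above, modelled client-side as an added Python example (not part of the original reference and not the product's code). Assumptions: a value without an operator is treated as Contains, which is inferred from the examples on this page; comparison is case-sensitive; a JSON array may mix plain values and operator objects, modelled on the "When" array shown further down; the records are constructed.

```python
# Added example: models the filter semantics above on constructed records.
# Assumptions: a value without an operator is treated as Contains; string
# comparison is case-sensitive; the "When" date filter is not modelled.
POSITIVE = {  # several entries of these kinds for one filter: logical OR
    "Equals": lambda f, v: f == v,
    "Contains": lambda f, v: v in f,
    "StartsWith": lambda f, v: f.startswith(v),
    "EndsWith": lambda f, v: f.endswith(v),
}
NEGATIVE = {  # several entries of these kinds for one filter: logical AND
    "NotEqualTo": lambda f, v: f != v,
    "DoesNotContain": lambda f, v: v not in f,
}

def entries(spec):
    """Flatten one filter's JSON value into (operator, value) pairs."""
    for item in spec if isinstance(spec, list) else [spec]:
        if isinstance(item, dict):
            yield from item.items()
        else:
            yield "Contains", item  # assumed default operator

def field_matches(field, spec):
    """Apply every entry of one filter to one field of an Activity Record."""
    positive, negative = [], []
    for op, value in entries(spec):
        if op in POSITIVE:
            positive.append(POSITIVE[op](field, value))
        elif op in NEGATIVE:
            negative.append(NEGATIVE[op](field, value))
        else:
            raise ValueError(f"unknown operator: {op}")
    return (not positive or any(positive)) and all(negative)

def search(records, filter_by):
    """Different filters combine as AND; return RIDs of matching records."""
    return [r["RID"] for r in records
            if all(field_matches(r.get(name, ""), spec)
                   for name, spec in filter_by.items())]

RECORDS = [  # constructed sample data: three fields plus a short RID
    {"RID": "r1", "Who": "Enterprise\\Administrator", "Action": "Added", "DataSource": "SharePoint"},
    {"RID": "r2", "Who": "Enterprise\\Administrator", "Action": "Removed", "DataSource": "SharePoint"},
    {"RID": "r3", "Who": "Enterprise\\Administrator", "Action": "Read", "DataSource": "SharePoint"},
    {"RID": "r4", "Who": "Enterprise\\Analyst", "Action": "Removed", "DataSource": "Active Directory"},
    {"RID": "r5", "Who": "Enterprise\\Admin", "Action": "Added", "DataSource": "File Servers"},
]
```

Calling `search(RECORDS, {"Who": "Administrator", "DataSource": "SharePoint", "Action": {"NotEqualTo": "Read"}})` returns the RIDs of the two non-Read SharePoint records.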

Review the following for additional information:

The table below shows filters and Activity Records matching them.

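Each entry lists the Filters (XML and JSON) with a description of what they retrieve, followed by the Matching Activity Records (XML and JSON).
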
  • XML:
<Who>Administrator</Who>
<DataSource>
SharePoint
</DataSource>
<Action Operator="NotEqualTo">
Read
</Action>
  • JSON:
"Who" : "Administrator",
"DataSource" : "SharePoint",
"Action" : {
"NotEqualTo" : "Read"
}

Retrieves all activity records where the administrator performed any action on SharePoint except Read.

  • XML:
<ActivityRecord>
<Action>Added</Action>
<MonitoringPlan>
<ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
<Name>Compliance</Name>
</MonitoringPlan>
<DataSource>SharePoint</DataSource>
<Item>
<Name>http://demolabsp:8080 (SharePoint farm)</Name>
</Item>
<ObjectType>List</ObjectType>
<RID>20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7</RID>
<What>http://demolabsp/lists/Taskslist</What>
<When>2017-02-17T09:28:35Z</When>
<Where>http://demolabsp</Where>
<Who>Enterprise\Administrator</Who>
<Workstation>172.28.15.126</Workstation>
</ActivityRecord>
<ActivityRecord>
<Action>Removed</Action>
<MonitoringPlan>
<ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
<Name>Compliance</Name>
</MonitoringPlan>
<DataSource>SharePoint</DataSource>
<Item>
<Name>http://demolabsp:8080 (SharePoint farm)</Name>
</Item>
<ObjectType>List</ObjectType>
<RID>20160217093959797091D091D2EAF4A89BF7A1CCC27D15857</RID>
<What>http://demolabsp/lists/Old/Taskslist</What>
<When>2017-02-17T09:28:35Z</When>
<Where>http://demolabsp</Where>
<Who>Enterprise\Administrator</Who>
<Workstation>172.28.15.126</Workstation>
</ActivityRecord>
  • JSON:
{
"Action": "Added",
"MonitoringPlan": {
"ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
"Name": "Compliance"
},
"DataSource": "SharePoint",
"Item": {"Name": "http://demolabsp:8080 (SharePoint farm)"},
"ObjectType" : "List",
"RID" : "20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7",
"What" : "http://demolabsp/lists/Taskslist",
"When" : "2017-02-17T09:28:35Z",
"Where" : "http://demolabsp",
"Who" : "Enterprise\\Administrator",
"Workstation" : "172.28.15.126"
},
{
"Action" : "Removed",
"MonitoringPlan": {
"ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
"Name": "Compliance"
},
"DataSource": "SharePoint",
"Item": {"Name": "http://demolabsp:8080 (SharePoint farm)"},
"ObjectType" : "List",
"RID": "20160217093959797091D091D2EAF4A89BF7A1CCC27D15857",
"What" : "http://demolabsp/lists/Old/Taskslist",
"When" : "2017-02-17T09:28:35Z",
"Where" : "http://demolabsp",
"Who" : "Enterprise\\Administrator",
"Workstation" : "172.28.15.126"
}
  • XML:
<Who>Administrator</Who>
<Action>Added</Action>
  • JSON:
"Who" : "Administrator",
"Action" : "Added"

Retrieves all activity records where the administrator added an object within any data source.

  • XML:
<ActivityRecord>
<Action>Added</Action>
<MonitoringPlan>
<ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
<Name>Compliance</Name>
</MonitoringPlan>
<DataSource>SharePoint</DataSource>
<Item>
<Name>http://demolabsp:8080 (SharePoint farm)</Name>
</Item>
<ObjectType>List</ObjectType>
<RID>20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7</RID>
<What>http://demolabsp/lists/Taskslist</What>
<When>2017-02-17T09:28:35Z</When>
<Where>http://demolabsp</Where>
<Who>Enterprise\Administrator</Who>
<Workstation>172.28.15.126</Workstation>
</ActivityRecord>
<ActivityRecord>
<Action>Added</Action>
<MonitoringPlan>
<ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
<Name>Compliance</Name>
</MonitoringPlan>
<DataSource>Exchange</DataSource>
<Item>
<Name>enterprise.local (Domain)</Name>
</Item>
<ObjectType>Mailbox</ObjectType>
<RID>2016021116354759207E9DDCEEB674986AD30CD3D13F5DEA3</RID>
<What>Shared Mailbox</What>
<When>2017-02-10T14:46:00Z</When>
<Where>eswks.enterprise.local</Where>
<Who>Enterprise\Administrator</Who>
</ActivityRecord>
  • JSON:
{
"Action" : "Added",
"MonitoringPlan": {
"ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
"Name": "Compliance"
},
"DataSource": "SharePoint",
"Item": {"Name": "http://demolabsp:8080 (SharePoint farm)"},
"ObjectType": "List",
"RID": "20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7",
"What": "http://demolabsp/lists/Taskslist",
"When": "2017-02-17T09:28:35Z",
"Where": "http://demolabsp",
"Who": "Enterprise\\Administrator",
"Workstation": "172.28.15.126"
},
{
"Action" : "Added",
"MonitoringPlan": {
"ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
"Name": "Compliance"
},
"DataSource" : "Exchange",
"Item": {"Name": "enterprise.local (Domain)"},
"ObjectType" : "Mailbox",
"RID": "2016021116354759207E9DDCEEB674986AD30CD3D13F5DEA3",
"What": "Shared Mailbox",
"When": "2017-02-10T14:46:00Z",
"Where": "eswks.enterprise.local",
"Who": "Enterprise\\Administrator"
}
  • XML:
<Who>Admin</Who>
<Who>Analyst</Who>
  • JSON:
"Who" : [ "Admin" , "Analyst" ]

Retrieves all activity records where the admin or the analyst made any changes within any data source.

  • XML:
<ActivityRecord>
<Action>Added</Action>
<MonitoringPlan>
<ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
<Name>Compliance</Name>
</MonitoringPlan>
<DataSource>File Servers</DataSource>
<Item>
<Name>wks.enterprise.local (Computer)</Name>
</Item>
<ObjectType>Folder</ObjectType>
<RID>2016021116354759207E9DDCEEB674986AD30CD3D13F5DDA3</RID>
<What>Annual_Reports</What>
<When>2017-02-10T14:46:00Z</When>
<Where>wks.enterprise.local</Where>
<Who>Enterprise\Admin</Who>
</ActivityRecord>
<ActivityRecord>
<Action>Removed</Action>
<MonitoringPlan>
<ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
<Name>Compliance</Name>
</MonitoringPlan>
<DataSource>Active Directory</DataSource>
<Item>
<Name>enterprise.local (Domain)</Name>
</Item>
<ObjectType>User</ObjectType>
<RID>2016021116354759207E9DDCEEB674986AD30CD3D13F5DAA3</RID>
<What>Anna.Smith</What>
<When>2017-02-10T10:46:00Z</When>
<Where>dc1.enterprise.local</Where>
<Who>Enterprise\Analyst</Who>
<Workstation>172.28.6.15</Workstation>
</ActivityRecord>
  • JSON:
{
"Action": "Added",
"MonitoringPlan": {
"ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
"Name": "Compliance"
},
"DataSource" : "File Servers",
"Item": {"Name": "wks.enterprise.local (Computer)"},
"ObjectType": "Folder",
"RID": "2016021116354759207E9DDCEEB674986AD30CD3D13F5DDA3",
"What": "Annual_Reports",
"When": "2017-02-10T14:46:00Z",
"Where": "wks.enterprise.local",
"Who": "Enterprise\\Admin"
},
{
"Action": "Removed",
"MonitoringPlan": {
"ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
"Name": "Compliance"
},
"DataSource": "Active Directory",
"Item": {"Name": "enterprise.local (Domain)"},
"ObjectType": "User",
"RID": "2016021116354759207E9DDCEEB674986AD30CD3D13F5DAA3",
"What": "Anna.Smith",
"When": "2017-02-10T10:46:00Z",
"Where": "dc1.enterprise.local",
"Who": "Enterprise\\Analyst",
"Workstation": "172.28.6.15"
}
  • XML:
<When>
<LastSevenDays/>
</When>
<When>
<From>
2017-01-16T16:30:00Z
</From>
<To>
2017-02-01T00:00:00Z
</To>
</When>
  • JSON:
"When" : [
"LastSevenDays",
{
"From" : "2017-01-16T16:30:00Z",
"To" : "2017-02-01T00:00:00Z"
}
]

Retrieves all activity records for all data sources and users within the specified date ranges:

  • January 16, 2017 to February 1, 2017
  • March 11, 2017 to March 17, 2017 (assuming today is March 17).


  • XML:
<ActivityRecord>
<Action>Modified</Action>
<MonitoringPlan>
<ID>{42F64379-163E-4A43-A9C5-4514C5A23701}</ID>
<Name>My Cloud</Name>
</MonitoringPlan>
<DataSource>Exchange Online</DataSource>
<Item>
<Name>mail@corp.onmicrosoft.com (Office 365 tenant)</Name>
</Item>
<ObjectType>Mailbox</ObjectType>
<RID>201602170939597970997D56DDA034420B9044249CC15EC5A</RID>
<What>Shared Mailbox</What>
<When>2017-03-17T09:37:11Z</When>
<Where>BLUPR05MB1940</Where>
<Who>admin@corp.onmicrosoft.com</Who>
</ActivityRecord>
<ActivityRecord>
<Action>Successful Logon</Action>
<MonitoringPlan>
<ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
<Name>Compliance</Name>
</MonitoringPlan>
<DataSource>Logon Activity</DataSource>
<Item>
<Name>enterprise.local (Domain)</Name>
</Item>
<ObjectType>Logon</ObjectType>
<RID>20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7</RID>
<What>stationexchange.enterprise.local</What>
<When>2017-02-17T09:28:35Z</When>
<Where>enterprisedc1.enterprise.local</Where>
<Who>ENTERPRISE\Administrator</Who>
<Workstation>stwin12R2.enterprise.local</Workstation>
</ActivityRecord>
  • JSON:
{
"Action" : "Modified",
"MonitoringPlan": {
"ID": "{42F64379-163E-4A43-A9C5-4514C5A23701}",
"Name": "My Cloud"
},
"DataSource": "Exchange Online",
"Item": {
"Name": "mail@corp.onmicrosoft.com (Office 365 tenant)"
},
"ObjectType" : "Mailbox",
"RID" : "201602170939597970997D56DDA034420B9044249CC15EC5A",
"What" : "Shared Mailbox",
"When" : "2017-03-17T09:37:11Z",
"Where" : "BLUPR05MB1940",
"Who" : "admin@corp.onmicrosoft.com"
},
{
"Action" : "Successful Logon",
"MonitoringPlan": {
"ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
"Name": "Compliance"
},
"DataSource": "Logon Activity",
"Item": {"Name": "enterprise.local (Domain)"},
"ObjectType": "Logon",
"RID" : "20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7",
"What" : "stationexchange.enterprise.local",
"When" : "2017-02-17T09:28:35Z",
"Where" : "enterprisedc1.enterprise.local",
"Who" : "ENTERPRISE\\Administrator",
"Workstation" : "stwin12R2.enterprise.local"
}
  • XML:
<DataSource>
Logon Activity
</DataSource>
  • JSON:
"DataSource" : "Logon Activity"

Retrieves all activity records for the Logon Activity data source, irrespective of who made the logon attempt and when it was made.

  • XML:
<ActivityRecord>
<Action>Successful Logon</Action>
<MonitoringPlan>
<ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
<Name>Compliance</Name>
</MonitoringPlan>
<DataSource>Logon Activity</DataSource>
<Item>
<Name>enterprise.local (Domain)</Name>
</Item>
<ObjectType>Logon</ObjectType>
<RID>20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7</RID>
<What>stationexchange.enterprise.local</What>
<When>2017-02-17T09:28:35Z</When>
<Where>enterprisedc1.enterprise.local</Where>
<Who>ENTERPRISE\Administrator</Who>
<Workstation>stwin12R2.enterprise.local</Workstation>
</ActivityRecord>
<ActivityRecord>
<Action>Successful Logon</Action>
<MonitoringPlan>
<ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
<Name>Compliance</Name>
</MonitoringPlan>
<DataSource>Logon Activity</DataSource>
<Item>
<Name>enterprise.local (Domain)</Name>
</Item>
<ObjectType>Logon</ObjectType>
<RID>201602170939597970997D56DDA034420B9044249CC15EC5A</RID>
<What>stationwin12r2.enterprise.local</What>
<When>2017-02-17T09:37:11Z</When>
<Where>enterprisedc2.enterprise.local</Where>
<Who>ENTERPRISE\Analyst</Who>
<Workstation>stwin12R2.enterprise.local</Workstation>
</ActivityRecord>
  • JSON:
{
"Action" : "Successful Logon",
"MonitoringPlan": {
"ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
"Name": "Compliance"
},
"DataSource": "Logon Activity",
"Item": {"Name": "enterprise.local (Domain)"},
"ObjectType" : "Logon",
"RID" : "20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7",
"What" : "stationexchange.enterprise.local",
"When" : "2017-02-17T09:28:35Z",
"Where" : "enterprisedc1.enterprise.local",
"Who" : "ENTERPRISE\\Administrator",
"Workstation" : "stwin12R2.enterprise.local"
},
{
"Action" : "Successful Logon",
"MonitoringPlan": {
"ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
"Name": "Compliance"
},
"DataSource": "Logon Activity",
"Item": {"Name": "enterprise.local (Domain)"},
"ObjectType" : "Logon",
"RID" : "201602170939597970997D56DDA034420B9044249CC15EC5A",
"What" : "stationwin12r2.enterprise.local",
"When" : "2017-02-17T09:37:11Z",
"Where" : "enterprisedc2.enterprise.local",
"Who" : "ENTERPRISE\\Analyst",
"Workstation" : "stwin12R2.enterprise.local"
}
