The following are lists of fields that occur in Change Auditor for Active Directory events, organized by type of returned object. All of these fields are available in the IT Security Search web UI as clickable elements. You can also type any of these fields in your search queries.
| Field Name | Example Value | Details |
|---|---|---|
| AAD_City | "Halifax", "New York City" | Azure sign-in city |
| AAD_Country | "Canada", "US" | Azure sign-in country |
| AAD_ActivityStatusReason | User successfully reset password | Reason for activity status |
| AAD_OnPremisesTarget | RHSOFTWARE\AD_Admin | Azure AD on-premises target name |
| AAD_OnPremisesUserName | RHSOFTWARE\AD_Admin | Azure AD on-premises user name |
| AAD_State | "Nova Scotia", "New York" | Azure sign-in state |
| AAD_TargetDisplayName | AD_Admin@RHSoftware.Net | Azure AD target object display name |
| AAD_TenantDefaultDomain | QAMyProduct.onmicrosoft.com | Azure AD tenant default domain name |
| AAD_TenantDisplayName | QA QAMyProduct.onmicrosoft.com My Product | Azure AD tenant display name |
| ActionName | Modify Attribute | Name of action |
| Activity Details | User successfully reset password | Same as AAD_ActivityStatusReason |
| After | E:\NewName.txt | Same as ValueNew |
| Azure - Activity Name | Set Company Information | Same as O365_Operation |
| Before | E:\OldName.txt | Same as ValueOld |
| Description | User AD Admin in the directory had their password reset | Event description |
| DomainName | PROD | Domain where the operation was performed |
| FacilityName | Local User Monitoring | Name of facility |
| LDAP - Attributes | canonicalName, co, company, department, displayName | Attributes that were queried |
| LDAP - Elapsed | 8094 | How long the AD query took to run, in milliseconds; zero (0) indicates that it took less than a millisecond to complete |
| LDAP - Filter | (&(objectClass=user)(!(objectClass=computer))) | Filter string used in the AD query |
| LDAP - Occurrences | 1 | Number of times the AD query occurred during the specified interval |
| LDAP - Results | 52 | Number of results returned for the query |
| LDAP - Scope | This object and all children | Scope of coverage: This object only, or This object and all children |
| LDAP - Since | 2018-01-15T09:42:01.3672010Z | Date and time when the AD query was first initiated |
| Log | ChangeAuditor | Name of event log |
| Log name | ChangeAuditor | Same as Log |
| O365_Operation | Set Company Information | Office 365 operation |
| O365_SiteUrl | https://qa.sharepoint.com/sites/Certification/ | URL of Office 365 site |
| Office 365 Site URL | https://qa.sharepoint.com/sites/Certification/ | Same as O365_SiteUrl |
| On premises target | RHSOFTWARE\AD_Admin | Same as AAD_OnPremisesTarget |
| On premises user name | RHSOFTWARE\AD_Admin | Same as AAD_OnPremisesUserName |
| RelatedOU | RHSoftware.Net/AzureAD Accounts | Same as RelatedOUWhom |
| RelatedOUWhere | OU=Domain Controllers,DC=RHSoftware,DC=Net | OU where the operation was performed |
| RelatedOUWhom | RHSoftware.Net/AzureAD Accounts | OU of target object |
| Result | None | Operation result |
| SiteName | EMEA-SPB | Site where the operation was performed |
| Target display name | AD_Admin@RHSoftware.Net | Same as AAD_TargetDisplayName |
| Tenant | QAMyProduct.onmicrosoft.com | Same as AAD_TenantDisplayName |
| Tenant initial domain | QAMyProduct.onmicrosoft.com | Same as AAD_TenantDefaultDomain |
| UserName | SPB9983\Administrator | Event initiator |
| ValueNew | E:\NewName.txt | New value of the changed attribute |
| ValueOld | E:\OldName.txt | Old value of the changed attribute |
| What | Local user logged on | Event class name |
| When | 2016-11-12T06:00:00.0460000Z | When the operation was performed |
| Where | wst9983 | Where the operation was performed |
| Where_From | wst9943.sales.mycompany.com | Same as Workstation |
| Who | Administrator | Display name or name of initiator |
| WhoId | S-1-5-21-1763487455-1171009733-2095814533-500 | SID of initiator |
| Whom | WST9983\TestUser | Target object of operation |
| Whom_ObjectClass | Users | Target object's class |
| Workstation | wst9983.sales.mycompany.com | Workstation from which the operation was initiated |
The following are lists of fields that occur in Active Roles data, organized by type of returned object. All of these fields are available in the IT Security Search web UI as clickable elements. You can also type any of these fields in your search queries.
NOTE: The In UI column indicates if the field is available in the IT Security Search web UI as a clickable element. Whether or not you can click it in the UI, you can type any of these fields in your search queries. For events, all fields are displayed.
| Field Name | Example Value | Details |
|---|---|---|
| AR_ClientComputerName | ITSEARCHTEST3 | Host with Active Roles client software |
| AR_ClientVersion_Build | 2 | Build number of the Active Roles client software version |
| AR_ClientVersion_Major | 7 | Major number of the Active Roles client software version |
| AR_ClientVersion_Minor | 1 | Minor number of the Active Roles client software version |
| AR_ClientVersion_Revision | 3406 | Revision of Active Roles client software |
| AR_Server | arsit | Active Roles Server host |
| Attribute_* | New description1 | New value of attribute |
| ChangedAttributes | description,streetAddress | List of changed attributes |
| Completed | 2017-05-04T07:18:57.9741631Z | Timestamp when the operation completed |
| Control_OperationReason | Reason for modification | Reason for the operation |
| Description | Modified attributes: | Description of event |
| ID | 1-107540 | ID of operation |
| Initiated | 2017-05-04T07:18:57.9116595Z | Timestamp when the operation was initiated |
| Initiator_DN | CN=Zakhar Shkonda, | DN of initiator |
| Initiator_Guid | b58c2906-ad0b-4682- | GUID of initiator |
| Initiator_Host | ARSIT.it.sales.mycompany | Host of initiator |
| Initiator_IsDSAdmin | True | True if initiator is a DS administrator |
| Initiator_NTAccountName | IT\zs | NT account name of initiator |
| Initiator_ObjectClass | user | Class of initiator |
| Initiator_Sid | S-1-5-21-4039273466- | SID of initiator |
| Initiator_Site | Default-First-Site-Name | Site of initiator |
| Log | Active Roles | Log name |
| Logon_Site | Default-First-Site-Name | Same as Initiator_Site |
| Operation_GUID | 9b3c5524-065d-418a-9511- | GUID of operation |
| Operation_Type | Delete | Type of operation |
| Operation_TypeID | 1 | Type ID of operation |
| Reason | Reason for modification | Same as Control_OperationReason |
| RelatedOU | it.sales.mycompany/AutotestOU/ARS/FIT2711055222_0E7C | Same as TargetObject_OUCanonical |
| Result | Completed | Same as Status |
| Status | Completed | Operation status |
| StatusID | 1 | Operation status ID |
| TargetObject_DN | CN=ArsCHUser1_0E7C, | DN of target object |
| TargetObject_Guid | b6a8b5d0-e003-4421- | GUID of target object |
| TargetObject_NTAccountName | IT\ArsCHUser1_0E7C | NT account name of target object |
| TargetObject_ObjectClass | user | Class of target object |
| TargetObject_OUCanonical | it.mycompany.com/AutotestOU/ARS/FIT2711055222_0E7C | Canonical name of the object's OU |
| TargetObject_Sid | S-1-5-21-4039273466- | SID of target object |
| TargetObject_SimpleName | ArsCHUser1_0E7C | Name of target object |
| What | Delete | Same as Operation_Type |
| When | 2017-05-10T08:38:58.0000000Z | Same as Completed |
| Where | dc2.it.sales.mycompany | Host where the operation was performed |
| Who | IT\zs | Same as Initiator_NTAccountName |
| Who_DN | CN=Caroline Abbage, | Same as Initiator_DN |
| Who_Guid | b58c2906-ad0b-4682- | Same as Initiator_Guid |
| Who_IsDSAdmin | True | Same as Initiator_IsDSAdmin |
| Who_ObjectClass | user | Same as Initiator_ObjectClass |
| Who_Sid | S-1-5-21-4039273466- | Same as Initiator_Sid |
| WhoId | S-1-5-21-4039273466- | Same as Initiator_Sid |
| Whom | ArsTestDynamicGroup_CB79 | Same as TargetObject_SimpleName |
| Whom_DN | CN=ArsTestTemporalGroup_CB79, | Same as TargetObject_DN |
| Whom_Guid | eff86e4b-7800-44ce- | Same as TargetObject_Guid |
| Whom_NTAccountName | IT\ArsCHUser1_0E7C | Same as TargetObject_NTAccountName |
| Whom_ObjectClass | Groups | Same as TargetObject_ObjectClass |
| Whom_Sid | S-1-5-21-4039273466- | Same as TargetObject_Sid |
| WhomId | CN=ArsTestDynamicGroup_CB79, | Same as TargetObject_DN |
| WhomSimple | ArsTestDynamicGroup_CB79 | Same as TargetObject_SimpleName |
| Workstation | ARSIT.it.sales.mycompany | Same as Initiator_Host |

| Field Name | In UI | Example Value | Details |
|---|---|---|---|
| AccountSid | Yes | S-1-5-21-4039273466-3631535243-455089366-89812 | Computer account SID |
| Description | Yes | Storage Server | Description of computer |
| DistinguishedName | No | CN=DC1, | Computer account distinguished name; search by full value only |
| DNSHostName | Yes | DC1.it.sales.mycompany | DNS host name |
| Location | Yes | Houston | Location of computer |
| ManagedBy | No | CN=Caroline Abbage, | Same as ManagedByFullName |
| ManagedByFullName | No | CN=Caroline Abbage, | Distinguished name of the manager of the computer account; search by full value only |
| Name | Yes | DC1 | Same as NetBiosName |
| NetBiosName | Yes | DC1 | NetBIOS name of computer |
| NumLogons | Yes | 12656 | Logon count |
| ObjectCategory | Yes | computer | Object class = computer |
| ObjectGUID | No | ddd94ab4-5de6-4696-a93c-433cf9827c28 | Object GUID of computer account |
| OSName | Yes | Windows Server 2008 R2 Enterprise | OS name |
| OSServicePack | Yes | Service Pack 1 | OS service pack |
| OSVersion | Yes | 6.1 (7601) | OS version |
| Where | Yes | DC1 | Same as NetBiosName |
| Who | Yes | CN=Caroline Abbage, | Same as ManagedByFullName |

| Field Name | In UI | Example Value | Details |
|---|---|---|---|
| CN | Yes | Users | Common name of group |
| Description | Yes | Houston internal group for notification | Description of group |
| DisplayName | Yes | Users | Display name of group |
| DistinguishedName | No | CN=MCDL.RD.Notification, OU=RD, OU=Groups, DC=it, DC=sales, DC=mycompany | Distinguished name of group; search by full value only |
|  | Yes | MCDL.RD.Notification@it.sales.mycompany | Email address of group |
| GroupType | No | -2147483640 | Integer value of a bitmask that encodes the group type and scope; search by full value only (more details at https://msdn.microsoft.com/en-us/library/ms675935.aspx) |
| HomePage | Yes | http://homepage | Home page of group |
| Info | Yes | Some info | Additional information about group |
| ManagedBy | No | CN=Caroline Abbage, OU=Employees, DC=it, DC=sales, DC=mycompany | Same as ManagedByFullName |
| ManagedByFullName | Yes | CN=Caroline Abbage, OU=Employees, DC=it, DC=sales, DC=mycompany | Distinguished name of the manager of the group; search by full value only |
| Name | Yes | Users | Name of group |
| ObjectCategory | Yes | group | Object class = group |
| ObjectGUID | No | 80b090a2-968f-42e6-bc76-6e2505f43759 | GUID of group object |
| SAMAccountName | Yes | Users | SAMAccountName of group |
| Url | Yes | http://groupname | URL of group |
| Who | Yes | CN=Caroline Abbage, OU=Employees, DC=it, DC=sales, DC=mycompany | Same as ManagedByFullName |

| Field Name | In UI | Example Value | Details |
|---|---|---|---|
| Description | Yes | Default container for Defender objects | Description of OU |
| DistinguishedName | No | OU=BestEmployees, DC=it, DC=sales, DC=mycompany | Distinguished name of OU; search by full value only |
| ManagedBy | No | CN=Clive Herry, OU=mgmt, OU=TestUsers, DC=it, DC=sales, DC=mycompany | Same as ManagedByFullName |
| ManagedByFullName | Yes | CN=Clive Herry, OU=mgmt, OU=TestUsers, DC=it, DC=sales, DC=mycompany | Distinguished name of the manager of the OU; search by full value only |
| Name | Yes | Users | Name of OU |
| ObjectCategory | Yes | organizationalUnit | Object class = organizationalUnit or container |
| ObjectGUID | No | 675205fb-4d29-44b6-9284-69e867689f38 | GUID of OU |
| USNChanged | No | 9296605 | USN-Changed attribute of OU; search by full value only |

| Field Name | In UI | Example Value | Details |
|---|---|---|---|
| AccountSid | No | S-1-5-21-4039273466- | User SID; search by full value only |
| Company | Yes | MyCompany | Company name |
| Country | Yes | United States | Country name |
| Department | Yes | Sales | Department name |
| DisplayName | No | Caroline Abbage | User display name |
| DistinguishedName | No | CN=Caroline Abbage, OU=Employees, DC=it, DC=sales, DC=mycompany | User distinguished name; search by full value only |
| EmailAddress | Yes | Caroline.Abbage@sales.mycompany.com | Email address |
| HomePhoneNumber | Yes | +1 410 531 0638 | Home telephone number |
| Logon Name | Yes |  | Same as LogonName |
| LogonName | No | SVC-Scanner@main.mycompany.corp | Logon name for the domain user |
| ManagedBy | No | CN=Caroline Abbage, OU=Employees, DC=it, DC=sales, DC=mycompany | Same as ManagedByFullName |
| ManagedByFullName | No | CN=Caroline Abbage, OU=Employees, DC=it, DC=sales, DC=mycompany | Distinguished name of the manager of the user; search by full value only |
| Mobile | Yes | + 911 9 769 8889 | Mobile phone number |
| Name | Yes | Caroline Abbage | User name |
| ObjectCategory | Yes | user | Object class = user |
| ObjectGUID | No | 861205fb-4d29-44b6- | User object GUID; search by full value only |
| Office | Yes | Ludlow st. 80, suite 200 | Physical delivery office name |
| SAMAccountName | Yes | jcdenton | SAMAccountName of user |
| StreetAddress | Yes | Ludlow st. 80 | Street address |
| TelephoneNumber | Yes | + 123 4 567 8900 | Telephone number |
| Title | Yes | Mgr, Sales | User job title |
| USNChanged | No | 9296605 | USN-Changed attribute of user; search by full value only |
| Who | No | Administrator | Searches the following attributes: SAMAccountName, DisplayName, AccountSid, DistinguishedName |

The following are lists of fields that occur in Recovery Manager for Active Directory data, organized by type of returned object.
NOTE: The In UI column indicates if the field is available in the IT Security Search web UI as a clickable element. Whether or not you can click it in the UI, you can type any of these fields in your search queries.
| Field Name | In UI | Example Value | Details |
|---|---|---|---|
| AccountSid | Yes | S-1-5-21-4039273466-3631535243-455089366-89812 | Computer account SID |
| Description | Yes | Storage Server | Description of computer |
| DistinguishedName | No | CN=DC1, | Computer account distinguished name; search by full value only |
| DNSHostName | Yes | DC1.it.sales.mycompany | DNS host name |
| Location | Yes | Houston | Location of computer |
| ManagedBy | No | CN=Caroline Abbage, | Same as ManagedByFullName |
| ManagedByFullName | No | CN=Caroline Abbage, | Distinguished name of the manager of the computer account; search by full value only |
| Name | Yes | DC1 | Same as NetBiosName |
| NetBiosName | Yes | DC1 | NetBIOS name of computer |
| NumLogons | Yes | 12656 | Logon count |
| ObjectCategory | Yes | computer | Object class = computer |
| ObjectGUID | No | ddd94ab4-5de6-4696-a93c-433cf9827c28 | Object GUID of computer account |
| OSName | Yes | Windows Server 2008 R2 Enterprise | OS name |
| OSServicePack | Yes | Service Pack 1 | OS service pack |
| OSVersion | Yes | 6.1 (7601) | OS version |
| Where | Yes | DC1 | Same as NetBiosName |
| Who | Yes | CN=Caroline Abbage, | Same as ManagedByFullName |

| Field Name | In UI | Example Value | Details |
|---|---|---|---|
| CN | Yes | Users | Common name of group |
| Description | Yes | Houston internal group for notification | Description of group |
| DisplayName | Yes | Users | Display name of group |
| DistinguishedName | No | CN=MCDL.RD.Notification, OU=RD, OU=Groups, DC=it, DC=sales, DC=mycompany | Distinguished name of group; search by full value only |
|  | Yes | MCDL.RD.Notification@it.sales.mycompany | Email address of group |
| GroupType | No | -2147483640 | Integer value of a bitmask that encodes the group type and scope; search by full value only (more details at https://msdn.microsoft.com/en-us/library/ms675935.aspx) |
| HomePage | Yes | http://homepage | Home page of group |
| Info | Yes | Some info | Additional information about group |
| ManagedBy | No | CN=Caroline Abbage, OU=Employees, DC=it, DC=sales, DC=mycompany | Same as ManagedByFullName |
| ManagedByFullName | Yes | CN=Caroline Abbage, OU=Employees, DC=it, DC=sales, DC=mycompany | Distinguished name of the manager of the group; search by full value only |
| Name | Yes | Users | Name of group |
| ObjectCategory | Yes | group | Object class = group |
| ObjectGUID | No | 80b090a2-968f-42e6-bc76-6e2505f43759 | GUID of group object |
| SAMAccountName | Yes | Users | SAMAccountName of group |
| Url | Yes | http://groupname | URL of group |
| Who | Yes | CN=Caroline Abbage, OU=Employees, DC=it, DC=sales, DC=mycompany | Same as ManagedByFullName |

| Field Name | In UI | Example Value | Details |
|---|---|---|---|
| Description | Yes | Default container for Defender objects | Description of OU |
| DistinguishedName | No | OU=BestEmployees, DC=it, DC=sales, DC=mycompany | Distinguished name of OU; search by full value only |
| ManagedBy | No | CN=Clive Herry, OU=mgmt, OU=TestUsers, DC=it, DC=sales, DC=mycompany | Same as ManagedByFullName |
| ManagedByFullName | Yes | CN=Clive Herry, OU=mgmt, OU=TestUsers, DC=it, DC=sales, DC=mycompany | Distinguished name of the manager of the OU; search by full value only |
| Name | Yes | Users | Name of OU |
| ObjectCategory | Yes | organizationalUnit | Object class = organizationalUnit or container |
| ObjectGUID | No | 675205fb-4d29-44b6-9284-69e867689f38 | GUID of OU |
| USNChanged | No | 9296605 | USN-Changed attribute of OU; search by full value only |

| Field Name | In UI | Example Value | Details |
|---|---|---|---|
| AccountSid | No | S-1-5-21-4039273466- | User SID; search by full value only |
| Company | Yes | MyCompany | Company name |
| Country | Yes | United States | Country name |
| Department | Yes | Sales | Department name |
| DisplayName | No | Caroline Abbage | User display name |
| DistinguishedName | No | CN=Caroline Abbage, OU=Employees, DC=it, DC=sales, DC=mycompany | User distinguished name; search by full value only |
| EmailAddress | Yes | Caroline.Abbage@sales.mycompany.com | Email address |
| HomePhoneNumber | Yes | +1 410 531 0638 | Home telephone number |
| Logon Name | No |  | Same as LogonName |
| LogonName | No | SVC-Scanner@main.mycompany.corp | Logon name for the domain user |
| ManagedBy | No | CN=Caroline Abbage, OU=Employees, DC=it, DC=sales, DC=mycompany | Same as ManagedByFullName |
| ManagedByFullName | No | CN=Caroline Abbage, OU=Employees, DC=it, DC=sales, DC=mycompany | Distinguished name of the manager of the user; search by full value only |
| Mobile | Yes | + 911 9 769 8889 | Mobile phone number |
| Name | Yes | Caroline Abbage | User name |
| ObjectCategory | Yes | user | Object class = user |
| ObjectGUID | No | 861205fb-4d29-44b6- | User object GUID; search by full value only |
| Office | Yes | Ludlow st. 80, suite 200 | Physical delivery office name |
| SAMAccountName | Yes | jcdenton | SAMAccountName of user |
| StreetAddress | Yes | Ludlow st. 80 | Street address |
| TelephoneNumber | Yes | + 123 4 567 8900 | Telephone number |
| Title | Yes | Mgr, Sales | User job title |
| USNChanged | No | 9296605 | USN-Changed attribute of user; search by full value only |
| Who | No | Administrator | Searches the following attributes: SAMAccountName, DisplayName, AccountSid, DistinguishedName |

You can save any search for later reuse. Any IT Security Search operator or administrator can save searches and run saved searches, but only administrators can make them public for shared use.
To save a search, click the drop-down icon at the left edge of the search box and click Save Current Search. Proceed to configure your search in the popup that appears:
For example, Domain:{{Domain}} will make IT Security Search prompt you for the value of the Domain field, labeled "Domain"; Domain:{{Active Directory Domain}} will also prompt you for the value of Domain, but the label will be "Active Directory Domain". You can manually construct search strings that include this syntax, without using the field selector. This helps you provide descriptive labels for parameters.
When you have configured these options, click Save.
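As an added illustration of the Field:{{Label}} parameter syntax described above (example code written for this page, not part of IT Security Search), the following functions list the prompts a saved search would raise and fill them in from the values an operator supplies. Two things are assumptions: the characters allowed in a field name, and that everything outside the placeholders is opaque query text that is passed through unchanged.

```python
import re
from typing import Dict, List, Tuple

# One placeholder of the form Field:{{Label}}: the field name before the colon
# and the prompt label inside the double braces. Labels may contain spaces
# ("Active Directory Domain"). The field-name character class is an assumption
# made for this illustration, not something the product documentation states.
_PLACEHOLDER = re.compile(r"(?P<field>[A-Za-z0-9_]+):\{\{(?P<label>[^{}]+)\}\}")


def list_prompts(query: str) -> List[Tuple[str, str]]:
    """Return (field, label) pairs in order of first appearance.

    A placeholder that is repeated verbatim produces a single prompt.
    """
    prompts: List[Tuple[str, str]] = []
    for m in _PLACEHOLDER.finditer(query):
        pair = (m.group("field"), m.group("label").strip())
        if pair not in prompts:
            prompts.append(pair)
    return prompts


def missing_prompts(query: str, answers: Dict[str, str]) -> List[str]:
    """Labels used in the query for which `answers` holds no value."""
    return [label for _field, label in list_prompts(query) if label not in answers]


def render(query: str, answers: Dict[str, str]) -> str:
    """Replace every Field:{{Label}} with Field:<value entered for Label>.

    Refuses to emit a half-filled query: if any prompt is unanswered, a
    KeyError naming the missing labels is raised instead.
    """
    missing = missing_prompts(query, answers)
    if missing:
        raise KeyError("no value supplied for prompt(s): " + ", ".join(missing))

    def substitute(m: re.Match) -> str:
        return f"{m.group('field')}:{answers[m.group('label').strip()]}"

    return _PLACEHOLDER.sub(substitute, query)


if __name__ == "__main__":
    # Constructed saved-search text; the field names come from the tables above.
    saved = "DomainName:{{Active Directory Domain}} Who:{{Initiator}}"
    print(list_prompts(saved))
    print(render(saved, {"Active Directory Domain": "PROD", "Initiator": "Administrator"}))
```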
To run an existing saved search, click the drop-down icon at the left edge of the search box; the available saved searches are listed at the bottom of the popup that appears. You can filter the list by clicking tag buttons in the Saved Search Categories drop-down.
Only IT Security Search administrators can publish a search to make it available to all operators.
In the saved search list, the items have a lock icon showing their state. A private search has a closed lock icon; click the icon to make it public. A public search has an open lock icon; click the icon to make it private.
To delete a saved search, highlight it in the saved search list and click the cross icon.
Saved search import and export capabilities help you back up and restore your IT data analysis knowledge and share it with other IT Security Search users.
To use the Import and Export actions, click the drop-down icon at the left edge of the search box; these actions are available at the top of the drop-down menu.
When you click Export, you are prompted to save a *.yaml file. The resulting file will contain all saved searches created under your account plus any saved searches made public by administrators.
NOTE: This action saves not only searches but also any custom action links defined in your IT Security Search deployment. For details about making custom action links, see Customizing Action Links.
When you click Import, you are prompted to select a previously exported *.yaml file. If the file includes any searches with the same names as your existing searches, you have the option to collectively skip, overwrite or automatically rename such searches.
IMPORTANT: Overwriting administrator-created public saved searches is disallowed for IT Security Search operators, but not for administrators; in this situation, if you are an operator, the search in the source file is silently skipped instead.
© 2024 Quest Software Inc. ALL RIGHTS RESERVED.