
Reference for Creating Search Parameters File

Review this section to learn more about operators and how to apply them to Activity Record filters to create a unique search. You can:

  • Add different filters to your search. Search results must match all selected filters, since the filters are combined with a logical AND.

    Format  Example
    XML     <Who Operator="Equals">Admin</Who> <DataSource Operator="NotEqualTo">Active Directory</DataSource> <What>User</What>
    JSON    "Who" : { "Equals" : "Admin" }, "DataSource" : { "NotEqualTo" : "Active Directory" }, "What" : "User"

  • Specify several values for the same filter. To do this, add two entries one after another.

    Entries with Equals, Contains, StartsWith, EndsWith, and InGroup operators work as a logical OR (Activity Records with either of the following values will be returned). Entries with DoesNotContain and NotEqualTo operators work as a logical AND (Activity Records with neither of the following values will be returned).

    Format  Example
    XML     <Who>Admin</Who> <Who>Analyst</Who>
    JSON    "Who" : [ "Admin" , "Analyst" ]

    In JSON, use square brackets to add several values for the entry.
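
The combination rules above, modelled locally so a filter set can be checked against sample records before it is used in a search. This is an added example, not Netwrix code. The operator names come from this page; the default operator (Contains), case-insensitive comparison, and the list-of-objects shape for several operator entries are assumptions, and InGroup and When are not modelled.

```python
# Added illustration (not Netwrix code): local model of the filter rules on this page.
POSITIVE = {  # several entries for one filter are OR-ed
    "Equals": lambda field, v: field == v,
    "Contains": lambda field, v: v in field,
    "StartsWith": lambda field, v: field.startswith(v),
    "EndsWith": lambda field, v: field.endswith(v),
}
NEGATIVE = {  # several entries for one filter are AND-ed
    "NotEqualTo": lambda field, v: field != v,
    "DoesNotContain": lambda field, v: v not in field,
}
DEFAULT_OPERATOR = "Contains"  # assumption for entries written without an operator

def _entries(spec):
    """Normalize one filter's value into a list of (operator, value) pairs."""
    pairs = []
    for entry in spec if isinstance(spec, list) else [spec]:
        pairs += entry.items() if isinstance(entry, dict) else [(DEFAULT_OPERATOR, entry)]
    return pairs

def matches(record, filters):
    """True when the record satisfies every filter (filters are AND-ed)."""
    for name, spec in filters.items():
        field = str(record.get(name, "")).lower()  # assumption: case-insensitive
        positive, negative = [], []
        for op, value in _entries(spec):
            value = str(value).lower()
            if op in POSITIVE:
                positive.append(POSITIVE[op](field, value))
            elif op in NEGATIVE:
                negative.append(NEGATIVE[op](field, value))
            else:
                raise ValueError(f"operator not modelled here: {op}")
        if (positive and not any(positive)) or not all(negative):
            return False
    return True

def search(records, filters):
    """Return the What field of every record that matches the filters."""
    return [r["What"] for r in records if matches(r, filters)]

# Constructed sample records, trimmed from the ones shown on this page.
RECORDS = [dict(zip(("Who", "Action", "DataSource", "What"), row)) for row in [
    ("Enterprise\\Administrator", "Added", "SharePoint", "Taskslist"),
    ("Enterprise\\Administrator", "Read", "SharePoint", "Old/Taskslist"),
    ("Enterprise\\Administrator", "Added", "Exchange", "Shared Mailbox"),
    ("Enterprise\\Analyst", "Removed", "Active Directory", "Anna.Smith"),
]]
```

For example, `search(RECORDS, {"Who": {"Equals": "Admin"}})` returns nothing because the stored value is `Enterprise\Administrator`, while the same filter without an operator matches under the assumed Contains default.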

Review the following for additional information:

The table below shows filters and Activity Records matching them.

Filters:

  - XML: <Who>Administrator</Who> <DataSource>SharePoint</DataSource> <Action Operator="NotEqualTo">Read</Action>
  - JSON: "Who" : "Admin", "DataSource" : "SharePoint", "Action" : { "NotEqualTo" : "Read" }

Retrieves all activity records where administrator made any actions on SharePoint, except Read.

Matching Activity Records:

  - XML:

        <ActivityRecord>
          <Action>Added</Action>
          <MonitoringPlan>
            <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
            <Name>Compliance</Name>
          </MonitoringPlan>
          <DataSource>SharePoint</DataSource>
          <Item>
            <Name>http://demolabsp:8080 (SharePoint farm)</Name>
          </Item>
          <ObjectType>List</ObjectType>
          <RID>20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7</RID>
          <What>http://demolabsp/lists/Taskslist</What>
          <When>2017-02-17T09:28:35Z</When>
          <Where>http://demolabsp</Where>
          <Who>Enterprise\Administrator</Who>
          <Workstation>172.28.15.126</Workstation>
        </ActivityRecord>
        <ActivityRecord>
          <Action>Removed</Action>
          <MonitoringPlan>
            <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
            <Name>Compliance</Name>
          </MonitoringPlan>
          <DataSource>SharePoint</DataSource>
          <Item>
            <Name>http://demolabsp:8080 (SharePoint farm)</Name>
          </Item>
          <ObjectType>List</ObjectType>
          <RID>20160217093959797091D091D2EAF4A89BF7A1CCC27D15857</RID>
          <What>http://demolabsp/lists/Old/Taskslist</What>
          <When>2017-02-17T09:28:35Z</When>
          <Where>http://demolabsp</Where>
          <Who>Enterprise\Administrator</Who>
          <Workstation>172.28.15.126</Workstation>
        </ActivityRecord>

  - JSON:

        {
          "Action": "Added",
          "MonitoringPlan": { "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", "Name": "Compliance" },
          "DataSource": "SharePoint",
          "Item": { "Name": "http://demolabsp:8080 (SharePoint farm)" },
          "ObjectType": "List",
          "RID": "20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7",
          "What": "http://demolabsp/lists/Taskslist",
          "When": "2017-02-17T09:28:35Z",
          "Where": "http://demolabsp",
          "Who": "Enterprise\\Administrator",
          "Workstation": "172.28.15.126"
        },
        {
          "Action": "Removed",
          "MonitoringPlan": { "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", "Name": "Compliance" },
          "DataSource": "SharePoint",
          "Item": { "Name": "http://demolabsp:8080 (SharePoint farm)" },
          "ObjectType": "List",
          "RID": "20160217093959797091D091D2EAF4A89BF7A1CCC27D15857",
          "What": "http://demolabsp/lists/Old/Taskslist",
          "When": "2017-02-17T09:28:35Z",
          "Where": "http://demolabsp",
          "Who": "Enterprise\\Administrator",
          "Workstation": "172.28.15.126"
        }

Filters:

  - XML: <Who>Administrator</Who> <Action>Added</Action>
  - JSON: "Who" : "Administrator", "Action" : "Added"

Retrieves all activity records where administrator added an object within any data source.

Matching Activity Records:

  - XML:

        <ActivityRecord>
          <Action>Added</Action>
          <MonitoringPlan>
            <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
            <Name>Compliance</Name>
          </MonitoringPlan>
          <DataSource>SharePoint</DataSource>
          <Item>
            <Name>http://demolabsp:8080 (SharePoint farm)</Name>
          </Item>
          <ObjectType>List</ObjectType>
          <RID>20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7</RID>
          <What>http://demolabsp/lists/Taskslist</What>
          <When>2017-02-17T09:28:35Z</When>
          <Where>http://demolabsp</Where>
          <Who>Enterprise\Administrator</Who>
          <Workstation>172.28.15.126</Workstation>
        </ActivityRecord>
        <ActivityRecord>
          <Action>Added</Action>
          <MonitoringPlan>
            <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
            <Name>Compliance</Name>
          </MonitoringPlan>
          <DataSource>Exchange</DataSource>
          <Item>
            <Name>enterprise.local (Domain)</Name>
          </Item>
          <ObjectType>Mailbox</ObjectType>
          <RID>2016021116354759207E9DDCEEB674986AD30CD3D13F5DEA3</RID>
          <What>Shared Mailbox</What>
          <When>2017-02-10T14:46:00Z</When>
          <Where>eswks.enterprise.local</Where>
          <Who>Enterprise\Administrator</Who>
        </ActivityRecord>

  - JSON:

        {
          "Action": "Added",
          "MonitoringPlan": { "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", "Name": "Compliance" },
          "DataSource": "SharePoint",
          "Item": { "Name": "http://demolabsp:8080 (SharePoint farm)" },
          "ObjectType": "List",
          "RID": "20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7",
          "What": "http://demolabsp/lists/Taskslist",
          "When": "2017-02-17T09:28:35Z",
          "Where": "http://demolabsp",
          "Who": "Enterprise\\Administrator",
          "Workstation": "172.28.15.126"
        },
        {
          "Action": "Added",
          "MonitoringPlan": { "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", "Name": "Compliance" },
          "DataSource": "Exchange",
          "Item": { "Name": "enterprise.local (Domain)" },
          "ObjectType": "Mailbox",
          "RID": "2016021116354759207E9DDCEEB674986AD30CD3D13F5DEA3",
          "What": "Shared Mailbox",
          "When": "2017-02-10T14:46:00Z",
          "Where": "eswks.enterprise.local",
          "Who": "Enterprise\\Administrator"
        }

Filters:

  - XML: <Who>Admin</Who> <Who>Analyst</Who>
  - JSON: "Who" : [ "Admin" , "Analyst" ]

Retrieves all activity records where admin or analyst made any changes within any data source.

Matching Activity Records:

  - XML:

        <ActivityRecord>
          <Action>Added</Action>
          <MonitoringPlan>
            <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
            <Name>Compliance</Name>
          </MonitoringPlan>
          <DataSource>File Servers</DataSource>
          <Item>
            <Name>wks.enterprise.local (Computer)</Name>
          </Item>
          <ObjectType>Folder</ObjectType>
          <RID>2016021116354759207E9DDCEEB674986AD30CD3D13F5DDA3</RID>
          <What>Annual_Reports</What>
          <When>2017-02-10T14:46:00Z</When>
          <Where>wks.enterprise.local</Where>
          <Who>Enterprise\Admin</Who>
        </ActivityRecord>
        <ActivityRecord>
          <Action>Removed</Action>
          <MonitoringPlan>
            <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
            <Name>Compliance</Name>
          </MonitoringPlan>
          <DataSource>Active Directory</DataSource>
          <Item>
            <Name>enterprise.local (Domain)</Name>
          </Item>
          <ObjectType>User</ObjectType>
          <RID>2016021116354759207E9DDCEEB674986AD30CD3D13F5DAA3</RID>
          <What>Anna.Smith</What>
          <When>2017-02-10T10:46:00Z</When>
          <Where>dc1.enterprise.local</Where>
          <Who>Enterprise\Analyst</Who>
          <Workstation>172.28.6.15</Workstation>
        </ActivityRecord>

  - JSON:

        {
          "Action": "Added",
          "MonitoringPlan": { "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", "Name": "Compliance" },
          "DataSource": "File Servers",
          "Item": { "Name": "wks.enterprise.local (Computer)" },
          "ObjectType": "Folder",
          "RID": "2016021116354759207E9DDCEEB674986AD30CD3D13F5DDA3",
          "What": "Annual_Reports",
          "When": "2017-02-10T14:46:00Z",
          "Where": "wks.enterprise.local",
          "Who": "Enterprise\\Admin"
        },
        {
          "Action": "Removed",
          "MonitoringPlan": { "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", "Name": "Compliance" },
          "DataSource": "Active Directory",
          "Item": { "Name": "enterprise.local (Domain)" },
          "ObjectType": "User",
          "RID": "2016021116354759207E9DDCEEB674986AD30CD3D13F5DAA3",
          "What": "Anna.Smith",
          "When": "2017-02-10T10:46:00Z",
          "Where": "dc1.enterprise.local",
          "Who": "Enterprise\\Analyst",
          "Workstation": "172.28.6.15"
        }

Filters:

  - XML:

        <When>
          <LastSevenDays/>
        </When>
        <When>
          <From>2017-01-16T16:30:00Z</From>
          <To>2017-02-01T00:00:00Z</To>
        </When>

  - JSON: "When" : [ {"LastSevenDays" : ""}, { "From" : "2017-01-16T16:30:00Z", "To" : "2017-02-01T00:00:00Z" } ]

Retrieves all activity records for all data sources and users within a specified date range:

  - January 16, 2017 to February 1, 2017
  - March 11, 2017 to March 17, 2017 (assuming today is March 17).

Matching Activity Records:

  - XML:

        <ActivityRecord>
          <Action>Modified</Action>
          <MonitoringPlan>
            <ID>{42F64379-163E-4A43-A9C5-4514C5A23701}</ID>
            <Name>My Cloud</Name>
          </MonitoringPlan>
          <DataSource>Exchange Online</DataSource>
          <Item>
            <Name>mail@corp.onmicrosoft.com (Microsoft 365 tenant)</Name>
          </Item>
          <ObjectType>Mailbox</ObjectType>
          <RID>201602170939597970997D56DDA034420B9044249CC15EC5A</RID>
          <What>Shared Mailbox</What>
          <When>2017-03-17T09:37:11Z</When>
          <Where>BLUPR05MB1940</Where>
          <Who>admin@corp.onmicrosoft.com</Who>
        </ActivityRecord>
        <ActivityRecord>
          <Action>Successful Logon</Action>
          <MonitoringPlan>
            <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
            <Name>Compliance</Name>
          </MonitoringPlan>
          <DataSource>Logon Activity</DataSource>
          <Item>
            <Name>enterprise.local (Domain)</Name>
          </Item>
          <ObjectType>Logon</ObjectType>
          <RID>20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7</RID>
          <What>stationexchange.enterprise.local</What>
          <When>2017-02-17T09:28:35Z</When>
          <Where>enterprisedc1.enterprise.local</Where>
          <Who>ENTERPRISE\Administrator</Who>
          <Workstation>stwin12R2.enterprise.local</Workstation>
        </ActivityRecord>

  - JSON:

        {
          "Action": "Modified",
          "MonitoringPlan": { "ID": "{42F64379-163E-4A43-A9C5-4514C5A23701}", "Name": "My Cloud" },
          "DataSource": "Exchange Online",
          "Item": { "Name": "mail@corp.onmicrosoft.com (Microsoft 365 tenant)" },
          "ObjectType": "Mailbox",
          "RID": "201602170939597970997D56DDA034420B9044249CC15EC5A",
          "What": "Shared Mailbox",
          "When": "2017-03-17T09:37:11Z",
          "Where": "BLUPR05MB1940",
          "Who": "admin@corp.onmicrosoft.com"
        },
        {
          "Action": "Successful Logon",
          "MonitoringPlan": { "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", "Name": "Compliance" },
          "DataSource": "Logon Activity",
          "Item": { "Name": "enterprise.local (Domain)" },
          "ObjectType": "Logon",
          "RID": "20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7",
          "What": "stationexchange.enterprise.local",
          "When": "2017-02-17T09:28:35Z",
          "Where": "enterprisedc1.enterprise.local",
          "Who": "ENTERPRISE\\Administrator",
          "Workstation": "stwin12R2.enterprise.local"
        }

Filters:

  - XML: <DataSource>Logon Activity</DataSource>
  - JSON: "DataSource" : "Logon Activity"

Retrieves all activity records for the Logon Activity data source, irrespective of who made the logon attempt and when it was made.

Matching Activity Records:

  - XML:

        <ActivityRecord>
          <Action>Successful Logon</Action>
          <MonitoringPlan>
            <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
            <Name>Compliance</Name>
          </MonitoringPlan>
          <DataSource>Logon Activity</DataSource>
          <Item>
            <Name>enterprise.local (Domain)</Name>
          </Item>
          <ObjectType>Logon</ObjectType>
          <RID>20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7</RID>
          <What>stationexchange.enterprise.local</What>
          <When>2017-02-17T09:28:35Z</When>
          <Where>enterprisedc1.enterprise.local</Where>
          <Who>ENTERPRISE\Administrator</Who>
          <Workstation>stwin12R2.enterprise.local</Workstation>
        </ActivityRecord>
        <ActivityRecord>
          <Action>Successful Logon</Action>
          <MonitoringPlan>
            <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
            <Name>Compliance</Name>
          </MonitoringPlan>
          <DataSource>Logon Activity</DataSource>
          <Item>
            <Name>enterprise.local (Domain)</Name>
          </Item>
          <ObjectType>Logon</ObjectType>
          <RID>201602170939597970997D56DDA034420B9044249CC15EC5A</RID>
          <What>stationwin12r2.enterprise.local</What>
          <When>2017-02-17T09:37:11Z</When>
          <Where>enterprisedc2.enterprise.local</Where>
          <Who>ENTERPRISE\Analyst</Who>
          <Workstation>stwin12R2.enterprise.local</Workstation>
        </ActivityRecord>

  - JSON:

        {
          "Action": "Successful Logon",
          "MonitoringPlan": { "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", "Name": "Compliance" },
          "DataSource": "Logon Activity",
          "Item": { "Name": "enterprise.local (Domain)" },
          "ObjectType": "Logon",
          "RID": "20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7",
          "What": "stationexchange.enterprise.local",
          "When": "2017-02-17T09:28:35Z",
          "Where": "enterprisedc1.enterprise.local",
          "Who": "ENTERPRISE\\Administrator",
          "Workstation": "stwin12R2.enterprise.local"
        },
        {
          "Action": "Successful Logon",
          "MonitoringPlan": { "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", "Name": "Compliance" },
          "DataSource": "Logon Activity",
          "Item": { "Name": "enterprise.local (Domain)" },
          "ObjectType": "Logon",
          "RID": "201602170939597970997D56DDA034420B9044249CC15EC5A",
          "What": "stationwin12r2.enterprise.local",
          "When": "2017-02-17T09:37:11Z",
          "Where": "enterprisedc2.enterprise.local",
          "Who": "ENTERPRISE\\Analyst",
          "Workstation": "stwin12R2.enterprise.local"
        }