Reference for Creating Search Parameters File

Review this section to learn more about operators and how to apply them to Activity Record filters to create a unique search. You can:

Add different filters to your search. Search results will be sorted by all selected filters since they work as a logical AND.

Format	Example
XML	`<Who Operator="Equals">Admin</Who> <DataSource Operator="NotEqualTo">Active Directory</DataSource> <What>User</What>`
JSON	`"Who": { "Equals": "Admin" }, "DataSource": { "NotEqualTo": "Active Directory" }, "What": "User"`

Specify several values for the same filter. To do this, add two entries one after another.

Entries with Equals, Contains, StartsWith, EndsWith, and InGroup operators work as a logical OR (Activity Records with either of following values will be returned). Entries with DoesNotContain and NotEqualTo operators work as a logical AND (Activity Records with neither of the following values will be returned).

Format Example
XML <Who>Admin</Who> <Who>Analyst</Who>
JSON "Who" : [ "Admin" , "Analyst" ] Use square brackets to add several values for the entry.

Format	Example
XML	`<Who>Admin</Who> <Who>Analyst</Who>`
JSON	`"Who" : [ "Admin" , "Analyst" ]` Use square brackets to add several values for the entry.

Review the following for additional information:

The table below shows filters and Activity Records matching them.

Filters	Matching Activity Records
XML: `<Who Operator="Equals">Admin</Who> <DataSource Operator="NotEqualTo">Active Directory</DataSource> <What>User</What>`	Retrieves all activity records where the administrator made any actions on SharePoint, except Read. Examples of XML activity record: <ActivityRecord> <Action>Added</Action> <MonitoringPlan> <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID> <Name>Compliance</Name> </MonitoringPlan> <DataSource>SharePoint</DataSource> <Item> <Name>http://demolabsp:8080 (SharePoint farm)</Name> </Item> <ObjectType>List</ObjectType> <RID>20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7</RID> <What>http://demolabsp/lists/Taskslist</What> <When>2017-02-17T09:28:35Z</When> <Where>http://demolabsp</Where> <Who>Enterprise\Administrator</Who> <Workstation>172.28.15.126</Workstation> </ActivityRecord> <ActivityRecord> <Action>Removed</Action> <MonitoringPlan> <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID> <Name>Compliance</Name> </MonitoringPlan> <DataSource>SharePoint</DataSource> <Item> <Name>http://demolabsp:8080 (SharePoint farm)</Name> </Item> <ObjectType>List</ObjectType> <RID>20160217093959797091D091D2EAF4A89BF7A1CCC27D15857</RID> <What>http://demolabsp/lists/Old/Taskslist</What> <When>2017-02-17T09:28:35Z</When> <Where>http://demolabsp</Where> <Who>Enterprise\Administrator</Who> <Workstation>172.28.15.126</Workstation> </ActivityRecord>
JSON: `"Who" : "Admin", "DataSource" : "SharePoint", "Action" : { "NotEqualTo" : "Read" }`	JSON representation for filtering actions by the administrator on SharePoint. Examples of JSON activity record: { "Action": "Added", "MonitoringPlan": { "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", "Name": "Compliance" }, "DataSource": "SharePoint", "Item": {"Name": "http://demolabsp:8080 (SharePoint farm)"}, "ObjectType": "List", "RID": "20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7", "What": "http://demolabsp/lists/Taskslist", "When": "2017-02-17T09:28:35Z", "Where": "http://demolabsp", "Who": "Enterprise\\Administrator", "Workstation": "172.28.15.126" }, { "Action" : "Removed", "MonitoringPlan": { "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", "Name": "Compliance" }, "DataSource": "SharePoint", "Item": {"Name": "http://demolabsp:8080 (SharePoint farm)"}, "ObjectType": "List", "RID": "20160217093959797091D091D2EAF4A89BF7A1CCC27D15857", "What": "http://demolabsp/lists/Old/Taskslist", "When": "2017-02-17T09:28:35Z", "Where": "http://demolabsp", "Who": "Enterprise\\Administrator", "Workstation": "172.28.15.126" }
XML: `<Who>Admin</Who> <Who>Analyst</Who>`	XML example of filtering for multiple users (Admin and Analyst). Example of XML activity record: <ActivityRecord> <Action>Added</Action> <MonitoringPlan> <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID> <Name>Compliance</Name> </MonitoringPlan> <DataSource>File Servers</DataSource> <Item> <Name>wks.enterprise.local (Computer)</Name> </Item> <ObjectType>Folder</ObjectType> <RID>2016021116354759207E9DDCEEB674986AD30CD3D13F5DDA3</RID> <What>Annual_Reports</What> <When>2017-02-10T14:46:00Z</When> <Where>wks.enterprise.local</Where> <Who>Enterprise\Admin</Who> </ActivityRecord> <ActivityRecord> <Action>Removed</Action> <MonitoringPlan> <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID> <Name>Compliance</Name> </MonitoringPlan> <DataSource>Active Directory</DataSource> <Item> <Name>enterprise.local (Domain)</Name> </Item> <ObjectType>User</ObjectType> <RID>2016021116354759207E9DDCEEB674986AD30CD3D13F5DAA3</RID> <What>Anna.Smith</What> <When>2017-02-10T10:46:00Z</When> <Where>dc1.enterprise.local</Where> <Who>Enterprise\Analyst</Who> <Workstation>172.28.6.15</Workstation> </ActivityRecord>
JSON: `"Who" : [ "Admin" , "Analyst" ]`	JSON format for multiple user records. Example JSON activity record: { "Action": "Added", "MonitoringPlan": { "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", "Name": "Compliance" }, "DataSource" : "File Servers", "Item": {"Name": "wks.enterprise.local (Computer)"}, "ObjectType": "Folder", "RID": "2016021116354759207E9DDCEEB674986AD30CD3D13F5DDA3", "What": "Annual_Reports", "When": "2017-02-10T14:46:00Z", "Where": "wks.enterprise.local", "Who": "Enterprise\\Admin" }, { "Action": "Removed", "MonitoringPlan": { "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", "Name": "Compliance" }, "DataSource": "Active Directory", "Item": {"Name": "enterprise.local (Domain)"}, "ObjectType": "User", "RID": "2016021116354759207E9DDCEEB674986AD30CD3D13F5DAA3", "What": "Anna.Smith", "When": "2017-02-10T10:46:00Z", "Where": "dc1.enterprise.local", "Who": "Enterprise\\Analyst", "Workstation": "172.28.6.15" }
XML: `<When> <LastSevenDays/> </When> <When> <From>2017-01-16T16:30:00Z</From> <To>2017-02-01T00:00:00Z</To> </When>`	XML example of date filtering. Example of XML activity record: <ActivityRecord> <Action>Modified</Action> <MonitoringPlan>My Cloud</MonitoringPlan> <MonitoringPlan> <ID>{42F64379-163E-4A43-A9C5-4514C5A23701}</ID> <Name>My Cloud</Name> </MonitoringPlan> <DataSource>Exchange Online</DataSource> <Item> <Name>mail@corp.onmicrosoft.com (Office 365 tenant)</Name> </Item> <ObjectType>Mailbox</ObjectType> <RID>201602170939597970997D56DDA034420B9044249CC15EC5A</RID> <What>Shared Mailbox</What> <When>2017-03-17T09:37:11Z</When> <Where>BLUPR05MB1940</Where> <Who>admin@corp.onmicrosoft.com</Who> </ActivityRecord> <ActivityRecord> <Action>Successful Logon</Action> <MonitoringPlan> <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID> <Name>Compliance</Name> </MonitoringPlan> <DataSource>Logon Activity</DataSource> <Item> <Name>enterprise.local (Domain)</Name> </Item> <ObjectType>Logon</ObjectType> <RID>20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7</RID> <What>stationexchange.enterprise.local</What> <When>2017-02-17T09:28:35Z</When> <Where>enterprisedc1.enterprise.local</Where> <Who>ENTERPRISE\Administrator</Who> <Workstation>stwin12R2.enterprise.local</Workstation> </ActivityRecord>
JSON: `"When" : [ {"LastSevenDays" : ""}, {"From" : "2017-01-16T16:30:00Z", "To" : "2017-02-01T00:00:00Z" } ]`	JSON representation of filtering by date range. Example JSON activity record: { "Action" : "Modified", "MonitoringPlan" : "My Cloud", "MonitoringPlan": { "ID": "{42F64379-163E-4A43-A9C5-4514C5A23701}", "Name": "My Cloud" }, "DataSource": "Exchange Online", "Item": { "Name": "mail@corp.onmicrosoft.com (Office 365 tenant)" }, "ObjectType" : "Mailbox", "RID" : "201602170939597970997D56DDA034420B9044249CC15EC5A", "What" : "Shared Mailbox", "When" : "2017-03-17T09:37:11Z", "Where" : "BLUPR05MB1940", "Who" : "admin@corp.onmicrosoft.com" }, { "Action" : "Successful Logon", "MonitoringPlan": { "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", "Name": "Compliance" }, "DataSource": "Logon Activity", "Item": {"Name": "enterprise.local (Domain)"}, "ObjectType": "Logon", "RID" : "20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7", "What" : "stationexchange.enterprise.local", "When" : "2017-02-17T09:28:35Z", "Where" : "enterprisedc1.enterprise.local", "Who" : "ENTERPRISE\\Administrator", "Workstation" : "stwin12R2.enterprise.local" }
XML: `<DataSource> Logon Activity </DataSource>`	Retrieves all activity records for Logon Activity data source irrespective of who made logon attempt and when it was made. Example of XML activity record: <ActivityRecord> <Action>Successful Logon</Action> <MonitoringPlan> <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID> <Name>Compliance</Name> </MonitoringPlan> <DataSource>Logon Activity</DataSource> <Item> <Name>enterprise.local (Domain)</Name> </Item> <ObjectType>Logon</ObjectType> <RID>20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7</RID> <What>stationexchange.enterprise.local</What> <When>2017-02-17T09:28:35Z</When> <Where>enterprisedc1.enterprise.local</Where> <Who>ENTERPRISE\Administrator</Who> <Workstation>stwin12R2.enterprise.local</Workstation> </ActivityRecord> <ActivityRecord> <Action>Successful Logon</Action> <MonitoringPlan> <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID> <Name>Compliance</Name> </MonitoringPlan> <DataSource>Logon Activity</DataSource> <Item> <Name>enterprise.local (Domain)</Name> </Item> <ObjectType>Logon</ObjectType> <RID>201602170939597970997D56DDA034420B9044249CC15EC5A</RID> <What>stationwin12r2.enterprise.local</What> <When>2017-02-17T09:37:11Z</When> <Where>enterprisedc2.enterprise.local</Where> <Who>ENTERPRISE\Analyst</Who> <Workstation>stwin12R2.enterprise.local</Workstation> </ActivityRecord>
JSON: `"DataSource" : "Logon Activity"`	Example JSON retrieval for Logon Activity records. Example JSON activity record: { "Action" : "Successful Logon", "MonitoringPlan": { "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", "Name": "Compliance" }, "DataSource": "Logon Activity", "Item": {"Name": "enterprise.local (Domain)"}, "ObjectType" : "Logon", "RID" : "20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7", "What" : "stationexchange.enterprise.local", "When" : "2017-02-17T09:28:35Z", "Where" : "enterprisedc1.enterprise.local", "Who" : "ENTERPRISE\\Administrator", "Workstation" : "stwin12R2.enterprise.local" }, { "Action" : "Successful Logon", "MonitoringPlan": { "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", "Name": "Compliance" }, "DataSource": "Logon Activity", "Item": {"Name": "enterprise.local (Domain)"}, "ObjectType" : "Logon", "RID" : "201602170939597970997D56DDA034420B9044249CC15EC5A", "What" : "stationwin12r2.enterprise.local", "When" : "2017-02-17T09:37:11Z", "Where" : "enterprisedc2.enterprise.local", "Who" : "ENTERPRISE\\Analyst", "Workstation" : "stwin12R2.enterprise.local" }