Reference for Creating Search Parameters File
Review this section to learn more about operators and how to apply them to Activity Record filters to create a unique search. You can:
- Add different filters to your search. Search results must match all selected filters, since different filters work as a logical AND.

  XML:
  ```xml
  <Who Operator="Equals">Admin</Who>
  <DataSource Operator="NotEqualTo">Active Directory</DataSource>
  <What>User</What>
  ```
  JSON:
  ```json
  "Who" : { "Equals" : "Admin" },
  "DataSource" : { "NotEqualTo" : "Active Directory" },
  "What" : "User"
  ```
- Specify several values for the same filter. To do this, add two entries one after another.

  Entries with Equals, Contains, StartsWith, EndsWith, and InGroup operators work as a logical OR (Activity Records with either of the following values will be returned). Entries with DoesNotContain and NotEqualTo operators work as a logical AND (Activity Records with neither of the following values will be returned).

  XML:
  ```xml
  <Who>Admin</Who>
  <Who>Analyst</Who>
  ```
  JSON:
  ```json
  "Who" : [ "Admin" , "Analyst" ]
  ```
  Use square brackets to add several values for the entry.
Review the following for additional information:
The examples below show filters and the Activity Records matching them.

- Filters (XML):
  ```xml
  <Who>Administrator</Who>
  <DataSource>SharePoint</DataSource>
  <Action Operator="NotEqualTo">Read</Action>
  ```
  Filters (JSON):
  ```json
  "Who" : "Admin",
  "DataSource" : "SharePoint",
  "Action" : {
      "NotEqualTo" : "Read"
  }
  ```
  Retrieves all activity records where the administrator performed any action on SharePoint, except Read.

  Matching Activity Records (XML):
  ```xml
  <ActivityRecord>
    <Action>Added</Action>
    <MonitoringPlan>
      <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
      <Name>Compliance</Name>
    </MonitoringPlan>
    <DataSource>SharePoint</DataSource>
    <Item>
      <Name>http://demolabsp:8080 (SharePoint farm)</Name>
    </Item>
    <ObjectType>List</ObjectType>
    <RID>20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7</RID>
    <What>http://demolabsp/lists/Taskslist</What>
    <When>2017-02-17T09:28:35Z</When>
    <Where>http://demolabsp</Where>
    <Who>Enterprise\Administrator</Who>
    <Workstation>172.28.15.126</Workstation>
  </ActivityRecord>
  <ActivityRecord>
    <Action>Removed</Action>
    <MonitoringPlan>
      <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
      <Name>Compliance</Name>
    </MonitoringPlan>
    <DataSource>SharePoint</DataSource>
    <Item>
      <Name>http://demolabsp:8080 (SharePoint farm)</Name>
    </Item>
    <ObjectType>List</ObjectType>
    <RID>20160217093959797091D091D2EAF4A89BF7A1CCC27D15857</RID>
    <What>http://demolabsp/lists/Old/Taskslist</What>
    <When>2017-02-17T09:28:35Z</When>
    <Where>http://demolabsp</Where>
    <Who>Enterprise\Administrator</Who>
    <Workstation>172.28.15.126</Workstation>
  </ActivityRecord>
  ```
  Matching Activity Records (JSON):
  ```json
  {
    "Action": "Added",
    "MonitoringPlan": {
      "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
      "Name": "Compliance"
    },
    "DataSource": "SharePoint",
    "Item": {"Name": "http://demolabsp:8080 (SharePoint farm)"},
    "ObjectType": "List",
    "RID": "20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7",
    "What": "http://demolabsp/lists/Taskslist",
    "When": "2017-02-17T09:28:35Z",
    "Where": "http://demolabsp",
    "Who": "Enterprise\\Administrator",
    "Workstation": "172.28.15.126"
  },
  {
    "Action": "Removed",
    "MonitoringPlan": {
      "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
      "Name": "Compliance"
    },
    "DataSource": "SharePoint",
    "Item": {"Name": "http://demolabsp:8080 (SharePoint farm)"},
    "ObjectType": "List",
    "RID": "20160217093959797091D091D2EAF4A89BF7A1CCC27D15857",
    "What": "http://demolabsp/lists/Old/Taskslist",
    "When": "2017-02-17T09:28:35Z",
    "Where": "http://demolabsp",
    "Who": "Enterprise\\Administrator",
    "Workstation": "172.28.15.126"
  }
  ```

- Filters (XML):
  ```xml
  <Who>Administrator</Who>
  <Action>Added</Action>
  ```
  Filters (JSON):
  ```json
  "Who" : "Administrator",
  "Action" : "Added"
  ```
  Retrieves all activity records where the administrator added an object within any data source.

  Matching Activity Records (XML):
  ```xml
  <ActivityRecord>
    <Action>Added</Action>
    <MonitoringPlan>
      <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
      <Name>Compliance</Name>
    </MonitoringPlan>
    <DataSource>SharePoint</DataSource>
    <Item>
      <Name>http://demolabsp:8080 (SharePoint farm)</Name>
    </Item>
    <ObjectType>List</ObjectType>
    <RID>20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7</RID>
    <What>http://demolabsp/lists/Taskslist</What>
    <When>2017-02-17T09:28:35Z</When>
    <Where>http://demolabsp</Where>
    <Who>Enterprise\Administrator</Who>
    <Workstation>172.28.15.126</Workstation>
  </ActivityRecord>
  <ActivityRecord>
    <Action>Added</Action>
    <MonitoringPlan>
      <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
      <Name>Compliance</Name>
    </MonitoringPlan>
    <DataSource>Exchange</DataSource>
    <Item>
      <Name>enterprise.local (Domain)</Name>
    </Item>
    <ObjectType>Mailbox</ObjectType>
    <RID>2016021116354759207E9DDCEEB674986AD30CD3D13F5DEA3</RID>
    <What>Shared Mailbox</What>
    <When>2017-02-10T14:46:00Z</When>
    <Where>eswks.enterprise.local</Where>
    <Who>Enterprise\Administrator</Who>
  </ActivityRecord>
  ```
  Matching Activity Records (JSON):
  ```json
  {
    "Action": "Added",
    "MonitoringPlan": {
      "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
      "Name": "Compliance"
    },
    "DataSource": "SharePoint",
    "Item": {"Name": "http://demolabsp:8080 (SharePoint farm)"},
    "ObjectType": "List",
    "RID": "20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7",
    "What": "http://demolabsp/lists/Taskslist",
    "When": "2017-02-17T09:28:35Z",
    "Where": "http://demolabsp",
    "Who": "Enterprise\\Administrator",
    "Workstation": "172.28.15.126"
  },
  {
    "Action": "Added",
    "MonitoringPlan": {
      "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
      "Name": "Compliance"
    },
    "DataSource": "Exchange",
    "Item": {"Name": "enterprise.local (Domain)"},
    "ObjectType": "Mailbox",
    "RID": "2016021116354759207E9DDCEEB674986AD30CD3D13F5DEA3",
    "What": "Shared Mailbox",
    "When": "2017-02-10T14:46:00Z",
    "Where": "eswks.enterprise.local",
    "Who": "Enterprise\\Administrator"
  }
  ```

- Filters (XML):
  ```xml
  <Who>Admin</Who>
  <Who>Analyst</Who>
  ```
  Filters (JSON):
  ```json
  "Who" : [ "Admin" , "Analyst" ]
  ```
  Retrieves all activity records where admin or analyst made any changes within any data source.

  Matching Activity Records (XML):
  ```xml
  <ActivityRecord>
    <Action>Added</Action>
    <MonitoringPlan>
      <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
      <Name>Compliance</Name>
    </MonitoringPlan>
    <DataSource>File Servers</DataSource>
    <Item>
      <Name>wks.enterprise.local (Computer)</Name>
    </Item>
    <ObjectType>Folder</ObjectType>
    <RID>2016021116354759207E9DDCEEB674986AD30CD3D13F5DDA3</RID>
    <What>Annual_Reports</What>
    <When>2017-02-10T14:46:00Z</When>
    <Where>wks.enterprise.local</Where>
    <Who>Enterprise\Admin</Who>
  </ActivityRecord>
  <ActivityRecord>
    <Action>Removed</Action>
    <MonitoringPlan>
      <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
      <Name>Compliance</Name>
    </MonitoringPlan>
    <DataSource>Active Directory</DataSource>
    <Item>
      <Name>enterprise.local (Domain)</Name>
    </Item>
    <ObjectType>User</ObjectType>
    <RID>2016021116354759207E9DDCEEB674986AD30CD3D13F5DAA3</RID>
    <What>Anna.Smith</What>
    <When>2017-02-10T10:46:00Z</When>
    <Where>dc1.enterprise.local</Where>
    <Who>Enterprise\Analyst</Who>
    <Workstation>172.28.6.15</Workstation>
  </ActivityRecord>
  ```
  Matching Activity Records (JSON):
  ```json
  {
    "Action": "Added",
    "MonitoringPlan": {
      "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
      "Name": "Compliance"
    },
    "DataSource": "File Servers",
    "Item": {"Name": "wks.enterprise.local (Computer)"},
    "ObjectType": "Folder",
    "RID": "2016021116354759207E9DDCEEB674986AD30CD3D13F5DDA3",
    "What": "Annual_Reports",
    "When": "2017-02-10T14:46:00Z",
    "Where": "wks.enterprise.local",
    "Who": "Enterprise\\Admin"
  },
  {
    "Action": "Removed",
    "MonitoringPlan": {
      "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
      "Name": "Compliance"
    },
    "DataSource": "Active Directory",
    "Item": {"Name": "enterprise.local (Domain)"},
    "ObjectType": "User",
    "RID": "2016021116354759207E9DDCEEB674986AD30CD3D13F5DAA3",
    "What": "Anna.Smith",
    "When": "2017-02-10T10:46:00Z",
    "Where": "dc1.enterprise.local",
    "Who": "Enterprise\\Analyst",
    "Workstation": "172.28.6.15"
  }
  ```

- Filters (XML):
  ```xml
  <When>
    <LastSevenDays/>
  </When>
  <When>
    <From>2017-01-16T16:30:00Z</From>
    <To>2017-02-01T00:00:00Z</To>
  </When>
  ```
  Filters (JSON):
  ```json
  "When" : [
      {"LastSevenDays" : ""},
      {
          "From" : "2017-01-16T16:30:00Z",
          "To" : "2017-02-01T00:00:00Z"
      }
  ]
  ```
  Retrieves all activity records for all data sources and users within the specified date ranges:
  - January 16, 2017 to February 1, 2017
  - March 11, 2017 to March 17, 2017 (assuming today is March 17).

  Matching Activity Records (XML):
  ```xml
  <ActivityRecord>
    <Action>Modified</Action>
    <MonitoringPlan>
      <ID>{42F64379-163E-4A43-A9C5-4514C5A23701}</ID>
      <Name>My Cloud</Name>
    </MonitoringPlan>
    <DataSource>Exchange Online</DataSource>
    <Item>
      <Name>mail@corp.onmicrosoft.com (Office 365 tenant)</Name>
    </Item>
    <ObjectType>Mailbox</ObjectType>
    <RID>201602170939597970997D56DDA034420B9044249CC15EC5A</RID>
    <What>Shared Mailbox</What>
    <When>2017-03-17T09:37:11Z</When>
    <Where>BLUPR05MB1940</Where>
    <Who>admin@corp.onmicrosoft.com</Who>
  </ActivityRecord>
  <ActivityRecord>
    <Action>Successful Logon</Action>
    <MonitoringPlan>
      <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
      <Name>Compliance</Name>
    </MonitoringPlan>
    <DataSource>Logon Activity</DataSource>
    <Item>
      <Name>enterprise.local (Domain)</Name>
    </Item>
    <ObjectType>Logon</ObjectType>
    <RID>20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7</RID>
    <What>stationexchange.enterprise.local</What>
    <When>2017-02-17T09:28:35Z</When>
    <Where>enterprisedc1.enterprise.local</Where>
    <Who>ENTERPRISE\Administrator</Who>
    <Workstation>stwin12R2.enterprise.local</Workstation>
  </ActivityRecord>
  ```
  Matching Activity Records (JSON):
  ```json
  {
    "Action": "Modified",
    "MonitoringPlan": {
      "ID": "{42F64379-163E-4A43-A9C5-4514C5A23701}",
      "Name": "My Cloud"
    },
    "DataSource": "Exchange Online",
    "Item": {
      "Name": "mail@corp.onmicrosoft.com (Office 365 tenant)"
    },
    "ObjectType": "Mailbox",
    "RID": "201602170939597970997D56DDA034420B9044249CC15EC5A",
    "What": "Shared Mailbox",
    "When": "2017-03-17T09:37:11Z",
    "Where": "BLUPR05MB1940",
    "Who": "admin@corp.onmicrosoft.com"
  },
  {
    "Action": "Successful Logon",
    "MonitoringPlan": {
      "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
      "Name": "Compliance"
    },
    "DataSource": "Logon Activity",
    "Item": {"Name": "enterprise.local (Domain)"},
    "ObjectType": "Logon",
    "RID": "20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7",
    "What": "stationexchange.enterprise.local",
    "When": "2017-02-17T09:28:35Z",
    "Where": "enterprisedc1.enterprise.local",
    "Who": "ENTERPRISE\\Administrator",
    "Workstation": "stwin12R2.enterprise.local"
  }
  ```

- Filters (XML):
  ```xml
  <DataSource>Logon Activity</DataSource>
  ```
  Filters (JSON):
  ```json
  "DataSource" : "Logon Activity"
  ```
  Retrieves all activity records for the Logon Activity data source, irrespective of who made the logon attempt and when it was made.

  Matching Activity Records (XML):
  ```xml
  <ActivityRecord>
    <Action>Successful Logon</Action>
    <MonitoringPlan>
      <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
      <Name>Compliance</Name>
    </MonitoringPlan>
    <DataSource>Logon Activity</DataSource>
    <Item>
      <Name>enterprise.local (Domain)</Name>
    </Item>
    <ObjectType>Logon</ObjectType>
    <RID>20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7</RID>
    <What>stationexchange.enterprise.local</What>
    <When>2017-02-17T09:28:35Z</When>
    <Where>enterprisedc1.enterprise.local</Where>
    <Who>ENTERPRISE\Administrator</Who>
    <Workstation>stwin12R2.enterprise.local</Workstation>
  </ActivityRecord>
  <ActivityRecord>
    <Action>Successful Logon</Action>
    <MonitoringPlan>
      <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
      <Name>Compliance</Name>
    </MonitoringPlan>
    <DataSource>Logon Activity</DataSource>
    <Item>
      <Name>enterprise.local (Domain)</Name>
    </Item>
    <ObjectType>Logon</ObjectType>
    <RID>201602170939597970997D56DDA034420B9044249CC15EC5A</RID>
    <What>stationwin12r2.enterprise.local</What>
    <When>2017-02-17T09:37:11Z</When>
    <Where>enterprisedc2.enterprise.local</Where>
    <Who>ENTERPRISE\Analyst</Who>
    <Workstation>stwin12R2.enterprise.local</Workstation>
  </ActivityRecord>
  ```
  Matching Activity Records (JSON):
  ```json
  {
    "Action": "Successful Logon",
    "MonitoringPlan": {
      "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
      "Name": "Compliance"
    },
    "DataSource": "Logon Activity",
    "Item": {"Name": "enterprise.local (Domain)"},
    "ObjectType": "Logon",
    "RID": "20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7",
    "What": "stationexchange.enterprise.local",
    "When": "2017-02-17T09:28:35Z",
    "Where": "enterprisedc1.enterprise.local",
    "Who": "ENTERPRISE\\Administrator",
    "Workstation": "stwin12R2.enterprise.local"
  },
  {
    "Action": "Successful Logon",
    "MonitoringPlan": {
      "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
      "Name": "Compliance"
    },
    "DataSource": "Logon Activity",
    "Item": {"Name": "enterprise.local (Domain)"},
    "ObjectType": "Logon",
    "RID": "201602170939597970997D56DDA034420B9044249CC15EC5A",
    "What": "stationwin12r2.enterprise.local",
    "When": "2017-02-17T09:37:11Z",
    "Where": "enterprisedc2.enterprise.local",
    "Who": "ENTERPRISE\\Analyst",
    "Workstation": "stwin12R2.enterprise.local"
  }
  ```