Search the Trail Flow Manually

To filter events that match specific character strings or patterns, you can type an expression in the search box to refine results using the Boolean operators *, AND, and OR. You can encapsulate OR statements with parentheses to modify search priority. The search looks for any specific value in an Active Directory attribute.

To search the Trail Flow manually:

  1. In Tenable Identity Exposure, click Trail Flow to open the Trail Flow page.

  2. In the Search box, type a query expression.

  3. You can filter the search results as follows:

    • Click on the Calendar box to select a start date and an end date.

    • Click on n/n Domains to select forests and domains.

  1. Click Search.

    Tenable Identity Exposure updates the list with the results matching your search criteria.

Example:

The following example searches for:

  • Deactivated user accounts that can endanger monitored AD infrastructures.

  • Suspicious activities and anomalous account use.

Grammar and Syntax

A manual query expression uses the following grammar and syntax:

  • Grammar: EXPRESSION [OPERATOR EXPRESSION]*

  • Syntax: __KEY__ __SELECTOR__ __VALUE__

    where:

    • __KEY__ refers to the AD object attribute to search (such as CN, userAccountControl, members, etc.)

    • __SELECTOR__ refers to the operator: :, >, <, >=, <=.

    • __VALUE__ refers to value to search for.

      You can use more keys to look for specific content:

    • isDeviant looks for events that created a deviance.

You can combine multiple Trail Flow query expressions using the AND and OR operators.

Examples:

  • Look for all objects containing the string alice into the common name attribute: cn:"alice"

  • Look for all objects containing the string alice in the common name attribute and which created a specific deviance: isDeviant:"true" and cn:"alice"

  • Look for a GPO named Default Domain Policy: objectClass:"groupPolicyContainer" and displayname:"Default Domain Policy"

  • Look for all deactivated accounts with a SID containing S-1-5-21: userAccountControl:"DISABLE" and objectSid:"S-1-5-21"

  • Look for all script.ini files in Sysvol: globalpath:"sysvol" and types:"SCRIPTSini"

    Note: Here, types refers to the object attribute and not the column header.