Search Organization Activity

When you are viewing the list of an organization's activity, you can also search within the list. There are two types of search available:

  • Simple text search. Like with web search engines, enter a term and it will be found if it exists. For example, you could enter a username to see just that user's activity in the organization.
  • Query keys. You can enter specific keywords to narrow the list to specific actions. For example, every time a report request was created.

Query Keys

Put simply, query keys represent the items tracked by DMARC Protection's audit trail. They represent various objects, and can also be combined with verbs, connected by a dot (.). Because query keys define an action on a specific object, when you use a query key in the Search field, you always preface it with action:.

Most query key objects can be combined with create, update, and destroy verbs. In technical terms, "CRUD" actions, minus the "R." Several keys also have additional verbs.

The search format is action:object[.verb]

This means that action: is required, followed by an object name (with no space after the :, followed optionally by a dot (.) and valid verb.

The following is a list of all query keys:

Additional Verbs: None

Description: Any changes to BIMI (see Brand Indicators for Message Identification) records.

Example: A search for action:bimi_record_source.create might include "123 Inc. (admin@123.com) created the BIMI record 123.com" in the results.

Additional Verbs: None

Description: Any changes to DKIM (see DomainKeys Identified Mail) records.

Example: A search for action:dkim_record_source.update might include "123 Inc. (admin@123.com) updated the DKIM record abc123.com" in the results.

Additional Verbs: None

Description: Any changes to domain records.

Example: A search for action:domain.destroy might include "123, Inc. (admin@123.com) deleted the domain ABC123.com" in the results.

Additional Verbs: None

Description: Any changes to sender approval records. This object is created when a sender is approved for a domain and is deleted when the approval is revoked. This is often because of automated processes, but it is possible for a user to manually approve a sender for a domain, and if the sender was manually approved, it can manually be unapproved. This is especially relevant for a hosted SPF record where all domain/sender relationships are handled manually.

Example: A search for action:domain_sender.create might include "123, Inc. automatically created the domain sender #<DomainSender:hash>" in the results.

Additional Verbs: add_domains, remove_domains

Description: Any changes to domain group (see Domain Groups) records.

Example: A search for action:domain_set.remove_domains might include "123, Inc. (admin@123.com) modified the domain group third party" in the results.

Additional Verbs: accept_agreement, reject_agreement, add_netblock_source, remove_netblock_source

Description: Any changes to organization information or settings.

NOTE: Create and destroy actions are actions performed only by affiliate organizations, that is, organizations with sub-organizations, so only affiliate organizations will see those actions in their audit trails.

Example: A search for action:organization.accept agreement might include "123, Inc. (admin@123.com) accepted the End_User License Agreement ABC123.com" in the results.

Additional Verbs: None

Description: Any changes to the relationship between an organization and a sender.

NOTE: There is no explicit action a user can take to affect this object. An organization_sender is created as a secondary object based exclusively on domain/sender relationships. It is created when a domain is the first to be related to a sender in an org (when the sender is approved for the domain); it is deleted when there are no longer any domains in the org related to the sender. It is updated when domains gain or lose their relationship with a sender.

Example: A search for action:organization_sender.destroy might include "123, Inc. (admin@123.com) removed the sender New Sender" in the results.

Additional Verbs: None

Description: Any changes to a report request.

Example: A search for action:report_request.destroy might include "123, Inc. (admin@123.com) deleted the report request Daily Domain Diagnostic Report (123, Inc.) (csv, pdf)" in the results.

Additional Verbs: None

Description: Any changes to the definition of a sender (see Senders).

Example: A search for action:sender.destroy might include "123, Inc. (admin@123.com) deleted the sender New Sender" in the results.

Additional Verbs:

Description: Any creation or deletion of a netblock.

NOTE: The sender_netblock object does not have an update verb.

Example: A search for action:sender_netblock.create might include "123 Inc. (admin@123.com) created the sender netblock ###.###.###.###" (where # are digits in a netblock) in the results.

Additional Verbs: None

Description: Any change to the sender inventory.

Example: A search for action:sender_netblock_source with any verb might include "123, Inc. (automatically) modified ABC's Sender Inventory" in the results.

Additional Verbs: activated, login, logout, update_roles

Description: Any change to a user account, a user account activation, or a user logs in or out.

Example: A search for action:user.update or action:user.update_roles might include "123, Inc. (admin@123.com) changed the roles for newuser123.com" in the results.

How Search Works

When you type characters into the Search field, DMARC Protection starts searching when you pause or stop typing. In technical terms, it's a "starts with" search. This concept is important to understand the search results you're seeing, especially because several objects begin with the same characters.

For example, as mentioned above, the .verb is optional. But if you search for action:sender_netblock, with the goal of seeing all of the audit trail entries for that object, you will get results that also include audit trail entries for the sender_netblock_source object. To see just the sender_netblock object entries, add a . without a verb, like this: action:sender_netblock..