Skip to main content

Settings

To open administration settings in the AIDR console, click Settings in the top menu. The dropdown menu shows the available Settings pages:

  • Usage - View usage metrics and statistics.

  • Activity - View activity logs for your organization.

  • Alias Mapping - Manage custom labels for AIDR entity attributes.

Select a page from the dropdown to open it. The selected page and other Settings pages appear as tabs in a second row at the top of the console.

Activity logs

On the Settings > Activity page, you can view activity logs for your AIDR account.

Overview

Organization activity logs include the following types of events:

  • Membership changes and other organization-level updates
  • User sign-ins
  • Collectors and Policies configuration changes
  • Updates to AIDR service configuration

Each logged event contains:

  • Time - Date and time of the event
  • Actor - User who performed the action
  • Action - Description of the action performed
  • Target - ID of the affected resource
  • Message - Short summary of the event
  • Old - Previous value of the resource
  • New - Updated value of the resource

Changed values in the Old and New fields appear highlighted in yellow.

You can filter activity logs by date range and attributes. The search bar helps you refine results with:

  • Completion suggestions for available attributes and their values
  • Filter dialog (funnel icon)
  • Date range control

Click the gear icon in the top right to choose which columns are visible in the log table.

You can sort the table by clicking column headers.

By default, the log viewer displays events from the past two hours.

To customize your search:

  • Click the funnel icon to open the filter dialog, enter your criteria, and click Search. The search syntax appears in the search bar, and matching results display in the table.
  • Place your cursor in the search bar to view a dropdown of available search parameters. Start typing to filter the list and use autocompletion to build your query.
  • Enter your query manually. Learn more about the search syntax in the Secure Audit Log documentation.

Date range

All searches must include a time range, with the default set to the most recent two hours.

The date range selector next to the search button provides several options:

  • Quick selections - Choose a relative range of 1, 7, or 30 days.
  • Relative - Define a custom relative date range.
  • Between - Search for log events between two specific dates.
  • Before - Search for events that occurred before a specific date.
  • After - Search for events that occurred after a specific date.

You can apply a time range filter directly from the log table. Hover over a timestamp in a result row or in the expanded details view, then click the icon next to it to filter by that exact date or set it as the upper or lower limit of your range.

Event details

To view all fields for an event, click its row in the search results. The row expands to show every event field, including those not currently visible in the table.

If a field (such as Old or New) contains JSON data, it displays as an interactive JSON tree.

Alias Mapping

Alias mappings assign custom labels to AIDR entity attributes displayed on the Visibility and Findings pages.

Manage alias mappings in Settings

On the Settings > Alias Mapping page, click Create to add a new mapping with the following details:

  • Field - Attribute to map, such as User, Application ID, or Provider
  • Source Identifier - Original value of the selected attribute
  • Alias - Custom label that will be displayed instead of the original value

Click Save to create the mapping.

To edit or delete an existing mapping, click the menu icon () in its row.

Manage alias mappings on Visibility and Findings pages

On the Visibility and Findings pages, you can add or edit alias mappings directly by hovering over an attribute value and clicking the pencil () icon.

Aliased values are highlighted.

Appendix

Search syntax

The Search feature provides a simple search grammar for finding specific events in the logs.

note:

The search queries are case sensitive.

The search query can be either key-value pairs to search a specific field or plain text to search across all fields. A query of accessed will search for the term accessed across all fields and help find events when a user read configuration.

Use the format <field_name>:<value> for a single field search. The field name must exactly match the field name to be searched. The search performs a partial match of data in the specified field matching the search term.

For example: user:"nedry" will initiate the search for any event where the user field contains the word nedry.

You can exclude specific values and return everything that does not match the search term by including a minus (-) prefix. For example, -user:"nedry" returns all results where the user field does not include the word nedry.

tip:

You can use > or < operators to filter by date. For example, received_at<"2025-11-29".

Using multiple search terms

Multiple search terms can be joined using the AND and OR operators. For example, to search for events where the user field contains nedry and the action contains accessed, the following search string would be used:

user:"nedry" AND action:"accessed"

Grouping search terms

Search terms can be logically grouped using parentheses. For example, to search for events where the user is "nedry" or "murphy" and the action is "accessed", the following would be used:

(user:"nedry" OR user:"murphy") AND action:"accessed"

Escaping characters

Escape backslash \ and the quotation mark " in your search criteria using the backslash symbol. For example:

message:"Project \"Production\" accessed by dennis.nedry@ingen.com"

636 Ramona St Palo Alto, CA 94301

Guides
Services
SDKs & APIs

©2026 CrowdStrike. All rights reserved.

PrivacyYour Privacy ChoicesTerms of UseLegal Notices
Contact Us