Search Library
The Search Library provides a comprehensive collection of pre-built queries and reports designed to help security teams quickly access critical identity data without building custom searches. Each query is optimized for specific use cases spanning security investigations, compliance reporting, operational management, and risk analysis.
Overview
The Search Library dashboard organizes queries into functional categories, making it easy to find relevant reports for your specific needs. All queries are production-ready and leverage the same powerful filtering, sorting, and export capabilities as Global Search.
Key Benefits:
- Instant Access: No query building required—click and view results immediately
- Best Practice Queries: Professionally designed queries based on identity security best practices
- Customizable Views: All reports support filtering, column customization, and sorting
- Export Ready: Export any report to CSV for offline analysis, compliance evidence, or integration with other tools
- Framework Aligned: Queries mapped to security frameworks (CIS, NIST, CRI) for compliance reporting
Access Methods:
- Search Library Page: Navigate directly to the Search Library dashboard
- Global Search: Select the Library tab in Global Search to access all queries
- Dashboard Widgets: Click through from dashboard widgets to open filtered reports
How to Use Search Library
Accessing Reports
- Navigate to Search Library: Click Search Library in the main navigation
- Select Category Tile: Browse tiles organized by functional area
- Click Query Name: Click any query in the tile to open the report
- View Results: Report opens with pre-configured columns and default sorting
Customizing Reports
Once a report is open:
- Apply Filters: Use column filters to narrow results
- Adjust Columns: Show/hide columns via the Columns panel
- Sort Data: Click column headers to sort ascending or descending
- Export Results: Click Export CSV to download current view
- Save Modified Query: Save your customized view as a new saved search
Export Options
The Export CSV button allows all reports to be exported for further analysis:
- Exports respect current filters and column selections
- Standard CSV format compatible with Excel, Google Sheets, and analytics tools
- Large datasets are paginated automatically (typically 1000 records per batch)
Query Categories and Reports
The Search Library organizes queries into nine functional categories, each addressing specific identity security and compliance requirements.
NOTE
If you are using a macOS system to access the Hydden UI, the scroll bar on tiles with more than 5 reports might only become visible when moving the mouse to the outer right side of the tile.
NOTE
Depending on the amount of data collected for your organization, accessing a report via query might show a loading indicator. Large datasets are paginated for optimal performance.
Owners & Accounts
Queries for investigating individual identities and accounts across all connected systems.
| Query | Description | Use Cases |
|---|---|---|
| General Account Query | Comprehensive report on all account data | Full account inventory, bulk data analysis, baseline reporting |
| Accounts Created by Date | Account data filtered by creation date range | New account audits, onboarding tracking, temporal analysis |
| Owners | Owner properties with full details from all collection sources | Identity consolidation, account-to-owner mapping review, contact information |
| Insights and Recommendations | Threat score correlations with security framework recommendations | Compliance gap analysis, risk prioritization, framework alignment |
Insights and Recommendations queries align with major cybersecurity frameworks:
- CIS v8: CIS Controls version 8 recommendations
- CRI v2 Tier4: Cyber Resilience Institute framework
- NIST CSF v2.0: NIST Cybersecurity Framework version 2.0
These reports are also visualized on the Insights and Recommendations page, accessible via click-through from the main Threat Score widget on the Identity Posture Dashboard.
Groups
Queries for analyzing security groups, distribution lists, and nested group structures.
| Query | Description | Use Cases |
|---|---|---|
| General Group Query | Report on all groups across all platforms | Group inventory, platform comparison, membership analysis |
| Expanded Group Membership | Report on expanded (nested) group memberships | Privilege escalation paths, indirect access analysis, nested group audits |
| Direct Group Membership | Report on direct group members only | First-level membership review, direct assignment verification |
Understanding Group Membership Types:
- Direct Members: Accounts explicitly added to a group
- Expanded Members: Accounts that inherit membership through nested groups (groups within groups)
- Example: If Group A contains Group B, and Group B contains User1, then User1 is a direct member of Group B but an expanded member of Group A
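The direct versus expanded distinction above, worked through as an added example (not Hydden's code or query engine). The group and account names, the `grp:` prefix convention, and the choice to return the granting chain of groups are assumptions made for illustration; the sample data is constructed and includes a nesting cycle, which a resolver has to tolerate.

```python
from collections import deque

# Constructed sample data: group -> members as directly assigned.
# Assumption: names starting with "grp:" are nested groups, all others are accounts.
DIRECT = {
    "grp:A": {"grp:B", "alice"},
    "grp:B": {"User1", "grp:C"},
    "grp:C": {"svc-backup", "grp:A"},  # nesting cycle back to A
}


def is_group(name):
    return name.startswith("grp:")


def direct_members(group, direct=DIRECT):
    """Accounts explicitly added to the group (nested groups are not accounts)."""
    return {m for m in direct.get(group, set()) if not is_group(m)}


def expanded_members(group, direct=DIRECT):
    """Map every account reachable from `group` to the shortest chain of
    groups that grants the membership. A chain of length 1 is a direct member."""
    paths = {}
    seen = {group}                      # visited groups, so cycles terminate
    queue = deque([(group, (group,))])  # breadth-first: shortest chain wins
    while queue:
        current, chain = queue.popleft()
        for member in sorted(direct.get(current, set())):
            if is_group(member):
                if member not in seen:
                    seen.add(member)
                    queue.append((member, chain + (member,)))
            elif member not in paths:
                paths[member] = chain
    return paths


def indirect_only(group, direct=DIRECT):
    """Accounts that hold the group's access only through nesting."""
    return set(expanded_members(group, direct)) - direct_members(group, direct)


if __name__ == "__main__":
    for account, chain in sorted(expanded_members("grp:A").items()):
        print(f"{account:12} via {' -> '.join(chain)}")
```

Accounts returned by `indirect_only` are the ones a first-level membership review misses, which is why the expanded report is the one to use when auditing privileged groups.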
Detections
Security-focused queries for identifying risks, anomalies, and compromised accounts.
| Query | Description | Use Cases |
|---|---|---|
| Account Z-Score | Statistical anomaly detection for account behavior | Outlier identification, behavioral analysis, anomaly investigation |
| Account Threat Scores | Account-specific threat scores from all detection rules | Individual account risk assessment, remediation prioritization |
| Owner Threat Scores | Identity-level aggregated threat scores (highest first) | Executive reporting, high-risk identity identification, SOC investigations |
| Threat Scores | Comprehensive threat scores for all accounts | Organization-wide risk posture, trend analysis, compliance reporting |
| Compromised Accounts | Accounts flagged as compromised with password details | Incident response, breach investigation, credential hygiene |
Threat Score Methodology:
- Scores aggregate multiple threat detection rules weighted by severity
- Higher scores indicate greater security risk
- Scores update automatically as new data is collected
- Custom threat rules contribute to overall scores
Passwords, Secrets & Certificates
Queries for credential hygiene, secret management, and authentication method analysis.
| Query | Description | Use Cases |
|---|---|---|
| Account Secrets & Certificates | Account credentials including secrets and certificate data | Credential inventory, certificate expiration tracking, secret management review |
| Password/Secret Age | Password or secret age with oldest listed first | Password rotation audits, policy compliance, stale credential identification |
| Password/Secret Never Set | Accounts with no password set since creation | Configuration issues, incomplete provisioning, security gap identification |
| Account SSH Key - Authorized Public Keys | Public SSH key details for discovered accounts | SSH access audits, key inventory, authorized key management |
| Account SSH Key - Private Keys | Private SSH key details for discovered accounts | Private key discovery, security risk assessment, key rotation planning |
| Account MFA | Multi-factor authentication details (type, provider, device) | MFA coverage analysis, compliance verification, authentication method inventory |
Credential Hygiene:
- Enforce password rotation policies
- Identify accounts with aging credentials
- Detect configuration or provisioning issues
- Support compliance requirements for credential management
- Track certificate expiration dates for renewal planning
Vault Integrations
Queries for analyzing vaulted credentials, secrets, and PAM integration status.
| Query | Description | Use Cases |
|---|---|---|
| Account Vault Objects | Key vault data from integrated vault systems | Vaulted credential inventory, vault coverage analysis, secret management review |
| Secrets by Account | Vault secrets associated with individual accounts | Account-level secret management, credential hygiene |
| Secrets by Group | Vault secrets associated with groups | Group-level secret access, shared credential review |
| Secrets by Group (Expanded) | Vault secrets with nested group membership | Indirect secret access, expanded privilege analysis |
| Vaulted Account Management | Discovered and/or vaulted/managed accounts | PAM coverage analysis, vault onboarding workflow |
Vaulted Account Management details:
The most important columns for this report are:
PAM Status, which reflects either:
- N/A
- CyberArk Discovered, specific to the CyberArk integration discovery workflow.
- Not Vaulted
- Vaulted, through an integrated password/secrets vault.
- Password Managed, through an IGA solution.
Vault/Safe, which lists the name of the Vault or Safe as specified in the vault integration configuration.
Actions, which can be used to add accounts to discovery or to vaults/safes, if available. Hovering over an action displays help text indicating the available options:
- Add To CyberArk Discovery
- Cannot Add To CyberArk Discovery
- Add To Vault
- Cannot Add To Vault
NOTE
Accounts that are already vaulted indicate "Cannot Add To Vault". Accounts that are already known to the CyberArk Discovery workflow indicate "Cannot Add To CyberArk Discovery".
Refer to CyberArk Integration - Onboarding Discovered Accounts to CyberArk for an example.
User Activity
Queries for tracking authentication events, login patterns, and account activity.
| Query | Description | Use Cases |
|---|---|---|
| Authentication by Date | Authentication events filtered by date range | Login pattern analysis, access audits, authentication timeline investigation |
| Stale Accounts | Accounts with no recent login activity | Dormant account identification, cleanup initiatives, license optimization |
| Login Audit | Comprehensive report on all login events | Security investigations, compliance audits, access pattern analysis |
Activity Analysis:
- Track when accounts last authenticated
- Identify dormant accounts for deprovisioning
- Investigate suspicious login patterns
- Support compliance requirements for access logging
Resources & Entitlements
Queries for analyzing systems, applications, and fine-grained permissions.
| Query | Description | Use Cases |
|---|---|---|
| General Resource Query | All discovered resources (systems, applications, databases) | Resource inventory, platform coverage analysis, asset management |
| Groups Extended Attributes Export | Extended group attributes and custom properties | Detailed group analysis, attribute validation, integration with external tools |
| Users Extended Attributes Export | Extended user/account attributes and custom properties | Detailed account analysis, custom attribute reporting, data enrichment |
| Resource Entitlements | (Work in progress - not currently active) | Future: Fine-grained permission analysis |
Classification & Certification
Queries for reviewing account classification, certification status, and compliance mapping.
| Query | Description | Use Cases |
|---|---|---|
| Account Classification | Account data based on Classification Rules | Service account identification, account type audits, classification rule validation |
| SailPoint Certification | SailPoint IIQ certification data (if integrated) | IGA integration verification, certification status tracking |
Privileges
Queries for analyzing elevated permissions and privileged access across the organization.
| Query | Description | Use Cases |
|---|---|---|
| Privileged Group Query | All groups with elevated permissions | Privileged access inventory, least privilege reviews, administrative group audits |
| Privileged Role Query | Role-based permissions and assignments | Cloud role audits, permission set reviews, elevated access tracking |
| Permissions and Roles | (Work in progress - not currently active) | Future: Comprehensive permission analysis |
Privilege Management:
- Identify all accounts with elevated permissions
- Review administrative group memberships
- Track cloud IAM roles and permission sets
- Support least privilege principle enforcement
Query Architecture
Built-In Query System
The Search Library leverages Hydden's query engine with pre-configured:
- Column Definitions: Optimized column sets for each report type
- Filter Models: Default filters appropriate to the query purpose
- Sort Orders: Logical sorting (e.g., highest threat first, oldest password first)
- Report IDs: Unique identifiers for each query enabling API access
Query Execution Flow
- User Selection: User clicks a query name in the Search Library
- Query Retrieval: System loads pre-defined query configuration
- Server-Side Execution: Query executes against entity store with pagination
- Result Rendering: Results display with configured columns and sorting
- Interactive Refinement: User applies additional filters, exports, or saves custom view
Performance Optimization
- Pagination: Results load in batches (typically 1000 records) for fast initial response
- Server-Side Processing: All filtering and sorting happens on the server
- Indexed Attributes: Common query fields are indexed for rapid retrieval
- Caching: Frequently accessed queries may be cached for improved performance
Common Workflows
Security Investigation
- Start with Owner Threat Scores to identify high-risk identities
- Drill into Account Threat Scores for specific accounts
- Use Compromised Accounts to find potential breaches
- Review Login Audit for suspicious authentication patterns
- Export findings to CSV for incident documentation
Compliance Reporting
- Run Insights and Recommendations for framework-specific gaps
- Use Privileged Group Query for elevated access inventory
- Check Account MFA for multi-factor authentication coverage
- Review Password/Secret Age for policy compliance
- Export all reports as compliance evidence
Operational Management
- Run Stale Accounts to identify dormant accounts for cleanup
- Use General Account Query for full account inventory
- Check Password/Secret Never Set for provisioning issues
- Review Vaulted Account Management for vault coverage
- Export for ticketing system integration or cleanup initiatives
Vault Integration Analysis
- Start with Vaulted Account Management for overall status
- Review Secrets by Account for account-level vault data
- Check Secrets by Group for group-based vault coverage
- Identify gaps using PAM Status filters (Not Vaulted, N/A)
- Use Add To Vault actions for discovered accounts
Best Practices
Query Selection
- Start Broad: Begin with general queries (General Account Query, Owners)
- Refine with Filters: Use column filters to narrow results
- Use Specialized Queries: Switch to targeted queries (Compromised Accounts, Stale Accounts) for specific investigations
Export Strategy
- Filter First: Apply filters before exporting to reduce file size
- Select Relevant Columns: Hide unnecessary columns for cleaner exports
- Schedule Large Exports: For very large datasets, consider off-peak hours
- Automate with API: Use API endpoints for recurring export needs
Performance Tips
- Paginate Large Results: Don't attempt to scroll through thousands of rows
- Limit Time Ranges: For date-based queries, use specific date ranges
- Bookmark Favorites: Save frequently-used queries as saved searches
- Use Dashboards: Access queries via dashboard widgets for common workflows
Troubleshooting
| Issue | Solution |
|---|---|
| Query taking too long | Check dataset size; consider using filters to reduce scope |
| No results returned | Verify data collections have run; check date range filters |
| Export fails | Reduce result set with filters; verify export size limits |
| Missing query in library | Check product version; some queries may be version-specific |
| Incorrect data displayed | Refresh browser cache; verify data collection status |
Related Topics
- Global Search - Interactive search interface
- Insights and Recommendations - Framework-aligned security recommendations
- Threat Detection - Understanding threat detection rules
- Account Classification - Classification rule configuration
- Account Z-Score - Statistical anomaly detection
- CyberArk Integration - Vaulting discovered accounts
