If the predefined Repository Viewer searches do not cover your specific needs, use custom searches: either based on the predefined ones or created from scratch.
|
IMPORTANT: To create custom searches, you need to make sure your account is an InTrust organization administrator. To view and edit the list of organization administrators, do one of the following:
The default organization administrators are the accounts used for installing InTrust and for running InTrust services. |
To run an ad-hoc search with parameters, use the Search Filter tab, which is under the event list in the default layout. The Add or Remove Parameters button lets you customize your search, as follows:
If you expect to use the same set of parameters in the future, you can save it as a custom search. For details, see Custom Searches below.
Any search filter configuration can be saved as a search. You can make custom searches:
To create a search based on your current filter configuration and place in the navigation tree, click Save As in the Search Filter tab when it shows your filter settings, and specify the name of the new search in the dialog box that appears.
|
Note: The Save As button is available only when the filter parameters are configured from scratch. When an existing search is selected, the button is labeled Copy To. |
Mind that the node currently selected in the navigation tree can affect the set of parameters defined for the search. For example, if a particular computer is selected, an additional parameter will be automatically added to show events only from this computer. If you want to avoid this, create searches while the root folder of the repository is selected.
|
Note: Each user's custom searches are saved in the InTrust configuration database. They are available to all InTrust organization administrators (for reading and writing) and members of the AMS Readers local group on the repository-managing InTrust server (for reading). |
To logically nest searches, organize them into folders:
If you want to find specific information no matter which event field it is in, use the Any Field parameter for your search term. This is especially helpful if you are not familiar with the information layout in the events you are working with.
To find this parameter in the Select Filter Parameters dialog box, select the Primary option in the drop-down list. Any Field is the first item in the list.
Generally, this is a good starting point for refining a search: it let you exclude the fields where you don't want the term to occur instead of trying to include all the fields where it might occur.
After you have opened a repository group in Repository Viewer, you can manage its membership as follows:
The shortcut menu for a repository group also contains the Rename Repository Group and Delete Repository Group commands. The Delete Repository Group command erases the group from InTrust configuration. The other place where you can delete a repository group is in the Open Repositories wizard; all existing repository groups in the InTrust organization are listed there.
|
IMPORTANT: Whenever a repository is added to a group or removed from it, the change is immediately applied in all instanced of Repository Viewer connected to an InTrust organization. In addition, removing a repository group also deletes all scheduled reports that use the repository group. These changes should be made responsibly. |
Repository Viewer provides a variety of fields to look in. To list all of them, select All in the drop-down list in the Select Filter Parameters toolbar. By default, only the normalized fields (such as Who, When or What) are shown.
The parameters include:
When you have added a parameter to the Search Filter tab, specify the following:
|
Note: In the current version of Repository Viewer, the following issues are known to exist in search filters:
|
All the parameters you include in the filter are combined using logical AND—they must all match for the filter as a whole to match. For details about using OR operations, see Advanced Expression-Based Filters.
|
Caution: For some search filter operators, there is no search speedup if the repository is indexed. The following operators cannot take advantage of the index:
|
Selecting Custom in the parameter value combo box opens a dialog box that lets you set up multiple matching conditions and manage their flow with the AND and OR operators.
Note that this logic is processed for values of a single parameter. If you want to analyze multiple parameters, see Advanced Expression-Based Filters for details.
These fields are not present in the original events; they are filled in by InTrust based on knowledge about the contents of regular fields in various types of events. Normalized fields make it easier to retrieve the most important information from the event; you do not have to know which particular original fields contain which kind of information.
The current set of supported normalized fields is as follows:
FIELD |
MEANING |
---|---|
What |
A brief description of what the event is about. It is related to such fields as Description and Category. Example: For all events that have to do with logging on, the What field says Logon, regardless of the event category, platform where it occurred, or nature of the logon. |
When | When the event was generated. The time is automatically converted to the local time on the computer where Repository Viewer is running. |
Where | The computer where the event happened (had effect). |
Where From | The name or IP address of the computer from which the activity (such as a logon, or a configuration change) was performed. This is not necessarily the same computer as the one where the activity had effect. |
Who |
Plain user name of the account that caused the event. Example: Using this field helps you track user activity across platforms: Windows, Unix, VMware and so on. |
WhoDomain |
The Active Directory domain of the account that caused the event, where applicable. |
Whom |
The user account that was affected by the event, where applicable. Example: In password change events, this field shows whose password was changed. |
|
Note: Use Event-o-Pedia |
The Custom filter parameter lets you specify expressions for very specific filtering needs that cannot be covered by the built-in options (for example, complex time ranges). The parameter accepts expressions in the REL expression language, which is used for event analysis throughout InTrust. The language is described in the InTrust Customization Kit document.
The immediate and intuitive advantage of custom expressions is the ability to use logical OR across multiple fields to branch your matching conditions. Effectively, this lets you combine multiple searches.
The default catch-all expression is true. In real-world use, you need to provide a REL expression that evaluates to true only if your specific conditions are met.
Examples of expression-based filters:
What you want to find |
Expression |
---|---|
Events where the Computer field is "SRV01" or the User Name field is "DOMAIN1\jdoe", but not necessarily both at once. |
(Computer = "SRV01") or (UserName = "DOMAIN1\\jdoe") |
Events where the Who field is an account that is a member of the Domain Admins group. |
member_of( Who, 'Domain Admins', true) Important: This expression works only for global and universal groups, not for domain local groups. It is suitable in this case, because Domain Admins is a global group. |
For more advanced expression techniques, refer to the REL-specific topics in the InTrust Customization Kit.
The Business Hours and Non-Business Hours parameters define fixed time patterns, and no user interface is provided for editing these patterns. If you need to adjust the hours for a particular search, you can do so using native SQL Server tools, as follows:
|
Note: It is assumed that the times you specify are in the time zones of the computers where the events were logged. If you want these original timestamps to appear in Repository Viewer and scheduled reports, make sure the Local Time column is displayed in the grid. This column is hidden by default. For details about changing the grid, see Configuring the Result Layout. |
To view the details of a selected event, use the Event Details tab. Double-click the event to open this tab.
In addition to displaying event details, this view provides some useful functionality. Click anywhere in the Event Details tab to open the shortcut menu with the additional options:
Investigate in IT Security Search and Set Up IT Security Search Link
See Drilling Down with IT Security Search below for details.
You can use the event whose details you are viewing as a starting point for an event analysis session in IT Security Search.
Before you can use this functionality, you need to configure the link between Repository Viewer and IT Security Search. Repository Viewer needs to know the URL where IT Security Search is available in your environment and which event fields to use for generating search queries. Click Set Up IT Security Search Link in the shortcut menu to specify these settings.
After you have configured the link, you can use the Investigate in IT Security Search action with any event currently opened in the Event Details tab.
For details about using IT Security Search, see the IT Security Search User Guide.
© ALL RIGHTS RESERVED. Conditions d’utilisation Confidentialité Cookie Preference Center