Chatta subito con l'assistenza
Chat con il supporto

InTrust 11.6 - InTrust Reports

Auditing Exchange Servers

All Events (Based on ChangeAuditor for Exchange Data)

All Exchange-related audit events from Windows event logs

This report requires the InTrust Plug-in for Active Directory Service to be installed on domain controllers. This report contains combined Exchange-related information from the InTrust for Exchange event log, the InTrust for AD event log, and the Application log.

Exchange events statistics (Application log only)

This report shows general Exchange event statistics. You can click a number in the report to view a sub-report with details of the events that the number represents.

Configuration Changes (Based on ChangeAuditor for Exchange Data)

Exchange-related configuration object modifications

This report shows changes to the configuration of the Exchange organization in Active Directory. This report requires ChangeAuditor for Active Directory to be installed on domain controllers.

Logons (Based on Windows Logs)

Administrative logons (Security log only)

This InTrust report shows successful and failed logons of all types by the specified privileged users. By default, only the "Admin" and "Administrator" user names are included. Change the filters to include any other privileged users you need. For failed logons, reasons are displayed. The report uses only Security log events.

Failed logons (Security log only)

This InTrust report shows failed logons of all types. Failure reasons are indicated. The report uses only Security log events.

Multiple failed logons (Security log only)

This InTrust report shows patterns where multiple logon failures occurred in a row, possibly indicating a brute-force attack. Detailed information about the logon failures is provided. The report uses only Security log events. Click a number in the Attempts column to view the details of logon failures in a subreport.

Non-network logons (Security log only)

This InTrust report shows successful and failed logons of all types except 'Network'. For failed logons, reasons are displayed. The report uses only Security log events.

Mailbox Access (Based on ChangeAuditor for Exchange Data)

Store operations

This report shows store operations.

Use of Send privileges

This InTrust report helps you monitor how Send permissions are used. Set the MS Exchange diagnostics logging on the 'Send as' and 'Send on behalf of' on Exchange server to minimum level.

Mailbox Logons (Based on ChangeAuditor for Exchange Data)

Logons (Application log only)

This report shows successful MAPI logons to mailboxes in your Exchange environment. The MAPI protocol is used by clients such as Microsoft Outlook. The report helps you find out who uses which personal or shared mailboxes. This report requires setting the MS Exchange diagnostics logging on the MSExchangeIS at least to minimum level on Exchange server.

Permission Changes (Based on ChangeAuditor for Exchange Data)

Delegate management - brief

This report provides information about delegate assignment, including delegate creation, delegate removal, and changes to permissions granted to delegates via Microsoft Outlook.

Delegate management - detailed

This report provides information about delegate assignment, including delegate creation, delegate removal, and changes to permissions granted to delegates.

Folder permission changes - brief

This report shows changes to folder permissions in mailboxes (client permissions changes). The report contains old permissions value and new permission value.

Mailbox permission changes

This report shows details about changes to user mailbox security settings. The report displays Access Control Entries that were added, deleted, or modified in the ACL of the mailbox. The report helps identity which permissions on which mailboxes were granted to or revoked from which accounts. This report requires ChangeAuditor for Active Directory to be installed on domain controllers.

Public folder permission changes

This report shows Folder Permission changes.

Protection Group Configuration (Based on ChangeAuditor for Exchange Data)

Protection group object modifications

This report shows changes to the configuration of the Exchange organization in Active Directory. This report requires ChangeAuditor for Active Directory to be installed on domain controllers.

Summary (Based on ChangeAuditor for Exchange Data)

Mailbox access

This report shows a color-coded summary of all mailbox access events that occurred in your environment. The baseline is configured in a report parameter. From each section you can drill down to a list of changes associated with the selected number. Comparing the actual number within a particular category with the specified baseline can help detect abnormal administrative activity, discover violations, and improve procedures established in the environment.

Mailbox permissions

This report shows a color-coded summary of all mailbox permissions changes events that occurred in your environment. The baseline is configured in a report parameter. From each section you can drill down to a list of changes associated with the selected number. Comparing the actual number within a particular category with the specified baseline can help detect abnormal administrative activity, discover violations, and improve procedures established in the environment.

Protected groups

This report shows a color-coded summary of all protected groups changes events that occurred in your environment. The baseline is configured in a report parameter. From each section you can drill down to a list of changes associated with the selected number. Comparing the actual number within a particular category with the specified baseline can help detect abnormal administrative activity, discover violations, and improve procedures established in the environment.

Auditing File Servers

Recent Content Operations (Based on ChangeAuditor for File Servers Data)

Shadow copy modifications

This InTrust report shows details about actions preformed with shadow copies. Report contains information about create, delete and rollback actions.

Activity Research (Based on ChangeAuditor for File Servers Data)

Content Activity Research

This InTrust report shows who gained what type of access to files and folders that ChangeAuditor for Windows File Servers monitors. Data in the report is grouped by file server.

User Activity Research

This InTrust report shows who gained what type of access to files and folders that ChangeAuditor for Windows File Servers monitors. Data in the report is grouped by user, then by file server.

Content Usage Statistics (Based on ChangeAuditor for File Servers Data)

Most accessed objects

This InTrust report shows files and folders for which the largest number of access attempts occurred. The time of the last access attempt is included.

Most active content users

This InTrust report shows statistics for users who access monitored files and folders most actively. The time of the last access attempt is included.

Most modified objects

This InTrust report shows files and folders which were modified the most times. The time of the last modification and the user responsible are displayed.

Objects with most failed access attempts

This InTrust report shows files and folders for which the largest number of failed access attempts occurred.

Top active users per operation

This InTrust report shows statistics for users who access monitored files and folders most actively. The time of the last access attempt is included. Access attempts are grouped by operation.

Users with most failed access attempts

This InTrust report shows users with the largest number of failed attempts to access files and folders that ChangeAuditor for Windows File Servers monitors. The time of the last failed access attempt is included.

EMC Events (Based on ChangeAuditor for File Servers Data)

All ChangeAuditor for EMC events by action

This report shows all events from ChangeAuditor for EMC log

All ChangeAuditor for EMC events by IP address

This report shows all events from ChangeAuditor for EMC log

Logons (Based on Windows Logs)

Administrative logons (Security log only)

This InTrust report shows successful and failed logons of all types by the specified privileged users. By default, only the "Admin" and "Administrator" user names are included. Change the filters to include any other privileged users you need. For failed logons, reasons are displayed. The report uses only Security log events.

Failed logons (Security log only)

This InTrust report shows failed logons of all types. Failure reasons are indicated. The report uses only Security log events.

Multiple failed logons (Security log only)

This InTrust report shows patterns where multiple logon failures occurred in a row, possibly indicating a brute-force attack. Detailed information about the logon failures is provided. The report uses only Security log events. Click a number in the Attempts column to view the details of logon failures in a subreport.

Non-network logons (Security log only)

This InTrust report shows successful and failed logons of all types except 'Network'. For failed logons, reasons are displayed. The report uses only Security log events.

NetApp Events (Based on ChangeAuditor for File Servers Data)

All ChangeAuditor for NetApp events by action

This report shows all events from Change Auditor for NetApp log

All ChangeAuditor for NetApp events by IP address

This report shows all events from Change Auditor for NetApp log

Recent Share Operations (Based on ChangeAuditor for File Servers Data)

Recent share operations

This InTrust report shows who and when recently changed shares.

Auditing Workstations

Activity on Workstations (Based on Windows Logs)

Concurrent user logon sessions

This report displays user logon sessions from different computers that overlapped in time. The report uses advanced logon events generate

d by InTrust agents.

Daily total duration of interactive logon sessions

This report shows how long users' interactive logon sessions lasted each day. The report uses advanced logon events generated by InTrust agents.

Local audit policy changes

This InTrust report shows audit policy changes. Audit policy should be modified by administrative accounts only; otherwise these changes can indicate a security breach. Failure of the administrator to duly perform audit policy management tasks may lead to security violations.

Local group management

This InTrust report shows local group changes. Groups should be created, deleted, or changed by administrators. If the administrator fails to duly perform group management tasks, this may lead to user rights misrule and security violations.

Local group membership management

This InTrust report shows local group membership changes. User accounts should be added to or removed from groups by administrators. If the administrator fails to duly perform group membership management tasks, this may lead to user rights misrule and security violations.

Local user account management

This InTrust report shows changes to local user accounts. User accounts should be created, deleted, enabled, or disabled by administrators. If the administrator fails to duly perform account management tasks, this may lead to account misrule and even security violations.

Logons to workstations

This InTrust report shows successful and failed logons of all types. For failed logons, reasons are displayed. This helps analyze who tried to log on to which computers from which workstations.

Removable media attach-detach by workstation

For correct results, this report relies on the "Workstations: Removable devices attached/detached" real-time monitoring policy and real-time monitoring rules from "Use of removable media" folder.

User account lockouts and unlocks by workstation

This InTrust report shows user account locked out and unlocked. A user account can be locked in accordance with the Account Lockout Policy (as a rule, after an incorrect password is entered several times in a row). Such a situation may mean password-guessing, especially if an administrative account gets locked. Click a user account in the report to view its details.

User logon session duration by day

For each interactive logon session this report shows its start and termination time and how long it lasted. The report uses advanced logon events generated by InTrust agents.

Workstation process tracking

This InTrust report shows whether the applications you specify were started. If an application is prohibited, its launch may indicate a security issue. What is more, running restricted software often means corporate policy violations.

Workstation registry access

This InTrust report shows attempts to access registry keys. Access to some registry keys (particularly the startup keys) may be unwarranted.

Workstation registry value modifications (Windows Vista and later)

This InTrust report shows modifications of the registry values on Windows Vista (and later) machines. The report is based on EventID=4657. Note: Some value changes cannot be displayed due to specific data type.

Workstation software installation

This InTrust report helps track what software products are installed or failed to install on which computers. The report shows only those products whose setup programs use Windows Installer. Using the Grouping filter, you can organize the information as necessary. To see what software was installed on particular computers, use grouping by computer. To find out where certain software products were installed, use grouping by software product.

Logons (Based on Windows Logs)

Administrative logons (Security log only)

This InTrust report shows successful and failed logons of all types by the specified privileged users. By default, only the "Admin" and "Administrator" user names are included. Change the filters to include any other privileged users you need. For failed logons, reasons are displayed. The report uses only Security log events.

Failed logons (Security log only)

This InTrust report shows failed logons of all types. Failure reasons are indicated. The report uses only Security log events.

Multiple failed logons (Security log only)

This InTrust report shows patterns where multiple logon failures occurred in a row, possibly indicating a brute-force attack. Detailed information about the logon failures is provided. The report uses only Security log events. Click a number in the Attempts column to view the details of logon failures in a subreport.

Non-network logons (Security log only)

This InTrust report shows successful and failed logons of all types except 'Network'. For failed logons, reasons are displayed. The report uses only Security

Reports_ACS

Reports for ACS

This section contains a list of reports intended for viewing via Microsoft System Center Operations Manager console; they are based on data from Windows security log collected using Audit Collection Services (ACS) and then stored to InTrust Audit database for analysis and reporting.

The special 'InTrust for ACS management pack deployment status' report displays the status of Quest InTrust for ACS Management Pack deployment to Operations Manager agents.

Reports for Operations Manager Console

Computer accounts changes

This InTrust report shows computer accounts changes. Computer accounts should be created, deleted, renamed, or changed by administrative accounts only. If the administrator fails to duly perform computer account management tasks, this may lead to security violations.

Domain Trusts Changes

This InTrust report shows domain trust changes. Domain trusts should be added, removed, or modified by administrative accounts only. If the administrator does not duly perform domain trust management tasks, this may lead to security violations.

File Access

This InTrust report shows file access attempts. Access to certain files may be unwarranted.

Group Management

This InTrust report shows group changes. Groups should be created, deleted, or changed by administrators. If the administrator fails to duly perform group management tasks, this may lead to user rights misrule and security violations.

Group Policy Object access

This InTrust report shows Group Policy objects access attempts. Access to this type of objects may be unwarranted. Such events often indicate changes to the policies, and they need to be tracked. Note This report is based on object access events from the Security log.

InTrust for ACS management pack deployment status

This report displays the status of Quest InTrust for ACS Management Pack deployment to Operations Manager agents (ACS-forwarders). The Management Pack provides for complementing ACS database records with the information required to comply with InTrust repository and Audit database format.

Logon activity trends

This InTrust chart graphically represents logon activity in your network, visualizing, for example, statistics for logons that failed due to different reasons (for example, bad password, disabled user account, etc.). The chart allows you to detect trends in logon activity and analyze anomalies.

Logon Statistics

In the Windows environment different logon types are registered by the system depending on what kind of resource a user accesses. This InTrust report shows all logon types such as interactive logons to domains, access to shared folders, dial-up connections to the network, and so on, and groups logon statistics.

Password resets

This InTrust report shows when account passwords were reset and who reset them. An entry in the report means that the password was either reset or changed. By default, only user accounts are included, but you can use the User Accounts filter if you want to include computer accounts as well.

User Accounts Management

This InTrust report shows changes to user accounts. User accounts should be created, deleted, enabled, or disabled by administrators. If the administrator fails to duly perform account management tasks, this may lead to account misrule and even security violations.

User rights management

This InTrust report shows changes to user rights. User rights should be assigned or removed by administrators. If the administrator fails to duly perform user rights management tasks, this may lead to user rights misrule and security violations.

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione