Where the Data Comes From
IT Security Search relies on data provided by auditing and operations management systems. At this time, the following systems are supported:
- InTrust
- Change Auditor
- Enterprise Reporter
- Recovery Manager for Active Directory
- Active Roles
- Splunk
You can connect to any combination of these systems. However, to make the most of IT Security Search, you should establish links with all of them that are available to you. IT Security Search is designed to correlate the data they supply, sparing you the effort of trying to match disparate bits of information to build up a picture.
For example, an event captured by InTrust can prompt you to examine the initiator user account closely; user information is provided by Enterprise Reporter. Next, you might be interested in recent changes to the user account; this information comes from Change Auditor. With all three systems interconnected, these transitions from one piece of data to another are quick and seamless.
Support for Recovery Manager for Active Directory lets you perform recovery directly from the IT Security Search interface in addition to viewing a list of available backup states. For each of them, a link is provided that lets you restore that particular state. If the object was changed rather than deleted, you can select specific modified attributes to restore. If it was deleted, you can only restore it to a full state.
Specifying Data Sources
To configure the connections between IT Security Search and any of the supported systems available in your environment, go to the IT Security Search settings page. To open this page, click Settings in the upper right corner.
See the following topics for details about connection configuration for each of the systems:
- InTrust
- Change Auditor
- Enterprise Reporter
- Recovery Manager for Active Directory
- Active Roles
- Warehouse
- Splunk
Change Auditor Database
Change Auditor produces information about what is happening to critical resources such as Active Directory, Exchange or files on file servers, or in cloud environments such as Azure and Office 365. Generally, whenever you are looking for an answer to the question “What changed in the environment?” in IT Security Search, the data is likely provided by Change Auditor.
To start configuring the Change Auditor database data link, select the Connector enabled option. To set up connection to the Change Auditor database, configure the standard SQL Server database access settings:
- Server name
- Database name
- Authentication type
The following options are available:- Windows authentication
Make sure the Active Directory account you specify is granted Read and Execute permissions on the database. - SQL Server authentication
Specifies that SQL Server-specific credentials are used.
- Windows authentication
- User name and password
To verify that your Change Auditor database access works, click the Test Connection link.
Finally, click Apply.
|
|
Caution: To make Change Auditor generate the events you want to see in IT Security Search, configure monitoring of the Active Directory attributes you are interested in. For that, in the configuration of the Auditing task, in the AD Attribute Auditing page, go to Forest Attributes. Select the object class and enable monitoring for the necessary attributes. For details about working with Change Auditor tasks, see the Change Auditor User Guide. |
InTrust Repository
InTrust collects audit events from a wide range of logs on a variety of platforms. Generally, whenever you are looking for an answer to the question “What happened?” in IT Security Search, the data is provided by InTrust.
To start configuring the InTrust repository data link, select the Connector enabled option. To set up connection to one or more InTrust repositories with audit data, configure the following:
- InTrust server name and credentials
This is an InTrust server in the InTrust organization where the repository is registered. There can be multiple servers in an InTrust organization, and any of them is accepted.
Make sure access to repositories is configured for the account you supply:- The account must be a member of the computer local AMS Readers group on the InTrust server.
- The account must have Read permissions on the network share that makes the repository available.
- The repository or repositories to connect to
|
NOTES:
|
To verify that your repository access works, click the Test Connection link.
Finally, click Apply.
Enterprise Reporter Database
Enterprise Reporter retains information about the configuration of critical systems. Generally, whenever you are looking for an answer to the question “What settings are configured for this?” in IT Security Search, the data is provided by Enterprise Reporter.
|
IMPORTANT: The Enterprise Reporter connector is being phased out. In future versions, support for Enterprise Reporter data will be provided only in the IT Security Search Warehouse connector, which will have all the features of the current Enterprise Reporter connector and more. Currently, using the Enterprise Reporter connector is recommended only if you work with information about effective permissions. Otherwise, consider switching to the IT Security Search Warehouse connector. |
To start configuring the Enterprise Reporter database data link, select the Connector enabled option. To set up connection to the Enterprise Reporter database, configure the standard SQL Server database access settings:
- Server name
- Database name
- Authentication type
The following options are available:- Windows authentication
- SQL Server authentication
Specifies that SQL Server-specific credentials are used.
- User name and password
Make sure the Active Directory account you specify is granted Read and Execute permissions on the database.
To verify that your Enterprise Reporter database access works, click the Test Connection link.
Finally, click Apply.
Keeping the Index Up to Date
Before you can use data from the Enterprise Reporter database, you need to wait until IT Security Search builds an index of objects that are loaded from the database.
To track the database indexing progress, check the Enterprise Reporter connector settings page. If any errors occur during indexing, they are displayed on the page.
By default, the index is updated every 24 hours. You can force an update by clicking Refresh Data Now.
Making All Data Cohesive with Enterprise Reporter
IT Security Search provides the Who, Whom and Where smart aliases for record fields in the data it analyzes. This ensures that you get associated data from unrelated sources using the same terms in your search queries.
The necessary field mapping is created from Enterprise Reporter data. For example, if the Enterprise Reporter connector is configured, you can proceed from the user details page directly to a list of events initiated by the user. Otherwise, the Activity initiated by this user link may not even be available in the details, or it may produce fewer results than it should.
To make sure Enterprise Reporter provides the data for the mapping, configure a recurring Active Directory discovery that includes users and computers in its scope. Set the frequency of the discovery according to the policies in your environment.
Ensuring Correct Object Counts for OUs
By default, the Do not collect object counts option is enabled for Active Directory discoveries in Enterprise Reporter. If IT Security Search uses data obtained by such discoveries, it shows zeros for the number of users, groups and so on in the details of OUs. To make IT Security Search show the correct object counts, make sure the Do not collect object counts option is cleared for your Active Directory discoveries.