IT Security Search 11.4.1 - User Guide

Recovery Manager for Active Directory Server

Recovery Manager for Active Directory performs Active Directory recovery at any level: from individual objects and attributes to entire domains and, in the case of Recovery Manager for Active Directory Forest Edition, even Active Directory forests. IT Security Search lets you track recovery-related activity. Enabling the Recovery Manager for Active Directory data link makes it possible to list available backup states and restore objects to any of them.

To start configuring the Recovery Manager for Active Directory data link, select the Connector enabled option. To set up connection to Recovery Manager for Active Directory, configure the following:

1. Recovery Manager connection settings
   Specify the Recovery Manager server to connect to and the credentials to use for running PowerShell cmdlets on that server. The account you supply must have local administrator privileges on the server.
2. Active Directory connection settings
   Specify the Active Directory domain or a particular domain controller and the credentials to use for working with backup data. The account you supply must be powerful enough to both read the backup configuration and perform recovery by applying backup states.

For up-to-date details about the permissions required for access to Recovery Manager for Active Directory, see the Recovery Manager for Active Directory Deployment Guide.

To make sure that you have specified valid account or accounts, click the Test connection link. This verifies that the credentials are valid and suitable for running searches. However, it does not ensure that the Active Directory access account can perform recovery operations.

Active Roles

Active Roles simplifies and streamlines creation and ongoing management of user accounts, groups and other objects in Active Directory. Generally, whenever you are looking for an answer to the question “What is known about this user or group?” in IT Security Search, the data can be provided by Active Roles.

Active Roles brings information about the following:

• Users
• Groups
• Computers
• OUs
• Active Directory change events as logged by Active Roles
• Active Roles-specific information:
  • Virtual attributes of objects
  • Dynamic groups and their membership rules
  • Management history
  • Managed units

To start configuring the Active Roles data link, select the Connector enabled option. To set up connection to the Active Roles server, configure the following settings:

• Server name
• User name and password
  The account you supply must be powerful enough to do the following:
  • Read Active Directory data
  • Run PowerShell cmdlets on the Active Roles server

To verify that your Active Roles server access works, click the Test Connection link.

Finally, click Apply.

Management History Synchronization Specifics

Management history synchronization between IT Security Search and Active Roles does not happen directly. IT Security Search uses its own “warehouse” component as an intermediary data store. The first synchronization can take a long time, because all available history has to be processed. After that, synchronization involves only the most recent data.

IT Security Search Warehouse

IT Security Search Warehouse receives and stores data that is forwarded by data-providing systems. At this time, only Enterprise Reporter supports forwarding of data to IT Security Search.

To start configuring the Warehouse data link, select the Connector enabled option. However, most of the configuration occurs on the pushing end.

Setting Up Forwarding in Enterprise Reporter

1. In Enterprise Reporter Configuration Manager, under System in the left pane, click Configuration.
2. In the System Configuration view, click IT Security Search.
3. In the Add IT Security Search Configuration dialog box that opens, configure the connection to your IT Security Search server. The account that you supply must be an IT Security Search administrator, meaning a member of the computer local IT Security Search Administrators group on the IT Security Search server. For details about administrative privileges, see Who Can Do What in IT Security Search.

The next push will occur after the next Enterprise Reporter discovery.

What Happens with Active Roles Data

If you use the Active Roles connector, then IT Security Search Warehouse is used for storing Active Roles management history and searching in it. For that data, it doesn't matter if your Warehouse connector is enabled.

Splunk

The Splunk connector retrieves searchable data from Splunk.

The connector has the following minimal configuration options:

• Splunk server URI
• The user name and password of the account to use for access to Splunk

One additional setting that you may want to configure is the number of retrieved Splunk results. By default, Splunk returns 50,000 objects, whereas IT Security Search shows 100,000 per page. To make these limits consistent, take the following steps:

1. On the Splunk server, open (or create if necessary) the %programfiles%\Splunk\etc\system\local\limits.conf file (on Windows) or /opt/splunk/etc/system/local/limits.conf file (on Linux) in a text editor.
2. Add the following lines to the file:
   
   [restapi]
   
   maxresultrows = 100000
3. Restart Splunk.

A predefined Splunk-to-IT Security Search field mapping is provided out of the box. If you find that this mapping doesn't suit you, call Quest Support. This will help improve Splunk integration for you and everyone else.