InTrust 11.4.2 - Preparing for Auditing TPAM

Usage Scenarios

This chapter describes typical situations in a production environment and how InTrust with the TPAM Knowledge Pack help handle them, as follows:

• Observing TPAM Session Requests
• Tracking User Activity in Environment

Information in this section implies that you are familiar with InTrust repositories and Repository Viewer. For detailed information on browsing InTrust repositories with Repository Viewer, refer to Understanding InTrust Repositories and Searching for Events in Repository Viewer.

Observing TPAM Session Requests

Suppose for a security reason you need to check whether and when (if applicable) a specific user had access to a particular host through TPAM session. Given that you have configured TPAM and InTrust intercommunication as described in the Getting Started topic, you can solve this task as follows:

1. Open Repository Viewer to browse data stored in your repository
2. Use the predefined search named TPAM session requests (last 24 hours) located under Auditing Unix and Linux | Auditing TPAM. This search will find all events related to TPAM session requests which were generated during last 24 hours. Events are grouped by the Target field which represent managed host the request was referred to.
3. To look for a particular user, target or time period, or for all of them at the same time, you need to narrow down the search scope by configuring the following parameters of the search filter:
   • To define a user or a set of users, use the Who field from Normalized Strings
   • To set managed hosts requests were referred to, use the Target field from Named Insertion Strings.
   • To limit time period, use the When field from Normalized Strings
4. Finally, to execute search, click the Go button. The events providing all necessary information according to your search criteria will be shown in the events grid.

Tracking User Activity in Environment

One of the greatest benefits of using InTrust in your environment is that you get the ability to consolidate various log sources and view them in InTrust Repository Viewer.

Information on user and admin activity from TPAM complements information from the other sources such as events from Active Directory domain controllers where TPAM users reside, the user session events tracked on workstations or any other sources supported by InTrust for log collection. Combining such information sources together allows getting complete trace of user activity in your environment.

Suppose you need to correlate Syslog events from TPAM with events from Windows event log to completely track activity of a particular user in your environment, such as

• Account logon and authentication events
• Events from TPAM Syslog and from Syslog of managed systems

For that purpose, you can create a custom Search Folder which includes all necessary data sources in InTrust Repository Viewer and use the Who field from Normalized Strings as well as any other filter parameters as follows:

1. In InTrust Repository Viewer create a new search folder. For that, right-click Custom Search Folders and select Create Search Folder.
2. Add a Custom filter parameter and specify the following query as its value:
   ((striequ(Log,"security")) and ((striequ(What,"logon")) or (striequ(What,"Kerberos Authentication")))) or (striequ(Log,"syslog")) or (striequ(Log,"TPAM"))
3. Select users you are interested in using the Who field.
4. After that configure layout according to your needs using fields from Normalized Strings, such as When, What, Where from, and other fields.

Now you can track when the selected users logon to their Windows computers, when they access TPAM and which activities they perform through TPAM.