Recovery Manager for Active Directory performs Active Directory recovery at any level: from individual objects and attributes to entire domains and, in the case of Recovery Manager for Active Directory Forest Edition, even Active Directory forests. IT Security Search lets you track recovery-related activity. Enabling the Recovery Manager for Active Directory data link makes it possible to list available backup states and restore objects to any of them.
NOTE: You cannot perform forest-level recovery from IT Security Search. |
To start configuring the Recovery Manager for Active Directory data link, select the Connector enabled option. To set up connection to Recovery Manager for Active Directory, configure the following:
For up-to-date details about the permissions required for access to Recovery Manager for Active Directory, see the Recovery Manager for Active Directory Deployment Guide.
To make sure that you have specified valid account or accounts, click the Test connection link. This verifies that the credentials are valid and suitable for running searches. However, it does not ensure that the Active Directory access account can perform recovery operations.
Active Roles simplifies and streamlines creation and ongoing management of user accounts, groups and other objects in Active Directory. Generally, whenever you are looking for an answer to the question “What is known about this user or group?” in IT Security Search, the data can be provided by Active Roles.
Active Roles brings information about the following:
To start configuring the Active Roles data link, select the Connector enabled option. To set up connection to the Active Roles server, configure the following settings:
To verify that your Active Roles server access works, click the Test Connection link.
Finally, click Apply.
Caution: For the connection to the Active Roles server to work, make sure that port 15172 is opened for both inbound and outbound traffic on that server. |
Management history synchronization between IT Security Search and Active Roles does not happen directly. IT Security Search uses its own “warehouse” component as an intermediary data store. The first synchronization can take a long time, because all available history has to be processed. After that, synchronization involves only the most recent data.
The Splunk connector retrieves searchable data from Splunk.
The connector has the following minimal configuration options:
One additional setting that you may want to configure is the number of retrieved Splunk results. By default, Splunk returns 50,000 objects, whereas IT Security Search shows 100,000 per page. To make these limits consistent, take the following steps:
A predefined Splunk-to-IT Security Search field mapping is provided out of the box. If you find that this mapping doesn't suit you, call Quest Support. This will help improve Splunk integration for you and everyone else.
To begin searching, enter what you are looking for in the search box. For example, start with a user name, a network share path, a computer name or a phrase to look for in event fields.
A search involves all available item types (events, users, files, computers and so on) at once, no matter which item type is currently highlighted. By default, the number of results returned is limited to 100,000. For Recovery Manager for Active Directory items, the limit is fixed at 5,000.
IT Security Search groups the discovered data by object type:
Various other object types for which only Enterprise Reporter provides data, such as those related to Exchange, Azure and Office 365.
You can restrict the view to these object types by clicking the corresponding tab at the top of the grid; for miscellaneous object types provided only by Enterprise Reporter, click the More tab. On this tab, you have the option to make a dedicated tab for any such object type. For that, locate its item in the Object Type list on the left and click the pin icon on that item; this pins a new tab for the object type next to the More tab. When you don't need the tab any more, you can close it; you can pin it again later at any time.
NOTE: The number of items displayed on pinned tabs is limited to 100,000, as for predefined tabs. On the More tab, it is limited to 1000 items per object type. |
The object type is also switched when you use links in the context of some object's details, such as Activity initiated by this user or Who granted permissions to this file.
To display events from only a specific time period, use the time range filter. For that, click the clock icon in the search box. If you choose not to specify a time range, the search will involve all available data.
When you view events of a particular kind, you may want to see a specific set of fields, including fields unique to such events. You may also want to hide fields that don't matter to you. To make such changes to the event layout, use the tools in the Columns drop-down menu to the right of the grid.
To add a field as a column, type its name in the text box provided in the drop-down menu and click Add. You can specify any name. To look up the correct field names, use the details view for any relevant event.
To remove an existing column, click the trash can icon next to its name.
To restore the default set of fields, click Reset to defaults.
To reorder columns, drag their headings around in the grid.
Your custom layout settings are used when you export events to PDF or CVS (using the Export to drop-down menu).
The event timeline is a bar graph representation of search results, where you can quickly spot event patterns. For example, it helps you find out the peak hours for the events you are interested in or easily track activity outside business hours.
When you select an item from the result list, the right pane shows brief details about the item. To go to the full details view for this item, click View Details.
The details view also suggests links to related data which you might be interested in and which you might be trying to find in the first place. Clicking such a link starts a search in an automatically supplied context. For example, when you are viewing the details of a folder in a network share, the following links are ready for you:
Information about users, groups, computers and organizational units can come from more than one source. At this time, the following systems provide data about them: Enterprise Reporter, Recovery Manager for Active Directory and Active Roles. When multiple sources have information about the same object, IT Security Search shows data from the source that submitted it first, so that the results can be displayed sooner. A warning is shown about additional data that may be available. If you want these results, click the run a full scan link in the warning text. This will cause IT Security Search to retrieve the data from the remaining sources and correlate it.
As you work with the search results, your search path is saved as a breadcrumb sequence. This helps you go back to any previous step in your session without retracing the steps.
Facets are quick view filters by property value. When you apply a facet, IT Security Search shows only matching items. You can apply multiple facets at once, progressively limiting the number of results; you can also remove any of the facets you have applied.
Facets are shown to the left of the result pane. To apply a facet, click an available value link. For example, if you are viewing the details of a deleted user account (where the value of State is Deleted) and want to focus on other deleted users, click the Deleted link.
Alternatively, you can use the item's properties to work with facets. The properties that support this have funnel icons next to them in the details pane. To apply a facet, click such a property.
Simple searches produce results where the term you specify is contained anywhere in the discovered data. To make your searches less broad and more relevant, you can use hints—for example, by prefixing the field names to look in. For details, see Search Term Syntax.
Some search workflow ideas are best expressed as multi-stage search queries where data produced by a search is automatically streamed into the next search in a chain. The pipe operator (|) helps you achieve this, and field names in curly braces specify which fields to analyse in that data.
Example 1: Find the managers of all users who have created or deleted files on the \\FILESRV1\Software network share
"\\FILESRV1\Software" | Description:{SharePath} AND (What="File Created" OR What="File Deleted") | Who={Who} | DisplayName="{ManagedByDisplayName}"
Example 2: Find events by users from the Milwaukee office on computer FILESRV1
Office="Milwaukee" | Who:{SAMAccountName} AND Where:filesrv1
Example 3: Find computers where members of the Accounting group have logged in
"Accounting" | Who:{SAMAccountName} AND What:logon | Where={Where}
Example 4: Find all users from the same office as user dshaw
Who="dshaw" | Office="{Office}"
© ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center