
IT Security Search 11.5 - User Guide

Recovery Manager for Active Directory Server

Recovery Manager for Active Directory performs Active Directory recovery at any level: from individual objects and attributes to entire domains and, in the case of Recovery Manager for Active Directory Forest Edition, even Active Directory forests. IT Security Search lets you track recovery-related activity. Enabling the Recovery Manager for Active Directory data link makes it possible to list available backup states and restore objects to any of them.

NOTE: You cannot perform forest-level recovery from IT Security Search.

To start configuring the Recovery Manager for Active Directory data link, select the Connector enabled option. To set up connection to Recovery Manager for Active Directory, configure the following:

  1. Recovery Manager connection settings
    Specify the Recovery Manager server to connect to and the credentials to use for running PowerShell cmdlets on that server. The account you supply must have local administrator privileges on the server.
  2. Active Directory connection settings
    Specify the Active Directory domain or a particular domain controller and the credentials to use for working with backup data. The account you supply must be powerful enough to both read the backup configuration and perform recovery by applying backup states.

For up-to-date details about the permissions required for access to Recovery Manager for Active Directory, see the Recovery Manager for Active Directory Deployment Guide.

To make sure that you have specified valid account or accounts, click the Test connection link. This verifies that the credentials are valid and suitable for running searches. However, it does not ensure that the Active Directory access account can perform recovery operations.

Active Roles

Active Roles simplifies and streamlines creation and ongoing management of user accounts, groups and other objects in Active Directory. Generally, whenever you are looking for an answer to the question “What is known about this user or group?” in IT Security Search, the data can be provided by Active Roles.

Active Roles brings information about the following:

  • Users
  • Groups
  • Computers
  • OUs
  • Active Directory change events as logged by Active Roles
  • Active Roles-specific information:
    • Virtual attributes of objects
    • Dynamic groups and their membership rules
    • Management history
    • Managed units

To start configuring the Active Roles data link, select the Connector enabled option. To set up connection to the Active Roles server, configure the following settings:

  • Server name
  • User name and password
    The account you supply must be powerful enough to do the following:
    • Read Active Directory data
    • Run PowerShell cmdlets on the Active Roles server

To verify that your Active Roles server access works, click the Test Connection link.

Finally, click Apply.

Caution: For the connection to the Active Roles server to work, make sure that port 15172 is opened for both inbound and outbound traffic on that server.

Management History Synchronization Specifics

Management history synchronization between IT Security Search and Active Roles does not happen directly. IT Security Search uses its own “warehouse” component as an intermediary data store. The first synchronization can take a long time, because all available history has to be processed. After that, synchronization involves only the most recent data.

Splunk

The Splunk connector retrieves searchable data from Splunk.

The connector has the following minimal configuration options:

  • Splunk server URI
  • The user name and password of the account to use for access to Splunk

One additional setting that you may want to configure is the number of retrieved Splunk results. By default, Splunk returns 50,000 objects, whereas IT Security Search shows 100,000 per page. To make these limits consistent, take the following steps:

  1. On the Splunk server, open (or create if necessary) the %programfiles%\Splunk\etc\system\local\limits.conf file (on Windows) or /opt/splunk/etc/system/local/limits.conf file (on Linux) in a text editor.
  2. Add the following lines to the file:
    [restapi]
    maxresultrows = 100000
  3. Restart Splunk.

A predefined Splunk-to-IT Security Search field mapping is provided out of the box. If you find that this mapping doesn't suit you, call Quest Support. This will help improve Splunk integration for you and everyone else.

Running Searches

To begin searching, enter what you are looking for in the search box. For example, start with a user name, a network share path, a computer name or a phrase to look for in event fields.

A search involves all available item types (events, users, files, computers and so on) at once, no matter which item type is currently highlighted. By default, the number of results returned is limited to 100,000. For Recovery Manager for Active Directory items, the limit is fixed at 5,000.

Viewing Data by Object Type

IT Security Search groups the discovered data by object type:

  • Computers
  • Events
  • Files
  • Groups
  • OUs
  • Shares
  • Users
  • Various other object types for which only Enterprise Reporter provides data, such as those related to Exchange, Azure and Office 365.

You can restrict the view to these object types by clicking the corresponding tab at the top of the grid; for miscellaneous object types provided only by Enterprise Reporter, click the More tab. On this tab, you have the option to make a dedicated tab for any such object type. For that, locate its item in the Object Type list on the left and click the pin icon on that item; this pins a new tab for the object type next to the More tab. When you don't need the tab any more, you can close it; you can pin it again later at any time.

NOTE: The number of items displayed on pinned tabs is limited to 100,000, as for predefined tabs. On the More tab, it is limited to 1000 items per object type.

The object type is also switched when you use links in the context of some object's details, such as Activity initiated by this user or Who granted permissions to this file.

Specifying a Time Range for Events

To display events from only a specific time period, use the time range filter. For that, click the clock icon in the search box. If you choose not to specify a time range, the search will involve all available data.

Customizing the Event Grid Layout

When you view events of a particular kind, you may want to see a specific set of fields, including fields unique to such events. You may also want to hide fields that don't matter to you. To make such changes to the event layout, use the tools in the Columns drop-down menu to the right of the grid.

To add a field as a column, type its name in the text box provided in the drop-down menu and click Add. You can specify any name. To look up the correct field names, use the details view for any relevant event.

To remove an existing column, click the trash can icon next to its name.

To restore the default set of fields, click Reset to defaults.

To reorder columns, drag their headings around in the grid.

Your custom layout settings are used when you export events to PDF or CSV (using the Export to drop-down menu).

Understanding the Event Timeline

The event timeline is a bar graph representation of search results, where you can quickly spot event patterns. For example, it helps you find out the peak hours for the events you are interested in or easily track activity outside business hours.

Viewing Details of Search Results

When you select an item from the result list, the right pane shows brief details about the item. To go to the full details view for this item, click View Details.

The details view also suggests links to related data which you might be interested in and which you might be trying to find in the first place. Clicking such a link starts a search in an automatically supplied context. For example, when you are viewing the details of a folder in a network share, the following links are ready for you:

  • Who accessed this folder
  • Who granted permissions to this folder
  • Files and folders in this share

Information about users, groups, computers and organizational units can come from more than one source. At this time, the following systems provide data about them: Enterprise Reporter, Recovery Manager for Active Directory and Active Roles. When multiple sources have information about the same object, IT Security Search shows data from the source that submitted it first, so that the results can be displayed sooner. A warning is shown about additional data that may be available. If you want these results, click the run a full scan link in the warning text. This will cause IT Security Search to retrieve the data from the remaining sources and correlate it.

Navigating Session History Using Breadcrumbs

As you work with the search results, your search path is saved as a breadcrumb sequence. This helps you go back to any previous step in your session without retracing the steps.

Using Facets to Filter Results

Facets are quick view filters by property value. When you apply a facet, IT Security Search shows only matching items. You can apply multiple facets at once, progressively limiting the number of results; you can also remove any of the facets you have applied.

Facets are shown to the left of the result pane. To apply a facet, click an available value link. For example, if you are viewing the details of a deleted user account (where the value of State is Deleted) and want to focus on other deleted users, click the Deleted link.

Alternatively, you can use the item's properties to work with facets. The properties that support this have funnel icons next to them in the details pane. To apply a facet, click such a property.

Fine-Tuning Your Search Terms

Simple searches produce results where the term you specify is contained anywhere in the discovered data. To make your searches less broad and more relevant, you can use hints, for example by prefixing the field names to look in. For details, see Search Term Syntax.

Automating Complex Search Scenarios

Some search workflow ideas are best expressed as multi-stage search queries where data produced by a search is automatically streamed into the next search in a chain. The pipe operator (|) helps you achieve this, and field names in curly braces specify which fields to analyse in that data.

Example 1: Find the managers of all users who have created or deleted files on the \\FILESRV1\Software network share

"\\FILESRV1\Software" | Description:{SharePath} AND (What="File Created" OR What="File Deleted") | Who={Who} | DisplayName="{ManagedByDisplayName}"

Example 2: Find events by users from the Milwaukee office on computer FILESRV1

Office="Milwaukee" | Who:{SAMAccountName} AND Where:filesrv1

Example 3: Find computers where members of the Accounting group have logged in

"Accounting" | Who:{SAMAccountName} AND What:logon | Where={Where}

Example 4: Find all users from the same office as user dshaw

Who="dshaw" | Office="{Office}"
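The following script is an added example, not IT Security Search code, that simulates how a chained query is evaluated: each stage runs against all item types at once, and a field name in curly braces expands to the distinct values of that field from the previous stage's results. The records, the clause syntax (Field=Value as an exact match, Field:Value as a substring match, a bare quoted term matching any field, clauses joined by AND, no OR or parentheses) and the placeholder rule are assumptions made here for illustration; the toy runs Example 2 above and a constructed four-stage chain modelled on Example 1.

```python
"""Toy simulation of multi-stage (pipe) query chaining.

Added example, not product code. The records below, the clause syntax
(Field=Value exact, Field:Value substring, bare "term" against any field,
AND-joined clauses) and the rule that {Field} expands to the distinct values
of that field in the previous stage's results are all constructed assumptions.
"""
import re

# Constructed sample data: every stage searches all item types at once.
USERS = [
    {"SAMAccountName": "dshaw", "DisplayName": "Dan Shaw", "Office": "Milwaukee", "ManagedBy": "Pat Quinn"},
    {"SAMAccountName": "jlee", "DisplayName": "Jo Lee", "Office": "Milwaukee", "ManagedBy": "Pat Quinn"},
    {"SAMAccountName": "mchen", "DisplayName": "Mei Chen", "Office": "Seattle", "ManagedBy": "Pat Quinn"},
    {"SAMAccountName": "pquinn", "DisplayName": "Pat Quinn", "Office": "Milwaukee"},
]
EVENTS = [
    {"Who": "dshaw", "What": "Logon", "Where": "WKS-ACCT01"},
    {"Who": "mchen", "What": "Logon", "Where": "FILESRV1"},
    {"Who": "jlee", "What": "Logon", "Where": "FILESRV1"},
    {"Who": "dshaw", "What": "File Created", "Where": "FILESRV1"},
]
CORPUS = USERS + EVENTS

# Field=Value, Field:Value or a bare "term"; the value may be a {Placeholder}.
CLAUSE_RE = re.compile(r'^(?:(?P<field>\w+)(?P<op>[=:]))?"?(?P<value>[^"]+)"?$')
PLACEHOLDER_RE = re.compile(r"^\{(\w+)\}$")


def field_values(records, field):
    """Distinct values of `field` across records; records lacking it add nothing."""
    return {r[field] for r in records if field in r}


def clause_matches(record, field, op, candidates):
    """True if the record's field (or any field, when unspecified) matches a candidate."""
    def hit(actual, wanted):
        actual, wanted = str(actual).lower(), str(wanted).lower()
        return actual == wanted if op == "=" else wanted in actual

    fields = [field] if field else list(record)
    return any(hit(record[f], w) for f in fields if f in record for w in candidates)


def run_stage(query, previous):
    """Evaluate one pipeline stage against the whole corpus."""
    parsed = []
    for clause in query.split(" AND "):
        m = CLAUSE_RE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        field, op, value = m.group("field"), m.group("op") or ":", m.group("value")
        ph = PLACEHOLDER_RE.match(value)
        # A placeholder that resolves to no values makes the stage return nothing.
        candidates = field_values(previous, ph.group(1)) if ph else {value}
        parsed.append((field, op, candidates))
    return [r for r in CORPUS if all(clause_matches(r, f, op, c) for f, op, c in parsed)]


def run_chain(chain):
    """Run a | separated chain, streaming each stage's results into the next."""
    results = []
    for stage in chain.split("|"):
        results = run_stage(stage.strip(), results)
    return results


if __name__ == "__main__":
    # Example 2 from the guide: events by Milwaukee users on FILESRV1.
    for r in run_chain('Office="Milwaukee" | Who:{SAMAccountName} AND Where:filesrv1'):
        print(r)
    # Constructed chain in the spirit of Example 1: managers of those users.
    for r in run_chain('Office="Milwaukee" | Who:{SAMAccountName} AND Where:filesrv1'
                       ' | SAMAccountName="{Who}" | DisplayName="{ManagedBy}"'):
        print(r)
```

The point to notice is that each stage narrows the candidate set only through the placeholder: a stage whose placeholder resolves to no values (because the previous stage returned records without that field) returns nothing, which is the usual reason a long chain comes back empty.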
