Use the following syntax for search terms in the search box. Searches are case-insensitive.
Notes:
For details about the fields that you can use in your search queries, see Data Field Reference.
This is known as full-text search. The search involves all available fields and uses the Contains operator.
Meaning | Syntax | Details |
---|---|---|
Look for a single-word term in any attribute | Word without spaces. Example: john | john matches John or john in any attribute, but does not match stjohn in any attribute |
Look for a single-word term with the specified beginning in any attribute | Word ending in an asterisk (*) without spaces. Example: john* | john* matches John or Johnson in any attribute |
Find entries where a specific single-word term is not contained in any attribute | Word without spaces with a leading hyphen. Example: -john | -john may match entries that contain stjohn, but does not match entries that contain john in any attribute |
Find entries where a specific single-word term with the specified beginning is not contained in any attribute | Word ending in an asterisk (*) without spaces with a leading hyphen. Example: -john* | -john* may match entries that contain stjohn, but does not match entries that contain john or johnson in any attribute |
Meaning | Syntax | Details |
---|---|---|
Look for entries with specific single-word terms in any attributes | Words separated by spaces. Example: john glen* | john glen* matches john and glen, or john and glenda, or john and glen and glenda, wherever they are found |
Look for entries that do not contain specific single-word terms in any attribute | Words without spaces, each with a leading hyphen. Examples: | |
Look for entries with a specific multiple-word phrase in any attribute | Phrase in quotation marks. Example: "Account Logon" | "Account Logon" matches entries that contain the exact phrase Account Logon in any attribute |
Look for entries that do not contain a specific multiple-word phrase in any attribute | Phrase in quotation marks with a leading hyphen. Example: logon server01 -"Account Logon" | logon server01 -"Account Logon" matches entries that contain the words Logon and server01 anywhere but do not contain the exact phrase Account Logon in any attribute |
Meet one of the specified terms (or sets of terms) | Terms (single words or phrases) separated by the OR operator; this operator has the following specifics: Examples: | |
Explicitly mark an AND operation for visual clarity | Terms (single words or phrases) separated by the AND operator; this operator has the following specifics: Examples: | paul AND john and paul john are identical in meaning: look for entries where both paul and john occur. |
Group and nest terms for logical operations on them | Parentheses enclosing the terms you want to group. Example: (homer marge) OR (peter lois) | (homer marge) OR (peter lois) matches either entries with both homer and marge, or entries with both peter and lois. It does not match entries with both peter and homer that do not contain lois or marge. |
To apply your search term only to a particular attribute, prefix the term with the attribute name followed by a colon (:) or an equals sign (=), as shown in the table below. If the attribute name consists of multiple words, enclose it in square brackets (as in [log name]:security). All the syntax conventions described above also apply.
The following distinction is important:
For details about the meanings of labels in particular contexts, see Normalized Attributes below.
Note: When you look for permission information, you can use the Who, What and Owner attributes as follows:
Meaning | Syntax | Details |
---|---|---|
Attribute contains term | Examples: | |
Attribute does not contain term | Examples: | |
Attribute equals term | Examples: | |
Attribute does not equal term | Examples: | |
If your search term must include double quotes ("), then for each double quote you need to supply an additional double quote as an escape character. See the following examples:
To find this string | Specify this term |
---|---|
the "Cancel" button | "the ""Cancel"" button" |
computer "kltest16" | "computer ""kltest16""" |
This requirement does not apply to apostrophes, which are frequently used as quotes. Single quotes of this kind do not need escaping and should be specified in a plain string, as in "local 'Administrator' user".
Select one of the operators (explained in the following table), and enter your filter terms.
Operator | Syntax | Example | Meaning |
---|---|---|---|
Contains | [FieldName]:<Value> | Name:Paul | The attribute contains all of the specified terms at once in any combination |
Does not contain | -[FieldName]:<Value> | -Name:John | The attribute contains none of the specified terms anywhere |
Equals | [FieldName]=<Value> | Name="John Paul" | The attribute contents are identical to the specified phrase; do not enclose the phrase in quotation marks for this operator |
Does not equal | -[FieldName]=<Value> | -SamAccountName=jpaul | The attribute contents are not identical to the specified phrase; do not enclose the phrase in quotation marks for this operator |
The following search syntax rules, described above, also apply to filter terms:
Note: Asterisk wildcards in an initial position are currently not supported for events provided by InTrust and Recovery Manager for Active Directory. This limitation does not apply to data provided by Change Auditor and Enterprise Reporter.
The following table shows which attributes are involved in searches that use the Who, What and Where labels. Active Directory attributes are bolded. Information about events is not included, because Who, What and Where are mapped directly to the same-name fields in InTrust and Change Auditor events.
Context ↓ \ Label → | Who | What | Where |
---|---|---|---|
Users | SAMAccountName, DisplayName, AccountSid, DistinguishedName, LogonName | N/A | DomainName |
Groups | User information, User account information, ManagedByFullName, ManagedByDisplayName | N/A | DomainName |
Computers | ManagedByFullName, ManagedByDisplayName | N/A | ComputerName, NetBiosName |
Shares | User information | N/A | ComputerName |
Files | Permission information | Permission information | ComputerName |
Functions are a way to transform the results of a query to other objects inside a larger query. IT Security Search functions take a query as their single argument and return a collection of objects. Function names are case-insensitive.
Function | Details | Examples |
---|---|---|
Members | Returns the direct members of all groups that the argument query returned. | Members([Managed By]:"marty stu") |
Members_Deep | Returns both direct and indirect members of all groups that the argument query returned. | Members_Deep(name="DL.IT") |
MemberOf | Returns all groups that directly contain the accounts returned by the argument query. | MemberOf(FullName="DL.Accounting") |
MemberOf_Deep | Returns all groups that directly or indirectly contain the accounts returned by the argument query. | MemberOf_Deep(Name="DL.Facilities") |
If the argument query returns objects that a function cannot be applied to, the function skips them. For example, the Members function ignores user account objects.
Suppose you want to get events from all computers where user martystu is an administrator. Use the following query:
MemberOf_Deep(Who=martystu) AccountSID="S-1-5-32-544" | Where="{DomainName}" Who=martystu
This query takes advantage of the well-known SID of the built-in Administrators group. First it finds all aliases of this user account, then it gets all local Administrators groups where those accounts are members, no matter whether direct or indirect (membership information is discovered by Enterprise Reporter). Then the query pipes the results through a sub-query to find all events by these users on computers where they are administrators. For details about search-in-search capabilities, see Making Multi-Stage Searches.
These functions support a syntax extension that lets you fine-tune their behavior by specifying attributes. A function call with attributes looks like this:
[FunctionName:attribute1,attribute2,…, attributeN](<search query>)
For example, to list objects that are explicitly denied access to a specific file, use the ObjectPermissions function as follows:
[ObjectPermissions:deny,explicit]("c:\sensitive\off_limits.txt")
By default, it is assumed that you request data about all "allow" permissions.
Function | Supported | Details | Examples |
---|---|---|---|
ObjectPermissions | allow | Returns users and groups that have direct (explicitly assigned and inherited) permissions on the discovered file, folder or network share. | |
ObjectPermissions_Effective | allow | Returns users and groups that have direct (explicitly assigned and inherited) and indirect (obtained through group membership) permissions on the discovered file, folder or network share. | |
AccountPermissions | allow | Returns files, folders and network shares where the specified user or group is directly granted permissions. | |
AccountPermissions_Effective | allow | Returns files, folders and network shares where the specified user or group is directly or indirectly granted permissions. | |
Calling the default parameter-free variants of these functions is equivalent to calling them with all supported parameters except deny. For example, the following two calls are synonymous:
ObjectPermissions_Effective(Where:server1)
[ObjectPermissions:allow,inherited,explicit,direct,indirect](Where:server1)
Functions have the following limitations:
You have the option to run a search on the results of another search. It is a way to automate your established search practices, and it may provide a clearer and more convenient representation of your intentions.
This is similar to how the output of a command is redirected into another command as its input in PowerShell and Unix shell languages. Accordingly, search result redirection is provided by the familiar pipe (|) operator.
To indicate a field whose value should be carried over from the left query to the right through the pipe, enclose the field name in curly braces, as in {Where} or {EventID}.
Example:
"rd.itsearch"| What:Logon AND Who:"{SAMAccountName}" | Name="{Where}"
In this three-stage search, the initial results are refined twice. First, the query finds all users that are members of the rd.itsearch group. For these users, it finds the events whose Who field contains the users' SAM account names and whose What field contains Logon. From the resulting events, it picks only those that have any of the discovered computer names in the Where field.
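The quote-escaping rule and the pipe-stage syntax described above, as an added example that is not code from the product or its documentation: a small Python tokenizer that splits a query into stages, reads Field:value and [multi word]=value prefixes, negation, wildcards and quoted phrases with doubled quotes, and lists the {Field} names carried over between stages. The Token class and all function names are assumptions of this example, not part of IT Security Search.

```python
"""Tokenizer for the IT Security Search query syntax described above (added
example, not code from the product). Handles bare terms with trailing-*
wildcards and leading-hyphen negation, quoted phrases with "" escapes,
Field:value and Field=value prefixes (including [multi word] names),
parentheses, AND/OR, and pipe stages with {Field} values carried over."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Token:
    kind: str                      # "term", "phrase", "paren" or "op"
    text: str                      # term text, or phrase text with "" unescaped
    field: Optional[str] = None    # attribute name when a field prefix was present
    op: Optional[str] = None       # ":" (contains) or "=" (equals)
    negated: bool = False          # leading hyphen
    wildcard: bool = False         # trailing asterisk on a bare term


def escape_term(value: str) -> str:
    """Quote a literal for use as a search term, doubling every embedded quote."""
    return '"' + value.replace('"', '""') + '"'


def _read_phrase(q: str, i: int) -> Tuple[str, int]:
    """Read the quoted phrase starting at q[i] == '"'; a doubled quote is a literal."""
    i += 1
    out: List[str] = []
    while i < len(q):
        if q[i] == '"':
            if q[i + 1:i + 2] == '"':           # "" inside the phrase
                out.append('"')
                i += 2
                continue
            return "".join(out), i + 1          # closing quote
        out.append(q[i])
        i += 1
    raise ValueError("unterminated quoted phrase")


def _read_field(q: str, i: int) -> Optional[Tuple[str, str, int]]:
    """Read an attribute prefix such as Name: or [log name]= at q[i], if present."""
    if q[i:i + 1] == "[":
        end = q.find("]", i)
        if end != -1 and q[end + 1:end + 2] in (":", "="):
            return q[i + 1:end], q[end + 1], end + 2
        return None
    m = re.match(r"([A-Za-z_][\w.]*)([:=])", q[i:])
    return (m.group(1), m.group(2), i + m.end()) if m else None


def tokenize(stage: str) -> List[Token]:
    """Tokenize one pipe stage of a query."""
    tokens: List[Token] = []
    i = 0
    while i < len(stage):
        c = stage[i]
        if c.isspace() or c in "()":
            if not c.isspace():
                tokens.append(Token("paren", c))
            i += 1
            continue
        negated = c == "-"
        if negated:
            i += 1
        field = op = None
        prefix = _read_field(stage, i)
        if prefix:
            field, op, i = prefix
        if stage[i:i + 1] == '"':
            text, i = _read_phrase(stage, i)
            tokens.append(Token("phrase", text, field, op, negated))
            continue
        m = re.match(r'[^\s()"]+', stage[i:])
        if not m:
            raise ValueError(f"unexpected input at offset {i}: {stage[i:]!r}")
        word = m.group(0)
        i += m.end()
        if field is None and not negated and word.upper() in ("AND", "OR"):
            tokens.append(Token("op", word.upper()))
            continue
        tokens.append(Token("term", word.rstrip("*"), field, op, negated, word.endswith("*")))
    return tokens


def split_stages(query: str) -> List[str]:
    """Split a multi-stage search on the pipes that fall outside quoted phrases."""
    stages, current, in_quote = [], [], False
    for ch in query:
        if ch == '"':
            in_quote = not in_quote
        if ch == "|" and not in_quote:
            stages.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    stages.append("".join(current).strip())
    return stages


def carried_fields(stage: str) -> List[str]:
    """Names written as {Field}, whose values come from the previous stage's results."""
    return re.findall(r"\{([^}]+)\}", stage)
```

Feeding the three-stage query above through split_stages and tokenize shows that only the second and third stages carry values ({SAMAccountName} and {Where}) from the stage before them.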
If you specify the {Context.CurrentUser} variable in your query, it is automatically resolved to information that identifies the user who is running the query. The following information is extracted (where available): account name in domain\user format, SAM account name, display name and SID.
For example, if user Alan Smithee supplies a query containing Who="{Context.CurrentUser}", the resulting substituted information can be something like this:
Who=production\asmithee OR Who=ASmithee OR Who="Alan Smithee" OR Who="S-1-5-21-2591644-1571856274-80062049-1617"
If you want a particular identifying field instead of a set of fields, use the following accessors:
Examples:
NOTE: Resolution of this variable does not require that the Enterprise Reporter connector be enabled.
Recovery Manager for Active Directory provides data about users, groups, computers and organizational units, including those that have been deleted. Searching within that data should be approached in special ways.
One drawback is that full-text search does not work in Recovery Manager for Active Directory. Generally, it is recommended that you complement this data with results from Enterprise Reporter, if possible.
In all attributes that contain distinguished names, such as distinguishedName or manager, only the "equals" operator is used, meaning that the value must match exactly. For example, if the manager attribute of a user is "CN=David Shore,OU=Employees,DC=it,DC=example,DC=corp", then the following happens:
When Active Directory objects are deleted, they are really moved to the Deleted Objects container; some of their attributes are cleared and some are changed, including the name. These tips will help you compose queries that produce the expected results for deleted objects:
When you supply a search term without prefixing a field name, IT Security Search adds the field name for you, as follows:
Object Type | Field | Examples |
---|---|---|
User or group | aNR | "Alan Smithee" becomes aNR:"Alan Smithee"; "Alan Smithee*" becomes aNR:"Alan Smithee" (wildcards are not supported by Recovery Manager for Active Directory) |
Computer or OU | name | primrose.domain.local becomes name:primrose.domain.local; Directors* becomes name:Directors (wildcards are not supported by Recovery Manager for Active Directory) |
It is recommended that you specify the target fields explicitly and use the fields suggested in Searching for Deleted Objects above.
The following topics provide details about fields that you can use in search queries, organized by supported system:
The following are lists of fields that occur in Enterprise Reporter data, organized by type of returned object.
NOTE: The In UI column indicates if the field is available in the IT Security Search web UI as a clickable element. Whether or not you can click it in the UI, you can type any of these fields in your search queries.
Field Name | In UI | Example Value | Details |
---|---|---|---|
AccountFullName | No | MAIN\HOUDEVW04$ | SAMAccountDomain\SAMAccountName of the relevant computer account |
AccountSid | No | S-1-5-21-636461855- | Security identifier (SID) of the computer account |
ComputerName | Yes | achtung.main.mycompany.corp | Short or NetBIOS name for the computer |
Description | Yes | Serial , AOPEN_, AWRDACPI, 1002MHz, 1002MHz, 3072MB RAM | Description for the computer |
DistinguishedName | No | CN=HOUITW09, | Distinguished name for domain computer |
Domain | Yes | | Same as DomainName |
DomainName | No | main.mycompany.corp | Fully qualified domain name |
Groups | No | Pre-Windows 2000 Compatible Access;Cert Publishers | List of groups (in common name format) where the computer account is a member explicitly |
HasGroups | No | True | True if this computer account is a member of any group |
IsHidden | No | False | True if the server is visible to other computers in the same network; otherwise, false |
Location | Yes | US/Houston | Location of domain computer |
ManagedByDisplayName | No | Patricia Lum | The display name of account by which the domain computer is managed |
ManagedByType | No | Users | Type of account by which the domain computer is managed; Users or Groups |
Name | Yes | achtung | NetBIOS name of the computer |
NetBiosName | No | IRVWEBW05 | NetBIOS name for domain computer |
NumLogons | No | 291 | Number of times the domain computer was logged into |
OSName | No | Windows Server 2003 | Full name of the computer's operating system |
OSServicePack | No | Service Pack 1 | Service pack name for the computer's operating system |
OSVersion | No | 5.2 (3790) | Operating system version number for the computer |
OU_CanonicalName | No | main.mycompany.corp/Production Computers/US/Houston/R&D Test Computers | Canonical name for organizational unit |
OU_DistinguishedName | No | OU=Cary, | Distinguished name for organizational unit |
RelatedOU | No | | Same as OU_CanonicalName |
Scope | Yes | Active Directory | Active Directory or Workgroup |
Source | Yes | Enterprise Reporter | Enterprise Reporter (data source) |
State | Yes | Current | Current or Deleted |
Where | No | | Same as ComputerName, NetBiosName |
Who | No | | Same as ManagedByFullName, ManagedByDisplayName |
Field Name | In UI | Example Value | Details |
---|---|---|---|
Computer | Yes | | Same as ComputerName |
ComputerName | No | WST9240.main.mycompany.corp | Short or NetBIOS name for the computer |
DomainName | Yes | MAIN | NetBIOS name for domain |
Extension | Yes | .exe | Extension of the file |
File | Yes | TestConsol.exe | File or folder name |
FullAccountName | Yes | WST9240\Administrators | SAMAccountDomain\SAMAccountName of owner account |
OU_CanonicalName | Yes | main.mycompany.corp/Production Computers/US/Houston/R&D Test Computers | Canonical name for organizational unit (for domain users only) |
Owner | Yes | | Same as FullAccountName, OwnerSid |
Owner Domain | No | | Same as SAMOwnerDomain |
OwnerSid | No | S-1-5-32-544 | Security identifier (SID) of the owner account |
OwnerType | No | Groups | Owner account type: Users or Groups |
Path | Yes | D:\Images\59491\ | Full path of the folder or file; based on the collection options, the value could be in the format c:\folder or \\computer\shared\Folder |
Permission | No | | Same as PermissionsText |
PermissionsText | No | WST9240\Remote Desktop Users: Allow List folder/read data, Create files/Write data, Create folders/append data, Read extended attributes, Write extended attributes, Traverse folder/run file, Read attributes, Write attributes, Read permissions Inherite | Semicolon-delimited list of permissions, each in the form Account: access type [Allow\|Deny] inheritance [Inherited\|Explicit] |
RelatedOU | No | | Same as OU_CanonicalName |
SAMOwnerDomain | No | WST9240 | SAM account name of owner account's domain |
SAMOwnerName | No | Administrators | SAM account name of owner account |
Size | Yes | 31335914 | Size in bytes of the NTFS object |
Source | Yes | Enterprise Reporter | Enterprise Reporter (data source) |
Type | Yes | File | File or Folder; Folder if the NTFS object is a folder; otherwise, File |
What | No | | Same as PermissionsText |
Where | No | | Same as ComputerName |
Who | No | | Same as PermissionsText |
Field Name | In UI | Example Value | Details |
---|---|---|---|
AccountSid | No | S-1-5-21-636461855- | Security identifier (SID) of the account |
AdminDisplayName | No | Administrator | Admin display name for the domain group; name is displayed on admin screens |
CanonicalName | No | main.mycompany.corp/Groups/ | The name of the domain group in canonical format |
CommonName | No | Development Users | Common name for domain group |
Description | Yes | Owner: CLIVE_HERRY | Description of the group |
DisplayName | No | AA_Accounting | Display or common name for the group |
DistinguishedName | No | CN=MCDL.RD.CRDHub.APAC.AU,OU=RD, | Distinguished name for domain group or SAM account name for a local user (computer\username) |
Domain | Yes | | Same as DomainName |
DomainName | Yes | main.mycompany.corp | Fully qualified domain name for domain accounts or computer's NetBios Name for local |
(field name missing) | Yes | | Same as EmailAddress |
EmailAddress | No | BC5796F842DD49CD8F4@ | Email address for the group |
Friendly Name | Yes | | Same as FriendlyName |
FriendlyName | No | AA_Accounting (MAIN\FB430EAC2D2E4) | Friendly name for the group |
FullAccountName | No | MAIN\Office.AMER.US.Boston | domain\group; group is a SAM account name, domain is the SAM account name of a domain or NetBIOS name of a computer |
FullName | No | Development Users | Full name for domain group |
Groups | No | MCDL.PreSales.NAC.DatabasePerf; | Common or SAM account names of groups (semicolon-separated) that are explicitly members |
GroupScope | Yes | Universal | One of the following: |
GroupType | Yes | | Same as IsSecurityEnabled |
HasGroups | No | False | True if this group has members of type "group" |
HasUsers | No | True | True if this group has members of type "user" |
HomePage | No | http://homepage | Primary home page for domain group |
Info | No | Created as part of the ChangeBase Mail migration by Charles Arrot | Informational notes on the domain group |
IsSecurityEnabled | No | Security | Security or Distribution |
Managed By | No | | Same as ManagedByDisplayName, ManagedByFullName |
ManagedByDisplayName | No | Owen Range | Display name or Common name of account by which the domain group is managed |
ManagedByFullName | No | CN=Sarah Quash,OU=Employees, | Account (distinguished name) by which the domain group is managed |
ManagedByType | No | Users | Type of account by which the domain group is managed; Users or Groups |
Name | Yes | | Same as DisplayName |
Nested Groups | No | | Same as Groups |
Organizational Unit | Yes | | Same as OU_CanonicalName |
OU_CanonicalName | No | main.mycompany.corp/Groups/Sales | Canonical name for organizational unit |
OU_DistinguishedName | No | OU=Sales,OU=Groups,DC=main, | Distinguished name for organizational unit |
RelatedOU | No | | Same as OU_CanonicalName |
SAMAccountDomain | No | MAIN | SAM account name for the account's domain for domain's groups or NetBIOS name of the computer for computer's groups |
SAMAccountName | No | MCDL.RD.CRDHub.APAC.AU | SAM account name for the account |
SIDHistory | No | S-1-5-21-329068152- | List of previous security identifiers (SID) used if the domain group was moved from other domains |
Source | Yes | Enterprise Reporter | Enterprise Reporter (data source) |
State | Yes | Current | Current or Deleted |
Url | No | http://group | URL addresses of websites for the domain group |
Users | No | Zoe Ucchini;Peter Omelo | Common or SAM account names of users (semicolon-separated) that are explicitly members |
Where | No | | Same as DomainName |
Who | No | | Same as Users, UsersAccounts, ManagedByFullName, ManagedByDisplayName |
Field Name | In UI | Example Value | Details |
---|---|---|---|
AppliesTo | No | | Same as PermissionsText |
CanonicalName | Yes | main.mycompany.corp/Builtin | Canonical name for organizational unit |
ContainerType | No | Container | Type of container: Container or Organizational Unit |
Description | Yes | Default container for upgraded computer accounts | Description for organizational unit |
DistinguishedName | No | | Distinguished name for organizational unit |
Domain | Yes | | Same as DomainName |
DomainName | No | main.mycompany.corp | Fully qualified domain name |
HasPermissions | No | True | True or False; True if PermissionsText is not empty |
Managed By | Yes | | Same as ManagedByFullName, ManagedByDisplayName |
ManagedByDisplayName | No | MCDL.RD.ITSearch | Display or common name of management account |
ManagedByFullName | No | CN=MCDL.RD.ITSearch,OU=RD,OU=Groups, | The account (distinguished name) by which the organizational unit is managed |
ManagedByType | No | Groups | Management account type; Users or Groups |
Name | Yes | Computers | Common short name for organizational unit |
NumberOfComputers | No | 4 | Number of domain computers in organizational unit |
NumberOfContacts | No | 5 | Number of contacts in organizational unit |
NumberOfGroups | No | 3 | Number of domain groups in organizational unit |
NumberOfOtherObjects | No | 6 | Number of other domain objects in organizational unit |
NumberOfUsers | No | 2 | Number of domain users in organizational unit |
Permission | No | | Same as PermissionsText |
PermissionsText | No | NT AUTHORITY\SELF: Allow Read Property, Write Property for location [Descendant computer objects] Inherited;NT AUTHORITY\SELF: Allow Read Property, Write Property for defender-tokenData [Descendant defender-tokenLicenseClass objects] Inherited | Semicolon-separated list of permissions, each in the form Account: access type [Allow\|Deny] inheritance [Inherited\|Explicit] |
RelatedOU | No | | Same as CanonicalName |
Source | Yes | Enterprise Reporter | Enterprise Reporter (data source) |
State | Yes | Current | Current or Deleted |
What | No | | Same as PermissionsText |
Where | No | | Same as DomainName |
Who | No | | Same as ManagedByFullName, PermissionsText |
Field Name | In UI | Example Value | Details |
---|---|---|---|
Comment | Yes | Docs share | Comment for the share |
Computer | Yes | | Same as ComputerName |
ComputerName | No | WST9240.main.mycompany.corp | NetBIOS name of the computer |
FullOwnerName | No | WST9240\Administrators | SAMAccountDomain\SAMAccountName of owner account |
Local Path | Yes | | Same as SharePath |
Name | Yes | | Same as ShareName |
Owner | Yes | | Same as FullOwnerName |
OwnerDomain | No | WST9240 | SAM account name of owner account's domain |
OwnerName | No | Administrators | SAM account name of owner account |
OwnerType | No | Groups | Owner account type; Users or Groups |
PermissionsText | No | WST9240\Remote Desktop Users: Allow List folder/read data, Create files/Write data, Create folders/append data, Read extended attributes, Write extended attributes, Traverse folder/run file, Read attributes, Write attributes, Read permissions Inherite | Semicolon-delimited list of permissions, each in the form Account: access type [Allow\|Deny] inheritance [Inherited\|Explicit] |
RelatedOU | No | main.mycompany.corp/Production Computers/US/Houston/R&D Test Computers | Canonical name for organizational unit (for domain users only) |
ShareName | No | C$ | Name of the share |
SharePath | No | D:\Custom Utilites | Local path of share |
ShareType | No | Administrative Shared Folder | Type of resource being shared |
Source | Yes | Enterprise Reporter | Enterprise Reporter (data source) |
What | No | | Same as PermissionsText |
Where | No | | Same as ComputerName |
Who | No | | Same as PermissionsText |
Field Name | In UI | Example Value | Details |
---|---|---|---|
Account SID | Yes | | Same as AccountSid |
AccountIsDisabled | No | True | True if domain (computer) user account is disabled; otherwise, False |
AccountIsLocked | No | False | True if domain (local) user account is locked; otherwise, False |
AccountSid | No | S-1-5-21-636461855- | Security identifier (SID) of the account |
Assistant | No | CN=Pamela Ear, | The distinguished name of the domain user's administrative assistant |
CannotChangePassword | Yes | False | True if the local user cannot change the password; otherwise, false |
City | No | Shanghai | City of domain user account |
Company | Yes | My Company Inc. | Company of the user account |
Country | Yes | Canada | Country or region of the user account |
Department | Yes | R&D - Development | Name of the user's department |
Description | No | Build account for Archive Manager Offline Client | Description of the user |
DirectReports | No | CN=Philip Arsley, | List of domain users that directly report to the domain user |
DisplayName | No | Caroline Abbage | Display name or SAMAccount name for the user |
DistinguishedName | No | CN=Caroline Abbage, | Distinguished name for domain user or computer\user for local users |
Division | No | Reporting division | Division for domain user |
Domain | Yes | main.mycompany.corp | Fully qualified domain name for domain's users or NetBIOS name of the computer for computer's users |
(field name missing) | Yes | | Same as EmailAddress |
EmailAddress | No | Patricia.Lum@support.mycompany.com | Email address for the user |
EmployeeID | No | 69267 | Employee ID for domain user |
FaxNumber | No | 0123456789 | Facsimile number for domain user |
FirstName | No | Paul | Given name (first name) of domain user |
FullAccountName | No | MAIN\jcdenton | domain\user; user is a SAM account name, domain is the SAM account name of a domain or NetBIOS name of a computer |
Groups | No | WST8766VM1\Administrators; | List of groups. CommonName or Computer\groupName (explicit membership) |
HasDirectReports | No | True | True or False; True if DirectReports is not empty |
HasGroups | No | True | True if this user is member of any group |
HasPhoto | No | True | True if this user has a photo |
HomeDirSize | No | 0 | Size of the home directory for the domain user |
HomePhoneNumber | No | +7-123-4567890 | Phone number for the domain user |
HomePostalAddress | No | Main street | Mailing address for the domain user |
Info | No | Account used for Patchlink & Symantec scanning of domain systems | Informational notes on the domain user |
Initials | No | M | Initials for the domain user |
IpPhone | No | +44 1234 567890 x12345 | IP telephone number or address for the domain user |
LastName | No | Epper | Last name of domain user |
LogonHours | No | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | Hex-coded hours that the domain/local user is allowed to log on to the domain |
Logon Name | No | | Same as LogonName |
LogonName | No | SVC-Scanner@main.mycompany.corp | Logon name for the domain user |
ManagedBy | No | CN=Christina Hilli, | The account (distinguished name) by which the domain user is managed |
Manager | Yes | | Same as ManagedBy, ManagedByDisplayName |
MiddleName | No | N | Middle name for the domain user |
Mobile | Yes | +7-123-4567890 | Mobile number for the user |
Name | Yes | | Same as DisplayName |
NumLogons | No | 3910 | Number of times the domain/local user has successfully logged on |
Office | Yes | Castlegar | Office location for the user |
Organizational Unit | Yes | | Same as OU_CanonicalName |
OtherIpPhone | No | Conference 84030 | List of alternate TCP/IP addresses for the phone for the domain user (Telephony) |
OtherMailbox | No | other_mailbox@hotmail.com | Additional email addresses for the domain user |
OtherMobile | No | +55 11 12345 6789 | List of alternate mobile phone numbers for the domain user |
OtherTelephone | No | +1 123 456 7890 | List of alternate telephone numbers for the domain user |
OU_CanonicalName | No | main.mycompany.corp/IS/SVC-Accounts/MailboxEnabled | Canonical name for organizational unit (for domain users only) |
OU_DistinguishedName | No | OU=Enabled SVC-Accounts, | Distinguished name for organizational unit (for domain users only) |
PasswordIsexpired | No | True | True if domain user's password is expired; otherwise, false |
PasswordNeverExpires | No | True | True if the domain/local user's password never expires; otherwise, false |
PersonalTitle | No | Mr. | Personal title for the domain user |
PostalCode | No | 411016 | Postal or zip code for the domain user |
RelatedOU | No | | Same as OU_CanonicalName |
SAM Account Domain | Yes | | Same as SAMAccountDomain |
SAM Account Name | Yes | | Same as SAMAccountName |
SAMAccountDomain | No | MAIN | SAM account name for the account's domain for domain's users or NetBIOS name of the computer for computer's users |
SAMAccountName | No | jcdenton | SAM account name for the account |
Scope | Yes | Active Directory | Active Directory or Computer |
Source | Yes | Enterprise Reporter | Enterprise Reporter (data source) |
State | Yes | Current | Current or Deleted |
StateOrProvince | No | AZ | State or province for the domain user |
StreetAddress | No | 1042 Bluesky Blvd., Bldg. 1 Flagstaff AZ | Street address for the domain user |
TelephoneNumber | No | +1 123 456 7890 x45678 | Telephone number for the domain user |
Title | Yes | Software Developer 3 | Title for the user |
UserPrivilegeLevel | No | Normal | Flag for user privilege level: Normal or Unknown |
UserWorkstations | No | ALVMISW02,ALVSANW01,ALVPATW01,ALVPATW02 | NetBIOS or DNS names of the computers running Windows NT Workstation or Windows 2000 Professional to which the domain user can log on |
Where | No | | Same as DomainName |
Who | No | | Same as SAMAccountName, DisplayName, AccountSid, DistinguishedName |
In addition to the object types listed above, Enterprise Reporter can provide field data for various other objects. To see the kinds of objects available in your environment, click the More tab in the search result grid. For a list of supported fields of a particular object type, see the details of such an object.
The following are lists of fields that occur in InTrust events, organized by type of returned object.
NOTE: The In UI column indicates if the field is available in the IT Security Search web UI as a clickable element. Whether or not you can click it in the UI, you can type any of these fields in your search queries.
Field Name | In UI | Example Value | Details |
---|---|---|---|
Category | No | Sensitive Privilege Use | Event category |
Computer | No | Y1202.seldom.mycompany | Computer where the event occurred |
ComputerType | No | 69635 | Mask for computer type |
DataSourceType | No | {A9E5C7A2-5C01-41B7-9D36-E562DFDDEFA9} | GUID of InTrust data source type |
Description | No | An operation was attempted on a privileged object. | Event description |
Environment | No | 9E442BEE-EAC2-4D79-9013-053FB225CFD0 | Environment GUID |
EventID | No | 4674 | Event ID |
Type | No | 16 | Numeric event type ID |
SourceComputer | No | Y1202 | Name of gathering computer |
SourceDomain | No | SELDOM | Name of gathering computer's domain |
Log | No | Security | Log name |
PlatformID | No | 500 | Platform ID (500 means Windows) |
Source | No | Security | Event source |
UserDomain | No | WST9983 | Domain of the user that initiated this event |
UserName | No | Administrator | Name of the user that initiated this event |
VersionMajor | No | 6 | OS version major |
VersionMinor | No | 2 | OS version minor |
InsertionString* | Yes | NT AUTHORITY | InsertionString1, InsertionString2 etc. |
Workstation | No | WST9983 | Computer where the operation was initiated |
Where_From | No | WST9983 | Same as Workstation |
WhoDomain | No | SALES | Same as UserDomain |
Who | No | Administrator | Same as UserName |
Object_DN | No | CN=HealthMailbox, | DN of the object that was changed/deleted/created |
Object_ID | Yes | DE442BEE-EAC2-4D79-9013-053FB225CFD0 | ID of the object that was changed/deleted/created |
WhomId | No | CN=Admin, | Object_DN of the object that was changed/deleted/created, if available; otherwise Object_ID of the object |
Whom_ObjectClass | No | user | Class of the object that was changed/deleted/created |
ComputerName | No | COMP1 | Same as Computer |
What | No | NTLM Authentication | Event literal |
Log name | No | Security | Same as Log |
SourceName | No | Security | Same as Source |
RelatedOU | No | sales.mycompany.corp/Production Computers | By Enterprise Reporter: OU associated with the computer |
Whom_ObjectClass | No | user | By Enterprise Reporter: Object class of Whom |