Search Term Syntax
Use the following syntax for search terms in the search box. Searches are case-insensitive.
|
|
Notes:
|
For details about the fields that you can use in your search queries, see Data Field Reference.
Single-Word Terms
This is known as full-text search. The search involves all available fields and uses the Contains operator.
| Meaning | Syntax | Details |
|---|---|---|
| Look for a single-word term in any attribute | Word without spaces Example: john |
john matches John or john in any attribute, but does not match stjohn in any attribute |
| Look for a single-word term with the specified beginning in any attribute | Word ending in an asterisk (*) without spaces Example: john* |
john* matches John or Johnson in any attribute |
| Find attributes where a specific single-word term is not contained in any attributes | Word without spaces with a leading hyphen Example: -john |
-john may match entries that contain stjohn, but does not match entries that contain john in any attribute |
| Find entries where a specific single-word term with the specified beginning is not contained in any attributes | Word ending in an asterisk (*) without spaces with a leading hyphen Example: -john* |
-john* may match entries that contain stjohn, but does not match entries that contain john or johnson in any attribute |
Term Combinations
| Meaning | Syntax | Details |
|---|---|---|
| Look for entries with specific single-word terms in any attributes | Words separated by spaces Example: john glen* |
john glen* matches john and glen, or john and glenda, or john and glen and glenda, wherever they are found |
| Look for entries that do not contain specific single-word terms in any attribute | Word without spaces Examples:
|
|
| Look for entries with a specific multiple-word phrase in any attribute | Phrase in quotation marks Example: "Account Logon" |
"Account Logon" matches entries that contain the exact phrase Account Logon in any attribute |
| Look for entries that do not contain a specific multiple-word phrase in any attribute | Phrase in quotation marks Example: logon server01 -"Account Logon" |
logon server01 -"Account Logon" matches entries that contain the words Logon and server01 anywhere but do not contain the exact phrase Account Logon in any attribute |
| Meet one of the specified terms (or sets of terms) | Terms (single words or phrases) separated by the OR operator; this operator has the following specifics:
Examples:
|
|
| Explicitly mark an AND operation for visual clarity | Terms (single words or phrases) separated by the AND operator; this operator has the following specifics:
Examples:
|
paul AND john and paul john are identical in meaning: look for entries where both paul and john occur. |
| Group and nest terms for logical operations on them | Parentheses enclosing the terms you want to group Example: (homer marge) OR (peter lois) |
(homer marge) OR (peter lois) matches either entries with both homer and marge, or entries with both peter and lois. It does not match entries with both peter and homer that do not contain lois or marge. |
Searching in Specific Attributes
To apply your search term only to a particular attribute, prepend the name of the attribute with a colon (:) or equals sign (=) to your search term, as shown in the table below. If the attribute name is made up of multiple words, enclose it in brackets (as in [log name]:security). All the syntax conventions described above also apply.
The following distinction is important:
- Labels unambiguously mapped to entry attributes; for example, Path:"Documents and Settings" in file access entries
In this case, the search involves the specified field and uses the Contains operator. - Labels mapped to different attributes in different contexts (known as normalized attributes); for example, Where:primrose would mean the primrose domain for users or groups, the primrose computer for files or shares, and so on
In this case, the search involves the associated fields as necessary and may even modify the search terms.
For details about the meanings of labels in particular contexts, see Normalized Attributes below.
|
|
Note: When you look for permission information, you can use the Who, What and Owner attributes as follows:
|
| Meaning | Syntax | Details |
|---|---|---|
| Attribute contains term | Examples:
|
|
| Attribute does not contain term | Examples:
|
|
| Attribute equals term | Examples:
|
|
| Attribute does not equal term | Examples:
|
|
Specifying Quotation Marks
If your search term must include double quotes ("), then for each double quote you need supply an additional double quote as an escape character. See the following examples:
|
To find this string |
Specify this term |
|---|---|
|
the "Cancel" button |
"the ""Cancel"" button" |
|
computer "kltest16" |
"computer ""kltest16""" |
This requirement does not apply to apostrophes, which are frequently used as quotes. Single quotes of this kind do not need escaping and should be specified in a plain string, as in "local 'Administrator' user".
Filter Syntax
Select one of the operators (explained in the following table), and enter your filter terms.
|
Operator |
Syntax |
Example |
Meaning |
|---|---|---|---|
|
Contains |
[FieldName]:<Value> |
Name:Paul |
The attribute contains all of the specified terms at once in any combination |
|
Does not contain |
-[FieldName]:<Value> |
-Name:John |
The attribute contains none of the specified terms anywhere |
|
Equals |
[FieldName]=<Value> |
Name="John Paul" |
The attribute contents are identical to the specified phrase; do not enclose the phrase in quotation marks for this operator |
|
Does not equal |
-[FieldName]=<Value> |
-SamAccountName=jpaul |
The attribute contents are not identical to the specified phrase; do not enclose the phrase in quotation marks for this operator |
The following search syntax rules described above also apply to filter terms:
- Terms are case-insensitive.
- The term can be a single word, multiple words, or a phrase in quotation marks.
- In single-word terms, a trailing asterisk is treated as a wildcard character.
- In exact phrases, an asterisk is treated as a regular character.
|
|
Note: Asterisk wildcards in an initial position are currently not supported for events provided by InTrust and Recovery Manager for Active Directory. This limitation does not apply to data provided by Change Auditor and Enterprise Reporter. |
Normalized Attributes
The following table shows what attributes are involved in searches that use the Who, What and Where labels. Active Directory attributes are bolded. Information about events is not included, because Who, What and Where are mapped directly to the same-name fields in InTrust and Change Auditor events.
|
Label → Context ↓ |
Who | What | Where |
|---|---|---|---|
|
Users |
SAMAccountName DisplayName AccountSid DistinguishedName LogonName |
N/A |
DomainName |
|
Groups |
User information User account information ManagedByFullName ManagedByDisplayName |
N/A |
DomainName |
|
Computers |
ManagedByFullName ManagedByDisplayName |
N/A |
ComputerName NetBiosName |
|
Shares |
User information |
N/A |
ComputerName |
|
Files |
Permission information |
Permission information |
ComputerName |
Using Functions in Queries
Functions are a way to transform the results of a query to other objects inside a larger query. IT Security Search functions take a query as their single argument and return a collection of objects. Function names are case-insensitive.
Group Membership Resolution Functions
|
Function |
Details |
Examples |
|---|---|---|
|
Members |
Returns the direct members of all groups that the argument query returned. |
Members([Managed By]:"marty stu") |
|
Members_Deep |
Returns both direct and indirect members of all groups that the argument query returned. |
Members_Deep(name="DL.IT") |
|
MemberOf |
Returns all groups that directly contain the accounts returned by the argument query. |
MemberOf(FullName="DL.Accounting") |
|
MemberOf_Deep |
Returns all groups that directly or indirectly contain the accounts returned by the argument query. |
MemberOf_Deep(Name="DL.Facilities") |
If the argument query returns objects that a function cannot be applied to, the function skips these objects. For example, the Members function doesn't do anything about user account objects.
Example
Suppose you want to get events from all computers where user martystu is an administrator. Use the following query:
MemberOf_Deep(Who=martystu) AccountSID="S-1-5-32-544" | Where="{DomainName}" Who=martystu
This query takes advantage of the well-known SID of the built-in Administrators group. First it finds all aliases of this user account, then it gets all local Administrators groups where those accounts are members, no matter whether direct or indirect (membership information is discovered by Enterprise Reporter). Then the query pipes the results through a sub-query to find all events by these users on computers where they are administrators. For details about search-in-search capabilities, see Making Multi-Stage Searches.
Permission Resolution Functions
These functions support a syntax extension that lets you fine-tune their behavior by specifying attributes. A function call with attributes looks like this:
[FunctionName:attribute1,attribute2,…, attributeN](<search query>)
For example, to list objects that are explicitly denied access to a specific file, use the ObjectPermissions function as follows:
[ObjectPermissions:deny,explicit](“c:\sensitive\off_limits.txt”)
By default, it is assumed that you request data about all "allow" permissions.
|
Function |
Supported |
Details |
Examples |
|---|---|---|---|
|
ObjectPermissions |
allow |
Returns users and groups that have direct (explicitly assigned and inherited) permissions on the discovered file, folder or network share. |
|
|
ObjectPermissions_Effective |
allow |
Returns users and groups that have direct (explicitly assigned and inherited) and indirect (obtained through group membership) permissions on the discovered file, folder or network share. |
|
|
AccountPermissions |
allow |
Returns files, folders and network shares where the specified user or group is directly granted permissions. |
|
|
AccountPermissions_Effective |
allow |
Returns files, folders and network shares where the specified user or group is directly or indirectly granted permissions. |
|
Calling the default parameter-free variants of these functions is equivalent to calling them with all supported parameters except deny. For example, the following two calls are synonymous:
ObjectPermissions_Effective(Where:server1)
[ObjectPermissions:allow,inherited,explicit,direct,indirect](Where:server1)
Function Limitations
Functions have the following limitations:
- Multi-stage searches cannot be function arguments. Incorrect: Members(ManagedBy:"mary sue" | name="{FullName}")
- Functions are not supported in operator scope queries described in Who Can Do What in IT Security Search.
- AND-based conjunction of function calls is disallowed. Incorrect: Members(name="group1") AND Members(name="group2")
- Negation of function calls is disallowed. Incorrect: -MemberOf(name="group3")
- A function cannot have a function call as an argument.
- The functions work only on Enterprise Reporter data. For all other data, they return nothing.
Making Multi-Stage Searches
You have the option to run a search on the results of another search. It is a way to automate your established search practices, and it may provide a clearer and more convenient representation of your intentions.
This is similar to how the output of a command is redirected into another command as its input in PowerShell and Unix shell languages. Accordingly, search result redirection is provided by the familiar pipe (|) operator.
To indicate a field whose value should be carried over from the left query to the right through the pipe, enclose the field name in curly braces, as in {Where} or {EventID}.
Example:
"rd.itsearch"| What:Logon AND Who:"{SAMAccountName}" | Name="{Where}"
In this three-stage search, the initial results are refined twice. First, it finds all users that are members of the rd.itsearch group. For these users, it finds such events that the users' SAM account names are in the Who field, and the What field contains "Logon". From the resulting events, pick only those that have any of the discovered computer names in the Where field.
Auto-Resolution of the Current User
If you specify the {Context.CurrentUser} variable in your query, it is automatically resolved to information that identifies the user who is running the query. The following information is extracted (where available): account name in domain\user format, SAM account name, display name and SID.
For example, if user Alan Smithee supplies a query containing Who="{Context.CurrentUser}", the resulting substituted information can be something like this:
Who=production\asmithee OR Who=ASmithee OR Who="Alan Smithee" OR Who="S-1-5-21-2591644-1571856274-80062049-1617"
If you want a particular identifying field instead of a set of fields, use the following accessors:
- {Context.CurrentUser.FullAccountName}
- {Context.CurrentUser.SamAccountName}
- {Context.CurrentUser.DisplayName}
- {Context.CurrentUser.AccountSid}
Examples:
- Description:"Computer of {Context.CurrentUser.DisplayName}" becomes Description:"Computer of Alan Smithee"
- onpremisessecurityidentifier="{Context.CurrentUser.AccountSid}" becomes onpremisessecurityidentifier="S-1-5-21-2591644-1571856274-80062049-1617"
|
NOTE: Resolution of this variable does not require that the Enterprise Reporter connector be enabled. |
Specifics of Recovery Manager for Active Directory Data
Recovery Manager for Active Directory provides data about users, groups, computers and organizational units, including those that have been deleted. Searching within that data should be approached in special ways.
One drawback is that full-text search does not work in Recovery Manager for Active Directory. Generally, it is recommended that you complement this data with results from Enterprise Reporter, if possible.
Searching by Distinguished Name
In all attributes that contain distinguished names, such as distinguishedName or manager, only the "equals" operator is used, meaning that the value must match exactly. For example, if the manager attribute of a user is "CN=David Shore,OU=Employees,DC=it,DC=example,DC=corp", then the following happens:
- These queries match the user:
Manager:"CN=David Shore,OU=Employees,DC=it,DC=example,DC=corp"
Manager="CN=David Shore,OU=Employees,DC=it,DC=example,DC=corp" - These queries do not match the user:
Manager:"CN=David Shore"
Manager="CN=David Shore"
Searching for Deleted Objects
When Active Directory objects are deleted, they are really moved to the Deleted Objects container; some of their attributes are cleared and some are changed, including the name. These tips will help you compose queries that produce the expected results for deleted objects:
- The name attribute undergoes the following change: <object_name> becomes <object_name>\0ADEL<object_GUID>. If you are aware of this pattern, you can look for deleted objects specifically.
- The samAccountName attribute remains unchanged in deleted users, computers and groups.
- In computers, the dnsHostName attribute also remains unchanged.
Searching Without Specifying Fields
When you supply a search term without prefixing a field name, IT Security Search adds the field name for you, as follows:
|
Object Type |
Field |
Examples |
|---|---|---|
|
User or group |
aNR |
"Alan Smithee" becomes aNR:"Alan Smithee" "Alan Smithee*" becomes aNR:"Alan Smithee" (wildcards are not supported by Recovery Manager for Active Directory) |
|
Computer or OU |
name |
primrose.domain.local becomes name:primrose.domain.local Directors* becomes name:Directors (wildcards are not supported by Recovery Manager for Active Directory) |
It is recommended that you specify the target fields explicitly and use the fields suggested in Searching for Deleted Objects above.
Data Field Reference
The following topics provide details about fields that you can use in search queries, organized by supported system:
- Enterprise Reporter Data Fields
- InTrust Data Fields
- Change Auditor for Active Directory Data Fields
- Active Roles Data Fields
- Recovery Manager for Active Directory Data Fields
Enterprise Reporter Data Fields
The following are lists of fields that occur in Enterprise Reporter data, organized by type of returned object.
|
NOTE: The In UI column indicates if the field is available in the IT Security Search web UI as a clickable element. Whether or not you can click it in the UI, you can type any of these fields in your search queries. |
Computers
|
Field Name |
In UI |
Example Value |
Details |
|---|---|---|---|
|
AccountFullName |
No |
MAIN\HOUDEVW04$ |
SAMAccountDomain\SAMAccountName of the relevant computer account |
|
AccountSid |
No |
S-1-5-21-636461855- |
Security identifier (SID) of the computer account |
|
ComputerName |
Yes |
achtung.main.mycompany.corp |
Short or NetBIOS name for the computer |
|
Description |
Yes |
Serial , AOPEN_, AWRDACPI, 1002MHz, 1002MHz, 3072MB RAM |
Description for the computer |
|
DistinguishedName |
No |
CN=HOUITW09, |
Distinguished name for domain computer |
|
Domain |
Yes |
|
Same as DomainName |
|
DomainName |
No |
main.mycompany.corp |
Fully qualified domain name |
|
Groups |
No |
Pre-Windows 2000 Compatible Access;Cert Publishers |
List of groups (in common name format) where the computer account is a member explicitly |
|
HasGroups |
No |
True |
True if this computer account is a member of any group |
|
IsHidden |
No |
False |
True if the server is visible to other computers in the same network; otherwise, false |
|
Location |
Yes |
US/Houston |
Location of domain computer |
|
ManagedByDisplayName |
No |
Patricia Lum |
The display name of account by which the domain computer is managed |
|
ManagedByType |
No |
Users |
Type of account by which the domain computer is managed; Users or Groups |
|
Name |
Yes |
achtung |
NetBIOS name of the computer |
|
NetBiosName |
No |
IRVWEBW05 |
NetBIOS name for domain computer |
|
NumLogons |
No |
291 |
Number of times the domain computer was logged into |
|
OSName |
No |
Windows Server 2003 |
Full name of the computer's operating system |
|
OSServicePack |
No |
Service Pack 1 |
Service pack name for the computer's operating system |
|
OSVersion |
No |
5.2 (3790) |
Operating system version number for the computer |
|
OU_CanonicalName |
No |
main.mycompany.corp/Production Computers/US/Houston/R&D Test Computers |
Canonical name for organizational unit |
|
OU_DistinguishedName |
No |
OU=Cary, |
Distinguished name for organizational unit |
|
RelatedOU |
No |
|
Same as OU_CanonicalName |
|
Scope |
Yes |
Active Directory |
Active Directory or Workgroup |
|
Source |
Yes |
Enterprise Reporter |
Enterprise Reporter (data source) |
|
State |
Yes |
Current |
Current or Deleted |
|
Where |
No |
|
Same as ComputerName, NetBiosName |
|
Who |
No |
|
Same as ManagedByFullName, ManagedByDisplayName |
Files
|
Field Name |
In UI |
Example Value |
Details |
|---|---|---|---|
|
Computer |
Yes |
|
Same as ComputerName |
|
ComputerName |
No |
WST9240.main.mycompany.corp |
Short or NetBIOS name for the computer |
|
DomainName |
Yes |
MAIN |
NetBIOS name for domain |
|
Extension |
Yes |
.exe |
Extension of the file |
|
File |
Yes |
TestConsol.exe |
File or folder name |
|
FullAccountName |
Yes |
WST9240\Administrators |
SAMAccountDomain\SAMAccountName of owner account |
|
OU_CanonicalName |
Yes |
main.mycompany.corp/Production Computers/US/Houston/R&D Test Computers |
Canonical name for organizational unit (for domain users only) |
|
Owner |
Yes |
|
Same as FullAccountName, OwnerSid |
|
Owner Domain |
No |
|
Same as SAMOwnerDomain |
|
OwnerSid |
No |
S-1-5-32-544 |
Security identifier (SID) of the owner account |
|
OwnerType |
No |
Groups |
Owner account type: Users or Groups |
|
Path |
Yes |
D:\Images\59491\ |
Full path of the folder or file; based on the collection options, the value could be in the format c:\folder or \\computer\shared\Folder |
|
Permission |
No |
|
Same as PermissionsText |
|
PermissionsText |
No |
WST9240\Remote Desktop Users: Allow List folder/read data, Create files/Write data, Create folders/append data, Read extended attributes, Write extended attributes, Traverse folder/run file, Read attributes, Write attributes, Read permissions Inherite |
Semicolon-delimited list of permission/ Account: access_ type [Allow|Deny] inheritance[Inherited|Explicit] |
|
RelatedOU |
No |
|
Same as OU_CanonicalName |
|
SAMOwnerDomain |
No |
WST9240 |
SAM account name of owner account's domain |
|
SAMOwnerName |
No |
Administrators |
SAM account name of owner account |
|
Size |
Yes |
31335914 |
Size in bytes of the NTFS object |
|
Source |
Yes |
Enterprise Reporter |
Enterprise Reporter (data source) |
|
Type |
Yes |
File |
File or Folder; Folder if the NTFS object is a folder; otherwise, File |
|
What |
No |
|
Same as PermissionsText |
|
Where |
No |
|
Same as ComputerName |
|
Who |
No |
|
Same as PermissionsText |
Groups
|
Field Name |
In UI |
Example Value |
Details |
|---|---|---|---|
|
AccountSid |
No |
S-1-5-21-636461855- |
Security identifier (SID) of the account |
|
AdminDisplayName |
No |
Administrator |
Admin display name for the domain group; name is displayed on admin screens |
|
CanonicalName |
No |
main.mycompany.corp/Groups/ |
The name of the domain group in canonical format |
|
CommonName |
No |
Development Users |
Common name for domain group |
|
Description |
Yes |
Owner: CLIVE_HERRY |
Description of the group |
|
DisplayName |
No |
AA_Accounting |
Display or common name for the group |
|
DistinguishedName |
No |
CN=MCDL.RD.CRDHub.APAC.AU,OU=RD, |
Distinguished name for domain group or SAM account name for a local user (computer\username) |
|
Domain |
Yes |
|
Same as DomainName |
|
DomainName |
Yes |
main.mycompany.corp |
Fully qualified domain name for domain accounts or computer's NetBios Name for local |
|
|
Yes |
|
Same as EmailAddress |
|
EmailAddress |
No |
BC5796F842DD49CD8F4@ |
Email address for the group |
|
Friendly Name |
Yes |
|
Same as FriendlyName |
|
FriendlyName |
No |
AA_Accounting (MAIN\FB430EAC2D2E4) |
Friendly name for the group |
|
FullAccountName |
No |
MAIN\Office.AMER.US.Boston |
domain\group; group is a SAM account name, domain is the SAM account name of a domain or NetBIOS name of a computer |
|
FullName |
No |
Development Users |
Full name for domain group |
|
Groups |
No |
MCDL.PreSales.NAC.DatabasePerf; |
Common or SAM account names of groups (semicolon-separated) that are explicitly members |
|
GroupScope |
Yes |
Universal |
One of the following:
|
|
GroupType |
Yes |
|
Same as IsSecurityEnabled |
|
HasGroups |
No |
False |
True if this group has members of type "group" |
|
HasUsers |
No |
True |
True if this group has members of type "user" |
|
HomePage |
No |
http://homepage |
Primary home page for domain group |
|
Info |
No |
Created as part of the ChangeBase Mail migration by Charles Arrot |
Informational notes on the domain group |
|
IsSecurityEnabled |
No |
Security |
Security or Distribution |
|
Managed By |
No |
|
Same as ManagedByDisplayName, ManagedByFullName |
|
ManagedByDisplayName |
No |
Owen Range |
Display name or Common name of account by which the domain group is managed |
|
ManagedByFullName |
No |
CN=Sarah Quash,OU=Employees, |
Account (distinguished name) by which the domain group is managed |
|
ManagedByType |
No |
Users |
Type of account by which the domain group is managed; Users or Groups |
|
Name |
Yes |
|
Same as DisplayName |
|
Nested Groups |
No |
|
Same as Groups |
|
Organizational Unit |
Yes |
|
Same as OU_CanonicalName |
|
OU_CanonicalName |
No |
main.mycompany.corp/Groups/Sales |
Canonical name for organizational unit |
|
OU_DistinguishedName |
No |
OU=Sales,OU=Groups,DC=main, |
Distinguished name for organizational unit |
|
RelatedOU |
No |
|
Same as OU_CanonicalName |
|
SAMAccountDomain |
No |
MAIN |
SAM account name for the account's domain for domain's groups or NetBIOS name of the computer for computer's groups |
|
SAMAccountName |
No |
MCDL.RD.CRDHub.APAC.AU |
SAM account name for the account |
|
SIDHistory |
No |
S-1-5-21-329068152- |
List of previous security identifiers (SID) used if the domain group was moved from other domains |
|
Source |
Yes |
Enterprise Reporter |
Enterprise Reporter (data source) |
|
State |
Yes |
Current |
Current or Deleted |
|
Url |
No |
http://group |
URL addresses of websites for the domain group |
|
Users |
No |
Zoe Ucchini;Peter Omelo |
Common or SAM account names of users (semicolon-separated) that are explicitly members |
|
Where |
No |
|
Same as DomainName |
|
Who |
No |
|
Same as Users, UsersAccounts, ManagedByFullName, ManagedByDisplayName |
OUs
|
Field Name |
In UI |
Example Value |
Details |
|---|---|---|---|
|
AppliesTo |
No |
|
Same as PermissionsText |
|
CanonicalName |
Yes |
main.mycompany.corp/Builtin |
Canonical name for organizational unit |
|
ContainerType |
No |
Container |
Type of container: Container or Organizational Unit |
|
Description |
Yes |
Default container for upgraded computer accounts |
|
|
DistinguishedName |
No |
Description for organizational unit |
Distinguished name for organizational unit |
|
Domain |
Yes |
|
Same as DomainName |
|
DomainName |
No |
main.mycompany.corp |
Fully qualified domain name |
|
HasPermissions |
No |
True |
True or False; True if PermissionsText is not empty |
|
Managed By |
Yes |
|
Same as ManagedByFullName,ManagedByDisplayName |
|
ManagedByDisplayName |
No |
MCDL.RD.ITSearch |
Display or common name of management account |
|
ManagedByFullName |
No |
CN=MCDL.RD.ITSearch,OU=RD,OU=Groups, |
The account (distinguished name) by which the organizational unit is managed |
|
ManagedByType |
No |
Groups |
Management account type; Users or Groups |
|
Name |
Yes |
Computers |
Common short name for organizational unit |
|
NumberOfComputers |
No |
4 |
Number of domain computers in organizational unit |
|
NumberOfContacts |
No |
5 |
Number of contacts in organizational unit |
|
NumberOfGroups |
No |
3 |
Number of domain groups in organizational unit |
|
NumberOfOtherObjects |
No |
6 |
Number of other domain objects in organizational unit |
|
NumberOfUsers |
No |
2 |
|
|
Permission |
No |
|
Same as PermissionsText |
|
PermissionsText |
No |
NT AUTHORITY\SELF: Allow Read Property, Write Property for location [Descendant computer objects] Inherited;NT AUTHORITY\SELF: Allow Read Property, Write Property for defender-tokenData [Descendant defender-tokenLicenseClass objects] Inherited |
Semicolon-separated list of permission/ account: access_ type [Allow|Deny] inheritance[Inherited|Explicit] |
|
RelatedOU |
No |
|
Same as CanonicalName |
|
Source |
Yes |
Enterprise Reporter |
Enterprise Reporter (data source) |
|
State |
Yes |
Current |
Current or Deleted |
|
What |
No |
|
Same as PermissionsText |
|
Where |
No |
|
Same as DomainName |
|
Who |
No |
|
Same as ManagedByFullName,PermissionsText |
Shares
|
Field Name |
In UI |
Example Value |
Details |
|---|---|---|---|
|
Comment |
Yes |
Docs share |
Comment for the share |
|
Computer |
Yes |
|
Same as ComputerName |
|
ComputerName |
No |
WST9240.main.mycompany.corp |
NetBIOS name of the computer |
|
FullOwnerName |
No |
WST9240\Administrators |
SAMAccountDomain\SAMAccountName of owner account |
|
Local Path |
Yes |
|
Same as SharePath |
|
Name |
Yes |
|
Same as ShareName |
|
Owner |
Yes |
|
Same as FullOwnerName |
|
OwnerDomain |
No |
WST9240 |
SAM account name of owner account's domain |
|
OwnerName |
No |
Administrators |
SAM account name of owner account |
|
OwnerType |
No |
Groups |
Owner account type; Users or Groups |
|
PermissionsText |
No |
WST9240\Remote Desktop Users: Allow List folder/read data, Create files/Write data, Create folders/append data, Read extended attributes, Write extended attributes, Traverse folder/run file, Read attributes, Write attributes, Read permissions Inherite |
Semicolon-delimited list of permission/ Account: access type [Allow|Deny] Inheritance[Inherited|Explicit] |
|
RelatedOU |
No |
main.mycompany.corp/Production Computers/US/Houston/R&D Test Computers |
Canonical name for organizational unit (for domain users only) |
|
ShareName |
No |
C$ |
Name of the share |
|
SharePath |
No |
D:\Custom Utilites |
Local path of share |
|
ShareType |
No |
Administrative Shared Folder |
Type of resource being shared |
|
Source |
Yes |
Enterprise Reporter |
Enterprise Reporter (data source) |
|
What |
No |
|
Same as PermissionsText |
|
Where |
No |
|
Same as ComputerName |
|
Who |
No |
|
Same as PermissionsText |
Users
|
Field Name |
In UI |
Example Value |
Details |
|---|---|---|---|
|
Account SID |
Yes |
|
Same as AccountSid |
|
AccountIsDisabled |
No |
True |
True if domain(computer) user account is disabled; otherwise, False |
|
AccountIsLocked |
No |
False |
True if domain(local) user account is locked; otherwise, False |
|
AccountSid |
No |
S-1-5-21-636461855- |
Security identifier (SID) of the account |
|
Assistant |
No |
CN=Pamela Ear, |
The distinguished name of the domain user's administrative assistant |
|
CannotChangePassword |
Yes |
False |
True if the local user cannot change the password; otherwise, false |
|
City |
No |
Shanghai |
City of domain user account |
|
Company |
Yes |
My Company Inc. |
Company of the user account |
|
Country |
Yes |
Canada |
Country or region of the user account |
|
Department |
Yes |
R&D - Development |
Name of the user's department |
|
Description |
No |
Build account for Archive Manager Offline Client |
Description of the user |
|
DirectReports |
No |
CN=Philip Arsley, |
List of domain users that directly report to the domain user |
|
DisplayName |
No |
Caroline Abbage |
Display name or SAMAccount name for the user |
|
DistinguishedName |
No |
CN=Caroline Abbage, |
Distinguished name for domain user or computer\user for local users |
|
Division |
No |
Reporting division |
Division for domain user |
|
Domain |
Yes |
main.mycompany.corp |
Fully qualified domain name for domain's users or NetBIOS name of the computer for computer's users |
|
|
Yes |
|
Same as EmailAddress |
|
EmailAddress |
No |
Patricia.Lum@support.mycompany.com |
Email address for the user |
|
EmployeeID |
No |
69267 |
Employee ID for domain user |
|
FaxNumber |
No |
0123456789 |
Facsimile number for domain user |
|
FirstName |
No |
Paul |
Given name (first name) of domain user |
|
FullAccountName |
No |
MAIN\jcdenton |
domain\user; user is a SAM account name, domain is the SAM account name of a domain or NetBIOS name of a computer |
|
Groups |
No |
WST8766VM1\Administrators; |
List of groups. CommonName or Computer\groupName (explicit membership) |
|
HasDirectReports |
No |
True |
True or False; True if DirectReports is not empty |
|
HasGroups |
No |
True |
True if this user is member of any group |
|
HasPhoto |
No |
True |
True if this user has a photo |
|
HomeDirSize |
No |
0 |
Size of the home directory for the domain user |
|
HomePhoneNumber |
No |
+7-123-4567890 |
Phone number for the domain user |
|
HomePostalAddress |
No |
Main street |
Mailing address for the domain user |
|
Info |
No |
Account used for Patchlink & Symantec scanning of domain systems |
Informational notes on the domain user |
|
Initials |
No |
M |
Initials for the domain user |
|
IpPhone |
No |
+44 1234 567890 x12345 |
IP telephone number or address for the domain user |
|
LastName |
No |
Epper |
Last name of domain user |
|
LogonHours |
No |
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF |
Hex-coded hours that the domain/local user is allowed to log on to the domain |
|
Logon Name |
No |
|
Same as LogonName |
|
LogonName |
No |
SVC-Scanner@main.mycompany.corp |
Logon name for the domain user |
|
ManagedBy |
No |
CN=Christina Hilli, |
The account (distinguished name) by which the domain user is managed |
|
Manager |
Yes |
|
Same as ManagedBy,ManagedByDisplayName |
|
MiddleName |
No |
N |
Middle name for the domain user |
|
Mobile |
Yes |
+7-123-4567890 |
Mobile number for the user |
|
Name |
Yes |
|
Same as DisplayName |
|
NumLogons |
No |
3910 |
Number of times the domain/local user has successfully logged on |
|
Office |
Yes |
Castlegar |
Office location for the user |
|
Organizational Unit |
Yes |
|
Same as OU_CanonicalName |
|
OtherIpPhone |
No |
Conference 84030 |
List of alternate TCP/IP addresses for the phone for the domain user (Telephony) |
|
OtherMailbox |
No |
other_mailbox@hotmail.com |
Additional email addresses for the domain user |
|
OtherMobile |
No |
+55 11 12345 6789 |
List of alternate mobile phone numbers for the domain user |
|
OtherTelephone |
No |
+1 123 456 7890 |
List of alternate telephone numbers for the domain user |
|
OU_CanonicalName |
No |
main.mycompany.corp/IS/SVC-Accounts/MailboxEnabled |
Canonical name for organizational unit (for domain users only) |
|
OU_DistinguishedName |
No |
OU=Enabled SVC-Accounts, |
Distinguished name for organizational unit (for domain users only) |
|
PasswordIsexpired |
No |
True |
True if domain user's password is expired; otherwise, false |
|
PasswordNeverExpires |
No |
True |
True if the domain/local user's password never expires; otherwise, false |
|
PersonalTitle |
No |
Mr. |
Personal title for the domain user |
|
PostalCode |
No |
411016 |
Postal or zip code for the domain user |
|
RelatedOU |
No |
|
Same as OU_CanonicalName |
|
SAM Account Domain |
Yes |
|
Same as SAMAccountDomain |
|
SAM Account Name |
Yes |
|
Same as SAMAccountName |
|
SAMAccountDomain |
No |
MAIN |
SAM account name for the account's domain for domain's users or NetBIOS name of the computer for computer's users |
|
SAMAccountName |
No |
jcdenton |
SAM account name for the account |
|
Scope |
Yes |
Active Directory |
Active Directory or Computer |
|
Source |
Yes |
Enterprise Reporter |
Enterprise Reporter (data source) |
|
State |
Yes |
Current |
Current or Deleted |
|
StateOrProvince |
No |
AZ |
State or province for the domain user |
|
StreetAddress |
No |
1042 Bluesky Blvd., Bldg. 1 Flagstaff AZ |
Street address for the domain user |
|
TelephoneNumber |
No |
+1 123 456 7890 x45678 |
Telephone number for the domain user |
|
Title |
Yes |
Software Developer 3 |
Title for the user |
|
UserPrivilegeLevel |
No |
Normal |
Flag for user privilege level: Normal or Unknown |
|
UserWorkstations |
No |
ALVMISW02,ALVSANW01,ALVPATW01,ALVPATW02 |
NetBIOS or DNS names of the computers running Windows?NT Workstation or Windows?2000 Professional to which the domain user can log on |
|
Where |
No |
|
Same as DomainName |
|
Who |
No |
|
Same as SAMAccountName, DisplayName, AccountSid, DistinguishedName |
Other Object Types
In addition to the object types listed above, Enterprise Reporter can provide field data for various other objects. To see the kinds of objects available in your environment, click the More tab in the search result grid. For a list of supported fields of a particular object type, see the details of such an object.
InTrust Data Fields
The following are lists of fields that occur in InTrust events, organized by type of returned object.
|
NOTE: The In UI column indicates if the field is available in the IT Security Search web UI as a clickable element. Whether or not you can click it in the UI, you can type any of these fields in your search queries. |
|
Field Name |
In UI |
Example Value |
Details |
|---|---|---|---|
|
Category |
No |
Sensitive Privilege Use |
Event category |
|
Computer |
No |
Y1202.seldom.mycompany |
Computer where the event occurred |
|
ComputerType |
No |
69635 |
Mask for computer type |
|
DataSourceType |
No |
{A9E5C7A2-5C01-41B7-9D36-E562DFDDEFA9} |
GUID of InTrust data source type |
|
Description |
No |
An operation was attempted on a privileged object. |
Event description |
|
Environment |
No |
9E442BEE-EAC2-4D79-9013-053FB225CFD0 |
Enviroment GUID |
|
EventID |
No |
4674 |
Event ID |
|
Type |
No |
16 |
Event Type ID numeric |
|
SourceComputer |
No |
Y1202 |
Name of gathering computer |
|
SourceDomain |
No |
SELDOM |
Name of gathering computer's domain |
|
Log |
No |
Security |
Log name |
|
PlatformID |
No |
500 |
Platform ID (500 means Windows) |
|
Source |
No |
Security |
Event source |
|
UserDomain |
No |
WST9983 |
Domain of the user that initiated this event |
|
UserName |
No |
Administrator |
Name of the user that initiated this event |
|
VersionMajor |
No |
6 |
OS version major |
|
VersionMinor |
No |
2 |
OS version minor |
|
InsertionString* |
Yes |
NT AUTHORITY |
InsertionString1, InsertionString2 etc. |
|
Workstation |
No |
WST9983 |
Computer where the operation was initiated |
|
Where_From |
No |
WST9983 |
Same as Workstation |
|
WhoDomain |
No |
SALES |
Same as UserDomain |
|
Who |
No |
Administrator |
Same as UserName |
|
Object_DN |
No |
CN=HealthMailbox, |
DN of the object that was changed/deleted/created |
|
Object_ID |
Yes |
DE442BEE-EAC2-4D79-9013-053FB225CFD0 |
ID of the object that was changed/deleted/created |
|
WhomId |
No |
CN=Admin, |
Object_DN of the object that was changed/deleted/created, if available; otherwise Object_ID of the object |
|
Whom_ObjectClass |
No |
user |
Class of the object that was changed/deleted /created |
|
ComputerName |
No |
COMP1 |
Same as Computer |
|
What |
No |
NTLM Authentication |
Event literal |
|
Log name |
No |
Security |
Same as Log |
|
SourceName |
No |
Security |
Same as Source |
|
RelatedOU |
No |
sales.mycompany.corp/Production Computers |
By Enterprise Reporter: OU associated with the computer |
|
Whom_ObjectClass |
No |
user |
By Enterprise Reporter: Object class of Whom |