IT Security Search 11.5.1

Table of Contents

Welcome to IT Security Search Installing IT Security Search Security Details and Configuration Who Can Do What in IT Security Search Where the Data Comes From

Change Auditor Database InTrust Repository Enterprise Reporter Recovery Manager for Active Directory Server Active Roles Splunk HTTPS API for Forwarded Change Auditor Events

Running Searches

Search Term Syntax Data Field Reference

Enterprise Reporter Data Fields InTrust Data Fields Change Auditor for Active Directory Data Fields Active Roles Data Fields Recovery Manager for Active Directory Data Fields

Saving Searches and Running Saved Searches Customizing Action Links

Use Scenarios

Case Study: Investigating Tampering Case Study: Making the Most of Multiple Connectors Case Study: Active Roles Dynamic Group Membership Tracking

Additional Utility Scripts Providing Information to Support

Recovery Manager for Active Directory Server

Recovery Manager for Active Directory performs Active Directory recovery at any level: from individual objects and attributes to entire domains and, in the case of Recovery Manager for Active Directory Forest Edition, even Active Directory forests. IT Security Search lets you track recovery-related activity. Enabling the Recovery Manager for Active Directory data link makes it possible to list available backup states and restore objects to any of them.

NOTE: You cannot perform forest-level recovery from IT Security Search.

To start configuring the Recovery Manager for Active Directory data link, select the Connector enabled option. To set up connection to Recovery Manager for Active Directory, configure the following:

Recovery Manager connection settings
Specify the Recovery Manager server to connect to and the credentials to use for running PowerShell cmdlets on that server. The account you supply must have local administrator privileges on the server.
Active Directory connection settings
Specify the Active Directory domain or a particular domain controller and the credentials to use for working with backup data. The account you supply must be powerful enough to both read the backup configuration and perform recovery by applying backup states.

For up-to-date details about the permissions required for access to Recovery Manager for Active Directory, see the Recovery Manager for Active Directory Deployment Guide.

To make sure that you have specified valid account or accounts, click the Test connection link. This verifies that the credentials are valid and suitable for running searches. However, it does not ensure that the Active Directory access account can perform recovery operations.

Active Roles

Active Roles simplifies and streamlines creation and ongoing management of user accounts, groups and other objects in Active Directory. Generally, whenever you are looking for an answer to the question “What is known about this user or group?” in IT Security Search, the data can be provided by Active Roles.

Active Roles brings information about the following:

Users
Groups
Computers
OUs
Active Directory change events as logged by Active Roles
Active Roles-specific information:
- Virtual attributes of objects
- Dynamic groups and their membership rules
- Management history
- Managed units

To start configuring the Active Roles data link, select the Connector enabled option. To set up connection to the Active Roles server, configure the following settings:

Server name
User name and password
The account you supply must be powerful enough to do the following:
- Read Active Directory data
- Run PowerShell cmdlets on the Active Roles server

To verify that your Active Roles server access works, click the Test Connection link.

Finally, click Apply.

Caution: For the connection to the Active Roles server to work, make sure that port 15172 is opened for both inbound and outbound traffic on that server.

Management History Synchronization Specifics

Management history synchronization between IT Security Search and Active Roles does not happen directly. IT Security Search uses its own “warehouse” component as an intermediary data store. The first synchronization can take a long time, because all available history has to be processed. After that, synchronization involves only the most recent data.

Splunk

The Splunk connector retrieves searchable data from Splunk.

The connector has the following minimal configuration options:

Splunk server URI
The user name and password of the account to use for access to Splunk

One additional setting that you may want to configure is the number of retrieved Splunk results. By default, Splunk returns 50,000 objects, whereas IT Security Search shows 100,000 per page. To make these limits consistent, take the following steps:

On the Splunk server, open (or create if necessary) the %programfiles%\Splunk\etc\system\local\limits.conf file (on Windows) or /opt/splunk/etc/system/local/limits.conf file (on Linux) in a text editor.
Add the following lines to the file:

[restapi]

maxresultrows = 100000
Restart Splunk.

A predefined Splunk-to-IT Security Search field mapping is provided out of the box. If you find that this mapping doesn't suit you, call Quest Support. This will help improve Splunk integration for you and everyone else.

HTTPS API for Forwarded Change Auditor Events

IT Security Search 11.5.1 contains an early implementation of support for retrieval of forwarded Change Auditor data in the Warehouse connector. This feature preview is provided as-is, so that you can try it out, give us feedback and help us make it more useful in a future release.

Before You Begin

First, make sure the ITSS.Warehouse service is running on your IT Security Search server. This is required for a successful Change Auditor subscription.

Getting Change Auditor Ready

To make Change Auditor push audit data to Warehouse, run the CreateCAITSSEventSubscription.ps1 PowerShell script, which is located in the <Change Auditor installation folder>\Client\PowerShell Sample Scripts folder on your Change Auditor coordinator. This will start a multi-step configuration procedure in the command prompt, where you will need to specify the settings for your particular environment.

The following are examples of values that you can supply for some of the prompts:

Specify Change Auditor installation name
DEFAULT
Enter the number(s) of the subsystem events to be forwarded (separate multiple entries with commas)
1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18

Specify the destination URL and port for the ITSS warehouse instance
https://myitssserver:443/warehouse/changeauditor/events

NOTES:To find out which port is used, check the HKEY_LOCAL_MACHINE\SOFTWARE\Quest\IT Security Search Warehouse API\ListenPort registry value on the IT Security Search server. To see whether HTTPS is used instead of HTTP, check the HKEY_LOCAL_MACHINE\SOFTWARE\Quest\IT Security Search Warehouse API\ListenScheme registry value.

Enter a coordinator DNS or NetBIOS name (or press enter to finish)
mycacoordinatorvm1,someothercacoordinatorvm9

The following additional scripts are also provided to let you manage your IT Security Search subscriptions:

GetCAITSSEventSubscriptions.ps1
ModifyCAITSSEventSubscription.ps1
RemoveCAITSSEventSubscription.ps1

Getting IT Security Search Ready

IMPORTANT:

Using Change Auditor connector and the Warehouse connector to get data from the same Change Auditor coordinator at once is not recommended as it might result in duplicate events in your searches.

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

IT Security Search 11.5.1 - User Guide