
IT Security Search 11.5.2 - User Guide

Recovery Manager for Active Directory Server

Recovery Manager for Active Directory performs Active Directory recovery at any level: from individual objects and attributes to entire domains and, in the case of Recovery Manager for Active Directory Forest Edition, even Active Directory forests. IT Security Search lets you track recovery-related activity. Enabling the Recovery Manager for Active Directory data link makes it possible to list available backup states and restore objects to any of them.

NOTE: You cannot perform forest-level recovery from IT Security Search.

To start configuring the Recovery Manager for Active Directory data link, select the Connector enabled option. To set up the connection to Recovery Manager for Active Directory, configure the following:

  1. Recovery Manager connection settings
    Specify the Recovery Manager server to connect to and the credentials to use for running PowerShell cmdlets on that server. The account you supply must have local administrator privileges on the server.
  2. Active Directory connection settings
    Specify the Active Directory domain or a particular domain controller and the credentials to use for working with backup data. The account you supply must be powerful enough to both read the backup configuration and perform recovery by applying backup states.

For up-to-date details about the permissions required for access to Recovery Manager for Active Directory, see the Recovery Manager for Active Directory Deployment Guide.

To make sure that you have specified a valid account or accounts, click the Test connection link. This verifies that the credentials are valid and suitable for running searches. However, it does not ensure that the Active Directory access account can perform recovery operations.

Active Roles

Active Roles simplifies and streamlines creation and ongoing management of user accounts, groups and other objects in Active Directory. Generally, whenever you are looking for an answer to the question “What is known about this user or group?” in IT Security Search, the data can be provided by Active Roles.

Active Roles brings information about the following:

  • Users
  • Groups
  • Computers
  • OUs
  • Active Directory change events as logged by Active Roles
  • Active Roles-specific information:
    • Virtual attributes of objects
    • Dynamic groups and their membership rules
    • Management history
    • Managed units

To start configuring the Active Roles data link, select the Connector enabled option. To set up the connection to the Active Roles server, configure the following settings:

  • Server name
  • User name and password
    The account you supply must be powerful enough to do the following:
    • Read Active Directory data
    • Run PowerShell cmdlets on the Active Roles server

To verify that your Active Roles server access works, click the Test Connection link.

Finally, click Apply.

Caution: For the connection to the Active Roles server to work, make sure that port 15172 is opened for both inbound and outbound traffic on that server.

Management History Synchronization Specifics

Management history synchronization between IT Security Search and Active Roles does not happen directly. IT Security Search uses its own “warehouse” component as an intermediary data store. The first synchronization can take a long time, because all available history has to be processed. After that, synchronization involves only the most recent data.

Splunk

The Splunk connector retrieves searchable data from Splunk.

The connector has the following minimal configuration options:

  • Splunk server URI
  • The user name and password of the account to use for access to Splunk

One additional setting that you may want to configure is the number of retrieved Splunk results. By default, Splunk returns 50,000 objects, whereas IT Security Search shows 100,000 per page. To make these limits consistent, take the following steps:

  1. On the Splunk server, open (or create if necessary) the %programfiles%\Splunk\etc\system\local\limits.conf file (on Windows) or /opt/splunk/etc/system/local/limits.conf file (on Linux) in a text editor.
  2. Add the following lines to the file:

     [restapi]
     maxresultrows = 100000

  3. Restart Splunk.
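The edit above is easy to get wrong by hand when limits.conf already exists and has a [restapi] stanza (or a different maxresultrows value) from an earlier change. The following PowerShell function is an added example, not part of this guide or of Splunk; it applies the setting idempotently: it replaces an existing maxresultrows line inside [restapi], adds the line if the stanza exists without it, or appends the whole stanza if it is missing, and reports whether the file actually changed. It assumes you run it on the Splunk server with write access to the file; the Linux path is passed instead of the Windows one where applicable, and restarting Splunk remains a separate step.

```powershell
# Added example (not from the IT Security Search guide or from Splunk):
# idempotently set a key under a stanza in a Splunk .conf file.
function Set-SplunkConfValue {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,     # e.g. ...\etc\system\local\limits.conf
        [Parameter(Mandatory)] [string] $Stanza,   # e.g. 'restapi'
        [Parameter(Mandatory)] [string] $Key,      # e.g. 'maxresultrows'
        [Parameter(Mandatory)] [string] $Value     # e.g. '100000'
    )

    # Existing lines, or an empty list when the file has to be created.
    $lines = @()
    if (Test-Path -LiteralPath $Path) { $lines = @(Get-Content -LiteralPath $Path) }

    $newLine    = "$Key = $Value"
    $keyPattern = '^' + [regex]::Escape($Key) + '\s*='   # "key = value" or "key=value"
    $out        = New-Object 'System.Collections.Generic.List[string]'
    $inStanza   = $false
    $stanzaSeen = $false
    $keyWritten = $false

    foreach ($line in $lines) {
        $trimmed = $line.Trim()

        if ($trimmed -match '^\[(.+)\]$') {
            # Leaving the target stanza without having seen the key: insert it before the next stanza.
            if ($inStanza -and -not $keyWritten) { $out.Add($newLine); $keyWritten = $true }
            $inStanza = ($Matches[1] -ceq $Stanza)   # stanza names are matched case-sensitively
            if ($inStanza) { $stanzaSeen = $true }
            $out.Add($line)
            continue
        }

        # Inside the target stanza: replace the first occurrence of the key, drop any duplicates.
        if ($inStanza -and $trimmed -cmatch $keyPattern) {
            if (-not $keyWritten) { $out.Add($newLine); $keyWritten = $true }
            continue
        }
        $out.Add($line)   # comments, blank lines and other stanzas pass through untouched
    }

    if (-not $stanzaSeen) {
        # Stanza missing entirely: append it, separated from the previous content by a blank line.
        if ($out.Count -gt 0 -and $out[$out.Count - 1].Trim() -ne '') { $out.Add('') }
        $out.Add("[$Stanza]")
        $out.Add($newLine)
    } elseif (-not $keyWritten) {
        # Target stanza was the last one in the file and had no such key.
        $out.Add($newLine)
    }

    $changed = (($lines -join "`n") -cne ($out -join "`n"))
    if ($changed) {
        $dir = Split-Path -Parent $Path
        if ($dir -and -not (Test-Path -LiteralPath $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
        Set-Content -LiteralPath $Path -Value $out.ToArray()
    }
    return $changed
}

# Windows path from the guide; on Linux pass '/opt/splunk/etc/system/local/limits.conf' instead.
$conf = Join-Path $env:ProgramFiles 'Splunk\etc\system\local\limits.conf'
if (Set-SplunkConfValue -Path $conf -Stanza 'restapi' -Key 'maxresultrows' -Value '100000') {
    Write-Host 'limits.conf updated; restart Splunk for the change to take effect.'
} else {
    Write-Host 'limits.conf already had maxresultrows = 100000 under [restapi]; nothing to do.'
}
```

Running the function a second time returns $false and leaves the file byte-for-byte unchanged, which is what you want from a step that may be baked into a deployment script. Only the maxresultrows line inside [restapi] is touched; other stanzas and any comments in the file are preserved.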

A predefined Splunk-to-IT Security Search field mapping is provided out of the box. If you find that this mapping doesn't suit you, call Quest Support. This will help improve Splunk integration for you and everyone else.

HTTPS API for Forwarded Change Auditor Events

IT Security Search 11.5.2 contains an early implementation of support for retrieval of forwarded Change Auditor data in the Warehouse connector. This feature preview is provided as-is, so that you can try it out, give us feedback and help us make it more useful in a future release.

Before You Begin

First, make sure the ITSS.Warehouse service is running on your IT Security Search server. This is required for a successful Change Auditor subscription.

Getting Change Auditor Ready

To make Change Auditor push audit data to Warehouse, run the CreateCAITSSEventSubscription.ps1 PowerShell script, which is located in the <Change Auditor installation folder>\Client\PowerShell Sample Scripts folder on your Change Auditor coordinator. This will start a multi-step configuration procedure in the command prompt, where you will need to specify the settings for your particular environment.

The following are examples of values that you can supply for some of the prompts:

  • Specify Change Auditor installation name
    DEFAULT
  • Enter the number(s) of the subsystem events to be forwarded (separate multiple entries with commas)
    1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18
  • Specify the destination URL and port for the ITSS warehouse instance
    https://myitssserver:443/warehouse/changeauditor/events

    NOTE: To find out which port is used, check the HKEY_LOCAL_MACHINE\SOFTWARE\Quest\IT Security Search Warehouse API\ListenPort registry value on the IT Security Search server. To see whether HTTPS is used instead of HTTP, check the HKEY_LOCAL_MACHINE\SOFTWARE\Quest\IT Security Search Warehouse API\ListenScheme registry value.

  • Enter a coordinator DNS or NetBIOS name (or press enter to finish)
    mycacoordinatorvm1,someothercacoordinatorvm9
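Two of the prerequisites above are easy to check before you start the subscription script: the ITSS.Warehouse service must be running, and the destination URL must use the scheme and port from the two registry values named in the note. The following PowerShell script is an added example, not part of this guide or of the Quest scripts; run it on the IT Security Search server and it verifies the service, reads ListenScheme and ListenPort, confirms something is listening on that port, and prints the URL to paste at the "destination URL and port" prompt. It assumes the service name ITSS.Warehouse and the registry value names exactly as the guide gives them, and reuses the /warehouse/changeauditor/events path from the guide's example URL; the function names are the example's own.

```powershell
# Added example (not from the IT Security Search guide or from Quest):
# pre-flight check for the Warehouse endpoint that Change Auditor will forward events to.

function Get-ItssWarehouseEndpoint {
    param(
        # FQDN of this server, used as the host part of the destination URL.
        [string] $HostName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    )
    # Registry key and value names are the ones given in the guide's note.
    $regPath = 'HKLM:\SOFTWARE\Quest\IT Security Search Warehouse API'
    $props   = Get-ItemProperty -Path $regPath -ErrorAction Stop
    $scheme  = ([string]$props.ListenScheme).ToLowerInvariant()   # 'https' or 'http'
    $port    = [int]$props.ListenPort                              # e.g. 443

    [pscustomobject]@{
        Scheme = $scheme
        Port   = $port
        # Path taken from the guide's example URL.
        Url    = '{0}://{1}:{2}/warehouse/changeauditor/events' -f $scheme, $HostName, $port
    }
}

function Test-ItssWarehouseReady {
    # "Before You Begin": the ITSS.Warehouse service must be running for the subscription to succeed.
    $svc = Get-Service -Name 'ITSS.Warehouse' -ErrorAction Stop
    if ($svc.Status -ne 'Running') {
        throw "ITSS.Warehouse service is '$($svc.Status)'; start it before creating the Change Auditor subscription."
    }

    $ep = Get-ItssWarehouseEndpoint

    # Plain TCP reachability of the listener port (Test-NetConnection ships with Windows 8 / Server 2012 and later).
    $tcp = Test-NetConnection -ComputerName $env:COMPUTERNAME -Port $ep.Port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        throw "Nothing is listening on TCP port $($ep.Port); check the ListenPort registry value and the service."
    }

    # Audit data crosses the network on this channel; flag a non-HTTPS listener so it is a conscious choice.
    if ($ep.Scheme -ne 'https') {
        Write-Warning "Warehouse API listens over $($ep.Scheme); forwarded Change Auditor events would not be encrypted in transit."
    }

    Write-Host "Destination URL for CreateCAITSSEventSubscription.ps1: $($ep.Url)"
    return $ep
}

Test-ItssWarehouseReady
```

The script stops with a clear error at the first failed prerequisite, so that a subscription is not created against a Warehouse that cannot receive it. Whether the coordinator can reach the port across the network (firewalls between the two servers) still has to be confirmed from the Change Auditor coordinator itself.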

The following additional scripts are also provided to let you manage your IT Security Search subscriptions:

  • GetCAITSSEventSubscriptions.ps1
  • ModifyCAITSSEventSubscription.ps1
  • RemoveCAITSSEventSubscription.ps1

Getting IT Security Search Ready

IMPORTANT:

  • Using the Change Auditor connector and the Warehouse connector to get data from the same Change Auditor coordinator at the same time is not recommended, because it might result in duplicate events in your searches.