Chat now with support
Chat with Support

IT Security Search 11.3.2 - User Guide

Where the Data Comes From

IT Security Search relies on data provided by auditing and operations management systems. At this time, the following systems are supported:

  • InTrust
  • Change Auditor
  • Enterprise Reporter
  • Recovery Manager for Active Directory
  • Active Roles

You can connect to any combination of these systems. However, to make the most of IT Security Search, you should establish links with all of them that are available to you. IT Security Search is designed to correlate the data they supply, sparing you the effort of trying to match disparate bits of information to build up a picture.

For example, an event captured by InTrust can prompt you to examine the initiator user account closely; user information is provided by Enterprise Reporter. Next, you might be interested in recent changes to the user account; this information comes from Change Auditor. With all three systems interconnected, these transitions from one piece of data to another are quick and seamless.

Support for Recovery Manager for Active Directory lets you perform recovery directly from the IT Security Search interface in addition to viewing a list of available backup states. For each of them, the Restore object to this state link is provided. If the object was changed rather than deleted, you can select specific modified attributes to restore. If it was deleted, you can only restore it to a full state.

Specifying Data Sources

To configure the connections between IT Security Search and any of the supported systems available in your environment, go to the IT Security Search settings page. To open this page, click Settings in the upper right corner.

See the following topics for details about connection configuration for each of the systems:

Change Auditor Database

Change Auditor produces information about changes to critical resources such as Active Directory, Exchange or files on file servers. Generally, whenever you are looking for an answer to the question “What changed in the environment?” in IT Security Search, the data is likely provided by Change Auditor.

To start configuring the Change Auditor database data link, select the Connector enabled option. To set up connection to the Change Auditor database, configure the standard SQL Server database access settings:

  • Server name
  • Database name
  • Authentication type
    The following options are available:
    • Windows authentication
      Make sure the Active Directory account you specify is granted Read and Execute permissions on the database.
    • SQL Server authentication
      Specifies that SQL Server-specific credentials are used.
  • User name and password

To verify that your Change Auditor database access works, click the Test Connection link.

Finally, click Apply.

Caution: To make Change Auditor generate the events you want to see in IT Security Search, configure monitoring of the Active Directory attributes you are interested in. For that, in the configuration of the Auditing task, in the AD Attribute Auditing page, go to Forest Attributes. Select the object class and enable monitoring for the necessary attributes.

For details about working with Change Auditor tasks, see the Change Auditor User Guide.

InTrust Repository

InTrust collects audit events from a wide range of logs on a variety of platforms. Generally, whenever you are looking for an answer to the question “What happened?” in IT Security Search, the data is provided by InTrust.

To start configuring the InTrust repository data link, select the Connector enabled option. To set up connection to one or more InTrust repositories with audit data, configure the following:

  • InTrust server name and credentials
    This is an InTrust server in the InTrust organization where the repository is registered. There can be multiple servers in an InTrust organization, and any of them is accepted.
    Make sure access to repositories is configured for the account you supply:
    • If you want read-only access to repositories, the account must be a member of the computer local AMS Readers group on the InTrust server.
    • If you want the account to be able to create repositories, it must be listed as an InTrust organization administrator. For details, see InTrust Organization Administrators. Membership in AMS Readers is not necessary in this case.
    • The account must have the necessary share permissions on the network share that makes the repository available. For retrieving events it needs the Read permission; if you want to create repositories, it needs Full Control.
  • The repository or repositories to connect to

NOTES:

  • The page shows the date of the last gathered event across all of the included repositories.
  • If there was recently a problem with a repository, indicated by an error icon, hover the mouse cursor over that repository, and a tooltip will show the error message.

To verify that your repository access works, click the Test Connection link.

Finally, click Apply.

Enterprise Reporter Database

Enterprise Reporter retains information about the configuration of critical systems. Generally, whenever you are looking for an answer to the question “What settings are configured for this?” in IT Security Search, the data is provided by Enterprise Reporter.

To start configuring the Enterprise Reporter database data link, select the Connector enabled option. To set up connection to the Enterprise Reporter database, configure the standard SQL Server database access settings:

  • Server name
  • Database name
  • Authentication type

    The following options are available:
    • Windows authentication
    • SQL Server authentication
      Specifies that SQL Server-specific credentials are used.
  • User name and password
    Make sure the Active Directory account you specify is granted Read and Execute permissions on the database.

To verify that your Enterprise Reporter database access works, click the Test Connection link.

Finally, click Apply.

Keeping the Index Up to Date

Before you can use data from the Enterprise Reporter database, you need to wait until IT Security Search builds an index of objects that are loaded from the database.

To track the database indexing progress, check the Enterprise Reporter connector settings page. If any errors occur during indexing, they are displayed on the page.

By default, the index is updated every 24 hours. You can force an update by clicking Refresh Data Now.

Making All Data Cohesive with Enterprise Reporter

IT Security Search provides the Who, Whom and Where smart aliases for record fields in the data it analyzes. This ensures that you get associated data from unrelated sources using the same terms in your search queries.

The necessary field mapping is created from Enterprise Reporter data. For example, if the Enterprise Reporter connector is configured, you can proceed from the user details page directly to a list of events initiated by the user. Otherwise, the Activity initiated by this user link may not even be available in the details, or it may produce fewer results than it should.

To make sure Enterprise Reporter provides the data for the mapping, configure a recurring Active Directory discovery that includes users and computers in its scope. Set the frequency of the discovery according to the policies in your environment.

Handling of File and Folder Paths in Enterprise Reporter 3.0 and Later

Prior to version 3.0, Enterprise Reporter recorded local file and folder paths (such as C:\Windows\WinSxS\Manifests\manifest.txt); in version 3.0 it began recording network paths (such as \\ITSS30.LOCAL\C$\Windows\WinSxS\Manifests\manifest.txt) instead. The new format is not suitable for correlation with Change Auditor for Active Directory data, which has local paths.

If you are using Enterprise Reporter 3.0 or later, to make sure that links such as Who accessed this file work correctly in IT Security Search, configure a recurring Active Directory discovery of type Computer that includes all the necessary computers in its scope. Set the frequency of the discovery according to the policies in your environment.

Ensuring Correct Object Counts for OUs

By default, the Do not collect object counts option is enabled for Active Directory discoveries in Enterprise Reporter. If IT Security Search uses data obtained by such discoveries, it shows zeros for the number of users, groups and so on in the details of OUs. To make IT Security Search show the correct object counts, make sure the Do not collect object counts option is cleared for your Active Directory discoveries.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating