IT Security Search 11.3.2 - User Guide

Recovery Manager for Active Directory Server

Recovery Manager for Active Directory performs Active Directory recovery at any level: from individual objects and attributes to entire domains and, in the case of Recovery Manager for Active Directory Forest Edition, even Active Directory forests. IT Security Search lets you track recovery-related activity. Enabling the Recovery Manager for Active Directory data link makes it possible to list available backup states and restore objects to any of them.

NOTE: You cannot perform forest-level recovery from IT Security Search.

To start configuring the Recovery Manager for Active Directory data link, select the Connector enabled option. To set up the connection to Recovery Manager for Active Directory, configure the following:

  1. Recovery Manager connection settings
    Specify the Recovery Manager server to connect to and the credentials to use for running PowerShell cmdlets on that server. The account you supply must have local administrator privileges on the server.
  2. Active Directory connection settings
    Specify the Active Directory domain or a particular domain controller and the credentials to use for working with backup data. The account you supply must be powerful enough to both read the backup configuration and perform recovery by applying backup states.

For up-to-date details about the permissions required for access to Recovery Manager for Active Directory, see the Recovery Manager for Active Directory Deployment Guide.

To make sure that you have specified a valid account or accounts, click the Test connection link. This verifies that the credentials are valid and suitable for running searches. However, it does not ensure that the Active Directory access account can perform recovery operations.

Active Roles

Active Roles simplifies and streamlines creation and ongoing management of user accounts, groups and other objects in Active Directory. Generally, whenever you are looking for an answer to the question “What is known about this user or group?” in IT Security Search, the data can be provided by Active Roles.

Active Roles brings information about the following:

  • Users
  • Groups
  • Computers
  • OUs
  • Active Directory change events as logged by Active Roles
  • Active Roles-specific information:
    • Virtual attributes of objects
    • Dynamic groups and their membership rules

To start configuring the Active Roles data link, select the Connector enabled option. To set up the connection to the Active Roles server, configure the following settings:

  • Server name
  • User name and password
    The account you supply must be powerful enough to do the following:
    • Read Active Directory data
    • Run PowerShell cmdlets on the Active Roles server

To verify that your Active Roles server access works, click the Test Connection link.

Finally, click Apply.

Caution: For the connection to the Active Roles server to work, make sure that port 15172 is opened for both inbound and outbound traffic on that server.

Management History Synchronization Specifics

Management history synchronization between IT Security Search and Active Roles does not happen directly. IT Security Search uses its own “warehouse” component as an intermediary data store. The first synchronization can take a long time, because all available history has to be processed. After that, synchronization involves only the most recent data.

Running Searches

To begin searching, enter what you are looking for in the search box. For example, start with a user name, a network share path, a computer name or a phrase to look for in event fields.

A search involves all available item types (events, users, files, computers and so on) at once, no matter which item type is currently highlighted. By default, the number of results returned is limited to 100,000. For Recovery Manager for Active Directory items, the limit is fixed at 5,000.

Viewing Data by Object Type

IT Security Search groups the discovered data by object type:

  • Computers
  • Events
  • Files
  • Groups
  • OUs
  • Shares
  • Users

These items can be selected at the top. The object type is also switched when you use links in the context of some object's details, such as Activity initiated by this user or Who granted permissions to this file.

Specifying a Time Range for Events

To display events from only a specific time period, use the time range filter. For that, click the clock icon in the search box. If you choose not to specify a time range, the search will involve all available data.

Understanding the Event Timeline

The event timeline is a bar graph representation of search results, where you can quickly spot event patterns. For example, it helps you find out the peak hours for the events you are interested in or easily track activity outside business hours.

Viewing Details of Search Results

When you select an item from the result list, the right pane shows brief details about the item. To go to the full details view for this item, click View Details.

The details view also suggests links to related data which you might be interested in and which you might be trying to find in the first place. Clicking such a link starts a search in an automatically supplied context. For example, when you are viewing the details of a folder in a network share, the following links are ready for you:

  • Who accessed this folder
  • Who granted permissions to this folder
  • Files and folders in this share

Information about users, groups, computers and organizational units can come from more than one source. At this time, the following systems provide data about them: Enterprise Reporter, Recovery Manager for Active Directory and Active Roles. When multiple sources have information about the same object, IT Security Search shows data from the source that submitted it first, so that the results can be displayed sooner. A warning is shown about additional data that may be available. If you want these results, click the run a full scan link in the warning text. This will cause IT Security Search to retrieve the data from the remaining sources and correlate it.

Navigating Session History Using Breadcrumbs

As you work with the search results, your search path is saved as a breadcrumb sequence. This helps you go back to any previous step in your session without retracing the steps.

Using Facets to Filter Results

Facets are quick view filters by property value. When you apply a facet, IT Security Search shows only matching items. You can apply multiple facets at once, progressively limiting the number of results; you can also remove any of the facets you have applied.

Facets are shown to the left of the result pane. To apply a facet, click an available value link. For example, if you are viewing the details of a deleted user account (where the value of State is Deleted) and want to focus on other deleted users, click the Deleted link.

Alternatively, you can use the item's properties to work with facets. The properties that support this have funnel icons next to them in the details pane. To apply a facet, click such a property.

Fine-Tuning Your Search Terms

Simple searches produce results where the term you specify is contained anywhere in the discovered data. To make your searches less broad and more relevant, you can use hints—for example, by prefixing the field names to look in. For details, see Search Term Syntax.


Search Term Syntax

Use the following syntax for search terms in the search box. Searches are case-insensitive.

Notes:

  • Asterisk wildcards in an initial position are currently not supported for events provided by InTrust and Recovery Manager for Active Directory. This limitation does not apply to data provided by Change Auditor and Enterprise Reporter.
  • If you specify file system paths (such as C:\Windows) or Active Directory distinguished names (such as CN = Builtin, DC = kltest16, DC = test, DC = local) as search terms, enclose them in quotation marks. This is necessary due to the way the search engine treats the backslash (as an escape character) and the equality sign (as an attribute indicator).

For details about the fields that you can use in your search queries, see Data Field Reference.

Single-Word Terms

This is known as full-text search. The search involves all available fields and uses the Contains operator.

Meaning: Look for a single-word term in any attribute
  Syntax: Word without spaces
  Example: john
  Details: john matches John or john in any attribute, but does not match stjohn in any attribute

Meaning: Look for a single-word term with the specified beginning in any attribute
  Syntax: Word ending in an asterisk (*) without spaces
  Example: john*
  Details: john* matches John or Johnson in any attribute

Meaning: Find entries where a specific single-word term is not contained in any attribute
  Syntax: Word without spaces with a leading hyphen
  Example: -john
  Details: -john may match entries that contain stjohn, but does not match entries that contain john in any attribute

Meaning: Find entries where a specific single-word term with the specified beginning is not contained in any attribute
  Syntax: Word ending in an asterisk (*) without spaces with a leading hyphen
  Example: -john*
  Details: -john* may match entries that contain stjohn, but does not match entries that contain john or johnson in any attribute

Term Combinations

Meaning: Look for entries with specific single-word terms in any attributes
  Syntax: Words separated by spaces
  Example: john glen*
  Details: john glen* matches john and glen, or john and glenda, or john and glen and glenda, wherever they are found

Meaning: Look for entries that do not contain specific single-word terms in any attribute
  Syntax: Words without spaces, with a leading hyphen on each word to exclude
  Examples:
    • -john -glen
    • john -glen*
  Details:
    • -john -glen matches entries that do not contain john or glen anywhere
    • john -glen* matches entries that contain john in any attribute and at the same time do not contain glen or glenda anywhere

Meaning: Look for entries with a specific multiple-word phrase in any attribute
  Syntax: Phrase in quotation marks
  Example: "Account Logon"
  Details: "Account Logon" matches entries that contain the exact phrase Account Logon in any attribute

Meaning: Look for entries that do not contain a specific multiple-word phrase in any attribute
  Syntax: Phrase in quotation marks with a leading hyphen
  Example: logon server01 -"Account Logon"
  Details: logon server01 -"Account Logon" matches entries that contain the words Logon and server01 anywhere but do not contain the exact phrase Account Logon in any attribute

Meaning: Meet one of the specified terms (or sets of terms)
  Syntax: Terms (single words or phrases) separated by the OR operator; this operator has the following specifics:
    • It is case-sensitive: it must always be specified as OR
    • It denotes a choice between everything to the left of it and everything to the right of it
    • You can use multiple OR operators in a query; the boundary of an OR clause is the beginning of the query, the end of the query, or another OR
  Examples:
    • paul john OR thomas
    • -"logon/logoff" server01 OR stjohn
  Details:
    • paul john OR thomas matches entries that contain either both John and Paul, or Thomas anywhere
    • -"logon/logoff" server01 OR stjohn matches either entries without the phrase Logon/Logoff that contain server01, or entries with stjohn (no matter whether they contain the phrase Logon/Logoff)

Meaning: Explicitly mark an AND operation for visual clarity
  Syntax: Terms (single words or phrases) separated by the AND operator; this operator has the following specifics:
    • It is case-sensitive: it must always be specified as AND
    • It can be omitted wherever it occurs
  Examples:
    • paul AND john
    • paul john
  Details: paul AND john and paul john are identical in meaning: look for entries where both paul and john occur.

Meaning: Group and nest terms for logical operations on them
  Syntax: Parentheses enclosing the terms you want to group
  Example: (homer marge) OR (peter lois)
  Details: (homer marge) OR (peter lois) matches either entries with both homer and marge, or entries with both peter and lois. It does not match entries with both peter and homer that do not contain lois or marge.

Searching in Specific Attributes

To apply your search term only to a particular attribute, prefix the term with the attribute name followed by a colon (:) or an equals sign (=), as shown in the table below. If the attribute name is made up of multiple words, enclose it in brackets (as in [log name]:security). All the syntax conventions described above also apply.

The following distinction is important:

  • Labels unambiguously mapped to entry attributes; for example, Path:"Documents and Settings" in file access entries
    In this case, the search involves the specified field and uses the Contains operator.
  • Labels mapped to different attributes in different contexts (known as normalized attributes); for example, Where:primrose would mean the primrose domain for users or groups, the primrose computer for files or shares, and so on
    In this case, the search involves the associated fields as necessary and may even modify the search terms.

For details about the meanings of labels in particular contexts, see Normalized Attributes below.

Note: When you look for permission information, you can use the Who, What and Owner attributes as follows:

  • With regard to files, Who means the account that has permissions.
  • Use What to specify the permission.
  • Owner is not a real permission, but you can use it (as in What:Owner) to find the owner of a file.

Meaning: Attribute contains term
  Examples:
    • user:stjohn
    • description:"Special privileges assigned"
  Details:
    • user:stjohn matches entries where the User attribute contains the word stjohn
    • description:"Special privileges assigned" matches entries where the Description attribute contains the exact phrase Special privileges assigned

Meaning: Attribute does not contain term
  Examples:
    • -user:john*
    • -description:"Special privileges assigned"
    • -[log name]:"Directory Service"
  Details:
    • -user:john* matches entries where the User attribute does not contain the words john or johnson
    • -description:"Special privileges assigned" matches entries where the Description attribute does not contain the exact phrase Special privileges assigned
    • -[log name]:"Directory Service" matches entries where the Log Name attribute does not contain the exact phrase Directory Service

Meaning: Attribute equals term
  Examples:
    • computer=server01.example.com
    • description="An account was successfully logged on."
  Details:
    • computer=server01.example.com matches entries where the contents of the Computer attribute are exactly server01.example.com
    • description="An account was successfully logged on." matches entries where the contents of the Description attribute are exactly An account was successfully logged on.

Meaning: Attribute does not equal term
  Examples:
    • -computer=server01.example.com
    • -description="An account was successfully logged on."
  Details:
    • -computer=server01.example.com matches entries where the contents of the Computer attribute are different from server01.example.com
    • -description="An account was successfully logged on." matches entries where the contents of the Description attribute are different from An account was successfully logged on.
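The term syntax in the Single-Word Terms, Term Combinations and Searching in Specific Attributes tables above can be exercised with the following small evaluator. It is an added example written for this guide, not code from IT Security Search, and it models only the behaviour those tables state: word-level Contains matching, a trailing asterisk as a prefix wildcard, quoted phrases, the leading hyphen for negation, attribute prefixes with : and = (including bracketed multi-word names), the case-sensitive OR and optional AND operators, and parentheses. The entries it searches are constructed sample records; the unquoted-path behaviour it shows is the one the Notes above warn about.

```python
import re

# One term: optional leading '-', optional attribute prefix ([multi word] or word) followed by
# ':' (contains) or '=' (equals), then a quoted phrase or a bare word; parentheses are tokens.
TERM_RE = re.compile(r'(?P<neg>-?)(?:(?P<attr>\[[^\]]+\]|[^\s()"\[\]:=\-][^\s()":=]*)(?P<op>[:=]))?'
                     r'(?P<val>"[^"]*"|[^\s()"]+)')
TOKEN_RE = re.compile(r'\(|\)|' + TERM_RE.pattern)


def value_matcher(val, op):
    """Predicate over one attribute value for a contains (:) or equals (=) term."""
    quoted = len(val) > 1 and val[0] == val[-1] == '"'
    text = val[1:-1] if quoted else val
    if op == "=":                               # whole value must be identical (case-insensitive)
        return lambda s: s.lower() == text.lower()
    if quoted:                                  # exact phrase anywhere; '*' is an ordinary character
        return lambda s: text.lower() in s.lower()
    tail = "" if text.endswith("*") else r"\b"  # trailing asterisk: words starting with the term
    pat = re.compile(r"\b" + re.escape(text.rstrip("*")) + tail, re.I)
    return lambda s: pat.search(s) is not None


def term_matcher(tok):
    m = TERM_RE.fullmatch(tok)
    pred = value_matcher(m.group("val"), m.group("op") or ":")
    if m.group("attr"):                         # one attribute only, e.g. [log name]:security
        name = m.group("attr").strip("[]").lower()
        hit = lambda e: pred(e.get(name, ""))
    else:                                       # full-text: any attribute may contain the term
        hit = lambda e: any(pred(v) for v in e.values())
    return (lambda e: not hit(e)) if m.group("neg") else hit


def parse_expr(toks):                           # expr := conj (OR conj)*; OR binds loosest
    alts = [parse_conj(toks)]
    while toks and toks[0] == "OR":             # operator is case-sensitive: "or" is a term
        toks.pop(0)
        alts.append(parse_conj(toks))
    return lambda e: any(a(e) for a in alts)


def parse_conj(toks):                           # conj := unit (AND? unit)*; AND is optional
    parts = []
    while toks and toks[0] not in (")", "OR"):
        tok = toks.pop(0)
        if tok == "(":                          # parenthesised group: nested expression
            parts.append(parse_expr(toks))
            if not toks or toks.pop(0) != ")":
                raise ValueError("unbalanced parentheses")
        elif tok != "AND":
            parts.append(term_matcher(tok))
    return lambda e: all(p(e) for p in parts)


# Constructed sample entries (not product data); attribute names are lower-cased keys.
ENTRIES = [
    {"user": "stjohn", "description": "Special privileges assigned to new logon",
     "computer": "server01.example.com", "log name": "Security"},
    {"user": "Johnson", "description": "An account was successfully logged on.",
     "computer": "server02.example.com", "log name": "Directory Service"},
    {"user": "John Paul", "description": "Account Logon", "computer": "server01.example.com",
     "log name": "Security", "path": r"C:\Windows\System32"},
]


def search(query, entries=ENTRIES):
    """Return the 'user' value of every entry the query matches, in input order."""
    match = parse_expr([t.group(0) for t in TOKEN_RE.finditer(query)])
    return [e["user"] for e in entries if match(e)]
```

Normalized attributes, the leading-asterisk restriction and the product's result limits are not modelled; an unquoted C:\Windows is parsed as attribute C containing \Windows, which is why the Notes say to quote paths.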

Filter Syntax

Select one of the operators (explained in the following table), and enter your filter terms.

Operator: Contains
  Syntax: [FieldName]:<Value>
  Example: Name:Paul
  Meaning: The attribute contains all of the specified terms at once in any combination

Operator: Does not contain
  Syntax: -[FieldName]:<Value>
  Example: -Name:John
  Meaning: The attribute contains none of the specified terms anywhere

Operator: Equals
  Syntax: [FieldName]=<Value>
  Example: Name="John Paul"
  Meaning: The attribute contents are identical to the specified phrase; do not enclose the phrase in quotation marks for this operator

Operator: Does not equal
  Syntax: -[FieldName]=<Value>
  Example: -SamAccountName=jpaul
  Meaning: The attribute contents are not identical to the specified phrase; do not enclose the phrase in quotation marks for this operator

The following search syntax rules, described above, also apply to filter terms:

  • Terms are case-insensitive.
  • The term can be a single word, multiple words, or a phrase in quotation marks.
  • In single-word terms, a trailing asterisk is treated as a wildcard character.
  • In exact phrases, an asterisk is treated as a regular character.

Note: Asterisk wildcards in an initial position are currently not supported for events provided by InTrust and Recovery Manager for Active Directory. This limitation does not apply to data provided by Change Auditor and Enterprise Reporter.

Normalized Attributes

The following table shows what attributes are involved in searches that use the Who, What and Where labels. Active Directory attributes are bolded. Information about events is not included, because Who, What and Where are mapped directly to the same-name fields in InTrust and Change Auditor events.

Context: Users
  Who: SAMAccountName, DisplayName, AccountSid, DistinguishedName
  What: N/A
  Where: DomainName

Context: Groups
  Who: User information, User account information, ManagedByFullName, ManagedByDisplayName
  What: N/A
  Where: DomainName

Context: Computers
  Who: ManagedByFullName, ManagedByDisplayName
  What: N/A
  Where: ComputerName, NetBiosName

Context: Shares
  Who: User information
  What: N/A
  Where: ComputerName

Context: Files
  Who: Permission information
  What: Permission information
  Where: ComputerName

Specifics of Recovery Manager for Active Directory Data

Recovery Manager for Active Directory provides data about users, groups, computers and organizational units, including those that have been deleted. Searching within that data should be approached in special ways.

One drawback is that full-text search does not work in Recovery Manager for Active Directory. Generally, it is recommended that you complement this data with results from Enterprise Reporter, if possible.

Searching by Distinguished Name

In all attributes that contain distinguished names, such as distinguishedName or manager, only the "equals" operator is used, meaning that the value must match exactly. For example, if the manager attribute of a user is "CN=David Shore,OU=Employees,DC=it,DC=example,DC=corp", then the following happens:

  • These queries match the user:
    Manager:"CN=David Shore,OU=Employees,DC=it,DC=example,DC=corp"
    Manager="CN=David Shore,OU=Employees,DC=it,DC=example,DC=corp"
  • These queries do not match the user:
    Manager:"CN=David Shore"
    Manager="CN=David Shore"

Searching for Deleted Objects

When Active Directory objects are deleted, they are actually moved to the Deleted Objects container; some of their attributes are cleared and some are changed, including the name. These tips will help you compose queries that produce the expected results for deleted objects:

  • The name attribute undergoes the following change: <object_name> becomes <object_name>\0ADEL<object_GUID>. If you are aware of this pattern, you can look for deleted objects specifically.
  • The samAccountName attribute remains unchanged in deleted users, computers and groups.
  • In computers, the dnsHostName attribute also remains unchanged.

Searching Without Specifying Fields

When you supply a search term without prefixing a field name, IT Security Search adds the field name for you, as follows:

Object type: User or group
  Field: aNR
  Examples:
    • "Alan Smithee" becomes aNR:"Alan Smithee"
    • "Alan Smithee*" becomes aNR:"Alan Smithee" (wildcards are not supported by Recovery Manager for Active Directory)

Object type: Computer or OU
  Field: name
  Examples:
    • primrose.domain.local becomes name:primrose.domain.local
    • Directors* becomes name:Directors (wildcards are not supported by Recovery Manager for Active Directory)

It is recommended that you specify the target fields explicitly and use the fields suggested in Searching for Deleted Objects above.

Specifics of Enterprise Reporter Data

Data from Enterprise Reporter contains information about permission assignments, and you can get this information by using the Assignment field in your search queries. This field accepts the following values: Direct, Indirect and All. Example: Assignment=All. If the Assignment field is omitted, its value is assumed to be Direct.

If you use the Assignment field in a query, permissions are analyzed for the objects indicated by the Who field.

Caution: In queries about permission assignments, the value of the Who field must be in domain\user format, where the domain name is a NetBIOS name.

Using the PermissionsForFile keyword also gives you permission assignment data from Enterprise Reporter. This keyword requires that you specify a nested search query enclosed in double quotes; the inner query must use single quotes. Example:

PermissionsForFile="Where='server1' AND Path='D:\some\important\folder\'"

In the inner query, the What keyword helps specify the kind of permission to search for. Both of the following queries will return users with the Full Control permission:

PermissionsForFile="Where='server1' AND Path='D:\some\important\folder\' AND what:full"

PermissionsForFile="Where='server1' AND Path='D:\some\important\folder\' AND what:'full control'"

The PermissionsForFile keyword can be used in conjunction with other keywords and doesn't have to specify the entire query. The following will return all users called Administrator who have access permissions:

Who:Administrator PermissionsForFile="Where='server1' AND Path='D:\some\important\folder\'"

Searching for Effective Permissions

You can query effective permissions by including What:Effective. For assignments, this option takes effect if you specify Assignment=All or Assignment=Indirect.

If What:Effective is omitted, the results include all files on which both Allow and Deny permissions are set. For example, if a user is a member of a group which is denied access to a particular file, then the file will be in the results, and Access Type will be recognized as Deny. If What:Effective is included, then the results will contain only Allow permissions.

Examples:

Who="ITSS\UserRead" AND Assignment=All AND What:Effective

Who="ITSS\UserRead" AND Assignment=All AND What:Effective AND What:modify

PermissionsForFile="Where='ITSER.LOCAL' AND Path='C:\ImportantShare\Folder1\' What:Effective"

PermissionsForFile="Where='ITSER.LOCAL' AND Path='C:\ImportantShare\Folder1\' What:Effective What:Modify"

Examples

Queries for events:

  • Who:"John Smith"
    Meaning: Activity initiated by user John Smith
  • What:"Group Member" AND "DL.RD"
    Meaning: Who was added to and deleted from group DL.RD
  • Where:"primrose"
    Meaning: Access to computer primrose
  • Workstation:"primrose"
    Meaning: Access from computer primrose

Queries for files and folders:

  • Where:"primrose.mycorp.com" AND "D:\Private\assessment.pdf"
    Meaning: Who accessed the D:\Private\assessment.pdf file
  • Where:"primrose.mycorp.com" AND "D:\Personal\assessment.pdf" AND What:"File Access Rights Changed"
    Meaning: Who granted permissions to the D:\Personal\assessment.pdf file
  • Who:"John Smith" What:Owner
    Meaning: Files and folders owned by user John Smith
  • Who:"John Smith"
    Meaning: Files and folders where user John Smith has permissions
  • Where:"primrose.mycorp.com" AND "C:\_VIDEO"
    Meaning: Files and folders in the _VIDEO share