Active Roles Data Fields
The following are lists of fields that occur in Active Roles data, organized by type of returned object. All of these fields are available in the IT Security Search web UI as clickable elements. You can also type any of these fields in your search queries.
|
Field Name |
Example Value |
Details |
|---|---|---|
|
AR_ClientComputerName |
ITSEARCHTEST3 |
Host with Active Roles client software |
|
AR_ClientVersion_Build |
2 |
Version build number of Active Roles client software |
|
AR_ClientVersion_Major |
7 |
Version major number of Active Roles client software |
|
AR_ClientVersion_Minor |
1 |
Version minor number of Active Roles client software |
|
AR_ClientVersion_Revision |
3406 |
Revision of Active Roles client software |
|
AR_Server |
arsit |
Active Roles Server host |
|
Attribute_* |
New description1 |
New value of attribute |
|
ChangedAttributes |
description,streetAddress |
List of attributes |
|
Completed |
2017-05-04T07:18:57.9741631Z |
Timestamp of operation when that was completed |
|
Control_OperationReason |
Reason for modification |
Reason of operation |
|
Description |
Modified attributes: |
Description of event |
|
ID |
1-107540 |
ID of operation |
|
Initiated |
2017-05-04T07:18:57.9116595Z |
Timestamp of operation when that was initiated |
|
Initiator_DN |
CN=Zakhar Shkonda, |
DN of initiator |
|
Initiator_Guid |
b58c2906-ad0b-4682- |
GUID of initiator |
|
Initiator_Host |
ARSIT.it.sales.mycompany |
Host of Initiator |
|
Initiator_IsDSAdmin |
True |
True if initiator is DS administrator |
|
Initiator_NTAccountName |
IT\zs |
NT Account name of initiator |
|
Initiator_ObjectClass |
user |
Class of initiator |
|
Initiator_Sid |
S-1-5-21-4039273466- |
SID of initiator |
|
Initiator_Site |
Default-First-Site-Name |
Site of initiator |
|
Log |
Active Roles |
Log name |
|
Logon_Site |
Default-First-Site-Name |
Same as Initiator_Site |
|
Operation_GUID |
9b3c5524-065d-418a-9511- |
GUID of operation |
|
Operation_Type |
Delete |
Type of operation |
|
Operation_TypeID |
1 |
Type ID of operation |
|
Reason |
Reason for modification |
Same as Control_OperationReason |
|
RelatedOU |
it.sales.mycompany/AutotestOU/ARS/FIT2711055222_0E7C |
Same as TargetObject_OUCanonical |
|
Result |
Completed |
Same as Status |
|
Status |
Completed |
Operation status |
|
StatusID |
1 |
Operation status ID |
|
TargetObject_DN |
CN=ArsCHUser1_0E7C, |
DN of target object |
|
TargetObject_Guid |
b6a8b5d0-e003-4421- |
GUID of target object |
|
TargetObject_NTAccountName |
IT\ArsCHUser1_0E7C |
NT Account name of target object |
|
TargetObject_ObjectClass |
user |
Class of target object |
|
TargetObject_OUCanonical |
it.mycompany.com/AutotestOU/ARS/FIT2711055222_0E7C |
Canonical name of object's OU |
|
TargetObject_Sid |
S-1-5-21-4039273466- |
SID of target object |
|
TargetObject_SimpleName |
ArsCHUser1_0E7C |
Name of target object |
|
What |
Delete |
Same as Operation_Type |
|
When |
2017-05-10T08:38:58.0000000Z |
Same as Completed |
|
Where |
dc2.it.sales.mycompany |
Host where this operation was performed |
|
Who |
IT\zs |
Same as Initiator_NTAccountName |
|
Who_DN |
CN=Caroline Abbage, |
Same as Initiator_DN |
|
Who_Guid |
b58c2906-ad0b-4682- |
Same as Initiator_Guid |
|
Who_IsDSAdmin |
True |
Initiator_IsDSAdmin |
|
Who_ObjectClass |
user |
Same as Initiator_ObjectClass |
|
Who_Sid |
S-1-5-21-4039273466- |
Same as Initiator_Sid |
|
WhoId |
S-1-5-21-4039273466- |
Same as Initiator_Sid |
|
Whom |
ArsTestDynamicGroup_CB79 |
Same as TargetObject_SimpleName |
|
Whom_DN |
CN=ArsTestTemporalGroup_CB79, |
Same as TargetObject_DN |
|
Whom_Guid |
eff86e4b-7800-44ce- |
Same as TargetObject_Guid |
|
Whom_NTAccountName |
IT\ArsCHUser1_0E7C |
Same as TargetObject_NTAccountName |
|
Whom_ObjectClass |
Groups |
Same as TargetObject_ObjectClass |
|
Whom_Sid |
S-1-5-21-4039273466- |
Same as TargetObject_Sid |
|
WhomId |
CN=ArsTestDynamicGroup_CB79, |
Same as TargetObject_DN |
|
WhomSimple |
ArsTestDynamicGroup_CB79 |
Same as TargetObject_SimpleName |
|
Workstation |
ARSIT.it.sales.mycompany |
Same as Initiator_Host |
Recovery Manager for Active Directory Data Fields
The following are lists of fields that occur in Recovery Manager for Active Directory data, organized by type of returned object.
|
NOTE: The In UI column indicates if the field is available in the IT Security Search web UI as a clickable element. Whether or not you can click it in the UI, you can type any of these fields in your search queries. |
Computers
|
Field Name |
In UI |
Example Value |
Details |
|---|---|---|---|
|
AccountSid |
Yes |
S-1-5-21-4039273466- 3631535243-455089366-89812 |
Computer account SID |
|
Description |
Yes |
Storage Server |
Description of computer |
|
DistinguishedName |
No |
CD=DC1, |
Computer account distinguished name; search by full value only |
|
DNSHostName |
Yes |
DC1.it.sales.mycompany |
DNS host name |
|
Location |
Yes |
Houston |
Location of computer |
|
ManagedBy |
No |
CN=Caroline Abbage, |
Same as ManagedByFullName |
|
ManagedByFullName |
No |
CN=Caroline Abbage, |
Distinguished name of manager of the computer account; search by full value only |
|
Name |
Yes |
DC1 |
Same as NetBiosName |
|
NetBiosName |
Yes |
DC1 |
NetBIOS name of computer |
|
NumLogons |
Yes |
12656 |
Logon count |
|
ObjectCategory |
Yes |
computer |
Object class = computer |
|
ObjectGUID |
No |
ddd94ab4-5de6-4696- a93c-433cf9827c28 |
Object GUID of computer account |
|
OSName |
Yes |
Windows Server 2008 R2 Enterprise |
OS name |
|
OSServicePack |
Yes |
Service Pack 1 |
OS service pack |
|
OSVersion |
Yes |
6.1 (7601) |
OS version |
|
Where |
Yes |
DC1 |
Same as NetBiosName |
|
Who |
Yes |
CN=Caroline Abbage, |
Same as ManagedByFullName |
Groups
|
Field Name |
In UI |
Example Value |
Details |
|---|---|---|---|
|
CN |
Yes |
Users |
Common name of group |
|
Description |
Yes |
Houston internal group for notification |
Description of group |
|
DisplayName |
Yes |
Users |
Display name of group |
|
DistinguishedName |
No |
CN=MCDL.RD.Notification, OU=RD, OU=Groups, DC=it, DC=sales, DC=mycompany |
Distinguished name of group;. search by full value only |
|
|
Yes |
MCDL.RD.Notification@it.sales.mycompany |
Email address of group |
|
GroupType |
No |
-2147483640 |
Integer value of bitmask that contains information about group type and scope; search by full value only (more details at https://msdn.microsoft.com/en-us/library/ms675935.aspx) |
|
HomePage |
Yes |
http://homepage |
Home page of group |
|
Info |
Yes |
Some info |
Additional information about group |
|
ManagedBy |
No |
CN=Caroline Abbage, OU=Employees, DC=it, DC=sales, DC=mycompany |
Same as ManagedByFullName |
|
ManagedByFullName |
Yes |
CN=Caroline Abbage, OU=Employees, DC=it, DC=sales, DC=mycompany |
Distinguished name of manager of the group; search by full value only |
|
Name |
Yes |
Users |
Name of group |
|
ObjectCategory |
Yes |
group |
Object class = group |
|
ObjectGUID |
No |
80b090a2-968f-42e6- bc76-6e2505f43759 |
GUID of group object |
|
SAMAccountName |
Yes |
Users |
SAMAccount name of group |
|
Url |
Yes |
http://groupname |
URL of group |
|
Who |
Yes |
CN=Caroline Abbage, OU=Employees, DC=it, DC=sales, DC=mycompany |
Same as ManagedByFullName |
OUs
|
Field Name |
In UI |
Example Value |
Details |
|---|---|---|---|
|
Description |
Yes |
Default container for Defender objects |
Description of OU |
|
DistinguishedName |
No |
OU=BestEmployees, DC=it, DC=sales, DC=mycompany |
Distinguished name of group; search by full value only |
|
ManagedBy |
No |
CN=Clive Herry, OU=mgmt, OU=TestUsers, DC=it, DC=sales, DC=mycompany |
Same as ManagedByFullName |
|
ManagedByFullName |
Yes |
CN=Clive Herry, OU=mgmt, OU=TestUsers, DC=it, DC=sales, DC=mycompany |
Distinguished name of manager of the OU; search by full value only |
|
Name |
Yes |
Users |
Name of OU |
|
ObjectCategory |
Yes |
organizationalUnit |
Object class = organizationalUnit or container |
|
ObjectGUID |
No |
675205fb-4d29-44b6- 9284-69e867689f38 |
GUID of OU |
|
USNChanged |
No |
9296605 |
USN-Changed attribute of OU; search by full value only |
Users
|
Field Name |
In UI |
Example Value |
Details |
|---|---|---|---|
|
AccountSid |
No |
S-1-5-21-4039273466- |
User SID; search by full value only |
|
Company |
Yes |
MyCompany |
Company name |
|
Country |
Yes |
United States |
Country name |
|
Department |
Yes |
Sales |
Department name |
|
DisplayName |
No |
Caroline Abbage |
User display name |
|
DistinguishedName |
No |
CN=Caroline Abbage, OU=Employees, DC=it, DC=sales, DC=mycompany |
User distinguished name; search by full value only |
|
EmailAddress |
Yes |
Caroline.Abbage@sales.mycompany.com |
Email address |
|
HomePhoneNumber |
Yes |
+1 410 531 0638 |
Home telephone number |
|
ManagedBy |
No |
CN=Caroline Abbage, OU=Employees, DC=it, DC=sales, DC=mycompany |
Same as ManagedByFullName |
|
ManagedByFullName |
No |
CN=Caroline Abbage, OU=Employees, DC=it, DC=sales, DC=mycompany |
Distinguished name of manager of user; search by full value only |
|
Mobile |
Yes |
+ 911 9 769 8889 |
Mobile phone number |
|
Name |
Yes |
Caroline Abbage |
User name |
|
ObjectCategory |
Yes |
user |
Object class = user |
|
ObjectGUID |
No |
861205fb-4d29-44b6- |
User object GUID; search by full value only |
|
Office |
Yes |
Ludlow st. 80, suite 200 |
Physical delivery office name |
|
SAMAccountName |
Yes |
jcdenton |
SAMAccountName of user |
|
StreetAddress |
Yes |
Ludlow st. 80 |
Street address |
|
TelephoneNumber |
Yes |
+ 123 4 567 8900 |
Telephone number |
|
Title |
Yes |
Mgr, Sales |
User job title |
|
USNChanged |
No |
9296605 |
USN-Changed attribute of user; search by full value only |
|
Who |
No |
Administrator |
Search in the following attributes: SAMAccountName, DisplayName, AccountSid, DistinguishedName |
Saving Searches and Running Saved Searches
You can save any search for later reuse. Any IT Security Search operator or administrator can save searches and run saved searches, but only administrators can make them public for shared use.
Saving Searches
To save a search, click the drop-down icon at the left edge of the search box and click Save Current Search. Proceed to configure your search in the popup that appears:
- Give the search a meaningful name.
- Add tags so that users can easily find the search by category.
- Select which parameters you want to make customizable, if necessary.
All field names that occur in your search string are listed. Select the check boxes next to the ones that you want to make customizable. Whenever this saved search is used in the future, it will prompt for the values of all of the fields you select.
|
|
For example, Domain:{{Domain}} will make IT Security Search prompt you for the value of the Domain field, labeled "Domain"; Domain:{{Active Directory Domain}} will also prompt you for the value of Domain, but the label will be "Active Directory Domain". You can manually construct search strings that include this syntax, without using the field selector. This helps you provide descriptive labels for parameters. |
- Specify the time period that the search must cover.
For that, select one of the options at the right edge of the search box. These times are relative to the moment the saved search is run.
When you have configured these options, click Save.
Running a Saved Search
To run an existing saved search, click the drop-down icon at the left edge of the search box; the available saved searches are listed at the bottom of the popup that appears. You can filter the list by clicking tag buttons in the Saved Search Categories drop-down.
Making a Saved Search Public or Private
You can publish a search to make it available to all operators only if you are an IT Security Search administrator.
In the saved search list, the items have a lock icon showing their state. A private search has a closed lock icon; click the icon to make it public. A public search has an open lock icon; click the icon to make it private.
Deleting a Saved Search
To delete a saved search, highlight it in the saved search list and click the cross icon.
Use Scenarios
The following examples explain how IT Security Search tools can be applied in practice to real-life situations.
Finding and Examining a User
To find events where a particular user is somehow involved (as the doer or as a subject), run a search for any of the variety of names that identify the user in the environment. You can supply the first name, last name, full name, logon name and so on.
The results of your search put the most relevant matching users at the top of the list. If there are too many matches, refine the results using facets.
From a different perspective, if you need to find a user whose name you are not sure about but whose manager's name you remember, try searching for the manager's name, then opening the details of the manager's user account and finding the user you are looking for among the manager's direct reports.
Understanding Who Did What
A typical use case is tracking the activity that involved a particular object, such as a file, folder, group or user account. You begin by finding this object; this provides a starting point and a context for your session. The next step is to use the links in the object's details view. This is the easiest way to create a context and filter out irrelevant data.
Another option is to start with events directly, especially if you expect to find specific events within a specific period of time. To specify the period, use the date range filter. The graphical timeline in the result grid can help you quickly locate peaks of activity that need closer examination.
Exploring a User's Scope of Access
IT Security Search provides quick access to information about files and folders owned by a user and all permissions assigned to the user; for that, use the Files and folders owned by this user, Files and folders where this user has direct permissions and Files and folders where this user has permissions (both direct and indirect) links in the details view for the user you are interested in.
Conversely, if you start with a particular file or folder, its details contain a table of permissions, which can prompt your further steps.
Tracking Permission Management
You can easily follow permission assignment activity using the Who changed permissions on this file and Who changed permissions on this folder links in the details view of a file or folder, respectively.
Exploring Change History of Active Directory Objects
Object change history is available only if the Recovery Manager for Active Directory connector is enabled. For information about changes to an object, go to the History tab on the object's details page. Only the three most recent states are shown on this tab, with changes that occurred after each of them.
You can restore the object to any of these states by clicking its Restore object to this state link. If the object was changed rather than deleted, you have the option to restore specific modified attributes. If it was deleted, you can only restore it to a full state.
Case Studies
See also the following topics for examples of investigations that IT Security Search can help carry out: