InTrust 11.3.1 - Auditing and Monitoring Microsoft Windows

InTrust Predefined Objects for Windows-Based Computers

InTrust offers a set of predefined objects that help you configure the gathering and monitoring of event data from your Windows-based computers. The following is a list of these objects. For a list of Windows reports, see Report Pack for Windows.

Gathering Policies

  • Windows/AD: Security: All Events
    Defines all Windows/AD security events to be collected to a repository. The most critical security events, such as Failed Logons, Account Management, etc., are also collected into a database for analysis. The policy is intended for gathering on a daily basis.
  • Windows/AD: Security: All Logons
    Defines the Logon events to be collected both to a repository and a database.
  • Windows/AD: Security: Failed Logons
    Defines the Failed Logon events to be collected to both a repository and a database.
  • Windows/AD: Security: Account Management
    Defines the Account Management events to be collected both to a repository and a database.
  • Windows/AD: Security: Policy Changes
    Defines the Policy Changes to be collected both to a repository and a database.
  • Windows/AD: Security: Objects Access
    Defines the Object Access events to be collected both to a repository and a database.
  • Windows/AD: Security: Misc
    Defines all Windows/AD miscellaneous security events to be collected to a repository. The most critical of these, such as Security Subsystem and Audit Subsystem Faults, are also collected into a database for analysis.
  • Windows/AD: DHCP
    Collects all the DHCP events from both the Windows System Log and the DHCP Audit Log to a repository and a database.
  • Windows/AD: Security: Objects Access: Registry Access
    Defines the Registry Access events to be collected both to a repository and a database.
  • Windows/AD: Successful AD Administrator Logons
    Defines the successful AD administrator logon events on domain controllers to be collected both to a repository and a database.
  • Auditing Domain Controllers: Events from DCs
    Defines all events from domain controller logs to be collected to the repository and then imported to an audit database as part of the “Auditing Domain Controllers” best-practice scenario. No filters are applied.
  • Auditing Domain Controllers: Events from DCs for the Last 24 Hours
    Defines all events from domain controller logs to be collected to the repository and then imported to an audit database as part of the “Auditing Domain Controllers” best-practice scenario. All events older than 24 hours are filtered out.
  • Auditing Exchange Servers: Events from Exchange Servers
    Defines all Exchange-related events to be collected to the repository and then imported to an audit database as part of the “Auditing Exchange Servers” best-practice scenario. No filters are applied.
  • Auditing Exchange Servers: Exchange Events for the Last 24 Hours
    Defines all Exchange-related events to be collected to the repository and then imported to an audit database as part of the “Auditing Exchange Servers” best-practice scenario. All events older than 24 hours are filtered out.
  • Auditing File Servers: Events from File Servers
    Defines all file server-related events to be collected to the repository and then imported to an audit database as part of the “Auditing File Servers” best-practice scenario. No filters are applied.
  • Auditing File Servers: File Server Events for the Last 24 Hours
    Defines all file server-related events to be collected to the repository and then imported to an audit database as part of the “Auditing File Servers” best-practice scenario. All events older than 24 hours are filtered out.
  • Auditing Workstations: Events from Workstations
    Defines all events from desktop logs to be collected to the repository and then imported to an audit database as part of the “Auditing Workstations” best-practice scenario. No filters are applied.
  • Auditing Workstations: Events from Workstations for the Last 24 Hours
    Defines all events from desktop logs to be collected to the repository and then imported to an audit database as part of the “Auditing Workstations” best-practice scenario. All events older than 24 hours are filtered out.

Import Policies

  • Windows/AD: Security: All Events
    Defines all Windows/AD security events to be imported to a database for analysis.
  • Windows/AD: Security: All Logons
    Defines the Logon events to be imported to a database.
  • Windows/AD: Security: Failed Logons
    Defines the Failed Logon events to be imported to a database.
  • Windows/AD: Security: Account Management
    Defines the Account Management events to be imported to a database.
  • Windows/AD: Security: Policy Changes
    Defines the Policy Changes to be imported to a database.
  • Windows/AD: Security: Objects Access
    Defines the Object Access events to be imported to a database.
  • Windows/AD: Security: Misc
    Defines the most critical miscellaneous security events, such as Security Subsystem and Audit Subsystem Faults, to be imported to a database for analysis.
  • Windows/AD: DHCP
    Imports the DHCP events from both the Windows System Log and the DHCP Audit Log to a database.
  • Windows/AD: Security: Objects Access: Registry Access
    Defines the Registry Access events to be imported to a database.
  • Windows/AD: Successful AD Administrator Logons
    Defines the successful AD administrator logon events on domain controllers to be imported to a database.
  • Auditing Domain Controllers: Weekly Reporting
    Defines events from the Windows Security, System and Application logs and the InTrust for AD log to be imported to an audit database. Events older than one week are excluded.
  • Auditing Domain Controllers: Daily Reporting
    Defines events from the Windows Security, System and Application logs and the InTrust for AD log to be imported to an audit database. Events older than one day are excluded.
  • Auditing Exchange Servers: Weekly Reporting
    Defines events from the Windows Security, System, Directory Service and Application logs, Exchange tracking log and CA for Exchange log to be imported to an audit database. Events older than one week are excluded.
  • Auditing Exchange Servers: Daily Reporting
    Defines events from the Windows Security, System, Directory Service and Application logs, Exchange tracking log and CA for Exchange log to be imported to an audit database. Events older than one day are excluded.
  • Auditing File Servers: Weekly Reporting
    Defines events from the Windows Security, System, Directory Service and Application logs and CA for file servers log to be imported to an audit database. Events older than one week are excluded.
  • Auditing File Servers: Daily Reporting
    Defines events from the Windows Security, System, Directory Service and Application logs and CA for file servers log to be imported to an audit database. Events older than one day are excluded.
  • Auditing Workstations: Weekly Reporting
    Defines events from the Windows Security, System and Application logs to be imported to an audit database. Events older than one week are excluded.
  • Auditing Workstations: Daily Reporting
    Defines events from the Windows Security, System and Application logs to be imported to an audit database. Events older than one day are excluded.

Jobs

  • All Windows and AD Security Events collection
    Collects all the Windows/AD security events to the default repository. The most critical security events, such as failed logons, are also collected to the default database for analysis.
  • DHCP Events collection
    Collects the DHCP events to the default repository and the default database.
  • Daily Windows and AD Security Events Reporting
    Controls daily reporting of the most critical Windows/AD security events.
  • Notify Security Operators
    Notifies the Security Operators notification group of task completion.
  • InTrust Log Collection
    Collects the InTrust log from all InTrust servers in the organization.
  • Audit Database Cleanup
    Clears all default InTrust audit database contents older than one week.
  • Event Collection
    Gathers all domain controller-related, Exchange-related, or desktop-related events to the default repository.
  • Reports on DCs
    Builds reports as part of the “Auditing Domain Controllers” best-practice scenario.
  • Windows Event Log Reports
    Builds Windows log-based reports as part of the “Auditing Domain Controllers” best-practice scenario.
  • ChangeAuditor for AD Reports
    Builds ChangeAuditor for AD reports as part of the “Auditing Domain Controllers” best-practice scenario.
  • Event Import
    Imports all domain controller-related, Exchange-related, or desktop-related events from the default repository to the default audit database.
  • Reports on Exchange Servers
    Builds reports as part of the “Auditing Exchange Servers” best-practice scenario.
  • CA for Exchange Servers Reports
    Builds CA for Exchange log reports as part of the “Auditing Exchange Servers” best-practice scenario.
  • Reports on Workstations
    Builds reports based on the most common events as part of the “Auditing Workstations” best-practice scenario.
  • Comprehensive Reports on Workstations
    Builds diverse reports as part of the “Auditing Workstations” best-practice scenario.

Tasks

  • Windows and AD Security Daily collection and reporting
    Collects all the Windows/AD security events daily to the default repository. The most critical security events, such as failed logons, are also collected to the default database for analysis.
  • Weekly InTrust Log Collection
    Collects the InTrust log from all InTrust servers in the organization.
  • Auditing Domain Controllers: Daily Gathering
    Gathers all domain controller-related events to the default repository three times a day: about 6 AM, noon and 6 PM. This task is used in the “Auditing Domain Controllers” best-practice scenario when it is set to use a schedule.
  • Daily Audit Database Cleanup
    Clears all default InTrust audit database contents older than one week. This task runs daily and is shared by all best-practice scenarios: “Auditing Domain Controllers”, “Auditing Exchange Servers”, “Auditing File Servers” and “Auditing Workstations”.
  • Auditing Domain Controllers: Ad-Hoc Reporting for the Last 24 Hours
    Gathers domain controller-related events for the last 24 hours, imports them to the default audit database and creates reports as part of the “Auditing Domain Controllers” best-practice scenario.
  • Auditing Domain Controllers: Daily Reporting
    Gathers domain controller-related events for the last 24 hours, imports them to the default audit database and creates reports as part of the “Auditing Domain Controllers” best-practice scenario. This task runs daily.
  • Auditing Domain Controllers: Weekly Reporting
    Gathers domain controller-related events for the last week, imports them to the default audit database and creates reports as part of the “Auditing Domain Controllers” best-practice scenario. This task runs weekly.
  • Auditing Exchange Servers: Daily Gathering
    Gathers all Exchange-related events to the default repository three times a day: about 6 AM, noon and 6 PM. This task is used in the “Auditing Exchange Servers” best-practice scenario when it is set to use a schedule.
  • Auditing Exchange Servers: Ad-Hoc Reporting for the Last 24 Hours
    Gathers Exchange-related events for the last 24 hours, imports them to the default audit database and creates reports as part of the “Auditing Exchange Servers” best-practice scenario.
  • Auditing Exchange Servers: Daily Reporting
    Gathers Exchange-related events for the last 24 hours, imports them to the default audit database and creates reports as part of the “Auditing Exchange Servers” best-practice scenario. This task runs daily.
  • Auditing Exchange Servers: Weekly Reporting
    Gathers Exchange-related events for the last 24 hours, imports them to the default audit database and creates reports as part of the “Auditing Exchange Servers” best-practice scenario. This task runs weekly.
  • Auditing File Servers: Daily Gathering
    Gathers all file server-related events to the default repository three times a day: about 6 AM, noon and 6 PM. This task is used in the “Auditing File Servers” best-practice scenario when it is set to use a schedule.
  • Auditing File Servers: Ad-Hoc Reporting for the Last 24 Hours
    Gathers file server-related events for the last 24 hours, imports them to the default audit database and creates reports as part of the “Auditing File Servers” best-practice scenario.
  • Auditing File Servers: Daily Reporting
    Gathers file server-related events for the last 24 hours, imports them to the default audit database and creates reports as part of the “Auditing File Servers” best-practice scenario. This task runs daily.
  • Auditing File Servers: Weekly Reporting
    Gathers file server-related events for the last 24 hours, imports them to the default audit database and creates reports as part of the “Auditing File Servers” best-practice scenario. This task runs weekly.
  • Auditing Workstations: Daily Gathering
    Gathers all workstation-related events to the default repository three times a day: about 6 AM, noon and 6 PM. This task is used in the “Auditing Workstations” best-practice scenario when it is set to use a schedule.
  • Auditing Workstations: Ad-Hoc Reporting for the Last 24 Hours
    Gathers desktop-related events for the last 24 hours, imports them to the default audit database and creates reports as part of the “Auditing Workstations” best-practice scenario.
  • Auditing Workstations: Daily Reporting
    Gathers desktop-related events for the last 24 hours, imports them to the default audit database and creates reports as part of the “Auditing Workstations” best-practice scenario. This task runs daily.
  • Auditing Workstations: Weekly Reporting
    Gathers desktop-related events for the last 24 hours, imports them to the default audit database and creates reports as part of the “Auditing Workstations” best-practice scenario. This task runs weekly.

Sites

  • All MS Windows NT-based computers in the domain
    All supported Microsoft Windows-based computers in the domain.
  • All Windows servers in the domain
  • All Windows desktops in the domain
  • All DHCP servers in the domain
  • All InTrust servers
  • Auditing Domain Controllers: DCs
  • Auditing Exchange Servers: Exchange Servers
  • Auditing File Servers: File Servers
  • Auditing Workstations: Workstations

Real-Time Monitoring Policies

  • Windows/AD Security: full
    Specifies monitoring of all the security events on all the NT-based computers in the domain.
  • Windows/AD Security: Detecting Common Attacks
    Specifies that only common attacks are to be monitored on all the NT-based computers in the domain.
  • Windows/AD Security: Administrative Activity Monitoring
    Specifies that administrative activity is to be monitored on all the NT-based computers in the domain.
  • InTrust: Tracking Log Monitoring
    Specifies monitoring of critical events from all the InTrust servers in the organization.