InTrust 11.3.2 - InTrust Reports

Administrative Activity

Account Management

Group Management

This InTrust report shows group changes. Groups should be created, deleted, or changed by administrators. If the administrator fails to duly perform group management tasks, this may lead to user rights misrule and security violations.

Group Membership Management

This InTrust report shows group membership changes. User accounts should be added to or removed from groups by administrators. If the administrator fails to duly perform group membership management tasks, this may lead to user rights misrule and security violations.

Password resets

This InTrust report shows when account passwords were reset and who reset them. An entry in the report means that the password was either reset or changed. By default, only user accounts are included, but you can use the User Accounts filter if you want to include computer accounts as well.

User Accounts Management

This InTrust report shows changes to user accounts. User accounts should be created, deleted, enabled, or disabled by administrators. If the administrator fails to duly perform account management tasks, this may lead to account misrule and even security violations.

User rights management

This InTrust report shows changes to user rights. User rights should be assigned or removed by administrators. If the administrator fails to duly perform user rights management tasks, this may lead to user rights misrule and security violations.

Network Management

Computer accounts changes

This InTrust report shows computer account changes. Computer accounts should be created, deleted, renamed, or changed by administrative accounts only. If the administrator fails to duly perform computer account management tasks, this may lead to security violations.

DHCP history

This report summarizes DHCP log data and represents the information as time intervals during which computers have certain IP addresses. If an event specifies the host as localhost or host from localdomain, the actual DNS name is determined by the MAC address. The report helps quickly pinpoint a computer at which certain actions were performed. For correct results, create this report for a single DHCP server or for several DHCP servers that work simultaneously and do not serve overlapping IP address pools.

Domain Trusts Changes

This InTrust report shows domain trust changes. Domain trusts should be added, removed, or modified by administrative accounts only. If the administrator does not duly perform domain trust management tasks, this may lead to security violations.

Policy Changes

Audit Policy Changed

This InTrust report shows audit policy changes. Audit policy should be modified by administrative accounts only; otherwise these changes can indicate a security breach. Failure of the administrator to duly perform audit policy management tasks may lead to security violations.

Kerberos and Domain Policy changed

This InTrust report shows changes to Audit and Kerberos policies.

Forensic Analysis

Detailed Reports

All user activities [details]

This InTrust report shows and expands statistics on security events. Security events capture the activity taking place in the network and show, for example, when and where users log on, what data they access, how they manage accounts, and so on.

Event Log Gaps

This InTrust report shows situations when events are missing from logs for a time period that you specify. For example, if a file server with classified data does not appear to have logged events for an hour, this is suspicious, all the more so if the server is supposed to be up at all times. It is possible that the server was down during that time or the log was cleared. Such a situation does not necessarily mean a problem but should be investigated.

Events related with the specified event [advanced]

This InTrust report helps you analyze the background of an event you are interested in by exploring related events.

Raw data analysis

This InTrust report shows event data from specified event logs of selected computers.

Summary Reports

Account management statistics

This InTrust report shows the number of accounts created, changed, and deleted within a specified time period for such important types of accounts as user accounts, security groups, and distribution groups. It also shows group membership modification for both security and distribution groups.

All user activities [summary]

This InTrust report shows statistics on security events grouped by users and their domains. Security events capture the activity taking place in the network and show, for example, when and where users log on, what data they access, how they manage accounts, and so on. The report is primarily intended for presenting statistics in printed form but, when working interactively, you can click any number to view the details of all events that the number stands for.

Logon Statistics

In the Windows environment, the system registers different logon types depending on what kind of resource a user accesses. This InTrust report shows all logon types, such as interactive logons to domains, access to shared folders, dial-up connections to the network, and so on, and groups logon statistics.

Major Security Events

Event log cleared

This InTrust report shows event log cleared events. Event logs should be cleared only when there is a lack of free space, which rarely occurs. Therefore, instances of event logs being cleared can indicate intruder activity and attempts to cover tracks.

System Time changed

This InTrust report shows occurrences of the System Time Change event. Time synchronization is critical for most network environments. An unauthorized manual time change can cause services, business applications, and the authentication subsystem to function improperly.

User account lock-unlock

This InTrust report shows when user accounts were locked out and unlocked. A user account can be locked in accordance with the Account Lockout Policy (as a rule, after an incorrect password is entered several times in a row). Such a situation may mean password-guessing, especially if an administrative account gets locked. Click a user account in the report to view its details.

Normal User Activity

Logons

Suspicious Logons

Logons during non-business hours

Users do not normally log on to the system during non-working hours. An abnormal number of logons during non-business hours may indicate an intrusion attempt. With this InTrust report, you can examine every attempt in detail to find out who was doing what during the specified time interval.

Logons with built-in account names

This InTrust report shows logons with built-in account names. Almost every system includes a number of built-in accounts (Guest, Administrator, etc.). These accounts are primary targets for intrusions and attacks because their names are well-known. Intensive successful logons using these accounts can indicate an intrusion attempt.

Multiple Logon Failures

Multiple logon failures can indicate a brute-force attack. This InTrust report provides detailed information on logon failures, including the user account, the reason for failure, the logon type, etc. Click a number in the Attempts column to find out details of logon failures in a subreport.

Multiple logons failure [Windows-Kerberos-NTLM]

This InTrust report shows failed logons that came in series. In the report, a series is several logons of the same type from the same computer within the specified time interval. Kerberos, NTLM and Windows events are displayed separately for each domain.

Usual Logons

Account logon events [NTLM]

NT LAN Manager is a traditional password-based authentication protocol for Windows-based networks. This InTrust report displays information on NT LAN Manager audit results.

Active Directory Administrator Logons

This InTrust report documents all logons to domain controllers by users with administrator equivalent user rights.

All logons

This InTrust report shows successful and failed logons of all types. For failed logons, reasons are displayed. This helps analyze who tried to log on to which computers from which workstations.

All logons [with hyperlinks]

This InTrust report shows successful and failed logons of all types. For failed logons, reasons are displayed. This helps analyze who tried to log on to which computers from which workstations.

Domain Account Authentication

This InTrust report is intended to show account logon events on Domain Controllers including both NTLM and Kerberos authentication.

Logon activity trends

This InTrust chart graphically represents logon activity in your network, visualizing, for example, statistics for logons that failed due to different reasons (for example, bad password, disabled user account, etc.). The chart allows you to detect trends in logon activity and analyze anomalies.

Successful Authentication ticket granted

This InTrust report shows successful account logons based on Kerberos events.

Object Access

Active Directory object access [DS logging]

This InTrust report shows Active Directory object access attempts. Access to some types of objects may be unwarranted. The report is based on information from the Directory Service log, and it complements the Active Directory object access report.

Active Directory objects access

This InTrust report shows Active Directory object access attempts. Access to some types of objects may be unwarranted. Such events often indicate changes to the environment, and they need to be tracked. Note: This report is based on object access events from the Security log.

File Access

This InTrust report shows file access attempts. Access to certain files may be unwarranted.

Group Policy Object access

This InTrust report shows Group Policy object access attempts. Access to this type of object may be unwarranted. Such events often indicate changes to the policies, and they need to be tracked. Note: This report is based on object access events from the Security log.

NTFS audit [Windows XP 2003 and later]

This InTrust report helps you analyze the files and folders audit events from the Security log (Windows XP, Windows Server 2003 and later). If files or folders are accessed through network shares rather than locally, the report does not show such situations. Use report filters to precisely find out the information you need.

Registry Access

This InTrust report shows attempts to access registry keys. Access to some registry keys (particularly the startup keys) may be unwarranted.

Registry Value Modifications [Windows 2008 Vista]

This InTrust report shows modifications of registry values on Windows 2008 and Windows Vista machines. The report is based on EventID=4657. Note: Some value changes cannot be displayed because of their data type.

Remote Access

RAS authentication failures

This InTrust report shows situations when a user failed to authenticate with the remote access server. Sometimes this means a failed attempt to gain unauthorized access to resources.
