Chat now with support
Chat with Support

InTrust 11.3 - InTrust Reports

Auditing Exchange Servers

All Events (Based on ChangeAuditor for Exchange Data)

All Exchange-related audit events from Windows event logs

This report requires the InTrust Plug-in for Active Directory Service to be installed on domain controllers. This report contains combined Exchange-related information from the InTrust for Exchange event log, the InTrust for AD event log, and the Application log.

Exchange events statistics (Application log only)

This report shows general Exchange event statistics. You can click a number in the report to view a sub-report with details of the events that the number represents.

Configuration Changes (Based on ChangeAuditor for Exchange Data)

Exchange-related configuration object modifications

This report shows changes to the configuration of the Exchange organization in Active Directory. This report requires ChangeAuditor for Active Directory to be installed on domain controllers.

Logons (Based on Windows Logs)

Administrative logons (Security log only)

This InTrust report shows successful and failed logons of all types by the specified privileged users. By default, only the "Admin" and "Administrator" user names are included. Change the filters to include any other privileged users you need. For failed logons, reasons are displayed. The report uses only Security log events.

Failed logons (Security log only)

This InTrust report shows failed logons of all types. Failure reasons are indicated. The report uses only Security log events.

Multiple failed logons (Security log only)

This InTrust report shows patterns where multiple logon failures occurred in a row, possibly indicating a brute-force attack. Detailed information about the logon failures is provided. The report uses only Security log events. Click a number in the Attempts column to view the details of logon failures in a subreport.

Non-network logons (Security log only)

This InTrust report shows successful and failed logons of all types except 'Network'. For failed logons, reasons are displayed. The report uses only Security log events.

Mailbox Access (Based on ChangeAuditor for Exchange Data)

Store operations

This report shows store operations.

Use of Send privileges

This InTrust report helps you monitor how Send permissions are used. Set the MS Exchange diagnostics logging on the 'Send as' and 'Send on behalf of' on Exchange server to minimum level.

Mailbox Logons (Based on ChangeAuditor for Exchange Data)

Logons (Application log only)

This report shows successful MAPI logons to mailboxes in your Exchange environment. The MAPI protocol is used by clients such as Microsoft Outlook. The report helps you find out who uses which personal or shared mailboxes. This report requires setting the MS Exchange diagnostics logging on the MSExchangeIS at least to minimum level on Exchange server.

Permission Changes (Based on ChangeAuditor for Exchange Data)

Delegate management - brief

This report provides information about delegate assignment, including delegate creation, delegate removal, and changes to permissions granted to delegates via Microsoft Outlook.

Delegate management - detailed

This report provides information about delegate assignment, including delegate creation, delegate removal, and changes to permissions granted to delegates.

Folder permission changes - brief

This report shows changes to folder permissions in mailboxes (client permissions changes). The report contains old permissions value and new permission value.

Mailbox permission changes

This report shows details about changes to user mailbox security settings. The report displays Access Control Entries that were added, deleted, or modified in the ACL of the mailbox. The report helps identity which permissions on which mailboxes were granted to or revoked from which accounts. This report requires ChangeAuditor for Active Directory to be installed on domain controllers.

Public folder permission changes

This report shows Folder Permission changes.

Protection Group Configuration (Based on ChangeAuditor for Exchange Data)

Protection group object modifications

This report shows changes to the configuration of the Exchange organization in Active Directory. This report requires ChangeAuditor for Active Directory to be installed on domain controllers.

Summary (Based on ChangeAuditor for Exchange Data)

Mailbox access

This report shows a color-coded summary of all mailbox access events that occurred in your environment. The baseline is configured in a report parameter. From each section you can drill down to a list of changes associated with the selected number. Comparing the actual number within a particular category with the specified baseline can help detect abnormal administrative activity, discover violations, and improve procedures established in the environment.

Mailbox permissions

This report shows a color-coded summary of all mailbox permissions changes events that occurred in your environment. The baseline is configured in a report parameter. From each section you can drill down to a list of changes associated with the selected number. Comparing the actual number within a particular category with the specified baseline can help detect abnormal administrative activity, discover violations, and improve procedures established in the environment.

Protected groups

This report shows a color-coded summary of all protected groups changes events that occurred in your environment. The baseline is configured in a report parameter. From each section you can drill down to a list of changes associated with the selected number. Comparing the actual number within a particular category with the specified baseline can help detect abnormal administrative activity, discover violations, and improve procedures established in the environment.

Auditing File Servers

Recent Content Operations (Based on ChangeAuditor for File Servers Data)

Shadow copy modifications

This InTrust report shows details about actions preformed with shadow copies. Report contains information about create, delete and rollback actions.

Activity Research (Based on ChangeAuditor for File Servers Data)

Content Activity Research

This InTrust report shows who gained what type of access to files and folders that ChangeAuditor for Windows File Servers monitors. Data in the report is grouped by file server.

User Activity Research

This InTrust report shows who gained what type of access to files and folders that ChangeAuditor for Windows File Servers monitors. Data in the report is grouped by user, then by file server.

Content Usage Statistics (Based on ChangeAuditor for File Servers Data)

Most accessed objects

This InTrust report shows files and folders for which the largest number of access attempts occurred. The time of the last access attempt is included.

Most active content users

This InTrust report shows statistics for users who access monitored files and folders most actively. The time of the last access attempt is included.

Most modified objects

This InTrust report shows files and folders which were modified the most times. The time of the last modification and the user responsible are displayed.

Objects with most failed access attempts

This InTrust report shows files and folders for which the largest number of failed access attempts occurred.

Top active users per operation

This InTrust report shows statistics for users who access monitored files and folders most actively. The time of the last access attempt is included. Access attempts are grouped by operation.

Users with most failed access attempts

This InTrust report shows users with the largest number of failed attempts to access files and folders that ChangeAuditor for Windows File Servers monitors. The time of the last failed access attempt is included.

EMC Events (Based on ChangeAuditor for File Servers Data)

All ChangeAuditor for EMC events by action

This report shows all events from ChangeAuditor for EMC log

All ChangeAuditor for EMC events by IP address

This report shows all events from ChangeAuditor for EMC log

Logons (Based on Windows Logs)

Administrative logons (Security log only)

This InTrust report shows successful and failed logons of all types by the specified privileged users. By default, only the "Admin" and "Administrator" user names are included. Change the filters to include any other privileged users you need. For failed logons, reasons are displayed. The report uses only Security log events.

Failed logons (Security log only)

This InTrust report shows failed logons of all types. Failure reasons are indicated. The report uses only Security log events.

Multiple failed logons (Security log only)

This InTrust report shows patterns where multiple logon failures occurred in a row, possibly indicating a brute-force attack. Detailed information about the logon failures is provided. The report uses only Security log events. Click a number in the Attempts column to view the details of logon failures in a subreport.

Non-network logons (Security log only)

This InTrust report shows successful and failed logons of all types except 'Network'. For failed logons, reasons are displayed. The report uses only Security log events.

NetApp Events (Based on ChangeAuditor for File Servers Data)

All ChangeAuditor for NetApp events by action

This report shows all events from Change Auditor for NetApp log

All ChangeAuditor for NetApp events by IP address

This report shows all events from Change Auditor for NetApp log

Recent Share Operations (Based on ChangeAuditor for File Servers Data)

Recent share operations

This InTrust report shows who and when recently changed shares.

Auditing Workstations

Activity on Workstations (Based on Windows Logs)

Concurrent user logon sessions

This report displays user logon sessions from different computers that overlapped in time. The report uses advanced logon events generate

d by InTrust agents.

Local audit policy changes

This InTrust report shows audit policy changes. Audit policy should be modified by administrative accounts only; otherwise these changes can indicate a security breach. Failure of the administrator to duly perform audit policy management tasks may lead to security violations.

Local group management

This InTrust report shows local group changes. Groups should be created, deleted, or changed by administrators. If the administrator fails to duly perform group management tasks, this may lead to user rights misrule and security violations.

Local group membership management

This InTrust report shows local group membership changes. User accounts should be added to or removed from groups by administrators. If the administrator fails to duly perform group membership management tasks, this may lead to user rights misrule and security violations.

Local user account management

This InTrust report shows changes to local user accounts. User accounts should be created, deleted, enabled, or disabled by administrators. If the administrator fails to duly perform account management tasks, this may lead to account misrule and even security violations.

Logons to workstations

This InTrust report shows successful and failed logons of all types. For failed logons, reasons are displayed. This helps analyze who tried to log on to which computers from which workstations.

Removable media attach-detach by workstation

For correct results, this report relies on the "Workstations: Removable devices attached/detached" real-time monitoring policy and real-time monitoring rules from "Use of removable media" folder.

User account lockouts and unlocks by workstation

This InTrust report shows user account locked out and unlocked. A user account can be locked in accordance with the Account Lockout Policy (as a rule, after an incorrect password is entered several times in a row). Such a situation may mean password-guessing, especially if an administrative account gets locked. Click a user account in the report to view its details.

User logon session duration by day

For each interactive logon session this report shows its start and termination time and how long it lasted. The report uses advanced logon events generated by InTrust agents.

Workstation process tracking

This InTrust report shows whether the applications you specify were started. If an application is prohibited, its launch may indicate a security issue. What is more, running restricted software often means corporate policy violations.

Workstation registry access

This InTrust report shows attempts to access registry keys. Access to some registry keys (particularly the startup keys) may be unwarranted.

Workstation registry value modifications (Windows Vista and later)

This InTrust report shows modifications of the registry values on Windows Vista (and later) machines. The report is based on EventID=4657. Note: Some value changes cannot be displayed due to specific data type.

Workstation software installation

This InTrust report helps track what software products are installed or failed to install on which computers. The report shows only those products whose setup programs use Windows Installer. Using the Grouping filter, you can organize the information as necessary. To see what software was installed on particular computers, use grouping by computer. To find out where certain software products were installed, use grouping by software product.

Logons (Based on Windows Logs)

Administrative logons (Security log only)

This InTrust report shows successful and failed logons of all types by the specified privileged users. By default, only the "Admin" and "Administrator" user names are included. Change the filters to include any other privileged users you need. For failed logons, reasons are displayed. The report uses only Security log events.

Failed logons (Security log only)

This InTrust report shows failed logons of all types. Failure reasons are indicated. The report uses only Security log events.

Multiple failed logons (Security log only)

This InTrust report shows patterns where multiple logon failures occurred in a row, possibly indicating a brute-force attack. Detailed information about the logon failures is provided. The report uses only Security log events. Click a number in the Attempts column to view the details of logon failures in a subreport.

Non-network logons (Security log only)

This InTrust report shows successful and failed logons of all types except 'Network'. For failed logons, reasons are displayed. The report uses only Security

Report for Microsoft Excel

This section contains a list of reports included in the InTrust 11.3 Knowledge Pack for Microsoft Excel.

These reports are based on data from log.

Microsoft Excel

Changes in Excel files

This InTrust report shows Excel file changes logged by the excelTrackChangesCollector.exe utility, which is provided as part of the InTrust Knowledge Pack for Microsoft Excel.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating