InTrust 11.4.1 - InTrust Reports

Report Pack for Windows

This section contains a list of reports included in the InTrust 11.4.1 Report Pack for Windows.

Administrative Activity

Account Management

Group Management

This InTrust report shows group changes. Groups should be created, deleted, or changed by administrators. If administrators do not perform group management tasks properly, this may lead to mismanagement of user rights and security violations.

Group Membership Management

This InTrust report shows group membership changes. User accounts should be added to or removed from groups by administrators. If administrators do not perform group membership management tasks properly, this may lead to mismanagement of user rights and security violations.

Password resets

This InTrust report shows when account passwords were reset and who reset them. An entry in the report means that the password was either reset or changed. By default, only user accounts are included, but you can use the User Accounts filter if you want to include computer accounts as well.

User Accounts Management

This InTrust report shows changes to user accounts. User accounts should be created, deleted, enabled, or disabled by administrators. If administrators do not perform account management tasks properly, this may lead to mismanagement of accounts and even security violations.

User rights management

This InTrust report shows changes to user rights. User rights should be assigned or removed by administrators. If administrators do not perform user rights management tasks properly, this may lead to mismanagement of user rights and security violations.

Network Management

Computer accounts changes

This InTrust report shows computer account changes. Computer accounts should be created, deleted, renamed, or changed by administrative accounts only. If administrators do not perform computer account management tasks properly, this may lead to security violations.

DHCP history

This report summarizes DHCP log data and presents it as time intervals during which computers held certain IP addresses. If an event specifies the host as localhost or as a host from localdomain, the actual DNS name is determined by the MAC address. The report helps you quickly pinpoint the computer on which certain actions were performed. For correct results, create this report for a single DHCP server or for several DHCP servers that work simultaneously and do not serve overlapping IP address pools.

Domain Trusts Changes

This InTrust report shows domain trust changes. Domain trusts should be added, removed, or modified by administrative accounts only. If administrators do not perform domain trust management tasks properly, this may lead to security violations.

Policy Changes

Audit Policy Changed

This InTrust report shows audit policy changes. Audit policy should be modified by administrative accounts only; otherwise these changes can indicate a security breach. If administrators do not perform audit policy management tasks properly, this may lead to security violations.

Kerberos and Domain Policy changed

This InTrust report shows changes to Audit and Kerberos policies.

Forensic Analysis

Detailed Reports

All user activities [details]

This InTrust report shows and expands statistics on security events. Security events capture the activity taking place in the network and show, for example, when and where users log on, what data they access, how they manage accounts, and so on.

Event Log Gaps

This InTrust report shows situations where events are missing from logs for a time period that you specify. For example, if a file server with classified data does not appear to have logged events for an hour, this is suspicious, all the more so if the server is supposed to be up at all times. It is possible that the server was down during that time or the log was cleared. Such a situation does not necessarily mean a problem but should be investigated.

Events related with the specified event [advanced]

This InTrust report helps you analyze the background of an event you are interested in by exploring related events.

Raw data analysis

This InTrust report shows event data from specified event logs of selected computers.

Summary Reports

Account management statistics

This InTrust report shows the number of accounts created, changed, and deleted within a specified time period for such important types of accounts as user accounts, security groups, and distribution groups. It also shows group membership modification for both security and distribution groups.

All user activities [summary]

This InTrust report shows statistics on security events grouped by users and their domains. Security events capture the activity taking place in the network and show, for example, when and where users log on, what data they access, how they manage accounts, and so on. The report is primarily intended for presenting statistics in printed form but, when working interactively, you can click any number to view the details of all events that the number stands for.

Logon Statistics

In a Windows environment, the system registers different logon types depending on the kind of resource a user accesses. This InTrust report shows all logon types, such as interactive logons to domains, access to shared folders, dial-up connections to the network, and so on, and groups logon statistics.

Major Security Events

Event log cleared

This InTrust report shows events that indicate an event log was cleared. Event logs should be cleared only when there is a lack of free space, which rarely occurs. Therefore, instances of event logs being cleared can indicate intruder activity and attempts to cover tracks.

System Time changed

This InTrust report shows occurrences of the System Time Change event. Time synchronization is critical for most network environments. An unauthorized manual time change can cause services, business applications, and the authentication subsystem to malfunction.

User account lock-unlock

This InTrust report shows when user accounts were locked out and unlocked. A user account can be locked in accordance with the Account Lockout Policy (as a rule, after an incorrect password is entered several times in a row). Such a situation may mean password guessing, especially if an administrative account gets locked. Click a user account in the report to view its details.
