Chat now with support
Chat with Support

The Quest and One Identity Support Portals will be unavailable on Friday July 10, 2020 from 5:30 PM to 6:30 PM for website maintenance.

InTrust 11.4.1 - InTrust Reports

Real-Time Monitoring Alerts

Alert Details

Alert Occurrences

Alerts Details

This InTrust report can help you in forensic analysis of the occurrences.

Alert Statistics

Alert Occurrences

Alert Statistics

This InTrust report displays the number of alerts that occurred and the average resolution time for the selected time period, environment and incident types. Note: If GMT time is desynchronized between the InTrust server and the computer where the agent operates, this can result in negative alert delivery times. These negative values are ignored when calculating the average resolution time. However, the number of alerts in the report does not depend on time synchronization.

Alerts Trend [chart]

This InTrust chart helps you to monitor and analyze security incidents which led to alert generation.

Top N Alerting Hosts [chart]

Use this InTrust chart to discover the computers that most frequently generate the alerts.

Top N frequent alerts [chart]

This InTrust chart helps you analyze the most frequent incidents that caused the majority of alerts.

Report Usage Statistics

Report Usage Statistics With Users

Best Practices Report Pack

This section contains a list of reports included in the InTrust 11.4.1 Best Practices Report Pack.

Auditing Domain Controllers

Active Directory Changes (Based on Windows Logs)

Access to computer objects

This InTrust report shows attempts to access computer objects in Active Directory. Such activity may indicate unsolicited changes to the environment and should be tracked. The report is based on object access events from the Security log.

Access to group objects

This InTrust report shows attempts to access group objects in Active Directory. Such activity may indicate unsolicited changes to the environment and should be tracked. The report is based on object access events from the Security log.

Access to user objects

This InTrust report shows attempts to access user objects in Active Directory. Such activity may indicate unsolicited changes to the environment and should be tracked. The report is based on object access events from the Security log.

Audit policy changes

This InTrust report shows audit policy changes. Audit policy should be modified by administrative accounts only; otherwise these changes can indicate a security breach. Failure of the administrator to duly perform audit policy management tasks may lead to security violations.

Computer accounts management

This report shows instances where computer accounts were created, deleted, enabled or disabled. If these actions are performed by someone other than authorized administrators, this may lead to security issues and violations.

Domain Trusts Changes

This InTrust report shows domain trust changes. Domain trusts should be added, removed, or modified by administrative accounts only. If the administrator does not duly perform domain trust management tasks, this may lead to security violations.

Group management

This InTrust report shows local group changes. Groups should be created, deleted, or changed by administrators. If the administrator fails to duly perform group management tasks, this may lead to user rights misrule and security violations.

Group membership management

This InTrust report shows local, global, universal groups membership changes. User accounts should be added to or removed from groups by administrators. If the administrator fails to duly perform group membership management tasks, this may lead to user rights misrule and security violations.

Group Policy object access

This InTrust report shows Group Policy objects access attempts. Access to this type of objects may be unwarranted. Such events often indicate changes to the policies, and they need to be tracked. Note This report is based on object access events from the Security log.

Kerberos and domain policy changes

This InTrust report shows Audit and Kerberos policies changes.

Password resets

This InTrust report shows when account passwords were reset and who reset them. An entry in the report means that the password was either reset or changed. By default, only user accounts are included, but you can use the User Accounts filter if you want to include computer accounts as well.

User account lockouts

This InTrust report shows user account locked out and unlocked. A user account can be locked in accordance with the Account Lockout Policy (as a rule, after an incorrect password is entered several times in a row). Such a situation may mean password-guessing, especially if an administrative account gets locked. Click a user account in the report to view its details.

User account management

This report shows instances where user accounts were created, deleted, enabled or disabled. If these actions are performed by someone other than authorized administrators, this may lead to security issues and violations.

User rights management

This InTrust report shows changes to user rights. User rights should be assigned or removed by administrators. If the administrator fails to duly perform user rights management tasks, this may lead to user rights misrule and security violations.

Critical Changes (Based on Change Auditor for AD Data)

All change requests for GPOs by domain

This Change Auditor for Active Directory report represents both successful and failed attempts to change Group Policy object settings, delete or create GPO. An attempt fails if the system failed to perform requested operation for some reason. The most common reason of failure is insufficient permissions to make the change. The report shows either textual description of a failure or just the failure code if it is impossible to resolve the failure code to its textual description.

Changes to Active Directory schema by object

This Change Auditor for Active Directory report shows all changes to your Active Directory schema. Using this report, you can track what schema classes and attributes were modified, and how it has affected your Active Directory. Use the Class Operations filter to pinpoint schema modifications related to schema classes. Use the Attribute Operations filter to pinpoint schema modifications related to schema attributes. Schema modification may adversely impact the whole enterprise if performed carelessly.

Changes to assigned Group Policy priorities by container

This Change Auditor for Active Directory report shows changes to Group Policy Object links related to the order in which Group Policies are applied to a site, domain, or OU within your Active Directory. If set improperly, this order may seriously affect the Resulting Set of Policies calculated at the computer where the policies are applied. This report together with Group Policy Assignments report help you ensure that Resulting Set of Policies for you domain users and computers is calculated properly.

Changes to audit policy settings by audit policy

This Change Auditor for Active Directory report shows all changes to Audit Policy settings for all Group Policies of your Active Directory domains. Turning on extra auditing may impact your domain controllers and other domain members, while turning auditing off may weaken the security. So, every modification of Audit Policy settings must be thoroughly examined.

Changes to FSMO roles by domain

This Change Auditor for Active Directory report shows all FSMO role transfers and seizures in every domain and forest of your Active Directory. For every FSMO role the report displays the domain controller that held the role before the change, and the one that acquired the role as a result of the change. FSMO role changes (especially role seizures) should be made only if it is impossible to recover the original holder after it has become unavailable.

Changes to replication configuration by forest

This Change Auditor for Active Directory report shows all changes related to the replication configuration of your Active Directory forests. The report analyzes changes to Active Directory objects and explains what these particular changes mean to the replication. Use the Configuration Items filter to analyze changes related to particular aspects of the replication configuration, for example, site link schedule changes, replication connection creations and deletions, and so on.

Changes to site configuration by forest

This Change Auditor for Active Directory report shows all changes related to the site configuration of your Active Directory forests. Using this report, you can inspect what new sites were created, and what changes were applied to existing sites. It is recommended to modify your site configuration only if the physical AD topology has been changed. This report enables you to control that no accidental or unwanted changes to your Active Directory sites were made.

Changes to user rights by domain

This Change Auditor for Active Directory report shows all changes to User Rights Assignment settings for all Group Policies of your Active Directory domains. These settings affect security and availability of your domain controllers and other domain members, so it is important to watch them closely. Too strict a User Rights policy leads to people and services having problems with access to necessary network resources, but excessive permissions are a serious flaw in network security.

Connection schedule changes

This Change Auditor for Active Directory report shows changes to the replication schedule defined at the level of replication connections. The schedule is displayed for the local time zone.

Direct SYSVOL changes by domain

This Change Auditor for Active Directory report shows Group Policy setting changes made by direct modification of policy files stored on the SYSVOL share of domain controllers. Changes to both Security Policies and Administrative Templates are included. Note. The report does not display malformed SYSVOL file changes that violated the established format of the policy setting file.

DNS record changes

This Change Auditor for Active Directory report shows changes to zone data of Active Directory-integrated DNS zones. You can see what DNS records were added, deleted or modified in a DNS zone. For each type of zone record (SRV, A, etc) specific details are provided.

Domain changes

This Change Auditor for Active Directory report shows domain functional level changes. Use the report to track changes to the domain functional level and suffixes.

Domain trust relationship changes

This Change Auditor for Active Directory report shows changes to domain trust relationships. You can see what domains were defined as trusted for a specific domain and what domains had their trust relationship removed.

Group Policy assignments by GPO

This Change Auditor for Active Directory report shows the change history for Group Policy Object links in your environment during the specified period. It displays: who made the change, what GPO flags were changed (such as Disabled and No Override), what GPO links were established or removed for what containers, when the change was made For modified GPO flags, the report shows both the old and the new (modified) flag values.

OU creation or deletion by domain

This Change Auditor for Active Directory report shows what organizational units were created or deleted in what domains.

OU delegation changes

This Change Auditor for Active Directory report shows changes to security configuration of organizational units. The report helps track permissions granted to delegated administrators.

OU moved or renamed by domain

This Change Auditor for Active Directory report shows what organization units were moved or renamed. For either type of change, both the old and new canonical name of the OU's parent container are displayed.

Permission inheritance changes by domain

This Change Auditor for Active Directory report shows changes to Active Directory objects' permission inheritance flag. It shows you whether inherited permissions were copied or removed from the object when the inheritance flag was cleared.

Policy inheritance blocking disabled or enabled by domain

Typically, Group Policy is propagated from parent to child containers within a domain. You can block policy inheritance at the domain or organizational-unit level by opening the properties dialog box for the domain or organizational unit and selecting the Block Policy inheritance check box. This Change Auditor for Active Directory report shows who and when enabled or disabled policy inheritance on what containers.

Security options changes by Group Policy

This Change Auditor for Active Directory report shows all changes to Security Options for all Group Policies of your Active Directory domains.

Site link schedule changes

This Change Auditor for Active Directory report shows changes to the replication schedule defined at the level of site links. The schedule is displayed for the local time zone.

Universal group membership setting changes

This Change Auditor for Active Directory report shows changes to the configuration of universal group membership caching. You can use this report to track sites where this setting was turned on or off. It also shows changes to the site used for refreshing the contents of the universal group cache.

Domain Controller Operation (Based on Windows Logs)

Event Log cleared

This InTrust report shows event log cleared events. Event logs should be cleared only when there is lack of free space, which rarely occurs. Therefore, instances of event logs being cleared can indicate intruder activity and attempts to cover the tracks.

Event log errors

Errors or warnings from the event log could be an indication of intruder activity or an auditing system malfunction. This InTrust report shows situations when event logs generated warnings or errors.

Policy enforcement errors

This InTrust report shows some events from the security policy subsystem which could be an indication of intruder activity or a potential security breach.

Registry Access

This InTrust report shows attempts to access registry keys. Access to some registry keys (particularly the startup keys) may be unwarranted.

Server reboots (Windows Server 2003 and Windows Server 2008 only)

This InTrust report shows both expected and unexpected server reboots (Windows 2003, Windows 2008 only). Notes: Please ensure than Shutdown Event Tracker service is enabled at your servers.

Software installation

This InTrust report helps track what software products are installed or failed to install on which computers. The report shows only those products whose setup programs use Windows Installer. Using the Grouping filter, you can organize the information as necessary. To see what software was installed on particular computers, use grouping by computer. To find out where certain software products were installed, use grouping by software product.

Logons (Based on Windows Logs)

Administrative logons (Security log only)

This InTrust report shows successful and failed logons of all types by the specified privileged users. By default, only the "Admin" and "Administrator" user names are included. Change the filters to include any other privileged users you need. For failed logons, reasons are displayed. The report uses only Security log events.

Failed logons (NTLM audit only)

This InTrust report shows failed logons of all types. Failure reasons are indicated. The report uses only NTLM events.

Failed logons (Security log only)

This InTrust report shows failed logons of all types. Failure reasons are indicated. The report uses only Security log events.

Logons (NTLM audit only)

This InTrust report shows successful and failed logons of all types. For failed logons, reasons are displayed. The report uses only NTLM events.

Multiple failed account logons

This InTrust report shows patterns where multiple account logon failures occurred in a row, possibly indicating a brute-force attack. The report uses Kerberos events.

Multiple failed logons

This InTrust report shows patterns where multiple logon failures occurred in a row, possibly indicating a brute-force attack. Detailed information about the logon failures is provided. Data for the report comes from all relevant logs (Security, Kerberos, NTLM). Click a number in the Attempts column to view the details of logon failures in a subreport.

Multiple failed logons (Security log only)

This InTrust report shows patterns where multiple logon failures occurred in a row, possibly indicating a brute-force attack. Detailed information about the logon failures is provided. The report uses only Security log events. Click a number in the Attempts column to view the details of logon failures in a subreport.

Non-network logons (Security log only)

This InTrust report shows successful and failed logons of all types except 'Network'. For failed logons, reasons are displayed. The report uses only Security log events.

Regular Changes (Based on Change Auditor for AD Data)

Change requests for computer objects by domain

This InTrust report shows both successful and failed attempts to change attributes of computer objects in Active Directory. The most common reason for request failures is insufficient permissions to make the change. For each failure, the report shows a textual description where possible, or just the error code.

Change requests for group objects by domain - detailed

This InTrust report shows both successful and failed attempts to change attributes of group objects in Active Directory. The most common reason for request failures is insufficient permissions to make the change. For each failure, the report shows a textual description where possible, or just the error code.

Change requests for user objects by domain

This InTrust report shows both successful and failed attempts to change attributes of user objects in Active Directory. The most common reason for request failures is insufficient permissions to make the change. For each failure, the report shows a textual description where possible, or just the error code.

Changes to computer object attributes by domain

This InTrust report shows the history of changes to the attributes of computer objects in Active Directory during the specified period. It shows who changed what attributes, and when and how they were changed. This helps stay aware of what is happening to your Active Directory, and take corrective measures if required.

Changes to user account passwords by domain

The InTrust Plug-in for Active Directory report shows all changes to user account passwords. Passwords are changed by users themselves or reset by administrators on user request.

Changes to user object attributes by domain

This InTrust report shows the history of changes to the attributes of user objects in Active Directory during the specified period. It shows who changed what attributes, and when and how they were changed. This helps stay aware of what is happening to your Active Directory, and take corrective measures if required.

Computer object moves by domain

This Change Auditor for Active Directory report shows computers that were moved. The report displays both source and target locations, which can be organizational units and other containers.

Enabling and disabling of users by domain

To prevent a particular user from logging on for security reasons you can disable the user account rather than delete it altogether. The user account may be enabled again afterwards. This Change Auditor for Active Directory report shows the history of user account activations and deactivations.

Group creations and deletions by domain

This Change Auditor for Active Directory report shows what group accounts were created or deleted in what domains.

Group membership management by domain

This Change Auditor for Active Directory report shows all group membership changes. You can track which accounts were added to or removed from which groups, and who performed the management actions.

User account management by domain

This Change Auditor for Active Directory report shows all changes made to all user account attributes.

User account moves by domain

This Change Auditor for Active Directory report shows user accounts that were moved. The report displays both source and target locations, which can be organizational units and other containers.

User creations and deletions by domain

This Change Auditor for Active Directory report shows what user accounts were created and deleted in what domains.

Related Documents