
InTrust 11.4.1 - Preparing for Auditing and Monitoring Active Roles

Use Cases

This chapter describes several common usage scenarios for the Knowledge Pack. The related topics outline general methods for achieving typical tasks; they do not contain step-by-step procedures:

  • Checking Policy Compliance
  • Reporting on Account Management
  • Investigating Service Failure
  • Data Archiving and Analysis

For detailed instructions about working with InTrust configuration objects, refer to the Auditing Guide.

Checking Policy Compliance

This scenario applies when the environment is configured to allow certain users to perform administrative actions outside Active Roles. Suppose you want to monitor changes to mailbox aliases in your environment that bypass Active Roles.

For example, suppose that there is a distinct policy for mailbox naming, and Active Roles enforces this policy. However, certain personnel can manage mailboxes without using Active Roles. You need to make sure that any mailbox management actions these users perform comply with the policy and that no non-compliant changes are made inadvertently.

Configure the “Active Roles: Policy compliance check” rule to send email notifications to your Active Roles operators, as follows:

  1. Make sure that the “Active Roles Operators” notification group is populated with accounts that must receive the notifications.
  2. Open the properties of the “Active Roles: Policy compliance check” rule.
  3. On the General tab, make sure that Enabled is selected.
  4. On the Matching tab, select the check box next to the Containers parameter in the list and specify the organizational units you want to monitor. Keep this list short: if it contains many containers, rule matching takes a very long time.
  5. Click OK.
  6. Open the properties of the “Active Roles: Administration Service Policy” policy.
  7. Check that “Active Roles: Servers” is listed on the Sites tab, and that the “Active Roles: Policy compliance check” rule (or the rule group that contains it) is listed on the Rules tab.
  8. Select Activate on the General tab.
  9. Click OK.
  10. Commit the changes you have made by clicking the Commit button on the toolbar.

After that, the notification group receives a message whenever a policy violation is detected for an object in the monitored OUs. Watch for messages about mailbox alias changes.
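The following is an added example, not code from InTrust or the Active Roles Knowledge Pack, that models what the scenario above asks the rule to decide: is the changed object inside one of the Containers you listed, was the change made outside Active Roles, and does the new mailbox alias satisfy the naming policy? It assumes (the page does not say this) that a change made through Active Roles shows the Active Roles service account as its subject, so any other subject means the change bypassed Active Roles; the service account name, the alias regular expression and the change events are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Hypothetical service account under which Active Roles writes to AD
# (assumption: changes made through Active Roles carry it as the subject).
AR_SERVICE_ACCOUNT = "CORP\\svc-activeroles"

# Hypothetical naming policy for mailbox aliases: lowercase letters and
# digits, starting with a letter, 2 to 20 characters.
ALIAS_POLICY = re.compile(r"^[a-z][a-z0-9]{1,19}$")

# The rule's Containers parameter: a short list of monitored OUs.
MONITORED_CONTAINERS = [
    "OU=Sales,DC=corp,DC=example",
    "OU=Finance,DC=corp,DC=example",
]


@dataclass
class ChangeEvent:
    target_dn: str   # object that was changed
    subject: str     # account that made the change
    attribute: str   # attribute that was changed
    new_value: str   # value after the change


def dn_parts(dn):
    """Split a DN on unescaped commas and normalise case/whitespace."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]


def in_container(target_dn, container_dn):
    """True if target_dn is a descendant (at any depth) of container_dn."""
    t, c = dn_parts(target_dn), dn_parts(container_dn)
    return len(t) > len(c) and t[-len(c):] == c


def evaluate(event):
    """Return a finding string, or None if the event is out of scope or compliant."""
    if not any(in_container(event.target_dn, c) for c in MONITORED_CONTAINERS):
        return None  # not under a monitored OU: the rule does not match
    if event.subject.lower() == AR_SERVICE_ACCOUNT.lower():
        return None  # made through Active Roles, which already enforces the policy
    if event.attribute.lower() != "mailnickname":  # the Exchange alias attribute
        return None
    if ALIAS_POLICY.match(event.new_value):
        return None
    return (f"alias '{event.new_value}' on {event.target_dn} set by "
            f"{event.subject} outside Active Roles violates the naming policy")


# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    ChangeEvent("CN=Jane Smith,OU=Sales,DC=corp,DC=example", "CORP\\admin.jane", "mailNickname", "J.Smith!"),
    ChangeEvent("CN=Jane Smith,OU=Sales,DC=corp,DC=example", AR_SERVICE_ACCOUNT, "mailNickname", "jsmith"),
    ChangeEvent("CN=Bob Lee,OU=IT,DC=corp,DC=example", "CORP\\admin.jane", "mailNickname", "Bad Alias"),
    ChangeEvent("CN=Bob Lee,OU=Finance,DC=corp,DC=example", "CORP\\admin.jane", "mailNickname", "blee"),
    ChangeEvent("CN=Bob Lee,OU=Finance,DC=corp,DC=example", "CORP\\admin.jane", "displayName", "Bob Lee!!"),
]


def check_all(events):
    """Run the check over a batch of events and return the findings."""
    return [f for f in (evaluate(e) for e in events) if f]


if __name__ == "__main__":
    for finding in check_all(SAMPLE_EVENTS):
        print(finding)
```

Only the first sample event produces a finding: it is under a monitored OU, was made by an account other than the service account, and sets an alias that fails the pattern. The change under OU=IT is ignored because that OU is not in the Containers list, which is also why the list in step 4 should stay short.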

Reporting on Account Management

In this scenario, you schedule a report on account management actions performed outside Active Roles. The information for the report comes from the Change Auditor for AD log and the Security log on the domain controllers of the domain you are interested in, and from the ARAdminService log on the Active Roles servers in that domain.

To configure this workflow

  1. Make sure the “Active Roles: Weekly reporting” task is scheduled to run after all the required data has been gathered by the “Active Roles: Daily events collection” task.
  2. If necessary, edit the reporting job within the “Active Roles: Weekly reporting” task. For example, you can change filter settings for the “Account management performed outside Active Roles (Security Log)” report and specify the preferred output format for reports.
  3. Optionally, add a notification job that informs you of task completion.

Now your report storage will contain a detailed report prepared automatically on schedule.

If you prefer to keep the predefined task at its default settings, make a copy of it and edit the copy instead.

Investigating Service Failure

This scenario applies when the Active Roles service fails and you need to find out why. The failure may be caused by a denial-of-service attack or other abnormal activity; the typical symptom is a large number of failure audit events in the environment.

You can monitor such situations by deploying the following rules:

  • “Active Roles Service: General response”
  • “Active Roles: Multiple failure audit”

Configure alerts from these two rules to be shown in InTrust Monitoring Console. When “Active Roles Service: General response” tells you that the service is not responding, check whether the alert is accompanied by the “Active Roles: Multiple failure audit” alert.

If both alerts are generated within a short period of time, investigate why the failure events occurred.
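The following is an added example, not InTrust's own rule logic, that models the two-rule correlation described above over a constructed event stream: a sliding-window threshold raises a "Multiple failure audit" alert once enough failure audits arrive within a short window, and each "not responding" alert is then checked for a failure burst within a correlation window. The threshold, the window lengths, the event shapes and the timestamps are all assumptions chosen for illustration; they are not the Knowledge Pack's defaults.

```python
from collections import deque
from datetime import datetime, timedelta

# Assumed thresholds, not the Knowledge Pack's settings.
FAILURE_THRESHOLD = 5                    # failures within FAILURE_WINDOW raise one alert
FAILURE_WINDOW = timedelta(minutes=2)
CORRELATION_WINDOW = timedelta(minutes=10)

# Event tuple: (timestamp, kind, detail). kind is "failure_audit" for a failed
# operation recorded on an Active Roles server, or "probe" for a health check.
T0 = datetime(2024, 5, 1, 9, 0, 0)
SAMPLE_EVENTS = [                         # constructed sample data, sorted by time
    (T0, "probe", "ok"),
    (T0 + timedelta(seconds=10), "failure_audit", "access denied"),
    (T0 + timedelta(seconds=30), "failure_audit", "access denied"),
    (T0 + timedelta(seconds=50), "failure_audit", "logon failure"),
    (T0 + timedelta(seconds=70), "failure_audit", "access denied"),
    (T0 + timedelta(seconds=85), "failure_audit", "access denied"),
    (T0 + timedelta(minutes=3), "probe", "not responding"),
    (T0 + timedelta(hours=2), "probe", "not responding"),
]


def multiple_failure_audit(events):
    """Sliding-window threshold: one alert per burst of failure audits."""
    window, alerts, armed = deque(), [], True
    for ts, kind, _ in events:
        if kind != "failure_audit":
            continue
        window.append(ts)
        while window and ts - window[0] > FAILURE_WINDOW:
            window.popleft()          # drop failures older than the window
        if len(window) >= FAILURE_THRESHOLD:
            if armed:
                alerts.append(("Active Roles: Multiple failure audit", ts))
                armed = False         # suppress repeats until the burst subsides
        else:
            armed = True
    return alerts


def general_response(events):
    """Alert whenever a health probe finds the service not responding."""
    return [("Active Roles Service: General response", ts)
            for ts, kind, detail in events
            if kind == "probe" and detail == "not responding"]


def correlate(events):
    """Pair each service alert with a failure burst inside CORRELATION_WINDOW."""
    bursts = [ts for _, ts in multiple_failure_audit(events)]
    results = []
    for _, ts in general_response(events):
        nearby = [b for b in bursts if abs(ts - b) <= CORRELATION_WINDOW]
        results.append({
            "service_alert": ts,
            "failure_burst": nearby[0] if nearby else None,
            "verdict": ("investigate failure events" if nearby
                        else "outage without failure burst"),
        })
    return results


def analyze():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for r in analyze():
        print(r["service_alert"], "->", r["verdict"])
```

On the sample data the first "not responding" probe falls 95 seconds after the failure burst and is flagged for investigation; the second, two hours later with no failures around it, is reported as an outage without a failure burst, which is the case the text says not to treat as an attack indicator.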

To implement this monitoring, prepare Monitoring Console for the task as described in the Viewing Alerts in InTrust Monitoring Console topic. When creating the alert view, include the two rules listed previously and the “Active Roles: Servers” site.

Remember that your alert viewers and managers must be inspectors for the group that holds the two rules and for the monitored site.

If this situation is detected, you can investigate further by preparing the “Active Roles all server events” SSRS report and analyzing it in InTrust Knowledge Portal. The report’s EventID filter lets you narrow down the events to be included, and the Date Range filter restricts the time period covered by the report.

For more information about using reports, see the Data Gathering and Reporting topic.

Alternatively, you can analyze events in Repository Viewer or IT Security Search. This means working with events stored in an InTrust repository instead of the audit database. For details, see the following:
