
InTrust 11.4.1 - Searching for Events in Repository Viewer

Custom Searches

If the predefined Repository Viewer searches do not cover your specific needs, use custom searches: either based on the predefined ones or created from scratch.

IMPORTANT:

To create custom searches, you need to make sure your account is an InTrust organization administrator. To view and edit the list of organization administrators, do one of the following:

  • In InTrust Deployment Manager, click Manage | Configure Access.
  • In InTrust Manager, open the properties of the root node.

The default organization administrators are the accounts used for installing InTrust and for running InTrust services.

Ad-Hoc Searches

To run an ad-hoc search with parameters, use the Search Filter tab, which is under the event list in the default layout. The Add or Remove Parameters button lets you customize your search, as follows:

  1. Click Add or Remove Parameters.
  2. In the Select Filter Parameters toolbar that opens, select the parameters that you want to define for the filter. See Filter Parameters for details.
  3. When you have added the necessary parameters, close the Select Filter Parameters toolbar, and specify the values you want to filter by and the operators to use for value matching.
  4. Click Go.

If you expect to use the same set of parameters in the future, you can save it as a custom search. For details, see Custom Searches below.

Any search filter configuration can be saved as a search. You can make custom searches:

  1. By modifying predefined searches and saving your changes, as described in the Predefined Searches topic. This method can save you a great deal of time and effort.
  2. By building a set of filters from scratch (with only a node in the navigation tree selected, not an existing search) and saving the result.

To create a search based on your current filter configuration and place it in the navigation tree, click Save As in the Search Filter tab when it shows your filter settings, and specify the name of the new search in the dialog box that appears.

Note: The Save As button is available only when the filter parameters are configured from scratch. When an existing search is selected, the button is labeled Copy To.

Note that the node currently selected in the navigation tree can affect the set of parameters defined for the search. For example, if a particular computer is selected, an additional parameter is automatically added to show events only from this computer. If you want to avoid this, create searches while the root folder of the repository is selected.

Note: Each user's custom searches are saved in the InTrust configuration database. They are available to all InTrust organization administrators (for reading and writing) and members of the AMS Readers local group on the repository-managing InTrust server (for reading).

Organizing Searches

To logically nest searches, organize them into folders:

  • To create folders for your searches in advance, right-click Custom Search Folders in the left pane and select Create Folder.
  • To create a folder while saving the search, click the folder icon in the Save As dialog box.

Best Practice: Search Across Event Fields

If you want to find specific information no matter which event field it is in, use the Any Field parameter for your search term. This is especially helpful if you are not familiar with the information layout in the events you are working with.

To find this parameter in the Select Filter Parameters dialog box, select the Primary option in the drop-down list. Any Field is the first item in the list.

Generally, this is a good starting point for refining a search: it lets you exclude the fields where you don't want the term to occur instead of trying to include all the fields where it might occur.

Managing Repository Groups

After you have opened a repository group in Repository Viewer, you can manage its membership as follows:

  • Using the Remove command in the member repository shortcut menu
  • Using the Add Repository command in the group shortcut menu

The shortcut menu for a repository group also contains the Rename Repository Group and Delete Repository Group commands. The Delete Repository Group command erases the group from InTrust configuration. The other place where you can delete a repository group is in the Open Repositories wizard; all existing repository groups in the InTrust organization are listed there.

IMPORTANT: Whenever a repository is added to a group or removed from it, the change is immediately applied in all instances of Repository Viewer connected to the InTrust organization. In addition, removing a repository group also deletes all scheduled reports that use the repository group. Make these changes responsibly.


Filter Parameters in Repository Viewer

Repository Viewer provides a variety of fields to look in. To list all of them, select All in the drop-down list in the Select Filter Parameters toolbar. By default, only the normalized fields (such as Who, When or What) are shown.

The parameters include:

  1. Regular event fields (available in the Primary set and under All)
  2. Additional parameters:
    • The Insertion strings set
      These are the unnamed insertion strings that events use for storing various information. You can use these fields if you know precisely what they are used for in the events you are working with.
    • The Resolved insertion strings set
      These are regular insertion strings that have been processed to resolve any GUIDs and SIDs that occur in them. Note that the resolution works only for events that were gathered using InTrust agents.
    • The Named insertion strings set
      These are friendly labels for regular insertion strings. Note that different types of events use identically-numbered insertion strings for different kinds of data, so you should make sure the meaning is right if you use a named insertion string in your search. Named insertion strings are intended for improving presentation, especially if you are preparing custom searches for someone else to use.
    • The Normalized event fields set
      See Normalized Event Fields (Who, What, When and Others) for details.
    • The Any Field parameter
      See the Best Practice: Search Across Event Fields section in Custom Searches for details.
    • The Custom parameter
      See Advanced Expression-Based Filters for details.

Configuring Parameters

When you have added a parameter to the Search Filter tab, specify the following:

  1. The operator to apply
    Use the leftmost button in the operator block. The operators are "Equals", "Contains", "Ends with" and so on.
  2. The parameter value
    This is a combo box; in addition to an explicit value, you can select one of the following options:
    • Blanks
      Matches if the field is empty.
    • NonBlanks
      Matches if the field is not empty.
    • Custom
      Lets you build a logical condition tree that works within this particular parameter; see below for details.

Note: In the current version of Repository Viewer, the following issues are known to exist in search filters:

  • The value used for the Any Field parameter matches only the beginnings of words.
  • The "Contains" operator matches only the beginnings of words.
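The practical consequence of these two issues is that a term can be present in a field and still not be found. The following Python model, added here as an illustration (it is not Repository Viewer code), reproduces the documented word-prefix behaviour so you can pre-check a term against known field values before relying on a search. The word boundary it uses (letters, digits and underscore form a word; anything else separates words) is an assumption; this page does not document the tokenizer, and the sample field values are constructed.

```python
import re

# Assumed word boundary: runs of letters, digits and underscore are words,
# everything else (backslash, dot, hyphen, space) separates words.
_WORD = re.compile(r"[A-Za-z0-9_]+")


def word_prefix_match(term: str, text: str) -> bool:
    """Model of 'Contains' / Any Field in this version: the term must start a word."""
    t = term.lower()
    return any(w.lower().startswith(t) for w in _WORD.findall(text))


def substring_match(term: str, text: str) -> bool:
    """What users usually expect 'Contains' to do: match anywhere in the field."""
    return term.lower() in text.lower()


def search_misses(term: str, field_values) -> list:
    """Values a substring search would find but a word-prefix search silently misses."""
    return [v for v in field_values
            if substring_match(term, v) and not word_prefix_match(term, v)]


# Constructed sample field values (not real events).
SAMPLE_VALUES = [
    "Administrator",                    # "admin" starts a word: found
    "DOMAIN1\\jdoe",                    # no "admin" at all
    "svc_backup-admin",                 # hyphen separates words: found
    "DomainAdmins",                     # "admin" is mid-word: missed
    "C:\\Windows\\System32\\lsass.exe",  # "lsass" starts a word after the backslash
]

if __name__ == "__main__":
    for term in ("admin", "lsass", "istrator"):
        hits = [v for v in SAMPLE_VALUES if word_prefix_match(term, v)]
        print(f"{term!r}: found in {hits}; missed {search_misses(term, SAMPLE_VALUES)}")
```

If a term you need appears only mid-word (a compound account name, a file extension without its dot), searching for the whole word or for the beginning of that word is the only way to hit it with these operators.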

All the parameters you include in the filter are combined using logical AND—they must all match for the filter as a whole to match. For details about using OR operations, see Advanced Expression-Based Filters.

Caution: Some search filter operators cannot use the repository index, so a search that uses them gets no speedup even if the repository is indexed. The following operators cannot take advantage of the index:

  • Not equals
  • Does not contain
  • Not like (wildcards)
  • Does not start with
  • Ends with
  • Does not end with

Where you can, express the condition positively (for example, with Equals, Starts with or Like) and narrow the result further afterwards; the operators listed above are evaluated without the index.

Custom Logic for Parameters

Selecting Custom in the parameter value combo box opens a dialog box that lets you set up multiple matching conditions and manage their flow with the AND and OR operators.


  • To change the list, use the Add Condition and Remove Condition(s) buttons.
  • To select conditions, use the leftmost column: you can Ctrl-click, Shift-click and drag-select items.
  • To apply the AND operator (meaning, match all of them) to selected conditions, click the 'And' Group button. The grouping will be visualized as a blue line that spans the operators.
  • To apply the OR operator (meaning, match any of them) to selected conditions, click the 'Or' Group button. The grouping will be visualized as an orange line that spans the operators.
  • To change a group's operator from OR to AND or the other way around, click the line that marks the grouping, or select a member of the group and click the Toggle button.
  • To remove one or more conditions from a group, select them and click the Ungroup button.

Note that this logic is processed for values of a single parameter. If you want to analyze multiple parameters, see Advanced Expression-Based Filters for details.

Normalized Event Fields (Who, What, When and Others)

These fields are not present in the original events; they are filled in by InTrust based on knowledge about the contents of regular fields in various types of events. Normalized fields make it easier to retrieve the most important information from the event; you do not have to know which particular original fields contain which kind of information.

The current set of supported normalized fields is as follows:

  • What
    A brief description of what the event is about. It is related to such fields as Description and Category.
    Example: For all events that have to do with logging on, the What field says Logon, regardless of the event category, platform where it occurred, or nature of the logon.
  • When
    When the event was generated. The time is automatically converted to the local time on the computer where Repository Viewer is running.
  • Where
    The computer where the event happened (had effect).
  • Where From
    The name or IP address of the computer from which the activity (such as a logon or a configuration change) was performed. This is not necessarily the same computer as the one where the activity had effect.
  • Who
    Plain user name of the account that caused the event.
    Example: Using this field helps you track user activity across platforms: Windows, Unix, VMware and so on.
  • WhoDomain
    The Active Directory domain of the account that caused the event, where applicable.
  • Whom
    The user account that was affected by the event, where applicable.
    Example: In password change events, this field shows whose password was changed.

Note: Use Event-o-Pedia (http://eventopedia.cloudapp.net/) to learn more about the events you can audit. This Web site is a knowledge base that helps you find out the meaning, structure and importance of the events you encounter.

Advanced Expression-Based Filters

The Custom filter parameter lets you specify expressions for very specific filtering needs that cannot be covered by the built-in options (for example, complex time ranges). The parameter accepts expressions in the REL expression language, which is used for event analysis throughout InTrust. The language is described in the InTrust Customization Kit document.

The immediate and intuitive advantage of custom expressions is the ability to use logical OR across multiple fields to branch your matching conditions. Effectively, this lets you combine multiple searches.

The default catch-all expression is true. In real-world use, you need to provide a REL expression that evaluates to true only if your specific conditions are met.

Examples of expression-based filters:

  • Events where the Computer field is "SRV01" or the User Name field is "DOMAIN1\jdoe", but not necessarily both at once (note that the backslash is escaped inside the string literal):
    (Computer = "SRV01") or (UserName = "DOMAIN1\\jdoe")
  • Events where the Who field is an account that is a member of the Domain Admins group:
    member_of( Who, 'Domain Admins', true)
    Important: This expression works only for global and universal groups, not for domain local groups. It is suitable in this case, because Domain Admins is a global group.

For more advanced expression techniques, refer to the REL-specific topics in the InTrust Customization Kit.

Changing the Business Hours and Non-Business Hours Parameters

The Business Hours and Non-Business Hours parameters define fixed time patterns, and no user interface is provided for editing these patterns. If you need to adjust the hours for a particular search, you can do so using native SQL Server tools, as follows:

  1. Run an SQL query on the InTrust configuration database to find the search you need. For example:
    select [Guid], [Query] from [dbo].[SearchItem] where [name] = '<search_name>'
    This returns the GUID of the search and the query that it uses. Here is a sample search query:
    <SearchQuery>
      <SimpleCriterias>
        <SimpleCriteria>
          <name>When</name>
          <condition>
            <GroupOperator>And</GroupOperator>
            <Items>
              <DateTimeComparisonCondition_BusinessHours>
                <start_time>8</start_time>
                <end_time>19</end_time>
                <start_dow>1</start_dow>
                <end_dow>5</end_dow>
              </DateTimeComparisonCondition_BusinessHours> 
            </Items>
          </condition>
        </SimpleCriteria>
      </SimpleCriterias>
      <FullTextSearchCriteriaItem>
        <FTS/>
      </FullTextSearchCriteriaItem>
    </SearchQuery>
  2. Edit the search query so that it meets your requirements. You need to make changes to the contents of the DateTimeComparisonCondition_BusinessHours or DateTimeComparisonCondition_NonBusinessHours node. In particular, you need to modify the integer values of the following:
    • start_time
      What time the business or non-business hours start
    • end_time
      What time the business or non-business hours end
    • start_dow
      The first work day in the case of business hours; the first day off in the case of non-business hours (0 through 6 is Sunday through Saturday)
    • end_dow
      The last work day in the case of business hours; the last day off in the case of non-business hours (0 through 6 is Sunday through Saturday)

Note: It is assumed that the times you specify are in the time zones of the computers where the events were logged. If you want these original timestamps to appear in Repository Viewer and scheduled reports, make sure the Local Time column is displayed in the grid. This column is hidden by default. For details about changing the grid, see Configuring the Result Layout.

  3. Overwrite the original search query with your modified version in the configuration database, using the previously extracted GUID to identify the search. For that, use an SQL query like the following:
    update [dbo].[SearchItem] set [Query] = '<modified_search_query_string>' where [Guid] = '<search_GUID>'
    Because this bypasses the InTrust console, keep a copy of the original [Query] value returned in step 1 so that you can restore it, and confirm that exactly one row was updated.
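Editing the query XML by hand is error-prone: a day value outside 0..6 or a mistyped element name yields a search that silently matches nothing. The Python helper below is an added example (not InTrust code) that carries out steps 2 and 3 on the sample query from this page: it validates the new values, rewrites every Business Hours or Non-Business Hours node, and renders the step 3 UPDATE statement with the XML correctly quoted for T-SQL. It assumes the [Query] column holds the XML as text and that [Guid] is a GUID string; the 0..24 hour range is an assumption, since this page only shows 8 and 19. The sample query is a constructed copy of the XML shown above.

```python
import uuid
import xml.etree.ElementTree as ET

# Constructed copy of the sample search query from this page.
SAMPLE_QUERY = """<SearchQuery>
  <SimpleCriterias>
    <SimpleCriteria>
      <name>When</name>
      <condition>
        <GroupOperator>And</GroupOperator>
        <Items>
          <DateTimeComparisonCondition_BusinessHours>
            <start_time>8</start_time>
            <end_time>19</end_time>
            <start_dow>1</start_dow>
            <end_dow>5</end_dow>
          </DateTimeComparisonCondition_BusinessHours>
        </Items>
      </condition>
    </SimpleCriteria>
  </SimpleCriterias>
  <FullTextSearchCriteriaItem>
    <FTS/>
  </FullTextSearchCriteriaItem>
</SearchQuery>"""

HOURS_NODES = ("DateTimeComparisonCondition_BusinessHours",
               "DateTimeComparisonCondition_NonBusinessHours")
FIELDS = ("start_time", "end_time", "start_dow", "end_dow")


def hours_errors(start_time, end_time, start_dow, end_dow):
    """Validation messages; empty list means the values are acceptable.
    Hours 0..24 is an assumption; days are 0..6 = Sunday..Saturday per the page."""
    errors = []
    for name, value, upper in (("start_time", start_time, 24), ("end_time", end_time, 24),
                               ("start_dow", start_dow, 6), ("end_dow", end_dow, 6)):
        if not isinstance(value, int) or not 0 <= value <= upper:
            errors.append(f"{name}={value!r} must be an integer in 0..{upper}")
    return errors


def read_hours(query_xml):
    """(start_time, end_time, start_dow, end_dow) of the first hours node, as ints."""
    root = ET.fromstring(query_xml)
    node = next(el for el in root.iter() if el.tag in HOURS_NODES)
    return tuple(int(node.findtext(f)) for f in FIELDS)


def set_hours(query_xml, start_time, end_time, start_dow, end_dow):
    """Return the query XML with every Business/Non-Business Hours node rewritten.
    Nothing is changed unless all values validate and every expected element exists."""
    errors = hours_errors(start_time, end_time, start_dow, end_dow)
    if errors:
        raise ValueError("; ".join(errors))
    root = ET.fromstring(query_xml)
    nodes = [el for el in root.iter() if el.tag in HOURS_NODES]
    if not nodes:
        raise ValueError("query contains no Business Hours / Non-Business Hours condition")
    for node in nodes:
        for name, value in zip(FIELDS, (start_time, end_time, start_dow, end_dow)):
            child = node.find(name)
            if child is None:
                raise ValueError(f"{node.tag} has no <{name}> element")
            child.text = str(value)
    # encoding="unicode" keeps the original whitespace and returns str, not bytes
    return ET.tostring(root, encoding="unicode")


def tsql_literal(s):
    """Quote as a T-SQL Unicode string literal; doubling ' is the only escape needed."""
    return "N'" + s.replace("'", "''") + "'"


def build_update(search_guid, new_query_xml):
    """The step 3 UPDATE. The GUID is parsed first so that only a real GUID can
    reach the WHERE clause (assumption: [Guid] is stored as a GUID string)."""
    guid = str(uuid.UUID(search_guid))  # raises ValueError for anything else
    return (f"update [dbo].[SearchItem] set [Query] = {tsql_literal(new_query_xml)} "
            f"where [Guid] = '{guid}'")


if __name__ == "__main__":
    print("before:", read_hours(SAMPLE_QUERY))
    updated = set_hours(SAMPLE_QUERY, 7, 18, 1, 5)   # 07:00-18:00, Monday to Friday
    print("after: ", read_hours(updated))
    print(build_update("3f2504e0-4f89-11d3-9a0c-0305e82c3301", updated))
```

Run it against the [Query] value returned by the step 1 SELECT, paste the printed UPDATE into SQL Server Management Studio inside a transaction, and check that it reports one affected row before committing; if you run it from Python through a driver such as pyodbc, pass the XML as a query parameter instead of building the literal.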

Examining Event Details

To view the details of a selected event, use the Event Details tab. Double-click the event to open this tab.

In addition to displaying event details, this view provides some useful functionality. Click anywhere in the Event Details tab to open the shortcut menu with the additional options:

  • Copy to Clipboard
    You can paste the copied event details in a spreadsheet, word processor, plain text file and so on. The result should be correctly formatted for any of these destinations.
  • View Details in Eventopedia
    Eventopedia (http://eventopedia.cloudapp.net) is an encyclopedia of known audit log events that explains their meanings and uses.
  • Investigate in IT Security Search and Set Up IT Security Search Link
    See Drilling Down with IT Security Search below for details.

  • Email Event Details
    This action composes an email message from the event details in Microsoft Outlook. An installed copy of Outlook is required.

Drilling Down with IT Security Search

You can use the event whose details you are viewing as a starting point for an event analysis session in IT Security Search.

Before you can use this functionality, you need to configure the link between Repository Viewer and IT Security Search. Repository Viewer needs to know the URL where IT Security Search is available in your environment and which event fields to use for generating search queries. Click Set Up IT Security Search Link in the shortcut menu to specify these settings.

After you have configured the link, you can use the Investigate in IT Security Search action with any event currently opened in the Event Details tab.

For details about using IT Security Search, see the IT Security Search User Guide.
