This chapter describes several common use scenarios for the Knowledge Pack. The related topics describe general methods to achieve typical tasks and do not contain detailed instructions on procedures.
For detailed instructions about working with InTrust configuration objects, refer to the Auditing Guide.
This scenario applies if your environment is configured to allow certain users to perform administrative actions outside Active Roles. Suppose you want to monitor changes to mailbox aliases in your environment that bypass Active Roles.
For example, suppose that there is a distinct policy for mailbox naming, and Active Roles enforces this policy. However, certain personnel can manage mailboxes without using Active Roles. You need to make sure that any mailbox management actions these users perform comply with the policy and that no conflicting changes are made inadvertently.
Configure the “Active Roles: Policy compliance check” rule to send email notifications to your Active Roles operators, as follows:
After that, you will receive notifications whenever a policy violation occurs for an object in the monitored OUs. Watch out for messages about mailbox alias changes.
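The check that such a notification stands for can be reproduced offline. The following is an added example, not code from InTrust or Active Roles: it takes mailbox alias change records, keeps only those not performed by the Active Roles service account, and tests the new alias against a naming policy. The service account name, the alias policy regex and the sample records are constructed assumptions; substitute your own policy.

```python
"""
Added example (not InTrust or Active Roles code): flag mailbox alias
changes made outside Active Roles that break a naming policy.
The service account, the policy and the sample events are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List

# Assumed: account under which the Active Roles service applies changes.
ACTIVE_ROLES_SERVICE_ACCOUNT = "CORP\\svc-activeroles"

# Assumed naming policy: lowercase, starts with a letter, 2-20 characters,
# letters, digits and dots only. Replace with the policy you actually enforce.
ALIAS_POLICY = re.compile(r"^[a-z][a-z0-9.]{1,19}$")


@dataclass
class AliasChange:
    when: str        # ISO-8601 timestamp of the change
    actor: str       # account that made the change
    mailbox: str     # distinguished name of the mailbox object
    old_alias: str
    new_alias: str


def made_outside_active_roles(change: AliasChange) -> bool:
    """True when the change was not performed by the Active Roles service."""
    return change.actor.lower() != ACTIVE_ROLES_SERVICE_ACCOUNT.lower()


def violates_policy(alias: str) -> bool:
    """True when the alias does not match the assumed naming policy."""
    return ALIAS_POLICY.fullmatch(alias) is None


def find_violations(changes: List[AliasChange]) -> List[AliasChange]:
    """Alias changes that both bypassed Active Roles and break the policy."""
    return [
        c for c in changes
        if made_outside_active_roles(c) and violates_policy(c.new_alias)
    ]


# Constructed sample events (not real audit data).
SAMPLE_CHANGES = [
    AliasChange("2024-05-01T09:00:00Z", "CORP\\svc-activeroles",
                "CN=Jane Doe,OU=Sales,DC=corp,DC=example", "jdoe", "jane.doe"),
    AliasChange("2024-05-01T09:05:00Z", "CORP\\bob.admin",
                "CN=John Roe,OU=Sales,DC=corp,DC=example", "jroe", "John Roe"),
    AliasChange("2024-05-01T09:07:00Z", "CORP\\bob.admin",
                "CN=Ann Poe,OU=Sales,DC=corp,DC=example", "apoe", "a.poe"),
    AliasChange("2024-05-01T09:10:00Z", "CORP\\svc-activeroles",
                "CN=Tim Moe,OU=Sales,DC=corp,DC=example", "tmoe", "tim.moe"),
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_CHANGES):
        print(f"{v.when} {v.actor} changed alias of {v.mailbox}: "
              f"{v.old_alias!r} -> {v.new_alias!r} (policy violation)")
```

Only the change by `bob.admin` to `John Roe` is reported: the other change made outside Active Roles (`a.poe`) complies with the policy, and changes made by the service account are excluded because Active Roles already enforces the policy for them.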
In this scenario, you schedule a report on account management actions performed outside Active Roles. The information for the report comes from the Change Auditor for AD log and the Security log on the domain controllers of the domain you are interested in, and from the ARAdminService log on the Active Roles servers in that domain.
To configure this workflow
Now your report storage will contain a detailed report prepared automatically on schedule.
If you prefer to leave the default settings in the predefined task, make a copy of it and use the copy instead.
This scenario is common when the Active Roles service fails and you need to find out the reason. The failure may be due to a denial-of-service attack or other abnormal activity. The symptom of such a situation is a large number of failure audit events in the environment.
You can monitor such situations by deploying the following two rules: “Active Roles Service: General response” and “Active Roles: Multiple failure audit”.
Configure alerts from these two rules to be shown in InTrust Monitoring Console. When “Active Roles Service: General response” tells you that the service is not responding, check whether the alert is accompanied by the “Active Roles: Multiple failure audit” alert.
If both of these alerts are generated during a short period of time, investigate why the failure events occurred.
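The correlation described above, as an added example that is not part of InTrust: alerts from the two rules are read from constructed text lines, and each “General response” alert is paired with “Multiple failure audit” alerts raised for the same computer within a short window on either side of it. The alert line format, the ten-minute window and the same-computer matching are assumptions made for this example.

```python
"""
Added example (not InTrust code): pair "General response" alerts with
"Multiple failure audit" alerts that occur close to them in time.
The line format, window length and sample alerts are constructed.
"""
from datetime import datetime, timedelta
from typing import List, NamedTuple, Tuple

GENERAL_RESPONSE = "Active Roles Service: General response"
MULTIPLE_FAILURE = "Active Roles: Multiple failure audit"


class Alert(NamedTuple):
    time: datetime
    rule: str       # rule that raised the alert
    site: str       # site the alerting computer belongs to
    computer: str   # Active Roles server the alert was raised for


def parse_alerts(text: str) -> List[Alert]:
    """Parse constructed 'time|rule|site|computer' lines into Alert records."""
    alerts = []
    for line in text.strip().splitlines():
        when, rule, site, computer = (f.strip() for f in line.split("|"))
        alerts.append(Alert(datetime.fromisoformat(when), rule, site, computer))
    return alerts


def correlate(alerts: List[Alert],
              window: timedelta = timedelta(minutes=10)
              ) -> List[Tuple[Alert, List[Alert]]]:
    """For each General response alert, collect failure-audit alerts on the
    same computer within +/- window. Only alerts with at least one such
    neighbour are returned, since those are the ones to investigate."""
    failures = [a for a in alerts if a.rule == MULTIPLE_FAILURE]
    hits = []
    for a in alerts:
        if a.rule != GENERAL_RESPONSE:
            continue
        nearby = [f for f in failures
                  if f.computer == a.computer and abs(f.time - a.time) <= window]
        if nearby:
            hits.append((a, sorted(nearby)))
    return hits


# Constructed sample alerts: ARS01 stops responding right after two bursts of
# failure audits; ARS02 stops responding with no failures anywhere near it.
SAMPLE_ALERT_LINES = """
2024-05-01T10:00:00|Active Roles: Multiple failure audit|Active Roles: Servers|ARS01
2024-05-01T10:03:30|Active Roles: Multiple failure audit|Active Roles: Servers|ARS01
2024-05-01T10:05:10|Active Roles Service: General response|Active Roles: Servers|ARS01
2024-05-01T09:20:00|Active Roles: Multiple failure audit|Active Roles: Servers|ARS02
2024-05-01T10:40:00|Active Roles Service: General response|Active Roles: Servers|ARS02
"""

if __name__ == "__main__":
    for outage, failures in correlate(parse_alerts(SAMPLE_ALERT_LINES)):
        print(f"{outage.computer} not responding at {outage.time:%H:%M:%S}; "
              f"{len(failures)} failure-audit alert(s) nearby, "
              f"first at {failures[0].time:%H:%M:%S} - investigate")
```

Only ARS01 is reported: its failure-audit alerts fall within ten minutes of the outage. ARS02 also stopped responding, but its only failure-audit alert is over an hour earlier, so on its own it is not evidence of the pattern the two rules are meant to surface.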
To implement this monitoring, prepare Monitoring Console for the task as described in the Viewing Alerts in InTrust Monitoring Console topic. When creating the alert view, include the two rules listed previously and the “Active Roles: Servers” site.
Remember that your alert viewers and managers must be inspectors for the group that holds the two rules and for the monitored site. Include the rules in the alert view you create.
If this situation is detected, you can further investigate the issue by preparing the “Active Roles all server events” SSRS report and analyzing it in InTrust Knowledge Portal. The report’s EventID filter lets you narrow down the scope of events to be included, and the Date Range filter refines the time period for the report.
For more information about using reports, see the Data Gathering and Reporting topic.
Alternatively, you can analyze events in Repository Viewer or IT Security Search. This means working with events stored in an InTrust repository instead of the audit database. For details, see the following: