Chat now with support
Chat with Support

InTrust 11.5.1 - Searching for Events in Repository Viewer

Getting Started with Repository Viewer

Notes:

  • When you launch Repository Viewer for the first time, the console asks you to specify the repository to look in.
  • Repository Viewer remembers the most recently used repository and opens it automatically on startup.

To open a repository, click Repositories | Open in the main menu. You are prompted to select what kind of repository to connect to: idle repository or production repository. These options mean the following:

  • Production repository
    This ensures that the InTrust server you specify handles the communication between Repository Viewer and the repository. Always use this option if the repository you need is managed by an InTrust server and is available for gathering, consolidation and other operations. This method does not lock down the repository index, and multiple instances of Repository Viewer can use its index simultaneously.
  • Idle repository
    This makes Repository Viewer read data directly from the repository without any intermediary components. Use this option only when the repository you need is not attached to any InTrust server. For example, it can be a backup copy of a production repository or an idle repository with historical data. Note that using direct connection locks the index of a repository so that only the first-connected instance of Repository Viewer can use the advantages of indexing.

Production repositories can be grouped together to form repository groups. A repository group acts as a single unit: you can run searches on it and create reports as if it were a regular repository. For details about repository group membership, see Managing Repository Groups.

NOTE: Repository Viewer works with repository groups concurrently, but multi-repository searching is not completely overhead-free.

Repository groups are stored in InTrust configuration, and they are available to every instance of Repository Viewer connected to the InTrust organization.

To open a production repository or repository group

  1. Select whether you want to connect by specifying an InTrust organization or a specific InTrust server.
  2. Select the organization or server.
  3. Select whether you want to open individual repositories or a repository group.
    The following happens for individual repositories:
    • If you select a single repository, it will open in a temporary group. If there is still one repository in the group by the time you finish the session, the group is not saved in InTrust configuration.
    • If you select multiple individual repositories or repository groups, a new group will be created for them, and the group will open. It will include all members in your selection.

    If you select a repository group, that group will open.

You should always use the index if it is available and up to date. The index makes Repository Viewer operation interactive.

Notes:

  • For access to a production repository, Repository Viewer must be running under any of the following:
    • An account that is listed as an organization administrator.
    • An account which has at least Read permissions on the repository and index and is a member of the computer local AMS Readers group on the InTrust server that manages the repository (or repositories) and on the InTrust server that Repository Viewer connects to (these may be two different servers).
  • Make sure all InTrust servers in the organization have the agent communication port (900 by default) and InTrust Server management port (8340 by default) open for inbound traffic.
  • If Repository Viewer connects from a remote computer, inbound TCP ports 1024 to 65535 must be open on that computer for communication with the InTrust server.
  • After you have opened a repository or repository group from some InTrust organization, there is a quick way to open other repositories from the same organization. For that, click Repositories | Change.

To open an idle repository

  1. Specify the local or network path to the repository root folder.
  2. To use the index of the repository, in the Index location group of options select Repository folder or supply a path in the This location text box. To continue without an index, select No index.

Note: For access to an idle repository, Repository Viewer must be running under an account with at least Read permissions on the share that contains the repository.

Once you have opened a repository or repository group, the left pane shows the following:

  • A navigation tree with the repository structure
    The tree represents the repository structure using multiple levels, such as environment (Microsoft Windows or Unix), domain (for Windows only) and computer.
  • Predefined searches with search condition presets
    These are essentially built-in interactive reports. For details, see Predefined Searches.
  • Custom searches
    These are searches that you create yourself, either based on existing ones or from scratch. For details, see Custom Searches.

The right pane contains search tools.

Note: Any tab can be detached and docked freely in the right pane. To detach a tab, drag it away from where it is docked. To dock a pane, drag it onto any of the areas of the view compass that appears. To make it a tab again, right-click its caption and select Tabbed Document.

Running Searches

To run a search, click Go. The context of your search depends on the following:

  1. Where in the navigation tree you are
    Selecting a node in the navigation tree means that your searches will include only the events available at that node's level. For example, to look in the entire repository group, select the repository group node; to get events only from a particular repository or computer, select that repository or computer's node.
  2. Whether you are using any parameter filters
    Running the search without any parameters will show you all events at your current navigation tree level. If you add any filters, they are applied during the search. If you have selected any search in the left pane, you are already using the filter set configured for that search.

By default, the number of search results that can be displayed at once is capped at 5000. If you reach this limit, consider specifying better filtering conditions. You can also change the search result limit on the Search Filter tab.

Notes:

  • The higher the search limit, the more memory is used by Repository Viewer. If you want to increase the search result limit beyond 5000, do it with caution.
  • Use filtering by date whenever the date range is known. This speeds up searches considerably.

Predefined Searches

Repository Viewer provides an extensive set of preconfigured searches out of the box. They will likely cover most of your event analysis needs; consider trying these searches before you begin creating your own. To view and use the searches included by default, expand the Predefined Search Folders node. Predefined searches are available only when you are working with production repositories.

Notes:

  • Predefined searches are stored in the InTrust configuration database.
  • Predefined searches are updated from one InTrust version to another. This can cause upgraded Repository Viewer to fail to find events that the old version was able to find. For details, see Changes to Event Fields. Events gathered to the repository after the InTrust upgrade are fully compatible with the updated predefined searches.

You can freely modify these searches in the Search Filter tab (see Filter Parameters for details). However, any changes you make are applied only for the current session. The next time you open Repository Viewer, predefined searches will be in their default state. If you want to save your changes permanently, make a copy of the modified search using the Copy To button in the toolbar of the Search Filter tab . A predefined search can be a convenient starting point for creating your own search.

Note: The Copy To button is available only when an existing search is selected. When the filter parameters are configured from scratch, the button is labeled Save As.

In addition to the search filter configuration, the saved search includes the event list layout. If you have configured grouping and sorting for the search (see Configuring the Result Layout for details), these settings are preserved.

After you have saved your own search, all subsequent changes to it are applied immediately and permanently. See also the Custom Searches topic.

Changes to Event Fields

The set of fields in events stored in the InTrust repository has been expanded from version to version. Predefined searches in Repository Viewer have kept up with those changes and incorporated the newly-added fields. As a result, predefined searches may not always work as expected on event data that was collected by older versions of InTrust. This topic lists the added fields by InTrust version.

If your search unexpectedly turns up too little old data, you may want to modify the search to exclude recently implemented fields.

Added in Version 11.4.1 Update 1

New fields for rule match event (event ID 17408) in InTrust Server log:

Field Name Field Display Name

Alert

Alert

Alert_Code

Alert Code

Alert_Generation_Time_Local

Alert Generation Time Local

Alert_Generation_Time_UTC

Alert Generation Time UTC

Alert_Severity

Alert Severity

Rule_ID

Rule ID

Severity_Code

Severity Code

Added in Version 11.4.1

New fields for Security log events that have Active Directory attributes in their descriptions:

Field Name Field Display Name

DNS_Host_Name

DNS Host Name

Domain_Behavior_Version

Domain Behavior Version

Force_Logoff

Force Logoff

Lockout_Duration

Lockout Duration

Lockout_Observation_Window

Lockout Observation Window

Lockout_Threshold

Lockout Threshold

Machine_Account_Quota

Machine Account Quota

Max_Password_Age

Max Password Age

Min_Password_Age

Min Password Age

Min_Password_Length

Min Password Length

Mixed_Domain_Mode

Mixed Domain Mode

OEM_Information

OEM Information

Password_History_Length

Password History Length

Password_Properties

Password Properties

Service_Principal_Names

Service Principal Names

New fields for InTrust Server log events:

Field Name Field Display Name

Alert_Code

Alert Code

Alert_Severity

Alert Severity

Port

Port

License

License

Data_Source_Type

Data Source Type

Server

Server

Timezone

Timezone

UTC_offset

UTC offset

Permission

Permission

Removed in Version 11.4.1

These fields were never used and have been superseded:

Field Name Field Display Name

DS_Name

DS Name

DS_Type

DS Type

Added in Version 11.4

New fields for InTrust Self-Audit log events:

Field Name Field Display Name

Audit_Level

Audit Level

Extension

Extension

Interface

Interface

Interface_ID

Interface ID

UTC

UTC

Log_Name

Log_Name

End_Date

End Date

Job

Job

New fields for PowerShell log events:

Field Name Field Display Name

Context

Context

User_Data

User Data

Payload

Payload

Scriptblock

Scriptblock

Scriptblock_ID

Scriptblock ID

New fields for Windows Security log event 4738:

Field Name Field Display Name

Account_Expires

Account Expires

AllowedToDelegateTo

Allowed To Delegate To

Home_Directory

Home Directory

Home_Drive

Home Drive

Logon_Hours

Logon Hours

Password_Last_Set

Password Last Set

Primary_Group_ID

Primary Group ID

Profile_Path

Profile Path

Script_Path

Script Path

SID_History

SID History

User_Account_Control

User Account Control

User_Parameters

User Parameters

User_Workstations

User Workstations

Added and Changed in Version 11.3.2

New field for Windows Security log events:

Field Name

Field Display Name

Failure_Code

Failure Code

Repurposed field for Windows Security log events, changed to contain textual descriptions instead of failure codes:

Field Name

Field Display Name

Failure_Reason

Failure Reason

New fields for the Agent Management and Real-Time Service sources in InTrust Sever log events:

Field Name

Field Display Name

Agent

Agent

AgentID

Agent ID

Data_Source

Data Source

Data_Source_ID

Data Source ID

Error_Text

Error Text

Not_Responding_Minutes

Not Responding Minutes

Not_Responding_Seconds

Not Responding Seconds

Percent

Percent

Repository

Repository

Rule

Rule

Size

Size

Added and Changed in Version 11.3.1

Field Name Field Display Name

DS_Name

DS Name

DS_Type

DS Type

Property

Property

Schema

Schema

Status

Status

Value

Value

Added and Changed in Version 11.3

These changes mostly concern the ARS log and also, to a minor extent, Windows Security log.

Field Name Field Display Name

Access_Mask

Access Mask

Accesses

Accesses

Account_Domain

Account Domain

Activity

Activity

Activity_Operation_GUID

Activity Operation GUID

Activity_Operation_ID

Activity Operation ID

Activity_Type

Activity Type

Admin_Account

Service Account

Advanced_Options

Advanced Options

Approver

Approver

Assembly

Assembly

Attachment_file_name

Attachment file name

Attestor

Attestor

Attribute

Attribute

Attribute_name

Attribute name

Authentication_Package

Authentication Package

Body

Body

Branch

Branch

CAP

CAP

CAPs_Added

CAPs Added

CAPs_Deleted

CAPs Deleted

CAPs_Modified

CAPs Modified

Certificate_Issuer_Name

Certificate Issuer Name

Certificate_Serial_Number

Certificate Serial Number

Certificate_Thumbprint

Certificate Thumbprint

Class_ID

Class ID

Class_Name

Class Name

Collection

Collection

Command

Command

Compatible_IDs

Compatible IDs

Configuration

Configuration

Configuration_Group

Configuration Group

Configured_Names

Configured Names

Container

Container

Database

Database

DC

DC

Destination

Destination

Details

Details

Details2

Details 2

Details3

Details 3

Device_Claims

Device Claims

Device_ID

Device ID

Device_Name

Device Name

Direction

Direction

Disable_Integrity_Checks

Disable Integrity Checks

Disabled_Privileges

Disabled Privileges

Enabled_Privileges

Enabled Privileges

EncapMethod

EncapMethod

Error_Code

Error Code

EtherType

EtherType

Event_in_Sequence

Event in Sequence

Expiration

Expiration

Failed

Failed

File_Name

File Name

Filter

Filter

Filter_ID

Filter ID

Flight_Signing

Flight Signing

Forest

Forest

Function

Function

GC

GC

GC_Site

GC Site

Group_Membership

Group Membership

Group_Type

Group Type

Handle_ID

Handle ID

Handler

Handler

Hardware

Hardware

Header

Header

HyperVisor_Debugging

HyperVisor Debugging

HyperVisor_Launch_Type

HyperVisor Launch Type

HyperVisor_Load_Options

HyperVisor Load Options

Instance

Instance

Interval

Interval

IP_Address

IP Address

Kernel_Debugging

Kernel Debugging

Layer_ID

Layer ID

Layer_Name

Layer Name

Load_Options

Load Options

Location

Location

Logon_ID

Logon ID

Master

Master

Maximum_Allowed

Maximum Allowed

Module

Module

Module_GUID

Module GUID

Nested_Group

Nested Group

New_Accesses

New Accesses

New_MaxUsers

New MaxUsers

New_Name

New Name

New_Remark

New Remark

New_SD

New SD

New_Share_Flags

New Share Flags

Object_ID

Object ID

Old_MaxUsers

Old MaxUsers

Old_Remark

Old Remark

Old_Share_Flags

Old Share Flags

Operation

Operation

Operation_GUID

Operation GUID

Operation_ID

Operation ID

Ownership_Type

Ownership Type

Packets_Discarded

Packets Discarded

Parameters

Parameters

Partition

Partition

Policy_Category

Policy Category

Policy_Change

Policy Change

Policy_ID

Policy ID

Policy_Subcategory

Policy Subcategory

Pre_Authentication_Type

Pre-Authentication Type

Process_ID

Process ID

Protocol

Protocol

Reason

Reason

Result

Result

Result_Code

Result Code

Run_As

Run As

Schema_Builtin_Version

Schema Builtin Version

Schema_Info

Schema Info

Schema_Virtual_Version

Schema Virtual Version

SCP

SCP

SD

SD

Sequence_Length

Sequence Length

Server_Name

Server Name

Service_ID

Service ID

Service_Name

Service Name

Shadow

Shadow

Share_Name

Share Name

Share_Path

Share Path

Silo_Name

Silo Name

Site

Site

SnapControl

SnapControl

SnapOui

SnapOui

Source_Details

Source Details

Source_Network_Address

Source Address

SPN_Name

SPN Name

Start_Date

Start Date

Succeed

Succeed

System_Event_Logging

System Event Logging

Target_Address

Target Address

Target_Port

Target Port

Task

Task

Test_Signing

Test Signing

TGT_Lifetime

TGT Lifetime

Ticket_Encryption_Type

Ticket Encryption Type

Ticket_Options

Ticket Options

Total

Total

TPAM_Failed

TPAM: Failed

TPAM_Operation

TPAM: Operation

TPAM_Role

TPAM: Role

TPAM_Target

TPAM: Target

Transited_Services

Transited Services

UNIX_Result

UNIX: Result

User_Claims

User Claims

User_Name

User_Name

VlanTag

VlanTag

VSM_Launch_Type

VSM Launch Type

vSwitch_ID

vSwitch ID

Workflow

Workflow

Workflow_GUID

Workflow GUID

Added in Version 11.1

Field Name Field Display Name

Facility

Facility

Object_New_DN

Object New DN

Object_Old_DN

Object Old DN

Severity

Severity

Added in Version 11.0

Field Name Field Display Name

UNIX_AUDIT_NAME

Audit Event

UNIX_AUDIT_CLASS

Audit Class

UNIX_AUDIT_CALL

Audit Call

UNIX_AUDIT_TRAIL

Audit Trail

UNIX_AUDIT_COMMAND

Audit Command

Added in Version 10.7

Field Name

Field Display Name

Filer

Filer

New_path

New path

Scope

Scope

Number_of_results

Number of results

Query_filter

Query filter

Attribute_name

Attribute name

Elapsed

Elapsed

Query_type

Query type

TPAM_Operation

Operation

TPAM_Role

Role

TPAM_Target

Target

TPAM_Failed

Failed

UNIX_Result

Result

UNIX_OS

OS

QPMU_Service

Service

QPMU_Master_host

Master host

QPMU_Submit_host

Submit host

QPMU_Submit_user

Submit user

QPMU_Run_host

Run host

QPMU_Run_user

Run user

QPMU_Command_line

Command line

Permissions_Changed

Permissions Changed

Original_Owner

Original Owner

New_Owner

New Owner

Data_Written

Data Written

Permission_level_name

Permission level name

Permission_level_allow_mask

Permission level allow mask

Permission_level_deny_mask

Permission level deny mask

Site_URL

Site URL

List_URL

List URL

List_relative_URL

List relative URL

User_Logon_Name

User Logon Name

Applied_to

Applied to

Inherited_from

Inherited from

Version

Version

Grantee_user_name

Grantee user name

Grantee_group_name

Grantee group name

Field_Name

Field Name

Old_value

Old value

New_value

New value

Attachment_file_name

Attachment file name

Added in Version 10.6

Field Name

Field Display Name

Affected_Group

Affected Group

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating