Chat now with support
Chat with Support

InTrust 11.6.1 - InTrust Reports

Major Security Events

Event log cleared

This InTrust report shows event log cleared events. Event logs should be cleared only when there is lack of free space, which rarely occurs. Therefore, instances of event logs being cleared can indicate intruder activity and attempts to cover the tracks.

System Time changed

This InTrust Report shows the occurrences of System Time Change event. Time synchronism is a critical condition for most network environments. Unauthorized manual time change can cause improper functioning of services, business applications and authentication subsystem.

User account lock-unlock

This InTrust report shows user account locked out and unlocked. A user account can be locked in accordance with the Account Lockout Policy (as a rule, after an incorrect password is entered several times in a row). Such a situation may mean password-guessing, especially if an administrative account gets locked. Click a user account in the report to view its details.

Normal User Activity

Logons

Suspicious Logons

Logons during non-business hours

Users do not normally logon to the system during non-working hours. An abnormal number of logons during non-business hours may indicate an intrusion attempt. With this InTrust report, you can examine every attempt in detail to find out who was doing what during the specified time interval.

Logons with built-in account names

This InTrust report shows logons with built-in account names. Almost every system includes a number of built-in accounts (Guest, Administrator, etc.). These accounts are primary targets for intrusions and attacks because their names are well-known. Intensive successful logons using these accounts can indicate an intrusion attempt.

Multiple Logon Failures

Multiple logon failures can indicate a brute-force attack. This InTrust report provides detailed information on logon failures, including the user account, the reason for failure, the logon type, etc. Click a number in the Attempts column to find out details of logon failures in a subreport.

Multiple logons failure [Windows-Kerberos-NTLM]

This InTrust report shows failed logons that came in series. In the report, a series is several logons of the same type from the same computer within the specified time interval. Kerberos, NTLM and Windows events are displayed separately for each domain.

Usual Logons

Account logon events [NTLM]

NT LAN Manager is a traditional password-based authentication protocol for Windows-based networks. This InTrust report displays information on NT LAN Manager audit results.

Active Directory Administrator Logons

This InTrust report documents all logons to domain controllers by users with administrator equivalent user rights.

All logons

This InTrust report shows successful and failed logons of all types. For failed logons, reasons are displayed. This helps analyze who tried to log on to which computers from which workstations.

All logons [with hyperlinks]

This InTrust report shows successful and failed logons of all types. For failed logons, reasons are displayed. This helps analyze who tried to log on to which computers from which workstations.

Domain Account Authentication

This InTrust report is intended to show account logon events on Domain Controllers including both NTLM and Kerberos authentication.

Logon activity trends

This InTrust chart graphically represents logon activity in your network, visualizing, for example, statistics for logons that failed due to different reasons (for example, bad password, disabled user account, etc.). The chart allows you to detect trends in logon activity and analyze anomalies.

Successful Authentication ticket granted

This InTrust report shows successful account logons based on kerberos events.

Object Access

Active Directory object access [DS logging]

This InTrust report shows Active Directory object access attempts. Access to some types of objects may be unwarranted. The report is based on information from the Directory Service log, and it complements the Active Directory object access report.

Active Directory objects access

This InTrust report shows Active Directory object access attempts. Access to some types of objects may be unwarranted. Such events often indicate changes to the environment, and they need to be tracked. Note This report is based on object access events from the Security log.

File Access

This InTrust report shows file access attempts. Access to certain files may be unwarranted.

Group Policy Object access

This InTrust report shows Group Policy objects access attempts. Access to this type of objects may be unwarranted. Such events often indicate changes to the policies, and they need to be tracked. Note This report is based on object access events from the Security log.

NTFS audit [Windows XP 2003 and later]

This InTrust report helps you analyze the files and folders audit events from the Security log (Windows XP, Windows Server 2003 and later). If files or folders are accessed through network shares rather than locally, the report does not show such situations. Use report filters to precisely find out the information you need.

Registry Access

This InTrust report shows attempts to access registry keys. Access to some registry keys (particularly the startup keys) may be unwarranted.

Registry Value Modifications [Windows 2008 Vista]

This InTrust report shows modifications of the registry values on Windows 2008, Windows Vista machines. The report is based on EventID=4657. Note: Some value changes cannot be displayed due to specific data type.

Remote Access

RAS authentication failures

This InTrust report shows situations when a user failed to authenticate with the remote access server. Sometimes this means a failed attempt to gain unauthorized access to resources.

Software and System Audit

Security Subsystem Events

Active Directory security subsystem faults

Active Directory subsystems (for example, Net Logon) provide for security functions; therefore, errors in their operation may indicate security breaches. This InTrust report helps track such errors.

Event Log Errors

Errors or warnings from the event log could be an indication of intruder activity or an auditing system malfunction. This InTrust report shows situations when event logs generated warnings or errors.

Logon Components Failures

This InTrust report shows situations when a logon failed because the Net Logon service was not running or because an unspecified error occurred. The Net Logon service is used for authenticating users and services via a secure channel between a workstation and a domain controller. The report helps respond to such significant errors as soon as possible.

Policy enforcement errors

This InTrust report shows some events from the security policy subsystem which could be an indication of intruder activity or a potential security breach.

Windows File Protection System Events [except Windows 2008 Windows Vista]

This InTrust report shows windows file protection system events. They indicate activity that might affect critical system files. Events not caused by legitimate tasks (such as installing or uninstalling software) may indicate intrusion attempts.

Software Applications

Process executed summary

This InTrust report summarized each program executed by server and how many times the program was executed during selected time period.

Process tracking

This InTrust report shows whether the applications you specify were started. If an application is prohibited, its launch may indicate a security issue. What is more, running restricted software often means corporate policy violations.

Server Reboots

This InTrust report shows the number of reboots for the servers in your environment within a specified time period. Click a number in the Count column to view details of each reboot event in a subreport. If reboots are too frequent or too numerous, this may indicate a problem with the computers where they occur.

Server reboots [Win2003 Win2008]

This InTrust report shows both expected and unexpected server reboots (Windows 2003, Windows 2008 only). Notes: Please ensure than Shutdown Event Tracker service is enabled at your servers.

Service installation attempt

The set of system services installed is a significant term of server configuration. Unauthorized service installation attempt may indicate that system intrusion is occurred. This InTrust report is based on the following events: 4697 for Windows 2008/Vista, 601 for other Windows versions

Software installation

This InTrust report helps track what software products are installed or failed to install on which computers. The report shows only those products whose setup programs use Windows Installer. Using the Grouping filter, you can organize the information as necessary. To see what software was installed on particular computers, use grouping by computer. To find out where certain software products were installed, use grouping by software product.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating