IT Security Search relies on data provided by auditing and operations management systems. At this time, the following systems are supported:
You can connect to any combination of these systems. However, to make the most of IT Security Search, you should establish links with all of them that are available to you. IT Security Search is designed to correlate the data they supply, sparing you the effort of trying to match disparate bits of information to build up a picture.
For example, an event captured by InTrust can prompt you to examine the initiator user account closely; user information is provided by Enterprise Reporter. Next, you might be interested in recent changes to the user account; this information comes from Change Auditor. With all three systems interconnected, these transitions from one piece of data to another are quick and seamless.
Support for Recovery Manager for Active Directory lets you perform recovery directly from the IT Security Search interface in addition to viewing a list of available backup states. For each of them, the Restore object to this state link is provided. If the object was changed rather than deleted, you can select specific modified attributes to restore. If it was deleted, you can only restore it to a full state.
To configure the connections between IT Security Search and any of the supported systems available in your environment, go to the IT Security Search settings page. To open this page, click Settings in the upper right corner.
See the following topics for details about connection configuration for each of the systems:
Change Auditor produces information about changes to critical resources such as Active Directory, Exchange or files on file servers. Generally, whenever you are looking for an answer to the question “What changed in the environment?” in IT Security Search, the data is likely provided by Change Auditor.
To start configuring the Change Auditor database data link, select the Connector enabled option. To set up connection to the Change Auditor database, configure the standard SQL Server database access settings:
To verify that your Change Auditor database access works, click the Test Connection link.
Finally, click Apply.
|
Caution: To make Change Auditor generate the events you want to see in IT Security Search, configure monitoring of the Active Directory attributes you are interested in. For that, in the configuration of the Auditing task, in the AD Attribute Auditing page, go to Forest Attributes. Select the object class and enable monitoring for the necessary attributes. For details about working with Change Auditor tasks, see the Change Auditor User Guide. |
InTrust collects audit events from a wide range of logs on a variety of platforms. Generally, whenever you are looking for an answer to the question “What happened?” in IT Security Search, the data is provided by InTrust.
To start configuring the InTrust repository data link, select the Connector enabled option. To set up connection to one or more InTrust repositories with audit data, configure the following:
NOTES:
|
To verify that your repository access works, click the Test Connection link.
Finally, click Apply.
Enterprise Reporter retains information about the configuration of critical systems. Generally, whenever you are looking for an answer to the question “What settings are configured for this?” in IT Security Search, the data is provided by Enterprise Reporter.
To start configuring the Enterprise Reporter database data link, select the Connector enabled option. To set up connection to the Enterprise Reporter database, configure the standard SQL Server database access settings:
To verify that your Enterprise Reporter database access works, click the Test Connection link.
Finally, click Apply.
Before you can use data from the Enterprise Reporter database, you need to wait until IT Security Search builds an index of objects that are loaded from the database.
To track the database indexing progress, check the Enterprise Reporter connector settings page. If any errors occur during indexing, they are displayed on the page.
By default, the index is updated every 24 hours. You can force an update by clicking Refresh Data Now.
IT Security Search provides the Who, Whom and Where smart aliases for record fields in the data it analyzes. This ensures that you get associated data from unrelated sources using the same terms in your search queries.
The necessary field mapping is created from Enterprise Reporter data. For example, if the Enterprise Reporter connector is configured, you can proceed from the user details page directly to a list of events initiated by the user. Otherwise, the Activity initiated by this user link may not even be available in the details, or it may produce fewer results than it should.
To make sure Enterprise Reporter provides the data for the mapping, configure a recurring Active Directory discovery that includes users and computers in its scope. Set the frequency of the discovery according to the policies in your environment.
Prior to version 3.0, Enterprise Reporter recorded local file and folder paths (such as C:\Windows\WinSxS\Manifests\manifest.txt); in version 3.0 it began recording network paths (such as \\ITSS30.LOCAL\C$\Windows\WinSxS\Manifests\manifest.txt) instead. The new format is not suitable for correlation with Change Auditor for Active Directory data, which has local paths.
If you are using Enterprise Reporter 3.0 or later, to make sure that links such as Who accessed this file work correctly in IT Security Search, configure a recurring Active Directory discovery of type Computer that includes all the necessary computers in its scope. Set the frequency of the discovery according to the policies in your environment.
By default, the Do not collect object counts option is enabled for Active Directory discoveries in Enterprise Reporter. If IT Security Search uses data obtained by such discoveries, it shows zeros for the number of users, groups and so on in the details of OUs. To make IT Security Search show the correct object counts, make sure the Do not collect object counts option is cleared for your Active Directory discoveries.
© 2024 Quest Software Inc. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center