Suppose a critical file (such as a project roadmap or payroll file) is showing signs of tampering. You want to use IT Security Search to look into this.
To make the investigation as efficient as possible, make sure that data from the following sources is available:
You are about to examine the circumstances of file modifications, so it makes sense to start by finding the affected file. This will provide clues about where to go next and also mark a point (as a breadcrumb) that you can always fall back to, even if your next steps take you too far.
When you have found the file, open its full details and use the Who accessed this file link provided in that view. In the list of events that are found, find a "File changed" event and use the What facet to filter out other types of events. Try to spot any unlikely users in the list of file change events.
Suppose you find an event by a user who is not meant to have access to the file. Note the time of the event, and then open the details of the event and click the user name. In the user details view that opens, click the Files and folder where this user has permissions link. If the file in question is not listed, that means the permissions have been rolled back by now—likely a piece of incriminating data.
You can also view the entire history of permission management for the file. Use the breadcrumbs to go back to the file details view, and click the Who granted permissions to this file link.
Use the breadcrumbs to go back to the user details view, and click the Activity initiated by this user link. Use the time range filter to restrict the results to a period around the time of the suspicious file modification. The results may reveal noteworthy details about the situation. Consider examining InTrust-specific user session events for the following clues:
In addition, check if there were any attempts to clear security logs.
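As an added cross-check outside IT Security Search (example script, not part of this documentation), the file server's own Security log can be queried for "audit log cleared" events (Windows Event ID 1102) around the time noted from the "File changed" event. It assumes only the built-in Get-WinEvent cmdlet and remote read access to the server's Security log; the parameter names are the example's own.

```powershell
# Added example: look for Security log clearing (Event ID 1102) on the file server
# within a window around the suspicious file modification time.
param(
    [Parameter(Mandatory)] [string]   $ComputerName,          # server hosting the tampered file
    [Parameter(Mandatory)] [datetime] $SuspiciousChangeTime,  # time taken from the "File changed" event
    [int] $WindowHours = 6
)

$filter = @{
    LogName   = 'Security'
    Id        = 1102                                   # "The audit log was cleared"
    StartTime = $SuspiciousChangeTime.AddHours(-$WindowHours)
    EndTime   = $SuspiciousChangeTime.AddHours($WindowHours)
}

# Get-WinEvent reports "no events found" as an error; treat that as an empty result
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    "No Security log clearing on $ComputerName within +/-$WindowHours h of $SuspiciousChangeTime"
    return
}

foreach ($e in $events) {
    # Event 1102 records the clearing account under UserData/LogFileCleared, not EventData
    $x = [xml]$e.ToXml()
    $cleared = $x.Event.UserData.LogFileCleared
    [pscustomobject]@{
        TimeCreated       = $e.TimeCreated
        ClearedBy         = "$($cleared.SubjectDomainName)\$($cleared.SubjectUserName)"
        LogonId           = $cleared.SubjectLogonId
        MinutesFromChange = [math]::Round(($e.TimeCreated - $SuspiciousChangeTime).TotalMinutes)
    }
}
```

Compare the ClearedBy account and LogonId with the user and session found in the Activity initiated by this user view.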
Suppose a user complains about being unable to log in through VPN. Use IT Security Search to investigate and resolve the situation.
For best results, enable the following connectors:
You should start by searching for the David Shore user account, which is having problems. To get results quickly, use the Whom:"David Shore" query. This will take you directly to the events that affected the account.
Suppose the search results include group membership change events from InTrust and Change Auditor indicating that the user was removed from one or more groups. Examine these events and find the one about the group used for providing VPN access. Note that the timestamp of the event is later than the last Active Directory backup. Also note the other event details such as who did this.
In the breadcrumbs line, click the user name to open the user details, and go to the History tab. In the change history view, locate the state before the VPN-related group membership change, and click the corresponding Restore object to this state link.
VPN access for David Shore is restored now, and you know who interfered with his group membership.
Suppose a new user is not getting the expected permissions to open a network share. You want to use IT Security Search to look into this.
To make the investigation as efficient as possible, make sure that data from the following sources is available:
You are about to examine share access, so it makes sense to start by looking at share permissions.
Search for the share path. Click the share you need in the list of results and open its details. In the permissions table, you find the Marketing group, which is used for controlling access to the share. Apparently the user is supposed to be a member of this group, but is not.
Do a search for the Marketing group; click the group in the results and go to its details view. It turns out to be an Active Roles dynamic group. Click the Membership Rules tab in the details table to see how the group is populated. In the Rule Details column, you find the following rule: "[User] department Is (exactly) Marketing".
The user's department information is probably wrong, making the user unfit for membership in the Marketing dynamic group. See if this guess is correct: search for the user name, locate the user in the results and open the user's details.
You find that the value of the Department attribute has a typo: "Markering" instead of "Marketing", and you notify the security administrator about this issue.
When you get a response from the administrator saying that the problem has been resolved, you do another search for the Marketing group to confirm that the user is now a member.
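Because an "Is (exactly)" rule silently excludes every user whose attribute is misspelled, not just the one who complained, the sweep below (an added example, not part of this documentation or of Active Roles) lists all users whose Department value is within a couple of edits of the rule value. It assumes the RSAT ActiveDirectory module and read access to user objects; the function names and the distance threshold are the example's own.

```powershell
# Added example: find Department values that nearly match a dynamic group rule value
# (e.g. "Markering" vs "Marketing") so the typos can be fixed before users are affected.
Import-Module ActiveDirectory

function Get-EditDistance {
    # Levenshtein distance between two strings, compared case-insensitively
    param([string]$A, [string]$B)
    $a = "$A".ToLowerInvariant(); $b = "$B".ToLowerInvariant()
    $prev = 0..$b.Length
    for ($i = 1; $i -le $a.Length; $i++) {
        $cur = @($i) + (@(0) * $b.Length)
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i-1] -eq $b[$j-1]) { 0 } else { 1 }
            $cur[$j] = [math]::Min([math]::Min($cur[$j-1] + 1, $prev[$j] + 1), $prev[$j-1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$b.Length]
}

function Find-DepartmentNearMiss {
    # Users whose Department is close to, but not exactly, the rule value
    param([string]$Expected = 'Marketing', [int]$MaxDistance = 2)
    Get-ADUser -Filter 'Department -like "*"' -Properties Department |
        Where-Object {
            $d = Get-EditDistance $_.Department $Expected
            $d -gt 0 -and $d -le $MaxDistance    # "Markering" scores 1; exact matches are excluded
        } |
        Select-Object SamAccountName, Department, @{ n = 'Expected'; e = { $Expected } }
}

Find-DepartmentNearMiss -Expected 'Marketing'
```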
If you need to contact Support, you should provide various technical details for a speedy response. IT Security Search includes a utility that automatically gathers all the information that support engineers may need and stores it in a single ZIP file.
To create such a file, open the About box in the IT Security Search UI, select the Contact tab and click Gather Support Information (or Save Information for Support since IT Security Search 11.3.2 Update 1). The file is not transferred to Support automatically. To submit it, open a service request at https://support.quest.com/contact-support.
Quest needs your consent for gathering the data, because some information in the resulting file may be considered sensitive. Quest ensures that storage and processing of this information are duly protected to safeguard your privacy.
The following information is gathered:
IT Security Search uses PowerShell to collect the data.