
IT Security Search 11.3 - User Guide

Where the Data Comes From

IT Security Search relies on data provided by auditing systems. At this time, the following systems are supported:

  • InTrust
  • Change Auditor
  • Enterprise Reporter
  • Recovery Manager for Active Directory
  • Active Roles

You can connect to any combination of these systems. However, to make the most of IT Security Search, you should establish links with all of them that are available to you. IT Security Search is designed to correlate the data they supply, sparing you the effort of trying to match disparate bits of information to build up a picture.

For example, an event captured by InTrust can prompt you to examine the initiator user account closely; user information is provided by Enterprise Reporter. Next, you might be interested in recent changes to the user account; this information comes from Change Auditor. With all three systems interconnected, these transitions from one piece of data to another are quick and seamless.

Support for Recovery Manager for Active Directory lets you perform recovery directly from the IT Security Search interface in addition to viewing a list of available backup states. For each of them, the Restore object to this state link is provided. If the object was changed rather than deleted, you can select specific modified attributes to restore. If it was deleted, you can only restore it to a full state.

Specifying Data Sources

To configure the connections between IT Security Search and any of the supported systems available in your environment, go to the IT Security Search settings page. To open this page, click Settings in the upper right corner.

See the following topics for details about connection configuration for each of the systems:

Change Auditor Database

Change Auditor produces information about changes to critical resources such as Active Directory, Exchange or files on file servers. Generally, whenever you are looking for an answer to the question “What changed in the environment?” in IT Security Search, the data is likely provided by Change Auditor.

To start configuring the Change Auditor database data link, select the Connector enabled option. To set up a connection to the Change Auditor database, configure the standard SQL Server database access settings:

  • Server name
  • Database name
  • Authentication type
    The following options are available:
    • Windows authentication
      Make sure the Active Directory account you specify is granted Read permissions on the database.
    • SQL Server authentication
      Specifies that SQL Server-specific credentials are used.
  • User name and password

To verify that your Change Auditor database access works, click the Test Connection link.

Finally, click Apply.

Caution: To make Change Auditor generate the events you want to see in IT Security Search, configure monitoring of the Active Directory attributes you are interested in. For that, in the configuration of the Auditing task, in the AD Attribute Auditing page, go to Forest Attributes. Select the object class and enable monitoring for the necessary attributes.

For details about working with Change Auditor tasks, see the Change Auditor User Guide.

InTrust Repository

InTrust collects audit events from a wide range of logs on a variety of platforms. Generally, whenever you are looking for an answer to the question “What happened?” in IT Security Search, the data is provided by InTrust.

To start configuring the InTrust repository data link, select the Connector enabled option. To set up a connection to one or more InTrust repositories with audit data, configure the following:

  • InTrust server name and credentials
    This is an InTrust server in the InTrust organization where the repository is registered. There can be multiple servers in an InTrust organization, and any of them is accepted.
  • The repository or repositories to connect to

NOTES:

  • The page shows the date of the last gathered event across all of the included repositories.
  • If there was recently a problem with a repository, indicated by an error icon, hover the mouse cursor over that repository, and a tooltip will show the error message.

To verify that your repository access works, click the Test Connection link.

Finally, click Apply.

Enterprise Reporter Database

Enterprise Reporter retains information about the configuration of critical systems. Generally, whenever you are looking for an answer to the question “What settings are configured for this?” in IT Security Search, the data is provided by Enterprise Reporter.

To start configuring the Enterprise Reporter database data link, select the Connector enabled option. To set up a connection to the Enterprise Reporter database, configure the standard SQL Server database access settings:

  • Server name
  • Database name
  • Authentication type
    The following options are available:
    • Windows authentication
    • SQL Server authentication
      Specifies that SQL Server-specific credentials are used.
  • User name and password
    Make sure the Active Directory account you specify is granted Read and Execute permissions on the database.

To verify that your Enterprise Reporter database access works, click the Test Connection link.

Finally, click Apply.
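
The database permissions named above (Read on the Change Auditor database, Read and Execute on the Enterprise Reporter database) can be granted and then checked in T-SQL before you click Test Connection. This is an added example, not part of the Quest documentation. The account name and both database names are placeholders, and mapping "Read" to database-level SELECT and "Execute" to database-level EXECUTE is an assumption.

```sql
-- Added example. Placeholders (assumptions, not values from the guide):
--   CONTOSO\svc-itss        AD account entered in the connector settings
--   [ChangeAuditorDb]       Change Auditor database
--   [EnterpriseReporterDb]  Enterprise Reporter database

USE [master];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\svc-itss')
    CREATE LOGIN [CONTOSO\svc-itss] FROM WINDOWS;
GO

-- Change Auditor database: read only.
USE [ChangeAuditorDb];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CONTOSO\svc-itss')
    CREATE USER [CONTOSO\svc-itss] FOR LOGIN [CONTOSO\svc-itss];
GRANT SELECT TO [CONTOSO\svc-itss];
GO

-- Enterprise Reporter database: read and execute.
USE [EnterpriseReporterDb];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CONTOSO\svc-itss')
    CREATE USER [CONTOSO\svc-itss] FOR LOGIN [CONTOSO\svc-itss];
GRANT SELECT  TO [CONTOSO\svc-itss];
GRANT EXECUTE TO [CONTOSO\svc-itss];
GO

-- Check the effective rights as the account itself. Run once per database.
-- A 1 in can_insert, can_alter or can_control means the account holds more
-- than the connector needs, usually through a group or role membership.
USE [EnterpriseReporterDb];
EXECUTE AS LOGIN = N'CONTOSO\svc-itss';
SELECT DB_NAME()                                            AS database_name,
       HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'SELECT')   AS can_select,
       HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'EXECUTE')  AS can_execute,
       HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'INSERT')   AS can_insert,
       HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'ALTER')    AS can_alter,
       HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'CONTROL')  AS can_control;
REVERT;
GO
```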

Caution: In the properties of the NTFS discovery you use in Enterprise Reporter, make sure the For this discovery, collect through option is set to The administrative share. This is required for correlation of Change Auditor data with information about files. For details about working with Enterprise Reporter discoveries, see Creating and Managing Discoveries.

Indexing

Before you can use data from the Enterprise Reporter database, you need to wait until an index is built.

To track the progress of index building, check the Enterprise Reporter connector settings page. If any errors occur during database indexing, they are displayed on the page.

You can force reindexing of objects that are loaded from the Enterprise Reporter database by clicking Rebuild Index.
