IT Security Search 11.3 - User Guide

Active Roles Event Fields

The following table lists the fields that occur in Active Roles events. All of these fields are available in the IT Security Search web UI as clickable elements, and you can also type any of them into your search queries.

| Field Name | Example Value | Details |
| --- | --- | --- |
| AR_ClientComputerName | ITSEARCHTEST3 | Host with Active Roles client software |
| AR_ClientVersion_Build | 2 | Version build number of Active Roles client software |
| AR_ClientVersion_Major | 7 | Version major number of Active Roles client software |
| AR_ClientVersion_Minor | 1 | Version minor number of Active Roles client software |
| AR_ClientVersion_Revision | 3406 | Revision of Active Roles client software |
| AR_Server | arsit | Active Roles Server host |
| Attribute_* | New description1 | New value of attribute |
| ChangedAttributes | description,streetAddress | List of changed attributes |
| Completed | 2017-05-04T07:18:57.9741631Z | Timestamp when the operation was completed |
| Control_OperationReason | Reason for modification | Reason for the operation |
| Description | Modified attributes: groupType: -2147483646; objectClass: group; sAMAccountName: ArsTestTemporalGroupSam_CB79; objectSid: AQUAAAAAAAUVAAAA+mvC8IvUdNjWHCAbGGkBAA== (a multi-line value, shown here on one line) | Description of event |
| ID | 1-107540 | ID of operation |
| Initiated | 2017-05-04T07:18:57.9116595Z | Timestamp when the operation was initiated |
| Initiator_DN | CN=Zakhar Shkonda,OU=zs,OU=TestUsers,DC=it,DC=sales,DC=mycompany | DN of initiator |
| Initiator_Guid | b58c2906-ad0b-4682-bab3-0ae56503eeb5 | GUID of initiator |
| Initiator_Host | ARSIT.it.sales.mycompany | Host of initiator |
| Initiator_IsDSAdmin | True | True if the initiator is a DS administrator |
| Initiator_NTAccountName | IT\zs | NT account name of initiator |
| Initiator_ObjectClass | user | Class of initiator |
| Initiator_Sid | S-1-5-21-4039273466-3631535243-455089366-91270 | SID of initiator |
| Initiator_Site | Default-First-Site-Name | Site of initiator |
| Log | Active Roles | Log name |
| Logon_Site | Default-First-Site-Name | Same as Initiator_Site |
| Operation_GUID | 9b3c5524-065d-418a-9511-3043ab1a5bd7 | GUID of operation |
| Operation_Type | Delete | Type of operation |
| Operation_TypeID | 1 | Type ID of operation |
| Reason | Reason for modification | Same as Control_OperationReason |
| RelatedOU | it.sales.mycompany/AutotestOU/ARS/FIT2711055222_0E7C | Same as TargetObject_OUCanonical |
| Result | Completed | Same as Status |
| Status | Completed | Operation status |
| StatusID | 1 | Operation status ID |
| TargetObject_DN | CN=ArsCHUser1_0E7C,OU=FIT2711055222_0E7C,OU=ARS,OU=AutotestOU,DC=it,DC=sales,DC=mycompany | DN of target object |
| TargetObject_Guid | b6a8b5d0-e003-4421-a7a4-e6fc11f3075a | GUID of target object |
| TargetObject_NTAccountName | IT\ArsCHUser1_0E7C | NT account name of target object |
| TargetObject_ObjectClass | user | Class of target object |
| TargetObject_OUCanonical | it.mycompany.com/AutotestOU/ARS/FIT2711055222_0E7C | Canonical name of the object's OU |
| TargetObject_Sid | S-1-5-21-4039273466-3631535243-455089366-91270 | SID of target object |
| TargetObject_SimpleName | ArsCHUser1_0E7C | Name of target object |
| What | Delete | Same as Operation_Type |
| When | 2017-05-10T08:38:58.0000000Z | Same as Completed |
| Where | dc2.it.sales.mycompany | Host where this operation was performed |
| Who | IT\zs | Same as Initiator_NTAccountName |
| Who_DN | CN=Caroline Abbage,OU=mgmt,OU=TestUsers,DC=it,DC=sales,DC=mycompany | Same as Initiator_DN |
| Who_Guid | b58c2906-ad0b-4682-bab3-0ae56503eeb5 | Same as Initiator_Guid |
| Who_IsDSAdmin | True | Same as Initiator_IsDSAdmin |
| Who_ObjectClass | user | Same as Initiator_ObjectClass |
| Who_Sid | S-1-5-21-4039273466-3631535243-455089366-1131 | Same as Initiator_Sid |
| WhoId | S-1-5-21-4039273466-3631535243-455089366-1131 | Same as Initiator_Sid |
| Whom | ArsTestDynamicGroup_CB79 | Same as TargetObject_SimpleName |
| Whom_DN | CN=ArsTestTemporalGroup_CB79,OU=FIT1010370592_CB79,OU=ARS,OU=AutotestOU,DC=it,DC=sales,DC=mycompany | Same as TargetObject_DN |
| Whom_Guid | eff86e4b-7800-44ce-af3c-ecf198ccadd5 | Same as TargetObject_Guid |
| Whom_NTAccountName | IT\ArsCHUser1_0E7C | Same as TargetObject_NTAccountName |
| Whom_ObjectClass | Groups | Same as TargetObject_ObjectClass |
| Whom_Sid | S-1-5-21-4039273466-3631535243-455089366-92446 | Same as TargetObject_Sid |
| WhomId | CN=ArsTestDynamicGroup_CB79,CN=ArsTestContainer2_C829,OU=FIT1012125742_C829,OU=ARS,OU=AutotestOU,DC=it,DC=sales,DC=mycompany | Same as TargetObject_DN |
| WhomSimple | ArsTestDynamicGroup_CB79 | Same as TargetObject_SimpleName |
| Workstation | ARSIT.it.sales.mycompany | Same as Initiator_Host |

Recovery Manager for Active Directory Fields

The following tables list the fields that occur in Recovery Manager for Active Directory events, organized by type of returned object. You can use these fields in your search queries.

NOTE: The In UI column indicates whether the field is available in the IT Security Search web UI as a clickable element. Whether or not you can click it in the UI, you can use any of these fields in your search queries.

Computers

| Field Name | In UI | Example Value | Details |
| --- | --- | --- | --- |
| AccountSid | Yes | S-1-5-21-4039273466-3631535243-455089366-89812 | Computer account SID |
| Description | Yes | Storage Server | Description of computer |
| DistinguishedName | No | CN=DC1,CN=Domain Controllers,DC=it,DC=sales,DC=mycompany | Computer account distinguished name; search by full value only |
| DNSHostName | Yes | DC1.it.sales.mycompany | DNS host name |
| Location | Yes | Houston | Location of computer |
| ManagedBy | No | CN=Caroline Abbage,OU=Employees,DC=it,DC=sales,DC=mycompany | Same as ManagedByFullName |
| ManagedByFullName | No | CN=Caroline Abbage,OU=Employees,DC=it,DC=sales,DC=mycompany | Distinguished name of the manager of the computer account; search by full value only |
| Name | Yes | DC1 | Same as NetBiosName |
| NetBiosName | Yes | DC1 | NetBIOS name of computer |
| NumLogons | Yes | 12656 | Logon count |
| ObjectCategory | Yes | computer | Object class = computer |
| ObjectGUID | No | ddd94ab4-5de6-4696-a93c-433cf9827c28 | Object GUID of computer account |
| OSName | Yes | Windows Server 2008 R2 Enterprise | OS name |
| OSServicePack | Yes | Service Pack 1 | OS service pack |
| OSVersion | Yes | 6.1 (7601) | OS version |
| Where | Yes | DC1 | Same as NetBiosName |
| Who | Yes | CN=Caroline Abbage,OU=Employees,DC=it,DC=sales,DC=mycompany | Same as ManagedByFullName |

Groups

| Field Name | In UI | Example Value | Details |
| --- | --- | --- | --- |
| CN | Yes | Users | Common name of group |
| Description | Yes | Houston internal group for notification | Description of group |
| DisplayName | Yes | Users | Display name of group |
| DistinguishedName | No | CN=MCDL.RD.Notification,OU=RD,OU=Groups,DC=it,DC=sales,DC=mycompany | Distinguished name of group; search by full value only |
| Email | Yes | MCDL.RD.Notification@it.sales.mycompany | Email address of group |
| GroupType | No | -2147483640 | Integer value of a bitmask that encodes the group type and scope; search by full value only (more details at https://msdn.microsoft.com/en-us/library/ms675935.aspx) |
| HomePage | Yes | http://homepage | Home page of group |
| Info | Yes | Some info | Additional information about group |
| ManagedBy | No | CN=Caroline Abbage,OU=Employees,DC=it,DC=sales,DC=mycompany | Same as ManagedByFullName |
| ManagedByFullName | Yes | CN=Caroline Abbage,OU=Employees,DC=it,DC=sales,DC=mycompany | Distinguished name of the manager of the group; search by full value only |
| Name | Yes | Users | Name of group |
| ObjectCategory | Yes | group | Object class = group |
| ObjectGUID | No | 80b090a2-968f-42e6-bc76-6e2505f43759 | GUID of group object |
| SAMAccountName | Yes | Users | SAMAccountName of group |
| Url | Yes | http://groupname | URL of group |
| Who | Yes | CN=Caroline Abbage,OU=Employees,DC=it,DC=sales,DC=mycompany | Same as ManagedByFullName |
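The GroupType value above and the groupType line inside the Active Roles event Description field (see the Active Roles table) are the same Active Directory bitmask, which AD stores as a signed 32-bit integer, so every security-enabled group shows up as a negative number. The following is an added example, not code from the guide or from the IT Security Search product, that decodes that bitmask into scope and kind and applies it to the "Modified attributes:" block of an Active Roles event. The flag values are the documented AD groupType bits; the sample event text is constructed from the Description example value in this guide.

```python
import re

# Documented Active Directory groupType flag bits (ADS_GROUP_TYPE_* values).
GROUP_TYPE_FLAGS = {
    0x00000001: "BUILTIN_LOCAL",
    0x00000002: "GLOBAL",
    0x00000004: "DOMAIN_LOCAL",
    0x00000008: "UNIVERSAL",
    0x00000010: "APP_BASIC",
    0x00000020: "APP_QUERY",
    0x80000000: "SECURITY_ENABLED",
}
SCOPE_FLAGS = ("GLOBAL", "DOMAIN_LOCAL", "UNIVERSAL", "BUILTIN_LOCAL")


def decode_group_type(value):
    """Return (scope, kind) for a groupType value as stored in AD.

    AD stores groupType as a signed 32-bit integer, so a security-enabled
    group (bit 31 set) appears as a negative number such as -2147483640.
    Masking to 32 bits recovers the unsigned bit pattern (0x80000008).
    """
    bits = int(value) & 0xFFFFFFFF
    names = {name for flag, name in GROUP_TYPE_FLAGS.items() if bits & flag}
    kind = "security" if "SECURITY_ENABLED" in names else "distribution"
    scope = next((s for s in SCOPE_FLAGS if s in names), "unknown")
    return scope, kind


def parse_description(description):
    """Parse the 'Modified attributes:' block of an Active Roles event
    Description field into a dict of attribute name -> value string.
    The header line contains a space in its name, so the regex skips it."""
    attrs = {}
    for line in description.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z0-9-]*):\s*(.*)$", line)
        if m:
            attrs[m.group(1)] = m.group(2).strip()
    return attrs


def group_type_in_event(description):
    """Return (scope, kind) when the event's modified attributes carry a
    groupType, else None. Useful for flagging events that create a
    security-enabled group rather than a distribution list."""
    attrs = parse_description(description)
    if "groupType" not in attrs:
        return None
    return decode_group_type(attrs["groupType"])


# Constructed sample, copied from the Description example value in the guide.
SAMPLE_DESCRIPTION = """Modified attributes:
groupType: -2147483646
objectClass: group
sAMAccountName: ArsTestTemporalGroupSam_CB79
objectSid: AQUAAAAAAAUVAAAA+mvC8IvUdNjWHCAbGGkBAA=="""

if __name__ == "__main__":
    print(decode_group_type(-2147483640))           # RMAD GroupType example
    print(group_type_in_event(SAMPLE_DESCRIPTION))  # Active Roles event example
```

Because IT Security Search matches GroupType by full value only, decoding is the practical way to turn a query result such as -2147483640 into "universal security group" before deciding whether the change needs follow-up.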

OUs

| Field Name | In UI | Example Value | Details |
| --- | --- | --- | --- |
| Description | Yes | Default container for Defender objects | Description of OU |
| DistinguishedName | No | OU=BestEmployees,DC=it,DC=sales,DC=mycompany | Distinguished name of OU; search by full value only |
| ManagedBy | No | CN=Clive Herry,OU=mgmt,OU=TestUsers,DC=it,DC=sales,DC=mycompany | Same as ManagedByFullName |
| ManagedByFullName | Yes | CN=Clive Herry,OU=mgmt,OU=TestUsers,DC=it,DC=sales,DC=mycompany | Distinguished name of the manager of the OU; search by full value only |
| Name | Yes | Users | Name of OU |
| ObjectCategory | Yes | organizationalUnit | Object class = organizationalUnit or container |
| ObjectGUID | No | 675205fb-4d29-44b6-9284-69e867689f38 | GUID of OU |
| USNChanged | No | 9296605 | USN-Changed attribute of OU; search by full value only |

Users

| Field Name | In UI | Example Value | Details |
| --- | --- | --- | --- |
| AccountSid | No | S-1-5-21-4039273466-3631535243-455089366-26350 | User SID; search by full value only |
| Company | Yes | MyCompany | Company name |
| Country | Yes | United States | Country name |
| Department | Yes | Sales | Department name |
| DisplayName | No | Caroline Abbage | User display name |
| DistinguishedName | No | CN=Caroline Abbage,OU=Employees,DC=it,DC=sales,DC=mycompany | User distinguished name; search by full value only |
| EmailAddress | Yes | Caroline.Abbage@sales.mycompany.com | Email address |
| HomePhoneNumber | Yes | +1 410 531 0638 | Home telephone number |
| ManagedBy | No | CN=Caroline Abbage,OU=Employees,DC=it,DC=sales,DC=mycompany | Same as ManagedByFullName |
| ManagedByFullName | No | CN=Caroline Abbage,OU=Employees,DC=it,DC=sales,DC=mycompany | Distinguished name of the manager of the user; search by full value only |
| Mobile | Yes | + 911 9 769 8889 | Mobile phone number |
| Name | Yes | Caroline Abbage | User name |
| ObjectCategory | Yes | user | Object class = user |
| ObjectGUID | No | 861205fb-4d29-44b6-9284-69e867689f38 | User object GUID; search by full value only |
| Office | Yes | Ludlow st. 80, suite 200 | Physical delivery office name |
| SAMAccountName | Yes | jcdenton | SAMAccountName of user |
| StreetAddress | Yes | Ludlow st. 80 | Street address |
| TelephoneNumber | Yes | + 123 4 567 8900 | Telephone number |
| Title | Yes | Mgr, Sales | User job title |
| USNChanged | No | 9296605 | USN-Changed attribute of user; search by full value only |
| Who | No | Administrator | Searches the following attributes: SAMAccountName, DisplayName, AccountSid, DistinguishedName |

Saving Searches and Running Saved Searches

You can save any search for later reuse. Any IT Security Search operator or administrator can save searches and run saved searches, but only administrators can make them public for shared use.

Saving Searches

To save a search, click the drop-down icon at the left edge of the search box and click Save Current Search. Proceed to configure your search in the popup that appears:

  • Give the search a meaningful name.
  • Add tags so that users can easily find the search by category.
  • Select which parameters you want to make customizable, if necessary.
    All field names that occur in your search string are listed. Select the check boxes next to the ones that you want to make customizable. Whenever this saved search is used in the future, it will prompt for the values of all of the fields you select.

NOTE: The field selection controls in the popup are only a graphical way to include special syntax in your search string. The syntax for a customizable parameter is a string (usually the field name) enclosed in double curly braces, placed where the value would otherwise be.

For example, Domain:{{Domain}} will make IT Security Search prompt you for the value of the Domain field, labeled "Domain"; Domain:{{Active Directory Domain}} will also prompt you for the value of Domain, but the label will be "Active Directory Domain".

You can manually construct search strings that include this syntax, without using the field selector. This helps you provide descriptive labels for parameters.

  • Specify the time period that the search must cover.
    For that, select one of the options at the right edge of the search box. These times are relative to the moment the saved search is run.

When you have configured these options, click Save.
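To make the customizable-parameter syntax concrete, the following added example (not code from the guide or from the IT Security Search product) extracts the parameters from a saved search string, reports which labels still need a value, and substitutes the prompted values back in. The search strings are constructed from the field names in this guide; wrapping a substituted value that contains whitespace in double quotes is this example's own assumption, since the guide does not state the quoting rules.

```python
import re

# Field:{{Label}} marks a customizable parameter; the label is the text shown
# at the prompt and may contain spaces ("Active Directory Domain").
PARAM_RE = re.compile(r"(?P<field>[A-Za-z0-9_*]+):\{\{(?P<label>[^{}]+)\}\}")


def list_parameters(search):
    """Return [(field, label), ...] for every customizable parameter in a
    search string, in order of appearance."""
    return [(m.group("field"), m.group("label").strip())
            for m in PARAM_RE.finditer(search)]


def missing_parameters(search, values):
    """Labels that still have no value; the search cannot run until empty."""
    return [label for _, label in list_parameters(search) if label not in values]


def render_search(search, values):
    """Substitute prompted values (keyed by label) into the search string.

    Quoting values that contain whitespace is an assumption of this example.
    """
    missing = missing_parameters(search, values)
    if missing:
        raise KeyError(f"no value supplied for parameter(s): {missing}")

    def replace(m):
        value = str(values[m.group("label").strip()])
        if re.search(r"\s", value):
            value = '"' + value.replace('"', '\\"') + '"'
        return f"{m.group('field')}:{value}"

    return PARAM_RE.sub(replace, search)


# Constructed sample search using field names from this guide.
SAMPLE_SEARCH = "Domain:{{Active Directory Domain}} AND Who:{{Who}}"

if __name__ == "__main__":
    print(list_parameters(SAMPLE_SEARCH))
    print(missing_parameters(SAMPLE_SEARCH, {"Who": "IT\\zs"}))
    print(render_search(SAMPLE_SEARCH,
                        {"Active Directory Domain": "it.sales.mycompany",
                         "Who": "IT\\zs"}))
```

The same label can appear more than once in a search string; because substitution is keyed by label, one prompted value fills every occurrence, which is what you want when, for example, a Who parameter is reused across several clauses.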

Running a Saved Search

To run an existing saved search, click the drop-down icon at the left edge of the search box; the available saved searches are listed at the bottom of the popup that appears. You can filter the list by clicking tag buttons in the Saved Search Categories drop-down.

Making a Saved Search Public or Private

Only IT Security Search administrators can publish a search to make it available to all operators.

In the saved search list, the items have a lock icon showing their state. A private search has a closed lock icon; click the icon to make it public. A public search has an open lock icon; click the icon to make it private.

Deleting a Saved Search

To delete a saved search, highlight it in the saved search list and click the cross icon.

Use Scenarios

The following examples explain how IT Security Search tools can be applied in practice to real-life situations.

Finding and Examining a User

To find events where a particular user is somehow involved (as the doer or as a subject), run a search for any of the names that identify the user in the environment. You can supply the first name, last name, full name, logon name and so on.

The results of your search put the most relevant matching users at the top of the list. If there are too many matches, refine the results using facets.

From a different perspective, if you need to find a user whose name you are not sure about but whose manager's name you remember, try searching for the manager's name, then opening the details of the manager's user account and finding the user you are looking for among the manager's direct reports.

Understanding Who Did What

A typical use case is tracking the activity that involved a particular object, such as a file, folder, group or user account. You begin by finding this object; this provides a starting point and a context for your session. The next step is to use the links in the object's details view. This is the easiest way to create a context and filter out irrelevant data.

Another option is to start with events directly, especially if you expect to find specific events within a specific period of time. To specify the period, use the date range filter. The graphical timeline in the result grid can help you quickly locate peaks of activity that need closer examination.

Exploring a User's Scope of Access

IT Security Search provides quick access to information about files and folders owned by a user and all permissions assigned to the user; for that, use the Files and folders owned by this user, Files and folders where this user has direct permissions and Files and folders where this user has permissions (both direct and indirect) links in the details view for the user you are interested in.

Conversely, if you start with a particular file or folder, its details contain a table of permissions, which can prompt your further steps.

Tracking Permission Management

You can easily follow permission assignment activity using the Who changed permissions on this file and Who changed permissions on this folder links in the details view of a file or folder, respectively.

Exploring Change History of Active Directory Objects

Object change history is available only if the Recovery Manager for Active Directory connector is enabled. For information about changes to an object, go to the History tab on the object's details page. Only the three most recent states are shown on this tab, with changes that occurred after each of them.

You can restore the object to any of these states by clicking its Restore object to this state link. If the object was changed rather than deleted, you have the option to restore specific modified attributes. If it was deleted, you can only restore it to a full state.

Case Studies

See also the following topics for examples of investigations that IT Security Search can help carry out:
