
IT Security Search 11.3 - User Guide

Case Study: Investigating Tampering

Suppose a critical file (such as a project roadmap or payroll file) is showing signs of tampering. You want to use IT Security Search to look into this.

What you will need

To make the investigation as efficient as possible, make sure that data from the following sources is available:

  • For security events, including user session events: InTrust
  • For file change information: Change Auditor
  • For user information: Enterprise Reporter

Where to start

You are about to examine the circumstances of file modifications, so it makes sense to start by finding the affected file. This will provide clues about where to go next and also mark a point (as a breadcrumb) that you can always fall back to, even if your next steps take you too far.

How to proceed

When you have found the file, open its full details and use the Who accessed this file link provided in that view. In the list of events that are found, find a "File changed" event and use the What facet to filter out other types of events. Try to spot any unlikely users in the list of file change events.

Suppose you find an event by a user who is not meant to have access to the file. Note the time of the event, then open the details of the event and click the user name. In the user details view that opens, click the Files and folder where this user has permissions link. If the file in question is not listed, that means the permissions have been rolled back by now—likely a piece of incriminating data.

You can also view the entire history of permission management for the file. Use the breadcrumbs to go back to the file details view, and click the Who granted permissions to this file link.

Use the breadcrumbs to go back to the user details view, and click the Activity initiated by this user link. Use the time range filter to restrict the results to a period around the time of the suspicious file modification. The results may reveal noteworthy details about the situation. Consider examining InTrust-specific user session events for the following clues:

  • Logon session time and duration
  • Whether the session was interactive or Terminal Services-based

In addition, check if there were any attempts to clear security logs.
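The correlation this case study walks through by hand can be expressed as a small script. The following is an added example, not part of the guide or the product: it replays constructed grant/revoke events (names, timestamps and path are made up) to decide whether the user held permission at the time of the change, whether that permission was later rolled back, and whether the same user tried to clear a security log around that time.

```python
from datetime import datetime, timedelta

PATH = r"\\fs01\finance\payroll.xlsx"   # constructed sample path

# Constructed sample events in the shape of the Who/What/Whom facets the guide
# mentions; the timestamps, names and path are made up for this example.
EVENTS = [
    {"time": "2023-05-02T09:00", "what": "Permission granted", "who": "jdoe", "whom": "tsmith", "target": PATH},
    {"time": "2023-05-02T09:15", "what": "File changed", "who": "tsmith", "whom": "", "target": PATH},
    {"time": "2023-05-02T09:20", "what": "Security log cleared", "who": "tsmith", "whom": "", "target": "FS01"},
    {"time": "2023-05-02T09:30", "what": "Permission revoked", "who": "jdoe", "whom": "tsmith", "target": PATH},
    {"time": "2023-05-02T11:00", "what": "File changed", "who": "pmorgan", "whom": "", "target": PATH},
]

def parse(ts):
    return datetime.fromisoformat(ts)

def unexpected_changes(events, path, expected_users):
    """'File changed' events on path whose actor is not an expected editor."""
    return [e for e in events if e["what"] == "File changed"
            and e["target"] == path and e["who"] not in expected_users]

def permission_timeline(events, user, path):
    """Sorted (time, granted?, granted_by) tuples for the user's rights on path."""
    return sorted((parse(e["time"]), e["what"] == "Permission granted", e["who"])
                  for e in events if e["target"] == path and e["whom"] == user
                  and e["what"] in ("Permission granted", "Permission revoked"))

def was_rolled_back(events, user, path, change_time):
    """True if the user held permission at change_time and it was revoked afterwards,
    i.e. the file would no longer appear in the user's permissions list."""
    t, held = parse(change_time), False
    for when, granted, _ in permission_timeline(events, user, path):
        if when <= t:
            held = granted
        elif held and not granted:
            return True
    return False

def log_clears_near(events, user, change_time, hours=1):
    """Security-log clearing events by the user within +/- hours of the change."""
    t = parse(change_time)
    return [e for e in events if e["what"] == "Security log cleared"
            and e["who"] == user and abs(parse(e["time"]) - t) <= timedelta(hours=hours)]
```

Running `was_rolled_back` on the constructed data returns True for the unexpected editor, and `permission_timeline` also tells you who granted the right, which is the same question the Who granted permissions to this file link answers.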

Case Study: Making the Most of Multiple Connectors

Suppose a user complains about being unable to log in through VPN. Use IT Security Search to investigate and resolve the situation.

What you will need

For best results, enable the following connectors:

  • For security events: InTrust and Change Auditor
  • For Active Directory object modification and recovery: Recovery Manager for Active Directory
  • For user information: Enterprise Reporter

Where to start

You should start by searching for the David Shore user account, which is having problems. To get results quickly, use the Whom:"David Shore" query. This will take you directly to the events that affected the account.

How to proceed

Suppose the search results include group membership change events from InTrust and Change Auditor indicating that the user was removed from one or more groups. Examine these events and find the one about the group used for providing VPN access. Note that the timestamp of the event is later than the last Active Directory backup. Also note the other event details such as who did this.

In the breadcrumbs line, click the user name to open the user details, and go to the History tab. In the change history view, locate the state before the VPN-related group membership change, and click the corresponding Restore object to this state link.

VPN access for David Shore is restored now, and you know who interfered with his group membership.

Case Study: Active Roles Dynamic Group Membership Tracking

Suppose a new user is not getting the expected permissions to open a network share. You want to use IT Security Search to look into this.

What you will need

To make the investigation as efficient as possible, make sure that data from the following sources is available:

  • For network share and user information: Enterprise Reporter
  • For dynamic group membership information: Active Roles

Where to start

You are about to examine share access, so it makes sense to start by looking at share permissions.

How to proceed

Search for the share path. Click the share you need in the list of results and open its details. In the permissions table, you find the Marketing group, which is used for controlling access to the share. Apparently the user is supposed to be a member of this group, but is not.

Do a search for the Marketing group, click the group in the results and open its details view. It turns out to be an Active Roles dynamic group. Click the Membership Rules tab in the details table to see how the group is populated. In the Rule Details column, you find the following rule: "[User] department Is (exactly) Marketing".

The user's department information is probably wrong, making the user unfit for membership in the Marketing dynamic group. See if this guess is correct: search for the user name, locate the user in the results and open the user's details.

You find that the value of the Department attribute has a typo: "Markering" instead of "Marketing", and you notify the security administrator about this issue.

When you get a response from the administrator saying that the problem has been resolved, you do another search for the Marketing group to confirm that the user is now a member.
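The guess in this case study (a typo in an attribute the membership rule keys on) can be checked for a whole user list at once. The following is an added example, not part of the guide or of Active Roles: it parses a rule in the "[User] <attribute> Is (exactly) <value>" form shown above, assuming a plain exact string comparison, and reports both the users who match and the near misses whose value is one edit away from the required one. The user records are constructed.

```python
import re

# Constructed user records; names and attribute values are made up for this example.
USERS = [
    {"name": "Alice Brown", "department": "Marketing"},
    {"name": "Carl Dean", "department": "Markering"},   # the typo from the case study
    {"name": "Eve Fox", "department": "Sales"},
    {"name": "Gus Hall", "department": "Marketng"},     # a dropped letter
]

# Only the "Is (exactly)" operator shown in the guide is supported here.
RULE_RE = re.compile(r"^\[User\]\s+(\w+)\s+Is \(exactly\)\s+(.+)$")

def parse_rule(rule):
    """Split '[User] <attribute> Is (exactly) <value>' into (attribute, value)."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    return m.group(1), m.group(2).strip()

def edit_distance(a, b):
    """Levenshtein distance, used to spot values that are probably typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def evaluate_rule(rule, users, near_miss=1):
    """Return (members, near_misses): members satisfy the rule exactly;
    near_misses are (name, actual_value) pairs within near_miss edits of the rule value."""
    attr, value = parse_rule(rule)
    members, near = [], []
    for u in users:
        actual = u.get(attr, "")
        if actual == value:
            members.append(u["name"])
        elif 0 < edit_distance(actual, value) <= near_miss:
            near.append((u["name"], actual))
    return members, near
```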


Feedback on IT Security Search

IT Security Search provides the following facilities for getting customer feedback:

  • An option to participate in the software improvement program. If you choose to participate, it will help Quest enhance customers' IT Security Search experience.
  • A utility that gathers information for support engineers.

Note: Participation in the software improvement program is available in version 11.0.5 and later.

Software Improvement Program

This initiative involves Quest automatically receiving anonymous usage statistics from the Quest software you install. No personal identifying data (such as account names) is included in this feedback. The purpose is to determine which features are most popular and find out how their use can be streamlined.

The following information is transmitted:

  • Hardware configuration
  • Which product features are used
  • External IP addresses

Participation in the program is voluntary. The first time you are prompted to make the choice is during IT Security Search installation. Depending on the country you select, you may be asked whether you want to opt in; for some countries, participation will be enabled automatically.

After you have set up IT Security Search, you can change your choice at any time by opening the About box in the IT Security Search UI, selecting the Customer Feedback tab and inverting the state of the I am willing to participate in the customer feedback program option.

Support Information Utility

If you need to contact Support, you should provide various technical details for a speedy response. IT Security Search includes a utility that automatically gathers all the information that support engineers may need and stores it in a single ZIP file.

To create such a file, open the About box in the IT Security Search UI, select the Contact tab and click Gather Support Information.
