IT Security Search relies on data provided by auditing and operations management systems. At this time, the following systems are supported:
You can connect to any combination of these systems. However, to make the most of IT Security Search, you should establish links with all of them that are available to you. IT Security Search is designed to correlate the data they supply, sparing you the effort of trying to match disparate bits of information to build up a picture.
For example, an event captured by InTrust can prompt you to examine the initiator user account closely; user information is provided by Enterprise Reporter. Next, you might be interested in recent changes to the user account; this information comes from Change Auditor. With all three systems interconnected, these transitions from one piece of data to another are quick and seamless.
Support for Recovery Manager for Active Directory lets you perform recovery directly from the IT Security Search interface in addition to viewing a list of available backup states. For each of them, a link is provided that lets you restore that particular state. If the object was changed rather than deleted, you can select specific modified attributes to restore. If it was deleted, you can only restore it to a full state.
To configure the connections between IT Security Search and any of the supported systems available in your environment, go to the IT Security Search settings page. To open this page, click Settings in the upper right corner.
See the following topics for details about connection configuration for each of the systems:
Change Auditor produces information about what is happening to critical resources such as Active Directory, Exchange or files on file servers, or in cloud environments such as Azure and Office 365. Generally, whenever you are looking for an answer to the question “What changed in the environment?” in IT Security Search, the data is likely provided by Change Auditor.
To start configuring the Change Auditor database data link, select the Connector enabled option. To set up connection to the Change Auditor database, configure the standard SQL Server database access settings:
To verify that your Change Auditor database access works, click the Test Connection link.
Finally, click Apply.
Caution: To make Change Auditor generate the events you want to see in IT Security Search, configure monitoring of the Active Directory attributes you are interested in. For that, in the configuration of the Auditing task, in the AD Attribute Auditing page, go to Forest Attributes. Select the object class and enable monitoring for the necessary attributes.
For details about working with Change Auditor tasks, see the Change Auditor User Guide.
InTrust collects audit events from a wide range of logs on a variety of platforms. Generally, whenever you are looking for an answer to the question “What happened?” in IT Security Search, the data is provided by InTrust.
To start configuring the InTrust repository data link, select the Connector enabled option. To set up connection to one or more InTrust repositories with audit data, configure the following:
To verify that your repository access works, click the Test Connection link.
Finally, click Apply.
Enterprise Reporter retains information about the configuration of critical systems. Generally, whenever you are looking for an answer to the question “What settings are configured for this?” in IT Security Search, the data is provided by Enterprise Reporter.
IT Security Search receives and stores data that is forwarded from Enterprise Reporter. The Warehouse component is responsible for the capture and storage.
To start configuring the Enterprise Reporter data link, select the Connector enabled option. However, most of the configuration occurs on the pushing end.
The next push will occur after the next Enterprise Reporter discovery.
IT Security Search provides the Who, Whom and Where smart aliases for record fields in the data it analyzes. This ensures that you get associated data from unrelated sources using the same terms in your search queries.
The necessary field mapping is created from Enterprise Reporter data. For example, if the Enterprise Reporter connector is configured, you can proceed from the user details page directly to a list of events initiated by the user. Otherwise, the Activity initiated by this user link may not even be available in the details, or it may produce fewer results than it should.
To make sure Enterprise Reporter provides the data for the mapping, configure a recurring Active Directory discovery that includes users and computers in its scope. Set the frequency of the discovery according to the policies in your environment.
By default, the Do not collect object counts option is enabled for Active Directory discoveries in Enterprise Reporter. If IT Security Search uses data obtained by such discoveries, it shows zeros for the number of users, groups and so on in the details of OUs. To make IT Security Search show the correct object counts, make sure the Do not collect object counts option is cleared for your Active Directory discoveries.