
IT Security Search 11.5 - User Guide

Search Term Syntax

Use the following syntax for search terms in the search box. Searches are case-insensitive.

Notes:

  • Asterisk wildcards in an initial position are currently not supported for events provided by InTrust and Recovery Manager for Active Directory. This limitation does not apply to data provided by Change Auditor and Enterprise Reporter.
  • If you specify file system paths (such as C:\Windows) or Active Directory distinguished names (such as CN = Builtin, DC = kltest16, DC = test, DC = local) as search terms, enclose them in quotation marks. This is necessary due to the way the search engine treats the backslash (as an escape character) and the equality sign (as an attribute indicator).

For details about the fields that you can use in your search queries, see Data Field Reference.

Single-Word Terms

This is known as full-text search. The search involves all available fields and uses the Contains operator.

  • Look for a single-word term in any attribute
    Syntax: a word without spaces
    Example: john
    john matches John or john in any attribute, but does not match stjohn in any attribute
  • Look for a single-word term with the specified beginning in any attribute
    Syntax: a word ending in an asterisk (*), without spaces
    Example: john*
    john* matches John or Johnson in any attribute
  • Find entries where a specific single-word term is not contained in any attribute
    Syntax: a word without spaces, with a leading hyphen
    Example: -john
    -john may match entries that contain stjohn, but does not match entries that contain john in any attribute
  • Find entries where a specific single-word term with the specified beginning is not contained in any attribute
    Syntax: a word ending in an asterisk (*), without spaces, with a leading hyphen
    Example: -john*
    -john* may match entries that contain stjohn, but does not match entries that contain john or johnson in any attribute

Term Combinations

  • Look for entries with specific single-word terms in any attributes
    Syntax: words separated by spaces
    Example: john glen*
    john glen* matches john and glen, or john and glenda, or john and glen and glenda, wherever they are found
  • Look for entries that do not contain specific single-word terms in any attribute
    Syntax: words without spaces; a leading hyphen excludes the word
    Examples:
      • -john -glen
      • john -glen*
    -john -glen matches entries that do not contain john or glen anywhere
    john -glen* matches entries that contain john in any attribute and at the same time do not contain glen or glenda anywhere
  • Look for entries with a specific multiple-word phrase in any attribute
    Syntax: a phrase in quotation marks
    Example: "Account Logon"
    "Account Logon" matches entries that contain the exact phrase Account Logon in any attribute
  • Look for entries that do not contain a specific multiple-word phrase in any attribute
    Syntax: a phrase in quotation marks, with a leading hyphen
    Example: logon server01 -"Account Logon"
    logon server01 -"Account Logon" matches entries that contain the words Logon and server01 anywhere but do not contain the exact phrase Account Logon in any attribute
  • Meet one of the specified terms (or sets of terms)
    Syntax: terms (single words or phrases) separated by the OR operator; this operator has the following specifics:
      • It is case-sensitive: it must always be specified as OR
      • It denotes a choice between everything to the left of it and everything to the right of it
      • You can use multiple OR operators in a query; the boundary of an OR clause is the beginning of the query, the end of the query, or another OR
    Examples:
      • paul john OR thomas
      • -"logon/logoff" server01 OR stjohn
    paul john OR thomas matches entries that contain either both John and Paul, or Thomas anywhere
    -"logon/logoff" server01 OR stjohn matches either entries without the phrase Logon/Logoff that contain server01, or entries with stjohn (no matter whether they contain the phrase Logon/Logoff)
  • Explicitly mark an AND operation for visual clarity
    Syntax: terms (single words or phrases) separated by the AND operator; this operator has the following specifics:
      • It is case-sensitive: it must always be specified as AND
      • It can be omitted wherever it occurs
    Examples:
      • paul AND john
      • paul john
    paul AND john and paul john are identical in meaning: look for entries where both paul and john occur.
  • Group and nest terms for logical operations on them
    Syntax: parentheses enclosing the terms you want to group
    Example: (homer marge) OR (peter lois)
    (homer marge) OR (peter lois) matches either entries with both homer and marge, or entries with both peter and lois. It does not match entries with both peter and homer that do not contain lois or marge.

Searching in Specific Attributes

To apply your search term only to a particular attribute, prefix the term with the attribute name followed by a colon (:) or an equals sign (=), as shown in the table below. If the attribute name is made up of multiple words, enclose it in brackets (as in [log name]:security). All the syntax conventions described above also apply.

The following distinction is important:

  • Labels unambiguously mapped to entry attributes; for example, Path:"Documents and Settings" in file access entries
    In this case, the search involves the specified field and uses the Contains operator.
  • Labels mapped to different attributes in different contexts (known as normalized attributes); for example, Where:primrose would mean the primrose domain for users or groups, the primrose computer for files or shares, and so on
    In this case, the search involves the associated fields as necessary and may even modify the search terms.

For details about the meanings of labels in particular contexts, see Normalized Attributes below.

Note: When you look for permission information, you can use the Who, What and Owner attributes as follows:

  • With regard to files, Who means the account that has permissions.
  • Use What to specify the permission.
  • Owner is not a real permission, but you can use it (as in What:Owner) to find the owner of a file.

 

  • Attribute contains term
    Examples:
      • user:stjohn
      • description:"Special privileges assigned"
    user:stjohn matches entries where the User attribute contains the word stjohn
    description:"Special privileges assigned" matches entries where the Description attribute contains the exact phrase Special privileges assigned
  • Attribute does not contain term
    Examples:
      • -user:john*
      • -description:"Special privileges assigned"
      • -[log name]:"Directory Service"
    -user:john* matches entries where the User attribute does not contain the words john or johnson
    -description:"Special privileges assigned" matches entries where the Description attribute does not contain the exact phrase Special privileges assigned
    -[log name]:"Directory Service" matches entries where the Log Name attribute does not contain the exact phrase Directory Service
  • Attribute equals term
    Examples:
      • computer=server01.example.com
      • description="An account was successfully logged on."
    computer=server01.example.com matches entries where the contents of the Computer attribute are exactly server01.example.com
    description="An account was successfully logged on." matches entries where the contents of the Description attribute are exactly An account was successfully logged on.
  • Attribute does not equal term
    Examples:
      • -computer=server01.example.com
      • -description="An account was successfully logged on."
    -computer=server01.example.com matches entries where the contents of the Computer attribute are different from server01.example.com
    -description="An account was successfully logged on." matches entries where the contents of the Description attribute are different from An account was successfully logged on.

Specifying Quotation Marks

If your search term must include double quotes ("), you need to supply an additional double quote as an escape character for each double quote. See the following examples:

  • To find the string the "Cancel" button, specify the term "the ""Cancel"" button"
  • To find the string computer "kltest16", specify the term "computer ""kltest16"""

This requirement does not apply to apostrophes, which are frequently used as quotes. Single quotes of this kind do not need escaping and should be specified in a plain string, as in "local 'Administrator' user".
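The following evaluator is an added example, not product code: it implements the term syntax from the Single-Word Terms, Term Combinations, Searching in Specific Attributes and Specifying Quotation Marks sections above and runs queries over constructed sample records. It assumes word-level matching for the Contains operator and that a [multi word] attribute name matches a field name with the spaces removed; neither detail is specified on this page.

```python
import re

# Tokens of the documented syntax: ( ), quoted phrases ("" escapes a quote),
# [multi word] attribute names, the : and = operators, a negating hyphen, words
TOKEN_RE = re.compile(r'\s*(?:(?P<lp>\()|(?P<rp>\))|(?P<q>"(?:[^"]|"")*")'
                      r'|(?P<br>\[[^\]]+\])|(?P<op>[:=])|(?P<neg>-(?=\S))'
                      r'|(?P<w>[^\s()\[\]":=]+)|(?P<bad>\S))')

def tokenize(query):
    tokens = []
    for m in TOKEN_RE.finditer(query):
        kind, text = m.lastgroup, m.group(m.lastgroup)
        if kind == "bad":
            raise ValueError("cannot tokenize %r" % query[m.start():])
        if kind in ("q", "br"):                    # strip the quotes/brackets
            text = text[1:-1].replace('""', '"')   # and undo doubled quotes
        tokens.append((kind, text))
    return tokens

def contains(kind, term, text):
    """Contains: a quoted phrase must occur verbatim (* is literal); a word
    matches a whole word (assumed: john matches John, not stjohn); trailing
    * makes the word a prefix."""
    term, text = term.lower(), text.lower()
    if kind == "q":
        return term in text
    found = re.findall(r"\w+", text)
    if term.endswith("*"):
        return any(w.startswith(term[:-1]) for w in found)
    return term in found

def match_field(entry, name, op, kind, term):
    """attribute:term runs Contains on one attribute; attribute=term needs the whole value."""
    norm = lambda s: s.replace(" ", "").lower()    # [log name] == "Log Name"
    text = {norm(k): v for k, v in entry.items()}.get(norm(name))
    if text is None:
        return False
    return text.lower() == term.lower() if op == "=" else contains(kind, term, text)

class Parser:
    """Recursive descent over the tokens. Each rule returns a predicate
    entry -> bool, so one parsed query can be run over many entries. OR splits
    everything left of it from everything right of it; AND is optional."""
    def __init__(self, query):
        self.toks, self.i = tokenize(query), 0

    def peek(self, kind=None, text=None):
        tok = self.toks[self.i] if self.i < len(self.toks) else None
        return tok if tok and kind in (None, tok[0]) and text in (None, tok[1]) else None

    def take(self):
        self.i += 1
        return self.toks[self.i - 1]

    def or_expr(self):
        parts = [self.and_expr()]
        while self.peek("w", "OR"):                # OR is case-sensitive
            self.take()
            parts.append(self.and_expr())
        return lambda e: any(p(e) for p in parts)

    def and_expr(self):
        parts = []
        while self.peek() and not self.peek("rp") and not self.peek("w", "OR"):
            if self.peek("w", "AND"):
                self.take()                        # AND may be omitted
            else:
                parts.append(self.term())
        if not parts:
            raise ValueError("empty clause")
        return lambda e: all(p(e) for p in parts)

    def term(self):
        if self.peek("neg"):                       # leading hyphen negates
            self.take()
            inner = self.term()
            return lambda e: not inner(e)
        if self.peek("lp"):                        # parenthesised group
            self.take()
            inner = self.or_expr()
            if not self.peek("rp"):
                raise ValueError("missing )")
            self.take()
            return inner
        kind, text = self.take()
        if self.peek("op"):                        # attribute:term / attribute=term
            op, (vkind, vtext) = self.take()[1], self.take()
            return lambda e: match_field(e, text, op, vkind, vtext)
        return lambda e: any(contains(kind, text, v) for v in e.values())

SAMPLE_ENTRIES = [   # constructed sample records, not product output
    {"User": "john", "Log Name": "Security", "Description": "An account was successfully logged on."},
    {"User": "stjohn", "Log Name": "Security", "Description": "Special privileges assigned to new logon."},
    {"User": "johnson", "Log Name": "Directory Service", "Description": 'Account Logon: "Cancel" pressed'},
]
def search(query, entries=SAMPLE_ENTRIES):
    parser = Parser(query)
    matches = parser.or_expr()
    if parser.i != len(parser.toks):               # e.g. an unmatched ")"
        raise ValueError("unexpected %r" % parser.toks[parser.i][1])
    return [e["User"] for e in entries if matches(e)]
```

search() returns the User values of the matching sample entries, so search('logon -"Account Logon"') yields only stjohn: john's record has no word logon, and johnson's record contains the excluded phrase.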

Filter Syntax

Select one of the operators (explained in the following table), and enter your filter terms.

  • Contains
    Syntax: [FieldName]:<Value>
    Example: Name:Paul
    Meaning: the attribute contains all of the specified terms at once, in any combination
  • Does not contain
    Syntax: -[FieldName]:<Value>
    Example: -Name:John
    Meaning: the attribute contains none of the specified terms anywhere
  • Equals
    Syntax: [FieldName]=<Value>
    Example: Name="John Paul"
    Meaning: the attribute contents are identical to the specified phrase; do not enclose the phrase in quotation marks for this operator
  • Does not equal
    Syntax: -[FieldName]=<Value>
    Example: -SamAccountName=jpaul
    Meaning: the attribute contents are not identical to the specified phrase; do not enclose the phrase in quotation marks for this operator

 

The following rules of the search syntax described above also apply to filter terms:

  • Terms are case-insensitive.
  • The term can be a single word, multiple words, or a phrase in quotation marks.
  • In single-word terms, a trailing asterisk is treated as a wildcard character.
  • In exact phrases, an asterisk is treated as a regular character.

Note: Asterisk wildcards in an initial position are currently not supported for events provided by InTrust and Recovery Manager for Active Directory. This limitation does not apply to data provided by Change Auditor and Enterprise Reporter.

Normalized Attributes

The following table shows what attributes are involved in searches that use the Who, What and Where labels. Active Directory attributes are bolded. Information about events is not included, because Who, What and Where are mapped directly to the same-name fields in InTrust and Change Auditor events.

  • Users
    Who: SAMAccountName, DisplayName, AccountSid, DistinguishedName, LogonName
    What: N/A
    Where: DomainName
  • Groups
    Who: User information, User account information, ManagedByFullName, ManagedByDisplayName
    What: N/A
    Where: DomainName
  • Computers
    Who: ManagedByFullName, ManagedByDisplayName
    What: N/A
    Where: ComputerName, NetBiosName
  • Shares
    Who: User information
    What: N/A
    Where: ComputerName
  • Files
    Who: Permission information
    What: Permission information
    Where: ComputerName

 

Using Functions in Queries

Functions are a way to transform the results of a query to other objects inside a larger query. IT Security Search functions take a query as their single argument and return a collection of objects. Function names are case-insensitive.

Group Membership Resolution Functions

  • Members
    Returns the direct members of all groups that the argument query returned.
    Example: Members([Managed By]:"marty stu")
  • Members_Deep
    Returns both direct and indirect members of all groups that the argument query returned.
    Example: Members_Deep(name="DL.IT")
  • MemberOf
    Returns all groups that directly contain the accounts returned by the argument query.
    Example: MemberOf(FullName="DL.Accounting")
  • MemberOf_Deep
    Returns all groups that directly or indirectly contain the accounts returned by the argument query.
    Example: MemberOf_Deep(Name="DL.Facilities")

If the argument query returns objects that a function cannot be applied to, the function skips these objects. For example, the Members function ignores user account objects.

Example

Suppose you want to get events from all computers where user martystu is an administrator. Use the following query:

MemberOf_Deep(Who=martystu) AccountSID="S-1-5-32-544" | Where="{DomainName}" Who=martystu

This query takes advantage of the well-known SID of the built-in Administrators group. First it finds all aliases of this user account, then it gets all local Administrators groups where those accounts are members, no matter whether direct or indirect (membership information is discovered by Enterprise Reporter). Then the query pipes the results through a sub-query to find all events by these users on computers where they are administrators. For details about search-in-search capabilities, see Making Multi-Stage Searches.

Permission Resolution Functions

These functions support a syntax extension that lets you fine-tune their behavior by specifying attributes. A function call with attributes looks like this:

[FunctionName:attribute1,attribute2,…, attributeN](<search query>)

For example, to list objects that are explicitly denied access to a specific file, use the ObjectPermissions function as follows:

[ObjectPermissions:deny,explicit]("c:\sensitive\off_limits.txt")

By default, it is assumed that you request data about all "allow" permissions.

  • ObjectPermissions
    Supported attributes: allow, deny, inherited, explicit
    Returns users and groups that have direct (explicitly assigned and inherited) permissions on the discovered file, folder or network share.
    Examples:
      • Get a list of users and groups that are directly granted "allow" permissions on the specified file:
        ObjectPermissions("c:\boring\interesting.txt")
      • Get objects that are directly granted "allow" and "deny" permissions on the specified folder:
        [ObjectPermissions:allow,deny]("c:\outrageous")
  • ObjectPermissions_Effective
    Supported attributes: allow, deny, inherited, explicit, direct, indirect
    Returns users and groups that have direct (explicitly assigned and inherited) and indirect (obtained through group membership) permissions on the discovered file, folder or network share.
    Examples:
      • Get a list of users and groups that have "allow" permissions on the specified network share:
        ObjectPermissions_Effective("\\prodfiles1\Department Documents")
      • Get a list of users and groups that have access to the specified network share due to group membership:
        [ObjectPermissions_Effective:indirect]("\\prodfiles1\Department Documents")
  • AccountPermissions
    Supported attributes: allow, deny, inherited, explicit
    Returns files, folders and network shares where the specified user or group is directly granted permissions.
    Examples:
      • Get a list of all files, folders and network shares where users from the Toronto office have direct "allow" permissions:
        AccountPermissions(Office="Toronto")
      • Get a list of all files, folders and network shares to which users from the specified group are denied access explicitly or through permission inheritance:
        [AccountPermissions:deny](name=dl.rd.backend)
  • AccountPermissions_Effective
    Supported attributes: allow, deny, inherited, explicit, direct, indirect
    Returns files, folders and network shares where the specified user or group is directly or indirectly granted permissions.
    Examples:
      • Get a list of all files, folders and network shares where users reporting to the specified manager have "allow" permissions:
        AccountPermissions_Effective(Manager="Marty Stu")
      • Get a list of all files, folders and network shares where users reporting to the specified manager have indirect access due to group membership:
        [AccountPermissions_Effective:indirect](Manager="Mary Sue")

Calling the default parameter-free variants of these functions is equivalent to calling them with all supported parameters except deny. For example, the following two calls are synonymous (the second uses the _Effective variant, since direct and indirect are supported only there):

ObjectPermissions_Effective(Where:server1)
[ObjectPermissions_Effective:allow,inherited,explicit,direct,indirect](Where:server1)
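An added Python illustration (not the product's implementation) of the semantics described for the membership and permission functions above: the _Deep variants as a transitive closure over a constructed membership graph, and the attribute filters with the documented default of everything except deny. How attributes from different groups (allow/deny, inherited/explicit, direct/indirect) combine is an assumption of this example, as are the sample accounts, groups and ACEs.

```python
from collections import deque

# Constructed sample Enterprise Reporter data: each group's direct members
# (users or nested groups) and the ACEs discovered on two objects.
MEMBERS = {
    "DL.IT": {"DL.IT.Backend", "alice"},
    "DL.IT.Backend": {"bob"},
    r"SRV1\Administrators": {"DL.IT", "carol"},
}
OFF_LIMITS, DEPT_DOCS = r"c:\sensitive\off_limits.txt", r"\\prodfiles1\Department Documents"
ACES = [
    {"object": OFF_LIMITS, "account": "DL.IT", "access": "allow", "inheritance": "inherited"},
    {"object": OFF_LIMITS, "account": "bob", "access": "deny", "inheritance": "explicit"},
    {"object": OFF_LIMITS, "account": "carol", "access": "allow", "inheritance": "explicit"},
    {"object": DEPT_DOCS, "account": r"SRV1\Administrators", "access": "allow", "inheritance": "explicit"},
]

def members(groups):
    """Members: direct members of the groups; other objects are skipped."""
    return set().union(*(MEMBERS.get(g, set()) for g in groups))

def memberof(accounts):
    """MemberOf: groups that directly contain any of the accounts."""
    return {g for g, direct in MEMBERS.items() if direct & set(accounts)}

def closure(start, step):
    """Breadth-first, cycle-safe transitive closure of step(); this is what
    the _Deep variants add to the direct functions."""
    seen, queue = set(), deque(start)
    while queue:
        for nxt in step([queue.popleft()]):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def members_deep(groups):
    return closure(groups, members)

def memberof_deep(accounts):
    return closure(accounts, memberof)

# [Function:attr1,attr2](...) selects along three axes. Values on one axis
# are alternatives (allow,deny = either); values on different axes combine
# (deny,explicit = denied AND explicit). An axis that is not mentioned
# defaults to everything but deny, as documented; applying that default
# per axis is an assumption of this example.
AXES = {"access": ("allow", "deny"),
        "inheritance": ("inherited", "explicit"),
        "origin": ("direct", "indirect")}
DIRECT_ATTRS = ("allow", "deny", "inherited", "explicit")
EFFECTIVE_ATTRS = DIRECT_ATTRS + ("direct", "indirect")

def wanted_values(attrs, supported):
    chosen = {a.strip().lower() for a in attrs}
    unknown = chosen - set(supported)
    if unknown:
        raise ValueError("unsupported attribute(s): " + ", ".join(sorted(unknown)))
    return {axis: ({v for v in values if v in chosen} or set(values) - {"deny"})
            for axis, values in AXES.items()}

def ace_selected(ace, wanted):
    return ace["access"] in wanted["access"] and ace["inheritance"] in wanted["inheritance"]

def object_permissions(obj, attrs=()):
    """ObjectPermissions: accounts holding a direct ACE on the object."""
    wanted = wanted_values(attrs, DIRECT_ATTRS)
    return {a["account"] for a in ACES
            if a["object"].lower() == obj.lower() and ace_selected(a, wanted)}

def object_permissions_effective(obj, attrs=()):
    """ObjectPermissions_Effective: the direct holders plus, for every group
    among them, its direct and indirect members (indirect access)."""
    wanted = wanted_values(attrs, EFFECTIVE_ATTRS)
    direct = object_permissions(obj, [a for a in attrs if a.lower() in DIRECT_ATTRS])
    result = set()
    if "direct" in wanted["origin"]:
        result |= direct
    if "indirect" in wanted["origin"]:
        result |= members_deep(direct)           # user accounts yield nothing
    return result

def account_permissions(accounts, attrs=()):
    """AccountPermissions: objects where the accounts hold a direct ACE."""
    wanted = wanted_values(attrs, DIRECT_ATTRS)
    return {a["object"] for a in ACES
            if a["account"] in set(accounts) and ace_selected(a, wanted)}

def account_permissions_effective(accounts, attrs=()):
    """AccountPermissions_Effective: objects reachable directly or through
    any group that contains the accounts, directly or indirectly."""
    wanted = wanted_values(attrs, EFFECTIVE_ATTRS)
    holders = set()
    if "direct" in wanted["origin"]:
        holders |= set(accounts)
    if "indirect" in wanted["origin"]:
        holders |= memberof_deep(accounts) - set(accounts)
    return account_permissions(holders, [a for a in attrs if a.lower() in DIRECT_ATTRS])
```

With this data, object_permissions_effective(OFF_LIMITS) lists bob through the inherited allow on DL.IT even though he also carries an explicit deny; the deny is only reported when the deny attribute is requested, which mirrors the documented default.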

Function Limitations

Functions have the following limitations:

  • Multi-stage searches cannot be function arguments. Incorrect: Members(ManagedBy:"mary sue" | name="{FullName}")
  • Functions are not supported in operator scope queries described in Who Can Do What in IT Security Search.
  • AND-based conjunction of function calls is disallowed. Incorrect: Members(name="group1") AND Members(name="group2")
  • Negation of function calls is disallowed. Incorrect: -MemberOf(name="group3")
  • A function cannot have a function call as an argument.
  • The functions work only on Enterprise Reporter data. For all other data, they return nothing.

Making Multi-Stage Searches

You have the option to run a search on the results of another search. It is a way to automate your established search practices, and it may provide a clearer and more convenient representation of your intentions.

This is similar to how the output of a command is redirected into another command as its input in PowerShell and Unix shell languages. Accordingly, search result redirection is provided by the familiar pipe (|) operator.

To indicate a field whose value should be carried over from the left query to the right through the pipe, enclose the field name in curly braces, as in {Where} or {EventID}.

Example:

"rd.itsearch"| What:Logon AND Who:"{SAMAccountName}" | Name="{Where}"

In this three-stage search, the initial results are refined twice. First, the query finds all users that are members of the rd.itsearch group. For these users, it finds the events whose Who field contains one of the users' SAM account names and whose What field contains Logon. From the resulting events, it picks only those that have any of the discovered computer names in the Where field.

Auto-Resolution of the Current User

If you specify the {Context.CurrentUser} variable in your query, it is automatically resolved to information that identifies the user who is running the query. The following information is extracted (where available): account name in domain\user format, SAM account name, display name and SID.

For example, if user Alan Smithee supplies a query containing Who="{Context.CurrentUser}", the resulting substituted information can be something like this:

Who=production\asmithee OR Who=ASmithee OR Who="Alan Smithee" OR Who="S-1-5-21-2591644-1571856274-80062049-1617"

If you want a particular identifying field instead of a set of fields, use the following accessors:

  • {Context.CurrentUser.FullAccountName}
  • {Context.CurrentUser.SamAccountName}
  • {Context.CurrentUser.DisplayName}
  • {Context.CurrentUser.AccountSid}

Examples:

  • Description:"Computer of {Context.CurrentUser.DisplayName}" becomes Description:"Computer of Alan Smithee"
  • onpremisessecurityidentifier="{Context.CurrentUser.AccountSid}" becomes onpremisessecurityidentifier="S-1-5-21-2591644-1571856274-80062049-1617"

NOTE: Resolution of this variable does not require that the Enterprise Reporter connector be enabled.
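An added example, not product code, of how the {Field} placeholders of a pipe stage and the {Context.CurrentUser} variable described above can be expanded once the previous stage has produced results. The identity values are constructed, and two details are assumptions of this example: every substituted value is quoted (with doubled quotes where needed), and a multi-value expansion is parenthesised so that the OR does not swallow the rest of the stage.

```python
import re

# Constructed identity of the user running the query; the real product
# resolves these four values from the session.
CURRENT_USER = {
    "FullAccountName": r"production\asmithee",
    "SamAccountName": "ASmithee",
    "DisplayName": "Alan Smithee",
    "AccountSid": "S-1-5-21-2591644-1571856274-80062049-1617",
}

ACCESSOR_RE = re.compile(r"\{Context\.CurrentUser\.(\w+)\}")
# A clause whose whole value is a placeholder: field, : or =, "{Name}"
CLAUSE_RE = re.compile(r'(\[[^\]]+\]|[^\s()\[\]":=]+)([:=])"\{([^}]+)\}"')

def split_stages(query):
    """Split a multi-stage search on the pipes that sit outside quoted phrases."""
    stages, buf, in_quote = [], [], False
    for ch in query:
        if ch == '"':
            in_quote = not in_quote          # an escaped "" toggles twice
        if ch == "|" and not in_quote:
            stages.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    stages.append("".join(buf).strip())
    return stages

def quote(value):
    """Quote a value for the search syntax, doubling any embedded quotes."""
    return '"%s"' % value.replace('"', '""')

def carry_over(results):
    """Per field, the distinct values the previous stage produced
    (first-seen order), keyed case-insensitively."""
    values = {}
    for row in results:
        for field, value in row.items():
            values.setdefault(field.lower(), {})[value] = None
    return {field: list(seen) for field, seen in values.items()}

def expand_stage(stage, values_by_field):
    """Resolve the placeholders of one stage:
    - {Context.CurrentUser.X} becomes the single value X wherever it appears;
    - field:"{Name}" or field="{Name}" becomes one clause per carried-over
      value, joined with OR; {Context.CurrentUser} expands the same way over
      all four identity values.
    Because OR binds everything to its left and right, a multi-value
    expansion is parenthesised unless it is the whole stage."""
    stage = ACCESSOR_RE.sub(lambda m: CURRENT_USER[m.group(1)].replace('"', '""'), stage)

    def replace_clause(m):
        field, op, name = m.groups()
        if field.startswith("-"):
            raise ValueError("negated placeholder clauses are not expanded: " + m.group(0))
        if name == "Context.CurrentUser":
            values = list(CURRENT_USER.values())
        else:
            values = values_by_field.get(name.lower(), [])
        if not values:
            raise KeyError("the previous stage carried no values for {%s}" % name)
        clause = " OR ".join(field + op + quote(v) for v in values)
        if len(values) > 1 and m.span() != (0, len(stage)):
            clause = "(" + clause + ")"
        return clause

    return CLAUSE_RE.sub(replace_clause, stage)
```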

Specifics of Recovery Manager for Active Directory Data

Recovery Manager for Active Directory provides data about users, groups, computers and organizational units, including those that have been deleted. Searching within that data should be approached in special ways.

One drawback is that full-text search does not work in Recovery Manager for Active Directory. Generally, it is recommended that you complement this data with results from Enterprise Reporter, if possible.

Searching by Distinguished Name

In all attributes that contain distinguished names, such as distinguishedName or manager, only the "equals" operator is used, meaning that the value must match exactly. For example, if the manager attribute of a user is "CN=David Shore,OU=Employees,DC=it,DC=example,DC=corp", then the following happens:

  • These queries match the user:
    Manager:"CN=David Shore,OU=Employees,DC=it,DC=example,DC=corp"
    Manager="CN=David Shore,OU=Employees,DC=it,DC=example,DC=corp"
  • These queries do not match the user:
    Manager:"CN=David Shore"
    Manager="CN=David Shore"

Searching for Deleted Objects

When Active Directory objects are deleted, they are actually moved to the Deleted Objects container; some of their attributes are cleared and some are changed, including the name. The following tips will help you compose queries that produce the expected results for deleted objects:

  • The name attribute undergoes the following change: <object_name> becomes <object_name>\0ADEL<object_GUID>. If you are aware of this pattern, you can look for deleted objects specifically.
  • The samAccountName attribute remains unchanged in deleted users, computers and groups.
  • In computers, the dnsHostName attribute also remains unchanged.

Searching Without Specifying Fields

When you supply a search term without prefixing a field name, IT Security Search adds the field name for you, as follows:

  • User or group: the aNR field is added
    "Alan Smithee" becomes aNR:"Alan Smithee"
    "Alan Smithee*" becomes aNR:"Alan Smithee" (wildcards are not supported by Recovery Manager for Active Directory)
  • Computer or OU: the name field is added
    primrose.domain.local becomes name:primrose.domain.local
    Directors* becomes name:Directors (wildcards are not supported by Recovery Manager for Active Directory)

It is recommended that you specify the target fields explicitly and use the fields suggested in Searching for Deleted Objects above.

Data Field Reference

The following topics provide details about fields that you can use in search queries, organized by supported system:

Enterprise Reporter Data Fields

The following are lists of fields that occur in Enterprise Reporter data, organized by type of returned object.

NOTE: The In UI column indicates if the field is available in the IT Security Search web UI as a clickable element. Whether or not you can click it in the UI, you can type any of these fields in your search queries.

Computers

Field Name

In UI

Example Value

Details

AccountFullName

No

MAIN\HOUDEVW04$

SAMAccountDomain\SAMAccountName of the relevant computer account

AccountSid

No

S-1-5-21-636461855-2365528612-2953867313-5163

Security identifier (SID) of the computer account

ComputerName

Yes

achtung.main.mycompany.corp

Short or NetBIOS name for the computer

Description

Yes

Serial , AOPEN_, AWRDACPI, 1002MHz, 1002MHz, 3072MB RAM

Description for the computer

DistinguishedName

No

CN=HOUITW09,OU=Houston,OU=AMER,OU=Production Computers,DC=main,DC=mycompany,DC=corp

Distinguished name for domain computer

Domain

Yes

 

Same as DomainName

DomainName

No

main.mycompany.corp

Fully qualified domain name

Groups

No

Pre-Windows 2000 Compatible Access;Cert Publishers

List of groups (in common name format) where the computer account is a member explicitly

HasGroups

No

True

True if this computer account is a member of any group

IsHidden

No

False

True if the server is visible to other computers in the same network; otherwise, false

Location

Yes

US/Houston

Location of domain computer

ManagedByDisplayName

No

Patricia Lum

The display name of account by which the domain computer is managed

ManagedByType

No

Users

Type of account by which the domain computer is managed; Users or Groups

Name

Yes

achtung

NetBIOS name of the computer

NetBiosName

No

IRVWEBW05

NetBIOS name for domain computer

NumLogons

No

291

Number of times the domain computer was logged into

OSName

No

Windows Server 2003

Full name of the computer's operating system

OSServicePack

No

Service Pack 1

Service pack name for the computer's operating system

OSVersion

No

5.2 (3790)

Operating system version number for the computer

OU_CanonicalName

No

main.mycompany.corp/Production Computers/US/Houston/R&D Test Computers

Canonical name for organizational unit

OU_DistinguishedName

No

OU=Cary,OU=AMER,OU=Production Computers,DC=main,DC=mycompany,DC=corp

Distinguished name for organizational unit

RelatedOU

No

 

Same as OU_CanonicalName

Scope

Yes

Active Directory

Active Directory or Workgroup

Source

Yes

Enterprise Reporter

Enterprise Reporter (data source)

State

Yes

Current

Current or Deleted

Where

No

 

Same as ComputerName, NetBiosName

Who

No

 

Same as ManagedByFullName, ManagedByDisplayName

Files

Field Name

In UI

Example Value

Details

Computer

Yes

 

Same as ComputerName

ComputerName

No

WST9240.main.mycompany.corp

Short or NetBIOS name for the computer

DomainName

Yes

MAIN

NetBIOS name for domain

Extension

Yes

.exe

Extension of the file

File

Yes

TestConsol.exe

File or folder name

FullAccountName

Yes

WST9240\Administrators

SAMAccountDomain\SAMAccountName of owner account

OU_CanonicalName

Yes

main.mycompany.corp/Production Computers/US/Houston/R&D Test Computers

Canonical name for organizational unit (for domain users only)

Owner

Yes

 

Same as FullAccountName, OwnerSid

Owner Domain

No

 

Same as SAMOwnerDomain

OwnerSid

No

S-1-5-32-544

Security identifier (SID) of the owner account

OwnerType

No

Groups

Owner account type: Users or Groups

Path

Yes

D:\Images\59491\

Full path of the folder or file; based on the collection options, the value could be in the format c:\folder or \\computer\shared\Folder

Permission

No

 

Same as PermissionsText

PermissionsText

No

WST9240\Remote Desktop Users: Allow List folder/read data, Create files/Write data, Create folders/append data, Read extended attributes, Write extended attributes, Traverse folder/run file, Read attributes, Write attributes, Read permissions Inherite

Semicolon-delimited list of permissions, each in the form Account: access type [Allow|Deny] inheritance [Inherited|Explicit]

RelatedOU

No

 

Same as OU_CanonicalName

SAMOwnerDomain

No

WST9240

SAM account name of owner account's domain

SAMOwnerName

No

Administrators

SAM account name of owner account

Size

Yes

31335914

Size in bytes of the NTFS object

Source

Yes

Enterprise Reporter

Enterprise Reporter (data source)

Type

Yes

File

File or Folder; Folder if the NTFS object is a folder; otherwise, File

What

No

 

Same as PermissionsText

Where

No

 

Same as ComputerName

Who

No

 

Same as PermissionsText

Groups

Field Name

In UI

Example Value

Details

AccountSid

No

S-1-5-21-636461855-2365528612-2953867313-107634

Security identifier (SID) of the account

AdminDisplayName

No

Administrator

Admin display name for the domain group; name is displayed on admin screens

CanonicalName

No

main.mycompany.corp/Groups/RD/MCDL.RD.CRDHub.APAC.AU

The name of the domain group in canonical format

CommonName

No

Development Users

Common name for domain group

Description

Yes

Owner: CLIVE_HERRY

Description of the group

DisplayName

No

AA_Accounting

Display or common name for the group

DistinguishedName

No

CN=MCDL.RD.CRDHub.APAC.AU,OU=RD,OU=Groups,DC=main,DC=mycompany,DC=corp

Distinguished name for domain group or SAM account name for a local user (computer\username)

Domain

Yes

 

Same as DomainName

DomainName

Yes

main.mycompany.corp

Fully qualified domain name for domain accounts, or the computer's NetBIOS name for local accounts

E-mail

Yes

 

Same as EmailAddress

EmailAddress

No

BC5796F842DD49CD8F4@sales.mycompany.com

Email address for the group

Friendly Name

Yes

 

Same as FriendlyName

FriendlyName

No

AA_Accounting (MAIN\FB430EAC2D2E4)

Friendly name for the group

FullAccountName

No

MAIN\Office.AMER.US.Boston

domain\group; group is a SAM account name, domain is the SAM account name of a domain or NetBIOS name of a computer

FullName

No

Development Users

Full name for domain group

Groups

No

MCDL.PreSales.NAC.DatabasePerf;MCDL.Sales.DBPerformance.SR.NA

Common or SAM account names of groups (semicolon-separated) that are explicitly members

GroupScope

Yes

Universal

One of the following:

  • Builtin local
  • Global
  • Domain local
  • Local
  • Universal
  • SQL Login
  • Well Known
  • Unknown

GroupType

Yes

 

Same as IsSecurityEnabled

HasGroups

No

False

True if this group has members of type "group"

HasUsers

No

True

True if this group has members of type "user"

HomePage

No

http://homepage

Primary home page for domain group

Info

No

Created as part of the ChangeBase Mail migration by Charles Arrot

Informational notes on the domain group

IsSecurityEnabled

No

Security

Security or Distribution

Managed By

No

 

Same as ManagedByDisplayName, ManagedByFullName

ManagedByDisplayName

No

Owen Range

Display name or Common name of account by which the domain group is managed

ManagedByFullName

No

CN=Sarah Quash,OU=Employees,DC=main,DC=mycompany,DC=corp

Account (distinguished name) by which the domain group is managed

ManagedByType

No

Users

Type of account by which the domain group is managed; Users or Groups

Name

Yes

 

Same as DisplayName

Nested Groups

No

 

Same as Groups

Organizational Unit

Yes

 

Same as OU_CanonicalName

OU_CanonicalName

No

main.mycompany.corp/Groups/Sales

Canonical name for organizational unit

OU_DistinguishedName

No

OU=Sales,OU=Groups,DC=main,DC=mycompany,DC=corp

Distinguished name for organizational unit

RelatedOU

No

 

Same as OU_CanonicalName

SAMAccountDomain

No

MAIN

SAM account name of the account's domain for domain groups, or NetBIOS name of the computer for local (computer) groups

SAMAccountName

No

MCDL.RD.CRDHub.APAC.AU

SAM account name for the account

SIDHistory

No

S-1-5-21-329068152-688789844-839522115-10863

List of previous security identifiers (SID) used if the domain group was moved from other domains

Source

Yes

Enterprise Reporter

Enterprise Reporter (data source)

State

Yes

Current

Current or Deleted

Url

No

http://group

URL addresses of websites for the domain group

Users

No

Zoe Ucchini;Peter Omelo

Common or SAM account names of users (semicolon-separated) that are explicitly members

Where

No

 

Same as DomainName

Who

No

 

Same as Users, UsersAccounts, ManagedByFullName, ManagedByDisplayName

OUs

Field Name

In UI

Example Value

Details

AppliesTo

No

 

Same as PermissionsText

CanonicalName

Yes

main.mycompany.corp/Builtin

Canonical name for organizational unit

ContainerType

No

Container

Type of container: Container or Organizational Unit

Description

Yes

Default container for upgraded computer accounts

Description for organizational unit

DistinguishedName

No

 

Distinguished name for organizational unit

Domain

Yes

 

Same as DomainName

DomainName

No

main.mycompany.corp

Fully qualified domain name

HasPermissions

No

True

True or False; True if PermissionsText is not empty

Managed By

Yes

 

Same as ManagedByFullName, ManagedByDisplayName

ManagedByDisplayName

No

MCDL.RD.ITSearch

Display or common name of management account

ManagedByFullName

No

CN=MCDL.RD.ITSearch,OU=RD,OU=Groups,DC=main,DC=mycompany,DC=corp

The account (distinguished name) by which the organizational unit is managed

ManagedByType

No

Groups

Management account type; Users or Groups

Name

Yes

Computers

Common short name for organizational unit

NumberOfComputers

No

4

Number of domain computers in organizational unit

NumberOfContacts

No

5

Number of contacts in organizational unit

NumberOfGroups

No

3

Number of domain groups in organizational unit

NumberOfOtherObjects

No

6

Number of other domain objects in organizational unit

NumberOfUsers

No

2

Number of domain users in organizational unit

Permission

No

 

Same as PermissionsText

PermissionsText

No

NT AUTHORITY\SELF: Allow Read Property, Write Property for location [Descendant computer objects] Inherited;NT AUTHORITY\SELF: Allow Read Property, Write Property for defender-tokenData [Descendant defender-tokenLicenseClass objects] Inherited

Semicolon-separated list of permissions, each in the form Account: access type [Allow|Deny] inheritance [Inherited|Explicit]

RelatedOU

No

 

Same as CanonicalName

Source

Yes

Enterprise Reporter

Enterprise Reporter (data source)

State

Yes

Current

Current or Deleted

What

No

 

Same as PermissionsText

Where

No

 

Same as DomainName

Who

No

 

Same as ManagedByFullName, PermissionsText

Shares

| Field Name | In UI | Example Value | Details |
|---|---|---|---|
| Comment | Yes | Docs share | Comment for the share |
| Computer | Yes | | Same as ComputerName |
| ComputerName | No | WST9240.main.mycompany.corp | NetBIOS name of the computer |
| FullOwnerName | No | WST9240\Administrators | SAMAccountDomain\SAMAccountName of the owner account |
| Local Path | Yes | | Same as SharePath |
| Name | Yes | | Same as ShareName |
| Owner | Yes | | Same as FullOwnerName |
| OwnerDomain | No | WST9240 | SAM account name of the owner account's domain |
| OwnerName | No | Administrators | SAM account name of the owner account |
| OwnerType | No | Groups | Owner account type; Users or Groups |
| PermissionsText | No | WST9240\Remote Desktop Users: Allow List folder/read data, Create files/Write data, Create folders/append data, Read extended attributes, Write extended attributes, Traverse folder/run file, Read attributes, Write attributes, Read permissions Inherited | Semicolon-delimited list of permissions; each entry has the form account: access type [Allow\|Deny] inheritance [Inherited\|Explicit] |
| RelatedOU | No | main.mycompany.corp/Production Computers/US/Houston/R&D Test Computers | Canonical name of the organizational unit (for domain users only) |
| ShareName | No | C$ | Name of the share |
| SharePath | No | D:\Custom Utilites | Local path of the share |
| ShareType | No | Administrative Shared Folder | Type of resource being shared |
| Source | Yes | Enterprise Reporter | Enterprise Reporter (data source) |
| What | No | | Same as PermissionsText |
| Where | No | | Same as ComputerName |
| Who | No | | Same as PermissionsText |

Users

| Field Name | In UI | Example Value | Details |
|---|---|---|---|
| Account SID | Yes | | Same as AccountSid |
| AccountIsDisabled | No | True | True if the domain (computer) user account is disabled; otherwise, False |
| AccountIsLocked | No | False | True if the domain (local) user account is locked; otherwise, False |
| AccountSid | No | S-1-5-21-636461855-2365528612-2953867313-71684 | Security identifier (SID) of the account |
| Assistant | No | CN=Pamela Ear,OU=Employees,DC=main,DC=mycompany,DC=corp | Distinguished name of the domain user's administrative assistant |
| CannotChangePassword | Yes | False | True if the local user cannot change the password; otherwise, False |
| City | No | Shanghai | City of the domain user account |
| Company | Yes | My Company Inc. | Company of the user account |
| Country | Yes | Canada | Country or region of the user account |
| Department | Yes | R&D - Development | Name of the user's department |
| Description | No | Build account for Archive Manager Offline Client | Description of the user |
| DirectReports | No | CN=Philip Arsley,OU=Employees,DC=main,DC=mycompany,DC=corp;CN=Gwen Arlic,OU=Employees,DC=main,DC=mycompany,DC=corp;CN=Greg Inger,OU=Employees,DC=main,DC=mycompany,DC=corp | List of domain users that directly report to the domain user |
| DisplayName | No | Caroline Abbage | Display name or SAM account name of the user |
| DistinguishedName | No | CN=Caroline Abbage,OU=Employees,DC=main,DC=mycompany,DC=corp | Distinguished name for a domain user, or computer\user for a local user |
| Division | No | Reporting division | Division of the domain user |
| Domain | Yes | main.mycompany.corp | Fully qualified domain name for domain users, or NetBIOS name of the computer for local (computer) users |
| E-mail | Yes | | Same as EmailAddress |
| EmailAddress | No | Patricia.Lum@support.mycompany.com | Email address of the user |
| EmployeeID | No | 69267 | Employee ID of the domain user |
| FaxNumber | No | 0123456789 | Facsimile number of the domain user |
| FirstName | No | Paul | Given name (first name) of the domain user |
| FullAccountName | No | MAIN\jcdenton | domain\user, where user is a SAM account name and domain is the SAM account name of a domain or the NetBIOS name of a computer |
| Groups | No | WST8766VM1\Administrators;Office.US.Houston | List of groups, as CommonName or Computer\groupName (explicit membership) |
| HasDirectReports | No | True | True or False; True if DirectReports is not empty |
| HasGroups | No | True | True if this user is a member of any group |
| HasPhoto | No | True | True if this user has a photo |
| HomeDirSize | No | 0 | Size of the home directory of the domain user |
| HomePhoneNumber | No | +7-123-4567890 | Phone number of the domain user |
| HomePostalAddress | No | Main street | Mailing address of the domain user |
| Info | No | Account used for Patchlink & Symantec scanning of domain systems | Informational notes on the domain user |
| Initials | No | M | Initials of the domain user |
| IpPhone | No | +44 1234 567890 x12345 | IP telephone number or address of the domain user |
| LastName | No | Epper | Last name of the domain user |
| LogonHours | No | FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF | Hex-coded hours during which the domain/local user is allowed to log on to the domain |
| Logon Name | No | | Same as LogonName |
| LogonName | No | SVC-Scanner@main.mycompany.corp | Logon name of the domain user |
| ManagedBy | No | CN=Christina Hilli,OU=Employees,DC=main,DC=mycompany,DC=corp | The account (distinguished name) by which the domain user is managed |
| Manager | Yes | | Same as ManagedBy, ManagedByDisplayName |
| MiddleName | No | N | Middle name of the domain user |
| Mobile | Yes | +7-123-4567890 | Mobile number of the user |
| Name | Yes | | Same as DisplayName |
| NumLogons | No | 3910 | Number of times the domain/local user has successfully logged on |
| Office | Yes | Castlegar | Office location of the user |
| Organizational Unit | Yes | | Same as OU_CanonicalName |
| OtherIpPhone | No | Conference 84030 | List of alternate TCP/IP addresses for the domain user's phone (Telephony) |
| OtherMailbox | No | other_mailbox@hotmail.com | Additional email addresses of the domain user |
| OtherMobile | No | +55 11 12345 6789 | List of alternate mobile phone numbers of the domain user |
| OtherTelephone | No | +1 123 456 7890 | List of alternate telephone numbers of the domain user |
| OU_CanonicalName | No | main.mycompany.corp/IS/SVC-Accounts/MailboxEnabled | Canonical name of the organizational unit (for domain users only) |
| OU_DistinguishedName | No | OU=Enabled SVC-Accounts,OU=SVC-Accounts,OU=IS,DC=main,DC=mycompany,DC=corp | Distinguished name of the organizational unit (for domain users only) |
| PasswordIsexpired | No | True | True if the domain user's password is expired; otherwise, False |
| PasswordNeverExpires | No | True | True if the domain/local user's password never expires; otherwise, False |
| PersonalTitle | No | Mr. | Personal title of the domain user |
| PostalCode | No | 411016 | Postal or ZIP code of the domain user |
| RelatedOU | No | | Same as OU_CanonicalName |
| SAM Account Domain | Yes | | Same as SAMAccountDomain |
| SAM Account Name | Yes | | Same as SAMAccountName |
| SAMAccountDomain | No | MAIN | SAM account name of the account's domain for domain users, or NetBIOS name of the computer for local (computer) users |
| SAMAccountName | No | jcdenton | SAM account name of the account |
| Scope | Yes | Active Directory | Active Directory or Computer |
| Source | Yes | Enterprise Reporter | Enterprise Reporter (data source) |
| State | Yes | Current | Current or Deleted |
| StateOrProvince | No | AZ | State or province of the domain user |
| StreetAddress | No | 1042 Bluesky Blvd., Bldg. 1 Flagstaff AZ | Street address of the domain user |
| TelephoneNumber | No | +1 123 456 7890 x45678 | Telephone number of the domain user |
| Title | Yes | Software Developer 3 | Title of the user |
| UserPrivilegeLevel | No | Normal | Flag for user privilege level: Normal or Unknown |
| UserWorkstations | No | ALVMISW02,ALVSANW01,ALVPATW01,ALVPATW02 | NetBIOS or DNS names of the computers running Windows NT Workstation or Windows 2000 Professional to which the domain user can log on |
| Where | No | | Same as DomainName |
| Who | No | | Same as SAMAccountName, DisplayName, AccountSid, DistinguishedName |

Other Object Types

In addition to the object types listed above, Enterprise Reporter can provide field data for various other objects. To see the kinds of objects available in your environment, click the More tab in the search result grid. For a list of supported fields of a particular object type, see the details of such an object.

InTrust Data Fields

The following are lists of fields that occur in InTrust events, organized by type of returned object.

NOTE: The In UI column indicates whether the field is available in the IT Security Search web UI as a clickable element. Whether or not you can click it in the UI, you can type any of these fields in your search queries.

| Field Name | In UI | Example Value | Details |
|---|---|---|---|
| Category | No | Sensitive Privilege Use | Event category |
| Computer | No | Y1202.seldom.mycompany | Computer where the event occurred |
| ComputerType | No | 69635 | Mask for computer type |
| DataSourceType | No | {A9E5C7A2-5C01-41B7-9D36-E562DFDDEFA9} | GUID of the InTrust data source type |
| Description | No | An operation was attempted on a privileged object. | Event description |
| Environment | No | 9E442BEE-EAC2-4D79-9013-053FB225CFD0 | Environment GUID |
| EventID | No | 4674 | Event ID |
| Type | No | 16 | Numeric event type ID |
| SourceComputer | No | Y1202 | Name of the gathering computer |
| SourceDomain | No | SELDOM | Name of the gathering computer's domain |
| Log | No | Security | Log name |
| PlatformID | No | 500 | Platform ID (500 means Windows) |
| Source | No | Security | Event source |
| UserDomain | No | WST9983 | Domain of the user that initiated this event |
| UserName | No | Administrator | Name of the user that initiated this event |
| VersionMajor | No | 6 | OS version, major number |
| VersionMinor | No | 2 | OS version, minor number |
| InsertionString* | Yes | NT AUTHORITY | InsertionString1, InsertionString2, etc. |
| Workstation | No | WST9983 | Computer where the operation was initiated |
| Where_From | No | WST9983 | Same as Workstation |
| WhoDomain | No | SALES | Same as UserDomain |
| Who | No | Administrator | Same as UserName |
| Object_DN | No | CN=HealthMailbox,CN=Users,DC=seldom,DC=mycompany | DN of the object that was changed/deleted/created |
| Object_ID | Yes | DE442BEE-EAC2-4D79-9013-053FB225CFD0 | ID of the object that was changed/deleted/created |
| WhomId | No | CN=Admin,CN=Users,DC=seldom,DC=spb,DC=qsft | Object_DN of the object that was changed/deleted/created, if available; otherwise the Object_ID of the object |
| Whom_ObjectClass | No | user | Class of the object that was changed/deleted/created |
| ComputerName | No | COMP1 | Same as Computer |
| What | No | NTLM Authentication | Event literal |
| Log name | No | Security | Same as Log |
| SourceName | No | Security | Same as Source |
| RelatedOU | No | sales.mycompany.corp/Production Computers | By Enterprise Reporter: OU associated with the computer |
| Whom_ObjectClass | No | user | By Enterprise Reporter: Object class of Whom |
