
IT Security Search 11.5 - User Guide

Change Auditor for Active Directory Data Fields

The following fields occur in Change Auditor for Active Directory events. All of these fields are available in the IT Security Search web UI as clickable elements, and you can also type any of them in your search queries.

Field Name | Example Value | Details
--- | --- | ---
AAD_City | "Halifax", "New York City" | Azure sign-in city
AAD_Country | "Canada", "US" | Azure sign-in country
AAD_ActivityStatusReason | User successfully reset password | Reason for the activity status
AAD_OnPremisesTarget | RHSOFTWARE\AD_Admin | Azure AD on-premises target name
AAD_OnPremisesUserName | RHSOFTWARE\AD_Admin | Azure AD on-premises user name
AAD_State | "Nova Scotia", "New York" | Azure sign-in state
AAD_TargetDisplayName | AD_Admin@RHSoftware.Net | Azure AD target object display name
AAD_TenantDefaultDomain | QAMyProduct.onmicrosoft.com | Azure AD tenant default domain name
AAD_TenantDisplayName | QA QAMyProduct.onmicrosoft.com My Product | Azure AD tenant display name
ActionName | Modify Attribute | Name of the action
Activity Details | User successfully reset password | Same as AAD_ActivityStatusReason
After | E:\NewName.txt | Same as ValueNew
Azure - Activity Name | Set Company Information | Same as O365_Operation
Before | E:\OldName.txt | Same as ValueOld
Description | User AD Admin in the directory had their password reset | Description of the event
DomainName | PROD | Domain where the operation was performed
FacilityName | Local User Monitoring | Name of the facility
LDAP - Attributes | canonicalName, co, company, department, displayName | Attributes that were queried
LDAP - Elapsed | 8094 | How long the AD query took to run, in milliseconds; zero (0) indicates that it took less than a millisecond to complete
LDAP - Filter | (&(objectClass=user)(!(objectClass=computer))) | Filter string used in the AD query
LDAP - Occurrences | 1 | Number of times the AD query occurred during the specified interval
LDAP - Results | 52 | Number of results returned for the query
LDAP - Scope | This object and all children | Scope of the query: This object only, or This object and all children
LDAP - Since | 2018-01-15T09:42:01.3672010Z | Date and time when the AD query was first initiated
Log | ChangeAuditor | Name of the event log
Log name | ChangeAuditor | Same as Log
O365_Operation | Set Company Information | Office 365 operation
O365_SiteUrl | https://qa.sharepoint.com/sites/Certification/ | URL of the Office 365 site
Office 365 Site URL | https://qa.sharepoint.com/sites/Certification/ | Same as O365_SiteUrl
On premises target | RHSOFTWARE\AD_Admin | Same as AAD_OnPremisesTarget
On premises user name | RHSOFTWARE\AD_Admin | Same as AAD_OnPremisesUserName
RelatedOU | RHSoftware.Net/AzureAD Accounts | Same as RelatedOUWhom
RelatedOUWhere | OU=Domain Controllers,DC=RHSoftware,DC=Net | OU where the operation was performed
RelatedOUWhom | RHSoftware.Net/AzureAD Accounts | OU of the target object
Result | None | Operation result
SiteName | EMEA-SPB | Site where the operation was performed
Target display name | AD_Admin@RHSoftware.Net | Same as AAD_TargetDisplayName
Tenant | QAMyProduct.onmicrosoft.com | Same as AAD_TenantDisplayName
Tenant initial domain | QAMyProduct.onmicrosoft.com | Same as AAD_TenantDefaultDomain
UserName | SPB9983\Administrator | Event initiator
ValueNew | E:\NewName.txt | New value of the changed attribute
ValueOld | E:\OldName.txt | Old value of the changed attribute
What | Local user logged on | Event class name
When | 2016-11-12T06:00:00.0460000Z | When the operation was performed
Where | wst9983 | Where the operation was performed
Where_From | wst9943.sales.mycompany.com | Same as Workstation
Who | Administrator | Display name or name of the initiator
WhoId | S-1-5-21-1763487455-1171009733-2095814533-500 | SID of the initiator
Whom | WST9983\TestUser | Target object of the operation
Whom_ObjectClass | Users | Class of the target object
Workstation | wst9983.sales.mycompany.com | Workstation from which the operation was initiated

Active Roles Data Fields

The following are lists of fields that occur in Active Roles data, organized by type of returned object. You can type any of these fields in your search queries.

NOTE: The In UI column indicates whether the field is available in the IT Security Search web UI as a clickable element. Whether or not you can click it in the UI, you can type any of these fields in your search queries. For events, all fields are displayed, so the Events table has no In UI column.

Events

Field Name | Example Value | Details
--- | --- | ---
AR_ClientComputerName | ITSEARCHTEST3 | Host running the Active Roles client software
AR_ClientVersion_Build | 2 | Build number of the Active Roles client software version
AR_ClientVersion_Major | 7 | Major number of the Active Roles client software version
AR_ClientVersion_Minor | 1 | Minor number of the Active Roles client software version
AR_ClientVersion_Revision | 3406 | Revision of the Active Roles client software
AR_Server | arsit | Active Roles Server host
Attribute_* | New description1 | New value of an attribute (the attribute name replaces the asterisk)
ChangedAttributes | description,streetAddress | List of changed attributes
Completed | 2017-05-04T07:18:57.9741631Z | Timestamp of when the operation completed
Control_OperationReason | Reason for modification | Reason given for the operation
Description | Modified attributes: groupType: -2147483646; objectClass: group; sAMAccountName: ArsTestTemporalGroupSam_CB79; objectSid: AQUAAAAAAAUVAAAA+mvC8IvUdNjWHCAbGGkBAA== (one attribute per line) | Description of the event
ID | 1-107540 | ID of the operation
Initiated | 2017-05-04T07:18:57.9116595Z | Timestamp of when the operation was initiated
Initiator_DN | CN=Zakhar Shkonda,OU=zs,OU=TestUsers,DC=it,DC=sales,DC=mycompany | DN of the initiator
Initiator_Guid | b58c2906-ad0b-4682-bab3-0ae56503eeb5 | GUID of the initiator
Initiator_Host | ARSIT.it.sales.mycompany | Host of the initiator
Initiator_IsDSAdmin | True | True if the initiator is a DS administrator
Initiator_NTAccountName | IT\zs | NT account name of the initiator
Initiator_ObjectClass | user | Class of the initiator
Initiator_Sid | S-1-5-21-4039273466-3631535243-455089366-91270 | SID of the initiator
Initiator_Site | Default-First-Site-Name | Site of the initiator
Log | Active Roles | Log name
Logon_Site | Default-First-Site-Name | Same as Initiator_Site
Operation_GUID | 9b3c5524-065d-418a-9511-3043ab1a5bd7 | GUID of the operation
Operation_Type | Delete | Type of operation
Operation_TypeID | 1 | Type ID of the operation
Reason | Reason for modification | Same as Control_OperationReason
RelatedOU | it.sales.mycompany/AutotestOU/ARS/FIT2711055222_0E7C | Same as TargetObject_OUCanonical
Result | Completed | Same as Status
Status | Completed | Operation status
StatusID | 1 | Operation status ID
TargetObject_DN | CN=ArsCHUser1_0E7C,OU=FIT2711055222_0E7C,OU=ARS,OU=AutotestOU,DC=it,DC=sales,DC=mycompany | DN of the target object
TargetObject_Guid | b6a8b5d0-e003-4421-a7a4-e6fc11f3075a | GUID of the target object
TargetObject_NTAccountName | IT\ArsCHUser1_0E7C | NT account name of the target object
TargetObject_ObjectClass | user | Class of the target object
TargetObject_OUCanonical | it.mycompany.com/AutotestOU/ARS/FIT2711055222_0E7C | Canonical name of the target object's OU
TargetObject_Sid | S-1-5-21-4039273466-3631535243-455089366-91270 | SID of the target object
TargetObject_SimpleName | ArsCHUser1_0E7C | Name of the target object
What | Delete | Same as Operation_Type
When | 2017-05-10T08:38:58.0000000Z | Same as Completed
Where | dc2.it.sales.mycompany | Host where the operation was performed
Who | IT\zs | Same as Initiator_NTAccountName
Who_DN | CN=Caroline Abbage,OU=mgmt,OU=TestUsers,DC=it,DC=sales,DC=mycompany | Same as Initiator_DN
Who_Guid | b58c2906-ad0b-4682-bab3-0ae56503eeb5 | Same as Initiator_Guid
Who_IsDSAdmin | True | Same as Initiator_IsDSAdmin
Who_ObjectClass | user | Same as Initiator_ObjectClass
Who_Sid | S-1-5-21-4039273466-3631535243-455089366-1131 | Same as Initiator_Sid
WhoId | S-1-5-21-4039273466-3631535243-455089366-1131 | Same as Initiator_Sid
Whom | ArsTestDynamicGroup_CB79 | Same as TargetObject_SimpleName
Whom_DN | CN=ArsTestTemporalGroup_CB79,OU=FIT1010370592_CB79,OU=ARS,OU=AutotestOU,DC=it,DC=sales,DC=mycompany | Same as TargetObject_DN
Whom_Guid | eff86e4b-7800-44ce-af3c-ecf198ccadd5 | Same as TargetObject_Guid
Whom_NTAccountName | IT\ArsCHUser1_0E7C | Same as TargetObject_NTAccountName
Whom_ObjectClass | Groups | Same as TargetObject_ObjectClass
Whom_Sid | S-1-5-21-4039273466-3631535243-455089366-92446 | Same as TargetObject_Sid
WhomId | CN=ArsTestDynamicGroup_CB79,CN=ArsTestContainer2_C829,OU=FIT1012125742_C829,OU=ARS,OU=AutotestOU,DC=it,DC=sales,DC=mycompany | Same as TargetObject_DN
WhomSimple | ArsTestDynamicGroup_CB79 | Same as TargetObject_SimpleName
Workstation | ARSIT.it.sales.mycompany | Same as Initiator_Host
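
The Description example in the table above carries the target's objectSid as base64-encoded binary, whereas Who_Sid, Whom_Sid and the AccountSid fields use the textual S-1-5-... form, so the two cannot be matched by eye. The Python below is an added illustration, not code from IT Security Search or Active Roles: it splits a "Modified attributes:" description into name/value pairs and converts the SID in both directions using the standard SID binary layout (revision byte, sub-authority count, 48-bit big-endian identifier authority, then little-endian 32-bit sub-authorities). The one-pair-per-line layout of the description is inferred from the example value and is an assumption; the sample text is copied from that example.

```python
import base64
import struct

# Description value copied from the Active Roles events table (one "name: value"
# pair per line under a "Modified attributes:" heading); used as sample input.
SAMPLE_DESCRIPTION = """Modified attributes:
groupType: -2147483646
objectClass: group
sAMAccountName: ArsTestTemporalGroupSam_CB79
objectSid: AQUAAAAAAAUVAAAA+mvC8IvUdNjWHCAbGGkBAA=="""


def sid_bytes_to_string(raw: bytes) -> str:
    """Render a binary SID (the objectSid attribute) as S-<rev>-<authority>-<sub>...

    Layout: byte 0 revision, byte 1 sub-authority count, bytes 2..7 identifier
    authority (48-bit big-endian), then count x 32-bit little-endian sub-authorities.
    """
    if len(raw) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError(f"length {len(raw)} does not match {count} sub-authorities")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string; rejects malformed or out-of-range input."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15 or authority >= 2**48 or any(s >= 2**32 for s in subs):
        raise ValueError(f"SID component out of range: {sid!r}")
    header = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return header + struct.pack(f"<{len(subs)}I", *subs)


def decode_objectsid_field(b64: str) -> str:
    """Base64 text as shown in the Description field -> S-1-5-... string."""
    return sid_bytes_to_string(base64.b64decode(b64, validate=True))


def encode_sid_for_description(sid: str) -> str:
    """S-1-5-... string -> the base64 form shown in the Description field."""
    return base64.b64encode(sid_string_to_bytes(sid)).decode("ascii")


def parse_modified_attributes(description: str) -> dict:
    """Split a 'Modified attributes:' description into a dict and decode objectSid so it
    can be compared with Whom_Sid / AccountSid (assumed line format, see SAMPLE_DESCRIPTION)."""
    attrs = {}
    for line in description.splitlines():
        line = line.strip()
        if not line or line.endswith(":"):  # skip blanks and the heading line
            continue
        name, _, value = line.partition(":")
        attrs[name.strip()] = value.strip()
    if "objectSid" in attrs:
        attrs["objectSid"] = decode_objectsid_field(attrs["objectSid"])
    return attrs


if __name__ == "__main__":
    for name, value in parse_modified_attributes(SAMPLE_DESCRIPTION).items():
        print(f"{name}: {value}")
```

The decoded example resolves to the same domain SID prefix (S-1-5-21-4039273466-3631535243-455089366) as the Who_Sid and Whom_Sid examples on this page, which is the sanity check to apply before pasting the result into a Whom_Sid or AccountSid query.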

Computers

Field Name | In UI | Example Value | Details
--- | --- | --- | ---
AccountSid | Yes | S-1-5-21-4039273466-3631535243-455089366-89812 | Computer account SID
Description | Yes | Storage Server | Description of the computer
DistinguishedName | No | CN=DC1,OU=Domain Controllers,DC=it,DC=sales,DC=mycompany | Computer account distinguished name; search by full value only
DNSHostName | Yes | DC1.it.sales.mycompany | DNS host name
Location | Yes | Houston | Location of the computer
ManagedBy | No | CN=Caroline Abbage,OU=Employees,DC=it,DC=sales,DC=mycompany | Same as ManagedByFullName
ManagedByFullName | No | CN=Caroline Abbage,OU=Employees,DC=it,DC=sales,DC=mycompany | Distinguished name of the manager of the computer account; search by full value only
Name | Yes | DC1 | Same as NetBiosName
NetBiosName | Yes | DC1 | NetBIOS name of the computer
NumLogons | Yes | 12656 | Logon count
ObjectCategory | Yes | computer | Object class = computer
ObjectGUID | No | ddd94ab4-5de6-4696-a93c-433cf9827c28 | Object GUID of the computer account
OSName | Yes | Windows Server 2008 R2 Enterprise | OS name
OSServicePack | Yes | Service Pack 1 | OS service pack
OSVersion | Yes | 6.1 (7601) | OS version
Where | Yes | DC1 | Same as NetBiosName
Who | Yes | CN=Caroline Abbage,OU=Employees,DC=it,DC=sales,DC=mycompany | Same as ManagedByFullName

Groups

Field Name | In UI | Example Value | Details
--- | --- | --- | ---
CN | Yes | Users | Common name of the group
Description | Yes | Houston internal group for notification | Description of the group
DisplayName | Yes | Users | Display name of the group
DistinguishedName | No | CN=MCDL.RD.Notification,OU=RD,OU=Groups,DC=it,DC=sales,DC=mycompany | Distinguished name of the group; search by full value only
Email | Yes | MCDL.RD.Notification@it.sales.mycompany | Email address of the group
GroupType | No | -2147483640 | Integer value of the bitmask that encodes group type and scope; search by full value only (details at https://msdn.microsoft.com/en-us/library/ms675935.aspx)
HomePage | Yes | http://homepage | Home page of the group
Info | Yes | Some info | Additional information about the group
ManagedBy | No | CN=Caroline Abbage,OU=Employees,DC=it,DC=sales,DC=mycompany | Same as ManagedByFullName
ManagedByFullName | Yes | CN=Caroline Abbage,OU=Employees,DC=it,DC=sales,DC=mycompany | Distinguished name of the manager of the group; search by full value only
Name | Yes | Users | Name of the group
ObjectCategory | Yes | group | Object class = group
ObjectGUID | No | 80b090a2-968f-42e6-bc76-6e2505f43759 | GUID of the group object
SAMAccountName | Yes | Users | SAMAccountName of the group
Url | Yes | http://groupname | URL of the group
Who | Yes | CN=Caroline Abbage,OU=Employees,DC=it,DC=sales,DC=mycompany | Same as ManagedByFullName

OUs

Field Name | In UI | Example Value | Details
--- | --- | --- | ---
Description | Yes | Default container for Defender objects | Description of the OU
DistinguishedName | No | OU=BestEmployees,DC=it,DC=sales,DC=mycompany | Distinguished name of the OU; search by full value only
ManagedBy | No | CN=Clive Herry,OU=mgmt,OU=TestUsers,DC=it,DC=sales,DC=mycompany | Same as ManagedByFullName
ManagedByFullName | Yes | CN=Clive Herry,OU=mgmt,OU=TestUsers,DC=it,DC=sales,DC=mycompany | Distinguished name of the manager of the OU; search by full value only
Name | Yes | Users | Name of the OU
ObjectCategory | Yes | organizationalUnit | Object class = organizationalUnit or container
ObjectGUID | No | 675205fb-4d29-44b6-9284-69e867689f38 | GUID of the OU
USNChanged | No | 9296605 | USN-Changed attribute of the OU; search by full value only

Users

Field Name | In UI | Example Value | Details
--- | --- | --- | ---
AccountSid | No | S-1-5-21-4039273466-3631535243-455089366-26350 | User SID; search by full value only
Company | Yes | MyCompany | Company name
Country | Yes | United States | Country name
Department | Yes | Sales | Department name
DisplayName | No | Caroline Abbage | User display name
DistinguishedName | No | CN=Caroline Abbage,OU=Employees,DC=it,DC=sales,DC=mycompany | User distinguished name; search by full value only
EmailAddress | Yes | Caroline.Abbage@sales.mycompany.com | Email address
HomePhoneNumber | Yes | +1 410 531 0638 | Home telephone number
Logon Name | Yes |  | Same as LogonName
LogonName | No | SVC-Scanner@main.mycompany.corp | Logon name of the domain user
ManagedBy | No | CN=Caroline Abbage,OU=Employees,DC=it,DC=sales,DC=mycompany | Same as ManagedByFullName
ManagedByFullName | No | CN=Caroline Abbage,OU=Employees,DC=it,DC=sales,DC=mycompany | Distinguished name of the user's manager; search by full value only
Mobile | Yes | + 911 9 769 8889 | Mobile phone number
Name | Yes | Caroline Abbage | User name
ObjectCategory | Yes | user | Object class = user
ObjectGUID | No | 861205fb-4d29-44b6-9284-69e867689f38 | User object GUID; search by full value only
Office | Yes | Ludlow st. 80, suite 200 | Physical delivery office name
SAMAccountName | Yes | jcdenton | SAMAccountName of the user
StreetAddress | Yes | Ludlow st. 80 | Street address
TelephoneNumber | Yes | + 123 4 567 8900 | Telephone number
Title | Yes | Mgr, Sales | User job title
USNChanged | No | 9296605 | USN-Changed attribute of the user; search by full value only
Who | No | Administrator | Searches the following attributes: SAMAccountName, DisplayName, AccountSid, DistinguishedName

Recovery Manager for Active Directory Data Fields

The following are lists of fields that occur in Recovery Manager for Active Directory data, organized by type of returned object.

NOTE: The In UI column indicates if the field is available in the IT Security Search web UI as a clickable element. Whether or not you can click it in the UI, you can type any of these fields in your search queries.

Computers

Field Name | In UI | Example Value | Details
--- | --- | --- | ---
AccountSid | Yes | S-1-5-21-4039273466-3631535243-455089366-89812 | Computer account SID
Description | Yes | Storage Server | Description of the computer
DistinguishedName | No | CN=DC1,OU=Domain Controllers,DC=it,DC=sales,DC=mycompany | Computer account distinguished name; search by full value only
DNSHostName | Yes | DC1.it.sales.mycompany | DNS host name
Location | Yes | Houston | Location of the computer
ManagedBy | No | CN=Caroline Abbage,OU=Employees,DC=it,DC=sales,DC=mycompany | Same as ManagedByFullName
ManagedByFullName | No | CN=Caroline Abbage,OU=Employees,DC=it,DC=sales,DC=mycompany | Distinguished name of the manager of the computer account; search by full value only
Name | Yes | DC1 | Same as NetBiosName
NetBiosName | Yes | DC1 | NetBIOS name of the computer
NumLogons | Yes | 12656 | Logon count
ObjectCategory | Yes | computer | Object class = computer
ObjectGUID | No | ddd94ab4-5de6-4696-a93c-433cf9827c28 | Object GUID of the computer account
OSName | Yes | Windows Server 2008 R2 Enterprise | OS name
OSServicePack | Yes | Service Pack 1 | OS service pack
OSVersion | Yes | 6.1 (7601) | OS version
Where | Yes | DC1 | Same as NetBiosName
Who | Yes | CN=Caroline Abbage,OU=Employees,DC=it,DC=sales,DC=mycompany | Same as ManagedByFullName

Groups

Field Name | In UI | Example Value | Details
--- | --- | --- | ---
CN | Yes | Users | Common name of the group
Description | Yes | Houston internal group for notification | Description of the group
DisplayName | Yes | Users | Display name of the group
DistinguishedName | No | CN=MCDL.RD.Notification,OU=RD,OU=Groups,DC=it,DC=sales,DC=mycompany | Distinguished name of the group; search by full value only
Email | Yes | MCDL.RD.Notification@it.sales.mycompany | Email address of the group
GroupType | No | -2147483640 | Integer value of the bitmask that encodes group type and scope; search by full value only (details at https://msdn.microsoft.com/en-us/library/ms675935.aspx)
HomePage | Yes | http://homepage | Home page of the group
Info | Yes | Some info | Additional information about the group
ManagedBy | No | CN=Caroline Abbage,OU=Employees,DC=it,DC=sales,DC=mycompany | Same as ManagedByFullName
ManagedByFullName | Yes | CN=Caroline Abbage,OU=Employees,DC=it,DC=sales,DC=mycompany | Distinguished name of the manager of the group; search by full value only
Name | Yes | Users | Name of the group
ObjectCategory | Yes | group | Object class = group
ObjectGUID | No | 80b090a2-968f-42e6-bc76-6e2505f43759 | GUID of the group object
SAMAccountName | Yes | Users | SAMAccountName of the group
Url | Yes | http://groupname | URL of the group
Who | Yes | CN=Caroline Abbage,OU=Employees,DC=it,DC=sales,DC=mycompany | Same as ManagedByFullName
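
GroupType can only be searched by its full integer value, so you need to know which integer stands for the group you are looking for. The two GroupType examples on this page (-2147483640 in the Active Roles and Recovery Manager group tables, -2147483646 in the Active Roles event description) are signed 32-bit views of the groupType bitmask referenced above: the high bit marks a security-enabled group and the low bits select the scope. The Python below is an added illustration, not code from IT Security Search; the flag values are those of the AD groupType attribute, and the GroupType:value query form follows the Field:value syntax shown in the saved-search section of this guide (an assumption about the exact query text).

```python
# Bit assignments of the AD groupType attribute (the ms675935 reference linked above).
GROUP_TYPE_FLAGS = {
    0x00000001: "BUILTIN_LOCAL_GROUP",
    0x00000002: "ACCOUNT_GROUP",        # global scope
    0x00000004: "RESOURCE_GROUP",       # domain local scope
    0x00000008: "UNIVERSAL_GROUP",
    0x00000010: "APP_BASIC_GROUP",
    0x00000020: "APP_QUERY_GROUP",
    0x80000000: "SECURITY_ENABLED",     # absent means distribution group
}
SCOPE_BITS = {
    0x00000001: "BuiltinLocal",
    0x00000002: "Global",
    0x00000004: "DomainLocal",
    0x00000008: "Universal",
}
_KNOWN_MASK = sum(GROUP_TYPE_FLAGS)     # union of all assigned bits


def decode_group_type(value: int) -> dict:
    """Interpret a groupType value as AD stores it (signed 32-bit integer)."""
    if not -2**31 <= value < 2**31:
        raise ValueError("groupType must be a signed 32-bit integer")
    bits = value & 0xFFFFFFFF            # view the signed value as an unsigned bit pattern
    scopes = [name for bit, name in SCOPE_BITS.items() if bits & bit]
    return {
        "unsigned": bits,
        "flags": [name for bit, name in GROUP_TYPE_FLAGS.items() if bits & bit],
        # exactly one scope bit is legal; anything else is reported as None
        "scope": scopes[0] if len(scopes) == 1 else None,
        "security_enabled": bool(bits & 0x80000000),
        "unknown_bits": bits & ~_KNOWN_MASK,   # bits the attribute definition does not assign
    }


def encode_group_type(scope: str, security_enabled: bool) -> int:
    """Build the signed value for a scope/security combination, e.g. to search on it."""
    inverse = {name: bit for bit, name in SCOPE_BITS.items()}
    bits = inverse[scope] | (0x80000000 if security_enabled else 0)
    return bits - 2**32 if bits & 0x80000000 else bits   # back to the signed form AD stores


def group_type_query(scope: str, security_enabled: bool) -> str:
    """Full-value GroupType: term in the Field:value form used elsewhere in this guide."""
    return f"GroupType:{encode_group_type(scope, security_enabled)}"


if __name__ == "__main__":
    for example in (-2147483640, -2147483646, 8):
        print(example, decode_group_type(example))
    print(group_type_query("Universal", True))
```

Decoding -2147483640 gives 0x80000008, a security-enabled universal group, and -2147483646 gives 0x80000002, a security-enabled global group; a plain 8 is a universal distribution group. Any non-zero unknown_bits result means the value did not come from a standard groupType and should not be pasted into a query unexamined.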

OUs

Field Name | In UI | Example Value | Details
--- | --- | --- | ---
Description | Yes | Default container for Defender objects | Description of the OU
DistinguishedName | No | OU=BestEmployees,DC=it,DC=sales,DC=mycompany | Distinguished name of the OU; search by full value only
ManagedBy | No | CN=Clive Herry,OU=mgmt,OU=TestUsers,DC=it,DC=sales,DC=mycompany | Same as ManagedByFullName
ManagedByFullName | Yes | CN=Clive Herry,OU=mgmt,OU=TestUsers,DC=it,DC=sales,DC=mycompany | Distinguished name of the manager of the OU; search by full value only
Name | Yes | Users | Name of the OU
ObjectCategory | Yes | organizationalUnit | Object class = organizationalUnit or container
ObjectGUID | No | 675205fb-4d29-44b6-9284-69e867689f38 | GUID of the OU
USNChanged | No | 9296605 | USN-Changed attribute of the OU; search by full value only

Users

Field Name | In UI | Example Value | Details
--- | --- | --- | ---
AccountSid | No | S-1-5-21-4039273466-3631535243-455089366-26350 | User SID; search by full value only
Company | Yes | MyCompany | Company name
Country | Yes | United States | Country name
Department | Yes | Sales | Department name
DisplayName | No | Caroline Abbage | User display name
DistinguishedName | No | CN=Caroline Abbage,OU=Employees,DC=it,DC=sales,DC=mycompany | User distinguished name; search by full value only
EmailAddress | Yes | Caroline.Abbage@sales.mycompany.com | Email address
HomePhoneNumber | Yes | +1 410 531 0638 | Home telephone number
Logon Name | No |  | Same as LogonName
LogonName | No | SVC-Scanner@main.mycompany.corp | Logon name of the domain user
ManagedBy | No | CN=Caroline Abbage,OU=Employees,DC=it,DC=sales,DC=mycompany | Same as ManagedByFullName
ManagedByFullName | No | CN=Caroline Abbage,OU=Employees,DC=it,DC=sales,DC=mycompany | Distinguished name of the user's manager; search by full value only
Mobile | Yes | + 911 9 769 8889 | Mobile phone number
Name | Yes | Caroline Abbage | User name
ObjectCategory | Yes | user | Object class = user
ObjectGUID | No | 861205fb-4d29-44b6-9284-69e867689f38 | User object GUID; search by full value only
Office | Yes | Ludlow st. 80, suite 200 | Physical delivery office name
SAMAccountName | Yes | jcdenton | SAMAccountName of the user
StreetAddress | Yes | Ludlow st. 80 | Street address
TelephoneNumber | Yes | + 123 4 567 8900 | Telephone number
Title | Yes | Mgr, Sales | User job title
USNChanged | No | 9296605 | USN-Changed attribute of the user; search by full value only
Who | No | Administrator | Searches the following attributes: SAMAccountName, DisplayName, AccountSid, DistinguishedName

Saving Searches and Running Saved Searches

You can save any search for later reuse. Any IT Security Search operator or administrator can save searches and run saved searches, but only administrators can make them public for shared use.

Saving Searches

To save a search, click the drop-down icon at the left edge of the search box and click Save Current Search. Proceed to configure your search in the popup that appears:

  • Give the search a meaningful name.
  • Add tags so that users can easily find the search by category.
  • Select which parameters you want to make customizable, if necessary.
    All field names that occur in your search string are listed. Select the check boxes next to the ones that you want to make customizable. Whenever this saved search is used in the future, it will prompt for the values of all of the fields you select.

NOTE: The field selection controls in the popup are really only a graphical way to include special syntax in your search string. The syntax for a customizable attribute is a string (usually, the field name) enclosed in double curly braces, in the place of a value substring.

For example, Domain:{{Domain}} will make IT Security Search prompt you for the value of the Domain field, labeled "Domain"; Domain:{{Active Directory Domain}} will also prompt you for the value of Domain, but the label will be "Active Directory Domain".

You can manually construct search strings that include this syntax, without using the field selector. This helps you provide descriptive labels for parameters.

  • Specify the time period that the search must cover.
    For that, select one of the options at the right edge of the search box. These times are relative to the moment the saved search is run.

When you have configured these options, click Save.
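
The NOTE above says the field check boxes are only a front end for the {{label}} syntax. The Python below is an added illustration, not IT Security Search code, of the three operations that syntax implies: listing the labels a saved search will prompt for, turning a literal Field:value term into Field:{{Field}} the way a ticked check box does, and filling in the prompted values before the search runs while refusing to run with a placeholder still unanswered. The {{...}} form is taken from the guide; the assumption that a value is either a double-quoted string or a run of non-blank characters after the colon is the example's own, since the page does not spell out the rest of the query grammar.

```python
import re

# A placeholder is any text inside double curly braces where a value would otherwise go.
PLACEHOLDER = re.compile(r"\{\{([^{}]+)\}\}")


def parameters(search: str) -> list:
    """Labels the saved search prompts for, in order of first appearance, deduplicated."""
    labels = []
    for match in PLACEHOLDER.finditer(search):
        label = match.group(1).strip()
        if label and label not in labels:
            labels.append(label)
    return labels


def parameterize(search: str, fields) -> str:
    """Do by hand what ticking a field's check box does: swap Field:value for Field:{{Field}}.

    Assumed query grammar: a value is either a double-quoted string or a run of
    non-blank characters directly after the colon (not documented on this page)."""
    for field in fields:
        pattern = re.compile(r'(?<![\w-])(%s):("[^"]*"|\S+)' % re.escape(field))
        search, hits = pattern.subn(lambda m: "%s:{{%s}}" % (m.group(1), m.group(1)), search)
        if hits == 0:
            raise ValueError(f"field {field!r} does not occur in the search string")
    return search


def render(search: str, values: dict) -> str:
    """Substitute prompted values; refuse to run while any placeholder is unanswered."""
    missing = [p for p in parameters(search) if not values.get(p)]
    if missing:
        raise KeyError("no value supplied for: " + ", ".join(missing))
    return PLACEHOLDER.sub(lambda m: values[m.group(1).strip()], search)


if __name__ == "__main__":
    saved = parameterize("Domain:PROD Who:Administrator", ["Domain"])
    saved = saved.replace("{{Domain}}", "{{Active Directory Domain}}")  # a friendlier label
    print(saved, "->", parameters(saved))
    print(render(saved, {"Active Directory Domain": "PROD"}))
```

Because the label is free text, the same label used twice (Who:{{Who}} Whom:{{Who}}) is prompted once and substituted in both places, which is how a single prompt can drive several terms of one saved search.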

Running a Saved Search

To run an existing saved search, click the drop-down icon at the left edge of the search box; the available saved searches are listed at the bottom of the popup that appears. You can filter the list by clicking tag buttons in the Saved Search Categories drop-down.

Making a Saved Search Public or Private

You can publish a search to make it available to all operators only if you are an IT Security Search administrator.

In the saved search list, the items have a lock icon showing their state. A private search has a closed lock icon; click the icon to make it public. A public search has an open lock icon; click the icon to make it private.

Deleting a Saved Search

To delete a saved search, highlight it in the saved search list and click the cross icon.

Importing and Exporting Searches

Saved search import and export capabilities help you back up and restore your IT data analysis knowledge and share it with other IT Security Search users.

To use the Import and Export actions, click the drop-down icon at the left edge of the search box; these actions are available at the top of the drop-down menu.

When you click Export, you are prompted to save a *.yaml file. The resulting file will contain all saved searches created under your account plus any saved searches made public by administrators.

NOTE: This action saves not only searches but also any custom action links defined in your IT Security Search deployment. For details about making custom action links, see Customizing Action Links.

When you click Import, you are prompted to select a previously exported *.yaml file. If the file includes any searches with the same names as your existing searches, you have the option to collectively skip, overwrite or automatically rename such searches.

IMPORTANT: Administrators can overwrite administrator-created public saved searches on import, but operators cannot. If you are an operator and the import file contains such a search, it is silently skipped instead of being overwritten.
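
The conflict options and the operator restriction described above amount to a small merge policy. The Python below is an added illustration, not IT Security Search code: it applies that policy to an in-memory list of saved searches and records every decision, including the skips the product performs silently, which is the check you want when an operator reports that an import "lost" some searches. The SavedSearch fields, the sample data and the "name (n)" renaming pattern are constructed for the example; the page does not describe the YAML layout, so no file is parsed.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class SavedSearch:
    name: str
    query: str
    public: bool = False            # made public by an administrator
    created_by_admin: bool = False


# Constructed sample data: one public administrator search, one private operator search.
SAMPLE_EXISTING = [
    SavedSearch("Admin logons", "What:Logon", public=True, created_by_admin=True),
    SavedSearch("My search", "Who:zs"),
]
SAMPLE_INCOMING = [
    SavedSearch("Admin logons", "What:Logoff"),
    SavedSearch("My search", "Who:admin"),
    SavedSearch("New one", "Whom:DC1"),
]


def _renamed(name: str, taken) -> str:
    """First 'name (n)' not already in use, n starting at 2 (renaming scheme is assumed)."""
    n = 2
    while f"{name} ({n})" in taken:
        n += 1
    return f"{name} ({n})"


def import_searches(existing, incoming, on_conflict: str, importer_is_admin: bool):
    """Merge an exported list into the current one.

    on_conflict is the option chosen in the import dialog: 'skip', 'overwrite' or
    'rename', applied to every name clash alike. Returns the merged searches keyed by
    name plus a log of what happened to each incoming search."""
    if on_conflict not in ("skip", "overwrite", "rename"):
        raise ValueError(f"unknown conflict option {on_conflict!r}")
    result = {s.name: s for s in existing}
    log = []
    for s in incoming:
        current = result.get(s.name)
        if current is None:
            result[s.name] = s
            log.append((s.name, "added"))
        elif on_conflict == "skip":
            log.append((s.name, "skipped"))
        elif on_conflict == "rename":
            new_name = _renamed(s.name, result)
            result[new_name] = replace(s, name=new_name)
            log.append((s.name, f"added as {new_name!r}"))
        elif current.public and current.created_by_admin and not importer_is_admin:
            # operators may not overwrite an administrator's public search; the UI is silent
            log.append((s.name, "skipped: public administrator search, operator import"))
        else:
            result[s.name] = s
            log.append((s.name, "overwritten"))
    return result, log


if __name__ == "__main__":
    merged, decisions = import_searches(SAMPLE_EXISTING, SAMPLE_INCOMING, "overwrite", False)
    for name, outcome in decisions:
        print(f"{name}: {outcome}")
```

Run with importer_is_admin=False, the operator's overwrite of "Admin logons" is logged as skipped while "My search" is overwritten; the same import as an administrator overwrites both.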
