InTrust Predefined Objects for Windows-Based Computers
InTrust offers a set of predefined objects that help you configure the gathering and monitoring of event data from your Windows-based computers. The following is a list of these objects. For a list of Windows reports, see Report Pack for Windows.
Gathering Policies
- Windows/AD: Security: All Events
Defines all Windows/AD security events to be collected to a repository. The most critical security events, such as Failed Logons and Account Management, are also collected into a database for analysis. The policy is intended to be used for gathering on a daily basis.
- Windows/AD: Security: All Logons
Defines the Logon events to be collected both to a repository and a database.
- Windows/AD: Security: Failed Logons
Defines the Failed Logon events to be collected to both a repository and a database.
- Windows/AD: Security: Account Management
Defines the Account Management events to be collected both to a repository and a database.
- Windows/AD: Security: Policy Changes
Defines the Policy Changes to be collected both to a repository and a database.
- Windows/AD: Security: Objects Access
Defines the Object Access events to be collected both to a repository and a database.
- Windows/AD: Security: Misc
Defines all Windows/AD miscellaneous security events to be collected to a repository. The most critical miscellaneous security events, such as Security Subsystem and Audit Subsystem Faults, are also collected into a database for analysis.
- Windows/AD: DHCP
Collects all the DHCP events from both the Windows System Log and the DHCP Audit Log to a repository and a database.
- Windows/AD: Security: Objects Access: Registry Access
Defines the Registry Access events to be collected both to a repository and a database.
- Windows/AD: Successful AD Administrator Logons
Defines the successful AD Administrator logon events on domain controllers to be collected both to a repository and a database.
- Auditing Domain Controllers: Events from DCs
Defines all events from domain controller logs to be collected to the repository and then imported to an audit database as part of the “Auditing Domain Controllers” best-practice scenario. No filters are applied.
- Auditing Domain Controllers: Events from DCs for the Last 24 Hours
Defines all events from domain controller logs to be collected to the repository and then imported to an audit database as part of the “Auditing Domain Controllers” best-practice scenario. All events older than 24 hours are filtered out.
- Auditing Exchange Servers: Events from Exchange Servers
Defines all Exchange-related events to be collected to the repository and then imported to an audit database as part of the “Auditing Exchange Servers” best-practice scenario. No filters are applied.
- Auditing Exchange Servers: Exchange Events for the Last 24 Hours
Defines all Exchange-related events to be collected to the repository and then imported to an audit database as part of the “Auditing Exchange Servers” best-practice scenario. All events older than 24 hours are filtered out.
- Auditing File Servers: Events from File Servers
Defines all file server-related events to be collected to the repository and then imported to an audit database as part of the “Auditing File Servers” best-practice scenario. No filters are applied.
- Auditing File Servers: File Server Events for the Last 24 Hours
Defines all file server-related events to be collected to the repository and then imported to an audit database as part of the “Auditing File Servers” best-practice scenario. All events older than 24 hours are filtered out.
- Auditing Workstations: Events from Workstations
Defines all events from desktop logs to be collected to the repository and then imported to an audit database as part of the “Auditing Workstations” best-practice scenario. No filters are applied.
- Auditing Workstations: Events from Workstations for the Last 24 Hours
Defines all events from desktop logs to be collected to the repository and then imported to an audit database as part of the “Auditing Workstations” best-practice scenario. All events older than 24 hours are filtered out.
Import Policies
- Windows/AD: Security: All Events
Defines all Windows/AD security events to be imported to a database for analysis.
- Windows/AD: Security: All Logons
Defines the Logon events to be imported to a database.
- Windows/AD: Security: Failed Logons
Defines the Failed Logon events to be imported to a database.
- Windows/AD: Security: Account Management
Defines the Account Management events to be imported to a database.
- Windows/AD: Security: Policy Changes
Defines the Policy Changes to be imported to a database.
- Windows/AD: Security: Objects Access
Defines the Object Access events to be imported to a database.
- Windows/AD: Security: Misc
Defines the most critical miscellaneous security events, such as Security Subsystem and Audit Subsystem Faults, to be imported to a database for analysis.
- Windows/AD: DHCP
Imports the DHCP events from both the Windows System Log and the DHCP Audit Log to a database.
- Windows/AD: Security: Objects Access: Registry Access
Defines the Registry Access events to be imported to a database.
- Windows/AD: Successful AD Administrator Logons
Defines the successful AD Administrator logon events on domain controllers to be imported to a database.
- Auditing Domain Controllers: Weekly Reporting
Defines events from the Windows Security, System and Application logs and the InTrust for AD log to be imported to an audit database. Events older than one week are excluded.
- Auditing Domain Controllers: Daily Reporting
Defines events from the Windows Security, System and Application logs and the InTrust for AD log to be imported to an audit database. Events older than one day are excluded.
- Auditing Exchange Servers: Weekly Reporting
Defines events from the Windows Security, System, Directory Service and Application logs, Exchange tracking log and CA for Exchange log to be imported to an audit database. Events older than one week are excluded.
- Auditing Exchange Servers: Daily Reporting
Defines events from the Windows Security, System, Directory Service and Application logs, Exchange tracking log and CA for Exchange log to be imported to an audit database. Events older than one day are excluded.
- Auditing File Servers: Weekly Reporting
Defines events from the Windows Security, System, Directory Service and Application logs and CA for file servers log to be imported to an audit database. Events older than one week are excluded.
- Auditing File Servers: Daily Reporting
Defines events from the Windows Security, System, Directory Service and Application logs and CA for file servers log to be imported to an audit database. Events older than one day are excluded.
- Auditing Workstations: Weekly Reporting
Defines events from the Windows Security, System and Application logs to be imported to an audit database. Events older than one week are excluded.
- Auditing Workstations: Daily Reporting
Defines events from the Windows Security, System and Application logs to be imported to an audit database. Events older than one day are excluded.
Jobs
- All Windows and AD Security Events collection
Collects all the Windows/AD security events to the default repository. The most critical security events, such as failed logons, are also collected to the default database for analysis.
- DHCP Events collection
Collects the DHCP events to the default repository and the default database.
- Daily Windows and AD Security Events Reporting
Controls daily reporting of the most critical Windows/AD security events.
- Notify Security Operators
Notifies the Security Operators notification group of task completion.
- InTrust Log Collection
Collection of the InTrust log from all InTrust servers in the organization.
- Audit Database Cleanup
Clears all default InTrust audit database contents older than one week.
- Event Collection
Gathers all domain controller-related, Exchange-related or desktop-related events to the default repository.
- Reports on DCs
Builds reports as part of the “Auditing Domain Controllers” best-practice scenario.
- Windows Event Log Reports
Builds Windows log-based reports as part of the “Auditing Domain Controllers” best-practice scenario.
- ChangeAuditor for AD Reports
Builds ChangeAuditor for AD reports as part of the “Auditing Domain Controllers” best-practice scenario.
- Event Import
Imports all domain controller-related events, all Exchange-related events or all desktop-related events from the default repository to the default audit database.
- Reports on Exchange Servers
Builds reports as part of the “Auditing Exchange Servers” best-practice scenario.
- CA for Exchange Servers Reports
Builds CA for Exchange log reports as part of the “Auditing Exchange Servers” best-practice scenario.
- Reports on Workstations
Builds reports based on the most common events as part of the “Auditing Workstations” best-practice scenario.
- Comprehensive Reports on Workstations
Builds diverse reports as part of the “Auditing Workstations” best-practice scenario.
Tasks
- Windows and AD Security Daily collection and reporting
Daily collection of all the Windows/AD security events to the default repository. The most critical security events, such as failed logons, are also collected to the default database for analysis.
- Weekly InTrust Log Collection
Collection of the InTrust log from all InTrust servers in the organization.
- Auditing Domain Controllers: Daily Gathering
Gathers all domain controller-related events to the default repository three times a day: about 6 AM, noon and 6 PM. This task is used in the “Auditing Domain Controllers” best-practice scenario when it is set to use a schedule.
- Daily Audit Database Cleanup
Clears all default InTrust audit database contents older than one week. This task runs daily and is shared by all best-practice scenarios: “Auditing Domain Controllers”, “Auditing Exchange Servers”, “Auditing File Servers” and “Auditing Workstations”.
- Auditing Domain Controllers: Ad-Hoc Reporting for the Last 24 Hours
Gathers domain controller-related events for the last 24 hours, imports them to the default audit database and creates reports as part of the “Auditing Domain Controllers” best-practice scenario.
- Auditing Domain Controllers: Daily Reporting
Gathers domain controller-related events for the last 24 hours, imports them to the default audit database and creates reports as part of the “Auditing Domain Controllers” best-practice scenario. This task runs daily.
- Auditing Domain Controllers: Weekly Reporting
Gathers domain controller-related events for the last week, imports them to the default audit database and creates reports as part of the “Auditing Domain Controllers” best-practice scenario. This task runs weekly.
- Auditing Exchange Servers: Daily Gathering
Gathers all Exchange-related events to the default repository three times a day: about 6 AM, noon and 6 PM. This task is used in the “Auditing Exchange Servers” best-practice scenario when it is set to use a schedule.
- Auditing Exchange Servers: Ad-Hoc Reporting for the Last 24 Hours
Gathers Exchange-related events for the last 24 hours, imports them to the default audit database and creates reports as part of the “Auditing Exchange Servers” best-practice scenario.
- Auditing Exchange Servers: Daily Reporting
Gathers Exchange-related events for the last 24 hours, imports them to the default audit database and creates reports as part of the “Auditing Exchange Servers” best-practice scenario. This task runs daily.
- Auditing Exchange Servers: Weekly Reporting
Gathers Exchange-related events for the last 24 hours, imports them to the default audit database and creates reports as part of the “Auditing Exchange Servers” best-practice scenario. This task runs weekly.
- Auditing File Servers: Daily Gathering
Gathers all file server-related events to the default repository three times a day: about 6 AM, noon and 6 PM. This task is used in the “Auditing File Servers” best-practice scenario when it is set to use a schedule.
- Auditing File Servers: Ad-Hoc Reporting for the Last 24 Hours
Gathers file server-related events for the last 24 hours, imports them to the default audit database and creates reports as part of the “Auditing File Servers” best-practice scenario.
- Auditing File Servers: Daily Reporting
Gathers file server-related events for the last 24 hours, imports them to the default audit database and creates reports as part of the “Auditing File Servers” best-practice scenario. This task runs daily.
- Auditing File Servers: Weekly Reporting
Gathers file server-related events for the last 24 hours, imports them to the default audit database and creates reports as part of the “Auditing File Servers” best-practice scenario. This task runs weekly.
- Auditing Workstations: Daily Gathering
Gathers all workstation-related events to the default repository three times a day: about 6 AM, noon and 6 PM. This task is used in the “Auditing Workstations” best-practice scenario when it is set to use a schedule.
- Auditing Workstations: Ad-Hoc Reporting for the Last 24 Hours
Gathers desktop-related events for the last 24 hours, imports them to the default audit database and creates reports as part of the “Auditing Workstations” best-practice scenario.
- Auditing Workstations: Daily Reporting
Gathers desktop-related events for the last 24 hours, imports them to the default audit database and creates reports as part of the “Auditing Workstations” best-practice scenario. This task runs daily.
- Auditing Workstations: Weekly Reporting
Gathers desktop-related events for the last 24 hours, imports them to the default audit database and creates reports as part of the “Auditing Workstations” best-practice scenario. This task runs weekly.
Sites
- All MS Windows NT based computers in the domain
All supported Microsoft Windows-based computers in the domain
- All Windows servers in the domain
- All Windows desktops in the domain
- All DHCP servers in the domain
- All InTrust servers
- Auditing Domain Controllers: DCs
- Auditing Exchange Servers: Exchange Servers
- Auditing File Servers: File Servers
- Auditing Workstations: Workstations
Real-Time Monitoring Policies
- Windows/AD Security: full
Specifies monitoring of all the security events on all the NT-based computers in the domain.
- Windows/AD Security: Detecting Common Attacks
Specifies only common attacks to be monitored on all the NT-based computers in the domain.
- Windows/AD Security: Administrative Activity Monitoring
Specifies administrative activity to be monitored on all the NT-based computers in the domain.
- InTrust: Tracking Log Monitoring
Specifies monitoring of critical events from all the InTrust servers in the organization.