立即与支持人员聊天
与支持团队交流

IT Security Search 11.4.1 - User Guide

InTrust Data Fields

The following are lists of fields that occur in InTrust events, organized by type of returned object.

NOTE: The In UI column indicates if the field is available in the IT Security Search web UI as a clickable element. Whether or not you can click it in the UI, you can type any of these fields in your search queries.

Field Name

In UI

Example Value

Details

Category

No

Sensitive Privilege Use

Event category

Computer

No

Y1202.seldom.mycompany

Computer where the event occurred

ComputerType

No

69635

Mask for computer type

DataSourceType

No

{A9E5C7A2-5C01-41B7-9D36-E562DFDDEFA9}

GUID of InTrust data source type

Description

No

An operation was attempted on a privileged object.

Event description

Environment

No

9E442BEE-EAC2-4D79-9013-053FB225CFD0

Enviroment GUID

EventID

No

4674

Event ID

Type

No

16

Event Type ID numeric

SourceComputer

No

Y1202

Name of gathering computer

SourceDomain

No

SELDOM

Name of gathering computer's domain

Log

No

Security

Log name

PlatformID

No

500

Platform ID (500 means Windows)

Source

No

Security

Event source

UserDomain

No

WST9983

Domain of the user that initiated this event

UserName

No

Administrator

Name of the user that initiated this event

VersionMajor

No

6

OS version major

VersionMinor

No

2

OS version minor

InsertionString*

Yes

NT AUTHORITY

InsertionString1, InsertionString2 etc.

Workstation

No

WST9983

Computer where the operation was initiated

Where_From

No

WST9983

Same as Workstation

WhoDomain

No

SALES

Same as UserDomain

Who

No

Administrator

Same as UserName

Object_DN

No

CN=HealthMailbox,
CN=Users,
DC=seldom,
DC=mycompany

DN of the object that was changed/deleted/created

Object_ID

Yes

DE442BEE-EAC2-4D79-9013-053FB225CFD0

ID of the object that was changed/deleted/created

WhomId

No

CN=Admin,
CN=Users,
DC=seldom,
DC=spb,
DC=qsft

Object_DN of the object that was changed/deleted/created, if available; otherwise Object_ID of the object

Whom_ObjectClass

No

user

Class of the object that was changed/deleted /created

ComputerName

No

COMP1

Same as Computer

What

No

NTLM Authentication

Event literal

Log name

No

Security

Same as Log

SourceName

No

Security

Same as Source

RelatedOU

No

sales.mycompany.corp/Production Computers

By Enterprise Reporter: OU associated with the computer

Whom_ObjectClass

No

user

By Enterprise Reporter: Object class of Whom

Change Auditor for Active Directory Data Fields

The following are lists of fields that occur in Change Auditor for Active Directory events, organized by type of returned object. All of these fields are available in the IT Security Search web UI as clickable elements. You can also type any of these fields in your search queries.

Field Name

Example Value

Details

AAD_City

"Halifax", "New York City"

Azure sign-in city

AAD_Country

"Canada", "US"

Azure sign-in country

AAD_ActivityStatusReason

User successfully reset password

Reason for activity status

AAD_OnPremisesTarget

RHSOFTWARE\AD_Admin

Azure AD on premises target name

AAD_OnPremisesUserName

RHSOFTWARE\AD_Admin

Azure AD on premises user name

AAD_State

"Nova Scotia", "New York"

Azure sign-in state

AAD_TargetDisplayName

AD_Admin@RHSoftware.Net

Azure AD Target object display name

AAD_TenantDefaultDomain

QAMyProduct.onmicrosoft.com

Azure AD tenant default domain name

AAD_TenantDisplayName

QA QAMyProduct.onmicrosoft.com My Product

Azure AD tenant display name

ActionName

Modify Attribute

Name of action

Activity Details

User successfully reset password

Same as AAD_ActivityStatusReason

After

E:\NewName.txt

Same as ValueNew

Azure - Activity Name

Set Company Information

Same as O365_Operation

Before

E:\OldName.txt

Same as ValueOld

Description

User AD Admin in the directory had their password reset

Event's description

DomainName

PROD

Domain where operation was performed

FacilityName

Local User Monitoring

Name of Facility

LDAP - Attributes

canonicalName, co, company, department, displayName

Attributes that were queried

LDAP - Elapsed

8094

How long the AD query took to run, in milliseconds; zero (0) indicates that it took less than a millisecond to complete

LDAP - Filter

(&(objectClass=user)(!(objectClass=computer)))

Filter string used in the AD query

LDAP - Occurrences

1

Number of times the AD query occurred during the specified interval

LDAP - Results

52

Number of results returned for the query

LDAP - Scope

This object and all children

Scope of coverage: (This object only, This object and all children)

LDAP - Since

2018-01-15T09:42:01.3672010Z

Date and time when the AD query was first initiated

Log

ChangeAuditor

Name of event log

Log name

ChangeAuditor

Same as Log

O365_Operation

Set Company Information

Office 365 operation

O365_SiteUrl

https://qa.sharepoint.com/sites/Certification/

URL of Office 365 site

Office 365 Site URL

https://qa.sharepoint.com/sites/Certification/

Same as O365_SiteUrl

On premises target

RHSOFTWARE\AD_Admin

Same as AAD_OnPremisesTarget

On premises user name

RHSOFTWARE\AD_Admin

Same as AAD_OnPremisesUserName

RelatedOU

RHSoftware.Net/AzureAD Accounts

Same as RelatedOUWhom

RelatedOUWhere

 OU=Domain Controllers,DC=RHSoftware,DC=Net

Ou where operation was performed

RelatedOUWhom

RHSoftware.Net/AzureAD Accounts

OU of target object

Result

None

Operation result

SiteName

EMEA-SPB

Site where operation was performed

Target display name

AD_Admin@RHSoftware.Net

Same as AAD_TargetDisplayName

Tenant

QAMyProduct.onmicrosoft.com

Same as AAD_TenantDisplayName

Tenant initial domain

QAMyProduct.onmicrosoft.com

Same as AAD_TenantDefaultDomain

UserName

SPB9983\Administrator

Event initiator

ValueNew

E:\NewName.txt

new value of changed attribute

ValueOld

E:\OldName.txt

old value of changed attribute

What

Local user logged on

Event class name

When

2016-11-12T06:00:00.0460000Z

When the operation was performed

Where

wst9983

Where the operation was performed

Where_From

wst9943.sales.mycompany.com

Same as Workstation

Who

Administrator

Display name or name of initiator

WhoId

S-1-5-21-1763487455-1171009733-2095814533-500

SID of initiator

Whom

WST9983\TestUser

Target object of operation

Whom_ObjectClass

Users

Target object's class

Workstation

wst9983.sales.mycompany.com

Workstationn from that operation was initiated

Active Roles Data Fields

The following are lists of fields that occur in Active Roles data, organized by type of returned object. All of these fields are available in the IT Security Search web UI as clickable elements. You can also type any of these fields in your search queries.

NOTE: The In UI column indicates if the field is available in the IT Security Search web UI as a clickable element. Whether or not you can click it in the UI, you can type any of these fields in your search queries. For events, all fields are displayed.

Events

Field Name

Example Value

Details

AR_ClientComputerName

ITSEARCHTEST3

Host with Active Roles client software

AR_ClientVersion_Build

2

Version build number of Active Roles client software

AR_ClientVersion_Major

7

Version major number of Active Roles client software

AR_ClientVersion_Minor

1

Version minor number of Active Roles client software

AR_ClientVersion_Revision

3406

Revision of Active Roles client software

AR_Server

arsit

Active Roles Server host

Attribute_*

New description1

New value of attribute

ChangedAttributes

description,streetAddress

List of attributes

Completed

2017-05-04T07:18:57.9741631Z

Timestamp of operation when that was completed

Control_OperationReason

Reason for modification

Reason of operation

Description

Modified attributes:
groupType: -2147483646
objectClass: group
sAMAccountName: ArsTestTemporalGroupSam_CB79
objectSid: AQUAAAAAAAUVAAAA+mvC8IvUdNjWHCAbGGkBAA==

Description of event

ID

1-107540

ID of operation

Initiated

2017-05-04T07:18:57.9116595Z

Timestamp of operation when that was initiated

Initiator_DN

CN=Zakhar Shkonda,
OU=zs,
OU=TestUsers,
DC=it,
DC=sales,
DC=mycompany

DN of initiator

Initiator_Guid

b58c2906-ad0b-4682-
bab3-0ae56503eeb5

GUID of initiator

Initiator_Host

ARSIT.it.sales.mycompany

Host of Initiator

Initiator_IsDSAdmin

True

True if initiator is DS administrator

Initiator_NTAccountName

IT\zs

NT Account name of initiator

Initiator_ObjectClass

user

Class of initiator

Initiator_Sid

S-1-5-21-4039273466-
3631535243-455089366-91270

SID of initiator

Initiator_Site

Default-First-Site-Name

Site of initiator

Log

Active Roles

Log name

Logon_Site

Default-First-Site-Name

Same as Initiator_Site

Operation_GUID

9b3c5524-065d-418a-9511-
3043ab1a5bd7

GUID of operation

Operation_Type

Delete

Type of operation

Operation_TypeID

1

Type ID of operation

Reason

Reason for modification

Same as Control_OperationReason

RelatedOU

it.sales.mycompany/AutotestOU/ARS/FIT2711055222_0E7C

Same as TargetObject_OUCanonical

Result

Completed

Same as Status

Status

Completed

Operation status

StatusID

1

Operation status ID

TargetObject_DN

CN=ArsCHUser1_0E7C,
OU=FIT2711055222_0E7C,
OU=ARS,
OU=AutotestOU,
DC=it,
DC=sales,
DC=mycompany

DN of target object

TargetObject_Guid

b6a8b5d0-e003-4421-
a7a4-e6fc11f3075a

GUID of target object

TargetObject_NTAccountName

IT\ArsCHUser1_0E7C

NT Account name of target object

TargetObject_ObjectClass

user

Class of target object

TargetObject_OUCanonical

it.mycompany.com/AutotestOU/ARS/FIT2711055222_0E7C

Canonical name of object's OU

TargetObject_Sid

S-1-5-21-4039273466-
3631535243-455089366-91270

SID of target object

TargetObject_SimpleName

ArsCHUser1_0E7C

Name of target object

What

Delete

Same as Operation_Type

When

2017-05-10T08:38:58.0000000Z

Same as Completed

Where

dc2.it.sales.mycompany

Host where this operation was performed

Who

IT\zs

Same as Initiator_NTAccountName

Who_DN

CN=Caroline Abbage,
OU=mgmt,
OU=TestUsers,
DC=it,
DC=sales,
DC=mycompany

Same as Initiator_DN

Who_Guid

b58c2906-ad0b-4682-
bab3-0ae56503eeb5

Same as Initiator_Guid

Who_IsDSAdmin

True

Initiator_IsDSAdmin

Who_ObjectClass

user

Same as Initiator_ObjectClass

Who_Sid

S-1-5-21-4039273466-
3631535243-455089366-1131

Same as Initiator_Sid

WhoId

S-1-5-21-4039273466-
3631535243-455089366-1131

Same as Initiator_Sid

Whom

ArsTestDynamicGroup_CB79

Same as TargetObject_SimpleName

Whom_DN

CN=ArsTestTemporalGroup_CB79,
​​OU=FIT1010370592_CB79,
OU=ARS,
OU=AutotestOU,
DC=it,
DC=sales,
DC=mycompany

Same as TargetObject_DN

Whom_Guid

eff86e4b-7800-44ce-
af3c-ecf198ccadd5

Same as TargetObject_Guid

Whom_NTAccountName

IT\ArsCHUser1_0E7C

Same as TargetObject_NTAccountName

Whom_ObjectClass

Groups

Same as TargetObject_ObjectClass

Whom_Sid

S-1-5-21-4039273466-
3631535243-455089366-92446

Same as TargetObject_Sid

WhomId

CN=ArsTestDynamicGroup_CB79,
CN=ArsTestContainer2_C829,
OU=FIT1012125742_C829,
OU=ARS,
OU=AutotestOU,
DC=it,
DC=sales,
DC=mycompany

Same as TargetObject_DN

WhomSimple

ArsTestDynamicGroup_CB79

Same as TargetObject_SimpleName

Workstation

ARSIT.it.sales.mycompany

Same as Initiator_Host

Computers

Field Name

In UI

Example Value

Details

AccountSid

Yes

S-1-5-21-4039273466-

3631535243-455089366-89812

Computer account SID

Description

Yes

Storage Server

Description of computer

DistinguishedName

No

CD=DC1,
CN=Domain Controllers,
DC=it,
DC=sales,
DC=mycompany

Computer account distinguished name; search by full value only

DNSHostName

Yes

DC1.it.sales.mycompany

DNS host name

Location

Yes

Houston

Location of computer

ManagedBy

No

CN=Caroline Abbage,
OU=Employees,
DC=it,
DC=sales,
DC=mycompany

Same as ManagedByFullName

ManagedByFullName

No

CN=Caroline Abbage,
OU=Employees,
DC=it,
DC=sales,
DC=mycompany

Distinguished name of manager of the computer account; search by full value only

Name

Yes

DC1

Same as NetBiosName

NetBiosName

Yes

DC1

NetBIOS name of computer

NumLogons

Yes

12656

Logon count

ObjectCategory

Yes

computer

Object class = computer

ObjectGUID

No

ddd94ab4-5de6-4696-

a93c-433cf9827c28

Object GUID of computer account

OSName

Yes

Windows Server 2008 R2 Enterprise

OS name

OSServicePack

Yes

Service Pack 1

OS service pack

OSVersion

Yes

6.1 (7601)

OS version

Where

Yes

DC1

Same as NetBiosName

Who

Yes

CN=Caroline Abbage,
OU=Employees,
DC=it,
DC=sales,
DC=mycompany

Same as ManagedByFullName

Groups

Field Name

In UI

Example Value

Details

CN

Yes

Users

Common name of group

Description

Yes

Houston internal group for notification

Description of group

DisplayName

Yes

Users

Display name of group

DistinguishedName

No

CN=MCDL.RD.Notification,

OU=RD,

OU=Groups,

DC=it,

DC=sales,

DC=mycompany

Distinguished name of group;. search by full value only

Email

Yes

MCDL.RD.Notification@it.sales.mycompany

Email address of group

GroupType

No

-2147483640

Integer value of bitmask that contains information about group type and scope; search by full value only (more details at https://msdn.microsoft.com/en-us/library/ms675935.aspx)

HomePage

Yes

http://homepage

Home page of group

Info

Yes

Some info

Additional information about group

ManagedBy

No

CN=Caroline Abbage,

OU=Employees,

DC=it,

DC=sales,

DC=mycompany

Same as ManagedByFullName

ManagedByFullName

Yes

CN=Caroline Abbage,

OU=Employees,

DC=it,

DC=sales,

DC=mycompany

Distinguished name of manager of the group; search by full value only

Name

Yes

Users

Name of group

ObjectCategory

Yes

group

Object class = group

ObjectGUID

No

 80b090a2-968f-42e6-

bc76-6e2505f43759

GUID of group object

SAMAccountName

Yes

Users

SAMAccount name of group

Url

Yes

http://groupname

URL of group

Who

Yes

CN=Caroline Abbage,

OU=Employees,

DC=it,

DC=sales,

DC=mycompany

Same as ManagedByFullName

OUs

Field Name

In UI

Example Value

Details

Description

Yes

Default container for Defender objects

Description of OU

DistinguishedName

No

OU=BestEmployees,

DC=it,

DC=sales,

DC=mycompany

Distinguished name of group; search by full value only

ManagedBy

No

CN=Clive Herry,

OU=mgmt,

OU=TestUsers,

DC=it,

DC=sales,

DC=mycompany

Same as ManagedByFullName

ManagedByFullName

Yes

CN=Clive Herry,

OU=mgmt,

OU=TestUsers,

DC=it,

DC=sales,

DC=mycompany

Distinguished name of manager of the OU; search by full value only

Name

Yes

Users

Name of OU

ObjectCategory

Yes

organizationalUnit

Object class = organizationalUnit or container

ObjectGUID

No

675205fb-4d29-44b6-

9284-69e867689f38

GUID of OU

USNChanged

No

9296605

USN-Changed attribute of OU; search by full value only

Users

Field Name

In UI

Example Value

Details

AccountSid

No

S-1-5-21-4039273466-
3631535243-455089366-26350

User SID; search by full value only

Company

Yes

MyCompany

Company name

Country

Yes

United States

Country name

Department

Yes

Sales

Department name

DisplayName

No

Caroline Abbage

User display name

DistinguishedName

No

CN=Caroline Abbage,

OU=Employees,

DC=it,

DC=sales,

DC=mycompany

User distinguished name; search by full value only

EmailAddress

Yes

Caroline.Abbage@sales.mycompany.com

Email address

HomePhoneNumber

Yes

+1 410 531 0638

Home telephone number

Logon Name

Yes

 

Same as LogonName

LogonName

No

SVC-Scanner@main.mycompany.corp

Logon name for the domain user

ManagedBy

No

CN=Caroline Abbage,

OU=Employees,

DC=it,

DC=sales,

DC=mycompany

Same as ManagedByFullName

ManagedByFullName

No

CN=Caroline Abbage,

OU=Employees,

DC=it,

DC=sales,

DC=mycompany

Distinguished name of manager of user; search by full value only

Mobile

Yes

+ 911 9 769 8889

Mobile phone number

Name

Yes

Caroline Abbage

User name

ObjectCategory

Yes

user

Object class = user

ObjectGUID

No

861205fb-4d29-44b6-
9284-69e867689f38

User object GUID; search by full value only

Office

Yes

Ludlow st. 80, suite 200

Physical delivery office name

SAMAccountName

Yes

jcdenton

SAMAccountName of user

StreetAddress

Yes

Ludlow st. 80

Street address

TelephoneNumber

Yes

+ 123 4 567 8900

Telephone number

Title

Yes

Mgr, Sales

User job title

USNChanged

No

9296605

USN-Changed attribute of user; search by full value only

Who

No

Administrator

Search in the following attributes: SAMAccountName, DisplayName, AccountSid, DistinguishedName

Recovery Manager for Active Directory Data Fields

The following are lists of fields that occur in Recovery Manager for Active Directory data, organized by type of returned object.

NOTE: The In UI column indicates if the field is available in the IT Security Search web UI as a clickable element. Whether or not you can click it in the UI, you can type any of these fields in your search queries.

Computers

Field Name

In UI

Example Value

Details

AccountSid

Yes

S-1-5-21-4039273466-

3631535243-455089366-89812

Computer account SID

Description

Yes

Storage Server

Description of computer

DistinguishedName

No

CD=DC1,
CN=Domain Controllers,
DC=it,
DC=sales,
DC=mycompany

Computer account distinguished name; search by full value only

DNSHostName

Yes

DC1.it.sales.mycompany

DNS host name

Location

Yes

Houston

Location of computer

ManagedBy

No

CN=Caroline Abbage,
OU=Employees,
DC=it,
DC=sales,
DC=mycompany

Same as ManagedByFullName

ManagedByFullName

No

CN=Caroline Abbage,
OU=Employees,
DC=it,
DC=sales,
DC=mycompany

Distinguished name of manager of the computer account; search by full value only

Name

Yes

DC1

Same as NetBiosName

NetBiosName

Yes

DC1

NetBIOS name of computer

NumLogons

Yes

12656

Logon count

ObjectCategory

Yes

computer

Object class = computer

ObjectGUID

No

ddd94ab4-5de6-4696-

a93c-433cf9827c28

Object GUID of computer account

OSName

Yes

Windows Server 2008 R2 Enterprise

OS name

OSServicePack

Yes

Service Pack 1

OS service pack

OSVersion

Yes

6.1 (7601)

OS version

Where

Yes

DC1

Same as NetBiosName

Who

Yes

CN=Caroline Abbage,
OU=Employees,
DC=it,
DC=sales,
DC=mycompany

Same as ManagedByFullName

Groups

Field Name

In UI

Example Value

Details

CN

Yes

Users

Common name of group

Description

Yes

Houston internal group for notification

Description of group

DisplayName

Yes

Users

Display name of group

DistinguishedName

No

CN=MCDL.RD.Notification,

OU=RD,

OU=Groups,

DC=it,

DC=sales,

DC=mycompany

Distinguished name of group;. search by full value only

Email

Yes

MCDL.RD.Notification@it.sales.mycompany

Email address of group

GroupType

No

-2147483640

Integer value of bitmask that contains information about group type and scope; search by full value only (more details at https://msdn.microsoft.com/en-us/library/ms675935.aspx)

HomePage

Yes

http://homepage

Home page of group

Info

Yes

Some info

Additional information about group

ManagedBy

No

CN=Caroline Abbage,

OU=Employees,

DC=it,

DC=sales,

DC=mycompany

Same as ManagedByFullName

ManagedByFullName

Yes

CN=Caroline Abbage,

OU=Employees,

DC=it,

DC=sales,

DC=mycompany

Distinguished name of manager of the group; search by full value only

Name

Yes

Users

Name of group

ObjectCategory

Yes

group

Object class = group

ObjectGUID

No

 80b090a2-968f-42e6-

bc76-6e2505f43759

GUID of group object

SAMAccountName

Yes

Users

SAMAccount name of group

Url

Yes

http://groupname

URL of group

Who

Yes

CN=Caroline Abbage,

OU=Employees,

DC=it,

DC=sales,

DC=mycompany

Same as ManagedByFullName

OUs

Field Name

In UI

Example Value

Details

Description

Yes

Default container for Defender objects

Description of OU

DistinguishedName

No

OU=BestEmployees,

DC=it,

DC=sales,

DC=mycompany

Distinguished name of group; search by full value only

ManagedBy

No

CN=Clive Herry,

OU=mgmt,

OU=TestUsers,

DC=it,

DC=sales,

DC=mycompany

Same as ManagedByFullName

ManagedByFullName

Yes

CN=Clive Herry,

OU=mgmt,

OU=TestUsers,

DC=it,

DC=sales,

DC=mycompany

Distinguished name of manager of the OU; search by full value only

Name

Yes

Users

Name of OU

ObjectCategory

Yes

organizationalUnit

Object class = organizationalUnit or container

ObjectGUID

No

675205fb-4d29-44b6-

9284-69e867689f38

GUID of OU

USNChanged

No

9296605

USN-Changed attribute of OU; search by full value only

Users

Field Name

In UI

Example Value

Details

AccountSid

No

S-1-5-21-4039273466-
3631535243-455089366-26350

User SID; search by full value only

Company

Yes

MyCompany

Company name

Country

Yes

United States

Country name

Department

Yes

Sales

Department name

DisplayName

No

Caroline Abbage

User display name

DistinguishedName

No

CN=Caroline Abbage,

OU=Employees,

DC=it,

DC=sales,

DC=mycompany

User distinguished name; search by full value only

EmailAddress

Yes

Caroline.Abbage@sales.mycompany.com

Email address

HomePhoneNumber

Yes

+1 410 531 0638

Home telephone number

Logon Name

No

 

Same as LogonName

LogonName

No

SVC-Scanner@main.mycompany.corp

Logon name for the domain user

ManagedBy

No

CN=Caroline Abbage,

OU=Employees,

DC=it,

DC=sales,

DC=mycompany

Same as ManagedByFullName

ManagedByFullName

No

CN=Caroline Abbage,

OU=Employees,

DC=it,

DC=sales,

DC=mycompany

Distinguished name of manager of user; search by full value only

Mobile

Yes

+ 911 9 769 8889

Mobile phone number

Name

Yes

Caroline Abbage

User name

ObjectCategory

Yes

user

Object class = user

ObjectGUID

No

861205fb-4d29-44b6-
9284-69e867689f38

User object GUID; search by full value only

Office

Yes

Ludlow st. 80, suite 200

Physical delivery office name

SAMAccountName

Yes

jcdenton

SAMAccountName of user

StreetAddress

Yes

Ludlow st. 80

Street address

TelephoneNumber

Yes

+ 123 4 567 8900

Telephone number

Title

Yes

Mgr, Sales

User job title

USNChanged

No

9296605

USN-Changed attribute of user; search by full value only

Who

No

Administrator

Search in the following attributes: SAMAccountName, DisplayName, AccountSid, DistinguishedName

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级