This is a short video to demonstrate the powerful forensic capabilities of IT Security Search. My name is Shawny Reiner, and I'm a Strategic Systems Consultant for Quest Software.
IT Security Search is a web-based interface. It's a free offering with any of our solutions that it works with. The Quest solutions are Active Roles, Change Auditor, Enterprise Reporter, Entrust, and Recovery Manager for Active Directory. We've recently added a Splunk connector as well, although Splunk is not a Quest offering.
ITSS uses the data from these products to provide quick, consolidated, and correlated forensic searching of changes, issues, and general information in your environment. And as you can see, it looks very much like an internet search engine. And it pretty much works like that except searching across the data sources I just mentioned.
ITSS makes normally difficult investigations with native tools and logs much easier. And an example of one of those is finding changes when somebody has made those changes through the membership of a nested group. In this scenario, there is a folder named HR_Sensitive inside the HR Share.
Several changes have been made to some files in that folder, and a ticket has been logged. And our goal is to find out who did it, how they gained access, what and all the changes that they made, and when they made those changes. Typically when a trouble ticket has been placed, there'll be some information in it you could use to begin a search such as the name of the file impacted.
So to begin, I'm going to type just the partial name of one of the files and apply a date filter. As it begins to search, it provides information about events and any other related information to this work. I can further sort these events by the categories here in the Navigation pane. And in filtering that, it gives me a lot less to look at.
So as it continues to populate, I can immediately see that it is Zane Shine who made the changes. I can see the name of the file here that's on that and begin to understand the time frame that he made the changes in. So now we know the who, but we have to understand the how.
To begin that, I'm going to use some of the information organized in the tabs up here, specifically under Files. And this information's provided by Enterprise Reporter. Typically it displays the information with the most pertinent information at the top. But if it doesn't, you have other filters you can do to reduce this list if it's a really large list.
But I can see here this is the file I'm interested in. It's the folder. It's the file name. So I select it and view its details because I'm interested in who has access.
So again, this is a fairly short list in this lab. And it's very easy to see immediately that HR Managers is the group that's providing primary access. So I'm going to do a simple search of HR Managers in the Search bar. If you had multiple groups to look at, it would still be fairly quick to search each of the groups to find the one that is in question.
I'm going to keep the same time frame and start the search. When it populates the Group tab, then I can take a look at HR Managers' details. I select it, I view its details, and it provides me a lot of information about this group.
The thing I'm most interested in at the moment is if Zane is a direct member, which, as I can see, he is not. So I need to look at nested groups. So I only have a single nested group. I can simply click into that group and take a look at its detail.
So again, I'm interested in if Zane is a member. Well, I can see that he is, so now I know the how. Zane is a member of a nested group called HR Leads, which is nested in HR Managers. And HR Managers is providing access.
But what if you had a really long list of nested groups inside HR Managers? It would be time consuming to click into each one of those. There is another powerful feature of ITSS that can help, and it's called complex searching.
And there are even some built-in complex searches. And there's documentation that clearly outlines the syntax, those searches, and how to use them. And this is just a snippet of that documentation.
But to use it, you simply enter the complex search that you want to save, and then you add it to the saved searches. It asks you for some information. And once it's saved, it's there for you to use over and over again.
The particular complex search that's relevant to this scenario is one called "Member of Deep." And its intent is to bring back direct and indirect memberships for a stated user. And I have previously created and saved one.
So I click on the little Storage icon, bring up my search. It's going to prompt me for the information it needs to complete the search. In this case, it's the user name. And I've added a parameter to filter out a pretty noisy group that's applied everywhere throughout the environment and isn't relevant to this particular search.
So as we wait for that to pop, what we're interested in looking for are Zane's groups, both indirect and direct. And we can see here's the HR Managers that he's an indirect manager-- member of. And here's HR Leads, which he's direct. And now it would be a fairly simple task of comparing this list of Zane's group memberships to the list of nested groups in HR Manager to find out the how.
Now that we know the how, we need to simply find the what and the when. And that's a very easy search of Zane, again, just his user name and the frame. As that begins the search, it starts to populate events again. Once again, we can use the organizational items in the Navigation pane for events of the who, the what, the where to filter those. Again, a very pertinent filter for this is the file server name.
Once that's filtered, I can then look at What section here to take a look at all of the things he's done, all the actions he's taken. We can see folder opens, file deletes, writes, opened, renamed. So we know everything that he's done.
We can export this entire list to give a report to the person who asked for it. We can see the dates here, the description of every file, whether he deleted it or opened it. You can do further filtering if you like on the file delete or any other action to take a look. But it's a very quick way of finding the information without even having to leave the ITSS console.
So thank you for watching this video today. Please watch the other available videos to see what more you can do and the powerful forensic investigations you can perform with ITSS.