Introduction
NetIQ Users report
Content of NetIQ Users report
Creation of report in the selected period of time
Export and download of the results
Reports schedule
Group Membership report
Working with the reports filters
Real use case example
Further investigation
Investigation results
Hello. In this video we’re going to show you how to use ACDI reports to audit and monitor data and events in your directory.
Let's start from beginning. By default, ACDI contains a list of predefined default reports that are used to create tables with statistical data or to audit upcoming events.
Reports may be searched either by text or by name.
Let's start with the simplest report: NetIQ Users Report.
This report is based on the snapshot data stored in a system.
Every day or by using Cron, the Snapshot Service takes a snapshot of your eDirectory or Active Directory and stores the state of objects in Opensearch so that you can parse through it using ACDI.
The NetIQ Users Report contains only one entity, which is based on those snapshots—report default.
On the Report graph you can see this entity, its filters, and result attributes will get in the final report.
As for filters, Result Table Attributes, and Postprocessing, we’ll be coming back to these options of report editing in upcoming videos. Now, let's go back to the report.
This report will allow you to create reports and to see the current states of your user objects in the selected period of time.
Let’s assume you want to set it for a snapshot from the previous week. You can use here either absolute or relative date pickers.
Let’s choose “7 days ago.” And you also want to see values for the user with surname “Strand.”
Ok. The user is found, and you can use other filters here and narrow down the search results. Let's click “Run.”
Here you can see that during the selected period this user has the following attributes and “False” locked.
You can export report results into CSV, XLSX, or PDF format, which is extremely convenient.
The next step is to download the file so that you can later process the data using external applications.
Additionally, reports can be scheduled to be created when you need them. Here are the filters you selected at the previous step, namely, “Last Name” and “Date Time Range.
Now you need to define the scheduler to enable the scheduled report creation and select if you want the report to be sent via email or be saved on a local machine.
The default “Cron expression” you see here means that on the first day of each month at four minutes past midnight, report will be created in the CSV format.
You can select the format here and also define emails to which this report will be sent. Save the settings, and the Expert Service will create this report and send it to you on a monthly basis.
Let's look at a more complex report like the Group Membership report.
This report contains two entities: group and Person, which are linked using member and DN: DN for a user member for a group.
With the help of the Report Graph, you can easily visualize connections.
With the help of the Report Graph, you can easily visualize connections. There are also mandatory attribute for groups. This means that additionally for the default filter “Object class: group of names,” objects that don’t have a value from the attribute “Member” will be filtered out.
Let's look how it works.
Let’s filter the reports with the help of the keyword “group
Here it is—the NetIQ Group Membership report.
In this list and in this search, you will get only groups that have at least one member.
The filter can be customized though.
You can define the search options and select, for instance, the search by regular expressions. Here are also other options like “case sensitive,” “show duplicates,” or you can disable the filtering using mandatory attributes.
Now it's disabled and you can see more groups. This is because most of them have no members. Let’s look how the link between two entities works.
There are some filters for the group entity
and some filters for the person entity. Let’s assume you want to check group admins.
Here you see that there are groups with the CN “Admins” in two different containers. You need the one that is located in the ACD 4.
After the filters are selected and applied, you can see that the application impacted the person entities. There is also only one group matching filters we selected and 21 persons, which means that this group has 21 members. Let's run this report.
Here you can see the information about this group and all its members. Additionally, secondary entities can be enriched by some additional attributes. Not only DN, as it's by default set in member attribute of groups, but some additional information about members.
It's defined in the “Result Table Attributes” submenu.
If a group contains too many members, you can make the data more readable if there is a row per member of the group.
The report can be displayed in a flat format, which you can enable here with the help of a switcher.
Let’s enable the flat format and click “Run.” So now you have the data in the table in flat format.
Two previous reports were based on the data from snapshots. However, ACDI also contains reports based on audit events. Let's check a few of them and go through a real use case.
Let's use NetIQ Audit Users report.
You can see that time picker is set to go through events during the last seven days. Let’s imagine that yesterday one of your employees, Astrid Strand, lost access to her account.
It’s possible to filter by surname, first name to narrow down the search. And here you see that during the last week there were two changes for this user. Let's investigate.
Here we can see that on the exact date someone changed the attribute “Login disabled” to “True” and then later the admin was enabled. And the report shows that the modifier of the incorrect event was a user with the CN “Valerius.”
You want to investigate further, don’t you? You want to know why and how Valerius got access and authorization to make changes for your users.
Let’s go back to the filters and clean up last name filter. Ok, now let’s check all changes for Valerius.
So, here you see that previously on that day this user became a member of group “Admins.” This user was enabled and logged into the system. And the reason why this user got admin permissions was due to changes made in the group membership. They were made by a service account that is used by Active Directory to eDirectory driver in the standard Active Directory driver.
Let’s dive deeper and check all other changes for the “Admins” group because it seems to be a breach in security.
For this you can use the NetIQ Audit Groups where you enter “Admins” in the “Object Name” filter.
Here you want to get the information about all the changes in admins during the last seven days. Let's run the report.
Now you see that, fortunately, this was the only change during the week.
This was a short overview and guide of how ACDI reports can help you investigate real cases in your environments. Thank you for your attention and take care.
Should you have any questions or require any assistance, please do not hesitate to contact us at any time swsupport.skypro@skypro.ch