11.2 Integrating with Identity Management Solutions

Change Guardian provides an integration framework for AD or IDM that tracks the identity behind each user account and the events those identities have performed.

This integration provides functionality on several levels:

  • The People Browser provides the ability to look up the following information about a user:

    • Contact information

    • Accounts associated with that user

    • Most recent authentication events

    • Most recent access events

    • Most recent permissions changes

  • Reports and Correlation rules provide an integrated view of a user's true identity, even across multiple systems on which the user has separate accounts. For example, accounts like COMPANY\testuser, cn=testuser,ou=engineering,o=company, and TUser@company.com can be mapped to the actual person who owns the accounts.

Displaying information about the people who initiate a given action, or who are affected by it, improves incident response times and enables behavior-based analysis.
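The account-to-person mapping described above can be illustrated with a short Python example. This is an added example, not Change Guardian code: the person ID, the sample events, the `svc-backup` account, and the case-insensitive matching rule are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed identity store: person "p-001" owns the three accounts named above.
ACCOUNTS = {
    "p-001": [r"COMPANY\testuser",
              "cn=testuser,ou=engineering,o=company",
              "TUser@company.com"],
}

DN_START = re.compile(r"^[A-Za-z][A-Za-z0-9-]*\s*=")

def normalize(account):
    """Return (kind, key) for a DN, a down-level domain name, or a UPN."""
    # Assumption: all three forms are compared case-insensitively.
    account = account.strip()
    if DN_START.match(account):
        # Split on commas that are not backslash-escaped, then tidy each RDN.
        rdns = re.split(r"(?<!\\),", account)
        pairs = (rdn.partition("=") for rdn in rdns)
        return ("dn", ",".join(f"{a.strip()}={v.strip()}" for a, _, v in pairs).lower())
    if "\\" in account:
        return ("downlevel", account.lower())
    if "@" in account:
        return ("upn", account.lower())
    return ("unknown", account.lower())

INDEX = {normalize(acct): pid for pid, accts in ACCOUNTS.items() for acct in accts}

def resolve(account):
    """Person id owning this account, or None if it is not mapped."""
    return INDEX.get(normalize(account))

def events_by_person(events):
    """Group event actions by resolved initiator; unmapped accounts go under None."""
    grouped = defaultdict(list)
    for ev in events:
        grouped[resolve(ev["initiator"])].append(ev["action"])
    return dict(grouped)

# Constructed events from three systems, with the casing and spacing each one emits.
SAMPLE_EVENTS = [
    {"initiator": r"company\TestUser", "action": "logon"},
    {"initiator": "CN=testuser, OU=Engineering, O=Company", "action": "group change"},
    {"initiator": "tuser@company.com", "action": "mailbox access"},
    {"initiator": r"COMPANY\svc-backup", "action": "file delete"},
]

print(events_by_person(SAMPLE_EVENTS))
```

Events grouped under `None` come from accounts with no mapped identity, which are worth reviewing separately.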

NOTE: Only administrators can integrate Change Guardian with identity management systems.

11.2.1 Integrating with Active Directory

During auditing activities, Change Guardian provides only the initiator’s user name and the ObjectSID of an event. However, more information is essential to detect and assess risks.

The benefits of Change Guardian integration with AD are as follows:

  • Permits the Change Guardian server to retrieve user information from AD and map it to associated incoming events.

  • Helps map user profiles with attributes in the web console.

These benefits allow you to enrich the available information and so better detect and assess risks. Additional features include:

  • Receive delta values from AD.

  • Support for adding additional attributes.

  • Support for mapping custom attributes.

  • Synchronize users from multiple user containers concurrently.

  • Synchronize deleted users.

Synchronizing Active Directory User Accounts

Synchronizing Active Directory user accounts allows you to retrieve information about the user associated with a particular event, such as the user name, the user’s email address, and the user’s contact details. The user information comes from the Active Directory server in your environment. You can also view all the user’s recent activities.

Using the Administration Console, you add one or more user containers and the user attributes that you want to synchronize.

To view and manage synchronized Active Directory accounts:

  1. In the Administration Console, click Integration.

  2. Click AD Accounts.

Adding a User Container

Active Directory stores user accounts in containers. You can add one or more containers to Change Guardian to synchronize the user accounts.

To add a user container to Change Guardian:

  1. In the Administration Console, click Integration > AD Accounts > Add User Container.

  2. Provide the appropriate information for the user container you want to synchronize.

Mapping User Profile Fields

To synchronize Active Directory user accounts to Change Guardian, Change Guardian needs to map the user account field names in Active Directory to an attribute in your directory service. By default, Change Guardian maps the most commonly used field names, but you can add or remove mappings as necessary.

To modify user profile mapping, in the Administration Console, click Integration > AD Accounts > User Profile Mapping.

11.2.2 Integration with Identity Manager

If you have Identity Manager installed, you can use Change Guardian with Identity Manager to view user identity details of events. You must have the View People Browser permission to view identity details.

To view user identity details:

  1. Perform a search, and refine the search results as needed.

  2. In the search results, select the events for which you want to view the identity details.

  3. Click Event operations > Show identity details.

  4. Select whether you want to view the identity of the Initiator user, the Target user, or both.

For more information about integrating identity information with Change Guardian events, see Integrating Identity Information in the Sentinel Administration Guide.

11.2.3 Searching and Viewing Identity Information

To search and view identity information, see Searching and Viewing User Identities in the Change Guardian User Guide.