What are the new features and what has been resolved in InTrust 11.4.2?
Resolution
New Features:
Alerts on more suspicious logons - The new "Multiple logons by the same user from different workstations" rule helps you capture situations where a set of credentials is shared by a group of people or has been stolen by an attacker and is being tried on multiple computers at once. These incidents are tricky because they slip through the cracks if you are only focusing on individual workstations. The rule is based on making the InTrust server analyze incoming audit data from multiple monitored computers. To minimize false positives, the rule comes with a flexible set of parameters that let you fine-tune the analysis, including the logon types you want to watch for. The rule is located in the Advanced Threat Protection | Windows/AD Suspicious Activity | Gaining User Access | Suspicious logons rule folder.
Support for Exchange Server 2019 Auditing - The Exchange auditing capabilities of InTrust have been extended to Exchange Server 2019
Solaris Knowledge Pack distribution resumes - The Knowledge Pack for Solaris has been rebuilt for this version of InTrust, and you don't need to get it from a previous version anymore
HP-UX auditing and real-time monitoring support is discontinued - This InTrust release does not include HP-UX related components or configuration items. It is not expected that future versions will provide them
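To make the cross-host correlation behind the "Multiple logons by the same user from different workstations" rule concrete, here is an added Python example (not InTrust code and not the product's own rule implementation) that runs the same idea over constructed sample logon lines: it groups successful logons by account, keeps only the watched logon types, and flags an account seen on a configurable number of distinct workstations inside a sliding time window. The one-line log layout, the field names, the 10-minute window, the threshold of three workstations and the default logon types 2 and 10 are all assumptions chosen for illustration, not parameters of the InTrust rule.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified one-line-per-logon layout
# modelled on Windows Security event 4624 fields. These are not InTrust
# events and not InTrust's event forwarding format.
SAMPLE_LOG = """\
2024-05-01T09:00:05 EventID=4624 User=alice Workstation=WS01 LogonType=2
2024-05-01T09:01:10 EventID=4624 User=Alice Workstation=ws02 LogonType=10
2024-05-01T09:02:40 EventID=4624 User=alice Workstation=WS03 LogonType=2
2024-05-01T09:03:00 EventID=4624 User=bob Workstation=WS01 LogonType=2
2024-05-01T09:04:00 EventID=4624 User=bob Workstation=WS01 LogonType=2
2024-05-01T09:05:30 EventID=4624 User=svc_backup Workstation=SRV01 LogonType=3
2024-05-01T09:05:31 EventID=4624 User=svc_backup Workstation=SRV02 LogonType=3
2024-05-01T09:05:32 EventID=4624 User=svc_backup Workstation=SRV03 LogonType=3
2024-05-01T10:30:00 EventID=4624 User=carol Workstation=WS07 LogonType=2
2024-05-01T11:30:00 EventID=4624 User=carol Workstation=WS08 LogonType=2
2024-05-01T12:30:00 EventID=4624 User=carol Workstation=WS09 LogonType=2
2024-05-01T12:31:00 EventID=4625 User=carol Workstation=WS10 LogonType=2
"""

# Assumed line layout for the constructed sample above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) User=(?P<user>\S+) "
    r"Workstation=(?P<ws>\S+) LogonType=(?P<lt>\d+)$"
)


def parse_logons(text):
    """Parse successful logon lines (event 4624) into dicts.

    Account and workstation names are case-normalized so that the same
    host reported with different letter case is not counted twice."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["id"] != "4624":  # skip failed logons and junk
            continue
        events.append({
            "time": datetime.fromisoformat(m["ts"]),
            "user": m["user"].lower(),
            "workstation": m["ws"].upper(),
            "logon_type": int(m["lt"]),
        })
    return events


def find_multi_workstation_logons(events, window_minutes=10,
                                  min_workstations=3, logon_types=(2, 10)):
    """Flag each account that logged on from at least `min_workstations`
    distinct workstations within any `window_minutes` span, counting only
    the watched logon types. Returns {user: sorted workstations} for the
    first window in which the threshold is crossed."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] in logon_types:
            by_user[ev["user"]].append(ev)

    findings = {}
    for user, evs in by_user.items():
        start = 0
        for end, ev in enumerate(evs):
            # Slide the window start forward until every event in
            # evs[start:end + 1] lies within `window` of the newest one.
            while ev["time"] - evs[start]["time"] > window:
                start += 1
            hosts = {e["workstation"] for e in evs[start:end + 1]}
            if len(hosts) >= min_workstations:
                findings[user] = sorted(hosts)
                break  # one finding per account is enough for an alert
    return findings


if __name__ == "__main__":
    for user, hosts in find_multi_workstation_logons(parse_logons(SAMPLE_LOG)).items():
        print(f"{user}: logons from {len(hosts)} workstations {hosts}")
```

With the defaults only alice is flagged: she appears on three workstations within three minutes, while bob stays on one host, carol's three logons are an hour apart, and svc_backup uses network logons (type 3) that the default filter ignores. Widening the window to 180 minutes adds carol; watching logon type 3 instead flags svc_backup, which shows why a service account doing legitimate network logons to many servers is the kind of false positive the rule's logon-type parameter exists to filter out. The case normalization in the parser matters for the same reason the computer-name letter-case issue among the resolved items does: if the same workstation can arrive as "WS02" and "ws02", a naive set of names overcounts distinct hosts.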
Enhancements:
Safer use of Repository Viewer searches for event forwarding purposes: If a search is used as an event filter for forwarding from any repository, this is now clearly indicated in Repository Viewer so that you don't accidentally break the forwarding configuration. If you try to edit such a search, you get a warning message, and deleting a filtering search (or a search folder that contains it) is disallowed - IN-1320
Improved InTrust deployment health tracking with new rules: The following real-time monitoring rules have been added to help you ensure smooth InTrust operation:
InTrust Internal Events | Agent Management | Agent is not responding
InTrust Internal Events | Agent Management | Agent is lost
All of these rules are based on events from the InTrust Server log - IN-12840
Resolved Issues:
Event ID 104 in the InTrust Server log can contain an incorrect time range for deleted repository files. Such events are invalid and occur when cleanup of repository files in accordance with the retention policy deletes data that hasn't been forwarded yet - IN-4478
During InTrust setup and upgrade, some unneeded triggers are left behind in the InTrust configuration database, which adversely affects InTrust Server performance - IN-12727
Real-time event collection and task-based gathering use different ways to get the name of the computer, so the letter case in the computer name may vary. If events with different letter cases in the same computer name go into the same repository, then import of that computer's most recent event data into an audit database doesn't work. This situation persists until the next repository merge operation, which happens every 24 hours by default - IN-13385
If InTrust runs out of memory or disk space, its component database may become corrupted. This is a very serious situation that makes the affected InTrust server or agent unrecoverable and halts all activity associated with that server or agent - IN-13592
When events are forwarded in JSON format, the "record key" field is missing from them - IN-14312