The Syslog message format defined by RFC 5424 is widely supported by SIEM providers. Now that InTrust can forward events in this format, you can easily integrate your InTrust-collected data with a variety of SIEM solutions, without the need for custom scripts implementing proprietary formats.
Event forwarding over TCP can now be secured with TLS in environments where this type of security is used. TLS-Secured TCP is a new transport option in the forwarding settings for InTrust repositories.
Unlike previous releases where you used one event forwarding filter per repository, you can now specify multiple filters. InTrust will forward events that match any of the filters you select. Each filter you add broadens the scope instead of narrowing it.
InTrust provides a set of event forwarding filters that incorporate security analysis best practices. These filters incorporate recommendations from such sources as NSA and MITRE and categorized so that you can easily combine them as necessary.
The filters are customarily implemented as searches and are available in the Threat Hunting | Windows | Native OS Logs Telemetry search folder.
InTrust components can be installed on computers running Windows Server 2019. InTrust configuration, audit and alert databases can be hosted on Microsoft SQL Server 2017.
The InTrust SDK now provides bindings for working with sites and event forwarding configuration.
The new "Potential password spraying (multiple failed logons for valid accounts)" rule captures situations where an attacker tries multiple user names in a row with the same password, circumventing the built-in account-locking mechanism.
The rule complements the existing multiple logon failure rules and is located in the Advanced Threat Protection | Windows/AD Suspicious Activity | Gaining User Access | Brute-force attacks rule folder.
This release does not contain any changes to the Knowledge Packs for Solaris and IBM AIX, therefore these components were not rebuilt for InTrust 11.4.1. If you need InTrust configuration objects related to these platforms and InTrust agents for them, use previous versions of these components. Do one of the following:
The new "Suspicious PowerShell activity" and "Suspicious PowerShell Core activity" rules help minimize the impact of attacks based on PowerShell scripts. InTrust lets you thwart PowerShell-wielding attackers by setting up alerts and emergency response actions for whenever someone uses suspicious PowerShell commands. These rules watch for telltale traces of potentially dangerous PowerShell activity, so they rely on PowerShell logging. For details about this real-time monitoring scenario, see Setting Up Monitoring for Suspicious PowerShell Activity.
The event forwarding engine has been redesigned from the ground up to enable support for TCP and make forwarding more robust and extensible. TCP is now available along with UDP as the transport for audit data transmission. It ensures guaranteed delivery of forwarded events.
This release lays the groundwork for InTrust self-auditing. With this initial implementation, you can keep track of the connections that your InTrust servers and agents make and accept. In addition to its own value, this data helps achieve compliance with regulations regarding auditing systems. For details, see Self-Auditing in InTrust.
© ALL RIGHTS RESERVED. Feedback 利用規約 プライバシー Cookie Preference Center
