You can select one or more filters for forwarding your repository contents. InTrust will forward events that match any of the filters you select. Remember that each filter you add broadens the scope instead of narrowing it.
To manage the set of filters, click the button next to the list of current filters. In the filter browser that opens, select the check boxes next to the filters you need. Avoid selecting more than just a few filters, because that can adversely affect performance. A better approach is to create a dedicated Repository Viewer search with the right options.
Also note the following details:
Generally, you don't want to forward all the data that you collect. If you are targeting a SIEM system, you are likely to concentrate on specific activities to reduce costs and the level of noise, and to make threat hunting and security analysis as efficient as possible.
For these exact purposes, InTrust provides a set of Repository Viewer searches designed to work as event forwarding filters (in fact, they are better used as filters than as searches). They are available in the Threat Hunting | Windows | Native OS Logs Telemetry search folder. These filters accommodate knowledge from important sources such as the following:
You can combine these filters as you see fit or select all of them to fully cover your infrastructure security while still retaining focus.
NOTE: Some of these filters rely on logs that may not be readily available on your systems, such as WMI or Task Scheduler logs. If you use any such filters, make sure the necessary audit data is collected. For details about selecting what to collect, see Collecting Events in Real Time.
Suppose SecureWorks is already in place in your environment and is used for tracking the operation of Syslog-enabled systems. For Windows network auditing, you use InTrust and Change Auditor. You would like to extend the scope of your SecureWorks coverage to include suspicious user activity in the Windows network.
To capture suspicious administrative activity, you would need to look at the following:
Confirm that these data sources are used by the collections that work with your repository.
You need to enable forwarding for the repository that you have chosen for this purpose. Go to the properties of the repository and, on the Forwarding tab, select Enable forwarding and specify where the messages should go.
After you have completed the collection setup, confirm that the forwarding is really working. Wait a few minutes for the new settings to take effect. After that, log on to some of the computers that InTrust is watching, and try to make Active Directory changes. Then check on the SecureWorks appliance whether it has registered your activity.
Suppose Splunk is deployed in your environment for analyzing Windows security events. You would like to use InTrust as the forwarding mechanism. The data you need goes to a repository that is set aside specifically for forwarding purposes. The repository has only Windows Security log data.
IMPORTANT: When Splunk parses messages that contain escape sequences, it may truncate the values of discovered fields. The truncation occurs at these escape sequences. As a result, the field values that Splunk displays can differ from the original data. This doesn't affect searching.
You need to perform some preparatory procedures in Splunk. An example of the configuration is described below, but it may differ for your Splunk deployment.
To make sure that event fields are recognized correctly, make a specialized source type for incoming InTrust data. If you want to use the Splunk UI for this, configure the options as follows (the last three options are set up in the Advanced group):
| Option | Value |
|---|---|
| Category | Structured |
| Indexed extractions | json |
| NO_BINARY_CHECK | true |
| SHOULD_LINEMERGE | false |
| pulldown_type | 1 |
If you want to skip configuration through the Splunk UI, include the following snippet in the <Splunk_installation_folder>\etc\apps\search\local\props.conf file:
```ini
[InTrust]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
pulldown_type = 1
```
In Splunk, add a new TCP or UDP network input and apply your new source type to it. Configure the network input as necessary, but make sure you set up the following:
Make a note of the port number where Splunk will listen for forwarded traffic. You are going to need it for InTrust forwarding configuration.
If you want to skip configuration through the Splunk UI, include a snippet like the following in the <Splunk_installation_folder>\etc\apps\search\local\inputs.conf file:
```ini
[tcp://514]
connection_host = ip
index = main
sourcetype = InTrust
```
If you are forwarding events over UDP, the first line in the snippet above should be [udp://514].
For details about the various ways that you can add network inputs in Splunk, see the "Get data from TCP and UDP ports" article in the documentation of your version of Splunk.
If you made your changes by editing configuration files, restart Splunk to apply them; use either the splunk stop and splunk start commands or the Restart action in the Splunk UI. For details, see the Splunk documentation.
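A mismatch between the network input and the source type (a typo in `sourcetype`, or `SHOULD_LINEMERGE` left at its default) is a common reason forwarded JSON events show up in Splunk without extracted fields. The following added example, which is not part of InTrust or Splunk, checks that the two configuration fragments described above agree with each other; the sample `props.conf` and `inputs.conf` text is constructed from the snippets on this page, and the file paths and stanza names are the ones the page uses.

```python
import configparser

# Constructed sample fragments, modelled on the props.conf and inputs.conf
# snippets on this page (not read from a real Splunk deployment).
PROPS_CONF = """
[InTrust]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
pulldown_type = 1
"""

INPUTS_CONF = """
[tcp://514]
connection_host = ip
index = main
sourcetype = InTrust
"""

# Settings the InTrust source type must carry for JSON field extraction.
REQUIRED_PROPS = {
    "INDEXED_EXTRACTIONS": "json",
    "NO_BINARY_CHECK": "true",
    "SHOULD_LINEMERGE": "false",
}

def parse_conf(text):
    """Parse a Splunk .conf fragment; Splunk keys are case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep INDEXED_EXTRACTIONS etc. in original case
    cp.read_string(text)
    return cp

def check_forwarding_config(props_text, inputs_text):
    """Return a list of problems; an empty list means the files agree."""
    props, inputs = parse_conf(props_text), parse_conf(inputs_text)
    problems = []
    network_inputs = [s for s in inputs.sections() if s.startswith(("tcp://", "udp://"))]
    if not network_inputs:
        problems.append("no tcp:// or udp:// network input defined")
    for stanza in network_inputs:
        st = inputs[stanza].get("sourcetype")
        if not st:
            problems.append(f"{stanza}: no sourcetype assigned")
        elif not props.has_section(st):
            problems.append(f"{stanza}: sourcetype '{st}' has no props.conf stanza")
        else:
            for key, want in REQUIRED_PROPS.items():
                have = props[st].get(key)
                if have is None or have.lower() != want:
                    problems.append(f"[{st}] {key} should be {want}, found {have!r}")
    return problems
```

Run it against the real files under `<Splunk_installation_folder>\etc\apps\search\local\` before restarting Splunk; any line it returns points at the setting to fix.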
To send data to Splunk, enable forwarding for the repository with the necessary data. Go to the properties of the repository and, on the Forwarding tab, select Enable forwarding and specify where the data should go.
Select Splunk JSON as the message format, and specify the correct Splunk host name and the port where the forwarded data is expected.
After you have completed the collection setup, confirm that the forwarding is really working. Wait a few minutes for the new settings to take effect. After that, log on to some of the computers that InTrust is watching, and try to make Active Directory changes. Then open Splunk and check whether your activity has registered.
InTrust real-time alerts, which are produced by real-time monitoring rules, cannot be directly transferred to a SIEM system. However, InTrust provides a way to get real-time alert data in event log form, which is compliant with SIEM technology. What you need to do is make your rules use Event Log Recipient as their notification destination, as described in Configuring Notification Groups and Recipients.
After you have set up event log-based notification as instructed in that topic, take the following steps in InTrust Deployment Manager:
When you are done, your SIEM solution will receive the equivalent of InTrust real-time alerts, with all the benefits of InTrust event correlation and none of the event log noise.