Chat now with support
Chat with Support

InTrust 11.3 - Integration into SIEM Solutions Through Event Forwarding

Advanced Event Forwarding Scenario

In this scenario, you use a dedicated repository for event forwarding. Create a new collection specifically for the events you want to forward, and select to create a new repository for this collection.

As a final step, you can make sure that disk space is not wasted on the repository contents that you are not going to use. Set up automatic cleanup of the repository contents. For that, use the InTrust Manager console from an extended InTrust deployment to do the following:

  1. Connect InTrust Manager to the organization where your repository resides.
  2. Create a task and schedule it to run periodically; for example, every day.
  3. Within the task, create a single repository cleanup job that clears everything from the repository used for the forwarding.
  4. Commit your configuration changes.

For details about performing these steps, see the Auditing Guide.

Example: Set Up Forwarding to SecureWorks

Suppose SecureWorks is already in place in your environment and is used for tracking the operation of Syslog-enabled systems. For Windows network auditing, you use InTrust and Change Auditor. You would like to extend the scope of your SecureWorks coverage to include suspicious user activity in the Windows network.

Make Sure You Have the Data

To capture suspicious administrative activity, you would need to look at the following:

  • User session events provided by InTrust
    These events provide a deep insight into user logons, logoffs and sessions.
  • Change Auditor for Active Directory log
    This log provides fine-grained information about all changes to Active Directory.

Confirm that these data sources are used by the collections that work with your repository.

Configure the Forwarding

You need to enable forwarding for the repository with the necessary data. Go to the properties of the repository and, on the Forwarding tab, select Enable forwarding and specify where the messages should go.

After you have completed the collection setup, confirm that the forwarding is really working. Wait a few minutes for the new settings to take effect. After that, log on to some of the computers that InTrust is watching, and try to make Active Directory changes. Then check on the SecureWorks appliance whether it has registered your activity.

Example: Set Up Forwarding to Splunk

Suppose Splunk is deployed in your environment for analyzing Windows security events. You would like to use InTrust as the forwarding mechanism. The data you need goes to a repository that is set aside specifically for forwarding purposes. The repository has only Windows Security log data.

Get Splunk Ready

Caution: For the sake of speed, the Splunk forwarding component of InTrust uses the UDP protocol, so successful delivery of forwarded data is not guaranteed.

You need to perform two procedures in Splunk (and maybe restart it), as described below.

Step 1: Define a Source Type

To make sure that event fields are recognized correctly, make a specialized source type for incoming InTrust data. If you want to use the Splunk UI for this, configure the options as follows (the last three options are set up in the Advanced group):

Option

Value

Category

Structured

Indexed extractions

json

NO_BINARY_CHECK

true

SHOULD_LINEMERGE

false

pulldown_type

1

If you want to skip configuration through the Splunk UI, include the following snippet in the <Splunk_installation_folder>\etc\apps\search\local\props.conf file:

[InTrust]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
pulldown_type = 1

Step 2: Configure a Network Input

In Splunk, add a new UDP network input and apply your new source type to it. Configure the network input as necessary, but make sure you set up the following:

  1. It must use the UDP protocol.
  2. Specify the source type you defined earlier; in this example, it is InTrust.

Make a note of the port number where Splunk will listen for forwarded UDP traffic. You are going to need it for InTrust forwarding configuration.

If you want to skip configuration through the Splunk UI, include the following snippet in the <Splunk_installation_folder>\etc\apps\search\local\inputs.conf file:

[udp://514]
connection_host = ip
index = main
sourcetype = InTrust

For details about the various ways that you can add network inputs in Splunk, see the "Get data from TCP and UDP ports" article in the documentation of your version of Splunk.

Step 3 (Conditional): Restart Splunk

If you made your changes by editing configuration files, restart Splunk to apply them; use either the splunk stop and splunk start commands or the Restart action in the Splunk UI. For details, see the Splunk documentation.

Configure the Forwarding

To send data to Splunk, enable forwarding for the repository with the necessary data. Go to the properties of the repository and, on the Forwarding tab, select Enable forwarding and specify where the data should go.

Select Splunk (JSON) as the message format, and specify the correct Splunk host name and the UDP port where the forwarded data is expected.

After you have completed the collection setup, confirm that the forwarding is really working. Wait a few minutes for the new settings to take effect. After that, log on to some of the computers that InTrust is watching, and try to make Active Directory changes. Then open Splunk and check whether your activity has registered.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating