InTrust 11.4.1 - Preparing for Auditing and Monitoring PowerShell Activity

Real-Time Collection and Forwarding of PowerShell Activity Data

This topic explains how you can continuously gather PowerShell events to InTrust repositories and, if necessary, forward them to a SIEM solution of your choice for analysis. The functionality described here is part of the feature set provided by InTrust Deployment Manager. To proceed, run this console and connect to your InTrust organization.

Decide Where to Store the Events

It's up to you whether to store your PowerShell audit data in one of your existing repositories or in a dedicated repository. A dedicated repository is recommended if you intend to forward the incoming data to a SIEM solution.

If you want to create a new repository, go to the Storage view, click the New button and follow the steps. For details, see Managing Repositories.

Set Up Gathering

You need a dedicated collection for PowerShell events. Go to the Collections view and take the following steps:

  1. Right-click the Collections node, select New Windows Collection and follow the steps.
  2. On the Specify Computers step, supply the computers that you want to collect PowerShell logs from.
  3. On the Data Sources and Repository step:
    1. Select the Windows PowerShell Operational Log and Windows PowerShell Core Operational Log data sources.
    2. Make sure the If any of the selected data sources cannot be found, consider this an error option is cleared.
      NOTE: Before Update 1 for InTrust 11.4.1, this option was labeled Suppress errors from non-existent data sources and did the opposite. If you are using InTrust 11.4.1 without Update 1, make sure Suppress errors from non-existent data sources is selected.
    3. Select the repository you decided on earlier.
  4. Finish the steps.

For more details, see Managing Collections.
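
Before adding computers to the collection, you can check which of them actually have the two logs, which is what the option about data sources that cannot be found accounts for. The following script is an added example, not part of InTrust or the Quest documentation. It assumes the two data sources read the Windows event channels Microsoft-Windows-PowerShell/Operational and PowerShellCore/Operational, and the computer names are hypothetical.

```powershell
# Added example (not Quest code). Assumption: the InTrust data sources
# "Windows PowerShell Operational Log" and "Windows PowerShell Core Operational Log"
# read the two Windows event channels listed here.
$channels = 'Microsoft-Windows-PowerShell/Operational',
            'PowerShellCore/Operational'

# Hypothetical names; use the computers from the Specify Computers step.
$computers = 'SRV01', 'SRV02'

$report = foreach ($computer in $computers) {
    foreach ($channel in $channels) {
        try {
            # -ListLog returns the channel configuration, not the events.
            $log = Get-WinEvent -ListLog $channel -ComputerName $computer -ErrorAction Stop
            [pscustomobject]@{
                Computer  = $computer
                Channel   = $channel
                Present   = $true
                Enabled   = $log.IsEnabled
                Records   = $log.RecordCount
                MaxSizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
                Note      = ''
            }
        }
        catch {
            # Reached when the channel is not registered on the computer
            # (for example, PowerShell Core is not installed) or when the
            # computer cannot be queried; Note carries the reason.
            [pscustomobject]@{
                Computer  = $computer
                Channel   = $channel
                Present   = $false
                Enabled   = $false
                Records   = 0
                MaxSizeMB = 0
                Note      = $_.Exception.Message
            }
        }
    }
}

# Rows with Present = False are data sources that will not be found there.
# A small MaxSizeMB on a busy host means events may be overwritten quickly.
$report | Sort-Object Computer, Channel | Format-Table -AutoSize -Wrap
```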

Set Up Forwarding

If you want to forward your collected PowerShell data, take the following steps:

  1. Go to the Storage view and select the repository that stores PowerShell data.
  2. In the right pane, in the Forwarding block of options, click Edit and select Enable forwarding.
  3. Configure your forwarding settings as necessary. For details, see Turning Forwarding On and Off.
  4. Click Apply to put your changes into effect.

 

Task-Based Gathering of PowerShell Activity Data

If you just want to archive your PowerShell audit data without real-time awareness of what is going on, you may want to use task-based gathering. This kind of gathering is also the only option if you want to collect data without installing InTrust agents on the audited computers.

The functionality described here is part of the feature set provided by InTrust Manager. To proceed, run this console and connect to your InTrust organization.

To implement the simplest configuration for this scenario, create the following:

  • One InTrust site that contains all the computers you want to collect PowerShell events from, under the Quest InTrust Manager | Configuration | Sites | Microsoft Windows Network node.
  • One gathering policy that defines how to collect logs, under the Quest InTrust Manager | Gathering | Gathering Policies | Microsoft Windows Network node.
    When prompted to include data sources in the policy, select the Windows PowerShell Operational Log and Windows PowerShell Core Operational Log data sources.
  • If you want a dedicated store for your PowerShell event data, a new repository under the Quest InTrust Manager | Configuration | Data Stores | Repositories node.
  • One InTrust scheduled task under the Quest InTrust Manager | Workflow | Tasks node.
    The schedule for the task should be enabled and set to a time that is convenient to you—for example, sometime during off-peak hours.
  • One gathering job within the scheduled task.
    In the configuration of the gathering job, specify the repository you decided on, the site you created and the policy you created.

After you have set up these configuration objects, click the Commit button in the toolbar to put the workflow into effect.

For details about the particular procedures involved in this configuration, see the following topics:

Analyzing PowerShell Events in Repository Viewer

To match the Windows PowerShell Operational Log and Windows PowerShell Core Operational Log data sources that are available out of the box, Repository Viewer provides the Threat Hunting | Windows | PowerShell search folder with dedicated predefined searches. You can use these searches directly or make custom searches based on them to better suit your needs.

For details about running searches and preparing scheduled reports on your repository data, see Searching for Events in Repository Viewer.
