InTrust 11.5.1 - What's New

New in InTrust 11.4.1

Event Forwarding in Syslog RFC 5424 Format

The Syslog message format defined by RFC 5424 is widely supported by SIEM providers. Now that InTrust can forward events in this format, you can easily integrate your InTrust-collected data with a variety of SIEM solutions, without the need for custom scripts implementing proprietary formats.

Event Forwarding Takes Advantage of TLS

Event forwarding over TCP can now be secured with TLS in environments where this type of security is used. TLS-Secured TCP is a new transport option in the forwarding settings for InTrust repositories.

Support for Multiple Filters for Event Forwarding

Unlike previous releases where you used one event forwarding filter per repository, you can now specify multiple filters. InTrust will forward events that match any of the filters you select. Each filter you add broadens the scope instead of narrowing it.

Best Practice Filters for Event Forwarding

InTrust provides a set of event forwarding filters that incorporate security analysis best practices. These filters incorporate recommendations from such sources as NSA and MITRE and are categorized so that you can easily combine them as necessary.

The filters are customarily implemented as searches and are available in the Threat Hunting | Windows | Native OS Logs Telemetry search folder.

Support for Deployment on Windows Server 2019 and SQL Server 2017

InTrust components can be installed on computers running Windows Server 2019. InTrust configuration, audit and alert databases can be hosted on Microsoft SQL Server 2017.

InTrust SDK Improvements

The InTrust SDK now provides bindings for working with sites and event forwarding configuration.

Alerts on Password Spraying Attempts

The new "Potential password spraying (multiple failed logons for valid accounts)" rule captures situations where an attacker tries multiple user names in a row with the same password, circumventing the built-in account-locking mechanism.
The rule complements the existing multiple logon failure rules and is located in the Advanced Threat Protection | Windows/AD Suspicious Activity | Gaining User Access | Brute-force attacks rule folder.
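
The pattern this rule targets can be illustrated with the following added example, which is not InTrust's rule logic or code from this documentation. It assumes Windows failed-logon events (ID 4625) reduced to four fields; the addresses, account names, threshold and window are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# SubStatus of a Windows failed-logon event (ID 4625): the user name is valid
# but the password is wrong. 0xC0000064 (no such user) is deliberately ignored.
BAD_PASSWORD = "0xc000006a"

# Constructed events: (timestamp, source address, target account, SubStatus).
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "10.0.0.5", "alice", "0xC000006A"),
    ("2024-01-01T10:00:20", "10.0.0.5", "bob", "0xC000006A"),
    ("2024-01-01T10:00:40", "10.0.0.5", "ghost", "0xC0000064"),
    ("2024-01-01T10:01:00", "10.0.0.5", "carol", "0xC000006A"),
    ("2024-01-01T10:01:20", "10.0.0.5", "dave", "0xC000006A"),
    # Repeated failures against one account: classic brute force, not spraying.
    ("2024-01-01T10:02:00", "10.0.0.9", "alice", "0xC000006A"),
    ("2024-01-01T10:02:05", "10.0.0.9", "alice", "0xC000006A"),
    ("2024-01-01T10:02:10", "10.0.0.9", "alice", "0xC000006A"),
    ("2024-01-01T10:02:15", "10.0.0.9", "alice", "0xC000006A"),
    # Four accounts, but spread over hours: outside the default window.
    ("2024-01-01T08:00:00", "10.0.0.7", "alice", "0xC000006A"),
    ("2024-01-01T09:00:00", "10.0.0.7", "bob", "0xC000006A"),
    ("2024-01-01T10:00:00", "10.0.0.7", "carol", "0xC000006A"),
    ("2024-01-01T11:00:00", "10.0.0.7", "dave", "0xC000006A"),
]

def find_spraying(events, min_accounts=4, window=timedelta(minutes=5)):
    """Map each source to the accounts it hit once it has failed logon against
    min_accounts distinct valid accounts inside one sliding time window."""
    by_source = defaultdict(list)
    for ts, source, account, sub_status in events:
        if sub_status.lower() == BAD_PASSWORD:
            by_source[source].append((datetime.fromisoformat(ts), account.lower()))
    hits = {}
    for source, rows in by_source.items():
        rows.sort()
        start = 0
        for end, (when, _) in enumerate(rows):
            while when - rows[start][0] > window:  # slide the window forward
                start += 1
            accounts = {account for _, account in rows[start:end + 1]}
            if len(accounts) >= min_accounts:
                hits[source] = sorted(accounts)
                break
    return hits

if __name__ == "__main__":
    print(find_spraying(SAMPLE_EVENTS))
```

Counting distinct accounts per source, rather than failures per account, is what lets this flag activity that stays below a per-account lockout threshold.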

Knowledge Packs for Solaris and IBM AIX Are Not Included

This release does not contain any changes to the Knowledge Packs for Solaris and IBM AIX; therefore, these components were not rebuilt for InTrust 11.4.1. If you need InTrust configuration objects related to these platforms and InTrust agents for them, use previous versions of these components. Do one of the following:

  • If you are upgrading to InTrust 11.4.1, just perform the upgrade. Your agents and configuration objects will keep working.
  • If you are doing a fresh deployment of InTrust 11.4.1, install version 11.4 of the Knowledge Packs in addition. To download the packages, go to https://support.quest.com/intrust/11.4.

New in InTrust 11.4

Real-Time Monitoring of Suspicious PowerShell Activity

The new "Suspicious PowerShell activity" and "Suspicious PowerShell Core activity" rules help minimize the impact of attacks based on PowerShell scripts. InTrust lets you thwart PowerShell-wielding attackers by setting up alerts and emergency response actions for whenever someone uses suspicious PowerShell commands. These rules watch for telltale traces of potentially dangerous PowerShell activity, so they rely on PowerShell logging. For details about this real-time monitoring scenario, see Setting Up Monitoring for Suspicious PowerShell Activity.

Event Forwarding over TCP Guarantees Delivery

The event forwarding engine has been redesigned from the ground up to enable support for TCP and make forwarding more robust and extensible. TCP is now available along with UDP as the transport for audit data transmission. TCP guarantees delivery of forwarded events.

Self-Auditing Capabilities for InTrust Server and InTrust Agent

This release lays the groundwork for InTrust self-auditing. With this initial implementation, you can keep track of the connections that your InTrust servers and agents make and accept. In addition to its own value, this data helps achieve compliance with regulations regarding auditing systems. For details, see Self-Auditing in InTrust.