InTrust 11.5.1 - Product Overview

Introduction to InTrust

InTrust is a powerful framework for enterprise log management, provision of regulations compliance and IT data analytics.

What InTrust Can Do for You

InTrust focuses on logs, which make up the bulk of IT data in the enterprise. The log-oriented approach helps you achieve the following:

• Securely collect and archive logs in real time from across the diverse enterprise network
• Automate the log review process without hiring event log experts
• Pass audits by providing faster answers to the questions auditors will ask
• Conduct efficient investigations of security incidents and fraudulent activity of insiders
• Improve day-to-day operations by minimizing the number of tools and making IT data readily available
• Assess the robustness of security and operations without much effort

What's Inside

InTrust has many components, but not all of them are needed for most scenarios. The default components are few, accessible and easy to deploy; yet they cover the most common log management needs and incorporate impressive InTrust expertise.

The remaining components help manage rare logs, implement specialized scenarios and provide advanced capabilities such as reporting powered by SQL Server Reporting Services and real-time monitoring with alerts and automated response.

Default Deployment

The following components are installed by default:

• InTrust Server
  This is the principal component that provides most of the capabilities of InTrust, in both default and extended deployments. It is a back-end that keeps the InTrust configuration up to date and runs the operations according to that configuration.
• InTrust Deployment Manager
  This console is used for setting up real-time data gathering. This workflow is based on collections of Windows computers or Syslog devices, from which data is continuously gathered to the InTrust repository that you specify. In addition, InTrust Deployment Manager lets you forward Syslog messages and events from repositories to SIEM solutions such as SecureWorks.
• InTrust Repository Viewer
  This application lets you browse the contents of InTrust repositories, which are data stores that keep the InTrust-gathered data. Repository Viewer offers flexible searching, grouping, sorting and filtering for focused event analysis. It also supports running search-based scheduled reports on a regular basis, with customizable layouts and convenient delivery options.

Extended Deployment

The other components you can set up are also built around InTrust Server but geared for a different workflow and style of configuration. These components form an extended InTrust deployment.

• InTrust Manager
  This console sets up scheduled task-based gathering, reporting based on SQL Server Reporting Services, and real-time monitoring. InTrust Manager is required for all of these advanced features. For details about them, see the following documentation:
  • Deployment Guide
  • Auditing Guide
  • Real-Time Monitoring Guide

  • Leveraging Microsoft SQL Server Reporting Services Integration for Advanced Reporting

• Knowledge Portal
  This Web application is an alternative to the Reporting Services Web UI, streamlined for use with InTrust reports.
• InTrust Monitoring Console
  This Web application displays real-time alerts produced by InTrust and lets you track and manage their state.
• Knowledge Packs
  These are collections of InTrust resources that are needed for supporting specific platforms and logs. For example, installing the Linux Knowledge Pack enables InTrust to gather logs from Linux hosts (through InTrust agents), monitor these hosts in real time and build SSRS reports based on the collected data. The range of supported platforms and logs is broader for extended deployments than for default deployments.

Key Concepts

The following terms are important for understanding the basics of InTrust.

InTrust Server

An InTrust server is a computer where the InTrust Server component is set up. It processes requests from client applications such as Repository Viewer and InTrust Deployment Manager, performs the operations they request and handles the configuration.

InTrust Repository

The repository is the primary type of data store in InTrust. Repositories are intended for long-term archiving of data in a compressed format. For fast access to the data they contain, repositories have indexes, which are maintained by the InTrust server.

Repositories are normally file-based, but in extended deployments you also have the option of associating a repository with an EMC Centera appliance.

The same repository can be used for both real-time gathering and scheduled task-based gathering; the only restriction is that the same data from the same computers must not be gathered using both methods at once.

InTrust Organization

An InTrust organization is a group of InTrust servers with a shared configuration, for which a SQL Server database is used.

An InTrust organization provides the following:

• Load balancing among InTrust servers
• A common list of InTrust organization administrators
• A uniform selection of available data sources for all member InTrust servers

InTrust Agents

An InTrust agent is an application which is usually automatically installed by InTrust Server on target computers to locally perform audit data gathering and, in extended deployments, real-time monitoring. Alternatively, you install and uninstall agents explicitly using InTrust Deployment Manager (or InTrust Manager). However, you can install InTrust agents manually (for example, if the target computer is behind a firewall or in an untrusted domain). In addition, a Windows Installer package for the InTrust agent makes it possible to manage agent installations using Group Policy.

During its operation an agent communicates with InTrust Server over the TCP protocol. In complex environments, agents require only one open port to allow incoming traffic to the InTrust server address.

If an agent cannot connect to the InTrust Server for the certain time period (for example, if the InTrust server was removed), it is “retired” (uninstalled) automatically.

How It Works

The following diagram summarizes the points made in the Introduction to InTrust topic and shows where the components fit in the big picture. The roles of the users shown here are pure examples. Of course, each of them can benefit from all of the client applications.

Note that the diagram shows only the default InTrust deployment. For a representation of an extended deployment, see Technical Insight.

Supported Platforms and Data Sources

This is a breakdown of how InTrust handles heterogeneous audit data. Instead of "log", the broader term "data source" is used, because some of the valuable transient data that InTrust can watch is not strictly logs.

The real-time gathering feature is part of the default InTrust deployment.

The task-based gathering and real-time monitoring features come with the extended deployment.

Microsoft Windows

64-bit architecture:

• Microsoft Windows Server 2019
• Microsoft Windows Server 2016
• Microsoft Windows 10
• Microsoft Windows Server 2012 R2
• Microsoft Windows 8.1
• Microsoft Windows Server 2012

32-bit architecture:

• Microsoft Windows 10
• Microsoft Windows 7

Red Hat Enterprise Linux

• Red Hat Enterprise Linux 8
• Red Hat Enterprise Linux 7 – 7.4
• Red Hat Enterprise Linux 6.3 – 6.9

Oracle Linux

• Oracle Linux 8
• Oracle Linux 7 – 7.4
• Oracle Linux 6.3 – 6.9

Ubuntu Linux

Ubuntu Linux 18.04

VMware ESX and ESXi

• VMware ESXi 6.7
• VMware ESXi 6.5

Trend Micro InterScan Web Security Virtual Appliance

Trend Micro InterScan Web Security Virtual Appliance 6.5