Actions

Tags

Sergey.Goncharenko
Jun 3, 2020
New in Quest InTrust - Real-Time alert notification in the Event Log

Quest InTrust is a very powerful log management framework which also contains a lot of possible ways to notify about triggered alerts:

With latest 11.4.1 Update 1 we've added one more - Event Log notifications, which also means integrating security alerts into SIEM

Once an alert is triggered, InTrust will create an event in the InTrust Server event log

Contents of the event can be modified in a couple of ways: modify the alert text or modify the event notification text. To add a notification you need to do the following:

Add event log to the corresponding notification channel of the real-time monitoring policy

In the real-time monitoring rule configuration, add event log notification and modify the text if necessary and make sure the rule is enabled, the policy is enabled and site for the policy contains target computers

Here is the event example

You can use the library of pre-built security and operations alerts to get notified via event log

Because InTrust is a framework, you can use it to collect this log and forward alert notifications to SIEM, here is how it can be configured in the InTrust Deployment Manager.

Make sure real-time log collection is collecting the InTrust Server Log

Specify InTrust Alerts as a forwarding filter if there is another filter already (if you are forwarding everything - all events including alerts will be sent)

To help our customers batch-enable all event rules with the new notification action we've released a special support tool

When collected InTrust server event log with alert notifications can be used in Repository Viewer to see and investigate alerts

  • over 3 years ago in reply to a00_58193

    I'll probably do another blog post on this. This is doable with the current version, but we'll improve documentation and we will add some of the configurations items to the product. Here is an example .conf file for the log stash (InTrust need to be configured to use TCP and RFC5424 event format):

    input {
################ Enable UDP section if necessary ##########################
#    udp {
#        port => 55514
#        type => "rfc5424"
#       codec => multiline {
#               pattern => "^<%{NONNEGINT:syslog_pri}>"
#               negate => true
#               what => "previous"
#       }
#    }
###########################################################################
    tcp {
        port => 55514
        type => "rfc5424"
        codec => multiline {
                pattern => "^<%{NONNEGINT:syslog_pri}>"
                negate => true
                what => "previous"
        }
    }
}
filter {
    if [type] == "rfc5424" {
        grok {
            #
            # Regexp to capture RFC5424 parts of InTrust message accurately (with newline characters)
            #
            match => {
                "message" => "(?m)<%{NONNEGINT:syslog_pri}>%{NONNEGINT:version}%{SPACE}(?:-|%{TIMESTAMP_ISO8601:syslog_timestamp})%{SPACE}(?:-|%{IPORHOST:hostname})%{SPACE}(?:%{SYSLOG5424PRINTASCII:program}|-)%{SPACE}(?:-|%{SYSLOG5424PRINTASCII:process_id})%{SPACE}(?:-|%{SYSLOG5424PRINTASCII:message_id})%{SPACE}(?:-|(?<structured_data>(\[.*?[^\\]\])+))(?:%{SPACE}(?m)(?<syslog_message>(.|\r|\n)*)|%{GREEDYDATA:syslog_other})"
            }
            add_tag => [ "match" ]
        }
        if "match" in [tags] {
            syslog_pri {
                remove_field => "syslog_pri"
            }
            date {
                match => [ "syslog_timestamp", "ISO8601", "MMM dd HH:mm:ss", "MMM dd HH:mm:ss.SSS" ]
                remove_field => "syslog_timestamp"
            }
            if [structured_data] {
                ruby {
                    code => '
                        #
                        #Ruby code to parse key=value paramters from RFC5424 InTrust message accurately (some may include new line characters)
                        #
                        def extract_syslog5424_sd(syslog5424_sd)
                            sd = {}
                            syslog5424_sd.scan(/\[(?<element>(.|\r|\n|\t)*?)\]/) do |element|
                                data = element[0].match(/(?<sd_id>[^\ ]+)(?<sd_params> (.|\r|\n)*)?/)
                                sd_id = data[:sd_id].split("@", 2)[0]
                                sd[sd_id] = {}
                                next if data.nil? || data[:sd_params].nil?
                                data[:sd_params].scan(/ (.*?[=](?:""|"(.|\r|\n|\t)*?"))/) do |set|
                                    set = set[0].match(/(?<param_name>.*?)[=]\"(?<param_value>(.|\r|\n|\t)*)\"/)
                                    sd[sd_id][set[:param_name]] = set[:param_value]
                                end
                            end
                            sd
                        end
                        event.set("[sd]", extract_syslog5424_sd(event.get("[structured_data]")))
                    '
                    remove_field => "structured_data"
                }
            }
            #
            # Converting InTrust parsing into Elastic common fields, specifically focused on winlogbeat index structure
            #

            mutate{
                rename => {"host" => "syslog.host.ip"}
                rename => {"message" => "message_raw"}
                rename => {"syslog_message" => "message"}
                add_field => {
                    "event.category" => "%{[sd][InTrust.Predefined][Category]}"
                    "event.action" => "%{[sd][InTrust.Predefined][Category]}"
                    "event.module" => "%{[sd][InTrust.Predefined][GatheringEventLog]}"
                    "event.provider" => "%{[sd][InTrust.Predefined][SourceName]}"
                    "winlog.event_id" => "%{[sd][InTrust.Predefined][EventID]}"
                    "winlog.computer_name" => "%{[sd][InTrust.Predefined][ComputerName]}"
                    "winlog.record_id" => "%{[sd][InTrust.Predefined][RecordKey]}"
                    "host.os.version" => "%{[sd][InTrust.Predefined][VersionMajor]}.%{[sd][InTrust.Predefined][VersionMinor]}"
                }
                replace => {"host.name" => "%{[sd][InTrust.Predefined][ComputerName]}"}
            }
            if [sd][InTrust.Named][Result] {
                mutate{
                    add_field => {
                        "event.outcome" => "%{[sd][InTrust.Named][Result]}"
                    }
                }
            }
            if [sd][InTrust.Named][Result] {
                mutate{
                    add_field => {"user.name" => "%{[sd][InTrust.Named][Who]}"}
                }
            }
            if [sd][InTrust.Named][Security_ID] {
                mutate{
                    add_field => {"user.id" => "%{[sd][InTrust.Named][Security_ID]}"}
                }
            }
            if [sd][InTrust.Named][WhoDomain] {
                mutate{
                    add_field => {
                        "user.domain" => "%{[sd][InTrust.Named][WhoDomain]}"
                        "winlog.user.domain" => "%{[sd][InTrust.Named][WhoDomain]}"
                    }
                }
            }
            if [sd][InTrust.Named][Who] {
                mutate{
                    add_field => {"winlog.user.name" => "%{[sd][InTrust.Named][Who]}"}
                }
            }
            #
            # Normalizing InTrust Security Alerts for Elastic SIEM
            #
            if [event.action] == "Rule Match" {
                mutate{
                    add_field => {"event.kind" => "alert"}
                    replace => {"event.action" => "Security Alert"}
                    replace => {"event.category" => "%{[sd][InTrust.Named][What]}"}
                }
            }else{
                mutate{ add_field => {"event.kind" => "event"}}
            }
            mutate{lowercase => ["event.module"]}
        }
    }
}
output {
    elasticsearch {
        hosts => ["localhost:9200"]
        index => "intrust-%{+YYYY.MM.dd}" #The corresponding winlogbeat indexing template should be deployed for intrust-* index, also intrust-* index should be added to SIEM indexes
    }
    ## Uncomment for debug purposes
    #stdout { codec => rubydebug }
}

  • over 3 years ago

    Do you have plans  to release OOTB integration with Elastisearch?

Related Content