Change Auditor and InTrust

Hi,

I have Change Auditor and InTrust in my infrastructure. Recently an enterprise license was purchased for both.

I found an article saying InTrust and Change Auditor can be integrated.

Some questions:

1) InTrust logs are stored in the repository.

2) CA logs are stored in SQL.

How do I integrate both products? Do I need to newly deploy the setup for integrating them?

  • Since the storage of audit data is so very different between the products, the simplest integration point is probably "IT Security Search".

    It's easiest to understand by way of an example:

    Suppose you would like to see all the activities of an admin "Sally".

    Once you have IT Security Search deployed, it has the ability to search through by the InTrust data and the Change Auditor data for all actions performed by Sally.  So ITSS is essentially your integration point.

    Is this a complete answer?  It depends on your needs / use cases for the audit data you are collecting, e.g. do you need to publish reports?  Do you need to take immediate action to "fix" or "undo" administrative actions?  Both products offer these capabilities but in different ways.

  • Yes, IT Security Search can be used to archive data from Change Auditor; the Change Auditor HTTP push connector can be used for that.

    However, if you want to integrate to the point that InTrust can perform response actions, such as demonstrated in a ransomware attack video, you will need to enable another kind of integration. Change Auditor can send events to the Windows event log; there is a special setting in the CA configuration where you can enable that. Once you have done this, install the Change Auditor Knowledge Pack using the InTrust setup and collect the installed Change Auditor data sources from the CA agents, server, and coordinators for data. Enable real-time monitoring rules from the CA Knowledge Pack for alerts and response actions.

  • Great point.  What needs to be made clear here is that InTrust's raw data source from the Windows platform is the Windows event log format (which it then "compresses" and stores into the Repository).  Change Auditor's raw format is its highly optimized storage in SQL.  InTrust cannot currently ingest this directly, so it needs Change Auditor to write its events to its own Windows event log (on each host), and then InTrust can collect and store this into its Repository.  So as such, Change Auditor becomes another Windows event log source just like the security log, system log, etc.

  • Thank you for your time.

    From your answer I understand that Change Auditor and InTrust work in their own way. By using IT Security Search I can fetch the logs from the CA database and the InTrust repository.

    I hope that IT Security Search can be installed in the CA or InTrust console.