As you know InTrust 10.4 has recently come out of the door and I feel very excited about this release. As always you can find a detailed description of all new features in the What’s New and official product documentation. So instead of wasting time and precious blog space on copying a list of new features in this post I wanted to summarize why this release reaches a very important milestone in the product maturity.
The version 10.4 of InTrust advances in all three main capabilities attributed to successful event log management products:
- Cope with enormous amounts of log data.
One of the reasons why human beings cannot deal with event logs on their own is incredible amount of data that gets generated on all computers and devices on a daily basis. Our clients report hundreds of millions of events being generated in their environments daily!
This version of InTrusts features numerous improvements in performance of indexing and querying of repository data. Now with inexpensive entry level server hardware it is possible to index up to dozens of thousands of events per second.
- Normalize, enrich, and add relevant metadata to events.
Logs are there to help you make judgments about the operational and security state of the system and it is near to impossible to do that without appropriate level of details and convenient representation of events residing in those logs.
The 10.4 release now applies the W6 normalization scheme to all events that can be found on Windows servers, domain controllers and workstations. From now on for every significant event that can be found in Windows event log InTrust will explain in simple terms what it means and extract all the details you need to know like Who performed the action, When it was performed, What that action actually entailed, which server it happened on (Where) and which user workstation it originated from (Where from). The good news is that this normalization applies not only to native operating system logs like Security event log. It creates a compound effect for users that happen to have other Quest products like Change Auditor and ActiveRoles Server that generate their own events with advanced level of details and can naturally adhere to the same W6 scheme.
- Provide tools for log analysis and building reports.
Compliance regulations and ever growing corporate security requirements raised a demand for tools helping with forensic event analysis and automated reporting.
InTrust Repository Viewer capitalized on other building blocks to become such a tool. Unmatched performance and capacity of the indexed repository, superior details of events produced by Quest own auditing tools, normalization of events into the common W6 representation and rich data exploration capabilities of its UI make Repository Viewer the ultimate tool for ad-hoc investigation of security incidents and interactive reporting.
So now in a single report you can easily grasp dissimilar events coming from different logs: logons (Windows Security log) and changes to files and folders (ChangeAuditor for Windows File Servers), provisioning of new user accounts (ActiveRoles Server) and OU delegations (ChangeAuditor for Active Directory), account lockout policy changes (ChangeAuditor for Active Directory) and subsequent account lockouts (Windows Security log). More importantly interactive reports like that can now be built right in InTrust Repository Viewer and they will take seconds to bring in the data.
Did I whet your appetite to go hands on with the newest InTrust release? So why wait? Just go to the produce web page and download the newest bits. Oh, and did I mention that it now takes minutes to install it?