Symantec Security Information Manager 4.7.4 Administrator Guide

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version:

Legal Notice

Copyright 2011 Symantec Corporation. All rights reserved.

Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party ("Third Party Programs"). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or the TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR and subject to restricted rights as defined in FAR Section "Commercial Computer Software - Restricted Rights" and DFARS, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
350 Ellis Street
Mountain View, CA

Printed in the United States of America

Technical Support

Contacting Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's support offerings include the following:
- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
- Upgrade assurance that delivers software upgrades
- Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
- Premium service offerings that include Account Management Services

For information about Symantec's support offerings, you can visit our Web site at the following URL:

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Customers with a current support agreement may access Technical Support information at the following URL:

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:
- Product release level
- Hardware information
- Available memory, disk space, and NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description:
  - Error messages and log files
  - Troubleshooting that was performed before contacting Symantec
  - Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

Customer service

Customer service information is available at the following URL:

Customer Service is available to assist with non-technical questions, such as the following types of issues:
- Questions regarding product licensing or serialization
- Product registration updates, such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade assurance and support contracts
- Information about the Symantec Buying Programs
- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs, DVDs, or manuals

Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:
- Asia-Pacific and Japan
- Europe, Middle-East, and Africa
- North America and Latin America

Contents

Technical Support ... 4

Section 1  Introducing the Information Manager
  Chapter 1  Overview
    About Symantec Security Information Manager
    What's new in this release
    New features
    Features of Information Manager
    About estimating system performance
  Chapter 2  Understanding the Information Manager components
    About workflow in Information Manager
    About Information Manager components
    About security products and devices
    About event collectors
    About the Symantec Global Intelligence Network
    About the Information Manager Web service
    About Information Manager servers

Section 2  Managing roles, permissions, users, and organizational units
  Chapter 3  Managing roles and permissions
    About managing roles
    About planning for role creation
    About the administrator roles
    Creating a role
    Editing role properties
    Deleting a role
    About working with permissions
    About permissions ... 56
    About the propagation of permissions
    Modifying permissions from the Permissions dialog box
  Chapter 4  Managing user and user groups
    About users and passwords
    Creating a new user
    Creating a user group
    About editing user properties
    Changing a user's password
    Specifying user business and contact information
    Managing role assignments and properties
    Managing user group assignments
    Specifying notification information
    About modifying user permissions
    Modifying a user group
    Deleting a user or a user group
    Customizing the password policy
  Chapter 5  Managing organizational units and computers
    About organizational units
    About managing organizational units
    Creating a new organizational unit
    About determining the length of the organizational unit name
    Editing organizational unit properties
    Deleting an organizational unit
    About managing computers within organizational units
    Creating computers within organizational units
    About editing computer properties
    Distributing configurations to computers in an organizational unit
    Moving a computer to a different organizational unit
    About modifying computer permissions
    Deleting a computer from an organizational unit
    About the Visualizer
  Chapter 6  Configuring a service provider
    About using Information Manager in a service provider context
    About the service provider environment from the client perspective
    About the service provider environment from the provider perspective
    About customizing the Incidents view in a Service Provider Master console
    About responding to a client incident
    Creating Information Manager tickets in a Service Provider Master context
    Exporting incident information from the Client Incident viewer
    About setting up a Service Provider environment
    Configuring an instance of Information Manager as a Service Provider client
    Configuring an Information Manager server as a Service Provider Master
    Configuring service provider client management accounts
    Synchronizing the Service Provider Master with client incidents
    Disconnecting a client from a Service Provider Master

Section 3  Planning for security management
  Chapter 7  Managing the correlation environment
    About the Correlation Manager
    About the Correlation Manager knowledge base
    About the default rules set
  Chapter 8  Defining rules strategy
    About creating the right rule set for your business
    About defining a rules strategy
    About correlation rules
    About rule conditions
    About rule types
    About event criteria
    About the Event Count, Span, and Table Size rule settings
    About the Tracking Key and Conclusion Creation fields
    About the Correlate By and Resource fields
    Importing existing rules
    Creating custom correlation rules
    About automatically assigning incidents
    Assigning incidents automatically to the least busy member in a user group
    Creating a multicondition rule
    Creating a correlation rule based on the X not followed by Y rule type
    Creating a correlation rule based on the X not followed by X rule type
    Creating a correlation rule for the Y not preceded by X rule type
    Creating a correlation rule for the Lookup Table Update
    Enabling and disabling rules
    Working with the Lookup Tables window
    Creating a user-defined Lookup Table
    Importing Lookup Tables and records

Section 4  Understanding event collectors
  Chapter 9  Introducing event collectors
    About Event Collectors and Information Manager
    Components of collectors
  Chapter 10  Installing event collectors
    Before you install collectors
    Requirements for point products and the collectors
    Updating the hosts file
    About installation and configuration tasks for collectors
    Registering Collectors
    Installing the Symantec Event Agent
    Preinstallation requirements
    About installing the Event Agent
    Installing the Event Agent on Windows
    Installing the Event Agent on Solaris
    Installing the Event Agent on Linux
    About uninstalling the Event Agent
    About uninstalling the Event Agent on Windows
    About uninstalling the Event Agent on Linux and Solaris
    Event Agent Management with agentmgmt.bat utility
    Verifying Symantec Event Agent installation
    Verifying Symantec Event Agent operation
    Installing the collector on a remote computer
    Installing collectors on an Information Manager server
    Verifying collector installation
    Verifying collector configuration
    About Symantec Universal Collectors
    Downloading and installing the Symantec Universal Collectors
  Chapter 11  Configuring point products and collectors
    About configuring a point product to work with a collector
    Creating and configuring sensors
    Creating a new sensor configuration
    Configuring the collector sensor to receive security events
    Adding, renaming, deleting, and disabling sensors
    Importing and exporting sensor properties
    Updating sensor properties globally
    Configuring collector raw event logging
  Chapter 12  Configuring collectors for event filtering and aggregation
    Configuring event filtering
    Configuring event aggregation

Section 5  Working with events and event archives
  Chapter 13  Managing event archives
    About events, conclusions, and incidents
    About the Events view
    About the event lifecycle
    About event archives
    About multiple event archives
    Creating new event archives
    Restoring event archives
    Specifying event archive settings
    Creating a local copy of event archives on a network computer
    Viewing event data in the archives
    About the event archive viewer right pane
    Manipulating the event data histogram
    Setting a custom date and time range
    About viewing event details
    Modifying the format of the event details table
    Searching within event query results
    Filtering event data
    About working with event queries
    Using the Source View query and Target View query
    Creating query groups
    Creating custom queries
    Querying across multiple archives
    Managing the color scheme that is used in query results
    Editing queries
    Importing queries
    Exporting queries
    Publishing queries
    About querying for IP addresses
    Deleting queries
    Scheduling queries that can be distributed as reports
  Chapter 14  Forwarding events to an Information Manager server
    About forwarding events to an Information Manager server
    About registering a security directory
    Registering the Information Manager with a security domain
    Activating event forwarding
    Stopping event forwarding
  Chapter 15  Understanding event normalization
    About event normalization
    About normalization (.norm) files
  Chapter 16  About Effects, Mechanisms, and Resources
    About Effects, Mechanisms, and Resources (EMR)
    About Effects values
    About Mechanisms values
    About Resources values
    EMR examples
  Chapter 17  Collector-based event filtering and aggregation
    About collector-based event filtering and aggregation
    About identifying common events for collector-based filtering or aggregation
    About preparing to create collector-based rules
    Accessing event data in the Information Manager console
    Creating collector-based filtering and aggregation specifications
    Examples of collector-based filtering and aggregation rules
    Filtering events generated by specific internal networks
    Filtering common firewall events
    Filtering common Symantec AntiVirus events
    Filtering or aggregating vulnerability assessment events
    Filtering Windows Event Log events
  Chapter 18  Working with the Assets table
    About the Assets table
    About how event correlation uses Assets table entries
    About CIA values in the Assets table
    Importing assets into the Assets table
    Searching, filtering, and sorting assets
    Visual identification of the IP addresses also on the IP Watchlist
    About vulnerability information in the Assets table
    About using a vulnerability scanner to populate Assets table
    About locked and unlocked assets in the Assets table
    Using the Assets table to help reduce false positives
    About filtering events based on the operating system
    About using CIA values to identify critical events
    About using Severity to identify events related to critical assets
    About using the Services tab
    About associating policies with assets to reduce false positives or escalate events to incidents

Section 6  Configuring the Information Manager
  Chapter 19  Configuring the Console
    About configuring Information Manager
    Identifying critical systems
    Adding a policy
    Specifying networks
  Chapter 20  Configuring general settings in the Web configuration interface
    About the Settings view
    Editing the Hosts file
    Changing the network settings
    Changing date and time settings
    Changing a Network Time Protocol Server
    About the Password view
    Changing the password for Linux accounts
    Changing the password for symcmgmt Linux account
    About the Global Intelligence Network configuration view
    About running LiveUpdate
    Running LiveUpdate from the Information Manager Web configuration interface
    About integrating Active Directory with the Information Manager server
    Managing Active Directory configurations
    Adding the CA root certificate
    Shutting down the Information Manager server
    Restarting the Information Manager server
    About using the multipath feature for storage options
    About External Storage
    Creating NAS Configuration
    Deleting NAS configuration
    Connecting Information Manager to a SAN
    Connecting Information Manager to a DAS
    Configuring Information Manager with DAS/SAN Storage
    Extending the storage capacity of an existing DAS/SAN configuration
    Unmounting the DAS/SAN configuration
    Restoring a DAS/SAN configuration
    Deleting a DAS/SAN configuration
  Chapter 21  Managing Global Intelligence Network content
    About managing Global Intelligence Network content
    Registering a Global Intelligence Network license
    Viewing the status of Global Intelligence Network content
    Receiving Global Intelligence Network content updates
  Chapter 22  Working with Information Manager configurations
    About agent configurations
    About Agent Connection Configurations
    Configuring Agent to Manager failover
    About the Information Manager configurations
    About the Manager components configurations
    Setting up blacklisting for logon failures
    Modifying administrative settings
    About Manager configurations
    Increasing the minimum free disk space requirement in high logging volume situations
    About Manager connection configurations
    About configuring Information Manager directories
    About configuring LiveUpdate
    About Java LiveUpdate
    Creating Java LiveUpdate configurations
    Scheduling LiveUpdate requests
    Modifying Java LiveUpdate configurations
    Editing Java LiveUpdate configuration properties
    Distributing a Java LiveUpdate configuration

Section 7  Managing application data
  Chapter 23  Maintaining the Information Manager database
    About database maintenance
    Checking database status
    About the database health monitor service
    About purging event summary, alerts, and incident data
    Adjusting parameters for automated purges
    Setting the safe level and the alarm level for automated purges
  Chapter 24  Managing data backup, restore, and purge
    About backup, restore, and purge
    Performing a complete LDAP directory server backup
    Performing a complete LDAP directory server restore
    Performing a complete database backup
    Performing a complete database restore
    Performing a selective backup
    Performing a selective restore
    Scheduling a backup
    Editing a scheduled backup
    Deleting a scheduled backup
    Purging incident or event summary data
    Purging selective backup files

Section 8  Appendix
  Appendix A  Firewall Settings for the Information Manager
    Firewall settings

Index

Section 1

Introducing the Information Manager

  Chapter 1. Overview
  Chapter 2. Understanding the Information Manager components


Chapter 1

Overview

This chapter includes the following topics:
- About Symantec Security Information Manager
- What's new in this release
- Features of Information Manager
- About estimating system performance

About Symantec Security Information Manager

Information Manager provides real-time event correlation and data archiving to protect against security threats and to preserve critical security data. Information Manager collects and archives security events from across the enterprise. These events are correlated with the known asset vulnerabilities and current security information from the Global Intelligence Network. The resulting information provides the basis for real-time threat analysis and security incident identification. Information Manager archives the security data for forensic and regulatory compliance purposes.

Information Manager collects, analyzes, and archives information from security devices, critical applications, and services, such as the following:
- Firewalls
- Routers, switches, and VPNs
- Enterprise antivirus
- Intrusion detection systems and Intrusion Prevention Systems
- Vulnerability scanners
- Authentication servers
- Windows and UNIX system logs

Information Manager provides the following features to help you recognize and respond to threats in your enterprise:
- Normalization and correlation of events from multiple vendors.
- Event archives to retain events in both their original (raw) and normalized formats.
- Distributed event filtering and aggregation to ensure that only relevant security events are correlated.
- Real-time security intelligence updates from the Global Intelligence Network. These updates keep you apprised of global threats and let you correlate internal security activity with external threats.
- Customizable event correlation rules to let you fine-tune threat recognition and incident creation for your environment.
- Security incident creation, ticketing, tracking, and remediation for quick response to security threats. Information Manager prioritizes incidents based upon the security policies that are associated with the affected assets.
- An Event Viewer that lets you easily mine large amounts of event data and identify the computers and users that are associated with each event.
- A client-based console from which you can view all security incidents and drill down to the related event details. These details include affected targets, associated vulnerabilities, and recommended corrective actions.
- Predefined and customizable queries to help you demonstrate compliance with the security and the data retention policies in your enterprise.
- A Web-based configuration interface that lets you view and customize the dashboard, configure settings, and manage events, incidents, and tickets remotely. You can download various utilities and perform routine maintenance tasks such as backup and restore.
- The custom logs feature, which you can use with the universal collectors to collect and map information from devices for which standard collectors are not available.

See Features of Information Manager on page 22.

What's new in this release

Information Manager contains enhanced features. It also includes fixes for the known issues that existed in the previous versions.

See New features on page 21.

New features

Information Manager includes the following new features in addition to fixes for known issues:
- Symantec SIEM 9700 Series appliances
- SSIM Web Start Client
- Role-based access to the Event Query Templates
- Navigation option for Event Storage Rules list

Symantec SIEM 9700 Series appliances

Symantec SIEM 9700 Series appliances are scalable security information and event management appliances. These appliances provide reliable performance with Information Manager software. The SIEM 9700 Series is comprised of three models; the 9750, the 9751, and the Each model provides 3.9TB of redundant event storage and dedicated Remote Management Module features to allow remote management of the appliance. In addition, the 9751 and 9752 provide enterprise connectivity through 8GB Fibre Channel. Each physical appliance can be combined seamlessly with virtual appliances to ease interoperability.

For more information, see the following guides:
- Symantec SIEM 9700 Series Appliances Maintenance Guide
- Symantec SIEM 9700 Series Appliances Installation Guide
- Symantec SIEM 9700 Series Appliances Product Description Guide
- Symantec SIEM 9700 Series Appliances Hardware Troubleshooting Guide
- Symantec SIEM 9700 Series Appliances Safety Guide

See New features on page 21.

SSIM Web Start Client

By using the SSIM Web Start Client, you can now reach the Information Manager console directly without downloading and installing the Information Manager console. The Launch SSIM Web Start Client link, which is located on the logon page of the Information Manager Web configuration interface, launches the Information Manager console. You can also access this link from the Downloads option on the Home view of the Web configuration interface.

See New features on page 21.

Role-based access to the Event Query Templates

In Information Manager, an administrator can restrict a user's access to Event Query Templates. Access to Event Query Templates is controlled by the View Event Query Templates permission that is granted to a role. By default, this permission is enabled for new roles. If the View Event Query Templates permission is disabled for a role, a user who is assigned that role cannot access the Templates folder on the Events view. If the permission is enabled for a role, a user who is assigned that role can access and run the Event Query Templates.

See Enabling access to the Event Query Templates on page 46.

See New features on page 21.

Navigation option for Event Storage Rules list

A Move to top option and a Move to bottom option are now available in the Event Storage rules list. These options move a rule directly to the top or to the bottom of the list.

See New features on page 21.

Features of Information Manager

Symantec Security Information Manager 4.7 offers several new features over previous versions of Information Manager. The 4.7 release of Information Manager includes the following new features:

Information Manager is now hardware independent. You can install the Information Manager software on the hardware of your choice, subject to the minimum requirements.

To identify the critical incidents and threats in your environment, Information Manager lets you drill down into the reports and dashboards. Using the drill-down feature (available only on the client console), you can view the resources that are associated with an incident. This feature provides insight into the parts of the organization that the incident affects and background information about the implicated resources. The drill-down feature helps simplify organizing, searching, and prioritizing specific assets or sets of assets, to assist in monitoring identity and access activities. The drill-down feature is supported on the following types of queries in the reports and dashboards:
- Top N by field
- Trending for Top N by field
- Summary data queries

The Information Manager now ships with version of the Symantec Event Agent.

Active Directory Integration

This feature allows Active Directory users to access Information Manager. You can configure the Information Manager server to use Active Directory to perform user authentication.

Report Templates

Information Manager ships with report content for regulatory compliance standards. These reports can automate the collection and analysis of log data, so businesses can provide the accountability and transparency that stringent mandates and regulations require. Report Templates are available for the following categories:
- HIPAA
- NERC
- SOX
- FISMA
- UK-DPA
- PCI-DSS
- ISO
- GLBA
- MISC

Custom Log Management

Using the Custom Log Management feature, you can gather and correlate log data from applications for which no collector is available. You can analyze the received log data and adjust the fields where necessary so that Information Manager can interpret data from an application that it does not otherwise support. Information Manager provides Universal Collectors that collect the logs of such applications. You can install the Universal Collectors on the computers on which the Symantec Event Agent is installed. From the Custom Logs view on the Web configuration interface, you map the application log data that the Universal Collectors gather to the fields that are defined in the Events view in Information Manager.

Advanced Event Correlation

The Advanced Event Correlation feature lets you define and use a combination of multiple rules to correlate events, and lets you define multiple conditions in a single rule. Multi-conditioning lets you define rules that cover up to five user activities in a sequence. A conclusion is created when a sequence matching a specified pattern is detected for one combination of one-to-many fields within a specified time period. Multi-conditioning gives the correlation rules flexibility and extensibility, which significantly extends the ability of Information Manager to detect attacks and identify threats.

Event definitions with negatives are supported on the Information Manager server, so incidents can be generated based on negative occurrences: Information Manager can generate an incident when an expected event does not occur. Information Manager supports rules that create a conclusion when two user activities occur one after another in a way that can be harmful, and also rules that fire when a certain user activity does not occur after a valid user activity. Generating events based on negative occurrences extends the range of threats that Information Manager can detect.

The Information Manager server supports the following rule types:
- Lookup Table Update
- Many Sources, One Target
- Many Symantec Signatures, One Source
- Many Symantec Signatures, One Target
- Many Targets, One Event
- Many Targets, One Source
- Many to One
- Multi-condition
- Single Event
- Symmetric Traffic
- Transitive Traffic

Overview   Features of Information Manager

X not followed by X
X not followed by Y
Y not preceded by X

Trending Queries

Information Manager lets you create a new query based on trends. The Trending Queries feature gives you a breakdown of trend data for the Top N Events by Category (such as Product or Organizational Unit) over a selected time frame. For example, you can view the Top Five Event Counts by Product over the last week. The results of a trending query can be displayed as a table or as a line, bar, stacked, or multiple pie graph. You can query trends over the following time slices:

Last 5 minutes               Trend for the last five minutes, plotted for each minute of the last five minutes.
Last 10 minutes              Trend for the last 10 minutes, plotted for each minute of the last 10 minutes.
Last 15 minutes              Trend for the last 15 minutes, plotted for each minute of the last 15 minutes.
Last 30 minutes              Trend for the last 30 minutes, plotted for each minute of the last 30 minutes.
Last 45 minutes              Trend for the last 45 minutes, plotted for each minute of the last 45 minutes.
Last hour                    Trend for the last hour, plotted for each minute of the last hour.
Last 8 hours                 Trend for the last eight hours, plotted for each hour of the last eight hours.
Last 12 hours                Trend for the last 12 hours, plotted for each hour of the last 12 hours.
Last 24 hours                Trend for the last 24 hours, plotted for each hour of the last 24 hours.
Last 48 hours                Trend for the last 48 hours, plotted for each hour of the last 48 hours.
Last 7 days                  Trend for the last seven days, plotted for each day of the last seven days.
Last 14 days                 Trend for the last 14 days, plotted for each day of the last 14 days.
Last 30 days                 Trend for the last 30 days, plotted for each day of the last 30 days.
Today                        Trend for the present day, plotted for every hour.
Yesterday                    Trend for the day before today, plotted for every hour.
This week                    Trend for this week, plotted for each day of the week.
Last Week                    Trend for the last week, plotted for each day of the week.
This Month                   Trend for this month, plotted for each week of the month.
This Month (Daily Trend)     Trend for this month, plotted for each day of the month.
Last Month                   Trend for the last month, plotted for each week of the month.
Last Month (Daily Trend)     Trend for the last month, plotted for each day of the month.
This Quarter                 Trend for this quarter, plotted for each month of the quarter.
This Quarter (Weekly Trend)  Trend for this quarter, plotted for each week of the quarter.
Last Quarter                 Trend for the last quarter, plotted for each month of the quarter.
Last Quarter (Weekly Trend)  Trend for the last quarter, plotted for each week of the quarter.
This Year                    Trend for this year, plotted for each month of the year.
Last Year                    Trend for the last year, plotted for each month of the year.

Information Manager lets you back up and restore data selectively. You can select the items to back up from the various components that are available for backup. From the list of backup files, you can select the components that need to be restored, so that you restore only the data items that you require instead of restoring all of the data to an earlier state. You can also select and purge backup files. Only backup files that were selectively backed up can be purged.

About estimating system performance

To determine the performance of an Information Manager server or set of servers, consider your unique environment. Information Manager integrates with a wide range of event collectors and by nature requires settings to be customized to match each environment. The physical performance therefore depends greatly on the collectors and settings that you choose. The events per second (EPS) rates observed under optimal circumstances are provided here for general planning purposes. You can create a rough estimate of system performance from the information in these tables; however, actual performance may vary widely from these figures depending on your specific environment. Adjust your estimates over time as your policies, settings, and storage requirements are refined.

Note: The performance figures are currently being updated. An addendum to the Symantec Security Information Manager Administrator Guide will be available soon with the new performance figures.

See About Symantec Security Information Manager on page 19.
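The Trending Queries feature described above buckets Top N event counts by category at a granularity that depends on the selected time slice (per minute for "Last 5 minutes", per hour for "Last 8 hours", per day for "Last 7 days"). The following Python is an added illustration of that bucketing and is not Information Manager's own code; it covers only the relative "Last ..." slices from the table, and the event records, field names ("time", "product") and category values are constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Relative time slices from the guide, mapped to (window length, plot bucket).
# Minute slices plot per minute, hour slices per hour, day slices per day.
RELATIVE_SLICES = {
    "Last 5 minutes": (timedelta(minutes=5), timedelta(minutes=1)),
    "Last 10 minutes": (timedelta(minutes=10), timedelta(minutes=1)),
    "Last 15 minutes": (timedelta(minutes=15), timedelta(minutes=1)),
    "Last 30 minutes": (timedelta(minutes=30), timedelta(minutes=1)),
    "Last 45 minutes": (timedelta(minutes=45), timedelta(minutes=1)),
    "Last hour": (timedelta(hours=1), timedelta(minutes=1)),
    "Last 8 hours": (timedelta(hours=8), timedelta(hours=1)),
    "Last 12 hours": (timedelta(hours=12), timedelta(hours=1)),
    "Last 24 hours": (timedelta(hours=24), timedelta(hours=1)),
    "Last 48 hours": (timedelta(hours=48), timedelta(hours=1)),
    "Last 7 days": (timedelta(days=7), timedelta(days=1)),
    "Last 14 days": (timedelta(days=14), timedelta(days=1)),
    "Last 30 days": (timedelta(days=30), timedelta(days=1)),
}


def window_for(slice_name, now):
    """Return (start, end, bucket) for a relative time slice ending at `now`."""
    length, bucket = RELATIVE_SLICES[slice_name]
    return now - length, now, bucket


def trend(events, category, slice_name, now, top_n=5):
    """Top-N categories by total count inside the window, each with a
    per-bucket series (one integer per minute/hour/day) ready for plotting."""
    start, end, bucket = window_for(slice_name, now)
    n_buckets = int((end - start) / bucket)  # window is a whole number of buckets
    totals = Counter()
    series = defaultdict(lambda: [0] * n_buckets)
    for ev in events:
        ts = ev["time"]
        if not (start <= ts < end):
            continue  # outside the selected time slice
        idx = int((ts - start) / bucket)  # which minute/hour/day bucket
        key = ev[category]
        totals[key] += 1
        series[key][idx] += 1
    top = [key for key, _ in totals.most_common(top_n)]
    return {key: series[key] for key in top}


# Constructed sample: "now" is fixed so the buckets are reproducible.
NOW = datetime(2011, 6, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    {"time": NOW - timedelta(hours=7, minutes=30), "product": "Firewall A"},
    {"time": NOW - timedelta(hours=6, minutes=10), "product": "Firewall A"},
    {"time": NOW - timedelta(hours=6, minutes=5), "product": "Firewall A"},
    {"time": NOW - timedelta(minutes=20), "product": "Firewall A"},
    {"time": NOW - timedelta(minutes=1), "product": "Firewall A"},
    {"time": NOW - timedelta(hours=3), "product": "IDS B"},
    {"time": NOW - timedelta(hours=2, minutes=59), "product": "IDS B"},
    {"time": NOW - timedelta(hours=1), "product": "IDS B"},
    {"time": NOW - timedelta(hours=4), "product": "Antivirus C"},
    {"time": NOW - timedelta(hours=9), "product": "Antivirus C"},  # before the window
    {"time": NOW, "product": "Antivirus C"},                       # end is exclusive
]

if __name__ == "__main__":
    for product, counts in trend(SAMPLE_EVENTS, "product", "Last 8 hours", NOW, top_n=2).items():
        print(f"{product:12s} {counts}")
```

The window end is exclusive and the start inclusive, so an event stamped exactly at "now" falls into the next slice rather than being counted twice when the query is re-run; switching the slice to "Last 30 minutes" on the same events yields thirty one-minute buckets.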


Chapter 2   Understanding the Information Manager components

This chapter includes the following topics:

About workflow in Information Manager
About Information Manager components

About workflow in Information Manager

The Symantec Security Information Manager workflow includes the following steps:

Event collectors gather events from Symantec and third-party point products.
See About Event Collectors and Information Manager on page 163.

Events are filtered and aggregated.
See Configuring event filtering on page 197.
See Configuring event aggregation on page 200.

Symantec Event Agent forwards both the raw and the processed events to the Information Manager server.
See About forwarding events to an Information Manager server on page 241.
See Activating event forwarding on page 245.

The Information Manager server stores the event data in event archives.
See About event archives on page 210.

The Information Manager server correlates the events with threat and asset information based on the various correlation rules.
See About the Correlation Manager on page 115.

Information Manager security events trigger a correlation rule and create a security incident.

About Information Manager components

Symantec Security Information Manager has the following components:

Security products and devices
See About security products and devices on page 31.

Event collectors
See About event collectors on page 31.

Information Manager servers
See About Information Manager servers on page 32.

Global Intelligence Network
See About the Symantec Global Intelligence Network on page 32.

Web service
See About the Information Manager Web service on page 32.

Figure 2-1   Components in an Information Manager setup

About security products and devices

The security products and devices in your enterprise can generate overwhelming amounts of security data. Many firewalls can generate over 500 GB of security data per day; intrusion detection systems can trigger over 250,000 alerting incidents per week. Most security products store event data in a proprietary format that is accessible only by the tools that the security products provide. To secure your enterprise effectively, you need to collect, normalize, and analyze the data from all parts of your enterprise.

See About Information Manager components on page 30.

About event collectors

Event collectors gather security events from a variety of event sources, such as databases, log files, and syslog applications. Event collectors translate the event data into a standard format, and optionally filter and aggregate the events. The event collectors then send the events to Symantec Security Information Manager. You can also configure event collectors to send the event data in its original format.

You install event collectors either on the security product computer or at a location with access to the security product events. To facilitate installation and setup, event collectors for third-party firewalls are preinstalled on the Information Manager server. After an event collector is registered with Information Manager, you can configure its settings from the Information Manager console. The event collector settings include the event source specification and any event filter or aggregation rules.

Symantec provides event collectors for the following types of products:

Firewalls
Routers, switches, and VPNs
Intrusion detection and prevention systems
Vulnerability scanners
Web servers, filters, and proxies
Databases
Mail and groupware
Enterprise antivirus
Microsoft authentication services
Windows and UNIX system logs

For access to the extensive library of event collectors, visit Symantec support at the following Web site:

See About Information Manager components on page 30.

About the Symantec Global Intelligence Network

Information Manager has access to current vulnerability, attack pattern, and threat resolution information from the Threat and Vulnerability Management Service. The Symantec Global Intelligence Network powers the Threat and Vulnerability Management Service. The Symantec Global Intelligence Network is a comprehensive collection of vendor-neutral security data sources. The service is an authoritative source of information about known and emerging vulnerabilities, threats, risks, and global attack activity.

See About Information Manager components on page 30.

About the Information Manager Web service

The Web service of Symantec Security Information Manager lets you securely access and update the data that is stored on a server. You can use the Web service to publish event, asset, incident, ticket, and system setting information. You can also use the Web service to integrate Information Manager with help desk, inventory, or notification applications.

See About Information Manager components on page 30.

For more information on interfacing your application with the Web service, see the application documentation or your application vendor.

About Information Manager servers

Symantec Security Information Manager is hardware independent. You can install the Information Manager server on any approved hardware that meets the minimum system requirements. You can deploy one or more Information Manager servers in various roles to satisfy the event gathering, archiving, and event correlation requirements for your enterprise.

To account for traffic variation, a single Information Manager is recommended only for a security environment that generates up to 1,000 events per second (EPS) on average and that requires a maximum of 4 MB to 8 MB per day of event data storage. To increase the overall event processing rate, you can add multiple load-sharing Information Managers to your deployment. You can configure each server for dedicated event collection, event archiving, or event correlation. In most cases, a combination of multiple servers that share the event and incident processing load is preferred.

See About Information Manager components on page 30.


Section 2   Managing roles, permissions, users, and organizational units

Chapter 3. Managing roles and permissions
Chapter 4. Managing users and user groups
Chapter 5. Managing organizational units and computers
Chapter 6. Configuring a service provider


Chapter 3   Managing roles and permissions

This chapter includes the following topics:

About managing roles
About working with permissions

About managing roles

A role is a group of access rights for a product. Users who are members of a role have access to the event viewing and management capabilities that are defined for that role. A user can be a member of more than one role.

See About planning for role creation on page 38.

You create new roles in the Symantec Security Information Manager console. When you click Roles on the System view of the console, you can perform the following tasks:

Create a role.
See Creating a role on page 40.

Edit role properties.
See Editing role properties on page 48.

Delete a role.
See Deleting a role on page 55.

Note: Only members of the SES Administrator role and the Domain Administrator role can add or modify roles.

See About the administrator roles on page 39.

About planning for role creation

Roles control user access; therefore, plan carefully before you create roles. You need to identify the tasks that are done in your security environment and who performs them. The tasks determine the type of roles that you must create. The users who perform these tasks determine which users should be members of each role.

See About managing roles on page 37.

Consider the following issues:

Who allocates responsibilities within your security environment? If these users need to create roles, they must be members of the Domain Administrator role.

Who administers your security network by creating management objects such as users and organizational units? These users must be members of the roles that provide management access and the ability to access the System view.

Which products are installed, and who is responsible for configuring them? These users must be members of management roles for the products for which they are responsible. They may need access to the System view only.

Who is responsible for monitoring events and incidents? These users must be members of event viewing roles for the products for which they are responsible. Users who monitor events must have access to the Events view. Users who monitor incidents must have access to the Events view and the Incidents view.

Who responds to problems and threats? These users must have access to the Events view and the Incidents view. Users who create and manage help desk tickets must also have access to the Tickets view.

Table 3-1 lists the common roles in a security environment and the responsibilities that belong to each role.

Table 3-1   Typical roles and responsibilities

Role name              Responsibilities
Domain Administrator   Defines the user roles and role authority.
System Administrator   Manages Information Manager. Verifies that events flow into the system and that the system functions normally.
User Administrator     Creates the correlation rules and collection filters. Performs the user and the device administration.
Information Manager    Views all incidents, events, reports, and actions.
Report Writer          Views the incidents, events, and reports for assigned devices. Reviews and validates incident response. Provides the affirmation of incident review and response by administrators to GAO and others.
Report User            Views the events and reports for assigned devices.
Rule Editor            Creates, edits, and deploys rules.

About the administrator roles

When you install Information Manager, the following default administrator roles are created:

SES Administrator      This role has full authority over all of the domains in the environment.
Domain Administrator   This role has full authority over one specific domain in the environment.

If you have only one domain, the rights of the SES Administrator role and the Domain Administrator role are the same. If you have multiple domains (for example, one for each geographic region of your company), each domain has a Domain Administrator. Members of this role can perform functions such as creating users and additional roles within that domain. The SES Administrator role can perform these functions for all of the domains that you configure.

The default user, administrator, is also created when Information Manager is installed. The administrator is automatically a member of the SES Administrator and Domain Administrator roles. To access Information Manager for the first time, you must log on as this default user. The password for the administrator user account is specified at the time of installation.

You can add users to the administrator roles, but you cannot change any other characteristics of these roles.

If a user is a member of the SES Administrator role, that user should not be assigned to any other roles.

See Editing role properties on page 48.

Creating a role

You can create roles by using the Role Wizard in the Information Manager console. Only a user who has either the Domain Administrator role or the SES Administrator role can create roles.

See About planning for role creation on page 38.

Note: If the Role members will have access to all archives option is selected, role members can access new archives automatically. If the Role members will have access to only the selected archives option is selected, role members cannot access new archives automatically.

To create a role

1  In the Information Manager console, click System.

2  On the Administration tab, in the left pane, navigate to the relevant domain, and click Roles.

3  On the toolbar, click + (the plus icon).

4  In the first panel of the Role Wizard, click Next.

5  In the General panel, do the following, and click Next:
   In the Role name text box, type a name for the role.
   In the Description text box, type a description of the role (optional).

6  In the Products panel, do one of the following:
   To give the role members access to all of the listed products, click Role members will have access to all products, and click Next.
   To limit the role members' access to certain products, click Role members will have access to only the selected products and select the appropriate products. Then click Next.
   Symantec Security Information Manager is checked by default in the Product List.

7  In the SSIM Permissions panel, do one of the following:
   To give role members all permissions that apply to Information Manager, click Enable all Permissions, and click Next.
   To give role members a limited set of permissions, click Enable specific Permissions. From the permissions list, uncheck the permissions that you do not want to enable, and click Next.

8  In the Console Access Rights panel, do one of the following:
   To give role members the ability to see all parts of the Information Manager console, click Role members will have all console access rights, and click Next.
   To limit what role members can see when they display the console, click Role members will have only the selected console access rights. From the list, enable at least one of the console access rights, and click Next.
   See Modifying Information Manager console access rights on page 47.

9  In the Organizational Units panel, do one of the following:
   To give role members access to all organizational units, click Role members will have access to all organizational units, and click Next.
   To give role members access to specific organizational units, click Role members will have access to only the selected organizational units. In the organizational unit tree, select at least one organizational unit to associate with this role, and click Next.
   When you select an organizational unit that contains additional organizational units, users of the role are also given access to those additional organizational units.
   If you add an organizational unit to a role, the following users can see the events that are generated by the security products:
   Users who are role members
   Users who have event viewing access
   These users can view only those events that are generated by the security products that are installed on the computers of that organizational unit. Role members can see events only from computers in the organizational units that have been added to their roles.

10 In the Servers panel, do one of the following:
   To give role members access to all of the Information Manager servers in your security environment, click Role members will have access to all servers, and click Next.
   To limit role members' access to certain servers, click Role members will have access to only the selected servers. In the server tree, select at least one server to associate with this role, and click Next.
   Members of the role can modify configurations on the selected servers. The role members can also view event archives that reside on the selected servers.

11 In the Members panel, do one of the following:
   To add individual users to the role now, click Add Members. In the Find Users dialog box, add one or more users from the Available Users list to the Selected Users list, and click OK. In the Members panel, click Next.
   To add the users who are members of a specific user group, click Add Members From Groups. In the Find User Groups dialog box, add one or more user groups, and click OK. The users that are associated with the groups you selected are added to the Selected Users list. When you are finished, click Next.
   To continue without adding users to the role, click Next. You can add users to the role later by editing the role's properties.
   See Adding a user to a role on page 43.
   You can also associate a role with a user by editing the user's properties. You can assign users to a role only if you have already created those users.
   See Creating a new user on page 63.

12 In the Role Summary panel, review the information that you have specified, and click Finish.
   The role properties that are created are shown in the list at the bottom of the panel. A green check mark next to a task indicates that it was successfully completed.

13 Click Close.

Editing role properties

After you create a role in Information Manager, you can modify it by editing its properties. For example, as you create new organizational units or users, you can add them to existing roles. You can edit the properties of a role by selecting the role in the right pane. You can also edit the role properties from any dialog box that displays the role's properties.

To edit role properties

1  On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.

2  In the right pane, right-click the role to edit, and select Properties.

3  Use the Editing Role Properties dialog box to make changes to the role.

4  To save changes and close the dialog box, click OK.

See Adding a user to a role on page 43.
See Modifying Information Manager console access rights on page 47.
See Modifying product access rights on page 44.
See Modifying server access rights on page 48.
See Modifying access permissions in roles on page 49.

Adding a user to a role

When a user logs on to Information Manager, the user's role membership determines the user's access to the various products and event data.

You can assign a user to a role in the following ways:

Assign each user individually to one or more roles.

Assign users to groups, and assign user groups to roles. When you assign a user group to a role, all of the users who are currently in the group are assigned to that role. However, if you later add more users to the user group, those users are not automatically added to the role. You must assign each such user to the role individually.

Note: Before you assign users and user groups to roles, you must create the users and user groups in the Directory.

See Creating a new user on page 63.
See Creating a user group on page 65.

To add a user to a role

1  On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.

2  In the right pane, right-click the role to edit, and select Properties.

3  In the Editing Role Properties dialog box, in the left pane, click Members.

4  Click Add Members.

5  In the Find Users dialog box, in the list of available users, search for a user within a domain or a user group. You can also search for a user by entering the logon name, last name, or first name, and then clicking Start Search. All of the users who meet the criteria you entered appear in the available users list. Select a user name (or Ctrl + click multiple user names), and click Add. The user name appears in the Selected users list.

6  To view or edit the properties of a user, click the user name, and click Properties.

7  In the User Properties dialog box, view or make changes to the properties, and click OK.

8  In the Find Users dialog box, click OK.

9  In the Editing Role Properties dialog box, click OK.

To add a user group to a role

1  On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.

2  In the right pane, right-click the role to edit, and select Properties.

3  In the Editing Role Properties dialog box, in the left pane, click Members.

4  Click Add Members From Groups.

5  In the Find User Groups dialog box, select the domain of the group from the drop-down list.

6  In the list of available user groups, click a user group name (or Ctrl + click multiple user group names), and click Add. The user group name appears in the Selected user groups list.

7  To view or edit the properties of a user group, click the user group name, and click Properties.

8  In the User Group Properties dialog box, view or make changes to the properties, and click OK.

9  In the Find User Groups dialog box, click OK.

10 In the Editing Role Properties dialog box, click OK.

See Editing role properties on page 48.

Modifying product access rights

The Products property lets you select and modify the products to which role members have access.

To modify product access rights

1  On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.

2  In the right pane, right-click the role to edit, and select Properties.

3  In the left pane, click Products.

4  Do one of the following:
   To give the role members access to all of the listed products, click Role members will have access to all products.

   To limit the role members' access to specified products, click Role members will have access to only the selected products. Enable (check) or disable (uncheck) access to individual products in the list.
   Consider the tasks that role members perform as you select products from the list. Modifying access permissions in roles describes the access requirements of typical enterprise security roles.

5  Click OK.

See Editing role properties on page 48.

Modifying SIM permissions

Use the SIM Permissions property to enable or disable the various types of Information Manager permissions that are assigned to a role.

See About managing roles on page 37.

To modify SIM permissions

1  On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.

2  In the right pane, right-click the role to edit, and select Properties.

3  In the left pane, click SIM Permissions.

4  Do one of the following:
   To assign all Information Manager permissions to the role, click Enable all Permissions.
   To limit the permissions that are assigned to the role, click Enable specific Permissions. Then click the check boxes as needed to enable or disable permissions for the role.

5  Click OK.

Table 3-2 lists the permissions that the users who perform specific functions need.

About the Bypass Event RBAC option

When you create or modify a role, you can choose to enable the Bypass Event RBAC option. Bypass Event RBAC gives unrestricted access to all of the event archives to which the user's role has been granted access. When a user with this role performs an event query, the query bypasses any additional permission settings based on Organizational Unit, Domain, or Product settings. The query returns a complete data set from the archives to which the user has been given access. Enabling Bypass Event RBAC improves query performance by reducing the set of permission criteria against which the query must be processed.

See About managing roles on page 37.

Enabling access to the Event Query Templates

The View Event Query Templates permission in a role controls access to the Templates folder in the Events view. If this permission is enabled for a role, a user who is assigned the role can access the Event Query Templates.

For example, the Information Manager administrator creates two roles, IncidentAnalyst and EventAnalyst. The View Event Query Templates permission is disabled for the IncidentAnalyst role and enabled for the EventAnalyst role. The IncidentAnalyst role is assigned to user A and the EventAnalyst role is assigned to user B. In the Events view, user A, who has the IncidentAnalyst role, cannot view the Event Query Templates. User B, who has the EventAnalyst role, can view the Event Query Templates and run the corresponding queries.

You can edit existing roles to enable the View Event Query Templates permission.

To enable the View Event Query Templates permission for existing roles

1  In the Information Manager console, click System.

2  On the Administration tab, in the left pane, navigate to the relevant domain, and click Roles.

3  In the right pane, right-click the role that you want to edit, and select Properties.

4  In the Editing Role Properties dialog box, select SIM Permissions.

5  Click Enable specific permissions.

6  From the permissions list, check View Event Query Templates.

7  Click Save, and then click OK.

By default, this permission is enabled for new roles. While creating a role, you can disable the View Event Query Templates permission for the new role: select the Enable specific permissions option in the SIM Permissions panel, and then uncheck View Event Query Templates.

See Creating a role on page 40.
See Role-based access to the Event Query Templates on page 22.

Modifying Information Manager console access rights

Console access rights control the views that a role member can access after logging on to the Information Manager console. You can modify the console access rights that you assigned when you created the role. Based on the console access rights, the corresponding views of the console are visible to the role members whenever they log on to Information Manager.

To modify console access rights

1  On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.

2  In the right pane, right-click the role to edit, and select Properties.

3  In the left pane, click Console Access Rights.

4  Do one of the following:
   To give members of the role the ability to see all components of the Information Manager console, click Role members will have all console access rights.
   To limit what members of the role can see when they display the Information Manager console, click Role members will have only the selected console access rights. From the list that appears, enable or disable console access rights as you want.

   The following table describes the tiles (views in the Information Manager console) that are available to members:

   Show Assets Tile         Displays the Assets view in the console.
   Show Dashboard Tile      Displays the Dashboard view in the console.
   Show Events Tile         Displays the Events view in the console.
   Show Incidents Tile      Displays the Incidents view in the console.
   Show Intelligence Tile   Displays the Intelligence view in the console.
   Show Reports Tile        Displays the Reports view in the console.
   Show Rules Tile          Displays the Rules view in the console.
   Show Statistics Tile     Displays the Statistics view in the console.
   Show System Tile         Displays the System view in the console.
   Show Tickets Tile        Displays the Tickets view in the console.

   Modifying access permissions in roles lists the console access rights that the users who perform specific functions need.

5  Click OK.

See Editing role properties on page 48.

Modifying server access rights

Use the Servers property to select the servers to which role members have access. The selections for this property determine the servers that the role members can see in the following console locations:

The Testing tab on the Rules view, which can be used to test a specific rule.
The servers and archives that are available for each query on the Events view.
The Server Configurations tab on the System view.

To modify server access rights

1  On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.

2  In the right pane, right-click the role to edit, and select Properties.

3  In the left pane, click Servers.

4  Do one of the following:
   To give role members access to all Information Manager servers in the network configuration, click Role members will have access to all servers.
   To limit role members' access to certain servers, click Role members will have access to only the selected servers. In the server tree, select at least one server to associate with this role, and click OK.

See Editing role properties on page 48.

Modifying access permissions in roles

Roles include the permissions that determine the types of access (for example, Read and Delete) that a role member has. Based on these permissions, a role member can use the corresponding functions of the Information Manager console. Permissions are assigned to roles per function, and the users who belong to those roles can perform tasks accordingly.

You can change the access permissions for the following types of objects:

Container objects that were created when you installed Information Manager, such as organizational units.
The new objects that you create within the container objects.

When you view the properties of a role, you can view and modify the permissions by selecting tabs in the Editing Role Properties dialog box.

Warning: Permission modification is an advanced feature. You should customize permissions only if you have a clear understanding of how access control works.

See About working with permissions on page 55.

Table 3-2 describes the access requirements of typical enterprise security roles.
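The access checks described in Creating a role (steps 9 and 10), About the Bypass Event RBAC option and this section combine three things: the archives (servers) a role may read, the organizational units a role has been given (including units nested under a selected unit), and the products a role covers. The Python below is an added model of how an event query is filtered under those rules, written for this guide rather than taken from Information Manager itself; the role and event structures, the "archive-hq"/"Corp/EMEA" style names and the counter of evaluated criteria are constructed for the example, and a user holding several roles is assumed to see an event if any one role grants it.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ALL = None  # stands for the wizard's "Role members will have access to all ..." choice


@dataclass(frozen=True)
class Role:
    name: str
    archives: Optional[FrozenSet[str]]   # Servers panel: archives the role may read, or ALL
    org_units: Optional[FrozenSet[str]]  # Organizational Units panel: OU paths, or ALL
    products: Optional[FrozenSet[str]]   # Products panel: products, or ALL
    bypass_event_rbac: bool = False      # SIM Permissions panel: Bypass Event RBAC


@dataclass(frozen=True)
class Event:
    archive: str
    org_unit: str    # full OU path such as "Corp/EMEA/London" (constructed convention)
    product: str
    summary: str


def in_org_unit(event_ou: str, granted_ou: str) -> bool:
    """An OU added to a role also covers every OU nested beneath it."""
    return event_ou == granted_ou or event_ou.startswith(granted_ou + "/")


def role_allows(role: Role, ev: Event, stats: dict) -> bool:
    """Decide whether one role lets its members see one event."""
    # Archive (server) access is enforced for every role, bypass or not.
    if role.archives is not ALL and ev.archive not in role.archives:
        return False
    if role.bypass_event_rbac:
        return True  # no OU or product criteria are evaluated at all
    stats["criteria_checked"] += 1
    if role.org_units is not ALL and not any(
            in_org_unit(ev.org_unit, granted) for granted in role.org_units):
        return False
    if role.products is not ALL and ev.product not in role.products:
        return False
    return True


def query_events(events, roles) -> Tuple[List[Event], int]:
    """Events visible to a user holding `roles` (any one role may grant an
    event), plus the number of OU/product criteria evaluations the query cost."""
    stats = {"criteria_checked": 0}
    visible = [ev for ev in events if any(role_allows(r, ev, stats) for r in roles)]
    return visible, stats["criteria_checked"]


# Constructed sample events and roles, not product data.
SAMPLE_EVENTS = [
    Event("archive-hq", "Corp/EMEA", "Firewall", "denied inbound connection"),
    Event("archive-hq", "Corp/EMEA/London", "IDS", "signature match"),
    Event("archive-hq", "Corp/AMER", "Firewall", "firewall policy changed"),
    Event("archive-dr", "Corp/EMEA", "Firewall", "denied inbound connection"),
]
EMEA_FIREWALL = Role("EMEA Firewall Analyst", frozenset({"archive-hq"}),
                     frozenset({"Corp/EMEA"}), frozenset({"Firewall"}))
HQ_BYPASS = Role("HQ Archive Reader", frozenset({"archive-hq"}),
                 frozenset({"Corp/EMEA"}), frozenset({"Firewall"}),
                 bypass_event_rbac=True)

if __name__ == "__main__":
    for roles in ([EMEA_FIREWALL], [HQ_BYPASS], [EMEA_FIREWALL, HQ_BYPASS]):
        visible, checks = query_events(SAMPLE_EVENTS, roles)
        print([r.name for r in roles], len(visible), "events,", checks, "criteria checks")
```

The bypass role returns every event from archive-hq, including the London IDS event and the AMER event that the OU and product criteria would have excluded, and does so with zero criteria evaluations; that is both the performance gain and the reason the option widens what a role member can see, which is worth weighing before enabling it on a role that also has narrow OU or product selections.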

Table 3-2 Access requirements for roles

Role: SES Administrator and Domain Administrator
Products: All
Symantec Security Information Manager permissions: All
Console access: All
Access permissions: All
Note: You cannot modify access permissions of the SES Administrator and Domain Administrator roles.

Role: System Administrator
Products: Information Manager
Symantec Security Information Manager permissions: Allow Asset Edits; Move Computers
Console access: Show Dashboard Tile; Show Intelligence Tile; Show Statistics Tile; Show System Tile
Access permissions: Read and Search on Published/System Query groups

Role: User Administrator
Products: All
Symantec Security Information Manager permissions: Allow Dashboard Auto Refresh; Move Computers; Allow Asset Edits; Manage Networks; Manage Policies; Manage Services
Console access: Show Assets Tile; Show Dashboard Tile; Show Intelligence Tile; Show Rules Tile; Show System Tile
Access permissions: Read and Search on Published/System Query groups; Read and Write on users and user groups; Read and Write on rules and roles

Role: Information Manager
Products: Information Manager
Symantec Security Information Manager permissions: Create Incidents; Write My Incidents; Write All Incidents; Change Assignee and Team on My Incidents; Change Assignee and Team on All Incidents; Change Assignee/Team to self or own team on unassigned incidents; Change Status My Incidents; Change Status All Incidents; Read My Incidents; Read All Incidents; Read Unassigned Incidents; View Event Query Templates; Create new queries; Create new reports; Publish queries; Publish reports; Allow Dashboard Auto Refresh; Move Computers; Allow Asset Edits; Manage Networks; Manage Policies; Manage Services
Console access: Show Assets Tile; Show Dashboard Tile; Show Events Tile; Show Incidents Tile; Show Intelligence Tile; Show Reports Tile; Show Tickets Tile
Access permissions: Read and Write on Published/System Query groups. In addition, Read and Write on Report groups based on the Symantec Security Information Manager permissions that are granted to the role.

Role: Report Writer
Products: Information Manager
Symantec Security Information Manager permissions: Write My Incidents; Write All Incidents; Change Assignee and Team on My Incidents; Change Assignee and Team on All Incidents; Change Assignee/Team to self or own team on unassigned incidents; Change Status My Incidents; Change Status All Incidents; Read My Incidents; Read All Incidents; Read Unassigned Incidents; Create new queries; Create new reports; Publish queries; Publish reports; Allow Dashboard Auto Refresh; Move Computers; Allow Asset Edits; Manage Networks; Manage Policies; Manage Services
Console access: Show Dashboard Tile; Show Events Tile; Show Incidents Tile; Show Intelligence Tile; Show Reports Tile; Show Tickets Tile
Access permissions: Read and Write on Published/System Query groups; Read and Write on Report groups

Role: Report User
Products: Information Manager
Symantec Security Information Manager permissions: Create new queries; Create new reports; Allow Dashboard Auto Refresh
Console access: Show Dashboard Tile; Show Events Tile; Show Reports Tile
Access permissions: Read and Search on Published/System Query groups; Read and Write on Report groups

Role: Rule Editor
Products: Information Manager
Symantec Security Information Manager permissions: Create new queries
Console access: Show Events Tile; Show Rules Tile; Show Statistics Tile
Access permissions: Read and Write on Rules and Roles; Read and Search on Published/System Query groups; Read and Search on Report groups

Note: When a role's access permissions to a Published Query Group or a System Query Group are changed, the role's database permissions may be incorrectly modified. If a user cannot view queries on the Events view, it may be because the user's role lacks the necessary database permissions. To correct this problem, do the following:

- Log on as a Domain Administrator or SES Administrator and open the Editing Role Properties dialog box for the user's role.
- On the DataStores tab, check the role's database permissions.
- If the role does not have both Read and Search permissions, add the missing permissions.

See To modify access permissions in roles on page 53.

To modify access permissions in roles

1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.
2 In the right pane, right-click the role to edit, and select Properties.
3 In the Editing Role Properties dialog box, in the left pane, click the type of permissions to modify. For example, to change the role members' directory permissions, choose Directories.
4 When you finish setting permissions, click OK.

See Editing role properties on page 48.

Using examples of modifying permissions in roles

You can modify permissions for the following purposes, among others:

- To hide a query group from members of a role. When members of this role open the Query Chooser on the dashboard, they cannot see the restricted query group in the query tree.

- To hide all users from members of a role. When members of this role view the System view, they do not see users in the left pane.
- To prevent role members from adding and deleting user groups. Role members can view and modify user groups, but they cannot add and delete user groups.

See About permissions on page 56.

To hide a query group from members of a role

1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.
2 In the right pane, right-click the role to restrict, and select Properties.
3 In the left pane, click System Query Groups.
4 Click Add.
5 In the Find System Query Groups window, select Product Queries.Symantec Client Security, and click Add.
6 Click OK.
7 On the Product Queries.Symantec Client Security row, uncheck Read and Search.
8 Click OK.

Members of this role cannot view Symantec Client Security queries. If a role member selects System Queries > Product Queries in the Query Chooser on the dashboard, the role member cannot view Symantec Client Security in the tree.

To hide all users from members of a role

1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.
2 In the right pane, right-click the role to restrict, and select Properties.
3 In the left pane, click Users.
4 Under Default permissions for all users, uncheck all permission types (for example, Read and Add).
5 Click OK.

When role members click Users in the left pane of the System view, they see only their own details in the right pane. Other users are not listed.

To prevent role members from adding and deleting user groups

1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.
2 In the right pane, right-click the role to restrict, and select Properties.
3 In the left pane, click User Groups.
4 On the top line of permissions, check Read, Write, and Search. Make sure that Add and Delete are not checked.
5 Click OK.

Role members can view, search, and modify all user groups in the domain. They cannot create new user groups or delete user groups.

Deleting a role

You can delete roles when they are no longer in use. Before you delete a role, you can view the properties of the role to ensure that none of your users requires it.

To delete a role

1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.
2 In the right pane, right-click the role to delete, and select Properties.
3 Review the role properties to make sure that no users require this role.
4 Click Cancel.
5 If you still want to delete the role, on the toolbar, click - (the minus symbol). A message warns you that all members of the selected role will be removed. The user accounts themselves are not deleted, but those users no longer have access to the role.
6 In the confirmation dialog box, click Yes to delete the role.

See About managing roles on page 37.

About working with permissions

Permissions define the access that members of a role have to specific objects. Along with other role properties, permissions control what users can see and do when they log on to the Information Manager console.

As with roles, you can work with permissions only if you are a member of the SES Administrator or Domain Administrator role. The permissions of objects are defined initially when you create roles and when you create new objects. You can then modify the permissions to fine-tune your roles.

Warning: You should customize permissions only if you have a clear understanding of how access control works in the security (LDAP) directory.

See About permissions on page 56.

About permissions

Permissions are always associated with roles and are applied when a member of a role logs on to the console. Table 3-3 shows the permissions that role members can have to view and work with objects.

Table 3-3 Object permissions

Read: Lets the role members see the attributes of objects. Read must be enabled for the other access permissions to work.
Write: Lets the role members modify objects.
Add: Lets the role members create a new child object within the selected container.
Delete: Lets the role members delete objects.
Search: Lets the role members search the database or the LDAP directory for objects. Search must be enabled for the other access permissions to work.

The following objects have permissions:

Container objects: Container objects are created when the Datastore (database) and Directory are installed. These objects contain all of the new objects that you create.

In the console, container objects appear in the left pane of the Administration tab on the System view. Examples of the container objects that have permissions are users, user groups, roles, and organizational units.

Objects that you create within container objects: When you create new objects to represent your security environment, they are stored within the container objects. On the System view, the objects that you create appear in the right pane when you select their container object in the left pane. For example, when you select Users in the left pane, the individual users that you have created within the Users container are displayed. These created objects are sometimes known as child or leaf objects.

You must understand the relationship between the permissions of container objects and the permissions of the objects you create within these containers.

See About the propagation of permissions on page 57.

About the propagation of permissions

As you create new management objects, it is important to understand the relationship between the permissions of container objects and the permissions of the objects you create within these containers. In most cases, the permissions of a container object propagate to all new objects that you create within the container. When you create new objects on a role-by-role basis, the current permissions of the container object are propagated to the new objects.

For example, in Role A, on the Users tab, you disable Write permission for the Users container. In Role B, you disable Delete permission for the Users container. When you create new users, members of Role A do not have Write permission, so they cannot modify the properties of the new users. Members of Role B do not have Delete permission, so they cannot delete the new users.

However, consider a user who is assigned to two roles, A and B, where Role A has Add access for users and Role B does not. In this case, the user can add new users: the permissions of Role A take precedence over the permissions of Role B.
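The three rules stated here and in Table 3-3 (a permission granted by any one of a user's roles is held, Read and Search are prerequisites for the other permissions, and a container's permissions are copied to a new object only at creation time) are easier to check in code than to reason through by hand. The following Python model is an added example written for this guide's text; it is not Symantec code, and its ManagedObject class, the dict-of-sets ACL that stands in for the LDAP directory and database, and the role names Role A, Role B and Role C are assumptions used for illustration.

```python
"""Model of how Information Manager object permissions combine and propagate.

Added illustration, not product code. The in-memory dict-of-sets ACL stands
in for the product's LDAP directory and database (an assumption). Rules:

  * Union across roles: a member of several roles holds a permission on an
    object if any one of those roles grants it.
  * Gating: Read and Search must be enabled for the other permissions to
    work, so Write, Add or Delete without both of them is ineffective.
  * Propagation at creation only: an object created inside a container copies
    the container's current per-role permissions; later changes to the
    container do not reach objects that already exist.
"""
from dataclasses import dataclass, field

PERMISSIONS = frozenset({"Read", "Write", "Add", "Delete", "Search"})
GATE = frozenset({"Read", "Search"})


@dataclass
class ManagedObject:
    """A container such as Users, or a created (child) object inside one."""
    name: str
    acl: dict = field(default_factory=dict)       # role name -> set of permissions
    children: dict = field(default_factory=dict)  # child name -> ManagedObject

    def grant(self, role, *perms):
        unknown = set(perms) - PERMISSIONS
        if unknown:
            raise ValueError(f"unknown permissions: {sorted(unknown)}")
        self.acl.setdefault(role, set()).update(perms)

    def revoke(self, role, *perms):
        self.acl.setdefault(role, set()).difference_update(perms)

    def create_child(self, name):
        # Propagation happens here and only here: the child takes a copy of
        # the container's permissions as they are at this moment.
        child = ManagedObject(name, {r: set(p) for r, p in self.acl.items()})
        self.children[name] = child
        return child


def effective_permissions(obj, roles):
    """Permissions a member of all of `roles` actually has on `obj`."""
    granted = set()
    for role in roles:
        granted |= obj.acl.get(role, set())     # union: any one role suffices
    if GATE <= granted:
        return granted
    return granted & GATE                        # Write/Add/Delete cannot work


def ineffective_grants(obj):
    """Roles holding Write, Add or Delete on obj without both Read and Search."""
    return sorted(role for role, perms in obj.acl.items()
                  if perms - GATE and not GATE <= perms)


def propagation_demo():
    """Walk through the Role A / Role B scenario described in the guide."""
    users = ManagedObject("Users")
    users.grant("Role A", "Read", "Search", "Add", "Delete")   # Write disabled
    users.grant("Role B", "Read", "Search", "Write")           # Delete and Add disabled
    alice = users.create_child("alice")                        # copies both roles' ACL

    results = {
        "a_can_write_alice": "Write" in effective_permissions(alice, ["Role A"]),
        "b_can_delete_alice": "Delete" in effective_permissions(alice, ["Role B"]),
        # A member of both roles: Role A's Add wins over Role B's lack of it.
        "ab_can_add_users": "Add" in effective_permissions(users, ["Role A", "Role B"]),
        "ab_can_write_alice": "Write" in effective_permissions(alice, ["Role A", "Role B"]),
    }

    # Change the container after alice exists: alice keeps her copied ACL;
    # only objects created from now on see the change.
    users.revoke("Role A", "Delete")
    bob = users.create_child("bob")
    results["a_can_delete_alice_after_change"] = "Delete" in effective_permissions(alice, ["Role A"])
    results["a_can_delete_bob"] = "Delete" in effective_permissions(bob, ["Role A"])

    # Write without Read: granted on paper, but it cannot take effect.
    users.grant("Role C", "Write")
    results["roles_with_ineffective_grants"] = ineffective_grants(users)
    results["c_can_write_users"] = "Write" in effective_permissions(users, ["Role C"])
    return results


if __name__ == "__main__":
    for key, value in propagation_demo().items():
        print(f"{key}: {value}")
```

Running propagation_demo() shows that a member of Role A cannot write alice and a member of Role B cannot delete her, that a member of both roles can add users, that revoking Delete on the Users container after alice was created leaves her permissions unchanged while bob, created afterwards, is affected, and that ineffective_grants() flags a role that holds Write without Read and Search, which is the audit check to run before relying on a customized role.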

Note: Most roles should have at least Read and Search permissions for all objects. These permissions allow role members to view information about the objects and perform searches for the objects. For example, if you enable Write access for a container object and disable Read access, the role members cannot modify the objects, because they cannot view the objects.

Propagation occurs only when you create new objects. For example, you may create several users and assign them to Role A before you disable the Write permission in Role A. The Write permission is not disabled for those original users unless you disable it explicitly for the existing users of Role A.

See About permissions on page 56.

Modifying permissions from the Permissions dialog box

You can use the following methods to modify permissions:

- Edit the role using the Editing Role Properties dialog box. Use this method to modify permissions for several objects within one role. See Modifying access permissions in roles on page 49. You can edit the permissions of software products and their configurations through the Products tab on the Editing Role Properties dialog box.
- Use the Permissions dialog box for a particular object. Use this method to modify the permissions for a specific object.

Note: Some objects do not have permissions.

To modify permissions for a container object

1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain.
2 In the left pane, right-click the container object (for example, Users) and select Permissions. In the Permissions dialog box, roles are listed if they have already been assigned to this object. Some container objects do not have permissions.
3 Do any of the following:
- To modify permissions for this object, check (enable) or uncheck (disable) the permissions corresponding to the listed roles, as needed.

You should not disable the Search permission.
- To add a role to this object, click Add. In the Find Roles dialog box, select a role, then click Add, and click OK. The role you added appears in the Permissions dialog box, where you can then enable or disable its permissions.
- To remove a role, click the role name, and click Remove.
- To edit a role's properties, click the role name, and click Properties.
4 Click OK when you finish modifying permissions.

To modify permissions for a created object

1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain.
2 In the left pane, click the container that contains the created object. For example, click Users.
3 In the right pane, right-click the object whose permissions you want to modify, and select Permissions. In the Permissions dialog box, roles are listed if they have already been assigned to this object. Some created objects do not have permissions, such as Policies.
4 Do any of the following:
- To modify permissions for this object, check (enable) or uncheck (disable) the permissions corresponding to the listed roles, as needed. You should not disable the Search permission.
- To add a role to this object, click Add. In the Find Roles dialog box, select a role, then click Add, and click OK. The role you added appears in the Permissions dialog box, where you can then enable or disable its permissions.
- To remove a role, click the role name, and click Remove.
- To edit a role's properties, click the role name, and click Properties.
5 Click OK when you finish modifying permissions.


Chapter 4 Managing user and user groups

This chapter includes the following topics:

- About users and passwords
- Creating a new user
- Creating a user group
- About editing user properties
- About modifying user permissions
- Modifying a user group
- Deleting a user or a user group
- Customizing the password policy

About users and passwords

The Symantec Security Information Manager server uses accounts from Linux and the IBM DB2 Service. Both types of accounts use the password that is specified during installation. The default password is password.

By default, the installation program creates the following Linux accounts:

root: Default Linux administrative account
simuser: Used by the Information Manager text console process

sesuser: Used by the HTTP and the Tomcat processes
db2admin: Used by the database process
dasusr1: Used for the DB2 Admin Tools database
symcmgmt: Used by the database process

Warning: For security, change the Linux passwords periodically, according to your company's security policy. The password for all Linux accounts must be changed using the Change Password option (available under Settings > Passwords) in the Web configuration interface. Do not change these account passwords or permissions with standard Linux commands, because doing so may result in errors in server operation.

The password for the symcmgmt Linux account cannot be changed from the Web configuration interface. It can be changed by using the standard Linux commands. This password change must be followed by an update in the Information Manager console under System > Administration > Data Stores.

See Changing the password for Linux accounts on page 309.
See Changing the password for symcmgmt Linux account on page 310.

Usually, you are not required to create new Linux accounts. However, you may want to create an account with limited permissions to a file share to allow a user or process to copy LDAP backups. Refer to your Linux documentation for information on how to create Linux accounts.

By default, the installation program also creates the administrator account in the IBM LDAP directory. This account is used initially for logging in to the Information Manager console and the Information Manager Web configuration interface. With the proper permissions, you can also create new LDAP directory accounts for users who use the Information Manager console and Web configuration interface. These accounts are for the administrators of your security products, contacts for notifications, or both. Users who are administrators are members of the roles that define their administrative permissions.
All users who need access to the Information Manager console must be members of one or more roles. If a user tries to log on to the console using an account that is not a member of a role, an error message is displayed. Users who only receive notifications do not have to be members of a role. See Creating a new user on page 63.

See About editing user properties on page 66.
See About modifying user permissions on page 72.
See Deleting a user or a user group on page 74.
See Creating a user group on page 65.
See Modifying a user group on page 73.

Creating a new user

Use the Create a new User wizard to create a user. The wizard prompts you for the required information that the user needs to log on to Symantec Security Information Manager. It also lets you specify notification information, permissions, and other user properties. You can provide all the information at the time that you create the user. Alternatively, you can provide only the required information and add more information later by editing the user's properties.

See About editing user properties on page 66.

To create a new user

1 In the console of the Information Manager client, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Users.
3 On the toolbar, click + (the plus symbol) or right-click the Users node and select New.
4 In the first panel of the Create a new User wizard, click Next.
5 In the General panel, do the following:
Logon name: Type the logon name for the new user.
Last name: Type the user's last name.
First name: Type the user's first name.
The other fields on this panel are optional. Click Next after you enter the details.

6 In the Password panel, type a password in the Password text box and type the same characters in the Confirm password box. Click Next. The password that you choose must comply with the policy settings chosen by the administrator. The password is case sensitive. Green check marks under Password rules indicate that your password meets the requirements.
7 (Optional) In the Business panel, specify business information for the user, and click Next. See Specifying user business and contact information on page 67.
8 (Optional) In the Contact Information panel, specify contact information for the user, and click Next.
9 (Optional) In the Notifications panel, specify email addresses and pager numbers for the user, and times when those contacts can be used for notifications. Click Next. See Specifying notification information on page 70.
10 In the Roles panel, you can assign the user to one or more roles that define the user's permissions, and click Next. You can also assign or change a user's roles later. A new user cannot log on unless a role is assigned to the user. See Managing role assignments and properties on page 68. You must create roles before you can assign users to roles. See Creating a role on page 40.
11 In the UserGroups panel, you can assign the user to one or more user groups, and click Next. You can also assign users to groups later. See Managing user group assignments on page 69. You must create user groups before you can assign users to groups. If no groups appear on the Find User Groups panel, you have not yet created any groups. See Creating a user group on page 65.
12 In the User Summary panel, review the information that you have specified, and click Finish. The user properties that are created are shown in the task status list at the bottom of the panel. A green check mark next to a task indicates that it was successfully completed.
13 Click Close.

Creating a user group

After you create users, you can assign them to groups. User groups are particularly useful when you have large numbers of users who need to have the same system roles. You can assign an entire user group to a role. All of the users in the group inherit the rights and the permissions that are assigned to that role. Implementing user groups also facilitates the auto-assignment of incidents, using correlation rules.

The Create a new User Group wizard enables you to create user groups and add users to the groups. You can assign users at the time you create a group, or you can add users to the group later.

Note: If you create a user group and assign it to a role, the users who are currently in the group are assigned to that role. However, if you later add more users to the user group, those users are not automatically added to the role. You must assign each user to the role individually.

To create a user group

1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and click User Groups.
3 On the toolbar, click + (the plus symbol).
4 In the first panel of the Create a new User Group wizard, click Next.
5 In the General panel, type a name and (optional) description for the user group, and click Next.
6 In the Members panel, click Add. In the Find Users dialog box, the Available Users list shows all users for the domain, up to the number of users that the Maximum search count text box indicates.
7 Select one or more users from the Available Users list, and click Add. The users appear in the Selected users list.
8 If you want to review information about a specific user, click the user name, and click Properties. You can view or change the user's properties, and click OK.
9 When you finish adding users to the group, click OK.
10 In the Members panel, click Next.

11 In the User Group Summary panel, click Finish. Properties for the created user group are shown in the task status list at the bottom of the panel. A green check mark next to a task indicates that it was successfully completed.
12 Click Close.

See Modifying a user group on page 73.

About editing user properties

User properties are the attributes that can be added for a user when you create a new user or edit the user properties. User properties include general information about the user, the change password facility, and the roles that can be assigned to the user. User properties also include the user group to which a user can be assigned, business and contact information about the user, and contact methods and a schedule for alert notifications.

After you create a user, you can edit the user properties to perform the following tasks:

- Change a user's password. See Changing a user's password on page 66.
- Specify user business and contact information. See Specifying user business and contact information on page 67.
- Assign roles to a user. See Managing role assignments and properties on page 68.
- Assign a user to a user group. See Managing user group assignments on page 69.
- Specify contact methods and schedule for alert notifications. See Specifying notification information on page 70.

Changing a user's password

Passwords can be changed in the following ways:

- Users can change their own passwords by using the Change Password option on the Tools menu in the Information Manager console.
- Administrators can change a user's password by editing the user's properties.

To change a user's password

1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Users.

3 In the right pane, right-click the user whose password you want to change, and select Properties.
4 In the User Properties dialog box, on the Password tab, in the Password text box, type a new password. The password that you choose must comply with the policy settings that the administrator chooses.
5 In the Confirm password text box, type the password again to confirm it.
6 Click OK.

See About editing user properties on page 66.

Specifying user business and contact information

In the User Properties dialog box, the Business tab and the Contact Information tab let you supply detailed information about the user. You can specify this information when you create a user or by editing an existing user's properties.

See About editing user properties on page 66.

To specify user business and contact information

1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Users.
3 In the right pane, right-click the user whose information you want to change, and select Properties.
4 In the User Properties dialog box, on the Business tab, type the business information for the user.
5 To identify the user's manager, click the browse button (...) next to the Manager text box to display the Find Users dialog box. The manager must exist as a user in the LDAP directory.
6 In the Find Users dialog box, select the user who is the manager, and click OK. The Available users list shows all users for the domain, up to the number of users that the Maximum search count text box indicates.
7 To identify the user's administrative assistant, click the browse button (...) next to the Administrative assistant text box. In the Find Users dialog box, select the administrative assistant. The administrative assistant must exist as a user in the LDAP directory.

8 On the Contact Information tab, type the contact information for the user.
9 Click OK.

Managing role assignments and properties

The roles that a user is assigned define the user's permissions in the console. Roles are product-specific and are created as one or both of the following:

- Roles that allow the management of policies and configurations for a product. Users who are members of these roles can change the security configurations of an integrated product and distribute them to specific computers and organizational units.
- Roles that allow the viewing of the events that a product generates. Users who are members of these roles can view alerts and events for a product, and create alerts and customized reports.

Note: You must be a member of the Domain Administrator role to make a user a member of a role. Also, the role must exist in the LDAP directory before you can add a user to the role.

See Creating a role on page 40.

To manage role assignments and properties

1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Users.
3 In the right pane, right-click the user whose information you want to change, and select Properties.
4 In the User Properties dialog box, on the Roles tab, click Add.
5 In the Find Roles dialog box, from the Look in drop-down list, select the domain in which to find the role. Users can have access to roles in multiple domains.
6 In the Available roles list, select one or more roles, and click Add. The Find Roles dialog box displays a list of roles only if you are a member of the Domain Administrator role.
7 Click OK.

8 To remove a user from a role, click the role name and click Remove. This action does not remove the role from the LDAP directory.
9 To view or edit the properties of a role, click the role name and click Properties.
10 (Optional) Use the Editing Role Properties dialog box to make changes to the role. See Editing role properties on page 48.
11 Click OK until you return to the System view.

Managing user group assignments

You can modify the composition of a user group by adding users to the group and removing users from the group. You can also view and modify user group properties. You can manage user group assignments in the following ways:

- Manage one user's assignments by adding the user to, or removing the user from, one or more user groups.
- Manage a single user group by adding or removing multiple users at one time.

See About editing user properties on page 66.

To manage a single user's user group assignments

1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Users.
3 In the right pane, right-click the user whose user group assignment you want to manage, and select Properties.
4 In the User Properties dialog box, on the User Groups tab, click Add.
5 In the Find User Groups dialog box, from the Look in drop-down list, select the domain in which to find the user group.
6 In the Available user groups list, select one or more user groups, and click Add. The user groups that you selected appear in the Selected user groups list.
7 Click OK.
8 To remove a user from a user group, click the user group name and click Remove. This action does not remove the user group from the LDAP directory.

9 To view or edit the properties of a user group, click the user group name and click Properties.
10 (Optional) Use the User Group Properties dialog box to make changes to the user group. For example, you can add members to the group and remove users from the group.
11 Click OK until you return to the System view.

To manage multiple users' user group assignments

1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and click User Groups.
3 In the right pane, right-click the user group whose membership you want to manage, and select Properties.
4 In the User Group Properties dialog box, on the Members tab, click Add.
5 In the Find Users dialog box, from the Look in drop-down list, select the domain in which to find the users.
6 In the Available users list, select one or more users, and click Add. The users that you selected appear in the Selected users list.
7 Click OK.
8 To remove a user from a user group, click the user name and click Remove. This action does not remove the user from the LDAP directory.
9 To view or edit the user's properties, click the user name and click Properties.
10 (Optional) Use the User Properties dialog box to make changes to the user.
11 Click OK until you return to the System view.

Specifying notification information

When you create custom correlation rules, you can identify users to notify when particular incidents or alerts occur.

See Creating custom correlation rules on page 136.

For each user, you can specify the email addresses and pager numbers that are used to send these notifications. You can also specify when the user is notified. For example, you can specify one email address to be used Monday through Friday from 8:00 A.M. to 5:00 P.M., and a pager to be used during off-hours. You can specify the following:

- Email addresses

Pager numbers
The days and the time ranges when the contact method can be used to send the user notifications of alerts.

Note: The number of email addresses and pager numbers cannot exceed five for a single rule.

To specify a user's email address

1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Users.
3 In the right pane, right-click the user whose email address you want to change, and select Properties.
4 In the User Properties dialog box, on the Notifications tab, in the drop-down list, click Email.
5 Click Add.
6 In the Email dialog box, in the address text box, type an email address.
7 If the user receives email on a device with a small screen, such as a handheld device, check Send shortened message. This option sends an abbreviated message that is easier to read.
8 Click OK.
9 (Optional) Specify notification times.
10 Do any of the following:
    To add additional email addresses, repeat steps 5 through 9.
    To edit an existing email address, click it and click Properties.
    To remove an existing email address, click it and click Delete.
11 When you finish, click OK.

To specify a user's pager number

1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Users.
3 In the right pane, right-click the user whose pager number you want to change, and select Properties.
4 In the User Properties dialog box, on the Notifications tab, in the drop-down list, click Pager.
5 Click Add.
6 In the Pager dialog box, in the Number text box, type a pager number.
7 In the Notification service drop-down list, select the notification service to use. If you do not see the service that you want to select, you can add it using the Paging Services node. This node is located in the left pane of the System view.
8 Click OK.
9 (Optional) Specify notification times.
10 Do any of the following:
    To add more pager numbers, repeat steps 5 through 8.
    To edit an existing pager number, click it and click Properties.
    To remove an existing pager number, click it and click Delete.
11 Click OK.

To specify notification times

1 In the User Properties dialog box, on the Notifications tab, click an email address or pager number.
2 Using the Day controls, check the days when the contact method can be used to contact the user.
3 Using the From and To controls, specify the range of time when the contact method can be used.
4 Repeat these steps to establish notification times for other email addresses and pager numbers.
5 When you finish, click OK.

About modifying user permissions

When you create a role, permissions are assigned for each user with regard to that role. These permissions control whether role members who log on to the console can view, modify, or delete the user.

You can modify these permissions in the following ways:

By displaying and editing the roles that contain the permissions.

See Modifying access permissions in roles on page 49.

By displaying the Permissions dialog box for the User container object or an individual user. See Modifying permissions from the Permissions dialog box on page 58.

Note: To modify permissions, you must be logged on as a member of the Domain Administrator role.

Modifying a user group

You can modify a user group by adding and removing members, and by changing the user group name and description. You can also modify individual group members' properties.

To modify a user group

1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then click User Groups.
3 In the right pane, right-click the user group to modify, and click Properties.
4 On the General tab, add or change the user group's name and description.
5 On the Members tab, you can do the following:
    Add members: Click Add. In the Find Users dialog box, select one or more users from the Available Users list, and click Add. When you finish adding members, click OK.
    Remove members: Select the member name, and click Remove.
    Modify a member's properties: Select the member name, and click Properties. In the User Properties dialog box, use the tabs to modify the properties of individual user group members. When you finish modifying properties, click OK.
6 Click OK.

See Creating a user group on page 65.

Deleting a user or a user group

You can delete users who are no longer participants in your security network. You can also delete the user groups that are no longer needed.

See Creating a new user on page 63.
See Creating a user group on page 65.

To delete a user or a user group

1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Users or User Groups.
3 In the right pane, right-click the user or the user group to delete, and click Delete.
4 In the confirmation dialog box, click Yes.

Customizing the password policy

Information Manager includes the ability to enforce strong password requirements for all users. As an administrator, you can customize the password policy for Information Manager to match the password standards that apply to your environment. You must provide the LDAP cn=root password to change the password settings.

When the password policy changes, users whose existing passwords do not comply with the new policy are prompted to change their password at the next logon.

Note: When you enable the EAL4 password policy and a user locks their account on the same day that they change their password, you cannot reset the password for 24 hours. This behavior is a result of the value that is defined for the Minimum time between password changes (seconds) setting, which is set to 24 hours in the EAL4 password policy. This behavior is expected due to the strict EAL4 password policy definition. If you do not want to enable the EAL4 policy, you can choose the Custom password policy option, change the Minimum time between password changes (seconds) setting to a lower value, and save the configuration.

You can configure the password policy by using any of the following methods:

Default: The default settings that Information Manager uses.
EAL4: The settings that comply with Evaluation Assurance Level 4 (EAL4) standards.
Custom: User-defined settings. Note: If you choose this column but do not change any settings, clicking Save reverts to the policy that was previously enabled.

To change the Information Manager password policy

1 Log on to the Web configuration interface using administrator credentials, and click Settings > Password. In the tree pane, click Password Policy.
2 In the LDAP cn=root Password field, type the password, and click Enter Admin Mode.
3 In the User Password Settings and Administrator Password Settings tables, choose the type of password management you want to use. If you choose Custom, configure each option, and check Password policy enabled.
4 Click Save.
5 Click Leave Admin Mode.

See About users and passwords on page 61.

Chapter 5 Managing organizational units and computers

This chapter includes the following topics:

About organizational units
About managing organizational units
About managing computers within organizational units

About organizational units

Organizational units are a useful way to structure your security environment in Symantec Security Information Manager. Before you create organizational units, it is important that you understand your security network and create a security plan.

See About managing organizational units on page 77.

Organizational units let you group the computers and servers that you manage. You can then add configurations for the Information Manager components that may be installed on those computers. These capabilities enable the distribution of the configurations to all computers and servers in the organizational unit.

About managing organizational units

On the Administration tab of the System view, select Organizational Units to perform the following tasks:

Create a new organizational unit. See Creating a new organizational unit on page 78.
Edit organizational unit properties. See Editing organizational unit properties on page 80.
Delete an organizational unit. See Deleting an organizational unit on page 80.

Creating a new organizational unit

Organizational units are logical groupings. You can create them to organize the computers that are in the same physical location or that belong to structural groups within your corporation: for example, divisions or task groups. However, an organizational unit is not required to reflect these relationships.

See About organizational units on page 77.

You can create all the organizational units that you require at a single level, or you can create a hierarchy of nested organizational units. The combined length of the distinguished name of an organizational unit must be no longer than 170 bytes. Keep in mind that some characters, such as accented characters or Japanese characters, take more space to store. The distinguished name of an organizational unit is a concatenation of the names that precede it in the hierarchy. Therefore, nesting organizational units with long names can exceed this limit. A screen message informs you if you exceed the limit.

To create a new organizational unit

1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Organizational Units.
3 Take one of the following actions:
    To create a new organizational unit at the top level of the tree, click + (the plus icon) on the toolbar. Go to step 5.
    To create a new organizational unit within an existing organizational unit, expand the organizational unit tree and select the level that you want. Then click + (the plus icon) on the toolbar. Go to step 4.
4 In the Computer or Organizational Unit dialog box, click Organizational Unit, and click OK.
5 In the first panel of the Create a new Organizational Unit wizard, click Next.
6 In the General panel, do the following:
    In the Organizational Unit Name text box, type a name for the organizational unit.
    (Optional) In the Description text box, type a description of the organizational unit.
7 Click Next.
8 In the Organizational Unit Summary panel, review the information that you have specified, and click Finish.
9 Click Close.

About determining the length of the organizational unit name

Information Manager imposes limits on the length of the name of an organizational unit. It also imposes limits on the total length of the distinguished name that is stored in the LDAP directory. These limits become important when you nest organizational units.

See About organizational units on page 77.

The distinguished name for a nested organizational unit includes the following:

The name you give the organizational unit when you create it
The names of each organizational unit that precedes it in the hierarchy
The name of the top node in the organizational unit tree
The name of the domain within which you create the organizational unit hierarchy
Additional bytes of overhead

You can view the distinguished name of an organizational unit by looking at the organizational unit's properties.

The maximum length of the name you assign in the Create a new Organizational Unit wizard is 64 UTF-8 bytes. For the Roman character set, this means that the name cannot exceed 64 characters. Some characters take more space to store. For example, accented characters take two bytes to store, and Japanese characters take three or four bytes to store. When these characters are used, fewer characters are allowed in the name.

Information Manager adds other information for internal use to the distinguished name. Therefore, the maximum recommended length of the distinguished name of an organizational unit in the security directory is 170 bytes. If a distinguished name is longer than 256 characters, performance issues occur.

Table 5-1 describes how to calculate the UTF-8 byte length of the distinguished name of the organizational unit.
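The following worked example is added here and is not code from the guide or from the product. It implements the Table 5-1 formulas and checks a planned organizational unit against the 64-byte name limit and the 170-byte recommended distinguished-name limit stated above, counting UTF-8 bytes so that accented and Japanese characters take more than one byte each. It assumes that the sum in the OU formula runs over every organizational unit on the nesting path; the sample hierarchy at the bottom is constructed, not taken from the guide.

```python
from __future__ import annotations

# Added worked example; not code from the Symantec guide or product.
# Limits and overhead constants are the ones the text and Table 5-1 give.
OU_NAME_MAX_BYTES = 64            # limit on the name typed in the wizard
DN_RECOMMENDED_MAX_BYTES = 170    # recommended limit on the stored DN
PER_COMPONENT_OVERHEAD = 4        # the "4 +" in both Table 5-1 formulas
DOMAIN_OVERHEAD_BYTES = 17        # Table 5-1, domain name formula
OU_OVERHEAD_BYTES = 13            # Table 5-1, OU name formula


def utf8_len(text: str) -> int:
    """Bytes the string occupies in UTF-8 (an accented letter is 2, a kanji is 3)."""
    return len(text.encode("utf-8"))


def domain_name_length(domain: str) -> int:
    """sum(4 + domain component length) + 17 bytes; 'usa.ses' gives 31."""
    components = domain.split(".")
    return (sum(PER_COMPONENT_OVERHEAD + utf8_len(c) for c in components)
            + DOMAIN_OVERHEAD_BYTES)


def ou_dn_length(domain: str, ou_path: list[str]) -> int:
    """sum(4 + OU name length) over the nesting path + domain length + 13 bytes.

    ou_path lists the organizational units from the top of the tree down to
    the unit being created, e.g. ["Sales", "Paris"]. A single ["Paris"] under
    usa.ses gives 4 + 5 + 31 + 13 = 53, the figure in Table 5-1; nesting it
    under Sales adds Sales's own 4 + 5 bytes (assumed reading of the sum).
    """
    return (sum(PER_COMPONENT_OVERHEAD + utf8_len(name) for name in ou_path)
            + domain_name_length(domain) + OU_OVERHEAD_BYTES)


def check_new_ou(domain: str, ou_path: list[str]) -> dict:
    """Evaluate the last unit in ou_path against the name and DN limits."""
    if not ou_path:
        raise ValueError("ou_path must name at least one organizational unit")
    name_bytes = utf8_len(ou_path[-1])
    dn_bytes = ou_dn_length(domain, ou_path)
    return {
        "name_bytes": name_bytes,
        "name_ok": name_bytes <= OU_NAME_MAX_BYTES,
        "dn_bytes": dn_bytes,
        "dn_ok": dn_bytes <= DN_RECOMMENDED_MAX_BYTES,
    }


if __name__ == "__main__":
    # Constructed sample hierarchy: five nested units with 30-character Roman
    # names each pass the 64-byte name check, yet the DN exceeds 170 bytes.
    deep = ["Abcdefghijklmnopqrstuvwxyz0123"] * 5
    for domain, path in [("usa.ses", ["Paris"]),
                         ("usa.ses", ["Sales", "Paris"]),
                         ("usa.ses", ["Ventes", "Caf\u00e9"]),
                         ("usa.ses", deep)]:
        result = check_new_ou(domain, path)
        print(" / ".join(path), result)
```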

Table 5-1 Determining the organizational unit name length

Name string: Domain name length
Formula and example: sum(4 + domain component name length) + 17 bytes. Example: usa.ses. 4 + length(usa) + 4 + length(ses) + 17 bytes overhead, or 4 + 3 + 4 + 3 + 17 = 31 bytes.

Name string: Organizational unit (OU) name length
Formula and example: sum(4 + OU name length) + domain name length + 13 bytes. Example: Paris OU under the Sales OU in the usa.ses domain. 4 + length(Paris) + domain name length + 13 bytes overhead, or 4 + 5 + 31 + 13 = 53 bytes.

Editing organizational unit properties

You can modify an existing organizational unit's description. You cannot change the name or the distinguished name of the organizational unit.

See About organizational units on page 77.

To edit organizational unit properties

1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and expand the Organizational Units navigation tree.
3 Right-click the name of the organizational unit to edit, and click Properties.
4 In the Organizational Unit Properties dialog box, change the description.
5 When you finish, click OK.

Deleting an organizational unit

Before you can delete an organizational unit, you must move or delete all computers that belong to the organizational unit.

See Moving a computer to a different organizational unit on page 93.
See Deleting a computer from an organizational unit on page 94.

Note: When you delete an organizational unit, all of the organizational units that are below it in the navigational structure are also deleted.

To delete an organizational unit

1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and expand the Organizational Units navigation tree.
3 Right-click the name of the organizational unit to delete, and click Delete.
4 To confirm that you want to delete the organizational unit and its subgroups, click Yes.

About managing computers within organizational units

Organizational units contain computer objects that represent the computers that run your security products.

Note: The term computer covers a variety of equipment, from traditional desktop computers to servers and handheld devices. In the context of the Information Manager console, a computer is any device that you manage as part of your enterprise security environment.

Computers are placed in organizational units in the following ways:

When an agent is installed. When you install Symantec Event Agent on a computer, the computer is represented as a computer object within an organizational unit. Symantec Event Agent is added to the default organizational unit. You can move the agent to a different organizational unit later.
When you create the computer using the Create a new Computer wizard. You can use this method to create computers other than the agent computers.

Note: Do not create a computer using the wizard if you plan to install the Symantec Event Agent on the computer at a later time. If you do, a duplicate instance of the computer is added to the LDAP directory.

A computer can belong to only one organizational unit at a time. However, based on the requirements of your network, you can easily move computers from one organizational unit to another.

When you select a computer in the right pane, you can perform the following tasks:

Create computers within organizational units. See Creating computers within organizational units.
Edit computer properties. See About editing computer properties.
Move a computer to a different organizational unit. See Moving a computer to a different organizational unit.
Modify computer permissions. See About modifying computer permissions.
Delete a computer from an organizational unit. See Deleting a computer from an organizational unit.

Creating computers within organizational units

Computers are defined in the LDAP directory as part of the organizational units in which you create them. If you delete a computer from an organizational unit, it is permanently removed from the LDAP directory.

See About managing computers within organizational units on page 81.

To create a computer within an organizational unit

1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and expand the Organizational Units navigation tree.
3 Right-click the name of the organizational unit, and click New > Computer.
4 In the first panel of the Create a new Computer wizard, click Next.
5 In the General panel, do the following, and click Next:
    In the Computer name text box, type the computer name.
    (Optional) In the Description text box, type a description.
6 In the Information panel, do one of the following:
    Type information in some or all of the optional text boxes, and click Next.
    Supply the information later by editing the computer's properties.
7 In the Identification panel, do one of the following:
    Provide the host name, IP addresses, and MAC addresses of the computer, and click Next.
    Provide the identification information later by editing the computer's properties.
8 In the Configurations panel, do one of the following:
    To directly associate configurations with the computer, click Add. When you are finished, click Next.
    Add configurations later by editing the computer's properties.
9 In the Computer summary panel, review the information that you have specified, and click Finish.
10 Click Close.

About editing computer properties

The computer properties that you can view and change depend on whether Symantec Event Agent is installed on the computer.

If the computer has Symantec Event Agent, you can associate configurations with the computer and view the services running on the computer. However, you cannot change the identification information for the computer.

See Editing the agent computer on page 83.
See Viewing the services running on a computer on page 91.

If the computer does not have an agent, you can edit the network identification information for the computer. However, you cannot view the services running on the computer.

See Editing a computer that does not have an agent on page 84.
See Providing identification information for a computer on page 85.

Editing the agent computer

When a computer has an agent installed, most of the identification information about the computer is captured during the installation. You can learn about the computer by viewing the information that the agent provides. This information includes the state of the services running on the computer and the computer's heartbeat status. You can also specify configurations to be associated with the computer. If the computer is an Information Manager server, you can add access to other domains.

To edit the agent computer

1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and expand the Organizational Units navigation tree.
3 Click the name of the organizational unit that contains the computer to be edited.
4 In the right pane, right-click the name of the computer, and click Properties.
5 In the Computer Properties dialog box, on the General tab, you can type a new description.
6 On the Information tab, you can modify the Primary Owner and Owner contact information text boxes. The remaining information is provided during the agent installation.
7 On the Configurations tab, do any of the following:
    To directly associate configurations with the computer, click Add. See Associating configurations directly with a computer on page 86.
    To remove a configuration, select it, and click Remove.
    To view a configuration's properties, select it, and click Properties. See About agent configurations on page .
8 You can view information on any of the following tabs:
    On the Identification tab, view the host name, IP addresses, and MAC addresses of the computer.
    On the Services tab, view information about the services running on the computer. See Viewing the services running on a computer on page 91.
9 Click OK.

Editing a computer that does not have an agent

When you create a computer using the Create a New Computer wizard, you can modify most of the computer's properties. Services are reported only if an agent is installed on the computer.

To edit a computer that does not have an agent

1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and expand the Organizational Units navigation tree.
3 Click the name of the organizational unit that contains the computer to be edited.
4 In the right pane, right-click the name of the computer, and click Properties.
5 In the Computer Properties dialog box, on the General tab, you can type a new description.
6 On the Information tab, modify the text boxes as you want. To enable the Other OS Type text box, select OTHER from the operating system type drop-down list.
7 On the Identification tab, change the host name and add or remove IP addresses and MAC addresses, as needed. See Providing identification information for a computer on page 85.
8 On the Configurations tab, do any of the following:
    To directly associate configurations with the computer, click Add. See Associating configurations directly with a computer on page 86.
    To remove a configuration, select it, and click Remove.
    To view a configuration's properties, select it, and click Properties.
9 On the Services tab, view information about the services running on the computer. See Viewing the services running on a computer on page 91.
10 Click OK.

Providing identification information for a computer

After you create a computer using the Create a new Computer wizard, you can provide the network identification information for the computer by editing its properties. When you create a computer by installing a collector, the identification information is supplied automatically by the installation.

See About editing computer properties on page 83.

To provide identification information for a computer

1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and expand the Organizational Units navigation tree.
3 Click the name of the organizational unit that contains the computer to be edited.
4 In the right pane, right-click the name of the computer, and click Properties.
5 In the Computer Properties dialog box, on the Identification tab, in the Host name text box, type an FQDN or a DNS host name.
6 To add an IP address, under IP addresses, click Add.
7 In the IP addresses dialog box, type the IP address of the computer, and click OK.
8 If the computer has multiple network interface cards, repeat steps 6 and 7 for each IP address.
9 To add a MAC address, under MAC addresses, click Add.
10 In the MAC addresses dialog box, type the MAC address of the computer, and click OK. The MAC address must consist of six hexadecimal pairs.
11 If the computer has multiple network interface cards, repeat steps 9 and 10 for each MAC address.
12 Click OK.

Associating configurations directly with a computer

Configurations control the behavior of Information Manager components. To distribute configurations to a computer, you can associate a configuration with the computer. You can then distribute the configuration either immediately or at a later date, depending on your needs.

See About editing computer properties on page 83.

The following table defines each of the available configurations that can be associated directly with a computer.

Note: Only those configurations that are shipped with the default installation of Information Manager are listed here. If additional collectors or products are added to your Information Manager, the configurations list may be different.

Symantec Event Agent and Manager Manager Configurations
    Contains the common Information Manager server settings, which may affect one or more components on an Information Manager server. For example, configuration settings define which directory service and database the server should use.

Symantec Event Agent and Manager Manager Component Configurations
    Contains the settings for services within the Information Manager server, such as the event logging subsystem or the configuration service.

Symantec Event Agent and Manager Manager Connection Configurations
    Lets you control how failover is performed from the Information Manager server to the directory service and from the Information Manager server to the database.

Symantec Event Agent and Manager Agent Connection Configurations
    Sets the agent to Information Manager server failover. Failover is the ability of Information Manager components to automatically switch to designated secondary resources if the primary resource fails or terminates abnormally.

Symantec Event Agent and Manager Agent Configurations
    Lets the agent communicate with the corresponding Information Manager server. These configurations include which primary and secondary server to connect to and how to get configuration information and report inventory. In addition, they include how these computers should receive LiveUpdate information.

Symantec Critical System Protection Event Collector
    Configures Symantec Critical System Protection Event Collector to collect DB sensor data from various platforms.

LiveUpdate 1.0 LiveUpdate
    Configures LiveUpdate to obtain software updates for the various software components of Information Manager, such as event collectors, relays, security content, rules, and filters.

LiveUpdate 1.0 Java LiveUpdate
    Configures Java LiveUpdate to obtain software updates for the various software components of Information Manager, such as event collectors, relays, security content, rules, and filters.

ISS SiteProtector Event Collector
    Configures the Internet Security Systems RealSecure SiteProtector Event Collector to collect DB sensor data from various platforms.

Check Point Firewall 1 Event Collector
    Configures Check Point FireWall-1 Event Collector to collect OpsecLea sensor data from various platforms.

Cisco ASA Event Collector
    Configures Cisco ASA Event Collector to collect Syslog sensor data from various platforms.

Generic Syslog Event Collector
    Configures Generic Syslog Event Collector to collect Syslog sensor data from various platforms.

Juniper NSM Event Collector
    Configures Juniper Networks NetScreen Security Manager Event Collector to collect Syslog sensor data from various platforms.

Juniper Netscreen Firewall Event Collector
    Configures Juniper NetScreen Event Collector to collect Syslog sensor data from various platforms.

Snare for Windows Event Collector
    Configures Snare for Windows Event Collector to collect Syslog sensor data from various platforms.

Snort Syslog Event Collector
    Configures Snort Event Collector to collect SyslogFile sensor data from various platforms.

Symantec Endpoint Protection 11.0 Event Collector
    Configures Symantec Endpoint Protection 11.0 Event Collector to collect DB sensor data from various platforms.

Symantec Endpoint Protection State 11.0 Event Collector
    Configures Symantec Endpoint Protection State 11.0 Event Collector to collect DB sensor data from various platforms.

Symantec Security Information Manager Local Event Collector
    Configures the Information Manager Local Event Collector to collect SyslogFile sensor data. The Local Event Collector tracks the events that the Linux operating system that runs Information Manager generates. Examples include ssh commands and wrong password entries.

Syslog Director
    Configures Syslog Director.

Universal Logfile Event Collector
    Configures the Universal Logfile Event Collector to collect events from the products that log to text files.

UNIX OS Event Collector
    Configures UNIX OS Event Collector to collect syslog data from various platforms. In addition, the UNIX Event Collector collects data from ISC BIND9, Linux iptables, and the Linux Audit daemon AUDITD.

Universal Syslog Event Collector
    Configures the Universal Syslog Event Collector to collect events from the products that log events by using the Syslog protocol.

Universal Event Collector for Microsoft Windows Vista
    Configures Universal Event Collector for Microsoft Windows Vista to collect events from Microsoft Windows Vista, Windows Server 2008, and Windows 7 event logs.

Universal Event Collector for Microsoft Windows
    Configures Universal Event Collector for Microsoft Windows to collect events from Microsoft Windows event logs.

Qualys Guard Event Collector
    Configures QualysGuard Event Collector to collect QualysGuard sensor data from various platforms.

For more details about the collectors, refer to the specific collector guides.

To associate configurations directly with the computer

1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and expand the Organizational Units navigation tree.

90 90 Managing organizational units and computers About managing computers within organizational units 3 Click the name of the organizational unit that contains the computer that you want to edit. 4 In the right pane, right-click the name of the computer, and click Properties. 5 In the Computer Properties dialog box, on the Configurations tab, click Add. 6 In the Find Configurations dialog box, in the Look-in drop-down list, select the product whose configurations you want to associate with the computer. The configurations are displayed in the Available configurations list. See Associating configurations directly with a computer on page In the Available configurations list, select a configuration, and click Add. The selected configuration is listed in the Selected configuration list. If the computer already contains a configuration, and you now select a different configuration, the new configuration replaces the old one. 8 To select a configuration for a different product, repeat steps 6 and 7. 9 When you finish adding configurations, click OK. 10 In the Computer Properties dialog box, do one of the following: To remove a configuration, select it, and click Remove. To view a configuration s properties, select it, and click Properties. 11 Click OK. Making a computer a member of a configuration group In addition to belonging to an organizational unit, a computer can be a member of a configuration group. Configuration groups are used to distribute special configurations to their member computers. A computer can belong only to one configuration group. To make a computer a member of a configuration group 1 In the Information Manager console, on the System tab, in the left pane, expand the Organizational Units navigational tree until you can select the organizational unit containing the computer that you want to edit. 2 In the right pane, select the computer. 3 On the Selection menu, click Properties. 
4 In the Computer Properties dialog box, on the Configuration Groups tab, click Add.

5 In the Available Configuration Groups list, select a configuration group. If the computer is already a member of a configuration group, the configuration group you select here replaces the original configuration group.
6 Click Add.
7 Click OK.
8 On the Configuration Groups tab, do any of the following, as needed:
- To remove a computer from configuration group membership, select the configuration group, and click Remove.
- To view a configuration group's properties, select it, and click Properties.
9 Click OK.

Viewing the services running on a computer

You can view information about the services running on a computer: for example, which configurations are in use and whether the configurations are up to date. See About editing computer properties on page 83.

To view the services running on a computer
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and expand the Organizational Units navigation tree.
3 In the left pane, select the organizational unit that contains the computer whose services you want to view.
4 In the right pane, right-click the computer name, and click Properties.
5 In the Computer Properties dialog box, on the Services tab, review the In Sync column to determine whether the correct configurations are in use. If the value for a specific service is Yes, the current configuration and the expected configuration are synchronized; that is, they are identical. If the value for a specific service is No, the configurations are not synchronized. Double-click the row to view the information on the Configuration tab of the Service Properties dialog box. You may need to distribute the latest configurations to this computer.
6 Take any of the following actions:

- In the Computer Properties dialog box, to notify the computer that it should download new configurations, click Distribute. Then click Yes to confirm your intention to distribute configurations.
- To refresh the Computer Properties dialog box display, click Refresh.
- Click Details to open the Service Properties dialog box and view the details of services.
7 When you finish, click OK.

Distributing configurations to computers in an organizational unit

Information Manager includes a Distribute option, which sends a message to all the computers in an organizational unit to check for new configurations. When a computer receives this message, it contacts Information Manager to request a download of the configurations. See About managing computers within organizational units on page 81.

Using the Distribute feature is optional. When you change a product configuration or move a computer to a different organizational unit, the change is distributed when you click Save.

You can do the following to distribute configurations to computers in an organizational unit:
- You can distribute the configurations that are associated with an organizational unit to all computers that belong to the organizational unit.
- You can select specific computers to receive the latest configurations.

Note: The timing of configuration distribution varies depending on the amount of Information Manager traffic.

To distribute configurations to all computers in an organizational unit
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.
3 Right-click the name of the organizational unit to which you want to distribute configurations, and then click Distribute.
4 In the confirmation message box, click Yes.

To distribute configurations to selected computers in an organizational unit
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.
3 In the left pane, select the organizational unit that contains the computer or computers to which you want to distribute configurations.
4 In the right pane, select only those computers that you want to notify.
5 Right-click the selected computers, and then click Distribute.
6 To confirm your intention to distribute configurations, click Yes.

Moving a computer to a different organizational unit

Although a computer can belong to only one organizational unit, you can move computers from one organizational unit to another. See About organizational units on page 77.

Warning: Before you move a computer, make sure that the security products you manage let you move computers.

To move a computer to a different organizational unit
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.
3 In the left pane, select the organizational unit that contains the computer or computers that you want to move.
4 In the right pane, right-click a computer, and then click Move. You may select multiple computers if you want to move all of them to the same organizational unit.
5 To confirm that you want to move the computers, click Yes.

6 In the Find Organizational Units dialog box, select the organizational unit to which you want to move the computers, and then click OK.
7 To verify that the move was successful, in the left pane, select the organizational unit to which you moved the computers. Look at the right pane to see if the computers that you moved are now in the list. If you move a computer that is an Information Manager server, you may have to log on again before you see the computer in the organizational unit. Agents that connect to the Information Manager server may need to be restarted.

About modifying computer permissions

When you create a role, permissions are assigned for each computer with regard to that role. These permissions control whether role members who log on to the Information Manager console can view, modify, or move the computer. To modify the permissions for a computer, you must display the Permissions dialog box for the computer. You cannot modify permissions for computers using the Role Properties dialog box. See Modifying permissions from the Permissions dialog box on page 58.

Note: To modify permissions, you must be logged on as a member of the Domain Administrator role.

Deleting a computer from an organizational unit

If you want to delete an organizational unit, you must first remove any computers within the organizational unit by moving them or deleting them. You may also want to delete a computer that you no longer want to have under Information Manager management. If the computer was created by installing an agent as part of a security product installation, you should uninstall the collectors and agent from the computer before you delete the computer from the Organizational Units container in the Information Manager console. See Creating computers within organizational units on page 82.
Deleting a computer from an organizational unit removes it from the LDAP directory.

Warning: If you delete a computer that is an Information Manager server, you must perform extra steps to add it to an organizational unit again. To restore a deleted Information Manager server to the LDAP directory, you must do one of the following: re-register the deleted server with the LDAP directory in which it was previously registered, or reinstall Information Manager on the server.

To delete a computer from an organizational unit
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.
3 In the left pane, select the organizational unit that contains the computer that you want to delete.
4 In the right pane, right-click the computer name, and then click Delete.
5 To confirm your intention to delete the computer from the organizational unit, click Yes.

About the Visualizer

The Visualizer provides a convenient way to view your Symantec Security Information Manager environment, including the computers that are assigned to organizational units. You can use it to monitor events per second (EPS) rates and CPU usage on your network devices. You can also view and modify properties of elements such as the Information Manager server and agents. See About using the Visualizer on page 95. See Viewing and modifying element properties on page 98.

About using the Visualizer

The Visualizer provides a graphical view of your Information Manager environment. When you click the Visualizer tab on the System view, you see a set of icons. The icons represent such elements as correlation servers, collection servers, agents, and directories. The Icons tab in the Legend pane illustrates and defines each type of icon that can appear in the diagram. See About the Visualizer on page 95.
The Overview pane in the top-left corner provides a visual summary of how the various components are arranged in your Information Manager environment. You can click a specific item in the overview to jump to that item in the graphical view.

Colored lines join elements to indicate the nature of their interactions. For example, a green line appears between an Information Manager server and its event archive. A blue line indicates that event forwarding is configured between a collection server and the correlation server. The arrow shows the direction in which the event data flows. To see an explanation of each color, click the Edges tab in the Legend pane.

You can place the icons where you want them by dragging them with the mouse. The associated text moves with the icon. You can also move the text to a different position relative to its icon: click and hold the mouse over the text, and then move the mouse. Empty text boxes appear on each side of the icon. Drag the text into one of the boxes and release the mouse.

The toolbar includes tools to help you examine the graphic.

The colored dots that appear next to an element indicate the activity level of that element. Some dots reflect the volume of EPS, and other dots reflect the percentage of appliance CPU in use. The meaning of each color is as follows:

EPS
- Green = less than or equal to 2.5 K
- Yellow = 2.5 K to 5 K
- Red = greater than 5 K

CPU usage
- Green = less than 60%
- Yellow = 60% to 80%
- Red = greater than 80%

Note: The EPS display on the Visualizer tab depends on the value of the Agent Queue Statistics Report Interval setting under System > Product Configuration > SSIM Agent and Manager > Agent Configurations > Logging. By default, this value is set to 300 seconds, and the EPS is updated only after that interval. You can configure a lower interval; however, a lower value may reduce the agent's performance. You must update (push) the configuration to the agent for the change to take effect.

Table 5-2 describes the tools in the toolbar.

Table 5-2 Visualizer tools

Tool: Purpose
- Layout menu: This option lets you view your network topology using the following layouts: Organic, Circular, Hierarchic, Orthogonal, Tree.
- Refresh: This option lets you update the display after you make configuration changes. For example, after you add a collector, click Refresh to redraw the diagram and show a new icon for the added collector.
- Zoom in: This option lets you expand the diagram view.
- Zoom out: This option lets you minimize the diagram view.
- Zoom selected: This option lets you enlarge the view of a selected portion of the diagram. Select a portion of the diagram by clicking the mouse and dragging a box around the required area. Then click the Zoom Selected icon to enlarge the area that you selected.
- Fit to window: This option returns the diagram to its original size, so that the entire diagram fits in the right pane of the System view.
- Save as: This option lets you save the information in the diagram as an XML file. Symantec Technical Support may request this file to assist in troubleshooting.
- Export Image: This option lets you export the Visualizer image as a .gif or .jpg file. You can also adjust the image width and height, and define the clip area as a view or a graph.
- Print: This option lets you print the diagram. In the Print Options dialog box, you can select the height (Poster Rows) and width (Poster Columns) if you print a very large diagram. The default setting (one poster row and one poster column) prints the entire diagram on a single page.

Table 5-2 Visualizer tools (continued)

- Table view: This option displays a table with one row for each element that is involved in processing events. The table dynamically displays such information as EPS and the total number of events that the element has processed since it was last started. The details that are displayed in the table view can be saved in CSV format. A green check mark means that the element is running; a red X means that the element is not responding.
- Use Magnifier: This option lets you magnify any selected portion of the diagram.

Viewing and modifying element properties

You can view the properties of many of the elements in the Visualizer diagram. You can also modify some of these properties. See About using the Visualizer on page 95.

The same properties are also accessible through other tabs on the System view. You use these tabs to add and delete elements, such as collectors. After you add an element, you distribute it; the element then appears in the Visualizer. Table 5-3 explains how to access each of the element categories on other System view tabs.

Table 5-3 Accessing element properties on System view tabs

Category: How to access
- Computers (this category includes appliances, agents, and collectors): Select Administration > Organizational Units. Select an organizational unit. In the list in the right pane, double-click the name of a computer. A dialog box displays the computer's properties.
- Directories: Select Administration > Directories. In the list in the right pane, double-click the name of a directory. A dialog box displays the directory's properties.
- Products (this category includes products such as collectors and firewalls): Select Product Configurations. In the left pane, click the name of a product. The right pane displays the product's properties.

To view and modify element properties
1 On the System view of the Information Manager console, click the Visualizer tab.
2 Right-click an icon in the diagram, and then click Properties. A dialog box displays a set of tabs that let you access the element's properties. The displayed properties depend on the type of element that you selected. For example, a collection appliance has different properties than an agent.
3 View and modify any of the available properties in the dialog box, using the tabs to navigate through the properties.
4 When you finish viewing and modifying properties, click OK.


Chapter 6 Configuring a service provider

This chapter includes the following topics:
- About using Information Manager in a service provider context
- About responding to a client incident
- About setting up a Service Provider environment
- Disconnecting a client from a Service Provider Master

About using Information Manager in a service provider context

Information Manager can be used to offer security incident management services to multiple business clients and physical locations. In a service provider context, Information Manager can be used to gather, correlate, monitor, and initiate resolution of security incidents in real time. An instance of Information Manager that is configured as a service provider can also create and work with tickets. It can also generate and deliver custom reports. See About using Information Manager in a service provider context on page 101.

Correlation can now be enabled on the Service Provider Master. This feature can be used to trigger the rules on the Service Provider Master and create incidents based on local Service Provider events.

Using Information Manager in a service provider context has the following minimum requirements:
- For a service provider client: At least one instance of Information Manager must be configured to monitor and correlate security events, and forward the

resulting incidents. A copy of the incidents that are created at the client correlation server is forwarded to the Service Provider Master.
- For a service provider: At least one instance of Information Manager must be configured as a Service Provider Master. You can add multiple correlation servers for a single domain through the client configuration user interface on the console of the Service Provider Master. The Service Provider Master receives a copy of the incident data that the client server forwards. Using the Information Manager console, a Service Provider Master provides a centralized view of all of the incidents that each client generates.

If the service provider uses more than one Service Provider Master to manage clients, each master operates independently from any other Service Provider servers.

Figure 6-1 displays the relationship between multiple clients that use instances of Information Manager and a service that manages incidents using the Service Provider Master server. Each client maintains its own event and incident management policies and topologies. The only requirement is that the client configures the primary correlation server to forward any incidents that are generated to the Service Provider Master.

Figure 6-1 Service Provider Master with Correlation Service enabled

About the service provider environment from the client perspective

When a client uses the services of an Information Manager service provider, the client environment is configured as a completely autonomous Information Manager solution. All raw event data is gathered, stored, managed, and correlated within the environment of the client. All the information about the client Information Manager's assets, tickets, incidents, and users is exclusive to the client environment. See About using Information Manager in a service provider context on page 101.

The key connection to the Service Provider is through a primary correlation server, which is configured to gather and forward a copy of incidents to the Service Provider Master server. The service provider that receives the copy of client incidents then processes, analyzes, and monitors the incidents. When necessary, the service provider then initiates the appropriate remediation steps by notifying the client.

About the service provider environment from the provider perspective

Incident management on the Service Provider Master begins as soon as the following conditions are met:
- At the client site, incident forwarding is enabled on the primary correlation server and network connectivity with the off-site management service is established.
- The Information Manager server at the service provider management site is configured to receive incidents as a Service Provider Master.
- The Service Provider Master is also configured with a client account. This account includes the client location, the service provider analyst who is assigned to the account, and the contact information for the client.

When these prerequisites are met and incident forwarding is enabled, the incidents that a client server creates can be managed at the Service Provider Master. Incidents that were created before incident forwarding was enabled can also be forwarded. To forward these incidents, use the Incident Synchronization feature in the Web configuration interface for the client. See Synchronizing the Service Provider Master with client incidents on page 110.

About customizing the Incidents view in a Service Provider Master console

When you configure a server to perform the duties of a Service Provider Master server, the view in the Information Manager console is modified to match the features that are available in a service provider context. The primary differences in the console appear on the Incidents view. A Service Provider server uses a configurable single-incident view that is a streamlined version of the Incidents view. See About using Information Manager in a service provider context on page 101.

The client configuration user interface on the console of the Service Provider Master lets you add multiple correlation servers for a single domain.
The Incidents view on the Service Provider Master displays the host name, with its domain, of the client that a particular incident belongs to. When you view incidents in a Service Provider console, the Original ID and the Reference ID serve two distinct purposes. If you use multiple clients, the Original ID is the incident number that the client generates and then forwards to the Service Provider. The Reference ID is the incident number that the Service Provider generates. Changes to the Incidents view include the following:

- Contacts, Tickets, and Remediation tabs are now available from within the incident details. The Contacts tab is not available for clients that have the same domain as the Service Provider Master.
- Incident details are now displayed in a separate Information Manager console window, unlike the browser window that is displayed in earlier versions of Information Manager.

About responding to a client incident

In the Incidents view of the Information Manager console, when you click an incident that a Service Provider client generates, you can use the fields and the information on the available tabs to take the appropriate action. See About using Information Manager in a service provider context on page 101.

To review the incident details quickly, double-click the incident in the summary table. Double-clicking an incident in this view opens the Client Incident viewer, which is a browser instance that communicates over a secure browser session (HTTPS). This viewer lets you analyze the incident without having to open an additional Information Manager console session. The Client Incident viewer provides a streamlined view of the incident details. The viewer also lets you perform tasks to address the incident immediately, such as selecting an Assignee, State, Priority, Severity, and so forth.

Creating Information Manager tickets in a Service Provider Master context

When you view client incidents on a Service Provider Master, you can view, create, and resolve the following types of tickets. See About using Information Manager in a service provider context on page 101.
- An Information Manager Service Provider ticket. When you work in an Information Manager console that is logged on to a Service Provider Master, the ticket that is displayed in the Incidents or Tickets view is exclusive to the environment of the Service Provider Master.
A service provider analyst or administrator uses the information in this ticket to perform certain duties: for example, following the steps that are required to notify a client that an incident has occurred.
- An Information Manager client ticket. When you open the Client Incident viewer, a ticket that is displayed in that browser session is local to the client environment. A client uses the information in this ticket to perform certain duties: for example, the tasks that are necessary to address the incident within the client environment.

To create an Information Manager Service Provider ticket, you use the Information Manager console that is logged on to the Service Provider Master. The service provider analysts or administrators use the Service Provider Master ticket. The client does not see Service Provider tickets.

To create an Information Manager client ticket, you use the Client Incident viewer browser session. Alternatively, you can use a separate instance of the Information Manager console that is logged on directly to the client's correlation server. The Client Incident viewer and the Information Manager console instance that is logged on to the client server share the same client ticket information. A ticket that is created from within the Client Incident viewer is local to that client and applies only to the client's resources. For example, this type of ticket may include the instructions that client IT personnel must act upon to reduce the spread of an outbreak.

To create a ticket for the client environment
1 In the Information Manager console for the Service Provider Master, on the Incidents view, double-click the incident.
2 In the Client Incident viewer, click Create Ticket.
3 In the Ticket Details area, enter the ticket information for the client in the available fields. The Summary field is required.
4 In the Creator area, enter the contact information for the appropriate service provider contact in the available fields.
5 In the Help Desk Assignee area, assign the ticket to the appropriate client assignee.
6 (Optional) Add any necessary instructions.
7 Click Save. After the ticket is saved, you can view, add, or remove any associated tasks using the Tasks tab. You can also add a note on the Log tab.

To create a ticket for the Service Provider Master environment
1 In the Information Manager console for the Service Provider Master, on the Incidents view, click the incident.
2 In the lower pane, on the Tickets tab, click Create Ticket.
3 In the Ticket Details window, use the available fields to provide the necessary ticket information. The Summary field is required. The Assignee field provides a list of Service Provider environment users.
4 When you are finished, click OK.

Exporting incident information from the Client Incident viewer

You can export incident data from the Client Incident viewer using the Export button and the save feature of the browser that you use. See About responding to a client incident on page 105.

To export incident information from the Client Incident viewer
1 In the Information Manager console, on the Incidents view, double-click the incident that you want to export.
2 In the Client Incident viewer, click Export. Specify a new name or accept the default name for the CSV file.
3 Save the exported CSV file in the required location.

About setting up a Service Provider environment

When you configure Information Manager servers in a Service Provider context, you must configure the following:
- The client server that creates incidents. In distributed client environments, this server is generally the primary correlation server.
- The service provider server that receives the forwarded incidents.

See About using Information Manager in a service provider context on page 101.

Configuring an instance of Information Manager as a Service Provider client

To configure an instance of Information Manager as a client of a Service Provider Master, configure the client server to forward incidents to the Service Provider Master. See About using Information Manager in a service provider context on page 101.

To configure an instance of Information Manager as a Service Provider client
1 Using the Information Manager console, connect to the client instance of Information Manager.
2 On the System view, click the Server Configurations tab and expand the server to configure as the Service Provider client.
3 Click Incident Forwarding Rules, and then click the Add icon.
4 In the Incident Forwarding Rules window, type a name for the rule in the Rule name field.

5 Enter the server host name or IP address of the Service Provider Master.
6 Click OK.
7 Ensure that Enabled is checked, and then click Apply to apply the incident forwarding rule.

Configuring an Information Manager server as a Service Provider Master

To enable an Information Manager server to perform the duties of a Service Provider Master, you enable this feature in the System view. See About setting up a Service Provider environment on page 107.

Correlation can now be enabled on the Service Provider Master. This feature can be used to trigger the rules on the Service Provider Master and create incidents based on local Service Provider events.

Note: Ensure that the Event Forwarding rule is enabled if Correlation Service is enabled on the Service Provider Master.

To configure a server as a Service Provider Master
1 Using the Information Manager console, connect to the instance of Information Manager that is to be the Service Provider Master.
2 On the System view, on the Server Configurations tab, expand the server that is to be configured as the Service Provider Master.
3 Click the server folder.
4 In the right tile, under Service Provider, check Service Provider Master.
5 Click Apply.
6 Close and restart the Information Manager console.

To enable the correlation service on a Service Provider server
1 Using the Information Manager console, connect to the Service Provider Master and log on as an administrator.
2 On the System view, on the Server Configurations tab, click the server folder.
3 In the Server options area, select the option for Enable Correlation.
4 Click Apply.

Configuring service provider client management accounts

To manage a service provider client, you configure a client account. The account must include the network and physical location, the assigned service provider analyst, and contact information that is associated with the client. See About setting up a Service Provider environment on page 107.

You can add multiple clients that have the same domain as the Service Provider Master. You can also add multiple clients that have a different domain, and provide a single incident view for incidents from all correlation servers.

To add a service provider client management account
1 Using the Information Manager console, connect to the instance of Information Manager that is to be the Service Provider Master.
2 On the System view, expand the domain, and click Clients.
3 Click New (+).
4 In the Add Client wizard, in the Client Information window, describe the client using the fields provided, and then click Next.
5 In the Client Setup window, click New.
6 In the Client Account fields, do the following for each analyst to assign to this account:
- In the Client Username and Client Password fields, enter the appropriate client user name and password information.
- In the Analyst field, use the ellipsis (...) to open the Find Users dialog box and choose the analyst (or analysts) to whom the account is to be assigned.
- If you want the assigned analyst to receive notifications for incidents, select Analyst Notification. The settings for the user determine the notifications.
7 Click Save to add the analyst to the list.
8 When you are finished, click Next.
9 In the Contact Information window, click New.
10 In the Add/Edit Contact area, enter the relevant client contact information. This contact is the client representative who is contacted when an incident requires remediation, for example. You can add multiple contacts if necessary.
11 Click Finish.

To delete a service provider client management account

1 Using the Information Manager console, connect to the Service Provider Master.
2 On the System view, expand the domain, and click Clients.
3 Click Delete (-).
4 In the Delete Client Configurations dialog box, click Yes.

Synchronizing the Service Provider Master with client incidents

The correlation server for a Service Provider client can create Information Manager incidents while the client and the Service Provider Master are not connected. You can synchronize the Service Provider Master when the connection is available again. When you synchronize client and Service Provider Master incidents, you forward an updated set of incident data from the client's correlation server to the Service Provider Master.

See "About setting up a Service Provider environment" on page 107.

The synchronization tool is available in the Web configuration interface for the client's correlation server.

To synchronize the Service Provider Master with client incidents

1 On the Correlation Server that forwards incidents to the Service Provider Master, log on to the Web configuration interface using administrator credentials.
2 On the Maintenance view, click Incident Synchronization.
3 In the details pane, click Start.

Disconnecting a client from a Service Provider Master

You can disconnect a client from a Service Provider Master by disabling Incident Forwarding on the client instance of Information Manager.

See "About setting up a Service Provider environment" on page 107.

To disconnect a client from a Service Provider Master

1 Using the Information Manager console, connect to the client instance of Information Manager.
2 In the System view, on the Server Configurations tab, expand the domain that you want to disconnect from the Service Provider Master.

3 On the Incident Forwarding Rules view, select the forwarding rule that forwards incidents to the Service Provider Master, and click Delete (-).
4 Click Apply.
5 If you want to delete the client configuration, do the following:
   Using the Information Manager console, connect to the Service Provider Master.
   On the System view, on the Administration tab, click Clients.
   Choose the client configuration that you want to remove, and click Delete.
   In the Delete Configurations dialog box, click Yes.


Section 3

Planning for security management

Chapter 7. Managing the correlation environment
Chapter 8. Defining rules strategy


Chapter 7

Managing the correlation environment

This chapter includes the following topics:

About the Correlation Manager
About the Correlation Manager knowledge base
About the default rules set

About the Correlation Manager

The Correlation Manager component of Information Manager performs automated real-time event correlation, aggregation, filtering, and incident creation. To perform these functions, it uses a set of rule files and a knowledge base to compare events to patterns of common network security threats.

See "About the Correlation Manager knowledge base" on page 116.

To facilitate security analysis, the Correlation Manager filters false positive events from networks, including the events that your company security policy permits. The Correlation Manager also identifies attacks based on patterns of firewall, Intrusion Detection System, and antivirus activity across desktops, gateways, and servers. The Correlation Manager can then declare the incidents that warrant further action and closure.

The Correlation Manager can provide conclusions regarding the overall analysis or cause of attacks. It also aggregates information about source, destination, attack types, and all related events into the incident record for forensic analysis.

See "About the default rules set" on page 116.

About the Correlation Manager knowledge base

The Correlation Manager knowledge base consists of the tables that contain information about the network, security policies, and normalized event categories and subcategories. The Information Manager default rules reference this information to allow the correlation engine to make a more effective evaluation of incoming security events. Custom rules can also reference the information in the Correlation Manager knowledge base tables.

The information in the knowledge base is a combination of the following:

Updated information from Symantec DeepSight Threat Management System.
The information that you can edit from the Lookup Tables option of the Rules view.

If you have a valid DeepSight license, you can receive frequent updates directly from DeepSight. If you do not have a license, you receive updates to security content through LiveUpdate packages.

See "About the Correlation Manager" on page 115.

See "About managing Global Intelligence Network content" on page 327.

About the default rules set

Information Manager includes a set of rules that identify the most common security threats. Information Manager also provides default filters to help reduce common false positives. New rules are developed regularly and are distributed through the LiveUpdate process. You can also create your own rules from the Rules view of the Information Manager console.

See "About the Correlation Manager" on page 115.

See "About the Correlation Manager knowledge base" on page 116.

Table 7-1 lists the default rules and the types of security products with which they are usually associated.

Table 7-1 Correlation Manager rules by security product type

Security product: Antivirus
Associated rules:
   AntiVirus Disabled
   Critical Malicious Code Detection
   Incomplete AV Scan
   Malicious Code via Not Quarantined
   Malicious Code Not Quarantined
   Malicious Code Outbreak
   Malicious Code Propagation
   Outbound Spam Zombie
   Spyware Not Quarantined
   Spyware Outbreak
   Worm Activity

Security product: Firewall
Associated rules:
   Block Scan
   Check FTP Transfers
   Distributed DoS High Volume
   DoS High Volume
   External Port Sweep
   Internal Port Sweep
   IP Watchlist Destination
   IP Watchlist Source
   IRC Bot Net
   Malicious URL
   Organization IP in Watchlist Activity
   Outbound Spam Zombie
   Ping Scan Detector
   Port Scan Detector
   Potential Staged Attack
   Scan Followed By Exploit
   Single Event DoS
   Smurf Attack Firewall
   Traffic to a Monitored Address
   Trojan Connections
   Unauthorized Outbound Domain
   Unauthorized Port Inbound
   Unauthorized Port Outbound
   Traffic to a Monitored Address
   Watchlist Potential Policy Violators

Security product: Network intrusion detection system (NIDS)
Associated rules:
   Attempted DNS Exploit
   Attempted FTP Exploit
   Attempted WWW Exploit
   Attempted Service Exploit
   Block Scan
   Departed Employee Username
   DoS High Volume
   Distributed DoS High Volume
   Intrusion Threshold (Disabled by default)
   IP Watchlist Destination
   IP Watchlist Source
   IRC Bot Net
   Malicious Code Propagation
   NULL Login Authentication Violation
   Ping Scan Detector
   Return Trojan Traffic
   Scan Followed By Exploit
   Single Event DoS
   Smurf Attack IDS
   TFTP from WebServer
   Traffic to a Monitored Address
   Vulnerability Scan
   Vulnerability Scan Detector
   Watchlist Potential Policy Violators
   Web Vulnerability Scan

Security product: Host intrusion detection system (HIDS)
Associated rules:
   Account Guessing Attack
   Departed Employee Username
   DoS High Volume
   IP Watchlist Destination
   IP Watchlist Source
   Multiple Files Modified
   NULL Login Authentication Violation
   Password Guessing Attack
   Potential Staged Attack
   Scan Followed By Exploit
   Single Event DoS
   Trojan Connections
   Vulnerability Scan
   Vulnerability Scan Detector
   Watchlist Potential Policy Violators
   Web Vulnerability Scan

Security product: Vulnerability assessment
Associated rules:
   Potential Staged Attack
   Vulnerability Scan

Security product: Policy compliance
Associated rules:
   Departed Employee user name Activity
   Policy Compliance Violation

Security product: Windows Events
Associated rules:
   Account guessing attack
   Non Business Hours Logins
   Password guessing attack
   Potential Staged Attack
   Windows Account Lockout (Disabled by default)
   Windows Audit Log Cleared
   Windows Privileged Activities by user
   Windows Privileged User Created
   Windows Security Violation (Disabled by default)
   Windows Sensitive File Access

Security product: Information Manager System
Associated rules:
   Agent Queue Monitor
   Cert Expiration Warning
   Incident Creation Alert (Disabled by default)
   Invalid Event Date Alert
   Low Disk Space Warning
   MultiEvent Rule Example
   Negative Rule Type Example
   Password Guessing Attack
   Validate Archive

Chapter 8

Defining rules strategy

This chapter includes the following topics:

About creating the right rule set for your business
About defining a rules strategy
About correlation rules
About rule conditions
About the Event Count, Span, and Table Size rule settings
About the Tracking Key and Conclusion Creation fields
About the Correlate By and Resource fields
Importing existing rules
Creating custom correlation rules
Enabling and disabling rules
Working with the Lookup Tables window

About creating the right rule set for your business

A good approach to creating custom rules is to start with the generalized rules provided by Symantec and fine-tune them. Another good approach is to add new rules based upon real event data from your network.

See "About defining a rules strategy" on page 123.

The customizations usually belong to one of the following categories:

Incidents stemming from machine-generated events: These include all of the security devices on your network that generate the events that you collect. For example, firewall products such as Checkpoint Firewall generate a huge amount of event data. In most cases, you should edit default rules or create new rules to filter out false positive incidents.

Incidents relating to human events or policies: These incidents include your corporate IT security policies and regulatory compliance requirements. They also include any unique characteristics of user activity in your network that machine-generated events would typically miss, or that result in false positive incidents.

The following is a general overview of the process for developing rules:

Set up Information Manager in a lab environment.

Update the Assets view to include the IP addresses of hosts that are mission-critical or that host sensitive information.

Collect event data from your network for a week. This data should include events from all of the security products that you want Information Manager to correlate, for example antivirus, host intrusion detection systems, network intrusion detection systems, and firewalls.

Run the default rules and review the incidents created. Look for any false positives that you can easily filter out. Examples of good candidates for filtering are incidents from the failed connections that the firewall reports, and the Windows-only attacks that computers running Linux report.

Look at any known security incidents that occurred during the week that you collected the data. Adjust the filters and rules if there are any incidents that should have been created and were not.

Look for the incidents that are the result of firewall rules being too lax. Tuning firewall and Information Manager rules is an ongoing process based upon the changes in your network. Opening a firewall port to enable an essential line-of-business application may suddenly result in a huge number of false-positive incidents. When that occurs, you need to create a new rule to filter out events from an approved use of that application. You may also discover that there is a port that is still open long after the application that required it has been retired.

Create rules to support security practices in your company. For example, you can create a rule to assign a weekly help desk ticket for security IT to contact users who are not running antivirus software.

As you change rules, use the Information Manager rule test feature to assess whether the customizations work. Of particular concern should be any rules that never create conclusions, or those that create conclusions too often.

With your Information Manager server still in a test environment, forward live network events to it. Continue to refine your rules. After you are satisfied with the incidents that are declared, migrate the server to your live network.

About defining a rules strategy

To develop a security plan that incorporates correlation rules and filters, you must understand the business needs of your organization from a security perspective.

See "About creating the right rule set for your business" on page 121.

For example, if your implementation protects and monitors network resources relating to financial transactions, you can develop and refine your rule set accordingly. Your area of concern might focus on authentication on the servers that contain sensitive financial data.

In addition, you may need to evaluate the rules that you deploy based on regulatory compliance concerns. This evaluation ensures that the event data that is evaluated is handled in a way that meets the requirements of the policies.

About correlation rules

Correlation rules describe the logic that is applied to an event or a set of events to detect possible security concerns.

See "About creating the right rule set for your business" on page 121.

Conceptually, correlation rules can be classified into the following general categories:

An event identifies an attacker who attempts to intrude on a specific computer or resource.

An unknown system, or a number of systems, attempts to cause a specific system to malfunction or cease functioning.

The organization or analyst wants to group events into particular types of incidents to make viewing and analysis simpler. For example, these types of rules may aggregate the events that are related to policies or products.

Correlation rules consist of the following:

Rule type: Identifies the pattern that best describes the event. See "About rule types" on page 125.

Event criteria: The specific values or threats that the rule applies to, including the number of events that occur over a specified period of time. See "About event criteria" on page 129.

Rule settings: The event count, span, table size, tracking keys, and description of an event.

Conclusion and correlation settings (Actions tab): The fields that are used to correlate existing event conclusions with new events as they occur within the specified time period. If the number of events that is specified in the Count field is met, the conclusion is escalated to an incident. In addition, the incident is then correlated with existing incidents where applicable. The severity of a match for the rule is also determined. Additional details are available through the variables that you can specify in the Description field.

Auto assignment and notification settings: Describes how alert and incident assignment tasks are handled when an incident is created. In the Auto Assignment area, incidents can be assigned to a specific user or user group (team). The Notification area lets you notify additional recipients that the incident has occurred. For example, an Antivirus Disabled incident might be assigned to a response technician who is responsible for immediately assessing the event. An additional notification can be sent to the network administrator who monitors the overall health of the network segment from which the incident originated.

About rule conditions

The rule conditions describe the fields and conditions that the rule is processed against to determine if the event applies to a conclusion.

See "About correlation rules" on page 123.

The Rule Conditions panel provides access to all available event and schema field data. The analyst can use this data to further identify and define the events that should be escalated as a potential security threat.

About rule types

A rule type determines the underlying behavioral patterns that a rule uses to identify a match. For example, if the rule type is set to Single Event, the rule evaluates each event for a criteria match. It only requires a single event to trigger a conclusion. A rule that uses the Many to One rule type also evaluates each event against the criteria. However, it creates a conclusion only when a specified number of matching events have aggregated over a predetermined period of time.

See "About rule conditions" on page 124.

Conclusions that involve more than one event use the One to Many and Many to One event correlation tables. In addition, the Tracking field is provided. It identifies the element that is used as the basis for additional events to be correlated to existing events and conclusions.

Table 8-1 describes the rule types that are available and provides examples.

Table 8-1 Rule types

Rule type: Many Sources, One Target
Trigger condition: Creates a conclusion when the events that match the specified criteria are detected from multiple unique source IP addresses to a single destination IP address within the specified period.
Possible scenarios: Denial-of-service events can often be identified using this rule type. A Smurf attack uses ICMPEchoReply events from a large number of source computers to a single target. Predefined rule examples: Distributed DoS High Volume, Smurf Attack.

Rule type: Many Symantec Signatures, One Source
Trigger condition: Creates a conclusion when events of different types that match the specified criteria are detected from a single source IP address within the specified period.
Possible scenarios: A rule that detects a vulnerability scan can use this rule type. Within the criteria for that rule, EMR values can be set to identify multiple exploit events (such as Mechanism: Buffer Overflow, or Application Exploitation). In this example, the criteria for the rule include multiple types of Mechanisms. Therefore, the rule tracks multiple types of exploit events coming from the same source. Predefined rule example: Vulnerability Scan Detector.

Table 8-1 Rule types (continued)

Rule type: Many Symantec Signatures, One Target
Trigger condition: Creates a conclusion when events of different types matching the specified criteria are detected to a single destination IP address within the specified period.
Possible scenarios: A rule that detects malicious IP hopping activity can use this rule type. To conceal scanning activity, an attacker may attempt one type of attack from one IP address. The attacker then changes to a different IP address to try a different attack until the most useful vulnerabilities have been identified. Attackers use this method to avoid detection as a vulnerability scan, because they know that vulnerability scanners often operate from a single source. Using this rule type, you can detect conditions where multiple attack types are targeted at a single host, regardless of the attack origin.

Rule type: Many Targets, One Event
Trigger condition: Creates a conclusion when events of the same type matching the specified criteria are detected from many unique destination IP addresses within the specified period.
Possible scenarios: A rule that detects a Malicious Code Outbreak can use this rule type. To identify a Malicious Code Outbreak, a rule can be configured to identify instances of a particular virus on multiple targets. Using the EMR fields, the criteria can be set to Virus. Since the rule looks for the same event type, it triggers only if the same virus event occurs on each target.

Rule type: Many Targets, One Source
Trigger condition: Creates a conclusion when events matching the specified criteria are detected from a single source IP address to multiple unique destination IP addresses within the specified period.
Possible scenarios: A rule that identifies a reconnaissance attack on multiple targets (such as a port scan) can use this rule type. To configure this example, you would choose the Many Targets, One Source rule type, and then set the EMR criteria value to Portscan. Predefined rule examples: Block Scan, IRC Bot Net, Ping Scan Detector.

Table 8-1 Rule types (continued)

Rule type: Many to One
Trigger condition: Creates a conclusion when events matching the specified criteria are detected in a pattern that is set using the Many To One Fields and the One To Many Fields options. In addition to the Event Criteria, the fields that must contain the same information for each event (One-Many Fields) and the fields that can contain different values in each event (Many-One Fields) are used to correlate similar events occurring within a predetermined timeframe.
Possible scenarios: A rule that detects a port sweep can use this rule type. A port sweep is typically described as a single IP address that scans for a specific port on multiple computers. After you choose this rule type and set the event criteria for the rule, you set the One-Many and the Many-One field options. In the One-Many Fields area, select IP Source Address and IP Destination Port. This selection means that each event originates from the same IP address and probes the same port. In the Many-One Fields area, select the IP Destination Address option. (Note that the event destination can be a different IP address for each event.) The Many to One rule requires the Tracking field to be populated. For this type of rule, the Tracking field generally matches a One-Many Fields entry. Predefined rule examples: Malicious Code Outbreak, Spyware Outbreak, DoS High Volume, External Port Sweep, Internal Port Sweep, Port Scan Detector, Intrusion Threshold, Multiple Files Modified, Account Guessing Attack, Password Guessing Attack.

Rule type: Multi-condition
Trigger condition: Creates a conclusion when a sequence of specified patterns is detected for one combination of one-to-many fields within a specified time period. This rule type requires the Tracking field to be populated.
Possible scenarios: A user logs on to a Windows computer and establishes an SSH connection to a UNIX computer. The user then logs on to the FTP server and downloads files from the FTP location.

Rule type: Single Event
Trigger condition: Creates a conclusion if an event matches the specified criteria.
Possible scenarios: Predefined rule examples: AntiVirus Disabled, Malicious Code Not Quarantined, Spyware Not Quarantined, Check FTP Transfers, Malicious URL, Trojan Connections, Attempted DNS Exploit, Attempted FTP Exploit, Attempted WWW Exploit, TFTP from WebServer, Windows Security Violation, Windows Account Lockout, Windows Audit Log Cleared, Windows Privileged Activities by User.

Table 8-1 Rule types (continued)

Rule type: Symmetric Traffic
Trigger condition: Creates a conclusion when the specified pattern of events is detected from a single source IP address to a single destination IP address, then from that destination IP address back to the original source IP address within the specified period.
Possible scenarios: A rule that identifies BackOrifice exploit traffic between a single target and source can use this rule type. To monitor for BackOrifice symmetric traffic events, after you choose the Symmetric Traffic rule type, set the criteria to Symantec Signature for BackOrifice (attackid 1414). The rule triggers if an Intrusion Detection System logs both the connection from a source to a target, and from that target back to the source, as BackOrifice traffic. Predefined rule example: Return Trojan Traffic.

Rule type: Transitive Traffic
Trigger condition: Creates a conclusion when the specified pattern of events is detected from a single source IP address to a single destination IP address, and the pattern is then detected from that destination IP address to a new destination IP address within the specified period.
Possible scenarios: A rule that identifies BackOrifice exploit traffic that moves from one source to a target backdoor, after which the targeted computer becomes the source that accesses the backdoor of a new target, can use this rule type. To monitor for BackOrifice transitive traffic events, after you choose the Transitive Traffic rule type, set the criteria to Symantec Signature for BackOrifice (attackid 1414). The rule triggers if an Intrusion Detection System logs the connection from a source to a target as BackOrifice traffic and then identifies the target connecting to a new target with the same event signature. Predefined rule example: Malicious Code Propagation.

Rule type: X followed by Y
Trigger condition: Creates a conclusion when a specified pattern is detected from a single source IP address to a single destination IP address, and this pattern is followed by a different pattern from the same source IP address to the same destination IP address within the specified time period.
Possible scenarios: Predefined rule examples: Scan Followed by Exploit, Null Login Authentication Violation. Note: This rule type is deprecated and is not supported. Use a Multi-condition rule type instead.

Table 8-1 Rule types (continued)

Rule type: X not followed by X
Trigger condition: Creates a conclusion when an event that matches the defined criteria is not detected in a pattern a predefined number of times within the timeout.
Possible scenarios: A rule to monitor user authentication failure for a specific period of time can use this rule type. For example, a user logon fails for a specific period of time and the user does not log in again.

Rule type: X not followed by Y
Trigger condition: Creates a conclusion when an event that is defined by the X rule criteria occurs, but an event that is defined by the Y rule criteria does not.
Possible scenarios: A rule to detect the non-occurrence of a user action after a valid user action can use this rule type. For example, a user logs on to a critical server but does not log off for a long time.

Rule type: Y not preceded by X
Trigger condition: Creates a conclusion when an event that is defined by the X rule criteria does not occur, but the next event that is defined by the Y rule criteria does.
Possible scenarios: A rule to detect the deletion of a user before the user is added can use this rule type.

Rule type: Lookup Table Update
Trigger condition: Updates the configured lookup table if an event matches the specified criteria.
Possible scenarios: A rule to dynamically update the lookup table with the configured event field values for the specified event criteria.

About event criteria

The Event Criteria field contains a vast array of possible values that a rule can use to identify an event pattern. The Event Criteria field includes event data and schema information.

See "About rule conditions" on page 124.

Table 8-2 describes the tabs available in the drop-down list.

Table 8-2 Event Criteria tabs

Common: Contains the data from the Normalization fields, the Symantec DeepSight Threat Management System database (using the Symantec Signature), and the Asset and the Network tables.

Derived: Contains the customized data from the Normalization fields, the DeepSight database (using the Symantec Signature), and the Asset and the Network tables. The system applies logic to the source and the destination IP addresses that results in several fields or flags being added to the event. For fields, this information is primarily data from the Asset and Network tables. For flags, this information includes: traffic direction, Source is Internal, Destination is Internal, service info, Destination Port is Open (whether the Asset entry has the destination_port value listed as available), and Vulnerable (whether the Asset entry for the event's destination_ip value is listed as being vulnerable to one or more of the BugTraq IDs associated with the event's Symantec Event Code).

Events: Includes all of the events that have been identified for each product that is associated with your installation of Information Manager. This information is based on a combination of the default set of events (the Information Manager schema) and any SIPs that have been installed. These fields do not contain the Information Manager normalized values.

Other Fields: Provides a means of creating a product-specific field that uses a string or an integer value that may not be accessible through the schema provided. Some of the events that are sent to Information Manager carry event data that a specific point product uses but that is not accounted for as an identified field in the Information Manager schema that the collector uses (also known as out-of-band data). This data can be included either by the collector or it can be added during normalization.

Table Lookups: Provides access to the fields that are associated with the knowledge base tables that Information Manager and the environment provide. Also provides access to the resource-specific data that the user provides, for example the Asset and Network tables. These fields are dynamically generated based on the current state of each of the knowledge base tables.

The Event Criteria rows include a logical decision field that provides the operator that is used to determine how the event criteria are evaluated. Table 8-3 describes the decision option operators available.

Note: The available operators vary with each criteria type.

Table 8-3 Event Criteria operators

Equal: The field value is an exact match to the criteria value.
Not Equal: The field value does not match the criteria value.
Greater than: The field value is greater than the specified value.
Less than: The field value is less than the specified value.
Greater than or equal to: The field value is greater than or equal to the specified value.
Less than or equal to: The field value is less than or equal to the specified value.
Null: The field is empty.
Not Null: The field contains a value.
Is in: The field value contains a value that is contained in the specified table.
Is not in: The field value does not match a value that is contained in the specified table.
True: The field value is True.
False: The field value is False.
Contains: The field value contains the specified string. The usage of this operator varies with the field against which the data is compared. For example, if you use EMR values, a drop-down list of possible values appears. However, if you evaluate the string data in a field such as target_resource, the value that you type is used to perform a substring search. For example, to find out whether the string root.exe is contained in the target_resource field, specify root.exe; any target_resource value that contains root.exe is identified and causes a match.
Doesn't contain: The field value does not contain the specified string. The usage of this operator varies with the field against which the data is compared. For example, if you use EMR values, a drop-down list of possible values appears. However, if you evaluate the string data in a field such as target_resource, the value that you type is used to perform a substring search. For example, to verify that the string root.exe is not included in the target_resource field, specify root.exe; any target_resource value that contains root.exe is identified and indicates that the Doesn't contain condition is not met.
Matches: The field value matches the value that is specified as a regular expression.
Doesn't match: The field value does not match the value that is specified as a regular expression.

About the Event Count, Span, and Table Size rule settings

The Rules Editor includes the settings that let you specify how many events must occur within a specified period of time to meet the criteria for the rule. In addition, you can also determine the table size for the event data that is stored. See About correlation rules on page 123.

Table 8-4 Event Count, Span, and Table Size rule settings

Event Count: Determines the number of events that must occur within a specific time period to trigger an incident. The time period is specified in the Span settings. This setting is used primarily with the Many-One Field area on the Actions tab.
Span: Indicates the time period within which the number of events that are specified in the Event Count field must occur.
Table Size: Specifies the state table size, in rows, that is maintained in memory for each rule. For example, the Account Guessing Attack predefined rule requires that two events be identified within 10 minutes for the rule to trigger an incident. After the first event matches the rule criteria, an internal aggregation table is created that contains the event details. When the second matching event occurs, data from the second event is added to the same aggregation table. In this case, the Table Size setting is relatively small. However, if the Event Count were raised to a much larger number, the aggregation table could potentially run out of space. In that case, the table wraps (the new event data begins to overwrite the original event data in sequential order). To prevent the data from being overwritten, the Table Size should be adjusted according to the event size expectations for the rule. Event data sizes vary widely with each implementation, but using the predefined rules as a starting point helps to identify general size parameters.
About the Tracking Key and Conclusion Creation fields

The Tracking Key and Conclusion Creation fields are used to further refine rule settings. Use these fields to establish whether an event should be correlated to the existing events that are tracked in aggregation tables. In addition, the Tracking Key and Conclusion Creation fields include the Severity and the Description fields. These fields provide a means for security analysts to escalate conclusions based on severity, and to include additional extracted information within the Conclusion Description. Table 8-5 describes the Tracking Key fields on the Conditions tab.

Table 8-5 Tracking Key fields (Conditions tab)

One-Many Fields: Describes the elements that must remain consistent across each event in order for the event to be correlated to an existing event aggregation table. For example, to define a rule that tracks a single user name connecting to multiple target IP addresses (in other words, one user name to many IP addresses), set the rule type to One to Many, and in the One-Many Fields area, select User Name. This field must be the same in each event for any subsequent events to be correlated with previous events.
Many-One Fields: Describes the elements that must be different for each event in order for the event to be correlated to an existing event aggregation table. This field is used with the Event Count field to determine when the conditions for a One to Many rule have been met. For example, you want to define a rule that tracks a single user name connecting to multiple target IP addresses: in other words, one user name to many IP addresses. Set the rule type to One to Many, and in the Many-One Fields select Target IP. The IP address in this field must be different in each event for any subsequent events to be correlated with previous events.
Tracking Fields: Describes the field upon which a matching event is correlated to an existing conclusion. If an event matches the criteria for a rule, it is compared against the tracking fields for any existing conclusion. If the event matches an existing conclusion, it is correlated to that conclusion rather than being considered for a new conclusion. Required with the Many to One and Single Event rule types. With One to Many rules, this field is typically used to track the same value as in the One-Many Field area. This is the event field data that must remain the same across each new event that is to be added to the aggregation table.
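The following is an added example, not Information Manager code, that simulates the aggregation table described under Table 8-4 and Table 8-5: a One to Many rule with One-Many fields that must stay identical, Many-One fields that must differ, an Event Count, a Span and a fixed Table Size that wraps when full. The rule name, field names, time values and events are constructed; the rule settings are the two events within 10 minutes quoted for the Account Guessing Attack rule.

```python
class OneToManyRule:
    """Simplified in-memory state table for a One to Many correlation rule."""

    def __init__(self, name, one_many_fields, many_one_fields,
                 event_count, span_seconds, table_size):
        self.name = name
        self.one_many_fields = one_many_fields   # must be identical across events
        self.many_one_fields = many_one_fields   # must differ between events
        self.event_count = event_count
        self.span = span_seconds
        self.table = [None] * table_size          # Table Size rows, kept in memory
        self.next_slot = 0                        # write position, wraps when full
        self.overwritten = 0                      # rows lost because the table wrapped

    @staticmethod
    def _key(event, fields):
        return tuple(event.get(f) for f in fields)

    def _store(self, event):
        # Rows are written sequentially; once the table is full the oldest row
        # is overwritten, which is exactly the data loss Table Size must prevent.
        if self.table[self.next_slot] is not None:
            self.overwritten += 1
        self.table[self.next_slot] = event
        self.next_slot = (self.next_slot + 1) % len(self.table)

    def process(self, event):
        """Feed one event (epoch-second "time" field); return a conclusion or None."""
        self._store(event)
        key = self._key(event, self.one_many_fields)
        oldest_allowed = event["time"] - self.span
        # Rows that share the One-Many key and fall inside the Span.
        related = [e for e in self.table
                   if e is not None
                   and self._key(e, self.one_many_fields) == key
                   and oldest_allowed <= e["time"] <= event["time"]]
        # Only distinct Many-One values count toward the Event Count.
        distinct = {self._key(e, self.many_one_fields) for e in related}
        if len(distinct) < self.event_count:
            return None
        # Fire once and release the rows so the same events do not fire again
        # (how the product resets a fired group is not described on the page).
        for i, e in enumerate(self.table):
            if any(e is r for r in related):
                self.table[i] = None
        return {"rule": self.name, "key": key, "targets": sorted(distinct)}


if __name__ == "__main__":
    # Constructed events: one account trying two different targets in 5 minutes.
    rule = OneToManyRule("Account Guessing Attack", ["user_name"], ["target_ip"],
                         event_count=2, span_seconds=600, table_size=100)
    print(rule.process({"user_name": "svc-backup", "target_ip": "10.0.0.5", "time": 0}))
    print(rule.process({"user_name": "svc-backup", "target_ip": "10.0.0.6", "time": 300}))
```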
Table 8-6 describes the Conclusion Creation fields on the Actions tab.

Table 8-6 Conclusion Creation fields (Actions tab)

Alerting Incident: Describes whether an incident should be treated as an alert rather than a security incident.

Severity: Describes the severity of the event conclusion, which can determine whether an incident is created. The Severity values include the following:
    1 - Informational: Purely informational events.
    2 - Warning: User decides if any action is needed.
    3 - Minor: Action is required, but the situation is not serious at this time.
    4 - Major/Critical: Action is required immediately and the scope may be broad.
    5 - Fatal: An error occurred, but it is too late to take remedial action and the scope is broad.
Description: Provides a user input area for security analysts to further define the conditions that led to the creation of the conclusion. This field also supports the use of field name variables that can be populated with event data.
Remediation: Provides a user input area for security analysts to include remediation notes for each incident that is created. The notes appear on the Remediation tab for the incident.

About the Correlate By and Resource fields

The Correlate By field determines whether a conclusion that is created should be mapped to an existing incident. See About correlation rules on page 123. For example, if a Virus Outbreak incident is in progress, using the appropriate setting in the Correlate By field causes each Virus Outbreak conclusion with the same virus name to be mapped to the existing incident. In addition, you can use the Resource field drop-down list to further refine the characteristics of the correlation requirements for the incident. Table 8-7 describes the Correlation types available in the Correlate By field.

Table 8-7 Correlate By fields

None: Correlation does not occur for the new incidents that match this rule.
Resource and Conclusion Type: Correlation is based on the Resource and the Conclusion type. For example, the same Virus Outbreak Conclusion type occurs on the same host that is specified in the Resource field. Therefore, the new conclusion is correlated to an existing incident.

Source and Destination: Correlation is based on the Source and the Destination fields. For example, a new conclusion is created and the source IP and destination IP are the same. Therefore, the conclusion is correlated to the existing incident.
Source and Conclusion Type: Correlation is based on the Source and the Conclusion type. For example, the same IP address causes PortScan conclusions. Therefore, any new PortScan conclusion that originates from the same source is mapped to the existing incident.
Source: Correlation is based on the Source field. If the Source matches, any conclusion that originates from that source is correlated to the existing incident.
Destination and Conclusion Type: Correlation is based on the Destination and the Conclusion type. For example, the conclusion is a denial-of-service attack that targets the same destination IP. Therefore, the conclusion is mapped to the existing incident.
Destination: Correlation is based on the Destination field. If the Destination is the same, any conclusion that applies to that destination is correlated to the existing incident.
Conclusion Type: Correlation is based on the Conclusion type. For example, all AntiVirusDisabled conclusions are mapped to the existing incident regardless of source or destination values.

Importing existing rules

You can import rules from separate instances of Information Manager using the Import and the Export features available in each version. If you import a rule that references custom lookup tables, you must also import those tables. See About correlation rules on page 123. If you import a rule from a previous supported version of Information Manager, use the Rules view to delete any imported policy information. Then, apply the current policies. Java-based rules are imported as jar files.
Note: In the User Monitor folder, you can import only those monitors that are created by using Information Manager version 4.5.

When you import rules from a previous version of Information Manager that include user, team, or role assignments, verify that the assignments are configured correctly after the import completes. Sometimes a user, team, or role that existed in a previous version is not identical to the one that exists in the upgraded version. If so, you may need to reconfigure the rule assignment values to match the assignee information in the upgraded version.

To import an existing rule
1 In the console from which you want to export the rules, navigate to the Rules view. Then, export the rules you want to apply to the new console.
2 In the current Information Manager console, on the Rules view, expand the Correlation Rules folder.
3 Under the Correlation Rules folder, expand the User Rules folder.
4 Click Import from disk.
5 In the Select File(s) to Import dialog box, locate the file or files to import, and click Import...

To import a Java-based rule
1 In the Information Manager console, on the Rules view, click the User Monitors folder and then click Import from disk.
2 In the Select File(s) to Import dialog box, locate the jar file or files to import.
3 Click Import...

Creating custom correlation rules

The correlation rules describe the logic that is applied to an event or a set of events to detect possible security concerns. See About creating the right rule set for your business on page 121. You can create correlation rules from the Rules view of the console of the Information Manager client. See About correlation rules on page 123.

The process for creating the correlation rules is as follows:
- Define a name for the rule. See To define a name for the rule on page 137.
- Configure the rule conditions. See To configure the rule conditions on page 137.
- Configure the rule actions. See To configure the rule actions on page 138.
- Deploy the rule on the server. See To deploy the rule on the server on page 140.

To define a name for the rule
1 On the Information Manager console, click Rules.
2 In the left navigation pane, under the Correlation Rules folder, click User Rules.
3 On the Rules tab, click Create new filter or rule (+).
4 In the Input dialog box, type a name for the rule.

You can now define a rule condition. A conclusion is generated if the set of events satisfies the defined conditions.

Note: You can configure multi-conditioned rules. Multi-conditioning lets you define rules that support up to five user activities in a sequence. You can create a conclusion when a specified sequence pattern is detected for one combination of one-to-many fields within a specified time period. See Creating a multicondition rule on page 141.

To configure the rule conditions
1 On the Conditions tab, in the Description window, type a description for the rule.
2 On Conditions > Rule Type, click the entry that best matches the type of event and target combination that applies to the new rule. For example, to declare an incident whenever a specific event is detected, select Single Event. To declare an incident after a specific number of events are detected from a specific IP address, select Many Targets, One Source. See About rule types on page 125.
3 In the Event Criteria area, click Add.
4 Select the left column of the new entry, and then choose an event field.
5 Select the center column and specify the operator.
6 Select the right column. Based on the operator that you chose, specify the value that must be true for the event type.
7 Repeat steps 3 through 6 for any other event criteria that you want applied to the rule. You can select multiple event criteria and apply logical operators (AND/OR) to them.
8 In Event Count, specify the number of times that the event criteria that you specified must be true for an incident to be declared.

9 In Span, specify the time within which the number of events that are specified in the Event Count must occur. For example, you can specify that 30 events of a specific type must occur within 60 minutes before an incident is declared.
10 In Table Size, specify the maximum number of events that the rule can track at any one time. The table size should generally be a multiple of the Event Count setting. The Table Size setting divided by the Event Count setting is equal to the maximum number of event groups that the rule can manage.
11 In the Tracking Keys area, specify the fields to include in the incident. This field can be any of the One-Many, Many-One, or Tracking fields that are associated with the incident.

You can now define the rule actions. A conclusion is generated if the set of events satisfies the defined conditions.

Note: You can create rules to detect threats based on the absence of the events that you expect to occur. See Creating a correlation rule based on the X not followed by Y rule type on page 145.

To configure the rule actions
1 On the Actions tab, check Alerting Incident (not a Security Incident) to specify that an incident is an alert incident and not a security incident. Alerting incidents notify about a situation that requires your attention if there is a discrepancy on a system. Security incidents notify about a situation where there is a potential threat due to a security breach in the organization.
2 From the Severity options, select the severity that you want to be associated with the incident.
3 In the Description area, type a description of the problem. This information appears to users who are assigned the incidents or the tickets based upon the incidents that this rule triggers. (Optional) Click Add (+) to include the fields from the final event that triggered the conclusion. When a conclusion is generated, these fields are replaced with their corresponding values in the description.
4 (Optional) Click Remediation to populate the Custom Remediation library for this conclusion and to instruct the analysts with a remedy that is specific for your organization.

5 In the Correlate By list box, select the method by which conclusions are grouped into incidents.
6 If you selected Resource and Conclusion Type from the Correlate By list box, you can select a field in Resource Field. This field is used to correlate conclusions within an incident. Conclusions can be correlated together into incidents based on the value of the resource field.
7 To specify that a user or team is automatically assigned to incidents that this rule creates, do the following:
    - Turn on Enable Auto Assign and then click Add.
    - If you want to assign incidents based upon the IP address of the affected target computer, in the left column select IP Address or Network options. Any Address is the default option. Retain the default option to ensure that all the occurrences of the incident get assigned irrespective of the IP address.
    - To assign incidents to an individual user, in the User column, select the user who should be assigned the incidents.
    - To assign incidents to a group of users, in the User Group column, select the team that should be assigned the incidents.
    - At any time, you can click Clear to clear the selections.
    - If you want to automatically assign incidents to the least busy member in a user group, check Assign to least busy user and then select the corresponding user group. See About automatically assigning incidents on page 140.
8 In the Notification area, check Enable if you want to notify users about the incident activity. If you want to notify users only when an incident is created, check Send notification for incident creation only.
9 Click Recipients to select the method of notification for each recipient. The options are Address Entry, User, User Group, Syslog, SNMP Trap. Once the method of notification is selected, you are prompted to enter details corresponding to the option that you selected.
After you specify the condition and the action, you can test the rule and then deploy it on the server.

To deploy the rule on the server
1 On the Testing tab, select the archive containing event data, and then click Start Test.
2 When you are satisfied with the incidents and the conclusions that the rule creates, turn on the rule in the Rules list.
3 On the top toolbar, click Deploy to the server. See Enabling and disabling rules on page 152.

About automatically assigning incidents

In Information Manager, an incident is created when an event matches a criterion that is specified in the Rules and Monitors. Based on the rules that are set, these incidents can be automatically assigned to a specific user group or an individual user. Rules or Monitors can be set to assign incidents automatically to the least busy member in a user group. See Assigning incidents automatically to the least busy member in a user group on page 141.

Incidents are automatically assigned to the individual with the lowest load factor. The load factor is calculated based on the incident count and the incident state. Each incident state is assigned a value. Incidents that are in the New state are assigned the highest value, whereas incidents in the Waiting state are assigned the lowest value. A user group member who has many incidents in the New state is considered busy. Therefore the incidents in the New state have the highest value. The incidents in the Working state have a lower value and the incidents in the Waiting state have the lowest value. The number of incidents that are already assigned to a user and the value that is assigned to the incident state determine the load factor. The members with the lowest load factor are given priority when an incident is assigned. When two or more users have the same load factor, Information Manager uses the timestamp to determine which user is the least busy. Table 8-8 shows how Information Manager calculates the incident load factor.
Three users are assigned the same count of incidents in different incident states. Although each user has the same number of incidents, their load factors are different because the values of their incidents are different. In the example, Information Manager automatically assigns incidents to User C because User C has the lowest load factor.
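The following is an added example, not Information Manager code, that computes the load factor of Table 8-8 with the state values the table uses (New = 3, Working = 2, Waiting = 1) and picks the least busy member, breaking ties on a timestamp. The user names, incident counts and timestamps are constructed; which timestamp the product compares on a tie is not stated on the page, so the example uses the time of each member's last assignment.

```python
from datetime import datetime

# Value of each incident state, as used in the Table 8-8 formula.
STATE_VALUE = {"New": 3, "Working": 2, "Waiting": 1}


def load_factor(incidents):
    """incidents: {state: count} for one user; returns sum(count * state value)."""
    return sum(count * STATE_VALUE[state] for state, count in incidents.items())


def least_busy(members):
    """members: {name: {"incidents": {...}, "last_assigned": datetime}}.

    The lowest load factor wins; on a tie, the member who was assigned an
    incident longest ago is chosen (tie-break timestamp is an assumption).
    """
    return min(members, key=lambda name: (load_factor(members[name]["incidents"]),
                                           members[name]["last_assigned"]))


# Constructed user group reproducing the three rows of Table 8-8.
TEAM = {
    "A": {"incidents": {"New": 4, "Working": 2, "Waiting": 1},
          "last_assigned": datetime(2011, 5, 1, 9, 0)},
    "B": {"incidents": {"New": 2, "Working": 4, "Waiting": 1},
          "last_assigned": datetime(2011, 5, 1, 9, 5)},
    "C": {"incidents": {"New": 1, "Working": 2, "Waiting": 4},
          "last_assigned": datetime(2011, 5, 1, 9, 10)},
}

if __name__ == "__main__":
    for name, member in TEAM.items():
        print(name, load_factor(member["incidents"]))
    print("assign next incident to:", least_busy(TEAM))
```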

Table 8-8 Incident load factor

User  Incidents: New  Incidents: Working  Incidents: Waiting  Formula (incident count * value of incident state)  Load Factor
A     4               2                   1                   (4*3) + (2*2) + (1*1)                                17
B     2               4                   1                   (2*3) + (4*2) + (1*1)                                15
C     1               2                   4                   (1*3) + (2*2) + (4*1)                                11

Assigning incidents automatically to the least busy member in a user group

Rules and Monitors can be set to assign incidents automatically to a user group or a user within the user group. You can also set rules and monitors to automatically assign incidents to the least busy member in a user group. Only user groups are considered when incidents are automatically assigned to the least busy member. The member with the lowest incident load factor is considered the least busy member in a user group. See About automatically assigning incidents on page 140.

When incidents are assigned automatically to a user group for the first time, the first user in the user group becomes eligible for incident assignment. When an incident gets assigned to a member in the user group, a log entry is created for that incident. In the Incident log, this entry is listed as SSIM against the user name of that member.

To assign incidents automatically to the least busy user
1 In the Information Manager console, click Rules.
2 Select a rule or a monitor that must be automatically assigned.
3 On the Actions tab, check Enable Auto Assign.
4 Check Assign to least busy user and then select the corresponding user group.

When the rule is deployed, the incidents are automatically assigned to the least busy member in the user group.

Creating a multicondition rule

Consider a sample scenario for creating an event when a combination of conditions is fulfilled. See About rule conditions on page 124.

If the following conditions are met, then an event must be triggered:
- The user logs on to a Windows domain controller.
- The user creates a new user.
- The user modifies the privileges for the newly created user. (For example, the user gives the new user domain admin privileges.)
- The user logs out.

Note: The event codes in the procedures are applicable to Microsoft Windows. They may vary for other operating systems.

To create a new rule
1 On the console of the Information Manager client, click Rules.
2 In the left navigation pane, under the Correlation Rules folder, click User Rules.
3 On the Rules tab, click Create new filter or rule (+).
4 In the Input dialog box, type a name for the rule. The rule name appears in red under the User Rules folder.
5 In the description box, type the description for the rule. (For example, monitor for the events that occur when all the conditions that are specified are fulfilled.)

Once you create a new rule, you must configure the rule conditions that are required based on the scenario.

To configure the rule conditions
1 On the Conditions tab, in the Description window, type a description for the rule.
2 On the Conditions tab, on the Rule Type menu, click MultiCondition as it applies to the new rule.
3 In the Event Criteria area, click Add. Add the conditions that are required to trigger the rule.

To add Condition 1
1 Select the left column of the new entry. From the drop-down list that appears, select the Events tab and click the Host Intrusion Activity folder. From the collapsible list that is displayed, select Intrusion Action ID.
2 Select the center column and select the = operator.

3 Select the right column, and then select Login. This value corresponds to the logon action.
4 If the events must occur more than once for an incident to be declared, specify the count of events in the Event Count list that is located in the Event Criteria area.

Add the other conditions that are required to trigger the rule.

To add Condition 2
1 Under Rule Type, click Add to add a second condition.
2 Select the left column of the new entry for Condition 2. From the drop-down list that appears, click the Common tab and select Symantec Event Code.
3 Select the center column and select the = operator.
4 Select the right column, and then select 722. This value corresponds to a new user account being created.
5 If the events must occur more than once for an incident to be declared, in the Event Criteria area, specify the count of events in the Event Count list.

Add the other conditions that are required to trigger the rule.

To add Condition 3
1 Under Rule Type, click Add to add a third condition.
2 Select the left column of the new entry for Condition 3. From the drop-down list that appears, click the Common tab and select Vendor Signature.
3 Select the center column and select the = operator.
4 Select the right column, and then select 632. This value corresponds to a new user account being added to the domain admin group for the third condition.
5 If the events must occur more than once for an incident to be declared, in the Event Criteria area, specify the count of events in the Event Count list.

Add the other conditions that are required to trigger the rule.

To add Condition 4
1 Under Rule Type, click Add to add a fourth condition.
2 Select the left column of the new entry for Condition 4. From the drop-down list that appears, click the Common tab and select Symantec Event Code.
3 Select the center column and select the = operator.
4 Select the right column, and then select 720. This value corresponds to the user account log-off for the fourth condition.

5 In the Tracking Keys area, under the One-Many field, click Add and select Agent Host. Under the Tracking field, click Add and select IP destination address.
6 If the events must occur more than once for an incident to be declared, in the Event Criteria area, specify the count of events in the Event Count list.
7 In Span, set the time span equal to 20 minutes.
8 In Table Size, specify the maximum number of events that the rule can track at any one time.

After you configure the rule conditions you must configure the rule actions.

To configure the rule actions
1 On the Actions tab, in the Conclusion Severity option, specify the severity that you want associated with the incident.
2 In the Conclusion Description area, type a description of the problem. This information appears to users who are assigned the incidents or the tickets that are based upon the incidents that this rule triggers. (Optional) Click Add (+) to include the values of fields from the final event that triggered the conclusion.
3 In the Correlate By drop-down list, specify the method by which conclusions are grouped into incidents.
4 In the Resource Field menu, choose the desired event fields. Conclusions can be correlated together into the incidents that are based on the value of this resource field.
5 To specify that a user or team is automatically assigned to incidents that this rule creates, do the following:
    - Turn on Enable Auto Assign.
    - If you want to automatically assign incidents to the least busy member in a user group, check Assign to least busy user and then select the corresponding user group.
    - To assign the incident based upon the IP address of the affected target computer, in the left column, type the IP address or netmask.
    - In the User column, click the user to whom you want to assign the incidents.
    - In the User Group column, click the help desk team to which you want to assign the incidents.
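The following is an added example, not Information Manager code, that evaluates the four-condition sequence configured above (Intrusion Action ID = Login, Symantec Event Code = 722, Vendor Signature = 632, Symantec Event Code = 720) in order, per Agent Host, within a 20-minute span. The field names, host names and events are constructed, and each condition's Event Count is taken to be 1.

```python
class MultiConditionRule:
    """Ordered sequence detector keyed on the One-Many fields, bounded by Span."""

    def __init__(self, name, conditions, one_many_fields, span_seconds):
        self.name = name
        self.conditions = conditions             # predicates, in the required order
        self.one_many_fields = one_many_fields   # key that ties a sequence together
        self.span = span_seconds
        self.progress = {}  # key -> (next condition index, start time, matched events)

    def _key(self, event):
        return tuple(event.get(f) for f in self.one_many_fields)

    def process(self, event):
        """Feed events in time order; return a conclusion when the sequence completes."""
        key = self._key(event)
        idx, start, seen = self.progress.get(key, (0, None, []))
        if start is not None and event["time"] - start > self.span:
            # The window lapsed without completing the sequence: start over.
            self.progress.pop(key, None)
            idx, start, seen = 0, None, []
        if not self.conditions[idx](event):
            return None   # not the next step in the sequence; progress is kept
        start = event["time"] if start is None else start
        seen = seen + [event]
        idx += 1
        if idx == len(self.conditions):
            self.progress.pop(key, None)
            return {"rule": self.name, "key": key, "events": seen}
        self.progress[key] = (idx, start, seen)
        return None


# The four conditions of the sample scenario, using constructed field names.
CONDITIONS = [
    lambda e: e.get("intrusion_action_id") == "Login",   # Condition 1: logon
    lambda e: e.get("symantec_event_code") == 722,       # Condition 2: account created
    lambda e: e.get("vendor_signature") == 632,          # Condition 3: added to domain admins
    lambda e: e.get("symantec_event_code") == 720,       # Condition 4: logoff
]


def make_rule():
    return MultiConditionRule("Privileged account creation", CONDITIONS,
                              ["agent_host"], span_seconds=20 * 60)


def run(events):
    """Return the conclusions raised by feeding the constructed events in order."""
    rule = make_rule()
    return [c for c in (rule.process(e) for e in events) if c is not None]


# Constructed events: dc-01 completes the sequence in 15 minutes; dc-02 logs off
# after the 20-minute span has lapsed and so never completes it.
SAMPLE_EVENTS = [
    {"agent_host": "dc-01", "intrusion_action_id": "Login", "time": 0},
    {"agent_host": "dc-02", "intrusion_action_id": "Login", "time": 10},
    {"agent_host": "dc-01", "symantec_event_code": 722, "time": 300},
    {"agent_host": "dc-02", "symantec_event_code": 722, "time": 310},
    {"agent_host": "dc-01", "vendor_signature": 632, "time": 600},
    {"agent_host": "dc-02", "vendor_signature": 632, "time": 610},
    {"agent_host": "dc-01", "symantec_event_code": 720, "time": 900},
    {"agent_host": "dc-02", "symantec_event_code": 720, "time": 1500},
]

if __name__ == "__main__":
    for conclusion in run(SAMPLE_EVENTS):
        print(conclusion["rule"], conclusion["key"], len(conclusion["events"]))
```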

After you specify the conditions and the actions, you can test the rule and then deploy it on the server.

To deploy the rule on the server
1 On the Testing tab, specify the location of a file containing event data, and then click Start Test.
2 When you are satisfied with the incidents and conclusions that this rule creates, turn on the rule in the Rules list.
3 On the top toolbar, click Deploy to the server.

Creating a correlation rule based on the X not followed by Y rule type

Consider a sample scenario wherein a user logs on to a critical system and carries out some activity. However, the user fails to log off within an hour. Normally such a logon should last for less than an hour. If the user does not log off within an hour, this suspicious activity results in an event with a conclusion. This sample scenario is an example of Y not following X. See About rule types on page 125.

To create a correlation rule for X not followed by Y
1 On the console of the Information Manager client, click Rules.
2 In the left navigation pane, under the Correlation Rules folder, click User Rules.
3 On the Rules tab, click Create new filter or rule (+).
4 In the Input dialog box, type a name for the rule. The rule name appears in red under the User Rules folder. Example: Rule for Event Definition with negatives
5 In the Descriptions box, type the description for the rule. Example: Monitor for the events that have not occurred in a defined sequence.

You can now define the required rule condition. An event is generated if the set of user actions satisfies the defined condition. In this example, X is the normal activity of a logon. Y is an activity of a logoff. Normally, Y follows X. However, in this example the logoff does not happen even after an hour. Therefore, use the rule type of X not followed by Y to trigger an event.

To configure the rule conditions and actions
1 On the Conditions tab, on the Rule Type menu, click the rule X not followed by Y.
2 In the Event Criteria area, click + to add a criterion for X.
3 Select the left column of the new entry, and then choose the event type as Mechanisms.
4 Select the center column and select the operator contains.
5 Select the right column, and then specify the value Login.
6 To add the criterion for Y, in the Event Criteria Postcondition area, select the left column of the new entry, and then choose the Mechanisms event type.
7 Select the center column and select the operator contains.
8 Select the right column, and then specify the value Logout.
9 In the Tracking Keys area under the One-Many fields, click Add to specify the fields that you want to track: for example, the Source IP address. Under the Tracking fields column, if you want to track the date of the event, you can add Event Date.
10 In the Event Count box, specify the number of times that the event criteria that you specified must be true for an incident to be declared.
11 In the Span box, specify the amount of time within which the two events X and Y must occur. For example, you can specify that the two events X and Y must occur within 60 minutes, failing which an incident is declared.
12 In the Table Size box, specify the maximum number of events that the rule can track at any one time. The table size should generally be a multiple of the Event Count setting.
13 On the Actions tab, you can specify whether the incident is an Alerting incident and not a security incident. You can add the description and the remediation for that incident.
14 In the following areas for Autoassignments and Notifications you can specify whether the incident should be assigned automatically to the users or groups selected.
15 In the Notification area, you can enable notifications and specify the address of the recipients. You can add one or more recipients to receive the notifications.

You must deploy the rule after you have created and configured the rule.

To deploy the rule
1 On the console of the Information Manager client, click Rules.
2 In the left navigation pane, place a check mark in the box next to the rule that you want to deploy.
3 In the top toolbar, click Deploy.

Creating a correlation rule based on the X not followed by X rule type

Consider a sample scenario wherein a user tries to log on, fails, and does not attempt to log on again for 30 minutes. Normally, an authorized user tries to log on again within 30 minutes. However, this user waits for more than 30 minutes before attempting to log on again. This behavior indicates the suspicious activity that results in an event with a conclusion. This sample scenario is an example of X not following X. See About rule conditions on page 124.

To create a correlation rule for X not followed by X
1 On the console of the Information Manager client, click Rules.
2 In the left navigation pane, under the Correlation Rules folder, click User Rules.
3 On the Rules tab, click Create new filter or rule (+).
4 In the Input dialog box, type a name for the rule. Example: Rule for Event Definition with negatives
5 In the Descriptions box, type a brief description for the rule. Example: Monitors for predefined behavior of events.

You can now define the required rule condition. An event is generated if the set of user actions satisfies the defined condition. In this example, X is the normal activity of a logon. Normally, a failed logon attempt is followed by another logon attempt within a 30-minute period. However, in this example the user does not attempt to log on for more than 30 minutes. Therefore, you can use the rule type X not followed by X to trigger an event.

To configure the rule conditions and actions
1 On the Conditions tab, on the Rule Type menu, click the rule X not followed by X.
2 In the Event Criteria area, click + to add a criterion for X.

3 Select the left column of the new entry, and then choose the event type as Mechanisms.
4 Select the center column and select the operator contains.
5 Select the right column and then specify the value Login.
6 Click Add to add the second criterion for X. Then select the left column of the new entry, and in the drop-down list under Events, collapse the Intrusion Activity folder. Select Intrusion Outcome ID.
7 Select the center column and select the operator =.
8 Select the right column, and then specify the value Failed.
9 In the Tracking Keys area under the One-Many fields, click Add to specify the fields to track: for example, the Source IP address. Under the Tracking fields column, if you want to track the date of the event, add Event Date.
10 In the Event Count box, specify the number of times that the event criteria that you specified must be true for an incident to be declared.
11 In the Span box, specify the amount of time for the event. For example, you can specify 30 minutes, failing which an incident is declared.
12 In the Table Size box, specify the maximum number of events that the rule can track at any one time. The table size should generally be a multiple of the Event Count setting.
13 On the Actions tab, specify whether the incident is an Alerting incident rather than a security incident. Add the description and the remediation for that incident.
14 In the Auto assignments and Notifications areas that follow, specify whether the incident should be assigned automatically to the selected users or groups.
15 In the Notification area, enable notifications and specify the address of the recipients. You can add one or more recipients to receive the notifications.

You must deploy the rule after you have created and configured it.

To deploy the rule
1 On the console of the Information Manager client, click Rules.
2 In the left navigation pane, place a check mark in the box next to the rule to deploy.
3 In the top toolbar, click Deploy.

Creating a correlation rule for the Y not preceded by X rule type
Consider a sample scenario wherein a user logs on to a Linux system. The user uses PuTTY or another secure connection mode to log on to the su (superuser) role and creates another user. Normally, to create a new user role, you log on as root. However, this user bypasses the root logon and a new user account is created. This sample scenario is an example of X not preceding Y.

To create a correlation rule for Y not preceded by X
1 On the console of the Information Manager client, click Rules.
2 In the left navigation pane, under the Correlation Rules folder, click User Rules.
3 On the Rules tab, click Create new filter or rule (+).
4 In the Input dialog box, type a name for the rule.
Example: Rule for Event Definition with negatives
5 In the Descriptions box, enter a brief description for the rule.
Example: Monitors for the events occurring in correct sequence.

In this example, X is the activity of a root logon. Y corresponds to the creation of a new user account. Normally, a new user is created by logging on as root. However, in this example, the user does not log on as root but as a normal user, and is still able to create a new user account. Therefore, you can use the rule type Y not preceded by X to trigger an event. You can now define the required rule condition. An event is generated if the set of user actions satisfies the defined condition.

To configure the rule conditions and actions
1 On the Conditions tab, on the Rule Type menu, click the rule Y not preceded by X.
2 In the Event Criteria area, click + to add a criterion for X.
3 Select the left column of the new entry, and then choose the event type as Symantec Event Code.
4 Select the center column and then select the operator =.
5 Select the right column, and then specify the value 733, which corresponds to the user action.
6 Click Add to add the second criterion for X. Then select the left column of the new entry, and in the drop-down list under the Events tab, collapse the folder for Intrusion Activity. Select Intrusion Outcome ID.
7 Select the center column and select the operator =.

8 Select the right column, and then specify the value Failed.
9 In the Tracking Keys area under the One-Many fields, click Add to specify the fields to track: for example, the source IP address. Under the Tracking fields column, to track the date of the event, add Event Date.
10 In the Event Count box, specify the number of times that the event criteria that you specified must be true for an incident to be declared.
11 In the Span box, specify the amount of time for the event. For example, you can specify 30 minutes, failing which an incident is declared.
12 In the Table Size box, specify the maximum number of events that the rule can track at any one time. The table size should generally be a multiple of the Event Count setting.
13 On the Actions tab, you can specify whether the incident is an Alerting incident rather than a security incident. You can add the description and the remediation for that incident.
14 In the Autoassignments and Notifications areas that follow, you can specify whether the incident should be assigned automatically to the selected users or groups.
15 In the Notification area, you can enable notifications and specify the address of the recipients. You can add one or more recipients to receive the notifications.

You must deploy the rule after you have created and configured it.

To deploy the rule
1 On the console of the Information Manager client, click Rules.
2 In the left navigation pane, place a check mark in the box next to the rule to deploy.
3 In the top toolbar, click Deploy.

Creating a correlation rule for the Lookup Table Update
The Lookup Table Update rule is set to dynamically collect information in the lookup tables. Any rule can refer to this information to generate incidents, tickets, and assets. You can create a correlation rule that refers to an existing lookup table that gets dynamically updated.
After you create a rule, you can configure the rule conditions and actions and deploy it. This rule is created only to update the lookup table. Therefore, conclusions are not created for the Lookup Table Update rule.
See About rule types on page 125.
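As an added example that is not part of the guide, the following Python model shows how the two negative rule types walked through above, X not followed by X and Y not preceded by X, behave with a tracking key (source IP), a 30-minute span and a table size. The event field names, the placeholder root-logon code 700 and the exact window semantics are assumptions made for the illustration.

```python
"""Toy model of the X not followed by X and Y not preceded by X rule types.
Constructed example, not Symantec code: field names, the placeholder root-logon
code 700 and the exact window semantics are assumptions."""
from collections import OrderedDict

SPAN_MINUTES = 30  # the 30-minute span both walkthroughs use
TABLE_SIZE = 100   # maximum keys tracked at once, like the Table Size box

def matches(event, criteria):
    """True when every (field, operator, value) criterion holds; only the
    operators the walkthroughs use, = and contains, are handled."""
    for field, op, value in criteria:
        actual = str(event.get(field, ""))
        if op == "=" and actual != value:
            return False
        if op == "contains" and value not in actual:
            return False
    return True

class XNotFollowedByX:
    """Incident when an X event for a tracking key is not followed by another X
    for the same key within the span. Assumed: a second X inside the span
    satisfies the pattern and clears the first, so nothing is declared."""

    def __init__(self, x_criteria, key_field, span=SPAN_MINUTES, table_size=TABLE_SIZE):
        self.x, self.key_field, self.span, self.table_size = x_criteria, key_field, span, table_size
        self.pending = OrderedDict()  # key -> time of the unanswered X
        self.incidents = []

    def _expire(self, now):
        for key, ts in list(self.pending.items()):
            if now - ts > self.span:  # window closed with no second X
                self.incidents.append((key, ts))
                del self.pending[key]

    def feed(self, event):
        self._expire(event["ts"])
        if not matches(event, self.x):
            return
        key = event[self.key_field]
        if key in self.pending:  # X followed by X: pattern satisfied
            del self.pending[key]
            return
        self.pending[key] = event["ts"]
        while len(self.pending) > self.table_size:
            self.pending.popitem(last=False)  # table full: drop the oldest key

    def close(self, now):
        self._expire(now)  # a real engine does this on a timer
        return self.incidents

class YNotPrecededByX:
    """Incident when a Y event for a key has no X for the same key in the
    preceding span."""

    def __init__(self, x_criteria, y_criteria, key_field, span=SPAN_MINUTES, table_size=TABLE_SIZE):
        self.x, self.y, self.key_field, self.span, self.table_size = x_criteria, y_criteria, key_field, span, table_size
        self.recent_x = OrderedDict()  # key -> time of the latest X
        self.incidents = []

    def feed(self, event):
        now, key = event["ts"], event[self.key_field]
        if matches(event, self.x):
            self.recent_x[key] = now
            self.recent_x.move_to_end(key)
            while len(self.recent_x) > self.table_size:
                self.recent_x.popitem(last=False)
        if matches(event, self.y):
            last_x = self.recent_x.get(key)
            if last_x is None or now - last_x > self.span:
                self.incidents.append((key, now))
        return self.incidents

# Constructed events: ts is minutes from an arbitrary origin, source_ip the tracking key.
LOGON_EVENTS = [
    {"ts": 0, "mechanism": "Login", "intrusion_outcome": "Failed", "source_ip": "10.0.0.5"},
    {"ts": 5, "mechanism": "Login", "intrusion_outcome": "Failed", "source_ip": "10.0.0.9"},
    {"ts": 12, "mechanism": "Login", "intrusion_outcome": "Failed", "source_ip": "10.0.0.9"},  # retried in time
    {"ts": 70, "mechanism": "Login", "intrusion_outcome": "Success", "source_ip": "10.0.0.5"},  # 70 min later
]
SU_EVENTS = [  # 700 is a placeholder root-logon code; 733 is the user action code from the walkthrough
    {"ts": 0, "event_code": "700", "source_ip": "10.0.0.5"},
    {"ts": 3, "event_code": "733", "source_ip": "10.0.0.5"},  # preceded by a root logon
    {"ts": 8, "event_code": "733", "source_ip": "10.0.0.7"},  # no root logon at all
    {"ts": 45, "event_code": "733", "source_ip": "10.0.0.5"},  # root logon older than the span
]

def run_x_not_followed_by_x():
    rule = XNotFollowedByX([("mechanism", "contains", "Login"), ("intrusion_outcome", "=", "Failed")], "source_ip")
    for ev in LOGON_EVENTS:
        rule.feed(ev)
    return rule.close(LOGON_EVENTS[-1]["ts"])  # -> [("10.0.0.5", 0)]

def run_y_not_preceded_by_x():
    rule = YNotPrecededByX([("event_code", "=", "700")], [("event_code", "=", "733")], "source_ip")
    for ev in SU_EVENTS:
        rule.feed(ev)
    return rule.incidents  # -> [("10.0.0.7", 8), ("10.0.0.5", 45)]
```

Only the failed logon from 10.0.0.5 that was never retried becomes an incident in the first run; in the second, both user creations without a recent root logon do.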

Consider a sample scenario wherein a stack of intentionally bad credit cards is distributed to serve as bait for malicious users. A malicious user intending to commit fraud can use one of the bait cards that have been distributed. A list of such bait credit cards is maintained in a lookup table. Whenever a credit card usage event contains any of these bait credit card numbers, the source IP address of this event is immediately stored in the lookup table of the Information Manager. Later, if a legitimate usage event originates from the stored source IP address, it indicates fraud by the malicious user. A correlation rule that is set to refer to the dynamically updated lookup table generates an incident for the events that occur from the stored source IP address. Here a lookup table must be configured with a Lookup Table Update rule to receive updates of the source IP address.

To create a correlation rule for Lookup Table Update
1 In the console of the Information Manager client, click Rules.
2 In the left navigation pane, under the Correlation Rules folder, click User Rules.
3 On the Rules tab, click Create new rule (+).
4 In the Descriptions box, enter a brief description for the rule.

You can now configure the required rule conditions and actions. An event is generated whenever the lookup table is updated with the specified event criteria.

To configure the rule conditions and actions
1 On the Conditions tab, on the Rule Type menu, select Lookup Table Update Rule.
2 In the Event Criteria area, click + and specify the event criteria.
3 On the Actions tab, configure the actions for the Lookup Table Update rule by editing any of the following properties:
Lookup Table: Lets you select the User Lookup Table that is modified dynamically if the event satisfies the specified event criteria.
Table Column: Automatically updates the key column in the Lookup Table.
Event Field: Lets you select the existing event fields. If an event satisfies the specified event criteria, the value of this event field is used to populate the key column in the Lookup Tables.
Timeout in hours: Lets you specify the period after which an entry in the configured Lookup Tables is removed. The value is specified in hours. If the value specified is 0, entries in the Lookup Tables do not expire.
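The bait-card scenario and the Lookup Table Update properties above, as an added Python model that is not part of the guide: one rule copies the Event Field (source IP) of any bait-card usage into a lookup table with a Timeout in hours, and a second rule refers to that table to flag later legitimate usage from the stored address. Field names, card numbers and timings are constructed assumptions.

```python
"""Toy model of the Lookup Table Update rule and of a second rule that reads the
dynamically updated table, following the bait-card scenario above. Constructed
example, not Symantec code: field names, card numbers and timings are assumptions."""
from datetime import datetime, timedelta

# Constructed bait card numbers: the static list the scenario keeps in a lookup table.
BAIT_CARDS = {"4000-0000-0000-0001", "4000-0000-0000-0002"}


class LookupTable:
    """Keyed table whose entries expire after timeout_hours; 0 means entries
    never expire, as for the Timeout in hours property."""

    def __init__(self, timeout_hours):
        self.timeout = timedelta(hours=timeout_hours) if timeout_hours else None
        self.rows = {}  # key column value -> time the entry was written

    def update(self, key, when):
        self.rows[key] = when  # rewriting an existing key refreshes its age

    def contains(self, key, now):
        written = self.rows.get(key)
        if written is None:
            return False
        if self.timeout is not None and now - written > self.timeout:
            del self.rows[key]  # expired entries are dropped when looked up
            return False
        return True


def lookup_table_update_rule(event, table):
    """Lookup Table Update rule: when the event criteria hold (a card usage with
    a bait card number) copy the Event Field, here source_ip, into the table's key
    column. It creates no conclusion, so it returns nothing."""
    if event["type"] == "card_usage" and event["card"] in BAIT_CARDS:
        table.update(event["source_ip"], event["ts"])


def bait_ip_reuse_rule(event, table):
    """Rule that refers to the updated table: a legitimate card usage from a
    stored source IP is the follow-up the scenario wants flagged."""
    if event["type"] == "card_usage" and event["card"] not in BAIT_CARDS:
        if table.contains(event["source_ip"], event["ts"]):
            return ("bait_ip_reuse", event["source_ip"], event["card"])
    return None


T0 = datetime(2011, 1, 1, 9, 0)
# Constructed event stream in time order; 203.0.113.7 first uses a bait card.
EVENTS = [
    {"ts": T0, "type": "card_usage", "card": "4000-0000-0000-0001", "source_ip": "203.0.113.7"},
    {"ts": T0 + timedelta(minutes=20), "type": "card_usage", "card": "4111-1111-1111-1111", "source_ip": "203.0.113.7"},
    {"ts": T0 + timedelta(hours=1), "type": "card_usage", "card": "4111-1111-1111-1111", "source_ip": "198.51.100.3"},
    {"ts": T0 + timedelta(hours=30), "type": "card_usage", "card": "5555-5555-5555-4444", "source_ip": "203.0.113.7"},
]


def run(timeout_hours):
    """Feed the stream through both rules and return the incidents declared."""
    table = LookupTable(timeout_hours)
    incidents = []
    for event in EVENTS:
        lookup_table_update_rule(event, table)
        hit = bait_ip_reuse_rule(event, table)
        if hit:
            incidents.append(hit)
    return incidents  # run(24) -> one incident; run(0) -> two, the 30-hour one included
```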

After configuring the rule conditions, you must enable and deploy the rule.

To deploy the rule
1 In the console of the Information Manager client, click Rules.
2 In the left navigation pane, place a check mark in the box next to the rule to deploy.
3 In the top toolbar, click Deploy.

Enabling and disabling rules
By enabling or disabling rules in the Rules view of the Information Manager console, you can temporarily filter certain network events. You can also change the way the Correlation Manager declares incidents.
See About correlation rules on page 123.
Note: In some cases, such as when the server is under a heavy event load, disabling or deleting a rule may not take effect immediately.

To enable or disable a rule
1 From the Information Manager console, click Rules.
2 In the left navigation pane, check or uncheck the box next to a rule. A check mark against the rule indicates that the rule is selected to be enabled.
3 In the top toolbar, click Deploy.

Working with the Lookup Tables window
You can view and update the lookup table information from the Rules view. List entries change over time due to updates from LiveUpdate. You can also create user-defined lookup tables under the User Lookup Tables folder.
See About correlation rules on page 123.
The Lookup Tables provide a set of configurable tables that let you extend the functioning of rules. To ensure that some correlation rules function properly, you must populate the Lookup Tables with the information that is applicable to your network and resources. Key settings include the domains that apply to your network, the files to be monitored, and the users to be monitored. If required, additional user tables can be added based on your specifications.
Table 8-9 lists the Lookup Tables and the types of information that they contain.

Table 8-9 Lookup Tables (Category: Description)
Administrative Users: List of users who can perform administrative activities.
Authorized Ports Inbound: List of authorized ports through which incoming traffic is allowed as per the policies.
Authorized Ports Outbound: List of authorized ports through which outgoing traffic is allowed as per the policies.
Critical Servers: Lists the IP addresses of the servers that are critical from a business perspective.
default usernames: List of authorized users.
ip watchlist: Lists the IP addresses of known attackers. An incident is created if an event is detected from one of these IP addresses. The IP Watch List table is a configurable table that is available for manually tracking known bad IP addresses. DeepSight and LiveUpdate updates maintain a separate internal IP Watch List. That list contains IP addresses known to be malicious in the larger Internet environment.
IP Whitelist Table: Lists the whitelisted IP addresses. These IP addresses and domain names are reputable and can be trusted. You can add your trusted domain names and IP addresses to the list.
Monitored Logging Devices: Lists the logging devices that must be monitored for an idle state after a specific time span.
Organization Domains: Provides a table in which the user describes the organizational domains that are monitored.
P2P Programs: Lists the P2P programs.
Potential Policy Violation IPs: Lists the IP addresses of the hosts that can potentially violate the policy.
Rapid Response Monitored Address Traffic: Lists all the bad IP addresses with which your sensitive data can communicate.
sensitive files: Lists the file names to monitor during FTP transfers.

Table 8-9 Lookup Tables (continued)
sensitive urls: Lists the text strings that are often included in malicious URLs.
services: Lists the services that are associated with each port number.
trojans: Lists known Trojan horse exploits.
user watchlist: Provides a table in which you can list users and the user names that formerly had access to the network.
Weekdays: Lists the days of the week to allow further refinement of queries based on the day or days associated with an event.
Weekend: Lists the days of the weekend to allow further refinement of queries based on the day or days associated with an event.
windows events: Lists the Windows events that may indicate violations of security policies or other malicious activities.

Note: Additional lookup tables can be downloaded into the system through LiveUpdate.

To add an entry to the Organization Domains watchlist
1 On the Information Manager console, click Rules.
2 In the left navigation pane, expand the Lookup Tables folder.
3 Expand the System Lookup Tables folder.
4 Click Organization Domains.
5 Click New Record (+).
6 In the spaces provided, type a name and description.
7 Click Deploy to Server.
8 In the Deployed Modified Items dialog box, enter a comment that describes the addition of the entry, and then click OK to deploy the change.

To add an entry to the IP watchlist
1 On the Information Manager console, click Rules.
2 In the left navigation pane, expand the Lookup Tables folder.
3 Expand the System Lookup Tables folder.
4 Click ip watchlist (if it is not selected).
5 Click New Record (+).
6 In the spaces provided, type the desired IP address and description.
7 Click Deploy to Server.
8 In the Deployed Modified Items dialog box, enter a comment that describes the addition of the entry, and then click OK to deploy the change.

To add an entry to the sensitive files list
1 On the Information Manager console, click Rules.
2 In the left navigation pane, expand the Lookup Tables folder.
3 Expand the System Lookup Tables folder.
4 Click sensitive files.
5 Click New Record (+).
6 In the space that is provided, type the name of the file.
7 Click Deploy to Server.
8 In the Deployed Modified Items dialog box, enter a comment that describes the addition of the entry, and then click OK to deploy the change.

To add an entry to the sensitive urls list
1 On the Information Manager console, click Rules.
2 In the left navigation pane, expand the Lookup Tables folder.
3 Expand the System Lookup Tables folder.
4 Click sensitive urls.
5 Click New Record (+).
6 In the URL Substring column, type the URL.
7 In the Attack Type column, type the kind of attack that is associated with this URL.
8 Click Deploy to Server.
9 In the Deployed Modified Items dialog box, enter a comment that describes the addition of the entry, and then click OK to deploy the change.

To add an entry to the services list
1 On the Information Manager console, click Rules.
2 In the left navigation pane, expand the Lookup Tables folder.
3 Expand the System Lookup Tables folder.
4 Click services.
5 Click New Record (+).
6 In the Service column, type a description.
7 In the Port column, type the port number to add.
8 Click Deploy to Server.
9 In the Deployed Modified Items dialog box, enter a comment that describes the addition of the entry, and then click OK to deploy the change.

To add an entry to the Trojan horses list
1 On the Information Manager console, click Rules.
2 In the left navigation pane, expand the Lookup Tables folder.
3 Expand the System Lookup Tables folder.
4 Click trojans.
5 Click New Record (+).
6 In the Port column, type the port number that is associated with the attack.
7 In the Protocol column, type the network protocol (such as TCP or UDP) that is associated with the attack.
8 In the Trojan Name(s) column, type the name of the Trojan horse.
9 Click Deploy to Server.
10 In the Deployed Modified Items dialog box, enter a comment that describes the addition of the entry, and then click OK to deploy the change.

To add an entry to the user watchlist
1 On the Information Manager console, click Rules.
2 In the left navigation pane, expand the Lookup Tables folder.
3 Expand the System Lookup Tables folder.
4 Click user watchlist.
5 Click New Record (+).
6 In the spaces provided, type the user name, name, and departure date of the employee or account to add.

7 Click Deploy to Server.
8 In the Deployed Modified Items dialog box, enter a comment that describes the addition of the entry, and then click OK to deploy the change.

To add an entry to the Windows Events list
1 On the Information Manager console, click Rules.
2 In the left navigation pane, expand the Lookup Tables folder.
3 Expand the System Lookup Tables folder.
4 Click windows events.
5 Click New Record (+).
6 In the ID column, type the desired Microsoft Windows event type.
7 In the Category column, type the kind of activity that is associated with the event.
8 In the Description column, type a description for this kind of event.
9 Click Deploy to Server.
10 In the Deployed Modified Items dialog box, enter a comment that describes the addition of the entry, and then click OK to deploy the change.

To delete an entry from the Lookup Tables
1 On the Information Manager console, click Rules.
2 In the left navigation pane, expand the Lookup Tables folder.
3 Expand the System Lookup Tables folder.
4 Click the table with the entry to be deleted and select the entry.
5 Click Delete Records.
6 Click Yes to confirm the deletion.
7 Click Deploy to Server.
8 In the Deployed Modified Items dialog box, enter a comment that describes the deletion of the entry.
9 Click OK to deploy the change.

Creating a user-defined Lookup Table
To create a user-defined lookup table, you first define the columns in the table, and then you add the data.
See Working with the Lookup Tables window on page 152.

To create a user-defined lookup table
1 On the Information Manager console, click Rules.
2 In the left navigation pane, expand the User Lookup Tables folder.
3 Click Create new filter or rule (+).
4 In the Input dialog that appears, type the name of the table you want to create, and click OK. The name of the table must not match the name of an existing table or rule.
5 On the Content tab, click Add Records (+). Enter the Name, Type, and Description values for a column that you want to use in your table. You can select any of the following types of values for a record in a column:
Float
IP Mask
Date
String
IP address
Integer
6 For each additional column, repeat step 5.
7 After creating the columns, select the Key option button corresponding to the column that forms the primary column in the table.
8 Click Done.
9 To add data to the table that you have created, do one of the following:
Click Add Records and enter the information in the available fields.
Click Import Records. After you choose the file that you want to import, a wizard guides you through the steps to map the data that is stored in the file to the columns that you have added in the Lookup Table.
10 When you are finished, click Deploy.
11 In the Deploy Modified Items dialog box, choose the items that you want to deploy. You can enter an optional comment in the available field.
12 Click OK.

Importing Lookup Tables and records
You can import a previously exported Information Manager Lookup Table from a file. Alternatively, you can import the records that are stored in comma-separated or tab-separated format into an existing Lookup Table.
See Working with the Lookup Tables window on page 152.
Note: When you import records into an existing Lookup Table, you can import a maximum of 1024 entries.

To import an exported Lookup Table
1 On the Information Manager console, click Rules.
2 In the left navigation pane, click the User Lookup Tables folder.
3 Click Import from Disk.
4 In the Select File(s) to Import dialog, choose the file, and click Import.

To import records into an existing Lookup Table
1 On the Information Manager console, click Rules.
2 In the left navigation pane, expand the User Lookup Tables folder.
3 In the table into which you want to import records, on the Content tab, click Import Records.
4 In the Open dialog box, choose the file that contains the data to be imported, and click Open.
5 In the Import Lookup Table Records wizard, choose the delimiter that is used in the file, and the appropriate options. The preview pane displays a representation of your choices.
6 Click Next.
7 In the next pane, use the Field Options area to specify how the data in the file maps to the columns in the Lookup Table. Click Next.
8 In the next pane, click Start.
9 When the import process is finished, click Finish.
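The column types of a user-defined Lookup Table and the 1024-record import limit above, as an added Python example that is not part of the guide: a validator that maps comma- or tab-delimited records onto a typed column schema before they reach the table, so that malformed values, duplicate keys and oversized files are reported rather than imported. The schema, the date format and the message texts are assumptions.

```python
"""Validator for records imported into a user-defined Lookup Table, using the
column types listed above and the 1024-record import limit. Constructed example,
not Symantec code: the column schema, the date format and the message texts are
assumptions."""
import csv
import io
import ipaddress
from datetime import datetime

MAX_IMPORT_RECORDS = 1024  # import limit stated in the guide

# One converter per column type; each raises ValueError on bad input.
PARSERS = {
    "Float": float,
    "Integer": int,
    "String": str,
    "Date": lambda v: datetime.strptime(v, "%Y-%m-%d").date(),  # assumed date format
    "IP address": ipaddress.ip_address,
    # IP Mask is taken to mean a network in CIDR or address/netmask form (assumption).
    "IP Mask": lambda v: ipaddress.ip_network(v, strict=False),
}


def import_records(text, columns, key_column, delimiter=","):
    """Parse comma- or tab-delimited text into typed rows.

    columns is a list of (name, type) in file order; key_column must be unique.
    Returns (rows, errors) where errors are 'line N: reason' strings. Records past
    the import limit are refused rather than silently dropped."""
    reader = csv.reader(io.StringIO(text), delimiter=delimiter)
    rows, errors, seen_keys = [], [], set()
    for lineno, fields in enumerate(reader, start=1):
        if not fields:
            continue  # blank line
        if len(rows) >= MAX_IMPORT_RECORDS:
            errors.append(f"line {lineno}: more than {MAX_IMPORT_RECORDS} records")
            break
        if len(fields) != len(columns):
            errors.append(f"line {lineno}: expected {len(columns)} fields, got {len(fields)}")
            continue
        row = {}
        try:
            for (name, ctype), raw in zip(columns, fields):
                row[name] = PARSERS[ctype](raw.strip())
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            continue
        key = row[key_column]
        if key in seen_keys:
            errors.append(f"line {lineno}: duplicate key {key}")
            continue
        seen_keys.add(key)
        rows.append(row)
    return rows, errors


# Constructed schema for a table of critical hosts; "host" is the key column.
COLUMNS = [("host", "IP address"), ("network", "IP Mask"), ("added", "Date"), ("severity", "Integer")]

# Constructed tab-separated sample: two good records and three bad ones.
SAMPLE_TSV = "\n".join([
    "10.0.0.10\t10.0.0.0/24\t2011-03-01\t3",
    "10.0.0.11\t10.0.1.0/255.255.255.0\t2011-03-02\t2",
    "10.0.0.300\t10.0.0.0/24\t2011-03-01\t1",  # not a valid IP address
    "10.0.0.10\t10.0.0.0/24\t2011-03-05\t4",   # duplicate key
    "10.0.0.12\t10.0.0.0/24\t03/01/2011\t1",   # wrong date format
])


def validate_sample():
    """Returns (rows, errors) for the constructed sample: 2 rows, 3 errors."""
    return import_records(SAMPLE_TSV, COLUMNS, "host", delimiter="\t")
```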


Section 4 Understanding event collectors
Chapter 9. Introducing event collectors
Chapter 10. Installing event collectors
Chapter 11. Configuring point products and collectors
Chapter 12. Configuring collectors for event filtering and aggregation


Chapter 9 Introducing event collectors
This chapter includes the following topics:
About Event Collectors and Information Manager
Components of collectors

About Event Collectors and Information Manager
Security products and operating systems generate many kinds of events. Some events are informational, such as a user logging on, and others may indicate a security threat, such as antivirus software being disabled. Symantec Event Collectors gather, filter, and aggregate these events and forward both the raw and the processed events to Information Manager.
See Components of collectors on page 164.
Event Collectors collect information from security devices, critical applications, and services, such as the following product types:
Firewalls
Routers, switches, and VPNs
Enterprise antivirus
Intrusion detection and intrusion prevention
Vulnerability scanners
Authentication servers
Windows and UNIX system logs
Information Manager stores the event data in event archives and correlates the events with threat and asset information. If a security event triggers a correlation rule, Information Manager creates a security incident.

Information Manager provides real-time event correlation and data archiving to protect against security threats and to preserve critical security data. For more details on event collectors, refer to the Symantec Event Collectors Integration Guide.

Components of collectors
Event collectors gather, filter, and aggregate security events and forward both the raw and the processed events to Information Manager.
See About Event Collectors and Information Manager on page 163.

Table 9-1 Major components of collectors (Component: Description)
Information Manager: Refers to the Symantec Security Information Manager where events are processed, filtered, and stored. Allows for the centralized collection, classification, and normalization of events to enable alerts and reports across managed security products.
Symantec Event Agent: Refers to the Java application that performs the communication functions for the Information Manager components on the system on which it is installed.
Collector: Refers to an application that collects events from security products, processes them, and passes them to the Agent.
Sensor: Refers to the component that reads events from a file, database, syslog, Windows event log, or other medium. The sensor then passes the events to the remaining collector components. The information is then delivered to the Agent to be sent to Information Manager.
Security or Point product: Refers to the software product, such as a firewall, antivirus software, or an operating system. The security product ensures that data is not vulnerable to unauthorized use or access and is the source of events to the collector.
See About Event Collectors and Information Manager on page 163.

Chapter 10 Installing event collectors
This chapter includes the following topics:
Before you install collectors
About installation and configuration tasks for collectors
Registering Collectors
Installing the Symantec Event Agent
Installing the collector on a remote computer
Installing collectors on an Information Manager server
About Symantec Universal Collectors
Downloading and installing the Symantec Universal Collectors

Before you install collectors
You must perform the following tasks before you install the collector:
Meet the requirements for both the point product and the collector. See Requirements for point products and the collectors on page 165.
Update the hosts file. See Updating the hosts file on page 166.
Run LiveUpdate before upgrading an earlier collector.

Requirements for point products and the collectors
Each collector is compatible with specific versions of a point product. Collectors can generally be installed on a variety of operating systems. Refer to the specific collector guide to confirm compatibility with the operating system.

See Before you install collectors on page 165.
In general, the following operating systems are supported:
Microsoft Windows 2000 with Service Pack 4 or later
Microsoft Windows Advanced Server 2000 with Service Pack 4 or later
Microsoft Windows Server 2003 Enterprise Edition with Service Pack 1 or later
Microsoft Windows Server 2003 Standard Edition with Service Pack 2 or later
Windows XP with Service Pack 2 or later
Red Hat Enterprise Linux AS 3.0
Red Hat Enterprise Linux AS 4.0
Red Hat Enterprise Linux AS 5.0
Sun Solaris (SPARC) 8.0, 9.0, and 10.0
Note: You can install version 4.3 collectors and later on both 32-bit and 64-bit versions of Windows Server 2000/2003. You can install version 4.2 collectors only on the 32-bit version of Windows Server 2000/2003.
Minimum system requirements for a remote collector installation are as follows:
Intel Pentium 133-MHz processor (up to and including Xeon processor), or SPARC IIIi or later
512 MB of memory minimum; 1 GB of memory for the Symantec Event Agent
35 MB of available hard disk space for collector program files
95 MB of available hard disk space to accommodate the Symantec Event Agent, the JRE, and the collector
TCP/IP connection to a network from a static IP address

Updating the hosts file
The hosts file contains IP address and host name mapping information. You must manually update the hosts file if there is no fully qualified domain name for the Information Manager server. You must also manually update the hosts file if you do not use a Domain Name System (DNS) server. You must add the IP address and host name information that is relevant to Information Manager and to the collectors that collect event data. Host names must be fully qualified domain names.
See Before you install collectors on page 165.

To update the hosts file
1 Navigate to the directory of the hosts file as follows: On Windows, the hosts file is located in the C:\WINDOWS\system32\drivers\etc folder. On UNIX, the hosts file is located in the /etc directory.
2 Use a text editor such as Notepad on Windows or vi on UNIX to open the hosts file.
3 Add the IP address and host name entries for the Information Manager server. Follow the instructions that are provided in the hosts file to add IP address and host name mapping information to the file. Use a tab between the IP address and the host name.
4 After you have added the IP address and host name, save and close the file. Ensure that the text editor that you use does not add a file extension.

About installation and configuration tasks for collectors
See About Event Collectors and Information Manager on page 163.
Collector installation and configuration include the following major tasks:
Preinstallation requirements: Depending on the collector, a collector can run on various operating systems. See Requirements for point products and the collectors on page 165. You must manually update the hosts file if there is no fully qualified domain name for the Information Manager server. See Updating the hosts file on page 166.
Registration of the collector: For all off-server collector installations, the Information Manager server requires you to register the collector for configuration settings and event schema. See Registering Collectors on page 170.

Installation of the Symantec Event Agent: You must install the Symantec Event Agent on the same computer as the collector. You should also verify Symantec Event Agent installation and operation.
Installation of the collector component: You must install the collector component to read data from the point product. You can install all collectors on a remote computer. You can install most collectors on the Information Manager server itself. Universal collectors, however, are installed by default on the Information Manager server, so you do not need to install them on the server. See Installing the collector on a remote computer on page 181. See Installing collectors on an Information Manager server on page 182. You should also verify collector installation. See Verifying collector installation on page 182.
Configuration of the point product: See About configuring a point product to work with a collector on page 189.

Configuration of the collector: Depending on the collector, you can configure the collector in the following ways:
Create and configure the sensor. See Creating and configuring sensors on page 190.
Enable the collector to collect the entire raw event message from the point product instead of the parsed fields. See Configuring collector raw event logging on page 195.
Configure event filtering and aggregation. See Configuring event filtering on page 197. See Configuring event aggregation on page 200.
You should also verify collector configuration. See Verifying collector configuration on page 184.
The following installation and configuration tasks depend on various factors:
A collector that uses a database sensor to collect events requires the completion of additional tasks. Before you use a database sensor collector, you must complete the various installation and configuration tasks that are related to the database that is used.
A collector that uses a Syslog sensor to collect events can possibly use Syslog Director. Syslog Director accepts syslog events from any point product that is installed on the Information Manager server.
You can configure a Logfile sensor to read logs from the log files. The Agent service must have access to the file that the agent reads.
Retrieval of support for new events and query updates: You can run LiveUpdate to receive collector updates such as support for new events and query updates.
Deploying many collectors: If you need to configure many collectors at once, you can create a csv-formatted file.

- Uninstalling the collector and its components. You can uninstall the collector and its components.

Registering collectors

The Information Manager Web configuration interface provides a page on which you register and unregister a collector's configuration settings and event schema. The Information Manager server requires these settings and the schema to recognize and log events from the point product.

You must register the collector for all remote installations. If you use a collector that resides on the Information Manager server, you do not need to install the agent and you do not need to register the collector.

To register a collector
1. Launch the Information Manager Web configuration interface in a browser. Symantec recommends that you use the Fully Qualified Domain Name of the Information Manager server in the URL. If you have the Information Manager Client console open, close it first.
2. In the Web configuration interface, click Settings > Collector Registration.
3. On the page that appears, click Register.
4. In the first box provided, type (or click Browse to select) the path to the collector_name.sip file that was provided with your collector installation package. You can select paths for up to five files. The default location of this file is the sip/ subdirectory of the collector installation package.
5. Click Begin Registration.

Installing the Symantec Event Agent

The Symantec Event Agent sends the data that the collector collects to the Information Manager server. The agent is always installed on the same computer as the collector component. In some cases, you must install the agent and collector on the same computer as the security product for which the collector collects events. In other cases, you can install the collector on a separate computer from the security product. In either case, the collector computer must have network access to the Information Manager server.

See About installation and configuration tasks for collectors on page 167.

Preinstallation requirements

The prerequisites for installing the Symantec Event Agent 4.7 are as follows:

- The host name of the Information Manager server must be resolvable from the computer on which you want to install Symantec Event Agent 4.7.
- The installation process stops if any previous installation of the Event Agent is detected. You must uninstall all previous versions of the Event Agent to continue.

See About installation and configuration tasks for collectors on page 167.

About installing the Event Agent

You can install the Event Agent on the following platforms:

- Windows. See Installing the Event Agent on Windows on page 172.
- Solaris. See Installing the Event Agent on Solaris on page 173.
- Linux. See Installing the Event Agent on Linux on page 175.

See About installation and configuration tasks for collectors on page 167.

Before you install the Symantec Event Agent, complete the following steps in the order presented:

- Uninstall any previous version of the agent.
- Ensure that there is network connectivity between the system where the agent is installed and the Information Manager server. If there is a firewall between the agent computer and the Information Manager server, ensure that the following ports are open: TCP 5998, TCP 443, TCP 80. Note: Using this port is a new option with Symantec Event Agent 4.7 and it is optional.

When the Symantec Event Agent installation completes, verify it as follows:

- Verify Symantec Event Agent installation. See Verifying Symantec Event Agent installation on page 178.
- Verify Symantec Event Agent operation. See Verifying Symantec Event Agent operation on page 179.

Installing the Event Agent on Windows

To install the Event Agent on Windows
1. Download the installation file for Windows and the corresponding md5 file from the Download page of the Web configuration interface.
2. Verify the integrity of the downloaded installation file against the downloaded md5 file. The md5 file detects a corrupted download; because it is served from the same place as the package, it is not by itself proof of the package's origin, so download both over the HTTPS interface.
3. Double-click the install.exe file to start the installation and then click Next.
4. The Choose Install Folder panel displays. The installation stops if any previous installation is detected; you can continue only after the detected installation is removed. See About uninstalling the Event Agent on page 176.
5. Browse to and select the destination folder for the installation files, or retain the default folder, and click Next.
6. Enter the IP address or host name of the Information Manager server when prompted. Ensure that the Run Connection and communication tests during installation check box is selected, and then click Next.
7. The connection to the Information Manager server is checked. On a successful connection, a "Connectivity Test was successful" message is displayed. If the connection is not successful, check the connectivity and try again. Click Next to continue. The panel to install a third-party CA root certificate displays.
8. If you want to install a third-party CA root certificate, select the option box for installing the third-party CA root certificate and then click Next. Otherwise, click Next to continue.
9. Click the Choose option and browse to the folder that contains the certificate. A list of the certificates in that folder is displayed.
10. Select the required certificate and then click Next. The Pre-Installation Summary panel displays the product name, the installation folder, the Information Manager server IP address, and the disk space information.
11. Click Install. The Verify Agent communications panel displays.
12. Click Next to continue. The Install Complete panel displays the installation folder.

Installing the Event Agent on Solaris

To install the Event Agent on Solaris
1. Connect to the computer on which you want to install the Event Agent (the collector computer; a collector that resides on the Information Manager server needs no separate agent), either with an SSH client or by logging on locally. You must log on as root to install the Event Agent.
2. Download the following files to the /tmp directory from the download links for Solaris Client. The download links are on the download page of the Web configuration interface (thin client) of the Information Manager server:
   symevtagent_solaris_r xx.md5sum
   symevtagent_solaris_r xx.tar.gz
   where xx is replaced with the build number of the release. Use binary mode when transferring the files to the target computer. Some FTP utilities use ASCII mode by default, which corrupts the installation file.
3. Verify the integrity of the downloaded .tar.gz file by using md5sum. Both the .md5sum and .gz files must be present in the same directory for md5sum to execute correctly. For more information on md5sum, see the man pages.
4. To unpack the Event Agent 4.7 release, execute the commands:
   gunzip symevtagent_solaris_r xx.tar.gz
   tar -xvf symevtagent_solaris_r xx.tar
   Replace xx with the build number of the release. These commands create an Agent directory and unpack the installation files into it.
5. Change to the Event Agent 4.7 release directory:
   cd Agent
6. Execute the following commands:
   chmod +x install.sh
   ./install.sh
   The installation stops if any previous installation is detected; you can continue only after the detected installation is removed. See About uninstalling the Event Agent on page 176.
7. Enter the destination folder path or accept the default path when prompted.
8. Enter the IP address or host name of the Information Manager server when prompted. The connection to the Information Manager server is checked and a message is displayed if the connection is successful.
9. If you want to install third-party CA root certificates, enter the path to the folder that contains the certificates when prompted.
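Steps 3 and 4 of the Solaris procedure above, and the identical steps of the Linux procedure that follows, are the point where a corrupted (for example ASCII-mode) transfer is caught. The following script is an added example of carrying those steps out non-interactively; it is not part of Symantec's installer. It assumes the .md5sum file uses the md5sum(1) layout ("<hex digest>  <file name>"), which this page does not confirm, and it refuses to unpack anything whose digest does not match. Note that an MD5 digest served alongside the package only proves the download was not corrupted, not who produced it; on Solaris hosts without md5sum, digest -a md5 produces the same hash.

```shell
#!/bin/sh
# Added example, not part of the Symantec installer: verify the downloaded
# Event Agent package against its .md5sum file before unpacking it, and stop
# on any mismatch. Assumes the .md5sum file uses the md5sum(1) layout
# "<hex digest>  <file name>"; the layout of the file Symantec ships is not
# described on this page.

# md5_of <file>: print the hex MD5 digest of a file.
md5_of() {
    md5sum "$1" | awk '{print $1}'
}

# verify_and_unpack <package.tar.gz> <package.md5sum>
# Exit status: 0 = digest matched and package unpacked into ./Agent,
#              1 = digest mismatch (package left untouched),
#              2 = a file is missing, 3 = unpacking failed.
verify_and_unpack() {
    pkg=$1
    sumfile=$2
    [ -f "$pkg" ]     || { echo "missing package: $pkg" >&2; return 2; }
    [ -f "$sumfile" ] || { echo "missing checksum file: $sumfile" >&2; return 2; }

    # Only the digest column is trusted; the file name in the checksum file
    # may carry a path from the build machine and is ignored.
    expected=$(awk 'NR == 1 {print $1}' "$sumfile")
    actual=$(md5_of "$pkg")
    if [ "$expected" != "$actual" ]; then
        echo "MD5 mismatch for $pkg: expected $expected, got $actual" >&2
        echo "(an ASCII-mode FTP transfer is the usual cause; re-download in binary mode)" >&2
        return 1
    fi

    # Unpack without leaving an uncompressed .tar behind; equivalent to
    # "gunzip file.tar.gz; tar -xvf file.tar" in the procedure above.
    gunzip -c "$pkg" | tar -xf - || return 3
    [ -f Agent/install.sh ] || { echo "Agent/install.sh not found after unpack" >&2; return 3; }
    chmod +x Agent/install.sh
    return 0
}

# Command-line use (file names are placeholders for the real build):
#   sh verify_agent.sh symevtagent_linux_<build>.tar.gz symevtagent_linux_<build>.md5sum
if [ $# -eq 2 ]; then
    verify_and_unpack "$1" "$2" && echo "package verified; run: cd Agent && ./install.sh"
fi
```

Run it from the directory that holds both downloaded files, as the procedure requires; on success the Agent directory is ready for ./install.sh, and on a mismatch nothing has been extracted, so a half-unpacked tree cannot be installed by accident.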

Installing the Event Agent on Linux

To install the Event Agent on Linux
1. Connect to the computer on which you want to install the Event Agent (the collector computer; a collector that resides on the Information Manager server needs no separate agent), either with an SSH client or by logging on locally. You must log on as root to install the Event Agent.
2. Download the following files to the /tmp directory from the download links for Linux Client. The download links are on the download page of the Web configuration interface of the Information Manager:
   symevtagent_linux_r xx.tar.gz
   symevtagent_linux_r xx.md5sum
   where xx is replaced with the build number of the release. Use binary mode to transfer the files to the target computer. Some FTP utilities use ASCII mode by default, which corrupts the installation file.
3. Verify the integrity of the downloaded .tar.gz file by using md5sum. Both the .md5sum and .gz files must be present in the same directory for md5sum to execute correctly. For more information on md5sum, see the man pages.
4. Unpack the Event Agent 4.7 release by executing the following commands:
   gunzip symevtagent_linux_r xx.tar.gz
   tar -xvf symevtagent_linux_r xx.tar
   Replace xx with the build number of the release. These commands create an Agent directory and unpack the installation files into it.
5. Change to the Event Agent 4.7 release directory:
   cd Agent
6. Execute the following command:
   sh install.sh
   The installation stops if any previous installation is detected; you can continue only after the detected installation is removed. See About uninstalling the Event Agent on page 176.
7. Enter the destination folder path or accept the default path when prompted.
8. Enter the IP address or host name of the Information Manager server when prompted. The connection to the Information Manager server is checked and a message is displayed if the connection is successful.
9. If you want to install third-party CA root certificates, enter the path to the folder that contains the certificates when prompted.

About uninstalling the Event Agent

You can uninstall the Event Agent on Windows, Linux, or Solaris if required, using the following options:

- Uninstalling the Event Agent on Windows. See About uninstalling the Event Agent on Windows on page 176.
- Uninstalling the Event Agent on Linux and Solaris. See About uninstalling the Event Agent on Linux and Solaris on page 176.

About uninstalling the Event Agent on Windows

Use one of the following methods to uninstall the Event Agent:

- Remove the Event Agent program through Add or Remove Programs. This method applies only to the Symantec Event Agent 4.7 release. Note: Add or Remove Programs is called Programs and Features in later versions of Windows.
- Execute the Uninstall Symantec Event Agent.exe file in the Event Agent folder.

See About installation and configuration tasks for collectors on page 167.

About uninstalling the Event Agent on Linux and Solaris

To uninstall the Event Agent, change to the Event Agent installation folder and run the install.sh script with the -u switch:
   ./install.sh -u

See About installation and configuration tasks for collectors on page 167.

Event Agent management with the agentmgmt.bat utility

Table 10-1 lists the options that are available when you run the agentmgmt.bat utility (agentmgmt.sh on UNIX).

See About installation and configuration tasks for collectors on page 167.

Table 10-1 Options available with the agentmgmt.bat utility

Option 1, Show Agent Status: Shows the following information about the agent: the port to which it is connected, the connection status, the number of events received, the number of events sent, and the name of the server to which it is connected.

Option 2, Flush Agent Queue: Forces the agent to reconnect and send data to the server. If the agent is in disconnected mode, flushing the queue resets the agent to connected mode and sends the queued events to the server.

Option 3, Reload Agent Configurations: Reloads the agent configuration from the Information Manager server without restarting the agent.

Option 4, Force Agent to send its Software Inventory and state Updates: Forces the agent to send its software inventory and state updates to the LDAP directory.

Option 5, View log files: Opens the log files in a Swing-based UI. Note: Selecting this option displays an error if a graphical UI is not available on the Linux or Solaris terminal.

Option 6, Force Re-Bootstrap of Agent to same or to different server: Re-bootstraps the agent to the existing server or to a different server; use it to reconnect to the same server or to move the agent to another one.

Option 7, Gather data for Technical Support: Gathers data such as logs and configurations into a compressed file named sesa-<hostname>-<guid>.zip.

Option 8, Enable or disable Collector Debug: Changes the log level to debug.

Option 9, Start the Agent: Starts the agent.

Option 10, Stop the Agent: Stops the agent.

Option 11, Quit the menu: Quits the menu-based script.

Verifying Symantec Event Agent installation

To verify installation of the Symantec Event Agent, perform the following tasks in the order presented:

- Verify Symantec Event Agent connectivity from Information Manager.
- Verify the Information Manager IP address and the Symantec Event Agent port.

See About installation and configuration tasks for collectors on page 167.

To verify Symantec Event Agent connectivity from Information Manager
1. From a Windows computer that has the Information Manager Client installed, log on with an Information Manager user account that has sufficient rights to view events. The user must belong to a role that has rights to the Information Manager-integrated collector.
2. In the Information Manager console, in the left pane, click System.
3. On the Administration tab, expand the tree until you see Organizational Units.
4. Expand Organizational Units > Default.
5. Verify that the name of the collector computer is listed.
6. Right-click the computer name, and then click Properties.
7. In the Computer Properties dialog box, on the Services tab, verify that the Agent Service displays Yes in the Started column.

To verify the Information Manager IP address and the Symantec Event Agent port
1. On the collector computer, navigate to the Symantec Event Agent installation folder. On Windows, the default location is C:\Program Files\Symantec\Event Agent. On UNIX, the default location is /opt/symantec/sesa/agent, and you must become superuser.
2. In a text editor, such as Notepad on Windows or vi on UNIX, open the configprovider.cfg file.
3. Verify that the following options contain the correct settings for the Information Manager server to which you want to send events:
   - MgmtServer contains the correct Symantec Security Information Manager IP address.
   - MgmtPort contains the correct Symantec Event Agent port number (the default value is 443).

Verifying Symantec Event Agent operation

You can verify that the Symantec Event Agent is operating correctly by running the Show Agent Status script.

To verify Symantec Event Agent operation with the Show Agent Status script
1. On the collector computer, navigate to the Agent directory. On Windows, the default location is C:\Program Files\Symantec\Event Agent. On UNIX, the default location is /opt/symantec/sesa/agent, and you must become superuser.
2. To access the Collector and Agent Management scripts, at the command prompt, do one of the following:
   On Windows, type the following command:
   agentmgmt.bat
   On UNIX, type the following command:
   ./agentmgmt.sh
3. At the SSIM Collector / Agent Management Scripts menu, select the following option:
   1. Show Agent Status

If the agent is not running, the following message appears:

   The agent command cannot be executed. Failed to make a connection to the agent.
   The Symantec Event Agent is possibly not running.

If the agent is running, something similar to the following appears:

   Symantec Event Agent (v ) - Copyright(c) - Symantec Corporation
   Symantec Event Agent status: running
   Listening on: :8086
   SSL: Off
   SESA Manager URL:
   Outbound Thread State: CONNECTED
   Java Version
   Queue Status
       Total events accepted: 502
       Total events forwarded: 502
       Entries waiting in queue: 0
       Direct events accepted: 0
       Queue File: .\agent.que
       Flush Size (KB): 2000
       Flush Count: 1000
       Flush Time (sec): 4
       Spool Size (KB):
       Max Queue Size (KB):
       Forwarding Provider: Symc_SESAEventForwardingProvider
       Post failures due to unexpected response code: 6
       Total number of post failures: 0
   Event Acceptor HTTP ThreadPool:
       Thread 0 state = IDLE
       Thread 1 state = IDLE
       Thread 2 state = IDLE
       Thread 3 state = IDLE
   Last state update time: Mon Apr 28 18:24:17 PDT 2008
   Last configuration download request time: Mon Apr 28 18:24:17 PDT 2008
   Last configuration update invocation time: Mon Apr 28 18:24:17 PDT 2008
   Last configuration update completion time: Mon Apr 28 18:24:17 PDT 2008

The values to check are Outbound Thread State: CONNECTED, an Entries waiting in queue count that stays near zero, and Total events forwarded keeping pace with Total events accepted. A queue that keeps growing, or a rising post-failure count, means the collector is handing events to the agent but the agent is not delivering them to the server.
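The Show Agent Status output above (and the identical check under Verifying collector installation later in this chapter) is meant to be read by eye. The following script is an added example, not Symantec's code, that turns the same output into a pass/fail check an operator can run after every install or put under monitoring. Because agentmgmt is menu-driven and this page documents no non-interactive mode, the script reads the status text from a file the operator has saved (copy-paste or script(1)); the file names and the sample status texts it generates are constructed for the example, and the field labels are the ones visible in the sample output above.

```shell
#!/bin/sh
# Added example, not Symantec's code: a health check over the text that
# option "1. Show Agent Status" of agentmgmt.sh / agentmgmt.bat prints.
# The field labels are the ones visible in the sample status output above.
# agentmgmt is menu-driven and this page documents no non-interactive mode,
# so the status text is read from a file the operator saved (copy-paste or
# script(1)); the file name passed on the command line is a placeholder.

# status_field <status file> <label>: print the value after "<label>:",
# or nothing if the label is absent. Leading indentation is ignored.
status_field() {
    awk -v key="$2" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, key ":") == 1) {
                sub(/^[^:]*:[ \t]*/, "", line)
                print line
                exit
            }
        }' "$1"
}

# agent_health <status file>: print one line per problem found and return
# 0 when the agent is running, connected, and has an empty queue with no
# post failures; return 1 otherwise.
agent_health() {
    f=$1
    rc=0
    state=$(status_field "$f" "Symantec Event Agent status")
    thread=$(status_field "$f" "Outbound Thread State")
    accepted=$(status_field "$f" "Total events accepted")
    forwarded=$(status_field "$f" "Total events forwarded")
    waiting=$(status_field "$f" "Entries waiting in queue")
    # Newer agents label this "HTTP post failures", older ones "post failures".
    failures=$(status_field "$f" "Total number of HTTP post failures")
    [ -n "$failures" ] || failures=$(status_field "$f" "Total number of post failures")

    [ "$state" = "running" ] || { echo "agent status is '${state:-unknown}', expected running"; rc=1; }
    [ "$thread" = "CONNECTED" ] || { echo "outbound thread state is '${thread:-unknown}', expected CONNECTED"; rc=1; }
    [ "${waiting:-0}" -eq 0 ] || { echo "$waiting events waiting in the agent queue"; rc=1; }
    [ "${failures:-0}" -eq 0 ] || { echo "$failures failed posts to the server (check MgmtServer/MgmtPort in configprovider.cfg and the firewall)"; rc=1; }
    [ "${accepted:-0}" -eq "${forwarded:-0}" ] || { echo "accepted $accepted events but forwarded only $forwarded"; rc=1; }
    return $rc
}

# write_sample_status <file> <thread state> <forwarded> <waiting> <failures>
# Writes a constructed status text (not captured from a real agent) in the
# layout of the output shown above, so the check can be exercised offline.
write_sample_status() {
    cat > "$1" <<EOF
Symantec Event Agent (v) - Copyright(c) - Symantec Corporation
Symantec Event Agent status: running
Listening on: 127.0.0.1:8086
SSL: Off
Outbound Thread State: $2
Queue Status
    Total events accepted: 502
    Total events forwarded: $3
    Entries waiting in queue: $4
    Queue File: ./QueueFiles/filequeue.que
HTTP forwarding statistics:
    Post failures due to HTTP response code 400: $5
    Total number of HTTP post failures: $5
EOF
}

# Command-line use: sh agent_health.sh saved_status.txt
if [ -n "${1-}" ]; then
    agent_health "$1"
fi
```

A non-zero exit with "failed posts to the server" points at the outbound path (MgmtServer, MgmtPort, or the firewall ports listed earlier in this chapter), while a growing queue with the thread CONNECTED usually means the server is accepting the connection but rejecting the posts, which is exactly the HTTP 400 case shown in the second sample output later in this chapter.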

Installing the collector on a remote computer

The collector component reads the data from the security product, formats the data, and forwards it to the Symantec Event Agent. The collector computer must have access to the product that it monitors.

Before you install the collector component, you must complete the following tasks in the order shown:

- Register the collector. Refer to the online Help in the Web configuration interface for more information on how to register collectors.
- Install the Symantec Event Agent.

Note: You must install the agent for all remote installations. If you use a collector that resides on the Information Manager server, you do not have to install the agent.

See About installation and configuration tasks for collectors on page 167.

When you have completed the installation of the collector on a remote computer, verify that the Symantec Event Agent and the collector are running. See Verifying collector installation on page 182.

To install the collector on a remote computer
1. On the collector computer, navigate to the install subdirectory of the collector installation files. The installation files are located in a temporary directory. Some collectors must be installed on the same computer as the product for which they collect events.
2. At a command prompt, do one of the following:
   On Windows, type the following command:
   install.bat
   On UNIX, type the following command:
   sh ./install.sh
3. Follow the installation wizard prompts. Symantec recommends that you run LiveUpdate at the end of the installation.

Installing collectors on an Information Manager server

If you install the collector on the server, you do not need to register the collector or install the Symantec Event Agent.

See About installation and configuration tasks for collectors on page 167.

To install a collector on an Information Manager server
1. Unzip the installation package onto your Information Manager client computer. You can obtain the collector package from Symantec. The installation package includes a subdirectory named server. The server subdirectory contains a file named as follows:
   install-collector_name collector.jar
   where collector_name represents the name of the collector.
2. In the Web configuration interface, click Maintenance > System Updates.
3. Click Install in the tree pane, and then browse to the server directory where you unzipped the installation package.
4. Select the install-collector_name collector.jar file and click Upload and Install.
5. On the Confirm Installation page, click Continue. The status of the install process is displayed.
6. When the installation has finished, close the Information Manager Web configuration interface.

Verifying collector installation

To verify the collector installation, complete the following procedures in the order presented:

- On the collector computer, verify that the appropriate services or daemons are started. On a Windows computer, you verify that services have started. On a UNIX computer, you verify that daemons have started. See To verify that the appropriate services have started on Windows on page 183. See To verify that the appropriate daemons have started on UNIX on page 183.
- Verify that the Symantec Event Agent and collector are running. See To verify that the Symantec Event Agent and collector are running on page 183.

To verify that the appropriate services have started on Windows
1. On the collector computer, on the Start menu, click Settings > Control Panel.
2. In the Control Panel window, select Administrative Tools.
3. In the Administrative Tools window, select Services.
4. In the Services dialog box, verify that the Symantec Event Agent Service is listed and is started.

To verify that the appropriate daemons have started on UNIX
1. On the collector computer, log on as superuser.
2. At the command prompt, type the following command:
   ps -ef | grep sesagentd
   Because grep also matches its own command line, a line that shows "grep sesagentd" is not the daemon; use ps -ef | grep '[s]esagentd' or pgrep sesagentd to avoid that false match.
3. Verify that the sesagentd process exists.

To verify that the Symantec Event Agent and collector are running
1. On the collector computer, navigate to the agent directory. On Windows, the default location is C:\Program Files\Symantec\Event Agent. On UNIX, the default location is /opt/symantec/sesa/agent, and you must become superuser.
2. To access the Collector and Agent Management scripts, at the command prompt, do one of the following:
   On Windows, type the following command:
   agentmgmt.bat
   On UNIX, type the following command:
   ./agentmgmt.sh
3. On the SSIM Collector / Agent Management Scripts menu, select the following option:
   1. Show Agent Status

If the agent is not running, the following message appears:

   The agent command cannot be executed. Failed to make a connection to the agent.
   The Symantec Event Agent is possibly not running.

If the agent is running, something similar to the following appears:

   Symantec Event Agent (v ) - Copyright(c) Symantec Corporation
   Symantec Event Agent status: running
   Listening on: :8086
   Sending on Port:
   SSL: Off
   SSIM Server URL:
   Outbound Thread State: CONNECTED
   Java Version 1.6.0_26
   Queue Status
       Total events accepted:
       Total events forwarded:
       Entries waiting in queue: 0
       Queue File: ./QueueFiles/filequeue que
       Flush Size (KB): 2000
       Flush Count: 512
       Flush Time (sec): 4
       Spool Size (KB):
       Max Queue Size (KB):
   HTTP forwarding statistics:
       Post failures due to HTTP response code 400: 12
       Total number of HTTP post failures: 12
   Event Acceptor HTTP ThreadPool:
       Thread 0 state = IDLE
       Thread 1 state = IDLE
       Thread 2 state = IDLE
       Thread 3 state = IDLE
   Last state update time: Mon Aug 29 16:11:49 IST 2011
   Last configuration download request time: none
   Last configuration update invocation time: Tue Aug 30 07:59:36 IST 2011
   Last configuration update completion time: Tue Aug 30 07:59:39 IST 2011

A status of running with the outbound thread CONNECTED does not by itself mean events are arriving: in this sample the server rejected 12 posts with HTTP 400, so a non-zero post-failure count should be investigated even when the agent reports itself healthy.

Verifying collector configuration

You verify the collector configuration by performing the following procedures in the order shown:

- View audit events. The audit events show whether or not a successful connection was made to the data source. You can view the audit events again to troubleshoot a problem. See To view audit events on page 185.
- Verify that the Symantec Event Agent and sensor are up. See To verify that the Symantec Event Agent and Sensor are up on page 185.

To view audit events
1. On a Windows computer that has the Information Manager console installed, start the console.
2. Log on with an administrator account.
3. In the Information Manager console, in the left pane, click Events.
4. In the tree, click System Queries > SSIM > SSIM system > Audit events for SSIM.
5. In the right pane, check the name of the Information Manager server, and then click Run Query.
6. Check for the following entry in the Event Type ID column: Successful Connection to Data Source. The Severity ID for this type of event is 1 - Informational.
7. Right-click any row with a Severity ID higher than 1, and click Event Details. The Event Details window includes a more detailed description of the problem. The following is an example of an event with a Severity ID of 6: Report file rename failed.

To verify that the Symantec Event Agent and Sensor are up
1. On a Windows computer that has the Information Manager Java client installed, start the client.
2. Log on with an administrator account.
3. In the Information Manager console, in the left pane, click System.
4. On the Visualizer tab, click Table View.
5. In the Statistics Viewer, locate the collector by the Product ID field, and the sensor and agent by the Type field.
6. In the Status field, check for the following entries:
   Agent Up
   Sensor Up
   If the agent and sensor are not up, the Status field displays the following entry: Unknown

About Symantec Universal Collectors

Symantec provides universal collectors. These universal collectors gather, filter, and aggregate events from security devices, critical applications, and services. The collectors then forward both the raw and the processed events to Information Manager. Universal collectors are used in scenarios where a product-specific collector is not available. You can use the Custom Logs view in the Web configuration interface to map the log information to the fields that Information Manager supports.

Universal collectors are installed on an Information Manager server by default. To install the universal collectors on an off-box system, you can download the following universal collectors from the Downloads option on the Home view of the Web configuration interface:

- Universal Collector for Windows
- Universal Collector for Windows Vista
- Universal Collector for Syslog
- Universal Collector for Log file

See Downloading and installing the Symantec Universal Collectors on page 186.

Downloading and installing the Symantec Universal Collectors

To collect logs from a proprietary application, first download and install the universal collectors on the computer on which the Symantec Event Agent is installed.

See About Symantec Universal Collectors on page 186.

To download the universal collectors
1. Log on to the Web configuration interface as an administrator.
2. In the Web configuration interface of Information Manager, click Home > Downloads.
3. Click the download link for the universal collector that you want to download.
4. Save the installation zip file for the universal collector on the computer where you want to install the collector.

To install the universal collector on a remote computer that has the Symantec Event Agent installed
1. On the computer on which the Symantec Event Agent is installed, log on as administrator.
2. Unzip the installation package. The installation package includes a subdirectory named install. The installation files are located in a temporary directory. Some collectors must be installed on the same computer as the product for which they collect events.
3. At the command prompt, do one of the following:
   On Windows, type the following command:
   install.bat
   On UNIX, type the following command:
   sh ./install.sh
4. Follow the installation wizard prompts.

All the universal collectors, including the universal log file and syslog collectors, are installed by default on the Information Manager server.

Chapter 11
Configuring point products and collectors

This chapter includes the following topics:

- About configuring a point product to work with a collector
- Creating and configuring sensors
- Creating a new sensor configuration
- Configuring the collector sensor to receive security events
- Adding, renaming, deleting, and disabling sensors
- Importing and exporting sensor properties
- Updating sensor properties globally
- Configuring collector raw event logging

About configuring a point product to work with a collector

After you have installed the necessary collector components, you may need to configure the point product to make the event information available to the collector. For example, if the collector uses a syslog sensor, you must configure the point product to send syslog events to the collector.

See Requirements for point products and the collectors on page 165.

Creating and configuring sensors

You must create a new sensor configuration for each collector.

See About configuring a point product to work with a collector on page 189.

The creation of sensor configurations includes the following tasks:

- Creating a new sensor configuration. All collectors include a sensor configuration named Default that you cannot use. You must create a new one. See Creating a new sensor configuration on page 191.
- Configuring the collector sensor to receive security events. After you create a sensor configuration, you create and configure the sensor. See Configuring the collector sensor to receive security events on page 192.
- Adding, renaming, deleting, and disabling sensors. You can add, rename, delete, and disable sensors. Note: Avoid the special characters <, &, and ' (single quote) in sensor names. See Adding, renaming, deleting, and disabling sensors on page 193.
- Configuring sensor properties. Most collectors use one of the following sensor types, which you must configure:
  Syslog sensor
  Database sensor
  Log sensor
  Syslog file sensor
  Log file sensor
  Windows Event Log sensor
  OPSEC LEA sensor
- Importing and exporting sensor properties (optional). Some database sensor collectors are compatible with more than one type of database. An alternate sensor property file is provided for this purpose. See Importing and exporting sensor properties on page 193.
- Globally updating sensor properties. If you have many sensors within the same configuration, you can update them all at once. See Updating sensor properties globally on page 194.

See About installation and configuration tasks for collectors on page 167.

Creating a new sensor configuration

Collectors use the sensors that you configure to receive security events. The sensors are grouped according to sensor configurations. The collectors include a sensor configuration named Default. You cannot use this configuration; you must create a new configuration.

See Creating and configuring sensors on page 190.
See Configuring the collector sensor to receive security events on page 192.

Note: For custom logs, administrators can create the sensor configuration in the Information Manager console only after the log type has been added and the direct and literal mappings have been specified in the Custom Logs view of the Web configuration interface.

Note: Avoid the special characters <, &, and ' (single quote) in sensor names. To use the custom log management feature effectively, keep sensor names unique across the different configurations of each universal collector type.

To create a new sensor configuration
1. In the Information Manager console, in the left pane, click System.
2. On the Product Configurations tab, expand the tree until you see the collector name.
3. Right-click the collector name, and choose New.
4. On the Create a New Configuration wizard page, click Next.
5. On the General page, enter a name and a description for the new configuration, and click Next.
6. On the Computers page, do the following steps in the order given:
   - Click Add.
   - Under the Available computers column, click a system in the list, and click Add. For a computer to be listed, the Symantec Event Agent on that computer must be bootstrapped to the Information Manager.
   - Click OK, and then click Next.
7. On the Configuration summary panel, make changes to any of your previous selections.
8. Click Finish, and then click Close.

Configuring the collector sensor to receive security events

Before you configure a sensor, you must create a sensor configuration. See Creating a new sensor configuration on page 191.

After you create a sensor configuration, you must configure its sensor or sensors to receive security events. After the sensors are configured, or when a change is made to sensor properties, the sensor properties are distributed to the collector computers.

See Creating and configuring sensors on page 190.

To configure the collector sensor to receive security events
1. In the Information Manager console, in the left pane, click System.
2. Select the Product Configurations tab, and then expand the tree until you see the collector name.
3. In the left pane, select the appropriate configuration.
4. In the right pane, on the Sensor tab, under the list of sensors, click the sensor. You can rename the sensor, add new sensors, and delete sensors. See Adding, renaming, deleting, and disabling sensors on page 193.
5. In the sensor property table, under the Value column, change any of the information.
6. Click Save.
7. In the left pane, right-click the appropriate configuration, and then click Distribute.
8. When you are prompted to distribute the configuration, click Yes.

Adding, renaming, deleting, and disabling sensors

When you create a new sensor configuration, a sensor is automatically created for you. You may create additional sensors, rename the sensor, delete the sensor, or disable the sensor.

Note: Avoid using the special characters <, &, and ' (single quote) in sensor names.

See Creating a new sensor configuration on page 191.
See Creating and configuring sensors on page 190.

To add, rename, delete, or disable a sensor
1 In the Information Manager console, in the left pane, click System.
2 Select the Product Configurations tab, and then expand the tree until you see the collector name.
3 In the left pane, select the appropriate configuration.
4 In the right pane, select the Sensor tab, and then, under the list of sensors, do one of the following:
  - To add a sensor, click the + (plus sign) icon. By default, the sensors that you create are named Sensor 0, Sensor 1, Sensor 2, Sensor 3, and so on.
  - To rename a sensor, double-click in the sensor name box, and type a new name.
  - To delete a sensor, click the - (minus sign) icon. You cannot delete the default sensor; you must have at least one sensor.
  - To delete all sensors, click the trash can icon.
  - To disable a sensor without deleting it, uncheck the sensor.
5 Click Save.
6 In the left pane, right-click the appropriate sensor, and then click Distribute to update the collector on the target computer with the new properties.
7 When you are prompted to distribute the configuration, click Yes.

Importing and exporting sensor properties

Some database sensor collectors are compatible with more than one type of database. An alternate sensor property file is provided.

You can both import sensor properties from an XML file and export sensor properties to an XML file.
See Creating and configuring sensors on page 190.

To import and export sensor properties
1 In the Information Manager console, in the left pane, click System.
2 Select the Product Configurations tab, and then expand the tree until you see the collector name.
3 In the left pane, select the appropriate configuration.
4 In the right pane, on the Sensor tab, do one of the following tasks:
  - To import a configuration from an XML file, click the Import Sensors icon. Then, in the Import Configuration From File window that appears, specify the XML file from which you want to import the configuration.
  - To export the selected configuration to an XML file, click the Export Sensors icon. Then, in the Export Configuration to File window that appears, specify the file name to which you want to export the configuration.

Updating sensor properties globally

You can copy the selected sensor properties to other sensors within the same configuration. Use the Global Update function if you have many sensors that you need to update.
See Configuring the collector sensor to receive security events on page 192.
See Creating and configuring sensors on page 190.

To globally update sensor properties
1 In the Information Manager console, in the left pane, click System.
2 Select the Product Configurations tab, and then expand the tree until you see the collector name.
3 In the left pane, select the appropriate configuration.
4 In the right pane, on the Sensor tab, select a sensor so that it appears highlighted.
5 In the right pane, on the lower right, click Global Update.
6 In the Select Properties for Global Update window, place a checkmark next to each property whose value you want to propagate to all other sensors within the same configuration.
7 Click OK to complete the global update process.

8 Proceed to change the sensor properties as needed.
9 In the left pane, right-click the configuration, and then click Distribute.
10 When you are prompted to distribute the configuration, click Yes.

Configuring collector raw event logging

You can enable the collector to collect the entire raw event message from the point product instead of the parsed fields. Raw event messages are useful for forensics, incident investigation, and log retention requirements. Raw event logging also lets you preserve unaltered event messages.
See About configuring a point product to work with a collector on page 189.

Note: Raw event logging substantially increases event sizes.


Chapter 12
Configuring collectors for event filtering and aggregation

This chapter includes the following topics:
- Configuring event filtering
- Configuring event aggregation

Configuring event filtering

You can use event filtering to exclude events from being forwarded to Information Manager. Event filters let you reduce the event traffic and the number of events that are stored in the event database. Filters also let you discard the data that is less important to your organization's security.

You can also import and export filtering configurations. Filtering configurations are exported in an XML file format; you must use the same XML file format to import the configuration. Event filtering is not advisable for all collectors.

The XML file for filtering should be in the following format:

<?xml version="1.0" encoding="utf-8"?>
<filter>
  <filter-spec enabled="false" index="0" name="specification 0">
    <filter-field comparator="eq" name="queue_product_id">1</filter-field>
  </filter-spec>
  <filter-spec enabled="true" index="1" name="specification 1">
    <filter-field comparator="eq" name="server">33</filter-field>
  </filter-spec>
</filter>

Event filter configuration consists of the following actions:
- Adding and enabling the event filtering rules. See To add and enable event filtering rules on page 198.
- Changing the existing event filtering rules. See To change existing event filtering rules on page 199.
- Importing and exporting the event filtering rules. See To import and export event filtering rules on page 200.

Some collectors include predefined filtering rules. Some of these predefined filtering rules are also pre-enabled.

To add and enable event filtering rules
1 In the Information Manager console, in the left pane, click System.
2 On the Product Configurations tab, in the middle pane, expand the tree until you reach the sensor configuration of a collector.
3 In the right pane, on the Filter tab, click Add.
4 Double-click Specification n (where n is 0, 1, 2, and so on), type a name for the rule, and click OK.
5 Under the rule properties table, click Add, and perform the following tasks in the order shown:
  - In the Name column, type a name for the event filter property (for example, IP Destination Port). You can also double-click in the Name text box to open an Information Manager fields window and choose from the list of items in its expanded directories.
  - In the Operator column, select an operator from the drop-down list (for example, equal to).
  - In the Value column, type a value or select a preset value for the event filter property (for example, 80 for the port number). You can filter events by pattern by using a regular expression function. For example, to filter all events that contain "SUCCESS", enter the following in the Value column:
    regex(.*SUCCESS.*)

    All characters within the parentheses are part of the regular expression. "." and "*" are both metacharacters: "." matches any character, and "*" matches zero or more occurrences of the preceding element. The expression therefore matches zero or more occurrences of any character, followed by the literal string SUCCESS, followed by zero or more occurrences of any character. In other words, it matches the literal string SUCCESS anywhere within the field.
6 Repeat step 5 to add more event filtering information for the rule. All rules within a given specification are combined with Boolean AND to determine whether an event is a candidate for filtering. If there are multiple specifications, the specifications are combined with Boolean OR.
7 When you are finished adding information for the rule, in the filter list, check the filter name.
8 Click Save.
9 In the left pane, right-click the appropriate configuration, and then click Distribute.
10 When you are prompted to distribute the configuration, click Yes.
11 In the Configuration Viewer window, click Close.

To change existing event filtering rules
1 In the Information Manager console, in the left pane, click System.
2 On the Product Configurations tab, in the middle pane, expand the tree until you reach a sensor configuration of a collector.
3 In the right pane, on the Filter tab, perform any of the following tasks:
  - To add a specification, click Add.
  - To delete a specification, select the specification, and then click Remove.
  - To delete all specifications, click Remove All.
4 Perform any of the following tasks:
  - To determine the order in which Information Manager invokes the event filters, next to the list of specifications, click the arrow icons.
  - To change the name of a specification, double-click the specification in the specification list, and then, in the Name text box, type a new name.
  - To disable a specification without deleting it, in the filter list, uncheck the filter name.

5 In the rule properties table, change the information in any of the following columns: Name, Operator, Value.
6 Under the rule properties table, perform any of the following tasks:
  - To add a rule property, click Add.
  - To delete a rule property, select the rule property, and click Remove.
  - To delete all rule properties, click Remove All.
7 Click Save.
8 In the left pane, right-click the appropriate collector configuration, and then click Distribute.
9 When you are prompted to distribute the configuration, click Yes.
10 In the Configuration Viewer window, click Close.

To import and export event filtering rules
1 In the Information Manager console, in the left pane, click System.
2 On the Product Configurations tab, in the middle pane, expand the tree until you reach a sensor configuration of a collector.
3 In the right pane, on the Filter tab, perform one of the following tasks:
  - If you want to import, click Import configuration from XML file.
  - If you want to export, click Export configuration to XML file.
4 Perform one of the following tasks:
  - In the Import Configuration From File window that appears, specify the XML file to import into the collector.
  - In the Export Configuration to File window that appears, specify the file name to which you want to export the configurations.

Configuring event aggregation

Collectors include a feature that lets you group similar events. By grouping events, you reduce event traffic and the number of events that are stored in the event datastore. The first event of a given type is sent to Symantec Security Information Manager immediately. All subsequent events of the same type are sent as one aggregated event. Aggregated events contain start and end times, but all other event fields are taken from the first event in the aggregated set. Not all collectors should use event aggregation.

You can also import and export aggregation configurations. Aggregation configurations are exported in an XML file format; you must import configurations in the same XML file format.
See About Event Collectors and Information Manager on page 163.

The XML file for aggregation should be in the following format:

<?xml version="1.0" encoding="utf-8"?>
<aggregator maxbuffer="0">
  <aggregator-spec enabled="true" index="0" name="specification 0" time="124">
    <aggregator-fields>
      <aggregator-field name="display_id" operator="eq">15</aggregator-field>
    </aggregator-fields>
    <similarity-fields>
      <similarity-field name="data_scan_guid"/>
    </similarity-fields>
  </aggregator-spec>
  <aggregator-spec enabled="false" index="1" name="specification 1" time="234">
    <aggregator-fields>
      <aggregator-field name="connection_type_name" operator="neq">1</aggregator-field>
    </aggregator-fields>
    <similarity-fields/>
  </aggregator-spec>
</aggregator>

Event aggregation configuration includes the following actions:
- Adding and enabling event aggregation rules. See To add and enable event aggregation rules on page 202.
- Changing existing event aggregation rule configurations. See To change existing event aggregation rule configurations on page 202.
- Importing and exporting event aggregation rules. See To import and export event aggregation rules on page 203.

This feature is not advisable with all collectors. Event aggregation rules are not configured by default. You must add the rules before you can enable or configure them.

To add and enable event aggregation rules
1 In the Information Manager console, in the left pane, click System.
2 On the Product Configurations tab, in the middle pane, expand the tree until you reach the sensor configuration of a collector.
3 In the right pane, on the Aggregator tab, click Add.
4 Double-click Specification n (where n is 0, 1, 2, and so on), and type a name for the rule.
5 Under the rule properties table, click Add, and perform the following tasks in the order shown:
  - In the Name column, select or type a name for the event aggregation property (for example, Event Date). You can also double-click in the Name text box to open an Information Manager fields window and choose a name from the list of items in its expanded directories.
  - In the Operator column, select an operator from the drop-down list (for example, greater than).
  - In the Value column, type a value or select a preset value for the event aggregation property (for example, :18:31).
6 Repeat step 5 to add more event aggregation information for the rule. All rules within a given specification are combined with Boolean AND to determine whether an event is a candidate for aggregation. If there are multiple specifications, the specifications are combined with Boolean OR.
7 In the Aggregation time (ms) text box, type the time in milliseconds within which a subsequent event must occur to be aggregated by this rule. The default value is 100. This property applies to all aggregation rules.
8 When you are finished adding information for the rule, in the aggregator list, check the aggregator name.
9 Click Save.
10 In the left pane, right-click the appropriate configuration, and click Distribute.
11 When you are prompted to distribute the configuration, click Yes.

To change existing event aggregation rule configurations
1 In the Information Manager console, in the left pane, click System.
2 On the Product Configurations tab, in the middle pane, expand the tree until you reach a sensor configuration of a collector.
3 In the right pane, on the Aggregator tab, under the list of rules, perform any of the following tasks:
  - To add a specification, click Add.
  - To delete a specification, select the rule, and click Remove.
  - To delete all specifications, click Remove All.
4 To determine the order in which Information Manager follows the event aggregation specifications, next to the list of specifications, click the arrow icons.
5 To change the name of a specification, double-click the specification in the specification list, and, in the Name box, type a new name.
6 To change the time within which a subsequent event must occur to be aggregated by this rule, in the Aggregation time (ms) box, type the new time in milliseconds. The default value is 100. This property applies to all aggregation rules.
7 To disable a specification without deleting it, in the aggregator list, uncheck the aggregator name.
8 In the rule properties table, change the information in any of the following columns: Name, Operator, Value.
9 Under the rule properties table, perform any of the following tasks:
  - To add a rule property, click Add.
  - To delete a rule property, select the rule property, and click Remove.
  - To delete all rule properties, click Remove All.
10 Click Save.
11 In the left pane, right-click the appropriate collector configuration, and click Distribute.
12 When you are prompted to distribute the configuration, click Yes.

To import and export event aggregation rules
1 In the Information Manager console, in the left pane, click System.
2 On the Product Configurations tab, in the middle pane, expand the tree until you see a sensor configuration of a collector.
3 In the left pane, select the appropriate configuration.
4 In the right pane, on the Aggregator tab, perform one of the following tasks:
  - If you want to import, click Import configuration from XML file.
  - If you want to export, click Export configuration to XML file.
5 Perform one of the following tasks:
  - If you want to import, in the Import Configuration From File window that appears, specify the XML file that you want to import into the collector.
  - If you want to export, in the Export Configuration to File window that appears, specify the file name to which you want to export the configurations.
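The filtering and aggregation semantics this chapter describes (fields within a specification ANDed, specifications ORed, regex(...) values, the first event of a set forwarded at once and later ones folded into one aggregated event with start and end times) worked through as an added Python example; this is not Symantec's code. The field names, the sample events, the use of each specification's time attribute as its window, and measuring that window from the first event of a set are assumptions.

```python
"""Added example, not Symantec's code: apply collector filter and aggregator
XML of the form shown in this chapter to constructed sample events."""
import re
import xml.etree.ElementTree as ET

# Constructed configurations in the page's XML format (field names assumed).
FILTER_XML = """<?xml version="1.0" encoding="utf-8"?>
<filter>
  <filter-spec enabled="true" index="0" name="specification 0">
    <filter-field comparator="eq" name="ip_destination_port">80</filter-field>
    <filter-field comparator="eq" name="event_desc">regex(.*SUCCESS.*)</filter-field>
  </filter-spec>
  <filter-spec enabled="false" index="1" name="specification 1">
    <filter-field comparator="eq" name="server">33</filter-field>
  </filter-spec>
</filter>"""

AGGREGATOR_XML = """<?xml version="1.0" encoding="utf-8"?>
<aggregator maxbuffer="0">
  <aggregator-spec enabled="true" index="0" name="specification 0" time="124">
    <aggregator-fields>
      <aggregator-field name="display_id" operator="eq">15</aggregator-field>
    </aggregator-fields>
    <similarity-fields>
      <similarity-field name="data_scan_guid"/>
    </similarity-fields>
  </aggregator-spec>
</aggregator>"""

def compare(comparator, actual, expected):
    """eq/neq as in the page's XML. A value written as regex(...) matches by
    pattern; the page's reading of regex(.*SUCCESS.*) implies a full match."""
    actual = "" if actual is None else str(actual)
    rx = re.fullmatch(r"regex\((.*)\)", expected, re.S)
    hit = bool(re.fullmatch(rx.group(1), actual)) if rx else actual == expected
    if comparator == "eq":
        return hit
    if comparator == "neq":
        return not hit
    raise ValueError("unsupported comparator: %s" % comparator)

def spec_matches(fields, event):
    """Fields within one specification are combined with Boolean AND."""
    return all(compare(f.get("comparator") or f.get("operator"),
                       event.get(f.get("name")), (f.text or "").strip())
               for f in fields)

def load_specs(xml_text, spec_tag, field_tag):
    """Enabled specifications in index order, each with its condition fields."""
    specs = [s for s in ET.fromstring(xml_text).iter(spec_tag)
             if s.get("enabled") == "true"]
    specs.sort(key=lambda s: int(s.get("index", "0")))
    return [(s, list(s.iter(field_tag))) for s in specs]

def is_filtered(event, filter_xml=FILTER_XML):
    """True when any enabled specification matches (specifications are ORed),
    meaning the collector drops the event instead of forwarding it."""
    specs = load_specs(filter_xml, "filter-spec", "filter-field")
    return any(spec_matches(fields, event) for _, fields in specs)

def aggregate(events, aggregator_xml=AGGREGATOR_XML):
    """Forward the first event of a set at once; fold later events that match
    the same spec, share its similarity fields and fall within the spec's time
    window (ms from the first event, an assumption) into one aggregated event
    with start/end times and a count, other fields from the set's first event."""
    specs = load_specs(aggregator_xml, "aggregator-spec", "aggregator-field")
    forwarded, open_sets = [], {}
    for ev in sorted(events, key=lambda e: e["time_ms"]):
        for spec, fields in specs:
            if not spec_matches(fields, ev):
                continue
            key = (spec.get("index"), tuple(ev.get(s.get("name"))
                                            for s in spec.iter("similarity-field")))
            cur = open_sets.get(key)
            if cur is None or ev["time_ms"] - cur["first_ms"] > int(spec.get("time")):
                open_sets[key] = {"first_ms": ev["time_ms"], "agg": None}
                forwarded.append(dict(ev))          # first of a set: sent immediately
            elif cur["agg"] is None:
                cur["agg"] = dict(ev, start_time_ms=ev["time_ms"],
                                  end_time_ms=ev["time_ms"], count=1)
                forwarded.append(cur["agg"])         # the one aggregated event
            else:
                cur["agg"]["end_time_ms"] = ev["time_ms"]
                cur["agg"]["count"] += 1
            break
        else:
            forwarded.append(dict(ev))               # no specification matched
    return forwarded

# Constructed sample events: scan-A bursts inside the 124 ms window, scan-B is a
# separate set, scan-A repeats outside the window, then an unrelated login event.
SAMPLE_EVENTS = [
    {"time_ms": 0, "display_id": "15", "data_scan_guid": "scan-A", "ip_destination_port": "80", "event_desc": "scan start"},
    {"time_ms": 50, "display_id": "15", "data_scan_guid": "scan-A", "ip_destination_port": "22", "event_desc": "scan item"},
    {"time_ms": 100, "display_id": "15", "data_scan_guid": "scan-A", "ip_destination_port": "22", "event_desc": "scan item"},
    {"time_ms": 110, "display_id": "15", "data_scan_guid": "scan-B", "ip_destination_port": "22", "event_desc": "scan start"},
    {"time_ms": 300, "display_id": "15", "data_scan_guid": "scan-A", "ip_destination_port": "22", "event_desc": "scan end"},
    {"time_ms": 310, "display_id": "7", "data_scan_guid": None, "ip_destination_port": "80", "event_desc": "LOGIN SUCCESS"},
]
```

Running `aggregate(SAMPLE_EVENTS)` yields five forwarded records: the first scan-A event, one aggregated event covering 50 to 100 ms with a count of 2, the scan-B event, the late scan-A event as the start of a new set, and the login event untouched.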

Section 5
Working with events and event archives

- Chapter 13. Managing event archives
- Chapter 14. Forwarding events to an Information Manager server
- Chapter 15. Understanding event normalization
- Chapter 16. About Effects, Mechanisms, and Resources
- Chapter 17. Collector-based event filtering and aggregation
- Chapter 18. Working with the Assets table


Chapter 13
Managing event archives

This chapter includes the following topics:
- About events, conclusions, and incidents
- About the Events view
- About the event lifecycle
- About event archives
- About multiple event archives
- Creating new event archives
- Restoring event archives
- Specifying event archive settings
- Creating a local copy of event archives on a network computer
- Viewing event data in the archives
- About working with event queries

About events, conclusions, and incidents

Security products and operating systems generate many kinds of events. Some events are informational, such as a user logging on, and others may indicate a security threat, such as antivirus software being disabled.

A conclusion occurs when one or more events match a correlation rule pattern. Information Manager normalizes events from multiple security products and looks for the patterns that indicate potential threats.

An incident is the result of one or more conclusions that are identified as a type of attack. Many conclusions can be mapped to a single incident.

For example, if a single attacker causes a number of different patterns to be matched, those are grouped into a single incident. Similarly, if a vulnerability scan uncovers a computer that suffers from a number of different vulnerabilities, these are all grouped into a single incident. Or, if a number of different computers report the same virus, Information Manager creates a single outbreak incident.

About the Events view

See About security products and devices on page 31.

The Events view provides access to all of the event archives that the Information Manager server uses. Each archive stores events based on the Event Storage Rules that you configure on the System view. To view the events that are stored in any archive, you can do the following:
- Use the preconfigured query templates or system queries. The preconfigured templates and queries provide the parameters that you can set. You can choose the archive that you want to search, the time period within which you want to search for events, and so forth. Some templates and queries have more parameters than others, depending on the purpose of the query.
- Save a copy of any preconfigured template query with the parameters that you have chosen, and customize the copy.
- Create a new query using the Query Wizard.
- Schedule queries to be distributed as CSV reports.

When a template or query is run, the results are displayed in the results pane of the Events view. The results pane lets you view and search for information about archived events in both graphical and text formats. You select the archive that you want to research, and the viewer displays a histogram that represents the data stored in that archive. You can then narrow the display to a particular historical period (for example, the previous month or a specific one-hour period). You can display event details in a table and drill down to get all details about one event at a time. You can also filter the results in this view.
See About events, conclusions, and incidents on page 207.

About the event lifecycle

Figure 13-1 shows the lifecycle of an Information Manager event.

Figure 13-1 Event lifecycle

Information Manager processes security event data in the following manner:
- The event collector collects the raw event data from the security product.
- The event collector normalizes the event data and filters and aggregates the events according to the event collector configuration settings.
- The agent sends the normalized events and, if configured, the raw event data to the designated Information Manager.
- Information Manager stores the event in the event archive.
- Information Manager updates the event summary tables with the event information.
- Information Manager correlates the event and, if the event triggers a correlation rule, creates an incident.
- Information Manager stores the incident in the incident database.
- Information Manager console users view incident and event reports.

See About events, conclusions, and incidents on page 207.

About event archives

Event archives provide a compact, convenient way to store event data for regulatory compliance, forensic research, and long-term data retention. Event archives contain event data from the security products that are set up to forward events to a Symantec Security Information Manager Server.

Note: By default, newly created event archives are stored for seven days, but you can adjust this period to meet your requirements. However, when the available server disk space runs low, the server purges event archives. The default maximum quota is 90%, and the default free space quota is 1%. If your company requires long-term retention of event data, you can use scp or rsync over an SSH connection to copy the event archives from the server.

See About events, conclusions, and incidents on page 207.

About multiple event archives

You can create multiple event archives to organize events into the logical folders that Information Manager stores. You can create up to 16 archives on any server. Multiple event archives let you distribute the events that Information Manager receives into separate folders and across multiple servers, based on the criteria that you choose. For example, you can create an individual archive for each product that you monitor, such as an antivirus product, and store the events that the product generates in a separate archive.

You can create multiple archives on a single instance of Information Manager or on an attached storage device such as a DAS. You can also spread the archives across multiple servers. To query the event data for further analysis, you can run a query on any or all of the event archives that you have created, including the archives that are stored on separate instances of Information Manager. For example, if you created an archive that is used exclusively for antivirus events, you can choose to search the contents of that single archive or any combination of archives. By organizing events into individual archives, you can improve the performance of the queries that you use.

When an event is received, it is evaluated against the filter criteria in the order in which the event filters are listed in the console. Beginning with the first filter in the list, the event is passed through the filter to see if there is a match. If a match is found, the event is stored in the archive that you have specified for that filter, and event storage is complete. If the event does not match, it moves to the next filter in the list for evaluation. If no match is found in any of the filters that you have created, the event falls into the default archive.

To create a new event archive, you create a set of event filters that distribute the events into the appropriate archive. When you define a filter that specifies an archive in which the events are stored, you define a subfolder on the server that behaves as a separate archive.
See About event archives on page 210.

Creating new event archives

When you install Information Manager, two archives are created: SSIM Logs and Default Archive.

Note: An archive ID must be unique throughout the entire Information Manager domain. You cannot use the same archive ID in any other Event Storage Rule on any other server in the Information Manager domain.

See About event archives on page 210.

To create a new event archive
1 On the console of the Information Manager client, click System.
2 In the left pane of the Server Configurations tab, expand the tree for the Information Manager server that you want to configure, and click Event Storage Rules.
3 Click the Add (plus sign) icon.
4 In the Archive Rule Properties dialog box, in the Rule name field, type a name for the new archive.
5 In the Inclusion Filter area, add the criteria for the events that you want to store. For example, to store all Information Manager System events in this archive, the filter would be Product = SSIM System. If you do not select any filter criteria, the archive stores all events by default.
6 In the Enter data retention (days) field, type the number of days that you want to archive the data. Events that are outside of this range are purged. A setting of 0 for retention days means that events are purged based on their age.
7 In the Max archive quota drop-down list, choose a percentage.
8 In the Free space quota drop-down list, choose a percentage.
9 In the Archive ID field, type an ID if you use customized IDs for archives, or accept the default setting.

10 In the Archive Path field, specify a path relative to the Events folder on the server, or accept the default path. The path name that you specify cannot start with a slash and must be alphanumeric. The path is created in the server's file system under the /eventarchive folder. For example, if a user enters the archive path collectors/pix, the folder /eventarchive/collectors/pix exists in the file system.
11 Click OK, and then click Apply.
To be able to view new archives in the Events view in the console, you must first log out and then log on again.

Restoring event archives

You can view events from the archives that were copied from other computers. To view the archives that were copied from another computer, you must copy the entire archive folder to the appropriate location.

When you copy archives from another computer, only the owner has read and write permissions on the archive folder. Group users and other users do not have any permission on the files and folders. To be able to view events from the archives that were copied from another computer, you must grant read permissions to group and other users.
See About event archives on page 210.

To grant appropriate permissions, you must do the following:
- Change the permissions on the files in the destination archive folder from 600 to 644.
- All folders under the /eventarchive partition should have permissions 755 (drwxr-sr-x).
- You must also change the ownership of the folder to sesuser.

To restore archives from another computer
1 Copy the archive folder that you want to the /eventarchive partition, into its appropriate location (archive path).
2 All folders under the eventarchive partition should have the owner and group sesuser:ses. Run the following commands to change the ownership of the folders:
  cd /eventarchive
  chown -R sesuser:ses default
  chown -R sesuser:ses ssimlogs
3 All folders under the eventarchive partition should have permissions 755 (drwxr-sr-x). Change the permissions on the folders to 755 as shown in the following example:
  cd /eventarchive
  chmod -R 755 default
  chmod -R 755 ssimlogs
4 All the files in the archive folders must have permissions 644 (-rw-r--r--). Change the permissions on all the files in the archive folders to 644 as in the following example:
  chmod 644 /eventarchive/default/2009/08/01/ edx
  You must change the permissions for all the files in the folder.

Specifying event archive settings

The event archive feature has several settings that determine how much data is stored and how long the data is stored. You can change the default settings in the Information Manager console. Event archiving is automatically enabled during Information Manager installation.

The name of the Information Manager server appears in the left pane of the System view. If you have multiple Information Manager servers or multiple archives, each one appears in the tree. If you also use direct-attached storage for off-box storage, use the Information Manager Web configuration interface to specify the event archive settings for it.
See About event archives on page 210.

After you have configured the event archives, verify that the necessary summarizers have been enabled. You can enable the summarizers from the Database option under the Settings view of the Web configuration interface.

To specify event archive settings
1 In the Information Manager console, click System.
2 In the left pane of the Server Configurations tab, expand the tree, including the Information Manager server that you want to configure.
3 Under the Information Manager server, click Event Storage Rules.
4 In the Event Storage Rules area of the details pane, double-click the archive that you want to configure.

5 In the Archive Rule Properties dialog box, change the following as required:
  - Archive ID: You can change the Archive ID. However, the ID must be unique across the Information Manager domain.
  - Rule name: You can change the name of the rule.
  - Inclusion filter: Lets you add the criteria for the events that you want to store. For example, to store all Information Manager System events in this archive, the filter would be Product = SSIM System. If you do not select any filter criteria, the archive stores all events by default.
  - Enter the data retention (days): Lets you specify the number of days that you want to archive the data. Events that are outside this range are purged. A setting of 0 for retention days means that events are retained forever, unless there are space constraints.
  - Max archive quota: Lets you specify the proportion of server disk space that can be used for storing event archives. Note: You should modify the default setting only under the guidance of Symantec personnel. Choosing the wrong setting can cause the server to run out of disk space.
  - Free space quota: Specifies the proportion of server disk space that must remain available to continue storing event archives. Note: You should modify the default setting only under the guidance of Symantec personnel. Choosing the wrong setting can cause the server to run out of disk space.
6 Click OK.
7 To enable the rule, in the Event Storage Rules area, select the rule by using the checkbox in the Enabled column.
8 Click Apply.
9 Close the Information Manager console, and then log on to the Information Manager server again.

Events are filtered through the list of archives based on the order of the event archive rules. The first archive in the list that matches the characteristics of the event stores the event, and evaluation of the event archive rules for that event stops.
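The ownership and permission fix-up from the restore procedure above, as an added Python example that is not Symantec's code: it applies 755 to folders and 644 to files below an archive path, optionally changes ownership to sesuser:ses, and reports entries that still deviate. The temporary sample tree and its file name are constructed for the example.

```python
"""Added example, not Symantec's code: apply the ownership and permission rules
from the restore procedure (folders 755, files 644, owner sesuser:ses) to a
copied archive tree, and report anything that still deviates."""
import os
import stat
import tempfile

DIR_MODE = 0o755    # drwxr-xr-x, as the guide requires for every archive folder
FILE_MODE = 0o644   # -rw-r--r--, as the guide requires for every archive file

def check_archive_permissions(archive_root):
    """Return the paths under archive_root whose permission bits deviate from
    the guide's values. Only the rwx bits are compared, so a folder carrying
    the setgid bit (drwxr-sr-x, as in the guide's listing) is not reported."""
    bad = []
    for root, _dirs, files in os.walk(archive_root):
        for path, want in [(root, DIR_MODE)] + [(os.path.join(root, f), FILE_MODE) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue                      # symlinks are not part of an archive copy
            if (stat.S_IMODE(st.st_mode) & 0o777) != want:
                bad.append(path)
    return bad

def fix_archive_permissions(archive_root, owner=None, group=None):
    """Set 755 on folders and 644 on files below archive_root (for example
    /eventarchive/default). When owner and group are given (the guide uses
    sesuser:ses) every entry is chowned as well, which requires root. A
    folder's setgid bit is preserved, which 'chmod -R 755' would silently drop.
    Returns the number of folders and files whose mode actually changed."""
    uid = gid = -1
    if owner is not None and group is not None:
        import grp
        import pwd
        uid, gid = pwd.getpwnam(owner).pw_uid, grp.getgrnam(group).gr_gid
    changed = {"dirs": 0, "files": 0}
    for root, _dirs, files in os.walk(archive_root):
        for path, want, kind in ([(root, DIR_MODE, "dirs")]
                                 + [(os.path.join(root, f), FILE_MODE, "files") for f in files]):
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if uid != -1:
                os.chown(path, uid, gid)
            keep = (st.st_mode & stat.S_ISGID) if kind == "dirs" else 0
            new_mode = keep | want
            if stat.S_IMODE(st.st_mode) != new_mode:
                os.chmod(path, new_mode)
                changed[kind] += 1
    return changed

def make_constructed_archive():
    """Build a throwaway copy of an archive tree laid out like
    /eventarchive/default/YYYY/MM/DD with the restrictive 700/600 modes that a
    copy made by another user typically carries. Returns the 'default' path."""
    base = tempfile.mkdtemp(prefix="ssim-archive-")
    day = os.path.join(base, "default", "2009", "08", "01")
    os.makedirs(day)
    sample = os.path.join(day, "sample-events.edx")   # constructed file name
    with open(sample, "w") as fh:
        fh.write("constructed placeholder, not real archive data\n")
    os.chmod(sample, 0o600)
    for folder in (day, os.path.dirname(day), os.path.dirname(os.path.dirname(day)),
                   os.path.join(base, "default")):
        os.chmod(folder, 0o700)
    return os.path.join(base, "default")

if __name__ == "__main__":
    root = make_constructed_archive()
    print("before:", check_archive_permissions(root))
    print("changed:", fix_archive_permissions(root))
    print("after:", check_archive_permissions(root))
```

On a real server, run it as root with `fix_archive_permissions("/eventarchive/default", "sesuser", "ses")` and then confirm that `check_archive_permissions` returns an empty list before logging on to the console again.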

Creating a local copy of event archives on a network computer

You can copy event archives from the Information Manager server to another computer. Later you can access these archives through an instance of the Information Manager console on that computer. Use this procedure to create a local event archive on a computer on your network.

Warning: Do not copy individual files, because they do not work as expected. You must follow the steps in this procedure to preserve the directory structure, which contains necessary date information. You should also perform this procedure during periods of lower event and incident activity.

See About event archives on page 210.

To create a local event archive
1 Make sure that you have sufficient space on the Information Manager server for the .tar file that this procedure generates.
2 In a command window, type the following command:
cd /
3 Type the following command:
tar -cz eventarchive >eventarchive.tar.gz
Information Manager creates a gzip .tar file in the root directory on the server. This file contains all of the event archives on the server and the archive directory structure. You can also create a copy of a single archive by identifying the archive in the /eventarchive folder and specifying that archive in the command in this step.
4 Transfer the gzip .tar file to the desired location by using SCP or another method of your choice.
5 Extract the gzip .tar file.
The events in the new local archive are now viewable in the Information Manager console. The user can view the events only if the user has access to the location where the local archive resides.

See To view the events that are stored in a local copy of an archive on page 216.

Viewing event data in the archives

You can view the events for each archive that is created for each Information Manager server in your network. You can also view the events that are stored in the local event archive of the computer on which the console is installed.

You can view event archives in the following ways:
Use the preinstalled templates and queries to view the events that are stored in any of the archives that you choose. See To view the events that are stored in a local copy of an archive on page 216.
Use the Query Wizard to create a query to be executed on a particular archive or set of archives. See About working with event queries on page 225.

To view the events that are stored in the event archives
1 In the Information Manager console, click Events.
2 Expand the tree in the left pane to view the event template and query folders.
3 Choose an event query that returns the event data that you want to view. For example, in the Templates folder, click the All Events template.
4 In the details pane, select the archives that contain the events that you want to view.
5 Click Run Template, or if you use a query from one of the Query folders, click Run Query.

To view the events that are stored in a local copy of an archive
1 In the Information Manager console, click Events.
The tree in the left pane displays the ID of the Information Manager server where the live archive is stored.
2 To access a local archive, click Local Event Archives, click the + icon (the plus sign) on the toolbar, and then navigate to the location of the archive.
3 Select Add Archive.
4 Click All Events under the appropriate address in the left pane.
5 Select Local archive, and click Run template.
Archived event data is displayed in a histogram in the right pane.

To save displayed data to a file
1 After you have run the template or query, click the Export icon on the toolbar.
2 Navigate to the location where you want to save the file, and type a name in the File name box.
3 Click Save.

To remove a local archive from the viewer
1 In the left pane, click the name of the local archive that you want to remove.
2 Click the - icon (the minus sign) on the toolbar.
Information Manager removes the event archive from the viewer. You can now use the left pane to navigate to a different event archive.

About the event archive viewer right pane

The right pane of the event archive viewer contains the following components, which you can manipulate to display the data that you want:
Event data histogram
Event details table

See Viewing event data in the archives on page 216.

Manipulating the event data histogram

The X-axis of the event data histogram is the time dimension, and the Y-axis is the event count (by default). To identify specific time periods, move the mouse over the histogram and hover (without clicking) on one bar at a time. A label displays the date, time, and number of events that correspond to that bar.

Note: The histogram is available only for the All Events Query.

See Viewing event data in the archives on page 216.

The toolbar above the histogram includes several tools to change the appearance of the histogram to help you access the information that you want. You can manipulate the histogram in the following ways:
To change the timeframe of the view, select an option from the View drop-down list; for example, select Last 12 hours. You can also choose a custom view. See Setting a custom date and time range on page 218.
To expand the amount of data that is displayed in the current view of the histogram, click the Zoom Out icon. If you keep clicking, you gradually display the entire dataset in this window.
To gradually narrow the amount of data that is displayed in the current view of the histogram, click the Zoom In icon.
To change the time resolution on the x-axis, make a selection from the Resolution drop-down list. For example, select Hours to group the data in hour-long units.
To search for a specific time period and event type, click the Filter icon. The Event Filter dialog box that appears lets you choose a time range and filter criteria. See To filter with the advanced filter option on page 224.
To move forward and backward in time, click the right-facing and left-facing arrows beside the histogram.
To change the y-axis to display events per second, select Events per second. To return to the event count, select Event Count.

Setting a custom date and time range

If you want to fine-tune the period of time that is displayed in the histogram, select a custom view.

See Viewing event data in the archives on page 216.

To set a custom date and time range
1 On the toolbar, click the calendar icon, next to the View selection box.
2 In the Archive Time Range dialog box, in the Between: box, choose the start date and time of the time range. You can type the information in the box or use the up and down arrows. You can also click the calendar icon and then set the date and time on the Calendar dialog box.
3 In the and: box, choose the end date and time of the time range. You can type the information in the box or use the up and down arrows. You can also click the calendar icon and then set the date and time on the Calendar dialog box.
4 Click OK.
The event data histogram now displays data for the time range that you selected.

About viewing event details

In the lower area of the right pane, you can display a table that contains details for the entire range of events in the histogram. The table can also display a selected portion of the events.

See Viewing event data in the archives on page 216.

You can show details in the following ways:
To display details for the entire set of events in the histogram, click the Select All (green check) icon on the toolbar.
To remove all event details from the table, click the Deselect (red X) icon on the toolbar.
Click one of the bars in the histogram to display event details for the time period that is displayed in the bar.
To select a time range, click any bar on the histogram, and then press the Shift key and click another bar on the histogram. The table displays details for all of the events in that time range.

In the lower-right corner of the details table, you can see the total number of events that are selected within the displayed subset. You also can see the total number of events in the displayed subset. To view the next group of events, click the forward arrow in the lower-right corner of the table. To view all of the details in one event record, double-click one row in the table.

Modifying the format of the event details table

Each column in the event details table represents one field from the event record. You can add, delete, and reorganize the columns in the table.

Note: An event record may include several date fields. Most events have a single event date, which is the time when the event occurred (not the date when Information Manager captured the event). In this case, the Event Date value and the Ending Event Date value are identical.

Note: If an event represents an aggregation of activity that takes place over a period of time, Event Date is the beginning of the time period. Ending Event Date is the end time. Occasionally the event service registers an event with an incorrect Event Date or Ending Event Date. Information Manager corrects the times in these fields and records the original (incorrect) times in the Original Event Date and Original Ending Event Date fields.

See Viewing event data in the archives on page 216.

To add, delete, and organize table columns
1 Right-click a column heading, and click Add Column.
In the Column Filter dialog box that appears, the Selected Columns box shows all of the fields currently in the table. Occasionally a collector sends data to Information Manager that does not correspond to any fields that are defined in the existing schema. When this scenario occurs, the Column Filter dialog box displays the raw field name from the collector: for example, bugtraq_ids. This scenario may also occur if a collector's SIP is not installed on the server.
2 Complete any of the following tasks:
To add a column, click a field name in the Available Columns box, and click Add. You may also use the Ctrl key to select multiple field names, and click Add.
To add all of the available columns, click Add All.
To delete a column, click one or more field names in the Selected Columns box, and click Remove.
To delete all of the columns, click Remove All.
To change the position of a column, click a field name and click Move Up or Move Down until the name is in the desired position. You can also click Move To Top or Move To Bottom.
3 When you finish making changes, click OK.
The changes are reflected in the event details table.

After you have modified the event details table to display the data that you want, you must save it as a query. By saving it as a query, you can see the same data in the same format the next time you log on to the Information Manager server.

See To save the modified table format on page 220.

To save the modified table format
1 After you finish modifying the table format, click the Save View icon.
2 Type a query name, and click OK.
The query is saved in the My Queries folder in the tree pane. The next time that you log on to Information Manager, you can select that query. The table format appears the way that you modified and saved it.

Searching within event query results

When you perform an event query, you can search for a specific event within the initial query results. You can perform a text search or use regular expressions to further refine the search. You can choose whether the search spans all of the available event fields or a specific field.

See Viewing event data in the archives on page 216.

To search within event query results
1 After you run the query, in the Events table in the bottom pane, click Search for events.
2 In the Search Events dialog, in the Text Search field, type the text or regular expression.
3 In the Options area, place a check next to the appropriate options. If the text is a regular expression, ensure that Regular Expression is checked.
4 In the Look in area, take the following action:
If you want to search in all of the available fields for the set of events, click All fields.
If you want to search for a value that is stored in a specific field, click Selected field, and from the drop-down list, choose the field.
5 Click Search.
The results are displayed in the events table.
6 In the Search Events dialog, click Close.
7 After you have analyzed the search results, to return to the original query data, click Reset event search.

Filtering event data

You can filter event data in the following ways:
Filter on an individual cell in the event details table. You can filter on a cell that has data in it. Information Manager displays only the rows that have the same value in that column. You can also filter on an empty cell, and Information Manager displays only the rows in which that column is not empty.
Use the advanced filter option to select multiple filtering conditions in one operation.
Filter based on unique column value. This filter creates a snapshot of the events that were returned for the query based on the column that you chose for the filter. For example, in the query results for an All Events query, if you right-click any value in the Product column and choose Filter on unique column value, Information Manager creates a condensed view of the results that shows which product names occur in that column. If you had 5000 events returned that involved only three products, filtering on unique column value in the Products column creates a snapshot that shows that those three products were the only products returned in the results.

An additional filtering method is a hybrid of an advanced filter and filtering on a cell. It is called filtering manually on a cell, and it lets you create a more complex query than the cell filtering method. However, it presets the first filtering condition for you.

See To filter manually on a table cell on page 223.

To filter on a table cell
1 Right-click the cell that you want to use as the filter condition. For example, to display only level 3 events, right-click a cell with severity level 3 in the Severity ID column.
2 Click Filter on cell. If you right-clicked an empty cell, click Filter where cell is not empty.
One of the following occurs:
If you clicked Filter on cell, a new table displays only the events that have the same value as the cell where you clicked: for example, severity level 3. The table has a tab at the top that is labeled Untitled.
If you clicked Filter where cell is not empty, a new table displays all rows in which this cell is not empty.
3 Take any of the following actions:
To save the displayed view as a query, click the Save View icon. Then type the query name and click OK. If you view event data from a local archive, you cannot save the view as a query. Saving a query works only when you view event data from the live archive on the Information Manager server.
To filter the displayed data even further, repeat steps 1 and 2, or use the advanced filter option. See To filter with the advanced filter option on page 224.
To delete the table, click the red X in the upper right corner.

If no events meet the filter criteria, Information Manager displays a blank table. If a very large number of events meet the filter criteria, it may take a long time for the data to display. If you want to stop the search and view the events that Information Manager has found so far, click Cancel.

To filter manually on a table cell
1 Right-click a cell that you want to use as a filter condition. For example, to display only level 3 events, right-click a cell with severity level 3 in the Severity ID column.
2 Click Manually filter on cell. If you right-clicked an empty cell, click Manually filter where cell is not empty.
The Event Filter dialog box appears. One of the following occurs:
If you clicked Manually filter on cell, the first condition in the Filter criteria area contains the value of the cell in which you clicked. In this example, the condition would display Severity ID = 3.
If you clicked Manually filter where cell is not empty, the Filter criteria area displays the column name with the condition null.
3 To add more filter conditions, click the + icon (the plus symbol).
4 Click the first drop-down box, and then click an event field that you want to use as a filter.
5 Click the drop-down box to the right of the event field, and then click an operator: for example, the equals (=) symbol.
6 Click the drop-down box at the far right, and then click or type a value.
7 Take any of the following actions:
To add more conditions, repeat steps 3 through 6. Use the AND and OR logical operators as needed. The default operator is AND. To change it to OR, press Ctrl, click the desired boxes, and then click OR.
To remove a field, click the row and then click the - icon (the minus sign).
To ungroup conditions, select two or more rows (Ctrl + click) and then click Ungroup.
In the Time range area, select the desired time range.
8 Click Preview if you want to view the filtering statement that you created. Click Preview again if you want to add or change filtering criteria.
9 When you finish creating the query, click OK.
A new table displays only the events that meet the criteria in the query. The table has a tab at the top that is labeled Untitled.
10 Take one of the following actions:

To save the displayed view as a query, click the Save View icon. Then type the query name and click OK. If you view event data from a local archive, you cannot save the view as a query. Saving a query works only when you view event data from the live archive on the Information Manager server.
To filter the displayed data even further, repeat the previous steps, or use the procedure for filtering on a table cell. See To filter on a table cell on page 222.
To delete the table, click the X in the upper right corner.

If no events meet the filter criteria, Information Manager displays a blank table. If the number of events that meet the filter criteria is large, it may take a long time for the data to display. If you want to stop the search and view the events that Information Manager has found so far, click Cancel.

To filter with the advanced filter option
1 Click Filter at the top of the table.
2 In the Event Filter dialog box, select the desired time range.
3 In the Filter criteria area, click the + icon (the plus symbol).
4 Click the first drop-down box, and then click an event field that you want to use as a filter.
5 Click the drop-down box to the right of the event field, and then click an operator: for example, the equals (=) symbol.
6 Click the drop-down box at the far right, and then click or type a value.
7 Take any of the following actions:
To filter on only one field, go to step 8.
To add more conditions, repeat steps 2 through 6. Use the AND and OR logical operators as needed. The default operator is AND. To change it to OR, press Ctrl, click the desired boxes, and then click OR.
To remove a field, click the row and then click the - icon (the minus sign).
To ungroup conditions, select two or more rows (Ctrl + click) and then click Ungroup.
8 Click Preview if you want to view the filtering statement that you created. Click Preview again if you want to add or change filtering criteria.

9 When you finish creating the query, click OK.
A new table displays only the events that meet the criteria in the query. The table has a tab at the top that is labeled Untitled.
10 Take one of the following actions:
To save the displayed view as a query, click the Save View icon. Then type the query name and click OK. If you view event data from a local archive, you cannot save the view as a query. Saving a query works only when you view the event data from the live archive on the Information Manager server.
To filter the displayed data even further, repeat the previous steps, or use the procedure for filtering on a table cell. See To filter on a table cell on page 222.
To delete the table, click the red X in the upper right corner.

If no events meet the filter criteria, Information Manager displays a blank table. If the number of events that meet the filter criteria is large, it may take a long time for the data to display. If you want to stop the search and view the events that Information Manager has found so far, click Cancel.

To filter within the results of a query
1 Click Filter at the top of the table.
2 In the Event Filter dialog box, select the desired time range.
3 In the Filter criteria area, on the Filter Within Results tab, create the filter criteria using the table provided. See To filter with the advanced filter option on page 224.
4 When you are finished creating the criteria, click OK.

To filter on unique column values
1 After you run an event query, right-click a column that you want to use as a filter condition.
2 Click Filter on unique column values.

About working with event queries

You can query the event archives in the following ways:
Import a query from another location and save it in the My Queries folder or the Published Queries folder. See To import a query on page 236.

Use the Query Wizard to create a query against the event archives (event query). See To create an event query on page 228.
Use the Query Wizard to create a query against the summarized event data (summary query). See To create a summary query on page 229.
Use the Query Wizard to create a custom SQL query against the summarized event data (SQL query). See To create an SQL query on page 231.

After you create and save a query, you can insert it on the dashboard and use it in reports. You can also schedule queries to be distributed as reports in the CSV format.

See Scheduling queries that can be distributed as reports on page 238.

Using the Source View query and Target View query

The Source View query and Target View query replace the Source and Target views that were available in previous versions of Information Manager. These queries return the IP address and host name of each system that Information Manager identifies. After you run either query, you can double-click an entry in the list to view the incidents and the tickets that are associated with that host. If the host is not already an asset, you can add the host to the assets table by selecting the host and clicking Create Asset.

Note: The Source View query and Target View query cannot be modified in the My Queries or the Published Queries folders.

See About working with event queries on page 225.

To use the Source View query or the Target View query
1 In the Information Manager console, click Events.
2 In the left pane, click System Queries > SSIM > SSIM.
3 Select either the Source View query or the Target View query.
4 Select the database to query, and click Run Query.
5 When you view the results, you can do the following:
To create an asset from a host in the list, click the host, and click Create Asset.

To view the incidents or the tickets that are associated with a host, click Details. You can also double-click the entry.
To refresh the view, click Refresh.
To export the current view to a file, click Export current view.

Creating query groups

You can create query groups in the My Queries and the Published Queries folders of the Events view of the Information Manager console. You can also create query group subfolders in each of these folders.

See About working with event queries on page 225.

To create a query group
1 In the left pane of the Events view, right-click either My Queries or Published Queries, and click Add Query Group.
2 (Optional) Type the group name and the group description, and click OK.
The name of the new query group appears as a subfolder under the folder you selected in step 1.

Creating custom queries

You can create a custom query using different methods and save it for reuse. When you create a query, you must assign it a unique name. Be sure to follow these rules for assigning a valid query name:
It must not be null.
It must have at least one alphanumeric character.
It must consist only of alphanumeric characters and the white spaces that are created with the space bar.
It must not exceed 64 characters, including alphanumeric characters and white spaces.

See About working with event queries on page 225.

To create an event query
1 In the left pane of the Events view, navigate to the location where you want to save the query.
You can save the query in the My Queries folder or the Published Queries folder. The My Queries folder is available only to you. The Published Queries folder is available to you and other users. You can also save the query in a query group folder under either of these folders.
2 Right-click the name of the folder where you want to save the query, and click Query Wizard.
3 On the first panel of the Query Builder Wizard, select Event Query, and click Next.
4 Select the event query type, and then click Next.
Select a query from the following query types that are displayed:
Event Details: Generates a table that contains all of the fields in the event archive.
Event Counts by Field: Generates a Top N summary query that is sorted by the field that you select in the By box. You also select the event count value in the Top box.
Trending Event Counts by Field: Generates a trend of the events over the selected time period.
5 In the Archives area, you can select the archive that you want to query. By default, the Prompt at run-time option is selected. This option lets you select the archives at run time. You can uncheck the default option and select the archive that you want to query.
6 Specify the time range and filter criteria in one of the following options:
If you select View, select a time-period option from the drop-down list.
If you select Between, use the calendar drop-down lists to set the time range.
If you select Complete, Information Manager queries the entire event archive.
If you want to filter the data, specify the filter criteria. See To filter with the advanced filter option on page 224.
7 Click Next, and then choose the columns that must be displayed.
8 Click Next.
One of the following panels appears:

If you selected Event Details in step 4, the Archive Events panel appears. Go to step 12.
If you selected Event Counts by Field in step 4, the Chart Presentation panel appears. Go to step 9.
A panel displays a sample table that is based on the filtering options that you selected.
9 Click Chart Properties and use the Chart Type drop-down box to select a type. For example, you can select a pie chart or a table. You may also change the chart's orientation, and you may choose to show the legend for chart types other than Table.
Optionally, you may assign the following labels:
A title to appear above the table or graph (not necessarily the same as the query name)
Labels for the y-axis and the x-axis, for some chart types
A footer, for table charts
10 If you want to see a preview of the query results, click Preview.
11 When you finish customizing the appearance of the chart, click Next.
A chart sample appears, displaying the title and any labels that you assigned.
12 In the Query Name box, type the name that you want to appear in the left pane. Be sure to use only alphanumeric characters in the query name. If this query is an Event Details query, you can click Preview to see a preview of the query results.
13 Click Finish.
The query is saved, and its name appears under the folder that you selected in the left pane. The query results appear in the right pane.

To create a summary query
1 In the left pane of the Events view, navigate to the location where you want to save the query.
You can save the query in the My Queries folder or the Published Queries folder. The My Queries folder is available only to you. The Published Queries folder is available to you and other users. You can also save the query in a query group folder under either of these folders.
2 Right-click the name of the folder where you want to save the query, and click Query Wizard.
3 On the first panel of the Query Builder Wizard, select Summary Query, and click Next.
4 Select a database and then click Next.

5 In the Summary Table box, expand Events, and select a table from the list of presummarized tables in the database.
A description of the table appears in the Table Description box. The icon next to the table name indicates its type, which is spelled out in the Legend box.
6 After you select the table that you want, click Next.
7 Select a column index from the drop-down list.
A list of indexed fields from the database index appears in the Display Columns area.
8 Click to select one or more columns to display in the query, and click Next.
9 Specify the time range:
If you select View, select a time-period option from the drop-down list.
If you select Between, use the calendar drop-down lists to set the time range.
If you select Complete, Information Manager queries the entire event archive.
10 If you want to filter the data, specify the filter criteria, and click Next. See To filter with the advanced filter option on page 224.
11 Sort the columns in the query (optional for use with the Table format). See To sort columns in a summary query on page 231.
12 Click Chart Properties and use the Chart Type drop-down box to select a type: for example, a pie chart or a table. You may also change the chart's orientation, and you may choose to show the legend for chart types other than Table.
Optionally, you may assign the following labels:
A title to appear above the table or graph (not necessarily the same as the query name)
Labels for the y-axis and the x-axis, for some chart types
A footer, for table charts
13 Click Next.
A query sample appears, displaying the title and any labels that you assigned.

14 In the Query Name box, type the name that you want to appear in the left pane. Be sure to use only alphanumeric characters in the query name.
15 Click Finish.
The query is saved, and its name appears under the folder that you selected in the left pane. The query results appear in the right pane.
When you view the results of a Summary query, clicking chart elements to view the details for that portion of the chart is not supported.

Symantec recommends that you disable summarizers on the Web configuration interface if you do not use summary queries. The summarizers are maintained in Symantec Security Information Manager 4.7 only to provide backward compatibility with previous versions of Information Manager. The summarizers are listed under Settings > Database > Event Summarizers.

To sort columns in a summary query
1 On the right side of the Column Sorting panel, click Add Column.
2 Click in the Sort Column, and select a field to be sorted in the query table.
3 Click Asc (ascending) or Desc (descending) to determine the way the data in the column must appear.
4 Repeat steps 1 through 3 if you want to sort more fields.
5 Use the other icons (for example, Move Up) until you have the columns arranged in the proper order.
6 For Max Rows Return, take one of the following actions:
To return every row in the database, click All.
To return a specific number of rows, click Top, and select a number.
7 Click Next to continue creating a summary query.
Return to the step in which you select the format for the query results. See To create a summary query on page 229.

To create an SQL query
1 In the left pane of the Events view, navigate to the location where you want to save the query.
You can save the query in the My Queries folder or the Published Queries folder. The My Queries folder is available only to you. The Published Queries folder is available to you and other users. You can also save the query in a query group folder under either of these folders.
2 Right-click the name of the folder where you want to save the query, and click Query Wizard.

3 On the first panel of the Query Builder Wizard, select Advanced SQL Query, and click Next.

Note: You must be a member of the Domain Administrators group to create and execute Advanced SQL Queries.

4 Select a database and then click Next.

5 In the text box, type or paste an SQL statement. The following actions are optional:
   In the Maximum rows box, select the maximum number of rows to appear in the table.
   View a list of tables and fields in the database by clicking Show Schema.

6 Click Test Query. Information Manager runs the SQL query and displays the result in table form. While the query runs, you may stop it by clicking Stop Query.

7 Repeat steps 5 and 6 until you are satisfied with the query, and click Next.

8 Click Chart Properties and use the Chart Type drop-down box to select a type. For example, you can select a pie chart or a table. You may also change the chart's orientation, and you may choose to show the legend for chart types other than Table. Optionally, you may assign the following labels:
   A title to appear above the table or graph (not necessarily the same as the query name)
   Labels for the y-axis and the x-axis, for some chart types
   A footer, for table charts

9 If you want to see actual data in a preview chart, click Preview.

10 When you finish customizing the appearance of the chart, click Next. A chart sample appears, displaying the title and any labels that you assigned.

11 In the Query Name box, type the name that you want to appear in the left pane. Be sure to use only alphanumeric characters in the query name.

12 Click Finish. The query is saved, and its name appears under the folder that you selected in the left pane. The query results appear in the right pane.

Querying across multiple archives

When you run a query, you can choose to retrieve event data from multiple archives. The query description in the right pane of each query includes a list of all of the known archives.

In some cases, the query that you run may include archives that are unavailable. For example, if you save a query and then run it later, a change may have been made in the meantime that makes an archive unavailable. If you run a query using Run Query on the Events view and an archive is unavailable, you are prompted to choose from the following options when the query runs:

   OK          Allows the query to continue to run on any other archives that are part of the query and that are available.
   Ignore      Same as OK, except that you are not prompted again in the current session for that archive if it continues to be unavailable.
   Ignore all  Same as OK, except that you are not prompted for any of the unavailable archives in the current session.

Note: When you run a scheduled report and an archive is unavailable, Information Manager generates the report using the available archives. You are not notified of an unavailable archive when the report is created, and no indication is given in the generated report. When scheduled reports are executed, queries run on all available archives and skip the archives that are not accessible. Therefore, results can be inaccurate, and the user is not warned that some archives were not processed.

To query across multiple archives
1 In the Information Manager console, click Events.
2 In the left pane, navigate to the desired query and select it.
3 In the right pane, under Please select archives to query, place a check in the checkbox for each archive that you want to include.
4 If necessary, configure any of the other required fields, and then click Run Query.

Some queries may take longer than others to return the expected results. If a query may return a large amount of data, create a scheduled report to run the query at a specified time.

See About working with event queries on page 225.

Managing the color scheme that is used in query results

When you run a query, you can use a customized color scheme for the queries that are displayed in chart format. You can add or remove colors, and change the order in which they appear in the query results view. You can then save your changes as a template.

To create a customized color template
1 In the Information Manager console, click System.
2 Click the Administration tab.
3 Expand the domain tree, and then click Reporting.
4 Click Add Color.
5 In the Add Color box, on the Swatches tab, make your selection. You can make additional adjustments to the color on the HSB and the RGB tabs.
6 Click OK.
7 If you want to move the color up in the reporting list, click Move Up.
8 When you have finished making your modifications, click Create Template.
9 Type a name for the template, and then click OK.

To adjust the color configuration in an existing template
1 In the Information Manager console, click System.
2 Click the Administration tab.
3 Expand the domain tree, and then click Reporting.
4 From the drop-down menu, select the template that you want to modify.
5 After you make your changes, click Create Template.
6 Type the name of the template to modify, and then click OK.

See About working with event queries on page 225.

Editing queries

You can edit any query in the My Queries folder or the Published Queries folder. If you want to edit a predefined query or use one as a template, you can make a copy of the predefined query and then paste it into the My Queries folder or the Published Queries folder.

See About working with event queries on page 225.

Note: If you cannot view queries on the Events view, your role may lack the necessary permissions. You must have Read and Search permission for the appropriate query groups and the database. A user who is a member of an Administrator role can assign permissions.

Table 13-1 provides some examples of the methods with which you can edit predefined queries to suit your needs.

Table 13-1 Predefined query editing examples

Query group in System Queries: Product Queries > MS SQL Server Database
Query: Failed Logins
Field: Product
Sample modifications: In the Filter criteria, change the Product code to create an identical query for Oracle.

Query group in System Queries: Security Queries > Firewall
Query: Blocked Connections on Port 80 or 443 by IP address
Field: Time range (View); Filter criteria
Sample modifications: To increase the queried time period, change the time range from Last week to Last month. To query a different port, change the value for IP Destination Port in the Filter criteria. After changing the port, rename the query to reflect the new port number: right-click the query name, and then select Rename.

Query group in System Queries: SSIM > SSIM system
Query: SSIM Failed Logins
Field: Filter criteria
Sample modifications: In the Filter criteria, add a filter to show only events with Severity ID=4.

Note: In a tabular query, you can add and remove columns from the table in which data is displayed. However, if you place the modified query in a report, the column changes do not persist. You must insert the query in the report, and then add and remove table columns.

To edit a predefined query
1 In the Information Manager console, click Events.
2 In the left pane, navigate to the desired query in the System Queries folder and select it.
3 Drag and drop the query into the My Queries folder or the Published Queries folder. A customizable copy of the query is created.
4 In the new folder, right-click the query name, and then select Edit Query.
5 Modify the desired query parameters, and then click OK.

Importing queries

Information Manager lets you import a query (a file with the .qml extension) from a folder on your computer. You can place the query in the My Queries folder, the Published Queries folder, or in any query group in one of those folders.

To import a query
1 In the left pane of the Events view, click the location where you want to save the query. You can save the query in My Queries (available only to you) or Published Queries (available to you and other users). You can also save the query in a query group folder under either of these folders.
2 On the toolbar, click Import Query.
3 Browse to the location where the query resides, and click the name of the query file.
4 Click Open. The name of the query appears in the left pane under the folder that you selected. The results of the query appear in the right pane.

See About working with event queries on page 225.

Exporting queries

You can save a query in a different location. For example, you can save a query as a file on a computer hard drive or CD. You can then attach the query to an e-mail message or copy it to another computer. The export feature also lets you export a System Query, which you can then import into the My Queries folder or the Published Queries folder for editing.

To export a query to a file
1 In the left pane of the Events view, click the name of the query that you want to export. The query parameters appear in the right pane.
2 On the toolbar, click Export Query.
3 In the Save dialog box, navigate to the location where you want to save the file and type a name in the File Name box.
4 Select the file type from the Files of Type drop-down list. If you want to be able to edit the file, select QML Files as the file type.
5 Click Save. Information Manager saves the query in the location that you specified.

See About working with event queries on page 225.

Publishing queries

You are the only user who can access the queries in the My Queries folder and its subfolders. If you want to make a query available to other users, you can copy it to the Published Queries folder.

To publish a query
1 In the left pane of the Events view, locate the query under My Queries that you want to publish.
2 Right-click the query name, and then click Publish Query.
3 Click Yes to confirm that you want to publish the query. The query name appears under the Published Queries folder in the left pane.
4 If you want to move the query into a query group under Published Queries, use the mouse to drag the query name to the desired group.

See About working with event queries on page 225.

About querying for IP addresses

When you create a custom SQL query for an IP address, Information Manager returns an integer value of the address. To return an IP address in the more familiar nnn.nnn.nnn.nnn format, use the following macro in your SQL query. The ELSE branch handles addresses that the database stores as negative 32-bit integers (addresses whose first octet is 128 or higher): it adds 2^32 (4294967296) before splitting the value into octets by dividing by 16777216, 65536, and 256.

    SELECT CASE
             WHEN E.SOURCE_IP >= 0 THEN
               rtrim(char(mod(E.SOURCE_IP / 16777216, 256))) || '.' ||
               rtrim(char(mod(E.SOURCE_IP / 65536, 256))) || '.' ||
               rtrim(char(mod(E.SOURCE_IP / 256, 256))) || '.' ||
               rtrim(char(mod(E.SOURCE_IP, 256)))
             ELSE
               rtrim(char(mod((4294967296 + E.SOURCE_IP) / 16777216, 256))) || '.' ||
               rtrim(char(mod((4294967296 + E.SOURCE_IP) / 65536, 256))) || '.' ||
               rtrim(char(mod((4294967296 + E.SOURCE_IP) / 256, 256))) || '.' ||
               rtrim(char(mod(4294967296 + E.SOURCE_IP, 256)))
           END AS "Source IP"
    FROM SYMCMGMT.SYMC_SIM_EVENT E
    WHERE <Parameter to filter events>

See About working with event queries on page 225. For more information, refer to your SQL manual.
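The signed-integer storage described above is easy to get wrong when event data is pulled out of the database for analysis elsewhere. The following Python example is added here as an illustration and is not part of the Information Manager documentation or product: it converts between the signed 32-bit representation and dotted-quad text in both directions, re-implements the arithmetic of the SQL macro so the macro's logic can be checked against Python's ipaddress module, and runs the check over a few constructed sample values (the row values are invented for the example).

```python
import ipaddress

TWO_32 = 2 ** 32
TWO_31 = 2 ** 31


def signed32_to_dotted(value: int) -> str:
    """Convert a signed 32-bit integer (how the event table stores an IPv4 address)
    to dotted-quad text. Negative values are addresses whose first octet is >= 128."""
    if not -TWO_31 <= value < TWO_31:
        raise ValueError(f"{value} is not a signed 32-bit integer")
    unsigned = value + TWO_32 if value < 0 else value  # same correction as the SQL ELSE branch
    return ".".join(str((unsigned >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def dotted_to_signed32(text: str) -> int:
    """Inverse conversion: dotted-quad text to the signed value a query would have to filter on.
    ipaddress validates the text, so malformed input raises instead of silently mis-converting."""
    unsigned = int(ipaddress.IPv4Address(text))
    return unsigned - TWO_32 if unsigned >= TWO_31 else unsigned


def sql_macro_octets(value: int) -> str:
    """Reproduce the SQL macro's arithmetic (integer division plus mod 256 per octet)
    so it can be compared with the shift-based conversion above."""
    v = value if value >= 0 else TWO_32 + value
    return ".".join(str((v // divisor) % 256) for divisor in (16777216, 65536, 256, 1))


# Constructed sample column values: 10.0.0.1, 192.168.1.1, 255.255.255.255, 0.0.0.0
SAMPLE_ROWS = [167772161, -1062731519, -1, 0]


def check_samples(rows=SAMPLE_ROWS) -> dict:
    """Convert each stored value and confirm the SQL-style arithmetic and the
    round trip agree; returns {stored_value: dotted_text}."""
    results = {}
    for stored in rows:
        dotted = signed32_to_dotted(stored)
        if sql_macro_octets(stored) != dotted:
            raise AssertionError(f"SQL macro arithmetic disagrees for {stored}")
        if dotted_to_signed32(dotted) != stored:
            raise AssertionError(f"round trip failed for {stored}")
        results[stored] = dotted
    return results


if __name__ == "__main__":
    for stored, dotted in check_samples().items():
        print(f"{stored:>12}  ->  {dotted}")
```

The practical use is the reverse direction: when you filter on a specific address in an Advanced SQL Query, the value you compare SOURCE_IP against must be the signed integer that dotted_to_signed32 returns, not the unsigned value most tools print.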

Deleting queries

If you no longer need a query, you can delete it.

Note: You can delete only the queries under the My Queries folder and the Published Queries folder. You cannot delete the System Queries folder or its contents.

To delete a query
1 In the left pane of the Events view, navigate to the query to delete.
2 Right-click the query name, and then click Delete Query.
3 Click Yes to confirm. The query name is removed from the list in the left pane.

See About working with event queries on page 225.

Scheduling queries that can be distributed as reports

You can now schedule queries to be distributed in a report as a CSV file. The Schedule option is available on the Events view when you select a query from the Published and System queries. On saving the scheduled queries in the Events view, the scheduled query reports are created under the Published Reports folder under the Reports view. You can send the scheduled query reports by e-mail as a compressed CSV file, and make them available by a URL link within the mail. You can also download these reports from the Web configuration interface under Manage Reports > Scheduled Query Reports in CSV format in a compressed file.

The maximum row limit of the CSV file is 1 million rows, corresponding to 1 million events. The maximum size of the CSV file that you can send by e-mail is limited to 15 MB.

Note: Scheduled queries are limited to one query only. If the scheduled query contains a chart, it is converted to a table in the created reports.

Note: The Design option is not available for scheduled query reports.

See About working with event queries on page 225.

You can schedule the following types of queries:
   Summary data query
   Event detail query

   Custom SQL query

Note: Top N by Field and Trending Event Count by Field queries cannot be scheduled from the Events view as scheduled query reports.

To schedule a query as a report
1 In the console of the Information Manager client, click Events.
2 In the Explorer pane, under Published Queries or System Queries, click the name of the query that you want to schedule and distribute as a report.
3 In the right pane, click Schedule.
4 Type the name of the scheduled query.
5 In the Set Schedule for Query dialog box, specify the time, date, and recipients for the generated reports. Set the message subject and body text as required.
6 Select the option for CSV attachment or a URL link as required. When the recipient clicks the link, the report is directly accessible. Note that the user must be logged on to the Web configuration interface using the host name of Information Manager. If the user has logged on using the IP address of Information Manager, the user is prompted for authentication, after which the report becomes accessible.
7 Take one or more of the following actions as required:
   To save the query report to the Published Reports folder and close the Set Schedule for Query dialog box without scheduling the query, click OK.
   To enable the Schedule and Test icons and save the query report in the Published Reports folder, click Save.
   To ignore any changes that were made since the last save and exit the dialog box, click Cancel.
   To verify the entered details, click Test to send the query to the specified recipients.
   To schedule the query, click Schedule.

The published query report is also available under the Scheduled Query Reports option under Manage > Reports on the Web configuration interface.


Chapter 14 Forwarding events to an Information Manager server

This chapter includes the following topics:
   About forwarding events to an Information Manager server
   About registering a security directory
   Registering the Information Manager with a security domain
   Activating event forwarding
   Stopping event forwarding

About forwarding events to an Information Manager server

Event forwarding lets you create distributed configurations that handle higher event loads more efficiently by allowing events to be forwarded to multiple servers. For example, you can set up one event forwarding rule to send all events to Information Manager server A, and another event forwarding rule to send all events to Information Manager server B. This setup is good for redundancy. You can also archive different event types on different systems: you specify different event criteria on each event forwarding rule and point each rule to the appropriate Information Manager server.

A Collection Server is an instance of the Information Manager server that collects events from multiple sources and forwards them to another server. A Correlation Server is an instance of Information Manager on which correlation is enabled and events are received.

For example, you can have multiple Information Manager servers store events from security products. You can then forward only those events that are needed for determining security incidents to a Correlation Server. The Collection Servers store the uncorrelated events (when archiving is enabled) to support compliance with policies such as Sarbanes-Oxley. The Correlation Server processes the forwarded events to allow monitoring of the security incidents in your network.

See About event archives on page 210.

During the Information Manager installation process, one default event forwarding rule is created. This rule is created on the Information Manager server to forward events from the event service to the correlation manager at . If you have multiple Information Manager servers, you may need to configure this forwarding rule. You can configure the rule to specify the destination Information Manager server to which to forward events. You may also choose to forward events to an event service (port 10012) on the destination server, instead of the correlation manager (port 10010).

You can create additional event forwarding rules on a single instance of Information Manager for backup purposes. You can also create these rules if you want to store certain types of events separately. For example, you can set up one forwarding rule to send events to Information Manager A and another forwarding rule to send events to Information Manager B. You can define event criteria to filter certain events to be forwarded to Information Manager A, and then specify that other types of events are forwarded to Information Manager B.

To configure event forwarding from one server to another, you must do the following:
   Register the collector of each security product that you want to monitor with the destination Information Manager server. See Registering Collectors on page 170.
   Use the Web configuration interface of the Information Manager to join the Collection Server with the security directory of the Correlation Server. See Registering the Information Manager with a security domain on page 244.
   Configure the Collection Server to forward events. See Activating event forwarding on page 245.

Note: You cannot create incidents manually on an Information Manager server that is configured as a Collection Server. After you set up an instance of Information Manager as a Collection Server, you cannot reconfigure Information Manager to correlate events using software settings.

To forward events through a firewall, make sure to open the ports that are required for the Information Manager servers to communicate.

When the Correlation Server is unavailable, by default the forwarding server continues to queue events until the Correlation Server is available again. If the queue on the forwarding server fills up, the forwarding server stops receiving events. When the forwarding server stops receiving events, the collectors try to queue events until the forwarding server is able to accept events again.

The event criteria determine which events are forwarded to the destination Information Manager server. You set event criteria in the console of the Information Manager client, on the System view, Server Configurations tab. If the Event Criteria pane is empty, all events are sent to the Information Manager server. If you add a condition to the event criteria, only the events that match those criteria are sent.

To view forwarded events, a user in the console of the Information Manager client must have sufficient rights to view those types of events. If the product, domain, or organizational unit of an event does not match those allowed by the role that is assigned to the user, the event does not appear. The ability to view the forwarded events also depends on whether archiving is enabled on the console.

Note: Information Manager Event Services cannot forward events to a Correlation Server if they cannot resolve the host name for which the Correlation Server's SSL certificate was generated. To resolve this problem, add a DNS entry for the IP address and host name of the Correlation Server. You can also generate a new certificate for the Information Manager server that is based on its IP address.

If you forward events to an event service on the destination Information Manager server, you can enable data encryption. The data encryption option is not available when you forward events to a correlation manager.

About registering a security directory

You can register the security directory of an Information Manager server with the security directory of another Information Manager server. The registration can be performed from the Directory Registration view of the Web configuration interface.

Using the Register option on the Directory Registration view configures a Collection Server to use the same LDAP directory as the Correlation Server. After you register, the Collection Server also inherits the same LDAP configuration as the Correlation Server. If the Correlation Server is configured to use a local or a remote LDAP, then the Collection Server uses that database to store event

information. However, if the Correlation Server is configured as a Correlation-only Server (event pass-through enabled, events not stored), the Collection Server inherits similar settings. In that case, you must create a new database configuration on the Collection Server if you want to store events in its database.

Note: You can perform a directory registration of an Information Manager server with another Information Manager server. However, the User Filters, User Monitors, User Rules, and User Lookup Tables that existed on the first Information Manager server before registration become unavailable.

For information on creating database configurations, refer to the Help of the Web configuration interface.

When you specify the name of the remote directory to which you register, ensure that you specify the correct domain name. In addition, make sure that you use the correct case (for example, Symantec.SES instead of symantec.ses). LDAP directory connections are not case-sensitive, but database connections are. If you use the wrong case, the Collection Server connects to the LDAP directory of the Correlation Server but not to the database. When this situation occurs, no events appear in queries and reports.

See About events, conclusions, and incidents on page 207.

Registering the Information Manager with a security domain

The Information Manager Web configuration interface lets you add Information Manager to the security domain of the destination Information Manager server. The process of registering the Information Manager with the security directory of the other Information Manager may take 10 minutes.

To register the Information Manager with a security domain
1 Log on to the Information Manager Web configuration interface with the administrative credentials.
2 Click Settings > Directory Registration.
3 In the Directory Registration view, click Register.

4 In the details pane, under Directory Registration, type the following information in the provided fields:
   Host name or IP address   The host name or IP address of the external security directory.
   LDAP port                 The LDAP communications port that the security directory uses. The default is 636.
   LDAP cn=root password     The password for the cn=root account.
   Administrator             The Domain Administrator account on the remote Information Manager server.
   Password                  The SSIM Domain Administrator password for the external Information Manager server.
   Domain                    The name of the remote security directory, such as Symantec.SES.
5 Click Register. You can use the Visualizer tab on the System view to confirm that the directory registration is successful.
6 Configure the primary Information Manager server to forward events to the destination Information Manager server. See Activating event forwarding on page 245.

Activating event forwarding

You can modify the default event forwarding rule, and can create additional event forwarding rules. You can also delete or modify an existing event forwarding rule.

When an Information Manager server receives the forwarded events, it stores the events according to the Event Storage Rules that are configured for that server. To specify the archive in which the forwarded events are stored, you must do the following:
   Configure the forwarding Information Manager server to send the events to the receiving Information Manager server.
   Configure the receiving Information Manager server to store the events in the appropriate archive.

Note: Before completing the following steps, make sure that you have connected network cabling between the collection and the correlation Information Manager server.

See About forwarding events to an Information Manager server on page 241.

To configure the default event forwarding rule
1 In the console of the Information Manager client, click System.
2 On the Server Configurations tab, expand the Information Manager server that forwards the events to the Correlation Server and click Event Forwarding Rules.
3 In the right pane, double-click the rule.
4 In the Event Forwarding Rules dialog box, in the Inclusion filter area, do not insert any filter criteria. Leaving this area empty ensures that all events are forwarded to the default correlation Information Manager server. You can create additional event forwarding rules to specify forwarding criteria.
5 Under Primary and Failover Servers, type the host name or IP address of the correlation Information Manager server. You may choose not to configure the failover server. You can also forward to servers that are not Correlation Servers. Usually, the failover is configured to fail over to another collection server.
6 Under Select the service to forward to, select one of the following:
   To forward events to a Correlation Server, select Correlation Service.
   To save the events in the destination Information Manager server's event archive, select Event Service.
   If you want the forwarded event data to be encrypted between the collection servers and the correlation servers, go to step 7.
7 To encrypt the event data between the collection servers and the correlation Information Manager servers, select Event Service (Encrypted). If you choose to encrypt event data, the data is sent using HTTPS (port 443).
8 By default, event forwarding rules queue events on the host if the destination Information Manager server is not available. If you do not want Information Manager to queue events, uncheck Queue events if target service is unavailable.

9 You can enable the Use Persistent Queues option. This option causes all events to be written to the hard disk queue and then forwarded to the specified destination. If the destination is not available, the event service continues to write events to the disk queue (without blocking the event stream). It flushes the queue when it detects that the destination is back online. Enabling persistent queues may affect event forwarding performance.
10 Click OK.
11 Make sure that the appropriate event forwarding rule is selected (enabled) in the pane. For example, to enable the default event forwarding rule on a collection Information Manager server named Denver, select the Correlation Forwarding box under the Denver folder.
12 Click Apply.

To create a new event forwarding rule
1 In the Information Manager console, click System.
2 On the Server Configurations tab, expand the Information Manager server to which you want to add an event forwarding rule. Click Event Forwarding Rules.
3 On the toolbar, click + (the Add icon).
4 In the Rule name box, type the name of the new rule.
5 By default, all events are forwarded. To limit the types of events forwarded, complete the following steps in order:
   In the Inclusion filter area, click Add (+).
   In the left column, click an entry in the Common, Events, or Other Fields tabs.
   In the middle column, specify a logical operator.
   In the right column, specify the value that you filter on.
   Repeat these steps for any other conditions that you want to include.
6 To complete the configuration, click OK.
7 To apply, click Apply.

To delete an event forwarding rule (stop event forwarding to an Information Manager server)
1 In the Information Manager console, click System.
2 On the Server Configurations tab, expand the Information Manager server for which you want to delete an event forwarding rule. Click Event Forwarding Rules.
3 Select the rule to delete.
4 In the toolbar, click Remove (-).
5 Click Apply.

Stopping event forwarding

To stop event forwarding, disable the event forwarding rule from the Server Configurations tab of the System view on the console of the Information Manager server.

See About forwarding events to an Information Manager server on page 241.

Chapter 15 Understanding event normalization

This chapter includes the following topics:
   About event normalization
   About normalization (.norm) files

About event normalization

Normalization occurs when the server receives an event after the collector has harvested the raw data. The normalization process analyzes received event data and adjusts the fields to prepare the data for interpretation by Information Manager, including any applicable rules. A normalization configuration file with a .norm file extension is used to adjust the fields where necessary. The .norm file maps the event fields that the collectors provide to the event fields that Information Manager requires.

Normalization accomplishes tasks such as populating empty fields and locating information about source and target. For example, if you try to trap a consistent target IP address, the point product that harvested the data may have placed the IP address in a field whose name does not indicate the nature of its contents. The field name may be ip_address, which does not indicate whether the IP is the address of the source or the target.

Information Manager includes a set of mapping files that identify and parse the data in the fields that the supported products provide. It maps these values to the appropriate database schema fields. Symantec creates and updates the .norm files using LiveUpdate as more information from each of the point products becomes available.

Normalization adds information to events using a standardized set of fields that can be used to refine rules processing. For example, a unique event identifier can

be mapped to a Standard Event Code (Symantec Signature). This information allows multiple product events to be correlated despite unique identifiers for each product.

Normalization also uses the information that you provided in the Asset and Network tables. It uses this information to uniquely identify the elements that are related to the event, which can be used during rules creation. Additional fields from the Asset table include the assigned Confidentiality, Integrity, and Availability (CIA) values and the host name. These fields also identify who owns the system, the current operating system, and what policies or roles apply to the computer. In addition, the fields identify what services are open on a computer (populated by a vulnerability scanner). They also identify what vulnerabilities are on that computer (for example, if specific patches have not been rolled out to a computer). For example, if a system has been assigned the role of a vulnerability scanner, the events that vulnerability scanners usually generate can be filtered if they are associated with that computer.

The Network table information is used to identify the location and directional flow of the event. Normalization can help to identify whether an event is internal only (contains IP addresses within your network). Normalization can also help identify whether the traffic is inbound, outbound, or traveling to or from specific locations. For example, if the source of a virus event is an internal source, the event can be flagged as an internal virus infection.

Normalization also adds any information available with the Symantec Signature using the Symantec DeepSight Threat Management System database. For example, when a security incident occurs that is mapped to a Symantec Signature, the following pieces of information may be provided:
   The Symantec Event Code, which facilitates cross-product correlation
   EMR categorization, helping the analyst to aggregate attack data to better understand the outbreak
   Vulnerability IDs (BugTraq) that include information on the vulnerabilities that are typical to this type of security threat
   Exposure IDs that include the potential attack exposure information that Information Manager provides, for example that telnet is enabled or weak passwords are used
   Malicious code IDs that include the information that Symantec Security Response creates to describe the known malicious code activity that is associated with an attack

See About normalization (.norm) files on page 251.

About normalization (.norm) files

When you create a rule, it is often helpful to view the mapping that takes place during normalization by using the normalization (.norm) files. Normalization files are included in the file system of the server. They are not available from the Information Manager Web configuration interface.

Collectors usually populate the event fields with the data that matches the descriptive name that is specified in the schema. However, the event fields the collector provides may contain additional information that Information Manager can parse. In these cases, you can view the normalization (.norm) file to understand where the event data comes from, and how Information Manager interprets it.

The Information Manager server contains a default .norm file. It also contains the .norm files that are specific to the collectors that are used on your network.

The mapping in a .norm file may be a direct one-to-one mapping. In this mapping, the value in the collector field can be directly imported into the field that Information Manager expects. In other cases, the collector field may contain more data than the Information Manager field expects. In these cases, regular expressions are commonly used to parse the collector field for the data that Information Manager expects.

Note: Although you can alter the contents of the .norm files, do not rely on this method as a means of modifying how data is normalized and accessed through the rule set. If you have LiveUpdate or Symantec DeepSight Threat Management System updates enabled, the default .norm file is often refreshed during the update process. Any changes you make to the .norm file are lost.

In the following example, the first line of each block specifies the schema used. The field name to the left is the field name that the collector uses. The values on the right indicate the data and the field name that the Information Manager server uses. The parsed data may include a data type in parentheses, followed by the name of the field that Information Manager uses. The right side may also include the regular expressions that are used to parse the event data from the collector field.

    (intrusion_data ^ "Failure Audit") & (intrusion_data ^ "User Name")
    intrusion_symc_sig -> (string)devicealert
    machine_ip -> (ip)sourceip (ip)targetip
    machine -> (string)sourcehost (string)targethost
    intrusion_data -> /User\s+Name:\s+(\S+)/ (string)eventresource
    intrusion_target_type_id :=
    intrusion_outcome_id :=
    vendor_device_id := 36

See About event normalization on page 249.

Chapter 16 About Effects, Mechanisms, and Resources

This chapter includes the following topics:

About Effects, Mechanisms, and Resources (EMR)
About Effects values
About Mechanisms values
About Resources values
EMR examples

About Effects, Mechanisms, and Resources (EMR)

Effects, Mechanisms, and Resources (EMR) values define the event classification scheme that Information Manager uses. EMR replaces the Category and Subcategory fields that were used in previous versions of Information Manager. All of the events that are assigned a Symantec Signature use EMR classification. In addition, EMR has been established as a DMTF (Distributed Management Task Force) standard.

EMR values provide security classification data that applies to each event type. However, EMR values only represent potential threat conditions. The process of determining whether an event is an actual attack is performed at the Rules processing, Event Correlation, and security analysis phase. The assigned EMR values should not be interpreted as conclusions as to whether any particular event is a security incident. For example, an incorrect logon event may include EMR data that suggests a Guess Password mechanism. However, it is up to the security analyst to create a rule that describes a Guess Password threat (such as a rule that triggers when three or more failed logon attempts occur over a specified period).

Alternatively, the security analyst can analyze the event manually to determine whether the event constitutes a threat. EMR values are most useful when they are used with other available fields to further identify whether a security incident has taken place.

See About events, conclusions, and incidents on page 207.

About Effects values

Effects values describe the effects of the event from the detector's point of view (for example, Degradation or Reconnaissance). Symantec Signatures can have more than one value in the Effects field (for example, Access and Reconnaissance). The Effects values reflect the Confidentiality, Integrity, and Availability (CIA) values that describe security events. For example, what is the effect of this event to the Intrusion Detection System? The Intrusion Detection System does not evaluate whether the event is a false positive. It only knows the potential effects of the event that has occurred.

See About Effects, Mechanisms, and Resources (EMR) on page 253.

Security devices such as packet filters may not be able to detect the notion of an event's effect. In these cases, the Effects field is populated with Unknown. Although the effect of an attack is intended, not all attacks have a known intent. For example, viruses or other malicious code may have multiple varied effects. If more than one value is in the Effects field, the first element in the list generally represents what the detector considers the most significant or the most severe effect. Three of the values correspond exactly to the standard security attributes: confidentiality, integrity, and availability.

Table 16-1 describes the EMR Effects values that are available.

Table 16-1 EMR Effects values

    Access: Access to data or services has been attempted or accomplished.
    Degradation: An attempt was made to damage or impair usability, performance, service availability, and so forth.
    Reconnaissance: An attempt was made to gather information useful for attacks, or a probe for vulnerabilities occurred that did not exploit them.

Table 16-1 EMR Effects values (continued)

    System Compromised: The integrity of the targeted system has been compromised. A system is said to be compromised when an attacker gains unauthorized system access or privileges allowing for remote execution of code. For example, a compromised system is likely to be susceptible to remote execution. The events that use this Effect type are the events that may lead to an intruder gaining access to the system. Access may occur if the intruder uses a remote management method (SNMP). Access may also occur if the intruder uses a shell prompt and bypasses or otherwise nullifies the required authentication scheme.
    Integrity: An attempt was made to modify or delete data.
    Unknown: The Effect of the event is unknown.

About Mechanisms values

The Mechanisms values describe the method of attack that was used to generate an event from the detector's point of view: for example, a virus or a port sweep. A Symantec Signature may have more than one mechanism: for example, SSH CRC32 Corruption has the mechanisms Buffer Overflow and Remote Execution. The Mechanisms values can be used with any of the Effects values, depending on the method that was employed in an attack or probe. For example, a denial-of-service attack that uses ICMP packets has an Effects value of Degradation and a Mechanisms value of NetworkICMP. If the attack is a port sweep, the Effects value is Reconnaissance and the Mechanisms value is Port Sweep.

If the event contains more than one mechanism, the first element usually represents one of the following: the most specific, the most significant, or the most severe mechanism from the detector's point of view. However, implementation of this guideline is not enforced. Consequently, the order should not be used as a determining factor of the characteristics of the mechanisms that the event uses.

See About Effects, Mechanisms, and Resources (EMR) on page 253.

Although the value map is a flat enumeration, hierarchical relationships are selected in most-specific to most-general ascending order in the list of values. For example, Network Protocol is a parent value to Network ICMP. If Network ICMP

is the desired value, Network Protocol is selected and placed as the next element in the list of mechanism values.

Table 16-2 describes the Mechanisms values that are available.

Table 16-2 EMR Mechanisms values

    Adware: The mechanism matches adware behavior.
    Application Exploit: The mechanism appears to take advantage of a flaw in the operation of a program. Alternatively, the mechanism may appear to be an unintended behavior of the program to compromise the program or the host system in some way. This attack differs from a buffer overflow because it is not recompiling code. Instead, the application is used to perform a task that is possible with the released version of the product or system.
    ARP Poisoning: Address Resolution Protocol (ARP) poisoning (also known as ARP Spoofing) sends fake ARP requests to a network using a forged MAC address. Using this technique, a network device may send packets to a forged, sniffable address or may halt traffic across the device.
    Backdoor: The mechanism appears to be a backdoor. A backdoor bypasses normal authentication or security of remote access to a system, while also attempting to remain hidden from casual inspection. Worms such as Mydoom and Sobig create backdoors on non-secure systems to propagate traffic. A backdoor may be an installed program (for example, BackOrifice) or an unintended modification to an existing program. A backdoor in a logon system can take the form of a hard-coded user and password combination which gives access to the system.
    Buffer Overflow: The mechanism appears to be a buffer overflow attack.
    Cross-site Scripting: The mechanism appears to be code that has been executed within a URL or similar cross-site code execution. For example, Apache and IIS can detect this activity when a client requests a URL that contains the <script></script> tag set.
    Data Manipulation: The mechanism appears to have altered data with malicious intent. For example, a DNS server cache is forced to update with a malicious IP mapping. This type of attack is typically performed as part of an HTTP hijack attack.
    Guess Password: The mechanism appears to be a Guess Password attack. For example, some point products log multiple failed logon events, which may indicate a Guess Password condition.
    Host Sweep: The mechanism appears to be a host sweep.
    Login: The mechanism was a logon event.
    Logout: The mechanism was a logoff event.
    Network Sweep: The mechanism appears to be a network sweep.

Table 16-2 EMR Mechanisms values (continued)

    Network ICMP: Child of Network Protocol. The event uses the ICMP protocol. For example, this mechanism is common in ping attacks and probes.
    Network TCP: Child of Network Protocol. The event uses the TCP protocol.
    Network UDP: Child of Network Protocol. The event uses the UDP protocol.
    Non-Viral Malicious: The mechanism appears to be malicious code of a non-viral (non-propagating) nature.
    Network Protocol: The parent for any attack mechanism that uses a network protocol.
    Network HTTP: Child of Network Protocol. The event uses the HTTP protocol.
    Overloading Congestion: The mechanism appears to be a network flood or denial-of-service attack that attempts to overload the available bandwidth for a network. For example, a Ping flood triggers this condition because the number of packets that are involved prevents any other traffic from passing over the network.
    Overloading Saturation: The mechanism appears to be a host flood or denial-of-service attack that overloaded or attempts to overload the available resources for a particular host. For example, a Syn flood would trigger this condition, as a Syn flood does not affect the network itself but focuses on a particular host. Consequently, it prevents other computers from establishing connections with the targeted computer.
    Overloading: Parent of the Overloading Congestion and Overloading Saturation types. This mechanism often indicates a generic denial of service condition.
    Port Sweep: The mechanism appears to be a port sweep.
    Phishing: The mechanism matches the behavior of a phishing attack.
    Port Scan: The mechanism appears to be a port scan.
    Redirection: The mechanism appears to indicate that the attack has caused the redirection of the victim's session to a malicious server instead of the intended server: for example, an HTTP hijack session in which a malicious site impersonates a bank site and causes the victim to connect to the impersonated site instead of the actual bank site. When the user types in their logon information, the logon information is collected, and then the customer is redirected to the authentic bank site.
    Remote Execution: The event is capable of being executed remotely.

Table 16-2 EMR Mechanisms values (continued)

    Rootkit: A rootkit is used for a variety of covert system activities. These activities include terminal and connection sniffing, keystroke monitoring, and cleaning up or obscuring logon records, processes, and event logs. Kernel-level rootkits replace system calls with the binary code that is hidden in a Trojan horse. Application-level rootkits replace application code with the code that is hidden in a Trojan horse.
    Replay attack: The mechanism may be a Replay attack. A Replay attack is a fraudulent repetition of a valid data transmission.
    Spoof Identity: Any technique that attempts to represent one end of a client-server relationship or network session as a different entity from the actual entity. This mechanism can be used to attack a network session to hijack the session: for example, a Man-in-the-Middle attack.
    Script Injection: The mechanism appears to be a script injection.
    Spyware: The mechanism matches spyware behavior.
    Stale Data Scan: The mechanism appears to be a stale data scan. A stale data scan is defined as when a tool reads the memory that has been deallocated but not erased. Confidential or secure information may still be present in the memory.
    SQL Injection: The mechanism may be a SQL injection. A SQL injection is a method in which malicious code is inserted into strings for parsing and execution by the SQL server.
    Trojan: The mechanism appears to be a Trojan horse.
    Unknown: The mechanism is unknown.
    Virus: The mechanism appears to be a virus.
    Worm: The mechanism appears to be a worm.

About Resources values

The EMR Resource value indicates the type or types of resources that the event is likely to affect: for example, Mail or Host. A Symantec Signature may have more than one Resource value. For example, DB indicates that an attack was made against a database server. Mail indicates that some type of mail server is affected. DB, DNS, and other values can indicate a server or service. No distinction exists between a DNS server resource and a DNS service resource. If there is more than one Resource value,

the first element usually represents the most specific resource or the most significant resource from the detector's point of view. Although the value map is a flat enumeration, hierarchical relationships are selected in most-specific to most-general ascending order of values. For example, Remote Service is a parent value to DNS. If DNS is the desired value, Remote Service is the next element in the list.

See About Effects, Mechanisms, and Resources (EMR) on page 253.

Table 16-3 describes the Resource values that are available.

Table 16-3 EMR Resource values

    Application: Parent of Application Data and Application Configuration. The affected resource was a non-operating system program that runs on a single host computer.
    Application Configuration: Child of Application. The affected resource was an application configuration.
    Application Data: Child of Application. The affected resource was Application Data.
    Cookies: The affected resource was a cookie.
    CIFS: Child of Remote Share. The affected resource was a Windows file share.
    CPU: Requires the Host value. The affected resource was a CPU.
    DB: Child of Remote Service. The affected resource was a database server.
    DNS: Child of Remote Service. The affected resource was a DNS service.
    Firewall: The affected resource was a firewall, which includes a packet filter or application proxy that discriminates and filters network packets and application sessions.
    FTP: Child of Remote Service. The affected resource was an FTP service.
    File System: Child of OS. The subsystem of the operating system that allows basic persistence, inputs, and output. Requires the OS and the Host values.
    Group: Child of OS. Requires the OS and the Host values. The affected resource was a group policy.
    Host: The affected resource was a host computer.
    Hardware: The affected resource was a hardware device.
    LDAP: Child of Naming Service. The affected resource was an LDAP directory.
    Mail: Child of Remote Service. The affected resource was a mail server, such as an SMTP server.

Table 16-3 EMR Resource values (continued)

    Naming Service: Child of Remote Service. The affected resource was a naming service.
    Network Device: Parent of Firewall, Router, Switch. The affected resource was a network device.
    Network Session: Session Hijack target resource. A related set of packets traveling between two or more entities communicating from different endpoints on a network. For example, the target of a TCP spoofing mechanism like Spoof Identity for the purpose of a session hijack or a Man-in-the-Middle attack.
    NFS: Child of Remote Share. The affected resource was a Network File System service.
    Network Data: The affected resource was network data.
    OS Kernel: Child of OS. The affected resource was the trusted computing base of the operating system. Requires the OS and the Host values.
    OS Configuration: Child of OS. A particular configuration of the operating system based on settings and policies. Requires the OS and the Host values.
    OS Session: Child of OS. A particular instance of an interactive or batch-running environment on the operating system. Requires the OS and the Host values.
    OS: Parent of OS Kernel, OS Configuration, OS Session, File System, Process, Service, User Account, Privileges, User Policy, Group, Registry, and File. The affected resource was an operating system that runs on a single host computer. This value requires the Host value to be provided.
    Process: Child of OS. Requires the OS and the Host values. The affected resource was a process on the target computer.
    Privileges: Child of OS. Requires the OS and the Host values. The affected resource was the target of a privilege escalation attack (Integrity).
    Remote Share: Child of Remote Service. The affected resource was a remote share.
    RPC: Child of Remote Service. The affected resource was a remote procedure call service.
    Remote Service: Parent of RemoteShare, NamingService, DB, FTP, Mail, RPC, and Web. The affected resource was a remote service.
    Registry: Child of OS. Requires the OS and the Host values. The affected resource was a registry value.
    SNMP: Child of Remote Service. The affected resource was an SNMP Agent.
    Service: Child of OS. Requires the OS and the Host values. The affected resource was a service on the target computer.

Table 16-3 EMR Resource values (continued)

    SMB: Child of Remote Share. The affected resource was a Windows file share, or Simple Message Blocks (SMB).
    Router: Child of Network Device. The affected resource was a router.
    Switch: Child of Network Device. The affected resource was a switch.
    URL: The affected resource was a URL.
    User Policy: Child of OS. Requires the OS and the Host values. The affected resource was a user policy.
    User Account: Child of OS. Requires the OS and the Host values. The affected resource was a user account.
    User Activity: The affected resource was user activity.
    Unknown: The affected resource type was unknown.
    Web: Child of Remote Service. The affected resource was an HTTP server.

EMR examples

You can use examples to understand EMR values.

See About Effects, Mechanisms, and Resources (EMR) on page 253.

Table 16-4 provides examples of the application of EMR values for attacks.

Table 16-4 EMR examples

    Attack | Effect(s) | Mechanism(s) | Resource(s)
    DNS Exploit x86 Linux (Snort) | Degradation | Buffer overflow | DNS
    DNS Exploit x86 Freebsd (Snort) | Access, Integrity | Buffer overflow | DNS
    XS BIND TSIG attempt (Snort) | Access, Integrity | Buffer overflow, NetworkUDP, NetworkTCP, NetworkProtocol | DNS
    WEB-MISC sml3com access (Snort) | Degradation | NetworkHTTP, NetworkProtocol | Network Device
    DOS Cisco null snmp | Degradation | NetworkSNMP, Network Protocol | Network Device
    (BlackIce) | Degradation | NetworkHTTP, Network Protocol, Application Exploitation | Network Device

Table 16-4 EMR examples (continued)

    Attack | Effect(s) | Mechanism(s) | Resource(s)
    FTP:PASS-4DGIFTS (Dragon) | Access | Guess Password | FTP
    FTP:PASS-LRKR0X (Dragon) | Access | Guess Password | FTP
    FTP-rhosts (Snort) | Access, Integrity | Application Exploit | FTP
    FTP-BOUNCE | Access | Application Exploit | FTP
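As an added illustration (not Symantec code), the following Python encodes the parent relationships from Table 16-2 and Table 16-3, orders EMR values most-specific to most-general as the chapter describes, and flags Resource values whose required companions (OS, Host) are missing. Value names follow the spelling in Tables 16-2 and 16-3 rather than the compressed forms in Table 16-4, and the rule that requested values come before any appended parent is an assumption drawn from the BIND TSIG row.

```python
# Child -> parent relationships as listed in Table 16-2 (Mechanisms) and Table 16-3
# (Resources). Added illustration, not Symantec code.
MECHANISM_PARENT = {
    "Network ICMP": "Network Protocol",
    "Network TCP": "Network Protocol",
    "Network UDP": "Network Protocol",
    "Network HTTP": "Network Protocol",
    "Overloading Congestion": "Overloading",
    "Overloading Saturation": "Overloading",
}

RESOURCE_PARENT = {
    "Application Configuration": "Application",
    "Application Data": "Application",
    "CIFS": "Remote Share",
    "NFS": "Remote Share",
    "SMB": "Remote Share",
    "LDAP": "Naming Service",
    "Remote Share": "Remote Service",
    "Naming Service": "Remote Service",
    "DB": "Remote Service",
    "DNS": "Remote Service",
    "FTP": "Remote Service",
    "Mail": "Remote Service",
    "RPC": "Remote Service",
    "SNMP": "Remote Service",
    "Web": "Remote Service",
    "Firewall": "Network Device",
    "Router": "Network Device",
    "Switch": "Network Device",
}
for _child in ("OS Kernel", "OS Configuration", "OS Session", "File System", "Process",
               "Service", "User Account", "Privileges", "User Policy", "Group", "Registry"):
    RESOURCE_PARENT[_child] = "OS"

# Companion values that Table 16-3 says must accompany a Resource value.
RESOURCE_REQUIRES = {"OS": ("Host",), "CPU": ("Host",)}
for _child, _parent in RESOURCE_PARENT.items():
    if _parent == "OS":
        RESOURCE_REQUIRES[_child] = ("OS", "Host")


def expand_values(requested, parents):
    """Order EMR values most-specific to most-general: the requested values first,
    in the order given, then each missing ancestor, one hierarchy level at a time."""
    ordered = list(dict.fromkeys(requested))          # drop duplicates, keep order
    level = ordered[:]
    while level:
        next_level = []
        for value in level:
            parent = parents.get(value)
            if parent and parent not in ordered:
                ordered.append(parent)
                next_level.append(parent)
        level = next_level
    return ordered


def missing_requirements(resources):
    """Return companion values (OS, Host) that a Resource list needs but lacks."""
    present = set(resources)
    missing = []
    for value in resources:
        for required in RESOURCE_REQUIRES.get(value, ()):
            if required not in present and required not in missing:
                missing.append(required)
    return missing


def classify(attack, effects, mechanisms, resources):
    """Build an EMR record in the shape of Table 16-4, with hierarchies expanded
    and any unmet Resource requirements flagged for the rule author."""
    full_resources = expand_values(resources, RESOURCE_PARENT)
    return {
        "attack": attack,
        "effects": list(effects),
        "mechanisms": expand_values(mechanisms, MECHANISM_PARENT),
        "resources": full_resources,
        "missing": missing_requirements(full_resources),
    }


if __name__ == "__main__":
    # The BIND TSIG row of Table 16-4, given only its most specific values.
    print(classify("XS BIND TSIG attempt (Snort)", ["Access", "Integrity"],
                   ["Buffer Overflow", "Network UDP", "Network TCP"], ["DNS"]))
    # A constructed host-side case: Registry needs OS, and OS needs Host.
    print(classify("constructed registry change", ["Integrity"],
                   ["Data Manipulation"], ["Registry"]))
```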

Chapter 17 Collector-based event filtering and aggregation

This chapter includes the following topics:

About collector-based event filtering and aggregation
About identifying common events for collector-based filtering or aggregation
About preparing to create collector-based rules
Accessing event data in the Information Manager console
Creating collector-based filtering and aggregation specifications
Examples of collector-based filtering and aggregation rules

About collector-based event filtering and aggregation

Information Manager lets you filter and aggregate security events before they are sent to the server. Information Manager provides the filtering and aggregation capabilities that can be used at the collector. Filtering and aggregating event data before it reaches the server can improve network and server performance. Collector-based filtering and aggregation can also effectively increase event storage capacity on the server. Collector-based filtering and aggregation discards unnecessary events or stores summaries of events, which typically use less storage space.

When an event collector gathers events from security products, it parses the event for the information that can be sent to the server. When relevant data is identified, it is translated into fields in the Information Manager schema. Information Manager uses the schema to correlate existing events, create incidents, and so forth.

Security products are responsible for identifying security breaches and threats. In many cases, these products also act as event identification and storage devices for any event that may be used for forensics research. Some products store these events locally. Others offload the event data to a storage device such as a Syslog server or a Windows event log. In general, Information Manager collectors monitor these devices, databases, and log files for security-related events. The collectors then forward all of these events to the Information Manager server.

By default, event collectors gather all security-related events, and do not discriminate based on event severity or relevance. This feature is useful for policy compliance. However, many organizations prefer to use the powerful event reporting and correlation features of Information Manager on the security events that are more threat-related. You can limit (or restrict) the events that are sent to the server to those events that represent potential security threats and incidents.

In contrast to event filtering and correlation at the server, collector-based filtering lets you exclude events from forwarding to Symantec Security Information Manager. Similarly, collector-based aggregation lets you group similar events to reduce event traffic. Grouping also lets you reduce the number of single events that are stored in the event database. Event aggregation groups the events that contain identical event information into a single summary event, which is forwarded to the server. This summary event includes a count of the events that matched the aggregation criteria.

Note: When aggregation occurs, the summary event that is created and sent to the server does not contain the raw event data for each individual event. A summary event cannot be separated into the individual events that comprise the aggregated event.

Collector-based event filtering and aggregation rules (also referred to as specifications) are created using the Information Manager console, and then deployed to the corresponding collectors. When you filter events at the collector, you remove the events from the event storage, correlation, and incident creation processes. Use caution when you determine which events you want to filter at the collector.

Note: Collector-based filtering or aggregation should not be used if you use Information Manager as your primary tool for policy compliance. Filtering or aggregating event data may exclude the events or the event details that are unnecessary for security monitoring but are necessary for compliance.
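As an added illustration (not Symantec code and not the collector's real implementation), the following Python models what a collector does with the two kinds of specification described above: a filter of the form (field, "equal to", value) drops matching events outright, and an aggregation collapses matching events into one summary event per group that carries only the group-by fields and a count. The event field names, the aggregation specification layout, and the sample firewall events are constructed for the example.

```python
# Constructed firewall events in the shape of collector output (not real product logs).
SAMPLE_EVENTS = [
    {"event_type": "connection rejected", "source_ip": "198.51.100.7",
     "target_ip": "192.0.2.5", "raw": "deny tcp 198.51.100.7 -> 192.0.2.5:23"},
    {"event_type": "connection accepted", "source_ip": "192.0.2.20",
     "target_ip": "192.0.2.5", "raw": "permit tcp 192.0.2.20 -> 192.0.2.5:21"},
    {"event_type": "connection accepted", "source_ip": "192.0.2.20",
     "target_ip": "192.0.2.9", "raw": "permit tcp 192.0.2.20 -> 192.0.2.9:80"},
    {"event_type": "connection accepted", "source_ip": "192.0.2.21",
     "target_ip": "192.0.2.5", "raw": "permit tcp 192.0.2.21 -> 192.0.2.5:21"},
    {"event_type": "possible attack", "source_ip": "198.51.100.7",
     "target_ip": "192.0.2.5", "raw": "attack id 1100 198.51.100.7 -> 192.0.2.5"},
]

# A filter specification is (field, operator, value), as entered on the Filter tab;
# the guide says the operator is usually "equal to". Matching events are dropped.
FILTER_SPECS = [
    ("event_type", "equal to", "connection rejected"),
]

# An aggregation specification (constructed layout): the criteria an event must
# match, and the fields whose values define one summary group. Table 17-1 suggests
# aggregating accepted connections by IP address.
AGGREGATION_SPECS = [
    {"match": [("event_type", "equal to", "connection accepted")],
     "group_by": ["event_type", "source_ip"]},
]


def matches(event, criteria):
    """True when every (field, operator, value) criterion holds for the event."""
    for field, operator, value in criteria:
        if operator != "equal to":
            raise ValueError("unsupported operator: " + operator)
        if str(event.get(field)) != value:
            return False
    return True


def process_at_collector(events, filters, aggregations):
    """Apply filtering, then aggregation. Returns (events to forward, dropped count):
    pass-through events first, then one summary event per aggregation group."""
    forwarded = []
    summaries = {}                      # (spec index, group values) -> summary event
    dropped = 0
    for event in events:
        if any(matches(event, [spec]) for spec in filters):
            dropped += 1                # never reaches storage, correlation or incidents
            continue
        for index, spec in enumerate(aggregations):
            if matches(event, spec["match"]):
                key = (index,) + tuple(event.get(f) for f in spec["group_by"])
                if key not in summaries:
                    # Only the group-by fields survive: the raw data of each member
                    # event is not carried in the summary (see the Note above).
                    summary = {f: event.get(f) for f in spec["group_by"]}
                    summary["count"] = 0
                    summary["aggregated"] = True
                    summaries[key] = summary
                summaries[key]["count"] += 1
                break
        else:
            forwarded.append(event)     # no specification matched: send unchanged
    return forwarded + list(summaries.values()), dropped


if __name__ == "__main__":
    sent, dropped = process_at_collector(SAMPLE_EVENTS, FILTER_SPECS, AGGREGATION_SPECS)
    print(f"{len(SAMPLE_EVENTS)} collected, {dropped} filtered, {len(sent)} sent to server")
    for event in sent:
        print(event)
```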

See About identifying common events for collector-based filtering or aggregation on page 265.

About identifying common events for collector-based filtering or aggregation

Table 17-1 describes filtering and aggregation guidelines for specific security device types.

Table 17-1 Filter and aggregation guidelines

    All: Test networks can generate the security events that do not indicate any actual threat. Consider filtering all events originating from isolated test networks.

    Firewall: Firewalls generate many events that are not required for correlation. Consider filtering or aggregating the following types of events:
        Connection rejected. These indicate that the firewall operates as it is configured. These events do not ordinarily pose a security threat and can be filtered at the Event Collector.
        Connection accepted. Typically, legitimate network traffic generates these events. These events can be filtered entirely or they can be aggregated according to IP address. If an individual unwanted connection is accepted, the Intrusion Detection System identifies and reports the attack.
        Possible attack. Not all possible attack events indicate a true security threat. Consider filtering or aggregating possible attack events based upon specific attack IDs.

    Enterprise Antivirus: Enterprise antivirus systems customarily report a number of informational events for each protected system. If you use a product such as Symantec Client Security, consider filtering or aggregating the following types of events:
        Scan start and scan stop. These events do not pose a security threat and can be filtered or aggregated.
        Virus repaired. These events indicate that the antivirus software has repaired infected systems. If there are infections in your environment that are commonly repaired, consider aggregating virus repaired events by the virus name.
        Irreparable virus. These events may indicate a virus outbreak. The spread of a virus can generate many redundant events. To avoid unwanted event traffic during an outbreak, consider aggregating irreparable virus events.

Table 17-1 Filter and aggregation guidelines (continued)

    Vulnerability: Typically, all vulnerability scan events should be sent to Information Manager for correlation. Vulnerability assessment events in some cases can be aggregated to reduce network traffic.

    Intrusion Detection: Typically, all intrusion detection and intrusion prevention events should be sent to Information Manager for correlation.

    Windows Event Log: The Windows event log stores both operating system events and application events. Because each Windows system may have different applications installed, broad filtering or aggregation is not advised. All aggregation and filtering must be based upon specific event criteria. Consider filtering or aggregating the following types of events:
        Application. Some applications generate an excessive number of informational and warning events. These events can be filtered or aggregated based upon the specific event source and event identifier.
        Security. Success audit events do not indicate a security threat and can be aggregated based upon the specific user.
        System. System event sources such as the Service Control Manager generate many informational events. These events can be filtered or aggregated based upon the event source and identifier.

See About collector-based event filtering and aggregation on page 263.

About preparing to create collector-based rules

Before you create collector-based filtering and aggregation rules, you need to understand the event data that is generated on your network. You need to gather event data over a period of time and evaluate the event fields that are included in each event. In the Information Manager console, you can use the Event Viewer to view a summary of the events that the enabled collectors identified. The Event Viewer may give you an idea of the categories or types of data that can be used. However, the event field is the most accurate source of information for creating event filters. Each product has customized event fields specific to that product. Therefore, you should create filtering and aggregation rules based on the events that are specifically related to that product. You can view the event fields by double-clicking an event in the Event Viewer. You can then analyze the fields that appear in the Event Details window.

Informational firewall events may be good filtering candidates. The firewall events that are classified as informational can often be filtered at the collector to reduce traffic to the server. The firewall events that are categorized as informational are generally used for accounting purposes. These events usually do not indicate an

267 Collector-based event filtering and aggregation About preparing to create collector-based rules 267 attempted security breach. However, the collector correctly detects these events as security-related events. The collector sends them to Information Manager by default. It may be unnecessary to analyze these events to maintain the security policies of your organization. If analysis is unnecessary, you can filter the events at the collector to reduce event traffic. To filter these events, analyze the event details to find the fields on which the filter for this specific event can be created. To understand the event data and create a filtering rule to filter informational firewall events, you perform the following tasks: With the collector enabled, generate a series of informational firewall events. In most cases, bringing a firewall online and performing connection tasks through the firewall generates these types of events. To make the event data more useful, generate the common firewall events that might more accurately resemble a live network environment: For example, FTP sessions and failed connection attempts. After you generate a series of events, use the Event Viewer or an available event report in the Dashboard. Double-click an event to open the Event Details window. In the Event Details window, analyze the field names that are included in the event. Many of these fields are added at the server rather than at the collection point as part of the normalization process. Therefore, the most effective fields to base a filter on are generally the fields that are generated in the raw event data: For example, the fields that contain event IDs that are specific to the monitored device. For example, if you use the Cisco Pix collector, the firewall generates a unique value in the Event Info 4 field. Make note of the field and value pair that you want to base your filter on and open the configuration on the Product Configurations tab. 
To create a new specification

1 On the System view, in the Product Configurations tab, find the collector for the product that you want to monitor. For example, if you use the Check Point Firewall, navigate to the settings for Check Point FireWall-1 Collector.

Note: You cannot edit the default configuration. You must create a new configuration and specify the settings for that configuration.

2 Select the product and right-click to create a new configuration. Type a name and description for the new configuration, and then click Next.

3 Add computers to the configuration using the + icon. Then click Next.

4 Click Finish. Click Close to save and exit the Configuration Wizard.

5 Select the newly created configuration. In the right pane, on the Filter tab, create a new specification.

6 In the new specification, double-click the name field and find the field name in the list. Alternatively, type the name of the field exactly as it appears in the event details.

7 In the operator column, choose the appropriate operator. In most cases, this value is the equal to operator.

8 In the Value field, type the value exactly as it appears in the event details.

9 Enable the specification, save, and then distribute using the Distribute settings to computers icon.

See About collector-based event filtering and aggregation on page 263.

Accessing event data in the Information Manager console

The Information Manager console provides several different ways to access the event data that each collector gathers. To gain an understanding of the events that can be filtered, analyze the event data that is viewable in the Event Details view. You can also create custom reports for specific events. For more information on how to create custom reports, see the documentation that is provided with each collector.

Accessing event data using the Events view

1 In the Information Manager console, click Events.

2 In the Events view, expand the Templates folder.

3 Under the Templates folder, click All Events.

Note: This example uses the All Events query. However, you can use any of the event queries in the Events view that return the event data for which you search.

4 In the right pane, select the archives that contain the event data that you want to review, and then click Run Template.

5 After the query completes, use the results view to find the event you want to analyze.

6 Find the event that you want to analyze, and click View the event details.

7 In the Event Details window, analyze the event fields and data. Many events have unique event IDs that can be used to create the filters that are specific to the event that you want to filter.

See About identifying common events for collector-based filtering or aggregation on page 265.

Creating collector-based filtering and aggregation specifications

After you analyze your event data, you can create filtering and aggregation specifications based on the fields that are viewable in the Event Details window. The Filters and Aggregation tabs let you create, enable, and edit filters to exclude events from being forwarded to the server (filtering). You can also use these tabs to create, enable, and edit filters to gather multiple events into a single event (aggregation). No event filtering or aggregation rules are configured by default. You must add the rules before you can enable or configure them.

See About collector-based event filtering and aggregation on page 263.

To create a collector-side filtering rule

1 In the Information Manager console, on the System view, click Product Configurations.

2 In the left pane, expand the product to which you want to add a filtering rule. Expand the folders until you reach the configurations that are available for the product. If the only configuration available is Default, you must create a new configuration. The Default configuration cannot be edited. If necessary, to create a new configuration, click the folder of the product, and then click Add. Follow the on-screen instructions.

3 Select the configuration you want to modify, and then in the right pane, on the Filter tab, under the list of filters, click Add.

4 Double-click Specification n (where n is 0, 1, 2, and so on), type a name for the rule, and then press Enter.

5 Under the rule properties table, click Add, and then do the following:

In the Name column, double-click the name field and find the value in the event fields list that appears. If you know the exact name of the field that the collector created, you can also type a name for the event filter property. Fields are case-sensitive.

In the Operator column, select an operator from the drop-down list.

In the Value column, type a value for the event filter property.

To add more event filtering information for the rule, repeat this step.

6 When you are finished, in the filter list, check the filter name.

7 Click Save.

8 In the left pane, right-click the appropriate default folder, and then click Distribute.

9 When you are prompted to distribute the configuration, click Yes.

To create a collector-based aggregation rule

1 In the Information Manager console, on the System view, click Product Configurations.

2 In the left pane, expand the product to which you want to add an aggregation rule. Expand the folders until you reach the configurations that are available for the product. If the only configuration available is Default, you must create a new configuration. The Default configuration cannot be edited. If necessary, to create a new configuration, click the folder of the product, and then click Add. Follow the on-screen instructions.

3 In the right pane, on the Aggregator tab, under the list of filters, click Add.

4 Double-click Specification n (where n is 0, 1, 2, and so on), type a name for the rule, and then press Enter.

5 Under the rule properties table, click Add, and then do the following:

In the Name column, select the name for the event aggregation property.

In the Operator column, select an operator from the drop-down list.

In the Value column, type a value for the event aggregation property.

To add more event aggregation information for the rule, repeat this step.

6 In the Aggregation time (ms) box, type the time in milliseconds within which events that match the rule property are aggregated. The default value is 100. This property applies to all aggregation filters.

7 When you are done, in the aggregation list, check the aggregation name.

8 Click Save, and enable the rule before you distribute it.

9 In the left pane, right-click the appropriate default folder, and then click Distribute.

10 When you are prompted to distribute the configuration, click Yes.

Examples of collector-based filtering and aggregation rules

As you come to understand the details of the populated event fields, you will discover the common filtering and aggregation candidates. These candidates can be safely implemented at the collector level. This section provides general guidelines for filtering and aggregation. Before you deploy these examples, evaluate each configuration carefully to ensure that it conforms to the specific needs of your security environment. The examples that are provided are common to many deployments, but may not be in compliance with your security policies.

Creating filtering and aggregation specifications is an iterative process. This process is based on a careful evaluation of the event data that is specific to your security environment. Filtering at the collector prevents event data from being sent to the Information Manager server for evaluation. Consequently, analysts do not have access to this data for forensic analysis unless the events are stored separately from Information Manager.

For example, the events that are classified as informational can be good candidates for event filtering or aggregation at the collector. In some cases, a network may generate a large number of informational events that do not constitute an immediate security threat. From a threat perspective, these events may not be as useful in evaluating a high priority security incident in progress. However, the informational event details may subsequently help to gain a better understanding of the series of events that led to a security breach. For this reason, an event filter or aggregation specification at the collector should be carefully evaluated before it is deployed.

When you determine which events can be safely filtered or aggregated, base your collector-based filtering or aggregation specification on specific event criteria. Basing a filter on a broad field such as severity level may have unintended results. When you create filtering rules, specificity helps to prevent unexpected gaps in the information that is available to the analyst. For example, use the event IDs generated by the monitored product to control the information that is discarded before it reaches Information Manager. This approach is more effective than using a broader severity category to control that information.

See About collector-based event filtering and aggregation on page 263.

Filtering events generated by specific internal networks

You can filter events from particular subnets that generate a high volume of events that do not pose a threat. For example, a network that is dedicated to testing and developing software applications may generate many events that do not threaten internal network resources. These events can be filtered at the collector to reduce this type of false positive.

See Examples of collector-based filtering and aggregation rules on page 271.

To filter network events generated by a specific subnet and acquired by the Windows event log collector

1 On the System view, on the Product Configurations tab, expand the default configuration for the Snare for Windows Event Log collector. On the Filters tab, add a new specification. Add a new entry for the specification, and then double-click the Name field. In the Event fields list, choose Machine Numeric Subnet.

2 Set the Operator to equal to, and in the Value field, enter the subnet that you want to filter against.

3 Save and enable the rule, and then distribute the configuration.

Filtering common firewall events

Firewall products typically generate a large number of events. Many of these events are recorded primarily for lower priority, informational purposes. Depending on the security policies that you have in place, you may be able to safely filter these events at the collector. By filtering at the collector, you can reduce network traffic and increase overall performance.

See Examples of collector-based filtering and aggregation rules on page 271.

Filtering Connection Rejected events

Events that are classified as Connection Rejected events can often be filtered based on the severity of the event and the event ID. For example, in many cases, TCP Connection Rejected events that the Cisco PIX collector (PIX ) detects can be filtered at the collector. Depending on the security policies of your organization, you may decide to filter or aggregate these events to reduce the amount of data to evaluate. If you want to filter additional events, you can add additional event types to the specification. For example, you can use the Event Info 4 field to identify No route to dest_addr from src_addr (PIX ) or HTTP daemon interface int_name: connection denied from IP_addr (PIX ) PIX events.

To filter Cisco PIX TCP Connection Rejected events

1 On the System view, on the Product Configurations tab, navigate to the product to configure.

2 On the Filters tab, create a new specification.

3 In the new filtering specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Firewall Network Event > Event Info 4. For the Cisco PIX collector, the Event Info 4 field contains the name of the event that PIX uses.

4 Set the Operator to equal to, and then in the Value field, enter the PIX event code (PIX ).

5 Save and enable the rule, and then distribute the configuration.

Filtering Connection Accepted events

Events that are classified as Connection Accepted can often be filtered based on the severity of the event and specifically the event ID. For example, the Connection Accepted events that the Cisco PIX collector detects can be filtered at the collector. The user user_name executed cmd: command (PIX ) PIX events are generally used for accounting purposes only. These events indicate that the command that the user entered was not capable of modifying the configuration. Depending on the security policies of your organization, you may decide to filter or aggregate these events to reduce the amount of data to evaluate.

To filter Cisco PIX Connection Accepted events

1 On the System view, on the Product Configurations tab, navigate to the product to configure.

2 On the Filters tab, create a new specification.

3 In the new filtering specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Firewall Network Event > Event Info 4. For the Cisco PIX collector, the Event Info 4 field contains the name of the event that PIX uses.

4 After you have selected the field name, set the Operator to equal to, and then in the Value field, enter the PIX event code (PIX ).

5 Save and enable the rule, and then distribute the configuration.

Filtering Possible Attack events

In many cases, events that are classified as possible attacks can be either filtered or aggregated. For example, if you use the Cisco PIX collector, the collector gathers events such as failed telnet session attempts as possible attacks and displays them in the console. Based on your policies, you can filter or aggregate these events at the collector to reduce the amount of data to evaluate. If you want to filter similar events (or the events that carry a similar severity), you can add additional event types to the specification. For example, you can use the Event Info 4 field to identify Telnet Login Session Failed (PIX ) events, or Retrieved IP address for FTP session (PIX ) events.

To filter Cisco PIX failed telnet session events

1 On the System view, on the Product Configurations tab, navigate to the product to configure.

2 On the Filters tab, create a new specification.

3 In the new filtering specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Firewall Network Event > Event Info 4. For the Cisco PIX collector, the Event Info 4 field contains the name of the event that PIX uses.

4 After you have selected the field name, set the Operator to equal to, and then in the Value field, enter the PIX event code (PIX ).

5 Save and enable the rule, and then distribute the configuration.

Filtering Remote Management Connection events

Remote Management Connection events can often be aggregated if you expect remote management connections to take place from trusted sources or on an expected host computer. Remote Management Connection events often include the events that are classified as Informational, and in many cases can be safely aggregated. For example, if you use the Juniper Netscreen Firewall collector, you can create an aggregation specification that gathers specific types of Remote Management Connection events into a single summary event that is sent to the server. For example, you may have a host computer that manages remote connections, for which you expect many Remote Management events to take place. You can aggregate these events into a single event summary.

To aggregate events for the Juniper Netscreen Firewall collector based on a specific host computer

1 On the System view, on the Product Configurations tab, navigate to the product to configure.

2 Expand the default configuration for the Juniper Netscreen Firewall Event Collector.

3 On the Aggregation tab, add a new specification. Add a new entry for the specification, and then double-click the Name field. In the Event fields list, navigate to Common Event > Destination Host Name.

4 Set the Operator to equal to, and then enter the host name in the Value field.

5 In the Aggregation time (ms) box, type the time in milliseconds within which events that match the rule property are aggregated.

6 Save and enable the rule, and then distribute the configuration.

Filtering common Symantec AntiVirus events

Symantec AntiVirus generates events that can often be filtered or aggregated. For example, most antivirus products provide proactive event notifications of maintenance tasks such as data scan start and stop events. Because these security-related events indicate expected behavior, they can often be safely filtered or aggregated at the collector. To filter the events that Symantec AntiVirus generates, edit the configuration file (.conf) that is included when the collector is installed on the Symantec AntiVirus parent server. The collector monitors the parent server for events, and uses the configuration files to determine which events are forwarded to the server.

See Examples of collector-based filtering and aggregation rules on page 271.

The following events are common Symantec AntiVirus events that can be filtered at the collector:

Unscannable Violation
Data Scan Start
Data Scan End
Data Scan Cancel
Data Scan Pause
Data Scan Resume
Application Start
Application Stop

Note: Application Stop events can indicate that Symantec AntiVirus has been disabled. The AntiVirus Disabled event correlation rule on the server detects this event. If you filter Application Stop events at the collector, this rule does not trigger during correlation.

Symantec AntiVirus and Symantec Client Security configuration files are stored on the parent server on which the collector is installed. The files are stored by default in the following locations:

Symantec AntiVirus: C:\Program Files\Symantec\Collector\Plugins\SAVSesa\savsesa.cfg
Symantec Client Firewall: C:\Program Files\Symantec\Collector\Plugins\SCFSesa\scfsesa.cfg
Symantec Client Security: C:\Program Files\Symantec\Collector\Plugins\SCSState\scsstate.cfg

You can also filter the events that are forwarded from individual clients or servers using the Log Event Forwarding wizard. The wizard is available through the Symantec System Center interface that is provided with Symantec AntiVirus and Symantec Client Security. The Log Event Forwarding wizard lists a complete set of events that can be forwarded to parent servers. For more information on using Symantec System Center, see the documentation that is provided with Symantec AntiVirus and Symantec Client Security.

To enable event filtering on a Symantec AntiVirus parent server

1 On the parent server that you are monitoring, use a text editor such as Notepad to open the following file: C:\Program Files\Symantec\Collector\Plugins\SAVSesa\savsesa.cfg

2 In the configuration file, find the ExcludeEvents section.

3 From the list of events in this section, remove the comment symbol (;) from before the event type or types that you want to filter.

4 Save the file as a .cfg file. You may need to restart the collector.

Filtering or aggregating vulnerability assessment events

Typically, all vulnerability assessment scans should be sent to the Correlation Manager for analysis. However, in some cases vulnerability assessment events can be aggregated to reduce the number of events that are sent individually to the Information Manager server. For example, the Symantec ESM collector detects the vulnerability assessment events that are related to whether files are backed up on the systems that it scans (Backup Integrity events). This information is useful for a variety of network analysis tasks. However, based on the policies of your organization, this information may not represent an immediate security threat. A Different ACL entry event is another potential candidate for aggregation of vulnerability assessment events. A Different ACL entry event typically indicates a permissions misconfiguration rather than an actual security breach.

See Examples of collector-based filtering and aggregation rules on page 271.
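As an added example (not Symantec code) of the edit that the Symantec AntiVirus procedure above makes in savsesa.cfg by hand, the following Python uncomments the chosen event types in the ExcludeEvents section and reports which types are now filtered. The file layout it assumes, an [ExcludeEvents] header followed by one event name per line with a leading ";" while the entry is inactive, is an assumption, as is the sample content; check the real file before relying on it. Because of the Note above about the AntiVirus Disabled correlation rule, Application Stop is held back unless the caller explicitly allows it.

```python
"""Uncomment entries in the ExcludeEvents section of a Symantec AntiVirus
collector plug-in configuration file (savsesa.cfg). Added example, not Symantec
code. The layout is an assumption: an [ExcludeEvents] section whose entries are
event names, each commented out with a leading ";" until you want it filtered."""
from __future__ import annotations

# Constructed sample of the section; the real file's layout may differ.
SAMPLE_CFG = """\
[General]
; constructed example, not a real savsesa.cfg
[ExcludeEvents]
;Unscannable Violation
;Data Scan Start
;Data Scan End
;Data Scan Cancel
;Data Scan Pause
;Data Scan Resume
;Application Start
;Application Stop
"""

# Filtering Application Stop at the collector silences the server-side
# AntiVirus Disabled correlation rule, so it is held back unless the caller
# passes an empty protected set.
PROTECTED = frozenset({"Application Stop"})


def enable_exclusions(cfg_text: str, events: set[str],
                      protected: frozenset[str] = PROTECTED,
                      section: str = "ExcludeEvents") -> tuple[str, list[str], list[str]]:
    """Return (new text, events now excluded, events skipped because protected)."""
    wanted = set(events) - protected
    skipped = sorted(set(events) & protected)
    enabled: list[str] = []
    out: list[str] = []
    in_section = False
    for line in cfg_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_section = stripped[1:-1] == section
        elif in_section and stripped.startswith(";"):
            name = stripped[1:].strip()
            if name in wanted:
                line = name        # drop the ";" so the collector filters this type
                enabled.append(name)
        out.append(line)
    return "\n".join(out) + "\n", enabled, skipped


def excluded_events(cfg_text: str, section: str = "ExcludeEvents") -> list[str]:
    """List the event types currently active (uncommented) in the section,
    a post-edit check to run before restarting the collector."""
    active: list[str] = []
    in_section = False
    for line in cfg_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_section = stripped[1:-1] == section
        elif in_section and stripped and not stripped.startswith(";"):
            active.append(stripped)
    return active


if __name__ == "__main__":
    text, enabled, skipped = enable_exclusions(
        SAMPLE_CFG, {"Data Scan Start", "Data Scan End", "Application Stop"})
    print("now excluded:", enabled, "skipped:", skipped)
    print(text)
```

The second function is the check worth keeping: after an edit, run it against the saved file and compare the list with what your security policy permits to be dropped at the collector.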

To aggregate Backup Integrity events for the Symantec ESM collector

1 On the System view, on the Product Configurations tab, navigate to the product to configure.

2 On the Aggregation tab for that product, create a new specification.

3 In the new aggregation specification, double-click the Name field, and in the Aggregation list that appears, expand the list. From the list of categories, choose Vulnerability > Vulnerability Custom 2. For the Symantec ESM collector, the Vulnerability Custom 2 field contains the type of event that the vulnerability assessment scan generates.

4 Set the Operator to equal to. Then in the Value field, type Backup Integrity exactly as it appears in the Event Details entry for the Vulnerability Custom 2 field.

5 In the Aggregation time (ms) box, type the time (in milliseconds) within which events that match the rule property are aggregated.

6 Save and enable the rule, and then distribute the configuration.

To aggregate Different ACL entry events

1 On the System view, on the Product Configurations tab, navigate to the product to configure.

2 On the Aggregation tab for that product, create a new specification.

3 In the new aggregation specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Vulnerability > Vulnerability Name. For the Symantec ESM collector, the Short Descriptive Name field contains a brief description of the event that the vulnerability assessment scan generates.

4 After you have selected the field name, set the Operator to equal to. Then in the Value field, type Different ACL entry exactly as it appears in the Event Details entry for the Vulnerability Name field.

5 In the Aggregation time (ms) box, type the time (in milliseconds) within which events that match the rule property are aggregated.

6 Save and enable the rule, and then distribute the configuration.

Filtering Windows Event Log events

If you use the Windows event log collector, you can reduce traffic by filtering the common network events that generally do not pose a threat. The Windows event logs generate a large number of events that track a variety of activities, including those related to security. These events produce the unique event codes that are included in the raw event data. You can use these event codes to create collector-based filters to reduce the number of events that are passed to the server. For example, Successful Network Logon events (Windows event ID 540) do not typically pose a security risk if the appropriate security measures are in place, for example, secure passwords, multiple layers of access defense, and limited administrator privileges. Another example of a Windows event log event that can be filtered is the successful login Application event. As an alternative, you can also choose the Event ID field with a value of

See Examples of collector-based filtering and aggregation rules on page 271.

To filter Windows Successful Network Logon events (540)

1 On the System view, on the Product Configurations tab, navigate to the product to configure.

2 On the Filters tab, create a new specification.

3 In the new filtering specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Windows and Novell Event > Option 8. For this type of event, Option 8 contains the event ID. Note that the option fields vary with each event for Windows event log entries. For more information on the Windows Event Log option fields, see the documentation that Microsoft provides.

4 Set the Operator to equal to. In the Value field, type Security:540 exactly as it appears in the Event Details entry for the Option 8 field. As an alternative, you can also choose the Event ID field with a value of

5 Save and enable the rule, and then distribute the configuration.

To filter Windows successful login Application events

1 On the System view, on the Product Configurations tab, navigate to the product to configure.

2 On the Filters tab, create a new specification.
3 In the new filtering specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Windows and Novell Event > Option 8. For this type of event, Option 8 contains the event ID. Note that the option fields vary with each event for Windows event log entries. For more information on the Windows Event Log option fields, see the documentation that Microsoft provides.

4 Set the Operator to equal to. In the Value field, type Application:17055 exactly as it appears in the Event Details entry for the Option 8 field.

5 Save and enable the rule, and then distribute the configuration.
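The filtering and aggregation procedures in this chapter and the worked rules above (the Windows event ID 540 filter, the test-subnet filter, the Juniper Netscreen Remote Management aggregation) all reduce to one mechanism: a specification is a list of field, operator and value entries; a filter drops matching events at the collector; an aggregation folds matching events that arrive inside the Aggregation time (ms) window into a single summary. The following Python is an added illustration of that mechanism, not Information Manager code. Only the field names Option 8, Machine Numeric Subnet and Destination Host Name and the value Security:540 come from this chapter; the event records, timestamps, host names, subnet values and the extra operators are constructed for the example.

```python
"""Collector-side filtering and aggregation, modelled on the specifications this
chapter describes: each specification is a list of (field, operator, value)
entries, a filter drops matching events at the collector, and an aggregation
collapses matching events that fall inside the Aggregation time (ms) window
into one summary event. Added illustration, not Information Manager code."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

# "equal to" is the operator the chapter uses throughout; the other two are
# assumed extras so the example covers a realistic operator drop-down.
OPERATORS: dict[str, Callable[[str, str], bool]] = {
    "equal to": lambda actual, wanted: actual == wanted,
    "not equal to": lambda actual, wanted: actual != wanted,
    "contains": lambda actual, wanted: wanted in actual,
}


@dataclass
class Specification:
    name: str
    entries: list[tuple[str, str, str]]  # (field name, operator, value)
    enabled: bool = True

    def matches(self, event: dict) -> bool:
        """All entries must match. Names and values are case-sensitive, exactly as
        typed in the console; an event that lacks the field never matches."""
        if not self.enabled:
            return False
        for field_name, operator, wanted in self.entries:
            actual = event.get(field_name)
            if actual is None or not OPERATORS[operator](str(actual), wanted):
                return False
        return True


class Collector:
    def __init__(self, filters: list[Specification],
                 aggregations: list[Specification], aggregation_time_ms: int = 100):
        self.filters = filters
        self.aggregations = aggregations
        self.window_ms = aggregation_time_ms  # one window for all aggregation specs
        self._open: dict[str, dict] = {}      # spec name -> summary being built

    def process(self, events: list[dict]) -> list[dict]:
        """Return the events that would be forwarded to the server, in time order.
        Filtered events are dropped here and are not available for later forensics."""
        forwarded: list[dict] = []
        for ev in sorted(events, key=lambda e: e["ts_ms"]):
            if any(f.matches(ev) for f in self.filters):
                continue
            spec = next((a for a in self.aggregations if a.matches(ev)), None)
            if spec is None:
                forwarded.append(ev)
                continue
            bucket = self._open.get(spec.name)
            if bucket and ev["ts_ms"] - bucket["first_ts_ms"] <= self.window_ms:
                bucket["count"] += 1            # inside the window: fold into summary
                bucket["last_ts_ms"] = ev["ts_ms"]
            else:
                if bucket:
                    forwarded.append(bucket)    # window expired: emit the summary
                self._open[spec.name] = {**ev, "aggregated_by": spec.name, "count": 1,
                                         "first_ts_ms": ev["ts_ms"], "last_ts_ms": ev["ts_ms"]}
        forwarded.extend(self._open.values())   # flush summaries still open
        self._open.clear()
        return sorted(forwarded, key=lambda e: e.get("first_ts_ms", e["ts_ms"]))


# Constructed sample events. Field names come from the chapter (Option 8,
# Machine Numeric Subnet, Destination Host Name); the values, timestamps and
# subnets are made up for the example.
SAMPLE_EVENTS = [
    {"ts_ms": 0, "collector": "snare", "Option 8": "Security:540", "Machine Numeric Subnet": "192.0.2.0"},
    {"ts_ms": 10, "collector": "snare", "Option 8": "Application:17055", "Machine Numeric Subnet": "203.0.113.0"},
    {"ts_ms": 20, "collector": "snare", "Option 8": "Application:17055", "Machine Numeric Subnet": "192.0.2.0"},
    {"ts_ms": 30, "collector": "netscreen", "Destination Host Name": "mgmt01.example.net"},
    {"ts_ms": 60, "collector": "netscreen", "Destination Host Name": "mgmt01.example.net"},
    {"ts_ms": 95, "collector": "netscreen", "Destination Host Name": "mgmt01.example.net"},
    {"ts_ms": 400, "collector": "netscreen", "Destination Host Name": "mgmt01.example.net"},
    {"ts_ms": 420, "collector": "netscreen", "Destination Host Name": "db01.example.net"},
]


def demo() -> list[dict]:
    collector = Collector(
        filters=[
            # Successful Network Logon (Windows event ID 540), as in the chapter
            Specification("Windows 540", [("Option 8", "equal to", "Security:540")]),
            # Events from a test/development subnet (constructed subnet value)
            Specification("Test subnet", [("Machine Numeric Subnet", "equal to", "203.0.113.0")]),
        ],
        aggregations=[
            # Remote Management Connection events to one expected management host
            Specification("Remote mgmt", [("Destination Host Name", "equal to", "mgmt01.example.net")]),
        ],
        aggregation_time_ms=100,  # the console default
    )
    return collector.process(SAMPLE_EVENTS)


if __name__ == "__main__":
    for ev in demo():
        print(ev)
```

Running it turns eight input events into four forwarded ones. The summary event keeps a count and the first and last timestamps, which is exactly the context an analyst would have lost had those events been filtered rather than aggregated; that difference is why the chapter recommends aggregation for expected-but-noisy traffic and reserves filtering for events with no forensic value.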


Chapter 18 Working with the Assets table

This chapter includes the following topics:

About the Assets table
About vulnerability information in the Assets table
Using the Assets table to help reduce false positives

About the Assets table

The Assets table provides a centralized list of network assets that Information Manager uses for event correlation and rules processing. You can identify the Confidentiality, Integrity, and Availability (CIA) values for each asset. You can also identify the applicable policies, the ports that are potentially vulnerable, and the specific vulnerabilities of each asset. In addition, you can associate the host name of an asset with its IP address, as well as the operating system, operating system version, and distinguished name for each system.

Assets can be added to the Assets table using the following techniques:

Manually entering each asset in the Assets list.
Importing a list of the assets that are stored in a comma-separated value (.CSV) file or an Extensible Markup Language (.XML) file.
In the Incidents view, clicking the Create Asset icon on the Target tab of the Incident Details view, which adds the targeted IP address to the asset list.
Automatically populating the table using a supported vulnerability scanner. This method also populates the Services and Vulnerabilities tabs for each asset.

Note: Information Manager requires that the IPv4 address of each computer be unique. If you use network address translation (NAT) and you have two or more computers on separate subnets that use the same IP address, automatically populating the asset table overwrites the asset entry with the most recently scanned computer's information. To use the same IP address for two or more computers behind a NAT table, use a separate instance of Information Manager for each subnet.

The Assets table provides an automated means of identifying vulnerabilities on the listed assets when it is used with a supported vulnerability scanner. By having this information available in the Information Manager console, an analyst can quickly gain an accurate understanding of the vulnerabilities of a target during an attack.

By adding assets to the Assets table, you can use a variety of fields on the Rules view to correlate events with the specific characteristics of the target or source asset that is identified in the event. For example, the Destination Host Availability, Destination Host Confidentiality, and Destination Host Integrity fields access the Confidentiality, Integrity, and Availability settings that you select for each asset in the Assets table. This information can help to reduce the amount of data that security analysts must evaluate. If you do not add the assets that you want to track, with the corresponding details for each asset, these fields cannot be leveraged.

See About the Assets table on page 281.
See About CIA values in the Assets table on page 283.
See Searching, filtering, and sorting assets on page 284.

About how event correlation uses Assets table entries

The Assets table lets analysts identify the network assets that range from critical business assets to less important systems from a business or operations perspective. The Assets table lets the security analyst or network administrator quantify the importance of the listed assets based on Confidentiality, Integrity, and Availability (CIA) values. Information Manager can use these values to escalate the security incidents that are related to a particular asset.

You can also use the Assets table to identify the policies that are associated with each asset. You can use the Rules view to create rules that access the list of policies that you have assigned. You can configure a rule to discard the events that do not apply to the policies that are associated with the target. Alternatively, you can configure the rule to escalate the event to an incident if the threat applies.

You can use information on the Services and Vulnerabilities tabs to help further identify potential threats to the assets that you have listed. The Services tab includes a list of ports available on each asset. You can either manually choose these ports, or you can use a vulnerability scanner to automatically identify available ports.

The Vulnerabilities tab is automatically populated by a vulnerability scanner. The information is used primarily during the analysis phase to provide an immediate summary of the known vulnerabilities on a particular asset. The information in the Vulnerabilities tab can only be added through a vulnerability scanner. This information is used during correlation to increase or decrease the priority of the incident. If any vulnerability is discovered during a vulnerability scan of a particular asset, the asset is automatically flagged as vulnerable.

You can access the information that is entered for each asset through the Normalized fields accessible through the Rules view. By using these fields, you can filter false positives or refine the incidents that are generated based on the asset information you provide.

See About the Assets table on page 281.

About CIA values in the Assets table

The assignment of Confidentiality, Integrity, and Availability values should be an integral part of a network security audit. CIA values are unique to each network environment, and are typically determined as part of a risk assessment. The CIA values can be used as components of the event processing rules that you create in the Rules view. The correlation engine also uses the CIA values to adjust the priority of an incident when appropriate. The CIA values that are available in the Assets table range from 1 (non-critical) to 5 (critical) for each CIA category. The values determine the importance of the computer or device relative to the other assets listed.
For example, a financial services company might rate a publicly facing server that manages account information using the following:

Confidentiality value of 5 (critical that the data stays secure and confidential)
Integrity value of 5 (critical that the data is not altered in a way that is not intended)
Availability value of 5 (critical that the publicly facing server is online all the time, and likely needs redundancy to prevent failure)

In this example, the CIA values would be assigned because of the server's business importance. By contrast, the administrator or analyst might list an internal, non-public FTP server that only hosts lightweight applications for internal download as a 1 or 2 for each CIA value. This rating reflects the administrator or analyst's view that the internal server is less important from a business perspective.

After you enter the CIA values for the assets that you track in the Asset table, you can export a backup copy of these assets. To export a copy, click the Export icon in the Assets table and export the list in the CSV or the XML format as required.

See About the Assets table on page 281.

Importing assets into the Assets table

You can use a comma-separated value (CSV) file or an .xml file to import asset information into the Assets table.

Note: If you import assets using a CSV file, policy and services information is not included during the import. To retain this information for the assets that are already listed in the console, export the assets to an XML file. Use the XML file to re-import the assets. The XML files that Information Manager generates include any existing policy and services data that is available for each asset. The CSV files do not include this information.

See About the Assets table on page 281.

To import assets into the Assets table

1 Create a CSV file containing comma-separated values using the appropriate format. To see the correct format, create an asset in the Asset table, and then export the asset list as a CSV file. Use the exported list as a template for adding assets to the file. If you use the Active Directory Users and Computers snap-in that Microsoft provides, export the list of computers that Active Directory tracks. Save the file as a CSV file.
2 In the Information Manager console, on the Assets view, click Import.
3 In the Import Assets dialog box, navigate to the folder in which you saved the assets file, select the file, and click Open. If you import a set of assets that includes non-UTF-8 character data, you must select the appropriate set from the Character Set drop-down list.
4 Follow the on-screen instructions.
Searching, filtering, and sorting assets

You can search for assets and filter the results using the tools provided. You can also sort the results using the columns provided.

Note: Searches for assets may take several minutes depending on the number of results returned and the filter settings you choose. The results tile is limited to the first 5000 assets that the asset search retrieves. When possible you should refine the filter to reduce the number of results returned.

See About the Assets table on page 281.

To create a filter for an asset search

1 In the Information Manager console, on the Assets view, click Filter.
2 In the Asset Filters window, click Add.
3 In the New Filter window, under Filter Criteria, click Add (+).
4 Using the row that appears, choose your criteria using the cells available.
5 When you are finished selecting the filter criteria, click OK.
6 In the Input dialog box, provide a name for the filter, and click OK.
7 Click OK to close any remaining filter windows. The new filter is added to the Filter: drop-down list.

You can filter the results of a search using the filters you have created either before or after you perform the search.

To filter the results of an Asset search

1 In the Information Manager console, on the Assets tab, from the Filter drop-down list choose the filter that you want to use.
2 In the Search Asset text box, type the element you want to search for.
3 Click the Search button, or press Enter.

To sort the order of the assets display area

1 In the Information Manager console, click Assets.
2 In the Assets list, click the column on which you want to sort.

Searching for an asset by substring value

To find a specific asset or set of assets within the group you view, you can use the Search Asset text box. The Search Asset feature searches the assets in the group for the occurrence of a specified substring in any of the string-based asset fields. Non-string values, such as date or system-defined integer values, are not included in the search. The search is not case-sensitive.
To search the entire set of assets, change the Group By selection to None and then click All, which displays all of the available assets. The fields searched include the following:

Host name
DN
OS Version
Location
Organizational Unit
Description
External ID
Owner
OS Name

To search for an asset by substring value

1 In the Information Manager console, on the Assets view, in the Search Asset text box, type the substring.
2 Click Search Asset.

Visual identification of the IP addresses also on the IP Watchlist

When an IP address is displayed in a table and it is also found in a watchlist, the IP address appears in bold red. You can right-click an IP address to view a dialog box that contains all of the known information about this IP address.

See About the Assets table on page 281.

About vulnerability information in the Assets table

In the Assets table, each asset includes a Vulnerabilities tab that contains the vulnerability information that a vulnerability scanner identified. The information on the Vulnerabilities tab for each asset lists the CVE ID (Common Vulnerabilities and Exposures ID). It also lists the BugTraq ID, the date that the vulnerability was discovered, and the source that identified the vulnerability. In addition, the CVE ID may describe the vulnerability type. A security analyst can use the list of specific vulnerabilities to gain a better understanding of the characteristics of a particular computer.

The vulnerabilities are not accessible by rules entries. If an incident is created, the vulnerabilities list is used during event correlation to adjust the priority of the incident. For example, if an incident involves a vulnerability that is not on the list of the vulnerabilities for the specific target, the priority of the incident is reduced.

See About the Assets table on page 281.
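The substring search described above, written out as an added example (this is not Information Manager code; the dictionary field names such as host_name and organizational_unit are this example's own, and the sample assets are constructed). It shows the three properties the guide states: only the listed string fields are searched, the comparison is case-insensitive, and the result set is cut off at 5000 rows. Values held in other fields, such as an integer asset ID or a date, never match even when they contain the same digits.

```python
import datetime
from typing import Any, Dict, Iterable, List

# The fields the guide lists as searchable (names chosen for this example).
SEARCHABLE_FIELDS = (
    "host_name", "dn", "os_version", "location", "organizational_unit",
    "description", "external_id", "owner", "os_name",
)
MAX_RESULTS = 5000  # the results tile shows at most the first 5000 assets

# Constructed sample group. asset_id (int) and last_seen (date) are the kind of
# system-defined, non-string values the search must ignore.
SAMPLE_ASSETS: List[Dict[str, Any]] = [
    {"asset_id": 101, "last_seen": datetime.date(2011, 3, 2), "host_name": "web-prod-01",
     "dn": "CN=web-prod-01,OU=DMZ,DC=example,DC=com", "os_name": "Linux",
     "os_version": "2.6", "location": "Datacenter A", "organizational_unit": "DMZ",
     "description": "Public account server", "external_id": "EXT-2011", "owner": "Finance"},
    {"asset_id": 2011, "last_seen": datetime.date(2011, 3, 2), "host_name": "ftp-int-02",
     "dn": "CN=ftp-int-02,OU=Internal,DC=example,DC=com", "os_name": "Windows",
     "os_version": "2003", "location": "Datacenter A", "organizational_unit": "Internal",
     "description": "Internal download server", "external_id": "EXT-2030", "owner": "IT"},
    {"asset_id": 103, "last_seen": datetime.date(2010, 12, 30), "host_name": "dns-01",
     "dn": "CN=dns-01,OU=DMZ,DC=example,DC=com", "os_name": "Linux",
     "os_version": "2.6", "location": "Datacenter B", "organizational_unit": "DMZ",
     "description": "Name server", "external_id": "EXT-2045", "owner": "IT"},
]


def matching_fields(asset: Dict[str, Any], substring: str) -> List[str]:
    """Names of the searchable string fields of one asset that contain the substring."""
    needle = substring.lower()
    hits = []
    for name in SEARCHABLE_FIELDS:
        value = asset.get(name)
        # isinstance guards against a searchable field that unexpectedly holds a non-string
        if isinstance(value, str) and needle in value.lower():
            hits.append(name)
    return hits


def search_assets(assets: Iterable[Dict[str, Any]], substring: str,
                  max_results: int = MAX_RESULTS) -> List[Dict[str, Any]]:
    """First max_results assets whose searchable fields contain the substring.

    An empty search string is treated as 'show everything' (an assumption; the
    guide does not define that case). The cap applies either way.
    """
    results = []
    for asset in assets:
        if not substring or matching_fields(asset, substring):
            results.append(asset)
            if len(results) >= max_results:
                break  # stop early: the tile never shows more than the cap
    return results


def search_host_names(assets: Iterable[Dict[str, Any]], substring: str,
                      max_results: int = MAX_RESULTS) -> List[str]:
    """Same search, reduced to the host names for easy display."""
    return [a["host_name"] for a in search_assets(assets, substring, max_results)]
```

Note that "2011" finds only web-prod-01 (through its External ID), not ftp-int-02, whose asset ID is 2011 and whose last-seen date falls in 2011: both of those live in non-string or unsearched fields, exactly as the guide describes.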

About using a vulnerability scanner to populate Assets table

Information Manager integrates with supported vulnerability scanner data by automatically importing vulnerability information into the Assets table when a scan is performed. Every asset that is listed in the Assets table includes the fields that describe the services that are running and the vulnerabilities that are associated with that asset. When a scan is performed, the Services and the Vulnerabilities tabs are populated with the data that is specific to each asset.

To automatically populate the Assets table with scan information, you must have the collector installed that corresponds to the supported scan. When you use the ESM collector, DNS resolution must be implemented to allow the collector to map IP addresses to host names.

See About vulnerability information in the Assets table on page 286.

Managing which vulnerability scanners update the Assets table

Some environments include multiple vulnerability scanners that monitor the environment. You may not want all of the vulnerability information that is gathered from separate scanners to be used to automatically populate the Assets table. You can use the Asset Detector monitor on the Rules view to choose which scanners are used for auto-populating the Assets table.

Note: When you view a product that is capable of auto-populating the Asset table but has not been configured to do so, the product ID is displayed rather than the product name. To ensure that the product does not auto-populate the Asset table, move the product ID for that product to the left pane.

To manage which vulnerability scanners update the Assets table

1 In the Information Manager console, click Rules.
2 In the left pane, expand Monitors > System Monitors.
3 Click Asset Detector.
4 On the Properties tab, click the ellipsis (...) to open the Property Editor.
5 In the Property Editor, use the options that are available to add or remove the appropriate products.
6 Click OK.
7 When you are finished, click Deploy to Server. To ensure that the configuration is current, you can uncheck the monitor. Then click Deploy to Server and recheck the monitor. Click Deploy to Server again.

See About using a vulnerability scanner to populate Assets table on page 287.

About locked and unlocked assets in the Assets table

When you list an asset in the Assets table, you have the option of locking the asset information or leaving it in the default (unlocked) state. When a supported vulnerability scan is performed, the Assets table overwrites any unlocked assets (including the settings that you have manually changed) that were identified in a previous scan.

Table 18-1 describes the Locked and the Unlocked states.

Table 18-1 Locked and Unlocked assets in the Assets table

Setting    Description
Locked     Prevents the asset from being overwritten when a new vulnerability scan is performed. The Services and Vulnerabilities tabs are updated.
Unlocked   Allows the asset to be overwritten with current asset information when a supported vulnerability scan is performed.

See About vulnerability information in the Assets table on page 286.

Using the Assets table to help reduce false positives

You can use the Assets table to reduce false positives by affecting the priority of incidents that are generated.

See About the Assets table on page 281.

To use the Assets table to reduce false positives:

1 Populate the Assets table with the assets that you want to track. Include the systems that may generate large amounts of the traffic that can be filtered or aggregated, such as firewalls or intrusion detection devices. Include the IP address, Host name, Distinguished name, and operating system details.
2 For each asset, assign the CIA values that have been determined as part of a network security audit or external risk assessment. Higher CIA values generate incidents with higher priority.
3 Use a supported vulnerability scanner to scan the assets listed. The Services and Vulnerabilities tabs are automatically populated with the ports and services available and the potential vulnerabilities for each asset. If you do not use a supported vulnerability scanner, select the Services that you want to identify for filtering and correlation purposes for each asset.

4 For each asset, on the Policies tab, choose any policies that apply to the asset. For example, if the asset is a firewall, add the Firewall policy to the list of policies that apply to that asset.
5 On the Rules view, create any new filters (or correlation rules) based on the settings in the Assets table for each asset. You can combine the fields that access the Assets table with other conditions, such as EMR values. For example, you can create a rule that checks to see if the asset has a Vulnerable value of True, the Mechanism equals Buffer Overflow, and then create an incident.
6 Save and distribute the new rules or filters.

About filtering events based on the operating system

An example of using the Assets table information to reduce false positives is to use the Destination Operating System field available in the Rules view with a specific event ID. The DestinationOperatingSystem field accesses the information that is entered in the OS Name field in the Asset Details window. The events that are specific to a UNIX or Linux operating system often do not apply to a computer that uses Windows. This situation can be a source of false positives.

For example, a BIND Transaction Signature Overflow event primarily applies to UNIX or Linux systems. If the Vendor Event Code field uses a BugTraq ID, you could create a filter that uses the following logic: If the Vendor Event Code field contains 2302 (the BugTraq ID for this event), and the Destination Operating System field contains Windows, then filter the event.

See Using the Assets table to help reduce false positives on page 288.

About using CIA values to identify critical events

After you populate the Assets table with the assets you want to track, you assign CIA values for each asset. You can use the CIA values associated with an asset to build the rules that create incidents based on those values.

For example, to create a rule that escalates ESM events on the assets that have a CIA value of 3 or greater for any CIA category, create a rule that uses the following logic: If the Product equals ESM, and the Destination Host Confidentiality field, the Destination Host Availability field, or the Destination Host Integrity field has a value that is greater than or equal to 3, then create an incident.

See Using the Assets table to help reduce false positives on page 288.
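The Locked and Unlocked behaviour from Table 18-1 and the scan step of the procedure above, carried out on a small constructed table as an added example (not Information Manager code). The record layout, the assumption that a scanner-created asset starts unlocked with CIA values of 1, and the choice to leave CIA values alone on an unlocked asset (a scanner does not report them) are all this example's own; the vulnerability identifiers in the sample scan are placeholders, not real CVE or BugTraq numbers. The point it makes concrete is which manual edits survive a scan: on a locked asset only the Services and Vulnerabilities tabs change, on an unlocked asset the scanner's description wins, and in both cases any finding sets the vulnerable flag.

```python
import copy
from typing import Any, Dict

AssetTable = Dict[str, Dict[str, Any]]   # keyed by IP address


def new_asset_from_scan(ip: str, scan: Dict[str, Any]) -> Dict[str, Any]:
    """Record for a host the scanner found that the table did not list yet.

    Assumption: scanner-created assets start unlocked with CIA values of 1.
    """
    vulns = list(scan.get("vulnerabilities", []))
    return {
        "ip": ip,
        "locked": False,
        "host_name": scan.get("host_name", ""),
        "os_name": scan.get("os_name", ""),
        "cia": {"confidentiality": 1, "integrity": 1, "availability": 1},
        "services": sorted(scan.get("services", [])),
        "vulnerabilities": vulns,
        "vulnerable": bool(vulns),
    }


def apply_scan_results(assets: AssetTable, scan_results: Dict[str, Dict[str, Any]]) -> AssetTable:
    """Merge one scan into the table and return the new table; the input is left untouched."""
    updated = copy.deepcopy(assets)
    for ip, scan in scan_results.items():
        asset = updated.get(ip)
        if asset is None:
            updated[ip] = new_asset_from_scan(ip, scan)
            continue
        if not asset["locked"]:
            # Unlocked: the scanner's descriptive fields replace manual edits.
            # CIA values are kept because a scanner does not report them (assumption).
            for key in ("host_name", "os_name"):
                if key in scan:
                    asset[key] = scan[key]
        # Locked or not, the Services and Vulnerabilities tabs are refreshed,
        # and any finding flags the asset as vulnerable.
        vulns = list(scan.get("vulnerabilities", []))
        asset["services"] = sorted(scan.get("services", []))
        asset["vulnerabilities"] = vulns
        asset["vulnerable"] = bool(vulns)
    return updated


# Constructed table: one locked and one unlocked asset, both edited by hand.
ASSETS_BEFORE: AssetTable = {
    "10.0.1.10": {"ip": "10.0.1.10", "locked": True, "host_name": "web-prod-01",
                  "os_name": "Linux",
                  "cia": {"confidentiality": 5, "integrity": 5, "availability": 5},
                  "services": [443], "vulnerabilities": [], "vulnerable": False},
    "10.0.1.20": {"ip": "10.0.1.20", "locked": False, "host_name": "ftp-int-02",
                  "os_name": "Linux",
                  "cia": {"confidentiality": 1, "integrity": 1, "availability": 2},
                  "services": [21], "vulnerabilities": [], "vulnerable": False},
}

# Constructed scanner output. The IDs are placeholders, not real identifiers.
SCAN_RESULTS = {
    "10.0.1.10": {"host_name": "web-prod-01.example.com", "os_name": "Solaris",
                  "services": [443, 22],
                  "vulnerabilities": [{"cve": "CVE-PLACEHOLDER-1", "bugtraq": "BID-PLACEHOLDER-1",
                                       "discovered": "2011-03-01", "source": "scanner-a"}]},
    "10.0.1.20": {"host_name": "ftp-int-02.example.com", "os_name": "Windows",
                  "services": [21, 445], "vulnerabilities": []},
    "10.0.1.30": {"host_name": "new-host.example.com", "os_name": "Linux",
                  "services": [80],
                  "vulnerabilities": [{"cve": "CVE-PLACEHOLDER-2", "bugtraq": "BID-PLACEHOLDER-2",
                                       "discovered": "2011-03-01", "source": "scanner-a"}]},
}
```

Lock the assets whose OS name or host name you curate by hand (step 7 of Identifying critical systems in Chapter 19 calls this Lock for Auto Update); otherwise the next scan silently replaces them, which is the behaviour the Unlocked row of Table 18-1 describes.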

About using Severity to identify events related to critical assets

You can use the Severity setting for a rule with the information that you provided in the Assets table. You can use this information to help identify the critical events that are related to specific assets. By adjusting the severity of an incident, a security analyst can focus on the highest priority events from a security perspective.

Using CIA values with the Severity setting of a rule lets you correlate more important systems on your network with a higher visibility for the analyst. They are likely to analyze higher severity incidents first. Identifying systems with lower CIA values and correlating that information with a lower severity level helps to reduce the number of incidents that an analyst must review.

For example, you use the Vulnerable field to identify whether a vulnerability exists on the Destination asset. You want to escalate an incident that uses a Virus Mechanism. Use the following logic: If Vulnerable equals Yes, and the Mechanism field contains Virus, then create an Incident. You can also increase the importance of this event for the analyst. On the Actions tab for this rule, set the Severity to a high number, such as 5. You can further refine this rule by adding the conditions that use the Destination Host Availability, Destination Host Confidentiality, and Destination Host Integrity fields.

See Using the Assets table to help reduce false positives on page 288.

About using the Services tab

For each asset that is listed in the Assets table, the Services tab lists the ports that are available for that asset. These ports may also be potentially vulnerable. The Services tab can be manually populated by choosing the ports from the provided list that you are interested in. A vulnerability scanner can also populate it. Running a supported scan on an asset that is listed in the Assets table automatically populates the Services view with the available ports. It overwrites any services you added manually.

A number of fields in the Rules view use the Services tab to identify potential incidents. You can use the information in the Services tab to reduce false positives. You create the rules and the filters that access the list of ports that have been identified for each asset. You filter or aggregate based on this information.

For example, the Attempted DNS Exploit rule uses the Destination Host Services field. This field references the services information in the Assets table. The rule uses this field to determine whether a buffer overflow event is associated with a target computer that acts as a Domain Name Server (port 53). If the asset that is targeted has port 53 listed on the Services tab, this condition for the rule is met. If the other conditions that are listed in this rule also match this event, a security incident is created.

You can customize the services that are available to choose from by editing a list. The list is in System > Services. The Services tab of the System view determines the list of services that you can choose from when describing an asset in the Assets table.

See Using the Assets table to help reduce false positives on page 288.

About associating policies with assets to reduce false positives or escalate events to incidents

You can populate the Assets table with the assets on your network, and associate policies with each asset. Associating policies with assets helps describe each system with more granularity. In the Assets view, on the Policies tab, you can choose from a predetermined set of policies. The policies describe the use of the asset from a policy perspective.

Several fields in the Rules view use policy association to further identify the type of asset that is associated with an event. For example, the External Port Sweep rule uses the Source Host Policies field. It uses this field to determine whether the source host for the event is associated with the Firewall or Proxy policy. If the Source Host Policies field contains either value, the event does not match the correlation criteria for that rule.

Assign policies to assets to use the power of the Correlation Engine to reduce the number of events that the security analyst reviews. If you have a large number of assets that are used for a similar purpose such as a firewall or a vulnerability scanner, you can create a rule for them. The rule identifies events based on the policies that are associated with the assets involved with the event.

You may have assets on your network that are required to be in compliance with a specific regulatory policy, such as the Visa Cardholder Information Security Program (Visa CISP). If you have identified the servers or the devices that are used to meet the compliance requirements for Visa CISP, you can add this policy to the description of the asset in the table. If an attack relates to the potential compromise of the data related to this policy (such as unauthorized logon attempts detected by an Intrusion Detection System), you can develop a set of rules that immediately escalate these events as security incidents.

The set of policies that are available may be periodically updated by a mechanism such as Symantec DeepSight Threat Management System or LiveUpdate. When the policies are updated, the policies that you have assigned to each asset are not affected. In addition, you can create the custom policies that are added in the System view under the Policies tab. When you add a policy to the list in the System view, the policy can then be assigned to an asset in the Asset Details window under the Policies tab.

See Using the Assets table to help reduce false positives on page 288.
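The rule examples scattered through this chapter (the BugTraq 2302 filter on Windows destinations, the ESM rule on CIA values of 3 or more, the Vulnerable plus Virus rule at Severity 5, the Attempted DNS Exploit check against port 53 on the Services tab, and the External Port Sweep exclusion for sources carrying the Firewall or Proxy policy) all read the same Assets table, so they are gathered into one added example here. This is not Information Manager code or its rule syntax: the Asset fields, the event dictionary keys, the evaluation order, and the severities other than the 5 the guide names (3 and 4 below) are this example's assumptions, and the assets and events are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class Asset:
    """One row of the Assets table (field names are this example's own)."""
    ip: str
    os_name: str = ""          # Asset Details > OS Name
    confidentiality: int = 1   # CIA values, 1 (non-critical) .. 5 (critical)
    integrity: int = 1
    availability: int = 1
    vulnerable: bool = False   # set when a scan found any vulnerability
    services: Set[int] = field(default_factory=set)   # ports on the Services tab
    policies: Set[str] = field(default_factory=set)   # names on the Policies tab


# Constructed Assets table, keyed by IP address.
ASSETS: Dict[str, Asset] = {
    "10.0.1.10": Asset("10.0.1.10", "Windows 2003", 5, 5, 5, policies={"Visa CISP"}),
    "10.0.1.53": Asset("10.0.1.53", "Linux", 2, 3, 2, vulnerable=True, services={22, 53}),
    "10.0.0.1": Asset("10.0.0.1", "Linux", 1, 1, 1, policies={"Firewall"}),
}

# Verdict shapes: ("filter", reason) drops the event, ("incident", severity, rule)
# creates an incident, ("pass", None) leaves the event alone.
Verdict = Tuple


def enrich(event: dict, assets: Dict[str, Asset]) -> dict:
    """Add the Destination Host / Source Host fields the Rules view derives from the table."""
    dst = assets.get(event.get("dst_ip", ""))
    src = assets.get(event.get("src_ip", ""))
    e = dict(event)
    e["dst_os"] = dst.os_name if dst else ""
    e["dst_cia"] = (dst.confidentiality, dst.integrity, dst.availability) if dst else (0, 0, 0)
    e["dst_vulnerable"] = dst.vulnerable if dst else False
    e["dst_services"] = dst.services if dst else set()
    e["src_policies"] = src.policies if src else set()
    return e


def evaluate(event: dict, assets: Dict[str, Asset]) -> Verdict:
    """Apply the chapter's example rules; the order is this example's choice."""
    e = enrich(event, assets)

    # Filter: BugTraq 2302 (BIND TSIG overflow) aimed at a Windows host is noise.
    if "2302" in e.get("vendor_event_code", "") and "Windows" in e["dst_os"]:
        return ("filter", "UNIX/Linux-only event against a Windows asset")

    # External Port Sweep: sources with the Firewall or Proxy policy do not match.
    if e.get("event_type") == "port_sweep":
        if e["src_policies"] & {"Firewall", "Proxy"}:
            return ("pass", None)
        return ("incident", 3, "External Port Sweep")          # severity 3 assumed

    # Vulnerable destination plus a Virus mechanism: the guide suggests Severity 5.
    if e["dst_vulnerable"] and "Virus" in e.get("mechanism", ""):
        return ("incident", 5, "Virus against vulnerable host")

    # Attempted DNS Exploit: buffer overflow at a host that serves port 53.
    if "Buffer Overflow" in e.get("mechanism", "") and 53 in e["dst_services"]:
        return ("incident", 4, "Attempted DNS Exploit")        # severity 4 assumed

    # ESM event on an asset with any CIA value of 3 or more.
    if e.get("product") == "ESM" and max(e["dst_cia"]) >= 3:
        return ("incident", 3, "ESM event on critical asset")  # severity 3 assumed

    return ("pass", None)


# Constructed events exercising each rule.
SAMPLE_EVENTS = {
    "bind_on_windows": {"vendor_event_code": "BID-2302", "dst_ip": "10.0.1.10", "mechanism": "Buffer Overflow"},
    "bind_on_dns": {"vendor_event_code": "BID-2302", "dst_ip": "10.0.1.53", "mechanism": "Buffer Overflow"},
    "sweep_from_firewall": {"event_type": "port_sweep", "src_ip": "10.0.0.1"},
    "sweep_from_unknown": {"event_type": "port_sweep", "src_ip": "192.0.2.7"},
    "virus_on_dns": {"mechanism": "Virus", "dst_ip": "10.0.1.53"},
    "esm_on_critical": {"product": "ESM", "dst_ip": "10.0.1.10"},
    "esm_on_firewall": {"product": "ESM", "dst_ip": "10.0.0.1"},
}


def run_samples(assets: Dict[str, Asset] = ASSETS) -> Dict[str, Verdict]:
    """Verdict for every sample event, keyed by the event's label."""
    return {name: evaluate(ev, assets) for name, ev in SAMPLE_EVENTS.items()}
```

Two things worth noticing when you build the real rules: the guide's "contains 2302" is a substring test, so a Vendor Event Code such as 12302 would also match, and a tighter comparison is safer; and an event whose destination is not in the Assets table gets empty CIA, services and policy values, so every asset-based rule silently fails to fire for it, which is why step 1 of the procedure insists on populating the table first.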


Section 6 Configuring the Information Manager

Chapter 19. Configuring the Console
Chapter 20. Configuring general settings in the Web configuration interface
Chapter 21. Managing Global Intelligence Network content
Chapter 22. Working with Information Manager configurations


Chapter 19 Configuring the Console

This chapter includes the following topics:

About configuring Information Manager
Identifying critical systems
Adding a policy
Specifying networks

About configuring Information Manager

For the correlation rules to function properly, it is essential that you specify the information that is used to determine incident severity. Key settings include specifying the systems that host critical or sensitive information and the systems that require high availability.

You can also specify the networks that exist in your organization so that you can increase the priority of incidents based on the affected network. For example, the incidents that affect the networks that reside within your firewall can be assigned a higher priority than those that reside outside the firewall.

See Identifying critical systems on page 296.

You can specify the policies that are used within your network. Symantec Security Information Manager includes default policies. You can also add custom policies. Once you have defined the available policies, you can associate them with network computers when you add entries to the Assets list.

See Adding a policy on page 297.
See Specifying networks on page 298.

You should also create your list of response teams so that Information Manager can automatically assign incidents to these teams based on the rules settings. You use the Information Manager console to create the teams. However, the list of members that you can assign to those teams is maintained on the System view.

Another key factor that lets you determine incident severity and the functioning of rules is the information that is stored in the knowledge base. The Global Intelligence Network Integration Manager provides some of this information. You can configure some settings. For example, you can add entries to the IP watchlist.

Note: When you add a new policy or service to the Policies or Services lists, the new entries appear in the Event Criteria on the Rules view after you restart the console for the Information Manager.

Identifying critical systems

For the correlation rules to function properly, you must specify the information that is used to determine incident severity. Key settings include specifying the systems that host critical or sensitive information and the systems that require high availability.

See About configuring Information Manager on page 295.

Complete the following steps to identify critical systems in your organization.

To identify critical systems

1 In the console of the Information Manager client, click Assets.
2 On the toolbar, click + (the plus icon).
3 In the Asset Editor dialog box, in the IP Address box, type the IP address of the system.
4 Fill in the following optional information, if you want:
  In the Host Name box, type the host name of the system.
  In the MAC Address box, type the MAC address of the system.
  In the DN box, type the Distinguished Name of the system.
  In the Description box, type a description of the system.

5 (Optional) In the Asset Priority area, select values for Confidentiality, Integrity, and Availability as follows:

  Confidentiality  Value range 1 to 5, where level 5 means that the computer hosts content that must be maintained with the highest level of confidentiality.
  Integrity        Value range 1 to 5, where level 5 means that the computer hosts content that must be maintained with the highest level of integrity.
  Availability     Value range 1 to 5, where level 5 means that the computer hosts applications and the content that must always be available for your business.

6 (Optional) In the Additional Information area, provide the following information:
  The name of the organization that uses this system
  The physical location of the system
  The name of the operating system that is running on the system
  The version of the OS that is running on the system
  The owner of the system
  External ID information if used
7 Select Lock for Auto Update if you do not want the Assets list entry for this host to be overwritten when new information is imported from a vulnerability scanner.
8 Click the Save Asset icon.

Adding a policy

You can add a policy against which you want to check the compliance.

See About configuring Information Manager on page 295.

You can add a policy from the Assets view. The policy is added for the specific asset that you select from the Assets view.

To add a policy from the Assets view

1 In the console of the Information Manager client, click Assets.
2 Select an asset to which you want to add the policy.

3 Double-click the asset or go to the details pane in the Assets view.
4 In the Asset Details dialog box, under the Policies tab, click the (+) plus icon.
5 Select a policy and click OK.

You can add an entirely new policy from the System view.

To add a new policy from the System view

1 In the Information Manager console, click System.
2 On the Administration tab, click Policies.
3 On the toolbar, click + (the plus icon).
4 Type a name and description in the spaces that are provided.
5 Click OK.

Specifying networks

You can specify the networks that exist in your organization to be associated with the Information Manager server.

See About configuring Information Manager on page 295.

To specify a network

1 In the Information Manager console, click System.
2 On the Administration tab, click Networks.
3 On the toolbar, click + (the plus icon).
4 In the Create New Network dialog box, type a name for the network in the Name box.
5 In the Netmask box, type the subnet IP address and subnet mask for the network.
6 (Optional) In the Physical Location box, type the location of the network.
7 (Optional) From the Time Zone list, select a time zone to specify the time zone in which this network is situated. You can also type the time zone details in the GMT +/- HH:MM format. When the time zone is specified, the time information from where an event has originated can be tracked.
8 (Optional) In the Logical Location box, type the logical location or select the logical location of the network.
9 (Optional) In the Description box, type a description of the network.
10 Check Auto-Updateable if you want the new entry to be overwritten when the new network information is imported from a vulnerability scanner.
11 Click OK.
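What the network definitions from this procedure are used for, as an added example (not Information Manager code): the chapter introduction says incidents on networks inside the firewall can be given a higher priority than those outside, and step 7 says the network's GMT +/- HH:MM time zone lets the origin time of an event be tracked. The Network record below mirrors the dialog's Name, Netmask, Physical Location, Time Zone and Logical Location boxes; the inside_firewall flag, the +1 priority weight, and the longest-prefix choice when networks overlap are this example's assumptions, and the network list is constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class Network:
    """A row of System > Administration > Networks (field names are this example's own)."""
    name: str
    netmask: str                    # subnet IP address and subnet mask, e.g. 10.0.1.0/24
    physical_location: str = ""
    time_zone: str = "GMT+00:00"    # the dialog's GMT +/- HH:MM form
    logical_location: str = ""
    inside_firewall: bool = True    # assumption: not a dialog field, drives the priority boost


def parse_gmt_offset(text: str) -> timezone:
    """'GMT+05:30' or 'GMT -08:00' -> a fixed-offset tzinfo; anything else is rejected."""
    m = re.fullmatch(r"GMT\s*([+-])\s*(\d{2}):(\d{2})", text.strip())
    if not m:
        raise ValueError(f"time zone must be in GMT +/- HH:MM format, got {text!r}")
    sign = 1 if m.group(1) == "+" else -1
    return timezone(sign * timedelta(hours=int(m.group(2)), minutes=int(m.group(3))))


def find_network(ip: str, networks: List[Network]) -> Optional[Network]:
    """Most specific (longest prefix) configured network that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for net in networks:
        block = ipaddress.ip_network(net.netmask, strict=False)
        if addr.version == block.version and addr in block and block.prefixlen > best_len:
            best, best_len = net, block.prefixlen
    return best


def adjust_priority(base_priority: int, ip: str, networks: List[Network]) -> int:
    """Add 1 (capped at 5) for addresses on a network inside the firewall; weight assumed."""
    net = find_network(ip, networks)
    if net is not None and net.inside_firewall:
        return min(base_priority + 1, 5)
    return base_priority


def local_event_time(event_utc: datetime, ip: str, networks: List[Network]) -> datetime:
    """Render a UTC timestamp in the time zone of the network the address belongs to."""
    net = find_network(ip, networks)
    tz = parse_gmt_offset(net.time_zone) if net else timezone.utc
    return event_utc.astimezone(tz)


def local_time_string(iso_utc: str, ip: str, networks: List[Network]) -> str:
    """Convenience wrapper: ISO-8601 UTC string in, 'HH:MM' local to the network out."""
    event = datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc)
    return local_event_time(event, ip, networks).strftime("%H:%M")


# Constructed network list; the DMZ is a more specific block inside the corporate range.
NETWORKS = [
    Network("Corporate LAN", "10.0.0.0/16", "Head office", "GMT+05:30", "Inside"),
    Network("DMZ", "10.0.1.0/24", "Head office", "GMT+05:30", "Perimeter"),
    Network("Partner extranet", "203.0.113.0/24", "Colocation", "GMT-08:00", "Outside",
            inside_firewall=False),
]
```

The strict=False argument lets a netmask typed as a host address with a mask (10.0.1.5/24) still describe its subnet, which is how an operator often fills in the Netmask box; an address that belongs to no configured network keeps its base priority and is shown in UTC, so missing network definitions show up as unadjusted incidents rather than as errors.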


Chapter 20 Configuring general settings in the Web configuration interface

This chapter includes the following topics:

About the Settings view
Editing the Hosts file
Changing the network settings
Changing date and time settings
Changing a Network Time Protocol Server
About the Password view
Changing the password for Linux accounts
Changing the password for symcmgmt Linux account
About the Global Intelligence Network configuration view
About running LiveUpdate
Running LiveUpdate from the Information Manager Web configuration interface
About integrating Active Directory with the Information Manager server
Managing Active Directory configurations
Adding the CA root certificate
Shutting down the Information Manager server
Restarting the Information Manager server
About using the multipath feature for storage options
About External Storage
Creating NAS Configuration
Deleting NAS configuration
Connecting Information Manager to a SAN
Connecting Information Manager to a DAS
Configuring Information Manager with DAS/SAN Storage
Extending the storage capacity of an existing DAS/SAN configuration
Unmounting the DAS/SAN configuration
Restoring a DAS/SAN configuration
Deleting a DAS/SAN configuration

About the Settings view

The Settings view on the Web configuration interface of the Information Manager lets you configure the various settings for the Information Manager server remotely.

See About configuring Information Manager on page 295.

The Settings view contains the following options:

GIN   Lets you configure the GIN update settings. See About the Global Intelligence Network configuration view on page 311.
Database   Lets you enable or disable Event Summarizers and specify the maintenance options.

Directory Registration   Lets you add an Information Manager server to the LDAP domain of another Information Manager server. See About registering a security directory on page 243.
Collector Registration   Lets you register and unregister the collector definitions, which contain configuration settings and the event schemas that the Information Manager server requires. The Information Manager server needs the information to recognize and log events from a security product.
Custom Logs   Lets you map application log data to fields that are defined in the Information Manager server.
Active Directory   Lets you create Active Directory Configurations for addition of users from an Active Directory to the SSIM configuration. See About integrating Active Directory with the Information Manager server on page 313.
Licensing   Lets you manage the Symantec Security Information Manager and Global Intelligence Network licenses.
Certificate   Lets you configure the certificate settings.
External Storage   Lets you configure an external storage device for use with the Information Manager.
Password   Lets you change passwords for Linux accounts and modify the password policy for the Information Manager. See Changing the password for Linux accounts on page 309. See Changing the password for symcmgmt Linux account on page 310. See Customizing the password policy on page 74.

Network   Lets you configure the network settings for the Information Manager. See Changing the network settings on page 305.
Date Time   Lets you configure the date and the time settings. See Changing date and time settings on page 307.

Editing the Hosts file

To make the host names resolvable, add the IP addresses and names of the Information Manager servers to the hosts file on the Information Manager server.

See About the Settings view on page 302.

To add entries to the hosts file of the Information Manager

1 On the Web configuration interface, click Settings > Network > Hosts File.
2 In the details pane of the Edit Hosts File view, append the host IP address and host name in the text area, in the same format as the previous lines in the hosts file.
3 Click Save Hosts File to save the entered information. If you change the contents of the hosts file or load an earlier version of it and click Save Hosts File, the current hosts file is overwritten. The original hosts file on the Information Manager server is modified and a sequence number is appended to the name. The new hosts file contains all of the changes that are made through the Web configuration interface. All of the versions of the hosts file appear in a table under the text area.
4 To view and edit any previous hosts file that is displayed in the table, click on the file name. The contents of the file are displayed in the text area of the Edit Hosts file view.
5 Add the host IP address and name to the next line in the display in the format of the previous lines. Click Save Hosts File to save the entered information.

The hosts file is located in the /etc directory.
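The save-and-version behaviour of the Edit Hosts File view, reproduced on a throwaway copy as an added example (not Information Manager code). It validates each new entry as an IPv4 or IPv6 address plus one or more host names before anything is written, copies the current file to a numbered name before overwriting it, appends the entry in the layout of the existing lines, and lists the numbered versions the way the table under the text area does. The hosts.1, hosts.2 naming, the host-name pattern, and the starting content are this example's assumptions; the guide only says that a sequence number is appended.

```python
import ipaddress
import os
import re
import shutil
import tempfile
from typing import List, Tuple

# Constructed starting content: the kind of lines a freshly installed server carries.
INITIAL_HOSTS = "127.0.0.1\tlocalhost\n10.0.1.5\tsim-server.example.com sim-server\n"

# Labels of 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def validate_entry(ip: str, names: List[str]) -> None:
    """Reject anything that is not 'address + one or more host names'."""
    ipaddress.ip_address(ip)  # raises ValueError on a malformed IPv4/IPv6 address
    if not names:
        raise ValueError("a hosts entry needs at least one host name")
    for name in names:
        if not HOSTNAME_RE.match(name):
            raise ValueError(f"invalid host name: {name!r}")


def next_version_path(path: str) -> str:
    """path.1, path.2, ...: the next free sequence number (naming scheme assumed)."""
    n = 1
    while os.path.exists(f"{path}.{n}"):
        n += 1
    return f"{path}.{n}"


def save_hosts_file(path: str, new_entries: List[Tuple[str, List[str]]]) -> str:
    """Validate, keep a numbered copy of the current file, append the entries.

    Returns the path of the copy. Nothing is written if validation fails.
    """
    for ip, names in new_entries:
        validate_entry(ip, names)
    backup = next_version_path(path)
    shutil.copyfile(path, backup)
    with open(path) as fh:
        lines = fh.read().splitlines()
    for ip, names in new_entries:
        lines.append(f"{ip}\t{' '.join(names)}")  # same layout as the existing lines
    with open(path, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return backup


def list_versions(path: str) -> List[str]:
    """Earlier versions of the file, in sequence order (what the table under the text area shows)."""
    directory, base = os.path.split(path)
    pattern = re.compile(re.escape(base) + r"\.(\d+)$")
    found = [(int(m.group(1)), f) for f in os.listdir(directory) for m in [pattern.fullmatch(f)] if m]
    return [f for _, f in sorted(found)]


def demo() -> Tuple[List[str], List[str]]:
    """Two good saves and one rejected one on a temporary copy; returns (versions, final lines)."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "hosts")
    with open(path, "w") as fh:
        fh.write(INITIAL_HOSTS)
    save_hosts_file(path, [("10.0.1.6", ["sim-agent-01.example.com", "sim-agent-01"])])
    save_hosts_file(path, [("fd00::6", ["sim-agent-01-v6.example.com"])])
    try:
        save_hosts_file(path, [("10.0.1.999", ["bad-entry"])])  # rejected, no version written
    except ValueError:
        pass
    with open(path) as fh:
        final_lines = fh.read().splitlines()
    result = (list_versions(path), final_lines)
    shutil.rmtree(workdir)
    return result
```

Validating before the copy is taken matters: a rejected entry leaves neither a stray numbered version nor a half-written hosts file, so the version table stays an honest history of what was actually saved.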

Changing the network settings

You can use the Information Manager Web configuration interface to change network settings.

Warning: You cannot change the domain name after you specify a domain name or accept the default name. You must reinstall the Information Manager software if you want to change the domain name.

See About the Settings view on page 302.

Changing the host name or IP address of the primary Ethernet connection (eth0) creates a new self-signed certificate for the Information Manager server. If you use a signed certificate from a Certified Signing Authority, generate a new signed certificate using the CA. Then install the certificate after changing the host name or IP address.

If you change the host name or IP address of an Information Manager server, all remote agents that communicate with it must be configured to use the new settings. This requirement does not apply to the agent that is running on the Information Manager server.

Warning: The Information Manager server restarts if the network settings are changed.

To change the network settings

1 On the Web configuration interface, click Settings > Network > Network Card Settings.
2 In the details pane of the Network Card Settings view, type the host name in the provided box.
3 In the Search Domain box, type the search domain for the Information Manager server. You can enter up to six domain names. Separate the names by using spaces, and use up to a total of 256 characters. This parameter defines the domains that must be looked up in case a domain is not specified. Therefore, adding the domain names that are not local may generate network traffic and slow down the system.

4 (Optional) Enter the names of up to three Domain Name Servers in the boxes that are provided.
Note: You can provide an IPv4 address as well as an IPv6 address for the Domain Name Servers.
5 In the Network interface 0 (eth0) Settings area, do the following:
- In the box that is provided, type the IP address for the first network interface card of the Information Manager server.
- In the Netmask text box, type the mask that is used for addresses in the network or subnet where the Information Manager is used.
- In the Gateway text box, type the IP address of the gateway server for the Information Manager server.
- In the IPv6 Address text box, specify the IPv6 address for the network interface card of the Information Manager server.
- In the IPv6 Prefix text box, type the decimal value that gives the number of contiguous, higher-order bits of the address that form the network part of the address. The prefix can be any integer value between 0 and 64. For example, 10FA:6604:8136:6502::/64.
- In the IPv6 Gateway text box, type the IPv6 address of the gateway server for the Information Manager server.
- Select the Speed mode from the options available in the drop-down list. If you select an option other than Auto Negotiate, you must also specify the duplex mode (full or half).
6 If you use the second Ethernet connection on the Information Manager server, do the following in the Network interface 1 (eth1) Settings area:
- In the box that is provided, type the IP address for the second network interface card in the Information Manager server.
- In the Netmask box, type the mask that is used for addresses in the network or subnet where the Information Manager server is used.
- In the Gateway box, type the IP address of the gateway server for the Information Manager server.
- In the IPv6 Address text box, specify the IPv6 address for the network interface card of the Information Manager server.
- In the IPv6 Prefix text box, type the decimal value that gives the number of contiguous, higher-order bits of the address that form the network part of the address. The prefix can be any integer value between 0 and 64. For example, 10FA:6604:8136:6502::/64.
- In the IPv6 Gateway text box, type the IPv6 address of the gateway server for the Information Manager server.
- Select the Speed mode from the options available in the drop-down list. If you select an option other than Auto Negotiate, you must also specify the duplex mode (full or half).
7 If you have changed the IP address or the host name of network interface 0, complete the following steps. Otherwise, skip to step 8.
- In the Management Directory Logon area of the Network Card Settings view, select Force hostname and eth0 IP address update.
- In the username(dn) text box, type a user name with administrator rights for the LDAP directory that the Information Manager currently uses. The default user name for the security directory is cn=root.
- In the Password box, type the password.
- In the Domain text box, type the domain of the Information Manager.
8 Click Change Settings.

Changing date and time settings

You can use the Information Manager Web configuration interface to specify the Information Manager server date and time settings.

See About the Settings view on page 302.

To specify date and time settings
1 On the Web configuration interface, click Settings > Date Time > Date/Time.
2 Use the controls that are provided to specify the date, time, and time zone settings.
3 To ensure the proper functioning of the system, a new self-signed certificate is created when you change the system date or time. Specify the details for the self-signed certificate.
4 Specify the LDAP directory user name and password.
5 Click Update.

You can also synchronize the time on your Information Manager to an NTP time server.

Warning: The Information Manager restarts when you add an NTP server.

To synchronize the Information Manager to a new NTP server
1 On the Web configuration interface, click Settings > Date Time > NTP Status.
2 NTP is disabled by default. Clear the NTP Disabled check box.
3 Click Apply.
4 Click Settings > Date Time > NTP Server Settings.
5 In the NTP Server to be Added text box, type the IP address or the host name of the NTP server that you want to add.
6 Click Add.
The Information Manager restarts when you change your NTP server settings. Therefore, you must close your browser session and log on again.

Changing a Network Time Protocol Server

You can configure the Information Manager to get time settings from a Network Time Protocol (NTP) server. By default, NTP synchronization is disabled.

See About the Settings view on page 302.

To add an NTP Server
Warning: The Information Manager restarts when you add an NTP server.
1 On the Web configuration interface, click Settings > Date Time > NTP Status.
2 In the details pane of the NTP Status view, clear the NTP Disabled check box.
3 Click Apply.
4 Click OK in the confirmation dialog box.
5 Click NTP Server Settings in the tree pane. In the details pane, specify the IP address or the host name of the NTP server to be added, and then click Apply.
6 In the NTP Status view, select the NTP server in the drop-down list and click Apply.
The Information Manager restarts when you change your NTP server settings. Therefore, you must close your browser session and log on again.

To remove an NTP Server
1 On the Web configuration interface, click Settings > Date Time > NTP Server. In the details pane, select the server to be deleted.
2 Click Delete.

About the Password view

The Password view lets you change the passwords of Linux accounts on this server and set the password policy for the system.

See About the Settings view on page 302.

You can access the Password view from Settings > Password. The Password view contains the following options:

Change Password
Lets you change the password of Linux accounts on the server.
See Changing the password for Linux accounts on page 309.

Password Policy
Lets you set the password policy for the system.
See Changing the password for symcmgmt Linux account on page 310.

Changing the password for Linux accounts

You can use the Information Manager Web configuration interface to change the password that is used for the Linux administrative accounts root and simuser. Console administrator accounts and other Information Manager accounts are changed in the Information Manager console.

See About the Settings view on page 302.

To change system settings such as account passwords, do not attempt to manually run the scripts that are included on the Information Manager server. You should be able to use the Information Manager Web configuration interface to accomplish most system-level tasks.

To change the password for Linux accounts
1 On the Web configuration interface, click Settings > Password > Change Password.
2 In the details pane of the Change Password view, type the name of a user account on the Information Manager server in the box provided.

3 Type the current password for the account in the box provided.
4 Type the new password, and then confirm the new password in the boxes that are provided.
5 Click Change Password.

Note: The password for the symcmgmt Linux account cannot be changed from the Web configuration interface. You can change the symcmgmt password by using the standard Linux commands. The symcmgmt password must then also be updated from the Information Manager console. See Changing the password for symcmgmt Linux account on page 310.

If you need to perform an operation on an Information Manager server that is not available through the Web configuration interface or the Information Manager client, contact technical support.

Changing the password for symcmgmt Linux account

The symcmgmt account is a Linux account, but its password must also be changed in the Information Manager client. You can change the symcmgmt password by using the standard Linux commands. The symcmgmt password must then be updated from the Information Manager console under System > Administration > Data Stores.

To change the symcmgmt account password in Linux
1 Log on to the Information Manager server as root, or connect using the db2admin credentials and then obtain the root environment.
2 Run the command passwd symcmgmt.
3 Enter the new password when prompted.
4 Confirm the new password.

To update the symcmgmt account password in the Information Manager client
1 From the Information Manager client, log on to the Directory server with Administrator privileges.
2 Go to System > Administration and navigate to Data Stores.
3 In the right pane, right-click the data store for the appropriate Information Manager server, and then click Properties.

4 Go to the Connection tab and type the new password in the Password text box.
5 Confirm the new password in the Confirm password text box.

See Changing the password for Linux accounts on page 309.

About the Global Intelligence Network configuration view

The Information Manager server has access to current vulnerability, attack pattern, and threat resolution information from the DeepSight Threat and Vulnerability Management Service. This service powers the Symantec Global Intelligence Network. The Global Intelligence Network is a comprehensive collection of vendor-neutral security data sources. It is an authoritative source of information about known and emerging vulnerabilities, threats, risks, and global attack activity.

See About the Settings view on page 302.

The GIN configuration view on the Web configuration interface lets you check the statistics for the Global Intelligence Network. You can access the GIN configuration view from Settings > GIN. The GIN configuration view presents the following options:

Tree pane
The tree pane of the GIN view presents the following option:
GIN
Lets you configure the Global Intelligence Network update settings.
Click Close to close the tree pane.

Details pane
The details pane of the GIN view presents the following options that let you configure Global Intelligence Network update settings:
Source of security content area
Lets you select the source for the updates.
Global Intelligence Network Server Settings area
Lets you specify the server URL, polling interval, and IP address limit details.
Global Intelligence Network Integration Manager Server Chaining area
Lets you enter the Global Intelligence Network Integration Manager server host and polling details, if applicable.
Proxy Server Settings area
Lets you specify the URL, port, user name, and password of the proxy server for the updates.
Click Save to save the settings. Click Reset to clear the data and restore the default values.

See Receiving Global Intelligence Network content updates on page 329.

About running LiveUpdate

The Information Manager server lets you obtain updates for software components such as event collectors, relays, security content, rules, and filters through the LiveUpdate feature. You can update the predefined reports folders with the latest versions that are available on the LiveUpdate Web site. You can run the LiveUpdate process from the Web configuration interface of the Information Manager server.

Note: To be able to run LiveUpdate successfully, your license to update LiveUpdate content must be valid.

See Running LiveUpdate from the Information Manager Web configuration interface on page 313.

Running LiveUpdate from the Information Manager Web configuration interface

The Information Manager server lets you obtain updates for software components such as event collectors, relays, security content, rules, and filters through the LiveUpdate feature. You can update the predefined reports folders with the latest versions that are available on the LiveUpdate Web site. You can run the LiveUpdate process from the Web configuration interface of the Information Manager server.

See About running LiveUpdate on page 312.

To run LiveUpdate from the Information Manager Web configuration interface
1 On the Web configuration interface, click Maintenance > LiveUpdate.
2 In the Update column on the details pane, select the components that you want to update, and then click Update. By default, no component is selected.

Note: To be able to run LiveUpdate successfully, your license to update LiveUpdate content must be valid. If the license has expired, install a valid license using the Information Manager Licensing view at Settings > Licensing > SSIM on the Web configuration interface.

About integrating Active Directory with the Information Manager server

The Active Directory Integration feature on the Web configuration interface of Information Manager lets you synchronize the Information Manager server with an Active Directory server. This integration enables Active Directory users to access the Information Manager server.

You can create and add more than one Active Directory configuration to the Information Manager server. You can set the synchronization schedule for each configuration as required, so that the users are periodically refreshed with each synchronization cycle. The synchronized Active Directory users can log on to the Information Manager server through the console as well as the Web configuration interface.

Members of the External Users role do not have any Information Manager privileges. This role is used only by Active Directory users for pass-through authentication. The Active Directory user must be assigned another Information Manager role to log on to the Information Manager server.

See Managing Active Directory configurations on page 314.

Managing Active Directory configurations

The Active Directory Integration feature on the Settings view of the Web configuration interface lets you create and synchronize Information Manager with Active Directory servers. The view also lets you create, add, edit, or synchronize the Active Directory configurations as required.

See About integrating Active Directory with the Information Manager server on page 313.

Prerequisites for creating an Active Directory configuration are as follows:
- If the Active Directory server and Symantec Security Information Manager are not in the same DNS, you must add the FQDN and the IP address of the Active Directory server to the Information Manager hosts file.
- A certificate authority (CA) must be installed on the domain controller with which Information Manager is to integrate. The CA root certificate must be assigned to the user account that is used in the Active Directory integration configuration.
- Add the CA root certificate of the Active Directory that you want to synchronize to the Information Manager server. See Adding the CA root certificate on page 316. For more details on obtaining an Active Directory root certificate, refer to the Microsoft Web site.

To create a new Active Directory configuration
1 On the Web configuration interface, click Settings > Active Directory.
2 On the details pane, click Create Configuration.
3 Fill in the required details of the host name, IP address, user name, and password. If possible, keep the port number as 636 (the default port for LDAP over SSL).
4 If the Active Directory domain name and the Information Manager domain name are identical, check the Active Directory overrides SSIM box. This setting gives the Active Directory user preference over the Information Manager user when the user logs on to the Information Manager server.

5 Enter the users and groups that you want to synchronize or exclude in the respective boxes. The default Active Directory group Domain Users cannot be added to the Information Manager because it is a special group that does not have member attributes for the users.
6 Enter the password. The user name appears by default and cannot be modified.
7 Check the Disable Scheduling box if you want to disable the synchronization.
8 Enter the synchronization schedule in minutes, hours, or days as required.
9 Click Save to apply.
Configurations are saved and listed by the domain name. You can edit or delete the configurations that are listed. The ibmldap service of the Information Manager server restarts when you save the Active Directory configuration.

Note: The External Users role on Information Manager grants access permission to Active Directory domain users. Therefore, this role must not be removed for Active Directory users. Members of the External Users role do not have any Information Manager privileges. Therefore, the Active Directory user must be assigned another Information Manager role to log on to the Information Manager server.

To edit an Active Directory configuration
1 On the Web configuration interface, click Settings > Active Directory.
2 On the details pane, click List Configurations.
3 Select the configuration that you want to work with.
4 Click the Edit icon.
5 Change the details in the appropriate fields as required.
6 Click Save.

To remove an Active Directory configuration
1 On the Web configuration interface, click Settings > Active Directory.
2 On the details pane, click List Configurations.
3 Select the configuration that you want to remove.

4 Click the Remove icon.
5 Enter the cn=root password in the Remove Active Directory Configurations dialog box, and click OK.

To synchronize an Active Directory configuration
1 On the Web configuration interface, click Settings > Active Directory.
2 On the details pane, click List Configurations.
3 Select the configuration with which you want to synchronize Information Manager.
4 Click the Synchronize Now icon.
5 Click View Synchronization Log to see the results.

Adding the CA root certificate

You must add the CA root certificate from the Active Directory to the Information Manager server. This addition ensures that Information Manager accepts the certificates from that authority. Information Manager supports root certificates that are encoded and exported in the following formats:
- DER encoded binary X.509
- Base-64 encoded X.509

For more details on obtaining an Active Directory CA root certificate, refer to the Microsoft Web site.

If the Active Directory server and the Information Manager server are not in the same DNS, you must also add the FQDN and the IP address of the Active Directory server to the hosts file. See Editing the Hosts file on page 304.

To add the root CA certificate
1 On the Web configuration interface of the Information Manager server, click Settings > Certificate.
2 In the tree pane, click Add CA Root.
3 In the details pane, in the Certificate File option, click Browse, and then navigate to the root certificate file.

4 In the Key Label text box, type a name for this root certificate.
5 Click Add.
This operation restarts the Information Manager server.

Shutting down the Information Manager server

You can shut down the Information Manager server by using the Shutdown option on the Home view. Symantec recommends that you use the Shutdown option on the Home view rather than turning off the Information Manager server. The Shutdown option shuts down the services and leaves the onboard database in a stable state before the server shuts down.

To shut down the Information Manager
1 Click Home > Shutdown/Restart.
2 In the details pane of the Shutdown/Restart view, click Shutdown.
3 Click OK to confirm the server shutdown, or click Cancel to cancel the shutdown action.

See Restarting the Information Manager server on page 317.

Restarting the Information Manager server

You can restart the Information Manager server using the Shutdown/Restart option on the Home view. Symantec recommends that you use the Restart option on the Home view rather than turning off or restarting the Information Manager server directly. The Restart option shuts down the services and leaves the onboard database in a stable state.

To restart the Information Manager server
1 Click Home > Shutdown/Restart.
2 In the details pane of the Shutdown/Restart view, click Restart.
3 Click OK in the confirmation message to confirm the server restart, or click Cancel to cancel the restart action.

See Shutting down the Information Manager server on page 317.

About using the multipath feature for storage options

As a system administrator, you must avoid single points of failure in the system to minimize downtime and service disruptions. To use storage area networks with Information Manager, set up multiple redundant data paths (multipaths) between the Information Manager server and the storage systems. This setup helps you to avoid interruptions in data flow should a hardware failure occur. Configure the multipath I/O feature in Linux to properly access data from the storage systems and to fail over to secondary data paths.

See About the Settings view on page 302.

The Information Manager supports the device-mapper multipath and EMC PowerPath multipath I/O applications. For more details on configuring the multipath feature in Linux, visit the Red Hat knowledge base Web site.

Note: The Web configuration interface supports detection of multipath configurations on a new installation that uses the installation DVD. To detect and manage multipath devices through the Web configuration interface in version 4.7.4, you may need to perform additional steps: for example, installing multipath software and modifying the configuration files. This feature was not supported in previous releases. Configurations that were created manually for multipath in previous versions are retained after you upgrade. However, these configurations cannot be managed using the Web configuration interface.

About External Storage

Network attached storage (NAS), direct attached storage (DAS), and storage that resides on a storage area network (SAN) can be used as external storage by Information Manager to store event archives. To use external storage, you create external storage configurations from the Web configuration interface of the Information Manager.

External storage configurations are specific to the server on which they are created. These configurations cannot be shared or accessed from other servers in the setup.

See Creating NAS Configuration on page 319.
See Connecting Information Manager to a DAS on page 322.
See Connecting Information Manager to a SAN on page 320.
See Configuring Information Manager with DAS/SAN Storage on page 322.

Creating NAS Configuration

Before configuring NAS, ensure that the NFS server can be reached from the Information Manager server. The NFS directory or volume must be exported from the NFS server. Moreover, the NFS directory or volume must be configured to provide read or write permission to the Information Manager server.

To create a NAS configuration
1 Go to Web Configuration Interface > Settings > External Storage > NAS Configuration. If you have already created NAS configurations, those configurations are displayed.
2 Click Create and specify the following parameters:
NAS IP Address
Type the IP address of the NFS server that has the exported directory or volume.
NAS Mount Point
Type the absolute path of the directory or volume that is exported by the NFS server.
Local Mount Point
Type the folder name, not the absolute path, of the mount point. This folder is created in the /eventarchive directory of the Information Manager server. The remote directory is mounted on this folder.
Mount Automatically on Restart
Check this option if you want the remote directory to be mounted after the Information Manager server restarts. (Check this option if you intend to create an Event Storage Rule that uses the NAS for event archive storage.)
3 Click Apply Configuration.

The mount point that is set when you create a NAS configuration may now be used to store event archives. You must also create an Event Storage Rule and configure the rule to use that mount point as the archive path. You can create an Event Storage Rule from the Information Manager console for the respective Information Manager server. See Creating new event archives on page 211. While creating the Event Storage Rule, enter the same archive path that is specified for the Local Mount Point folder.

See About External Storage on page 318.
See Deleting NAS configuration on page 320.

Deleting NAS configuration

Before deleting any logical volume, you must delete the Event Storage Rule that is associated with that logical volume.

To delete an existing configuration
1 Go to Web Configuration interface > Settings > External Storage > NAS Configuration.
2 On the details pane, click Unmount. The configured NAS archives that can be deleted are listed.
Note: Before deleting a NAS configuration, ensure that the Event Storage Rule that is associated with that NAS configuration is either disabled or deleted.
3 Select the NAS configuration to be deleted.
4 Click Unmount Configuration.
Note: Only one configuration can be deleted at a time.

See Creating NAS Configuration on page 319.

Connecting Information Manager to a SAN

The following components are required for attaching a SAN to Information Manager:
- Storage server network
- Fiber Channel switch
- Fiber cables
- Host bus adapter (HBA)
- Information Manager server

To configure SAN with Information Manager
1 Attach a host bus adapter (HBA) to the Information Manager server. Information Manager is tested with QLogic and Emulex HBA cards only.
2 Download the HBA card driver that corresponds to the Information Manager server's current kernel. A restart is necessary to load the drivers once installation is finished. To install a driver for a Linux 32-bit operating system, refer to the driver documentation.
3 Connect your HBA to your SAN. The HBA card has a port or ports that must be connected to a Fiber Channel switch by fiber optic cables. For more details, consult your organization's storage administrator.
4 Provide your HBA's unique World Wide Name (WWN), or WWNs in the case of HBAs with multiple ports, to your storage administrator. A unique WWN is assigned to each Fiber Channel port. Your storage administrator allocates storage LUNs that can be used by your HBA's WWNs. If you intend to use multipath storage, your storage administrator must also be informed about the multipath usage, to configure the SAN infrastructure accordingly.
5 If you have a SAN multipath configuration, install the device-mapper-multipath or EMC PowerPath rpm. Information Manager supports only these two multipath software programs. Configuration that is specific to your environment can be specified for these multipath programs. For example, if you install the device-mapper-multipath rpm, the configuration file is /etc/multipath.conf. The administrator must change the file to match the environment.
- If you have DAS or SAN without a multipath configuration, execute the following command to verify that disks of the expected sizes are shown in the output:
fdisk -l
- If the device-mapper-multipath rpm multipath software is used, verify that the /dev/mapper folder has device files such as mpath0 or mpath1.
- If the multipath software that is used is EMC PowerPath, verify that the /dev folder has device files such as emcpowera or emcpowerb.

See About External Storage on page 318.
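Step 5 above verifies the multipath setup by looking for particular device nodes: mpathN under /dev/mapper for device-mapper multipath, emcpowerX under /dev for EMC PowerPath, and plain sdX or hdX disks otherwise. The following shell functions, added here as an example and not code from the Symantec guide or product, automate that check and list the whole-disk device nodes in the same form the DAS/SAN Configuration view displays them. The device-name conventions are the ones the guide states; the function names, the partition-name filtering and the optional DEVROOT argument (which lets the functions be exercised against a constructed directory instead of /dev) are this example's assumptions.

```shell
#!/bin/sh
# Added example; not code from the Symantec guide or product.
# Reports which multipath software (if any) is active on a server and lists
# the whole-disk device nodes the DAS/SAN Configuration view would offer,
# using the device names the guide describes:
#   /dev/sdX or /dev/hdX          DAS or SAN without multipath
#   /dev/mapper/mpathN            device-mapper multipath
#   /dev/emcpowerX                EMC PowerPath
# DEVROOT defaults to /dev; the tests point it at a constructed directory.

# ssim_storage_mode [DEVROOT] -> prints dm-multipath | powerpath | none
ssim_storage_mode() {
    root=${1:-/dev}
    for f in "$root"/mapper/mpath*; do
        [ -e "$f" ] && { echo dm-multipath; return 0; }
    done
    for f in "$root"/emcpower*; do
        [ -e "$f" ] && { echo powerpath; return 0; }
    done
    echo none
}

# ssim_archive_candidates [DEVROOT] -> one whole-disk device path per line,
# in the form the Web configuration interface shows for the detected mode.
ssim_archive_candidates() {
    root=${1:-/dev}
    mode=$(ssim_storage_mode "$root")
    case $mode in
        dm-multipath) pattern="$root/mapper/mpath*" ;;
        powerpath)    pattern="$root/emcpower*" ;;
        none)         pattern="$root/sd? $root/hd?" ;;
    esac
    for f in $pattern; do
        [ -e "$f" ] || continue
        # Skip partitions (sda1, mpath0p1, emcpowera1): only whole disks are offered.
        case $f in
            */sd?[0-9]*|*/hd?[0-9]*|*/mpath*p[0-9]*|*/emcpower*[0-9]*) continue ;;
        esac
        echo "$f"
    done
}

# Demo against the live /dev of the machine this runs on.
echo "storage mode: $(ssim_storage_mode)"
ssim_archive_candidates
```

Comparing the output of ssim_archive_candidates with the disks the Web configuration interface lists is a quick way to tell whether the multipath rpm has actually taken over a LUN (it then appears once, as mpathN or emcpowerX) or whether the same LUN is still visible once per path as separate sdX devices, which is the case the guide warns must be corrected in the multipath configuration file before the storage is used.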

Connecting Information Manager to a DAS

If you want to use a third-party DAS device with Information Manager, ensure that it meets the following requirements:
- Configured as RAID-5 (for high availability)
- Uses the drivers for RHEL 4.8
- Uses SCSI adapters that support PCIe
- Compatible with the supported hardware for SSIM

Once the physical disks are attached to the Information Manager server, you must configure the virtual disks by entering the RAID controller BIOS. You need to initialize the virtual disks before you use them. For more information on setting the RAID configuration, refer to the respective hardware documentation.

If more than two internal disks are attached to the Information Manager server, all disks except those two are shown as DAS on the External Storage page of the Web configuration interface, where they can be configured for event archives.

See About External Storage on page 318.

Configuring Information Manager with DAS/SAN Storage

Use the following steps to configure Information Manager with DAS/SAN storage.

To configure Information Manager with DAS/SAN Storage
1 Go to Web Configuration interface > Settings > External Storage > DAS/SAN Configuration. If you have already created DAS/SAN configurations, those configurations are displayed along with the corresponding disk size.
2 From the toolbar on the details pane, click Create. The disks available for creating a new configuration are displayed. If you use DAS or SAN without multipath, these disks are displayed as /dev/sda or /dev/hda. For multipath SAN configurations, these disks are displayed as /dev/mapper/mpath0 or /dev/emcpowera, depending on the multipath rpm installed.
3 Select the disks that you want to configure for an archive.

4 Enter the logical volume name for the configuration. A directory with this name is created in the /eventarchive folder, so the name must be unique there.
5 Click Create Configuration.
If the configuration is successfully created, the DAS/SAN status page is displayed. If an error occurs, you can check the log file and analyze the root cause of the error.

You must create an Event Storage Rule and configure that rule to use the mount point as the archive path. You can create an Event Storage Rule from the Information Manager console for the respective Information Manager server. See Creating new event archives on page 211. While creating the Event Storage Rule, specify the logical volume name as the archive path.

See About External Storage on page 318.
See Restoring a DAS/SAN configuration on page 324.
See Unmounting the DAS/SAN configuration on page 324.
See Deleting a DAS/SAN configuration on page 325.

Extending the storage capacity of an existing DAS/SAN configuration

For an attached DAS/SAN, you may require more storage capacity in the future. This extended storage can be provided in the form of additional disks. To extend the storage capacity of the attached DAS/SAN in Information Manager, you add the details of the disk to the DAS/SAN configuration.

To extend the storage facility for a DAS/SAN configuration
1 Go to Web Configuration interface > Settings > External Storage > DAS/SAN Configuration. If you have already created DAS/SAN configurations, those configurations are displayed along with the corresponding disk size.
2 Click Extend. The available disks that can be used to extend the size of an existing logical volume are displayed.
3 Select any number of disks and select the one logical volume that needs to be extended.
4 Click Extend Configuration.
The selected disks are added to the configuration and the size of the logical volume is automatically increased.

See Configuring Information Manager with DAS/SAN Storage on page 322.

Unmounting the DAS/SAN configuration

An administrator can move the data in a logical volume from one Information Manager server to another by using the Unmount option. Unmount releases the selected logical volume so that the storage can be detached and restored on another Information Manager server without loss of data.

Before you unmount, ensure that the Event Storage Rule that is associated with the logical volume is either disabled or deleted. Otherwise the Manager may still be writing to the archive path while the volume is being released.

To unmount a DAS/SAN configuration

1 Go to Web Configuration interface > Settings > External Storage > DAS/SAN Configuration.

2 Click Unmount, and then select the logical volume that must be unmounted.

3 Click Unmount Configuration.

Note: The Unmount operation is not supported for multipath configurations.

After the unmount succeeds, detach the DAS/SAN from the Information Manager server. You must then restore the DAS/SAN configuration on the other Information Manager server.

See Configuring Information Manager with DAS/SAN Storage on page 322.

Restoring a DAS/SAN configuration

The restoration of a DAS/SAN configuration must be performed on the Information Manager server to which the DAS/SAN is now attached, after the logical volume has been unmounted from the previous Information Manager server. Restoring the DAS/SAN configuration reverts the unmount operation.

Perform the restoration carefully: the operation does not tolerate repeated attempts. An unsuccessful attempt may leave the logical volume configuration in an unstable state.

Note: If a restoration operation fails, contact Symantec Support immediately before you attempt any further operations. Further attempts may lead to additional data loss.

Before you restore the DAS/SAN configuration, log on to the Information Manager server and execute the following command:

vgdisplay

Note: If this command reports any errors, you must check and correct the LVM configuration before you continue. The volume group on the attached storage must be visible and error-free before the Restore operation can succeed.

To restore a DAS/SAN configuration

1 Go to Web Configuration interface > Settings > External Storage > DAS/SAN Configuration.
  Note: The DAS/SAN configuration that was created earlier is displayed along with the attached disks and their size. However, the logical volume configuration is not displayed because it is in the unmounted state.

2 Click Restore, and enter the name of the logical volume that is in the unmounted state.

3 Click Restore Configuration.
  On a successful restore, the DAS/SAN status page is displayed with the newly restored configuration. You can now use it as an event archive.

See Configuring Information Manager with DAS/SAN Storage on page 322.

Deleting a DAS/SAN configuration

Before you delete any logical volume, you must delete the Event Storage Rule that is associated with that logical volume.

To delete a DAS/SAN configuration

1 Go to Web Configuration interface > Settings > External Storage > DAS/SAN Configuration.

2 Click Delete.

3 Select the logical volume that you want to delete, and then click Delete Configuration.
  If the deletion fails, check the log file and analyze the root cause of the error.

See Configuring Information Manager with DAS/SAN Storage on page 322.
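The restore procedure above asks you to run vgdisplay first and warns that a failed Restore must not simply be retried. The following added example (not SSIM code) shows the pre-check an administrator can script around that advice: it reads the LVM report commands named in the comments (`vgs` and `lvs` with explicit `-o` column lists) and /proc/mounts, then refuses to proceed when the logical volume is not visible, is already mounted under /eventarchive (a repeated attempt), or is mounted or open elsewhere. The volume group and logical volume names, the report output and the mount table are all constructed for the example; the assumption that a restored volume is mounted at /eventarchive/<logical volume name> follows from the DAS/SAN configuration steps.

```python
"""Pre-flight check before the Restore operation on a DAS/SAN logical volume.

Added example; this is not SSIM code. It assumes the two LVM report
command lines named below and that a restored volume is mounted at
/eventarchive/<logical volume name>, as the DAS/SAN configuration
page describes.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ARCHIVE_ROOT = "/eventarchive"

# Constructed sample output of:
#   vgs --noheadings --separator '|' -o vg_name,vg_attr,vg_size,vg_free
SAMPLE_VGS = """
  VolGroup00|wz--n-|139.62g|0
  ssim_das01|wz--n-|2.73t|0
"""

# Constructed sample output of:
#   lvs --noheadings --separator '|' -o vg_name,lv_name,lv_size,lv_attr
# In lv_attr, position 5 is the state ('a' = active) and position 6 is
# the device-open flag ('o' = open, for example mounted).
SAMPLE_LVS = """
  VolGroup00|LogVol00|135.62g|-wi-ao--
  VolGroup00|LogVol01|4.00g|-wi-ao--
  ssim_das01|archive2011|2.73t|-wi-a---
"""

# Constructed /proc/mounts excerpt: the DAS volume is not mounted yet.
SAMPLE_MOUNTS = """
/dev/mapper/VolGroup00-LogVol00 / ext3 rw 0 0
/dev/sda1 /boot ext3 rw 0 0
"""


@dataclass
class LvState:
    vg: str
    name: str
    size: str
    active: bool
    device_open: bool
    mounted_at: str  # "" when not mounted


def parse_report(text: str) -> List[List[str]]:
    """Split '|'-separated LVM report lines into stripped fields."""
    return [[f.strip() for f in line.split("|")]
            for line in text.splitlines() if line.strip()]


def dm_name(vg: str, lv: str) -> str:
    """Device-mapper node for vg/lv; dm doubles hyphens inside the names."""
    return "/dev/mapper/%s-%s" % (vg.replace("-", "--"), lv.replace("-", "--"))


def mount_table(mounts_text: str) -> Dict[str, str]:
    """Map device -> mount point from /proc/mounts content."""
    table = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            table[fields[0]] = fields[1]
    return table


def logical_volumes(vgs_text: str, lvs_text: str, mounts_text: str) -> Dict[str, LvState]:
    """Combine vgs, lvs and mount output into one state record per LV."""
    known_vgs = {row[0] for row in parse_report(vgs_text)}
    mounts = mount_table(mounts_text)
    states = {}
    for vg, lv, size, attr in parse_report(lvs_text):
        if vg not in known_vgs:
            continue  # vgdisplay would not report this VG cleanly either
        states[lv] = LvState(vg, lv, size, attr[4] == "a", attr[5] == "o",
                             mounts.get(dm_name(vg, lv), ""))
    return states


def restore_precheck(lv_name: str, vgs_text: str = SAMPLE_VGS,
                     lvs_text: str = SAMPLE_LVS,
                     mounts_text: str = SAMPLE_MOUNTS) -> Tuple[bool, str]:
    """Return (ok, reason): ok means Restore of lv_name is worth attempting.

    Restore must not be retried blindly, so the cases that would make it a
    repeated or unsafe attempt are refused: unknown volume, or a volume that
    is already mounted (under /eventarchive or anywhere else) or still open.
    """
    lv = logical_volumes(vgs_text, lvs_text, mounts_text).get(lv_name)
    if lv is None:
        return False, "logical volume %r not visible; check vgdisplay/vgscan first" % lv_name
    expected = "%s/%s" % (ARCHIVE_ROOT, lv_name)
    if lv.mounted_at == expected:
        return False, "already mounted at %s; Restore would be a repeated attempt" % expected
    if lv.mounted_at:
        return False, "mounted at %s, not an archive path; unmount it before Restore" % lv.mounted_at
    if lv.device_open:
        return False, "device is open by another process; Restore is unsafe"
    return True, "%s/%s (%s) is unmounted and not open; Restore may proceed" % (lv.vg, lv.name, lv.size)
```

On a real server you would feed the output of the two commands and the content of /proc/mounts into restore_precheck instead of the constructed samples; the check is read-only and changes nothing on the volume.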


Chapter 21
Managing Global Intelligence Network content

This chapter includes the following topics:

- About managing Global Intelligence Network content
- Registering a Global Intelligence Network license
- Viewing the status of Global Intelligence Network content
- Receiving Global Intelligence Network content updates

About managing Global Intelligence Network content

The Symantec Global Intelligence Network is a comprehensive collection of vendor-neutral security data sources. The service is an authoritative source of information about known and emerging vulnerabilities, threats, risks, and global attack activity.

See About the Global Intelligence Network configuration view on page 311.

The Global Intelligence Network provides information about the current ThreatCon level. The network also provides advice and instructions on how to guard against and respond to the current threats.

The Web configuration interface of Information Manager lets you configure your Information Manager server to update the Global Intelligence Network content. The content comes from the Global Intelligence Network Web site, which the server can reach either directly over the Internet or through a proxy server. A server can also receive its updates from another Information Manager server that already has the content, so that an Information Manager server maintains current security content without a direct connection to the Internet.

Registering a Global Intelligence Network license

If you have purchased the license for the Global Intelligence Network, complete the following steps to activate your Global Intelligence Network content updates.

See About managing Global Intelligence Network content on page 327.

To register a Global Intelligence Network license

1 On the Web configuration interface of the Information Manager, click Settings > Licensing.

2 On the tree pane, click GIN.

3 Click Browse, and then navigate to the Global Intelligence Network license file.

4 When you locate the file, click Open.

5 Click Import License.

Viewing the status of Global Intelligence Network content

The Status view provides the following information about the status of Global Intelligence Network content:

- The status and version of the server that provides the updated security content
- The status of the Global Intelligence Network content license, including its expiration date
- The number of entries under each category of the server database
- Refresh timestamps for DataFeed and Intelligence updates

See About managing Global Intelligence Network content on page 327.

To view the status of Global Intelligence Network content

1 On the Web configuration interface of the Information Manager, click Monitor > SSIM.

2 Click GIN Status.
  The Status view displays information about the security content server, the content license, and the server database. It also displays timestamps for the latest content updates. In the Content License Status area, you can see the number of days before the license expires, along with the expiration date. If you have multiple licenses, the latest expiration date appears.

Receiving Global Intelligence Network content updates

The Global Intelligence Network configuration view provides controls to specify one of the following sources for security content updates:

- Static (or LiveUpdate)
- Global Intelligence Network Internet service (requires a Global Intelligence Network license)
- Another Global Intelligence Network Integration Manager server

The Global Intelligence Network configuration view also lets you specify proxy server settings.

To receive Global Intelligence Network content from an Internet connection

1 On the Web configuration interface of the Information Manager, click Settings > GIN.

2 In the GIN configuration view, in the Source of Security Content area, select Global Intelligence Network Internet Service.
  To select this option, you must have an active Global Intelligence Network license.

3 In the Global Intelligence Network Server Settings area, make sure that the DataFeed Service URL refers to the host name deepsightinfo.symantec.com.
  If you use an IP address instead of deepsightinfo.symantec.com, the proxy test fails.

4 In the Global Intelligence Network Server Settings area, make sure that the IP Service URL also refers to the host name deepsightinfo.symantec.com.
  If you use an IP address instead of deepsightinfo.symantec.com, the proxy test fails.

5 In the DataFeed Polling Interval box, specify how often the server should check for updates.

6 In the IP Polling Interval box, specify how often the server checks for updates to the IP watchlist.
  The watchlist is a list of IP addresses that are known to be associated with security exploits.

7 In the IPaddressLimit box, specify how many IP addresses to download with each update.

8 Click Save.

To receive Global Intelligence Network content updates from a network server

1 On the Web configuration interface of the Information Manager, click Settings > GIN.

2 In the Source of Security Content area, click Another Global Intelligence Network Integration Manager Server.

3 In the Global Intelligence Network Integration Manager Server Chaining area, in the Global Intelligence Network Integration Manager Server Host box, type the host name or the IP address of the Information Manager server that provides the content updates.

4 In the Global Intelligence Network Integration Manager Polling Interval box, specify how often (in minutes) the Information Manager server checks for updates. For example, to update every hour, type 60. To disable this function, type 0.

5 Click Save.

To receive Global Intelligence Network content by LiveUpdate

1 On the Web configuration interface of the Information Manager, click Settings > GIN.

2 On the GIN Configuration view, in the Source of Security Content area, select Static.

3 Click Save.

To specify proxy server settings

1 On the Web configuration interface of the Information Manager, click Settings > GIN.

2 On the GIN Configuration view, in the Proxy Server Settings area, check Use Proxy Server.

3 In the HTTPS/Secure Proxy Server box, type the URL of the proxy server.

4 In the HTTPS/Secure Proxy Port box, type the port that is used to communicate with the proxy server.

5 If the proxy server requires a user name and password to connect, type them in the HTTPS/Secure Proxy Username and HTTPS/Secure Proxy Password boxes, respectively.

6 Click Save.


Chapter 22
Working with Information Manager configurations

This chapter includes the following topics:

- About agent configurations
- About Agent Connection Configurations
- Configuring Agent to Manager failover
- About the Information Manager configurations
- About the Manager components configurations
- Setting up blacklisting for logon failures
- Modifying administrative settings
- About Manager configurations
- Increasing the minimum free disk space requirement in high logging volume situations
- About Manager connection configurations
- About configuring Information Manager directories
- About configuring LiveUpdate

About agent configurations

Agent configurations describe how agents behave and how they communicate with their corresponding Managers. The settings include which primary and secondary server to connect to, and how to get configuration information and report inventory. In addition, the settings include how these computers should receive LiveUpdate information.

See Components of collectors on page 164.

For more information on the Symantec Event Agent, refer to the Symantec Event Agent 4.7 Release Notes.

Table 22-1 lists the tabs on which you can change settings for Agent Configurations.

Table 22-1 Agent Configuration tabs

General
  Contains the name, description, and last modification date of the configuration.

Configuration
  Lets you specify how often the Agent Configuration Provider checks with its Manager for configuration updates. This value is independent of using Distribute to send configurations to the Agent directly through the Command Servlet: it is how long the client waits before it asks for new configurations on its own, if it is not contacted sooner.
  See Table 22-2 on page 335.

Inventory
  Lets you configure the Agent Inventory Provider to report inventory information for each Agent. The inventory lists which components are installed and what version of each component resides on the Agent. You can set how often to report inventory, and how long to wait between failed inventory attempts.

State
  Lets you configure the Agent State Provider to report state information for all Agent providers. Each provider is given the opportunity to report its operational state to its Manager. This information includes which Manager it is currently connected to, what its starting mode is, and which configuration it currently uses.

Logging
  Manages the Information Manager Event Logging Provider so that all events that are logged through the Agent are sent reliably to its Manager. The logging provider stores events locally if it cannot forward them immediately. You can specify the listening port, which Manager servlet to contact, and how to cache events before sending them to the Manager. Many of these settings control how events are forwarded to the Manager. You can also specify the statistics reporting interval.
  If you change the Logging Servlet value to an incorrect value, the Agent can no longer forward events to its Manager.
  See Table 22-3 on page 336.

LiveUpdate
  Lets you schedule a one-time LiveUpdate for the Agent. You can also set several retry and delay settings that relate to running a LiveUpdate session on the Agent.

Table 22-2 describes the Agent configuration settings that can be configured in the Information Manager console.

Table 22-2 Agent configuration settings

Config poll time
  The interval in minutes after which the agent automatically requests a new configuration from the configuration servlet on its Information Manager server. The maximum value is minutes. The minimum value is 0. If the agent is unable to receive a configuration at startup, it retries the request at an increasing (doubling) interval; the initial retry interval is one minute.
  Default: 480 minutes

Allow Anonymous SSL connection
  Specifies that anonymous SSL communication with the Information Manager server is allowed. Anonymous SSL encrypts the connection but does not authenticate the Manager to the agent.
  Default: On

Use Fully Qualified Domain Name
  Specifies that FQDNs are used in configuration update requests.
  Default: Off

Use Direct Event Port
  Lets you configure the Agent to send events on the Direct Event Port (port 10012), which is unsecured: events on this port are sent without SSL protection.
  Note: The on-box agent always sends events on the Direct Event Port.

Throttling schedule
  Lets you specify a throttling schedule to limit the bandwidth that the Agent uses, as required.

Event Feeder Retry Interval
  Lets you specify the interval, in milliseconds, between Event Feeder retries.

Event Feeder Retry Count
  Lets you specify the number of Event Feeder retries.

Event Feeder Switch Back Time
  Lets you specify the switch-back time.

Table 22-3 describes the Agent logging settings that can be configured in the Information Manager console (the Java client).

Table 22-3 Agent logging settings

Listen IP
  The IP address that the agent listens on for all requests. If not specified, the first IP address that is configured for the local computer is used. If it is specified, the agent listens only on that dotted-decimal IP address of the local computer.
  Default: not set (the first configured IP address is used)

Listen port
  The port number that the agent listens on for requests from integrating products. Valid values are any positive integer under 65,535 that refers to a free port on the IP address that is specified in Listen IP.
  Default: 8086

Event logging servlet
  Identifies the Information Manager server servlet to which the agent sends messages. Set to any valid servlet name running on the Information Manager server that is specified in the Primary manager server setting on the Common tab. Use extreme caution if you decide to change this setting.
  Default: EventLogger

Disconnected mode retry interval
  The time in minutes that the agent waits before it retries sending events to the Information Manager server while it runs in disconnected mode. The agent goes into disconnected mode automatically when the Information Manager server cannot be contacted, so this value is the retry interval for sending events to the Information Manager server. The minimum value is 0 minutes.
  Default: 0 minutes

Maximum queue size
  The maximum size in kilobytes of any single application's queue. Once an application's queue reaches this size, any further log requests from that application are refused. Other applications may continue to log events until their own queues have also reached this size. The most likely cause for an application's queue to reach this size is that the Information Manager server cannot be contacted. The value should be an integer between 60 KB and 1,000,000 KB.
  Default: 80,000 KB

Event queue flush time
  The number of seconds that the agent queues events for a given ProductId before it sends them to the Information Manager server. The value should be an integer between 1 and 600.
  Default: 4 seconds

Event queue flush size
  The size in kilobytes that an application's queue reaches before the agent sends the queued events to the Information Manager server. The value should be an integer between 768 KB and 10,000 KB.
  Default: 2000 KB

Event queue flush count
  The number of items in an application's queue that causes the agent to send the queued events to the Information Manager server. The value should be an integer between 256 and 10,000.
  Default: 512

Event queue spool size
  The size in kilobytes of an application's queue that the agent holds in memory when it is not able to send the normal queue to the Information Manager server. If the queue exceeds this size and continues to grow, the excess is written to disk. A disk-based queue is slower than a memory-based queue because all queue information that is written to disk is encrypted. The value should be an integer between 1 and 50,000.
  Default: 20,000 KB

Encrypt config file
  Indicates that the configuration file that is located on the agent should be encrypted. This prevents anyone who can open the configuration file from obtaining sensitive information from it.
  Default: Disabled

Event Compression
  Enables or disables event compression.
  Default: Enabled

Agent Queue Statistics Report Interval
  Specifies the interval for reporting agent statistics.
  Default: 300 seconds

Maximum File Queue Size
  Lets you specify the maximum size of the file (disk-based) queue.

About Agent Connection Configurations

Agent Connection Configurations let you configure Agent to Manager failover.

See Configuring Agent to Manager failover on page 340.

Failover is the ability of Information Manager components to automatically switch to designated secondary resources if the primary resource fails or terminates abnormally. After you configure failover, distribute the configurations to the computers that require failover protection.

Table 22-4 lists the tabs on which you can change the failover settings for the Agent.

Table 22-4 Agent Connection Configurations tabs

General
  Contains the name, description, and the last modification date of the configuration.

SSIM Manager Failover
  Lets you specify the primary Manager and an ordered list of Managers to which the Agent can fail over if the primary Manager becomes unavailable.
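The queue settings in Table 22-3 interact: three independent conditions (flush time, flush size, flush count) trigger a send, the spool size decides how much of a held queue stays in memory, and the maximum queue size is enforced per application. The following added example (not Symantec Event Agent code) models those rules with the documented defaults so the interaction can be seen on constructed events; the class and method names, the simulated clock and the 1 KB, 30 KB and 1 MB sample events are all assumptions made for the illustration, and the order in which the three flush conditions are tested is a choice of the example, not documented behaviour.

```python
"""Model of the Agent's per-application event queue (Table 22-3 settings).

Added example, not Symantec Event Agent code: it reproduces the documented
flush, spool and refusal rules so the interaction of the settings can be
seen, using constructed events and a simulated clock instead of real
product logging.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class QueueSettings:
    flush_time_s: float = 4.0     # Event queue flush time (1..600 s)
    flush_size_kb: int = 2000     # Event queue flush size (768..10,000 KB)
    flush_count: int = 512        # Event queue flush count (256..10,000)
    spool_kb: int = 20000         # Event queue spool size: memory held before spilling to disk
    max_queue_kb: int = 80000     # Maximum queue size: refuse log requests beyond this


@dataclass
class ProductQueue:
    events: List[bytes] = field(default_factory=list)
    first_ts: Optional[float] = None   # when the oldest queued event arrived

    def size_kb(self) -> float:
        return sum(len(e) for e in self.events) / 1024.0


class EventLoggingProvider:
    def __init__(self, settings: QueueSettings, connected: bool = True):
        self.s = settings
        self.connected = connected
        self.queues: Dict[str, ProductQueue] = defaultdict(ProductQueue)
        self.sent: List[Tuple[str, int, str]] = []   # (product, events, trigger)
        self.refused = 0

    def log(self, product: str, event: bytes, now: float) -> str:
        """Queue one event for a ProductId; returns what happened to it."""
        q = self.queues[product]
        # Maximum queue size applies per application: a full queue refuses
        # only that application's events; other applications keep logging.
        if q.size_kb() + len(event) / 1024.0 > self.s.max_queue_kb:
            self.refused += 1
            return "refused"
        q.events.append(event)
        if q.first_ts is None:
            q.first_ts = now
        trigger = self._trigger(q, now)
        if trigger is None:
            return "queued"
        if not self.connected:
            return "held"          # disconnected mode: keep it, retry later
        self._send(product, trigger)
        return "flushed"

    def _trigger(self, q: ProductQueue, now: float) -> Optional[str]:
        """Whichever flush condition is met first wins (order is this example's choice)."""
        if len(q.events) >= self.s.flush_count:
            return "count"
        if q.size_kb() >= self.s.flush_size_kb:
            return "size"
        if q.first_ts is not None and now - q.first_ts >= self.s.flush_time_s:
            return "time"
        return None

    def _send(self, product: str, trigger: str) -> None:
        q = self.queues[product]
        self.sent.append((product, len(q.events), trigger))
        q.events.clear()
        q.first_ts = None

    def tick(self, now: float) -> List[str]:
        """Timer pass: flush queues whose oldest event has aged past the flush time."""
        flushed = []
        if self.connected:
            for product, q in self.queues.items():
                trigger = self._trigger(q, now) if q.events else None
                if trigger is not None:
                    self._send(product, trigger)
                    flushed.append(product)
        return flushed

    def reconnect(self, now: float) -> None:
        """Manager reachable again: send everything that was held."""
        self.connected = True
        for product, q in self.queues.items():
            if q.events:
                self._send(product, "reconnect")

    def memory_kb(self, product: str) -> float:
        """Part of a held queue kept in memory (up to the spool size)."""
        return min(self.queues[product].size_kb(), float(self.s.spool_kb))

    def disk_kb(self, product: str) -> float:
        """Part of a held queue spilled to the (encrypted) disk queue."""
        return max(self.queues[product].size_kb() - self.s.spool_kb, 0.0)
```

With the defaults, 512 small events flush on count, 67 events of 30 KB flush on size, and a disconnected application stops being able to log once it holds 80,000 KB, while other applications on the same agent are unaffected.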

Configuring Agent to Manager failover

You configure Manager failover to identify a primary Manager and provide an ordered list of failover Managers to which the Agent can connect if the primary Manager fails.

See About Agent Connection Configurations on page 339.

To configure Agent to Manager failover

1 In the Information Manager console, on the System view, on the Product Configurations tab, expand the domain, expand SSIM Agent and Manager, and click Agent Connection Configurations.

2 Select the custom configuration to edit. You cannot edit the Default configuration.

3 In the right pane, on the SSIM Manager Failover tab, next to the Primary Manager text box, click the browse button (...).

4 In the Find Computers dialog box, do one of the following:
  - To proceed without modifying the Available computers list, select the computer that is to be the primary Manager. The Available computers list shows all Managers for the domain, up to the number of computers that is indicated by the Maximum search count text box.
  - To narrow the Available computers list, specify search criteria, and then select a computer in the revised Available computers list.

5 Click OK.

6 On the SSIM Manager Failover tab, check Enable automatic Manager Failover.

7 Under Primary Manager Failover, do the following:
  - In the Reconnect attempts before failover text box, type the number of times that the Agent should attempt to connect to the Primary Manager before it fails over to the first Manager in the Secondary Managers list.
  - In the Seconds between reconnect attempts text box, type the time interval in seconds to elapse between each reconnect attempt.

8 Under Secondary Manager Failover, do the following:
  - In the Reconnect attempts before failover text box, type the number of times that the Agent should attempt to connect to the current Secondary Manager before it fails over to the next computer in the Secondary Managers list.
  - In the Seconds between reconnect attempts text box, type the time interval in seconds to elapse between each reconnect attempt.

9 To create an ordered list of failover Managers, do the following:
  - Under the Secondary (failover) Managers list, click Add.
  - In the Find Computers dialog box, in the Available computers list, select the computer to make the first failover Manager. If you cannot immediately find the computer that you want, on the left side of the dialog box, enter search criteria, click Start Search, and then select a computer in the Available computers list.
  - Click Add.
  - Continue selecting and adding computers in the order in which you want them to be used for failover.
  - Click OK.
  The computers that you selected are added to the Secondary (failover) Managers list. To change the order of the failover Managers, select a Manager and use the Move Up and Move Down arrows to the right of the list to move the Manager relative to the other Managers in the list.

10 To have the Agent automatically attempt to fail back to the primary Manager, do the following:
  - Ensure that Enable automatic failback recovery is checked.
  - In the Seconds between failback connection attempts text box, type the number of seconds that should elapse between failback attempts.
  - In the Maximum failback retry period (minutes) text box, type the maximum amount of time to keep trying before all failback attempts end and the Manager currently in use becomes the new, permanent primary Manager.
  After a new, permanent primary Manager is established, if you want to return the Agent to the original Manager, you must do it manually, using the Primary Manager drop-down list.

11 To generate a single event when multiple connection failures occur, under Generate a Multiple Connection Failure Event, do the following:
  - In the Number of connection failures that must occur text box, type a number.
  - In the Time span during which connection failures occur (seconds) text box, type a time period.
  When the specified number of connection failures occurs within the specified time period, one event is logged. If you enable Manager failover, connection failures accumulate with each failed reconnect attempt, so the reconnect attempt values determine how quickly this threshold is reached. If you do not enable failover, connection failures can still occur, and the values that you provide here determine how often events are logged for them.

12 Click Save.

About the Information Manager configurations

Information Manager relies on the following components to collect, store, process, and report security events to the Information Manager console: agents, the Information Manager directory, the Information Manager datastore, the Manager, and archives. These components also distribute configuration changes to Information Manager and integrated products. Information Manager configurations let you configure these components.

See About the Manager components configurations on page 342.

Note: You can create customized configurations for each of the collectors that are installed. For more information on creating collector configurations, refer to the documentation that is provided with each collector.

About the Manager components configurations

Manager Components Configurations contain specific settings for each of the Manager components. They let you configure the settings for each component individually, based on the component's configuration requirements. These components generally refer to specific services within the Manager, such as the Event Logging subsystem or the Configuration Service.

See About the Information Manager configurations on page 342.

Table 22-5 lists the tabs on which you can change settings for the Manager Components Configurations.

Table 22-5 Manager Components Configurations tabs

General
  Lets you specify the name, description, and modification date of the configuration.

Notifications
  Lets you specify the notification and retry settings that the alert servlet uses. These settings control how alerts are sent from Information Manager.

Configuration
  Lets you configure the Information Manager Configuration Service by specifying how many times a client can request its configuration during a polling interval. If a client exceeds this value, it is flagged as hyperactive and is not allowed to get its configuration again for a configured interval.

Command
  Controls the settings for the command servlet. When you use the Distribute option to initiate the distribution of configurations, the Command servlet contacts each computer that uses the configuration and notifies it to reload its configuration. These settings let you throttle how many Agents are notified in a given period of time, and can be adjusted to your environment. If you set the throttle too high, you risk overloading your Managers. If you set it too low, it can take a long time to push new settings to a large number of computers.

Administrative
  Lets you modify administrative protections, such as how long a console session can be idle before it times out. You can lengthen the session idle interval to keep the console from timing out quickly, or shorten it to increase security. You can also specify the character set that the console uses to export information: US English ANSI, or Unicode encoding for most double-byte character sets, such as Japanese.

SNMP
  Lets you specify the settings that control how alert notifications are sent to an SNMP server. You can specify the host, port, and community of the SNMP server to which alerts are forwarded. You can also specify the version of SNMP traps to send to that server.

LiveUpdate
  Lets you schedule a one-time update for the Manager. In addition, lets you set several retry and delay settings that are related to updating the Manager by using LiveUpdate.
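The procedure Configuring Agent to Manager failover, earlier in this chapter, sets reconnect counts and intervals for the primary and secondary Managers, a failback interval and retry period, and a threshold for the multiple connection failure event. The following added example (not the Symantec Event Agent's implementation) plays those settings through a simulated clock so you can see how the values combine: how long an Agent spends on a dead primary before it reaches the first usable secondary, when the single connection-failure event fires, and what happens when failback succeeds or is abandoned. The Manager names (ssim-a, ssim-b, ssim-c), the outage schedule and the settings values are constructed for the illustration.

```python
"""Agent-to-Manager failover and failback, as configured on the SSIM Manager
Failover tab, driven by a simulated clock.

Added example; it is not the Symantec Event Agent's implementation. The
Manager names, the reachability schedule and the settings values are all
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class FailoverSettings:
    primary_attempts: int = 3        # Reconnect attempts before failover (primary)
    primary_retry_s: int = 10        # Seconds between reconnect attempts (primary)
    secondary_attempts: int = 2      # Reconnect attempts before failover (secondary)
    secondary_retry_s: int = 10      # Seconds between reconnect attempts (secondary)
    failback_enabled: bool = True    # Enable automatic failback recovery
    failback_interval_s: int = 60    # Seconds between failback connection attempts
    failback_max_min: int = 5        # Maximum failback retry period (minutes)
    failures_for_event: int = 5      # Number of connection failures that must occur
    failure_window_s: int = 300      # Time span during which connection failures occur


def sample_reachable(manager: str, now: float) -> bool:
    """Constructed outage: ssim-a is down until t=200s, ssim-b is down for good."""
    return {"ssim-a": now >= 200, "ssim-b": False, "ssim-c": True}[manager]


class AgentConnection:
    def __init__(self, primary: str, secondaries: List[str],
                 settings: FailoverSettings,
                 reachable: Callable[[str, float], bool] = sample_reachable):
        self.primary = primary
        self.secondaries = list(secondaries)
        self.s = settings
        self.reachable = reachable
        self.now = 0.0                    # simulated clock, seconds
        self.connected_to: Optional[str] = None
        self.failure_times: List[float] = []
        self.events: List[str] = []       # what the agent would log

    def _record_failure(self, manager: str) -> None:
        """Count a failed connect; raise one event per burst over the threshold."""
        self.failure_times.append(self.now)
        cutoff = self.now - self.s.failure_window_s
        self.failure_times = [t for t in self.failure_times if t >= cutoff]
        if len(self.failure_times) >= self.s.failures_for_event:
            self.events.append("MultipleConnectionFailure: %d failures within %ds (last target %s)"
                               % (len(self.failure_times), self.s.failure_window_s, manager))
            self.failure_times.clear()

    def _try_manager(self, manager: str, attempts: int, retry_s: int) -> bool:
        for i in range(attempts):
            if self.reachable(manager, self.now):
                return True
            self._record_failure(manager)
            if i < attempts - 1:
                self.now += retry_s       # wait between reconnect attempts
        return False

    def connect(self) -> Optional[str]:
        """Primary first, then each secondary in list order."""
        if self._try_manager(self.primary, self.s.primary_attempts, self.s.primary_retry_s):
            self.connected_to = self.primary
            return self.primary
        for manager in self.secondaries:
            if self._try_manager(manager, self.s.secondary_attempts, self.s.secondary_retry_s):
                self.connected_to = manager
                self.events.append("Failover: %s -> %s" % (self.primary, manager))
                return manager
        self.connected_to = None
        return None

    def failback(self) -> Optional[str]:
        """Retry the primary at the failback interval until the retry period ends."""
        if not self.s.failback_enabled or self.connected_to in (None, self.primary):
            return self.connected_to
        attempts = (self.s.failback_max_min * 60) // self.s.failback_interval_s
        for _ in range(attempts):
            self.now += self.s.failback_interval_s
            if self.reachable(self.primary, self.now):
                self.events.append("Failback: %s -> %s" % (self.connected_to, self.primary))
                self.connected_to = self.primary
                return self.primary
        # Retry period exhausted: the Manager in use becomes the permanent primary.
        self.events.append("Failback abandoned: %s is now the primary Manager" % self.connected_to)
        self.primary = self.connected_to
        return self.primary
```

With three attempts ten seconds apart on the primary and two on each secondary, the Agent in the sample reaches ssim-c thirty seconds after it started, and the fifth failure (the second on ssim-b) raises the single multiple-connection-failure event. The failback loop then either returns to ssim-a once it is reachable or, after the five-minute retry period, promotes ssim-c to permanent primary, which is the state the procedure says you must undo by hand in the Primary Manager drop-down list.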

344 344 Working with Information Manager configurations Setting up blacklisting for logon failures Setting up blacklisting for logon failures When failed attempts to log on to the Information Manager console occur repeatedly, it may indicate an attempt to break in to the system. Information Manager blacklists computers from which repeated failed logon attempts are made. See About agent configurations on page 333. The Administrative tab lets you control how Information Manager responds to logon failures. To set up blacklisting for logon failures 1 In the Information Manager console, on the System view, on the Product Configurations tab, expand the domain, expand SSIM Agent and Manager and click Manager Components Configurations. 2 Select the custom configuration that you want to edit. You cannot edit the Default configuration. 3 On the Administrative tab, to control how Information Manager handles blacklisting for logon failures, do the following: Blacklist threshold time Adjust the window of time during which failed logon attempts are accumulated. When the accumulated count is larger than the blacklist threshold count, the IP address from which the logon attempts originate is added to the blacklist. Blacklist threshold count Blacklist entry duration Specify the number of failed logon attempts within the blacklist threshold time that causes an IP address to be placed on the blacklist. Specify the length of time for the IP address to remain on the blacklist before it is automatically removed and logons from the IP address are again permitted. 4 Click Save. Modifying administrative settings You can control the following behaviors of the Information Manager console by changing administrative settings: How long a console session is idle before it times out

345 Working with Information Manager configurations About Manager configurations 345 The character set that is used when you export reports How Information Manager responds to repeated failed logon attempts See About the Manager components configurations on page 342. To modify administrative settings 1 In the Information Manager console, on the System view, on the Product Configurations tab, expand the domain, expand SSIM Agent and Manager and click Manager Components Configurations. 2 Select the custom configuration that to edit. You cannot edit the Default configuration. 3 In the right pane, on the Administrative tab, next to Session idle interval, do one of the following: To increase the time before the Information Manager console times out, type a higher value. Increase the value if you do not want the Information Manager console session to time out so quickly. To decrease the time before the Information Manager console times out, type a lower value. Lower the value to increase security. 4 If the Datastore contains double-byte characters for languages such as Japanese, next to Export character set selector, select the check box. This setting configures the Manager to export data in Unicode encoding, which lets you export reports with double-byte characters to the HTML or the CSV formats. 5 If necessary, configure the blacklist settings. See Setting up blacklisting for logon failures on page To compress the results, select Compress the results. 7 Click Save. If session timeout occurs on an Information Manager console, the logon screen is displayed so that the user can log on again. About Manager configurations Common settings in the Manager configurations may affect one or more of the manager components across Managers. These common settings include selecting

the Information Manager Directory and Datastore for the domain, and setting throttle options that control connection attempts to Managers.

See About agent configurations on page 333.

Table 22-6 lists the tabs on which you can change settings for Manager configurations.

Table 22-6 Manager Configuration tabs

General: Contains the name, description, and the date of last modification of the configuration.

Throttle: Lets you balance security and scalability on a Manager by controlling when or how often events are sent to the Information Manager Datastore. For example, you can set a threshold for all Managers. When an Agent tries to contact a Manager too many times in a given time period, the computer is denied access to the Manager for an allotted time. If you make the timeouts shorter, you protect yourself more against hyperactive clients or denial-of-service attacks. If you make the time allotments longer, you may increase the performance of the server and avoid problems with false positives for hyperactive clients.

Client Validation: Controls how Information Manager handles the validation of clients. For example, on this tab, you can set how Information Manager reacts to clients that provide bogus passwords. If Information Manager attempts to validate a client and fails, the client is blacklisted until the entry times out. This tab lets you set how long those timeouts last.

Web Server: This tab is deprecated and should not be used.

Other: Contains the miscellaneous settings that let you fine-tune the operation of your Manager. For example, one setting lets you configure the minimum disk space that the Manager requires before its logging and other functions are suspended. See Increasing the minimum free disk space requirement in high logging volume situations on page 347.
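The windowed counting behind the Administrative tab's blacklist settings (threshold time, threshold count, entry duration) and behind the timed denial that the Throttle and Client Validation tabs describe, modelled in Python as an added example that is not Information Manager code; the class and method names and the sample logon records are assumptions.

```python
"""Sliding-window logon-failure blacklist with the three Administrative tab
parameters (Blacklist threshold time, Blacklist threshold count, Blacklist
entry duration), replayed over constructed logon records. Added example,
not Information Manager code; class and method names are assumptions."""
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple


@dataclass
class LogonBlacklist:
    threshold_time: timedelta    # window in which failed logons accumulate
    threshold_count: int         # failures within the window that trigger an entry
    entry_duration: timedelta    # how long an address stays on the blacklist
    _failures: Dict[str, Deque[datetime]] = field(default_factory=dict)
    _entries: Dict[str, datetime] = field(default_factory=dict)  # ip -> expiry

    def is_blacklisted(self, ip: str, now: datetime) -> bool:
        """True while the entry for ip has not yet expired.

        An expired entry is removed automatically, so logons from the address
        are permitted again without operator action.
        """
        expiry = self._entries.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self._entries[ip]
            return False
        return True

    def record_failure(self, ip: str, now: datetime) -> bool:
        """Count a failed logon from ip; return True if it caused blacklisting."""
        window = self._failures.setdefault(ip, deque())
        window.append(now)
        # Only failures inside the threshold time count toward the threshold.
        while window and now - window[0] > self.threshold_time:
            window.popleft()
        # The guide's two descriptions differ on "larger than" versus "reaches";
        # this model blacklists as soon as the count reaches threshold_count.
        if len(window) >= self.threshold_count:
            self._entries[ip] = now + self.entry_duration
            del self._failures[ip]
            return True
        return False

    def attempt(self, ip: str, now: datetime, succeeded: bool) -> str:
        """Decide one logon attempt: denied, ok, failed or blacklisted."""
        if self.is_blacklisted(ip, now):
            return "denied"      # rejected before credentials are even checked
        if succeeded:
            return "ok"
        return "blacklisted" if self.record_failure(ip, now) else "failed"


def replay(records: List[str], blacklist: LogonBlacklist) -> List[Tuple[str, str, str]]:
    """Feed '<ISO timestamp> <ip> <success|failure>' lines through the blacklist."""
    decisions = []
    for line in records:
        stamp, ip, outcome = line.split()
        when = datetime.fromisoformat(stamp)
        decisions.append((stamp, ip, blacklist.attempt(ip, when, outcome == "success")))
    return decisions


# Constructed sample records (not real console logs): three failures from
# 10.1.2.3 inside one minute, slower failures from 10.9.9.9 that never fit
# in the window, and a retry from 10.1.2.3 after its entry has expired.
SAMPLE_RECORDS = [
    "2011-03-01T10:00:00 10.1.2.3 failure",
    "2011-03-01T10:00:20 10.1.2.3 failure",
    "2011-03-01T10:00:40 10.1.2.3 failure",
    "2011-03-01T10:01:00 10.1.2.3 success",
    "2011-03-01T10:02:00 10.9.9.9 failure",
    "2011-03-01T10:03:30 10.9.9.9 failure",
    "2011-03-01T10:04:00 10.9.9.9 failure",
    "2011-03-01T10:06:00 10.1.2.3 success",
]


def demo() -> List[str]:
    """Threshold time 60 s, threshold count 3, entry duration 5 minutes."""
    blacklist = LogonBlacklist(timedelta(seconds=60), 3, timedelta(minutes=5))
    return [decision for _, _, decision in replay(SAMPLE_RECORDS, blacklist)]


if __name__ == "__main__":
    settings = LogonBlacklist(timedelta(seconds=60), 3, timedelta(minutes=5))
    for stamp, ip, decision in replay(SAMPLE_RECORDS, settings):
        print(stamp, ip, decision)
```

With these settings the third failure from 10.1.2.3 inside the 60-second window creates the entry, the later attempt from 10.9.9.9 never accumulates three failures within any 60-second window, and the 10.1.2.3 retry after the five-minute entry duration is accepted again.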

Increasing the minimum free disk space requirement in high logging volume situations

The Other tab of the Manager Configurations includes the Free space minimum size property. This property specifies the amount of free space that is needed for the Manager to function properly. The amount of free space is checked every two minutes, and an event is created if the free space is less than the minimum specified.

See About Manager configurations on page 345.

In an environment that generates a high volume of log messages, you should increase the free space minimum size.

To increase the free space minimum size

1 In the Information Manager console, in the System view, on the Product Configurations tab, expand the domain, expand SSIM Agent and Manager, and click Manager Configurations.

2 Select the custom configuration that you want to edit. You cannot edit the Default configuration.

3 In the right pane, on the Other tab, increase the value of the Free space minimum size property to meet the needs of your environment. By default, the free space minimum size is 50 MB. In an environment with a high volume of log messages, you should increase the minimum disk space to at least 100 MB. If the Manager is installed on the operating system drive, you should set the free space minimum to at least 2 GB.

4 Click Save.

About Manager connection configurations

Manager connection configurations let you configure failover for Managers. Failover is the ability of Information Manager components to automatically switch to designated secondary resources if the primary resource fails or terminates abnormally. You can configure the Directory on one Information Manager server to fail over to the Directory on another Information Manager server.

See About Manager configurations on page 345.

After you configure failover, distribute the configurations to Managers that require failover protection.

Table 22-7 lists the tabs on which you can change the failover settings for the Manager.

Table 22-7 Manager Connection Configurations tabs

General: Contains the name, description, and date of the last modification of the configuration.

SSIM Directory Failover: Lets you specify the primary Information Manager Directory and control how failover takes place when that primary Information Manager Directory becomes unavailable.

About configuring Information Manager directories

Failover enables Information Manager to automatically switch to a standby Information Manager Directory if the primary Information Manager Directory fails or terminates abnormally.

See About Manager configurations on page 345.

The SSIM Directory Failover tab of the Manager Connection Configurations lets you do the following tasks:

Configure the Information Manager to Information Manager directory failover.

Log Information Manager directory connection failures.

About configuring LiveUpdate

About Java LiveUpdate

LiveUpdate is the Symantec technology that lets installed Symantec products connect to a server automatically for program updates. You can use LiveUpdate to update the Manager and the agent components. Symantec LiveUpdate uses Java LiveUpdate to update Information Manager components such as lookup tables, normalization content, rules, system queries, filters, monitors, collectors, and sensors. When you install the Symantec Event Agent on a computer, Java LiveUpdate is installed automatically. You can also distribute the Java LiveUpdate configurations to any of the computers in an organizational unit.

When Java LiveUpdate runs, it connects to the server that is specified in liveupdate.conf. The compressed catalog file (livetri.zip) is downloaded into the local LiveUpdate package directory and the LiveUpdt.tri files are extracted. Java LiveUpdate determines whether updates are available for the specified products. For each update that is found, a temporary directory is created under the local directory, into which the compressed files are copied. The packages are authenticated, decompressed, and installed.

Java LiveUpdate tracks configuration information about multiple LiveUpdate servers or hosts. It tries each of the servers in the order in which they are listed in the Java LiveUpdate configuration file. When a specified server is unreachable, it automatically fails over to the next host.

Java LiveUpdate requires Java Runtime Edition or later. Information Manager and the Symantec Event Agent use Java LiveUpdate 3.7, which is the latest version of Java LiveUpdate. When you upgrade Information Manager to 4.7 Maintenance Pack 3, Java LiveUpdate 3.7 is installed on the Information Manager server.

See Creating Java LiveUpdate configurations on page 349.

See Modifying Java LiveUpdate configurations on page 351.

See Editing Java LiveUpdate configuration properties on page 357.

See Distributing a Java LiveUpdate configuration on page 358.

Creating Java LiveUpdate configurations

Java LiveUpdate is installed with a default configuration that is specified in the LiveUpdate.conf configuration file. However, you may want to modify or distribute additional configurations to the client computers. You can use the Information Manager console to create and distribute additional Java LiveUpdate configurations to the computers on which Java LiveUpdate 3.7 is installed. When you create or modify a Java LiveUpdate configuration, you must specify the client computers to associate with the configuration.
Before distributing a Java LiveUpdate configuration, you must first configure it for distribution. You can do this by modifying an existing configuration, or you can create a new Java LiveUpdate configuration. To create a new LiveUpdate configuration, you must use the Create a new Configuration wizard.

See Modifying Java LiveUpdate configurations on page 351.

See Distributing a Java LiveUpdate configuration on page 358.

Host data is not passed from the Java LiveUpdate server to the Java LiveUpdate client if there are blank entries in the host settings. For example, if you enter host data for Host 2 but leave the Host 1 settings empty, host information is not sent to the

Java LiveUpdate client computer. As soon as you enter data for Host 1, the host information for Host 1 as well as Host 2 is sent.

To create a Java LiveUpdate configuration

1 In the Information Manager console, go to System > Product Configurations and navigate to LiveUpdate.

2 Expand the tree view and select Java LiveUpdate.

3 Click Add. You can enter the details about the configuration in the Create new configuration wizard. You can also add the computers on which this configuration is applied.

4 Click Finish.

See About Java LiveUpdate on page 348.

See Editing Java LiveUpdate configuration properties on page 357.

Scheduling LiveUpdate requests

In the Information Manager console, you can schedule a LiveUpdate request for new versions of the Manager and the agent.

See About configuring LiveUpdate on page 348.

Note: Events are not generated when a Manager or an agent LiveUpdate occurs.

To schedule a LiveUpdate request

1 In the Information Manager console, on the System view, on the Product Configurations tab, do one of the following:

To schedule LiveUpdate of the Manager, expand the domain, expand SSIM Agent and Manager, and click Manager Components Configurations.

To schedule LiveUpdate of the agent, expand the domain, expand SSIM Agent and Manager, and click Agent Configuration.

2 Select the custom configuration that you want to edit. You cannot edit the default configuration.

3 In the right pane, on the LiveUpdate tab, specify the date and time to perform the LiveUpdate by clicking the ellipsis (...) to the right of the Datetime value.

4 In the Calendar dialog box, set the date and time for LiveUpdate to run:

Month drop-down list: Select a month.

Year: Select a year.

Calendar: Select a day.

Time control: Click each section of the time control (hours, minutes) to change the value. Select AM or PM as relevant.

5 Click OK.

6 On the LiveUpdate tab, do one or more of the following:

Retry interval: Specify how often to retry the LiveUpdate if the first attempt is not successful.

Random delay: Specify a random delay to be used to stagger update requests.

Enable: Select this check box to enable LiveUpdate to take place at the time that is scheduled on the LiveUpdate tab.

Use local time: Specify whether the local time should be used for scheduling purposes.

7 Click Save.

Modifying Java LiveUpdate configurations

To change an existing Java LiveUpdate configuration, you can modify one or more settings on the Java LiveUpdate tabs.

To modify a Java LiveUpdate configuration

1 In the Information Manager console, go to System > Product Configurations and navigate to LiveUpdate > Java LiveUpdate.

2 Under Java LiveUpdate, select the configuration that you want to modify. The Java LiveUpdate configuration settings tabs appear in the right pane.

3 Modify the configuration using the following tabs as necessary:

General: See Java LiveUpdate: General tab on page 352.

Java LiveUpdate tab:

See Java LiveUpdate: Java LiveUpdate tab on page 352.

Hosts: See Java LiveUpdate: Hosts on page 356.

Java LiveUpdate: General tab

The General tab displays the name and description of the selected Java LiveUpdate configuration. A Java LiveUpdate configuration is a collection of settings that you can apply to products on computers directly. The Default Java LiveUpdate configuration is used by default.

The General tab contains the following options:

Configuration name: Name of the configuration. You cannot modify this name after creating it.

Description: A description of the configuration. You cannot change the description of the Default configuration.

Last Modified On: The date and time the configuration was last modified. The value is set automatically when you change a configuration. You cannot change it manually.

See Modifying Java LiveUpdate configurations on page 351.

See Java LiveUpdate: Java LiveUpdate tab on page 352.

See Java LiveUpdate: Hosts on page 356.

Java LiveUpdate: Java LiveUpdate tab

The Java LiveUpdate tab lets you specify the network proxy server settings that may be required for Java LiveUpdate sessions in your network environment. You can also specify additional LiveUpdate HTTP or FTP servers to use for downloading product updates. The Java LiveUpdate tab also lets you specify the maximum size of LiveUpdate log files. You can also enable the cachemode option, which stores LiveUpdate package data until the data size reaches a threshold. This threshold is defined in the downloadcachesize field. Once the threshold is reached, the cached data is purged and maintained at the size that is defined in the downloadcachesize field.

Proxy server: Specifies a proxy server address. If you use an HTTP proxy server for Java LiveUpdate, use the FQDN (fully qualified domain name) or the IP address of the network proxy server. The address must be either the TCP/IP address or the FQDN of the proxy server. This setting is not supported for FTP.

ProxyServerPort: Specifies the port on which the proxy server listens (optional). If a port number is not specified, it defaults to 80. The port must be the TCP/IP port that the proxy server listens on.

ProxyUsername: Specifies the proxy server user name. If you use an HTTP proxy server for Java LiveUpdate, use the user name for the account that is used to log on to the proxy server. The user name and password let Java LiveUpdate authenticate itself to the proxy server. This authentication is not SSL authentication.

ProxyPassword: Specifies the password that is associated with the specified ProxyUsername account. If you use an HTTP proxy server for Java LiveUpdate, use the password for the account that is used to log on to the proxy server. The user name and password let Java LiveUpdate authenticate itself to the proxy server. This authentication is not SSL authentication.

OverrideExistingConfig: Check this option if you want to overwrite the existing configuration data in the LiveUpdate.conf file with the Java LiveUpdate configuration settings. Uncheck this option if you want to append the Java LiveUpdate configuration settings to the existing configuration data in the LiveUpdate.conf file. When you distribute the Java LiveUpdate configuration, the configuration data in the LiveUpdate.conf file is overwritten or appended accordingly.

You can use the Java LiveUpdate Hosts tab to append additional host server entries to the existing LiveUpdate.conf file. If you do, make sure that you type the information in a numbered Host field that is not already used in the LiveUpdate.conf file. Each numbered Host field corresponds to the numbered host entries in LiveUpdate.conf. As a result, if you type an entry for Host 0 in the Hosts tab, and the existing LiveUpdate.conf file already has a Host 0 value, then the new Host 0 value overwrites the existing Host 0 value, regardless of whether the option is checked or unchecked.

You can check this option to configure Java LiveUpdate to have all users use the same proxy server user name and password. You can uncheck this option if you have already set up individual user names and passwords for each Java LiveUpdate computer in your network environment.

The default setting is false.

AllowConfigSwapping: Check this option if you want Java LiveUpdate to use an alternative method of retrieving host- and connection-based information. When you uncheck this option, Java LiveUpdate uses the default LiveUpdate.conf file to obtain its connection settings. However, when you set the value to true, Java LiveUpdate obtains host- and connection-based settings another way. The method depends on how the LiveUpdate environment is set up: the information comes either from a .hst (host) file that was created using the LiveUpdate Administration Utility, or from a LiveUpdate.conf file other than the default one.

To set up Java LiveUpdate to use a .hst file for its host- and connection-based information, an administrator must edit the default LiveUpdate.conf file to include a .hst value for the host file entry. A host file is typically used to let corporate clients connect to an intranet server designated as an internal LiveUpdate or Java LiveUpdate server.

An administrator can also set up Java LiveUpdate to use a LiveUpdate.conf file other than the default one to obtain host- and connection-based information. Append a -c command-line switch along with the full path of the non-default LiveUpdate.conf file when the Java LiveUpdate session is executed at the command line.

For either method to work, the Allow Configuration Swapping option must be checked. If it is unchecked, Java LiveUpdate ignores the -c command-line switch and the .hst file entry, and uses the configuration settings in the default LiveUpdate.conf file instead.

The default setting is false.

MaxLogFileSize: You can modify the maximum size of the LiveUpdate log file on the end-user computers. When a log file reaches its maximum size, the earliest log entry or entries are deleted to make room for the most recent log entry. The default setting is 1024 KB.

cachemode: If you enable this option, the LiveUpdate package data is cached after each Java LiveUpdate session. This data is stored until the cache size reaches the threshold that is defined in the downloadcachesize field. Once this threshold is reached, the cached data is purged and maintained at the size that is defined in the downloadcachesize field. By default, the cachemode option is enabled.

downloadcachesize: Lets you specify the threshold for the download cache. When the cache reaches its maximum size, the earliest cache entries are deleted. You can set the downloadcachesize value between 16 MB and 4096 MB. The default setting is 2048 MB.

See Modifying Java LiveUpdate configurations on page 351.

See Java LiveUpdate: General tab on page 352.

See Java LiveUpdate: Hosts on page 356.

Java LiveUpdate: Hosts

The Hosts tab lets you configure up to 10 different LiveUpdate servers for updating Information Manager components. For each Java LiveUpdate server in your network environment, you must specify a URL. If the server uses the FTP protocol for Java LiveUpdate, you must also specify the FTP user name and password.

Host#URL: The URL of the computer that can be used as a LiveUpdate server. You can use the HTTP or FTP protocols (HTTPS and FTPS are not supported). If you do not specify a protocol in the URL, Java LiveUpdate uses the HTTP protocol.

Host#Username: The FTP user name, if the LiveUpdate server uses the FTP protocol.

Host#Password: The FTP password, if the LiveUpdate server uses the FTP protocol.

See Modifying Java LiveUpdate configurations on page 351.

See Java LiveUpdate: General tab on page 352.

See Java LiveUpdate: Java LiveUpdate tab on page 352.

Editing Java LiveUpdate configuration properties

You can edit the Java LiveUpdate configuration properties and add the computers that can use the Java LiveUpdate configuration before you distribute the configuration.

To edit Java LiveUpdate configuration properties

1 On the Product Configurations tab, in the left pane, under the top-level SESA domain, expand LiveUpdate > Java LiveUpdate.

2 Under Java LiveUpdate, right-click the configuration that you want to modify, and then click Properties.

3 In the Configuration Properties dialog box, on the Computers tab, click Add.

4 In the Find Computers dialog box, in the Computer name text box, type a computer name or a combination of letters and an asterisk. Click Start Search.

5 By default, the Computer name text box contains an asterisk (*), which serves as a wildcard character, displaying all computers that have been defined.

6 In the Available computers view, select one or more computers and click Add.

7 In the Configuration Properties dialog box, click OK.

See About Java LiveUpdate on page 348.

See Creating Java LiveUpdate configurations on page 349.

See Modifying Java LiveUpdate configurations on page 351.

See Distributing a Java LiveUpdate configuration on page 358.

Distributing a Java LiveUpdate configuration

After you have created or modified a Java LiveUpdate configuration as appropriate, you can distribute it to Java LiveUpdate client computers. These configurations can be distributed to any of the following computer platforms:

Windows 32-bit

Windows 64-bit

Solaris

RHEL 4.0

RHEL 5.0

To successfully distribute a Java LiveUpdate configuration, you must specify the target computers when you create or modify the Java LiveUpdate configuration.

To distribute a Java LiveUpdate configuration

1 On the Product Configurations view tab, in the left pane, under the top-level SESA domain, expand LiveUpdate > Java LiveUpdate.

2 Under Java LiveUpdate, right-click a configuration, and then click Distribute.

3 When you are prompted to distribute the configuration, click Yes. A message is sent to all the computers to check for new configurations. When a computer receives this message, it contacts Information Manager to request a download of the configurations.

See About Java LiveUpdate on page 348.

See Creating Java LiveUpdate configurations on page 349.

See Modifying Java LiveUpdate configurations on page 351.

See Editing Java LiveUpdate configuration properties on page 357.
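How the OverrideExistingConfig option and the Hosts tab rules described in the preceding sections play out in a client's LiveUpdate.conf, as an added example that is not Symantec code. The key=value file layout and the hosts/<n>/url, hosts/<n>/login and hosts/<n>/password key names are assumptions for the illustration, not taken from the guide.

```python
"""How a distributed Java LiveUpdate configuration lands in a client's
LiveUpdate.conf under the OverrideExistingConfig and Hosts tab rules:
numbered Host slots overwrite the matching numbered entry regardless of the
option, a blank slot below a used one means no host data is sent at all,
HTTP is assumed when a URL has no protocol, and HTTPS/FTPS are rejected.
Added example, not Symantec code. Assumed (not from the guide): the file is
key=value and host entries use hosts/<n>/url, /login and /password keys."""
import re
from typing import Dict, Tuple

HOST_KEY = re.compile(r"^hosts/(\d+)/(url|login|password)$")
MAX_HOSTS = 10  # the Hosts tab offers slots 0 through 9


def parse_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and # comments are ignored."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def normalize_url(url: str) -> str:
    """Host#URL rule: HTTP or FTP only; HTTP is used when no protocol is given."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        return "http://" + url
    if scheme.lower() not in ("http", "ftp"):
        raise ValueError(f"unsupported protocol in Host URL: {url}")
    return f"{scheme.lower()}://{rest}"


def host_settings(slots: Dict[int, Tuple[str, str, str]]) -> Dict[str, str]:
    """Convert Hosts tab slots {n: (url, ftp_user, ftp_password)} to conf keys.

    Returns an empty dict when any slot below the highest used one is blank,
    because then no host data is passed to the client at all.
    """
    if not slots:
        return {}
    if max(slots) >= MAX_HOSTS or min(slots) < 0:
        raise ValueError("Hosts tab supports slots 0 through 9")
    if any(n not in slots or not slots[n][0] for n in range(max(slots) + 1)):
        return {}
    settings: Dict[str, str] = {}
    for n, (url, user, password) in sorted(slots.items()):
        settings[f"hosts/{n}/url"] = normalize_url(url)
        if user or password:  # only meaningful for FTP servers
            settings[f"hosts/{n}/login"] = user
            settings[f"hosts/{n}/password"] = password
    return settings


def distribute(existing: Dict[str, str], settings: Dict[str, str],
               slots: Dict[int, Tuple[str, str, str]],
               override_existing_config: bool) -> Dict[str, str]:
    """Return the LiveUpdate.conf contents after the configuration is distributed."""
    incoming = dict(settings)
    incoming.update(host_settings(slots))
    if override_existing_config:
        return incoming  # the whole existing file is replaced
    merged = dict(existing)
    for key, value in incoming.items():
        # Numbered host entries always overwrite their counterpart; for other
        # keys, "append" is modelled (an assumption) as adding only missing ones.
        if HOST_KEY.match(key) or key not in merged:
            merged[key] = value
    return merged


# Constructed sample of an existing client LiveUpdate.conf (not a real file).
EXISTING_CONF = """# constructed sample
hosts/0/url=http://liveupdate-a.example.internal
workdir=/tmp
maxLogFileSize=1024
"""


def demo() -> Dict[str, Dict[str, str]]:
    """Three distributions against the same existing file."""
    existing = parse_conf(EXISTING_CONF)
    new_settings = {"cachemode": "true", "maxLogFileSize": "2048"}
    gapped = {0: ("liveupdate-b.example.internal", "", ""),
              2: ("ftp://liveupdate-c.example.internal", "lu", "ftp-secret")}
    contiguous = {0: gapped[0], 1: gapped[2]}
    return {
        "append_with_gap": distribute(existing, new_settings, gapped, False),
        "append": distribute(existing, new_settings, contiguous, False),
        "override": distribute(existing, new_settings, contiguous, True),
    }
```

In the gapped case only the non-host settings reach the file and the existing Host 0 survives; once slot 1 is filled, the new Host 0 replaces the old one even though the option is unchecked, and only the override case drops keys such as workdir that the distributed configuration does not carry.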

Section 7 Managing application data

Chapter 23. Maintaining the Information Manager database

Chapter 24. Managing data backup, restore, and purge


Chapter 23 Maintaining the Information Manager database

This chapter includes the following topics:

About database maintenance

Checking database status

About the database health monitor service

About purging event summary, alerts, and incident data

About database maintenance

The Symantec Security Information Manager uses an IBM DB2 database to store event summary, incident, ticket, asset, rule, and report data. These elements are stored in separate tablespace containers in the database. The most common maintenance tasks have been automated to make the database largely self-maintaining. The status of the database is checked regularly, and such tasks as database reorganization and statistics gathering occur automatically as they are required.

See Checking database status on page 361.

Checking database status

The Database Status view displays the current information about the overall health of the Information Manager database. The Jobs status area in the details

pane displays the status of the maintenance jobs that run to keep the database healthy. The information in the details pane of the Database Status view is updated automatically as conditions change. On the Web configuration interface, you can access the Database Status view from Monitor > SSIM > Database Status.

The Status view includes the following:

Database Health Monitor: Indicates the current health status of the database. See About the database health monitor service on page 362.

Database Space: Displays the amount of space that the incidents and tablespaces currently use. For each tablespace, the value is expressed as a percentage of the total space that is available to that tablespace.

Job Status: Lists the current status of data maintenance activities. Regularly scheduled jobs are listed, along with any jobs that you initiate manually.

To check database status

1 Log on as an administrator to the Web configuration interface of the Information Manager server.

2 Go to Monitor > SSIM > Database Status.

3 To refresh the status information immediately, click Refresh.

About the database health monitor service

The database on the Symantec Security Information Manager server includes a health monitor service that checks the health status of the database. The page refreshes every 60 seconds. You can access the Database Health Monitor Service from Monitor > SSIM > Database Status.

In the details pane of the Database Status view, the Database Health Monitor area displays one of the following status indicators: OK, Warning, Alarm, or Critical. The Warning, Alarm, and Critical status indicators appear in the following circumstances:

The Warning indicator appears if a tablespace reaches 60 percent of total capacity. It also appears if a tablespace reaches the Safe Level parameter in the Automated Purge area of Settings > Database > Maintenance Options.

The Alarm indicator appears if a tablespace reaches 70 percent of total capacity. It also appears if a tablespace reaches the Alarm Level parameter in the Automated Purge area of Settings > Database > Maintenance Options. If a tablespace reaches the Alarm threshold, data is purged automatically until the size falls under the configured safe level.

The Critical indicator appears if the tablespace reaches 95 percent of total capacity. The tablespace size can reach the critical level in certain situations. For example, a lengthy backup might delay a scheduled health check at the same time that a high number of new incidents are generated. In this case, the tablespace size can reach the critical level before the health check is run. If the tablespace size reaches the critical level, data is purged automatically. Event logging and correlation are suspended during the purge. Event logging and correlation resume once the size falls under the configured safe level.

About purging event summary, alerts, and incident data

See About database maintenance on page 361.

Summary events, alerts, and incidents data are purged as follows:

Daily maintenance purge: An automatic daily purge is performed for all the data that does not meet the configured retention criteria. You can configure the retention period for the data. You can also configure the types of incidents and alerts that should be retained or purged, based on their status. See Adjusting parameters for automated purges on page 364.

Manual purge: A purge of data that you can initiate at any time. See Purging incident or event summary data on page 376. See Purging selective backup files on page 378.

The database is automatically reorganized after a purge whenever necessary.

Note: In some situations, the size of a tablespace can reach the critical level, which is 95 percent of total capacity.
When this threshold is reached, a purge is initiated automatically, and event logging and correlation are suspended until the size falls under the safe level.

Adjusting parameters for automated purges

During the daily maintenance purge, the data is purged automatically using the following default criteria:

All Hourly (Short Term) Summary events more than eight days old are purged from the event data.

All Daily, Weekly, and Monthly (Long Term) Summary events more than 60 days old are purged from the event data. Summary event data is used in event reports. By default, report data is retained for 30 days.

All Closed incidents or Open incidents more than 30 days old are purged.

All Closed Alerts and Deleted Alerts that are more than 30 days old are purged.

You can adjust the parameter values for the daily maintenance purge to suit your needs. Do not increase the retention periods unless it is necessary. Depending on your deployment, event data can fill the tablespace quickly and lead to frequent size-based purges.

To adjust parameters for daily automated purges

1 In the Web configuration interface, go to Settings > Database > Maintenance Options.

2 In the details pane, under the Automated Purge area, to specify the type of data to purge, select the options that you want from the following:

Hourly (or Short Term) Event Summary Data

Daily (or Long Term) Event Summary Data

Incidents, Alerts, and Tickets

3 Under Incidents, Alerts and Tickets, select one or more of the following:

Closed Incidents

Deleted Incidents

Open Incidents

Closed Tickets

Open Tickets

Closed Alerts

Deleted Alerts

Open Alerts

4 In the box where you specify how many days of data to retain, type a number. The default data retention value is seven days. Only the summary events, incidents, and alerts that are more than seven days old are purged.

5 You also need to set the values for the safe level and alarm level in the corresponding boxes. See Setting the safe level and the alarm level for automated purges on page 365.

6 To apply your changes, click Apply.

Setting the safe level and the alarm level for automated purges

In most deployments you do not need to adjust the thresholds for automated purges. They are designed to help maintain the Information Manager server automatically, and to help you evaluate database usage on the Information Manager server. If the alarm threshold for summary events is triggered frequently, consider ways to reduce the flow of data to the server instead of increasing the threshold values.

If necessary, you can configure the following parameters for automated purges based on size:

Alarm Level: The percentage of total tablespace capacity at which the automated, size-based purge is triggered. The Alarm Level value must be less than the critical level, which is 95 percent of total capacity. The critical level cannot be changed. By default, the Alarm Level for both events and incidents is 70 percent.

Safe Level: The percentage of total capacity at which the size-based purge operation stops. The Safe Level value must be at least 10 percent less than the Alarm Level. By default, the Safe Level for both summary events and incidents is 60 percent.

The summary events and incidents tablespaces are monitored independently. For example, the thresholds for incidents apply to the size of the incidents tablespace, regardless of the size of the summary events tablespace.

To configure the alarm level and safe level values for automated purges

1 Go to Settings > Database > Maintenance Options.

2 In the details pane, in the Automated Purge section, in Safe Level and Alarm Level, type a new percentage value.

3 To apply your changes, click Apply.
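The indicator thresholds, the size-based purge down to the Safe Level, and the Alarm Level/Safe Level constraints from the database health monitor and Automated Purge sections above, modelled as an added example that is not the product's health monitor service; the function names, the data chunks and the tablespace sizes are constructed for the illustration.

```python
"""Database Health Monitor indicators and the size-based automated purge as
the Database Status view and the Automated Purge settings describe them.
Added example, not the product's health monitor service; names are
assumptions and the tablespace contents are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

WARNING_PERCENT = 60.0
ALARM_PERCENT = 70.0
CRITICAL_PERCENT = 95.0  # fixed by the product; cannot be changed


@dataclass(frozen=True)
class PurgeThresholds:
    """Alarm Level and Safe Level from Settings > Database > Maintenance Options."""
    alarm_level: float = 70.0
    safe_level: float = 60.0

    def validate(self) -> "PurgeThresholds":
        if not 0 < self.alarm_level < CRITICAL_PERCENT:
            raise ValueError("Alarm Level must be below the 95 percent critical level")
        if self.safe_level <= 0 or self.safe_level > self.alarm_level - 10:
            raise ValueError("Safe Level must be at least 10 percent below Alarm Level")
        return self


def thresholds_are_valid(alarm_level: float, safe_level: float) -> bool:
    """Convenience check for values typed into the Automated Purge section."""
    try:
        PurgeThresholds(alarm_level, safe_level).validate()
        return True
    except ValueError:
        return False


@dataclass
class Tablespace:
    name: str
    capacity_mb: float
    chunks: List[Tuple[int, float]] = field(default_factory=list)  # (age_days, size_mb)

    @property
    def used_percent(self) -> float:
        return 100.0 * sum(size for _, size in self.chunks) / self.capacity_mb


def indicator(used_percent: float, thresholds: PurgeThresholds) -> str:
    """Status shown in the Database Health Monitor area for one tablespace.

    Warning triggers at 60 percent or at the Safe Level, Alarm at 70 percent
    or at the Alarm Level, whichever is reached first; Critical is fixed at 95.
    """
    if used_percent >= CRITICAL_PERCENT:
        return "Critical"
    if used_percent >= min(ALARM_PERCENT, thresholds.alarm_level):
        return "Alarm"
    if used_percent >= min(WARNING_PERCENT, thresholds.safe_level):
        return "Warning"
    return "OK"


def health_check(ts: Tablespace, thresholds: PurgeThresholds) -> Dict[str, object]:
    """One health-check pass over a single tablespace.

    The summary events and incidents tablespaces are checked independently.
    At Alarm or Critical the oldest data is purged until usage falls under the
    Safe Level; only a Critical purge suspends event logging and correlation.
    """
    thresholds.validate()
    before = indicator(ts.used_percent, thresholds)
    purged = 0
    if before in ("Alarm", "Critical"):
        ts.chunks.sort(key=lambda chunk: chunk[0], reverse=True)  # oldest first
        while ts.chunks and ts.used_percent >= thresholds.safe_level:
            ts.chunks.pop(0)
            purged += 1
    return {
        "tablespace": ts.name,
        "status_before": before,
        "purged_chunks": purged,
        "used_after_percent": round(ts.used_percent, 1),
        "status_after": indicator(ts.used_percent, thresholds),
        "logging_suspended": before == "Critical",
    }


def demo() -> List[Dict[str, object]]:
    """Constructed sizes: a summary events tablespace that missed a check and
    reached 96 percent, and an incidents tablespace sitting at 66 percent."""
    events = Tablespace("summary events", 1000.0,
                        [(age, 96.0) for age in range(1, 11)])
    incidents = Tablespace("incidents", 500.0, [(1, 110.0), (5, 110.0), (9, 110.0)])
    thresholds = PurgeThresholds()  # defaults: Alarm 70, Safe 60
    return [health_check(events, thresholds), health_check(incidents, thresholds)]
```

With the default levels the events tablespace goes Critical, loses its four oldest chunks until it sits under 60 percent, and logging is reported as suspended for that purge; the incidents tablespace only shows Warning and is left alone.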

Chapter 24 Managing data backup, restore, and purge

This chapter includes the following topics:

About backup, restore, and purge

Performing a complete LDAP directory server backup

Performing a complete LDAP directory server restore

Performing a complete database backup

Performing a complete database restore

Performing a selective backup

Performing a selective restore

Scheduling a backup

Editing a scheduled backup

Deleting a scheduled backup

Purging incident or event summary data

Purging selective backup files

About backup, restore, and purge

Symantec Security Information Manager uses an IBM DB2 database to store event summary, incidents, tickets, assets, rules, and report data. The Backup and Restore feature in Information Manager lets you perform maintenance tasks such as backup, restore, and purge. You can back up an existing Information Manager

368 368 Managing data backup, restore, and purge Performing a complete LDAP directory server backup database. You can also back up the LDAP directory server and perform selective backup. You can use an existing backup to restore an Information Manager database. You can also restore the LDAP directory server from an existing backup. Moreover you can perform selective restore of the components that are selectively backed up. Event summary data, incidents, tickets, and alerts can be purged manually. You can also perform selective purge of the files that were selectively backed up. Purges can be carried out automatically as per configured options on a daily basis to prevent the database overload. See Adjusting parameters for automated purges on page 364. Performing a complete LDAP directory server backup To perform an LDAP backup operation, you must use LDAP credentials with the administrative privileges. You can also enter an encryption password which is used to encrypt the backup file. Using the encryption password, the LDAP directory can be restored with the backup. A complete LDAP backup is permitted only on the directory server. Warning: If you work with the Information manager client during the backup process, there can be some authentication errors. These errors occur due to the directory server that gets shut down during the backup process. To back up the LDAP directory server 1 Log on to the Web configuration interface with Administrator credentials. 2 Click Maintenance > Backup and Restore > Backup. 3 From the options, select Full LDAP Backup. 4 Type the directory administrator (cn=root) user name in the LDAP distinguished name format and the password. The user name in the LDAP distinguished name format and the password of the LDAP user are mandatory. 5 (Optional) You can also supply an encryption password that encrypts the data. If a password is supplied here, then the encryption password is required during restore. 6 Click Backup Data. 
See Performing a selective backup on page 371.

See Performing a complete database backup on page 370.

Performing a complete LDAP directory server restore
You can initiate a complete restore of the LDAP directory server by using the Full LDAP Restore option on the Restore view of the Web configuration interface. To perform an LDAP restore operation, you must use LDAP credentials with administrative privileges.
The tools in the LDAP Restore script use the ldifbackup file to restore the directory. To use a different file, you must rename the file to ldifbackup and ensure that the file is included in the following folder on the server:
/dbsesa/backup/ldap
The root directory includes the /dbsesa/backup/ldap folder and the ldifbackup file in the ldap folder. You must connect to the Information Manager server over an SSH connection, change to the root user, and run the following commands:
chown root:root /dbsesa/backup/ldap
chown root:root /dbsesa/backup/ldap/ldifbackup
You must not restore an LDAP backup on an Information Manager server for which replication is configured. Doing so may corrupt the data on the Information Manager server and stop some services from functioning normally.
To perform a complete LDAP directory server restore
1 Log on to the Web configuration interface with Administrator credentials.
2 Click Maintenance > Backup and Restore > Restore.
3 From the options, select Full LDAP Directory Server Restore.
4 Type the directory administrator (cn=root) user name in the LDAP distinguished name format and the password. The user name in the LDAP distinguished name format and the password of the LDAP user are mandatory.
5 (Optional) You can also supply an encryption password that encrypts the data. If a password is supplied here, then the encryption password is required during restore.
6 Click Restore.
Once the restoration is completed, the Information Manager Web configuration interface is closed and the Information Manager server restarts automatically. An active Information Manager console is also closed after the restoration.

See Performing a selective restore on page 373.
See Performing a complete database restore on page 370.

Performing a complete database backup
You can initiate a complete backup of the database by using the Full Database Backup option on the Backup view of the Web configuration interface. This backup operation is independent of any automated backup operations that may be enabled. The complete database backup can affect the performance of the Information Manager server.
To perform a complete database backup
1 Log on to the Web configuration interface with Administrator credentials.
2 Click Maintenance > Backup and Restore > Backup.
3 From the options, select Full Database Backup and then click Backup.
4 Click OK in the confirmation message box. The full backup operation is a lengthy process and affects server performance. The complete backup process is initiated for the database and a notification is displayed on the details pane.
See Performing a selective backup on page 371.
See Performing a complete LDAP directory server backup on page 368.

Performing a complete database restore
You can initiate a complete restore of the database by using the Full Database Restore option on the Restore view of the Web configuration interface. All the available backup images are listed according to the date and time when the backup was created. The complete database backup can affect the performance of the Information Manager server.
To perform a complete database restore
1 Log on to the Web configuration interface with Administrator credentials.
2 Click Maintenance > Backup and Restore > Restore.
3 From the options, select Full Database Restore.

4 In the details pane, from the Restore from drop-down list, select the backup file that you want to restore. The date and time of the backup file creation are listed here.
5 Click Restore.
Warning: The Information Manager server is offline during this operation.
Once the restoration is completed, the Information Manager Web configuration interface is closed and the Information Manager server restarts automatically. An active Information Manager console is also closed after the restoration.
See Performing a selective restore on page 373.
See Performing a complete LDAP directory server restore on page 369.

Performing a selective backup
Information Manager lets you back up and restore data selectively. You can select the items for backup from the various components available for backup. The backup can be run immediately or scheduled for a later time. The backup data can also be stored on a mounted file system, which may be at a remote location. The destination location can be configured through the Web configuration interface. The directory administrator (cn=root) logon credentials for LDAP must be provided for selective backup.
You can select any or all of the following items for backup:
Incidents Data: Lets you back up the data that is associated with incidents, alerts, and tickets.
Assets Data: Lets you back up the data that is associated with assets used in Information Manager.
Services: Lets you back up the data that is associated with services used in Information Manager.
Networks: Lets you back up the data that is associated with networks in Information Manager.
Policies: Lets you back up the data that is associated with policies used in Information Manager.
Locations: Lets you back up the data that is associated with locations used in Information Manager.

Operating systems: Lets you back up the data that is associated with the operating systems used by Information Manager.
Product Configurations: Lets you back up the data that is associated with Collectors, Agent Sensors, Appliances, Agents, and Help desk configurations.
Published Reports: Lets you back up the published reports.
Published Queries: Lets you back up the published queries.
Rules: Lets you back up the data that is associated with user rules as well as system rules.
Event Filters: Lets you back up the data that is associated with user filters as well as system filters.
Monitors: Lets you back up the data that is associated with user monitors as well as system monitors.
Lookup tables: Lets you back up the data that is associated with user lookup tables as well as system lookup tables.
Paging services: Lets you back up the data that is associated with paging services in Information Manager.
Users: Lets you back up the data that is associated with the users in Information Manager, such as My Reports or My Queries. The roles that are assigned to users are not backed up when you back up the Users component.
User groups: Lets you back up the data that is associated with the user groups in Information Manager.
Roles: Lets you back up the data that is associated with the roles assigned to users as well as to user groups in Information Manager.
Appliance configurations: Lets you back up the data that is associated with Event Storage rules, Incident Forwarding rules, and Correlation Forwarding rules.
Managed reports: Lets you back up the reports that can be downloaded from the Information Manager Web configuration interface.
To perform a selective backup
1 Log on to the Web configuration interface with Administrator credentials.
2 Click Maintenance > Backup and Restore > Backup.

3 From the options, select Selective Backup and then type the directory administrator (cn=root) user name and password in the LDAP distinguished name format. Providing the directory administrator (cn=root) logon credentials for LDAP is mandatory for selective backup.
4 From the Components list, select the items for backup.
5 Type the file path or click Reset to default to set the default file path for storing the backup file. You can provide the path of the mounted file system if you choose to store the backup files there.
6 Click Backup to run an immediate backup, or click Schedule Backup.
The backup complete notification is displayed on the details pane. The selected items are backed up and saved at the file path provided.
See Performing a complete database backup on page 370.
See Performing a complete LDAP directory server backup on page 368.
See Scheduling a backup on page 374.

Performing a selective restore
Information Manager lets you back up and restore data selectively. From the list of backup files, you can select the components that need to be restored. You can select and restore only those data items that you require, instead of restoring all the data to an earlier state. If the backup file was created on a different Information Manager server, components that are associated with the database may not be available for restore. Some of the LDAP components are also not available for restore if the backup file was created on a different Information Manager server. The directory administrator (cn=root) logon credentials for LDAP must be provided for selective restore.
Warning: If you used a Network File System (NFS) mounted directory for backup, you must ensure that the NFS server is running during selective restore. If the NFS server is not running, you must ensure that the Information Manager server does not use any NFS mounted directory from that NFS server.

To perform a selective restore
1 Log on to the Web configuration interface with Administrator credentials.
2 Click Maintenance > Backup and Restore > Restore.
3 From the options, select Selective Restore and then type the directory administrator (cn=root) user name and password in the LDAP distinguished name format. Providing the directory administrator (cn=root) logon credentials for LDAP is mandatory for selective restore.
4 From the backup files list, select the file whose backup components need to be restored.
5 From the restore list, check the components that need to be restored. The listed components are the items that were selected during the selective backup.
6 Click Restore.
Warning: The Information Manager server is offline during this operation.
Once the restoration is completed, the Information Manager Web configuration interface is closed and the Information Manager server restarts automatically. An active Information Manager console is also closed after the restoration.
See Performing a complete database restore on page 370.
See Performing a complete LDAP directory server restore on page 369.

Scheduling a backup
You can schedule a backup to run once on a specific date, daily, weekly, or monthly. A user must have administrative privileges to schedule a backup. You can schedule selective backups only; you cannot schedule full database backups or full LDAP backups. You must provide the directory administrator (cn=root) logon credentials for LDAP when you schedule a backup process.
Information Manager lets you schedule only one backup at a time. To create a new schedule, you can either edit the current schedule or delete the current schedule and create a new one.
To schedule a backup
1 Log on to the Web configuration interface using Administrator credentials.
2 Click Maintenance > Backup and Restore > Backup.

3 From the options, select Selective Backup and then type the directory administrator (cn=root) user name and password in the LDAP distinguished name format. Providing the directory administrator (cn=root) logon credentials for LDAP is mandatory for selective backup.
4 From the Components list, select the items for backup.
5 Type the file path or click Reset to default to set the default file path for storing the backup file. You can provide the path of the mounted file system if you choose to store the backup files there.
6 Click Schedule Backup and specify the details for scheduling the backup. Enter the following details as required:
Frequency: Lets you select the frequency for scheduling a backup. This frequency can be once on a specified day, daily, weekly, or monthly.
At: Lets you select the time when the scheduled backup must run.
Starts on: Lets you select the date when the scheduled backup must begin. You can select today's date or any date after today's date.
Every: Daily frequency - Lets you select the period range in days to run the scheduled backup. Weekly frequency - Lets you select the period range in weeks to run the scheduled backup. Monthly frequency - Lets you select the period range in months to run the scheduled backup.
On: Weekly frequency - Lets you select the day in the week to begin the scheduled backup. Monthly frequency - Lets you select either a day in a month or the last day of the month to run the scheduled backup.
If a backup is already scheduled, Schedule Backup is disabled. To create a new schedule, you can edit the current schedule or delete the current schedule and create a new one.
7 Click Save Schedule.
See Editing a scheduled backup on page 376.

See Deleting a scheduled backup on page 376.

Editing a scheduled backup
Information Manager lets you run a single schedule at a time. Therefore, to create a new schedule, you can either modify or delete the existing schedule.
To edit a scheduled backup
1 Log on to the Web configuration interface using Administrator credentials.
2 Click Maintenance > Backup and Restore > Backup.
3 From the options, select Selective Backup.
4 Click Edit and edit the details of the schedule.
5 Click Save Schedule.
See Scheduling a backup on page 374.
See Deleting a scheduled backup on page 376.

Deleting a scheduled backup
Information Manager lets you run a single schedule at a time. Therefore, to create a new schedule, you can either modify or delete the existing schedule.
To delete a scheduled backup
1 Log on to the Web configuration interface using Administrator credentials.
2 Click Maintenance > Backup and Restore > Backup.
3 From the options, select Selective Backup and then click Delete.
See Editing a scheduled backup on page 376.

Purging incident or event summary data
On the Information Manager server, you can select and purge events, incidents, tickets, and alerts based on their status or on the data type. You also have the option to purge all the data associated with incidents and event summaries. The Information Manager server restarts automatically after all of the selected data is purged. Make sure that you back up the database before you purge data.
To purge selected incident or event summary data
1 Log on to the Web configuration interface with Administrator credentials.
2 Click Maintenance > Backup and Restore > Purge.

3 From the options, select Purge Incident or Event Summary Data.
4 From the Purge view, check the data type items that you want to purge.
Hourly (or Short Term) Event Summary Data: Lets you purge hourly event summary data older than the specified number of days. Type the required number of days in the Older than column. By default, the value is set to seven days.
Daily, Weekly, Monthly (or Long Term) Event Summary Data: Lets you purge daily event summary data based on age. Type the required number of days in the Older than column. By default, the value is set to seven days.
Incidents, Alerts and Tickets: Lets you select incidents, alerts, and tickets for purging based on their age and state. Type the required number of days in the Older than column. By default, the value is set to seven days.
Closed Incidents: Lets you purge closed incidents that are older than the specified number of days.
Deleted Incidents: Lets you purge deleted incidents.
Open Incidents: Lets you purge open incidents.
Closed Alerts: Lets you purge closed alerts.
Open Alerts: Lets you purge open alerts.
Deleted Alerts: Lets you purge deleted alerts.
Closed Tickets: Lets you purge closed tickets.
Open Tickets: Lets you purge open tickets.
5 Click Purge.
To purge all incident or event summary data
1 Log on to the Web configuration interface with Administrator credentials.
2 Go to Maintenance > Backup and Restore > Purge.
3 From the options, select Purge Incident or Event Summary Data.

4 From the Purge All view, check the options that are required for purging.
5 Click Purge All.
See Purging selective backup files on page 378.

Purging selective backup files
In Information Manager, you can select and purge backup files. Only those backup files that were selectively backed up can be purged. You can view and select any of the components that are backed up in a .bckp file for purging.
Warning: If you used a Network File System (NFS) mounted directory for backup, you must ensure that the NFS server is running during the purge. If the NFS server is not running, ensure that the Information Manager server does not use any NFS mounted directory from that NFS server.
To purge selective backup files
1 Log on to the Web configuration interface with Administrator credentials.
2 Click Maintenance > Backup and Restore > Purge.
3 From the options, select Purge Selective Backup Files.
4 From the list of backup files, select the file that you want to purge and then click Purge.
See Purging incident or event summary data on page 376.

379 Section 8 Appendix
Appendix A. Firewall Settings for the Information Manager


381 Appendix A Firewall Settings for the Information Manager
This appendix includes the following topics:
Firewall settings

Firewall settings
The iptables firewall policy has been configured to block all ports except the following:
22 (SSH)
443 (HTTPS)
636 (LDAPS)
3539 (ibmdiradm)
3700 (db2tcpcm)
(simserver)
(eventservice)
(db2tcp)
(Ethereal ports)
(Collector ports)
Table A-1 shows the list of ports that Symantec Security Information Manager uses. It also shows the service that uses each port and whether the service is blocked by the firewall that is running on the server. In addition, it shows the network protocol that is associated with the service.

Table A-1 Ports used by Information Manager
Port | Service/Process | Blocked by firewall | Protocol
22 | Linux Secure Shell (SSH) service/ssh | No | TCP
80 | IBM Apache Web server (HTTPD)/http | Yes | TCP
443 | Secure Sockets Layer (HTTPS)/https | No | TCP
636 | IBM Tivoli (LDAP) Directory Service/ldaps | No | TCP
3539 | IBM Tivoli (LDAP) Directory Service/ibmdiradm | No | TCP
3700 | IBM DB2 database service/db2tcpcm | No | TCP
5998 | Symantec Event Agent | No | TCP
8090 | Information Manager Tomcat event service/eventservice | Yes | TCP
 | simserver | No | TCP
 | Event forwarding port/eventservice | No | TCP
 | simserver (the simserver service is responsible for correlating events and generating incidents) | Yes | TCP
 | eventservice | Yes | TCP
 | Information Manager service monitor/svclauncher | Yes | UDP
 | IBM DB2 database service/db2tcpcm | No | TCP
:8005 | Shut down port for Information Manager Tomcat service/manager | Yes | TCP
:8009 | modjk connector for Information Manager Tomcat service/manager | Yes | TCP
:8015 | modjk connector for Information Manager Tomcat event service/eventservice | Yes | TCP
:8019 | modjk connector for Information Manager Tomcat event service/eventservice | Yes | TCP
:8025 | Web Services/Wsrf | Yes | TCP
:8029 | Web Services/Wsrf | Yes | TCP
:8086 | Symantec Event Agent (collects and forwards the events to the Information Manager server) | Yes | TCP
:8889 | QueueMonitor | Yes | TCP
:10030 | Information Manager Database Management Utility/Simdbmu | Yes | TCP
:10050 | HelpDeskEvent Sink/Manager | Yes | TCP
:10080 | assetsvc (the assetsvc service is responsible for storing the assets information) | Yes | TCP
:55550 | Rx protocol service/rxservice | Yes | TCP
:55557 | assetsvc | Yes | TCP
:55558 | notificationsvc (the notificationsvc service notifies the users of the various activities happening on the Information Manager server; a notification needs to be created for the service) | Yes | TCP
:55559 | rulesvc (the rulesvc service is responsible for the creating, updating, and deployment of rules) | Yes | TCP
:55560 | dimserver (the dimserver service is responsible for polling the GIN Server and retrieving Global Intelligence data and intelligence feeds) | Yes | TCP
:55561 | schedulersvc (the schedulersvc service lets you schedule execution of different activities on a given time period, for example scheduling reports) | Yes | TCP
:55562 | icesvc (the ice service is responsible for storing and retrieving incidents, conclusions, and events into and from the database) | Yes | TCP
:55566 | kbsvc (the kbsvc service provides the knowledge base for LiveUpdate data) | Yes | TCP
:55567 | ticketsvc (the ticketsvc service is used for creating and storing tickets) | Yes | TCP
:55568 | eventfindersvc (the eventfindersvc service provides the functionality for accessing the event archives) | Yes | TCP
:55569 | querysvc (the querysvc service is used for querying the database and managing Queries and Reports) | Yes | TCP
:55570 | statsvc (the statsvc service provides statistics for the Information Manager server) | Yes | TCP
:55571 | configurationsvc (the configurationsvc service synchronizes the Information Manager role and services running on the Information Manager server) | Yes | TCP
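Added example, not from the Symantec guide: a Python audit that parses an `ss -ltn` style socket listing and reports every listener as open (Table A-1 says the firewall leaves it reachable), filtered (Table A-1 says it listens but the iptables policy blocks it) or unknown (not in Table A-1 at all, so the process behind it should be identified). The port sets are taken from Table A-1; the socket listing, including the planted 3306 row, is constructed sample data, and the function names are invented.

```python
"""Added example (not part of the Symantec guide): audit a listening-socket
listing against Table A-1 so that a listener the table does not account for
stands out. Port sets come from Table A-1; the `ss -ltn` sample is
constructed; the function names are invented for illustration."""

import re

# Table A-1, "Blocked by firewall: No": reachable through the appliance firewall.
OPEN_PORTS = {22, 443, 636, 3539, 3700, 5998}

# Table A-1, "Blocked by firewall: Yes": services that listen but are filtered.
FIREWALL_BLOCKED_PORTS = {
    80, 8090, 8005, 8009, 8015, 8019, 8025, 8029, 8086, 8889,
    10030, 10050, 10080, 55550, 55557, 55558, 55559, 55560, 55561,
    55562, 55566, 55567, 55568, 55569, 55570, 55571,
}

# Constructed sample in the column layout of `ss -ltn`; the 3306 row is a
# deliberately planted listener that Table A-1 does not list.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    0.0.0.0:22          0.0.0.0:*
LISTEN  0      128    0.0.0.0:443         0.0.0.0:*
LISTEN  0      128    0.0.0.0:636         0.0.0.0:*
LISTEN  0      100    127.0.0.1:8005      0.0.0.0:*
LISTEN  0      100    127.0.0.1:55562     0.0.0.0:*
LISTEN  0      128    0.0.0.0:8090        0.0.0.0:*
LISTEN  0      128    0.0.0.0:3306        0.0.0.0:*
LISTEN  0      128    [::]:22             [::]:*
"""

# Local address forms handled: "1.2.3.4:port", "*:port" and "[v6addr]:port".
_LOCAL_RE = re.compile(r"^(?:\[(?P<ip6>[^\]]*)\]|(?P<ip4>[^:\s]+)):(?P<port>\d+)$")


def parse_listeners(ss_output):
    """Yield (local_address, port) for every LISTEN row of `ss -ltn` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a non-listening socket
        match = _LOCAL_RE.match(fields[3])
        if match is None:
            continue  # address column in a form this parser does not understand
        addr = match.group("ip6") if match.group("ip6") is not None else match.group("ip4")
        yield addr, int(match.group("port"))


def classify_port(port):
    """Map a port to its Table A-1 status."""
    if port in OPEN_PORTS:
        return "open"        # reachable by design; expected to be listening
    if port in FIREWALL_BLOCKED_PORTS:
        return "filtered"    # listening is normal, but the iptables policy must drop it
    return "unknown"         # not in Table A-1: identify the process behind it


def audit_listeners(ss_output):
    """Return {(addr, port): status} for every listener in the listing."""
    return {(addr, port): classify_port(port) for addr, port in parse_listeners(ss_output)}


def unknown_ports(ss_output):
    """Sorted list of listening ports that Table A-1 does not account for."""
    return sorted({port for (_, port), status in audit_listeners(ss_output).items()
                   if status == "unknown"})


if __name__ == "__main__":
    for (addr, port), status in audit_listeners(SAMPLE_SS_OUTPUT).items():
        print(f"{addr}:{port}\t{status}")
    print("unknown:", unknown_ports(SAMPLE_SS_OUTPUT))
```

On a live appliance, feed the function the real `ss -ltn` output and treat a "filtered" listener as a prompt to confirm the iptables rule for that port is still present.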


387 Index A access rights 47 See also permissions Information Manager console 47 account Administrator 62 default password 61 Linux 61 Active Directory about integrating 313 configuration creating a 314 editing a 315 removing 315 synchronize a 316 Active Directory configurations creating editing 314 list remove 314 administrative settings modifying 344 Agent configuring Manager failover 340 scheduling LiveUpdate 350 agent editing agent computer 83 Agent Configurations 333 batch logging 333 for 1.1 Agent 333 Agent to Manager failover configuring 340 aggregation exporting 200 importing 200 aggregation tables 132 archives. See event archives viewing event data 216 assets identifying 296 Assets table 250 about 281 CIA values 283 filtering based on operating system 289 how event correlation uses entries 282 importing assets 284 locked and unlocked assets 288 managing vulnerability scanners 287 policies 291 Services tab overview 290 using a vulnerability scanner to populate the table 287 using CIA values to identify critical events 289 using Severity settings 290 using to reduce false positives 288 vulnerability information 286 attacks sample EMR values 261 B backup about backup and restore view 367 deleting scheduled backup 376 editing schedule 376 performing complete database backup 370 performing complete LDAP directory server 368 performing selective backup 371 scheduling 374 batch logging, Agent 333 blacklisting, configuring 344 BugTraq 250 business information users 67 Bypass Event RBAC C CA root certificate adding 316 Category field. See EMR client validation, configuring 346

388 388 Index collector filtering and aggregation antivirus examples 275 creating specifications 269 events generated by specific internal networks 271 examples 271 firewall examples 272 overview 263 policy compliance 264 preparing to create 266 suggestions 265 vulnerability assessment examples 276 Windows Event Log examples 277 collectors. See event collectors before you install 165 components of 164 configuring point product 189 configuring raw event logging 195 installating on remote computer 181 installation and configuration tasks 167 installing on Information Manager server 182 overview 163 registration 170 requirements 165 sensor configuring to receive security events 192 creating new configuration 191 deleting 193 disabling 193 globally updating properties 194 importing and exporting properties 193 renaming 193 sensors creating and configuring 190 universal 186 downloading and installing 186 updating hosts file 166 verifying configuration 184 verifying installation 182 column sorting in queries 231 Command servlet, configuring 342 computers adding configuration groups 90 configurations 86 adding to organizational units 82 creating 82 defined 81 deleting 94 computers (continued) distributing configurations 93 editing agent with agent 83 editing properties 83 editing without agent 84 identification information 85 modifying permissions 94 moving 93 specifying IP addresses 85 MAC addresses 85 viewing service properties 91 services 91 with agents 81 conclusions about 207 escalating based on severity 132 Confidentiality, Integrity, and Availability values assigning 283 configuration groups adding to computers 90 Configuration service, configuring 342 configurations adding to computers 86 organizational units 78 Agent Configurations 333 Agent Connection Configurations 339 distributing by way of computer Service properties 91 to computers 93 using organizational units 92 Manager 346 Manager components 342 console configuring 295 contact information users 67 
Correlation Manager about 115 knowledge base 116 rule set 116 correlation rules 123. See rules about 123 creating custom 136

389 Index 389 create Java LiveUpdate configuration general configuration settings 352 host configuration settings 356 Java LiveUpdate configuration settings 352 critical systems. See assets D DAS connecting Information Manager 322 DAS/SAN configuration delete 325 extend storage capacity 323 restore 324 unmount 324 DAS/SAN storage configuring Information Manager 322 data purge adjusting parameters 364 setting levels 365 data retention 210 data retention entry(days) 214 Database Capacity Critical level 363 database alarm level 365 capacity viewing percentage used 361 health monitoring 362 job status 361 maintenance of 361 purging 363 purge types 363 safe level 365 status indicators 362 Date setting changing the 307 date values for events 219 DeepSight Threat Management normalization and 251 Direct attached storage connecting Information Manager 322 diskspace, configuring minimum free space 347 Distribute menu option domain 305 Domain Administrator role 39 permissions 56 domain name 305 double-byte characters, for exported Information Manager reports 344 E effects. See EMR address notification 71 EMR described 253 Effects values 255 effects 254 examples 261 Mechanisms values 258 mechanisms 255 Resource values 261 resources 258 Ending Event Date column 219 environment diagram. See Visualizer Event Agent uninstalling on Linux and Solaris 176 event archive specifying settings 213 event archive viewer right pane 217 event archives about 210 about multiple 210 adding and removing table columns 220 calendar setting 218 creating new 211 date and time range 218 event details 218 event date values 219 filtering modifying table columns 220 exporting a query 236 graph 217 histogram 217 importing a query 236 live 216 local 216 local client copy creating 215 querying Event Query wizard 228 naming rules 227

390 390 Index event archives (continued) querying (continued) SQL Query wizard 231 Summary Query wizard 229 removing an archive from event viewer 217 restoring 212 saving data from event viewer 217 settings 213 zooming 218 event collectors 31 functions 31 installing and configuring 31 types 31 Event Count rule setting 132 Event Criteria field 129 operators 130 event data purging 363 Event Date column 219 event forwarding activating 245 configuring default forwarding rule 246 creating a rule 247 deleting a forwarding rule 248 described 241 stopping 248 Event Logger 241 event logging configuring for Agent 333 event queries about working with 225 color scheme managing used in query results 234 creating groups 227 deleting 238 editing 234 importing 236 IP addresses 237 multiple archives 233 publishing 237 scheduling to be distributed as reports 238 using Source view 226 using Target View 226 event query searching within 221 Event Query wizard 228 event summary data purging 376 Event to Conclusion Correlation fields 132 events 249 See also normalization about 207 about normalization 249 accessing data in the console 268 aggregation 200 filtering 197 lifecycle 209 mapping during normalization 251 role for viewing 40 events view about 208 exporting queries 235 external storage about 318 F failover configuring Agent to Manager 340 fields Event Criteria 129 Event to Conclusion Correlation 132 operators for event criteria 130 filter configurations exporting 197 importing 197 filtering events 197 filters event data 221 forwarding events. See event forwarding Free space quota setting 214 G gateway 305 GIN about managing 327 Global Intelligence Network 32 about 311 configuring view 311 receiving content updates 329 registering a license 328 viewing content status 328 H histogram manipulating the 217

391 Index 391 histogram (continued) viewing event details 218 host criticality. See assets hosts file editing 304 I importing queries 235 incident data purging 363, 376 Incident Forwarding disabling from Service Provider Master 110 incidents about 207 automatic assigment to least busy member 141 automatic assignment 140 exporting from Client Incident viewer 107 synchronizing with Service Provider Master 110 Information Manager about 19 components 30 event lifecycle 208 features 22 overview 19 workflow 29 Information Manager components event collectors 31 Global Intelligence Network 32 Information Manager server 32 security products and devices 31 Web service 32 Information Manager configurations about 342 Information Manager console creating tickets for Service Provider Master 106 modify access rights 47 Move menu option 93 preventing timeout 344 Information Manager console access rights adding to roles 47 Information Manager server 32 configuring for Service Provider Master 107 Service Provider examples 102 using as a service provider 101 Information Manager Web service 32 Information Manager workflow 29 installation collector remote computer 181 inventory, configuring for Agent 333 IP address 305 specifying for computers 85 IP addresses querying for 237 K knowledge base Correlation Manager 116 L LDAP directory accounts 62 Linux account 61 LiveUpdate normalization and 251 running from Web configuration interface 313 running the 312 scheduling Agent 350 Manager 350 LiveUpdate Java about 348 creating configuration 349 distribute configuration 358 edit configuration properties 357 modify configuration 351 local event archives viewing 216 logging configuring for Agent 333 logon failure, configuring blacklisting 344 Lookup Table Update create rule 150 Lookup Tables 152 records 159 user-defined 157 M MAC addresses specifying for computers 85 Manager configuring 342, 346 Agent connections 339 Manager connections 347 scheduling LiveUpdate 350

392 Index
Max archive quota setting 214
Mechanisms values 255
mechanisms. See EMR
minimum free disk space, configuring 347
multipath
  using for storage options 318

N
NAS configuration
  create 319
  delete 320
network settings
  changing 305
Network table 250
networks
  specifying 298
normalization
  described 249
  example 251
  files 251
  modifying 251
normalization files
  about 251
notification
  address 71
  user information 70
    address 71
    pager numbers 71
    times 72
NTP Server
  specifying 308
NTP server
  add synchronize 307

O
operators
  Event Criteria 130
organizational units
  adding computers to 82
  creating 78
  deleting 80
  deleting computers 94
  description 77
  distributing configurations 92
  editing 80
  managing 77
  moving computers 93
  name length limits 79
Original Ending Event Date column 219
Original Event Date column 219

P
pager numbers 71
password view
  changing 309
Passwords
  changing the 309
passwords 61
  changing 66
  customizing policies 74
  security recommendation 62
permissions 47
  See also access rights
  description 56
  examples of modifying permissions 53
  in roles 45, 49
  modifying 58
    computers 94
  propagating 57
  user 72
Permissions dialog box 58
policy
  adding a 297
publishing
  queries 237
purge
  about backup and restore view 367
purging alerts 363
purging data
  purge types 363

Q
queries
  column sorting 231
  editing 235
  event 228
  exporting importing 235
  naming rules 227
  SQL 231
  summary 229
  tables in 235
query groups 227

393 Index

R
registering
  collectors 170
reports, exporting
  configuring character set 344
resources. See EMR
restarting
  server 317
restore
  about backup and restore view 367
  performing complete database 370
  performing complete LDAP directory server 369
  performing selective 373
role membership
  assigning to users 68
roles
  adding user groups 43
  adding users 43
  administrator roles 39
  creating 40
  definition 37
  deleting 55
  Domain Administrator 39
    permissions 56
  editing role properties 42
  Information Manager console access rights 47
  management of policies and configurations 40
  managing 37
  permissions 49, 56
    examples 53
  planning 38
  product access assignment
    modifying 44
  SES Administrator 39
    permissions 56
  SIM permissions 45
  viewing events 40
rsync 210
rule
  creating multicondition 141
  importing existing 135
  X not followed by X 147
  X not followed by Y 145
  Y not preceded by X 149
rule set
  creating 121
rule type
  Lookup Table Update 150
rules
  categories 123
  Correlate By field 134
  creating correlation rule for lookup table update 150
  creating multicondition 141
  criteria 125
  default 116
  editor 132
  enabling/disabling 152
  query naming 227
  Resource field 134
  settings 132
  types 125
rules strategy
  defining strategy 123

S
SAN
  connecting Information Manager 320
scp 210
security directory
  registering a collection server 243
security domain
  registering Information Manager with 244
security environment diagram. See Visualizer
selective backup files
  purging 378
server
  restarting 317
  shutting down 317
server access
  modifying 48
service provider
  client perspective 103
  configuring an Information Manager server 108
  configuring client management accounts 109
  minimum requirements for Information Manager 101
  See also Service Provider Master
  provider perspective 104
  responding to a client incident 105
Service Provider Master
  configuring client 107
  configuring Information Manager as 107
  customizing the Incidents tile 104
  disconnecting a client from 110
  overview and examples 102
  synchronizing with client incidents 110

394 Index
Service Provider Master (continued)
  viewing client incidents 105
services
  viewing for a computer 91
  viewing properties 91
SES Administrator role 39
  permissions 56
Settings view
  features of 302
shutdown
  server 317
Span rule setting 132
SQL Query wizard 231
SSIM Web Start 21
standard event code 250
state information, configuring for Agent 333
Storage area network
  connecting Information Manager 320
Subcategory field. See EMR
Summary Query wizard 229
Symantec Event Agent
  installing
    installing on Linux 175
    installing on Solaris 173
    installing on Windows 172
  management with agentmgmt.bat utility 176
  preinstallation requirements 171
  uninstalling 176
    uninstalling on Windows 176
  verifying installation 178
  verifying operation 179
Symantec Event Code 250
Symantec Signature
  incident mapped to 250
system criticality. See assets
system performance
  estimating 27

T
Table Size rule setting 132
tables
  aggregation 132
  Lookup 152
tables in queries 235
tablespace containers 361
template queries
  enable role-based access 46
throttling, configuring 346
time
  specifying NTP Server 308
Time setting
  changing the 307
timeout, preventing, in Information Manager console 344

U
updates
  Agent 350
  LiveUpdate technology 348
  Manager 350
user groups
  adding to a role 43
  creating 65
  deleting 74
  managing the composition of 69
  modifying 73
users
  adding to a role 43
  assigning role membership 68
  business information 67
  contact information 67
  creating 63
  deleting 74
  description 62
  notification information 70
    addresses 71
    notification times 72
    pager numbers 71
  permissions 72
  properties 66

V
values
  Mechanisms 255
Visualizer
  about 95
  about using 95
  modifying properties 98
  tools 98

W
Web server, configuring 346
wizards
  Event Query 228
  SQL Query 231
  Summary Query 229


More information

Configuring Symantec Protection Engine for Network Attached Storage 7.5 for NetApp Data ONTAP

Configuring Symantec Protection Engine for Network Attached Storage 7.5 for NetApp Data ONTAP Configuring Symantec Protection Engine for Network Attached Storage 7.5 for NetApp Data ONTAP Configuring Symantec Protection Engine for Network Attached Storage 7.5 for NetApp Data ONTAP. The software

More information

Symantec NetBackup PureDisk Deduplication Option Guide

Symantec NetBackup PureDisk Deduplication Option Guide Symantec NetBackup PureDisk Deduplication Option Guide Windows, Linux, and UNIX Release 6.6.5 Revision 1 The software described in this book is furnished under a license agreement and may be used only

More information

Symantec AntiVirus for Network Attached Storage Integration Guide

Symantec AntiVirus for Network Attached Storage Integration Guide Symantec AntiVirus for Network Attached Storage Integration Guide Introducing Symantec AntiVirus for Network Attached Storage The software described in this book is furnished under a license agreement

More information

Symantec Mobile Security Manager Administration Guide

Symantec Mobile Security Manager Administration Guide Symantec Mobile Security Manager Administration Guide Symantec Mobile Security Manager The software described in this book is furnished under a license agreement and may be used only in accordance with

More information

Symantec Database Security and Audit 3100 Series Appliance. Getting Started Guide

Symantec Database Security and Audit 3100 Series Appliance. Getting Started Guide Symantec Database Security and Audit 3100 Series Appliance Getting Started Guide Symantec Database Security and Audit 3100 Series Getting Started Guide The software described in this book is furnished

More information

PGP CAPS Activation Package

PGP CAPS Activation Package PGP CAPS Activation Package Administrator's Guide 9.12/10.0 The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

More information

Symantec Enterprise Vault

Symantec Enterprise Vault Symantec Enterprise Vault Setting up SMTP Archiving 11.0 Symantec Enterprise Vault: Setting up SMTP Archiving The software described in this book is furnished under a license agreement and may be used

More information

PGP Desktop Version 10.2 for Mac OS X Maintenance Pack Release Notes

PGP Desktop Version 10.2 for Mac OS X Maintenance Pack Release Notes PGP Desktop Version 10.2 for Mac OS X Maintenance Pack Release Notes Thank you for using this Symantec Corporation product. These Release Notes contain important information regarding this release of PGP

More information

Symantec Mail Security for Microsoft Exchange

Symantec Mail Security for Microsoft Exchange Symantec Mail Security for Microsoft Exchange Getting Started Guide v7.0.2 Symantec Mail Security for Microsoft Exchange Getting Started Guide The software described in this book is furnished under a license

More information

Symantec NetBackup for Enterprise Vault Agent Administrator's Guide

Symantec NetBackup for Enterprise Vault Agent Administrator's Guide Symantec NetBackup for Enterprise Vault Agent Administrator's Guide for Windows Release 7.6 The software described in this book is furnished under a license agreement and may be used only in accordance

More information

Symantec Security Information Manager 4.5 Deployment Planning Guide

Symantec Security Information Manager 4.5 Deployment Planning Guide Symantec Security Information Manager 4.5 Deployment Planning Guide Symantec Security Information Manager 4.5 Deployment Planning Guide The software described in this book is furnished under a license

More information

Symantec Enterprise Vault. Upgrading to Enterprise Vault 11.0.1

Symantec Enterprise Vault. Upgrading to Enterprise Vault 11.0.1 Symantec Enterprise Vault Upgrading to Enterprise Vault 11.0.1 Symantec Enterprise Vault: Upgrading to Enterprise Vault 11.0.1 The software described in this book is furnished under a license agreement

More information

Backup Exec 15. Quick Installation Guide

Backup Exec 15. Quick Installation Guide Backup Exec 15 Quick Installation Guide 21344987 Documentation version: 15 PN: 21344987 Legal Notice Copyright 2015 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark

More information

Symantec NetBackup Deduplication Guide

Symantec NetBackup Deduplication Guide Symantec NetBackup Deduplication Guide UNIX, Windows, Linux Release 7.1 21159706 Symantec NetBackup Deduplication Guide The software described in this book is furnished under a license agreement and may

More information

Symantec Endpoint Protection Small Business Edition Implementation Guide

Symantec Endpoint Protection Small Business Edition Implementation Guide Symantec Endpoint Protection Small Business Edition Implementation Guide Symantec Endpoint Protection Small Business Edition Implementation Guide The software described in this book is furnished under

More information

Symantec NetBackup Clustered Master Server Administrator's Guide

Symantec NetBackup Clustered Master Server Administrator's Guide Symantec NetBackup Clustered Master Server Administrator's Guide for Windows, UNIX, and Linux Release 7.6 Symantec NetBackup Clustered Master Server Administrator's Guide The software described in this

More information

Symantec NetBackup Plug-in for VMware vcenter Guide. Release 7.6

Symantec NetBackup Plug-in for VMware vcenter Guide. Release 7.6 Symantec NetBackup Plug-in for VMware vcenter Guide Release 7.6 Symantec NetBackup Plug-in for vcenter Guide The software described in this book is furnished under a license agreement and may be used only

More information

Symantec Asset Management Suite 7.5 powered by Altiris technology User Guide

Symantec Asset Management Suite 7.5 powered by Altiris technology User Guide Symantec Asset Management Suite 7.5 powered by Altiris technology User Guide Symantec Asset Management Suite 7.5 powered by Altiris technology User Guide The software described in this book is furnished

More information