Symantec Security Information Manager 4.7.4 User Guide




The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version: 4.7.4

Legal Notice

Copyright 2011 Symantec Corporation. All rights reserved.

Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party ("Third Party Programs"). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation 350 Ellis Street Mountain View, CA 94043 http://www.symantec.com

Technical Support

Contacting Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's support offerings include the following:
- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and/or web-based support that provides rapid response and up-to-the-minute information
- Upgrade assurance that delivers software upgrades
- Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
- Premium service offerings that include Account Management Services

For information about Symantec's support offerings, you can visit our web site at the following URL: www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Customers with a current support agreement may access Technical Support information at the following URL: www.symantec.com/business/support/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:
- Product release level
- Hardware information: Available memory, disk space, and NIC information
- Operating system: Version and patch level
- Network topology: Router, gateway, and IP address information
- Problem description: Error messages and log files; troubleshooting that was performed before contacting Symantec; recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support web page at the following URL: www.symantec.com/business/support/

Customer service

Customer service information is available at the following URL: www.symantec.com/business/support/

Customer Service is available to assist with non-technical questions, such as the following types of issues:
- Questions regarding product licensing or serialization
- Product registration updates, such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade assurance and support contracts
- Information about the Symantec Buying Programs
- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs or manuals

Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:
- Asia-Pacific and Japan: customercare_apac@symantec.com
- Europe, Middle-East, and Africa: semea@symantec.com
- North America and Latin America: supportsolutions@symantec.com

Additional enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively.

Enterprise services that are available include the following:
- Managed Services
- Consulting Services
- Education Services

Managed Services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.

Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring, and management capabilities. Each is focused on establishing and maintaining the integrity and availability of your IT resources.

Education Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about enterprise services, please visit our web site at the following URL: www.symantec.com/business/services/

Select your country or language from the site index.

Contents

Technical Support... 4

Section 1 Introducing Symantec Security Information Manager... 15

Chapter 1 Overview... 17
About Symantec Security Information Manager... 17
What's new in this release... 18
New features... 19
About workflow in Information Manager... 20
About Information Manager components... 21
About security products and devices... 22
About event collectors... 22
About Information Manager servers... 23
About the Symantec Global Intelligence Network... 23
About the Information Manager Web service... 23
About estimating system performance... 24

Chapter 2 Symantec Security Information Manager Console... 29
About the Information Manager console... 29
About the Dashboard view... 30
About the Intelligence view... 31
About the Incidents view... 32
About the Events view... 35
About the Tickets view... 37
About the Assets view... 39
About the Reports view... 41
About the Rules view... 44
About the System view... 61
About the Statistics view... 62
About the features of the Information Manager console... 63
About the incident and the alert monitors... 63
About the event activity monitor... 64
About the Notes feature... 64
Creating and editing notes... 65
Searching the notes... 66
About user actions... 68
Creating and modifying user actions... 68
Opening the Information Manager console from the command line... 69
Changing a password... 70

Chapter 3 Symantec Security Information Manager Web configuration interface... 71
About the Information Manager server Web configuration interface... 71
Accessing the Web configuration interface... 72
About the features of the Web configuration interface... 72

Section 2 Planning for security management... 77

Chapter 4 Managing the correlation environment... 79
About the Correlation Manager... 79
About the Correlation Manager knowledge base... 80
About the default rules set... 80

Chapter 5 Defining rules strategy... 85
About creating the right rule set for your business... 85
About defining a rules strategy... 87
About correlation rules... 87
About rule conditions... 88
About rule types... 89
About event criteria... 93
About the Event Count, Span, and Table Size rule settings... 96
About the Tracking Key and Conclusion Creation fields... 96
About the Correlate By and Resource fields... 98
Importing existing rules... 99
Creating custom correlation rules... 100
Creating a multicondition rule... 104
Creating a correlation rule based on the X not followed by Y rule type... 107
Creating a correlation rule based on the X not followed by X rule type... 109
Creating a correlation rule for the Y not preceded by X rule type... 111
Creating a correlation rule for the Lookup Table Update... 113
Enabling and disabling rules... 115
Working with the Lookup Tables window... 115
Creating a user-defined Lookup Table... 120
Importing Lookup Tables and records... 121

Section 3 Getting started with the Information Manager... 123

Chapter 6 Configuring the Console... 125
About configuring Information Manager... 125
Identifying critical systems... 126
Adding a policy... 127
Specifying networks... 128
About customizations for a Service Provider Master console... 129

Chapter 7 Managing roles and permissions... 131
About managing roles... 131
About the administrator roles... 132
About the default roles in the Information Manager server... 132
About planning for role creation... 133
Creating a role... 134
Editing role properties... 140
Deleting a role... 149
About working with permissions... 149
About permissions... 150
About the propagation of permissions... 151
Modifying permissions from the Permissions dialog box... 152

Chapter 8 Managing users and user groups... 155
About users and passwords... 155
Customizing the password policy... 157
Creating a new user... 158
Creating a user group... 160
About editing user properties... 161
Changing a user's password... 162
Specifying user business and contact information... 162
Managing role assignments and properties... 163
Managing user group assignments... 164
Specifying notification information... 166
About modifying user permissions... 168
Modifying a user group... 168
Deleting a user or a user group... 169
About integrating Active Directory with the Information Manager server... 170
Managing Active Directory configurations... 170

Chapter 9 Managing organizational units and computers... 173
About organizational units... 173
About managing organizational units... 173
Creating a new organizational unit... 174
About determining the length of the organizational unit name... 175
Editing organizational unit properties... 176
About modifying organizational unit permissions... 176
Deleting an organizational unit... 177
About managing computers within organizational units... 177
Creating computers within organizational units... 178
About editing computer properties... 179
Distributing configurations to computers in an organizational unit... 197
Moving a computer to a different organizational unit... 198
About modifying computer permissions... 199
Deleting a computer from an organizational unit... 199

Section 4 Understanding event collectors... 201

Chapter 10 Introducing event collectors... 203
About Event Collectors and Information Manager... 203
Components of collectors... 204
About Symantec Universal Collectors... 205
About Custom Log Management... 205
Downloading and installing the Symantec Universal Collectors... 207
Correlating the logs collected in a file from a proprietary application... 208

Chapter 11 Configuring collectors for event filtering and aggregation... 211
Configuring event filtering... 211
Configuring event aggregation... 214

Section 5 Working with events and event archives... 219

Chapter 12 Managing event archives... 221
About events, conclusions, and incidents... 221
About the Events view... 222
About the event lifecycle... 222
About event archives... 224
About multiple event archives... 224
Creating new event archives... 225
Specifying event archive settings... 226
Creating a local copy of event archives on a network computer... 227
Restoring event archives... 228
Viewing event data in the archives... 230
About the event archive viewer right pane... 231
Manipulating the event data histogram... 231
Setting a custom date and time range... 232
About viewing event details... 232
Modifying the format of the event details table... 233
Searching within event query results... 235
Filtering event data... 235
About working with event queries... 239
Using the Source View query and Target View query... 240
Creating query groups... 241
Querying across multiple archives... 241
Creating custom queries... 242
Editing queries... 248
Managing the color scheme that is used in query results... 249
About querying for IP addresses... 250
Importing queries... 250
Exporting queries... 251
Publishing queries... 251
Scheduling queries that can be distributed as reports... 337
Deleting queries... 253

Chapter 13 Forwarding events to the Information Manager Server... 255
About forwarding events to an Information Manager server... 255
About registering a security directory... 257
Registering Collectors... 258
Registering with a security domain... 259
Activating event forwarding... 260
Stopping event forwarding... 263

Chapter 14 Understanding event normalization... 265
About event normalization... 265
About normalization (.norm) files... 267

Chapter 15 Collector-based event filtering and aggregation... 269
About collector-based event filtering and aggregation... 269
About identifying common events for collector-based filtering or aggregation... 271
About preparing to create collector-based rules... 272
Accessing event data in the Information Manager console... 274
Creating collector-based filtering and aggregation specifications... 275
Examples of collector-based filtering and aggregation rules... 277
Filtering events generated by specific internal networks... 277
Filtering common firewall events... 278
Filtering common Symantec AntiVirus events... 281
Filtering or aggregating vulnerability assessment events... 282
Filtering Windows Event Log events... 283

Section 6 Working with incidents... 287

Chapter 16 Managing Incidents... 289
About incident management... 289
Incident identification... 290
Example: Information Manager automates incident management during a Blaster worm attack... 291
Threat containment, eradication, and recovery... 291
Follow-up... 291
Viewing incidents... 291
About the incident list... 292
Viewing and modifying the incident list... 293
About creating and modifying incidents... 294
Creating incidents manually... 295
Modifying incidents... 296
Merging incidents... 297
Closing an incident... 298
Reopening a closed incident... 299
Printing incident details... 299
Printing the incident, ticket, or asset list... 300
Exporting the incident, ticket, or asset list... 300
Assigning incidents automatically to the least busy member in a user group... 302

Chapter 17 Working with filters in the Incidents view... 303
About filtering incidents... 303
Modifying a custom filter... 303
Creating a custom filter... 304
Deleting a custom filter... 304
Searching within incident filtering results... 305

Section 7 Working with tickets... 307

Chapter 18 Managing tickets... 309
About tickets... 309
About creating tickets... 310
Creating a ticket manually... 310
Creating a ticket category... 311
Viewing tickets... 312
About the Ticket Details window... 312
Viewing tickets associated with a specific incident... 313
Setting ticket task dispositions... 314
Changing the priority of a ticket... 314
Adding a ticket note... 315
Closing a ticket... 315
Printing the ticket list... 316

Chapter 19 Working with filters in Tickets view... 317
Filtering tickets... 317
Modifying a custom ticket filter... 318
Deleting a custom ticket filter... 319

Chapter 20 Working with Assets... 321
About the Assets view... 321
Importing assets into the Assets table... 323

Section 8 Working with reports and dashboards... 325

Chapter 21 Managing reports... 327
Working with reports... 327
About reports... 327
Creating custom reports... 327
Creating a report group or folder... 330
Editing tabular queries in reports... 331
Publishing reports... 331
Enabling the email distribution of reports... 332
Scheduling and distributing reports... 333
Scheduling queries that can be distributed as reports... 337
Modifying the report distribution... 338
Viewing reports... 339
Configuring a report for portrait or landscape mode... 340
Printing and saving reports... 341
Exporting reports... 341
Importing reports... 342
Performing a drill-down on reports... 343

Chapter 22 Managing dashboards... 345
About the dashboard... 345
Viewing dashboards... 346
Viewing queries in the Dashboard... 348
Performing a drill-down on dashboards... 348
Refreshing the dashboard... 349
Customizing the dashboard... 350

Index... 351

Section 1 Introducing Symantec Security Information Manager

Chapter 1. Overview
Chapter 2. Symantec Security Information Manager Console
Chapter 3. Symantec Security Information Manager Web configuration interface

Chapter 1 Overview

This chapter includes the following topics:
- About Symantec Security Information Manager
- What's new in this release
- About workflow in Information Manager
- About Information Manager components
- About estimating system performance

About Symantec Security Information Manager

Information Manager provides real-time event correlation and data archiving to protect against security threats and to preserve critical security data. Information Manager collects and archives security events from across the enterprise. These events are correlated with the known asset vulnerabilities and current security information from the Global Intelligence Network. The resulting information provides the basis for real-time threat analysis and security incident identification. Information Manager archives the security data for forensic and regulatory compliance purposes.

Information Manager collects, analyzes, and archives information from security devices, critical applications, and services, such as the following:
- Firewalls
- Routers, switches, and VPNs
- Enterprise antivirus
- Intrusion detection systems and Intrusion Prevention Systems
- Vulnerability scanners
- Authentication servers
- Windows and UNIX system logs

Information Manager provides the following features to help you recognize and respond to threats in your enterprise:
- Normalization and correlation of events from multiple vendors.
- Event archives to retain events in both their original (raw) and normalized formats.
- Distributed event filtering and aggregation to ensure that only relevant security events are correlated.
- Real-time security intelligence updates from Global Intelligence Network. These updates keep you apprised of global threats and let you correlate internal security activity with external threats.
- Customizable event correlation rules to let you fine-tune threat recognition and incident creation for your environment.
- Security incident creation, ticketing, tracking, and remediation for quick response to security threats. Information Manager prioritizes incidents based upon the security policies that are associated with the affected assets.
- An Event Viewer that lets you easily mine large amounts of event data and identify the computers and users that are associated with each event.
- A client-based console from which you can view all security incidents and drill down to the related event details. These details include affected targets, associated vulnerabilities, and recommended corrective actions.
- Predefined and customizable queries to help you demonstrate compliance with the security and the data retention policies in your enterprise.
- A Web-based configuration interface that lets you view and customize the dashboard, configure settings, and manage events, incidents, and tickets remotely. You can download various utilities and perform routine maintenance tasks such as backup and restore.
- A custom logs feature that you can use with the universal collectors to collect and map information from devices for which standard collectors are not available.

What's new in this release

Information Manager 4.7.4 contains enhanced features. It also includes fixes for the known issues that existed in the previous versions.

See New features on page 19.

New features

Information Manager 4.7.4 includes the following new features, in addition to fixes for known issues:
- Symantec SIEM 9700 Series appliances
- SSIM Web Start Client
- Role-based access to the Event Query Templates
- Navigation option for Event Storage Rules list

Symantec SIEM 9700 Series appliances

Symantec SIEM 9700 Series appliances are scalable security information and event management appliances. These appliances provide reliable performance with Information Manager software. The SIEM 9700 Series comprises three models: the 9750, the 9751, and the 9752. Each model provides 3.9TB of redundant event storage and dedicated Remote Management Module features to allow remote management of the appliance. In addition, the 9751 and 9752 provide enterprise connectivity through 8GB Fibre Channel. Each physical appliance can be combined seamlessly with virtual appliances to ease interoperability.

For more information, see the following guides:
- Symantec SIEM 9700 Series Appliances Maintenance Guide
- Symantec SIEM 9700 Series Appliances Installation Guide
- Symantec SIEM 9700 Series Appliances Product Description Guide
- Symantec SIEM 9700 Series Appliances Hardware Troubleshooting Guide
- Symantec SIEM 9700 Series Appliances Safety Guide

See New features on page 19.

SSIM Web Start Client

By using SSIM Web Start Client, you can now reach the Information Manager console directly, without downloading and installing the Information Manager console. The Launch SSIM Web Start Client link, which is located on the logon page of the Information Manager Web configuration interface, launches the Information Manager console. You can also access this link from the Downloads option on the Home view of the Web configuration interface.

See New features on page 19.

20 Overview About workflow in Information Manager Role-based access to the Event Query Templates In Information Manager, an administrator can restrict the access of a user to Event Query Templates. Access to Event Query Templates can be controlled based on the View Event Query Templates permission that is granted to a role. By default, this permission is enabled for new roles. If the View Event Query Templates permission is disabled for a role, the user who is assigned with this role cannot access the Templates folder on the Events view. If the View Event Query Templates permission is enabled for a role, the user who is assigned with this role can access and run the Event Query Templates. See Enabling access to the Event Query Templates on page 142. See New features on page 19. Navigation option for Event Storage Rules list A Move to top option and a Move to bottom option are now available in the Event Storage rules list. These options can be used to move a rule directly to the top or to the bottom of the list. See New features on page 19. About workflow in Information Manager The Symantec Security Information Manager workflow includes the following steps: Event collectors gather events from Symantec and third-party point products. See About Event Collectors and Information Manager on page 203. Events are filtered and aggregated. See Configuring event filtering on page 211. See Configuring event aggregation on page 214. Symantec Event Agent forwards both the raw and the processed events to the Information Manager server. See About forwarding events to an Information Manager server on page 255. See Activating event forwarding on page 260. The Information Manager server stores the event data in event archives. See About event archives on page 224. The Information Manager server correlates the events with threat and asset information based on the various correlation rules. See About the Correlation Manager on page 79.

- Security events that trigger a correlation rule create a security incident. See About incident management on page 289.

About Information Manager components

Symantec Security Information Manager has the following components:

- Security products and devices. See About security products and devices on page 22.
- Event collectors. See About event collectors on page 22.
- Information Manager servers. See About Information Manager servers on page 23.
- Global Intelligence Network. See About the Symantec Global Intelligence Network on page 23.
- Web service. See About the Information Manager Web service on page 23.

Figure 1-1 Components in an Information Manager setup (figure not reproduced in this text)

About security products and devices

The security products and devices in your enterprise can generate overwhelming amounts of security data. Many firewalls can generate over 500 GB of security data per day; intrusion detection systems can trigger over 250,000 alerting incidents per week. Most security products store event data in a proprietary format, accessible only by the tools that the security products provide. To secure your enterprise effectively, you need to collect, normalize, and analyze the data from all parts of your enterprise.

See About Information Manager components on page 21.

About event collectors

Event collectors gather security events from a variety of event sources, such as databases, log files, and syslog applications. Event collectors translate the event data into a standard format, and optionally filter and aggregate the events before sending them to Symantec Security Information Manager. You can also configure event collectors to send the event data in its original format.

You install event collectors either on the security product computer or at a location with access to the security product events. To facilitate installation and setup, event collectors for third-party firewalls are preinstalled on the Information Manager server. After the event collector is registered with Information Manager, you configure its settings from the Information Manager console. The settings include the event source specification and any event filter or aggregation rules. Events that a filter rule drops are not forwarded to the server, so review filter rules against your retention and investigation requirements before you apply them.

Symantec provides event collectors for the following types of products:

- Firewalls
- Routers, switches, and VPNs
- Intrusion detection and prevention systems
- Vulnerability scanners
- Web servers, filters, and proxies
- Databases
- Mail and groupware
- Enterprise antivirus
- Microsoft authentication services
- Windows and UNIX system logs
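The collection, filtering, aggregation, and correlation stages that the workflow section and the event collector description above walk through, shown end to end as an added illustration written for this page (it is not Symantec's collector or Correlation Manager code). The log lines are constructed; the normalized field names, the filter rule, the aggregation key, and the correlation rule are assumptions chosen for the demo, not the Information Manager event schema or a shipped rule.

```python
"""End-to-end event pipeline: normalize, filter, aggregate, correlate.
Added illustration written for this page, not Symantec collector or
Correlation Manager code. Log lines are constructed; the normalized field
names, filter rule, aggregation key and correlation rule are assumptions."""
import re

# Constructed input: three Cisco PIX-style denies, one informational "Built"
# connection, and one Windows-style failed logon, as received over syslog.
SAMPLE_LOGS = [
    'Mar 10 10:00:01 fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.5/4123 dst inside:10.0.0.10/22 by access-group "outside_in"',
    'Mar 10 10:00:02 fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.5/4124 dst inside:10.0.0.10/23 by access-group "outside_in"',
    'Mar 10 10:00:03 fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.5/4125 dst inside:10.0.0.10/25 by access-group "outside_in"',
    'Mar 10 10:00:04 fw1 %PIX-6-302013: Built inbound TCP connection 12 for outside:198.51.100.7/55000 (198.51.100.7/55000) to inside:10.0.0.20/443 (10.0.0.20/443)',
    'Mar 10 10:00:05 dc1 EventID=4625 Logon failure: User=admin Source=203.0.113.5 Target=10.0.0.10',
]

SYSLOG_HDR = re.compile(r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) ")
PIX_DENY = re.compile(r"%PIX-(?P<sev>\d)-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ "
                      r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")
PIX_BUILT = re.compile(r"%PIX-(?P<sev>\d)-302013: Built inbound TCP connection \d+ for "
                       r"\w+:(?P<src>[\d.]+)/\d+ .* to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")
WIN_LOGON_FAIL = re.compile(r"EventID=4625 Logon failure: User=(?P<user>\S+) "
                            r"Source=(?P<src>[\d.]+) Target=(?P<dst>[\d.]+)")


def normalize(line):
    """Translate one raw line into the common (assumed) schema; None if unknown.
    PIX severity is the syslog level in the message tag (lower is more severe)."""
    hdr = SYSLOG_HDR.match(line)
    if not hdr:
        return None
    h, m, s = (int(x) for x in hdr["time"].split(":"))
    base = {"ts": h * 3600 + m * 60 + s, "reporter": hdr["host"], "raw": line}
    mt = PIX_DENY.search(line)
    if mt:
        return {**base, "product": "pix", "action": "deny", "severity": int(mt["sev"]),
                "src_ip": mt["src"], "dst_ip": mt["dst"], "dst_port": int(mt["dport"])}
    mt = PIX_BUILT.search(line)
    if mt:
        return {**base, "product": "pix", "action": "allow", "severity": int(mt["sev"]),
                "src_ip": mt["src"], "dst_ip": mt["dst"], "dst_port": int(mt["dport"])}
    mt = WIN_LOGON_FAIL.search(line)
    if mt:
        return {**base, "product": "windows", "action": "auth_failure", "severity": 4,
                "src_ip": mt["src"], "dst_ip": mt["dst"], "dst_port": None, "user": mt["user"]}
    return None


def filter_events(events, max_pix_level=5):
    """Collector-side filter: drop PIX informational/debug traffic (level 6 and 7).
    Dropped events never reach the server, so keep the rule narrow."""
    return [e for e in events if not (e["product"] == "pix" and e["severity"] > max_pix_level)]


def aggregate(events, window=60):
    """Collapse denies with the same (src, dst) inside `window` seconds into one
    event carrying a count and the set of destination ports touched."""
    out, groups = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] != "deny":
            out.append(e)
            continue
        key = (e["src_ip"], e["dst_ip"])
        g = groups.get(key)
        if g is None or e["ts"] - g["first_ts"] > window:
            g = {**e, "first_ts": e["ts"], "count": 0, "ports": set()}
            groups[key] = g
            out.append(g)
        g["count"] += 1
        g["ports"].add(e["dst_port"])
        g["ts"] = e["ts"]  # timestamp of the last event folded in
    return out


def correlate(events, min_ports=3, window=60):
    """Rule: a source denied to >= min_ports distinct ports on a host, followed
    within `window` seconds by a failed logon from that source to that host."""
    incidents = []
    scans = [e for e in events if e["action"] == "deny" and len(e["ports"]) >= min_ports]
    for scan in scans:
        for e in events:
            if (e["action"] == "auth_failure" and e["src_ip"] == scan["src_ip"]
                    and e["dst_ip"] == scan["dst_ip"] and 0 <= e["ts"] - scan["ts"] <= window):
                incidents.append({"rule": "scan_then_auth_failure", "src_ip": scan["src_ip"],
                                  "target": scan["dst_ip"], "ports": sorted(scan["ports"]),
                                  "user": e.get("user"), "evidence": [scan["raw"], e["raw"]]})
    return incidents


def run_pipeline(lines):
    """Collector stages (normalize, filter, aggregate) followed by server-side correlation."""
    events = [e for e in map(normalize, lines) if e is not None]
    return correlate(aggregate(filter_events(events)))


if __name__ == "__main__":
    for inc in run_pipeline(SAMPLE_LOGS):
        print(inc["rule"], inc["src_ip"], "->", inc["target"], inc["ports"], inc["user"])
```

The aggregated deny keeps both raw lines' evidence through the `raw` field of the first event only; in a real deployment the raw copies are forwarded separately, which is why the workflow forwards raw and processed events side by side.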

For access to the extensive library of event collectors, visit Symantec support at the following Web site:

http://www.symantec.com/enterprise/support/

See About Information Manager components on page 21.

About Information Manager servers

Symantec Security Information Manager is hardware independent. You can install the Information Manager server on any approved hardware that meets the minimum system requirements. You can deploy one or more Information Manager servers in various roles to satisfy the event gathering, archiving, and event correlation requirements for your enterprise.

To allow for traffic variation, a single Information Manager is recommended only for an environment that generates up to 1,000 events per second (EPS) on average and that requires at most 4 MB to 8 MB per day of event data storage. Treat the storage figure with caution: at the 512-byte average event size used in the performance tests later in this chapter, 1,000 EPS is roughly 44 GB of raw event data per day (1,000 x 512 bytes x 86,400 seconds), so size archive storage from the event volume you actually measure rather than from this figure. To increase the overall event processing rate, you can add multiple load-sharing Information Managers to your deployment. You can configure each server for dedicated event collection, event archiving, or event correlation. In most cases, a combination of multiple servers that share the event and incident processing load is preferred.

See About Information Manager components on page 21.

About the Symantec Global Intelligence Network

Information Manager has access to current vulnerability, attack pattern, and threat resolution information from the Threat and Vulnerability Management Service. The Symantec Global Intelligence Network powers the Threat and Vulnerability Management Service. The Symantec Global Intelligence Network is a comprehensive collection of vendor-neutral security data sources. The service is an authoritative source of information about known and emerging vulnerabilities, threats, risks, and global attack activity.

See About Information Manager components on page 21.

About the Information Manager Web service

The Web service of Symantec Security Information Manager lets you securely access and update the data that is stored on a server. You can use the Web service to publish event, asset, incident, ticket, and system setting information, and to integrate Information Manager with help desk, inventory, or notification applications. Because the service can modify incidents, tickets, and system settings, grant its credentials only to the integrations that need them.

See About Information Manager components on page 21.

For more information on interfacing your application with the Web service, see the application documentation or your application vendor.

About estimating system performance

To determine the performance of an Information Manager server or set of servers, consider your unique environment. Information Manager integrates with a wide range of event collectors and by nature requires settings to be customized to each environment, so the physical performance depends greatly on the collectors and settings that you choose. The events per second (EPS) rates observed under optimal test conditions are provided here for general planning purposes. You can create a rough estimate of system performance from these tables, but actual performance may vary widely from these figures depending on your specific environment. Adjust your estimates over time as your policies, settings, and storage requirements are refined.

Table 1-1 lists the hardware models that were used to test the performance of the various roles of the Symantec Security Information Manager server. Tables 1-2 through 1-11 list the EPS rates observed for each model in each role, and Table 1-12 describes how performance was calculated for each role.

Table 1-1 Hardware model specifications

Hardware | CPU | Cache size | Processor type | RAM
HP DL 380 | Intel Xeon E5430 @ 2.66 GHz | 6144 KB | Single quad-core processor | 32 GB and 8 GB (Table 1-5 also reports a 16 GB configuration)
HP DL 360 | Intel Xeon E5405 @ 2.00 GHz | 6144 KB | Single dual-core processor | 16 GB and 8 GB
IBM X3550 | Intel Xeon E5430 @ 2.66 GHz | 6144 KB | Single dual-core processor | 16 GB
Dell R610 | Intel Xeon E5520 @ 2.27 GHz | 8192 KB | Two quad-core processors | 8 GB
Dell R710 | Intel Xeon E5520 @ 2.27 GHz | 8192 KB | Two quad-core processors | 16 GB
Dell 1950 | Intel Xeon E5320 @ 1.86 GHz | 4096 KB | Single quad-core processor | 16 GB
Dell 2950 | Intel Xeon E5410 @ 2.33 GHz | 6144 KB | Single quad-core processor | 16 GB
Dell R710 | Intel Xeon E5640 @ 2.67 GHz | 12 MB | Two quad-core processors | 32 GB

The following tables give the typical EPS rates observed under test conditions for the recommended hardware in each role. These numbers are sample guidelines only and vary greatly with each deployment. In each table, Input EPS is the rate fed to the server, Output EPS is the rate the server sustained in that role, and CPU utilization is the utilization observed during the test; where Output EPS is lower than Input EPS, the server did not keep up with the full input rate.

Table 1-2 Performance figures for HP DL 380 with 32 GB RAM

Role | Input EPS | Output EPS | CPU utilization
All in One | 10000 | 10000 | 60%
Collection only | 10000 | 9100 | 55%
Correlation only | 13000 | 13000 | 29%
Collection + Archive | 12000 | 12000 | 53%

Table 1-3 Performance figures for Dell R710 with 16 GB RAM

Role | Input EPS | Output EPS | CPU utilization
All in One | 10000 | 10000 | 43%
Collection only | 10000 | 9400 | 40%
Correlation only | 12000 | 12000 | 23%
Collection + Archive | 12000 | 10450 | 40%

Table 1-4 Performance figures for Dell R610 with 8 GB RAM

Role | Input EPS | Output EPS | CPU utilization
All in One | 10000 | 8450 | 86%
Collection only | 10000 | 9000 | 74%
Correlation only | 12000 | 10650 | 86%
Collection + Archive | 10000 | 8300 | 76%

Table 1-5 Performance figures for HP DL 380 with 16 GB RAM

Role | Input EPS | Output EPS | CPU utilization
All in One | 10000 | 10000 | 60%
Collection only | 10000 | 9100 | 55%
Correlation only | 12000 | 12000 | 37%
Collection + Archive | 12000 | 12000 | 53%

Table 1-6 Performance figures for HP DL 380 with 8 GB RAM

Role | Input EPS | Output EPS | CPU utilization
All in One | 10000 | 10000 | 60%
Collection only | 10000 | 9000 | 52%
Correlation only | 12000 | 12000 | 38%
Collection + Archive | 10000 | 10000 | 57%

Table 1-7 Performance figures for IBM X3550 with 16 GB RAM

Role | Input EPS | Output EPS | CPU utilization
All in One | 10000 | 9000 | 90%
Collection only | 12000 | 11000 | 75%
Correlation only | 12000 | 10590 | 84%
Collection + Archive | 10000 | 7800 | 75%

Table 1-8 Performance figures for Dell 2950 with 16 GB RAM

Role | Input EPS | Output EPS | CPU utilization
All in One | 10000 | 10000 | 60%
Collection only | 12000 | 12000 | 23%
Correlation only | 12000 | 12000 | 34%
Collection + Archive | 10000 | 10000 | 50%

Table 1-9 Performance figures for Dell 1950 with 16 GB RAM

Role | Input EPS | Output EPS | CPU utilization
All in One | 10000 | 8600 | 60%
Collection only | 10000 | 10000 | 55%
Correlation only | 12000 | 12000 | 42%
Collection + Archive | 10000 | 10000 | 52%

Table 1-10 Performance figures for HP DL 360 with 8 GB RAM

Role | Input EPS | Output EPS | CPU utilization
All in One | 8000 | 8000 | 82%
Collection only | 12000 | 12000 | 50%
Correlation only | 10000 | 10000 | 86%
Collection + Archive | 8000 | 8000 | 76%

Table 1-11 Performance figures for HP DL 360 with 16 GB RAM

Role | Input EPS | Output EPS | CPU utilization
All in One | 7000 | 7000 | 82%
Collection only | 10000 | 9700 | 80%
Correlation only | 10000 | 10000 | 80%
Collection + Archive | 10000 | 10000 | 75%

Table 1-12 Roles for performance calculation of hardware models

All in One: Performance is calculated on an Information Manager server that performs the roles of collection server, archiving server, and correlation server.
Collection only: Performance is calculated on the collection server of a two-server, multiappliance setup. The setup consists of a collection server and a second server that performs the roles of archiving server and correlation server.
Correlation only: Performance is calculated on the correlation server of a two-server, multiappliance setup. The setup consists of a forwarding server and a second server that performs the roles of archiving server and correlation server.
Collection + Archive: Performance is calculated on a server that performs the roles of collection server and archiving server in a two-server, multiappliance setup. The setup consists of that collection and archiving server and a second server that performs correlation.

The details of the setup that was used for the performance estimation are as follows:

- The test run was performed with the summarizers turned off. Symantec recommends that you disable summarizers on the Web configuration interface if you do not use summary queries. Summarizers are maintained in Symantec Security Information Manager 4.7 only to provide backward compatibility with previous versions of Information Manager.
- The test run used a run feeder tool with an archive comprised of WEC, Juniper NetScreen, and Cisco PIX events.
- The average event size used for the performance tests was 512 bytes.
- The time span used to calculate the EPS for each test was 15 minutes, and the total time for the test was 67 hours.

See About Symantec Security Information Manager on page 17.
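A rough sizing calculation built from the tables above, as an added planning aid written for this page rather than a Symantec tool. The output EPS values in the block are copied from Tables 1-2 and 1-4; the 70% headroom rule, the peak factor, and the storage overhead multiplier are assumptions, and the 512-byte event size is the test figure stated in this section. The storage arithmetic is also what exposes the inconsistency between the single-server guidance of "4 MB to 8 MB per day" and the chapter's own event size: at 512 bytes per event, 1,000 EPS is about 44 GB per day.

```python
"""Rough sizing from the EPS tables in this chapter: an added planning aid,
not a Symantec tool. Output EPS values are copied from Tables 1-2 and 1-4;
the 70% headroom rule, the peak factor and the overhead factor are assumptions."""
import math

SECONDS_PER_DAY = 86_400

# Output EPS observed under test, keyed by (hardware, role); values copied
# from Table 1-2 (HP DL 380, 32 GB) and Table 1-4 (Dell R610, 8 GB).
TESTED_OUTPUT_EPS = {
    ("HP DL 380 / 32 GB", "All in One"): 10000,
    ("HP DL 380 / 32 GB", "Collection only"): 9100,
    ("HP DL 380 / 32 GB", "Correlation only"): 13000,
    ("HP DL 380 / 32 GB", "Collection + Archive"): 12000,
    ("Dell R610 / 8 GB", "All in One"): 8450,
    ("Dell R610 / 8 GB", "Collection only"): 9000,
    ("Dell R610 / 8 GB", "Correlation only"): 10650,
    ("Dell R610 / 8 GB", "Collection + Archive"): 8300,
}


def daily_storage_gb(avg_eps, avg_event_bytes=512, overhead=1.0):
    """Event bytes written per day at a sustained average EPS. `overhead`
    (assumed) scales the raw bytes for indexes and the optional raw-event copy."""
    return avg_eps * avg_event_bytes * SECONDS_PER_DAY * overhead / 1e9


def retention_storage_gb(avg_eps, retention_days, avg_event_bytes=512, overhead=1.0):
    """Archive capacity needed to keep `retention_days` of events online."""
    return daily_storage_gb(avg_eps, avg_event_bytes, overhead) * retention_days


def servers_needed(peak_eps, hardware, role, headroom=0.7):
    """Minimum number of load-sharing servers of `hardware` in `role` so that each
    runs at or below `headroom` times its tested output EPS during the peak."""
    usable = TESTED_OUTPUT_EPS[(hardware, role)] * headroom
    return max(1, math.ceil(peak_eps / usable))


def plan(avg_eps, peak_factor, retention_days, hardware, role,
         avg_event_bytes=512, overhead=1.0, headroom=0.7):
    """Combine the two constraints: servers are sized for the peak rate,
    storage for the average rate over the retention period."""
    peak_eps = avg_eps * peak_factor
    return {
        "peak_eps": peak_eps,
        "servers": servers_needed(peak_eps, hardware, role, headroom),
        "daily_gb": round(daily_storage_gb(avg_eps, avg_event_bytes, overhead), 1),
        "retention_gb": round(retention_storage_gb(avg_eps, retention_days,
                                                   avg_event_bytes, overhead), 1),
    }


if __name__ == "__main__":
    # 3,000 EPS average with 3x bursts, 90 days online, all-in-one Dell R610s.
    print(plan(3000, 3, 90, "Dell R610 / 8 GB", "All in One"))
```

Re-run the calculation with your own measured average event size and peak factor; the tested figures were obtained with summarizers off and a fixed event mix, so a deployment with heavier collectors or summary queries enabled will land below them.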

Chapter 2

Symantec Security Information Manager Console

This chapter includes the following topics:

- About the Information Manager console
- About the features of the Information Manager console

About the Information Manager console

To access the console, you must install the Java client of the Information Manager on a Microsoft Windows 2000, 2003, XP, or Vista computer. The client can be downloaded from the Home > Downloads view of the Web configuration interface.

The console of the Information Manager client enables you to perform the following security monitoring functions:

- Define rules to identify security incidents
- Identify critical network hosts
- View Symantec Global Intelligence Network information
- Manage incidents
- Manage tickets
- Create reports
- Perform Service Provider management tasks

The console consists of the following views that help you manage the Information Manager Server:

- Dashboard view
- Intelligence view
- Incidents view
- Events view
- Tickets view
- Assets view
- Reports view
- Rules view
- System view
- Statistics view

See About Information Manager components on page 21.

About the Dashboard view

The Dashboard view on the console of the Information Manager client provides a high-level view of the critical security information in your environment. Information Manager users can customize the dashboard to display the required event, ticket, and incident information. The Dashboard view provides an overview of incident activity through the following default set of queries:

- Closed incident count for each assignee by priority
- Closed incident count for each assignee by severity
- Open incident count for each assignee by severity
- Open incident count for each assignee by priority
- Count of both open and closed incidents by assignee
- Incident count for each of the last seven days

The toolbar of the Dashboard view presents the following options:

Refresh: Refreshes the queries.
Turn Auto Refresh On: Toggles the automatic refresh of the dashboard queries. When Auto Refresh is on, the dashboard queries are refreshed every five minutes by default.
Add: Lets you add a new query to the dashboard.
Delete: Lets you remove a query from the dashboard. You can also remove the query by closing the query window.
Tile: Tiles the dashboard charts.
Cascade: Cascades the dashboard charts.

See Viewing dashboards on page 346.

See Customizing the dashboard on page 350.

About the Intelligence view

The Intelligence view displays the security information that the Symantec Global Intelligence Network gathers. The Symantec Global Intelligence Network is a comprehensive collection of vendor-neutral security data sources. The service is an authoritative source of information about known and emerging vulnerabilities, threats, risks, and global attack activity. The Intelligence view provides information about the current ThreatCon level. It also provides advice and instructions on how to guard against and respond to the current threats.

The Intelligence view presents detailed information under the following tabs:

Analyst Watch: Provides information about IP addresses and URLs known to be involved in malicious activity.
IDS Statistics: Displays the five most frequently occurring intrusion detection events. It also lists offending ISPs, IP addresses, destination ports, attack products, and source and destination countries.
Firewall Statistics: Displays the top five ports on the rise and lists offending ISPs, IP addresses, destination ports, and source and destination countries.
AntiVirus Statistics: Displays the five most frequent corporate and consumer virus sample submissions.
Honeynet: Displays up-to-date information from the Symantec Global Intelligence Network and data analysis of threats in the wild.

Note: The features that appear on the Intelligence view may vary depending on the type of Global Intelligence Network services subscription that you have purchased. Contact your Symantec sales representative for more information.

See About the Information Manager console on page 29.

About the Incidents view

The Incidents view lets you look at and manage Information Manager incidents. You can customize the Incidents view by selecting from the security filters or the alert filters, or by creating your own custom filter. When you select an incident filter, the incident list displays only the incidents that satisfy the filter criteria.

Selecting an incident in the list updates the incident pane with the detailed information for the selected incident. To update the incident, modify the incident attributes and click Save. To maximize or minimize the display area for the incident pane, click the expand and collapse arrows in the upper-left corner. Double-clicking an incident in the list opens the Incident Details dialog box. To update the incident, modify the incident information and then click the Save icon. To export the incident details, click the Export icon. The incident details are exported to a CSV file that you can save to the desired location on your computer. To edit multiple incidents, highlight the incidents and edit the settings in the Details tab.
From the Incidents view toolbar, you can perform the following tasks:

- Select a filter to apply to the Incidents view. The filters available to you depend on the roles to which you are assigned. The filters are grouped by Security Incidents, Alerts, and Custom filters in various states. See Table 2-1 on page 33.
- Create a custom incident view filter.
- Search for an incident by incident Reference ID.
- Create a new incident.
- Open the Incident Details dialog box for the selected incident.
- Create a ticket for the selected incident or incidents.
- Export the incident list to a file. You can export the list in HTML, CSV, or XML format, as required.
- Merge the selected incidents.
- Close the selected incidents. You must provide the disposition (for example, normal, false-positive, resolved, duplicate, or merged) and notes when you close an incident.
- Lock the incident list. You can lock the incident list to prevent newly created or recently assigned incidents from appearing in the list. When you unlock the list, it is updated with the latest incidents.

Table 2-1 describes the logical groups for the filters.

Table 2-1 Logical groups for filters

My Incidents: The incidents that are assigned to the current user. States in this group: Open, New, In-Work, Waiting, and Closed.
My Team Incidents: The incidents that are assigned to the current user's teams. Teams are created in the User Groups section of the System view, on the Administration tab. States in this group: Open, New, In-Work, Waiting, and Closed.
All Incidents: All incidents that have been created, both assigned and unassigned. States in this group: Open, New, In-Work, Waiting, and Closed.
Unassigned Open Incidents: All incidents that are open and unassigned.
My Alerts: The incident alerts that are assigned to the current user. States in this group: Open, New, In-Work, Waiting, and Closed.
My Team Alerts: The incident alerts that are assigned to the current user's teams. Teams are created in the User Groups section of the System view, on the Administration tab. States in this group: Open, New, In-Work, Waiting, and Closed.
All Alerts: All incident alerts that have been created, both assigned and unassigned. States in this group: Open, New, In-Work, Waiting, and Closed.
Unassigned Open Alerts: All incident alerts that are open and unassigned.
Custom Filters: All user-defined incident and alert filters.

The Incidents view details pane contains tabs from which you can view or update the selected incident. Table 2-2 lists the details pane tabs and their functions.

Table 2-2 Incident view details pane tabs

Details: Displays the incident details, including the ID, status, severity, description, creator, assignee, and priority.
Conclusions: Displays the event conclusions that are associated with the incident. To view the details of a conclusion, select it and click the Conclusion Details icon. You can also select an event from the list and view that event's details.
Events: Displays the events that are associated with the incident. To view the details of an event, select it and click the Event Details icon.
Targets: Displays the target computers that are associated with the incident. To view the details for a target computer, select it and click the Details icon. To create an asset from a target computer, select it and click the Create Asset icon.
Sources: Displays the source computers that are associated with the incident. To view details for a source computer, select it and click the Details icon.
Attack Diagram: Displays a visual representation of the progress of the attack that generated the incident, along with the Symantec Event Code.
Intelligence: Displays Symantec signature information, including the malicious code or vulnerability information that may be associated with the event. You can view the intelligence information organized by associated signatures or by target computers.
Tickets: Displays the tickets that have been created for the incident. To view the details of a ticket, select it and click the Ticket Details icon. To create a ticket based on this incident, click the Create Ticket icon. The Create Ticket dialog box includes the following tabs:
  Details: Provides the fields that describe the ticket: a summary description, the priority, the ticket category, the creator, the assignee, and the related incidents.
  Instructions: Lets you correlate Intelligence data from the Global Intelligence Network with the ticket, if information is available.
  Tasks: Provides fields to describe any additional remediation tasks that the creator of the ticket recommends. The Tasks tab of the Create Ticket dialog differs from the steps listed in the Remediation tab for the incident: the Remediation tab contains the instructions that are created automatically when the incident is created, based on settings in the rule that triggered the incident.
Remediation: Displays the remediation suggestions that are associated with the rule that triggered the incident. Remediation entries can be added to a rule on the Rules view.
Log: Displays the history of the incident. The incident history contains entries for incident creation, modifications, and closure. You can add entries to the log to record information and activities related to the incident.

See About the Information Manager console on page 29.

About the Events view

The Events view lets you explore the Information Manager event archives. Event archives contain correlated and uncorrelated event data from the security products that are set up to forward events to Symantec Security Information Manager. You can create multiple event archives that can be stored on any instance of Information Manager. When you perform an event query, you can search across any available combination of archives, regardless of which instance of Information Manager stores the archive. The archives that are visible on the Events view are created by an ordered series of event storage rules. These rules are created on the System view.

To view the events that are stored in the event archives, use templates and queries to search for the events you need. Templates are generally more complex preconfigured queries that can be customized with chosen parameters. System queries focus on specific products or on common aspects of security management. When you run a template or a query, you set the parameters for the query, including which archives to search. Each template and query contains the parameters specific to the data that the query harvests: for example, a specific IP address or the time range in which the search is to be conducted.

After you run the query, the results are displayed in the right pane of the Events view. The presentation of data depends on the query and can include graphs, pie charts, and lists of events. If a query returns a list of events, you can click a particular event to see the event details. You can change table columns if you want to see different information about the events, and view details about a particular event by double-clicking the table row. You can also filter data in the table so that it displays only the events that interest you: filter on a particular event parameter by right-clicking a cell and clicking Filter on cell, or filter results based on a unique column value. Alternatively, use the advanced filtering option to create a more complex query.

You can also use the Query Builder Wizard to query the event archives. The wizard helps you create the following types of queries:

- Event queries
- Trending queries (the trending feature is available only after you select the Event Query option)
- Summary queries
- Advanced SQL queries

Note: The Query Builder Wizard icon is available only when the My Queries folder or the Published Queries folder is selected.

Table 2-3 describes the items in the left pane of the Events view.

Symantec Security Information Manager Console About the Information Manager console 37 Table 2-3 Item Local Event Archives Templates Events view left pane items Description Access the static copies of the events that are archived and that are stored somewhere other than the Information Manager server. Local event archives are often created as a backup copy of an active archive. Local event archives are not updated after the copy of the archive has been made. Provides a set of preconfigured query templates that generally provide a system-wide view of event activity. The templates use the parameters you choose, such as the event archives or the time period from which the query gathers information. A template can be customized by placing a copy in either the My Queries or the Published Queries folder and then adjusting the copy. Access to the Template queries are controlled based on the roles. See Role-based access to the Event Query Templates on page 20. My Queries Displays a list of queries that you have created for your own use. You can move any of these queries into the Published Queries folder to make them available to others. PublishedQueries Displays a list of the queries that have been created at your site and that you want some or all of your users to be able to use. System Queries Displays a list of queries that are included in the Information Manager package. You can use any of these queries as a template for a customized query. To create a customized query, export the selected query as a QML file, and then copy or import the query in the My Queries folder or the Published Queries folder. You can modify it as required. About the Tickets view You can schedule queries to be distributed in a report as a CSV file. See About working with event queries on page 239. See Viewing event data in the archives on page 230. The Tickets view lets you view and manage Information Manager tickets. 
You can customize the ticket view by selecting from one of several ticket filters, or by creating a custom ticket filter. The filters that are available to you depend upon the roles to which you have been assigned. When you select a ticket filter, the ticket list displays only the tickets that satisfy the filter criteria.

38 Symantec Security Information Manager Console About the Information Manager console Selecting a ticket in the ticket list updates the ticket pane with the detailed information for the selected ticket. To update the ticket, modify the ticket attributes and click Apply. Double-clicking a ticket in the ticket list opens the Ticket Details dialog box. To update the ticket, modify the ticket information, and click Save or OK. You can edit multiple tickets simultaneously by opening a Ticket Details dialog box for each ticket to view or modify. The Tickets view toolbar contains icons for the following tasks: Select a filter to apply to the ticket view. The filters that are available to you depend upon the roles to which you are assigned, and may include one or more of the following: My Open Tickets My Closed Tickets All Tickets All Open Tickets All Closed Tickets My Assigned Tickets The open tickets that are associated with the incidents assigned to the current user The closed tickets that are associated with the incidents assigned to the current user All tickets The open tickets The closed tickets All tickets that are assigned to the current user, both open and closed Create a custom ticket view filter. Search for a ticket by ticket ID. Refresh the tickets view. Open the Ticket Details dialog box for the selected ticket. Export the list of tickets to a file. The ticket preview pane contains tabs from which you can view or update the selected ticket. Table 2-4 lists the preview pane tabs and their functions. Table 2-4 Tab Details Ticket preview pane tabs Description Displays the ticket details such as the ID, summary, category, status, priority, timestamp, creator, and help desk assignee.

Symantec Security Information Manager Console About the Information Manager console 39 Table 2-4 Tab Incidents Ticket preview pane tabs (continued) Description Displays the incidents that are associated with the ticket. To associate a new incident with a ticket, click the Add icon. To disassociate an incident from the ticket, select the incident and click the Remove icon. To view the incident details, click the Incident Details icon. To close the incident from the tickets view, select the incident and click the Close icon. Tasks Displays the user tasks that are assigned to each ticket. To add a new task to the ticket, click the Add icon. To remove a task from the ticket, select the task and click the Remove icon. To edit tasks, select the task and click the Edit icon. To add intelligence to the task, click the Intelligence icon. Instructions Displays the instructions that are associated with the ticket. To add or modify the instructions, edit the field and click Save. The instruction field accepts a maximum of 3000 characters. The Instructions tab also displays the Reset icon. You can also use the Add Intelligence to Instructions icon. Log Displays the ticket history that contains entries for ticket creation, ticket modifications, and ticket closure. To add log entries to record information and the activities that are related to the ticket, click the Add icon. About the Assets view See About the Information Manager console on page 29. The Assets view lets you view and manage Information Manager assets. Use the Assets view to identify critical assets in your environment, and track the incidents and the tickets that are related to those assets. Identify the network assets that have one or more of the following attributes: Host critical information or services Host confidential information Have specific roles on the network, such as firewall or vulnerability scanning devices

  Require high availability
  Comply with regulatory policies

The correlation manager uses the asset information to identify and prioritize incidents. The correlation manager creates an incident when a threat exploits an asset's vulnerabilities, and it sets the incident priority based upon the confidentiality, integrity, and availability ratings that you assign to the asset. Because the correlation rules depend upon the asset information, identifying key network assets on the Assets view is a critical configuration step.

You can populate the list of assets in any of the following ways:
  Manually add entries in the Assets view.
  On the Incidents view, in the Targets tab for an incident, create assets based upon computers.
  On the Events view, under System Queries > SSIM > SSIM System, create assets from the query results of the Source view query and the Target view query.
  On the Assets view, import a list of assets in XML or CSV format. For example, you can export a list of network computers from Microsoft Active Directory, convert the file to CSV format, and then import the file into Information Manager.
  Create assets by integrating Information Manager with a policy compliance assessment tool, such as Symantec Control Compliance Suite or Symantec Enterprise Security Manager.
  Create assets by integrating Information Manager with a network vulnerability scanner. Use the Asset Detector rule under Monitor > System Monitors on the Rules view to choose the vulnerability scan products that automatically populate the assets table.

If you run vulnerability scans periodically on your network, lock the asset information for particular computers. If you lock an asset, the vulnerability scan does not modify the list of services that are hosted on the asset. A vulnerability scan always updates the asset vulnerabilities, regardless of the asset lock status.
You can filter the view of the assets in your environment using the filtering options or asset groups. Search for an asset from each of the views by entering the IP address or host name in the Search Asset field, and then clicking the Search icon.

Double-clicking an asset in the asset list opens the Asset Details dialog box. To update the asset, modify the asset fields and then click the Save icon. You can update multiple assets simultaneously by opening the Asset Editor dialog box for each asset that you want to modify.

Table 2-5 lists the Assets view tabs and their functions.

Table 2-5 Assets view tabs

  Details: Displays the network identification, description, priority, organization, operating system, and lock information for the selected asset.
  Policies: Displays any policy that is applied to the selected asset. You can add policies to an asset from a customizable list of regulatory policies. To customize the list of available policies, select the Administration tab on the System view. You can also delete policies from the asset.
  Services: Displays the network services that the selected computer hosts. You can add services to an asset from a customizable list of well-known services. To customize the list of services, select the Administration tab on the System view. You can also delete services from the asset.
  Incidents: Lists any incidents that pertain to the selected asset. The incident list is a convenient way to monitor the security activity that is related to an asset.
  Tickets: Lists any tickets that pertain to the selected asset. The ticket list is a convenient way to monitor the work-order activity that is related to an asset.
  Vulnerabilities: Displays the discovery date, CVE ID, BugTraq ID, and description of any vulnerability that is discovered on the asset. The vulnerability information is tracked when the assets are imported from a vulnerability scanner.

About the Reports view

See About the Information Manager console on page 29.

The Reports view lets you create and manage Information Manager reports. To create a report, you insert one or more queries into a report template. You can also add graphic elements and text, including a header and footer. Reports can span multiple views, or you can subdivide a single view and insert multiple queries on that view.

You can distribute a report immediately, or you can schedule it to be generated at a specific time and then distributed automatically. You can also export and import reports in RML format.

The Reports toolbar contains icons for report management tasks. The tasks available to you depend upon the roles to which you have been assigned, and may include one or more of the following:
  Refresh the Explorer pane.
  Create a folder.
  Create a report.
  Save a report.
  Remove the selected report or folder.
  Import a report from an RML format file.
  Export the selected report to an RML format file.
  Adjust the view settings for a report, including the view size and orientation.
  Publish the selected report by placing the report in the Published Reports folder.

The Reports view has the following panes:
  Explorer: The Explorer pane lets you manage the My Reports folder and the Published Reports folder, as well as any new folders that you create. When you create a report in the My Reports folder, it is available only to the user who created it. When you create a report in the Published Reports folder, it is available to all users who have the applicable permissions for the contents of the report. To publish a report, drag it from your private folder to the Published Reports folder. When you publish a report by dragging it into the Published Reports folder, the published copy and the original are not linked. In addition to creating, publishing, and deleting reports, you can create and delete report folders. You can also import reports, export reports, and move reports from one folder to another.
  Properties: The Properties pane lets you view and edit the property values of the selected report, such as the background color or line thickness.
  Report: The Report pane provides the tabs that let you design, preview, and distribute the selected report.

Table 2-6 describes the tabs that appear in the right pane when you create a new report or select an existing report from the list in the left pane.

Table 2-6 Report pane tabs

  Design: Lets you specify and format the contents of your report. You can include multiple data queries, images, annotation text, and grids in your report. The queries that are available to you depend upon the roles to which you are assigned. For example, you may have access to queries that pertain to firewall and VPN data, but not to queries on antivirus data.
  Preview: Displays a preview of the report. You can also save or print the report from the Preview tab. You can also drill down on the following query types by clicking on the reports that are displayed:
    Top N by Field
    Trending for Top N by Field
    Summary Data Queries
    See Performing a drill-down on reports on page 343.
  Distribute: Lets you schedule the report and specify report recipients. You can compose an email report notification message, attach the report as a PDF and RTF, or include a URL link to the report.
    Note: When the recipient clicks the URL link, the report can be accessed directly if the user has already logged on to the Web configuration interface using the host name of Information Manager. However, if the user has logged on using the IP address of Information Manager, the user is prompted for authentication to access the report.
    You can also test the report distribution configuration with the Test option. The reports are distributed immediately after you perform the test. To schedule a report for distribution, you must first publish the report by placing it in the Published Reports folder.
    Note: The Distribute option is available only for Published Reports.

See About the Information Manager console on page 29.

About the Rules view

The Rules view lets you create, test, and manage the rules that Information Manager uses to filter known false positives and declare security incidents. Default rules provide a starting point for detecting the most common kinds of security incidents, including denial-of-service attacks and blended threats. The default filtering rules provide a set of common filters that can also be used to create customized filters. You can enable, disable, and fine-tune the default rules and filters based on the needs of your organization and the security products that are running.

The Rules view also includes folders for monitors and lookup tables. Monitoring rules are used to detect unexpected security-related changes to systems, or periods of inactivity from the systems that are monitored. The lookup tables provide a set of tables that can be configured to list known malicious IP addresses, sensitive files, sensitive URLs, services, Trojan horses, and Windows events, and that can be used to fine-tune rules and filters. For example, if you have detected a set of IP addresses that routinely attempt to maliciously infiltrate your network, you can add these IP addresses to an IP address lookup table. You can then create a custom rule that checks the table for these known malicious IP addresses during rules processing.

When you define the actions that take place when an incident is triggered, you can create remediation notes. These notes appear on the Remediation tab of each incident that is created. When you add remediation information to a rule and save the changes, the remediation information is updated for both new and existing incidents.

The Rules view toolbar contains icons for the following tasks:
  Refresh the Rules list.
  Create a rule.
  Create a new folder.
  Delete a rule.
  Import rules.
  Export rules.
  Copy a rule.
  Deploy a rule.
  Revert changes to a rule.
  Enable rules.
  Disable rules.

Each folder in the navigation tree includes two subfolders: a System subfolder and a User subfolder. By default, the System subfolder contains the predefined rules, filters, monitors, and lookup tables that are included with Information Manager. You can enable or disable the items in the System subfolders; however, you cannot make changes to these predefined elements. To create a modified version of a preconfigured rule, filter, monitor, or lookup table, create a custom version of the element and save it in the corresponding User folder. If you create a custom rule or lookup table, you must deploy and enable the new element before it can be used during event processing.

Table 2-7 describes the items that are displayed in the Event Filters list in the left pane. It also describes the tabs that appear in the right pane when you make a selection from this list.

Table 2-7 Event filters

  Event Filters list: Displays the list of default filters in the System Filters folder and custom filtering rules in the User Filters folder. Use the checkboxes to turn the rules on and off.
  Conditions tab: Displays the event criteria that the filtering rules use to filter events. If you create a custom filter, you can add or remove event criteria from this pane.
  Testing tab: Lets you test filtering rules with saved event data so that you can evaluate whether the rule filters when it should. This tool helps you fine-tune a rule to filter out the events that cause false positives. You can also debug the errors that prevent the rule from filtering events.
  History tab: Shows the date and time that a user last edited a rule.

Table 2-8 describes the items that are displayed in the Monitors list in the left pane. It also describes the tabs that appear in the right pane when you make a selection from this list.

Table 2-8 Monitors

  Monitors list: Displays the list of default monitors in the System Monitors folder and custom monitors in the User Monitors folder. Use the checkboxes to turn the rules on and off.
  Properties tab: Lists the monitor properties that let you configure the system monitors.
  Actions tab: Lets you specify the follow-up actions that are required to resolve the incident. You can also specify the user or the team that is assigned to investigate and resolve the incident. See About automatically assigning incidents on page 59. See Assigning incidents automatically to the least busy member in a user group on page 302.
  History tab: Shows the date and time when a user last edited a monitoring rule.

Table 2-9 describes the items that are displayed in the Correlation Rules list in the left pane. It also describes the tabs that appear in the right pane when you make a selection from this list.

Table 2-9 Correlation rules

  Rules list: Displays the list of default rules in the System Rules folder and custom rules in the User Rules folder. Use the checkboxes to turn the rules on and off.
  Conditions tab: Displays the event criteria that the rules use to declare a security incident. If you create a custom rule, you can add or remove event criteria from this pane.
  Actions tab: Specify the follow-up actions that are required to resolve the incident. You can specify the user or the team that is assigned to investigate and resolve the incident. See About automatically assigning incidents on page 59. See Assigning incidents automatically to the least busy member in a user group on page 302. You can also create the remediation notes that are associated with each incident that this rule creates, and configure the notifications that are sent when the rule conditions are triggered.

  Testing tab: Lets you test rules with saved event data so that you can evaluate whether the rule declares incidents when it should. This tool helps you fine-tune a rule to filter out the events that cause false positives. You can also debug the errors that prevent the rule from declaring incidents when it should.
  History tab: Shows the date and time when a user last edited a rule.

Table 2-10 describes the items that are displayed in the Lookup Tables list in the left pane. It also describes each of the lookup tables that are listed under System Lookup Tables.

Table 2-10 Lookup tables

  Lookup Tables list: Lists the default lookup tables in the System Lookup Tables folder and custom tables in the User Lookup Tables folder.
  Administrative Users: Lists the users who can perform administrative activities.
  Authorized Ports Inbound: Lists the authorized ports through which incoming traffic is allowed, as per the policies.
  Authorized Ports Outbound: Lists the authorized ports through which outgoing traffic is allowed, as per the policies.
  Critical Servers: Lists the IP addresses of the servers that are critical from a business perspective.
  default usernames: Lists the authorized users.
  IP Watch List: Lists the IP addresses of known attackers. An incident is created if an event is detected from one of these IP addresses. This is a configurable table that is available for manually tracking known bad IP addresses. DeepSight and LiveUpdate updates maintain a separate internal IP Watch List, which contains IP addresses known to be malicious in the larger Internet environment.
  IP Whitelist: Lists the whitelisted IP addresses. These IP addresses and domain names are reputable and can be trusted. You can add your own trusted domain names and IP addresses to the list.
  Monitored Logging Devices: Lists the logging devices that must be monitored for an idle state after a specific time span.
  Organization Domains: Provides a table in which you can describe the organizational domains that are monitored.
  P2P Programs: Lists the P2P programs.
  Potential Policy Violation IPs: Lists the IP addresses of the hosts that can potentially violate the policy.
  RapidResponseMonitoredAddressTraffic: Lists all of the bad IP addresses with which your sensitive data can communicate.
  sensitive files: Lists the file names to monitor during FTP transfers.
  sensitive urls: Lists the text strings that are often included in malicious URLs.
  services: Lists the services that are associated with each port number.
  trojans: Lists the known Trojan horse exploits.
  user watchlist: Provides a table in which you can list the users and user names that formerly had access to the network.
  Weekdays: Lists the days of the week, to allow further refinement of queries based on the day or days associated with an event.
  Weekend: Lists the days of the weekend, to allow further refinement of queries based on the day or days associated with an event.
  Windows events: Lists the Windows events that may indicate violations of security policies or other malicious activities.
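The lookup-table check described under the Rules view (a custom rule that consults the IP Watch List during rules processing) and the asset-rating prioritization described under the Assets view, modelled together as an added example that is not part of this guide or of Information Manager; the table contents, assets, events, and the band-to-priority mapping are constructed assumptions, and the 1 = non-critical, 2-3 = medium, 4-5 = critical bands follow the Derived tab descriptions later in this chapter.

```python
"""Added example, not Information Manager's own code: a custom correlation
rule that consults lookup tables (IP Watch List, IP Whitelist, Critical
Servers) and derives the incident priority from the confidentiality,
integrity, and availability ratings assigned to the target asset. All table
contents, assets, events, and the priority mapping are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed lookup tables. A real deployment maintains these in the Rules
# view under Lookup Tables; the entries below are sample data only.
LOOKUP_TABLES: Dict[str, List[str]] = {
    "IP Watch List": ["198.51.100.0/24", "203.0.113.7"],
    "IP Whitelist": ["203.0.113.7"],      # a whitelisted entry overrides the watch list
    "Critical Servers": ["192.0.2.10", "192.0.2.11"],
}


def in_table(table: str, address: str) -> bool:
    """True if address matches any host or CIDR entry in the named table."""
    addr = ip_address(address)
    return any(addr in ip_network(entry, strict=False) for entry in LOOKUP_TABLES[table])


@dataclass
class Asset:
    """Asset record carrying the CIA ratings set on the Assets view (1..5 each)."""
    ip: str
    confidentiality: int = 1
    integrity: int = 1
    availability: int = 1

    def rating_band(self) -> str:
        """Map the highest of the three ratings onto the guide's bands."""
        top = max(self.confidentiality, self.integrity, self.availability)
        if top >= 4:
            return "Critical"
        if top >= 2:
            return "Medium"
        return "Non-critical"


@dataclass
class Event:
    """The subset of Common tab event criteria that the rule reads."""
    ip_source_address: str
    ip_destination_address: str
    event_type_id: str


@dataclass
class Incident:
    source: str
    target: str
    priority: str


# Constructed asset table keyed by IP address.
ASSETS: Dict[str, Asset] = {
    "192.0.2.10": Asset("192.0.2.10", confidentiality=5, integrity=4, availability=3),
    "192.0.2.20": Asset("192.0.2.20", confidentiality=2, integrity=2, availability=1),
}

# Assumed mapping from rating band to incident priority.
PRIORITY_BY_BAND = {"Critical": "High", "Medium": "Medium", "Non-critical": "Low"}


def watch_list_rule(event: Event) -> Optional[Incident]:
    """Declare an incident when the source is on the IP Watch List and is not
    whitelisted. Priority follows the target asset's ratings; a target absent
    from the asset table is non-critical unless it is a Critical Server."""
    if not in_table("IP Watch List", event.ip_source_address):
        return None
    if in_table("IP Whitelist", event.ip_source_address):
        return None
    asset = ASSETS.get(event.ip_destination_address)
    band = asset.rating_band() if asset else "Non-critical"
    if in_table("Critical Servers", event.ip_destination_address):
        band = "Critical"
    return Incident(event.ip_source_address, event.ip_destination_address,
                    PRIORITY_BY_BAND[band])


def run_rules(events: List[Event]) -> List[Incident]:
    """Apply the rule to a batch of events and keep only the declared incidents."""
    return [inc for inc in (watch_list_rule(e) for e in events) if inc is not None]


# Constructed sample events.
SAMPLE_EVENTS = [
    Event("198.51.100.25", "192.0.2.10", "Network Intrusion Activity"),  # watch list -> critical server
    Event("198.51.100.26", "192.0.2.20", "Network Intrusion Activity"),  # watch list -> medium asset
    Event("203.0.113.7", "192.0.2.10", "Network Intrusion Activity"),    # whitelisted, no incident
    Event("192.0.2.50", "192.0.2.10", "Scan Events"),                    # not on the watch list
]

if __name__ == "__main__":
    for inc in run_rules(SAMPLE_EVENTS):
        print(f"{inc.priority:6} {inc.source} -> {inc.target}")
```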

The following tables list the event criteria that are available and their descriptions.

Table 2-11 Event Criteria: Common tab

  Agent Host: The host name of the computer on which the agent is installed.
  Agent IP: The IP address of the computer on which the agent is installed.
  Agent Mac: The MAC address of the computer on which the agent is installed.
  Agent Numeric IP: The numeric IP address of the computer on which the agent is installed.
  Agent Subnet: The subnet to which the agent computer belongs.
  Category ID: Lets you select the criteria on the category of the event from among Application, Communication, Device, Diagnostics, Environment, QS, and Security.
  Collection Device Host: The host name of the computer on which the product (collector) is installed.
  Collection Device IP: The IP address of the computer on which the product (collector) is installed.
  Collection Device ID: The device ID of the computer on which the product (collector) is installed.
  Collection Device Mac: The MAC address of the computer on which the product (collector) is installed.
  Collection Device Numeric IP: The numeric IP of the computer on which the product (collector) is installed.
  Collector Sensor: Identifies the sensor that recorded the event that a collector sent.
  Configuration ID: The ID of the configuration.

  Created Date: The date that the event was created. Server Time - When the event occurs, the time zone of the server is considered for the event correlation. Source Network Time Zone - When the event occurs, the time zone of the source network is considered for the event correlation. Destination Network Time Zone - When the event occurs, the time zone of the destination network is considered for the event correlation. If the time zone is not specified, by default the time zone of the server is considered for the event correlation.
  CVSS: The numeric value that describes the CVSS score for the vulnerability, if detected.
  Description: A description of the event.
  Destination Host name: The destination host name.
  Device Action: Describes the action that the point product took (the event was prevented, permitted, failed, successful, or denied).
  Domain: The domain from which the data object originated.
  Effects: The effects of malicious activity.
  Event ending date: The date when the event ended. Server Time - When the event occurs, the time zone of the server is considered for the event correlation. Source Network Time Zone - When the event occurs, the time zone of the source network is considered for the event correlation. Destination Network Time Zone - When the event occurs, the time zone of the destination network is considered for the event correlation. If the time zone is not specified, by default the time zone of the server is considered for the event correlation.
  Event Archive ID: The ID of the archive to which the event belongs (used in summarizers).

  Event class ID: The possible values are symc_hdr_tkt_update_class or symc_hdr_task_update_class.
  Event Count: The number of times that an event occurred to cause the event to be logged.
  Event Date: The date when the event occurred. Server Time - When the event occurs, the time zone of the server is considered for the event correlation. Source Network Time Zone - When the event occurs, the time zone of the source network is considered for the event correlation. Destination Network Time Zone - When the event occurs, the time zone of the destination network is considered for the event correlation. If the time zone is not specified, by default the time zone of the server is considered for the event correlation.
  Event Day: The day when the event occurred. Server Time - When the event occurs, the time zone of the server is considered for the event correlation. Source Network Time Zone - When the event occurs, the time zone of the source network is considered for the event correlation. Destination Network Time Zone - When the event occurs, the time zone of the destination network is considered for the event correlation. If the time zone is not specified, by default the time zone of the server is considered for the event correlation.
  Event Type ID: The event type, such as Host Intrusion Event or Vulnerability Detected.
  Host Domain: The domain of the computer on which the product is installed.
  IP Destination Address: The IP address of the destination.
  IP Destination Port: The port of the destination or target.
  IP Source Address: The IP address of the source.
  IP Source Port: The port address of the source.

  Logged at: The location where the event was created. Server Time - When the event occurs, the time zone of the server is considered for the event correlation. Source Network Time Zone - When the event occurs, the time zone of the source network is considered for the event correlation. Destination Network Time Zone - When the event occurs, the time zone of the destination network is considered for the event correlation. If the time zone is not specified, by default the time zone of the server is considered for the event correlation.
  Logging Device IP: The IP of the device that logged the event.
  Logging Device Mac: The MAC of the device that logged the event.
  Logging Device Name: The name of the device that logged the event.
  Logging Device Numeric IP: The numeric IP of the device that logged the event.
  Logging User: The account name that was used to log the event.
  Mechanisms: The comma-separated integer values that represent the mechanisms categorization.
  Network Protocol: Contains a normalized protocol value. This field is populated by the developer based on mapping the value of nw_protocol or network_protocol_id to a standardized protocol identifier such as TCP, UDP, ICMP, IGMP, or ARP.
  Network Traffic Direction: The direction of the network traffic, such as external, internal, inbound, outbound, or unknown.
  NumericIPDestinationAddress: The numeric IP of the destination address.
  Numeric IP Source Address: The numeric IP of the source address.
  Organizational Unit: The Information Manager organizational unit of the computer.
  Original Ending Event Date: The date that the event ended, if the event end date was replaced during normalization.

  Original Event Date: The date that the event occurred, if the event date was replaced during normalization. Server Time - When the event occurs, the time zone of the server is considered for the event correlation. Source Network Time Zone - When the event occurs, the time zone of the source network is considered for the event correlation. Destination Network Time Zone - When the event occurs, the time zone of the destination network is considered for the event correlation. If the time zone is not specified, by default the time zone of the server is considered for the event correlation.
  Point Product Version: The version of the point product from which you collect logs.
  Posted at: The timestamp that the agent sets before it sends the event to the event service.
  Product: The name of the product from which you collect logs.
  Raw Event: The raw event as it is received from the logging device or application.
  Resources: The comma-separated integer values that represent the resources categorization.
  Severity ID: The severity of the event being reported. The value is in parentheses.
  Software Feature ID: The software feature ID as defined for the collector. Each collector must have at least one software feature that is defined for logging and configuration purposes.
  Source Host Name: The host name of the source of the event.
  SSIM Event Insert
  Symantec Event Code: A standard event code ID that Symantec has approved for Information Manager to use to report the associated event.
  Symantec Vendor Signature ID: The signature ID that is used to identify Symantec vendors.

  Target Resource: The target of the attack. This information can be the URL for an HTTP or FTP connection, or a file name or server name.
  Time adjustment in seconds: The number of seconds by which to adjust the event date that was logged on the agent when events are collected from another time zone.
  Unique Event ID: The unique ID that is assigned to each event.
  User name: Contains the user name or group account of the user or group at which the event is targeted.
  Vendor Device ID: The Global Intelligence Network cross-reference of the vendor product. This ID is a two-digit code that is available only in certified, Tier 1, and Premium collectors.
  Vendor Severity: The event severity identifier that the point product uses.
  Vendor Signature: Contains the unique event signature from the point product. This signature is used in retrieving data from the Global Intelligence Network integration.
  Version: The version of the collector.

Table 2-12 Events Criteria: Derived tab

  Bugtraq ID List: A security mailing list that includes detailed discussion and announcement of computer security vulnerabilities. The list describes what they are, how to exploit them, and how to fix them.
  CVE ID List: A publicly known list of information security vulnerabilities and exposures.
  Destination Host Availability: Contains the Availability setting for the destination host at which the event was targeted.
  Destination Host Bid List: List of Bugtraq IDs that are known for the destination address (asset).

  Destination Confidentiality: Contains the Confidentiality setting for the destination host at which the event was targeted. The Confidentiality values include the following: 1 - Non-critical, 2 and 3 - Medium, and 4 and 5 - Critical.
  Destination CVE List: List of the common vulnerabilities and exposures that are known for the destination address (asset).
  Destination Host Integrity: Contains the Integrity setting for the destination host at which the event was targeted. The Integrity values include the following: 1 - Non-critical, 2 and 3 - Medium, and 4 and 5 - Critical.
  Destination Host is internal: The Boolean value that describes whether the destination host is internal.
  Destination Host Location: The string value that describes the destination host location.
  Destination Host OS: The string value that describes the destination host operating system.
  Destination Host OS Version: The string value that describes the operating system version.
  Destination Host Policies: Contains the host policy for the destination host. Policies are added in the Systems view, under the Policies tab.
  Destination Host Services: Contains the destination host service that the event affected. Services are added in the Systems pane, under the Services tab.
  Destination is critical: The Boolean value that describes whether the target of the event has been categorized as critical. This value is set to True if the asset exists in the Assets table.
  Destination Network Logical Location: The string value that describes the logical location of the destination of the event (as opposed to the physical location).
  Destination Network Name: The string value that contains the descriptive name of the destination network.

  Destination Network Physical Location: The string value that describes the physical location of the destination of the event.
  Destination Port is open: The Boolean value that describes whether the port that was affected is still open.
  Effects: The Effects values describe the effects of the event from the detector's point of view (for example, Degradation or Reconnaissance).
  Mechanisms: The Mechanisms values describe the method of attack that was used to generate an event, from the detector's point of view (for example, Virus or Port Sweep).
  Resources: The EMR resource value indicates the type or types of resources that the event is likely to affect (for example, Mail or Host).
  Source Host Availability: Contains the Availability setting for the host from which the event originated. The Availability values include the following: 1 - Non-critical, 2 and 3 - Medium, and 4 and 5 - Critical.
  Source Host Bid List: List of Bugtraq IDs that are known for the source address (asset).
  Source Host Confidentiality: Contains the Confidentiality setting for the host from which the event originated. The Confidentiality values include the following: 1 - Non-critical, 2 and 3 - Medium, and 4 and 5 - Critical.
  Source Host CVE List: List containing the Common Vulnerabilities and Exposures IDs for the source.
  Source Host Integrity: Contains the Integrity setting for the host from which the event originated. This value is set in the Asset table by the user. The Integrity values include the following: 1 - Non-critical, 2 and 3 - Medium, and 4 and 5 - Critical.
  Source Host is internal: Boolean value that describes whether the source host is internal.
  Source Host Location: String value that describes the host location. This value is set in the Network table by the user.

  Source Host OS: String value that describes the host operating system. This value is set in the Asset table by the user.
  Source Host Policies: Contains the host policy for the source. Policies are added in the Systems pane, under the Policies tab. For a rule to use this value, the policy must be added to the asset that is referenced as the source IP in the event.
  Source Host Services: Contains the service that the event affected. Services are added in the Systems pane, under the Services tab. For a complete list of the available services, see the drop-down list for this event field.
  Source Host is critical: Boolean value that describes whether the source of the event has been categorized as critical. This value is set in the Asset table by the user.
  Source Network Logical Location: String value that describes the logical location of the source of the event (as opposed to the physical location).
  Source Network Name: String value that contains the descriptive name of the source network.
  Vulnerable: Value that determines whether the system that is specified in the Target IP field is listed as vulnerable in the Asset table. The possible values for this field include the following: True, False, and Can't Determine.

Table 2-13 Events Criteria: Events tab

  Application Update: Application update is used to indicate the status of version updates. Possible values are current version and previous version.
  Audit Activity: Lets you set the type of audit activity that is carried out. Examples are Audit Authentication, Audit Result, and so forth.
  Backup and Recovery Activity: Lets you select the device type, session name, integrity marker, or any other additional information under options 1, 2, and 3.

Table 2-13 Events Criteria: Events tab (continued)

Common Event: Lets you select and set a value from the common event types, such as those available under the Common tab.
Compliance Activity: Lets you set a value for the compliance events that software components log to determine whether they meet certain security criteria.
Configuration Update: Lets you enter values for the configuration change source, name, and revision.
Data Incident: Lets you set the values for the classes and event IDs that are used to log an incident in a top-level data object or one of its subcomponents. The single event describes the top-level data object, the subcomponent name (if applicable), the incident rule that was triggered, why the incident rule was triggered, and the status of the top-level data object and the subcomponent (if applicable).
Data Virus Incident: Lets you enter the values for the quarantine server, definition number, QS, or type of malware (known virus, unknown virus, worm, Trojan horse, or other) that the virus scanner detected.
Definition Update: Lets you set the values for the version, date, and information of the current and the previous versions.
Firewall Connection Statistics: Lets you set the values for the events that provide details about a connection, for reporting on byte counts, services used, and connection durations.
Firewall Network Event: Lets you set the values for the base set of fields that let all firewalls log common data in a consistent manner.
Host Intrusion Activity: Lets you set the values for the information fields that are specific to activity that is detected at the host.
Incident Message
Intrusion Activity: Lets you set the values for the information that is common to the intrusion activity that is detected at both the network and the host levels.
Network Event

Network Intrusion Activity: Lets you enter the values for the type, the MAC ID of the source, and the destination.
SAV Catalog
SAV Snapshots
Scan Events: Lets you enter the values for the scan name, type, and GUID.
System Information: Lets you enter the information about the system.
VPN Connection Statistics: Lets you enter the values for the VPN index and ID.
VPN Network Event: Lets you set the type of VPN network event.
Vulnerability: Lets you set the values for the fields that are associated with a vulnerability.
Vulnerability Audit: Lets you set the vulnerability audit ID or the human-readable name of the audit.
Vulnerability Audit Error: Lets you enter a description of the error.
Windows and Novell Event: Lets you enter the values for the fields that are related to all of the events that the Windows and Novell event logs generate.

See About the Information Manager console on page 29.

About automatically assigning incidents

In Information Manager, an incident is created when an event matches a criterion that is specified in a rule or monitor. Based on the rules that are set, these incidents can be assigned automatically to a specific user group or to an individual user. Rules or monitors can also be set to assign incidents automatically to the least busy member of a user group.

See Assigning incidents automatically to the least busy member in a user group on page 302.

Incidents are assigned automatically to the individual with the lowest load factor. The load factor is calculated from the incident count and the incident state. Each incident state is assigned a value: incidents in the New state have the highest value, and incidents in the Waiting state have the lowest value.

A user group member who has many incidents in the New state is considered busy, so incidents in the New state have the highest value. Incidents in the Working state have a lower value, and incidents in the Waiting state have the lowest value. The number of incidents that are already assigned to a user and the value of each incident's state together determine the load factor. The member with the lowest load factor is given priority when an incident is assigned. When two or more users have the same load factor, Information Manager uses the timestamp to determine which user is the least busy.

Table 2-14 shows how Information Manager calculates the incident load factor. Three users are assigned the same number of incidents, but in different incident states. Although each user has the same number of incidents, their load factors differ because the values of their incident states differ. In the example, Information Manager assigns incidents to User C because User C has the lowest load factor.

Table 2-14 Incident load factor

User  Incidents: New  Incidents: Working  Incidents: Waiting  Formula (incident count * value of incident state)  Load Factor
A     4               2                   1                   (4*3) + (2*2) + (1*1)                                17
B     2               4                   1                   (2*3) + (4*2) + (1*1)                                15
C     1               2                   4                   (1*3) + (2*2) + (4*1)                                11

Assigning incidents automatically to the least busy member in a user group

Rules and monitors can be set to assign incidents automatically to a user group or to a user within the user group. You can also set rules and monitors to assign incidents automatically to the least busy member in a user group. Only user groups are considered when incidents are assigned automatically to the least busy member. The member with the lowest incident load factor is considered the least busy member in a user group.

See About automatically assigning incidents on page 59.
When incidents are assigned automatically to a user group for the first time, the first user in the user group becomes eligible for incident assignment.
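The load-factor calculation and least-busy selection described above, written out as an added example; this is not Information Manager's own code. The state weights New = 3, Working = 2 and Waiting = 1 are the ones implied by the formula in Table 2-14. The guide says only that "the timestamp" decides ties, so breaking ties on each member's last assignment time, and falling back to group order for a fresh group, are assumptions made here:

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Weights implied by the guide's formula: New counts most, Waiting least.
STATE_WEIGHTS = {"New": 3, "Working": 2, "Waiting": 1}


def ts(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp (helper for the constructed data)."""
    return datetime.fromisoformat(iso)


@dataclass
class Member:
    name: str
    # Open incidents currently assigned to this member, keyed by state.
    incidents: Dict[str, int] = field(default_factory=dict)
    # Assumed tie-breaker: when this member last received an incident.
    # The guide only says that a timestamp is used to break ties.
    last_assigned: Optional[datetime] = None


def load_factor(member: Member) -> int:
    """Sum of (incident count * weight of the incident state)."""
    unknown = set(member.incidents) - set(STATE_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown incident state(s): {sorted(unknown)}")
    return sum(count * STATE_WEIGHTS[state]
               for state, count in member.incidents.items())


def least_busy(group: List[Member]) -> Member:
    """Return the member with the lowest load factor.

    Ties: a member who has never been assigned anything wins; otherwise the
    earliest last-assignment time wins; a remaining tie falls back to the
    member's position in the group, so a fresh group yields its first member.
    """
    if not group:
        raise ValueError("user group is empty")

    def sort_key(indexed):
        position, m = indexed
        return (load_factor(m),
                m.last_assigned is not None,
                m.last_assigned or datetime.min,
                position)

    return min(enumerate(group), key=sort_key)[1]


def auto_assign(group: List[Member], when: datetime) -> str:
    """Assign a newly created incident (state New) to the least busy member,
    update that member's counters and timestamp, and return the assignee."""
    target = least_busy(group)
    target.incidents["New"] = target.incidents.get("New", 0) + 1
    target.last_assigned = when
    return target.name


if __name__ == "__main__":
    # Constructed data reproducing Table 2-14.
    group = [
        Member("A", {"New": 4, "Working": 2, "Waiting": 1}),
        Member("B", {"New": 2, "Working": 4, "Waiting": 1}),
        Member("C", {"New": 1, "Working": 2, "Waiting": 4}),
    ]
    for m in group:
        print(m.name, load_factor(m))            # A 17, B 15, C 11
    print("assigned to", auto_assign(group, ts("2012-01-01T09:00:00")))  # C
```

Running the block reproduces the table: A = 17, B = 15, C = 11, and the next incident goes to C. After that assignment C's load rises to 14, which is still the lowest, so a second incident would also go to C; the tie-breaker only matters once loads are equal.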

When an incident is assigned to a member of the user group, a log entry is created for that incident. In the Incident log, this entry is listed as SSIM against the user name of that member.

To assign incidents automatically to the least busy user
1 In the Information Manager console, click Rules.
2 Select the rule or monitor whose incidents must be assigned automatically.
3 On the Actions tab, check Enable Auto Assign.
4 Check Assign to least busy user, and then select the corresponding user group.
When the rule is deployed, the incidents are assigned automatically to the least busy member in the user group.

About the System view

The System view includes information about the Information Manager configuration, the security products that you manage, and event management. The System view also lets you create and maintain objects such as users, roles, and policies.

Table 2-15 lists the System view tabs and their functions.

Table 2-15 System view tabs

Administration: Lets you view and maintain administrative information, such as user accounts and roles, policies, and paging services.
Server Configurations: Lets you manage correlation, whether events are stored locally, whether Information Manager agent bootstrapping is enabled, and whether the server is designated as a Service Provider master. You can also configure event storage rules, event forwarding, and incident forwarding.
Product Configurations: Displays a list of all the security products that can be managed on your network. Right-click a product name to view or modify its properties and permissions.
Visualizer: Displays an illustration that represents your Information Manager network. Right-click an object in the graphic to view or modify its properties.

See About the Information Manager console on page 29.

About the Statistics view

The Statistics view provides information about the health and performance of the Information Manager server. You can display statistics for the server to which the console is connected. Alternatively, you can view the statistics for another server that shares the same directory.

Table 2-16 lists the Statistics view tabs and their functions.

Table 2-16 Statistics view tabs

System Status: Displays the server's memory and CPU utilization, database statistics, and the status of any database jobs, such as backup and purge.
Correlation: Displays the processing rate statistics for processes such as correlating events, declaring conclusions, and inserting incident data into the Information Manager database.
Filters: Displays the filtering statistics for the correlation engine. You can monitor the Filters tab to determine how many events are excluded from the correlation engine.
Rules: Displays trigger statistics for each correlation rule. You can monitor the Rules tab to confirm that rules are triggered as expected.
Event Service: Displays the rate statistics for the following event services: events received, event normalization, event archiving, and event correlation forwarding.

In the upper right corner of the console, a graph displays the events that the server is processing per second, so you can see the overall event activity from any view in the console.

See About the Information Manager console on page 29.

About the features of the Information Manager console

You can download and install the Java client for Information Manager from the Web configuration interface. The console of the Information Manager client lets you perform the following tasks:

Monitor the incident or the alert count for either the current user or all users. See About the incident and the alert monitors on page 63.
Monitor event activity. See About the event activity monitor on page 64.
Attach a note to a column-and-value pair in tabular data. See Creating and editing notes on page 65.
Search for the notes that you or other users have created. See Searching the notes on page 66.
Change your password. See Changing a password on page 70.
Execute a predefined set of user actions. See About user actions on page 68.
Create new user actions and edit existing user actions. See Creating and modifying user actions on page 68.

About the incident and the alert monitors

The incident and the alert monitors display in real time the number of incidents or alerts as they are created. They appear at the bottom of the Information Manager console. You choose which count to monitor from the right-click menu, which also provides shortcuts to view details.

The incident monitor and the alert monitor offer the following options:

View My Open Incidents: Displays the incident details for the open incidents for the current user.
View All Open Incidents: Displays the incident details for the open incidents for all users.
View My Open Alerts: Displays the incident details for the open alerts for the current user.

View All Open Alerts: Displays the incident details for the open alerts for all users.
Count My Open Incidents: Displays the open incident count for the current user.
Count All Open Incidents: Displays the open incident count for all users.
Count My Open Alerts: Displays the open alert count for the current user.
Count All Open Alerts: Displays the open alert count for all users.

See About the features of the Information Manager console on page 63.

About the event activity monitor

The event activity monitor provides a real-time display of event activity. The display includes the option to view real-time event statistics, and a shortcut that opens a standalone event details dialog. The event activity monitor appears at the bottom of the Information Manager console. To configure it, right-click the monitor and choose from the available options.

The event activity monitor options include the following:

Open Details Panel: Opens the Statistics view in a standalone dialog box.
Display Total Received Events: Displays the total number of events that have been received.
Display Average Rate: Displays the average event rate.
Display Rate: Displays the actual event rate.
Color options: Lets you customize the color of the graph that is displayed.
Select view type: Lets you choose the visual representation of the event count: bar graph or line graph.

See About the features of the Information Manager console on page 63.

About the Notes feature

The Information Manager console includes the Notes feature. This feature lets you create notes that are associated with data fields on the console views that display tabular data. For example, you can create notes to explain the meaning

of each incident severity level. You can later search for these notes, using several search criteria.

The Notes feature is enabled on the following console views: Incidents, Events, Tickets, and Assets.

See About the features of the Information Manager console on page 63.

Creating and editing notes

When you create a note, you attach it to a particular value in a table column. For example, in the Event details table, you can annotate the value Host Intrusion Event in the EventTypeID column. The note is then associated with each instance of that value in any table that includes the Event Type ID column. These notes provide additional reference information about any column-and-value pair.

See About the Notes feature on page 64.

To create or edit a note
1 In the Information Manager console, open the view where you want to create a note. You can create a note on any of the following views: Incidents, Events, Tickets, Assets.
2 In the displayed table, identify the column-and-value pair that you want to annotate.
3 Right-click a table cell that contains the desired value, and then click Notes.
4 In the Notes dialog box, take any of the following actions:
   To add a note, click Add. In the Add Comment dialog box, type the note, and click OK.
   To edit an existing note, select the note in the text area, and then click Edit. In the Edit Comment dialog box, revise the note, and click OK.

   To remove an existing note, select the note in the text area, and then click Remove. Click Yes to confirm that you want to remove the note.
5 When you finish adding and editing notes, click OK.
If you added any notes, the table displays a red triangular flag in each cell that contains the value that you selected.

Searching the notes

The Search Notes feature lets you search for specific notes, using a variety of search criteria.

To search for notes
1 In the Information Manager console, open any of these views: Incidents, Events, Tickets, Assets.
2 On the Tools menu, click Search Notes.

3 Define the search criteria by using any of the following fields (none of them is case-sensitive):
   Category: Type, or use the drop-down menu to select, the column name to search on. Clicking the drop-down arrow displays a list of all table columns for which notes exist. You must select the exact column name. For example, selecting Severity yields different results than selecting Severity ID.
   Value: Type the full text of the value from the annotated column-and-value pair. For example, if the value in the Severity ID column is 2 - Warning, you must type it exactly this way, including the space before and after the hyphen.
   Author: Type the user name of the person who created the note, for example Administrator.
   Note Text: Type all or any portion of the note text. For example, to find the note This severity level is for informational messages only, you can type this severity, or information, or any other text string from the note.
   Start Date: Use the default start date and time, or change it by using the calendar icon. The Search Notes feature looks for the notes that were created on or after this date and time.
   End Date: Use the default end date and time, or change it by using the calendar icon. The Search Notes feature looks for the notes that were created on or before this date and time.
4 Click Search.
The bottom pane displays a list of the notes that meet the search criteria. A recently created note may not appear in the list if the server clock differs from the client clock. To remedy this, expand the time range by using the Start Date and End Date fields, and click Search again.
5 Take one of the following actions:
   To narrow the search further, type additional search criteria in the fields that are described in step 3, and click Search. You can also clear the search fields and type different search criteria.
   To access the dialog box where you can add, edit, and remove notes, select a note and click Comment Details.
6 When you click Comment Details, you can take any of the following actions:

   To add a note, click Add. In the Add Comment dialog box, type the note, and click OK.
   To edit an existing note, select the note in the text area, and click Edit. In the Edit Comment dialog box, revise the note, and click OK.
   To remove an existing note, select the note in the text area, and click Remove. Click Yes to confirm that you want to remove the note.
7 When you finish adding and editing notes, click OK.
If you have added any notes, the table now displays a red triangular flag in each cell that contains the value that you selected.
8 To finish, click Close.

About user actions

Information Manager includes several predefined user actions. These actions can help you find information that is related to the IP addresses and host names that appear in some tabular data. If you right-click a cell that contains an IP address or a host name, you can select one of the following options:

Finger: Displays information about a user on the specified computer. The output varies with the remote system, so the command is of limited value.
Ping: Sends a ping message to the computer and reports the reply in a command window.
Trace route: Traces a route to the host, without performing DNS lookups on the hops from host to host. Reports the results in a command window.

User actions are available in any table that displays IP addresses or host names, including the tables on the Assets view and the dashboard queries that include this type of data. You can also modify the existing user actions and create your own user actions.

See Creating and modifying user actions on page 68.

Creating and modifying user actions

You can create your own user actions, and you can customize the standard user actions. You can create and modify user actions by using the Events view or the Tools menu on the console view.
See About user actions on page 68.

To create a user action
1 In the Information Manager console, click Events.
2 From the Tools menu, select Preferences.
3 Click + (the plus icon).
4 Type a name for the user action in the Name box and the command to be executed in the Command box.
5 Select one or both of the following options:
   To make the user action available to all users, select Public.
   To provide a command-line window in which to view the command output, select Use Output Viewer.
6 Click OK.
7 In the Preferences dialog box, click OK.
The new user action now appears in the pop-up menu when you right-click a table cell.

To modify a user action
1 In the Information Manager console, click Events.
2 From the Tools menu, select Preferences.
3 Select the user action that you want to modify, and then click the Edit icon.
4 Modify any of the following:
   Change the user action name in the Name box.
   Change the command syntax in the Command box.
   Select Public to make the user action available to all users.
   Select Use Output Viewer if you want Information Manager to provide a command-line window in which to view the command output.
5 Click OK.
6 In the Preferences dialog box, click OK.
The modified user action now appears in the pop-up menu when you right-click a table cell.

Opening the Information Manager console from the command line

You can open the Information Manager console from the command line.

See About the Information Manager console on page 29.

To open the Information Manager console from the command line
1 On the client computer, open the command-line interface.
2 Change the directory to the location in which the console was installed. For example:
   C:\Program Files\Symantec\Security Information Manager
3 Type the following command and press Enter, where [user] is the user name for the console and [password] is the password for that account. Do not include the brackets.
   "Security Information Manager.exe" -user [user] -pw [password] -address 10.0.30.140 -autologin
A password supplied on the command line in this way is visible to anyone who can list the processes on the client computer and may be recorded in the shell's command history, so do not embed a password in a shortcut or script unless the client computer is adequately protected.

Changing a password

You can use the Information Manager console to change your own password at any time. If the administrator has changed the password settings to a stronger authentication policy, you may be required to change your password. You can change your password by logging out and then logging back in to the console.

See About the features of the Information Manager console on page 63.

To change your password
1 In the Information Manager console, open any view.
2 On the Tools menu, click Change Password.
3 In the Change Password text box, type your current password.
4 Type a new password in the New password text box, and then type exactly the same characters in the Confirm new password text box.
5 Click Save.
6 Click OK.

Chapter 3 Symantec Security Information Manager Web configuration interface

This chapter includes the following topics:
About the Information Manager server Web configuration interface
Accessing the Web configuration interface
About the features of the Web configuration interface

About the Information Manager server Web configuration interface

The Web configuration interface for the Information Manager server provides several control features to help you work with ease and efficiency. You use an Internet browser to access the Web configuration interface, and with it you can view security information and manage critical tasks on the Information Manager server remotely.

See Accessing the Web configuration interface on page 72.

The Web configuration interface lets you perform the following tasks:
Monitor the vital parameters and perform maintenance tasks.
Configure the Information Manager server.
View reports remotely.
Download the report templates, universal collectors, and other utilities.

Install the licenses for Information Manager and the Symantec Global Intelligence Network.
Use the Custom Logs feature to correlate information from the devices that Information Manager does not support.

Accessing the Web configuration interface

You can use a Web browser to access the Web configuration interface of the Information Manager server. The Web configuration interface lets you view security information and manage critical tasks on the Information Manager server remotely.

See About the features of the Web configuration interface on page 72.

To access the Web configuration interface of the Information Manager server
1 Open a Web browser, and in the address bar, type the IP address of the Information Manager server. For example:
   https://192.168.0.10
By default, the server uses a self-signed certificate. Such a certificate is not issued by a public certificate authority such as VeriSign, so the browser cannot validate it against its trust store and will warn you. If you are prompted, click Yes to accept the server certificate. Because the browser cannot vouch for the certificate, compare its fingerprint with a value that the server administrator has provided out of band before you accept it.
2 Log on to the Web configuration interface using the administrator credentials that you created during the Symantec Security Information Manager installation.

About the features of the Web configuration interface

The Web configuration interface of the Information Manager server provides several control features to help you work with ease and efficiency.

See About the Information Manager server Web configuration interface on page 71.

The Web configuration interface provides the following control features:

Status bar: The status bar appears across the top of the Web configuration interface. It displays the name of the Information Manager server to which the Web configuration interface is connected, and the role of the connected user.
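One way to perform that fingerprint check before clicking through the browser warning, as an added example rather than anything shipped with Information Manager: retrieve the server's certificate without trusting it, compute its SHA-256 fingerprint in the form browsers display, and compare it in constant time with the value the administrator supplied. The host name, port and pinned fingerprint are all assumptions to be replaced with your own; the Python standard library is sufficient.

```python
import hashlib
import hmac
import socket
import ssl


def sha256_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, in the colon-separated
    upper-case form that browser certificate viewers show."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Accept the fingerprint however it was copied (colons, spaces, any case)."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def fingerprint_matches(der_cert: bytes, expected_fp: str) -> bool:
    """Compare the certificate's fingerprint with the expected one.

    A truncated or malformed expected value (not 64 hex digits) never matches;
    the comparison itself is constant-time."""
    actual = normalize_fingerprint(sha256_fingerprint(der_cert))
    expected = normalize_fingerprint(expected_fp)
    return len(expected) == 64 and hmac.compare_digest(actual, expected)


def fetch_server_certificate(host: str, port: int = 443,
                             timeout: float = 5.0) -> bytes:
    """Retrieve the server's leaf certificate in DER form.

    Chain verification is disabled on purpose: the certificate is self-signed,
    and the goal is to inspect it, not to trust it. No application data is sent."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_pinned_certificate(host: str, expected_fp: str, port: int = 443) -> str:
    """Fetch the certificate and raise unless it matches the pinned fingerprint.
    Returns the observed fingerprint so that it can be logged."""
    der = fetch_server_certificate(host, port)
    observed = sha256_fingerprint(der)
    if not fingerprint_matches(der, expected_fp):
        raise ssl.SSLCertVerificationError(
            f"{host}:{port} presented {observed}, expected {expected_fp}")
    return observed


if __name__ == "__main__":
    import sys
    # Assumed usage: python pin_check.py 192.168.0.10 AA:BB:CC:...
    # where the fingerprint comes from the server administrator, not from the browser.
    host, pinned = sys.argv[1], sys.argv[2]
    print("certificate matches pinned fingerprint:", check_pinned_certificate(host, pinned))
```

If the check raises, the browser warning must not be accepted: either the administrator supplied the wrong fingerprint or something between you and the appliance is presenting its own certificate. Re-run the check after the server's certificate is replaced, since the pinned value changes with it.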

View bar: The view bar contains links to the views that allow access to the options that are outlined under that view. The following main views are available in the console: Home, Monitor, Manage, Settings, and Maintenance.
Navigation bar: The navigation bar appears across the top of the console. It displays links to the views that are available under the selected parent view.
Tree pane: The tree pane appears on the left side of the console window, under the navigation bar. It displays a hierarchical, folder-based structure of the options that are available under the view.
View indicator: The view indicator appears across the top of the tree pane and the details pane. It displays the selected task in the hierarchical structure.
Details pane: The details pane appears on the right side of the console window, under the taskbar. It displays details about the selected option.
Timestamp bar: The timestamp bar appears across the lower edge of the console. It displays the date and time at which the page was generated.

The Web configuration interface provides the views that allow control of the features of the Information Manager server. Table 3-1 describes the various tasks that you can perform from each view.

Table 3-1 View menu

Home
   Event Service Status: Lets you monitor the status of the Event Servlet, the Event Service Queues, and the Servlet Batch Queue.
   Downloads: Lets you download the installers for the Symantec Event Agent and the Java client, as well as log files, universal collectors, and other utilities.
   Shutdown/Restart SSIM: Lets you restart or shut down the Information Manager server remotely.
Monitor
   System Statistics, Network Statistics: Let you monitor critical aspects of the Information Manager server.
Manage
   Reports: Lets you view the standard reports, and the reports for the scheduled queries.
   Intelligence: Lets you access intelligence-related information from the DeepSight Threat Management Services Web site.

Settings
   GIN, Database, Directory Registration, Collector Registration, Custom Logs, Active Directory, Licensing, Certificates, External Storage, Password, Network, Date Time: Let you view and manage the Information Manager configuration settings. You can also manage the summarizers, perform collector and directory registration, and install the Information Manager licenses through this view.
Maintenance
   LiveUpdate, System Updates, Backup and Restore, Incident Synchronization: Let you perform routine maintenance tasks such as updates, backup and restore, purge, and incident synchronization.

Note: The Web configuration interface does not support the use of the browser's Back and Refresh options. Using these options may produce unpredictable results.


Section 2 Planning for security management

Chapter 4. Managing the correlation environment
Chapter 5. Defining rules strategy


Chapter 4 Managing the correlation environment

This chapter includes the following topics:
About the Correlation Manager
About the Correlation Manager knowledge base
About the default rules set

About the Correlation Manager

The Correlation Manager component of Information Manager performs automated real-time event correlation, aggregation, filtering, and incident creation. To perform these functions, it uses a set of rule files and a knowledge base to compare events to patterns of common network security threats.

See About the Correlation Manager knowledge base on page 80.

To facilitate security analysis, the Correlation Manager filters false positive events from networks, including the events that your company security policy permits. The Correlation Manager also identifies attacks based on patterns of firewall, intrusion detection system, and antivirus activity across desktops, gateways, and servers. It can then declare the incidents that warrant further action and closure.

The Correlation Manager can provide conclusions regarding the overall analysis or cause of attacks. It also aggregates information about source, destination, attack types, and all related events into the incident record for forensic analysis.

See About the default rules set on page 80.

About the Correlation Manager knowledge base

The Correlation Manager knowledge base consists of the tables that contain information about the network, security policies, and normalized event categories and subcategories. The Information Manager default rules reference this information so that the correlation engine can evaluate incoming security events more effectively. Custom rules can also reference the information in the Correlation Manager knowledge base tables.

The information in the knowledge base is a combination of updated information from the Symantec DeepSight Threat Management System and the information that you can edit from the Lookup Tables option of the Rules view. If you have a valid DeepSight license, you can receive frequent updates directly from DeepSight. If you do not have a license, you receive updates to security content through LiveUpdate packages.

See About the Correlation Manager on page 79.

About the default rules set

Information Manager includes a set of rules that identify the most common security threats. Information Manager also provides default filters to help reduce common false positives. New rules are developed regularly and are distributed through the LiveUpdate process. You can also create your own rules from the Rules view of the Information Manager console.

See About the Correlation Manager on page 79.
See About the Correlation Manager knowledge base on page 80.

Table 4-1 lists the default rules and the types of security products with which they are associated.

Table 4-1 Correlation Manager rules by security product type

Antivirus
   AntiVirus Disabled
   Critical Malicious Code Detection
   Incomplete AV Scan
   Malicious Code via Email Not Quarantined
   Malicious Code Not Quarantined
   Malicious Code Outbreak
   Malicious Code Propagation
   Outbound Spam Zombie
   Spyware Not Quarantined
   Spyware Outbreak
   Worm Activity

Firewall
   Block Scan
   Check FTP Transfers
   Distributed DoS High Volume
   DoS High Volume
   External Port Sweep
   Internal Port Sweep
   IP Watchlist Destination
   IP Watchlist Source
   IRC Bot Net
   Malicious URL
   Organization IP in Watchlist Activity
   Outbound Spam Zombie
   Ping Scan Detector
   Port Scan Detector
   Potential Staged Attack
   Scan Followed By Exploit
   Single Event DoS
   Smurf Attack Firewall
   Traffic to a Monitored Address
   Trojan Connections
   Unauthorized Outbound Email Domain
   Unauthorized Port Inbound
   Unauthorized Port Outbound
   Watchlist Potential Policy Violators

82 Managing the correlation environment About the default rules set Table 4-1 Security product Correlation Manager rules by security product type (continued) Associated rules Network intrusion detection system (NIDS) Attempted DNS Exploit Attempted FTP Exploit Attempted WWW Exploit Attempted Service Exploit Block Scan Departed Employee Username DoS High Volume Distributed DoS High Volume Intrusion Threshold (Disabled by default) IP Watchlist Destination IP Watchlist Source IRC Bot Net Malicious Code Propagation NULL Login Authentication Violation Ping Scan Detector Return Trojan Traffic Scan Followed By Exploit Single Event DoS Smurf Attack IDS TFTP from WebServer Traffic to a Monitored Address Vulnerability Scan Vulnerability Scan Detector Watchlist Potential Policy Violators Web Vulnerability Scan

Managing the correlation environment About the default rules set 83 Table 4-1 Security product Correlation Manager rules by security product type (continued) Associated rules Host intrusion detection system (HIDS) Account Guessing Attack Departed Employee Username DoS High Volume IP Watchlist Destination IP Watchlist Source Multiple Files Modified NULL Login Authentication Violation Password Guessing Attack Potential Staged Attack Scan Followed By Exploit Single Event DoS Trojan Connections Vulnerability Scan Vulnerability Scan Detector Watchlist Potential Policy Violators Web Vulnerability Scan Vulnerability assessment Potential Staged Attack Vulnerability Scan Policy compliance Departed Employee user name Activity Policy Compliance Violation Windows Events Account guessing attack Non Business Hours Logins Password guessing attack Potential Staged Attack Windows Account Lockout (Disabled by default) Windows Audit Log Cleared Windows Privileged Activities by user Windows Privileged User Created Windows Security Violation (Disabled by default) Windows Sensitive File Access

84 Managing the correlation environment About the default rules set Table 4-1 Security product Correlation Manager rules by security product type (continued) Associated rules Information Manager System Agent Queue Monitor Cert Expiration Warning Incident Creation Alert (Disabled by default) Invalid Event Date Alert Low Disk Space Warning MultiEvent Rule Example Negative Rule Type Example Password Guessing Attack Validate Archive

Chapter 5 Defining rules strategy

This chapter includes the following topics:

    About creating the right rule set for your business
    About defining a rules strategy
    About correlation rules
    About rule conditions
    About the Event Count, Span, and Table Size rule settings
    About the Tracking Key and Conclusion Creation fields
    About the Correlate By and Resource fields
    Importing existing rules
    Creating custom correlation rules
    Enabling and disabling rules
    Working with the Lookup Tables window

About creating the right rule set for your business

A good approach to creating custom rules is to start with the generalized rules that Symantec provides and fine-tune them. Another good approach is to add new rules based upon real event data from your network.

See About defining a rules strategy on page 87.

The customizations usually belong to one of the following categories:

Incidents stemming from machine-generated events: These include all of the security devices on your network that generate the events that you collect. For example, firewall products such as Symantec Gateway Security generate a huge amount of event data. In most cases, you should edit default rules or create new rules to filter out false positive incidents.

Incidents relating to human events or policies: These incidents include your corporate IT security policies and regulatory compliance requirements. They also include any unique characteristics about user activity in your network that machine-generated events would typically miss, or that result in false positive incidents.

The following is a general overview of the process for developing rules:

1. Set up Information Manager in a lab environment.

2. Update the Assets view to include the IP addresses of hosts that are mission-critical or that host sensitive information.

3. Collect event data from your network for a week. This data should include events from all of the security products that you want Information Manager to correlate, for example, antivirus, host intrusion detection systems, network intrusion detection systems, and firewalls.

4. Run the default rules and review the incidents that are created. Look for any false positives that you can easily filter out. Good candidates for filtering include incidents from the failed connections that the firewall reports, and the Windows-only attacks that computers running Linux report.

5. Look at any known security incidents that occurred during the week in which you collected the data. Adjust the filters and rules if there are any incidents that should have been created and were not.

6. Look for the incidents that result from firewall rules being too lax. Tuning firewall and Information Manager rules is an ongoing process that is driven by the changes in your network. Opening a firewall port to enable an essential line-of-business application may suddenly result in a huge number of false-positive incidents. When that occurs, you need to create a new rule to filter out events from an approved use of that application. You may also discover that there is a port that is still open long after the application that required it has been retired.

7. Create rules to support security practices in your company. For example, you can create a rule to assign a weekly help desk ticket for security IT to contact users who are not running antivirus software.

8. As you change rules, use the Information Manager rule test feature to assess whether the customizations work. Of particular concern are any rules that never create conclusions or that create conclusions too often.

9. With your Information Manager server still in a test environment, forward live network events to it. Continue to refine your rules.

10. After you are satisfied with the incidents that are declared, migrate the server to your live network.

About defining a rules strategy

To develop a security plan that incorporates correlation rules and filters, you must understand the business needs of your organization from a security perspective.

See About creating the right rule set for your business on page 85.

For example, if your implementation protects and monitors network resources relating to financial transactions, you can develop and refine your rule set accordingly. Your area of concern might focus on authentication on the servers that contain sensitive financial data. In addition, you may need to evaluate the rules that you deploy based on regulatory compliance concerns. This evaluation ensures that the event data that is evaluated is handled in a way that meets the requirements of the policies.

About correlation rules

Correlation rules describe the logic that is applied to an event or a set of events to detect possible security concerns.

See About creating the right rule set for your business on page 85.

Conceptually, correlation rules can be classified into the following general categories:

    An event identifies an attacker who attempts to intrude on a specific computer or resource.
    Some unknown system, or a number of systems, attempts to cause a specific system to malfunction or cease functioning.
    The organization or analyst wants to group events into particular types of incidents to make viewing and analysis simpler. For example, these types of rules may aggregate the events that are related to policies or products.

Correlation rules consist of the following:

Rule type: Identifies the pattern that best describes the event. See About rule types on page 89.

Event criteria: The specific values or threats that the rule applies to, including the number of events that occur over a specified period of time. See About event criteria on page 93.

Rule settings: The event count, span, table size, tracking keys, and description of an event.

Conclusion and correlation settings (Actions tab): The fields that are used to correlate existing event conclusions with new events as they occur within the specified time period. If the number of events that is specified in the Count field is met, the conclusion is escalated to an incident. The incident is then correlated with existing incidents where applicable. The severity of a match for the rule is also determined here, and additional details can be included through the variables that you can specify in the Description field.

Auto assignment and notification settings: Describes how alert and incident assignment tasks are handled when an incident is created. In the Auto Assignment area, incidents can be assigned to a specific user or user group (team). The Notification area lets you notify additional recipients that the incident has occurred. For example, an Antivirus Disabled incident might be assigned to a response technician who is responsible for immediately assessing the event. An additional notification can be sent to the network administrator who monitors the overall health of the network segment from which the incident occurred.

About rule conditions

The rule conditions describe the fields and conditions against which the rule is processed to determine whether the event applies to a conclusion.

See About correlation rules on page 87.

About rule types

The Rule Conditions panel provides access to all available event and schema field data. The analyst can use this data to further identify and define the events that should be escalated as a potential security threat.

A rule type determines the underlying behavioral patterns that a rule uses to identify a match. For example, if the rule type is set to Single Event, the rule evaluates each event for a criteria match, and a single event is enough to trigger a conclusion. A rule that uses the Many to One rule type also evaluates each event against the criteria, but it creates a conclusion only when a specified number of matching events have aggregated over a predetermined period of time.

See About rule conditions on page 88.

Conclusions that involve more than one event use the One to Many and Many to One event correlation tables. In addition, the Tracking field is provided. It identifies the element that is used as the basis for correlating additional events to existing events and conclusions.

Table 5-1 describes the rule types that are available and provides examples.

Table 5-1 Rule types

Many Sources, One Target
    Trigger condition: Creates a conclusion when the events that match the specified criteria are detected from multiple unique source IP addresses to a single destination IP address within the specified period.
    Possible scenarios: Denial-of-service events can often be identified using this rule type. A Smurf attack uses ICMPEchoReply events from a large number of source computers to a single target.
    Predefined rule examples: Distributed DoS High Volume, Smurf Attack

Many Symantec Signatures, One Source
    Trigger condition: Creates a conclusion when events of different types that match the specified criteria are detected from a single source IP address within the specified period.
    Possible scenarios: A rule that detects a vulnerability scan can use this rule type. Within the criteria for that rule, EMR values can be set to identify multiple exploit events (such as Mechanism: Buffer Overflow, or Application Exploitation). In this example, the criteria for the rule include multiple types of Mechanisms, so the rule tracks multiple types of exploit events coming from the same source.
    Predefined rule example: Vulnerability Scan Detector

Many Symantec Signatures, One Target
    Trigger condition: Creates a conclusion when events of different types that match the specified criteria are detected to a single destination IP address within the specified period.
    Possible scenarios: A rule that detects malicious IP hopping activity can use this rule type. To conceal scanning activity, an attacker may attempt one type of attack from one IP address, then change to a different IP address to try a different attack, until the most useful vulnerabilities have been identified. Attackers use this method to avoid detection as a vulnerability scan, because vulnerability scanners often operate from a single source. Using this rule type, you can detect conditions where multiple attack types are targeted at a single host, regardless of the attack origin.

Many Targets, One Event
    Trigger condition: Creates a conclusion when events of the same type that match the specified criteria are detected from many unique destination IP addresses within the specified period.
    Possible scenarios: A rule that detects a Malicious Code Outbreak can use this rule type. To identify a Malicious Code Outbreak, a rule can be configured to identify instances of a particular virus on multiple targets. Using the EMR fields, the criteria can be set to Virus. Because the rule looks for the same event type, it triggers only if the same virus event occurs on each target.

Many Targets, One Source
    Trigger condition: Creates a conclusion when events that match the specified criteria are detected from a single source IP address to multiple unique destination IP addresses within the specified period.
    Possible scenarios: A rule that identifies a reconnaissance attack on multiple targets (such as a port scan) can use this rule type. To configure this example, choose the Many Targets, One Source rule type, and then set the EMR criteria value to Portscan.
    Predefined rule examples: Block Scan, IRC Bot Net, Ping Scan Detector

Many to One
    Trigger condition: Creates a conclusion when events that match the specified criteria are detected in a pattern that is set using the Many To One Fields and the One To Many Fields options. In addition to the Event Criteria, the fields that must contain the same information in each event (One-Many Fields) and the fields that can contain different values in each event (Many-One Fields) are used to correlate similar events that occur within a predetermined timeframe.
    Possible scenarios: A rule to detect a port sweep can use this rule type. A port sweep is typically described as a single IP address that scans for a specific port on multiple computers. After you choose this rule type and set the event criteria for the rule, you set the One-Many and the Many-One field options. In the One-Many Fields area, select IP Source Address and IP Destination Port. This selection means that each event originates from the same IP address and evaluates the same port. In the Many-One Fields area, select the IP Destination Address option. (The event destination can be a different IP address for each event.) The Many to One rule requires the Tracking field to be populated. For this type of rule, the Tracking field generally matches a One-Many Fields entry.
    Predefined rule examples: Malicious Code Outbreak, Spyware Outbreak, DoS High Volume, External Port Sweep, Internal Port Sweep, Port Scan Detector, Intrusion Threshold, Multiple Files Modified, Account Guessing Attack, Password Guessing Attack

Multi-condition
    Trigger condition: Creates a conclusion when a sequence of specified patterns is detected for one combination of one-to-many fields within a specified time period.
    Possible scenarios: A user logs on to a Windows computer and establishes an SSH connection to a UNIX computer. The user then logs on to the FTP server and downloads files from the FTP location.

Single Event
    Trigger condition: Creates a conclusion if an event matches the specified criteria. This rule type requires the Tracking field to be populated.
    Predefined rule examples: AntiVirus Disabled, Malicious Code Not Quarantined, Spyware Not Quarantined, Check FTP Transfers, Malicious URL, Trojan Connections, Attempted DNS Exploit, Attempted FTP Exploit, Attempted WWW Exploit, TFTP from WebServer, Windows Security Violation, Windows Account Lockout, Windows Audit Log Cleared, Windows Privileged Activities by User

Symmetric Traffic
    Trigger condition: Creates a conclusion when the specified pattern of events is detected from a single source IP address to a single destination IP address, and then from that destination IP address back to the original source IP address within the specified period.
    Possible scenarios: A rule that identifies BackOrifice exploit traffic between a single target and source can use this rule type. To monitor for BackOrifice symmetric traffic events, after you choose the Symmetric Traffic rule type, set the criteria to the Symantec Signature for BackOrifice (attackid 1414). The rule triggers if an Intrusion Detection System logs both the connection from a source to a target, and the connection from that target back to the source, as BackOrifice traffic.
    Predefined rule example: Return Trojan Traffic

Transitive Traffic
    Trigger condition: Creates a conclusion when the specified pattern of events is detected from a single source IP address to a single destination IP address, and then the same pattern is detected from that destination IP address to a new destination IP address within the specified period.
    Possible scenarios: A rule that identifies BackOrifice exploit traffic that moves from one source to a target backdoor, after which the targeted computer becomes the source that accesses the backdoor of a new target, can use this rule type. To monitor for BackOrifice transitive traffic events, after you choose the Transitive Traffic rule type, set the criteria to the Symantec Signature for BackOrifice (attackid 1414). The rule triggers if an Intrusion Detection System logs the connection from a source to a target as BackOrifice traffic and then identifies the target connecting to a new target with the same event signature.
    Predefined rule example: Malicious Code Propagation

X followed by Y
    Trigger condition: Creates a conclusion when a specified pattern is detected from a single source IP address to a single destination IP address, followed by a different pattern from the same source IP address to the same destination IP address within the specified time period.
    Predefined rule examples: Scan Followed by Exploit, Null Login Authentication Violation
    Note: This rule type is deprecated and is not supported. Use the Multi-condition rule type instead.

X not followed by X
    Trigger condition: Creates a conclusion when an event that matches the defined criteria is not detected again within the configured number of times during the timeout.
    Possible scenarios: A rule to monitor user authentication failure for a specific period of time can use this rule type. A user logon fails, and the user does not log in again for a specific period of time.

X not followed by Y
    Trigger condition: Creates a conclusion when an event that is defined by the X rule criteria occurs, but an event that is defined by the Y rule criteria does not.
    Possible scenarios: A rule to detect the non-occurrence of a user action after a valid user action can use this rule type. A user logs on to a critical server but does not log off for a long time.

Y not preceded by X
    Trigger condition: Creates a conclusion when an event that is defined by the X rule criteria does not occur, but the next event that is defined by the Y rule criteria does.
    Possible scenarios: A rule to detect the deletion of a user before the user is added can use this rule type.

Lookup Table Update
    Trigger condition: Updates the configured lookup table if an event matches the specified criteria.
    Possible scenarios: A rule to dynamically update the lookup table with the configured event field values for the specified event criteria.

About event criteria

The Event Criteria field contains a vast array of possible values that a rule can use to identify an event pattern. The Event Criteria field includes event data and schema information.

See About rule conditions on page 88.

Table 5-2 describes the tabs available in the drop-down list.

Table 5-2 Event Criteria tabs

Common: Contains the data from the Normalization fields, the Symantec DeepSight Threat Management System database (using the Symantec Signature), and the Asset and the Network tables.

Derived: Contains the customized data from the Normalization fields, the DeepSight database (using the Symantec Signature), and the Asset and the Network tables. The system applies logic to the source and the destination IP addresses that results in several fields or flags being added to the event. For fields, this information is primarily data from the Asset and Network tables. For flags, this information includes the traffic direction, Source is Internal, Destination is Internal, service info, Destination Port is Open (whether the Asset entry lists the destination_port value as available), and whether the asset is Vulnerable (whether the Asset entry for the event's destination_ip value is listed as vulnerable to one or more of the BugTraq IDs associated with the event's Symantec Event Code).

Events: Includes all of the events that have been identified for each product that is associated with your installation of Information Manager. This information is based on a combination of the default set of events (the Information Manager schema) and any SIPs that have been installed. These fields do not contain the Information Manager normalized values.

Other Fields: Provides a means of creating a product-specific field that uses a string or an integer value that may not be accessible through the schema provided. Some of the events that are sent to Information Manager carry event data that a specific point product uses but that is not accounted for as an identified field in the Information Manager schema that the collector uses (also known as out-of-band data). This data can be included either by the collector or it can be added during normalization.

Table Lookups: Provides access to the fields that are associated with the knowledge base tables that Information Manager and the environment provide. Also provides access to the resource-specific data that the user provides, for example, the Asset and Network tables. These fields are dynamically generated based on the current state of each of the knowledge base tables.

The Event Criteria rows include a logical decision field that provides the operator that is used to determine how the event criteria are evaluated. Table 5-3 describes the decision option operators available.

Note: The available operators vary with each criteria type.

Table 5-3 Event Criteria operators

Equal: The field value is an exact match to the criteria value.

Not Equal: The field value does not match the criteria value.

Greater than: The field value is greater than the specified value.

Less than: The field value is less than the specified value.

Greater than or equal to: The field value is greater than or equal to the specified value.

Less than or equal to: The field value is less than or equal to the specified value.

Null: The field is empty.

Not Null: The field contains a value.

Is in: The field value matches a value that is contained in the specified table.

Is not in: The field value does not match any value that is contained in the specified table.

True: The field value is True.

False: The field value is False.

Contains: The field value contains the specified string. The usage of this operator varies with the field against which the data is compared. For example, if you use EMR values, a drop-down list of possible values appears. However, if you evaluate the string data in a field such as target_resource, the value that you type is used to perform a substring search. For example, if you want to find out whether the string root.exe is contained in the target_resource field, and target_resource contains http://www.example.com/cgi-bin/root.exe?blah, root.exe is identified and causes a match.

Doesn't contain: The field value does not contain the specified string. The usage of this operator varies with the field against which the data is compared. For example, if you use EMR values, a drop-down list of possible values appears. However, if you evaluate the string data in a field such as target_resource, the value that you type is used to perform a substring search. For example, if you want to verify that the string root.exe is not included in the target_resource field, and target_resource contains http://www.domain.com/cgi-bin/root.exe?blah, root.exe is identified and the Doesn't contain condition is not met.

Matches: The field value matches the value that is specified as a regular expression.

Doesn't match: The field value does not match the value that is specified as a regular expression.
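To make the operator semantics of Table 5-3 concrete, the following added Python example (not Information Manager code) applies each operator to a single field value and then combines the rows of an Event Criteria set. The field names (target_resource, source_ip, severity), the watchlist table that stands in for a knowledge base table, and the sample events are constructed; the decision to require every criteria row to hold (AND) is an assumption of this example.

```python
"""Evaluate Event Criteria rows against a normalized event.

Added example illustrating the operators of Table 5-3; it is not
Information Manager code. Field names (target_resource, source_ip,
severity), the watchlist table and the sample events are constructed,
and the rule that all criteria rows must hold (AND) is an assumption.
"""
import re

# Constructed stand-in for a knowledge-base lookup table, used by the
# "Is in" / "Is not in" operators.
WATCHLIST_SOURCES = {"198.51.100.7", "203.0.113.9"}


def evaluate(op, field_value, criteria_value=None):
    """Apply one Table 5-3 operator to a single field value.

    Comparison, Contains and Matches treat an empty (None) field as a
    non-match; Doesn't contain / Doesn't match treat it as a match,
    because an empty field cannot contain the string.
    """
    if op == "Equal":
        return field_value == criteria_value
    if op == "Not Equal":
        return field_value != criteria_value
    if op == "Null":
        return field_value is None
    if op == "Not Null":
        return field_value is not None
    if op == "Is in":
        return field_value in criteria_value
    if op == "Is not in":
        return field_value not in criteria_value
    if op == "True":
        return field_value is True
    if op == "False":
        return field_value is False
    if op == "Doesn't contain":
        return field_value is None or criteria_value not in field_value
    if op == "Doesn't match":
        return field_value is None or re.search(criteria_value, field_value) is None
    if field_value is None:
        return False
    if op == "Greater than":
        return field_value > criteria_value
    if op == "Less than":
        return field_value < criteria_value
    if op == "Greater than or equal to":
        return field_value >= criteria_value
    if op == "Less than or equal to":
        return field_value <= criteria_value
    if op == "Contains":          # substring search on string fields
        return criteria_value in field_value
    if op == "Matches":           # regular expression search
        return re.search(criteria_value, field_value) is not None
    raise ValueError(f"unknown operator {op!r}")


def event_matches(event, criteria):
    """Return True when every (field, operator, value) row holds."""
    return all(evaluate(op, event.get(field), value)
               for field, op, value in criteria)


# Constructed sample events (not real Information Manager data).
EVENTS = [
    {"id": 1, "source_ip": "198.51.100.7", "severity": 4,
     "target_resource": "http://www.example.com/cgi-bin/root.exe?blah"},
    {"id": 2, "source_ip": "192.0.2.20", "severity": 2,
     "target_resource": "http://www.example.com/index.html"},
    {"id": 3, "source_ip": "203.0.113.9", "severity": 5,
     "target_resource": None},                      # empty field
]

# The root.exe example from Table 5-3 (substring search on
# target_resource) combined with a table lookup and a threshold.
WEB_EXPLOIT_CRITERIA = [
    ("target_resource", "Contains", "root.exe"),
    ("source_ip", "Is in", WATCHLIST_SOURCES),
    ("severity", "Greater than or equal to", 3),
]


def matching_ids(events=EVENTS, criteria=WEB_EXPLOIT_CRITERIA):
    """Ids of the events that satisfy every criteria row."""
    return [e["id"] for e in events if event_matches(e, criteria)]


if __name__ == "__main__":
    print(matching_ids())   # [1]
```

Only event 1 matches: event 2 fails the substring search and the watchlist lookup, and event 3 has an empty target_resource, which the Contains operator treats as a non-match even though its source is on the watchlist. The same substring behaviour is what makes the Doesn't contain condition fail for the http://www.domain.com/cgi-bin/root.exe?blah value in Table 5-3.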

About the Event Count, Span, and Table Size rule settings

The Rules Editor includes the settings that let you specify how many events must occur within a specified period of time to meet the criteria for the rule. In addition, you can determine the table size for the event data that is stored.

See About correlation rules on page 87.

Table 5-4 Event Count, Span, and Table Size rule settings

Event Count: Determines the number of events that must occur within a specific time period to trigger an incident. The time period is specified in the Span setting. This setting is used primarily with the Many-One Field area on the Actions tab.

Span: Indicates the time period within which the number of events that is specified in the Event Count field must occur.

Table Size: Specifies the state table size, in rows, that is maintained in memory for each rule. For example, the Account Guessing Attack predefined rule requires that two events be identified within 10 minutes for the rule to trigger an incident. After the first event matches the rule criteria, an internal aggregation table is created that contains the event details. When the second matching event occurs, data from the second event is added to the same aggregation table. In this case, the Table Size setting is relatively small. However, if the Event Count were raised to a much larger number, the aggregation table could run out of space. In that case, the table wraps: the new event data begins to overwrite the original event data in sequential order. To prevent the data from being overwritten, adjust the Table Size according to the event volume that you expect for the rule. Event data sizes vary widely with each implementation, but using the predefined rules as a starting point helps to identify general size parameters.

About the Tracking Key and Conclusion Creation fields

The Tracking Key and Conclusion Creation fields are used to further refine rule settings. Use these fields to establish whether an event should be correlated to the existing events that are tracked in aggregation tables. In addition, the Tracking Key and Conclusion Creation fields include the Severity and the Description fields. These fields provide a means for security analysts to escalate conclusions based on severity, and to include additional extracted information within the Conclusion Description.

Table 5-5 describes the Tracking Key fields on the Conditions tab.

Table 5-5 Tracking Key fields (Conditions tab)

One-Many Fields: Describes the elements that must remain consistent across each event in order for the event to be correlated to an existing event aggregation table. For example, to define a rule that tracks a single user name connecting to multiple target IP addresses (in other words, one user name to many IP addresses), set the rule type to One to Many, and in the One-Many Fields area, select User Name. This field must be the same in each event for any subsequent events to be correlated with previous events.

Many-One Fields: Describes the elements that must be different in each event in order for the event to be correlated to an existing event aggregation table. This field is used with the Event Count field to determine when the conditions for a One to Many rule have been met. For example, to define a rule that tracks a single user name connecting to multiple target IP addresses (one user name to many IP addresses), set the rule type to One to Many, and in the Many-One Fields area, select Target IP. The IP address in this field must be different in each event for any subsequent events to be correlated with previous events.

Tracking Fields: Describes the field upon which a matching event is correlated to an existing conclusion. If an event matches the criteria for a rule, it is compared against the tracking fields of any existing conclusion. If the event matches an existing conclusion, it is correlated to that conclusion rather than being considered for a new conclusion. Required with the Many to One and Single Event rule types. With One to Many rules, this field typically tracks the same value as the One-Many Fields area: the event field data that must remain the same across each new event that is added to the aggregation table.
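The following added Python example, which is not Information Manager code, models the Many to One port sweep from Table 5-1 together with the Event Count, Span and Table Size settings of Table 5-4 and the One-Many, Many-One and Tracking fields of Table 5-5. The rule definition, the field names (source_ip, dest_ip, dest_port, action) and the firewall events are constructed, and the state table is modelled as a fixed-size ring of rows, an assumption made so that the wrap-around described for Table Size (newer rows overwriting the oldest ones) can be observed: the same sweep is detected with a table of 16 rows and missed with a table of 4 rows.

```python
"""Many to One aggregation with One-Many, Many-One and Tracking fields.

Added example illustrating the Table 5-4 and Table 5-5 settings; it is
not Information Manager code. The rule definition, field names
(source_ip, dest_ip, dest_port, action) and the events are constructed,
and the state table is modelled as a fixed-size ring of rows so that the
wrap-around described for Table Size can be observed.
"""
from dataclasses import dataclass


@dataclass
class ManyToOneRule:
    name: str
    criteria: dict           # field -> required value (Equal operator only)
    one_many_fields: tuple   # must be identical across correlated events
    many_one_fields: tuple   # must differ across correlated events
    event_count: int         # distinct Many-One values needed for a conclusion
    span: int                # seconds within which they must occur
    table_size: int          # rows kept in memory for the rule


class Correlator:
    def __init__(self, rule):
        self.rule = rule
        self.rows = [None] * rule.table_size   # fixed-size state table
        self.next_slot = 0                     # wraps when the table is full
        self.conclusions = []

    def _store(self, row):
        # When the table is full, the newest row overwrites the oldest one.
        self.rows[self.next_slot] = row
        self.next_slot = (self.next_slot + 1) % self.rule.table_size

    def feed(self, ev):
        r = self.rule
        if not all(ev.get(f) == v for f, v in r.criteria.items()):
            return None                        # fails the Event Criteria
        # The One-Many fields form the tracking key: the same key
        # correlates the event to the existing aggregation rows.
        key = tuple(ev.get(f) for f in r.one_many_fields)
        many = tuple(ev.get(f) for f in r.many_one_fields)
        self._store((key, ev["ts"], many))
        # Distinct Many-One values seen for this key inside the span.
        distinct = set()
        for row in self.rows:
            if row is not None and row[0] == key and ev["ts"] - row[1] <= r.span:
                distinct.add(row[2])
        if len(distinct) < r.event_count:
            return None
        conclusion = (r.name, key, sorted(distinct))
        self.conclusions.append(conclusion)
        # Consume this key's rows so the next window starts fresh.
        self.rows = [None if row is not None and row[0] == key else row
                     for row in self.rows]
        return conclusion


# Constructed firewall events: 198.51.100.7 probes port 22 on three hosts
# while unrelated blocked traffic from other sources fills the table.
SWEEP_EVENTS = [
    {"ts": 0,  "action": "blocked", "source_ip": "198.51.100.7", "dest_ip": "10.0.0.1", "dest_port": 22},
    {"ts": 5,  "action": "blocked", "source_ip": "192.0.2.11",   "dest_ip": "10.0.0.9", "dest_port": 80},
    {"ts": 8,  "action": "allowed", "source_ip": "198.51.100.7", "dest_ip": "10.0.0.5", "dest_port": 22},
    {"ts": 10, "action": "blocked", "source_ip": "192.0.2.12",   "dest_ip": "10.0.0.9", "dest_port": 80},
    {"ts": 15, "action": "blocked", "source_ip": "198.51.100.7", "dest_ip": "10.0.0.2", "dest_port": 22},
    {"ts": 20, "action": "blocked", "source_ip": "192.0.2.13",   "dest_ip": "10.0.0.9", "dest_port": 80},
    {"ts": 25, "action": "blocked", "source_ip": "192.0.2.14",   "dest_ip": "10.0.0.9", "dest_port": 80},
    {"ts": 28, "action": "blocked", "source_ip": "198.51.100.7", "dest_ip": "10.0.0.2", "dest_port": 22},
    {"ts": 30, "action": "blocked", "source_ip": "198.51.100.7", "dest_ip": "10.0.0.3", "dest_port": 22},
]


def run_port_sweep(table_size):
    """Run a port-sweep rule (one source and port, many targets) over
    SWEEP_EVENTS with the given Table Size and return its conclusions."""
    rule = ManyToOneRule(
        name="Port sweep (constructed)",
        criteria={"action": "blocked"},
        one_many_fields=("source_ip", "dest_port"),   # same source, same port
        many_one_fields=("dest_ip",),                 # different target each time
        event_count=3, span=60, table_size=table_size)
    correlator = Correlator(rule)
    for ev in SWEEP_EVENTS:
        correlator.feed(ev)
    return correlator.conclusions


if __name__ == "__main__":
    print(run_port_sweep(16))   # one conclusion for 198.51.100.7 on port 22
    print(run_port_sweep(4))    # []: the sweep's early rows were overwritten
```

With 16 rows the third distinct target at ts=30 completes the Event Count of 3 inside the 60-second Span and a conclusion is created; the repeated probe of 10.0.0.2 at ts=28 does not count because the Many-One field must differ. With only 4 rows, the unrelated blocked traffic wraps the table and overwrites the first two sweep rows before the third target is seen, so the sweep is never concluded, which is the sizing failure Table 5-4 warns about.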
Table 5-6 describes the Conclusion Creation fields on the Actions tab. Table 5-6 Conclusion Creation fields (Actions tab) Field Alerting Incident Description Describes whether an incident should be treated as an alert rather than a security incident.

98 Defining rules strategy About the Correlate By and Resource fields Table 5-6 Conclusion Creation fields (Actions tab) (continued) Field Severity Description Describes the severity of the event conclusion which can determine whether an incident is created. The Severity values include the following: 1- Informational: Purely informational events. 2 - Warning: User decides if any action is needed. 3 - Minor: Action is required, but the situation is not serious at this time. 4 - Major/Critical: Action is required immediately and the scope may be broad. 5 - Fatal: An error occurred, but it is too late to take remedial action and the scope is broad. Description Remediation Provides a user input area for security analysts to further define the conditions that led to the creation of the conclusion. This field also supports the use of field name variables that can be populated with event data. Provides a user input area for security analysts to include remediation notes for each incident that is created. The notes appear on the Remediation tab for the incident. About the Correlate By and Resource fields The Correlate By field determines whether a conclusion that is created should be mapped to an existing incident. See About correlation rules on page 87. For example, if a Virus Outbreak incident is in progress, using the appropriate setting in the Correlate By field causes each Virus Outbreak conclusion with the same virus name to be mapped to the existing incident. In addition, you can use the Resource field drop-down list to further refine the characteristics of the correlation requirements for the incident. Table 5-7 describes the Correlation types available in the Correlate By field. Table 5-7 Correlate By fields Type None Resource and Conclusion Type Description Correlation does not occur for the new incidents that match this rule. Correlation is based on the Resource and the Conclusion type. 
For example, the same Virus Outbreak Conclusion type occurs on the same host that is specified in the Resource field. Therefore, the new conclusion is correlated to an existing incident.

Table 5-7 Correlate By fields (continued)

Source and Destination
  Correlation is based on the Source and the Destination fields. For example, a new conclusion is created whose source IP and destination IP match those of an existing incident. Therefore, the conclusion is correlated to the existing incident.

Source and Conclusion Type
  Correlation is based on the Source and the Conclusion type. For example, the same IP address causes PortScan conclusions. Therefore, any new PortScan conclusion that originates from the same source is mapped to the existing incident.

Source
  Correlation is based on the Source field only. If the Source matches, any conclusion that originates from that source is correlated to the existing incident, regardless of conclusion type.

Destination and Conclusion Type
  Correlation is based on the Destination and the Conclusion type. For example, the conclusion is a denial-of-service attack that targets the same destination IP. Therefore, the conclusion is mapped to the existing incident.

Destination
  Correlation is based on the Destination field only. If the Destination is the same, any conclusion that applies to that destination is correlated to the existing incident.

Conclusion Type
  Correlation is based on the Conclusion type only. For example, all AntiVirusDisabled conclusions are mapped to the existing incident regardless of source or destination values.

Importing existing rules

You can import rules from separate instances of Information Manager using the Import and the Export features that are available in each version. If you import a rule that references custom lookup tables, you must also import those tables.
See About correlation rules on page 87.
If you import a rule from a previous supported version of Information Manager, use the Rules view to delete any imported policy information. Then, apply the current policies. Java-based rules are imported as jar files.
Note: In the User Monitor folder, you can import only those monitors that were created by using Information Manager version 4.5.
When you import rules from a previous version of Information Manager that include user, team, or role assignments, verify that the assignments are configured correctly after the import completes. A user, team, or role that existed in a previous version is not always identical to the one that exists in the upgraded version. If so, you may need to reconfigure the rule assignment values to match the assignee information in the upgraded version.

To import an existing rule
1 In the console from which you want to export the rules, navigate to the Rules view. Then, export the rules that you want to apply to the new console.
2 In the current Information Manager console, on the Rules view, expand the Correlation Rules folder.
3 Under the Correlation Rules folder, expand the User Rules folder.
4 Click Import from disk.
5 In the Select File(s) to Import dialog box, locate the file or files to import, and click Import...

To import a Java-based rule
1 In the Information Manager console, on the Rules view, click the User Monitors folder and then click Import from disk.
2 In the Select File(s) to Import dialog box, locate the jar file or files to import.
3 Click Import...
A Java-based rule is code that runs on the Information Manager server, so import jar files only from sources that you trust.

Creating custom correlation rules

Correlation rules describe the logic that is applied to an event or a set of events to detect possible security concerns.
See About creating the right rule set for your business on page 85.
You can create correlation rules from the Rules view of the Information Manager client console.
See About correlation rules on page 87.
The process for creating correlation rules is as follows:
Define a name for the rule. See To define a name for the rule on page 101.
Configure the rule conditions. See To configure the rule conditions on page 101.
Configure the rule actions. See To configure the rule actions on page 102.
Deploy the rule on the server. See To deploy the rule on the server on page 104.

To define a name for the rule
1 On the Information Manager console, click Rules.
2 In the left navigation pane, under the Correlation Rules folder, click User Rules.
3 On the Rules tab, click Create new filter or rule (+).
4 In the Input dialog box, type a name for the rule.
You can now define a rule condition. A conclusion is generated if the set of events satisfies the defined conditions.
Note: You can configure multi-condition rules. Multi-conditioning lets you define rules that track up to five user activities in a sequence. A conclusion is created when the specified sequence is detected for one combination of One-Many field values within a specified time period.
See Creating a multicondition rule on page 104.

To configure the rule conditions
1 On the Conditions tab, in the Description window, type a description for the rule.
2 On Conditions > Rule Type, click the entry that best matches the type of event and target combination that applies to the new rule. For example, to declare an incident whenever a specific event is detected, select Single Event. To declare an incident after a specific number of events are detected from a specific IP address, select Many Targets, One Source.
See About rule types on page 89.
3 In the Event Criteria area, click Add.
4 Select the left column of the new entry, and then choose an event field.
5 Select the center column and specify the operator.
6 Select the right column. Based on the operator that you chose, specify the value that the event field must have.
7 Repeat steps 3 through 6 for any other event criteria that you want applied to the rule. You can select multiple event criteria and combine them with logical operators (AND/OR).
8 In Event Count, specify the number of times that the event criteria must be true before an incident is declared.

9 In Span, specify the time window within which the number of events that is specified in Event Count must occur. For example, you can specify that 30 events of a specific type must occur within 60 minutes before an incident is declared.
10 In Table Size, specify the maximum number of events that the rule can track at any one time. The table size should generally be a multiple of the Event Count setting: Table Size divided by Event Count is the maximum number of event groups (one per tracking-key value) that the rule can manage at once. Size it for the number of distinct tracking-key values, for example source addresses, that you expect to be active within one Span; a table that is too small cannot track every group.
11 In the Tracking Keys area, specify the fields to include in the incident. This field can be any of the One-Many, Many-One, or Tracking fields that are associated with the incident.
You can now define the rule actions. A conclusion is generated if the set of events satisfies the defined conditions.
Note: You can create rules to detect threats based on the absence of events that you expect to occur.
See Creating a correlation rule based on the X not followed by Y rule type on page 107.

To configure the rule actions
1 On the Actions tab, check Alerting Incident (not a Security Incident) to specify that the incident is an alerting incident rather than a security incident. Alerting incidents notify you about a situation that requires your attention because of a discrepancy on a system. Security incidents notify you about a potential threat due to a security breach in the organization.
2 From the Severity options, select the severity that you want associated with the incident.
3 In the Description area, type a description of the problem. This information appears to the users who are assigned the incidents, or the tickets based on the incidents, that this rule triggers. (Optional) Click Add (+) to include fields from the final event that triggered the conclusion. When a conclusion is generated, these fields are replaced in the description with their corresponding values.
4 (Optional) Click Remediation to populate the Custom Remediation library for this conclusion and to give analysts a remedy that is specific to your organization.

5 In the Correlate By list box, select the method by which conclusions are grouped into incidents.
6 If you selected Resource and Conclusion Type from the Correlate By list box, you can select a field in Resource Field. This field is used to correlate conclusions within an incident: conclusions are grouped into one incident when they share the value of the resource field.
7 To specify that a user or team is automatically assigned to the incidents that this rule creates, do the following:
Turn on Enable Auto Assign and then click Add.
If you want to assign incidents based on the IP address of the affected target computer, in the left column select the IP Address or Network option. Any Address is the default option. Retain the default option to ensure that all occurrences of the incident are assigned, irrespective of the IP address.
To assign incidents to an individual user, in the User column, select the user who should be assigned the incidents.
To assign incidents to a group of users, in the User Group column, select the team that should be assigned the incidents.
At any time, you can click Clear to clear the selections.
If you want to automatically assign incidents to the least busy member of a user group, check Assign to least busy user and then select the corresponding user group.
8 In the Notification area, check Enable if you want to notify users about the incident activity. If you want to notify users only when an incident is created, check Send notification for incident creation only.
9 Click Recipients to select the method of notification for each recipient. The options are Email Address Entry, User, User Group, Syslog, and SNMP Trap. Once the method of notification is selected, you are prompted to enter the details that correspond to the option that you selected.
After you specify the conditions and the actions, you can test the rule and then deploy it on the server.
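The condition settings from steps 8 through 11 of the conditions procedure (Event Count, Span, Table Size, tracking key) and the Correlate By grouping from steps 5 and 6 above, as an added Python example. This is not code from the guide and not Symantec's correlation engine; it is a simplified model that assumes events are dicts with t (minutes), type, src and dst fields, that the One-Many tracking key is a single field, and that Table Size divided by Event Count is the number of key values tracked at once. What the product does with a matching event when the table is full is not stated in the guide; the model simply leaves that key value untracked and counts the dropped events.

```python
"""Added example, not code from the Symantec guide: a simplified model of a
threshold rule (Event Criteria, Event Count, Span, Table Size, One-Many
tracking key) and of the Correlate By grouping of conclusions into incidents.

Assumptions: events are dicts, times are integer minutes, the One-Many
tracking key is one field, and Table Size // Event Count is the number of
key values the rule tracks at once (the ratio the guide describes).  What
happens to an event when the table is full is not specified by the guide;
this model simply leaves that key value untracked."""

# Constructed sample events: a noisy scanner, a quiet host, one virus event.
EVENTS = [{"t": t, "type": "PortScan", "src": "10.0.0.5", "dst": "192.0.2.%d" % t}
          for t in range(0, 30, 2)] + [                 # 15 scans in 28 minutes
    {"t": 3, "type": "PortScan", "src": "10.0.0.9", "dst": "192.0.2.1"},
    {"t": 4, "type": "PortScan", "src": "10.0.0.9", "dst": "192.0.2.2"},
    {"t": 40, "type": "VirusOutbreak", "src": "10.0.0.5", "dst": "192.0.2.7"},
]


def run_threshold_rule(events, criteria, key_field, event_count, span, table_size):
    """Return (conclusions, untracked): a conclusion whenever event_count
    events matching `criteria` share a key_field value within `span` minutes;
    `untracked` counts matching events dropped because the table was full."""
    max_groups = max(1, table_size // event_count)
    groups, conclusions, untracked = {}, [], 0   # key value -> event times
    for ev in sorted(events, key=lambda e: e["t"]):
        if any(ev.get(f) != v for f, v in criteria.items()):
            continue
        key = ev[key_field]
        if key not in groups:
            # Free slots held by groups whose last event is older than span.
            for k in [k for k, ts in groups.items() if ev["t"] - ts[-1] > span]:
                del groups[k]
            if len(groups) >= max_groups:
                untracked += 1                   # assumed policy: key goes untracked
                continue
            groups[key] = []
        window = [t for t in groups[key] if ev["t"] - t <= span] + [ev["t"]]
        if len(window) >= event_count:
            conclusions.append({"type": ev["type"], "src": ev["src"],
                                "dst": ev["dst"], "resource": key, "t": ev["t"]})
            del groups[key]                      # group consumed by the conclusion
        else:
            groups[key] = window
    return conclusions, untracked


# One entry per Correlate By option in Table 5-7: the tuple that two
# conclusions must share to land in the same incident (None: never group).
CORRELATE_BY = {
    "None": lambda c: None,
    "Resource and Conclusion Type": lambda c: (c["resource"], c["type"]),
    "Source and Destination": lambda c: (c["src"], c["dst"]),
    "Source and Conclusion Type": lambda c: (c["src"], c["type"]),
    "Source": lambda c: (c["src"],),
    "Destination and Conclusion Type": lambda c: (c["dst"], c["type"]),
    "Destination": lambda c: (c["dst"],),
    "Conclusion Type": lambda c: (c["type"],),
}


def group_into_incidents(conclusions, correlate_by):
    """Map each conclusion onto the open incident with the same correlation
    key, or open a new incident.  Returns a list of incidents."""
    keyfn = CORRELATE_BY[correlate_by]
    incidents, index = [], {}
    for c in conclusions:
        k = keyfn(c)
        if k is not None and k in index:
            incidents[index[k]]["conclusions"].append(c)
            continue
        if k is not None:
            index[k] = len(incidents)
        incidents.append({"key": k, "conclusions": [c]})
    return incidents


if __name__ == "__main__":
    scans, dropped = run_threshold_rule(EVENTS, {"type": "PortScan"}, "src", 5, 60, 100)
    virus, _ = run_threshold_rule(EVENTS, {"type": "VirusOutbreak"}, "src", 1, 60, 100)
    for mode in CORRELATE_BY:
        print("%-32s -> %d incident(s)" % (mode, len(group_into_incidents(scans + virus, mode))))
```

With the constructed data the scanner produces three PortScan conclusions and one VirusOutbreak conclusion from the same source. Source collapses all four into one incident, Source and Conclusion Type into two, and Source and Destination or None into four, which is the trade-off the Correlate By choice makes between one ticket per attacker and one ticket per attack. Lowering Table Size to 5 with an Event Count of 5 leaves room for a single tracked source, and the quiet host's two scans go untracked, which is the failure mode a too-small table produces.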

To deploy the rule on the server
1 On the Testing tab, specify the location of a file that contains event data, and then click Start Test.
2 When you are satisfied with the incidents and the conclusions that the rule creates, turn on the rule in the Rules list.
3 On the top toolbar, click Deploy to the server.
See Enabling and disabling rules on page 115.

Creating a multicondition rule

Consider a sample scenario for creating an incident when a combination of conditions is fulfilled.
See About rule conditions on page 88.
If all of the following conditions are met, in this order, an incident must be triggered:
The user logs on to a Windows domain controller.
The user creates a new user.
The user modifies the privileges of the newly created user. (For example, the user gives the new user domain admin privileges.)
The user logs out.
Note: The event codes in the procedures apply to Microsoft Windows 2000. They may vary for other operating systems.

To create a new rule
1 On the console of the Information Manager client, click Rules.
2 In the left navigation pane, under the Correlation Rules folder, click User Rules.
3 On the Rules tab, click Create new filter or rule (+).
4 In the Input dialog box, type a name for the rule. The rule name appears in red under the User Rules folder.
5 In the description box, type the description for the rule. (For example: Monitor for the events that occur when all of the specified conditions are fulfilled.)
Once you create a new rule, you must configure the rule conditions that the scenario requires.
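The Windows scenario above, run as a sequence detector, as an added Python example that is not code from the guide and not Symantec's correlation engine. It goes beyond this scenario and also models the three negative rule types that the following sections configure (X not followed by Y, X not followed by X, Y not preceded by X), so that the four can be compared on the same footing. The field names (host, action, code, sig, mechanism, outcome, src, user) and the sample events are constructed for the example; only the 722, 632 and 720 codes come from the procedure in the text, and the Linux scenario uses a root login and a UserCreated action in place of the event codes the guide lists.

```python
"""Added example, not code from the Symantec guide: a minimal model of the
four sequence-based rule types used in this chapter, run over constructed
events.  Assumptions: events are dicts, times are integer minutes, a
condition is a dict of field/value pairs that must all be present in the
event, and the tracking key is one field (the guide's One-Many key).
Field names are chosen for the example; only the 722/632/720 codes follow
the Windows scenario in the text."""


def match(cond, ev):
    """True when every field in cond is present in ev with the same value."""
    return all(ev.get(f) == v for f, v in cond.items())


def multicondition(events, conditions, key, span):
    """MultiCondition: each key value must match `conditions` in order, all
    within `span` minutes of the first match.  One hit per completed sequence."""
    state, hits = {}, []                      # key -> (next_step, start_time)
    for ev in sorted(events, key=lambda e: e["t"]):
        k = ev.get(key)
        step, t0 = state.get(k, (0, None))
        if t0 is not None and ev["t"] - t0 > span:
            step, t0 = 0, None                # window expired: start over
            state.pop(k, None)
        if not match(conditions[step], ev):
            continue
        t0 = ev["t"] if step == 0 else t0
        step += 1
        if step == len(conditions):
            hits.append({"key": k, "start": t0, "end": ev["t"]})
            state.pop(k, None)
        else:
            state[k] = (step, t0)
    return hits


def x_not_followed_by_y(events, x, y, key, span, now):
    """Fire for each X that no Y with the same key value follows within `span`.
    A window still open at `now` cannot fire yet.  y=x gives X not followed by X."""
    evs = sorted(events, key=lambda e: e["t"])
    return [{"key": ev.get(key), "x_at": ev["t"]} for ev in evs
            if match(x, ev) and ev["t"] + span <= now
            and not any(match(y, e2) and e2.get(key) == ev.get(key)
                        and ev["t"] < e2["t"] <= ev["t"] + span for e2 in evs)]


def y_not_preceded_by_x(events, x, y, key, span):
    """Fire for each Y that no X with the same key value preceded within `span`."""
    evs = sorted(events, key=lambda e: e["t"])
    return [{"key": ev.get(key), "y_at": ev["t"]} for ev in evs
            if match(y, ev)
            and not any(match(x, e2) and e2.get(key) == ev.get(key)
                        and ev["t"] - span <= e2["t"] < ev["t"] for e2 in evs)]


# Constructed sample data (not real logs).
WINDOWS_EVENTS = [                            # dc01 completes the sequence
    {"t": 0, "host": "dc01", "action": "Login"},
    {"t": 5, "host": "dc01", "code": 722},     # new user account created
    {"t": 9, "host": "dc01", "sig": 632},      # account added to a privileged group
    {"t": 12, "host": "dc01", "code": 720},    # logoff
    {"t": 0, "host": "dc02", "action": "Login"},
    {"t": 30, "host": "dc02", "code": 722},    # too late: the 20-minute span expired
]
PRIVILEGE_SEQUENCE = [{"action": "Login"}, {"code": 722}, {"sig": 632}, {"code": 720}]
LOGON_EVENTS = [
    {"t": 0, "src": "10.1.1.1", "mechanism": "Login", "outcome": "Success"},
    {"t": 30, "src": "10.1.1.1", "mechanism": "Logout"},
    {"t": 0, "src": "10.1.1.2", "mechanism": "Login", "outcome": "Success"},  # never logs off
    {"t": 10, "src": "10.1.1.3", "mechanism": "Login", "outcome": "Failed"},  # never retries
    {"t": 10, "src": "10.1.1.4", "mechanism": "Login", "outcome": "Failed"},
    {"t": 12, "src": "10.1.1.4", "mechanism": "Login", "outcome": "Success"}, # retried, no logoff
]
LINUX_EVENTS = [
    {"t": 0, "host": "lx1", "action": "Login", "user": "root"},
    {"t": 5, "host": "lx1", "action": "UserCreated"},   # preceded by a root logon
    {"t": 3, "host": "lx2", "action": "Login", "user": "bob"},
    {"t": 7, "host": "lx2", "action": "UserCreated"},   # no root logon before it
]


def demo(now=120):
    """Run the four rule types from this chapter over the sample data."""
    return {
        "multicondition": multicondition(WINDOWS_EVENTS, PRIVILEGE_SEQUENCE, "host", 20),
        "login_without_logout": x_not_followed_by_y(
            LOGON_EVENTS, {"mechanism": "Login", "outcome": "Success"},
            {"mechanism": "Logout"}, "src", 60, now),
        "failed_login_no_retry": x_not_followed_by_y(
            LOGON_EVENTS, {"mechanism": "Login", "outcome": "Failed"},
            {"mechanism": "Login"}, "src", 30, now),
        "user_created_without_root": y_not_preceded_by_x(
            LINUX_EVENTS, {"action": "Login", "user": "root"},
            {"action": "UserCreated"}, "host", 30),
    }
```

Call demo() to see one hit per rule: dc01 completes the privilege sequence while dc02's second step arrives after the 20-minute span; 10.1.1.2 and 10.1.1.4 log on without logging off; 10.1.1.3 fails once and never retries; lx2 creates an account without a root logon before it. Two points carry over to the product. The negative types can only fire once the Span has elapsed, which is why demo(now=70) no longer reports 10.1.1.4, and X and Y are only paired through the tracking key, so a logoff that carries a different Source IP address than the logon it ends will not be matched and the rule will report a false positive.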

To configure the rule conditions
1 On the Conditions tab, in the Description window, type a description for the rule.
2 On the Conditions tab, on the Rule Type menu, click MultiCondition.
3 In the Event Criteria area, click Add, and then add the conditions that are required to trigger the rule, as described in the following procedures.

To add Condition 1
1 Select the left column of the new entry. From the drop-down list that appears, select the Events tab and click the Host Intrusion Activity folder. From the list that is displayed, select Intrusion Action ID.
2 Select the center column and select the = operator.
3 Select the right column, and then select Login. This value corresponds to the logon action.
4 If the events must occur more than once for an incident to be declared, specify the count of events in the Event Count list in the Event Criteria area.
Add the other conditions that are required to trigger the rule.

To add Condition 2
1 Under Rule Type, click Add to add a second condition.
2 Select the left column of the new entry for Condition 2. From the drop-down list that appears, click the Common tab and select Symantec Event Code.
3 Select the center column and select the = operator.
4 Select the right column, and then select 722. This value corresponds to a new user account being created.
5 If the events must occur more than once for an incident to be declared, in the Event Criteria area, specify the count of events in the Event Count list.
Add the other conditions that are required to trigger the rule.

To add Condition 3
1 Under Rule Type, click Add to add a third condition.
2 Select the left column of the new entry for Condition 3. From the drop-down list that appears, click the Common tab and select Vendor Signature.

3 Select the center column and select the = operator. Select the right column, and then select 632. This value corresponds to a new user account being added to the domain admin group for the third condition.
4 If the events must occur more than once for an incident to be declared, in the Event Criteria area, specify the count of events in the Event Count list.
Add the other conditions that are required to trigger the rule.

To add Condition 4
1 Under Rule Type, click Add to add a fourth condition.
2 Select the left column of the new entry for Condition 4. From the drop-down list that appears, click the Common tab and select Symantec Event Code.
3 Select the center column and select the = operator.
4 Select the right column, and then select 720. This value corresponds to the user account logoff for the fourth condition.
5 In the Tracking Keys area, under the One-Many field, click Add and select Agent Host. Under the Tracking field, click Add and select IP destination address.
6 If the events must occur more than once for an incident to be declared, in the Event Criteria area, specify the count of events in the Event Count list.
7 In Span, set the time span to 20 minutes.
8 In Table Size, specify the maximum number of events that the rule can track at any one time.
After you configure the rule conditions, you must configure the rule actions.

To configure the rule actions
1 On the Actions tab, in the Conclusion Severity option, specify the severity that you want associated with the incident.
2 In the Conclusion Description area, type a description of the problem. This information appears to the users who are assigned the incidents, or the tickets based on the incidents, that this rule triggers. (Optional) Click Add (+) to include the values of fields from the final event that triggered the conclusion.
3 In the Correlate By drop-down list, specify the method by which conclusions are grouped into incidents.

4 In the Resource Field menu, choose the desired event field. Conclusions are correlated into incidents based on the value of this resource field.
5 To specify that a user or team is automatically assigned to the incidents that this rule creates, do the following:
Turn on Enable Auto Assign.
If you want to automatically assign incidents to the least busy member of a user group, check Assign to least busy user and then select the corresponding user group.
To assign the incident based on the IP address of the affected target computer, in the left column, type the IP address or netmask.
In the User column, click the user to whom you want to assign the incidents.
In the User Group column, click the help desk team to which you want to assign the incidents.
After you specify the conditions and the actions, you can test the rule and then deploy it on the server.

To deploy the rule on the server
1 On the Testing tab, specify the location of a file that contains event data, and then click Start Test.
2 When you are satisfied with the incidents and conclusions that this rule creates, turn on the rule in the Rules list.
3 On the top toolbar, click Deploy to the server.

Creating a correlation rule based on the X not followed by Y rule type

Consider a sample scenario wherein a user logs on to a critical system, carries out some activity, and fails to log off within an hour. Normally such a logon lasts less than an hour. If the user does not log off within an hour, this suspicious activity results in an event with a conclusion. This sample scenario is an example of Y not following X.
See About rule types on page 89.

To create a correlation rule for X not followed by Y
1 On the console of the Information Manager client, click Rules.
2 In the left navigation pane, under the Correlation Rules folder, click User Rules.

3 On the Rules tab, click Create new filter or rule (+).
4 In the Input dialog box, type a name for the rule. The rule name appears in red under the User Rules folder. Example: Rule for Event Definition with negatives
5 In the Descriptions box, type the description for the rule. Example: Monitor for the events that have not occurred in a defined sequence.
You can now define the required rule condition. An event is generated if the set of user actions satisfies the defined condition. In this example, X is the normal activity of a logon and Y is the activity of a logoff. Normally, Y follows X. However, in this example the logoff does not happen even after an hour. Therefore, use the rule type X not followed by Y to trigger an event.

To configure the rule conditions and actions
1 On the Conditions tab, on the Rule Type menu, click the rule X not followed by Y.
2 In the Event Criteria area, click + to add a criterion for X.
3 Select the left column of the new entry, and then choose the event field Mechanisms.
4 Select the center column and select the operator contains.
5 Select the right column, and then specify the value Login.
6 To add the criterion for Y, in the Event Criteria Postcondition area, select the left column of the new entry, and then choose the Mechanisms event field.
7 Select the center column and select the operator contains.
8 Select the right column, and then specify the value Logout.
9 In the Tracking Keys area, under the One-Many fields, click Add to specify the fields that you want to track: for example, the Source IP address. Choose a field whose value the X and Y events share; a logoff event that carries a different value for the tracking key than the logon cannot be paired with it, and the rule then reports a logon that was in fact followed by a logoff. Under the Tracking fields column, if you want to track the date of the event, you can add Event Date.
10 In the Event Count box, specify the number of times that the event criteria must be true for an incident to be declared.
11 In the Span box, specify the amount of time within which the two events X and Y must occur. For example, you can specify that the two events X and Y must occur within 60 minutes; if Y does not follow X within that window, an incident is declared.

12 In the Table Size box, specify the maximum number of events that the rule can track at any one time. The table size should generally be a multiple of the Event Count setting.
13 On the Actions tab, you can specify whether the incident is an alerting incident and not a security incident. You can add the description and the remediation for that incident.
14 In the Autoassignments and Notifications areas, you can specify whether the incident should be assigned automatically to the selected users or groups.
15 In the Notification area, you can enable notifications and specify the email addresses of the recipients. You can add one or more recipients to receive the notifications.
You must deploy the rule after you have created and configured it.

To deploy the rule
1 On the console of the Information Manager client, click Rules.
2 In the left navigation pane, place a check mark in the box next to the rule that you want to deploy.
3 In the top toolbar, click Deploy.

Creating a correlation rule based on the X not followed by X rule type

Consider a sample scenario wherein a user tries to log on, fails, and does not attempt to log on again for 30 minutes. Normally, an authorized user tries to log on again within 30 minutes. However, this user waits more than 30 minutes before attempting to log on again. This behavior indicates suspicious activity and results in an event with a conclusion. This sample scenario is an example of X not following X.
See About rule conditions on page 88.

To create a correlation rule for X not followed by X
1 On the console of the Information Manager client, click Rules.
2 In the left navigation pane, under the Correlation Rules folder, click User Rules.
3 On the Rules tab, click Create new filter or rule (+).

4 In the Input dialog box, type a name for the rule. Example: Rule for Event Definition with negatives
5 In the Descriptions box, type a brief description for the rule. Example: Monitors for predefined behavior of events.
You can now define the required rule condition. An event is generated if the set of user actions satisfies the defined condition. In this example, X is a logon attempt; the event criteria below restrict it to a failed attempt. Normally, a failed logon attempt is followed by another logon attempt within a 30-minute period. However, in this example the user does not attempt to log on again for more than 30 minutes. Therefore, you can use the rule type X not followed by X to trigger an event.

To configure the rule conditions and actions
1 On the Conditions tab, on the Rule Type menu, click the rule X not followed by X.
2 In the Event Criteria area, click + to add a criterion for X.
3 Select the left column of the new entry, and then choose the event field Mechanisms.
4 Select the center column and select the operator contains.
5 Select the right column, and then specify the value Login.
6 Click Add to add the second criterion for X. Then select the left column of the new entry, and in the drop-down list under Events, expand the Intrusion Activity folder. Select Intrusion Outcome ID.
7 Select the center column and select the operator =.
8 Select the right column, and then specify the value Failed.
9 In the Tracking Keys area, under the One-Many fields, click Add to specify the fields to track: for example, the Source IP address. Under the Tracking fields column, if you want to track the date of the event, add Event Date.
10 In the Event Count box, specify the number of times that the event criteria must be true for an incident to be declared.
11 In the Span box, specify the amount of time for the event. For example, you can specify 30 minutes; if no further logon attempt occurs within that window, an incident is declared.
12 In the Table Size box, specify the maximum number of events that the rule can track at any one time. The table size should generally be a multiple of the Event Count setting.

13 On the Actions tab, specify whether the incident is an alerting incident and not a security incident. Add the description and the remediation for that incident.
14 In the Auto assignments and Notifications areas, specify whether the incident should be assigned automatically to the selected users or groups.
15 In the Notification area, enable notifications and specify the email addresses of the recipients. You can add one or more recipients to receive the notifications.
You must deploy the rule after you have created and configured it.

To deploy the rule
1 On the console of the Information Manager client, click Rules.
2 In the left navigation pane, place a check mark in the box next to the rule to deploy.
3 In the top toolbar, click Deploy.

Creating a correlation rule for the Y not preceded by X rule type

Consider a sample scenario wherein a user logs on to a Linux system, uses PuTTY or another secure connection to switch to the su (superuser) role, and creates another user. Normally, to create a new user account, you log on as root. However, this user bypasses the root logon, and a new user account is created. This sample scenario is an example of X not preceding Y.

To create a correlation rule for Y not preceded by X
1 On the console of the Information Manager client, click Rules.
2 In the left navigation pane, under the Correlation Rules folder, click User Rules.
3 On the Rules tab, click Create new filter or rule (+).
4 In the Input dialog box, type a name for the rule. Example: Rule for Event Definition with negatives
5 In the Descriptions box, enter a brief description for the rule. Example: Monitors for the events occurring in the correct sequence.
In this example, X is the activity of a root logon, and Y corresponds to the creation of a new user account. Normally, a new user is created by logging on as root. However, in this example, the user does not log on as root but as a normal user.

The user is nevertheless able to create a new user account. Therefore, you can use the rule type Y not preceded by X to trigger an event.
You can now define the required rule condition. An event is generated if the set of user actions satisfies the defined condition.

To configure the rule conditions and actions
1 On the Conditions tab, on the Rule Type menu, click the rule Y not preceded by X.
2 In the Event Criteria area, click + to add a criterion for X.
3 Select the left column of the new entry, and then choose the event field Symantec Event Code.
4 Select the center column and then select the operator =.
5 Select the right column, and then specify the value 733, which corresponds to the user action.
6 Click Add to add the second criterion for X. Then select the left column of the new entry, and in the drop-down list under the Events tab, expand the Intrusion Activity folder. Select Intrusion Outcome ID.
7 Select the center column and select the operator =.
8 Select the right column, and then specify the value Failed.
9 In the Tracking Keys area, under the One-Many fields, click Add to specify the fields to track: for example, the source IP address. Under the Tracking fields column, to track the date of the event, add Event Date.
10 In the Event Count box, specify the number of times that the event criteria must be true for an incident to be declared.
11 In the Span box, specify the amount of time for the event. For example, you can specify 30 minutes; if X does not precede Y within that window, an incident is declared.
12 In the Table Size box, specify the maximum number of events that the rule can track at any one time. The table size should generally be a multiple of the Event Count setting.
13 On the Actions tab, you can specify whether the incident is an alerting incident and not a security incident. You can add the description and the remediation for that incident.

14 In the Autoassignments and Notifications areas, you can specify whether the incident should be assigned automatically to the selected users or groups.
15 In the Notification area, you can enable notifications and specify the email addresses of the recipients. You can add one or more recipients to receive the notifications.
You must deploy the rule after you have created and configured it.

To deploy the rule
1 On the console of the Information Manager client, click Rules.
2 In the left navigation pane, place a check mark in the box next to the rule to deploy.
3 In the top toolbar, click Deploy.

Creating a correlation rule for the Lookup Table Update

The Lookup Table Update rule dynamically collects information into a lookup table. Any rule can refer to this information to generate incidents, tickets, and assets. You can create a correlation rule that refers to an existing lookup table that is dynamically updated. After you create the rule, you configure its conditions and actions and deploy it. This rule exists only to update the lookup table; therefore, no conclusions are created for the Lookup Table Update rule itself.
See About rule types on page 89.
Consider a sample scenario wherein a set of intentionally bad credit card numbers is distributed to serve as bait for malicious users. A malicious user who intends to commit fraud may use one of the bait cards. A list of these bait card numbers is maintained in a lookup table. Whenever a credit card usage event contains one of the bait numbers, the source IP address of that event is immediately stored in a lookup table in Information Manager. Later, if a seemingly legitimate usage event originates from a stored source IP address, it indicates fraud by the malicious user. A correlation rule that refers to the dynamically updated lookup table generates an incident for events that originate from a stored source IP address. For this to work, a lookup table must be configured with a Lookup Table Update rule that records the source IP addresses.

To create a correlation rule for Lookup Table Update
1 In the console of the Information Manager client, click Rules.
2 In the left navigation pane, under the Correlation Rules folder, click User Rules.
3 On the Rules tab, click Create new rule (+).
4 In the Descriptions box, enter a brief description for the rule.
You can now configure the required rule conditions and actions. The lookup table is updated whenever an event satisfies the specified event criteria.

To configure the rule conditions and actions
1 On the Conditions tab, on the Rule Type menu, select Lookup Table Update Rule.
2 In the Event Criteria area, click + and specify the event criteria.
3 On the Actions tab, configure the actions for the Lookup Table Update rule by editing any of the following properties:
Lookup Table
  Lets you select the User Lookup Table that is modified dynamically when an event satisfies the specified event criteria.
Table Column
  The key column in the Lookup Table that is updated automatically.
Event Field
  Lets you select an existing event field. When an event satisfies the specified event criteria, the value of this event field is written to the key column of the Lookup Table.
Timeout in hours
  Lets you specify the period, in hours, after which an entry in the configured Lookup Table is removed. If the value is 0, entries in the Lookup Table do not expire. Entries that never expire accumulate; for a table keyed on a value that an attacker controls, such as a source IP address, set a nonzero timeout so that stale or deliberately flooded entries age out.
After you configure the rule conditions and actions, you must enable and deploy the rule.

To deploy the rule
1 In the console of the Information Manager client, click Rules.
2 In the left navigation pane, place a check mark in the box next to the rule to deploy.
3 In the top toolbar, click Deploy.
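The bait-card scenario and the Lookup Table Update properties from this section, as an added Python example. It is not code from the guide and not Symantec's implementation: it models a user lookup table with one key column and the Timeout in hours setting, a Lookup Table Update rule that writes the event's source address into it (and produces no conclusion), and an ordinary rule that consults the table. Times are integer hours; the card numbers, addresses and events are constructed test data, and the field names card and src are assumptions.

```python
"""Added example, not code from the Symantec guide: a model of the Lookup
Table Update rule and of a rule that consults the table it maintains,
using the bait credit-card scenario from this section.

Assumptions: times are integer hours, events are dicts with src and card
fields, and a lookup table is a dict mapping its key column to the hour the
entry was written.  Card numbers and addresses are constructed test data."""

BAIT_CARDS = {"4111111111111111", "4222222222222222"}   # constructed bait list


class LookupTable:
    """A user lookup table with a single key column and an entry timeout.
    timeout_hours=0 means entries never expire, as in the guide."""

    def __init__(self, timeout_hours):
        self.timeout_hours = timeout_hours
        self.rows = {}                       # key value -> hour written

    def update(self, key_value, now):
        self.rows[key_value] = now           # re-arm the timeout on every hit

    def expire(self, now):
        if self.timeout_hours:
            self.rows = {k: t for k, t in self.rows.items()
                         if now - t < self.timeout_hours}

    def contains(self, key_value, now):
        self.expire(now)
        return key_value in self.rows


def lookup_table_update_rule(event, table, now):
    """Lookup Table Update rule: criteria = card in BAIT_CARDS; action =
    write the event's src field to the table.  Produces no conclusion."""
    if event.get("card") in BAIT_CARDS:
        table.update(event["src"], now)


def fraud_from_flagged_ip_rule(event, table, now):
    """Ordinary rule that references the table: any other card usage from a
    stored source address yields a conclusion (returned as a dict, else None)."""
    if event.get("card") not in BAIT_CARDS and table.contains(event["src"], now):
        return {"type": "FraudFromBaitedIP", "src": event["src"],
                "card": event["card"], "t": now}
    return None


def process(events, timeout_hours):
    """Feed events through both rules in time order; return the conclusions."""
    table = LookupTable(timeout_hours)
    conclusions = []
    for ev in sorted(events, key=lambda e: e["t"]):
        lookup_table_update_rule(ev, table, ev["t"])
        c = fraud_from_flagged_ip_rule(ev, table, ev["t"])
        if c:
            conclusions.append(c)
    return conclusions


# Constructed events: hour, source address, card number used.
EVENTS = [
    {"t": 0, "src": "198.51.100.7", "card": "4111111111111111"},   # bait card: flag the IP
    {"t": 2, "src": "198.51.100.7", "card": "5555000011112222"},   # then a "legitimate" card
    {"t": 3, "src": "203.0.113.9", "card": "5555000011112222"},    # unflagged IP, same card
    {"t": 60, "src": "198.51.100.7", "card": "5555333344445555"},  # long after the bait use
]

if __name__ == "__main__":
    print("24-hour timeout:", process(EVENTS, 24))
    print("no timeout:     ", process(EVENTS, 0))
```

With a 24-hour timeout only the usage two hours after the bait card fires; with Timeout in hours set to 0 the address stays flagged forever and the usage at hour 60 fires as well. Which behavior is right depends on how long you believe a flagged address remains attributable to the same actor, but a table with no timeout keyed on an attacker-controlled field grows without bound.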

Enabling and disabling rules

By enabling or disabling rules in the Rules view of the Information Manager console, you can temporarily filter certain network events. You can also change the way the Correlation Manager declares incidents.
See About correlation rules on page 87.
Note: In some cases, such as when the server is under a heavy event load, disabling or deleting a rule may not take effect immediately.

To enable or disable a rule
1 From the Information Manager console, click Rules.
2 In the left navigation pane, check or uncheck the box next to a rule. A check mark against the rule indicates that the rule is selected to be enabled.
3 In the top toolbar, click Deploy.

Working with the Lookup Tables window

You can view and update the lookup table information from the Rules view. List entries change over time because of updates from the Symantec DeepSight Threat Management System and LiveUpdate. You can also create user-defined lookup tables under the User Lookup Tables folder.
See About correlation rules on page 87.
The Lookup Tables provide a set of configurable tables that let you extend the functioning of rules. To ensure that some correlation rules function properly, you must populate the Lookup Tables with the information that applies to your network and resources. Key settings include the email domains that apply to your network, the files to be monitored, and the users to be monitored. If required, additional user tables can be added based on your specifications.
Table 5-8 lists the Lookup Tables and the types of information that they contain.

Table 5-8 Lookup Tables

Administrative Users
  List of users who can perform administrative activities.
Authorized Ports Inbound
  List of authorized ports through which incoming traffic is allowed as per the policies.

Table 5-8 Lookup Tables (continued)
Authorized Ports Outbound: List of authorized ports through which outgoing traffic is allowed as per the policies.
Critical Servers: Lists the IP addresses of the servers that are critical from a business perspective.
default usernames: List of authorized users.
ip watchlist: Lists the IP addresses of known attackers. An incident is created if an event is detected from one of these IP addresses. The IP Watch List table is a configurable table that is available for manually tracking known bad IP addresses. DeepSight and LiveUpdate updates maintain a separate internal IP Watch List; that list contains IP addresses known to be malicious in the larger Internet environment.
IP Whitelist Table: Lists the whitelisted IP addresses. These IP addresses and domain names are reputable and can be trusted. You can add your trusted domain names and IP addresses to the list.
Monitored Logging Devices: Lists the logging devices that must be monitored for an idle state after a specific time span.
Organization Domains: Provides a table in which you describe the organizational domains that are monitored.
P2P Programs: Lists the P2P programs.
Potential Policy Violation IPs: Lists the IP addresses of the hosts that can potentially violate the policy.
Rapid Response Monitored Address Traffic: Lists the known bad IP addresses with which your sensitive data might communicate.
sensitive files: Lists the file names to monitor during FTP transfers.
sensitive urls: Lists the text strings that are often included in malicious URLs.
services: Lists the services that are associated with each port number.

Table 5-8 Lookup Tables (continued)
trojans: Lists known Trojan horse exploits.
user watchlist: Provides a table in which you can list users and the user names that formerly had access to the network.
Weekdays: Lists the days of the week to allow further refinement of queries based on the day or days associated with an event.
Weekend: Lists the days of the weekend to allow further refinement of queries based on the day or days associated with an event.
windows events: Lists the Windows events that may indicate violations of security policies or other malicious activities.

To add an entry to the Organization Domains watchlist
1 On the Information Manager console, click Rules.
2 In the left navigation pane, expand the Lookup Tables folder.
3 Expand the System Lookup Tables folder.
4 Click Organization Domains.
5 Click New Record (+).
6 In the spaces provided, type a name and description.
7 Click Deploy to Server.
8 In the Deployed Modified Items dialog box, enter a comment which describes the addition of the entry and then click OK to deploy the change.

To add an entry to the IP watchlist
1 On the Information Manager console, click Rules.
2 In the left navigation pane, expand the Lookup Tables folder.
3 Expand the System Lookup Tables folder.
4 Click ip watchlist (if it is not selected).
5 Click New Record (+).
6 In the spaces provided, type the desired IP address and description.

7 Click Deploy to Server.
8 In the Deployed Modified Items dialog box, enter a comment which describes the addition of the entry and then click OK to deploy the change.

To add an entry to the sensitive files list
1 On the Information Manager console, click Rules.
2 In the left navigation pane, expand the Lookup Tables folder.
3 Expand the System Lookup Tables folder.
4 Click sensitive files.
5 Click New Record (+).
6 In the space that is provided, type the name of the file.
7 Click Deploy to Server.
8 In the Deployed Modified Items dialog box, enter a comment which describes the addition of the entry and then click OK to deploy the change.

To add an entry to the sensitive urls list
1 On the Information Manager console, click Rules.
2 In the left navigation pane, expand the Lookup Tables folder.
3 Expand the System Lookup Tables folder.
4 Click sensitive urls.
5 Click New Record (+).
6 In the URL Substring column, type the URL.
7 In the Attack Type column, type the kind of attack that is associated with this URL.
8 Click Deploy to Server.
9 In the Deployed Modified Items dialog box, enter a comment which describes the addition of the entry and then click OK to deploy the change.

To add an entry to the services list
1 On the Information Manager console, click Rules.
2 In the left navigation pane, expand the Lookup Tables folder.
3 Expand the System Lookup Tables folder.
4 Click services.
5 Click New Record (+).
6 In the Service column, type a description.

7 In the Port column, type the port number to add.
8 Click Deploy to Server.
9 In the Deployed Modified Items dialog box, enter a comment which describes the addition of the entry and then click OK to deploy the change.

To add an entry to the Trojan horses list
1 On the Information Manager console, click Rules.
2 In the left navigation pane, expand the Lookup Tables folder.
3 Expand the System Lookup Tables folder.
4 Click trojans.
5 Click New Record (+).
6 In the Port column, type the port number that is associated with the attack.
7 In the Protocol column, type the network protocol (such as TCP or UDP) that is associated with the attack.
8 In the Trojan Name(s) column, type the name of the Trojan horse.
9 Click Deploy to Server.
10 In the Deployed Modified Items dialog box, enter a comment which describes the addition of the entry and then click OK to deploy the change.

To add an entry to the user watchlist
1 On the Information Manager console, click Rules.
2 In the left navigation pane, expand the Lookup Tables folder.
3 Expand the System Lookup Tables folder.
4 Click user watchlist.
5 Click New Record (+).
6 In the spaces provided, type the user name, name, and departure date of the employee or account to add.
7 Click Deploy to Server.
8 In the Deployed Modified Items dialog box, enter a comment which describes the addition of the entry and then click OK to deploy the change.

To add an entry to the Windows Events list
1 On the Information Manager console, click Rules.
2 In the left navigation pane, expand the Lookup Tables folder.
3 Expand the System Lookup Tables folder.

4 Click windows events.
5 Click New Record (+).
6 In the ID column, type the desired Microsoft Windows event type.
7 In the Category column, type the kind of activity that is associated with the event.
8 In the Description column, type a description for this kind of event.
9 Click Deploy to Server.
10 In the Deployed Modified Items dialog box, enter a comment which describes the addition of the entry and then click OK to deploy the change.

To delete an entry from the Lookup Tables
1 On the Information Manager console, click Rules.
2 In the left navigation pane, expand the Lookup Tables folder.
3 Expand the System Lookup Tables folder.
4 Click the table with the entry to be deleted and select the entry.
5 Click Delete Records.
6 Click Yes to confirm the deletion.
7 Click Deploy to Server.
8 In the Deployed Modified Items dialog box, enter a comment which describes the deletion of the entry.
9 Click OK to deploy the change.

Creating a user-defined Lookup Table
To create a user-defined lookup table, you first define the columns in the table, and then you add the data. See Working with the Lookup Tables window on page 115.

To create a user-defined lookup table
1 On the Information Manager console, click Rules.
2 In the left navigation pane, expand the User Lookup Tables folder.
3 Click Create new filter or rule (+).
4 In the Input dialog that appears, type the name of the table you want to create, and click OK. The name of the table must not match the name of an existing table or rule.

5 On the Content tab, click Add Records (+). Enter the Name, Type, and Description values for a column that you want to use in your table. You can select any of the following types of values for a record in a column: Float, IP Mask, Date, String, IP address, Integer.
6 For each additional column, repeat step 5.
7 After creating the columns, select the Key option button corresponding to the column that forms the primary column in the table.
8 Click Done.
9 To add data to the table that you have created, do one of the following:
Click Add Records and enter the information in the available fields.
Click Import Records. After you choose the file that you want to import, a wizard guides you through the steps to map the data that is stored in the file to the columns that you have added in the Lookup Table.
10 When you are finished, click Deploy.
11 In the Deploy Modified Items dialog box, choose the items that you want to deploy. You can enter an optional comment in the available field.
12 Click OK.

Importing Lookup Tables and records
You can import a previously exported Information Manager Lookup Table from a file. Alternatively, you can import the records that are stored in comma-separated or tab-separated format into an existing Lookup Table. See Working with the Lookup Tables window on page 115.
Note: When you import records into an existing Lookup Table, you can import a maximum of 1024 entries.

To import an exported Lookup Table
1 On the Information Manager console, click Rules.
2 In the left navigation pane, click the User Lookup Tables folder.
3 Click Import from Disk.
4 In the Select File(s) to Import dialog, choose the file, and click Import.

To import records into an existing Lookup Table
1 On the Information Manager console, click Rules.
2 In the left navigation pane, expand the User Lookup Tables folder.
3 In the table into which you want to import records, on the Content tab, click Import Records.
4 In the Open dialog box, choose the file that contains the data to be imported, and click Open.
5 In the Import Lookup Table Records wizard, choose the delimiter that is used in the file, and the appropriate options. The preview pane displays a representation of your choices.
6 Click Next.
7 In the next pane, use the Field Options area to specify how the data in the file maps to the columns in the Lookup Table. Click Next.
8 In the next pane, click Start.
9 When the import process is finished, click Finish.
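What the Import Records wizard has to check when it maps a delimited file onto a user-defined table (the column types offered when creating the table, the single key column, and the 1024-entry import limit), as an added example that is not Information Manager code; the positional field mapping, the ISO date format, the "address/mask" text accepted for IP Mask, and the sample data are assumptions made here.

```python
"""Import delimited records into a user-defined Lookup Table, checking each
cell against the column types the table editor offers (Float, IP Mask, Date,
String, IP address, Integer), enforcing the single key column, and stopping
at the 1024-entry import limit.

Added example, not Information Manager code. The date format, the
"address/mask" syntax accepted for IP Mask, the positional field mapping and
the sample data are assumptions made here."""
import csv
import io
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Tuple

MAX_IMPORT_ENTRIES = 1024  # limit for importing into an existing Lookup Table


def _ip_mask(text: str) -> str:
    """IP Mask column: accept a network in CIDR or dotted-mask form (assumed)."""
    return str(ipaddress.ip_network(text, strict=False))


def _date(text: str):
    """Date column: ISO calendar date (assumed format)."""
    return datetime.strptime(text, "%Y-%m-%d").date()


# One converter per column type; each raises ValueError on bad input
COLUMN_TYPES: Dict[str, Callable[[str], object]] = {
    "Float": float,
    "IP Mask": _ip_mask,
    "Date": _date,
    "String": str,
    "IP address": lambda s: str(ipaddress.ip_address(s)),
    "Integer": int,
}


@dataclass
class Column:
    name: str
    type_name: str
    key: bool = False


def import_records(text: str, columns: List[Column], delimiter: str,
                   has_header: bool = True) -> Tuple[List[dict], List[str]]:
    """Return (accepted records, rejection messages). Fields map to columns
    positionally; the key column must be unique within the import."""
    key_columns = [c for c in columns if c.key]
    if len(key_columns) != 1:
        raise ValueError("exactly one column must be marked as the key")
    key_name = key_columns[0].name
    for col in columns:
        if col.type_name not in COLUMN_TYPES:
            raise ValueError(f"unknown column type {col.type_name!r}")

    accepted: List[dict] = []
    rejected: List[str] = []
    seen_keys = set()
    rows = csv.reader(io.StringIO(text), delimiter=delimiter)
    for lineno, row in enumerate(rows, start=1):
        if has_header and lineno == 1:
            continue
        if not row or all(cell.strip() == "" for cell in row):
            continue  # skip blank lines
        if len(accepted) >= MAX_IMPORT_ENTRIES:
            rejected.append(f"line {lineno}: import limit of {MAX_IMPORT_ENTRIES} entries reached")
            break
        if len(row) != len(columns):
            rejected.append(f"line {lineno}: expected {len(columns)} fields, got {len(row)}")
            continue
        record = {}
        try:
            for col, cell in zip(columns, row):
                record[col.name] = COLUMN_TYPES[col.type_name](cell.strip())
        except ValueError as exc:
            rejected.append(f"line {lineno}: {exc}")
            continue
        key = record[key_name]
        if key in seen_keys:
            rejected.append(f"line {lineno}: duplicate key {key!r}")
            continue
        seen_keys.add(key)
        accepted.append(record)
    return accepted, rejected


# Constructed user table: suspicious sources with their network, a first-seen date and a score
WATCH_COLUMNS = [
    Column("address", "IP address", key=True),
    Column("network", "IP Mask"),
    Column("first_seen", "Date"),
    Column("score", "Float"),
]
SAMPLE_TSV = (  # constructed tab-separated file: one bad address, one duplicate key
    "address\tnetwork\tfirst_seen\tscore\n"
    "192.0.2.10\t192.0.2.0/24\t2024-01-05\t7.5\n"
    "198.51.100.7\t198.51.100.0/255.255.255.0\t2024-01-06\t3\n"
    "not-an-ip\t203.0.113.0/24\t2024-01-07\t1.0\n"
    "192.0.2.10\t192.0.2.0/24\t2024-01-08\t9.0\n"
)


def import_sample() -> Tuple[List[dict], List[str]]:
    """Import the constructed file: two records accepted, two rejected."""
    return import_records(SAMPLE_TSV, WATCH_COLUMNS, delimiter="\t")
```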

Section 3 Getting started with the Information Manager
Chapter 6. Configuring the Console
Chapter 7. Managing roles and permissions
Chapter 8. Managing users and user groups
Chapter 9. Managing organizational units and computers


Chapter 6 Configuring the Console
This chapter includes the following topics:
About configuring Information Manager
Identifying critical systems
Adding a policy
Specifying networks
About customizations for a Service Provider Master console

About configuring Information Manager
For the correlation rules to function properly, it is essential that you specify the information that is used to determine incident severity. Key settings include specifying the systems that host critical or sensitive information and the systems that require high availability. You can also specify the networks that exist in your organization so that you can increase the priority of incidents based on the affected network. For example, the incidents that affect the networks that reside within your firewall can be assigned a higher priority than those that reside outside the firewall. See Identifying critical systems on page 126.
You can specify the policies that are used within your network. Symantec Security Information Manager includes default policies. You can also add custom policies. Once you have defined the available policies, you can associate them with network computers when you add entries to the Assets list. See Adding a policy on page 127. See Specifying networks on page 128.

You should also create your list of response teams so that Information Manager can automatically assign incidents to these teams based on the rules settings. You use the Information Manager console to create the teams. However, the list of members that you can assign to those teams is maintained on the System view.
Another key factor that lets you determine incident severity and the functioning of rules is the information that is stored in the knowledge base. The Global Intelligence Network Integration Manager provides some of this information. You can configure some settings. For example, you can add entries to the IP watchlist. See About customizations for a Service Provider Master console on page 129.
Note: When you add a new policy or service to the Policies or Services lists, the new entries appear in the Event Criteria on the Rules view after you restart the console for the Information Manager.

Identifying critical systems
For the correlation rules to function properly, you must specify the information that is used to determine incident severity. Key settings include specifying the systems that host critical or sensitive information and the systems that require high availability. See About configuring Information Manager on page 125.
Complete the following steps to identify critical systems in your organization.

To identify critical systems
1 In the console of the Information Manager client, click Assets.
2 On the toolbar, click + (the plus icon).
3 In the Asset Editor dialog box, in the IP Address box, type the IP address of the system.
4 Fill in the following optional information, if you want:
In the Host Name box, type the host name of the system.
In the MAC Address box, type the MAC address of the system.
In the DN box, type the Distinguished Name of the system.
In the Description box, type a description of the system.

5 (Optional) In the Asset Priority area, select values for Confidentiality, Integrity, and Availability as follows:
Confidentiality: Value range 1 to 5, where level 5 means that the computer hosts content that must be maintained with the highest level of confidentiality.
Integrity: Value range 1 to 5, where level 5 means that the computer hosts content that must be maintained with the highest level of integrity.
Availability: Value range 1 to 5, where level 5 means that the computer hosts applications and content that must always be available for your business.
6 (Optional) In the Additional Information area, provide the following information:
The name of the organization that uses this system
The physical location of the system
The name of the operating system that is running on the system
The version of the OS that is running on the system
The owner of the system
External ID information, if used
7 Select Lock for Auto Update if you do not want the Assets list entry for this host to be overwritten when new information is imported from a vulnerability scanner.
8 Click the Save Asset icon.

Adding a policy
You can add a policy against which you want to check compliance. See About configuring Information Manager on page 125.
You can add a policy from the Assets view. The policy is added for the specific asset that you select from the Assets view.

To add a policy from the Assets view
1 In the console of the Information Manager client, click Assets.
2 Select an asset to which you want to add the policy.

3 Double-click the asset or go to the details pane in the Assets view.
4 In the Asset Details dialog box, under the Policies tab, click the (+) plus icon.
5 Select a policy and click OK.
You can add an entirely new policy from the System view.

To add a new policy from the System view
1 In the Information Manager console, click System.
2 On the Administration tab, click Policies.
3 On the toolbar, click + (the plus icon).
4 Type a name and description in the spaces that are provided.
5 Click OK.

Specifying networks
You can specify the networks that exist in your organization to be associated with the Information Manager server. See About configuring Information Manager on page 125.

To specify a network
1 In the Information Manager console, click System.
2 On the Administration tab, click Networks.
3 On the toolbar, click + (the plus icon).
4 In the Create New Network dialog box, type a name for the network in the Name box.
5 In the Netmask box, type the subnet IP address and subnet mask for the network.
6 (Optional) In the Physical Location box, type the location of the network.
7 (Optional) From the Time Zone list, select the time zone in which this network is situated. You can also type the time zone details in the GMT +/- HH:MM format. When the time zone is specified, the local time at which an event originated can be tracked.
8 (Optional) In the Logical Location box, type the logical location or select the logical location of the network.
9 (Optional) In the Description box, type a description of the network.

10 Check Auto-Updateable if you want the new entry to be overwritten when new network information is imported from a vulnerability scanner.
11 Click OK.

About customizations for a Service Provider Master console
Customizations to the Incidents view include the following:
Contacts, Tickets, and Remediation tabs are available from within the incident details. The Contacts tab is not available for clients having the same domain as the Service Provider Master.
Incident details are displayed in a separate Information Manager console window.
See About configuring Information Manager on page 125.
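The Assets list and Networks list semantics from this chapter (Confidentiality, Integrity and Availability each 1 to 5; Lock for Auto Update keeping an asset entry from being overwritten by a vulnerability-scanner import; mapping an event's address to the most specific configured network), as an added example that is not Information Manager code. The scanner record layout, the "address/mask" text accepted for the Netmask box, and the sample hosts and networks are assumptions made here.

```python
"""Assets list and Networks list maintenance: the 1-to-5 priority values, the
Lock for Auto Update flag that protects an asset entry from scanner imports,
and locating the configured network that contains an address.

Added example, not Information Manager code. The scanner record layout, the
"address/mask" form accepted for the Netmask box and the sample hosts and
networks are assumptions made here."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Asset:
    ip_address: str
    host_name: str = ""
    os_name: str = ""
    confidentiality: int = 1
    integrity: int = 1
    availability: int = 1
    lock_for_auto_update: bool = False   # scanner imports must not overwrite

    def __post_init__(self) -> None:
        self.ip_address = str(ipaddress.ip_address(self.ip_address))
        for name in ("confidentiality", "integrity", "availability"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")


@dataclass
class Network:
    name: str
    netmask: str   # subnet address and mask, e.g. "10.1.0.0/255.255.0.0" or CIDR (assumed)

    def __post_init__(self) -> None:
        self.netmask = str(ipaddress.ip_network(self.netmask, strict=False))


def merge_scanner_assets(assets: Dict[str, Asset], scan: List[dict]) -> Dict[str, int]:
    """Apply scanner results to the Assets list: unknown hosts are added with
    default priorities, unlocked entries take the scanner's host name and OS,
    entries with Lock for Auto Update are left untouched."""
    counts = {"added": 0, "updated": 0, "skipped_locked": 0}
    for rec in scan:
        ip = str(ipaddress.ip_address(rec["ip"]))
        current = assets.get(ip)
        if current is None:
            assets[ip] = Asset(ip, rec.get("host_name", ""), rec.get("os_name", ""))
            counts["added"] += 1
        elif current.lock_for_auto_update:
            counts["skipped_locked"] += 1
        else:
            current.host_name = rec.get("host_name", current.host_name)
            current.os_name = rec.get("os_name", current.os_name)
            counts["updated"] += 1
    return counts


def find_network(networks: Dict[str, Network], ip: str) -> Optional[str]:
    """Name of the most specific configured network that contains ip, if any."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Network] = None
    best_len = -1
    for net in networks.values():
        candidate = ipaddress.ip_network(net.netmask)
        if addr in candidate and candidate.prefixlen > best_len:
            best, best_len = net, candidate.prefixlen
    return best.name if best else None


def build_sample() -> Tuple[Dict[str, Asset], Dict[str, Network]]:
    """Constructed lists: a locked database server, an unlocked web server,
    a DMZ subnet and the wider corporate range that contains it."""
    assets = {
        "10.1.0.5": Asset("10.1.0.5", "db01", "Linux", 5, 5, 4, lock_for_auto_update=True),
        "10.1.0.6": Asset("10.1.0.6", "web01", "Linux", 2, 3, 5),
    }
    networks = {
        "DMZ": Network("DMZ", "10.1.0.0/255.255.255.0"),
        "Corp": Network("Corp", "10.1.0.0/16"),
    }
    return assets, networks


SCAN_RESULTS = [   # constructed vulnerability-scanner output
    {"ip": "10.1.0.5", "host_name": "db01-renamed", "os_name": "Linux 6"},
    {"ip": "10.1.0.6", "host_name": "web01", "os_name": "Linux 6"},
    {"ip": "10.1.7.9", "host_name": "printer", "os_name": "Embedded"},
]
```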


Chapter 7 Managing roles and permissions
This chapter includes the following topics:
About managing roles
About working with permissions

About managing roles
A role is a group of access rights for a product. Users who are members of a role have access to the event viewing and management capabilities that are defined for that role. A user can be a member of more than one role. See About planning for role creation on page 133.
You create new roles in the Symantec Security Information Manager console. When you click Roles on the System view of the console, you can perform the following tasks:
Create a role. See Creating a role on page 134.
Edit role properties. See Editing role properties on page 140.
Delete a role. See Deleting a role on page 149.
Note: Only members of the SES Administrator role and the Domain Administrator role can add or modify roles. See About the administrator roles on page 132.

About the administrator roles
When you install the Information Manager, the following default administrator roles are created:
SES Administrator: This role has full authority over all of the domains in the environment.
Domain Administrator: This role has full authority over one specific domain in the environment.
If you have only one domain, the rights of the SES Administrator role and the Domain Administrator role are the same. If you have multiple domains (for example, one for each geographic region of your company), each domain has a Domain Administrator. Members of this role can perform functions such as creating users and additional roles within that domain. The SES Administrator role can perform these functions for all of the domains that you configure.
The default user, administrator, is also created when Information Manager is installed. The administrator is automatically a member of the SES Administrator and Domain Administrator roles. To access Information Manager for the first time, you must log on as this default user. The password for the administrator user account is specified at the time of installation.
You can add users to the administrator roles, but you cannot change any other characteristics of these roles. If a user is a member of the SES Administrator role, that user should not be assigned to any other roles. See Editing role properties on page 140.

About the default roles in the Information Manager server
The Information Manager server has the following predefined roles by default:
SES Administrator: This role grants ownership of the entire Symantec Enterprise Security directory tree. Top-level administrators use this role.
Domain Administrator: This role grants ownership of a Symantec Enterprise Security domain and its subdomains. Domain administrators use this role.
External Users Role: This role grants base access permissions for the users that are imported from an external LDAP server.
You can integrate Active Directory with the Information Manager server and add the Active Directory users. After Active Directory synchronizes with

Information Manager, the Active Directory users can access the Information Manager server. Members of the External Users role do not have any automatic Information Manager privileges. Only Active Directory users use this role, for pass-through authentication. The user must be assigned another Information Manager role to log on to the Information Manager server. See About managing roles on page 131.

About planning for role creation
Roles control user access; therefore, before you create roles you should plan carefully. You need to identify the tasks that are done in your security environment, and who performs them. The tasks determine the type of roles that you must create. The users who perform these tasks determine which users should be members of each role. See About managing roles on page 131.
Consider the following issues:
Who allocates responsibilities within your security environment? If these users need to create roles, they must be members of the Domain Administrator role.
Who administers your security network by creating management objects such as users and organizational units? These users must be members of the roles that provide management access and the ability to access the System view.
Which products are installed, and who is responsible for configuring them? These users must be members of management roles for the products for which they are responsible. They may need access to the System view only.
Who is responsible for monitoring events and incidents? These users must be members of event viewing roles for the products for which they are responsible. Users who monitor events must have access to the Events view. Users who monitor incidents must have access to the Events view and the Incidents view.
Who responds to problems and threats? These users must have access to the Events view and the Incidents view. Users who create and manage help desk tickets must also have access to the Tickets view.
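The role model this chapter describes (a role as a group of console access rights, a user holding several roles, the External Users role granting no privileges on its own, SES Administrator members holding no other role, and the group-to-role assignment that copies members only at assignment time, as described later under Adding a user to a role), as an added example that is not Information Manager code. The custom role names come from Table 7-1; the users and the user group are constructed.

```python
"""Role membership model for Information Manager: a role is a group of access
rights, a user may belong to several roles, the External Users role grants no
privileges on its own, SES Administrator members should hold no other role,
and assigning a user group to a role copies the group's members at that
moment only.

Added example, not Information Manager code. The users and the user group
below are constructed; the custom role names are taken from Table 7-1."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SES_ADMINISTRATOR = "SES Administrator"
DOMAIN_ADMINISTRATOR = "Domain Administrator"
EXTERNAL_USERS = "External Users Role"

# Console views (tiles) that a role's console access rights can expose
ALL_VIEWS = frozenset({"Assets", "Dashboard", "Events", "Incidents", "Intelligence",
                       "Reports", "Rules", "Statistics", "System", "Tickets"})


@dataclass
class Role:
    name: str
    views: Set[str]                                   # console access rights
    members: Set[str] = field(default_factory=set)    # user logon names


@dataclass
class Directory:
    roles: Dict[str, Role] = field(default_factory=dict)
    groups: Dict[str, Set[str]] = field(default_factory=dict)

    def add_role(self, name: str, views: Optional[Set[str]] = None) -> Role:
        """Create a role; with views=None the role gets all console access rights."""
        role = Role(name, set(ALL_VIEWS) if views is None else set(views))
        self.roles[name] = role
        return role

    def add_members_from_group(self, role_name: str, group_name: str) -> None:
        """Add Members From Groups: copies the group's current members into the
        role. Users who join the group later are not added automatically."""
        self.roles[role_name].members |= set(self.groups[group_name])

    def effective_views(self, user: str) -> Set[str]:
        """Union of console access rights over every role the user belongs to."""
        views: Set[str] = set()
        for role in self.roles.values():
            if user in role.members:
                views |= role.views
        return views

    def can_log_on(self, user: str) -> bool:
        """External Users membership alone does not allow logon; the user must
        hold some other Information Manager role."""
        return any(user in role.members and role.name != EXTERNAL_USERS
                   for role in self.roles.values())

    def audit(self) -> List[str]:
        """Flag SES Administrator members who also hold other roles (the default
        administrator is in Domain Administrator by design) and roles that
        grant no console access right at all."""
        findings: List[str] = []
        ses = self.roles.get(SES_ADMINISTRATOR)
        for role in self.roles.values():
            if ses is not None and role.name not in (SES_ADMINISTRATOR, DOMAIN_ADMINISTRATOR):
                for user in sorted(ses.members & role.members):
                    findings.append(f"{user} is an SES Administrator and also in {role.name}")
            if role.name != EXTERNAL_USERS and not role.views:
                findings.append(f"role {role.name} grants no console access rights")
        return findings


def build_sample() -> Directory:
    """Constructed directory: the default roles plus two roles from Table 7-1."""
    d = Directory()
    d.add_role(SES_ADMINISTRATOR)
    d.add_role(DOMAIN_ADMINISTRATOR)
    d.add_role(EXTERNAL_USERS, views=set())
    d.add_role("Incident Manager", {"Events", "Incidents", "Reports"})
    d.add_role("Rule Editor", {"Rules"})
    # The default administrator is a member of both administrator roles
    d.roles[SES_ADMINISTRATOR].members.add("administrator")
    d.roles[DOMAIN_ADMINISTRATOR].members.add("administrator")
    # Constructed Active Directory users land in External Users after synchronization
    d.roles[EXTERNAL_USERS].members |= {"ad.alice", "ad.bob"}
    d.roles["Incident Manager"].members.add("ad.alice")   # alice can now log on; bob cannot
    # Constructed user group assigned to a role, then grown afterwards
    d.groups["SOC Analysts"] = {"carol", "dave"}
    d.add_members_from_group("Rule Editor", "SOC Analysts")
    d.groups["SOC Analysts"].add("erin")   # not a Rule Editor until added individually
    return d
```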

Table 7-1 lists the common roles in a security environment and the responsibilities that belong to each role.

Table 7-1 Typical roles and responsibilities
Role name: Responsibilities
Domain Administrator: Defines the user roles and role authority.
System Administrator: Manages Information Manager. Verifies that events flow into the system and that the system functions normally. Creates the correlation rules and collection filters.
User Administrator: Performs the user and the device administration.
Incident Manager: Views all incidents, events, reports, and actions.
Report Writer: Views the incidents, events, and reports for assigned devices. Reviews and validates incident response. Provides the affirmation of incident review and response by administrators to GAO and others.
Report User: Views the events and reports for assigned devices.
Rule Editor: Creates, edits, and deploys rules.

Creating a role
You can create roles using the Role Wizard in the Information Manager console. Only a user who has either the Domain Administrator role or the SES Administrator role can create roles. See About planning for role creation on page 133.
Note: If the Role members will have access to all archives option is selected, role members can access new archives automatically. If the Role members will have access to only the selected archives option is selected, role members cannot access new archives automatically.

To create a role
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Roles.
3 On the toolbar, click + (the plus icon).

4 In the first panel of the Role Wizard, click Next.
5 In the General panel, do the following, and click Next:
In the Role name text box, type a name for the role.
In the Description text box, type a description of the role (optional).
6 In the Products panel, do one of the following:
To give the role members access to all of the listed products, click Role members will have access to all products, and click Next.
To limit the role members' access to certain products, click Role members will have access to only the selected products and select the appropriate products. Then click Next.
Symantec Security Information Manager is checked by default in the Product List.
7 In the SSIM Permissions panel, do one of the following:
To give role members all permissions that apply to Information Manager, click Enable all Permissions, and click Next.
To give role members a limited set of permissions, click Enable specific Permissions. From the permissions list, uncheck the permissions that you do not want to enable and click Next. You must check at least one permission.
8 In the Console Access Rights panel, do one of the following:
To give role members the ability to see all parts of the Information Manager console, click Role members will have all console access rights, and click Next.
To limit what role members can see when they display the console, click Role members will have only the selected console access rights. From the list, enable at least one of the console access rights, and click Next.
See Modifying Information Manager console access rights on page 139.
9 In the Organizational Units panel, do one of the following:
To give role members access to all organizational units, click Role members will have access to all organizational units, and click Next.
To give role members access to specific organizational units, click Role members will have access to only the selected organizational units.
In the organizational unit tree, select at least one organizational unit to associate with this role, and click Next.

When you select an organizational unit that has additional organizational units, users of the role are given access to those additional organizational units also.
If you add an organizational unit to a role, the following users can see the events that are generated by the security products:
Users who are role members
Users who have event viewing access
These users can view only those events that are generated by the security products that are installed on the computers of that organizational unit. Role members can see events only from computers in the organizational units that have been added to their roles.
10 In the Servers panel, do one of the following:
To give role members access to all of the Information Manager servers in your security environment, click Role members will have access to all servers, and click Next.
To limit role members' access to certain servers, click Role members will have access to only the selected servers. In the server tree, select at least one server to associate with this role, and click Next.
Members of the role can modify configurations on the selected servers. The role members can also view event archives that reside on the selected servers.
11 In the Members panel, do one of the following:
To add individual users to the role now, click Add Members. In the Find Users dialog box, add one or more users from the Available Users list to the Selected Users list and click OK. In the Members panel, click Next.
To add the users who are members of a specific user group, click Add Members From Groups. In the Find User Groups dialog box, add one or more user groups, and click OK. The users that are associated with the groups you selected are added to the Selected Users list. When you are finished, click Next.
To continue without adding users to the role, click Next. You can add users to the role later by editing the role's properties. See Adding a user to a role on page 137.
You can also associate a role with a user by editing the user's properties. You can assign users to a role only if you have already created those users. See Creating a new user on page 158.

12 In the Role Summary panel, review the information that you have specified, and click Finish. The role properties that are created are shown in the list at the bottom of the panel. A green check mark next to a task indicates that it was successfully completed.
13 Click Close.

Editing role properties
After you create a role in Information Manager, you can modify it by editing its properties. For example, as you create new organizational units or users, you can add them to existing roles. You can edit the properties of a role by selecting the role in the right pane. You can also edit the role properties from any dialog box that displays the role's properties.

To edit role properties
1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.
2 In the right pane, right-click the role to edit, and select Properties.
3 Use the Editing Role Properties dialog box to make changes to the role.
4 To save changes and close the dialog box, click OK.
See Adding a user to a role on page 137.
See Modifying Information Manager console access rights on page 139.
See Modifying product access rights on page 140.
See Modifying server access rights on page 141.
See Modifying access permissions in roles on page 143.

Adding a user to a role
When a user logs on to Information Manager, the user's role membership determines the user's access to the various products and event data. You can assign a user to a role in the following ways:
Assign each user individually to one or more roles.
Assign users to groups, and assign user groups to roles.
When you assign a user group to a role, all of the users who are currently in the group are assigned to that role. However, if you later add more users to the user

group, those users are not automatically added to the role. You must assign each user to the role individually.
Note: Before you assign users and user groups to roles, you must create users and user groups in the Directory. See Creating a new user on page 158. See Creating a user group on page 160.

To add a user to a role
1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.
2 In the right pane, right-click the role to edit, and select Properties.
3 In the Editing Role Properties dialog box, in the left pane, click Members.
4 Click Add Members.
5 In the Find Users dialog box, in the list of available users, search for a user within a domain or a user group. You can also search for a user by entering the logon name, last name, or first name and then click Start Search. All of the users who meet the criteria you entered appear in the available users list. Select a user name (or Ctrl + click multiple user names), and click Add. The user name appears in the Selected users list.
6 To view or edit the properties of a user, click the user name, and click Properties.
7 In the User Properties dialog box, view or make changes to the properties, and click OK.
8 In the Find Users dialog box, click OK.
9 In the Editing Role Properties dialog box, click OK.

To add a user group to a role
1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.
2 In the right pane, right-click the role to edit, and select Properties.
3 In the Editing Role Properties dialog box, in the left pane, click Members.
4 Click Add Members From Groups.
5 In the Find User Groups dialog box, select the domain of the group from the drop-down list.

6 In the list of available user groups, click a user group name (or Ctrl+click multiple user group names), and click Add. The user group name appears in the Selected user groups list.
7 To view or edit the properties of a user group, click the user group name, and click Properties.
8 In the User Group Properties dialog box, view or make changes to the properties, and click OK.
9 In the Find User Groups dialog box, click OK.
10 In the Editing Role Properties dialog box, click OK.

See "Editing role properties" on page 140.

Modifying Information Manager console access rights

Console access rights control the views that a role member can access when they log on to the Information Manager console. You can modify the console access rights that you assigned when you created the role. Based on the console access rights, the corresponding views of the console are visible to the role members whenever they log on to Information Manager.

To modify console access rights
1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.
2 In the right pane, right-click the role to edit, and select Properties.
3 In the left pane, click Console Access Rights.
4 Do one of the following:
  ■ To give members of the role the ability to see all components of the Information Manager console, click Role members will have all console access rights.
  ■ To limit what members of the role can see when they display the Information Manager console, click Role members will have only the selected console access rights. From the list that appears, enable or disable console access rights as you want.
  The following table describes the tiles (views in the Information Manager console) that are available to members:
  Show Assets Tile         Displays the Assets view in the console.

  Show Dashboard Tile      Displays the Dashboard view in the console.
  Show Events Tile         Displays the Events view in the console.
  Show Incidents Tile      Displays the Incidents view in the console.
  Show Intelligence Tile   Displays the Intelligence view in the console.
  Show Reports Tile        Displays the Reports view in the console.
  Show Rules Tile          Displays the Rules view in the console.
  Show Statistics Tile     Displays the Statistics view in the console.
  Show System Tile         Displays the System view in the console.
  Show Tickets Tile        Displays the Tickets view in the console.
  "Modifying access permissions in roles" lists the console access rights that the users who perform specific functions need.
5 Click OK.

See "Editing role properties" on page 140.

Modifying product access rights

The Products property lets you select and modify the products to which role members have access.

To modify product access rights
1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.
2 In the right pane, right-click the role to edit, and select Properties.
3 In the left pane, click Products.
4 Do one of the following:

  ■ To give the role members access to all of the listed products, click Role members will have access to all products.
  ■ To limit the role members' access to specified products, click Role members will have access to only the selected products. Enable (check) or disable (uncheck) access to individual products in the list.
  Consider the tasks that role members perform as you select products from the list. "Modifying access permissions in roles" describes the access requirements of typical enterprise security roles.
5 Click OK.

See "Editing role properties" on page 140.

Modifying server access rights

Use the Servers property to select the servers to which role members have access. The selections for this property determine the servers that the role members can see in the following console locations:
■ The Testing tab on the Rules view, which can be used for testing a specific rule.
■ The servers and archives that are available for each query on the Events view.
■ The Server Configurations tab on the System view.

To modify server access rights
1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.
2 In the right pane, right-click the role to edit, and select Properties.
3 In the left pane, click Servers.
4 Do one of the following:
  ■ To give role members access to all Information Manager servers in the network configuration, click Role members will have access to all servers.
  ■ To limit role members' access to certain servers, click Role members will have access to only the selected servers. In the server tree, select at least one server to associate with this role, and click OK.

See "Editing role properties" on page 140.

Modifying SIM permissions

Use the SIM Permissions property to enable or disable the various types of Information Manager permissions that are assigned to a role.

See "About managing roles" on page 131.

To modify SIM permissions
1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.
2 In the right pane, right-click the role to edit, and select Properties.
3 In the left pane, click SIM Permissions.
4 Do one of the following:
  ■ To assign all Information Manager permissions to the role, click Enable all Permissions.
  ■ To limit the permissions that are assigned to the role, click Enable specific Permissions. Then click the check boxes as needed to enable or disable permissions for the role.
  Table 7-2 lists the permissions that the users who perform specific functions need.
5 Click OK.

About the Bypass Event RBAC option

When you create or modify a role, you can choose to enable the Bypass Event RBAC option. Bypass Event RBAC gives unrestricted access to all of the event archives to which the role has been granted access. When a user with this role performs an event query, the query bypasses any additional permission settings that are based on Organizational Unit, Domain, or Product settings. The query returns the complete data set from the archives to which the user has been given access.

Enabling Bypass Event RBAC improves query performance by reducing the set of permission criteria against which the query must be processed.

See "About managing roles" on page 131.

Enabling access to the Event Query Templates

The View Event Query Templates permission in a role controls access to the Templates folder in the Events view. If this permission is enabled for a role, a user who is assigned the role can access the Event Query Templates.

For example, the Information Manager administrator creates two roles, IncidentAnalyst and EventAnalyst. The View Event Query Templates permission is disabled for the IncidentAnalyst role and enabled for the EventAnalyst role.
The IncidentAnalyst role is assigned to user A, and the EventAnalyst role is assigned to user B. From the Events view, user A, who is assigned the IncidentAnalyst role, cannot view the Event Query Templates. User B, who is

assigned the EventAnalyst role, can view the Event Query Templates and run the corresponding queries.

You can edit existing roles to enable the View Event Query Templates permission.

To enable the View Event Query Templates permission for existing roles
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Roles.
3 In the right pane, right-click the role that you want to edit, and select Properties.
4 In the Editing Role Properties dialog box, select SIM Permissions.
5 Click Enable specific permissions.
6 In the permissions list, check View Event Query Templates.
7 Click Save, and then click OK.

By default, this permission is enabled for new roles. While creating a role, you can disable the View Event Query Templates permission for the new role: select the Enable specific permissions option on the SIM Permissions panel, and then uncheck View Event Query Templates.

See "Creating a role" on page 134.
See "Role-based access to the Event Query Templates" on page 20.

Modifying access permissions in roles

Roles include the permissions that determine the types of access (for example, Read and Delete) that a role member has. Based on these permissions, a role member can access various functions on the Information Manager console. Permissions are assigned to roles for the various functions, and the users who belong to those roles can perform tasks accordingly.

You can change the access permissions for the following types of objects:
■ Container objects that were created when you installed Information Manager, such as organizational units.
■ The new objects that you create within the container objects.

When you view the properties of a role, you can view and modify the permissions by selecting tabs in the Editing Role Properties dialog box.

Warning: Permission modification is an advanced feature. You should customize permissions only if you have a clear understanding of how access control works.
See "About working with permissions" on page 149.

Table 7-2 describes the access requirements of typical enterprise security roles.

Table 7-2 Access requirements for roles

Role: SES Administrator and Domain Administrator
  Products: All
  Symantec Security Information Manager permissions: All
  Console access: All
  Access permissions: All
  Note: You cannot modify the access permissions of the SES Administrator and Domain Administrator roles.

Role: System Administrator
  Products: Information Manager
  Symantec Security Information Manager permissions: Allow Asset Edits; Move Computers
  Console access: Show Dashboard Tile; Show Intelligence Tile; Show Statistics Tile; Show System Tile
  Access permissions: Read and Search on Published/System Query groups

Role: User Administrator
  Products: All
  Symantec Security Information Manager permissions: Allow Dashboard Auto Refresh; Move Computers; Allow Asset Edits; Manage Networks; Manage Policies; Manage Services
  Console access: Show Assets Tile; Show Dashboard Tile; Show Intelligence Tile; Show Rules Tile; Show System Tile
  Access permissions: Read and Search on Published/System Query groups; Read and Write on users and user groups; Read and Write on rules and roles

Table 7-2 Access requirements for roles (continued)

Role: Incident Manager
  Products: Information Manager
  Symantec Security Information Manager permissions: Create Incidents; Write My Incidents; Write All Incidents; Change Assignee and Team on My Incidents; Change Assignee and Team on All Incidents; Change Assignee/Team to self or own team on unassigned incidents; Change Status My Incidents; Change Status All Incidents; Read My Incidents; Read All Incidents; Read Unassigned Incidents; Create new queries; Create new reports; Publish queries; Publish reports; Allow Dashboard Auto Refresh; Move Computers; Allow Asset Edits; Manage Networks; Manage Policies; Manage Services
  Console access: Show Assets Tile; Show Dashboard Tile; Show Events Tile; Show Incidents Tile; Show Intelligence Tile; Show Reports Tile; Show Tickets Tile
  Access permissions: Read and Write on Published/System Query groups. In addition, Read and Write on Report groups, based on the Symantec Security Information Manager permissions that are granted to the role.

Table 7-2 Access requirements for roles (continued)

Role: Report Writer
  Products: Information Manager
  Symantec Security Information Manager permissions: Write My Incidents; Write All Incidents; Change Assignee and Team on My Incidents; Change Assignee and Team on All Incidents; Change Assignee/Team to self or own team on unassigned incidents; Change Status My Incidents; Change Status All Incidents; Read My Incidents; Read All Incidents; Read Unassigned Incidents; Create new queries; Create new reports; Publish queries; Publish reports; Allow Dashboard Auto Refresh; Move Computers; Allow Asset Edits; Manage Networks; Manage Policies; Manage Services
  Console access: Show Dashboard Tile; Show Events Tile; Show Incidents Tile; Show Intelligence Tile; Show Reports Tile; Show Tickets Tile
  Access permissions: Read and Write on Published/System Query groups; Read and Write on Report groups

Role: Report User
  Products: Information Manager
  Symantec Security Information Manager permissions: Create new queries; Create new reports; Allow Dashboard Auto Refresh
  Console access: Show Dashboard Tile; Show Events Tile; Show Reports Tile
  Access permissions: Read and Search on Published/System Query groups; Read and Write on Report groups

Table 7-2 Access requirements for roles (continued)

Role: Rule Editor
  Products: Information Manager
  Symantec Security Information Manager permissions: Create new queries
  Console access: Show Events Tile; Show Rules Tile; Show Statistics Tile
  Access permissions: Read and Write on Rules and Roles; Read and Search on Published/System Query groups; Read and Search on Report groups

Note: When a role's access permissions to a Published Query Group or a System Query Group are changed, the role's database permissions may be incorrectly modified. If a user cannot view queries on the Events view, it may be because the user's role lacks the necessary database permissions. To correct this problem, do the following:
■ Log on as a Domain Administrator or SES Administrator, and open the Editing Role Properties dialog box for the user's role.
■ On the DataStores tab, check the role's database permissions. If the role does not have both Read and Search permissions, add the missing permissions.
See "To modify access permissions in roles" on page 147.

To modify access permissions in roles
1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.
2 In the right pane, right-click the role to edit, and select Properties.
3 In the Editing Role Properties dialog box, in the left pane, click the type of permissions to modify. For example, to change the role members' directory permissions, choose Directories.
4 When you finish setting permissions, click OK.

See "Editing role properties" on page 140.

Using examples of modifying permissions in roles

You can modify permissions for the following purposes, among others:
■ To hide a query group from members of a role. When members of this role open the Query Chooser on the dashboard, they cannot see the restricted query group in the query tree.

■ To hide all users from members of a role. When members of this role view the System view, they do not see users in the left pane.
■ To prevent role members from adding and deleting user groups. Role members can view and modify user groups, but they cannot add or delete user groups.

See "About permissions" on page 150.

To hide a query group from members of a role
1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.
2 In the right pane, right-click the role to restrict, and select Properties.
3 In the left pane, click System Query Groups.
4 Click Add.
5 In the Find System Query Groups window, select Product Queries.Symantec Client Security, and click Add.
6 Click OK.
7 On the Product Queries.Symantec Client Security row, uncheck Read and Search.
8 Click OK.
  Members of this role cannot view Symantec Client Security queries. If a role member selects System Queries > Product Queries in the Query Chooser on the dashboard, the role member cannot see Symantec Client Security in the tree.

To hide all users from members of a role
1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.
2 In the right pane, right-click the role to restrict, and select Properties.
3 In the left pane, click Users.
4 Under Default permissions for all users, uncheck all permission types (for example, Read and Add).
5 Click OK.
  When role members click Users in the left pane of the System view, they see only their own details in the right pane. Other users are not listed.

To prevent role members from adding and deleting user groups
1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.
2 In the right pane, right-click the role to restrict, and select Properties.
3 In the left pane, click User Groups.
4 On the top line of permissions, check Read, Write, and Search. Make sure that Add and Delete are not checked.
5 Click OK.
  Role members can view, search, and modify all user groups in the domain. They cannot create new user groups or delete user groups.

Deleting a role

You can delete roles when they are no longer in use. Before you delete a role, you can view the properties of the role to ensure that none of your users requires it.

To delete a role
1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.
2 In the right pane, right-click the role to delete, and select Properties.
3 Review the role properties to make sure that no users require this role.
4 Click Cancel.
5 If you still want to delete the role, on the toolbar, click - (the minus symbol). A message warns you that all members of the selected role will be removed. Although the user accounts are not deleted, those users no longer have access to the role.
6 In the confirmation dialog box, click Yes to delete the role.

See "About managing roles" on page 131.

About working with permissions

Permissions define the access that members of a role have to specific objects. Along with other role properties, permissions control what users can see and do when they log on to the Information Manager console.

As with roles, you can work with permissions only if you are a member of the SES Administrator or Domain Administrator role.

The permissions of objects are defined initially when you create roles and when you create new objects. You can then modify the permissions to fine-tune your roles.

Warning: You should customize permissions only if you have a clear understanding of how access control works in the security (LDAP) directory.

See "About permissions" on page 150.

About permissions

Permissions are always associated with roles and are applied when a member of a role logs on to the console. Table 7-3 shows the permissions that role members can have to view and work with objects.

Table 7-3 Object permissions

Permission   Description
Read         Lets the role members see the attributes of objects. Read must be enabled for the other access permissions to work.
Write        Lets the role members modify objects.
Add          Lets the role members create a new child object within the selected container.
Delete       Lets the role members delete objects.
Search       Lets the role members search the database or the LDAP directory for objects. Search must be enabled for the other access permissions to work.

The following objects have permissions:

Container objects
Container objects are created when the Datastore (database) and Directory are installed. These objects contain all of the new objects that you create.

In the console, container objects appear in the left pane of the Administration tab on the System view. Examples of the container objects that have permissions are users, user groups, roles, and organizational units.

Objects that you create within container objects
When you create new objects to represent your security environment, they are stored within the container objects. On the System view, the objects that you create appear in the right pane when you select their container object in the left pane. For example, when you select Users in the left pane, the individual users that you have created within the Users container are displayed. These created objects are sometimes known as child or leaf objects.

You must understand the relationship between the permissions of container objects and the permissions of the objects that you create within these containers.

See "About the propagation of permissions" on page 151.

About the propagation of permissions

As you create new management objects, it is important to understand the relationship between the permissions of container objects and the permissions of the objects that you create within these containers. In most cases, the permissions of a container object propagate to all new objects that you create within the container.

When you create new objects on a role-by-role basis, the current permissions of the container object are propagated to the new objects. For example, in Role A, on the Users tab, you disable Write permission for the Users container. In Role B, you disable Delete permission for the Users container. When you create new users, members of Role A do not have Write permission, so they cannot modify the properties of the new users. Members of Role B do not have Delete permission, so they cannot delete the new users.

However, consider a user who is assigned to two roles, A and B.
Role A has Add access for users, and Role B does not have Add access for users. In this case, the user who is assigned to both roles can add new users: the permissions of Role A take precedence over the permissions of Role B.

Note: Most roles should have at least Read and Search permissions for all objects. These permissions allow role members to view information about the objects and perform searches for the objects. For example, if you enable Write access for a container object and disable Read access, the role members cannot modify the objects, because they cannot view the objects.

Propagation occurs only when you create new objects. For example, you may create several users and assign them to Role A before you disable the Write permission in Role A. The Write permission is not disabled for those original users unless you disable it explicitly for the existing users of Role A.

See "About permissions" on page 150.

Modifying permissions from the Permissions dialog box

You can use the following methods to modify permissions:
■ Edit the role using the Editing Role Properties dialog box. Use this method to modify permissions for several objects within one role.
  See "Modifying access permissions in roles" on page 143.
  You can edit the permissions of software products and their configurations through the Products tab of the Editing Role Properties dialog box.
■ Use the Permissions dialog box for a particular object. Use this method to modify the permissions for a specific object.

Note: Some objects do not have permissions.

To modify permissions for a container object
1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain.
2 In the left pane, right-click the container object (for example, Users), and select Permissions. In the Permissions dialog box, roles are listed if they have already been assigned to this object. Some container objects do not have permissions.
3 Do any of the following:
  ■ To modify permissions for this object, check (enable) or uncheck (disable) the permissions corresponding to the listed roles, as needed.

    You should not disable the Search permission.
  ■ To add a role to this object, click Add. In the Find Roles dialog box, select a role, click Add, and then click OK. The role that you added appears in the Permissions dialog box, where you can then enable or disable its permissions.
  ■ To remove a role, click the role name, and click Remove.
  ■ To edit a role's properties, click the role name, and click Properties.
4 Click OK when you finish modifying permissions.

To modify permissions for a created object
1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain.
2 In the left pane, click the container that contains the created object. For example, click Users.
3 In the right pane, right-click the object whose permissions you want to modify, and select Permissions. In the Permissions dialog box, roles are listed if they have already been assigned to this object. Some created objects, such as Policies, do not have permissions.
4 Do any of the following:
  ■ To modify permissions for this object, check (enable) or uncheck (disable) the permissions corresponding to the listed roles, as needed.
    You should not disable the Search permission.
  ■ To add a role to this object, click Add. In the Find Roles dialog box, select a role, click Add, and then click OK. The role that you added appears in the Permissions dialog box, where you can then enable or disable its permissions.
  ■ To remove a role, click the role name, and click Remove.
  ■ To edit a role's properties, click the role name, and click Properties.
5 Click OK when you finish modifying permissions.
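The rules in "About permissions", "About the propagation of permissions" and "About the Bypass Event RBAC option" can be checked against a small model. The following Python is an added illustration, not Information Manager code: the role names, object names (cn=alice, cn=bob), archive names and events are constructed, and the way the Read and Search gates of Table 7-3 combine is an assumption drawn from the table's two "must be enabled" notes.

```python
"""Toy model of this chapter's access-control rules: Table 7-3 object permissions,
propagation from containers to new objects, the union of a user's roles, and the
Bypass Event RBAC option. Added illustration; not Information Manager code."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set


@dataclass
class Role:
    name: str
    # Default permissions per container object, e.g. {"Users": {"Read", "Search"}}
    container_perms: Dict[str, Set[str]] = field(default_factory=dict)
    # Permissions on created (leaf) objects, copied from the container on creation
    object_perms: Dict[str, Set[str]] = field(default_factory=dict)
    # Constructed stand-ins for the Servers property and the Bypass Event RBAC option
    archives: Set[str] = field(default_factory=set)
    event_scope: Dict[str, Set[str]] = field(default_factory=dict)
    bypass_event_rbac: bool = False


class Directory:
    def __init__(self, roles: Iterable[Role]) -> None:
        self.roles = {r.name: r for r in roles}

    def create_object(self, obj_id: str, container: str) -> None:
        # Propagation: each role's *current* container permissions are copied to
        # the new object; later edits to the container do not reach existing objects.
        for role in self.roles.values():
            role.object_perms[obj_id] = set(role.container_perms.get(container, set()))


def effective_permissions(directory: Directory, user_roles: Iterable[str],
                          target: str) -> Set[str]:
    """Union across the user's roles (a role that grants Add outweighs one that
    does not), then the Table 7-3 gate: Write, Add and Delete take effect only when
    Read and Search are both granted (modelling assumption for combining the gates)."""
    granted: Set[str] = set()
    for name in user_roles:
        role = directory.roles[name]
        granted |= role.object_perms.get(target, role.container_perms.get(target, set()))
    return granted if {"Read", "Search"} <= granted else granted & {"Read", "Search"}


def query_events(directory: Directory, user_roles: Iterable[str],
                 events: List[dict]) -> List[dict]:
    """Events a user may see. Bypass Event RBAC skips the OU/Domain/Product
    filtering but never widens the set of archives the role may read."""
    visible = []
    for ev in events:
        for name in user_roles:
            role = directory.roles[name]
            if ev["archive"] not in role.archives:
                continue
            in_scope = all(ev.get(k) in v for k, v in role.event_scope.items())
            if role.bypass_event_rbac or in_scope:
                visible.append(ev)
                break
    return visible


def propagation_scenario() -> Dict[str, bool]:
    """The chapter's Role A / Role B walkthrough, with constructed object names."""
    d = Directory([
        Role("Role A", {"Users": {"Read", "Search", "Add", "Delete"}}),  # Write off
        Role("Role B", {"Users": {"Read", "Search", "Write"}}),          # Delete off
        Role("Role C", {"Users": {"Write", "Search"}}),                  # Read off
    ])
    d.create_object("cn=alice", "Users")
    out = {
        "a_modifies_alice": "Write" in effective_permissions(d, ["Role A"], "cn=alice"),
        "b_deletes_alice": "Delete" in effective_permissions(d, ["Role B"], "cn=alice"),
        "a_plus_b_adds_users": "Add" in effective_permissions(d, ["Role A", "Role B"], "Users"),
        "c_modifies_alice": "Write" in effective_permissions(d, ["Role C"], "cn=alice"),
    }
    # Propagation happens only at creation time: tightening Role A afterwards
    # affects bob (created later) but not alice.
    d.roles["Role A"].container_perms["Users"] = {"Read", "Search"}
    d.create_object("cn=bob", "Users")
    out["a_still_deletes_alice"] = "Delete" in effective_permissions(d, ["Role A"], "cn=alice")
    out["a_deletes_bob"] = "Delete" in effective_permissions(d, ["Role A"], "cn=bob")
    return out


def bypass_scenario() -> Dict[str, int]:
    """Constructed events: the same archive access with and without the bypass."""
    events = [
        {"archive": "archive-1", "product": "Symantec Client Security"},
        {"archive": "archive-1", "product": "Other Product"},
        {"archive": "archive-2", "product": "Symantec Client Security"},
    ]
    scope = {"product": {"Symantec Client Security"}}
    d = Directory([
        Role("Analyst", archives={"archive-1"}, event_scope=scope),
        Role("Bypass", archives={"archive-1"}, event_scope=scope, bypass_event_rbac=True),
    ])
    return {"analyst": len(query_events(d, ["Analyst"], events)),
            "bypass": len(query_events(d, ["Bypass"], events))}
```

Role C shows why the Note above recommends Read and Search on every object: Write without Read is never effective, and the bypass role sees archive-2 no more than the analyst does.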


Chapter 8
Managing users and user groups

This chapter includes the following topics:
■ About users and passwords
■ Customizing the password policy
■ Creating a new user
■ Creating a user group
■ About editing user properties
■ About modifying user permissions
■ Modifying a user group
■ Deleting a user or a user group
■ About integrating Active Directory with the Information Manager server
■ Managing Active Directory configurations

About users and passwords

The Symantec Security Information Manager server uses accounts from Linux and from the IBM DB2 service. Both types of accounts use the password that is specified during installation. The default password is password.

By default, the installation program creates the following Linux accounts:
root        Default Linux administrative account

simuser     Used by the Information Manager text console process
sesuser     Used by the HTTP and the Tomcat processes
db2admin    Used by the database process
dasusr1     Used for the DB2 Admin Tools database
symcmgmt    Used by the database process

Warning: For security, change the Linux passwords periodically, according to your company's security policy. The password for all Linux accounts must be changed using the Change Password option (available under Settings > Passwords) in the Web configuration interface. Do not change these account passwords or permissions with standard Linux commands, because doing so may cause errors in server operation.

The password for the symcmgmt Linux account cannot be changed from the Web configuration interface. The password for the symcmgmt Linux account can be changed by using the standard Linux commands. This password change must be followed by an update in the Information Manager console under System > Administration > Data Stores.

Usually, you are not required to create new Linux accounts. However, you may want to create an account with limited permissions to a file share to allow a user or process to copy LDAP backups. Refer to your Linux documentation for information on how to create Linux accounts.

By default, the installation program also creates the administrator account in the IBM LDAP directory. This account is used for logging on to the Information Manager console and the Information Manager Web configuration interface initially.

With the proper permissions, you can also create new LDAP directory accounts for users who use the Information Manager console and Web configuration interface. These accounts are for the administrators of your security products, contacts for notifications, or both. Users who are administrators are members of the roles that define their administrative permissions.
All users who need access to the Information Manager console must be members of one or more roles. If a user tries to log on to the console using an account that is not a member of a role, an error message is displayed. Users who only receive notifications do not have to be members of a role.

See "Creating a new user" on page 158.
See "About editing user properties" on page 161.

See "About modifying user permissions" on page 168.
See "Deleting a user or a user group" on page 169.
See "Creating a user group" on page 160.
See "Modifying a user group" on page 168.

Customizing the password policy

Information Manager includes the ability to enforce strong password requirements for all users. As an administrator, you can customize the password policy for Information Manager to match the password standards that apply to your environment. You must provide the LDAP cn=root password to change the password settings. When the password policy changes, users whose existing passwords do not comply with the new policy are prompted to change their password at the next logon.

Note: When you enable the EAL4 password policy and a user locks their account on the same day that they changed their password, you cannot reset the password for 24 hours. This behavior is a result of the value that is defined for the setting Minimum time between password changes (seconds), which is set to 24 hours in the EAL4 password policy. This behavior is expected because of the strict EAL4 password policy definition. If you do not want to enable the EAL4 policy, you can choose the Custom password policy option, change the Minimum time between password changes (seconds) setting to a lower value, and save the configuration.

You can configure the password policy by using any of the following methods:
Default   The default settings that Information Manager uses.
EAL4      The settings that comply with Evaluation Assurance Level 4 (EAL4) standards.
Custom    User-defined settings.
          Note: If you choose this column but do not change any settings, clicking Save reverts to the policy that was previously enabled.

To change the Information Manager password policy
1 Log on to the Web configuration interface using administrator credentials, and click Settings > Password. In the tree pane, click Password Policy.
2 In the LDAP cn=root Password field, type the password, and click Enter Admin Mode.
3 In the User Password Settings and Administrator Password Settings tables, choose the type of password management that you want to use. If you choose Custom, configure each option, and check Password policy enabled.
4 Click Save.
5 Click Leave Admin Mode.

Creating a new user

See "About users and passwords" on page 155.

Use the Create a new User wizard to create a user. The wizard prompts you for the required information that the user needs to log on to Symantec Security Information Manager. It also lets you specify notification information, permissions, and other user properties.

You can provide all of the information at the time that you create the user. Alternatively, you can provide only the required information and add more information later by editing the user's properties.

See "About editing user properties" on page 161.

To create a new user
1 In the console of the Information Manager client, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Users.
3 On the toolbar, click + (the plus symbol), or right-click the Users node and select New.
4 In the first panel of the Create a new User wizard, click Next.

5 In the General panel, do the following:
  Logon name   Type the logon name for the new user.
  Last name    Type the user's last name.
  First name   Type the user's first name.
  The other fields on this panel are optional. Click Next after you enter the details.
6 In the Password panel, type a password in the Password text box, and type the same characters in the Confirm password box. Click Next.
  The password that you choose must comply with the policy settings that the administrator chose. The password is case sensitive. Green check marks under Password rules indicate that your password meets the requirements.
7 (Optional) In the Business panel, specify business information for the user, and click Next.
  See "Specifying user business and contact information" on page 162.
8 (Optional) In the Contact Information panel, specify contact information for the user, and click Next.
9 (Optional) In the Notifications panel, specify email addresses and pager numbers for the user, and the times when those contacts can be used for notifications. Click Next.
  See "Specifying notification information" on page 166.
10 In the Roles panel, assign the user to one or more roles that define the user's permissions, and click Next. You can also assign or change a user's roles later. A new user cannot log on unless a role is assigned to the user.
  See "Managing role assignments and properties" on page 163.
  You must create roles before you can assign users to roles.
  See "Creating a role" on page 134.

11 In the User Groups panel, you can assign the user to one or more user groups, and click Next. You can also assign users to groups later.
See Managing user group assignments on page 164.
You must create user groups before you can assign users to groups. If no groups appear on the Find User Groups panel, you have not yet created any groups.
See Creating a user group on page 160.
12 In the User Summary panel, review the information that you have specified, and click Finish.
The user properties that are created are shown in the task status list at the bottom of the panel. A green check mark next to a task indicates that it was successfully completed.
13 Click Close.

Creating a user group
After you create users, you can assign them to groups. User groups are particularly useful when you have large numbers of users who need to have the same system roles. You can assign an entire user group to a role. All of the users in the group inherit the rights and the permissions that are assigned to that role. Implementing user groups also facilitates the auto-assignment of incidents, using correlation rules.
The Create a new User Group wizard enables you to create user groups and add users to the groups. You can assign users at the time you create a group, or you can add users to the group later.
Note: If you create a user group and assign it to a role, the users who are currently in the group are assigned to that role. However, if you later add more users to the user group, those users are not automatically added to the role. You must assign each user to the role individually.
To create a user group
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and click User Groups.
3 On the toolbar, click + (the plus symbol).
4 In the first panel of the Create a new User Group wizard, click Next.

5 In the General panel, type a name and (optional) description for the user group, and click Next.
6 In the Members panel, click Add. In the Find Users dialog box, the Available Users list shows all users for the domain, up to the number of users that the Maximum search count text box indicates.
7 Select one or more users from the Available Users list, and click Add. The users appear in the Selected users list.
8 If you want to review information about a specific user, click the user name, and click Properties. You can view or change the user's properties, and click OK.
9 When you finish adding users to the group, click OK.
10 In the Members panel, click Next.
11 In the User Group Summary panel, click Finish.
Properties for the created user group are shown in the task status list at the bottom of the panel. A green check mark next to a task indicates that it was successfully completed.
12 Click Close.
See Modifying a user group on page 168.

About editing user properties
User properties are the attributes that can be added for a user when you create a new user or edit the user properties. User properties include general information about the user, a change password facility, and the roles that can be assigned to a user. User properties also include the user groups to which a user can be assigned, business and contact information about the user, and contact methods and schedule for alert notifications.
After you create a user, you can edit the user properties to perform the following tasks:
Change a user's password.
See Changing a user's password on page 162.
Specify user business and contact information.
See Specifying user business and contact information on page 162.
Assign roles to a user.
See Managing role assignments and properties on page 163.
Assign a user to a user group.

See Managing user group assignments on page 164.
Specify contact methods and schedule for alert notifications.
See Specifying notification information on page 166.

Changing a user's password
Passwords can be changed in the following ways:
Users can change their own passwords by using the Change Password option on the Tools menu in the Information Manager console.
Administrators can change a user's password by editing the user's properties.
To change a user's password
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Users.
3 In the right pane, right-click the user whose password you want to change, and select Properties, or click the Properties icon on the toolbar.
4 In the User Properties dialog box, on the Password tab, in the Password text box, type a new password. The password that you choose must comply with the policy settings that the administrator chooses.
5 In the Confirm password text box, type the password again to confirm it.
6 Click OK.
See About editing user properties on page 161.

Specifying user business and contact information
In the User Properties dialog box, the Business tab and the Contact Information tab let you supply detailed information about the user. You can specify this information when you create a user or by editing an existing user's properties.
See About editing user properties on page 161.
To specify user business and contact information
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Users.
3 In the right pane, right-click the user whose information you want to change, and select Properties.

4 In the User Properties dialog box, on the Business tab, type the business information for the user.
5 To identify the user's manager, click the browse button (...) next to the Manager text box to display the Find Users dialog box. The manager must exist as a user in the LDAP directory.
6 In the Find Users dialog box, select the user who is the manager, and click OK. The Available users list shows all users for the domain, up to the number of users that the Maximum search count text box indicates.
7 To identify the user's administrative assistant, click the browse button (...) next to the Administrative assistant text box. In the Find Users dialog box, select the administrative assistant. The administrative assistant must exist as a user in the LDAP directory.
8 On the Contact Information tab, type the contact information for the user.
9 Click OK.

Managing role assignments and properties
The roles that a user is assigned define the user's permissions in the console. Roles are product-specific and are created as one or both of the following:
Roles that allow the management of policies and configurations for a product. Users who are members of these roles can change the security configurations of an integrated product and distribute them to specific computers and organizational units.
Roles that allow the viewing of the events that a product generates. Users who are members of these roles can view alerts and events for a product, and create alerts and customized reports.
Note: You must be a member of the Domain Administrator role to make a user a member of a role. Also, the role must exist in the LDAP directory before you can add a user to the role.
See Creating a role on page 134.

To manage role assignments and properties
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Users.
3 In the right pane, right-click the user whose information you want to change, and select Properties.
4 In the User Properties dialog box, on the Roles tab, click Add.
5 In the Find Roles dialog box, from the Look in drop-down list, select the domain in which to find the role. Users can have access to roles in multiple domains.
6 In the Available roles list, select one or more roles, and click Add. The Find Roles dialog box displays a list of roles only if you are a member of the Domain Administrator role.
7 Click OK.
8 To remove a user from a role, click the role name and click Remove. This action does not remove the role from the LDAP directory.
9 To view or edit the properties of a role, click the role name and click Properties.
10 (Optional) Use the Editing Role Properties dialog box to make changes to the role.
See Editing role properties on page 140.
11 Click OK until you return to the System view.

Managing user group assignments
You can modify the composition of a user group by adding users to the group and removing users from the group. You can also view and modify user group properties. You can manage user group assignments in the following ways:
Manage one user's assignments by adding the user to, or removing the user from, one or more user groups.
Manage a single user group by adding or removing multiple users at one time.
See About editing user properties on page 161.
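The note under Creating a user group states that users added to a group after the group was assigned a role do not receive that role automatically, so role membership and group membership drift apart over time. The following added example (not code from the guide or the product) reconciles the two: given an administrator's own record of which groups are meant to carry which role, it lists group members that hold no direct assignment to that role. The snapshot data and the dictionary layout are constructed for the example and are not the product's LDAP schema.

```python
# Added example: find members of a role-bearing group that lack the role itself.
# The data model is a constructed stand-in for the directory, not the product's schema.
from typing import Dict, List, Set

# Constructed snapshot: user group -> member user names.
GROUPS: Dict[str, Set[str]] = {
    "soc-analysts": {"alice", "bob", "carol"},
}

# Constructed snapshot: role -> users directly assigned to it in the directory.
# "carol" joined soc-analysts after the group was assigned the role, so the
# product never assigned the role to her individually.
ROLE_USERS: Dict[str, Set[str]] = {
    "Event Viewer": {"alice", "bob"},
}

# Administrator's intent record (not stored by the product): role -> groups
# whose members are all expected to hold that role.
ROLE_GROUPS: Dict[str, Set[str]] = {
    "Event Viewer": {"soc-analysts"},
}


def users_missing_role(groups: Dict[str, Set[str]],
                       role_users: Dict[str, Set[str]],
                       role_groups: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Return role -> sorted users who belong to a group tied to the role
    but have no direct assignment to it (the drift the guide's note warns about)."""
    findings: Dict[str, List[str]] = {}
    for role, intended_groups in role_groups.items():
        expected: Set[str] = set()
        for group in intended_groups:
            expected |= groups.get(group, set())
        direct = role_users.get(role, set())
        missing = sorted(expected - direct)
        if missing:
            findings[role] = missing
    return findings


def audit_report() -> Dict[str, List[str]]:
    """Run the reconciliation against the constructed snapshot."""
    return users_missing_role(GROUPS, ROLE_USERS, ROLE_GROUPS)


if __name__ == "__main__":
    for role, users in audit_report().items():
        print(f"{role}: assign individually -> {', '.join(users)}")
```

Run the reconciliation after each round of group membership changes; every user it reports has to be added to the role through the Roles tab of the User Properties dialog box, as described in Managing role assignments and properties.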

To manage a single user's user group assignments
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Users.
3 In the right pane, right-click the user whose user group assignment you want to manage, and select Properties.
4 In the User Properties dialog box, on the User Groups tab, click Add.
5 In the Find User Groups dialog box, from the Look in drop-down list, select the domain in which to find the user group.
6 In the Available user groups list, select one or more user groups, and click Add. The user groups that you selected appear in the Selected user groups list.
7 Click OK.
8 To remove a user from a user group, click the user group name and click Remove. This action does not remove the user group from the LDAP directory.
9 To view or edit the properties of a user group, click the user group name and click Properties.
10 (Optional) Use the User Group Properties dialog box to make changes to the user group. For example, you can add members to the group and remove users from the group.
11 Click OK until you return to the System view.
To manage multiple users' user group assignments
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and click User Groups.
3 In the right pane, right-click the user group whose membership you want to manage, and select Properties.
4 In the User Group Properties dialog box, on the Members tab, click Add.
5 In the Find Users dialog box, from the Look in drop-down list, select the domain in which to find the users.
6 In the Available users list, select one or more users, and click Add. The users that you selected appear in the Selected users list.
7 Click OK.

8 To remove a user from a user group, click the user name and click Remove. This action does not remove the user from the LDAP directory.
9 To view or edit the user's properties, click the user name and click Properties.
10 (Optional) Use the User Properties dialog box to make changes to the user.
11 Click OK until you return to the System view.

Specifying notification information
When you create custom correlation rules, you can identify users to notify when particular incidents or alerts occur.
See Creating custom correlation rules on page 100.
For each user, you can specify the email addresses and pager numbers that are used to send these notifications. You can also specify when the user is notified. For example, you can specify one email address to be used Monday through Friday from 8:00 A.M. to 5:00 P.M., and a pager to be used during off-hours.
You can specify the following:
Email addresses
Pager numbers
The day and the time ranges when the contact method can be used to send user notifications of alerts.
Note: The number of email addresses and pager numbers cannot exceed five for a single rule.
To specify a user's email address
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Users.
3 In the right pane, right-click the user whose email address you want to change, and select Properties.
4 In the User Properties dialog box, on the Notifications tab, in the drop-down list, click Email.
5 Click Add.
6 In the Email dialog box, in the Email address text box, type an email address.

7 If the user receives email on a device with a small screen, such as a handheld device, check Send shortened email message. This option sends an abbreviated email message that is easier to read.
8 Click OK.
9 (Optional) Specify notification times.
10 Do any of the following:
To add additional email addresses, repeat steps 5 through 9.
To edit an existing email address, click it and click Properties.
To remove an existing email address, click it and click Delete.
11 When you finish, click OK.
To specify a user's pager number
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Users.
3 In the right pane, right-click the user whose pager number you want to change, and select Properties.
4 In the User Properties dialog box, on the Notifications tab, in the drop-down list, click Pager.
5 Click Add.
6 In the Pager dialog box, in the Number text box, type a pager number.
7 In the Notification service drop-down list, select the notification service to use. If you do not see the service that you want to select, you can add it using the Paging Services node. This node is located in the left pane of the System view.
8 Click OK.
9 (Optional) Specify notification times.
10 Do any of the following:
To add more pager numbers, repeat steps 5 through 8.
To edit an existing pager number, click it and click Properties.
To remove an existing pager number, click it and click Delete.
11 Click OK.
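Specifying notification information describes per-contact day and time windows (an email address for weekday business hours, a pager for off-hours) and a limit of five addresses and pager numbers per rule. The following added example (not code from the guide or the product) models that schedule and selects the contact methods active at an alert's timestamp, which is the decision the console makes when it sends a notification. The window semantics are assumptions made for the example: a window's start is inclusive and its end exclusive, a window whose start is later than its end wraps past midnight, and a window whose start equals its end covers the whole day. The addresses and pager number are constructed sample values.

```python
# Added example: evaluate notification day/time windows for an alert timestamp.
# Window semantics (inclusive start, exclusive end, wrap when start > end,
# all-day when start == end) are this example's assumptions.
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List

MAX_CONTACTS = 5                      # guide: at most five addresses and pager numbers per rule
WEEKDAYS = frozenset(range(0, 5))     # Monday=0 .. Friday=4 (datetime.weekday numbering)
WEEKEND = frozenset({5, 6})           # Saturday, Sunday


@dataclass(frozen=True)
class Contact:
    kind: str                # "email" or "pager"
    address: str             # email address or pager number
    days: FrozenSet[int]     # weekdays on which this window applies
    start: time              # From control
    end: time                # To control

    def active_at(self, when: datetime) -> bool:
        """True if this contact method may be used at the given moment."""
        if when.weekday() not in self.days:
            return False
        t = when.time()
        if self.start == self.end:                 # all-day window
            return True
        if self.start < self.end:                  # same-day window, e.g. 08:00-17:00
            return self.start <= t < self.end
        return t >= self.start or t < self.end     # wraps midnight, e.g. 17:00-08:00


def contacts_for_alert(contacts: List[Contact], when: datetime) -> List[Contact]:
    """Return the contact methods whose windows cover the alert time."""
    if len(contacts) > MAX_CONTACTS:
        raise ValueError(f"at most {MAX_CONTACTS} email addresses and pager numbers per rule")
    return [c for c in contacts if c.active_at(when)]


# Constructed schedule for one user, mirroring the guide's example:
# email during weekday business hours, pager during off-hours and weekends.
USER_CONTACTS = [
    Contact("email", "analyst@example.com", WEEKDAYS, time(8, 0), time(17, 0)),
    Contact("pager", "555-0100", WEEKDAYS, time(17, 0), time(8, 0)),
    Contact("pager", "555-0100", WEEKEND, time(0, 0), time(0, 0)),
]


def active_addresses(when: datetime) -> List[str]:
    """Human-readable list of the methods that would be used at 'when'."""
    return [f"{c.kind}:{c.address}" for c in contacts_for_alert(USER_CONTACTS, when)]


if __name__ == "__main__":
    for stamp in (datetime(2024, 1, 9, 10, 0), datetime(2024, 1, 9, 22, 0),
                  datetime(2024, 1, 13, 12, 0)):
        print(stamp.strftime("%a %H:%M"), "->", active_addresses(stamp))
```

A gap in the combined windows means an alert at that time reaches nobody, so after entering a schedule it is worth checking a few boundary timestamps (the hour a window ends, the first minutes after midnight, the weekend) the way the block does.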

To specify notification times
1 In the User Properties dialog box, on the Notifications tab, click an email address or pager number.
2 Using the Day controls, check the days when the contact method can be used to contact the user.
3 Using the From and To controls, specify the range of time when the contact method can be used.
4 Repeat these steps to establish notification times for other email addresses and pager numbers.
5 When you finish, click OK.

About modifying user permissions
When you create a role, permissions are assigned for each user with regard to that role. These permissions control whether role members who log on to the console can view, modify, or delete the user. You can modify these permissions in the following ways:
By displaying and editing the roles that contain the permissions.
See Modifying access permissions in roles on page 143.
By displaying the Permissions dialog box for the User container object or an individual user.
See Modifying permissions from the Permissions dialog box on page 152.
Note: To modify permissions, you must be logged on as a member of the Domain Administrator role.

Modifying a user group
You can modify a user group by adding and removing members, and by changing the user group name and description. You can also modify individual group members' properties.
To modify a user group
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then click User Groups.

3 In the right pane, right-click the user group to modify, and click Properties.
4 On the General tab, add or change the user group's name and description.
5 On the Members tab, you can do the following:
Add members    Click Add. In the Find Users dialog box, select one or more users from the Available Users list, and click Add. When you finish adding members, click OK.
Remove members    Select the member name, and click Remove.
Modify a member's properties    Select the member name, and click Properties. In the User Properties dialog box, use the tabs to modify the properties of individual user group members. When you finish modifying properties, click OK.
6 Click OK.
See Creating a user group on page 160.

Deleting a user or a user group
You can delete users who are no longer participants in your security network. You can also delete the user groups that are no longer needed.
See Creating a new user on page 158.
See Creating a user group on page 160.
To delete a user or a user group
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Users or User Groups.
3 In the right pane, right-click the user or the user group to delete, and click Delete.
4 In the confirmation dialog box, click Yes.

About integrating Active Directory with the Information Manager server
The Active Directory Integration feature on the Web configuration interface of Information Manager lets you synchronize the Information Manager server with an Active Directory server. This integration enables Active Directory users to access the Information Manager server.
You can create and add more than one Active Directory configuration to the Information Manager server. You can set the synchronization schedule for each configuration as required so that the users are periodically refreshed with each synchronization cycle. The synchronized Active Directory users can log on to the Information Manager server through the console as well as the Web configuration interface.
Members of the External Users role do not have any Information Manager privileges. This role is used only by Active Directory users for Pass-through Authentication. The Active Directory user must be assigned another Information Manager role to log on to the Information Manager server.
See Managing Active Directory configurations on page 170.

Managing Active Directory configurations
The Active Directory Integration feature on the Settings view of the Web configuration interface lets you create and synchronize Information Manager with Active Directory servers. The view also lets you create, add, edit, or synchronize the Active Directory configurations as required.
See About integrating Active Directory with the Information Manager server on page 170.
Prerequisites for creating an Active Directory configuration are as follows:
If the Active Directory server and Symantec Security Information Manager are not in the same DNS, you must add the FQDN and the IP address of the Active Directory server to the Information Manager hosts file.
A certificate authority (CA) must be installed on the domain controller with which Information Manager is to integrate. The CA root certificate must be assigned to the user to be used in the Active Directory integration configuration.
Add the CA root certificate of the Active Directory that you want to synchronize to the Information Manager server. For more details on obtaining an Active Directory root certificate, refer to the Microsoft Web site.

To create a new Active Directory configuration
1 On the Web configuration interface, click Settings > Active Directory.
2 On the details pane, click Create Configuration.
3 Fill in the required details of the host name, IP address, user name, and password. If possible, keep the port number as 636 (the LDAP service runs on port 636 by default).
4 In a scenario in which the Active Directory domain name and the Information Manager domain name are identical, check the box for Active Directory overrides SSIM. This setting gives the Active Directory user preference over the Information Manager user when the user logs on to the Information Manager server.
5 Enter the users and groups that you want to synchronize or exclude in the respective boxes. The default Active Directory group Domain Users cannot be added to Information Manager because it is a special group that does not have member attributes for the users.
6 Enter the password. The user name appears by default and cannot be modified.
7 Check the Disable Scheduling box if you want to disable the synchronization.
8 Enter the synchronization schedule in minutes, hours, or days as required.
9 Click Save to apply.
Configurations are saved and listed by the domain name. You can edit or delete the configurations that are listed. The ibmldap service of the Information Manager server restarts when you save the Active Directory configuration.
Note: The External Users role on Information Manager grants access permission to Active Directory domain users. Therefore, this role must not be removed for Active Directory users. Members of the External Users role do not have any Information Manager privileges. Therefore, the Active Directory user must be assigned another Information Manager role to log on to the Information Manager server.
To edit an Active Directory configuration
1 On the Web configuration interface, click Settings > Active Directory.
2 On the details pane, click List Configurations.

3 Select the configuration that you want to work with.
4 Click the Edit icon.
5 Change the details in the appropriate fields as required.
6 Click Save.
To remove an Active Directory configuration
1 On the Web configuration interface, click Settings > Active Directory.
2 On the details pane, click List Configurations.
3 Select the configuration that you want to remove.
4 Click the Remove icon.
5 Enter the cn=root password in the Remove Active Directory Configurations dialog box, and click OK.
To synchronize an Active Directory configuration
1 On the Web configuration interface, click Settings > Active Directory.
2 On the details pane, click List Configurations.
3 Select the configuration with which you want to synchronize Information Manager.
4 Click the Synchronize Now icon.
5 Click View Synchronization Log to see the results.

Chapter 9
Managing organizational units and computers
This chapter includes the following topics:
About organizational units
About managing organizational units
About managing computers within organizational units

About organizational units
Organizational units are a useful way to structure your security environment in Symantec Security Information Manager. Before you create organizational units, it is important that you understand your security network and create a security plan.
See About managing organizational units on page 173.
Organizational units let you group the computers and servers that you manage. You can then add configurations for the Information Manager components that may be installed on those computers. These capabilities enable the distribution of the configurations to all computers and servers in the organizational unit.

About managing organizational units
On the Administration tab of the System view, select Organizational Units to perform the following tasks:
Create a new organizational unit.
See Creating a new organizational unit on page 174.

Edit organizational unit properties.
See Editing organizational unit properties on page 176.
Delete an organizational unit.
See Deleting an organizational unit on page 177.

Creating a new organizational unit
Organizational units are logical groupings. You can create them to organize the computers that are in the same physical location or belong to structural groups within your corporation: for example, divisions or task groups. However, it is not required that an organizational unit reflect these relationships.
See About organizational units on page 173.
You can create all the organizational units that you require at a single level, or you can create a hierarchy of nested organizational units. The combined maximum length of the distinguished name of an organizational unit must be no longer than 170 bytes. Keep in mind that some characters, such as accented characters or Japanese characters, take more space to store. The distinguished name of an organizational unit is a concatenation of the names that precede it in the hierarchy. Therefore, nesting organizational units with long names can exceed this limit. A screen message informs you if you exceed the limit.
To create a new organizational unit
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Organizational Units.
3 Take one of the following actions:
To create a new organizational unit at the top level of the tree, click + (the plus icon) on the toolbar. Go to step 5.
To create a new organizational unit within an existing organizational unit, expand the organizational unit tree and select the level that you want. Then click + (the plus icon) on the toolbar. Go to step 4.
4 In the Computer or Organizational Unit dialog box, click Organizational Unit, and click OK.
5 In the first panel of the Create a new Organizational Unit wizard, click Next.
6 In the General panel, do the following:
In the Organizational Unit Name text box, type a name for the organizational unit.

(Optional) In the Description text box, type a description of the organizational unit.
7 Click Next.
8 In the Organizational Unit Summary panel, review the information that you have specified, and click Finish.
9 Click Close.

About determining the length of the organizational unit name
Information Manager imposes limits on the length of the name of an organizational unit. It also imposes limits on the total length of the distinguished name that is stored in the LDAP directory. These limits become important when you nest organizational units.
See About organizational units on page 173.
The distinguished name for a nested organizational unit includes the following:
The name you give the organizational unit when you create it
The names of each organizational unit that precedes it in the hierarchy
The name of the top node in the organizational unit tree
The name of the domain within which you create the organizational unit hierarchy
Additional bytes of overhead
You can view the distinguished name of an organizational unit by looking at the organizational unit's properties.
The maximum length of the name you assign in the Create a new Organizational Unit wizard is 64 UTF-8 bytes. For the Roman character set, this means that the name cannot exceed 64 characters. Some characters take more space to store. For example, accented characters take two bytes to store, and Japanese characters take three bytes or four bytes to store. When these characters are used, fewer characters are allowed in the name.
Information Manager adds other information for internal use to the distinguished name. Therefore, the maximum recommended length of the distinguished name of an organizational unit in the security directory is 170 bytes. If a distinguished name is longer than 256 characters, performance issues occur.
Table 9-1 describes how to calculate the UTF-8 byte length of the distinguished name of the organizational unit.
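The following added example (not code from the guide or the product) applies the Table 9-1 formulas with Python's UTF-8 encoder, so that accented and Japanese names are counted in bytes rather than characters, and checks a planned OU path against the 64-byte name limit and the 170-byte recommended maximum for the distinguished name. It sums the 4-byte component overhead over every OU in the path, as the sum() in the table's formula indicates; for the single-term arithmetic the table shows (4 + 5 + 31 + 13) it returns 53 bytes. The per-component, domain and OU overhead constants are taken from the table; the domain and OU names used as input are constructed sample values.

```python
# Added example: estimate the UTF-8 byte length of an organizational unit's
# distinguished name using the Table 9-1 formulas, and flag limit violations.
from typing import List, Sequence, Tuple

COMPONENT_OVERHEAD = 4   # bytes per name component (Table 9-1)
DOMAIN_OVERHEAD = 17     # bytes added to the domain name length (Table 9-1)
OU_OVERHEAD = 13         # bytes added to the OU name length (Table 9-1)
MAX_OU_NAME_BYTES = 64   # wizard limit on a single OU name
MAX_DN_BYTES = 170       # recommended maximum for the full distinguished name


def utf8_len(name: str) -> int:
    """Byte length of a name in UTF-8 (accented letters 2 bytes, Japanese 3 or 4)."""
    return len(name.encode("utf-8"))


def domain_name_length(domain: str) -> int:
    """sum(4 + domain component name length) + 17 bytes."""
    components = domain.split(".")
    return sum(COMPONENT_OVERHEAD + utf8_len(c) for c in components) + DOMAIN_OVERHEAD


def ou_dn_length(domain: str, ou_path: Sequence[str]) -> int:
    """sum(4 + OU name length) over the OU path + domain name length + 13 bytes.
    ou_path is ordered from the top-level OU down to the OU being created."""
    ou_part = sum(COMPONENT_OVERHEAD + utf8_len(ou) for ou in ou_path)
    return ou_part + domain_name_length(domain) + OU_OVERHEAD


def check_ou_path(domain: str, ou_path: Sequence[str]) -> Tuple[int, List[str]]:
    """Return (estimated DN bytes, list of limit violations) for a planned OU path."""
    problems: List[str] = []
    for ou in ou_path:
        n = utf8_len(ou)
        if n > MAX_OU_NAME_BYTES:
            problems.append(f"OU name {ou!r} is {n} UTF-8 bytes (limit {MAX_OU_NAME_BYTES})")
    total = ou_dn_length(domain, ou_path)
    if total > MAX_DN_BYTES:
        problems.append(f"distinguished name estimate {total} bytes exceeds {MAX_DN_BYTES}")
    return total, problems


if __name__ == "__main__":
    # Constructed sample inputs; usa.ses is the domain used in Table 9-1.
    print("usa.ses domain:", domain_name_length("usa.ses"), "bytes")
    print("paris OU:", ou_dn_length("usa.ses", ["paris"]), "bytes")
    print("Zürich is", utf8_len("Zürich"), "bytes; 東京 is", utf8_len("東京"), "bytes")
    print(check_ou_path("usa.ses", ["sales", "paris", "東京オフィス"]))
    print(check_ou_path("usa.ses", ["a" * 60, "b" * 60, "c" * 60]))
```

The second check_ou_path call shows how three moderately long nested names, each individually under the 64-byte limit, still push the distinguished name past 170 bytes, which is the nesting problem the section warns about.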

Table 9-1 Determining the organizational unit name length

Name string    Formula and example
Domain name length    sum(4 + domain component name length) + 17 bytes
    Example: usa.ses
    4 + length(usa) + 4 + length(ses) + 17 bytes overhead, or 4 + 3 + 4 + 3 + 17 = 31 bytes
Organizational unit (OU) name length    sum(4 + OU name length) + domain name length + 13 bytes
    Example: Paris OU under the Sales OU in the usa.ses domain
    4 + length(paris) + domain name length + 13 bytes overhead, or 4 + 5 + 31 + 13 = 53 bytes

Editing organizational unit properties
You can modify an existing organizational unit's description. You cannot change the name or the distinguished name of the organizational unit.
See About organizational units on page 173.
To edit organizational unit properties
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and expand the Organizational Units navigation tree.
3 Right-click the name of the organizational unit to edit, and click Properties.
4 In the Organizational Unit Properties dialog box, change the description.
5 When you finish, click OK.

About modifying organizational unit permissions
When you create a role, permissions are assigned for each organizational unit with regard to that role. These permissions control whether role members who log on to the Information Manager console can view, modify, or delete the organizational unit. You can modify these permissions in the following ways:
By displaying and editing the roles that contain the permissions.

See Modifying access permissions in roles on page 143.
By displaying the Permissions dialog box for the organizational unit container object or an individual organizational unit.
See Modifying permissions from the Permissions dialog box on page 152.
Note: To modify permissions, you must be logged on as a member of the SES Administrator role or the Domain Administrator role.

Deleting an organizational unit
Before you can delete an organizational unit, you must move or delete all computers that belong to the organizational unit.
See Moving a computer to a different organizational unit on page 198.
See Deleting a computer from an organizational unit on page 199.
Note: When you delete an organizational unit, all of the organizational units that are below it in the navigational structure are also deleted.
To delete an organizational unit
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and expand the Organizational Units navigation tree.
3 Right-click the name of the organizational unit to delete, and click Delete.
4 To confirm the deletion of the organizational unit and its subgroups, click Yes.

About managing computers within organizational units
Organizational units contain computer objects representing the computers that run your security products.
Note: The term computer covers a variety of equipment, from traditional desktop computers to servers and handheld devices. In the context of the Information Manager console, a computer is any device that you manage as part of your enterprise security environment.

Computers are placed in organizational units in the following ways:
When an agent is installed. When you install Symantec Event Agent on a computer, it is represented as a computer within an organizational unit. Symantec Event Agent is added to the default organizational unit. You can move the agent to a different organizational unit later.
When you create the computer using the Create a new Computer wizard. You can use this method to create computers other than the agent computers.
Note: Do not create a computer using the wizard if you plan to install the Symantec Event Agent on the computer at a later time. If you do, a duplicate instance of the computer is added to the LDAP directory.
A computer can belong to only one organizational unit at a time. However, based on the requirements of your network, you can easily move computers from one organizational unit to another.
When you select a computer in the right pane, you can perform the following tasks:
Create computers within organizational units.
See Creating computers within organizational units.
Edit computer properties.
See About editing computer properties.
Move a computer to a different organizational unit.
See Moving a computer to a different organizational unit.
Modify computer permissions.
See About modifying computer permissions.
Delete a computer from an organizational unit.
See Deleting a computer from an organizational unit.

Creating computers within organizational units
Computers are defined in the LDAP directory as part of the organizational units in which you create them. If you delete a computer from an organizational unit, it is permanently removed from the LDAP directory.
See About managing computers within organizational units on page 177.

To create a computer within an organizational unit
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and expand the Organizational Units navigation tree.
3 Right-click the name of the organizational unit, and click New > Computer.
4 In the first panel of the Create a new Computer wizard, click Next.
5 In the General panel, do the following, and click Next:
  - In the Computer name text box, type the computer name.
  - (Optional) In the Description text box, type a description.
6 In the Information panel, do one of the following:
  - Type information in some or all of the optional text boxes, and click Next.
  - Supply the information later by editing the computer's properties.
7 In the Identification panel, do one of the following:
  - Provide the host name, IP addresses, and MAC addresses of the computer, and click Next.
  - Provide the identification information later by editing the computer's properties.
8 In the Configurations panel, do one of the following:
  - To directly associate configurations with the computer, click Add. When you are finished, click Next.
  - Add configurations later by editing the computer's properties.
9 In the Computer summary panel, review the information that you have specified, and click Finish.
10 Click Close.

About editing computer properties

The computer properties that you can view and change depend on whether Symantec Event Agent is installed on the computer. If the computer has Symantec Event Agent, you can associate configurations with the computer and view the services running on the computer. However, you cannot change the identification information for the computer.

See "Editing the agent computer" on page 180.
See "Viewing the services running on a computer" on page 193.

If the computer does not have an agent, you can edit the network identification information for the computer. However, you cannot view services running on the computer.
See "Editing a computer that does not have an agent" on page 181.
See "Providing identification information for a computer" on page 182.

Editing the agent computer

When a computer has an agent installed, most of the identification information about the computer is captured during the installation. You can learn about the computer by viewing the information that the agent provides. This information includes the state of the services running on the computer and the computer's heartbeat status. You can also specify configurations to be associated with the computer. If the computer is an Information Manager server, you can add access to other domains.

To edit the agent computer
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and expand the Organizational Units navigation tree.
3 Click the name of the organizational unit that contains the computer to be edited.
4 In the right pane, right-click the name of the computer, and click Properties.
5 In the Computer Properties dialog box, on the General tab, you can type a new description.
6 On the Information tab, you can modify the Primary Owner and Owner contact information text boxes. The remaining information is provided during the agent installation.
7 On the Configurations tab, do any of the following:
  - To directly associate configurations with the computer, click Add.
    See "Associating configurations directly with a computer" on page 183.
  - To remove a configuration, select it, and click Remove.
  - To view a configuration's properties, select it, and click Properties.
8 You can view information on any of the following tabs:
  - On the Identification tab, view the host name, IP addresses, and MAC addresses of the computer.
  - On the Services tab, view information about the services running on the computer.
    See "Viewing the services running on a computer" on page 193.
9 Click OK.

Editing a computer that does not have an agent

When you create a computer using the Create a New Computer wizard, you can modify most of the computer's properties. Services are reported only if an agent is installed on the computer.

To edit a computer that does not have an agent
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and expand the Organizational Units navigation tree.
3 Click the name of the organizational unit that contains the computer to be edited.
4 In the right pane, right-click the name of the computer, and click Properties.
5 In the Computer Properties dialog box, on the General tab, you can type a new description.
6 On the Information tab, modify the text boxes as you want. To enable the Other OS Type text box, select OTHER from the operating system type drop-down list.
7 On the Identification tab, change the host name and add or remove IP addresses and MAC addresses, as needed.
  See "Providing identification information for a computer" on page 182.
8 On the Configurations tab, do any of the following:
  - To directly associate configurations with the computer, click Add.
    See "Associating configurations directly with a computer" on page 183.
  - To remove a configuration, select it, and click Remove.
  - To view a configuration's properties, select it, and click Properties.

9 On the Services tab, view information about the services running on the computer.
  See "Viewing the services running on a computer" on page 193.
10 Click OK.

Providing identification information for a computer

After you create a computer using the Create a new Computer wizard, you can provide the network identification information for the computer by editing its properties. When you create a computer by installing a collector, the identification information is supplied automatically by the installation.
See "About editing computer properties" on page 179.

To provide identification information for a computer
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and expand the Organizational Units navigation tree.
3 Click the name of the organizational unit that contains the computer to be edited.
4 In the right pane, right-click the name of the computer, and click Properties.
5 In the Computer Properties dialog box, on the Identification tab, in the Host name text box, type an FQDN or a DNS host name.
6 To add an IP address, under IP addresses, click Add.
7 In the IP addresses dialog box, type the IP address of the computer, and click OK.
8 If the computer has multiple network interface cards, repeat steps 6 and 7 for each IP address.
9 To add a MAC address, under MAC addresses, click Add.
10 In the MAC addresses dialog box, type the MAC address of the computer, and click OK. The MAC address must consist of six hexadecimal pairs.
11 If the computer has multiple network interface cards, repeat steps 9 and 10 for each MAC address.
12 Click OK.
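The Identification tab takes an FQDN or DNS host name, one IP address per network interface card, and MAC addresses made of six hexadecimal pairs. The following Python module is an added example, not product code: it validates and normalises those three kinds of value before they are typed into the console, which is useful when identification data for many wizard-created computers is assembled from an inventory export. The six-pair MAC requirement comes from step 10 above; the RFC 1123 label rule for host names and the accepted MAC separators (":" or "-") are assumptions about what a sensible check should accept, not documented product behaviour.

```python
"""Validate host name, IP address and MAC address values for the Identification tab.

Added example; the acceptance rules beyond "six hexadecimal pairs" are assumptions.
"""
import ipaddress
import re

# RFC 1123 host name label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen (assumed rule).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Six hexadecimal pairs joined by a single consistent separator, ':' or '-' (assumed accepted forms).
_MAC = re.compile(r"^([0-9A-Fa-f]{2})([:-])([0-9A-Fa-f]{2})(\2[0-9A-Fa-f]{2}){4}$")


def validate_hostname(name: str) -> str:
    """Return the lower-cased host name, or raise ValueError if it is not a valid DNS name or FQDN."""
    name = name.strip().rstrip(".")          # tolerate the trailing dot of an absolute FQDN
    if not name or len(name) > 253:
        raise ValueError(f"host name length out of range: {name!r}")
    for label in name.split("."):
        if not _LABEL.match(label):
            raise ValueError(f"invalid DNS label {label!r} in {name!r}")
    return name.lower()


def validate_ip(addr: str) -> str:
    """Return the canonical text form of an IPv4 or IPv6 address, or raise ValueError."""
    try:
        return str(ipaddress.ip_address(addr.strip()))
    except ValueError as exc:
        raise ValueError(f"invalid IP address {addr!r}") from exc


def validate_mac(mac: str) -> str:
    """Return the MAC address as six upper-case hexadecimal pairs joined by ':'.

    Anything that is not exactly six hexadecimal pairs is rejected, which is the
    rule the MAC addresses dialog box enforces.
    """
    match = _MAC.match(mac.strip())
    if not match:
        raise ValueError(f"MAC address must be six hexadecimal pairs: {mac!r}")
    pairs = re.split(r"[:-]", match.group(0))
    return ":".join(pair.upper() for pair in pairs)


def validate_identification(hostname, ips, macs):
    """Validate one computer's Identification tab values and return them normalised.

    Duplicate IP or MAC addresses (after normalisation) are rejected, because each
    entry is meant to describe a distinct network interface card.
    """
    norm_ips = [validate_ip(ip) for ip in ips]
    norm_macs = [validate_mac(mac) for mac in macs]
    if len(set(norm_ips)) != len(norm_ips):
        raise ValueError("duplicate IP address in list")
    if len(set(norm_macs)) != len(norm_macs):
        raise ValueError("duplicate MAC address in list")
    return {"hostname": validate_hostname(hostname), "ips": norm_ips, "macs": norm_macs}


if __name__ == "__main__":
    # Constructed sample input for a server with two network interface cards.
    print(validate_identification("Collector01.example.com.",
                                  ["10.0.0.15", "192.0.2.7"],
                                  ["00-1a-2b-3c-4d-5e", "00:1A:2B:3C:4D:5F"]))
```

Normalising before entry also keeps the directory searchable: the console stores what you type, so mixed separators and letter cases would otherwise make the same adapter look like two different ones.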

Associating configurations directly with a computer

Configurations control the behavior of Information Manager components. To distribute configurations to a computer, you can associate a configuration with the computer. You can then distribute the configuration either immediately or at a later date, depending on your needs.
See "About editing computer properties" on page 179.

The following table defines each of the available configurations that can be associated directly with a computer.

Configuration: Manager Configurations (Symantec Event Agent and Manager)
Description: Contains the common Information Manager server settings, which may affect one or more components on an Information Manager server. For example, configuration settings define which directory service and database the server should use.

Configuration: Manager Component Configurations (Symantec Event Agent and Manager)
Description: Contains settings for services within the Information Manager server, such as the event logging subsystem or the configuration service.

Configuration: Manager Connection Configurations (Symantec Event Agent and Manager)
Description: Lets you control how failover is performed from the Information Manager server to the directory service and from the Information Manager server to the database.

Configuration: Agent Connection Configurations (Symantec Event Agent and Manager)
Description: Sets the agent to Information Manager server failover. Failover is the ability of Information Manager components to automatically switch to designated secondary resources if the primary resource fails or terminates abnormally.

Configuration: Agent Configurations (Symantec Event Agent and Manager)
Description: Lets the agent communicate with the corresponding Information Manager server. These configurations include which primary and secondary server to connect to and how to get configuration information and report inventory. In addition, they include how these computers should receive LiveUpdate information.

Configuration: Symantec Critical System Protection Event Collector
Description: Configures Symantec Critical System Protection Event Collector to collect DB sensor data from the following platforms:
- Microsoft Windows 2000 (all editions) with Service Pack 4 or later
- Microsoft Windows Server 2003 (all editions) with Service Pack 2 or later
- Microsoft Windows XP with Service Pack 2 or later
- Red Hat Enterprise Linux AS 3.0
- Red Hat Enterprise Linux AS 4.0

Configuration: LiveUpdate (LiveUpdate 1.0)
Description: Configures LiveUpdate to obtain software updates for the various software components of Information Manager, such as event collectors, relays, security content, rules, and filters.

Configuration: Java LiveUpdate (LiveUpdate 1.0)
Description: Configures Java LiveUpdate to obtain software updates for the various software components of Information Manager, such as event collectors, relays, security content, rules, and filters.

Configuration: ISS SiteProtector Event Collector
Description: Configures the Internet Security Systems RealSecure SiteProtector Event Collector to collect DB sensor data from the following platforms:
- ISS RealSecure Gigabit Network Sensor 7.0
- ISS RealSecure Network Sensor 6.5/7.0
- ISS RealSecure Server Sensor 6.0.1/6.5/7.0 on Windows 2000
- ISS RealSecure Server Sensor 6.0.1/6.5/7.0 on Windows 2000
- ISS Internet Scanner 7.0
- ISS Proventia Integrated Security Appliance (M Series)
- Microsoft Windows 2000 (all editions) with Service Pack 4 or later
- Microsoft Windows Server 2003 (all editions) with Service Pack 2 or later
- Microsoft Windows XP with Service Pack 2 or later
- Red Hat Enterprise Linux AS 3.0
- Red Hat Enterprise Linux AS 4.0

Configuration: Check Point Firewall 1 Event Collector
Description: Configures Check Point FireWall-1 Event Collector to collect OpsecLea sensor data from the following platforms:
- Check Point FireWall-1 NG Application Intelligence R55 and NGX 6.x (including 6.0, 6.2, and 6.5) that runs on one of the following operating systems:
  - Microsoft Windows 2000 Advanced Server with Service Pack 4 or later
  - Red Hat Enterprise Linux AS 3.0
- Check Point Provider-1 NG and NGX 6.x (including 6.0, 6.2, and 6.5) on Red Hat Enterprise 3, Sun Solaris, and Check Point SecurePlatform with the following configurations:
  - Check Point Provider-1 with MDS/CMA/log server all on one computer
  - Check Point Provider-1 with separate MLM/CLM computers
- Check Point R55 and 6.x (including 6.0, 6.2, and 6.5) that runs on the Nokia IP series appliances
- Check Point version R70 (including IPS and Antivirus blades) is supported as long as the September 2009 (or later) LiveUpdate package is applied
- Check Point version R71
- Check Point Connectra NGX R66
The collector runs on the following operating systems:
- Microsoft Windows 2000 (all editions) with Service Pack 4 or later
- Microsoft Windows Server 2003 (all editions) with Service Pack 2 or later
- Microsoft Windows XP with Service Pack 2 or later
- Red Hat Enterprise Linux AS 3.0
- Red Hat Enterprise Linux AS 4.0

Configuration: Cisco ASA Event Collector
Description: Configures Cisco ASA Event Collector to collect Syslog sensor data from the following platforms:
- Microsoft Windows 2000 (all editions) with Service Pack 4 or later
- Microsoft Windows Server 2003 (all editions) with Service Pack 2 or later
- Microsoft Windows Server 2008 with Service Pack 1 or later
- Microsoft Windows XP with Service Pack 2 or later
- Microsoft Windows Vista with Service Pack 1 or later
- Microsoft Windows 7
- Red Hat Enterprise Linux AS 4.0
- Red Hat Enterprise Linux 5.0 (32-bit x86 only)
- Sun Solaris (SPARC) 8, 9, and 10

Configuration: Generic Syslog Event Collector
Description: Configures Generic Syslog Event Collector to collect Syslog sensor data from the following platforms:
- Microsoft Windows 2000 (all editions) with Service Pack 4 or later
- Microsoft Windows Server 2003 (all editions) with Service Pack 2 or later
- Microsoft Windows XP with Service Pack 2 or later
- Red Hat Enterprise Linux AS 3.0
- Red Hat Enterprise Linux AS 4.0

Configuration: Juniper NSM Event Collector
Description: Configures Juniper Networks NetScreen Security Manager Event Collector to collect Syslog sensor data from the following platforms:
- Microsoft Windows 2000 (all editions) with Service Pack 4 or later
- Microsoft Windows Server 2003 (all editions) with Service Pack 2 or later
- Microsoft Windows XP with Service Pack 2 or later
- Red Hat Enterprise Linux AS 3.0
- Red Hat Enterprise Linux AS 4.0

Configuration: Juniper Netscreen Firewall Event Collector
Description: Configures Juniper NetScreen Event Collector to collect Syslog sensor data from the following platforms:
- Symantec Security Information Manager 4.6 and 4.7
- Microsoft Windows 2000 (all editions) with Service Pack 4 or later
- Microsoft Windows Server 2003 (all editions) with Service Pack 2 or later
- Microsoft Windows Server 2008 with Service Pack 1 or later
- Microsoft Windows XP with Service Pack 2 or later
- Microsoft Windows Vista with Service Pack 1 or later
- Red Hat Enterprise Linux AS 3.0
- Red Hat Enterprise Linux AS 4.0
- Red Hat Enterprise Linux 5.0 (32-bit x86 only)
- Sun Solaris (SPARC) 8, 9, and 10
- SUSE Linux Enterprise 10

Configuration: Snare for Windows Event Collector
Description: Configures Snare for Windows Event Collector to collect Syslog sensor data from the following platforms:
- Microsoft Windows 2000 (all editions) with Service Pack 4 or later
- Microsoft Windows Server 2003 (all editions) with Service Pack 2 or later
- Microsoft Windows XP with Service Pack 2 or later
- Red Hat Enterprise Linux AS 3.0
- Red Hat Enterprise Linux AS 4.0

Configuration: Snort Syslog Event Collector
Description: Configures Snort Event Collector to collect SyslogFile sensor data from the following platforms:
- Microsoft Windows 2000 (all editions) with Service Pack 4 or later
- Microsoft Windows Server 2003 (all editions) with Service Pack 2 or later
- Microsoft Windows XP with Service Pack 2 or later
- Red Hat Enterprise Linux AS 3.0
- Red Hat Enterprise Linux AS 4.0

Configuration: Symantec Endpoint Protection 11.0 Event Collector
Description: Configures Symantec Endpoint Protection 11.0 Event Collector to collect DB sensor data from the following platforms:
- Microsoft Windows 2000 (all editions) with Service Pack 4 or later
- Microsoft Windows Server 2003 (all editions) with Service Pack 2 or later
- Microsoft Windows XP with Service Pack 2 or later
- Red Hat Enterprise Linux AS 3.0
- Red Hat Enterprise Linux AS 4.0

Configuration: Symantec Endpoint Protection State 11.0 Event Collector
Description: Configures Symantec Endpoint Protection State 11.0 Event Collector to collect DB sensor data from the following platforms:
- Microsoft Windows 2000 (all editions) with Service Pack 4 or later
- Microsoft Windows Server 2003 (all editions) with Service Pack 2 or later
- Microsoft Windows XP with Service Pack 2 or later
- Red Hat Enterprise Linux AS 3.0
- Red Hat Enterprise Linux AS 4.0

Configuration: Symantec Security Information Manager Local Event Collector
Description: Configures the Information Manager Event Collector to collect SyslogFile sensor data. The Local Event Collector tracks the events that the Linux operating system that runs Information Manager generates. Examples include ssh commands and wrong password entries.

Configuration: Syslog Director
Description: Configures Syslog Director.

Configuration: Universal Logfile Event Collector
Description: Configures the Universal Logfile Event Collector to collect events from the products that log to text files.

Configuration: UNIX OS Event Collector
Description: Configures UNIX OS Event Collector to collect syslog data from the following platforms:
- HP-UX 11i
- IBM AIX 5.3 and 6.x
- Red Hat Enterprise Linux 3.0, 4.0, and 5.0
- SUSE Linux Enterprise 9 and 10
- Sun Solaris 8, 9, and 10
- Nokia IPSO
- Other Linux distributions based on the 2.6 kernel
- Debian Linux 3.1
- Macintosh OS X 10.4, 10.5, and 10.6
In addition, the UNIX Event Collector collects data from ISC BIND9, Linux iptables, and the Linux Audit daemon AUDITD.

Configuration: Universal Syslog Event Collector
Description: Configures the Universal Syslog Event Collector to collect events from the products that log events by using the Syslog protocol.

Configuration: Universal Event Collector for Microsoft Windows Vista
Description: Configures Universal Event Collector for Microsoft Windows Vista to collect events from Microsoft Windows Vista, Windows Server 2008, and Windows 7 event logs.

Configuration: Universal Event Collector for Microsoft Windows
Description: Configures Universal Event Collector for Microsoft Windows to collect events from Microsoft Windows event logs.

Configuration: Qualys Guard Event Collector
Description: Configures QualysGuard Event Collector to collect QualysGuard sensor data from the following platforms:
- Microsoft Windows 2000 (all editions) with Service Pack 4 or later
- Microsoft Windows Server 2003 (all editions) with Service Pack 2 or later
- Microsoft Windows XP with Service Pack 2 or later
- Red Hat Enterprise Linux AS 3.0
- Red Hat Enterprise Linux AS 4.0
- Red Hat Enterprise Linux 5.0 (32-bit x86 only)

To associate configurations directly with the computer
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and expand the Organizational Units navigation tree.
3 Click the name of the organizational unit that contains the computer that you want to edit.
4 In the right pane, right-click the name of the computer, and click Properties.
5 In the Computer Properties dialog box, on the Configurations tab, click Add.
6 In the Find Configurations dialog box, in the Look-in drop-down list, select the product whose configurations you want to associate with the computer. The configurations are displayed in the Available configurations list.
  See "Associating configurations directly with a computer" on page 183.

7 In the Available configurations list, select a configuration, and click Add. The selected configuration is listed in the Selected configuration list.
  If the computer already contains a configuration, and you now select a different configuration, the new configuration replaces the old one.
8 To select a configuration for a different product, repeat steps 6 and 7.
9 When you finish adding configurations, click OK.
10 In the Computer Properties dialog box, do one of the following:
  - To remove a configuration, select it, and click Remove.
  - To view a configuration's properties, select it, and click Properties.
11 Click OK.

Making a computer a member of a configuration group

In addition to belonging to an organizational unit, a computer can be a member of a configuration group. Configuration groups are used to distribute special configurations to their member computers. A computer can belong to only one configuration group.

To make a computer a member of a configuration group
1 In the Information Manager console, on the System tab, in the left pane, expand the Organizational Units navigational tree until you can select the organizational unit that contains the computer that you want to edit.
2 In the right pane, select the computer.
3 On the Selection menu, click Properties.
4 In the Computer Properties dialog box, on the Configuration Groups tab, click Add.
5 In the Available Configuration Groups list, select a configuration group. If the computer is already a member of a configuration group, the configuration group that you select here replaces the original configuration group.
6 Click Add.
7 Click OK.
8 On the Configuration Groups tab, do any of the following, as needed:
  - To remove a computer from configuration group membership, select the configuration group, and click Remove.

  - To view a configuration group's properties, select it, and click Properties.
9 Click OK.

Viewing the services running on a computer

You can view information about the services running on a computer: for example, which configurations are in use and whether the configurations are up-to-date.
See "About editing computer properties" on page 179.

To view the services running on a computer
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and expand the Organizational Units navigation tree.
3 In the left pane, select the organizational unit that contains the computer whose services you want to view.
4 In the right pane, right-click the computer name, and click Properties.
5 In the Computer Properties dialog box, on the Services tab, review the In Sync column to determine whether the correct configurations are in use.
  - If the value for a specific service is Yes, the current configuration and the expected configuration are synchronized. That is, they are identical.
  - If the value for a specific service is No, the configurations are not synchronized. Double-click the row to view the information on the Configuration tab of the Service Properties dialog box. You may need to distribute the latest configurations to this computer.
6 Take any of the following actions:
  - In the Computer Properties dialog box, to notify the computer that it should download new configurations, click Distribute. Then click Yes to confirm your intention to distribute configurations.
  - To refresh the Computer Properties dialog box display, click Refresh.
  - Click Details to open the Service Properties dialog box and view the details of services.
7 When you finish, click OK.
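The In Sync column compares the configuration a service reports as in use with the configuration the server expects, and shows Yes only when the two are identical. The following Python example is added here and is not product code: it models that comparison over a constructed inventory, identifying each configuration by a digest of its content so that "identical" means the same settings rather than the same name, treats a service that has never reported as out of sync, and lists the computers that need a Distribute. The record layout, the digest-based identity and the sample data are assumptions, not the product's data model.

```python
"""Configuration drift check modelled on the Services tab "In Sync" column.

Added example; the data layout and digest-based comparison are assumptions.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ServiceState:
    computer: str
    service: str
    expected: str            # digest of the configuration the server expects to be in use
    current: Optional[str]   # digest the agent last reported, or None if it never reported


def config_digest(config_text: str) -> str:
    """Content-based identity for a configuration body, so a rename alone never counts as drift."""
    return hashlib.sha256(config_text.encode("utf-8")).hexdigest()[:16]


# Constructed: the configurations associated with each computer's services (server side).
EXPECTED_CONFIGS: Dict[Tuple[str, str], str] = {
    ("collector01", "Generic Syslog Event Collector"): "listen_port=514\nprotocol=udp\n",
    ("collector01", "Symantec Event Agent"): "primary=ssim01.example.com\nsecondary=ssim02.example.com\n",
    ("collector02", "Snort Syslog Event Collector"): "logfile=/var/log/snort/alert\n",
}

# Constructed: what each agent last reported as its running configuration (digest only).
REPORTED_DIGESTS: Dict[Tuple[str, str], Optional[str]] = {
    ("collector01", "Generic Syslog Event Collector"): config_digest("listen_port=514\nprotocol=udp\n"),
    ("collector01", "Symantec Event Agent"): config_digest("primary=ssim01.example.com\n"),  # stale copy
    ("collector02", "Snort Syslog Event Collector"): None,  # agent has not reported this service
}


def build_states(expected=EXPECTED_CONFIGS, reported=REPORTED_DIGESTS) -> List[ServiceState]:
    """Join the server-side expectation with the agent-side report, one record per service."""
    return [ServiceState(computer, service, config_digest(text), reported.get((computer, service)))
            for (computer, service), text in expected.items()]


def in_sync(state: ServiceState) -> bool:
    """Yes only when the agent has reported and its digest equals the expected digest."""
    return state.current is not None and state.current == state.expected


def drift_report(states: List[ServiceState]) -> Dict[str, List[str]]:
    """Map each computer to the services whose In Sync value would be No."""
    report: Dict[str, List[str]] = {}
    for state in states:
        if not in_sync(state):
            report.setdefault(state.computer, []).append(state.service)
    return report


def computers_to_distribute(states: List[ServiceState]) -> List[str]:
    """Computers on which Distribute should be clicked so they download new configurations."""
    return sorted(drift_report(states))


if __name__ == "__main__":
    states = build_states()
    for computer, services in drift_report(states).items():
        print(f"{computer}: not in sync -> {', '.join(services)}")
    print("Distribute needed for:", computers_to_distribute(states))
```

Treating a never-reported service as out of sync is deliberate: a missing report is indistinguishable, from the server's side, from an agent that is down or was never given the configuration, and both cases are what the Distribute and Refresh actions in step 6 are for.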
About the Visualizer

The Visualizer provides a convenient way to view your Symantec Security Information Manager environment, including the computers that are assigned to organizational units. You can use it to monitor events per second (EPS) rates and CPU usage on your network devices. You can also view and modify properties of elements such as the Information Manager server and agents.
See "About using the Visualizer" on page 194.
See "Viewing and modifying element properties" on page 196.

About using the Visualizer

The Visualizer provides a graphical view of your Information Manager environment. When you click the Visualizer tab on the System view, you see a set of icons. The icons represent such elements as correlation servers, collection servers, agents, and directories. The Icons tab in the Legend pane illustrates and defines each type of icon that can appear in the diagram.
See "About the Visualizer" on page 193.

Colored lines join elements to indicate the nature of their interactions. For example, a green line appears between an Information Manager server and its event archive. A blue line indicates that event forwarding is configured between a collection server and the correlation server. The arrow shows the direction in which the event data flows. To see an explanation of each color, click the Edges tab in the Legend pane.

You can place the icons where you want them by dragging them with the mouse. The associated text moves with the icon. You can also move the text to a different position relative to its icon. Click and hold the mouse over the text, and then move the mouse. Empty text boxes appear on each side of the icon. Drag the text into one of the boxes and release the mouse.

The toolbar includes tools to help you examine the graphic. In the toolbar, the colored dots that appear next to some elements indicate the activity level of these elements. Some dots reflect the volume of EPS, and other dots reflect the percentage of appliance CPU in use.
The meaning of each color is as follows:

EPS
- Green = less than or equal to 2.5 K
- Yellow = 2.5 K to 5 K
- Red = greater than 5 K

CPU usage
- Green = less than 60%
- Yellow = 60% to 80%
- Red = greater than 80%

Note: The EPS display on the Visualizer tab depends on the value of the Agent Queue Statistics Report Interval setting under System > Product Configuration > SSIM Agent and Manager > Agent Configurations > Logging. By default, this value is set to 300 seconds and the EPS is updated after that interval only. You can configure it to a lower interval. However, setting a lower value may result in lower performance by the agent. You must update (push) the configuration to the agent for the change to take effect.

Table 9-2 describes the tools in the toolbar.

Table 9-2 Visualizer tools

Tool: Layout menu
Purpose: This option lets you view your network topology using the following layouts:
- Organic
- Circular
- Hierarchic
- Orthogonal
- Tree

Tool: Refresh
Purpose: This option lets you update the display after you make configuration changes. For example, after you add a collector, click Refresh to re-draw the diagram and show a new icon for the added collector.

Tool: Zoom in
Purpose: This option lets you expand the diagram view.

Tool: Zoom out
Purpose: This option lets you minimize the diagram view.

Tool: Zoom selected
Purpose: This option lets you enlarge the view of a selected portion in the diagram. Select a portion of the diagram by clicking the mouse and dragging a box around the required area. Then click the ZoomSelected icon to enlarge the area that you selected.

Tool: Fit to window
Purpose: This option returns the diagram to its original size, to fit the entire diagram in the right pane of the System view.

Tool: Save as
Purpose: This option lets you save the information in the diagram as an XML file. Symantec Technical Support may request this file to assist in troubleshooting.

Tool: Export Image
Purpose: This option lets you export the Visualizer image as a .gif or .jpg file. You can also adjust the image width and height, and define the clip area as a view or a graph.

Table 9-2 Visualizer tools (continued)

Tool: Print
Purpose: This option lets you print the diagram. On the Print Options dialog box, you can select the height (Poster Rows) and width (Poster Columns) if you print a very large diagram. The default setting (one poster row and one poster column) prints the entire diagram on a single page.

Tool: Table view
Purpose: This option displays a table with one row for each element that is involved in processing events. The table dynamically displays such information as EPS and the total number of events that the element has processed since it was last started. The details that are displayed in the table view can be saved into CSV format. A green check mark means that the element is running; a red X means that the element is not responding.

Tool: Use Magnifier
Purpose: This option lets you magnify any selected portion of the diagram.

Viewing and modifying element properties

You can view the properties of many of the elements in the Visualizer diagram. You can also modify some of these properties.
See "About using the Visualizer" on page 194.

The same properties are also accessible through other tabs on the System view. You use these tabs to add and delete elements, such as collectors. After you add an element, you distribute it; the element appears in the Visualizer. Table 9-3 explains how to access each of the element categories on other System view tabs.

Table 9-3 Accessing element properties on System view tabs

Category: Computers
How to access: This category includes appliances, agents, and collectors. Select Administration > Organizational Units. Select an organizational unit. In the list in the right pane, double-click the name of a computer. A dialog box displays the computer's properties.
See "About managing organizational units".

Table 9-3 Accessing element properties on System view tabs (continued)

Category: Directories
How to access: Select Administration > Directories. In the list in the right pane, double-click the name of a directory. A dialog box displays the directory's properties.

Category: Products
How to access: This category includes products such as collectors and firewalls. Select Product Configurations. In the left pane, click the name of a product. The right pane displays the product's properties.

To view and modify element properties
1 On the System view of the Information Manager console, click the Visualizer tab.
2 Right-click an icon in the diagram, and then click Properties. A dialog box displays a set of tabs that let you access the element's properties. The displayed properties depend on the type of element that you selected. For example, a collection appliance has different properties than an agent.
3 View and modify any of the available properties in the dialog box, using the tabs to navigate through the properties.
4 When you finish viewing and modifying properties, click OK.

Distributing configurations to computers in an organizational unit

Information Manager includes a Distribute option, which sends a message to all the computers in an organizational unit to check for new configurations. When a computer receives this message, it contacts Information Manager to request a download of the configurations.
See "About managing computers within organizational units" on page 177.

Using the Distribute feature is optional. When you change a product configuration or move a computer to a different organizational unit, the change is distributed when you click Save.

You can do the following to distribute configurations to computers in an organizational unit:
- You can distribute the configurations that are associated with an organizational unit to all computers that belong to the organizational unit.
- You can select specific computers to receive the latest configurations.

Note: The timing of configuration distribution varies depending on the amount of Information Manager traffic.

To distribute configurations to all computers in an organizational unit
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.
3 Right-click the name of the organizational unit to which you want to distribute configurations, and then click Distribute.
4 In the confirmation message box, click Yes.

To distribute configurations to selected computers in an organizational unit
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.
3 In the left pane, select the organizational unit that contains the computer or computers to which you want to distribute configurations.
4 In the right pane, select only those computers that you want to notify.
5 Right-click the selected computers, and then click Distribute.
6 To confirm your intention to distribute configurations, click Yes.

Moving a computer to a different organizational unit

Although a computer can belong to only one organizational unit, you can move computers from one organizational unit to another.
See "About organizational units" on page 173.

Warning: Before you move a computer, make sure that the security products you manage let you move computers.

To move a computer to a different organizational unit
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.
3 In the left pane, select the organizational unit that contains the computer or computers that you want to move.

4 In the right pane, right-click a computer, and then click Move. You may select multiple computers if you want to move all of them to the same organizational unit.
5 To confirm that you want to move the computers, click Yes.
6 In the Find Organizational Units dialog box, select the organizational unit to which you want to move the computers, and then click OK.
7 To verify that the move was successful, in the left pane, select the organizational unit to which you moved the computers. Look at the right pane to see whether the computers that you moved are now in the list.

If you move a computer that is an Information Manager server, you may have to log on again before you see the computer in the organizational unit. Agents that connect to the Information Manager server may need to be restarted.

About modifying computer permissions

When you create a role, permissions are assigned for each computer with regard to that role. These permissions control whether role members who log on to the Information Manager console can view, modify, or move the computer.

To modify the permissions for a computer, you must display the Permissions dialog box for the computer. You cannot modify permissions for computers using the Role Properties dialog box.
See "Modifying permissions from the Permissions dialog box" on page 152.

Note: To modify permissions, you must be logged on as a member of the Domain Administrator role.

Deleting a computer from an organizational unit

If you want to delete an organizational unit, you must first remove any computers within it by moving them or deleting them. You may also want to delete a computer that you no longer want under Information Manager management.

If the computer was created by installing an agent as part of a security product installation, uninstall the collectors and the agent from the computer before you delete the computer from the Organizational Units container in the Information Manager console.
See "Creating computers within organizational units" on page 178.

Deleting a computer from an organizational unit removes it from the LDAP directory.

Warning: If you delete a computer that is an Information Manager server, you must perform extra steps to add it to an organizational unit again. To restore a deleted Information Manager server to the LDAP directory, you must do one of the following: re-register the deleted server with the LDAP directory in which it was previously registered, or reinstall Information Manager on the server.

To delete a computer from an organizational unit

1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.
3 In the left pane, select the organizational unit that contains the computer that you want to delete.
4 In the right pane, right-click the computer name, and then click Delete.
5 To confirm your intention to delete the computer from the organizational unit, click Yes.

Section 4: Understanding event collectors

Chapter 10. Introducing event collectors
Chapter 11. Configuring collectors for event filtering and aggregation


Chapter 10: Introducing event collectors

This chapter includes the following topics:

About Event Collectors and Information Manager
Components of collectors
About Symantec Universal Collectors
About Custom Log Management
Downloading and installing the Symantec Universal Collectors
Correlating the logs collected in a file from a proprietary application

About Event Collectors and Information Manager

Security products and operating systems generate many kinds of events. Some events are informational, such as a user logging on, and others may indicate a security threat, such as antivirus software being disabled. Symantec Event Collectors gather, filter, and aggregate these events and forward both the raw and the processed events to Information Manager.
See "Components of collectors" on page 204.

Event Collectors collect information from security devices, critical applications, and services, such as the following product types:

Firewalls
Routers, switches, and VPNs
Enterprise Antivirus
Intrusion detection and intrusion prevention
Vulnerability scanners
Authentication servers
Windows and UNIX system logs

Information Manager stores the event data in event archives and correlates the events with threat and asset information. If a security event triggers a correlation rule, Information Manager creates a security incident. Information Manager provides real-time event correlation and data archiving to protect against security threats and to preserve critical security data.

For more details on event collectors, refer to the Symantec Event Collectors Integration Guide.

Components of collectors

Event collectors gather, filter, and aggregate security events and forward both the raw and the processed events to Information Manager.
See "About Event Collectors and Information Manager" on page 203.

Table 10-1 Major components of collectors

Component: Information Manager
Description: Refers to the Symantec Security Information Manager where events are processed, filtered, and stored. Allows for the centralized collection, classification, and normalization of events to enable alerts and reports across managed security products.

Component: Symantec Event Agent
Description: Refers to the Java application that performs the communication functions for the Information Manager components on the system on which it is installed.

Component: Collector
Description: Refers to an application that collects events from security products, processes them, and passes them to the Agent.

Component: Sensor
Description: Refers to the component that reads events from a file, database, syslog, Windows event log, or other medium. The sensor then passes the events to the remaining collector components. The information is then delivered to the Agent to be sent to Information Manager.

Component: Security or point product
Description: Refers to the software product, such as a firewall, antivirus software, or an operating system. The security product ensures that data is not vulnerable to unauthorized use or access and is the source of events to the collector.

See "About Event Collectors and Information Manager" on page 203.

About Symantec Universal Collectors

Symantec provides universal collectors. These universal collectors gather, filter, and aggregate events from security devices, critical applications, and services. The collectors then forward both the raw and the processed events to Information Manager. Universal collectors are used in scenarios where standard options are not available. You can use the Custom Logs view on the Web configuration interface to map the log information to the fields that Information Manager supports.

You can download the following universal collectors from the Downloads option on the Home view of the Web configuration interface:

Universal Collector for Windows
Universal Collector for Windows Vista
Universal Collector for Syslog
Universal Collector for Log file

See "Downloading and installing the Symantec Universal Collectors" on page 207.

About Custom Log Management

Information Manager uses event collectors that can be installed on the Information Manager server or on a computer that runs Symantec Event Agent. The collectors translate the collected data before it is handed over to the event service for archival and to the correlation service for correlation. Information Manager provides collectors for over 250 products. If a collector does not exist for an application in an environment, it is not possible to collect and normalize the data for that application.

The custom log management feature lets you collect logs from an application from which Information Manager does not support collection. You can analyze the received log data and adjust the fields where necessary to prepare the data for interpretation by Information Manager. To collect the logs, you can download and install the universal collectors that are available on the Web configuration interface. You can install universal collectors on the computers on which Symantec Event Agent is installed.

Custom log management works with the following components:

Universal log collector

Transports the log data that is collected from a point product or application to Information Manager. The universal log collectors can be installed on the Information Manager server or on other computers that have Symantec Event Agent installed on them.
See "Downloading and installing the Symantec Universal Collectors" on page 207.

You can download the following universal collectors from the Home > Downloads view of the Web configuration interface of Information Manager:

Universal Collector for Log File: Collects events from different log files.
Universal Collector for Windows: Collects events from Windows logs.
Universal Collector for Syslog: Collects events from syslog.
Universal Collector for Windows Vista: Collects events from Windows Vista.

Note: The universal collectors are preinstalled on the Information Manager server. The Universal Collector for Windows is not installed on the Information Manager server because it cannot run on Linux.

Collector mapping tool

Maps the log data that the universal collectors collect to the event fields that are defined within Information Manager. The mapping is done with the .norm files that are used for event normalization within Information Manager.
See "About normalization (.norm) files" on page 267.

You can provide the log data mappings in the following ways:

Pattern mapping: Lets you map the entire pattern of the log entries. The fields from the pattern are mapped to fields that Information Manager supports.

Direct mapping: Lets you map a field to another field. The mapped field is used to create new rules. In this case, both fields have the same value. For example, you can map the Agent IP to Source IP. In this case, the value of the Source IP field always corresponds to the value of the Agent IP field.

Literal mapping: Lets you assign literal constant values to the output event fields. For example, you can assign a constant value <###> to the Source Host field.

Downloading and installing the Symantec Universal Collectors

To collect logs from a proprietary application, first download and install the universal collectors on the computer on which Symantec Event Agent is installed.
See "About Symantec Universal Collectors" on page 205.

To download the universal collectors

1 Log on to the Web configuration interface as an administrator.
2 In the Web configuration interface of Information Manager, click Home > Downloads.

3 Click the download link for the universal collector that you want to download.
4 Save the installation zip file for the universal collector on the computer where you want to install the collector.

To install the universal collector on a remote computer that has Symantec Event Agent installed

1 On the computer on which Symantec Event Agent is installed, log on as administrator.
2 Unzip the installation package. The installation package includes a subdirectory that is named install. The installation files are located in a temporary directory. You must install some collectors on the same computer as the product for which they collect events.
3 At the command prompt, do one of the following:
  On Windows, type the following command: install.bat
  On UNIX, type the following command: sh ./install.sh
4 Follow the installation wizard prompts.

All the universal collectors are installed by default on the Information Manager server. The universal log file and syslog collectors are also installed by default on the Information Manager server.

Correlating the logs collected in a file from a proprietary application

By using the Custom Logs feature, you can correlate the logs that are collected from a proprietary application with the fields that Information Manager supports.

Consider an example of a log entry from a Linux system. The log entry should be in the following format:

<ip address>,<source host>,<user name>,<operating system>

Assume that the log entry is as follows:

1.23.45.67,ssim2,john,Linux

You can analyze the application log data that is collected from the Linux system in Information Manager. The custom log management feature lets you map the collected logs to the fields that Information Manager supports.

Ensure that the following requirements are met before you begin the analysis of the application log data:

Symantec Event Agent is installed on the computer on which the application logs are saved.
The Universal Collector for Log Files is downloaded and installed from the Home > Downloads view of the Web configuration interface.
In a multi-server setup, Information Manager must be registered with the Correlation Manager.

To collect and map the logs from a proprietary application, you must complete the following steps:

Download and install the universal collector.
See "Downloading and installing the Symantec Universal Collectors" on page 207.
Create a new sensor configuration.
Configure a reporting sensor from which the logs are collected.
See "Downloading and installing the Symantec Universal Collectors" on page 207.
Map the log fields to the fields that Information Manager supports.
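The three mapping kinds described above (pattern, direct, literal) applied to the sample entry 1.23.45.67,ssim2,john,Linux, as an added Python example that is neither Symantec code nor a .norm file. The Information Manager field names used here (source_ip, source_host, user_name, os_name, product_name, agent_ip), the agent address and the two rejected lines are constructed placeholders; the example also shows an entry that does not fit the pattern, or carries an impossible address, being rejected instead of forwarded half-mapped.

```python
"""Custom log mapping for the guide's comma-separated sample entry.

Added example, not Symantec code and not a .norm file. Field names such as
source_ip, os_name and product_name are constructed placeholders.
"""
import re

# Pattern mapping: one expression over the whole entry; the named groups are
# the four columns of <ip address>,<source host>,<user name>,<operating system>.
PATTERN = re.compile(
    r"^(?P<ip_address>\d{1,3}(?:\.\d{1,3}){3}),"
    r"(?P<source_host>[^,\s]+),"
    r"(?P<user_name>[^,\s]+),"
    r"(?P<operating_system>[^,]+)$"
)

# Direct mappings: (source field, destination field). Both fields carry the
# same value afterwards, like the guide's "Agent IP -> Source IP" example.
DIRECT = [
    ("ip_address", "source_ip"),
    ("operating_system", "os_name"),
]

# Literal mapping: a constant written into an output field for every entry.
LITERAL = {"product_name": "proprietary-app"}   # constructed value


class MappingError(ValueError):
    """Raised for an entry that cannot be mapped safely."""


def _valid_ipv4(text):
    parts = text.split(".")
    return len(parts) == 4 and all(0 <= int(p) <= 255 for p in parts)


def map_entry(line, agent_ip, pattern=PATTERN, direct=DIRECT, literal=LITERAL):
    """Turn one raw log line into an Information Manager-style event dict."""
    match = pattern.match(line.strip())
    if match is None:
        raise MappingError("entry does not match the configured pattern")
    event = {"agent_ip": agent_ip}          # supplied by the collecting agent
    event.update(match.groupdict())         # pattern mapping
    if not _valid_ipv4(event["ip_address"]):
        raise MappingError("ip address field is not a valid IPv4 address")
    for src, dst in direct:                 # direct mapping
        event[dst] = event[src]
    event.update(literal)                   # literal mapping
    return event


def map_lines(lines, agent_ip):
    """Map a batch of lines; return (mapped events, rejected (line, reason) pairs)."""
    mapped, rejected = [], []
    for line in lines:
        try:
            mapped.append(map_entry(line, agent_ip))
        except MappingError as exc:
            rejected.append((line, str(exc)))
    return mapped, rejected


if __name__ == "__main__":
    sample = [
        "1.23.45.67,ssim2,john,Linux",      # the guide's entry
        "not a log line at all",            # constructed: wrong shape
        "999.1.1.1,host9,alice,Linux",      # constructed: octet out of range
    ]
    ok, bad = map_lines(sample, agent_ip="10.0.0.5")
    for ev in ok:
        print(ev)
    for line, reason in bad:
        print("rejected:", repr(line), "->", reason)
```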


Chapter 11: Configuring collectors for event filtering and aggregation

This chapter includes the following topics:

Configuring event filtering
Configuring event aggregation

Configuring event filtering

You can use event filtering to exclude events from being forwarded to Information Manager. Event filters let you reduce the event traffic and the number of events that are stored in the event database. Filters also let you discard the data that is less important to your organization's security.

You can also import and export filtering configurations. Filtering configurations are exported in an XML file format; you must use the same XML file format to import the configuration. Event filtering is not advisable for all collectors.

The XML file for filtering should be in the following format:

```xml
<?xml version="1.0" encoding="utf-8"?>
<filter>
  <filter-spec enabled="false" index="0" name="specification 0">
    <filter-field comparator="eq" name="queue_product_id">1</filter-field>
  </filter-spec>
  <filter-spec enabled="true" index="1" name="specification 1">
    <filter-field comparator="eq" name="server">33</filter-field>
  </filter-spec>
</filter>
```

Event filter configuration consists of the following actions:

Adding and enabling the event filtering rules. See "To add and enable event filtering rules" on page 212.
Changing the existing event filtering rules. See "To change existing event filtering rules" on page 213.
Importing and exporting the event filtering rules. See "To import and export event filtering rules" on page 214.

Some collectors include predefined filtering rules. Some of these predefined filtering rules are also pre-enabled.

To add and enable event filtering rules

1 In the Information Manager console, in the left pane, click System.
2 On the Product Configurations tab, in the middle pane, expand the tree until you reach the sensor configuration of a collector.
3 In the right pane, on the Filter tab, click Add.
4 Double-click Specification n (where n is 0, 1, 2, and so on), type a name for the rule, and click OK.
5 Under the rule properties table, click Add, and perform the following tasks in the order shown:
  In the Name column, type a name for the event filter property (for example, IP Destination Port). You can also double-click in the Name text box to bring up an Information Manager fields window. You can choose from the list of items that are presented in the expanded directories of the Information Manager fields window.
  In the Operator column, select an operator from the drop-down list (for example, equal to).
  In the Value column, type a value or select a preset value for the event filter property (for example, 80 for the port number).
  You can filter events by pattern by using a regular expression function. For example, to filter all events that contain "SUCCESS", enter the following in the Value column:
  regex(.*success.*)

  All characters within the parentheses are part of the regular expression:
  "." and "*" are both metacharacters.
  "." matches any character.
  "*" matches zero or more occurrences of the preceding element.
  Therefore, the expression matches zero or more occurrences of any character, followed by the literal string SUCCESS, followed by zero or more occurrences of any character. To rephrase, it matches the literal string SUCCESS anywhere within the field.
6 Repeat step 5 to add more event filtering information for the rule. All rules within a given specification use the Boolean AND to determine whether an event is a candidate for filtering. If there are multiple specifications, each specification uses the Boolean OR.
7 When you are finished adding information for the rule, in the filter list, check the filter name.
8 Click Save.
9 In the left pane, right-click the appropriate configuration, and then click Distribute.
10 When you are prompted to distribute the configuration, click Yes.
11 In the Configuration Viewer window, click Close.

To change existing event filtering rules

1 In the Information Manager console, in the left pane, click System.
2 On the Product Configurations tab, in the middle pane, expand the tree until you reach a sensor configuration of a collector.
3 In the right pane, on the Filter tab, perform any of the following tasks:
  To add a specification, click Add.
  To delete a specification, select the specification, and then click Remove.
  To delete all specifications, click Remove All.
4 Perform any of the following tasks:
  To determine the order in which Information Manager invokes the event filters, next to the list of specifications, click the arrow icons.
  To change the name of the specification, double-click the specification in the specification list, and then, in the Name text box, type a new name.
  If you want to disable a specification, but you do not want to delete it, in the filter list, uncheck the filter name.

5 In the rule properties table, change the information in any of the following columns: Name, Operator, Value.
6 Under the rule properties table, perform any of the following tasks:
  To add a rule property, click Add.
  To delete a rule property, select the rule property, and click Remove.
  To delete all rule properties, click Remove All.
7 Click Save.
8 In the left pane, right-click the appropriate collector configuration, and then click Distribute.
9 When you are prompted to distribute the configuration, click Yes.
10 In the Configuration Viewer window, click Close.

To import and export event filtering rules

1 In the Information Manager console, in the left pane, click System.
2 On the Product Configurations tab, in the middle pane, expand the tree until you reach a sensor configuration of a collector.
3 In the right pane, on the Filter tab, perform one of the following tasks:
  If you want to import, click Import configuration from XML file.
  If you want to export, click Export configuration to XML file.
4 Perform one of the following tasks:
  In the Import Configuration From File window that appears, specify the XML file to import into the collector.
  In the Export Configuration to File window that appears, specify a file name to export the configurations.

Configuring event aggregation

Collectors include a feature that lets you group similar events. By grouping events, you reduce event traffic and the number of events that are stored in the event datastore. The first event of a given type is sent to Symantec Security Information Manager immediately. All subsequent events of the same type are sent as one aggregated event. Aggregated events contain start and end times, but all other event fields are taken from the first event in the aggregated set. Not all collectors should use event aggregation.

You can also import and export aggregation configurations. Aggregation configurations are exported in an XML file format; you must import configurations in the same XML file format.
See "About Event Collectors and Information Manager" on page 203.

The XML file for aggregation should be in the following format:

```xml
<?xml version="1.0" encoding="utf-8"?>
<aggregator maxbuffer="0">
  <aggregator-spec enabled="true" index="0" name="specification 0" time="124">
    <aggregator-fields>
      <aggregator-field name="display_id" operator="eq">15</aggregator-field>
    </aggregator-fields>
    <similarity-fields>
      <similarity-field name="data_scan_guid"/>
    </similarity-fields>
  </aggregator-spec>
  <aggregator-spec enabled="false" index="1" name="specification 1" time="234">
    <aggregator-fields>
      <aggregator-field name="connection_type_name" operator="neq">1</aggregator-field>
    </aggregator-fields>
    <similarity-fields/>
  </aggregator-spec>
</aggregator>
```

Event aggregation configuration includes the following actions:

Adding and enabling event aggregation rules. See "To add and enable event aggregation rules" on page 216.
Changing existing event aggregation rule configurations. See "To change existing event aggregation rule configurations" on page 216.
Importing and exporting event aggregation rules. See "To import and export event aggregation rules" on page 217.

This feature is not advisable with all collectors. Event aggregation rules are not configured by default. You must add the rules before you can enable or configure them.

To add and enable event aggregation rules

1 In the Information Manager console, in the left pane, click System.
2 On the Product Configurations tab, in the middle pane, expand the tree until you reach the sensor configuration of a collector.
3 In the right pane, on the Aggregator tab, click Add.
4 Double-click Specification n (where n is 0, 1, 2, and so on), and type a name for the rule.
5 Under the rule properties table, click Add, and perform the following tasks in the order shown:
  In the Name column, select or type a name for the event aggregation property (for example, Event Date). You can also double-click in the Name text box to open an Information Manager fields window. You can choose a name from the list of items that are presented in the expanded directories of the Information Manager fields window.
  In the Operator column, select an operator from the drop-down list (for example, greater than).
  In the Value column, type a value or select a preset value for the event aggregation property (for example, 2004-03-30 19:18:31).
6 Repeat step 5 to add more event aggregation information for the rule. All rules within a given specification use the Boolean AND to determine whether or not an event is a candidate for aggregation. If there are multiple specifications, each specification uses the Boolean OR.
7 In the Aggregation time (ms) text box, type the time in milliseconds within which a subsequent event must occur to be aggregated by this rule. The default value is 100. This property applies to all aggregation rules.
8 When you are finished adding information for the rule, in the aggregator list, check the aggregator name.
9 Click Save.
10 In the left pane, right-click the appropriate configuration, and click Distribute.
11 When you are prompted to distribute the configuration, click Yes.

To change existing event aggregation rule configurations

1 In the Information Manager console, in the left pane, click System.
2 On the Product Configurations tab, in the middle pane, expand the tree until you reach a sensor configuration of a collector.

3 In the right pane, on the Aggregator tab, under the list of rules, perform any of the following tasks:
  To add a specification, click Add.
  To delete a specification, select the rule, and click Remove.
  To delete all specifications, click Remove All.
4 To determine the order in which Information Manager follows the event aggregation specifications, next to the list of specifications, click the arrow icons.
5 To change the name of the specification, double-click the specification in the specification list, and, in the Name box, type a new name.
6 To change the time within which a subsequent event must occur to be aggregated by this rule, in the Aggregation time (ms) box, type the new time in milliseconds. The default value is 100. This property applies to all aggregation rules.
7 To disable a specification without deleting it, in the aggregator list, uncheck the aggregator name.
8 In the rule properties table, change information in any of the following columns: Name, Operator, Value.
9 Under the rule properties table, perform any of the following tasks:
  To add a rule property, click Add.
  To delete a rule property, select the rule property, and click Remove.
  To delete all rule properties, click Remove All.
10 Click Save.
11 In the left pane, right-click the appropriate collector configuration, and click Distribute.
12 When you are prompted to distribute the configuration, click Yes.

To import and export event aggregation rules

1 In the Information Manager console, in the left pane, click System.
2 On the Product Configurations tab, in the middle pane, expand the tree until you see a sensor configuration of a collector.
3 In the left pane, select the appropriate configuration.
4 In the right pane, on the Aggregator tab, perform one of the following tasks:
  If you want to import, click Import configuration from XML file.
  If you want to export, click Export configuration to XML file.
5 Perform one of the following tasks:
  If you want to import, in the Import Configuration From File window that appears, specify the XML file you want to import into the collector.
  If you want to export, in the Export Configuration to File window that appears, specify a file name to which to export the configurations.
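The filtering and aggregation semantics this chapter describes, worked through over a constructed event stream as an added Python example (not Symantec code): fields inside one specification are ANDed, specifications are ORed, a disabled specification is ignored, the first event of an aggregation set is forwarded at once, and later events whose similarity fields match are merged into one event that keeps the first event's fields plus start and end times. Assumptions not stated on the page: a Value written regex(...) is matched as a full-match regular expression, the spec's time attribute is counted from the previous event in the set, and the description filter field, the event field names and the millisecond timestamps are constructed for the demonstration.

```python
# Added example, not Symantec code: collector-side filtering and aggregation driven
# by the chapter's two XML formats. Sample configuration and events are constructed.
import re
import xml.etree.ElementTree as ET

FILTER_XML = """<?xml version="1.0" encoding="utf-8"?>
<filter>
  <filter-spec enabled="false" index="0" name="specification 0">
    <filter-field comparator="eq" name="queue_product_id">1</filter-field>
  </filter-spec>
  <filter-spec enabled="true" index="1" name="specification 1">
    <filter-field comparator="eq" name="server">33</filter-field>
    <filter-field comparator="eq" name="description">regex(.*SUCCESS.*)</filter-field>
  </filter-spec>
</filter>"""

AGGREGATOR_XML = """<?xml version="1.0" encoding="utf-8"?>
<aggregator maxbuffer="0">
  <aggregator-spec enabled="true" index="0" name="specification 0" time="124">
    <aggregator-fields>
      <aggregator-field name="display_id" operator="eq">15</aggregator-field>
    </aggregator-fields>
    <similarity-fields>
      <similarity-field name="data_scan_guid"/>
    </similarity-fields>
  </aggregator-spec>
</aggregator>"""


def _matches(operator, actual, wanted):
    # eq/neq on the string form; a value written regex(...) is a full-match regex (assumed)
    rx = re.fullmatch(r"regex\((.*)\)", wanted, re.S)
    hit = re.fullmatch(rx.group(1), str(actual)) is not None if rx else str(actual) == wanted
    return hit if operator == "eq" else not hit


def _fields(node, tag, op_attr):
    return [(f.get("name"), f.get(op_attr), (f.text or "").strip()) for f in node.iter(tag)]


def load_filter(xml_text):
    # only enabled specifications take part; each is a list of (name, comparator, value)
    return [_fields(spec, "filter-field", "comparator")
            for spec in ET.fromstring(xml_text).findall("filter-spec")
            if spec.get("enabled") == "true"]


def is_filtered(event, specs):
    # AND across the fields of one specification, OR across specifications
    return any(all(_matches(op, event.get(n, ""), v) for n, op, v in spec) for spec in specs)


def load_aggregator(xml_text):
    rules = []
    for spec in ET.fromstring(xml_text).findall("aggregator-spec"):
        if spec.get("enabled") == "true":
            rules.append({"name": spec.get("name"), "window_ms": int(spec.get("time")),
                          "fields": _fields(spec, "aggregator-field", "operator"),
                          "similar": [s.get("name") for s in spec.iter("similarity-field")]})
    return rules


class Aggregator:
    def __init__(self, rules):
        self.rules = rules
        self.open = {}   # (rule name, similarity values) -> pending aggregated event

    def _close(self, key):
        pending = self.open.pop(key, None)
        return [pending] if pending and pending["count"] else []   # nothing absorbed: nothing to send

    def push(self, event):
        rule = next((r for r in self.rules
                     if all(_matches(op, event.get(n, ""), v) for n, op, v in r["fields"])), None)
        if rule is None:
            return [event]                          # not a candidate: forward unchanged
        key = (rule["name"],) + tuple(event.get(s, "") for s in rule["similar"])
        pending = self.open.get(key)
        if pending and event["time_ms"] - pending["end_time"] <= rule["window_ms"]:
            pending["end_time"] = event["time_ms"]  # absorbed: only end time and count change
            pending["count"] += 1
            return []
        out = self._close(key)                      # an expired set is sent first
        out.append(event)                           # first event of a new set goes out at once
        self.open[key] = dict(event, start_time=event["time_ms"], end_time=event["time_ms"], count=0)
        return out

    def flush(self):
        return [e for key in list(self.open) for e in self._close(key)]


def run_pipeline(events, filter_xml=FILTER_XML, agg_xml=AGGREGATOR_XML):
    specs, agg, forwarded = load_filter(filter_xml), Aggregator(load_aggregator(agg_xml)), []
    for ev in events:
        if not is_filtered(ev, specs):              # filtering runs before aggregation
            forwarded.extend(agg.push(ev))
    forwarded.extend(agg.flush())
    return forwarded


SAMPLE_EVENTS = [   # constructed stream; time_ms is a relative arrival time in milliseconds
    {"time_ms": 0, "server": 33, "description": "Logon SUCCESS"},     # dropped by spec 1
    {"time_ms": 10, "queue_product_id": 1, "display_id": 15, "data_scan_guid": "A"},  # spec 0 disabled
    {"time_ms": 50, "display_id": 15, "data_scan_guid": "A"},          # merged into set A
    {"time_ms": 100, "display_id": 15, "data_scan_guid": "A"},         # merged into set A
    {"time_ms": 120, "display_id": 15, "data_scan_guid": "B"},         # opens set B
    {"time_ms": 400, "display_id": 15, "data_scan_guid": "A"},         # 300 ms gap: set A closes
    {"time_ms": 410, "display_id": 7, "data_scan_guid": "A"},          # not a candidate
]
```

Running run_pipeline(SAMPLE_EVENTS) forwards five events: the first of set A, the first of set B, the aggregate for set A (start 10, end 100, two absorbed events), the event that reopened set A, and the non-candidate.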

Section 5: Working with events and event archives

Chapter 12. Managing event archives
Chapter 13. Forwarding events to the Information Manager Server
Chapter 14. Understanding event normalization
Chapter 15. Collector-based event filtering and aggregation


Chapter 12: Managing event archives

This chapter includes the following topics:

About events, conclusions, and incidents
About the Events view
About the event lifecycle
About event archives
About multiple event archives
Creating new event archives
Specifying event archive settings
Creating a local copy of event archives on a network computer
Restoring event archives
Viewing event data in the archives
About working with event queries

About events, conclusions, and incidents

Security products and operating systems generate many kinds of events. Some events are informational, such as a user logging on, and others may indicate a security threat, such as antivirus software being disabled.

A conclusion occurs when one or more events match a correlation rule pattern. Information Manager normalizes events from multiple security products and looks for the patterns that indicate potential threats.

An incident is the result of one or more conclusions that are identified as a type of attack. There can be many conclusions that are mapped to a single incident.

For example, if a single attacker causes a number of different patterns to be matched, those are grouped into a single incident. Similarly, if a vulnerability scan uncovers a computer that suffers from a number of different vulnerabilities, these are all grouped into a single incident. Or, if a number of different computers report the same virus, Information Manager creates a single outbreak incident.

About the Events view

See "About security products and devices" on page 22.

The Events view provides access to all of the event archives used by the Information Manager server. Each archive stores events based on the Event Storage Rules that you configure on the System view.

To view the events that are stored in any archive, you can do the following:

Use the preconfigured query templates or system queries. The preconfigured templates and queries provide the parameters that you can set. You can choose the archive that you want to search, the time period within which you want to search for events, and so forth. Some templates and queries have more parameters than others, depending on the purpose of the query.
Save a copy of any preconfigured template query with the parameters that you have chosen, and customize the copy.
Create a new query using the Query Wizard.
Schedule queries to be distributed as CSV reports.

When a template or query is run, the results are displayed in the results pane of the Events view. The results pane enables you to view and search for information about archived events in both graphical and text formats. You select the archive you want to research, and the viewer displays a histogram that represents the data stored in that archive. You can then narrow the display to a particular historical period (for example, the previous month or a specific one-hour period). You can display event details in a table and drill down to get all details about one event at a time. You can also filter the results in this view.
See "About events, conclusions, and incidents" on page 221.

About the event lifecycle

Figure 12-1 shows the lifecycle of an Information Manager event.

Figure 12-1 Event lifecycle

Information Manager processes security event data in the following manner:

The event collector collects the raw event data from the security product.
The event collector normalizes the event data and filters and aggregates the events according to the event collector configuration settings.
The agent sends the normalized events and, if configured, the raw event data to the designated Information Manager.
Information Manager stores the event in the event archive.
Information Manager updates the event summary tables with the event information.
Information Manager correlates the event and, if the event triggers a correlation rule, creates an incident.
Information Manager stores the incident in the incident database.
Information Manager console users view incident and event reports.

See "About events, conclusions, and incidents" on page 221.

224 Managing event archives About event archives About event archives Event archives provide a compact, convenient way to store event data for regulatory compliance, forensic research, and long-term data retention. Event archives contain event data from the security products that are set up to forward events to a Symantec Security Information Manager Server. Note: By default, newly created event archives are stored for seven days, but you can adjust this period to meet your requirements. However, when the available server disk space runs low, the server purges event archives. The default maximum quota is 90%, and the default free space quota is 1%. If your company requires long-term retention of event data, you can use scp or rsync over an SSH connection to copy the event archives from the server. See About events, conclusions, and incidents on page 221. About multiple event archives You can create multiple event archives to organize events into the logical folders that Information Manager stores. You can create up to 16 archives on any server. Multiple event archives lets you distribute the events Information Manager receives into separate folders and across multiple servers based on the criteria that you choose. For example, you can create an individual archive for each product that you monitor, such as an antivirus product. You can store the product generates events in a separate archive. You can create multiple archives on a single instance of Information Manager, on an attached storage device such as a DAS. You can also spread out the archives across multiple servers. To query the event data for further analysis, you can perform a query on any or all of the event archives that you have created. That includes the archives that are stored on separate instances of Information Manager. For example, if you created an archive that is exclusively used for antivirus events, you can choose to search the contents of that single archive or any combination of archives. 
By organizing events into individual archives, you can improve the performance of the queries that you run. When an event is received, it is evaluated against the filter criteria of the event filters in the order in which the filters are listed in the console. Beginning with the first filter in the list, the event is passed through the filter to check for a match. If a match is found, the event is stored in the archive that you have specified for that filter, and event storage is complete. If the event does not match, it moves to the next filter in the list for evaluation. If no match is found in any of the filters that you have created, the event falls into the default archive.
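The first-match evaluation described above, as an added simulation that is not part of the guide and not SSIM code. The rule format ("archive path|field|required value"), the event format ("field=value;field=value") and the sample events are assumptions made for this demonstration; the point it shows is that list order decides where an event lands when more than one rule matches.

```shell
#!/bin/sh
# Added example, not code from the SSIM guide or product: a small simulation
# of how an ordered list of Event Storage Rules routes an event. The rule
# format "archive path|field|required value" and the event format
# "field=value;field=value" are assumptions made for this demonstration.
#
# List order is evaluation order, exactly like the rule list in the console.
RULES='ssim_system|product|SSIM System
collectors/pix|product|Cisco PIX
high_severity|severity_id|4'

# Routes one event and prints the archive path it lands in. The first rule
# that matches wins and evaluation stops; an event that matches no rule
# falls through to the "default" archive.
route_event() {
  event=$1
  match=$(printf '%s\n' "$RULES" | while IFS='|' read -r archive field value; do
    case ";$event;" in
      *";$field=$value;"*) printf '%s' "$archive"; break ;;
    esac
  done)
  printf '%s\n' "${match:-default}"
}

# Routes a batch of events (one per line on stdin) and prints one
# "archive count" line per archive, which is what you would see if you ran
# a count query against each archive afterwards.
count_per_archive() {
  while IFS= read -r ev; do
    [ -n "$ev" ] && route_event "$ev"
  done | sort | uniq -c | awk '{ print $2, $1 }'
}

# Constructed sample events (not real SSIM data). The second event satisfies
# both the Cisco PIX rule and the severity 4 rule, but lands in
# collectors/pix because that rule is listed first.
SAMPLE_EVENTS='product=SSIM System;severity_id=1
product=Cisco PIX;severity_id=4
product=Cisco PIX;severity_id=3
product=Symantec AntiVirus;severity_id=4
product=Symantec AntiVirus;severity_id=2'

# Usage: printf '%s\n' "$SAMPLE_EVENTS" | count_per_archive
```

Reordering the two product rules below the severity rule would move the Cisco PIX severity 4 event into high_severity, which is the behaviour to keep in mind when a broad filter (severity only) sits above a narrow one.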

To create a new event archive, you create a set of event filters that distribute the events into the appropriate archive. When you define a filter that specifies an archive in which the events are stored, you define a subfolder on the server that behaves as a separate archive.

See "About event archives" on page 224.

Creating new event archives

When you install Information Manager, a single archive is created by default.

Note: An archive ID must be unique throughout the entire Information Manager domain. You cannot use the same archive ID in any other Event Storage Rule on any other server in the Information Manager domain.

See "About event archives" on page 224.

To create a new event archive

1. On the console of the Information Manager client, click System.
2. In the left pane of the Server Configurations tab, expand the tree for the Information Manager server that you want to configure, and click Event Storage Rules.
3. Click the Add (plus sign) icon.
4. In the Archive Rule Properties dialog box, in the Rule name field, type a name for the new archive.
5. In the Inclusion Filter area, add the criteria for the events that you want to store. For example, to store all Information Manager System events in this archive, the filter would be Product = SSIM System. If you do not select any filter criteria, the archive stores all events by default.
6. In the Enter data retention (days) field, type the number of days that you want the archive to retain the data. Events that are outside of this range are purged. A setting of 0 for retention days means that events are purged based on their age.
7. In the Max archive quota drop-down list, choose a percentage.
8. In the Free space quota drop-down list, choose a percentage.
9. In the Archive ID field, type an ID if you use customized IDs for archives, or accept the default setting.

10. In the Archive Path field, specify a path relative to the Events folder on the server, or accept the default path. The path name that you specify cannot start with a slash and must be alphanumeric. The path is created in the server's file system under the /eventarchive folder. For example, if you enter the archive path collectors/pix, the folder /eventarchive/collectors/pix is created in the file system.
11. Click OK, and then click Apply.

To view new archives in the Events view of the console, you must first log out and then log on again.

Specifying event archive settings

The event archive feature has several settings that determine how much data is stored and how long the data is stored. You can change the default settings in the Information Manager console. Event archiving is automatically enabled during Information Manager installation.

The name of the Information Manager server appears in the left pane of the System view. If you have multiple Information Manager servers or multiple archives, each one appears in the tree. If you also use direct-attached storage for off-box storage, use the Information Manager Web configuration interface to specify the event archive settings for it.

See "About event archives" on page 224.

After you have configured the event archives, verify that the necessary summarizers have been enabled. You can enable the summarizers from the Database option under the Settings view of the Web configuration interface.

To specify event archive settings

1. In the Information Manager console, click System.
2. In the left pane of the Server Configurations tab, expand the tree to the Information Manager server that you want to configure.
3. Under the Information Manager server, click Event Storage Rules.
4. In the Event Storage Rules area of the details pane, double-click the archive that you want to configure.

5. In the Archive Rule Properties dialog box, change the following as required:

   Archive ID: You can change the Archive ID. However, the ID must be unique across the Information Manager domain.
   Rule name: You can change the name of the rule.
   Inclusion filter: Configure the filters in the list according to your filtering criteria. If there are no filters, all events that the filter processes are stored in this archive.
   Enter the data retention (days): Specify how long events are stored in the archive before they are automatically deleted.
   Max archive quota: Specify the proportion of server disk space that can be used for storing event archives. Note: You should modify the default setting only under the guidance of Symantec personnel. Choosing the wrong setting can cause the server to run out of disk space.
   Free space quota: Specify the proportion of server disk space that must remain available to continue storing event archives. Note: You should modify the default setting only under the guidance of Symantec personnel. Choosing the wrong setting can cause the server to run out of disk space.

6. Click OK.
7. To enable the rule, in the Event Storage Rules area, select the check box in the Enabled column for the rule.
8. Click Apply.
9. Close the Information Manager console, and then log on to the Information Manager server again.

Events are filtered through the list of archives in the order of the event archive rules. The first archive in the list that matches the characteristics of the event stores the event, and evaluation of the event archive rules for that event stops.

Creating a local copy of event archives on a network computer

You can copy event archives from the Information Manager server to another computer. Later, you can access these archives through an instance of the Information Manager console on that computer. Use this procedure to create a local event archive on a computer on your network.

Warning: Do not copy individual files, because they do not work as expected. You must follow the steps in this procedure to preserve the directory structure, which contains necessary date information. You should also perform this procedure during periods of lower event and incident activity.

See "About event archives" on page 224.

To create a local event archive

1. Make sure that you have sufficient space on the Information Manager server for the .tar file that this procedure generates.
2. In a command window, type the following command:
   cd /
3. Type the following command:
   tar -cz eventarchive >eventarchive.tar.gz
   Information Manager creates a gzipped .tar file in the root directory on the server. This file contains all of the event archives on the server and the archive directory structure. You can also create a copy of a single archive by identifying the archive in the /eventarchive folder and specifying that archive in the command in this step.
4. Transfer the gzipped .tar file to the desired location by using SCP or another method of your choice.
5. Unzip the gzipped .tar file.

The events in the new local archive are now viewable in the Information Manager console. A user can view the events only if the user has access to the location where the local archive resides.

See "To view the events that are stored in a local copy of an archive" on page 230.

Restoring event archives

You can view events from the archives that were copied from other computers. To view the archives that were copied from another computer, you must copy the entire archive folder to the appropriate location. When you copy archives from another computer, only the owner has read and write permissions on the archive folder. Group users and other users do not have any permission on the files and folders. To be able to view events from the archives that were copied from another computer, you must grant read permissions to group and other users.

See "About event archives" on page 224.

To grant appropriate permissions, you must do the following:

- Change the permissions on the files in the destination archive folder from 600 to 644.
- Set the permissions of all folders under the /eventarchive partition to 755 (drwxr-xr-x) or 2755 (drwxr-sr-x).
- Change the ownership of the folder to sesuser.

To restore archives from another computer

1. Copy the archive folder that you want to the /eventarchive partition, into its appropriate location (the archive path).
2. All folders under the eventarchive partition should have the owner and group sesuser:ses. Run the following commands to change the ownership of the folders:
   cd /eventarchive
   chown -R sesuser:ses default
   chown -R sesuser:ses ssimlogs
3. All folders under the eventarchive partition should have permissions 755 (drwxr-xr-x) or 2755 (drwxr-sr-x). Change the permissions on the folders to 755 as shown in the following example:
   cd /eventarchive
   chmod -R 755 default
   chmod -R 755 ssimlogs
4. All files in the archive folders must have permissions 644 (-rw-r--r--). Change the permissions on all the files in the archive folders to 644 as shown in the following example:
   chmod 644 /eventarchive/default/2009/08/01/1249139954617.edx
   You must change the permissions for all of the files in the folder.
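The copy procedure and the restore procedure above, rehearsed end to end as an added example that is not part of the guide and not SSIM's own commands. It runs on a constructed directory tree under temporary folders so it works on any Linux host without root: SERVER_ROOT stands in for "/" on the Information Manager server and REMOTE_ROOT for "/" on the receiving computer (both assumptions), cp stands in for scp, tar is given the archive name with -f explicitly, and the second .edx file name is made up. It also generalizes the guide's per-folder chown and chmod commands with find, so every folder and file under the copied archive is covered rather than only the folders the guide names.

```shell
#!/bin/sh
# Added example, not the guide's own commands: rehearses the copy and restore
# procedures on a constructed tree under temporary folders. SERVER_ROOT and
# REMOTE_ROOT stand in for "/" on the two computers (assumptions); cp stands
# in for scp.
set -e
SERVER_ROOT=$(mktemp -d)
REMOTE_ROOT=$(mktemp -d)
OWNER_GROUP=${OWNER_GROUP:-sesuser:ses}   # the owner the guide requires

# Constructed sample archives. The year/month/day folders carry the date
# information the guide's warning refers to, which is why files must never
# be copied individually. The first .edx name is the guide's example; the
# second is made up here.
make_sample_archives() {
  mkdir -p "$SERVER_ROOT/eventarchive/default/2009/08/01" \
           "$SERVER_ROOT/eventarchive/ssimlogs/2009/08/02"
  printf 'sample' > "$SERVER_ROOT/eventarchive/default/2009/08/01/1249139954617.edx"
  printf 'sample' > "$SERVER_ROOT/eventarchive/ssimlogs/2009/08/02/1249226354617.edx"
  # Mimic what a copy from another computer looks like: owner-only access.
  find "$SERVER_ROOT/eventarchive" -type d -exec chmod 700 {} +
  find "$SERVER_ROOT/eventarchive" -type f -exec chmod 600 {} +
}

# Steps 2-3 of "To create a local event archive": run tar from the root so
# every path inside the tarball starts with "eventarchive/". Pass
# "eventarchive" for everything or "eventarchive/default" for one archive.
pack_archives() {   # $1 = path relative to the root
  ( cd "$SERVER_ROOT" && tar -czf eventarchive.tar.gz "$1" )
}

# Steps 4-5: transfer the tarball and unpack it at the same relative place.
unpack_archives() {
  cp "$SERVER_ROOT/eventarchive.tar.gz" "$REMOTE_ROOT/"
  ( cd "$REMOTE_ROOT" && tar -xzf eventarchive.tar.gz )
}

# Steps 2-4 of "To restore archives from another computer", generalized with
# find: folders 755, files 644, owner sesuser:ses. The chown needs root and
# an existing sesuser account, so it is skipped when either is missing.
fix_archive_permissions() {   # $1 = the eventarchive folder to fix
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  if [ "$(id -u)" -eq 0 ] && id "${OWNER_GROUP%%:*}" >/dev/null 2>&1; then
    chown -R "$OWNER_GROUP" "$1"
  fi
}

# Counts the folders and files that still do not have the required modes
# (755 or the setgid variant 2755 for folders, 644 for files); 0 means the
# copied archive is readable by group and other users.
count_permission_problems() {   # $1 = the eventarchive folder to check
  find "$1" \( -type d ! -perm 755 ! -perm 2755 \) -o \( -type f ! -perm 644 \) \
    | wc -l | tr -d ' '
}

# Lists the .edx files under the restored tree, sorted, so the caller can
# confirm the archive path and date folders survived the round trip.
list_restored_edx() {
  ( cd "$REMOTE_ROOT" && find eventarchive -name '*.edx' | sort )
}
```

Run make_sample_archives, pack_archives eventarchive, unpack_archives and then fix_archive_permissions "$REMOTE_ROOT/eventarchive"; count_permission_problems should report 0 afterwards, and list_restored_edx shows the same relative paths that existed on the server side.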

Viewing event data in the archives

You can view the events for each archive that is created for each Information Manager server in your network. You can also view the events that are stored in the local event archive of the computer on which the console is installed.

You can view event archives in the following ways:

- Use the preinstalled templates and queries to view the events that are stored in any of the archives that you choose. See "To view the events that are stored in a local copy of an archive" on page 230.
- Use the Query Wizard to create a query to be executed on a particular archive or set of archives. See "About working with event queries" on page 239.

To view the events that are stored in the event archives

1. In the Information Manager console, click Events.
2. Expand the tree in the left pane to view the event template and query folders.
3. Choose an event query that returns the event data that you want to view. For example, in the Templates folder, click the All Events template.
4. In the details pane, select the archives that contain the events that you want to view.
5. Click Run Template, or if you use a query from one of the Query folders, click Run Query.

To view the events that are stored in a local copy of an archive

1. In the Information Manager console, click Events. The tree in the left pane displays the ID of the Information Manager server where the live archive is stored.
2. To access a local archive, click Local Event Archives, click the + icon (the plus sign) on the toolbar, and then navigate to the location of the archive.
3. Select Add Archive.
4. Click All Events under the appropriate address in the left pane.
5. Select Local archive, and click Run template. Archived event data is displayed in a histogram in the right pane.

To save displayed data to a file

1. After you have run the template or query, click the Export icon on the toolbar.
2. Navigate to the location where you want to save the file, and type a name in the File name box.
3. Click Save.

To remove a local archive from the viewer

1. In the left pane, click the name of the local archive that you want to remove.
2. Click the - icon (the minus sign) on the toolbar. Information Manager removes the event archive from the viewer. You can now use the left pane to navigate to a different event archive.

About the event archive viewer right pane

The right pane of the event archive viewer contains the following components, which you can manipulate to display the data that you want:

- Event data histogram
- Event details table

See "Viewing event data in the archives" on page 230.

Manipulating the event data histogram

The X-axis of the event data histogram is the time dimension, and the Y-axis is the event count (by default). To identify specific time periods, move the mouse over the histogram and hover (without clicking) over one bar at a time. A label displays the date, time, and number of events that correspond to that bar.

Note: The histogram is available only for the All Events query.

See "Viewing event data in the archives" on page 230.

The toolbar above the histogram includes several tools that change the appearance of the histogram to help you access the information that you want. You can manipulate the histogram in the following ways:

- To change the timeframe of the view, select an option from the View drop-down list; for example, select Last 12 hours. You can also choose a custom view. See "Setting a custom date and time range" on page 232.
- To expand the amount of data that is displayed in the current view of the histogram, click the Zoom Out icon. If you keep clicking, you gradually display the entire dataset in this window.
- To gradually narrow the amount of data that is displayed in the current view of the histogram, click the Zoom In icon.
- To change the time resolution on the X-axis, make a selection from the Resolution drop-down list. For example, select Hours to group the data in hour-long units.
- To search for a specific time period and event type, click the Filter icon. The Event Filter dialog box that appears lets you choose a time range and filter criteria. See "To filter with the advanced filter option" on page 238.
- To move forward and backward in time, click the right-facing and left-facing arrows beside the histogram.
- To change the Y-axis to display events per second, select Events per second. To return to the event count, select Event Count.

Setting a custom date and time range

If you want to fine-tune the period of time that is displayed in the histogram, select a custom view.

See "Viewing event data in the archives" on page 230.

To set a custom date and time range

1. On the toolbar, click the calendar icon next to the View selection box.
2. In the Archive Time Range dialog box, in the Between: box, choose the start date and time of the time range. You can type the information in the box or use the up and down arrows. You can also click the calendar icon and then set the date and time in the Calendar dialog box.
3. In the and: box, choose the end date and time of the time range. You can type the information in the box or use the up and down arrows. You can also click the calendar icon and then set the date and time in the Calendar dialog box.
4. Click OK. The event data histogram now displays data for the time range that you selected.

About viewing event details

In the lower area of the right pane, you can display a table that contains details for the entire range of events in the histogram. The table can also display a selected portion of the events.

See "Viewing event data in the archives" on page 230.

You can show details in the following ways:

- To display details for the entire set of events in the histogram, click the Select All (green check) icon on the toolbar.
- To remove all event details from the table, click the Deselect (red X) icon on the toolbar.
- Click one of the bars in the histogram to display event details for the time period that is displayed in the bar.
- To select a time range, click any bar on the histogram, and then press the Shift key and click another bar on the histogram. The table displays details for all of the events in that time range.

In the lower-right corner of the details table, you can see the total number of events that are selected within the displayed subset. You can also see the total number of events in the displayed subset. To view the next group of events, click the forward arrow in the lower-right corner of the table. To view all of the details in one event record, double-click one row in the table.

Modifying the format of the event details table

Each column in the event details table represents one field from the event record. You can add, delete, and reorganize the columns in the table.

Note: An event record may include several date fields. Most events have a single event date, which is the time when the event occurred (not the date when Information Manager captured the event). In this case, the Event Date value and the Ending Event Date value are identical.

Note: If an event represents an aggregation of activity that takes place over a period of time, Event Date is the beginning of the time period and Ending Event Date is the end time. Occasionally the event service registers an event with an incorrect Event Date or Ending Event Date. Information Manager corrects the times in these fields and records the original (incorrect) times in the Original Event Date and Original Ending Event Date fields.

See "Viewing event data in the archives" on page 230.

To add, delete, and organize table columns

1. Right-click a column heading, and click Add Column. In the Column Filter dialog box that appears, the Selected Columns box shows all of the fields currently in the table. Occasionally a collector sends data to Information Manager that does not correspond to any field that is defined in the existing schema. When this scenario occurs, the Column Filter dialog box displays the raw field name from the collector: for example, bugtraq_ids. This scenario may also occur if a collector's SIP is not installed on the server.
2. Complete any of the following tasks:
   - To add a column, click a field name in the Available Columns box, and click Add. You can also use the Ctrl key to select multiple field names, and then click Add. To add all of the available columns, click Add All.
   - To delete a column, click one or more field names in the Selected Columns box, and click Remove. To delete all of the columns, click Remove All.
   - To change the position of a column, click a field name and click Move Up or Move Down until the name is in the desired position. You can also click Move To Top or Move To Bottom.
3. When you finish making changes, click OK. The changes are reflected in the event details table.

After you have modified the event details table to display the data that you want, you must save it as a query. By saving it as a query, you can see the same data in the same format the next time you log on to the Information Manager server.

See "To save the modified table format" on page 234.

To save the modified table format

1. After you finish modifying the table format, click the Save View icon.
2. Type a query name, and click OK. The query is saved in the My Queries folder in the tree pane. The next time that you log on to Information Manager, you can select that query. The table format appears the way that you modified and saved it.

Searching within event query results

When you perform an event query, you can search for a specific event within the initial query results. You can perform a text search or use regular expressions to further refine the search. You can choose whether the search spans all of the available event fields or a specific field.

See "Viewing event data in the archives" on page 230.

To search within event query results

1. After you run the query, in the Events table in the bottom pane, click Search for events.
2. In the Search Events dialog box, in the Text Search field, type the text or regular expression.
3. In the Options area, place a check next to the appropriate options. If the text is a regular expression, ensure that Regular Expression is checked.
4. In the Look in area, take one of the following actions:
   - If you want to search in all of the available fields for the set of events, click All fields.
   - If you want to search for a value that is stored in a specific field, click Selected field, and from the drop-down list, choose the field.
5. Click Search. The results are displayed in the events table.
6. In the Search Events dialog box, click Close.
7. After you have analyzed the search results, to return to the original query data, click Reset event search.

Filtering event data

You can filter event data in the following ways:

- Filter on an individual cell in the event details table. You can filter on a cell that has data in it, and Information Manager displays only the rows that have the same value in that column. You can also filter on an empty cell, and Information Manager displays only the rows in which that column is not empty.
- Use the advanced filter option to select multiple filtering conditions in one operation.
- Filter based on a unique column value. This filter creates a snapshot of the events that were returned for the query, based on the column that you chose for the filter. For example, in the query results for an All Events query, if you right-click any value in the Product column and choose Filter on unique column value, Information Manager creates a condensed view of the results that shows which product names occur in that column. If 5000 events were returned that involved only three products, filtering on unique column value in the Product column creates a snapshot that shows that those three products were the only products returned in the results.

An additional filtering method is a hybrid of an advanced filter and filtering on a cell. It is called filtering manually on a cell, and it lets you create a more complex query than the cell filtering method. However, it presets the first filtering condition for you.

See "To filter manually on a table cell" on page 237.

To filter on a table cell

1. Right-click the cell that you want to use as the filter condition. For example, to display only level 3 events, right-click a cell with severity level 3 in the Severity ID column.
2. Click Filter on cell. If you right-clicked an empty cell, click Filter where cell is not empty. One of the following occurs:
   - If you clicked Filter on cell, a new table displays only the events that have the same value as the cell where you clicked: for example, severity level 3. The table has a tab at the top that is labeled Untitled.
   - If you clicked Filter where cell is not empty, a new table displays all rows in which this cell is not empty.
3. Take any of the following actions:
   - To save the displayed view as a query, click the Save View icon. Then type the query name and click OK. If you view event data from a local archive, you cannot save the view as a query. Saving a query works only when you view event data from the live archive on the Information Manager server.
   - To filter the displayed data even further, repeat steps 1 and 2, or use the advanced filter option. See "To filter with the advanced filter option" on page 238.
   - To delete the table, click the red X in the upper right corner.

If no events meet the filter criteria, Information Manager displays a blank table. If a very large number of events meet the filter criteria, it may take a long time for the data to display. If you want to stop the search and view the events that Information Manager has found so far, click Cancel.
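The three table filters described above (filter on cell, filter where cell is not empty, and filter on unique column values), reproduced with awk over a constructed event table as an added example that is not part of the guide and not SSIM code. The "|"-delimited table with a header row, its column names, and the sample rows are all assumptions for this demonstration; the functions resolve a column by name from the header so the same logic works on any export with a header row.

```shell
#!/bin/sh
# Added example, not from the SSIM guide or product: the three cell/column
# filters implemented with awk over a constructed event table. The delimiter,
# column names and rows are assumptions for this demonstration.
EVENTS='event_date|product|severity_id|source_ip
2009-08-01 10:00:01|SSIM System|1|10.0.0.5
2009-08-01 10:00:07|Cisco PIX|3|
2009-08-01 10:01:12|Symantec AntiVirus|3|10.0.0.9
2009-08-01 10:02:30|Cisco PIX|4|10.0.0.7
2009-08-01 10:03:45|Cisco PIX|3|10.0.0.7'

# Shared awk prologue: resolve a column name to its index from the header row
# and fail loudly instead of silently matching whole rows when the column
# does not exist (an unset c would make $c mean $0).
AWK_HEADER='
  NR == 1 {
    for (i = 1; i <= NF; i++) if ($i == col) c = i
    if (!c) { print "no such column: " col > "/dev/stderr"; exit 2 }
    if (keep_header) print
    next
  }
'

# "Filter on cell": keep the rows whose value in the column equals the cell.
filter_on_cell() {   # $1 = column name, $2 = cell value
  printf '%s\n' "$EVENTS" |
    awk -F'|' -v col="$1" -v val="$2" -v keep_header=1 "$AWK_HEADER"'$c == val'
}

# "Filter where cell is not empty": keep the rows with any value in the column.
filter_where_not_empty() {   # $1 = column name
  printf '%s\n' "$EVENTS" |
    awk -F'|' -v col="$1" -v keep_header=1 "$AWK_HEADER"'$c != ""'
}

# "Filter on unique column values": the snapshot of distinct values in the
# column, in order of first appearance, one per line.
unique_column_values() {   # $1 = column name
  printf '%s\n' "$EVENTS" |
    awk -F'|' -v col="$1" -v keep_header=0 "$AWK_HEADER"'!seen[$c]++ { print $c }'
}

# Row count without the header, the "N events match" readout.
count_rows() { awk 'NR > 1' | grep -c .; }

# Usage: filter_on_cell severity_id 3 | count_rows
#        unique_column_values product
```

With the sample table, filter_on_cell severity_id 3 returns three rows, filter_where_not_empty source_ip drops the one PIX event without a source address, and unique_column_values product collapses five events to the three product names, which is the condensed view the text describes.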

To filter manually on a table cell

1. Right-click a cell that you want to use as a filter condition. For example, to display only level 3 events, right-click a cell with severity level 3 in the Severity ID column.
2. Click Manually filter on cell. If you right-clicked an empty cell, click Manually filter where cell is not empty. The Event Filter dialog box appears. One of the following occurs:
   - If you clicked Manually filter on cell, the first condition in the Filter criteria area contains the value of the cell in which you clicked. In this example, the condition would display Severity ID = 3.
   - If you clicked Manually filter where cell is not empty, the Filter criteria area displays the column name with the condition null.
3. To add more filter conditions, click the + icon (the plus symbol).
4. Click the first drop-down box, and then click an event field that you want to use as a filter.
5. Click the drop-down box to the right of the event field, and then click an operator: for example, the equals (=) symbol.
6. Click the drop-down box at the far right, and then click or type a value.
7. Take any of the following actions:
   - To add more conditions, repeat steps 3 through 6. Use the AND and OR logical operators as needed. The default operator is AND. To change it to OR, press Ctrl, click the desired boxes, and then click OR.
   - To remove a field, click the row and then click the - icon (the minus sign).
   - To ungroup conditions, select two or more rows (Ctrl + click) and then click Ungroup.
   - In the Time range area, select the desired time range.
8. Click Preview if you want to view the filtering statement that you created. Click Preview again if you want to add or change filtering criteria.
9. When you finish creating the query, click OK. A new table displays only the events that meet the criteria in the query. The table has a tab at the top that is labeled Untitled.
10. Take one of the following actions:
   - To save the displayed view as a query, click the Save View icon. Then type the query name and click OK. If you view event data from a local archive, you cannot save the view as a query. Saving a query works only when you view event data from the live archive on the Information Manager server.
   - To filter the displayed data even further, repeat the previous steps, or use the procedure for filtering on a table cell. See "To filter on a table cell" on page 236.
   - To delete the table, click the X in the upper right corner.

If no events meet the filter criteria, Information Manager displays a blank table. If the number of events that meet the filter criteria is large, it may take a long time for the data to display. If you want to stop the search and view the events that Information Manager has found so far, click Cancel.

To filter with the advanced filter option

1. Click Filter at the top of the table.
2. In the Event Filter dialog box, select the desired time range.
3. In the Filter criteria area, click the + icon (the plus symbol).
4. Click the first drop-down box, and then click an event field that you want to use as a filter.
5. Click the drop-down box to the right of the event field, and then click an operator: for example, the equals (=) symbol.
6. Click the drop-down box at the far right, and then click or type a value.
7. Take any of the following actions:
   - To filter on only one field, go to step 8.
   - To add more conditions, repeat steps 2 through 6. Use the AND and OR logical operators as needed. The default operator is AND. To change it to OR, press Ctrl, click the desired boxes, and then click OR.
   - To remove a field, click the row and then click the - icon (the minus sign).
   - To ungroup conditions, select two or more rows (Ctrl + click) and then click Ungroup.
8. Click Preview if you want to view the filtering statement that you created. Click Preview again if you want to add or change filtering criteria.

9. When you finish creating the query, click OK. A new table displays only the events that meet the criteria in the query. The table has a tab at the top that is labeled Untitled.
10. Take one of the following actions:
   - To save the displayed view as a query, click the Save View icon. Then type the query name and click OK. If you view event data from a local archive, you cannot save the view as a query. Saving a query works only when you view the event data from the live archive on the Information Manager server.
   - To filter the displayed data even further, repeat the previous steps, or use the procedure for filtering on a table cell. See "To filter on a table cell" on page 236.
   - To delete the table, click the red X in the upper right corner.

If no events meet the filter criteria, Information Manager displays a blank table. If the number of events that meet the filter criteria is large, it may take a long time for the data to display. If you want to stop the search and view the events that Information Manager has found so far, click Cancel.

To filter within the results of a query

1. Click Filter at the top of the table.
2. In the Event Filter dialog box, select the desired time range.
3. In the Filter criteria area, on the Filter Within Results tab, create the filter criteria using the table provided. See "To filter with the advanced filter option" on page 238.
4. When you are finished creating the criteria, click OK.

To filter on unique column values

1. After you run an event query, right-click a column that you want to use as a filter condition.
2. Click Filter on unique column values.

About working with event queries

You can query the event archives in the following ways:

- Import a query from another location and save it in the My Queries folder or the Published Queries folder. See "To import a query" on page 250.

- Use the Query Wizard to create a query against the event archives (event query). See "To create an event query" on page 243.
- Use the Query Wizard to create a query against the summarized event data (summary query). See "To create a summary query" on page 244.
- Use the Query Wizard to create a custom SQL query against the summarized event data (SQL query). See "To create an SQL query" on page 246.

After you create and save a query, you can insert it on the dashboard and use it in reports. You can also schedule queries to be distributed as reports in CSV format.

See "Scheduling queries that can be distributed as reports" on page 337.

Using the Source View query and Target View query

The Source View query and Target View query replace the Source and Target views that were available in previous versions of Information Manager. These queries return the IP address and host name of each system that Information Manager identifies. When you run either query, you can double-click an entry in the list to view the incidents and the tickets that are associated with that host. If the host is not already an asset, you can add the host to the assets table by selecting the host and clicking Create Asset.

Note: The Source View query and Target View query cannot be modified in the My Queries or the Published Queries folders.

See "About working with event queries" on page 239.

To use the Source View query or the Target View query

1. In the Information Manager console, click Events.
2. In the left pane, click System Queries > SSIM > SSIM.
3. Select either the Source View query or the Target View query.
4. Select the database to query, and click Run Query.
5. When you view the results, you can do the following:
   - To create an asset from a host in the list, click the host, and click Create Asset.

   - To view the incidents or the tickets that are associated with a host, click Details. You can also double-click the entry.
   - To refresh the view, click Refresh.
   - To export the current view to a file, click Export current view.

Creating query groups

You can create query groups in the My Queries and the Published Queries folders of the Events view of the Information Manager console. You can also create query group subfolders in each of these folders.

See "About working with event queries" on page 239.

To create a query group

1. In the left pane of the Events view, right-click either My Queries or Published Queries, and click Add Query Group.
2. (Optional) Type the group name and the group description, and click OK. The name of the new query group appears as a subfolder under the folder that you selected in step 1.

Querying across multiple archives

When you run a query, you can choose to retrieve event data from multiple archives. The query description in the right pane of each query includes a list of all of the known archives. In some cases, the query that you run may include archives that are unavailable. For example, if you save a query and then run it later, a change may have been made that makes an archive unavailable. If you run a query by using Run Query on the Events view and an archive is unavailable, you are prompted to choose from the following options when the query runs:

- OK: Allows the query to continue to run on any other archives that are part of the query and that are available.
- Ignore: Same as OK, except that you are not prompted again in the current session for that archive if it continues to be unavailable.
- Ignore all: Same as OK, except that you are not prompted for any of the unavailable archives in the current session.

Note: When you run a scheduled report and an archive is unavailable, Information Manager generates the report using the available archives. You are not notified of an unavailable archive when the report is created, and no indication is given in the generated report.

When scheduled reports are executed, queries run on all available archives and skip the archives that are not accessible. Therefore, results can be inaccurate, and the user is not warned that some archives were not processed.

To query across multiple archives
1 In the Information Manager console, click Events.
2 In the left pane, navigate to the desired query and select it.
3 In the right pane, under Please select archives to query, place a check in the checkbox for each archive that you want to include.
4 If necessary, configure any of the other required fields, and then click Run Query.
  Some queries may take longer than others to return the expected results. If a query may return a large amount of data, create a scheduled report to run the query at a specified time.

See About working with event queries on page 239.

Creating custom queries

You can create a custom query using different methods and save it for reuse. When you create a query, you must assign it a unique name. Be sure to follow these rules for assigning a valid query name:
  It must not be null.
  It must have at least one alphanumeric character.
  It must consist only of alphanumeric characters and the white spaces that are created with the space bar.
  It must not exceed 64 characters, including alphanumeric characters and white spaces.

See About working with event queries on page 239.

To create an event query
1 In the left pane of the Events view, navigate to the location where you want to save the query.
  You can save the query in the My Queries folder or the Published Queries folder. The My Queries folder is available only to you. The Published Queries folder is available to you and other users. You can also save the query in a query group folder under either of these folders.
2 Right-click the name of the folder where you want to save the query, and click Query Wizard.
3 On the first panel of the Query Builder Wizard, select Event Query, and click Next.
4 Select the event query type, and then click Next. Select a query from the following query types that are displayed:
  Event Details  Generates a table that contains all of the fields in the event archive.
  Event Counts by Field  Generates a Top N summary query that is sorted by the field that you select in the By box. You also select the event count value in the Top box.
  Trending Event Counts by Field  Generates a trend of the events over the selected time period.
5 In the Archives area, you can select the archive that you want to query. By default, the Prompt at run-time option is selected. This option lets you select the archives at run-time. You can uncheck the default option and select the archive that you want to query.
6 Specify the time range and filter criteria in one of the following options:
  If you select View, select a time-period option from the drop-down list.
  If you select Between, use the calendar drop-down lists to set the time range.
  If you select Complete, Information Manager queries the entire event archive.
  If you want to filter the data, specify the filter criteria. See To filter with the advanced filter option on page 238.
7 Click Next and then choose the columns that must be displayed.
8 Click Next. One of the following panels appears:

  If you selected Event Details in step 4, the Archive Events panel appears. Go to step 12.
  If you selected Event Counts by Field in step 4, the Chart Presentation panel appears. Go to step 9.
  The panel displays a sample table that is based on the filtering options that you selected.
9 Click Chart Properties and use the Chart Type drop-down box to select a type. For example, you can select a pie chart or a table. You may also change the chart's orientation, and you may choose to show the legend for chart types other than Table. Optionally, you may assign the following labels:
  A title to appear above the table or graph (not necessarily the same as the query name)
  Labels for the y-axis and the x-axis, for some chart types
  A footer, for table charts
10 If you want to see a preview of the query results, click Preview.
11 When you finish customizing the appearance of the chart, click Next.
  A chart sample appears, displaying the title and any labels that you assigned.
12 In the Query Name box, type the name that you want to appear in the left pane. Be sure to use only alphanumeric characters in the query name. If this query is an Event Details query, you can click Preview to see a preview of the query results.
13 Click Finish.
  The query is saved, and its name appears under the folder that you selected in the left pane. The query results appear in the right pane.

To create a summary query
1 In the left pane of the Events view, navigate to the location where you want to save the query.
  You can save the query in the My Queries folder or the Published Queries folder. The My Queries folder is available only to you. The Published Queries folder is available to you and other users. You can also save the query in a query group folder under either of these folders.
2 Right-click the name of the folder where you want to save the query, and click Query Wizard.
3 On the first panel of the Query Builder Wizard, select Summary Query, and click Next.
4 Select a database and then click Next.

5 In the Summary Table box, expand Events, and select a table from the list of presummarized tables in the database.
  A description of the table appears in the Table Description box. The icon next to the table name indicates its type, which is spelled out in the Legend box.
6 After you select the table that you want, click Next.
7 Select a column index from the drop-down list.
  A list of indexed fields from the database index appears in the Display Columns area.
8 Click to select one or more columns to display in the query, and click Next.
9 Specify the time range:
  If you select View, select a time-period option from the drop-down list.
  If you select Between, use the calendar drop-down lists to set the time range.
  If you select Complete, Information Manager queries the entire event archive.
10 If you want to filter the data, specify the filter criteria, and click Next. See To filter with the advanced filter option on page 238.
11 Sort the columns in the query (optional for use with the Table format). See To sort columns in a summary query on page 246.
12 Click Chart Properties and use the Chart Type drop-down box to select a type, for example, a pie chart or a table. You may also change the chart's orientation, and you may choose to show the legend for chart types other than Table. Optionally, you may assign the following labels:
  A title to appear above the table or graph (not necessarily the same as the query name)
  Labels for the y-axis and the x-axis, for some chart types
  A footer, for table charts
13 Click Next.
  A query sample appears, displaying the title and any labels that you assigned.

14 In the Query Name box, type the name that you want to appear in the left pane. Be sure to use only alphanumeric characters in the query name.
15 Click Finish.
  The query is saved, and its name appears under the folder that you selected in the left pane. The query results appear in the right pane.

When you view the results of a Summary query, clicking chart elements to view the details for that portion of the chart is not supported.

Symantec recommends that you disable summarizers on the Web configuration interface if you do not use summary queries. The summarizers are maintained in Symantec Security Information Manager 4.7 only to provide backward compatibility with previous versions of Information Manager. The summarizers are listed under Settings > Database > Event Summarizers on the Web configuration interface.

To sort columns in a summary query
1 On the right side of the Column Sorting panel, click Add Column.
2 Click in the Sort Column, and select a field to be sorted in the query table.
3 Click Asc (ascending) or Desc (descending) to determine the way the data in the column must appear.
4 Repeat steps 1 through 3 if you want to sort more fields.
5 Use the other icons (for example, Move Up) until you have the columns arranged in the proper order.
6 For Max Rows Return, take one of the following actions:
  To return every row in the database, click All.
  To return a specific number of rows, click Top, and select a number.
7 Click Next to continue creating a summary query. Return to the step in which you select the format for the query results. See To create a summary query on page 244.

To create an SQL query
1 In the left pane of the Events view, navigate to the location where you want to save the query.
  You can save the query in the My Queries folder or the Published Queries folder. The My Queries folder is available only to you. The Published Queries folder is available to you and other users. You can also save the query in a query group folder under either of these folders.
2 Right-click the name of the folder where you want to save the query, and click Query Wizard.

3 On the first panel of the Query Builder Wizard, select Advanced SQL Query, and click Next.
  Note: You must be a member of the Domain Administrators group to create and execute Advanced SQL Queries.
4 Select a database and then click Next.
5 In the text box, type or paste an SQL statement. The following actions are optional:
  In the Maximum rows box, select the maximum number of rows to appear in the table.
  View a list of tables and fields in the database by clicking Show Schema.
6 Click Test Query.
  Information Manager runs the SQL query and displays the result in table form. While the query runs, you may stop it by clicking Stop Query.
7 Repeat steps 5 and 6 until you are satisfied with the query, and click Next.
8 Click Chart Properties and use the Chart Type drop-down box to select a type. For example, you can select a pie chart or a table. You may also change the chart's orientation, and you may choose to show the legend for chart types other than Table. Optionally, you may assign the following labels:
  A title to appear above the table or graph (not necessarily the same as the query name)
  Labels for the y-axis and the x-axis, for some chart types
  A footer, for table charts
9 If you want to see actual data in a preview chart, click Preview.
10 When you finish customizing the appearance of the chart, click Next.
  A chart sample appears, displaying the title and any labels that you assigned.
11 In the Query Name box, type the name that you want to appear in the left pane. Be sure to use only alphanumeric characters in the query name.
12 Click Finish.
  The query is saved, and its name appears under the folder that you selected in the left pane. The query results appear in the right pane.

Editing queries

You can edit any query in the My Queries folder or the Published Queries folder. If you want to edit a predefined query or use one as a template, you can make a copy of the predefined query and then paste it into the My Queries folder or the Published Queries folder.

See About working with event queries on page 239.

Note: If you cannot view queries on the Events view, your role may lack the necessary permissions. You must have Read and Search permission for the appropriate query groups and the database. A user who is a member of an Administrator role can assign permissions.

Table 12-1 provides some examples of the methods with which you can edit predefined queries to suit your needs.

Table 12-1 Predefined query editing examples

Query group in System Queries: Product Queries > MS SQL Server Database
Query: Failed Logins
Field: Product
Sample modifications: In the Filter criteria, change the Product code to create an identical query for Oracle.

Query group in System Queries: Security Queries > Firewall
Query: Blocked Connections on Port 80 or 443 by IP address
Field: Time range (View); Filter criteria
Sample modifications: To increase the queried time period, change the time range from Last week to Last month. To query a different port, change the value for IP Destination Port in the Filter criteria. After changing the port, rename the query to reflect the new port number. Right-click the query name, and then select Rename.

Query group in System Queries: SSIM > SSIM system
Query: SSIM Failed Logins
Field: Filter criteria
Sample modifications: In the Filter criteria, add a filter to show only events with Severity ID=4.

Note: In a tabular query, you can add and remove columns from the table in which data is displayed. However, if you place the modified query in a report, the column changes do not persist. You must insert the query in the report, and then add and remove table columns.

To edit a predefined query
1 In the Information Manager console, click Events.
2 In the left pane, navigate to the desired query in the System Queries folder and select it.
3 Drag and drop the query into the My Queries folder or the Published Queries folder.
  A customizable copy of the query is created.
4 In the new folder, right-click the query name, and then select Edit Query.
5 Modify the desired query parameters, and then click OK.

Managing the color scheme that is used in query results

When you run a query, you can use a customized color scheme for the queries that are displayed in chart format. You can add or remove colors, and change the order in which they appear in the query results view. You can then save your changes as a template.

To create a customized color template
1 In the Information Manager console, click System.
2 Click the Administration tab.
3 Expand the domain tree, and then click Reporting.
4 Click Add Color.
5 In the Add Color box, on the Swatches tab, make your selection.
  You can make additional adjustments to the color on the HSB and the RGB tabs.
6 Click OK.
7 If you want to move the color up in the reporting list, click Move Up.
8 When you have finished making your modifications, click Create Template.
9 Type a name for the template, and then click OK.

To adjust the color configuration in an existing template
1 In the Information Manager console, click System.
2 Click the Administration tab.

3 Expand the domain tree, and then click Reporting.
4 From the drop-down menu, select the template you want to modify.
5 After you make your changes, click Create Template.
6 Type the name of the modified template, and then click OK.

See About working with event queries on page 239.

About querying for IP addresses

When you create a custom SQL query for an IP address, Information Manager returns an integer value of the address. To return an IP address in the more familiar nnn.nnn.nnn.nnn format, use the following macro in your SQL query.

  SELECT
    CASE
      WHEN E.SOURCE_IP >= 0 THEN
        -- Non-negative value: split it into octets directly.
        -- The octets and the '.' separators are joined with the || concatenation operator.
        rtrim(char(mod(E.SOURCE_IP / 16777216, 256))) || '.' ||
        rtrim(char(mod(E.SOURCE_IP / 65536, 256))) || '.' ||
        rtrim(char(mod(E.SOURCE_IP / 256, 256))) || '.' ||
        rtrim(char(mod(E.SOURCE_IP, 256)))
      ELSE
        -- Negative value: the address is stored as a signed 32-bit integer,
        -- so add 4294967296 (2^32) before splitting it into octets.
        rtrim(char(mod((4294967296 + E.SOURCE_IP) / 16777216, 256))) || '.' ||
        rtrim(char(mod((4294967296 + E.SOURCE_IP) / 65536, 256))) || '.' ||
        rtrim(char(mod((4294967296 + E.SOURCE_IP) / 256, 256))) || '.' ||
        rtrim(char(mod(4294967296 + E.SOURCE_IP, 256)))
    END AS "Source IP"
  FROM SYMCMGMT.SYMC_SIM_EVENT E
  WHERE <parameter to filter events>

See About working with event queries on page 239.

For more information, refer to your SQL manual.

Importing queries

Information Manager lets you import a query (a file with the .qml extension) from a folder on your computer. You can place the query in the My Queries folder, the Published Queries folder, or in any query group in one of those folders.

To import a query
1 In the left pane of the Events view, click on the location where you want to save the query.
  You can save the query in My Queries (available only to you) or Published Queries (available to you and other users). You can also save the query in a query group folder under either of these folders.
2 On the toolbar, click Import Query.

3 Browse to the location where the query resides, and click the name of the query file.
4 Click Open.
  The name of the query appears in the left pane under the folder that you selected. The results of the query appear in the right pane.

See About working with event queries on page 239.

Exporting queries

You can save a query in a different location. For example, you can save a query as a file on a computer hard drive or CD. You can then attach the query to an email message or copy it to another computer. The export feature also lets you export a System Query, which you can then import into the My Queries folder or the Published Queries folder for editing.

To export a query to a file
1 In the left pane of the Events view, click the name of the query that you want to export.
  The query parameters appear in the right pane.
2 On the toolbar, click Export Query.
3 In the Save dialog box, navigate to the location where you want to save the file and type a name in the File Name box.
4 Select the file type from the Files of Type drop-down list.
  If you want to be able to edit the file, select QML Files as the file type.
5 Click Save.
  Information Manager saves the query in the location that you specified.

See About working with event queries on page 239.

Publishing queries

You are the only user who can access the queries in the My Queries folder and its subfolders. If you want to make a query available to other users, you can copy it to the Published Queries folder.

To publish a query
1 In the left pane of the Events view, locate the query under My Queries that you want to publish.
2 Right-click the query name, and then click Publish Query.

3 Click Yes to confirm that you want to publish the query.
  The query name appears under the Published Queries folder in the left pane.
4 If you want to move the query into a query group under Published Queries, use the mouse to drag the query name to the desired group.

See About working with event queries on page 239.

Scheduling queries that can be distributed as reports

You can schedule queries to be distributed in a report as a CSV file. The Schedule option is available on the Events view when you select a query from the Published and System queries. When you save a scheduled query in the Events view, the scheduled query report is created under the Published Reports folder in the Reports view.

You can send the scheduled query reports by email as a compressed CSV file, and make them available by a URL link within the mail. You can also download these reports from the Web configuration interface under Manage Reports > Scheduled Query Reports, in CSV format in a compressed file. The maximum row limit of the CSV file is 1 million rows, corresponding to 1 million events. The maximum size of the CSV file that you can send by email is limited to 15 MB.

Note: Scheduled queries are limited to one query only. If the scheduled query contains a chart, it is converted to a table in the created reports.

Note: The Design option is not available for scheduled query reports.

See About working with event queries on page 239.

You can schedule the following types of queries:
  Summary data query
  Event detail query
  Custom SQL query

Note: Top N by Field and Trending Event Count by Field queries cannot be scheduled from the Events view as scheduled query reports.

To schedule a query as a report
1 In the console of the Information Manager client, click Events.
2 In the Explorer pane, under Published Queries or System Queries, click the name of the query that you want to schedule and distribute as a report.
3 In the right pane, click Schedule.
4 Type the name of the scheduled query.
5 In the Set Schedule for Query dialog box, specify the time, date, and recipients for the generated reports. Set the message subject and body text as required.
6 Select the option for a CSV attachment or a URL link as required.
  When the recipient clicks the link, the report is directly accessible, provided that the user is logged on to the Web configuration interface using the host name of Information Manager. If the user has logged on using the IP address of Information Manager, the user is prompted for authentication, after which the report becomes accessible.
7 Take one or more of the following actions as required:
  To save the query report to the Published Reports folder and close the Set Schedule for Query dialog box without scheduling the query, click OK.
  To enable the Schedule and Test icons and save the query report in the Published Reports folder, click Save.
  To ignore any changes that were made since the last save and exit the dialog box, click Cancel.
  To verify the entered details, click Test to send the query to the specified recipients.
  To schedule the query, click Schedule.
  The published query report is also available under the Scheduled Query Reports option under Manage > Reports on the Web configuration interface.

Deleting queries

If you no longer need a query, you can delete it.

Note: You can delete only the queries under the My Queries folder and the Published Queries folder. You cannot delete the System Queries folder or its contents.

To delete a query
1 In the left pane of the Events view, navigate to the query to delete.
2 Right-click the query name, and then click Delete Query.
3 Click Yes to confirm.
  The query name is removed from the list in the left pane.

See About working with event queries on page 239.
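The signed-integer storage behind the SQL macro in About querying for IP addresses (earlier in this chapter), worked through in Python as an added example that is not part of the guide or the product. It converts in both directions and also emits the CASE macro for an arbitrary integer IP column, which generalizes the guide's SOURCE_IP example; the DB2-style functions (||, char, rtrim, mod) are taken from the macro itself.

```python
"""Convert between Information Manager's integer IP storage and dotted-quad text
(added example, not Symantec code).

The guide's SQL macro shows that SOURCE_IP is a signed 32-bit integer: values
below zero are addresses with the top bit set (128.0.0.0 and above) and get
2^32 added back before the octets are split out. These functions do the same
arithmetic in Python and can emit the CASE expression for any integer IP column.
"""
from ipaddress import IPv4Address

TWO_32 = 4294967296  # 2**32, the constant the SQL macro adds to negative values
TWO_31 = 2147483648  # 2**31, the first value that no longer fits a signed int


def ssim_int_to_ip(value: int) -> str:
    """Mirror the SQL CASE: offset negative values by 2^32, then split into octets."""
    if value < 0:
        value += TWO_32
    if not 0 <= value < TWO_32:
        raise ValueError(f"{value} is not a 32-bit IP value")
    octets = [
        (value // 16777216) % 256,  # mod(value / 16777216, 256)
        (value // 65536) % 256,     # mod(value / 65536, 256)
        (value // 256) % 256,       # mod(value / 256, 256)
        value % 256,                # mod(value, 256)
    ]
    return ".".join(str(o) for o in octets)


def ip_to_ssim_int(ip: str) -> int:
    """Inverse mapping: the signed integer a filter on the stored column compares against."""
    unsigned = int(IPv4Address(ip))
    return unsigned - TWO_32 if unsigned >= TWO_31 else unsigned


def dotted_quad_sql(column: str, alias: str) -> str:
    """Emit the guide's CASE macro for an arbitrary integer IP column.

    Assumes the same dialect as the macro: || concatenation, char(), rtrim(), mod().
    """
    def octets(expr: str) -> str:
        parts = [
            f"rtrim(char(mod({expr} / 16777216, 256)))",
            f"rtrim(char(mod({expr} / 65536, 256)))",
            f"rtrim(char(mod({expr} / 256, 256)))",
            f"rtrim(char(mod({expr}, 256)))",
        ]
        return " || '.' || ".join(parts)

    negative_expr = f"({TWO_32} + {column})"
    return (
        f"CASE WHEN {column} >= 0 THEN {octets(column)} "
        f"ELSE {octets(negative_expr)} END AS \"{alias}\""
    )


if __name__ == "__main__":
    # Constructed sample values: 10.0.0.1 stays positive, 192.168.1.1 is stored negative.
    for stored in (167772161, -1062731519):
        print(stored, "->", ssim_int_to_ip(stored))
    print(dotted_quad_sql("E.SOURCE_IP", "Source IP"))
```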

Chapter 13
Forwarding events to the Information Manager Server

This chapter includes the following topics:
  About forwarding events to an Information Manager server
  About registering a security directory
  Registering Collectors
  Registering with a security domain
  Activating event forwarding
  Stopping event forwarding

About forwarding events to an Information Manager server

Event forwarding lets you create distributed configurations that handle higher event loads more efficiently by allowing events to be forwarded to multiple servers. For example, you can set up one event forwarding rule to send all events to Information Manager server A, and another event forwarding rule to send all events to Information Manager server B. This setup is good for redundancy. You can also archive different event types on different systems: you specify different event criteria on each event forwarding rule and point them to the appropriate Information Manager server.

A Collection Server is an instance of the Information Manager server that collects and forwards events from multiple sources to another server. A Correlation Server

is an instance of Information Manager on which correlation is enabled and events are received. For example, you can have multiple Information Manager servers store events from security products. You can then forward only those events that are needed for determining security incidents to a Correlation Server. The Collection Servers store the uncorrelated events (when archiving is enabled) to support compliance with policies such as Sarbanes-Oxley. The Correlation Server processes the forwarded events to allow monitoring of the security incidents in your network.

See About event archives on page 224.

During the Information Manager installation process, one default event forwarding rule is created. This rule is created on the Information Manager server to forward events from the event service to the correlation manager at 127.0.0.1. If you have multiple Information Manager servers, you may need to configure this forwarding rule. You can configure the rule to specify the destination Information Manager server to which to forward events. You may also choose to forward events to an event service (port 10012) on the destination server, instead of the correlation manager (port 10010).

You can create additional event forwarding rules on a single instance of Information Manager for backup purposes. You can also create these rules if you want to store certain types of events separately. For example, you can set up one forwarding rule to send events to Information Manager A and another forwarding rule to send events to Information Manager B. You can define event criteria to filter certain events to be forwarded to Information Manager A, and then specify that other types of events are forwarded to Information Manager B.

To configure event forwarding from one server to another, you must do the following:
  Register the collector of each security product that you want to monitor with the destination Information Manager server. See Registering Collectors on page 258.
  Use the Web configuration interface of the Information Manager to join the Collection Server with the security directory of the Correlation Server.
  Configure the Collection Server to forward events. See Activating event forwarding on page 260.

Note: You cannot create incidents manually on an Information Manager server that is configured as a Collection Server. After you set up an instance of Information Manager as a Collection Server, you cannot reconfigure Information Manager to correlate events using software settings.
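A pre-flight check for the procedure above, as an added example that is not part of the guide or the product: run from the Collection Server, it confirms that the Correlation Server's host name resolves (this chapter notes that the event service cannot forward otherwise) and that the port of the chosen target service is reachable through any firewall. The port numbers (10010 for the correlation manager, 10012 for the event service, 443 for the encrypted event service) are the ones this chapter gives; the resolver and connector are injectable so the logic can be exercised offline.

```python
"""Pre-flight connectivity check for an event forwarding rule (added example,
not Symantec code).

Assumptions: it is run on the Collection Server; the target is the Correlation
Server named in the rule; the ports are those the guide gives for the
correlation manager (10010), the event service (10012) and the encrypted event
service over HTTPS (443). The resolver and connector are injectable so the
logic can be tested without a network.
"""
import socket
from typing import Callable, Dict, Optional

# Service name as shown in the rule dialog -> TCP port, as stated in the guide.
FORWARDING_PORTS: Dict[str, int] = {
    "Correlation Service": 10010,
    "Event Service": 10012,
    "Event Service (Encrypted)": 443,
}


def tcp_reachable(ip: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to ip:port completes within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_forwarding_target(
    correlation_host: str,
    service: str,
    resolver: Callable[[str], str] = socket.gethostbyname,
    connector: Callable[[str, int], bool] = tcp_reachable,
) -> Dict[str, Optional[object]]:
    """Resolve the host, then probe the port that the chosen service listens on.

    The result carries 'resolved_ip' (None when resolution failed), 'port',
    'reachable' and a human-readable 'verdict' naming the guide's remedy.
    """
    if service not in FORWARDING_PORTS:
        raise ValueError(f"unknown service {service!r}; expected one of {sorted(FORWARDING_PORTS)}")
    port = FORWARDING_PORTS[service]
    result: Dict[str, Optional[object]] = {
        "host": correlation_host, "service": service, "port": port,
        "resolved_ip": None, "reachable": False, "verdict": "",
    }
    try:
        ip = resolver(correlation_host)
    except OSError as exc:
        # The guide's remedy for this case: add a DNS entry for the Correlation Server.
        result["verdict"] = (f"cannot resolve {correlation_host} ({exc}); "
                             "add a DNS entry before activating forwarding")
        return result
    result["resolved_ip"] = ip
    if connector(ip, port):
        result["reachable"] = True
        result["verdict"] = f"{service} on {ip}:{port} is reachable"
    else:
        result["verdict"] = (f"{service} on {ip}:{port} is not reachable; "
                             "open the port on the firewall between the servers")
    return result


if __name__ == "__main__":
    # Placeholder host name; replace it with the Correlation Server named in the rule.
    print(check_forwarding_target("correlation-server.example.invalid", "Event Service (Encrypted)")["verdict"])
```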

To forward events through a firewall, make sure to open the ports that are required for the Information Manager servers to communicate.

When the Correlation Server is unavailable, by default the forwarding server continues to queue events until the Correlation Server is available again. If the queue on the forwarding server fills up, the forwarding server stops receiving events. When the forwarding server stops receiving events, the collectors try to queue events until the forwarding server is able to accept events again.

The event criteria determine which events are forwarded to the destination Information Manager server. You set event criteria in the console of the Information Manager client, on the System view, Server Configurations tab. If the Event Criteria pane is empty, all events are sent to the Information Manager server. If you add a condition to the event criteria, only the events that match those criteria are sent.

To view forwarded events, a user in the console of the Information Manager client must have sufficient rights to view those types of events. If the product, domain, or organizational unit of the events does not match those allowed by the role that is assigned to the user, the events do not appear. The ability to view the forwarded events also depends on whether archiving is enabled on the console or not.

Note: Information Manager Event Services cannot forward events to a Correlation Server if they cannot resolve the host name for which the Correlation Server's SSL certificate was generated. To resolve this problem, add a DNS entry for the IP address and host name of the Correlation Server. You can also generate a new certificate for the Information Manager server that is based on its IP address.

If you forward events to an event service on the destination Information Manager server, you can enable data encryption. The data encryption option is not available when you forward events to a correlation manager.

About registering a security directory

You can register the security directory of an Information Manager server with the security directory of another Information Manager server. The registration can be performed from the Directory Registration view of the Web configuration interface. Using the Register option on the Directory Registration view configures a Collection Server to use the same LDAP directory as the Correlation Server. After you register, the Collection Server also inherits the same LDAP configuration as the Correlation Server. If the Correlation Server is configured to use a local or a remote LDAP, then the Collection Server uses that database to store event

information. However, if the Correlation Server is configured as a Correlation-only Server (event pass-through enabled, events not stored), the Collection Server inherits similar settings. In that case, you must create a new database configuration on the Collection Server if you want to store events in its database.

Note: You can perform a directory registration of an Information Manager server with another Information Manager server. However, the User Filters, User Monitors, User Rules, and User Lookup Tables that existed on the first Information Manager server before registration become unavailable.

For information on creating database configurations, refer to the Help of the Web configuration interface.

When you specify the name of the remote directory to which you register, ensure that you specify the correct domain name. In addition, make sure that you use the correct case (for example, symantec.ses instead of symantec.ses). LDAP directory connections are not case-sensitive, but database connections are. If you use the wrong case, the Collection Server connects to the LDAP directory of the Correlation Server but not to the database. When this situation occurs, no events appear in queries and reports.

Registering Collectors

See About events, conclusions, and incidents on page 221.

The Information Manager Web configuration interface provides a page to register and to unregister the configuration settings and event schema. The Information Manager server requires these settings and schema to recognize and to log events from the point product. You must register the collector for all remote installations. If you use a collector that resides on the Information Manager server, you do not need to install the agent and you do not need to register the collector.

To register a collector
1 Launch the Information Manager Web configuration interface at the following URL:
  https://information_manager_host_name_or_ip_address
  Symantec recommends that you use the Fully Qualified Domain Name of the Information Manager. If you have the Information Manager Client console open, you should close it.
2 From the Information Manager Web configuration interface, click Settings > Collector Registration.
3 On the page that appears, click Register.
4 In the first box provided, type (or click Browse to select) the path to the collector_name.sip file that was provided with your collector installation package. You can select paths for up to 5 files.
  The default location for this file is the sip/ subdirectory of the collector installation package.
5 Click Begin Registration.

Registering with a security domain

The Directory Registration option on the Settings view of the Web configuration interface lets you add an Information Manager server to the directory of another Information Manager server. Registering an Information Manager server with the security directory of another instance of Information Manager server can take 10 minutes or more.

To register an Information Manager server with the security domain of another Information Manager server
1 Log on as an administrator to the Web configuration interface of the Information Manager server that you want to register to another Information Manager server. Click Settings > Directory Registration.
2 In the tree pane of the Directory Registration view, click Register.

3 In the details pane, type the following information in the provided boxes:
Host name or IP address: The host name or IP address of the external security directory.
LDAP port: The LDAP communications port that the security directory uses. The default is 636.
LDAP cn=root password: The password for the cn=root account.
Administrator: The domain administrator account on the remote Information Manager server.
Password: The Information Manager domain administrator password for the remote Information Manager server.
Domain: The name of the remote security directory.
4 Click Register.
5 Configure the Information Manager server to forward events to the destination Information Manager server. See Activating event forwarding on page 260.

Activating event forwarding

You can modify the default event forwarding rule, and can create additional event forwarding rules. You can also delete or modify an existing event forwarding rule.

When an Information Manager server receives the forwarded events, it stores the events according to the Event Storage Rules that are configured for that server. To specify the archive in which the forwarded events are stored, you must do the following:
Configure the forwarding Information Manager server to send the events to the receiving Information Manager server.
Configure the receiving Information Manager server to store the events in the appropriate archive.

Note: Before completing the following steps, make sure that you have connected network cabling between the collection and the correlation Information Manager server.

See About forwarding events to an Information Manager server on page 255.

To configure the default event forwarding rule

1 In the console of the Information Manager client, click System.
2 On the Server Configurations tab, expand the Information Manager server that forwards the events to the Correlation Server and click Event Forwarding Rules.
3 In the right pane, double-click the rule.
4 In the Event Forwarding Rules dialog box, in the Inclusion filter area, do not insert any filter criteria. Leaving this area empty ensures that all events are forwarded to the default correlation Information Manager server. You can create additional event forwarding rules to specify forwarding criteria.
5 Under Primary and Failover Servers, type the host name or IP address of the correlation Information Manager server. You may choose not to configure the failover server. You can also forward to servers that are not Correlation Servers. Usually, the failover is configured to fail over to another collection server.
6 Under Select the service to forward to, select one of the following:
To forward events to a Correlation Server, select Correlation Service.
To save the events in the destination Information Manager server's event archive, select Event Service.
If you want the forwarded event data to be encrypted between the collection servers and the correlation servers, go to step 7.
7 To encrypt the event data between the collection servers and the correlation Information Manager servers, select Event Service (Encrypted). If you choose to encrypt event data, the data is sent using HTTPS (port 443).
8 By default, event forwarding rules queue events on the host if the destination Information Manager server is not available. If you do not want Information Manager to queue events, uncheck Queue events if target service is unavailable.
9 You can enable the Use Persistent Queues option. This option enables all events to be written to the hard disk queue and then forwarded to the specified destination. If the destination is not available, the event service continues to write events to the disk queue (without blocking the event stream). It flushes the queue when it detects that the destination is back online. Enabling Persistent Queues may affect the event forwarding performance.

10 Click OK.
11 Make sure that the appropriate event forwarding rule is selected (enabled) in the pane. For example, to enable the default event forwarding rule on a collection Information Manager server named Denver, select the Correlation Forwarding box under the Denver folder.
12 Click Apply.

To create a new event forwarding rule

1 In the Information Manager console, click System.
2 On the Server Configurations tab, expand the Information Manager server to which you want to add an event forwarding rule. Click Event Forwarding Rules.
3 On the toolbar, click + (the Add icon).
4 In the Rule name box, type the name of the new rule.
5 By default, all events are forwarded. To limit the types of events forwarded, complete the following steps in order:
In the Inclusion filter area, click Add (+).
In the left column, click an entry in the Common, Events, or Other Fields tabs.
In the middle column, specify a logical operator.
In the right column, specify the value that you filter on.
Repeat these steps for any other conditions that you want to include.
6 To complete the configuration, click OK.
7 To apply, click Apply.

To delete an event forwarding rule (stop event forwarding to an Information Manager server)

1 In the Information Manager console, click System.
2 On the Server Configurations tab, expand the Information Manager server for which you want to delete an event forwarding rule. Click Event Forwarding Rules.
3 Select the rule to delete.
4 In the toolbar, click Remove (-).
5 Click Apply.

Stopping event forwarding

To stop event forwarding, disable the event forwarding rule from the Server Configurations tab of the System view on the console of the Information Manager server.

See About forwarding events to an Information Manager server on page 255.


Chapter 14 Understanding event normalization

This chapter includes the following topics:
About event normalization
About normalization (.norm) files

About event normalization

Normalization occurs when the server receives an event after the collector has harvested the raw data. The normalization process analyzes received event data and adjusts the fields to prepare the data for interpretation by Information Manager, including any applicable rules. A normalization configuration file with a .norm file extension is used to adjust the fields where necessary. The .norm file maps the event fields that the collectors provide to the event fields that Information Manager requires.

Normalization accomplishes tasks such as populating empty fields and locating information about source and target. For example, if you try to trap a consistent target IP address, the point product that harvested the data may have placed the IP address in a field that does not indicate the nature of the contents of the field. For example, the field name may be ip_address, which may not indicate whether the IP is the address of the source or the target.

Information Manager includes a set of mapping files that identify and parse the data in the fields that the supported products provide. It maps these values to the appropriate database schema fields. Symantec creates and updates the .norm files using LiveUpdate as more information from each of the point products becomes available.

Normalization adds information to events using a standardized set of fields that can be used to refine rules processing. For example, a unique event identifier can

be mapped to a Standard Event Code (Symantec Signature). This information allows multiple product events to be correlated despite unique identifiers for each product.

Normalization also uses the information that you provided in the Asset and Network tables. It uses this information to uniquely identify the elements that are related to the event, which can be used during rules creation. Additional fields from the Asset table include the assigned Confidentiality, Integrity, and Availability (CIA) values and the host name. These fields also identify who owns the system, the current operating system, and what policies or roles apply to the computer. In addition, the fields identify what services are open on a computer (populated by a vulnerability scanner). They also identify what vulnerabilities are on that computer (for example, if specific patches have not been rolled out to a computer). For example, if a system has been assigned the role of a vulnerability scanner, the events that vulnerability scanners usually generate can be filtered if they are associated with that computer.

The Network table information is used to identify the location and directional flow of the event. Normalization can help to identify whether an event is internal only (contains IP addresses within your network). Normalization can also help identify whether the traffic is inbound, outbound, or traveling to or from specific locations. For example, if the source of a virus event is an internal source, the event can be flagged as an internal virus infection.

Normalization also adds any information available with the Symantec Signature using the Symantec DeepSight Threat Management System database. For example, when a security incident occurs that is mapped to a Symantec Signature, the following pieces of information may be provided:
The Symantec Event Code, which facilitates cross-product correlation
EMR categorization, helping the analyst to aggregate attack data to better understand the outbreak
Vulnerability IDs (BugTraq) that include information on the vulnerabilities that are typical to this type of security threat
Exposure IDs that include the potential attack exposure information that Information Manager provides. For example, telnet is enabled or weak passwords are used.
Malicious code IDs that include the information that Symantec Security Response creates to describe the known malicious code activity that is associated with an attack

See About normalization (.norm) files on page 267.

About normalization (.norm) files

When you create a rule, it is often helpful to view the mapping that takes place during normalization by using the normalization (.norm) files. Normalization files are included in the file system of the server. They are not available from the Information Manager Web configuration interface.

Collectors usually populate the event fields with the data that matches the descriptive name that is specified in the schema. However, the event fields the collector provides may contain additional information that Information Manager can parse. In these cases, you can view the normalization (.norm) file to understand where the event data comes from, and how Information Manager interprets it.

The Information Manager server contains a default .norm file. It also contains the .norm files that are specific to the collectors that are used on your network. The mapping in a .norm file may be a direct one-to-one mapping. In this mapping, the value in the collector field can be directly imported into the field that Information Manager expects. In other cases, the collector field may contain more data than the Information Manager field expects. In these cases, regular expressions are commonly used to parse the collector field for the data that Information Manager expects.

Note: Although you can alter the contents of the .norm files, do not rely on this method as a means of modifying how data is normalized and accessed through the rule set. If you have LiveUpdate or Symantec DeepSight Threat Management System updates enabled, the default .norm file is often refreshed during the update process. Any changes you make to the .norm file are lost.

In the following example, the first line of each block specifies the schema used. The field name to the left is the field name that the collector uses. The values on the right indicate the data and the field name that the Information Manager server uses. The parsed data may include a data type in parentheses, followed by the name of the field that Information Manager uses. The right side may also include the regular expressions that are used to parse the event data from the collector field.

    (intrusion_data ^ "Failure Audit") & (intrusion_data ^ "User Name")
    intrusion_symc_sig -> (string)devicealert
    machine_ip -> (ip)sourceip (ip)targetip
    machine -> (string)sourcehost (string)targethost
    intrusion_data -> /User\s+Name:\s+(\S+)/ (string)eventresource
    intrusion_target_type_id := 1037112
    intrusion_outcome_id := 1027204
    vendor_device_id := 36
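To make the mapping concrete, the following added example (not Symantec code and not part of this guide) is a small interpreter for the .norm block above, run against a constructed Windows security event. The guide does not define the block syntax, so the interpretation is an assumption: "^" is read as "field contains this text", "&" as logical AND, "->" as copy-with-type, "/regex/ (type)field" as "the first capture group goes to field", and ":=" as a constant assignment.

```python
"""Added example, not Symantec code: a minimal .norm block interpreter.

Assumed semantics (the guide does not define them):
  (field ^ "text")   the collector field contains "text"
  a & b              both conditions must hold for the block to apply
  src -> (type)dst   copy src into dst, cast to type; several targets allowed
  src -> /re/ (t)dst first capture group of re, taken from src, goes to dst
  name := 1234       constant value added to every event the block matches
"""
import re

# The block from the guide, reproduced verbatim as the input to parse.
NORM_BLOCK = """\
(intrusion_data ^ "Failure Audit") & (intrusion_data ^ "User Name")
intrusion_symc_sig -> (string)devicealert
machine_ip -> (ip)sourceip (ip)targetip
machine -> (string)sourcehost (string)targethost
intrusion_data -> /User\\s+Name:\\s+(\\S+)/ (string)eventresource
intrusion_target_type_id := 1037112
intrusion_outcome_id := 1027204
vendor_device_id := 36
"""

CASTS = {"string": str, "int": int, "ip": str}   # "ip" kept as text here
COND_RE = re.compile(r'\((\w+)\s*\^\s*"([^"]*)"\)')  # only the simple form shown
TARGET_RE = re.compile(r'\((\w+)\)(\w+)')            # (type)fieldname
REGEX_RE = re.compile(r'^/(.*)/\s+(.*)$')            # /regex/ targets...


def parse_norm_block(text):
    """Split one block into its conditions and an ordered list of rules."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    conditions = COND_RE.findall(lines[0])          # [(field, substring), ...]
    rules = []
    for line in lines[1:]:
        if ":=" in line:                              # constant assignment
            name, val = (p.strip() for p in line.split(":=", 1))
            rules.append(("const", name, int(val)))
        else:                                         # field mapping
            src, rhs = (p.strip() for p in line.split("->", 1))
            m = REGEX_RE.match(rhs)
            pattern = m.group(1) if m else None
            targets = TARGET_RE.findall(m.group(2) if m else rhs)
            rules.append(("map", src, pattern, targets))
    return conditions, rules


def normalize(event, conditions, rules):
    """Apply a parsed block; return the enriched event or None if it does not apply."""
    if not all(text in str(event.get(field, "")) for field, text in conditions):
        return None
    out = dict(event)                                 # raw fields are kept
    for rule in rules:
        if rule[0] == "const":
            out[rule[1]] = rule[2]
            continue
        _, src, pattern, targets = rule
        if src not in event:
            continue                                  # nothing to map from
        value = event[src]
        if pattern is not None:
            m = re.search(pattern, str(value))
            if not m:
                continue                              # regex did not match
            value = m.group(1)
        for typ, target in targets:
            out[target] = CASTS.get(typ, str)(value)
    return out


# Constructed sample event in the collector's field names (not real data).
SAMPLE_EVENT = {
    "intrusion_symc_sig": "Windows Logon Failure",
    "machine_ip": "10.0.0.5",
    "machine": "DC01",
    "intrusion_data": "Failure Audit: Logon/Logoff. User Name: jdoe Domain: CORP",
}

if __name__ == "__main__":
    conds, rules = parse_norm_block(NORM_BLOCK)
    for k, v in sorted(normalize(SAMPLE_EVENT, conds, rules).items()):
        print(f"{k} = {v!r}")
```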

See About event normalization on page 265.

Chapter 15 Collector-based event filtering and aggregation

This chapter includes the following topics:
About collector-based event filtering and aggregation
About identifying common events for collector-based filtering or aggregation
About preparing to create collector-based rules
Accessing event data in the Information Manager console
Creating collector-based filtering and aggregation specifications
Examples of collector-based filtering and aggregation rules

About collector-based event filtering and aggregation

Information Manager lets you filter and aggregate security events before they are sent to the server. Information Manager provides the filtering and aggregation capabilities that can be used at the collector. Filtering and aggregating event data before it reaches the server can improve network and server performance. Collector-based filtering and aggregation can also effectively increase event storage capacity on the server. Collector-based filtering and aggregation discards unnecessary events or stores summaries of events, which typically use less storage space.

When an event collector gathers events from security products, it parses the event for the information that can be sent to the server. When relevant data is identified, it is translated into fields in the Information Manager schema. Information Manager uses the schema to correlate existing events, create incidents, and so forth.

Security products are responsible for identifying security breaches and threats. In many cases, these products also act as event identification and storage devices for any event that may be used for forensics research. Some products store these events locally. Others offload the event data to a storage device such as a Syslog server or a Windows event log. In general, Information Manager collectors monitor these devices, databases, and log files for security-related events. The collectors then forward all of these events to the Information Manager server.

By default, event collectors gather all security-related events, and do not discriminate based on event severity or relevance. This feature is useful for policy compliance. However, many organizations prefer to use the powerful event reporting and correlation features of Information Manager on the security events that are more threat-related. You can limit (or restrict) the events that are sent to the server to those events that represent potential security threats and incidents.

In contrast to event filtering and correlation at the server, collector-based filtering lets you exclude events from forwarding to Symantec Security Information Manager. Similarly, collector-based aggregation lets you group similar events to reduce event traffic. Grouping also lets you reduce the number of single events that are stored in the event database. Event aggregation groups the events that contain identical event information into a single summary event which is forwarded to the server. This summary event includes a count of the events that matched the aggregation criteria.

Note: When aggregation occurs, the summary event that is created and sent to the server does not contain the raw event data for each individual event. A summary event cannot be separated into the individual events that comprise the aggregated event.

Collector-based event filtering and aggregation rules (also referred to as specifications) are created using the Information Manager console, and then deployed to the corresponding collectors. When you filter events at the collector, you remove the events from the event storage, correlation, and incident creation processes. Use caution when you determine which events you want to filter at the collector.

Note: Collector-based filtering or aggregation should not be used if you use Information Manager as your primary tool for policy compliance. Filtering or aggregating event data may exclude the events or the event details that are unnecessary for security monitoring but are necessary for compliance.

See About identifying common events for collector-based filtering or aggregation on page 271.

About identifying common events for collector-based filtering or aggregation

Table 15-1 describes filtering and aggregation guidelines for specific security device types.

Table 15-1 Filter and aggregation guidelines

Device type: All
Suggestions: Test networks can generate the security events that do not indicate any actual threat. Consider filtering all events originating from isolated test networks.

Device type: Firewall
Suggestions: Firewalls generate many events that are not required for correlation. Consider filtering or aggregating the following types of events:
Connection rejected. These indicate that the firewall operates as it is configured. These events do not ordinarily pose a security threat and can be filtered at the Event Collector.
Connection accepted. Typically, legitimate network traffic generates these events. These events can be filtered entirely or they can be aggregated according to IP address. If an individual unwanted connection is accepted, the Intrusion Detection System identifies and reports the attack.
Possible attack. Not all possible attack events indicate a true security threat. Consider filtering or aggregating possible attack events based upon specific attack IDs.

Device type: Enterprise Antivirus
Suggestions: Enterprise antivirus systems customarily report a number of informational events for each protected system. If you use a product such as Symantec Client Security, consider filtering or aggregating the following types of events:
Scan start and scan stop. These events do not pose a security threat and can be filtered or aggregated.
Virus repaired. These events indicate that the antivirus software has repaired infected systems. If there are infections in your environment that are commonly repaired, consider aggregating virus repaired events by the virus name.
Irreparable virus. These events may indicate a virus outbreak. The spread of a virus can generate many redundant events. To avoid unwanted event traffic during an outbreak, consider aggregating irreparable virus events.

Table 15-1 Filter and aggregation guidelines (continued)

Device type: Vulnerability
Suggestions: Typically, all vulnerability scan events should be sent to Information Manager for correlation. Vulnerability assessment events in some cases can be aggregated to reduce network traffic.

Device type: Intrusion Detection
Suggestions: Typically, all intrusion detection and intrusion prevention events should be sent to Information Manager for correlation.

Device type: Windows Event Log
Suggestions: The Windows event log stores both operating system events and application events. Because each Windows system may have different applications installed, broad filtering or aggregation is not advised. All aggregation and filtering must be based upon specific event criteria. Consider filtering or aggregating the following types of events:
Application. Some applications generate an excessive number of informational and warning events. These events can be filtered or aggregated based upon the specific event source and event identifier.
Security. Success audit events do not indicate a security threat and can be aggregated based upon the specific user.
System. System event sources such as the Service Control Manager generate many informational events. These events can be filtered or aggregated based upon the event source and identifier.

See About collector-based event filtering and aggregation on page 269.

About preparing to create collector-based rules

Before you create collector-based filtering and aggregation rules, you need to understand the event data that is generated on your network. You need to gather event data over a period of time and evaluate the event fields that are included in each event. In the Information Manager console, you can use the Event Viewer to view a summary of the events that the enabled collectors identified. The Event Viewer may give you an idea of the categories or types of data that can be used.
However, the event field is the most accurate source of information for creating event filters. Each product has customized event fields specific to that product. Therefore, you should create filtering and aggregation rules based on the events that are specifically related to that product. You can view the event fields by double-clicking an event in the Event Viewer. You can then analyze the fields that appear in the Event Details window.

Informational firewall events may be good filtering candidates. The firewall events that are classified as informational can often be filtered at the collector to reduce traffic to the server. The firewall events that are categorized as informational are generally used for accounting purposes. These events usually do not indicate an attempted security breach. However, the collector correctly detects these events as security-related events. The collector sends them to Information Manager by default. It may be unnecessary to analyze these events to maintain the security policies of your organization. If analysis is unnecessary, you can filter the events at the collector to reduce event traffic. To filter these events, analyze the event details to find the fields on which the filter for this specific event can be created.

To understand the event data and create a filtering rule to filter informational firewall events, you perform the following tasks:
With the collector enabled, generate a series of informational firewall events. In most cases, bringing a firewall online and performing connection tasks through the firewall generates these types of events. To make the event data more useful, generate the common firewall events that might more accurately resemble a live network environment: for example, FTP sessions and failed connection attempts.
After you generate a series of events, use the Event Viewer or an available event report in the Dashboard. Double-click an event to open the Event Details window.
In the Event Details window, analyze the field names that are included in the event. Many of these fields are added at the server rather than at the collection point as part of the normalization process. Therefore, the most effective fields to base a filter on are generally the fields that are generated in the raw event data: for example, the fields that contain event IDs that are specific to the monitored device. For example, if you use the Cisco Pix collector, the firewall generates a unique value in the Event Info 4 field.
Make note of the field and value pair that you want to base your filter on and open the configuration on the Product Configurations tab.
To create a new specification

1 On the System view, in the Product Configurations tab, find the collector for the product that you want to monitor. For example, if you use the Check Point Firewall, navigate to the settings for Check Point FireWall-1 Collector.
Note: You cannot edit the default configuration. You must create a new configuration and specify the settings for that configuration.
2 Select the product and right-click to create a new configuration. Type a name and description for the new configuration, and then click Next.
3 Add computers to the configuration using the + icon. Then click Next.
4 Click Finish. Click Close to save and exit the Configuration Wizard.

5 Select the newly created configuration. In the right pane, on the Filter tab, create a new specification.
6 In the new specification, double-click the name field and find the field name in the list. Alternatively, type the name of the field exactly as it appears in the event details.
7 In the operator column, choose the appropriate operator. In most cases, this value is the equal to operator.
8 In the Value field, type the value exactly as it appears in the event details.
9 Enable the specification, save, and then distribute using the Distribute settings to computers icon.

See About collector-based event filtering and aggregation on page 269.

Accessing event data in the Information Manager console

The Information Manager console provides several different ways to access the event data that each collector gathers. To gain an understanding of the events that can be filtered, you should analyze the event data that is viewable in the Event Details view. You can also create custom reports for specific events. For more information on how to create custom reports, see the documentation that is provided with each collector.

Accessing event data using the Events view

1 In the Information Manager console, click Events.
2 In the Events view, expand the Templates folder.
3 Under the Templates folder, click All Events.
Note: This example uses the All Events query. However, you can use any of the event queries in the Events view that return the event data for which you search.
4 In the right pane, select the archives that contain the event data that you want to review, and then click Run Template.
5 After the query completes, use the results view to find the event you want to analyze.

6 Find the event that you want to analyze, and click View the event details.
7 In the Event Details window, analyze the event fields and data. Many events have unique event IDs that can be used to create the filters that are specific to the event that you want to filter.

See About identifying common events for collector-based filtering or aggregation on page 271.

Creating collector-based filtering and aggregation specifications

After you analyze your event data, you can create filtering and aggregation specifications based on the fields that are viewable in the Event Details window. The Filters and Aggregation tabs let you create, enable, and edit filters to exclude events from being forwarded to the server (filtering). You can also use these tabs to create, enable, and edit filters to gather multiple events into a single event (aggregation). No event filtering or aggregation rules are configured by default. You must add the rules before you can enable or configure them.

See About collector-based event filtering and aggregation on page 269.

To create a collector-side filtering rule

1 In the Information Manager console, on the System view, click Product Configurations.
2 In the left pane, expand the product to which you want to add a filtering rule. Expand the folders until you reach the configurations that are available for the product. If the only configuration available is Default, you must create a new configuration. The Default configuration cannot be edited. If necessary, to create a new configuration, click the folder of the product, and then click Add. Follow the on-screen instructions.
3 Select the configuration you want to modify, and then in the right pane, on the Filter tab, under the list of filters, click Add.
4 Double-click Specification n (where n is 0, 1, 2, and so on), type a name for the rule, and then press Enter.
5 Under the rule properties table, click Add, and then do the following:
In the Name column, double-click the name field and find the value in the event fields list that appears. If you know the exact name of the field that the collector created, you can also type a name for the event filter property. Fields are case-sensitive.
In the Operator column, select an operator from the drop-down list.
In the Value column, type a value for the event filter property.
To add more event filtering information for the rule, repeat this step.
6 When you are finished, in the filter list, check the filter name.
7 Click Save.
8 In the left pane, right-click the appropriate default folder, and then click Distribute.
9 When you are prompted to distribute the configuration, click Yes.

To create a collector-based aggregation rule

1 In the Information Manager console, on the System view, click Product Configurations.
2 In the left pane, expand the product to which you want to add an aggregation rule. Expand the folders until you reach the configurations that are available for the product. If the only configuration available is Default, you must create a new configuration. The default configuration cannot be edited. If necessary, to create a new configuration, click the folder of the product, and then click Add. Follow the on-screen instructions.
3 In the right pane, on the Aggregator tab, under the list of filters, click Add.
4 Double-click Specification n (where n is 0, 1, 2, and so on), type a name for the rule, and then press Enter.
5 Under the rule properties table, click Add, and then do the following:
In the Name column, select the name for the event aggregation property.
In the Operator column, select an operator from the drop-down list.
In the Value column, type a value for the event aggregation property.
To add more event aggregation information for the rule, repeat this step.
6 In the Aggregation time (ms) box, type the time in milliseconds within which the aggregated events should correspond to the rule property. The default value is 100. This property applies to all aggregation filters.
7 When you are done, in the aggregation list, check the aggregation name.
8 Click Save and enable the rule before you distribute.
9 In the left pane, right-click the appropriate default folder, and then click Distribute.
10 When you are prompted to distribute the configuration, click Yes.

Collector-based event filtering and aggregation Examples of collector-based filtering and aggregation rules 277 Examples of collector-based filtering and aggregation rules As you begin to understand the details of the event fields populated, you would discover the common filtering and aggregation candidates. These candidates can be safely implemented at the collector level. You are provided with general guidelines for filtering and aggregation. Before you deploy these examples, each configuration should be carefully evaluated to ensure that the configuration conforms to the specific needs of your security environment. The examples that are provided are common to many deployments, but may not be in compliance with your security policies. Creating filtering and aggregation specifications is an iterative process. This process is based on a careful evaluation of the event data that is specific to your security environment. Filtering at the collector prevents event data from being sent to the Information Manager server for evaluation. Consequently, analysts do not have access to this data for forensic analysis unless the events are stored separately from Information Manager. For example, the events that are classified as informational can be good candidates for event filtering or aggregation at the collector. In some cases, a network may generate a large number of informational events that may not constitute an immediate security threat. From a threat perspective, these events may not be as useful in evaluating a high priority security incident in progress. The informational event details may subsequently help to gain a better understanding of the series of events that led to the security breach. For this reason, an event filter or aggregation specification at the collector should be carefully evaluated before it is deployed. 
When you determine which events can be safely filtered or aggregated, base your collector-based filtering or aggregation specification on specific event criteria. Basing a filter on a broad field such as severity level may have unintended results. When you create filtering rules, specificity helps to prevent unexpected gaps in the information that is available to the analyst. For example, use the event IDs that the monitored product generates to control which information is discarded before it reaches Information Manager. This approach is more precise than using a broader severity category to control that information.

See About collector-based event filtering and aggregation on page 269.

Filtering events generated by specific internal networks

You can filter events from particular subnets that generate a high volume of events that do not pose a threat. For example, a network that is dedicated to testing and developing software applications may generate many events that do not threaten internal network resources. These events can be filtered at the collector to reduce this type of noise.

See Examples of collector-based filtering and aggregation rules on page 277.

To filter network events generated by a specific subnet and acquired by the Windows event log collector
1 On the System view, on the Product Configurations tab, expand the default configuration for the Snare for Windows Event Log collector. On the Filters tab, add a new specification. Add a new entry for the specification, and then double-click the Name field. In the Event fields list, choose Machine Numeric Subnet.
2 Set the Operator to equal to, and in the Value field, enter the subnet that you want to filter against.
3 Save and enable the rule, and then distribute the configuration.

Filtering common firewall events

Firewall products typically generate a large number of events. Many of these events are recorded primarily for lower-priority, informational purposes. Depending on the security policies that you have in place, you may be able to safely filter these events at the collector. By filtering at the collector, you reduce network traffic and increase overall performance.

See Examples of collector-based filtering and aggregation rules on page 277.

Filtering Connection Rejected events

Events that are classified as Connection Rejected events can often be filtered based on the severity of the event and the event ID. For example, in many cases the TCP Connection Rejected events that the Cisco PIX collector detects (PIX-6-106015) can be filtered at the collector. Depending on the security policies of your organization, you may decide to filter or aggregate these events to reduce the amount of data to evaluate. If you want to filter additional events, you can add additional event types to the specification.
For example, you can use the Event Info 4 field to identify No route to dest_addr from src_addr (PIX-6-110001) or HTTP daemon interface int_name: connection denied from IP_addr (PIX-6-605001) PIX events.

To filter Cisco PIX TCP Connection Rejected events
1 On the System view, on the Product Configurations tab, navigate to the product to configure.
2 On the Filters tab, create a new specification.
3 In the new filtering specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Firewall Network Event > Event Info 4. For the Cisco PIX collector, the Event Info 4 field contains the name of the event that PIX uses.
4 Set the Operator to equal to, and then in the Value field, enter the PIX event code (PIX-6-106015).
5 Save and enable the rule, and then distribute the configuration.

Filtering Connection Accepted events

Events that are classified as Connection Accepted can often be filtered based on the severity of the event and, specifically, the event ID. For example, the Connection Accepted events that the Cisco PIX collector detects can be filtered at the collector, such as The user user_name executed cmd: command (PIX-7-111009). PIX-7-111009 events are generally used for accounting purposes only. These events indicate that the command that the user entered was not capable of modifying the configuration. Depending on the security policies of your organization, you may decide to filter or aggregate these events to reduce the amount of data to evaluate.

To filter Cisco PIX Connection Accepted events
1 On the System view, on the Product Configurations tab, navigate to the product to configure.
2 On the Filters tab, create a new specification.
3 In the new filtering specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Firewall Network Event > Event Info 4. For the Cisco PIX collector, the Event Info 4 field contains the name of the event that PIX uses.
4 After you have selected the field name, set the Operator to equal to, and then in the Value field, enter the PIX event code (PIX-7-111009).
5 Save and enable the rule, and then distribute the configuration.
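The following Python script is an added example and is not part of the Symantec guide or its collector code. It applies filter specifications of the kind described above (field, operator, value) to constructed Cisco PIX syslog lines and Windows event log records, and shows the point made at the start of this section: a specification keyed on the exact event code in Event Info 4 (PIX-6-106015, PIX-6-110001) discards only the events you named, while one keyed on the broad Severity field also discards the failed-telnet event (PIX-6-307003) that an analyst may need later. The syslog text, the regular expression that maps it onto the Event Info 4 and Severity fields, and the Windows records with their Option 8 values are assumptions constructed for the example.

```python
"""Collector-style filter specifications over constructed event records.

Added example; not Symantec code. Field names (Event Info 4, Severity,
Option 8, Event ID) follow the guide; how raw syslog text is mapped onto
those fields is an assumption made here.
"""
import re

# Constructed sample lines in Cisco PIX syslog format (not captured traffic).
PIX_SAMPLES = [
    "%PIX-6-106015: Deny TCP (no connection) from 10.1.1.5/4321 to 192.0.2.10/80 "
    "flags SYN ACK on interface outside",
    "%PIX-6-110001: No route to 203.0.113.9 from 10.1.1.5",
    "%PIX-6-307003: Telnet login session failed from 10.1.1.5 (3 times) on interface inside",
    "%PIX-7-111009: User 'admin' executed cmd: show version",
    "%PIX-4-106023: Deny tcp src outside:198.51.100.7/5555 dst inside:10.1.1.20/445 "
    "by access-group \"outside_in\"",
]

# Assumed mapping: "%PIX-<severity>-<id>: text" -> Event Info 4 = "PIX-<severity>-<id>".
PIX_RE = re.compile(r"^%(?P<code>PIX-(?P<sev>\d)-\d{6}):\s*(?P<text>.*)$")


def parse_pix(line):
    """Normalize one raw PIX line into the fields a filter specification can reference."""
    m = PIX_RE.match(line)
    if not m:
        raise ValueError("not a PIX syslog line: %r" % line)
    return {"Event Info 4": m.group("code"), "Severity": int(m.group("sev")), "Raw": line}


# A specification is (field, operator, value); only "equal to" is modelled here.
OPERATORS = {"equal to": lambda actual, wanted: actual == wanted}


def matches(spec, event):
    field, op, value = spec
    return field in event and OPERATORS[op](event[field], value)


def apply_filters(events, specs):
    """Split events into (forwarded, dropped); any matching spec drops the event."""
    forwarded, dropped = [], []
    for ev in events:
        (dropped if any(matches(s, ev) for s in specs) else forwarded).append(ev)
    return forwarded, dropped


def pix_codes_dropped(specs):
    """Event codes that a set of specifications removes from PIX_SAMPLES, sorted."""
    _, dropped = apply_filters([parse_pix(line) for line in PIX_SAMPLES], specs)
    return sorted(ev["Event Info 4"] for ev in dropped)


# Specific: exactly the Connection Rejected codes named in the guide.
BY_EVENT_ID = [("Event Info 4", "equal to", "PIX-6-106015"),
               ("Event Info 4", "equal to", "PIX-6-110001")]
# Broad: everything at PIX severity 6 (informational). This also drops
# PIX-6-307003, the failed-telnet event the guide treats separately.
BY_SEVERITY = [("Severity", "equal to", 6)]

# Windows event log collector: the same matcher on the Option 8 field.
# Records are constructed; Option 8 carries "<log>:<event id>" as in the guide.
WINDOWS_SAMPLES = [
    {"Option 8": "Security:540", "Event ID": 540, "Raw": "Successful Network Logon"},
    {"Option 8": "Security:529", "Event ID": 529, "Raw": "Logon Failure: bad password"},
]
WINDOWS_540 = [("Option 8", "equal to", "Security:540")]

if __name__ == "__main__":
    print("dropped by event ID:", pix_codes_dropped(BY_EVENT_ID))
    print("dropped by severity:", pix_codes_dropped(BY_SEVERITY))
    kept, _ = apply_filters(WINDOWS_SAMPLES, WINDOWS_540)
    print("windows forwarded  :", [ev["Raw"] for ev in kept])
```

Run it and compare the two lists: the extra entry in the severity-based result is the gap the guide warns about. A real collector evaluates specifications against many more fields and operators; the model above keeps only what is needed to show the difference.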
Filtering Possible Attack events

In many cases, events that are classified as possible attacks can be either filtered or aggregated. For example, if you use the Cisco PIX collector, the collector gathers events such as failed telnet session attempts as possible attacks and displays them in the console. Based on your policies, you can filter or aggregate these events at the collector to reduce the amount of data to evaluate. If you want to filter similar events (or events that carry a similar severity), you can add additional event types to the specification. For example, you can use the Event Info 4 field to identify Telnet Login Session Failed (PIX-6-307003) events or Retrieved IP address for FTP session (PIX-6-303002) events.

To filter Cisco PIX failed telnet session events
1 On the System view, on the Product Configurations tab, navigate to the product to configure.
2 On the Filters tab, create a new specification.
3 In the new filtering specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Firewall Network Event > Event Info 4. For the Cisco PIX collector, the Event Info 4 field contains the name of the event that PIX uses.
4 After you have selected the field name, set the Operator to equal to, and then in the Value field, enter the PIX event code (PIX-6-307003).
5 Save and enable the rule, and then distribute the configuration.

Filtering Remote Management Connection events

Remote Management Connection events can often be aggregated if you expect remote management connections to take place from trusted sources or on an expected host computer. These events are often classified as Informational, and in many cases they can be safely aggregated. For example, if you use the Juniper Netscreen Firewall collector, you can create an aggregation specification that gathers specific types of Remote Management Connection events into a single summary event that is sent to the server. You may, for example, have a host computer that manages remote connections and for which you expect many Remote Management events. You can aggregate these events into a single event summary.

To aggregate events for the Juniper Netscreen Firewall collector based on a specific host computer
1 On the System view, on the Product Configurations tab, navigate to the product to configure.
2 Expand the default configuration for the Juniper Netscreen Firewall Event Collector.
3 On the Aggregation tab, add a new specification. Add a new entry for the specification, and then double-click the Name field. In the Event fields list, navigate to Common Event > Destination Host Name.
4 Set the Operator to equal to, and then enter the host name in the Value field.
5 In the Aggregation time (ms) box, type the time window, in milliseconds, within which matching events are combined into one summary event.
6 Save and enable the rule, and then distribute the configuration.

Filtering common Symantec AntiVirus events

Symantec AntiVirus generates events that can often be filtered or aggregated. For example, most antivirus products provide proactive event notifications of maintenance tasks such as data scan start and stop events. Because these security-related events indicate expected behavior, they can often be safely filtered or aggregated at the collector. To filter the events that Symantec AntiVirus generates, edit the configuration file (.cfg) that is included when the collector is installed on the Symantec AntiVirus parent server. The collector monitors the parent server for events and uses the configuration files to determine which events are forwarded to the server.

See Examples of collector-based filtering and aggregation rules on page 277.

The following events are common Symantec AntiVirus events that can be filtered at the collector:
Unscannable Violation
Data Scan Start
Data Scan End
Data Scan Cancel
Data Scan Pause
Data Scan Resume
Application Start
Application Stop

Note: Application Stop events can indicate that Symantec AntiVirus has been disabled. The AntiVirus Disabled event correlation rule on the server detects this event. If you filter Application Stop events at the collector, this rule does not trigger during correlation.

Symantec AntiVirus and Symantec Client Security configuration files are stored on the parent server on which the collector is installed. The files are stored by default in the following locations:
Symantec AntiVirus: C:\Program Files\Symantec\Collector\Plugins\SAVSesa\savsesa.cfg

Symantec Client Firewall: C:\Program Files\Symantec\Collector\Plugins\SCFSesa\scfsesa.cfg
Symantec Client Security: C:\Program Files\Symantec\Collector\Plugins\SCSState\scsstate.cfg

You can also filter the events that are forwarded from individual clients or servers by using the Log Event Forwarding wizard. The wizard is available through the Symantec System Center interface that is provided with Symantec AntiVirus and Symantec Client Security. The Log Event Forwarding wizard lists the complete set of events that can be forwarded to parent servers. For more information on using Symantec System Center, see the documentation that is provided with Symantec AntiVirus and Symantec Client Security.

To enable event filtering on a Symantec AntiVirus parent server
1 On the parent server that you are monitoring, use a text editor such as Notepad to open the following file: C:\Program Files\Symantec\Collector\Plugins\SAVSesa\savsesa.cfg
2 In the .cfg file, find the ExcludeEvents section.
3 From the list of events in this section, remove the comment symbol (;) from before the event type or types that you want to filter.
4 Save the file as a .cfg file. You may need to restart the collector.

Filtering or aggregating vulnerability assessment events

Typically, all vulnerability assessment scans should be sent to the Correlation Manager for analysis. However, in some cases vulnerability assessment events can be aggregated to reduce the number of events that are sent individually to the Information Manager server. For example, the Symantec ESM collector detects vulnerability assessment events that relate to whether files are backed up on the systems that it scans (Backup Integrity events). This information is useful for a variety of network analysis tasks, but based on the policies of your organization it may not represent an immediate security threat.

A Different ACL entry event is another potential candidate for aggregation of vulnerability assessment events. A Different ACL entry event typically indicates a permissions misconfiguration rather than an actual security breach.

See Examples of collector-based filtering and aggregation rules on page 277.

To aggregate Backup Integrity events for the Symantec ESM collector
1 On the System view, on the Product Configurations tab, navigate to the product to configure.
2 On the Aggregation tab for that product, create a new specification.
3 In the new aggregation specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Vulnerability > Vulnerability Custom 2. For the Symantec ESM collector, the Vulnerability Custom 2 field contains the type of event that the vulnerability assessment scan generates.
4 Set the Operator to equal to. Then in the Value field, type Backup Integrity exactly as it appears in the Event Details entry for the Vulnerability Custom 2 field.
5 In the Aggregation time (ms) box, type the time window, in milliseconds, within which matching events are combined into one summary event.
6 Save and enable the rule, and then distribute the configuration.

To aggregate Different ACL entry events
1 On the System view, on the Product Configurations tab, navigate to the product to configure.
2 On the Aggregation tab for that product, create a new specification.
3 In the new aggregation specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Vulnerability > Vulnerability Name. For the Symantec ESM collector, the Vulnerability Name field contains a brief description of the event that the vulnerability assessment scan generates.
4 After you have selected the field name, set the Operator to equal to. Then in the Value field, type Different ACL entry exactly as it appears in the Event Details entry for the Vulnerability Name field.
5 In the Aggregation time (ms) box, type the time window, in milliseconds, within which matching events are combined into one summary event.
6 Save and enable the rule, and then distribute the configuration.

Filtering Windows Event Log events

If you use the Windows event log collector, you can reduce traffic by filtering the common network events that generally do not pose a threat. The Windows event logs generate a large number of events that track a variety of activities, including those related to security. These events carry unique event codes that are included in the raw event data. You can use these event codes to create collector-based filters that reduce the number of events that are passed to the server. For example, Successful Network Logon events (Windows event ID 540) do not typically pose a security risk if the appropriate security measures are in place, for example, strong passwords, multiple layers of access defense, and limited administrator privileges. Keep in mind, however, that successful network logons are also the record an analyst relies on to trace lateral movement after a compromise, so weigh the forensic gap described at the start of this section before you filter them. Another example of a Windows event log event that can be filtered is the successful login Application event (event ID 17055).

See Examples of collector-based filtering and aggregation rules on page 277.

To filter Windows Successful Network Logon events (540)
1 On the System view, on the Product Configurations tab, navigate to the product to configure.
2 On the Filters tab, create a new specification.
3 In the new filtering specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Windows and Novell Event > Option 8. For this type of event, Option 8 contains the event ID. Note that the option fields vary with each event for Windows event log entries. For more information on the Windows Event Log option fields, see the documentation that Microsoft provides.
4 Set the Operator to equal to. In the Value field, type Security:540 exactly as it appears in the Event Details entry for the Option 8 field. As an alternative, you can choose the Event ID field with a value of 540.
5 Save and enable the rule, and then distribute the configuration.

To filter Windows successful login Application events
1 On the System view, on the Product Configurations tab, navigate to the product to configure.
2 On the Filters tab, create a new specification.
3 In the new filtering specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Windows and Novell Event > Option 8. For this type of event, Option 8 contains the event ID. Note that the option fields vary with each event for Windows event log entries. For more information on the Windows Event Log option fields, see the documentation that Microsoft provides.
4 Set the Operator to equal to. In the Value field, type Application:17055 exactly as it appears in the Event Details entry for the Option 8 field. As an alternative, you can choose the Event ID field with a value of 17055.
5 Save and enable the rule, and then distribute the configuration.
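As an added example (not the guide's or the collector's own code), the following Python script models the aggregation specifications described in this chapter: the Juniper Netscreen rule on Common Event > Destination Host Name and the Symantec ESM rule on Vulnerability > Vulnerability Custom 2 = Backup Integrity, each with an aggregation time in milliseconds. Events that match the specification within the window are collapsed into one summary event that carries a count and the first and last timestamps; events that do not match pass through unchanged. The event records, their timestamps, the window semantics (a window opens at the first matching event and closes after the aggregation time) and the summary layout are assumptions made for the example, not details the guide specifies.

```python
"""Time-windowed aggregation of matching events into summary events.

Added example; not Symantec code. Field names follow the guide; record
layout, timestamps and window semantics are assumptions.
"""


def aggregate(events, field, value, window_ms):
    """Collapse events whose `field` equals `value` into summary records.

    A window opens at the first matching event and accepts further matches
    for `window_ms` milliseconds; the next match after that starts a new
    window. Non-matching events are forwarded untouched. Events are processed
    in timestamp order (`ts`, milliseconds). Returns the forwarded stream.
    """
    out, current = [], None
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get(field) != value:
            out.append(ev)                      # not covered by the specification
            continue
        if current is not None and ev["ts"] - current["first_ts"] <= window_ms:
            current["count"] += 1
            current["last_ts"] = ev["ts"]
        else:
            if current is not None:
                out.append(current)             # window expired: emit the summary
            current = {"aggregated": True, field: value, "count": 1,
                       "first_ts": ev["ts"], "last_ts": ev["ts"]}
    if current is not None:
        out.append(current)                     # flush the open window at end of input
    return out


def summaries(stream):
    """Counts carried by the summary events in a forwarded stream, in order."""
    return [ev["count"] for ev in stream if ev.get("aggregated")]


# Constructed Netscreen-style records: five remote management connections to
# the expected management host and one to another host. ts is milliseconds.
NETSCREEN = [
    {"ts": 0,     "Destination Host Name": "mgmt-01", "Event": "Remote management connection"},
    {"ts": 400,   "Destination Host Name": "mgmt-01", "Event": "Remote management connection"},
    {"ts": 700,   "Destination Host Name": "db-02",   "Event": "Remote management connection"},
    {"ts": 900,   "Destination Host Name": "mgmt-01", "Event": "Remote management connection"},
    {"ts": 60000, "Destination Host Name": "mgmt-01", "Event": "Remote management connection"},
    {"ts": 61000, "Destination Host Name": "mgmt-01", "Event": "Remote management connection"},
]

# Constructed ESM-style records: three Backup Integrity findings and one
# Different ACL entry finding from the same scan.
ESM = [
    {"ts": 10, "Vulnerability Custom 2": "Backup Integrity", "Vulnerability Name": "File not backed up"},
    {"ts": 20, "Vulnerability Custom 2": "Backup Integrity", "Vulnerability Name": "File not backed up"},
    {"ts": 30, "Vulnerability Custom 2": "Permissions",      "Vulnerability Name": "Different ACL entry"},
    {"ts": 40, "Vulnerability Custom 2": "Backup Integrity", "Vulnerability Name": "File not backed up"},
]


if __name__ == "__main__":
    ns = aggregate(NETSCREEN, "Destination Host Name", "mgmt-01", 60000)
    print("netscreen: %d records in, %d forwarded, summaries %s"
          % (len(NETSCREEN), len(ns), summaries(ns)))
    esm = aggregate(ESM, "Vulnerability Custom 2", "Backup Integrity", 5000)
    print("esm: %d records in, %d forwarded, summaries %s"
          % (len(ESM), len(esm), summaries(esm)))
```

With a 60000 ms window, the six Netscreen records become three forwarded records: the db-02 connection unchanged, a summary of four connections, and a second summary for the connection that arrived after the window closed. A summary carries a count and a time span but not the per-event details, which is the trade-off the caveat at the start of this chapter describes.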


Section 6 Working with incidents

Chapter 16. Managing Incidents
Chapter 17. Working with filters in the Incidents view


Chapter 16 Managing Incidents

This chapter includes the following topics:
About incident management
Viewing incidents
About creating and modifying incidents
Closing an incident
Reopening a closed incident
Printing incident details
Printing the incident, ticket, or asset list
Exporting the incident, ticket, or asset list
Assigning incidents automatically to the least busy member in a user group

About incident management

Symantec Security Information Manager facilitates efficient and appropriate management of security incidents and alerting (nonsecurity) incidents. An incident is derived from one or more events that are logged in the event database. For example, when a firewall-down event occurs, an alerting incident can be generated. A security incident might be created when an internal port sweep event occurs. The term "incidents" includes both security incidents and alerting incidents.

Incident management begins when an incident is created. Information Manager provides the following methods of incident creation:

Automated incident creation: The Correlation Manager creates incidents from events, and then the incidents are assigned according to automatic assignment rules.
Manual incident creation: The analyst determines which events are related and manually correlates the events by grouping them as a single incident.

Incident identification

When you create a custom rule on the Rules view, you can specify the type of incident that the rule generates. If you check the Alerting Incident box on the Actions tab of the rule form, the Correlation Manager generates an alerting incident. If this box is unchecked, the Correlation Manager generates a security incident. You can also set the incident type manually. See the Symantec Security Information Manager Administrator's Guide for information about creating custom rules.

After an event or group of events is selected and identified as an incident, the incident is assigned to an analyst for investigation and resolution. Information Manager provides the analyst with recommended actions to be completed, including the remediation options that are associated with the incident type. A history log tracks any changes to the incident and lets the analyst note important facts.

See About creating and modifying incidents on page 294.

The Blaster worm attack begins with a series of sweeps to ports 135, 445, and 4444. Using the default rules, Information Manager detects each of these sweeps as suspicious and creates a conclusion for each. At the same time, events from intrusion detection software such as Symantec IDS lead to other conclusions that are related to the same source IP address. Information Manager may also create further conclusions if the source IP address for the attack is on the IP watch list. This list is updated automatically to provide up-to-date protection from the computers that are known to be used in attacks.

Based on all of these conclusions that are related to the same IP address, Information Manager generates a security incident. A security analyst finds out about the new incident by email alert, or while monitoring the Incidents tab in the Information Manager console. The incident contains all the information that the analyst needs to determine the source and target of the attack.
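To make the sequence just described concrete, here is an added Python illustration (not the Correlation Manager's rule set or code) of conclusions being produced per rule and combined per source IP address: sweeps of ports 135, 445, and 4444 each yield a conclusion, an IDS alert yields another, a source on the IP watch list yields another, and a security incident is raised for any source IP address that accumulates enough conclusions. The event records, the sweep threshold (three distinct destination hosts), the incident threshold (three conclusions), the IDS signature name, and the watch list contents are assumptions constructed for the example.

```python
"""Toy correlation: per-rule conclusions keyed on source IP, combined into an incident.

Added illustration; not the Correlation Manager's rules or code. Thresholds,
the watch list and the event records below are assumptions.
"""
from collections import defaultdict

SWEEP_PORTS = {135, 445, 4444}   # ports the Blaster sweeps target (from the guide)
SWEEP_MIN_TARGETS = 3            # assumed: distinct destination hosts before a sweep conclusion
INCIDENT_MIN_CONCLUSIONS = 3     # assumed: conclusions per source IP before an incident
WATCH_LIST = {"10.0.0.7"}        # constructed; the real list is updated from Symantec


def sweep_conclusions(events):
    """'Port sweep on <port>' for every (source, port) pair that touched enough hosts."""
    hosts_by_src_port = defaultdict(set)
    for ev in events:
        if ev["type"] == "connection" and ev["dport"] in SWEEP_PORTS:
            hosts_by_src_port[(ev["src"], ev["dport"])].add(ev["dst"])
    conclusions = defaultdict(set)
    for (src, dport), hosts in hosts_by_src_port.items():
        if len(hosts) >= SWEEP_MIN_TARGETS:
            conclusions[src].add("Port sweep on %d" % dport)
    return conclusions


def correlate(events):
    """Return (conclusions per source IP, incidents per source IP)."""
    conclusions = sweep_conclusions(events)
    for ev in events:
        if ev["type"] == "ids_alert":
            conclusions[ev["src"]].add("IDS: %s" % ev["signature"])
        if ev["src"] in WATCH_LIST:
            conclusions[ev["src"]].add("Source IP on watch list")
    incidents = {src: sorted(c) for src, c in conclusions.items()
                 if len(c) >= INCIDENT_MIN_CONCLUSIONS}
    return dict(conclusions), incidents


def _conn(src, dst, dport):
    return {"type": "connection", "src": src, "dst": dst, "dport": dport}


# Constructed sample: 10.0.0.7 sweeps three hosts on each Blaster port and trips
# an IDS signature; 10.0.0.9 only sweeps port 445 and is not on the watch list.
SAMPLE_EVENTS = (
    [_conn("10.0.0.7", "192.0.2.%d" % n, port) for port in (135, 445, 4444) for n in (1, 2, 3)]
    + [{"type": "ids_alert", "src": "10.0.0.7", "signature": "RPC DCOM interface overflow"}]
    + [_conn("10.0.0.9", "192.0.2.%d" % n, 445) for n in (1, 2, 3)]
    + [_conn("10.0.0.9", "192.0.2.4", 80)]
)

if __name__ == "__main__":
    conclusions, incidents = correlate(SAMPLE_EVENTS)
    for src, c in sorted(conclusions.items()):
        print(src, sorted(c), "-> INCIDENT" if src in incidents else "-> no incident")
```

Only 10.0.0.7 reaches the incident threshold: three sweep conclusions, one IDS conclusion and one watch-list conclusion. The single sweep from 10.0.0.9 stays a conclusion, which is the behaviour the guide describes for conclusions that do not combine into an incident.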

Example: Information Manager automates incident management during a Blaster worm attack

Symantec Security Information Manager tracks the entire incident response cycle through the following phases:
Incident identification
Threat containment, eradication, and recovery
Follow-up

Threat containment, eradication, and recovery

When Information Manager alerts the security analyst about the incident, the analyst can use Information Manager to better understand the scope of the problem and to investigate eradication options. Information Manager facilitates the containment phase by providing the event data with the incident declaration. Rather than searching through countless log files, the analyst knows which events triggered the security incident and which systems are affected. The incident also includes recommended corrective action from the Symantec Global Intelligence Network Threat Management System, which enables the security analyst to quickly identify the corrective actions. The analyst can now create a ticket that describes the tasks necessary to eradicate the threat. The ticket includes the incident information, the event details, and the recommended corrective actions. Ticket information can be made accessible to an external help desk through the Information Manager Web Service.

Follow-up

After the threat has passed, the analyst can further analyze the effect of the incident. The analyst can fine-tune the correlation rules, event filters, and firewall rules to prevent the threat from occurring again. Analysts can also mine the event archive data if necessary and create reports that document the scope of the incident and the security team's efforts to resolve it.

Viewing incidents

The incident list displays summarized information about incidents in the database. It also provides access to more detailed information about individual incidents.

About the incident list

Information Manager lets you view any combination of logged incidents and the details that are associated with those incidents. This flexible capability facilitates straightforward management of incidents. By viewing incident details and incident logs, you gain access to the history of the incident as well as the analyst's notes.

Using the filtering feature, you can view a subset of the incidents in the database. For example, you can view all open security incidents or only the open security incidents that are assigned to you. You can search for a specific incident by typing its Reference ID in the Reference ID box. You can also type part of the Reference ID, and Information Manager displays all the incidents that contain that sequence of numbers. If you leave the Reference ID box empty, the search returns all incidents that match the selected filter and that you have permission to see.

The Incidents view consists of the incident list (the top portion of the window) and the incident preview pane. You can select an incident view from the Filter drop-down list. The incident views that are available to select depend on the roles (permissions) that were assigned to you. When you click an incident in the list, the incident preview pane displays additional information about that incident. This pane contains a series of tabs on which you can perform incident management tasks.

See Viewing and modifying the incident list on page 293.

When you double-click an incident in the list, Information Manager displays the Incident Details window. This window contains the same information that is in the incident preview pane. You can have more than one Incident Details window open at one time, so you can easily switch between incidents.

The following table lists the incident preview tabs and their functions.

Table 16-1 Incident preview tabs

Details: Displays the incident details. You can view incident history and change several settings, such as the status, priority, and description.
Conclusions: Displays the conclusions of the events that are associated with the incident. You can view details about a conclusion and about the associated events.
Events: Displays the events that are associated with the incident. You can view details about an event; you can also remove one or more events, that is, disassociate events from the selected incident. You can view additional information about some of the fields for a particular event. To see this information, right-click any of these fields:
    Event Code: Includes attack effects, mechanisms, and resources. Also provides details about each type of vulnerability, malicious code, and exposure that is associated with the event code.
    Source IP: Lists the incidents that are associated with the asset that uses this IP address. You can also view details about the asset and a list of any associated tickets.
    Destination IP: Lists the incidents that are associated with the asset that uses this IP address. You can also view details about the asset and a list of any associated tickets.
Targets: Displays information about the target computers that are associated with the incident.
Attack Diagram: Displays a visual representation of the attack.
Intelligence: Displays the vulnerability information and target information about the computers that are associated with the incident.
Tickets: Displays summary information about the help desk tickets that have been created for the incident. You can also view ticket details.
Remediation: Displays the remediation suggestions that are associated with an incident. Remediation information is associated with the rule that was triggered.
Log: Displays an incident's log file. You can view the change history of the incident, and you can add notes to the file. You cannot change or delete log notes.

Viewing and modifying the incident list

The incident list displays the first 5,000 incidents that are in the database. For example, if 10,000 incidents come in, only the first 5,000 incidents are displayed. Therefore, it is important to assign or auto-assign incidents to keep the queue of all open incidents moving and current.

See About the incident list on page 292.

Information Manager updates the list as new incidents are created. You do not need to manually refresh the list. If you want to freeze the list while you view it or while you modify incident records, click Lock View on the toolbar. When Lock View is checked, no new incidents are added to the list; the list is updated again when you uncheck Lock View.

To view incidents
1 In the Information Manager console, click Incidents.
2 Take one or both of the following actions:
On the toolbar, in the Filter drop-down list, select a view. For example, to view only your open security incidents, under Security Incident Filters, click My Open Incidents. To view the open alerting incidents that are not yet assigned, under Alerting Incident Filters, click Unassigned Open Alerts. All of the incidents that meet the filter criteria appear in the incident list.
In the Reference ID box, type all or a portion of the ID of the specific incident that you want to view. You do not have to type the leading zeroes. Then click the Search by ID (magnifying glass) icon. All of the incidents that contain the numerals you typed appear in the incident list.

You can modify the appearance of the incident list by adding or removing columns (fields).

To add or remove columns from the incident list
1 On the toolbar, in the Filter drop-down list, select a view.
2 In the incident list, right-click any column heading.
3 In the drop-down menu, check a field name that you want to add to the list. Alternatively, uncheck a field name that you want to remove from the list.
4 Repeat steps 2 and 3 until the list contains the columns that you want.

The list modifications persist across sessions. Therefore, the next time that you log in to the Information Manager console, the list has the column headings that you selected in this procedure.
About creating and modifying incidents

Information Manager is populated with incidents by using the following methods:
Automatic creation of incidents by the Correlation Manager
Manual creation of incidents

The Correlation Manager automatically analyzes and correlates events to create incidents. The Correlation Manager uses information from various sources to determine when to create an incident. Sources include correlation rules, the asset table, and the Global Intelligence Network. See the Symantec Security Information Manager Administrator Guide for information about the Correlation Manager.

You can also create incidents manually in Information Manager. This capability is typically used for tracking physical security threats that an intrusion detection product would not identify. When you create a new incident, Information Manager automatically generates the values for the information that is stored in the log, for example, the Incident ID number, Incident Creator, and Rule Name.

See Creating incidents manually on page 295.

Creating incidents manually

You can create incidents manually from the Incidents view as well as from the Events view. Incidents that are created manually from the Events view are associated with the selected events. By default, Information Manager assigns a severity of 1 to incidents that are entered manually because the confidentiality, integrity, and availability values are unknown.

To create an incident manually from the Incidents view
1 In the Information Manager console, click Incidents.
2 On the toolbar, click + (the plus icon).
3 In the Create New Incident dialog box, set the following values or accept the default settings:
From the Type list, select the incident type.
From the State list, select the incident state.
In the Assignee field, click Find Users (...) to open the Find Users dialog box. Select a user group from the Look in Group list, and then select a user within that user group. You can also enter the details of a user and search for the user to whom the incident can be assigned.
In the Team field, click Find User Groups (...) to open the Find User Groups dialog box, and then select the team that is responsible for resolving the incident. You can create teams with the user groups function on the System view.

From the Priority drop-down list, select a priority for the incident from 1 to 5 (5 is the highest priority).
From the Severity drop-down list, select the severity of the incident from 1 to 5 (5 is the highest severity).
In the Description box, enter a description of the incident.
(Optional) Check Tracking to continue to track the events that are associated with this incident.
If you use the default settings, you can change any of the values later.
4 Click OK.

See Modifying incidents on page 296.

To create an incident manually from the Events view
1 In the Information Manager console, click Events.
2 Run the query that returns the event from which you want to create the incident.
3 In the events table, locate one or more events that you want to assign to an incident.
4 Right-click the event row, and then click Create Incident. If you want to assign more than one event to a single incident, use the Ctrl or Shift key to select the rows. You can select a maximum of 500 events per incident. If you want to assign more than 500 events to a single incident, create multiple incidents and then merge them. See Merging incidents on page 297.
5 Click Yes to confirm. The Create New Incident dialog box appears. The event (or events) that you selected is listed on the Events tab in the lower section of the dialog box.
6 In the Create New Incident dialog box, specify the settings that you want for the new incident. See To create an incident manually from the Incidents view on page 295.
7 Click OK.

Modifying incidents

You can modify the details that were set when the incident was created. For example, you can change the user to whom an incident is assigned.

See About creating and modifying incidents on page 294.

To modify an incident

1 In the Information Manager console, click Incidents.

2 From the Filter list, select the category of incidents that you want to modify. In the incident list, click the incident that you want to modify. You can select more than one incident by using the Shift or Ctrl key.

3 In the preview pane, do any of the following:

Change the incident type by using the Type list. You can convert an alerting incident to a security incident, and you can convert a security incident to an alerting incident.

Change the incident's state by using the State list.

Change the user to whom the incident is assigned by clicking Find Users (...) to open the Find Users dialog box. Then, in the Look in Group list, select a user group, and then select the corresponding assignee from the group. You can also enter the details of a user and search for the user who can be assigned the incident. To change the Assignee field to Unassigned, click Clear.

Change the team to whom the incident is assigned by clicking Find User Groups (...) and selecting the user group. To change the Team field to Unassigned, click Clear.

Change the incident's priority or severity, or both, by using the Priority and Severity lists.

Stop tracking the events that are associated with an incident. If you uncheck the Tracking check box, you can no longer track the incident. This action is irreversible once you save and exit the Incident Details dialog box.

4 On the preview pane toolbar, click Save.

Merging incidents

If you decide that multiple incidents are about the same issue, you can merge them to reduce your system overhead. When you merge incidents, Information Manager closes the original incidents and creates a new incident. The new incident contains the reference IDs of all of the merged incidents. You can see the list of reference IDs in the new incident's log.

When you merge incidents, you have the option of saving the original incidents or deleting them. If you save the original incidents, Information Manager assigns them to the Closed Incident list. You can then view them using the appropriate Closed Incident filter: for example, the My Closed Security Incidents filter. Each closed incident includes the reference ID of the new incident into which it was merged. You can see this information in the closed incident's log.

To merge incidents

1 In the Information Manager console, click Incidents.

2 Use the Filter drop-down list to select the view that you want.

3 In the incident list, select the incidents that you want to merge.

4 Click Merge Incidents on the toolbar.

5 In the Create Merged Incident dialog box, change any of the parameters that you want. You must at least select values in all fields that are blank. Blank fields occur when the selected incidents have differing values. For example, if the incident priority values are not all the same, the Priority field is blank, and you must select a priority for the new incident. You should also type a description for the new incident. To change the Assignee or Team field to Unassigned, click Clear.

6 If you want to delete the original incidents after the merge, check Delete incidents after merge. If you select this option, the original incidents are closed and deleted from the system. If you do not select this option, the original incidents remain in the system after the merge, and they appear in the Closed Incidents list.

7 Click OK. A new incident appears at the top of the incident list, and the original incidents are removed from the list. They are either deleted or moved to the Closed Incidents list, depending on your selection in step 6.

Closing an incident

See About incident management on page 289.

You can close an incident when all recommended actions are complete. You can also close multiple incidents at the same time. The history log indicates that those multiple incidents were closed outside of the normal workflow. After you have closed an incident, you can reopen it. Information Manager also lets you close an incident before all actions are complete.
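The merge behaviour described under Merging incidents, as an added example that is not Symantec's code: fields on which all selected incidents agree are pre-filled, fields that differ are left blank for the analyst, the originals are closed with a reference to the new incident, and the new incident's log carries every merged reference ID. The data model and the carrying-over of event associations are assumptions of the example.

```python
"""Added example, not Symantec's code: the merge behaviour this chapter
describes.  Fields on which every selected incident agrees are pre-filled in
the Create Merged Incident form, fields on which they differ are left blank
for the analyst, the originals are closed with a reference to the new
incident, and the new incident's log lists every merged reference ID.
Assumptions: the simplified data model below, and that the merged incident
inherits the originals' event associations (implied by the guide's advice to
create several incidents and merge them when more than 500 events are
involved)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Incident:
    incident_id: str
    type: str                  # "Security" or "Alerting"
    state: str                 # "Open", "In-Work", "Closed", ...
    priority: Optional[int]    # 1..5, 5 is the highest
    severity: Optional[int]    # 1..5, 5 is the highest
    assignee: Optional[str]    # None means Unassigned
    team: Optional[str]        # None means Unassigned
    description: str
    events: list = field(default_factory=list)   # associated event IDs
    log: list = field(default_factory=list)      # history entries


# Fields the Create Merged Incident form pre-fills when the originals agree.
MERGEABLE_FIELDS = ("type", "state", "priority", "severity", "assignee", "team")


def _common_value(incidents, name):
    """Shared value if all incidents agree on the field, else None (blank)."""
    values = {getattr(i, name) for i in incidents}
    return values.pop() if len(values) == 1 else None


def propose_merge(incidents):
    """Build the pre-filled form.  None marks the blank fields the analyst
    must select: blank fields occur when the selected incidents have
    differing values."""
    if len(incidents) < 2:
        raise ValueError("a merge needs at least two incidents")
    form = {name: _common_value(incidents, name) for name in MERGEABLE_FIELDS}
    form["description"] = ""   # the guide says to type a new description
    return form


def blank_fields(form):
    """Fields the analyst still has to fill in before clicking OK."""
    return [name for name in MERGEABLE_FIELDS if form.get(name) is None]


def merge_incidents(incidents, form, new_id, delete_originals=False):
    """Apply a completed form.  Returns (new_incident, surviving_originals);
    survivors are the closed originals that remain in the Closed Incidents
    list, or an empty list when 'Delete incidents after merge' is checked."""
    missing = blank_fields(form)
    if missing:
        raise ValueError(f"select values for the blank fields: {missing}")
    refs = [i.incident_id for i in incidents]
    merged = Incident(
        incident_id=new_id,
        type=form["type"], state=form["state"],
        priority=form["priority"], severity=form["severity"],
        assignee=form["assignee"], team=form["team"],
        description=form["description"],
        events=[e for i in incidents for e in i.events],
        log=[f"Created by merge of incidents: {', '.join(refs)}"],
    )
    survivors = []
    for original in incidents:
        original.state = "Closed"
        original.log.append(f"Merged into incident {new_id}")
        if not delete_originals:
            survivors.append(original)
    return merged, survivors


def sample_incidents():
    """Constructed sample data: two Security incidents about the same scan
    that agree on type, state, severity and team but not on priority or
    assignee."""
    return [
        Incident("INC-101", "Security", "Open", 3, 4, "alice", "SOC Tier 1",
                 "Port scan against DMZ host", events=["EV-1", "EV-2"]),
        Incident("INC-102", "Security", "Open", 5, 4, "bob", "SOC Tier 1",
                 "Port scan against DMZ host (second sensor)", events=["EV-3"]),
    ]


if __name__ == "__main__":
    originals = sample_incidents()
    form = propose_merge(originals)
    print("blank fields to select:", blank_fields(form))   # priority, assignee
    form.update(priority=5, assignee="alice", description="Merged port scan")
    merged, kept = merge_incidents(originals, form, "INC-103")
    print(merged.log[0], "|", [i.state for i in kept])
```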
In some cases, when you close an incident, correlation may continue for a short period of time until the closing process completes.

To close an incident

1 In the Information Manager console, click Incidents.

2 Using the Filter drop-down list, select the incident view that contains the incident to close.

3 In the incident list, click the incident to close, and then click Close on the toolbar.

4 In the Close Incident window, select a disposition type from the Disposition drop-down list. For example, click Resolved.

5 (Optional) In the Notes box, type a note regarding the resolution of the incident. Information Manager stores your comments in the log.

6 Click OK. The incident is now closed, and you can view it using the All Closed Incidents view.

See About incident management on page 289.

Reopening a closed incident

Occasionally, you may need to reopen an incident that was previously closed.

To reopen a closed incident

1 In the Information Manager console, click Incidents.

2 Using the Filter drop-down list, select the incident view that contains the incident that you want to reopen. For example, you may select All Closed Incidents.

3 In the incident list, double-click the incident to reopen.

4 In the State drop-down list, click the appropriate state, such as In-Work.

5 Click the Save icon on the toolbar.

6 Click OK.

See Closing an incident on page 298.

Printing incident details

Use this procedure to print the details for a specific incident.

To print incident details

1 In the Information Manager console, click Incidents.

2 Using the Filter drop-down list, select the incident view that contains the incident that you want to print.

3 In the incident list, double-click the incident.

4 In the Incident Details window, click the Print icon on the toolbar. The print output appears in a new browser window.

5 On the File menu, click Print.

6 Select your print options, and click Print.

See Printing the incident, ticket, or asset list on page 300.

Printing the incident, ticket, or asset list

Printing an incident, ticket, or asset list is a two-part process:

First, you export the view that you want to a CSV file or an XML file. If you have applied a filter to the list, Information Manager exports only those records that the filter displays. See Exporting the incident, ticket, or asset list on page 300.

Then, you print the exported file from another application, such as a Web browser or a spreadsheet program.

Exporting the incident, ticket, or asset list

You can export data from the incidents list to an HTML, a CSV, or an XML file. You can export selected incidents as well as all the incidents that are displayed in the list.

To export the incidents list

1 In the Information Manager console, click Incidents.

2 Using the Filter drop-down list, select the view that contains the list of incidents that you want to export.

3 To export selected incidents only, select the incidents by holding down the Ctrl key and clicking each incident that you want to export.

4 On the top toolbar, click Export.

5 Select the Selected Incidents option if you want to export selected incidents only. Otherwise, select the default option, All Incidents.

6 In the Export window, select the format for the exported file. You can export the incidents list to an HTML, a CSV, or an XML file on your desktop.

7 Click OK.

8 Enter the name for the file and navigate to the destination folder on your desktop. You can also select the character set before you save the list.

9 Click Save to save the incidents list on your desktop computer.

You can export data from the tickets list to an XML file or a CSV file. After the data is exported to a file, you can print it from a program such as a Web browser or spreadsheet program.

To export the tickets list

1 In the Information Manager console, click Tickets.

2 Using the Filter drop-down list, select the view that contains the list of tickets that you want to export.

3 On the top toolbar, click Export.

4 In the Export window, select the format for the exported file. You can export the tickets list to a CSV or an XML file on your desktop.

5 Click OK.

6 Enter the name for the file and navigate to the destination folder on your desktop. You can also select the character set before you save the list.

7 Click Save to save the tickets list on your desktop computer.

You can export data from the assets list to an XML file or a comma-separated values (CSV) file. After the data is exported to a file, you can print it from a program such as a Web browser or spreadsheet program.

To export the assets list

1 In the Information Manager console, click Assets.

2 Using the Filter drop-down list, select the view that contains the list of assets that you want to export.

3 On the top toolbar, click Export.

4 In the Export window, select the format for the exported file. You can export the assets list to a CSV or an XML file on your desktop.

5 Click OK.

6 Enter the name for the file and navigate to the destination folder on your desktop. You can also select the character set before you save the list.

7 Click Save to save the assets list on your desktop computer.

See About incident management on page 289.

Assigning incidents automatically to the least busy member in a user group

Rules and monitors can be set to assign incidents automatically to a user group or to a user within the user group. You can also set rules and monitors to assign incidents automatically to the least busy member in a user group. Only user groups are considered when incidents are automatically assigned to the least busy member. The member with the lowest incident load factor is considered the least busy member in a user group.

See About automatically assigning incidents on page 59.

When incidents are assigned automatically to a user group for the first time, the first user in the user group becomes eligible for incident assignment. When an incident gets assigned to a member in the user group, a log entry is created for that incident. In the incident log, this entry is listed as SSIM against the user name of that member.

To assign incidents automatically to the least busy user

1 In the Information Manager console, click Rules.

2 Select the rule or monitor whose incidents must be assigned automatically.

3 On the Actions tab, check Enable Auto Assign.

4 Check Assign to least busy user, and then select the corresponding user group. When the rule is deployed, the incidents are automatically assigned to the least busy member in the user group.
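The least-busy assignment rule described above, as an added example that is not Symantec's code. The guide does not define the incident load factor, so the example assumes it is the number of non-Closed incidents assigned to a member; the AutoAssigner class and its method names are the example's own.

```python
"""Added example, not Symantec's code: the auto-assignment rule described
above.  An incident goes to the member of the chosen user group with the
lowest incident load factor; the first member listed in the group is the one
eligible the first time the group receives an automatic assignment; and each
assignment is logged against the member's user name with SSIM as the actor.
Assumption: the guide does not define the load factor, so here it is the
number of incidents assigned to the member that are not Closed."""


class AutoAssigner:
    def __init__(self, groups):
        # groups: {"user group": ["first member", "second member", ...]}.
        # Member order matters because of the first-assignment rule.
        self.groups = {name: list(members) for name, members in groups.items()}
        self.assignee = {}        # incident ID -> user name
        self.state = {}           # incident ID -> "Open" or "Closed"
        self.log = {}             # incident ID -> [(actor, entry), ...]
        self._served = set()      # groups that already had an auto-assignment

    def record_manual_assignment(self, incident_id, user):
        """An analyst assigned the incident in the console (not auto-assign)."""
        self.assignee[incident_id] = user
        self.state.setdefault(incident_id, "Open")
        self.log.setdefault(incident_id, []).append((user, f"assigned to {user}"))

    def close(self, incident_id):
        self.state[incident_id] = "Closed"

    def load_factor(self, user):
        """Assumed definition: open (non-Closed) incidents assigned to user."""
        return sum(1 for iid, u in self.assignee.items()
                   if u == user and self.state.get(iid) != "Closed")

    def least_busy(self, group):
        members = self.groups[group]
        if not members:
            raise ValueError(f"user group {group!r} has no members")
        if group not in self._served:
            return members[0]     # first-assignment rule from the guide
        # min() returns the earliest member on ties, so ties follow group order.
        return min(members, key=self.load_factor)

    def auto_assign(self, incident_id, group):
        """Rule action 'Assign to least busy user' for the given user group."""
        user = self.least_busy(group)
        self._served.add(group)
        self.assignee[incident_id] = user
        self.state[incident_id] = "Open"
        # Per the guide, the log entry is listed as SSIM against the user name.
        self.log.setdefault(incident_id, []).append(("SSIM", f"assigned to {user}"))
        return user


def simulate():
    """Constructed walk-through: one group, five incidents, one closure."""
    a = AutoAssigner({"Tier 1": ["alice", "bob", "carol"]})
    order = [a.auto_assign(f"INC-{n}", "Tier 1") for n in range(1, 5)]
    a.close("INC-2")              # bob is free again
    order.append(a.auto_assign("INC-5", "Tier 1"))
    return order


if __name__ == "__main__":
    print(simulate())   # ['alice', 'bob', 'carol', 'alice', 'bob']
```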

Chapter 17 Working with filters in the Incidents view

This chapter includes the following topics:

About filtering incidents

Modifying a custom filter

Creating a custom filter

Deleting a custom filter

Searching within incident filtering results

About filtering incidents

You can filter the incident list to display only the incidents that meet specific criteria. In this way, you can use the filter as a query. For example, you can create a filter to find all incidents with a severity of 5. You can also create a filter to find all incidents that are assigned to a particular analyst. All criteria that are selected in the filter must be met for the query to report positive results. Only you can view the filters that you create. Other users are not able to view your filters.

See About incident management on page 289.

Modifying a custom filter

After you create a custom filter, you can modify the filter criteria when needed.

To modify a custom filter

1 In the Information Manager console, click Incidents.

2 On the toolbar, click the custom filter (funnel-shaped) icon.

3 In the left pane of the Custom Incident Filter Editor window, click the name of the filter that you want to change.

4 Modify the filter criteria as you want, and click OK.

See About filtering incidents on page 303.

Creating a custom filter

You can create custom filters, or views, to find and view the incidents that meet user-specified criteria. When you select a custom filter or another view from the Filter drop-down list, Information Manager displays the incidents that match the filter criteria.

To create a custom filter

1 In the Information Manager console, click Incidents.

2 On the toolbar, click the custom filter (funnel-shaped) icon.

3 In the Custom Incident Filter Editor window, click Add.

4 In the New Filter dialog box, select either Incident or Alert. This setting determines the filter type.

5 In the Filter Criteria dialog box, select the filter criteria, and then click OK. The name of the new filter appears in the Filter dialog box, and the incident list displays only the incidents that meet the filter criteria. The name of the new filter also appears under Custom Filters in the Filter drop-down list. An icon next to the filter name indicates whether it is an alerting incident filter or a security incident filter.

6 In the Enter Filter Name dialog box, type a name for the filter, and click OK.

See About filtering incidents on page 303.

Deleting a custom filter

You can delete a custom filter when it is no longer needed.

To delete a custom filter

1 In the Information Manager console, click Incidents.

2 On the toolbar, click the custom filter (funnel-shaped) icon.

3 In the left pane of the Custom Incident Filter Editor window, click the name of the filter that you want to delete.

4 Click Remove.

5 In the confirmation dialog box, click Yes.

6 Click OK.

See About filtering incidents on page 303.

Searching within incident filtering results

When you display a set of incidents on the Incidents view, you can search for specific incidents within the results. You can use the Look For field to search for strings and IP addresses that may be associated with a particular incident. When you perform a substring search, the search looks in any field in the incident table that uses a string value or an IP address. You can also use the Find Incident or Alert dialog box to search for a specific incident ID or alert ID. The Find Incident or Alert dialog box opens when you click Search on the top menu of the Incidents view.

Each time you perform a substring search using the Look For field, the search evaluates the original set of data that was returned when the filter was initially applied.

To search for a substring or IP address within incident filtering results

1 In the Information Manager console, on the Incidents view, display the incidents for which you want to perform the search. You can use the filtering options to identify the dataset.

2 In the Look For text box, type the substring for which you want to search.

3 Click Search, next to the Look For field.

To search for a specific incident ID or alert ID

1 In the Information Manager console, on the Incidents view, display the incidents for which you want to perform the search. You can use the filtering options to identify the dataset.

2 In the top menu bar, click Search.

3 In the Find Incident or Alert dialog box, in the Search for Specific ID: text box, type the ID.

4 Click Search.

See About filtering incidents on page 303.

Section 7 Working with tickets

Chapter 18. Managing tickets

Chapter 19. Working with filters in Tickets view


Chapter 18 Managing tickets

This chapter includes the following topics:

About tickets

About creating tickets

Creating a ticket manually

Creating a ticket category

Viewing tickets

About the Ticket Details window

Viewing tickets associated with a specific incident

Setting ticket task dispositions

Changing the priority of a ticket

Adding a ticket note

Closing a ticket

Printing the ticket list

About tickets

Tickets let you track the work items necessary to resolve an incident. When you create a ticket for an incident, you can designate the tasks that you want to be performed. You can select the tasks that the Symantec Global Intelligence Network suggests, or you can manually enter your own tasks. Tickets are only associated with assets when a task has been entered for the ticket.

See About the Ticket Details window on page 312.

About creating tickets

Creating a ticket consists of selecting the incident and entering the ticket information, adding ticket tasks, and adding task instructions. You can also add your own custom tasks.

Creating a ticket manually

Complete these steps to create a ticket manually.

To create a ticket

1 In the Information Manager console, click Incidents.

2 In the incident list, click the incident for which you want to create a ticket. If you want to assign multiple incidents to the ticket, use the Ctrl key or the Shift key to select the incidents.

3 On the top toolbar, click Create Ticket.

4 In the Create Ticket window, type a summary in the Summary box.

5 From the Priority drop-down list, select a priority for the ticket.

6 In the Category field, click the selection icon and select a category for the ticket.

7 In the Creator area, type your name, email address, and telephone number (optional).

8 In the Assignee area, select the ID of the user to whom you assign the ticket. You can also type the user's name, email address, and telephone number (optional).

9 Add instructions and tasks to the ticket.

To add instructions

1 On the Instructions tab, click inside the text pane and type the instructions for the task.

2 If you want to use Global Intelligence Network information to help you write the instructions, click the Add Intelligence to Instructions icon on the toolbar. Then do the following:

In the View by drop-down list, select Target or Vulnerability. If intelligence is available, it appears in the panes at the bottom of the dialog box.

Select the appropriate intelligence, and then click Add to Instructions.

Click Close.

3 When you finish adding instructions, click OK.

To add custom tasks

1 On the Tasks tab, click + (the plus icon) on the toolbar.

2 In the Add New Task dialog box, type a task summary in the Summary box.

3 In the Description box, type a description of the task (optional).

4 You may do one of these optional steps:

In the Host Name box, type the host name of the computer where the task should be performed.

In the IP Address box, type the IP address of the computer where the task should be performed.

In the MAC address box, type the MAC address of the computer where the task should be performed.

5 If you want to use Global Intelligence Network information to help you define the task, click the Add Intelligence to Instructions icon on the toolbar. Then do the following:

In the View by drop-down list, select Target or Vulnerability. If intelligence is available, it appears in the panes at the bottom of the dialog box.

Select the appropriate intelligence, and then click Add to Tasks.

Click Close.

6 Click OK.

See About tickets on page 309.

Creating a ticket category

By default, you can assign the following categories to a ticket:

Default

Patch System

Research System

You can also create custom categories using the System view.

To create a ticket category

1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain.

2 Click Help Desk.

3 On the toolbar, click + (the plus icon).

4 In the dialog box, type the name for the new ticket category.

5 Click OK.

Viewing tickets

See About tickets on page 309.

The ticket list provides a convenient preview pane that displays information about the selected ticket. The Details box and several tabs provide all of the information about a ticket. You can also double-click a ticket and view the same information in the Ticket Details window. With proper access rights, you can change information such as status or priority from either the preview pane or the Ticket Details window.

To view a ticket

1 In the Information Manager console, click Tickets.

2 On the top toolbar, select the ticket view from the Filter drop-down list. For example, to view only your open tickets, click My Open Tickets. Note that you can create a custom view by clicking the custom filter (funnel-shaped) icon. See Filtering tickets on page 317.

3 Double-click a ticket to display detailed information in a new window.

See About the Ticket Details window on page 312.

About the Ticket Details window

The Details pane at the top of the Ticket Details window displays the following information:

Ticket ID
  The unique ID number that is assigned to the ticket when it is created.

Summary
  A summary description of the ticket.

Category
  The category of the ticket. The category can be one of the default types, such as Patch System, or a custom category.

State
  The status of the incident (Open, Closed, or Not Applicable).

Priority
  A number between 1 and 5 (inclusive) that indicates the level of urgency that is assigned to the ticket (5 is the most serious priority).

Created Time
  The time when the ticket was created. The time is displayed in the current client's local time zone and stored in coordinated universal time (UTC) format in the database.

Modified Time
  The time when the ticket data was last edited.

The Creator pane displays the logon ID of the ticket creator and contact information.

The Help Desk Assignee pane displays the ID of the person to whom the ticket is assigned, along with contact information.

At the bottom of the window, you can see the Incidents, Tasks, Instructions, and Log panes, which are accessible by clicking on their respective tabs:

Incidents
  Displays the information about the incidents that are associated with the ticket. You can also add and remove incidents by clicking the + and - icons in the taskbar.

Tasks
  Displays any required tasks that have been associated with the ticket. When you associate a task with a specific IP address of an asset, the asset displays the ticket on the Tickets tab. You can also add and remove tasks by clicking the + and - icons in the taskbar.

Instructions
  Displays any additional user-defined instructions that have been associated with the ticket. You can also add and remove instructions by clicking the + and - icons in the taskbar.

Logs
  Displays the history of activity that is related to the ticket. Some activities, such as ticket creation, are automatically logged. You can also add a note to the ticket by clicking the + icon in the taskbar.

See About tickets on page 309.
Viewing tickets associated with a specific incident

You can search for a ticket by using the Search by Ticket ID box on the Tickets view. You do not have to type the entire ID number; Information Manager searches for substrings.

Another way to view ticket information is to use the Incidents view. The Tickets tab in the Incident preview pane lets you view the tickets that are associated with a specific incident.

See About the Ticket Details window on page 312.

To view the tickets associated with a specific incident

1 In the Information Manager console, click Incidents.

2 In the incident list, click the incident.

3 In the Incident preview pane, click the Tickets tab.

4 To view detailed information about a ticket, double-click the row that you want in the list of tickets.

Setting ticket task dispositions

You can set a disposition to indicate the completion status of a task for a ticket. This field helps you track the progress that has been made to resolve the incident.

To set a ticket task disposition

1 In the Information Manager console, click Tickets.

2 In the ticket list, click the ticket.

3 In the Ticket Details view, on the Tasks tab, double-click the task for which you want to set a disposition.

4 In the Edit Task Disposition window, select a disposition from the drop-down list.

5 Click Apply. The new disposition appears in the Disposition column.

6 Click OK.

See Viewing tickets associated with a specific incident on page 313.

Changing the priority of a ticket

You can change the priority of a ticket when ticket tasks are completed or when new incidents occur.

To change the priority of a ticket

1 In the Information Manager console, click Tickets.

2 In the ticket list, click the ticket.

3 In the Ticket Details view, in the Priority box, select the priority.

4 Click Save.

See About tickets on page 309.

Adding a ticket note

Information Manager automatically keeps a log of the creation or modification of a ticket. You can add notes or comments to a ticket's log. This is helpful in tracking the progress of a ticket task.

To add a ticket note

1 In the Information Manager console, click Tickets.

2 In the ticket list, click the ticket.

3 In the Ticket Details view, on the Log tab, click Add a note to the log for this ticket.

4 In the Add Ticket Note window, type the note.

5 Click Save.

6 In the Ticket Details window, click OK.

Closing a ticket

You can close a ticket when you are finished working on it. You can view closed tickets by selecting one of the Closed Tickets views in the Filter drop-down list. You can also reopen a closed ticket.

To close a ticket

1 In the Information Manager console, click Tickets.

2 In the ticket list, click the ticket.

3 In the Ticket Details view, in the State pull-down menu, click Closed.

4 Click OK.

5 In the Ticket Disposition window, select a disposition for the ticket from the Disposition drop-down list.

6 Optionally, type a note in the Notes box.

7 Click Save.

Printing the ticket list

Printing the ticket list is a two-part process:

First, you export the view that you want to a file. If you have applied a filter to the ticket list, Information Manager exports only those tickets that the filter displays.

Then, you print the exported file from another application, such as a Web browser or a spreadsheet program.

See Exporting the incident, ticket, or asset list on page 300.

See Viewing tickets on page 312.

Chapter 19 Working with filters in Tickets view

This chapter includes the following topics:

Filtering tickets

Modifying a custom ticket filter

Deleting a custom ticket filter

Filtering tickets

When you manage tickets, you need to search for a specific set of data. You can use the ticket list filter as a query to display only those tickets that meet your criteria. For example, you can create a filter to find all tickets with a severity of 5. You can create a filter to find all tickets that are assigned to a particular analyst. The query reports positive results only if all of the selected criteria are met. You can view only the filters that you create. Other users are not able to view your filters. Additionally, note that filters are not case sensitive and do not support wildcard characters.

See About tickets on page 309.

To create a custom ticket filter

1 In the Information Manager console, click Tickets.

2 On the top toolbar, click the custom filter (funnel-shaped) icon.

3 In the Custom Ticket Filter Editor dialog box, click Add.

4 In the New Filter dialog box, select the filter criteria for the following options:

Assignee
  The name of the person who is assigned to the ticket.

Category
  The category of the ticket. The category can be one of the default types (such as Patch System), or a custom category.

Created Time
  The date range when the ticket was created.

Creator
  The individual who created the ticket.

Instructions
  A word or group of words from the ticket's overall instructions.

Modified Time
  The date range when the ticket was modified.

Priority
  A number between 1 and 5 indicating the priority that is assigned to the ticket (5 is the most serious).

Summary
  A word or group of words from the ticket's summary box.

State
  The status of the ticket.

Ticket ID
  The ID of the ticket.

5 In the New filter name dialog box, type the name of the custom filter, and then click OK.

6 Click OK.

Modifying a custom ticket filter

Complete the following steps to modify a custom ticket filter.

To modify a custom ticket filter

1 In the Information Manager console, click Tickets.

2 On the top toolbar, click the custom filter (funnel-shaped) icon.

3 In the left pane, click the filter that you want to modify.

4 In the right pane, modify the filter criteria.

5 Click OK.

See Filtering tickets on page 317.

Deleting a custom ticket filter

You can delete a custom filter when it is no longer needed.

To delete a custom ticket filter

1 In the Information Manager console, click Tickets.

2 On the top toolbar, click the custom filter (funnel-shaped) icon.

3 In the left pane, click the filter that you want to delete.

4 Click Remove.

See Filtering tickets on page 317.
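The query semantics of this chapter's ticket filters (every selected criterion must match, no case sensitivity, wildcards taken literally) together with the Look For substring search described for the Incidents view in Chapter 17 (a search over string and IP-address fields that is always evaluated against the original filter results), as an added example that is not Symantec's code. The ticket records are constructed, and treating Look For as case insensitive is an assumption.

```python
"""Added example, not Symantec's code: the two query mechanisms this guide
describes.  A custom ticket filter (criteria on page 318) matches a ticket
only when every selected criterion is met, is not case sensitive, and treats
wildcard characters literally.  The Look For search (page 305, described for
the Incidents view) is a substring search over every string or IP-address
field, evaluated each time against the original filter results rather than
the previous search's results; here it is applied to the same ticket records.
Assumptions: Look For is also case insensitive, and the constructed sample
tickets below."""
from datetime import datetime

# Constructed sample tickets, keyed by the field names of the criteria table.
SAMPLE_TICKETS = [
    {"ticket_id": "1001", "summary": "Patch web server", "category": "Patch System",
     "state": "Open", "priority": 5, "assignee": "Alice", "creator": "bob",
     "instructions": "Apply vendor patch to 10.0.0.5",
     "created_time": datetime(2012, 3, 1, 9, 0),
     "modified_time": datetime(2012, 3, 2, 8, 30)},
    {"ticket_id": "1002", "summary": "Investigate login failures",
     "category": "Research System", "state": "Open", "priority": 3,
     "assignee": "Alice", "creator": "carol",
     "instructions": "Review auth logs on 10.0.0.9",
     "created_time": datetime(2012, 3, 3, 14, 0),
     "modified_time": datetime(2012, 3, 3, 14, 0)},
    {"ticket_id": "1003", "summary": "Patch mail server", "category": "Patch System",
     "state": "Closed", "priority": 4, "assignee": "Bob", "creator": "bob",
     "instructions": "Apply vendor patch to 10.0.1.20",
     "created_time": datetime(2012, 2, 20, 11, 15),
     "modified_time": datetime(2012, 3, 5, 16, 45)},
    {"ticket_id": "1004", "summary": "Rebuild test host", "category": "Default",
     "state": "Open", "priority": 2, "assignee": "Bob", "creator": "alice",
     "instructions": "Reimage 192.168.5.7",
     "created_time": datetime(2012, 3, 4, 10, 0),
     "modified_time": datetime(2012, 3, 4, 10, 0)},
]


def ticket_ids(tickets):
    return [t["ticket_id"] for t in tickets]


def _criterion_matches(value, criterion):
    """Date-range criteria are (start, end) tuples, Priority is an int, and
    everything else is a literal, case-insensitive substring (no wildcards)."""
    if isinstance(criterion, tuple):
        start, end = criterion
        return start <= value <= end
    if isinstance(criterion, int):
        return value == criterion
    return str(criterion).lower() in str(value).lower()


def apply_filter(tickets, criteria):
    """AND semantics: a ticket is reported only if all criteria match."""
    return [t for t in tickets
            if all(_criterion_matches(t[name], c) for name, c in criteria.items())]


class FilteredView:
    """The list the console displays after a filter is selected."""

    def __init__(self, tickets, criteria):
        self.results = apply_filter(tickets, criteria)

    def look_for(self, needle):
        """Substring search over string-valued fields (IP addresses are stored
        as strings) of self.results, never of an earlier search's output."""
        needle = needle.lower()
        return [t for t in self.results
                if any(isinstance(v, str) and needle in v.lower() for v in t.values())]


if __name__ == "__main__":
    view = FilteredView(SAMPLE_TICKETS, {"assignee": "alice", "state": "open"})
    print(ticket_ids(view.results), ticket_ids(view.look_for("10.0.0.")))
```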


Chapter 20 Working with Assets

This chapter includes the following topics:

About the Assets view

Importing assets into the Assets table

About the Assets view

The Assets view lets you view and manage Information Manager assets. You can use the Assets view to identify critical assets in your environment and to track the incidents and the tickets that are related to those assets. You can export the assets data in CSV and XML formats by using the export icon.

You can identify the network assets that have one or more of the following attributes:

Host critical information or services

Host confidential information

Have specific roles on the network, such as firewall or vulnerability scanning devices

Require high availability

Comply with policies such as Sarbanes-Oxley or HIPAA

The Correlation Manager uses the asset information to identify and prioritize incidents. The Correlation Manager creates an incident when an asset's vulnerabilities are exploited by a threat. The Correlation Manager sets the incident priority based upon the confidentiality, integrity, and availability ratings that you assign to the asset. The correlation rules depend upon the asset information, so identifying key network assets on the Assets view is a critical configuration step.

You can populate the list of assets in any of the following ways:

Manually add entries in the Assets view.

Create assets based upon computers in the Targets tab for an incident on the Incidents view.

Create assets from the query results of the Source View query and Target View query that are under the System Queries on the Events view.

On the Assets view, import a list of assets in XML or CSV format. For example, you can export a list of network computers from Active Directory, convert the file to Information Manager format, and then import the file.

Create assets by integrating Information Manager with a policy compliance assessment tool, such as Control Compliance Suite.

Create assets by integrating Information Manager with a network vulnerability scanner. You can use the Asset Detector rule under Monitor > System Monitors on the Rules view to choose the vulnerability scan products that automatically populate the assets table.

Because you may run vulnerability scans periodically on your network, you may want to lock the asset information for particular computers. If you lock an asset, the vulnerability scan does not modify the list of the services that are hosted on the asset. A vulnerability scan updates the asset vulnerabilities regardless of the asset lock status.

You can filter the view of the assets in your environment using the filtering options or asset groups. From each of the views, you can search for an asset by its IP address or host name by entering the information in the Search Asset field, and then clicking the search icon.

Double-clicking an asset in the asset list opens the Asset Details dialog box. To update the asset, modify the asset fields and click the Save icon. You can update multiple assets simultaneously by opening an Asset Editor dialog box for each asset that you want to modify.

Table 20-1 lists the Assets view tabs and their functions.
Table 20-1 Assets view tabs

Details
Displays the network identification, description, priority, organization, operating system, and lock information for the selected asset.

Policies
Displays any policies that apply to the selected asset. You can add policies to an asset from a customizable list of regulatory policies. To customize the list of available policies, select the Administration tab on the System view. You can also delete policies from the asset.

Services
Displays the network services that are hosted by the selected computer. You can add services to an asset from a customizable list of well-known services. To customize the list of services, select the Administration tab on the System view. You can also delete services from the asset.

Incidents
Lists any incidents that pertain to the selected asset. The incident list provides a convenient way to monitor the security activity that is related to an asset.

Tickets
Lists any tickets that pertain to the selected asset. The ticket list provides a convenient way to monitor the work-order activity that is related to an asset.

Vulnerabilities
Displays the discovery date, CVE ID, BugTraq ID, and description of the vulnerabilities that are discovered on the asset. The vulnerability information is tracked when the assets are imported from a vulnerability scanner.

Importing assets into the Assets table

You can use a comma-separated value (CSV) file or an .xml file to import asset information into the Assets table.

Note: If you import assets using a CSV file, policy and services information is not included during the import. To retain this information for the assets that are already listed in the console, export the assets to an XML file, and use the XML file to re-import the assets. The XML files that Information Manager generates include any existing policy and services data that is available for each asset. The CSV files do not include this information.

To import assets into the Assets table
1 Create a CSV file containing comma-separated values using the appropriate format. To see the correct format, create an asset in the Assets table, and then export the asset list as a CSV file. Use the exported list as a template for adding assets to the file.
If you use the Active Directory Users and Computers snap-in that Microsoft provides, export the list of computers that Active Directory tracks, and save the file as a CSV file.
2 In the Information Manager console, on the Assets view, click Import.
3 In the Import Assets dialog box, navigate to the folder in which you saved the assets file, select the file, and click Open.
If you import a set of assets that includes non-UTF-8 character data, you must select the appropriate set from the Character Set drop-down list.
4 Follow the on-screen instructions.
See About the Information Manager console on page 29.
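The conversion in step 1, as an added example that is not part of this guide or of Information Manager: a script that reshapes an Active Directory computer export into the column layout of a CSV exported from the Assets view, and decodes a non-UTF-8 export up front so that the Character Set selection in step 3 is not needed. The template header, the AD column names, the mapping between them, and the sample rows are assumptions; take the real header line from your own Assets view export.

```python
"""Reshape an Active Directory computer export into the column layout of a CSV
that was exported from the Assets view (step 1 of the import procedure).
Added example, not Symantec code. TEMPLATE_HEADER, the AD column names and
AD_TO_TEMPLATE are assumptions: paste the header line of your own Assets
view export into TEMPLATE_HEADER before use."""
import csv
import io

# Assumed: header row of a CSV exported from the Assets view (replace it).
TEMPLATE_HEADER = ["Host Name", "IP Address", "Description", "Priority",
                   "Organization", "Operating System"]

# Assumed: which column of the AD export feeds each template column.
# Template columns with no source are filled from the defaults argument.
AD_TO_TEMPLATE = {
    "Host Name": "DNS Name",
    "Description": "Description",
    "Operating System": "Operating System",
}

# The template column that must not be blank; a row without it is dropped,
# because the Assets view identifies an asset by host name or IP address.
KEY_COLUMN = "Host Name"

# Constructed sample of an Active Directory Users and Computers export,
# saved in Windows code page 1252 (the "non-UTF-8 character data" case).
AD_EXPORT_BYTES = (
    "Name,DNS Name,Operating System,Description\r\n"
    "FW-EDGE-01,fw-edge-01.corp.example,Windows Server 2008,Edge firewall\r\n"
    "DB-FIN-02,db-fin-02.corp.example,Windows Server 2003,Finance DB (Zürich)\r\n"
).encode("cp1252")


def convert(ad_csv_text, template_header=TEMPLATE_HEADER, defaults=None):
    """Return one dict per computer, keyed by the template columns in order."""
    defaults = defaults or {}
    rows = []
    for ad_row in csv.DictReader(io.StringIO(ad_csv_text, newline="")):
        row = {}
        for col in template_header:
            source = AD_TO_TEMPLATE.get(col)
            value = (ad_row.get(source) or "").strip() if source else ""
            row[col] = value or defaults.get(col, "")
        if KEY_COLUMN in row and not row[KEY_COLUMN]:
            continue  # nothing to identify this asset by; skip the row
        rows.append(row)
    return rows


def convert_file(raw_bytes, source_encoding="utf-8",
                 template_header=TEMPLATE_HEADER, defaults=None):
    """Decode the AD export and return the import file as UTF-8 text.

    Decoding here means the Character Set drop-down list in the Import
    Assets dialog box can stay at its UTF-8 default."""
    rows = convert(raw_bytes.decode(source_encoding), template_header, defaults)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=template_header, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    print(convert_file(AD_EXPORT_BYTES, "cp1252",
                       defaults={"Organization": "Corp IT", "Priority": "Medium"}))
```

Write the returned text to a file with UTF-8 encoding and select that file in the Import Assets dialog box.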

Section 8
Working with reports and dashboards

Chapter 21. Managing reports
Chapter 22. Managing dashboards


Chapter 21
Managing reports

This chapter includes the following topics:
- Working with reports
- Performing a drill-down on reports

Working with reports

You can create your own customized reports by inserting queries, graphics, and other elements in a report template. Then you can publish, print, and schedule them for email delivery to specified recipients. You can also import and export reports.

About reports

You can also schedule the queries that can be distributed as reports in the CSV format.
See Scheduling queries that can be distributed as reports on page 337.

Creating custom reports

You can place a single query in a report, or you can insert multiple queries. Each query can be on a separate page, or you can divide a single page into sections and insert one query in each section. You can also insert other elements, such as text and graphics.

Reports are limited to 1,000 pages. If the report is longer than 1,000 pages, the results are truncated.

Note: If you plan to publish and distribute the report to other users, you must select a query from Published Queries. In the Query Chooser window, you can drag a query from the My Queries folder to the Published Queries folder.

Table 21-1 describes the formatting options that you can use when you create a custom report. The options appear on a menu when you right-click the report template. Each menu option has a corresponding icon on the report design toolbar.

Table 21-1 Report building options

Insert Text
To include generated text, such as the date the report was generated, make a selection from the Report Parameters drop-down list, and click Add. To include your own text, type in the text box. When you finish, click OK.

Insert Image
Browse to the location of the image. After you select the desired image, click OK.
Note: You may insert only JPG and GIF files that are 100 KB or less. Information Manager does not support BMP or other image files in reports.

Insert Line
This option inserts a horizontal line in the center of the selected area of the report.

Insert Query
In the Query Chooser window, navigate to the name of the desired query, and select it. Click Insert. (This option is not available when the cursor is in the header or the footer area.)
Note: If you plan to publish and distribute the report to other users, you must select a query from Published Queries. In the Query Chooser window, you can drag a query from My Queries to Published Queries.
If the query that you want is not available, you can use the Query Wizard on the Events view to create a query. See the section on managing event archives for more information.

Add Grid
Select the number of rows and columns, and then click OK. An empty grid appears in the selected area. You can select any section of the grid and insert text, images, and so on. You can also size any section of the grid by dragging the borders of the section.

Add Row
This option subdivides the selected area by inserting a blank row. You can also size the row by dragging its borders.

Add Column
This option subdivides the selected area by inserting a blank column. You can also size the column by dragging its borders.

Toggle Header/Footer
This option toggles the header or the footer from on to off or from off to on. The cursor must be in the header or the footer area.

Portrait
This option changes the orientation of the report to Portrait mode.

Landscape
This option changes the orientation of the report to Landscape mode.

To create a custom report
1 In the Information Manager console, click Reports.
2 In the Explorer pane, right-click the folder where you want to create the new report, and select New > Report.
3 Type the name for the report, and click OK. The name can contain only alphanumeric characters.
An empty report template appears, with three sections: header, footer, and body in the center.
4 Do any of the following:
- To insert a header, right-click in the header area, and then use the formatting options that are described in Table 21-1.
- To insert the query (or multiple queries) and any desired images and text, right-click the body area. Then use the formatting options that are described in Table 21-1.
- To insert a footer, right-click in the footer area, and then use the formatting options that are described in Table 21-1.
- To add a new page to the report template, click the Add a Page icon on the report design toolbar. To return to a previous page, click the View All Pages icon, and then double-click the page that you want to display.

5 To modify any of the properties of the report, use the Properties pane in the lower-left area of the Reports page. Click the Value column for the property that you want to change. The available properties depend on the elements that you have placed in the report area. The following are examples of the properties that you can modify:
- If you insert a query, the available properties depend on whether the data displays as a graphical chart or as a table. If the query is graphical, you can select the type, for example, bar or pie. If the query is tabular, you can select the columns that you want to include in the table. You also can select the desired font and type size of the text.
- If you insert text in the report body, header, or footer, you can modify the font size of the text.
- If you insert a line, you can modify the default thickness, color, direction (orientation), and alignment of the line.
- If you add a grid, you can specify the background color of each segment of the grid.
6 To execute the query and preview the appearance of the report, click the Preview tab. While on the Preview tab, you can print or save the report with the data that is currently displayed.
See Printing and saving reports on page 341.
7 When you finish creating the report, click the Save icon on the top toolbar.
See Viewing reports on page 339.

Creating a report group or folder

You can create new folders under the existing folder hierarchy to save the reports.

To create a report group or folder
1 In the Reports view, select the folder under which you want to create another folder.
2 Click the New Folder icon on the menu bar.
3 In the New Folder dialog box, type the name of the folder and its description.
4 Click OK.
See Creating custom reports on page 327.

Editing tabular queries in reports

A tabular query displays data in table form. When you create or edit a query, you can specify the columns that you want the table to display. However, if you later place that query in a report, the column changes do not persist. You must insert the query in the report, and then add and remove table columns. After you save the report, the column changes persist in that report.

Note: If you add columns to a tabular query, the columns on the rightmost side of the table may become illegible due to lack of space. You can view more columns by reducing the size of the text in the table. To reduce the size of the text in the table, in the Properties pane, click the Value column next to Content Font. Then select a smaller font. Do the same for the Header Font value.

To edit a tabular query in a report
1 To design the report, perform the steps in the procedure
2 After you insert the query in the report, double-click the query icon in the body of the report (on the Design tab). The Edit Display Properties dialog box appears.
3 Do one of the following:
- In the Choose Columns pane, select the names of the columns that you want to add to the query table and click Add.
- In the Columns to Display pane, select the names of the columns that you want to remove from the query table and click Remove.
- Use the Move Up and Move Down icons to arrange the columns in the desired sequence. The column at the top of the list appears on the far-left side of the table.
4 When you finish selecting and sequencing the columns, click OK.
5 To preview the appearance of the report, click the Preview tab.
6 When you finish designing the report, click the Save icon on the top toolbar.
See Creating custom reports on page 327.

Publishing reports

To publish a report, you must place it in the Published Reports folder or in a subfolder under Published Reports. If you create the report in the Published Reports folder, it is already available for distribution. If you create the report in the My Reports folder, use the following procedure to publish it.

Note: If a report contains any private queries, you cannot publish it. The queries in publishable reports must be from the Published Queries folder.

To publish a report
1 In the Information Manager console, click Reports.
2 In the Explorer pane, navigate to the report in the My Reports folder that you want to publish.
3 Do one of the following:
- Right-click the report name, and then select Publish.
- To place the report in a subfolder within the Published Reports folder, drag the report from My Reports to the desired folder under Published Reports.
4 Click Yes to confirm that you want to publish the report.
The report is removed from the private folder and placed in the published folder that you selected.
See Creating custom reports on page 327.

Enabling the email distribution of reports

To distribute reports, you must have an Information Manager configuration that is set up to send email notifications. This setup process includes the following components:
- Creating a configuration
- Defining a mail server in the configuration

Note: Web-based email accounts and the accounts that require authentication are not supported.

To create a configuration
1 In the Information Manager console, click System.
2 On the Product Configurations tab, expand the tree in the left pane to SSIM Agent and Manager > Manager Components Configurations.
3 On the toolbar, click + (the plus icon).

4 Follow the on-screen instructions in the Create a new Configuration wizard. When you are prompted, in the Computers panel, add the Information Manager server that is used.
5 When the wizard finishes, click Close.
The new configuration appears in the tree in the left pane, under Manager Components Configurations.

To define a mail server in an Information Manager configuration
1 On the System view, in the left pane of the Product Configurations tab, click the name of the new configuration.
2 In the right pane, click the Notifications tab.
3 In the Value column next to Email server, type the name of the mail server.
4 In the Value column next to Email from user, type an email address to receive messages in case of any notification failures.
5 Click Save at the bottom of the right pane.
6 In the left pane, right-click the configuration name, and then click Distribute.
The configuration changes are distributed to the Information Manager server.
See Scheduling and distributing reports on page 333.

Scheduling and distributing reports

After you create and publish a report, you can distribute it immediately. You can also schedule it for distribution in the future. You specify the recipients and the frequency to receive the reports. For example, the frequency can be once each week.

You can distribute the reports as a PDF and an RTF attachment. You can send the URL link for accessing the reports from the server in an email. Reports for scheduled queries can be distributed as an attachment only in the CSV format.

When you distribute a report on a schedule or immediately, a copy of the report is posted on the Web configuration interface of Information Manager. A valid user can view that report by selecting the Standard Reports option under Manage > Reports on the Web configuration interface of Information Manager.
See To view a report in the Web configuration interface of the Information Manager on page 340.

Note: To distribute reports to users by email, Information Manager must be properly configured to send notifications to a valid mail server.

To distribute a report immediately
1 In the console of the Information Manager client, click Reports.
2 In the Explorer pane, under Published Reports, click the name of the report that you want to distribute.
3 In the right pane, click the Distribute tab.
4 In the Distribute Report area, click Recipients, and then click one of the following:
- Email address: In the Email Entry dialog box, type an email address, and then click OK.
- User: In the Find Users dialog box, select one or more names from the Available users list. Click Add. When you finish adding user names to the Selected users list, click OK.
Note: The user must have an email address defined on the Notifications tab in the user profile. See the chapter on managing users in the Symantec Security Information Manager Administrator Guide.
- User group: In the Find User Groups dialog box, select one or more names from the Available user groups list. Click Add. When you finish adding user names to the Selected user groups list, click OK.
Note: Each user in the user group must have an email address defined on the Notifications tab in the user profile. See the chapter on managing users in the Symantec Security Information Manager Administrator Guide.
The report is always posted and available on the Web configuration interface of Information Manager under Manage > Reports > Standard Reports. It is available in this location even if you do not specify any recipients. Users who have access to this view can view the reports in a Web browser.
5 In the Subject and Body text boxes, type text if desired.

6 Select from the following options as required:
- URL Link: Places a link in the email message. When the recipient clicks the link, the report is displayed in a browser window.
Note: When the recipient clicks the URL link, the report can be accessed directly. Note that the user must already be logged on to the Web configuration interface using the host name of the Information Manager. If the user has logged on using the IP address of the Information Manager, the user is prompted for authentication; the report is then accessible.
- PDF Attachment: Sends the report, in Portable Document Format (PDF), as an attachment to the email. To send the report by email, be sure that the PDF file is no more than 15 MB in size.
- RTF Attachment: Sends the report, in RTF format, as an attachment to the email. To send the report by email, be sure that the compressed RTF file is no more than 15 MB in size.
7 Click Test. A dialog box confirms that the report was sent to the selected recipients.
8 Click OK.

Note: No restriction exists regarding the size of the compressed RTF files or the PDF files that are available under Manage > Reports > Standard Reports.

To schedule a report
1 In the console of the Information Manager client, click Reports.
2 In the Explorer pane, under Published Reports, click the name of the report that you want to schedule for distribution.
3 In the right pane, click the Distribute tab.
4 In the Create a report area, do the following:
- Select the frequency of distribution: Day, Week, or Month.
- Select the time of distribution by using the drop-down lists and by selecting either AM or PM.
5 Use the spinner boxes or the calendar icons to select the Starts on date and time, and the Ends by date and time.

6 In the Distribute Report area, click Recipients, and then click one of the following:
- Email address: In the Email Entry dialog box, type an email address, and then click OK.
- User: In the Find Users dialog box, select one or more names from the Available users list. Click Add. When you finish adding user names to the Selected users list, click OK.
- User group: In the Find User Groups dialog box, select one or more names from the Available user groups list. Click Add. When you finish adding user names to the Selected user groups list, click OK.
7 In the Subject and Body text boxes, type text if desired.
8 Select from the following options as required:
- URL Link: Places a link in the email message. When the recipient clicks the link, the report is displayed in a browser window.
Note: When the recipient clicks the URL link, the report can be accessed directly. Note that the user must already be logged on to the Web configuration interface using the host name of the Information Manager. If the user has logged on using the IP address of the Information Manager, the user is prompted for authentication; the report is then accessible.
- PDF Attachment: Sends the report, in Portable Document Format (PDF), as an attachment to the email.
- RTF Attachment: Sends the report, in RTF format, as an attachment to the email.
9 Click Schedule.
10 Click OK.

Note: Reports for scheduled queries can be distributed only as an attachment in the CSV format and as a URL link that lets you access the report from the server.

Scheduling queries that can be distributed as reports

You can schedule queries to be distributed in a report as a CSV file. The Schedule option is available on the Events view when you select a query from the Published and System queries. When you save the scheduled queries in the Events view, the scheduled query reports are created under the Published Reports folder on the Reports view.

You can send the scheduled query reports by email as a compressed CSV file, and make them available by a URL link within the mail. You can also download these reports from the Web configuration interface under Manage > Reports > Scheduled Query Reports, in CSV format in a compressed file. The maximum row limit of the CSV file is 1 million rows, corresponding to 1 million events. The maximum size of the CSV file that you can send by email is limited to 15 MB.

Note: Scheduled queries are limited to one query only. If the scheduled query contains a chart, it is converted to a table in the created reports.

Note: The Design option is not available for scheduled query reports.
See About working with event queries on page 239.

You can schedule the following types of queries:
- Summary data query
- Event detail query
- Custom SQL query

Note: Top N by Field and Trending Event Count by Field queries cannot be scheduled from the Events view as scheduled query reports.

To schedule a query as a report
1 In the console of the Information Manager client, click Events.
2 In the Explorer pane, under Published Queries or System Queries, click the name of the query that you want to schedule and distribute as a report.
3 In the right pane, click Schedule.
4 Type the name of the scheduled query.

5 In the Set Schedule for Query dialog box, specify the time, date, and recipients for the generated reports. Set the message subject and body text as required.
6 Select the option for CSV attachment or a URL link as required.
When the recipient clicks the link, the report is directly accessible. Note that the user must be logged on to the Web configuration interface using the host name of Information Manager. If the user has logged on using the IP address of Information Manager, then the user is prompted for authentication, after which the report becomes accessible.
7 Take one or more of the following actions as required:
- To save the query report to the Published Reports folder and close the Set Schedule for Query dialog box without scheduling the query, click OK.
- To enable the Schedule and Test icons and save the query report in the Published Reports folder, click Save.
- To ignore any changes that were made since the last save and exit the dialog box, click Cancel.
- To verify the entered details, click Test to send the query to the specified recipients.
- To schedule the query, click Schedule.
The published query report is also available under the Scheduled Query Reports option under Manage > Reports on the Web configuration interface.

Modifying the report distribution

You can change the recipients and the schedule for report distribution.

To modify the report distribution
1 On the Reports view, in the Explorer pane, navigate to the report whose distribution plan you want to modify.
2 Select the report, and click the Distribute tab.
3 At the bottom of the right pane, click Cancel to cancel the existing report distribution plan.
4 Modify the schedule and the recipients, as necessary. You can also change any other fields.
5 When you finish making changes, click Schedule.
See Scheduling and distributing reports on page 333.

Viewing reports

You can view a report in the following ways:
- In the console of the Information Manager client (as a preview)
- In the Web configuration interface of Information Manager under Manage > Reports > Standard Reports
- In the Web configuration interface of Information Manager under Manage > Reports > Scheduled Query Reports
- In PDF format, if you received the report as an attachment to an email message
- In RTF format, if you received the report as an attachment to an email message
- In HTML format
- In a compressed CSV file, if you received the report as an attachment. These reports are generated as a result of scheduled queries.
- By accessing a URL link that is received through email

Note: The chosen display type for a group or a system query may affect the results that are displayed on the console of Information Manager and the Web configuration interface. For example, you may run a query that is copied from the System Queries folder of the type Count by Condition, such as Open Incidents by Assignee Priority. The chart type is table and the Rotate Data chart property is selected. The condition column name (Assignee Priority) does not appear in the results table. Therefore, you must deselect the Rotate Data option for the query to ensure that the results are displayed properly.

Note: When you access standard reports in the Web configuration interface, the RTF format is not supported for certain reports. The RTF format is not supported for the reports that have been distributed on the Information Manager versions that were released before 4.6 MP4. To obtain these reports in RTF format, manually click the Test option that is available on the Distribute tab on the console. Alternatively, wait until the next scheduled run of the report.

To view a report in the console of the Information Manager client
1 In the console of the Information Manager client, click Reports.
2 In the Explorer pane, click the report that you want to view.

3 For multipage reports, use the navigation icons on the Preview tab to move between the pages.
4 To refresh the data in a report, click the Refresh icon in the top toolbar. By default, the report presents the data from the time when it was created or last refreshed.

To view a report in the Web configuration interface of the Information Manager
1 In the Web configuration interface, go to Manage > Reports.
2 Click Standard Reports if you want to view the standard published reports. If you want to view the reports for scheduled queries, click Scheduled Query Reports.
3 In the list of reports, navigate to the row that corresponds to the report that you want to view. You can use the Search in table field to filter the report list. Place a checkmark next to the file name in the box provided.
4 On the navigation bar, click one of the following:
- View HTML icon. This option lets you view the report in HTML format.
- View PDF icon. This option lets you view the report in PDF format.
- View RTF icon. This option lets you view the report in RTF format.
If you selected Scheduled Query Reports in the previous step, the reports are available only as a compressed CSV file after you click the View CSV icon.
5 When you finish viewing the report, close the browser window.
See Configuring a report for portrait or landscape mode on page 340.

Configuring a report for portrait or landscape mode

You can configure the orientation of a report to be in either portrait mode or landscape mode. When you configure the orientation for a report, the setting applies to all of the pages in that report.

To configure a report for portrait or landscape mode
1 In the Information Manager console, click Reports.
2 In the Explorer pane, click the name of the report that you want to adjust.

3 On the Design tab, click either the Portrait or Landscape icon. If you are in View All Pages mode, you must first open a single page to enable the icons.
4 Click Save.
See Viewing reports on page 339.

Printing and saving reports

After you create a report, its name is displayed in the Explorer pane, under the appropriate folder name. You can run a report and then save the output as a file. You can also print the output.

To print or save a report
1 In the Information Manager console, click Reports.
2 In the Explorer pane, click the name of the report that you want to print or save.
3 To execute the query or queries in the report, click the Preview tab.
4 To save the report with the displayed data, do the following actions:
- On the Preview toolbar, click the Save icon.
- In the Save dialog box, type a name in the File Name box.
- In the Files of Type box, select PDF or HTML.
- Click Save.
5 To print the report with the displayed data, do the following:
- On the Preview toolbar, click the Print icon.
- In the Print dialog box, select your print options.
- Click OK.
See Viewing reports on page 339.

Exporting reports

You can export a report as an RML file. This feature enables you to send the report to another user, for example, as an email attachment. The user can then import the report, edit it, and save it as a private or a published report. It also enables you to save a report under a different name, and then import it to use as a template for another similar report.
See Importing reports on page 342.

Note: Information Manager does not support exporting reports to a different Information Manager domain. Each query has a unique ID that points to the Information Manager server on which it was created. If you export a report and import it to a different server, the queries are not attached to the report. If you design a report on one Information Manager server, you can export it as a template. After you import it to a different server, you can insert the desired query or queries.

To export a report
1 In the Information Manager console, click Reports.
2 In the Explorer pane, select the report that contains the data that you want to export.
3 Right-click the report name, and then click Export.
4 In the Export Report dialog box, do the following:
- Navigate to the location where you want to save the report.
- In the File Name box, type the name of the report. If you want to use this report as a template for a new report, change the report name.
5 Click Save.

Importing reports

You can import a report that was exported as an RML file. You can then modify the report and save it in My Reports or Published Reports.
See Exporting reports on page 341.

Note: Information Manager does not support importing the reports that were created in a different Information Manager domain. Each query has a unique ID that points to the Information Manager server on which it was created. If you export a report and import it to a different server, the queries are not attached to the report. If you design a report on one Information Manager server, you can export it as a template. After you import it to a different server, you can insert the desired query or queries.

To import a report
1 In the Information Manager console, click Reports.
2 In the Explorer pane, select the folder into which you want to import the report.
3 Right-click the folder name, and click Import.
4 In the Import Report dialog box, navigate to the location where the report is stored, and select it. You can import multiple reports by using the Shift or Ctrl keys.
5 Click Open.
6 If you selected a report with the same name as another report in the folder you selected, Information Manager prompts you to rename the report. Assign a new name, and click OK.

Performing a drill-down on reports

To identify the critical incidents and threats in your environment, Information Manager lets you drill down into the reports. Use the drill-down feature to view the resources and the parts of the organization that are associated with an incident. The drill-down feature lets you search and prioritize specific assets. This capability simplifies organization and helps you monitor identity and access activities.

The drill-down feature is supported only on the following types of queries in the reports:
- Top N by Field
- Trending for Top N by Field
- Summary Data Queries

The drill-down feature for reports is available only on the console of the Information Manager client.

To drill down on reports
1 In the console for the Information Manager client, click Reports.
2 Select the report that you want to run from the folders that are displayed. The report queries are executed and the results are displayed on the details pane. Preview the report using the Preview tab.
3 In the graphs that are displayed, double-click the graph that you want to drill down on.
4 The details are displayed in a tabular view in the details pane.

You can use a filter to get further details based on the filter criteria selected.

To filter the results using filter criteria
1 Click the graph that is displayed when you select a report to run. The query results table is displayed under the graph in a new window. Click the Filter icon on the taskbar.
2 In the Filter dialog box, select the time criteria in the Time range area.
3 In the Date/Time area, select Logged Date/time or Event Date/Time.
4 In the Query filter criteria area, click the + icon, which lets you add and select the fields for the filter criteria.
5 If you have specified more than one criterion, use the first drop-down list to select the OR or the AND operator.
6 In the next column, select or enter the value for the condition specified.
7 Click OK.
8 To add more than one criterion, click the + icon to add another criterion. Click the - icon if you want to remove a selected criterion.
9 Click OK. Click Cancel if you want to cancel the filter criteria process.
The filter query is run and the results are displayed.

Chapter 22
Managing dashboards
This chapter includes the following topics:
  About the dashboard
  Viewing dashboards
  Viewing queries in the Dashboard
  Performing a drill-down on dashboards
  Refreshing the dashboard
  Customizing the dashboard

About the dashboard
The Information Manager dashboard provides an at-a-glance summary of the status of security products on your network. You can also track the status of mission-critical network resources. You can add the default queries or custom queries that use events and the other data that is stored in the server database.
The dashboard provides a high-level view of the critical security information in your environment. Information Manager users can customize the dashboard to display the event, ticket, and incident information that they require.
The Dashboard view provides an overview of the incident activity that is presented in the following default set of queries:
  Closed incident count for each assignee by priority
  Closed incident count for each assignee by severity
  Open incidents count for each assignee by severity
  Open incident count for each assignee by priority

  Count of both open incidents and closed incidents by assignee
  Count of incidents for each of the last seven days
The toolbar of the Dashboard view presents the following options:
  Refresh: Refreshes the queries.
  Turn Auto Refresh On: Toggles the automatic refresh of the dashboard queries. When Auto Refresh is on, the dashboard queries are refreshed every five minutes, by default.
  Add: Lets you add a new query to the dashboard.
  Delete: Lets you remove a query from the dashboard. You can also remove the query by closing the query window.
  Tile: Tiles the dashboard charts.
  Cascade: Cascades the dashboard charts.
See Viewing dashboards on page 346.
See Customizing the dashboard on page 350.
See Refreshing the dashboard on page 349.
See Viewing queries in the Dashboard on page 348.
See Performing a drill-down on dashboards on page 348.

Viewing dashboards
You can view the dashboards in the Dashboard view.
To view the dashboards
1 In the console of the Information Manager client, click Dashboard.
2 For some bar and pie charts based on event data, you can click each section to view the events that are related to that section of the query. To determine whether a query is drillable, hold the cursor over a region of the graph (for example, a bar in a bar chart). If a hand symbol appears, you can click the bar to drill down. The events appear in a table under the chart.
When working with event data, you can do any of the following:

  View details on a single event by right-clicking the event. Then click Event Details.
  Filter the events that are shown in the display by right-clicking an event and then clicking one of the filtering options.
  See To filter event data based on a single event on page 347.
  See To create a custom filter based on an event on page 347.
  Create an incident based on an event by right-clicking the event and then clicking Create Incident.

To filter event data based on a single event
In a table containing event data, right-click the cell that has the information that you want to filter on, and then click Filter on cell. For example, if you want to filter on all events that have a severity of 4 - Major, click a cell that has that rating in the Severity column.
The list of events that meet the criteria of your filter appears in a new tab. Note that you can filter again on the events in the new tab.

To create a custom filter based on an event
1 In a table containing event data, right-click the cell that has the information that you want to filter on, and then click Manually filter on cell. For example, if you want to filter on all events that have a severity of 4 - Major, click a cell that has that rating in the Severity column. The Event Filter window appears, showing the current filter conditions.
2 In the Time Range area, specify the period of time that you want the filter to cover. Choose Complete if you want to select from all of the events in the query.
3 In the Filter Criteria area, specify the query conditions:
  To change an existing condition, click in the cell, and then choose a value from the drop-down list.
  To add a condition, click + (the plus sign), and then click in each cell to select or type the desired value.
  To remove a condition, click anywhere in the row, and then click - (the minus sign).
  To change the grouping of criteria, use the Ctrl key to select the relevant rows, and then click AND, OR, or Ungroup.
4 Click OK.
The list of events that meet the criteria of your filter appears in a new tab. Note that you can filter again on the events in the new tab.
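The filter procedures above (the report filter with its Logged Date/time versus Event Date/Time choice, and the Event Filter window with its AND/OR grouping) describe the semantics only in terms of dialog clicks. The following added example, which is not Information Manager code and makes no claim about how the product evaluates filters internally, models those semantics over a handful of constructed events so you can see how the choice of time field and the grouping of criteria change the result set. Field names, operators and the sample events are assumptions made for the illustration.

```python
"""Evaluate report/dashboard-style event filters over constructed sample events.

Added example, not Information Manager's code. It mirrors the Filter dialogs
described in the guide: a time range applied to either the logged time or the
event time, plus criteria rows that can be grouped with AND / OR (nesting
allowed). Field names, operators and events are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Union

# Constructed sample events (illustrative, not real telemetry). Each carries the
# two timestamps the Date/Time area of the Filter dialog lets you choose between.
SAMPLE_EVENTS = [
    {"id": 1, "severity": "4 - Major",   "source_ip": "10.0.0.5",  "event_time": "2011-03-01T10:04:40", "logged_time": "2011-03-01T10:05:00"},
    {"id": 2, "severity": "2 - Minor",   "source_ip": "10.0.0.5",  "event_time": "2011-03-01T10:10:00", "logged_time": "2011-03-01T10:10:30"},
    {"id": 3, "severity": "4 - Major",   "source_ip": "192.0.2.7", "event_time": "2011-03-01T11:30:00", "logged_time": "2011-03-01T11:31:00"},
    {"id": 4, "severity": "4 - Major",   "source_ip": "192.0.2.7", "event_time": "2011-03-01T09:59:00", "logged_time": "2011-03-01T10:00:30"},
    {"id": 5, "severity": "3 - Warning", "source_ip": "10.0.0.5",  "event_time": "2011-03-01T10:20:00", "logged_time": "2011-03-01T10:20:10"},
]

# A constructed one-hour window; event 4 was generated just before it but logged inside it.
WINDOW_START = datetime(2011, 3, 1, 10, 0, 0)
WINDOW_END = datetime(2011, 3, 1, 11, 0, 0)

# Operators assumed for the example; the product's own operator list is not given here.
OPERATORS = {
    "=": lambda actual, wanted: actual == wanted,
    "!=": lambda actual, wanted: actual != wanted,
    "contains": lambda actual, wanted: wanted in actual,
}


@dataclass
class Criterion:
    """One row of the Filter Criteria table: field, operator, value."""
    field: str
    op: str
    value: str

    def matches(self, event: dict) -> bool:
        if self.field not in event:
            return False  # an absent field never satisfies a condition
        return OPERATORS[self.op](str(event[self.field]), self.value)


@dataclass
class Group:
    """Rows joined with AND or OR (the grouping buttons); groups may nest."""
    op: str
    rows: List[Union["Criterion", "Group"]]

    def matches(self, event: dict) -> bool:
        results = (row.matches(event) for row in self.rows)
        return all(results) if self.op == "AND" else any(results)


def in_time_range(event: dict, time_field: str, start: datetime, end: datetime) -> bool:
    """Apply the time range to the chosen field (logged_time or event_time)."""
    stamp = datetime.fromisoformat(event[time_field])
    return start <= stamp <= end


def apply_filter(events, criteria, time_field="event_time", start=None, end=None):
    """Return events inside the time range (on the chosen field) that satisfy the criteria.

    start/end of None corresponds to choosing Complete in the Time Range area.
    """
    kept = []
    for event in events:
        if start is not None and end is not None and not in_time_range(event, time_field, start, end):
            continue
        if criteria.matches(event):
            kept.append(event)
    return kept


def ids(events) -> list:
    return [event["id"] for event in events]


if __name__ == "__main__":
    majors = Criterion("severity", "=", "4 - Major")
    # Same criteria, same window, different time field: event 4 only appears on logged time.
    print(ids(apply_filter(SAMPLE_EVENTS, majors, "event_time", WINDOW_START, WINDOW_END)))   # [1]
    print(ids(apply_filter(SAMPLE_EVENTS, majors, "logged_time", WINDOW_START, WINDOW_END)))  # [1, 4]
```

The two printed lists differ only because of the Date/Time selection, which is the practical reason the dialog offers both: an event that was generated before the window but reached the server inside it is visible on Logged Date/time and hidden on Event Date/Time.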

See About the dashboard on page 345.

Viewing queries in the Dashboard
Complete the steps in this section to view a query and insert it on the dashboard.
To view a query
1 In the Information Manager console, click Dashboard.
2 On the toolbar, click + (the plus icon).
3 In the Query Chooser window, navigate through the tree and click the query that you want to display.
4 For the query you choose, set any of the required parameters, such as selecting the archives that you want to gather information from, and click Run Query. The data graph appears in the Query Chooser window.
5 Do any of the following:
  To place the query on the dashboard, click Insert.
  To try a different query, click the query name in the left pane.
  To see if there are any changes to the list of available queries, click the Refresh icon on the toolbar.

Performing a drill-down on dashboards
To identify the critical incidents and threats in your environment, Information Manager lets you drill down into the reports and dashboards. Using the drill-down feature, you can view the resources that are associated with an incident. The drill-down provides insights into the parts of the organization that an incident affects and the background of the resources that are implicated. The drill-down feature helps simplify organizing, searching, and prioritizing specific assets or sets of assets. This information helps in monitoring identity and access activities.
The drill-down feature is supported only on the following types of queries in the reports and dashboards:
  Top N by Field
  Trending for Top N by Field
  Summary Data Queries
The drill-down feature for reports is available only on the console of the Information Manager client.

To drill down on dashboard results
1 In the console of the Information Manager client, on the Dashboard view, click the dashboard to view.
2 In the graphs displayed, double-click the graph that you want to examine.
3 The details are displayed in a tabular view in the details pane.
See About the dashboard on page 345.

Refreshing the dashboard
By default, the dashboard updates when you open the console or when you click the Refresh icon. You can also turn on Auto Refresh so that dashboards are automatically refreshed at a regular interval. To enable the automatic refresh function, click the Auto Refresh icon on the toolbar.
If a query is running when the Auto Refresh interval expires, the query continues to run, even though the dashboard is refreshed. The same is true if you do a manual refresh.
The default Auto Refresh interval is five minutes. You can change this interval. However, refreshing more frequently can cause performance issues on the server because system resources are used every time a query is executed.

Note: You must close all the Information Manager console sessions before setting the Auto Refresh interval.

To change the Auto Refresh interval
1 In the Information Manager installation directory, access the clientproperties.xml file in the User settings folder.
2 Add or edit the following entry:
  <dashboard>
    <auto_refresh>interval</auto_refresh>
  </dashboard>
  where interval is the number of seconds between refreshes.
3 Save and close the clientproperties.xml file.
4 Restart the console to enable the change.
See About the dashboard on page 345.
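Because every refresh re-executes every dashboard query on the server, a mistyped or overly aggressive interval is the failure mode to guard against when editing clientproperties.xml by hand. The following added example, which is not part of the product and is not Symantec's code, adds or edits the <dashboard>/<auto_refresh> entry shown above and refuses values that are not a positive number of seconds or that fall below a floor. The guide does not show the rest of the file, so the root element name (<clientproperties>), the sample file contents and the 60-second floor are assumptions made for the example.

```python
"""Add or edit the dashboard Auto Refresh interval in clientproperties.xml.

Added example, not Symantec's code. Assumptions: the file has a single root
element (taken here to be <clientproperties>; the guide does not name it) and
the <dashboard><auto_refresh> entry from the guide sits directly under that
root. MIN_INTERVAL_SECONDS is a constructed local policy floor, not a product
limit.
"""
import xml.etree.ElementTree as ET
from typing import Optional

DEFAULT_INTERVAL_SECONDS = 300  # five minutes, the product default stated in the guide
MIN_INTERVAL_SECONDS = 60       # constructed floor: each refresh re-runs every dashboard query

# Constructed sample file with no <dashboard> entry yet (contents are illustrative).
SAMPLE_CLIENTPROPERTIES = """<?xml version="1.0" encoding="UTF-8"?>
<clientproperties>
  <console>
    <theme>default</theme>
  </console>
</clientproperties>
"""


def is_acceptable_interval(interval_seconds) -> bool:
    """True for a positive integer number of seconds at or above the floor."""
    if isinstance(interval_seconds, bool) or not isinstance(interval_seconds, int):
        return False
    return interval_seconds >= MIN_INTERVAL_SECONDS


def get_auto_refresh(xml_text: str) -> Optional[int]:
    """Return the configured interval in seconds, or None when no entry exists."""
    root = ET.fromstring(xml_text)
    node = root.find("./dashboard/auto_refresh")
    if node is None or node.text is None or not node.text.strip():
        return None
    return int(node.text.strip())


def effective_interval(xml_text: str) -> int:
    """Interval the console will use: the configured value, else the product default."""
    configured = get_auto_refresh(xml_text)
    return DEFAULT_INTERVAL_SECONDS if configured is None else configured


def set_auto_refresh(xml_text: str, interval_seconds: int) -> str:
    """Add or edit <dashboard><auto_refresh> and return the updated XML text.

    Raises ValueError instead of writing a value that would hammer the server.
    """
    if not is_acceptable_interval(interval_seconds):
        raise ValueError(
            f"interval must be an integer >= {MIN_INTERVAL_SECONDS} seconds, got {interval_seconds!r}"
        )
    root = ET.fromstring(xml_text)
    dashboard = root.find("dashboard")
    if dashboard is None:
        dashboard = ET.SubElement(root, "dashboard")   # "add" case from step 2
    node = dashboard.find("auto_refresh")
    if node is None:
        node = ET.SubElement(dashboard, "auto_refresh")
    node.text = str(interval_seconds)                  # "edit" case from step 2
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    updated = set_auto_refresh(SAMPLE_CLIENTPROPERTIES, 600)
    print(effective_interval(SAMPLE_CLIENTPROPERTIES))  # 300 (nothing configured yet)
    print(effective_interval(updated))                  # 600
```

Run it against a copy of the real file only after closing every console session, as the note above requires; the function returns the new text rather than writing in place so the result can be reviewed before it is saved.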

Customizing the dashboard
You can customize your dashboard by adding and removing queries. You can also rearrange the queries by moving them on the dashboard and by using the Tile and Cascade options.
See Viewing queries in the Dashboard on page 348.
To remove a query from the dashboard
1 In the console of the Information Manager client, click Dashboard.
2 Scroll within the dashboard until you find the query that you want to remove, and click within the query to select it.
3 Click x (the cross icon) that appears on the upper right side of the query window to close the query.
To rearrange the dashboard
1 In the console of the Information Manager client, click Dashboard.
2 To move a query, click in the query's title bar, and then drag it with the mouse to the desired location on the dashboard. You can place the query in a blank space on the dashboard, or you can place it on top of another query.
3 Click the Tile icon on the toolbar. The queries rearrange themselves in a tiled configuration, and all are visible.
4 To arrange the queries in an overlapping configuration, click the Cascade icon on the toolbar. The queries rearrange themselves in a cascaded configuration, with one query in front. To bring a different query to the front, click its header.
See About the dashboard on page 345.

Index

A
access rights 139 See also permissions Information Manager console 139 account Administrator 156 default password 155 Linux 155 Active Directory about integrating 170 configuration creating a 171 editing a 171 removing 172 synchronize a 172 Active Directory configurations creating editing 170 list remove 170 agent editing agent computer 180 aggregation exporting 214 importing 214 aggregation tables 96 alerting incidents 289 See also incidents creating 290 example 289 archives. See event archives viewing event data 230 assets exporting list 300 identifying 126 printing list 300 Assets table 266 importing assets 323 Auto Refresh option 349 interval setting 349

B
BugTraq 266 business information users 162 Bypass Event RBAC 142

C
closing incidents 298 See also merging incidents closing tickets 315 collector filtering and aggregation antivirus examples 281 creating specifications 275 events generated by specific internal networks 277 examples 277 firewall examples 278 overview 269 policy compliance 270 preparing to create 272 suggestions 271 vulnerability assessment examples 282 Windows Event Log examples 283 collectors. See event collectors components of 204 overview 203 registration 258 universal 205 downloading and installing 207 column sorting in queries 246 columns in tabular queries 331 computers adding configuration groups 192 configurations 183 adding to organizational units 178 creating 178 defined 177 deleting 199 distributing configurations 198

computers (continued) editing agent with agent 180 editing properties 179 editing without agent 181 identification information 182 modifying permissions 199 moving 198 specifying IP addresses 182 MAC addresses 182 viewing service properties 193 services 193 with agents 177 conclusions about 221 escalating based on severity 96 configuration groups adding to computers 192 configurations adding to computers 183 organizational units 174 distributing by way of computer Service properties 193 to computers 198 using organizational units 198 console about features 63 configuring 125 opening 69 contact information users 162 Correlation Manager about 79 knowledge base 80 rule set 80 correlation rules 87. See rules about 87 creating custom 100 critical systems. See assets

D
dashboard about 345 adding queries 348 Auto Refresh 349 dashboard (continued) refreshing 349 dashboards customizing 350 performing drill-down 348 viewing 346 data retention 224 date values for events 233 Deepsight. See Global Intelligence Network DeepSight Threat Management normalization and 267 default roles administrator 132 Distribute menu option 198 Domain Administrator role 132 permissions 150

E
email address notification 166 email distribution of reports 332 Ending Event Date column 233 Enter the data retention (days) 227 environment diagram. See Visualizer event archive specifying settings 226 event archive viewer right pane 231 event archives about 224 about multiple 224 adding and removing table columns 234 calendar setting 232 creating incidents 296 date and time range 232 event details 232 event date values 233 filtering 235 238 modifying table columns 234 exporting a query 251 graph 231 histogram 231 importing a query 250 live 230 local 230 local client copy creating 227 querying Event Query wizard 243

event archives (continued) querying (continued) naming rules 242 SQL Query wizard 246 Summary Query wizard 244 removing an archive from event viewer 231 restoring 228 saving data from event viewer 231 settings 226 zooming 232 event collectors 22 functions 22 installing and configuring 22 types 22 Event Count rule setting 96 Event Criteria field 93 operators 94 Event Date column 233 event forwarding activating 260 configuring default forwarding rule 261 creating a rule 262 deleting a forwarding rule 262 described 255 stopping 263 Event Logger 255 event queries about working with 239 color scheme managing used in query results 249 creating groups 241 deleting 253 editing 248 importing 250 IP addresses 250 multiple archives 241 publishing 251 scheduling to be distributed as reports 252, 337 using Source view 240 using Target View 240 event query searching within 235 Event Query wizard 243 Event to Conclusion Correlation fields 96 event archives creating new 225 events 265 See also normalization about 221 events (continued) about normalization 265 accessing data in the console 274 aggregation 214 filtering 211 lifecycle 223 mapping during normalization 267 role for viewing 134 events view about 222 exporting asset list 300 incident list 300 queries 249 ticket list 300

F
fields Event Criteria 93 Event to Conclusion Correlation 96 operators for event criteria 94 filter configurations exporting 211 importing 211 filtering events 211 filters about incident 303 event data 235 incident creating 304 deleting 304 modifying 303 tickets creating 317 deleting 319 modifying 318 finger 68 forwarding events. See event forwarding Free space quota setting 227

G
Global Intelligence Network 23, 29

H
help desk viewing tickets 312 histogram manipulating the 231

histogram (continued) viewing event details 232 host criticality. See assets

I
importing queries 249 reports 342 incidents about 221, 289 about creating and modifying 294 about filtering 303 automatic assignment to least busy member 60, 302 automatic assignment 59 closing 298 creating from events 296 creating manually 295 creation methods 289 details 292 exporting list 300 filters creating 304 deleting 304 modifying 303 list adding and removing columns 294 modifying 294 managing 292 merging 297 modifying 296 printing details 299 printing list 300 reopening 298 299 searching filtering results 305 ticket viewing 313 viewing 291 viewing and modifying 293 viewing associated tickets 313 Information Manager about 17 components 21 event lifecycle 222 overview 17 workflow 20 Information Manager components event collectors 22 Global Intelligence Network 23 Information Manager server 23 Information Manager components (continued) security products and devices 22 Web service 23 Information Manager console modify access rights 139 Move menu option 198 Information Manager console access rights adding to roles 139 Information Manager server 23 Information Manager Web service 23 Information Manager workflow 20 instructions adding to a ticket 310 intelligence adding to a ticket task 311 adding to ticket instructions 310 IP address specifying for computers 182 IP addresses querying for 250

K
knowledge base Correlation Manager 80

L
LDAP directory accounts 156 Linux account 155 LiveUpdate normalization and 267 local event archives viewing 230 Lookup Table Update create rule 113 Lookup Tables 115 records 121 user-defined 120

M
MAC addresses specifying for computers 182 Max archive quota setting 227 merging incidents 297

N
Network table 266 networks specifying 128

normalization described 265 example 267 files 267 modifying 267 normalization files about 267 notes about 64 creating and editing 65 searching 66 notification email address 166 user information 166 email address 166 pager numbers 167 times 168

O
operators Event Criteria 94 organizational units adding computers to 178 creating 174 deleting 177 deleting computers 199 description 173 distributing configurations 198 editing 176 managing 173 modifying permissions 176 moving computers 198 name length limits 175 Original Ending Event Date column 233 Original Event Date column 233

P
pager numbers 167 passwords 155 changing 70, 162 customizing policies 157 security recommendation 156 permissions 139 See also access rights description 150 examples of modifying permissions 147 in roles 141, 143 permissions (continued) modifying 152 computers 199 organizational units 176 propagating 151 user 168 Permissions dialog box 152 ping 68 policy adding a 127 preferences. See user actions printing asset list 300 incident details 299 incident list 300 reports 341 ticket list 300 Properties pane 330 331 publishing queries 251 reports 331

Q
queries adding to the dashboard 350 column sorting 246 columns in tables 331 editing 249 event 243 exporting 249, 251 importing 249 naming rules 242 SQL 246 summary 244 tables in 249, 331 viewing 348 query groups 241

R
refreshing the dashboard 349 registering collectors 258 report folder creating 330 report group creating 330 reports creating custom 327 distributing 333

reports (continued) enabling email distribution 332 exporting 341 HTML format 341 importing 342 modifying distribution 338 PDF format 341 performing drill-down 343 portrait or landscape mode 340 printing 341 Properties pane 330 331 publishing 331 saving as PDF or HTML 341 scheduling 333 viewing 339 role membership assigning to users 163 roles adding user groups 137 adding users 137 administrator roles 132 creating 134 definition 131 deleting 149 Domain Administrator 132 permissions 150 editing role properties 137 Information Manager console access rights 139 management of policies and configurations 134 managing 131 permissions 143, 150 examples 147 planning 133 product access assignment modifying 140 SES Administrator 132 permissions 150 SIM permissions 141 viewing events 134 rsync 224 rule creating multicondition 104 importing existing 99 X not followed by X 109 X not followed by Y 107 Y not preceded by X 111 rule set creating 85 rule type Lookup Table Update 113 rules categories 87 Correlate By field 98 creating correlation rule for lookup table update 113 creating multicondition 104 criteria 89 default 80 editor 96 enabling/disabling 115 generating incidents 290 query naming 242 Resource field 98 settings 96 types 89 rules strategy defining strategy 87

S
scp 224 security directory registering a collection server 257 Security domain registering with 259 security environment diagram. See Visualizer server access modifying 141 services viewing for a computer 193 viewing properties 193 SES Administrator role 132 permissions 150 Span rule setting 96 SQL Query wizard 246 SSIM Web Start 19 standard event code 266 Summary Query wizard 244 Symantec Event Code 266 Symantec Signature incident mapped to 266 system criticality. See assets system performance estimating 24

T
Table Size rule setting 96

tables aggregation 96 Lookup 115 tables in queries 249, 331 tasks adding to a ticket 311 template queries enable role-based access 142 tickets about 309 310 adding a note 315 adding instructions 310 adding intelligence to a task 311 adding intelligence to instructions 310 adding tasks 311 categories 311 closing 315 creating manually 310 dispositions 314 exporting list 300 filters 317 creating 317 deleting 319 modifying 318 printing list 300 priority changing 314 searching by ticket ID 313 task dispositions 314 viewing 312 viewing on Incidents view 313 trace route 68

U
user actions about 68 creating 69 modifying 69 user groups adding to a role 137 creating 160 deleting 169 managing the composition of 164 modifying 168 users adding to a role 137 assigning role membership 163 business information 162 contact information 162 creating 158 users (continued) deleting 169 description 156 notification information 166 email addresses 166 notification times 168 pager numbers 167 permissions 168 properties 161

V
views Assets 321 Dashboard 30 Events 35 Incidents 32 Intelligence 31 Reports 41 Rules 44 Statistics 62 System 61 Tickets 37 Visualizer about 194 about using 194 modifying properties 196 tools 196

W
Web configuration interface accessing 72 features 72 wizards Event Query 243 SQL Query 246 Summary Query 244