Symantec Security Information Manager 4.6 Administrator's Guide




The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version 1.0

Legal Notice

Copyright 2008 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party ("Third Party Programs"). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
20330 Stevens Creek Blvd.
Cupertino, CA 95014
http://www.symantec.com

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's maintenance offerings include the following:
- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and Web-based support that provides rapid response and up-to-the-minute information
- Upgrade assurance that delivers automatic software upgrade protection
- Global support that is available 24 hours a day, 7 days a week
- Advanced features, including Account Management Services

For information about Symantec's Maintenance Programs, you can visit our Web site at the following URL: www.symantec.com/techsupp/

Contacting Technical Support

Customers with a current maintenance agreement may access Technical Support information at the following URL: www.symantec.com/techsupp/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:
- Product release level
- Hardware information
- Available memory, disk space, and NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description:
  - Error messages and log files
  - Troubleshooting that was performed before contacting Symantec
  - Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: www.symantec.com/techsupp/

Customer service

Customer service information is available at the following URL: www.symantec.com/techsupp/

Customer Service is available to assist with the following types of issues:
- Questions regarding product licensing or serialization
- Product registration updates, such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade assurance and maintenance contracts
- Information about the Symantec Buying Programs
- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs or manuals

Maintenance agreement resources

If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:
- Asia-Pacific and Japan: contractsadmin@symantec.com
- Europe, Middle-East, and Africa: semea@symantec.com
- North America and Latin America: supportsolutions@symantec.com

Additional enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively.

Enterprise services that are available include the following:
- Symantec Early Warning Solutions: These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.
- Managed Security Services: These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.
- Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring, and management capabilities. Each is focused on establishing and maintaining the integrity and availability of your IT resources.
- Educational Services: Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about Enterprise services, please visit our Web site at the following URL: www.symantec.com

Select your country or language from the site index.

Contents

Technical Support ... 4

Section 1 Product overview ... 15

Chapter 1 Introducing Symantec Security Information Manager ... 17
  About Symantec Security Information Manager ... 17
  What's new in Information Manager 4.6 ... 18
  How Symantec Security Information Manager works ... 20
  About events, conclusions, and incidents ... 21
  Example: Information Manager automates incident management during a Blaster worm attack ... 21
    Incident identification ... 22
    Threat containment, eradication, and recovery ... 22
    Follow-up ... 22
  Where to find more information about Information Manager ... 23

Section 2 Managing roles, permissions, users, and organizational units ... 25

Chapter 2 Managing roles and permissions ... 27
  Creating and managing roles ... 27
  About the administrator roles ... 27
  How to plan for role creation ... 28
  Creating a role ... 29
  Editing role properties ... 32
  Deleting a role ... 43
  Working with permissions ... 43
  About permissions ... 44
  Modifying permissions from the Permissions dialog box ... 45

Chapter 3 Managing users and user groups ... 49
  About managing users and passwords ... 49
  Customizable password policy ... 51
  Creating a new user ... 52
  Creating a user group ... 53
  Editing user properties ... 55
  Changing a user's password ... 55
  Specifying user business and contact information ... 55
  Managing role assignments and properties ... 56
  Managing user group assignments ... 57
  Specifying notification information ... 59
  Modifying user permissions ... 61
  Modifying a user group ... 61
  Deleting a user or a user group ... 62

Chapter 4 Managing organizational units and computers ... 63
  About organizational units ... 63
  Managing organizational units ... 63
  Creating a new organizational unit ... 64
  Editing organizational unit properties ... 66
  About modifying organizational unit permissions ... 66
  Deleting an organizational unit ... 67
  Managing computers within organizational units ... 67
  Creating computers within organizational units ... 68
  Editing computer properties ... 69
  Distributing configurations to computers in an organizational unit ... 79
  Moving a computer to a different organizational unit ... 80
  Modifying computer permissions ... 80
  Deleting a computer from an organizational unit ... 81

Section 3 Information Manager as a Service Provider ... 83

Chapter 5 Configuring a Service Provider environment ... 85
  Service Provider overview ... 85
  Understanding a service provider environment from a client perspective ... 87
  Understanding a service provider environment from a service provider perspective ... 88
  Responding to a client incident ... 89
  Understanding Information Manager tickets in a Service Provider Master context ... 89
  Exporting incident information from the Client Incident viewer ... 91
  Setting up a Service Provider environment ... 91
  Configuring an instance of Information Manager as a Service Provider client ... 91
  Configuring an Information Manager appliance as a Service Provider Master ... 92
  Configuring service provider Client management accounts ... 92
  Synchronizing the Service Provider Master with client incidents ... 93
  Disconnecting a client from a Service Provider Master ... 94

Section 4 Managing your correlation environment ... 95

Chapter 6 Configuring the Correlation Manager ... 97
  About the Correlation Manager ... 97
  About the Correlation Manager Knowledge Base ... 98
  About the default rules set ... 98
  Working with the Lookup Tables window ... 101
  Creating a user-defined Lookup Table ... 106
  Importing Lookup Tables and records ... 107
  Enabling and disabling rules ... 107
  Creating a custom rule ... 108

Chapter 7 Defining a rules strategy ... 111
  About defining a rules strategy ... 111
  About creating the right rule set for your business ... 111

Chapter 8 Understanding rules components ... 115
  Understanding Correlation Rules ... 115
  About Rule conditions ... 116
  About Rule Types ... 116
  Event Criteria ... 120
  About the Event Count, Span, and Table Size rule settings ... 122
  About the Tracking Key and Conclusion Creation fields ... 122
  About the Correlate By and Resource fields ... 124
  Importing existing rules ... 125

Chapter 9 Understanding event normalization ... 127
  About event normalization ... 127
  About normalization (.norm) files ... 128

Chapter 10 Effects, Mechanisms, and Resources ... 131
  About Effects, Mechanisms, and Resources (EMR) ... 131
  About Effects values ... 132
  About Mechanisms values ... 133
  About Resources values ... 136
  EMR examples ... 139

Chapter 11 Working with the Assets table ... 141
  About the Assets table ... 141
  How event correlation uses Assets table entries ... 142
  About CIA values in the Assets table ... 143
  Importing assets into the Assets table ... 144
  Searching, filtering, and sorting assets ... 144
  Visual identification of the IP addresses that are also on the IP Watchlist ... 146
  About vulnerability information in the Assets table ... 146
  About using a vulnerability scanner to populate Assets table ... 146
  About locked and unlocked assets in the Assets table ... 148
  Using the Assets table to help reduce false positives ... 148
  About filtering events based on the operating system ... 149
  About using CIA values to identify critical events ... 149
  About using Severity to identify events related to critical assets ... 149
  About using the Services tab ... 150
  About associating policies with assets to reduce false positives or escalate events to incidents ... 150

Chapter 12 Collector-based event filtering and aggregation ... 153
  About collector-based event filtering and aggregation ... 153
  About identifying common events for collector-based filtering or aggregation ... 155
  About preparing to create collector-based rules ... 156
  Accessing event data in the Information Manager console ... 158
  Creating collector-based filtering and aggregation specifications ... 158
  Examples of collector-based filtering and aggregation rules ... 160
  Filtering events generated by specific internal networks ... 161
  Filtering common firewall events ... 162
  Filtering common Symantec AntiVirus events ... 165
  Filtering or aggregating vulnerability assessment events ... 166
  Filtering Windows Event Log events ... 167

Section 5 Configuration options ... 171

Chapter 13 Configuring the appliance after installation ... 173
  About the Information Manager Web configuration interface ... 173
  Accessing the Security Information Manager Web configuration interface ... 174
  Changing network settings ... 174
  Specifying date and time settings ... 176
  Specifying a network time protocol server ... 176
  Changing the password for Linux accounts ... 176
  Shutting down and restarting the appliance ... 177

Chapter 14 Configuring Symantec Security Information Manager ... 179
  About configuring Symantec Security Information Manager ... 179
  Preventing new Symantec Event Agent connections ... 180
  Adding a policy ... 181
  Specifying networks ... 181
  Identifying critical systems ... 181

Chapter 15 Forwarding events to an Information Manager appliance ... 183
  About forwarding events to an Information Manager appliance ... 183
  About registering with a security directory ... 185
  Registering security products ... 186
  Registering with a security domain ... 187
  Forwarding events ... 187

Chapter 16 Managing Global Intelligence Network content ... 191
  About managing Global Intelligence Network content ... 191
  Registering a Global Intelligence Network license ... 192
  Viewing Global Intelligence Network content status ... 192
  Receiving Global Intelligence Network content updates ... 193

Chapter 17 Running LiveUpdate ... 197
  About running LiveUpdate ... 197
  Running LiveUpdate from the Information Manager Web configuration interface ... 197

Chapter 18 Working with Symantec Security Information Manager Configurations ... 199
  Introducing the Symantec Security Information Manager configurations ... 199
  Manager configurations ... 200
  Increasing the minimum free disk space requirement in high logging volume situations ... 201
  Manager Components Configurations ... 202
  Modifying administrative settings ... 203
  Manager connection configurations ... 204
  Configuring Information Manager Directories ... 205
  Agent Connection Configurations ... 208
  Configuring Agent to Manager failover ... 208
  Agent configurations ... 210
  Managing the Manager ... 212
  Setting up blacklisting for logon failures ... 212

Section 6 Managing appliance data ... 213

Chapter 19 Managing the directory service ... 215
  About LDAP backup and restore ... 215
  Backing up the security directory ... 215
  Restoring the security directory ... 216

Chapter 20 Maintaining the Symantec Security Information Manager database ... 219
  About data maintenance ... 219
  Checking database status ... 220
  About the health monitor service ... 221
  Backing up and restoring the database ... 221
  Enabling and scheduling automated backups ... 222
  Initiating a backup ... 223
  Restoring the database from a backup image ... 223
  Specifying a third-party backup solution ... 223
  About purging event summary and incident data ... 224
  Adjusting parameters for daily automated purges ... 225
  Adjusting the thresholds for size-based purges ... 226
  Initiating a purge ... 227
  Reviewing maintenance history ... 228

Section 7 Appendices ... 229

Appendix A Ports used by Information Manager ... 231
  Ports used by Information Manager ... 231

Appendix B Managing security certificates ... 235
  About managing security certificates ... 235
  Managing security certificate information for the appliance ... 236

Index ... 239

Section 1 Product overview

Chapter 1. Introducing Symantec Security Information Manager

Chapter 1 Introducing Symantec Security Information Manager

This chapter includes the following topics:
- About Symantec Security Information Manager
- How Symantec Security Information Manager works
- About events, conclusions, and incidents
- Example: Information Manager automates incident management during a Blaster worm attack
- Where to find more information about Information Manager

About Symantec Security Information Manager

Symantec Security Information Manager provides real-time event correlation and data archiving to protect against security threats and to preserve critical security data. Information Manager collects, analyzes, and archives information from security devices, critical applications, and services, such as the following:
- Firewalls
- Routers, switches, and VPNs
- Enterprise Antivirus
- Intrusion detection and intrusion prevention
- Vulnerability scanners
- Authentication servers
- Windows and UNIX system logs

Information Manager provides the following features to help you recognize and respond to threats in your enterprise:
- Normalization and correlation of events from multiple vendors.
- Event archives to retain events in both their original (raw) and normalized formats.
- Distributed event filtering and aggregation to ensure that only relevant security events are correlated.
- Real-time security intelligence updates from Symantec Global Intelligence Network to keep you apprised of global threats and to let you correlate internal security activity with external threats.
- Customizable event correlation rules to let you fine-tune threat recognition and incident creation for your environment.
- Security incident creation, ticketing, tracking, and remediation for quick response to security threats. Information Manager prioritizes incidents based upon the security policies associated with the affected assets.
- A powerful event viewer that lets you easily mine large amounts of event data and identify the machines and users that are associated with each event.
- A console from which you can view all security incidents and drill down to the related event details, including affected targets, associated vulnerabilities, and recommended corrective actions.
- Pre-defined and customizable queries to help you demonstrate compliance with the security and data retention policies in your enterprise.

What's new in Information Manager 4.6

Table 1-1 describes the new features and enhancements that are included with this release.

Table 1-1 New features for Information Manager 4.6 (Category: Description)

Service Provider: You can use Information Manager to provide remotely managed security services for multiple clients.

Installation enhancements: Installation enhancements include the following:
- Information Manager can now be installed on any approved hardware that meets the supported system requirements.
- Both new and 4.5.2 upgrade installations are supported.

Customizable password policy: Password settings can be customized to meet or exceed the requirements of your password policy, to simplify alignment of privileged access policies with audit requirements.

Web configuration interface enhancements: Web configuration has been enhanced with new options, including a validation tool for verifying the integrity of event archives, the ability to conveniently download the event collector agent, and the ability to upload system updates to the Information Manager appliance.

Information Manager console system configuration enhancements: System configuration options in the Information Manager console include the following:
- Event storage rules, support for multiple archives, and ordered lists of archives.
- Event forwarding rules with failover targets.
- Incident forwarding rules that allow incidents to be forwarded to one or more Information Manager appliances.
- Service Provider master. You can configure Information Manager to be a Service Provider master that monitors forwarded incidents from other instances of Information Manager.

Event tile enhancements: Event tile enhancements in the Information Manager console include the following:
- Raw event data viewing.
- New activity templates: Network Activity, Raw Event, and All Events with customizable columns.
- Cross-archive query support with Role Based Access Control (RBAC).
- Event data is loaded dynamically.
- New options for relative filtering criteria.
- Regular expression (RegEx) searches of table view data.
- Unique value filtering.
- Parameterized queries.

Reporting tile enhancements: Reports can now be printed in landscape mode. You can customize the columns that are report-specific, and there are page and table query row limit controls.

Asset management enhancements: Enhancements to asset management include the following:
- The option to organize assets into groups.
- Additional options for bulk edit of multiple assets.
- Improved search and filtering options.
- A new Last Updated column.
- Visual identification of the IP addresses that are on an IP watchlist.

Incident and workflow enhancements: Enhancements to incident management and workflow include the following:
- Attack diagrams that provide a graphic display of the progress of an attack to facilitate quicker analysis and remediation.
- New incident state options.
- A globally visible incident status indicator that is updated as incidents are created.
- Remediation notes that can be applied to all of the incidents that are created by the same rule.
- Inclusion of Global Intelligence Network IP Watchlist data in the Incidents view.
- Support for importing lookup tables on the Rules tile.

Intelligence tile enhancements: If you have installed a Symantec Global Intelligence Network Threat Management System license, Information Manager includes Symantec Global Intelligence Network data on the Honeynet tab of the Intelligence tile.

How Symantec Security Information Manager works

Event collectors gather events from Symantec and third-party point products, such as firewalls, Intrusion Detection Services (IDS), and antivirus scanners. The events are filtered and aggregated, and the Information Manager agent forwards both the raw and the processed events to the Information Manager appliance. The agent is a Java application that provides secure communications between the event collectors and the Information Manager appliance.

The Information Manager appliance stores the event data in event archives and correlates the events with threat and asset information. If a security event triggers a correlation rule, Information Manager creates a security incident.

The Information Manager appliance also contains the following components:
- A downloadable installation program for the Information Manager console.
- A relational database to store incidents, conclusions, assets, and rules.
- Event archives to store raw and normalized event data.
- An LDAP directory to store Information Manager deployment and configuration settings.

About events, conclusions, and incidents

Security products and operating systems generate many kinds of events. Some events are informational, such as a user logging on, and others may indicate a security threat, such as antivirus software being disabled.

A conclusion occurs when one or more events match a correlation rule pattern. Information Manager normalizes events from multiple security products and looks for the patterns that indicate potential threats.

An incident is the result of one or more conclusions that are identified as a type of an attack. There can be many conclusions that are mapped to a single incident. For example, if a single attacker causes a number of different patterns to be matched, those are grouped into a single incident. Similarly, if a vulnerability scan uncovers a computer that suffers from a number of different vulnerabilities, these are all grouped into a single incident. Or, if a number of different computers report the same virus, Information Manager creates a single outbreak incident.

Example: Information Manager automates incident management during a Blaster worm attack

Symantec Security Information Manager tracks the entire incident response cycle through the following phases:
- Incident identification
- Threat containment, eradication, and recovery
- Follow-up

Incident identification

The Blaster worm attack begins with a series of sweeps to ports 135, 445, and 4444. Using the default rules, Information Manager detects each of these sweeps as suspicious, and creates a conclusion for each. At the same time, events from intrusion detection software, such as Symantec IDS, lead to other conclusions that are related to the source IP address. Information Manager may also create further conclusions if the source IP address for the attack is on the IP watch list. This list is updated automatically to provide up-to-date protection from the computers that are known to be used in attacks.

Based upon all of these conclusions that are related to the same IP address, Information Manager generates a security incident. A security analyst would find out about the new incident by email alert, or while monitoring the Incidents tab in the Information Manager console. The incident contains all the information that the analyst needs to determine the source and target of the attack.

Threat containment, eradication, and recovery

When Information Manager alerts the security analyst about the incident, the analyst can use Information Manager to better understand the scope of the problem and to investigate eradication options. Information Manager facilitates the containment phase by providing the event data with the incident declaration. Rather than searching through countless log files, the analyst knows which events triggered the security incident, and which systems are affected. The incident also includes recommended corrective action from the Symantec Global Intelligence Network Threat Management System. This information enables the security analyst to quickly identify the corrective actions.

The analyst can now create a ticket that describes the tasks necessary to eradicate the threat. The ticket includes the incident information, the event details, and the recommended corrective actions. Ticket information can be made accessible to an external help desk by the Information Manager Web Service.

Follow-up

After the threat has passed, the analyst can further analyze the impact of the incident. The analyst can fine-tune the correlation rules, event filters, and firewall rules to prevent the threat from occurring again. The analyst can also mine the event archive data if necessary and create the reports that document the scope of the incident and the security team's efforts to resolve it.
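The phases above describe the event, conclusion and incident pipeline in prose. The following Python script is an added illustration and is not Information Manager code: it models a port sweep rule, an intrusion detection rule and an IP watch list rule over a constructed set of events, then groups the resulting conclusions by source IP address into a single incident, which is the grouping the Blaster example describes. The sweep threshold, the watch list entry, the host names and the event records are assumptions constructed for the demonstration.

```python
"""Illustrative model of the events -> conclusions -> incident pipeline.

Added example, not Information Manager code. The rule threshold, the watch
list and the event records are constructed for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed "IP watch list" standing in for the automatically updated list
# the manual describes (RFC 5737 documentation address).
WATCH_LIST = {"198.51.100.23"}

# A source that touches this many distinct targets on one port is treated as a
# sweep. The value is an assumption for the demonstration.
SWEEP_THRESHOLD = 3


@dataclass(frozen=True)
class Event:
    product: str               # product that reported the event (firewall, ids, ...)
    source: str                # source IP address
    target: str                # target host
    port: Optional[int] = None
    kind: str = "connection"   # "connection" or "ids_alert"


@dataclass(frozen=True)
class Conclusion:
    rule: str
    source: str
    events: Tuple[Event, ...]  # the evidence that matched the rule pattern


@dataclass
class Incident:
    source: str
    conclusions: List[Conclusion]

    def affected_hosts(self) -> Set[str]:
        return {e.target for c in self.conclusions for e in c.events}


def rule_port_sweep(events: List[Event]) -> List[Conclusion]:
    """One conclusion per (source, port) that reaches SWEEP_THRESHOLD distinct targets."""
    hits: Dict[Tuple[str, int], List[Event]] = defaultdict(list)
    for e in events:
        if e.kind == "connection" and e.port is not None:
            hits[(e.source, e.port)].append(e)
    out = []
    for (src, port), evs in sorted(hits.items()):
        if len({e.target for e in evs}) >= SWEEP_THRESHOLD:
            out.append(Conclusion(f"Port sweep to {port}", src, tuple(evs)))
    return out


def rule_ids_alert(events: List[Event]) -> List[Conclusion]:
    """Every intrusion detection alert is a conclusion of its own."""
    return [Conclusion("IDS alert", e.source, (e,)) for e in events if e.kind == "ids_alert"]


def rule_watch_list(events: List[Event]) -> List[Conclusion]:
    """One conclusion per watch-listed source that appears in any event."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if e.source in WATCH_LIST:
            by_src[e.source].append(e)
    return [Conclusion("Source on IP watch list", s, tuple(v)) for s, v in sorted(by_src.items())]


RULES = (rule_port_sweep, rule_ids_alert, rule_watch_list)


def correlate(events: List[Event]) -> List[Incident]:
    """Run every rule, then group the conclusions by source address into incidents."""
    conclusions = [c for rule in RULES for c in rule(events)]
    grouped: Dict[str, List[Conclusion]] = defaultdict(list)
    for c in conclusions:
        grouped[c.source].append(c)
    return [Incident(src, cs) for src, cs in sorted(grouped.items())]


def constructed_events() -> List[Event]:
    """Constructed sample: one source sweeps ports 135, 445 and 4444 across three
    hosts, trips an IDS signature and is on the watch list; a second source is
    a single benign connection that matches no rule."""
    attacker = "198.51.100.23"
    hosts = ["srv-01", "srv-02", "srv-03"]
    events = [Event("firewall", attacker, h, port) for port in (135, 445, 4444) for h in hosts]
    events.append(Event("ids", attacker, "srv-02", 135, kind="ids_alert"))
    events.append(Event("firewall", "192.0.2.7", "srv-01", 80))
    return events


if __name__ == "__main__":
    for inc in correlate(constructed_events()):
        print(inc.source, [c.rule for c in inc.conclusions], sorted(inc.affected_hosts()))
```

Running the script yields one incident for the constructed attacker with five conclusions (three sweeps, one IDS alert, one watch list match) and the three affected hosts; the benign source produces no conclusion and therefore no incident, which is the point of correlating before alerting.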

Where to find more information about Information Manager

For more information about Information Manager, visit the knowledge base that is available on the Symantec Technical Support Web site at:

http://www.symantec.com/business/support/overview.jsp?pid=52517

In the Security Management section of the Downloads page, you can obtain updated versions of the documentation, including the following:

- Symantec Security Information Manager Administrator's Guide
- Symantec Security Information Manager User's Guide


Section 2 Managing roles, permissions, users, and organizational units

- Managing roles and permissions
- Managing users and user groups
- Managing organizational units and computers


Chapter 2 Managing roles and permissions

This chapter includes the following topics:

- Creating and managing roles
- Working with permissions

Creating and managing roles

A role is a group of access rights for a product in a domain. Users who are members of a role have access to the event viewing and management capabilities that are defined for that role. A user can be a member of more than one role.

You create new roles in the Symantec Security Information Manager console. When you click Roles on the System page of the console, you can perform the following tasks:

- Creating a role
- Editing role properties
- Deleting a role

Note: Only members of the SES Administrator role and the Domain Administrator role can add or modify roles. See About the administrator roles on page 27.

About the administrator roles

When you install Information Manager, the following default roles are created:

SES Administrator: This role has full authority over all of the domains in the environment.

Domain Administrator: This role has full authority over one specific domain in the environment.

If you have only one domain, the rights of the SES Administrator role and the Domain Administrator role are the same. If you have multiple domains, for example one for each geographic region of your company, each domain has a Domain Administrator. Members of this role can perform functions such as creating users and additional roles within that domain. The SES Administrator role can perform these functions for all of the domains that you configure.

The default user, administrator, is also created when Information Manager is installed. The administrator is automatically a member of the SES Administrator and Domain Administrator roles. To access Information Manager for the first time, you must log on as this default user. You can add users to the administrator roles, but you cannot change any other characteristics of these roles. If a user is a member of the SES Administrator role, that user does not need to be assigned to any other roles.

How to plan for role creation

Because roles control user access, you should plan carefully before you create roles. You need to identify the tasks that are done in your security environment, and who performs them. The tasks determine the kinds of roles that you must create. The users who perform these tasks determine which users should be members of each role.

Ask yourself the following questions:

- Who allocates responsibilities within your security environment? If these users need to create roles, they must be members of the Domain Administrator role.
- Who administers your security network by creating management objects such as users and organizational units? These users must be members of the roles that provide management access and the ability to access the System view.
- What products are installed, and who is responsible for configuring them? These users must be members of management roles for the products for which they are responsible. They may need access to the System page only.
- Who is responsible for monitoring events and incidents?

These users must be members of event viewing roles for the products for which they are responsible. Users who monitor events must have access to the Events page. Users who monitor incidents must have access to the Events page and the Incidents page.
- Who responds to problems and threats? These users must have access to the Events page and the Incidents page. Users who create and manage help desk tickets must also have access to the Tickets page.

Table 2-1 lists the common roles in a security environment and the responsibilities that belong to each role.

Table 2-1 Typical roles and responsibilities

Domain Administrator: Defines the user roles and role authority.

System Administrator: Manages Information Manager. Verifies that events flow into the system and that the system functions normally.

User Administrator: Creates the correlation rules and collection filters. Performs the user and the device administration.

Incident Manager: Views all incidents, events, reports, and actions.

Report Writer: Views the incidents, events, and reports for assigned devices. Reviews and validates incident response. Provides the attestation of incident review and response by administrators to GAO and others.

Report User: Views the events and reports for assigned devices.

Rule Editor: Creates, edits, and deploys rules.

For information about the access requirements of each role, see Table 2-2.

Creating a role

You create all roles using the Role Wizard in the Information Manager console. Only a user who is a member of the Domain Administrator role or the SES Administrator role can create roles. See How to plan for role creation on page 28.

Note: If you create a role with permissions to all existing event archives, and you then later add additional archives, the new archives are not available to the pre-existing role. You must edit the role to see the new archives.

To create a role

1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then click Roles.
3 On the toolbar, click + (the plus icon).
4 In the first panel of the Role Wizard, click Next.
5 In the General panel, do the following, and then click Next:
  - In the Role name text box, type a name for the role.
  - In the Description text box, type a description of the role (optional).
6 In the Products panel, do one of the following actions:
  - To give the role members access to all of the listed products, click Role members will have access to all products, and then click Next.
  - To limit the role members' access to certain products, click Role members will have access to only the selected products. From the Products list, enable (check) at least one product, and then click Next.
  Symantec Security Information Manager is listed as one of the products, and is required in this panel. Consider the tasks that role members perform as you select products from the list.
7 In the SIM Permissions panel, do one of the following actions:
  - To give role members all permissions that apply to Information Manager, click Enable all Permissions, and then click Next.
  - To give role members a limited set of permissions, click Enable specific Permissions. From the permissions list, enable at least one permission, and then click Next.
8 In the Console Access Rights panel, do one of the following actions:
  - To give role members the ability to see all parts of the Information Manager console, click Role members will have all console access rights, and then click Next.

  - To limit what role members can see when they display the console, click Role members will have only the selected console access rights. From the list, enable at least one console access right, and then click Next.
  See Modifying console access rights on page 34.
9 In the Organizational Units panel, do one of the following actions:
  - To give role members access to all organizational units, click Role members will have access to all organizational units, and then click Next.
  - To give role members access to specific organizational units, click Role members will have access to only the selected organizational units. In the organizational units tree, select at least one organizational unit to associate with this role, and then click Next.
  When you select an organizational unit that has additional organizational units below it, users of the role are given access to those organizational units as well.
  If you add an organizational unit to a role, users who are role members and who have event viewing access can see events generated by the security products that are installed on the computers that belong to that organizational unit. Role members can see events only from computers in the organizational units that have been added to their roles.
10 In the Appliances panel, do one of the following actions:
  - To give role members access to all of the Information Manager appliances in your security environment, click Role members will have access to all appliances, and then click Next.
  - To limit role members' access to certain appliances, click Role members will have access to only the selected appliances. In the appliances tree, select at least one appliance to associate with this role, and then click Next.
  Members of the role can modify configurations on the selected appliances. The role members can also view event archives that reside on the selected appliances.
11 In the Members panel, do one of the following actions:
  - To add individual users to the role now, click Add Members. In the Find Users dialog box, add one or more users, and then click OK. In the Members panel, click Next.
  - To add the users who are members of a specific User Group, click Add Members From Groups. In the Find User Groups dialog, add one or more user groups, and then click OK. The users that are associated with the

  groups you selected are added to the Members list. When you are finished, click Next.
  - To continue without adding users to the role, click Next. You can add users to the role later by editing the role's properties. See Making a user a member of a role on page 33.
  You can assign users to a role only if you have already created those users. See Creating a new user on page 52.
12 In the Role Summary panel, review the information that you have specified, and then click Finish.
  The role properties that are created are shown in the list at the bottom of the panel. A green check mark next to a task indicates that it was successfully accomplished.
13 Click Close.

Editing role properties

After you create a role, you can modify it by editing its properties. For example, as you create new organizational units or users, you can add them to existing roles. You can edit the properties of a role by selecting the role in the right pane or from any dialog box that lets you display the role's properties.

To edit role properties

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles.
2 In the right pane, right-click the role that you want to edit, and select Properties.
3 Use the Editing Role Properties dialog box to make changes to the role.
4 To save changes and close the dialog box, click OK.

For information about editing specific role properties, see any of the following sections:

- Making a user a member of a role
- Modifying console access rights
- Modifying product access
- Modifying SIM permissions
- Modifying access permissions in roles

Making a user a member of a role

When a user logs on to Information Manager, the user's role membership determines his or her access to the various products and event data. You can assign a user to a role in the following ways:

- Assign each user individually to one or more roles.
- Assign users to groups, and then assign user groups to roles.

When you assign a user group to a role, all of the users who are currently in the group are assigned to that role. However, if you later add more users to the user group, those users are not automatically added to the role. You must assign each user to the role individually.

Note: Before you assign users and user groups to roles, you must create users and user groups in the Directory. See Creating a new user on page 52.

To make a user a member of a role

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles.
2 In the right pane, right-click the role that you want to edit, and then select Properties.
3 In the Editing Role Properties dialog box, in the left pane click Members.
4 Click Add Members.
5 In the Find Users dialog box, in the list of available users, click a user name (or Ctrl + click multiple user names), and then click Add. The user name appears in the Selected users list.
  You can also search for a particular user by entering the logon name, last name, or first name on the left side of the dialog box. Then click Start Search. All of the users who meet the criteria you entered appear in the available users list.
6 To view or edit the properties of a user, click the user name, and then click Properties.
7 In the User Properties dialog box, view or make changes to the properties, and then click OK.
8 In the Find Users dialog box, click OK.
9 In the Editing Role Properties dialog box, click OK.

To make a user group a member of a role

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles.
2 In the right pane, right-click the role that you want to edit, and then select Properties.
3 In the Editing Role Properties dialog box, in the left pane click Members.
4 Click Add Members From Groups.
5 In the Find User Groups dialog box, select the domain of the group from the dropdown list.
6 In the list of available user groups, click a user group name (or Ctrl + click multiple user group names), and then click Add. The user group name appears in the Selected user groups list.
7 To view or edit the properties of a user group, click the user group name, and then click Properties.
8 In the User Group Properties dialog box, view or make changes to the properties, and then click OK.
9 In the Find User Groups dialog box, click OK.
10 In the Editing Role Properties dialog box, click OK.

Modifying console access rights

Console access rights control what users who are members of a role can see when they log on to the Information Manager console. You can modify the console access rights you assigned when you created a role. Console access rights make the various features of the console visible to role members when they log on.

To modify console access rights

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles.
2 In the right pane, right-click the role that you want to edit, and select Properties.
3 In the left pane click Console Access Rights.
4 Do one of the following actions:
  - To give members of the role the ability to see all components of the Information Manager console, click Role members will have all console access rights.

  - To limit what members of the role can see when they display the Information Manager console, click Role members will have only the selected console access rights. From the list that appears, enable or disable console access rights as desired.
  The following table describes the tiles (that is, pages in the Information Manager console) that are available.

Show Assets Tile: Lets members view the Assets page in the console.
Show Dashboard Tile: Lets members view the Dashboard page in the console.
Show Events Tile: Lets members view the Events page in the console.
Show Incidents Tile: Lets members view the Incidents page in the console.
Show Intelligence Tile: Lets members view the Intelligence page in the console.
Show Reports Tile: Lets members view the Reports page in the console.
Show Rules Tile: Lets members view the Rules page in the console.
Show Statistics Tile: Lets members view the Statistics page in the console.
Show System Tile: Lets members view the System page in the console.
Show Tickets Tile: Lets members view the Tickets page in the console.

  Table 2-2 lists the console access rights that are needed by users who perform specific functions.
5 Click OK.

Modifying product access

The Products property lets you select the products to which role members have access.

To modify product access

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles.
2 In the right pane, right-click the role that you want to edit, and then select Properties.
3 In the left pane click Products.
4 Do one of the following actions:

  - To give the role members access to all of the listed products, click Role members will have access to all products.
  - To limit the role members' access to specified products, click Role members will have access to only the selected products. Enable (check) or disable (uncheck) access to individual products in the list.
  Consider the tasks that role members will perform as you select products from the list. Table 2-2 lists the product access that is needed by users who perform specific functions.
5 Click OK.

Modifying SIM permissions

Use the SIM Permissions property to enable or disable several types of Information Manager permissions that are assigned to a role.

To modify SIM permissions

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles.
2 In the right pane, right-click the role that you want to edit, and select Properties.
3 In the left pane click SIM Permissions.
4 Do one of the following actions:
  - To assign all Information Manager permissions to the role, click Enable all Permissions.
  - To limit the permissions assigned to the role, click Enable specific Permissions. Then click the check boxes as needed to enable or disable permissions for the role.
  Table 2-2 lists the permissions that are needed by users who perform specific functions.
5 Click OK.

About the Bypass Event RBAC option

When you create or modify a role, you can choose to enable the Bypass Event RBAC option. Bypass Event RBAC gives a role unrestricted access to all of the event archives for which a user has been granted access. When a user with this role performs an event query, the query bypasses any additional permission settings that are based on Organizational Unit, Domain, or Product settings, and returns a complete data set from the archives for which the user has been given

access. Enabling Bypass Event RBAC enhances query performance by reducing the set of permissions criteria against which the query must be processed.

Modifying appliance access

Use the Appliances property to select the appliances to which role members have access. The selections for this property determine the appliances that the role members can see in the following console locations:

- The Testing tab on the Rules page, for use when testing a particular rule.
- The appliances and archives that are available for each query on the Events page.
- The Appliance Configurations tab on the System page.

To modify appliance access

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles.
2 In the right pane, right-click the role that you want to edit, and select Properties.
3 In the left pane click Appliances.
4 Do one of the following actions:
  - To give role members access to all Information Manager appliances in the network configuration, click Role members will have access to all appliances.
  - To limit role members' access to certain appliances, click Role members will have access to only the selected appliances. In the appliances tree, select at least one appliance to associate with this role, and then click Next.

Modifying access permissions in roles

Roles include the permissions that determine the types of access (for example, Read and Delete) that role members have to objects that appear in the console. Role-specific permissions are assigned to the objects when you create each role. You can change the access permissions for the following types of objects:

- Container objects that were created when you installed Information Manager, such as organizational units.
- The new objects that you create within the container objects.

When you view the properties of a role, you can see and modify the permissions for the role by selecting tabs in the Editing Role Properties dialog box.
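The organizational unit, appliance and Bypass Event RBAC properties described earlier in this chapter together decide which archived events a role member's query returns. The following Python script is an added illustration and is not Information Manager code: it encodes the three stated rules (role members see events only from computers in organizational units added to the role, selecting a unit includes the units below it, and Bypass Event RBAC skips the organizational unit check but still returns data only from archives on appliances the role can access). The organizational unit tree, the computer assignments, the appliance names and the archived events are assumptions constructed for the demonstration.

```python
"""Illustrative model of which archived events a role member can query.

Added example, not Information Manager code. The organizational unit (OU)
tree, computer assignments, appliance names and events are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed OU tree: child -> parent (None marks the root).
OU_PARENT: Dict[str, Optional[str]] = {
    "Corp": None,
    "Corp/Europe": "Corp",
    "Corp/Europe/Paris": "Corp/Europe",
    "Corp/Americas": "Corp",
}

# Constructed computer -> OU assignments. A computer missing from this map has
# not been placed in any OU.
COMPUTER_OU: Dict[str, str] = {
    "paris-fw": "Corp/Europe/Paris",
    "eu-ids": "Corp/Europe",
    "ny-mail": "Corp/Americas",
}


@dataclass(frozen=True)
class ArchivedEvent:
    appliance: str   # appliance whose event archive holds the event
    computer: str    # computer that generated the event
    summary: str


@dataclass(frozen=True)
class Role:
    name: str
    org_units: FrozenSet[str] = frozenset()    # OUs added to the role
    appliances: FrozenSet[str] = frozenset()   # appliances the role may access
    bypass_event_rbac: bool = False


def ou_is_within(ou: str, granted: FrozenSet[str]) -> bool:
    """True if `ou` itself or any OU above it was added to the role."""
    node: Optional[str] = ou
    while node is not None:
        if node in granted:
            return True
        node = OU_PARENT[node]
    return False


def visible_events(role: Role, archive: List[ArchivedEvent]) -> List[ArchivedEvent]:
    """Filter a query result the way the role's properties would."""
    result = []
    for ev in archive:
        # Appliance access always applies: an archive the role cannot reach
        # contributes nothing, with or without Bypass Event RBAC.
        if ev.appliance not in role.appliances:
            continue
        if role.bypass_event_rbac:
            result.append(ev)          # complete data set from accessible archives
            continue
        ou = COMPUTER_OU.get(ev.computer)
        # A computer in no OU is in no OU that was added to the role, so it is hidden.
        if ou is not None and ou_is_within(ou, role.org_units):
            result.append(ev)
    return result


def constructed_archive() -> List[ArchivedEvent]:
    return [
        ArchivedEvent("sim-eu", "paris-fw", "firewall deny"),
        ArchivedEvent("sim-eu", "eu-ids", "ids alert"),
        ArchivedEvent("sim-us", "ny-mail", "virus found"),
        ArchivedEvent("sim-us", "unknown-host", "computer not assigned to an OU"),
    ]


if __name__ == "__main__":
    europe = Role("EU analyst", frozenset({"Corp/Europe"}), frozenset({"sim-eu", "sim-us"}))
    for ev in visible_events(europe, constructed_archive()):
        print(ev.computer, ev.summary)
```

With the constructed data, a role that holds Corp/Europe sees the Paris firewall event because Corp/Europe/Paris sits below the unit that was added, but not the Americas mail event; a role with Bypass Event RBAC on the sim-us appliance sees both sim-us events, including the one from a computer in no organizational unit, and nothing from sim-eu.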

Warning: Permission modification is an advanced feature. You should customize permissions only if you have a clear understanding of how access control works. See Working with permissions on page 43.

Table 2-2 describes the access requirements of typical enterprise security roles.

Table 2-2 Access requirements for roles

Role: SES Administrator and Domain Administrator
Products: All
SIM permissions: All
Console access: All
Access permissions: None required

Role: System Administrator
Products: Information Manager
SIM permissions: Allow Asset Edits; Move Computers
Console access: Show Dashboard Tile; Show Intelligence Tile; Show Statistics Tile; Show System Tile
Access permissions: Read and Search on Public/System Query groups

Role: User Administrator
Products: All
SIM permissions: Allow Dashboard Auto Refresh; Move Computers; Allow Asset Edits; Manage Networks; Manage Policies; Manage Services
Console access: Show Assets Tile; Show Dashboard Tile; Show Intelligence Tile; Show Rules Tile; Show System Tile
Access permissions: Read and Search on Public/System Query groups; Read and Write on Users and User Groups; Read and Write on Rules and Roles

Role: Incident Manager
Products: Information Manager
SIM permissions: Create Incidents; Write My Incidents; Write All Incidents; Change Assignee and Team on My Incidents; Change Assignee and Team on All Incidents; Change Assignee/Team to self or own team on unassigned incidents; Change Status My Incidents; Change Status All Incidents; Read My Incidents; Read All Incidents; Read Unassigned Incidents; Create new queries; Create new reports; Publish queries; Publish reports; Allow Dashboard Auto Refresh; Move Computers; Allow Asset Edits; Manage Networks; Manage Policies; Manage Services
Console access: Show Assets Tile; Show Dashboard Tile; Show Events Tile; Show Incidents Tile; Show Intelligence Tile; Show Reports Tile; Show Tickets Tile
Access permissions: none listed

Role: Report Writer
Products: Information Manager
SIM permissions: Write My Incidents; Write All Incidents; Change Assignee and Team on My Incidents; Change Assignee and Team on All Incidents; Change Assignee/Team to self or own team on unassigned incidents; Change Status My Incidents; Change Status All Incidents; Read My Incidents; Read All Incidents; Read Unassigned Incidents; Create new queries; Create new reports; Publish queries; Publish reports; Allow Dashboard Auto Refresh; Move Computers; Allow Asset Edits; Manage Networks; Manage Policies; Manage Services
Console access: Show Dashboard Tile; Show Events Tile; Show Incidents Tile; Show Intelligence Tile; Show Reports Tile; Show Tickets Tile
Access permissions: Read and Write on Public/System Query groups; Read and Write on Report groups

Role: Report User
Products: Information Manager
SIM permissions: Create new queries; Create new reports; Allow Dashboard Auto Refresh
Console access: Show Dashboard Tile; Show Events Tile; Show Reports Tile
Access permissions: Read and Search on Public/System Query groups; Read and Search on Report groups

Role: Rule Editor
Products: Information Manager
SIM permissions: Create new queries
Console access: Show Events Tile; Show Rules Tile; Show Statistics Tile
Access permissions: Read and Write on Rules and Roles; Read and Search on Public/System Query groups; Read and Search on Report groups

Note: When you change a role's access permissions to a Public Query Group or a System Query Group, the role's database permissions may be incorrectly modified. If a user cannot view queries on the Events page, it may be because the user's role lacks the necessary database permissions. To correct this problem, do the following actions:

- Log on as a Domain Administrator or SES Administrator and open the Editing Role Properties dialog box for the user's role.
- On the DataStores tab, check the role's database permissions. If the role does not have both Read and Search permissions, add the missing permissions.

See To modify permissions on page 41.

To modify permissions

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles.
2 In the right pane, right-click the role that you want to edit, and select Properties.
3 In the Editing Role Properties dialog box, in the left pane click the type of permissions that you want to modify. For example, to change the role members' directory permissions, choose Directories.
4 When you finish setting permissions, click OK.

Examples of modifying permissions in roles

You can modify permissions for the following purposes, among others:

- To hide a query group from members of a role. When members of this role open the Query Chooser on the dashboard, they cannot see the restricted query group in the query tree.
- To hide all users from members of a role.

  When members of this role view the System page, they do not see Users in the left pane.
- To prevent role members from adding and deleting user groups. Role members can view and modify user groups, but they cannot add and delete user groups.

To hide a query group from members of a role

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles.
2 In the right pane, right-click the role that you want to restrict, and select Properties.
3 In the left pane click System Query Groups.
4 Click Add.
5 In the Find System Query Groups window, select Product Queries.Symantec Client Security, and then click Add.
6 Click OK.
7 On the Product Queries.Symantec Client Security row, uncheck Read and Search.
8 Click OK.

Members of this role cannot view Symantec Client Security queries. That is, if a role member selects System Queries > Product Queries in the Query Chooser on the dashboard, the role member does not see Symantec Client Security in the tree.

To hide all users from members of a role

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles.
2 In the right pane, right-click the role that you want to restrict, and then select Properties.
3 In the left pane click Users.
4 Under Default permissions for all users, uncheck all permission types (for example, Read and Add).
5 Click OK.

When role members view the System page, they cannot see Users in the left pane.

To prevent role members from adding and deleting user groups

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles.
2 In the right pane, right-click the role that you want to restrict, and then select Properties.
3 In the left pane click User Groups.
4 On the top line of permissions, check Read, Write, and Search. Make sure that Add and Delete are not checked.
5 Click OK.

Role members can view, search, and modify all user groups in the domain. They cannot create new user groups or delete user groups.

Deleting a role

You can delete roles when they are no longer in use. Before you delete a role, you can view the properties of the role to ensure that none of your users requires it.

To delete a role

1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain, and then click Roles.
2 In the right pane, right-click the role that you want to delete, and select Properties.
3 Review the role properties to make sure that no users require this role.
4 Click Cancel.
5 If you still want to delete the role, on the toolbar, click - (the minus icon).
  A message warns you that all members of the selected role will be removed. This means that users will no longer have access to the role. The user accounts will not be deleted.
6 In the confirmation dialog box, click Yes to delete the role.

Working with permissions

Permissions define the access that members of a role have to specific objects. Along with other role properties, permissions control what users can see and do when they log on to the Information Manager console.

As with roles, you can work with permissions only if you are a member of the SES Administrator or Domain Administrator role. The permissions of objects are defined initially when you create roles and when you create new objects. You can then modify the permissions to fine-tune your roles.

Warning: Permission modification is an advanced feature. You should customize permissions only if you have a clear understanding of how access control works in the security directory.

About permissions

Permissions are always associated with roles and are applied when a member of a role logs on to the console. Table 2-3 shows the permissions that role members can have to view and work with objects.

Table 2-3 Object permissions

Read: Lets the role members see the attributes of objects. Read must be enabled for the other access permissions to work.
Write: Lets the role members modify objects.
Add: Lets the role members create a new child object within the selected container.
Delete: Lets the role members delete objects.
Search: Lets the role members search the database or the security directory for objects. Search must be enabled for the other access permissions to work.

For information about the access permissions of typical enterprise security roles, see Table 2-2.

The following objects have permissions:

- Container objects. Container objects are created when the DataStore (database) and Directory are installed. These objects contain all of the new objects that you create. In the console, container objects appear in the left pane of the Administration tab on the System page.

Examples of the container objects that have permissions are Users, Roles, and Organizational Units.

Objects that you create within container objects
When you create new objects to represent your security environment, they are stored within the container objects. On the System page, the objects that you create appear in the right pane when you select their container object in the left pane. For example, when you select Users in the left pane, the individual users that you have created within the Users container are displayed. These created objects are sometimes known as child or leaf objects.

Propagation of permissions
As you create new management objects, it is important to understand the relationship between the permissions of container objects and the permissions of the objects you create within these containers. In most cases, the permissions of a container object propagate to all new objects that you create within the container.

When you create new objects on a role-by-role basis, the current permissions of the container object are propagated to the new objects. For example, in Role A, on the Users tab, you disable Write permission for the Users container. In Role B, you disable Delete permission for the Users container. When you create new users, members of Role A do not have Write permission, so they cannot modify the properties of the new users. Members of Role B do not have Delete permission, so they cannot delete the new users.

Note: Most roles should have at least Read and Search permissions for all objects. These permissions allow role members to view information about the objects and perform searches for the objects. For example, if you enable Write access for a container object and disable Read access, the role members cannot modify the objects, because they cannot view the objects.

Propagation occurs only when you create new objects. For example, you may create several users and assign them to Role A before you disable the Write permission in Role A. These permissions are not disabled for the original users unless you set them explicitly.

Modifying permissions from the Permissions dialog box
You can use the following methods to modify permissions:
  Edit the role using the Editing Role Properties dialog box.

  Use this method to modify permissions for several objects within one role. See Modifying access permissions in roles on page 37. You cannot edit the permissions of software products and their configurations through the Editing Role Properties dialog box.
  Use the Permissions dialog box for a particular object.
  Use this method to modify the permissions for a specific object within one or more roles.

Note: Some objects do not have permissions.

To modify permissions for a container object
1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain.
2 In the left pane, right-click the container object (for example, Users) and select Permissions.
  In the Permissions dialog box, roles are listed if they have already been assigned to this object. Note that some container objects do not have permissions.
3 You may do any of the following:
  To modify permissions for this object within the listed roles, check (enable) or uncheck (disable) the permissions, as needed. You should not disable the Search permission.
  To add a role to this object, click Add. In the Find Roles dialog box, select a role, then click Add, and then click OK. The role you added appears in the Permissions dialog box, where you can then enable or disable its permissions.
  To remove a role, click the role name, and then click Remove.
  To edit a role's properties, click the role name, and then click Properties.
4 Click OK when you finish modifying permissions.

To modify permissions for a created object
1 On the System page, in the left pane of the Administration tab, navigate to the relevant domain.
2 In the left pane, click the container object that contains the created object. For example, click Users.

3 In the right pane, right-click the object whose permissions you want to modify, and then select Permissions.
  In the Permissions dialog box, roles are listed if they have already been assigned to this object. Note that some created objects do not have permissions, such as Policies.
4 You may do any of the following actions:
  To modify permissions for this object within the listed roles, check (enable) or uncheck (disable) the permissions, as needed. You should not disable the Search permission.
  To add a role to this object, click Add. In the Find Roles dialog box, select a role, then click Add, and then click OK. The role you added appears in the Permissions dialog box, where you can then enable or disable its permissions.
  To remove a role, click the role name, and then click Remove.
  To edit a role's properties, click the role name, and then click Properties.
5 Click OK when you finish modifying permissions.
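The propagation and gating behaviour described under About permissions and Propagation of permissions, as an added Python model that is not part of Information Manager (the SecurityDirectory class and the role and object names are constructed for illustration):

```python
# Added model, not Information Manager code: how a container's permissions
# propagate to new child objects for each role, and how Read and Search gate
# the other permissions. Class, role and object names are constructed.
from copy import deepcopy
from typing import Dict

PERMISSIONS = ("Read", "Write", "Add", "Delete", "Search")


def full_access() -> Dict[str, bool]:
    return {p: True for p in PERMISSIONS}


class SecurityDirectory:
    """Per-object, per-role permission tables, like the Permissions dialog box."""

    def __init__(self, containers, roles):
        # acl[object][role][permission] -> enabled?
        self.acl = {c: {r: full_access() for r in roles} for c in containers}

    def set_permission(self, obj: str, role: str, perm: str, enabled: bool):
        self.acl[obj][role][perm] = enabled

    def create_object(self, container: str, name: str):
        # Propagation happens only at creation time: the container's current
        # permissions for every role are copied into the new child object.
        # Changing the container later does not reach objects that already exist.
        self.acl[name] = deepcopy(self.acl[container])

    def effective(self, obj: str, role: str, perm: str) -> bool:
        """Read and Search must both be enabled for any other permission to work."""
        entry = self.acl[obj][role]
        if not (entry["Read"] and entry["Search"]):
            return False
        return entry[perm]


def role_a_role_b_scenario() -> Dict[str, bool]:
    """Replays the Role A / Role B example from the text."""
    d = SecurityDirectory(containers=["Users"], roles=["Role A", "Role B"])
    d.create_object("Users", "early_user")        # created before the change
    d.set_permission("Users", "Role A", "Write", False)
    d.set_permission("Users", "Role B", "Delete", False)
    d.create_object("Users", "new_user")          # created after the change
    return {
        "role_a_writes_new_user": d.effective("new_user", "Role A", "Write"),
        "role_b_deletes_new_user": d.effective("new_user", "Role B", "Delete"),
        "role_b_writes_new_user": d.effective("new_user", "Role B", "Write"),
        # The gotcha: early_user keeps Write for Role A unless set explicitly.
        "role_a_writes_early_user": d.effective("early_user", "Role A", "Write"),
    }


def write_without_read_scenario() -> bool:
    """Write enabled but Read disabled: members still cannot modify the object."""
    d = SecurityDirectory(containers=["Users"], roles=["Role C"])
    d.set_permission("Users", "Role C", "Read", False)
    d.create_object("Users", "some_user")
    return d.effective("some_user", "Role C", "Write")


if __name__ == "__main__":
    print(role_a_role_b_scenario())
    print("write without read:", write_without_read_scenario())
```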


Chapter 3 Managing users and user groups

This chapter includes the following topics:
  About managing users and passwords
  Customizable password policy
  Creating a new user
  Creating a user group
  Editing user properties
  Modifying user permissions
  Modifying a user group
  Deleting a user or a user group

About managing users and passwords
The Symantec Security Information Manager appliance uses accounts from Linux and the IBM DB2 Service. Both types of accounts use the password that is specified during installation. The default password is password.

By default, the installation program creates these Linux accounts:
  root       default Linux administrative account
  simuser    used by the Information Manager text console process
  sesuser    used by the http and the Tomcat processes
  db2admin   used by the database process
  dasusr1    used for the DB2 Admin Tools database
  symcmgmt   used by the database process

Warning: For security, change the Linux passwords periodically, according to your company's security policy. The password for all Linux accounts must be changed using the Change Password option from the Information Manager Web configuration interface. Do not change these account passwords or permissions by standard Linux commands, as doing so may result in errors with appliance operation.

Generally, you should not need to create new Linux accounts; however, you may want to create an account with limited permissions to a file share to allow a user or process to copy database and directory service backups. See your Linux documentation for information on how to create Linux accounts. See the Symantec Security Information Manager Installation Guide for information on how to change the password for the Linux accounts.

By default, the installation program also creates the Administrator account in the directory service. This account is used for logging in to the Information Manager console and Information Manager Web configuration interface initially. With the proper permissions, you can also create new directory service accounts for users who will use the Information Manager console and Information Manager Web configuration interface. Directory service accounts are for the administrators of your security products, contacts for notifications, or both. Users who are administrators are members of the roles that define their administrative permissions. Users who only receive notifications do not have to be members of a role.

When you select Users from the Administration tab on the System page, you can do the following tasks:
  Creating a new user
  Editing user properties
  Modifying user permissions
  Deleting a user or a user group

The Administration tab also lets you create, modify, and delete user groups:
  Creating a user group
  Modifying a user group

  Deleting a user or a user group

Customizable password policy
Information Manager includes the ability to enforce strong password requirements for all users. As an administrator, you can customize the password policy for Information Manager to match the password standards that apply to your environment. You must provide the LDAP cn=root password to change the password settings. When you change the password policy, any users who have existing passwords that are not in compliance with the new policy are prompted to change their password at the next log on.

Note: When you enable the EAL4 password policy and a user locks their account the same day that they change it, you cannot reset the password for 24 hours. This is a result of the "Minimum time between password changes (seconds):" value being defined as 24 hours in the EAL4 password policy. This behavior is expected due to the strict EAL4 password policy definition. If this behavior is not desired, you can choose the Custom password policy option, change the Minimum time between password changes (seconds): setting to a lower value, and save the configuration.

The Password Management User Password Settings table includes the following selectable columns:
  Default   The default settings used by Information Manager.
  EAL4      The settings that comply with Evaluation Assurance Level 4 (EAL4) standards.
  Custom    User-defined settings. Note that if you choose this column but do not change any settings, clicking Save reverts to the policy that was previously enabled.

To change the Information Manager password policy
1 Log in to the Information Manager Web Configuration interface using administrator credentials, and click Password Management.
2 In the LDAP cn=root password field, type the password, and then click Enter admin mode.

3 In the password settings tables, choose the type of password management you would like to use. If you choose Custom, configure each option, and place a check in the Password policy enabled: checkbox.
4 Click Save.

Creating a new user
Use the Create a new User wizard to create a user. The wizard prompts you for the required information that the user needs to log on to Symantec Security Information Manager. It also lets you specify notification information, permissions, and other user properties.

The Create a new User wizard is designed for flexibility and to provide multiple ways to collect information. You can supply all pertinent user information at the time that you create the user; alternatively, you can provide only the required information and add more information later by editing the user's properties. See Editing user properties on page 55.

To create a new user
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then click Users.
3 On the toolbar, click + (the plus icon).
4 In the first panel of the Create a new User wizard, click Next.
5 In the General panel, do the following, and then click Next:
  Logon name   Type the logon name for the new user.
  Last name    Type the user's last name.
  First name   Type the user's first name.
  The other fields on this panel are optional.
6 In the Password panel, type a password in the Password text box and type the same characters in the Confirm password box. Then click Next.
  The password that you choose must comply with the policy settings chosen by the administrator. The password is case sensitive. Green check marks under Password rules indicate that your password meets the requirements.

7 In the Business panel, specify business information for the user (optional), and then click Next. See Specifying user business and contact information on page 55.
8 In the Contact Information panel, specify contact information for the user (optional), and then click Next.
9 In the Notifications panel, specify email addresses and pager numbers for the user, and times when those contacts can be used for notifications (optional). See Specifying notification information on page 59.
10 In the Roles panel, you can assign the user to one or more roles that define the user's permissions. You can also assign or change a user's roles later. See Managing role assignments and properties on page 56.
  Note that you must create roles before you can assign users to roles. If no roles appear on the Find Roles panel, you have not yet created any roles. See Creating a role on page 29.
11 In the User Groups panel, you can assign the user to one or more user groups. You can also assign users to groups later. See Managing user group assignments on page 57.
  Note that you must create user groups before you can assign users to groups. If no groups appear on the Find User Groups panel, you have not yet created any groups. See Creating a user group on page 53.
12 In the User Summary panel, review the information that you have specified, and then click Finish.
  The user properties that are created are shown in the task status list at the bottom of the panel. A green check mark next to a task indicates that it was successfully accomplished.
13 Click Close.

Creating a user group
After you create users, you can assign them to groups. User groups are particularly useful when you have large numbers of users who need to have the same system roles. You can assign an entire user group to a role, and all of the users in the group will have the rights and permissions that are assigned to that role. Another

reason to implement user groups is to facilitate the auto-assignment of incidents, using correlation rules.

The Create a new User Group wizard enables you to create user groups and add users to the groups. You can assign users at the time you create a group, or you can add users to the group later.

Note: If you create a user group, and then assign it to a role, all of the users who are currently in the group are assigned to that role. However, if you later add more users to the user group, those users are not automatically added to the role. You must assign each user to the role individually.

To create a user group
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then click User Groups.
3 On the toolbar, click + (the plus icon).
4 In the first panel of the Create a new User Group wizard, click Next.
5 In the General panel, type a name and (optional) description for the user group, and then click Next.
6 In the Members panel, click Add.
  In the Find Users dialog box, the Available users list shows all users for the domain, up to the number of users indicated by the Maximum search count text box.
7 Select one or more users from the Available users list, and then click Add. The users appear in the Selected users list.
8 If you want to review information about a specific user, click the user name, and then click Properties. You can view or change the user's properties, and then click OK.
9 When you finish adding users to the group, click OK.
10 In the Members panel, click Next.
11 In the User Group Summary panel, click Finish.
  The user group properties that are created are shown in the task status list at the bottom of the panel. A green check mark next to a task indicates that it was successfully accomplished.
12 Click Close.

Editing user properties
After you create a user, you can edit the user properties to perform the following tasks:
  Changing a user's password
  Specifying user business and contact information
  Managing role assignments and properties
  Managing user group assignments
  Specifying notification information

Changing a user's password
Passwords can be changed in the following ways:
  Users can change their own passwords by using the Change Password option on the Tools menu in the Information Manager console.
  Administrators can change a user's password by editing the user's properties.

To change a user's password
1 On the System page Administration tab, in the left pane, navigate to the relevant domain, and then click Users.
2 In the right pane, right-click the user whose password you want to change, and then select Properties.
3 In the User Properties dialog box, on the Password tab, in the Password text box, type a new password.
  The password that you choose must comply with the policy settings that are chosen by the administrator.
4 In the Confirm password text box, type the password again to confirm it.
5 Click OK.

Specifying user business and contact information
In the User Properties dialog box, the Business tab and Contact Information tab let you supply detailed information about the user. You can specify this information when you create a user or by editing an existing user's properties.

The choice of a preferred language is particularly important. The preferred language controls the format of currency, date, time, and the use of numerical separators when the user is logged into the Information Manager console.

To specify user business and contact information
1 On the System page Administration tab, in the left pane, navigate to the relevant domain, and then click Users.
2 In the right pane, right-click the user whose information you want to change, and then select Properties.
3 In the User Properties dialog box, on the Business tab, type the business information for the user.
4 To specify the user's preferred language, in the Preferred language drop-down list, select a language.
5 To identify the user's manager, click the browse button (...) next to the Manager text box to display the Find Users dialog box. The manager must exist as a user in the database.
6 In the Find Users dialog box, select the user who is the manager, and then click OK.
  The Available users list shows all users for the domain, up to the number of users that are indicated by the Maximum search count text box.
7 To identify the user's administrative assistant, click the browse button (...) next to the Administrative assistant text box. In the Find Users dialog box, select the administrative assistant. The administrative assistant must exist as a user in the database.
8 On the Contact Information tab, type the contact information for the user.
9 Click OK.

Managing role assignments and properties
The roles that a user is assigned define the user's administrative permissions in the console. Roles are product-specific and are created as one or both of the following:
  Roles that allow the management of policies and configurations for a product
  Users who are members of these roles can change the security configurations of an integrated product and distribute them to specific computers and organizational units.
  Roles that allow the viewing of the events that are generated by a product
  Users who are members of these roles can view alerts and events for a product, and create alerts and customized reports.

Note: You must be a member of the Domain Administrator role to make a user a member of a role. Also, the role must exist in the database before you can add a user to the role. See Creating a role on page 29.

To manage role assignments and properties
1 On the System page Administration tab, in the left pane, navigate to the relevant domain, and then click Users.
2 In the right pane, right-click the user whose information you want to change, and then select Properties.
3 In the User Properties dialog box, on the Roles tab, click Add.
4 In the Find Roles dialog box, from the Look in drop-down list, select the domain in which to find the role. Users can have access to roles in multiple domains.
5 In the Available roles list, select one or more roles, and then click Add.
  The Find Roles dialog box displays a list of roles only if you are a member of the Domain Administrator role.
6 Click OK.
7 To remove a user from a role, click the role name and then click Remove. This action does not remove the role from the database.
8 To view or edit the properties of a role, click the role name and then click Properties.
9 Use the Editing Role Properties dialog box to make changes to the role, if you want. See Editing role properties on page 32.
10 Click OK until you return to the System page.

Managing user group assignments
You can modify the composition of a user group by adding users to the group and removing users from the group. You can also view and modify user group properties. You can manage user group assignments in the following ways:
  Manage one user's assignment by adding to or removing from one or more user groups.

  Manage a single user group by adding or removing multiple users at one time.

To manage a single user's user group assignments
1 On the System page Administration tab, in the left pane, navigate to the relevant domain, and then click Users.
2 In the right pane, right-click the user whose user group assignment you want to manage, and then select Properties.
3 In the User Properties dialog box, on the User Groups tab, click Add.
4 In the Find User Groups dialog box, from the Look in drop-down list, select the domain in which to find the user group.
5 In the Available user groups list, select one or more user groups, and then click Add. The user groups that you selected appear in the Selected user groups list.
6 Click OK.
7 To remove a user from a user group, click the user group name and then click Remove. This action does not remove the user group from the database.
8 To view or edit the properties of a user group, click the user group name and then click Properties.
9 Use the User Group Properties dialog box to make changes to the user group, if you want. For example, you can add members to the group and remove users from the group.
10 Click OK until you return to the System page.

To manage multiple users' user group assignments
1 On the System page Administration tab, in the left pane, navigate to the relevant domain, and then click User Groups.
2 In the right pane, right-click the user group whose membership you want to manage, and then select Properties.
3 In the User Group Properties dialog box, on the Members tab, click Add.
4 In the Find Users dialog box, from the Look in drop-down list, select the domain in which to find the users.
5 In the Available users list, select one or more users, and then click Add. The users that you selected appear in the Selected users list.
6 Click OK.

7 To remove a user from a user group, click the user name and then click Remove. This action does not remove the user from the database.
8 To view or edit the user's properties, click the user name and then click Properties.
9 Use the User Properties dialog box to make changes to the user, if you want.
10 Click OK until you return to the System page.

Specifying notification information
When you create custom correlation rules, you can identify users to notify when particular incidents or alerts occur. See Creating a custom rule on page 108. For each user, you can specify the email addresses and pager numbers that are used to send these notifications. You can also specify when the user is notified. For example, you can specify one email address to be used Monday through Friday from 8:00 A.M. to 5:00 P.M., and a pager to be used during off-hours, namely, Saturday and Sunday, and Monday through Friday after 5 P.M.

You can specify the following:
  Email addresses
  Pager numbers
  The day and the time ranges when the contact method can be used to send a user notifications of alerts

The combined number of email addresses and pager numbers cannot exceed five.

To specify a user's email address
1 On the System page Administration tab, in the left pane, navigate to the relevant domain, and then click Users.
2 In the right pane, right-click the user whose email address you want to change, and then select Properties.
3 In the User Properties dialog box, on the Notifications tab, in the drop-down list, click Email.
4 Click Add.
5 In the Email dialog box, in the Email address text box, type an email address.

6 If the user receives email on a device with a small screen, such as a handheld device, check Send shortened email message. This option sends an abbreviated email message that is easier to read.
7 Click OK.
8 Specify notification times if desired.
9 Do any of the following:
  To add additional email addresses, repeat steps 4 through 8.
  To edit an existing email address, click it and then click Properties.
  To remove an existing email address, click it and then click Delete.
10 When you finish, click OK.

To specify a user's pager number
1 On the System page Administration tab, in the left pane, navigate to the relevant domain, and then click Users.
2 In the right pane, right-click the user whose pager number you want to change, and then select Properties.
3 In the User Properties dialog box, on the Notifications tab, in the drop-down list, click Pager.
4 Click Add.
5 In the Pager dialog box, in the Number text box, type a pager number.
6 In the Notification service drop-down list, select the notification service to use.
  If you do not see the service that you want to select, you can add it using the Notification Services node in the left pane of the System page.
7 Click OK.
8 Specify notification times if desired. See To specify notification times on page 61.
9 Do any of the following:
  To add more pager numbers, repeat steps 4 through 8.
  To edit an existing pager number, click it and then click Properties.
  To remove an existing pager number, click it and then click Delete.
10 Click OK.

To specify notification times
1 In the User Properties dialog box, on the Notifications tab, click an email address or pager number.
2 Using the Day controls, check the days when the contact method can be used to contact the user.
3 Using the From and To controls, specify the range of time when the contact method can be used.
4 Repeat these steps to establish notification times for other email addresses and pager numbers.
5 When you finish, click OK.

Modifying user permissions
When you create a role, permissions are assigned for each user with regard to that role. These permissions control whether role members who log on to the console can view, modify, or delete the user. You can modify these permissions in the following ways:
  By displaying and editing the roles that contain the permissions. See Modifying access permissions in roles on page 37.
  By displaying the Permissions dialog for the User container object or an individual user. See Modifying permissions from the Permissions dialog box on page 45.

Note: To modify permissions, you must be logged on as a member of the Domain Administrator role.

Modifying a user group
You can modify a user group by adding and removing members, and by changing the user group name and description. You can also modify individual group members' properties.

To modify a user group
1 On the System page Administration tab, in the left pane, navigate to the relevant domain, and then click User Groups.
2 In the right pane, right-click the user group that you want to modify, and then click Properties.

3 On the General tab, you can add or change the user group's name and description.
4 On the Members tab, you can do the following:
  Add members                  Click Add. In the Find Users dialog box, select one or more users from the Available users list, and then click Add. When you finish adding members, click OK.
  Remove members               Select the member name, and then click Remove. When you finish removing members, click OK.
  Modify a member's properties Select the member name, and then click Properties. In the User Properties dialog box, use the tabs to modify the properties of individual user group members. When you finish modifying properties, click OK.
5 Click OK.

Deleting a user or a user group
You can delete users who are no longer participants in your security network. You can also delete the user groups that are no longer needed.

To delete a user or a user group
1 On the System page Administration tab, in the left pane, navigate to the relevant domain, and then click Users or User Groups.
2 In the right pane, right-click the user or the user group that you want to delete, and then click Delete.
3 In the confirmation dialog box, click Yes.

Chapter 4 Managing organizational units and computers

This chapter includes the following topics:
  About organizational units
  Managing organizational units
  Managing computers within organizational units

About organizational units
Organizational units are a useful way to structure your security environment in Symantec Security Information Manager. Before you create organizational units, it is important that you understand your security network and create a security plan.

Organizational units let you group the computers and appliances that you manage. You can then add configurations for the Information Manager components that may be installed on those computers. This enables the distribution of the configurations to all computers and appliances in the organizational unit.

Managing organizational units
On the Administration tab of the System page, when you select Organizational Units, you can perform the following tasks:
  Creating a new organizational unit
  Editing organizational unit properties
  About modifying organizational unit permissions

  Deleting an organizational unit
  Distributing configurations to computers in an organizational unit

Creating a new organizational unit
Organizational units are logical groupings. You can create them to organize computers that are in the same physical location or belong to structural groups within your corporation, such as divisions or task groups. However, it is not required that an organizational unit reflect these relationships. You can create all the organizational units that you require at a single level, or you can create a hierarchy of nested organizational units.

The combined maximum length of the distinguished name of an organizational unit should be no longer than 170 bytes. Keep in mind that some characters, such as accented characters or Japanese characters, take more space to store. Since the distinguished name of an organizational unit is a concatenation of the names above it in the hierarchy, nesting organizational units with long names can exceed this limit. A screen message informs you if you exceed the limit.

To create a new organizational unit
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then click Organizational Units.
3 Do one of the following:
  To create a new organizational unit at the top level of the tree, click + (the plus icon) on the toolbar. Go to step 4.
  To create a new organizational unit within an existing organizational unit, expand the organizational unit tree and select the desired level. Then click + (the plus icon) on the toolbar. Go to step 3.
4 In the Computer or Organizational Unit dialog box, click Organizational Unit, and then click OK.
5 In the first panel of the Create a new Organizational Unit wizard, click Next.
6 In the General panel, do the following:
  In the Organizational Unit name text box, type a name for the organizational unit.
  In the Description text box, type a description of the organizational unit (optional).
7 Click Next.

8 In the Organizational Unit Summary panel, review the information that you have specified, and then click Finish.
9 Click Close.

Determining organizational unit name length
Information Manager imposes limits on the length of the name of an organizational unit and on the total length of the distinguished name that is stored in the security directory. These limits become important when you nest organizational units. The distinguished name for a nested organizational unit includes the following:
  The name you give the organizational unit when you create it
  The names of each organizational unit above it in the hierarchy
  The name of the top node in the organizational unit tree
  The name of the domain within which you create the organizational unit hierarchy
  Additional bytes of overhead

You can view the distinguished name of an organizational unit by looking at the organizational unit's properties.

The maximum length of the name you assign in the Create a new Organizational Unit wizard is 64 UTF-8 bytes. For the Roman character set, this means that the name cannot exceed 64 characters. Some characters take more space to store. For example, accented characters take 2 bytes to store, and Japanese characters take 3 to 4 bytes to store. When these characters are used, fewer characters are allowed in the name.

Because Information Manager adds additional information for internal use to the distinguished name, the maximum recommended length of the distinguished name of an organizational unit in the security directory is 170 bytes. If a distinguished name is longer than 256 characters, serious performance issues occur.

Table 4-1 describes how to calculate the UTF-8 byte length of the distinguished name of the organizational unit.
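Applying the Table 4-1 formulas to UTF-8 byte counts, as an added Python example that is not part of Information Manager (the function names, limit constants and sample inputs are constructed from the figures in this section). With a 4 + length term for each OU level, the Paris-under-Sales example comes to 62 bytes, whereas the 53-byte sum printed in the table includes the Paris term only.

```python
# Added example, not Information Manager code: applies the Table 4-1 formulas
# to compute the UTF-8 byte length of an organizational unit's distinguished
# name and to flag the limits the guide states. Function names are assumptions.
from typing import Dict, List

NAME_MAX_BYTES = 64             # maximum length of a single OU name
DN_RECOMMENDED_MAX_BYTES = 170  # recommended maximum for the distinguished name
DN_PERFORMANCE_LIMIT = 256      # beyond this, serious performance issues occur
PER_COMPONENT_OVERHEAD = 4      # the "4 +" in each sum() term of Table 4-1
DOMAIN_OVERHEAD = 17            # "+ 17 bytes" for the domain name
OU_OVERHEAD = 13                # "+ 13 bytes" for the OU name


def utf8_len(name: str) -> int:
    """Byte length of a name in UTF-8: Roman letters 1 byte, accented
    characters 2 bytes, Japanese characters 3 bytes or more."""
    return len(name.encode("utf-8"))


def domain_name_length(domain: str) -> int:
    """sum(4 + domain component name length) + 17 bytes.

    Example from Table 4-1: 'usa.ses' -> 4 + 3 + 4 + 3 + 17 = 31.
    """
    components = domain.split(".")
    return (sum(PER_COMPONENT_OVERHEAD + utf8_len(c) for c in components)
            + DOMAIN_OVERHEAD)


def ou_name_length(ou_path: List[str], domain: str) -> int:
    """sum(4 + OU name length) over every OU level + domain name length + 13.

    ou_path lists the OU and each OU above it, innermost first, for example
    ["Paris", "Sales"] for the Paris OU under the Sales OU.
    """
    return (sum(PER_COMPONENT_OVERHEAD + utf8_len(ou) for ou in ou_path)
            + domain_name_length(domain) + OU_OVERHEAD)


def check_ou_path(ou_path: List[str], domain: str) -> Dict[str, object]:
    """Check a proposed OU path against the limits stated in the guide.

    Returns the distinguished-name byte length, whether the path is
    acceptable, and a list of human-readable problems.
    """
    problems = []
    for ou in ou_path:
        nbytes = utf8_len(ou)
        if nbytes > NAME_MAX_BYTES:
            problems.append(
                f"OU name {ou!r} is {nbytes} UTF-8 bytes; the wizard allows "
                f"at most {NAME_MAX_BYTES}")
    dn_bytes = ou_name_length(ou_path, domain)
    if dn_bytes > DN_PERFORMANCE_LIMIT:
        problems.append(
            f"distinguished name is {dn_bytes} bytes; more than "
            f"{DN_PERFORMANCE_LIMIT} causes serious performance issues")
    elif dn_bytes > DN_RECOMMENDED_MAX_BYTES:
        problems.append(
            f"distinguished name is {dn_bytes} bytes; recommended maximum "
            f"is {DN_RECOMMENDED_MAX_BYTES}")
    return {"dn_bytes": dn_bytes, "ok": not problems, "problems": problems}


if __name__ == "__main__":
    # Constructed inputs: the guide's usa.ses example, a 22-character Japanese
    # name that fits 64 characters but not 64 bytes, and a deeply nested path.
    for path in (["Paris", "Sales"], ["東京" * 11], ["Engineering" * 5] * 3):
        print(path, check_ou_path(path, "usa.ses"))
```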

Table 4-1 Calculating organizational unit name length

Name string: Domain name length
Formula: sum(4 + domain component name length) + 17 bytes
Example: usa.ses
  4 + length(usa) + 4 + length(ses) + 17 bytes overhead, or 4 + 3 + 4 + 3 + 17 = 31 bytes

Name string: Organizational unit (OU) name length
Formula: sum(4 + OU name length) + domain name length + 13 bytes
Example: Paris OU under the Sales OU in the usa.ses domain
  4 + length(paris) + 4 + length(sales) + domain name length + 13 bytes overhead, or 4 + 5 + 31 + 13 = 53 bytes

Editing organizational unit properties

You can modify an existing organizational unit's description. You cannot change the name or distinguished name of the organizational unit.

To edit organizational unit properties
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.
3 Right-click the name of the organizational unit that you want to edit, and then click Properties.
4 In the Organizational Unit Properties dialog box, change the description.
5 When you finish, click OK.

About modifying organizational unit permissions

When you create a role, permissions are assigned for each organizational unit with regard to that role. These permissions control whether role members who log on to the Information Manager console can view, modify, or delete the organizational unit. You can modify these permissions in the following ways:

- By displaying and editing the roles that contain the permissions. See Modifying access permissions in roles on page 37.
- By displaying the Permissions dialog for the Organizational Unit container object or an individual organizational unit. See Modifying permissions from the Permissions dialog box on page 45.

Note: To modify permissions, you must be logged on as a member of the SES Administrator role or the Domain Administrator role.

Deleting an organizational unit

Before you can delete an organizational unit, you must move or delete all computers that belong to the organizational unit.
See Moving a computer to a different organizational unit on page 80.
See Deleting a computer from an organizational unit on page 81.

Note: When you delete an organizational unit, all of the organizational units that are below it in the navigational structure are also deleted.

To delete an organizational unit
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.
3 Right-click the name of the organizational unit that you want to delete, and then click Delete.
4 To confirm that you want to delete the organizational unit and its subgroups, click Yes.

Managing computers within organizational units

Organizational units contain computer objects that represent the computers that run your security products.

Note: The term "computer" covers a variety of equipment, from traditional desktop computers to appliances and handheld devices. In the context of the Information Manager console, a computer is any machine that you manage as part of your enterprise security environment.

Computers are placed in organizational units in the following ways:
- When an agent is installed. When you install a collector on a computer, an agent is installed on the computer. It is represented in the Information Manager console as a computer within an organizational unit. In some cases, you can specify the organizational unit for the computer when the agent is installed. If an organizational unit is not specified, the computer is placed in the Default organizational unit.
- When you create the computer using the Create a new Computer wizard. You can use this method to create computers for security products that do not install agents.

Note: Do not create a computer using the wizard if you plan to install an agent on the computer at a later time. If you do, a duplicate instance of the computer will be added to the security directory.

A computer can belong to only one organizational unit at a time; however, depending on the requirements of your network, you can easily move computers from one organizational unit to another.

When you select a computer in the right pane, you can perform the following tasks:
- Creating computers within organizational units
- Editing computer properties
- Distributing configurations to computers in an organizational unit
- Moving a computer to a different organizational unit
- Modifying computer permissions
- Deleting a computer from an organizational unit

Creating computers within organizational units

Computers are defined in the security directory as part of the organizational units in which you create them. If you delete a computer from an organizational unit, it is permanently removed from the security directory.

To create a computer within an organizational unit
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.

3 Right-click the name of the organizational unit, and then click New > Computer.
4 In the first panel of the Create a new Computer wizard, click Next.
5 In the General panel, do the following, and then click Next:
  - In the Computer name text box, type the computer name.
  - In the Description text box, type a description (optional).
6 In the Information panel, do one of the following:
  - Type information in some or all of the optional text boxes, and then click Next.
  - Click Next. You can supply the information later by editing the computer's properties.
7 In the Identification panel, do one of the following:
  - Provide the host name, IP addresses, and MAC addresses of the computer now, and then click Next.
  - Click Next. You can provide the identification information later by editing the computer's properties.
8 In the Configurations panel, do one of the following:
  - To directly associate configurations with the computer now, click Add. When you are finished, click Next.
  - Click Next. You can add configurations later by editing the computer's properties.
9 In the Computer summary panel, review the information that you have specified, and then click Finish.
10 Click Close.

Editing computer properties

The computer properties that you can view and change depend on whether an agent is installed on the computer.

If the computer has an agent, you can associate configurations with the computer and view the services that are running on the computer. However, you cannot change the identification information for the computer.
See Editing a computer that has an agent on page 70.
See Viewing the services that are running on a computer on page 77.

If the computer does not have an agent, you can edit the network identification information for the computer. However, you cannot view services that are running on the computer.
See Editing a computer that does not have an agent on page 71.
See Providing identification information for a computer on page 72.

Editing a computer that has an agent

When a computer has an agent installed, much of the identification information about the computer is captured as a result of the installation of the agent. You can learn a lot about the computer by viewing the information that is provided by the agent. This information includes the state of the services that are running on the computer and the computer's heartbeat status. You can also specify configurations to be associated with the computer. If the computer is an Information Manager appliance, you can add access to other domains.

To edit a computer that has an agent
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.
3 Click the name of the organizational unit that contains the computer to be edited.
4 In the right pane, right-click the name of the computer, and then click Properties.
5 In the Computer Properties dialog box, on the General tab, you can type a new description.
6 On the Information tab, you can modify the Primary Owner and Owner contact information text boxes. The rest of the information is supplied by the agent installation.
7 On the Configurations tab, do any of the following:
  - To directly associate configurations with the computer, click Add. See Associating configurations directly with a computer on page 76.
  - To remove a configuration, select it, and then click Remove.
  - To view a configuration's properties, select it, and then click Properties. See Agent configurations on page 210.

8 On the Domain Access tab, you can add or remove domain access for the Information Manager appliance. See Adding domain access to an Information Manager appliance on page 78. You can do this only if the computer is an Information Manager appliance and you are logged on as a SES Administrator or a Domain Administrator.
9 You can view information on any of the following tabs:
  - On the Identification tab, view the host name, IP addresses, and MAC addresses of the computer.
  - On the Services tab, view information about the services that are running on the computer. See Viewing the services that are running on a computer on page 77.
  - On the Heartbeat Monitor tab, view the heartbeat status of the services that are running on the computer.
10 Click OK.

Editing a computer that does not have an agent

When you create a computer using the Create a New Computer wizard, you can modify most of the computer's properties. Services are reported only if an agent is installed on the computer.

To edit a computer that does not have an agent
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.
3 Click the name of the organizational unit that contains the computer to be edited.
4 In the right pane, right-click the name of the computer, and then click Properties.
5 In the Computer Properties dialog box, on the General tab, you can type a new description.
6 On the Information tab, modify the text boxes as desired. To enable the Other OS text box, select OTHER from the Operating system type drop-down list.
7 On the Identification tab, change the host name and add or remove IP addresses and MAC addresses, as desired. See Providing identification information for a computer on page 72.

8 On the Configurations tab, do any of the following:
  - To directly associate configurations with the computer, click Add. See Associating configurations directly with a computer on page 76.
  - To remove a configuration, select it, and then click Remove.
  - To view a configuration's properties, select it, and then click Properties. See Agent configurations on page 210.
9 On the Services tab, view information about the services that are running on the computer. See Viewing the services that are running on a computer on page 77.
10 On the Heartbeat Monitor tab, view the heartbeat status of the services that are running on the computer.
11 Click OK.

Providing identification information for a computer

After you create a computer using the Create a new Computer wizard, you can provide the network identification information for the computer by editing its properties. When you create a computer by installing a collector, the identification information is supplied automatically by the installation.

To provide identification information for a computer
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.
3 Click the name of the organizational unit that contains the computer to be edited.
4 In the right pane, right-click the name of the computer, and then click Properties.
5 In the Computer Properties dialog box, on the Identification tab, in the Host name text box, type a fully qualified domain name or DNS hostname.
6 To add an IP address, under IP addresses, click Add.
7 In the IP addresses dialog box, type the IP address of the computer, and then click OK.
8 If the computer has multiple network interface cards, repeat steps 6 and 7 for each IP address.

9 To add a MAC address, under MAC addresses, click Add.
10 In the MAC addresses dialog box, type the MAC address of the computer, and then click OK. The MAC address must consist of six hexadecimal pairs.
11 If the computer has multiple network interface cards, repeat steps 9 and 10 for each MAC address.
12 Click OK.

Using the Visualizer

The Visualizer provides a convenient way to view your Symantec Security Information Manager environment, including the computers that are assigned to organizational units. You can use it to monitor EPS rates and CPU usage on your network devices. You can also view and modify properties of elements such as Information Manager appliances and agents.

About the Visualizer

The Visualizer provides a graphical view of your Information Manager environment. When you click the Visualizer tab on the System page, you see a set of icons that represent such elements as correlation appliances, collection appliances, agents, and directories. The Icons tab in the Legend pane illustrates and defines each type of icon that can appear in the diagram.

Colored lines join elements to indicate the nature of their interactions. For example, a green line appears between an appliance and its event archive. A blue line indicates that event forwarding is configured between a collection appliance and the correlation appliance, and the arrow shows the direction in which the event data flows. To see an explanation of each color, click the Edges tab in the Legend pane.

You can place the icons where you want them by dragging them with the mouse. The associated text moves with the icon. You can also move the text to a different position relative to its icon: click and hold the mouse over the text, and then move the mouse. Empty text boxes appear on each side of the icon. Drag the text into one of the boxes and release the mouse.

The toolbar includes tools to help you examine the graphic. These tools are defined in Table 4-2.

Table 4-2 Visualizer tools

Tool: Layout menu
Purpose: Use this drop-down menu to select a display format, such as Organic or Circular.

Tool: Refresh
Purpose: Click the Refresh icon to update the display after you make configuration changes. For example, after you add a collector, clicking Refresh re-draws the diagram and shows a new icon for the added collector.

Tool: Zoom in
Purpose: Enlarge the diagram.

Tool: Zoom out
Purpose: Make the diagram smaller.

Tool: Zoom selected
Purpose: Select a portion of the diagram by clicking the mouse and dragging a box around the desired area. Then click the Zoom selected icon to enlarge the area that you selected.

Tool: Fit to window
Purpose: This option returns the diagram to its original size, to fit the entire diagram in the right pane of the System page.

Tool: Save as
Purpose: This option lets you save the information in the diagram as an XML file. Symantec Technical Support may request this file to assist in troubleshooting.

Tool: Print
Purpose: This option lets you print the diagram. On the Print Options dialog, you can select the height (Poster Rows) and width (Poster Columns) if you are printing a very large diagram. The default setting (1 poster row and 1 poster column) prints the entire diagram on a single page.

Tool: Table view
Purpose: This option displays a table with one row for each element that is involved in processing events. The table dynamically displays such information as events per second (EPS) and the total number of events that have been processed by the element since it was last started. A green check mark means that the element is running; a red X means that the element is not responding.

The colored dots that appear next to some elements indicate the activity level of these elements. Some dots reflect the volume of events per second (EPS), and other dots reflect the percentage of appliance CPU in use. The meaning of each color is explained below.

EPS
- Green = less than or equal to 2.5 K
- Yellow = 2.5 K to 5 K
- Red = greater than 5 K

CPU usage
- Green = less than 60%
- Yellow = 60% to 80%
- Red = greater than 80%

Viewing and modifying element properties

You can view the properties of many of the elements in the Visualizer diagram. You can also modify some of these properties. The same properties are also accessible through other tabs on the System page. You use these tabs to add and delete elements, such as collectors. After you add an element, you distribute it, which makes the element appear in the Visualizer. Table 4-3 explains how to access each of the element categories on other System page tabs.

Table 4-3 Accessing element properties on System page tabs

Category: Computers
How to access: This category includes appliances, agents, and collectors. Select Administration tab > Organizational Units. Select an organizational unit. In the list in the right pane, double-click the name of a computer. A dialog box displays the computer's properties. For more information about modifying these properties and about adding new computers, see the section on organizational units.

Category: Directories
How to access: Select Administration tab > Directories. In the list in the right pane, double-click the name of a directory. A dialog box displays the directory's properties.

Category: Products
How to access: This category includes products such as collectors and firewalls. Select Product Configurations tab. In the left pane, click the name of a product. The right pane displays the product's properties.

To view and modify element properties
1 On the System page of the Information Manager console, click the Visualizer tab.
2 Right-click an icon in the diagram, and then click Properties. A dialog box displays a set of tabs that let you access the element's properties. The displayed properties depend on the type of element that you selected. For example, a collection appliance has different properties than an agent.
3 View and modify any of the available properties in the dialog box, using the tabs to navigate through the properties.
4 When you finish viewing and modifying properties, click OK.

Associating configurations directly with a computer

The behavior of Information Manager components is controlled by the configurations. To distribute configurations, you can associate a configuration with a computer. You can then distribute the configuration, either immediately or at a later date, depending on your needs.

To associate configurations directly with the computer
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.
3 Click the name of the organizational unit that contains the computer that you want to edit.
4 In the right pane, right-click the name of the computer, and then click Properties.
5 In the Computer Properties dialog box, on the Configurations tab, click Add.
6 In the Find Configurations dialog box, in the Look-in drop-down list, select the product whose configurations you want to associate with the organizational unit. The configurations are displayed in the Available configurations list.
7 In the Available configurations list, select a configuration, and then click Add. The selected configuration is listed in the Selected configuration list. If the computer already contains a configuration, and you now select a different configuration, the new configuration replaces the old one.

8 To select a configuration for a different product, repeat steps 6 and 7.
9 When you finish adding configurations, click OK.
10 In the Organizational Unit Properties dialog box, do any of the following:
  - To remove a configuration, select it, and then click Remove.
  - To view a configuration's properties, select it, and then click Properties.
11 Click OK.

Viewing the services that are running on a computer

You can view information about the services that are running on a computer, such as what configurations are in use, and whether the configurations are up to date.

To view the services that are running on a computer
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.
3 In the left pane, select the organizational unit that contains the computer whose services you want to view.
4 In the right pane, right-click the computer name, and then click Properties.
5 In the Computer Properties dialog box, on the Services tab, review the In Sync column to determine whether the correct configurations are being used.
  - If the value for a specific service is Yes, the current configuration and the expected configuration are synchronized, that is, they are identical.
  - If the value for a specific service is No, the configurations are not synchronized. Double-click the row to view the information on the Configuration tab of the Service Properties dialog box. You may need to distribute the latest configurations to this computer. See step 6.
  - If this field is blank, it is probably because the service is not configurable. Check the Configurable column; if the value is No, the In Sync field is always blank.
6 You may do either of the following:
  - In the Computer Properties dialog box, to notify the computer that it should download new configurations, click Distribute. Then click Yes to confirm your intention to distribute configurations.

  - To refresh the Computer Properties dialog box display, click Refresh.
7 When you finish, click OK.

Adding domain access to an Information Manager appliance

By default, a computer has access to the domain in which it was created. If the computer is an Information Manager appliance, you can give it access to more than one domain.

The following are examples of when you should grant domain access to an Information Manager appliance:
- If you create an alert configuration and add notification to users in another domain, you must give each Information Manager appliance in your top domain access to this domain so that it can do directory lookups.
- If you want to deploy Information Manager appliance extensions across domains, you must ensure that the Information Manager appliances in each domain have access to each other.
- If you monitor heartbeat for Information Manager appliances across domains, you must configure the Information Manager appliances in both the local and the remote domain to have access to each other. This is because the master heartbeat machines in different domains contact each other to share heartbeat information across domains.

To add domain access to an Information Manager appliance
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.
3 In the left pane, select the organizational unit that contains the desired appliance.
4 In the right pane, right-click the appliance name, and then click Properties.
5 In the Computer Properties dialog box, on the Domain Access tab, click Add.
6 In the Find Domains dialog box, do the following:
  - In the Available domains list, select one or more domains.
  - Click Add. The domains appear in the Selected domains list.
  - Click OK.
7 In the Computer Properties dialog box, on the Domain Access tab, do any of the following, as needed:

  - To remove a domain, select it, and then click Remove. You cannot remove domain access to the domain in which the computer resides.
  - To view a domain's properties, select it, and then click Properties.
8 Click OK.

Distributing configurations to computers in an organizational unit

Information Manager includes a Distribute option, which sends a message to the computers in the organizational unit to check for new configurations. When a computer receives this message, it contacts Information Manager to request a download of the configurations.

Using the Distribute feature is optional. When you change a product configuration or move a computer to a different organizational unit, the change is distributed when you click Save.

There are the following ways to distribute configurations to computers in an organizational unit:
- You can distribute the configurations that are associated with an organizational unit to all computers that belong to the organizational unit.
- You can select specific computers to receive the latest configurations.

Note: The timing of configuration distribution varies depending on the amount of Information Manager traffic.

To distribute configurations to all computers in an organizational unit
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.
3 Right-click the name of the organizational unit to which you want to distribute configurations, and then click Distribute.

To distribute configurations to selected computers in an organizational unit
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.
3 In the left pane, select the organizational unit that contains the computer or computers to which you want to distribute configurations.

4 In the right pane, select only those computers that you want to notify.
5 Right-click the selected computers, and then click Distribute.
6 To confirm your intention to distribute configurations, click Yes.

Moving a computer to a different organizational unit

Although a computer can only belong to one organizational unit, you can move computers from one organizational unit to another.

Warning: Before you move a computer, make sure that moving computers is supported by the security products that you are managing.

To move a computer to a different organizational unit
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.
3 In the left pane, select the organizational unit that contains the computer or computers that you want to move.
4 In the right pane, right-click a computer, and then click Move. You may select multiple computers if you want to move all of them to the same organizational unit.
5 To confirm that you want to move the computers, click Yes.
6 In the Find Organizational Units dialog box, select the organizational unit to which you want to move the computers, and then click OK.
7 To verify that the move was successful, in the left pane, select the organizational unit to which you moved the computers. Look at the right pane to see if the computers that you moved are now in the list.

If you move a computer that is an Information Manager appliance, you may have to log on again before you will see the computer in the organizational unit. Agents that connect to the Information Manager appliance may need to be restarted.

Modifying computer permissions

When you create a role, permissions are assigned for each computer with regard to that role. These permissions control whether role members who log on to the Information Manager console can view, modify, or move the computer.

To modify the permissions for a computer, you must display the Permissions dialog for the computer. You cannot modify permissions for computers using the Role Properties dialog box. See Modifying permissions from the Permissions dialog box on page 45.

Note: To modify permissions, you must be logged on as a member of the Domain Administrator role.

Deleting a computer from an organizational unit

If you want to delete an organizational unit, you must first remove any computers within the organizational unit by moving them or deleting them. You may also want to delete a computer that you no longer want to have under Information Manager management. If the computer was created by installing an agent as part of a security product installation, you should uninstall the security product before you delete the computer. See Creating computers within organizational units on page 68.

Deleting a computer from an organizational unit removes it from the security directory.

Warning: Be aware that if you delete a computer that is an Information Manager appliance, you cannot add it to an organizational unit again without first doing some extra steps. To restore a deleted appliance to the security directory, you must either re-register the deleted appliance with the security directory in which it was previously registered or re-install the Information Manager appliance.

To delete a computer from an organizational unit
1 In the Information Manager console, click System.
2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.
3 In the left pane, select the organizational unit that contains the computer that you want to delete.
4 In the right pane, right-click the computer name, and then click Delete.
5 To confirm your intention to delete the computer from the organizational unit, click Yes.


Section 3
Information Manager as a Service Provider

Configuring a Service Provider environment


Chapter 5
Configuring a Service Provider environment

This chapter includes the following topics:
- Service Provider overview
- Responding to a client incident
- Setting up a Service Provider environment
- Disconnecting a client from a Service Provider Master

Service Provider overview

Information Manager can be used to offer security incident management services to multiple business clients and physical locations. In a service provider context, Information Manager can be used to gather, correlate, monitor, and initiate resolution of security incidents in real time. An instance of Information Manager that is configured as a service provider can also create and work with tickets, as well as generate and deliver custom reports.

Using Information Manager in a service provider context has the following minimum requirements:
- For a service provider client, at least one instance of Information Manager must be configured to monitor and correlate security events, and then forward the resulting incidents. A copy of the incidents that are created at the client correlation appliance is forwarded to the Service Provider Master.
- For a service provider, at least one instance of Information Manager must be configured as a Service Provider Master. The Service Provider Master receives a copy of incident data that the client appliance(s) forwards. Using the Information Manager console, a Service Provider Master provides a centralized view of all of the incidents that are generated by each client. If the service provider uses more than one Information Manager Service Provider Master to manage clients, each Service Provider Master operates independently from any other Service Provider appliances.

Note: If you use an instance of Information Manager as a Service Provider Master, you should use an additional instance of Information Manager to manage security for the Service Provider Master. A Service Provider Master should forward its own security events to another instance of Information Manager for correlation and incident management. This instance of Information Manager can be closer to the minimum requirements for instances of Information Manager if it is dedicated primarily to event correlation for the Service Provider Master.

Figure 5-1 displays a conceptual overview of the relationship between multiple clients that use instances of Information Manager and an incident management service that uses a Service Provider Master appliance. Each client maintains its own event and incident management policies and topologies; the only requirement is that the client configure the primary correlation appliance to forward to the Service Provider Master any incidents that are generated.

Figure 5-1 Service Provider examples

Note: In some client environments, a secondary correlation appliance can be set up for data redundancy. The secondary correlation appliance can also be configured as a Service Provider client that forwards incident data to the Service Provider Master. From the Service Provider Master perspective, these two appliances are completely independent of each other. If there are multiple correlation appliances for a single client, each appliance uses its own domain information.

Understanding a service provider environment from a client perspective

When a client uses the services of an Information Manager service provider, the client environment is configured as a completely autonomous Information Manager solution. All raw event data is gathered, stored, managed, and correlated within the environment of the client. All of the client's Information Manager asset, ticket, incident, and user information is also exclusive to the client environment. The key connection to the Service Provider is through a primary correlation appliance, which is configured to gather and forward a copy of incidents to the Service Provider Master appliance. The service provider that receives the copy of client incidents then processes, analyzes, and monitors the incidents. When necessary, the service provider initiates the appropriate remediation steps by notifying the client.

Understanding a service provider environment from a service provider perspective

Incident management on the Service Provider Master begins as soon as the following conditions are met:
- At the client site, incident forwarding is enabled on the primary correlation appliance and network connectivity with the off-site management service is established.
- The Information Manager appliance at the service provider management site is configured to receive incidents as a Service Provider Master. The Service Provider Master is also configured with a Client account that includes the client location, the service provider analyst who is assigned to the account, and the contact information for the client.

With these prerequisites met, as soon as incident forwarding is enabled, all of the incidents that a client appliance creates can be managed at the Service Provider Master. Incidents that were created before incident forwarding was enabled can be forwarded using the Sync feature in the Web Configuration interface for the client. See Synchronizing the Service Provider Master with client incidents on page 93.
Customizations to the Incidents tile in a Service Provider Master console

When you configure an appliance to perform the duties of a Service Provider Master, the view in the Information Manager console is modified to match the features that are available in a service provider context. The primary differences in the console appear on the Incidents tile. A Service Provider appliance uses a streamlined version of the Incidents tile.

When you view incidents in a Service Provider console, the Original ID and the Reference ID serve two distinct purposes. If you have multiple clients, the Original ID is the incident number that was generated by the client and then forwarded to the Service Provider. The Reference ID is the incident number that is generated by the Service Provider.

Modifying an incident that is generated at a client site

When you are logged in to a Service Provider-enabled appliance and want to modify an incident that a client appliance generated, you can double-click the incident to open a browser session that lets you modify the available fields. You can also log in to the client appliance using a separate instance of the Information Manager console, which shows all of the tabs that are available for instances that are not Service Provider Masters.

Customer information that is stored on the Service Provider appliance

When you configure the Service Provider Master, you use the Add Client wizard on the System tile to create a Client account configuration. The Client account configuration includes the client location, information for the service provider analyst who is assigned to the account, and the contact information for the client. You are prompted for the necessary information in the Client setup wizard. See Configuring service provider Client management accounts on page 92.

Responding to a client incident

When you click an incident that a Service Provider client generated in the Incidents tile of the Information Manager console, you can use the fields and information on the available tabs to take the appropriate action. To review the incident details quickly, double-click the incident in the summary table. Double-clicking an incident in this view opens the Client Incident viewer, which is a browser instance that communicates over a secure browser session (HTTPS). This viewer lets you analyze the incident without having to open an additional Information Manager console session.
The Client Incident viewer provides a streamlined view of the incident details, and lets you perform tasks to address the incident immediately, such as selecting an Assignee, State, Priority, Severity, and so forth.

Understanding Information Manager tickets in a Service Provider Master context

When you view client incidents on a Service Provider Master, you can view, create, and resolve the following types of tickets:
- An Information Manager Service Provider ticket. When you work in an Information Manager console that is logged in to a Service Provider Master, a ticket that is displayed in the Incidents or Tickets pane is exclusive to the environment of the Service Provider Master. A service provider analyst or administrator uses the information in this ticket to perform duties such as following the steps required to notify a client that an incident has occurred.
- An Information Manager client ticket. When you open the Client Incident viewer, a ticket that is displayed in that browser session is local to the client environment. A client uses the information in this ticket to perform whatever tasks are necessary to address the incident within the client environment.

To create an Information Manager Service Provider ticket, you use the Information Manager console that is logged in to the Service Provider Master. The Service Provider Master ticket is used by service provider analysts or administrators. The client does not see Service Provider tickets.

To create an Information Manager client ticket, you use the Client Incident viewer browser session, or a separate instance of the Information Manager console that is logged directly in to the client's correlation appliance. The Client Incident viewer and the instance of the Information Manager console that is logged in to the client appliance share the same client ticket information. A ticket that is created from within the Client Incident viewer is local to that client and applies only to the client's resources. For example, this type of ticket may include the instructions that client IT personnel must act upon to reduce the spread of an outbreak.

To create a ticket for the client environment
1 In the Information Manager console for the Service Provider Master, on the Incidents page, double-click the incident.
2 In the Client Incident viewer, click Create Ticket.
3 In the Ticket Details area, enter the ticket information for the client in the available fields. The Summary field is required.
4 In the Creator area, enter the contact information for the appropriate service provider contact in the available fields.
5 In the Help Desk Assignee area, assign the ticket to the appropriate client assignee.
6 Add any necessary instructions (optional).
7 Click Save.

After the ticket is saved, you can view, add, or remove any associated tasks using the Tasks tab. You can also add a note on the Log tab.

To create a ticket for the Service Provider Master environment
1 In the Information Manager console for the Service Provider Master, on the Incidents page, click the incident.
2 In the lower pane, on the Tickets tab, click Create Ticket.
3 In the Ticket Details window, use the available fields to provide the necessary ticket information. The Summary field is required. The Assignee field provides a list of Service Provider environment users.
4 When you are finished, click OK.

Exporting incident information from the Client Incident viewer

You can export incident data from the Client Incident viewer using the Export button and the save feature of the browser that you are using.

To export incident information from the Client Incident viewer
1 In the Information Manager console, on the Incidents tile, double-click the incident that you want to export.
2 In the Client Incident viewer, click Export. Depending on how your browser is configured, in most cases the information is exported to a new browser window that displays the XML.
3 Save the exported XML to a file using the browser's save functionality. When you save the file, you must provide an .xml file extension.

Setting up a Service Provider environment

When you configure Information Manager appliances in a Service Provider context, you must configure the following:
- The client appliance that creates incidents. In distributed client environments, this appliance is generally the primary correlation appliance.
- The service provider appliance that receives the forwarded incidents.

Configuring an instance of Information Manager as a Service Provider client

To configure an instance of Information Manager as a client of a Service Provider Master, you configure the client appliance to forward incidents to the Service Provider Master.

To configure an instance of Information Manager as a Service Provider client
1 Using the Information Manager console, connect to the client instance of Information Manager.
2 In the System tile, expand the appliance that will be configured as the Service Provider client.
3 Click Incident Forwarding Rules, and then click the Add icon.
4 In the Incident Forwarding Rules window, type a name for the rule in the Rule name field.
5 Check the checkbox for any other options that are relevant to the client appliance.
6 Click OK.

Configuring an Information Manager appliance as a Service Provider Master

To enable an Information Manager appliance to perform the duties of a Service Provider Master, you enable this feature in the System tile.

To configure an appliance as a Service Provider Master
1 Using the Information Manager console, connect to the instance of Information Manager that will be the Service Provider Master.
2 In the System tile, on the Appliance Configuration tab, expand the appliance that will be configured as the Service Provider Master.
3 Click the appliance folder.
4 In the right tile, under Service Provider, check the Service Provider Master checkbox.
5 Click Apply.
6 Close and restart the Information Manager console.

Configuring service provider Client management accounts

To manage a service provider client, you configure a Client account that includes the network and physical location, the assigned service provider analyst, and the contact information that is associated with the client.

To add a service provider Client management account
1 Using the Information Manager console, connect to the instance of Information Manager that will be the Service Provider Master.
2 In the System tile, expand the domain, and click Clients.
3 Click New (+).
4 In the Add Client wizard, in the Client Information window, describe the client using the fields provided, and then click Next.
5 In the Client Setup window, click New.
6 In the Client Account fields, do the following for each analyst that you want to assign to this account:
  - In the Client Username and Client Password fields, enter the appropriate client user name and password.
  - In the Analyst field, use the ellipsis (...) to open the Find Users dialog and choose the analyst (or analysts) to whom the account will be assigned.
  - If you want the assigned analyst to receive notifications for incidents, check Analyst Notification. The notifications are determined by the settings for the user.
7 Click Save to add the analyst to the list.
8 When you are finished, click Next.
9 In the Contact Information window, click New.
10 In the Add/Edit Contact area, enter the relevant client contact information. This contact is the client representative who is contacted when, for example, an incident requires remediation. You can add multiple contacts if necessary.
11 Click Finish.

To delete a service provider Client management account
1 Using the Information Manager console, connect to the Service Provider Master.
2 In the System tile, expand the domain, and click Clients.
3 Click Delete (-).
4 In the Delete Client Configurations dialog, click Yes.

Synchronizing the Service Provider Master with client incidents

If the correlation appliance for a Service Provider client creates Information Manager incidents while the client and the Service Provider Master are not connected, you can synchronize the Service Provider Master when the connection is available. When you synchronize client and Service Provider Master incidents, you forward an updated set of incident data from the client's correlation appliance to the Service Provider Master. The synchronization tool is available in the Web Configuration interface for the client's correlation appliance.

To synchronize the Service Provider Master with client incidents
1 On the correlation appliance that is forwarding incidents to the Service Provider Master, log in to the Web Configuration interface using administrator credentials.
2 In the left pane, click Database Utilities.
3 On the Sync tab, click Start.

Disconnecting a client from a Service Provider Master

You can disconnect a client from a Service Provider Master by disabling Incident Forwarding on the client instance of Information Manager.

To disconnect a client from a Service Provider Master
1 Using the Information Manager console, connect to the client instance of Information Manager.
2 In the System tile, on the Appliance Configuration tab, expand the domain that you want to disconnect from the Service Provider Master.
3 On the Incident Forwarding Rules page, select the forwarding rule that forwards incidents to the Service Provider Master, and click Delete (-).
4 Click Apply.
5 If you want to delete the Client configuration, do the following:
  - Using the Information Manager console, connect to the Service Provider Master.
  - On the System page, on the Administration tab, click Clients.
  - Choose the Client configuration that you want to remove, and click Delete.
  - In the Delete Configurations dialog, click Yes.

Section 4 Managing your correlation environment
- Configuring the Correlation Manager
- Defining a rules strategy
- Understanding rules components
- Understanding event normalization
- Effects, Mechanisms, and Resources
- Working with the Assets table
- Collector-based event filtering and aggregation


Chapter 6 Configuring the Correlation Manager

This chapter includes the following topics:
- About the Correlation Manager
- About the Correlation Manager Knowledge Base
- About the default rules set
- Working with the Lookup Tables window
- Enabling and disabling rules
- Creating a custom rule

About the Correlation Manager

The Correlation Manager component of Symantec Security Information Manager performs automated real-time event correlation, aggregation, filtering, and incident creation. To perform these functions, it uses a set of rule files and a Knowledge Base to compare events to patterns of common network security threats.

To facilitate security analysis, the Correlation Manager filters false positive events from networks, including the events that are permitted by your company security policy. The Correlation Manager also identifies attacks based on patterns of firewall, IDS, and antivirus activity across desktops, gateways, and servers, and declares the incidents that warrant further action and closure. The Correlation Manager can provide conclusions regarding the overall analysis or cause of attacks. It also aggregates information about source, destination, attack types, and all related events into the incident record for forensic analysis.

About the Correlation Manager Knowledge Base

The Correlation Manager Knowledge Base consists of the tables that contain information about the network, security policies, and normalized event categories and subcategories. The Information Manager default rules reference this information so that the correlation engine can evaluate incoming security events more effectively. Custom rules can also reference the information in the Correlation Manager Knowledge Base tables.

The information in the Knowledge Base is a combination of updated information from DeepSight Threat Management Services and the information that you can edit from the Lookup Tables view of the Rules page. If you have a valid DeepSight license, you can receive frequent updates directly from DeepSight. If you do not have a DeepSight license, you receive updates to security content through regular LiveUpdate packages. See the Symantec Security Information Manager Installation Guide for information on managing DeepSight content and running LiveUpdate for the appliance.

About the default rules set

Symantec Security Information Manager includes a set of rules that identify the most common security threats. Information Manager also provides default filters to help reduce common false positives. New rules are developed regularly and are distributed through the Symantec Global Intelligence Network and LiveUpdate. You can also create your own rules with the Rules Editor.

Table 6-1 lists the default rules and the types of security products that they are associated with.

Table 6-1 Correlation manager rules by security product type

Antivirus
    AntiVirus Disabled
    Critical Malicious Code Detection
    Malicious Code Not Quarantined
    Malicious Code Outbreak
    Malicious Code Propagation
    Malicious Code by Email Not Quarantined
    Spyware Not Quarantined
    Spyware Outbreak
    Worm Activity

Firewall
    Block Scan
    Check FTP Transfers
    DoS High Volume
    Distributed DoS High Volume
    External Port Sweep
    Internal Port Sweep
    IP Watchlist Destination
    IP Watchlist Source
    IRC Bot Net
    Malicious URL
    Single Event DoS
    Ping Scan Detector
    Port Scan Detector
    Scan Followed By Exploit
    Smurf Attack Firewall
    Trojan Connections
    Organization IP in Watchlist Activity
    Outbound Spam Zombie
    Unauthorized Outbound Email Domain

NIDS
    Attempted DNS Exploit
    Attempted FTP Exploit
    Attempted WWW Exploit
    Attempted Service Exploit
    Block Scan
    DoS High Volume
    Single Event DoS
    Distributed DoS High Volume
    Intrusion Threshold (Disabled by default)
    IP Watchlist Destination
    IP Watchlist Source
    IRC Bot Net
    NULL Login Authentication Violation
    Ping Scan Detector
    Return Trojan Traffic
    Scan Followed By Exploit
    Smurf Attack IDS
    TFTP from WebServer
    Malicious Code Propagation
    Vulnerability Scan
    Vulnerability Scan Detector
    Web Vulnerability Scan
    Departed Employee Username

HIDS
    DoS High Volume
    IP Watchlist Destination
    IP Watchlist Source
    Account Guessing Attack
    Password Guessing Attack
    Multiple Files Modified
    NULL Login Authentication Violation
    Single Event DoS
    Scan Followed By Exploit
    Trojan Connections
    Vulnerability Scan
    Vulnerability Scan Detector
    Web Vulnerability Scan
    Departed Employee Username

Vulnerability assessment
    Vulnerability Scan

Policy compliance
    Policy Compliance Violation

Windows Events
    Account guessing attack
    Password guessing attack
    Windows Account Lockout (Disabled by default)
    Windows Audit Log Cleared
    Windows Privileged Activities by user
    Windows Privileged User Created
    Windows Sensitive File Access
    Windows Security Violation (Disabled by default)

Information Manager System
    Cert Expiration Warning
    Incident Creation Alert (Disabled by default)
    Invalid Event Date Alert
    Low Disk Space Warning

Working with the Lookup Tables window

You can view and update the lookup table information from the Rules tile. List entries change over time because of updates from DeepSight Threat Management Services and LiveUpdate. You can also create user-defined lookup tables under the User Lookup Tables folder.

The Lookup Tables provide a set of configurable tables that let you describe the assets and resources of your network. For the correlation rules to function properly, you must populate the Lookup Tables with the information that is used to determine incident severity, ranging from the physical information about each computer to the Confidentiality, Integrity, and Availability (CIA) assessments of each resource. Key settings include specifying which systems host critical or sensitive information and which systems require high availability. You can also specify the networks that exist in your organization so that you can increase the priority of incidents based on the affected network. For example, incidents that affect networks inside your firewall can be assigned a higher priority than incidents that affect networks outside the firewall.

It is also helpful to specify which policies are used within your network. Information Manager includes default policies such as Sarbanes-Oxley and HIPAA. You can also add custom policies. After you have defined the available policies, you can associate them with network computers when you add entries to the Assets list.

You should also create your list of response teams so that Information Manager can automatically assign incidents to these teams based on the rules settings. You use the Information Manager console to create the teams. The list of members that you can assign to those teams is maintained in the System Viewer.

Knowledge base information is another key factor in determining incident severity and the functioning of rules. Some of this information is provided by DeepSight Threat Management Services, and some settings you can configure. For example, you can add entries to the IP watchlist.

Table 6-2 lists the Lookup Tables and the kinds of information that they contain.

Table 6-2 Lookup Tables

Organization Domains
    Provides a table in which you can describe the organizational domains that are monitored.

Weekdays
    Lists the days of the week to allow further refinement of queries that are based on the day or days that are associated with an event.

Weekend
    Lists the days of the weekend to allow further refinement of queries that are based on the day or days that are associated with an event.

ip watchlist
    Lists the IP addresses of known attackers. An incident is created if an event is detected from one of these IP addresses.
    Note: The IP Watch List table is a configurable table that is available for manually tracking known bad IP addresses. A separate internal IP Watch List is maintained by LiveUpdate and Symantec DeepSight updates, which contains a list of IP addresses that are known to be malicious in the larger Internet environment. Updates to this internal list do not affect the IP Watch List that is visible in the Information Manager Web configuration interface.

sensitive files
    Lists the file names to monitor during FTP transfers.

sensitive urls
    Lists the text strings that are often included in malicious URLs.

services
    Lists the services that are associated with each port number.

trojans
    Lists known Trojan horse exploits.

user watchlist
    Provides a table in which you can list users and the user names that formerly had access to the network.

windows events
    Lists the port addresses that are used by network services.

To add an entry to the Organization Domains watchlist
1 From the Information Manager console, click Rules.
2 In the left navigation pane, expand the Lookup Tables folder.
3 Expand the System Lookup Tables folder.
4 Click Organization Domains.
5 Click New Record (+).
6 In the spaces that are provided, type the desired name and description.
7 Click Deploy.
8 When prompted, click OK to deploy the change.

To add an entry to the ip watchlist
1 From the Information Manager console, click Rules.
2 In the left navigation pane, expand the Lookup Tables folder.
3 Expand the System Lookup Tables folder.
4 Click ip watchlist (if it is not already selected).
5 Click New Record (+).
6 In the spaces that are provided, type the desired IP address and description.
7 Click Deploy.
8 When prompted, click OK to deploy the change.

To add an entry to the sensitive files list
1 From the Information Manager console, click Rules.
2 In the left navigation pane, expand the Lookup Tables folder.
3 Expand the System Lookup Tables folder.
4 Click sensitive files.
5 Click New Record (+).

6 In the space that is provided, type the name of the file.
7 Click Deploy.
8 When prompted, click OK to deploy the change.

To add an entry to the sensitive urls list
1 From the Information Manager console, click Rules.
2 In the left navigation pane, expand the Lookup Tables folder.
3 Expand the System Lookup Tables folder.
4 Click sensitive urls.
5 Click New Record (+).
6 In the URL Substring column, type the URL.
7 In the Attack Type column, type the kind of attack that is associated with this URL.
8 Click Deploy.
9 When prompted, click OK to deploy the change.

To add an entry to the services list
1 From the Information Manager console, click Rules.
2 In the left navigation pane, expand the Lookup Tables folder.
3 Expand the System Lookup Tables folder.
4 Click services.
5 Click New Record (+).
6 In the Service column, type a description.
7 In the Port column, type the port number that you want to add.
8 Click Deploy.
9 When prompted, click OK to deploy the change.

To add an entry to the Trojans list
1 From the Information Manager console, click Rules.
2 In the left navigation pane, expand the Lookup Tables folder.
3 Expand the System Lookup Tables folder.
4 Click trojans.
5 Click New Record (+).
6 In the Port column, type the port number that is associated with the attack.

7 In the Protocol column, type the network protocol (such as TCP or UDP) that is associated with the attack.
8 In the Trojan Name(s) column, type the name of the Trojan horse.
9 Click Deploy.
10 When prompted, click OK to deploy the change.

To add an entry to the user watchlist
1 From the Information Manager console, click Rules.
2 In the left navigation pane, expand the Lookup Tables folder.
3 Expand the System Lookup Tables folder.
4 Click user watchlist.
5 Click New Record (+).
6 In the spaces that are provided, type the user name, name, and departure date of the employee or account that you want to add.
7 Click Deploy.
8 When prompted, click OK to deploy the change.

To add an entry to the Windows Events list
1 From the Information Manager console, click Rules.
2 In the left navigation pane, expand the Lookup Tables folder.
3 Expand the System Lookup Tables folder.
4 Click windows events.
5 Click New Record (+).
6 In the ID column, type the desired Microsoft Windows event type.
7 In the Category column, type the kind of activity that is associated with the event.
8 In the Description column, type a description for this kind of event.
9 Click Deploy.
10 When prompted, click OK to deploy the change.

To delete an entry from the Lookup Tables
1 From the Information Manager console, click Rules.
2 In the left navigation pane, expand the Lookup Tables folder.
3 Expand the System Lookup Tables folder.

4 Click the table with the entry that you want to delete.
5 Click Delete.
6 Click Yes to confirm the deletion.
7 Click Deploy.
8 When prompted, click OK to deploy the change.

Creating a user-defined Lookup Table

To create a user-defined lookup table, you first define the columns in the table, and then you add the data.

To create a user-defined lookup table
1 From the Information Manager console, click Rules.
2 In the left navigation pane, expand the User Lookup Tables folder.
3 Click Create new filter or rule (+).
4 In the Input dialog that appears, type the name of the table that you want to create, and click OK. The name of the table must not match the name of an existing table or rule.
5 In the Content tab, click Add (+), and enter the Name, Type, and Description values for a column that you want to use in your table.
6 For each additional column, repeat step 5.
7 After you are finished creating the columns, click Done.
8 To add data to the table that you have created, do one of the following:
  - Click Add and enter the information in the available fields.
  - Click Import Records. After you choose the file that you want to import, a wizard guides you through the steps to map the data stored in the file to the columns that you have added in the Lookup Table.
9 When you are finished, click Deploy.
10 In the Deploy Modified Items dialog, choose the items that you want to deploy. You can enter an optional comment in the available field.
11 Click OK.
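The following Python model is an added example, not text or code from this guide and not the Correlation Manager's own implementation: it shows how rules named in Table 6-1 can consult lookup tables of the kinds listed in Table 6-2 (ip watchlist, trojans, user watchlist) to declare incidents, contrasting a rule that fires on a single matching event with one that fires only after several matching events from one source within a time window. The event fields, thresholds, and every lookup entry are constructed for the demonstration.

```python
"""Illustrative model of correlation rules consulting lookup tables.

Added example: this is not Information Manager's own engine. Event fields,
thresholds, and all lookup entries below are constructed for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta

# Lookup tables of the kinds listed in Table 6-2 (constructed sample entries).
IP_WATCHLIST = {"203.0.113.7": "known attacker (constructed entry)"}
TROJANS = {(31337, "TCP"): "sample Trojan listening port (constructed entry)"}
USER_WATCHLIST = {"jdoe": date(2010, 3, 31)}  # user name -> departure date


@dataclass
class Event:
    """A normalized event with only the fields the rules below need."""
    time: datetime
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str
    user: str = ""
    outcome: str = "success"   # "failure" marks a failed logon attempt


@dataclass
class Incident:
    rule: str
    source: str
    events: list = field(default_factory=list)


def single_event_rule(name, predicate):
    """Single-event rule: one incident for every event the predicate matches."""
    def run(events):
        return [Incident(name, e.src_ip, [e]) for e in events if predicate(e)]
    return run


def many_events_one_source_rule(name, predicate, threshold, window):
    """Many-events-one-source rule: one incident once `threshold` matching
    events from the same source IP fall within a sliding time `window`."""
    def run(events):
        incidents = []
        per_source = defaultdict(list)
        for e in sorted(events, key=lambda ev: ev.time):
            if not predicate(e):
                continue
            bucket = per_source[e.src_ip]
            bucket.append(e)
            # Drop events that have aged out of the window relative to the newest one.
            while e.time - bucket[0].time > window:
                bucket.pop(0)
            if len(bucket) >= threshold:
                incidents.append(Incident(name, e.src_ip, list(bucket)))
                bucket.clear()   # count afresh after declaring an incident
        return incidents
    return run


# Rules named as in Table 6-1; the matching logic is this example's own.
RULES = [
    single_event_rule("IP Watchlist Source",
                      lambda e: e.src_ip in IP_WATCHLIST),
    single_event_rule("Trojan Connections",
                      lambda e: (e.dst_port, e.protocol.upper()) in TROJANS),
    single_event_rule("Departed Employee Username",
                      lambda e: e.user in USER_WATCHLIST
                      and e.time.date() > USER_WATCHLIST[e.user]),
    many_events_one_source_rule("Password Guessing Attack",
                                lambda e: e.outcome == "failure",
                                threshold=3, window=timedelta(minutes=5)),
]


def correlate(events):
    """Run every rule over the event batch and collect the declared incidents."""
    incidents = []
    for rule in RULES:
        incidents.extend(rule(events))
    return incidents


def sample_events():
    """Constructed event batch: one hit per single-event rule, plus a burst of
    three failed logons from one host and a stray fourth failure 30 minutes later."""
    t0 = datetime(2010, 6, 1, 9, 0, 0)
    fail = dict(user="asmith", outcome="failure")
    return [
        Event(t0, "203.0.113.7", "10.0.0.5", 80, "TCP"),
        Event(t0 + timedelta(seconds=30), "10.0.0.9", "10.0.0.5", 31337, "tcp"),
        Event(t0 + timedelta(minutes=1), "10.0.0.20", "10.0.0.5", 22, "TCP", user="jdoe"),
        Event(t0 + timedelta(minutes=2), "10.0.0.21", "10.0.0.5", 22, "TCP", **fail),
        Event(t0 + timedelta(minutes=3), "10.0.0.21", "10.0.0.5", 22, "TCP", **fail),
        Event(t0 + timedelta(minutes=4), "10.0.0.21", "10.0.0.5", 22, "TCP", **fail),
        Event(t0 + timedelta(minutes=30), "10.0.0.21", "10.0.0.5", 22, "TCP", **fail),
    ]


if __name__ == "__main__":
    for inc in correlate(sample_events()):
        print(f"{inc.rule}: source {inc.source}, {len(inc.events)} event(s)")
```

The stray failure 30 minutes after the burst stays below the threshold on its own, which is why the window matters as much as the count when tuning such a rule.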

Importing Lookup Tables and records

You can import a previously exported Information Manager Lookup Table from a file, or you can import the records that are stored in comma-separated or tabbed format into an existing Lookup Table.

Note: When you import records into an existing Lookup Table, you can import a maximum of 1024 entries.

To import an exported Lookup Table
1 From the Information Manager console, click Rules.
2 In the left navigation pane, click the User Lookup Tables folder.
3 Click Import from Disk.
4 In the Select File(s) to Import dialog, choose the file, and click Import.

To import records into an existing Lookup Table
1 From the Information Manager console, click Rules.
2 In the left navigation pane, expand the User Lookup Tables folder.
3 In the table into which you want to import records, on the Content tab, click Import Records.
4 In the Open dialog box, choose the file that contains the data to be imported, and click Open.
5 In the Import Lookup Table Records wizard, choose the delimiter that is used in the file, and the appropriate options. The preview pane displays a representation of your choices.
6 Click Next.
7 In the next pane, use the Field Options area to specify how the data in the file maps to the columns in the Lookup Table, and then click Next.
8 In the next pane, click Start.
9 When the import process is finished, click Finish.

Enabling and disabling rules

By enabling or disabling rules in the Rules Editor, you can temporarily filter certain network events or change the way the Correlation Manager declares incidents.

Note: In some cases, such as when the appliance is under a heavy event load, disabling or deleting a rule may not take effect immediately.

To enable or disable a rule
1 From the Information Manager console, click Rules.
2 In the left navigation pane, check or uncheck the box next to a rule.
3 In the top toolbar, click Deploy.

Creating a custom rule

Complete the following steps to create a custom rule. Note that it's usually easier to start by copying a default rule, and then make your changes.

To create a custom rule
1 From the Information Manager console, click Rules.
2 In the left navigation pane, under the Correlation Rules folder, click the User Rules folder.
3 On the Rules tab, click Create new filter or rule (+).
4 In the Input dialog box, type a name for the rule.
5 On the Conditions tab, in the Description window, type a description for the rule.
6 On the Conditions tab, on the Rule Type menu, click the entry that best matches the type of event and target combination that applies to the new rule. For example, if you want an incident declared every time a specific event is detected, you would click Single Event. If you would like to declare an incident after a certain number of events are detected from a specific IP address, then you would click Many Events, One Source.
7 In the Event Criteria area, click Add.
8 Select the left-most column of the new entry, and then choose an event type.
9 Select the center column and specify the operator.
10 Select the right-most column, and then specify the value that must be true for the event type, given the operator that you chose.
11 Repeat steps 7 through 10 for any other Event Criteria that you want applied to the rule. You can select multiple Event Criteria and apply logical operators (AND/OR) to them.
12 In the Event Count box, specify the number of times that the Event Criteria that you specified must be true for an incident to be declared.
13 In the Span box, specify the amount of time for the number of events that are specified in the Event Count to occur. For example, you can specify that 30 events of a specific type must occur within 60 minutes, before an incident is declared.
14 In the Table Size box, specify the maximum number of events that the rule can track at any one time. The table size should generally be a multiple of the Event Count setting. The Table Size setting divided by the Event Count setting is equal to the maximum number of event groups that can be managed by the rule.
15 In the Tracking Keys section, specify the fields to include in the incident. This can be any of the One-Many, Many-One, or Tracking Fields that are associated with the incident.
16 On the Actions tab, in the Conclusion Severity option, specify the severity that you want associated with the incident.
17 In the Conclusion Description area, type a description of the problem. This information appears to users who are assigned the incidents or the tickets that are based upon incidents triggered by this rule.
   Note: You can click Add (+) to include the values of fields from the final event that triggered the conclusion.
18 In the Correlate By drop-down list, specify the method by which conclusions are grouped into incidents.
19 In the Resource Field menu, choose the desired event fields. Conclusions can be correlated together into the incidents that are based on the value of this resource field.
20 To specify that a user or team is automatically assigned to incidents that are created by this rule, do the following:
   Turn on Enable Auto Assign.
   If you want to assign the incident that is based upon the IP address of the affected target computer, in the left column, type the IP address or netmask.
   In the User column, click the user that you want to assign the incidents to.
   In the Team column, click the Help Desk team that you want to assign the incidents to.
21 On the Testing tab, specify the location of a file containing event data, and then click Start.
22 When you are satisfied with the incidents and conclusions that are created by the rule, turn on the rule in the Rules list.
23 On the top toolbar, click Deploy.

Chapter 7
Defining a rules strategy

This chapter includes the following topics:
   About defining a rules strategy
   About creating the right rule set for your business

About defining a rules strategy

Developing a security plan that incorporates correlation rules and filters involves first gaining a thorough understanding of the business needs of your organization from a security perspective. The rules strategy that you derive from this understanding will be specific to the needs of your business. For example, if your implementation protects and monitors the network resources that are related to financial transactions, you will need to develop and refine your rule set to focus on the security areas of highest concern, such as authentication on the servers that contain sensitive financial data. In addition, you may need to evaluate the rules that you deploy based on regulatory compliance concerns to ensure that the event data that is evaluated is handled in a way that meets the requirements of the policies in place.

About creating the right rule set for your business

When you begin to create custom rules, a good approach is to start with the generalized rules provided by Symantec, and then fine-tune them or add new rules that are based upon real event data from your network. The customizations that you need usually fall into the following categories:

Incidents from machine-generated events
These include all of the security devices on your network that generate the events that you collect. For example, firewall products such as Symantec Gateway Security generate a huge amount of event data. In most cases, you should edit default rules or create new rules to filter out false positive incidents. In addition, correlation rules help to automatically map machine-generated events from multiple point products together that may indicate a security incident has occurred, which helps to minimize the manual analysis of each event.

Incidents that are related to human events or policies
These include your corporate IT security policies, regulatory compliance requirements, and any unique characteristics about user activity in your network that machine-generated events would typically miss, or that result in false positive incidents.

The rules that are included by default cannot be modified. To customize a rule, create a copy of the rule you want to customize, edit the rule settings, disable the default rule, and enable the new rule.

The following is a general overview of the process for developing rules:
   Set up Information Manager in a lab environment.
   Update the Assets page to include the IP addresses of hosts that are mission-critical or that host sensitive information.
   Collect event data from your network for a week. This should include the events from all of the security products that you want Information Manager to correlate (for example, antivirus, HIDS, NIDS, firewalls).
   Run the default rules and review the incidents that are created. Look for any false positives that you can easily filter out. For example, incidents from the failed connections reported by a firewall, and Windows-only attacks that are reported by computers running Linux.
   Look at any known security incidents that occurred during the week that you collected the data. Adjust the filters and rules if there are any incidents that should have been created and were not.
   Look for the incidents that are the result of firewall rules being too lax. Fine-tuning firewall and Information Manager rules is an ongoing process based on the changes in your network. Opening a firewall port to enable an essential line-of-business application may suddenly result in a huge number of false positive incidents. When this occurs, you need to create a new rule to filter out events from an approved use of that application. Or you may discover that there is a port that is still open long after the application that required it has been retired.
   Create rules to support security practices in your company. For example, you can create a rule to assign a weekly help desk ticket for security IT to contact PC owners who are not running antivirus software.
   As you change rules, use the Information Manager rule test feature to see if the customizations work. Of particular concern should be any rules that never create conclusions or those that create conclusions too often.
   With your Information Manager appliance still in a test environment, forward live network events to it. Continue to refine your rules.
   When you are satisfied with the incidents that are declared, migrate the appliance to your live network.


Chapter 8
Understanding rules components

This chapter includes the following topics:
   Understanding Correlation Rules
   About Rule conditions
   About the Event Count, Span, and Table Size rule settings
   About the Tracking Key and Conclusion Creation fields
   About the Correlate By and Resource fields
   Importing existing rules

Understanding Correlation Rules

Correlation Rules describe the logic that is applied to an event or set of events to detect possible security concerns. Conceptually, Correlation Rules can be thought of in the following general categories:
   An event identifies an attacker trying to intrude on a particular computer or resource.
   Some unknown system or a number of systems are trying to cause a specific system to malfunction or cease functioning.
   The organization or analyst wants to group events into particular types of incidents to make viewing and analysis simpler. For example, these types of rules may aggregate events that are related to policies or products.

Correlation Rules consist of the following sections:

   Rule Type: Identifies the pattern that best describes the event.
   Event Criteria: The specific values or threats that the rule applies to, including the number of events that take place over a specified period of time.
   Rule Settings: The Event Count, Span, Table Size, Tracking Keys, and Descriptions for an event.
   Conclusion and Correlation settings (Actions tab): The fields that are used to correlate existing event conclusions with new events as they occur within the specified time period. If the number of events that are specified in the Count field is met, the conclusion is escalated to an incident, and correlated with existing incidents where applicable. In addition, the severity of a match for the rule is determined. Additional details are also available by the variables that you can specify in the Description field.
   Auto Assignment and Notification settings: Describes how alert and incident assignment tasks are handled when an incident is created. The Auto Assignment section is used to assign the incident to a specific user or user group (team). The Notification section provides a means of notifying additional recipients that the incident has occurred. For example, an Antivirus Disabled incident might be assigned to a response technician who is responsible for immediately assessing the event, and an additional notification can be sent to the network administrator who monitors the overall health of the network segment from which the incident occurred.

About Rule conditions

The Rule conditions describe the fields and conditions that the rule is processed against to determine if the event applies to a conclusion. The Rule Conditions panel provides access to all available event and schema field data that can be used to help the analyst to further identify and define the events that should be escalated as a potential security threat.

About Rule Types

A rule type determines the underlying behavioral patterns that a rule uses to identify a match. For example, if the rule type is set to Single Event, the rule evaluates each event for a criteria match, and only requires a single event to trigger a conclusion. By contrast, a rule that uses the Many to One rule type evaluates each event against the criteria, but will only create a conclusion when a specified number of matching events have aggregated over a predetermined period of time.

Conclusions that involve more than one event use the One to Many and Many to One event correlation tables. In addition, the Tracking field is provided to identify the element that is used as the basis for additional events to be correlated to existing events and conclusions. The Tracking field must be used for the following rule types:
   Many to One
   Single Event

Table 8-1 describes the rule types that are available.

Table 8-1 Rule Types

Rule Type: Many Sources, One Target
Description: Create a conclusion when events that match the specified criteria have been detected from multiple unique source IP addresses to a single destination IP address within the specified time period. Denial of service events can often be identified using this rule type. For example, a Smurf attack uses ICMP Echo Reply events from a large number of source computers to a single target.
Predefined rule examples: Distributed DoS High Volume, Smurf Attack

Rule Type: Many Symantec Signatures, One Source
Description: Create a conclusion when events of different types that match the specified criteria have been detected from a single source IP address within the specified time period. For example, a rule that detects a vulnerability scan can use this rule type. Within the criteria for that rule, EMR values can be set to identify multiple exploit events (such as Mechanism: Buffer Overflow, or Application Exploitation). In this example, since the criteria for this rule includes multiple types of Mechanisms, the rule would track multiple types of exploit events that come from the same source.
Predefined rule example: Vulnerability Scan Detector

Rule Type: Many Symantec Signatures, One Target
Description: Create a conclusion when events of different types that match the specified criteria have been detected to a single destination IP address within the specified time period. For example, a rule that detects malicious IP hopping activity can use this rule type. In order to conceal scanning activity, an attacker may attempt one type of attack from one IP address, and then change to a different IP address to try a different attack, and so forth, until the most useful vulnerabilities have been identified. This method is used by attackers to avoid detection as a vulnerability scan, since vulnerability scanners often operate from a single source. Using this rule type, you can detect conditions where multiple attack types are targeted at a single host, regardless of the attack origin.

Rule Type: Many Targets, One Event
Description: Create a conclusion when events of the same type that match the specified criteria have been detected from many unique destination IP addresses within the specified time period. For example, a rule that detects a Malicious Code Outbreak can use this rule type. To identify a Malicious Code Outbreak, a rule can be configured to identify instances of a particular virus on multiple targets. Using the EMR fields, the criteria can be set to Virus. Since the rule looks for the same event type, this rule would trigger only if it was the same virus event on each target.

Rule Type: Many Targets, One Source
Description: Create a conclusion when events that match the specified criteria have been detected from a single source IP address to multiple unique destination IP addresses within the specified time period. For example, a rule that identifies a reconnaissance attack on multiple targets, such as a port scan, can use this rule type. To configure this example, you would choose the Many Targets, One Source rule type, and then set the EMR criteria value to Portscan.
Predefined rule examples: Block Scan, IRC Bot Net, Ping Scan Detector

Rule Type: Many to One
Description: Create a conclusion when events that match the specified criteria have been detected in a pattern set using the ManyToOne Fields and the OneToMany Field options. In addition to the Event Criteria, the fields that must contain the same information for each event (One-Many Fields) and the fields that can contain different values in each event (Many-One Fields) are used to correlate similar events that occur within a predetermined time frame. Many to One rules require that the Tracking field be populated. For this type of rule, the Tracking field generally matches a One-Many Fields entry. For example, to create a port sweep rule, you can use the Many to One rule type. A port sweep is typically described as a single IP address that scans for a specific port on multiple computers. After you choose this rule type and set the basic event criteria for the rule, you set the One-Many and the Many-One field options. In the One-Many Fields area you would select IP Source Address and IP Destination Port (meaning that the event originates from the same IP address that is evaluating the same port), and in the Many-One Fields area you would select the IP Destination Address option (the event destination can be a different IP address for each event).
Predefined rule examples: Malicious Code Outbreak, Spyware Outbreak, DoS High Volume, External Port Sweep, Internal Port Sweep, Port Scan Detector, Intrusion Threshold, Multiple Files Modified, Account Guessing Attack, Password Guessing Attack

Rule Type: Single Event
Description: Create a conclusion if an event matches the specified criteria. This rule type requires that the Tracking field be populated.
Predefined rule examples: AntiVirus Disabled, Critical Virus Infection, Malicious Code Not Quarantined, Spyware Not Quarantined, ESM Critical Asset Policy Violation, ESM Policy Violation, Check FTP Transfers, IP Watchlist Rule, Malicious URL, One Shot DoS, Trojan Connections, Attempted DNS Exploit, Attempted FTP Exploit, Attempted WWW Exploit, TFTP from Web Server, Windows Security Violation, Windows Account Lockout, Windows Audit Log Cleared, Windows Privileged Activities by User

Rule Type: Symmetric Traffic
Description: Create a conclusion when the specified pattern of events is detected from a single source IP address to a single destination IP address, then from that destination IP address back to the original source IP address within the specified time period. For example, if you wanted to create a rule that identifies BackOrifice exploit traffic between a single target and source, you could use the Symmetric Traffic rule type. To monitor for BackOrifice symmetric traffic events, after choosing the Symmetric Traffic rule type, you would set the criteria to be the Symantec Signature for BackOrifice (attackid 1414). The rule would trigger if an IDS logs both the connection from a source to a target, and from that target back to the source as being BackOrifice traffic.
Predefined rule example: Return Trojan Traffic

Rule Type: Transitive Traffic
Description: Create a conclusion when the specified pattern of events is detected from a single source IP address to a single destination IP address, then from that destination IP address to a new destination IP address within the specified time period. For example, if you wanted to create a rule that identifies the BackOrifice exploit traffic that moves from one source to a target backdoor, and then the targeted computer becomes the source that accesses the backdoor of a new target, and so forth, you could use the Transitive Traffic rule type. To monitor for BackOrifice transitive traffic events, after choosing the Transitive Traffic rule type, you would set the criteria to be the Symantec Signature for BackOrifice (attackid 1414). The rule would trigger if an IDS logs both the connection from a source to a target as BackOrifice traffic and then identifies the target connecting to a new target with the same event signature.
Predefined rule example: Malicious Code Propagation

Rule Type: X followed by Y
Description: Create a conclusion when a specified pattern is detected from a single source IP address to a single destination IP address, and is followed by a different pattern from the same source IP address to the same destination IP address within the specified time period.
Predefined rule examples: Scan Followed by Exploit, Null Login Authentication Violation
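The three sequence-based rule types in Table 8-1 (Symmetric Traffic, Transitive Traffic, and X followed by Y) share one shape: a later event is linked to an earlier one by a relationship between their addresses and signatures, and both must fall within the rule's Span. The following Python is an added example written to illustrate that shape; it is not Information Manager code, and the event layout, the signature labels ("BO", "SCAN", "EXPLOIT"), the addresses, and the 600-second span are constructed for the example. The generic detector is written once and specialized three times, which also shows why the second hop of a symmetric exchange is not mistaken for a transitive one.

```python
SPAN_SECONDS = 600   # the rule's Span; constructed value for this example


def detect_pairs(events, first, second, link, span=SPAN_SECONDS):
    """Generic two-step pattern detector.

    A conclusion is produced whenever an event that satisfies `second` can be
    linked (by `link`) to an earlier event that satisfied `first`, with the two
    no more than `span` seconds apart. Events are processed in time order, and
    earlier candidates that have fallen outside the span are discarded.
    """
    pending = []        # earlier events that satisfied `first`, still within span
    conclusions = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        pending = [p for p in pending if ev["ts"] - p["ts"] <= span]
        if second(ev):
            for p in pending:
                if link(p, ev):
                    conclusions.append((p, ev))
        if first(ev):
            pending.append(ev)
    return conclusions


def symmetric_traffic(events, signature, span=SPAN_SECONDS):
    """Symmetric Traffic: A -> B, then B -> A, both carrying `signature`."""
    is_sig = lambda e: e["sig"] == signature
    link = lambda a, b: a["src"] == b["dst"] and a["dst"] == b["src"]
    return detect_pairs(events, is_sig, is_sig, link, span)


def transitive_traffic(events, signature, span=SPAN_SECONDS):
    """Transitive Traffic: A -> B, then B -> C where C is a new host."""
    is_sig = lambda e: e["sig"] == signature
    link = lambda a, b: a["dst"] == b["src"] and b["dst"] not in (a["src"], a["dst"])
    return detect_pairs(events, is_sig, is_sig, link, span)


def x_followed_by_y(events, sig_x, sig_y, span=SPAN_SECONDS):
    """X followed by Y: pattern X from A -> B, later pattern Y from the same A -> B."""
    link = lambda a, b: a["src"] == b["src"] and a["dst"] == b["dst"]
    return detect_pairs(events, lambda e: e["sig"] == sig_x,
                        lambda e: e["sig"] == sig_y, link, span)


# Constructed sample events (ts in seconds; "BO" stands in for a backdoor signature).
SAMPLE_EVENTS = [
    {"ts": 0,    "src": "10.0.0.5",  "dst": "10.0.0.9",  "sig": "BO"},       # A -> B
    {"ts": 30,   "src": "10.0.0.9",  "dst": "10.0.0.5",  "sig": "BO"},       # B -> A: symmetric
    {"ts": 90,   "src": "10.0.0.9",  "dst": "10.0.0.14", "sig": "BO"},       # B -> C: transitive
    {"ts": 100,  "src": "10.0.0.7",  "dst": "10.0.0.20", "sig": "SCAN"},
    {"ts": 160,  "src": "10.0.0.7",  "dst": "10.0.0.20", "sig": "EXPLOIT"},  # scan followed by exploit
    {"ts": 900,  "src": "10.0.0.9",  "dst": "10.0.0.5",  "sig": "BO"},       # B -> A again, but 900 s after A -> B: outside span
    {"ts": 5000, "src": "10.0.0.20", "dst": "10.0.0.7",  "sig": "SCAN"},     # nothing to pair with
]

if __name__ == "__main__":
    for name, found in [("symmetric", symmetric_traffic(SAMPLE_EVENTS, "BO")),
                        ("transitive", transitive_traffic(SAMPLE_EVENTS, "BO")),
                        ("x_then_y", x_followed_by_y(SAMPLE_EVENTS, "SCAN", "EXPLOIT"))]:
        print(name, [(a["ts"], b["ts"]) for a, b in found])
```

Each detector returns the (earlier, later) event pairs that formed a conclusion; on the sample data every rule type fires exactly once, and the repeat of the B -> A hop at 900 seconds produces nothing because its partner has aged out of the span.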

Event Criteria

The Event Criteria field contains a vast array of possible values that a rule can use to identify an event pattern. The Event Criteria field includes event data and schema information. Table 8-2 describes the tabs that are available in the drop-down list.

Table 8-2 Event Criteria tables

Name: Common
Description: Contains data from the Normalization fields, the DeepSight database (via the Symantec Signature), and the Asset and Network tables.

Name: Derived
Description: Contains customized data from the Normalization fields, the DeepSight database (using the Symantec Signature), and the Asset and Network tables. The system applies logic to the source and the destination IP addresses that results in several fields or flags being added to the event. For fields, this is primarily data from the Asset and Network table. For flags, information such as the traffic direction, Source is Internal, Destination is Internal, service info, Destination Port is Open, whether the Asset entry has the destination_port value listed as available, whether the asset is Vulnerable, or whether the Asset entry for the event's destination_ip value is listed as being vulnerable to one or more of the Bugtraq IDs associated with the event's Symantec Event Code.

Name: Events
Description: Includes all of the events that have been identified for each product that is associated with your installation of Information Manager, based on a combination of the default set of events (the Information Manager schema) and any SIPs that have been installed. These fields do not contain the Information Manager normalized values.

Name: Other Fields
Description: Provides a means of creating a product-specific field that uses a string or an integer value that may not be accessible through the schema provided. In some cases, event data is included with the events that are sent to Information Manager that is used by a specific point product, but is not accounted for as an identified field in the Information Manager schema that is used by the collector (also known as out-of-band data). This data can be included either by the collector or it can be added during normalization.

Name: Table Lookups
Description: Provides access to the fields that are associated with the Knowledge Base tables that are populated by both Information Manager and the environment and resource-specific data that is provided by the user (such as the Asset and Network tables). These fields are dynamically generated based on the current state of each of the Knowledge Base tables.

The Event Criteria rows include a logical decision field that provides the operator that is used to determine how the event criteria are evaluated. Table 8-3 describes the decision options that are available.

Note: The available operators vary with each criteria type.

Table 8-3 describes the Event Criteria operators.

Table 8-3 Event Criteria operators

Name: Equal
Description: The field value is an exact match to the criteria value.

Name: Not Equal
Description: The field value does not match the criteria value.

Name: Greater than
Description: The field value is greater than the specified value.

Name: Less than
Description: The field value is less than the specified value.

Name: Greater than or equal to
Description: The field value is greater than or equal to the specified value.

Name: Less than or equal to
Description: The field value is less than or equal to the specified value.

Name: Null
Description: The field is empty.

Name: Not Null
Description: The field contains a value.

Name: Is in
Description: The field value matches a value that is contained in the specified table.

Name: Is not in
Description: The field value does not match a value that is contained in the specified table.

Name: True
Description: The field value is True.

Name: False
Description: The field value is False.

Name: Contains
Description: The field value contains the specified string. The usage of this operator varies with the field that the data is being compared with. For example, if you use EMR values, a drop-down list of possible values appears. However, if you are evaluating the string data in a field such as target_resource, the value that you type will be used to perform a substring search. For example, if you wanted to find out if the string root.exe was contained in the target_resource field, and the target_resource field contained http://www.example.com/cgi-bin/root.exe?blah, root.exe would be identified, causing a match.

Name: Doesn't contain
Description: The field value does not contain the specified string. The usage of this operator varies with the field that the data is compared with. For example, if you use EMR values, a drop-down list of possible values will appear. However, if you are evaluating the string data in a field such as target_resource, the value that you type will be used to perform a substring search. For example, if you wanted to verify that the string root.exe was not included in the target_resource field, and the target_resource field contained http://www.domain.com/cgi-bin/root.exe?blah, root.exe would be identified, which indicates that the Doesn't contain condition has not been met.

Name: Matches
Description: The field value matches the value that is specified as a regular expression.

Name: Doesn't match
Description: The field value does not match the value that is specified as a regular expression.
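The operator semantics in Table 8-3, including the substring behaviour of Contains on a field such as target_resource, the regular-expression behaviour of Matches, and the table lookup behind Is in, can be made concrete with a small evaluator. The following Python is an added example, not Information Manager code: the operator names are those of Table 8-3, but the evaluation details (how a Null field behaves under the comparison operators, the AND/OR combination of rows as step 11 of the custom-rule procedure allows) are this example's own choices, and the user watchlist contents and the sample event are constructed. It also takes the root.exe case from the table as its sample target_resource value.

```python
import re

# Constructed lookup table standing in for a System Lookup Table (here the
# user watchlist); the "Is in" / "Is not in" operators are evaluated against it.
LOOKUP_TABLES = {
    "user watchlist": {"jdoe", "contractor7"},
}


def _is_null(value):
    return value is None or value == ""


# Each positive operator maps to a predicate over (field_value, criteria_value).
# The negated operators in Table 8-3 are derived from these by inversion.
_POSITIVE = {
    "Equal":                    lambda v, c: v == c,
    "Greater than":             lambda v, c: not _is_null(v) and v > c,
    "Less than":                lambda v, c: not _is_null(v) and v < c,
    "Greater than or equal to": lambda v, c: not _is_null(v) and v >= c,
    "Less than or equal to":    lambda v, c: not _is_null(v) and v <= c,
    "Null":                     lambda v, c: _is_null(v),
    "Is in":                    lambda v, c: v in LOOKUP_TABLES[c],
    "True":                     lambda v, c: v is True,
    "False":                    lambda v, c: v is False,
    # Contains performs a substring search on the field's string value.
    "Contains":                 lambda v, c: not _is_null(v) and c in str(v),
    # Matches treats the criteria value as a regular expression.
    "Matches":                  lambda v, c: not _is_null(v) and re.search(c, str(v)) is not None,
}
_NEGATED = {
    "Not Equal": "Equal",
    "Not Null": "Null",
    "Is not in": "Is in",
    "Doesn't contain": "Contains",
    "Doesn't match": "Matches",
}


def evaluate(field_value, operator, criteria=None):
    """Evaluate one Event Criteria row: <field value> <operator> <criteria value>."""
    if operator in _POSITIVE:
        return _POSITIVE[operator](field_value, criteria)
    if operator in _NEGATED:
        return not _POSITIVE[_NEGATED[operator]](field_value, criteria)
    raise ValueError(f"unknown operator: {operator}")


def rule_matches(event, rows, logic="AND"):
    """Evaluate (field, operator, criteria) rows against one event and combine
    them with AND or OR, as the Rules Editor allows for multiple criteria."""
    results = [evaluate(event.get(field), op, crit) for field, op, crit in rows]
    if logic == "AND":
        return all(results)
    if logic == "OR":
        return any(results)
    raise ValueError(f"unknown logic: {logic}")


# Constructed sample event; target_resource reuses the value from Table 8-3.
SAMPLE_EVENT = {
    "target_resource": "http://www.example.com/cgi-bin/root.exe?blah",
    "ip_destination_port": 80,
    "user_name": "jdoe",
    "destination_is_internal": True,
    "vulnerable": None,
}

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENT["target_resource"], "Contains", "root.exe"))
    print(rule_matches(SAMPLE_EVENT, [("target_resource", "Contains", "root.exe"),
                                      ("user_name", "Is in", "user watchlist")]))
```

Deriving the negated operators by inversion keeps the two halves of each pair consistent: a Doesn't contain row is exactly the failure of the matching Contains row, which is the relationship the table's root.exe example describes.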

About the Event Count, Span, and Table Size rule settings

The Rules Editor includes the settings that allow you to specify how many events must occur within a specified period of time to meet the criteria for the rule. In addition, you can also determine the table size for the event data that is stored. Table 8-4 describes the Event Count, Span, and Table Size settings.

Table 8-4 Event Count, Span, and Table Size rule settings

Setting: Event Count
Description: Determines the number of events that must occur within the time period specified in the Span settings in order for the rule to trigger an incident. This setting is used primarily with the Many-One Field area on the Actions tab.

Setting: Span
Description: Indicates the timeframe allotted for the number of events that are specified in the Event Count field to occur.

Setting: Table Size
Description: Specifies the state table size, in rows, that is maintained in memory for each rule. For example, the Account Guessing Attack predefined rule requires that two events be identified within ten minutes for the rule to trigger an incident. After the first event matches the rule criteria, an internal aggregation table is created that contains the event details. When the second matching event occurs, data from the second event is added to the same aggregation table. In this case, the Table Size setting is relatively small. However, if the Event Count were raised to a much larger number, the aggregation table could potentially run out of space. In that case, the table wraps, meaning that the new event data begins to overwrite the original event data in sequential order. To prevent the data from being overwritten, the Table Size should be adjusted according to the event size expectations for the rule. Event data sizes vary widely with each implementation, but using the predefined rules as a starting point helps to identify general size parameters.
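The Many to One rule type from Table 8-1, the Event Count, Span, and Table Size settings in Table 8-4, and the One-Many, Many-One, and Tracking fields described in the next section all act on one in-memory state table, and the wrap behaviour described above is easiest to see by simulating that table. The following Python is an added example written for this chapter's concepts; it is not Information Manager code, and the event field names, the PORTSCAN signature label, the addresses, the timestamps, and the rule values are constructed. It implements the port sweep rule described under the Many to One type (One-Many fields IP Source Address and IP Destination Port, Many-One field IP Destination Address) and then re-runs the same events with a Table Size smaller than the Event Count, which is the case the table above warns about.

```python
from dataclasses import dataclass, replace
from typing import Callable, Tuple


@dataclass
class ManyToOneRule:
    """Settings of a Many to One rule, named as in the Rules Editor."""
    name: str
    criteria: Callable[[dict], bool]   # Event Criteria: which events the rule examines
    one_many_fields: Tuple[str, ...]   # identical across a group; also the Tracking key
    many_one_fields: Tuple[str, ...]   # must differ from event to event within the group
    event_count: int                   # Event Count: distinct events needed for a conclusion
    span: int                          # Span, in seconds
    table_size: int                    # Table Size: rows in the rule's in-memory state table


class RuleState:
    """Fixed-size state table for one rule. Each row is
    (tracking_key, many_one_value, ts). When the table is full, the next write
    wraps to the oldest slot and overwrites it, as Table 8-4 describes."""

    def __init__(self, rule: ManyToOneRule):
        self.rule = rule
        self.rows = [None] * rule.table_size
        self.next_slot = 0
        self.overwrites = 0          # occupied slots reused by wrap-around
        self.conclusions = []

    def _live_rows(self, key, now):
        """Rows of this group whose timestamp is still within the Span."""
        return [r for r in self.rows
                if r is not None and r[0] == key and now - r[2] <= self.rule.span]

    def process(self, event: dict):
        rule = self.rule
        if not rule.criteria(event):
            return None
        key = tuple(event[f] for f in rule.one_many_fields)
        distinct = tuple(event[f] for f in rule.many_one_fields)
        if any(r[1] == distinct for r in self._live_rows(key, event["ts"])):
            return None              # Many-One value already tracked: adds nothing to the count
        if self.rows[self.next_slot] is not None:
            self.overwrites += 1     # table is full: wrap and lose whatever this slot held
        self.rows[self.next_slot] = (key, distinct, event["ts"])
        self.next_slot = (self.next_slot + 1) % rule.table_size
        live = self._live_rows(key, event["ts"])
        if len(live) < rule.event_count:
            return None
        conclusion = {"rule": rule.name, "tracking_key": key,
                      "many_one_values": [r[1] for r in live], "ts": event["ts"]}
        self.conclusions.append(conclusion)
        # Release the group's rows so the same events do not raise a second conclusion.
        self.rows = [None if (r is not None and r[0] == key) else r for r in self.rows]
        return conclusion


def run(rule: ManyToOneRule, events) -> RuleState:
    state = RuleState(rule)
    for ev in sorted(events, key=lambda e: e["ts"]):
        state.process(ev)
    return state


def shrink_table(rule: ManyToOneRule, table_size: int) -> ManyToOneRule:
    """Same rule with a different Table Size, to show the effect of wrap-around."""
    return replace(rule, table_size=table_size)


# Constructed port sweep rule: one source scanning one port on many targets.
PORT_SWEEP = ManyToOneRule(
    name="Internal Port Sweep (example)",
    criteria=lambda e: e["signature"] == "PORTSCAN",
    one_many_fields=("ip_source_address", "ip_destination_port"),
    many_one_fields=("ip_destination_address",),
    event_count=3, span=60, table_size=6)   # 6 / 3 = 2 groups tracked at once


def _ev(ts, src, dst, sig="PORTSCAN", port=22):
    return {"ts": ts, "signature": sig, "ip_source_address": src,
            "ip_destination_address": dst, "ip_destination_port": port}


# Constructed sample events (timestamps in seconds).
SAMPLE_EVENTS = [
    _ev(0, "10.0.0.5", "10.0.0.11"),
    _ev(5, "10.0.0.5", "10.0.0.11"),                 # same target again: not a new Many-One value
    _ev(10, "10.0.0.5", "10.0.0.12"),
    _ev(15, "10.0.0.8", "10.0.0.11"),                # a second source, so a second group
    _ev(20, "10.0.0.5", "10.0.0.13"),                # third distinct target: conclusion
    _ev(25, "10.0.0.9", "10.0.0.11", sig="LOGIN"),   # fails the Event Criteria
    _ev(100, "10.0.0.8", "10.0.0.12"),               # 85 s after the first .8 event: outside the Span
]

if __name__ == "__main__":
    state = run(PORT_SWEEP, SAMPLE_EVENTS)
    print(state.conclusions, "overwrites:", state.overwrites)
    small = run(shrink_table(PORT_SWEEP, 2), SAMPLE_EVENTS)
    print(small.conclusions, "overwrites:", small.overwrites)
```

With a Table Size of 6 the sweep from 10.0.0.5 produces one conclusion listing its three targets and nothing is overwritten. With the Table Size cut to 2, the rows of the sweep are overwritten by the other group's events before the third distinct target arrives, so the same traffic produces no conclusion at all; the overwrite counter is the symptom to look for when a rule that should fire never does.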
About the Tracking Key and Conclusion Creation fields

The Tracking Key and Conclusion Creation fields are used to further refine rules settings to establish whether an event should be correlated to the existing events that are being tracked in aggregation tables. In addition, the Tracking Key and Conclusion Creation fields include the Severity and the Description fields that provide a means for security analysts to escalate conclusions based on severity, and to include additional extracted information within the Conclusion Description. Table 8-5 describes the fields that are available.

Table 8-5 Tracking Key fields (Conditions tab)

Field: One-Many Fields
Description: Used with the Many to One rule type. This field describes the elements that must remain consistent across each event in order for the event to be correlated to an existing event aggregation table. For example, if you want to define a rule that tracks a single user name connecting to multiple target IP addresses (in other words, one username to many IP addresses), after setting the rule type to One to Many, in the One-Many Fields area you would choose the User Name option since this field must be the same in each event for any subsequent events to be correlated with previous events.

Field: Many-One Fields
Description: Used with the Many to One rule type. This field describes the elements that must be different for each event in order for the event to be correlated to an existing event aggregation table. This field is used with the Event Count field to determine when the conditions for a One to Many rule have been met. For example, if you want to define a rule that tracks a single user name connecting to multiple target IP addresses (in other words, one username to many IP addresses), after setting the rule type to One to Many, in the Many-One Fields area you would choose the Target IP option since the IP address in this field must be different in each event for any subsequent events to be correlated with previous events.

Field: Tracking Fields
Description: Required with the Many to One and Single Event rule types. This field describes the field upon which a matching event is correlated to an existing conclusion. If an event matches the criteria for a rule, it is compared against the tracking fields for any existing conclusion. If the event matches an existing conclusion, it is correlated to that event rather than being considered for a new conclusion. In the case of One to Many rules, this field is typically used to track the same value as in the One-Many Field area, which indicates the event field data that must remain the same across each new event that is to be added to the aggregation table.

Table 8-6 describes the Conclusion Creation fields that are available on the Actions tab.

Table 8-6 Conclusion Creation fields (Actions tab)

Field: Alerting Incident
Description: Describes whether an incident should be treated as an alert rather than a security incident.

Severity
  Describes the severity of the event conclusion, which can determine whether an incident is created. The Severity values are the following:
  1 - Informational: Purely informational events.
  2 - Warning: The user decides whether any action is needed.
  3 - Minor: Action is required, but the situation is not serious at this time.
  4 - Major/Critical: Action is required immediately, and the scope may be broad.
  5 - Fatal: An error occurred, but it is too late to take remedial action, and the scope is broad.

Description
  Provides a user input area for security analysts to further define the conditions that led to the creation of the conclusion. This field also supports the use of field name variables that can be populated with event data.

Remediation
  Provides a user input area for security analysts to include remediation notes for each incident that is created. The notes appear on the Remediation tab for the incident.

About the Correlate By and Resource fields

The Correlate By field determines whether a conclusion that is created should be mapped to an existing incident. For example, if a Virus Outbreak incident is in progress, the appropriate setting in the Correlate By field causes each Virus Outbreak conclusion with the same virus name to be mapped to the existing incident. In addition, you can use the Resource Field drop-down list to further refine the characteristics of the correlation requirements for the incident. Table 8-7 describes the correlation types that are available in the Correlate By field.

Table 8-7 Correlate By fields

None
  Correlation does not occur for new incidents that match this rule.

Resource and Conclusion Type
  Correlation is based on the Resource and Conclusion Type. For example, if the same Virus Outbreak conclusion type occurs on the same host specified in the Resource field, the new conclusion is correlated to an existing incident.

Source and Destination
  Correlation is based on the Source and Destination fields. For example, if a new conclusion is created and its Source IP and Destination IP are the same as those of an existing incident, the conclusion is correlated to that incident.

Source and Conclusion Type
  Correlation is based on the Source and Conclusion Type. For example, if the same IP address is causing Port Scan conclusions, any new Port Scan conclusion that originates from the same source is mapped to the existing incident.

Source
  Correlation is based on the Source field. If the Source matches, any conclusion that originates from that source is correlated to the existing incident.

Destination and Conclusion Type
  Correlation is based on the Destination and Conclusion Type. For example, if the conclusion is a Denial of Service attack that targets the same Destination IP, the conclusion is mapped to the existing incident.

Destination
  Correlation is based on the Destination field. If the Destination is the same, any conclusion that applies to that destination is correlated to the existing incident.

Conclusion Type
  Correlation is based on the Conclusion Type. For example, all AntiVirus Disabled conclusions would be mapped to the existing incident regardless of source or destination values.

Importing existing rules

You can import rules from separate instances of Symantec Security Information Manager using the Import and Export features that are available in each version. If you are importing a rule that references custom lookup tables, you must also import those tables. If you are importing a rule from a previous supported version of Information Manager, you should use the Rules Editor to delete any imported policy information, and then apply the current policies. You can also import Java-based rules that are created by Symantec technical support into the System Monitors folder in the Rules Editor. Java-based rules are imported as .jar files. Because a Java-based rule is executable code that runs on the appliance, import only .jar files whose origin you have verified.
Note: When you are importing rules from a previous version of Information Manager that include user, team, or role assignments, you should verify that the assignments are configured correctly after the import completes. In some cases, if a user, team, or role that existed in a previous version is not identical to the version that exists in the upgraded version, the rule assignment values must be reconfigured to match the assignee information in the upgraded version.

To import an existing rule

1 In the console from which you want to export the rules, navigate to the Rules Editor and export the rules that you want to apply to the new console.
2 In the current Information Manager console, on the Rules page, expand the Correlation Rules folder.
3 Under the Correlation Rules folder, expand the User Rules folder.
4 Click Import from disk.
5 In the Select File(s) to Import dialog, locate the file or files that you want to import, and click Import...

To import a Java-based rule

1 In the Information Manager console, on the Rules page, expand the System Monitors folder.
2 Click the User Monitors folder, and then click Import from disk.
3 In the Select File(s) to Import dialog, locate the .jar file or files that you want to import, and click Import...
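The One to Many tracking settings of Table 8-5 (One-Many field, Many-One field, Event Count) and the Correlate By options of Table 8-7 are easier to reason about when modelled as a small event loop. The following Python is an added example written for this guide; it is not Symantec code and does not use the Information Manager rules engine. The rule name "Multiple Target Access", the 60-second window, the sample events and their field names are all assumed for illustration.

```python
# Added example (not Symantec's code): a model of the One to Many tracking
# settings in Table 8-5 and the Correlate By options in Table 8-7.
# Hypothetical rule "Multiple Target Access":
#   One-Many field = user       (must be the same across tracked events)
#   Many-One field = target_ip  (must differ to be counted)
#   Event Count = 3, time window = 60 s (the window value is assumed)

# Constructed sample events; field names are assumed, not SSIM schema names.
SAMPLE_EVENTS = [
    {"ts": 0,   "user": "alice", "source_ip": "10.0.0.5", "target_ip": "10.0.1.10"},
    {"ts": 5,   "user": "alice", "source_ip": "10.0.0.5", "target_ip": "10.0.1.10"},  # repeat target
    {"ts": 9,   "user": "bob",   "source_ip": "10.0.0.6", "target_ip": "10.0.1.10"},
    {"ts": 12,  "user": "alice", "source_ip": "10.0.0.5", "target_ip": "10.0.1.11"},
    {"ts": 20,  "user": "alice", "source_ip": "10.0.0.5", "target_ip": "10.0.1.12"},  # 3rd distinct
    {"ts": 25,  "user": "alice", "source_ip": "10.0.0.5", "target_ip": "10.0.1.13"},  # joins conclusion
    {"ts": 100, "user": "alice", "source_ip": "10.0.0.5", "target_ip": "10.0.1.20"},  # window expired
    {"ts": 200, "user": "alice", "source_ip": "10.0.0.5", "target_ip": "10.0.1.30"},
    {"ts": 205, "user": "alice", "source_ip": "10.0.0.5", "target_ip": "10.0.1.31"},
    {"ts": 210, "user": "alice", "source_ip": "10.0.0.5", "target_ip": "10.0.1.32"},  # 2nd conclusion
]


class OneToManyRule:
    def __init__(self, one_many, many_one, event_count, window, conclusion_type):
        self.one_many, self.many_one = one_many, many_one
        self.event_count, self.window = event_count, window
        self.conclusion_type = conclusion_type
        self.tables = {}       # tracking key -> {"start": ts, "distinct": set()}
        self.conclusions = {}  # tracking key -> open conclusion

    def feed(self, event):
        """Return a new conclusion when Event Count distinct Many-One values are seen."""
        key = event[self.one_many]                       # One-Many / Tracking field
        table = self.tables.get(key)
        if table is None or event["ts"] - table["start"] > self.window:
            table = self.tables[key] = {"start": event["ts"], "distinct": set()}
            self.conclusions.pop(key, None)              # old conclusion no longer tracks
        value = event[self.many_one]
        if value in table["distinct"]:
            return None                                  # Many-One value must differ
        table["distinct"].add(value)
        if key in self.conclusions:                      # Tracking Fields match: join it
            self.conclusions[key]["targets"].append(value)
            return None
        if len(table["distinct"]) < self.event_count:
            return None
        conclusion = {"type": self.conclusion_type, "user": key,
                      "source_ip": event["source_ip"], "destination_ip": value,
                      "targets": sorted(table["distinct"])}
        self.conclusions[key] = conclusion
        return conclusion


# Correlate By options from Table 8-7 -> conclusion fields that form the incident key.
CORRELATE_BY = {
    "None": None,
    "Resource and Conclusion Type": ("resource", "type"),
    "Source and Destination": ("source_ip", "destination_ip"),
    "Source and Conclusion Type": ("source_ip", "type"),
    "Source": ("source_ip",),
    "Destination and Conclusion Type": ("destination_ip", "type"),
    "Destination": ("destination_ip",),
    "Conclusion Type": ("type",),
}


class IncidentCorrelator:
    def __init__(self, correlate_by):
        self.fields = CORRELATE_BY[correlate_by]
        self.incidents, self.next_id = {}, 1

    def map_conclusion(self, conclusion):
        """Return (incident id, created) for a conclusion."""
        if self.fields is None:
            key = ("no-correlation", self.next_id)       # every conclusion is a new incident
        else:
            key = tuple(conclusion.get(f) for f in self.fields)
        created = key not in self.incidents
        if created:
            self.incidents[key] = self.next_id
            self.next_id += 1
        return self.incidents[key], created


def run(events=SAMPLE_EVENTS, correlate_by="Source and Conclusion Type"):
    rule = OneToManyRule("user", "target_ip", 3, 60, "Multiple Target Access")
    correlator = IncidentCorrelator(correlate_by)
    results = []
    for ev in events:
        conclusion = rule.feed(ev)
        if conclusion:
            incident, created = correlator.map_conclusion(conclusion)
            results.append({"ts": ev["ts"], "targets": list(conclusion["targets"]),
                            "incident": incident, "new_incident": created})
    return results


if __name__ == "__main__":
    for r in run():
        print(r)
```

With the default Correlate By setting of Source and Conclusion Type, alice's second burst (ts 200-210) produces a new conclusion but lands in the incident opened at ts 20, because the source IP and conclusion type match; switching to None or Destination opens a second incident instead. The duplicate target at ts 5 is never counted, and the event at ts 25 is absorbed by the open conclusion rather than starting a new one.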

Chapter 9
Understanding event normalization

This chapter includes the following topics:
- About event normalization

About event normalization

Normalization occurs when an event has been received by the appliance after the collector has harvested the raw data. The normalization process analyzes received event data and adjusts the fields where necessary to prepare the data to be interpreted by Information Manager, including by any applicable rules. A normalization configuration file with a .norm file extension is used to adjust the fields where necessary. The .norm file maps the event fields provided by collectors to the event fields that Information Manager requires. Normalization accomplishes such tasks as populating empty fields and locating source/target information. For example, if you are trying to trap a consistent target IP address, the point product that harvested the data may have placed the IP address in a field whose name does not clearly indicate the nature of its contents. The field name may be ip_address, for example, which does not indicate whether the IP is the address of the source or the target. Information Manager includes a set of mapping files that identify and parse the data in the fields that are provided by any supported product and map these values to the appropriate database schema fields. Symantec creates and updates .norm files via LiveUpdate as more information from each of the point products becomes available. Normalization adds information to events using a standardized set of fields that can be used to refine rules processing. For example, a unique event identifier can be mapped to a Standard Event Code (Symantec Signature), allowing multiple product events to be correlated despite unique identifiers for each product.

Normalization also uses the information you have provided in the Asset and Network tables to uniquely identify elements related to the event, which can be used during rules creation. Additional fields from the Asset table include the assigned Confidentiality, Integrity, and Availability (CIA) values, the host name, who owns the system, the current operating system, what policies or roles apply to the machine, what services are open on that machine (populated by a vulnerability scanner), and what vulnerabilities are on that machine (for example, if specific patches have not been rolled out to a computer). For example, if a system has been assigned the role of a vulnerability scanner, events that are normally generated by vulnerability scanners (such as exploit and port scan events) can be filtered if they are associated with that computer.

The Network table information is used to identify the location and directional flow of the event. Normalization can help to identify whether an event is internal only (contains IP addresses that are within your network), whether the traffic is inbound or outbound, or whether it is traveling to or from specific locations. For example, if the source of a virus event is an internal source, the event can be flagged as an internal virus infection.

Normalization also adds any information available with the Symantec Signature using the DeepSight database. For example, when a security incident occurs that is mapped to a Symantec Signature, the following pieces of information may be provided:
- The Symantec Event Code, which facilitates cross-product correlation
- EMR categorization, helping the analyst to aggregate attack data to better understand the outbreak
- Vulnerability IDs (BugTraq) that include information on vulnerabilities that are typical of this type of security threat
- Exposure IDs that include potential attack exposure information provided by Information Manager, for example, telnet being enabled or weak passwords being used
- Malicious Code IDs that include information created by Symantec Security Response to describe known malicious code activity associated with an attack

About normalization (.norm) files

When you are creating a rule, it is often helpful to view the mapping that takes place during normalization using the normalization (.norm) files. These files are included in the file system of the appliance and are not available from the Information Manager Web configuration interface. Collectors usually populate the event fields with data that matches the descriptive name specified in the schema, but there are occasions when the event fields provided by the collector contain additional information that can be parsed by Information Manager. In these cases, it is helpful to view the normalization (.norm) file to understand where the event data is coming from and how Information Manager interprets it.

The Information Manager appliance contains a default .norm file, as well as .norm files that are specific to the collectors that are used on your network. The mapping in a .norm file may be a direct one-to-one mapping, where the value in the collector field can be directly imported into the field that Information Manager expects. In other cases, the collector field may contain more data than the Information Manager field expects. In these cases, regular expressions are commonly used to parse the collector field for the data that Information Manager expects.

Note: Although you can alter the contents of the .norm files, it is strongly recommended that you do not rely on this method as a means of modifying how data is normalized and accessed through the rule set. If you have LiveUpdate or DeepSight updates enabled, the default .norm file is often refreshed during the update process. Any changes you make to the .norm file(s) will be lost.

In the following example, the block opens with a condition on the collector's intrusion_data field; the mappings that follow apply only to events that satisfy it. The field name to the left of the arrow is the field name used by the collector. The values on the right indicate the data type (in parentheses) and the field name that are used by Information Manager; one collector field can feed more than one Information Manager field. The right side may also include a regular expression that is used to parse the event data from the collector field, and the := lines assign constant values.

    (intrusion_data ^ "Failure Audit") & (intrusion_data ^ "User Name")
    intrusion_symc_sig  -> (string)devicealert
    machine_ip          -> (ip)sourceip (ip)targetip
    machine             -> (string)sourcehost (string)targethost
    intrusion_data      -> /User\s+Name:\s+(\S+)/ (string)eventresource
    intrusion_target_type_id := 1037112
    intrusion_outcome_id := 1027204
    vendor_device_id := 36

For more information on the data provided in the schemas that collectors use, see the Collector Studio Event Reference documentation.
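To see what the excerpt above does to a real-looking record, the following Python is an added example (not Symantec code, and not the appliance's normalizer) that transcribes the same block into data and applies it to a constructed Windows Security "Failure Audit" event. The collector and schema field names are taken from the excerpt; the sample event text, the reading of the condition as "contains both substrings", and the handling of an unparsable IP are assumptions made for the example.

```python
# Added example (not Symantec's code): a toy normalizer that applies the
# kind of mapping shown in the .norm excerpt to a constructed event.
# Three mapping kinds appear in the excerpt: a typed direct copy ("->"),
# a regular-expression extraction, and a constant (":=").  The block is
# guarded by a condition on intrusion_data, read here as "contains".
import ipaddress
import re

# Constructed collector event shaped like the fields named in the excerpt.
# Not real collector output.
SAMPLE_EVENT = {
    "intrusion_symc_sig": "Failure Audit 529",
    "machine_ip": "192.0.2.10",
    "machine": "dc01.example.test",
    "intrusion_data": (
        "Failure Audit\tLogon Failure:\n"
        "\tReason:\t\tUnknown user name or bad password\n"
        "\tUser Name:\tjdoe\n"
        "\tDomain:\t\tEXAMPLE\n"
    ),
}

# The rule block, transcribed from the excerpt into data.
NORM_BLOCK = {
    # condition: both substrings must appear in intrusion_data (assumed semantics of ^)
    "condition": ("intrusion_data", ["Failure Audit", "User Name"]),
    # direct maps: collector field -> [(type, Information Manager field), ...]
    "map": {
        "intrusion_symc_sig": [("string", "devicealert")],
        "machine_ip": [("ip", "sourceip"), ("ip", "targetip")],
        "machine": [("string", "sourcehost"), ("string", "targethost")],
    },
    # regex extractions: collector field -> (pattern, type, Information Manager field)
    "regex": {
        "intrusion_data": (r"User\s+Name:\s+(\S+)", "string", "eventresource"),
    },
    # constants assigned with :=
    "const": {
        "intrusion_target_type_id": 1037112,
        "intrusion_outcome_id": 1027204,
        "vendor_device_id": 36,
    },
}


def _cast(kind, value):
    """Apply the type given in parentheses; an 'ip' that does not parse is dropped."""
    if kind == "ip":
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            return None
    return str(value)


def block_applies(event, block):
    field, needles = block["condition"]
    data = event.get(field, "")
    return all(n in data for n in needles)


def normalize(event, block=NORM_BLOCK):
    """Return the Information Manager-side fields, or None if the condition fails."""
    if not block_applies(event, block):
        return None
    out = {}
    for src, targets in block["map"].items():
        if src in event:
            for kind, dst in targets:
                value = _cast(kind, event[src])
                if value is not None:
                    out[dst] = value
    for src, (pattern, kind, dst) in block["regex"].items():
        match = re.search(pattern, event.get(src, ""))
        if match:
            out[dst] = _cast(kind, match.group(1))
    out.update(block["const"])
    return out


if __name__ == "__main__":
    for k, v in sorted(normalize(SAMPLE_EVENT).items()):
        print(f"{k} = {v!r}")
```

The point worth noticing is the one the chapter makes: the user name is not a field of its own in the collector output, so the regular expression is what places jdoe into eventresource, while machine_ip is copied into both sourceip and targetip because the logon failure has no separate remote address in this record.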


Chapter 10
Effects, Mechanisms, and Resources

This chapter includes the following topics:
- About Effects, Mechanisms, and Resources (EMR)

About Effects, Mechanisms, and Resources (EMR)

Effects, Mechanisms, and Resources (EMR) values define the event classification scheme used by Information Manager. EMR replaces the Category and Subcategory fields that were used in previous versions of Information Manager. EMR classification is used by all events that are assigned a Symantec Signature. In addition, EMR has been established as a DMTF (Distributed Management Task Force) standard.

EMR values provide security classification data that applies to each event type. However, EMR values only represent potential threat conditions; the process of determining whether an event is an actual attack is performed at the rules processing, event correlation, and security analysis phase. The assigned EMR values should not be interpreted as conclusions as to whether any particular event is a security incident. For example, an incorrect logon event may include EMR data that suggests a Guess Password mechanism. However, it is up to the security analyst to either create a rule that describes a Guess Password threat (such as a rule that triggers when three or more failed logon attempts occur over a specified period of time), or to analyze the event manually to determine whether the event constitutes a threat. EMR values are most useful when they are used with other available fields to further identify whether a security incident has taken place.

About Effects values

Effects values describe the effects of the event from the detector's point of view (for example, Degradation or Reconnaissance). Symantec Signatures can have more than one value in the Effects field (for example, Access and Reconnaissance). The Effects values reflect the Confidentiality, Integrity, and Availability (CIA) attributes that describe security events. The question is, as far as the IDS is concerned, what is the effect of this event? The IDS does not evaluate whether the event is a false positive; it only knows the potential effects of the event that has occurred. Some security devices, such as simple packet filters, may not be able to detect the notion of an event's effect. In these cases, the Effects field is populated with "Unknown". Although in many cases the effect of an attack is intended, not all attacks have a known intent; viruses and other malicious code, for example, may have multiple varied effects. If there is more than one value in the Effects field, the first element in the list generally represents the most significant or the most severe effect from the detector's point of view. Three of the values correspond exactly to the standard security attributes, Confidentiality, Integrity, and Availability. Table 10-1 describes the EMR Effects values that are available.

Table 10-1 EMR Effects values

Access
  Access has been attempted or made to data or services.

Degradation
  An attempt was made to damage or impair usability, performance, service availability, and so forth.

Reconnaissance
  An attempt was made to gather information useful for attacks, or to probe for vulnerabilities without necessarily exploiting them.

System Compromised
  The integrity of the targeted system has been compromised. For example, a compromised system is likely to be susceptible to remote execution. Events that use this Effect type are events that may lead to an intruder gaining access to the system, by either remote management (SNMP) or a shell prompt, by bypassing or otherwise nullifying the required authentication scheme.

Integrity
  An attempt was made to modify or delete data.

Unknown
  The Effect of the event is unknown.

About Mechanisms values

Mechanisms values describe the method of attack that was used to generate an event from the detector's point of view (for example, Virus or Port Sweep). A Symantec Signature may have more than one mechanism (for example, SSH CRC32 Corruption has the mechanisms Buffer Overflow and Remote Execution). Mechanisms values can be used with any of the Effects values, depending on the method employed in an attack or probe. For example, a denial-of-service attack that uses ICMP packets would have an Effects value of Degradation and a Mechanisms value of Network ICMP. If the attack is a port sweep, the Effects value would be Reconnaissance and the Mechanisms value would be Port Sweep.

In general, if the event contains more than one mechanism, the first element represents the most specific, most significant, or most severe mechanism from the detector's point of view. Note, however, that implementation of this guideline is not enforced, so the order should not be used as a determining factor of the characteristics of the mechanisms used by the event. Although the value map is a flat enumeration, there are hierarchical relationships that are selected in most-specific to most-general ascending order in the list of values. For example, Network Protocol is a parent value to Network ICMP. If Network ICMP is the desired value, Network Protocol is selected as well and placed as the next element in the list of mechanism values. Table 10-2 describes the Mechanisms values that are available.

Table 10-2 EMR Mechanisms values

ARP Poisoning
  ARP poisoning (also known as ARP spoofing) sends fake ARP requests to a LAN using a forged MAC address. Using this technique, a network device may be made to send packets to a forged, sniffable address, or traffic across the device may be halted. IPv6, IPsec, and static ARP entries are used to combat ARP poisoning attacks.

Backdoor
  The mechanism used appears to be a backdoor. A backdoor is a method that uses a hidden entry point to the program or algorithm that bypasses the front-end logon system. Worms such as Mydoom and Sobig create back doors on non-secure systems to propagate email traffic. A backdoor may be an installed program (for example, BackOrifice) or an unintended modification to an existing program. A backdoor in a logon system can take the form of a hard-coded user and password combination that gives access to the system.

Rootkit
  A rootkit is used for a variety of covert system activities, including terminal and connection sniffing, keystroke monitoring, and cleaning up or obscuring logon records, processes, and event logs. Kernel-level rootkits replace system calls with binary code hidden in a Trojan horse. Application-level rootkits replace application code with replacement code hidden in a Trojan horse.

Trojan
  The mechanism used appears to be a Trojan horse.

Buffer Overflow
  The mechanism used appears to be a buffer overflow attack.

Guess Password
  The mechanism used appears to be a Guess Password attack. For example, some point products log multiple failed logon events, which may indicate a Guess Password condition.

Replay attack
  The mechanism used may be a replay attack.

SQL Injection
  The mechanism used may be a SQL injection.

Spoof Identity
  Any technique that attempts to represent one end of a client-server relationship or network session as a different entity from the actual entity. This mechanism can be used to attack a network session in order to hijack the session, for example, in a Man-in-the-Middle attack.

Port Sweep
  The mechanism used appears to be a port sweep.

Host Sweep
  The mechanism used appears to be a host sweep.

Network Sweep
  The mechanism used appears to be a network sweep.

Network ICMP
  Child of Network Protocol. The event uses the ICMP protocol. For example, this mechanism is common in ping attacks and probes.

Network TCP
  Child of Network Protocol. The event uses the TCP protocol.

Network UDP
  Child of Network Protocol. The event uses the UDP protocol.

Worm
  The mechanism used appears to be a worm.

Virus
  The mechanism used appears to be a virus.

Non-Viral Malicious
  The mechanism used appears to be malicious code of a non-viral (non-propagating) nature.

Spyware
  The mechanism used matches spyware behavior.

Adware
  The mechanism used matches adware behavior.

Login
  The mechanism used was a logon event.

Logout
  The mechanism used was a logout event.

Application Exploit
  The mechanism used appears to take advantage of a flaw in the operation of a program, or an unintended behavior of the program, to compromise the program or the host system in some way. This attack differs from a buffer overflow in that no code is injected; the application is used to perform a task that is possible with the released version of the product or system.

Script Injection
  The mechanism used appears to be a script injection.

Stale Data Scan
  The mechanism used appears to be a stale data scan. A stale data scan is defined as a tool reading memory that has been deallocated but not erased. Confidential or secure information may still be present in the memory.

Overloading Congestion
  The mechanism used appears to be a network flood or denial-of-service attack that is attempting to overload the available bandwidth of a network. For example, a ping flood would trigger this condition, as the sheer number of packets involved prevents any other traffic from passing over the network.

Overloading Saturation
  The mechanism used appears to be a host flood or denial-of-service attack that is attempting to overload (or has succeeded in overloading) the available resources of a particular host. For example, a SYN flood would trigger this condition, as a SYN flood does not affect the network itself but focuses on a particular host, preventing other computers from establishing connections with the targeted computer.

Overloading
  Parent of the Overloading Congestion and Overloading Saturation types. This mechanism often indicates a generic denial-of-service condition.

Port Scan
  The mechanism used appears to be a port scan.

Network Protocol
  The parent for any attack mechanism that uses a network protocol.

Network HTTP
  Child of Network Protocol. The event uses the HTTP protocol.

Phishing
  The mechanism used matches phishing behavior.

Redirection
  The mechanism used seems to indicate that the attack has caused the redirection of the victim's session to a malicious server instead of the intended server. An example would be HTTP session hijacking, where a malicious site impersonates a bank site, causing the victim to connect to the impersonated site instead of the actual bank site. When the user types in their logon information, the logon information is collected, and then the customer is redirected to the authentic bank site.

Remote Execution
  The event that is taking place is capable of being executed remotely.

Data Manipulation
  The mechanism used appears to have altered data with malicious intent. For example, a DNS server cache is forced to update with a malicious IP mapping. This type of attack is typically performed as part of an HTTP hijack attack.

Cross-site Scripting
  The mechanism used appears to be code that has been executed within a URL, or similar cross-site code execution. For example, Apache and IIS can detect this activity when a client requests a URL that contains the <script></script> tag set.

Unknown
  The Mechanism of this event is unknown.

About Resources values

The EMR Resource value indicates the type or types of resources that are likely to have been affected by the event (for example, Mail or Host). A Symantec Signature may have more than one Resource value. For example, DB indicates that an attack was made against a database server, whereas Mail indicates that some type of email server is affected. DB, DNS, and other values can indicate either a server or a service, meaning that there is no distinction between a DNS server resource and a DNS service resource. If there is more than one Resource value, the first element usually represents the most specific or most significant resource from the detector's point of view. Although the value map is a flat enumeration, there are hierarchical relationships that are selected in most-specific to most-general ascending order of values. For example, Remote Service is a parent value to DNS. If DNS is the desired value, Remote Service is the next element in the list. Table 10-3 describes the Resource values that are available.

Table 10-3 EMR Resource values

DB
  Child of Remote Service. The resource that was affected was a database server.

DNS
  Child of Remote Service. The resource that was affected was a DNS service.

FTP
  Child of Remote Service. The resource that was affected was an FTP service.

Mail
  Child of Remote Service. The resource that was affected was a mail server, such as an SMTP server.

Web
  Child of Remote Service. The resource that was affected was an HTTP server.

Host
  The resource that was affected was a host computer.

Firewall
  The resource that was affected was a firewall, which includes a packet filter or application proxy that discriminates and filters network packets and application sessions.

Registry
  Child of OS. Requires OS and Host values. The resource that was affected was a registry value.

Network Device
  Parent of Firewall, Router, and Switch. The resource that was affected was a network device.

Hardware
  The resource is a hardware device.

User Activity
  The resource involved includes user activity.

Cookies
  The resource affected is a cookie.

Network Data
  The resource involved is network data.

Application Data
  Child of Application. The resource affected is application data.

Application Configuration
  Child of Application. The resource that was affected was an application configuration.

OS Kernel
  Child of OS. Requires OS and Host values. The resource that was affected was the trusted computing base of the operating system.

OS Configuration
  Child of OS. Requires OS and Host values. A particular configuration of the operating system based on settings and policies.

OS Session
  Child of OS. Requires OS and Host values. A particular instance of an interactive or batch-running environment on the operating system.

File System
  Child of OS. Requires OS and Host values. The subsystem of the operating system that allows basic persistence, input, and output.

Process
  Child of OS. Requires OS and Host values. The resource that was affected was a process on the target computer.

Service
  Child of OS. Requires OS and Host values. The resource that was affected was a service on the target computer.

Network Session
  Session hijack target resource. A related set of packets traveling between two or more entities communicating from different endpoints on a network. For example, this is the target of a TCP spoofing mechanism like Spoof Identity for the purpose of a session hijack or a Man-in-the-Middle attack.

URL
  The resource that was used was a URL.

User Account
  Child of OS. Requires OS and Host values. The resource that was affected was a user account.

Privileges
  Child of OS. Requires OS and Host values. The resource that was affected was the target of a privilege escalation attack (Integrity).

User Policy
  Child of OS. Requires OS and Host values. The resource that was affected was a user policy.

Group
  Child of OS. Requires OS and Host values. The resource that was affected was a group policy.

RPC
  Child of Remote Service. The resource that was affected was a Remote Procedure Call service.

SNMP
  Child of Remote Service. The resource that was affected was an SNMP agent.

Remote Service
  Parent of Remote Share, Naming Service, DB, FTP, Mail, RPC, and Web. The resource that was affected was a remote service.

Remote Share
  Child of Remote Service. The resource that was affected was a remote share.

Naming Service
  Child of Remote Service. The resource that was affected was a naming service.

Application
  Parent of Application Data and Application Configuration. The resource that was affected was a non-operating-system program that runs on a single host computer.

OS
  Parent of OS Kernel, OS Configuration, OS Session, File System, Process, Service, User Account, Privileges, User Policy, Group, Registry, and File. The resource that was affected was an operating system that runs on a single host computer. This value requires the Host value to be provided.

NFS
  Child of Remote Share. The resource that was affected was a Network File System service.

SMB
  Child of Remote Share. The resource that was affected was a Windows file share, or Server Message Block (SMB).

CIFS
  Child of Remote Share. The resource that was affected was a Windows file share.

CPU
  Requires the Host value. The resource that was affected was a CPU.

Router
  Child of Network Device. The resource is a router.

Switch
  Child of Network Device. The resource is a switch.

LDAP
  Child of Naming Service. The resource that was affected was an LDAP directory service.

Unknown
  The Resource type is unknown.

EMR examples

Table 10-4 provides examples of the application of EMR values to attacks.

Table 10-4 EMR examples

Attack                            | Effect(s)          | Mechanism(s)                                              | Resource(s)
DNS Exploit x86 Linux (Snort)     | Degradation        | Buffer Overflow                                           | DNS
DNS Exploit x86 Freebsd (Snort)   | Access, Integrity  | Buffer Overflow                                           | DNS
XS BIND TSIG attempt (Snort)      | Access, Integrity  | Buffer Overflow, NetworkUDP, NetworkTCP, NetworkProtocol  | DNS
WEB-MISC sml3com access (Snort)   | Degradation        | NetworkHTTP, NetworkProtocol                              | Network Device
DOS Cisco null snmp               | Degradation        | NetworkSNMP, Network Protocol                             | Network Device
2106045 (BlackIce)                | Degradation        | NetworkHTTP, Network Protocol, Application Exploitation   | Network Device
FTP:PASS-4DGIFTS (Dragon)         | Access             | Guess Password                                            | FTP
FTP:PASS-LRKR0X (Dragon)          | Access             | Guess Password                                            | FTP
FTP-rhosts (Snort)                | Access, Integrity  | Application Exploit                                       | FTP
FTP-BOUNCE                        | Access             | Application Exploit                                       | FTP
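The EMR rows above are classification only; as the chapter stresses, deciding whether an event matters is done in rules, with the Asset and Network table data that Chapter 9 says normalization attaches (CIA values, roles such as vulnerability scanner, and traffic direction). The following Python is an added example, not Symantec code, that ties the two together: it expands EMR values along the parent relationships stated in Tables 10-2 and 10-3 (children first, parent appended once, matching the XS BIND TSIG row), then applies three rule-style checks. The asset rows, the internal network ranges, the sample events, the mapping of an Effect onto a CIA attribute, and the incident threshold of severity 4 are all assumptions for the example.

```python
# Added example (not Symantec's code): combining EMR values (Tables 10-1 to
# 10-3) with Assets and Network table data, as Chapter 9 describes.  Parent
# links come from the tables; the asset rows, network ranges, sample events,
# Effect-to-CIA weighting and the severity threshold are all assumed.
import ipaddress

# Child -> parent (or required accompanying value) from Tables 10-2 and 10-3.
EMR_PARENT = {
    "Network ICMP": "Network Protocol", "Network TCP": "Network Protocol",
    "Network UDP": "Network Protocol", "Network HTTP": "Network Protocol",
    "Overloading Congestion": "Overloading", "Overloading Saturation": "Overloading",
    "DB": "Remote Service", "DNS": "Remote Service", "FTP": "Remote Service",
    "Mail": "Remote Service", "Web": "Remote Service", "RPC": "Remote Service",
    "SNMP": "Remote Service", "Remote Share": "Remote Service",
    "Naming Service": "Remote Service", "LDAP": "Naming Service",
    "NFS": "Remote Share", "SMB": "Remote Share", "CIFS": "Remote Share",
    "Firewall": "Network Device", "Router": "Network Device", "Switch": "Network Device",
    "Application Data": "Application", "Application Configuration": "Application",
    "Registry": "OS", "OS Kernel": "OS", "OS Configuration": "OS", "OS Session": "OS",
    "File System": "OS", "Process": "OS", "Service": "OS", "User Account": "OS",
    "Privileges": "OS", "User Policy": "OS", "Group": "OS", "OS": "Host", "CPU": "Host",
}


def expand_emr(values):
    """Explicit values first, then any missing parents, most specific to most general."""
    out = list(dict.fromkeys(values))
    for v in values:
        parent = EMR_PARENT.get(v)
        while parent and parent not in out:
            out.append(parent)
            parent = EMR_PARENT.get(parent)
    return out


# Assumed Network table (internal ranges) and Assets table rows (CIA on a 1-5 scale).
NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
ASSETS = {
    "10.0.5.20": {"host": "scanner01", "roles": {"Vulnerability Scanner"}, "cia": (1, 1, 1)},
    "10.0.1.10": {"host": "dns01", "roles": {"DNS"}, "cia": (3, 5, 5)},
    "10.0.1.50": {"host": "ws17", "roles": set(), "cia": (2, 2, 1)},
}
# Assumed mapping of an Effect onto the CIA attribute it threatens (index into cia).
EFFECT_TO_CIA_INDEX = {"Access": 0, "Integrity": 1, "Degradation": 2}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NETWORKS)


def direction(src, dst):
    """Network table use from Chapter 9: internal-only, inbound, outbound, or external."""
    inside = (is_internal(src), is_internal(dst))
    return {(True, True): "internal", (True, False): "outbound",
            (False, True): "inbound"}.get(inside, "external")


def evaluate(event):
    """Return (disposition, severity, enriched copy of the event)."""
    ev = dict(event)
    for k in ("effects", "mechanisms", "resources"):
        ev[k] = expand_emr(event[k])
    ev["direction"] = direction(event["source_ip"], event["destination_ip"])
    src_asset = ASSETS.get(event["source_ip"], {})
    dst_asset = ASSETS.get(event["destination_ip"], {})
    # Chapter 9: reconnaissance from a host holding the Vulnerability Scanner role is filtered.
    if "Vulnerability Scanner" in src_asset.get("roles", ()) and "Reconnaissance" in ev["effects"]:
        return "filtered", 1, ev
    # Weight each Effect by the destination asset's CIA value for that attribute.
    cia = dst_asset.get("cia", (1, 1, 1))
    severity = max([cia[EFFECT_TO_CIA_INDEX[e]] for e in ev["effects"] if e in EFFECT_TO_CIA_INDEX]
                   + [max(cia) if "System Compromised" in ev["effects"] else 1])
    if "Virus" in ev["mechanisms"] and ev["direction"] == "internal":
        ev["flag"] = "internal virus infection"   # Chapter 9's internal-source virus example
        severity = max(severity, 4)
    return ("incident" if severity >= 4 else "event"), severity, ev


SAMPLE_EVENTS = [  # constructed, not real sensor output
    {"source_ip": "10.0.5.20", "destination_ip": "10.0.1.10",
     "effects": ["Reconnaissance"], "mechanisms": ["Port Sweep"], "resources": ["Host"]},
    {"source_ip": "203.0.113.7", "destination_ip": "10.0.1.10",
     "effects": ["Access", "Integrity"],
     "mechanisms": ["Buffer Overflow", "Network UDP", "Network TCP"], "resources": ["DNS"]},
    {"source_ip": "10.0.1.50", "destination_ip": "10.0.1.50",
     "effects": ["Integrity"], "mechanisms": ["Virus"], "resources": ["File System"]},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(evaluate(e)[:2])
```

The same port sweep that would be an incident from an unknown host is discarded when the source carries the scanner role; the TSIG-style overflow against dns01 inherits that asset's Integrity value of 5; and a virus on an ordinary workstation, which the CIA values alone would leave at severity 2, is raised because the Network table shows an internal source.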


Chapter 11
Working with the Assets table

This chapter includes the following topics:
- About the Assets table
- About vulnerability information in the Assets table
- Using the Assets table to help reduce false positives

About the Assets table

The Assets table provides a centralized list of network assets that is used by Information Manager for event correlation and rules processing. You can identify the Confidentiality, Integrity, and Availability (CIA) values for each asset, the applicable policies, the ports that are potentially vulnerable, and the specific vulnerabilities of each asset. You can also associate the host name of an asset with the IP address, as well as the operating system, operating system version, and distinguished name for each system.

Assets can be added to the Assets table using the following techniques:
- Manually entering each asset in the Assets list
- Importing a list of assets that are stored in a comma-separated value (.CSV) file or an Extensible Markup Language (.XML) file
- Adding the target to the Assets list through the Destination Details pane for an incident that occurs
- Automatically populating the table using a supported vulnerability scanner. This method also populates the Services and Vulnerabilities tabs for each asset.

Note: Information Manager requires that the IPv4 address of each computer be unique. If you use network address translation (NAT) and you have two or more computers on separate subnets that use the same IP address, automatically populating the asset table will overwrite the asset entry with the most recently scanned computer's information. To use the same IP address for two or more computers using a NAT table, you should use a separate instance of Information Manager for each subnet.

The Assets table provides an automated means of identifying vulnerabilities on the assets listed when used with a supported vulnerability scan. By having this information available in the Information Manager console, an analyst can gain a quick and accurate understanding of the vulnerabilities of a target during an attack.

By adding assets to the Assets table, you can use a variety of fields in the Rules Editor to correlate events with the specific characteristics of the target or source asset that is identified in the event. For example, the Destination Host Availability, Destination Host Confidentiality, and Destination Host Integrity fields access the Confidentiality, Integrity, and Availability settings that you select for each asset in the Assets table. This information can help to reduce the amount of data that must be evaluated by security analysts. If you do not add the assets that you want to track, with the corresponding details for each asset, these fields cannot be leveraged.

How event correlation uses Assets table entries

The Assets table provides a means for analysts to identify the network assets that range from critical business assets to less important systems from a business or operations perspective.
One of the primary benefits of using the Assets table is that the security analyst or network administrator can quantify the importance of the listed assets based on Confidentiality, Integrity, and Availability (CIA) values, which can be used by Information Manager to escalate security incidents related to a particular asset.

You can also use the Assets table to identify the policies that are associated with each asset. You can use the Rules Editor to create the rules that access the list of policies that you have assigned. You can configure a rule to either discard the events that do not apply to the policies that are associated with the target, or escalate the event to an incident if the threat applies.

You can use information on the Services and Vulnerabilities tabs to help further identify potential threats to the assets that you have listed. The Services tab includes a list of ports that are available on each asset. You can either manually choose these ports, or use a vulnerability scanner to automatically identify available ports. The Vulnerabilities tab is automatically populated by a vulnerability scanner, and is used primarily during the analysis phase to provide an immediate summary of the known vulnerabilities on a particular asset. Information in the Vulnerabilities tab can only be added through a vulnerability scanner, and is used during correlation to increase or decrease the priority of the incident. If any vulnerability is discovered during a vulnerability scan of a particular asset, the asset is automatically flagged as vulnerable.

You can access the information that is entered for each asset through the Normalized fields that are accessible through the Rules Editor. By using these fields you can filter false positives or refine the incidents that are generated based on the asset information you provide.

About CIA values in the Assets table

The assignment of Confidentiality, Integrity, and Availability values should be an integral part of a network security audit. CIA values are unique to each network environment, and are typically determined as part of risk assessment. The CIA values can be used as components of event processing rules that you create in the Rules Editor. The CIA values are also used by the correlation engine to adjust the priority of an incident when appropriate. The CIA values that are available in the Assets table range from 1 (non-critical) to 5 (critical) for each CIA category, and determine the importance of the computer or device relative to other assets that are listed.
For example, a savings and loan company might rate a publicly facing server that manages account information using the following:

Confidentiality value of 5 (critical that the data stays secure and confidential)
Integrity value of 5 (critical that the data is not altered in a way that is not intended)
Availability value of 5 (critical that the publicly facing server is online all the time, and likely needs redundancy to prevent failure)

In this example, the CIA values would be assigned because of the server's importance from a business perspective. By contrast, the administrator or analyst might list an internal, non-public FTP server that only hosts lightweight applications for internal download as a 1 or 2 for each CIA value, since that internal server is less important from a business perspective.

After you have entered the CIA values for all of the assets you are tracking in the Asset table, you can export a backup copy of these assets by clicking the Export button in the Assets table and saving the list as a .csv file.

Importing assets into the Assets table

You can use a comma-separated value (.CSV) file or an .XML file to import asset information into the Assets table.

Note: If you import assets using a .csv file, policy and services information is not included during the import. To retain this information for assets already listed in the console, export the assets to a .xml file and use the .xml file to re-import the assets. .xml files that are generated by Information Manager include any existing policy and services data that is available for each asset; .csv files do not include this information.

To import assets into the Assets table

1 Create a .csv file that contains comma-separated values using the appropriate format. To see the correct format, create an asset in the Asset table, and then export the asset list as a .csv file. Use the exported list as a template for adding assets to the file. If you use the Active Directory Users and Computers snap-in provided by Microsoft, export the list of computers that Active Directory is tracking. Save the file as a .csv file.
2 In the Information Manager console, on the Assets page, click Import.
3 In the Import Assets dialog box, navigate to the folder in which you saved the assets file, select the file, and click Open.
Note: If you import a set of assets that includes non-UTF-8 character data, you must select the appropriate character set from the Character Set drop-down list.
4 Follow the on-screen instructions.

Searching, filtering, and sorting assets

You can search for assets and filter the results using the tools provided. You can also sort the results using the columns provided.

Note: Searches for assets may take several minutes depending on the number of results that are returned and the filter settings you choose. The results tile is limited to the first 5000 assets that are retrieved by an asset search. When possible you should refine the filter to reduce the number of results returned.
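Because a .csv import silently takes whatever is in the file, and because (as the note earlier in this chapter says) a duplicate IPv4 address causes one asset entry to overwrite another, it is worth checking the file before you click Import. The following is an added example, not part of the guide or of Information Manager: a small pre-import check that rejects malformed or duplicate IPv4 addresses and any CIA value outside the 1 (non-critical) to 5 (critical) range. The column names (IP Address, Host Name, OS Name, Confidentiality, Integrity, Availability) are an assumption; the real template is the .csv file you export from the Assets table, so adapt the names to that header. The sample file is constructed.

```python
import csv
import io
import ipaddress

# Column names are an assumption made for this example. The authoritative
# template is the .csv file exported from the Assets table, so replace these
# names with the header row of that export before using this on real data.
IP_COL = "IP Address"
CIA_COLS = ("Confidentiality", "Integrity", "Availability")
REQUIRED = (IP_COL, "Host Name", "OS Name") + CIA_COLS

# Constructed sample file: line 4 reuses the IPv4 address of line 2 (the NAT
# case from the note in this chapter) and line 5 has an Availability of 7.
SAMPLE_CSV = """IP Address,Host Name,DN,OS Name,OS Version,Confidentiality,Integrity,Availability
10.0.1.10,acct-web01,CN=acct-web01,Linux,2.6,5,5,5
10.0.1.20,ftp-internal,CN=ftp-internal,Linux,2.6,1,2,1
10.0.1.10,acct-web01-branch,CN=acct-web01-branch,Windows,2003,3,3,3
10.0.1.30,pix-fw,CN=pix-fw,Cisco IOS,,3,4,7
"""


def validate_assets(csv_text):
    """Check an asset .csv before import.

    Returns (clean_rows, findings): clean_rows are the rows that passed every
    check, findings is a list of (line_number, message) for rows to fix.
    Line 1 is the header, so the first data row is line 2.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    header = reader.fieldnames or []
    missing = [c for c in REQUIRED if c not in header]
    if missing:
        return [], [(1, "missing columns: " + ", ".join(missing))]

    clean_rows, findings = [], []
    first_line_for_ip = {}
    for line, row in enumerate(reader, start=2):
        ok = True

        # The IPv4 address must parse and must be unique: a duplicate would be
        # overwritten by whichever entry is imported or scanned last.
        raw_ip = row[IP_COL].strip()
        try:
            ip = ipaddress.IPv4Address(raw_ip)
        except ValueError:
            findings.append((line, f"{raw_ip!r} is not a valid IPv4 address"))
            ok = False
        else:
            if ip in first_line_for_ip:
                findings.append((line, f"{raw_ip} already used on line "
                                       f"{first_line_for_ip[ip]}; one entry would overwrite the other"))
                ok = False
            else:
                first_line_for_ip[ip] = line

        # Each CIA value must be an integer from 1 (non-critical) to 5 (critical).
        for col in CIA_COLS:
            value = row[col].strip()
            if not (value.isdigit() and 1 <= int(value) <= 5):
                findings.append((line, f"{col}={value!r} is outside the 1..5 range"))
                ok = False

        if ok:
            clean_rows.append(row)
    return clean_rows, findings


if __name__ == "__main__":
    rows, problems = validate_assets(SAMPLE_CSV)
    print(f"{len(rows)} rows ready to import, {len(problems)} problems")
    for line, message in problems:
        print(f"  line {line}: {message}")
```

Run it against the exported template first so that the header check passes, then against the file you intend to import; only a file with no findings should be imported, since the console itself does not report the overwrite.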

To create a filter for an asset search

1 In the Information Manager console, on the Assets tab, click Filter.
2 In the Asset Filters window, click Add.
3 In the New Filter window, under Filter Criteria, click Add (+).
4 Using the row that appears, choose your criteria using the cells available.
5 When you are finished selecting the filter criteria, click OK.
6 In the Input dialog box, provide a name for the filter, and click OK.
7 Click OK to close any remaining filter windows.

The new filter is added to the Filter: drop-down list. You can filter the results of a search using the filters you have created either before or after you perform the search.

To filter the results of an Asset search

1 In the Information Manager console, on the Assets tab, from the Filter drop-down list choose the filter that you would like to use.
2 In the Search Asset text box, type the element you want to search for.
3 Click the Search button, or press Enter.

Note: You can also filter the results after

To sort the order of the assets display area

1 In the Information Manager console, click Assets.
2 In the Assets list, click the column on which you want to sort.

Searching for an asset by substring value

To find a specific asset or set of assets within the group you are viewing, you can use the Search Asset text box. The Search Asset feature searches the assets in the group for the occurrence of a specified substring in any of the string-based asset fields. Non-string values, such as date or system-defined integer values, are not included in the search. The search is not case-sensitive. To search the entire set of assets, change the Group By selection to None, and then click All, which displays all of the available assets.

The fields that are searched include the following:

Host Name
DN
OS Version
Location
Organizational Unit
Description
External ID
Owner
OS Name

To search for an asset by substring value

1 In the Information Manager console, on the Assets tab, in the Search Asset text box, type the substring.
2 Click Search Asset.

Visual identification of the IP addresses that are also on the IP Watchlist

When an IP address is displayed in a table and it is also found in a watchlist, the IP address appears in bold red. You can right-click an IP address to view a dialog box that contains all of the known information about this IP address.

About vulnerability information in the Assets table

In the Assets table, each asset includes a Vulnerabilities tab that contains the vulnerability information that has been identified by a vulnerability scanner. The information on the Vulnerabilities tab for each asset lists the CVE ID (Common Vulnerabilities and Exposures ID), the BugTraq ID, the date that the vulnerability was discovered, the source that identified the vulnerability, and a description of the vulnerability type if a description is available. The specific vulnerabilities that are listed can be used by a security analyst to gain a better understanding of the characteristics of a particular computer, but are not accessible by rules entries. If an incident is created, the vulnerabilities list is used during event correlation to adjust the priority of the incident. For example, if an incident involves a vulnerability that is not on the list of the vulnerabilities identified for the specific target, the priority of the incident is reduced.

About using a vulnerability scanner to populate Assets table

Information Manager integrates with supported vulnerability scanner data by automatically importing vulnerability information into the Assets table when a scan is performed. Every asset that is listed in the Assets table includes the fields that describe the services that are running and the vulnerabilities that are associated with that asset. When a scan is performed, the services and the vulnerabilities tabs are populated with the data that is specific to each asset. The primary requirement for automatically populating the Assets table with scan information is that you have the collector installed that corresponds to the supported scan. In some cases, such as when you use the ESM collector, DNS resolution must be implemented to allow the collector to map IP addresses to host names.

Managing which vulnerability scanners update the Assets table

Some environments include multiple vulnerability scanners that monitor the environment. In some cases, you may not want all of the vulnerability information that is gathered from separate scanners to be used to automatically populate the Assets table. You can use the Asset Detector monitor on the Rules page to choose which scanners are used for autopopulating the Assets table.

Note: When you view a product that is capable of autopopulating the Asset table but has not been configured to do so, the product ID is displayed rather than the product name. To ensure that the product does not autopopulate the Asset table, move the product ID for that product to the left pane.

To manage which vulnerability scanners update the Assets table

1 In the Information Manager console, click Rules.
2 In the left pane, expand the Monitors > System Monitors folder.
3 Click Asset Detector.
4 On the Properties tab, click the ellipses (...) to open the Property Editor.
5 In the Property Editor, use the options that are available to add or remove the appropriate products.
6 Click OK.
7 When you are finished, click Deploy to Server.
Note: To ensure that the configuration is current, you can uncheck the monitor and click Deploy to Server, and then recheck the monitor and click Deploy to Server again.

About locked and unlocked assets in the Assets table

When you list an asset in the Assets table, you have the option of locking the asset information or leaving it in the default (unlocked) state. When a supported vulnerability scan is performed, the Assets table overwrites any unlocked assets (including the settings that you have manually changed) that were identified in a previous scan. Table 11-1 describes the Locked and the Unlocked states.

Table 11-1 Locked and Unlocked assets in the Assets table

Setting     Description
Locked      Prevents the asset from being overwritten when a new vulnerability scan is performed. The Services and Vulnerabilities tabs are updated.
Unlocked    Allows the asset to be overwritten with current asset information when a supported vulnerability scan is performed.

Using the Assets table to help reduce false positives

You can use the Assets table to reduce false positives by affecting the priority of incidents that are generated.

To use the Assets table to reduce false positives:

1 Populate the Assets table with the assets that you want to track. Include the systems that may generate large amounts of traffic that can be filtered or aggregated, such as firewalls or Intrusion Detection devices. Include the IP Address, Host name, Distinguished name, and operating system details.
2 For each asset, assign the CIA values that have been determined as part of a network security audit or external risk assessment. Higher CIA values generate incidents with higher priority.
3 Use a supported vulnerability scanner to scan the assets listed. The Services and Vulnerabilities tabs are automatically populated with the ports and services available and the potential vulnerabilities for each asset. If you do not use a supported vulnerability scanner, select the Services that you want to identify for filtering and correlation purposes for each asset.
4 For each asset, on the Policies tab, choose any policies that apply to the asset. For example, if the asset is a firewall, add the Firewall policy to the list of policies that apply to that asset.
5 In the Rules Editor, create any new filters (or correlation rules) based on the settings in the Assets table for each asset. You can combine the fields that access the Assets table with other conditions, such as EMR values. For example, you can create a rule that checks to see if the asset has a Vulnerable value of True, and the Mechanism equals Buffer Overflow, then create an incident.
6 Save and distribute the new rules or filters.

About filtering events based on the operating system

An example of using the Assets table information to reduce false positives is to use the Destination Operating System field available in the Rules Editor with a specific event ID. The Destination Operating System field accesses the information that is entered in the OS Name field in the Asset Details window. The events that are specific to a UNIX or Linux operating system often do not apply to a computer that uses Windows, and can be a source of false positives. For example, a BIND Transaction Signature Overflow event primarily applies to UNIX or Linux systems. If the Vendor Event Code field uses a BugTraq ID, you could create a filter that uses the following logic: If the Vendor Event Code field contains 2302 (the BugTraq ID for this event), and the Destination Operating System field contains Windows, then filter the event.

About using CIA values to identify critical events

After you have populated the Assets table with the assets you want to track, and you have assigned CIA values for each asset, you can use the CIA values associated with an asset to build the rules that create incidents based on those values.
For example, if you wanted to create a rule that would escalate ESM events on the assets that had a CIA value of 3 or greater for any CIA category, you could create a rule that uses the following logic: If the Product equals ESM, and the Destination Host Confidentiality field, the Destination Host Availability field, or the Destination Host Integrity field has a value that is greater than or equal to 3, then create an incident.

About using Severity to identify events related to critical assets

You can use the Severity setting for a rule with the information you have provided in the Assets table to help identify critical events related to specific assets. By adjusting the severity of an incident, a security analyst can focus on the highest priority events from a security perspective. For example, using CIA values with the Severity setting of a rule lets you correlate more important systems on your network with a higher visibility for the analyst, as they are likely to analyze higher severity incidents first. Similarly, identifying systems with lower CIA values and correlating that information with a lower severity level helps to reduce the number of incidents that demand the immediate attention of an analyst.

For example, if you use the Vulnerable field to identify whether a vulnerability exists on the Destination asset, and you want to escalate an incident that uses a Virus Mechanism, you could use the following logic: If Vulnerable equals Yes, and the Mechanism field contains Virus, then create an Incident. To increase the importance of this event for the analyst, on the Actions tab for this rule set the Severity to a high number, such as 5. You can further refine this rule by adding the conditions that use the Destination Host Availability, Destination Host Confidentiality, and Destination Host Integrity fields.

About using the Services tab

For each asset that is listed in the Assets table, the Services tab lists the ports that are available (and potentially vulnerable) for that asset. The Services tab can be manually populated by choosing the ports from the provided list that you are interested in, or it can be automatically populated by a supported vulnerability scanner. Running a supported scan on an asset that is listed in the Assets table will automatically populate the Services pane with the available ports, and will overwrite any services you have added manually. The Services tab is used by a number of fields available in the Rules Editor to identify potential incidents. You can use the information in the Services tab to reduce false positives by creating rules and filters that access the list of ports that have been identified for each asset, and filter or aggregate based on this information.
For example, the Attempted DNS Exploit rule uses the Destination Host Services field (which references the services information in the Assets table) to determine whether a buffer overflow event is associated with a target computer that acts as a Domain Name Server (port 53). If the asset that is targeted has port 53 listed on the Services tab, this condition for the rule is met. If the other conditions that are listed in this rule also match this event, a security incident is created.

You can customize the services that are available to choose from by editing the list that is contained in the System pane, under the Services tab. The Services tab of the Systems pane determines the list of services that you can choose from when describing an asset in the Assets table.

About associating policies with assets to reduce false positives or escalate events to incidents

When you populate the Assets table with the assets on your network, you can associate policies with each asset that help to describe each system with more granularity. In the Assets pane, on the Policies tab, you can choose from a predetermined set of policies that describe the use of the asset from a policy perspective. Policy association is used by several fields available in the Rules Editor to further identify the type of asset that is associated with an event. For example, the External Port Sweep rule uses the Source Host Policies field to determine whether the source host for the event is associated with the Firewall or Proxy policy. In this case, if the Source Host Policies field contains either value, the event does not match the correlation criteria for that rule.

Assigning policies to assets helps to use the power of the Correlation Engine to reduce the number of events that must be reviewed by the security analyst. If you have a large number of assets that are used for a similar purpose such as a firewall or a vulnerability scanner, you can create a rule that identifies events based on the policies that are associated with the assets involved with the event.

Another example is if you have assets on your network that are required to be in compliance with a specific regulatory policy, such as the Visa Cardholder Information Security Program (Visa CISP). Using the Assets table, if you have identified servers or devices that are used to meet the compliance requirements for Visa CISP, you can add this policy to the description of the asset in the table. In the event of an attack that may relate to the potential compromise of the data related to this policy (such as unauthorized logon attempts detected by an IDS), you can develop a set of rules that immediately escalate these events as security incidents.

The set of policies that are available to choose from may be periodically updated by an update mechanism such as DeepSight or LiveUpdate.
When the policies are updated, the policies that you have assigned to each asset are not affected. In addition, you can create the custom policies that are added in the System pane under the Policies tab. When you add a policy to the list in the System pane, the policy can then be assigned to an asset in the Asset Details window under the Policies tab.
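The rule examples in this chapter (the BIND TSIG filter on Windows targets, the ESM rule on assets with a CIA value of 3 or greater, the Virus-on-vulnerable-host incident at Severity 5, the Attempted DNS Exploit check on port 53, and the External Port Sweep exclusion for Firewall or Proxy sources) all share one mechanism: the event is enriched with the target's or source's Assets table record, and the rule tests the enriched fields. The following is an added illustration of that mechanism, written for this edit and not code from the guide or from Information Manager. The field names follow the Rules Editor names used in the text; the asset record layout, the rule ordering (filters before incident rules, first match wins), the "Port Sweep" mechanism value, and every severity other than the 5 the text gives for the virus rule are assumptions. The asset table and events are constructed.

```python
# Constructed Assets table, keyed by IPv4 address. The fields mirror what the
# chapter says an asset record holds (OS Name, CIA values, Vulnerable flag,
# Services ports, Policies); the layout itself is an assumption.
ASSETS = {
    "10.0.1.10": {"os": "Linux",   "cia": (5, 5, 5), "vulnerable": True,
                  "services": {53},  "policies": set()},
    "10.0.1.40": {"os": "Windows", "cia": (1, 2, 1), "vulnerable": False,
                  "services": {445}, "policies": set()},
    "10.0.1.1":  {"os": "Cisco",   "cia": (3, 4, 4), "vulnerable": False,
                  "services": set(), "policies": {"Firewall"}},
}


def enrich(event):
    """Attach the Rules Editor asset fields to a normalized event.

    Stands in for the normalization step that looks up the source and
    destination hosts in the Assets table. Hosts that are not in the table get
    empty values, which is why unlisted assets cannot drive these rules.
    """
    e = dict(event)
    dst = ASSETS.get(e.get("dst_ip"), {})
    src = ASSETS.get(e.get("src_ip"), {})
    conf, integ, avail = dst.get("cia", (0, 0, 0))
    e["Destination Operating System"] = dst.get("os", "")
    e["Destination Host Confidentiality"] = conf
    e["Destination Host Integrity"] = integ
    e["Destination Host Availability"] = avail
    e["Vulnerable"] = dst.get("vulnerable", False)
    e["Destination Host Services"] = dst.get("services", set())
    e["Source Host Policies"] = src.get("policies", set())
    return e


def any_cia_at_least(e, threshold):
    """True when Confidentiality, Integrity or Availability reaches threshold."""
    return any(e[f] >= threshold for f in ("Destination Host Confidentiality",
                                            "Destination Host Integrity",
                                            "Destination Host Availability"))


# (name, action, predicate, severity). Filters are listed first so a filtered
# event never reaches the incident rules. Severities other than the 5 given in
# the text for the virus rule are assumed values.
RULES = [
    ("BIND TSIG overflow against Windows", "filter",
     lambda e: "2302" in e.get("vendor_event_code", "")
               and "Windows" in e["Destination Operating System"], None),
    ("Virus on vulnerable host", "incident",
     lambda e: e["Vulnerable"] and "Virus" in e.get("mechanism", ""), 5),
    ("Attempted DNS Exploit", "incident",
     lambda e: e.get("mechanism") == "Buffer Overflow"
               and 53 in e["Destination Host Services"], 4),
    ("External Port Sweep", "incident",
     lambda e: e.get("mechanism") == "Port Sweep"
               and not (e["Source Host Policies"] & {"Firewall", "Proxy"}), 3),
    ("ESM event on CIA >= 3 asset", "incident",
     lambda e: e.get("product") == "ESM" and any_cia_at_least(e, 3), 3),
]


def evaluate(event):
    """Disposition of one event under RULES; the first matching rule wins."""
    e = enrich(event)
    for name, action, predicate, severity in RULES:
        if predicate(e):
            return {"disposition": action, "rule": name, "severity": severity}
    return {"disposition": "event", "rule": None, "severity": None}


# Constructed events (not real sensor output).
SAMPLE_EVENTS = {
    "tsig_vs_windows": {"product": "Snort", "vendor_event_code": "2302",
                        "mechanism": "Buffer Overflow", "dst_ip": "10.0.1.40"},
    "tsig_vs_dns":     {"product": "Snort", "vendor_event_code": "2302",
                        "mechanism": "Buffer Overflow", "dst_ip": "10.0.1.10"},
    "sweep_from_fw":   {"product": "IDS", "mechanism": "Port Sweep",
                        "src_ip": "10.0.1.1", "dst_ip": "10.0.1.40"},
    "sweep_from_host": {"product": "IDS", "mechanism": "Port Sweep",
                        "src_ip": "10.0.1.40", "dst_ip": "10.0.1.10"},
    "esm_on_critical": {"product": "ESM", "mechanism": "Policy Violation",
                        "dst_ip": "10.0.1.10"},
    "esm_on_minor":    {"product": "ESM", "mechanism": "Policy Violation",
                        "dst_ip": "10.0.1.40"},
}

if __name__ == "__main__":
    for label, ev in SAMPLE_EVENTS.items():
        print(f"{label:16} -> {evaluate(ev)}")
```

The same BIND TSIG event is dropped when the target is the Windows host and becomes an Attempted DNS Exploit incident when the target is the Linux host with port 53 on its Services tab, and the same port sweep is ignored from the Firewall asset but raised when it comes from an ordinary host: the difference in each pair is entirely the Assets table record, which is the point of populating it before writing rules.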


Chapter 12

Collector-based event filtering and aggregation

This chapter includes the following topics:

About collector-based event filtering and aggregation
About identifying common events for collector-based filtering or aggregation
About preparing to create collector-based rules
Accessing event data in the Information Manager console
Creating collector-based filtering and aggregation specifications
Examples of collector-based filtering and aggregation rules

About collector-based event filtering and aggregation

Information Manager provides the ability to filter and aggregate security events before they are sent to the appliance by providing filtering and aggregation capabilities that can be used at the collector. Filtering and aggregating event data before it reaches the appliance can improve network and appliance performance. Collector-based filtering and aggregation can also effectively increase event storage capacity on the appliance by discarding unnecessary events, or storing summaries of events, which typically use less storage space.

When events are gathered from security products by an Information Manager event collector, the collector parses the event for the information that can be sent to the appliance. When relevant data is identified, it is translated into fields in the Information Manager schema, which are then used by Information Manager to correlate existing events, create incidents, and so forth.

In many cases, security products are not only responsible for identifying security breaches and threats, but also act as event identification and storage devices for any event that may be used for forensics research. Some products store these events locally, whereas others offload the event data to a storage device such as a Syslog server or a Windows event log. In general, Information Manager collectors monitor these devices, databases, and log files for security-related events, and forward all of these events to the Information Manager appliance.

By default, event collectors gather all security-related events, and do not discriminate based on event severity or relevance. While this feature is useful for policy compliance, many organizations prefer to use the powerful event reporting and correlation features of Information Manager on the security events that are more threat-related. You can limit (or restrict) the events that are sent to the appliance to those events that represent potential security threats and incidents.

In contrast to event filtering and correlation at the appliance, collector-based filtering lets you exclude events from forwarding to Symantec Security Information Manager. Similarly, collector-based aggregation lets you group similar events to reduce event traffic, and to reduce the number of single events that are stored in the event database. Event aggregation groups events that contain identical event information into a single summary event which is forwarded to the appliance. This summary event includes a count of the events that matched the aggregation criteria.

Note: When aggregation takes place, the summary event that is created and sent to the appliance does not contain the raw event data for each individual event. A summary event cannot be separated into the individual events that comprise the aggregated event.
Collector-based event filtering and aggregation rules (also referred to as specifications) are created using the Information Manager console, and then deployed to the corresponding collectors. When you filter events at the collector, you remove the events from the event storage, correlation, and incident creation processes. Caution should be used when determining which events you want to filter at the collector.

Note: In some cases, depending on the granularity of event data required, collector-based filtering or aggregation should not be used if you are using Information Manager as your primary tool for policy compliance. Filtering or aggregating event data may exclude the events or event details that are not needed for security monitoring, but may be needed for compliance.

About identifying common events for collector-based filtering or aggregation

Table 12-1 describes filtering and aggregation guidelines for specific security device types.

Table 12-1 Filter and aggregation guidelines

Device type: All
Suggestions: Test networks can generate security events that do not indicate any actual threat. Consider filtering all events originating from isolated test networks.

Device type: Firewall
Suggestions: Firewalls generate many events that are not required for correlation. Consider filtering or aggregating the following types of events:
    Connection rejected: Connection rejected events indicate that the firewall operates as it is configured. These events do not ordinarily pose a security threat and can be filtered at the Event Collector.
    Connection accepted: Connection accepted events are ordinarily generated by legitimate network traffic. These events can be filtered entirely or can be aggregated by IP address. If an individual unwanted connection is accepted, the intrusion detection system identifies and reports the attack.
    Possible attack: Not all possible attack events indicate a true security threat. Consider filtering or aggregating possible attack events based upon specific attack IDs.

Device type: Enterprise Antivirus
Suggestions: Enterprise antivirus systems customarily report a number of informational events for each protected system. If you use a product such as Symantec Client Security, consider filtering or aggregating the following types of events:
    Scan start and scan stop: Scan start and scan stop events do not pose a security threat and can be filtered or aggregated.
    Virus repaired: Virus repaired events indicate that the antivirus software is successfully repairing infected systems. If there are infections in your environment that are commonly repaired, consider aggregating virus repaired events by the virus name.
    Irreparable virus: Many irreparable virus events may indicate a virus outbreak. The spread of a virus can generate many redundant events. To avoid unwanted event traffic during an outbreak, consider aggregating irreparable virus events.

Device type: Vulnerability
Suggestions: Typically, all vulnerability scan events should be sent to Information Manager for correlation. Vulnerability assessment events in some cases can be aggregated to reduce network traffic.

Device type: Intrusion Detection
Suggestions: Typically, all intrusion detection and intrusion prevention events should be sent to Information Manager for correlation.

Table 12-1 Filter and aggregation guidelines (continued)

Device type: Windows Event Log
Suggestions: The Windows Event Log stores both operating system events and application events. Because each Windows system may have different applications installed, broad filtering or aggregation is not advised. All Windows Event Log filtering and aggregation must be based upon specific event criteria. Consider filtering or aggregating the following types of events:
    Application: Some applications generate an excessive number of informational and warning events; these events can be filtered or aggregated based upon the specific event source and event identifier.
    Security: Success audit events do not indicate a security threat and can be aggregated based upon the specific user.
    System: Some system event sources, such as the Service Control Manager, generate many informational events; these events can be filtered or aggregated based upon the event source and identifier.

About preparing to create collector-based rules

The first step in creating collector-based filtering and aggregation rules is to understand the event data that is generated on your network. Before deployment, it is advisable to gather event data over a period of time and evaluate the event fields that are included in each event. In the Information Manager console, you can use the Event Viewer to view a summary of the events that are identified by the collectors that are enabled. While the Event Viewer may give you an idea of the categories, or types of data, that can be used, the most accurate source of information for creating event filters is the event fields themselves. Each product has customized event fields that are specific to that product, so you should create filtering and aggregation rules based on the events that are specifically related to that product.
You can view the event fields by double-clicking an event in the Event Viewer, and then analyzing the fields that appear in the Event Details window. An example of events that may be good filtering candidates are informational firewall events. Firewall events that are classified as informational can often be filtered at the collector to reduce traffic to the appliance. Firewall events that are categorized as informational are generally used for accounting purposes, and usually do not indicate an attempted security breach. However, these events are correctly detected by the collector as a security-related event, and are sent to Information Manager by default. If you decide that analyzing these events is unnecessary to maintain the security policies of your organization, you can filter these events at the collector to reduce event traffic. To filter these events, you

Collector-based event filtering and aggregation About preparing to create collector-based rules 157 should carefully analyze the event details to find the fields on which the filter for this specific event can be created. To understand the event data and create a filtering rule to filter informational firewall events, you would perform the following tasks: With the collector enabled, generate a series of informational firewall events. In most cases, bringing a firewall online and performing simple connection tasks through the firewall generates these types of events. To make the event data more useful, you can generate common firewall events such as FTP sessions, failed connection attempts, and other firewall events that might more accurately resemble a live network environment. After you have generated a series of events, using the Event Viewer or an available event report in the Dashboard, double-click an event to open the Event Details window. In the Event Details window, analyze the field names that are included in the event. Note that many of these fields are added at the appliance rather than at the collection point as part of the normalization process, so the most effective fields to base a filter on are generally the fields that are generated in the raw event data, such as fields that contain event IDs that are specific to the device that is being monitored. For example, if you are using the Cisco Pix collector, the firewall generates a unique value in the Event Info 4 field. Make note of the field and value pair that you want to base your filter on and open the configuration on the Product Configurations tab. In the Product Configurations tab, find the collector for the product that you are monitoring. For example, if you are using the Check Point Firewall, navigate to the settings for Check Point ) FireWall-1 Collector, and click default. In the right pane, on the Filter tab, create a new specification. 
In the new specification, either double-click the name field and find the field name in the list, or type the name of the field exactly as it appears in the event details. In the operator column, choose the appropriate operator. In most cases this will be the is equal to operator. In the Value field, type the value exactly as it appears in the event details. Enable the specification, save, and then distribute using the Distribute settings to computers button.

Accessing event data in the Information Manager console

The Information Manager console provides several different ways to access event data that is gathered by each collector. To gain an understanding of the events that can be filtered, you should analyze the event data that is viewable in the Event Details view. You can also create custom reports for specific events. For more information on how to create custom reports, see the documentation that is provided with each collector.

Accessing event data using the Events page

1 In the Information Manager console, click Events.

2 In the Events page, expand the Templates folder.

3 Under the Templates folder, click All Events.

Note: This example uses the All Events query. However, you can use any of the event queries in the Events view that returns the event data for which you are searching.

4 In the right pane, select the archives that contain the event data that you wish to review, and then click Run Template.

5 After the query completes, use the results view to find the event you want to analyze.

6 Find the event you would like to analyze, and click View the event details.

7 In the Event Details window, analyze the event fields and data. Many events have unique event IDs that can be used to create filters that are specific to the event that you want to filter.

Creating collector-based filtering and aggregation specifications

After you analyze your event data, you can create filtering and aggregation specifications based on the fields that are viewable in the Event Details window. The Filters and Aggregation tabs let you create, enable, and edit rules to either exclude events from being forwarded to the appliance (filtering), or gather multiple events into a single event (aggregation). No event filtering or aggregation rules are configured by default. You must add rules before you can enable or configure them.

To create a collector-side filtering rule

1 In the Information Manager console, on the System page, click the Product Configurations tab.

2 In the left pane, expand the product to which you want to add a filtering rule. Expand the folders until you reach the configurations that are available for the product. If the only configuration available is Default, you must create a new configuration. The Default configuration cannot be edited. If necessary, to create a new configuration, click the folder of the product, and then click Add. Follow the onscreen instructions.

3 Select the configuration you want to modify, and then in the right pane, on the Filter tab, under the list of rules, click Add.

4 Double-click Specification n (where n is 0, 1, 2, and so on), type a name for the rule, and then press Enter.

5 Under the rule properties table, click Add, and then do the following: In the Name column, double-click the name field and find the value in the event fields list that appears. If you know the exact name of the field that was created by the collector, you can also type a name for the event filter property. Fields are case sensitive. In the Operator column, select an operator from the drop-down list. In the Value column, type a value for the event filter property. To add more event filtering information for the rule, repeat this step.

6 When you are finished, in the filter list, check the filter name.

7 Click Save.

8 In the left pane, right-click the appropriate Default folder, and then click Distribute.

9 When you are prompted to distribute the configuration, click Yes.

To create a collector-based aggregation rule

1 In the Information Manager console, on the System page, click the Product Configurations tab.

2 In the left pane, expand the product to which you want to add an aggregation rule. Expand the folders until you reach the configurations that are available for the product. If the only configuration available is Default, you must create a new configuration. The Default configuration cannot be edited. If necessary, to create a new configuration, click the folder of the product, and then click Add. Follow the onscreen instructions.

3 In the right pane, on the Aggregator tab, under the list of rules, click Add.

4 Double-click Specification n (where n is 0, 1, 2, and so on), type a name for the rule, and then press Enter.

5 Under the rule properties table, click Add, and then do the following: In the Name column, type a name for the event aggregation property. In the Operator column, select an operator from the drop-down list. In the Value column, type a value for the event aggregation property. To add more event aggregation information for the rule, repeat this step.

6 In the Aggregation time (ms) box, type the time window (in milliseconds) within which events that match the rule properties are aggregated into a single event. The default value is 0. This property applies to all aggregation rules.

7 When you are done, in the aggregation list, check the aggregation name.

8 Click Save.

9 In the left pane, right-click the appropriate Default folder, and then click Distribute.

10 When you are prompted to distribute the configuration, click Yes.

Examples of collector-based filtering and aggregation rules

As you begin to understand the details of the event fields that are populated, you will likely discover common filtering and aggregation candidates that can be safely implemented at the collector level.

The following sections provide general guidelines for filtering and aggregation. Before you deploy these examples, each configuration should be carefully evaluated to ensure that it conforms to the specific needs of your security environment. The examples provided are common to many deployments, but may not be in compliance with your security policies. Creating filtering and aggregation specifications should be an iterative process that is based on a careful evaluation of the event data that is specific to your security environment.

Filtering at the collector prevents event data from being sent to the Information Manager appliance for evaluation. Consequently, analysts will not have access to this data for forensic analysis unless the events are stored separately from Information Manager. For example, events that are classified as informational can be good candidates for event filtering or aggregation at the collector. In some cases, a network may generate a large number of informational events that do not constitute an immediate security threat. From a threat perspective, these events may not be useful in evaluating a high priority security incident in progress. However, from a forensic analysis perspective, the informational event details may subsequently help to gain a better understanding of the series of events that led to a security breach. For this reason, an event filter or aggregation specification at the collector should be carefully evaluated before it is deployed.

When you are determining which events can be safely filtered or aggregated, a good general rule is to base your collector-based filtering or aggregation specifications on very specific event criteria. Basing a filter on a broad field such as severity level may have unintended results. Specificity when creating filtering rules helps to prevent unexpected gaps in the information available to the analyst. For example, you should use the event IDs that are generated by the monitored product to control the information that is discarded from Information Manager. This option is more effective than using a broader severity category to control that information.

Filtering events generated by specific internal networks

You can filter events from particular subnets that generate a high volume of events that do not pose a threat. For example, a network that is dedicated to testing and developing software applications may generate a large number of events that do not threaten internal network resources. These events can be filtered at the collector to reduce this type of false positive.

To filter network events that are generated by a specific subnet and acquired by the Windows Event Log collector

1 On the System page, on the Product Configurations tab, expand the default configuration for the Windows Event Log collector. On the Filters tab, add a new specification. Add a new entry for the specification, and then double-click the Name field. In the Event fields list, choose Machine Numeric Subnet.

2 After you have selected the field name, set the Operator to equal to, and then in the Value field enter the subnet that you would like to filter against.

3 Save and enable the rule, and then distribute the configuration.

Filtering common firewall events

Firewall products typically generate a large number of events, many of which are recorded primarily for lower priority, informational purposes. In many cases, depending on the security policies that you have in place, you can safely filter these events at the collector to reduce network traffic and increase overall performance.

Filtering Connection Rejected events

Events that are classified as Connection Rejected events can often be filtered based on the severity of the event and the event ID. For example, in many cases, TCP Connection Rejected events detected by the Cisco PIX collector (PIX-6-106015) can be filtered at the collector. Depending on the security policies of your organization, you may decide to filter or aggregate these events to reduce the amount of data that must be evaluated.

If you want to filter additional events that are similar (or carry a similar severity from an analyst's perspective), you can add additional event types to the specification. For example, you can use the Event Info 4 field to identify No route to dest_addr from src_addr (PIX-6-110001) or HTTP daemon interface int_name: connection denied from IP_addr (PIX-6-605001) PIX events.

To filter Cisco PIX TCP Connection Rejected events

1 On the System page, on the Product Configurations tab, navigate to the product that you want to configure.

2 On the Filters tab, create a new specification.

3 In the new filtering specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Network Event > Firewall Network Event > Event Info 4. For the Cisco PIX collector, the Event Info 4 field contains the name of the event that is used by PIX.

4 Set the Operator to equal to, and then in the Value field, enter the PIX event code (PIX-6-106015).

5 Save and enable the rule, and then distribute the configuration.

Filtering Connection Accepted events

Events that are classified as Connection Accepted events can often be filtered based on the severity of the event and, specifically, the event ID. For example, Connection Accepted events detected by the Cisco PIX collector such as user user_name executed cmd: command (PIX-7-111009) events can be filtered at the collector. PIX-7-111009 events are generally used for accounting purposes only, and indicate that the command entered by the user was not capable of modifying the configuration. Depending on the security policies of your organization, you may decide to filter or aggregate these events to reduce the amount of data that must be evaluated.

To filter Cisco PIX Connection Accepted events

1 On the System page, on the Product Configurations tab, navigate to the product that you want to configure.

2 On the Filters tab, create a new specification.

3 In the new filtering specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Network Event > Firewall Network Event > Event Info 4. For the Cisco PIX collector, the Event Info 4 field contains the name of the event that is used by PIX.

4 After you have selected the field name, set the Operator to equal to, and then in the Value field, enter the PIX event code (PIX-7-111009).

5 Save and enable the rule, and then distribute the configuration.

Filtering Possible Attack events

In many cases, events that are classified as possible attacks can be either filtered or aggregated. For example, if you are using the Cisco PIX collector, the collector gathers events such as failed telnet session attempts as possible attacks and displays them in the console. Depending on the security policies of your organization, you may decide to filter or aggregate these events at the collector to reduce the amount of data that must be evaluated.

If you want to filter additional events that are similar (or carry a similar severity from an analyst's perspective), you can add additional event types to the specification. For example, you can use the Event Info 4 field to identify Telnet Login Session Failed (PIX-6-307003) events, or Retrieved IP address for FTP session (PIX-6-303002).

To filter Cisco PIX failed telnet session events

1 On the System page, on the Product Configurations tab, navigate to the product that you want to configure.

2 On the Filters tab, create a new specification.

3 In the new filtering specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Network Event > Firewall Network Event > Event Info 4. For the Cisco PIX collector, the Event Info 4 field contains the name of the event that is used by PIX.

4 After you have selected the field name, set the Operator to equal to, and then in the Value field, enter the PIX event code (PIX-6-307001).

5 Save and enable the rule, and then distribute the configuration.

Filtering Remote Management Connection events

Remote Management Connection events can often be aggregated if you expect remote management connections to take place from trusted sources or on an expected host computer. Remote Management Connection events often include events that are classified as Informational, and in many cases can be safely aggregated.

For example, if you are using the Juniper Netscreen Firewall collector, you can create an aggregation specification that gathers specific types of Remote Management Connection events into a single summary event that is sent to the appliance. For example, you may have a host computer that manages remote connections for which you expect many remote management events to take place. You can aggregate these events into a single event summary.

To aggregate events for the Juniper Netscreen Firewall collector based on a specific host computer

1 On the System page, on the Product Configurations tab, navigate to the product that you want to configure.

2 Expand the default configuration for the Juniper Netscreen Firewall collector.

3 On the Aggregation tab, add a new specification. Add a new entry for the specification, and then double-click the Name field. In the Event fields list, navigate to Network Event > Firewall Network Event > Destination Host name.

4 After you select the field name, set the Operator to equal to, and then enter the host name in the Value field.

5 In the Aggregation time (ms) box, type the time window (in milliseconds) within which events that match the rule properties are aggregated.

6 Save and enable the rule, and then distribute the configuration.

Filtering common Symantec AntiVirus events

Symantec AntiVirus generates events that can often be filtered or aggregated. For example, most antivirus products provide proactive event notifications of maintenance tasks such as data scan start and stop events. As these security-related events indicate expected behavior, they can often be safely filtered or aggregated at the collector.

To filter events that are generated by Symantec AntiVirus, you need to edit the configuration file (.conf) that is included when the collector is installed on the Symantec AntiVirus parent server. The collector monitors the parent server for events, and uses the configuration files to determine which events are forwarded to the appliance.

The following list of events are common Symantec AntiVirus events that can be filtered at the collector:

Unscannable Violation
Data Scan Start
Data Scan End
Data Scan Cancel
Data Scan Pause
Data Scan Resume
Application Start
Application Stop

Note: Application Stop events can indicate that Symantec AntiVirus has been disabled, which is detected by the AntiVirus Disabled event correlation rule on the appliance. If you filter Application Stop events at the collector, this rule will not fire during correlation.

Symantec AntiVirus and Symantec Client Security configuration files are stored on the parent server on which the collector is installed. The files are stored by default in the following locations:

Symantec AntiVirus: C:\Program Files\Symantec\Collector\Plugins\SAVSesa\savsesa.cfg

Symantec Client Firewall: C:\Program Files\Symantec\Collector\Plugins\SCFSesa\scfsesa.cfg

Symantec Client Security: C:\Program Files\Symantec\Collector\Plugins\SCSState\scsstate.cfg

You can also filter the events that are forwarded from individual clients or servers using the Log Event Forwarding wizard that is available through the Symantec System Center interface that is provided with Symantec AntiVirus and Symantec Client Security. The Log Event Forwarding wizard lists a complete set of events that can be forwarded to parent servers. For more information on using Symantec System Center, see the documentation provided with Symantec AntiVirus and Symantec Client Security.

To enable event filtering on a Symantec AntiVirus parent server

1 On the parent server you are monitoring, using a text editor such as Notepad, open the following file: C:\Program Files\Symantec\Collector\Plugins\SAVSesa\savsesa.cfg.

2 In the .conf file, find the ExcludeEvents section.

3 From the list of events that appears in this section, remove the comment symbol (;) from before the event type or types you want to filter.

4 Save the file as a .cfg file. You may need to restart the collector.

Filtering or aggregating vulnerability assessment events

Typically, all vulnerability assessment scans should be sent to the Correlation Manager for analysis. However, vulnerability assessment events can in some cases be aggregated to reduce the number of events that are sent individually to the Information Manager appliance. For example, the Symantec ESM collector detects vulnerability assessment events related to whether files are backed up on the systems that it scans (Backup Integrity events). This information is useful for a variety of network analysis tasks, but depending on the policies of your organization, may not represent an immediate security threat.

Another potential candidate for aggregation of vulnerability assessment events is a Different ACL entry event. A Different ACL entry event typically indicates a permissions misconfiguration rather than an actual security breach.

To aggregate Backup Integrity events for the Symantec ESM collector

1 On the System page, on the Product Configurations tab, navigate to the product that you want to configure.

2 On the Aggregation tab for that product, create a new specification.

3 In the new aggregation specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Network Event > Vulnerability > Custom 2. For the Symantec ESM collector, the Custom 2 field contains the type of event generated by the vulnerability assessment scan.

4 After you have selected the field name, set the Operator to equal to, and then in the Value field, type Backup Integrity exactly as it appears in the Event Details entry for the Custom 2 field.

5 In the Aggregation time (ms) box, type the time window (in milliseconds) within which events that match the rule properties are aggregated.

6 Save and enable the rule, and then distribute the configuration.

To aggregate Different ACL entry events

1 On the System page, on the Product Configurations tab, navigate to the product that you want to configure.

2 On the Aggregation tab for that product, create a new specification.

3 In the new aggregation specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Network Event > Vulnerability > Short Descriptive Name. For the Symantec ESM collector, the Short Descriptive Name field contains a brief description of the event generated by the vulnerability assessment scan.

4 After you have selected the field name, set the Operator to equal to, and then in the Value field, type Different ACL entry exactly as it appears in the Event Details entry for the Short Descriptive Name field.

5 In the Aggregation time (ms) box, type the time window (in milliseconds) within which events that match the rule properties are aggregated.

6 Save and enable the rule, and then distribute the configuration.

Filtering Windows Event Log events

If you are using the Windows Event Log collector, you can reduce traffic by filtering common network events that generally do not pose a threat. The Windows event logs generate a large number of events that track a variety of activities, including those that are related to security. These events produce unique event codes that are included in the raw event data. You can use these event codes to create collector-based filters to reduce the number of events that are passed to the appliance.

For example, Successful Network Logon events (Windows event ID 540) do not typically pose a security risk if the appropriate security measures are in place (for example, secure passwords, multiple layers of access defense, and limiting administrator privileges). Another example of a Windows Event Log event that can be filtered is the successful login Application event. As an alternative, you could also choose the Event ID field with a value of 17055.

To filter Windows Successful Network Logon events (540)

1 On the System page, on the Product Configurations tab, navigate to the product that you want to configure.

2 On the Filters tab, create a new specification.

3 In the new filtering specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Windows and Novell Event > Option 8. For this type of event, Option 8 contains the event ID. Note that the option fields vary with each event for Windows Event Log entries. For more information on the Windows Event Log option fields, see the documentation provided by Microsoft.

4 After you have selected the field name, set the Operator to equal to, and then in the Value field type Security:540 exactly as it appears in the Event Details entry for the Option 8 field. As an alternative, you could also choose the Event ID field with a value of 540.

5 Save and enable the rule, and then distribute the configuration.

To filter Windows successful login Application events

1 On the System page, on the Product Configurations tab, navigate to the product that you want to configure.

2 On the Filters tab, create a new specification.

3 In the new filtering specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Windows and Novell Event > Option 8. For this type of event, Option 8 contains the event ID. Note that the option fields vary with each event for Windows Event Log entries. For more information on the Windows Event Log option fields, see the documentation provided by Microsoft.

4 After you have selected the field name, set the Operator to equal to, and then in the Value field type Application:17055 exactly as it appears in the Event Details entry for the Option 8 field.

5 Save and enable the rule, and then distribute the configuration.
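The following is an added example, not code from this guide or from Symantec's collectors: a small Python model of the Name / Operator / Value specifications built on the Filter and Aggregator tabs in this chapter. It applies an Event Info 4 filter, an Option 8 filter and a Destination Host name aggregation with an Aggregation time window to a few constructed events, shows how much more a severity-based rule discards than an event-ID rule, and flags an exclusion that would silence the AntiVirus Disabled correlation rule. The event dictionaries, timestamps and the host name mgmt-host-01 are constructed, and only the is equal to operator is modelled.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed events, shaped like the Event Details fields discussed in this
# chapter. Field names are the console names (Event Info 4, Option 8, ...).
SAMPLE_EVENTS: List[dict] = [
    {"ts_ms": 1000, "Product": "Cisco PIX", "Severity": "Informational",
     "Event Info 4": "PIX-6-106015"},                  # TCP connection rejected
    {"ts_ms": 1200, "Product": "Cisco PIX", "Severity": "Informational",
     "Event Info 4": "PIX-6-307003"},                  # Telnet login session failed
    {"ts_ms": 1400, "Product": "Windows Event Log", "Severity": "Informational",
     "Option 8": "Security:540", "Event ID": "540"},   # successful network logon
    {"ts_ms": 1500, "Product": "Juniper Netscreen", "Severity": "Informational",
     "Destination Host name": "mgmt-host-01"},         # remote management (constructed host)
    {"ts_ms": 1700, "Product": "Juniper Netscreen", "Severity": "Informational",
     "Destination Host name": "mgmt-host-01"},
    {"ts_ms": 9000, "Product": "Juniper Netscreen", "Severity": "Informational",
     "Destination Host name": "mgmt-host-01"},
]


@dataclass
class Spec:
    """One enabled specification: every (field, value) pair must be equal.

    Field names are compared case sensitively, as the guide states, so a
    property typed as "event info 4" matches nothing.
    """
    name: str
    criteria: Dict[str, str]

    def matches(self, event: dict) -> bool:
        return all(event.get(f) == v for f, v in self.criteria.items())


def apply_filters(events: List[dict], specs: List[Spec]) -> Tuple[List[dict], List[dict]]:
    """Return (forwarded, dropped). A dropped event never reaches the
    appliance, so the second list is exactly what analysts lose for forensics."""
    forwarded, dropped = [], []
    for ev in events:
        (dropped if any(s.matches(ev) for s in specs) else forwarded).append(ev)
    return forwarded, dropped


def aggregate(events: List[dict], spec: Spec, window_ms: int) -> List[dict]:
    """Collapse events matching `spec` into one summary event per time window.

    A window opens at the first matching event and lasts window_ms; later
    matches inside it only raise the summary's count. The default Aggregation
    time of 0 aggregates nothing. Non-matching events pass through unchanged.
    """
    out: List[dict] = []
    window_start, summary = None, None
    for ev in sorted(events, key=lambda e: e["ts_ms"]):
        if window_ms <= 0 or not spec.matches(ev):
            out.append(ev)
            continue
        if summary is not None and ev["ts_ms"] - window_start <= window_ms:
            summary["count"] += 1
            summary["last_ts_ms"] = ev["ts_ms"]
        else:
            summary = dict(ev, count=1, last_ts_ms=ev["ts_ms"], aggregated_by=spec.name)
            window_start = ev["ts_ms"]
            out.append(summary)
    return out


def compare_broad_vs_specific(events: List[dict]) -> Tuple[int, int]:
    """Count what a severity-based rule drops versus an event-ID rule.

    Every constructed event is Informational, so the broad rule also discards
    the failed Telnet login and the Windows logon that nobody reviewed.
    """
    broad = Spec("drop all informational", {"Severity": "Informational"})
    specific = Spec("drop PIX TCP connection rejected", {"Event Info 4": "PIX-6-106015"})
    _, dropped_broad = apply_filters(events, [broad])
    _, dropped_specific = apply_filters(events, [specific])
    return len(dropped_broad), len(dropped_specific)


# The guide notes that the appliance's AntiVirus Disabled correlation rule
# fires on Symantec AntiVirus Application Stop events; excluding them in the
# collector's configuration file silently disables that rule.
CORRELATION_INPUTS = {"Application Stop": "AntiVirus Disabled"}


def exclusion_warnings(excluded_types: List[str]) -> List[str]:
    """Flag collector-side exclusions that starve an appliance correlation rule."""
    return [f"{t} feeds the {rule} correlation rule; do not filter it"
            for t, rule in CORRELATION_INPUTS.items() if t in excluded_types]


if __name__ == "__main__":
    print(compare_broad_vs_specific(SAMPLE_EVENTS))
    spec = Spec("netscreen mgmt", {"Destination Host name": "mgmt-host-01"})
    for ev in aggregate(SAMPLE_EVENTS, spec, 1000):
        print(ev.get("count", "-"), ev["Product"], ev["ts_ms"])
    print(exclusion_warnings(["Data Scan Start", "Application Stop"]))
```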


Section 5 Configuration options

Configuring the appliance after installation
Configuring Symantec Security Information Manager
Forwarding events to an Information Manager appliance
Managing Global Intelligence Network content
Running LiveUpdate
Working with Symantec Security Information Manager Configurations


Chapter 13 Configuring the appliance after installation

This chapter includes the following topics:

About the Information Manager Web configuration interface
Accessing the Security Information Manager Web configuration interface
Changing network settings
Specifying date and time settings
Specifying a network time protocol server
Changing the password for Linux accounts
Shutting down and restarting the appliance

About the Information Manager Web configuration interface

After you have run the installation program, you can use the Information Manager Web configuration interface to change appliance settings, including the following:

Network information such as IP address, DNS, and gateway servers
Date and time
NTP server
Password for Linux accounts such as root
Security certificates
Shutting down or restarting the appliance

Register collectors
Download and install the Symantec Event Agent
View system diagnostics

You also use the Information Manager Web configuration interface to install the Information Manager console on a remote computer.

Accessing the Security Information Manager Web configuration interface

Complete the following steps to access the Security Information Manager configuration page.

To access the Security Information Manager configuration page

1 Open a Web browser, and in the address bar, type the IP address of the appliance. By default, the appliance uses self-signed certificates, which cannot be verified by certificate authentication services such as VeriSign. If prompted, click Yes to accept the appliance certificate.

2 Type a username and password in the spaces provided.

Changing network settings

You can use the Information Manager Web configuration interface to change network settings.

Warning: Once you specify a domain name or accept the default name, you cannot change it without reinstalling the appliance software.

Changing the hostname or IP address of the primary Ethernet connection (eth0) creates a new self-signed certificate for the appliance. If you are using a signed certificate from a certificate authority (CA), you must generate a new signed certificate using the CA, and then install it via the Certificate Management page after changing the hostname or IP address.

If you change the host name or IP address of an Information Manager appliance, all remote agents that communicate with it must be configured to use the new settings. This requirement does not apply to the agents that are running on the appliance.

See your collector or agent documentation for information on reconfiguring to use the new settings.

To change the network settings

1 In the Web Configuration interface, click Network Settings.

2 In the General Settings section, type the host name.

3 In the Search Domain box, type the search domain for the appliance.

4 Optionally, enter the names of up to three Domain Name Servers in the boxes that are provided.

5 In the Network Interface 0 (eth0) Settings section, do the following: In the box that is provided, type the IP address for the first Ethernet connection in the appliance. In the Netmask box, optionally type the mask that is used for addresses in the network or subnet where the appliance will be used. In the Gateway box, type the IP address of the gateway server for the appliance.

6 If you are using the second Ethernet connection on the appliance, do the following in the Network Interface 1 (eth1) Settings section: In the box that is provided, type the IP address for the second Ethernet connection in the appliance. In the Netmask box, optionally type the mask that is used for addresses in the network or subnet where the appliance will be used. In the Gateway box, type the IP address of the gateway server for the appliance.

7 If you changed the IP address or the host name of Network Interface 0, complete the following steps. Otherwise, skip to step 8. Turn on Force hostname and eth0 IP address update. In the Username (DN) box, type a username with administrator rights for the current security directory that is used by the appliance. In the Password box, type a password. In the Domain box, type the domain that is used by the appliance. The default username for the security directory is cn=root. The default password is password.

8 Click Change Settings.

Specifying date and time settings

You can use the Information Manager Web configuration interface to specify the appliance date and time settings.

To specify the date and time settings
1 In the Web Configuration interface, click Date/Time Settings.
2 Use the controls that are provided to specify the date, time, and time zone settings.
3 Click Update.

Specifying a network time protocol server

If you want the Information Manager appliance to get time settings from a network time protocol (NTP) server, you can specify that by using the Information Manager Web configuration interface. By default, NTP synchronization is disabled.

To add and specify an NTP server
1 In the Web Configuration interface, click Date/Time Settings.
2 On the NTP Status tab, uncheck NTP Disabled.
3 On the Add NTP Server tab, type the address of the desired NTP server in the box provided, and then click Add.
4 On the NTP Status tab, click Apply.

To remove an NTP server
1 In the Web Configuration interface, on the Remove NTP Server tab, click the server to be deleted.
2 Click Delete.

Changing the password for Linux accounts

You can use the Information Manager Web configuration interface to change the password that is used for Linux administrative accounts such as root and simuser. Console accounts, such as administrator, are changed in the Information Manager console.

Note: To change system settings such as account passwords, do not attempt to manually run the scripts that are included on the appliance. You should be able to use the Information Manager Web configuration interface to accomplish most system-level tasks. If you need to perform an operation on an appliance that is not available through the Web Configuration interface or the Information Manager console, contact technical support for assistance.

To change the password for Linux accounts
1 In the Web Configuration interface, click Password Management.
2 In the Username box, type the name of a user account on the appliance.
3 Type the current password for the account in the space that is provided.
4 Type the new password and then confirm the new password in the spaces that are provided.
5 Click Change Password.

Shutting down and restarting the appliance

The Information Manager Web configuration interface provides options for shutting down and restarting the appliance. It is recommended that you use these options rather than powering down the appliance, because the Information Manager Web configuration interface options shut down services and leave the on-board database in a stable state.

To shut down or restart the appliance
1 In the Web Configuration interface, click Shutdown / Restart.
2 Do one of the following:
  - To restart the appliance, click Restart Now.
  - To shut down the appliance, click Shutdown Now.


Chapter 14 Configuring Symantec Security Information Manager

This chapter includes the following topics:
- About configuring Symantec Security Information Manager
- Preventing new Symantec Event Agent connections
- Adding a policy
- Specifying networks
- Identifying critical systems

About configuring Symantec Security Information Manager

For the proper functioning of the correlation rules, it is essential that you specify information that is used to determine incident severity. Key settings include specifying systems that host critical or sensitive information and systems that require high availability. You can also specify the networks that exist in your organization so that you can increase the priority of incidents based on the affected network. For example, incidents that affect networks that reside within your firewall can be assigned a higher priority than those that reside outside the firewall.

It is also helpful to specify which policies are used within your network. Information Manager includes default policies such as Sarbanes-Oxley or HIPAA. You can also add custom policies. Once you have defined the available policies, you can associate them with network computers when you add entries to the Assets list.

You should also create your list of response teams so that Information Manager can automatically assign incidents to these teams based on the rules settings. You use the Information Manager console to create the teams; however, the list of members that you can assign to those teams is maintained on the System page.

Another key factor in determining incident severity and the functioning of rules is the information that is stored in the knowledge base. Some of this information is provided by Global Intelligence Network Integration Manager, and some settings you can configure. For example, you can add entries to the IP watchlist.

Note: When you add a new policy or service to the Policies or Services lists, the new entries will not appear in the Event Criteria in the Rules Editor until you have restarted the console.

Preventing new Symantec Event Agent connections

After you configure all of the Symantec Event Agents that you are using and have verified that they are connected, you should disable the ability for new Agents to connect to an appliance without your permission. This is an important security measure that contributes to hardening the security on an appliance. If you need to add a new Agent or reestablish an existing connection, you can reenable this feature.

To prevent new Symantec Event Agent connections
1 In the Information Manager console, click System.
2 On the appliance configuration tab, expand the domain, and click the folder for the appliance that you would like to configure.
3 Under Appliance Options, place a check in the Disable Bootstrapping checkbox.
4 Click Apply.

To reenable new Symantec Event Agent connections
1 In the Information Manager console, click System.
2 On the appliance configuration tab, expand the domain, and click the folder for the appliance that you would like to configure.
3 Under Appliance Options, remove the check in the Disable Bootstrapping checkbox.
4 Click Apply.

Adding a policy

Complete these steps to add a policy.

To add a policy
1 In the Information Manager console, click System.
2 On the Administration tab, click Policies.
3 On the toolbar, click + (the plus icon).
4 Type a name and description in the spaces that are provided.
5 Click OK.

Specifying networks

Complete these steps to specify the networks that exist in your organization.

To specify a network
1 In the Information Manager console, click System.
2 On the Administration tab, click Networks.
3 On the toolbar, click + (the plus icon).
4 In the Create New Network dialog box, type a name for the network in the Name box.
5 In the Netmask box, type the address and subnet mask for the network.
6 Fill in the following optional information, if desired:
  - In the Physical Location box, type the location of the network.
  - In the Logical Location box, type the logical location of the network.
  - In the Description box, type a description of the network.
  - Check Auto-Updateable if you want the new entry to be overwritten when new network information is imported from a vulnerability scanner, such as Nessus.
7 Click OK.

Identifying critical systems

Complete the following steps to identify critical systems in your organization.

To identify critical systems
1 In the Information Manager console, click Assets.
2 On the toolbar, click + (the plus icon).
3 In the Asset Editor dialog box, in the IP Address box, type the IP address of the system.
4 Fill in the following optional information, if desired:
  - In the Host Name box, type the host name of the system.
  - In the MAC Address box, type the MAC address of the system.
  - In the DN box, type the Distinguished Name of the system.
  - In the Description box, type a description of the system.
5 In the Asset Priority area, select values for Confidentiality, Integrity, and Availability, if desired:
  Confidentiality  Value range 1 to 5, where level 5 means that the computer hosts content that must be maintained with the highest level of confidentiality.
  Integrity        Value range 1 to 5, where level 5 means that the computer hosts content that must be maintained with the highest level of integrity.
  Availability     Value range 1 to 5, where level 5 means that the computer hosts applications and content that must always be available for your business.
6 In the Additional Information area, fill in the following information, if desired:
  - The name of the organization that uses this system
  - The physical location of the system
  - The name of the operating system (OS) that is running on the system
  - The owner of the system
  - External ID information, if used
  - The version of the OS that is running on the system
7 Check Lock for Auto Update if you do not want the Assets list entry for this host to be overwritten when new information is imported from a vulnerability scanner, such as Nessus.
8 Click OK.

Chapter 15 Forwarding events to an Information Manager appliance

This chapter includes the following topics:
- About forwarding events to an Information Manager appliance
- About registering with a security directory
- Registering security products
- Registering with a security domain
- Forwarding events

About forwarding events to an Information Manager appliance

Event forwarding allows you to create distributed configurations that can handle higher event loads more efficiently. For example, you can have multiple appliances store events from security products, and then forward only those events that are needed for determining security incidents to a correlation appliance. The collection appliances store the uncorrelated events to support compliance with policies such as Sarbanes-Oxley, while the correlation appliance processes the forwarded events to allow monitoring of the security incidents in your network.

In this chapter, the term "collection appliance" refers to an instance of Information Manager that forwards events to another appliance. The terms "correlation appliance" and "destination appliance" refer to an instance of Information Manager that is the target of the event forwarding. Generally, this appliance is used for correlating events that are forwarded from collection appliances.

During Information Manager installation, one default event forwarding rule is created on the appliance to forward events from the event service to the correlation manager at 127.0.0.1. If you have multiple appliances, you may need to configure this forwarding rule to specify the destination appliance to which events will be forwarded. You may also choose to forward events to an event service on the destination appliance, instead of the correlation manager.

You can create additional event forwarding rules on a single instance of Information Manager for backup purposes, or if you want to store certain types of events separately. For example, you can set up one forwarding rule to send events to appliance A, and another forwarding rule to send events to appliance B. You can define event criteria to filter certain events to be forwarded to appliance A. Then you can specify that other types of events are forwarded to appliance B.

To configure event forwarding from an instance of Information Manager to an Information Manager appliance, you must do the following:
- Register each security product that you will be monitoring with the destination Information Manager appliance. See Registering security products on page 186.
- Use the Information Manager Web configuration interface to join the collection appliance with the security directory of the correlation appliance. See Registering with a security domain on page 187.
- Configure the collection appliance to forward events. See Forwarding events on page 187.

Note that you cannot create incidents manually on a collection appliance. To create a security incident manually, do so on the correlation appliance. Also, after you set up an instance of Information Manager as a collection appliance, you cannot reconfigure the appliance to correlate events using software settings.

If you will be forwarding events through a firewall, make sure that the ports required for the Information Manager appliances to communicate are open.

When the correlation appliance is unavailable, by default, the forwarding appliance will continue to queue events until the correlation appliance is available again. If the queue on the forwarding appliance fills up, the forwarding appliance will stop receiving events. When the forwarding appliance stops receiving events, the collectors will try to queue events until the forwarding appliance is able to accept events again.

The Event Criteria determine which events are forwarded to the destination appliance. You set event criteria in the Information Manager console, on the System page, Appliance Configurations tab. If the Event Criteria pane is empty, all events are sent to the appliance. If you add a condition to the Event Criteria, only the events that match that criteria are sent.

To view forwarded events, a user at the Information Manager console must have sufficient rights to view those types of events. If the product, domain, or organizational unit does not match those allowed by the Role assigned to the user, the events do not appear.

Note: SSIM Event Services cannot forward events to a correlation appliance if they cannot resolve the host name used to generate the correlation appliance's SSL certificate. To resolve this problem, add a domain name server (DNS) entry for the IP address and host name of the correlation appliance. Alternatively, you can add an entry for the IP address and host name of the appliance to the hosts file of the forwarding instance. However, this second option will not work on Microsoft Windows-based SSIM Event Services due to a defect in the Sun Java Virtual Machine (JVM) for that platform. A third option is to generate a new certificate for the appliance that is based on its IP address. See Registering security products on page 186.

If you forward events to an event service on the destination appliance, you can enable data encryption. The data encryption option is not available when you forward events to a correlation manager.

About registering with a security directory

Using the Register with remote appliance directory option configures an Information Manager collection appliance to use the same directory service as the correlation appliance. After registering, the collection appliance also inherits the same database configuration that the correlation appliance uses. If the correlation appliance is configured to use a local or remote database, then the collection appliance uses that same database to store event information.

However, if the correlation appliance is configured as a correlation-only appliance (event pass-through enabled, events not stored), the collection appliance inherits those same settings as well. In that case, you must create a new database configuration on the collection appliance if you want it to store events in its database. For information on creating database configurations, see the Information Manager online help.

After you register a collection appliance with a correlation appliance, the events stored in the collection appliance's database are no longer visible in queries and reports. Events stored in the collection appliance database are not copied into the database of the correlation appliance. To view the original collection appliance events, you can use the Register with remote appliance directory option to register the collection appliance back to itself. However, doing so results in the events that are stored in the correlation appliance database not being visible from the console in the collection appliance.

When specifying the name of the remote directory to which you are registering, make sure you specify the correct domain name, using the correct case (for example, Symantec.SES vs. symantec.ses). Directory service connections are not case sensitive, but database connections are. So entering the correct domain name with the wrong case results in the collection appliance being able to connect to the directory service of the correlation appliance, but not to the database. When this occurs, no events appear in queries and reports.

Note: When you register an appliance, the summarizers on the registered appliance are turned off as part of the registration process. In some cases you may want to reenable the summarizers. To reenable the summarizers, use the Web Configuration interface.

Registering security products

The Information Manager Web configuration interface provides a page to register and unregister the configuration settings and event schemas that the Information Manager appliance requires to recognize and log events from a security product.

To register a security product
1 In the Information Manager Web configuration interface, click Collector Registration.
2 On the Register Collector tab, in one or more of the boxes provided, type the path to the collector.sip file provided with the collector. You can select up to five files at one time. See your collector implementation guide for more information.
3 Click Begin registration.

To unregister a security product
1 In the Information Manager Web configuration interface, click Collector Registration.
2 On the Unregister tab, check one or more boxes to specify the collectors that you want to unregister.
3 Click Unregister selected collector(s).

Registering with a security domain

The Directory Registration option of the Information Manager Web configuration interface lets you add the appliance to the security domain of the destination appliance. The process of registering an Information Manager appliance to a second appliance's security directory may take 10 minutes or more.

To register an Information Manager appliance with a security domain
1 Log on to the Information Manager Web configuration interface configuration page as an administrator.
2 Click Directory Registration.
3 On the Directory Registration page, click Register.
4 Type the following information in the provided boxes:
  Hostname or IP Address  The host name or IP address of the external security directory.
  LDAP port               The LDAP communications port that is used by the security directory. The default is 636.
  LDAP cn=root password   The password for the cn=root account.
  Administrator           The Domain Administrator account on the remote appliance.
  Password                The SSIM Domain Administrator password for the external appliance.
  Domain                  The name of the remote security directory, such as Symantec.SES.
5 Click Register.
6 Configure the Information Manager appliance to forward events to the destination Information Manager appliance. See Forwarding events on page 187.

Forwarding events

You can configure the default event forwarding rule, and you can create additional event forwarding rules. You can later modify any event forwarding rule's option settings. You can also delete an existing event forwarding rule.

When an event is forwarded, the appliance that receives the events stores the events according to the Event Storage Rules that are configured for that appliance. To specify the archive in which the forwarded events are stored, configure the forwarding appliance to send the events to the receiving appliance, and then configure the receiving appliance to store the events in the appropriate archive.

Note: Before completing the following steps, make sure that you have connected network cabling between the collection and correlation appliances.

To configure the default event forwarding rule
1 In the Information Manager console, click System.
2 On the Appliance Configurations tab, expand the appliance that will be forwarding events to the correlation appliance, and click Event Forwarding Rules.
3 In the Inclusion filter area, for the default event forwarding rule, in most cases you should not insert any filter criteria. Leaving this area empty will ensure that all events are forwarded to the default correlation appliance. You can create additional event forwarding rules that specify forwarding criteria.
4 Under Primary and Failover Servers, type the host name or IP address of the correlation appliance.
5 Under Select the service to forward to, select one of the following:
  - To forward events to the correlation manager on the destination appliance, select Correlation Service. Go to step 7.
  - To save the events in the destination appliance's event archive, select Event Service. If you want the forwarded event data to be encrypted between the collection and correlation appliances, go to step 6.
6 To encrypt the event data between the collection and correlation appliances, select Event Service (Encrypted). If you choose to encrypt event data, the data is sent using HTTPS (port 443).
7 By default, event forwarding rules queue events on the host if the destination appliance is not available. If you do not want Information Manager to queue events, uncheck Queue events if target service is unavailable.
8 Click Apply.
9 Make sure that the appropriate event forwarding rule is checked in the left pane navigation tree. For example, if you want to enable the default event forwarding rule on a collection appliance named Denver, make sure that the Correlation Forwarding box under the Denver folder is checked.

To create a new event forwarding rule
1 In the Information Manager console, click System.
2 On the Appliance Configuration tab, expand the appliance to which you want to add an event forwarding rule.
3 On the toolbar, click + (the plus symbol).
4 In the Rule name box, type the name of the new rule.
5 By default, all events are forwarded. To limit the types of events that are forwarded, complete these bulleted steps in the following order:
  - In the Inclusion filter area, click Add (+).
  - In the left column, click an entry in the Common, Events, or Other Fields tabs.
  - In the middle column, specify a logical operator.
  - In the right column, specify the value that you are filtering on.
  - Repeat the above bulleted steps for any other conditions that you want to include.
6 To complete the configuration, use the steps in the procedure To configure the default event forwarding rule on page 188.

To delete an event forwarding rule (stop event forwarding to an appliance)
1 In the Information Manager console, click System.
2 On the Appliance Configuration tab, expand the appliance for which you want to delete an event forwarding rule.
3 Select the rule that you want to delete.
4 In the toolbar, click Remove (-).
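The forwarding behaviour this chapter describes (an empty inclusion filter forwards every event, a filter forwards only matching events, several rules can target different appliances, and a rule queues events while its target is unavailable until the queue fills and the forwarder stops accepting events) is modelled in the following added Python example. It is illustrative code written for this guide, not Information Manager code: the rule names, destination host names, the set of filter operators, the queue capacity of two and the sample events are all constructed assumptions.

```python
"""Model of Information Manager event forwarding rules (constructed example).

Not Information Manager code: rule names, destinations, operators, queue
sizes and sample events are all assumptions made for this illustration.
"""
from collections import deque
import operator

# Logical operators an inclusion-filter condition may use (assumed set)
OPERATORS = {
    "=": operator.eq,
    "!=": operator.ne,
    "contains": lambda field_value, wanted: wanted in field_value,
}


class ForwardingRule:
    """One rule: inclusion filter, destination appliance and local queue."""

    def __init__(self, name, destination, conditions=(), queue_events=True,
                 queue_capacity=1000):
        self.name = name
        self.destination = destination
        self.conditions = list(conditions)   # (field, operator, value) triples
        self.queue_events = queue_events     # "Queue events if target service is unavailable"
        self.queue_capacity = queue_capacity
        self.queue = deque()
        self.forwarded = []                  # events delivered to the destination
        self.dropped = 0                     # events discarded because queuing is off

    def matches(self, event):
        """An empty inclusion filter forwards every event."""
        return all(OPERATORS[op](str(event.get(field, "")), value)
                   for field, op, value in self.conditions)

    def queue_full(self):
        return self.queue_events and len(self.queue) >= self.queue_capacity

    def deliver(self, event, target_up):
        if target_up:
            self.flush()
            self.forwarded.append(event)
        elif self.queue_events:
            self.queue.append(event)
        else:
            self.dropped += 1

    def flush(self):
        """Send queued events once the destination is reachable again."""
        while self.queue:
            self.forwarded.append(self.queue.popleft())


class Forwarder:
    """Collection appliance side: every rule is applied to each event."""

    def __init__(self, rules):
        self.rules = rules
        self.target_up = {}

    def set_target_up(self, destination, up):
        self.target_up[destination] = up
        for rule in self.rules:
            if up and rule.destination == destination:
                rule.flush()

    def accept(self, event):
        """Return False (stop receiving) when a matching rule's queue is full."""
        matching = [r for r in self.rules if r.matches(event)]
        if any(not self.target_up.get(r.destination, True) and r.queue_full()
               for r in matching):
            return False
        for rule in matching:
            rule.deliver(event, self.target_up.get(rule.destination, True))
        return True


def run_demo():
    """Drive the model with constructed events and report the outcome."""
    rules = [
        # Default rule: empty filter, so every event goes to appliance A
        ForwardingRule("Correlation Forwarding", "appliance-a.example"),
        # Second rule: only firewall events go to appliance B; tiny queue
        ForwardingRule("Firewall to B", "appliance-b.example",
                       conditions=[("product", "=", "Firewall")], queue_capacity=2),
    ]
    fwd = Forwarder(rules)
    fwd.set_target_up("appliance-a.example", True)
    fwd.set_target_up("appliance-b.example", False)   # B unreachable for now
    events = [  # constructed sample events
        {"id": 1, "product": "Firewall", "severity": 3},
        {"id": 2, "product": "IDS", "severity": 5},
        {"id": 3, "product": "Firewall", "severity": 1},
        {"id": 4, "product": "Firewall", "severity": 4},
    ]
    accepted = [fwd.accept(e) for e in events]      # 4th refused: B's queue is full
    fwd.set_target_up("appliance-b.example", True)   # B returns; its queue flushes
    late = fwd.accept(events[3])                     # collector resends the refused event
    return {"accepted": accepted, "late_accepted": late,
            "a_ids": [e["id"] for e in rules[0].forwarded],
            "b_ids": [e["id"] for e in rules[1].forwarded],
            "b_queued": len(rules[1].queue)}
```

Running run_demo() shows the two points practitioners most often miss: a full queue on one rule stops the whole forwarder from accepting events, which is why the collectors must queue on their side, and unchecking the queue option (queue_events=False) turns the same outage into silent event loss instead of back-pressure.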


Chapter 16 Managing Global Intelligence Network content

This chapter includes the following topics:
- About managing Global Intelligence Network content
- Registering a Global Intelligence Network license
- Viewing Global Intelligence Network content status
- Receiving Global Intelligence Network content updates

About managing Global Intelligence Network content

Symantec Security Information Manager provides features that allow you to configure your appliance to use Global Intelligence Network (previously known as DeepSight) content. This content includes rules, virus definitions, recommended procedures for resolving known security vulnerabilities, and much more.

From the Information Manager Web configuration interface, you can register a Global Intelligence Network license, import and export Global Intelligence Network content, and configure the appliance to get Global Intelligence Network updates from a proxy computer. The ability to import and export Global Intelligence Network content or to get updates from a proxy server allows the appliance to maintain current security content without being connected to the Internet.

Registering a Global Intelligence Network license

If you purchased Symantec Security Information Manager Platinum support, complete the following steps to activate your Global Intelligence Network content updates.

Note: By default, the Microsoft Internet Explorer Enhanced Security Configuration feature is enabled in Internet Explorer in Windows Server 2003. To import the license, you may need to add the URL of the appliance to the list of Trusted Sites. See Microsoft Internet Explorer Help for more information.

To register a Global Intelligence Network license
1 From the Information Manager Web configuration interface, in the left pane, click GIN Configuration.
2 On the Global Network Integration Manager Utilities window, click License. The page displays the content of the current license file, if there is one, as well as options that let you import a license and remove a license.
3 Click Browse, and then navigate to the Global Intelligence Network license file.
4 When you locate the file, click Open.
5 Click Import License.

Viewing Global Intelligence Network content status

The Status page provides the following information:
- The status of the server that is providing updated security content
- The status of the Global Intelligence Network content license
- The status of the server database that caches Global Intelligence Network content
- The timestamps of any updates that have occurred

To view Global Intelligence Network content status
From the Information Manager Web configuration interface, click GIN Configuration. The Status page displays information about the security content server, the content license, and the server database. It also displays timestamps for the latest content updates.

In the Content License Status area, you can see the number of days before the license expires, along with the expiration date. If you have multiple licenses, the latest expiration date appears.

Receiving Global Intelligence Network content updates

The Global Intelligence Network Integration Manager Utilities page provides controls for you to specify the source for the following security content updates:
- Internet connection to Global Intelligence Network
- Another server inside your organization
- LiveUpdate packages. See About running LiveUpdate on page 197.

The Global Intelligence Network Integration Manager Utilities page also lets you specify proxy server settings, if you need to receive updates through a proxy server.

To receive Global Intelligence Network content from an Internet connection
1 From the Information Manager Web configuration interface, click GIN Configuration.
2 Click Configuration.
3 In the Source of Security Content area, click Global Intelligence Network Internet Service. In order to select this option, you must have an active license.
4 In the Global Intelligence Network Server Settings area, make sure that the DataFeed Service URL is set to the following: https://deepsightinfo.symantec.com/datafeeds2/datafeed.asmx
  Note that if you use an IP address instead of deepsightinfo.symantec.com, the proxy test will fail.
5 In the Global Intelligence Network Server Settings area, make sure that the IP Service URL is set to the following: https://deepsightinfo.symantec.com/deepsight/intelligence.asmx
  Note that if you use an IP address instead of deepsightinfo.symantec.com, the proxy test will fail.
6 In the DataFeed Polling Interval box, specify how often the appliance will check for updates.

7 In the IP Polling Interval box, specify how often the appliance will check for updates to the IP watchlist. This is the list of IP addresses that are known to be associated with security exploits.
8 In the IP Address Limit box, specify how many IP addresses to download with each update.
9 Click Save.

To receive Global Intelligence Network content updates from a network server
1 From the Information Manager Web configuration interface, click GIN Configuration.
2 Click Configuration.
3 In the Source of Security Content area, click Another Global Intelligence Network Integration Manager Server.
4 In the Global Intelligence Network Integration Manager Server Chaining area, in the Global Intelligence Network Integration Manager Server Host box, type the hostname or IP address of the Information Manager appliance that will provide content updates.
5 In the Global Intelligence Network Integration Manager Polling Interval box, specify how often (in minutes) the appliance will check for updates. For example, if you want to update every hour, type 60. If you want to disable this function, type 0.
6 Click Save.

To receive Global Intelligence Network content via LiveUpdate
1 From the Information Manager Web configuration interface, click GIN Configuration.
2 Click Configuration.
3 In the Source of Security Content area, click Static.
4 Click Save.

To specify proxy server settings
1 From the Information Manager Web configuration interface, click GIN Configuration.
2 Click Configuration.
3 In the Proxy Server Settings area, ensure that Use Proxy Server is checked.
4 In the HTTPS/Secure Proxy Server box, type the URL of the proxy server.

5 In the HTTPS/Secure Proxy Port box, type the port that is used to communicate with the proxy server.
6 If the proxy server you are using requires a username and password to connect, type them in the HTTPS/Secure Proxy Username and HTTPS/Secure Proxy Password boxes, respectively.
7 Click Save.


Chapter 17 Running LiveUpdate

This chapter includes the following topics:
- About running LiveUpdate
- Running LiveUpdate from the Information Manager Web configuration interface

About running LiveUpdate

You can use LiveUpdate to obtain the latest Symantec Security Information Manager software updates. The LiveUpdate process requires that you run updates from the following places:
- The Information Manager Web configuration interface
- The Information Manager console

Running LiveUpdate from the Information Manager Web configuration interface

The options in the Information Manager Web configuration interface allow you to get updates for software components such as event collectors, relays, security content, rules, and filters.

To run LiveUpdate from the Information Manager Web configuration interface
1 From the Symantec Security Information Manager configuration page, in the left pane, click LiveUpdate.
2 In the Update column, check the box to select the components that you want to update, and then click Update. By default, all components are selected.


Chapter 18 Working with Symantec Security Information Manager Configurations

This chapter includes the following topics:
- Introducing the Symantec Security Information Manager configurations
- Manager configurations
- Increasing the minimum free disk space requirement in high logging volume situations
- Manager Components Configurations
- Manager connection configurations
- Agent Connection Configurations
- Agent configurations
- Managing the Manager

Introducing the Symantec Security Information Manager configurations

Symantec Security Information Manager relies on Agents, a Symantec Security Information Manager Directory, a Symantec Security Information Manager DataStore, a Manager, and archives to collect, store, process, and report security events to the Information Manager console. These components also distribute configuration changes to Information Manager and integrated products.

The Information Manager configurations let you configure these components.

Note: You can create customized configurations for each of the collectors that are installed. For more information on creating collector configurations, see the documentation that is provided with each collector.

Manager configurations

Manager configurations hold common Manager settings that may affect one or more of the Manager components across Managers. These common settings include selecting the Information Manager Directory and DataStore for the domain, and setting throttle options that control connection attempts to Managers. Table 18-1 lists the tabs on which you can change settings for Manager configurations.

Table 18-1 Manager Configuration tabs

General: Contains the name, description, and modification date of the configuration.

Throttle: Lets you balance security against scalability on a Manager by controlling when or how often events are sent to the Information Manager DataStore. For example, you can set a threshold for all Managers so that when an Agent contacts a Manager too many times in a given time period, that computer is denied access to the Manager for an allotted time. Shorter timeouts protect the Manager more aggressively against hyperactive clients and denial-of-service (DoS) attacks; longer time allotments can improve server performance and avoid false positives, in which a legitimately busy client is treated as hyperactive.

Client Validation: Controls how Information Manager validates clients. For example, on this tab you can set how Information Manager reacts to clients that present bogus passwords. If Information Manager attempts to validate a client and fails, the client is blacklisted until the entry times out. This tab lets you set how long those timeouts last.

Web Server: This tab is deprecated and should not be used.

Other: Contains miscellaneous settings that let you fine-tune the operation of your Manager. For example, one setting configures the minimum disk space that must be free before the Manager suspends logging and its other functions. See Increasing the minimum free disk space requirement in high logging volume situations on page 201.

Increasing the minimum free disk space requirement in high logging volume situations

The Other tab of the Manager Configurations includes the Free Space Minimum Size property, which specifies the amount of free disk space that the Manager needs to function properly. Free space is checked every two minutes, and an event is created if it is less than the specified minimum. In an environment that generates a high volume of log messages, you should increase the free space minimum size.

To increase the free space minimum size

1 In the Information Manager console, on the System page, on the Product Configurations tab, expand the domain, and click Manager Configuration.

2 Select the custom configuration that you want to edit. You cannot edit the Default configuration.

3 In the right pane, on the Other tab, for the Free space minimum size property, increase the value to meet the needs of your environment. By default, the free space minimum size is 50 MB. In an environment with a high volume of log messages, increase the minimum to at least 100 MB. If the Manager is installed on the operating system drive, set the free space minimum to at least 2 GB.

4 Click Save.

Manager Components Configurations

Manager Components Configurations contain specific settings for each of the Manager components. They let you configure the settings for each component individually, based on the component's configuration requirements. These components generally refer to specific services within the Manager, such as the Event Logging subsystem or the Configuration Service. Table 18-2 lists the tabs on which you can change settings for the Manager Components Configurations.

Table 18-2 Manager Components Configurations tabs

General: Contains the name, description, and modification date of the configuration.

Notifications: Contains the email and retry settings that are used by the alert servlet. These settings control how alerts are sent from Information Manager.

Configuration: Lets you configure the Information Manager Configuration Service by specifying how many times a client can request its configuration during a polling interval. If a client exceeds this value, it is flagged as hyperactive and is not allowed to get its configuration again for a configured interval.

Command: Controls the settings for the command servlet. When you use the Distribute option to initiate the distribution of configurations, the Command Servlet contacts each computer that uses the configuration and notifies it to reload its configuration. These settings let you throttle how many Agents are notified in a given period of time, and can be adjusted for your environment. If you set the throttle too high, you risk overloading your Managers; if you set it too low, it can take a long time to push new settings to a large number of computers.

Administrative: Lets you modify administrative protections such as how long a console session can be idle before it times out. You can lengthen the session idle interval to keep the console from timing out quickly, or shorten it to increase security. You can also specify the character set that the console uses to export information: US English ANSI, or Unicode encoding for most double-byte character sets, such as Japanese.

SNMP: Contains the settings that control how alert notifications are sent to an SNMP server. You can specify the host, port, and community of the SNMP server to which alerts are forwarded, as well as the version of SNMP traps to send to that server.

LiveUpdate: Lets you schedule a one-time update for the Manager, as well as several retry and delay settings that relate to updating the Manager using LiveUpdate.

Modifying administrative settings

You can control the following behaviors of the Information Manager console by changing administrative settings:

  How long a console session is idle before timing out
  The character set that is used when you export reports
  How Information Manager responds to repeated failed logon attempts

To modify administrative settings

1 In the Information Manager console, on the System page, on the Product Configurations tab, expand the domain, and click Manager Components Configurations.

2 Select the custom configuration that you want to edit. You cannot edit the Default configuration.

3 In the right pane, on the Administrative tab, next to Session idle interval, do one of the following:

  To increase the time before the Information Manager console times out, type a higher value. Increase the value if you do not want the console session to time out so quickly.
  To decrease the time before the Information Manager console times out, type a lower value. Lower the value to increase security.

4 If the DataStore contains double-byte characters for languages such as Japanese, next to Export character set selector, check the check box. This configures the Manager to export data in Unicode encoding, which lets you export reports with double-byte characters to HTML or CSV formats.

5 If necessary, configure the blacklist settings. See Setting up blacklisting for logon failures on page 212.

6 To compress the results, check the Compress the results check box.

7 To set the number of event records that is initially downloaded for a report, change the value of the Number of report rows to load into console property.

8 Click Save.

Manager connection configurations

Manager connection configurations let you configure failover for Managers. Failover is the ability of Information Manager components to automatically switch to designated secondary resources if the primary resource fails or terminates abnormally. You can configure Manager to Directory failover. After you configure failover, distribute the configurations to the Managers that require failover protection. Table 18-3 lists the tabs on which you can change the failover settings for the Manager.

Table 18-3 Manager Connection Configurations tabs

General: Contains the name, description, and modification date of the configuration.

SSIM Directory Failover: Lets you specify the primary Information Manager Directory and control how failover takes place when that Information Manager Directory becomes unavailable. See Configuring Manager to Information Manager Directory failover on page 205.

Configuring Information Manager Directories

Failover is the ability of the Manager to automatically switch to a standby Information Manager Directory if the primary Information Manager Directory fails or terminates abnormally. The SSIM Directory Failover tab of the Manager Connection Configurations lets you do more than configure Information Manager Directory failover. You can use this tab for either of the following:

  Configuring Manager to Information Manager Directory failover
  Logging Information Manager Directory connection failures

Configuring Manager to Information Manager Directory failover

You configure Information Manager Directory failover to identify a primary Information Manager Directory and to specify how failover should occur, including the number of retry attempts, the time between retry attempts, and whether log messages are generated. The Information Manager Directories to which you fail over must be installed and configured before you complete the Information Manager Directory failover configuration. These Directories should be read-only replicas.

Note: Read-only replica Directories provide access to the Manager but cannot be edited. When a failover occurs, a message notifies users that the domain is using a read-only replica and that modifications cannot be made.

To configure Manager to Information Manager Directory failover

1 In the Information Manager console, on the System page, on the Product Configurations tab, expand the domain, and click Manager Connection Configurations.

2 Select the custom configuration that you want to edit. You cannot edit the Default configuration.

3 In the right pane, on the SSIM Directory Failover tab, next to the Primary Directory text box, click the browse button (...).

4 In the Find Directories dialog box, in the Available Directories list, select a directory to be the Primary Directory.

5 Click OK.

6 On the SSIM Directory Failover tab, check Enable automatic Directory failover.

7 Under Primary Directory Failover, do the following:

  In the Reconnect attempts before failover text box, type the number of times that the Manager should attempt to connect to the Primary Directory before it fails over to the Information Manager Directory with the nearest LDAP suffix.
  In the Seconds between reconnect attempts text box, type the time interval in seconds that elapses between reconnect attempts.

8 Under Secondary Directory Failover, do the following:

  In the Reconnect attempts before failover text box, type the number of times that the Manager should attempt to connect to the initial Secondary Directory before it fails over to the next Information Manager Directory.
  In the Seconds between reconnect attempts text box, type the time interval in seconds that elapses between reconnect attempts.

9 To have the Manager automatically attempt to fail back to the primary Information Manager Directory, do the following:

  Ensure that Enable automatic failback recovery is checked.
  In the Seconds between failback connection attempts text box, type the number of seconds that should elapse between failback attempts.

10 Click Save.

Logging Information Manager Directory connection failures

A connection failure event can cause a failover; however, connection failures are a broader category of events. They can occur any time there is a problem with the connection between the Manager and the Information Manager Directory, regardless of whether the connection failure causes failover, or whether failover is enabled.

To specify how Information Manager Directory connection failures are logged

1 In the Information Manager console, on the System page, on the Product Configurations tab, expand the domain, and click Manager Connection Configurations.

2 Select the custom configuration that you want to edit. You cannot edit the Default configuration.

3 In the right pane, on the SSIM Directory Failover tab, scroll to the bottom of the tab.

4 To configure what happens when connection failure events occur, do one or more of the following:

  Write an event to the SSIM DataStore when a connection failure occurs: check this box to log an Information Manager event when there is a connection failure.
  Write an event to the system log when a connection failure occurs: check this box to log a system event when there is a connection failure.
  Generate an SNMP trap when a connection failure occurs: check this box to generate an SNMP trap when there is a connection failure.
  Generate a Multiple Connection Failure Event: to generate a single event when multiple connection failures occur, type a number in the Number of connection failures that must occur text box, and type a time period in the Time period (seconds) of connection failures text box. When the specified number of connection failures occurs within the specified time period, one event is logged.

5 Click Save.

Agent Connection Configurations

Agent Connection Configurations let you configure Agent to Manager failover. Failover is the ability of Information Manager components to automatically switch to designated secondary resources if the primary resource fails or terminates abnormally. After you configure failover, distribute the configurations to the computers that require failover protection. Table 18-4 lists the tabs on which you can change the failover settings for the Agent.

Table 18-4 Agent Connection Configurations tabs

General: Contains the name, description, and modification date of the configuration.

SSIM Manager Failover: Lets you specify the primary Manager and an ordered list of Managers to which the Agent can fail over if the primary Manager becomes unavailable.

Configuring Agent to Manager failover

You configure Manager failover to identify a primary Manager and to provide an ordered list of failover Managers to which the Agent can connect if the primary Manager fails.

To configure Agent to Manager failover

1 In the Information Manager console, on the System page, on the Product Configurations tab, expand the domain, and click Agent Connection Configurations.

2 Select the custom configuration that you want to edit. You cannot edit the Default configuration.

3 In the right pane, on the SSIM Manager Failover tab, next to the Primary Manager text box, click the browse button (...).

4 In the Find Computers dialog box, do one of the following:

  To proceed without modifying the Available computers list, select a computer to be the primary Manager, and then continue at step 6. The Available computers list shows all Managers for the domain, up to the number of computers indicated by the Maximum search count text box.
  To narrow the Available computers list, enter search criteria, click Start Search, and then, in the revised Available computers list, select the computer to be the primary Manager.

5 Click OK.

6 On the SSIM Manager Failover tab, check Enable automatic Manager failover.

7 Under Primary Manager Failover, do the following:

  In the Reconnect attempts before failover text box, type the number of times that the Agent should attempt to connect to the Primary Manager before it fails over to the first Manager in the Secondary Managers list.
  In the Seconds between reconnect attempts text box, type the time interval in seconds that elapses between reconnect attempts.

8 Under Secondary Manager Failover, do the following:

  In the Reconnect attempts before failover text box, type the number of times that the Agent should attempt to connect to the initial Secondary Manager before it fails over to the next computer in the Secondary Managers list.
  In the Seconds between reconnect attempts text box, type the time interval in seconds that elapses between reconnect attempts.

9 To create an ordered list of failover Managers, do the following:

  Below the Secondary (failover) Managers list, click Add.
  In the Find Computers dialog box, in the Available computers list, select the computer that you want to make the first failover Manager. If you cannot immediately find the computer that you want, on the left side of the dialog box, enter search criteria, click Start Search, and then, in the Available computers list, select a computer.
  Click Add.
  Continue selecting and adding computers in the order in which you want them to be used for failover.
  Click OK. The computers that you selected are added to the Secondary (failover) Managers list.
  To change the order of the failover Managers, select a Manager and use the Move Up and Move Down arrows to the right of the list to move it relative to the other Managers in the list.

10 To have the Agent automatically attempt to fail back to the primary Manager, do the following:

  Ensure that Enable automatic failback recovery is checked.
  In the Seconds between failback connection attempts text box, type the number of seconds that should elapse between failback attempts.
  In the Maximum failback retry period text box, type the maximum amount of time to wait before all failback attempts end and a new permanent primary Manager is established. After a new permanent primary Manager is established, if you want to restore the connection between the Agent and the original Manager, you must do it manually, using the Primary Manager drop-down list.

11 To generate a single event when multiple connection failures occur, under Generate a Multiple Connection Failure Event, do the following:

  In the Number of connection failures that must occur text box, type a number.
  In the Time period (seconds) of connection failures text box, type a time period.

When the specified number of connection failures occurs within the specified time period, one event is logged. If you enable Manager failover, connection failure events occur with the same frequency as failovers, based on the values for reconnect attempts. If you do not enable failover, connection failures can still occur; the values you provide here determine how often events are logged for them.

12 Click Save.

Agent configurations

Agent configurations describe how Agents behave and how they communicate with their corresponding Managers. The settings include which primary and secondary server to connect to, how to get configuration information and report inventory, and how these computers should receive LiveUpdate information.
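The failover settings in the two procedures above (Manager to Directory, and Agent to Manager with its ordered secondary list and failback retry period) are easier to reason about when the state machine is written out. The following Python is an added example for this page, not code from Symantec or from Information Manager. The class and method names, the reachability callback that stands in for opening a connection, and counting the maximum failback retry period in attempts rather than seconds are assumptions made for illustration; the setting names in the comments are the ones on the SSIM Manager Failover tab.

```python
"""Added example (not Symantec code): simulate the Agent to Manager failover
settings from the SSIM Manager Failover tab.  Manager to Directory failover
follows the same sequence.  Host names, the reachability callback and the
attempt-based failback period are assumptions for illustration."""
import time
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class FailoverSettings:
    primary_reconnect_attempts: int = 3      # Reconnect attempts before failover (Primary)
    secondary_reconnect_attempts: int = 2    # same setting under Secondary Manager Failover
    seconds_between_attempts: float = 0.0    # Seconds between reconnect attempts (0 so the demo is instant)
    failback_enabled: bool = True            # Enable automatic failback recovery
    seconds_between_failback: float = 0.0    # Seconds between failback connection attempts
    max_failback_attempts: int = 3           # stands in for Maximum failback retry period (assumption)


class ManagerFailover:
    """Which Manager an Agent talks to, given an ordered list of fallbacks."""

    def __init__(self, primary: str, secondaries: List[str],
                 reachable: Callable[[str], bool],
                 settings: Optional[FailoverSettings] = None) -> None:
        self.primary = primary
        self.secondaries = list(secondaries)        # tried top to bottom, as ordered in the console
        self.reachable = reachable                  # stands in for opening the Manager connection
        self.cfg = settings or FailoverSettings()
        self.current: Optional[str] = None
        self.events: List[str] = []                 # what the Agent would log or raise as events

    def _try_connect(self, host: str, attempts: int) -> bool:
        for n in range(1, attempts + 1):
            if self.reachable(host):
                return True
            self.events.append(f"connection failure: {host} attempt {n}/{attempts}")
            time.sleep(self.cfg.seconds_between_attempts)
        return False

    def connect(self) -> Optional[str]:
        """Try the primary, then each secondary in order, until one answers."""
        if self._try_connect(self.primary, self.cfg.primary_reconnect_attempts):
            self.current = self.primary
            return self.current
        for host in self.secondaries:
            self.events.append(f"failover: trying {host}")
            if self._try_connect(host, self.cfg.secondary_reconnect_attempts):
                self.current = host
                return self.current
        self.current = None                         # nothing reachable: the real Agent caches events locally
        self.events.append("no Manager reachable; caching events locally")
        return None

    def failback(self) -> Optional[str]:
        """Try to return to the primary.  When the retry period is exhausted, the
        Manager we are on becomes the permanent primary; the guide notes that
        undoing this later is a manual change to the Primary Manager setting."""
        if not self.cfg.failback_enabled or self.current in (None, self.primary):
            return self.current
        for _ in range(self.cfg.max_failback_attempts):
            if self.reachable(self.primary):
                self.current = self.primary
                self.events.append(f"failback: reconnected to {self.primary}")
                return self.current
            time.sleep(self.cfg.seconds_between_failback)
        self.events.append(f"failback abandoned: {self.current} is now the permanent primary")
        self.primary = self.current
        return self.current


if __name__ == "__main__":
    up = {"mgr-b.example.net"}                       # constructed outage: primary and mgr-a are down
    fo = ManagerFailover("mgr-0.example.net", ["mgr-a.example.net", "mgr-b.example.net"],
                         lambda host: host in up)
    print("connected to", fo.connect())
    print("after failback:", fo.failback(), "primary is now", fo.primary)
    print("\n".join(fo.events))
```

The practical consequence of the last branch is the one to plan around: once the failback retry period runs out, the Agent silently adopts the secondary as its primary and the original Manager is no longer tried, so set the retry period longer than the outage you expect to recover from, and watch for the multiple-connection-failure events the same procedure lets you configure.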
Table 18-5 lists the tabs on which you can change settings for Agent Configurations.

Table 18-5 Agent Configuration tabs

General: Contains the name, description, and modification date of the configuration.

Configuration: Lets you specify how often the Agent Configuration Provider should check with its Manager for configuration updates. This value is independent of using Distribute to send configurations to the Agent directly through the Command Servlet; it sets how long the Agent waits before asking for new configurations if it is not contacted sooner.

Inventory: Lets you configure the Agent Inventory Provider to report inventory information for each Agent. The inventory lists which components are installed on the Agent and their versions. You can set how often to report inventory, and how long to wait between failed inventory attempts.

State: Lets you configure the Agent State Provider to report state information for all Agent providers. Each provider is given the opportunity to report its operational state to its Manager, including which Manager it is currently connected to, what its starting mode is, and which configuration it currently uses.

Logging: Manages the Information Manager Event Logging Provider so that all events that are logged through the Agent are sent reliably to its Manager. The logging provider stores events locally if it cannot forward them immediately. You can specify the listening port, which Manager servlet to contact, and how to cache events before sending them to the Manager; many of these settings control how events are forwarded. You can also specify the Statistics reporting interval. If you change the Logging Servlet value to an incorrect value, the Agent may no longer be able to forward events to its Manager.

LiveUpdate: Lets you schedule a one-time LiveUpdate for the Agent. You can also set several retry and delay settings that relate to running a LiveUpdate session on the Agent.

Managing the Manager

The Manager supports many common administrative tasks.

Setting up blacklisting for logon failures

Repeated failed attempts to log on to the Information Manager console may indicate an attempt to break in to the system. Information Manager blacklists the computers from which repeated failed logon attempts are made. The Administrative tab lets you control how Information Manager responds to logon failures.

To set up blacklisting for logon failures

1 In the Information Manager console, on the System page, on the Product Configurations tab, expand the domain, and click Manager Components Configurations.

2 Select the custom configuration that you want to edit. You cannot edit the Default configuration.

3 On the Administrative tab, to control how Information Manager handles blacklisting for logon failures, set the following:

  Blacklist threshold time: the window of time during which failed logon attempts are accumulated. When the accumulated count exceeds the blacklist threshold count, the IP address from which the logon attempts originate is added to the blacklist.
  Blacklist threshold count: the number of failed logon attempts, within the blacklist threshold time, that causes an IP address to be placed on the blacklist.
  Blacklist entry duration: the length of time that the IP address remains on the blacklist before it is automatically removed and logons from that IP address are again permitted.

4 Click Save.
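The three settings above define a sliding window: failures are counted per source IP inside the threshold time, and reaching the threshold count lists the address for the entry duration. The same shape is behind the Throttle tab and Client Validation tab in Table 18-1, the hyperactive-client flag of the Configuration Service in Table 18-2, and the Generate a Multiple Connection Failure Event setting in the failover procedures. The following Python is an added example for this page, not code from Symantec or from Information Manager; the class and method names, passing the clock in explicitly, the reset-on-success rule, and the choice to list an address when the count reaches (rather than exceeds) the threshold are assumptions for illustration.

```python
"""Added example (not Symantec code): a per-IP logon-failure blacklist with the
three Administrative tab settings.  Names, the injected clock and the
reset-on-success rule are assumptions for illustration."""
from collections import defaultdict, deque
from typing import Deque, Dict


class LogonBlacklist:
    def __init__(self, threshold_time: float, threshold_count: int,
                 entry_duration: float) -> None:
        self.threshold_time = threshold_time      # Blacklist threshold time (seconds)
        self.threshold_count = threshold_count    # Blacklist threshold count
        self.entry_duration = entry_duration      # Blacklist entry duration (seconds)
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)   # recent failure times per IP
        self._listed_until: Dict[str, float] = {}                      # IP -> time the entry expires

    def is_blacklisted(self, ip: str, now: float) -> bool:
        expiry = self._listed_until.get(ip)
        if expiry is None:
            return False
        if now >= expiry:                          # entry timed out: removed automatically
            del self._listed_until[ip]
            return False
        return True

    def record_failure(self, ip: str, now: float) -> bool:
        """Add one failure; return True if it puts ip on the blacklist."""
        window = self._failures[ip]
        window.append(now)
        while window and now - window[0] > self.threshold_time:
            window.popleft()                       # forget failures outside the threshold time
        # The guide says both "larger than the threshold count" and "the number of
        # attempts that causes blacklisting"; this example lists on reaching it.
        if len(window) >= self.threshold_count:
            self._listed_until[ip] = now + self.entry_duration
            window.clear()
            return True
        return False

    def attempt_logon(self, ip: str, password_ok: bool, now: float) -> str:
        """Returns 'blacklisted', 'ok', 'denied' (bad password) or 'listed'
        (this failure tripped the threshold).  A listed address is refused even
        with the right password, which is the protection and also the lockout risk."""
        if self.is_blacklisted(ip, now):
            return "blacklisted"
        if password_ok:
            self._failures[ip].clear()             # assumption: a successful logon resets the count
            return "ok"
        return "listed" if self.record_failure(ip, now) else "denied"


if __name__ == "__main__":
    # Constructed sequence: three bad passwords in 20 s from one address,
    # then a correct one while it is listed, then one after the entry expires.
    bl = LogonBlacklist(threshold_time=60, threshold_count=3, entry_duration=300)
    for t, ok in ((0, False), (10, False), (20, False), (30, True), (320, True)):
        print(t, bl.attempt_logon("203.0.113.7", ok, t))
```

Two points the code makes visible: the listing is keyed on source IP, so every console user behind the same NAT or proxy egress shares one entry and an attacker who can send a handful of bad passwords from that address locks all of them out for the entry duration; and failures older than the threshold time drop out of the window, so a slow guessing attack that stays under the count per window is never listed and only shows up if you also log the individual failures.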

Section 6
Managing appliance data

  Managing the directory service
  Maintaining the Symantec Security Information Manager database


Chapter 19
Managing the directory service

This chapter includes the following topics:

  About LDAP backup and restore
  Backing up the security directory
  Restoring the security directory

About LDAP backup and restore

Symantec Security Information Manager provides utilities to perform Lightweight Directory Access Protocol (LDAP) backup and restore of the security directory on demand. Each utility calls a set of IBM tools in a script. You access these utilities through the Information Manager Web configuration interface.

Backing up the security directory

To perform an LDAP backup operation, you must use an account that has administrative privileges, such as cn=root.

To back up the security directory

1 From the Information Manager Web configuration interface, click Database Utilities.

2 On the LDAP Backup tab, enter the logon credentials for cn=root. At the bottom of the page, you can view the status of the job as it runs. Working with the console during backup may result in authentication errors, because the directory server shuts down during the process.

The first time you perform a backup, a file called ldifbackup is created in this folder:

  dbsesa/backup/ldap

Thereafter, each time you perform a backup, the following actions occur:

  The existing ldifbackup file is renamed ldifbackup.1.
  The new backup file is named ldifbackup.

Only two generations are kept this way; a third backup overwrites ldifbackup.1. If you want to maintain more than two backup files, rename ldifbackup.1 before you perform the next backup. You may also move the file to another location.

Restoring the security directory

The tools in the LDAP Restore script use the ldifbackup file to restore the directory. If you want to use a different file, you must rename that file to ldifbackup and make sure that it resides in this folder:

  dbsesa/backup/ldap

To execute the LDAP Restore script, you must use an account that has administrative privileges, such as cn=root.

To restore the security directory

1 Make sure that the data you want to restore is in this file:

  dbsesa/backup/ldap/ldifbackup

If you want to restore from a file other than the current ldifbackup, rename the current file, and then rename the backup file that you want to restore to ldifbackup.

Note: The /dbsesa/backup/ldap folder and the ldifbackup file in this folder must be owned by root. Connect to the appliance over an SSH connection, change to the root user, and run the following commands:

  chown root:root /dbsesa/backup/ldap
  chown root:root /dbsesa/backup/ldap/ldifbackup

2 From the Information Manager Web configuration interface, click Database Utilities.

3 Click the LDAP Restore tab.

4 On the Warning dialog box, click OK to confirm that you want to restore the directory. The script uses the file named ldifbackup to restore the directory. Working with the console during directory restore may result in authentication errors, because the directory server shuts down during the process.
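The rotation rule in the backup section and the ownership requirement in the restore procedure are easy to get wrong by hand (a backup run after you forgot to move ldifbackup.1 silently destroys the older generation, and a file copied in as an ordinary user makes the restore script fail). The following Python is an added example for this page, not code from Symantec or the appliance's own utilities, which run IBM tools; it only reproduces the file handling described above so the effect of each run can be seen. The function names, the demo() scratch directory and the sample file contents are assumptions for illustration; the path and file names are the ones the guide gives.

```python
"""Added example (not Symantec code): model the ldifbackup rotation and the
root-ownership pre-check that the LDAP Restore step requires.  Function names
and the demo() scratch directory are assumptions for illustration."""
import os
import pwd
import tempfile
from pathlib import Path
from typing import Dict, List

BACKUP_DIR = Path("/dbsesa/backup/ldap")    # appliance location from the guide
BACKUP_NAME = "ldifbackup"


def _owner_name(uid: int) -> str:
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:                              # uid without a passwd entry (containers)
        return str(uid)


def rotate_backup(backup_dir: Path, new_content: bytes) -> List[str]:
    """Mimic one backup run: ldifbackup -> ldifbackup.1, then write ldifbackup.
    Only two generations survive; an existing ldifbackup.1 is overwritten."""
    actions: List[str] = []
    current = backup_dir / BACKUP_NAME
    previous = backup_dir / (BACKUP_NAME + ".1")
    if current.exists():
        if previous.exists():
            actions.append(f"overwrote {previous.name}")
        os.replace(current, previous)               # atomic rename on POSIX
        actions.append(f"renamed {current.name} -> {previous.name}")
    current.write_bytes(new_content)
    actions.append(f"wrote {current.name}")
    return actions


def keep_generation(backup_dir: Path, label: str) -> Path:
    """Rename ldifbackup.1 to ldifbackup.<label> so the next run cannot clobber it,
    which is what the guide tells you to do by hand to keep more than two copies."""
    previous = backup_dir / (BACKUP_NAME + ".1")
    kept = backup_dir / f"{BACKUP_NAME}.{label}"
    if kept.exists():
        raise FileExistsError(f"{kept} already exists; choose another label")
    os.replace(previous, kept)
    return kept


def restore_preflight(backup_dir: Path, expected_owner: str = "root") -> List[str]:
    """Return the problems that would make LDAP Restore fail or restore the
    wrong data: missing file, or wrong owner on the folder or the file."""
    current = backup_dir / BACKUP_NAME
    if not backup_dir.is_dir():
        return [f"{backup_dir} does not exist"]
    if not current.is_file():
        return [f"{current} not found; rename the file you want to restore to {BACKUP_NAME}"]
    problems: List[str] = []
    for path in (backup_dir, current):
        owner = _owner_name(path.stat().st_uid)
        if owner != expected_owner:
            problems.append(f"{path} is owned by {owner}; run: chown "
                            f"{expected_owner}:{expected_owner} {path}")
    return problems


def demo() -> Dict[str, object]:
    """Four backup runs in a scratch directory (constructed contents, not real LDIF)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        me = _owner_name(os.getuid())
        result: Dict[str, object] = {"missing": restore_preflight(d)}    # nothing backed up yet
        result["first"] = rotate_backup(d, b"generation 1\n")
        result["second"] = rotate_backup(d, b"generation 2\n")
        result["third"] = rotate_backup(d, b"generation 3\n")            # generation 1 is lost here
        kept = keep_generation(d, "before-upgrade")                       # park generation 2
        result["fourth"] = rotate_backup(d, b"generation 4\n")
        result["current"] = (d / BACKUP_NAME).read_bytes()
        result["previous"] = (d / (BACKUP_NAME + ".1")).read_bytes()
        result["kept"] = kept.read_bytes()
        result["ok_as_me"] = restore_preflight(d, expected_owner=me)
        result["wrong_owner"] = restore_preflight(d, expected_owner="no-such-user")
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Run restore_preflight against /dbsesa/backup/ldap as root before clicking LDAP Restore; it reports the exact chown commands from the note above when ownership is wrong. Because the backup lands on the appliance's own disk and the previous generation is overwritten on every run, copy ldifbackup off the appliance after each backup rather than relying on ldifbackup.1.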


Chapter 20
Maintaining the Symantec Security Information Manager database

This chapter includes the following topics:

  About data maintenance
  Checking database status
  Backing up and restoring the database
  About purging event summary and incident data
  Reviewing maintenance history

About data maintenance

The Symantec Security Information Manager appliance uses an IBM DB2 database to store event summary, incident, ticket, asset, rule, and report data. These elements are stored in separate tablespace containers in the database. The most common maintenance tasks have been automated to make the database largely self-maintaining. The status of the database is checked regularly, and tasks such as database reorganization and statistics gathering occur automatically as they are required.

Note: Raw event data is stored in the Information Manager event archives.

Purges are performed automatically on a daily basis to prevent the database from filling to capacity. You can adjust the purge parameters to purge or retain particular types of data. You can back up and restore the database, and you can enable automatic backups.

Information Manager provides utilities that you can use to do the following:

  Check the status of the database. See Checking database status on page 220. See Reviewing maintenance history on page 228.
  Control regularly scheduled database maintenance activities. See Enabling and scheduling automated backups on page 222. See About purging event summary and incident data on page 224.
  Back up the database at will. See Initiating a backup on page 223.
  Restore the database to a backup image. See Restoring the database from a backup image on page 223.
  Purge events and incidents at will. See Initiating a purge on page 227.

Checking database status

The Status pane displays current information about the overall health of the Information Manager database, along with the status of the maintenance jobs that run to keep the database healthy. The information in the Status pane is updated automatically as conditions change. The Status pane includes the following sections:

  Database Health Monitor: Indicates the current health status of the database. See About the health monitor service on page 221.
  Database Space: Displays the amount of space that is currently used by incidents and by each tablespace. For each tablespace, the value is expressed as a percentage of the total space that is available to that tablespace.
  Job Status: Lists the current status of data maintenance activities. Regularly scheduled jobs are listed, along with any jobs that you initiate manually.

To check database status

1 From the Information Manager Web configuration interface, in the left pane, click Database Utilities.

2 On the Database Utilities page, click Status.

3 To refresh the status information immediately, click Refresh.

About the health monitor service

The database on the Symantec Security Information Manager appliance includes a health monitor service that checks the health status of the database at regular intervals. In the Status pane, the Database Health Monitor section displays one of the following status indicators: OK, Warning, Alarm, or Critical. The Warning, Alarm, and Critical indicators appear in the following circumstances:

  The Warning indicator appears if a tablespace reaches 60 percent of total capacity, or whatever percentage you specify for the Safe Level parameter in the Options pane.
  The Alarm indicator appears if a tablespace reaches 70 percent of total capacity, or whatever percentage you specify for the Alarm Level parameter in the Options pane. If a tablespace reaches the Alarm threshold, data is purged automatically until the size falls below the configured safe level.
  The Critical indicator appears if a tablespace reaches 95 percent of total capacity. The tablespace can reach the critical level in certain situations. For example, a scheduled health check might be delayed by a lengthy backup at the same time that a high number of new incidents are generated; the tablespace could then reach the critical level before the health check runs. If the tablespace reaches the critical level, data is purged automatically. Event logging and correlation are suspended during the purge and resume once the size falls below the configured safe level.

See Adjusting the thresholds for size-based purges on page 226.
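The three indicators above are thresholds on tablespace fill level, and the two that you can change (Safe Level and Alarm Level) interact with the purge: an Alarm purge runs until usage is back below the safe level, so the safe level has to be below the alarm level for the purge to have a target, and a Critical purge additionally suspends event logging and correlation. The following Python is an added example for this page, not code from Symantec or the appliance's health monitor. The function names, the purge callback that stands in for one purge batch, and the ordering check in validate() are assumptions for illustration; the default percentages are the ones the guide states.

```python
"""Added example (not Symantec code): the health monitor thresholds and the
purge-until-safe behaviour from the Status pane description.  Names, the purge
callback and the ordering check are assumptions for illustration."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

CRITICAL_LEVEL = 95.0      # fixed in the guide; no Options pane setting is mentioned for it


@dataclass(frozen=True)
class Thresholds:
    safe_level: float = 60.0    # Safe Level parameter: Warning at or above this
    alarm_level: float = 70.0   # Alarm Level parameter: Alarm at or above this

    def validate(self) -> None:
        """Reject an ordering the monitor cannot act on (assumption: the console
        does not check this for you).  A safe level at or above the alarm level
        means an Alarm purge has no reachable target."""
        if not 0 < self.safe_level < self.alarm_level < CRITICAL_LEVEL:
            raise ValueError(f"need 0 < safe ({self.safe_level}) < alarm "
                             f"({self.alarm_level}) < {CRITICAL_LEVEL}")


def health_status(used_pct: float, t: Thresholds = Thresholds()) -> str:
    """Map a tablespace fill level to the indicator the Status pane shows."""
    if used_pct >= CRITICAL_LEVEL:
        return "Critical"
    if used_pct >= t.alarm_level:
        return "Alarm"
    if used_pct >= t.safe_level:
        return "Warning"
    return "OK"


def health_check(used_pct: float, t: Thresholds,
                 purge_step: Callable[[float], float]) -> Tuple[str, bool, float, List[str]]:
    """One scheduled check.  At Alarm the monitor purges until usage is below the
    safe level; at Critical it does the same but suspends event logging and
    correlation for the duration.  purge_step(pct) returns the fill level after
    one purge batch (assumed; the real purge order is set in the Options pane).
    Returns (status, logging_was_suspended, final_pct, actions)."""
    t.validate()
    status = health_status(used_pct, t)
    actions: List[str] = []
    suspended = status == "Critical"
    if status in ("Alarm", "Critical"):
        if suspended:
            actions.append("event logging and correlation suspended")
        while used_pct >= t.safe_level:
            after = purge_step(used_pct)
            if after >= used_pct:                # a purge that frees nothing would loop forever
                raise RuntimeError("purge made no progress; tablespace cannot reach safe level")
            used_pct = after
            actions.append(f"purged: {used_pct:.1f}% used")
        if suspended:
            actions.append("event logging and correlation resumed")
    return status, suspended, used_pct, actions


if __name__ == "__main__":
    # Constructed scenario: a delayed check finds the incident tablespace at 96 %,
    # and each purge batch frees 5 % of capacity.
    for line in health_check(96.0, Thresholds(), lambda pct: pct - 5.0)[3]:
        print(line)
```

Note that only Warning and Alarm follow the Options pane values; Critical stays at 95 percent, so an alarm level set close to 95 leaves almost no room for the scheduled check to run before logging is suspended.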
Backing up and restoring the database

When Symantec Security Information Manager is installed, a full, offline backup of the database is performed. All subsequent backups are full, online backups. An online backup is performed while the database is running, so that data remains continuously available to the Information Manager console.

During a backup, all DB2 data is backed up, along with all of the logs and other metadata that DB2 requires to restore the database. This backup does not include the event archives, which are not stored in DB2, so a database backup alone does not protect the archived events.

You can enable automatic backups in the Options pane. You can initiate a manual backup in the Backup pane.

Note: A full backup can be a lengthy operation, and server performance can be affected while it runs. Other health maintenance jobs do not start until the backup is completed.

See "Enabling and scheduling automated backups" on page 222.
See "Initiating a backup" on page 223.
See "Restoring the database from a backup image" on page 223.
See "Specifying a third-party backup solution" on page 223.

Enabling and scheduling automated backups

You can enable automated daily backups of the database. The online backup method is used to create the backup image, which is stored on the Information Manager appliance. If necessary, backup images are deleted to prevent the disk from filling up. Because images are kept only on the appliance and may be deleted as space runs low, copy any image you need to retain to external storage.

You can specify the time of day at which the backups begin. To minimize the impact on server performance, choose a time that corresponds to a typical period of low activity. The default maintenance time is 1:00 A.M.

To enable and schedule automated backups

1 From the Information Manager Web configuration interface, click Database Utilities.
2 On the Database Utilities page, click Options.
3 In the Options pane, in the Automated Backup section, click Enabled.
4 To set the time of day for backups, in the General Maintenance section, select an option from the Maintenance time drop-down list.
5 To apply your changes, click Apply.

Initiating a backup

You can initiate a full, online backup of the database at any time in the Backup pane. This backup operation is independent of any automated backups that may be enabled.

To initiate a backup

1 From the Information Manager Web configuration interface, click Database Utilities.
2 On the Database Utilities page, click Backup.
3 In the Backup pane, click Backup.
4 When you are prompted to confirm your action, click OK.

Restoring the database from a backup image

You can restore the database from a backup image at any time. All available backup images are listed according to the date and time at which each backup was created. The server is taken offline during the restore operation and restarts automatically when the operation is complete.

Warning: When you restore the database from a backup image, all other backup images, whether older or newer, are deleted from the appliance. If you might need any of those images later, copy them to external storage before you start the restore.

To restore the database from a backup image

1 From the Information Manager Web configuration interface, click Database Utilities.
2 On the Database Utilities page, click Restore.
3 In the Restore from drop-down list, select the backup image that you want to restore.
4 Click Restore.

Specifying a third-party backup solution

You can implement a customized database backup solution that uses third-party software to archive the Information Manager database to an external storage medium. If you do so, be sure to disable automated purging of the database archive logs.

Archive logs, or transaction logs, are required for online backups. In normal operation, Information Manager purges older archive logs automatically on a regular basis. You must disable the automated archive log purge to ensure that the necessary archive logs are always available to the third-party backup software. The third-party backup software then becomes responsible both for backing up the database to external storage and for deleting old archive logs on the appliance; because the appliance no longer prunes them, a third-party solution that never deletes archive logs eventually fills the disk.

To specify a third-party backup solution

1 From the Information Manager Web configuration interface, click Database Utilities.
2 On the Database Utilities page, click Options.
3 In the Automated Backup section of the Options pane, click Done by third-party.
4 To apply your change, click Apply.

About purging event summary and incident data

Summary events and incidents are purged in three ways:

Daily maintenance purge
    An automatic daily purge of all data that does not meet the configured retention criteria. You can configure the retention period for data. You can also configure the types of incidents that are retained or purged, based on their status. See "Adjusting parameters for daily automated purges" on page 225.

Size-based purge
    A purge that is performed automatically whenever a tablespace exceeds a configured percentage of its total storage capacity. During a size-based purge of event summaries, event summaries are purged progressively, starting with the oldest data. During a size-based purge of incidents, closed incidents are purged first, from oldest to newest. If necessary, expired incidents are purged next, from oldest to newest. Finally, open incidents are purged, if necessary, from oldest to newest. The amount of space that is currently used by each tablespace is calculated during the regularly scheduled health check. You can configure the safe and alarm thresholds. See "Adjusting the thresholds for size-based purges" on page 226.

Manual purge
    A purge of data that you can initiate at any time. See "Initiating a purge" on page 227.

The database is automatically reorganized after a purge whenever necessary.

Note: In some situations, the size of a tablespace can reach the critical level, which is 95 percent of total capacity. When this threshold is reached, a purge is initiated automatically, and event logging and correlation are suspended until the size falls below the safe level.

Adjusting parameters for daily automated purges

During the daily maintenance purge, data is purged automatically using the following default criteria:

Hourly (short-term) summary events that are more than 7 days old are purged from the event data.

Daily (long-term) summary events that are more than 30 days old are purged from the event data. Summary event data is used in event reports; by default, report data is retained for 30 days.

Closed incidents that are more than 30 days old are purged.

You can adjust the parameter values for the daily maintenance purge to suit your needs. Do not increase the retention periods unless it is necessary, however. Depending on your deployment, event data can fill the tablespace quickly and lead to frequent size-based purges, which discard the oldest data without regard to the retention periods you configured.

To adjust parameters for daily automated purges

1 From the Information Manager Web configuration interface, click Database Utilities.
2 On the Database Utilities page, click Options.
3 In the Automated Purge section of the Options pane, to change the retention value for summary events or incidents, type a new number of days in the appropriate box.
4 To specify the types of incidents and tickets to purge, select one or more of the following: Closed Incidents, Deleted Incidents, Open Incidents, Closed Tickets, Open Tickets.
5 To apply your changes, click Apply.

Adjusting the thresholds for size-based purges

In most deployments you do not need to adjust the thresholds for size-based purges. They are designed to maintain the appliance automatically and to help you evaluate database usage on the appliance. For example, if the alarm threshold for summary events is triggered frequently, consider ways to reduce the flow of data to the appliance instead of increasing the threshold values.

If necessary, however, you can configure the following parameters for size-based purges:

Alarm Level
    The percentage of total tablespace capacity at which the automated, size-based purge is triggered. The Alarm Level value must be less than the critical level, which is 95 percent of total capacity. The critical level cannot be changed. By default, the Alarm Level for both summary events and incidents is 70 percent.

Safe Level
    The percentage of total capacity at which the size-based purge operation stops. The Safe Level value must be at least 10 percent less than the Alarm Level. By default, the Safe Level for both summary events and incidents is 60 percent.

The summary events and incidents tablespaces are monitored independently. For example, the thresholds for incidents apply to the size of the incidents tablespace, regardless of the size of the summary events tablespace.

To adjust the thresholds for size-based purges

1 From the Information Manager Web configuration interface, click Database Utilities.
2 On the Database Utilities page, click Options.
3 In the Automated Purge section of the Options pane, to change the Safe Level or Alarm Level value for events or incidents, type a new percentage value in the appropriate box.
4 To apply your changes, click Apply.
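The following Python script is an added example, not part of the Symantec guide or the appliance software. It models the rules that the health monitor section, the size-based purge description, and the daily purge section lay out: the Options-pane constraints on Safe Level and Alarm Level, the OK/Warning/Alarm/Critical indicator, the order in which a size-based purge removes incidents (closed, then expired, then open, oldest first within each class) until usage falls below the safe level, the suspension of logging during a critical-level purge, and the daily retention purge. The record sizes, ages, and tablespace usage figures are constructed for the demonstration; the appliance's real purge and reorganization code is not shown in the guide.

```python
# Added example, not from the Symantec guide: a model of the purge rules the
# guide describes (health-monitor status, size-based purge order, daily
# retention purge). The records, their sizes and the usage figures below are
# constructed; the appliance's own purge implementation is not shown in the guide.
from dataclasses import dataclass, field

CRITICAL_LEVEL = 95      # percent; fixed on the appliance and cannot be changed
DEFAULT_SAFE = 60        # percent; default Safe Level
DEFAULT_ALARM = 70       # percent; default Alarm Level

# A size-based purge removes incidents class by class, oldest first within each class.
INCIDENT_PURGE_ORDER = ("closed", "expired", "open")
# Event summaries have a single class and are purged oldest first.
SUMMARY_PURGE_ORDER = ("summary",)


def validate_thresholds(safe, alarm):
    """Constraints the Options pane enforces: Alarm < 95 and Safe <= Alarm - 10."""
    if not 0 < safe < alarm < CRITICAL_LEVEL:
        raise ValueError("need 0 < Safe Level < Alarm Level < %d" % CRITICAL_LEVEL)
    if alarm - safe < 10:
        raise ValueError("Safe Level must be at least 10 percent below Alarm Level")
    return True


def health_status(pct_used, safe=DEFAULT_SAFE, alarm=DEFAULT_ALARM):
    """Indicator shown in the Database Health Monitor section for one tablespace."""
    if pct_used >= CRITICAL_LEVEL:
        return "Critical"
    if pct_used >= alarm:
        return "Alarm"
    if pct_used >= safe:
        return "Warning"
    return "OK"


@dataclass(frozen=True)
class Record:
    status: str       # "closed", "expired", "open" for incidents; "summary" for events
    age_days: int
    size_pct: float   # constructed: percentage of the tablespace this record occupies


@dataclass
class PurgeResult:
    purged: list = field(default_factory=list)
    logging_suspended: bool = False   # True only for a critical-level purge
    final_pct: float = 0.0


def size_based_purge(records, order=INCIDENT_PURGE_ORDER,
                     safe=DEFAULT_SAFE, alarm=DEFAULT_ALARM):
    """Run the health check against one tablespace. Nothing is purged below the
    Alarm Level; at or above it, records are purged in 'order', oldest first,
    until usage is below the Safe Level. The input list is not modified."""
    validate_thresholds(safe, alarm)
    used = sum(r.size_pct for r in records)
    result = PurgeResult(final_pct=used)
    if used < alarm:
        return result
    result.logging_suspended = used >= CRITICAL_LEVEL
    for cls in order:
        candidates = sorted((r for r in records if r.status == cls),
                            key=lambda r: r.age_days, reverse=True)
        for rec in candidates:
            if used < safe:
                break
            used -= rec.size_pct
            result.purged.append(rec)
    result.final_pct = round(used, 6)
    return result


def daily_purge(records, retention_days, purge_statuses):
    """Daily maintenance purge: records older than the retention period whose
    status was selected in the Automated Purge section (for example {"closed"})."""
    return [r for r in records
            if r.age_days > retention_days and r.status in purge_statuses]


# Constructed incidents tablespace: 95 percent used, i.e. at the critical level.
INCIDENTS = [
    Record("closed", 40, 20.0), Record("closed", 10, 15.0),
    Record("expired", 30, 20.0),
    Record("open", 50, 20.0), Record("open", 5, 20.0),
]

if __name__ == "__main__":
    print("status before:", health_status(sum(r.size_pct for r in INCIDENTS)))
    res = size_based_purge(INCIDENTS)
    print("purged:", [(r.status, r.age_days) for r in res.purged])
    print("logging suspended:", res.logging_suspended, "final:", res.final_pct)
    print("daily purge (closed > 30 days):",
          [(r.status, r.age_days) for r in daily_purge(INCIDENTS, 30, {"closed"})])
```

Running the script on the constructed tablespace shows the point the guide makes about the critical level: at 95 percent the purge suspends logging, removes both closed incidents, and still has to discard an expired incident before usage is below the 60 percent safe level, whereas the daily purge with the default 30-day retention would have removed only the single closed incident older than 30 days.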

Initiating a purge

You can purge summary events and incidents manually at any time. All data older than the age you specify, in days, is purged from the database. For example, if you select summary events as the data type to purge and specify seven days for the retention value, all summary events that are more than seven days old are purged.

You can also purge all incidents or all summary events, or both. In this case, the server restarts automatically after all of the selected data is purged.

Note: Always ensure that the database is backed up before purging data; a purge cannot be undone except by restoring a backup image. See "Backing up and restoring the database" on page 221.

To purge selected data

1 From the Information Manager Web configuration interface, click Database Utilities.
2 On the Database Utilities page, click Purge.
3 In the Purge section, to specify the type of data to purge, check or uncheck the Hourly (or Short Term) Event Summary Data, Daily (or Long Term) Event Summary Data, and Incidents and Tickets check boxes.
4 In the box where you specify how many days of data to retain, type a number. The default data retention value is seven days, in which case only the summary events and incidents that are more than seven days old are purged.
5 If you selected incidents, specify the types of incidents and tickets to purge by selecting one or more of the following: Closed Incidents, Deleted Incidents, Open Incidents, Closed Tickets, Open Tickets.
6 Click Purge.

To purge all data

1 From the Information Manager Web configuration interface, click Database Utilities.
2 On the Database Utilities page, click Purge.
3 In the Purge All section, to specify the type of data to purge, check or uncheck the Event Summary and Incidents and Tickets check boxes.
4 Click Purge All.

Reviewing maintenance history

You can view a history log at any time in the History pane. The log lists each maintenance job, along with its start time, end time, and whether the job completed successfully.

To review maintenance history

1 From the Information Manager Web configuration interface, click Database Utilities.
2 On the Database Utilities page, click History.
3 Do either of the following:
    Click View History to display the history as a table in the current pane.
    Click Download History to save the history log to disk.

Section 7

Appendices

Ports used by Information Manager
Managing security certificates


Appendix A

Ports used by Information Manager

This appendix includes the following topics:
Ports used by Information Manager

Ports used by Information Manager

The IP table (iptables) firewall policy on the appliance is configured to block all ports except the following:

22 (SSH)
443 (HTTPS)
636 (LDAPS)
3539 (Ibmdiradm)
3700 (Db2tcpcm)
10010 (Simserver)
10012 (eventservice)
50000 (Db2tcp)
10099-49999 (Ethereal ports)
10514-10650 (Collector ports)

Table A-1 lists the ports that Symantec Security Information Manager uses, the service that uses each port, whether the firewall that runs on the appliance blocks the port, and the network protocol associated with the service. Ports shown with the 127.0.0.1 prefix are bound to the loopback interface and accept connections only from processes on the appliance itself; they are not reachable from the network regardless of the firewall policy.

Table A-1 Ports used by Information Manager

Port             Service/Process                                                             Blocked by firewall  Protocol
127.0.0.1:80     IBM Apache Web server (HTTPD)/http                                          Yes                  TCP
50000            IBM DB2 database service/db2tcpcm                                           No                   TCP
3700             IBM DB2 database service/db2tcpcm                                           No                   TCP
127.0.0.1:10080  assetsvc                                                                    Yes                  TCP
127.0.0.1:55557  assetsvc                                                                    Yes                  TCP
127.0.0.1:10050  HelpDeskEvent Sink/Manager                                                  Yes                  TCP
127.0.0.1:8005   Shutdown port for Information Manager Tomcat service/manager                Yes                  TCP
127.0.0.1:8009   modjk connector for Information Manager Tomcat service/manager              Yes                  TCP
10021            simserver                                                                   Yes                  TCP
10010            simserver                                                                   No                   TCP
127.0.0.1:55558  Notificationsvc                                                             Yes                  TCP
10022            eventservice                                                                Yes                  TCP
127.0.0.1:8015   modjk connector for Information Manager Tomcat event service/eventservice   Yes                  TCP
127.0.0.1:8019   modjk connector for Information Manager Tomcat event service/eventservice   Yes                  TCP
8090             Information Manager Tomcat event service/eventservice                       Yes                  TCP
10012            Event forwarding port/eventservice                                          No                   TCP
127.0.0.1:55559  Rulesvc                                                                     Yes                  TCP
127.0.0.1:55560  Dimserver                                                                   Yes                  TCP
127.0.0.1:55561  Schedulersvc                                                                Yes                  TCP
127.0.0.1:55562  Icesvc                                                                      Yes                  TCP
127.0.0.1:10030  Information Manager Database Management Utility/Simdbmu                     Yes                  TCP
127.0.0.1:55566  Kbsvc                                                                       Yes                  TCP
5998             Symantec Event Agent/Agent                                                  Yes                  TCP
127.0.0.1:55567  Ticketsvc                                                                   Yes                  TCP
127.0.0.1:55568  Eventfindersvc                                                              Yes                  TCP
127.0.0.1:55569  Querysvc                                                                    Yes                  TCP
127.0.0.1:55570  Statsvc                                                                     Yes                  TCP
3539             IBM Tivoli (LDAP) Directory Service/ibmdiradm                               No                   TCP
127.0.0.1:55571  Configurationsvc                                                            Yes                  TCP
127.0.0.1:8086   Symantec Event Agent/Agent                                                  Yes                  TCP
22               Linux Secure Shell (SSH) service/ssh                                        No                   TCP
443              Secure Sockets Layer (HTTPS)/https                                          No                   TCP
636              IBM Tivoli (LDAP) Directory Service/ldaps                                   No                   TCP
18777            Information Manager service monitor/svclauncher                             Yes                  UDP
127.0.0.1:8025   Web Services/Wsrf                                                           Yes                  TCP
127.0.0.1:8029   Web Services/Wsrf                                                           Yes                  TCP
127.0.0.1:55550  Rx protocol service/rxservice                                               Yes                  TCP
127.0.0.1:8889   QueueMonitor                                                                Yes                  TCP
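The following Python script is an added example, not part of the Symantec guide or the appliance software. It turns Appendix A into a check a practitioner can run after a port scan of the appliance from another host: the network-reachable rows of Table A-1 and the two open ranges from the firewall list are transcribed into data, and the scan result is compared against them to report ports that should not be visible and documented services that did not answer. Loopback-only rows are omitted because they can never be reached from the network. The scan result below is constructed, and the assumption that the two open ranges are TCP is the author's, not the guide's.

```python
# Added example, not from the Symantec guide: compare what a port scan of the
# appliance reports with the exposure documented in Appendix A. The rows are
# transcribed from Table A-1 (loopback-only rows omitted because they are never
# reachable from the network); the scan result below is constructed, and the
# assumption that the two open ranges are TCP is the author's, not the guide's.
from collections import namedtuple

Row = namedtuple("Row", "port blocked proto service")

TABLE_A1 = [
    Row(50000, False, "tcp", "IBM DB2 database service/db2tcpcm"),
    Row(3700,  False, "tcp", "IBM DB2 database service/db2tcpcm"),
    Row(10021, True,  "tcp", "simserver"),
    Row(10010, False, "tcp", "simserver"),
    Row(10022, True,  "tcp", "eventservice"),
    Row(8090,  True,  "tcp", "Information Manager Tomcat event service/eventservice"),
    Row(10012, False, "tcp", "Event forwarding port/eventservice"),
    Row(5998,  True,  "tcp", "Symantec Event Agent/Agent"),
    Row(3539,  False, "tcp", "IBM Tivoli (LDAP) Directory Service/ibmdiradm"),
    Row(22,    False, "tcp", "Linux Secure Shell (SSH) service/ssh"),
    Row(443,   False, "tcp", "Secure Sockets Layer (HTTPS)/https"),
    Row(636,   False, "tcp", "IBM Tivoli (LDAP) Directory Service/ldaps"),
    Row(18777, True,  "udp", "Information Manager service monitor/svclauncher"),
]

# Ranges the firewall policy leaves open that have no individual row in Table A-1.
# The narrower collector range is listed first so it wins over the wider one.
ALLOWED_RANGES = [(10514, 10650, "Collector ports"), (10099, 49999, "Ethereal ports")]


def expected_reachable():
    """(proto, port) pairs that the guide says the appliance firewall leaves open."""
    return {(r.proto, r.port) for r in TABLE_A1 if not r.blocked}


def classify(proto, port):
    """Explain one observed open port in terms of Appendix A."""
    for r in TABLE_A1:
        if r.proto == proto and r.port == port:
            return "blocked-by-policy" if r.blocked else "documented"
    if proto == "tcp":
        for lo, hi, name in ALLOWED_RANGES:
            if lo <= port <= hi:
                return "allowed-range:" + name
    return "undocumented"


def audit(observed_open):
    """observed_open: set of (proto, port) found open when scanning the appliance
    from another host. Returns ports that should not be visible ('unexpected')
    and documented services that did not answer ('missing')."""
    expected = expected_reachable()
    findings = {"unexpected": [], "missing": sorted(expected - set(observed_open))}
    for proto, port in sorted(observed_open):
        verdict = classify(proto, port)
        if verdict in ("blocked-by-policy", "undocumented"):
            findings["unexpected"].append((proto, port, verdict))
    return findings


# Constructed scan result: the directory service port (3539) does not answer, a
# port the firewall should block (10021) is open, and one port (5432) appears that
# the guide never lists.
OBSERVED = {("tcp", 22), ("tcp", 443), ("tcp", 636), ("tcp", 3700), ("tcp", 5432),
            ("tcp", 10010), ("tcp", 10012), ("tcp", 10021), ("tcp", 10514),
            ("tcp", 50000)}

if __name__ == "__main__":
    for key, items in audit(OBSERVED).items():
        print(key + ":", items or "none")
```

Substitute the real scan output for OBSERVED. A "blocked-by-policy" finding means the appliance's firewall policy no longer matches the guide and should be investigated before anything else; an "undocumented" finding is a service the guide does not account for at all; a "missing" entry is a documented service that is down or newly filtered, which for 3539 or 636 would explain console logon failures.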

Appendix B

Managing security certificates

This appendix includes the following topics:
About managing security certificates
Managing security certificate information for the appliance

About managing security certificates

By default, Symantec Security Information Manager uses a self-signed security certificate for authentication between the on-appliance and off-appliance components. The Information Manager web configuration interface lets you view certificate information, delete a certificate, create a new self-signed certificate, create a request for a signed certificate for submission to a public or private certificate authority, or import a certificate from a certificate authority. You can also add a new root certificate to the server, to use as a basis for new certificates.

When you generate a security certificate, you can base it on either the IP address of the appliance or the host name of the appliance. Basing the certificate on the host name makes it convenient to change the IP address of the appliance later, because the certificate does not have to be regenerated. However, every computer that connects to the appliance must then resolve the host name to the correct address, so you may need to add an entry to the domain name server (DNS). If you are unable to update the DNS, you can add the appliance IP address and host name to the hosts file on the computers that communicate with the appliance.

Managing security certificate information for the appliance

You can use the Information Manager web configuration interface to perform the following certificate management tasks:

View security certificate information for the appliance
Delete a security certificate from the appliance keystore
Create a new self-signed security certificate
Create a request for a signed certificate for submission to a public or private certificate authority
Import a certificate from a certificate authority
Add a certificate authority root certificate

If you install a CA-signed certificate, you must also import the CA certificate on the computers that communicate with Information Manager, such as computers that run the Information Manager console or computers that run event collectors; otherwise those computers cannot validate the appliance's certificate.

To view security certificate information for the appliance

1 From the Information Manager web configuration interface, click Certificate Management.
2 To view detailed information about the certificate that the appliance uses for authentication of HTTPS and secure LDAP communications, click Show Default Certificate.
3 To view detailed information about any certificate that is contained in the appliance keystore, click Show All Server and CA Root Certificates. In the Get Details for a Certificate area, select the security certificate from the Key Label drop-down, and then click Get Details.
4 To view a list of all certificate requests, click Show Certificate Requests.

To create a new self-signed security certificate

1 From the Information Manager web configuration interface, click Certificate Management, and then click Create Self-Signed.
2 In the Common Name drop-down, select whether to generate the certificate based on the IP address or the host name of the appliance.
3 In the Organization box, type the name of your organization.
4 In the Organization Unit box, type the name of the unit.
5 In the Locality box, type the region for the appliance.
6 In the State/Province box, type the name of the state or province where the appliance resides.
7 In the Country Code box, type the two-character code for the country where the appliance resides. For example, in the United States, you would type US.
8 In the Label field, type a name for this certificate. For example, the default label for the certificate that Information Manager uses is SESA.
9 In the Key size drop-down, select either 512 or 1024 bit encryption. Always select 1024, the largest size the interface offers: a 512-bit RSA key can be factored with modest computing resources and gives no real protection to the HTTPS and LDAPS sessions that the certificate secures.
10 In the Validity Period box, type the number of days (between 1 and 7300) that the certificate is to be valid.
11 In the Username (DN) box, type the distinguished name of an administrator account, such as cn=root.
12 In the Password box, type the password that corresponds to the administrator account that you typed in the previous step.
13 Click Submit.

To delete a security certificate

1 From the Information Manager web configuration interface, click Certificate Management.
2 Click Show All Server and CA Root Certificates.
3 In the Delete a Certificate area, from the Key Label drop-down, select the certificate that you want to delete, and then click Delete Certificate.

To generate a CSR to request a signed certificate from a certificate authority

1 From the Information Manager web configuration interface, click Certificate Management.
2 Click Create CSR.
3 In the Organization box, type the name of your organization.
4 In the Organization Unit box, type the name of the unit.
5 In the Locality box, type the region for the appliance.
6 In the State/Province box, type the name of the state or province where the appliance resides.
7 In the Country Code box, type the two-character code for the country where the appliance resides. For example, in the United States, you would type US.
8 In the Label field, type a name for this certificate. For example, the default label for the certificate that Information Manager uses is SESA. You select this same label when you receive the signed certificate, so record it.
9 In the Key size drop-down, select either 512 or 1024 bit encryption. Select 1024, for the reason given in the self-signed procedure above; many certificate authorities also refuse to sign a 512-bit request.
10 Click Submit.
11 Click Download Certificate Signing Request to download the certificate request to a file.
12 Submit the request file to the certificate authority of your choice.

To add a signed certificate to the collection of acceptable certificates

1 After you have received the signed certificate from the certificate authority, from the Information Manager web configuration interface, click Certificate Management.
2 Click Receive Signed.
3 In the Certificate File option, click Browse, and then navigate to the signed certificate file.
4 In the Key Label drop-down, select the label that you specified for the certificate when you created the request. The label identifies the key pair from which the request was generated.
5 In the Username (DN) box, type the distinguished name of an administrator account, such as cn=root.
6 In the Password box, type the password that corresponds to the administrator account that you typed in the previous step.
7 Click Receive.

To add a certificate authority root certificate

1 From the Information Manager web configuration interface, click Certificate Management.
2 Click Add Certificate Authority Root Certificate.
3 In the Certificate File option, click Browse, and then navigate to the root certificate file.
4 In the Key Label box, type a name for this root certificate.
5 Click Add.

Index

A
access rights 34
  See also permissions
  console 34
account
  Administrator 50
  default password 49
  Information Manager Web configuration interface default 174
  Linux 49
administrative settings
  modifying 203
Agent
  configuring Manager failover 208
Agent Configurations 210
  batch logging 210
  for 1.1 Agent 210
Agent to Manager failover
  configuring 208
aggregation tables 122
appliance access
  modifying 37
assets
  identifying 181
Assets table 128
  CIA values 143
  correlation overview 142
  filtering based on operating system 149
  importing assets 144
  locked and unlocked assets 148
  overview 141
  policies 150
  Services tab overview 150
  using a vulnerability scanner to populate the table 146
  using CIA values to identify critical events 149
  using Severity settings 149
  using to reduce false positives 148
  vulnerability information 146
attacks
  sample EMR values 139

B
backup directory 215
batch logging, Agent 210
blacklisting, configuring 212
BugTraq 128
business information
  users 55
Bypass Event RBAC 36

C
Category field. See EMR
certificates 235
  managing 236
client validation, configuring 200
Collector filtering and aggregation
  antivirus examples 165
  creating specifications 158
  events generated by specific internal networks 161
  examples 160
  firewall examples 162
  overview 153
  policy compliance 154
  preparation 156
  suggestions 155
  vulnerability assessment examples 166
  Windows Event Log examples 167
collectors
  registering products 186
Command servlet, configuring 202
computers
  adding configurations 76
  adding to organizational units 68
  creating 68
  defined 67
  deleting 81
  distributing configurations 79
  editing
    with agent 70
    without agent 71
  identification information 72
  modifying permissions 80
  moving 80
  specifying
    IP addresses 72
    MAC addresses 72
  viewing
    service properties 77
    services 77
  with agents 67
conclusions
  described 21
  escalating based on severity 122
Confidentiality, Integrity, and Availability values
  assigning 143
Configuration service, configuring 202
configurations
  adding to
    computers 76
    organizational units 64
  Agent Configurations 210
  Agent Connection Configurations 208
  distributing
    by way of computer Service properties 77
    to computers 79
    using organizational units 79
  Manager 200
  Manager components 202
connection failures
  Information Manager Directory
    logging 207
console access rights
  adding to roles 34
contact information
  users 55
correlation manager
  described 97
  knowledge base 98
  rule set 98
correlation rules. See rules
critical systems. See assets

D
database
  alarm level 226
  archive logs 224
  backing up 221
    automatically 222
    manually 223
    to external archive 223
  capacity
    critical level 221
    viewing percentage used 220
  health monitoring 221
  job status 220
  maintenance history log 228
  purging 224
    archive logs 223
    purge types 224
  restoring from a backup 223
  safe level 226
  status indicators 221
date
  setting 176
DeepSight. See Global Intelligence Network
DeepSight Threat Management
  normalization and 129
directory. See security directory
directory service accounts 50
diskspace, configuring minimum free space 201
Distribute menu option 79
domain 174
domain access
  adding to an Information Manager appliance 78
Domain Administrator role 27
  permissions 44
domain name 174
double-byte characters, for exported Information Manager reports 203

E
effects. See EMR
email address
  notification 59
EMR
  described 131
  examples 139
  Effects values 132
  effects 132
  Mechanisms values 136
  mechanisms 133
  Resource values 138
  resources 136
environment diagram. See Visualizer
errors
  authentication 215, 217
Event Count rule setting 122
Event Criteria field 120
  operators 120
event data
  backing up 221
  purging 224
  restoring from a backup 223
event forwarding
  configuring default forwarding rule 188
  creating a forwarding rule 189
  deleting a forwarding rule 189
  described 183
  from a collection appliance 187
Event Logger 183
event logging
  configuring for Agent 210
Event to Conclusion Correlation fields 122
Events
  accessing event data in the console 158
events 127
  See also normalization
  described 21
  mapping during normalization 129
  role for viewing 29

F
failover
  configuring
    Agent to Manager 208
    Manager to Information Manager Directory 205
fields
  Event Criteria 120
  Event to Conclusion Correlation 122
  operators for event criteria 120
forwarding events. See event forwarding

G
gateway 174
Global Intelligence Network
  content updates 193
  license registration 192
  managing security content 191
  viewing status 192

H
history log
  maintenance 228
host criticality. See assets

I
incident data
  backing up 221
  purging 224
  restoring from a backup 223
Incident Forwarding
  disabling from Service Provider Master 94
incidents
  described 21
  exporting from Client Incident viewer 91
  synchronizing with Service Provider Master 94
Information Manager appliance
  adding domain access 78
  configuring for Service Provider Master 91
  Service Provider examples 86
  using as a service provider 85
Information Manager console
  creating tickets for Service Provider Master 90
  Move menu option 80
  preventing timeout 203
Information Manager Directory
  configuring failover 205
  logging connection failures 207
Information Manager Web configuration interface
  accessing 174
  described 173
installation
  collectors 186
inventory, configuring for Agent 210
IP address 174
  specifying for computers 72
IP Watch list 101

K
knowledge base
  configuring tables 101
  correlation manager 98

L
LDAP backup. See security directory
ldifbackup file 216
Linux account 49
LiveUpdate 197
  normalization and 129
  running from Information Manager Web configuration interface 197
logging
  configuring for Agent 210
logon failure, configuring blacklisting 212
Lookup Tables 101
  user-defined 106

M
MAC addresses
  specifying for computers 72
Manager
  configuring 200, 202
    Agent connections 208
    Manager connections 204
mechanisms. See EMR
minimum free disk space, configuring 201

N
network settings
  changing 174
Network table 128
networks
  specifying 181
normalization
  described 127
  example 129
  files 129
  modifying 129
notification
  email address 59
  user information 59
    email address 59
    pager numbers 60
    times 61
NTP server
  specifying 176

O
operators
  Event Criteria 120
Organization Domains watchlist 101
organizational units
  adding computers to 68
  creating 64
  deleting 67
  deleting computers 81
  description 63
  distributing configurations 79
  editing 66
  modifying permissions 66
  moving computers 80
  name length limits 65

P
pager numbers 60
password
  Information Manager Web configuration interface default 174
passwords
  changing 55, 176
  customizing policies for 51
  security recommendation 50
permissions 34
  See also access rights
  description 44
  in roles 36, 37
  modification examples 41
  modifying 46
    computers 80
    organizational units 66
  propagating 45
  user 61
Permissions dialog box 46
policy
  adding 181
purging data
  automatically 225
  manually 227
  purge types 224
  size-based purge 226

R
RBAC. See Role Based Access Control
reboot. See restarting
RegEx 19
reports, exporting
  configuring character set 203
resources. See EMR
restarting 177
restoring
  security directory 216
Role Based Access Control 19
role membership
  assigning to users 56
roles
  adding users 33
  console access rights 34
  creating 29
  deleting 43
  description 27
  Domain Administrator 27
    permissions 44
  editing 32
  management of policies and configurations 29
  permissions 37
    examples 41
  planning 28
  product access assignment
    modifying 35
  SES Administrator 27
    permissions 44
  SIM permissions 36
  viewing events 29
rules
  categories 115
  components 115
  creating 108
  criteria 116
  custom 111
  default 98
  development process 112
  editor 122
  enabling/disabling 107
  settings 122
  strategy 111
  test feature 113
  tuning 113
  types 116

S
security certificates 235
  managing 236
security directory
  backing up 215
  registering a collection appliance 185
  restoring 216
security domain
  registering with 187
security environment diagram. See Visualizer
security policy
  adding 181
Sensitive Files list 101
Sensitive URLs list 101
service provider
  configuring client management accounts 92
  minimum requirements for Information Manager 85
  See also Service Provider Master
Service Provider Master
  configuring client 91
  configuring Information Manager as 91
  customizing the Incidents tile 88
  disconnecting a client from 94
  overview and examples 86
  synchronizing with client incidents 94
  viewing client incidents 89
services
  viewing for a computer 77
  viewing properties 77
SES Administrator role 27
  permissions 44
shutdown 177
Span rule setting 122
standard event code 127
state information, configuring for Agent 210
Subcategory field. See EMR
Symantec Event Code 128
Symantec Security Information Manager
  about 17
  configuration process overview 179
  features 18
  functional overview 20
Symantec Signature
  incident mapped to 128
system criticality. See assets

T
Table Size rule setting 122
Tables
  Lookup 101
tables
  aggregation 122
tablespace containers 219
technical support 23
throttling, configuring 200
time
  setting 176
  specifying NTP server 176
timeout, preventing, in Information Manager console 203

U
user groups
  creating 54
  deleting 62
  managing the composition of 57
  modifying 61
users
  adding to a role 33
  assigning role membership 56
  business information 55
  contact information 55
  creating 52
  deleting 62
  description 50
  notification information 59
    email addresses 59
    notification times 61
    pager numbers 60
  permissions 61
  properties 55

V
viewing
  maintenance history log 228
Visualizer
  about 73
  modifying properties 75
  tools 74

W
Web server, configuring 200
Windows Events list 101