Page 1: Symantec Security Information Manager 4.7.4 User Guide (vox.veritas.com/.../Symantec_Security...User_Guide.pdf)

Symantec™ Security Information Manager 4.7.4 User Guide


Symantec™ Security Information Manager 4.7.4 User Guide

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version: 4.7.4

Legal Notice

Copyright © 2011 Symantec Corporation. All rights reserved.

Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.


Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

http://www.symantec.com


Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec’s support offerings include the following:

■ A range of support options that give you the flexibility to select the right amount of service for any size organization

■ Telephone and/or web-based support that provides rapid response and up-to-the-minute information

■ Upgrade assurance that delivers software upgrades

■ Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis

■ Premium service offerings that include Account Management Services

For information about Symantec’s support offerings, you can visit our web site at the following URL:

www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Contacting Technical Support

Customers with a current support agreement may access Technical Support information at the following URL:

www.symantec.com/business/support/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:

■ Product release level


■ Hardware information

    ■ Available memory, disk space, and NIC information

■ Operating system

    ■ Version and patch level

■ Network topology

    ■ Router, gateway, and IP address information

■ Problem description:

    ■ Error messages and log files

    ■ Troubleshooting that was performed before contacting Symantec

    ■ Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support web page at the following URL:

www.symantec.com/business/support/

Customer service

Customer service information is available at the following URL:

www.symantec.com/business/support/

Customer Service is available to assist with non-technical questions, such as the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates, such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information about product updates and upgrades

■ Information about upgrade assurance and support contracts

■ Information about the Symantec Buying Programs

■ Advice about Symantec's technical support options

■ Nontechnical presales questions

■ Issues that are related to CD-ROMs or manuals


Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:

[email protected] and Japan

[email protected], Middle-East, and Africa

[email protected] America and Latin America

Additional enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively.

Enterprise services that are available include the following:

Managed Services
Managed Services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.

Consulting Services
Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring, and management capabilities. Each is focused on establishing and maintaining the integrity and availability of your IT resources.

Education Services
Education Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about enterprise services, please visit our web site at the following URL:

www.symantec.com/business/services/

Select your country or language from the site index.


Contents

Technical Support ... 4

Section 1 Introducing Symantec Security Information Manager ... 15

Chapter 1 Overview ... 17

About Symantec Security Information Manager ... 17
What's new in this release ... 18
    New features ... 19
About workflow in Information Manager ... 20
About Information Manager components ... 21
    About security products and devices ... 22
    About event collectors ... 22
    About Information Manager servers ... 23
    About the Symantec Global Intelligence Network ... 23
    About the Information Manager Web service ... 23
About estimating system performance ... 24

Chapter 2 Symantec Security Information Manager Console ... 29

About the Information Manager console ... 29
    About the Dashboard view ... 30
    About the Intelligence view ... 31
    About the Incidents view ... 32
    About the Events view ... 35
    About the Tickets view ... 37
    About the Assets view ... 39
    About the Reports view ... 41
    About the Rules view ... 44
    About the System view ... 61
    About the Statistics view ... 62
About the features of the Information Manager console ... 63
    About the incident and the alert monitors ... 63
    About the event activity monitor ... 64


    About the Notes feature ... 64
    Creating and editing notes ... 65
    Searching the notes ... 66
    About user actions ... 68
    Creating and modifying user actions ... 68
Opening the Information Manager console from the command line ... 69
Changing a password ... 70

Chapter 3 Symantec Security Information Manager Web configuration interface ... 71

About the Information Manager server Web configuration interface ... 71
Accessing the Web configuration interface ... 72
About the features of the Web configuration interface ... 72

Section 2 Planning for security management ... 77

Chapter 4 Managing the correlation environment ... 79

About the Correlation Manager ... 79
About the Correlation Manager knowledge base ... 80
About the default rules set ... 80

Chapter 5 Defining rules strategy ... 85

About creating the right rule set for your business ... 85
About defining a rules strategy ... 87
About correlation rules ... 87
About rule conditions ... 88
    About rule types ... 89
    About event criteria ... 93
About the Event Count, Span, and Table Size rule settings ... 96
About the Tracking Key and Conclusion Creation fields ... 96
About the Correlate By and Resource fields ... 98
Importing existing rules ... 99
Creating custom correlation rules ... 100
    Creating a multicondition rule ... 104
    Creating a correlation rule based on the X not followed by Y rule type ... 107
    Creating a correlation rule based on the X not followed by X rule type ... 109



    Creating a correlation rule for the Y not preceded by X rule type ... 111
    Creating a correlation rule for the Lookup Table Update ... 113
Enabling and disabling rules ... 115
Working with the Lookup Tables window ... 115
    Creating a user-defined Lookup Table ... 120
    Importing Lookup Tables and records ... 121

Section 3 Getting started with the Information Manager ... 123

Chapter 6 Configuring the Console ... 125

About configuring Information Manager ... 125
Identifying critical systems ... 126
Adding a policy ... 127
Specifying networks ... 128
About customizations for a Service Provider Master console ... 129

Chapter 7 Managing roles and permissions ... 131

About managing roles ... 131
    About the administrator roles ... 132
    About the default roles in the Information Manager server ... 132
    About planning for role creation ... 133
    Creating a role ... 134
    Editing role properties ... 140
    Deleting a role ... 149
About working with permissions ... 149
    About permissions ... 150
    About the propagation of permissions ... 151
    Modifying permissions from the Permissions dialog box ... 152

Chapter 8 Managing users and user groups ... 155

About users and passwords ... 155
Customizing the password policy ... 157
Creating a new user ... 158
Creating a user group ... 160
About editing user properties ... 161
    Changing a user’s password ... 162
    Specifying user business and contact information ... 162
    Managing role assignments and properties ... 163



    Managing user group assignments ... 164
    Specifying notification information ... 166
About modifying user permissions ... 168
Modifying a user group ... 168
Deleting a user or a user group ... 169
About integrating Active Directory with the Information Manager server ... 170
    Managing Active Directory configurations ... 170

Chapter 9 Managing organizational units and computers ... 173

About organizational units ... 173
About managing organizational units ... 173
    Creating a new organizational unit ... 174
    About determining the length of the organizational unit name ... 175
    Editing organizational unit properties ... 176
    About modifying organizational unit permissions ... 176
    Deleting an organizational unit ... 177
About managing computers within organizational units ... 177
    Creating computers within organizational units ... 178
    About editing computer properties ... 179
    Distributing configurations to computers in an organizational unit ... 197
    Moving a computer to a different organizational unit ... 198
    About modifying computer permissions ... 199
    Deleting a computer from an organizational unit ... 199

Section 4 Understanding event collectors ... 201

Chapter 10 Introducing event collectors ... 203

About Event Collectors and Information Manager ... 203
Components of collectors ... 204
About Symantec Universal Collectors ... 205
About Custom Log Management ... 205
Downloading and installing the Symantec Universal Collectors ... 207
Correlating the logs collected in a file from a proprietary application ... 208



Chapter 11 Configuring collectors for event filtering and aggregation ... 211

Configuring event filtering ... 211
Configuring event aggregation ... 214

Section 5 Working with events and event archives ... 219

Chapter 12 Managing event archives ... 221

About events, conclusions, and incidents ... 221
About the Events view ... 222
About the event lifecycle ... 222
About event archives ... 224
About multiple event archives ... 224
Creating new event archives ... 225
Specifying event archive settings ... 226
Creating a local copy of event archives on a network computer ... 227
Restoring event archives ... 228
Viewing event data in the archives ... 230
    About the event archive viewer right pane ... 231
    Manipulating the event data histogram ... 231
    Setting a custom date and time range ... 232
    About viewing event details ... 232
    Modifying the format of the event details table ... 233
    Searching within event query results ... 235
    Filtering event data ... 235
About working with event queries ... 239
    Using the Source View query and Target View query ... 240
    Creating query groups ... 241
    Querying across multiple archives ... 241
    Creating custom queries ... 242
    Editing queries ... 248
    Managing the color scheme that is used in query results ... 249
    About querying for IP addresses ... 250
    Importing queries ... 250
    Exporting queries ... 251
    Publishing queries ... 251
    Scheduling queries that can be distributed as reports ... 337
    Deleting queries ... 253


Chapter 13 Forwarding events to the Information Manager Server ... 255

About forwarding events to an Information Manager server ... 255
About registering a security directory ... 257
Registering Collectors ... 258
Registering with a security domain ... 259
Activating event forwarding ... 260
Stopping event forwarding ... 263

Chapter 14 Understanding event normalization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265

About event normalization ... 265
About normalization (.norm) files ... 267

Chapter 15 Collector-based event filtering and aggregation ... 269

About collector-based event filtering and aggregation ... 269
About identifying common events for collector-based filtering or aggregation ... 271
About preparing to create collector-based rules ... 272
Accessing event data in the Information Manager console ... 274
Creating collector-based filtering and aggregation specifications ... 275
Examples of collector-based filtering and aggregation rules ... 277

Filtering events generated by specific internal networks ... 277
Filtering common firewall events ... 278
Filtering common Symantec AntiVirus events ... 281
Filtering or aggregating vulnerability assessment events ... 282
Filtering Windows Event Log events ... 283

Section 6 Working with incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287

Chapter 16 Managing Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289

About incident management ... 289
Incident identification ... 290
Example: Information Manager automates incident management during a Blaster worm attack ... 291
Threat containment, eradication, and recovery ... 291
Follow-up ... 291

Viewing incidents ... 291
About the incident list ... 292


Viewing and modifying the incident list ... 293
About creating and modifying incidents ... 294

Creating incidents manually ... 295
Modifying incidents ... 296
Merging incidents ... 297

Closing an incident ... 298
Reopening a closed incident ... 299
Printing incident details ... 299
Printing the incident, ticket, or asset list ... 300
Exporting the incident, ticket, or asset list ... 300
Assigning incidents automatically to the least busy member in a user group ... 302

Chapter 17 Working with filters in the Incidents view . . . . . . . . . . . . . . . . . . . . 303

About filtering incidents ... 303
Modifying a custom filter ... 303
Creating a custom filter ... 304
Deleting a custom filter ... 304
Searching within incident filtering results ... 305

Section 7 Working with tickets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307

Chapter 18 Managing tickets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309

About tickets ... 309
About creating tickets ... 310
Creating a ticket manually ... 310
Creating a ticket category ... 311
Viewing tickets ... 312
About the Ticket Details window ... 312
Viewing tickets associated with a specific incident ... 313
Setting ticket task dispositions ... 314
Changing the priority of a ticket ... 314
Adding a ticket note ... 315
Closing a ticket ... 315
Printing the ticket list ... 316

Chapter 19 Working with filters in Tickets view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317

Filtering tickets ... 317
Modifying a custom ticket filter ... 318
Deleting a custom ticket filter ... 319


Chapter 20 Working with Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321

About the Assets view ... 321
Importing assets into the Assets table ... 323

Section 8 Working with reports and dashboards . . . . . . . . . 325

Chapter 21 Managing reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327

Working with reports ... 327
About reports ... 327
Creating custom reports ... 327
Creating a report group or folder ... 330
Editing tabular queries in reports ... 331
Publishing reports ... 331
Enabling the email distribution of reports ... 332
Scheduling and distributing reports ... 333
Scheduling queries that can be distributed as reports ... 337
Modifying the report distribution ... 338
Viewing reports ... 339
Configuring a report for portrait or landscape mode ... 340
Printing and saving reports ... 341
Exporting reports ... 341
Importing reports ... 342

Performing a drill-down on reports ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343

Chapter 22 Managing dashboards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345

About the dashboard ... 345
Viewing dashboards ... 346
Viewing queries in the Dashboard ... 348
Performing a drill-down on dashboards ... 348
Refreshing the dashboard ... 349
Customizing the dashboard ... 350

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351


Section 1 Introducing Symantec Security Information Manager

■ Chapter 1. Overview

■ Chapter 2. Symantec Security Information Manager Console

■ Chapter 3. Symantec Security Information Manager Web configuration interface


Chapter 1 Overview

This chapter includes the following topics:

■ About Symantec Security Information Manager

■ What's new in this release

■ About workflow in Information Manager

■ About Information Manager components

■ About estimating system performance

About Symantec Security Information Manager

Information Manager provides real-time event correlation and data archiving to protect against security threats and to preserve critical security data. Information Manager collects and archives security events from across the enterprise. These events are correlated with the known asset vulnerabilities and current security information from the Global Intelligence Network. The resulting information provides the basis for real-time threat analysis and security incident identification. Information Manager archives the security data for forensic and regulatory compliance purposes.

Information Manager collects, analyzes, and archives information from security devices, critical applications, and services, such as the following:

■ Firewalls

■ Routers, switches, and VPNs

■ Enterprise antivirus

■ Intrusion detection systems and Intrusion Prevention Systems

■ Vulnerability scanners


■ Authentication servers

■ Windows and UNIX system logs

Information Manager provides the following features to help you recognize and respond to threats in your enterprise:

■ Normalization and correlation of events from multiple vendors.

■ Event archives to retain events in both their original (raw) and normalized formats.

■ Distributed event filtering and aggregation to ensure that only relevant security events are correlated.

■ Real-time security intelligence updates from the Global Intelligence Network. These updates keep you apprised of global threats and let you correlate internal security activity with external threats.

■ Customizable event correlation rules to let you fine-tune threat recognition and incident creation for your environment.

■ Security incident creation, ticketing, tracking, and remediation for quick response to security threats. Information Manager prioritizes incidents based upon the security policies that are associated with the affected assets.

■ An Event Viewer that lets you easily mine large amounts of event data and identify the computers and users that are associated with each event.

■ A client-based console from which you can view all security incidents and drill down to the related event details. These details include affected targets, associated vulnerabilities, and recommended corrective actions.

■ Predefined and customizable queries to help you demonstrate compliance with the security and the data retention policies in your enterprise.

■ A Web-based configuration interface that lets you view and customize the dashboard, configure settings, and manage events, incidents, and tickets remotely. You can download various utilities and perform routine maintenance tasks such as backup and restore. You can use the custom logs feature with the universal collectors to collect and map information from devices for which standard collectors are not available.

What's new in this release

Information Manager 4.7.4 contains enhanced features. It also includes fixes for the known issues that existed in the previous versions.

See “New features” on page 19.


New features

Information Manager 4.7.4 includes the following new features, in addition to fixes for known issues:

Symantec SIEM 9700 Series appliances

SSIM Web Start Client

Role-based access to the Event Query Templates

Navigation option for Event Storage Rules list

Symantec SIEM 9700 Series appliances

Symantec SIEM 9700 Series appliances are scalable security information and event management appliances. These appliances provide reliable performance with Information Manager software. The SIEM 9700 Series comprises three models: the 9750, the 9751, and the 9752. Each model provides 3.9TB of redundant event storage and dedicated Remote Management Module features to allow remote management of the appliance. In addition, the 9751 and 9752 provide enterprise connectivity through 8GB Fibre Channel. Each physical appliance can be combined seamlessly with virtual appliances to ease interoperability.

For more information, see the following guides:

■ Symantec SIEM 9700 Series Appliances Maintenance Guide

■ Symantec SIEM 9700 Series Appliances Installation Guide

■ Symantec SIEM 9700 Series Appliances Product Description Guide

■ Symantec SIEM 9700 Series Appliances Hardware Troubleshooting Guide

■ Symantec SIEM 9700 Series Appliances Safety Guide

See “New features” on page 19.

SSIM Web Start Client

By using the SSIM Web Start Client, you can now reach the Information Manager console directly without downloading and installing the Information Manager console.

The Launch SSIM Web Start Client link, which is located on the logon page of the Information Manager Web configuration interface, launches the Information Manager console. You can also access this link from the Downloads option on the Home view of the Web configuration interface.

See “New features” on page 19.


Role-based access to the Event Query Templates

In Information Manager, an administrator can restrict a user's access to Event Query Templates. Access to Event Query Templates is controlled by the View Event Query Templates permission that is granted to a role. By default, this permission is enabled for new roles.

If the View Event Query Templates permission is disabled for a role, users who are assigned that role cannot access the Templates folder in the Events view. If the permission is enabled for a role, users who are assigned that role can access and run the Event Query Templates.

See “Enabling access to the Event Query Templates” on page 142.

See “New features” on page 19.

Navigation option for Event Storage Rules list

A Move to top option and a Move to bottom option are now available in the Event Storage Rules list. These options move a rule directly to the top or to the bottom of the list.

See “New features” on page 19.

About workflow in Information Manager

The Symantec Security Information Manager workflow includes the following steps:

■ Event collectors gather events from Symantec and third-party point products.
See “About Event Collectors and Information Manager” on page 203.

■ Events are filtered and aggregated.
See “Configuring event filtering” on page 211.
See “Configuring event aggregation” on page 214.

■ Symantec Event Agent forwards both the raw and the processed events to the Information Manager server.
See “About forwarding events to an Information Manager server” on page 255.
See “Activating event forwarding” on page 260.

■ The Information Manager server stores the event data in event archives.
See “About event archives” on page 224.

■ The Information Manager server correlates the events with threat and asset information based on the various correlation rules.
See “About the Correlation Manager” on page 79.


■ Information Manager security events trigger a correlation rule and create a security incident.
See “About incident management” on page 289.
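The workflow above, reduced to a toy pipeline as an added example (this is illustration code written for this page, not Information Manager's own code or its .norm format): two constructed vendor log formats are translated into one common schema, "allow" events are filtered out at the collector stage, repeated denies from one source are aggregated into a single counted event, and a simple correlation rule turns the aggregated stream into an incident. The log formats, schema fields, event-type vocabulary, and the rule threshold are all assumptions.

```python
"""Toy version of the collect -> filter/aggregate -> archive -> correlate -> incident workflow.
Added example: log formats, schema and rule are assumptions, not Information Manager's own."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample lines in two hypothetical vendor formats (a firewall and an IDS).
RAW_EVENTS = [
    'FW1 2011-03-01T10:00:01 action=DENY src=10.0.0.5 dst=192.0.2.10 dport=445',
    'FW1 2011-03-01T10:00:02 action=DENY src=10.0.0.5 dst=192.0.2.11 dport=445',
    'FW1 2011-03-01T10:00:03 action=DENY src=10.0.0.5 dst=192.0.2.12 dport=445',
    'FW1 2011-03-01T10:00:04 action=ALLOW src=10.0.0.7 dst=192.0.2.10 dport=443',
    '<134>Mar  1 10:00:05 ids01 sig="SMB probe" severity=3 from=10.0.0.5 to=192.0.2.10',
    'garbage line the collector cannot parse',
]


@dataclass(frozen=True)
class NormalizedEvent:
    """Common schema every collector maps into (hypothetical field set)."""
    device: str
    event_type: str   # shared vocabulary: fw_deny, fw_allow, ids_alert
    src_ip: str
    dst_ip: str
    severity: int


FW_RE = re.compile(r'^(?P<dev>\S+) \S+ action=(?P<action>\w+) src=(?P<src>\S+) '
                   r'dst=(?P<dst>\S+) dport=\d+$')
IDS_RE = re.compile(r'^<\d+>.* (?P<dev>\S+) sig="[^"]+" severity=(?P<sev>\d+) '
                    r'from=(?P<src>\S+) to=(?P<dst>\S+)$')


def normalize(raw):
    """Translate one vendor-specific line into the common schema; None if unparseable."""
    m = FW_RE.match(raw)
    if m:
        etype = 'fw_deny' if m['action'] == 'DENY' else 'fw_allow'
        return NormalizedEvent(m['dev'], etype, m['src'], m['dst'], 2 if etype == 'fw_deny' else 0)
    m = IDS_RE.match(raw)
    if m:
        return NormalizedEvent(m['dev'], 'ids_alert', m['src'], m['dst'], int(m['sev']))
    return None


def filter_events(events, drop_types=('fw_allow',)):
    """Collector-side filtering: drop event types the correlation engine does not need."""
    return [e for e in events if e.event_type not in drop_types]


def aggregate(events):
    """Collector-side aggregation: collapse events sharing (type, source) into one plus a count."""
    first, counts = {}, defaultdict(int)
    for e in events:
        key = (e.event_type, e.src_ip)
        first.setdefault(key, e)
        counts[key] += 1
    return [(first[k], counts[k]) for k in first]


def correlate(aggregated, deny_threshold=3):
    """Toy correlation rule: a source with >= threshold denies that also tripped an IDS alert
    becomes one incident (threshold and rule logic are assumptions)."""
    denies = {e.src_ip: n for e, n in aggregated if e.event_type == 'fw_deny'}
    alerts = {e.src_ip for e, _ in aggregated if e.event_type == 'ids_alert'}
    return [{'src_ip': src, 'deny_count': n, 'title': 'Repeated denies confirmed by IDS'}
            for src, n in denies.items() if n >= deny_threshold and src in alerts]


def run_pipeline(raw_lines):
    """Run all stages and report what each stage produced."""
    normalized = [e for e in map(normalize, raw_lines) if e is not None]
    # The archive keeps both the raw and the normalized copy; here we only count them.
    archived = {'raw': len(raw_lines), 'normalized': len(normalized)}
    forwarded = filter_events(normalized)          # only relevant events are correlated
    aggregated = aggregate(forwarded)
    incidents = correlate(aggregated)
    return {'archived': archived, 'forwarded': len(forwarded),
            'aggregated': len(aggregated), 'incidents': incidents}


if __name__ == '__main__':
    print(run_pipeline(RAW_EVENTS))
```

Filtering happens before aggregation so that dropped event types never consume aggregation state, and the raw line count is kept separately from the normalized count so an unparseable line is visible as a collector gap rather than silently lost.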

About Information Manager components

Symantec Security Information Manager has the following components:

■ Security products and devices
See “About security products and devices” on page 22.

■ Event collectors
See “About event collectors” on page 22.

■ Information Manager servers
See “About Information Manager servers” on page 23.

■ Global Intelligence Network
See “About the Symantec Global Intelligence Network” on page 23.

■ Web service
See “About the Information Manager Web service” on page 23.

Figure 1-1 Components in an Information Manager setup


About security products and devices

The security products and devices in your enterprise can generate overwhelming amounts of security data. Many firewalls can generate over 500 GB of security data per day; intrusion detection systems can trigger over 250,000 alerting incidents per week. Most security products store event data in a proprietary format, accessible only by the tools that the security products provide. To secure your enterprise effectively, you need to collect, normalize, and analyze the data from all parts of your enterprise.

See “About Information Manager components” on page 21.

About event collectors

Event collectors gather security events from a variety of event sources, such as databases, log files, and syslog applications. Event collectors translate the event data into a standard format, and optionally filter and aggregate the events. The event collectors then send the events to Symantec Security Information Manager. You can configure event collectors to also send the event data in its original format.

You install event collectors either on the security product computer or at a location with access to the security product events. To facilitate installation and setup, event collectors for third-party firewalls are preinstalled on the Information Manager server. After the event collector is registered with Information Manager, you can configure event collector settings from the Information Manager console. The event collector settings include the event source specification and any event filter or aggregation rules.

Symantec provides event collectors for the following types of products:

■ Firewalls

■ Routers, switches, and VPNs

■ Intrusion detection and prevention systems

■ Vulnerability scanners

■ Web servers, filters, and proxies

■ Databases

■ Mail and groupware

■ Enterprise antivirus

■ Microsoft authentication services

■ Windows and UNIX system logs


For access to the extensive library of event collectors, visit Symantec support at the following Web site:

http://www.symantec.com/enterprise/support/

See “About Information Manager components” on page 21.

About Information Manager servers

Symantec Security Information Manager is hardware independent. You can install the Information Manager server on any approved hardware that meets the minimum system requirements.

You can deploy one or more Information Manager servers in various roles to satisfy the event gathering, archiving, and event correlation requirements for your enterprise. To account for traffic variation, a single Information Manager is only recommended for a security environment that generates up to 1,000 events per second (EPS) on average and that requires a maximum of 4 MB to 8 MB per day of event data storage. To increase the overall event processing rate, you can add multiple load sharing Information Managers to your deployment. You can configure each server for dedicated event collection, event archiving, or event correlation. In most cases, a combination of multiple servers that share the event and the incident processing load is preferred.

See “About Information Manager components” on page 21.

About the Symantec Global Intelligence Network

Information Manager has access to current vulnerability, attack pattern, and threat resolution information from the Threat and Vulnerability Management Service. The Symantec Global Intelligence Network powers the Threat and Vulnerability Management Service. The Symantec Global Intelligence Network is a comprehensive collection of vendor-neutral security data sources. The service is an authoritative source of information about known and emerging vulnerabilities, threats, risks, and global attack activity.

See “About Information Manager components” on page 21.

About the Information Manager Web service

The Web service of Symantec Security Information Manager lets you securely access and update the data that is stored on a server. You can use the Web service to publish event, asset, incident, ticket, and system setting information. You can also use the Web service to integrate Information Manager with help desk, inventory, or notification applications.

See “About Information Manager components” on page 21.


For more information on interfacing your application to use the Web service, see the application documentation or your application vendor.

About estimating system performance

To determine the performance of an Information Manager server or set of servers, consider your unique environment. Information Manager integrates with a wide range of event collectors, and by nature requires the customization of settings to match each environment. Hence, the physical performance depends greatly on the collectors and settings that you choose.

The events per second (EPS) rates that were observed under optimal circumstances are provided here for general planning purposes. You can create a rough estimate of system performance from the information in these tables. However, system performance may vary widely from these figures depending on your specific environment. Adjust your estimates over time as your policies, settings, and storage requirements are refined.

Table 1-1 lists the details of the hardware models that were used to test the performance of the various roles of the Symantec Security Information Manager server.

The other tables list the roles in Information Manager on which the hardware models were tested. In addition, the tables list the corresponding methods by which performance is calculated for each role.

Table 1-1 Hardware model specifications

| Hardware | CPU | Cache size | Processor type | RAM |
|---|---|---|---|---|
| HP DL 380 | Intel Xeon CPU E5430 @ 2.66 GHz | 6144 KB | Single Quad Core processor | 32 GB |
| HP DL 360 | Intel Xeon CPU E5405 @ 2.00 GHz | 6144 KB | Single Dual Core processor | 8 GB, 16 GB |
| IBM™ X3550 | Intel Xeon CPU E5430 @ 2.66 GHz | 6144 KB | Single Dual Core processor | 8 GB, 16 GB |
| Dell™ R610 | Intel Xeon CPU E5520 @ 2.27 GHz | 8192 KB | Double Quad Core processor | 8 GB |
| Dell R710 | Intel Xeon CPU E5520 @ 2.27 GHz | 8192 KB | Double Quad Core processor | 16 GB |


Table 1-1 Hardware model specifications (continued)

| Hardware | CPU | Cache size | Processor type | RAM |
|---|---|---|---|---|
| Dell 1950 | Intel Xeon CPU E5320 @ 1.86 GHz | 4096 KB | Single Quad core processor | 16 GB |
| Dell 2950 | Intel Xeon CPU E5410 @ 2.33 GHz | 6144 KB | Single Quad core processor | 16 GB |
| Dell R710 | Intel Xeon CPU E5640 @ 2.67 GHz | 12 MB | Double Quad Core processor | 32 GB |

The tables that follow provide the typical EPS rates that are observed under test conditions for the recommended hardware in various roles. These numbers are intended as sample guidelines only, and vary greatly with each deployment.

Table 1-2 Performance figures for HP DL 380 with 32 GB RAM

CPU utilizationOutput EPSInput EPSRole

60%1000010000All in One

55%910010000Collection only

29%1300013000Correlation only

53%1200012000Collection + Archive

Table 1-3 Performance figures for Dell R710 with 16 GB RAM

Role                  Input EPS  Output EPS  CPU utilization
All in One            10000      10000       43%
Collection only       10000      9400        40%
Correlation only      12000      12000       23%
Collection + Archive  12000      10450       40%

Table 1-4 Performance figures for Dell R610 with 8 GB RAM

Role                  Input EPS  Output EPS  CPU utilization
All in One            10000      8450        86%
Collection only       10000      9000        74%
Correlation only      12000      10650       86%
Collection + Archive  10000      8300        76%

Table 1-5 Performance figures for HP DL 380 with 16 GB RAM

Role                  Input EPS  Output EPS  CPU utilization
All in One            10000      10000       60%
Collection only       10000      9100        55%
Correlation only      12000      12000       37%
Collection + Archive  12000      12000       53%

Table 1-6 Performance figures for HP DL 380 with 8 GB RAM

Role                  Input EPS  Output EPS  CPU utilization
All in One            10000      10000       60%
Collection only       10000      9000        52%
Correlation only      12000      12000       38%
Collection + Archive  10000      10000       57%

Table 1-7 Performance figures for IBM X3550 with 16 GB RAM

Role                  Input EPS  Output EPS  CPU utilization
All in One            10000      9000        90%
Collection only       12000      11000       75%
Correlation only      12000      10590       84%
Collection + Archive  10000      7800        75%

Table 1-8 Performance figures for Dell 2950 with 16 GB RAM

Role                  Input EPS  Output EPS  CPU utilization
All in One            10000      10000       60%
Collection only       12000      12000       23%
Correlation only      12000      12000       34%
Collection + Archive  10000      10000       50%

Table 1-9 Performance figures for Dell 1950 with 16 GB RAM

Role                  Input EPS  Output EPS  CPU utilization
All in One            10000      8600        60%
Collection only       10000      10000       55%
Correlation only      12000      12000       42%
Collection + Archive  10000      10000       52%

Table 1-10 Performance figures for HP DL 360 with 8 GB RAM

Role                  Input EPS  Output EPS  CPU utilization
All in One            8000       8000        82%
Collection only       12000      12000       50%
Correlation only      10000      10000       86%
Collection + Archive  8000       8000        76%

Table 1-11 Performance figures for HP DL 360 with 16 GB RAM

Role                  Input EPS  Output EPS  CPU utilization
All in One            7000       7000        82%
Collection only       10000      9700        80%
Correlation only      10000      10000       80%
Collection + Archive  10000      10000       75%


Table 1-12 Roles for performance calculation of hardware models

All in One
    Performance is calculated on an Information Manager server which performs the role of a collection server, an archiving server, and a correlation server.

Collection only
    Performance is calculated on a collection server of a two-server, multiappliance setup. This setup consists of a collection server and a server performing the role of an archiving server and a correlation server.

Correlation only
    Performance is calculated on a correlation server of a two-server, multiappliance setup. This setup consists of a server performing the role of a forwarding server as well as of an archiving server and a correlation server.

Collection + Archive
    Performance is calculated on a server which performs the role of a collection server and of an archiving server of a two-server, multiappliance setup. This setup consists of a server performing the role of a collection server as well as of an archiving server and a correlation server.

The details of the setup that was used for the performance estimation are as follows:

■ The test run was performed with the summarizers turned off.
Symantec recommends that you disable summarizers on the Web configuration interface if you do not use summary queries. Summarizers are maintained in Symantec Security Information Manager 4.7 only to provide backward compatibility with previous versions of Information Manager.

■ The test run used a run feeder tool with an archive comprised of WEC, Juniper NetScreen, and Cisco PIX events.

■ The average event size that was used for the performance tests is 512 bytes.

■ The time span used to calculate the EPS for each test was 15 minutes, and the total time for the test was 67 hours.

See “About Symantec Security Information Manager” on page 17.


Chapter 2: Symantec Security Information Manager Console

This chapter includes the following topics:

■ About the Information Manager console

■ About the features of the Information Manager console

About the Information Manager console

You must install the Java client of the Information Manager on a Microsoft Windows 2000, 2003, XP, or Vista computer to access the console. The client can be downloaded from the Home > Downloads view of the Web configuration interface.

The console of the Information Manager client enables you to perform the following security monitoring functions:

■ Define rules to identify security incidents.

■ Identify critical network hosts.

■ View Symantec Global Intelligence Network information.

■ Manage incidents.

■ Manage tickets.

■ Create reports.

■ Perform Service Provider management tasks.


The console consists of the following views that help you manage the Information Manager Server:

■ Dashboard view

■ Intelligence view

■ Incidents view

■ Events view

■ Tickets view

■ Assets view

■ Reports view

■ Rules view

■ System view

■ Statistics view

See “About Information Manager components” on page 21.

About the Dashboard view

The Dashboard view on the console of the Information Manager client provides a high-level view of the critical security information in your environment.

Information Manager users can customize the dashboard to display the required event, ticket, and incident information.

The Dashboard view provides an overview of the incident activity that is presented in the following default set of queries:

■ Closed incident count for each assignee by priority

■ Closed incident count for each assignee by severity

■ Open incident count for each assignee by severity

■ Open incident count for each assignee by priority

■ Count of both open incident and closed incident by assignee

■ Incidents count for each of the last seven days

The toolbar of the Dashboard view presents the following options:

Refresh
    Refreshes the queries.

Turn Auto Refresh On
    Toggles the automatic refresh of the dashboard queries.
    When Auto Refresh is on, the dashboard queries are refreshed every five minutes, by default.

Add
    Lets you add a new query to the dashboard.

Delete
    Lets you remove a query from the dashboard.
    You can also remove the query by closing the query window.

Tile
    Tiles the dashboard charts.

Cascade
    Cascades the dashboard charts.

See “Viewing dashboards” on page 346.

See “Customizing the dashboard” on page 350.

About the Intelligence view

The Intelligence view displays the security information that the Symantec Global Intelligence Network gathers. The Symantec Global Intelligence Network is a comprehensive collection of vendor-neutral security data sources. The service is an authoritative source of information about known and emerging vulnerabilities, threats, risks, and global attack activity.

The Intelligence view provides information about the current ThreatCon level. It also provides advice and instructions on how to guard against and respond to the current threats.

The Intelligence view presents detailed information under the following tabs:

Analyst Watch
    The Analyst Watch tab provides information about IP addresses and URLs known to be involved in malicious activity.

IDS Statistics
    The IDS Statistics tab displays the five most frequently occurring intrusion detection events. It also lists offending ISPs, IP addresses, destination ports, attack products, and source and destination countries.

Firewall Statistics
    The Firewall Statistics tab displays the top five ports on the rise and lists offending ISPs, IP addresses, destination ports, and source and destination countries.

AntiVirus Statistics
    The AntiVirus Statistics tab displays the five most frequent corporate and consumer virus sample submissions.

Honeynet
    The Honeynet tab displays up-to-date information from the Symantec Global Intelligence Network and data analysis of threats in the wild.

Note: The features that appear on the Intelligence view may vary depending on the type of Global Intelligence Network services subscription that you have purchased. Contact your Symantec sales representative for more information.

See “About the Information Manager console” on page 29.

About the Incidents view

The Incidents view lets you look at and manage Information Manager incidents.

You can customize the Incidents view by selecting from the security filters or the alert filters, or by creating your own custom filter. When you select an incident filter, the incident list displays only the incidents that satisfy the filter criteria.

Selecting an incident in the list updates the incident pane with the detailed information for the selected incident. To update the incident, modify the incident attributes and click Save. To maximize or minimize the display area for the incident pane, click the expand or collapse arrow in the upper-left corner.

Double-clicking an incident in the list opens the Incident Details dialog box. To update the incident, modify the incident information and then click the Save icon. To export the incident details, click the Export icon. The incident details are exported to a CSV file that you can save to the desired location on your computer. To edit multiple incidents, highlight the incidents, and edit the settings in the Details tab.

From the Incidents view toolbar, you can perform the following tasks:

■ Select a filter to apply to the Incidents view. The filters available to you depend on the roles to which you are assigned. The filters are grouped by Security Incidents, Alerts, and Custom filters in various states.
See Table 2-1 on page 33.

■ Create a custom incident view filter.

■ Search for an incident by incident Reference ID.

■ Create a new incident.

■ Open the Incident Details dialog box for the selected incident.

■ Create a ticket for the selected incident or incidents.

■ Export the incident list to a file.
You can export the list in HTML, CSV, or XML format, as required.

■ Merge the selected incidents.

■ Close the selected incidents.
You must provide the disposition (for example, normal, false-positive, resolved, duplicate, or merged) and provide notes when you close an incident.

■ Lock the incident list.
You can lock the incident list to prevent the display of newly created or recently assigned incidents in the list. When you unlock the list, it is updated with the latest incidents.

Table 2-1 describes the Logical Groups for the filters.

Table 2-1 Logical Groups for filters

My Incidents
    The incidents that are assigned to the current user. Following are the states of this group of incidents: Open, New, In-Work, Waiting, and Closed.

My Team Incidents
    The incidents that are assigned to the current user's teams. Teams are created in the User Groups section of the System view, on the Administration tab. Following are the states of this group of incidents: Open, New, In-Work, Waiting, and Closed.

All Incidents
    All incidents that have been created, both assigned and unassigned. Following are the states of this group of incidents: Open, New, In-Work, Waiting, and Closed.

Unassigned Open Incidents
    All incidents which are open and unassigned.

My Alerts
    The incident alerts assigned to the current user. Following are the states of this group of incidents: Open, New, In-Work, Waiting, and Closed.

My Team Alerts
    The incident alerts assigned to the current user's teams. Teams are created in the User Groups section of the System view, on the Administration tab. Following are the states of this group of incidents: Open, New, In-Work, Waiting, and Closed.

All Alerts
    All incident alerts that have been created, both assigned and unassigned. Following are the states of this group of incidents: Open, New, In-Work, Waiting, and Closed.

Unassigned Open Alerts
    All incident alerts that are open and unassigned.

Custom Filters
    All user-defined incident and alert filters.

The Incidents view details pane contains tabs from which you can view or update the selected incident.

Table 2-2 lists the details pane tabs and their functions.

Table 2-2 Incident view details pane tabs

Details
    Displays the incident details that include the ID, status, severity, description, creator, assignee, and priority.

Conclusions
    Displays the event conclusions that are associated with the incident. To view the details of a conclusion that is associated with the incident, select a conclusion and click the Conclusion Details icon.
    You can also select an event from the list and view the particular event details.

Events
    Displays the events that are associated with the incident. To view the details of an event that is associated with the incident, select the event and click the Event Details icon.

Targets
    Displays the target computers that are associated with the incident. To view the details for a target computer, select the target computer and click the Details icon. To create an asset from a target computer, select the target computer and click the Create Asset icon.

Sources
    Displays the source computers that are associated with the incident. To view details for a source computer, select the source computer and click the Details icon.

Attack Diagram
    Displays a visual representation of the progress of the attack that generated the incident along with the Symantec Event Code.

Intelligence
    Displays Symantec signature information, including the malicious code or vulnerability information that may be associated with the event. You can view the intelligence information that is organized by associated signatures or by target computers.

Tickets
    Displays the tickets that have been created for the incident. To view the details of the tickets that are associated with the incident, select the ticket and click the Ticket Details icon. To create a ticket based on this incident, click the Create Ticket icon.
    When you create a ticket, the Create Ticket dialog box includes the following tabs:
    ■ Details: Provides the fields that describe the characteristics of the ticket: a summary description, the priority, the ticket category, the creator of the ticket, the assignee of the ticket, and the related incidents.
    ■ Instructions: Lets you correlate Intelligence data from the Global Intelligence Network with the ticket, if information is available.
    ■ Tasks: Provides the fields to describe any additional remediation tasks that the creator of the ticket recommends. Note that the Tasks tab of the Create Ticket dialog differs from the steps that are listed in the Remediation tab for the incident. The Remediation tab contains the instructions that are automatically created when the incident is created, based on settings in the rule that triggered the incident.

Remediation
    Displays the remediation suggestions that have been associated with the rule that triggered the incident. Remediation entries can be added to a rule on the Rules view.

Log
    Displays the information that is available on the history of the incident. The incident history contains entries for incident creation, modifications, and closure. You can add entries to the log to record the information and the activities that are related to the incident.

See “About the Information Manager console” on page 29.

About the Events view

The Events view lets you explore the Information Manager event archives. Event archives contain correlated and uncorrelated event data from the security products that are set up to forward events to Symantec Security Information Manager. You can create multiple event archives that can be stored on any instance of Information Manager. When you perform an event query, you can search across any available combination of archives, regardless of which instance of Information Manager the archive is stored on. The archives that are visible on the Events view are created with an ordered series of event storage rules. These rules are created on the System view.

To view the events that are stored in the event archives, you can use templates and queries to search for the events you need to view. Templates are generally more complex preconfigured queries that can be customized with chosen parameters. System queries are the queries that focus on specific products or common aspects of security management.

When you run a template or a query, you set the parameters for the query, including which archives to search. Each template and query contains the parameters specific to the data that the query harvests: for example, a specific IP address or a time range in which the search is to be conducted. After you run the query, the results are displayed in the right pane of the Events view. The presentation of data depends on each query, and can include graphs, pie charts, and lists of events.

If a query returns a list of events, you can click on a particular event to see the event details. You can change table columns if you want to see different information about the events. You can view details about a particular event by double-clicking the table row.

You can also filter data in the table so that it displays only the events that interest you. You can filter on a particular event parameter by right-clicking a cell and clicking Filter on cell. You can also filter results based on a unique column value. Alternatively, you can use the advanced filtering option to create a more complex query.

You can also use the Query Builder Wizard to query the event archives. This wizard helps you create the following types of queries:

■ Event queries

■ Trending queries
The trending feature is available only after you select the Event Query option.

■ Summary queries

■ Advanced SQL queries

Note: The Query Builder Wizard icon is available only when the folder for My Queries or Published Queries is selected.

Table 2-3 describes the items that are in the left pane of the Events view.


Table 2-3 Events view left pane items

Local Event Archives
    Access the static copies of the events that are archived and that are stored somewhere other than the Information Manager server. Local event archives are often created as a backup copy of an active archive. Local event archives are not updated after the copy of the archive has been made.

Templates
    Provides a set of preconfigured query templates that generally provide a system-wide view of event activity. The templates use the parameters you choose, such as the event archives or the time period from which the query gathers information. A template can be customized by placing a copy in either the My Queries or the Published Queries folder and then adjusting the copy.
    Access to the template queries is controlled based on roles.
    See “Role-based access to the Event Query Templates” on page 20.

My Queries
    Displays a list of queries that you have created for your own use. You can move any of these queries into the Published Queries folder to make them available to others.

Published Queries
    Displays a list of the queries that have been created at your site and that you want some or all of your users to be able to use.

System Queries
    Displays a list of queries that are included in the Information Manager package. You can use any of these queries as a template for a customized query. To create a customized query, export the selected query as a QML file, and then copy or import the query into the My Queries folder or the Published Queries folder. You can modify it as required.

You can schedule queries to be distributed in a report as a CSV file.

See “About working with event queries” on page 239.

See “Viewing event data in the archives” on page 230.

About the Tickets view

The Tickets view lets you view and manage Information Manager tickets.

You can customize the ticket view by selecting one of several ticket filters, or by creating a custom ticket filter. The filters that are available to you depend upon the roles to which you have been assigned. When you select a ticket filter, the ticket list displays only the tickets that satisfy the filter criteria.


Selecting a ticket in the ticket list updates the ticket pane with the detailed information for the selected ticket. To update the ticket, modify the ticket attributes and click Apply.

Double-clicking a ticket in the ticket list opens the Ticket Details dialog box. To update the ticket, modify the ticket information, and click Save or OK. You can edit multiple tickets simultaneously by opening a Ticket Details dialog box for each ticket you want to view or modify.

The Tickets view toolbar contains icons for the following tasks:

■ Select a filter to apply to the ticket view.
The filters that are available to you depend upon the roles to which you are assigned, and may include one or more of the following:

    My Open Tickets
        The open tickets that are associated with the incidents assigned to the current user.

    My Closed Tickets
        The closed tickets that are associated with the incidents assigned to the current user.

    All Tickets
        All tickets.

    All Open Tickets
        The open tickets.

    All Closed Tickets
        The closed tickets.

    My Assigned Tickets
        All tickets that are assigned to the current user, both open and closed.

■ Create a custom ticket view filter.

■ Search for a ticket by ticket ID.

■ Refresh the tickets view.

■ Open the Ticket Details dialog box for the selected ticket.

■ Export the list of tickets to a file.

The ticket preview pane contains tabs from which you can view or update the selected ticket.

Table 2-4 lists the preview pane tabs and their functions.

Table 2-4 Ticket preview pane tabs

Details
    Displays the ticket details such as the ID, summary, category, status, priority, timestamp, creator, and help desk assignee.

Incidents
    Displays the incidents that are associated with the ticket.
    To associate a new incident with a ticket, click the Add icon.
    To disassociate an incident from the ticket, select the incident and click the Remove icon.
    To view the incident details, click the Incident Details icon.
    To close the incident from the tickets view, select the incident and click the Close icon.

Tasks
    Displays the user tasks that are assigned to each ticket.
    To add a new task to the ticket, click the Add icon. To remove a task from the ticket, select the task and click the Remove icon.
    To edit tasks, select the task and click the Edit icon.
    To add intelligence to the task, click the Intelligence icon.

Instructions
    Displays the instructions that are associated with the ticket. To add or modify the instructions, edit the field and click Save. The instruction field accepts a maximum of 3000 characters.
    The Instructions tab also displays the Reset icon.
    You can also use the Add Intelligence to Instructions icon.

Log
    Displays the ticket history that contains entries for ticket creation, ticket modifications, and ticket closure. To add log entries to record information and the activities that are related to the ticket, click the Add icon.

See “About the Information Manager console” on page 29.

About the Assets view

The Assets view lets you view and manage Information Manager assets. Use the Assets view to identify critical assets in your environment, and track the incidents and the tickets that are related to those assets.

Identify the network assets that have one or more of the following attributes:

■ Host critical information or services

■ Host confidential information

■ Have specific roles on the network, such as firewall or vulnerability scanning devices


■ Require high availability

■ Comply with regulatory policies

The correlation manager uses the asset information to identify and prioritize incidents. The correlation manager creates an incident when a threat exploits an asset's vulnerabilities. The correlation manager sets the incident priority based upon the confidentiality, integrity, and availability ratings that you assign to the asset.

The correlation rules depend upon the asset information, so identifying key network assets on the Assets view is a critical configuration step.

You can populate the list of assets in any of the following ways:

■ Manually add entries in the Assets view.

■ On the Incidents view, in the Targets tab for an incident, create assets based upon computers.

■ On the Events view, under System Queries > SSIM > SSIM System, create assets from the query results of the Source view query and the Target view query.

■ On the Assets view, import a list of assets in XML or CSV format. For example, you can export a list of network computers from Microsoft Active Directory, convert the file to CSV format, and then import the file into Information Manager.

■ Create assets by integrating Information Manager with a policy compliance assessment tool, such as Symantec Control Compliance Suite or Symantec Enterprise Security Manager.

■ Create assets by integrating Information Manager with a network vulnerability scanner. Use the Asset Detector rule under Monitor > System Monitors on the Rules view to choose the vulnerability scan products that automatically populate the assets table.
If you run vulnerability scans periodically on your network, lock the asset information for particular computers. If you lock an asset, the vulnerability scan does not modify the list of the services that are hosted on the asset. A vulnerability scan always updates the asset vulnerabilities, regardless of the asset lock status.

You can filter the view of the assets in your environment using the filtering options or asset groups.

Search for an asset from each of the views by entering the IP address or host name in the Search Asset field, and then clicking the Search icon.

Double-clicking an asset in the asset list opens the Asset Details dialog box. To update the asset, modify the asset fields and then click the Save icon. You can update multiple assets simultaneously by opening the Asset Editor dialog box for each asset you want to modify.

Table 2-5 lists the Assets view tabs and their functions.

Table 2-5 Assets view tabs

Details
    Displays the network identification, description, priority, organization, operating system, and lock information for the selected asset.

Policies
    Displays any policy that is applied to the selected asset. You can add policies to an asset from a customizable list of regulatory policies. To customize the list of available policies, select the Administration tab on the System view. You can also delete policies from the asset.

Services
    Displays the network services that the selected computer hosts. You can add services to an asset from a customizable list of well-known services. To customize the list of services, select the Administration tab on the System view. You can also delete services from the asset.

Incidents
    Lists any incidents that pertain to the selected asset. Using the incident list is a convenient way to monitor the security activity that is related to an asset.

Tickets
    Lists any tickets that pertain to the selected asset. The ticket list is a convenient way to monitor the work-order activity that is related to an asset.

Vulnerabilities
    Displays the discovery date, CVE ID, BugTraq ID, and description of any vulnerability that is discovered on the asset. The vulnerability information is tracked when the assets are imported from a vulnerability scanner.

See “About the Information Manager console” on page 29.

About the Reports view

The Reports view lets you create and manage Information Manager reports.

To create a report, you insert one or more queries into a report template. You can also add graphic elements and text, including a header and footer. Reports can span multiple views, or you can subdivide a single view and insert multiple queries on that view.


You can distribute a report immediately, or you can schedule it to be generated at a specific time and then distributed automatically. You can also export and import reports in RML format.

The Reports toolbar contains icons for report management tasks. The tasks available to you depend upon the roles to which you have been assigned, and may include one or more of the following:

■ Refresh the Explorer pane.

■ Create a folder.

■ Create a report.

■ Save a report.

■ Remove the selected report or folder.

■ Import a report from an RML format file.

■ Export the selected report to an RML format file.

■ Adjust the view settings for a report, including the view size and orientation.

■ Publish the selected report by placing the report in the Published Reports folder.

The Reports view has the following panes:

■ Explorer
The Explorer pane lets you manage the My Reports folder and the Published Reports folders, as well as any new folders that you create. When you create a report in the My Reports folder, it is only available to the user who created it. When you create a report in the Published Reports folder, it is available to all of the users who have the applicable permissions for the contents of the report. To publish a report, drag it from your private folder to the Published Reports folder. When you publish a report by dragging it into the Published Reports folder, the two reports are not linked.
In addition to creating, publishing, and deleting reports, you can create and delete report folders. You can also import reports, export reports, and move reports from one folder to another.

■ Properties
The Properties pane lets you view and edit the selected report property values, such as the background color or line thickness.

■ Report
The Report pane provides the tabs that let you design, preview, and distribute the selected report.


Table 2-6 describes the tabs that appear in the right pane when you create a new report or select an existing report from the list in the left pane.

Table 2-6 Report pane tabs

Design
Lets you specify and format the contents of your report. You can include multiple data queries, images, annotation text, and grids in your report. The queries that are available to you depend upon the roles to which you are assigned. For example, you may have access to queries that pertain to firewall and VPN data, but may not have access to queries on antivirus data.

Preview
Displays a preview of the report. You can also save or print the report from the Preview tab.
You can also drill down on the following query types by clicking on the reports that are displayed:
■ Top N by Field
■ Trending for Top N by Field
■ Summary Data Queries
See “Performing a drill-down on reports” on page 343.

Distribute
Lets you schedule the report and specify report recipients. You can compose an email report notification message, attach the report as a PDF and RTF, or include a URL link to the report.
Note: When the recipient clicks on the URL link, the report can be accessed directly if the user has already logged on to the Web configuration interface using the host name of Information Manager. However, if the user has logged on using the IP address of Information Manager, then the user is prompted for authentication to access the report.
You can also test the report distribution configuration with the Test option. The reports are immediately distributed after you perform the testing.
To schedule a report for distribution, you must first publish the report by placing it in the Published Reports folder.
Note: The Distribute option is available only for the Published Reports.

See “About the Information Manager console” on page 29.


About the Rules view

The Rules view lets you create, test, and manage the rules that Information Manager uses to filter known false positives and declare security incidents. Default rules provide a starting point for determining the most common kinds of security incidents, including denial-of-service attacks and blended threats. The default filtering rules provide a set of common filters that can also be used to create customized filters. You can enable, disable, and fine-tune the default rules and filters based on the needs of your organization and the security products that are running.

The Rules view also includes folders for monitors and lookup tables. Monitoring rules are used to detect unexpected security-related changes to systems or periods of inactivity from the systems that are monitored. The lookup tables provide a set of tables that can be configured to list known malicious IP addresses, sensitive files, sensitive URLs, services, Trojan horses, and Windows events that can be used to fine-tune rules and filters. For example, if you have detected a set of IP addresses that routinely attempt to maliciously infiltrate your network, you can add these IP addresses to an IP address lookup table. You can then create a custom rule that checks the table for these known malicious IP addresses during rules processing.

When you define the actions that take place when an incident is triggered, you can create remediation notes. These notes appear on the Remediation tab for an incident that is created. When you add remediation information to a rule and save the changes, the remediation information is updated for the new and the existing incidents.
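The processing order described here (event filters drop known false positives first, then correlation rules consult lookup tables and declare incidents that carry remediation notes) can be modelled in a few lines. The following Python is an added illustration written for this guide's reader, not Information Manager code: the lookup-table contents, rule names, remediation text and sample events are all constructed, and the event field names follow the Common tab criteria listed in Table 2-11.

```python
"""Toy model of lookup-table-driven filtering and correlation.

Illustrates the pipeline the Rules view describes: event filters remove
known false positives, then correlation rules that reference lookup
tables declare incidents. Constructed example; not product code.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Event = Dict[str, object]

# Constructed lookup tables, named after System Lookup Tables in the guide.
# All addresses are documentation ranges (RFC 5737), chosen as sample values.
LOOKUP_TABLES: Dict[str, set] = {
    "IP Watch List": {"203.0.113.7", "198.51.100.22"},  # known attackers
    "IP Whitelist": {"192.0.2.10"},                     # trusted scanner
    "Critical Servers": {"10.0.0.5"},                   # business-critical host
}


@dataclass
class Rule:
    """A filter or correlation rule: a name, a condition, optional remediation."""
    name: str
    condition: Callable[[Event], bool]
    remediation: str = ""


@dataclass
class Incident:
    rule: str
    event_id: str
    remediation: str


def in_table(table: str, field_name: str) -> Callable[[Event], bool]:
    """Condition: the event's field value appears in the named lookup table."""
    return lambda ev: ev.get(field_name) in LOOKUP_TABLES[table]


# Event filters: a matching event is a known false positive and is dropped
# before any correlation rule sees it.
FILTERS: List[Rule] = [
    Rule("Whitelisted source", in_table("IP Whitelist", "IP Source Address")),
]

# Correlation rules (custom User Rules in the guide's terminology).
RULES: List[Rule] = [
    Rule("Traffic from watch-listed IP",
         in_table("IP Watch List", "IP Source Address"),
         remediation="Block the source at the perimeter; review the target host."),
    Rule("Intrusion event against critical server",
         lambda ev: ev.get("Event Type ID") == "Host Intrusion Event"
         and in_table("Critical Servers", "IP Destination Address")(ev),
         remediation="Escalate to the server owner; collect host logs."),
]


def process(events: List[Event]) -> List[Incident]:
    """Run filters, then rules, over normalized events; return incidents."""
    incidents: List[Incident] = []
    for ev in events:
        if any(f.condition(ev) for f in FILTERS):
            continue  # dropped by an event filter; never reaches the rules
        for rule in RULES:
            if rule.condition(ev):
                incidents.append(
                    Incident(rule.name, str(ev["Unique Event ID"]), rule.remediation))
    return incidents


# Constructed sample events keyed by Common tab field names.
SAMPLE_EVENTS: List[Event] = [
    {"Unique Event ID": "e1", "IP Source Address": "203.0.113.7",
     "IP Destination Address": "10.0.0.9", "Event Type ID": "Port Scan"},
    {"Unique Event ID": "e2", "IP Source Address": "192.0.2.10",   # whitelisted
     "IP Destination Address": "10.0.0.5", "Event Type ID": "Host Intrusion Event"},
    {"Unique Event ID": "e3", "IP Source Address": "198.51.100.40",
     "IP Destination Address": "10.0.0.5", "Event Type ID": "Host Intrusion Event"},
    {"Unique Event ID": "e4", "IP Source Address": "198.51.100.40",
     "IP Destination Address": "10.0.0.9", "Event Type ID": "Host Intrusion Event"},
]

if __name__ == "__main__":
    for inc in process(SAMPLE_EVENTS):
        print(inc)
```

Event e2 matches a correlation rule but is dropped by the whitelist filter first, which is why filter ordering matters when tuning false positives.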

The Rules view toolbar contains icons for the following tasks:

■ Refresh the Rules list.

■ Create a rule.

■ Create a new folder.

■ Delete a rule.

■ Import rules.

■ Export rules.

■ Copy a rule.

■ Deploy a rule.

■ Revert changes to a rule.

■ Enable rules.

■ Disable rules.


Each folder in the navigation tree includes two subfolders: a System subfolder and a User subfolder. By default, the System subfolder contains the predefined rules, filters, monitors, and lookup tables that are included with Information Manager.

You can enable or disable the items in the System subfolders. However, you cannot make changes to these predefined elements. To create a modified version of a preconfigured rule, filter, monitor, or lookup table, create a custom version of the element and save it in the corresponding User folder. If you create a custom rule or lookup table, you must deploy and enable the new element before it can be used during event processing.

Table 2-7 describes the items that are displayed in the Event Filters list in the left pane. It also describes the tabs that appear in the right pane when you make a selection from this list.

Table 2-7 Event filters

Event Filters list
Displays the list of default filters in the System Filters folder and custom filtering rules in the User Filters folder. Use the checkboxes to turn the rules on and off.

Conditions tab
Displays the event criteria that the filtering rules use to filter events. If you create a custom filter, you can add or remove event criteria from this pane.

Testing tab
Lets you test filtering rules with saved event data so that you can evaluate whether the rule filters when it should. This tool helps you fine-tune a rule to filter out the events that cause false positives. You can also debug the errors that prevent the rule from filtering events.

History tab
Shows the date and the time that a user last edited a rule.

Table 2-8 describes the items that are displayed in the Monitors list in the left pane. It also describes the tabs that appear in the right pane when you make a selection from this list.

Table 2-8 Monitors

Monitors list
Displays the list of default monitors in the System Monitors folder and custom monitors in the User Monitors folder. Use the checkboxes to turn the rules on and off.

Properties tab
Lists the monitor properties that let you configure the system monitors.

Actions tab
Lets you specify the follow-up actions that are required to resolve the incident. You can also specify the user or the team that is assigned to investigate and resolve the incident.
See “About automatically assigning incidents” on page 59.
See “Assigning incidents automatically to the least busy member in a user group” on page 302.

History tab
Shows the date and time when a user last edited a monitoring rule.

Table 2-9 describes the items that are displayed in the Correlation Rules list in the left pane. It also describes the tabs that appear in the right pane when you make a selection from this list.

Table 2-9 Correlation rules

Rules list
Displays the list of default rules in the System Rules folder and custom rules in the User Rules folder. Use the checkboxes to turn the rules on and off.

Conditions tab
Displays the event criteria that the rules use to declare a security incident. If you create a custom rule, you can add or remove event criteria from this pane.

Actions tab
Lets you specify the follow-up actions that are required to resolve the incident. You can specify the user or the team that is assigned to investigate and resolve the incident.
See “About automatically assigning incidents” on page 59.
See “Assigning incidents automatically to the least busy member in a user group” on page 302.
You can also create the remediation notes that are associated with each incident that this rule creates.
You can also configure the notifications that are sent when the rule conditions are triggered.

Testing tab
Lets you test rules with saved event data so that you can evaluate whether the rule declares incidents when it should. This tool helps you fine-tune a rule to filter out the events that cause false positives. You can also debug the errors that prevent the rule from declaring incidents when it should.

History tab
Shows the date and time when a user last edited a rule.

Table 2-10 describes the items that are displayed in the Lookup Tables list in the left pane. It also describes each of the lookup tables that are listed under System Lookup Tables.

Table 2-10 Lookup tables

Lookup Tables list
Lists the default lookup tables in the System Lookup Tables folder and custom tables in the User Lookup Tables folder.

Administrative Users
Lists the users who can perform administrative activities.

Authorized Ports Inbound
Lists the authorized ports through which incoming traffic is allowed, as per the policies.

Authorized Ports Outbound
Lists the authorized ports through which outgoing traffic is allowed, as per the policies.

Critical Servers
Lists the IP addresses of the servers that are critical from a business perspective.

default usernames
Lists the authorized users.

Lists the IP addresses of known attackers. An incident is created if an event is detected from one of these IP addresses.

IP Watch List
A configurable table that is available for manually tracking known bad IP addresses. DeepSight and LiveUpdate updates maintain a separate internal IP Watch List. That list contains IP addresses known to be malicious in the larger Internet environment.

IP Whitelist
Lists the whitelisted IP addresses. These IP addresses and domain names are reputable and can be trusted. You can add your trusted domain names and IP addresses to the list.

Monitored Logging Devices
Lists the logging devices that must be monitored for an idle state after a specific time span.

Organization Domains
Provides a table for the user to describe the organizational domains that are monitored.

P2P Programs
Lists the P2P programs.

Potential Policy Violation IPs
Lists the IP addresses of the hosts that can potentially violate the policy.

RapidResponseMonitoredAddressTraffic
Lists all of the bad IP addresses with which your sensitive data can communicate.

sensitive files
Lists the file names to monitor during FTP transfers.

sensitive urls
Lists the text strings that are often included in malicious URLs.

services
Lists the services that are associated with each port number.

trojans
Lists the known Trojan horse exploits.

user watchlist
Provides a table in which you can list users and the user names that formerly had access to the network.

Weekdays
Lists the days of the week to allow further refinement of queries based on the day or days associated with an event.

Weekend
Lists the days of the weekend to allow further refinement of queries based on the day or days associated with an event.

Windows events
Lists the Windows events that may indicate violations of security policies or other malicious activities.


The following tables list the event criteria available and their descriptions.

Table 2-11 Event Criteria: Common tab

Agent Host
The host name of the computer on which the agent is installed.

Agent IP
The IP address of the computer on which the agent is installed.

Agent Mac
The MAC address of the computer on which the agent is installed.

Agent Numeric IP
The numeric IP address of the computer on which the agent is installed.

Agent Subnet
The subnet to which the agent computer belongs.

Category ID
Lets you select the category of the event from among Application, Communication, Device, Diagnostics, Environment, QS, and Security.

Collection Device Host
The host name of the computer on which the product (collector) is installed.

Collection Device IP
The IP address of the computer on which the product (collector) is installed.

Collection Device ID
The device ID of the computer on which the product (collector) is installed.

Collection Device Mac
The MAC address of the computer on which the product (collector) is installed.

Collection Device Numeric IP
The numeric IP of the computer on which the product (collector) is installed.

Collector Sensor
Identifies the sensor that recorded the event that a collector sent.

Configuration ID
The ID of the configuration.


Created Date
The date that the event was created.
■ Server Time - When the event occurs, the time zone of the server is considered for the event correlation.
■ Source Network Time Zone - When the event occurs, the time zone of the source network is considered for the event correlation.
■ Destination Network Time Zone - When the event occurs, the time zone of the destination network is considered for the event correlation.
If the time zone is not specified, by default the time zone of the server is considered for the event correlation.

CVSS
The numeric value that describes the CVSS score for the vulnerability, if detected.

Description
A description of the event.

Destination Host name
The destination host name.

Device Action
Describes the action that the point product took (the event was prevented, permitted, failed, successful, or denied).

Domain
The domain from which the data object originated.

Effects
The effects of malicious activity.

Event ending date
The date when the event ended.
■ Server Time - When the event occurs, the time zone of the server is considered for the event correlation.
■ Source Network Time Zone - When the event occurs, the time zone of the source network is considered for the event correlation.
■ Destination Network Time Zone - When the event occurs, the time zone of the destination network is considered for the event correlation.
If the time zone is not specified, by default the time zone of the server is considered for the event correlation.

Event Archive ID
The ID of the archive to which the event belongs (used in summarizers).


Event class ID
The possible values: symc_hdr_tkt_update_class or symc_hdr_task_update_class.

Event Count
The number of times that an event occurred to cause the event to be logged.

Event Date
The date when the event occurred.
■ Server Time - When the event occurs, the time zone of the server is considered for the event correlation.
■ Source Network Time Zone - When the event occurs, the time zone of the source network is considered for the event correlation.
■ Destination Network Time Zone - When the event occurs, the time zone of the destination network is considered for the event correlation.
If the time zone is not specified, by default the time zone of the server is considered for the event correlation.

Event Day
The day when the event occurred.
■ Server Time - When the event occurs, the time zone of the server is considered for the event correlation.
■ Source Network Time Zone - When the event occurs, the time zone of the source network is considered for the event correlation.
■ Destination Network Time Zone - When the event occurs, the time zone of the destination network is considered for the event correlation.
If the time zone is not specified, by default the time zone of the server is considered for the event correlation.

Event Type ID
The event type, such as Host Intrusion Event or Vulnerability Detected.

Host Domain
The domain of the computer on which the product is installed.

IP Destination Address
The IP address of the destination.

IP Destination Port
The port of the destination or target.

IP Source Address
The IP address of the source.

IP Source Port
The port address of the source.


Logged at
The location where the event was created.
■ Server Time - When the event occurs, the time zone of the server is considered for the event correlation.
■ Source Network Time Zone - When the event occurs, the time zone of the source network is considered for the event correlation.
■ Destination Network Time Zone - When the event occurs, the time zone of the destination network is considered for the event correlation.
If the time zone is not specified, by default the time zone of the server is considered for the event correlation.

Logging Device IP
The IP of the device that logged the event.

Logging Device Mac
The MAC of the device that logged the event.

Logging Device Name
The name of the device that logged the event.

Logging Device Numeric IP
The numeric IP of the device that logged the event.

Logging User
The account name that was used to log the event.

Mechanisms
The comma-separated integer values that represent the mechanisms categorization.

Network Protocol
Contains a normalized protocol value. This field is populated by the developer based on mapping the value of nw_protocol or network_protocol_id to a standardized protocol identifier such as TCP, UDP, ICMP, IGMP, or ARP.

Network Traffic Direction
The direction of the network traffic, such as external, internal, inbound, outbound, or unknown.

Numeric IP Destination Address
The numeric IP of the destination address.

Numeric IP Source Address
The numeric IP of the source address.

Organizational Unit
The Information Manager organizational unit of the computer.

Original Ending Event Date
The date that the event ended, if the event end date was replaced during normalization.


Original Event Date
The date that the event occurred, if the event date was replaced during normalization.
■ Server Time - When the event occurs, the time zone of the server is considered for the event correlation.
■ Source Network Time Zone - When the event occurs, the time zone of the source network is considered for the event correlation.
■ Destination Network Time Zone - When the event occurs, the time zone of the destination network is considered for the event correlation.
If the time zone is not specified, by default the time zone of the server is considered for the event correlation.

Point Product Version
The version of the point product from which you collect logs.

Posted at
The timestamp that the agent sets before it sends the event to the event service.

Product
The name of the product from which you collect logs.

Raw Event
The raw event as it is received from the logging device or application.

Resources
The comma-separated integer values that represent the resources categorization.

Severity ID
Severity of the event being reported. The value is in parentheses.

Software Feature ID
The software feature ID as defined for the collector. Each collector must have at least one software feature that is defined for logging and configuration purposes.

Source Host Name
The host name of the source of the event.

SSIM Event Insert

Symantec Event Code
A standard ID event code that Symantec has approved Information Manager to use to report the associated event.

Symantec Vendor Signature ID
The signature ID that is used to identify Symantec vendors.

Target Resource
The target of the attack. This information can be the URL for an HTTP or an FTP connection, or a file name or server name.

Time adjustment in seconds
The number of seconds to adjust the event date that was logged on the agent when events are collected from another time zone.

Unique Event ID
Unique ID assigned to each event.

User name
Contains the user name or group account of the user or group at which the event is targeted.

Vendor Device ID
The Global Intelligence Network cross-reference of the vendor product. This ID is a two-digit code that is only available in certified, Tier 1, and Premium collectors.

Vendor Severity
The event severity identifier that the point product uses.

Vendor Signature
Contains the unique event signature from the point product. This signature is used in retrieving data from the Global Intelligence Network integration.

Version
The version of the collector.

Table 2-12 Events Criteria: Derived tab

Bugtraq ID List
A security mailing list that includes a detailed discussion and announcement of computer security vulnerabilities. The list describes what they are, how to exploit them, and how to fix them.

CVE ID List
A publicly known list of information security vulnerabilities and exposures.

Destination Host Availability
Contains the Availability setting for the destination host at which the event was targeted.

Destination Host Bid List
List of Bugtraq IDs that are known for the destination address (asset).


Destination Confidentiality
Contains the Confidentiality setting for the destination host at which the event was targeted. The Confidentiality values include the following:
■ 1 - Non-critical
■ 2 and 3 - Medium
■ 4 and 5 - Critical

Destination CVE List
List of the common vulnerabilities and the exposures that are known for the destination address (asset).

Destination Host Integrity
Contains the Integrity setting for the destination host at which the event was targeted. The Integrity values include the following: 1 - Non-critical, 2 and 3 - Medium, and 4 and 5 - Critical.

Destination Host is internal
The Boolean value that describes whether the destination host is internal.

Destination Host Location
The string value that describes the destination host location.

Destination Host OS
The string value that describes the destination host operating system.

Destination Host OS Version
The string value that describes the operating system version.

Destination Host Policies
Contains the host policy for the destination host. Policies are added in the Systems view, under the Policies tab.

Destination Host Services
Contains the destination host service that the event affected. Services are added in the Systems pane, under the Services tab.

Destination is critical
The Boolean value that describes whether the target of the event has been categorized as critical. This value is set to True if the Asset exists in the Assets table.

Destination Network Logical Location
The string value that describes the logical location of the destination of the event (as opposed to the physical location).

Destination Network Name
The string value that contains the descriptive name of the destination network.


Destination Network Physical Location
The string value that describes the physical location of the destination of the event.

Destination Port is open
The Boolean value that describes whether the port that was affected is still open.

Effects
The Effects values describe the effects of the event from the detector's point of view (for example, Degradation or Reconnaissance).

Mechanisms
The Mechanisms values describe the method of attack that was used to generate an event from the detector's point of view: for example, Virus or Port Sweep.

Resources
The EMR resource value indicates the type or types of resources that the event is likely to affect: for example, Mail or Host.

Source Host Availability
Contains the Availability setting for the host from which the event originated. The Availability values include the following: 1 - Non-critical, 2 and 3 - Medium, and 4 and 5 - Critical.

Source Host Bid List
List of Bugtraq IDs that are known for the source address (asset).

Source Host Confidentiality
Contains the Confidentiality setting for the host from which the event originated. The Confidentiality values include the following: 1 - Non-critical, 2 and 3 - Medium, and 4 and 5 - Critical.

Source Host CVE List
List containing the Common Vulnerabilities and Exposures IDs for the source.

Source Host Integrity
Contains the Integrity setting for the host from which the event originated. This value is set in the Asset table by the user. The Integrity values include the following: 1 - Non-critical, 2 and 3 - Medium, and 4 and 5 - Critical.

Source Host is internal
Boolean value that describes whether the source host is internal.

Source Host Location
String value that describes the host location. This value is set in the Network table by the user.


Source Host OS: String value that describes the host operating system. This value is set in the Asset table by the user.

Source Host Policies: Contains the host policy for the source. Policies are added in the Systems pane, under the Policies tab. For a rule to use this value, the policy must be added to the asset that is referenced as the source IP in the event.

Source Host Services: Contains the service that the event affected. Services are added in the Systems pane, under the Services tab. For a complete list of the services available, see the drop-down list for this event field.

Source Host is critical: Boolean value that describes whether the source of the event has been categorized as critical. This value is set in the Asset table by the user.

Source Network Logical Location: String value that describes the logical location of the source of the event (as opposed to the physical location).

Source Network Name: String value that contains the descriptive name of the source network.

Vulnerable: Value that determines whether the system that is specified in the Target IP field is listed as vulnerable in the Asset table. The possible values for this field include the following: True, False, and Can't Determine.

Table 2-13 Events Criteria: Events tab

Application Update: Application update is used for indicating the status of updates in versions. Possible values are current version and previous version.

Audit Activity: Lets you set the type of audit activity that is carried out. Examples are Audit Authentication, Audit Result, and so forth.

Backup and Recovery Activity: Lets you select the device type, session name, integrity marker, or any other additional information under options 1, 2, and 3.


Common Event: Lets you select and set a value from the common event types, such as those available under the Common tab.

Compliance Activity: Lets you set a value for the compliance events that are logged by software components to determine if they meet certain security criteria.

Configuration Update: Lets you enter values for configuration change source, name, and revision.

Data Incident: Lets you set the values for classes and event IDs for logging an incident in a top-level data object or one of its subcomponents. This is the single event that describes the top-level data object, the subcomponent name (if applicable), the incident rule that was triggered, why the incident rule was triggered, and the status of the top-level data object and the subcomponent (if applicable).

Data Virus Incident: Lets you enter the values for quarantine server, definition number, QS, or type of a known virus, unknown virus, worm, Trojan horse, or other type of malware that the virus scanner detected.

Definition Update: Lets you set the values for the version, date, and information of the current and the previous versions.

Firewall Connection Statistics: Lets you set the values about the events that provide details about a connection, for reporting on byte counts, services used, and connection durations.

Firewall Network Event: Lets you set the values for the base set of the fields that allow common data to be logged by all firewalls in a consistent manner.

Host Intrusion Activity: Lets you set the values for the information fields that are specific to activity that is detected at the host.

Incident Message

Intrusion Activity: Lets you set the values for the information that is common to the intrusion activity that is detected at both the network and the host levels.

Network Event


Network Intrusion Activity: Lets you enter the values for type, MAC ID of source, and destination.

SAV Catalog

SAV Snapshots

Scan Events: Lets you enter the values for scan name, type, and GUID.

System Information: Lets you enter the information about the system.

VPN Connection Statistics: Lets you enter the values for VPN index and ID.

VPN Network Event: Lets you set the type of VPN network event.

Vulnerability: Lets you set the values for the fields that are associated with vulnerability.

Vulnerability Audit: Lets you set the values for the vulnerability audit ID or the human readable name of the audit.

Vulnerability Audit Error: Lets you enter a description of the error.

Windows and Novell Event: Lets you enter the values for the fields that are related to all of the events that the Windows and Novell event logs generate.

See “About the Information Manager console” on page 29.

About automatically assigning incidents

In Information Manager, an incident is created when an event matches a criterion that is specified in the Rules and Monitors. Based on the rules that are set, these incidents can be automatically assigned to a specific user group or an individual user. Rules or Monitors can be set to assign incidents automatically to the least busy member in a user group.

See “Assigning incidents automatically to the least busy member in a user group”on page 302.

Incidents are automatically assigned to the individual with the lowest load factor.The load factor is calculated based on the incident count and the incident state.Each incident state is assigned a value. Incidents that are in the New state areassigned the highest value, whereas incidents in the Waiting state are assignedthe lowest value.


A user group member who has many incidents in the New state is considered busy. Therefore the incidents in the New state have the highest value. The incidents in the Working state have a lower value and the incidents in the Waiting state have the lowest value. The number of incidents that are already assigned to a user and the value that is assigned to the incident state determine the load factor. The members with the lowest load factor are given priority when an incident is assigned.

When two or more users have the same load factor, Information Manager usesthe timestamp to determine which user is the least busy.

Table 2-14 shows how Information Manager calculates the incident load factor.Three users are assigned the same count of incidents in different incident states.Although each user has the same number of incidents, their load factors aredifferent because the values of their incidents are different. In the example,Information Manager automatically assigns incidents to User C because User Chas the lowest load factor.

Table 2-14 Incident load factor

User  Incidents: New  Incidents: Working  Incidents: Waiting  Formula (incident count * value of incident state)  Load Factor
A     4               2                   1                   (4*3) + (2*2) + (1*1)                                17
B     2               4                   1                   (2*3) + (4*2) + (1*1)                                15
C     1               2                   4                   (1*3) + (2*2) + (4*1)                                11
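The load factor calculation and the least-busy selection described above, as an added Python example (not code from the product or from this guide). It uses the state values of Table 2-14 (New 3, Working 2, Waiting 1); the exact tie-break beyond "uses the timestamp", and the assumption that a newly assigned incident starts in the New state, are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Incident state values from Table 2-14: New counts most, Waiting least.
STATE_VALUE = {"New": 3, "Working": 2, "Waiting": 1}


@dataclass
class Member:
    name: str
    # Open incidents currently assigned to this member, counted per state.
    incidents: Dict[str, int] = field(default_factory=dict)
    # Time of the member's most recent automatic assignment; None if never.
    last_assigned: Optional[float] = None


def load_factor(member: Member) -> int:
    """Sum of (incident count * value of incident state), as in Table 2-14."""
    total = 0
    for state, count in member.incidents.items():
        if state not in STATE_VALUE:
            raise ValueError(f"unknown incident state: {state!r}")
        total += count * STATE_VALUE[state]
    return total


def least_busy(group: List[Member]) -> Member:
    """Return the member with the lowest load factor.

    Tie-break (an assumption of this example; the guide only says the
    timestamp is used): a member never assigned an incident wins, so the
    first user in the group is chosen on the very first assignment; after
    that the member assigned least recently wins; group order decides last.
    """
    if not group:
        raise ValueError("user group is empty")

    def key(item):
        index, member = item
        never = member.last_assigned is None
        stamp = 0.0 if never else member.last_assigned
        return (load_factor(member), not never, stamp, index)

    _, chosen = min(enumerate(group), key=key)
    return chosen


def assign_incident(group: List[Member], now: float) -> str:
    """Assign one new incident to the least busy member and return the text
    the Incident log would carry (automatic assignments are logged as SSIM
    against the user name). The incident is assumed to start in the New state.
    """
    member = least_busy(group)
    member.incidents["New"] = member.incidents.get("New", 0) + 1
    member.last_assigned = now
    return f"SSIM: assigned to {member.name}"


def table_2_14() -> List[Member]:
    """Constructed input reproducing the three users of Table 2-14."""
    return [
        Member("A", {"New": 4, "Working": 2, "Waiting": 1}),
        Member("B", {"New": 2, "Working": 4, "Waiting": 1}),
        Member("C", {"New": 1, "Working": 2, "Waiting": 4}),
    ]


if __name__ == "__main__":
    group = table_2_14()
    for m in group:
        print(m.name, load_factor(m))          # A 17, B 15, C 11
    print(assign_incident(group, now=1.0))    # SSIM: assigned to C
```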

Assigning incidents automatically to the least busy member in a user group

Rules and Monitors can be set to assign incidents automatically to a user group or a user within the user group. You can also set rules and monitors to automatically assign incidents to the least busy member in a user group. Only user groups are considered when incidents are automatically assigned to the least busy member. The member with the lowest incident load factor is considered the least busy member in a user group.

See “About automatically assigning incidents” on page 59.

When incidents are assigned automatically to a user group for the first time, thefirst user in the user group becomes eligible for incident assignment.


When an incident gets assigned to a member in the user group, a log entry iscreated for that incident. In the Incident log, this entry is listed as SSIM againstthe user name of that member.

To assign incidents automatically to the least busy user

1 In the Information Manager console, click Rules.

2 Select the rule or monitor whose incidents you want to assign automatically.

3 On the Actions tab, check Enable Auto Assign.

4 Check Assign to least busy user and then select the corresponding user group. When the rule is deployed, the incidents are automatically assigned to the least busy member in the user group.

About the System view

The System view includes information about the Information Manager configuration, the security products that you manage, and the event management. The System view also lets you create and maintain the objects such as users, roles, and policies.

Table 2-15 lists the System view tabs and their functions.

Table 2-15 System view tabs

Administration: Lets you view and maintain administrative information, such as user accounts and roles, policies, and paging services.

Server Configurations: Lets you manage correlation, whether events are stored locally, whether Information Manager agent bootstrapping is enabled, and whether the server is designated as a Service Provider master. You can also configure event storage rules, event forwarding, and incident forwarding.

Product Configurations: Displays a list of all the security products that can be managed on your network. Right-click a product name to view or modify its properties and permissions.

Visualizer: Displays an illustration that represents your Information Manager network. Right-click an object in the graphic to view or modify the properties.

See “About the Information Manager console” on page 29.


About the Statistics view

The Statistics view provides information about the health and performance of the Information Manager server. You can display statistics for the server to which the console is connected. Alternatively, you can select to view the statistics for an alternate server that shares the same directory.

Table 2-16 lists the Statistics view tabs and their functions.

Table 2-16 Statistics view tabs

System Status: Displays the server's memory and CPU utilization, database statistics, and the status of any database jobs, such as backup and purge.

Correlation: Displays the processing rate statistics for processes such as correlating events, declaring conclusions, and inserting incident data into the Information Manager database.

Filters: Displays the filtering statistics for the correlation engine. You can monitor the Filter tab to determine how many events are excluded from the correlation engine.

Rules: Displays trigger statistics for each correlation rule. You can monitor the Rules tab to confirm that rules are triggered as expected.

Event Service: Displays the rate statistics for the following event services:

■ Events received

■ Event normalization

■ Event archiving

■ Event correlation forwarding

In the upper right corner of the console, a graph is displayed. The graph displaysthe events being processed per second by the server. You can always see the overallevent activity from any view in the console.

See “About the Information Manager console” on page 29.


About the features of the Information Manager console

You can download and install the Java client for Information Manager from theWeb configuration interface.

The console of the Information Manager client lets you perform the followingtasks:

■ Monitor the incident or the alert count for either the current user or all users. See “About the incident and the alert monitors” on page 63.

■ Monitor event activity. See “About the event activity monitor” on page 64.

■ Attach a note to a column-and-value pair in tabular data. See “Creating and editing notes” on page 65.

■ Search for the notes that you or other users have created. See “Searching the notes” on page 66.

■ Change your password. See “Changing a password” on page 70.

■ Execute a predefined set of user actions. See “About user actions” on page 68.

■ Create new user actions and edit existing user actions. See “Creating and modifying user actions” on page 68.

About the incident and the alert monitors

The incident and the alert monitors display in real time the number of incidents or alerts as they are created. The incident and the alert monitors appear at the bottom of the Information Manager console. You can choose which count you want to monitor using the right-click menu. The right-click menu also provides shortcuts to view details.

The incident monitor and the alert monitor offer the following options:

View My Open Incidents: Displays the incident details for the open incidents for the current user.

View All Open Incidents: Displays the incident details for the open incidents for all users.

View My Open Alerts: Displays the incident details for the open alerts for the current user.

View All Open Alerts: Displays the incident details for the open alerts for all users.

Count My Open Incidents: Displays the open incident count for the current user.

Count All Open Incidents: Displays the open incident count for all users.

Count My Open Alerts: Displays the open alert count for the current user.

Count All Open Alerts: Displays the open alert count for all users.

See “About the features of the Information Manager console” on page 63.

About the event activity monitor

The event activity monitor provides a real-time display of event activity. The display includes the option to view real-time event statistics, and a shortcut option to open a standalone event details dialog. The event activity monitor appears at the bottom of the Information Manager console. To configure the event activity monitor, right-click the monitor and choose from the available options.

The event activity monitor options include the following:

Open Details Panel: Opens the Statistics view in a standalone dialog box.

Display Total Received Events: Displays the total number of events that have been received.

Display Average Rate: Displays the average event rate.

Display Rate: Displays the actual event rate.

Color options: Provides you with options to customize the color of the graph that displays.

Select view type: Lets you choose the visual representation of the event count as follows:

■ Bar graph

■ Line graph

See “About the features of the Information Manager console” on page 63.

About the Notes feature

The Information Manager console includes the Notes feature. This feature lets you create the notes that you associate with data fields on the console views that display tabular data. For example, you can create notes to explain the meaning of each incident severity level. You can later search for these notes, using several search criteria.

The Notes feature is enabled on the following console views:

■ Incidents

■ Events

■ Tickets

■ Assets

See “About the features of the Information Manager console” on page 63.

Creating and editing notes

When you create a note, you can attach it to a particular value in a table column. For example, in the Event details table, you can annotate the value HostIntrusionEvent in the EventTypeID column. The note is then associated with each instance of that particular value in any table that includes the Event Type ID column. These notes provide additional reference information about any column-and-value pair.

See “About the Notes feature” on page 64.

To create or edit a note

1 In the Information Manager console, open the view where you want to createa note.

You can create a note on any of the following views:

■ Incidents

■ Events

■ Tickets

■ Assets

2 In the displayed table, identify the column-and-value pair that you want toannotate.

3 Right-click a table cell that contains the desired value, and then click Notes.

4 In the Notes dialog box, take any of the following actions:

■ To add a note, click Add. In the Add Comment dialog box, type the note,and click OK.

■ To edit an existing note, select the note in the text area, and then clickEdit. In the Edit Comment dialog box, revise the note, and click OK.


■ To remove an existing note, select the note in the text area, and then clickRemove. Click Yes to confirm your intention to remove the note.

5 When you finish adding and editing notes, click OK.

If you added any notes, the table displays a red triangular flag in each cellthat contains the value that you selected.

Searching the notes

The Search Notes feature lets you search for specific notes, using a variety of search criteria.

To search for notes

1 In the Information Manager console, open any of these views:

■ Incidents

■ Events

■ Tickets

■ Assets

2 On the Tools menu, click Search Notes.


3 Define the search criteria by using any of the following non-case-sensitivedata fields:

Category: Type or use the drop-down menu to select the column name to search on. Clicking the drop-down arrow displays a list of all table columns for which notes exist. You must select the exact column name. For example, selecting Severity yields different results than selecting Severity ID.

Value: Type the full text of the value from the annotated column-and-value pair. For example, if the value in the Severity ID column is 2 - Warning, you must type it exactly this way, including the space before and after the hyphen.

Author: Type the user name of the person who created the note: for example, Administrator.

Note Text: Type all or any portion of the note text. For example, to find the note This severity level is for informational messages only, you can type this severity or information or any other text string from the note.

Start Date: Use the default start date and time or change it by using the calendar icon. The Search Notes feature looks for the notes that were created on or after this date and time.

End Date: Use the default end date and time or change it by using the calendar icon. The Search Notes feature looks for the notes that were created on or before this date and time.

4 Click Search.

The bottom pane displays a list of the notes that meet the search criteria.

A recently created note may not appear in the list because the server clock time is different from the client clock time. To remedy this situation, expand the time range by using the Start Date and End Date fields, and click Search again.

5 Take one of the following actions:

■ To further narrow the search, type additional search criteria in the fieldsthat are described in step 3, and click Search. You can also clear the searchfields and type different search criteria.

■ To access the dialog box where you can add, edit, and remove notes, selecta note and click Comment Details.

6 When you click Comment Details, you can take any of the following actions:


■ To add a note, click Add. In the Add Comment dialog box, type the note,and click OK.

■ To edit an existing note, select the note in the text area, and click Edit. Inthe Edit Comment dialog box, revise the note, and click OK.

■ To remove an existing note, select the note in the text area, and clickRemove. Click Yes to confirm your intention to remove the note.

7 When you finish adding and editing notes, click OK.

If you have added any notes, the table now displays a red triangular flag ineach cell that contains the value that you selected.

8 To finish, click Close.

About user actions

Information Manager includes several predefined user actions. These actions can help you find the information that is related to IP addresses and the host names that are included in some tabular data. If you right-click a cell that contains an IP address or a host name, you can select from one of the following options:

Finger: Displays the information about a user on the specified computer. Note that the output varies based on the remote system; therefore, the command is of limited value.

Ping: Sends a ping message to the computer and reports the reply in a command window.

Trace route: Traces a route to the host, but does not perform DNS lookups on the hops from host to host. Reports the results in a command window.

User actions are available in any table that displays IP addresses or host names.User actions are available in the tables on the Assets view and on the queries onthe dashboard that include this type of data.

You can also modify the existing user actions and create your own user actions.

See “Creating and modifying user actions” on page 68.

Creating and modifying user actions

You can create your own user actions, and you can customize the standard user actions. You can create and modify user actions by using the Events view or the Tools menu on the console view.

See “About user actions” on page 68.


To create a user action

1 In the Information Manager console, click Events.

2 From the Tools menu, select Preferences.

3 Click + (the plus icon).

4 Type a name for the user action in the Name box and the command to beexecuted in the Command box.

5 Select one or both of the following options:

■ To make the user action available to all users, select Public.

■ To provide a command-line window in which to view the command output,select Use Output Viewer.

6 Click OK.

7 In the Preferences dialog box, click OK.

The new user action now appears in the pop-up menu that appears when youright-click on a table cell.

To modify a user action

1 In the Information Manager console, click Events.

2 From the Tools menu, select Preferences.

3 Select the user action that you want to modify, and then click the Edit icon.

4 You can modify any of the following:

■ Change the user action name in the Name box.

■ Change the command syntax in the Command box.

■ Select Public to make the user action available to all users.

■ Select Use Output Viewer if you want Information Manager to provide acommand-line window in which to view the command output.

5 Click OK.

6 In the Preferences dialog box, click OK.

The modified user action now appears in the pop-up menu when youright-click a table cell.

Opening the Information Manager console from the command line

You can open the Information Manager console using the command line.

See “About the Information Manager console” on page 29.


To open the Information Manager console from the command line

1 On the client computer, open the command-line interface.

2 Change the directory to the location in which the console was installed. Forexample:

C:\Program Files\Symantec\Security Information Manager

3 Type the following command and press Enter, where [user] is the user namefor the console and [password] is the password for that account. Do not includethe brackets.

>"Security Information Manager.exe" -user [user] -pw [password] -address 10.0.30.140 -autologin

Changing a password

You can use the Information Manager console to change your own password at any time. If the administrator has changed the password settings to a stronger authentication policy, you may be required to change your password. You can change your password by logging out and then logging back in to the console.

See “About the features of the Information Manager console” on page 63.

To change your password

1 In the Information Manager console, open any view.

2 On the Tools menu, click Change Password.

3 In the Change Password text box, type your current password.

4 Type a new password in the New password text box, and then type exactlythe same characters in the Confirm new password text box.

5 Click Save.

6 Click OK.


Chapter 3

Symantec Security Information Manager Web configuration interface

This chapter includes the following topics:

■ About the Information Manager server Web configuration interface

■ Accessing the Web configuration interface

■ About the features of the Web configuration interface

About the Information Manager server Web configuration interface

The Web configuration interface for the Information Manager server providesseveral control features to help you work with ease and efficiency.

You can use an Internet browser to access the Web configuration interface. Youcan use the Web configuration interface to view security information and managecritical tasks on the Information Manager server remotely.

See “Accessing the Web configuration interface” on page 72.

The Web configuration interface lets you perform various tasks:

■ Monitor the vital parameters and perform maintenance tasks.

■ Configure the Information Manager server.

■ View reports remotely.

■ Download the report templates, universal collectors, and other utilities.


■ Install the licenses for Information Manager and the Symantec GlobalIntelligence Network.

■ Use the Custom Logs feature to correlate the information from the devicesthat Information Manager does not support.

Accessing the Web configuration interface

You can use a Web browser to access the Web configuration interface of the Information Manager server. The Web configuration interface lets you view security information and manage critical tasks on the Information Manager server remotely.

See “About the features of the Web configuration interface” on page 72.

To access the Web configuration interface of the Information Manager server

1 Open a Web browser, and in the address bar, type the IP address of theInformation Manager server.

For example:

https://192.168.0.10

By default, the server uses self-signed certificates, which cannot be verifiedby certificate authentication services such as VeriSign. If you are prompted,click Yes to accept the server certificate.

2 Log on to the Web configuration interface using the administrator credentialsthat you created during the Symantec Security Information Managerinstallation.
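Rather than accepting the self-signed certificate blindly at the browser prompt, a practitioner can compare its fingerprint with one recorded from the server out of band. The following Python is an added example, not code from the product or this guide: the address 192.168.0.10 is the example from the step above, and EXPECTED_FINGERPRINT is a placeholder for the value you obtain from the appliance itself (how to read it there is not covered by this page).

```python
import base64
import hashlib
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def pem_to_der(pem: str) -> bytes:
    """Decode the first PEM certificate block into its DER bytes."""
    lines = [line.strip() for line in pem.splitlines()]
    try:
        start = lines.index(PEM_BEGIN) + 1
        end = lines.index(PEM_END, start)
    except ValueError:
        raise ValueError("no PEM certificate block found") from None
    return base64.b64decode("".join(lines[start:end]))


def der_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form browsers display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fingerprint: str) -> str:
    """Drop separators and case so values copied from different tools compare."""
    return "".join(ch for ch in fingerprint.upper() if ch in "0123456789ABCDEF")


def fingerprint_matches(observed: str, expected: str) -> bool:
    """True when both values denote the same certificate.

    A SHA-256 fingerprint is 32 bytes (64 hex digits); anything shorter is
    treated as a truncated or mistyped value and rejected.
    """
    obs, exp = normalize(observed), normalize(expected)
    return len(obs) == 64 and obs == exp


def fetch_server_fingerprint(host: str, port: int = 443) -> str:
    """Fetch the certificate the server presents and return its fingerprint.

    ssl.get_server_certificate() performs no chain validation, which is what
    we want here: read the self-signed certificate without trusting it yet.
    """
    pem = ssl.get_server_certificate((host, port))
    return der_fingerprint(pem_to_der(pem))


# Placeholder: replace with the fingerprint recorded from the appliance.
EXPECTED_FINGERPRINT = "<fingerprint obtained out of band>"

if __name__ == "__main__":
    observed = fetch_server_fingerprint("192.168.0.10")
    if fingerprint_matches(observed, EXPECTED_FINGERPRINT):
        print("certificate matches the recorded fingerprint; safe to accept")
    else:
        print("MISMATCH: do not accept the certificate; observed " + observed)
```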

About the features of the Web configuration interface

The Web configuration interface of the Information Manager server provides several control features to help you work with ease and efficiency.

See “About the Information Manager server Web configuration interface” on page 71.

The Web configuration interface provides the following control features:

Status bar: The status bar appears across the top of the Web configuration interface. The status bar displays the name of the Information Manager server to which the Web configuration interface is connected. The status bar also displays the role of the connected user.

View bar: The view bar contains links to the views that allow access to the options that are outlined under that view. The following main views are available in the console:

■ Home

■ Monitor

■ Manage

■ Settings

■ Maintenance

Navigation bar: The navigation bar appears on the top across the console. The navigation bar displays the links to available views under the selected parent view.

Tree pane: The tree pane appears on the left side of the console window under the navigation bar. The tree pane displays a hierarchical, folder-based structure of the options available under the view.

View indicator: The view indicator appears across the top of the tree pane and the details pane. The view indicator displays the selected task in the hierarchical structure.

Details pane: The details pane appears in the right side of the console window under the taskbar. This pane displays details about the selected option.

Timestamp bar: The timestamp bar appears at the lower end across the console. The timestamp displays the date and timestamp for the generated page.

The Web configuration interface provides the views that allow control of the features of the Information Manager server.

Table 3-1 describes the various tasks that you can perform from each view.


Table 3-1

View menu: Home
Options:
■ Event Service Status: The Event Service status view lets you monitor the status of the Event Servlet, Event Service Queues, and Servlet Batch Queue.
■ Downloads: You can download the installers for Symantec Event Agent and Java client, log files, universal collectors, and other utilities from the Downloads view.
■ Shutdown/Restart: Lets you restart or shut down the Information Manager server remotely.

View menu: Monitor
Options: SSIM, System Statistics, Network Statistics
Description: Lets you monitor critical aspects of the Information Manager server.

View menu: Manage
Options:
■ Reports: Lets you view the standard reports, and the reports for the scheduled queries.
■ Intelligence: Lets you access intelligence-related information from the DeepSight Threat Management Services Web site.

View menu: Settings
Options: GIN, Database, Directory Registration, Collector Registration, Custom Logs, Active Directory, Licensing, Certificates, External Storage, Password, Network, Date Time
Description: Lets you view and manage the Information Manager configuration settings. You can also manage the summarizers, perform collector and directory registration, and install the Information Manager licenses through this view.

View menu: Maintenance
Options: LiveUpdate, System Updates, Backup and Restore, Incident Synchronization
Description: Lets you perform routine maintenance tasks such as updates, backup and restore, purge, and incident synchronization.

Note: The Web configuration interface does not support the use of the Back and Refresh browser options. Using these options may produce unpredictable results.


Section 2: Planning for security management

■ Chapter 4. Managing the correlation environment

■ Chapter 5. Defining rules strategy


Chapter 4: Managing the correlation environment

This chapter includes the following topics:

■ About the Correlation Manager

■ About the Correlation Manager knowledge base

■ About the default rules set

About the Correlation Manager

The Correlation Manager component of Information Manager performs automated real-time event correlation, aggregation, filtering, and incident creation. To perform these functions, it uses a set of rule files and a knowledge base to compare events to patterns of common network security threats.

See “About the Correlation Manager knowledge base” on page 80.

To facilitate security analysis, the Correlation Manager filters false positive events from networks, including the events that your company security policy permits. The Correlation Manager also identifies attacks based on patterns of firewall, Intrusion Detection System, and antivirus activity across desktops, gateways, and servers. The Correlation Manager can then declare the incidents that warrant further action and closure.

The Correlation Manager can provide conclusions regarding the overall analysis or cause of attacks. It also aggregates information about source, destination, attack types, and all related events into the incident record for forensic analysis.

See “About the default rules set” on page 80.


About the Correlation Manager knowledge base

The Correlation Manager knowledge base consists of the tables that contain information about the network, security policies, and normalized event categories and subcategories. The Information Manager default rules reference this information to allow the correlation engine to make a more effective evaluation of incoming security events. Custom rules can also reference the information in the Correlation Manager knowledge base tables.

The information in the knowledge base is a combination of the following: updated information from Symantec DeepSight Threat Management System, and the information that you can edit from the Lookup Tables option of the Rules view.

If you have a valid DeepSight license, you can receive frequent updates directly from DeepSight. If you do not have a license, you receive updates to security content through LiveUpdate packages.

See “About the Correlation Manager” on page 79.

About the default rules set

Information Manager includes a set of rules that identify the most common security threats. Information Manager also provides default filters to help reduce common false positives. New rules are developed regularly and are distributed through the LiveUpdate process. You can also create your own rules from the Rules view of the Information Manager console.

See “About the Correlation Manager” on page 79.

See “About the Correlation Manager knowledge base” on page 80.

Table 4-1 lists the default rules and the types of security products with which they are associated.


Table 4-1 Correlation Manager rules by security product type

Security product: Antivirus
Associated rules:
■ AntiVirus Disabled
■ Critical Malicious Code Detection
■ Incomplete AV Scan
■ Malicious Code via Email Not Quarantined
■ Malicious Code Not Quarantined
■ Malicious Code Outbreak
■ Malicious Code Propagation
■ Outbound Spam Zombie
■ Spyware Not Quarantined
■ Spyware Outbreak
■ Worm Activity

Security product: Firewall
Associated rules:
■ Block Scan
■ Check FTP Transfers
■ Distributed DoS High Volume
■ DoS High Volume
■ External Port Sweep
■ Internal Port Sweep
■ IP Watchlist Destination
■ IP Watchlist Source
■ IRC Bot Net
■ Malicious URL
■ Organization IP in Watchlist Activity
■ Outbound Spam Zombie
■ Ping Scan Detector
■ Port Scan Detector
■ Potential Staged Attack
■ Scan Followed By Exploit
■ Single Event DoS
■ Smurf Attack Firewall
■ Traffic to a Monitored Address
■ Trojan Connections
■ Unauthorized Outbound Email Domain
■ Unauthorized Port Inbound
■ Unauthorized Port Outbound
■ Watchlist Potential Policy Violators

Security product: Network intrusion detection system (NIDS)
Associated rules:
■ Attempted DNS Exploit
■ Attempted FTP Exploit
■ Attempted WWW Exploit
■ Attempted Service Exploit
■ Block Scan
■ Departed Employee Username
■ DoS High Volume
■ Distributed DoS High Volume
■ Intrusion Threshold (Disabled by default)
■ IP Watchlist Destination
■ IP Watchlist Source
■ IRC Bot Net
■ Malicious Code Propagation
■ NULL Login Authentication Violation
■ Ping Scan Detector
■ Return Trojan Traffic
■ Scan Followed By Exploit
■ Single Event DoS
■ Smurf Attack IDS
■ TFTP from WebServer
■ Traffic to a Monitored Address
■ Vulnerability Scan
■ Vulnerability Scan Detector
■ Watchlist Potential Policy Violators
■ Web Vulnerability Scan

Security product: Host intrusion detection system (HIDS)
Associated rules:
■ Account Guessing Attack
■ Departed Employee Username
■ DoS High Volume
■ IP Watchlist Destination
■ IP Watchlist Source
■ Multiple Files Modified
■ NULL Login Authentication Violation
■ Password Guessing Attack
■ Potential Staged Attack
■ Scan Followed By Exploit
■ Single Event DoS
■ Trojan Connections
■ Vulnerability Scan
■ Vulnerability Scan Detector
■ Watchlist Potential Policy Violators
■ Web Vulnerability Scan

Security product: Vulnerability assessment
Associated rules:
■ Potential Staged Attack
■ Vulnerability Scan

Security product: Policy compliance
Associated rules:
■ Departed Employee user name Activity
■ Policy Compliance Violation

Security product: Windows Events
Associated rules:
■ Account guessing attack
■ Non Business Hours Logins
■ Password guessing attack
■ Potential Staged Attack
■ Windows Account Lockout (Disabled by default)
■ Windows Audit Log Cleared
■ Windows Privileged Activities by user
■ Windows Privileged User Created
■ Windows Security Violation (Disabled by default)
■ Windows Sensitive File Access

Security product: Information Manager System
Associated rules:
■ Agent Queue Monitor
■ Cert Expiration Warning
■ IncidentCreationAlert (Disabled by default)
■ Invalid Event Date Alert
■ Low Disk Space Warning
■ MultiEvent Rule Example
■ Negative Rule Type Example
■ Password Guessing Attack
■ Validate Archive


Chapter 5: Defining rules strategy

This chapter includes the following topics:

■ About creating the right rule set for your business

■ About defining a rules strategy

■ About correlation rules

■ About rule conditions

■ About the Event Count, Span, and Table Size rule settings

■ About the Tracking Key and Conclusion Creation fields

■ About the Correlate By and Resource fields

■ Importing existing rules

■ Creating custom correlation rules

■ Enabling and disabling rules

■ Working with the Lookup Tables window

About creating the right rule set for your business

A good approach to creating custom rules is to start with the generalized rules provided by Symantec and fine-tune them. Another good approach is to add new rules based upon real event data from your network.

See “About defining a rules strategy” on page 87.

The customizations usually belong to one of the following categories:


■ Incidents stemming from machine-generated events: These include all of the security devices on your network that generate the events that you collect. For example, firewall products such as Symantec Gateway Security generate a huge amount of event data. In most cases, you should edit default rules or create new rules to filter out false positive incidents.

■ Incidents relating to human events or policies: These incidents include your corporate IT security policies and regulatory compliance requirements. They also include any unique characteristics about user activity in your network that machine-generated events would typically miss, or that result in false positive incidents.

The following is a general overview of the process for developing rules:

■ Set up Information Manager in a lab environment.

■ Update the Assets view to include the IP addresses of hosts that are mission-critical or that host sensitive information.

■ Collect event data from your network for a week. This data should include events from all of the security products that you want Information Manager to correlate, for example antivirus, host intrusion detection systems, network intrusion detection systems, and firewalls.

■ Run the default rules and review the incidents created.

■ Look for any false positives that you can easily filter out. Following are examples of good candidates for filtering: incidents from the failed connections that the firewall reports, and the Windows-only attacks that computers running Linux report.

■ Look at any known security incidents that occurred during the week that you collected the data. Adjust the filters and rules if there are any incidents that should have been created and were not.

■ Look for the incidents that are the result of firewall rules being too lax. Tuning firewall and Information Manager rules is an on-going process based upon the changes in your network. Opening a firewall port to enable an essential line-of-business application may suddenly result in a huge number of false-positive incidents. When that occurs, you need to create a new rule to filter out events from an approved use of that application. You may also discover that there is a port that is still open long after the application that required it has been retired.

■ Create rules to support security practices in your company. For example, you can create a rule to assign a weekly help desk ticket for security IT to contact users who are not running antivirus software.


■ As you change rules, use the Information Manager rule test feature to assess whether the customizations work. Of particular concern should be any rules that never create conclusions or those that create conclusions too often.

■ With your Information Manager server still in a test environment, forward live network events to it. Continue to refine your rules.

■ After you are satisfied with the incidents that are declared, migrate the server to your live network.

About defining a rules strategy

To develop a security plan that incorporates correlation rules and filters, you must understand the business needs of your organization from a security perspective.

See “About creating the right rule set for your business” on page 85.

For example, if your implementation protects and monitors network resources relating to financial transactions, you can develop and refine your rule set accordingly. Your area of concern might focus on authentication on the servers that contain sensitive financial data.

In addition, you may need to evaluate the rules that you deploy based on regulatory compliance concerns. This evaluation ensures that the event data that is evaluated is handled in a way that meets the requirements of the policies.

About correlation rules

Correlation rules describe the logic that is applied to an event or a set of events to detect possible security concerns.

See “About creating the right rule set for your business” on page 85.

Conceptually, correlation rules can be classified into the following general categories:

■ An event identifies an attacker who attempts to intrude on a specific computer or resource.

■ Some unknown system, or a number of systems, attempts to cause a specific system to malfunction or cease functioning.

■ The organization or analyst wants to group events into particular types of incidents to make viewing and analysis simpler. For example, these types of rules may aggregate the events that are related to policies or products.

Correlation rules consist of the following:


■ Rule type: Identifies the pattern that best describes the event. See “About rule types” on page 89.

■ Event criteria: The specific values or threats that the rule applies to, including the number of events that occur over a specified period of time. See “About event criteria” on page 93.

■ Rule settings: The event count, span, table size, tracking keys, and description of an event.

■ Conclusion and correlation settings (Actions tab): The fields that are used to correlate existing event conclusions with new events as they occur within the specified time period. If the number of events that is specified in the Count field is met, the conclusion is escalated to an incident. In addition, the incident is then correlated with existing incidents where applicable, and the severity of a match for the rule is determined. Additional details are also available through the variables that you can specify in the Description field.

■ Auto assignment and notification settings: Describes how alert and incident assignment tasks are handled when an incident is created. In the Auto Assignment area, incidents can be assigned to a specific user or user group (team). The Notification area lets you notify additional recipients that the incident has occurred. For example, an Antivirus Disabled incident might be assigned to a response technician who is responsible for immediately assessing the event. An additional notification can be sent to the network administrator who monitors the overall health of the network segment from which the incident occurred.

About rule conditions

The rule conditions describe the fields and conditions that the rule is processed against to determine if the event applies to a conclusion.

See “About correlation rules” on page 87.


The Rule Conditions panel provides access to all available event and schema field data. The analyst can use this data to further identify and define the events that should be escalated as a potential security threat.

About rule types

A rule type determines the underlying behavioral patterns that a rule uses to identify a match. For example, if the rule type is set to Single Event, the rule evaluates each event for a criteria match. It only requires a single event to trigger a conclusion. A rule that uses the Many to One rule type evaluates each event against the criteria. However, it then creates a conclusion when a specified number of matching events have aggregated over a predetermined period of time.

See “About rule conditions” on page 88.

Conclusions that involve more than one event use the One to Many and Many to One event correlation tables. In addition, the Tracking field is provided. It identifies the element that is used as the basis for additional events to be correlated to existing events and conclusions.

Table 5-1 describes the rule types that are available and provides examples.

Table 5-1 Rule types

Rule type: Many Sources, One Target
Trigger condition: Creates a conclusion when the events that match the specified criteria are detected from multiple unique source IP addresses to a single destination IP address within the specified period.
Possible scenarios: Denial-of-service events can often be identified using this rule type. A Smurf attack uses ICMP Echo Reply events from a large number of source computers to a single target. Predefined rule examples: Distributed DoS High Volume, Smurf Attack.

Rule type: Many Symantec Signatures, One Source
Trigger condition: Creates a conclusion when the events of different types that match the specified criteria are detected from a single source IP address within the specified period.
Possible scenarios: A rule that detects a vulnerability scan can use this rule type. Within the criteria for that rule, EMR values can be set to identify multiple exploit events (such as Mechanism: Buffer Overflow, or Application Exploitation). In this example, the criteria for the rule include multiple types of Mechanisms. Therefore, the rule would track multiple types of exploit events coming from the same source. Predefined rule example: Vulnerability Scan Detector.

Rule type: Many Symantec Signatures, One Target
Trigger condition: Creates a conclusion when events of different types matching the specified criteria are detected to a single destination IP address within the specified period.
Possible scenarios: A rule that detects malicious IP hopping activity can use this rule type. To conceal scanning activity, an attacker may attempt one type of attack from one IP address. The attacker then changes to a different IP address to try a different attack, until the most useful vulnerabilities have been identified. Attackers use this method to avoid detection as a vulnerability scan, because vulnerability scanners often operate from a single source. Using this rule type, you can detect conditions where multiple attack types are targeted at a single host, regardless of the attack origin.

Rule type: Many Targets, One Event
Trigger condition: Creates a conclusion when events of the same type matching the specified criteria are detected from many unique destination IP addresses within the specified period.
Possible scenarios: A rule that detects a Malicious Code Outbreak can use this rule type. To identify a Malicious Code Outbreak, a rule can be configured to identify instances of a particular virus on multiple targets. Using the EMR fields, the criteria can be set to Virus. Since the rule looks for the same event type, this rule would trigger only if it was the same virus event on each target.

Rule type: Many Targets, One Source
Trigger condition: Creates a conclusion when events matching the specified criteria are detected from a single source IP address to multiple unique destination IP addresses within the specified period.
Possible scenarios: A rule that identifies a reconnaissance attack on multiple targets (such as a port scan) can use this rule type. To configure this example, you would choose the Many Targets, One Source rule type, and then set the EMR criteria value to Portscan. Predefined rule examples: Block Scan, IRC Bot Net, Ping Scan Detector.

Rule type: Many to One
Trigger condition: Creates a conclusion when events matching the specified criteria are detected in a pattern that is set using the Many To One Fields and the One To Many Fields options. In addition to the Event Criteria, the fields that must contain the same information for each event (One-Many Fields) and the fields that can contain different values in each event (Many-One Fields) are used to correlate similar events occurring within a predetermined timeframe. The Many to One rule requires the Tracking field to be populated. For this type of rule, the Tracking field generally matches a One-Many Fields entry.
Possible scenarios: A rule to detect a port sweep can use this rule type. A port sweep is typically described as a single IP address that scans for a specific port on multiple computers. After you choose this rule type and set the event criteria for the rule, you set the One-Many and the Many-One field options. In the One-Many Fields area, select IP Source Address and IP Destination Port. This selection means that each event originates from the same IP address and targets the same port. In the Many-One Fields area, select the IP Destination Address option. (Note that the event destination can be a different IP address for each event.) Predefined rule examples: Malicious Code Outbreak, Spyware Outbreak, DoS High Volume, External Port Sweep, Internal Port Sweep, Port Scan Detector, Intrusion Threshold, Multiple Files Modified, Account Guessing Attack, Password Guessing Attack.

Rule type: Multi-condition
Trigger condition: Creates a conclusion when a sequence of specified patterns is detected for one combination of one-to-many fields within a specified time period.
Possible scenarios: A user logs on to a Windows computer and establishes an SSH connection to a UNIX computer. The user then logs on to the FTP server and downloads files from the FTP location.

Rule type: Single Event
Trigger condition: Creates a conclusion if an event matches the specified criteria. This rule type requires the Tracking field to be populated.
Possible scenarios: Predefined rule examples: AntiVirus Disabled, Malicious Code Not Quarantined, Spyware Not Quarantined, Check FTP Transfers, Malicious URL, Trojan Connections, Attempted DNS Exploit, Attempted FTP Exploit, Attempted WWW Exploit, TFTP from WebServer, Windows Security Violation, Windows Account Lockout, Windows Audit Log Cleared, Windows Privileged Activities by User.

Rule type: Symmetric Traffic
Trigger condition: Creates a conclusion when the specified pattern of events is detected from a single source IP address to a single destination IP address, then from that destination IP address back to the original source IP address within the specified period.
Possible scenarios: A rule that identifies BackOrifice exploit traffic between a single target and source can use this rule type. To monitor for BackOrifice symmetric traffic events, after you choose the Symmetric Traffic rule type, set the criteria to the Symantec Signature for BackOrifice (attackID 1414). The rule triggers if an Intrusion Detection System logs both the connection from a source to a target, and from that target back to the source, as BackOrifice traffic. Predefined rule example: Return Trojan Traffic.

Rule type: Transitive Traffic
Trigger condition: Creates a conclusion when the specified pattern of events is detected from a single source IP address to a single destination IP address. Then, the pattern is detected from that destination IP address to a new destination IP address within the specified period.
Possible scenarios: A rule that identifies BackOrifice exploit traffic that moves from one source to a target backdoor, after which the targeted computer becomes the source that accesses the backdoor of a new target, can use this rule type. To monitor for BackOrifice transitive traffic events, after you choose the Transitive Traffic rule type, set the criteria to the Symantec Signature for BackOrifice (attackID 1414). The rule triggers if an Intrusion Detection System logs the connection from a source to a target as BackOrifice traffic and then identifies the target connecting to a new target with the same event signature. Predefined rule example: Malicious Code Propagation.

Rule type: X followed by Y
Trigger condition: Creates a conclusion when a specified pattern is detected from a single source IP address to a single destination IP address. This pattern is followed by a different pattern from the same source IP address to the same destination IP address within the specified time period.
Possible scenarios: Predefined rule examples: Scan Followed by Exploit, Null Login Authentication Violation. Note: This rule is deprecated and is not supported. Use a Multi-condition rule type.

Rule type: X not followed by X
Trigger condition: Creates a conclusion when an event that matches the defined criteria is not detected again in the pattern within the timeout, for a predefined number of times.
Possible scenarios: A rule to monitor user authentication failure for a specific period of time can use this rule type. A user logon fails for a specific period of time and the user does not log in again.

Rule type: X not followed by Y
Trigger condition: Creates a conclusion when an event that is defined by the X rule criteria occurs, but an event that is defined by the Y rule criteria does not.
Possible scenarios: A rule to detect the non-occurrence of a user action after a valid user action can use this rule type. A user logs on to a critical server but does not log off for a long time.

Rule type: Y not preceded by X
Trigger condition: Creates a conclusion when an event that is defined by the X rule criteria does not occur, but the next event that is defined by the Y rule criteria occurs.
Possible scenarios: A rule to detect the deletion of a user before the user is added can use this rule type.

Rule type: Lookup Table Update
Trigger condition: Updates the configured lookup table if an event matches the specified criteria.
Possible scenarios: A rule to dynamically update the lookup table with the configured event field values for the specified event criteria.
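As an added example that is not part of the Symantec guide, the following Python implements the Many to One pattern from Table 5-1 as a small correlator: the One-Many fields form the tracking key, and a conclusion is created once the Many-One fields have shown Event Count distinct values within Span seconds. It goes beyond the port sweep configuration in the table by instantiating the Many Sources, One Target and Many Symantec Signatures, One Source types on the same engine; the event field names, categories, thresholds and events are all constructed assumptions, not product defaults.

```python
from dataclasses import dataclass, field


@dataclass
class ManyToOneRule:
    """Many to One rule: fires when events that agree on the One-Many fields show
    `count` distinct Many-One values within `span` seconds (Event Count and Span)."""
    name: str
    criteria: dict            # Event Criteria: field -> required value (assumed field names)
    one_many_fields: tuple    # fields that must hold the same value in every correlated event
    many_one_fields: tuple    # fields whose values must differ between correlated events
    count: int                # Event Count setting
    span: float               # Span setting, in seconds
    table_size: int = 1000    # Table Size setting: maximum tracking keys held at once
    _table: dict = field(default_factory=dict, repr=False)

    def matches(self, event):
        return all(event.get(k) == v for k, v in self.criteria.items())

    def feed(self, event):
        """Evaluate one event; return a conclusion dict when the rule fires, else None."""
        if not self.matches(event):
            return None
        key = tuple(event.get(f) for f in self.one_many_fields)   # the Tracking key
        distinct = tuple(event.get(f) for f in self.many_one_fields)
        now = event["time"]
        seen = self._table.get(key)
        if seen is None:
            if len(self._table) >= self.table_size:
                return None   # table full: this constructed engine just drops the event
            seen = self._table[key] = {}
        # age out Many-One values whose last sighting lies outside the span
        for value, last in list(seen.items()):
            if now - last > self.span:
                del seen[value]
        seen[distinct] = now
        if len(seen) < self.count:
            return None
        del self._table[key]   # start a fresh window so the next burst is a new conclusion
        return {"rule": self.name,
                "tracking_key": dict(zip(self.one_many_fields, key)),
                "distinct_values": len(seen), "time": now}


def run_rule(rule, events):
    """Feed events in arrival order and collect the conclusions the rule declares."""
    return [c for c in (rule.feed(e) for e in events) if c is not None]


# Rule instances built from Table 5-1; thresholds and field names are constructed.
def port_sweep_rule():
    # One-Many: IP Source Address and IP Destination Port; Many-One: IP Destination Address
    return ManyToOneRule("Port sweep", {"category": "firewall_deny"},
                         ("ip_source", "ip_destination_port"), ("ip_destination",),
                         count=5, span=10)


def many_sources_one_target_rule():
    return ManyToOneRule("Many Sources, One Target", {"category": "firewall_deny"},
                         ("ip_destination",), ("ip_source",), count=3, span=10)


def many_signatures_one_source_rule():
    return ManyToOneRule("Many Symantec Signatures, One Source", {"category": "ids_alert"},
                         ("ip_source",), ("signature",), count=3, span=60)


def constructed_events():
    """Constructed firewall and IDS events in arrival order (not real data)."""
    evs = []
    # a fast sweep: one source probes port 22 on six hosts within six seconds
    for i in range(6):
        evs.append({"time": 100 + i, "category": "firewall_deny", "ip_source": "10.0.0.5",
                    "ip_destination": f"10.0.1.{i + 1}", "ip_destination_port": 22})
    # benign retries: same source and a single target, so only one distinct Many-One value
    for i in range(6):
        evs.append({"time": 100 + i, "category": "firewall_deny", "ip_source": "10.0.0.9",
                    "ip_destination": "10.0.1.1", "ip_destination_port": 22})
    # a slow sweep 30 s apart: every event falls outside the 10 s span of the previous one
    for i in range(5):
        evs.append({"time": 200 + 30 * i, "category": "firewall_deny", "ip_source": "10.0.0.7",
                    "ip_destination": f"10.0.2.{i + 1}", "ip_destination_port": 445})
    # four sources reach one web server within four seconds (Many Sources, One Target)
    for i in range(4):
        evs.append({"time": 300 + i, "category": "firewall_deny", "ip_source": f"192.0.2.{i + 1}",
                    "ip_destination": "10.0.3.3", "ip_destination_port": 80})
    # one source raises three different IDS signatures (Many Symantec Signatures, One Source)
    for i, sig in enumerate(["Buffer Overflow", "Application Exploitation", "Constructed Sig"]):
        evs.append({"time": 400 + i, "category": "ids_alert", "ip_source": "198.51.100.7",
                    "ip_destination": "10.0.4.4", "signature": sig})
    return evs


if __name__ == "__main__":
    events = constructed_events()
    for rule in (port_sweep_rule(), many_sources_one_target_rule(),
                 many_signatures_one_source_rule()):
        for conclusion in run_rule(rule, events):
            print(conclusion)
```

The slow sweep never fires because each of its events ages out the previous one, which is the trade-off the Span setting makes between catching patient scanning and keeping the tracking table small.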

About event criteria

The Event Criteria field contains a vast array of possible values that a rule can use to identify an event pattern. The Event Criteria field includes event data and schema information.

See “About rule conditions” on page 88.

Table 5-2 describes the tabs available in the drop-down list.

Table 5-2 Event Criteria tabs

■ Common: Contains the data from the Normalization fields, the Symantec DeepSight Threat Management System database (using the Symantec Signature), and the Asset and the Network tables.

■ Derived: Contains the customized data from the Normalization fields, the DeepSight database (using the Symantec Signature), and the Asset and the Network tables. The system applies logic to the source and the destination IP addresses that results in several fields or flags being added to the event. For fields, this information is primarily data from the Asset and Network tables. For flags, this information includes: traffic direction, Source is Internal, Destination is Internal, service info, Destination Port is Open (whether the Asset entry has the destination_port value listed as available), and whether the asset is Vulnerable (whether the Asset entry for the event’s destination_ip value is listed as being vulnerable to one or more of the BugTraq IDs associated with the event’s Symantec Event Code).

■ Events: Includes all of the events that have been identified for each product that is associated with your installation of Information Manager. This information is based on a combination of the default set of events (the Information Manager schema) and any SIPs that have been installed. These fields do not contain the Information Manager normalized values.

Provides a means of creating a product-specific field that uses a string or an integer value thatmay not be accessible through the schema provided. Event data is included with some of theevents that are sent to Information Manager that a specific point product uses. However, thisdata is not accounted for as an identified field in the Information Manager schema that thecollector uses (also known as out-of-band data). This data can be included either by the collectoror it can be added during normalization.

Other Fields

Provides access to the fields that are associated with the knowledge base tables that InformationManager and the environment provide. Also provides access to the resource-specific data thatthe user provides. For example, the Asset and Network tables. These fields are dynamicallygenerated based on the current state of each of the knowledge base tables.

Table Lookups

The Event Criteria rows include a logical decision field that provides the operatorthat is used to determine how the event criteria are evaluated.

Table 5-3 describes the decision option operators available.

Note: The available operators vary with each criteria type.

Table 5-3 Event Criteria operators

Equal: The field value is an exact match to the criteria value.

Not Equal: The field value does not match the criteria value.

Greater than: The field value is greater than the specified value.

Less than: The field value is less than the specified value.

Greater than or equal to: The field value is greater than or equal to the specified value.

Less than or equal to: The field value is less than or equal to the specified value.

Null: The field is empty.

Not Null: The field contains a value.

Is in: The field value is contained in the specified table.

Is not in: The field value does not match any value that is contained in the specified table.

True: The field value is True.

False: The field value is False.

Contains: The field value contains the specified string. How this operator behaves depends on the field against which the data is compared. If you use EMR values, a drop-down list of possible values appears. If you evaluate string data in a field such as target_resource, the value that you type is used for a substring search. For example, to find out whether the string root.exe is contained in the target_resource field: if target_resource contains http://www.example.com/cgi-bin/root.exe?blah, root.exe is found and causes a match.

Doesn't contain: The field value does not contain the specified string. As with Contains, the behavior depends on the field against which the data is compared: EMR values offer a drop-down list of possible values, and string fields such as target_resource are searched for the substring. For example, to verify that the string root.exe is not included in the target_resource field: if target_resource contains http://www.domain.com/cgi-bin/root.exe?blah, root.exe is found, and the Doesn't contain condition is not met.

Matches: The field value matches the specified regular expression.

Doesn't match: The field value does not match the specified regular expression.
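The difference between Contains (a plain substring test) and Matches (a regular expression) matters when you write criteria on string fields such as target_resource: a substring criterion of root.exe also matches chroot.exe, while an unanchored regular expression matches anywhere in the value. The following is an added example written for this guide, not Information Manager code; it applies the operators of Table 5-3 to a constructed event dict, and the field names, the CRITICAL_SERVERS lookup table and the event itself are assumptions for illustration rather than schema names.

```python
"""Event Criteria operators from Table 5-3, applied to a normalized event.
Added example, not Information Manager code: the event, the field names
and the CRITICAL_SERVERS lookup table are constructed for illustration."""
import re

# Constructed stand-in for a knowledge-base table referenced by "Is in".
CRITICAL_SERVERS = {"10.0.0.5", "10.0.0.6"}

OPERATORS = {
    "Equal":                    lambda v, c: v == c,
    "Not Equal":                lambda v, c: v != c,
    "Greater than":             lambda v, c: v is not None and v > c,
    "Less than":                lambda v, c: v is not None and v < c,
    "Greater than or equal to": lambda v, c: v is not None and v >= c,
    "Less than or equal to":    lambda v, c: v is not None and v <= c,
    "Null":                     lambda v, c: v is None,
    "Not Null":                 lambda v, c: v is not None,
    "Is in":                    lambda v, table: v in table,
    "Is not in":                lambda v, table: v not in table,
    "True":                     lambda v, c: v is True,
    "False":                    lambda v, c: v is False,
    # Contains is a plain substring test on the field's string value.
    "Contains":                 lambda v, c: v is not None and c in v,
    "Doesn't contain":          lambda v, c: v is None or c not in v,
    # Matches is an unanchored regular-expression search (re.search).
    "Matches":                  lambda v, c: v is not None and re.search(c, v) is not None,
    "Doesn't match":            lambda v, c: v is None or re.search(c, v) is None,
}


def evaluate(event, field, operator, value):
    """Evaluate one Event Criteria row against an event dict."""
    return OPERATORS[operator](event.get(field), value)


def evaluate_criteria(event, rows, combine="AND"):
    """Evaluate several rows joined with a single AND or OR."""
    results = [evaluate(event, f, op, v) for f, op, v in rows]
    return all(results) if combine == "AND" else any(results)


# Constructed event: the root.exe request used as the example in Table 5-3.
EVENT = {
    "target_resource": "http://www.example.com/cgi-bin/root.exe?blah",
    "destination_ip": "10.0.0.5",
    "destination_port": 80,
    "destination_port_open": True,
    "user_name": None,
}

ANCHORED = r"/cgi-bin/root\.exe(\?|$)"       # pins the file name to its directory


def example_results(event=EVENT):
    return {
        "contains_root_exe": evaluate(event, "target_resource", "Contains", "root.exe"),
        # Substring semantics: a truncated value, or a longer file name such
        # as chroot.exe, also contains "root.exe".
        "contains_partial": evaluate(event, "target_resource", "Contains", "root.ex"),
        "contains_chroot": evaluate({"target_resource": "/bin/chroot.exe"},
                                    "target_resource", "Contains", "root.exe"),
        "doesnt_contain_not_met": evaluate(event, "target_resource", "Doesn't contain", "root.exe"),
        "matches_anchored": evaluate(event, "target_resource", "Matches", ANCHORED),
        "matches_other_dir": evaluate({"target_resource": "http://h/x/root.exe"},
                                      "target_resource", "Matches", ANCHORED),
        "port_is_ephemeral": evaluate(event, "destination_port", "Greater than", 1023),
        "on_critical_server": evaluate(event, "destination_ip", "Is in", CRITICAL_SERVERS),
        "user_is_null": evaluate(event, "user_name", "Null", None),
        "composite": evaluate_criteria(event, [
            ("target_resource", "Contains", "root.exe"),
            ("destination_ip", "Is in", CRITICAL_SERVERS),
            ("destination_port_open", "True", None),
        ]),
    }
```

Note that the dot in root.exe has to be escaped in the Matches form; as a regular expression, root.exe matches rootXexe as well. The Null handling of the negative operators (Doesn't contain and Doesn't match are true for an empty field) is a choice made for this example and should be checked against the product's behavior before relying on it in a rule.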


About the Event Count, Span, and Table Size rule settings

The Rules Editor includes settings that let you specify how many events must occur within a specified period of time to meet the criteria for the rule. You can also set the size of the table in which the event data is stored.

See “About correlation rules” on page 87.

Table 5-4 Event Count, Span, and Table Size rule settings

Event Count: Determines the number of events that must occur within a specific time period to trigger an incident. The time period is specified in the Span setting. This setting is used primarily with the Many-One Fields area of the Tracking Keys (Conditions tab).

Span: The time period within which the number of events that is specified in the Event Count field must occur.

Table Size: Specifies the state table size, in rows, that is maintained in memory for each rule.
For example, the Account Guessing Attack predefined rule requires that two events be identified within 10 minutes for the rule to trigger an incident. After the first event matches the rule criteria, an internal aggregation table is created that contains the event details. When the second matching event occurs, data from the second event is added to the same aggregation table. In this case, the Table Size setting is relatively small. However, if the Event Count were raised to a much larger number, the aggregation table could run out of space. In that case, the table wraps: the new event data begins to overwrite the original event data in sequential order.
To prevent the data from being overwritten, adjust the Table Size according to the event volume that you expect for the rule. Event data sizes vary widely with each implementation, but using the predefined rules as a starting point helps to identify general size parameters.

About the Tracking Key and Conclusion Creation fields

The Tracking Key and Conclusion Creation fields are used to further refine rule settings. Use these fields to establish whether an event should be correlated to the existing events that are tracked in aggregation tables. In addition, the Tracking Key and Conclusion Creation fields include the Severity and the Description fields. These fields provide a means for security analysts to escalate conclusions based on severity, and to include additional extracted information within the Conclusion Description.

Table 5-5 describes the Tracking Key fields on the Conditions tab.


Table 5-5 Tracking Key fields (Conditions tab)

One-Many Fields: Describes the elements that must remain consistent across each event in order for the event to be correlated to an existing event aggregation table.
For example, to define a rule that tracks a single user name connecting to multiple target IP addresses (in other words, one user name to many IP addresses), set the rule type to One to Many, and in the One-Many Fields area, select User Name. This field must be the same in each event for any subsequent events to be correlated with previous events.

Many-One Fields: Describes the elements that must be different for each event in order for the event to be correlated to an existing event aggregation table. This field is used with the Event Count field to determine when the conditions for a One to Many rule have been met.
For example, to define the same rule (one user name to many IP addresses), set the rule type to One to Many, and in the Many-One Fields area, select Target IP. The IP address in this field must be different in each event for any subsequent events to be correlated with previous events.

Tracking Fields: Describes the field upon which a matching event is correlated to an existing conclusion. If an event matches the criteria for a rule, it is compared against the tracking fields for any existing conclusion. If the event matches an existing conclusion, it is correlated to that conclusion rather than being considered for a new conclusion. Required with the Many to One and Single Event rule types.
With One to Many rules, this field is typically used to track the same value as in the One-Many Fields area: the event field data that must remain the same across each new event that is added to the aggregation table.
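Tables 5-4 and 5-5 together describe a One to Many rule: events that share the One-Many field are aggregated, the rule fires when Event Count distinct Many-One values are seen within Span, and all of that state lives in a table of Table Size rows that wraps when full. The following is an added example written for this guide, not Information Manager code: it models that behavior with a bounded table so that the effect of an undersized Table Size is visible. The field names, the event stream and the way rows are released after a conclusion are constructed assumptions; the product's actual table layout is not documented here.

```python
"""One to Many rule with the Event Count, Span and Table Size settings of
Table 5-4 and the One-Many / Many-One tracking keys of Table 5-5.
Added example, not Information Manager code: the bounded state table, the
field names and the event stream are constructed for illustration."""
from collections import deque


class OneToManyRule:
    def __init__(self, one_field, many_field, event_count, span, table_size):
        self.one_field = one_field        # One-Many field: must be the same (e.g. user)
        self.many_field = many_field      # Many-One field: must differ (e.g. target IP)
        self.event_count = event_count    # distinct Many-One values needed
        self.span = span                  # seconds within which they must occur
        self.table_size = table_size      # rows of state kept in memory
        self.table = deque(maxlen=table_size)   # when full, the oldest row is overwritten
        self.conclusions = []
        self.overwritten = 0              # rows lost because the table wrapped

    def feed(self, ev):
        """Add one event; return a conclusion if the rule fires, else None."""
        if len(self.table) == self.table_size:
            self.overwritten += 1
        self.table.append(ev)
        key = ev[self.one_field]
        # Rows for this tracking key that still fall inside the span.
        window = [r for r in self.table
                  if r[self.one_field] == key and ev["t"] - r["t"] <= self.span]
        distinct = {r[self.many_field] for r in window}
        if len(distinct) < self.event_count:
            return None
        conclusion = {"key": key, "targets": sorted(distinct), "t": ev["t"]}
        self.conclusions.append(conclusion)
        # Release the rows that produced the conclusion so they are not counted again.
        self.table = deque((r for r in self.table if r[self.one_field] != key),
                           maxlen=self.table_size)
        return conclusion


def mk(t, user, target_ip):
    return {"t": t, "user": user, "target_ip": target_ip}


# Constructed stream: alice touches four hosts in two minutes while bob's
# repeated connections to a single host fill the table in between.
EVENTS = [
    mk(0, "alice", "10.0.0.1"),
    mk(10, "bob", "10.0.0.9"), mk(20, "bob", "10.0.0.9"),
    mk(30, "alice", "10.0.0.2"),
    mk(40, "bob", "10.0.0.9"), mk(50, "bob", "10.0.0.9"), mk(60, "bob", "10.0.0.9"),
    mk(70, "alice", "10.0.0.3"),
    mk(80, "bob", "10.0.0.9"), mk(90, "bob", "10.0.0.9"), mk(100, "bob", "10.0.0.9"),
    mk(110, "alice", "10.0.0.4"),
]


def run(table_size, events=EVENTS):
    """Run the rule (4 distinct targets per user within 600 s) with a given
    Table Size; returns (conclusions, number of rows overwritten)."""
    rule = OneToManyRule("user", "target_ip", event_count=4, span=600, table_size=table_size)
    for ev in events:
        rule.feed(ev)
    return rule.conclusions, rule.overwritten


if __name__ == "__main__":
    print("Table Size 64:", run(64))
    print("Table Size 6: ", run(6))
```

With Table Size 64 the rule fires on alice's fourth target; with Table Size 6 the same stream produces no conclusion, because bob's nine connections to one host pushed alice's first rows out of the table before her fourth event arrived. Rows from other keys count against the table, so the size has to be chosen for the total matching volume during one span, not just for one attacker's events.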

Table 5-6 describes the Conclusion Creation fields on the Actions tab.

Table 5-6 Conclusion Creation fields (Actions tab)

Alerting Incident: Describes whether an incident should be treated as an alert rather than a security incident.

Severity: Describes the severity of the event conclusion, which can determine whether an incident is created. The Severity values include the following:
■ 1 - Informational: Purely informational events.
■ 2 - Warning: User decides if any action is needed.
■ 3 - Minor: Action is required, but the situation is not serious at this time.
■ 4 - Major/Critical: Action is required immediately and the scope may be broad.
■ 5 - Fatal: An error occurred, but it is too late to take remedial action and the scope is broad.

Description: Provides a user input area for security analysts to further define the conditions that led to the creation of the conclusion. This field also supports field name variables that are populated with event data.

Remediation: Provides a user input area for security analysts to include remediation notes for each incident that is created. The notes appear on the Remediation tab for the incident.

About the Correlate By and Resource fields

The Correlate By field determines whether a conclusion that is created should be mapped to an existing incident.

See “About correlation rules” on page 87.

For example, if a Virus Outbreak incident is in progress, using the appropriate setting in the Correlate By field causes each VirusOutbreak conclusion with the same virus name to be mapped to the existing incident.

In addition, you can use the Resource field drop-down list to further refine thecharacteristics of the correlation requirements for the incident.

Table 5-7 describes the Correlation types available in the Correlate By field.

Table 5-7 Correlate By fields

None: Correlation does not occur for the new incidents that match this rule.

Resource and Conclusion Type: Correlation is based on the Resource and the Conclusion type. For example, the same VirusOutbreak Conclusion type occurs on the same host that is specified in the Resource field. Therefore, the new conclusion is correlated to an existing incident.

Source and Destination: Correlation is based on the Source and the Destination fields. For example, a new conclusion is created whose source IP and destination IP are the same as those of an existing incident. Therefore, the conclusion is correlated to the existing incident.

Source and Conclusion Type: Correlation is based on the Source and the Conclusion type. For example, the same IP address causes PortScan conclusions. Therefore, any new PortScan conclusion that originates from the same source is mapped to the existing incident.

Source: Correlation is based on the Source field. If the Source matches, any conclusion that originates from that source is correlated to the existing incident.

Destination and Conclusion Type: Correlation is based on the Destination and the Conclusion type. For example, the conclusion is a denial-of-service attack that targets the same destination IP. Therefore, the conclusion is mapped to the existing incident.

Destination: Correlation is based on the Destination field. If the Destination is the same, any conclusion that applies to that destination is correlated to the existing incident.

Conclusion Type: Correlation is based on the Conclusion type. For example, all AntiVirusDisabled conclusions are mapped to the existing incident regardless of source or destination values.
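Each Correlate By option in Table 5-7 is a choice of which conclusion fields must agree for a new conclusion to join an open incident, and the option you pick changes how many incidents the same conclusions produce. The following is an added example written for this guide, not Information Manager code: it expresses each option as a tuple of fields and runs the same constructed conclusions through all of them. The conclusion field names, the host field used as the Resource Field and the conclusions themselves are assumptions for illustration.

```python
"""Correlate By options from Table 5-7, applied to a stream of conclusions.
Added example, not Information Manager code: each option is expressed as
the conclusion fields whose values must match for a new conclusion to join
an open incident; the conclusions and field names are constructed."""

CORRELATE_BY = {
    "None": None,                                        # every conclusion opens a new incident
    "Resource and Conclusion Type": ("resource", "type"),
    "Source and Destination": ("source_ip", "dest_ip"),
    "Source and Conclusion Type": ("source_ip", "type"),
    "Source": ("source_ip",),
    "Destination and Conclusion Type": ("dest_ip", "type"),
    "Destination": ("dest_ip",),
    "Conclusion Type": ("type",),
}


class IncidentStore:
    def __init__(self, correlate_by, resource_field=None):
        if correlate_by == "Resource and Conclusion Type" and resource_field is None:
            raise ValueError("Resource and Conclusion Type requires a Resource Field")
        self.fields = CORRELATE_BY[correlate_by]
        self.resource_field = resource_field   # conclusion field that plays the role of "resource"
        self.incidents = []                    # position = incident number
        self.by_key = {}                       # correlation key -> incident number

    def _key(self, c):
        return tuple(c[self.resource_field if f == "resource" else f] for f in self.fields)

    def add(self, conclusion):
        """Map the conclusion to an incident; return the incident number."""
        if self.fields is None:
            self.incidents.append([conclusion])
            return len(self.incidents) - 1
        key = self._key(conclusion)
        if key not in self.by_key:
            self.by_key[key] = len(self.incidents)
            self.incidents.append([])
        self.incidents[self.by_key[key]].append(conclusion)
        return self.by_key[key]


def mk(ctype, source_ip, dest_ip, host):
    return {"type": ctype, "source_ip": source_ip, "dest_ip": dest_ip, "host": host}


# Constructed conclusions, in arrival order.
CONCLUSIONS = [
    mk("PortScan", "198.51.100.7", "10.0.0.5", "web01"),
    mk("PortScan", "198.51.100.7", "10.0.0.6", "db01"),
    mk("PortScan", "203.0.113.9", "10.0.0.5", "web01"),
    mk("VirusOutbreak", "10.0.0.8", "10.0.0.5", "web01"),
    mk("VirusOutbreak", "10.0.0.8", "10.0.0.5", "web01"),
]


def assign(correlate_by, resource_field=None, conclusions=CONCLUSIONS):
    """Return the incident number that each conclusion lands in."""
    store = IncidentStore(correlate_by, resource_field)
    return [store.add(c) for c in conclusions]


def incident_counts():
    """Number of incidents each Correlate By option yields for CONCLUSIONS."""
    return {name: len(set(assign(name, "host"))) for name in CORRELATE_BY}


if __name__ == "__main__":
    for name, count in incident_counts().items():
        print(f"{name:32s} {count} incident(s): {assign(name, 'host')}")
```

For these five conclusions, Source and Conclusion Type keeps the two external scanners in separate incidents while merging the repeated VirusOutbreak reports; Conclusion Type alone would fold both scanners into one PortScan incident, which is usually too coarse for triage. This example does not expire incidents: in the product, a closed incident no longer attracts new conclusions, so the grouping also depends on the incident life cycle.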

Importing existing rules

You can import rules from separate instances of Information Manager by using the Import and the Export features that are available in each version. If you import a rule that references custom lookup tables, you must also import those tables.

See “About correlation rules” on page 87.

If you import a rule from a previous supported version of Information Manager,use the Rules view to delete any imported policy information. Then, apply thecurrent policies. Java-based rules are imported as jar files.

Note: In the User Monitor folder, you can import only those monitors that arecreated by using Information Manager version 4.5.

When you import rules from a previous version of Information Manager thatinclude user, team, or role assignments, verify that the assignments are configuredcorrectly after the import completes. Sometimes a user, team, or role that existedin a previous version is not identical to the version that exists in the upgradedversion. If so, you may need to reconfigure the rule assignment values to matchthe assignee information in the upgraded version.


To import an existing rule

1 In the console from which you want to export the rules, navigate to the Rulesview. Then, export the rules you want to apply to the new console.

2 In the current Information Manager console, on the Rules view, expand theCorrelation Rules folder.

3 Under the Correlation Rules folder, expand the User Rules folder.

4 Click Import from disk.

5 In the Select File(s) to Import dialog box, locate the file or files to import,and click Import....

To import a Java-based rule

1 In the Information Manager console, on the Rules view, click the User Monitors folder and then click Import from disk.

2 In the Select File(s) to Import dialog box, locate the jar file or files to import.

3 Click Import....

Creating custom correlation rules

The correlation rules describe the logic that is applied to an event or a set of events to detect possible security concerns.

See “About creating the right rule set for your business” on page 85.

You can create correlation rules from the Rules view of the Information Manager client console.

See “About correlation rules” on page 87.

The process for creating the correlation rules is as follows:

■ Define a name for the rule. See “To define a name for the rule” on page 101.

■ Configure the rule conditions. See “To configure the rule conditions” on page 101.

■ Configure the rule actions. See “To configure the rule actions” on page 102.

■ Deploy the rule on the server. See “To deploy the rule on the server” on page 104.


To define a name for the rule

1 On the Information Manager console, click Rules.

2 In the left navigation pane, under the Correlation Rules folder, click User Rules.

3 On the Rules tab, click Create new filter or rule (+).

4 In the Input dialog box, type a name for the rule.

You can now define a rule condition. A conclusion is generated if the set of eventssatisfies the defined conditions.

Note: You can configure multi-conditioned rules. Multi-conditioning lets you define rules that track up to five user activities in sequence. A conclusion is created when the specified sequence of events is detected for one combination of One-Many field values within the specified time period.

See “Creating a multicondition rule” on page 104.

To configure the rule conditions

1 On the Conditions tab, in the Description window, type a description for therule.

2 On Conditions > Rule Type, click the entry that best matches the type ofevent and target combination that applies to the new rule.

For example, to declare an incident whenever a specific event is detected,select Single Event. To declare an incident after a specific number of eventsare detected from a specific IP address, select Many Targets, One Source.

See “About rule types” on page 89.

3 In the Event Criteria area, click Add.

4 Select the left column of the new entry, and then choose an event field.

5 Select the center column and specify the operator.

6 Select the right column. Based on the operator that you chose, specify thevalue that must be true for the event type.

7 Repeat steps 3 through 6 for any other event criteria that you want appliedto the rule.

You can select multiple event criteria and apply logical operators (AND/OR)to them.

8 In Event Count, specify the number of times that the event criteria that youspecified must be true for an incident to be declared.


9 In Span, specify the time that is required for the number of events that arespecified in the Event Count to occur. For example, you can specify that 30events of a specific type must occur within 60 minutes, before an incident isdeclared.

10 In Table Size, specify the maximum number of events that the rule can track at any one time. The table size should generally be a multiple of the Event Count setting. The Table Size setting divided by the Event Count setting is equal to the maximum number of event groups that the rule can manage.

11 In the Tracking Keys area, specify the fields to include in the incident. Thisfield can be any of the One-Many, Many-One, or Tracking fields that areassociated with the incident.

You can now define the rule actions. A conclusion is generated if the set of eventssatisfies the defined conditions.

Note: You can create rules to detect threats based on the absence of the eventsthat you expect to occur.

See “Creating a correlation rule based on the X not followed by Y rule type”on page 107.

To configure the rule actions

1 On the Actions tab, check Alerting Incident (not a Security Incident) tospecify that an incident is an alert incident and not a security incident.

Alerting incidents notify about a situation that requires your attention ifthere is a discrepancy on a system.

Security incidents notify about a situation where there is a potential threatdue to a security breach in the organization.

2 From the Severity options, select the severity that you want to be associatedwith the incident.

3 In the Description area, type a description of the problem. This informationappears to users who are assigned the incidents or the tickets based upon theincidents that this rule triggers.

(Optional) Click Add (+) to include the fields from the final event that triggered the conclusion. When a conclusion is generated, these fields are replaced with their corresponding values in the description.

4 (Optional) Click Remediation to populate the Custom Remediation libraryfor this conclusion and to instruct the analysts with a remedy that is specificfor your organization.


5 In the Correlate By list box, select the method by which conclusions aregrouped into incidents.

6 If you selected Resource and Conclusion Type from the Correlate By listbox, you can select a field in Resource Field. This field is used to correlateconclusions within an incident. Conclusions can be correlated together intoincidents based on the value of the resource field.

7 To specify that a user or team is automatically assigned to incidents that thisrule creates, do the following:

■ Turn on Enable Auto Assign and then click Add.

■ If you want to assign incidents based upon the IP address of the affected target computer, in the left column select the IP Address or Network option. Any Address is the default option. Retain the default option to ensure that all occurrences of the incident are assigned irrespective of the IP address.

■ To assign incidents to an individual user, in the User column, select the user who should be assigned the incidents.

■ To assign incidents to a group of users, in the User Group column, select the team that should be assigned the incidents.

At any time, you can click Clear to clear the selections.

■ If you want to automatically assign incidents to the least busy member ina user group, check Assign to least busy user and then select thecorresponding user group.

8 In the Notification area, check Enable if you want to notify users about theincident activity.

If you want to notify users only when an incident is created, check Sendnotification for incident creation only.

9 Click Recipients to select the method of notification for each recipient. Theoptions are Email Address Entry, User, User Group, Syslog, SNMP Trap.Once the method of notification is selected, you are prompted to enter detailscorresponding to the option that you selected.

After you specify the condition and the action, you can test the rule and thendeploy it on the server.


To deploy the rule on the server

1 On the Testing tab, specify the location of a file containing event data, andthen click Start Test.

2 When you are satisfied with the incidents and the conclusions that the rulecreates, turn on the rule in the Rules list.

3 On the top toolbar, click Deploy to the server.

See “Enabling and disabling rules” on page 115.

Creating a multicondition rule

Consider a sample scenario for triggering an event when a combination of conditions is fulfilled.

See “About rule conditions” on page 88.

If the following conditions are met, then an event must be triggered:

■ The user logs on to a Windows domain controller.

■ The user creates a new user.

■ The user modifies the privileges for the newly created user. (For example, theuser gives the new user domain admin privileges.)

■ The user logs out.

Note: The event codes in the procedures are applicable to Microsoft Windows2000. They may vary for other operating systems.

To create a new rule

1 On the console of the Information Manager client, click Rules.

2 In the left navigation pane, under the Correlation Rules folder, click User Rules.

3 On the Rules tab, click Create new filter or rule (+).

4 In the Input dialog box, type a name for the rule.

The rule name appears in red color under the User Rules folder.

5 In the description box, type the description for the rule. (For example, monitorfor the events that occur when all the conditions that are specified arefulfilled.)

Once you create a new rule, you must configure the rule conditions that arerequired based on the scenario.


To configure the rule conditions

1 On the Conditions tab, in the Description window, type a description for therule.

2 On the Conditions tab, on the Rule Type menu, click MultiCondition.

3 In the Event Criteria area, click Add.

Add the conditions that are required to trigger the rule.

To add Condition 1

1 Select the left column of the new entry. From the drop-down list that appears,select the Events tab and click on the Host Intrusion Activity folder.

From the collapsible list that is displayed, select Intrusion Action ID.

2 Select the center column and select the = operator.

3 Select the right column, and then select Login. This value corresponds to thelogon action.

4 If the events must occur more than once for an incident to be declared, specify the count of events in the Event Count list that is located in the Event Criteria area.

Add the other conditions that are required to trigger the rule.

To add Condition 2

1 Under Rule Type, click Add to add a second condition.

2 Select the left column of the new entry for Condition 2. From the drop-downlist that appears, click the Common tab and select Symantec Event Code.

3 Select the center column and select the = operator.

4 Select the right column, and then select 722. This value corresponds to the creation of a new user account.

5 If the events must occur more than once for an incident to be declared, in theEvent Criteria area, specify the count of events in the Event Count list.

Add the other conditions that are required to trigger the rule.

To add Condition 3

1 Under Rule Type, click Add to add a third condition.

2 Select the left column of the new entry for Condition 3. From the drop-downlist that appears, click the Common tab and select Vendor Signature.


3 Select the center column and select the = operator.

4 Select the right column, and then select 632. This value corresponds to a new user account being added to the domain admin group for the third condition.

5 If the events must occur more than once for an incident to be declared, in the Event Criteria area, specify the count of events in the Event Count list.

Add the other conditions that are required to trigger the rule.

To add Condition 4

1 Under Rule Type, click Add to add a fourth condition.

2 Select the left column of the new entry for Condition 4. From the drop-downlist that appears, click the Common tab and select Symantec Event Code.

3 Select the center column and select the = operator.

4 Select the right column, and then select 720. This value corresponds to theuser account Log-off for the fourth condition.

5 In the Tracking Keys area, under the One-Many field, click Add and selectAgent Host.

Under the Tracking field, click Add and select IP destination address.

6 If the events must occur more than once for an incident to be declared, in the Event Criteria area, specify the count of events in the Event Count list.

7 In Span, set the time span equal to 20 minutes.

8 In Table Size, specify the maximum number of events that the rule can track at any one time.

After you configure the rule conditions you must configure the rule actions.

To configure the rule actions

1 On the Actions tab, in the Conclusion Severity option, specify the severitythat you want associated with the incident.

2 In the Conclusion Description area, type a description of the problem. Thisinformation appears to users who are assigned the incidents or the ticketsthat are based upon the incidents that this rule triggers.

(Optional) Click Add (+) to include the values of fields from the final eventthat triggered the conclusion.

3 In the Correlate By drop-down list, specify the method by which conclusions are grouped into incidents.


4 In the Resource Field menu, choose the desired event fields. Conclusions can be correlated together into the incidents that are based on the value of this resource field.

5 To specify that a user or team is automatically assigned to incidents that thisrule creates, do the following:

■ Turn on Enable Auto Assign.

■ If you want to automatically assign incidents to the least busy member ina user group, check Assign to least busy user and then select thecorresponding user group.

■ To assign the incident that is based upon the IP address of the affectedtarget computer, in the left column, type the IP address or netmask.

■ In the User column, click the user to whom you want to assign theincidents.

■ In the User Group column, click the help desk team to which you want to assign the incidents.

After you specify the conditions and the actions, you can test the rule and thendeploy it on the server.

To deploy the rule on the server

1 On the Testing tab, specify the location of a file containing event data, andthen click Start Test.

2 When you are satisfied with the incidents and conclusions that this rulecreates, turn on the rule in the Rules list.

3 On the top toolbar, click Deploy to the server.

Creating a correlation rule based on the X not followed by Y rule type

Consider a sample scenario wherein a user logs on to a critical system and carries out some activity. However, the user fails to log off within an hour. Normally such a logon should last for less than an hour. If the user does not log off within an hour, this suspicious activity results in an event with a conclusion. This sample scenario is an example of Y not following X.

See “About rule types” on page 89.

To create a correlation rule for X not followed by Y

1 On the console of the Information Manager client, click Rules.

2 In the left navigation pane, under the Correlation Rules folder, click User Rules.


3 On the Rules tab, click Create new filter or rule (+).

4 In the Input dialog box, type a name for the rule.

The rule name appears in red color under the User Rules folder.

Example: Rule for Event Definition with negatives

5 In the Descriptions box, type the description for the rule. Example: Monitor for the events that have not occurred in a defined sequence.

You can now define the required rule condition. An event is generated if the set of user actions satisfies the defined condition.

In this example, X is the normal activity of a logon. Y is the activity of a logoff. Normally, Y follows X. However, in this example the logoff does not happen even after an hour. Therefore, use the rule type X not followed by Y to trigger an event.

To configure the rule conditions and actions

1 On the Conditions tab, on the Rule Type menu, click the rule X not followed by Y.

2 In the Event Criteria area, click + to add a criterion for X.

3 Select the left column of the new entry, and then choose the event type Mechanisms.

4 Select the center column and select the operator contains.

5 Select the right column, and then specify the value Login.

6 To add the criterion for Y, in the Event Criteria Postcondition area, click + to add an entry, select the left column of the new entry, and then choose the Mechanisms event type.

7 Select the center column and select the operator contains.

8 Select the right column, and then specify the value Logout.

9 In the Tracking Keys area, under the One-Many fields, click Add to specify the fields that you want to track: for example, the Source IP address. Under the Tracking Fields column, if you want to track the date of the event, you can add Event Date.

10 In the Event Count box, specify the number of times that the event criteria that you specified must be true for an incident to be declared.

11 In the Span box, specify the amount of time within which the two events X and Y must occur. For example, you can specify that Y must occur within 60 minutes of X, failing which an incident is declared.


12 In the Table Size box, specify the maximum number of events that the rule can track at any one time. The table size should generally be a multiple of the Event Count setting.

13 On the Actions tab, you can specify whether the incident is an Alerting incident and not a security incident. You can add the description and the remediation for that incident.

14 In the following areas for Auto Assignments and Notifications you can specify whether the incident should be assigned automatically to the users or groups selected.

15 In the Notification area, you can enable notifications and specify the email address of the recipients. You can add one or more recipients to receive the notifications.

You must deploy the rule after you have created and configured the rule.

To deploy the rule

1 On the console of the Information Manager client, click Rules.

2 In the left navigation pane, place a check mark in the box next to the rule that you want to deploy.

3 In the top toolbar, click Deploy.

Creating a correlation rule based on the X not followed by X rule type

Consider a sample scenario wherein a user tries to log on, fails, and does not attempt to log on again for 30 minutes. Normally, an authorized user tries to log on again within 30 minutes. However, this user waits for more than 30 minutes before attempting to log on again. This behavior indicates suspicious activity that results in an event with a conclusion. This sample scenario is an example of X not following X.

See “About rule conditions” on page 88.

To create a correlation rule for X not followed by X

1 On the console of the Information Manager client, click Rules.

2 In the left navigation pane, under the Correlation Rules folder, click User Rules.

3 On the Rules tab, click Create new filter or rule (+).


4 In the Input dialog box, type a name for the rule. Example: Rule for Event Definition with negatives

5 In the Descriptions box, type a brief description for the rule. Example: Monitors for predefined behavior of events.

You can now define the required rule condition. An event is generated if the set of user actions satisfies the defined condition.

In this example, X is the normal activity of a logon. Normally, a failed logon attempt is followed by another logon attempt within a 30-minute period. However, in this example the user does not attempt to log on for more than 30 minutes. Therefore, you can use the rule type X not followed by X to trigger an event.

To configure the rule conditions and actions

1 On the Conditions tab, on the Rule Type menu, click the rule X not followed by X.

2 In the Event Criteria area, click + to add a criterion for X.

3 Select the left column of the new entry, and then choose the event type Mechanisms.

4 Select the center column and select the operator contains.

5 Select the right column and then specify the value Login.

6 Click Add to add the second criterion for X. Then select the left column of the new entry, and in the drop-down list under Events, expand the Intrusion Activity folder. Select Intrusion Outcome ID.

7 Select the center column and select the operator =.

8 Select the right column, and then specify the value Failed.

9 In the Tracking Keys area, under the One-Many fields, click Add to specify the fields to track: for example, the Source IP address. Under the Tracking Fields column, if you want to track the date of the event, add Event Date.

10 In the Event Count box, specify the number of times that the event criteria that you specified must be true for an incident to be declared.

11 In the Span box, specify the amount of time for the event. For example, you can specify 30 minutes, failing which an incident is declared.

12 In the Table Size box, specify the maximum number of events that the rule can track at any one time. The table size should generally be a multiple of the Event Count setting.


13 On the Actions tab, specify whether the incident is an Alerting incident and not a security incident. Add the description and the remediation for that incident.

14 In the following areas for Auto Assignments and Notifications, specify whether the incident should be assigned automatically to the users or groups selected.

15 In the Notification area, enable notifications and specify the email address of the recipients. You can add one or more recipients to receive the notifications.

You must deploy the rule after you have created and configured the rule.

To deploy the rule

1 On the console of the Information Manager client, click Rules.

2 In the left navigation pane, place a check mark in the box next to the rule to deploy.

3 In the top toolbar, click Deploy.

Creating a correlation rule for the Y not preceded by X rule type

Consider a sample scenario wherein a user logs on to a Linux system. The user uses PuTTY or another secure connection to log on, assumes the su (superuser) role, and creates another user. Normally, to create a new user account, you log on as root. However, this user bypasses the root logon and a new user account is created. This sample scenario is an example of X not preceding Y.

To create a correlation rule for Y not preceded by X

1 On the console of the Information Manager client, click Rules.

2 In the left navigation pane, under the Correlation Rules folder, click User Rules.

3 On the Rules tab, click Create new filter or rule (+).

4 In the Input dialog box, type a name for the rule.

Example: Rule for Event Definition with negatives

5 In the Descriptions box, enter a brief description for the rule.

Example: Monitors for the events occurring in correct sequence.

In this example, X is the activity of a root logon. Y corresponds to the creation of a new user account. Normally, a new user is created by logging on as root. However, in this example, the user does not log on as root but as a normal user.


The user is able to create a new user account. Therefore, you can use the rule type Y not preceded by X to trigger an event.

You can now define the required rule condition. An event is generated if the set of user actions satisfies the defined condition.

To configure the rule conditions and actions

1 On the Conditions tab, on the Rule Type menu, click the rule Y not preceded by X.

2 In the Event Criteria area, click + to add a criterion for X.

3 Select the left column of the new entry, and then choose the event type Symantec Event Code.

4 Select the center column and then select the operator =.

5 Select the right column, and then specify the value 733, which corresponds to the user action.

6 Click Add to add the second criterion for X. Then select the left column of the new entry, and in the drop-down list under the Events tab, expand the Intrusion Activity folder. Select Intrusion Outcome ID.

7 Select the center column and select the operator =.

8 Select the right column, and then specify the value Failed.

9 In the Tracking Keys area, under the One-Many fields, click Add to specify the fields to track: for example, the source IP address. Under the Tracking Fields column, to track the date of the event, add Event Date.

10 In the Event Count box, specify the number of times that the event criteria that you specified must be true for an incident to be declared.

11 In the Span box, specify the amount of time for the event. For example, you can specify 30 minutes, failing which an incident is declared.

12 In the Table Size box, specify the maximum number of events that the rule can track at any one time. The table size should generally be a multiple of the Event Count setting.

13 On the Actions tab, you can specify whether the incident is an Alerting incident and not a security incident. You can add the description and the remediation for that incident.


14 In the following areas for Auto Assignments and Notifications you can specify whether the incident should be assigned automatically to the users or groups selected.

15 In the Notification area, you can enable notifications and specify the email address of the recipients. You can add one or more recipients to receive the notifications.

You must deploy the rule after you have created and configured the rule.

To deploy the rule

1 On the console of the Information Manager client, click Rules.

2 In the left navigation pane, place a check mark in the box next to the rule to deploy.

3 In the top toolbar, click Deploy.
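The three negative-sequence rule types walked through above (X not followed by Y, X not followed by X, and Y not preceded by X) share one mechanism: a table of pending or most recent X events per tracking key, and a span timer. This added example, which is not Symantec code, implements that mechanism in Python and runs it over constructed events for all three scenarios. The event field names, the tracking key (Source IP), the predicates that stand in for the Event Criteria, the "create_user" action standing in for the page's event code, and the eviction of the oldest entry when Table Size is exceeded are assumptions; Event Count is fixed at one.

```python
"""Added example, not Symantec code: a minimal correlator for the three
negative-sequence rule types described above (X not followed by Y, X not
followed by X, Y not preceded by X), run over constructed sample events.
Field names (time, src_ip, mechanism, outcome, action) are assumptions."""
from collections import OrderedDict
from datetime import datetime, timedelta


def ev(time, src_ip, mechanism, outcome="Success", action=""):
    """Build a constructed event; times are HH:MM on the same day."""
    return {"time": datetime.strptime(time, "%H:%M"), "src_ip": src_ip,
            "mechanism": mechanism, "outcome": outcome, "action": action}


class NegativeSequenceRule:
    """kind is 'not_followed_by' or 'not_preceded_by'; x and y are predicates
    over an event; key maps an event to its tracking key (Source IP here);
    span is in minutes; table_size caps tracked keys (assumed: oldest evicted)."""

    def __init__(self, kind, x, y, key, span, table_size=1000):
        self.kind, self.x, self.y, self.key = kind, x, y, key
        self.span, self.table_size = timedelta(minutes=span), table_size
        self.table = OrderedDict()   # key -> pending X event, or time of last X
        self.incidents = []          # (key, event that caused the incident)

    def _track(self, k, value):
        self.table.pop(k, None)
        self.table[k] = value
        if len(self.table) > self.table_size:
            self.table.popitem(last=False)

    def expire(self, now):
        """not_followed_by: an X whose span passed without a Y is an incident."""
        if self.kind != "not_followed_by":
            return
        for k, x_ev in list(self.table.items()):
            if now - x_ev["time"] > self.span:
                self.incidents.append((k, x_ev))
                del self.table[k]

    def feed(self, e):
        k = self.key(e)
        self.expire(e["time"])
        if self.kind == "not_followed_by":
            if k in self.table and self.y(e):
                del self.table[k]        # Y arrived in time: nothing to report
            elif self.x(e) and k not in self.table:
                self._track(k, e)        # start the clock for this key
        else:                            # not_preceded_by
            if self.y(e):
                last = self.table.get(k)
                if last is None or e["time"] - last > self.span:
                    self.incidents.append((k, e))   # no X for this key in span
            if self.x(e):
                self._track(k, e["time"])


def run(rule, events, end):
    """Feed events in time order, then expire at `end`; return incident keys."""
    for e in sorted(events, key=lambda e: e["time"]):
        rule.feed(e)
    rule.expire(datetime.strptime(end, "%H:%M"))
    return [k for k, _ in rule.incidents]


by_ip = lambda e: e["src_ip"]
login = lambda e: "Login" in e["mechanism"]          # Mechanisms contains Login
logout = lambda e: "Logout" in e["mechanism"]        # Mechanisms contains Logout
failed_login = lambda e: login(e) and e["outcome"] == "Failed"
root_login = lambda e: login(e) and e["action"] == "root"
create_user = lambda e: e["action"] == "create_user"

EVENTS = [  # constructed sample events, not real log data
    ev("09:00", "10.0.0.5", "Login"), ev("09:30", "10.0.0.5", "Logout"),
    ev("09:05", "10.0.0.9", "Login"),                               # never logs out
    ev("09:10", "10.0.0.7", "Login", "Failed"), ev("09:20", "10.0.0.7", "Login", "Failed"),
    ev("09:15", "10.0.0.8", "Login", "Failed"),                     # no retry in 30 min
    ev("09:40", "10.0.0.6", "Login", action="root"),
    ev("09:50", "10.0.0.6", "Shell", action="create_user"),        # preceded by root logon
    ev("09:45", "10.0.0.3", "Shell", action="create_user"),        # not preceded by one
]


def x_not_followed_by_y():
    return run(NegativeSequenceRule("not_followed_by", login, logout, by_ip, 60), EVENTS, "11:00")


def x_not_followed_by_x():
    return run(NegativeSequenceRule("not_followed_by", failed_login, failed_login, by_ip, 30), EVENTS, "11:00")


def y_not_preceded_by_x():
    return run(NegativeSequenceRule("not_preceded_by", root_login, create_user, by_ip, 30), EVENTS, "11:00")


if __name__ == "__main__":
    print(x_not_followed_by_y(), x_not_followed_by_x(), y_not_preceded_by_x())
```

Two things the run shows that the procedures above do not. With the page's X criterion of "Mechanisms contains Login", the X not followed by Y rule also starts a timer for the failed logons (10.0.0.7 and 10.0.0.8 here) and reports them when no logout follows; add an outcome check to X if only successful sessions should be tracked. And keying on Source IP alone conflates every user behind one address, so hosts behind a NAT gateway or a jump host need a user-plus-IP tracking key.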

Creating a correlation rule for the Lookup Table Update

The Lookup Table Update rule is set to dynamically collect information in the lookup tables. Any rule can refer to this information to generate incidents, tickets, and assets. You can create a correlation rule that refers to an existing lookup table that gets dynamically updated. After you create a rule, you can configure the rule conditions and actions and deploy it. This rule is created only for updating the lookup table. Therefore, conclusions are not created for the Lookup Table Update rule.

See “About rule types” on page 89.

Consider a sample scenario wherein a stack of intentionally bad credit cards is distributed to serve as bait for malicious users. A malicious user intending to commit fraud can use one of the bait cards that have been distributed. A list of such bait credit cards is maintained in a lookup table. Whenever a credit card usage event contains any of these bait credit card numbers, the source IP address of this event is immediately stored in the lookup table of the Information Manager. Later, if a legitimate usage event originates from the stored source IP address, it indicates fraud by the malicious user.

A correlation rule that is set to refer to the dynamically updated lookup table generates an incident for the events that occur from the stored source IP address. Here a lookup table must be configured with a Lookup Table Update rule to get updates of the source IP address.


To create a correlation rule for Lookup Table Update

1 In the console of the Information Manager client, click Rules.

2 In the left navigation pane, under the Correlation Rules folder, click User Rules.

3 On the Rules tab, click Create new rule (+).

4 In the Descriptions box, enter a brief description for the rule.

You can now configure the required rule conditions and actions. An event is generated whenever the lookup table is updated with the specified event criteria.

To configure the rule conditions and actions

1 On the Conditions tab, on the Rule Type menu, select Lookup Table Update Rule.

2 In the Event Criteria area, click + and specify the event criteria.

3 On the Actions tab, configure the actions for the Lookup Table Update rule by editing any of the following properties:

Lookup Table: Lets you select the User Lookup Table that is modified dynamically if the event satisfies the specified event criteria.

Table Column: The key column in the Lookup Table that is updated automatically.

Event Field: Lets you select an existing event field. If an event satisfies the specified event criteria, the value of this event field is used to populate the key column in the Lookup Table.

Timeout in hours: Lets you specify the period after which an entry in the configured Lookup Table is removed. The value is specified in hours. If the value is 0, entries in the Lookup Table do not expire.

After configuring the rule conditions, you must enable and deploy the rule.

To deploy the rule

1 In the console of the Information Manager client, click Rules.

2 In the left navigation pane, place a check mark in the box next to the rule to deploy.

3 In the top toolbar, click Deploy.
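The bait-card scenario above, as an added example that is not Symantec code: a Lookup Table Update rule copies the source IP of any event that uses a bait card into a dynamic table whose entries expire after the configured timeout in hours (0 meaning never), and a second rule declares an incident for later card usage from a stored address. The table names, event fields, card numbers and timestamps are constructed, and the rule evaluation order (update rule before incident rule on each event) is an assumption.

```python
"""Added example, not Symantec code: the bait-card scenario with a Lookup
Table Update rule feeding a dynamic table and an incident rule reading it.
Table names, event fields and all data are constructed."""
from datetime import datetime, timedelta


class LookupTable:
    def __init__(self, key_column, timeout_hours=0):
        self.key_column, self.timeout_hours = key_column, timeout_hours
        self.rows = {}                        # key value -> (row, time stored)

    def update(self, row, now):
        """Insert or refresh a row; refreshing restarts its timeout."""
        self.rows[row[self.key_column]] = (row, now)

    def purge(self, now):
        """Drop entries older than the timeout (never, when timeout is 0)."""
        if self.timeout_hours:
            ttl = timedelta(hours=self.timeout_hours)
            self.rows = {k: v for k, v in self.rows.items() if now - v[1] <= ttl}

    def contains(self, value, now):
        self.purge(now)
        return value in self.rows


class LookupTableUpdateRule:
    """Conditions: the event matches `criteria`. Action: the value of
    `event_field` populates the key column of `table`. No conclusion."""
    def __init__(self, criteria, table, event_field):
        self.criteria, self.table, self.event_field = criteria, table, event_field

    def feed(self, e):
        if self.criteria(e):
            self.table.update({self.table.key_column: e[self.event_field]}, e["time"])


class IncidentRule:
    """Declares an incident when the event matches `criteria` and its
    `event_field` value is present (and not expired) in `table`."""
    def __init__(self, criteria, table, event_field):
        self.criteria, self.table, self.event_field = criteria, table, event_field
        self.incidents = []

    def feed(self, e):
        if self.criteria(e) and self.table.contains(e[self.event_field], e["time"]):
            self.incidents.append(e)


def T(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


BAIT_CARDS = LookupTable("card_number")                   # static user table, never expires
for number in ("4111111111111111", "5500000000000004"):   # constructed bait numbers
    BAIT_CARDS.update({"card_number": number}, T("2011-01-01 00:00"))

EVENTS = [  # constructed credit card usage events
    {"time": T("2011-03-01 08:00"), "src_ip": "203.0.113.7", "card": "4111111111111111"},
    {"time": T("2011-03-01 09:00"), "src_ip": "203.0.113.7", "card": "4000000000000002"},
    {"time": T("2011-03-01 09:30"), "src_ip": "198.51.100.2", "card": "4000000000000002"},
    {"time": T("2011-03-02 09:00"), "src_ip": "203.0.113.7", "card": "4000000000000002"},
    {"time": T("2011-03-02 10:00"), "src_ip": "203.0.113.7", "card": "5500000000000004"},
    {"time": T("2011-03-02 10:05"), "src_ip": "203.0.113.7", "card": "4000000000000002"},
]


def simulate(timeout_hours=24):
    """Run both rules over EVENTS; return 'time src_ip' for each incident."""
    fraud_ips = LookupTable("src_ip", timeout_hours)       # the dynamically updated table
    uses_bait = lambda e: BAIT_CARDS.contains(e["card"], e["time"])
    updater = LookupTableUpdateRule(uses_bait, fraud_ips, "src_ip")
    detector = IncidentRule(lambda e: not uses_bait(e), fraud_ips, "src_ip")
    for e in sorted(EVENTS, key=lambda e: e["time"]):
        updater.feed(e)        # update the table first, then evaluate the detector
        detector.feed(e)
    return [f"{e['time']:%Y-%m-%d %H:%M} {e['src_ip']}" for e in detector.incidents]


if __name__ == "__main__":
    print(simulate())
```

The incident rule's criteria exclude the bait cards themselves, so the event that stores an address never also declares an incident. With the 24-hour timeout, the legitimate usage on the second morning is ignored because the entry from the previous day has expired, and it takes another bait usage to store the address again; with a timeout of 0 that second-morning usage is a third incident. Pick the timeout to match how long you expect the bait address to stay attributable to the same actor.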


Enabling and disabling rules

By enabling or disabling rules in the Rules view of the Information Manager console, you can temporarily filter certain network events. You can also change the way the Correlation Manager declares incidents.

See “About correlation rules” on page 87.

Note: In some cases, such as when the server is under a heavy event load, disabling or deleting a rule may not take effect immediately.

To enable or disable a rule

1 From the Information Manager console, click Rules.

2 In the left navigation pane, check or uncheck the box next to a rule.

A check mark against the rule indicates that the rule is selected to be enabled.

3 In the top toolbar, click Deploy.

Working with the Lookup Tables window

You can view and update the lookup table information from the Rules view. List entries change over time due to updates from Symantec DeepSight Threat Management System and LiveUpdate. You can also create user-defined lookup tables under the User Lookup Tables folder.

See “About correlation rules” on page 87.

The Lookup Tables provide a set of configurable tables that let you extend the functioning of rules. To ensure that some correlation rules function properly, you must populate the Lookup Tables with the information that is applicable to your network and resources. Key settings include the email domains that apply to your network, files to be monitored, and users to be monitored. If required, additional user tables can be added based on your specifications.

Table 5-8 lists the Lookup Tables and the types of information that they contain.

Table 5-8 Lookup Tables

Category: Description

Administrative Users: List of users who can perform administrative activities.

Authorized Ports Inbound: List of authorized ports through which incoming traffic is allowed as per the policies.

Authorized Ports Outbound: List of authorized ports through which outgoing traffic is allowed as per the policies.

Critical Servers: Lists the IP addresses of the servers that are critical from a business perspective.

default usernames: List of authorized users.

ip watchlist: Lists the IP addresses of known attackers. An incident is created if an event is detected from one of these IP addresses. The IP Watch List table is a configurable table that is available for manually tracking known bad IP addresses. DeepSight and LiveUpdate updates maintain a separate internal IP Watch List, which contains IP addresses known to be malicious in the larger Internet environment.

IP Whitelist Table: Lists the whitelisted IP addresses. These IP addresses and domain names are reputable and can be trusted. You can add your trusted domain names and IP addresses to the list.

Monitored Logging Devices: Lists the logging devices that must be monitored for an idle state after a specific time span.

Organization Domains: Provides a table in which you describe the organizational domains that are monitored.

P2P Programs: Lists the P2P programs.

Potential Policy Violation IPs: Lists the IP addresses of the hosts that can potentially violate the policy.

RapidResponseMonitoredAddressTraffic: Lists the known bad IP addresses with which your sensitive data could communicate.

sensitive files: Lists the file names to monitor during FTP transfers.

sensitive urls: Lists the text strings that are often included in malicious URLs.

services: Lists the services that are associated with each port number.

trojans: Lists known Trojan horse exploits.

user watchlist: Provides a table in which you can list users and the user names that formerly had access to the network.

Weekdays: Lists the days of the week to allow further refinement of queries based on the day or days associated with an event.

Weekend: Lists the days of the weekend to allow further refinement of queries based on the day or days associated with an event.

windows events: Lists the Windows events that may indicate violations of security policies or other malicious activities.

To add an entry to the Organization Domains watchlist

1 On the Information Manager console, click Rules.

2 In the left navigation pane, expand the Lookup Tables folder.

3 Expand the System Lookup Tables folder.

4 Click Organization Domains.

5 Click New Record (+).

6 In the spaces provided, type a name and description.

7 Click Deploy to Server.

8 In the Deployed Modified Items dialog box, enter a comment which describes the addition of the entry and then click OK to deploy the change.

To add an entry to the IP watchlist

1 On the Information Manager console, click Rules.

2 In the left navigation pane, expand the Lookup Tables folder.

3 Expand the System Lookup Tables folder.

4 Click ip watchlist (if it is not selected).

5 Click New Record (+).

6 In the spaces provided, type the desired IP address and description.


7 Click Deploy to Server.

8 In the Deployed Modified Items dialog box, enter a comment which describes the addition of the entry and then click OK to deploy the change.

To add an entry to the sensitive files list

1 On the Information Manager console, click Rules.

2 In the left navigation pane, expand the Lookup Tables folder.

3 Expand the System Lookup Tables folder.

4 Click sensitive files.

5 Click New Record (+).

6 In the space that is provided, type the name of the file.

7 Click Deploy to Server.

8 In the Deployed Modified Items dialog box, enter a comment which describes the addition of the entry and then click OK to deploy the change.

To add an entry to the sensitive urls list

1 On the Information Manager console, click Rules.

2 In the left navigation pane, expand the Lookup Tables folder.

3 Expand the System Lookup Tables folder.

4 Click sensitive urls.

5 Click New Record (+).

6 In the URL Substring column, type the URL.

7 In the Attack Type column, type the kind of attack that is associated withthis URL.

8 Click Deploy to Server.

9 In the Deployed Modified Items dialog box, enter a comment which describes the addition of the entry and then click OK to deploy the change.

To add an entry to the services list

1 On the Information Manager console, click Rules.

2 In the left navigation pane, expand the Lookup Tables folder.

3 Expand the System Lookup Tables folder.

4 Click services.

5 Click New Record (+).

6 In the Service column, type a description.


7 In the Port column, type the port number to add.

8 Click Deploy to Server.

9 In the Deployed Modified Items dialog box, enter a comment which describes the addition of the entry and then click OK to deploy the change.

To add an entry to the Trojan horses list

1 On the Information Manager console, click Rules.

2 In the left navigation pane, expand the Lookup Tables folder.

3 Expand the System Lookup Tables folder.

4 Click trojans.

5 Click New Record (+).

6 In the Port column, type the port number that is associated with the attack.

7 In the Protocol column, type the network protocol (such as TCP or UDP) thatis associated with the attack.

8 In the Trojan Name(s) column, type the name of the Trojan horse.

9 Click Deploy to Server.

10 In the Deployed Modified Items dialog box, enter a comment which describes the addition of the entry and then click OK to deploy the change.

To add an entry to the user watchlist

1 On the Information Manager console, click Rules.

2 In the left navigation pane, expand the Lookup Tables folder.

3 Expand the System Lookup Tables folder.

4 Click user watchlist.

5 Click New Record (+).

6 In the spaces provided, type the user name, name, and departure date of theemployee or account to add.

7 Click Deploy to Server.

8 In the Deployed Modified Items dialog box, enter a comment which describes the addition of the entry and then click OK to deploy the change.

To add an entry to the Windows Events list

1 On the Information Manager console, click Rules.

2 In the left navigation pane, expand the Lookup Tables folder.

3 Expand the System Lookup Tables folder.


4 Click windows events.

5 Click New Record (+).

6 In the ID column, type the desired Microsoft Windows event type.

7 In the Category column, type the kind of activity that is associated with theevent.

8 In the Description column, type a description for this kind of event.

9 Click Deploy to Server.

10 In the Deployed Modified Items dialog box, enter a comment which describes the addition of the entry and then click OK to deploy the change.

To delete an entry from the Lookup Tables

1 On the Information Manager console, click Rules.

2 In the left navigation pane, expand the Lookup Tables folder.

3 Expand the System Lookup Tables folder.

4 Click the table with the entry to be deleted and select the entry.

5 Click Delete Records.

6 Click Yes to confirm the deletion.

7 Click Deploy to Server.

8 In the Deployed Modified Items dialog box, enter a comment which describes the deletion of the entry.

9 Click OK to deploy the change.

Creating a user-defined Lookup Table

To create a user-defined lookup table, you first define the columns in the table, and then you add the data.

See “Working with the Lookup Tables window” on page 115.

To create a user-defined lookup table

1 On the Information Manager console, click Rules.

2 In the left navigation pane, expand the User Lookup Tables folder.

3 Click Create new filter or rule (+).

4 In the Input dialog that appears, type the name of the table you want to create, and click OK. The name of the table must not match the name of an existing table or rule.


5 On the Content tab, click Add Records (+). Enter the Name, Type, and Description values for a column that you want to use in your table.

You can select any of the following types of values for a record in a column:

■ Float

■ IP Mask

■ Date

■ String

■ IP address

■ Integer

6 For each additional column, repeat step 5.

7 After creating the columns, select the Key option button corresponding to the column that forms the primary column in the table.

8 Click Done.

9 To add data to the table that you have created, do one of the following:

■ Click Add Records and enter the information in the available fields.

■ Click Import Records. After you choose the file that you want to import, a wizard guides you through the steps to map the data that is stored in the file to the columns that you have added in the Lookup Table.

10 When you are finished, click Deploy.

11 In the Deploy Modified Items dialog box, choose the items that you want to deploy. You can enter an optional comment in the available field.

12 Click OK.

Importing Lookup Tables and records

You can import a previously exported Information Manager Lookup Table from a file. Alternatively, you can import the records that are stored in comma-separated or tab-separated format into an existing Lookup Table.

See “Working with the Lookup Tables window” on page 115.

Note: When you import records into an existing Lookup Table, you can import a maximum of 1024 entries.


To import an exported Lookup Table

1 On the Information Manager console, click Rules.

2 In the left navigation pane, click the User Lookup Tables folder.

3 Click Import from Disk.

4 In the Select File(s) to Import dialog, choose the file, and click Import.

To import records into an existing Lookup Table

1 On the Information Manager console, click Rules.

2 In the left navigation pane, expand the User Lookup Tables folder.

3 In the table into which you want to import records, on the Content tab, click Import Records.

4 In the Open dialog box, choose the file that contains the data to be imported, and click Open.

5 In the Import Lookup Table Records wizard, choose the delimiter that is used in the file, and the appropriate options. The preview pane displays a representation of your choices.

6 Click Next.

7 In the next pane, use the Field Options area to specify how the data in the file maps to the columns in the Lookup Table. Click Next.

8 In the next pane, click Start.

9 When the import process is finished, click Finish.
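Before importing records into a user-defined table, it pays to validate the file against the column types you defined on the Content tab, the key column, and the 1024-record limit, because the wizard's preview shows only a representation of the mapping. This added example does that for a comma- or tab-separated file. It is not Symantec code and not the product's import wizard: the column definitions, the field mapping, the file contents and the date format are constructed, and the behaviour on a duplicate key (reject the later row) is an assumption.

```python
"""Added example, not Symantec code: validating a delimited record file before
importing it into a user-defined lookup table. The six column types are the
ones the page lists; MAX_RECORDS is the stated import limit. Column names,
field mapping, file contents and the date format are constructed."""
import csv
import io
import ipaddress
from datetime import datetime

MAX_RECORDS = 1024


def parse_value(value, col_type):
    """Convert one field to the Python type for a lookup table column type."""
    v = value.strip()
    if col_type == "String":
        return v
    if col_type == "Integer":
        return int(v)
    if col_type == "Float":
        return float(v)
    if col_type == "Date":
        return datetime.strptime(v, "%Y-%m-%d")          # assumed file date format
    if col_type == "IP address":
        return ipaddress.ip_address(v)
    if col_type == "IP Mask":
        return ipaddress.ip_network(v, strict=False)
    raise ValueError(f"unknown column type {col_type!r}")


def import_records(text, columns, key, field_map, delimiter=",", skip_header=True):
    """columns: (name, type) pairs as defined on the Content tab; key: the
    column chosen with the Key option button; field_map: table column name for
    each file column in order (None skips a file column).
    Returns (accepted rows, [(line number, reason) for rejected lines])."""
    types = dict(columns)
    rows, errors, seen = [], [], set()
    reader = csv.reader(io.StringIO(text), delimiter=delimiter)
    for lineno, fields in enumerate(reader, 1):
        if (skip_header and lineno == 1) or not fields:
            continue
        if len(rows) >= MAX_RECORDS:
            errors.append((lineno, f"import limit of {MAX_RECORDS} records reached"))
            break
        if len(fields) != len(field_map):
            errors.append((lineno, f"expected {len(field_map)} fields, got {len(fields)}"))
            continue
        try:
            row = {col: parse_value(val, types[col])
                   for col, val in zip(field_map, fields) if col is not None}
        except ValueError as exc:                 # bad integer, date, address, ...
            errors.append((lineno, str(exc)))
            continue
        if row[key] in seen:                      # key column must be unique (assumed)
            errors.append((lineno, f"duplicate key {row[key]}"))
            continue
        seen.add(row[key])
        rows.append(row)
    return rows, errors


COLUMNS = [("name", "String"), ("address", "IP address"),
           ("added", "Date"), ("weight", "Integer")]
FIELD_MAP = ["name", "address", "added", "weight"]

SAMPLE_CSV = """name,address,added,weight
web01,10.1.1.10,2011-01-05,3
db01,10.1.1.20,2011-01-06,5
db01-old,10.1.1.20,2011-02-01,1
bad-host,10.1.1.999,2011-01-07,2
vpn,10.1.2.1,2011/01/08,4
short,10.1.3.1
"""


def import_sample():
    """Validate the constructed file above; two rows pass, four are rejected."""
    return import_records(SAMPLE_CSV, COLUMNS, key="address", field_map=FIELD_MAP)


if __name__ == "__main__":
    rows, errors = import_sample()
    print(len(rows), "accepted;", errors)
```

Run the check, fix or drop the rejected lines, and only then import the file through the wizard, so that the table you deploy is the one you reviewed rather than whatever the wizard silently mapped or truncated.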


Section 3: Getting started with the Information Manager

■ Chapter 6. Configuring the Console

■ Chapter 7. Managing roles and permissions

■ Chapter 8. Managing users and user groups

■ Chapter 9. Managing organizational units and computers


Chapter 6: Configuring the Console

This chapter includes the following topics:

■ About configuring Information Manager

■ Identifying critical systems

■ Adding a policy

■ Specifying networks

■ About customizations for a Service Provider Master console

About configuring Information Manager

For the correlation rules to function properly, it is essential that you specify the information that is used to determine incident severity. Key settings include specifying the systems that host critical or sensitive information and the systems that require high availability. You can also specify the networks that exist in your organization so that you can increase the priority of incidents based on the affected network. For example, the incidents that affect the networks that reside within your firewall can be assigned a higher priority than those that reside outside the firewall.

See “Identifying critical systems” on page 126.

You can specify the policies that are used within your network. Symantec Security Information Manager includes default policies. You can also add custom policies. Once you have defined the available policies, you can associate them with network computers when you add entries to the Assets list.

See “Adding a policy” on page 127.

See “Specifying networks” on page 128.


You should also create your list of response teams so that Information Manager can automatically assign incidents to these teams based on the rules settings. You use the Information Manager console to create the teams. However, the list of members that you can assign to those teams is maintained on the System view.

Another key factor that lets you determine incident severity and the functioning of rules is the information that is stored in the knowledge base. The Global Intelligence Network Integration Manager provides some of this information. You can configure some settings. For example, you can add entries to the IP watchlist.

See “About customizations for a Service Provider Master console” on page 129.

Note: When you add a new policy or service to the Policies or Services lists, the new entries appear in the Event Criteria on the Rules view after you restart the console for the Information Manager.

Identifying critical systems

For the correlation rules to function properly, you must specify the information that is used to determine incident severity. Key settings include specifying the systems that host critical or sensitive information and the systems that require high availability.

See “About configuring Information Manager” on page 125.

Complete the following steps to identify critical systems in your organization.

To identify critical systems

1 In the console of the Information Manager client, click Assets.

2 On the toolbar, click + (the plus icon).

3 In the Asset Editor dialog box, in the IP Address box, type the IP address of the system.

4 Fill in the following optional information, if you want:

■ In the Host Name box, type the host name of the system.

■ In the MAC Address box, type the MAC address of the system.

■ In the DN box, type the Distinguished Name of the system.

■ In the Description box, type a description of the system.


5 (Optional) In the Asset Priority area, select values for Confidentiality, Integrity, and Availability as follows:

Confidentiality: Value range 1–5, where level 5 means that the computer hosts content that must be maintained with the highest level of confidentiality.

Integrity: Value range 1–5, where level 5 means that the computer hosts content that must be maintained with the highest level of integrity.

Availability: Value range 1–5, where level 5 means that the computer hosts applications and content that must always be available for your business.

6 (Optional) In the Additional Information area, provide the following information:

■ The name of the organization that uses this system

■ The physical location of the system

■ The name of the operating system that is running on the system

■ The version of the OS that is running on the system

■ The owner of the system

■ External ID information if used

7 Select Lock for Auto Update if you do not want the Assets list entry for this host to be overwritten when new information is imported from a vulnerability scanner.

8 Click the Save Asset icon.

Adding a policy

You can add a policy against which you want to check compliance.

See “About configuring Information Manager” on page 125.

You can add a policy from the Assets view. The policy is added for the specific asset that you select from the Assets view.

To add a policy from the Assets view

1 In the console of the Information Manager client, click Assets.

2 Select an asset to which you want to add the policy.


3 Double-click the asset or go to the details pane in the Assets view.

4 In the Asset Details dialog box, under the Policies tab, click the (+) plus icon.

5 Select a policy and click OK.

You can add an entirely new policy from the System view.

To add a new policy from the System view

1 In the Information Manager console, click System.

2 On the Administration tab, click Policies.

3 On the toolbar, click + (the plus icon).

4 Type a name and description in the spaces that are provided.

5 Click OK.

Specifying networks

You can specify the networks that exist in your organization to be associated with the Information Manager server.

See “About configuring Information Manager” on page 125.

To specify a network

1 In the Information Manager console, click System.

2 On the Administration tab, click Networks.

3 On the toolbar, click + (the plus icon).

4 In the Create New Network dialog box, type a name for the network in the Name box.

5 In the Netmask box, type the subnet IP address and subnet mask for the network.

6 (Optional) In the Physical Location box, type the location of the network.

7 (Optional) From the Time Zone list, select a time zone to specify the time zone in which this network is situated. You can also type the time zone details in the GMT +/- HH:MM format. When the time zone is specified, the time information from where an event has originated can be tracked.

8 (Optional) In the Logical Location box, type the logical location or select the logical location of the network.

9 (Optional) In the Description box, type a description of the network.


10 Check Auto-Updateable if you want the new entry to be overwritten when new network information is imported from a vulnerability scanner.

11 Click OK.
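The two procedures above (identifying critical systems, and specifying networks) define data that the correlation rules later consult: an asset's Confidentiality, Integrity and Availability values in the range 1–5, a network's subnet and time zone, and the two flags that decide whether a vulnerability-scanner import may overwrite an entry (Lock for Auto Update on an asset, Auto-Updateable on a network). The following Python model is an added example, not Symantec's code; the class names, field names and sample data are assumptions made for illustration. It validates the same inputs the console asks for, resolves an event's source IP to the most specific configured network, and applies a scanner import while honouring the lock flag.

```python
# Added example, not Symantec's code: a Python model of the Assets list and
# Networks list that this chapter configures, showing how the Lock for Auto
# Update / Auto-Updateable flags and network membership behave. Class names,
# field names and the sample data are assumptions made for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import re
from typing import Optional

PRIORITY_RANGE = range(1, 6)  # Confidentiality, Integrity, Availability: 1 (low) to 5 (high)
# Time zone as the console accepts it: "GMT +/- HH:MM" (space optional)
TZ_RE = re.compile(r"^GMT ?([+-])(\d{2}):(\d{2})$")


@dataclass(frozen=True)
class Asset:
    ip: str
    host_name: str = ""
    confidentiality: int = 1
    integrity: int = 1
    availability: int = 1
    lock_for_auto_update: bool = False  # step 7: keep this entry out of scanner imports

    def __post_init__(self):
        ip_address(self.ip)  # raises ValueError for a malformed address
        for name in ("confidentiality", "integrity", "availability"):
            if getattr(self, name) not in PRIORITY_RANGE:
                raise ValueError(f"{name} must be 1-5, got {getattr(self, name)}")


@dataclass(frozen=True)
class Network:
    name: str
    netmask: str                   # step 5: subnet address and mask, e.g. "10.20.0.0/16"
    time_zone: str = ""            # step 7: "GMT-05:00" or "GMT +05:30"
    auto_updateable: bool = False  # step 10: scanner imports may overwrite this entry

    def __post_init__(self):
        ip_network(self.netmask, strict=False)  # raises ValueError if not a subnet
        if self.time_zone and not TZ_RE.match(self.time_zone):
            raise ValueError(f"time zone must be GMT +/- HH:MM, got {self.time_zone!r}")

    @property
    def cidr(self):
        return ip_network(self.netmask, strict=False)

    def utc_offset_minutes(self) -> Optional[int]:
        """Offset from GMT in minutes, used to place an event's origin time."""
        m = TZ_RE.match(self.time_zone)
        if not m:
            return None
        sign, hh, mm = m.groups()
        minutes = int(hh) * 60 + int(mm)
        return minutes if sign == "+" else -minutes


def network_for(ip: str, networks) -> Optional[Network]:
    """Most specific (longest prefix) configured network that contains ip,
    so an event from a nested VLAN is attributed to the VLAN, not the parent."""
    addr = ip_address(ip)
    matches = [n for n in networks if n.cidr.version == addr.version and addr in n.cidr]
    return max(matches, key=lambda n: n.cidr.prefixlen, default=None)


def merge_scanner_import(assets: dict, scanned: dict) -> dict:
    """Apply a vulnerability-scanner import to the Assets list (keyed by IP).
    Entries with Lock for Auto Update keep their hand-entered values;
    everything else is overwritten or added."""
    merged = dict(assets)
    for ip, new_asset in scanned.items():
        current = merged.get(ip)
        if current is not None and current.lock_for_auto_update:
            continue
        merged[ip] = new_asset
    return merged


# Constructed sample configuration.
NETWORKS = [
    Network("Corporate LAN", "10.0.0.0/8", "GMT-05:00"),
    Network("Finance VLAN", "10.20.0.0/16", "GMT-05:00"),
    Network("DMZ", "192.0.2.0/24"),
]
ASSETS = {
    "10.20.1.15": Asset("10.20.1.15", "fin-db01", 5, 5, 4, lock_for_auto_update=True),
    "192.0.2.10": Asset("192.0.2.10", "www01", 2, 3, 5),
}
```

With this configuration, `network_for("10.20.1.15", NETWORKS)` resolves to the Finance VLAN rather than the enclosing Corporate LAN, and a scanner import that reports the locked database server with priority 1 leaves the hand-entered 5/5/4 values in place while still updating the unlocked web server.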

About customizations for a Service Provider Master console

Customizations to the Incidents view include the following:

■ Contacts, Tickets, and Remediation tabs are available from within the incident details. The Contacts tab is not available for clients having the same domain as the Service Provider Master.

■ Incident details are displayed in a separate Information Manager console window.

See “About configuring Information Manager” on page 125.


Chapter 7: Managing roles and permissions

This chapter includes the following topics:

■ About managing roles

■ About working with permissions

About managing roles

A role is a group of access rights for a product. Users who are members of a role have access to the event viewing and management capabilities that are defined for that role. A user can be a member of more than one role.

See “About planning for role creation” on page 133.

You create new roles in the Symantec Security Information Manager console. When you click Roles on the System view of the console, you can perform the following tasks:

■ Create a role. See “Creating a role” on page 134.

■ Edit role properties. See “Editing role properties” on page 140.

■ Delete a role. See “Deleting a role” on page 149.

Note: Only members of the SES Administrator role and the Domain Administrator role can add or modify roles.

See “About the administrator roles” on page 132.


About the administrator roles

When you install the Information Manager, the following default administrator roles are created:

SES Administrator: This role has full authority over all of the domains in the environment.

Domain Administrator: This role has full authority over one specific domain in the environment.

If you have only one domain, the rights of the SES Administrator role and the Domain Administrator role are the same. If you have multiple domains (for example, one for each geographic region of your company), each domain has a Domain Administrator. Members of this role can perform functions such as creating users and additional roles within that domain. The SES Administrator role can perform these functions for all of the domains that you configure.

The default user, administrator, is also created when Information Manager is installed. The administrator is automatically a member of the SES Administrator and Domain Administrator roles. To access Information Manager for the first time, you must log on as this default user. The password for the administrator user account is specified at the time of installation.

You can add users to the administrator roles, but you cannot change any other characteristics of these roles. If a user is a member of the SES Administrator role, that user should not be assigned to any other roles.

See “Editing role properties” on page 140.

About the default roles in the Information Manager server

The Information Manager server has the following predefined roles by default:

■ SES Administrator
This role grants ownership to the entire Symantec Enterprise Security directory tree. Top-level administrators use this role.

■ Domain Administrator
This role grants ownership to a Symantec Enterprise Security domain and its subdomains. Domain administrators use this role.

■ External Users Role
This role grants base access permissions for the users that are imported from an external LDAP server. You can integrate Active Directory with the Information Manager server and add the Active Directory users. After Active Directory synchronizes with Information Manager, the Active Directory users can access the Information Manager server. Members of the External Users role do not have any automatic Information Manager privileges. Only Active Directory users use this role, for pass-through authentication. A user must be assigned another Information Manager role to log on to the Information Manager server.

See “About managing roles” on page 131.

About planning for role creation

Roles control user access; therefore, before you create roles you should plan carefully. You need to identify the tasks that are done in your security environment, and who performs them. The tasks determine the type of roles that you must create. The users who perform these tasks determine which users should be members of each role.

See “About managing roles” on page 131.

Consider the following issues:

■ Who allocates responsibilities within your security environment?

If these users need to create roles, they must be members of the Domain Administrator role.

■ Who administers your security network by creating management objects such as users and organizational units?

These users must be members of the roles that provide management access and the ability to access the System view.

■ Which products are installed, and who is responsible for configuring them?

These users must be members of management roles for the products for which they are responsible. They may need access to the System view only.

■ Who is responsible for monitoring events and incidents?

These users must be members of event viewing roles for the products for which they are responsible. Users who monitor events must have access to the Events view. Users who monitor incidents must have access to the Events view and the Incidents view.

■ Who responds to problems and threats?

These users must have access to the Events view and the Incidents view. Users who create and manage help desk tickets must also have access to the Tickets view.


Table 7-1 lists the common roles in a security environment and the responsibilities that belong to each role.

Table 7-1 Typical roles and responsibilities

Domain Administrator: Defines the user roles and role authority.

System Administrator: Manages Information Manager. Verifies that events flow into the system and that the system functions normally.

User Administrator:
■ Creates the correlation rules and collection filters.
■ Performs the user and the device administration.

Incident Manager: Views all incidents, events, reports, and actions.

Report Writer:
■ Views the incidents, events, and reports for assigned devices.
■ Reviews and validates incident response.
■ Provides the affirmation of incident review and response by administrators to GAO and others.

Report User: Views the events and reports for assigned devices.

Rule Editor: Creates, edits, and deploys rules.

Creating a role

You can create roles using the Role Wizard in the Information Manager console. Only a user who has either the Domain Administrator role or the SES Administrator role can create roles.

See “About planning for role creation” on page 133.

Note: If the Role members will have access to all archives option is selected, role members can access new archives automatically. If the Role members will have access to only the selected archives option is selected, role members cannot access new archives automatically.

To create a role

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Roles.

3 On the toolbar, click + (the plus icon).


4 In the first panel of the Role Wizard, click Next.

5 In the General panel, do the following, and click Next:

■ In the Role name text box, type a name for the role.

■ In the Description text box, type a description of the role (optional).

6 In the Products panel, do one of the following:

■ To give the role members access to all of the listed products, click Role members will have access to all products, and click Next.

■ To limit the role members' access to certain products, click Role members will have access to only the selected products and select the appropriate products. Then click Next. Symantec Security Information Manager is checked by default in the Product List.

7 In the SSIM Permissions panel, do one of the following:

■ To give role members all permissions that apply to Information Manager, click Enable all Permissions, and click Next.

■ To give role members a limited set of permissions, click Enable specific Permissions. From the permissions list, uncheck the permissions that you do not want to enable and click Next. You must check at least one permission.

8 In the Console Access Rights panel, do one of the following:

■ To give role members the ability to see all parts of the Information Manager console, click Role members will have all console access rights, and click Next.

■ To limit what role members can see when they display the console, click Role members will have only the selected console access rights. From the list, enable at least one of the console access rights, and click Next.

See “Modifying Information Manager console access rights” on page 139.

9 In the Organizational Units panel, do one of the following:

■ To give role members access to all organizational units, click Role members will have access to all organizational units, and click Next.

■ To give role members access to specific organizational units, click Role members will have access to only the selected organizational units. In the organizational unit tree, select at least one organizational unit to associate with this role, and click Next.


When you select an organizational unit that has additional organizational units, users of the role are given access to those additional organizational units also.

If you add an organizational unit to a role, the following users can see the events that are generated by the security products:

■ Users who are role members

■ Users who have event viewing access

These users can view only those events that are generated by the security products that are installed on the computers of that organizational unit.

Role members can see events only from computers in the organizational units that have been added to their roles.

10 In the Servers panel, do one of the following:

■ To give role members access to all of the Information Manager servers in your security environment, click Role members will have access to all servers, and click Next.

■ To limit role members' access to certain servers, click Role members will have access to only the selected servers. In the server tree, select at least one server to associate with this role, and click Next.

Members of the role can modify configurations on the selected servers. The role members can also view event archives that reside on the selected servers.

11 In the Members panel, do one of the following:

■ To add individual users to the role now, click Add Members. In the Find Users dialog box, add one or more users from the Available Users list to the Selected Users list and click OK. In the Members panel, click Next.

■ To add the users who are members of a specific user group, click Add Members From Groups. In the Find User Groups dialog box, add one or more user groups, and click OK. The users that are associated with the groups you selected are added to the Selected Users list. When you are finished, click Next.

■ To continue without adding users to the role, click Next.

You can add users to the role later by editing the role’s properties.

See “Adding a user to a role” on page 137.

You can also associate a role with a user by editing the user’s properties.

You can assign users to a role only if you have already created those users.

See “Creating a new user” on page 158.


12 In the Role Summary panel, review the information that you have specified, and click Finish.

The role properties that are created are shown in the list at the bottom of the panel. A green check mark next to a task indicates that it was successfully completed.

13 Click Close.

Editing role properties

After you create a role in Information Manager, you can modify it by editing its properties. For example, as you create new organizational units or users, you can add them to existing roles.

You can edit the properties of a role by selecting the role in the right pane. You can also edit the role properties from any dialog box that displays the role’s properties.

To edit role properties

1 On the System view, in the left pane of the Administration tab, navigate tothe relevant domain, and click Roles.

2 In the right pane, right-click the role to edit, and select Properties.

3 Use the Editing Role Properties dialog box to make changes to the role.

4 To save changes and close the dialog box, click OK.

See “Adding a user to a role” on page 137.

See “Modifying Information Manager console access rights ” on page 139.

See “Modifying product access rights” on page 140.

See “Modifying server access rights” on page 141.

See “Modifying access permissions in roles” on page 143.

Adding a user to a role

When a user logs on to Information Manager, the user’s role membership determines the user's access to the various products and event data.

You can assign a user to a role in the following ways:

■ Assign each user individually to one or more roles.

■ Assign users to groups, and assign user groups to roles.

When you assign a user group to a role, all of the users who are currently in the group are assigned to that role. However, if you later add more users to the user group, those users are not automatically added to the role. You must assign each user to the role individually.

Note: Before you assign users and user groups to roles, you must create users and user groups in the Directory.

See “Creating a new user” on page 158.

See “Creating a user group” on page 160.

To add a user to a role

1 On the System view, in the left pane of the Administration tab, navigate tothe relevant domain, and click Roles.

2 In the right pane, right-click the role to edit, and select Properties.

3 In the Editing Role Properties dialog box, in the left pane, click Members.

4 Click Add Members.

5 In the Find Users dialog box, in the list of available users, search for a user within a domain or a user group. You can also search for a user by entering the logon name, last name, or first name and then clicking Start Search. All of the users who meet the criteria you entered appear in the available users list.

Select a user name (or Ctrl + click multiple user names), and click Add.

The user name appears in the Selected users list.

6 To view or edit the properties of a user, click the user name, and clickProperties.

7 In the User Properties dialog box, view or make changes to the properties,and click OK.

8 In the Find Users dialog box, click OK.

9 In the Editing Role Properties dialog box, click OK.

To add a user group to a role

1 On the System view, in the left pane of the Administration tab, navigate tothe relevant domain, and click Roles.

2 In the right pane, right-click the role to edit, and select Properties.

3 In the Editing Role Properties dialog box, in the left pane, click Members.

4 Click Add Members From Groups.

5 In the Find User Groups dialog box, select the domain of the group from the drop-down list.


6 In the list of available user groups, click a user group name (or Ctrl + click multiple user group names), and click Add.

The user group name appears in the Selected user groups list.

7 To view or edit the properties of a user group, click the user group name, and click Properties.

8 In the User Group Properties dialog box, view or make changes to the properties, and click OK.

9 In the Find User Groups dialog box, click OK.

10 In the Editing Role Properties dialog box, click OK.

See “Editing role properties” on page 140.

Modifying Information Manager console access rights

Console access rights control the views that a role member can access when they log on to the Information Manager console.

You can modify the Console access rights that you assigned when you created the role. Based on the Console access rights, various views of the console are visible to the role members whenever they log on to Information Manager.

To modify console access rights

1 On the System view, in the left pane of the Administration tab, navigate tothe relevant domain, and click Roles.

2 In the right pane, right-click the role to edit, and select Properties.

3 In the left pane, click Console Access Rights.

4 Do one of the following:

■ To give members of the role the ability to see all components of the Information Manager console, click Role members will have all console access rights.

■ To limit what members of the role can see when they display the Information Manager console, click Role members will have only the selected console access rights. From the list that appears, enable or disable console access rights as you want. The following table describes the tiles (views in the Information Manager console) that are available to members:

Show Assets Tile: Displays the Assets view in the console.

Show Dashboard Tile: Displays the Dashboard view in the console.

Show Events Tile: Displays the Events view in the console.

Show Incidents Tile: Displays the Incidents view in the console.

Show Intelligence Tile: Displays the Intelligence view in the console.

Show Reports Tile: Displays the Reports view in the console.

Show Rules Tile: Displays the Rules view in the console.

Show Statistics Tile: Displays the Statistics view in the console.

Show System Tile: Displays the System view in the console.

Show Tickets Tile: Displays the Tickets view in the console.

See “Modifying access permissions in roles” on page 143 for the console access rights that the users who perform specific functions need.

5 Click OK.

See “Editing role properties” on page 140.

Modifying product access rights

The Products property lets you select and modify the products to which role members have access.

To modify product access rights

1 On the System view, in the left pane of the Administration tab, navigate tothe relevant domain, and click Roles.

2 In the right pane, right-click the role to edit, and select Properties.

3 In the left pane, click Products.

4 Do one of the following:


■ To give the role members access to all of the listed products, click Role members will have access to all products.

■ To limit the role members' access to specified products, click Role members will have access to only the selected products. Enable (check) or disable (uncheck) access to individual products in the list. Consider the tasks that role members perform as you select products from the list. See “Modifying access permissions in roles” on page 143 for the access requirements of typical enterprise security roles.

5 Click OK.

See “Editing role properties” on page 140.

Modifying server access rights

Use the Servers property to select the servers to which role members have access. The selections for this property determine the servers that the role members can see on the following console locations:

■ The Testing tab on the Rules view that can be used for testing a specific rule.

■ The servers and archives that are available for each query on the Events view.

■ The Server Configurations tab on the System view.

To modify server access rights

1 On the System view, in the left pane of the Administration tab, navigate tothe relevant domain, and click Roles.

2 In the right pane, right-click the role to edit, and select Properties.

3 In the left pane, click Servers.

4 Do one of the following:

■ To give role members access to all Information Manager servers in the network configuration, click Role members will have access to all servers.

■ To limit role members' access to certain servers, click Role members will have access to only the selected servers. In the server tree, select at least one server to associate with this role, and click OK.

See “Editing role properties” on page 140.

Modifying SIM permissions

Use the SIM Permissions property to enable or disable several types of Information Manager permissions that are assigned to a role.


See “About managing roles” on page 131.

To modify SIM permissions

1 On the System view, in the left pane of the Administration tab, navigate tothe relevant domain, and click Roles.

2 In the right pane, right-click the role to edit, and select Properties.

3 In the left pane click SIM Permissions.

4 Do one of the following:

■ To assign all Information Manager permissions to the role, click Enable all Permissions.

■ To limit the permissions that are assigned to the role, click Enable specific Permissions. Then click the check boxes as needed to enable or disable permissions for the role. Table 7-2 lists the permissions that the users who perform specific functions need.

5 Click OK.

About the Bypass Event RBAC option

When you create or modify a role, you can choose to enable the Bypass Event RBAC option. Bypass Event RBAC gives unrestricted access to all of the event archives to which the role has been granted access.

When a user with this role performs an event query, the query bypasses any additional permission settings based on Organizational Unit, Domain, or Product settings. The query returns a complete data set from the archives for which the user has been given access. Enabling Bypass Event RBAC improves query performance by reducing the set of permission criteria against which the query must be processed. Because it also removes the Organizational Unit, Domain, and Product restrictions, grant it only to roles that should see everything in those archives.

See “About managing roles” on page 131.

Enabling access to the Event Query Templates

The View Event Query Templates permission in a role controls the access to the Templates folder in the Events view. If this permission is enabled for a role, the user who is assigned the role can access the Event Query Templates.

For example, the Information Manager administrator creates two roles, IncidentAnalyst and EventAnalyst. The View Event Query Templates permission is disabled for the IncidentAnalyst role, and enabled for the EventAnalyst role. The IncidentAnalyst role is assigned to user A and the EventAnalyst role is assigned to user B. From the Events view, user A, who is assigned the IncidentAnalyst role, cannot view the Event Query Templates. User B, who is assigned the EventAnalyst role, can view the Event Query Templates and run the corresponding queries.

You can edit the existing roles to enable the View Event Query Templates permission.

To enable View Event Query Templates permission for existing roles

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Roles.

3 On the right panel, right-click the role that you want to edit and select Properties.

4 In the Editing Role Properties dialog box, select SIM Permissions.

5 Click Enable specific permissions.

6 From the permissions list, check View Event Query Templates.

7 Click Save and then click OK.

By default, this permission is enabled for new roles. While creating a role, you can disable the View Event Query Templates permission for a new role. Select the Enable specific permissions option from the SIM Permissions panel and then uncheck View Event Query Templates.

See “Creating a role” on page 134.

See “Role-based access to the Event Query Templates” on page 20.

Modifying access permissions in roles

Roles include the permissions that determine the types of access (for example, Read and Delete) for a role member. Based on these permissions, a role member can access various functions on the Information Manager console. Permissions are assigned to roles on various functions, and the users belonging to those roles can perform tasks accordingly.

You can change the access permissions for the following types of objects:

■ Container objects that were created when you installed Information Manager, such as organizational units.

■ The new objects that you create within the container objects.

When you view the properties of a role, you can view and modify the permissions by selecting tabs in the Editing Role Properties dialog box.

Warning: Permission modification is an advanced feature. You should customize permissions only if you have a clear understanding of how access control works.

See “About working with permissions” on page 149.

Table 7-2 describes the access requirements of typical enterprise security roles.

Table 7-2 Access requirements for roles

Role: SES Administrator and Domain Administrator
Products: All
Symantec Security Information Manager permissions: All
Console access: All
Access permissions: All
Note: You cannot modify access permissions of the SES Administrator and Domain Administrator roles.

Role: System Administrator
Products: Information Manager
Symantec Security Information Manager permissions:
■ Allow Asset Edits
■ Move Computers
Console access:
■ Show Dashboard Tile
■ Show Intelligence Tile
■ Show Statistics Tile
■ Show System Tile
Access permissions: Read and Search on Published / System Query groups

Role: User Administrator
Products: All
Symantec Security Information Manager permissions:
■ Allow Dashboard Auto Refresh
■ Move Computers
■ Allow Asset Edits
■ Manage Networks
■ Manage Policies
■ Manage Services
Console access:
■ Show Assets Tile
■ Show Dashboard Tile
■ Show Intelligence Tile
■ Show Rules Tile
■ Show System Tile
Access permissions:
■ Read and Search on Published / System Query groups
■ Read and Write on users and user groups
■ Read and Write on rules and roles

Role: Incident Manager
Products: Information Manager
Symantec Security Information Manager permissions:
■ Create Incidents
■ Write My Incidents
■ Write All Incidents
■ Change Assignee and Team on My Incidents
■ Change Assignee and Team on All Incidents
■ Change Assignee/Team to self or own team on unassigned incidents
■ Change Status My Incidents
■ Change Status All Incidents
■ Read My Incidents
■ Read All Incidents
■ Read Unassigned Incidents
■ Create new queries
■ Create new reports
■ Publish queries
■ Publish reports
■ Allow Dashboard Auto Refresh
■ Move Computers
■ Allow Asset Edits
■ Manage Networks
■ Manage Policies
■ Manage Services
Console access:
■ Show Assets Tile
■ Show Dashboard Tile
■ Show Events Tile
■ Show Incidents Tile
■ Show Intelligence Tile
■ Show Reports Tile
■ Show Tickets Tile
Access permissions: Read and Write on Published/System Query groups. In addition, Read and Write on Report groups based on the Symantec Security Information Manager permissions that are granted to the role.

Role: Report Writer
Products: Information Manager
Symantec Security Information Manager permissions:
■ Write My Incidents
■ Write All Incidents
■ Change Assignee and Team on My Incidents
■ Change Assignee and Team on All Incidents
■ Change Assignee/Team to self or own team on unassigned incidents
■ Change Status My Incidents
■ Change Status All Incidents
■ Read My Incidents
■ Read All Incidents
■ Read Unassigned Incidents
■ Create new queries
■ Create new reports
■ Publish queries
■ Publish reports
■ Allow Dashboard Auto Refresh
■ Move Computers
■ Allow Asset Edits
■ Manage Networks
■ Manage Policies
■ Manage Services
Console access:
■ Show Dashboard Tile
■ Show Events Tile
■ Show Incidents Tile
■ Show Intelligence Tile
■ Show Reports Tile
■ Show Tickets Tile
Access permissions:
■ Read and Write on Published / System Query groups
■ Read and Write on Report groups

Role: Report User
Products: Information Manager
Symantec Security Information Manager permissions:
■ Create new queries
■ Create new reports
■ Allow Dashboard Auto Refresh
Console access:
■ Show Dashboard Tile
■ Show Events Tile
■ Show Reports Tile
Access permissions:
■ Read and Search on Published / System Query groups
■ Read and Write on Report groups

Role: Rule Editor
Products: Information Manager
Symantec Security Information Manager permissions:
■ Create new queries
Console access:
■ Show Events Tile
■ Show Rules Tile
■ Show Statistics Tile
Access permissions:
■ Read and Write on Rules and Roles
■ Read and Search on Published / System Query groups
■ Read and Search on Report groups

Note: When a role’s access permissions to a Published Query Group or a System Query Group are changed, the role’s database permissions may be incorrectly modified. If a user cannot view queries on the Events view, it may be because the user’s role lacks the necessary database permissions. To correct this problem, do the following: Log on as a Domain Administrator or SES Administrator and open the Editing Role Properties dialog box for the user’s role. On the Data Stores tab, check the role’s database permissions. If the role does not have both Read and Search permissions, add the missing permissions.

See “To modify access permissions in roles” on page 147.

To modify access permissions in roles

1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.

2 In the right pane, right-click the role to edit, and select Properties.

3 In the Editing Role Properties dialog box, in the left pane, click the type of permissions to modify. For example, to change the role members' directory permissions, choose Directories.

4 When you finish setting permissions, click OK.

See “Editing role properties” on page 140.

Using examples of modifying permissions in roles

You can modify permissions for the following purposes, among others:

■ To hide a query group from members of a role.

When members of this role open the Query Chooser on the dashboard, they cannot see the restricted query group in the query tree.

■ To hide all users from members of a role.

When members of this role view the System view, they do not see users in the left pane.

■ To prevent role members from adding and deleting user groups.

Role members can view and modify user groups, but they cannot add and delete user groups.

See “About permissions” on page 150.

To hide a query group from members of a role

1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.

2 In the right pane, right-click the role to restrict, and select Properties.

3 In the left pane, click System Query Groups.

4 Click Add.

5 In the Find System Query Groups window, select Product Queries.Symantec Client Security, and click Add.

6 Click OK.

7 On the Product Queries.Symantec Client Security row, uncheck Read and Search.

8 Click OK.

Members of this role cannot view Symantec Client Security queries. If a role member selects System Queries > Product Queries in the Query Chooser on the dashboard, the role member cannot view Symantec Client Security in the tree.

To hide all users from members of a role

1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.

2 In the right pane, right-click the role to restrict, and select Properties.

3 In the left pane, click Users.

4 Under Default permissions for all users, uncheck all permission types (for example, Read and Add).

5 Click OK.

When role members click Users in the left pane of the System view, they see only their own details in the right pane. Other users are not listed.

To prevent role members from adding and deleting user groups

1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.

2 In the right pane, right-click the role to restrict, and select Properties.

3 In the left pane, click User Groups.

4 On the top line of permissions, check Read, Write, and Search. Make sure that Add and Delete are not checked.

5 Click OK.

Role members can view, search, and modify all user groups in the domain. They cannot create new user groups or delete user groups.

Deleting a role

You can delete roles when they are no longer in use.

Before you delete a role, you can view the properties of the role to ensure that none of your users requires it.

To delete a role

1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.

2 In the right pane, right-click the role to delete, and select Properties.

3 Review the role properties to make sure that no users require this role.

4 Click Cancel.

5 If you still want to delete the role, on the toolbar, click - (the minus symbol).

A message warns you that all members of the selected role would be removed. Then, although the user accounts are not deleted, the users no longer have access to the role.

6 In the confirmation dialog box, click Yes to delete the role.

See “About managing roles” on page 131.

About working with permissions

Permissions define the access that members of a role have to specific objects. Along with other role properties, permissions control what users can see and do when they log on to the Information Manager console.

As with roles, you can work with permissions only if you are a member of the SES Administrator or Domain Administrator role. The permissions of objects are defined initially when you create roles and when you create new objects. You can then modify the permissions to fine-tune your roles.

Warning: You should customize permissions only if you have a clear understanding of how access control works in the security (LDAP) directory.

See “About permissions” on page 150.

About permissions

Permissions are always associated with roles and are applied when a member of a role logs on to the console.

Table 7-3 shows the permissions that role members can have to view and work with objects.

Table 7-3 Object permissions

Read: Lets the role members see the attributes of objects. Read must be enabled for the other access permissions to work.

Write: Lets the role members modify objects.

Add: Lets the role members create a new child object within the selected container.

Delete: Lets the role members delete objects.

Search: Lets the role members search the database or the LDAP directory for objects. Search must be enabled for the other access permissions to work.

The following objects have permissions:

■ Container objects

Container objects are created when the Datastore (database) and Directory are installed. These objects contain all of the new objects that you create.

In the console, container objects appear in the left pane of the Administration tab on the System view.

Examples of the container objects that have permissions are users, user groups, roles, and organizational units.

■ Objects that you create within container objects

When you create new objects to represent your security environment, they are stored within the container objects.

On the System view, the objects that you create appear in the right pane when you select their container object in the left pane. For example, when you select Users in the left pane, the individual users that you have created within the Users container are displayed.

These created objects are sometimes known as child or leaf objects.

You must understand the relationship between the permissions of container objects and the permissions of the objects you create within these containers.

See “About the propagation of permissions” on page 151.

About the propagation of permissions

As you create new management objects, it is important to understand the relationship between the permissions of container objects and the permissions of the objects you create within these containers.

In most cases, the permissions of a container object propagate to all new objects that you create within the container. When you create new objects on a role-by-role basis, the current permissions of the container object are propagated to the new objects.

For example, in Role A, on the Users tab, you disable Write permission for the Users container. In Role B, you disable Delete permission for the Users container. When you create new users, members of Role A do not have Write permission, so they cannot modify the properties of the new users. Members of Role B do not have Delete permission, so they cannot delete the new users.

However, suppose a user is assigned to two roles, A and B, where Role A has Add access for users and Role B does not have Add access for users. In this case, the user who is assigned to both roles can add new users. Permissions of Role A take precedence over permissions of Role B.

Note: Most roles should have at least Read and Search permissions for all objects. These permissions allow role members to view information about the objects and perform searches for the objects. For example, if you enable Write access for a container object and disable Read access, the role members cannot modify the objects, because they cannot view the objects.

Propagation occurs only when you create new objects. For example, you may create several users and assign them to role A before you disable the Write permission in role A. These permissions are not disabled for the original users unless you disable them explicitly for the existing users of Role A.
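The rules in Table 7-3 and in this section can be checked with a small model. The following Python is an added example, not Information Manager code: it reproduces the Read-and-Search gate, propagation of container permissions to newly created objects only, and the outcome for a member of several roles, using constructed role, user and object names. Two readings are assumptions drawn from the text: "Role A takes precedence" is modelled as the most permissive result (a union), and an object without both Read and Search is modelled as yielding no effective permission at all.

```python
"""Executable model of the permission rules described in this chapter.
Added example with constructed names; it is not Information Manager code."""

from dataclasses import dataclass, field

PERMISSIONS = frozenset({"Read", "Write", "Add", "Delete", "Search"})
# Table 7-3: Read and Search must both be enabled for the other permissions to work.
GATE = frozenset({"Read", "Search"})


@dataclass
class Role:
    name: str
    # container name (for example "Users") -> permissions granted on that container
    container_perms: dict = field(default_factory=dict)
    # (container, created object name) -> permissions granted on that object
    object_perms: dict = field(default_factory=dict)


class Directory:
    """Minimal stand-in for the permission data held in the security (LDAP) directory."""

    def __init__(self):
        self.roles = {}        # role name -> Role
        self.memberships = {}  # user name -> set of role names

    def add_role(self, name, container_perms):
        self.roles[name] = Role(name, {c: set(p) for c, p in container_perms.items()})

    def assign(self, user, role_name):
        self.memberships.setdefault(user, set()).add(role_name)

    def set_container_perms(self, role_name, container, perms):
        """Changing container permissions affects objects created afterwards only;
        objects that already exist keep the permissions they received at creation."""
        self.roles[role_name].container_perms[container] = set(perms)

    def create_object(self, container, name):
        """Propagation: every role's *current* container permissions are copied
        onto the new object at the moment it is created."""
        for role in self.roles.values():
            role.object_perms[(container, name)] = set(role.container_perms.get(container, ()))

    def granted(self, user, container, obj):
        """Union of what the user's roles grant on the object. The guide says the
        role that grants a permission takes precedence over one that does not;
        assumption: that is the most permissive outcome in every case."""
        out = set()
        for role_name in self.memberships.get(user, ()):
            out |= self.roles[role_name].object_perms.get((container, obj), set())
        return out

    def effective(self, user, container, obj):
        """Apply the Table 7-3 gate: without both Read and Search nothing works
        (Write on an object the member cannot view is useless, as the note says)."""
        perms = self.granted(user, container, obj)
        return perms if GATE <= perms else set()

    def roles_missing_gate(self, container):
        """Audit helper: roles whose container permissions lack Read or Search,
        the condition behind 'users cannot see objects' support cases."""
        return sorted(r.name for r in self.roles.values()
                      if not GATE <= r.container_perms.get(container, set()))


def demo():
    """Builds the scenario from the chapter: Role A loses Write, Role B loses Delete,
    one user created before the change and one after."""
    d = Directory()
    d.add_role("RoleA", {"Users": PERMISSIONS})
    d.add_role("RoleB", {"Users": PERMISSIONS - {"Add"}})  # Role B has no Add access
    d.create_object("Users", "bob")                          # created before any change
    d.set_container_perms("RoleA", "Users", PERMISSIONS - {"Write"})
    d.set_container_perms("RoleB", "Users", PERMISSIONS - {"Add", "Delete"})
    d.create_object("Users", "carol")                        # created after the change
    d.assign("a-only", "RoleA")
    d.assign("b-only", "RoleB")
    d.assign("both", "RoleA")
    d.assign("both", "RoleB")
    return d


if __name__ == "__main__":
    d = demo()
    for user in ("a-only", "b-only", "both"):
        for obj in ("bob", "carol"):
            print(user, obj, sorted(d.effective(user, "Users", obj)))
```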

See “About permissions” on page 150.

Modifying permissions from the Permissions dialog box

You can use the following methods to modify permissions:

■ Edit the role using the Editing Role Properties dialog box.

Use this method to modify permissions for several objects within one role. See “Modifying access permissions in roles” on page 143.

You can edit the permissions of software products and their configurations through the Products tab on the Editing Role Properties dialog box.

■ Use the Permissions dialog box for a particular object.

Use this method to modify the permissions for a specific object.

Note: Some objects do not have permissions.

To modify permissions for a container object

1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain.

2 In the left pane, right-click the container object (for example, Users) and select Permissions.

In the Permissions dialog box, roles are listed if they have already been assigned to this object.

Some container objects do not have permissions.

3 Do any of the following:

■ To modify permissions for this object, check (enable) or uncheck (disable) the permissions corresponding to the listed roles, as needed.

You should not disable the Search permission.

■ To add a role to this object, click Add. In the Find Roles dialog box, select a role, then click Add, and click OK.

The role you added appears in the Permissions dialog box, where you can then enable or disable its permissions.

■ To remove a role, click the role name, and click Remove.

■ To edit a role’s properties, click the role name, and click Properties.

4 Click OK when you finish modifying permissions.

To modify permissions for a created object

1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain.

2 In the left pane, click the container that contains the created object. For example, click Users.

3 In the right pane, right-click the object whose permissions you want to modify, and select Permissions.

In the Permissions dialog box, roles are listed if they have already been assigned to this object.

Some created objects do not have permissions, such as Policies.

4 Do any of the following:

■ To modify permissions for this object, check (enable) or uncheck (disable) the permissions corresponding to the listed roles, as needed.

You should not disable the Search permission.

■ To add a role to this object, click Add. In the Find Roles dialog box, select a role, then click Add, and click OK.

The role you added appears in the Permissions dialog box, where you can then enable or disable its permissions.

■ To remove a role, click the role name, and click Remove.

■ To edit a role’s properties, click the role name, and click Properties.

5 Click OK when you finish modifying permissions.

Chapter 8 Managing users and user groups

This chapter includes the following topics:

■ About users and passwords

■ Customizing the password policy

■ Creating a new user

■ Creating a user group

■ About editing user properties

■ About modifying user permissions

■ Modifying a user group

■ Deleting a user or a user group

■ About integrating Active Directory with the Information Manager server

■ Managing Active Directory configurations

About users and passwords

The Symantec Security Information Manager server uses accounts from Linux and the IBM DB2 Service. Both types of accounts use the password that is specified during installation. The default password is password.

By default, the installation program creates the following Linux accounts:

root: Default Linux administrative account

simuser: Used by the Information Manager text console process

sesuser: Used by the HTTP and the Tomcat processes

db2admin: Used by the database process

dasusr1: Used for the DB2 Admin Tools database

symcmgmt: Used by the database process

Warning: For security, change the Linux passwords periodically, according to your company's security policy. The password for all Linux accounts must be changed using the Change Password option (available under Settings > Passwords) from the Web configuration interface. Do not change these account passwords or permissions by standard Linux commands, as it may result in errors with server operation. The password for the symcmgmt Linux account cannot be changed from the Web configuration interface. The password for a symcmgmt Linux account can be changed by using the standard Linux commands. This change in the password must be followed with an update in the Information Manager console under System > Administration > Data Stores.

Usually, you are not required to create new Linux accounts. However, you may want to create an account with limited permissions to a file share to allow a user or process to copy LDAP backups. Refer to your Linux documentation for information on how to create Linux accounts.

By default, the installation program also creates the administrator account in the IBM LDAP directory. This account is used for logging in to the Information Manager console and Information Manager Web configuration interface initially.

With the proper permissions, you can also create new LDAP directory accounts for users who use the Information Manager console and Web configuration interface. These accounts are for the administrators of your security products, contacts for notifications, or both. Users who are administrators are members of the roles that define their administrative permissions. All users who need access to the Information Manager console must be members of one or more roles. If a user tries to log on to the console using an account that is not a member of a role, an error message is displayed. Users who only receive notifications do not have to be members of a role.

See “Creating a new user” on page 158.

See “About editing user properties” on page 161.


See “About modifying user permissions” on page 168.

See “Deleting a user or a user group” on page 169.

See “Creating a user group” on page 160.

See “Modifying a user group” on page 168.

Customizing the password policy

The Information Manager includes the ability to enforce strong password requirements for all users. As an administrator, you can customize the password policy for Information Manager to match the password standards that apply to your environment. You must provide the LDAP cn=root password to change the password settings.

When the password policy changes, users whose existing passwords are non-compliant with the new policy are prompted to change their password at the next logon.

Note: When you enable the EAL4 password policy and a user locks their account the same day that they change it, you cannot reset the password for 24 hours. This behavior is a result of the value that is defined for the setting Minimum time between password changes (seconds). This setting is set at 24 hours in the EAL4 password policy. This behavior is expected due to the strict EAL4 password policy definition.

If you do not want to enable the EAL4 policy, you can choose the Custom password policy option, change the Minimum time between password changes (seconds) setting to a lower value, and save the configuration.

You can configure the password policy by using any of the following methods:

Default: The default settings that Information Manager uses.

EAL4: The settings that comply with Evaluation Assurance Level 4 (EAL4) standards.

Custom: User-defined settings.

Note: If you choose the Custom column but do not change any settings, clicking Save reverts to the policy that was previously enabled.

To change the Information Manager password policy

1 Log on to the Web configuration interface using administrator credentials, and click Settings > Password. In the tree pane, click Password Policy.

2 In the LDAP cn=root Password field, type the password, and click Enter Admin Mode.

3 In the User Password Settings and Administrator Password Settings tables, choose the type of password management you want to use. If you choose Custom, configure each option, and check Password policy enabled:.

4 Click Save.

5 Click Leave Admin Mode.

See “About users and passwords” on page 155.

Creating a new user

Use the Create a new User wizard to create a user. The wizard prompts you for the required information that the user needs to log on to Symantec Security Information Manager. It also lets you specify notification information, permissions, and other user properties.

You can provide all the information at the time that you create the user. Alternatively, you can provide only the required information and add more information later by editing the user’s properties.

See “About editing user properties” on page 161.

To create a new user

1 In the console of the Information Manager client, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Users.

3 On the toolbar, click + (the plus symbol) or right-click the Users node and select New.

4 In the first panel of the Create a new User wizard, click Next.

5 In the General panel, do the following:

Logon name: Type the logon name for the new user.

Last name: Type the user’s last name.

First name: Type the user’s first name.

The other fields on this panel are optional.

Click Next after you enter the details.

6 In the Password panel, type a password in the Password text box and type the same characters in the Confirm password box. Click Next.

The password that you choose must comply with the policy settings chosen by the administrator.

The password is case sensitive. Green check marks under Password rules indicate that your password meets the requirements.

7 (Optional) In the Business panel, specify business information for the user, and click Next.

See “Specifying user business and contact information” on page 162.

8 (Optional) In the Contact Information panel, specify contact information for the user, and click Next.

9 (Optional) In the Notifications panel, specify email addresses and pager numbers for the user, and times when those contacts can be used for notifications. Click Next.

See “Specifying notification information” on page 166.

10 In the Roles panel, you can assign the user to one or more roles that define the user’s permissions, and click Next. You can also assign or change a user's roles later.

A new user cannot log on unless a role is assigned to the user.

See “Managing role assignments and properties” on page 163.

You must create roles before you can assign users to roles.

See “Creating a role” on page 134.

11 In the User Groups panel, you can assign the user to one or more user groups, and click Next. You can also assign users to groups later.

See “Managing user group assignments” on page 164.

You must create user groups before you can assign users to groups. If no groups appear on the Find User Groups panel, you have not yet created any groups.

See “Creating a user group” on page 160.

12 In the UserSummary panel, review the information that you have specified,and click Finish.

The user properties that are created are shown in the task status list at thebottom of the panel. A green check mark next to a task indicates that it wassuccessfully completed.

13 Click Close.

Creating a user group

After you create users, you can assign them to groups. User groups are particularly useful when you have large numbers of users who need the same system roles. You can assign an entire user group to a role, and all of the users in the group inherit the rights and permissions that are assigned to that role. User groups also facilitate the auto-assignment of incidents by correlation rules.

The Create a new User Group wizard enables you to create user groups and add users to them. You can assign users at the time you create a group, or you can add users to the group later.

Note: If you create a user group and assign it to a role, the users who are currently in the group are assigned to that role. However, if you later add more users to the user group, those users are not automatically added to the role. You must assign each user to the role individually. Because of this, group membership and role membership drift apart over time; review the role's membership whenever you change a group that has been assigned to it.
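The following is an added example, not code from the Information Manager product or this guide. It audits the drift that the note above describes: it parses a constructed LDIF-style export of user groups and roles, and reports users who are in a group that was assigned to a role but who never received the role (added to the group after the assignment), as well as users who hold the role without being in any assigned group. The attribute names (member, roleOccupant), the ou=UserGroups and ou=Roles naming, and the group-to-role mapping are assumptions for the example, not the product's real directory schema.

```python
"""Audit user-group membership against role membership.

Added example, not code from the Symantec Security Information Manager
guide. Assigning a user group to a role copies the group's members into
the role once; users added to the group later do not pick up the role.
The LDIF-style sample below is constructed, and the attribute names
(member, roleOccupant) and the cn=/ou= naming are assumptions.
"""
import re

# Constructed sample export: two user groups and two roles. Membership is
# one "member:" (groups) or "roleOccupant:" (roles) line per user, the way
# groupOfNames / organizationalRole entries store it.
SAMPLE_LDIF = """\
dn: cn=Tier1 Analysts,ou=UserGroups,dc=usa,dc=SES
objectClass: groupOfNames
member: cn=alice,ou=Users,dc=usa,dc=SES
member: cn=bob,ou=Users,dc=usa,dc=SES
member: cn=carol,ou=Users,dc=usa,dc=SES

dn: cn=Incident Managers,ou=UserGroups,dc=usa,dc=SES
objectClass: groupOfNames
member: cn=dave,ou=Users,dc=usa,dc=SES

dn: cn=Event Viewer,ou=Roles,dc=usa,dc=SES
objectClass: organizationalRole
roleOccupant: cn=alice,ou=Users,dc=usa,dc=SES
roleOccupant: cn=bob,ou=Users,dc=usa,dc=SES
roleOccupant: cn=erin,ou=Users,dc=usa,dc=SES

dn: cn=Incident Admin,ou=Roles,dc=usa,dc=SES
objectClass: organizationalRole
roleOccupant: cn=dave,ou=Users,dc=usa,dc=SES
"""

# Which user group the administrator assigned to which role. The product
# does not record this link, so the administrator keeps it (assumption).
GROUP_TO_ROLE = {
    "cn=Tier1 Analysts,ou=UserGroups,dc=usa,dc=SES": "cn=Event Viewer,ou=Roles,dc=usa,dc=SES",
    "cn=Incident Managers,ou=UserGroups,dc=usa,dc=SES": "cn=Incident Admin,ou=Roles,dc=usa,dc=SES",
}


def parse_members(ldif_text, attr):
    """Return {entry DN: set of DNs listed under `attr`} for every entry
    in `ldif_text` that carries that attribute. Entries are separated by
    blank lines; each line is "attribute: value"."""
    entries = {}
    for block in re.split(r"\n\s*\n", ldif_text.strip()):
        dn = None
        members = set()
        for line in block.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key == "dn":
                dn = value
            elif key == attr:
                members.add(value)
        if dn is not None and members:
            entries[dn] = members
    return entries


def audit_group_roles(ldif_text, group_to_role):
    """Compare every assigned group against its role.

    Returns (missing, stale):
      missing - (user, role) pairs: user is in an assigned group but not in
                the role (joined the group after the assignment was made)
      stale   - (user, role) pairs: user holds the role but is in none of
                the groups assigned to it (individually assigned, or left
                the group without being removed from the role)
    """
    groups = parse_members(ldif_text, "member")
    roles = parse_members(ldif_text, "roleOccupant")
    expected = {}  # role DN -> union of members of every group assigned to it
    for group_dn, role_dn in group_to_role.items():
        expected.setdefault(role_dn, set()).update(groups.get(group_dn, set()))
    missing, stale = [], []
    for role_dn, should_have in expected.items():
        has = roles.get(role_dn, set())
        missing.extend((u, role_dn) for u in sorted(should_have - has))
        stale.extend((u, role_dn) for u in sorted(has - should_have))
    return missing, stale


if __name__ == "__main__":
    missing, stale = audit_group_roles(SAMPLE_LDIF, GROUP_TO_ROLE)
    for user, role in missing:
        print(f"ASSIGN  {user} -> {role}")
    for user, role in stale:
        print(f"REVIEW  {user} holds {role} outside any assigned group")
```

Run against a real export, the "ASSIGN" lines are the users to add to the role by hand, as the note requires; the "REVIEW" lines are worth a look because they are permissions that group management no longer explains.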

To create a user group

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and click User Groups.

3 On the toolbar, click + (the plus symbol).

4 In the first panel of the Create a new User Group wizard, click Next.

5 In the General panel, type a name and (optional) description for the user group, and click Next.

6 In the Members panel, click Add.

In the Find Users dialog box, the Available Users list shows all users for the domain, up to the number of users that the Maximum search count text box indicates.

7 Select one or more users from the Available Users list, and click Add.

The users appear in the Selected users list.

8 If you want to review information about a specific user, click the user name, and click Properties. You can view or change the user's properties, and click OK.

9 When you finish adding users to the group, click OK.

10 In the Members panel, click Next.

11 In the User Group Summary panel, click Finish.

Properties for the created user group are shown in the task status list at the bottom of the panel. A green check mark next to a task indicates that it was successfully completed.

12 Click Close.

See “Modifying a user group” on page 168.

About editing user properties

User properties are the attributes that can be set for a user when you create a new user or edit the user's properties. They include general information about the user, the change-password facility, and the roles that can be assigned to the user. They also include the user groups to which the user can be assigned, business and contact information about the user, and the contact methods and schedule for alert notifications. After you create a user, you can edit the user properties to perform the following tasks:

■ Change a user's password.
See “Changing a user’s password” on page 162.

■ Specify user business and contact information.
See “Specifying user business and contact information” on page 162.

■ Assign roles to a user.
See “Managing role assignments and properties” on page 163.

■ Assign the user to a user group.
See “Managing user group assignments” on page 164.

■ Specify contact methods and schedule for alert notifications.
See “Specifying notification information” on page 166.

Changing a user’s password

Passwords can be changed in the following ways:

■ Users can change their own passwords by using the Change Password option on the Tools menu in the Information Manager console.

■ Administrators can change a user’s password by editing the user’s properties.

To change a user’s password

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Users.

3 In the right pane, right-click the user whose password you want to change, and select Properties, or click the Properties icon on the toolbar.

4 In the User Properties dialog box, on the Password tab, in the Password text box, type a new password.

The password that you choose must comply with the policy settings that the administrator chooses.

5 In the Confirm password text box, type the password again to confirm it.

6 Click OK.

See “About editing user properties” on page 161.

Specifying user business and contact information

In the User Properties dialog box, the Business tab and the Contact Information tab let you supply detailed information about the user. You can specify this information when you create a user or by editing an existing user’s properties.

See “About editing user properties” on page 161.

To specify user business and contact information

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Users.

3 In the right pane, right-click the user whose information you want to change, and select Properties.

4 In the User Properties dialog box, on the Business tab, type the business information for the user.

5 To identify the user’s manager, click the browse button (...) next to the Manager text box to display the Find Users dialog box.

The manager must exist as a user in the LDAP directory.

6 In the Find Users dialog box, select the user who is the manager, and click OK.

The Available users list shows all users for the domain, up to the number of users that the Maximum search count text box indicates.

7 To identify the user’s administrative assistant, click the browse button (...) next to the Administrative assistant text box. In the Find Users dialog box, select the administrative assistant.

The administrative assistant must exist as a user in the LDAP directory.

8 On the Contact Information tab, type the contact information for the user.

9 Click OK.

Managing role assignments and properties

The roles that a user is assigned define the user’s permissions in the console.

Roles are product-specific and are created as one or both of the following:

■ Roles that allow the management of policies and configurations for a product.
Users who are members of these roles can change the security configurations of an integrated product and distribute them to specific computers and organizational units.

■ Roles that allow the viewing of the events that a product generates.
Users who are members of these roles can view alerts and events for a product, and create alerts and customized reports.

Note: You must be a member of the Domain Administrator role to make a user a member of a role. Also, the role must exist in the LDAP directory before you can add a user to the role.

See “Creating a role” on page 134.

To manage role assignments and properties

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Users.

3 In the right pane, right-click the user whose information you want to change, and select Properties.

4 In the User Properties dialog box, on the Roles tab, click Add.

5 In the Find Roles dialog box, from the Look in drop-down list, select the domain in which to find the role.

Users can have access to roles in multiple domains.

6 In the Available roles list, select one or more roles, and click Add.

The Find Roles dialog box displays a list of roles only if you are a member of the Domain Administrator role.

7 Click OK.

8 To remove a user from a role, click the role name and click Remove.

This action does not remove the role from the LDAP directory.

9 To view or edit the properties of a role, click the role name and click Properties.

10 (Optional) Use the Editing Role Properties dialog box to make changes to the role.

See “Editing role properties” on page 140.

11 Click OK until you return to the System view.

Managing user group assignments

You can modify the composition of a user group by adding users to the group and removing users from the group. You can also view and modify user group properties.

You can manage user group assignments in the following ways:

■ Manage one user's assignments by adding the user to, or removing the user from, one or more user groups.

■ Manage a single user group by adding or removing multiple users at one time.

See “About editing user properties” on page 161.

To manage a single user's user group assignments

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Users.

3 In the right pane, right-click the user whose user group assignment you want to manage, and select Properties.

4 In the User Properties dialog box, on the User Groups tab, click Add.

5 In the Find User Groups dialog box, from the Look in drop-down list, select the domain in which to find the user group.

6 In the Available user groups list, select one or more user groups, and click Add.

The user groups that you selected appear in the Selected user groups list.

7 Click OK.

8 To remove a user from a user group, click the user group name and click Remove.

This action does not remove the user group from the LDAP directory.

9 To view or edit the properties of a user group, click the user group name and click Properties.

10 (Optional) Use the User Group Properties dialog box to make changes to the user group. For example, you can add members to the group and remove users from the group.

11 Click OK until you return to the System view.

To manage multiple users' user group assignments

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and click User Groups.

3 In the right pane, right-click the user group whose membership you want to manage, and select Properties.

4 In the User Group Properties dialog box, on the Members tab, click Add.

5 In the Find Users dialog box, from the Look in drop-down list, select the domain in which to find the users.

6 In the Available users list, select one or more users, and click Add.

The users that you selected appear in the Selected users list.

7 Click OK.

8 To remove a user from a user group, click the user name and click Remove.

This action does not remove the user from the LDAP directory.

9 To view or edit the user's properties, click the user name and click Properties.

10 (Optional) Use the User Properties dialog box to make changes to the user.

11 Click OK until you return to the System view.

Specifying notification information

When you create custom correlation rules, you can identify users to notify when particular incidents or alerts occur.

See “Creating custom correlation rules” on page 100.

For each user, you can specify the email addresses and pager numbers that are used to send these notifications. You can also specify when the user is notified. For example, you can specify one email address to be used Monday through Friday from 8:00 A.M. to 5:00 P.M., and a pager to be used during off-hours.

You can specify the following:

■ Email addresses

■ Pager numbers

■ The day and the time ranges when the contact method can be used to send user notifications of alerts.

Note: The number of email addresses and pager numbers cannot exceed five for a single rule.

To specify a user’s email address

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Users.

3 In the right pane, right-click the user whose email address you want to change, and select Properties.

4 In the User Properties dialog box, on the Notifications tab, in the drop-down list, click Email.

5 Click Add.

6 In the Email dialog box, in the Email address text box, type an email address.

7 If the user receives email on a device with a small screen, such as a handheld device, check Send shortened email message.

This option sends an abbreviated email message that is easier to read.

8 Click OK.

9 (Optional) Specify notification times.

10 Do any of the following:

■ To add additional email addresses, repeat steps 5 through 9.

■ To edit an existing email address, click it and click Properties.

■ To remove an existing email address, click it and click Delete.

11 When you finish, click OK.

To specify a user’s pager number

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Users.

3 In the right pane, right-click the user whose pager number you want to change, and select Properties.

4 In the User Properties dialog box, on the Notifications tab, in the drop-down list, click Pager.

5 Click Add.

6 In the Pager dialog box, in the Number text box, type a pager number.

7 In the Notification service drop-down list, select the notification service to use.

If you do not see the service that you want to select, you can add it using the Paging Services node. This node is located in the left pane of the System view.

8 Click OK.

9 (Optional) Specify notification times.

10 Do any of the following:

■ To add more pager numbers, repeat steps 5 through 8.

■ To edit an existing pager number, click it and click Properties.

■ To remove an existing pager number, click it and click Delete.

11 Click OK.

To specify notification times

1 In the User Properties dialog box, on the Notifications tab, click an email address or pager number.

2 Using the Day controls, check the days when the contact method can be used to contact the user.

3 Using the From and To controls, specify the range of time when the contact method can be used.

4 Repeat these steps to establish notification times for other email addresses and pager numbers.

5 When you finish, click OK.

About modifying user permissions

When you create a role, the role is given permissions on each user. These permissions control whether members of the role who log on to the console can view, modify, or delete that user.

You can modify these permissions in the following ways:

■ By displaying and editing the roles that contain the permissions.
See “Modifying access permissions in roles” on page 143.

■ By displaying the Permissions dialog box for the User container object or an individual user.
See “Modifying permissions from the Permissions dialog box” on page 152.

Note: To modify permissions, you must be logged on as a member of the Domain Administrator role.

Modifying a user group

You can modify a user group by adding and removing members, and by changing the user group name and description. You can also modify individual group members' properties.

To modify a user group

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and then click User Groups.

3 In the right pane, right-click the user group to modify, and click Properties.

4 On the General tab, add or change the user group's name and description.

5 On the Members tab, you can do the following:

Add members
■ Click Add.
■ In the Find Users dialog box, select one or more users from the Available Users list, and click Add.
■ When you finish adding members, click OK.

Remove members
■ Select the member name, and click Remove.

Modify a member's properties
■ Select the member name, and click Properties.
■ In the User Properties dialog box, use the tabs to modify the properties of individual user group members.
■ When you finish modifying properties, click OK.

6 Click OK.

See “Creating a user group” on page 160.

Deleting a user or a user group

You can delete users who are no longer participants in your security network. You can also delete the user groups that are no longer needed.

See “Creating a new user” on page 158.

See “Creating a user group” on page 160.

To delete a user or a user group

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Users or User Groups.

3 In the right pane, right-click the user or the user group to delete, and click Delete.

4 In the confirmation dialog box, click Yes.

About integrating Active Directory with the Information Manager server

The Active Directory Integration feature on the Web configuration interface of Information Manager lets you synchronize the Information Manager server with an Active Directory server. This integration enables Active Directory users to access the Information Manager server. You can create and add more than one Active Directory configuration to the Information Manager server. You can set the synchronization schedule for each configuration as required so that the users are periodically refreshed with each synchronization cycle.

The synchronized Active Directory users can log on to the Information Manager server through the console as well as the Web configuration interface. Members of the External Users role do not have any Information Manager privileges. This role is used only by Active Directory users for pass-through authentication. The Active Directory user must be assigned another Information Manager role to log on to the Information Manager server.

See “Managing Active Directory configurations” on page 170.

Managing Active Directory configurations

The Active Directory Integration feature on the Settings view of the Web configuration interface lets you create Active Directory configurations and synchronize Information Manager with Active Directory servers. The view also lets you add, edit, or synchronize the Active Directory configurations as required.

See “About integrating Active Directory with the Information Manager server” on page 170.

Prerequisites for creating an Active Directory configuration are as follows:

■ If the Information Manager server cannot resolve the Active Directory server through DNS (for example, because the two are not in the same DNS domain), you must add the FQDN and the IP address of the Active Directory server to the Information Manager hosts file.

■ A certificate authority (CA) must be installed on the domain controller with which Information Manager is to integrate, so that the domain controller has a certificate and can accept LDAP over SSL connections.

■ The CA root certificate must be assigned to the user to be used in the Active Directory integration configuration.

■ Add the CA root certificate of the Active Directory domain that you want to synchronize to the Information Manager server. Information Manager uses this certificate to verify the domain controller's certificate when it connects over SSL.
For more details on obtaining an Active Directory root certificate, refer to the Microsoft Web site.

To create a new Active Directory configuration

1 On the Web configuration interface, click Settings > Active Directory.

2 On the details pane, click Create Configuration.

3 Fill in the required details of the host name, IP address, user name, and password.

If possible, keep the port number at 636, the default port for LDAP over SSL (LDAPS). The CA root certificate that you added as a prerequisite is what lets Information Manager verify the domain controller's certificate on this port. Plain LDAP on port 389 would send the synchronization account's credentials without encryption.

4 In a scenario in which the Active Directory domain name and the Information Manager domain name are identical, check the Active Directory overrides SSIM box. This setting gives the Active Directory user preference over the Information Manager user of the same name when the user logs on to the Information Manager server.

5 Enter the users and groups that you want to synchronize or exclude in the respective boxes.

The default Active Directory group Domain Users cannot be added to Information Manager. It is a special group: Active Directory records each account's membership in its primary group through the user's primaryGroupID attribute rather than in the group's member attribute, so the group has no member attributes for the users to synchronize. Synchronize a security group whose membership you populate explicitly instead.

6 Enter the password. The user name appears by default and cannot be modified.

7 Check the Disable Scheduling box if you want to disable the synchronization.

8 Enter the synchronization schedule in minutes, hours, or days as required.

9 Click Save to apply.

Configurations are saved and listed by the domain name. You can edit or delete the configurations that are listed.

The ibmldap service of the Information Manager server restarts when you save the Active Directory configuration.

Note: The External Users role on Information Manager grants access permission to Active Directory domain users. Therefore, this role must not be removed from Active Directory users. Members of the External Users role do not have any Information Manager privileges. Therefore, the Active Directory user must be assigned another Information Manager role to log on to the Information Manager server.

To edit an Active Directory configuration

1 On the Web configuration interface, click Settings > Active Directory.

2 On the details pane, click List Configurations.


3 Select the configuration that you want to work with.

4 Click the Edit icon.

5 Change the details in appropriate fields as required.

6 Click Save.

To remove an Active Directory configuration

1 On the Web configuration interface, click Settings > Active Directory.

2 On the details pane, click List Configurations.

3 Select the configuration that you want to remove.

4 Click the Remove icon.

5 Enter the password of the LDAP directory administrator (cn=root) in the Remove Active Directory Configurations dialog box, and click Ok.

To synchronize an Active Directory configuration

1 On the Web configuration interface, click Settings > Active Directory.

2 On the details pane, click List Configurations.

3 Select the configuration with which you want to synchronize Information Manager.

4 Click the Synchronize Now icon.

5 Click View Synchronization Log to see the results.


Chapter 9 Managing organizational units and computers

This chapter includes the following topics:

■ About organizational units

■ About managing organizational units

■ About managing computers within organizational units

About organizational units

Organizational units are a useful way to structure your security environment in Symantec Security Information Manager. Before you create organizational units, it is important that you understand your security network and create a security plan.

See “About managing organizational units” on page 173.

Organizational units let you group the computers and servers that you manage. You can then add configurations for the Information Manager components that may be installed on those computers. These capabilities enable the distribution of the configurations to all computers and servers in the organizational unit.

About managing organizational units

On the Administration tab of the System view, select Organizational Units to perform the following tasks:

■ Create a new organizational unit.
See “Creating a new organizational unit” on page 174.

■ Edit organizational unit properties.
See “Editing organizational unit properties” on page 176.

■ Delete an organizational unit.
See “Deleting an organizational unit” on page 177.

Creating a new organizational unit

Organizational units are logical groupings. You can create them to organize the computers that are in the same physical location or belong to structural groups within your corporation: for example, divisions or task groups. However, it is not required that an organizational unit reflect these relationships.

See “About organizational units” on page 173.

You can create all the organizational units that you require at a single level, or you can create a hierarchy of nested organizational units.

The combined maximum length of the distinguished name of an organizational unit must be no longer than 170 bytes. Keep in mind that some characters, such as accented characters or Japanese characters, take more space to store.

The distinguished name of an organizational unit is a concatenation of the names that precede it in the hierarchy. Therefore, nesting organizational units with long names can exceed this limit. A screen message informs you if you exceed the limit.

To create a new organizational unit

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Organizational Units.

3 Take one of the following actions:

■ To create a new organizational unit at the top level of the tree, click + (the plus icon) on the toolbar. Go to step 5.

■ To create a new organizational unit within an existing organizational unit, expand the organizational unit tree and select the level that you want. Then click + (the plus icon) on the toolbar. Go to step 4.

4 In the Computer or Organizational Unit dialog box, click Organizational Unit, and click OK.

5 In the first panel of the Create a new Organizational Unit wizard, click Next.

6 In the General panel, do the following:

■ In the Organizational Unit Name text box, type a name for the organizational unit.

■ (Optional) In the Description text box, type a description of the organizational unit.

7 Click Next.

8 In the Organizational Unit Summary panel, review the information that you have specified, and click Finish.

9 Click Close.

About determining the length of the organizational unit name

Information Manager imposes limits on the length of the name of an organizational unit. It also imposes limits on the total length of the distinguished name that is stored in the LDAP directory. These limits become important when you nest organizational units.

See “About organizational units” on page 173.

The distinguished name for a nested organizational unit includes the following:

■ The name you give the organizational unit when you create it

■ The names of each organizational unit that precedes it in the hierarchy

■ The name of the top node in the organizational unit tree

■ The name of the domain within which you create the organizational unit hierarchy

■ Additional bytes of overhead

You can view the distinguished name of an organizational unit by looking at the organizational unit’s properties.

The maximum length of the name you assign in the Create a new Organizational Unit wizard is 64 UTF-8 bytes. For the Roman character set, this means that the name cannot exceed 64 characters. Some characters take more space to store. For example, accented characters take two bytes to store, and Japanese characters take three bytes or four bytes to store. When these characters are used, fewer characters are allowed in the name.

Information Manager adds other information for internal use to the distinguished name. Therefore, the maximum recommended length of the distinguished name of an organizational unit in the security directory is 170 bytes. If a distinguished name is longer than 256 characters, performance issues occur.

Table 9-1 describes how to calculate the UTF-8 byte length of the distinguished name of the organizational unit.

Table 9-1 Determining the organizational unit name length

Name string: Domain name length
Formula: sum(4 + domain component name length) + 17 bytes
Example: usa.SES
4 + length(usa) + 4 + length(SES) + 17 bytes overhead
= 4 + 3 + 4 + 3 + 17 = 31 bytes

Name string: Organizational unit (OU) name length
Formula: sum(4 + OU name length), taken over every organizational unit in the path, + domain name length + 13 bytes
Example: a Paris OU at the top level of the usa.SES domain
4 + length(Paris) + domain name length + 13 bytes overhead
= 4 + 5 + 31 + 13 = 53 bytes
If Paris is instead nested under a Sales OU, the Sales component adds a further 4 + length(Sales) = 9 bytes, for a total of 62 bytes.
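The following is an added example that implements the formulas in Table 9-1; it is not code from the Information Manager product. It computes the UTF-8 byte length of an organizational unit's distinguished name for any nesting depth, and checks both the 64-byte limit on a single name and the 170-byte recommended limit on the whole distinguished name, so that the non-ASCII cases in the text (accented and Japanese names) can be tried before the wizard rejects them. The per-component cost of 4 bytes and the 17- and 13-byte overheads are taken from the table; the sample names are constructed.

```python
"""UTF-8 byte budget for an organizational unit distinguished name.

Added example implementing Table 9-1 of the Information Manager guide; it
is not product code. Constants come from the table and the text above.
"""

OU_NAME_LIMIT = 64          # bytes, for one name typed in the wizard
DN_RECOMMENDED_LIMIT = 170  # bytes, for the whole distinguished name
DOMAIN_OVERHEAD = 17        # bytes added to the domain part (Table 9-1)
OU_OVERHEAD = 13            # bytes added to the OU part (Table 9-1)
COMPONENT_COST = 4          # bytes per component: "dc=" or "ou=" plus ","


def utf8_len(s):
    """Length of `s` in UTF-8 bytes, which is what the limits count."""
    return len(s.encode("utf-8"))


def domain_name_length(domain):
    """sum(4 + domain component length) + 17 for a dotted domain such as usa.SES."""
    return sum(COMPONENT_COST + utf8_len(part) for part in domain.split(".")) + DOMAIN_OVERHEAD


def ou_dn_length(ou_path, domain):
    """sum(4 + OU name length) + domain name length + 13.

    `ou_path` lists OU names from the innermost OU outward, so a Paris OU
    under a Sales OU is ["Paris", "Sales"].
    """
    return (sum(COMPONENT_COST + utf8_len(name) for name in ou_path)
            + domain_name_length(domain) + OU_OVERHEAD)


def check_ou(ou_path, domain):
    """Return a list of limit violations; an empty list means the OU fits."""
    problems = []
    for name in ou_path:
        n = utf8_len(name)
        if n > OU_NAME_LIMIT:
            problems.append(f"OU name {name!r} is {n} UTF-8 bytes (limit {OU_NAME_LIMIT})")
    total = ou_dn_length(ou_path, domain)
    if total > DN_RECOMMENDED_LIMIT:
        problems.append(f"distinguished name would be {total} bytes (recommended limit {DN_RECOMMENDED_LIMIT})")
    return problems


if __name__ == "__main__":
    # Constructed sample OUs: the table's example, a nested one, an accented
    # name that is short in characters but long in bytes, and deep nesting.
    for path in (["Paris"], ["Paris", "Sales"], ["Zürich", "Sales"],
                 ["é" * 40], ["Tokyo-" + "東京" * 20, "Asia", "Sales"]):
        print(path, ou_dn_length(path, "usa.SES"), "bytes", check_ou(path, "usa.SES") or "ok")
```

The path is given innermost-first to match how the distinguished name is written (ou=Paris,ou=Sales,dc=usa,dc=SES); byte counts, not character counts, are what both limits measure, which is why a 40-character accented name already exceeds the 64-byte name limit.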

Editing organizational unit properties

You can modify an existing organizational unit's description. You cannot change the name or the distinguished name of the organizational unit.

See “About organizational units” on page 173.

To edit organizational unit properties

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and expand the Organizational Units navigation tree.

3 Right-click the name of the organizational unit to edit, and click Properties.

4 In the Organizational Unit Properties dialog box, change the description.

5 When you finish, click OK.

About modifying organizational unit permissions

When you create a role, permissions are assigned for each organizational unit with regard to that role. These permissions control whether role members who log on to the Information Manager console can view, modify, or delete the organizational unit.

You can modify these permissions in the following ways:

■ By displaying and editing the roles that contain the permissions.


See “Modifying access permissions in roles” on page 143.

■ By displaying the Permissions dialog box for the organizational unit container object or an individual organizational unit.

See “Modifying permissions from the Permissions dialog box” on page 152.

Note: To modify permissions, you must be logged on as a member of the SES Administrator role or the Domain Administrator role.

Deleting an organizational unit

Before you can delete an organizational unit, you must move or delete all computers that belong to the organizational unit.

See “Moving a computer to a different organizational unit” on page 198.

See “Deleting a computer from an organizational unit” on page 199.

Note: When you delete an organizational unit, all of the organizational units that are below it in the navigational structure are also deleted.

To delete an organizational unit

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and expand the Organizational Units navigation tree.

3 Right-click the name of the organizational unit to delete, and click Delete.

4 To confirm that you want to delete the organizational unit and its subgroups, click Yes.

About managing computers within organizational units

Organizational units contain computer objects representing the computers that run your security products.

Note: The term computer covers a variety of equipment, from traditional desktop computers to servers and handheld devices. In the context of the Information Manager console, a computer is any device that you manage as part of your enterprise security environment.


Computers are placed in organizational units in the following ways:

■ When an agent is installed.

When you install Symantec Event Agent on a computer, it is represented as a computer within an organizational unit.

Symantec Event Agent is added to the default organizational unit. You can move the agent to a different organizational unit later.

■ When you create the computer using the Create a new Computer wizard.

You can use this method to create computers other than the agent computers.

Note: Do not create a computer using the wizard if you plan to install the Symantec Event Agent on the computer at a later time. If you do, a duplicate instance of the computer is added to the LDAP directory.

A computer can belong to only one organizational unit at a time. However, based on the requirements of your network, you can easily move computers from one organizational unit to another.

When you select a computer in the right pane, you can perform the following tasks:

■ Create computers within organizational units. See “Creating computers within organizational units.”

■ Edit computer properties. See “About editing computer properties.”

■ Move a computer to a different organizational unit. See “Moving a computer to a different organizational unit.”

■ Modify computer permissions. See “About modifying computer permissions.”

■ Delete a computer from an organizational unit. See “Deleting a computer from an organizational unit.”

Creating computers within organizational units

Computers are defined in the LDAP directory as part of the organizational units in which you create them. If you delete a computer from an organizational unit, it is permanently removed from the LDAP directory.

See “About managing computers within organizational units” on page 177.


To create a computer within an organizational unit

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and expand the Organizational Units navigation tree.

3 Right-click the name of the organizational unit, and click New > Computer.

4 In the first panel of the Create a new Computer wizard, click Next.

5 In the General panel, do the following, and click Next:

■ In the Computer name text box, type the computer name.

■ (Optional) In the Description text box, type a description.

6 In the Information panel, do one of the following:

■ Type information in some or all of the optional text boxes, and click Next.

■ Supply the information later by editing the computer’s properties.

7 In the Identification panel, do one of the following:

■ Provide the host name, IP addresses, and MAC addresses of the computer, and click Next.

■ Provide the identification information later by editing the computer’s properties.

8 In the Configurations panel, do one of the following:

■ To directly associate configurations with the computer, click Add. When you are finished, click Next.

■ Add configurations later by editing the computer’s properties.

9 In the Computer summary panel, review the information that you have specified, and click Finish.

10 Click Close.

About editing computer properties

The computer properties that you can view and change depend on whether Symantec Event Agent is installed on the computer.

If the computer has Symantec Event Agent, you can associate configurations with the computer and view the services running on the computer. However, you cannot change the identification information for the computer.


See “Editing the agent computer” on page 180.

See “Viewing the services running on a computer” on page 193.

If the computer does not have an agent, you can edit the network identification information for the computer. However, you cannot view services running on the computer.

See “Editing a computer that does not have an agent” on page 181.

See “Providing identification information for a computer” on page 182.

Editing the agent computer

When a computer has an agent installed, most of the identification information about the computer is captured during the installation.

You can learn about the computer by viewing the information that the agent provides. This information includes the state of the services running on the computer and the computer’s heartbeat status.

You can also specify configurations to be associated with the computer. If the computer is an Information Manager server, you can add access to other domains.

To edit the agent computer

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and expand the Organizational Units navigation tree.

3 Click the name of the organizational unit that contains the computer to be edited.

4 In the right pane, right-click the name of the computer, and click Properties.

5 In the Computer Properties dialog box, on the General tab, you can type a new description.

6 On the Information tab, you can modify the Primary Owner and Owner contact information text boxes.

The remaining information is provided during the agent installation.

7 On the Configurations tab, do any of the following:

■ To directly associate configurations with the computer, click Add.

See “Associating configurations directly with a computer” on page 183.

■ To remove a configuration, select it, and click Remove.

■ To view a configuration’s properties, select it, and click Properties.

8 You can view information on any of the following tabs:


■ On the Identification tab, view the host name, IP addresses, and MAC addresses of the computer.

■ On the Services tab, view information about the services running on the computer.

See “Viewing the services running on a computer” on page 193.

9 Click OK.

Editing a computer that does not have an agent

When you create a computer using the Create a New Computer wizard, you can modify most of the computer’s properties.

Services are reported only if an agent is installed on the computer.

To edit a computer that does not have an agent

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and expand the Organizational Units navigation tree.

3 Click the name of the organizational unit that contains the computer to be edited.

4 In the right pane, right-click the name of the computer, and click Properties.

5 In the Computer Properties dialog box, on the General tab, you can type a new description.

6 On the Information tab, modify the text boxes as you want.

To enable the Other OS Type text box, select OTHER from the operating system type drop-down list.

7 On the Identification tab, change the host name and add or remove IP addresses and MAC addresses, as needed.

See “Providing identification information for a computer” on page 182.

8 On the Configurations tab, do any of the following:

■ To directly associate configurations with the computer, click Add.

See “Associating configurations directly with a computer” on page 183.

■ To remove a configuration, select it, and click Remove.

■ To view a configuration’s properties, select it, and click Properties.


9 On the Services tab, view information about the services running on the computer.

See “Viewing the services running on a computer” on page 193.

10 Click OK.

Providing identification information for a computer

After you create a computer using the Create a new Computer wizard, you can provide the network identification information for the computer by editing its properties.

When you create a computer by installing a collector, the identification information is supplied automatically by the installation.

See “About editing computer properties” on page 179.

To provide identification information for a computer

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and expand the Organizational Units navigation tree.

3 Click the name of the organizational unit that contains the computer to be edited.

4 In the right pane, right-click the name of the computer, and click Properties.

5 In the Computer Properties dialog box, on the Identification tab, in the Host name text box, type an FQDN or a DNS host name.

6 To add an IP address, under IP addresses, click Add.

7 In the IP addresses dialog box, type the IP address of the computer, and click OK.

8 If the computer has multiple network interface cards, repeat steps 6 and 7 for each IP address.

9 To add a MAC address, under MAC addresses, click Add.

10 In the MAC addresses dialog box, type the MAC address of the computer, and click OK.

The MAC address must consist of six hexadecimal pairs.

11 If the computer has multiple network interface cards, repeat steps 9 and 10 for each MAC address.

12 Click OK.


Associating configurations directly with a computer

Configurations control the behavior of Information Manager components.

To distribute configurations to a computer, you can associate a configuration with the computer. You can then distribute the configuration either immediately or at a later date, depending on your needs.

See “About editing computer properties” on page 179.

The following table describes each of the available configurations that can be associated directly with a computer.

Configuration: Symantec Event Agent and Manager – Manager Configurations

Description: Contains the common Information Manager server settings, which may affect one or more components on an Information Manager server. For example, configuration settings define which directory service and database the server should use.

Configuration: Symantec Event Agent and Manager – Manager Component Configurations

Description: Contains settings for services within the Information Manager server, such as the event logging subsystem or the configuration service.

Configuration: Symantec Event Agent and Manager – Manager Connection Configurations

Description: Lets you control how failover is performed from the Information Manager server to the directory service and from the Information Manager server to the database.

Configuration: Symantec Event Agent and Manager – Agent Connection Configurations

Description: Sets the agent-to-Information Manager server failover. Failover is the ability of Information Manager components to automatically switch to designated secondary resources if the primary resource fails or terminates abnormally.

Configuration: Symantec Event Agent and Manager – Agent Configurations

Description: Lets the agent communicate with the corresponding Information Manager server. These configurations include which primary and secondary server to connect to and how to get configuration information and report inventory. In addition, they include how these computers should receive LiveUpdate information.

Configuration: Symantec Critical System Protection Event Collector

Description: Configures Symantec Critical System Protection Event Collector to collect DB sensor data from the following platforms:

■ Microsoft Windows 2000 (all editions) with Service Pack 4 or later

■ Microsoft Windows Server 2003 (all editions) with Service Pack 2 or later

■ Microsoft Windows XP with Service Pack 2 or later

■ Red Hat Enterprise Linux AS 3.0

■ Red Hat Enterprise Linux AS 4.0

Configuration: LiveUpdate 1.0 – LiveUpdate

Description: Configures LiveUpdate to obtain software updates for the various software components of Information Manager, such as event collectors, relays, security content, rules, and filters.

Configuration: LiveUpdate 1.0 – Java LiveUpdate

Description: Configures Java LiveUpdate to obtain software updates for the various software components of Information Manager, such as event collectors, relays, security content, rules, and filters.

Configuration: ISS SiteProtector Event Collector

Description: Configures the Internet Security Systems RealSecure SiteProtector Event Collector to collect DB sensor data from the following platforms:

■ ISS RealSecure Gigabit Network Sensor 7.0

■ ISS RealSecure Network Sensor 6.5/7.0

■ ISS RealSecure Server Sensor 6.0.1/6.5/7.0 on Windows 2000

■ ISS Internet Scanner 7.0

■ ISS Proventia Integrated Security Appliance (M Series)

■ Microsoft Windows 2000 (all editions) with Service Pack 4 or later

■ Microsoft Windows Server 2003 (all editions) with Service Pack 2 or later

■ Microsoft Windows XP with Service Pack 2 or later

■ Red Hat Enterprise Linux AS 3.0

■ Red Hat Enterprise Linux AS 4.0

Configuration: Check Point FireWall-1 Event Collector

Description: Configures Check Point FireWall-1 Event Collector to collect OpsecLea sensor data from the following platforms:

Check Point FireWall-1 NG Application Intelligence R55 and NGX 6.x (including 6.0, 6.2, and 6.5) that runs on one of the following operating systems:

■ Microsoft Windows 2000 Advanced Server with Service Pack 4 or later

■ Red Hat Enterprise Linux AS 3.0

■ Check Point Provider-1 NG and NGX 6.x (including 6.0, 6.2, and 6.5) on Red Hat Enterprise 3, Sun Solaris, and Check Point SecurePlatform with the following configurations:

■ Check Point Provider-1 with MDS/CMA/log server all on one computer

■ Check Point Provider-1 with separate MLM/CLM computers

■ Check Point R55 and 6.x (including 6.0, 6.2, and 6.5) that runs on the Nokia IP series appliances

■ Check Point version R70 (including IPS and Antivirus blades) is supported as long as the September 2009 (or later) LiveUpdate package is applied

■ Check Point version R71

■ Check Point Connectra NGX R66

The collector runs on the following operating systems:

■ Microsoft Windows 2000 (all editions) with Service Pack 4 or later

■ Microsoft Windows Server 2003 (all editions) with Service Pack 2 or later

■ Microsoft Windows XP with Service Pack 2 or later

■ Red Hat Enterprise Linux AS 3.0

■ Red Hat Enterprise Linux AS 4.0

Configuration: Cisco ASA Event Collector

Description: Configures Cisco ASA Event Collector to collect Syslog sensor data from the following platforms:

■ Microsoft Windows 2000 (all editions) with Service Pack 4 or later

■ Microsoft Windows Server 2003 (all editions) with Service Pack 2 or later

■ Microsoft Windows Server 2008 with Service Pack 1 or later

■ Microsoft Windows XP with Service Pack 2 or later

■ Microsoft Windows Vista with Service Pack 1 or later

■ Microsoft Windows 7

■ Red Hat Enterprise Linux AS 4.0

■ Red Hat Enterprise Linux 5.0 (32-bit x86 only)

■ Sun Solaris (SPARC) 8, 9, and 10

Configuration: Generic Syslog Event Collector

Description: Configures Generic Syslog Event Collector to collect Syslog sensor data from the following platforms:

■ Microsoft Windows 2000 (all editions) with Service Pack 4 or later

■ Microsoft Windows Server 2003 (all editions) with Service Pack 2 or later

■ Microsoft Windows XP with Service Pack 2 or later

■ Red Hat Enterprise Linux AS 3.0

■ Red Hat Enterprise Linux AS 4.0

Configuration: Juniper NSM Event Collector

Description: Configures Juniper Networks NetScreen Security Manager Event Collector to collect Syslog sensor data from the following platforms:

■ Microsoft Windows 2000 (all editions) with Service Pack 4 or later

■ Microsoft Windows Server 2003 (all editions) with Service Pack 2 or later

■ Microsoft Windows XP with Service Pack 2 or later

■ Red Hat Enterprise Linux AS 3.0

■ Red Hat Enterprise Linux AS 4.0

Configuration: Juniper NetScreen Firewall Event Collector

Description: Configures Juniper NetScreen Event Collector to collect Syslog sensor data from the following platforms:

■ Symantec Security Information Manager 4.6 and 4.7

■ Microsoft Windows 2000 (all editions) with Service Pack 4 or later

■ Microsoft Windows Server 2003 (all editions) with Service Pack 2 or later

■ Microsoft Windows Server 2008 with Service Pack 1 or later

■ Microsoft Windows XP with Service Pack 2 or later

■ Microsoft Windows Vista with Service Pack 1 or later

■ Red Hat Enterprise Linux AS 3.0

■ Red Hat Enterprise Linux AS 4.0

■ Red Hat Enterprise Linux 5.0 (32-bit x86 only)

■ Sun Solaris (SPARC) 8, 9, and 10

■ SUSE Linux Enterprise 10

Configuration: Snare for Windows Event Collector

Description: Configures Snare for Windows Event Collector to collect Syslog sensor data from the following platforms:

■ Microsoft Windows 2000 (all editions) with Service Pack 4 or later

■ Microsoft Windows Server 2003 (all editions) with Service Pack 2 or later

■ Microsoft Windows XP with Service Pack 2 or later

■ Red Hat Enterprise Linux AS 3.0

■ Red Hat Enterprise Linux AS 4.0

Configuration: Snort Syslog Event Collector

Description: Configures Snort Event Collector to collect SyslogFile sensor data from the following platforms:

■ Microsoft Windows 2000 (all editions) with Service Pack 4 or later

■ Microsoft Windows Server 2003 (all editions) with Service Pack 2 or later

■ Microsoft Windows XP with Service Pack 2 or later

■ Red Hat Enterprise Linux AS 3.0

■ Red Hat Enterprise Linux AS 4.0

Configuration: Symantec Endpoint Protection 11.0 Event Collector

Description: Configures Symantec Endpoint Protection 11.0 Event Collector to collect DB sensor data from the following platforms:

■ Microsoft Windows 2000 (all editions) with Service Pack 4 or later

■ Microsoft Windows Server 2003 (all editions) with Service Pack 2 or later

■ Microsoft Windows XP with Service Pack 2 or later

■ Red Hat Enterprise Linux AS 3.0

■ Red Hat Enterprise Linux AS 4.0

Configuration: Symantec Endpoint Protection State 11.0 Event Collector

Description: Configures Symantec Endpoint Protection State 11.0 Event Collector to collect DB sensor data from the following platforms:

■ Microsoft Windows 2000 (all editions) with Service Pack 4 or later

■ Microsoft Windows Server 2003 (all editions) with Service Pack 2 or later

■ Microsoft Windows XP with Service Pack 2 or later

■ Red Hat Enterprise Linux AS 3.0

■ Red Hat Enterprise Linux AS 4.0

Configuration: Symantec Security Information Manager Local Event Collector

Description: Configures the Information Manager Event Collector to collect SyslogFile sensor data. The Local Event Collector tracks the events that the Linux operating system that runs Information Manager generates. Examples include ssh commands and wrong password entries.

Configuration: Syslog Director

Description: Configures Syslog Director.

Configuration: Universal Logfile Event Collector

Description: Configures the Universal Logfile Event Collector to collect events from the products that log to text files.

Configuration: UNIX OS Event Collector

Description: Configures UNIX OS Event Collector to collect syslog data from the following platforms:

■ HP-UX 11i

■ IBM AIX 5.3 and 6.x

■ Red Hat Enterprise Linux 3.0, 4.0, and 5.0

■ SUSE Linux Enterprise 9 and 10

■ Sun Solaris 8, 9, and 10

■ Nokia IPSO

■ Other Linux distributions based on the 2.6 kernel

■ Debian Linux 3.1

■ Macintosh OS X 10.4, 10.5, and 10.6

In addition, the UNIX Event Collector collects data from ISC BIND9, Linux iptables, and the Linux Audit daemon AUDITD.

Configuration: Universal Syslog Event Collector

Description: Configures the Universal Syslog Event Collector to collect events from the products that log events by using the Syslog protocol.

Configuration: Universal Event Collector for Microsoft Windows Vista

Description: Configures Universal Event Collector for Microsoft Windows Vista to collect events from Microsoft Windows Vista, Windows Server 2008, and Windows 7 event logs.

Configuration: Universal Event Collector for Microsoft Windows

Description: Configures Universal Event Collector for Microsoft Windows to collect events from Microsoft Windows event logs.

Configuration: QualysGuard Event Collector

Description: Configures QualysGuard Event Collector to collect QualysGuard sensor data from the following platforms:

■ Microsoft Windows 2000 (all editions) with Service Pack 4 or later

■ Microsoft Windows Server 2003 (all editions) with Service Pack 2 or later

■ Microsoft Windows XP with Service Pack 2 or later

■ Red Hat Enterprise Linux AS 3.0

■ Red Hat Enterprise Linux AS 4.0

■ Red Hat Enterprise Linux 5.0 (32-bit x86 only)

To associate configurations directly with the computer

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and expand the Organizational Units navigation tree.

3 Click the name of the organizational unit that contains the computer that you want to edit.

4 In the right pane, right-click the name of the computer, and click Properties.

5 In the Computer Properties dialog box, on the Configurations tab, click Add.

6 In the Find Configurations dialog box, in the Look-in drop-down list, select the product whose configurations you want to associate with the computer.

The configurations are displayed in the Available configurations list.

See “Associating configurations directly with a computer” on page 183.


7 In the Available configurations list, select a configuration, and click Add.

The selected configuration is listed in the Selected configuration list.

If the computer already contains a configuration, and you now select a different configuration, the new configuration replaces the old one.

8 To select a configuration for a different product, repeat steps 6 and 7.

9 When you finish adding configurations, click OK.

10 In the Computer Properties dialog box, do one of the following:

■ To remove a configuration, select it, and click Remove.

■ To view a configuration’s properties, select it, and click Properties.

11 Click OK.

Making a computer a member of a configuration group

In addition to belonging to an organizational unit, a computer can be a member of a configuration group. Configuration groups are used to distribute special configurations to their member computers. A computer can belong only to one configuration group.

To make a computer a member of a configuration group

1 In the Information Manager console, on the System tab, in the left pane, expand the Organizational Units navigational tree until you can select the organizational unit containing the computer that you want to edit.

2 In the right pane, select the computer.

3 On the Selection menu, click Properties.

4 In the Computer Properties dialog box, on the Configuration Groups tab, click Add.

5 In the Available Configuration Groups list, select a configuration group.

If the computer is already a member of a configuration group, the configuration group you select here replaces the original configuration group.

6 Click Add.

7 Click OK.

8 On the Configuration Groups tab, do any of the following, as needed:

■ To remove a computer from configuration group membership, select the configuration group, and click Remove.


■ To view a configuration group’s properties, select it, and click Properties.

9 Click OK.

Viewing the services running on a computer

You can view information about the services running on a computer: for example, which configurations are in use and whether the configurations are up-to-date.

See “About editing computer properties” on page 179.

To view the services running on a computer

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and expand the Organizational Units navigation tree.

3 In the left pane, select the organizational unit that contains the computer whose services you want to view.

4 In the right pane, right-click the computer name, and click Properties.

5 In the Computer Properties dialog box, on the Services tab, review the In Sync column to determine whether the correct configurations are in use.

■ If the value for a specific service is Yes, the current configuration and the expected configuration are synchronized. That is, they are identical.

■ If the value for a specific service is No, the configurations are not synchronized. Double-click the row to view the information on the Configuration tab of the Service Properties dialog box. You may need to distribute the latest configurations to this computer.

6 Take any of the following actions:

■ In the Computer Properties dialog box, to notify the computer that it should download new configurations, click Distribute. Then click Yes to confirm your intention to distribute configurations.

■ To refresh the Computer Properties dialog box display, click Refresh.

■ Click Details to open the Service Properties dialog box and view thedetails of services.

7 When you finish, click OK.

About the Visualizer

The Visualizer provides a convenient way to view your Symantec Security Information Manager environment, including the computers that are assigned to organizational units. You can use it to monitor events per second (EPS) rates and CPU usage on your network devices. You can also view and modify properties of elements such as the Information Manager server and agents.

See “About using the Visualizer” on page 194.

See “Viewing and modifying element properties” on page 196.

About using the Visualizer

The Visualizer provides a graphical view of your Information Manager environment. When you click the Visualizer tab on the System view, you see a set of icons. The icons represent such elements as correlation servers, collection servers, agents, and directories. The Icons tab in the Legend pane illustrates and defines each type of icon that can appear in the diagram.

See “About the Visualizer” on page 193.

Colored lines join elements to indicate the nature of their interactions. For example, a green line appears between an Information Manager server and its event archive. A blue line indicates that event forwarding is configured between a collection server and the correlation server. The arrow shows the direction in which the event data flows. To see an explanation of each color, click the Edges tab in the Legend pane.

You can place the icons where you want them by dragging them with the mouse. The associated text moves with the icon. You can also move the text to a different position relative to its icon. Click and hold the mouse over the text, and then move the mouse. Empty text boxes appear on each side of the icon. Drag the text into one of the boxes and release the mouse.

The toolbar includes tools to help you examine the graphic.

In the toolbar, the colored dots that appear next to some elements indicate the activity level of these elements. Some dots reflect the volume of EPS, and other dots reflect the percentage of appliance CPU in use. The meaning of each color is as follows:

EPS

■ Green = less than or equal to 2.5 K

■ Yellow = 2.5 K to 5 K

■ Red = greater than 5 K

CPU usage

■ Green = less than 60%

■ Yellow = 60% to 80%

■ Red = greater than 80%


Note: The EPS display on the Visualizer tab depends on the value of the AgentQueueStatisticsReportInterval setting under System > Product Configuration > SSIM Agent and Manager > Agent Configurations > Logging. By default, this value is set to 300 seconds and the EPS is updated after that interval only. You can configure it to a lower interval. However, setting a lower value may result in lower performance by the agent. You must update (push) the configuration to the agent for the change to take effect.

Table 9-2 describes the tools in the toolbar.

Table 9-2 Visualizer tools

Layout menu
    This option lets you view your network topology using the following layouts:
    ■ Organic
    ■ Circular
    ■ Hierarchic
    ■ Orthogonal
    ■ Tree

Refresh
    This option lets you update the display after you make configuration changes. For example, after you add a collector, click Refresh to re-draw the diagram and show a new icon for the added collector.

Zoom in
    This option lets you expand the diagram view.

Zoom out
    This option lets you minimize the diagram view.

Zoom selected
    This option lets you enlarge the view of a selected portion in the diagram. Select a portion of the diagram by clicking the mouse and dragging a box around the required area. Then click the Zoom Selected icon to enlarge the area that you selected.

Fit to window
    This option returns the diagram to its original size, to fit the entire diagram in the right pane of the System view.

Save as
    This option lets you save the information in the diagram as an XML file. Symantec Technical Support may request this file to assist in troubleshooting.

Export Image
    This option lets you export the Visualizer image as a .gif or .jpg file. You can also adjust the image width and height, and define the clip area as a view or a graph.

Print
    This option lets you print the diagram. In the Print Options dialog box, you can select the height (Poster Rows) and width (Poster Columns) if you print a very large diagram. The default setting (one poster row and one poster column) prints the entire diagram on a single page.

Table view
    This option displays a table with one row for each element that is involved in processing events. The table dynamically displays such information as EPS and the total number of events that the element has processed since it was last started. The details that are displayed in the table view can be saved in CSV format.
    A green check mark means that the element is running; a red X means that the element is not responding.

Use Magnifier
    This option lets you magnify any selected portion of the diagram.

Viewing and modifying element properties

You can view the properties of many of the elements in the Visualizer diagram. You can also modify some of these properties.

See “About using the Visualizer” on page 194.

The same properties are also accessible through other tabs on the System view. You use these tabs to add and delete elements, such as collectors. After you add an element, you distribute it; the element then appears in the Visualizer.

Table 9-3 explains how to access each of the element categories on other System view tabs.

Table 9-3 Accessing element properties on System view tabs

Computers
    This category includes appliances, agents, and collectors.
    ■ Select Administration > Organizational Units.
    ■ Select an organizational unit.
    ■ In the list in the right pane, double-click the name of a computer.
    A dialog box displays the computer's properties.
    See “About managing organizational units”.

Directories
    ■ Select Administration > Directories.
    ■ In the list in the right pane, double-click the name of a directory.
    A dialog box displays the directory's properties.

Products
    This category includes products such as collectors and firewalls.
    ■ Select Product Configurations.
    ■ In the left pane, click the name of a product.
    The right pane displays the product's properties.

To view and modify element properties

1 On the System view of the Information Manager console, click the Visualizer tab.

2 Right-click an icon in the diagram, and then click Properties.

A dialog box displays a set of tabs that let you access the element's properties. The displayed properties depend on the type of element that you selected. For example, a collection appliance has different properties than an agent.

3 View and modify any of the available properties in the dialog box, using the tabs to navigate through the properties.

4 When you finish viewing and modifying properties, click OK.

Distributing configurations to computers in an organizational unit

Information Manager includes a Distribute option, which sends a message to all the computers in an organizational unit to check for new configurations. When a computer receives this message, it contacts Information Manager to request a download of the configurations.

See “About managing computers within organizational units” on page 177.

Using the Distribute feature is optional. When you change a product configuration or move a computer to a different organizational unit, the change is distributed when you click Save.

You can do the following to distribute configurations to computers in an organizational unit:

■ You can distribute the configurations that are associated with an organizational unit to all computers that belong to the organizational unit.

■ You can select specific computers to receive the latest configurations.


Note: The timing of configuration distribution varies depending on the amount of Information Manager traffic.

To distribute configurations to all computers in an organizational unit

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.

3 Right-click the name of the organizational unit to which you want to distribute configurations, and then click Distribute.

4 In the confirmation message box, click Yes.

To distribute configurations to selected computers in an organizational unit

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.

3 In the left pane, select the organizational unit that contains the computer or computers to which you want to distribute configurations.

4 In the right pane, select only those computers that you want to notify.

5 Right-click the selected computers, and then click Distribute.

6 To confirm your intention to distribute configurations, click Yes.

Moving a computer to a different organizational unit

Although a computer can only belong to one organizational unit, you can move computers from one organizational unit to another.

See “About organizational units” on page 173.

Warning: Before you move a computer, make sure that the security products you manage let you move computers.

To move a computer to a different organizational unit

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.

3 In the left pane, select the organizational unit that contains the computer or computers that you want to move.


4 In the right pane, right-click a computer, and then click Move.

You may select multiple computers if you want to move all of them to the same organizational unit.

5 To confirm that you want to move the computers, click Yes.

6 In the Find Organizational Units dialog box, select the organizational unit to which you want to move the computers, and then click OK.

7 To verify that the move was successful, in the left pane, select the organizational unit to which you moved the computers. Look at the right pane to see if the computers that you moved are now in the list.

If you move a computer that is an Information Manager server, you may have to log on again before you see the computer in the organizational unit. Agents that connect to the Information Manager server may need to be restarted.

About modifying computer permissions

When you create a role, permissions are assigned for each computer with regard to that role. These permissions control whether role members who log on to the Information Manager console can view, modify, or move the computer.

To modify the permissions for a computer, you must display the Permissions dialog box for the computer. You cannot modify permissions for computers using the Role Properties dialog box.

See “Modifying permissions from the Permissions dialog box” on page 152.

Note: To modify permissions, you must be logged on as a member of the Domain Administrator role.

Deleting a computer from an organizational unit

If you want to delete an organizational unit, you must first remove any computers within the organizational unit by moving them or deleting them. You may also want to delete a computer that you no longer want to have under Information Manager management.

If the computer was created by installing an agent as part of a security product installation, you should uninstall the collectors and agent from the computer before you delete the computer from the Organizational Units container in the Information Manager console.

See “Creating computers within organizational units” on page 178.

Deleting a computer from an organizational unit removes it from the LDAP directory.

Warning: If you delete a computer that is an Information Manager server, you must perform extra steps to add it to an organizational unit again. To restore a deleted Information Manager server to the LDAP directory, you must do one of the following: re-register the deleted server with the LDAP directory in which it was previously registered, or reinstall Information Manager on the server.

To delete a computer from an organizational unit

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.

3 In the left pane, select the organizational unit that contains the computer that you want to delete.

4 In the right pane, right-click the computer name, and then click Delete.

5 To confirm your intention to delete the computer from the organizational unit, click Yes.

Section 4

Understanding event collectors

■ Chapter 10. Introducing event collectors

■ Chapter 11. Configuring collectors for event filtering and aggregation

Chapter 10

Introducing event collectors

This chapter includes the following topics:

■ About Event Collectors and Information Manager

■ Components of collectors

■ About Symantec Universal Collectors

■ About Custom Log Management

■ Downloading and installing the Symantec Universal Collectors

■ Correlating the logs collected in a file from a proprietary application

About Event Collectors and Information Manager

Security products and operating systems generate many kinds of events. Some events are informational, such as a user logging on, and others may indicate a security threat, such as antivirus software being disabled.

Symantec Event Collectors gather, filter, and aggregate these events and forward both the raw and the processed events to Information Manager.

See “Components of collectors” on page 204.

Event Collectors collect information from security devices, critical applications, and services, such as the following product types:

■ Firewalls

■ Routers, switches, and VPNs

■ Enterprise Antivirus

■ Intrusion detection and intrusion prevention

■ Vulnerability scanners

■ Authentication servers

■ Windows and UNIX system logs

Information Manager stores the event data in event archives and correlates the events with threat and asset information. If a security event triggers a correlation rule, Information Manager creates a security incident.

Information Manager provides real-time event correlation and data archiving to protect against security threats and to preserve critical security data.

For more details on event collectors, refer to the Symantec Event Collectors Integration Guide.

Components of collectors

Event collectors gather, filter, and aggregate security events and forward both the raw and the processed events to Information Manager.

See “About Event Collectors and Information Manager” on page 203.

Table 10-1 Major components of collectors

Information Manager
    Refers to the Symantec Security Information Manager where events are processed, filtered, and stored. Allows for the centralized collection, classification, and normalization of events to enable alerts and reports across managed security products.

Symantec Event Agent
    Refers to the Java application that performs the communication functions for the Information Manager components on the system on which it is installed.

Collector
    Refers to an application that collects events from security products, processes them, and passes them to the Agent.

Sensor
    Refers to the component that reads events from a file, database, syslog, Windows event log, or other medium. The sensor then passes the events to the remaining collector components. The information is then delivered to the Agent to be sent to Information Manager.

Security or Point product
    Refers to the software product, such as a firewall, antivirus software, or an operating system. The security product ensures that data is not vulnerable to unauthorized use or access and is the source of events to the collector.


See “About Event Collectors and Information Manager” on page 203.

About Symantec Universal Collectors

Symantec provides universal collectors. These universal collectors gather, filter, and aggregate events from security devices, critical applications, and services. The collectors then forward both the raw and the processed events to Information Manager. Universal collectors are used in scenarios where standard options are not available.

You can use the CustomLogs view on the Web configuration interface to map the log information to the fields that Information Manager supports.

You can download the following universal collectors from the Downloads option on the Home view of the Web configuration interface.

■ Universal Collector for Windows

■ Universal Collector for Windows Vista

■ Universal Collector for Syslog

■ Universal Collector for Log file

See “Downloading and installing the Symantec Universal Collectors” on page 207.

About Custom Log Management

Information Manager uses the event collectors that can be installed on the Information Manager server or on a computer that runs Symantec Event Agent. The collectors translate the collected data before it is handed over to the event service for archival and to the correlation service for correlation. Information Manager provides collectors for over 250 products. If a collector does not exist for an application in an environment, it is not possible to collect and normalize the data for the application.

The custom log management feature lets you collect logs from an application from which Information Manager does not support collection. You can analyze the received log data and adjust the fields where necessary to prepare the data for interpretation by Information Manager.

To collect the logs, you can download and install the universal collectors that are available on the Web configuration interface. You can install universal collectors on the computers on which Symantec Event Agent is installed.

Custom log management works with the following components:

Universal log collector
    Transports the log data that is collected from a point product or application to Information Manager.
    The universal log collectors can be installed on the Information Manager server or on other computers that have Symantec Event Agent installed on them.
    See “Downloading and installing the Symantec Universal Collectors” on page 207.
    You can download the following universal collectors from the Home > Download view of the Web configuration interface of Information Manager.
    ■ Universal Collector for Log File
      Collects the events that are from different log files.
    ■ Universal Collector for Windows
      Collects the events that are from Windows logs.
    ■ Universal Collector for Syslog
      Collects the events that are from syslog.
    ■ Universal Collector for Windows Vista
      Collects the events that are from Windows Vista.
    Note: The universal collectors are preinstalled on the Information Manager server. The Universal Collector for Windows is not installed on the Information Manager server because it cannot run on Linux.

Collector mapping tool
    Maps the log data that the universal collectors collect to the event fields that are defined within Information Manager.
    The mapping is done with the .norm files that are used for event normalization within Information Manager.
    See “About normalization (.norm) files” on page 267.
    You can provide the log data mappings in the following ways:
    ■ Pattern mapping
      Lets you map the entire pattern of the log entries. The fields from the pattern are mapped to fields that Information Manager supports.
    ■ Direct mapping
      Lets you map a field to another field. The mapped field is used to create new rules. In this case, both fields have the same value.
      For example, you can map the Agent IP to Source IP. In this case, the value of the Source IP field always corresponds to the value of the Agent IP field.
    ■ Literal mapping
      Lets you assign literal constant values to the output event fields.
      For example, you can assign a constant value <###> to the Source Host field.

Downloading and installing the Symantec Universal Collectors

To collect logs from a proprietary application, first download and install the universal collectors on the computer on which Symantec Event Agent is installed.

See “About Symantec Universal Collectors” on page 205.

To download the universal collectors

1 Log on to the Web configuration interface as an administrator.

2 In the Web configuration interface of Information Manager, click Home > Downloads.


3 Click the download link for the universal collector that you want to download.

4 Save the installation zip file for the universal collector on the computer where you want to install the collector.

To install the universal collector on a remote computer that has Symantec Event Agent installed

1 On the computer on which Symantec Event Agent is installed, log on as administrator.

2 Unzip the installation package.

The installation package includes a subdirectory that is named install. The installation files are located in a temporary directory.

You must install some collectors on the same computer as the product for which it collects events.

3 At the command prompt, do one of the following:

■ On Windows, type the following command:

install.bat

■ On UNIX, type the following command:

sh ./install.sh

4 Follow the installation wizard prompts.

All the universal collectors are installed by default on the Information Manager server. The universal log file and syslog collectors are also installed by default on the Information Manager server.

Correlating the logs collected in a file from a proprietary application

By using the Custom Logs feature, you can correlate the logs that are collected from a proprietary application with the fields that Information Manager supports.

Consider an example of a log entry from a Linux system. The log entry should be in the following format:

<ip address>,<source host>,<user name> <operating system>.

Assume that the log entry is as follows:

1.23.45.67,ssim2,john,Linux


You can analyze the application log data that is collected from the Linux system in Information Manager. The custom log management feature lets you map the collected logs to the fields that Information Manager supports.

Ensure that the following requirements are met before you begin the analysis of the application log data:

■ Symantec Event Agent is installed on the computer on which the application logs are saved.

■ The Universal Collector for Log Files is downloaded and installed from the Home > Downloads view of the Web configuration interface.

■ In a multi-server setup, Information Manager must be registered with the Correlation Manager.

To achieve the objective of collecting and mapping the logs from a proprietary application, you must complete the following steps:

■ Download and install the universal collector.
See “Downloading and installing the Symantec Universal Collectors” on page 207.

■ Create a new sensor configuration.

■ Configure a reporting sensor from which the logs are collected.
See “Downloading and installing the Symantec Universal Collectors” on page 207.

■ Map the log fields to the fields that Information Manager supports.
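The following Python program is an added illustration of the three mapping kinds that the collector mapping tool offers (pattern, direct, and literal mapping), applied to the sample log entry above. It is not part of this guide and does not use Information Manager's .norm file format. The regular expression, the field names in the mapping dictionaries, the order in which the mappings are applied, and the assumption that a comma separates <user name> from <operating system> (as in the sample entry) are all constructed for the example.

```python
"""Added illustration of pattern, direct and literal mapping for a custom log.
Not Information Manager's .norm format; the mapping tables below are a
constructed stand-in for what the collector mapping tool configures."""
import re

# Constructed pattern for the guide's sample format. The sample entry uses a
# comma between every field, so a comma is assumed before <operating system>.
PATTERN = re.compile(
    r"^(?P<ip_address>\d{1,3}(?:\.\d{1,3}){3}),"
    r"(?P<source_host>[^,]+),"
    r"(?P<user_name>[^,]+),"
    r"(?P<operating_system>[^,]+)$"
)

# Pattern mapping: each named group of PATTERN -> an output event field.
PATTERN_MAP = {
    "ip_address": "Agent IP",
    "source_host": "Source Host",
    "user_name": "User Name",
    "operating_system": "Operating System",
}
# Direct mapping: output field <- another output field, both carry the same
# value (the guide's Agent IP -> Source IP example).
DIRECT_MAP = {"Source IP": "Agent IP"}
# Literal mapping: a constant assigned to an output field (the guide's <###>
# example). Applied last here, so it overrides the pattern-mapped Source Host;
# that ordering is an assumption of this illustration.
LITERAL_MAP = {"Source Host": "<###>"}

def map_log_entry(line):
    """Return the mapped event for one log line, or None when the line does
    not match the pattern. Rejecting non-matching lines outright avoids
    forwarding a half-filled event that would then be correlated."""
    m = PATTERN.match(line.strip())
    if not m:
        return None
    event = {}
    for group, field in PATTERN_MAP.items():      # 1. pattern mapping
        event[field] = m.group(group)
    for target, source in DIRECT_MAP.items():     # 2. direct mapping
        event[target] = event[source]
    for target, constant in LITERAL_MAP.items():  # 3. literal mapping
        event[target] = constant
    return event

# Constructed input: the guide's sample entry plus one malformed line.
SAMPLE_LOG = [
    "1.23.45.67,ssim2,john,Linux",
    "not a well-formed entry",
]

def map_all(lines):
    """Map every line; malformed lines yield None so the caller can count them."""
    return [map_log_entry(line) for line in lines]

if __name__ == "__main__":
    for line, event in zip(SAMPLE_LOG, map_all(SAMPLE_LOG)):
        print(line, "->", event)
```

Running the program maps the sample entry to an event whose Source IP equals its Agent IP and whose Source Host carries the literal constant, while the malformed line is reported as unmapped rather than partially filled.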


Chapter 11

Configuring collectors for event filtering and aggregation

This chapter includes the following topics:

■ Configuring event filtering

■ Configuring event aggregation

Configuring event filtering

You can use event filtering to exclude events from being forwarded to Information Manager. Event filters let you reduce the event traffic and the number of events that are stored in the event database. Filters also let you discard the data that is less important to your organization’s security.

You can also import and export filtering configurations. Filtering configurations are exported in an XML file format; you must use the same XML file format to import the configuration.

Event filtering is not advisable for all collectors.

The XML file for filtering should be in the following format:

<?xml version="1.0" encoding="UTF-8"?>
<filter>
    <filter-spec enabled="false" index="0" name="Specification 0">
        <filter-field comparator="EQ" name="queue_product_id">1</filter-field>
    </filter-spec>
    <filter-spec enabled="true" index="1" name="Specification 1">
        <filter-field comparator="EQ" name="server">33</filter-field>
    </filter-spec>
</filter>

Event filter configuration consists of the following actions:

■ Adding and enabling the event filtering rules
See “To add and enable event filtering rules” on page 212.

■ Changing the existing event filtering rules
See “To change existing event filtering rules” on page 213.

■ Importing and exporting the event filtering rules
See “To import and export event filtering rules” on page 214.

Some collectors include predefined filtering rules. Some of these predefined filtering rules are also pre-enabled.

To add and enable event filtering rules

1 In the Information Manager console, in the left pane, click System.

2 On the Product Configurations tab, in the middle pane, expand the tree until you reach the sensor configuration of a collector.

3 In the right pane, on the Filter tab, click Add.

4 Double-click Specification n (where n is 0, 1, 2, and so on), type a name for the rule, and click OK.

5 Under the rule properties table, click Add, and perform the following tasks in the order shown:

■ In the Name column, type a name for the event filter property (for example, IP Destination Port). You can also double-click in the Name text box to bring up an Information Manager fields window. You can choose from the list of items that are presented in the expanded directories of the Information Manager fields window.

■ In the Operator column, select an operator from the drop-down list (for example, equal to).

■ In the Value column, type a value or select a preset value for the event filter property (for example, 80 for the port number). You can filter events by pattern by using a regular expression function. For example, to filter all events that contain "SUCCESS", enter the following in the Value column:

regex(.*SUCCESS.*)


Here, all characters within the parentheses are part of the regular expression. "." and "*" are both metacharacters: "." matches any character, and "*" matches zero or more occurrences of the preceding element. Therefore, the expression matches zero or more occurrences of any character, followed by the literal string SUCCESS, followed by zero or more occurrences of any character. To rephrase, it matches the literal string SUCCESS anywhere within the field.

6 Repeat step 5 to add more event filtering information for the rule.

All rules within a given specification use the Boolean AND to determine whether an event is a candidate for filtering. If there are multiple specifications, each specification uses the Boolean OR.

7 When you are finished adding information for the rule, in the filter list, check the filter name.

8 Click Save.

9 In the left pane, right-click the appropriate configuration, and then click Distribute.

10 When you are prompted to distribute the configuration, click Yes.

11 In the Configuration Viewer window, click Close.
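The filter format and matching rules above (Boolean AND within a specification, Boolean OR across specifications, disabled specifications ignored, regex() values), carried through as an added Python example that is not part of the guide or the product. It reuses the guide's sample XML and adds a third, constructed specification; the field name description, the sample events, and the use of a full-field regular-expression match are assumptions.

```python
"""Evaluate collector event filter specifications (added example, not code
from the Information Manager product). Rule properties inside one
specification are ANDed, specifications are ORed, disabled specifications
are skipped, and a Value written as regex(...) is applied as a regular
expression to the whole field value."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# The two specifications from the guide's sample XML plus a third, constructed
# one that uses the regex() syntax. The field name "description" is an assumption.
FILTER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<filter>
  <filter-spec enabled="false" index="0" name="Specification 0">
    <filter-field comparator="EQ" name="queue_product_id">1</filter-field>
  </filter-spec>
  <filter-spec enabled="true" index="1" name="Specification 1">
    <filter-field comparator="EQ" name="server">33</filter-field>
  </filter-spec>
  <filter-spec enabled="true" index="2" name="Successful logons">
    <filter-field comparator="EQ" name="queue_product_id">7</filter-field>
    <filter-field comparator="EQ" name="description">regex(.*SUCCESS.*)</filter-field>
  </filter-spec>
</filter>
"""

REGEX_VALUE = re.compile(r"^regex\((.*)\)$", re.DOTALL)


@dataclass(frozen=True)
class FilterField:
    name: str
    comparator: str  # EQ and NEQ are the operators the guide's XML samples show
    value: str

    def matches(self, event: dict) -> bool:
        if self.name not in event:
            return False  # a missing field cannot satisfy a rule property
        actual = str(event[self.name])
        m = REGEX_VALUE.match(self.value)
        if m:
            # regex(.*SUCCESS.*) must match SUCCESS anywhere in the field, so the
            # pattern is matched against the whole field value (assumption).
            equal = re.fullmatch(m.group(1), actual) is not None
        else:
            equal = actual == self.value
        if self.comparator == "EQ":
            return equal
        if self.comparator == "NEQ":
            return not equal
        raise ValueError(f"unsupported comparator {self.comparator!r}")


@dataclass(frozen=True)
class FilterSpec:
    name: str
    index: int
    enabled: bool
    fields: tuple

    def matches(self, event: dict) -> bool:
        # Every rule property in a specification must match (Boolean AND).
        return self.enabled and all(f.matches(event) for f in self.fields)


def parse_filter(xml_text: str) -> list:
    """Parse <filter> XML into FilterSpec objects ordered by their index."""
    specs = []
    for spec in ET.fromstring(xml_text).findall("filter-spec"):
        fields = tuple(
            FilterField(f.get("name"), f.get("comparator"), (f.text or "").strip())
            for f in spec.findall("filter-field"))
        specs.append(FilterSpec(spec.get("name"), int(spec.get("index")),
                                spec.get("enabled") == "true", fields))
    return sorted(specs, key=lambda s: s.index)


def matching_spec(specs: list, event: dict):
    """Name of the first specification that matches, or None (specs are ORed)."""
    return next((s.name for s in specs if s.matches(event)), None)


def filter_events(specs: list, events: list) -> list:
    """Pair each event with the specification that filters it (None = kept)."""
    return [(e, matching_spec(specs, e)) for e in events]


# Constructed sample events, not taken from the guide. The first one would match
# Specification 0, but that specification is disabled, so the event is kept.
SAMPLE_EVENTS = [
    {"queue_product_id": 1, "server": 12, "description": "Logon FAILURE"},
    {"queue_product_id": 7, "server": 33, "description": "Logon FAILURE"},
    {"queue_product_id": 7, "server": 12, "description": "Logon SUCCESS for bob"},
    {"queue_product_id": 5, "server": 12, "description": "Logon SUCCESS for bob"},
]
```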

To change existing event filtering rules

1 In the Information Manager console, in the left pane, click System.

2 On the Product Configurations tab, in the middle pane, expand the tree until you reach a sensor configuration of a collector.

3 In the right pane, on the Filter tab, perform any of the following tasks:

■ To add a specification, click Add.

■ To delete a specification, select the specification, and then click Remove.

■ To delete all specifications, click Remove All.

4 Perform any of the following tasks:

■ To determine the order in which Information Manager invokes the event filters, next to the list of specifications, click the arrow icons.

■ To change the name of the specification, double-click the specification in the specification list, and then, in the Name text box, type a new name.

■ If you want to disable a specification, but you do not want to delete it, in the filter list, uncheck the filter name.


5 In the rule properties table, change the information in any of the following columns:

■ Name

■ Operator

■ Value

6 Under the rule properties table, perform any of the following tasks:

■ To add a rule property, click Add.

■ To delete a rule property, select the rule property, and click Remove.

■ To delete all rule properties, click Remove All.

7 Click Save.

8 In the left pane, right-click the appropriate collector configuration, and then click Distribute.

9 When you are prompted to distribute the configuration, click Yes.

10 In the Configuration Viewer window, click Close.

To import and export event filtering rules

1 In the Information Manager console, in the left pane, click System.

2 On the Product Configurations tab, in the middle pane, expand the tree until you reach a sensor configuration of a collector.

3 In the right pane, on the Filter tab, perform one of the following tasks:

■ If you want to import, click Import configuration from XML file.

■ If you want to export, click Export configuration to XML file.

4 Perform one of the following tasks:

■ In the Import Configuration From File window that appears, specify the XML file to import into the collector.

■ In the Export Configuration to File window that appears, specify a file name to export the configurations.

Configuring event aggregation

Collectors include a feature that lets you group similar events. By grouping events, you reduce event traffic and the number of events that are stored in the event datastore. The first event of a given type is sent to Symantec Security Information Manager immediately. All subsequent events of the same type are sent as one aggregated event. Aggregated events contain start and end times, but all other event fields are taken from the first event in the aggregated set.

Not all collectors should use event aggregation.

You can also import and export aggregation configurations. Aggregation configurations are exported in an XML file format; you must import configurations in the same XML file format.

See “About Event Collectors and Information Manager” on page 203.

The XML file for aggregation should be in the following format:

<?xml version="1.0" encoding="UTF-8"?>
<aggregator maxbuffer="0">
  <aggregator-spec enabled="true" index="0" name="Specification 0" time="124">
    <aggregator-fields>
      <aggregator-field name="display_id" operator="EQ">15</aggregator-field>
    </aggregator-fields>
    <similarity-fields>
      <similarity-field name="data_scan_guid"/>
    </similarity-fields>
  </aggregator-spec>
  <aggregator-spec enabled="false" index="1" name="Specification 1" time="234">
    <aggregator-fields>
      <aggregator-field name="connection_type_name" operator="NEQ">1</aggregator-field>
    </aggregator-fields>
    <similarity-fields/>
  </aggregator-spec>
</aggregator>

Event aggregation configuration includes the following actions:

■ Adding and enabling event aggregation rules. See “To add and enable event aggregation rules” on page 216.

■ Changing existing event aggregation rule configurations. See “To change existing event aggregation rule configurations” on page 216.

■ Importing and exporting event aggregation rules. See “To import and export event aggregation rules” on page 217.

This feature is not advisable with all collectors.

Event aggregation rules are not configured by default. You must add the rules before you can enable or configure them.


To add and enable event aggregation rules

1 In the Information Manager console, in the left pane, click System.

2 On the Product Configurations tab, in the middle pane, expand the tree until you reach the sensor configuration of a collector.

3 In the right pane, on the Aggregator tab, click Add.

4 Double-click Specification n (where n is 0, 1, 2, and so on), and type a name for the rule.

5 Under the rule properties table, click Add, and perform the following tasks in the order shown:

■ In the Name column, select or type a name for the event aggregation property (for example, Event Date). You can also double-click in the Name text box to open an Information Manager fields window. You can choose a name from the list of items that are presented in the expanded directories of the Information Manager fields window.

■ In the Operator column, select an operator from the drop-down list (for example, greater than).

■ In the Value column, type a value or select a preset value for the event aggregation property (for example, 2004-03-30 19:18:31).

6 Repeat step 5 to add more event aggregation information for the rule.

All rules within a given specification use the Boolean AND to determine whether or not an event is a candidate for aggregation. If there are multiple specifications, each specification uses the Boolean OR.

7 In the Aggregation time (ms) text box, type the time in milliseconds within which a subsequent event must occur to be aggregated by this rule.

The default value is 100. This property applies to all aggregation rules.

8 When you are finished adding information for the rule, in the aggregator list, check the aggregator name.

9 Click Save.

10 In the left pane, right-click the appropriate configuration, and click Distribute.

11 When you are prompted to distribute the configuration, click Yes.
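The aggregation XML format and the rule semantics of steps 6 and 7 (ANDed rule properties, ORed specifications, the Aggregation time window, start and end times on the aggregated event), worked through as an added Python example that is not code from the guide or the product. The sample event stream, the host field, the count field, and the choice to measure the time window from the previous event folded into a set are assumptions.

```python
"""Collector event aggregation as the guide describes it (added example, not
product code). An event that satisfies every aggregator-field of an enabled
specification (fields ANDed, specifications ORed) is a candidate. The first
candidate of a similarity group is sent at once; later candidates inside the
time window are folded into one aggregated event that keeps the first event's
fields and adds start and end times."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# The aggregation XML from the guide; time is in ms, maxbuffer is not modelled.
AGGREGATOR_XML = """<?xml version="1.0" encoding="UTF-8"?>
<aggregator maxbuffer="0">
  <aggregator-spec enabled="true" index="0" name="Specification 0" time="124">
    <aggregator-fields>
      <aggregator-field name="display_id" operator="EQ">15</aggregator-field>
    </aggregator-fields>
    <similarity-fields><similarity-field name="data_scan_guid"/></similarity-fields>
  </aggregator-spec>
  <aggregator-spec enabled="false" index="1" name="Specification 1" time="234">
    <aggregator-fields>
      <aggregator-field name="connection_type_name" operator="NEQ">1</aggregator-field>
    </aggregator-fields>
    <similarity-fields/>
  </aggregator-spec>
</aggregator>
"""


@dataclass
class AggregatorSpec:
    name: str
    index: int
    enabled: bool
    time_ms: int
    conditions: list  # (field, operator, value) triples, ANDed
    similarity: list  # fields whose equal values make events "the same type"

    def matches(self, event: dict) -> bool:
        if not self.enabled:
            return False
        for name, op, value in self.conditions:
            equal = str(event.get(name)) == value
            if (op == "EQ" and not equal) or (op == "NEQ" and equal):
                return False
        return True

    def group_key(self, event: dict) -> tuple:
        return (self.name,) + tuple(event.get(f) for f in self.similarity)


def parse_aggregator(xml_text: str) -> list:
    """Parse <aggregator> XML into AggregatorSpec objects ordered by index."""
    specs = []
    for s in ET.fromstring(xml_text).findall("aggregator-spec"):
        conds = [(f.get("name"), f.get("operator"), (f.text or "").strip())
                 for f in s.findall("aggregator-fields/aggregator-field")]
        sim = [f.get("name") for f in s.findall("similarity-fields/similarity-field")]
        specs.append(AggregatorSpec(s.get("name"), int(s.get("index")),
                                    s.get("enabled") == "true", int(s.get("time")), conds, sim))
    return sorted(specs, key=lambda s: s.index)


def aggregate(specs: list, events: list) -> list:
    """Return what the collector forwards for events (dicts with ms timestamp "ts",
    in arrival order). Assumptions: the window is measured from the previous event
    folded into the set, and "count" (events folded) is added for illustration."""
    sent, open_sets = [], {}  # open_sets: group key -> aggregated event being built
    for ev in events:
        spec = next((s for s in specs if s.matches(ev)), None)
        if spec is None:
            sent.append(dict(ev))  # not a candidate: forwarded unchanged
            continue
        key = spec.group_key(ev)
        agg = open_sets.get(key)
        if agg is not None and ev["ts"] - agg["end_time"] <= spec.time_ms:
            agg["end_time"], agg["count"] = ev["ts"], agg["count"] + 1
            continue
        if agg is not None and agg["count"]:
            sent.append(agg)  # window expired: release the finished aggregated event
        sent.append(dict(ev))  # first event of a new set is sent immediately
        open_sets[key] = {**ev, "start_time": ev["ts"], "end_time": ev["ts"], "count": 0}
    # End of input stands in for the collector's aggregation timer expiring.
    sent.extend(agg for agg in open_sets.values() if agg["count"])
    return sent


# Constructed sample stream (not from the guide); "host" is an illustrative field.
SAMPLE_EVENTS = [
    {"ts": 1000, "display_id": 15, "data_scan_guid": "A", "host": "h1"},
    {"ts": 1050, "display_id": 15, "data_scan_guid": "A", "host": "h2"},
    {"ts": 1100, "display_id": 15, "data_scan_guid": "B", "host": "h1"},
    {"ts": 1150, "display_id": 15, "data_scan_guid": "A", "host": "h3"},
    {"ts": 1200, "display_id": 7, "data_scan_guid": "A", "host": "h1"},
    {"ts": 1400, "display_id": 15, "data_scan_guid": "A", "host": "h4"},
]
```

For the sample stream the collector forwards five events: the first A event, the first B event, the non-candidate event, one aggregated A event (start 1000, end 1150, fields from the first A event) released when the 1400 event arrives outside the 124 ms window, and that 1400 event as the start of a new set.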

To change existing event aggregation rule configurations

1 In the Information Manager console, in the left pane, click System.

2 On the Product Configurations tab, in the middle pane, expand the tree until you reach a sensor configuration of a collector.


3 In the right pane, on the Aggregator tab, under the list of rules, perform any of the following tasks:

■ To add a specification, click Add.

■ To delete a specification, select the rule, and click Remove.

■ To delete all specifications, click Remove All.

4 To determine the order in which Information Manager follows the event aggregation specifications, next to the list of specifications, click the arrow icons.

5 To change the name of the specification, double-click the specification in the specification list, and, in the Name box, type a new name.

6 To change the time within which a subsequent event must occur for aggregation by this rule, in the Aggregation time (ms) box, type the new time in milliseconds.

The default value is 100. This property applies to all aggregation rules.

7 To disable a specification without deleting it, in the aggregator list, uncheck the aggregator name.

8 In the rule properties table, change information in any of the following columns:

■ Name

■ Operator

■ Value

9 Under the rule properties table, perform any of the following tasks:

■ To add a rule property, click Add.

■ To delete a rule property, select the rule property, and click Remove.

■ To delete all rule properties, click Remove All.

10 Click Save.

11 In the left pane, right-click the appropriate collector configuration, and click Distribute.

12 When you are prompted to distribute the configuration, click Yes.

To import and export event aggregation rules

1 In the Information Manager console, in the left pane, click System.

2 On the Product Configurations tab, in the middle pane, expand the tree until you see a sensor configuration of a collector.


3 In the left pane, select the appropriate configuration.

4 In the right pane, on the Aggregator tab, perform one of the following tasks:

■ If you want to import, click Import configuration from XML file.

■ If you want to export, click Export configuration to XML file.

5 Perform one of the following tasks:

■ If you want to import, in the Import Configuration From File window that appears, specify the XML file you want to import into the collector.

■ If you want to export, in the Export Configuration to File window that appears, specify a file name to which to export the configurations.


Section 5. Working with events and event archives

■ Chapter 12. Managing event archives

■ Chapter 13. Forwarding events to the Information Manager Server

■ Chapter 14. Understanding event normalization

■ Chapter 15. Collector-based event filtering and aggregation


Chapter 12. Managing event archives

This chapter includes the following topics:

■ About events, conclusions, and incidents

■ About the Events view

■ About the event lifecycle

■ About event archives

■ About multiple event archives

■ Creating new event archives

■ Specifying event archive settings

■ Creating a local copy of event archives on a network computer

■ Restoring event archives

■ Viewing event data in the archives

■ About working with event queries

About events, conclusions, and incidents

Security products and operating systems generate many kinds of events. Some events are informational, such as a user logging on, and others may indicate a security threat, such as antivirus software being disabled.

A conclusion occurs when one or more events match a correlation rule pattern. Information Manager normalizes events from multiple security products and looks for the patterns that indicate potential threats.

An incident is the result of one or more conclusions that are identified as a type of an attack. There can be many conclusions that are mapped to a single incident.


For example, if a single attacker causes a number of different patterns to be matched, those are grouped into a single incident. Similarly, if a vulnerability scan uncovers a computer that suffers from a number of different vulnerabilities, these are all grouped into a single incident. Or, if a number of different computers report the same virus, Information Manager creates a single outbreak incident.

See “About security products and devices” on page 22.

About the Events view

The Events view provides access to all of the event archives used by the Information Manager server. Each archive stores events that are based on the Event Storage Rules that you configure on the System view. To view the events that are stored in any archive, you can do the following:

■ Use the preconfigured query templates or system queries. The preconfigured templates and queries provide the parameters that you can set. You can choose the archive that you want to search, the time period within which you want to search for events, and so forth. Some templates and queries have more parameters than others depending on the purpose of the query.

■ Save a copy of any preconfigured template query with the parameters that you have chosen, and customize the copy.

■ Create a new query using the Query Wizard.

■ Schedule queries to be distributed as CSV reports.

When a template or query is run, the results are displayed in the results pane of the Events view. The results pane enables you to view and search for information about archived events in both graphical and text formats. You select the archive you want to research, and the viewer displays a histogram that represents the data that is stored in that archive. You can then narrow the display to a particular historical period (for example, the previous month or a specific one-hour period).

You can display event details in a table and drill down to get all details about one event at a time. You can also filter the results in this view.

See “About events, conclusions, and incidents” on page 221.

About the event lifecycle

Figure 12-1 shows the lifecycle of an Information Manager event.


Figure 12-1 Event lifecycle

Information Manager processes security event data in the following manner:

■ The event collector collects the raw event data from the security product.

■ The event collector normalizes the event data and filters and aggregates the events according to the event collector configuration settings.

■ The agent sends the normalized events and, if configured, the raw event data to the designated Information Manager.

■ Information Manager stores the event in the event archive.

■ Information Manager updates the event summary tables with the event information.

■ Information Manager correlates the event and, if the event triggers a correlation rule, creates an incident.

■ Information Manager stores the incident in the incident database.

■ Information Manager console users view incident and event reports.

See “About events, conclusions, and incidents” on page 221.


About event archives

Event archives provide a compact, convenient way to store event data for regulatory compliance, forensic research, and long-term data retention. Event archives contain event data from the security products that are set up to forward events to a Symantec Security Information Manager Server.

Note: By default, newly created event archives are stored for seven days, but you can adjust this period to meet your requirements. However, when the available server disk space runs low, the server purges event archives. The default maximum quota is 90%, and the default free space quota is 1%. If your company requires long-term retention of event data, you can use scp or rsync over an SSH connection to copy the event archives from the server.

See “About events, conclusions, and incidents” on page 221.

About multiple event archives

You can create multiple event archives to organize events into the logical folders that Information Manager stores. You can create up to 16 archives on any server. Multiple event archives let you distribute the events Information Manager receives into separate folders and across multiple servers based on the criteria that you choose. For example, you can create an individual archive for each product that you monitor, such as an antivirus product, and store the events that the product generates in a separate archive. You can create multiple archives on a single instance of Information Manager, on an attached storage device such as a DAS. You can also spread out the archives across multiple servers.

To query the event data for further analysis, you can perform a query on any or all of the event archives that you have created. That includes the archives that are stored on separate instances of Information Manager. For example, if you created an archive that is exclusively used for antivirus events, you can choose to search the contents of that single archive or any combination of archives. By organizing events into individual archives, you can improve the performance of the queries used.

When an event is received, the event is evaluated against the filter criteria in the order that is listed for the event filters in the console. Beginning with the first filter in the list, the event is passed through the filter to see if there is a match. If a match is found, the event is stored in the archive that you have specified for that filter, and event storage is complete. If the event does not match, it moves to the next filter in the list for evaluation. If no match is found in any of the filters that you have created, the event falls into the default archive.


To create a new event archive, you create a set of event filters that are used to distribute the events into the appropriate archive. When you define a filter that specifies an archive in which the events are stored, you define a subfolder on the server that behaves as a separate archive.

See “About event archives” on page 224.

Creating new event archives

When you install the Information Manager, a single archive is created by default.

Note: An archive ID must be unique throughout the entire Information Manager domain. You cannot use the same archive ID in any other Event Storage Rule on any other server in the Information Manager domain.

See “About event archives” on page 224.

To create a new event archive

1 On the console of the Information Manager client, click System.

2 In the left pane of the Server Configurations tab, expand the tree for the Information Manager server you want to configure, and click Event Storage Rules.

3 Click the Add (plus sign) icon.

4 In the Archive Rule Properties dialog box, in the Rule name field, type a name for the new archive.

5 In the Inclusion Filter area, add the criteria for the events that you want to store. For example, to store all Information Manager System events in this archive, the filter would be Product = SSIM System. If you do not select any filter criteria, the archive stores all events by default.

6 In the Enter data retention (days) field, type the number of days that you want the archive to retain the data. Events that are outside of this range are purged.

A setting of 0 for retention days means that events are purged based on their age.

7 In the Max archive quota drop-down list, choose a percentage.

8 In the Free space quota drop-down list, choose a percentage.

9 In the Archive ID field, type an ID if you use customized IDs for archives, or accept the default setting.


10 In the Archive Path field, you can specify a path relative to the Events folder on the server or accept the default path.

The path name that you specify cannot start with a slash, and must be alphanumeric. The path is created in the server’s file system from the /eventarchive folder. For example, if a user entered the archive path as collectors/pix, then a folder in the file system will exist as /eventarchive/collectors/pix.

11 Click OK and then click Apply.

To be able to view new archives in the Events view in the console, you must first log out and then log on again.

Specifying event archive settings

The event archive feature has several settings that determine how much data is stored and how long the data is stored. You can change the default settings in the Information Manager console.

Event archiving is automatically enabled during Information Manager installation. The name of the Information Manager server appears in the left pane of the System view. If you have multiple Information Manager servers or multiple archives, each one appears in the tree.

If you also use direct-attached storage for off-box storage, use the Information Manager Web configuration interface to specify the event archive settings for it.

See “About event archives” on page 224.

After you have configured the event archives, you should verify that the necessary summarizers have been enabled. You can enable the summarizers from the Database option under the Settings view of the Web configuration interface.

To specify event archive settings

1 In the Information Manager console, click System.

2 In the left pane of the Server Configurations tab, expand the tree, including the Information Manager server to configure.

3 Under the Information Manager server, click Event Storage Rules.

4 In the Event Storage Rules area of the details pane, double-click the archive to configure.


5 In the Archive Rule Properties dialog box, change the following as required:

Archive ID
    You can change the Archive ID. However, the ID must be unique across the Information Manager domain.

Rule name
    You can change the name of the rule.

Inclusion filter
    Configure the filters in the list according to your filtering criteria. If there are no filters, all events that the filter processes are stored in this archive.

Enter the data retention (days)
    Specify how long events are stored in the archive before they are automatically deleted.

Max archive quota
    Specify the proportion of server disk space that can be used for storing event archives.
    Note: You should modify the default setting only under the guidance of Symantec personnel. Choosing the wrong setting can cause the server to run out of disk space.

Free space quota
    Specify the proportion of server disk space that must be available to continue storing event archives.
    Note: You should modify the default setting only under the guidance of Symantec personnel. Choosing the wrong setting can cause the server to run out of disk space.

6 Click OK.

7 To enable the rule, in the Event Storage Rules area, select the rule by using the checkbox in the Enabled column.

8 Click Apply.

9 Close the Information Manager console, and then log on to the Information Manager server again.

Events are filtered through the list of archives based on the order of the event archive rules. The first archive in the list that matches the characteristics of the event stores the event, and event archive rule evaluation for that event stops.
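The ordered, first-match evaluation of Event Storage Rules described here and under "About multiple event archives", together with the Archive ID uniqueness and Archive Path constraints from the creation procedure, as an added Python example that is not part of the guide or the product. The rule names, the product and category values, and the sample events are constructed; only the filter Product = SSIM System, the collectors/pix path, and the /eventarchive root come from the guide.

```python
"""Route events into archives with ordered Event Storage Rules (added
example, not product code). Rules are evaluated in list order; the first
enabled rule whose inclusion filter matches stores the event and evaluation
stops; an empty inclusion filter matches every event; an event that matches
no rule falls into the default archive. Archive IDs must be unique across
the domain, and Archive Paths are relative, alphanumeric paths created under
/eventarchive, as the creation procedure requires."""
import re
from dataclasses import dataclass, field

EVENT_ARCHIVE_ROOT = "/eventarchive"
_SEGMENT = re.compile(r"[A-Za-z0-9]+")


def archive_folder(archive_path: str) -> str:
    """Resolve a rule's Archive Path to its folder, or raise ValueError.

    Requiring alphanumeric segments also rejects "." and "..", so a rule can
    never name a folder outside /eventarchive.
    """
    if archive_path.startswith("/"):
        raise ValueError("archive path must not start with a slash")
    if not all(_SEGMENT.fullmatch(seg) for seg in archive_path.split("/")):
        raise ValueError("archive path segments must be alphanumeric")
    return f"{EVENT_ARCHIVE_ROOT}/{archive_path}"


@dataclass
class StorageRule:
    rule_name: str
    archive_id: str
    archive_path: str
    inclusion_filter: dict = field(default_factory=dict)  # field -> required value
    enabled: bool = True

    def matches(self, event: dict) -> bool:
        # No filter criteria means the archive stores all events.
        return self.enabled and all(
            str(event.get(name)) == value for name, value in self.inclusion_filter.items())


def check_rules(rules: list, ids_on_other_servers=()) -> bool:
    """Reject duplicate archive IDs (domain-wide) and invalid paths before Apply."""
    seen = set(ids_on_other_servers)
    for rule in rules:
        if rule.archive_id in seen:
            raise ValueError(f"archive ID {rule.archive_id!r} is already used in the domain")
        seen.add(rule.archive_id)
        archive_folder(rule.archive_path)
    return True


def route(rules: list, event: dict, default_id: str = "default") -> str:
    """Archive ID that stores the event: the first matching rule wins."""
    return next((r.archive_id for r in rules if r.matches(event)), default_id)


def route_all(rules: list, events: list) -> list:
    """Validate the rule set once, then route every event."""
    check_rules(rules)
    return [route(rules, e) for e in events]


# Constructed rules in console order; only "Product = SSIM System" and the
# collectors/pix path come from the guide, the rest are sample values.
RULES = [
    StorageRule("SSIM system events", "ssimsystem", "ssimlogs", {"Product": "SSIM System"}),
    StorageRule("PIX firewall", "pix", "collectors/pix", {"Product": "PIX"}, enabled=False),
    StorageRule("Antivirus", "av", "collectors/av", {"Category": "antivirus"}),
]

# Constructed sample events.
EVENTS = [
    {"Product": "SSIM System"},
    {"Product": "PIX"},                                   # only matching rule is disabled
    {"Product": "SAV", "Category": "antivirus"},
    {"Product": "SSIM System", "Category": "antivirus"},  # two rules match; first wins
]
```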

Creating a local copy of event archives on a network computer

You can copy event archives from the Information Manager server to another computer. Later you can access these archives through an instance of the Information Manager console on that computer. Use this procedure to create a local event archive on a computer on your network.

Warning: Do not copy individual files, because they do not work as expected. You must follow the steps in this procedure to preserve the directory structure, which contains necessary date information. You should also perform this procedure during lower event and incident periods.

See “About event archives” on page 224.

To create a local event archive

1 Make sure that you have sufficient space on the Information Manager server for the .tar file that this procedure generates.

2 In a command window, type the following command:

cd /

3 Type the following command:

tar -cz eventarchive >eventarchive.tar.gz

Information Manager creates a gzip.tar file in the root directory on the server. This file contains all of the event archives on a server, and the archive directory structure. You can also create a copy of a single archive by identifying the archive in the /eventarchive folder and specifying that archive in the command in this step.

4 Transfer the gzip.tar file to the desired location, by using SCP or another method of your choice.

5 Unzip the gzip.tar file.

The events in the new local archive are now viewable in the Information Manager console. The user can view the events only if the user has access to the location where the local archive resides.

See “To view the events that are stored in a local copy of an archive” on page 230.

Restoring event archives

You can view events from the archives that were copied from other computers.

To view the archives that were copied from another computer, you must copy the entire archive folder to the appropriate location. When you copy archives from another computer, only the owner has read and write permissions on the archive folder. Group users and other users do not have any permission on the files and folders. To be able to view events from the archives that were copied from another computer, you must grant read permissions to group and other users. To grant appropriate permissions, you must do the following:

See “About event archives” on page 224.

■ Change the permissions on the files in the destination archive folder from 600 to 644.

■ All folders under the /eventarchive partition should have permissions 755 or (drwxr-sr-x).

■ You must also change the ownership of the folder to sesuser.

To restore archives from another computer

1 Copy the archive folder that you want to the /eventarchive partition into its appropriate location (archive path).

2 All folders under the eventarchive partition should have the owner and group as sesuser:ses.

Run the following commands to change the ownership of the folders:

cd /eventarchive

chown -R sesuser:ses default

chown -R sesuser:ses ssimlogs

3 All folders under the eventarchive partition should have permissions 755 or (drwxr-sr-x). You must change the permissions on the folders to 755 as shown in the following example:

cd /eventarchive

chmod -R 755 default

chmod -R 755 ssimlogs

4 All the files in the archive folders must have the permissions 644 (-rw-r--r--).

You must change the permissions on all the files in the archive folders to 644 as given in the following example:

chmod 644 /eventarchive/default/2009/08/01/1249139954617.edx

You must change the permissions for all the files in the folder.


Viewing event data in the archives

You can view the events for each archive that is created for each Information Manager server in your network. You can also view the events that are stored on the local event archive of the computer on which the console is installed.

You can view event archives in the following ways:

■ Use the preinstalled templates and queries to view the events that are stored in any of the archives that you choose. See “To view the events that are stored in a local copy of an archive” on page 230.

■ Use the Query Wizard to create a query to be executed on a particular archive or set of archives. See “About working with event queries” on page 239.

To view the events that are stored in the event archives

1 In the Information Manager console, click Events.

2 Expand the tree in the left pane to view the events template and query folders.

3 Choose an event query that returns the event data that you want to view. Forexample, in the Templates folder, click the All Events template.

4 In the details pane, select the archives that contain the events that you wantto view.

5 Click RunTemplate, or if you use a query from one of the Query folders, clickRun Query.

To view the events that are stored in a local copy of an archive

1 In the Information Manager console, click Events.

The tree in the left pane displays the ID of the Information Manager server,where the live archive is stored.

2 To access a local archive, click Local Event Archives, click the + icon (theplus sign) on the toolbar, and then navigate to the location of the archive.

3 Select Add Archive.

4 Click All Events under the appropriate address in the left pane.

5 Select Local archive, and click Run template.

Archived event data is displayed in a histogram in the right pane.


To save displayed data to a file

1 After you have run the template or query, click the Export icon on the toolbar.

2 Navigate to the location where you want to save the file, and type a name in the File name box.

3 Click Save.

To remove a local archive from the viewer

1 In the left pane, click the name of the local archive that you want to remove.

2 Click the – icon (the minus sign) on the toolbar.

Information Manager removes the event archive from the viewer. You can now use the left pane to navigate to a different event archive.

About the event archive viewer right pane

The right pane of the event archive viewer contains the following components, which you can manipulate to display the data that you want:

■ Event data histogram

■ Event details table

See “Viewing event data in the archives” on page 230.

Manipulating the event data histogram

The X-axis of the event data histogram is the time dimension, and the Y-axis is the event count (by default). To identify specific time periods, move the mouse over the histogram and hover (without clicking) on one bar at a time. A label displays the date, time, and number of events that correspond to that bar.

Note: The histogram is available only for the All Events Query.

See “Viewing event data in the archives” on page 230.

The toolbar above the histogram includes several tools to change the appearance of the histogram to help you access the information that you want. You can manipulate the histogram in the following ways:

■ To change the timeframe of the view, select an option from the View drop-down list; for example, select Last 12 hours. You can also choose a custom view. See “Setting a custom date and time range” on page 232.

■ To expand the amount of data that is displayed in the current view of the histogram, click the Zoom Out icon. If you keep clicking, you gradually display the entire dataset in this window. To gradually narrow the amount of data that is displayed in the current view of the histogram, click the Zoom In icon.

■ To change the time resolution on the x-axis, make a selection from the Resolution drop-down list. For example, select Hours to group the data in hour-long units.

■ To search for a specific time period and event type, click the Filter icon. The Event Filter dialog box that appears lets you choose a time range and filter criteria. See “To filter with the advanced filter option” on page 238.

■ To move forward and backward in time, click the right-facing and left-facing arrows beside the histogram.

■ To change the y-axis to display events per second, select Events per second. To return to the event count, select Event Count.

Setting a custom date and time range

If you want to fine-tune the period of time that is displayed in the histogram, select a custom view.

See “Viewing event data in the archives” on page 230.

To set a custom date and time range

1 On the toolbar, click the calendar icon, next to the View selection box.

2 In the Archive Time Range dialog box, in the Between: box, choose the start date and time of the time range.

You can type the information in the box or use the up and down arrows. You can also click the calendar icon and then set the date and time on the Calendar dialog box.

3 In the and: box, choose the end date and time of the time range.

You can type the information in the box or use the up and down arrows. You can also click the calendar icon and then set the date and time on the Calendar dialog box.

4 Click OK.

The event data histogram now displays data for the time range that you selected.

About viewing event details

In the lower area of the right pane, you can display a table that contains details for the entire range of events in the histogram. The table can also display a selected portion of the events.


See “Viewing event data in the archives” on page 230.

You can show details in the following ways:

■ To display details for the entire set of events in the histogram, click the Select All (green check) icon on the toolbar. To remove all event details from the table, click the Deselect (red X) icon on the toolbar.

■ Click one of the bars in the histogram to display event details for the time period that is displayed in the bar.

■ To select a time range, click any bar on the histogram, and then press the Shift key and click another bar on the histogram. The table displays details for all of the events in that time range.

In the lower-right corner of the details table, you can see the total number of events that are selected within the displayed subset. You also can see the total number of events in the displayed subset. To view the next group of events, click the forward arrow in the lower-right corner of the table. To view all of the details in one event record, double-click one row in the table.

Modifying the format of the event details table

Each column in the event details table represents one field from the event record. You can add, delete, and reorganize the columns in the table.

Note: An event record may include several date fields. Most events have a single event date, which is the time when the event occurred (not the date when Information Manager captured the event). In this case, the Event Date value and the Ending Event Date value are identical.

Note: If an event represents an aggregation of activity that takes place over a period of time, Event Date is the beginning of the time period. Ending Event Date is the end time.

Occasionally the event service registers an event with an incorrect Event Date or Ending Event Date. Information Manager corrects the times in these fields and stores the original (incorrect) times in the Original Event Date and Original Ending Event Date fields.

See “Viewing event data in the archives” on page 230.


To add, delete, and organize table columns

1 Right-click on a column heading, and click Add Column.

In the Column Filter dialog box that appears, the Selected Columns box shows all of the fields currently in the table.

Occasionally a collector sends data to Information Manager that does not correspond to any fields that are defined in the existing schema. When this scenario occurs, the Column Filter dialog box displays the raw field name from the collector: for example bugtraq_ids. This scenario may also occur if a collector's SIP is not installed on the server.

2 Complete any of the tasks:

■ To add a column, click a field name in the Available Columns box, and click Add. You may also use the Ctrl key to select multiple field names, and click Add.

■ To add all of the available columns, click Add All.

■ To delete a column, click one or more field names in the Selected Columns box, and click Remove.

■ To delete all of the columns, click Remove All.

■ To change the position of a column, click a field name and click Move Up or Move Down until the name is in the desired position. You can also click Move To Top or Move To Bottom.

3 When you finish making changes, click OK.

The changes are reflected in the event details table.

After you have modified the event details table to display the data that you want, you must save it as a query. By saving it as a query, you can see the same data and the same format the next time you log on to the Information Manager server.

See “To save the modified table format” on page 234.

To save the modified table format

1 After you finish modifying the table format, click the Save View icon.

2 Type a query name, and click OK.

The query is saved in the My Queries folder in the tree pane. The next time that you log on to Information Manager, you can select that query. The table format appears the way that you modified and saved it.


Searching within event query results

When you perform an event query, you can search for a specific event that is within the initial query results. You can perform a text search or use regular expressions to further refine the search. You can choose whether the search spans all of the available event fields or a specific field.

See “Viewing event data in the archives” on page 230.

To search within event query results

1 After you run the query, in the Events table in the bottom pane, click Search for events.

2 In the Search Events dialog, in the Text Search field, type the text or regular expression.

3 In the Options area, place a check next to the appropriate options. If the text is a regular expression, ensure that Regular Expression is checked.

4 In the Look in area, take the following action:

■ If you want to search in all of the available fields for the set of events, click All fields.

■ If you want to search for a value that is stored in a specific field, click Selected field, and from the drop-down list, choose the field.

5 Click Search. The results are displayed in the events table.

6 In the Search Events dialog, click Close.

7 After you have analyzed the search results, to return to the original query data, click Reset event search.

Filtering event data

You can filter event data in the following ways:

■ Filter on an individual cell in the event details table. You can filter on a cell that has data in it. Information Manager displays only the rows that have the same value in that column. You can also filter on an empty cell, and Information Manager displays only the rows in which that column is not empty.

■ Use the advanced filter option to select multiple filtering conditions in one operation.

■ Filter based on unique column value. This filter creates a snapshot of the events that were returned for the query based on the column that you chose for the filter. For example, in the query results for an All Events query, if you right-click any value in the Product column and choose Filter on unique column value, Information Manager creates a condensed view of the results that shows which product names occur in that column. If you had 5000 events returned that only involved three products, filtering on unique column value in the Products column creates a snapshot that shows that those three products were the only products that are returned in the results.

An additional filtering method is a sort of hybrid of an advanced filter and filtering on a cell. It is called filtering manually on a cell, and it lets you create a more complex query than the cell filtering method. However, it presets the first filtering condition for you.

See “To filter manually on a table cell” on page 237.

To filter on a table cell

1 Right-click the cell that you want to use as the filter condition.

For example, to display only level 3 events, right-click a cell with severity level 3 in the Severity ID column.

2 Click Filter on cell. If you right-clicked an empty cell, click Filter where cell is not empty.

One of the following occurs:

■ If you clicked Filter on cell, a new table displays only the events that have the same value as the cell where you clicked: for example, severity level 3. The table has a tab at the top that is labeled Untitled.

■ If you clicked Filter where cell is not empty, a new table displays all rows in which this cell is not empty.

3 Take any of the following actions:

■ To save the displayed view as a query, click the Save View icon. Then type the query name and click OK. If you view event data from a local archive, you cannot save the view as a query. Saving a query works only when you view event data from the live archive on the Information Manager server.

■ To filter the displayed data even further, repeat steps 1 and 2, or use the advanced filter option. See “To filter with the advanced filter option” on page 238.

■ To delete the table, click the red X in the upper right corner.

If no events meet the filter criteria, Information Manager displays a blank table. If a very large number of events meet the filter criteria, it may take a long time for the data to display. If you want to stop the search and view the events that Information Manager has found so far, click Cancel.


To filter manually on a table cell

1 Right-click a cell that you want to use as a filter condition.

For example, to display only level 3 events, right-click a cell with severity level 3 in the Severity ID column.

2 Click Manually filter on cell. If you right-clicked an empty cell, click Manually filter where cell is not empty.

The Event Filter dialog box appears. One of the following occurs:

■ If you clicked Manually filter on cell, the first condition in the Filter criteria area contains the value of the cell in which you clicked. In this example, the condition would display Severity ID = 3.

■ If you clicked Manually filter where cell is not empty, the Filter criteria area displays the column name with the condition null.

3 To add more filter conditions, click the + icon (the plus symbol).

4 Click the first drop-down box, and then click an event field that you want to use as a filter.

5 Click the drop-down box to the right of the event field, and then click an operator: for example, the equals (=) symbol.

6 Click the drop-down box at the far right, and then click or type a value.

7 Take any of the following actions:

■ To add more conditions, repeat steps 3 through 6. Use the AND and OR logical operators as needed. The default operator is AND. To change it to OR, press Ctrl, and then click on the desired boxes, then click OR.

■ To remove a field, click on the row and then click the – icon (the minus sign).

■ To ungroup conditions, select two or more rows (Ctrl + click) and then click Ungroup.

■ In the Time range area, select the desired time range.

8 Click Preview if you want to view the filtering statement that you created. Click Preview again if you want to add or change filtering criteria.

9 When you finish creating the query, click OK.

A new table displays only the events that meet the criteria in the query. The table has a tab at the top that is labeled Untitled.

10 Take one of the following actions:


■ To save the displayed view as a query, click the Save View icon. Then type the query name and click OK. If you view event data from a local archive, you cannot save the view as a query. Saving a query works only when you view event data from the live archive on the Information Manager server.

■ To filter the displayed data even further, repeat the previous steps, or use the procedure for filtering on a table cell. See “To filter on a table cell” on page 236.

■ To delete the table, click the X in the upper right corner.

If no events meet the filter criteria, Information Manager displays a blank table. If the number of events that meet the filter criteria is large, it may take a long time for the data to display. If you want to stop the search and view the events that Information Manager has found so far, click Cancel.

To filter with the advanced filter option

1 Click Filter at the top of the table.

2 In the Event Filter dialog box, select the desired time range.

3 In the Filter criteria area, click the + icon (the plus symbol).

4 Click the first drop-down box, and then click an event field that you want to use as a filter.

5 Click the drop-down box to the right of the event field, and then click an operator: for example, the equals (=) symbol.

6 Click the drop-down box at the far right, and then click or type a value.

7 Take any of the following actions:

■ To filter on only one field, go to step 8.

■ To add more conditions, repeat steps 2 through 6. Use the AND and OR logical operators as needed. The default operator is AND. To change it to OR, press Ctrl, and then click on the desired boxes, then click OR.

■ To remove a field, click on the row and then click the – icon (the minus sign).

■ To ungroup conditions, select two or more rows (Ctrl + click) and then click Ungroup.

8 Click Preview if you want to view the filtering statement that you created. Click Preview again if you want to add or change filtering criteria.


9 When you finish creating the query, click OK.

A new table displays only the events that meet the criteria in the query. The table has a tab at the top that is labeled Untitled.

10 Take one of the following actions:

■ To save the displayed view as a query, click the Save View icon. Then type the query name and click OK. If you view event data from a local archive, you cannot save the view as a query. Saving a query works only when you view the event data from the live archive on the Information Manager server.

■ To filter the displayed data even further, repeat the previous steps, or use the procedure for filtering on a table cell. See “To filter on a table cell” on page 236.

■ To delete the table, click the red X in the upper right corner.

If no events meet the filter criteria, Information Manager displays a blank table. If the number of events that meet the filter criteria is large, it may take a long time for the data to display. If you want to stop the search and view the events that Information Manager has found so far, click Cancel.

To filter within the results of a query

1 Click Filter at the top of the table.

2 In the Event Filter dialog box, select the desired time range.

3 In the Filter criteria area, on the Filter Within Results tab, create the filter criteria using the table provided.

See “To filter with the advanced filter option” on page 238.

4 When you are finished creating the criteria, click OK.

To filter on unique column values

1 After you run an event query, right-click a column that you want to use as a filter condition.

2 Click Filter on unique column values.

About working with event queries

You can query the event archives in the following ways:

■ Import a query from another location and save it in the My Queries folder or the Published Queries folder. See “To import a query” on page 250.


■ Use the Query Wizard to create a query against the event archives (event query). See “To create an event query” on page 243.

■ Use the Query Wizard to create a query against the summarized event data (summary query). See “To create a summary query” on page 244.

■ Use the Query Wizard to create a custom SQL query against the summarized event data (SQL query). See “To create an SQL query” on page 246.

After you create and save a query, you can insert it on the dashboard and use it in reports.

You can also schedule queries to be distributed as reports in the CSV format.

See “Scheduling queries that can be distributed as reports” on page 337.

Using the Source View query and Target View query

The Source View query and Target View query replace the Source and the Target views that were available in previous versions of Information Manager. These queries return the IP address and host name of each system that Information Manager identifies. After you run either query, you can double-click an entry in the list to view the incidents and the tickets that are associated with that host. If the host is not already an asset, you can add the host to the assets table by selecting the host and clicking Create Asset.

Note: The Source View query and Target View query cannot be modified in the My Queries or the Published Queries folders.

See “About working with event queries” on page 239.

To use the Source View query or the Target View query

1 In the Information Manager console, click Events.

2 In the left pane, click System Queries > SSIM > SSIM.

3 Select either the Source View query or the Target View query.

4 Select the database to query, and click Run Query.

5 When you view the results, you can do the following:

■ To create an asset from a host in the list, click the host, and click Create Asset.


■ To view the incidents or the tickets that are associated with a host, click Details. You can also double-click the entry.

■ To refresh the view, click Refresh.

■ To export the current view to a file, click Export current view.

Creating query groups

You can create query groups in the My Queries and the Published Queries folders of the Events view of the Information Manager console. You can also create query group subfolders in each of these folders.

See “About working with event queries” on page 239.

To create a query group

1 In the left pane of the Events view, right-click either My Queries or Published Queries, and click Add Query Group.

2 (Optional) Type the group name and the group description, and click OK.

The name of the new query group appears as a subfolder under the folder you selected in step 1.

Querying across multiple archives

When you run a query, you can choose to retrieve event data from multiple archives. The query description includes a list of all of the known archives in the right pane of each query.

In some cases, the query that you run may include archives that are unavailable. For example, if you save a query and then run it later, a change may have been made that makes an archive unavailable. If you run a query using Run Query on the Events view and an archive is unavailable, when the query runs you are prompted to choose from the following options:

OK: Allows the query to continue to run on any other archives that are part of the query and that are available.

Ignore: Same as OK, except that you are not prompted again in the current session for that archive if it continues to be unavailable.

Ignore all: Same as OK, except that you are not prompted for any of the unavailable archives in the current session.


Note: When you run a scheduled report, Information Manager generates the report using the available archives if an archive is unavailable. You are not notified of an unavailable archive when the report is created, and no indication is given in the generated report.

When scheduled reports are executed, queries run on all available archives and skip the archives that are not accessible. Therefore, results can be inaccurate. The user is not warned that some archives were not processed.

To query across multiple archives

1 In the Information Manager console, click Events.

2 In the left pane, navigate to the desired query and select it.

3 In the right pane, under Please select archives to query, place a check in the checkbox for each archive that you want to include.

4 If necessary, configure any of the other required fields, and then click Run Query.

Some queries may take longer than others to return the expected results. If a query may return a large amount of data, create a scheduled report to run the query at a specified time.

See “About working with event queries” on page 239.

Creating custom queries

You can create a custom query using different methods and save it for reuse. When you create a query, you must assign it a unique name. Be sure to follow these rules for assigning a valid query name:

■ It must not be null.

■ It must have at least one alphanumeric character.

■ It must consist only of alphanumeric characters and the white spaces that are created with the space bar.

■ It must not exceed 64 characters, including alphanumeric characters and white spaces.

See “About working with event queries” on page 239.
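The four naming rules above are easy to check before a name reaches the console, for instance when a script prepares queries for import. The following shell function is an added example, not part of the Symantec guide; its name is this example's own, and it assumes that "alphanumeric" means ASCII letters and digits, which the guide does not spell out.

```shell
#!/bin/sh
# Added example (not part of the Symantec guide): validate a proposed
# query name against the four rules the guide lists. The function name is
# this example's own. "Alphanumeric" is assumed to mean ASCII letters and
# digits; LC_ALL=C keeps the A-Z and a-z ranges ASCII in every locale.
set -eu
LC_ALL=C
export LC_ALL

# valid_query_name NAME
# Returns 0 for a valid name and 1 otherwise, printing the violated rule.
valid_query_name() {
    name="$1"
    # Rule 1: the name must not be null (empty).
    if [ -z "$name" ]; then
        echo "invalid: name is empty" >&2
        return 1
    fi
    # Rule 3: only letters, digits and the plain space character. Tabs,
    # newlines and punctuation all fall outside the bracket expression.
    case $name in
        *[!A-Za-z0-9\ ]*)
            echo "invalid: only letters, digits and spaces are allowed" >&2
            return 1 ;;
    esac
    # Rule 2: at least one alphanumeric character (spaces only is rejected).
    case $name in
        *[A-Za-z0-9]*) ;;
        *)
            echo "invalid: needs at least one letter or digit" >&2
            return 1 ;;
    esac
    # Rule 4: at most 64 characters, spaces included. Rule 3 has already
    # limited the name to ASCII, so the byte count equals the character count.
    if [ "${#name}" -gt 64 ]; then
        echo "invalid: longer than 64 characters" >&2
        return 1
    fi
    return 0
}

# Command-line use: exits 0 when the argument is a usable query name.
if [ "$#" -ge 1 ]; then
    valid_query_name "$1"
fi
```

Rule 3 is checked before rule 4 on purpose: once the name is known to be ASCII, the shell's byte-based length is a reliable character count, which it would not be for a name containing multibyte characters.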


To create an event query

1 In the left pane of the Events view, navigate to the location where you want to save the query. You can save the query in the My Queries folder or the Published Queries folder. The My Queries folder is available only to you. The Published Queries folder is available to you and other users. You can also save the query in a query group folder under either of these folders.

2 Right-click the name of the folder where you want to save the query, and click Query Wizard.

3 On the first panel of the Query Builder Wizard, select Event Query, and click Next.

4 Select the event query type, and then click Next.

Select a query from the following query types that are displayed:

■ Event Details: Generates a table that contains all of the fields in the event archive.

■ Event Counts by Field: Generates a Top N summary query that is sorted by the field that you select in the By box. You also select the event count value in the Top box.

■ Trending Event Counts by Field: Generates a trend of the events over the selected time period.

5 In the Archives area, you can select the archive that you want to query. By default, the Prompt at run-time option is selected. This option lets you select the archives at run-time. You can uncheck the default option and select the archive that you want to query.

6 Specify the time range and filter criteria in one of the following options:

■ If you select View, select a time-period option from the drop-down list.

■ If you select Between, use the calendar drop-down lists to set the time range.

■ If you select Complete, Information Manager queries the entire event archive.

■ If you want to filter the data, specify the filter criteria. See “To filter with the advanced filter option” on page 238.

7 Click Next and then choose the columns that must be displayed.

8 Click Next.

One of the following panels appears:


■ If you selected Event Details in step 4, the Archive Events panel appears. Go to step 12.

■ If you selected Event Counts by Field in step 4, the Chart Presentation panel appears. Go to step 9.

A panel displays a sample table that is based on the filtering options that you selected.

9 Click Chart Properties and use the Chart Type drop-down box to select a type. For example, you can select a pie chart or a table. You may also change the chart's orientation, and you may choose to show the legend for chart types other than Table. Optionally, you may assign the following labels:

■ A title to appear above the table or graph (not necessarily the same as the query name)

■ Labels for the y-axis and the x-axis, for some chart types

■ A footer, for table charts

10 If you want to see a preview of the query results, click Preview.

11 When you finish customizing the appearance of the chart, click Next.

A chart sample appears, displaying the title and any labels that you assigned.

12 In the Query Name box, type the name that you want to appear in the left pane. Be sure to use only alphanumeric characters in the query name.

If this query is an Event Details query, you can click Preview to see a preview of the query results.

13 Click Finish.

The query is saved, and its name appears under the folder that you selected in the left pane. The query results appear in the right pane.

To create a summary query

1 In the left pane of the Events view, navigate to the location where you want to save the query. You can save the query in the My Queries folder or the Published Queries folder. The My Queries folder is available only to you. The Published Queries folder is available to you and other users. You can also save the query in a query group folder under either of these folders.

2 Right-click the name of the folder where you want to save the query, and click Query Wizard.

3 On the first panel of the Query Builder Wizard, select Summary Query, and click Next.

4 Select a database and then click Next.

Managing event archives: About working with event queries

244

5 In the Summary Table box, expand Events, and select a table from the list of presummarized tables in the database.

A description of the table appears in the Table Description box. The icon next to the table name indicates its type, which is spelled out in the Legend box.

6 After you select the table that you want, click Next.

7 Select a column index from the drop-down list.

A list of indexed fields from the database index appears in the Display Columns area.

8 Click to select one or more columns to display in the query, and click Next.

9 Specify the time range:

■ If you select View, select a time-period option from the drop-down list.

■ If you select Between, use the calendar drop-down lists to set the time range.

■ If you select Complete, Information Manager queries the entire event archive.

10 If you want to filter the data, specify the filter criteria, and click Next.

See “To filter with the advanced filter option” on page 238.

11 Sort the columns in the query (optional for use with the Table format).

See “To sort columns in a summary query” on page 246.

12 Click Chart Properties and use the Chart Type drop-down box to select a type. For example, you can select a pie chart or a table. You may also change the chart's orientation, and you may choose to show the legend for chart types other than Table. Optionally, you may assign the following labels:

■ A title to appear above the table or graph (not necessarily the same as the query name)

■ Labels for the y-axis and the x-axis, for some chart types

■ A footer, for table charts

13 Click Next.

A query sample appears, displaying the title and any labels that you assigned.


14 In the Query Name box, type the name that you want to appear in the left pane. Be sure to use only alphanumeric characters in the query name.

15 Click Finish.

The query is saved, and its name appears under the folder that you selected in the left pane. The query results appear in the right pane.

When you view the results of a Summary query, clicking chart elements to view the details for that portion of the chart is not supported.

Symantec recommends that you disable summarizers on the Web configuration interface if you do not use summary queries. The summarizers are maintained in Symantec Security Information Manager 4.7 only to provide backward compatibility with previous versions of Information Manager. The summarizers are listed under Settings > Database > Event Summarizers on the Web configuration interface.

To sort columns in a summary query

1 On the right side of the Column Sorting panel, click Add Column.

2 Click in the Sort Column, and select a field to be sorted in the query table.

3 Click Asc (ascending) or Desc (descending) to determine the order in which the data in the column appears.

4 Repeat steps 1 through 3 if you want to sort more fields.

5 Use the other icons (for example, Move Up) until you have the columns arranged in the proper order.

6 For Max Rows Return, take one of the following actions:

■ To return every row in the database, click All.

■ To return a specific number of rows, click Top, and select a number.

7 Click Next to continue creating a summary query.

Return to the step in which you select the format for the query results.

See “To create a summary query” on page 244.

To create an SQL query

1 In the left pane of the Events view, navigate to the location where you want to save the query. You can save the query in the My Queries folder or the Published Queries folder. The My Queries folder is available only to you. The Published Queries folder is available to you and other users. You can also save the query in a query group folder under either of these folders.

2 Right-click the name of the folder where you want to save the query, and click Query Wizard.


3 On the first panel of the Query Builder Wizard, select Advanced SQL Query, and click Next.

Note: You must be a member of the Domain Administrators group to create and execute Advanced SQL Queries.

4 Select a database and then click Next.

5 In the text box, type or paste an SQL statement. The following actions are optional:

■ In the Maximum rows box, select the maximum number of rows to appear in the table.

■ View a list of tables and fields in the database by clicking Show Schema.

6 Click Test Query.

Information Manager runs the SQL query and displays the result in table form. While the query runs, you may stop it by clicking Stop Query.

7 Repeat steps 5 and 6 until you are satisfied with the query, and click Next.

8 Click Chart Properties and use the Chart Type drop-down box to select a type. For example, you can select a pie chart or a table. You may also change the chart's orientation, and you may choose to show the legend for chart types other than Table. Optionally, you may assign the following labels:

■ A title to appear above the table or graph (not necessarily the same as the query name)

■ Labels for the y-axis and the x-axis, for some chart types

■ A footer, for table charts

9 If you want to see actual data in a preview chart, click Preview.

10 When you finish customizing the appearance of the chart, click Next.

A chart sample appears, displaying the title and any labels that you assigned.

11 In the Query Name box, type the name that you want to appear in the left pane. Be sure to use only alphanumeric characters in the query name.

12 Click Finish.

The query is saved, and its name appears under the folder that you selected in the left pane. The query results appear in the right pane.


Editing queries

You can edit any query in the My Queries folder or the Published Queries folder. If you want to edit a predefined query or use one as a template, you can make a copy of the predefined query and then paste it into the My Queries folder or the Published Queries folder.

See “About working with event queries” on page 239.

Note: If you cannot view queries on the Events view, your role may lack the necessary permissions. You must have Read and Search permission for the appropriate query groups and the database. A user who is a member of an Administrator role can assign permissions.

Table 12-1 provides some examples of the methods with which you can edit predefined queries to suit your needs.

Table 12-1 Predefined query editing examples

Query group in System Queries: Product Queries > MS SQL Server
Query: Database Failed Logins
Field: Product
Sample modifications: In the Filter criteria, change the Product code to create an identical query for Oracle.

Query group in System Queries: Security Queries > Firewall
Query: Blocked Connections on Port 80 or 443 by IP address
Fields: Time range (View); Filter criteria
Sample modifications:

■ To increase the queried time period, change the time range from Last week to Last month.

■ To query a different port, change the value for IP Destination Port in the Filter criteria.

■ After changing the port, rename the query to reflect the new port number. Right-click the query name, and then select Rename.

Query group in System Queries: SSIM > SSIM system
Query: SSIM Failed Logins
Field: Filter criteria
Sample modifications: In the Filter criteria, add a filter to show only events with Severity ID=4.


Note: In a tabular query, you can add and remove columns from the table in which data is displayed. However, if you place the modified query in a report, the column changes do not persist. You must insert the query in the report, and then add and remove table columns.

To edit a predefined query

1 In the Information Manager console, click Events.

2 In the left pane, navigate to the desired query in the System Queries folder and select it.

3 Drag and drop the query into the My Queries folder or the Published Queries folder. A customizable copy of the query is created.

4 In the new folder, right-click the query name, and then select Edit Query.

5 Modify the desired query parameters, and then click OK.

Managing the color scheme that is used in query results

When you run a query, you can use a customized color scheme for the queries that are displayed in chart format. You can add or remove colors, and change the order in which they appear in the query results view. You can then save your changes as a template.

To create a customized color template

1 In the Information Manager console, click System.

2 Click the Administration tab.

3 Expand the domain tree, and then click Reporting.

4 Click Add Color.

5 In the Add Color box, on the Swatches tab, make your selection. You can make additional adjustments to the color on the HSB and the RGB tabs.

6 Click OK.

7 If you want to move up the color in the reporting list, click Move Up.

8 When you have finished making your modifications, click Create Template.

9 Type a name for the template, and then click OK.

To adjust the color configuration in an existing template

1 In the Information Manager console, click System.

2 Click the Administration tab.


3 Expand the domain tree, and then click Reporting.

4 From the drop-down menu, select the template you want to modify.

5 After you make your changes, click Create Template.

6 Type the name of the modified template, and then click OK.

See “About working with event queries” on page 239.

About querying for IP addresses

When you create a custom SQL query for an IP address, Information Manager returns an integer value of the address. To return an IP address in the more familiar nnn.nnn.nnn.nnn format, use the following macro in your SQL query.

SELECT CASE WHEN E.SOURCE_IP >= 0 THEN
    rtrim(char(mod(E.SOURCE_IP/16777216,256))) || '.' ||
    rtrim(char(mod(E.SOURCE_IP/65536,256))) || '.' ||
    rtrim(char(mod(E.SOURCE_IP/256,256))) || '.' ||
    rtrim(char(mod(E.SOURCE_IP,256)))
  ELSE
    rtrim(char(mod((4294967296 + E.SOURCE_IP) / 16777216, 256))) || '.' ||
    rtrim(char(mod((4294967296 + E.SOURCE_IP) / 65536, 256))) || '.' ||
    rtrim(char(mod((4294967296 + E.SOURCE_IP) / 256, 256))) || '.' ||
    rtrim(char(mod(4294967296 + E.SOURCE_IP, 256)))
  END as "Source IP"
FROM SYMCMGMT.SYMC_SIM_EVENT E
WHERE <Parameter to filter events>

See “About working with event queries” on page 239.

For more information, refer to your SQL manual.
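The macro above decodes a signed 32-bit integer one octet at a time. The following Python is an added example, not part of the Symantec guide: it reproduces the same arithmetic for both branches of the CASE, and adds the reverse conversion so that an address can be written into the WHERE clause in the integer form the column stores. It assumes SOURCE_IP is a signed 32-bit integer column, which the macro's >= 0 test and its 4294967296 offset imply.

```python
"""Convert between dotted-quad text and the signed 32-bit integer form that
the Information Manager SQL macro decodes.

Added example, not from the Symantec guide. It assumes SOURCE_IP is a signed
32-bit integer column (the macro's >= 0 test and 4294967296 offset imply
this). All sample addresses below are constructed.
"""

UINT32_MODULUS = 4294967296        # 2**32, the offset the macro adds to negatives
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


def stored_ip_to_dotted(stored: int) -> str:
    """Same arithmetic as the SQL CASE expression.

    Addresses at or above 128.0.0.0 are stored as negative integers; the
    ELSE branch of the macro lifts them back into 0..2**32-1 before taking
    each octet as value / (2**24, 2**16, 2**8, 1), reduced mod 256.
    """
    if not INT32_MIN <= stored <= INT32_MAX:
        raise ValueError(f"not a signed 32-bit value: {stored}")
    value = stored if stored >= 0 else UINT32_MODULUS + stored
    octets = (
        (value // 16777216) % 256,
        (value // 65536) % 256,
        (value // 256) % 256,
        value % 256,
    )
    return ".".join(str(o) for o in octets)


def dotted_to_stored_ip(address: str) -> int:
    """Reverse conversion, for writing a literal into the WHERE clause.

    Validates the text strictly (four ASCII decimal octets, each 0..255) so
    a malformed string is rejected instead of silently becoming a number.
    """
    parts = address.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {address!r}")
    octets = []
    for part in parts:
        if not (part.isascii() and part.isdigit()) or len(part) > 3 or int(part) > 255:
            raise ValueError(f"bad octet {part!r} in {address!r}")
        octets.append(int(part))
    unsigned = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
    # Fold back into the signed range the column uses.
    return unsigned - UINT32_MODULUS if unsigned > INT32_MAX else unsigned


def source_ip_predicate(address: str) -> str:
    """Build the 'E.SOURCE_IP = <n>' fragment that can stand in for the
    macro's <Parameter to filter events> placeholder (hypothetical usage)."""
    return f"E.SOURCE_IP = {dotted_to_stored_ip(address)}"


if __name__ == "__main__":
    # Constructed sample values covering both branches of the macro.
    for sample in ("10.0.0.1", "192.168.1.10", "255.255.255.255", "128.0.0.0"):
        stored = dotted_to_stored_ip(sample)
        print(f"{sample:>16} -> stored {stored:>12} -> {stored_ip_to_dotted(stored)}")
        assert stored_ip_to_dotted(stored) == sample
```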

Importing queries

Information Manager lets you import a query (a file with the .qml extension) from a folder on your computer. You can place the query in the My Queries folder, the Published Queries folder, or in any query group in one of those folders.

To import a query

1 In the left pane of the Events view, click on the location where you want to save the query. You can save the query in My Queries (available only to you) or Published Queries (available to you and other users). You can also save the query in a query group folder under either of these folders.

2 On the toolbar, click Import Query.


3 Browse to the location where the query resides, and click the name of the query file.

4 Click Open.

The name of the query appears in the left pane under the folder that you selected. The results of the query appear in the right pane.

See “About working with event queries” on page 239.

Exporting queries

You can save a query in a different location. For example, you can save a query as a file on a computer hard drive or CD. You can then attach the query to an email message or copy it to another computer. The export feature also lets you export a System Query, which you can then import into the My Queries folder or the Published Queries folder for editing.

To export a query to a file

1 In the left pane of the Events view, click the name of the query that you want to export.

The query parameters appear in the right pane.

2 On the toolbar, click Export Query.

3 In the Save dialog box, navigate to the location where you want to save the file and type a name in the File Name box.

4 Select the file type from the Files of Type drop-down list.

If you want to be able to edit the file, select QML Files as the file type.

5 Click Save.

Information Manager saves the query in the location that you specified.

See “About working with event queries” on page 239.

Publishing queries

You are the only user who can access the queries in the My Queries folder and its subfolders. If you want to make a query available to other users, you can copy it to the Published Queries folder.

To publish a query

1 In the left pane of the Events view, locate the query under My Queries that you want to publish.

2 Right-click the query name, and then click Publish Query.


3 Click Yes to confirm that you want to publish the query.

The query name appears under the Published Queries folder in the left pane.

4 If you want to move the query into a query group under Published Queries,use the mouse to drag the query name to the desired group.

See “About working with event queries” on page 239.

Scheduling queries that can be distributed as reports

You can now schedule queries to be distributed in a report as a CSV file. The Schedule option is available on the Events view when you select a query from the Published and System queries. On saving the scheduled queries in the Events view, the scheduled query reports are created under the Published Reports folder under the Reports view.

You can send the scheduled query reports by email as a compressed CSV file, and make them available by a URL link within the mail. You can also download these reports from the Web configuration interface under Manage Reports > Scheduled Query Reports in CSV format in a compressed file. The maximum row limit of the CSV file is 1 million rows, corresponding to 1 million events. The maximum size of the CSV file that you can send by email is limited to 15 MB.

Note: Scheduled queries are limited to one query only. If the scheduled query contains a chart, it is converted to a table in the created reports.

Note: The Design option is not available for scheduled query reports.

See “About working with event queries” on page 239.

You can schedule the following types of queries:

■ Summary data query

■ Event detail query

■ Custom SQL query

Note: Top N by Field and Trending Event Count by Field queries cannot be scheduled from the Events view as scheduled query reports.


To schedule a query as a report

1 In the console of the Information Manager client, click Events.

2 In the Explorer pane, under Published Queries or System Queries, click the name of the query that you want to schedule and distribute as a report.

3 In the right pane, click Schedule.

4 Type the name of the scheduled query.

5 In the Set Schedule for Query dialog box, specify the time, date, and recipients for the generated reports.

Set the message subject and body text as required.

6 Select the option for CSV attachment or a URL link as required.

When the recipient clicks the link, the report is directly accessible. Note that the user must be logged on to the Web configuration interface using the host name of Information Manager. If the user has logged on using the IP address of Information Manager, then the user is prompted for authentication, after which the report becomes accessible.

7 Take one or more of the following actions as required:

■ To save the query report to the Published Reports folder and close the Set Schedule for Query dialog box without scheduling the query, click OK.

■ To enable the Schedule and Test icons and save the query report in the Published Reports folder, click Save.

■ To ignore any changes that were made since the last save and exit the dialog box, click Cancel.

■ To verify the entered details, click Test to send the query to the specified recipients.

■ To schedule the query, click Schedule.

The published query report is also available under the Scheduled Query Reports option under Manage > Reports on the Web configuration interface.

Deleting queries

If you no longer need a query, you can delete it.

Note: You can delete only the queries under the My Queries folder and the Published Queries folder. You cannot delete the System Queries folder or its contents.


To delete a query

1 In the left pane of the Events view, navigate to the query to delete.

2 Right-click the query name, and then click Delete Query.

3 Click Yes to confirm.

The query name is removed from the list in the left pane.

See “About working with event queries” on page 239.


Chapter 13

Forwarding events to the Information Manager Server

This chapter includes the following topics:

■ About forwarding events to an Information Manager server

■ About registering a security directory

■ Registering Collectors

■ Registering with a security domain

■ Activating event forwarding

■ Stopping event forwarding

About forwarding events to an Information Manager server

Event forwarding lets you create distributed configurations that handle higher event loads more efficiently, because events can be forwarded to multiple servers.

For example, you can set up one event forwarding rule to send all events to Information Manager server A. You can set up another event forwarding rule to send all events to Information Manager server B. This setup is good for redundancy. You can also archive different event types on different systems. You specify different event criteria on each event forwarding rule and point them to the appropriate Information Manager server.

A Collection Server is an instance of the Information Manager server that collects and forwards events from multiple sources to another server. A Correlation Server is an instance of Information Manager on which correlation is enabled and events are received.

For example, you can have multiple Information Manager servers store events from security products. You can then forward only those events that are needed for determining security incidents to a Correlation Server. The Collection Servers store the uncorrelated events (when archiving is enabled) to support compliance with policies such as Sarbanes-Oxley. The Correlation Server processes the forwarded events to allow monitoring of the security incidents in your network.

See “About event archives” on page 224.

During the Information Manager installation process, one default event forwarding rule is created. This rule is created on the Information Manager server to forward events from the event service to the correlation manager at 127.0.0.1. If you have multiple Information Manager servers, you may need to configure this forwarding rule. You can configure the rule to specify the destination Information Manager server to which to forward events. You may also choose to forward events to an event service (port 10012) on the destination server, instead of the correlation manager (port 10010).

You can create additional event forwarding rules on a single instance of Information Manager for backup purposes. You can also create these rules if you want to store certain types of events separately. For example, you can set up one forwarding rule to send events to Information Manager A. You can set up another forwarding rule to send events to Information Manager B. You can define event criteria to filter certain events to be forwarded to Information Manager A. Then you can specify that other types of events are forwarded to Information Manager B.

To configure event forwarding from one server to another, you must do the following:

■ Register the collector of each security product that you want to monitor with the destination Information Manager server.

See “Registering Collectors” on page 258.

■ Use the Web configuration interface of the Information Manager to join the Collection Server with the security directory of the Correlation Server.

■ Configure the Collection Server to forward events.

See “Activating event forwarding” on page 260.

Note: You cannot create incidents manually on an Information Manager server that is configured as a Collection Server. After you set up an instance of Information Manager as a Collection Server, you cannot reconfigure Information Manager to correlate events using software settings.

Forwarding events to the Information Manager Server: About forwarding events to an Information Manager server

256

To forward events through a firewall, make sure to open the ports that are required for the Information Manager servers to communicate.

When the Correlation Server is unavailable, by default the forwarding server continues to queue events until the Correlation Server is available again. If the queue on the forwarding server fills up, the forwarding server stops receiving events. When the forwarding server stops receiving events, the collectors try to queue events until the forwarding server is able to accept events again.

The event criteria determine which events are forwarded to the destination Information Manager server. You set event criteria in the console of the Information Manager client, on the System view, Server Configurations tab. If the Event Criteria pane is empty, all events are sent to the Information Manager server. If you add a condition to the event criteria, only the events that match those criteria are sent.

To view forwarded events, a user in the console of the Information Manager client must have sufficient rights to view those types of events. If the product, domain, or organizational unit of the events does not match those allowed by the role that is assigned to the user, the events do not appear. The ability to view the forwarded events also depends on whether archiving is enabled on the console.

Note: Information Manager Event Services cannot forward events to a Correlation Server if they cannot resolve the host name for which the Correlation Server's SSL certificate was generated. To resolve this problem, add a DNS entry for the IP address and host name of the Correlation Server. You can also generate a new certificate for the Information Manager server that is based on its IP address.

If you forward events to an event service on the destination Information Manager server, you can enable data encryption. The data encryption option is not available when you forward events to a correlation manager.

About registering a security directory

You can register the security directory of an Information Manager server with the security directory of another Information Manager server. The registration can be performed from the Directory Registration view of the Web configuration interface.

Using the Register option on the Directory Registration view configures a Collection Server to use the same LDAP directory as the Correlation Server. After you register, the Collection Server also inherits the same LDAP configuration as the Correlation Server. If the Correlation Server is configured to use a local or a remote LDAP, then the Collection Server uses that database to store event information. However, if the Correlation Server is configured as a Correlation-only Server (event pass-through enabled, events not stored), the Collection Server inherits similar settings. In that case, you must create a new database configuration on the Collection Server if you want to store events in its database.

Note: You can perform a directory registration of an Information Manager server with another Information Manager server. However, the User Filters, User Monitors, User Rules, and User Lookup Tables that existed on the first Information Manager server before registration become unavailable.

For information on creating database configurations, refer to the Help of the Web configuration interface.

When you specify the name of the remote directory to which you register, ensure that you specify the correct domain name. In addition, make sure that you use the correct case (for example, symantec.ses instead of symantec.SES). LDAP directory connections are not case-sensitive, but database connections are. If you use the wrong case, the Collection Server connects to the LDAP directory of the Correlation Server but not to the database. When this situation occurs, no events appear in queries and reports.

See “About events, conclusions, and incidents” on page 221.

Registering Collectors

The Information Manager Web configuration interface provides a page to register and to unregister the configuration settings and event schema. The Information Manager server requires these settings and schema to recognize and to log events from the point product.

You must register the collector for all remote installations. If you use a collector that resides on the Information Manager server, you do not need to install the agent and you do not need to register the collector.


To register a collector

1 Launch the Information Manager Web configuration interface at the following URL:

https://Information_Manager_Host_Name_or_IP_address

Symantec recommends that you use the Fully Qualified Domain Name of the Information Manager.

If you have the Information Manager Client console open, you should close it.

2 From the Information Manager Web configuration interface, click Settings > Collector Registration.

3 On the page that appears, click Register.

4 In the first box provided, type (or click Browse to select) the path to the collector_name.SIP file that was provided with your collector installation package.

You can select paths for up to 5 files.

The default location for this file is the sip/ subdirectory of the collector installation package.

5 Click Begin Registration.

Registering with a security domain

The Directory Registration option on the Settings view of the Web configuration interface lets you add an Information Manager server to the directory of another Information Manager server. Registering an Information Manager server with the security directory of another instance of Information Manager server can take 10 minutes or more.

To register an Information Manager server with the security domain of another Information Manager server

1 Log on as an administrator to the Web configuration interface of the Information Manager server that you want to register with another Information Manager server.

Click Settings > Directory Registration.

2 In the tree pane of the Directory Registration view, click Register.


3 In the details pane, type the following information in the provided boxes:

Host name or IP address: The host name or IP address of the external security directory.

LDAP port: The LDAP communications port that the security directory uses. The default is 636.

LDAP cn=root password: The password for the cn=root account.

Administrator: The domain administrator account on the remote Information Manager server.

Password: The Information Manager domain administrator password for the remote Information Manager server.

Domain: The name of the remote security directory.

4 Click Register.

5 Configure the Information Manager server to forward events to the destination Information Manager server.

See “Activating event forwarding” on page 260.

Activating event forwarding

You can modify the default event forwarding rule, and you can create additional event forwarding rules. You can also delete or modify an existing event forwarding rule.

When an Information Manager server receives the forwarded events, it stores the events according to the Event Storage Rules that are configured for that server.

To specify the archive in which the forwarded events are stored, you must do the following:

■ Configure the forwarding Information Manager server to send the events to the receiving Information Manager server.

■ Configure the receiving Information Manager server to store the events in the appropriate archive.

Note: Before completing the following steps, make sure that you have connected network cabling between the collection and the correlation Information Manager server.

Forwarding events to the Information Manager ServerActivating event forwarding

260

Page 261: Symantec Security Information Manager 4.7.4 User Guidevox.veritas.com/.../Symantec_Security...User_Guide.pdf · Symantec™ Security Information Manager 4.7.4 User Guide Thesoftwaredescribedinthisbookisfurnishedunderalicenseagreementandmaybeused

See “About forwarding events to an Information Manager server” on page 255.

To configure the default event forwarding rule

1 In the console of the Information Manager client, click System.

2 On the Server Configurations tab, expand the Information Manager serverthat forwards the events to the Correlation Server and click EventForwardingRules.

3 In the right pane, double-click the rule.

4 In the Event Forwarding Rules dialog box, in the Inclusion filter area, donot insert any filter criteria. Leaving this area empty ensures that all eventsare forwarded to the default correlation Information Manager server. Youcan create additional event forwarding rules to specify forwarding criteria.

5 Under Primary and Failover Servers, type the host name or IP address ofthe correlation Information Manager server.

You may choose not to configure the failover server. You can also forward tothe servers that are not Correlation Servers. Usually, the failover is configuredto fail over to another collection server.

6 Under Select the service to forward to, select one of the following:

■ To forward events to a Correlation Server, select Correlation Service.

■ To save the events in the destination Information Manager server's eventarchive, select Event Service.If you want the forwarded event data to be encrypted between thecollection servers and the correlation servers, go to step 7

7 To encrypt the event data between the collection servers and the correlationInformation Manager servers, select Event Service (Encrypted).

If you choose to encrypt event data, the data is sent using HTTPS (port 443).

8 By default, event forwarding rules queue events on the host if the destinationInformation Manager server is not available. If you do not want InformationManager to queue events, uncheck Queue events if target service isunavailable.

9 You can enable the Use Persistent Queues option. This option enables allevents to be written on the hard disk queue and then forwarded to thespecified destination. If the destination is not available, the event servicecontinues to write events to the disk queue (without blocking the eventstream). It flushes the queue when it detects that the destination is backonline.

Enabling the PersistentQueues may affect the event forwarding performance.

261Forwarding events to the Information Manager ServerActivating event forwarding

Page 262: Symantec Security Information Manager 4.7.4 User Guidevox.veritas.com/.../Symantec_Security...User_Guide.pdf · Symantec™ Security Information Manager 4.7.4 User Guide Thesoftwaredescribedinthisbookisfurnishedunderalicenseagreementandmaybeused

10 Click OK.

11 Make sure that the appropriate event forwarding rule is selected (enabled)in the pane.

For example, to enable the default event forwarding rule on a collectionInformation Manager server named Denver, select the CorrelationForwarding box under the Denver folder.

12 Click Apply.
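As an added example, not code from the Information Manager product, the following Python sketch models the behaviour that steps 5, 8 and 9 configure: a rule with a primary and a failover destination, an inclusion filter that is empty (forward everything) by default, and a queue on disk that keeps accepting events while both destinations are down and is replayed in order once one of them answers. The Destination class, the one-JSON-object-per-line queue file and the sample events are constructed for the illustration and are not the product's formats.

```python
"""Event forwarding with a primary and failover target and an optional
persistent disk queue. Added example; not Information Manager code."""
import json
import os
import tempfile


class Destination:
    """Constructed stand-in for a Correlation Service or Event Service endpoint."""

    def __init__(self, name, available=True):
        self.name = name
        self.available = available
        self.received = []

    def send(self, event):
        if not self.available:
            raise ConnectionError(f"{self.name} is unavailable")
        self.received.append(event)


class Forwarder:
    """One event forwarding rule: try the primary, then the failover, then queue."""

    def __init__(self, primary, failover=None, queue_path=None, include=None):
        self.primary = primary
        self.failover = failover
        self.queue_path = queue_path                    # None models queueing switched off
        self.include = include or (lambda event: True)  # empty inclusion filter
        self.dropped = 0

    def _deliver(self, event):
        for dest in (self.primary, self.failover):
            if dest is None:
                continue
            try:
                dest.send(event)
                return True
            except ConnectionError:
                continue
        return False

    def forward(self, event):
        """Returns what happened to the event: sent, queued, dropped or skipped."""
        if not self.include(event):
            return "skipped"
        if self._deliver(event):
            return "sent"
        if self.queue_path is None:
            self.dropped += 1
            return "dropped"
        with open(self.queue_path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(event) + "\n")  # append-only, survives a restart
        return "queued"

    def flush_queue(self):
        """Replay queued events in order once a destination answers again.
        Stops at the first failure so ordering is preserved; the rest stay queued."""
        if self.queue_path is None or not os.path.exists(self.queue_path):
            return 0
        with open(self.queue_path, encoding="utf-8") as fh:
            pending = [line for line in fh if line.strip()]
        sent, remaining = 0, []
        for line in pending:
            if remaining or not self._deliver(json.loads(line)):
                remaining.append(line)
            else:
                sent += 1
        with open(self.queue_path, "w", encoding="utf-8") as fh:
            fh.writelines(remaining)
        return sent


# Constructed sample events (not real collector output).
SAMPLE_EVENTS = [
    {"id": 1, "severity": 3, "host": "denver-fw1"},
    {"id": 2, "severity": 1, "host": "denver-fw1"},
    {"id": 3, "severity": 4, "host": "denver-ids1"},
]


def demo():
    """Both targets down: events queue to disk. Failover returns: the queue is
    flushed to it. Primary returns: new events go to the primary again."""
    queue_path = os.path.join(tempfile.mkdtemp(), "forward.queue")
    primary = Destination("correlation-primary", available=False)
    failover = Destination("collection-failover", available=False)
    rule = Forwarder(primary, failover, queue_path=queue_path)

    outcomes = [rule.forward(e) for e in SAMPLE_EVENTS]
    failover.available = True
    flushed = rule.flush_queue()
    primary.available = True
    late = rule.forward({"id": 4, "severity": 2, "host": "denver-ids1"})
    with open(queue_path, encoding="utf-8") as fh:
        left = sum(1 for line in fh if line.strip())
    return {
        "outcomes": outcomes,
        "flushed": flushed,
        "failover_received": [e["id"] for e in failover.received],
        "primary_received": [e["id"] for e in primary.received],
        "late": late,
        "queue_left": left,
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the trade-off the procedure describes: with a queue path the rule never loses an event while both targets are down, at the cost of disk writes on every event; with queue_path set to None (queueing unchecked) the same events are counted as dropped.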

To create a new event forwarding rule

1 In the Information Manager console, click System.

2 On the Server Configurations tab, expand the Information Manager server to which you want to add an event forwarding rule. Click Event Forwarding Rules.

3 On the toolbar, click + (the Add icon).

4 In the Rule name box, type the name of the new rule.

5 By default, all events are forwarded. To limit the types of events forwarded, complete the following steps in order:

■ In the Inclusion filter area, click Add (+).

■ In the left column, click an entry in the Common, Events, or Other Fields tabs.

■ In the middle column, specify a logical operator.

■ In the right column, specify the value that you filter on.

■ Repeat these steps for any other conditions that you want to include.

6 To complete the configuration, click OK.

7 To apply, click Apply.

To delete an event forwarding rule (stop event forwarding to an Information Manager server)

1 In the Information Manager console, click System.

2 On the Server Configurations tab, expand the Information Manager server for which you want to delete an event forwarding rule. Click Event Forwarding Rules.

3 Select the rule to delete.

4 In the toolbar, click Remove (-).

5 Click Apply.


Stopping event forwarding

To stop event forwarding, disable the event forwarding rule from the Server Configurations tab of the System view on the console of the Information Manager server. Disabling the rule keeps its definition so that it can be enabled again later; to remove it permanently, delete the rule as described above.

See “About forwarding events to an Information Manager server” on page 255.


Chapter 14

Understanding event normalization

This chapter includes the following topics:

■ About event normalization

■ About normalization (.norm) files

About event normalization

Normalization occurs when the server receives an event after the collector has harvested the raw data. The normalization process analyzes received event data and adjusts the fields to prepare the data for interpretation by Information Manager, including any applicable rules. A normalization configuration file with a .norm file extension is used to adjust the fields where necessary. The .norm file maps the event fields that the collectors provide to the event fields that Information Manager requires. Normalization accomplishes tasks such as populating empty fields and locating information about source and target.

For example, suppose you want to capture the target IP address consistently. The point product that harvested the data may have placed the IP address in a field whose name does not indicate the nature of its contents: the field name may be ip_address, which does not show whether the IP is the address of the source or the target. Information Manager includes a set of mapping files that identify and parse the data in the fields that the supported products provide. It maps these values to the appropriate database schema fields. Symantec creates the .norm files and distributes updates to them through LiveUpdate as more information from each of the point products becomes available.

Normalization adds information to events using a standardized set of fields that can be used to refine rules processing. For example, a unique event identifier can be mapped to a Standard Event Code (Symantec Signature). This information allows multiple product events to be correlated despite unique identifiers for each product.

Normalization also uses the information that you provided in the Asset and Network tables. It uses this information to uniquely identify the elements that are related to the event, which can be used during rules creation. Additional fields from the Asset table include the assigned Confidentiality, Integrity, and Availability (CIA) values and the host name. These fields also identify who owns the system, the current operating system, and what policies or roles apply to the computer. In addition, the fields identify what services are open on a computer (populated by a vulnerability scanner). They also identify what vulnerabilities exist on that computer (for example, whether specific patches have not been rolled out to it). For example, if a system has been assigned the role of a vulnerability scanner, the events that vulnerability scanners usually generate can be filtered if they are associated with that computer.

The Network table information is used to identify the location and directional flow of the event. Normalization can help to identify whether an event is internal only (contains only IP addresses within your network). Normalization can also help identify whether the traffic is inbound, outbound, or traveling to or from specific locations. For example, if the source of a virus event is an internal source, the event can be flagged as an internal virus infection.

Normalization also adds any information available for the Symantec Signature from the Symantec DeepSight Threat Management System database.

For example, when a security incident occurs that is mapped to a Symantec Signature, the following pieces of information may be provided:

■ The Symantec Event Code, which facilitates cross-product correlation

■ EMR categorization, helping the analyst to aggregate attack data to better understand the outbreak

■ Vulnerability IDs (BugTraq) that include information on the vulnerabilities that are typical of this type of security threat

■ Exposure IDs that include the potential attack exposure information that Information Manager provides. For example, telnet is enabled or weak passwords are used.

■ Malicious code IDs that include the information that Symantec Security Response creates to describe the known malicious code activity that is associated with an attack

See “About normalization (.norm) files” on page 267.


About normalization (.norm) files

When you create a rule, it is often helpful to view the mapping that takes place during normalization by using the normalization (.norm) files. Normalization files are included in the file system of the server. They are not available from the Information Manager Web configuration interface. Collectors usually populate the event fields with the data that matches the descriptive name that is specified in the schema. However, the event fields that the collector provides may contain additional information that Information Manager can parse. In these cases, you can view the normalization (.norm) file to understand where the event data comes from and how Information Manager interprets it. The Information Manager server contains a default .norm file. It also contains the .norm files that are specific to the collectors that are used on your network. The mapping in a .norm file may be a direct one-to-one mapping, in which the value in the collector field is imported directly into the field that Information Manager expects. In other cases, the collector field may contain more data than the Information Manager field expects. In these cases, regular expressions are commonly used to parse the collector field for the data that Information Manager expects.

Note: Although you can alter the contents of the .norm files, do not rely on this method as a means of modifying how data is normalized and accessed through the rule set. If you have LiveUpdate or Symantec DeepSight Threat Management System updates enabled, the default .norm file is often refreshed during the update process. Any changes you make to the .norm file are lost.

In the following example, the first line of each block specifies the schema that the block applies to: the conditions on collector fields that an event must satisfy. On each mapping line, the field name to the left is the field name that the collector uses. The values on the right indicate the data and the field name that the Information Manager server uses. The parsed data may include a data type in parentheses, followed by the name of the field that Information Manager uses. The right side may also include the regular expression that is used to parse the event data out of the collector field. The lines that use := set a fixed value (here, numeric identifiers) rather than copying data from the collector.

(intrusion_data ^ "Failure Audit") & (intrusion_data ^ "User Name")

intrusion_symc_sig -> (string)deviceAlert

machine_ip -> (ip)sourceIp (ip)targetIp

machine -> (string)sourceHost (string)targetHost

intrusion_data -> /User\s+Name:\s+(\S+)/ (string)eventResource

intrusion_target_type_id := 1037112

intrusion_outcome_id := 1027204

vendor_device_id := 36
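To make the mapping semantics concrete, here is an added example, not Symantec's normalizer, that interprets the block above under an assumed reading of the syntax: the parenthesised first line is a guard in which `field ^ "text"` means "field contains text" and `&` joins terms; `src -> (type)dst ...` copies src into each dst with a type conversion; `src -> /regex/ (type)dst` copies capture group 1 of the regex; `field := value` sets a constant. The raw event is constructed to look like a Windows security Failure Audit as a collector might present it. Beyond the page's block, the interpreter also shows the checks a practitioner wants: a non-matching event yields nothing, and a value that is not a valid IP address is left unset instead of poisoning sourceIp.

```python
"""Minimal interpreter for the normalization-block syntax shown above.
Added example with assumed semantics; not Information Manager's normalizer."""
import ipaddress
import re

# The block from the page, verbatim.
NORM_BLOCK = r'''
(intrusion_data ^ "Failure Audit") & (intrusion_data ^ "User Name")
intrusion_symc_sig -> (string)deviceAlert
machine_ip -> (ip)sourceIp (ip)targetIp
machine -> (string)sourceHost (string)targetHost
intrusion_data -> /User\s+Name:\s+(\S+)/ (string)eventResource
intrusion_target_type_id := 1037112
intrusion_outcome_id := 1027204
vendor_device_id := 36
'''

GUARD_TERM = re.compile(r'\(\s*(\w+)\s*\^\s*"([^"]*)"\s*\)')   # (field ^ "text")
MAPPING = re.compile(r'^(\w+)\s*->\s*(?:/(.+?)/\s+)?(.+)$')     # src -> [/regex/] targets
TARGET = re.compile(r'\((\w+)\)(\w+)')                           # (type)field
CONSTANT = re.compile(r'^(\w+)\s*:=\s*(\S+)$')                  # field := value


def parse_block(text):
    """Returns (guard_terms, rules); a rule is ("copy", src, regex, targets)
    or ("const", field, value)."""
    guard, rules = [], []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if (m := MAPPING.match(line)):
            src, regex, targets = m.groups()
            rules.append(("copy", src, regex, TARGET.findall(targets)))
        elif (m := CONSTANT.match(line)):
            value = m.group(2)
            rules.append(("const", m.group(1), int(value) if value.isdigit() else value))
        elif GUARD_TERM.search(line):
            guard = GUARD_TERM.findall(line)
        else:
            raise ValueError(f"unrecognised .norm line: {line}")
    return guard, rules


def convert(kind, value):
    """Apply the (type) prefix; malformed data yields None rather than a crash."""
    try:
        if kind == "ip":
            return str(ipaddress.ip_address(value))
        if kind == "int":
            return int(value)
        return str(value)
    except ValueError:
        return None


def normalize(block, raw):
    """Apply one parsed block to one raw event. Returns None if the guard fails."""
    guard, rules = block
    if not all(needle in str(raw.get(field, "")) for field, needle in guard):
        return None
    out = {}
    for rule in rules:
        if rule[0] == "const":
            out[rule[1]] = rule[2]
            continue
        _, src, regex, targets = rule
        if src not in raw:
            continue                      # collector did not supply the field
        value = raw[src]
        if regex:
            m = re.search(regex, str(value))
            if not m:
                continue                  # pattern absent: leave the field empty
            value = m.group(1)
        for kind, name in targets:
            converted = convert(kind, value)
            if converted is not None:
                out[name] = converted
    return out


# Constructed raw event, shaped like a Windows security "Failure Audit".
RAW_EVENT = {
    "intrusion_symc_sig": "Logon failure",
    "machine_ip": "10.20.30.40",
    "machine": "DENVER-DC1",
    "intrusion_data": "Failure Audit: An account failed to log on. User Name: jsmith Domain: CORP",
}

if __name__ == "__main__":
    print(normalize(parse_block(NORM_BLOCK), RAW_EVENT))
```

The same machine_ip value lands in both sourceIp and targetIp because the block lists both targets; for a logon failure recorded on the host itself that is the intended reading, and it is exactly the kind of mapping decision you would check in the .norm file before writing a rule that keys on targetIp.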


See “About event normalization” on page 265.


Chapter 15

Collector-based event filtering and aggregation

This chapter includes the following topics:

■ About collector-based event filtering and aggregation

■ About identifying common events for collector-based filtering or aggregation

■ About preparing to create collector-based rules

■ Accessing event data in the Information Manager console

■ Creating collector-based filtering and aggregation specifications

■ Examples of collector-based filtering and aggregation rules

About collector-based event filtering and aggregation

Information Manager lets you filter and aggregate security events before they are sent to the server. Information Manager provides filtering and aggregation capabilities that can be used at the collector. Filtering and aggregating event data before it reaches the server can improve network and server performance. Collector-based filtering and aggregation can also effectively increase event storage capacity on the server, because it discards unnecessary events or stores summaries of events, which typically use less storage space.

When an event collector gathers events from security products, it parses each event for the information that can be sent to the server. When relevant data is identified, it is translated into fields in the Information Manager schema. Information Manager uses the schema to correlate existing events, create incidents, and so forth.


Security products are responsible for identifying security breaches and threats. In many cases, these products also act as event identification and storage devices for any event that may be used for forensic research. Some products store these events locally. Others offload the event data to a storage device such as a Syslog server or a Windows event log. In general, Information Manager collectors monitor these devices, databases, and log files for security-related events. The collectors then forward all of these events to the Information Manager server. By default, event collectors gather all security-related events, and do not discriminate based on event severity or relevance. This behavior is useful for policy compliance. However, many organizations prefer to use the event reporting and correlation features of Information Manager on the security events that are more threat-related.

You can limit (or restrict) the events that are sent to the server to those events that represent potential security threats and incidents. In contrast to event filtering and correlation at the server, collector-based filtering lets you exclude events from being forwarded to Symantec Security Information Manager at all. Similarly, collector-based aggregation lets you group similar events to reduce event traffic. Grouping also lets you reduce the number of single events that are stored in the event database. Event aggregation groups the events that contain identical event information into a single summary event, which is forwarded to the server. This summary event includes a count of the events that matched the aggregation criteria.

Note: When aggregation occurs, the summary event that is created and sent to the server does not contain the raw event data for each individual event. A summary event cannot be separated into the individual events that comprise the aggregated event.

Collector-based event filtering and aggregation rules (also referred to as specifications) are created using the Information Manager console, and then deployed to the corresponding collectors. When you filter events at the collector, you remove the events from the event storage, correlation, and incident creation processes; a filtered event is gone, and cannot be recovered later for an investigation. Use caution when you determine which events you want to filter at the collector.

Note: Collector-based filtering or aggregation should not be used if you use Information Manager as your primary tool for policy compliance. Filtering or aggregating event data may exclude the events or the event details that are unnecessary for security monitoring but are necessary for compliance.


See “About identifying common events for collector-based filtering or aggregation” on page 271.

About identifying common events for collector-based filtering or aggregation

Table 15-1 describes filtering and aggregation guidelines for specific security device types.

Table 15-1 Filter and aggregation guidelines

Device type: All

Test networks can generate security events that do not indicate any actual threat. Consider filtering all events originating from isolated test networks.

Device type: Firewall

Firewalls generate many events that are not required for correlation. Consider filtering or aggregating the following types of events:

■ Connection rejected.

These indicate that the firewall operates as it is configured. These events do not ordinarily pose a security threat and can be filtered at the Event Collector.

■ Connection accepted.

Typically, legitimate network traffic generates these events. These events can be filtered entirely or they can be aggregated according to IP address. If an individual unwanted connection is accepted, the Intrusion Detection System identifies and reports the attack. This assumes that an intrusion detection system actually monitors that traffic; where none does, accepted connections are also the record you need to reconstruct activity after an incident, so aggregating them is safer than filtering them entirely.

■ Possible attack.

Not all possible attack events indicate a true security threat. Consider filtering or aggregating possible attack events based upon specific attack IDs.

Device type: Enterprise Antivirus

Enterprise antivirus systems customarily report a number of informational events for each protected system. If you use a product such as Symantec Client Security, consider filtering or aggregating the following types of events:

■ Scan start and scan stop

These events do not pose a security threat and can be filtered or aggregated.

■ Virus repaired

These events indicate that the antivirus software has repaired infected systems. If there are infections in your environment that are commonly repaired, consider aggregating virus repaired events by the virus name.

■ Irreparable virus

These events may indicate a virus outbreak. The spread of a virus can generate many redundant events. To avoid unwanted event traffic during an outbreak, consider aggregating irreparable virus events.

Device type: Vulnerability

Typically, all vulnerability scan events should be sent to Information Manager for correlation. Vulnerability assessment events in some cases can be aggregated to reduce network traffic.

Device type: Intrusion Detection

Typically, all intrusion detection and intrusion prevention events should be sent to Information Manager for correlation.

Device type: Windows Event Log

The Windows event log stores both operating system events and application events. Because each Windows system may have different applications installed, broad filtering or aggregation is not advised. All aggregation and filtering must be based upon specific event criteria. Consider filtering or aggregating the following types of events:

■ Application

Some applications generate an excessive number of informational and warning events. These events can be filtered or aggregated based upon the specific event source and event identifier.

■ Security

Success audit events do not indicate a security threat and can be aggregated based upon the specific user. Aggregate rather than filter them: successful logons are often the only record of an attacker who is using valid credentials.

■ System

System event sources such as the Service Control Manager generate many informational events. These events can be filtered or aggregated based upon the event source and identifier.

See “About collector-based event filtering and aggregation” on page 269.

About preparing to create collector-based rules

Before you create collector-based filtering and aggregation rules, you need to understand the event data that is generated on your network. You need to gather event data over a period of time and evaluate the event fields that are included in each event. In the Information Manager console, you can use the Event Viewer to view a summary of the events that the enabled collectors identified. The Event Viewer may give you an idea of the categories or types of data that can be used. However, the event fields are the most accurate source of information for creating event filters. Each product has customized event fields specific to that product. Therefore, you should create filtering and aggregation rules based on the events that are specifically related to that product. You can view the event fields by double-clicking an event in the Event Viewer. You can then analyze the fields that appear in the Event Details window.

Informational firewall events may be good filtering candidates. The firewall events that are classified as informational can often be filtered at the collector to reduce traffic to the server. The firewall events that are categorized as informational are generally used for accounting purposes. These events usually do not indicate an attempted security breach. However, the collector correctly detects these events as security-related events and sends them to Information Manager by default. It may be unnecessary to analyze these events to maintain the security policies of your organization. If analysis is unnecessary, you can filter the events at the collector to reduce event traffic. To filter these events, analyze the event details to find the fields on which the filter for this specific event can be created.

To understand the event data and create a filtering rule to filter informational firewall events, you perform the following tasks:

■ With the collector enabled, generate a series of informational firewall events. In most cases, bringing a firewall online and performing connection tasks through the firewall generates these types of events. To make the event data more useful, generate the common firewall events that more accurately resemble a live network environment: for example, FTP sessions and failed connection attempts.

■ After you generate a series of events, use the Event Viewer or an available event report in the Dashboard. Double-click an event to open the Event Details window.

■ In the Event Details window, analyze the field names that are included in the event. Many of these fields are added at the server rather than at the collection point, as part of the normalization process, and so are not available to a filter that runs at the collector. Therefore, the most effective fields to base a filter on are generally the fields that are generated in the raw event data: for example, the fields that contain event IDs that are specific to the monitored device. For example, if you use the Cisco PIX collector, the firewall generates a unique value in the Event Info 4 field.

■ Make note of the field and value pair that you want to base your filter on and open the configuration on the Product Configurations tab.

To create a new specification

1 On the System view, in the Product Configurations tab, find the collector for the product that you want to monitor. For example, if you use the Check Point Firewall, navigate to the settings for CheckPoint FireWall-1 Collector.

Note: You cannot edit the default configuration. You must create a new configuration and specify the settings for that configuration.

2 Select the product and right-click to create a new configuration. Type a name and description for the new configuration, and then click Next.

3 Add computers to the configuration using the + icon. Then click Next.

4 Click Finish. Click Close to save and exit the Configuration Wizard.


5 Select the newly created configuration. In the right pane, on the Filter tab, create a new specification.

6 In the new specification, double-click the name field and find the field name in the list. Alternatively, type the name of the field exactly as it appears in the event details.

7 In the operator column, choose the appropriate operator. In most cases, this value is the equal to operator.

8 In the Value field, type the value exactly as it appears in the event details.

9 Enable the specification, save, and then distribute using the Distribute settings to computers icon.

See “About collector-based event filtering and aggregation” on page 269.

Accessing event data in the Information Manager console

The Information Manager console provides several different ways to access the event data that each collector gathers. To gain an understanding of the events that can be filtered, you should analyze the event data that is viewable in the Event Details view.

You can also create custom reports for specific events. For more information on how to create custom reports, see the documentation that is provided with each collector.

Accessing event data using the Events view

1 In the Information Manager console, click Events.

2 In the Events view, expand the Templates folder.

3 Under the Templates folder, click All Events.

Note: This example uses the All Events query. However, you can use any of the event queries in the Events view that return the event data for which you search.

4 In the right pane, select the archives that contain the event data that you want to review, and then click Run Template.

5 After the query completes, use the results view to find the event you want to analyze.


6 Find the event that you want to analyze, and click View the event details.

7 In the Event Details window, analyze the event fields and data. Many events have unique event IDs that can be used to create the filters that are specific to the event that you want to filter.

See “About identifying common events for collector-based filtering or aggregation” on page 271.

Creating collector-based filtering and aggregation specifications

After you analyze your event data, you can create filtering and aggregation specifications based on the fields that are viewable in the Event Details window. The Filter and Aggregator tabs let you create, enable, and edit filters that exclude events from being forwarded to the server (filtering). You can also use these tabs to create, enable, and edit filters that gather multiple events into a single event (aggregation). No event filtering or aggregation rules are configured by default. You must add the rules before you can enable or configure them.

See “About collector-based event filtering and aggregation” on page 269.

To create a collector-side filtering rule

1 In the Information Manager console, on the System view, click Product Configurations.

2 In the left pane, expand the product to which you want to add a filtering rule. Expand the folders until you reach the configurations that are available for the product. If the only configuration available is Default, you must create a new configuration. The Default configuration cannot be edited. If necessary, to create a new configuration, click the folder of the product, and then click Add. Follow the on-screen instructions.

3 Select the configuration you want to modify, and then in the right pane, on the Filter tab, under the list of filters, click Add.

4 Double-click Specification n (where n is 0, 1, 2, and so on), type a name for the rule, and then press Enter.

5 Under the rule properties table, click Add, and then do the following:

■ In the Name column, double-click the name field and find the value in the event fields list that appears. If you know the exact name of the field that the collector created, you can also type the name of the event filter property. Field names are case-sensitive.

■ In the Operator column, select an operator from the drop-down list.


■ In the Value column, type a value for the event filter property.

To add more event filtering information for the rule, repeat this step.

6 When you are finished, in the filter list, check the filter name.

7 Click Save.

8 In the left pane, right-click the appropriate default folder, and then clickDistribute.

9 When you are prompted to distribute the configuration, click Yes.

To create a collector-based aggregation rule

1 In the Information Manager console, on the System view, click Product Configurations.

2 In the left pane, expand the product to which you want to add an aggregationrule. Expand the folders until you reach the configurations that are availablefor the product. If the only configuration available is Default, you must createa new configuration. The default configuration cannot be edited. If necessary,to create a new configuration, click the folder of the product, and then clickAdd. Follow the on-screen instructions.

3 Select the configuration you want to modify, and then in the right pane, on the Aggregation tab, under the list of aggregation specifications, click Add.

4 Double-click Specification n (where n is 0, 1, 2, and so on), type a name for the rule, and then press Enter.

5 Under the rule properties table, click Add, and then do the following:

■ In the Name column, select the name for the event aggregation property.

■ In the Operator column, select an operator from the drop-down list.

■ In the Value column, type a value for the event aggregation property.

To add more event aggregation information for the rule, repeat this step.

6 In the Aggregation time (ms) box, type the window, in milliseconds, within which events that match the rule properties are combined into a single event.

The default value is 100. This setting applies to all aggregation specifications in the configuration.

7 When you are done, in the aggregation list, check the aggregation name.

8 Click Save and enable the rule before you distribute.

9 In the left pane, right-click the appropriate default folder, and then clickDistribute.

10 When you are prompted to distribute the configuration, click Yes.
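The two procedures above describe the specification model (a named rule made of field, operator and value properties, enabled by checking it, and an aggregation window in milliseconds) but not what the collector does with it. The following Python is an added illustration of that behaviour, not Information Manager code. It assumes things the guide does not state: events are dicts keyed by field name, the only operator implemented is "equal to", all properties of one specification must match (AND), and an aggregated summary event carries the number of collapsed events in an added "count" field. The sample events are constructed Windows event log records in which "Option 8" holds the event ID, the field the Windows Event Log example later in this chapter uses.

```python
"""Collector-side filtering and aggregation, modelled on the Filters and
Aggregation specifications described in the two procedures above.

Added illustration, not Information Manager code. Assumptions that the
guide does not state: events are dicts keyed by the event field name, the
only operator implemented is "equal to", all properties of one
specification must match (AND), and an aggregated summary event carries
the number of collapsed events in an added "count" field.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Event = Dict[str, object]


@dataclass(frozen=True)
class Property:
    name: str       # event field name; case-sensitive, as the guide notes
    operator: str   # assumption: only "equal to" is implemented here
    value: str


@dataclass
class Specification:
    name: str
    properties: List[Property]
    enabled: bool = True    # a saved but unchecked specification does nothing

    def matches(self, ev: Event) -> bool:
        for p in self.properties:
            if p.operator != "equal to":
                raise ValueError(f"unsupported operator {p.operator!r}")
            # Field names are case-sensitive: a spec on "option 8" never
            # matches an event whose field is "Option 8".
            if p.name not in ev or str(ev[p.name]) != p.value:
                return False
        return True


def apply_filters(events: List[Event], specs: List[Specification]) -> List[Event]:
    """Drop every event that matches an enabled filter specification."""
    active = [s for s in specs if s.enabled]
    return [ev for ev in events if not any(s.matches(ev) for s in active)]


def apply_aggregation(events: List[Event], specs: List[Specification],
                      window_ms: int = 100) -> List[Event]:
    """Collapse events matching an enabled aggregation specification that
    arrive within window_ms of the first matching event into one summary
    event. Events must be ordered by their "ts_ms" field; one open window
    is kept per specification and non-matching events pass through."""
    active = [s for s in specs if s.enabled]
    out: List[Event] = []
    open_windows: Dict[str, Tuple[Event, int]] = {}   # spec name -> (summary, window start)

    for ev in events:
        ts = int(ev["ts_ms"])
        spec = next((s for s in active if s.matches(ev)), None)
        if spec is None:
            out.append(ev)
            continue
        if spec.name in open_windows:
            summary, start = open_windows[spec.name]
            if ts - start <= window_ms:
                summary["count"] += 1          # same window: fold into the summary
                continue
            out.append(summary)                # window expired: emit it and start anew
        summary = dict(ev)
        summary["count"] = 1
        open_windows[spec.name] = (summary, ts)

    out.extend(summary for summary, _ in open_windows.values())
    out.sort(key=lambda e: int(e["ts_ms"]))
    return out


# Constructed sample events (not from the guide): Windows event log records
# as a collector might normalise them; "Option 8" holds the event ID.
SAMPLE_EVENTS: List[Event] = [
    {"ts_ms": 0,   "Option 8": "Security:540", "src_ip": "10.1.1.5"},   # successful network logon
    {"ts_ms": 20,  "Option 8": "Security:529", "src_ip": "10.1.1.9"},   # logon failure
    {"ts_ms": 40,  "Option 8": "Security:540", "src_ip": "10.1.1.6"},
    {"ts_ms": 60,  "Option 8": "Security:529", "src_ip": "10.1.1.9"},
    {"ts_ms": 90,  "Option 8": "Security:529", "src_ip": "10.1.1.9"},
    {"ts_ms": 500, "Option 8": "Security:529", "src_ip": "10.1.1.9"},   # outside the 100 ms window
]

FILTER_SPECS = [
    Specification("Drop successful network logons",
                  [Property("Option 8", "equal to", "Security:540")]),
]

AGG_SPECS = [
    Specification("Collapse repeated logon failures",
                  [Property("Option 8", "equal to", "Security:529")]),
]


def process(events: List[Event], filter_specs=FILTER_SPECS, agg_specs=AGG_SPECS,
            window_ms: int = 100) -> List[Event]:
    """Filter first, then aggregate: what the collector forwards to the server."""
    return apply_aggregation(apply_filters(events, filter_specs), agg_specs, window_ms)


if __name__ == "__main__":
    for ev in process(SAMPLE_EVENTS):
        print(ev)
```

On the sample input the two event-540 records are dropped, the three failures at 20, 60 and 90 ms collapse into one summary with count 3, and the failure at 500 ms starts a new window, so the server receives two events instead of six. The case-sensitivity check is the one that bites in practice: a property typed as "option 8" silently matches nothing, and the filter appears not to work.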


Examples of collector-based filtering and aggregation rules

As you become familiar with the event fields that your collectors populate, you will discover common filtering and aggregation candidates that can be safely implemented at the collector. The examples in this section are general guidelines. Before you deploy any of them, evaluate each configuration carefully to ensure that it conforms to the specific needs of your security environment. The examples are common to many deployments, but may not comply with your security policies. Creating filtering and aggregation specifications is an iterative process that is based on a careful evaluation of the event data that is specific to your environment. Filtering at the collector prevents event data from ever reaching the Information Manager server for evaluation. Consequently, analysts do not have access to this data for forensic analysis unless the events are stored separately from Information Manager.

For example, the events that are classified as informational can be good candidatesfor event filtering or aggregation at the collector. In some cases, a network maygenerate a large number of informational events that may not constitute animmediate security threat. From a threat perspective, these events may not be asuseful in evaluating a high priority security incident in progress. The informationalevent details may subsequently help to gain a better understanding of the seriesof events that led to the security breach. For this reason, an event filter oraggregation specification at the collector should be carefully evaluated before itis deployed.

When you determine which events can be safely filtered or aggregated, base yourcollector-based filtering or aggregation specification on specific event criteria.Basing a filter on a broad field such as severity level may have unintended results.When you create filtering rules, specificity helps to prevent unexpected gaps inthe information that is available to the analyst. For example, you should use theevent IDs generated by the monitored product to control the information that isdiscarded from Information Manager. This option is more effective than using abroader severity category to control that information.

See “About collector-based event filtering and aggregation” on page 269.

Filtering events generated by specific internal networks

You can filter events from the particular subnets that generate a high volume of events that do not pose a threat. For example, a network that is dedicated to testing and developing software applications may generate many events that do not threaten internal network resources. These events can be filtered at the collector to reduce this type of false positive.

See “Examples of collector-based filtering and aggregation rules” on page 277.

To filter network events generated by a specific subnet and acquired by the Windows event log collector

1 On the System view, on the Product Configurations tab, expand the default configuration for the Snare for Windows Event Log collector. On the Filters tab, add a new specification. Add a new entry for the specification, and then double-click the Name field. In the Event fields list, choose Machine Numeric Subnet.

2 Set the Operator to equal to, and in the Value field, enter the subnet that youwant to filter against.

3 Save and enable the rule, and then distribute the configuration.

Filtering common firewall events

Firewall products typically generate a large number of events. Many of these events are recorded primarily for lower priority, informational purposes. Depending on the security policies that you have in place, you may be able to safely filter these events at the collector. By filtering at the collector, you can reduce network traffic and increase overall performance.

See “Examples of collector-based filtering and aggregation rules” on page 277.

Filtering Connection Rejected events

Events that are classified as Connection Rejected can often be filtered based on the severity of the event and the event ID. For example, in many cases the TCP Connection Rejected events that the Cisco PIX collector detects (PIX-6-106015) can be filtered at the collector. Depending on the security policies of your organization, you may decide to filter or aggregate these events to reduce the amount of data to evaluate.

If you want to filter additional events, you can add additional event types to the specification. For example, you can use the Event Info 4 field to identify No route to dest_addr from src_addr (PIX-6-110001) or HTTP daemon interface int_name: connection denied from IP_addr (PIX-6-605001) PIX events.

To filter Cisco PIX TCP Connection Rejected events

1 On the System view, on the Product Configurations tab, navigate to theproduct to configure.

2 On the Filters tab, create a new specification.


3 In the new filtering specification, double-click the Name field, and in theEvent fields list that appears, expand the list. From the list of categories,choose Firewall Network Event > Event Info 4. For the Cisco PIX collector,the Event Info 4 field contains the name of the event that PIX uses.

4 Set the Operator to equal to, and then in the Value field, enter the PIX eventcode (PIX-6-106015).

5 Save and enable the rule, and then distribute the configuration.

Filtering Connection Accepted events

Events that are classified as Connection Accepted can often be filtered based on the severity of the event and, more specifically, the event ID. For example, the Connection Accepted events that the Cisco PIX collector detects, such as The user user_name executed cmd: command (PIX-7-111009), can be filtered at the collector. PIX-7-111009 events are generally used for accounting purposes only; they indicate that the command the user entered cannot modify the configuration. Depending on the security policies of your organization, you may decide to filter or aggregate these events to reduce the amount of data to evaluate.

To filter Cisco PIX Connection Accepted events

1 On the System view, on the Product Configurations tab, navigate to theproduct to configure.

2 On the Filters tab, create a new specification.

3 In the new filtering specification, double-click the Name field, and in theEvent fields list that appears, expand the list. From the list of categories,choose Firewall Network Event > Event Info 4. For the Cisco PIX collector,the Event Info 4 field contains the name of the event that PIX uses.

4 After you have selected the field name, set the Operator to equal to, and thenin the Value field, enter the PIX event code (PIX-7-111009).

5 Save and enable the rule, and then distribute the configuration.

Filtering Possible Attack events

In many cases, events that are classified as possible attacks can be either filtered or aggregated. For example, if you use the Cisco PIX collector, the collector gathers events such as failed telnet session attempts as possible attacks and displays them in the console. Based on your policies, you can filter or aggregate these events at the collector to reduce the amount of data to evaluate.

If you want to filter similar events (or the events that carry a similar severity), you can add additional event types to the specification. For example, you can use the Event Info 4 field to identify Telnet Login Session Failed (PIX-6-307003) events, or Retrieved IP address for FTP session (PIX-6-303002) events.

To filter Cisco PIX failed telnet session events

1 On the System view, on the Product Configurations tab, navigate to theproduct to configure.

2 On the Filters tab, create a new specification.

3 In the new filtering specification, double-click the Name field, and in theEvent fields list that appears, expand the list. From the list of categories,choose Firewall Network Event > Event Info 4. For the Cisco PIX collector,the Event Info 4 field contains the name of the event that PIX uses.

4 After you have selected the field name, set the Operator to equal to, and then in the Value field, enter the PIX event code for Telnet Login Session Failed (PIX-6-307003).

5 Save and enable the rule, and then distribute the configuration.
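The three PIX procedures above all key on the same field: Event Info 4, which the collector fills with the PIX message ID. The Python below is an added illustration of that step, not collector code: it extracts the ID from raw syslog lines in the documented %PIX-severity-ID: format and drops the IDs the text discusses as filter candidates, while keeping a same-severity telnet message with a different ID to show why an exact ID beats a broad severity match. The log lines are constructed samples, and the `event_info4` key is my stand-in for the collector's field.

```python
"""Extract the Cisco PIX message ID from raw syslog lines and apply an
ID-based collector filter, as a worked version of the PIX examples above.

Added illustration, not collector code. The log lines are constructed
samples in the %PIX-<severity>-<id>: format; the guide says the collector
stores the ID in Event Info 4, represented here by the 'event_info4' key.
"""
import re
from typing import Dict, Iterable, List, Optional

# "%PIX-6-106015: Deny TCP (no connection) ..." -> facility PIX, severity 6, id 106015
PIX_RE = re.compile(r"%(?P<facility>PIX|ASA|FWSM)-(?P<sev>[0-7])-(?P<id>\d{6}):\s*(?P<msg>.*)$")


def parse_pix(line: str) -> Optional[Dict[str, str]]:
    """Return the structured fields for one syslog line, or None if it is not a PIX message."""
    m = PIX_RE.search(line)
    if not m:
        return None
    return {
        "event_info4": f"{m.group('facility')}-{m.group('sev')}-{m.group('id')}",  # e.g. PIX-6-106015
        "severity": m.group("sev"),
        "message": m.group("msg"),
    }


# IDs the guide discusses as filter candidates. Whether each is acceptable
# to drop depends on local policy (see the caveats in the text).
FILTER_IDS = {
    "PIX-6-106015",  # Deny TCP (no connection): Connection Rejected
    "PIX-7-111009",  # User executed cmd: accounting only
    "PIX-6-307003",  # Telnet login session failed
}


def forward(lines: Iterable[str], drop_ids=FILTER_IDS) -> List[Dict[str, str]]:
    """Parse each line and keep only events whose ID is not in the filter set.
    Lines that do not parse are kept (with an empty ID) so nothing is silently lost."""
    kept: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_pix(line)
        if ev is None:
            kept.append({"event_info4": "", "severity": "", "message": line.strip()})
            continue
        if ev["event_info4"] in drop_ids:
            continue
        kept.append(ev)
    return kept


SAMPLE_LINES = [  # constructed samples, not captured from a device
    "Jan 10 10:00:01 fw01 %PIX-6-106015: Deny TCP (no connection) from 10.0.0.5/51234 to 192.0.2.10/80 flags ACK on interface outside",
    "Jan 10 10:00:02 fw01 %PIX-6-307003: Telnet login session failed from 10.0.0.77 (3 attempts) on interface inside",
    "Jan 10 10:00:03 fw01 %PIX-7-111009: User 'admin' executed cmd: show running-config",
    "Jan 10 10:00:04 fw01 %PIX-6-307001: Denied Telnet login session from 198.51.100.9 on interface outside",
    "Jan 10 10:00:05 fw01 %PIX-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:10.0.0.20/445 by access-group outside_in",
]

if __name__ == "__main__":
    for ev in forward(SAMPLE_LINES):
        print(ev["event_info4"], ev["message"])
```

Of the five sample lines, the three whose IDs are in the filter set are dropped; the 307001 message survives even though it shares the severity-6 telnet subsystem with 307003, which is the specificity the guide recommends. Keeping unparseable lines is a deliberate choice: a collector that silently discards what it cannot parse hides exactly the log-format changes an analyst needs to know about.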

Filtering Remote Management Connection events

Remote Management Connection events can often be aggregated if you expect remote management connections to take place from trusted sources or on an expected host computer. Remote Management Connection events often include the events that are classified as Informational, and in many cases can be safely aggregated.

For example, if you use the Juniper Netscreen Firewall collector, you can createan aggregation specification that gathers specific types of Remote ManagementConnection events into a single summary event that is sent to the server. Forexample, you may have a host computer that manages remote connections forwhich you expect many Remote Management events to take place. You canaggregate these events into a single event summary.

To aggregate events for the Juniper Netscreen Firewall collector based on a specific host computer

1 On the System view, on the Product Configurations tab, navigate to theproduct to configure.

2 Expand the default configuration for the Juniper Netscreen Firewall Event Collector.

3 On the Aggregation tab, add a new specification. Add a new entry for thespecification, and then double-click the Name field. In the Event fields list,navigate to Common Event > Destination Host Name.

4 Set the Operator to equal to, and then enter the host name in the value field.


5 In the Aggregation time (ms) box, type the window, in milliseconds, within which events that match the rule properties are combined into a single event.

6 Save and enable the rule, and then distribute the configuration.

Filtering common Symantec AntiVirus events

Symantec AntiVirus generates events that can often be filtered or aggregated. For example, most antivirus products provide proactive event notifications of maintenance tasks such as data scan start and stop events. As these security-related events indicate expected behavior, they can often be safely filtered or aggregated at the collector.

To filter the events that Symantec AntiVirus generates, edit the configuration file (.cfg) that is included when the collector is installed on the Symantec AntiVirus parent server. The collector monitors the parent server for events, and uses the configuration files to determine which events are forwarded to the server.

See “Examples of collector-based filtering and aggregation rules” on page 277.

The following events are common Symantec AntiVirus events that can be filteredat the collector:

■ Unscannable Violation

■ Data Scan Start

■ Data Scan End

■ Data Scan Cancel

■ Data Scan Pause

■ Data Scan Resume

■ Application Start

■ Application Stop

Note: Application Stop events can indicate that Symantec AntiVirus has been disabled. The AntiVirus Disabled event correlation rule on the server detects this event. If you filter Application Stop events at the collector, this rule does not trigger during correlation.

Symantec AntiVirus and Symantec Client Security configuration files are storedon the parent server on which the collector is installed. The files are stored bydefault in the following locations:

■ Symantec AntiVirus: C:\Program Files\Symantec\Collector\Plugins\SAVSesa\savsesa.cfg


■ Symantec Client Firewall: C:\Program Files\Symantec\Collector\Plugins\SCFSesa\scfsesa.cfg

■ Symantec Client Security: C:\Program Files\Symantec\Collector\Plugins\SCSState\scsstate.cfg

You can also filter the events that are forwarded from individual clients or serversusing the Log Event Forwarding wizard. The wizard is available through theSymantec System Center interface that is provided with Symantec AntiVirus andSymantec Client Security. The Log Event Forwarding wizard lists a complete setof events that can be forwarded to parent servers. For more information on usingSymantec System Center, see the documentation that is provided with SymantecAntiVirus and Symantec Client Security.

To enable event filtering on a Symantec AntiVirus parent server

1 On the parent server that you are monitoring, use a text editor such as Notepad to open the following file: C:\Program Files\Symantec\Collector\Plugins\SAVSesa\savsesa.cfg.

2 In the .cfg file, find the ExcludeEvents section.

3 From the list of events in this section, remove the comment symbol (;) frombefore the event type or types you want to filter.

4 Save the file, keeping the .cfg extension. You may need to restart the collector for the change to take effect.
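The edit in the procedure above is a one-character change per event, but the note about Application Stop makes it worth guarding: uncommenting that line blinds the server-side AntiVirus Disabled rule. The Python below is an added illustration, not Symantec's tooling. Because the guide does not reproduce the layout of savsesa.cfg, it assumes an INI-style file with a section headed [ExcludeEvents] in which each excludable event sits on its own line, commented out with a leading ";" until enabled; the sample file content is constructed. It refuses to enable a guarded event unless told explicitly, and errors on an event name that is not in the section rather than silently doing nothing.

```python
"""Uncomment entries in the ExcludeEvents section of a collector .cfg file.

Added illustration, not Symantec's tooling. The exact layout of
savsesa.cfg is not reproduced in the guide, so this assumes an INI-style
file in which the section is headed [ExcludeEvents] and each excludable
event is listed on its own line, commented out with a leading ';' until
it is enabled.
"""
from typing import List, Tuple

SECTION = "[ExcludeEvents]"
# Filtering this event at the collector blinds the server-side
# "AntiVirus Disabled" correlation rule, as the guide warns.
GUARDED = {"Application Stop"}


def enable_excludes(cfg_text: str, events: List[str],
                    allow_guarded: bool = False) -> Tuple[str, List[str]]:
    """Return the rewritten file text and the list of events newly enabled.

    Only lines inside [ExcludeEvents] are touched. A request to enable a
    guarded event is refused unless allow_guarded=True, and a name that
    does not appear in the section at all raises instead of being ignored.
    """
    wanted = set(events)
    blocked = wanted & GUARDED
    if blocked and not allow_guarded:
        raise ValueError(f"refusing to filter {sorted(blocked)}: "
                         "this suppresses the AntiVirus Disabled rule")
    out: List[str] = []
    enabled: List[str] = []
    found = set()
    in_section = False
    for line in cfg_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_section = stripped == SECTION      # track which section we are in
        elif in_section and stripped:
            active = not stripped.startswith(";")
            name = stripped if active else stripped[1:].strip()
            if name in wanted:
                found.add(name)
                if not active:
                    line = name                     # drop the ';' to enable the exclusion
                    enabled.append(name)
        out.append(line)
    missing = sorted(wanted - found)
    if missing:
        raise ValueError(f"not found in {SECTION}: {missing}")
    return "\n".join(out) + "\n", enabled


def active_excludes(cfg_text: str) -> List[str]:
    """List the events currently excluded (uncommented) in [ExcludeEvents]."""
    names: List[str] = []
    in_section = False
    for line in cfg_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_section = s == SECTION
        elif in_section and s and not s.startswith(";"):
            names.append(s)
    return names


SAMPLE_CFG = """\
; constructed sample, not the real savsesa.cfg
[General]
Server=sav-parent01

[ExcludeEvents]
;Unscannable Violation
;Data Scan Start
;Data Scan End
;Data Scan Cancel
;Data Scan Pause
;Data Scan Resume
;Application Start
;Application Stop
"""

if __name__ == "__main__":
    text, changed = enable_excludes(SAMPLE_CFG, ["Data Scan Start", "Data Scan End"])
    print("enabled:", changed)
    print("now excluded:", active_excludes(text))
```

Run against the sample, enabling the two scan events leaves Application Stop commented out, and a request to enable Application Stop without allow_guarded=True raises. Whatever the real file layout turns out to be, the check worth keeping is the guard: decide deliberately, not by accident, to silence an event that a server-side rule depends on.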

Filtering or aggregating vulnerability assessment events

Typically, all vulnerability assessment scans should be sent to the Correlation Manager for analysis. However, vulnerability assessment events in some cases can be aggregated to reduce the number of events that are sent individually to the Information Manager server. For example, the Symantec ESM collector detects the vulnerability assessment events that are related to whether files are backed up on the systems that it scans (Backup Integrity events). This information is useful for a variety of network analysis tasks. However, based on the policies of your organization, this information may not represent an immediate security threat.

A Different ACL entry event is another potential candidate for aggregation of vulnerability assessment events. A Different ACL entry event typically indicates a permissions misconfiguration rather than an actual security breach.

See “Examples of collector-based filtering and aggregation rules” on page 277.


To aggregate Backup Integrity events for the Symantec ESM collector

1 On the System view, on the Product Configurations tab, navigate to theproduct to configure.

2 On the Aggregation tab for that product, create a new specification.

3 In the new aggregation specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Vulnerability > Vulnerability Custom 2. For the Symantec ESM collector, the Vulnerability Custom 2 field contains the type of event that the vulnerability assessment scan generates.

4 Set the Operator to equal to. Then in the Value field, type Backup Integrity exactly as it appears in the Event Details entry for the Vulnerability Custom 2 field.

5 In the Aggregation time (ms) box, type the window, in milliseconds, within which events that match the rule properties are combined into a single event.

6 Save and enable the rule, and then distribute the configuration.

To aggregate Different ACL entry events

1 On the System view, on the Product Configurations tab, navigate to theproduct to configure.

2 On the Aggregation tab for that product, create a new specification.

3 In the new aggregation specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Vulnerability > Vulnerability Name. For the Symantec ESM collector, the Vulnerability Name field (the short descriptive name) contains a brief description of the event that the vulnerability assessment scan generates.

4 After you have selected the field name, set the Operator to equal to. Then inthe Value field, type Different ACL entry exactly as it appears in the EventDetails entry for the Vulnerability Name field.

5 In the Aggregation time (ms) box, type the window, in milliseconds, within which events that match the rule properties are combined into a single event.

6 Save and enable the rule, and then distribute the configuration.

Filtering Windows Event Log events

If you use the Windows event log collector, you can reduce traffic by filtering the common network events that generally do not pose a threat. The Windows event logs generate a large number of events that track a variety of activities, including those related to security. These events carry unique event codes that are included in the raw event data. You can use these event codes to create collector-based filters that reduce the number of events that are passed to the server.

For example, Successful Network Logon events (Windows event ID 540) do not typically pose a security risk if the appropriate security measures are in place, such as secure passwords, multiple layers of access defense, and limited administrator privileges.

Another example of a Windows event log event that can be filtered is the successfullogin Application event. As an alternative, you can also choose the Event ID fieldwith a value of 17055.

See “Examples of collector-based filtering and aggregation rules” on page 277.

To filter Windows Successful Network Logon events (540)

1 On the System view, on the Product Configurations tab, navigate to theproduct to configure.

2 On the Filters tab, create a new specification.

3 In the new filtering specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Windows and Novell Event > Option 8. For this type of event, Option 8 contains the event ID. Note that the option fields vary with each event for Windows event log entries. For more information on the Windows Event Log option fields, see the documentation that Microsoft provides.

4 Set the Operator to equal to. In the Value field, type Security:540 exactly asit appears in the Event Details entry for the Option 8 field.

As an alternative, you can also choose the Event ID field with a value of 540.

5 Save and enable the rule, and then distribute the configuration.

To filter Windows successful login Application events

1 On the System view, on the Product Configurations tab, navigate to theproduct to configure.

2 On the Filters tab, create a new specification.

3 In the new filtering specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Windows and Novell Event > Option 8. For this type of event, Option 8 contains the event ID. Note that the option fields vary with each event for Windows event log entries. For more information on the Windows Event Log option fields, see the documentation that Microsoft provides.


4 Set the Operator to equal to. In the Value field, type Application:17055 exactly as it appears in the Event Details entry for the Option 8 field.

5 Save and enable the rule, and then distribute the configuration.


Section 6

Working with incidents

■ Chapter 16. Managing Incidents

■ Chapter 17. Working with filters in the Incidents view


Chapter 16

Managing Incidents

This chapter includes the following topics:

■ About incident management

■ Viewing incidents

■ About creating and modifying incidents

■ Closing an incident

■ Reopening a closed incident

■ Printing incident details

■ Printing the incident, ticket, or asset list

■ Exporting the incident, ticket, or asset list

■ Assigning incidents automatically to the least busy member in a user group

About incident management

Symantec Security Information Manager facilitates efficient and appropriate management of security incidents and alerting (nonsecurity) incidents. An incident is derived from one or more events that are logged in the event database.

For example, when a firewall-down event occurs, an alerting incident can begenerated. A security incident might be created when an internal port sweep eventoccurs. The term "incidents" includes both security incidents and alertingincidents.

Incident management begins when an incident is created. Information Managerprovides the following methods of incident creation:


Automated incident creation: The Correlation Manager creates incidents from events, and the incidents are then assigned according to automatic assignment rules.

Manual incident creation: The analyst determines which events are related and manually correlates the events by grouping them as a single incident.

When you create a custom rule on the Rules view, you can specify the type ofincident that the rule generates. If you check the Alerting Incident box on theActions tab of the rule form, the Correlation Manager generates an alertingincident. If this box is unchecked, the Correlation Manager generates a securityincident. You can also set the incident type manually.

See the Symantec Security Information Manager Administrator's Guide forinformation about creating custom rules.

After an event or group of events is selected and identified as an incident, theincident is assigned to an analyst for investigation and resolution.

Information Manager provides the analyst with recommended actions to becompleted, including the remediation options that are associated with the incidenttype. A history log tracks any changes to the incident and lets the analyst noteimportant facts.

See “About creating and modifying incidents” on page 294.

Example: Information Manager automates incident management during a Blaster worm attack

Symantec Security Information Manager tracks the entire incident response cycle through the following phases:

■ Incident identification

■ Threat containment, eradication, and recovery

■ Follow-up

Incident identification

The Blaster worm attack begins with a series of sweeps to ports 135, 445, and 4444. Using the default rules, Information Manager detects each of these sweeps as suspicious, and creates a conclusion for each. At the same time, events from intrusion detection software such as Symantec IDS lead to other conclusions that are related to the source IP address. Information Manager may also create further conclusions if the source IP address for the attack is on the IP watch list. This list is updated automatically to provide up-to-date protection from the computers that are known to be used in attacks. Based upon all of these conclusions that are related to the same IP address, Information Manager generates a security incident.

A security analyst would find out about the new incident by email alert, or while monitoring the Incidents tab in the Information Manager console. The incident contains all the information that the analyst needs to determine the source and target of the attack.
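The Blaster identification sequence described above (one conclusion per port sweep, further conclusions from IDS events and the IP watch list, and an incident when several conclusions share a source IP) is easier to reason about in code. The Python below is an added toy model of that correlation, not Information Manager's Correlation Manager or its default rules: the sweep threshold, the number of conclusions that opens an incident, the watch list and all sample events are constructed assumptions. The ports are the ones the text names.

```python
"""Toy correlation of the Blaster-style sequence described above: per-port
sweep conclusions, an IDS conclusion and a watch-list conclusion are tied
together by source IP and promoted to a security incident.

Added illustration of the concept, not Information Manager's Correlation
Manager or its default rules. Thresholds, the watch list and the sample
events are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

SWEEP_PORTS = {135, 445, 4444}      # ports named in the guide's Blaster example
SWEEP_MIN_TARGETS = 3               # assumption: distinct hosts per port that make a sweep
INCIDENT_MIN_CONCLUSIONS = 2        # assumption: conclusions per source that open an incident
IP_WATCH_LIST: Set[str] = {"198.51.100.23"}   # constructed


@dataclass
class Conclusion:
    rule: str
    source_ip: str
    detail: str


@dataclass
class Incident:
    source_ip: str
    conclusions: List[Conclusion] = field(default_factory=list)
    targets: Set[str] = field(default_factory=set)


def sweep_conclusions(conn_events: List[Dict]) -> List[Conclusion]:
    """One conclusion per (source, port) pair that touched enough distinct hosts."""
    hosts: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for ev in conn_events:
        if ev["dst_port"] in SWEEP_PORTS:
            hosts[(ev["src_ip"], ev["dst_port"])].add(ev["dst_ip"])
    return [Conclusion("Port sweep", src, f"port {port} on {len(h)} hosts")
            for (src, port), h in sorted(hosts.items()) if len(h) >= SWEEP_MIN_TARGETS]


def ids_conclusions(ids_events: List[Dict]) -> List[Conclusion]:
    """Every IDS alert becomes a conclusion tied to its source address."""
    return [Conclusion("IDS signature", ev["src_ip"], ev["signature"]) for ev in ids_events]


def watchlist_conclusions(source_ips: Iterable[str]) -> List[Conclusion]:
    """An extra conclusion for any source that is already on the IP watch list."""
    return [Conclusion("IP watch list", ip, "source on watch list")
            for ip in sorted(set(source_ips) & IP_WATCH_LIST)]


def correlate(conn_events: List[Dict], ids_events: List[Dict]) -> List[Incident]:
    """Group conclusions by source IP and open an incident when enough accumulate."""
    conclusions = sweep_conclusions(conn_events) + ids_conclusions(ids_events)
    conclusions += watchlist_conclusions(c.source_ip for c in conclusions)
    by_src: Dict[str, List[Conclusion]] = defaultdict(list)
    for c in conclusions:
        by_src[c.source_ip].append(c)
    incidents: List[Incident] = []
    for src, cs in sorted(by_src.items()):
        if len(cs) >= INCIDENT_MIN_CONCLUSIONS:
            targets = {ev["dst_ip"] for ev in conn_events if ev["src_ip"] == src}
            incidents.append(Incident(src, cs, targets))
    return incidents


def _conn(src: str, dst: str, port: int) -> Dict:
    return {"src_ip": src, "dst_ip": dst, "dst_port": port}


SAMPLE_CONN = (  # constructed connection events
    [_conn("198.51.100.23", f"10.0.0.{i}", 135) for i in range(10, 14)]
    + [_conn("198.51.100.23", f"10.0.0.{i}", 445) for i in range(10, 13)]
    + [_conn("198.51.100.23", f"10.0.0.{i}", 4444) for i in range(10, 13)]
    + [_conn("10.0.0.8", f"10.0.0.{i}", 135) for i in range(20, 23)]   # one sweep only: no incident
    + [_conn("10.0.0.5", "10.0.0.30", 445)]                              # ordinary file-share access
)
SAMPLE_IDS = [  # constructed IDS alert
    {"src_ip": "198.51.100.23", "signature": "MS RPC DCOM buffer overflow attempt"},
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_CONN, SAMPLE_IDS):
        print(inc.source_ip, "->", sorted(inc.targets))
        for c in inc.conclusions:
            print("  ", c.rule, ":", c.detail)
```

On the sample data the external source collects five conclusions (three sweeps, one IDS signature, one watch-list hit) and becomes a single incident listing its four target hosts; the internal host that swept port 135 once gets one conclusion and no incident. That is the point of correlating conclusions rather than alerting on each event: the analyst receives one incident with source and targets already attached, instead of a dozen port-sweep alerts to join by hand.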

Threat containment, eradication, and recovery

When Information Manager alerts the security analyst about the incident, the analyst can use Information Manager to better understand the scope of the problem and to investigate eradication options. Information Manager facilitates the containment phase by providing the event data with the incident declaration. Rather than searching through countless log files, the analyst knows which events triggered the security incident, and which systems are affected. The incident also includes recommended corrective action from the Symantec Global Intelligence Network Threat Management System. This information enables the security analyst to quickly identify the corrective actions.

The analyst can now create a ticket that describes the tasks necessary to eradicatethe threat. The ticket includes the incident information, the event details, andthe recommended corrective actions. Ticket information can be made accessibleto an external help desk by the Information Manager Web Service.

Follow-up

After the threat has passed, the analyst can further analyze the effect of the incident. The analyst can fine-tune the correlation rules, event filters, and firewall rules to prevent the threat from occurring again. The analysts can also mine the event archive data if necessary and create the reports that document the scope of the incident and the security team's efforts to resolve it.

Viewing incidents

The incident list displays summarized information about incidents in the database. It also provides access to more detailed information about individual incidents.


About the incident list

Information Manager lets you view any combination of logged incidents and the details that are associated with those incidents. This flexible capability facilitates straightforward management of incidents. By viewing incident details and incident logs, you gain access to the history of the incident as well as the analyst's notes.

Using the filtering feature, you can view a subset of the incidents in the database.For example, you can view all open security incidents or only the open securityincidents that are assigned to you.

You can search for a specific incident by typing the Reference ID of the incidentin the Look for box. You can also type part of the Reference ID number, andInformation Manager displays all the incidents that contain that sequence ofnumbers. If you do not type in the Reference ID box, based on the selected filter,the search returns all incidents that you have permission to see.

The Incidents view consists of the incident list (the top portion of the window)and the incident preview pane. You can select an incident view from the Filterdrop-down list. The incident views that are available to select depend on the roles(permissions) that were assigned to you.

When you click an incident in the list, the incident preview pane displays additionalinformation about that incident. This pane contains a series of tabs on which youcan perform incident management tasks.

See “Viewing and modifying the incident list ” on page 293.

When you double-click an incident in the list, Information Manager displays the Incident Details window. This window contains the same information as the incident preview pane. You can have more than one Incident Details window open at one time, so you can easily switch between incidents.

The following table lists the incident preview tabs and their functions.

Table 16-1 Incident preview tabs

Details: Displays the incident details. You can view incident history and change several settings, such as the status, priority, and description.

Conclusions: Displays the conclusions of the events that are associated with the incident. You can view details about a conclusion and about the associated events.

Events: Displays the events that are associated with the incident. You can view details about an event; you can also remove one or more events, that is, disassociate them from the selected incident.
You can view additional information about some of the fields for a particular event. To see this information, right-click any of these fields:
■ Event Code: Includes attack effects, mechanisms, and resources. Also provides details about each type of vulnerability, malicious code, and exposure that is associated with the event code.
■ Source IP: Lists the incidents that are associated with the asset that uses this IP address. You can also view details about the asset and a list of any associated tickets.
■ Destination IP: Lists the incidents that are associated with the asset that uses this IP address. You can also view details about the asset and a list of any associated tickets.

Targets: Displays information about the target computers that are associated with the incident.

Attack Diagram: Displays a visual representation of the attack.

Intelligence: Displays the vulnerability information and target information about the computers that are associated with the incident.

Tickets: Displays summary information about the help desk tickets that have been created for the incident. You can also view ticket details.

Remediation: Displays the remediation suggestions that are associated with the incident. Remediation information is associated with the rule that was triggered.

Log: Displays the incident's log. You can view the change history of the incident, and you can add notes. You cannot change or delete log notes.

Viewing and modifying the incident list

The incident list displays at most the first 5,000 incidents in the database. For example, if 10,000 incidents come in, only the first 5,000 are displayed; the rest remain in the database but are not visible in the list. It is therefore important to assign or auto-assign incidents so that the queue of open incidents keeps moving and stays current.

See “About the incident list” on page 292.


Information Manager updates the list as new incidents are created; you do not need to refresh it manually. To freeze the list while you view it or modify incident records, click Lock View on the toolbar. While Lock View is checked, no new incidents are added to the list; the list catches up when you uncheck Lock View.

To view incidents

1 In the Information Manager console, click Incidents.

2 Take one or both of the following actions:

■ On the toolbar, in the Filter drop-down list, select a view. For example, to view only your open security incidents, under Security Incident Filters, click My Open Incidents. To view the open alerting incidents that are not yet assigned, under Alerting Incident Filters, click Unassigned Open Alerts. All of the incidents that meet the filter criteria appear in the incident list.

■ In the Reference ID box, type all or a portion of the ID of the specificincident that you want to view. You do not have to type the leading zeroes.Then click the Search by ID (magnifying glass) icon.All of the incidents that contain the numerals you typed appear in theincident list.

You can modify the appearance of the incident list by adding or removing columns(fields).

To add or remove columns from the incident list

1 On the toolbar, in the Filter drop-down list, select a view.

2 In the incident list, right-click any column heading.

3 In the drop-down menu, check a field name that you want to add to the list.Alternatively, uncheck a field name that you want to remove from the list.

4 Repeat steps 2 and 3 until the list contains the columns that you want.

The list modifications persist across sessions. Therefore, the next time thatyou log in to the Information Manager console, the list has the columnheadings that you selected in this procedure.

About creating and modifying incidents

Information Manager is populated with incidents by using the following methods:

■ Automatic creation of incidents by the Correlation Manager

■ Manual creation of incidents


The Correlation Manager automatically analyzes and correlates events to createincidents. Correlation Manager uses information from various sources to determinewhen to create an incident. Sources include correlation rules, the asset table, andGlobal Intelligence Network.

See the Symantec Security Information Manager Administrator Guide forinformation about the Correlation Manager.

You can manually create incidents in Information Manager. This capability istypically used for tracking the physical security threats that an intrusion detectionproduct would not identify.

When you create a new incident, Information Manager automatically generatesthe values for the information that is stored in the log: for example, Incident IDnumber, Incident Creator, and Rule Name.

See “ Creating incidents manually” on page 295.

Creating incidents manually

You can create incidents manually from the Incidents view as well as from the Events view. Incidents that are created from the Events view are associated with the selected events. By default, Information Manager assigns a severity of 1 to manually created incidents because their confidentiality, integrity, and availability values are unknown.

To create an incident manually from the Incidents view

1 In the Information Manager console, click Incidents.

2 On the toolbar, click + (the plus icon).

3 In the Create New Incident dialog box, set the following values or accept the defaults:

■ From the Type list, select the incident type.

■ From the State list, select the incident state.

■ In the Assignee field, click Find Users (...) to open the Find Users dialog box. In the Look in Group list, select a user group, and then select a user from that group. You can also type a user's details and search for that user.

■ In the Team field, click Find User Groups (...) to open the Find User Groups dialog box, and then select the team that is responsible for resolving the incident. You create teams with the user groups function on the System view.


■ From the Priority drop-down list, select a priority for the incident from1 to 5 (5 is the highest priority).

■ From the Severity drop-down list, select the severity of the incident from1 to 5 (5 is the highest severity).

■ In the Description box, enter a description of the incident.

■ (Optional) Check Tracking to continue to track the events that are associated with this incident.
You can change any of these values later.

4 Click OK.

See “Modifying incidents ” on page 296.

To create an incident manually from the Events view

1 In the Information Manager console, click Events.

2 Run the query that returns the event from which you want to create theincident.

3 In the events table, locate one or more events that you want to assign to anincident.

4 Right-click the event row, and then click Create Incident. If you want toassign more than one event to a single incident, use the Ctrl or Shift key toselect the desired rows.

You may select a maximum of 500 events per incident. If you want to assignmore than 500 events to a single incident, create multiple incidents and thenmerge them.

See “Merging incidents” on page 297.

5 Click Yes to confirm.

The Create New Incident dialog box appears. The event (or events) that youselected is listed on the Events tab in the lower section of the dialog box.

6 In the Create New Incident dialog box, specify the settings that you want for the new incident.

See “To create an incident manually from the Incidents view” on page 295.

7 Click OK.

Modifying incidents

You can modify the details that were set when the incident was created. For example, you can change the user to whom an incident is assigned.


See “About creating and modifying incidents” on page 294.

To modify an incident

1 In the Information Manager console, click Incidents.

2 From the Filter list, select the category of incidents that you want to modify. In the incident list, click the incident that you want to modify. To select more than one incident, hold down the Shift or Ctrl key.

3 In the preview pane, do any of the following:

■ Change the incident type by using the Type list. You can convert analerting incident to a security incident, and you can convert a securityincident to an alerting incident.

■ Change the incident's state by using the State list.

■ Change the user to whom the incident is assigned by clicking Find Users (...) to open the Find Users dialog box. In the Look in Group list, select a user group, and then select the assignee from that group. You can also type a user's details and search for that user. To change the Assignee field to Unassigned, click Clear.

■ Change the team to whom the incident is assigned by clicking Find UserGroups (...) and selecting the user group.To change the Team field to Unassigned, click Clear.

■ Change the incident's priority or severity, or both, by using the Priorityand Severity lists.

■ Stop tracking the events that are associated with the incident by unchecking the Tracking check box. This action is irreversible once you save and close the Incident Details dialog box: you cannot resume tracking the incident afterwards.

4 On the preview pane toolbar, click Save.

Merging incidents

If you decide that multiple incidents are about the same issue, you can merge them to reduce your system overhead. When you merge incidents, Information Manager closes the original incidents and creates a new incident. The new incident's log lists the reference IDs of all the merged incidents.

When you merge incidents, you can either keep the original incidents or delete them. If you keep them, Information Manager moves them to the Closed Incident list, where you can view them with the appropriate Closed Incident filter, for example My Closed Security Incidents. Each closed incident's log includes the reference ID of the new incident into which it was merged.

To merge incidents

1 In the Information Manager console, click Incidents.

2 Use the Filter drop-down list to select the view that you want.

3 In the incident list, select the incidents that you want to merge.

4 Click Merge Incidents on the toolbar.

5 In the Create Merged Incident dialog box, change any of the parameters that you want.

At a minimum, you must select a value for every field that is blank. A field is blank when the selected incidents have differing values for it: for example, if the incidents do not all have the same priority, the Priority field is blank, and you must select a priority for the new incident. You should also type a description for the new incident.

To change the Assignee or Team field to Unassigned, click Clear.

6 If you want to delete the original incidents after the merge, check Delete incidents after merge.

If you select this option, the original incidents are closed and deleted fromthe system. If you do not select this option, the original incidents remain inthe system after the merge, and they appear in the Closed Incidents list.

7 Click OK.

A new incident appears at the top of the incident list, and the original incidentsare removed from the list. They are either deleted or moved to the ClosedIncidents list, depending on your selection in step 6.

See “About incident management” on page 289.
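The merge behaviour described above, modelled in code as an added example (this is not Information Manager code). The Incident fields, the log wording, the "Closed" state name, and the rule that a description is required are assumptions of the example; what it reproduces from the guide is that fields with differing values come up blank and must be chosen, that the new incident's log carries the original reference IDs, and that originals are closed and either kept or deleted.

```python
"""Merge semantics for incidents, modelled on this section. Added example, not
Information Manager code; field names, log format and the "Closed" state name
are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Incident:
    ref_id: str
    incident_type: str          # "Security" or "Alerting"
    state: str                  # e.g. "Open", "In-Work", "Closed"
    priority: int               # 1..5, 5 is highest
    severity: int               # 1..5, 5 is highest
    assignee: Optional[str]     # None means Unassigned
    team: Optional[str]         # None means Unassigned
    description: str = ""
    log: List[str] = field(default_factory=list)


# Fields the Create Merged Incident dialog pre-fills from the selected incidents.
MERGEABLE_FIELDS = ("incident_type", "state", "priority", "severity", "assignee", "team")
# Fields that may not stay blank (Assignee and Team may legitimately be Unassigned).
REQUIRED_FIELDS = ("incident_type", "state", "priority", "severity")


def prefill_merged_fields(incidents: List[Incident]) -> Dict[str, object]:
    """Value shared by every selected incident, or None where the values differ.
    A None is a blank field in the dialog."""
    prefilled: Dict[str, object] = {}
    for name in MERGEABLE_FIELDS:
        values = {getattr(inc, name) for inc in incidents}
        prefilled[name] = values.pop() if len(values) == 1 else None
    return prefilled


def blank_fields(incidents: List[Incident]) -> List[str]:
    """Names of the fields that differ across the selected incidents."""
    return [k for k, v in prefill_merged_fields(incidents).items() if v is None]


def merge_incidents(incidents: List[Incident], new_ref_id: str,
                    chosen: Optional[Dict[str, object]] = None, description: str = "",
                    delete_originals: bool = False) -> Tuple[Incident, List[Incident]]:
    """Create one merged incident and close (or delete) the originals.

    `chosen` holds the analyst's values for blank fields. Returns the merged
    incident and the originals that remain in the system (empty when
    delete_originals is True)."""
    if len(incidents) < 2:
        raise ValueError("select at least two incidents to merge")
    fields = prefill_merged_fields(incidents)
    fields.update(chosen or {})
    still_blank = [k for k in REQUIRED_FIELDS if fields[k] is None]
    if still_blank:
        raise ValueError(f"select values for the blank fields: {still_blank}")
    if not description:   # the guide says you should type one; this example insists
        raise ValueError("type a description for the merged incident")
    merged = Incident(ref_id=new_ref_id, description=description, **fields)
    merged.log.append("merged from " + ", ".join(inc.ref_id for inc in incidents))
    remaining: List[Incident] = []
    for inc in incidents:
        inc.state = "Closed"
        inc.log.append(f"merged into {new_ref_id}")
        if not delete_originals:
            remaining.append(inc)
    return merged, remaining
```

The useful check is `blank_fields()` before calling `merge_incidents()`: it tells the analyst exactly which values the dialog will leave empty, and a merge attempted with any of those still unset is refused rather than silently producing an incident with no priority or severity.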

Closing an incident

You can close an incident when all recommended actions are complete. You can also close multiple incidents at the same time; the history log then records that those incidents were closed outside of the normal workflow.

After you have closed an incident, you can reopen it. Information Manager alsolets you close an incident before all actions are complete.

In some cases, when you close an incident, correlation may continue for a shortperiod of time until the closing process completes.


To close an incident

1 In the Information Manager console, click Incidents.

2 Using the Filter drop-down list, select the incident view that contains theincident to close.

3 In the incident list, click the incident to close, and then click Close on thetoolbar.

4 In the Close Incident window, select a disposition type from the Dispositiondrop-down list. For example, click Resolved.

5 (Optional) In the Notes box, type a note about the resolution of the incident.

Information Manager stores your comments in the log.

6 Click OK.

The incident is now closed, and you can view it with the All Closed Incidents view.

See “About incident management” on page 289.

Reopening a closed incident

Occasionally, you may need to reopen an incident that was previously closed.

To reopen a closed incident

1 In the Information Manager console, click Incidents.

2 Using the Filter drop-down list, select the incident view that contains theincident that you want to reopen. For example, you may select All ClosedIncidents.

3 In the incident list, double-click the incident to reopen.

4 In the State drop-down list, click the appropriate state, such as In-Work.

5 Click the Save icon on the toolbar.

6 Click OK.

See “Closing an incident” on page 298.

Printing incident details

Use this procedure to print the details for a specific incident.


To print incident details

1 In the Information Manager console, click Incidents.

2 Using the Filter drop-down list, select the incident view that contains theincident that you want to print.

3 In the incident list, double-click the incident.

4 In the Incident Details window, click the Print icon on the toolbar.

The print output appears in a new browser window.

5 On the File menu, click Print.

6 Select your print options, and click Print.

See “Printing the incident, ticket, or asset list” on page 300.

Printing the incident, ticket, or asset list

Printing an incident, ticket, or asset list is a two-part process:

■ First, you export the view that you want to a CSV file or an XML file. If youhave applied a filter to the list, Information Manager exports only those recordsthat the filter displays.See “Exporting the incident, ticket, or asset list” on page 300.

■ Then, you print the exported file from another application, such as a Webbrowser or a spreadsheet program.

Exporting the incident, ticket, or asset list

You can export data from the incidents list to an HTML, a CSV, or an XML file. You can export either the incidents that you select or all the incidents that are displayed in the list.

To export the incidents list

1 On the console of the Information Manager, click Incidents.

2 Using the Filter drop-down list, select the view that contains the list ofincidents that you want to export.

3 To export only selected incidents, hold down the Ctrl key and click each incident that you want to export.

4 On the top toolbar, click Export.

5 Select Selected Incidents to export only the selected incidents. Otherwise, keep the default, All Incidents.


6 In the Export window, select the format for the exported file.

You can export the incidents list to an HTML, a CSV, or an XML file on your desktop.

7 Click OK.

8 Enter the name for the file and navigate to the destination folder on yourdesktop.

You can also select the character set before you save the list.

9 Click Save to save the incidents list on your desktop computer.

You can export data from the tickets list to an XML file or a CSV file. After thedata is exported to a file, you can print it from a program such as a Web browseror spreadsheet program.

To export the tickets list

1 On the console of the Information Manager, click Tickets.

2 Using the Filter drop-down list, select the view that contains the list of ticketsthat you want to export.

3 On the top toolbar, click Export.

4 In the Export window, select the format for the exported file.

You can export the tickets list to a CSV or an XML file on your desktop.

5 Click OK.

6 Enter the name for the file and navigate to the destination folder on yourdesktop.

You can also select the character set before you save the list.

7 Click Save to save the tickets list on your desktop computer.

You can export data from the assets list to an XML file or a comma-separatedvalues (CSV) file. After the data is exported to a file, you can print it from a programsuch as a Web browser or spreadsheet program.

To export the assets list

1 On the console of the Information Manager, click Assets.

2 Using the Filter drop-down list, select the view that contains the list of assetsthat you want to export.

3 On the top toolbar, click Export.

4 In the Export window, select the format for the exported file.

You can export the assets list to a CSV or an XML file on your desktop.


5 Click OK.

6 Enter the name for the file and navigate to the destination folder on yourdesktop.

You can also select the character set before you save the list.

7 Click Save to save the assets list on your desktop computer.

See “About incident management” on page 289.

Assigning incidents automatically to the least busy member in a user group

Rules and monitors can be set to assign incidents automatically to a user group or to a user within the user group. You can also set rules and monitors to assign incidents automatically to the least busy member of a user group. Least-busy assignment applies to user groups only; the member with the lowest incident load factor is treated as the least busy member.

See “About automatically assigning incidents” on page 59.

The first time that incidents are assigned automatically to a user group, the assignment goes to the first user in that group.

When an incident is assigned to a member of the user group, a log entry is created for that incident. In the incident log, the entry is attributed to SSIM, with the user name of that member.

To assign incidents automatically to the least busy user

1 In the Information Manager console, click Rules.

2 Select the rule or monitor whose incidents you want to assign automatically.

3 On the Actions tab, check Enable Auto Assign.

4 Check Assign to least busy user, and then select the user group. When the rule is deployed, new incidents are assigned automatically to the least busy member of that user group.
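The selection rule from this section, written out as an added example (not Information Manager code) so the two edge cases are visible: the group's first automatic assignment goes to the first listed member regardless of load, and every later one goes to the lowest load factor with ties broken by list order. The guide defines the incident load factor elsewhere; this example assumes it is simply the number of open incidents currently assigned to the member, and the log tuple format is an assumption too.

```python
"""Least-busy auto-assignment as this section describes it. Added example, not
Information Manager code. Assumption: load factor = number of open incidents
assigned to the member."""
from typing import Dict, List, Set, Tuple


class LeastBusyAssigner:
    def __init__(self, groups: Dict[str, List[str]]):
        # Member order matters: the first listed user receives the group's
        # first automatic assignment, whatever the current loads are.
        self.groups = groups
        self.open_incidents: Dict[str, Set[str]] = {
            user: set() for members in groups.values() for user in members
        }
        self.groups_assigned_once: Set[str] = set()
        # (incident_id, actor, message); actor is "SSIM" for automatic assignments.
        self.incident_log: List[Tuple[str, str, str]] = []

    def record_open(self, user: str, incident_id: str) -> None:
        """Register an incident already open for a user (e.g. assigned manually)."""
        self.open_incidents[user].add(incident_id)

    def close(self, user: str, incident_id: str) -> None:
        self.open_incidents[user].discard(incident_id)

    def load_factor(self, user: str) -> int:
        return len(self.open_incidents[user])

    def least_busy(self, group: str) -> str:
        members = self.groups[group]
        if group not in self.groups_assigned_once:
            return members[0]                      # first-assignment rule
        # min() keeps the first member on ties, so list order breaks ties.
        return min(members, key=self.load_factor)

    def auto_assign(self, incident_id: str, group: str) -> str:
        user = self.least_busy(group)
        self.groups_assigned_once.add(group)
        self.open_incidents[user].add(incident_id)
        self.incident_log.append((incident_id, "SSIM", f"assigned to {user}"))
        return user
```

Note that a member who already carries manually assigned incidents still receives the group's first automatic assignment if listed first; only from the second assignment on does the load factor decide.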


Chapter 17

Working with filters in the Incidents view

This chapter includes the following topics:

■ About filtering incidents

■ Modifying a custom filter

■ Creating a custom filter

■ Deleting a custom filter

■ Searching within incident filtering results

About filtering incidents

You can filter the incident list to display only the incidents that meet specific criteria. In this way, the filter acts as a query. For example, you can create a filter to find all incidents with a severity of 5, or all incidents that are assigned to a particular analyst.

An incident appears in the results only if it meets every criterion that is selected in the filter; the criteria are combined with AND, not OR. Only you can view the filters that you create; other users cannot see them.

See “About incident management” on page 289.

Modifying a custom filter

After you create a custom filter, you can modify the filter criteria when needed.


To modify a custom filter

1 In the Information Manager console, click Incidents.

2 On the toolbar, click the custom filter (funnel-shaped) icon.

3 In the left pane of the Custom Incident Filter Editor window, click the name of the filter that you want to change.

4 Modify the filter criteria as you want, and click OK.

See “About filtering incidents” on page 303.

Creating a custom filter

You can create custom filters, or views, to find and view the incidents that meet criteria that you specify. When you select a custom filter or another view from the Filter drop-down list, Information Manager displays the incidents that match the filter criteria.

To create a custom filter

1 In the Information Manager console, click Incidents.

2 On the toolbar, click the custom filter (funnel-shaped) icon.

3 In the Custom Incident Filter Editor window, click Add.

4 In the New Filter dialog box, select either Incident or Alert.

This setting determines the filter type.

5 In the Filter Criteria dialog box, select the filter criteria, and then click OK.

6 In the Enter Filter Name dialog box, type a name for the filter, and click OK.

The incident list now displays only the incidents that meet the filter criteria. The name of the new filter appears under Custom Filters in the Filter drop-down list. An icon next to the filter name indicates whether it is an alerting incident filter or a security incident filter.

See “About filtering incidents” on page 303.

Deleting a custom filter

You can delete a custom filter when it is no longer needed.


To delete a custom filter

1 In the Information Manager console, click Incidents.

2 On the toolbar, click the custom filter (funnel-shaped) icon.

3 In the left pane of the Custom Incident Filter Editor window, click the name of the filter that you want to delete.

4 Click Remove.

5 In the confirmation dialog box, click Yes.

6 Click OK.

See “About filtering incidents” on page 303.

Searching within incident filtering results

When you display a set of incidents on the Incidents view, you can search for specific incidents within the results. Use the Look For field to search for a string or IP address that appears in an incident. A substring search looks in every field of the incident table that holds a string value or an IP address.

You can also use the Find Incident or Alert dialog box to search for a specific incident ID or alert ID. This dialog box opens when you click Search on the top menu of the Incidents view.

Each substring search in the Look For field evaluates the original set of incidents that the filter returned, not the results of the previous search, so successive searches do not narrow one another.

To search for a substring or IP address within incident filtering results

1 In the Information Manager console, on the Incidents view, display theincidents for which you want to perform the search. You can use the filteringoptions to identify the dataset.

2 In the Look For text box, type the substring for which you want to search.

3 Click Search, next to the Look For field.

To search for a specific incident ID or alert ID

1 In the Information Manager console, on the Incidents view, display theincidents for which you want to perform the search. You can use the filteringoptions to identify the dataset.

2 In the top menu bar, click Search.


3 In the Find Incident or Alert dialog box, in the Search for Specific ID: textbox, type the ID.

4 Click Search.
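The three lookup behaviours this chapter and the preceding one describe (a filter whose criteria are ANDed, a Look For substring search that always re-evaluates the filter's original result set over string and IP fields, and a Reference ID search in which leading zeroes are optional and a partial ID matches any ID containing it), run over a CSV export of the kind produced by the Export procedure in "Exporting the incident, ticket, or asset list". This is an added example, not Information Manager code: the column names are an assumption about the export format, the rows are constructed sample data, and treating Priority and Severity as the only non-string, non-IP columns is the example's assumption.

```python
"""Filter, Look For and Reference ID search semantics, run over a constructed
CSV export of the incident list. Added example, not Information Manager code;
column names are assumed and the rows are made up."""
import csv
import io
from typing import Dict, List

# Constructed sample in the shape of an incident-list CSV export (assumed columns).
SAMPLE_EXPORT = """\
Reference ID,Type,State,Priority,Severity,Assignee,Source IP,Destination IP,Description
0000000412,Security,Open,4,5,alice,10.1.2.3,192.168.5.10,Brute-force logins against VPN gateway
0000000418,Security,In-Work,3,5,bob,10.1.2.3,192.168.5.20,Suspicious outbound beacon
0000000420,Alerting,Open,2,3,,172.16.0.9,192.168.5.10,Port scan from lab segment
0000000431,Security,Closed,5,5,alice,10.1.2.77,192.168.5.10,Malware on file server
"""

# Columns that hold neither a string value nor an IP address; Look For skips them.
NUMERIC_COLUMNS = {"Priority", "Severity"}

Row = Dict[str, str]


def load_export(text: str) -> List[Row]:
    """Parse an exported CSV into one dict per incident."""
    return list(csv.DictReader(io.StringIO(text)))


def apply_filter(rows: List[Row], criteria: Dict[str, str]) -> List[Row]:
    """A filter is a conjunction: a row is returned only if every criterion matches."""
    return [r for r in rows if all(r[col] == want for col, want in criteria.items())]


def look_for(filter_results: List[Row], needle: str) -> List[Row]:
    """Case-insensitive substring search across every string or IP field.
    It takes the filter's original result set as input each time, so two
    searches in a row do not narrow each other."""
    needle = needle.lower()
    return [r for r in filter_results
            if any(needle in value.lower()
                   for col, value in r.items() if col not in NUMERIC_COLUMNS)]


def find_by_id(rows: List[Row], typed: str) -> List[Row]:
    """Search by ID: leading zeroes are optional, and a partial ID matches any
    Reference ID that contains the typed digit sequence (empty input matches all)."""
    digits = typed.lstrip("0")
    return [r for r in rows if digits in r["Reference ID"]]


def ref_ids(rows: List[Row]) -> List[str]:
    return [r["Reference ID"] for r in rows]
```

Because `look_for()` is always handed the filter's result list rather than the previous search's hits, searching for a destination IP after searching for "vpn" returns the full set of matches for that IP, which is the behaviour the guide describes for the Look For field.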

See “About filtering incidents” on page 303.


Section 7

Working with tickets

■ Chapter 18. Managing tickets

■ Chapter 19. Working with filters in Tickets view


Chapter 18

Managing tickets

This chapter includes the following topics:

■ About tickets

■ About creating tickets

■ Creating a ticket manually

■ Creating a ticket category

■ Viewing tickets

■ About the Ticket Details window

■ Viewing tickets associated with a specific incident

■ Setting ticket task dispositions

■ Changing the priority of a ticket

■ Adding a ticket note

■ Closing a ticket

■ Printing the ticket list

About tickets

Tickets let you track the work items that are necessary to resolve an incident. When you create a ticket for an incident, you can designate the tasks that you want to be performed. You can select the tasks that the Symantec Global Intelligence Network suggests, or you can enter your own tasks manually.

A ticket is associated with assets only after at least one task has been added to the ticket.

See “About the Ticket Details window” on page 312.


About creating tickets

Creating a ticket consists of selecting the incident, entering the ticket information, adding ticket tasks, and adding task instructions. You can also add your own custom tasks.

Creating a ticket manually

Complete these steps to create a ticket manually.

To create a ticket

1 In the Information Manager console, click Incidents.

2 In the incident list, click the incident for which you want to create a ticket.If you want to assign multiple incidents to the ticket, use the Ctrl key or theShift key to select the incidents.

3 On the top toolbar, click Create Ticket.

4 In the Create Ticket window, type a summary in the Summary box.

5 From the Priority drop-down list, select a priority for the ticket.

6 In the Category field, click the selection icon and select a category for theticket.

7 In the Creator area, type your name, email address, and telephone number(optional).

8 In the Assignee area, select the ID of the user to whom you want to assign the ticket. You can also type the user's name, email address, and telephone number (optional).

9 Add instructions and tasks to the ticket.

To add instructions

1 On the Instructions tab, click inside the text pane and type the instructionsfor the task.

2 If you want to use Global Intelligence Network information to help you write the instructions, click the Add Intelligence to Instructions icon on the toolbar. Then do the following:

■ In the View by drop-down list, select Target or Vulnerability.If intelligence is available, it appears in the panes at the bottom of thedialog box.

■ Select the appropriate intelligence, and then click Add to Instructions.


■ Click Close.

3 When you finish adding instructions, click OK.

To add custom tasks

1 On the Tasks tab, click + (the plus icon) on the toolbar.

2 In the Add New Task dialog box, type a task summary in the Summary box.

3 In the Description box, type a description of the task (optional).

4 You may do one of these optional steps:

■ In the Host Name box, type the host name of the computer where the task should be performed.

■ In the IP Address box, type the IP address of the computer where the task should be performed.

■ In the MAC address box, type the MAC address of the computer where the task should be performed.

5 If you want to use Global Intelligence Network information to help you define the task, click the Add Intelligence to Instructions icon on the toolbar. Then do the following:

■ In the View by drop-down list, select Target or Vulnerability. If intelligence is available, it appears in the panes at the bottom of the dialog box.

■ Select the appropriate intelligence, and then click Add to Tasks.

■ Click Close.

6 Click OK.

See “About tickets” on page 309.

Creating a ticket category

By default, you can assign the following categories to a ticket:

■ Default

■ Patch System

■ Research System

You can also create custom categories using the System view.


To create a ticket category

1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain.

2 Click Help Desk.

3 On the toolbar, click + (the plus icon).

4 In the dialog box, type the name for the new ticket category.

5 Click OK.

See “About tickets” on page 309.

Viewing tickets

The ticket list provides a convenient preview pane that displays information about the selected ticket. The Details box and several tabs provide all of the information about a ticket. You can also double-click a ticket and view the same information in the Ticket Details window. With proper access rights, you can change information such as status or priority from either the preview pane or the Ticket Details window.

To view a ticket

1 In the Information Manager console, click Tickets.

2 On the top toolbar, select the ticket view from the Filter drop-down list. For example, to view only your open tickets, click My Open Tickets.

Note that you can create a custom view by clicking the custom filter (funnel-shaped) icon.

See “Filtering tickets” on page 317.

3 Double-click a ticket to display detailed information in a new window.

See “About the Ticket Details window” on page 312.

About the Ticket Details window

The Details pane at the top of the Ticket Details window displays the following information:

Ticket ID: The unique ID number that is assigned to the ticket when it is created.

Summary: A summary description of the ticket.

Category: The category of the ticket. The category can be one of the default types, such as Patch System, or a custom category.

State: The status of the incident (Open, Closed, or Not Applicable).

Priority: A number between 1 and 5 (inclusive) that indicates the level of urgency that is assigned to the ticket (5 is the most serious priority).

Created Time: The time when the ticket was created. The time is displayed in the current client's local time zone and stored in coordinated universal time (UTC) format in the database.

Modified Time: The time when the ticket data was last edited.

The Creator pane displays the logon ID of the ticket creator and contact information. The Help Desk Assignee pane displays the ID of the person to whom the ticket is assigned, along with contact information.

At the bottom of the window, you can see the Incidents, Tasks, Instructions, and Log panes, which are accessible by clicking on their respective tabs:

Incidents: Displays the information about the incidents that are associated with the ticket. You can also add and remove incidents by clicking the + and - icons in the taskbar.

Tasks: Displays any required tasks that have been associated with the ticket. When you associate a task with a specific IP address of an asset, the asset displays the ticket on the Tickets tab. You can also add and remove tasks by clicking the + and - icons in the taskbar.

Instructions: Displays any additional user-defined instructions that have been associated with the ticket. You can also add and remove instructions by clicking the + and - icons in the taskbar.

Logs: Displays the history of activity that is related to the ticket. Some activities, such as ticket creation, are automatically logged. You can also add a note to the ticket by clicking the + icon in the taskbar.

See “About tickets” on page 309.

Viewing tickets associated with a specific incident

You can search for a ticket by using the Search by Ticket ID box on the Tickets view. You do not have to type the entire ID number; Information Manager searches for substrings.


Another way to view ticket information is to use the Incidents view. The Tickets tab in the Incident preview pane lets you view the tickets that are associated with a specific incident.

See “About the Ticket Details window” on page 312.

To view the tickets associated with a specific incident

1 In the Information Manager console, click Incidents.

2 In the incident list, click the incident.

3 In the Incident preview pane, click the Tickets tab.

4 To view detailed information about a ticket, double-click the row that you want in the list of tickets.

Setting ticket task dispositions

You can set a disposition to indicate the completion status of a task for a ticket. This field helps you track the progress that has been made to resolve the incident.

To set a ticket task disposition

1 In the Information Manager console, click Tickets.

2 In the ticket list, click the ticket.

3 In the Ticket Details view, on the Tasks tab, double-click the task for which you want to set a disposition.

4 In the Edit Task Disposition window, select a disposition from the drop-down list.

5 Click Apply.

The new disposition appears in the Disposition column.

6 Click OK.

See “Viewing tickets associated with a specific incident” on page 313.

Changing the priority of a ticket

You can change the priority of a ticket when ticket tasks are completed or when new incidents occur.

To change the priority of a ticket

1 In the Information Manager console, click Tickets.

2 In the ticket list, click the ticket.


3 In the Ticket Details view, in the Priority box, select the priority.

4 Click Save.

See “About tickets” on page 309.

Adding a ticket note

Information Manager automatically keeps a log of the creation or modification of a ticket. You can add notes or comments to a ticket's log. This is helpful in tracking the progress of a ticket task.

To add a ticket note

1 In the Information Manager console, click Tickets.

2 In the ticket list, click the ticket.

3 In the Ticket Details view, on the Log tab, click Add a note to the log for this ticket.

4 In the Add Ticket Note window, type the note.

5 Click Save.

6 In the Ticket Details window, click OK.

Closing a ticket

You can close a ticket when you are finished working on it. You can view closed tickets by selecting one of the Closed Tickets views in the Filter drop-down list. You can also reopen a closed ticket.

To close a ticket

1 In the Information Manager console, click Tickets.

2 In the ticket list, click the ticket.

3 In the Ticket Details view, in the State pull-down menu, click Closed.

4 Click OK.

5 In the Ticket Disposition window, select a disposition for the ticket from the Disposition drop-down list.

6 Optionally, type a note in the Notes box.

7 Click Save.


Printing the ticket list

Printing the ticket list is a two-part process:

■ First you export the view that you want to a file. If you have applied a filter to the ticket list, Information Manager exports only those tickets that the filter displays.

■ Then you print the exported file from another application, such as a Web browser or a spreadsheet program.

See “Exporting the incident, ticket, or asset list” on page 300.

See “Viewing tickets” on page 312.


Chapter 19: Working with filters in Tickets view

This chapter includes the following topics:

■ Filtering tickets

■ Modifying a custom ticket filter

■ Deleting a custom ticket filter

Filtering tickets

When you manage tickets, you need to search for a specific set of data. You can use the ticket list filter as a query to display only those tickets that meet your criteria. For example, you can create a filter to find all tickets with a severity of 5. You can create a filter to find all tickets that are assigned to a particular analyst.

The query reports positive results only if all of the selected criteria are met. You can view only the filters that you create. Other users are not able to view your filters. Additionally, note that filters are not case sensitive and do not support wildcard characters.

See “About tickets” on page 309.

To create a custom ticket filter

1 In the Information Manager console, click Tickets.

2 On the top toolbar, click the custom filter (funnel-shaped) icon.

3 In the Custom Ticket Filter Editor dialog box, click Add.


4 In the New Filter dialog box, select the filter criteria for the following options:

Assignee: The name of the person who is assigned to the ticket.

Category: The category of the ticket. The category can be one of the default types (such as Patch System), or a custom category.

Created Time: The date range when the ticket was created.

Creator: The individual who created the ticket.

Instructions: A word or group of words from the ticket's overall instructions.

Modified Time: The date range when the ticket was modified.

Priority: A number between 1 and 5 indicating the priority that is assigned to the ticket (5 is the most serious).

Summary: A word or group of words from the ticket's summary box.

State: The status of the ticket.

Ticket ID: The ID of the ticket.

5 In the New filter name dialog box, type the name of the custom filter, and then click OK.

6 Click OK.
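The filter semantics described above (every selected criterion must match, matching is case-insensitive, wildcards are not supported, the Ticket ID is matched on substrings, and Created Time is stored in UTC but entered in the client's local zone), modelled as an added Python example. This is not Information Manager code: the ticket fields, the sample records and the per-field match rules are assumptions made for illustration.

```python
"""Ticket filter semantics from the guide, modelled in Python.

Added example, not Information Manager code. The ticket fields, the sample
records and the per-field match rules (substring for free text, equality for
State, Category and Priority) are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

UTC = timezone.utc


@dataclass
class Ticket:
    ticket_id: str
    summary: str
    instructions: str
    state: str          # Open, Closed, or Not Applicable
    priority: int       # 1 to 5, where 5 is the most serious
    category: str
    creator: str
    assignee: str
    created: datetime   # stored in UTC, as the guide says the database does


@dataclass
class TicketFilter:
    """Criteria left as None are not part of the query."""
    assignee: Optional[str] = None
    category: Optional[str] = None
    creator: Optional[str] = None
    instructions: Optional[str] = None
    summary: Optional[str] = None
    state: Optional[str] = None
    ticket_id: Optional[str] = None
    priority: Optional[int] = None
    # The date range is entered in the client's local time zone.
    created_between: Optional[Tuple[datetime, datetime]] = None


def _contains(haystack: str, needle: str) -> bool:
    """Case-insensitive substring match. '*' and '?' are ordinary
    characters because the guide says filters do not support wildcards."""
    return needle.lower() in haystack.lower()


def _in_range(stored_utc: datetime, rng: Tuple[datetime, datetime]) -> bool:
    """Compare a stored UTC timestamp with a range entered in local time."""
    start, end = (d.astimezone(UTC) for d in rng)
    return start <= stored_utc <= end


def matches(t: Ticket, f: TicketFilter) -> bool:
    """The query reports a hit only when every selected criterion is met."""
    text_criteria = [
        (f.assignee, t.assignee), (f.creator, t.creator),
        (f.instructions, t.instructions), (f.summary, t.summary),
        (f.ticket_id, t.ticket_id),   # substring search, as Search by Ticket ID does
    ]
    for wanted, actual in text_criteria:
        if wanted is not None and not _contains(actual, wanted):
            return False
    if f.state is not None and t.state.lower() != f.state.lower():
        return False
    if f.category is not None and t.category.lower() != f.category.lower():
        return False
    if f.priority is not None and t.priority != f.priority:
        return False
    if f.created_between is not None and not _in_range(t.created, f.created_between):
        return False
    return True


def matching_ids(tickets: List[Ticket], f: TicketFilter) -> List[str]:
    """Ticket IDs that the filter would display, in list order."""
    return [t.ticket_id for t in tickets if matches(t, f)]


def local_range(offset_hours: int, start: tuple, end: tuple) -> Tuple[datetime, datetime]:
    """Build a (start, end) range in a fixed-offset local zone from
    (year, month, day, hour, minute) tuples, as a user's client would."""
    tz = timezone(timedelta(hours=offset_hours))
    return datetime(*start, tzinfo=tz), datetime(*end, tzinfo=tz)


# Constructed sample tickets (not real data).
SAMPLE_TICKETS = [
    Ticket("1012", "Brute-force logons against VPN gateway", "Block the source",
           "Open", 5, "Research System", "jdoe", "asmith",
           datetime(2011, 3, 1, 3, 30, tzinfo=UTC)),
    Ticket("1200", "Patch web server per incident 42", "Apply the vendor patch",
           "Closed", 3, "Patch System", "asmith", "jdoe",
           datetime(2011, 3, 2, 14, 0, tzinfo=UTC)),
    Ticket("1301", "brute force alert on mail relay", "Research the origin",
           "Open", 4, "Default", "jdoe", "asmith",
           datetime(2011, 3, 4, 12, 0, tzinfo=UTC)),
]
```

The last assertion in the accompanying check is the one worth noticing: a ticket created at 03:30 UTC on 1 March is found by a filter for the evening of 28 February entered in a UTC-5 client, because the range is converted to UTC before comparison.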

Modifying a custom ticket filter

Complete the following steps to modify a custom ticket filter.

To modify a custom ticket filter

1 In the Information Manager console, click Tickets.

2 On the top toolbar, click the custom filter (funnel-shaped) icon.

3 In the left pane, click the filter that you want to modify.

4 In the right pane, modify the filter criteria.

5 Click OK.

See “Filtering tickets” on page 317.


Deleting a custom ticket filter

You can delete a custom filter when it is no longer needed.

To delete a custom ticket filter

1 In the Information Manager console, click Tickets.

2 On the top toolbar, click the custom filter (funnel-shaped) icon.

3 In the left pane, click the filter that you want to delete.

4 Click Remove.

See “Filtering tickets” on page 317.


Chapter 20: Working with Assets

This chapter includes the following topics:

■ About the Assets view

■ Importing assets into the Assets table

About the Assets view

The Assets view lets you view and manage Information Manager assets. You can use the Assets view to identify critical assets in your environment and to track the incidents and the tickets that are related to those assets.

You can export the assets data in CSV and XML formats by using the export icon.

You can identify the network assets that have one or more of the following attributes:

■ Host critical information or services

■ Host confidential information

■ Have specific roles on the network, such as firewall or vulnerability scanning devices.

■ Require high availability

■ Comply with policies such as Sarbanes-Oxley or HIPAA.

The Correlation Manager uses the asset information to identify and prioritize incidents. The Correlation Manager creates an incident when an asset's vulnerabilities are exploited by a threat. The Correlation Manager sets the incident priority based upon the confidentiality, integrity, and availability ratings that you assign to the asset.

The correlation rules depend upon the asset information, so identifying key network assets on the Assets view is a critical configuration step.


You can populate the list of assets in any of the following ways:

■ Manually add entries in the Assets view.

■ Create assets based upon computers in the Targets tab for an incident on the Incidents view.

■ Create assets from the query results of the Source View query and Target View query that are under the System Queries on the Events view.

■ On the Assets view, import a list of assets in XML or CSV format. For example, you can export a list of network computers from Active Directory, convert the file to Information Manager format, and then import the file.

■ Create assets by integrating Information Manager with a policy compliance assessment tool, such as Control Compliance Suite.

■ Create assets by integrating Information Manager with a network vulnerability scanner. You can use the Asset Detector rule under Monitor > System Monitors on the Rules view to choose the vulnerability scan products that automatically populate the assets table.

Because you may run vulnerability scans periodically on your network, you may want to lock the asset information for particular computers. If you lock an asset, the vulnerability scan does not modify the list of the services that are hosted on the asset. A vulnerability scan updates the asset vulnerabilities, regardless of the asset lock status.

You can filter the view of the assets in your environment using the filtering options or asset groups.

From each of the views, you can search for an asset by its IP address or host name by entering the information in the Search Asset field, and then clicking the search icon.

Double-clicking an asset in the asset list opens the Asset Details dialog box. To update the asset, modify the asset fields and click the Save icon. You can update multiple assets simultaneously by opening an Asset Editor dialog box for each asset that you want to modify.

Table 20-1 lists the Asset view tabs and their functions.

Table 20-1 Assets view tabs

Details: Displays the network identification, description, priority, organization, operating system, and lock information for the selected asset.

Policies: Displays any policies that apply to the selected asset. You can add policies to an asset from a customizable list of regulatory policies. To customize the list of available policies, select the Administration tab on the System view. You can also delete policies from the asset.

Services: Displays the network services that are hosted by the selected computer. You can add services to an asset from a customizable list of well-known services. To customize the list of services, select the Administration tab on the System view. You can also delete services from the asset.

Incidents: Lists any incidents that pertain to the selected asset. The incident list provides a convenient way to monitor the security activity that is related to an asset.

Tickets: Lists any tickets that pertain to the selected asset. The ticket list provides a convenient way to monitor work-order activity that is related to an asset.

Vulnerabilities: Displays the discovery date, CVE ID, BugTraq ID, and description of the vulnerabilities that are discovered on the asset. The vulnerability information is tracked when the assets are imported from a vulnerability scanner.

Importing assets into the Assets table

You can use a comma-separated value (CSV) file or an XML file to import asset information into the Assets table.

Note: If you import assets using a CSV file, policy and services information is not included during the import. To retain this information for the assets that are already listed in the console, export the assets to an XML file. Use the XML file to re-import the assets. The XML files that Information Manager generates include any existing policy and services data that is available for each asset. The CSV files do not include this information.


To import assets into the Assets table

1 Create a CSV file containing comma-separated values using the appropriate format. To see the correct format, create an asset in the Asset table, and then export the asset list as a CSV file. Use the exported list as a template for adding assets to the file.

If you use the Active Directory Users and Computers snap-in that Microsoft provides, export the list of computers that Active Directory tracks. Save the file as a CSV file.

2 In the Information Manager console, on the Assets view, click Import.

3 In the Import Assets dialog box, navigate to the folder in which you saved the assets file, select the file, and click Open.

If you import a set of assets that includes non-UTF-8 character data, you must select the appropriate set from the Character Set drop-down list.

4 Follow the on-screen instructions.
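Step 1 leaves the conversion of the Active Directory export into the console's CSV layout to you. The following added Python example (not Symantec code) shows one way to do it: it takes the target column layout from the header row of a CSV you exported from the Assets view, maps the AD columns onto it, and writes UTF-8 so that no character set selection is needed at import. The column names, the snap-in export layout and the sample data are all constructed assumptions.

```python
"""Convert a computer list exported from Active Directory Users and
Computers into the column layout of a CSV exported from the Assets view.

Added example, not Symantec code. Assumptions (none of these names come
from the guide): the template header row is taken from a CSV you exported
from the console, the AD export carries 'Name' and 'Description' columns,
and the AD file may be in a legacy code page rather than UTF-8.
"""
import csv
import io
from typing import Dict, List


def template_columns(template_csv: str) -> List[str]:
    """The header row of the console-exported CSV defines the target layout."""
    return next(csv.reader(io.StringIO(template_csv)))


def convert_ad_export(ad_bytes: bytes, source_encoding: str, columns: List[str],
                      column_map: Dict[str, str], defaults: Dict[str, str]) -> List[dict]:
    """Map each AD row onto the template columns.

    column_map: AD column name -> template column name.
    defaults:   template column -> constant for every row (for example a
                priority), overridden wherever column_map fills the column.
    Rows with an empty Name are skipped and duplicate names (AD computer
    names are case-insensitive) are dropped so the import creates no blank
    or repeated assets. Both rules are this example's choice.
    """
    text = ad_bytes.decode(source_encoding)   # decode the legacy code page first
    seen = set()
    rows = []
    for src in csv.DictReader(io.StringIO(text)):
        name = (src.get("Name") or "").strip()
        if not name or name.lower() in seen:
            continue
        seen.add(name.lower())
        row = dict.fromkeys(columns, "")
        row.update({c: v for c, v in defaults.items() if c in row})
        for ad_col, tmpl_col in column_map.items():
            if tmpl_col in row:
                row[tmpl_col] = (src.get(ad_col) or "").strip()
        rows.append(row)
    return rows


def write_utf8_csv(rows: List[dict], columns: List[str]) -> bytes:
    """Serialise in the template's column order, encoded as UTF-8."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=columns, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue().encode("utf-8")


# Constructed sample: a template with placeholder column names as a console
# export might look, and a snap-in export saved in Windows-1252.
SAMPLE_TEMPLATE = ("Host Name,IP Address,Description,Priority\n"
                   "fileserver01,10.0.0.5,Finance share,3\n")
SAMPLE_AD_EXPORT = (
    "Name,Type,Description\n"
    "WEB01,Computer,Intranet web server\n"
    "web01,Computer,duplicate entry\n"
    "DB-FIN,Computer,Base de donn\xe9es finance\n"
    ",Computer,blank name\n"
).encode("cp1252")


def demo() -> List[dict]:
    """Run the conversion over the constructed sample."""
    cols = template_columns(SAMPLE_TEMPLATE)
    return convert_ad_export(SAMPLE_AD_EXPORT, "cp1252", cols,
                             {"Name": "Host Name", "Description": "Description"},
                             {"Priority": "2"})


if __name__ == "__main__":
    print(write_utf8_csv(demo(), template_columns(SAMPLE_TEMPLATE)).decode("utf-8"))
```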

See “About the Information Manager console” on page 29.


Section 8: Working with reports and dashboards

■ Chapter 21. Managing reports

■ Chapter 22. Managing dashboards


Chapter 21: Managing reports

This chapter includes the following topics:

■ Working with reports

■ Performing a drill-down on reports

Working with reports

You can create your own customized reports by inserting queries, graphics, and other elements in a report template. Then you can publish, print, and schedule them for email delivery to specified recipients. You can also import and export reports.

About reports

You can also schedule the queries that can be distributed as reports in the CSV format.

See “Scheduling queries that can be distributed as reports” on page 337.

Creating custom reports

You can place a single query in a report, or you can insert multiple queries. Each query can be on a separate page, or you can divide a single page into sections and insert one query in each section. You can also insert other elements, such as text and graphics. Reports are limited to 1,000 pages. If the report is longer than 1,000 pages, the results are truncated.


Note: If you plan to publish and distribute the report to other users, you must select a query from Published Queries. In the Query Chooser window, you can drag a query from the My Queries folder to the Published Queries folder.

Table 21-1 describes the formatting options that you can use when you create a custom report. The options appear on a menu when you right-click the report template. Each menu option has a corresponding icon on the report design toolbar.

Table 21-1 Report building options

Insert Text:

■ To include generated text, such as the date the report was generated, make a selection from the Report Parameters drop-down list, and click Add.

■ To include your own text, type in the text box.

■ When you finish, click OK.

Insert Image:

■ Browse to the location of the image.

■ After you select the desired image, click OK.

Note: You may insert only JPG and GIF files that are 100 KB or less. Information Manager does not support BMP or other image files in reports.

Insert Line: This option inserts a horizontal line in the center of the selected area of the report.

Insert Query: In the Query Chooser window, navigate to the name of the desired query, and select it. Click Insert. (This option is not available when the cursor is in the header or the footer area.)

Note: If you plan to publish and distribute the report to other users, you must select a query from Published Queries. In the Query Chooser window, you can drag a query from My Queries to Published Queries.

If the query that you want is not available, you can use the Query Wizard on the Events view to create a query. See the section on managing event archives for more information.

Add Grid: Select the number of rows and columns, and then click OK. An empty grid appears in the selected area. You can select any section of the grid and insert text, images, and so on. You can also size any section of the grid by dragging the borders of the section.

Add Row: This option subdivides the selected area by inserting a blank row. You can also size the row by dragging its borders.

Add Column: This option subdivides the selected area by inserting a blank column. You can also size the column by dragging its borders.

Toggle Header/Footer: This option toggles the header or the footer from on to off or from off to on. The cursor must be in the header or the footer area.

Portrait: This option changes the orientation of the report to Portrait mode.

Landscape: This option changes the orientation of the report to Landscape mode.

To create a custom report

1 In the Information Manager console, click Reports.

2 In the Explorer pane, right-click the folder where you want to create the new report, and select New > Report.

3 Type the name for the report, and click OK. The name can contain only alphanumeric characters.

An empty report template appears, with three sections: header, footer, and body in the center.

4 Do any of the following:

■ To insert a header, right-click in the header area, and then use the formatting options that are described in Table 21-1.

■ To insert the query (or multiple queries) and any desired images and text, right-click the body area. Then use the formatting options that are described in Table 21-1.

■ To insert a footer, right-click in the footer area, and then use the formatting options that are described in Table 21-1.

■ To add a new page to the report template, click the Add a Page icon on the report design toolbar. To return to a previous page, click the View All Pages icon, and then double-click the page that you want to display.


5 To modify any of the properties of the report, use the Properties pane in the lower-left area of the Reports page. Click the Value column for the property that you want to change.

The available properties depend on the elements that you have placed in the report area. The following are examples of the properties that you can modify:

■ If you insert a query, the available properties depend on whether the data displays as a graphical chart or as a table. If the query is graphical, you can select the type, for example, bar or pie. If the query is tabular, you can select the columns that you want to include in the table. You also can select the desired font and type size of the text.

■ If you insert text in the report body, header, or footer, you can modify the font size of the text.

■ If you insert a line, you can modify the default thickness, color, direction (orientation), and alignment of the line.

■ If you add a grid, you can specify the background color of each segment of the grid.

6 To execute the query and preview the appearance of the report, click the Preview tab.

While on the Preview tab, you can print or save the report with the data that is currently displayed.

See “Printing and saving reports” on page 341.

7 When you finish creating the report, click the Save icon on the top toolbar.

See “Viewing reports ” on page 339.

Creating a report group or folder

You can create new folders under the existing folder hierarchy to save the reports.

To create a report group or folder

1 In the Reports view, select the folder under which you want to create another folder.

2 Click the New Folder icon on the menu bar.

3 In the New Folder dialog box, type the name of the folder and its description.

4 Click OK.

See “Creating custom reports” on page 327.


Editing tabular queries in reports

A tabular query displays data in table form. When you create or edit a query, you can specify the columns that you want the table to display. However, if you later place that query in a report, the column changes do not persist. You must insert the query in the report, and then add and remove table columns. After you save the report, the column changes persist in that report.

Note: If you add columns to a tabular query, the columns on the rightmost side of the table may become illegible due to lack of space. You can view more columns by reducing the size of the text in the table. To reduce the size of the text in the table, in the Properties pane, click the Value column next to Content Font. Then select a smaller font. Do the same action for the Header Font value.

To edit a tabular query in a report

1 To design the report, perform the steps in the procedure

2 After you insert the query in the report, double-click the query icon in the body of the report (on the Design tab).

The Edit Display Properties dialog box appears.

3 Do one of the following:

■ In the Choose Columns pane, select the names of the columns that you want to add to the query table and click Add.

■ In the Columns to Display pane, select the names of the columns that you want to remove from the query table and click Remove.

■ Use the Move Up and Move Down icons to arrange the columns in the desired sequence. The column at the top of the list appears on the far-left side of the table.

4 When you finish selecting and sequencing the columns, click OK.

5 To preview the appearance of the report, click the Preview tab.

6 When you finish designing the report, click the Save icon on the top toolbar.

See “Creating custom reports” on page 327.

Publishing reports

To publish a report, you must place it in the Published Reports folder or in a subfolder under Published Reports. If you create the report in the Published Reports folder, it is already available for distribution. If you create the report in the My Reports folder, use the following procedure to publish it.


Note: If a report contains any private queries, you cannot publish it. The queries in publishable reports must be from the Published Queries folder.

To publish a report

1 In the Information Manager console, click Reports.

2 In the Explorer pane, navigate to the report in the My Reports folder that you want to publish.

3 Do one of the following:

■ Right-click the report name, and then select Publish.

■ To place the report in a subfolder within the Published Reports folder, drag the report from My Reports to the desired folder under Published Reports.

4 Click Yes to confirm that you want to publish the report.

The report is removed from the private folder and placed in the published folder that you selected.

See “Creating custom reports” on page 327.

Enabling the email distribution of reports

To distribute reports, you must have an Information Manager configuration that is set up to send email notifications. This setup process includes the following components:

■ Creating a configuration

■ Defining a mail server in the configuration

Note: Web-based email accounts and the accounts that require authentication are not supported.

To create a configuration

1 In the Information Manager console, click System.

2 On the Product Configurations tab, expand the tree in the left pane to SSIM Agent and Manager > Manager Components Configurations.

3 On the toolbar, click + (the plus icon).


4 Follow the on-screen instructions in the Create a new Configuration wizard. When you are prompted, in the Computers panel, add the Information Manager server that is used.

5 When the wizard finishes, click Close.

The new configuration appears in the tree in the left pane, under Manager Components Configurations.

To define a mail server in an Information Manager configuration

1 On the System view, in the left pane of the Product Configurations tab, click the name of the new configuration.

2 In the right pane, click the Notifications tab.

3 In the Value column next to Email server, type the name of the mail server.

4 Next to Email from user in the Value column, type an email address to receive messages in case of any notification failures.

5 Click Save at the bottom of the right pane.

6 In the left pane, right-click the configuration name, and then click Distribute.

The configuration changes are distributed to the Information Manager server.

See “Scheduling and distributing reports” on page 333.

Scheduling and distributing reports

After you create and publish a report, you can distribute it immediately. You can also schedule it for distribution in the future. You specify the recipients and the frequency with which they receive the reports. For example, the frequency can be once each week.

You can distribute the reports as a PDF or an RTF attachment. You can also send a URL link for accessing the reports from the server in an email. Reports for scheduled queries can be distributed as an attachment only in the CSV format.

When you distribute a report on a schedule or immediately, a copy of the report is posted on the Web configuration interface of Information Manager. A valid user can view that report by selecting the Standard Reports option under Manage > Reports on the Web configuration interface of Information Manager.

See “To view a report in the Web configuration interface of the Information Manager” on page 340.


Note: To distribute reports to users by email, Information Manager must be properly configured to send notifications to a valid mail server.

To distribute a report immediately

1 In the console of the Information Manager client, click Reports.

2 In the Explorer pane, under Published Reports, click the name of the report that you want to distribute.

3 In the right pane, click the Distribute tab.

4 In the Distribute Report area, click Recipients, and then click one of the following:

Email address
■ In the Email Entry dialog box, type an email address, and then click OK.

User
■ In the Find Users dialog box, select one or more names from the Available users list.
■ Click Add.
■ When you finish adding user names to the Selected users list, click OK.

Note: The user must have an email address defined on the Notifications tab in the user profile. See the chapter on managing users in the Symantec Security Information Manager Administrator Guide.

User group
■ In the Find User Groups dialog box, select one or more names from the Available user groups list.
■ Click Add.
■ When you finish adding user group names to the Selected user groups list, click OK.

Note: Each user in the user group must have an email address defined on the Notifications tab in the user profile. See the chapter on managing users in the Symantec Security Information Manager Administrator Guide.

The report is always posted and available on the Web configuration interface of Information Manager under Manage > Reports > Standard Reports. It is available in this location even if you do not specify any recipients. Users who have access to this view can view the reports in a Web browser.

5 In the Subject and Body text boxes, type text if desired.


6 Select from the following options as required:

URL Link
Places a link in the email message. When the recipient clicks the link, the report is displayed in a browser window.

Note: When the recipient clicks the URL link, the report can be accessed directly. The user must already be logged on to the Web configuration interface using the host name of the Information Manager. If the user has logged on using the IP address of the Information Manager, the user is prompted for authentication; the report is then accessible.

PDF Attachment
Sends the report, in Portable Document Format (PDF), as an attachment to the email.

To send the report by email, be sure that the PDF file is no more than 15 MB in size.

RTF attachment
Sends the report, in RTF format, as an attachment to the email.

To send the report by email, be sure that the compressed RTF file is no more than 15 MB in size.

7 Click Test.

A dialog box confirms that the report was sent to the selected recipients.

8 Click OK.

Note: No restriction exists regarding the size of the compressed RTF files or the PDF files that are available under Manage > Reports > Standard Reports.

To schedule a report

1 In the console of the Information Manager client, click Reports.

2 In the Explorer pane, under Published Reports, click the name of the report that you want to schedule for distribution.

3 In the right pane, click the Distribute tab.

4 In the Create a report area, do the following:

■ Select the frequency of distribution: Day, Week, or Month.

■ Select the time of distribution by using the drop-down lists and by selecting either AM or PM.

5 Use the spinner boxes or the calendar icons to select the Starts on date and time, and the Ends by date and time.


6 In the Distribute Report area, click Recipients, and then click one of the following:

Email address
■ In the Email Entry dialog box, type an email address, and then click OK.

User
■ In the Find Users dialog box, select one or more names from the Available users list.
■ Click Add.
■ When you finish adding user names to the Selected users list, click OK.

User group
■ In the Find User Groups dialog box, select one or more names from the Available user groups list.
■ Click Add.
■ When you finish adding user group names to the Selected user groups list, click OK.

7 In the Subject and Body text boxes, type text if desired.

8 Select from the following options as required:

URL Link
Places a link in the email message. When the recipient clicks the link, the report is displayed in a browser window.

Note: When the recipient clicks the URL link, the report can be accessed directly. The user must already be logged on to the Web configuration interface using the host name of the Information Manager. If the user has logged on using the IP address of the Information Manager, the user is prompted for authentication; the report is then accessible.

PDF Attachment
Sends the report, in Portable Document Format (PDF), as an attachment to the email.

RTF attachment
Sends the report, in RTF format, as an attachment to the email.

9 Click Schedule.

10 Click OK.

Note: Reports for scheduled queries can be distributed only as follows: as an attachment in the CSV format and a URL link that lets you access the report from the server.


Scheduling queries that can be distributed as reports

You can now schedule queries to be distributed in a report as a CSV file. The Schedule option is available on the Events view when you select a query from the Published and System queries. On saving the scheduled queries in the Events view, the scheduled query reports are created under the Published Reports folder under the Reports view.

You can send the scheduled query reports by email as a compressed CSV file, and make them available by a URL link within the mail. You can also download these reports from the Web configuration interface under Manage > Reports > Scheduled Query Reports in CSV format in a compressed file. The maximum row limit of the CSV file is 1 million rows corresponding to 1 million events. The maximum size of the CSV file that you can send by email is limited to 15 MB.
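The attachment limits in this guide (15 MB for a PDF or a compressed RTF, stated in "Scheduling and distributing reports", and 15 MB or 1 million rows for a scheduled-query CSV, stated above) are worth checking before a report is handed to the mail server. The following Python script is an added example; it is not part of this guide and not Information Manager code. It checks a generated report against those limits and returns which delivery options remain valid (the URL link always does, because the report is posted on the Web configuration interface regardless of size). The ZIP container, the reading of 15 MB as 15 * 1024 * 1024 bytes, the header-excluded row count and the sample rows are assumptions made for the example.

```python
"""Pre-check a generated report against the attachment limits in this guide.

Added example; it is not part of the Symantec guide and not SSIM code. It
encodes the limits the guide states: 15 MB for a PDF, a compressed RTF or a
compressed CSV attachment, and 1 million rows for a scheduled-query CSV.
Assumptions not stated in the guide: 15 MB is taken as 15 * 1024 * 1024
bytes, the compressed file is a ZIP archive, and the row count excludes the
CSV header line.
"""
import csv
import io
import zipfile

MAX_ATTACHMENT_BYTES = 15 * 1024 * 1024  # 15 MB per the guide (binary MB assumed)
MAX_CSV_ROWS = 1_000_000                 # one row per event, per the guide


def sample_scheduled_query_rows():
    """Constructed sample output of a scheduled event-detail query (not real SSIM data)."""
    return [
        ["event_date", "source_ip", "destination_ip", "severity"],
        ["2011-06-01 10:00:00", "10.0.0.5", "10.0.1.20", "4 - Major"],
        ["2011-06-01 10:00:03", "10.0.0.7", "10.0.1.20", "2 - Warning"],
        ["2011-06-01 10:00:09", "10.0.0.5", "10.0.1.21", "4 - Major"],
    ]


def compress_csv(rows, member_name="report.csv"):
    """Write rows as CSV and wrap them in a ZIP archive; return the archive bytes."""
    text = io.StringIO()
    csv.writer(text).writerows(rows)
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, text.getvalue())
    return archive.getvalue()


def csv_row_count(zip_bytes):
    """Count data rows (header line excluded) over every CSV member in the archive."""
    total = 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            with zf.open(name) as member:
                reader = csv.reader(io.TextIOWrapper(member, encoding="utf-8", newline=""))
                total += max(sum(1 for _ in reader) - 1, 0)
    return total


def csv_within_row_limit(zip_bytes, max_rows=MAX_CSV_ROWS):
    """True when the archive holds no more data rows than the guide's row cap."""
    return csv_row_count(zip_bytes) <= max_rows


def delivery_options(kind, payload, max_bytes=MAX_ATTACHMENT_BYTES, max_rows=MAX_CSV_ROWS):
    """Return the delivery options valid for a report of the given kind.

    kind is "pdf", "rtf" (payload already compressed) or "csv" (ZIP archive from
    a scheduled query). "url" is always included; "attachment" is added only when
    the payload is within max_bytes. A CSV over max_rows is rejected outright,
    because the guide caps scheduled-query reports at that many rows.
    """
    if kind not in ("pdf", "rtf", "csv"):
        raise ValueError(f"unknown report kind: {kind!r}")
    if kind == "csv" and not csv_within_row_limit(payload, max_rows):
        raise ValueError(f"CSV exceeds the {max_rows} row limit; narrow the query")
    options = ["url"]
    if len(payload) <= max_bytes:
        options.append("attachment")
    return options


if __name__ == "__main__":
    archive = compress_csv(sample_scheduled_query_rows())
    print(csv_row_count(archive), "rows;", delivery_options("csv", archive))
```

Run it against the real PDF, RTF or ZIP bytes that the distribution produced; a result of only "url" means the email will carry the link but the attachment is over the limit, and a ValueError on a CSV means the query returns more events than a scheduled-query report can hold.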

Note: Scheduled queries are limited to one query only. If the scheduled query contains a chart, it is converted to a table in the created reports.

Note: The Design option is not available for scheduled query reports.

See “About working with event queries” on page 239.

You can schedule the following types of queries:

■ Summary data query

■ Event detail query

■ Custom SQL query

Note: Top N by Field and Trending Event Count by Field queries cannot be scheduled from the Events view as scheduled query reports.

To schedule a query as a report

1 In the console of the Information Manager client, click Events.

2 In the Explorer pane, under Published Queries or System Queries, click the name of the query that you want to schedule and distribute as a report.

3 In the right pane, click Schedule.

4 Type the name of the scheduled query.


5 In the Set Schedule for Query dialog box, specify the time, date, and recipients for the generated reports.

Set the message subject and body text as required.

6 Select the option for CSV attachment or a URL link as required.

When the recipient clicks the link, the report is directly accessible. Note that the user must be logged on to the Web configuration interface using the host name of Information Manager. If the user has logged on using the IP address of Information Manager, then the user is prompted for authentication. The report then becomes accessible.

7 Take one or more of the following actions as required:

■ To save the query report to the Published Reports folder and close the Set Schedule for Query dialog box without scheduling the query, click OK.

■ To enable the Schedule and Test icons and save the query report in the Published Reports folder, click Save.

■ To ignore any changes that were made since the last save and exit the dialog box, click Cancel.

■ To verify the entered details, click Test to send the query to the specified recipients.

■ To schedule the query, click Schedule.

The published query report is also available under the Scheduled Query Reports option under Manage > Reports on the Web configuration interface.

Modifying the report distribution

You can change the recipients and the schedule for report distribution.

To modify the report distribution

1 On the Reports view, in the Explorer pane, navigate to the report whose distribution plan you want to modify.

2 Select the report, and click the Distribute tab.

3 At the bottom of the right pane, click Cancel to cancel the existing report distribution plan.

4 Modify the schedule and the recipients, as necessary. You can also change any other fields.

5 When you finish making changes, click Schedule.

See “Scheduling and distributing reports” on page 333.


Viewing reports

You can view a report in the following ways:

■ In the console of the Information Manager client (as a preview)

■ In the Web configuration interface of Information Manager under Manage > Reports > Standard Reports

■ In the Web configuration interface of Information Manager under Manage > Reports > Scheduled Query Reports

■ In PDF format, if you received the report as an attachment to an email message

■ In RTF format, if you received the report as an attachment to an email message

■ In HTML format

■ In a compressed CSV file, if you received the report as an attachment. These reports are generated as a result of scheduled queries.

■ By accessing a URL link that is received through email

Note: The chosen display type for a group or a system query may affect the results that are displayed on the console of Information Manager and the Web configuration interface.

For example, you may run a query that is copied from the System Queries folder of the type Count by Condition, such as Open Incidents by Assignee Priority. The chart type is table and the Rotate Data chart property is selected. The condition column name (Assignee Priority) does not appear in the results table. Therefore, you must deselect the Rotate Data option for the query to ensure that the results are displayed properly.

Note: When you access standard reports in the Web configuration interface, the RTF format is not supported for certain reports. The RTF format is not supported for the reports that were distributed on the Information Manager versions that were released before 4.6 MP4. To obtain these reports in RTF format, manually click the Test option that is available on the Distribute tab on the console. Alternatively, wait until the next scheduled run of the report.

To view a report in the console of the Information Manager client

1 In the console of the Information Manager client, click Reports.

2 In the Explorer pane, click the report that you want to view.


3 For multipage reports, use the navigation icons on the Preview tab to move between the pages.

4 To refresh the data in a report, click the Refresh icon in the top toolbar. By default, the report presents the data from the time when it was created or last refreshed.

To view a report in the Web configuration interface of the Information Manager

1 In the Web configuration interface go to Manage > Reports.

2 Click Standard Reports if you want to view the standard published reports. If you want to view the reports for scheduled queries, then click Scheduled Query Reports.

3 In the list of reports, navigate to the row that corresponds to the report that you want to view.

You can use the Search in table field to filter the report list.

Place a checkmark next to the file name in the box provided.

4 On the navigation bar, click one of the following:

■ View HTML icon. This option lets you view the report in HTML format.

■ View PDF icon. This option lets you view the report in PDF format.

■ View RTF icon. This option lets you view the report in RTF format.

If you selected Scheduled Query Reports in the previous step, the reports are available only as a compressed CSV file, after you click the View CSV icon.

5 When you finish viewing the report, close the browser window.

See “Configuring a report for portrait or landscape mode” on page 340.

Configuring a report for portrait or landscape mode

You can configure the orientation of a report to be in either portrait mode or landscape mode. When you configure the orientation for a report, the setting applies to all of the pages in that report.

To configure a report for portrait or landscape mode

1 In the Information Manager console, click Reports.

2 In the Explorer pane, click the name of report that you want to adjust.


3 On the Design tab, click either the Portrait or Landscape icon. If you are in View All Pages mode, you must first open a single page to enable the icons.

4 Click Save.

See “Viewing reports ” on page 339.

Printing and saving reports

After you create a report, its name is displayed in the Explorer pane, under the appropriate folder name. You can run a report and then save the output as a file. You can also print the output.

To print or save a report

1 In the Information Manager console, click Reports.

2 In the Explorer pane, click the name of report that you want to print or save.

3 To execute the query or queries in the report, click the Preview tab.

4 To save the report with the displayed data, do the following actions:

■ On the Preview toolbar, click the Save icon.

■ In the Save dialog box, type a name in the File Name box.

■ In the Files of Type box, select PDF or HTML.

■ Click Save.

5 To print the report with the displayed data, do the following:

■ On the Preview toolbar, click the Print icon.

■ In the Print dialog box, select your print options.

■ Click OK.

See “Viewing reports ” on page 339.

Exporting reports

You may export a report as an RML file. This feature enables you to send the report to another user: for example, as an email attachment. The user can then import the report, edit it, and save it as a private or a published report. It also enables you to save a report under a different name, and then import it to use as a template for another similar report.

See “Importing reports” on page 342.


Note: Information Manager does not support exporting reports to a different Information Manager domain. Each query has a unique ID that points to the Information Manager server on which it was created. If you export a report and import it to a different server, the queries are not attached to the report.

If you design a report on one Information Manager server, you can export it as a template. After you import it to a different server, you can insert the desired query or queries.

To export a report

1 In the Information Manager console, click Reports.

2 In the Explorer pane, select the report that contains the data that you want to export.

3 Right-click the report name, and then click Export.

4 In the Export Report dialog box, do the following:

■ Navigate to the location where you want to save the report.

■ In the File Name box, type the name of the report. If you want to use this report as a template for a new report, change the report name.

5 Click Save.

Importing reports

You can import a report that was exported as an RML file. You can then modify the report and save it in My Reports or Published Reports.

See “Exporting reports” on page 341.

Note: Information Manager does not support importing the reports that were created in a different Information Manager domain. Each query has a unique ID that points to the Information Manager server on which it was created. If you export a report and import it to a different server, the queries are not attached to the report.

If you design a report on one Information Manager server, you can export it as a template. After you import it to a different server, you can insert the desired query or queries.


To import a report

1 In the Information Manager console, click Reports.

2 In the Explorer pane, select the folder into which you want to import the report.

3 Right-click the folder name, and click Import.

4 In the Import Report dialog box, navigate to the location where the report is stored, and select it. You can import multiple reports by using the Shift or Ctrl keys.

5 Click Open.

6 If you selected a report with the same name as another report in the folder you selected, Information Manager prompts you to rename the report. Assign a new name, and click OK.

Performing a drill-down on reports

To identify the critical incidents and threats in your environment, Information Manager lets you drill down into the reports. Use the drill-down feature to view the resources and the parts of the organization that are associated with an incident. The drill-down feature lets you search and prioritize specific assets. This capability simplifies organization and helps you monitor identity and access activities.

The drill-down feature is supported only on the following types of queries in the reports:

■ Top N by Field

■ Trending for Top N by Field

■ Summary Data Queries

The drill-down feature for reports is available only on the console of the Information Manager client.

To drill down on reports

1 In the console for the Information Manager client, click Reports.

2 Select the report that you want to run from the folders that are displayed.

The report queries are executed and the results are displayed on the details pane. Preview the report using the Preview tab.

3 In the graphs that are displayed, double-click the graph that you want to drill down on.

4 The details are displayed in a tabular view in the details pane.


You can use a filter to get further details based on the filter criteria selected.

To filter the results using a filter criteria

1 Click the graph that is displayed when you select a report to run. The query results table is displayed under the graph in a new window.

Click the Filter icon on the taskbar.

2 In the Filter dialog box, select the time criteria in the Time range area.

3 In the Date/Time area, select Logged Date/time or Event Date/Time.

4 In the Query filter criteria area, click the + icon, which lets you add and select the fields for the filter criteria.

5 If you have specified more than one criterion, use the first drop-down list to select the OR or the AND operator.

6 In the next column, select or enter the value for the condition specified.

7 Click OK.

8 To add another criterion, click the + icon.

Click the - icon if you want to remove a selected criterion.

9 Click OK.

Click Cancel if you want to cancel the filter criteria process.

The filter query is run and the results are displayed.


Chapter 22: Managing dashboards

This chapter includes the following topics:

■ About the dashboard

■ Viewing dashboards

■ Viewing queries in the Dashboard

■ Performing a drill-down on dashboards

■ Refreshing the dashboard

■ Customizing the dashboard

About the dashboard

The Information Manager dashboard provides an at-a-glance summary of the status of security products on your network. You can also track the status of mission-critical network resources. You can add the default queries or custom queries that use events and the other data that is stored in the server database.

The dashboard provides a high-level view of the critical security information in your environment. Information Manager users can customize the dashboard to display the event, ticket, and incident information that they require.

The Dashboard view provides an overview of the incident activity that is presented in the following default set of queries:

■ Closed incident count for each assignee by priority

■ Closed incident count for each assignee by severity

■ Open incidents count for each assignee by severity

■ Open incident count for each assignee by priority


■ Count of both open incidents and closed incidents by assignee

■ Count of incidents for each of the last seven days

The toolbar of the Dashboard view presents the following options:

Refresh
Refreshes the queries.

Turn Auto Refresh On
Toggles the automatic refresh of the dashboard queries. When Auto Refresh is on, the dashboard queries are refreshed every five minutes, by default.

Add
Lets you add a new query to the dashboard.

Delete
Lets you remove a query from the dashboard. You can also remove the query by closing the query window.

Tile
Tiles the dashboard charts.

Cascade
Cascades the dashboard charts.

See “Viewing dashboards” on page 346.

See “Customizing the dashboard” on page 350.

See “Refreshing the dashboard” on page 349.

See “Viewing queries in the Dashboard” on page 348.

See “Performing a drill-down on dashboards” on page 348.

Viewing dashboards

You can view the dashboards in the Dashboard view.

To view the dashboards

1 In the console of the Information Manager client, click Dashboard.

2 For some bar and pie charts based on event data, you can click on each section to view the events that are related to that section of the query. To determine whether a query is drillable, hold the cursor over a region of the graph (for example, a bar in a bar chart). If a hand symbol appears, you can click on the bar to drill down.

The events appear in a table under the chart. When working with event data, you can do any of the following:


■ View details on a single event by right-clicking the event. Then click Event Details.

■ Filter the events that are shown in the display by right-clicking on an event and then clicking one of the filtering options.
See “To filter event data based on a single event” on page 347.
See “To create a custom filter based on an event” on page 347.

■ Create an incident based on an event by right-clicking the event and then clicking Create Incident.

To filter event data based on a single event

◆ In a table containing event data, right-click on the cell that has the information that you want to filter on, and then click Filter on cell.

For example, if you want to filter on all events that have a severity of 4 - Major, click a cell that has that rating in the Severity column.

The list of events that meet the criteria of your filter appears in a new tab. Note that you can filter again on the events in the new tab.

To create a custom filter based on an event

1 In a table containing event data, right-click on the cell that has the information that you want to filter on, and then click Manually filter on cell. For example, if you want to filter on all events that have a severity of 4 - Major, click a cell that has that rating in the Severity column.

The Event Filter window appears, showing the current filter conditions.

2 In the Time Range area, specify the period of time that you want the filter to cover. Choose Complete if you want to select from all of the events in the query.

3 In the Filter Criteria area, specify the query conditions:

■ To change an existing condition, click in the cell, and then choose a value from the drop-down list.

■ To add a condition, click + (the plus sign), and then click in each cell to select or type the desired value.

■ To remove a condition, click anywhere in the row, and then click - (the minus sign).

■ To change the grouping of criteria, use the Ctrl key to select the relevant rows, and then click AND, OR, or Ungroup.

4 Click OK.

The list of events that meet the criteria of your filter appears in a new tab. Note that you can filter again on the events in the new tab.


See “About the dashboard” on page 345.

Viewing queries in the Dashboard

Complete the steps in this section to view a query and insert it on the dashboard.

To view a query

1 In the Information Manager console, click Dashboard.

2 On the toolbar, click + (the plus icon).

3 In the Query Chooser window, navigate through the tree and click the query that you want to display.

4 For the query you choose, set any of the required parameters, such as selecting the archives that you want to gather information from, and click Run Query.

The data graph appears in the Query Chooser window.

5 Do any of the following:

■ To place the query on the dashboard, click Insert.

■ To try a different query, click the query name in the left pane.

■ To see if there are any changes to the list of available queries, click theRefresh icon on the toolbar.

Performing a drill-down on dashboards

To identify the critical incidents and threats in your environment, Information Manager lets you drill down into the reports and dashboards. Using the drill-down feature, you can view the resources that are associated with an incident. The drill-down provides insights into the parts of the organization that an incident affects and the background of the resources that are implicated. The drill-down feature helps simplify organizing, searching, and prioritizing specific assets or sets of assets. This information helps in monitoring identity and access activities.

The drill-down feature is supported only on the following types of queries in the reports and dashboards:

■ Top N by Field

■ Trending for Top N by Field

■ Summary Data Queries

The drill-down feature for reports is available only on the console of the Information Manager client.

To drill down on dashboard results

1 In the console of the Information Manager client, on the Dashboard view, click the dashboard that you want to view.

2 In the graphs displayed, double-click the graph that you want to examine.

3 The details are displayed in a tabular view in the details pane.

See “About the dashboard” on page 345.

Refreshing the dashboard

By default, the dashboard updates when you open the console or when you click the Refresh icon. You can also turn on Auto Refresh so that dashboards are automatically refreshed at a regular interval. To enable the automatic refresh function, click the Auto Refresh icon on the toolbar.

If a query is running when the Auto Refresh interval expires, the query continues to run, even though the dashboard is refreshed. The same is true if you do a manual refresh.

The default Auto Refresh interval is five minutes. You can change this interval. However, refreshing more frequently can cause performance issues on the server because system resources are used every time a query is executed.

Note: You must close all the Information Manager console sessions before setting the Auto Refresh interval.

To change the Auto Refresh interval

1 In the Information Manager installation directory, access the clientproperties.xml file in the User settings folder.

2 Add or edit the following entry:

<dashboard>

<auto_refresh>interval</auto_refresh>

</dashboard>

where interval is the number of seconds between refreshes.

3 Save and close the clientproperties.xml file.

4 Restart the console to enable the change.

See “About the dashboard” on page 345.
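The edit in step 2 can be scripted so that the entry is added when it is missing and replaced when it exists, with a floor that reflects the warning above about refreshing too often. This is an added example, not code from the guide or the product; the guide documents only the <dashboard><auto_refresh> entry, so the surrounding root element of clientproperties.xml, the sample contents, and the 60-second floor are assumptions.

```python
"""Add or edit <dashboard><auto_refresh>interval</auto_refresh></dashboard>.

Added example (not from the Symantec guide). The guide specifies only the
dashboard/auto_refresh entry, with the interval in seconds between refreshes
and a default of five minutes. Everything else about the file is assumed.
"""
import xml.etree.ElementTree as ET

DEFAULT_INTERVAL = 300  # the guide's default of five minutes, in seconds
MIN_INTERVAL = 60       # assumed floor: shorter intervals load the server with queries


def _dashboard_node(root):
    """Return the <dashboard> element, whether it is the root or a child of it."""
    return root if root.tag == "dashboard" else root.find("dashboard")


def read_auto_refresh(xml_text: str) -> int:
    """Return the configured interval in seconds; fall back to the default
    when the entry is absent or not a plain integer."""
    node = _dashboard_node(ET.fromstring(xml_text))
    entry = node.find("auto_refresh") if node is not None else None
    if entry is None or entry.text is None or not entry.text.strip().isdigit():
        return DEFAULT_INTERVAL
    return int(entry.text.strip())


def set_auto_refresh(xml_text: str, interval: int) -> str:
    """Add or edit the auto_refresh entry and return the updated XML text.
    Refuses intervals below MIN_INTERVAL instead of writing them."""
    if interval < MIN_INTERVAL:
        raise ValueError(f"interval {interval}s is below the {MIN_INTERVAL}s floor")
    root = ET.fromstring(xml_text)
    dashboard = _dashboard_node(root)
    if dashboard is None:                       # entry family missing: add it
        dashboard = ET.SubElement(root, "dashboard")
    entry = dashboard.find("auto_refresh")
    if entry is None:                           # dashboard present, entry missing
        entry = ET.SubElement(dashboard, "auto_refresh")
    entry.text = str(interval)                  # edit in place
    return ET.tostring(root, encoding="unicode")


# Constructed sample settings file with no dashboard entry yet (assumed layout).
SAMPLE_XML = "<clientproperties><console><theme>default</theme></console></clientproperties>"

if __name__ == "__main__":
    updated = set_auto_refresh(SAMPLE_XML, 600)   # ten minutes between refreshes
    print(updated)
    print(read_auto_refresh(updated))
```

Restart the console after writing the file, as step 4 requires; the script only edits the XML.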


Customizing the dashboard

You can customize your dashboard by adding and removing queries. You can also rearrange the queries by moving them on the dashboard and by using the Tile and Cascade options.

See “Viewing queries in the Dashboard” on page 348.

To remove a query from the dashboard

1 In the console of the Information Manager client, click Dashboard.

2 Scroll within the dashboard until you find the query that you want to remove, and click within the query to select it.

3 Click x (the cross icon) that appears on the upper right side of the query window to close the query.

To rearrange the dashboard

1 In the console of the Information Manager client, click Dashboard.

2 To move a query, click in the query's title bar, and then drag it with the mouse to the desired location on the dashboard.

You can place the query in a blank space on the dashboard, or you can place it on top of another query.

3 Click the Tile icon on the toolbar.

The queries rearrange themselves in a tiled configuration, and all are visible.

4 To arrange the queries in an overlapping configuration, click the Cascade icon on the toolbar.

The queries rearrange themselves in a cascaded configuration, with one query in front. To bring a different query to the front, click its header.

See “About the dashboard” on page 345.


Index

A
access rights 139
    See also permissions
    Information Manager console 139
account
    Administrator 156
    default password 155
    Linux 155
Active Directory
    about integrating 170
    configuration
        creating a 171
        editing a 171
        removing 172
        synchronize a 172
Active Directory configurations
    creating
    editing 170
    list
    remove 170
agent
    editing agent computer 180
aggregation
    exporting 214
    importing 214
aggregation tables 96
alerting incidents 289
    See also incidents
    creating 290
    example 289
archives. See event archives
    viewing event data 230
assets
    exporting list 300
    identifying 126
    printing list 300
Assets table 266
    importing assets 323
Auto Refresh option 349
    interval setting 349

B
BugTraq 266
business information
    users 162
Bypass Event RBAC 142

C
closing incidents 298
    See also merging incidents
closing tickets 315
collector filtering and aggregation
    antivirus examples 281
    creating specifications 275
    events generated by specific internal networks 277
    examples 277
    firewall examples 278
    overview 269
    policy compliance 270
    preparing to create 272
    suggestions 271
    vulnerability assessment examples 282
    Windows Event Log examples 283
collectors. See event collectors
    components of 204
    overview 203
    registration 258
    universal 205
        downloading and installing 207
column sorting in queries 246
columns in tabular queries 331
computers
    adding
        configuration groups 192
        configurations 183
    adding to organizational units 178
    creating 178
    defined 177
    deleting 199
    distributing configurations 198
    editing agent
        with agent 180
    editing properties 179
    editing without agent 181
    identification information 182
    modifying permissions 199
    moving 198
    specifying
        IP addresses 182
        MAC addresses 182
    viewing
        service properties 193
        services 193
    with agents 177
conclusions
    about 221
    escalating based on severity 96
configuration groups
    adding to
        computers 192
configurations
    adding to
        computers 183
        organizational units 174
    distributing
        by way of computer Service properties 193
        to computers 198
        using organizational units 198
console
    about features 63
    configuring 125
    opening 69
contact information
    users 162
Correlation Manager
    about 79
    knowledge base 80
    rule set 80
correlation rules 87. See rules
    about 87
    creating custom 100
critical systems. See assets

D
dashboard
    about 345
    adding queries 348
    Auto Refresh 349
    refreshing 349
dashboards
    customizing 350
    performing drill-down 348
    viewing 346
data retention 224
date values for events 233
Deepsight. See Global Intelligence Network
DeepSight Threat Management
    normalization and 267
default roles
    administrator 132
Distribute menu option 198
Domain Administrator role 132
    permissions 150

E
email address
    notification 166
email distribution of reports 332
Ending Event Date column 233
Enter the data retention (days) 227
environment diagram. See Visualizer
event archive
    specifying settings 226
event archive viewer
    right pane 231
event archives
    about 224
    about multiple 224
    adding and removing table columns 234
    calendar setting 232
    creating incidents 296
    creating new 225
    date and time range 232
    event details 232
    event date values 233
    filtering 235–238
    modifying table columns 234
    exporting a query 251
    graph 231
    histogram 231
    importing a query 250
    live 230
    local 230
    local client copy
        creating 227
    querying
        Event Query wizard 243
        naming rules 242
        SQL Query wizard 246
        Summary Query wizard 244
    removing an archive from event viewer 231
    restoring 228
    saving data from event viewer 231
    settings 226
    zooming 232
event collectors 22
    functions 22
    installing and configuring 22
    types 22
Event Count rule setting 96
Event Criteria field 93
    operators 94
Event Date column 233
event forwarding
    activating 260
    configuring default forwarding rule 261
    creating a rule 262
    deleting a forwarding rule 262
    described 255
    stopping 263
Event Logger 255
event queries
    about working with 239
    color scheme
        managing used in query results 249
    creating groups 241
    deleting 253
    editing 248
    importing 250
    IP addresses 250
    multiple archives 241
    publishing 251
    scheduling to be distributed as reports 252, 337
    using Source view 240
    using Target View 240
event query
    searching within 235
Event Query wizard 243
Event to Conclusion Correlation fields 96
events 265
    See also normalization
    about 221
    about normalization 265
    accessing data in the console 274
    aggregation 214
    filtering 211
    lifecycle 223
    mapping during normalization 267
    role for viewing 134
events view
    about 222
exporting
    asset list 300
    incident list 300
    queries 249
    ticket list 300

F
fields
    Event Criteria 93
    Event to Conclusion Correlation 96
    operators for event criteria 94
filter configurations
    exporting 211
    importing 211
filtering events 211
filters
    about incident 303
    event data 235
    incident
        creating 304
        deleting 304
        modifying 303
    tickets
        creating 317
        deleting 319
        modifying 318
finger 68
forwarding events. See event forwarding
Free space quota setting 227

G
Global Intelligence Network 23, 29

H
help desk
    viewing tickets 312
histogram
    manipulating the 231
    viewing event details 232
host criticality. See assets

I
importing
    queries 249
    reports 342
incidents
    about 221, 289
    about creating and modifying 294
    about filtering 303
    automatic assignment to least busy member 60, 302
    automatic assignment 59
    closing 298
    creating from events 296
    creating manually 295
    creation methods 289
    details 292
    exporting list 300
    filters
        creating 304
        deleting 304
        modifying 303
    list
        adding and removing columns 294
        modifying 294
    managing 292
    merging 297
    modifying 296
    printing details 299
    printing list 300
    reopening 298–299
    searching filtering results 305
    ticket viewing 313
    viewing 291
    viewing and modifying 293
    viewing associated tickets 313
Information Manager
    about 17
    components 21
    event lifecycle 222
    overview 17
    workflow 20
Information Manager components
    event collectors 22
    Global Intelligence Network 23
    Information Manager server 23
    security products and devices 22
    Web service 23
Information Manager console
    modify access rights 139
    Move menu option 198
Information Manager console access rights
    adding to roles 139
Information Manager server 23
Information Manager Web service 23
Information Manager workflow 20
instructions
    adding to a ticket 310
intelligence
    adding to a ticket task 311
    adding to ticket instructions 310
IP address
    specifying for computers 182
IP addresses
    querying for 250

K
knowledge base
    Correlation Manager 80

L
LDAP directory accounts 156
Linux account 155
LiveUpdate
    normalization and 267
local event archives
    viewing 230
Lookup Table Update
    create rule 113
Lookup Tables 115
    records 121
    user-defined 120

M
MAC addresses
    specifying for computers 182
Max archive quota setting 227
merging incidents 297

N
Network table 266
networks
    specifying 128
normalization
    described 265
    example 267
    files 267
    modifying 267
normalization files
    about 267
notes
    about 64
    creating and editing 65
    searching 66
notification
    email address 166
    user information 166
        email address 166
        pager numbers 167
        times 168

O
operators
    Event Criteria 94
organizational units
    adding computers to 178
    creating 174
    deleting 177
    deleting computers 199
    description 173
    distributing configurations 198
    editing 176
    managing 173
    modifying permissions 176
    moving computers 198
    name length limits 175
Original Ending Event Date column 233
Original Event Date column 233

P
pager numbers 167
passwords 155
    changing 70, 162
    customizing policies 157
    security recommendation 156
permissions 139
    See also access rights
    description 150
    examples of modifying permissions 147
    in roles 141, 143
    modifying 152
        computers 199
        organizational units 176
    propagating 151
    user 168
Permissions dialog box 152
ping 68
policy
    adding a 127
preferences. See user actions
printing
    asset list 300
    incident details 299
    incident list 300
    reports 341
    ticket list 300
Properties pane 330–331
publishing
    queries 251
    reports 331

Q
queries
    adding to the dashboard 350
    column sorting 246
    columns in tables 331
    editing 249
    event 243
    exporting 249, 251
    importing 249
    naming rules 242
    SQL 246
    summary 244
    tables in 249, 331
    viewing 348
query groups 241

R
refreshing the dashboard 349
registering collectors 258
report folder
    creating 330
report group
    creating 330
reports
    creating custom 327
    distributing 333
    enabling email distribution 332
    exporting 341
    HTML format 341
    importing 342
    modifying distribution 338
    PDF format 341
    performing drill-down 343
    portrait or landscape mode 340
    printing 341
    Properties pane 330–331
    publishing 331
    saving as PDF or HTML 341
    scheduling 333
    viewing 339
role membership
    assigning to users 163
roles
    adding user groups 137
    adding users 137
    administrator roles 132
    creating 134
    definition 131
    deleting 149
    Domain Administrator 132
        permissions 150
    editing role properties 137
    Information Manager console access rights 139
    management of policies and configurations 134
    managing 131
    permissions 143, 150
        examples 147
    planning 133
    product access assignment
        modifying 140
    SES Administrator 132
        permissions 150
    SIM permissions 141
    viewing events 134
rsync 224
rule
    creating multicondition 104
    importing existing 99
    X not followed by X 109
    X not followed by Y 107
    Y not preceded by X 111
rule set
    creating 85
rule type
    Lookup Table Update 113
rules
    categories 87
    Correlate By field 98
    creating correlation rule for lookup table update 113
    creating multicondition 104
    criteria 89
    default 80
    editor 96
    enabling/disabling 115
    generating incidents 290
    query naming 242
    Resource field 98
    settings 96
    types 89
rules strategy
    defining strategy 87

S
scp 224
security directory
    registering a collection server 257
Security domain
    registering with 259
security environment diagram. See Visualizer
server access
    modifying 141
services
    viewing for a computer 193
    viewing properties 193
SES Administrator role 132
    permissions 150
Span rule setting 96
SQL Query wizard 246
SSIM Web Start 19
standard event code 266
Summary Query wizard 244
Symantec Event Code 266
Symantec Signature
    incident mapped to 266
system criticality. See assets
system performance
    estimating 24

T
Table Size rule setting 96
tables
    aggregation 96
    Lookup 115
tables in queries 249, 331
tasks
    adding to a ticket 311
template queries
    enable role-based access 142
tickets
    about 309–310
    adding a note 315
    adding instructions 310
    adding intelligence to a task 311
    adding intelligence to instructions 310
    adding tasks 311
    categories 311
    closing 315
    creating manually 310
    dispositions 314
    exporting list 300
    filters 317
        creating 317
        deleting 319
        modifying 318
    printing list 300
    priority changing 314
    searching by ticket ID 313
    task dispositions 314
    viewing 312
    viewing on Incidents view 313
trace route 68

U
user actions
    about 68
    creating 69
    modifying 69
user groups
    adding to a role 137
    creating 160
    deleting 169
    managing the composition of 164
    modifying 168
users
    adding to a role 137
    assigning role membership 163
    business information 162
    contact information 162
    creating 158
    deleting 169
    description 156
    notification information 166
        email addresses 166
        notification times 168
        pager numbers 167
    permissions 168
    properties 161

V
views
    Assets 321
    Dashboard 30
    Events 35
    Incidents 32
    Intelligence 31
    Reports 41
    Rules 44
    Statistics 62
    System 61
    Tickets 37
Visualizer
    about 194
    about using 194
    modifying properties 196
    tools 196

W
Web configuration interface
    accessing 72
    features 72
wizards
    Event Query 243
    SQL Query 246
    Summary Query 244
