Symantec Security Information Manager User Guide

  • 8/22/2019 Symantec Security Information Manager User Guide

    1/354

    Symantec Security Information Manager 4.8 User Guide


    Symantec Security Information Manager User Guide

    The software described in this book is furnished under a license agreement and may be used
    only in accordance with the terms of the agreement.

    Documentation version: 4.8

    Legal Notice

    Copyright 2012 Symantec Corporation. All rights reserved.

    Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec
    Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks
    of their respective owners.

    This Symantec product may contain third party software for which Symantec is required
    to provide attribution to the third party ("Third Party Programs"). Some of the Third Party
    Programs are available under open source or free software licenses. The License Agreement
    accompanying the Software does not alter any rights or obligations you may have under
    those open source or free software licenses. Please see the Third Party Legal Notice Appendix
    to this Documentation or TPIP ReadMe File accompanying this Symantec product for more
    information on the Third Party Programs.

    The product described in this document is distributed under licenses restricting its use,

    copying, distribution, and decompilation/reverse engineering. No part of this document

    may be reproduced in any form by any means without prior written authorization of

    Symantec Corporation and its licensors, if any.

    THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
    REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
    MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT,
    ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO
    BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL
    OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING,
    PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED
    IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

    The Licensed Software and Documentation are deemed to be commercial computer software
    as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19
    "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in
    Commercial Computer Software or Commercial Computer Software Documentation", as
    applicable, and any successor regulations. Any use, modification, reproduction release,
    performance, display or disclosure of the Licensed Software and Documentation by the U.S.
    Government shall be solely in accordance with the terms of this Agreement.


    Symantec Corporation

    350 Ellis Street

    Mountain View, CA 94043

    http://www.symantec.com

    Printed in the United States of America.

    10 9 8 7 6 5 4 3 2 1


    Technical Support

    Symantec Technical Support maintains support centers globally. Technical
    Support's primary role is to respond to specific queries about product features
    and functionality. The Technical Support group also creates content for our online
    Knowledge Base. The Technical Support group works collaboratively with the
    other functional areas within Symantec to answer your questions in a timely
    fashion. For example, the Technical Support group works with Product Engineering
    and Symantec Security Response to provide alerting services and virus definition
    updates.

    Symantec's support offerings include the following:

    - A range of support options that give you the flexibility to select the right
      amount of service for any size organization
    - Telephone and/or Web-based support that provides rapid response and
      up-to-the-minute information
    - Upgrade assurance that delivers software upgrades
    - Global support purchased on a regional business hours or 24 hours a day, 7
      days a week basis
    - Premium service offerings that include Account Management Services

    For information about Symantec's support offerings, you can visit our Web site
    at the following URL:

    www.symantec.com/business/support/

    All support services will be delivered in accordance with your support agreement

    and the then-current enterprise technical support policy.

    Contacting Technical Support

    Customers with a current support agreement may access Technical Support

    information at the following URL:

    www.symantec.com/business/support/

    Before contacting Technical Support, make sure you have satisfied the system
    requirements that are listed in your product documentation. Also, you should be
    at the computer on which the problem occurred, in case it is necessary to replicate
    the problem.

    When you contact Technical Support, please have the following information

    available:

    - Product release level
    - Hardware information
    - Available memory, disk space, and NIC information
    - Operating system
    - Version and patch level
    - Network topology
    - Router, gateway, and IP address information
    - Problem description:
      - Error messages and log files
      - Troubleshooting that was performed before contacting Symantec
      - Recent software configuration changes and network changes

    Licensing and registration

    If your Symantec product requires registration or a license key, access our technical
    support Web page at the following URL:

    www.symantec.com/business/support/

    Customer service

    Customer service information is available at the following URL:

    www.symantec.com/business/support/

    Customer Service is available to assist with non-technical questions, such as the
    following types of issues:

    - Questions regarding product licensing or serialization
    - Product registration updates, such as address or name changes
    - General product information (features, language availability, local dealers)
    - Latest information about product updates and upgrades
    - Information about upgrade assurance and support contracts
    - Information about the Symantec Buying Programs
    - Advice about Symantec's technical support options
    - Nontechnical presales questions
    - Issues that are related to CD-ROMs, DVDs, or manuals


    Support agreement resources

    If you want to contact Symantec regarding an existing support agreement, please

    contact the support agreement administration team for your region as follows:

    - Asia-Pacific and Japan: [email protected]
    - Europe, Middle-East, and Africa: [email protected]
    - North America and Latin America: [email protected]


    Contents

    Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

    Section 1 Introducing Symantec Security Information Manager . . . . . . . . . . . . . . . . 15

    Chapter 1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

    About Symantec Security Information Manager ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

    About workflow in Information Manager ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

    About Information Manager components ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

    About security products and devices ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

    About event collectors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

    About Information Manager servers ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

    About the Symantec DeepSight ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

    About the Information Manager Web service ... . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

    Chapter 2 Symantec Security Information Manager Console . . . . . . . . . . . . . . . . . . . . 23

    About the Information Manager console ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

    About the Dashboard view .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

    About the Intelligence view .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

    About the Incidents view .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

    About the Events view .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

    About the Tickets view .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

    About the Assets view .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

    About the Reports view .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

    About the Rules view .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

    About the System view .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

    About the Statistics view .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

    About the features of the Information Manager console ... . . . . . . . . . . . . . . . . . . . 58

    About the incident and the alert monitors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

    About the event activity monitor ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

    About the Notes feature ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

    Creating and editing notes ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

    Searching the notes ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61


    About user actions ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

    Creating and modifying user actions ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

    Opening the Information Manager console from the command line ... . . . . . . . . . . . . 64

    Changing a password .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

    Chapter 3 Symantec Security Information Manager Web configuration interface . . . . . . . . 67

    About the Information Manager Web interface ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

    Accessing the Web configuration interface ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

    About the features of the Web configuration interface ... . . . . . . . . . . . . . . . . . . . . . 68

    Section 2 Planning for security management . . . . . . . . . . . . . . . . . 73

    Chapter 4 Managing the correlation environment . . . . . . . . . . . . . . . . . . . . . . . . . . 75

    About the Correlation Manager ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

    About the Correlation Manager knowledge base ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

    About the default rules set ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

    Chapter 5 Defining rules strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

    About creating the right rule set for your business ... . . . . . . . . . . . . . . . . . . . . . . . . . . 81

    About defining a rules strategy .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

    About correlation rules ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

    About rule conditions ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

    About rule types ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

    About event criteria ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

    About the Event Count, Span, and Table Size rule settings ... . . . . . . . . . . . . . . . . 92

    About the Tracking Key and Conclusion Creation fields ... . . . . . . . . . . . . . . . . . . . . 92

    About the Correlate By and Resource fields ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

    Importing existing rules ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

    Creating custom correlation rules ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

    Creating a multicondition rule ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

    Creating a correlation rule based on the X not followed by Y rule type .... . . . . . . . . . . 105

    Creating a correlation rule based on the X not followed by X rule type .... . . . . . . . . . . 107

    Creating a correlation rule for the Y not preceded by X rule type .... . . . . . . . . . . . . . . 108

    Creating a correlation rule for the Lookup Table Update ... . . . . . . . . . . . 110

    Enabling and disabling rules ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

    Working with the Lookup Tables window .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112


    Creating a user-defined Lookup Table ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

    Importing Lookup Tables and records ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

    Section 3 Getting started with the Information Manager . . . . . . . . . . . . . . . . . . . . . . . . 121

    Chapter 6 Configuring the Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

    About configuring Information Manager ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

    Identifying critical systems .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

    Adding a policy ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

    Specifying networks ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

    About customizations for a Service Provider Master console ... . . . . . . . . . . . 127

    Chapter 7 Managing roles and permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

    About managing roles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

    About the administrator roles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

    About the default roles in the Information Manager server ... . . . . . . . 130

    About planning for role creation .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

    Creating a role ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

    Editing role properties ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

    Deleting a role ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

    About working with permissions ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

    About permissions ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

    About the propagation of permissions ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

    Modifying permissions from the Permissions dialog box .... . . . . . . . . . . 150

    Chapter 8 Managing users and user groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

    About users and passwords ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

    Customizing the password policy ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

    Creating a new user ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

    Creating a user group .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

    About editing user properties ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

    Changing a user's password .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160

    Specifying user business and contact information .... . . . . . . . . . . . . . . . . . . . . . . . . . 160

    Managing role assignments and properties ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

    Managing user group assignments ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

    Specifying notification information .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

    About modifying user permissions ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

    Modifying a user group .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

    Deleting a user or a user group .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167


    About integrating Active Directory with the Information Manager server ... . . . . . . . . . . . 168

    Managing Active Directory configurations ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168

    Changing the password for Linux accounts ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

    Changing the password for symcmgmt Linux account ... . . . . . . . . . . . . . . . . . . . . . . . . . 171

    Chapter 9 Managing organizational units and computers . . . . . . . . . . 173

    About organizational units ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

    About managing organizational units ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

    Creating a new organizational unit ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

    About determining the length of the organizational unit name .... . . . . . . . . . . . . . . . . 175

    Editing organizational unit properties ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

    About modifying organizational unit permissions ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

    Deleting an organizational unit ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

    About managing computers within organizational units ... . . . . . . . . . . . . . . . . . 177

    Creating computers within organizational units ... . . . . . . . . . . . . . . . . . . . . . . 178

    About editing computer properties ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

    Distributing configurations to computers in an organizational unit ... . . . . . . . . . . . . . . 192

    Moving a computer to a different organizational unit ... . . . . . . . . . . . . . . . 193

    About modifying computer permissions ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

    Deleting a computer from an organizational unit ... . . . . . . . . . . . . . . . . . . . . 194

    Section 4 Understanding event collectors . . . . . . . . . . . . . . . . . . . . . . . . 197

    Chapter 10 Introducing event collectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

    About Event Collectors and Information Manager ... . . . . . . . . . . . . . . . . . . . . . . . . . 199

    Collectors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200

    About Symantec Universal Collectors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

    About Custom Log Management ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

    Downloading and installing the Symantec Universal Collectors ... . . . . . . . 203

    Correlating the logs collected in a file from a proprietary application .... . . . . . . . . . . . 204

    Chapter 11 Configuring collectors for event filtering and aggregation . . . . . . . . . . . . . . . 207

    Configuring the event filtering rules ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

    Configuring event aggregation .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210


    Section 5 Working with events and event archives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215

    Chapter 12 Managing event archives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217

    About events, conclusions, and incidents ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217

    About the Events view .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

    About the event lifecycle ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

    About event archives ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220

    About multiple event archives ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220

    Creating new event archives ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

    Specifying event archive settings ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222

    Creating a local copy of event archives on a network computer ... . . . . . . . . 224

    Restoring event archives ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225

    Viewing event data in the archives ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226

    About the event archive viewer right pane .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227

    Manipulating the event data histogram .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227

    Setting a custom date and time range .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228

    About viewing event details ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

    Modifying the format of the event details table ... . . . . . . . . . . . . . . . . . . . . . . . 229

    Searching within event query results ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231

    Filtering event data ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231

    About working with event queries ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236

    Using the Source View query and Target View query ... . . . . . . . . . . . . . . . . 236

    Creating query groups ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

    Querying across multiple archives ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

    Creating custom queries ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238

    Editing queries ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244

    Managing the color scheme that is used in query results ... . . . . . . . . . . . 245

    About querying for IP addresses ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246

    Importing queries ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246

    Exporting queries ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

    Publishing queries ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

    Scheduling queries that can be distributed as reports ... . . . . . . . . . . . . . . . 248

    Deleting queries ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

    Chapter 13 Forwarding events to the Information Manager Server . . . . . . . . . . . . . . . . . . 251

    About forwarding events to an Information Manager server ... . . . . . . . . . . . . 251

    About registering a security directory ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253

    Registering Collectors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254

    Registering with a security domain .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255


    Activating event forwarding .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256

    Stopping event forwarding .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259

    Chapter 14 Understanding event normalization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261

    About event normalization .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261

    About normalization (.norm) files ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263

    Chapter 15 Collector-based event filtering and aggregation . . . . . . . . . . . . . . . . . . . . . . . 265

    About collector-based event filtering and aggregation .... . . . . . . . . . . . . . . . . . . . 265

    About identifying common events for collector-based filtering or

    aggregation .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267

    About preparing to create collector-based rules ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268

    Accessing event data in the Information Manager console ... . . . . . . . . . . . . . . 270

    Creating collector-based filtering and aggregation

    specifications ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271

    Examples of collector-based filtering and aggregation rules ... . . . . . . . . . . . . 273

    Filtering events generated by specific internal networks ... . . . . . . . . . . . 273

    Filtering common firewall events ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274

    Filtering common Symantec AntiVirus events ... . . . . . . . . . . . . . . . . . . . . . . . . 277

    Filtering or aggregating vulnerability assessment events ... . . . . . . . . . . 278

    Filtering Windows Event Log events ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279

    Section 6 Working with incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283

    Chapter 16 Managing Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285

    About incident management ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285

    Incident identification .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286

    Example: InformationManager automates incident management

    during a Blaster worm attack ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287

    Threat containment, eradication, and recovery ... . . . . . . . . . . . . . . . . . . . . . . . 287

    Follow-up .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287

    Viewing incidents ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287About the incident list .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287

    Viewing and modifying the incident list .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289

    About creating and modifying incidents ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290

    Creating incidents manually ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291

    Modifying incidents ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292

    Merging incidents ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293

    Closing an incident ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294

    Reopening a closed incident ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295

    Contents12

  • 8/22/2019 Symantec Security Information Manager User Guide

    13/354

    Printing incident details ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295

    Printing the incident, ticket, or asset list .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296

    Exporting the incident, ticket, or asset list .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296

    Assigningincidentsautomatically to the least busy member in a usergroup .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298

    Chapter 17 Working with filters in the Incidents view . . . . . . . . . . . . . . . . . . . . 301

    About filtering incidents ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301

    Modifying a custom filter ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301

    Creating a custom filter ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302

    Deleting a custom filter ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302

    Searching within incident filtering results ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303

    Section 7 Working with tickets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305

    Chapter 18 Managing tickets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307

    About tickets ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307

    About creating tickets ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308

    Creating a ticket manually ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308

    Creating a ticket category ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309

    Viewing tickets ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310

    About the Ticket Details window .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310

    Viewing tickets associated with a specific incident ... . . . . . . . . . . . . . . . . . . . . . . . . . 311

    Setting ticket task dispositions ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312

    Changing the priority of a ticket ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312

    Adding a ticket note ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313

    Closing a ticket ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313

    Printing the ticket list .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314

    Chapter 19 Working with filters in Tickets view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315

    Filtering tickets ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315

    Modifying a custom ticket filter ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316

    Deleting a custom ticket filter ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317

    Chapter 20 Working with Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319

    About the Assets view .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319

    Importing assets into the Assets table ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321

    Contents

  • 8/22/2019 Symantec Security Information Manager User Guide

    14/354

    Section 8 Working with reports and dashboards . . . . . . . . . 323

    Chapter 21 Managing reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325

    Working with reports ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325

    About reports ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325

    Creating custom reports ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325

    Creating a report group or folder ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328

    Editing tabular queries in reports ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329

    Publishing reports ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329

    Enabling the email distribution of reports ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330

    Scheduling and distributing reports ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331

    Modifying the report distribution .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335

    Viewing reports ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335

    Configuring a report for portrait or landscape mode .... . . . . . . . . . . . . . . . 337

    Printing and saving reports ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337

    Exporting reports ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338

    Importing reports ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339

    Performing a drill-down on reports ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339

    Chapter 22 Managing dashboards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343

    About the dashboard .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343

    Viewing dashboards ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344

    Viewing queries in the Dashboard .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346

    Performing a drill-down on dashboards ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346

    Refreshing the dashboard .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347

    Customizing the dashboard .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348

    Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 349

    Contents14

Section 1 Introducing Symantec Security Information Manager

Chapter 1. Overview

Chapter 2. Symantec Security Information Manager Console

Chapter 3. Symantec Security Information Manager Web configuration interface

Chapter 1 Overview

    This chapter includes the following topics:

    About Symantec Security Information Manager

    About workflow in Information Manager

    About Information Manager components

About Symantec Security Information Manager

Information Manager provides real-time event correlation and data archiving to protect against security threats and to preserve critical security data. Information Manager collects and archives security events from across the enterprise. These events are correlated with the known asset vulnerabilities and current security information from Symantec DeepSight. The resulting information provides the basis for real-time threat analysis and security incident identification. Information Manager archives the security data for forensic and regulatory compliance purposes.

Information Manager collects, analyzes, and archives information from security devices, critical applications, and services, such as the following:

Information Manager provides the following features to help you recognize and respond to threats in your enterprise:

Normalization of events from multiple vendors.

Normalization and correlation of events from multiple vendors.

Event archives to retain events in both their original (raw) and normalized formats.

Distributed event filtering and aggregation to ensure that only relevant security events are correlated.

Real-time security intelligence updates from Symantec DeepSight. These updates keep you apprised of global threats and let you correlate internal security activity with external threats.

Customizable event correlation rules to let you fine-tune threat recognition and incident creation for your environment.

Security incident creation, ticketing, tracking, and remediation for quick response to security threats. Information Manager prioritizes incidents based upon the security policies that are associated with the affected assets.

An Event Viewer that lets you easily mine large amounts of event data and identify the computers and users that are associated with each event.

A client-based console from which you can view all security incidents and drill down to the related event details. These details include affected targets, associated vulnerabilities, and recommended corrective actions.

Predefined and customizable queries to help you demonstrate compliance with the security and the data retention policies in your enterprise.

A Web-based interface that lets you view and customize the dashboard, configure settings, and manage events, incidents, and tickets remotely. You can download various utilities and perform routine maintenance tasks such as backup and restore. You can use the custom logs feature with the universal collectors to collect and map information from devices for which standard collectors are not available.

About workflow in Information Manager

The Symantec Security Information Manager workflow includes the following steps:

Event collectors gather events from Symantec and third-party point products.
See About Event Collectors and Information Manager on page 199.

Events are filtered and aggregated.
See Configuring the event filtering rules on page 207.
See Configuring event aggregation on page 210.

Symantec Event Agent forwards both the raw and the processed events to the Information Manager server.
See About forwarding events to an Information Manager server on page 251.
See Activating event forwarding on page 256.

The Information Manager server stores the event data in event archives.
See About event archives on page 220.

The Information Manager server correlates the events with threat and asset information based on the various correlation rules.
See About the Correlation Manager on page 75.

Information Manager security events trigger a correlation rule and create a security incident.
See About incident management on page 285.
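The workflow steps above, modeled end to end as an added Python example that is not Symantec's code: constructed vendor lines are normalized into one schema, filtered and aggregated at the collector stage, archived in both raw and normalized form, and correlated against a hypothetical asset table whose security policy sets the incident priority. Every event format, address, filter rule, threshold and asset entry is invented for the illustration.

```python
"""Constructed model of the workflow above: collect, normalize, filter and
aggregate, archive raw plus normalized events, correlate against asset data,
and open an incident. Not Symantec's code; every format, address, rule and
threshold is invented for illustration."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed raw events in two invented vendor formats (not real product output).
RAW_EVENTS = [
    "FW1 2012-03-01T10:00:01 DENY src=198.51.100.7 dst=10.0.0.5 dport=445",
    "FW1 2012-03-01T10:00:02 DENY src=198.51.100.7 dst=10.0.0.5 dport=445",
    "FW1 2012-03-01T10:00:03 DENY src=198.51.100.7 dst=10.0.0.5 dport=445",
    "FW1 2012-03-01T10:00:04 DENY src=10.0.0.9 dst=10.0.0.5 dport=445",
    "WINLOG 2012-03-01T10:00:05 EventID=4625 Source=198.51.100.7 Target=10.0.0.5",
]

# Hypothetical asset table standing in for the asset vulnerability and security
# policy data the text says incidents are correlated with and prioritized by.
ASSETS = {
    "10.0.0.5": {"vuln_ports": {445}, "policy": "critical-servers", "priority": 1},
}
TRUSTED_INTERNAL = "10.0.0."   # hypothetical filter rule: drop traffic from this network
AGGREGATE_THRESHOLD = 3        # hypothetical correlation rule: 3+ hits on a vulnerable port

FW_RE = re.compile(r"FW1 (\S+) (\w+) src=(\S+) dst=(\S+) dport=(\d+)")
WIN_RE = re.compile(r"WINLOG (\S+) EventID=(\d+) Source=(\S+) Target=(\S+)")


@dataclass
class Event:
    """Common schema that every collector normalizes into."""
    raw: str
    vendor: str
    time: str
    src: str
    dst: str
    dport: Optional[int]
    kind: str
    count: int = 1


def normalize(raw: str) -> Event:
    """Collector step: translate a vendor-specific line into the common schema."""
    m = FW_RE.match(raw)
    if m:
        t, action, src, dst, dport = m.groups()
        return Event(raw, "firewall", t, src, dst, int(dport), "fw_" + action.lower())
    m = WIN_RE.match(raw)
    if m:
        t, eid, src, dst = m.groups()
        return Event(raw, "windows", t, src, dst, None, "win_" + eid)
    raise ValueError("unrecognized event format: %r" % raw)


def filter_events(events: List[Event]) -> List[Event]:
    """Collector-based filter: discard events generated by the trusted internal network."""
    return [e for e in events if not e.src.startswith(TRUSTED_INTERNAL)]


def aggregate(events: List[Event]) -> List[Event]:
    """Collector-based aggregation: collapse events sharing (src, dst, dport, kind)
    into one event carrying a count, so a single event is forwarded and correlated."""
    buckets = {}
    for e in events:
        key = (e.src, e.dst, e.dport, e.kind)
        if key in buckets:
            buckets[key].count += 1
        else:
            buckets[key] = Event(**vars(e))
    return list(buckets.values())


def correlate(events: List[Event]) -> List[dict]:
    """Server-side correlation rule: repeated hits on a port the target asset is known
    to be vulnerable on open an incident whose priority comes from the asset's policy."""
    incidents = []
    for e in events:
        asset = ASSETS.get(e.dst)
        if asset and e.dport in asset["vuln_ports"] and e.count >= AGGREGATE_THRESHOLD:
            incidents.append({
                "target": e.dst, "source": e.src, "port": e.dport,
                "events": e.count, "policy": asset["policy"], "priority": asset["priority"],
            })
    return incidents


def run_pipeline(raw_lines: List[str]):
    """Run the whole workflow. Returns the archive (raw and normalized) and the incidents."""
    normalized = [normalize(line) for line in raw_lines]
    kept = aggregate(filter_events(normalized))
    # The agent forwards raw and processed events; the server archives both forms.
    archive = {"raw": list(raw_lines), "normalized": kept}
    return archive, correlate(kept)


if __name__ == "__main__":
    archive, incidents = run_pipeline(RAW_EVENTS)
    print(len(archive["raw"]), "raw events archived;", len(archive["normalized"]),
          "normalized events remain after filtering and aggregation")
    for inc in incidents:
        print("incident:", inc)
```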

About Information Manager components

Symantec Security Information Manager has the following components:

Security products and devices
See About security products and devices on page 20.

Symantec Event Agent

Event collectors
See About event collectors on page 20.

Information Manager servers
See About Information Manager servers on page 21.

DeepSight
See About the Symantec DeepSight on page 22.

Web service
See About the Information Manager Web service on page 22.

    Figure 1-1 Components in an Information Manager setup

    About security products and devices

The security products and devices in your enterprise can generate overwhelming amounts of security data. Many firewalls can generate over 500 GB of security data per day; intrusion detection systems can trigger over 250,000 alerting incidents per week. Most security products store event data in a proprietary format, accessible only by the tools that the security products provide. To secure your enterprise effectively, you need to collect, normalize, and analyze the data from all parts of your enterprise.

    See About Information Manager components on page 19.

    About event collectors

Event collectors gather security events from a variety of event sources, such as databases, log files, and syslog applications. Event collectors translate the event data into a standard format, and optionally filter and aggregate the events. The event collectors then send the events to Symantec Security Information Manager. You can configure event collectors to also send the event data in its original format.

You install event collectors either on the security product computer or at a location with access to the security product events. To facilitate installation and setup, event collectors for third-party firewalls are preinstalled on the Information Manager server. After the event collector is registered with Information Manager, you can configure event collector settings from the Information Manager console. The event collector settings include the event source specification and any event filter or aggregation rules.

    Symantec provides event collectors for the following types of products:

    Firewalls

    Routers, switches, and VPNs

    Intrusion detection and prevention systems

    Vulnerability scanners

    Web servers, filters, and proxies

    Databases

    Mail and groupware

    Enterprise antivirus

    Microsoft authentication services

    Windows and UNIX system logs

For access to the extensive library of event collectors, visit Symantec support at the following Web site:

    http://www.symantec.com/enterprise/support/

    See About Information Manager components on page 19.

    About Information Manager servers

Information Manager server can be installed on any approved hardware that meets the minimum system requirements.

You can deploy one or more Information Manager servers in various roles to satisfy the event gathering, archiving, and event correlation requirements for your enterprise. To account for traffic variation, a single Information Manager is only recommended for a security environment that generates up to 1,000 events per second (EPS) on average and that requires a maximum of 4 MB to 8 MB per day of event data storage. To increase the overall event processing rate, you can add multiple load sharing Information Managers to your deployment.

You can configure each server for dedicated event collection, event archiving, or event correlation. In most cases, a combination of multiple servers that share the event and the incident processing load is preferred.

    See About Information Manager components on page 19.


    About the Symantec DeepSight

Information Manager has access to current vulnerability, attack pattern, and threat resolution information from the Threat and Vulnerability Management Service. The Symantec DeepSight powers the Threat and Vulnerability Management Service. The Symantec DeepSight is a comprehensive collection of vendor-neutral security data sources. The service is an authoritative source of information about known and emerging vulnerabilities, threats, risks, and global attack activity.

    See About Information Manager components on page 19.

    About the Information Manager Web service

The Web service of Symantec Security Information Manager lets you securely access and update the data that is stored on a server. You can use the Web service to publish event, asset, incident, ticket, and system setting information. You can also use the Web service to integrate Information Manager with help desk, inventory, or notification applications.

See About Information Manager components on page 19.

For more information on interfacing your application to use the Web service, see the application documentation or your application vendor.


Chapter 2 Symantec Security Information Manager Console

This chapter includes the following topics:

About the Information Manager console

About the features of the Information Manager console

About the Information Manager console

You must install the Java client of the Information Manager on a Microsoft Windows 2003, XP, Vista, Windows 2008 R2, or Windows 7 computer to access the console. The client can be downloaded from the Home > Downloads view of the Information Manager Web interface.

The console of the Information Manager client enables you to perform the following security monitoring functions:

Define rules to identify security incidents.

Identify critical network hosts.

View Symantec Global Intelligence Network information.

Manage incidents.

Manage tickets.

Create reports.

Connect Symantec Information Manager with Symantec Managed Security Services (MSS). MSS combines global threat intelligence, enterprise-wide monitoring, advanced analytics, and expert staff to provide 24x7 security monitoring and protection for enterprises from known and emerging threats.

Perform Service Provider management tasks.

The console consists of the following views that help you manage the Information Manager Server:

    Dashboard view

    Intelligence view

    Incidents view

    Events view

    Tickets view

    Assets view

    Reports view

    Rules view

    System view

    Statistics view

    See About Information Manager components on page 19.

About the Dashboard view

The Dashboard view on the console of the Information Manager client provides a high-level view of the critical security information in your environment. Information Manager users can customize the dashboard to display the required event, ticket, and incident information.

The Dashboard view provides an overview of the incident activity that is presented in the following default set of queries:

Closed incident count for each assignee by priority

Closed incident count for each assignee by severity

Open incident count for each assignee by severity

Open incident count for each assignee by priority

Count of both open incident and closed incident by assignee

Incidents count for each of the last seven days

The toolbar of the Dashboard view presents the following options:

Refresh: Refreshes the queries.

Turn Auto Refresh On: Toggles the automatic refresh of the dashboard queries. When Auto Refresh is on, the dashboard queries are refreshed every five minutes, by default.

Add: Lets you add a new query to the dashboard.

Delete: Lets you remove a query from the dashboard. You can also remove the query by closing the query window.

Tile: Tiles the dashboard charts.

Cascade: Cascades the dashboard charts.

    See Viewing dashboards on page 344.

    See Customizing the dashboard on page 348.

    About the Intelligence view

The Intelligence view displays the security information that the Symantec Global Intelligence Network gathers. The Symantec Global Intelligence Network is a comprehensive collection of vendor-neutral security data sources. The service is an authoritative source of information about known and emerging vulnerabilities, threats, risks, and global attack activity.

The Intelligence view provides information about the current ThreatCon level. It also provides advice and instructions on how to guard against and respond to the current threats.

    The Intelligence view presents detailed information under the following tabs:

AnalystWatch: The AnalystWatch tab provides information about IP addresses and URLs known to be involved in malicious activity.

IDS Statistics: The IDS Statistics tab displays the five most frequently occurring intrusion detection events. It also lists offending ISPs, IP addresses, destination ports, attack products, and source and destination countries.

Firewall Statistics: The Firewall Statistics tab displays the top five ports on the rise and lists offending ISPs, IP addresses, destination ports, and source and destination countries.

AntiVirus Statistics: The AntiVirus Statistics tab displays the five most frequent corporate and consumer virus sample submissions.

Honeynet: The Honeynet tab displays up-to-date information from the Symantec Global Intelligence Network and data analysis of threats in the wild.

Note: The features that appear on the Intelligence view may vary depending on the type of Global Intelligence Network services subscription that you have purchased. Contact your Symantec sales representative for more information.

    See About the Information Manager console on page 23.

    About the Incidents view

The Incidents view lets you look at and manage Information Manager incidents. You can customize the Incidents view by selecting from the security filters or the alert filters or by creating your own custom filter. When you select an incident filter, the incident list displays only the incidents that satisfy the filter criteria. Selecting an incident in the list updates the incident pane with the detailed information for the selected incident. To update the incident, modify the incident attributes and click Save. To maximize or minimize the display area for the incident pane, click the expand and collapse arrows correspondingly in the upper-left corner.

Double-clicking an incident in the list opens the Incident Details dialog box. To update the incident, modify the incident information and then click the Save icon. To export the incident details, click the Export icon. The incident details are exported to a CSV file that you can save to the desired location on your computer. To edit multiple incidents, highlight the incidents, and edit settings in the Details tab.

From the Incidents view, you can perform the following tasks:

Select a filter to apply to the Incidents view. The filters available for you depend on the roles to which you are assigned. The filters are grouped by Security Incidents, Alerts, and Custom filters in various states. See Table 2-1 on page 27.

Create a custom incident view filter.

Search for an incident by incident Reference ID.

Create a new incident.

Open the Incident Details dialog box for the selected incident.

Create a ticket for the selected incident or incidents.

Export the incident list to a file. You can export the list in HTML, CSV, and XML format, as required.

Merge the selected incidents.

Close the selected incidents. You must provide the disposition (for example, normal, false-positive, resolved, duplicate, or merged) and provide notes when you close an incident.

Lock the incident list. You can lock the incident list to prevent the display of newly created or recently assigned incidents in the list. When you unlock the list, it is updated with the latest incidents.

Table 2-1 describes the Logical Groups for the filters.

Table 2-1 Logical Groups for filters

My Incidents: The incidents that are assigned to the current user. Following are the states of this group of incidents: Open, New, In-Work, Waiting, and Closed.

My Team Incidents: The incidents that are assigned to the current user's teams. Teams are created in the User Groups section of the System view, on the Administration tab. Following are the states of this group of incidents: Open, New, In-Work, Waiting, and Closed.

All Incidents: All incidents that have been created, both assigned and unassigned. Following are the states of this group of incidents: Open, New, In-Work, Waiting, and Closed.

Unassigned Open Incidents: All incidents which are open and unassigned.

My Alerts: The incident alerts assigned to the current user. Following are the states of this group of incidents: Open, New, In-Work, Waiting, and Closed.

My Team Alerts: The incident alerts assigned to the current user's teams. Teams are created in the User Groups section of the System view, on the Administration tab. Following are the states of this group of incidents: Open, New, In-Work, Waiting, and Closed.

All Alerts: All incident alerts that have been created, both assigned and unassigned. Following are the states of this group of incidents: Open, New, In-Work, Waiting, and Closed.

Unassigned Open Alerts: All incident alerts that are open and unassigned.

Custom Filters: All user-defined incident and alert filters.

The Incidents view details pane contains tabs from which you can view or update the selected incident.

Table 2-2 lists the details pane tabs and their functions.

Table 2-2 Incident view details pane tabs

Tab: Description

Details: Displays the incident details that include the ID, status, severity, description, creator, assignee, and priority.

Conclusions: Displays the event conclusions that are associated with the incident. To view the details of a conclusion that is associated with the incident, select a conclusion and click the Conclusion Details icon. You can also select an event from the list and view the particular event details.

Events: Displays the events that are associated with the incident. To view the details of an event that is associated with the incident, select the event and click the Event Details icon.

Targets: Displays the target computers that are associated with the incident. To view the details for a target computer, select the target computer and click the Details icon. To create an asset from a target computer, select the target computer and click the Create Asset icon.

Sources: Displays the source computers that are associated with the incident. To view details for a source computer, select the source computer and click the Details icon.

Attack Diagram: Displays a visual representation of the progress of the attack that generated the incident, along with the Symantec Event Code.

Intelligence: Displays Symantec signature information, including the malicious code or vulnerability information that may be associated with the event. You can view the intelligence information organized by associated signatures or by target computers.

Tickets: Displays the tickets that have been created for the incident. To view the details of the tickets that are associated with the incident, select the ticket and click the Ticket Details icon. To create a ticket based on this incident, click the Create Ticket icon. When you create a ticket, the Create Ticket dialog box includes the following tabs:
    Details: Provides the fields that describe the characteristics of the ticket: a summary description, the priority, the ticket category, the creator of the ticket, the assignee of the ticket, and the related incidents.
    Instructions: Lets you correlate Intelligence data from the Global Intelligence Network with the ticket, if information is available.
    Tasks: Provides the fields to describe any additional remediation tasks that the creator of the ticket recommends. Note that the Tasks tab of the Create Ticket dialog differs from the steps that are listed in the Remediation tab for the incident. The Remediation tab contains the instructions that are automatically created when the incident is created, based on settings in the rule that triggered the incident.

Remediation: Displays the remediation suggestions that have been associated with the rule that triggered the incident. Remediation entries can be added to a rule on the Rules view.

Log: Displays the information that is available on the history of the incident. The incident history contains entries for incident creation, modifications, and closure. You can add entries to the log to record the information and the activities that are related to the incident.

See "About the Information Manager console" on page 23.

About the Events view

The Events view lets you explore the Information Manager event archives. Event archives contain correlated and uncorrelated event data from the security products that are set up to forward events to Symantec Security Information Manager. You can create multiple event archives that can be stored on any instance of Information Manager. When you perform an event query, you can search across any available combination of archives, regardless of which instance of Information Manager stores the archive. The archives that are visible on the Events view are created with an ordered series of event storage rules. These rules are created on the System view.

To view the events that are stored in the event archives, you can use templates and queries to search for the events you need to view. Templates are generally more complex preconfigured queries that can be customized with chosen parameters. System queries are the queries that focus on specific products or common aspects of security management.

When you run a template or a query, you set the parameters for the query, including which archives to search. Each template and query contains the parameters specific to the data that the query harvests: for example, a specific IP address or a time range in which the search is to be conducted. After you run the query, the results are displayed in the right pane of the Events view. The presentation of data depends on each query, and can include graphs, pie charts, and lists of events.

If a query returns a list of events, you can click on a particular event to see the event details. You can change table columns if you want to see different information about the events. You can view details about a particular event by double-clicking the table row.

You can also filter data in the table so that it displays only the events that interest you. You can filter on a particular event parameter by right-clicking a cell and clicking Filter on cell. You can also filter results based on a unique column value. Alternatively, you can use the advanced filtering option to create a more complex query.

You can also use the Query Builder Wizard to query the event archives. This wizard helps you create the following types of queries:

Event queries
Trending queries
The trending feature is available only after you select the Event Query option.
Summary queries
Advanced SQL queries

Note: The Query Builder Wizard icon is available only when the folder for My Queries or Published Queries is selected.

Table 2-3 describes the items that are in the left pane of the Events view.

Table 2-3 Events view left pane items

Item: Description

Local Event Archives: Access the static copies of the events that are archived and that are stored somewhere other than the Information Manager server. Local event archives are often created as a backup copy of an active archive. Local event archives are not updated after the copy of the archive has been made.

Templates: Provides a set of preconfigured query templates that generally provide a system-wide view of event activity. The templates use the parameters you choose, such as the event archives or the time period from which the query gathers information. A template can be customized by placing a copy in either the My Queries or the Published Queries folder and then adjusting the copy. Access to the Template queries is controlled based on the roles.

My Queries: Displays a list of queries that you have created for your own use. You can move any of these queries into the Published Queries folder to make them available to others.

Published Queries: Displays a list of the queries that have been created at your site and that you want some or all of your users to be able to use.

System Queries: Displays a list of queries that are included in the Information Manager package. You can use any of these queries as a template for a customized query. To create a customized query, export the selected query as a QML file, and then copy or import the query into the My Queries folder or the Published Queries folder. You can modify it as required.

You can schedule queries to be distributed in a report as a CSV file.

See "About working with event queries" on page 236.

See "Viewing event data in the archives" on page 226.

About the Tickets view

The Tickets view lets you view and manage Information Manager tickets.

You can customize the ticket view by selecting from one of several ticket filters, or by creating a custom ticket filter. The filters that are available to you depend upon the roles to which you have been assigned. When you select a ticket filter, the ticket list displays only the tickets that satisfy the filter criteria.

Selecting a ticket in the ticket list updates the ticket pane with the detailed information for the selected ticket. To update the ticket, modify the ticket attributes and click Apply.

Double-clicking a ticket in the ticket list opens the Ticket Details dialog box. To update the ticket, modify the ticket information, and click Save or OK. You can edit multiple tickets simultaneously by opening a Ticket Details dialog box for each ticket to view or modify.

The Tickets view toolbar contains icons for the following tasks:

Select a filter to apply to the ticket view.
The filters that are available to you depend upon the roles to which you are assigned, and may include one or more of the following:
    My Open Tickets: Lists the open tickets that are associated with the incidents assigned to the current user.
    My Closed Tickets: Lists the closed tickets that are associated with the incidents assigned to the current user.
    All Open Tickets: Lists all the open tickets.
    All Closed Tickets: Lists all the closed tickets.
    All Unassigned Tickets: Lists all the unassigned tickets.

Create a custom ticket view filter.

Search for a ticket by ticket ID.

Refresh the tickets view.

Open the Ticket Details dialog box for the selected ticket.

Export the list of tickets to a file.

The ticket preview pane contains tabs from which you can view or update the selected ticket.

Table 2-4 lists the preview pane tabs and their functions.

Table 2-4 Ticket preview pane tabs

Tab: Description

Details: Displays the ticket details such as the ID, summary, category, status, priority, timestamp, creator, and helpdesk assignee.

Incidents: Displays the incidents that are associated with the ticket. To associate a new incident with a ticket, click the Add icon. To disassociate an incident from the ticket, select the incident and click the Remove icon. To view the incident details, click the Incident Details icon. To close the incident from the tickets view, select the incident and click the Close icon.

Tasks: Displays the user tasks that are assigned to each ticket. To add a new task to the ticket, click the Add icon. To remove a task from the ticket, select the task and click the Remove icon. To edit tasks, select the task and click the Edit icon. To add intelligence to the task, click the Intelligence icon.

Instructions: Displays the instructions that are associated with the ticket. To add or modify the instructions, edit the field and click Save. The instruction field accepts a maximum of 3000 characters. The Instructions tab also displays the Reset icon. You can also use the Add Intelligence to Instructions icon.

Log: Displays the ticket history that contains entries for ticket creation, ticket modifications, and ticket closure. To add log entries to record information and the activities that are related to the ticket, click the Add icon.

See "About the Information Manager console" on page 23.


About the Assets view

The Assets view lets you view and manage Information Manager assets. Use the Assets view to identify critical assets in your environment, and track the incidents and the tickets that are related to those assets.

Identify the network assets that have one or more of the following attributes:

Host critical information or services
Host confidential information
Have specific roles on the network, such as firewall or vulnerability scanning devices
Require high availability
Comply with regulatory policies

The correlation manager uses the asset information to identify and prioritize incidents. The correlation manager creates an incident when a threat exploits an asset's vulnerabilities. The correlation manager sets the incident priority based upon the confidentiality, integrity, and availability ratings that you assign to the asset.

The correlation rules depend upon the asset information, so identifying key network assets on the Assets view is a critical configuration step.

You can populate the list of assets in any of the following ways:

Manually add entries in the Assets view.

On the Incidents view, in the Targets tab for an incident, create assets based upon computers.

On the Events view, under System Queries > SSIM > SSIM System, create assets from the query results of the Source view query and Target view query.

On the Assets view, import a list of assets in XML or CSV format. For example, you can export a list of network computers from Microsoft Active Directory, convert the file to CSV format, and then import the file into the Information Manager.

Create assets by integrating Information Manager with a policy compliance assessment tool, such as Symantec Control Compliance Suite or Symantec Enterprise Security Manager.

Create assets by integrating Information Manager with a network vulnerability scanner. Use the Asset Detector rule under Monitor > System Monitors on the Rules view to choose the vulnerability scan products that automatically populate the assets table.

If you run vulnerability scans periodically on your network, lock the asset information for particular computers. If you lock an asset, the vulnerability scan does not modify the list of the services that are hosted on the asset. A vulnerability scan always updates the asset vulnerabilities, regardless of the asset lock status.
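The Active Directory route described above (export computers, convert to CSV, import) is the step an administrator usually scripts. The following Python is an added example, not code from this guide or from Symantec: it reads a constructed CSV in the shape that PowerShell's Export-Csv produces for Get-ADComputer with the DNSHostName, IPv4Address and OperatingSystem properties, drops computer objects that have no address or a malformed one, de-duplicates on IP address, and writes a CSV ready for import. The output column names (hostname, ip_address, operating_system) are an assumption: the column layout the Information Manager importer expects is not described on this page, so check the product's import template and adjust ASSET_COLUMNS before using this.

```python
import csv
import io
import ipaddress

# Constructed sample of an AD export as written by
# Get-ADComputer -Filter * -Properties DNSHostName,IPv4Address,OperatingSystem | Export-Csv
# Names, addresses and OS strings are invented for this example.
AD_EXPORT = """\
"Name","DNSHostName","IPv4Address","OperatingSystem"
"FW-EDGE01","fw-edge01.example.local","10.0.0.1","Windows Server 2008 R2"
"FILESRV02","filesrv02.example.local","10.0.5.20","Windows Server 2008 R2"
"LAPTOP-7","laptop-7.example.local","","Windows 7 Professional"
"FILESRV02","filesrv02.example.local","10.0.5.20","Windows Server 2008 R2"
"BADHOST","badhost.example.local","not-an-ip","Windows 7 Professional"
"""

# Assumed output layout for the asset import file. The real column names the
# Information Manager importer expects are not on this page; check the
# product's import template and change this list to match.
ASSET_COLUMNS = ["hostname", "ip_address", "operating_system"]


def parse_ad_export(text):
    """Read the AD export and return one dict per computer object."""
    return list(csv.DictReader(io.StringIO(text)))


def to_asset_rows(records):
    """Keep computers with a valid, unique IPv4 address; report the rest.

    Returns (rows, skipped): rows is a list of dicts keyed by ASSET_COLUMNS,
    skipped maps each dropped computer name to the reason it was dropped, so
    the administrator can fix the directory data instead of silently losing
    assets that the correlation rules would then never see.
    """
    rows, skipped, seen = [], {}, set()
    for rec in records:
        name = rec.get("Name", "").strip()
        raw_ip = rec.get("IPv4Address", "").strip()
        if not raw_ip:
            skipped[name] = "no IPv4 address in AD"
            continue
        try:
            ip = ipaddress.IPv4Address(raw_ip)
        except ValueError:
            skipped[name] = "invalid IPv4 address: %s" % raw_ip
            continue
        if ip in seen:
            skipped[name] = "duplicate of %s" % ip
            continue
        seen.add(ip)
        rows.append({
            "hostname": rec.get("DNSHostName", "").strip().lower() or name.lower(),
            "ip_address": str(ip),
            "operating_system": rec.get("OperatingSystem", "").strip(),
        })
    return rows, skipped


def write_asset_csv(rows):
    """Serialize the rows as the CSV text to hand to the Assets view importer."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=ASSET_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    assets, dropped = to_asset_rows(parse_ad_export(AD_EXPORT))
    print(write_asset_csv(assets))
    for computer, reason in dropped.items():
        print("skipped %s: %s" % (computer, reason))
```

Reviewing the skipped list before importing matters more than it looks: an asset that is missing from the table is invisible to the correlation manager, so a host with no IPv4 address in the directory silently gets no incident prioritization.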

You can filter the view of the assets in your environment using the filtering options or asset groups.

Search for an asset from each of the views by entering the IP address or host name in the Search Asset field, and then clicking the Search icon.

Double-clicking an asset in the asset list opens the Asset Details dialog box. To update the asset, modify the asset fields and then click the Save icon. You can update multiple assets simultaneously by opening the Asset Editor dialog box for each asset to modify.

Table 2-5 lists the Assets view tabs and their functions.

Table 2-5 Assets view tabs

Tab: Description

Details: Displays the network identification, description, priority, organization, operating system, and lock information for the selected asset.

Policies: Displays any policy that is applied to the selected asset. You can add policies to an asset from a customizable list of regulatory policies. To customize the list of available policies, select the Administration tab on the System view. You can also delete policies from the asset.

Services: Displays the network services that the selected computer hosts. You can add services to an asset from a customizable list of well-known services. To customize the list of services, select the Administration tab on the System view. You can also delete services from the asset.

Incidents: Lists any incidents that pertain to the selected asset. Using the incident list is a convenient way to monitor the security activity that is related to an asset.

Tickets: Lists any tickets that pertain to the selected asset. The ticket list is a convenient way to monitor the work-order activity that is related to an asset.

Vulnerabilities: Displays the discovery date, CVE ID, BugTraq ID, and description of any vulnerability that is discovered on the asset. The vulnerability information is tracked when the assets are imported from a vulnerability scanner.

See "About the Information Manager console" on page 23.

About the Reports view

The Reports view lets you create and manage Information Manager reports.

To create a report, you insert one or more queries into a report template. You can also add graphic elements and text, including a header and footer. Reports can span multiple views, or you can subdivide a single view and insert multiple queries on that view.

You can distribute a report immediately, or you can schedule it to be generated at a specific time and then distributed automatically. You can also export and import reports in RML format.

The Reports toolbar contains icons for report management tasks. The tasks available to you depend upon the roles to which you have been assigned, and may include one or more of the following:

Refresh the Explorer pane.
Create a folder.
Create a report.
Save a report.
Remove the selected report or folder.
Import a report from an RML format file.
Export the selected report to an RML format file.
Adjust the view settings for a report, including the view size and orientation.
Publish the selected report by placing the report in the Published Reports folder.

The Reports view has the following panes:

Explorer
The Explorer pane lets you manage the My Reports folder and the Published Reports folders, as well as any new folders that you create. When you create a report in the My Reports folder, it is only available to the user who created it. When you create a report in the Published Reports folder, it is available to all of the users who have the applicable permissions for the contents of the report. To publish a report, drag it from your private folder to the Published Reports folder. When you publish a report by dragging it into the Published Reports folder, the two reports are not linked.
In addition to creating, publishing, and deleting reports, you can create and delete report folders. You can also import reports, export reports, and move reports from one folder to another.

Properties
The Properties pane lets you view and edit the selected report property values, such as the background color or line thickness.

Report
The Report pane provides the tabs that let you design, preview, and distribute the selected report.

Table 2-6 describes the tabs that appear in the right pane when you create a new report or select an existing report from the list in the left pane.

Table 2-6 Report pane tabs

Tab: Description

Design: Lets you specify and format the contents of your report. You can include multiple data queries, images, annotation text, and grids in your report. The queries that are available to you depend upon the roles to which you are assigned. For example, you may have access to queries that pertain to firewall and VPN data, but may not have access to queries on antivirus data.

Preview: Displays a preview of the report. You can also save or print the report from the Preview tab. You can also drill down on the following query types by clicking on the reports that are displayed: Top N by Field, Trending for Top N by Field, and Summary Data Queries. See "Performing a drill-down on reports" on page 339.

Distribute: Lets you schedule the report and specify report recipients. You can compose an email report notification message, attach the report as a PDF and RTF, or include a URL link to the report. Note: When the recipient clicks on the URL link, the report can be accessed directly if the user has already logged on to the Web configuration interface using the host name of Information Manager. However, if the user has logged on using the IP address of Information Manager, then the user is prompted for authentication to access the report. You can also test the report distribution configuration with the Test option. The reports are immediately distributed after you perform the testing. To schedule a report for distribution, you must first publish the report by placing it in the Published Reports folder.

Note: The Distribute option is available only for the Published Reports.

See "About the Information Manager console" on page 23.

About the Rules view

The Rules view lets you create, test, and manage the rules that Information Manager uses to filter known false positives and declare security incidents. Default rules provide a starting point for determining the most common kinds of security incidents, including denial-of-service attacks and blended threats. The default filtering rules provide a set of common filters that can also be used to create customized filters. You can enable, disable, and fine-tune the default rules and filters based on the needs of your organization and the security products that are running.

The Rules view also includes folders for monitors and lookup tables. Monitoring rules are used to detect unexpected security-related changes to systems or periods of inactivity from the systems that are monitored. The lookup tables provide a set of tables that can be configured to list known malicious IP addresses, sensitive files, sensitive URLs, services, Trojan horses, and Windows events that can be used to fine-tune rules and filters. For example, if you have detected a set of IP addresses that routinely attempt to maliciously infiltrate your network, you can add these IP addresses to an IPaddr
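To show what a lookup table of known malicious IP addresses or sensitive files does when a rule consults it, here is an added Python example. It is not the product's own rule engine (how Information Manager matches table entries is not described on this page); the two tables, the event records and their field names (src_ip, dst_ip, file) are all constructed for the example. It goes slightly beyond the text in one respect: the IP table accepts CIDR blocks as well as single addresses, which is how such tables are usually maintained once a whole hostile range has been seen.

```python
import ipaddress

# Constructed lookup tables standing in for the Rules view lookup tables.
# The entries are invented (documentation ranges); a real table is fed from
# your own incident history or threat intelligence.
KNOWN_MALICIOUS_IPS = ["203.0.113.7", "198.51.100.0/24"]
SENSITIVE_FILES = ["/etc/shadow", "C:\\Windows\\System32\\config\\SAM"]

# Constructed normalized events. Field names are an assumption for this example.
EVENTS = [
    {"id": 1, "src_ip": "203.0.113.7", "dst_ip": "10.0.5.20", "file": None},
    {"id": 2, "src_ip": "198.51.100.44", "dst_ip": "10.0.0.1", "file": None},
    {"id": 3, "src_ip": "10.0.9.9", "dst_ip": "10.0.5.20", "file": "/etc/shadow"},
    {"id": 4, "src_ip": "10.0.9.10", "dst_ip": "10.0.5.21", "file": "/var/log/syslog"},
    {"id": 5, "src_ip": "not an ip", "dst_ip": "10.0.5.21", "file": None},
]


def compile_ip_table(entries):
    """Turn a list of addresses and CIDR blocks into network objects.

    A bare address becomes a /32 (or /128) network so a single membership
    test covers both forms. A malformed entry raises ValueError here, at
    load time, rather than being silently skipped during matching.
    """
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def ip_in_table(raw_ip, networks):
    """True if raw_ip parses and falls inside any network in the table.

    Unparseable source addresses (event 5 above) are treated as a non-match
    rather than an error so one bad event does not stop rule evaluation.
    """
    try:
        ip = ipaddress.ip_address(raw_ip)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def evaluate(events, ip_table, file_table):
    """Apply both lookup tables to each event and return the matches.

    Each match is (event id, reason). An event that matches more than one
    table appears once per reason, which is what a rule that escalates on
    either condition needs to see.
    """
    networks = compile_ip_table(ip_table)
    files = {f.lower() for f in file_table}
    matches = []
    for ev in events:
        if ip_in_table(ev["src_ip"], networks):
            matches.append((ev["id"], "source in known malicious IP table"))
        if ev.get("file") and ev["file"].lower() in files:
            matches.append((ev["id"], "access to file in sensitive files table"))
    return matches


if __name__ == "__main__":
    for event_id, reason in evaluate(EVENTS, KNOWN_MALICIOUS_IPS, SENSITIVE_FILES):
        print("event %d: %s" % (event_id, reason))
```

Events 1 and 2 match the IP table (the second through the /24 block), event 3 matches the sensitive-files table, and events 4 and 5 match nothing. The same shape works in the other direction as a filter: a table of known-good scanner addresses consulted the same way is how the default filtering rules suppress false positives.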

