8/22/2019 Symantec Security Information Manager User Guide
1/354
Symantec Security Information Manager 4.8 User Guide
Symantec Security Information Manager User Guide
The software described in this book is furnished under a license agreement and may be used
only in accordance with the terms of the agreement.
Documentation version: 4.8
Legal Notice
Copyright 2012 Symantec Corporation. All rights reserved.
Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec
Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks
of their respective owners.
This Symantec product may contain third party software for which Symantec is required
to provide attribution to the third party ("Third Party Programs"). Some of the Third Party
Programs are available under open source or free software licenses. The License Agreement
accompanying the Software does not alter any rights or obligations you may have under
those open source or free software licenses. Please see the Third Party Legal Notice Appendix
to this Documentation or TPIP ReadMe File accompanying this Symantec product for more
information on the Third Party Programs.
The product described in this document is distributed under licenses restricting its use,
copying, distribution, and decompilation/reverse engineering. No part of this document
may be reproduced in any form by any means without prior written authorization of
Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT,
ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO
BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL
OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING,
PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED
IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software
as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19
"Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in
Commercial Computer Software or Commercial Computer Software Documentation", as
applicable, and any successor regulations. Any use, modification, reproduction release,
performance, display or disclosure of the Licensed Software and Documentation by the U.S.
Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com
Printed in the United States of America.
10 9 8 7 6 5 4 3 2 1
Technical Support
Symantec Technical Support maintains support centers globally. Technical
Support's primary role is to respond to specific queries about product features
and functionality. The Technical Support group also creates content for our online
Knowledge Base. The Technical Support group works collaboratively with the
other functional areas within Symantec to answer your questions in a timely
fashion. For example, the Technical Support group works with Product Engineering
and Symantec Security Response to provide alerting services and virus definition
updates.
Symantec's support offerings include the following:
A range of support options that give you the flexibility to select the right
amount of service for any size organization
Telephone and/or Web-based support that provides rapid response and
up-to-the-minute information
Upgrade assurance that delivers software upgrades
Global support purchased on a regional business hours or 24 hours a day, 7
days a week basis
Premium service offerings that include Account Management Services
For information about Symantec's support offerings, you can visit our Web site
at the following URL:
www.symantec.com/business/support/
All support services will be delivered in accordance with your support agreement
and the then-current enterprise technical support policy.
Contacting Technical Support
Customers with a current support agreement may access Technical Support
information at the following URL:
www.symantec.com/business/support/
Before contacting Technical Support, make sure you have satisfied the system
requirements that are listed in your product documentation. Also, you should be
at the computer on which the problem occurred, in case it is necessary to replicate
the problem.
When you contact Technical Support, please have the following information
available:
Product release level
Hardware information
  Available memory, disk space, and NIC information
Operating system
  Version and patch level
Network topology
  Router, gateway, and IP address information
Problem description:
  Error messages and log files
  Troubleshooting that was performed before contacting Symantec
  Recent software configuration changes and network changes
Licensing and registration
If your Symantec product requires registration or a license key, access our technical
support Web page at the following URL:
www.symantec.com/business/support/
Customer service
Customer service information is available at the following URL:
www.symantec.com/business/support/
Customer Service is available to assist with non-technical questions, such as the
following types of issues:
Questions regarding product licensing or serialization
Product registration updates, such as address or name changes
General product information (features, language availability, local dealers)
Latest information about product updates and upgrades
Information about upgrade assurance and support contracts
Information about the Symantec Buying Programs
Advice about Symantec's technical support options
Nontechnical presales questions
Issues that are related to CD-ROMs, DVDs, or manuals
Support agreement resources
If you want to contact Symantec regarding an existing support agreement, please
contact the support agreement administration team for your region as follows:
Asia-Pacific and Japan: [email protected]
Europe, Middle-East, and Africa: [email protected]
North America and Latin America: [email protected]
Contents
Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Section 1 Introducing Symantec Security
Information Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Chapter 1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
About Symantec Security Information Manager ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
About workflow in Information Manager ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
About Information Manager components ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
About security products and devices ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
About event collectors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
About Information Manager servers ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
About the Symantec DeepSight ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
About the Information Manager Web service ... . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Chapter 2 Symantec Security Information Manager Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
About the Information Manager console ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
About the Dashboard view .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
About the Intelligence view .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
About the Incidents view .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
About the Events view .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
About the Tickets view .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
About the Assets view .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
About the Reports view .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
About the Rules view .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
About the System view .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
About the Statistics view .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
About the features of the Information Manager console ... . . . . . . . . . . . . . . . . . . . 58
About the incident and the alert monitors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
About the event activity monitor ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
About the Notes feature ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Creating and editing notes ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Searching the notes ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
About user actions ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Creating and modifying user actions ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Opening the Information Manager console from the command line ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Changing a password .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Chapter 3 Symantec Security Information Manager Web configuration interface . . . . . . . . . . . . . . . . . . . . 67
About the Information Manager Web interface ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Accessing the Web configuration interface ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
About the features of the Web configuration interface ... . . . . . . . . . . . . . . . . . . . . . 68
Section 2 Planning for security management . . . . . . . . . . . . . . . . . 73
Chapter 4 Managing the correlation environment . . . . . . . . . . . . . . . . . . . . . . . . . . 75
About the Correlation Manager ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
About the Correlation Manager knowledge base ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
About the default rules set ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Chapter 5 Defining rules strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
About creating the right rule set for your business ... . . . . . . . . . . . . . . . . . . . . . . . . . . 81
About defining a rules strategy .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
About correlation rules ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
About rule conditions ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
About rule types ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
About event criteria ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
About the Event Count, Span, and Table Size rule settings ... . . . . . . . . . . . . . . . . 92
About the Tracking Key and Conclusion Creation fields ... . . . . . . . . . . . . . . . . . . . . 92
About the Correlate By and Resource fields ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Importing existing rules ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Creating custom correlation rules ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Creating a multicondition rule ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Creating a correlation rule based on the X not followed by Y rule type .... . . . . . . . . . . . . . . . . . . . . . . . . . 105
Creating a correlation rule based on the X not followed by X rule
type .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Creating a correlation rule for the Y not preceded by X rule
type .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Creating a correlation rule for the Lookup Table Update ... . . . . . . . . . . . 110
Enabling and disabling rules ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Working with the Lookup Tables window .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Creating a user-defined Lookup Table ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Importing Lookup Tables and records ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Section 3 Getting started with the Information Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Chapter 6 Configuring the Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
About configuring Information Manager ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Identifying critical systems .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Adding a policy ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Specifying networks ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
About customizations for a Service Provider Master console ... . . . . . . . . . . . 127
Chapter 7 Managing roles and permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
About managing roles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
About the administrator roles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
About the default roles in the Information Manager server ... . . . . . . . 130
About planning for role creation .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Creating a role ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Editing role properties ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Deleting a role ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
About working with permissions ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
About permissions ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
About the propagation of permissions ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Modifying permissions from the Permissions dialog box .... . . . . . . . . . . 150
Chapter 8 Managing users and user groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
About users and passwords ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Customizing the password policy ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Creating a new user ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Creating a user group .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
About editing user properties ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Changing a user's password .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Specifying user business and contact information .... . . . . . . . . . . . . . . . . . . 160
Managing role assignments and properties ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Managing user group assignments ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Specifying notification information .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
About modifying user permissions ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Modifying a user group .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Deleting a user or a user group .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
About integrating Active Directory with the Information Manager
server ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Managing Active Directory configurations ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Changing the password for Linux accounts ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Changing the password for symcmgmt Linux account ... . . . . . . . . . . . . . . 171
Chapter 9 Managing organizational units and computers . . . . . . . . . . 173
About organizational units ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
About managing organizational units ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Creating a new organizational unit ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
About determining the length of the organizational unit name .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Editing organizational unit properties ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
About modifying organizational unit permissions ... . . . . . . . . . . . . . . . . . . . 176
Deleting an organizational unit ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
About managing computers within organizational units ... . . . . . . . . . . . . . . . . . 177
Creating computers within organizational units ... . . . . . . . . . . . . . . . . . . . . . . 178
About editing computer properties ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Distributing configurations to computers in an organizational
unit ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Moving a computer to a different organizational unit ... . . . . . . . . . . . . . . . 193
About modifying computer permissions ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Deleting a computer from an organizational unit ... . . . . . . . . . . . . . . . . . . . . 194
Section 4 Understanding event collectors . . . . . . . . . . . . . . . . . . . . . . . . 197
Chapter 10 Introducing event collectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
About Event Collectors and Information Manager ... . . . . . . . . . . . . . . . . . . . . . . . . . 199
Collectors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
About Symantec Universal Collectors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
About Custom Log Management ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Downloading and installing the Symantec Universal Collectors ... . . . . . . . 203
Correlating the logs collected in a file from a proprietary
application .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Chapter 11 Configuring collectors for event filtering and aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Configuring the event filtering rules ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Configuring event aggregation .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Section 5 Working with events and event
archives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Chapter 12 Managing event archives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
About events, conclusions, and incidents ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
About the Events view .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
About the event lifecycle ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
About event archives ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
About multiple event archives ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Creating new event archives ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Specifying event archive settings ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Creating a local copy of event archives on a network computer ... . . . . . . . . 224
Restoring event archives ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Viewing event data in the archives ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
About the event archive viewer right pane .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Manipulating the event data histogram .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Setting a custom date and time range .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
About viewing event details ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Modifying the format of the event details table ... . . . . . . . . . . . . . . . . . . . . . . . 229
Searching within event query results ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Filtering event data ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
About working with event queries ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Using the Source View query and Target View query ... . . . . . . . . . . . . . . . . 236
Creating query groups ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Querying across multiple archives ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Creating custom queries ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Editing queries ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Managing the color scheme that is used in query results ... . . . . . . . . . . . 245
About querying for IP addresses ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Importing queries ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Exporting queries ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Publishing queries ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Scheduling queries that can be distributed as reports ... . . . . . . . . . . . . . . . 248
Deleting queries ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Chapter 13 Forwarding events to the Information Manager Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
About forwarding events to an Information Manager server ... . . . . . . . . . . . . 251
About registering a security directory ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Registering Collectors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Registering with a security domain .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Activating event forwarding .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Stopping event forwarding .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Chapter 14 Understanding event normalization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
About event normalization .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
About normalization (.norm) files ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Chapter 15 Collector-based event filtering and aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
About collector-based event filtering and aggregation .... . . . . . . . . . . . . . . . . . . . 265
About identifying common events for collector-based filtering or
aggregation .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
About preparing to create collector-based rules ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Accessing event data in the Information Manager console ... . . . . . . . . . . . . . . 270
Creating collector-based filtering and aggregation
specifications ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Examples of collector-based filtering and aggregation rules ... . . . . . . . . . . . . 273
Filtering events generated by specific internal networks ... . . . . . . . . . . . 273
Filtering common firewall events ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Filtering common Symantec AntiVirus events ... . . . . . . . . . . . . . . . . . . . . . . . . 277
Filtering or aggregating vulnerability assessment events ... . . . . . . . . . . 278
Filtering Windows Event Log events ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Section 6 Working with incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Chapter 16 Managing Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
About incident management ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Incident identification .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Example: InformationManager automates incident management
during a Blaster worm attack ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Threat containment, eradication, and recovery ... . . . . . . . . . . . . . . . . . . . . . . . 287
Follow-up .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Viewing incidents ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287About the incident list .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Viewing and modifying the incident list .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
About creating and modifying incidents ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Creating incidents manually ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Modifying incidents ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Merging incidents ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Closing an incident ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Reopening a closed incident ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
    Printing incident details ... 295
    Printing the incident, ticket, or asset list ... 296
    Exporting the incident, ticket, or asset list ... 296
    Assigning incidents automatically to the least busy member in a user group ... 298
Chapter 17 Working with filters in the Incidents view ... 301
    About filtering incidents ... 301
    Modifying a custom filter ... 301
    Creating a custom filter ... 302
    Deleting a custom filter ... 302
    Searching within incident filtering results ... 303
Section 7 Working with tickets ... 305
Chapter 18 Managing tickets ... 307
    About tickets ... 307
    About creating tickets ... 308
    Creating a ticket manually ... 308
    Creating a ticket category ... 309
    Viewing tickets ... 310
    About the Ticket Details window ... 310
    Viewing tickets associated with a specific incident ... 311
    Setting ticket task dispositions ... 312
    Changing the priority of a ticket ... 312
    Adding a ticket note ... 313
    Closing a ticket ... 313
    Printing the ticket list ... 314
Chapter 19 Working with filters in Tickets view ... 315
    Filtering tickets ... 315
    Modifying a custom ticket filter ... 316
    Deleting a custom ticket filter ... 317
Chapter 20 Working with Assets ... 319
    About the Assets view ... 319
    Importing assets into the Assets table ... 321
Section 8 Working with reports and dashboards ... 323
Chapter 21 Managing reports ... 325
    Working with reports ... 325
        About reports ... 325
        Creating custom reports ... 325
        Creating a report group or folder ... 328
        Editing tabular queries in reports ... 329
        Publishing reports ... 329
        Enabling the email distribution of reports ... 330
        Scheduling and distributing reports ... 331
        Modifying the report distribution ... 335
        Viewing reports ... 335
        Configuring a report for portrait or landscape mode ... 337
        Printing and saving reports ... 337
        Exporting reports ... 338
        Importing reports ... 339
    Performing a drill-down on reports ... 339
Chapter 22 Managing dashboards ... 343
    About the dashboard ... 343
    Viewing dashboards ... 344
    Viewing queries in the Dashboard ... 346
    Performing a drill-down on dashboards ... 346
    Refreshing the dashboard ... 347
    Customizing the dashboard ... 348
Index ... 349
Section 1 Introducing Symantec Security Information Manager
Chapter 1. Overview
Chapter 2. Symantec Security Information Manager Console
Chapter 3. Symantec Security Information Manager Web configuration interface
Chapter 1 Overview
This chapter includes the following topics:
About Symantec Security Information Manager
About workflow in Information Manager
About Information Manager components
About Symantec Security Information Manager
Information Manager provides real-time event correlation and data archiving to
protect against security threats and to preserve critical security data. Information
Manager collects and archives security events from across the enterprise. These
events are correlated with the known asset vulnerabilities and current security
information from Symantec DeepSight. The resulting information provides the
basis for real-time threat analysis and security incident identification. Information
Manager archives the security data for forensic and regulatory compliance
purposes.
Information Manager collects, analyzes, and archives information from security
devices, critical applications, and services, such as the following:
Information Manager provides the following features to help you recognize and
respond to threats in your enterprise:
Normalization and correlation of events from multiple vendors.
Event archives to retain events in both their original (raw) and normalized
formats.
Distributed event filtering and aggregation to ensure that only relevant security
events are correlated.
Real-time security intelligence updates from Symantec DeepSight. These
updates keep you apprised of global threats and let you correlate internal
security activity with external threats.
Customizable event correlation rules to let you fine-tune threat recognition
and incident creation for your environment.
Security incident creation, ticketing, tracking, and remediation for quick
response to security threats. Information Manager prioritizes incidents based
upon the security policies that are associated with the affected assets.
An Event Viewer that lets you easily mine large amounts of event data and
identify the computers and users that are associated with each event.
A client-based console from which you can view all security incidents and drill
down to the related event details. These details include affected targets,
associated vulnerabilities, and recommended corrective actions.
Predefined and customizable queries to help you demonstrate compliance with
the security and the data retention policies in your enterprise.
A Web-based interface that lets you view and customize the dashboard,
configure settings, and manage events, incidents, and tickets remotely. You
can download various utilities and perform routine maintenance tasks such
as backup and restore. You can use the custom logs feature with the universal
collectors to collect and map information from devices for which standard
collectors are not available.
About workflow in Information Manager
The Symantec Security Information Manager workflow includes the following
steps:
Event collectors gather events from Symantec and third-party point products.
See About Event Collectors and Information Manager on page 199.
Events are filtered and aggregated.
See Configuring the event filtering rules on page 207.
See Configuring event aggregation on page 210.
Symantec Event Agent forwards both the raw and the processed events to the
Information Manager server.
See About forwarding events to an Information Manager server on page 251.
See Activating event forwarding on page 256.
The Information Manager server stores the event data in event archives.
See About event archives on page 220.
The Information Manager server correlates the events with threat and asset
information based on the various correlation rules.
See About the Correlation Manager on page 75.
Information Manager security events trigger a correlation rule and create a security incident.
See About incident management on page 285.
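To make the workflow steps above concrete, the following is an added illustration written for this page (it is not Symantec collector, agent or correlation code). It walks constructed sample output from two hypothetical point products through normalization, a filter rule, an aggregation rule, an archive that keeps the raw text beside the normalized fields, and a correlation rule that opens an incident; the line formats, the internal range 10.0.0.0/8 and the three-port threshold are assumptions.

```python
import ipaddress
import re
from collections import OrderedDict
from dataclasses import dataclass, field

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range
SWEEP_PORTS = 3                                 # assumed correlation-rule threshold

# Constructed sample output from two hypothetical point products.
SAMPLE_LINES = [
    "fw: ACCEPT 10.0.0.5->10.0.0.9:443",                         # internal, allowed: filtered out
    "fw: ACCEPT 10.0.0.5->10.0.0.9:443",
    "fw: DENY 198.51.100.7->10.0.0.9:22",
    "fw: DENY 198.51.100.7->10.0.0.9:22",                        # duplicate: aggregated
    "fw: DENY 198.51.100.7->10.0.0.9:23",
    "fw: DENY 198.51.100.7->10.0.0.9:3389",
    "ids: sig=SSH-BRUTE src=198.51.100.7 dst=10.0.0.9 dport=22",
    "garbage line that no collector understands",
]

FW_RE = re.compile(r"^fw: (?P<action>ACCEPT|DENY) (?P<src>[\d.]+)->(?P<dst>[\d.]+):(?P<port>\d+)$")
IDS_RE = re.compile(r"^ids: sig=(?P<sig>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<port>\d+)$")


@dataclass
class Event:
    """Normalized event; raw_lines keeps the original text beside the common fields."""
    product: str
    src_ip: str
    dst_ip: str
    dst_port: int
    action: str
    raw_lines: list = field(default_factory=list)

    @property
    def count(self):  # number of raw events this record stands for
        return len(self.raw_lines)


def normalize(line):
    """Collector step: translate one vendor line into the common schema (None if unknown)."""
    m = FW_RE.match(line)
    if m:
        return Event("firewall", m["src"], m["dst"], int(m["port"]), m["action"], [line])
    m = IDS_RE.match(line)
    if m:
        return Event("ids", m["src"], m["dst"], int(m["port"]), "ALERT:" + m["sig"], [line])
    return None


def is_relevant(ev):
    """Filter rule: drop accepted traffic between two internal hosts."""
    internal = (ipaddress.ip_address(ev.src_ip) in INTERNAL
                and ipaddress.ip_address(ev.dst_ip) in INTERNAL)
    return not (ev.product == "firewall" and ev.action == "ACCEPT" and internal)


def aggregate(events):
    """Aggregation rule: merge events identical in every normalized field, keeping each raw line."""
    merged = OrderedDict()
    for ev in events:
        key = (ev.product, ev.src_ip, ev.dst_ip, ev.dst_port, ev.action)
        if key in merged:
            merged[key].raw_lines.extend(ev.raw_lines)
        else:
            merged[key] = ev
    return list(merged.values())


def correlate(events):
    """Correlation rule (assumed): a source denied on SWEEP_PORTS or more distinct ports
    opens an incident; an IDS alert from the same source raises its priority."""
    denied_ports, alerted = {}, set()
    for ev in events:
        if ev.product == "firewall" and ev.action == "DENY":
            denied_ports.setdefault(ev.src_ip, set()).add(ev.dst_port)
        elif ev.product == "ids":
            alerted.add(ev.src_ip)
    incidents = []
    for src, ports in denied_ports.items():
        if len(ports) >= SWEEP_PORTS:
            incidents.append({
                "rule": "port-sweep",
                "source": src,
                "ports": sorted(ports),
                "priority": "high" if src in alerted else "medium",
                "events": [ev for ev in events if ev.src_ip == src],
            })
    return incidents


def run_pipeline(lines):
    """Whole workflow: returns the archive (raw + normalized per record) and the incidents."""
    normalized = [ev for ev in map(normalize, lines) if ev is not None]
    forwarded = aggregate([ev for ev in normalized if is_relevant(ev)])
    archive = [(ev.raw_lines, ev) for ev in forwarded]
    return archive, correlate(forwarded)


if __name__ == "__main__":
    archive, incidents = run_pipeline(SAMPLE_LINES)
    print(f"{len(archive)} archived records covering {sum(e.count for _, e in archive)} raw events")
    for inc in incidents:
        print(inc["rule"], inc["source"], inc["ports"], inc["priority"])
```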
About Information Manager components
Symantec Security Information Manager has the following components:
Security products and devices
See About security products and devices on page 20.
Symantec Event Agent
Event collectors
See About event collectors on page 20.
Information Manager servers
See About Information Manager servers on page 21.
DeepSight
See About the Symantec DeepSight on page 22.
Web service
See About the Information Manager Web service on page 22.
Figure 1-1 Components in an Information Manager setup
About security products and devices
The security products and devices in your enterprise can generate overwhelming
amounts of security data. Many firewalls can generate over 500 GB of security
data per day; intrusion detection systems can trigger over 250,000 alerting
incidents per week. Most security products store event data in a proprietary format, accessible only by the tools that the security products provide. To secure
your enterprise effectively, you need to collect, normalize, and analyze the data
from all parts of your enterprise.
See About Information Manager components on page 19.
About event collectors
Event collectors gather security events from a variety of event sources, such as
databases, log files, and syslog applications. Event collectors translate the event
data into a standard format, and optionally filter and aggregate the events. The event collectors then send the events to Symantec Security Information Manager.
You can configure event collectors to also send the event data in its original format.
You install event collectors either on the security product computer or at a location
with access to the security product events. To facilitate installation and setup,
event collectors for third-party firewalls are preinstalled on the Information
Manager server. After the event collector is registered with Information Manager,
you can configure event collector settings from the Information Manager console.
The event collector settings include the event source specification and any event
filter or aggregation rules.
Symantec provides event collectors for the following types of products:
Firewalls
Routers, switches, and VPNs
Intrusion detection and prevention systems
Vulnerability scanners
Web servers, filters, and proxies
Databases
Mail and groupware
Enterprise antivirus
Microsoft authentication services
Windows and UNIX system logs
For access to the extensive library of event collectors, visit Symantec support at
the following Web site:
http://www.symantec.com/enterprise/support/
See About Information Manager components on page 19.
About Information Manager servers
Information Manager server can be installed on any approved hardware that
meets the minimum system requirements.
You can deploy one or more Information Manager servers in various roles to
satisfy the event gathering, archiving, and event correlation requirements for
your enterprise. To account for traffic variation, a single Information Manager
is only recommended for a security environment that generates up to 1,000 events
per second (EPS) on average and that requires a maximum of 4 MB to 8 MB per
day of event data storage. To increase the overall event processing rate, you can
add multiple load sharing Information Managers to your deployment.
You can configure each server for dedicated event collection, event archiving, or
event correlation. In most cases, a combination of multiple servers that share the
event and the incident processing load is preferred.
See About Information Manager components on page 19.
About the Symantec DeepSight
Information Manager has access to current vulnerability, attack pattern, and
threat resolution information from the Threat and Vulnerability Management
Service. The Symantec DeepSight powers the Threat and Vulnerability
Management Service. The Symantec DeepSight is a comprehensive collection of
vendor-neutral security data sources. The service is an authoritative source of
information about known and emerging vulnerabilities, threats, risks, and global
attack activity.
See About Information Manager components on page 19.
About the Information Manager Web service
The Web service of Symantec Security Information Manager lets you securely
access and update the data that is stored on a server. You can use the Web service
to publish event, asset, incident, ticket, and system setting information. You can
also use the Web service to integrate Information Manager with help desk,
inventory, or notification applications.
See About Information Manager components on page 19.
For more information on interfacing your application to use the Web service, see
the application documentation or your application vendor.
Chapter 2 Symantec Security Information Manager Console
This chapter includes the following topics:
About the Information Manager console
About the features of the Information Manager console
About the Information Manager console
You must install the Java client of the Information Manager on a Microsoft
Windows 2003, XP, Vista, Windows 2008 R2, or Windows 7 computer to access
the console. The client can be downloaded from the Home>Downloads view of
the Information Manager Web interface.
The console of the Information Manager client enables you to perform the
following security monitoring functions:
Define rules to identify security incidents.
Identify critical network hosts.
View Symantec Global Intelligence Network information
Manage incidents
Manage tickets
Create reports
Connect Symantec Information Manager with Symantec Managed Security
Services (MSS).
MSS combines global threat intelligence, enterprise-wide monitoring, advanced
analytics, and expert staff to provide 24x7 security monitoring and protection
for enterprises from known and emerging threats.
Perform Service Provider management tasks
The console consists of the following views that help you manage the Information
Manager Server:
Dashboard view
Intelligence view
Incidents view
Events view
Tickets view
Assets view
Reports view
Rules view
System view
Statistics view
See About Information Manager components on page 19.
About the Dashboard view
The Dashboard view on the console of the Information Manager client provides
a high-level view of the critical security information in your environment.
Information Manager users can customize the dashboard to display the required
event, ticket, and incident information.
The Dashboard view provides an overview of the incident activity that is presented
in the following default set of queries:
Closed incident count for each assignee by priority
Closed incident count for each assignee by severity
Open incident count for each assignee by severity
Open incident count for each assignee by priority
Count of both open incident and closed incident by assignee
Incidents count for each of the last seven days
The toolbar of the Dashboard view presents the following options:
Refresh: Refreshes the queries.
Turn Auto Refresh On: Toggles the automatic refresh of the dashboard queries. When Auto Refresh is on, the dashboard queries are refreshed every five minutes, by default.
Add: Lets you add a new query to the dashboard.
Delete: Lets you remove a query from the dashboard. You can also remove the query by closing the query window.
Tile: Tiles the dashboard charts.
Cascade: Cascades the dashboard charts.
See Viewing dashboards on page 344.
See Customizing the dashboard on page 348.
About the Intelligence view
The Intelligence view displays the security information that the Symantec Global
Intelligence Network gathers. The Symantec Global Intelligence Network is a
comprehensive collection of vendor-neutral security data sources. The service is
an authoritative source of information about known and emerging vulnerabilities,
threats, risks, and global attack activity.
The Intelligence view provides information about the current ThreatCon level.
It also provides advice and instructions on how to guard against and respond to
the current threats.
The Intelligence view presents detailed information under the following tabs:
Analyst Watch: The Analyst Watch tab provides information about IP addresses and URLs known to be involved in malicious activity.
IDS Statistics: The IDS Statistics tab displays the five most frequently occurring intrusion detection events. It also lists offending ISPs, IP addresses, destination ports, attack products, and source and destination countries.
Firewall Statistics: The Firewall Statistics tab displays the top five ports on the rise and lists offending ISPs, IP addresses, destination ports, and source and destination countries.
AntiVirus Statistics: The AntiVirus Statistics tab displays the five most frequent corporate and consumer virus sample submissions.
Honeynet: The Honeynet tab displays up-to-date information from the Symantec Global Intelligence Network and data analysis of threats in the wild.
Note: The features that appear on the Intelligence view may vary depending on the type of Global Intelligence Network services subscription that you have
purchased. Contact your Symantec sales representative for more information.
See About the Information Manager console on page 23.
About the Incidents view
The Incidents view lets you look at and manage Information Manager incidents.
You can customize the Incidents view by selecting from the security filters or the
alert filters or by creating your own custom filter. When you select an incident
filter, the incident list displays only the incidents that satisfy the filter criteria.
Selecting an incident in the list updates the incident pane with the detailed
information for the selected incident. To update the incident, modify the incident
attributes and click Save. To maximize or minimize the display area for the
incident pane, click the expand and collapse arrows correspondingly in the
upper-left corner.
Double-clicking an incident in the list opens the Incident Details dialog box. To
update the incident, modify the incident information and then click the Save icon.
To export the incident details, click the Export icon. The incident details are
exported to a CSV file that you can save to the desired location on your computer.
To edit multiple incidents, highlight the incidents, and edit settings in the Details
tab.
From the Incidents view, you can perform the following tasks:
Select a filter to apply to the Incidents view. The filters available for you
depend on the roles to which you are assigned. The filters are grouped by
Security Incidents, Alerts, and Custom filters in various states.
See Table 2-1 on page 27.
Create a custom incident view filter.
Search for an incident by incident Reference ID.
Create a new incident.
Open the Incident Details dialog box for the selected incident.
Create a ticket for the selected incident or incidents.
Export the incident list to a file.
You can export the list in HTML, CSV, and XML format, as required.
Merge the selected incidents.
Close the selected incidents.
You must provide the disposition (for example, normal, false-positive, resolved, duplicate, or merged) and provide notes when you close an incident.
Lock the incident list.
You can lock the incident list to prevent the display of newly created or recently
assigned incidents in the list. When you unlock the list, it is updated with the
latest incidents.
Table 2-1 describes the Logical Groups for the filters.
Table 2-1 Logical Groups for filters
My Incidents: The incidents that are assigned to the current user. Following are the states of this group of incidents: Open, New, In-Work, Waiting, and Closed.
My Team Incidents: The incidents that are assigned to the current user's teams. Teams are created in the User Groups section of the System view, on the Administration tab. Following are the states of this group of incidents: Open, New, In-Work, Waiting, and Closed.
All Incidents: All incidents that have been created, both assigned and unassigned. Following are the states of this group of incidents: Open, New, In-Work, Waiting, and Closed.
Unassigned Open Incidents: All incidents which are open and unassigned.
My Alerts: The incident alerts assigned to the current user. Following are the states of this group of incidents: Open, New, In-Work, Waiting, and Closed.
My Team Alerts: The incident alerts assigned to the current user's teams. Teams are created in the User Groups section of the System view, on the Administration tab. Following are the states of this group of incidents: Open, New, In-Work, Waiting, and Closed.
All Alerts: All incident alerts that have been created, both assigned and unassigned. Following are the states of this group of incidents: Open, New, In-Work, Waiting, and Closed.
Unassigned Open Alerts: All incident alerts that are open and unassigned.
Custom Filters: All user-defined incident and alert filters.
The Incidents view details pane contains tabs from which you can view or update the selected incident.
Table 2-2 lists the details pane tabs and their functions.
Table 2-2 Incident view details pane tabs
Details: Displays the incident details that include the ID, status, severity, description, creator, assignee, and priority.
Conclusions: Displays the event conclusions that are associated with the incident. To view the details of a conclusion that is associated with the incident, select a conclusion and click the Conclusion Details icon. You can also select an event from the list and view the particular event details.
Events: Displays the events that are associated with the incident. To view the details of an event that is associated with the incident, select the event and click the Event Details icon.
Targets: Displays the target computers that are associated with the incident. To view the details for a target computer, select the target computer and click the Details icon. To create an asset from a target computer, select the target computer and click the Create Asset icon.
Sources: Displays the source computers that are associated with the incident. To view details for a source computer, select the source computer and click the Details icon.
Attack Diagram: Displays a visual representation of the progress of the attack that generated the incident along with the Symantec Event Code.
Intelligence: Displays Symantec signature information, including the malicious code or vulnerability information that may be associated with the event. You can view the intelligence information that is organized by associated signatures or by target computers.
Tickets: Displays the tickets that have been created for the incident. To view the details of the tickets that are associated with the incident, select the ticket and click the Ticket Details icon. To create a ticket based on this incident, click the Create Ticket icon. When you create a ticket, the Create Ticket dialog box includes the following tabs:
    Details: Provides the fields that describe the characteristics of the ticket: a summary description, the priority, the ticket category, the creator of the ticket, the assignee of the ticket, and the related incidents.
    Instructions: Lets you correlate Intelligence data from the Global Intelligence Network with the ticket, if information is available.
    Tasks: Provides the fields to describe any additional remediation tasks that the creator of the ticket recommends. Note that the Tasks tab of the Create Ticket dialog differs from the steps that are listed in the Remediation tab for the incident. The Remediation tab contains the instructions that are automatically created when the incident is created, based on settings in the rule that triggered the incident.
Remediation: Displays the remediation suggestions that have been associated with the rule that triggered the incident. Remediation entries can be added to a rule on the Rules view.
Log: Displays the information that is available on the history of the incident. The incident history contains entries for incident creation, modifications, and closure. You can add entries to the log to record the information and the activities that are related to the incident.
See About the Information Manager console on page 23.
About the Events view
The Events view lets you explore the Information Manager event archives. Event archives contain correlated and uncorrelated event data from the security products that are set up to forward events to Symantec Security Information Manager. You can create multiple event archives that can be stored on any instance of Information Manager. When you perform an event query, you can search across any available combination of archives, regardless of which instance of Information Manager stores the archive. The archives that are visible on the Events view are created with an ordered series of event storage rules. These rules are created on the System view.
To view the events that are stored in the event archives, you can use templates and queries to search for the events you need to view. Templates are generally more complex preconfigured queries that can be customized with chosen parameters. System queries are the queries that focus on specific products or common aspects of security management.

When you run a template or a query, you set the parameters for the query, including which archives to search. Each template and query contains the parameters specific to the data that the query harvests: for example, a specific IP address or a time range in which the search is to be conducted. After you run the query, the results are displayed in the right pane of the Events view. The presentation of data depends on each query, and can include graphs, pie charts, and lists of events.
If a query returns a list of events, you can click on a particular event to see the
event details. You can change table columns if you want to see different
information about the events. You can view details about a particular event by
double-clicking the table row.
You can also filter data in the table so that it displays only the events that interest you. You can filter on a particular event parameter by right-clicking a cell and clicking Filter on cell. You can also filter results based on a unique column value. Alternatively, you can use the advanced filtering option to create a more complex query.
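The query-and-refine workflow described above, as an added example that is not part of the Symantec guide or the product: a small in-memory model of a parameterized event query run across archives that live on different Information Manager instances, followed by the "Filter on cell" and unique-column-value refinements. The archive names, event fields and every event record are constructed for illustration, and run_query, filter_on_cell and unique_values are hypothetical helper names, not SSIM APIs.

```python
"""Added example (not from the Symantec guide): an event query over several
archives with the "filter on cell" refinement.  Archive names, field names
and all event records are constructed for illustration."""
from datetime import datetime
from typing import Dict, Iterable, List, Optional

Event = Dict[str, object]

# Constructed sample archives, keyed by "<instance>/<archive>".  In the
# product the archives can be stored on different Information Manager
# instances; here they are plain in-memory lists.
ARCHIVES: Dict[str, List[Event]] = {
    "ssim-a/firewall": [
        {"time": datetime(2012, 5, 1, 9, 0), "src_ip": "10.0.0.5", "product": "Firewall", "type": "deny"},
        {"time": datetime(2012, 5, 1, 9, 5), "src_ip": "10.0.0.7", "product": "Firewall", "type": "deny"},
        {"time": datetime(2012, 5, 2, 3, 0), "src_ip": "10.0.0.5", "product": "Firewall", "type": "allow"},
    ],
    "ssim-a/ids": [
        {"time": datetime(2012, 5, 1, 9, 1), "src_ip": "10.0.0.5", "product": "IDS", "type": "signature"},
    ],
    "ssim-b/antivirus": [
        {"time": datetime(2012, 5, 1, 10, 0), "src_ip": "10.0.0.9", "product": "AV", "type": "detection"},
        {"time": datetime(2012, 5, 3, 10, 0), "src_ip": "10.0.0.5", "product": "AV", "type": "detection"},
    ],
}


def run_query(archives: Iterable[str], start: str, end: str,
              src_ip: Optional[str] = None) -> List[Event]:
    """Search the chosen archives (any combination, regardless of instance)
    for events whose time lies in [start, end] (ISO 8601 strings) and,
    optionally, that come from one source address.  Results are returned
    in time order, as a list-type query result would be."""
    start_dt, end_dt = datetime.fromisoformat(start), datetime.fromisoformat(end)
    hits: List[Event] = []
    for name in archives:
        for ev in ARCHIVES[name]:
            if not (start_dt <= ev["time"] <= end_dt):
                continue
            if src_ip is not None and ev["src_ip"] != src_ip:
                continue
            # Record which archive the hit came from, as the result table would.
            hits.append(dict(ev, archive=name))
    return sorted(hits, key=lambda e: e["time"])


def filter_on_cell(rows: List[Event], column: str, value: object) -> List[Event]:
    """Equivalent of right-clicking a cell and choosing Filter on cell:
    keep only the rows whose value in that column equals the clicked cell."""
    return [r for r in rows if r.get(column) == value]


def unique_values(rows: List[Event], column: str) -> List[object]:
    """The distinct values of one column, the basis for filtering on a
    unique column value."""
    return sorted({r[column] for r in rows}, key=str)


if __name__ == "__main__":
    rows = run_query(ARCHIVES, "2012-05-01", "2012-05-02")
    print(len(rows), "events in range, products:", unique_values(rows, "product"))
    for r in filter_on_cell(rows, "src_ip", "10.0.0.5"):
        print(r["time"], r["archive"], r["type"])
```

The time range is inclusive at both ends, so a query ending at midnight on 2 May still returns events stamped exactly 00:00 on that day; narrow the range or filter on a cell if that is not what you want.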
You can also use the Query Builder Wizard to query the event archives. This wizard helps you create the following types of queries:
Event queries
Trending queries (the trending feature is available only after you select the Event Query option)
Summary queries
Advanced SQL queries
Note: The Query Builder Wizard icon is available only when the My Queries folder or the Published Queries folder is selected.
Table 2-3 describes the items that are in the left pane of the Events view.
Table 2-3 Events view left pane items

Local Event Archives: Access the static copies of the events that are archived and that are stored somewhere other than the Information Manager server. Local event archives are often created as a backup copy of an active archive. Local event archives are not updated after the copy of the archive has been made.

Templates: Provides a set of preconfigured query templates that generally provide a system-wide view of event activity. The templates use the parameters you choose, such as the event archives or the time period from which the query gathers information. A template can be customized by placing a copy in either the My Queries or the Published Queries folder and then adjusting the copy. Access to the template queries is controlled based on roles.

My Queries: Displays a list of queries that you have created for your own use. You can move any of these queries into the Published Queries folder to make them available to others.

Published Queries: Displays a list of the queries that have been created at your site and that you want some or all of your users to be able to use.

System Queries: Displays a list of queries that are included in the Information Manager package. You can use any of these queries as a template for a customized query. To create a customized query, export the selected query as a QML file, and then copy or import the query into the My Queries folder or the Published Queries folder. You can modify it as required.
You can schedule queries to be distributed in a report as a CSV file.
See About working with event queries on page 236.
See Viewing event data in the archives on page 226.
About the Tickets view
The Tickets view lets you view and manage Information Manager tickets.
You can customize the ticket view by selecting from one of several ticket filters,
or by creating a custom ticket filter. The filters that are available to you depend
upon the roles to which you have been assigned. When you select a ticket filter,
the ticket list displays only the tickets that satisfy the filter criteria.
Selecting a ticket in the ticket list updates the ticket pane with the detailed
information for the selected ticket. To update the ticket, modify the ticket
attributes and click Apply.
Double-clicking a ticket in the ticket list opens the Ticket Details dialog box. To update the ticket, modify the ticket information, and click Save or OK. You can edit multiple tickets simultaneously by opening a Ticket Details dialog box for each ticket to view or modify.
The Tickets view toolbar contains icons for the following tasks:
Select a filter to apply to the ticket view. The filters that are available to you depend upon the roles to which you are assigned, and may include one or more of the following:
    My Open Tickets: Lists the open tickets that are associated with the incidents assigned to the current user.
    My Closed Tickets: Lists the closed tickets that are associated with the incidents assigned to the current user.
    All Open Tickets: Lists all the open tickets.
    All Closed Tickets: Lists all the closed tickets.
    All Unassigned Tickets: Lists all the unassigned tickets.
Create a custom ticket view filter.
Search for a ticket by ticket ID.
Refresh the tickets view.
Open the Ticket Details dialog box for the selected ticket.
Export the list of tickets to a file.
The ticket preview pane contains tabs from which you can view or update the
selected ticket.
Table 2-4 lists the preview pane tabs and their functions.
Table 2-4 Ticket preview pane tabs

Details: Displays the ticket details such as the ID, summary, category, status, priority, timestamp, creator, and helpdesk assignee.

Incidents: Displays the incidents that are associated with the ticket. To associate a new incident with a ticket, click the Add icon. To disassociate an incident from the ticket, select the incident and click the Remove icon. To view the incident details, click the Incident Details icon. To close the incident from the tickets view, select the incident and click the Close icon.

Tasks: Displays the user tasks that are assigned to each ticket. To add a new task to the ticket, click the Add icon. To remove a task from the ticket, select the task and click the Remove icon. To edit tasks, select the task and click the Edit icon. To add intelligence to the task, click the Intelligence icon.

Instructions: Displays the instructions that are associated with the ticket. To add or modify the instructions, edit the field and click Save. The instruction field accepts a maximum of 3000 characters. The Instructions tab also displays the Reset icon. You can also use the Add Intelligence to Instructions icon.

Log: Displays the ticket history, which contains entries for ticket creation, ticket modifications, and ticket closure. To add log entries to record information and the activities that are related to the ticket, click the Add icon.
See About the Information Manager console on page 23.
About the Assets view
The Assets view lets you view and manage Information Manager assets. Use the Assets view to identify critical assets in your environment, and track the incidents and the tickets that are related to those assets.
Identify the network assets that have one or more of the following attributes:
Host critical information or services
Host confidential information
Have specific roles on the network, such as firewall or vulnerability scanning devices
Require high availability
Comply with regulatory policies
The correlation manager uses the asset information to identify and prioritize
incidents. The correlation manager creates an incident when a threat exploits an
asset's vulnerabilities. The correlation manager sets the incident priority based
upon the confidentiality, integrity, and availability ratings that you assign to the
asset.
The correlation rules depend upon the asset information, so identifying key
network assets on the Assets view is a critical configuration step.
You can populate the list of assets in any of the following ways:
Manually add entries in the Assets view.
On the Incidents view, in the Targets tab for an incident, create assets based upon computers.
On the Events view, under System Queries > SSIM > SSIM System, create assets from the query results of the Source view query and Target view query.
On the Assets view, import a list of assets in XML or CSV format. For example, you can export a list of network computers from Microsoft Active Directory, convert the file to CSV format, and then import the file into Information Manager.
Create assets by integrating Information Manager with a policy compliance assessment tool, such as Symantec Control Compliance Suite or Symantec Enterprise Security Manager.
Create assets by integrating Information Manager with a network vulnerability scanner. Use the Asset Detector rule under Monitor > System Monitors on the Rules view to choose the vulnerability scan products that automatically populate the assets table.
If you run vulnerability scans periodically on your network, lock the asset information for particular computers. If you lock an asset, the vulnerability scan does not modify the list of the services that are hosted on the asset. A vulnerability scan always updates the asset vulnerabilities, regardless of the asset lock status.
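The CSV import and the asset lock behaviour described above, as an added example that is not part of the Symantec guide or the product: a constructed CSV asset list with confidentiality, integrity and availability ratings is imported, and constructed vulnerability-scan results are merged into it so that a locked asset keeps its service list while its vulnerability list is still refreshed. The CSV columns, the 1..3 rating scale, the scan record layout, the "highest rating wins" priority rule and the CVE identifiers are all assumptions made for the illustration; the product's import format and its actual priority weighting are not documented on this page.

```python
"""Added example (not from the Symantec guide): import a constructed CSV
asset list and merge vulnerability-scan results into it while honouring
the asset lock.  All formats, values and the priority rule are assumed."""
import csv
import io
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed CSV export (for example a cleaned-up directory listing).
# Columns and the 1..3 rating scale are assumptions; "locked" is the
# asset lock and services are ';'-separated.
ASSET_CSV = """\
ip,hostname,confidentiality,integrity,availability,locked,services
10.0.0.10,web01,2,2,1,true,http;https
10.0.0.11,db01,3,3,2,false,mysql
10.0.0.12,fw01,3,3,3,true,ssh
"""

# Constructed scan results, one record per host.  The CVE ids are
# placeholders, not real findings.
SCAN_RESULTS = [
    {"ip": "10.0.0.10", "services": ["http", "https", "ftp"], "cves": ["CVE-0000-0001"]},
    {"ip": "10.0.0.11", "services": ["mysql", "ssh"], "cves": ["CVE-0000-0002"]},
    {"ip": "10.0.0.99", "services": ["telnet"], "cves": []},  # not in the inventory
]


@dataclass
class Asset:
    ip: str
    hostname: str
    confidentiality: int
    integrity: int
    availability: int
    locked: bool
    services: List[str] = field(default_factory=list)
    vulnerabilities: List[str] = field(default_factory=list)


def import_assets(csv_text: str) -> Dict[str, Asset]:
    """Parse the CSV into assets keyed by IP, rejecting ratings outside 1..3."""
    assets: Dict[str, Asset] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        ratings = [int(row[c]) for c in ("confidentiality", "integrity", "availability")]
        if any(r not in (1, 2, 3) for r in ratings):
            raise ValueError(f"rating out of range for {row['ip']}")
        assets[row["ip"]] = Asset(
            ip=row["ip"], hostname=row["hostname"],
            confidentiality=ratings[0], integrity=ratings[1], availability=ratings[2],
            locked=row["locked"].strip().lower() == "true",
            services=sorted(s for s in row["services"].split(";") if s),
        )
    return assets


def asset_priority(asset: Asset) -> int:
    """Assumed illustrative rule: the highest of the three ratings.  The
    product derives incident priority from these ratings, but its formula
    is not stated on this page."""
    return max(asset.confidentiality, asset.integrity, asset.availability)


def apply_scan(assets: Dict[str, Asset], results: List[dict]) -> List[str]:
    """Merge scan results into the inventory; return IPs whose service list changed.
    A locked asset keeps its services but still gets its vulnerabilities
    refreshed.  Hosts that are not in the inventory are ignored here; the
    product would create them through the Asset Detector rule instead."""
    changed: List[str] = []
    for rec in results:
        asset = assets.get(rec["ip"])
        if asset is None:
            continue
        asset.vulnerabilities = sorted(set(rec["cves"]))   # always updated
        scanned = sorted(rec["services"])
        if not asset.locked and asset.services != scanned:
            asset.services = scanned                        # only when unlocked
            changed.append(asset.ip)
    return changed


if __name__ == "__main__":
    inventory = import_assets(ASSET_CSV)
    print("services changed on:", apply_scan(inventory, SCAN_RESULTS))
    for a in inventory.values():
        print(a.hostname, "priority", asset_priority(a), "locked" if a.locked else "",
              a.services, a.vulnerabilities)
```

Note that a locked asset whose scanner-observed services differ from the inventory (web01 above, where the scan sees ftp) is silently left as recorded; if you rely on locks, review such discrepancies separately rather than assuming the inventory reflects what is actually listening.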
You can filter the view of the assets in your environment using the filtering options or asset groups.
Search for an asset from each of the views by entering the IP address or host name in the Search Asset field, and then clicking the Search icon.
Double-clicking an asset in the asset list opens the Asset Details dialog box. To update the asset, modify the asset fields and then click the Save icon. You can update multiple assets simultaneously by opening the Asset Editor dialog box for each asset to modify.
Table 2-5 lists the Assets view tabs and their functions.
Table 2-5 Assets view tabs

Details: Displays the network identification, description, priority, organization, operating system, and lock information for the selected asset.

Policies: Displays any policy that is applied to the selected asset. You can add policies to an asset from a customizable list of regulatory policies. To customize the list of available policies, select the Administration tab on the System view. You can also delete policies from the asset.

Services: Displays the network services that the selected computer hosts. You can add services to an asset from a customizable list of well-known services. To customize the list of services, select the Administration tab on the System view. You can also delete services from the asset.

Incidents: Lists any incidents that pertain to the selected asset. Using the incident list is a convenient way to monitor the security activity that is related to an asset.

Tickets: Lists any tickets that pertain to the selected asset. The ticket list is a convenient way to monitor the work-order activity that is related to an asset.

Vulnerabilities: Displays the discovery date, CVE ID, BugTraq ID, and description of any vulnerability that is discovered on the asset. The vulnerability information is tracked when the assets are imported from a vulnerability scanner.
See About the Information Manager console on page 23.
About the Reports view
The Reports view lets you create and manage Information Manager reports.
To create a report, you insert one or more queries into a report template. You can also add graphic elements and text, including a header and footer. Reports can span multiple views, or you can subdivide a single view and insert multiple queries on that view.
You can distribute a report immediately, or you can schedule it to be generated at a specific time and then distributed automatically. You can also export and import reports in RML format.
The Reports toolbar contains icons for report management tasks. The tasks
available to you depend upon the roles to which you have been assigned, and may
include one or more of the following:
Refresh the Explorer pane.
Create a folder.
Create a report.
Save a report.
Remove the selected report or folder.
Import a report from an RML format file.
Export the selected report to an RML format file.
Adjust the view settings for a report, including the view size and orientation.
Publish the selected report by placing the report in the PublishedReports
folder.
The Reports view has the following panes:
Explorer: The Explorer pane lets you manage the My Reports folder and the Published Reports folder, as well as any new folders that you create. When you create a report in the My Reports folder, it is only available to the user who created it. When you create a report in the Published Reports folder, it is available to all of the users who have the applicable permissions for the contents of the report. To publish a report, drag it from your private folder to the Published Reports folder. When you publish a report by dragging it into the Published Reports folder, the two reports are not linked. In addition to creating, publishing, and deleting reports, you can create and delete report folders. You can also import reports, export reports, and move reports from one folder to another.
Properties: The Properties pane lets you view and edit the selected report's property values, such as the background color or line thickness.
Report: The Report pane provides the tabs that let you design, preview, and distribute the selected report.
Table 2-6 describes the tabs that appear in the right pane when you create a new
report or select an existing report from the list in the left pane.
Table 2-6 Report pane tabs

Design: Lets you specify and format the contents of your report. You can include multiple data queries, images, annotation text, and grids in your report. The queries that are available to you depend upon the roles to which you are assigned. For example, you may have access to queries that pertain to firewall and VPN data, but may not have access to queries on antivirus data.

Preview: Displays a preview of the report. You can also save or print the report from the Preview tab. You can also drill down on the following query types by clicking on the reports that are displayed:
    Top N by Field
    Trending for Top N by Field
    Summary Data Queries
See Performing a drill-down on reports on page 339.

Distribute: Lets you schedule the report and specify report recipients. You can compose an email report notification message, attach the report as a PDF and RTF, or include a URL link to the report.
Note: When the recipient clicks on the URL link, the report can be accessed directly if the user has already logged on to the Web configuration interface using the host name of Information Manager. However, if the user has logged on using the IP address of Information Manager, then the user is prompted for authentication to access the report.
You can also test the report distribution configuration with the Test option. The reports are immediately distributed after you perform the testing. To schedule a report for distribution, you must first publish the report by placing it in the Published Reports folder.
Note: The Distribute option is available only for the Published Reports.
See About the Information Manager console on page 23.
About the Rules view
The Rules view lets you create, test, and manage the rules that Information Manager uses to filter known false positives and declare security incidents. Default rules provide a starting point for determining the most common kinds of security incidents, including denial-of-service attacks and blended threats. The default filtering rules provide a set of common filters that can also be used to create customized filters. You can enable, disable, and fine-tune the default rules and filters based on the needs of your organization and the security products that are running.
The Rules view also includes folders for monitors and lookup tables. Monitoring rules are used to detect unexpected security-related changes to systems or periods of inactivity from the systems that are monitored. The lookup tables provide a set of tables that can be configured to list known malicious IP addresses, sensitive files, sensitive URLs, services, Trojan horses, and Windows events that can be used to fine-tune rules and filters. For example, if you have detected a set of IP addresses that routinely attempt to maliciously infiltrate your network, you can add these IP addresses to an IPaddr