Symantec Security Information Manager 4.7.4 …vox.veritas.com › legacyfs › online ›...

Symantec Security Information Manager 4.7.4 Administrator Guide





Symantec™ Security Information Manager 4.7.4 Administrator Guide

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version: 4.7.4

Legal Notice

Copyright © 2011 Symantec Corporation. All rights reserved.

Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.


Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

http://www.symantec.com

Printed in the United States of America.

10 9 8 7 6 5 4 3 2 1


Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec’s support offerings include the following:

■ A range of support options that give you the flexibility to select the right amount of service for any size organization

■ Telephone and/or Web-based support that provides rapid response and up-to-the-minute information

■ Upgrade assurance that delivers software upgrades

■ Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis

■ Premium service offerings that include Account Management Services

For information about Symantec’s support offerings, you can visit our Web site at the following URL:

www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Contacting Technical Support

Customers with a current support agreement may access Technical Support information at the following URL:

www.symantec.com/business/support/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:

■ Product release level


■ Hardware information

■ Available memory, disk space, and NIC information

■ Operating system

■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description:

  ■ Error messages and log files

  ■ Troubleshooting that was performed before contacting Symantec

  ■ Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

www.symantec.com/business/support/

Customer service

Customer service information is available at the following URL:

www.symantec.com/business/support/

Customer Service is available to assist with non-technical questions, such as the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates, such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information about product updates and upgrades

■ Information about upgrade assurance and support contracts

■ Information about the Symantec Buying Programs

■ Advice about Symantec's technical support options

■ Nontechnical presales questions

■ Issues that are related to CD-ROMs, DVDs, or manuals


Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:

Asia-Pacific and Japan: [email protected]

Europe, Middle-East, and Africa: [email protected]

North America and Latin America: [email protected]


Contents

Technical Support ... 4

Section 1  Introducing the Information Manager ... 17

  Chapter 1  Overview ... 19
    About Symantec Security Information Manager ... 19
    What's new in this release ... 20
      New features ... 21
    Features of Information Manager ... 22
    About estimating system performance ... 27

  Chapter 2  Understanding the Information Manager components ... 29
    About workflow in Information Manager ... 29
    About Information Manager components ... 30
      About security products and devices ... 31
      About event collectors ... 31
      About the Symantec Global Intelligence Network ... 32
      About the Information Manager Web service ... 32
      About Information Manager servers ... 32

Section 2  Managing roles, permissions, users, and organizational units ... 35

  Chapter 3  Managing roles and permissions ... 37
    About managing roles ... 37
      About planning for role creation ... 38
      About the administrator roles ... 39
      Creating a role ... 40
      Editing role properties ... 48
      Deleting a role ... 55
    About working with permissions ... 55
      About permissions ... 56


      About the propagation of permissions ... 57
      Modifying permissions from the Permissions dialog box ... 58

  Chapter 4  Managing users and user groups ... 61
    About users and passwords ... 61
    Creating a new user ... 63
    Creating a user group ... 65
    About editing user properties ... 66
      Changing a user’s password ... 66
      Specifying user business and contact information ... 67
      Managing role assignments and properties ... 68
      Managing user group assignments ... 69
      Specifying notification information ... 70
    About modifying user permissions ... 72
    Modifying a user group ... 73
    Deleting a user or a user group ... 74
    Customizing the password policy ... 74

  Chapter 5  Managing organizational units and computers ... 77
    About organizational units ... 77
    About managing organizational units ... 77
      Creating a new organizational unit ... 78
      About determining the length of the organizational unit name ... 79
      Editing organizational unit properties ... 80
      Deleting an organizational unit ... 80
    About managing computers within organizational units ... 81
      Creating computers within organizational units ... 82
      About editing computer properties ... 83
      Distributing configurations to computers in an organizational unit ... 92
      Moving a computer to a different organizational unit ... 93
      About modifying computer permissions ... 94
      Deleting a computer from an organizational unit ... 94
      About the Visualizer ... 95

  Chapter 6  Configuring a service provider ... 101
    About using Information Manager in a service provider context ... 101
      About the service provider environment from the client perspective ... 103


      About the service provider environment from the provider perspective ... 104
      About customizing the Incidents view in a Service Provider Master console ... 104
    About responding to a client incident ... 105
      Creating Information Manager tickets in a Service Provider Master context ... 105
      Exporting incident information from the Client Incident viewer ... 107
    About setting up a Service Provider environment ... 107
      Configuring an instance of Information Manager as a Service Provider client ... 107
      Configuring an Information Manager server as a Service Provider Master ... 108
      Configuring service provider client management accounts ... 109
      Synchronizing the Service Provider Master with client incidents ... 110
    Disconnecting a client from a Service Provider Master ... 110

Section 3  Planning for security management ... 113

  Chapter 7  Managing the correlation environment ... 115
    About the Correlation Manager ... 115
    About the Correlation Manager knowledge base ... 116
    About the default rules set ... 116

  Chapter 8  Defining rules strategy ... 121
    About creating the right rule set for your business ... 121
    About defining a rules strategy ... 123
    About correlation rules ... 123
    About rule conditions ... 124
      About rule types ... 125
      About event criteria ... 129
    About the Event Count, Span, and Table Size rule settings ... 132
    About the Tracking Key and Conclusion Creation fields ... 132
    About the Correlate By and Resource fields ... 134
    Importing existing rules ... 135
    Creating custom correlation rules ... 136
      About automatically assigning incidents ... 140
      Assigning incidents automatically to the least busy member in a user group ... 141


      Creating a multicondition rule ... 141
      Creating a correlation rule based on the X not followed by Y rule type ... 145
      Creating a correlation rule based on the X not followed by X rule type ... 147
      Creating a correlation rule for the Y not preceded by X rule type ... 149
      Creating a correlation rule for the Lookup Table Update ... 150
    Enabling and disabling rules ... 152
    Working with the Lookup Tables window ... 152
      Creating a user-defined Lookup Table ... 157
      Importing Lookup Tables and records ... 159

Section 4  Understanding event collectors ... 161

  Chapter 9  Introducing event collectors ... 163
    About Event Collectors and Information Manager ... 163
    Components of collectors ... 164

  Chapter 10  Installing event collectors ... 165
    Before you install collectors ... 165
      Requirements for point products and the collectors ... 165
      Updating the hosts file ... 166
    About installation and configuration tasks for collectors ... 167
    Registering Collectors ... 170
    Installing the Symantec Event Agent ... 170
      Preinstallation requirements ... 171
      About installing the Event Agent ... 171
      Installing the Event Agent on Windows ... 172
      Installing the Event Agent on Solaris ... 173
      Installing the Event Agent on Linux ... 175
      About uninstalling the Event Agent ... 176
      About uninstalling the Event Agent on Windows ... 176
      About uninstalling the Event Agent on Linux and Solaris ... 176
      Event Agent Management with agentmgmt.bat utility ... 176
      Verifying Symantec Event Agent installation ... 178
      Verifying Symantec Event Agent operation ... 179
    Installing the collector on a remote computer ... 181
    Installing collectors on an Information Manager server ... 182
      Verifying collector installation ... 182
      Verifying collector configuration ... 184


    About Symantec Universal Collectors ... 186
    Downloading and installing the Symantec Universal Collectors ... 186

  Chapter 11  Configuring point products and collectors ... 189
    About configuring a point product to work with a collector ... 189
    Creating and configuring sensors ... 190
    Creating a new sensor configuration ... 191
    Configuring the collector sensor to receive security events ... 192
    Adding, renaming, deleting, and disabling sensors ... 193
    Importing and exporting sensor properties ... 193
    Updating sensor properties globally ... 194
    Configuring collector raw event logging ... 195

  Chapter 12  Configuring collectors for event filtering and aggregation ... 197
    Configuring event filtering ... 197
    Configuring event aggregation ... 200

Section 5  Working with events and event archives ... 205

  Chapter 13  Managing event archives ... 207
    About events, conclusions, and incidents ... 207
    About the Events view ... 208
    About the event lifecycle ... 208
    About event archives ... 210
    About multiple event archives ... 210
    Creating new event archives ... 211
    Restoring event archives ... 212
    Specifying event archive settings ... 213
    Creating a local copy of event archives on a network computer ... 215
    Viewing event data in the archives ... 216
      About the event archive viewer right pane ... 217
      Manipulating the event data histogram ... 217
      Setting a custom date and time range ... 218
      About viewing event details ... 218
      Modifying the format of the event details table ... 219
      Searching within event query results ... 221
      Filtering event data ... 221
    About working with event queries ... 225


Using the Source View query and Target View query .... . . . . . . . . . . . . . . . 226Creating query groups .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227Creating custom queries ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227Querying across multiple archives ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233Managing the color scheme that is used in query results ... . . . . . . . . . . . 234Editing queries ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234Importing queries ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236Exporting queries ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236Publishing queries ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237About querying for IP addresses ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237Deleting queries ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238Scheduling queries that can be distributed as reports ... . . . . . . . . . . . . . . . 238

Chapter 14 Forwarding events to an Information Managerserver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

About forwarding events to an Information Manager server ... . . . . . . . . . . . . 241About registering a security directory .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243Registering the Information Manager with a security domain .... . . . . . . . . . 244Activating event forwarding .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245Stopping event forwarding .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248

Chapter 15 Understanding event normalization ..... 249

About event normalization ..... 249
About normalization (.norm) files ..... 251

Chapter 16 About Effects, Mechanisms, and Resources ..... 253

About Effects, Mechanisms, and Resources (EMR) ..... 253
About Effects values ..... 254
About Mechanisms values ..... 255
About Resources values ..... 258
EMR examples ..... 261

Chapter 17 Collector-based event filtering and aggregation ..... 263

About collector-based event filtering and aggregation ..... 263
About identifying common events for collector-based filtering or aggregation ..... 265
About preparing to create collector-based rules ..... 266
Accessing event data in the Information Manager console ..... 268


Creating collector-based filtering and aggregation specifications ..... 269

Examples of collector-based filtering and aggregation rules ..... 271
Filtering events generated by specific internal networks ..... 271
Filtering common firewall events ..... 272
Filtering common Symantec AntiVirus events ..... 275
Filtering or aggregating vulnerability assessment events ..... 276
Filtering Windows Event Log events ..... 277

Chapter 18 Working with the Assets table ..... 281

About the Assets table ..... 281
About how event correlation uses Assets table entries ..... 282
About CIA values in the Assets table ..... 283
Importing assets into the Assets table ..... 284
Searching, filtering, and sorting assets ..... 284
Visual identification of the IP addresses also on the IP Watchlist ..... 286
About vulnerability information in the Assets table ..... 286

About using a vulnerability scanner to populate Assets table ..... 287

About locked and unlocked assets in the Assets table ..... 288
Using the Assets table to help reduce false positives ..... 288

About filtering events based on the operating system ..... 289
About using CIA values to identify critical events ..... 289
About using Severity to identify events related to critical assets ..... 290
About using the Services tab ..... 290
About associating policies with assets to reduce false positives or escalate events to incidents ..... 291

Section 6 Configuring the Information Manager ..... 293

Chapter 19 Configuring the Console ..... 295

About configuring Information Manager ..... 295
Identifying critical systems ..... 296
Adding a policy ..... 297
Specifying networks ..... 298


Chapter 20 Configuring general settings in the Web configuration interface ..... 301

About the Settings view ..... 302
Editing the Hosts file ..... 304
Changing the network settings ..... 305
Changing date and time settings ..... 307
Changing a Network Time Protocol Server ..... 308
About the Password view ..... 309
Changing the password for Linux accounts ..... 309
Changing the password for symcmgmt Linux account ..... 310
About the Global Intelligence Network configuration view ..... 311
About running LiveUpdate ..... 312
Running LiveUpdate from the Information Manager Web configuration interface ..... 313
About integrating Active Directory with the Information Manager server ..... 313
Managing Active Directory configurations ..... 314
Adding the CA root certificate ..... 316
Shutting down the Information Manager server ..... 317
Restarting the Information Manager server ..... 317
About using the multipath feature for storage options ..... 318
About External Storage ..... 318
Creating NAS Configuration ..... 319
Deleting NAS configuration ..... 320
Connecting Information Manager to a SAN ..... 320
Connecting Information Manager to a DAS ..... 322
Configuring Information Manager with DAS/SAN Storage ..... 322
Extending the storage capacity of an existing DAS/SAN configuration ..... 323
Unmounting the DAS/SAN configuration ..... 324
Restoring a DAS/SAN configuration ..... 324
Deleting a DAS/SAN configuration ..... 325

Chapter 21 Managing Global Intelligence Network content ..... 327

About managing Global Intelligence Network content ..... 327
Registering a Global Intelligence Network license ..... 328
Viewing the status of Global Intelligence Network content ..... 328
Receiving Global Intelligence Network content updates ..... 329


Chapter 22 Working with Information Manager configurations ..... 333

About agent configurations ..... 333
About Agent Connection Configurations ..... 339
Configuring Agent to Manager failover ..... 340
About the Information Manager configurations ..... 342
About the Manager components configurations ..... 342
Setting up blacklisting for logon failures ..... 344
Modifying administrative settings ..... 344
About Manager configurations ..... 345
Increasing the minimum free disk space requirement in high logging volume situations ..... 347
About Manager connection configurations ..... 347
About configuring Information Manager directories ..... 348
About configuring LiveUpdate ..... 348
About Java LiveUpdate ..... 348
Creating Java LiveUpdate configurations ..... 349
Scheduling LiveUpdate requests ..... 350
Modifying Java LiveUpdate configurations ..... 351
Editing Java LiveUpdate configuration properties ..... 357
Distributing a Java LiveUpdate configuration ..... 358

Section 7 Managing application data ..... 359

Chapter 23 Maintaining the Information Manager database ..... 361

About database maintenance ..... 361
Checking database status ..... 361
About the database health monitor service ..... 362
About purging event summary, alerts, and incident data ..... 363
Adjusting parameters for automated purges ..... 364
Setting the safe level and the alarm level for automated purges ..... 365

Chapter 24 Managing data backup, restore, and purge ..... 367

About backup, restore, and purge ..... 367
Performing a complete LDAP directory server backup ..... 368
Performing a complete LDAP directory server restore ..... 369
Performing a complete database backup ..... 370
Performing a complete database restore ..... 370


Performing a selective backup ..... 371
Performing a selective restore ..... 373
Scheduling a backup ..... 374
Editing a scheduled backup ..... 376
Deleting a scheduled backup ..... 376
Purging incident or event summary data ..... 376
Purging selective backup files ..... 378

Section 8 Appendix ..... 379

Appendix A Firewall Settings for the Information Manager ..... 381

Firewall settings ..... 381

Index ..... 387


Section 1 Introducing the Information Manager

■ Chapter 1. Overview

■ Chapter 2. Understanding the Information Manager components


Chapter 1 Overview

This chapter includes the following topics:

■ About Symantec Security Information Manager

■ What's new in this release

■ Features of Information Manager

■ About estimating system performance

About Symantec Security Information Manager

Information Manager provides real-time event correlation and data archiving to protect against security threats and to preserve critical security data. Information Manager collects and archives security events from across the enterprise. These events are correlated with the known asset vulnerabilities and current security information from the Global Intelligence Network. The resulting information provides the basis for real-time threat analysis and security incident identification. Information Manager archives the security data for forensic and regulatory compliance purposes.

Information Manager collects, analyzes, and archives information from security devices, critical applications, and services, such as the following:

■ Firewalls

■ Routers, switches, and VPNs

■ Enterprise antivirus

■ Intrusion detection systems and Intrusion Prevention Systems

■ Vulnerability scanners

■ Authentication servers


■ Windows and UNIX system logs

Information Manager provides the following features to help you recognize and respond to threats in your enterprise:

■ Normalization and correlation of events from multiple vendors.

■ Event archives to retain events in both their original (raw) and normalized formats.

■ Distributed event filtering and aggregation to ensure that only relevant security events are correlated.

■ Real-time security intelligence updates from Global Intelligence Network. These updates keep you apprised of global threats and let you correlate internal security activity with external threats.

■ Customizable event correlation rules to let you fine-tune threat recognition and incident creation for your environment.

■ Security incident creation, ticketing, tracking, and remediation for quick response to security threats. Information Manager prioritizes incidents based upon the security policies that are associated with the affected assets.

■ An Event Viewer that lets you easily mine large amounts of event data and identify the computers and users that are associated with each event.

■ A client-based console from which you can view all security incidents and drill down to the related event details. These details include affected targets, associated vulnerabilities, and recommended corrective actions.

■ Predefined and customizable queries to help you demonstrate compliance with the security and the data retention policies in your enterprise.

■ A Web-based configuration interface that lets you view and customize the dashboard, configure settings, and manage events, incidents, and tickets remotely. You can download various utilities and perform routine maintenance tasks such as backup and restore. You can use the custom logs feature with the universal collectors to collect and map information from devices for which standard collectors are not available.

See “Features of Information Manager” on page 22.

What's new in this release

Information Manager 4.7.4 contains enhanced features. It also includes fixes for the known issues that existed in the previous versions.

See “New features” on page 21.


New features

Information Manager 4.7.4 includes the following new features in addition to fixes for known issues:

Symantec SIEM 9700 Series appliances

SSIM Web Start Client

Role-based access to the Event Query Templates

Navigation option for Event Storage Rules list

Symantec SIEM 9700 Series appliances

Symantec SIEM 9700 Series appliances are scalable security information and event management appliances. These appliances provide reliable performance with Information Manager software. The SIEM 9700 Series comprises three models: the 9750, the 9751, and the 9752. Each model provides 3.9TB of redundant event storage and dedicated Remote Management Module features to allow remote management of the appliance. In addition, the 9751 and 9752 provide enterprise connectivity through 8GB Fibre Channel. Each physical appliance can be combined seamlessly with virtual appliances to ease interoperability.

For more information, see the following guides:

■ Symantec SIEM 9700 Series Appliances Maintenance Guide

■ Symantec SIEM 9700 Series Appliances Installation Guide

■ Symantec SIEM 9700 Series Appliances Product Description Guide

■ Symantec SIEM 9700 Series Appliances Hardware Troubleshooting Guide

■ Symantec SIEM 9700 Series Appliances Safety Guide

See “New features” on page 21.

SSIM Web Start Client

By using SSIM Web Start Client, you can now reach the Information Manager console directly without downloading and installing the Information Manager console.

The Launch SSIM Web Start Client link, which is located on the logon page of the Information Manager Web configuration interface, launches the Information Manager console. You can also access this link from the Downloads option on the Home view of the Web configuration interface.

See “New features” on page 21.


Role-based access to the Event Query Templates

In Information Manager, an administrator can restrict the access of a user to Event Query Templates. Access to Event Query Templates can be controlled based on the View Event Query Templates permission that is granted to a role. By default, this permission is enabled for new roles.

If the View Event Query Templates permission is disabled for a role, the user who is assigned this role cannot access the Templates folder on the Events view. If the View Event Query Templates permission is enabled for a role, the user who is assigned this role can access and run the Event Query Templates.

See “Enabling access to the Event Query Templates” on page 46.

See “New features” on page 21.

Navigation option for Event Storage Rules list

A Move to top option and a Move to bottom option are now available in the Event Storage rules list. These options can be used to move a rule directly to the top or to the bottom of the list.

See “New features” on page 21.

Features of Information Manager

Symantec Security Information Manager 4.7 offers several new features over previous versions of Information Manager.

You can find the following new features in the 4.7 release of the Information Manager:

■ Information Manager is now hardware independent. You can now install the Information Manager software on the hardware of your choice subject to the minimum requirements.

■ To identify the critical incidents and threats in your environment, the Information Manager lets you drill down into the reports and dashboards. Using the drill-down feature (available only on the console of the client), you can view the resources that are associated with an incident. This feature provides insights into the parts of the organization that the incident affects and the background information regarding the resources that are implicated. The drill-down feature helps simplify organizing, searching, and prioritizing specific assets or sets of assets, to assist in monitoring identity and access activities. The drill-down feature is supported on the following types of queries in the reports and dashboards:


■ Top N by field

■ Trending for Top N by field

■ Summary data queries

■ The Information Manager now ships with version 4.7.1 of the Symantec Event Agent.

■ Active Directory Integration
This feature allows the users of the Active Directory to access the Information Manager. This feature lets you configure the Information Manager server to use the Active Directory to perform user authentication.

■ Report Templates
The Information Manager has report content ready for regulatory compliance standards. These reports can automate the collection and analysis of log data. Therefore, businesses can provide the accountability and the transparency that is required to comply with stringent mandates and regulations. Report Templates are available for the following categories:

■ HIPAA

■ NERC

■ SOX

■ FISMA

■ UK-DPA

■ PCI-DSS

■ ISO 27001

■ GLBA

■ MISC

■ Custom Log Management
Using the Custom Log Management feature, you can now gather and correlate log data for applications universally for which collectors are not available. The Custom Log Management feature lets you collect logs from an application that the Information Manager does not support. You can analyze the received log data and adjust the fields where necessary so that the Information Manager can interpret the data. This feature helps in interpreting the log data that is collected from the application that the Information Manager does not support. The Information Manager provides Universal Collectors that you can use to collect the logs of applications that the Information Manager does not support. You can install the Universal Collectors on the computers on which Symantec Event Agent is installed. From the Custom Logs view on the Web configuration interface, you can map the application log data. Universal collectors collect this data to the fields that are defined in the Events view in the Information Manager.

■ Advanced Event Correlation
The Advanced Event Correlation feature now lets you define and use a combination of multiple rules to correlate events. The Advanced Event Correlation feature enables you to define multiple conditions in a rule. Multi-conditioning lets you define the rules that support up to five user activities in a sequence. You can create a conclusion when a sequence of a specified pattern is detected for one combination of one-to-many fields within a specified time period. Multi-conditioning provides flexibility and extensibility of the correlation rules. This flexibility significantly extends the ability of Information Manager to detect attacks and to identify the threats.

■ Event definition with negatives is possible in the Information Manager server. You now have the ability to generate incidents based on negative occurrences. This means that the Information Manager can generate incidents based on expected events not occurring. Information Manager supports the definition of a rule that creates a conclusion when two user activities occur after one another that can be harmful. In addition to this type of rule definition, Information Manager also supports the definition of rules when a certain user activity does not occur after a valid user activity. The ability of Information Manager to generate events based on negative occurrences extends the possibility of threat detection. The Information Manager server supports the following rule types:

■ Lookup Table Update

■ Many Sources, One Target

■ Many Symantec Signatures, One Source

■ Many Symantec Signatures, One Target

■ Many Targets, One Event

■ Many Targets, One Source

■ Many to One

■ Multi-condition

■ Single Event

■ Symmetric Traffic

■ Transitive Traffic


■ X not followed by X

■ X not followed by Y

■ Y not preceded by X

■ Trending Queries

The Information Manager lets you create a new query based on trends. The Trending Queries feature gives you a breakdown of trend data for the Top N Events by Category (such as Product or Organizational Unit) over a selected time frame. For example, you can view the Top Five Event Counts by Product over the last week. The results of a trending query can be displayed as a table or as line, bar, stacked, or multiple pie graphs.

You can query trends over the following time slices:

Last 5 minutes: trend for the last five minutes, plotted for each minute.

Last 10 minutes: trend for the last 10 minutes, plotted for each minute.

Last 15 minutes: trend for the last 15 minutes, plotted for each minute.

Last 30 minutes: trend for the last 30 minutes, plotted for each minute.

Last 45 minutes: trend for the last 45 minutes, plotted for each minute.

Last hour: trend for the last hour, plotted for each minute.

Last 8 hours: trend for the last eight hours, plotted for each hour.

Last 12 hours: trend for the last 12 hours, plotted for each hour.

Last 24 hours: trend for the last 24 hours, plotted for each hour.

Last 48 hours: trend for the last 48 hours, plotted for each hour.

Last 7 days: trend for the last seven days, plotted for each day.

Last 14 days: trend for the last 14 days, plotted for each day.

Last 30 days: trend for the last 30 days, plotted for each day.

Today: trend for the present day, plotted for every hour.

Yesterday: trend for the day before today, plotted for every hour.

This week: trend for this week, plotted for each day of the week.

Last Week: trend for the last week, plotted for each day of the week.

This Month: trend for this month, plotted for each week of the month.

This Month (Daily Trend): trend for this month, plotted for each day of the month.

Last Month: trend for the last month, plotted for each week of the month.

Last Month (Daily Trend): trend for the last month, plotted for each day of the month.

This Quarter: trend for this quarter, plotted for each month of the quarter.

This Quarter (Weekly Trend): trend for this quarter, plotted for each week of the quarter.

Last Quarter: trend for the last quarter, plotted for each month of the quarter.

Last Quarter (Weekly Trend): trend for the last quarter, plotted for each week of the quarter.

This Year: trend for this year, plotted for each month of the year.

Last Year: trend for the last year, plotted for each month of the year.
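The bucketing behind a trending query (window, bucket width, Top N by category, one series per category), as an added Python example that is not code from the guide or the product. The event records, the `product` category and the `NOW` timestamp are constructed; only the relative slices plus Today and Yesterday are implemented, since the week, month, quarter and year slices need calendar-boundary handling that is omitted here.

```python
"""Trending-query bucketing: Top-N event counts by category over a time slice.

Added illustration, not product code. Events, the `product` category and NOW
are constructed; the slice catalogue mirrors the guide's relative slices.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Relative slices from the guide: (window length, bucket width).
RELATIVE_SLICES = {
    "Last 5 minutes":  (timedelta(minutes=5),  timedelta(minutes=1)),
    "Last 10 minutes": (timedelta(minutes=10), timedelta(minutes=1)),
    "Last 15 minutes": (timedelta(minutes=15), timedelta(minutes=1)),
    "Last 30 minutes": (timedelta(minutes=30), timedelta(minutes=1)),
    "Last 45 minutes": (timedelta(minutes=45), timedelta(minutes=1)),
    "Last hour":       (timedelta(hours=1),    timedelta(minutes=1)),
    "Last 8 hours":    (timedelta(hours=8),    timedelta(hours=1)),
    "Last 12 hours":   (timedelta(hours=12),   timedelta(hours=1)),
    "Last 24 hours":   (timedelta(hours=24),   timedelta(hours=1)),
    "Last 48 hours":   (timedelta(hours=48),   timedelta(hours=1)),
    "Last 7 days":     (timedelta(days=7),     timedelta(days=1)),
    "Last 14 days":    (timedelta(days=14),    timedelta(days=1)),
    "Last 30 days":    (timedelta(days=30),    timedelta(days=1)),
}


def floor_to(ts: datetime, step: timedelta) -> datetime:
    """Align ts down to a whole multiple of step, counted from the Unix epoch."""
    epoch = datetime(1970, 1, 1)
    whole = int((ts - epoch) / step)
    return epoch + whole * step


def resolve_window(time_slice: str, now: datetime):
    """Return (start, end, step). For relative slices the bucket containing
    `now` is the last bucket; Today/Yesterday are anchored to local midnight."""
    if time_slice in RELATIVE_SLICES:
        window, step = RELATIVE_SLICES[time_slice]
        end = floor_to(now, step) + step
        return end - window, end, step
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    if time_slice == "Today":
        return midnight, midnight + timedelta(days=1), timedelta(hours=1)
    if time_slice == "Yesterday":
        return midnight - timedelta(days=1), midnight, timedelta(hours=1)
    raise ValueError(f"unsupported time slice: {time_slice}")


def trending_query(events, category, time_slice, now, top_n=5):
    """Top-N values of `category` by total count inside the slice, plus a
    per-bucket count series for each of them. Returns (top, series, buckets)."""
    start, end, step = resolve_window(time_slice, now)
    n_buckets = int((end - start) / step)
    totals = Counter()
    series = defaultdict(lambda: [0] * n_buckets)
    for ev in events:
        t = ev["time"]
        if not (start <= t < end):
            continue                      # outside the slice: not counted
        value = ev[category]
        idx = int((t - start) / step)     # which bucket the event lands in
        totals[value] += 1
        series[value][idx] += 1
    top = [v for v, _ in totals.most_common(top_n)]
    buckets = [start + i * step for i in range(n_buckets)]
    return top, {v: series[v] for v in top}, buckets


# Constructed sample data: a handful of events shortly after noon.
NOW = datetime(2011, 6, 1, 12, 4, 30)


def _ev(product, hour, minute, second):
    return {"time": datetime(2011, 6, 1, hour, minute, second), "product": product}


SAMPLE_EVENTS = [
    _ev("Firewall", 12, 0, 10), _ev("Firewall", 12, 0, 40), _ev("Firewall", 12, 3, 5),
    _ev("IDS", 12, 1, 0), _ev("IDS", 12, 4, 59),
    _ev("Antivirus", 12, 2, 30),
    _ev("Proxy", 11, 59, 59),   # one second before the 5-minute window starts
]

if __name__ == "__main__":
    top, series, buckets = trending_query(SAMPLE_EVENTS, "product", "Last 5 minutes", NOW, top_n=2)
    for value in top:
        print(value, series[value])
```

With the constructed events, "Last 5 minutes" at 12:04:30 covers the five one-minute buckets 12:00 to 12:04, so the Proxy event at 11:59:59 is excluded, while "Today" (hourly buckets) includes it in the 11:00 bucket.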

■ Information Manager lets you back up and restore data selectively. You can select the items for backup from the various components available for backup. From the list of backup files, you can select the components that need to be restored. You can select and restore only those data items that you require, instead of restoring all the data to an earlier state. You can also select and purge the backup files. Only those backup files that were selectively backed up can be purged.

About estimating system performance

To determine the performance of an Information Manager server or set of servers, consider your unique environment. Information Manager integrates with a wide range of event collectors, and by nature requires the customization of settings to match each environment. Hence, the physical performance depends greatly on the collectors and settings that you choose.

The observed events per second (EPS) rates under optimal circumstances are provided here and can be used for general planning purposes. You can create a rough estimate of system performance by using the information available in these tables. However, note that the system performance may vary widely from these figures depending on your specific environment. Your estimates need to be adjusted over time as your policies, settings, and storage requirements are refined.

Note: The performance figures are currently being updated. An addendum to the Symantec Security Information Manager 4.7.4 Administrator Guide will be available soon with the new performance figures.

See “About Symantec Security Information Manager” on page 19.


Chapter 2. Understanding the Information Manager components

This chapter includes the following topics:

■ About workflow in Information Manager

■ About Information Manager components

About workflow in Information Manager

The Symantec Security Information Manager workflow includes the following steps:

■ Event collectors gather events from Symantec and third-party point products.
See “About Event Collectors and Information Manager” on page 163.

■ Events are filtered and aggregated.
See “Configuring event filtering” on page 197.
See “Configuring event aggregation” on page 200.

■ Symantec Event Agent forwards both the raw and the processed events to the Information Manager server.
See “About forwarding events to an Information Manager server” on page 241.
See “Activating event forwarding” on page 245.

■ The Information Manager server stores the event data in event archives.
See “About event archives” on page 210.

■ The Information Manager server correlates the events with threat and asset information based on the various correlation rules.
See “About the Correlation Manager” on page 115.

■ Information Manager security events trigger a correlation rule and create a security incident.

About Information Manager components

Symantec Security Information Manager has the following components:

■ Security products and devices
See “About security products and devices” on page 31.

■ Event collectors
See “About event collectors” on page 31.

■ Information Manager servers
See “About Information Manager servers” on page 32.

■ Global Intelligence Network
See “About the Symantec Global Intelligence Network” on page 32.

■ Web service
See “About the Information Manager Web service” on page 32.

Figure 2-1 Components in an Information Manager setup


About security products and devices

The security products and devices in your enterprise can generate overwhelming amounts of security data. Many firewalls can generate over 500 GB of security data per day; intrusion detection systems can trigger over 250,000 alerting incidents per week. Most security products store event data in a proprietary format, accessible only by the tools that the security products provide. To secure your enterprise effectively, you need to collect, normalize, and analyze the data from all parts of your enterprise.

See “About Information Manager components” on page 30.

About event collectors

Event collectors gather security events from a variety of event sources, such as databases, log files, and syslog applications. Event collectors translate the event data into a standard format, and optionally filter and aggregate the events. The event collectors then send the events to Symantec Security Information Manager. You can configure event collectors to also send the event data in its original format.

You install event collectors either on the security product computer or at a locationwith access to the security product events. To facilitate installation and setup,event collectors for third-party firewalls are preinstalled on the InformationManager server. After the event collector is registered with Information Manager,you can configure event collector settings from the Information Manager console.The event collector settings include the event source specification and any eventfilter or aggregation rules.

Symantec provides event collectors for the following types of products:

■ Firewalls

■ Routers, switches, and VPNs

■ Intrusion detection and prevention systems

■ Vulnerability scanners

■ Web servers, filters, and proxies

■ Databases

■ Mail and groupware

■ Enterprise antivirus

■ Microsoft authentication services

■ Windows and UNIX system logs
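The collector behaviour described in this section (translate vendor formats into a standard schema, keep the original line, filter, aggregate) together with the workflow steps from the start of the chapter (archive, correlate, raise an incident), as one added Python example. It is not code from the guide or the product: the two log formats, the filter, the aggregation key and the correlation rule are all constructed for illustration, and the sample lines are made up.

```python
"""Collector-to-incident pipeline: normalize, filter, aggregate, correlate.

Added illustration, not product code. The log formats, the filter, the
aggregation key and the correlation rule are constructed assumptions.
"""
import re

# Constructed raw lines in two made-up vendor formats (a firewall and an IDS).
RAW_LINES = [
    'fw1 2011-06-01T12:00:01 DENY src=10.0.0.5 dst=192.168.1.10 dpt=22',
    'fw1 2011-06-01T12:00:02 DENY src=10.0.0.5 dst=192.168.1.10 dpt=22',
    'fw1 2011-06-01T12:00:03 DENY src=10.0.0.5 dst=192.168.1.10 dpt=22',
    'fw1 2011-06-01T12:00:04 ALLOW src=10.0.0.7 dst=192.168.1.20 dpt=443',
    'ids1 2011-06-01T12:00:05 ALERT sig="SSH brute force" src=10.0.0.5 dst=192.168.1.10',
    'fw1 2011-06-01T12:00:06 DENY src=10.0.0.9 dst=192.168.1.30 dpt=3389',
    'noise 2011-06-01T12:00:07 HEARTBEAT',
]

FW_RE = re.compile(r'^(?P<host>\S+) (?P<ts>\S+) (?P<action>DENY|ALLOW) '
                   r'src=(?P<src>\S+) dst=(?P<dst>\S+) dpt=(?P<dport>\d+)$')
IDS_RE = re.compile(r'^(?P<host>\S+) (?P<ts>\S+) ALERT sig="(?P<sig>[^"]+)" '
                    r'src=(?P<src>\S+) dst=(?P<dst>\S+)$')


def normalize(line):
    """Translate one vendor line into the common schema; None if unparseable.
    The original line is kept in `raw`, mirroring the option to forward raw events."""
    m = FW_RE.match(line)
    if m:
        return {"product": "firewall", "sensor": m["host"], "ts": m["ts"],
                "category": "network." + m["action"].lower(),
                "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]), "raw": line}
    m = IDS_RE.match(line)
    if m:
        return {"product": "ids", "sensor": m["host"], "ts": m["ts"],
                "category": "ids.alert", "signature": m["sig"],
                "src": m["src"], "dst": m["dst"], "dport": None, "raw": line}
    return None


def keep(ev):
    """Collector-side filter: drop permitted traffic, keep denies and alerts."""
    return ev["category"] != "network.allow"


def aggregate(events, key_fields=("product", "category", "src", "dst", "dport")):
    """Collapse events that agree on key_fields into one event carrying a count.
    The first event's timestamp and raw line are retained for the group."""
    groups = {}
    for ev in events:
        key = tuple(ev[f] for f in key_fields)
        if key in groups:
            groups[key]["count"] += 1
        else:
            groups[key] = dict(ev, count=1)
    return list(groups.values())


def correlate(events, deny_threshold=3):
    """One constructed rule: deny_threshold or more denies from a source to a
    host, plus an IDS alert for the same pair, becomes a security incident."""
    denies = {(e["src"], e["dst"]): e["count"]
              for e in events if e["category"] == "network.deny"}
    incidents = []
    for e in events:
        if e["category"] != "ids.alert":
            continue
        pair = (e["src"], e["dst"])
        if denies.get(pair, 0) >= deny_threshold:
            incidents.append({"rule": "deny-burst-with-ids-alert",
                              "src": e["src"], "dst": e["dst"],
                              "evidence": denies[pair] + e["count"]})
    return incidents


def run_pipeline(lines):
    """Run the four stages and return every intermediate result for inspection."""
    normalized = [ev for ev in map(normalize, lines) if ev is not None]
    filtered = [ev for ev in normalized if keep(ev)]
    aggregated = aggregate(filtered)
    incidents = correlate(aggregated)
    return {"normalized": normalized, "filtered": filtered,
            "aggregated": aggregated, "incidents": incidents}


if __name__ == "__main__":
    result = run_pipeline(RAW_LINES)
    for stage in ("normalized", "filtered", "aggregated"):
        print(stage, len(result[stage]))
    print("incidents", result["incidents"])
```

Note that aggregation happens before correlation, so the rule sees a single deny event with `count` 3 rather than three events; any rule that counts occurrences has to read the aggregated count, not the number of records.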


For access to the extensive library of event collectors, visit Symantec support atthe following Web site:

http://www.symantec.com/enterprise/support/

See “About Information Manager components” on page 30.

About the Symantec Global Intelligence Network

Information Manager has access to current vulnerability, attack pattern, and threat resolution information from the Threat and Vulnerability Management Service. The Symantec Global Intelligence Network powers the Threat and Vulnerability Management Service. The Symantec Global Intelligence Network is a comprehensive collection of vendor-neutral security data sources. The service is an authoritative source of information about known and emerging vulnerabilities, threats, risks, and global attack activity.

See “About Information Manager components” on page 30.

About the Information Manager Web service

The Web service of Symantec Security Information Manager lets you securely access and update the data that is stored on a server. You can use the Web service to publish event, asset, incident, ticket, and system setting information. You can also use the Web service to integrate Information Manager with help desk, inventory, or notification applications.

See “About Information Manager components” on page 30.

For more information on interfacing your application to use the Web service, seethe application documentation or your application vendor.

About Information Manager servers

Symantec Security Information Manager is hardware independent. You can install the Information Manager server on any approved hardware that meets the minimum system requirements.

You can deploy one or more Information Manager servers in various roles to satisfy the event gathering, archiving, and event correlation requirements for your enterprise. To account for traffic variation, a single Information Manager is only recommended for a security environment that generates up to 1,000 events per second (EPS) on average and that requires a maximum of 4 MB to 8 MB per day of event data storage. Validate the storage figure against your own event sizes before you plan on it: at 1,000 EPS a server receives roughly 86 million events per day, so the bytes per stored event in your environment decide whether one server is enough. To increase the overall event processing rate, you can add multiple load-sharing Information Managers to your deployment. You can configure each server for dedicated event collection, event archiving, or event correlation. In most cases, a combination of multiple servers that share the event and the incident processing load is preferred.

See “About Information Manager components” on page 30.


Section 2. Managing roles, permissions, users, and organizational units

■ Chapter 3. Managing roles and permissions

■ Chapter 4. Managing user and user groups

■ Chapter 5. Managing organizational units and computers

■ Chapter 6. Configuring a service provider


Chapter 3. Managing roles and permissions

This chapter includes the following topics:

■ About managing roles

■ About working with permissions

About managing roles

A role is a group of access rights for a product. Users who are members of a role have access to the event viewing and management capabilities that are defined for that role. A user can be a member of more than one role.

See “About planning for role creation” on page 38.

You create new roles in the Symantec Security Information Manager console.When you click Roles on the System view of the console, you can perform thefollowing tasks:

■ Create a role.
See “Creating a role” on page 40.

■ Edit role properties.
See “Editing role properties” on page 48.

■ Delete a role.
See “Deleting a role” on page 55.

Note: Only members of the SES Administrator role and the Domain Administrator role can add or modify roles.

See “About the administrator roles” on page 39.


About planning for role creation

Roles control user access; therefore, before you create roles you should plan carefully. You need to identify the tasks that are done in your security environment, and who performs them. The tasks determine the type of roles that you must create. The users who perform these tasks determine which users should be members of each role.

See “About managing roles” on page 37.

Consider the following issues:

■ Who allocates responsibilities within your security environment?

If these users need to create roles, they must be members of the DomainAdministrator role.

■ Who administers your security network by creating management objects suchas users and organizational units?

These users must be members of the roles that provide management accessand the ability to access the System view.

■ Which products are installed, and who is responsible for configuring them?

These users must be members of management roles for the products for whichthey are responsible. They may need access to the System view only.

■ Who is responsible for monitoring events and incidents?

These users must be members of event viewing roles for the products for whichthey are responsible. Users who monitor events must have access to the Eventsview. Users who monitor incidents must have access to the Events view andthe Incidents view.

■ Who responds to problems and threats?

These users must have access to the Events view and the Incidents view. Userswho create and manage help desk tickets must also have access to the Ticketsview.

Table 3-1 lists the common roles in a security environment and the responsibilities that belong to each role.

Table 3-1 Typical roles and responsibilities

Role name: Responsibilities

Domain Administrator: Defines the user roles and role authority.

System Administrator: Manages Information Manager. Verifies that events flow into the system and that the system functions normally.

User Administrator:
■ Creates the correlation rules and collection filters.
■ Performs the user and the device administration.

Information Manager: Views all incidents, events, reports, and actions.

Report Writer:
■ Views the incidents, events, and reports for assigned devices.
■ Reviews and validates incident response.
■ Provides the affirmation of incident review and response by administrators to GAO and others.

Report User: Views the events and reports for assigned devices.

Rule Editor: Creates, edits, and deploys rules.

About the administrator roles

When you install the Information Manager, the following default administrator roles are created:

SES Administrator: This role has full authority over all of the domains in the environment.

Domain Administrator: This role has full authority over one specific domain in the environment.

If you have only one domain, the rights of the SES Administrator role and theDomain Administrator role are the same. If you have multiple domains (for exampleone for each geographic region of your company), each domain has a DomainAdministrator. Members of this role can perform functions such as creating usersand additional roles within that domain. The SES Administrator role can performthese functions for all of the domains that you configure.

The default user, administrator, is also created when Information Manager isinstalled. The administrator is automatically a member of the SES Administratorand Domain Administrator roles. To access Information Manager for the firsttime, you must log on as this default user. The password for the administratoruser account is specified at the time of installation.

You can add users to the administrator roles, but you cannot change any othercharacteristics of these roles. If a user is a member of the SES Administrator role,that user should not be assigned to any other roles.


See “Editing role properties” on page 48.

Creating a role

You can create roles using the Role Wizard in the Information Manager console. Only a user who has either the Domain Administrator role or the SES Administrator role can create roles.

See “About planning for role creation” on page 38.

Note: If the Role members will have access to all archives option is selected, role members can access new archives automatically. If the Role members will have access to only the selected archives option is selected, role members cannot access new archives automatically.

To create a role

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain,and click Roles.

3 On the toolbar, click + (the plus icon).

4 In the first panel of the Role Wizard, click Next.

5 In the General panel, do the following, and click Next:

■ In the Role name text box, type a name for the role.

■ In the Description text box, type a description of the role (optional).

6 In the Products panel, do one of the following:

■ To give the role members access to all of the listed products, click Role members will have access to all products, and click Next.

■ To limit the role members' access to certain products, click Role members will have access to only the selected products and select the appropriate products. Then click Next. Symantec Security Information Manager is checked by default in the Product List.

7 In the SSIM Permissions panel, do one of the following:

■ To give role members all permissions that apply to Information Manager,click Enable all Permissions, and click Next.

■ To give role members a limited set of permissions, click Enable specificPermissions. From the permissions list, uncheck the permissions thatyou do not want to enable and click Next.


8 In the Console Access Rights panel, do one of the following:

■ To give role members the ability to see all parts of the Information Manager console, click Role members will have all console access rights, and click Next.

■ To limit what role members can see when they display the console, click Role members will have only the selected console access rights. From the list, enable at least one of the console access rights, and click Next.

See “Modifying Information Manager console access rights ” on page 47.

9 In the Organizational Units panel, do one of the following:

■ To give role members access to all organizational units, click Rolemembers will have access to all organizational units, and click Next.

■ To give role members access to specific organizational units, click Rolemembers will have access to only the selected organizational units. Inthe organizational unit tree, select at least one organizational unit toassociate with this role, and click Next.

When you select an organizational unit that has additional organizationalunits, users of the role are given access to those additional organizationalunits also.

If you add an organizational unit to a role, the following users can see theevents that are generated by the security products:

■ Users who are role members

■ Users who have event viewing access

These users can view only those events that are generated by the securityproducts that are installed on the computers of that organizational unit.

Role members can see events only from computers in the organizational unitsthat have been added to their roles.

10 In the Servers panel, do one of the following:

■ To give role members access to all of the Information Manager servers in your security environment, click Role members will have access to all servers, and click Next.

■ To limit role members' access to certain servers, click Role members will have access to only the selected servers. In the server tree, select at least one server to associate with this role, and click Next.

Members of the role can modify configurations on the selected servers. Therole members can also view event archives that reside on the selected servers.

11 In the Members panel, do one of the following:


■ To add individual users to the role now, click Add Members. In the Find Users dialog box, add one or more users from the Available Users list to the Selected Users list and click OK. In the Members panel, click Next.

■ To add the users who are members of a specific user group, click AddMembers From Groups. In the Find User Groups dialog box, add one ormore user groups, and click OK. The users that are associated with thegroups you selected are added to the Selected Users list. When you arefinished, click Next.

■ To continue without adding users to the role, click Next.

You can add users to the role later by editing the role’s properties.

See “Adding a user to a role” on page 43.

You can also associate a role with a user by editing the user’s properties.

You can assign users to a role only if you have already created those users.

See “Creating a new user” on page 63.

12 In the Role Summary panel, review the information that you have specified, and click Finish.

The role properties that are created are shown in the list at the bottom of thepanel. A green check mark next to a task indicates that it was successfullycompleted.

13 Click Close.

Editing role properties

After you create a role in Information Manager, you can modify it by editing its properties. For example, as you create new organizational units or users, you can add them to existing roles.

You can edit the properties of a role by selecting the role in the right pane. Youcan also edit the role properties from any dialog box that displays the role’sproperties.

To edit role properties

1 On the System view, in the left pane of the Administration tab, navigate tothe relevant domain, and click Roles.

2 In the right pane, right-click the role to edit, and select Properties.

3 Use the Editing Role Properties dialog box to make changes to the role.

4 To save changes and close the dialog box, click OK.

See “Adding a user to a role” on page 43.


See “Modifying Information Manager console access rights ” on page 47.

See “Modifying product access rights” on page 44.

See “Modifying server access rights” on page 48.

See “Modifying access permissions in roles” on page 49.

Adding a user to a role

When a user logs on to Information Manager, the user’s role membership determines the user's access to the various products and event data.

You can assign a user to a role in the following ways:

■ Assign each user individually to one or more roles.

■ Assign users to groups, and assign user groups to roles.

When you assign a user group to a role, all of the users who are currently in thegroup are assigned to that role. However, if you later add more users to the usergroup, those users are not automatically added to the role. You must assign eachuser to the role individually.

Note: Before you assign users and user groups to roles, you must create users anduser groups in the Directory.

See “Creating a new user” on page 63.

See “Creating a user group” on page 65.

To add a user to a role

1 On the System view, in the left pane of the Administration tab, navigate tothe relevant domain, and click Roles.

2 In the right pane, right-click the role to edit, and select Properties.

3 In the Editing Role Properties dialog box, in the left pane, click Members.

4 Click Add Members.

5 In the Find Users dialog box, in the list of available users, search for a userwithin a domain or a user group. You can also search for a user by enteringthe logon name, last name, or first name and then click Start Search. All ofthe users who meet the criteria you entered appear in the available users list.

Select a user name (or Ctrl + click multiple user names), and click Add.

The user name appears in the Selected users list.

6 To view or edit the properties of a user, click the user name, and clickProperties.


7 In the User Properties dialog box, view or make changes to the properties,and click OK.

8 In the Find Users dialog box, click OK.

9 In the Editing Role Properties dialog box, click OK.

To add a user group to a role

1 On the System view, in the left pane of the Administration tab, navigate tothe relevant domain, and click Roles.

2 In the right pane, right-click the role to edit, and select Properties.

3 In the Editing Role Properties dialog box, in the left pane, click Members.

4 Click Add Members From Groups.

5 In the Find User Groups dialog box, select the domain of the group from thedrop-down list.

6 In the list of available user groups, click a user group name (or Ctrl + clickmultiple user names), and click Add.

The user group name appears in the Selected user groups list.

7 To view or edit the properties of a user group, click the user group name, andclick Properties.

8 In the User Group Properties dialog box, view or make changes to theproperties, and click OK.

9 In the Find User Groups dialog box, click OK.

10 In the Editing Role Properties dialog box, click OK.

See “Editing role properties” on page 48.

Modifying product access rights

The Products property lets you select and modify the products to which role members have access.

To modify product access rights

1 On the System view, in the left pane of the Administration tab, navigate tothe relevant domain, and click Roles.

2 In the right pane, right-click the role to edit, and select Properties.

3 In the left pane, click Products.

4 Do one of the following:

■ To give the role members access to all of the listed products, click Rolemembers will have access to all products.


■ To limit the role members' access to specified products, click Role members will have access to only the selected products. Enable (check) or disable (uncheck) access to individual products in the list. Consider the tasks that role members perform as you select products from the list. Modifying access permissions in roles describes the access requirements of typical enterprise security roles.

5 Click OK.

See “Editing role properties” on page 48.

Modifying SIM permissions

Use the SIM Permissions property to enable or disable several types of Information Manager permissions that are assigned to a role.

See “About managing roles” on page 37.

To modify SIM permissions

1 On the System view, in the left pane of the Administration tab, navigate tothe relevant domain, and click Roles.

2 In the right pane, right-click the role to edit, and select Properties.

3 In the left pane click SIM Permissions.

4 Do one of the following:

■ To assign all Information Manager permissions to the role, click Enableall Permissions.

■ To limit the permissions that are assigned to the role, click Enable specific Permissions. Then click the check boxes as needed to enable or disable permissions for the role. Table 3-2 lists the permissions that the users who perform specific functions need.

5 Click OK.

About the Bypass Event RBAC option

When you create or modify a role, you can choose to enable the Bypass Event RBAC option. Bypass Event RBAC gives unrestricted access to all of the event archives to which the role has been granted access.

When a user with this role performs an event query, the query bypasses any additional permission settings based on Organizational Unit, Domain, or Product settings. The query returns the complete data set from the archives to which the user has been given access. Enabling Bypass Event RBAC enhances query performance by reducing the set of permission criteria against which the query must be processed.

Because the option removes the Organizational Unit, Domain, and Product restrictions entirely, the role's server (archive) selection becomes the only limit on what its members can read. Enable it only for roles whose archive scope is already acceptable for every member, and review the membership of such roles as you would any other elevated access.

See “About managing roles” on page 37.
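How the role properties from this chapter combine when an event query is evaluated (Products, Organizational Units with inherited child units, Servers, Bypass Event RBAC, the View Event Query Templates permission, and the snapshot behaviour of Add Members From Groups), as an added Python model that is not code from the guide or the product. The role names, users, organizational-unit tree and events are constructed, and the evaluation order is an assumption about how the console applies these settings; Domain scoping is folded into the organizational-unit tree for brevity.

```python
"""Role-scoped event visibility, modelled on the role properties in this chapter.

Added illustration, not product code. Roles, users, the OU tree and the events
are constructed; the evaluation order is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Role:
    name: str
    products: Optional[Set[str]] = None     # None = "access to all products"
    org_units: Optional[Set[str]] = None    # None = all OUs; a selected OU implies its children
    servers: Optional[Set[str]] = None      # None = all servers (event archives live on servers)
    permissions: Set[str] = field(default_factory=set)
    bypass_event_rbac: bool = False
    members: Set[str] = field(default_factory=set)


# Constructed organizational-unit tree: child -> parent (None for the root).
OU_PARENT: Dict[str, Optional[str]] = {
    "corp": None,
    "corp/emea": "corp",
    "corp/emea/finance": "corp/emea",
    "corp/apac": "corp",
}


def ou_in_scope(ou: str, selected: Set[str]) -> bool:
    """An event's OU is in scope if it, or any ancestor, was selected for the role."""
    current: Optional[str] = ou
    while current is not None:
        if current in selected:
            return True
        current = OU_PARENT[current]
    return False


def role_allows(role: Role, user: str, ev: Dict) -> bool:
    """Decide whether one role lets `user` see `ev`."""
    if user not in role.members:
        return False
    # Server (archive) scoping applies regardless of Bypass Event RBAC: the
    # bypass only widens access within the archives the role already has.
    if role.servers is not None and ev["server"] not in role.servers:
        return False
    if role.bypass_event_rbac:
        return True
    if role.products is not None and ev["product"] not in role.products:
        return False
    if role.org_units is not None and not ou_in_scope(ev["ou"], role.org_units):
        return False
    return True


def visible_events(user: str, roles: List[Role], events: List[Dict]) -> List[Dict]:
    """A user who is in several roles sees the union of what each role allows."""
    return [ev for ev in events if any(role_allows(r, user, ev) for r in roles)]


def add_members_from_group(role: Role, group_members: Set[str]) -> None:
    """Mirror 'Add Members From Groups': the users in the group now are copied
    into the role; users added to the group later are not picked up."""
    role.members |= set(group_members)


def can_view_templates(user: str, roles: List[Role]) -> bool:
    """The View Event Query Templates permission gates the Templates folder."""
    return any(user in r.members and "View Event Query Templates" in r.permissions
               for r in roles)


# Constructed roles, users and events.
ANALYST = Role("EventAnalyst", products={"firewall"}, org_units={"corp/emea"},
               servers={"sim-1"}, permissions={"View Event Query Templates"},
               members={"alice"})
BYPASS = Role("ArchiveAuditor", servers={"sim-1"}, bypass_event_rbac=True,
              members={"bob"})
ROLES = [ANALYST, BYPASS]

EVENTS = [
    {"id": "E1", "server": "sim-1", "product": "firewall", "ou": "corp/emea/finance"},
    {"id": "E2", "server": "sim-1", "product": "ids",      "ou": "corp/apac"},
    {"id": "E3", "server": "sim-2", "product": "firewall", "ou": "corp/emea"},
]

if __name__ == "__main__":
    for who in ("alice", "bob"):
        print(who, [e["id"] for e in visible_events(who, ROLES, EVENTS)])
```

With these constructed roles, alice sees only E1 (firewall, under the selected corp/emea unit, on sim-1), while bob's bypass role returns every event on sim-1 regardless of product or unit, but still nothing from sim-2.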

Enabling access to the Event Query Templates

The View Event Query Templates permission in a role controls the access to theTemplates folder in the Events view. If this permission is enabled for a role, theuser who is assigned with the role can access the Event Query Templates.

For example, the Information Manager administrator creates two roles, IncidentAnalyst and EventAnalyst. The View Event Query Templates permission is disabled for the IncidentAnalyst role, and enabled for the EventAnalyst role. The IncidentAnalyst role is assigned to user A and the EventAnalyst role is assigned to user B. From the Events view, user A, who is assigned the IncidentAnalyst role, cannot view the Event Query Templates. User B, who is assigned the EventAnalyst role, can view the Event Query Templates and run the corresponding queries.

You can edit the existing roles to enable the View Event Query Templatespermission.

To enable View Event Query Templates permission for existing roles

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain,and click Roles.

3 On the right panel, right-click the role that you want to edit and selectProperties.

4 In the Editing Role Properties dialog box, select SIM Permissions.

5 Click Enable specific permissions.


6 From the permissions list, check View Event Query Templates.

7 Click Save and then click OK.

By default, this permission is enabled for new roles. While creating a role, you can disable the View Event Query Templates permission for a new role. Select the Enable specific permissions option from the SIM Permissions panel and then uncheck View Event Query Templates.

See “Creating a role” on page 40.

See “Role-based access to the Event Query Templates” on page 22.

Modifying Information Manager console access rights

Console access rights control the views that a role member can access when they log on to the Information Manager console.

You can modify the Console access rights that you assigned when you created the role. Based on the Console access rights, various views of the console are visible to the role members whenever they log on to Information Manager.

To modify console access rights

1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.

2 In the right pane, right-click the role to edit, and select Properties.

3 In the left pane, click Console Access Rights.

4 Do one of the following:

■ To give members of the role the ability to see all components of the Information Manager console, click Role members will have all console access rights.

■ To limit what members of the role can see when they display the Information Manager console, click Role members will have only the selected console access rights. From the list that appears, enable or disable console access rights as you want.

The following table describes the tiles (views in the Information Manager console) that are available to members:

Console access right     Description
Show Assets Tile         Displays the Assets view in the console.
Show Dashboard Tile      Displays the Dashboard view in the console.
Show Events Tile         Displays the Events view in the console.
Show Incidents Tile      Displays the Incidents view in the console.
Show Intelligence Tile   Displays the Intelligence view in the console.
Show Reports Tile        Displays the Reports view in the console.
Show Rules Tile          Displays the Rules view in the console.
Show Statistics Tile     Displays the Statistics view in the console.
Show System Tile         Displays the System view in the console.
Show Tickets Tile        Displays the Tickets view in the console.

“Modifying access permissions in roles” lists the console access rights that the users who perform specific functions need.

5 Click OK.

See “Editing role properties” on page 48.

Modifying server access rights

Use the Servers property to select the servers to which role members have access. The selections for this property determine the servers that the role members can see on the following console locations:

■ The Testing tab on the Rules view that can be used for testing a specific rule.

■ The servers and archives that are available for each query on the Events view.

■ The Server Configurations tab on the System view.

To modify server access rights

1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.

2 In the right pane, right-click the role to edit, and select Properties.


3 In the left pane, click Servers.

4 Do one of the following:

■ To give role members access to all Information Manager servers in the network configuration, click Role members will have access to all servers.

■ To limit role members' access to certain servers, click Role members will have access to only the selected servers. In the server tree, select at least one server to associate with this role, and click OK.

See “Editing role properties” on page 48.

Modifying access permissions in roles

Roles include the permissions that determine the types of access (for example, Read and Delete) for a role member. Based on these permissions a role member can access various functions on the Information Manager console. Permissions are assigned to roles on various functions and the users belonging to those roles can perform tasks accordingly.

You can change the access permissions for the following types of objects:

■ Container objects that were created when you installed Information Manager, such as organizational units.

■ The new objects that you create within the container objects.

When you view the properties of a role, you can view and modify the permissions by selecting tabs in the Editing Role Properties dialog box.

Warning: Permission modification is an advanced feature. You should customize permissions only if you have a clear understanding of how access control works.

See “About working with permissions” on page 55.

Table 3-2 describes the access requirements of typical enterprise security roles.


Table 3-2 Access requirements for roles

Role: SES Administrator and Domain Administrator
Products: All
Symantec Security Information Manager permissions: All
Console access: All
Access permissions: All
Note: You cannot modify access permissions of the SES Administrator and Domain Administrator roles.

Role: System Administrator
Products: Information Manager
Symantec Security Information Manager permissions:
■ Allow Asset Edits
■ Move Computers
Console access:
■ Show Dashboard Tile
■ Show Intelligence Tile
■ Show Statistics Tile
■ Show System Tile
Access permissions: Read and Search on Published / System Query groups

Role: User Administrator
Products: All
Symantec Security Information Manager permissions:
■ Allow Dashboard Auto Refresh
■ Move Computers
■ Allow Asset Edits
■ Manage Networks
■ Manage Policies
■ Manage Services
Console access:
■ Show Assets Tile
■ Show Dashboard Tile
■ Show Intelligence Tile
■ Show Rules Tile
■ Show System Tile
Access permissions:
■ Read and Search on Published / System Query groups
■ Read and Write on users and user groups
■ Read and Write on rules and roles

Role: Information Manager
Products: Information Manager
Symantec Security Information Manager permissions:
■ Create Incidents
■ Write My Incidents
■ Write All Incidents
■ Change Assignee and Team on My Incidents
■ Change Assignee and Team on All Incidents
■ Change Assignee/Team to self or own team on unassigned incidents
■ Change Status My Incidents
■ Change Status All Incidents
■ Read My Incidents
■ Read All Incidents
■ Read Unassigned Incidents
■ View Event Query Templates
■ Create new queries
■ Create new reports
■ Publish queries
■ Publish reports
■ Allow Dashboard Auto Refresh
■ Move Computers
■ Allow Asset Edits
■ Manage Networks
■ Manage Policies
■ Manage Services
Console access:
■ Show Assets Tile
■ Show Dashboard Tile
■ Show Events Tile
■ Show Incidents Tile
■ Show Intelligence Tile
■ Show Reports Tile
■ Show Tickets Tile
Access permissions: Read and Write on Published / System Query groups. In addition, Read and Write on Report groups based on the Symantec Security Information Manager permissions that are granted to the role.

Role: Report Writer
Products: Information Manager
Symantec Security Information Manager permissions:
■ Write My Incidents
■ Write All Incidents
■ Change Assignee and Team on My Incidents
■ Change Assignee and Team on All Incidents
■ Change Assignee/Team to self or own team on unassigned incidents
■ Change Status My Incidents
■ Change Status All Incidents
■ Read My Incidents
■ Read All Incidents
■ Read Unassigned Incidents
■ Create new queries
■ Create new reports
■ Publish queries
■ Publish reports
■ Allow Dashboard Auto Refresh
■ Move Computers
■ Allow Asset Edits
■ Manage Networks
■ Manage Policies
■ Manage Services
Console access:
■ Show Dashboard Tile
■ Show Events Tile
■ Show Incidents Tile
■ Show Intelligence Tile
■ Show Reports Tile
■ Show Tickets Tile
Access permissions:
■ Read and Write on Published / System Query groups
■ Read and Write on Report groups

Role: Report User
Products: Information Manager
Symantec Security Information Manager permissions:
■ Create new queries
■ Create new reports
■ Allow Dashboard Auto Refresh
Console access:
■ Show Dashboard Tile
■ Show Events Tile
■ Show Reports Tile
Access permissions:
■ Read and Search on Published / System Query groups
■ Read and Write on Report groups

Role: Rule Editor
Products: Information Manager
Symantec Security Information Manager permissions:
■ Create new queries
Console access:
■ Show Events Tile
■ Show Rules Tile
■ Show Statistics Tile
Access permissions:
■ Read and Write on Rules and Roles
■ Read and Search on Published / System Query groups
■ Read and Search on Report groups

Note: When a role’s access permissions to a Published Query Group or a System Query Group are changed, the role’s database permissions may be incorrectly modified. If a user cannot view queries on the Events view, it may be because the user’s role lacks the necessary database permissions. To correct this problem, do the following: Log on as a Domain Administrator or SES Administrator and open the Editing Role Properties dialog box for the user’s role. On the Data Stores tab, check the role’s database permissions. If the role does not have both Read and Search permissions, add the missing permissions.

See “To modify access permissions in roles” on page 53.

To modify access permissions in roles

1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.

2 In the right pane, right-click the role to edit, and select Properties.

3 In the Editing Role Properties dialog box, in the left pane, click the type of permissions to modify. For example, to change the role members' directory permissions, choose Directories.

4 When you finish setting permissions, click OK.

See “Editing role properties” on page 48.

Using examples of modifying permissions in roles

You can modify permissions for the following purposes, among others:

■ To hide a query group from members of a role.

When members of this role open the Query Chooser on the dashboard, they cannot see the restricted query group in the query tree.


■ To hide all users from members of a role.

When members of this role view the System view, they do not see users in the left pane.

■ To prevent role members from adding and deleting user groups.

Role members can view and modify user groups, but they cannot add and delete user groups.

See “About permissions” on page 56.

To hide a query group from members of a role

1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.

2 In the right pane, right-click the role to restrict, and select Properties.

3 In the left pane, click System Query Groups.

4 Click Add.

5 In the Find System Query Groups window, select Product Queries.Symantec Client Security, and click Add.

6 Click OK.

7 On the Product Queries.Symantec Client Security row, uncheck Read and Search.

8 Click OK.

Members of this role cannot view Symantec Client Security queries. If a role member selects System Queries > Product Queries in the Query Chooser on the dashboard, the role member cannot view Symantec Client Security in the tree.

To hide all users from members of a role

1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.

2 In the right pane, right-click the role to restrict, and select Properties.

3 In the left pane, click Users.

4 Under Default permissions for all users, uncheck all permission types (for example, Read and Add).

5 Click OK.

When role members click Users in the left pane of the System view, they see only their own details in the right pane. Other users are not listed.

To prevent role members from adding and deleting user groups

1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.

2 In the right pane, right-click the role to restrict, and select Properties.

3 In the left pane, click User Groups.

4 On the top line of permissions, check Read, Write, and Search. Make sure that Add and Delete are not checked.

5 Click OK.

Role members can view, search, and modify all user groups in the domain. They cannot create new user groups or delete user groups.

Deleting a role

You can delete roles when they are no longer in use.

Before you delete a role, you can view the properties of the role to ensure that none of your users requires it.

To delete a role

1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain, and click Roles.

2 In the right pane, right-click the role to delete, and select Properties.

3 Review the role properties to make sure that no users require this role.

4 Click Cancel.

5 If you still want to delete the role, on the toolbar, click - (the minus symbol).

A message warns you that all members of the selected role would be removed. Then, although the user accounts are not deleted, the users no longer have access to the role.

6 In the confirmation dialog box, click Yes to delete the role.

See “About managing roles” on page 37.

About working with permissions

Permissions define the access that members of a role have to specific objects. Along with other role properties, permissions control what users can see and do when they log on to the Information Manager console.

As with roles, you can work with permissions only if you are a member of the SES Administrator or Domain Administrator role. The permissions of objects are defined initially when you create roles and when you create new objects. You can then modify the permissions to fine-tune your roles.

Warning: You should customize permissions only if you have a clear understanding of how access control works in the security (LDAP) directory.

See “About permissions” on page 56.

About permissions

Permissions are always associated with roles and are applied when a member of a role logs on to the console.

Table 3-3 shows the permissions that role members can have to view and work with objects.

Table 3-3 Object permissions

Permission   Description
Read         Lets the role members see the attributes of objects. Read must be enabled for the other access permissions to work.
Write        Lets the role members modify objects.
Add          Lets the role members create a new child object within the selected container.
Delete       Lets the role members delete objects.
Search       Lets the role members search the database or the LDAP directory for objects. Search must be enabled for the other access permissions to work.

The following objects have permissions:

■ Container objects

Container objects are created when the Datastore (database) and Directory are installed. These objects contain all of the new objects that you create.

In the console, container objects appear in the left pane of the Administration tab on the System view.

Examples of the container objects that have permissions are users, user groups, roles, and organizational units.

■ Objects that you create within container objects

When you create new objects to represent your security environment, they are stored within the container objects.

On the System view, the objects that you create appear in the right pane when you select their container object in the left pane. For example, when you select Users in the left pane, the individual users that you have created within the Users container are displayed.

These created objects are sometimes known as child or leaf objects.

You must understand the relationship between the permissions of container objects and the permissions of the objects you create within these containers.

See “About the propagation of permissions” on page 57.

About the propagation of permissions

As you create new management objects, it is important to understand the relationship between the permissions of container objects and the permissions of the objects you create within these containers.

In most cases, the permissions of a container object propagate to all new objects that you create within the container. When you create new objects on a role-by-role basis, the current permissions of the container object are propagated to the new objects.

For example, in Role A, on the Users tab, you disable Write permission for the Users container. In Role B, you disable Delete permission for the Users container. When you create new users, members of Role A do not have Write permission, so they cannot modify the properties of the new users. Members of Role B do not have Delete permission, so they cannot delete the new users.

However, if a user is assigned to two roles, A and B, where Role A has Add access for users and Role B does not, the user can add new users: the permissions of Role A take precedence over the permissions of Role B.

Note: Most roles should have at least Read and Search permissions for all objects. These permissions allow role members to view information about the objects and perform searches for the objects. For example, if you enable Write access for a container object and disable Read access, the role members cannot modify the objects, because they cannot view the objects.

Propagation occurs only when you create new objects. For example, you may create several users and assign them to Role A before you disable the Write permission in Role A. The permission is not disabled for those original users unless you disable it explicitly for the existing users of Role A.

See “About permissions” on page 56.
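The propagation, precedence and Read/Search rules from this section and Table 3-3, modelled in a small Python simulation (an added example of mine, not Symantec's code). Assumptions of mine: a role keeps one permission set per container and per created object; creating an object copies each role's current container permissions onto it; a member's effective permissions are the union over their roles; Write, Add and Delete count only when Read and Search are also held.

```python
# Added example (not Symantec's code): a model of the permission semantics the
# manual describes, so that role changes can be reasoned about before they are
# made in the console. Container and object names are constructed placeholders.

FULL = frozenset({"Read", "Write", "Add", "Delete", "Search"})
REQUIRED = frozenset({"Read", "Search"})          # the manual's baseline for most roles
GATED = frozenset({"Write", "Add", "Delete"})     # usable only with Read and Search


class Role:
    def __init__(self, name, container_perms):
        self.name = name
        # target (container name such as "Users", or a created object id) -> permissions
        self.perms = {target: set(p) for target, p in container_perms.items()}


class Directory:
    """Container objects and the child (leaf) objects created inside them."""

    def __init__(self, roles):
        self.roles = {r.name: r for r in roles}
        self.parent = {}  # created object id -> container name

    def set_permission(self, role_name, target, permission, enabled):
        if permission not in FULL:
            raise ValueError(f"unknown permission {permission!r}")
        perms = self.roles[role_name].perms.setdefault(target, set())
        (perms.add if enabled else perms.discard)(permission)

    def create_object(self, container, obj_id):
        """Propagation: the new object copies each role's *current* container permissions.
        Existing objects are never touched, which is why earlier objects keep old rights."""
        if obj_id in self.parent:
            raise ValueError(f"{obj_id!r} already exists")
        self.parent[obj_id] = container
        for role in self.roles.values():
            role.perms[obj_id] = set(role.perms.get(container, set()))

    def effective(self, role_names, target):
        """Union over the member's roles (a grant in any role wins), then the gate."""
        granted = set()
        for name in role_names:
            granted |= self.roles[name].perms.get(target, set())
        if not REQUIRED <= granted:
            # Members who cannot see or find the object cannot modify, add or delete it.
            granted -= GATED
        return granted

    def can(self, role_names, target, permission):
        return permission in self.effective(role_names, target)

    def low_privilege_warnings(self):
        """(role, target) pairs missing Read or Search, per the manual's note."""
        return sorted(
            (role.name, target)
            for role in self.roles.values()
            for target, perms in role.perms.items()
            if not REQUIRED <= perms
        )


def walkthrough():
    """The manual's Role A / Role B scenarios plus the Read/Write note; returns the outcomes."""
    role_a = Role("Role A", {"Users": FULL})
    role_b = Role("Role B", {"Users": FULL - {"Add"}})   # no Add on the Users container
    role_c = Role("Role C", {"Users": FULL - {"Read"}})  # Write without Read (misconfigured)
    d = Directory([role_a, role_b, role_c])

    d.create_object("Users", "existing-user")            # created BEFORE Role A loses Write
    d.set_permission("Role A", "Users", "Write", False)
    d.set_permission("Role B", "Users", "Delete", False)
    d.create_object("Users", "new-user")                 # created AFTER: inherits the changes

    return {
        "a_write_new": d.can(["Role A"], "new-user", "Write"),            # False: propagated
        "a_write_existing": d.can(["Role A"], "existing-user", "Write"),  # True: not retroactive
        "b_delete_new": d.can(["Role B"], "new-user", "Delete"),          # False: propagated
        "b_add_users": d.can(["Role B"], "Users", "Add"),                 # False: B lacks Add
        "ab_add_users": d.can(["Role A", "Role B"], "Users", "Add"),      # True: A's grant wins
        "ab_write_new": d.can(["Role A", "Role B"], "new-user", "Write"), # True: B's grant wins
        "c_write_new": d.can(["Role C"], "new-user", "Write"),            # False: no Read
        "warnings": d.low_privilege_warnings(),
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```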

Modifying permissions from the Permissions dialog box

You can use the following methods to modify permissions:

■ Edit the role using the Editing Role Properties dialog box.

Use this method to modify permissions for several objects within one role. See “Modifying access permissions in roles” on page 49.

You can edit the permissions of software products and their configurations through the Products tab on the Editing Role Properties dialog box.

■ Use the Permissions dialog box for a particular object.

Use this method to modify the permissions for a specific object.

Note: Some objects do not have permissions.

To modify permissions for a container object

1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain.

2 In the left pane, right-click the container object (for example, Users) and select Permissions.

In the Permissions dialog box, roles are listed if they have already been assigned to this object.

Some container objects do not have permissions.

3 Do any of the following:

■ To modify permissions for this object, check (enable) or uncheck (disable) the permissions corresponding to the listed roles, as needed.

You should not disable the Search permission.

■ To add a role to this object, click Add. In the Find Roles dialog box, select a role, then click Add, and click OK.

The role you added appears in the Permissions dialog box, where you can then enable or disable its permissions.

■ To remove a role, click the role name, and click Remove.

■ To edit a role’s properties, click the role name, and click Properties.

4 Click OK when you finish modifying permissions.

To modify permissions for a created object

1 On the System view, in the left pane of the Administration tab, navigate to the relevant domain.

2 In the left pane, click the container that contains the created object. For example, click Users.

3 In the right pane, right-click the object whose permissions you want to modify, and select Permissions.

In the Permissions dialog box, roles are listed if they have already been assigned to this object.

Some created objects do not have permissions, such as Policies.

4 Do any of the following:

■ To modify permissions for this object, check (enable) or uncheck (disable) the permissions corresponding to the listed roles, as needed.

You should not disable the Search permission.

■ To add a role to this object, click Add. In the Find Roles dialog box, select a role, then click Add, and click OK.

The role you added appears in the Permissions dialog box, where you can then enable or disable its permissions.

■ To remove a role, click the role name, and click Remove.

■ To edit a role’s properties, click the role name, and click Properties.

5 Click OK when you finish modifying permissions.

Chapter 4

Managing user and user groups

This chapter includes the following topics:

■ About users and passwords

■ Creating a new user

■ Creating a user group

■ About editing user properties

■ About modifying user permissions

■ Modifying a user group

■ Deleting a user or a user group

■ Customizing the password policy

About users and passwords

The Symantec Security Information Manager server uses accounts from Linux and the IBM DB2 Service. Both types of accounts use the password that is specified during installation. The default password is password.

By default, the installation program creates the following Linux accounts:

Account     Purpose
root        Default Linux administrative account
simuser     Used by the Information Manager text console process
sesuser     Used by the HTTP and the Tomcat processes
db2admin    Used by the database process
dasusr1     Used for the DB2 Admin Tools database
symcmgmt    Used by the database process

Warning: For security, change the Linux passwords periodically, according to your company's security policy. The password for all Linux accounts must be changed using the Change Password option (available under Settings > Passwords) from the Web configuration interface. Do not change these account passwords or permissions by standard Linux commands, as it may result in errors with server operation. The password for the symcmgmt Linux account cannot be changed from the Web configuration interface. The password for a symcmgmt Linux account can be changed by using the standard Linux commands. This change in the password must be followed with an update in the Information Manager console under System > Administration > Data Stores.

See “Changing the password for Linux accounts” on page 309.

See “Changing the password for symcmgmt Linux account” on page 310.

Usually, you are not required to create new Linux accounts. However, you may want to create an account with limited permissions to a file share to allow a user or process to copy LDAP backups. Refer to your Linux documentation for information on how to create Linux accounts.

By default, the installation program also creates the administrator account in the IBM LDAP directory. This account is used for logging in to the Information Manager console and Information Manager Web configuration interface initially.

With the proper permissions, you can also create new LDAP directory accounts for users who use the Information Manager console and Web configuration interface. These accounts are for the administrators of your security products, contacts for notifications, or both. Users who are administrators are members of the roles that define their administrative permissions. All users who need access to the Information Manager console must be members of one or more roles. If a user tries to log on to the console using an account that is not a member of a role, an error message is displayed. Users who only receive notifications do not have to be members of a role.

See “Creating a new user” on page 63.


See “About editing user properties” on page 66.

See “About modifying user permissions” on page 72.

See “Deleting a user or a user group” on page 74.

See “Creating a user group” on page 65.

See “Modifying a user group” on page 73.

Creating a new user

Use the Create a new User wizard to create a user. The wizard prompts you for the required information that the user needs to log on to Symantec Security Information Manager. It also lets you specify notification information, permissions, and other user properties.

You can provide all the information at the time that you create the user. Alternatively, you can provide only the required information and add more information later by editing the user’s properties.

See “About editing user properties” on page 66.

To create a new user

1 In the console of the Information Manager client, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Users.

3 On the toolbar, click + (the plus symbol) or right-click the Users node and select New.

4 In the first panel of the Create a new User wizard, click Next.

5 In the General panel, do the following:

Logon name   Type the logon name for the new user.
Last name    Type the user’s last name.
First name   Type the user’s first name.

The other fields on this panel are optional.

Click Next after you enter the details.

6 In the Password panel, type a password in the Password text box and type the same characters in the Confirm password box. Click Next.

The password that you choose must comply with the policy settings chosen by the administrator.

The password is case sensitive. Green check marks under Password rules indicate that your password meets the requirements.

7 (Optional) In the Business panel, specify business information for the user,and click Next.

See “Specifying user business and contact information” on page 67.

8 (Optional) In the Contact Information panel, specify contact information for the user, and click Next.

9 (Optional) In the Notifications panel, specify email addresses and pager numbers for the user, and times when those contacts can be used for notifications. Click Next.

See “Specifying notification information” on page 70.

10 In the Roles panel, you can assign the user to one or more roles that define the user’s permissions, and click Next. You can also assign or change a user's roles later.

A new user cannot log on unless a role is assigned to the user.

See “Managing role assignments and properties” on page 68.

You must create roles before you can assign users to roles.

See “Creating a role” on page 40.

11 In the User Groups panel, you can assign the user to one or more user groups, and click Next. You can also assign users to groups later.

See “Managing user group assignments” on page 69.

You must create user groups before you can assign users to groups. If no groups appear on the Find User Groups panel, you have not yet created any groups.

See “Creating a user group” on page 65.

12 In the User Summary panel, review the information that you have specified, and click Finish.

The user properties that are created are shown in the task status list at the bottom of the panel. A green check mark next to a task indicates that it was successfully completed.

13 Click Close.

Creating a user group

After you create users, you can assign them to groups. User groups are particularly useful when you have large numbers of users who need to have the same system roles. You can assign an entire user group to a role. All of the users in the group inherit the rights and the permissions that are assigned to that role. Implementing user groups also facilitates the auto-assignment of incidents, using correlation rules.

The Create a new User Group wizard enables you to create user groups and add users to the groups. You can assign users at the time you create a group, or you can add users to the group later.

Note: If you create a user group and assign it to a role, the users who are currently in the group are assigned to that role. However, if you later add more users to the user group, those users are not automatically added to the role. You must assign each user to the role individually.

To create a user group

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and click User Groups.

3 On the toolbar, click + (the plus symbol).

4 In the first panel of the Create a new User Group wizard, click Next.

5 In the General panel, type a name and (optional) description for the user group, and click Next.

6 In the Members panel, click Add.

In the Find Users dialog box, the Available Users list shows all users for the domain, up to the number of users that the Maximum search count text box indicates.

7 Select one or more users from the Available Users list, and click Add.

The users appear in the Selected users list.

8 If you want to review information about a specific user, click the user name, and click Properties. You can view or change the user's properties, and click OK.

9 When you finish adding users to the group, click OK.

10 In the Members panel, click Next.


11 In the User Group Summary panel, click Finish.

Properties for the created user group are shown in the task status list at the bottom of the panel. A green check mark next to a task indicates that it was successfully completed.

12 Click Close.

See “Modifying a user group” on page 73.

About editing user properties

User properties are the attributes that can be added for a user when you create a new user or edit the user properties. User properties include general information about the user, the change password facility, and the role that can be assigned to a user. User properties also include the user group to which a user can be assigned, business and contact information about the user, and contact methods and schedule for alert notifications. After you create a user, you can edit the user properties to perform the following tasks:

■ Change a user's password.

See “Changing a user’s password” on page 66.

■ Specify user business and contact information.

See “Specifying user business and contact information” on page 67.

■ Assign roles to a user.

See “Managing role assignments and properties” on page 68.

■ Assign a user to a user group.

See “Managing user group assignments” on page 69.

■ Specify contact methods and schedule for alert notifications.

See “Specifying notification information” on page 70.

Changing a user’s password

Passwords can be changed in the following ways:

■ Users can change their own passwords by using the Change Password option on the Tools menu in the Information Manager console.

■ Administrators can change a user’s password by editing the user’s properties.

To change a user’s password

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Users.


3 In the right pane, right-click the user whose password you want to change, and select Properties.

4 In the User Properties dialog box, on the Password tab, in the Password text box, type a new password.

The password that you choose must comply with the policy settings that the administrator chooses.

5 In the Confirm password text box, type the password again to confirm it.

6 Click OK.

See “About editing user properties” on page 66.

Specifying user business and contact information

In the User Properties dialog box, the Business tab and the Contact Information tab let you supply detailed information about the user. You can specify this information when you create a user or by editing an existing user’s properties.

See “About editing user properties” on page 66.

To specify user business and contact information

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Users.

3 In the right pane, right-click the user whose information you want to change, and select Properties.

4 In the User Properties dialog box, on the Business tab, type the business information for the user.

5 To identify the user’s manager, click the browse button (...) next to the Manager text box to display the Find Users dialog box.

The manager must exist as a user in the LDAP directory.

6 In the Find Users dialog box, select the user who is the manager, and click OK.

The Available users list shows all users for the domain, up to the number of users that the Maximum search count text box indicates.

7 To identify the user’s administrative assistant, click the browse button (...) next to the Administrative assistant text box. In the Find Users dialog box, select the administrative assistant.

The administrative assistant must exist as a user in the LDAP directory.


8 On the Contact Information tab, type the contact information for the user.

9 Click OK.

Managing role assignments and properties

The roles that a user is assigned define the user’s permissions in the console.

Roles are product-specific and are created as one or both of the following:

■ Roles that allow the management of policies and configurations for a product.

Users who are members of these roles can change the security configurations of an integrated product and distribute them to specific computers and organizational units.

■ Roles that allow the viewing of the events that a product generates.

Users who are members of these roles can view alerts and events for a product, and create alerts and customized reports.

Note: You must be a member of the Domain Administrator role to make a user a member of a role. Also, the role must exist in the LDAP directory before you can add a user to the role.

See “Creating a role” on page 40.

To manage role assignments and properties

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Users.

3 In the right pane, right-click the user whose information you want to change, and select Properties.

4 In the User Properties dialog box, on the Roles tab, click Add.

5 In the Find Roles dialog box, from the Look in drop-down list, select the domain in which to find the role.

Users can have access to roles in multiple domains.

6 In the Available roles list, select one or more roles, and click Add.

The Find Roles dialog box displays a list of roles only if you are a member of the Domain Administrator role.

7 Click OK.


8 To remove a user from a role, click the role name and click Remove.

This action does not remove the role from the LDAP directory.

9 To view or edit the properties of a role, click the role name and click Properties.

10 (Optional) Use the Editing Role Properties dialog box to make changes to the role.

See “Editing role properties” on page 48.

11 Click OK until you return to the System view.

Managing user group assignments

You can modify the composition of a user group by adding users to the group and removing users from the group. You can also view and modify user group properties.

You can manage user group assignments in the following ways:

■ Manage one user's assignment by adding to or removing from one or more user groups.

■ Manage a single user group by adding or removing multiple users at one time.

See “About editing user properties” on page 66.

To manage a single user's user group assignments

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Users.

3 In the right pane, right-click the user whose user group assignment you want to manage, and select Properties.

4 In the User Properties dialog box, on the User Groups tab, click Add.

5 In the Find User Groups dialog box, from the Look in drop-down list, select the domain in which to find the user group.

6 In the Available user groups list, select one or more user groups, and click Add.

The user groups that you selected appear in the Selected user groups list.

7 Click OK.

8 To remove a user from a user group, click the user group name and click Remove.

This action does not remove the user group from the LDAP directory.


9 To view or edit the properties of a user group, click the user group name and click Properties.

10 (Optional) Use the User Group Properties dialog box to make changes to the user group. For example, you can add members to the group and remove users from the group.

11 Click OK until you return to the System view.

To manage multiple users' user group assignments

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and click User Groups.

3 In the right pane, right-click the user group whose membership you want to manage, and select Properties.

4 In the User Group Properties dialog box, on the Members tab, click Add.

5 In the Find Users dialog box, from the Look in drop-down list, select the domain in which to find the users.

6 In the Available users list, select one or more users, and click Add.

The users that you selected appear in the Selected users list.

7 Click OK.

8 To remove a user from a user group, click the user name and click Remove.

This action does not remove the user from the LDAP directory.

9 To view or edit the user's properties, click the user name and click Properties.

10 (Optional) Use the User Properties dialog box to make changes to the user.

11 Click OK until you return to the System view.

Specifying notification information

When you create custom correlation rules, you can identify users to notify when particular incidents or alerts occur.

See “Creating custom correlation rules” on page 136.

For each user, you can specify the email addresses and pager numbers that are used to send these notifications. You can also specify when the user is notified. For example, you can specify one email address to be used Monday through Friday from 8:00 A.M. to 5:00 P.M., and a pager to be used during off-hours.

You can specify the following:

■ Email addresses


■ Pager numbers

■ The day and the time ranges when the contact method can be used to send user notifications of alerts.

Note: The number of email addresses and pager numbers cannot exceed five for a single rule.

To specify a user’s email address

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Users.

3 In the right pane, right-click the user whose email address you want to change, and select Properties.

4 In the User Properties dialog box, on the Notifications tab, in the drop-down list, click Email.

5 Click Add.

6 In the Email dialog box, in the Email address text box, type an email address.

7 If the user receives email on a device with a small screen, such as a handheld device, check Send shortened email message.

This option sends an abbreviated email message that is easier to read.

8 Click OK.

9 (Optional) Specify notification times.

10 Do any of the following:

■ To add additional email addresses, repeat steps 5 through 9.

■ To edit an existing email address, click it and click Properties.

■ To remove an existing email address, click it and click Delete.

11 When you finish, click OK.

To specify a user’s pager number

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Users.

3 In the right pane, right-click the user whose pager number you want to change, and select Properties.


4 In the User Properties dialog box, on the Notifications tab, in the drop-down list, click Pager.

5 Click Add.

6 In the Pager dialog box, in the Number text box, type a pager number.

7 In the Notification service drop-down list, select the notification service to use.

If you do not see the service that you want to select, you can add it using the Paging Services node. This node is located in the left pane of the System view.

8 Click OK.

9 (Optional) Specify notification times.

10 Do any of the following:

■ To add more pager numbers, repeat steps 5 through 8.

■ To edit an existing pager number, click it and click Properties.

■ To remove an existing pager number, click it and click Delete.

11 Click OK.

To specify notification times

1 In the User Properties dialog box, on the Notifications tab, click an email address or pager number.

2 Using the Day controls, check the days when the contact method can be used to contact the user.

3 Using the From and To controls, specify the range of time when the contact method can be used.

4 Repeat these steps to establish notification times for other email addresses and pager numbers.

5 When you finish, click OK.

About modifying user permissions

When you create a role, permissions are assigned for each user with regard to that role. These permissions control whether role members who log on to the console can view, modify, or delete the user.
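The notification schedule described above (a contact method with its Day, From and To controls, and the five-method cap per rule), as an added Python example that is not part of the manual. The addresses, pager numbers and incident times are constructed samples, and treating a window whose From is later than its To as an off-hours window that wraps past midnight is this example's assumption.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Added example (not from the manual): model the per-user notification schedule
# and check which contact methods an incident would reach at a given moment.
MAX_CONTACT_METHODS_PER_RULE = 5          # cap stated in the manual
WEEKDAYS = frozenset(range(5))            # Monday = 0 ... Friday = 4
WEEKEND = frozenset({5, 6})


@dataclass(frozen=True)
class ContactMethod:
    kind: str                # "email" or "pager"
    target: str              # email address or pager number
    days: frozenset          # weekday numbers on which the method may be used
    start: time              # From control
    end: time                # To control

    def usable_at(self, when):
        """True when this method may be used at the given moment.

        A window whose From is later than its To (for example 17:00 to 08:00)
        is treated as an off-hours window that wraps past midnight (assumption);
        the Day check then applies to the day on which the window began.
        """
        t = when.time()
        if self.start <= self.end:
            return when.weekday() in self.days and self.start <= t < self.end
        if t >= self.start:                         # evening part of the window
            return when.weekday() in self.days
        if t < self.end:                            # early-morning part
            return (when.weekday() - 1) % 7 in self.days
        return False


def _as_datetime(when):
    return datetime.fromisoformat(when) if isinstance(when, str) else when


def exceeds_rule_cap(methods):
    """True when a rule would carry more addresses and pager numbers than allowed."""
    return len(methods) > MAX_CONTACT_METHODS_PER_RULE


def targets_for(methods, when):
    """(kind, target) pairs that would be notified for an incident at `when`."""
    if exceeds_rule_cap(methods):
        raise ValueError(f"at most {MAX_CONTACT_METHODS_PER_RULE} contact methods per rule")
    when = _as_datetime(when)
    return [(m.kind, m.target) for m in methods if m.usable_at(when)]


def coverage_gaps(methods, week_start):
    """Hour starts in the seven days from `week_start` at which nobody is notified."""
    week_start = _as_datetime(week_start)
    hours = (week_start + timedelta(hours=h) for h in range(7 * 24))
    return [when for when in hours if not targets_for(methods, when)]


# Constructed sample schedule: email on weekdays 8:00 to 17:00, pager otherwise.
SAMPLE_SCHEDULE = (
    ContactMethod("email", "analyst@example.com", WEEKDAYS, time(8), time(17)),
    ContactMethod("pager", "5551234", WEEKDAYS, time(17), time(8)),   # weekday off-hours
    ContactMethod("pager", "5559999", WEEKEND, time(0), time.max),    # weekends
)

if __name__ == "__main__":
    print(targets_for(SAMPLE_SCHEDULE, "2024-01-09T10:00"))   # Tuesday 10:00 -> email
    print(targets_for(SAMPLE_SCHEDULE, "2024-01-09T22:00"))   # Tuesday 22:00 -> pager
    for gap in coverage_gaps(SAMPLE_SCHEDULE, "2024-01-08T00:00"):
        print("no contact method at", gap)                    # Monday 00:00 to 07:00
```

The sample schedule leaves Monday 00:00 to 08:00 uncovered, because the weekday pager window that wraps past midnight begins only on weekdays; the gap scan is the check to run before attaching a schedule to a rule.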

You can modify these permissions in the following ways:

■ By displaying and editing the roles that contain the permissions.


See “Modifying access permissions in roles” on page 49.

■ By displaying the Permissions dialog box for the User container object or an individual user.

See “Modifying permissions from the Permissions dialog box” on page 58.

Note: To modify permissions, you must be logged on as a member of the Domain Administrator role.

Modifying a user group

You can modify a user group by adding and removing members, and by changing the user group name and description. You can also modify individual group members' properties.

To modify a user group

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and then click User Groups.

3 In the right pane, right-click the user group to modify, and click Properties.

4 On the General tab, add or change the user group's name and description.

5 On the Members tab, you can do the following:

Add members

■ Click Add.

■ In the Find Users dialog box, select one or more users from the Available Users list, and click Add.

■ When you finish adding members, click OK.

Remove members

■ Select the member name, and click Remove.

Modify a member's properties

■ Select the member name, and click Properties.

■ In the User Properties dialog box, use the tabs to modify the properties of individual user group members.

■ When you finish modifying properties, click OK.

6 Click OK.

See “Creating a user group” on page 65.


Deleting a user or a user group

You can delete users who are no longer participants in your security network. You can also delete the user groups that are no longer needed.

See “Creating a new user” on page 63.

See “Creating a user group” on page 65.

To delete a user or a user group

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Users or User Groups.

3 In the right pane, right-click the user or the user group to delete, and click Delete.

4 In the confirmation dialog box, click Yes.

Customizing the password policy

The Information Manager includes the ability to enforce strong password requirements for all users. As an administrator, you can customize the password policy for Information Manager to match the password standards that apply to your environment. You must provide the LDAP cn=root password to change the password settings.

When the password policy changes, users whose existing passwords are non-compliant with the new policy are prompted to change their password at the next logon.

Note: When you enable the EAL4 password policy and a user locks their account the same day that they change it, you cannot reset the password for 24 hours. This behavior is a result of the value that is defined for the setting Minimum time between password changes (seconds). This setting is set at 24 hours in the EAL4 password policy. This behavior is expected due to the strict EAL4 password policy definition.

If you do not want to enable the EAL4 policy, you can choose the Custom password policy option, change the Minimum time between password changes (seconds) setting to a lower value, and save the configuration.

You can configure the password policy by using any of the following methods:


Default

The default settings that Information Manager uses.

EAL4

The settings that comply with Evaluation Assurance Level 4 (EAL4) standards.

Custom

User-defined settings.

Note: If you choose this column but do not change any settings, clicking Save reverts to the policy that was previously enabled.

To change the Information Manager password policy

1 Log on to the Web configuration interface using administrator credentials, and click Settings > Password. In the tree pane, click Password Policy.

2 In the LDAP cn=root Password field, type the password, and click Enter Admin Mode.

3 In the User Password Settings and Administrator Password Settings tables, choose the type of password management you want to use. If you choose Custom, configure each option, and check Password policy enabled.

4 Click Save.

5 Click Leave Admin Mode.

See “About users and passwords” on page 61.


Chapter 5

Managing organizational units and computers

This chapter includes the following topics:

■ About organizational units

■ About managing organizational units

■ About managing computers within organizational units

About organizational units

Organizational units are a useful way to structure your security environment in Symantec Security Information Manager. Before you create organizational units, it is important that you understand your security network and create a security plan.

See “About managing organizational units” on page 77.

Organizational units let you group the computers and servers that you manage. You can then add configurations for the Information Manager components that may be installed on those computers. These capabilities enable the distribution of the configurations to all computers and servers in the organizational unit.

About managing organizational units

On the Administration tab of the System view, select Organizational Units to perform the following tasks:

■ Create a new organizational unit.

See “Creating a new organizational unit” on page 78.


■ Edit organizational unit properties.

See “Editing organizational unit properties” on page 80.

■ Delete an organizational unit.

See “Deleting an organizational unit” on page 80.

Creating a new organizational unit

Organizational units are logical groupings. You can create them to organize the computers that are in the same physical location or belong to structural groups within your corporation: for example, divisions or task groups. However, it is not required that an organizational unit reflect these relationships.

See “About organizational units” on page 77.

You can create all the organizational units that you require at a single level, or you can create a hierarchy of nested organizational units.

The combined maximum length of the distinguished name of an organizational unit must be no longer than 170 bytes. Keep in mind that some characters, such as accented characters or Japanese characters, take more space to store.

The distinguished name of an organizational unit is a concatenation of the names that precede it in the hierarchy. Therefore, nesting organizational units with long names can exceed this limit. A screen message informs you if you exceed the limit.

To create a new organizational unit

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and click Organizational Units.

3 Take one of the following actions:

■ To create a new organizational unit at the top level of the tree, click + (the plus icon) on the toolbar. Go to step 5.

■ To create a new organizational unit within an existing organizational unit, expand the organizational unit tree and select the level that you want. Then click + (the plus icon) on the toolbar. Go to step 4.

4 In the Computer or Organizational Unit dialog box, click Organizational Unit, and click OK.

5 In the first panel of the Create a new Organizational Unit wizard, click Next.

6 In the General panel, do the following:

■ In the Organizational Unit Name text box, type a name for the organizational unit.


■ (Optional) In the Description text box, type a description of the organizational unit.

7 Click Next.

8 In the Organizational Unit Summary panel, review the information that you have specified, and click Finish.

9 Click Close.

About determining the length of the organizational unit name

Information Manager imposes limits on the length of the name of an organizational unit. It also imposes limits on the total length of the distinguished name that is stored in the LDAP directory. These limits become important when you nest organizational units.

See “About organizational units” on page 77.

The distinguished name for a nested organizational unit includes the following:

■ The name you give the organizational unit when you create it

■ The names of each organizational unit that precedes it in the hierarchy

■ The name of the top node in the organizational unit tree

■ The name of the domain within which you create the organizational unit hierarchy

■ Additional bytes of overhead

You can view the distinguished name of an organizational unit by looking at the organizational unit’s properties.

The maximum length of the name you assign in the Create a new Organizational Unit wizard is 64 UTF-8 bytes. For the Roman character set, this means that the name cannot exceed 64 characters. Some characters take more space to store. For example, accented characters take two bytes to store, and Japanese characters take three bytes or four bytes to store. When these characters are used, fewer characters are allowed in the name.

Information Manager adds other information for internal use to the distinguished name. Therefore, the maximum recommended length of the distinguished name of an organizational unit in the security directory is 170 bytes. If a distinguished name is longer than 256 characters, performance issues occur.

Table 5-1 describes how to calculate the UTF-8 byte length of the distinguished name of the organizational unit.


Table 5-1 Determining the organizational unit name length

Name string: Domain name length

Formula and example:

sum(4 + domain component name length) + 17 bytes

Example: usa.SES

4 + length(usa) + 4 + length(SES) + 17 bytes overhead

or

4 + 3 + 4 + 3 + 17 = 31 bytes

Name string: Organizational unit (OU) name length

Formula and example:

sum(4 + OU name length) + domain name length + 13 bytes

For example: Paris OU under the Sales OU in the usa.ses domain

4 + length(Paris) + domain name length + 13 bytes overhead

or

4 + 5 + 31 + 13 = 53 bytes
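The Table 5-1 formulas and the 64-byte and 170-byte limits from the preceding section, as an added Python example that is not code from the manual. The domain, OU names and the nested Sales/Paris path are constructed samples; the single-level Paris case reproduces the table's 53 bytes, and summing every OU on the path, as the formula states, gives 62 bytes for Paris under Sales.

```python
# Added example (not from the manual): apply the Table 5-1 formulas and the
# name-length limits to a proposed organizational unit before creating it.
# All domain and OU names used below are constructed samples.

PER_COMPONENT_OVERHEAD = 4      # bytes added for each domain component or OU
DOMAIN_OVERHEAD = 17            # fixed overhead on the domain part of the DN
OU_OVERHEAD = 13                # fixed overhead on the OU part of the DN
OU_NAME_MAX_BYTES = 64          # limit on one OU name in the wizard (UTF-8 bytes)
DN_RECOMMENDED_MAX_BYTES = 170  # recommended maximum for the whole DN


def utf8_len(text):
    """UTF-8 byte length: accented characters take 2 bytes, Japanese characters 3 or 4."""
    return len(text.encode("utf-8"))


def domain_name_length(domain):
    """sum(4 + domain component name length) + 17, e.g. usa.SES -> 31 bytes."""
    components = domain.split(".")
    return sum(PER_COMPONENT_OVERHEAD + utf8_len(c) for c in components) + DOMAIN_OVERHEAD


def ou_dn_length(domain, ou_path):
    """sum(4 + OU name length) over every OU on the path + domain name length + 13.

    ou_path lists the OUs from the top of the tree downward, e.g. ["Sales", "Paris"].
    """
    ou_bytes = sum(PER_COMPONENT_OVERHEAD + utf8_len(ou) for ou in ou_path)
    return ou_bytes + domain_name_length(domain) + OU_OVERHEAD


def check_ou_path(domain, ou_path):
    """Return the limit violations for a proposed path (empty when it is acceptable)."""
    problems = []
    for ou in ou_path:
        size = utf8_len(ou)
        if size > OU_NAME_MAX_BYTES:
            problems.append(
                f"OU name {ou!r} is {size} UTF-8 bytes; the wizard allows {OU_NAME_MAX_BYTES}")
    total = ou_dn_length(domain, ou_path)
    if total > DN_RECOMMENDED_MAX_BYTES:
        problems.append(
            f"DN would be {total} bytes; recommended maximum is {DN_RECOMMENDED_MAX_BYTES}")
    return problems


if __name__ == "__main__":
    print(domain_name_length("usa.SES"))                 # 31, as in Table 5-1
    print(ou_dn_length("usa.ses", ["Paris"]))            # 53, the table's figure
    print(ou_dn_length("usa.ses", ["Sales", "Paris"]))   # 62 when Sales is counted too
    # A 44-character Japanese name is 132 UTF-8 bytes: too long on its own,
    # and it pushes the DN past the recommended maximum as well.
    for problem in check_ou_path("usa.ses", ["東京" * 22]):
        print(problem)
```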

Editing organizational unit properties

You can modify an existing organizational unit's description. You cannot change the name or the distinguished name of the organizational unit.

See “About organizational units” on page 77.

To edit organizational unit properties

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and expand the Organizational Units navigation tree.

3 Right-click the name of the organizational unit to edit, and click Properties.

4 In the Organizational Unit Properties dialog box, change the description.

5 When you finish, click OK.

Deleting an organizational unit

Before you can delete an organizational unit, you must move or delete all computers that belong to the organizational unit.

See “Moving a computer to a different organizational unit” on page 93.

See “Deleting a computer from an organizational unit” on page 94.


Note: When you delete an organizational unit, all of the organizational units that are below it in the navigational structure are also deleted.

To delete an organizational unit

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and expand the Organizational Units navigation tree.

3 Right-click the name of the organizational unit to delete, and click Delete.

4 To confirm that you want to delete the organizational unit and its subgroups, click Yes.

About managing computers within organizational units

Organizational units contain computer objects representing the computers that run your security products.

Note: The term computer covers a variety of equipment, from traditional desktop computers to servers and handheld devices. In the context of the Information Manager console, a computer is any device that you manage as part of your enterprise security environment.

Computers are placed in organizational units in the following ways:

■ When an agent is installed.

When you install Symantec Event Agent on a computer, it is represented as a computer within an organizational unit.

Symantec Event Agent is added to the default organizational unit. You can move the agent to a different organizational unit later.

■ When you create the computer using the Create a new Computer wizard.

You can use this method to create computers other than the agent computers.

Note: Do not create a computer using the wizard if you plan to install the Symantec Event Agent on the computer at a later time. If you do, a duplicate instance of the computer is added to the LDAP directory.


A computer can belong to only one organizational unit at a time. However, based on the requirements of your network, you can easily move computers from one organizational unit to another.

When you select a computer in the right pane, you can perform the following tasks:

■ Create computers within organizational units.

See “Creating computers within organizational units”.

■ Edit computer properties.

See “About editing computer properties”.

■ Move a computer to a different organizational unit.

See “Moving a computer to a different organizational unit”.

■ Modify computer permissions.

See “About modifying computer permissions”.

■ Delete a computer from an organizational unit.

See “Deleting a computer from an organizational unit”.

Creating computers within organizational units

Computers are defined in the LDAP directory as part of the organizational units in which you create them. If you delete a computer from an organizational unit, it is permanently removed from the LDAP directory.

See “About managing computers within organizational units” on page 81.

To create a computer within an organizational unit

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and expand the Organizational Units navigation tree.

3 Right-click the name of the organizational unit, and click New > Computer.

4 In the first panel of the Create a new Computer wizard, click Next.

5 In the General panel, do the following, and click Next:

■ In the Computer name text box, type the computer name.

■ (Optional) In the Description text box, type a description.

6 In the Information panel, do one of the following:

■ Type information in some or all of the optional text boxes, and click Next.

■ Supply the information later by editing the computer’s properties.


7 In the Identification panel, do one of the following:

■ Provide the host name, IP addresses, and MAC addresses of the computer, and click Next.

■ Provide the identification information later by editing the computer’s properties.

8 In the Configurations panel, do one of the following:

■ To directly associate configurations with the computer, click Add. When you are finished, click Next.

■ Add configurations later by editing the computer’s properties.

9 In the Computer summary panel, review the information that you have specified, and click Finish.

10 Click Close.

About editing computer properties

The computer properties that you can view and change depend on whether Symantec Event Agent is installed on the computer.

If the computer has Symantec Event Agent, you can associate configurations with the computer and view the services running on the computer. However, you cannot change the identification information for the computer.

See “Editing the agent computer” on page 83.

See “Viewing the services running on a computer” on page 91.

If the computer does not have an agent, you can edit the network identification information for the computer. However, you cannot view services running on the computer.

See “Editing a computer that does not have an agent” on page 84.

See “Providing identification information for a computer” on page 85.

Editing the agent computer

When a computer has an agent installed, most of the identification information about the computer is captured during the installation.

You can learn about the computer by viewing the information that the agent provides. This information includes the state of the services running on the computer and the computer’s heartbeat status.

You can also specify configurations to be associated with the computer. If the computer is an Information Manager server, you can add access to other domains.


To edit the agent computer

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and expand the Organizational Units navigation tree.

3 Click the name of the organizational unit that contains the computer to be edited.

4 In the right pane, right-click the name of the computer, and click Properties.

5 In the Computer Properties dialog box, on the General tab, you can type a new description.

6 On the Information tab, you can modify the Primary Owner and Owner contact information text boxes.

The remaining information is provided during the agent installation.

7 On the Configurations tab, do any of the following:

■ To directly associate configurations with the computer, click Add.

See “Associating configurations directly with a computer” on page 86.

■ To remove a configuration, select it, and click Remove.

■ To view a configuration’s properties, select it, and click Properties.

See “About agent configurations” on page 333.

8 You can view information on any of the following tabs:

■ On the Identification tab, view the host name, IP addresses, and MAC addresses of the computer.

■ On the Services tab, view information about the services running on the computer.

See “Viewing the services running on a computer” on page 91.

9 Click OK.

Editing a computer that does not have an agent

When you create a computer using the Create a New Computer wizard, you can modify most of the computer’s properties.

Services are reported only if an agent is installed on the computer.


To edit a computer that does not have an agent

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and expand the Organizational Units navigation tree.

3 Click the name of the organizational unit that contains the computer to be edited.

4 In the right pane, right-click the name of the computer, and click Properties.

5 In the Computer Properties dialog box, on the General tab, you can type a new description.

6 On the Information tab, modify the text boxes as you want.

To enable the Other OS Type text box, select OTHER from the operating system type drop-down list.

7 On the Identification tab, change the host name and add or remove IP addresses and MAC addresses, as needed.

See “Providing identification information for a computer” on page 85.

8 On the Configurations tab, do any of the following:

■ To directly associate configurations with the computer, click Add.

See “Associating configurations directly with a computer” on page 86.

■ To remove a configuration, select it, and click Remove.

■ To view a configuration’s properties, select it, and click Properties.

9 On the Services tab, view information about the services running on the computer.

See “Viewing the services running on a computer” on page 91.

10 Click OK.

Providing identification information for a computer

After you create a computer using the Create a new Computer wizard, you can provide the network identification information for the computer by editing its properties.

When you create a computer by installing a collector, the identification information is supplied automatically by the installation.

See “About editing computer properties” on page 83.


To provide identification information for a computer

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and expand the Organizational Units navigation tree.

3 Click the name of the organizational unit that contains the computer to be edited.

4 In the right pane, right-click the name of the computer, and click Properties.

5 In the Computer Properties dialog box, on the Identification tab, in the Host name text box, type an FQDN or a DNS host name.

6 To add an IP address, under IP addresses, click Add.

7 In the IP addresses dialog box, type the IP address of the computer, and click OK.

8 If the computer has multiple network interface cards, repeat steps 6 and 7 for each IP address.

9 To add a MAC address, under MAC addresses, click Add.

10 In the MAC addresses dialog box, type the MAC address of the computer, and click OK.

The MAC address must consist of six hexadecimal pairs.

11 If the computer has multiple network interface cards, repeat steps 9 and 10 for each MAC address.

12 Click OK.
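The identification values entered in the procedure above follow simple format rules: a host name that is an FQDN or DNS host name, one IP address per network interface card, and a MAC address made of six hexadecimal pairs. The following Python script is an added example written for this guide, not code from Symantec or from the Information Manager product, and it checks a record of those values before they are typed into the Identification tab. The host name label rules, the accepted MAC separators (colon, hyphen, or none), the record layout, and the sample values are assumptions of the example.

```python
import ipaddress
import re

# Host name label rules (letters, digits, hyphen; no leading or trailing
# hyphen; at most 63 characters per label) are an assumption of this example.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# The guide requires six hexadecimal pairs. Accepting ':' or '-' between the
# pairs, or no separator at all, is an assumption of this example.
_MAC = re.compile(r"^[0-9A-Fa-f]{2}([:-]?)(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def valid_hostname(name):
    """True if name is a plausible DNS host name or FQDN."""
    if not name or len(name) > 253:
        return False
    name = name.rstrip(".")          # tolerate a trailing root dot
    return all(_LABEL.match(label) for label in name.split("."))


def valid_ip(addr):
    """True if addr parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(addr)
    except ValueError:
        return False
    return True


def normalize_mac(mac):
    """Return the MAC as six lowercase colon-separated pairs, or None if invalid."""
    if not _MAC.match(mac):
        return None
    return ":".join(re.findall(r"[0-9A-Fa-f]{2}", mac)).lower()


def validate_identification(record):
    """Check one computer's identification record.

    record = {"hostname": str, "ip_addresses": [...], "mac_addresses": [...]}
    Returns (errors, normalized); normalized carries de-duplicated IP and MAC
    addresses, one entry per network interface card.
    """
    errors = []
    host = record.get("hostname", "")
    if not valid_hostname(host):
        errors.append(f"bad host name: {host!r}")

    ips = []
    for ip in record.get("ip_addresses", []):
        if not valid_ip(ip):
            errors.append(f"bad IP address: {ip!r}")
        elif ip not in ips:
            ips.append(ip)

    macs = []
    for mac in record.get("mac_addresses", []):
        norm = normalize_mac(mac)
        if norm is None:
            errors.append(f"bad MAC address: {mac!r}")
        elif norm not in macs:
            macs.append(norm)

    normalized = {"hostname": host.rstrip("."),
                  "ip_addresses": ips, "mac_addresses": macs}
    return errors, normalized


# Constructed sample record: one duplicate IP, one invalid IP, the same MAC
# written three ways, and one MAC with only five pairs.
SAMPLE_RECORD = {
    "hostname": "collector01.example.com",
    "ip_addresses": ["192.0.2.10", "192.0.2.10", "256.1.1.1", "2001:db8::10"],
    "mac_addresses": ["00:1A:2B:3C:4D:5E", "00-1a-2b-3c-4d-5e",
                      "001A2B3C4D5E", "00:1A:2B:3C:4D"],
}

if __name__ == "__main__":
    errs, norm = validate_identification(SAMPLE_RECORD)
    print("errors:", errs)
    print("normalized:", norm)
```

Running the script on the constructed record reports the invalid IP address and the five-pair MAC address, and collapses the three spellings of the same MAC address into one normalized entry, which is what the Identification tab needs for a computer with one network interface card.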

Associating configurations directly with a computer

Configurations control the behavior of Information Manager components.

To distribute configurations to a computer, you can associate a configuration with the computer. You can then distribute the configuration either immediately or at a later date, depending on your needs.

See “About editing computer properties” on page 83.

The following table describes each of the available configurations that can be associated directly with a computer.

Note: Only those configurations that are shipped with the default installation of Information Manager are listed here. If additional collectors or products are added to your Information Manager, the configurations list may be different.


Configuration: Description

Symantec Event Agent and Manager – Manager Configurations
  Contains the common Information Manager server settings, which may affect one or more components on an Information Manager server. For example, configuration settings define which directory service and database the server should use.

Symantec Event Agent and Manager – Manager Component Configurations
  Contains the settings for services within the Information Manager server, such as the event logging subsystem or the configuration service.

Symantec Event Agent and Manager – Manager Connection Configurations
  Lets you control how failover is performed from the Information Manager server to directory service and Information Manager server to database.

Symantec Event Agent and Manager – Agent Connection Configurations
  Sets the agent to Information Manager server failover. Failover is the ability of Information Manager components to automatically switch to designated secondary resources if the primary resource fails or terminates abnormally.

Symantec Event Agent and Manager – Agent Configurations
  Lets the agent communicate with the corresponding Information Manager server. They include which primary and secondary server to connect to and how to get configuration information and report inventory. In addition, they include how these computers should receive LiveUpdate information.

Symantec Critical System Protection Event Collector
  Configures Symantec Critical System Protection Event Collector to collect DB sensor data from various platforms.

LiveUpdate 1.0 – LiveUpdate
  Configures LiveUpdate to obtain software updates for the various software components of Information Manager, such as event collectors, relays, security content, rules, and filters.

LiveUpdate 1.0 – Java LiveUpdate
  Configures Java LiveUpdate to obtain software updates for the various software components of Information Manager, such as event collectors, relays, security content, rules, and filters.

ISS SiteProtector Event Collector
  Configures the Internet Security Systems RealSecure SiteProtector Event Collector to collect DB sensor data from various platforms.

Check Point Firewall – 1 Event Collector
  Configures Check Point FireWall-1 Event Collector to collect OpsecLea sensor data from various platforms.

Cisco ASA Event Collector
  Configures Cisco ASA Event Collector to collect Syslog sensor data from various platforms.

Generic Syslog Event Collector
  Configures Generic Syslog Event Collector to collect Syslog sensor data from various platforms.

Juniper NSM Event Collector
  Configures Juniper Networks NetScreen Security Manager Event Collector to collect Syslog sensor data from various platforms.

Juniper Netscreen Firewall Event Collector
  Configures Juniper NetScreen Event Collector to collect Syslog sensor data from various platforms.

Snare for Windows Event Collector
  Configures Snare for Windows Event Collector to collect Syslog sensor data from various platforms.

Snort Syslog Event Collector
  Configures Snort Event Collector to collect SyslogFile sensor data from various platforms.

Symantec Endpoint Protection 11.0 Event Collector
  Configures Symantec Endpoint Protection 11.0 Event Collector to collect DB sensor data from various platforms.

Symantec Endpoint Protection State 11.0 Event Collector
  Configures Symantec Endpoint Protection State 11.0 Event Collector to collect DB sensor data from various platforms.

Symantec Security Information Manager Local Event Collector
  Configures the Information Manager Event Collector to collect SyslogFile sensor data. The Local Event Collector tracks the events that the Linux operating system that runs Information Manager generates. Examples include ssh commands and wrong password entries.

Syslog Director
  Configures Syslog Director.

Universal Logfile Event Collector
  Configures the Universal Logfile Event Collector to collect events from the products that log to text files.

UNIX OS Event Collector
  Configures UNIX OS Event Collector to collect syslog data from various platforms. In addition, the UNIX Event Collector collects data from ISC BIND9, Linux iptables, and the Linux Audit daemon AUDITD.

Universal Syslog Event Collector
  Configures the Universal Syslog Event Collector to collect events from the products that log events by using the Syslog protocol.

Universal Event Collector for Microsoft Windows Vista
  Configures Universal Event Collector for Microsoft Windows Vista to collect events from Microsoft Windows Vista, Windows Server 2008, and Windows 7 event logs.

Universal Event Collector for Microsoft Windows
  Configures Universal Event Collector for Microsoft Windows to collect events from Microsoft Windows event logs.

Qualys Guard Event Collector
  Configures QualysGuard Event Collector to collect QualysGuard sensor data from various platforms.

For more details about the collectors, refer to the specific collector guides.

To associate configurations directly with the computer

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and expand the Organizational Units navigation tree.


3 Click the name of the organizational unit that contains the computer that you want to edit.

4 In the right pane, right-click the name of the computer, and click Properties.

5 In the Computer Properties dialog box, on the Configurations tab, click Add.

6 In the Find Configurations dialog box, in the Look-in drop-down list, select the product whose configurations you want to associate with the computer.

The configurations are displayed in the Available configurations list.

See “Associating configurations directly with a computer” on page 86.

7 In the Available configurations list, select a configuration, and click Add.

The selected configuration is listed in the Selected configuration list.

If the computer already contains a configuration, and you now select a different configuration, the new configuration replaces the old one.

8 To select a configuration for a different product, repeat steps 6 and 7.

9 When you finish adding configurations, click OK.

10 In the Computer Properties dialog box, do one of the following:

■ To remove a configuration, select it, and click Remove.

■ To view a configuration’s properties, select it, and click Properties.

11 Click OK.

Making a computer a member of a configuration group

In addition to belonging to an organizational unit, a computer can be a member of a configuration group. Configuration groups are used to distribute special configurations to their member computers. A computer can belong only to one configuration group.

To make a computer a member of a configuration group

1 In the Information Manager console, on the System tab, in the left pane, expand the Organizational Units navigational tree until you can select the organizational unit containing the computer that you want to edit.

2 In the right pane, select the computer.

3 On the Selection menu, click Properties.

4 In the Computer Properties dialog box, on the Configuration Groups tab, click Add.

5 In the Available Configuration Groups list, select a configuration group.

If the computer is already a member of a configuration group, the configuration group you select here replaces the original configuration group.

6 Click Add.

7 Click OK.

8 On the Configuration Groups tab, do any of the following, as needed:

■ To remove a computer from configuration group membership, select the configuration group, and click Remove.

■ To view a configuration group’s properties, select it, and click Properties.

9 Click OK.

Viewing the services running on a computer

You can view information about the services running on a computer: for example, which configurations are in use and whether the configurations are up-to-date.

See “About editing computer properties” on page 83.

To view the services running on a computer

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and expand the Organizational Units navigation tree.

3 In the left pane, select the organizational unit that contains the computer whose services you want to view.

4 In the right pane, right-click the computer name, and click Properties.

5 In the Computer Properties dialog box, on the Services tab, review the In Sync column to determine whether the correct configurations are in use.

■ If the value for a specific service is Yes, the current configuration and the expected configuration are synchronized. That is, they are identical.

■ If the value for a specific service is No, the configurations are not synchronized. Double-click the row to view the information on the Configuration tab of the Service Properties dialog box. You may need to distribute the latest configurations to this computer.

6 Take any of the following actions:


■ In the Computer Properties dialog box, to notify the computer that it should download new configurations, click Distribute. Then click Yes to confirm your intention to distribute configurations.

■ To refresh the Computer Properties dialog box display, click Refresh.

■ Click Details to open the Service Properties dialog box and view the details of services.

7 When you finish, click OK.
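The In Sync column above is a per-service comparison of the configuration the server expects against the configuration the agent reports as running; Yes means the two are identical, No means a Distribute is needed. The following Python script is an added example written for this guide, not code from Symantec or from the Information Manager product, that performs the same comparison on two sets of configurations and lists the services that would show No. The configuration dictionaries, the setting names other than AgentQueueStatisticsReportInterval (which this guide names under the Visualizer notes), and the sample values are constructed for the example.

```python
import hashlib
import json


def config_digest(config):
    """Stable digest of a configuration, so two copies compare by content."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def in_sync_report(expected, reported):
    """Compare per-service configurations.

    expected: {service: config} the server intends the computer to run
    reported: {service: config} the agent reports as currently in use
    Returns {service: {"in_sync": bool, "differences": [...]}} where
    differences lists the differing setting names, or why a service is absent.
    """
    report = {}
    for service in sorted(set(expected) | set(reported)):
        exp, cur = expected.get(service), reported.get(service)
        if exp is None:
            report[service] = {"in_sync": False,
                               "differences": ["not expected by the server"]}
        elif cur is None:
            report[service] = {"in_sync": False,
                               "differences": ["not reported by the agent"]}
        elif config_digest(exp) == config_digest(cur):
            report[service] = {"in_sync": True, "differences": []}
        else:
            diffs = sorted(k for k in set(exp) | set(cur)
                           if exp.get(k) != cur.get(k))
            report[service] = {"in_sync": False, "differences": diffs}
    return report


def services_needing_distribution(report):
    """Services whose In Sync value would be No, in sorted order."""
    return [s for s, r in report.items() if not r["in_sync"]]


# Constructed sample: the server-side Agent Configurations interval has been
# lowered, but the agent still reports the default value until a Distribute;
# one collector configuration exists on the server but has not been pushed yet.
EXPECTED_CONFIGS = {
    "Agent Configurations": {"AgentQueueStatisticsReportInterval": 120,
                             "LogLevel": "INFO"},
    "LiveUpdate": {"Schedule": "daily"},
    "Universal Syslog Event Collector": {"Port": 514},
}
REPORTED_CONFIGS = {
    "Agent Configurations": {"AgentQueueStatisticsReportInterval": 300,
                             "LogLevel": "INFO"},
    "LiveUpdate": {"Schedule": "daily"},
}

if __name__ == "__main__":
    rep = in_sync_report(EXPECTED_CONFIGS, REPORTED_CONFIGS)
    for svc, r in rep.items():
        status = "Yes" if r["in_sync"] else "No"
        print(f"{svc}: In Sync = {status} {r['differences']}")
    print("distribute to:", services_needing_distribution(rep))
```

The digest comparison answers the Yes/No question cheaply; the key-by-key diff is only computed for services that differ, so the report shows which setting is stale rather than just that something is.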

Distributing configurations to computers in an organizational unit

Information Manager includes a Distribute option, which sends a message to all the computers in an organizational unit to check for new configurations. When a computer receives this message, it contacts Information Manager to request a download of the configurations.

See “About managing computers within organizational units” on page 81.

Using the Distribute feature is optional. When you change a product configuration or move a computer to a different organizational unit, the change is distributed when you click Save.

You can do the following to distribute configurations to computers in an organizational unit:

■ You can distribute the configurations that are associated with an organizational unit to all computers that belong to the organizational unit.

■ You can select specific computers to receive the latest configurations.

Note: The timing of configuration distribution varies depending on the amount of Information Manager traffic.

To distribute configurations to all computers in an organizational unit

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.

3 Right-click the name of the organizational unit to which you want to distribute configurations, and then click Distribute.

4 In the confirmation message box, click Yes.


To distribute configurations to selected computers in an organizational unit

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.

3 In the left pane, select the organizational unit that contains the computer or computers to which you want to distribute configurations.

4 In the right pane, select only those computers that you want to notify.

5 Right-click on the selected computers, and then click Distribute.

6 To confirm your intention to distribute configurations, click Yes.

Moving a computer to a different organizational unit

Although a computer can only belong to one organizational unit, you can move computers from one organizational unit to another.

See “About organizational units” on page 77.

Warning: Before you move a computer, make sure that the security products you manage let you move computers.

To move a computer to a different organizational unit

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.

3 In the left pane, select the organizational unit that contains the computer or computers that you want to move.

4 In the right pane, right-click a computer, and then click Move.

You may select multiple computers if you want to move all of them to the same organizational unit.

5 To confirm that you want to move the computers, click Yes.


6 In the Find Organizational Units dialog box, select the organizational unit to which you want to move the computers, and then click OK.

7 To verify that the move was successful, in the left pane, select the organizational unit to which you moved the computers. Look at the right pane to see if the computers that you moved are now in the list.

If you move a computer that is an Information Manager server, you may have to log on again before you see the computer in the organizational unit. Agents that connect to the Information Manager server may need to be restarted.

About modifying computer permissions

When you create a role, permissions are assigned for each computer with regard to that role. These permissions control whether role members who log on to the Information Manager console can view, modify, or move the computer.

To modify the permissions for a computer, you must display the Permissions dialog box for the computer. You cannot modify permissions for computers using the Role Properties dialog box.

See “Modifying permissions from the Permissions dialog box” on page 58.

Note: To modify permissions, you must be logged on as a member of the Domain Administrator role.

Deleting a computer from an organizational unit

If you want to delete an organizational unit, you must first remove any computers within the organizational unit by moving them or deleting them. You may also want to delete a computer that you no longer want to have under Information Manager management.

If the computer was created by installing an agent as part of a security product installation, you should uninstall the collectors and agent from the computer before you delete the computer from the Organizational Units container in the Information Manager console.

See “Creating computers within organizational units” on page 82.

Deleting a computer from an organizational unit removes it from the LDAP directory.

Warning: If you delete a computer that is an Information Manager server, you must perform extra steps to add it to an organizational unit again. To restore a deleted Information Manager server to the LDAP directory, you must do one of the following: re-register the deleted server with the LDAP directory in which it was previously registered, or reinstall the Information Manager on the server.

To delete a computer from an organizational unit

1 In the Information Manager console, click System.

2 On the Administration tab, in the left pane, navigate to the relevant domain, and then expand the Organizational Units navigation tree.

3 In the left pane, select the organizational unit that contains the computer that you want to delete.

4 In the right pane, right-click the computer name, and then click Delete.

5 To confirm your intention to delete the computer from the organizational unit, click Yes.

About the Visualizer

The Visualizer provides a convenient way to view your Symantec Security Information Manager environment, including the computers that are assigned to organizational units. You can use it to monitor events per second (EPS) rates and CPU usage on your network devices. You can also view and modify properties of elements such as the Information Manager server and agents.

See “About using the Visualizer” on page 95.

See “Viewing and modifying element properties” on page 98.

About using the Visualizer

The Visualizer provides a graphical view of your Information Manager environment. When you click the Visualizer tab on the System view, you see a set of icons. The icons represent such elements as correlation servers, collection servers, agents, and directories. The Icons tab in the Legend pane illustrates and defines each type of icon that can appear in the diagram.

See “About the Visualizer” on page 95.

The Overview pane that is located on the top left corner provides a visual summary of the layout in which the various components are arranged in your Information Manager environment. You can click a specific item in the overview and easily reach the selected item in the graphical view.

Colored lines join elements to indicate the nature of their interactions. For example, a green line appears between an Information Manager server and its event archive. A blue line indicates that event forwarding is configured between a collection server and the correlation server. The arrow shows the direction in which the event data flows. To see an explanation of each color, click the Edges tab in the Legend pane.

You can place the icons where you want them by dragging them with the mouse. The associated text moves with the icon. You can also move the text to a different position relative to its icon. Click and hold the mouse over the text, and then move the mouse. Empty text boxes appear on each side of the icon. Drag the text into one of the boxes and release the mouse.

The toolbar includes tools to help you examine the graphic.

The colored dots that appear next to an element indicate the activity level of these elements. Some dots reflect the volume of EPS, and other dots reflect the percentage of appliance CPU in use. The meaning of each color is as follows:

EPS

■ Green = less than or equal to 2.5 K

■ Yellow = 2.5 K to 5 K

■ Red = greater than 5 K

CPU usage

■ Green = less than 60%

■ Yellow = 60% to 80%

■ Red = greater than 80%

Note: The EPS display on the Visualizer tab depends on the value of the AgentQueueStatisticsReportInterval setting under System > Product Configuration > SSIM Agent and Manager > Agent Configurations > Logging. By default, this value is set to 300 seconds and the EPS is updated after that interval only. You can configure it to a lower interval. However, setting a lower value may result in a lower performance by the agent. You must update (push) the configuration to the agent for the change to take effect.

Table 5-2 describes the tools in the toolbar.


Table 5-2 Visualizer tools

Tool: Purpose

Layout menu
  This option lets you view your network topology using the following layouts:

  ■ Organic

  ■ Circular

  ■ Hierarchic

  ■ Orthogonal

  ■ Tree

Refresh
  This option lets you update the display after you make configuration changes. For example, after you add a collector, click Refresh to re-draw the diagram and show a new icon for the added collector.

Zoom in
  This option lets you expand the diagram view.

Zoom out
  This option lets you minimize the diagram view.

Zoom selected
  This option lets you enlarge the view of a selected portion in the diagram. Select a portion of the diagram by clicking the mouse and dragging a box around the required area. Then click the Zoom Selected icon to enlarge the area that you selected.

Fit to window
  This option returns the diagram to its original size, to fit the entire diagram in the right pane of the System view.

Save as
  This option lets you save the information in the diagram as an XML file. Symantec Technical Support may request this file to assist in troubleshooting.

Export Image
  This option lets you export the Visualizer image as a .gif or .jpg file. You can also adjust the image width and height, and define the clip area as a view or a graph.

Print
  This option lets you print the diagram. On the Print Options dialog box, you can select the height (Poster Rows) and width (Poster Columns) if you print a very large diagram. The default setting (one poster row and one poster column) prints the entire diagram on a single page.

Table view
  This option displays a table with one row for each element that is involved in processing events. The table dynamically displays such information as EPS and the total number of events that the element has processed since it was last started. The details that are displayed in the table view can be saved into CSV format.

  A green check mark means that the element is running; a red X means that the element is not responding.

Use Magnifier
  This option lets you magnify any selected portion of the diagram.

Viewing and modifying element properties

You can view the properties of many of the elements in the Visualizer diagram. You can also modify some of these properties.

See “About using the Visualizer” on page 95.

The same properties are also accessible through other tabs on the System view. You use these tabs to add and delete elements, such as collectors. After you add an element, you distribute it; the element appears in the Visualizer.

Table 5-3 explains how to access each of the element categories on other System view tabs.

Table 5-3 Accessing element properties on System view tabs

Category: How to access

Computers
  This category includes appliances, agents, and collectors.

  ■ Select Administration > Organizational Units.

  ■ Select an organizational unit.

  ■ In the list in the right pane, double-click the name of a computer.

  A dialog box displays the computer's properties.

Directories
  ■ Select Administration > Directories.

  ■ In the list in the right pane, double-click the name of a directory.

  A dialog box displays the directory's properties.

Products
  This category includes products such as collectors and firewalls.

  ■ Select Product Configurations.

  ■ In the left pane, click the name of a product.

  The right pane displays the product's properties.


To view and modify element properties

1 On the System view of the Information Manager console, click the Visualizer tab.

2 Right-click on an icon in the diagram, and then click Properties.

A dialog box displays a set of tabs that let you access the element's properties.The displayed properties depend on the type of element that you selected.For example, a collection appliance has different properties than an agent.

3 View and modify any of the available properties in the dialog box, using the tabs to navigate through the properties.

4 When you finish viewing and modifying properties, click OK.


Chapter 6 Configuring a service provider

This chapter includes the following topics:

■ About using Information Manager in a service provider context

■ About responding to a client incident

■ About setting up a Service Provider environment

■ Disconnecting a client from a Service Provider Master

About using Information Manager in a service provider context

Information Manager can be used to offer services to manage security incidents for multiple business clients and physical locations. In a service provider context, Information Manager can be used to gather, correlate, monitor, and initiate resolution of security incidents in real time. An instance of Information Manager that is configured as a service provider can also create and work with tickets. It can also generate and deliver custom reports.

See “About using Information Manager in a service provider context” on page 101.

Correlation can now be enabled on the Service Provider Master. This feature can be used to trigger the rules on the Service Provider Master and create incidents based on local Service Provider events.

Using Information Manager in a service provider context has the following minimum requirements:

■ For a service provider client: At least one instance of Information Manager must be configured to monitor and correlate security events, and forward the resulting incidents. A copy of the incidents that are created at the client correlation server is forwarded to the Service Provider Master.

■ For a service provider: At least one instance of Information Manager must be configured as a Service Provider Master. You can add multiple correlation servers for a single domain through the client configuration user interface on the console of the Service Provider Master. The Service Provider Master receives a copy of the incident data that the client server forwards. Using the Information Manager console, a Service Provider Master provides a centralized view of all of the incidents that each client generates. If the service provider uses more than one Service Provider Master to manage clients, each master operates independently from any other Service Provider servers.

Figure 6-1 displays the relationship between multiple clients that use instances of Information Manager and a service that manages incidents using the server of the Service Provider Master. Each client maintains its own event and incident management policies and topologies. The only requirement is that the client configures the primary correlation server to forward any incidents that are generated to the Service Provider Master.


Figure 6-1 Service Provider Master with Correlation Service enabled

About the service provider environment from the client perspective

When a client uses the services of an Information Manager service provider, the client environment is configured as a completely autonomous Information Manager solution. All raw event data is gathered, stored, managed, and correlated within the environment of the client. All the information about the client Information Manager's assets, tickets, incidents, and users is exclusive to the client environment.

See “About using Information Manager in a service provider context” on page 101.

The key connection to the Service Provider is through a primary correlation server, which is configured to gather and forward a copy of incidents to the Service Provider Master Server. The service provider that receives the copy of client incidents then processes, analyzes, and monitors the incidents. When necessary, the service provider then initiates the appropriate remediation steps by notifying the client.


About the service provider environment from the provider perspective

Incident management on the Service Provider Master begins as soon as the following conditions are met:

■ At the client site, incident forwarding is enabled on the primary correlation server and network connectivity with the off-site management service is established.

■ The Information Manager server at the service provider management site is configured to receive incidents as a Service Provider Master. The Service Provider Master is also configured with a client account. This account includes the client location, the service provider analyst who is assigned to the account, and the contact information for the client.

When these prerequisites are met and incident forwarding is enabled, the incidents that a client server creates can be managed at the Service Provider Master. Incidents that were created before incident forwarding was enabled can also be forwarded. To forward these incidents, use the Incident Synchronization feature in the Web configuration interface for the client.

See “Synchronizing the Service Provider Master with client incidents” on page 110.

About customizing the Incidents view in a Service Provider Master console

When you configure a server to perform the duties of a Service Provider Master Server, the view in the Information Manager console is modified. The view is modified to match the features that are available in a service provider context. The primary differences in the console appear on the Incidents view. A Service Provider Server uses a configurable single incident view that is a streamlined version of the Incidents view.

See “About using Information Manager in a service provider context” on page 101.

The client configuration user interface on the console of the Service Provider Master lets you add multiple correlation servers for a single domain. The Incidents view on the Service Provider Master displays the host name with a domain that corresponds to a particular incident of a client.

When you view incidents in a Service Provider console, the Original ID and the Reference ID serve two distinct purposes. If you use multiple clients, the Original ID is the incident number that the client generates and then forwards to the Service Provider. The Reference ID is the incident number that the Service Provider generates.

Changes to the Incidents view include the following:


■ Contacts, Tickets, and Remediation tabs are now available from within the incident details. The Contacts tab is not available for clients having the same domain as the Service Provider Master.

■ Incident details are now displayed in a separate Information Manager console window, unlike the browser window that is displayed in earlier versions of Information Manager.

About responding to a client incident

In the Incidents view of the Information Manager console, when you click an incident that a Service Provider client generates, you can use the fields and information on the available tabs to take the appropriate action.

See “About using Information Manager in a service provider context” on page 101.

To view the incident details, you can quickly review the incident by double-clicking the incident in the summary table. Double-clicking an incident in this view opens the Client Incident viewer, which is a browser instance that communicates over a secure browser session (HTTPS). This console lets you analyze the incident without having to open an additional Information Manager console session. The Client Incident viewer provides a streamlined view of the incident details. The viewer also lets you perform tasks to address the incident immediately, such as selecting an Assignee, State, Priority, Severity, and so forth.

Creating Information Manager tickets in a Service Provider Master context

When you view client incidents on a Service Provider Master, you can view, create, and resolve the following types of tickets:

See “About using Information Manager in a service provider context” on page 101.

■ An Information Manager Service Provider ticket. When you work in an Information Manager console that is logged on to a Service Provider Master, the ticket that is displayed in the Incidents or Tickets view is exclusive to the environment of the Service Provider Master. A service provider analyst or administrator uses the information in this ticket to perform certain duties: for example, following the steps that are required to notify a client that an incident has occurred.

■ An Information Manager client ticket. When you open the Client Incident viewer, a ticket that is displayed in that browser session is local to the client environment. A client uses the information in this ticket to perform certain duties: for example, the tasks that are necessary to address the incident within the client environment.


To create an Information Manager Service Provider ticket, you use the Information Manager console that is logged on to the Service Provider Master. Service provider analysts or administrators use the Service Provider Master ticket. The client does not see Service Provider tickets.

To create an Information Manager client ticket, you use the Client Incident viewer browser session. Alternatively, you can use a separate instance of the Information Manager console that is logged directly on to the client's correlation server. The Client Incident viewer and the Information Manager console instance that is logged on to the client server share the same client ticket information. A ticket that is created from within the Client Incident viewer is local to that client, applies only to the client's resources, and so forth. For example, this type of ticket may include the instructions that client IT personnel must act upon to reduce the spread of an outbreak.

To create a ticket for the client environment

1 In the Information Manager console for the Service Provider Master, on the Incidents view, double-click the incident.

2 In the Client Incident viewer, click Create Ticket.

3 In the Ticket Details area, enter the ticket information for the client in the available fields. The Summary field is required.

4 In the Creator area, enter the contact information for the appropriate service provider contact in the available fields.

5 In the Help Desk Assignee area, assign the ticket to the appropriate client assignee.

6 (Optional) Add any necessary instructions.

7 Click Save.

After the ticket is saved, you can view, add, or remove any associated tasks using the Tasks tab. You can also add a note on the Log tab.

To create a ticket for the Service Provider Master environment

1 In the Information Manager console for the Service Provider Master, on the Incidents view, click the incident.

2 In the lower pane, on the Tickets tab, click Create Ticket.

3 In the Ticket Details window, use the available fields to provide the necessary ticket information. The Summary field is required. The Assignee field provides a list of Service Provider environment users.

4 When you are finished, click OK.


Exporting incident information from the Client Incident viewer

You can export incident data from the Client Incident viewer using the Export button and the save feature of the browser that you use.

See “About responding to a client incident” on page 105.

To export incident information from the Client Incident viewer

1 In the Information Manager console, on the Incidents view, double-click the incident that you want to export.

2 In the Client Incident viewer, click Export. Specify a new name or accept the default name for the CSV file.

3 Save the exported CSV file in the required location.

About setting up a Service Provider environment

When you configure Information Manager servers in a Service Provider context, you must configure the following:

■ The client server that creates incidents. In distributed client environments, this server is generally the primary correlation server.

■ The service provider server that receives the forwarded incidents.

See “About using Information Manager in a service provider context” on page 101.

Configuring an instance of Information Manager as a Service Provider client

To configure an instance of Information Manager as a client of a Service Provider Master, configure the client server to forward incidents to the Service Provider Master.

See “About using Information Manager in a service provider context” on page 101.

To configure an instance of Information Manager as a Service Provider client

1 Using the Information Manager console, connect to the client instance of Information Manager.

2 On the System view, click the Server Configurations tab and expand the server to configure as the Service Provider client.

3 Click Incident Forwarding Rules, and then click the Add icon.

4 In the Incident Forwarding Rules window, type a name for the rule in the Rule name field.


5 Enter the server host name or IP address of the Service Provider Master.

6 Click OK.

7 Ensure that Enabled is checked, and then click Apply to apply the incident forwarding rule.

Configuring an Information Manager server as a Service Provider Master

To enable an Information Manager server to perform the duties of a Service Provider Master, you enable this feature in the System view.

See “About setting up a Service Provider environment” on page 107.

Correlation can now be enabled on the Service Provider Master. This feature can be used to trigger the rules on the Service Provider Master and create incidents based on local Service Provider events.

Note: Ensure that the Event Forwarding rule is enabled if the Correlation Service is enabled on the Service Provider Master.

To configure a server as a Service Provider Master

1 Using the Information Manager console, connect to the instance of Information Manager that is to be the Service Provider Master.

2 On the System view, on the Server Configurations tab, expand the server that is to be configured as the Service Provider Master.

3 Click the server folder.

4 In the right tile, under Service Provider, check Service Provider Master.

5 Click Apply.

6 Close and restart the Information Manager console.

To enable the correlation service on a Service Provider server

1 Using the Information Manager console, connect to the Service Provider Master and log on as an administrator.

2 On the System view, on the Server Configurations tab, click the server folder.

3 In the Server options area, select the option for Enable Correlation.

4 Click Apply.


Configuring service provider client management accounts

To manage a service provider client, you configure a client account. The account must include the network and physical location, the assigned service provider analyst, and the contact information that is associated with the client.

See “About setting up a Service Provider environment” on page 107.

You can add multiple clients that have the same domain as the Service Provider Master. You can also add multiple clients that have a different domain, and provide a single incident view for incidents from all correlation servers.

To add a service provider Client management account

1 Using the Information Manager console, connect to the instance of Information Manager that is to be the Service Provider Master.

2 On the System view, expand the domain, and click Clients.

3 Click New (+).

4 In the Add Client wizard, in the Client Information window, describe the client using the fields provided, and then click Next.

5 In the Client Setup window, click New.

6 In the Client Account fields, do the following for each analyst to assign to this account:

■ In the Client Username and Client Password fields, enter the appropriate client user name and password information.

■ In the Analyst field, use the ellipsis (...) to open the Find Users dialog box and choose the analyst (or analysts) to whom the account is to be assigned.

■ If you want the assigned analyst to receive notifications for incidents, select Analyst Notification. The settings for the user determine the notifications.

7 Click Save to add the analyst to the list.

8 When you are finished, click Next.

9 In the Contact Information window, click New.

10 In the Add/Edit Contact area, enter the relevant client contact information. This contact is the client representative who is contacted when, for example, an incident requires remediation. You can add multiple contacts if necessary.

11 Click Finish.


To delete a service provider client management account

1 Using the Information Manager console, connect to the Service Provider Master.

2 On the System view, expand the domain, and click Clients.

3 Click Delete (-).

4 In the Delete Client Configurations dialog box, click Yes.

Synchronizing the Service Provider Master with client incidents

The correlation server for a Service Provider client can create Information Manager incidents when the client and Service Provider Master are not connected. You can synchronize the Service Provider Master when the connection is available. When you synchronize client and Service Provider Master incidents, you forward an updated set of incident data. The data is forwarded from the client's correlation server to the Service Provider Master.

See “About setting up a Service Provider environment” on page 107.

The synchronization tool is available in the Web configuration interface for the client's correlation server.

To synchronize the Service Provider Master with client incidents

1 On the correlation server that forwards incidents to the Service Provider Master, log on to the Web configuration interface using administrator credentials.

2 On the Maintenance view, click Incident Synchronization.

3 In the details pane, click Start.

Disconnecting a client from a Service Provider Master

You can disconnect a client from a Service Provider Master by disabling Incident Forwarding on the client instance of Information Manager.

See “About setting up a Service Provider environment” on page 107.

To disconnect a client from a Service Provider Master

1 Using the Information Manager console, connect to the client instance of Information Manager.

2 In the System view, on the Server Configurations tab, expand the domain that you want to disconnect from the Service Provider Master.


3 On the Incident Forwarding Rules view, select the forwarding rule that forwards incidents to the Service Provider Master, and click Delete (-).

4 Click Apply.

5 If you want to delete the client configuration, do the following:

■ Using the Information Manager console, connect to the Service Provider Master.

■ On the System view, on the Administration tab, click Clients.

■ Choose the client configuration that you want to remove, and click Delete.

■ In the Delete Configurations dialog box, click Yes.


Section 3 Planning for security management

■ Chapter 7. Managing the correlation environment

■ Chapter 8. Defining rules strategy


Chapter 7 Managing the correlation environment

This chapter includes the following topics:

■ About the Correlation Manager

■ About the Correlation Manager knowledge base

■ About the default rules set

About the Correlation Manager

The Correlation Manager component of Information Manager performs automated real-time event correlation, aggregation, filtering, and incident creation. To perform these functions, it uses a set of rule files and a knowledge base to compare events to patterns of common network security threats.

See “About the Correlation Manager knowledge base” on page 116.

To facilitate security analysis, the Correlation Manager filters false positive events from networks, including the events that your company security policy permits. The Correlation Manager also identifies attacks based on patterns of firewall, Intrusion Detection System, and antivirus activity across desktops, gateways, and servers. The Correlation Manager can then declare the incidents that warrant further action and closure.

The Correlation Manager can provide conclusions regarding the overall analysis or cause of attacks. It also aggregates information about source, destination, attack types, and all related events into the incident record for forensic analysis.

See “About the default rules set” on page 116.


About the Correlation Manager knowledge base

The Correlation Manager knowledge base consists of the tables that contain information about the network, security policies, and normalized event categories and subcategories. The Information Manager default rules reference this information to allow the correlation engine to make a more effective evaluation of incoming security events. Custom rules can also reference the information in the Correlation Manager knowledge base tables.

The information in the knowledge base is a combination of the following: updated information from the Symantec DeepSight Threat Management System, and the information that you can edit from the Lookup Tables option of the Rules view.

If you have a valid DeepSight license, you can receive frequent updates directly from DeepSight. If you do not have a license, you receive updates to security content through LiveUpdate packages.

See “About the Correlation Manager” on page 115.

See “About managing Global Intelligence Network content” on page 327.

About the default rules set

Information Manager includes a set of rules that identify the most common security threats. Information Manager also provides default filters to help reduce common false positives. New rules are developed regularly and are distributed through the LiveUpdate process. You can also create your own rules from the Rules view of the Information Manager console.

See “About the Correlation Manager” on page 115.

See “About the Correlation Manager knowledge base” on page 116.

Table 7-1 lists the default rules and the types of security products with which they are usually associated.


Table 7-1 Correlation Manager rules by security product type

Security product: Antivirus
Associated rules:
■ AntiVirus Disabled
■ Critical Malicious Code Detection
■ Incomplete AV Scan
■ Malicious Code via Email Not Quarantined
■ Malicious Code Not Quarantined
■ Malicious Code Outbreak
■ Malicious Code Propagation
■ Outbound Spam Zombie
■ Spyware Not Quarantined
■ Spyware Outbreak
■ Worm Activity

Security product: Firewall
Associated rules:
■ Block Scan
■ Check FTP Transfers
■ Distributed DoS High Volume
■ DoS High Volume
■ External Port Sweep
■ Internal Port Sweep
■ IP Watchlist Destination
■ IP Watchlist Source
■ IRC Bot Net
■ Malicious URL
■ Organization IP in Watchlist Activity
■ Outbound Spam Zombie
■ Ping Scan Detector
■ Port Scan Detector
■ Potential Staged Attack
■ Scan Followed By Exploit
■ Single Event DoS
■ Smurf Attack Firewall
■ Traffic to a Monitored Address
■ Trojan Connections
■ Unauthorized Outbound Email Domain
■ Unauthorized Port Inbound
■ Unauthorized Port Outbound
■ Watchlist Potential Policy Violators

Security product: Network intrusion detection system (NIDS)
Associated rules:
■ Attempted DNS Exploit
■ Attempted FTP Exploit
■ Attempted WWW Exploit
■ Attempted Service Exploit
■ Block Scan
■ Departed Employee Username
■ DoS High Volume
■ Distributed DoS High Volume
■ Intrusion Threshold (Disabled by default)
■ IP Watchlist Destination
■ IP Watchlist Source
■ IRC Bot Net
■ Malicious Code Propagation
■ NULL Login Authentication Violation
■ Ping Scan Detector
■ Return Trojan Traffic
■ Scan Followed By Exploit
■ Single Event DoS
■ Smurf Attack IDS
■ TFTP from WebServer
■ Traffic to a Monitored Address
■ Vulnerability Scan
■ Vulnerability Scan Detector
■ Watchlist Potential Policy Violators
■ Web Vulnerability Scan

Security product: Host intrusion detection system (HIDS)
Associated rules:
■ Account Guessing Attack
■ Departed Employee Username
■ DoS High Volume
■ IP Watchlist Destination
■ IP Watchlist Source
■ Multiple Files Modified
■ NULL Login Authentication Violation
■ Password Guessing Attack
■ Potential Staged Attack
■ Scan Followed By Exploit
■ Single Event DoS
■ Trojan Connections
■ Vulnerability Scan
■ Vulnerability Scan Detector
■ Watchlist Potential Policy Violators
■ Web Vulnerability Scan

Security product: Vulnerability assessment
Associated rules:
■ Potential Staged Attack
■ Vulnerability Scan

Security product: Policy compliance
Associated rules:
■ Departed Employee user name Activity
■ Policy Compliance Violation

Security product: Windows Events
Associated rules:
■ Account guessing attack
■ Non Business Hours Logins
■ Password guessing attack
■ Potential Staged Attack
■ Windows Account Lockout (Disabled by default)
■ Windows Audit Log Cleared
■ Windows Privileged Activities by user
■ Windows Privileged User Created
■ Windows Security Violation (Disabled by default)
■ Windows Sensitive File Access

Security product: Information Manager System
Associated rules:
■ Agent Queue Monitor
■ Cert Expiration Warning
■ IncidentCreationAlert (Disabled by default)
■ Invalid Event Date Alert
■ Low Disk Space Warning
■ MultiEvent Rule Example
■ Negative Rule Type Example
■ Password Guessing Attack
■ Validate Archive


Chapter 8 Defining rules strategy

This chapter includes the following topics:

■ About creating the right rule set for your business

■ About defining a rules strategy

■ About correlation rules

■ About rule conditions

■ About the Event Count, Span, and Table Size rule settings

■ About the Tracking Key and Conclusion Creation fields

■ About the Correlate By and Resource fields

■ Importing existing rules

■ Creating custom correlation rules

■ Enabling and disabling rules

■ Working with the Lookup Tables window

About creating the right rule set for your business

A good approach to creating custom rules is to start with the generalized rules provided by Symantec and fine-tune them. Another good approach is to add new rules based upon real event data from your network.

See “About defining a rules strategy” on page 123.

The customizations usually belong to one of the following categories:

Incidents stemming from machine-generated events
These include all of the security devices on your network that generate the events that you collect. For example, firewall products such as Checkpoint® Firewall generate a huge amount of event data. In most cases, you should edit default rules or create new rules to filter out false positive incidents.

Incidents relating to human events or policies
These incidents include your corporate IT security policies and regulatory compliance requirements. They also include any unique characteristics about user activity in your network that machine-generated events would typically miss, or that result in false positive incidents.

The following is a general overview of the process for developing rules:

■ Set up Information Manager in a lab environment.

■ Update the Assets view to include the IP addresses of hosts that are mission-critical or that host sensitive information.

■ Collect event data from your network for a week. This data should include events from all of the security products that you want Information Manager to correlate. For example, antivirus, host intrusion detection systems, network intrusion detection systems, and firewalls.

■ Run the default rules and review the incidents created.

■ Look for any false positives that you can easily filter out. Following are examples of good candidates for filtering: incidents from the failed connections that the firewall reports, and the Windows-only attacks that computers running Linux report.

■ Look at any known security incidents that occurred during the week that you collected the data. Adjust the filters and rules if there are any incidents that should have been created and were not.

■ Look for the incidents that are the result of firewall rules being too lax. Tuning firewall and Information Manager rules is an on-going process based upon the changes in your network. Opening a firewall port to enable an essential line-of-business application may suddenly result in a huge number of false-positive incidents. When that occurs, you need to create a new rule to filter out events from an approved use of that application. You may also discover that there is a port that is still open long after the application that required it has been retired.

■ Create rules to support security practices in your company. For example, you can create a rule to assign a weekly help desk ticket for security IT to contact users who are not running antivirus software.


■ As you change rules, use the Information Manager rule test feature to assess whether the customizations work. Of particular concern should be any rules that never create conclusions or those that create conclusions too often.

■ With your Information Manager server still in a test environment, forward live network events to it. Continue to refine your rules.

■ After you are satisfied with the incidents that are declared, migrate the server to your live network.

About defining a rules strategy

To develop a security plan that incorporates correlation rules and filters, you must understand the business needs of your organization from a security perspective.

See “About creating the right rule set for your business” on page 121.

For example, if your implementation protects and monitors network resources relating to financial transactions, you can develop and refine your rule set accordingly. Your area of concern might focus on authentication on the servers that contain sensitive financial data.

In addition, you may need to evaluate the rules that you deploy based on regulatory compliance concerns. This evaluation ensures that the event data that is evaluated is handled in a way that meets the requirements of the policies.

About correlation rules

Correlation rules describe the logic that is applied to an event or a set of events to detect possible security concerns.

See “About creating the right rule set for your business” on page 121.

Conceptually, correlation rules can be classified into the following general categories:

■ An event identifies an attacker who attempts to intrude on a specific computer or resource.

■ Some unknown system or a number of systems attempts to cause a specific system to malfunction or cease functioning.

■ The organization or analyst wants to group events into particular types of incidents to make viewing and analysis simpler. For example, these types of rules may aggregate the events that are related to policies or products.

Correlation rules consist of the following:

Rule type: Identifies the pattern that best describes the event. See “About rule types” on page 125.

Event criteria: The specific values or threats that the rule applies to, including the number of events that occur over a specified period of time. See “About event criteria” on page 129.

Rule settings: The event count, span, table size, tracking keys, and description of an event.

Conclusion and correlation settings (Actions tab): The fields that are used to correlate existing event conclusions with new events as they occur within the specified time period. If the number of events that is specified in the Count field is met, the conclusion is escalated to an incident. In addition, the incident is then correlated with existing incidents where applicable. The severity of a match for the rule is also determined. Additional details are available through the variables that you can specify in the Description field.

Auto assignment and notification settings: Describes how alert and incident assignment tasks are handled when an incident is created. In the Auto Assignment area, incidents can be assigned to a specific user or user group (team). The Notification area lets you notify additional recipients that the incident has occurred. For example, an Antivirus Disabled incident might be assigned to a response technician who is responsible for immediately assessing the event. An additional notification can be sent to the network administrator who monitors the overall health of the network segment from which the incident occurred.

About rule conditions

The rule conditions describe the fields and conditions that the rule is processed against to determine if the event applies to a conclusion.

See “About correlation rules” on page 123.

The Rule Conditions panel provides access to all available event and schema field data. The analyst can use this data to further identify and define the events that should be escalated as a potential security threat.

About rule types

A rule type determines the underlying behavioral patterns that a rule uses to identify a match. For example, if the rule type is set to Single Event, the rule evaluates each event for a criteria match. It only requires a single event to trigger a conclusion. A rule that uses the Many to One rule type evaluates each event against the criteria. However, it then creates a conclusion when a specified number of matching events have aggregated over a predetermined period of time.

See “About rule conditions” on page 124.

Conclusions that involve more than one event use the One to Many and Many to One event correlation tables. In addition, the Tracking field is provided. It identifies the element that is used as the basis for additional events to be correlated to existing events and conclusions.

Table 8-1 describes the rule types that are available and provides examples.

Table 8-1 Rule types

Rule Type: Many Sources, One Target
Trigger Condition: Creates a conclusion when the events that match the specified criteria are detected from multiple unique source IP addresses to a single destination IP address within the specified period.
Possible Scenarios: Denial-of-service events can often be identified using this rule type. A Smurf attack uses ICMPEchoReply events from a large number of source computers to a single target.
Predefined rule examples: Distributed DoS High Volume, Smurf Attack

Rule Type: Many Symantec Signatures, One Source
Trigger Condition: Creates a conclusion when the events of different types that match the specified criteria are detected from a single source IP address within the specified period.
Possible Scenarios: A rule that detects a vulnerability scan can use this rule type. Within the criteria for that rule, EMR values can be set to identify multiple exploit events (such as Mechanism: Buffer Overflow, or Application Exploitation). In this example, the criteria for this rule includes multiple types of Mechanisms. Therefore, the rule would track multiple types of exploit events coming from the same source.
Predefined rule example: Vulnerability Scan Detector

Rule Type: Many Symantec Signatures, One Target
Trigger Condition: Creates a conclusion when events of different types matching the specified criteria are detected to a single destination IP address within the specified period.
Possible Scenarios: A rule that detects malicious IP hopping activity can use this rule type. To conceal scanning activity, an attacker may attempt one type of attack from one IP address. The attacker then changes to a different IP address to try a different attack until the most useful vulnerabilities have been identified. Attackers use this method to avoid detection as a vulnerability scan. Attackers know that vulnerability scanners often operate from a single source. Using this rule type, you can detect conditions where multiple attack types are targeted at a single host, regardless of the attack origin.

Rule Type: Many Targets, One Event
Trigger Condition: Creates a conclusion when events of the same type matching the specified criteria are detected from many unique destination IP addresses within the specified period.
Possible Scenarios: A rule that detects a MaliciousCodeOutbreak can use this rule type. To identify a Malicious Code Outbreak, a rule can be configured to identify instances of a particular virus on multiple targets. Using the EMR fields, the criteria can be set to Virus. Since the rule looks for the same event type, this rule would trigger only if it was the same virus event on each target.

Rule Type: Many Targets, One Source
Trigger Condition: Creates a conclusion when events matching the specified criteria are detected from a single source IP address to multiple unique destination IP addresses within the specified period.
Possible Scenarios: A rule that identifies a reconnaissance attack on multiple targets (such as a port scan) can use this rule type. To configure this example, you would choose the Many Targets, One Source rule type, and then set the EMR criteria value to Portscan.
Predefined rule examples: Block Scan, IRC Bot Net, Ping Scan Detector

Rule Type: Many to One
Trigger Condition: Creates a conclusion when events matching the specified criteria are detected in a pattern that is set using the Many To One Fields and the One To Many Field options. In addition to the Event Criteria, the fields that must contain the same information for each event (One-Many Fields) and the fields that can contain different values in each event (Many-One Fields) are used to correlate similar events occurring within a predetermined timeframe. The Many to One rule requires the Tracking field to be populated. For this type of rule, the Tracking field generally matches a One-Many Fields entry.
Possible Scenarios: A rule to detect a port sweep can use this rule type. A port sweep is typically described as a single IP address that scans for a specific port on multiple computers. After you choose this rule type and set the event criteria for the rule, you set the One-Many and the Many-One field options. In the One-Many Fields area, select IP Source Address and IP Destination Port. This selection means that each event originates from the same IP address and targets the same port. In the Many-One Fields area, select the IP Destination Address option. (Note that the event destination can be a different IP address for each event.)
Predefined rule examples: MaliciousCodeOutbreak, SpywareOutbreak, DoS High Volume, External Port Sweep, Internal Port Sweep, Port Scan Detector, Intrusion Threshold, MultipleFilesModified, AccountGuessingAttack, Password Guessing Attack

Rule Type: Multi-condition
Trigger Condition: Creates a conclusion when a sequence of specified patterns is detected for one combination of one-to-many fields within a specified time period.
Possible Scenarios: A user logs on to a Windows computer and establishes an SSH connection to a UNIX computer. The user then logs on to the FTP server and downloads files from the FTP location.

Rule Type: Single Event
Trigger Condition: Creates a conclusion if an event matches the specified criteria. This rule type requires the Tracking field to be populated.
Predefined rule examples: AntiVirus Disabled, Malicious Code Not Quarantined, Spyware Not Quarantined, Check FTP Transfers, Malicious URL, Trojan Connections, AttemptedDNSExploit, AttemptedFTPExploit, AttemptedWWWExploit, TFTPfromWebServer, WindowsSecurityViolation, Windows Account Lockout, Windows Audit Log Cleared, Windows Privileged Activities by User

Rule Type: Symmetric Traffic
Trigger Condition: Creates a conclusion when the specified pattern of events is detected from a single source IP address to a single destination IP address, then from that destination IP address back to the original source IP address within the specified period.
Possible Scenarios: A rule that identifies BackOrifice exploit traffic between a single target and source can use this rule type. To monitor for BackOrifice symmetric traffic events, after you choose the Symmetric Traffic rule type, set the criteria to Symantec Signature for BackOrifice (attackID 1414). The rule triggers if an Intrusion Detection System logs both the connection from a source to a target, and from that target back to the source, as being BackOrifice traffic.
Predefined rule example: Return Trojan Traffic

Rule Type: Transitive Traffic
Trigger Condition: Creates a conclusion when the specified pattern of events is detected from a single source IP address to a single destination IP address. Then, the pattern is detected from that destination IP address to a new destination IP address within the specified period.
Possible Scenarios: A rule that identifies BackOrifice exploit traffic that moves from one source to a target backdoor, after which the targeted computer becomes the source that accesses the backdoor of a new target, can use this rule type. To monitor for BackOrifice transitive traffic events, after you choose the Transitive Traffic rule type, set the criteria to Symantec Signature for BackOrifice (attackID 1414). The rule triggers if an Intrusion Detection System logs the connection from a source to a target as BackOrifice traffic and then identifies the target connecting to a new target with the same event signature.
Predefined rule example: Malicious Code Propagation

Rule Type: X followed by Y
Trigger Condition: Creates a conclusion when a specified pattern is detected from a single source IP address to a single destination IP address. This pattern is followed by a different pattern from the same source IP address to the same destination IP address within the specified time period.
Predefined rule examples: Scan Followed by Exploit, Null Login Authentication Violation
Note: This rule is deprecated and is not supported. Use a Multi-condition rule type.

Rule Type: X not followed by X
Trigger Condition: Creates a conclusion when an event that matches the defined criteria is not detected again, as part of the pattern, a predefined number of times before the timeout.
Possible Scenarios: A rule to monitor user authentication failure for a specific period of time can use this rule type. User logon fails for a specific period of time and the user does not log in again.

Rule Type: X not followed by Y
Trigger Condition: Creates a conclusion when an event occurs that is defined by the X rule criteria, but an event that is defined by the Y rule criteria does not follow.
Possible Scenarios: A rule to detect a non-occurrence of a user action after a valid user action can use this rule type. A user logs on to a critical server but does not log off for a long time.

Rule Type: Y not preceded by X
Trigger Condition: Creates a conclusion when an event that is defined by the X rule criteria does not occur, but the next event that is defined by the Y rule criteria does occur.
Possible Scenarios: A rule to detect the deletion of a user before the user is added can use this rule type.

Rule Type: Lookup Table Update
Trigger Condition: Updates the configured lookup table if an event matches the specified criteria.
Possible Scenarios: A rule to dynamically update the lookup table with the configured event field values for the specified event criteria.
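The Symmetric Traffic and Transitive Traffic rows above describe two pattern rules over IDS events that share one signature. The following Python model, added here as an illustration and not code from Information Manager (whose rules are Java-based), applies both patterns to a constructed event list. The host addresses, timestamps and the IdsEvent structure are assumptions made for the example; only the BackOrifice signature name and attackID 1414 come from the table.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IdsEvent:
    ts: int          # seconds (constructed sample data uses small values)
    src: str         # source IP address
    dst: str         # destination IP address
    signature: str   # Symantec Signature as the IDS reported it


BACKORIFICE = "BackOrifice (attackID 1414)"

# Constructed sample events, not a real capture.
SAMPLE_EVENTS = [
    IdsEvent(10,  "10.0.0.1", "10.0.0.2", BACKORIFICE),   # A -> B
    IdsEvent(15,  "10.0.0.2", "10.0.0.1", BACKORIFICE),   # B -> A: symmetric return traffic
    IdsEvent(20,  "10.0.0.2", "10.0.0.3", BACKORIFICE),   # B -> C: transitive spread
    IdsEvent(30,  "10.0.0.6", "10.0.0.7", BACKORIFICE),   # F -> G
    IdsEvent(300, "10.0.0.7", "10.0.0.6", BACKORIFICE),   # G -> F, but 270 s later (outside a 60 s span)
    IdsEvent(100, "10.0.0.4", "10.0.0.5", "Other Signature"),  # different signature: ignored
]


def symmetric_traffic(events, signature, span):
    """Symmetric Traffic: the signature is seen from a source to a target, then from
    that target back to the source within `span` seconds.
    Returns one (source, target, ts_of_return) tuple per conclusion."""
    first_seen = {}        # (src, dst) -> ts of the first matching event in that direction
    conclusions = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.signature != signature:
            continue
        reverse = (e.dst, e.src)
        if reverse in first_seen and e.ts - first_seen[reverse] <= span:
            conclusions.append((e.dst, e.src, e.ts))
            del first_seen[reverse]        # one conclusion per outbound flow
        first_seen.setdefault((e.src, e.dst), e.ts)
    return conclusions


def transitive_traffic(events, signature, span):
    """Transitive Traffic: the signature is seen from a source to a target, then from
    that target to a new destination (not the original source) within `span` seconds.
    Returns (source, target, new_target, ts) tuples."""
    inbound = {}           # dst -> [(src, ts)] of matching events that reached dst
    conclusions = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.signature != signature:
            continue
        for src, ts in inbound.get(e.src, []):
            if e.dst != src and e.ts - ts <= span:
                conclusions.append((src, e.src, e.dst, e.ts))
        inbound.setdefault(e.dst, []).append((e.src, e.ts))
    return conclusions


if __name__ == "__main__":
    print(symmetric_traffic(SAMPLE_EVENTS, BACKORIFICE, span=60))   # [('10.0.0.1', '10.0.0.2', 15)]
    print(transitive_traffic(SAMPLE_EVENTS, BACKORIFICE, span=60))  # [('10.0.0.1', '10.0.0.2', '10.0.0.3', 20)]
```

The B -> A event at 15 s satisfies only the symmetric rule: the transitive rule skips it because its destination is the original source. Widening the span to 600 s makes the G -> F return at 300 s a second symmetric conclusion, which is the trade-off the Span setting controls.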

About event criteria

The Event Criteria field contains a vast array of possible values that a rule can use to identify an event pattern. The Event Criteria field includes event data and schema information.

See “About rule conditions” on page 124.

Table 8-2 describes the tabs available in the drop-down list.

Table 8-2 Event Criteria tabs

Common: Contains the data from the Normalization fields, the Symantec DeepSight Threat Management System database (using the Symantec Signature), and the Asset and the Network tables.

Derived: Contains the customized data from the Normalization fields, the DeepSight database (using the Symantec Signature), and the Asset and the Network tables. The system applies logic to the source and the destination IP addresses that results in several fields or flags being added to the event. For fields, this information is primarily data from the Asset and Network table. For flags, this information includes: traffic direction, Source is Internal, Destination is Internal, service info, Destination Port is Open, whether the Asset entry has the destination_port value that is listed as available, whether the asset is Vulnerable, or whether the Asset entry for the event’s destination_ip value is listed as being vulnerable to one or more of the BugTraq IDs associated with the event’s Symantec Event Code.

Events: Includes all of the events that have been identified for each product that is associated with your installation of Information Manager. This information is based on a combination of the default set of events (the Information Manager schema) and any SIPs that have been installed. These fields do not contain the Information Manager normalized values.

Other Fields: Provides a means of creating a product-specific field that uses a string or an integer value that may not be accessible through the schema provided. Event data is included with some of the events that are sent to Information Manager that a specific point product uses. However, this data is not accounted for as an identified field in the Information Manager schema that the collector uses (also known as out-of-band data). This data can be included either by the collector or it can be added during normalization.

Table Lookups: Provides access to the fields that are associated with the knowledge base tables that Information Manager and the environment provide. Also provides access to the resource-specific data that the user provides, for example, the Asset and Network tables. These fields are dynamically generated based on the current state of each of the knowledge base tables.

The Event Criteria rows include a logical decision field that provides the operator that is used to determine how the event criteria are evaluated.

Table 8-3 describes the decision option operators available.

Note: The available operators vary with each criteria type.

Table 8-3 Event Criteria operators

Equal: The field value is an exact match to the criteria value.

Not Equal: The field value does not match the criteria value.

Greater than: The field value is greater than the specified value.

Less than: The field value is less than the specified value.

Greater than or equal to: The field value is greater than or equal to the specified value.

Less than or equal to: The field value is less than or equal to the specified value.

Null: The field is empty.

Not Null: The field contains a value.

Is in: The field value matches a value that is contained in the specified table.

Is not in: The field value does not match a value that is contained in the specified table.

True: The field value is True.

False: The field value is False.

Contains: The field value contains the specified string. The usage of this operator varies with the field against which the data is compared. For example, if you use EMR values, a drop-down list of possible values appears. However, if you evaluate the string data in a field such as target_resource, the value that you type is used to perform a substring search. For example, to find out whether the string root.exe is contained in the target_resource field: if target_resource contains http://www.example.com/cgi-bin/root.exe?blah, root.exe is identified and causes a match.

Doesn't contain: The field value does not contain the specified string. The usage of this operator varies with the field against which the data is compared. For example, if you use EMR values, a drop-down list of possible values appears. However, if you evaluate the string data in a field such as target_resource, the value that you type is used to perform a substring search. For example, to verify that the string root.exe is not included in the target_resource field: if target_resource contains http://www.domain.com/cgi-bin/root.exe?blah, root.exe is identified and indicates that the Doesn't contain condition is not met.

Matches: The field value matches the value that is specified as a regular expression.

Doesn't match: The field value does not match the value that is specified as a regular expression.
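The operators in Table 8-3 are easiest to reason about when run against a concrete event. The Python below is an added example written for this guide, not Information Manager code: it implements each operator as a small function and evaluates a set of criteria rows against a constructed event whose target_resource value is the URL from the Contains row. The field names, the WATCHED_PORTS lookup table, and the decision to combine rows with AND are assumptions made for the example.

```python
import re

# Constructed lookup table for the "Is in" / "Is not in" operators. It stands in
# for a custom lookup table; the port values are an assumption for this example.
WATCHED_PORTS = {21, 23, 69}


def _populated(value, test):
    # How the product treats an empty field under each operator is not described
    # in the table. Here a comparison or string test on an empty field fails, and
    # only Null / Not Null / Equal / Not Equal see the empty value directly.
    return value is not None and test(value)


OPERATORS = {
    "Equal":                    lambda v, c: v == c,
    "Not Equal":                lambda v, c: v != c,
    "Greater than":             lambda v, c: _populated(v, lambda x: x > c),
    "Less than":                lambda v, c: _populated(v, lambda x: x < c),
    "Greater than or equal to": lambda v, c: _populated(v, lambda x: x >= c),
    "Less than or equal to":    lambda v, c: _populated(v, lambda x: x <= c),
    "Null":                     lambda v, c: v is None,
    "Not Null":                 lambda v, c: v is not None,
    "Is in":                    lambda v, c: v in c,          # c is a lookup table
    "Is not in":                lambda v, c: v not in c,
    "True":                     lambda v, c: v is True,
    "False":                    lambda v, c: v is False,
    # Contains / Doesn't contain are substring searches on string fields.
    "Contains":                 lambda v, c: _populated(v, lambda x: c in x),
    "Doesn't contain":          lambda v, c: _populated(v, lambda x: c not in x),
    # Matches / Doesn't match take a regular expression; re.search is used, so an
    # unanchored pattern may match anywhere inside the field.
    "Matches":                  lambda v, c: _populated(v, lambda x: re.search(c, x) is not None),
    "Doesn't match":            lambda v, c: _populated(v, lambda x: re.search(c, x) is None),
}


def evaluate_row(event, field, operator, criterion):
    """Evaluate one Event Criteria row (field, operator, value) against an event dict."""
    if operator not in OPERATORS:
        raise ValueError(f"unknown operator: {operator!r}")
    return bool(OPERATORS[operator](event.get(field), criterion))


def event_matches(event, rows):
    """Every row must hold. Combining rows with AND is this example's assumption;
    the guide does not state how the product combines multiple rows."""
    return all(evaluate_row(event, *row) for row in rows)


# Constructed sample event; the target_resource value is the table's own example URL.
SAMPLE_EVENT = {
    "target_resource": "http://www.example.com/cgi-bin/root.exe?blah",
    "ip_destination_port": 80,
    "ip_source_address": "10.0.0.5",
    "user_name": None,
}

# Constructed criteria rows for a rule that flags requests for root.exe under cgi-bin.
WEB_EXPLOIT_ROWS = [
    ("target_resource", "Contains", "root.exe"),
    ("target_resource", "Matches", r"/cgi-bin/[^/?]+\.exe"),
    ("user_name", "Null", None),
]

if __name__ == "__main__":
    print(event_matches(SAMPLE_EVENT, WEB_EXPLOIT_ROWS))                       # True
    print(event_matches(SAMPLE_EVENT, WEB_EXPLOIT_ROWS +
                        [("ip_destination_port", "Is in", WATCHED_PORTS)]))   # False
```

Note the asymmetry the table describes: Contains with root.exe succeeds on the sample URL, so Doesn't contain with the same string fails on it, and the Is in row fails because port 80 is not in the constructed lookup table.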

About the Event Count, Span, and Table Size rule settings

The Rules Editor includes the settings that let you specify how many events must occur within a specified period of time to meet the criteria for the rule. In addition, you can also determine the table size for the event data that is stored.

See “About correlation rules” on page 123.

Table 8-4 Event Count, Span, and Table Size rule settings

Event Count: Determines the number of events that must occur within a specific time period to trigger an incident. The time period is specified in the Span settings. This setting is used primarily with the Many-One Field area on the Actions tab.

Span: Indicates the time period for the number of events that are specified in the Event Count field to occur.

Table Size: Specifies the state table size, in rows, that is maintained in memory for each rule.

For example, the Account Guessing Attack predefined rule requires that two events be identified within 10 minutes for the rule to trigger an incident. After the first event matches the rule criteria, an internal aggregation table is created that contains the event details. When the second matching event occurs, data from the second event is added to the same aggregation table. In this case, the Table Size setting is relatively small. However, if the Event Count were raised to a much larger number, the aggregation table could potentially run out of space. In that case, the table wraps (the new event data begins to overwrite the original event data in sequential order).

To prevent the data from being overwritten, the Table Size should be adjusted according to the event size expectations for the rule. Event data sizes vary widely with each implementation, but using the predefined rules as a starting point helps to identify general size parameters.

About the Tracking Key and Conclusion Creation fields

The Tracking Key and Conclusion Creation fields are used to further refine rule settings. Use these fields to establish whether an event should be correlated to the existing events that are tracked in aggregation tables. In addition, the Tracking Key and Conclusion Creation fields include the Severity and the Description fields. These fields provide a means for security analysts to escalate conclusions based on severity, and to include additional extracted information within the Conclusion Description.

Table 8-5 describes the Tracking Key fields on the Conditions tab.

Table 8-5 Tracking Key fields (Conditions tab)

One-Many Fields: Describes the elements that must remain consistent across each event in order for the event to be correlated to an existing event aggregation table. For example, to define a rule that tracks a single user name connecting to multiple target IP addresses (in other words, one user name to many IP addresses), set the rule type to One to Many, and in the One-Many Fields area, select User Name. This field must be the same in each event for any subsequent events to be correlated with previous events.

Many-One Fields: Describes the elements that must be different for each event in order for the event to be correlated to an existing event aggregation table. This field is used with the Event Count field to determine when the conditions for a One to Many rule have been met. For example, you want to define a rule that tracks a single user name connecting to multiple target IP addresses: in other words, one user name to many IP addresses. Set the rule type to One to Many, and in the Many-One Fields select Target IP. The IP address in this field must be different in each event for any subsequent events to be correlated with previous events.

Tracking Fields: Describes the field upon which a matching event is correlated to an existing conclusion. If an event matches the criteria for a rule, it is compared against the tracking fields for any existing conclusion. If the event matches an existing conclusion, it is correlated to that conclusion rather than being considered for a new conclusion. Required with the Many to One and Single Event rule types. With One to Many rules, this field is typically used to track the same value as in the One-Many Fields area: the event field data that must remain the same across each new event that is to be added to the aggregation table.
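Tables 8-4 and 8-5 together define how an aggregation table fills: One-Many Fields pick the table, Many-One Fields decide whether a new event is correlated into it, Event Count and Span decide when a conclusion is created, and Table Size caps the rows so that the table wraps when it is too small. The Python below is an added model of that behaviour using the Table 8-5 example (one user name to many target IPs); it is not the product's engine, and the event dicts, field names, timestamps and the make_rule settings are assumptions made for the example. Running the same events through a rule whose Table Size is smaller than its Event Count shows the failure mode Table 8-4 warns about: the wrap overwrites an earlier row and the rule never reaches its count.

```python
class AggregationTable:
    """Fixed-size state table (Table Size rows) for one aggregation key. When it is
    full it wraps: each new row overwrites the oldest row, in sequential order."""

    def __init__(self, size):
        self.rows = [None] * size
        self.next_slot = 0

    def add(self, row):
        """Store a row; return True when an earlier row was overwritten (a wrap)."""
        overwrote = self.rows[self.next_slot] is not None
        self.rows[self.next_slot] = row
        self.next_slot = (self.next_slot + 1) % len(self.rows)
        return overwrote

    def live_rows(self):
        return [r for r in self.rows if r is not None]


class ManyToOneRule:
    """Simplified aggregation rule: events whose One-Many Fields agree share a table;
    an event is correlated only if its Many-One Fields differ from every row already
    there; Event Count correlated events within Span seconds create a conclusion
    carrying the Tracking field values."""

    def __init__(self, name, one_many, many_one, tracking, event_count, span, table_size):
        self.name = name
        self.one_many, self.many_one, self.tracking = one_many, many_one, tracking
        self.event_count, self.span, self.table_size = event_count, span, table_size
        self.windows = {}       # One-Many key -> (window start ts, AggregationTable)
        self.overwrites = 0     # how often a table wrapped and lost event data

    def feed(self, event):
        key = tuple(event[f] for f in self.one_many)
        start, table = self.windows.get(key, (None, None))
        if table is None or event["ts"] - start > self.span:
            start, table = event["ts"], AggregationTable(self.table_size)   # new Span window
            self.windows[key] = (start, table)
        varying = tuple(event[f] for f in self.many_one)
        if varying in {tuple(r[f] for f in self.many_one) for r in table.live_rows()}:
            return None         # Many-One value already present: event is not correlated
        if table.add(event):
            self.overwrites += 1
        if len(table.live_rows()) >= self.event_count:
            del self.windows[key]   # conclusion created; later events start a new window
            return {"rule": self.name,
                    "tracking": {f: event[f] for f in self.tracking},
                    "event_count": len(table.live_rows())}
        return None


def run_rule(rule, events):
    """Feed events in time order and return the conclusions the rule created."""
    conclusions = []
    for event in sorted(events, key=lambda e: e["ts"]):
        conclusion = rule.feed(event)
        if conclusion is not None:
            conclusions.append(conclusion)
    return conclusions


# Constructed sample events (ts in seconds): one user name, several target IPs.
SAMPLE_EVENTS = [
    {"ts": 0,   "user_name": "alice", "ip_destination_address": "10.0.0.1"},
    {"ts": 60,  "user_name": "alice", "ip_destination_address": "10.0.0.2"},
    {"ts": 120, "user_name": "alice", "ip_destination_address": "10.0.0.2"},  # same target: not correlated
    {"ts": 180, "user_name": "bob",   "ip_destination_address": "10.0.0.2"},  # different One-Many key
    {"ts": 240, "user_name": "alice", "ip_destination_address": "10.0.0.3"},  # third distinct target
]


def make_rule(table_size):
    """Hypothetical rule from the Table 8-5 example: one user name to many target IPs."""
    return ManyToOneRule(name="One User Name, Many Targets (example)",
                         one_many=("user_name",), many_one=("ip_destination_address",),
                         tracking=("user_name",), event_count=3, span=600,
                         table_size=table_size)


if __name__ == "__main__":
    ok = make_rule(table_size=10)
    print(run_rule(ok, SAMPLE_EVENTS), ok.overwrites)        # one conclusion for alice, 0 wraps
    small = make_rule(table_size=2)
    print(run_rule(small, SAMPLE_EVENTS), small.overwrites)  # [], 1 wrap: the count is never reached
```

With Table Size 10 the third distinct target for alice produces a conclusion at 240 s. With Table Size 2 the third target overwrites the first row, so only two live rows ever exist and the rule stays silent, which is why the guide tells you to size the table from the rule's expected event volume rather than leaving it at a small default.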

Table 8-6 describes the Conclusion Creation fields on the Actions tab.

Table 8-6 Conclusion Creation fields (Actions tab)

Alerting Incident: Describes whether an incident should be treated as an alert rather than a security incident.

Severity: Describes the severity of the event conclusion, which can determine whether an incident is created. The Severity values include the following:

■ 1 - Informational: Purely informational events.

■ 2 - Warning: User decides if any action is needed.

■ 3 - Minor: Action is required, but the situation is not serious at this time.

■ 4 - Major/Critical: Action is required immediately and the scope may be broad.

■ 5 - Fatal: An error occurred, but it is too late to take remedial action and the scope is broad.

Description: Provides a user input area for security analysts to further define the conditions that led to the creation of the conclusion. This field also supports the use of field name variables that can be populated with event data.

Remediation: Provides a user input area for security analysts to include remediation notes for each incident that is created. The notes appear on the Remediation tab for the incident.

About the Correlate By and Resource fields

The Correlate By field determines whether a conclusion that is created should be mapped to an existing incident.

See “About correlation rules” on page 123.

For example, if a Virus Outbreak incident is in progress, using the appropriate setting in the Correlate By field causes each VirusOutbreak conclusion with the same virus name to be mapped to the existing incident.

In addition, you can use the Resource field drop-down list to further refine the characteristics of the correlation requirements for the incident.

Table 8-7 describes the Correlation types available in the Correlate By field.

Table 8-7 Correlate By fields

None: Correlation does not occur for the new incidents that match this rule.

Resource and Conclusion Type: Correlation is based on the Resource and the Conclusion type. For example, the same VirusOutbreak Conclusion type occurs on the same host that is specified in the Resource field. Therefore, the new conclusion is correlated to an existing incident.

Source and Destination: Correlation is based on the Source and the Destination fields. For example, a new conclusion is created and the source IP and destination IP are the same. Therefore, the conclusion is correlated to the existing incident.

Source and Conclusion Type: Correlation is based on the Source and the Conclusion type. For example, the same IP address causes PortScan conclusions. Therefore, any new PortScan conclusion that originates from the same source is mapped to the existing incident.

Source: Correlation is based on the Source field. If the Source matches, any conclusion that originates from that source is correlated to the existing incident.

Destination and Conclusion Type: Correlation is based on the Destination and the Conclusion type. For example, the conclusion is a denial-of-service attack that targets the same destination IP. Therefore, the conclusion is mapped to the existing incident.

Destination: Correlation is based on the Destination field. If the Destination is the same, any conclusion that applies to that destination is correlated to the existing incident.

Conclusion Type: Correlation is based on the Conclusion type. For example, all AntiVirusDisabled conclusions are mapped to the existing incident regardless of source or destination values.
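Each Correlate By type in Table 8-7 amounts to a choice of which conclusion fields form the key that a new conclusion is looked up by. The Python below is an added illustration of that mapping, not Information Manager code: it feeds four constructed conclusions (two VirusOutbreak conclusions on the same host, a VirusOutbreak on another host, and a PortScan from the same source) through a store configured with one Correlate By type and reports which incident each landed in. The conclusion field names, the host and address values, and the simplification that incidents never close are assumptions made for the example.

```python
# Correlate By types from Table 8-7, mapped to the conclusion fields whose values
# must agree for a new conclusion to join an existing incident. "None" never maps.
CORRELATE_BY = {
    "None": None,
    "Resource and Conclusion Type":    ("resource", "conclusion_type"),
    "Source and Destination":          ("source", "destination"),
    "Source and Conclusion Type":      ("source", "conclusion_type"),
    "Source":                          ("source",),
    "Destination and Conclusion Type": ("destination", "conclusion_type"),
    "Destination":                     ("destination",),
    "Conclusion Type":                 ("conclusion_type",),
}


class IncidentStore:
    """Maps conclusions to incidents by the configured Correlate By key. Simplified:
    incidents never close, so any later conclusion with the same key joins them."""

    def __init__(self, correlate_by):
        self.fields = CORRELATE_BY[correlate_by]
        self.incidents = []      # index is the incident id; each holds its conclusions
        self.by_key = {}         # correlation key -> incident id

    def correlate(self, conclusion):
        """Return the id of the incident the conclusion was mapped to (new or existing)."""
        if self.fields is None:
            return self._open(conclusion)
        key = tuple(conclusion[f] for f in self.fields)
        if key not in self.by_key:
            self.by_key[key] = self._open(conclusion)
        else:
            self.incidents[self.by_key[key]].append(conclusion)
        return self.by_key[key]

    def _open(self, conclusion):
        self.incidents.append([conclusion])
        return len(self.incidents) - 1


# Constructed sample conclusions, not data from any deployment.
SAMPLE_CONCLUSIONS = [
    {"conclusion_type": "VirusOutbreak", "resource": "host-a", "source": "10.0.0.5", "destination": "10.0.0.9"},
    {"conclusion_type": "VirusOutbreak", "resource": "host-a", "source": "10.0.0.5", "destination": "10.0.0.9"},
    {"conclusion_type": "VirusOutbreak", "resource": "host-b", "source": "10.0.0.5", "destination": "10.0.0.10"},
    {"conclusion_type": "PortScan",      "resource": "host-b", "source": "10.0.0.5", "destination": "10.0.0.10"},
]


def incident_ids(correlate_by, conclusions=SAMPLE_CONCLUSIONS):
    """Incident id assigned to each conclusion, in order, under one Correlate By type."""
    store = IncidentStore(correlate_by)
    return [store.correlate(c) for c in conclusions]


if __name__ == "__main__":
    for mode in CORRELATE_BY:
        print(f"{mode:32s} -> {incident_ids(mode)}")
    # e.g. "Resource and Conclusion Type" -> [0, 0, 1, 2]; "Source" -> [0, 0, 0, 0]
```

The output makes the trade-off visible: Source alone folds every conclusion from 10.0.0.5 into one incident, including the unrelated PortScan, while Resource and Conclusion Type keeps the two hosts' outbreaks apart and None opens a fresh incident every time.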

Importing existing rules

You can import rules from separate instances of Information Manager using the Import and the Export features available in each version. If you import a rule that references custom lookup tables, you must also import those tables.

See “About correlation rules” on page 123.

If you import a rule from a previous supported version of Information Manager, use the Rules view to delete any imported policy information. Then, apply the current policies. Java-based rules are imported as jar files.

Note: In the User Monitor folder, you can import only those monitors that are created by using Information Manager version 4.5.

When you import rules from a previous version of Information Manager that include user, team, or role assignments, verify that the assignments are configured correctly after the import completes. Sometimes a user, team, or role that existed in a previous version is not identical to the one that exists in the upgraded version. If so, you may need to reconfigure the rule assignment values to match the assignee information in the upgraded version.


To import an existing rule

1 In the console from which you want to export the rules, navigate to the Rules view. Then, export the rules you want to apply to the new console.

2 In the current Information Manager console, on the Rules view, expand the Correlation Rules folder.

3 Under the Correlation Rules folder, expand the User Rules folder.

4 Click Import from disk.

5 In the Select File(s) to Import dialog box, locate the file or files to import, and click Import....

To import a Java-based rule

1 In the Information Manager console, on the Rules view, click the User Monitors folder and then click Import from disk.

2 In the Select File(s) to Import dialog box, locate the jar file or files to import.

3 Click Import....

Creating custom correlation rules

The correlation rules describe the logic that is applied to an event or a set of events to detect possible security concerns.

See “About creating the right rule set for your business” on page 121.

You can create correlation rules from the Rules view of the console of the Information Manager client.

See “About correlation rules” on page 123.

The process for creating the correlation rules is as follows:

■ Define a name for the rule. See “To define a name for the rule” on page 137.

■ Configure the rule conditions. See “To configure the rule conditions” on page 137.

■ Configure the rule actions. See “To configure the rule actions” on page 138.

■ Deploy the rule on the server. See “To deploy the rule on the server” on page 140.


To define a name for the rule

1 On the Information Manager console, click Rules.

2 In the left navigation pane, under the Correlation Rules folder, click User Rules.

3 On the Rules tab, click Create new filter or rule (+).

4 In the Input dialog box, type a name for the rule.

You can now define a rule condition. A conclusion is generated if the set of events satisfies the defined conditions.

Note: You can configure multi-conditioned rules. Multi-conditioning lets you define rules that cover up to five user activities in a sequence. A conclusion is created when the specified sequence is detected for one combination of One-Many field values within a specified time period.

See “Creating a multicondition rule” on page 141.

To configure the rule conditions

1 On the Conditions tab, in the Description window, type a description for the rule.

2 On Conditions > Rule Type, click the entry that best matches the type of event and target combination that applies to the new rule.

For example, to declare an incident whenever a specific event is detected, select Single Event. To declare an incident after a specific number of events are detected from a specific IP address, select Many Targets, One Source.

See “About rule types” on page 125.

3 In the Event Criteria area, click Add.

4 Select the left column of the new entry, and then choose an event field.

5 Select the center column and specify the operator.

6 Select the right column. Based on the operator that you chose, specify the value that must be true for the event type.

7 Repeat steps 3 through 6 for any other event criteria that you want applied to the rule.

You can select multiple event criteria and apply logical operators (AND/OR) to them.

8 In Event Count, specify the number of times that the event criteria that you specified must be true for an incident to be declared.


9 In Span, specify the time within which the number of events that is specified in Event Count must occur. For example, you can specify that 30 events of a specific type must occur within 60 minutes before an incident is declared.

10 In Table Size, specify the maximum number of events that the rule can track at any one time. The table size should generally be a multiple of the Event Count setting: Table Size divided by Event Count is the maximum number of event groups that the rule can manage at once. A Table Size smaller than the Event Count leaves the rule unable to hold enough events to ever declare an incident.

11 In the Tracking Keys area, specify the fields to include in the incident. These can be any of the One-Many, Many-One, or Tracking fields that are associated with the incident.
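Steps 8 through 11 together define a counting window. As an added example (not Information Manager code), the block below implements a Many Targets, One Source style rule in Python: events that match the criteria are grouped by the Tracking Keys, each group keeps the timestamps that fall within Span, a conclusion is declared when a group reaches Event Count, and Table Size caps the events held across all groups. The event field names, the least-recently-used eviction when the table is full, and the reset of a group after it fires are assumptions about how such a rule behaves; the events are constructed.

```python
"""Counting rule: Event Count matching events within Span, grouped by
Tracking Keys, with Table Size bounding the events held across all groups.

Added example, not Information Manager code. Field names, LRU eviction when
the table is full, and the reset of a group after it fires are assumptions.
"""
from collections import OrderedDict, deque


class CountingRule:
    def __init__(self, criteria, tracking_keys, event_count, span_seconds, table_size):
        self.criteria = criteria            # (field, operator, value) triples, all must hold
        self.tracking_keys = tracking_keys  # fields whose values identify a group
        self.event_count = event_count
        self.span = span_seconds
        self.table_size = max(1, table_size)
        self.groups = OrderedDict()         # group key -> non-empty deque of timestamps, LRU first
        self.held = 0                       # events currently tracked across all groups

    def matches(self, event):
        for field, op, value in self.criteria:
            actual = event.get(field)
            if op == "=" and actual != value:
                return False
            if op == "contains" and value not in str(actual or ""):
                return False
        return True

    def _evict_oldest(self):
        """Table full: drop the oldest event of the least recently active group."""
        key, times = next(iter(self.groups.items()))
        times.popleft()
        self.held -= 1
        if not times:
            del self.groups[key]

    def process(self, event):
        """Return a conclusion when the event's group reaches Event Count within Span."""
        if not self.matches(event):
            return None
        key = tuple(event.get(f) for f in self.tracking_keys)
        now = event["timestamp"]
        times = self.groups.get(key)
        if times is not None:
            while times and now - times[0] > self.span:    # slide the window
                times.popleft()
                self.held -= 1
            if not times:
                del self.groups[key]
        while self.held >= self.table_size and self.groups:
            self._evict_oldest()
        times = self.groups.setdefault(key, deque())
        times.append(now)
        self.held += 1
        self.groups.move_to_end(key)
        if len(times) >= self.event_count:
            conclusion = {"tracking": dict(zip(self.tracking_keys, key)),
                          "count": len(times), "first": times[0], "last": now}
            self.held -= len(times)
            del self.groups[key]                            # group starts over after firing
            return conclusion
        return None


def run(rule, events):
    """Feed events in timestamp order; return the conclusions declared."""
    out = []
    for event in sorted(events, key=lambda e: e["timestamp"]):
        conclusion = rule.process(event)
        if conclusion:
            out.append(conclusion)
    return out


def sample_events():
    """Constructed events (epoch seconds): 10.0.0.5 probes six hosts in 50 s,
    10.0.0.9 probes three, plus one late probe and one non-matching event."""
    events = [{"timestamp": 1000 + 10 * i, "event_code": "PortProbe",
               "ip_source_address": "10.0.0.5", "ip_destination_address": f"10.0.1.{10 + i}"}
              for i in range(6)]
    events += [{"timestamp": 1005 + 10 * i, "event_code": "PortProbe",
                "ip_source_address": "10.0.0.9", "ip_destination_address": f"10.0.1.{20 + i}"}
               for i in range(3)]
    events.append({"timestamp": 5000, "event_code": "PortProbe",
                   "ip_source_address": "10.0.0.5", "ip_destination_address": "10.0.1.99"})
    events.append({"timestamp": 1007, "event_code": "Login",
                   "ip_source_address": "10.0.0.5", "ip_destination_address": "10.0.1.10"})
    return events


def demo(table_size=20):
    """Many Targets, One Source: 5 probes from one source within 300 s."""
    rule = CountingRule(criteria=[("event_code", "=", "PortProbe")],
                        tracking_keys=["ip_source_address"],
                        event_count=5, span_seconds=300, table_size=table_size)
    return run(rule, sample_events())


if __name__ == "__main__":
    print(demo())               # one conclusion for 10.0.0.5
    print(demo(table_size=4))   # []: a table smaller than Event Count never fires
```

With the default Table Size the scanner 10.0.0.5 trips the rule on its fifth probe, the three probes from 10.0.0.9 stay below the count, and the probe at 5000 s falls outside the Span and starts a fresh window. Rerunning with a Table Size of 4 shows the caveat from step 10: the rule can never hold five events, so it never fires.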

You can now define the rule actions. A conclusion is generated if the set of events satisfies the defined conditions.

Note: You can create rules to detect threats based on the absence of the events that you expect to occur.

See “Creating a correlation rule based on the X not followed by Y rule type” on page 145.

To configure the rule actions

1 On the Actions tab, check Alerting Incident (not a Security Incident) to specify that an incident is an alert incident and not a security incident.

Alerting incidents notify you about a situation that requires your attention because there is a discrepancy on a system.

Security incidents notify you about a situation where there is a potential threat due to a security breach in the organization.

2 From the Severity options, select the severity that you want to be associated with the incident.

3 In the Description area, type a description of the problem. This information appears to users who are assigned the incidents or the tickets based upon the incidents that this rule triggers.

(Optional) Click Add (+) to include the fields from the final event that triggered the conclusion. When a conclusion is generated, these fields are replaced with their corresponding values in the description.

4 (Optional) Click Remediation to populate the Custom Remediation library for this conclusion and to instruct the analysts with a remedy that is specific for your organization.


5 In the Correlate By list box, select the method by which conclusions are grouped into incidents.

6 If you selected Resource and Conclusion Type from the Correlate By list box, you can select a field in Resource Field. This field is used to correlate conclusions within an incident. Conclusions can be correlated together into incidents based on the value of the resource field.

7 To specify that a user or team is automatically assigned to incidents that this rule creates, do the following:

■ Turn on Enable Auto Assign and then click Add.

■ If you want to assign incidents based upon the IP address of the affected target computer, in the left column select the IP Address or Network option. Any Address is the default option. Retain the default option to ensure that all the occurrences of the incident get assigned irrespective of the IP address.

■ To assign incidents to an individual user, in the User column, select the user who should be assigned the incidents.

■ To assign incidents to a group of users, in the User Group column, select the team that should be assigned the incidents. At any time, you can click Clear to clear the selections.

■ If you want to automatically assign incidents to the least busy member in a user group, check Assign to least busy user and then select the corresponding user group.

See “About automatically assigning incidents” on page 140.

8 In the Notification area, check Enable if you want to notify users about the incident activity.

If you want to notify users only when an incident is created, check Send notification for incident creation only.

9 Click Recipients to select the method of notification for each recipient. The options are Email Address Entry, User, User Group, Syslog, and SNMP Trap. Once the method of notification is selected, you are prompted to enter details corresponding to the option that you selected.

After you specify the condition and the action, you can test the rule and then deploy it on the server.


To deploy the rule on the server

1 On the Testing tab, select the archive containing event data, and then click Start Test.

2 When you are satisfied with the incidents and the conclusions that the rule creates, turn on the rule in the Rules list.

3 On the top toolbar, click Deploy to the server.

See “Enabling and disabling rules” on page 152.

About automatically assigning incidents

In Information Manager, an incident is created when an event matches a criterion that is specified in the Rules and Monitors. Based on the rules that are set, these incidents can be automatically assigned to a specific user group or an individual user. Rules or Monitors can be set to assign incidents automatically to the least busy member in a user group.

See “Assigning incidents automatically to the least busy member in a user group” on page 141.

Incidents are automatically assigned to the individual with the lowest load factor. The load factor is calculated based on the incident count and the incident state. Each incident state is assigned a value. Incidents that are in the New state are assigned the highest value, whereas incidents in the Waiting state are assigned the lowest value.

A user group member who has many incidents in the New state is considered busy. Therefore the incidents in the New state have the highest value. The incidents in the Working state have a lower value and the incidents in the Waiting state have the lowest value. The number of incidents that are already assigned to a user and the value that is assigned to each incident's state determine the load factor. The members with the lowest load factor are given priority when an incident is assigned.

When two or more users have the same load factor, Information Manager uses the timestamp to determine which user is the least busy.

Table 8-8 shows how Information Manager calculates the incident load factor. Three users are assigned the same count of incidents in different incident states. Although each user has the same number of incidents, their load factors are different because the values of their incidents are different. In the example, Information Manager automatically assigns incidents to User C because User C has the lowest load factor.


Table 8-8 Incident load factor

User   Incidents: New   Incidents: Working   Incidents: Waiting   Formula (incident count * value of incident state)   Load Factor
A      4                2                    1                    (4*3) + (2*2) + (1*1)                                 17
B      2                4                    1                    (2*3) + (4*2) + (1*1)                                 15
C      1                2                    4                    (1*3) + (2*2) + (4*1)                                 11
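The calculation in Table 8-8, as an added example that is not Information Manager code. The state values (New 3, Working 2, Waiting 1) are those of the table; the timestamp tie-break is implemented as "the member whose last assignment is oldest wins", which is an assumption about what "uses the timestamp" means, and the last_assigned timestamps are constructed. The repeated assignment in simulate() also shows what the guide only implies: once User C has taken enough new incidents, the load balances over to User B and then, on a tie, to User A.

```python
"""Incident load factor and least-busy selection (Table 8-8).

Added example, not Information Manager code. State values follow the guide;
the oldest-last-assignment tie-break is an assumption.
"""

# Value of each incident state: New is the busiest, Waiting the least.
STATE_VALUE = {"New": 3, "Working": 2, "Waiting": 1}


def load_factor(incidents_by_state):
    """Sum over states of (incident count * value of incident state)."""
    return sum(count * STATE_VALUE[state] for state, count in incidents_by_state.items())


def least_busy(members):
    """Member with the lowest load factor; ties go to the oldest last_assigned (assumption)."""
    if not members:
        raise ValueError("user group has no members")
    ranked = sorted(members, key=lambda m: (load_factor(m["incidents"]), m["last_assigned"]))
    return ranked[0]["name"]


def assign(members, incident_id, now):
    """Assign one incident to the least busy member and update that member's load.

    The new incident enters in the New state, so the member's factor rises by 3.
    """
    name = least_busy(members)
    for member in members:
        if member["name"] == name:
            member["incidents"]["New"] = member["incidents"].get("New", 0) + 1
            member["last_assigned"] = now
            return {"incident": incident_id, "assigned_to": name, "logged_as": "SSIM"}


def table_8_8():
    """Table 8-8 as data; the last_assigned timestamps are constructed."""
    return [
        {"name": "A", "incidents": {"New": 4, "Working": 2, "Waiting": 1}, "last_assigned": 300},
        {"name": "B", "incidents": {"New": 2, "Working": 4, "Waiting": 1}, "last_assigned": 200},
        {"name": "C", "incidents": {"New": 1, "Working": 2, "Waiting": 4}, "last_assigned": 100},
    ]


def simulate(count, start=1000):
    """Assign `count` incidents in a row and return who received each one."""
    members = table_8_8()
    return [assign(members, f"INC-{i}", start + i)["assigned_to"] for i in range(count)]


if __name__ == "__main__":
    for member in table_8_8():
        print(member["name"], load_factor(member["incidents"]))   # A 17, B 15, C 11
    print(simulate(4))                                           # ['C', 'C', 'B', 'A']
```

The fourth assignment is the tie case: after three rounds User A and User C both sit at 17, and the incident goes to A because A's last assignment is the older of the two.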

Assigning incidents automatically to the least busy member in a user group

Rules and Monitors can be set to assign incidents automatically to a user group or a user within the user group. You can also set rules and monitors to automatically assign incidents to the least busy member in a user group. Only user groups are considered when incidents are automatically assigned to the least busy member. The member with the lowest incident load factor is considered the least busy member in a user group.

See “About automatically assigning incidents” on page 140.

When incidents are assigned automatically to a user group for the first time, the first user in the user group becomes eligible for incident assignment.

When an incident gets assigned to a member in the user group, a log entry is created for that incident. In the Incident log, this entry is listed as SSIM against the user name of that member.

To assign incidents automatically to the least busy user

1 In the Information Manager console, click Rules.

2 Select a rule or a monitor that must be automatically assigned.

3 On the Actions tab, check Enable Auto Assign.

4 Check Assign to least busy user and then select the corresponding user group. When the rule is deployed, the incidents are automatically assigned to the least busy member in the user group.

Creating a multicondition rule

Consider a sample scenario for creating a conclusion when a combination of conditions is fulfilled.

See “About rule conditions” on page 124.


If the following conditions are met, then a conclusion must be generated:

■ The user logs on to a Windows domain controller.

■ The user creates a new user.

■ The user modifies the privileges for the newly created user. (For example, the user gives the new user domain admin privileges.)

■ The user logs out.

Note: The event codes in the procedures are applicable to Microsoft Windows 2000. They may vary for other operating systems.

To create a new rule

1 On the console of the Information Manager client, click Rules.

2 In the left navigation pane, under the Correlation Rules folder, click User Rules.

3 On the Rules tab, click Create new filter or rule (+).

4 In the Input dialog box, type a name for the rule.

The rule name appears in red under the User Rules folder.

5 In the description box, type the description for the rule. (For example: monitor for the events that occur when all the conditions that are specified are fulfilled.)

Once you create a new rule, you must configure the rule conditions that are required based on the scenario.

To configure the rule conditions

1 On the Conditions tab, in the Description window, type a description for the rule.

2 On the Conditions tab, on the Rule Type menu, click MultiCondition as it applies to the new rule.

3 In the Event Criteria area, click Add.

Add the conditions that are required to trigger the rule.

To add Condition 1

1 Select the left column of the new entry. From the drop-down list that appears, select the Events tab and click the Host Intrusion Activity folder.

From the collapsible list that is displayed, select Intrusion Action ID.

2 Select the center column and select the = operator.


3 Select the right column, and then select Login. This value corresponds to the logon action.

4 If the events must occur more than once for an incident to be declared, specify the count of events in the Event Count list that is located in the Event Criteria area.

Add the other conditions that are required to trigger the rule.

To add Condition 2

1 Under Rule Type, click Add to add a second condition.

2 Select the left column of the new entry for Condition 2. From the drop-down list that appears, click the Common tab and select Symantec Event Code.

3 Select the center column and select the = operator.

4 Select the right column, and then select 722. This value corresponds to a new user account being created.

5 If the events must occur more than once for an incident to be declared, in the Event Criteria area, specify the count of events in the Event Count list.

Add the other conditions that are required to trigger the rule.

To add Condition 3

1 Under Rule Type, click Add to add a third condition.

2 Select the left column of the new entry for Condition 3. From the drop-down list that appears, click the Common tab and select Vendor Signature.

3 Select the center column and select the = operator.

4 Select the right column, and then select 632. This value corresponds to a new user account being added to the domain admin group for the third condition.

5 If the events must occur more than once for an incident to be declared, in the Event Criteria area, specify the count of events in the Event Count list.

Add the other conditions that are required to trigger the rule.

To add Condition 4

1 Under Rule Type, click Add to add a fourth condition.

2 Select the left column of the new entry for Condition 4. From the drop-down list that appears, click the Common tab and select Symantec Event Code.

3 Select the center column and select the = operator.

4 Select the right column, and then select 720. This value corresponds to the user account log-off for the fourth condition.


5 In the Tracking Keys area, under the One-Many field, click Add and select Agent Host.

Under the Tracking field, click Add and select IP destination address.

6 If the events must occur more than once for an incident to be declared, in the Event Criteria area, specify the count of events in the Event Count list.

7 In Span, set the time span equal to 20 minutes.

8 In Table Size, specify the maximum number of events that the rule can track at any one time.

After you configure the rule conditions you must configure the rule actions.
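The four conditions above, run as an ordered sequence matcher, as an added example that is not Information Manager code. Events that share the One-Many key (Agent Host) advance a per-key sequence; a conclusion is declared when the fourth condition is met within the 20-minute Span; each condition carries its own Event Count. The field names, the treatment of unrelated events (ignored rather than resetting the sequence) and the restart of a sequence after the Span has elapsed are assumptions; the event codes are the Windows 2000 values quoted in the procedure, and the sample events are constructed.

```python
"""MultiCondition rule: conditions met in order by events that share the
One-Many key (Agent Host), all within Span.

Added example, not Information Manager code. Field names, ignoring unrelated
events, and restarting after Span expires are assumptions; the codes 722,
632 and 720 are the Windows 2000 values quoted in the procedure.
"""


class MultiConditionRule:
    def __init__(self, conditions, one_many, tracking, span_seconds):
        self.conditions = conditions   # list of (required_count, {field: value}) in order
        self.one_many = one_many       # fields whose values must be shared by all events
        self.tracking = tracking       # fields copied from each matching event
        self.span = span_seconds
        self.state = {}                # key -> {"stage", "seen", "start", "tracked"}

    def process(self, event):
        """Return a conclusion when the final condition is satisfied, else None."""
        key = tuple(event.get(f) for f in self.one_many)
        now = event["timestamp"]
        st = self.state.get(key)
        if st is not None and now - st["start"] > self.span:
            del self.state[key]        # sequence did not complete within Span; start over
            st = None
        stage = st["stage"] if st else 0
        needed, condition = self.conditions[stage]
        if any(event.get(f) != v for f, v in condition.items()):
            return None                # only the next condition in order advances the sequence
        if st is None:
            st = self.state[key] = {"stage": 0, "seen": 0, "start": now, "tracked": []}
        st["seen"] += 1
        st["tracked"].append({f: event.get(f) for f in self.tracking})
        if st["seen"] < needed:
            return None                # this condition's Event Count not yet reached
        st["stage"], st["seen"] = st["stage"] + 1, 0
        if st["stage"] < len(self.conditions):
            return None
        del self.state[key]
        return {"one_many": dict(zip(self.one_many, key)), "start": st["start"],
                "end": now, "tracked": st["tracked"]}


def build_rule():
    """Conditions 1 to 4 of the procedure, keyed by Agent Host, 20-minute Span."""
    return MultiConditionRule(
        conditions=[
            (1, {"intrusion_action_id": "Login"}),   # user logs on to the domain controller
            (1, {"symantec_event_code": 722}),       # new user account created
            (1, {"vendor_signature": 632}),          # account added to the domain admin group
            (1, {"symantec_event_code": 720}),       # user logs off
        ],
        one_many=["agent_host"],
        tracking=["ip_destination_address"],
        span_seconds=20 * 60,
    )


def sample_events():
    """Constructed events: DC01 completes the sequence, DC02 skips the group
    change, DC03 logs off only after the 20-minute Span has passed."""
    def ev(ts, host, **fields):
        return {"timestamp": ts, "agent_host": host, "ip_destination_address": "10.0.0.1", **fields}
    return [
        ev(0, "DC01", intrusion_action_id="Login"),
        ev(60, "DC01", symantec_event_code=722),
        ev(90, "DC01", symantec_event_code=999),     #  unrelated event, ignored
        ev(120, "DC01", vendor_signature=632),
        ev(180, "DC01", symantec_event_code=720),
        ev(0, "DC02", intrusion_action_id="Login"),
        ev(60, "DC02", symantec_event_code=722),
        ev(120, "DC02", symantec_event_code=720),
        ev(0, "DC03", intrusion_action_id="Login"),
        ev(60, "DC03", symantec_event_code=722),
        ev(120, "DC03", vendor_signature=632),
        ev(1500, "DC03", symantec_event_code=720),
    ]


def run(rule, events):
    return [c for c in (rule.process(e) for e in sorted(events, key=lambda e: e["timestamp"])) if c]


def demo():
    return run(build_rule(), sample_events())


if __name__ == "__main__":
    print(demo())   # one conclusion, for DC01, spanning 0 to 180 s
```

Only DC01 yields a conclusion: DC02 never produces the group-membership change that condition 3 requires, and DC03's log-off arrives after the Span, which discards the partial sequence.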

To configure the rule actions

1 On the Actions tab, in the Conclusion Severity option, specify the severity that you want associated with the incident.

2 In the Conclusion Description area, type a description of the problem. This information appears to users who are assigned the incidents or the tickets that are based upon the incidents that this rule triggers.

(Optional) Click Add (+) to include the values of fields from the final event that triggered the conclusion.

3 In the Correlate By drop-down list, specify the method by which conclusions are grouped into incidents.

4 In the Resource Field menu, choose the desired event fields. Conclusions can be correlated together into the incidents that are based on the value of this resource field.

5 To specify that a user or team is automatically assigned to incidents that this rule creates, do the following:

■ Turn on Enable Auto Assign.

■ If you want to automatically assign incidents to the least busy member in a user group, check Assign to least busy user and then select the corresponding user group.

■ To assign the incident based upon the IP address of the affected target computer, in the left column, type the IP address or netmask.

■ In the User column, click the user to whom you want to assign the incidents.

■ In the User Group column, click the help desk team to which you want to assign the incidents.


After you specify the conditions and the actions, you can test the rule and then deploy it on the server.

To deploy the rule on the server

1 On the Testing tab, specify the location of a file containing event data, and then click Start Test.

2 When you are satisfied with the incidents and conclusions that this rule creates, turn on the rule in the Rules list.

3 On the top toolbar, click Deploy to the server.

Creating a correlation rule based on the X not followed by Y rule type

Consider a sample scenario wherein a user logs on to a critical system and carries out some activity. However, the user fails to log off within an hour. Normally such a logon should last for less than an hour. If the user does not log off within an hour, this suspicious activity results in an event with a conclusion. This sample scenario is an example of Y not following X.

See “About rule types” on page 125.

To create a correlation rule for X not followed by Y

1 On the console of the Information Manager client, click Rules.

2 In the left navigation pane, under the Correlation Rules folder, click User Rules.

3 On the Rules tab, click Create new filter or rule (+).

4 In the Input dialog box, type a name for the rule.

The rule name appears in red under the User Rules folder.

Example: Rule for Event Definition with negatives

5 In the Descriptions box, type the description for the rule. Example: Monitor for the events that have not occurred in a defined sequence.

You can now define the required rule condition. An event is generated if the set of user actions satisfies the defined condition.

In this example, X is the normal activity of a logon. Y is an activity of a logoff. Normally, Y follows X. However, in this example the logoff does not happen even after an hour. Therefore, use the rule type of X not followed by Y to trigger an event.


To configure the rule conditions and actions

1 On the Conditions tab, on the Rule Type menu, click the rule X not followed by Y.

2 In the Event Criteria area, click + to add a criterion for X.

3 Select the left column of the new entry, and then choose the event type as Mechanisms.

4 Select the center column and select the operator contains.

5 Select the right column, and then specify the value Login.

6 To add the criterion for Y, in the Event Criteria Postcondition area, select the left column of the new entry, and then choose the Mechanisms event type.

7 Select the center column and select the operator contains.

8 Select the right column, and then specify the value Logout.

9 In the Tracking Keys area under the One-Many fields, click Add to specify the fields that you want to track: for example, the Source IP address. Under the Tracking field's column, if you want to track the date of the event, you can add Event Date.

10 In the Event Count box, specify the number of times that the event criteria that you specified must be true for an incident to be declared.

11 In the Span box, specify the amount of time within which the two events X and Y must occur. For example, you can specify that the two events X and Y must occur within 60 minutes, failing which an incident is declared.

12 In the Table Size box, specify the maximum number of events that the rule can track at any one time. The table size should generally be a multiple of the Event Count setting.

13 On the Actions tab, you can specify whether the incident is an Alerting incident and not a security incident. You can add the description and the remediation for that incident.

14 In the following areas for Auto assignments and Notifications you can specify whether the incident should be assigned automatically to the users or groups selected.

15 In the Notification area, you can enable notifications and specify the email address of the recipients. You can add one or more recipients to receive the notifications.

You must deploy the rule after you have created and configured the rule.


To deploy the rule

1 On the console of the Information Manager client, click Rules.

2 In the left navigation pane, place a check mark in the box next to the rule that you want to deploy.

3 In the top toolbar, click Deploy.

Creating a correlation rule based on the X not followed by X rule type

Consider a sample scenario wherein a user tries to log on, fails, and does not attempt to log on again for 30 minutes. Normally, an authorized user tries to log on again within 30 minutes. However, this user waits for more than 30 minutes before attempting to log on again. This behavior indicates suspicious activity that results in an event with a conclusion. This sample scenario is an example of X not following X.

See “About rule conditions” on page 124.

To create a correlation rule for X not followed by X

1 On the console of the Information Manager client, click Rules.

2 In the left navigation pane, under the Correlation Rules folder, click User Rules.

3 On the Rules tab, click Create new filter or rule (+).

4 In the Input dialog box, type a name for the rule. Example: Rule for Event Definition with negatives

5 In the Descriptions box, type a brief description for the rule. Example: Monitors for predefined behavior of events.

You can now define the required rule condition. An event is generated if the set of user actions satisfies the defined condition.

In this example, X is the normal activity of a logon. Normally, a failed logon attempt is followed by another logon attempt within a 30-minute period. However, in this example the user does not attempt to log on for more than 30 minutes. Therefore, you can use the rule type X not followed by X to trigger an event.

To configure the rule conditions and actions

1 On the Conditions tab, on the Rule Type menu, click the rule X not followed by X.

2 In the Event Criteria area, click + to add a criterion for X.


3 Select the left column of the new entry, and then choose the event type as Mechanisms.

4 Select the center column and select the operator contains.

5 Select the right column and then specify the value Login.

6 Click Add to add the second criterion for X. Then select the left column of the new entry, and in the drop-down list under Events, expand the Intrusion Activity folder. Select Intrusion Outcome ID.

7 Select the center column and select the operator =.

8 Select the right column, and then specify the value Failed.

9 In the Tracking Keys area under the One-Many fields, click Add to specify the fields to track: for example, the Source IP address. Under the Tracking fields column, if you want to track the date of the event, add Event Date.

10 In the Event Count box, specify the number of times that the event criteria that you specified must be true for an incident to be declared.

11 In the Span box, specify the amount of time for the event. For example, you can specify 30 minutes, failing which an incident is declared.

12 In the Table Size box, specify the maximum number of events that the rule can track at any one time. The table size should generally be a multiple of the Event Count setting.

13 On the Actions tab, specify whether the incident is an Alerting incident and not a security incident. Add the description and the remediation for that incident.

14 In the following areas for Auto assignments and Notifications, specify whether the incident should be assigned automatically to the users or groups selected.

15 In the Notification area, enable notifications and specify the email address of the recipients. You can add one or more recipients to receive the notifications.

You must deploy the rule after you have created and configured the rule.

To deploy the rule

1 On the console of the Information Manager client, click Rules.

2 In the left navigation pane, place a check mark in the box next to the rule to deploy.

3 In the top toolbar, click Deploy.


Creating a correlation rule for the Y not preceded by X rule type

Consider a sample scenario wherein a user logs on to a Linux system. The user uses PuTTY or another secure connection mode to log on to the su (superuser) role and creates another user. Normally, to create a new user role, you log on as root. However, this user bypasses the root logon and a new user account is created. This sample scenario is an example of X not preceding Y.

To create a correlation rule for Y not preceded by X

1 On the console of the Information Manager client, click Rules.

2 In the left navigation pane, under the Correlation Rules folder, click User Rules.

3 On the Rules tab, click Create new filter or rule (+).

4 In the Input dialog box, type a name for the rule.

Example: Rule for Event Definition with negatives

5 In the Descriptions box, enter a brief description for the rule.

Example: Monitors for the events occurring in correct sequence.

In this example, X is an activity of the root logon. Y corresponds to the creation of a new user account. Normally, a new user is created by logging on as root. However, in this example, the user does not log on as root but as a normal user. The user is able to create a new user account. Therefore, you can use the rule type of Y not preceded by X to trigger an event.

You can now define the required rule condition. An event is generated if the set of user actions satisfies the defined condition.

To configure the rule conditions and actions

1 On the Conditions tab, on the Rule Type menu, click the rule Y not preceded by X.

2 In the Event Criteria area, click + to add a criterion for X.

3 Select the left column of the new entry, and then choose the event type as Symantec Event Code.

4 Select the center column and then select the operator =.

5 Select the right column, and then specify the value 733, which corresponds to the user action.

6 Click Add to add the second criterion for X. Then select the left column of the new entry, and in the drop-down list under the Events tab, expand the folder for Intrusion Activity. Select Intrusion Outcome ID.

7 Select the center column and select the operator =.


8 Select the right column, and then specify the value Failed.

9 In the Tracking Keys area under the One-Many fields, click Add to specify the fields to track: for example, the source IP address. Under the Tracking fields column, to track the date of the event, add Event Date.

10 In the Event Count box, specify the number of times that the event criteria that you specified must be true for an incident to be declared.

11 In the Span box, specify the amount of time for the event. For example, you can specify 30 minutes, failing which an incident is declared.

12 In the Table Size box, specify the maximum number of events that the rule can track at any one time. The table size should generally be a multiple of the Event Count setting.

13 On the Actions tab, you can specify whether the incident is an Alerting incident and not a security incident. You can add the description and the remediation for that incident.

14 In the following areas for Autoassignments and Notifications you can specify whether the incident should be assigned automatically to the users or groups selected.

15 In the Notification area, you can enable notifications and specify the email address of the recipients. You can add one or more recipients to receive the notifications.

You must deploy the rule after you have created and configured the rule.

To deploy the rule

1 On the console of the Information Manager client, click Rules.

2 In the left navigation pane, place a check mark in the box next to the rule todeploy.

3 In the top toolbar, click Deploy.
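To show how the settings in the procedure above interact, here is an added Python model of a Y not preceded by X rule. It is example code written for this page, not Correlation Manager code. X uses the criteria from the steps above (Symantec Event Code 733, Intrusion Outcome ID Failed); the Y criterion (an assumed "action": "create_user" field), all field names and the sample events are constructed for the example. The Tracking Keys, Span, Event Count and Table Size settings are modelled as the steps describe them, and the model also shows a consequence of a Table Size that is too small: once an X has been evicted from the tracking table it can no longer cover a later Y, so that Y counts as unmatched.

```python
from collections import OrderedDict
from dataclasses import dataclass, field


@dataclass
class YNotPrecededByXRule:
    """Toy model of a "Y not preceded by X" correlation rule.

    Hypothetical code written for this example, not the product's
    implementation. Each event is a dict with a numeric "time" (seconds)
    plus whatever fields the criteria name.
    """
    x_criteria: dict          # field -> value an X event must carry
    y_criteria: dict          # field -> value a Y event must carry
    tracking_keys: tuple      # One-Many tracking fields, e.g. ("src_ip",)
    span_seconds: int         # Span: how long a prior X covers a later Y
    event_count: int          # Event Count: unmatched Y hits per key before an incident
    table_size: int           # Table Size: maximum keys held in each tracking table
    _last_x: OrderedDict = field(default_factory=OrderedDict)  # key -> time of last X
    _hits: OrderedDict = field(default_factory=OrderedDict)    # key -> unmatched Y count
    incidents: list = field(default_factory=list)

    @staticmethod
    def _matches(event, criteria):
        return all(event.get(name) == value for name, value in criteria.items())

    def _key(self, event):
        return tuple(event.get(name) for name in self.tracking_keys)

    def _remember(self, table, key, value):
        # Insert or refresh the key; evict the oldest key once the table is full.
        table[key] = value
        table.move_to_end(key)
        while len(table) > self.table_size:
            table.popitem(last=False)

    def process(self, event):
        """Feed one event; return the incident dict if one is declared, else None."""
        key = self._key(event)
        if self._matches(event, self.x_criteria):
            self._remember(self._last_x, key, event["time"])
            return None
        if not self._matches(event, self.y_criteria):
            return None
        last_x = self._last_x.get(key)
        if last_x is not None and 0 <= event["time"] - last_x <= self.span_seconds:
            return None          # Y was preceded by X within the span: expected sequence
        hits = self._hits.get(key, 0) + 1
        if hits < self.event_count:
            self._remember(self._hits, key, hits)
            return None
        self._hits.pop(key, None)   # reset the counter once the incident is declared
        incident = {"rule": "Y not preceded by X", "key": key,
                    "time": event["time"], "count": hits}
        self.incidents.append(incident)
        return incident


# Constructed sample events. X carries the guide's criteria (Symantec Event
# Code 733, Intrusion Outcome ID Failed); the Y criterion "action": "create_user"
# and the field names are assumptions made for this example.
SAMPLE_EVENTS = [
    {"time": 0,    "src_ip": "10.0.0.5", "event_code": 733, "outcome": "Failed"},
    {"time": 100,  "src_ip": "10.0.0.9", "action": "create_user"},   # no X seen: hit 1
    {"time": 200,  "src_ip": "10.0.0.9", "action": "create_user"},   # no X seen: hit 2, incident
    {"time": 600,  "src_ip": "10.0.0.5", "action": "create_user"},   # preceded by X within span
    {"time": 5000, "src_ip": "10.0.0.5", "action": "create_user"},   # X is older than the span: hit 1
]


def run_demo():
    """Run the sample through a rule with a 30-minute span and Event Count 2."""
    rule = YNotPrecededByXRule(
        x_criteria={"event_code": 733, "outcome": "Failed"},
        y_criteria={"action": "create_user"},
        tracking_keys=("src_ip",),
        span_seconds=30 * 60,
        event_count=2,
        table_size=4,
    )
    for event in SAMPLE_EVENTS:
        rule.process(event)
    return rule.incidents


if __name__ == "__main__":
    for incident in run_demo():
        print(incident)
```

With the sample input only 10.0.0.9 produces an incident: its two user creations were never preceded by the X activity, while 10.0.0.5's first creation fell inside the 30-minute span after its X and the later one, outside the span, has only reached one hit of the two required.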

Creating a correlation rule for the Lookup Table Update

The Lookup Table Update rule is set to dynamically collect information in the lookup tables. Any rule can refer to this information to generate incidents, tickets, and assets. You can create a correlation rule which refers to an existing lookup table that gets dynamically updated. After you create a rule, you can configure the rule conditions and actions and deploy it. This rule is created only for updating the lookup table. Therefore, conclusions are not created for the Lookup Table Update rule.

See “About rule types” on page 125.


Consider a sample scenario wherein a stack of intentionally bad credit cards is distributed to serve as bait for malicious users. A malicious user intending to commit fraud can use one of the bait cards that have been distributed. A list of such baited credit cards is maintained in a lookup table. Whenever a credit card usage event contains any of these baited credit card numbers, the source IP address of this event is immediately stored in the lookup table of the Information Manager. Later, if a legitimate usage event originates from the stored source IP address, it indicates fraud by the malicious user.

A correlation rule that is set to refer to the dynamically updated lookup table generates an incident for the events that occur from the stored source IP address. Here a lookup table must be configured with a Lookup Table Update rule to get updates of the source IP address.

To create a correlation rule for Lookup Table Update

1 In the console of the Information Manager client, click Rules.

2 In the left navigation pane, under the Correlation Rules folder, click User Rules.

3 On the Rules tab, click Create new rule (+).

4 In the Descriptions box, enter a brief description for the rule.

You can now configure the required rule conditions and actions. An event is generated whenever the lookup table is updated with the specified event criteria.

To configure the rule conditions and actions

1 On the Conditions tab, on the Rule Type menu, select Lookup Table Update Rule.

2 In the Event Criteria area, click + and specify the event criteria.

3 On the Actions tab, configure the actions for the Lookup Table Update rule by editing any of the following properties:

Lookup Table: Lets you select the User Lookup Table that is modified dynamically if the event satisfies the specified event criteria.

Table Column: Automatically updates the key column in the Lookup Table.

Event Field: Lets you select the existing event fields. If an event satisfies the specified event criteria, the value of this event field is used to populate the key column in the Lookup Tables.

Timeout in hours: Lets you specify the period after which an entry in the configured Lookup Tables is removed. The value can be specified in hours. If the value specified is 0, entries in the Lookup Tables do not expire.


After configuring the rule conditions, you must enable and deploy the rule.

To deploy the rule

1 In the console of the Information Manager client, click Rules.

2 In the left navigation pane, place a check mark in the box next to the rule to deploy.

3 In the top toolbar, click Deploy.
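The bait-card scenario from this section, as an added Python example written for this page rather than the product's code: a Lookup Table Update rule stores the source IP address of any usage event that carries a bait card number, the table expires entries after the configured Timeout in hours (0 meaning never, as the action describes), and a second rule that refers to the table declares an incident when a later, non-bait usage event arrives from a stored address. The card identifiers, event fields, IP addresses and timestamps are all constructed for the example.

```python
from dataclasses import dataclass, field


class LookupTable:
    """User lookup table whose entries expire after a timeout in hours.

    Hypothetical model written for this example, not the product's code.
    A timeout of 0 means entries never expire. Times are plain seconds.
    """

    def __init__(self, name, timeout_hours=0):
        self.name = name
        self.timeout_seconds = timeout_hours * 3600
        self._rows = {}  # key column value -> time the entry was last written

    def update(self, key, now):
        self._rows[key] = now

    def expire(self, now):
        """Drop entries older than the timeout (no-op when the timeout is 0)."""
        if self.timeout_seconds:
            self._rows = {k: t for k, t in self._rows.items()
                          if now - t < self.timeout_seconds}

    def contains(self, key, now):
        self.expire(now)
        return key in self._rows

    def keys(self, now):
        self.expire(now)
        return sorted(self._rows)


@dataclass
class LookupTableUpdateRule:
    """Lookup Table Update rule: store one event field when the event matches."""
    criteria: object      # callable(event) -> bool, the Event Criteria
    table: LookupTable    # the Lookup Table action
    event_field: str      # the Event Field action: value written to the key column

    def process(self, event):
        if self.criteria(event):
            self.table.update(event[self.event_field], event["time"])


@dataclass
class LookupMatchRule:
    """A rule that refers to the table: incident when a matching event's field is listed."""
    criteria: object
    table: LookupTable
    event_field: str
    incidents: list = field(default_factory=list)

    def process(self, event):
        value = event.get(self.event_field)
        if (self.criteria(event) and value is not None
                and self.table.contains(value, event["time"])):
            self.incidents.append({"rule": "usage from bait-card source",
                                   "src_ip": value, "time": event["time"]})


# Constructed bait card identifiers (the guide keeps the real list in a lookup table).
BAIT_CARDS = {"BAIT-0001", "BAIT-0002"}

HOUR = 3600
# Constructed credit card usage events.
SAMPLE_EVENTS = [
    {"time": 0,         "card": "BAIT-0001", "src_ip": "203.0.113.7"},   # bait used: remember the IP
    {"time": 1 * HOUR,  "card": "LEGIT-4410", "src_ip": "203.0.113.7"},  # later use from that IP
    {"time": 1 * HOUR,  "card": "LEGIT-2231", "src_ip": "198.51.100.2"}, # unrelated client
    {"time": 30 * HOUR, "card": "LEGIT-4410", "src_ip": "203.0.113.7"},  # entry expired at 24 h
]


def run_demo(timeout_hours=24):
    """Run the scenario; return (incidents, addresses still in the table at the end)."""
    watched = LookupTable("bait_card_sources", timeout_hours=timeout_hours)
    updater = LookupTableUpdateRule(lambda e: e["card"] in BAIT_CARDS, watched, "src_ip")
    matcher = LookupMatchRule(lambda e: e["card"] not in BAIT_CARDS, watched, "src_ip")
    for event in SAMPLE_EVENTS:
        updater.process(event)
        matcher.process(event)
    return matcher.incidents, watched.keys(SAMPLE_EVENTS[-1]["time"])


if __name__ == "__main__":
    incidents, remaining = run_demo()
    print(incidents, remaining)
```

With a 24-hour timeout the usage one hour after the bait card produces an incident and the one 30 hours later does not, because the entry has expired; with a timeout of 0 both are flagged and the address stays in the table.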

Enabling and disabling rules

By enabling or disabling rules in the Rules view of the Information Manager console, you can temporarily filter certain network events. You can also change the way the Correlation Manager declares incidents.

See “About correlation rules” on page 123.

Note: In some cases, such as when the server is under a heavy event load, disabling or deleting a rule may not take effect immediately.

To enable or disable a rule

1 From the Information Manager console, click Rules.

2 In the left navigation pane, check or uncheck the box next to a rule.

A check mark against the rule indicates that the rule is selected to be enabled.

3 In the top toolbar, click Deploy.

Working with the Lookup Tables window

You can view and update the lookup table information from the Rules view. List entries change over time due to updates from LiveUpdate. You can also create user-defined lookup tables under the User Lookup Tables folder.

See “About correlation rules” on page 123.

The Lookup Tables provide a set of configurable tables that let you extend the functioning of rules. To ensure that some correlation rules function properly, you must populate the Lookup Tables with the information that is applicable to your network and resources. Key settings include the email domains that apply to your network, files to be monitored, and users to be monitored. If required, additional user tables can be added based on your specifications.

Table 8-9 lists the Lookup Tables and the types of information that they contain.


Table 8-9 Lookup Tables

Category: Description

Administrative Users: List of users who can perform administrative activities.

Authorized Ports Inbound: List of authorized ports through which incoming traffic is allowed as per the policies.

Authorized Ports Outbound: List of authorized ports through which outgoing traffic is allowed as per the policies.

Critical Servers: Lists the IP addresses of the servers that are critical from a business perspective.

default usernames: List of authorized users.

ip watchlist: Lists the IP addresses of known attackers. An incident is created if an event is detected from one of these IP addresses. The IPWatchList table is a configurable table that is available for manually tracking known bad IP addresses. DeepSight and LiveUpdate updates maintain a separate internal IP Watch List. That list contains IP addresses known to be malicious in the larger Internet environment.

IP Whitelist Table: Lists the whitelisted IP addresses. These IP addresses and domain names are reputable and can be trusted. You can add your trusted domain names and IP addresses to the list.

Monitored Logging Devices: Lists the logging devices that must be monitored for an idle state after a specific time span.

Organization Domains: Provides a table in which you describe the organizational domains that are monitored.

P2P Programs: Lists the P2P programs.

Potential Policy Violation IPs: Lists the IP addresses of the hosts that can potentially violate the policy.

RapidResponseMonitoredAddressTraffic: Lists all the bad IP addresses with which your sensitive data can communicate.

sensitive files: Lists the file names to monitor during FTP transfers.

sensitive urls: Lists the text strings that are often included in malicious URLs.

services: Lists the services that are associated with each port number.

trojans: Lists known Trojan horse exploits.

user watchlist: Provides a table in which you can list users and the user names that formerly had access to the network.

Weekdays: Lists the days of the week to allow further refinement of queries based on the day or days associated with an event.

Weekend: Lists the days of the weekend to allow further refinement of queries based on the day or days associated with an event.

windows events: Lists the Windows events that may indicate violations of security policies or other malicious activities.

Note: Additional lookup tables can be downloaded into the system through LiveUpdate.

To add an entry to the Organization Domains watchlist

1 On the Information Manager console, click Rules.

2 In the left navigation pane, expand the Lookup Tables folder.

3 Expand the System Lookup Tables folder.

4 Click Organization Domains.

5 Click New Record (+).

6 In the spaces provided, type a name and description.

7 Click Deploy to Server.

8 In the Deployed Modified Items dialog box, enter a comment that describes the addition of the entry, and then click OK to deploy the change.


To add an entry to the IP watchlist

1 On the Information Manager console, click Rules.

2 In the left navigation pane, expand the Lookup Tables folder.

3 Expand the System Lookup Tables folder.

4 Click ip watchlist (if it is not selected).

5 Click New Record (+).

6 In the spaces provided, type the desired IP address and description.

7 Click Deploy to Server.

8 In the Deployed Modified Items dialog box, enter a comment that describes the addition of the entry, and then click OK to deploy the change.

To add an entry to the sensitive files list

1 On the Information Manager console, click Rules.

2 In the left navigation pane, expand the Lookup Tables folder.

3 Expand the System Lookup Tables folder.

4 Click sensitive files.

5 Click New Record (+).

6 In the space that is provided, type the name of the file.

7 Click Deploy to Server.

8 In the Deployed Modified Items dialog box, enter a comment that describes the addition of the entry, and then click OK to deploy the change.

To add an entry to the sensitive urls list

1 On the Information Manager console, click Rules.

2 In the left navigation pane, expand the Lookup Tables folder.

3 Expand the System Lookup Tables folder.

4 Click sensitive urls.

5 Click New Record (+).

6 In the URL Substring column, type the URL.

7 In the Attack Type column, type the kind of attack that is associated with this URL.

8 Click Deploy to Server.

9 In the Deployed Modified Items dialog box, enter a comment that describes the addition of the entry, and then click OK to deploy the change.


To add an entry to the services list

1 On the Information Manager console, click Rules.

2 In the left navigation pane, expand the Lookup Tables folder.

3 Expand the System Lookup Tables folder.

4 Click services.

5 Click New Record (+).

6 In the Service column, type a description.

7 In the Port column, type the port number to add.

8 Click Deploy to Server.

9 In the Deployed Modified Items dialog box, enter a comment that describes the addition of the entry, and then click OK to deploy the change.

To add an entry to the Trojan horses list

1 On the Information Manager console, click Rules.

2 In the left navigation pane, expand the Lookup Tables folder.

3 Expand the System Lookup Tables folder.

4 Click trojans.

5 Click New Record (+).

6 In the Port column, type the port number that is associated with the attack.

7 In the Protocol column, type the network protocol (such as TCP or UDP) that is associated with the attack.

8 In the Trojan Name(s) column, type the name of the Trojan horse.

9 Click Deploy to Server.

10 In the Deployed Modified Items dialog box, enter a comment that describes the addition of the entry, and then click OK to deploy the change.

To add an entry to the user watchlist

1 On the Information Manager console, click Rules.

2 In the left navigation pane, expand the Lookup Tables folder.

3 Expand the System Lookup Tables folder.

4 Click user watchlist.

5 Click New Record (+).

6 In the spaces provided, type the user name, name, and departure date of the employee or account to add.


7 Click Deploy to Server.

8 In the Deployed Modified Items dialog box, enter a comment that describes the addition of the entry, and then click OK to deploy the change.

To add an entry to the Windows Events list

1 On the Information Manager console, click Rules.

2 In the left navigation pane, expand the Lookup Tables folder.

3 Expand the System Lookup Tables folder.

4 Click windows events.

5 Click New Record (+).

6 In the ID column, type the desired Microsoft Windows event type.

7 In the Category column, type the kind of activity that is associated with the event.

8 In the Description column, type a description for this kind of event.

9 Click Deploy to Server.

10 In the Deployed Modified Items dialog box, enter a comment that describes the addition of the entry, and then click OK to deploy the change.

To delete an entry from the Lookup Tables

1 On the Information Manager console, click Rules.

2 In the left navigation pane, expand the Lookup Tables folder.

3 Expand the System Lookup Tables folder.

4 Click the table with the entry to be deleted and select the entry.

5 Click Delete Records.

6 Click Yes to confirm the deletion.

7 Click Deploy to Server.

8 In the Deployed Modified Items dialog box, enter a comment that describes the deletion of the entry.

9 Click OK to deploy the change.

Creating a user-defined Lookup Table

To create a user-defined lookup table, you first define the columns in the table, and then you add the data.

See “Working with the Lookup Tables window” on page 152.


To create a user-defined lookup table

1 On the Information Manager console, click Rules.

2 In the left navigation pane, expand the User Lookup Tables folder.

3 Click Create new filter or rule (+).

4 In the Input dialog that appears, type the name of the table you want to create, and click OK. The name of the table must not match the name of an existing table or rule.

5 On the Content tab, click Add Records (+). Enter the Name, Type, and Description values for a column that you want to use in your table.

You can select any of the following types of values for a record in a column:

■ Float

■ IP Mask

■ Date

■ String

■ IP address

■ Integer

6 For each additional column, repeat step 5.

7 After creating the columns, select the Key option button corresponding tothe column that forms the primary column in the table.

8 Click Done.

9 To add data to the table that you have created, do one of the following:

■ Click Add Records and enter the information in the available fields.

■ Click Import Records. After you choose the file that you want to import, a wizard guides you through the steps to map the data that is stored in the file to the columns that you have added in the Lookup Table.

10 When you are finished, click Deploy.

11 In the Deploy Modified Items dialog box, choose the items that you want to deploy. You can enter an optional comment in the available field.

12 Click OK.


Importing Lookup Tables and records

You can import a previously exported Information Manager Lookup Table from a file. Alternatively, you can import the records that are stored in comma-separated or tabbed format into an existing Lookup Table.

See “Working with the Lookup Tables window” on page 152.

Note: When you import records into an existing Lookup Table, you can import a maximum of 1024 entries.

To import an exported Lookup Table

1 On the Information Manager console, click Rules.

2 In the left navigation pane, click the User Lookup Tables folder.

3 Click Import from Disk.

4 In the Select File(s) to Import dialog, choose the file, and click Import.

To import records into an existing Lookup Table

1 On the Information Manager console, click Rules.

2 In the left navigation pane, expand the User Lookup Tables folder.

3 In the table into which you want to import records, on the Content tab, click Import Records.

4 In the Open dialog box, choose the file that contains the data to be imported, and click Open.

5 In the Import Lookup Table Records wizard, choose the delimiter that is used in the file, and the appropriate options. The preview pane displays a representation of your choices.

6 Click Next.

7 In the next pane, use the Field Options area to specify how the data in the file maps to the columns in the Lookup Table. Click Next.

8 In the next pane, click Start.

9 When the import process is finished, click Finish.
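The following Python is an added example (not the product's importer) of the work the Import Records wizard does for a user-defined table: read a comma- or tab-delimited file, map file fields to the table's columns, convert each value to the column type chosen when the table was created (Float, IP Mask, Date, String, IP address, Integer), reject rows that do not convert or that repeat the Key column, and refuse an import of more than the 1024 records the note above allows. The critical-servers table layout and the tab-delimited input are constructed; the ISO date format, the concrete type conversions and the (line number, message) error shape are assumptions made for the example.

```python
import csv
import io
import ipaddress
from datetime import datetime

MAX_IMPORT_RECORDS = 1024  # limit the guide gives for importing into an existing table


def parse_value(type_name, raw):
    """Convert one text field to the Lookup Table column type it belongs to.

    The six type names are the ones offered when a user-defined table is
    created; the concrete conversions and the ISO date format are
    assumptions made for this example.
    """
    raw = raw.strip()
    if type_name == "Integer":
        return int(raw)
    if type_name == "Float":
        return float(raw)
    if type_name == "String":
        return raw
    if type_name == "IP address":
        return str(ipaddress.ip_address(raw))
    if type_name == "IP Mask":
        return str(ipaddress.ip_network(raw, strict=False))
    if type_name == "Date":
        return datetime.strptime(raw, "%Y-%m-%d").date().isoformat()
    raise ValueError(f"unknown column type {type_name!r}")


def import_records(text, columns, delimiter=",", skip_header=True, field_map=None):
    """Parse delimited text into typed rows for a table defined by `columns`.

    columns:   list of {"name", "type", "key"?} dicts in table order.
    field_map: column name -> index of the file field that feeds it (the
               wizard's Field Options); defaults to file order == table order.
    Returns (rows, errors); errors are (line number, message) tuples.
    Raises ValueError when more than MAX_IMPORT_RECORDS rows would be imported.
    """
    if field_map is None:
        field_map = {c["name"]: i for i, c in enumerate(columns)}
    key_cols = [c["name"] for c in columns if c.get("key")]
    rows, errors, seen_keys = [], [], set()
    for lineno, fields in enumerate(csv.reader(io.StringIO(text), delimiter=delimiter), 1):
        if (skip_header and lineno == 1) or not fields:
            continue
        try:
            row = {c["name"]: parse_value(c["type"], fields[field_map[c["name"]]])
                   for c in columns}
        except (ValueError, IndexError) as exc:
            errors.append((lineno, f"{type(exc).__name__}: {exc}"))
            continue
        key = tuple(row[name] for name in key_cols)
        if key_cols and key in seen_keys:
            errors.append((lineno, f"duplicate key {key}"))
            continue
        seen_keys.add(key)
        rows.append(row)
        if len(rows) > MAX_IMPORT_RECORDS:
            raise ValueError(f"import exceeds {MAX_IMPORT_RECORDS} records")
    return rows, errors


# Constructed layout for a user-defined table of critical servers.
CRITICAL_SERVER_COLUMNS = [
    {"name": "ip", "type": "IP address", "key": True},
    {"name": "hostname", "type": "String"},
    {"name": "added", "type": "Date"},
]

# Constructed tab-delimited input: a header, two good rows, a bad IP, a duplicate key.
SAMPLE_TSV = (
    "ip\thostname\tadded\n"
    "10.1.2.3\tdb01.example.com\t2011-05-01\n"
    "10.1.2.4\tdb02.example.com\t2011-05-01\n"
    "not-an-ip\tbad.example.com\t2011-05-02\n"
    "10.1.2.3\tdup.example.com\t2011-05-03\n"
)


def run_demo():
    """Import the constructed file into the critical-servers layout."""
    return import_records(SAMPLE_TSV, CRITICAL_SERVER_COLUMNS, delimiter="\t")


if __name__ == "__main__":
    imported, rejected = run_demo()
    print(f"{len(imported)} rows imported, {len(rejected)} rejected")
    for lineno, message in rejected:
        print(f"  line {lineno}: {message}")
```

Rejected rows are reported with their line number rather than silently dropped, which is what you want to check before clicking Start in the wizard: a typo in a critical server's address would otherwise leave that server unwatched by every rule that reads the table.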


Section 4. Understanding event collectors

■ Chapter 9. Introducing event collectors

■ Chapter 10. Installing event collectors

■ Chapter 11. Configuring point products and collectors

■ Chapter 12. Configuring collectors for event filtering and aggregation


Chapter 9. Introducing event collectors

This chapter includes the following topics:

■ About Event Collectors and Information Manager

■ Components of collectors

About Event Collectors and Information Manager

Security products and operating systems generate many kinds of events. Some events are informational, such as a user logging on, and others may indicate a security threat, such as antivirus software being disabled.

Symantec Event Collectors gather, filter, and aggregate these events and forward both the raw and the processed events to Information Manager.

See “Components of collectors” on page 164.

Event Collectors collect information from security devices, critical applications, and services, such as the following product types:

■ Firewalls

■ Routers, switches, and VPNs

■ Enterprise Antivirus

■ Intrusion detection and intrusion prevention

■ Vulnerability scanners

■ Authentication servers

■ Windows and UNIX system logs

Information Manager stores the event data in event archives and correlates the events with threat and asset information. If a security event triggers a correlation rule, Information Manager creates a security incident.


Information Manager provides real-time event correlation and data archiving to protect against security threats and to preserve critical security data.

For more details on event collectors, refer to the Symantec Event Collectors Integration Guide.

Components of collectors

Event collectors gather, filter, and aggregate security events and forward both the raw and the processed events to Information Manager.

See “About Event Collectors and Information Manager” on page 163.

Table 9-1 Major components of collectors

Component: Description

Information Manager: Refers to the Symantec Security Information Manager where events are processed, filtered, and stored. Allows for the centralized collection, classification, and normalization of events to enable alerts and reports across managed security products.

Symantec Event Agent: Refers to the Java application that performs the communication functions for the Information Manager components on the system on which it is installed.

Collector: Refers to an application that collects events from security products, processes them, and passes them to the Agent.

Sensor: Refers to the component that reads events from a file, database, syslog, Windows event log, or other medium. The sensor then passes the events to the remaining collector components. The information is then delivered to the Agent to be sent to Information Manager.

Security or Point product: Refers to the software product, such as a firewall, antivirus software, or an operating system. The security product ensures that data is not vulnerable to unauthorized use or access and is the source of events to the collector.

See “About Event Collectors and Information Manager” on page 163.


Chapter 10. Installing event collectors

This chapter includes the following topics:

■ Before you install collectors

■ About installation and configuration tasks for collectors

■ Registering Collectors

■ Installing the Symantec Event Agent

■ Installing the collector on a remote computer

■ Installing collectors on an Information Manager server

■ About Symantec Universal Collectors

■ Downloading and installing the Symantec Universal Collectors

Before you install collectors

You must perform the following tasks before you install the collector:

■ Meet requirements for both the point product and the collector. See “Requirements for point products and the collectors” on page 165.

■ Update the hosts file. See “Updating the hosts file” on page 166.

■ Run LiveUpdate before upgrading an earlier collector.

Requirements for point products and the collectors

Each collector is compatible with specific versions of a point product. Collectors can generally be installed on a variety of operating systems. Please refer to the specific collector guide to confirm compatibility with the operating system.


See “Before you install collectors” on page 165.

In general, the following operating systems are supported:

■ Microsoft Windows 2000 with Service Pack 4 or later

■ Microsoft Windows Advanced Server 2000 with Service Pack 4 or later

■ Microsoft Windows Server 2003 Enterprise Edition with Service Pack 1 or later

■ Microsoft Windows Server 2003 Standard Edition with Service Pack 2 or later

■ Windows XP with Service Pack 2 or later

■ Red Hat Enterprise Linux AS 3.0

■ Red Hat Enterprise Linux AS 4.0

■ Red Hat Enterprise Linux AS 5.0

■ Sun Solaris (SPARC) 8.0, 9.0, and 10.0

Note: You can install version 4.3 collectors and later on both 32-bit and 64-bit versions of Windows Server 2000/2003. You can install version 4.2 collectors only on the 32-bit version of Windows Server 2000/2003.

Minimum system requirements for a remote collector installation are as follows:

■ Intel Pentium 133-MHz processor (up to and including Xeon processor), or SPARC IIIi or later

■ 512-MB minimum; 1 GB of memory for the Symantec Event Agent

■ 35 MB of available hard disk space for collector program files

■ 95 MB of available hard disk space to accommodate the Symantec Event Agent, the JRE and the collector

■ TCP/IP connection to a network from a static IP address

Updating the hosts file

The hosts file contains IP address and host name mapping information. You must manually update the hosts file if there is no fully-qualified domain name for the Information Manager server. You must also manually update the hosts file if you do not use a Domain Name System (DNS) server. You must add the IP address and host name information that is relevant to Information Manager and to the collectors that collect event data. Host names must be fully qualified domain names.

See “Before you install collectors” on page 165.


To update the hosts file

1 Navigate to the directory of the hosts file as follows:

■ On Windows, the hosts file is located in the C:\WINDOWS\system32\drivers\etc folder.

■ On UNIX, the hosts file is located in the /etc directory.

2 Use a text editor such as Notepad in Windows or vi on UNIX to open the hosts file.

3 Add the IP address and host name entries for the Information Manager server. Follow the instructions that are provided in the hosts file to add IP address and host name mapping information to the file.

Use a tab between the IP address and host name.

4 After you have added the IP address and host name, save and close the file.

You should ensure that the text editor that you use does not add a file extension.

About installation and configuration tasks for collectors

See “About Event Collectors and Information Manager” on page 163.

Collector installation and configuration include the following major tasks:

Preinstallation requirements

■ Depending on the collector, a collector can run on various operating systems. See “Requirements for point products and the collectors” on page 165.

■ You must manually update the hosts file if there is no fully qualified domain for the Information Manager server. See “Updating the hosts file” on page 166.

Registration of the collector

For all off-server collector installations, the Information Manager server requires you to register the collector for configuration settings and event schema. See “Registering Collectors” on page 170.

Installation of the Symantec Event Agent

You must install the Symantec Event Agent on the same computer as the collector computer. You should also verify Symantec Event Agent installation and operation.

Installation of the collector component

You must install the collector component to read data from the point product. You can install all collectors on a remote computer. You can install most collectors on the Information Manager server itself. However, universal collectors are installed by default on the Information Manager server. You do not need to install the universal collectors on the server. See “Installing the collector on a remote computer” on page 181. See “Installing collectors on an Information Manager server” on page 182.

You should also verify collector installation. See “Verifying collector installation” on page 182.

Configuration of the point product

See “About configuring a point product to work with a collector” on page 189.

Configuration of the collector

Depending on the collector, you can configure the collector in the following ways:

■ Create and configure the sensor. See “Creating and configuring sensors” on page 190.

■ You can enable the collector to collect the entire raw event message from the point product instead of the parsed fields. See “Configuring collector raw event logging” on page 195.

■ Configure event filtering and aggregation. See “Configuring event filtering” on page 197. See “Configuring event aggregation” on page 200.

You should also verify collector configuration. See “Verifying collector configuration” on page 184.

The following installation and configuration tasks depend on various factors:

A collector that uses a database sensor to collect events requires the completion of additional tasks.
Before you use a database sensor collector, you must complete the various installation and configuration tasks that are related to the database that is used.

A collector that uses a Syslog sensor to collect events can possibly use Syslog Director.
Syslog Director accepts syslog events from any point product that is installed on the Information Manager server.

You can configure a Logfile sensor to read logs from the log files.
The Agent service must have access to the file that the agent reads.

Retrieval of support for new events and query updates.
You can run LiveUpdate to receive collector updates such as support for new events and query updates.

Deploying many collectors.
If you need to configure many collectors at once, you can create a csv-formatted file.

Uninstallation of the collector and its components.
You can uninstall the collector and its components.

Registering Collectors

The Information Manager Web configuration interface provides a page to register and to unregister the configuration settings and event schema. The Information Manager server requires these settings and schema to recognize and to log events from the point product.

You must register the collector for all remote installations. If you use a collector that resides on the Information Manager server, you do not need to install the agent and you do not need to register the collector.

To register a collector

1 Launch the Information Manager Web configuration interface at the following URL:

https://Information_Manager_Host_Name_or_IP_address

Symantec recommends that you use the Fully Qualified Domain Name of the Information Manager.

If you have the Information Manager Client console open, you should close it.

2 From the Information Manager Web configuration interface, click Settings > Collector Registration.

3 On the page that appears, click Register.

4 In the first box provided, type (or click Browse to select) the path to the collector_name.SIP file that was provided with your collector installation package.

You can select paths for up to 5 files.

The default location for this file is the sip/ subdirectory of the collector installation package.

5 Click Begin Registration.

Installing the Symantec Event Agent

The Symantec Event Agent sends the data that the collector collects to the Information Manager server. The agent is always installed on the same computer as the collector component. In some cases, you must install the agent on the same computer as the security product for which it collects events. In other cases, you can install the collector on a separate computer from the security product for which it collects events. This computer must have network access to the Information Manager server.

See “About installation and configuration tasks for collectors” on page 167.

Preinstallation requirements

The prerequisites for installing the Symantec Event Agent 4.7 are as follows:

■ The host name should be resolvable from the computer on which you want to install Symantec Event Agent 4.7.

■ The installation process stops if any previous installations of the Event Agent are detected. You must uninstall all previous versions of the Event Agent to continue.

See “About installation and configuration tasks for collectors” on page 167.

About installing the Event Agent

You can install the Event Agent on the following platforms:

■ Windows. See “Installing the Event Agent on Windows” on page 172.

■ Solaris. See “Installing the Event Agent on Solaris” on page 173.

■ Linux. See “Installing the Event Agent on Linux” on page 175.

See “About installation and configuration tasks for collectors” on page 167.

Before you install the Symantec Event Agent, you should complete the following steps in the order presented:

■ Uninstall any previous version of the agent.

■ Ensure that there is network connectivity between the system where the agent is installed and the Information Manager server.

■ If there is a firewall between the agent computer and the Information Manager server, ensure that the following ports are open:

■ 10012

Note: Using this port is a new option with Symantec Event Agent 4.7 and it is optional.


■ TCP 5998

■ TCP 443

■ TCP 80

When you complete the Symantec Event Agent operation, you can verify installation by doing the following:

■ Verify Symantec Event Agent installation. See “Verifying Symantec Event Agent installation” on page 178.

■ Verify Symantec Event Agent operation. See “Verifying Symantec Event Agent operation” on page 179.

Installing the Event Agent on Windows

To install the Event Agent on Windows

1 Download the installation file for Windows and the corresponding md5 file from the Download page of the Web configuration interface.

2 Verify the integrity of the downloaded installation file using the downloaded md5 file.

3 Click on the install.exe file to start the installation process and then click Next.

4 The Choose Install folder panel displays.

The installation process stops if any previous installations are detected. You can continue only after the detected installation is removed.

See “About uninstalling the Event Agent” on page 176.

5 Browse and select the destination folder for the installation files or retain the default folder and click Next.

6 Enter the IP address or host name of the Information Manager server when prompted. Ensure that you check the option box for Run Connection and communication tests during installation and then click Next.

7 The connection to the Information Manager server is checked. On a successful connection to the server, a Connectivity Test was successful message is displayed.

In case the connection is not successful, check the connectivity and try again. Click Next to continue.

The panel to install a third-party CA root certificate displays.


8 Click Next to continue. If you want to install a third-party CA root certificate, enable the option box for installing the third-party CA root certificate and then click Next.

9 Click the Choose option and browse to the folder that contains the certificate.

A list of available certificates in that folder is displayed.

10 Select the required certificate and then click Next.

The Pre-Installation Summary panel displays the product name, installation folder, the Information Manager server IP address and the disk space information.

11 Click Install. The Verify Agent communications panel displays.

12 Click Next to continue. The Install Complete panel displays with the installation folder.

Installing the Event Agent on Solaris

To install the Event Agent on Solaris

1 Connect to the Information Manager server using an account with administrative privileges either by using an SSH client or by logging on locally. You must log on as root to install the Event Agent.

2 Download the following files to the /tmp folder from the download links for Solaris Client. The download links are found on the download page of the thin client of the Information Manager server.

symevtagent_solaris_r4.7.0.0xx.md5sum and symevtagent_solaris_r4.7.0.0xx.tar.gz

xx should be replaced with the build number of the release.

You must use binary mode when transferring the files to the Information Manager server. Some FTP utilities use ASCII mode by default, which corrupts the installation file.

3 Verify the integrity of the downloaded .tar file by using md5sum.

Both the .md5sum and .gz files must be present in the same directory for md5sum to execute correctly. For more information on md5sum, see the man pages.


4 To unpack the Event Agent 4.7 release, execute the commands:

gunzip symevtagent_solaris_r4.7.0.0xx.tar.gz

tar -xvf symevtagent_solaris_r4.7.0.0xx.tar

xx should be replaced with the build number of the release.

These commands create an Agent directory and unpack the installation file to it.

5 Change directories to the Event Agent 4.7 release folder as shown:

cd Agent

6 Execute the following commands:

chmod +x install.sh

./install.sh

The installation process stops if any previous installations are detected. You can continue only after the detected installation is removed.

See “About uninstalling the Event Agent” on page 176.

7 Enter the destination folder path or accept the default path to continue when prompted.

8 Enter the IP address or host name of the Information Manager server when prompted. The connection to the Information Manager server is checked and a message is displayed if the connection is successful.

9 If you want to install third-party CA root certificates, enter the path for the folder that contains the certificates when prompted.


Installing the Event Agent on Linux

To install the Event Agent on Linux

1 Connect to the Information Manager server using an account with administrative privileges either by using an SSH client or by logging on locally. You must log on as root to install the Event Agent.

2 Download the following files to the /tmp folder from the download links for Linux Client. The download links are found on the download page of the Web configuration interface of the Information Manager.

symevtagent_linux_r4.7.0.0xx.tar.gz and symevtagent_linux_r4.7.0.0xx.md5sum

xx should be replaced with the build number of the release.

Use binary mode to transfer the files to the Information Manager server. Some FTP utilities use ASCII mode by default, which corrupts the installation file.

3 Verify the integrity of the downloaded .tar file by using md5sum.

Both the .md5sum and .gz files must be present in the same directory for md5sum to execute correctly. For more information on md5sum, see the man pages.

4 Unpack the Event Agent 4.7 release by executing the following commands:

gunzip symevtagent_linux_r4.7.0.0xx.tar.gz

tar -xvf symevtagent_linux_r4.7.0.0xx.tar

xx should be replaced with the build number of the release.

These commands create an Agent directory and unpack the installation file to it.

5 Change directories to the Event Agent 4.7 release folder by executing the following command:

cd Agent

6 Execute the following command:

sh install.sh

The installation process stops if any previous installations are detected. You can continue only after the detected installation is removed.

See “About uninstalling the Event Agent” on page 176.

7 Enter the destination folder path or accept the default path to continue when prompted.


8 Enter the IP address or host name of the Information Manager server when prompted. The connection to the Information Manager server is checked and a message is displayed if the connection is successful.

9 If you want to install third-party CA root certificates, enter the path for the folder that contains the certificates when prompted.
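As an added example (not a script from the guide), the following POSIX shell function wraps steps 3 and 4 of the Solaris and Linux procedures so that the archive is unpacked only after md5sum -c has passed, and it enforces the same-directory requirement the guide notes. The package it builds for the demonstration is a constructed stand-in, not a Symantec build; the file names keep the guide's xx placeholder.

```shell
#!/bin/sh
# Added example, not part of the Symantec Event Agent package.
# verify_and_unpack <archive.tar.gz>: looks for <name>.md5sum beside the
# archive, runs md5sum -c from that directory, and only on success runs the
# gunzip / tar commands from the procedure. Prints the unpacked Agent path.
# Return codes: 0 unpacked, 1 checksum mismatch, 2 files missing, 3 unpack error.

SAMPLE_NAME="symevtagent_linux_r4.7.0.0xx"   # guide's placeholder build name

verify_and_unpack() {
    archive="$1"
    dir=$(dirname "$archive")
    base=$(basename "$archive" .tar.gz)
    sumfile="$dir/$base.md5sum"

    if [ ! -f "$archive" ] || [ ! -f "$sumfile" ]; then
        echo "archive or md5sum file missing in $dir; both must be present" >&2
        return 2
    fi

    # md5sum -c reads "<hash>  <filename>" and resolves the filename relative
    # to the current directory, so it must run where both files live.
    if ! (cd "$dir" && md5sum -c "$(basename "$sumfile")" >/dev/null 2>&1); then
        echo "checksum mismatch for $archive; refusing to unpack" >&2
        return 1
    fi

    # Same commands as the procedure, reached only after the checksum passed.
    (cd "$dir" && gunzip -f "$base.tar.gz" && tar -xf "$base.tar") || return 3
    echo "$dir/Agent"
}

# Constructed stand-in for the download: a tiny Agent/ tree, tarred, gzipped,
# and checksummed the way the vendor files are laid out. Prints the archive path.
make_sample_package() {
    pkgdir=$(mktemp -d)
    mkdir "$pkgdir/Agent"
    printf '#!/bin/sh\necho "sample installer (constructed)"\n' > "$pkgdir/Agent/install.sh"
    (cd "$pkgdir" && tar -cf "$SAMPLE_NAME.tar" Agent && gzip -f "$SAMPLE_NAME.tar" \
        && md5sum "$SAMPLE_NAME.tar.gz" > "$SAMPLE_NAME.md5sum")
    rm -rf "$pkgdir/Agent"
    echo "$pkgdir/$SAMPLE_NAME.tar.gz"
}

# Stand-alone demonstration on the constructed package.
demo_pkg=$(make_sample_package)
if agent_dir=$(verify_and_unpack "$demo_pkg"); then
    echo "unpacked to $agent_dir"
fi
rm -rf "$(dirname "$demo_pkg")"
```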

About uninstalling the Event Agent

You can uninstall the Event Agent installation on Windows, Linux, or Solaris if required by using one of the following options:

■ Uninstalling the Event Agent on Windows. See “About uninstalling the Event Agent on Windows” on page 176.

■ Uninstalling the Event Agent on Linux and Solaris. See “About uninstalling the Event Agent on Linux and Solaris” on page 176.

About uninstalling the Event Agent on Windows

Use one of the following methods to uninstall the Event Agent:

■ Remove the Event Agent program through Add or Remove Programs. This feature is applicable only for the Symantec Event Agent 4.7 release.

Note: Add or Remove Programs is known as Programs and Features in all the versions of Windows 2008.

■ Execute the Uninstall Symantec Event Agent.exe file in the Event Agent folder.

See “About installation and configuration tasks for collectors” on page 167.

About uninstalling the Event Agent on Linux and Solaris

If you want to uninstall the Event Agent, change to the Event Agent installation folder and run the install.sh script with the -u switch as follows:

./install.sh -u

See “About installation and configuration tasks for collectors” on page 167.

Event Agent Management with agentmgmt.bat utility

Table 10-1 lists the options that are available when you run the agentmgmt.bat utility.


See “About installation and configuration tasks for collectors” on page 167.

Table 10-1 Options available with the agentmgmt.bat utility

Option 1, Show Agent Status: Shows the following information about the agent status:

■ Port to which it is connected

■ Connection status

■ Number of events received

■ Number of events sent

■ Name of the server it is connected to

Option 2, Flush Agent Queue: Forces the agent to reconnect and send data to the server. If the agent is in disconnected mode, flushing the queue resets the agent to connected mode and sends events to the server.

Option 3, Reload Agent Configurations: Reloads the agent configuration from the Information Manager server without restarting the agent.

Option 4, Force Agent to send its Software Inventory and state Updates: Forces the agent to send information about software inventory and state updates to the LDAP directory.

Option 5, View log files: Opens the log files for viewing in a Swing-based UI.

Note: Selecting this option displays an error if the UI is not supported on the Linux or Solaris terminal.

Option 6, Force Re-Bootstrap of Agent to same or to different server: Re-bootstraps the agent to the existing server or to a different server; used to reconnect to the same server or to a different server.

Option 7, Gather data for Technical Support: Gathers data such as logs and configurations into a compressed file named sesa-<HostName>-<guid>.zip.

Option 8, Enable or disable Collector Debug: Changes the log level to debug.

Option 9, Start the Agent: Starts the agent.

Option 10, Stop the Agent: Stops the agent.

Option 11, Quit the menu: Quits the menu-based script file.

Verifying Symantec Event Agent installation

To verify installation of the Symantec Event Agent, you can perform the following tasks in the order presented:

■ Verify Symantec Event Agent connectivity from Information Manager.

■ Verify the Information Manager IP address and Symantec Event Agent port.

See “About installation and configuration tasks for collectors” on page 167.

To verify Symantec Event Agent connectivity from Information Manager

1 From a Windows computer that has the Information Manager Client installed, log on with an Information Manager user account with sufficient rights to view events.

The Information Manager user must belong to a role that has rights to the Information Manager-integrated collector.

2 In the Information Manager console, in the left pane, click System.

3 On the Administration tab, expand the tree until you see Organizational Units.

4 Expand Organizational Units > Default.

5 Verify that the name of the collector computer is listed.

6 Right-click the computer name, and then click Properties.

7 In the Computer Properties dialog box, on the Services tab, verify that the Agent Service displays Yes in the Started column.


To verify the Information Manager IP address and the Symantec Event Agent port

1 From the collector computer, navigate to the Symantec Event Agent installation folder.

On Windows, the default location is C:\Program Files\Symantec\Event Agent

On UNIX, the default location is /opt/Symantec/sesa/Agent

On UNIX, you must become superuser.

2 In a text editor, such as Notepad on Windows or vi on UNIX, open the configprovider.cfg file.

3 Verify that the following options contain the correct settings for the collector product to which you want to send events:

■ MgmtServer contains the correct Symantec Security Information Manager IP address.

■ MgmtPort contains the correct Symantec Event Agent port number (the default value is 443).

Verifying Symantec Event Agent operation

You can verify that the Symantec Event Agent is operating correctly by running the Show Agent Status script.

To run the Show Agent Status script to verify Symantec Event Agent operation

1 On the collector computer, navigate to the Agent directory as follows:

■ On Windows, the default location is C:\Program Files\Symantec\Event Agent.

■ On UNIX, the default location is /opt/Symantec/sesa/Agent. On UNIX, you must become superuser.

2 To access the Collector and Agent Management scripts, at the command prompt, do one of the following steps:

■ On Windows, type the following command: agentmgmt.bat

■ On UNIX, type the following command: ./agentmgmt.sh

3 At the SSIM Collector / Agent Management Scripts menu, select the following option:

1. Show Agent Status

If the Agent is not running, the following message appears:


The agent command cannot be executed.

Failed to make a connection to the agent.

The Symantec Event Agent is possibly not running.

If the Agent is running, something similar to the following message appears:

Symantec Event Agent (v 4.5.0.12) - Copyright(c) - Symantec Corporation

Symantec Event Agent status: running

Listening on: 172.16.0.1:8086

SSL: Off

SESA Manager URL: https://172.16.0.1:443/sesa/servlet/

Outbound Thread State: CONNECTED

Java Version 1.6.0

Queue Status

Total events accepted: 502

Total events forwarded: 502

Entries waiting in queue: 0

Direct events accepted: 0

Queue File: .\agent.que

Flush Size (KB): 2000

Flush Count: 1000

Flush Time (sec): 4

Spool Size (KB): 20000

Max Queue Size (KB): 80000

Forwarding Provider: Symc_SESAEventForwardingProvider

Post failures due to unexpected response code: 6

Total number of post failures: 0

Event Acceptor HTTP ThreadPool:

Thread 0 state = IDLE

Thread 1 state = IDLE

Thread 2 state = IDLE

Thread 3 state = IDLE

Last state update time: Mon Apr 28 18:24:17 PDT 2008

Last configuration download request time:

Mon Apr 28 18:24:17 PDT 2008

Last configuration update invocation time:

Mon Apr 28 18:24:17 PDT 2008

Last configuration update completion time:

Mon Apr 28 18:24:17 PDT 2008


Installing the collector on a remote computer

The collector component reads the data from the security product, formats the data, and forwards it to the Symantec Event Agent. The collector computer must have access to the product to monitor.

Before you install the collector component, you must complete the following tasks in the order shown:

■ Register the collector. Refer to the online Help on the Web configuration interface for more information on how to register the collectors.

■ Install the Symantec Event Agent.

Note: You must install the agent for all remote installations. If you use a collector that resides on the Information Manager server, you do not have to install the agent.

See “About installation and configuration tasks for collectors” on page 167.

When you have completed the installation of the collector on a remote computer, you should verify that the Symantec Event Agent and collector are running.

See “Verifying collector installation” on page 182.

To install the collector on a remote computer

1 On the collector computer, navigate to the install subdirectory of the collector installation files. The installation files are located in a temporary directory.

You must install some collectors on the same computer as the product for which it collects events.

2 At a command prompt, do one of the following steps:

■ On Windows, type the following command: install.bat

■ On UNIX, type the following command: sh ./install.sh

3 Follow the installation wizard prompts.

Symantec recommends that you run LiveUpdate at the end of the installation.


Installing collectors on an Information Manager server

If you install the collector on the server, you do not need to register the collector nor install the Symantec Event Agent.

See “About installation and configuration tasks for collectors” on page 167.

To install a collector on an Information Manager server

1 Unzip the installation package onto your Information Manager client computer.

You can obtain the collector package from https://fileconnect.symantec.com.

The installation package includes a subdirectory that is named server. The server subdirectory contains a file that is named as follows:

install-collector_name collector.jar

where collector_name represents the name of the collector.

2 On the Web configuration interface, click Maintenance > System Updates.

3 Click Install in the tree pane, and then browse to the server directory where you unzipped the installation package.

4 Select the install-collector_name collector.jar file and click Upload and Install.

5 On the Confirm Installation page, click Continue.

The status of the install process is displayed.

6 When you have completed the steps required, close the Information Manager Web configuration interface.

Verifying collector installation

To verify the collector installation, you must complete the following procedures in the order presented:

■ On the collector computer, verify that the appropriate services or daemons are started. On a Windows computer, you verify that services have started. On a UNIX computer, you verify that daemons have started. See “To verify that the appropriate services have started on Windows” on page 183. See “To verify that the appropriate daemons have started on UNIX” on page 183.

■ Verify that the Symantec Event Agent and collector are running.


See “To verify that the Symantec Event Agent and collector are running” on page 183.

To verify that the appropriate services have started on Windows

1 On the collector computer, on the Start menu, click Settings > Control Panel.

2 In the Control Panel window, select Administrative Tools.

3 In the Administrative Tools window, select Services.

4 In the Services dialog box, verify that the Symantec Event Agent Service is listed and is started.

To verify that the appropriate daemons have started on UNIX

1 On the collector computer, log on as superuser.

2 At the command prompt, type the following command:

ps -ef | grep sesagentd

3 Verify that the sesagentd process exists.

To verify that the Symantec Event Agent and collector are running

1 On the collector computer, navigate to the agent directory as follows:

■ On Windows, the default location is C:\Program Files\Symantec\Event Agent

■ On UNIX, the default location is /opt/Symantec/sesa/Agent. On UNIX, you must become superuser.

2 To access the Collector and Agent Management scripts, on the command prompt, do one of the following:

■ On Windows, type the following command: agentmgmt.bat

■ On UNIX, type the following command: ./agentmgmt.sh

3 On the SSIM Collector / Agent Management Scripts menu, select the following option:

1. Show Agent Status

If the Agent is not running, the following message appears:

The agent command cannot be executed.

Failed to make a connection to the agent.

The Symantec Event Agent is possibly not running.

If the Agent is running, something similar to the following message appears:


Symantec Event Agent (v 4.7.1.21) - Copyright(c) 2002-2011 - Symantec Corporation

Symantec Event Agent status: running

Listening on: 127.0.0.1:8086

Sending on Port: 10012

SSL: Off

SSIM Server URL: http://127.0.0.1:80/sesa/servlet/

Outbound Thread State: CONNECTED

Java Version 1.6.0_26

Queue Status

Total events accepted: 10567

Total events forwarded: 10567

Entries waiting in queue: 0

Queue File: ./QueueFiles/filequeue.1314524056106.que

Flush Size (KB): 2000

Flush Count: 512

Flush Time (sec): 4

Spool Size (KB): 20000

Max Queue Size (KB): 80000

HTTP forwarding statistics:

Post failures due to HTTP response code 400: 12

Total number of HTTP post failures: 12

Event Acceptor HTTP ThreadPool:

Thread 0 state = IDLE

Thread 1 state = IDLE

Thread 2 state = IDLE

Thread 3 state = IDLE

Last state update time: Mon Aug 29 16:11:49 IST 2011

Last configuration download request time: none

Last configuration update invocation time: Tue Aug 30 07:59:36 IST 2011

Last configuration update completion time: Tue Aug 30 07:59:39 IST 2011
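As an added check that is not part of the guide or of the agentmgmt scripts, the following POSIX shell script reads a saved copy of the Show Agent Status text from either verification procedure above (the 4.5-era listing on page 180 labels the server "SESA Manager URL", the 4.7 listing here "SSIM Server URL") and turns it into an exit code, flagging a stopped or disconnected agent, a queue backlog, HTTP post failures, and plaintext forwarding to a server that is not on the local host. The listing it parses is constructed for the demonstration, and the address 192.0.2.10 is a placeholder.

```shell
#!/bin/sh
# Added health check, not part of the Symantec guide or its agentmgmt scripts.
# Usage: agent_health <file containing the output of option 1, Show Agent Status>
# Exit code: 0 healthy, 1 agent down or disconnected, 2 connected but degraded.

# Print the value after "<label>:" on the first line that starts with <label>.
field() {
    awk -v key="$2" 'index($0, key ":") == 1 {
        v = substr($0, length(key) + 2); sub(/^[ \t]+/, "", v); print v; exit }' "$1"
}

agent_health() {
    f="$1"
    if grep -q 'Failed to make a connection to the agent' "$f"; then
        echo "CRITICAL: management script could not reach the agent (not running?)"
        return 1
    fi
    status=$(field "$f" "Symantec Event Agent status")
    thread=$(field "$f" "Outbound Thread State")
    url=$(field "$f" "SSIM Server URL")
    [ -n "$url" ] || url=$(field "$f" "SESA Manager URL")   # label used by 4.5-era agents
    accepted=$(field "$f" "Total events accepted")
    forwarded=$(field "$f" "Total events forwarded")
    waiting=$(field "$f" "Entries waiting in queue")
    # Sum every "Post failures due to ...: N" line, whatever the response code text.
    failures=$(awk -F': *' '/^Post failures due to/ { n += $NF } END { print n + 0 }' "$f")

    rc=0
    if [ "$status" != "running" ] || [ "$thread" != "CONNECTED" ]; then
        echo "CRITICAL: status=${status:-?} outbound thread=${thread:-?}"
        rc=1
    fi
    if [ "${waiting:-0}" -gt 0 ]; then
        echo "WARNING: $waiting entries waiting in queue (forwarded $forwarded of $accepted)"
        [ "$rc" -eq 0 ] && rc=2
    fi
    if [ "$failures" -gt 0 ]; then
        echo "WARNING: $failures HTTP post failures since start; check MgmtServer and MgmtPort"
        [ "$rc" -eq 0 ] && rc=2
    fi
    case "$url" in
        http://127.0.0.1:*|http://localhost:*) ;;   # on-box agent: plaintext stays local
        http://*)
            echo "WARNING: events leave this host in plaintext to $url (SSL: $(field "$f" SSL))"
            [ "$rc" -eq 0 ] && rc=2 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $forwarded/$accepted events forwarded to $url"
    return "$rc"
}

# Constructed listing modelled on the status output above; not a real capture.
write_sample_status() {
    cat > "$1" <<'EOF'
Symantec Event Agent (v 4.7.1.21) - Copyright(c) 2002-2011 - Symantec Corporation
Symantec Event Agent status: running
Listening on: 127.0.0.1:8086
Sending on Port: 10012
SSL: Off
SSIM Server URL: http://192.0.2.10:80/sesa/servlet/
Outbound Thread State: CONNECTED
Queue Status
Total events accepted: 10567
Total events forwarded: 10540
Entries waiting in queue: 27
HTTP forwarding statistics:
Post failures due to HTTP response code 400: 12
Total number of HTTP post failures: 12
EOF
}

# Stand-alone demonstration on the constructed listing (exits 2: degraded).
sample=$(mktemp)
write_sample_status "$sample"
agent_health "$sample"
rm -f "$sample"
```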

Verifying collector configuration

You verify collector configuration by performing the following procedures in the order shown:

■ View audit events. The audit events display whether or not a successful connection was made to the data source. You can view audit events again to troubleshoot a problem. See “To view audit events” on page 185.


■ Verify that the Symantec Event Agent and sensor are up. See “To verify that the Symantec Event Agent and Sensor are up” on page 185.

To view audit events

1 On a Windows computer that has the Information Manager console installed, start the console.

2 Log on with an administrator account.

3 In the Information Manager console, in the left pane, click Events.

4 In the tree, click System Queries > SSIM > SSIM system > Audit events for SSIM.

5 In the right pane, check the name of the Information Manager server, and then click Run Query.

6 Check for the following entry in the Event Type ID column: Successful Connection to Data Source.

The Severity ID for this type of event is 1 - Informational.

7 Right-click on rows with a Severity ID that is higher than 1, and click Event Details.

The Event Details window includes a more detailed description of the problem.

Following is an example of an event with a Severity ID of 6:

Report file rename failed.

To verify that the Symantec Event Agent and Sensor are up

1 On a Windows computer that has the Information Manager Java client installed, start the client.

2 Log on with an administrator account.

3 In the Information Manager console, in the left pane, click System.

4 On the Visualizer tab, click Table View.

5 In the Statistics Viewer, locate the collector by the Product ID field, and the sensor and agent in the Type field.

6 In the Status field, check for the following entries:

■ Agent Up

■ Sensor Up

If the Agent and Sensor are not up, the status field displays the following entry:

Unknown


About Symantec Universal Collectors

Symantec provides universal collectors. These universal collectors gather, filter, and aggregate events from security devices, critical applications, and services. The collectors then forward both the raw and the processed events to Information Manager. Universal collectors are used in scenarios where standard options are not available.

You can use the CustomLogs view on the Web configuration interface to map the log information to the fields that the Information Manager supports.

Universal collectors are installed on an Information Manager by default. To install the universal collectors on an off-box system, you can download the following universal collectors from the Downloads option on the Home view of the Web configuration interface:

■ Universal Collector for Windows

■ Universal Collector for Windows Vista

■ Universal Collector for Syslog

■ Universal Collector for Log file

See “Downloading and installing the Symantec Universal Collectors” on page 186.

Downloading and installing the Symantec Universal Collectors

To collect logs from a proprietary application, first download and install the universal collectors on the computer on which Symantec Event Agent is installed.

See “About Symantec Universal Collectors” on page 186.

To download the universal collectors

1 Log on to the Web configuration interface as an administrator.

2 In the Web configuration interface of Information Manager, click Home > Downloads.

3 Click the download link for the universal collector that you want to download.

4 Save the installation zip file for the universal collector on the computer where you want to install the collector.


To install the universal collector on a remote computer that has Symantec Event Agent installed

1 On the computer on which Symantec Event Agent is installed, log on as administrator.

2 Unzip the installation package.

The installation package includes a subdirectory that is named install. The installation files are located in a temporary directory.

You must install some collectors on the same computer as the product for which it collects events.

3 On the command prompt, do one of the following:

■ On Windows, type the following command: install.bat

■ On UNIX, type the following command: sh ./install.sh

4 Follow the installation wizard prompts.

All the universal collectors are installed by default on the Information Manager server. The universal log file and syslog collectors are also installed by default on the Information Manager server.


Chapter 11: Configuring point products and collectors

This chapter includes the following topics:

■ About configuring a point product to work with a collector

■ Creating and configuring sensors

■ Creating a new sensor configuration

■ Configuring the collector sensor to receive security events

■ Adding, renaming, deleting, and disabling sensors

■ Importing and exporting sensor properties

■ Updating sensor properties globally

■ Configuring collector raw event logging

About configuring a point product to work with a collector

After you have installed the necessary collector components, you may need to configure the point product to make the event information available to the collector.

For example, if the collector uses a syslog sensor, you must configure the point product to send syslog events to the collector.

See “Requirements for point products and the collectors” on page 165.


Creating and configuring sensors

You must create a new sensor configuration for each collector.

See “About configuring a point product to work with a collector” on page 189.

The creation of sensor configurations includes the following tasks:

■ Creating a new sensor configuration. All collectors include a sensor configuration named Default that you cannot use. You must create a new one. See “Creating a new sensor configuration” on page 191.

■ Configuring the collector sensor to receive security events. After you create a sensor configuration, you create and configure the sensor. See “Configuring the collector sensor to receive security events” on page 192.

■ Adding, renaming, deleting, and disabling sensors. You can add, rename, delete, and disable sensors. Note: Avoid using the special characters <, &, and ' (single quote) in sensor names. See “Adding, renaming, deleting, and disabling sensors” on page 193.

■ Configuring sensor properties. Most collectors use one of the following sensor types, which you must configure: Syslog sensor, Database sensor, Log sensor, Syslog file sensor, Log file sensor, Windows Event Log sensor, OPSEC LEA sensor.

■ Importing and exporting sensor properties (optional). Some database sensor collectors are compatible with more than one type of database. An alternate sensor property file is provided for this purpose. See “Importing and exporting sensor properties” on page 193.

■ Globally updating sensor properties. If you have many sensors within the same configuration, you can update them all at once. See “Updating sensor properties globally” on page 194.

See “About installation and configuration tasks for collectors” on page 167.

Creating a new sensor configuration

Collectors use the sensors that you configure to receive security events. The sensors are grouped according to the sensor configurations. The collectors include a sensor configuration named Default. You cannot use this configuration; you must create a new configuration.

See “Creating and configuring sensors” on page 190.

See “Configuring the collector sensor to receive security events” on page 192.

Note: In the case of custom logs, administrators can create the sensor configuration through the Information Manager console only after the log type is added and the direct and the literal mappings are specified through the Custom Logs view in the Web configuration interface.

Note: Avoid using the special characters <, &, and ' (single quote) in sensor names. To effectively use the custom log management feature, you must maintain unique sensor names across different configurations for each universal collector type.

To create a new sensor configuration

1 In the Information Manager console, in the left pane, click System.

2 From the Product Configurations tab, expand the tree until you see the collector name.

3 Right-click the collector name, and choose New.

4 On the Create a New Configuration wizard page, click Next.

5 On the General page, enter a name and a description for the new configuration, and click Next.

6 On the Computers page, do the following steps in the order given:

■ Click Add.


■ Under the Available computers column, click a system from the list, and click Add. In order for a computer to be listed, the Symantec Event Agent on that computer must be bootstrapped to the Information Manager.

■ Click OK, and then click Next.

7 On the Configuration summary panel, make changes to any of your previous selections.

8 Click Finish, and then click Close.

Configuring the collector sensor to receive security events

Before you configure a sensor, you must create a sensor configuration.

See “Creating a new sensor configuration” on page 191.

After you create a sensor configuration, you must configure its sensor or sensors to receive security events.

After the sensors are configured, or when a change is made to sensor properties, the sensor properties are distributed to the collector computers.

See “Creating and configuring sensors” on page 190.

To configure the collector sensor to receive security events

1 In the Information Manager console, in the left pane, click System.

2 Select the Product Configurations tab, and then expand the tree until you see the collector name.

3 In the left pane, select the appropriate configuration.

4 In the right pane, on the Sensor tab, under the list of sensors, click the sensor.

You can rename the sensor, add new sensors, and delete sensors.

See “Adding, renaming, deleting, and disabling sensors” on page 193.

5 In the sensor property table, under the Value column, change any of the information.

6 Click Save.

7 In the left pane, right-click the appropriate configuration, and then click Distribute.

8 When you are prompted to distribute the configuration, click Yes.


Adding, renaming, deleting, and disabling sensors

When you create a new sensor configuration, a sensor is automatically created for you. You may create additional sensors, rename the sensor, delete the sensor, or disable the sensor.

Note: Avoid using the special characters <, &, and ' (single quote) in sensor names.

See “Creating a new sensor configuration” on page 191.

See “Creating and configuring sensors” on page 190.

To add, rename, delete, or disable a sensor

1 In the Information Manager console, in the left pane, click System.

2 Select the Product Configurations tab, and then expand the tree until you see the collector name.

3 In the left pane, select the appropriate configuration.

4 In the right pane, select the Sensor tab, and then, under the list of sensors, do one of the following:

■ To add a sensor, click the + (plus sign) icon. By default, the sensors that you create are named Sensor 0, Sensor 1, Sensor 2, Sensor 3, and so on.

■ To rename a sensor, double-click in the sensor name box, and type in a new name.

■ To delete a sensor, click the - (minus sign) icon. You cannot delete the default sensor. You are required to have at least one sensor.

■ To delete all sensors, click the trash can icon.

■ To disable a sensor without deleting it, uncheck the sensor.

5 Click Save.

6 In the left pane, right-click the appropriate configuration, and then click Distribute to update the collector on the target computer with the new properties.

7 When you are prompted to distribute the configuration, click Yes.

Importing and exporting sensor properties

Some database sensor collectors are compatible with more than one type of database. An alternate sensor property file is provided.


You can both import sensor properties from an XML file and export sensor properties to an XML file.

See “Creating and configuring sensors” on page 190.

To import and export sensor properties

1 In the Information Manager console, in the left pane, click System.

2 Select the Product Configurations tab, and then expand the tree until you see the collector name.

3 In the left pane, select the appropriate configuration.

4 In the right pane, on the sensor tab, do one of the following tasks:

■ To import a configuration from an XML file, click the Import Sensors icon. Then, in the Import Configuration From File window that appears, specify the XML file from which you want to import the configuration.

■ To export the selected configuration to an XML file, click the Export Sensors icon. Then, in the Export Configuration to File window that appears, specify a file name to which to export the configuration.

Updating sensor properties globally

You can copy the selected sensor properties to other sensors that are within the same configuration. You can use the Global Update function if you have many sensors that you need to update.

See “Configuring the collector sensor to receive security events” on page 192.

See “Creating and configuring sensors” on page 190.

To globally update sensor properties

1 In the Information Manager console, in the left pane, click System.

2 Select the Product Configurations tab, and then expand the tree until you see the collector name.

3 In the left pane, select the appropriate configuration.

4 In the right pane, on the Sensor tab, select a sensor so that it appears highlighted.

5 In the right pane, on the lower right, click Global Update.

6 In the Select Properties for Global Update window, place a checkmark next to the property whose value you want to propagate to all other sensors within the same configuration.

7 Click OK to complete the global update process.


8 Proceed to change the sensor properties as needed.

9 In the left pane, right-click the configuration, and then click Distribute.

10 When you are prompted to distribute the configuration, click Yes.

Configuring collector raw event logging

You can enable the collector to collect the entire raw event message from the point product instead of the parsed fields. Raw event messages are useful for forensics, incident investigation, and log retention requirements. Raw event logging also lets you preserve unaltered event messages.

See “About configuring a point product to work with a collector” on page 189.

Note: Raw event logging substantially increases event sizes.


Chapter 12: Configuring collectors for event filtering and aggregation

This chapter includes the following topics:

■ Configuring event filtering

■ Configuring event aggregation

Configuring event filtering

You can use event filtering to exclude events from being forwarded to Information Manager. Event filters let you reduce the event traffic and the number of events that are stored in the event database. Filters also let you discard the data that is less important to your organization’s security.

You can also import and export filtering configurations. Filtering configurations are exported in an XML file format; you must use the same XML file format to import the configuration.

Event filtering is not advisable for all collectors.

The XML file for filtering should be in the following format:

    <?xml version="1.0" encoding="UTF-8"?>
    <filter>
      <filter-spec enabled="false" index="0" name="Specification 0">
        <filter-field comparator="EQ" name="queue_product_id">1</filter-field>
      </filter-spec>
      <filter-spec enabled="true" index="1" name="Specification 1">
        <filter-field comparator="EQ" name="server">33</filter-field>
      </filter-spec>
    </filter>

Event filter configuration consists of the following actions:

■ Adding and enabling the event filtering rules. See “To add and enable event filtering rules” on page 198.

■ Changing the existing event filtering rules. See “To change existing event filtering rules” on page 199.

■ Importing and exporting the event filtering rules. See “To import and export event filtering rules” on page 200.

Some collectors include predefined filtering rules. Some of these predefined filtering rules are also pre-enabled.

To add and enable event filtering rules

1 In the Information Manager console, in the left pane, click System.

2 On the Product Configurations tab, in the middle pane, expand the tree until you reach the sensor configuration of a collector.

3 In the right pane, on the Filter tab, click Add.

4 Double-click Specification n (where n is 0, 1, 2, and so on), type a name for the rule, and click OK.

5 Under the rule properties table, click Add, and perform the following tasks in the order shown:

■ In the Name column, type a name for the event filter property (for example, IP Destination Port). You can also double-click in the Name text box to bring up an Information Manager fields window. You can choose from the list of items that are presented in the expanded directories of the Information Manager fields window.

■ In the Operator column, select an operator from the drop-down list (for example, equal to).

■ In the Value column, type a value or select a preset value for the event filter property (for example, 80 for the port number). You can filter events by pattern by using a regular expression function. For example, to filter all events that contain "SUCCESS", enter the following in the Value column:

    regex(.*SUCCESS.*)

All characters within the parentheses are part of the regular expression. "." and "*" are both metacharacters: "." matches any character, and "*" matches zero or more occurrences of the preceding element. Therefore, the pattern matches zero or more occurrences of any character, followed by the literal string SUCCESS, followed by zero or more occurrences of any character. To rephrase, it matches the literal string SUCCESS anywhere within the field.

6 Repeat step 5 to add more event filtering information for the rule.

All rules within a given specification use the Boolean AND to determine whether an event is a candidate for filtering. If there are multiple specifications, each specification uses the Boolean OR.

7 When you are finished adding information for the rule, in the filter list, check the filter name.

8 Click Save.

9 In the left pane, right-click the appropriate configuration, and then click Distribute.

10 When you are prompted to distribute the configuration, click Yes.

11 In the Configuration Viewer window, click Close.
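The following Python script is an added example and is not part of the Symantec documentation or the product: it parses a filter file in the format shown above, applies the comparators and the regex() value syntax described in the procedure (fields within a specification ANDed, specifications ORed), and replays a few constructed events through the rules so you can see which ones a collector would discard before forwarding them. The event field name message, the constructed events, and the assumption that a regex() pattern is matched against the whole field are illustrative; EQ and NEQ are the only comparators handled because they are the only ones that appear in this guide's samples.

```python
import re
import xml.etree.ElementTree as ET

# Constructed filter file in the format shown above. Specification 0 is
# disabled, exactly as in the guide's sample; Specification 1 adds a second
# field that uses the regex() value syntax. The "message" field name is an
# assumption for illustration.
FILTER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<filter>
  <filter-spec enabled="false" index="0" name="Specification 0">
    <filter-field comparator="EQ" name="queue_product_id">1</filter-field>
  </filter-spec>
  <filter-spec enabled="true" index="1" name="Specification 1">
    <filter-field comparator="EQ" name="server">33</filter-field>
    <filter-field comparator="EQ" name="message">regex(.*SUCCESS.*)</filter-field>
  </filter-spec>
</filter>
"""

_REGEX_VALUE = re.compile(r"^regex\((.*)\)$", re.DOTALL)


def field_matches(comparator, expected, actual):
    """Compare one event field with one filter-field.

    A value written as regex(...) is treated as a pattern applied to the
    whole field (an assumption; it is consistent with the guide wrapping
    SUCCESS in .* on both sides). EQ and NEQ are the comparators seen in
    the guide's XML samples; anything else is rejected rather than
    silently ignored, so a typo in a hand-edited file cannot make a rule
    match nothing without anyone noticing.
    """
    if actual is None:
        return False
    m = _REGEX_VALUE.match(expected)
    if m:
        hit = re.fullmatch(m.group(1), str(actual)) is not None
    else:
        hit = str(actual) == expected
    if comparator == "EQ":
        return hit
    if comparator == "NEQ":
        return not hit
    raise ValueError(f"unsupported comparator: {comparator}")


def load_filter_specs(xml_text):
    """Enabled specifications ordered by index, as
    (name, [(field, comparator, value), ...]) tuples."""
    root = ET.fromstring(xml_text)
    specs = []
    for spec in root.findall("filter-spec"):
        if spec.get("enabled", "false").lower() != "true":
            continue
        fields = [(f.get("name"), f.get("comparator", "EQ"), (f.text or "").strip())
                  for f in spec.findall("filter-field")]
        specs.append((int(spec.get("index", "0")), spec.get("name"), fields))
    return [(name, fields) for _, name, fields in sorted(specs, key=lambda s: s[0])]


def matching_spec(specs, event):
    """Name of the first specification the event satisfies, or None.
    Fields within a specification are ANDed; specifications are ORed."""
    for name, fields in specs:
        if fields and all(field_matches(c, v, event.get(n)) for n, c, v in fields):
            return name
    return None


def apply_filters(specs, events):
    """Split events into those forwarded to Information Manager and those
    discarded; each discarded event is paired with the matching rule name."""
    forwarded, discarded = [], []
    for ev in events:
        hit = matching_spec(specs, ev)
        if hit is None:
            forwarded.append(ev)
        else:
            discarded.append((ev, hit))
    return forwarded, discarded


# Constructed events: only the first satisfies both fields of Specification 1.
FILTER_SAMPLE_EVENTS = [
    {"queue_product_id": "1", "server": "33", "message": "login SUCCESS for admin"},
    {"queue_product_id": "1", "server": "33", "message": "login FAILED for admin"},
    {"queue_product_id": "2", "server": "12", "message": "login SUCCESS for guest"},
]
```

A filtered event never reaches Information Manager, so it is not available for later forensics or for the archive retention you may be required to keep. Replay a representative sample through a new rule set like this before you distribute it, and note that the disabled Specification 0 contributes nothing even though it remains in the file: the second event above is forwarded despite its queue_product_id of 1.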

To change existing event filtering rules

1 In the Information Manager console, in the left pane, click System.

2 On the Product Configurations tab, in the middle pane, expand the tree until you reach a sensor configuration of a collector.

3 In the right pane, on the Filter tab, perform any of the following tasks:

■ To add a specification, click Add.

■ To delete a specification, select the specification, and then click Remove.

■ To delete all specifications, click Remove All.

4 Perform any of the following tasks:

■ To determine the order in which Information Manager invokes the event filters, next to the list of specifications, click the arrow icons.

■ To change the name of the specification, double-click the specification in the specification list, and then, in the Name text box, type a new name.

■ If you want to disable a specification, but you do not want to delete it, in the filter list, uncheck the filter name.


5 In the rule properties table, change the information in any of the following columns:

■ Name

■ Operator

■ Value

6 Under the rule properties table, perform any of the following tasks:

■ To add a rule property, click Add.

■ To delete a rule property, select the rule property, and click Remove.

■ To delete all rule properties, click Remove All.

7 Click Save.

8 In the left pane, right-click the appropriate collector configuration, and then click Distribute.

9 When you are prompted to distribute the configuration, click Yes.

10 In the Configuration Viewer window, click Close.

To import and export event filtering rules

1 In the Information Manager console, in the left pane, click System.

2 On the Product Configurations tab, in the middle pane, expand the tree until you reach a sensor configuration of a collector.

3 In the right pane, on the Filter tab, perform one of the following tasks:

■ If you want to import, click Import configuration from XML file.

■ If you want to export, click Export configuration to XML file.

4 Perform one of the following tasks:

■ In the Import Configuration From File window that appears, specify the XML file to import into the collector.

■ In the Export Configuration to File window that appears, specify a file name to which to export the configurations.

Configuring event aggregation

Collectors include a feature that lets you group similar events. By grouping events, you reduce event traffic and the number of events that are stored in the event datastore. The first event of a given type is sent to Symantec Security Information Manager immediately. All subsequent events of the same type are sent as one aggregated event. Aggregated events contain start and end times, but all other event fields are taken from the first event in the aggregated set.

Not all collectors should use event aggregation.

You can also import and export aggregation configurations. Aggregation configurations are exported in an XML file format; you must import configurations in the same XML file format.

See “About Event Collectors and Information Manager” on page 163.

The XML file for aggregation should be in the following format:

    <?xml version="1.0" encoding="UTF-8"?>
    <aggregator maxbuffer="0">
      <aggregator-spec enabled="true" index="0" name="Specification 0" time="124">
        <aggregator-fields>
          <aggregator-field name="display_id" operator="EQ">15</aggregator-field>
        </aggregator-fields>
        <similarity-fields>
          <similarity-field name="data_scan_guid"/>
        </similarity-fields>
      </aggregator-spec>
      <aggregator-spec enabled="false" index="1" name="Specification 1" time="234">
        <aggregator-fields>
          <aggregator-field name="connection_type_name" operator="NEQ">1</aggregator-field>
        </aggregator-fields>
        <similarity-fields/>
      </aggregator-spec>
    </aggregator>

Event aggregation configuration includes the following actions:

■ Adding and enabling event aggregation rules. See “To add and enable event aggregation rules” on page 202.

■ Changing existing event aggregation rule configurations. See “To change existing event aggregation rule configurations” on page 202.

■ Importing and exporting event aggregation rules. See “To import and export event aggregation rules” on page 203.

This feature is not advisable with all collectors.

Event aggregation rules are not configured by default. You must add the rules before you can enable or configure them.


To add and enable event aggregation rules

1 In the Information Manager console, in the left pane, click System.

2 On the Product Configurations tab, in the middle pane, expand the tree until you reach the sensor configuration of a collector.

3 In the right pane, on the Aggregator tab, click Add.

4 Double-click Specification n (where n is 0, 1, 2, and so on), and type a name for the rule.

5 Under the rule properties table, click Add, and perform the following tasks in the order shown:

■ In the Name column, select or type a name for the event aggregation property (for example, Event Date). You can also double-click in the Name text box to open an Information Manager fields window. You can choose a name from the list of items that are presented in the expanded directories of the Information Manager fields window.

■ In the Operator column, select an operator from the drop-down list (for example, greater than).

■ In the Value column, type a value or select a preset value for the event aggregation property (for example, 2004-03-30 19:18:31).

6 Repeat step 5 to add more event aggregation information for the rule.

All rules within a given specification use the Boolean AND to determine whether or not an event is a candidate for aggregation. If there are multiple specifications, each specification uses the Boolean OR.

7 In the Aggregation time (ms) text box, type the time in milliseconds within which a subsequent event must occur to be aggregated by this rule.

The default value is 100. This property applies to all aggregation rules.

8 When you are finished adding information for the rule, in the aggregator list,check the aggregator name.

9 Click Save.

10 In the left pane, right-click the appropriate configuration, and click Distribute.

11 When you are prompted to distribute the configuration, click Yes.
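The following Python script is an added example and is not Symantec code: it parses an aggregation file in the format shown above and replays constructed events through the rule so you can see what a collector forwards. It follows the behaviour the guide describes (the first event of a group is sent immediately; later similar events are folded into one aggregated record that carries start and end times and takes its other fields from the first folded event). Two points are assumptions, not statements of the guide: the aggregation window is measured from the most recent event accepted into the group, and the per-specification time attribute from the XML sample is honoured, falling back to the 100 ms default that the procedure states for all rules. The host field and the event timestamps are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import namedtuple

# Constructed aggregation file: the enabled rule from the guide's sample.
AGG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<aggregator maxbuffer="0">
  <aggregator-spec enabled="true" index="0" name="Specification 0" time="124">
    <aggregator-fields>
      <aggregator-field name="display_id" operator="EQ">15</aggregator-field>
    </aggregator-fields>
    <similarity-fields>
      <similarity-field name="data_scan_guid"/>
    </similarity-fields>
  </aggregator-spec>
</aggregator>
"""

# fields: (name, operator, expected) conditions, ANDed;
# similarity: field names whose values must be equal for events to group.
AggSpec = namedtuple("AggSpec", "name time_ms fields similarity")


def _compare(operator, expected, actual):
    hit = actual is not None and str(actual) == expected
    if operator == "EQ":
        return hit
    if operator == "NEQ":
        return not hit
    raise ValueError(f"unsupported operator: {operator}")


def load_aggregator_specs(xml_text, default_time_ms=100):
    """Enabled specifications ordered by index. The per-spec time attribute
    is used when present (assumption); 100 ms is the guide's default."""
    root = ET.fromstring(xml_text)
    specs = []
    for s in root.findall("aggregator-spec"):
        if s.get("enabled", "false").lower() != "true":
            continue
        fields = [(f.get("name"), f.get("operator", "EQ"), (f.text or "").strip())
                  for f in s.findall("aggregator-fields/aggregator-field")]
        sim = [f.get("name") for f in s.findall("similarity-fields/similarity-field")]
        specs.append((int(s.get("index", "0")),
                      AggSpec(s.get("name"), int(s.get("time", default_time_ms)), fields, sim)))
    return [spec for _, spec in sorted(specs, key=lambda p: p[0])]


def _first_matching_spec(specs, event):
    for spec in specs:
        if spec.fields and all(_compare(op, exp, event.get(n)) for n, op, exp in spec.fields):
            return spec
    return None


def aggregate(specs, events):
    """Replay events (dicts with a millisecond 'ts', in arrival order) and
    return the records a collector would forward, in forwarding order.

    The first event of a group is forwarded at once. Later events of the
    same group that arrive within time_ms of the previous accepted event
    are folded into one aggregated record (fields of the first folded
    event, plus start_time, end_time and count). A longer gap closes the
    group: its aggregated record is emitted and the new event starts a
    fresh group, again forwarded immediately."""
    out = []
    groups = {}   # (spec name, similarity values) -> {"last_ts", "agg"}

    def close(group):
        if group["agg"] is not None:
            out.append(group["agg"])

    for ev in events:
        spec = _first_matching_spec(specs, ev)
        if spec is None:
            out.append(dict(ev, aggregated=False))
            continue
        key = (spec.name, tuple(ev.get(f) for f in spec.similarity))
        group = groups.get(key)
        if group is None or ev["ts"] - group["last_ts"] > spec.time_ms:
            if group is not None:
                close(group)
            out.append(dict(ev, aggregated=False))
            groups[key] = {"last_ts": ev["ts"], "agg": None}
            continue
        if group["agg"] is None:
            group["agg"] = dict(ev, aggregated=True, count=0,
                                start_time=ev["ts"], end_time=ev["ts"])
        group["agg"]["count"] += 1
        group["agg"]["end_time"] = ev["ts"]
        group["last_ts"] = ev["ts"]

    for group in groups.values():
        close(group)
    return out


# Constructed events: a burst of display_id 15 with scan GUID A, one with
# GUID B, one that matches no rule, then a late arrival after the window.
AGG_SAMPLE_EVENTS = [
    {"ts": 0,   "display_id": "15", "data_scan_guid": "A", "host": "pc1"},
    {"ts": 50,  "display_id": "15", "data_scan_guid": "A", "host": "pc2"},
    {"ts": 150, "display_id": "15", "data_scan_guid": "A", "host": "pc3"},
    {"ts": 160, "display_id": "15", "data_scan_guid": "B", "host": "pc4"},
    {"ts": 170, "display_id": "7",  "data_scan_guid": "A", "host": "pc5"},
    {"ts": 400, "display_id": "15", "data_scan_guid": "A", "host": "pc6"},
]
```

Run against the sample, six events become five records, and the aggregated record reports host pc2 only: pc3's event survives solely as a count and an end time, because every field other than the times is taken from the first folded event. Choose the similarity fields so that anything you will later need to distinguish (source host, user, destination) is part of the grouping key, or it will be collapsed away before it ever reaches an archive.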

To change existing event aggregation rule configurations

1 In the Information Manager console, in the left pane, click System.

2 On the Product Configurations tab, in the middle pane, expand the tree until you reach a sensor configuration of a collector.


3 In the right pane, on the Aggregator tab, under the list of rules, perform any of the following tasks:

■ To add a specification, click Add.

■ To delete a specification, select the rule, and click Remove.

■ To delete all specifications, click Remove All.

4 To determine the order in which Information Manager follows the event aggregation specifications, next to the list of specifications, click the arrow icons.

5 To change the name of the specification, double-click the specification in the specification list, and, in the Name box, type a new name.

6 To change the time within which a subsequent event must occur for aggregation by this rule, in the Aggregation time (ms) box, type the new time in milliseconds.

The default value is 100. This property applies to all aggregation rules.

7 To disable a specification without deleting it, in the aggregator list, uncheck the aggregator name.

8 In the rule properties table, change information in any of the following columns:

■ Name

■ Operator

■ Value

9 Under the rule properties table, perform any of the following tasks:

■ To add a rule property, click Add.

■ To delete a rule property, select the rule property, and click Remove.

■ To delete all rule properties, click Remove All.

10 Click Save.

11 In the left pane, right-click the appropriate collector configuration, and click Distribute.

12 When you are prompted to distribute the configuration, click Yes.

To import and export event aggregation rules

1 In the Information Manager console, in the left pane, click System.

2 On the Product Configurations tab, in the middle pane, expand the tree until you see a sensor configuration of a collector.


3 In the left pane, select the appropriate configuration.

4 In the right pane, on the Aggregator tab, perform one of the following tasks:

■ If you want to import, click Import configuration from XML file.

■ If you want to export, click Export configuration to XML file.

5 Perform one of the following tasks:

■ If you want to import, in the Import Configuration From File window that appears, specify the XML file you want to import into the collector.

■ If you want to export, in the Export Configuration to File window that appears, specify a file name to which to export the configurations.


Section 5: Working with events and event archives

■ Chapter 13. Managing event archives

■ Chapter 14. Forwarding events to an Information Manager server

■ Chapter 15. Understanding event normalization

■ Chapter 16. About Effects, Mechanisms, and Resources

■ Chapter 17. Collector-based event filtering and aggregation

■ Chapter 18. Working with the Assets table


Chapter 13: Managing event archives

This chapter includes the following topics:

■ About events, conclusions, and incidents

■ About the Events view

■ About the event lifecycle

■ About event archives

■ About multiple event archives

■ Creating new event archives

■ Restoring event archives

■ Specifying event archive settings

■ Creating a local copy of event archives on a network computer

■ Viewing event data in the archives

■ About working with event queries

About events, conclusions, and incidents

Security products and operating systems generate many kinds of events. Some events are informational, such as a user logging on, and others may indicate a security threat, such as antivirus software being disabled.

A conclusion occurs when one or more events match a correlation rule pattern. Information Manager normalizes events from multiple security products and looks for the patterns that indicate potential threats.

An incident is the result of one or more conclusions that are identified as a type of attack. There can be many conclusions that are mapped to a single incident.


For example, if a single attacker causes a number of different patterns to be matched, those matches are grouped into a single incident. Similarly, if a vulnerability scan uncovers a computer that suffers from a number of different vulnerabilities, these are all grouped into a single incident. Or, if a number of different computers report the same virus, Information Manager creates a single outbreak incident.

See “About security products and devices” on page 31.

About the Events view

The Events view provides access to all of the event archives used by the Information Manager server. Each archive stores events based on the Event Storage Rules that you configure on the System view. To view the events that are stored in any archive, you can do the following:

■ Use the preconfigured query templates or system queries. The preconfigured templates and queries provide the parameters that you can set. You can choose the archive that you want to search, the time period within which you want to search for events, and so forth. Some templates and queries have more parameters than others depending on the purpose of the query.

■ Save a copy of any preconfigured template query with the parameters that you have chosen, and customize the copy.

■ Create a new query using the Query Wizard.

■ Schedule queries to be distributed as CSV reports.

When a template or query is run, the results are displayed in the results pane of the Events view. The results pane lets you view and search for information about archived events in both graphical and text formats. You select the archive that you want to research, and the viewer displays a histogram that represents the data stored in that archive. You can then narrow the display to a particular historical period (for example, the previous month or a specific one-hour period).

You can display event details in a table and drill down to get all details about one event at a time. You can also filter the results in this view.

See “About events, conclusions, and incidents” on page 207.

About the event lifecycle

Figure 13-1 shows the lifecycle of an Information Manager event.


Figure 13-1 Event lifecycle

Information Manager processes security event data in the following manner:

■ The event collector collects the raw event data from the security product.

■ The event collector normalizes the event data and filters and aggregates the events according to the event collector configuration settings.

■ The agent sends the normalized events and, if configured, the raw event data to the designated Information Manager.

■ Information Manager stores the event in the event archive.

■ Information Manager updates the event summary tables with the event information.

■ Information Manager correlates the event and, if the event triggers a correlation rule, creates an incident.

■ Information Manager stores the incident in the incident database.

■ Information Manager console users view incident and event reports.

See “About events, conclusions, and incidents” on page 207.


About event archives

Event archives provide a compact, convenient way to store event data for regulatory compliance, forensic research, and long-term data retention. Event archives contain event data from the security products that are set up to forward events to a Symantec Security Information Manager Server.

Note: By default, newly created event archives are stored for seven days, but you can adjust this period to meet your requirements. However, when the available server disk space runs low, the server purges event archives. The default maximum quota is 90%, and the default free space quota is 1%. If your company requires long-term retention of event data, you can use scp or rsync over an SSH connection to copy the event archives from the server.

See “About events, conclusions, and incidents” on page 207.

About multiple event archives

You can create multiple event archives to organize events into the logical folders that Information Manager stores. You can create up to 16 archives on any server. Multiple event archives let you distribute the events that Information Manager receives into separate folders and across multiple servers, based on the criteria that you choose. For example, you can create an individual archive for each product that you monitor, such as an antivirus product, and store the events that the product generates in a separate archive. You can create multiple archives on a single instance of Information Manager or on an attached storage device such as a DAS. You can also spread the archives across multiple servers.

To query the event data for further analysis, you can perform a query on any or all of the event archives that you have created, including the archives that are stored on separate instances of Information Manager. For example, if you created an archive that is used exclusively for antivirus events, you can choose to search the contents of that single archive or any combination of archives. By organizing events into individual archives, you can improve the performance of your queries.

When an event is received, it is evaluated against the filter criteria in the order in which the event filters are listed in the console. Beginning with the first filter in the list, the event is passed through the filter to see if there is a match. If a match is found, the event is stored in the archive that you have specified for that filter, and event storage is complete. If the event does not match, it moves to the next filter in the list for evaluation. If no match is found in any of the filters that you have created, the event falls into the default archive.


To create a new event archive, you create a set of event filters that distribute the events into the appropriate archive. When you define a filter that specifies an archive in which the events are stored, you define a subfolder on the server that behaves as a separate archive.

See “About event archives” on page 210.

Creating new event archives

When you install Information Manager, two archives are created, namely SSIM Logs and Default Archive.

Note: An archive ID must be unique throughout the entire Information Manager domain. You cannot use the same archive ID in any other Event Storage Rule on any other server in the Information Manager domain.

See “About event archives” on page 210.

To create a new event archive

1 On the console of the Information Manager client, click System.

2 In the left pane of the Server Configurations tab, expand the tree for the Information Manager server you want to configure, and click Event Storage Rules.

3 Click the Add (plus sign) icon.

4 In the Archive Rule Properties dialog box, in the Rule name field, type a name for the new archive.

5 In the Inclusion Filter area, add the criteria for the events that you want to store. For example, to store all Information Manager System events in this archive, the filter would be Product = SSIM System. If you do not select any filter criteria, the archive stores all events by default.

6 In the Enter data retention (days) field, type the number of days that you want to archive the data. Events that are outside of this range are purged.

A setting of 0 for retention days means that events are purged based on their age.

7 In the Max archive quota drop-down list, choose a percentage.

8 In the Free space quota drop-down list, choose a percentage.

9 In the Archive ID field, type an ID if you use customized IDs for archives, or accept the default setting.


10 In the Archive Path field, you can specify a path relative to the Events folder on the server or accept the default path.

The path name that you specify cannot start with a slash, and must be alphanumeric. The path is created in the server's file system under the /eventarchive folder. For example, if a user entered the archive path as collectors/pix, then the folder /eventarchive/collectors/pix exists in the file system.

11 Click OK and then click Apply.

To be able to view new archives in the Events view in the console, you must first log out and then log on again.

Restoring event archives

You can view events from the archives that were copied from other computers.

To view the archives that were copied from another computer, you must copy the entire archive folder to the appropriate location. When you copy archives from another computer, only the owner has read and write permissions on the archive folder. Group users and other users do not have any permission on the files and folders. To be able to view events from the archives that were copied from another computer, you must grant read permissions to group and other users. To grant appropriate permissions, you must do the following:

See “About event archives” on page 210.

■ Change the permissions on the files in the destination archive folder from 600 to 644.

■ All folders under the /eventarchive partition should have permissions 755 or (drwxr-s).

■ You must also change the ownership of the folder to sesuser.

To restore archives from another computer

1 Copy the archive folder that you want to the /eventarchive partition into itsappropriate location (archive path).

2 All folders under the eventarchive partition should have the owner and group as sesuser:ses.

Run the following commands to change the ownership of the folders:

cd /eventarchive

chown -R sesuser:ses default

chown -R sesuser:ses ssimlogs


3 All folders under the eventarchive partition should have permissions 755 or (drwxr-sr-x). You must change the permissions on the folders to 755 as shown in the following example:

cd /eventarchive

chmod -R 755 default

chmod -R 755 ssimlogs

4 All the files in the archive folders must have the permissions 644 (-rw-r--r--).

You must change the permissions on all the files in the archive folders to 644 as given in the following example:

chmod 644 /eventarchive/default/2009/08/01/1249139954617.edx

You must change the permissions for all the files in the folder.
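The restore steps above set modes folder by folder and file by file. The following script is an added example (not Information Manager's own tooling) that audits a restored archive folder against the modes the procedure requires and then repairs them in one pass with find, which covers every file in every date subfolder. The folder names, the sample .edx file and the demonstration tree are constructed; the sesuser:ses owner comes from the procedure and is only applied when that account exists on the host.

```shell
#!/bin/sh
# Added example, not Information Manager code. Audits and repairs the modes
# that the restore procedure requires for a copied archive folder:
#   folders 755 (2755 with the setgid bit is also accepted), files 644,
#   owner and group sesuser:ses.
# On a real server the folder would be e.g. /eventarchive/default (assumption).

# archive_perm_violations DIR
# Prints how many entries under DIR do not have the required mode.
archive_perm_violations() {
    {
        find "$1" -type d ! -perm 755 ! -perm 2755
        find "$1" -type f ! -perm 644
    } | wc -l | tr -d ' '
}

# fix_archive_perms DIR
# Applies 755 to every folder and 644 to every file under DIR, then sets the
# owner to sesuser:ses when that account exists (it will not on a workstation
# where you try the script, so the chown is skipped there).
fix_archive_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    if id sesuser >/dev/null 2>&1; then
        chown -R sesuser:ses "$1"
    fi
}

# make_demo_archive
# Builds a constructed archive tree in a temporary directory that looks like a
# copy made with scp: folders at 700 and the file at 600. Prints its path.
make_demo_archive() {
    _root=$(mktemp -d)
    mkdir -p "$_root/default/2009/08/01"
    : > "$_root/default/2009/08/01/1249139954617.edx"   # constructed sample file
    chmod 700 "$_root/default" "$_root/default/2009" \
              "$_root/default/2009/08" "$_root/default/2009/08/01"
    chmod 600 "$_root/default/2009/08/01/1249139954617.edx"
    printf '%s\n' "$_root/default"
}

demo=$(make_demo_archive)
echo "violations before: $(archive_perm_violations "$demo")"   # 5 (4 folders + 1 file)
fix_archive_perms "$demo"
echo "violations after:  $(archive_perm_violations "$demo")"   # 0
rm -rf "${demo%/default}"
```

Run the audit function alone first on a production server; a non-zero count before any chmod tells you which copied folders the console will be unable to read, and a zero count after the fix confirms that no file under any date folder was missed.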

Specifying event archive settings

The event archive feature has several settings that determine how much data is stored and how long the data is stored. You can change the default settings in the Information Manager console.

Event archiving is automatically enabled during Information Manager installation. The name of the Information Manager server appears in the left pane of the System view. If you have multiple Information Manager servers or multiple archives, each one appears in the tree.

If you also use direct-attached storage for off-box storage, use the Information Manager Web configuration interface to specify the event archive settings for it.

See “About event archives” on page 210.

After you have configured the event archives, you should verify that the necessary summarizers have been enabled. You can enable the summarizers from the Database option under the Settings view of the Web configuration interface.

To specify event archive settings

1 In the Information Manager console, click System.

2 In the left pane of the Server Configurations tab, expand the tree, including the Information Manager server to configure.

3 Under the Information Manager server, click Event Storage Rules.

4 In the Event Storage Rules area of the details pane, double-click the archive to configure.


5 In the Archive Rule Properties dialog box, change the following as required:

Archive ID: You can change the Archive ID. However, the ID must be unique across the Information Manager domain.

Rule name: You can change the name of the rule.

Inclusion filter: Lets you add the criteria for the events that you want to store. For example, to store all Information Manager System events in this archive, the filter would be Product = SSIM System. If you do not select any filter criteria, the archive stores all events by default.

Enter the data retention (days): Lets you specify the number of days that you want to archive the data. Events that are outside this range are purged. A setting of 0 for retention days means that events should be retained forever, unless there are any space constraints.

Max archive quota: Lets you specify the proportion of server disk space that can be used for storing event archives.

Note: You should modify the default setting only under the guidance of Symantec personnel. Choosing the wrong setting can cause the server to run out of disk space.

Free space quota: Specify the proportion of server disk space that must be available to continue storing event archives.

Note: You should modify the default setting only under the guidance of Symantec personnel. Choosing the wrong setting can cause the server to run out of disk space.

6 Click OK.

7 To enable the rule, in the Event Storage Rules area, select the check box in the Enabled column for the rule.

8 Click Apply.

9 Close the Information Manager console, and then log on to the Information Manager server again.

Events are filtered through the list of archives based on the order of the event archive rules. The first archive in the list that matches the characteristics of the event stores the event, and event archive rule evaluation for that event stops.
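The first-match evaluation described here, and in the earlier "About multiple event archives" explanation of how an event walks the filter list and falls into the default archive, is shown below as an added example in POSIX shell; it is not Information Manager code. The rule list, its line format, and the archive paths and product names in it are constructed for illustration, and only a single Product = value inclusion filter per rule is modelled.

```shell
#!/bin/sh
# Added example, not Information Manager code: first-match routing of an event
# through an ordered list of event storage rules.
# Constructed rule list, one rule per line, in console order (top rule first):
#   <archive path relative to /eventarchive>|<event field>|<required value>
# The archive paths and product names are assumptions, not product defaults.
STORAGE_RULES='ssimlogs|Product|SSIM System
collectors/av|Product|Symantec AntiVirus
collectors/pix|Product|Cisco PIX'

# route_event FIELD VALUE
# Walks STORAGE_RULES top to bottom and prints the archive path of the first
# rule whose field/value pair matches the event. Evaluation stops at that rule.
# Prints "default" when no rule matches, mirroring the fall-through to the
# Default Archive.
route_event() {
    _field=$1
    _value=$2
    _target=default
    _saved_ifs=$IFS
    IFS='
'
    for _rule in $STORAGE_RULES; do
        _archive=${_rule%%|*}
        _rest=${_rule#*|}
        _rule_field=${_rest%%|*}
        _rule_value=${_rest#*|}
        if [ "$_rule_field" = "$_field" ] && [ "$_rule_value" = "$_value" ]; then
            _target=$_archive
            break
        fi
    done
    IFS=$_saved_ifs
    printf '%s\n' "$_target"
}

# Constructed events: each call prints the archive the event would land in.
route_event Product 'SSIM System'        # ssimlogs
route_event Product 'Cisco PIX'          # collectors/pix
route_event Product 'Unknown Scanner'    # default
```

Because evaluation stops at the first match, a broad rule placed above a narrower one captures the narrower rule's events as well; when you review the Event Storage Rules list, check the order as carefully as the filter criteria.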


Creating a local copy of event archives on a network computer

You can copy event archives from the Information Manager server to another computer. Later, you can access these archives through an instance of the Information Manager console on that computer. Use this procedure to create a local event archive on a computer on your network.

Warning: Do not copy individual files, because they do not work as expected. You must follow the steps in this procedure to preserve the directory structure, which contains necessary date information. You should also perform this procedure during periods of lower event and incident activity.

See “About event archives” on page 210.

To create a local event archive

1 Make sure that you have sufficient space on the Information Manager server for the .tar file that this procedure generates.

2 In a command window, type the following command:

cd /

3 Type the following command:

tar -czf eventarchive.tar.gz eventarchive

Information Manager creates a gzipped tar file in the root directory on the server. This file contains all of the event archives on the server and the archive directory structure. You can also create a copy of a single archive by identifying the archive in the /eventarchive folder and specifying that archive in the command in this step.

4 Transfer the gzipped tar file to the desired location, by using SCP or another method of your choice.

5 Extract the gzipped tar file.

The events in the new local archive are now viewable in the Information Manager console. The user can view the events only if the user has access to the location where the local archive resides.

See “To view the events that are stored in a local copy of an archive” on page 216.
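The single-archive variant that step 3 mentions, with the structure check the Warning calls for, as an added shell example that is not part of the original procedure. Packing with the -C option keeps the entries relative to /eventarchive, so extracting on the other computer recreates the archive's date folders intact; listing the tarball before transfer and recording a checksum lets you confirm that the copy that arrives is complete. The archive base path, archive name and demonstration tree are constructed.

```shell
#!/bin/sh
# Added example, not Information Manager code: pack one archive from the
# eventarchive folder into a gzipped tar file and verify it before transfer.

# pack_archive BASE NAME OUTFILE
# Creates OUTFILE containing BASE/NAME with paths relative to BASE (tar -C),
# so that extracting it elsewhere recreates NAME/YYYY/MM/DD/<file>.edx.
pack_archive() {
    tar -czf "$3" -C "$1" "$2"
}

# archive_entry_count OUTFILE
# Prints the number of entries (folders and files) in the tarball.
archive_entry_count() {
    tar -tzf "$1" | wc -l | tr -d ' '
}

# Constructed demonstration tree in a temporary directory; on a server the
# base would be /eventarchive and the archive name e.g. default (assumption).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/eventarchive/default/2009/08/01"
: > "$demo_root/eventarchive/default/2009/08/01/1249139954617.edx"   # constructed sample

pack_archive "$demo_root/eventarchive" default "$demo_root/default.tar.gz"

# Check the directory structure survived: every date folder must be listed
# above the .edx file, and nothing may start with a leading slash.
tar -tzf "$demo_root/default.tar.gz"
echo "entries: $(archive_entry_count "$demo_root/default.tar.gz")"   # 5

# Record a checksum to compare on the receiving computer after the SCP copy.
if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$demo_root/default.tar.gz"
fi
rm -rf "$demo_root"
```

If the listing shows only the .edx files without their folders, or paths that begin with a slash, the console will not find the date information it needs; repack from the base folder with -C rather than from inside the archive.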


Viewing event data in the archives

You can view the events for each archive that is created for each Information Manager server in your network. You can also view the events that are stored on the local event archive of the computer on which the console is installed.

You can view event archives in the following ways:

■ Use the preinstalled templates and queries to view the events that are stored in any of the archives that you choose. See “To view the events that are stored in a local copy of an archive” on page 216.

■ Use the Query Wizard to create a query to be executed on a particular archive or set of archives. See “About working with event queries” on page 225.

To view the events that are stored in the event archives

1 In the Information Manager console, click Events.

2 Expand the tree in the left pane to view the events template and query folders.

3 Choose an event query that returns the event data that you want to view. For example, in the Templates folder, click the All Events template.

4 In the details pane, select the archives that contain the events that you want to view.

5 Click Run Template, or if you use a query from one of the Query folders, click Run Query.

To view the events that are stored in a local copy of an archive

1 In the Information Manager console, click Events.

The tree in the left pane displays the ID of the Information Manager server, where the live archive is stored.

2 To access a local archive, click Local Event Archives, click the + icon (the plus sign) on the toolbar, and then navigate to the location of the archive.

3 Select Add Archive.

4 Click All Events under the appropriate address in the left pane.

5 Select Local archive, and click Run template.

Archived event data is displayed in a histogram in the right pane.


To save displayed data to a file

1 After you have run the template or query, click the Export icon on the toolbar.

2 Navigate to the location where you want to save the file, and type a name in the File name box.

3 Click Save.

To remove a local archive from the viewer

1 In the left pane, click the name of the local archive that you want to remove.

2 Click the – icon (the minus sign) on the toolbar.

Information Manager removes the event archive from the viewer. You can now use the left pane to navigate to a different event archive.

About the event archive viewer right pane

The right pane of the event archive viewer contains the following components, which you can manipulate to display the data that you want:

■ Event data histogram

■ Event details table

See “Viewing event data in the archives” on page 216.

Manipulating the event data histogram

The X-axis of the event data histogram is the time dimension, and the Y-axis is the event count (by default). To identify specific time periods, move the mouse over the histogram and hover (without clicking) on one bar at a time. A label displays the date, time, and number of events that correspond to that bar.

Note: The histogram is available only for the All Events Query.

See “Viewing event data in the archives” on page 216.

The toolbar above the histogram includes several tools to change the appearance of the histogram to help you access the information that you want. You can manipulate the histogram in the following ways:

■ To change the timeframe of the view, select an option from the View drop-down list; for example, select Last 12 hours. You can also choose a custom view. See “Setting a custom date and time range” on page 218.

■ To expand the amount of data that is displayed in the current view of the histogram, click the Zoom Out icon. If you keep clicking, you gradually display the entire dataset in this window. To gradually narrow the amount of data that is displayed in the current view of the histogram, click the Zoom In icon.

■ To change the time resolution on the x-axis, make a selection from the Resolution drop-down list. For example, select Hours to group the data in hour-long units.

■ To search for a specific time period and event type, click the Filter icon. The Event Filter dialog box that appears lets you choose a time range and filter criteria. See “To filter with the advanced filter option” on page 224.

■ To move forward and backward in time, click the right-facing and left-facing arrows beside the histogram.

■ To change the y-axis to display events per second, select Events per second. To return to the event count, select Event Count.

Setting a custom date and time range

If you want to fine-tune the period of time that is displayed in the histogram, select a custom view.

See “Viewing event data in the archives” on page 216.

To set a custom date and time range

1 On the toolbar, click the calendar icon, next to the View selection box.

2 In the Archive Time Range dialog box, in the Between: box, choose the start date and time of the time range.

You can type the information in the box or use the up and down arrows. You can also click the calendar icon and then set the date and time in the Calendar dialog box.

3 In the and: box, choose the end date and time of the time range.

You can type the information in the box or use the up and down arrows. You can also click the calendar icon and then set the date and time in the Calendar dialog box.

4 Click OK.

The event data histogram now displays data for the time range that you selected.

About viewing event details

In the lower area of the right pane, you can display a table that contains details for the entire range of events in the histogram. The table can also display a selected portion of the events.


See “Viewing event data in the archives” on page 216.

You can show details in the following ways:

■ To display details for the entire set of events in the histogram, click the Select All (green check) icon on the toolbar. To remove all event details from the table, click the Deselect (red X) icon on the toolbar.

■ Click one of the bars in the histogram to display event details for the time period that is displayed in the bar.

■ To select a time range, click any bar on the histogram, and then press the Shift key and click another bar on the histogram. The table displays details for all of the events in that time range.

In the lower-right corner of the details table, you can see the total number of events that are selected within the displayed subset. You also can see the total number of events in the displayed subset. To view the next group of events, click the forward arrow in the lower-right corner of the table. To view all of the details in one event record, double-click one row in the table.

Modifying the format of the event details table

Each column in the event details table represents one field from the event record. You can add, delete, and reorganize the columns in the table.

Note: An event record may include several date fields. Most events have a single event date, which is the time when the event occurred (not the date when Information Manager captured the event). In this case, the Event Date value and the Ending Event Date value are identical.

Note: If an event represents an aggregation of activity that takes place over a period of time, Event Date is the beginning of the time period. Ending Event Date is the end time.

Occasionally the event service registers an event with an incorrect Event Date or Ending Event Date. Information Manager corrects the times in these fields and places the original (incorrect) times in the Original Event Date and Original Ending Event Date fields.

See “Viewing event data in the archives” on page 216.


To add, delete, and organize table columns

1 Right-click on a column heading, and click Add Column.

In the Column Filter dialog box that appears, the Selected Columns box shows all of the fields currently in the table.

Occasionally a collector sends data to Information Manager that does not correspond to any fields that are defined in the existing schema. When this scenario occurs, the Column Filter dialog box displays the raw field name from the collector: for example bugtraq_ids. This scenario may also occur if a collector's SIP is not installed on the server.

2 Complete any of the tasks:

■ To add a column, click a field name in the Available Columns box, and click Add. You may also use the Ctrl key to select multiple field names, and click Add.

■ To add all of the available columns, click Add All.

■ To delete a column, click one or more field names in the Selected Columns box, and click Remove.

■ To delete all of the columns, click Remove All.

■ To change the position of a column, click a field name and click Move Up or Move Down until the name is in the desired position. You can also click Move To Top or Move To Bottom.

3 When you finish making changes, click OK.

The changes are reflected in the event details table.

After you have modified the event details table to display the data that you want, you must save it as a query. By saving it as a query, you can see the same data in the same format the next time you log on to the Information Manager server.

See “To save the modified table format” on page 220.

To save the modified table format

1 After you finish modifying the table format, click the Save View icon.

2 Type a query name, and click OK.

The query is saved in the My Queries folder in the tree pane. The next time that you log on to Information Manager, you can select that query. The table format appears the way that you modified and saved it.


Searching within event query results

When you perform an event query, you can search for a specific event that is within the initial query results. You can perform a text search or use regular expressions to further refine the search. You can choose whether the search spans all of the available event fields or a specific field.

See “Viewing event data in the archives” on page 216.

To search within event query results

1 After you run the query, in the Events table in the bottom pane, click Search for events.

2 In the Search Events dialog, in the Text Search field, type the text or regular expression.

3 In the Options area, place a check next to the appropriate options. If the text is a regular expression, ensure that Regular Expression is checked.

4 In the Look in area, take the following action:

■ If you want to search in all of the available fields for the set of events, click All fields.

■ If you want to search for a value that is stored in a specific field, click Selected field, and from the drop-down list, choose the field.

5 Click Search. The results are displayed in the events table.

6 In the Search Events dialog, click Close.

7 After you have analyzed the search results, to return to the original query data, click Reset event search.

Filtering event data

You can filter event data in the following ways:

■ Filter on an individual cell in the event details table. You can filter on a cell that has data in it. Information Manager displays only the rows that have the same value in that column. You can also filter on an empty cell, and Information Manager displays only the rows in which that column is not empty.

■ Use the advanced filter option to select multiple filtering conditions in oneoperation.

■ Filter based on unique column value. This filter creates a snapshot of the events that were returned for the query based on the column that you chose for the filter. For example, in the query results for an All Events query, if you right-click any value in the Product column and choose Filter on unique column value, Information Manager creates a condensed view of the results that shows which product names occur in that column. If you had 5000 events returned that only involved three products, filtering on unique column value in the Products column creates a snapshot that shows that those three products were the only products that are returned in the results.

An additional filtering method is a hybrid of an advanced filter and filtering on a cell. It is called filtering manually on a cell, and it lets you create a more complex query than the cell filtering method. However, it presets the first filtering condition for you.

See “To filter manually on a table cell” on page 223.

To filter on a table cell

1 Right-click the cell that you want to use as the filter condition.

For example, to display only level 3 events, right-click a cell with severity level 3 in the Severity ID column.

2 Click Filter on cell. If you right-clicked an empty cell, click Filter where cell is not empty.

One of the following occurs:

■ If you clicked Filter on cell, a new table displays only the events that have the same value as the cell where you clicked: for example, severity level 3. The table has a tab at the top that is labeled Untitled.

■ If you clicked Filter where cell is not empty, a new table displays all rows in which this cell is not empty.

3 Take any of the following actions:

■ To save the displayed view as a query, click the Save View icon. Then type the query name and click OK. If you view event data from a local archive, you cannot save the view as a query. Saving a query works only when you view event data from the live archive on the Information Manager server.

■ To filter the displayed data even further, repeat steps 1 and 2, or use the advanced filter option. See “To filter with the advanced filter option” on page 224.

■ To delete the table, click the red X in the upper right corner.

If no events meet the filter criteria, Information Manager displays a blank table. If a very large number of events meet the filter criteria, it may take a long time for the data to display. If you want to stop the search and view the events that Information Manager has found so far, click Cancel.


To filter manually on a table cell

1 Right-click a cell that you want to use as a filter condition.

For example, to display only level 3 events, right-click a cell with severity level 3 in the Severity ID column.

2 Click Manually filter on cell. If you right-clicked an empty cell, click Manually filter where cell is not empty.

The Event Filter dialog box appears. One of the following occurs:

■ If you clicked Manually filter on cell, the first condition in the Filter criteria area contains the value of the cell in which you clicked. In this example, the condition would display Severity ID = 3.

■ If you clicked Manually filter where cell is not empty, the Filter criteria area displays the column name with the condition null.

3 To add more filter conditions, click the + icon (the plus symbol).

4 Click the first drop-down box, and then click an event field that you want to use as a filter.

5 Click the drop-down box to the right of the event field, and then click an operator: for example, the equals (=) symbol.

6 Click the drop-down box at the far right, and then click or type a value.

7 Take any of the following actions:

■ To add more conditions, repeat steps 3 through 6. Use the AND and OR logical operators as needed. The default operator is AND. To change it to OR, press Ctrl, click the desired boxes, and then click OR.

■ To remove a field, click the row and then click the – icon (the minus sign).

■ To ungroup conditions, select two or more rows (Ctrl + click) and then click Ungroup.

■ In the Time range area, select the desired time range.

8 Click Preview if you want to view the filtering statement that you created. Click Preview again if you want to add or change filtering criteria.

9 When you finish creating the query, click OK.

A new table displays only the events that meet the criteria in the query. The table has a tab at the top that is labeled Untitled.

10 Take one of the following actions:


■ To save the displayed view as a query, click the Save View icon. Then type the query name and click OK. If you view event data from a local archive, you cannot save the view as a query. Saving a query works only when you view event data from the live archive on the Information Manager server.

■ To filter the displayed data even further, repeat the previous steps, or use the procedure for filtering on a table cell. See “To filter on a table cell” on page 222.

■ To delete the table, click the X in the upper right corner.

If no events meet the filter criteria, Information Manager displays a blank table. If the number of events that meet the filter criteria is large, it may take a long time for the data to display. If you want to stop the search and view the events that Information Manager has found so far, click Cancel.

To filter with the advanced filter option

1 Click Filter at the top of the table.

2 In the Event Filter dialog box, select the desired time range.

3 In the Filter criteria area, click the + icon (the plus symbol).

4 Click the first drop-down box, and then click an event field that you want to use as a filter.

5 Click the drop-down box to the right of the event field, and then click an operator: for example, the equals (=) symbol.

6 Click the drop-down box at the far right, and then click or type a value.

7 Take any of the following actions:

■ To filter on only one field, go to step 8.

■ To add more conditions, repeat steps 2 through 6. Use the AND and OR logical operators as needed. The default operator is AND. To change it to OR, press Ctrl, click the desired boxes, and then click OR.

■ To remove a field, click the row and then click the – icon (the minus sign).

■ To ungroup conditions, select two or more rows (Ctrl + click) and then click Ungroup.

8 Click Preview if you want to view the filtering statement that you created. Click Preview again if you want to add or change filtering criteria.


9 When you finish creating the query, click OK.

A new table displays only the events that meet the criteria in the query. The table has a tab at the top that is labeled Untitled.

10 Take one of the following actions:

■ To save the displayed view as a query, click the Save View icon. Then type the query name and click OK. If you view event data from a local archive, you cannot save the view as a query. Saving a query works only when you view the event data from the live archive on the Information Manager server.

■ To filter the displayed data even further, repeat the previous steps, or use the procedure for filtering on a table cell. See “To filter on a table cell” on page 222.

■ To delete the table, click the red X in the upper right corner.

If no events meet the filter criteria, Information Manager displays a blank table. If the number of events that meet the filter criteria is large, it may take a long time for the data to display. If you want to stop the search and view the events that Information Manager has found so far, click Cancel.

To filter within the results of a query

1 Click Filter at the top of the table.

2 In the Event Filter dialog box, select the desired time range.

3 In the Filter criteria area, on the Filter Within Results tab, create the filter criteria using the table provided.

See “To filter with the advanced filter option” on page 224.

4 When you are finished creating the criteria, click OK.

To filter on unique column values

1 After you run an event query, right-click the column that you want to use as a filter condition.

2 Click Filter on unique column values.

About working with event queries

You can query the event archives in the following ways:

■ Import a query from another location and save it in the My Queries folder or the Published Queries folder. See “To import a query” on page 236.


■ Use the Query Wizard to create a query against the event archives (event query). See “To create an event query” on page 228.

■ Use the Query Wizard to create a query against the summarized event data (summary query). See “To create a summary query” on page 229.

■ Use the Query Wizard to create a custom SQL query against the summarized event data (SQL query). See “To create an SQL query” on page 231.

After you create and save a query, you can insert it on the dashboard and use it in reports.

You can also schedule queries to be distributed as reports in the CSV format.

See “Scheduling queries that can be distributed as reports” on page 238.

Using the Source View query and Target View query

The Source View query and Target View query replace the Source and the Target views that were available in previous versions of Information Manager. These queries return the IP address and host name of each system that Information Manager identifies. After you run either query, double-click an entry in the list to view the incidents and the tickets that are associated with that host. If the host is not already an asset, you can add the host to the assets table by selecting the host and clicking Create Asset.

Note: The Source View query and Target View query cannot be modified in the My Queries or the Published Queries folders.

See “About working with event queries” on page 225.

To use the Source View query or the Target View query

1 In the Information Manager console, click Events.

2 In the left pane, click System Queries > SSIM > SSIM.

3 Select either the Source View query or the Target View query.

4 Select the database to query, and click Run Query.

5 When you view the results, you can do the following:

■ To create an asset from a host in the list, click the host, and click Create Asset.


■ To view the incidents or the tickets that are associated with a host, click Details. You can also double-click the entry.

■ To refresh the view, click Refresh.

■ To export the current view to a file, click Export current view.

Creating query groups

You can create query groups in the My Queries and the Published Queries folders of the Events view of the Information Manager console. You can also create query group subfolders in each of these folders.

See “About working with event queries” on page 225.

To create a query group

1 In the left pane of the Events view, right-click either My Queries or Published Queries, and click Add Query Group.

2 (Optional) Type the group name and the group description, and click OK.

The name of the new query group appears as a subfolder under the folder you selected in step 1.

Creating custom queries

You can create a custom query using different methods and save it for reuse. When you create a query, you must assign it a unique name. Be sure to follow these rules for assigning a valid query name:

■ It must not be null.

■ It must have at least one alphanumeric character.

■ It must consist only of alphanumeric characters and the white spaces that are created with the space bar.

■ It must not exceed 64 characters, including alphanumeric characters and white spaces.

See “About working with event queries” on page 225.


To create an event query

1 In the left pane of the Events view, navigate to the location where you want to save the query. You can save the query in the My Queries folder or the Published Queries folder. The My Queries folder is available only to you. The Published Queries folder is available to you and other users. You can also save the query in a query group folder under either of these folders.

2 Right-click the name of the folder where you want to save the query, and click Query Wizard.

3 On the first panel of the Query Builder Wizard, select Event Query, and click Next.

4 Select the event query type, and then click Next.

Select a query from the following query types that are displayed:

■ Event Details: Generates a table that contains all of the fields in the event archive.

■ Event Counts by Field: Generates a Top N summary query that is sorted by the field that you select in the By box. You also select the event count value in the Top box.

■ Trending Event Counts by Field: Generates a trend of the events over the selected time period.

5 In the Archives area, select the archive that you want to query. By default, the Prompt at run-time option is selected, which lets you choose the archives each time the query runs. To fix the archive selection in the saved query instead, uncheck this option and select the archive that you want to query.

6 Specify the time range and filter criteria in one of the following options:

■ If you select View, select a time-period option from the drop-down list.

■ If you select Between, use the calendar drop-down lists to set the time range.

■ If you select Complete, Information Manager queries the entire event archive.

■ If you want to filter the data, specify the filter criteria. See “To filter with the advanced filter option” on page 224.

7 Click Next and then choose the columns that must be displayed.

8 Click Next.

One of the following panels appears:


■ If you selected Event Details in step 4, the Archive Events panel appears. Go to step 12.

■ If you selected Event Counts by Field in step 4, the Chart Presentation panel appears. Go to step 9.

A panel displays a sample table that is based on the filtering options that you selected.

9 Click Chart Properties and use the Chart Type drop-down box to select a type. For example, you can select a pie chart or a table. You may also change the chart's orientation, and you may choose to show the legend for chart types other than Table. Optionally, you may assign the following labels:

■ A title to appear above the table or graph (not necessarily the same as the query name)

■ Labels for the y-axis and the x-axis, for some chart types

■ A footer, for table charts

10 If you want to see a preview of the query results, click Preview.

11 When you finish customizing the appearance of the chart, click Next.

A chart sample appears, displaying the title and any labels that you assigned.

12 In the Query Name box, type the name that you want to appear in the left pane. Be sure to use only alphanumeric characters in the query name.

If this query is an Event Details query, you can click Preview to see a preview of the query results.

13 Click Finish.

The query is saved, and its name appears under the folder that you selected in the left pane. The query results appear in the right pane.

To create a summary query

1 In the left pane of the Events view, navigate to the location where you want to save the query. You can save the query in the My Queries folder or the Published Queries folder. The My Queries folder is available only to you. The Published Queries folder is available to you and other users. You can also save the query in a query group folder under either of these folders.

2 Right-click the name of the folder where you want to save the query, and click Query Wizard.

3 On the first panel of the Query Builder Wizard, select Summary Query, and click Next.

4 Select a database and then click Next.


5 In the Summary Table box, expand Events, and select a table from the list of presummarized tables in the database.

A description of the table appears in the Table Description box. The icon next to the table name indicates its type, which is spelled out in the Legend box.

6 After you select the table that you want, click Next.

7 Select a column index from the drop-down list.

A list of indexed fields from the database index appears in the Display Columns area.

8 Click to select one or more columns to display in the query, and click Next.

9 Specify the time range:

■ If you select View, select a time-period option from the drop-down list.

■ If you select Between, use the calendar drop-down lists to set the time range.

■ If you select Complete, Information Manager queries the entire event archive.

10 If you want to filter the data, specify the filter criteria, and click Next.

See “To filter with the advanced filter option” on page 224.

11 Sort the columns in the query (optional for use with the Table format).

See “To sort columns in a summary query” on page 231.

12 Click Chart Properties and use the Chart Type drop-down box to select a type. For example, a pie chart or a table. You may also change the chart's orientation, and you may choose to show the legend for chart types other than Table. Optionally, you may assign the following labels:

■ A title to appear above the table or graph (not necessarily the same as the query name)

■ Labels for the y-axis and the x-axis, for some chart types

■ A footer, for table charts

13 Click Next.

A query sample appears, displaying the title and any labels that you assigned.


14 In the Query Name box, type the name that you want to appear in the left pane. Be sure to use only alphanumeric characters in the query name.

15 Click Finish.

The query is saved, and its name appears under the folder that you selected in the left pane. The query results appear in the right pane.

When you view the results of a summary query, you cannot click a chart element to view the details for that portion of the chart; drill-down is not supported for summary queries.

Symantec recommends that you disable the summarizers in the Web configuration interface if you do not use summary queries. The summarizers are maintained in Symantec Security Information Manager 4.7 only to provide backward compatibility with previous versions of Information Manager. The summarizers are listed under Settings > Database > Event Summarizers.

To sort columns in a summary query

1 On the right side of the Column Sorting panel, click Add Column.

2 Click in the Sort Column, and select a field to be sorted in the query table.

3 Click Asc (ascending) or Desc (descending) to determine the way the data in the column must appear.

4 Repeat steps 1 through 3 if you want to sort more fields.

5 Use the other icons (for example, Move Up) until you have the columns arranged in the proper order.

6 For Max Rows Return, take one of the following actions:

■ To return every row in the database, click All.

■ To return a specific number of rows, click Top, and select a number.

7 Click Next to continue creating a summary query.

Return to the step in which you select the format for the query results.

See “To create a summary query” on page 229.

To create an SQL query

1 In the left pane of the Events view, navigate to the location where you want to save the query. You can save the query in the My Queries folder or the Published Queries folder. The My Queries folder is available only to you. The Published Queries folder is available to you and other users. You can also save the query in a query group folder under either of these folders.

2 Right-click the name of the folder where you want to save the query, and click Query Wizard.


3 On the first panel of the Query Builder Wizard, select Advanced SQL Query, and click Next.

Note: An Advanced SQL Query sends the statement that you type directly to the database, so you must be a member of the Domain Administrators group to create and execute Advanced SQL Queries.

4 Select a database and then click Next.

5 In the text box, type or paste an SQL statement. The following actions are optional:

■ In the Maximum rows box, select the maximum number of rows to appear in the table.

■ View a list of tables and fields in the database by clicking Show Schema.

6 Click Test Query.

Information Manager runs the SQL query and displays the result in tableform. While the query runs, you may stop it by clicking Stop Query.

7 Repeat steps 5 and 6 until you are satisfied with the query, and click Next.

8 Click Chart Properties and use the Chart Type drop-down box to select a type. For example, you can select a pie chart or a table. You may also change the chart's orientation, and you may choose to show the legend for chart types other than Table. Optionally, you may assign the following labels:

■ A title to appear above the table or graph (not necessarily the same as the query name)

■ Labels for the y-axis and the x-axis, for some chart types

■ A footer, for table charts

9 If you want to see actual data in a preview chart, click Preview.

10 When you finish customizing the appearance of the chart, click Next.

A chart sample appears, displaying the title and any labels that you assigned.

11 In the Query Name box, type the name that you want to appear in the left pane. Be sure to use only alphanumeric characters in the query name.

12 Click Finish.

The query is saved, and its name appears under the folder that you selected in the left pane. The query results appear in the right pane.


Querying across multiple archives

When you run a query, you can choose to retrieve event data from multiple archives. The query description includes a list of all of the known archives in the right pane of each query.

In some cases, the query that you run may include archives that are unavailable. For example, if you save a query and then run it later, a change may have been made that makes an archive unavailable. If you run a query using Run Query on the Events view and an archive is unavailable, when the query runs you are prompted to choose from the following options:

OK: Allows the query to continue to run on any other archives that are part of the query and that are available.

Ignore: Same as OK, except that you are not prompted again in the current session for that archive if it continues to be unavailable.

Ignore all: Same as OK, except that you are not prompted for any of the unavailable archives in the current session.

Note: When you run a scheduled report, Information Manager generates the report using only the archives that are available and skips any archive that is not accessible. You are not warned of an unavailable archive when the report is created, and the generated report gives no indication that some archives were not processed. Results of a scheduled report can therefore be incomplete.

To query across multiple archives

1 In the Information Manager console, click Events.

2 In the left pane, navigate to the desired query and select it.

3 In the right pane, under Please select archives to query, place a check in the checkbox for each archive that you want to include.

4 If necessary, configure any of the other required fields, and then click Run Query.

Some queries may take longer than others to return the expected results. If a query may return a large amount of data, create a scheduled report to run the query at a specified time.

See “About working with event queries” on page 225.


Managing the color scheme that is used in query results

When you run a query, you can use a customized color scheme for the queries that are displayed in chart format. You can add or remove colors, and change the order in which they appear in the query results view. You can then save your changes as a template.

To create a customized color template

1 In the Information Manager console, click System.

2 Click the Administration tab.

3 Expand the domain tree, and then click Reporting.

4 Click Add Color.

5 In the Add Color box, on the Swatches tab, make your selection. You can make additional adjustments to the color on the HSB and the RGB tabs.

6 Click OK.

7 If you want to move up the color in the reporting list, click Move Up.

8 When you have finished making your modifications, click Create Template.

9 Type a name for the template, and then click OK.

To adjust the color configuration in an existing template

1 In the Information Manager console, click System.

2 Click the Administration tab.

3 Expand the domain tree, and then click Reporting.

4 From the drop-down menu, select the template you want to modify.

5 After you make your changes, click Create Template.

6 Type the name of the template that you want to modify, and then click OK.

See “About working with event queries” on page 225.

Editing queries

You can edit any query in the My Queries folder or the Published Queries folder. If you want to edit a predefined query or use one as a template, you can make a copy of the predefined query and then paste it into the My Queries folder or the Published Queries folder.

See “About working with event queries” on page 225.


Note: If you cannot view queries on the Events view, your role may lack the necessary permissions. You must have Read and Search permission for the appropriate query groups and the database. A user who is a member of an Administrator role can assign permissions.

Table 13-1 provides some examples of the methods with which you can edit predefined queries to suit your needs.

Table 13-1 Predefined query editing examples

Query group in System Queries: Product Queries > MS SQL Server
Query: Database Failed Logins
Field: Product
Sample modifications: In the Filter criteria, change the Product code to create an identical query for Oracle.

Query group in System Queries: Security Queries > Firewall
Query: Blocked Connections on Port 80 or 443 by IP address
Field: Time range (View); Filter criteria
Sample modifications:
■ To increase the queried time period, change the time range from Last week to Last month.
■ To query a different port, change the value for IP Destination Port in the Filter criteria.
■ After changing the port, rename the query to reflect the new port number. Right-click the query name, and then select Rename.

Query group in System Queries: SSIM > SSIM system
Query: SSIM Failed Logins
Field: Filter criteria
Sample modifications: In the Filter criteria, add a filter to show only events with Severity ID=4.

Note: In a tabular query, you can add and remove columns from the table in which data is displayed. However, if you place the modified query in a report, the column changes do not persist. You must insert the query in the report, and then add and remove table columns.

To edit a predefined query

1 In the Information Manager console, click Events.

2 In the left pane, navigate to the desired query in the System Queries folder and select it.

3 Drag and drop the query into the My Queries folder or the Published Queries folder. A customizable copy of the query is created.

4 In the new folder, right-click the query name, and then select Edit Query.

5 Modify the desired query parameters, and then click OK.


Importing queries

Information Manager lets you import a query (a file with the .qml extension) from a folder on your computer. You can place the query in the My Queries folder, the Published Queries folder, or in any query group in one of those folders.

To import a query

1 In the left pane of the Events view, click the location where you want to save the query. You can save the query in My Queries (available only to you) or Published Queries (available to you and other users). You can also save the query in a query group folder under either of these folders.

2 On the toolbar, click Import Query.

3 Browse to the location where the query resides, and click the name of the query file.

4 Click Open.

The name of the query appears in the left pane under the folder that you selected. The results of the query appear in the right pane.

See “About working with event queries” on page 225.

Exporting queries

You can save a query in a different location. For example, you can save a query as a file on a computer hard drive or CD. You can then attach the query to an email message or copy it to another computer. The export feature also lets you export a System Query, which you can then import into the My Queries folder or the Published Queries folder for editing.

To export a query to a file

1 In the left pane of the Events view, click the name of the query that you want to export.

The query parameters appear in the right pane.

2 On the toolbar, click Export Query.

3 In the Save dialog box, navigate to the location where you want to save the file and type a name in the File Name box.

4 Select the file type from the Files of Type drop-down list.

If you want to be able to edit the file, select QML Files as the file type.

5 Click Save.

Information Manager saves the query in the location that you specified.


See “About working with event queries” on page 225.

Publishing queries

You are the only user who can access the queries in the My Queries folder and its subfolders. If you want to make a query available to other users, you can copy it to the Published Queries folder.

To publish a query

1 In the left pane of the Events view, locate the query under My Queries that you want to publish.

2 Right-click the query name, and then click Publish Query.

3 Click Yes to confirm that you want to publish the query.

The query name appears under the Published Queries folder in the left pane.

4 If you want to move the query into a query group under Published Queries,use the mouse to drag the query name to the desired group.

See “About working with event queries” on page 225.

About querying for IP addresses

When you create a custom SQL query for an IP address, Information Manager returns an integer value of the address. The value is a signed 32-bit integer, so addresses whose first octet is 128 or higher are returned as negative numbers. To return an IP address in the more familiar nnn.nnn.nnn.nnn format, use the following macro in your SQL query. The ELSE branch handles the negative case by adding 4294967296 (2^32) to the stored value before splitting it into octets.

  -- SOURCE_IP is stored as a signed 32-bit integer. Addresses with a first
  -- octet of 128 or higher are therefore negative; the ELSE branch adds 2^32
  -- (4294967296) to recover the unsigned value before extracting each octet.
  SELECT CASE WHEN E.SOURCE_IP >= 0 THEN
      rtrim(char(mod(E.SOURCE_IP/16777216,256))) || '.' ||
      rtrim(char(mod(E.SOURCE_IP/65536,256))) || '.' ||
      rtrim(char(mod(E.SOURCE_IP/256,256))) || '.' ||
      rtrim(char(mod(E.SOURCE_IP,256)))
    ELSE
      rtrim(char(mod((4294967296 + E.SOURCE_IP) / 16777216, 256))) || '.' ||
      rtrim(char(mod((4294967296 + E.SOURCE_IP) / 65536, 256))) || '.' ||
      rtrim(char(mod((4294967296 + E.SOURCE_IP) / 256, 256))) || '.' ||
      rtrim(char(mod(4294967296 + E.SOURCE_IP, 256)))
    END AS "Source IP"
  FROM SYMCMGMT.SYMC_SIM_EVENT E
  WHERE <Parameter to filter events>

See “About working with event queries” on page 225.

For more information, refer to your SQL manual.
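The same conversion outside the database, as an added example that is not part of the Symantec guide: query output that was produced without the macro (for instance a CSV from a scheduled Advanced SQL query) still carries the raw signed 32-bit integers, and this Python script rewrites them as dotted quads and converts a dotted quad back into the integer you would use in a WHERE clause. It assumes the integer is the same signed 32-bit value the macro reads from E.SOURCE_IP; the column names and rows in the sample CSV are constructed for the example.

```python
"""Convert Information Manager's signed 32-bit integer IP values to dotted quads.

Added example, not code from the Symantec guide. It assumes the integer column
holds the same signed 32-bit value that the SQL macro reads from E.SOURCE_IP.
"""
import csv
import io
import ipaddress
import struct

TWO_POW_32 = 4294967296  # the constant the SQL macro adds to negative values


def signed32_to_ipv4(value: int) -> str:
    """Dotted quad for a signed 32-bit integer, equivalent to both CASE branches."""
    if not -2**31 <= value <= 2**31 - 1:
        raise ValueError(f"{value} is not a signed 32-bit integer")
    # Masking to 32 bits is the same as adding 2^32 when the value is negative.
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def dotted_quad_like_sql(value: int) -> str:
    """Literal transcription of the macro's arithmetic, kept for cross-checking."""
    if value < 0:
        value += TWO_POW_32  # the ELSE branch of the macro
    octets = ((value // 16777216) % 256, (value // 65536) % 256,
              (value // 256) % 256, value % 256)
    return ".".join(str(o) for o in octets)


def ipv4_to_signed32(address: str) -> int:
    """Inverse mapping: the integer to compare against SOURCE_IP in a WHERE clause."""
    unsigned = int(ipaddress.IPv4Address(address))
    # Reinterpret the unsigned 32-bit pattern as a signed 32-bit integer.
    return struct.unpack("!i", struct.pack("!I", unsigned))[0]


def convert_ip_columns(csv_text: str, ip_columns: tuple) -> str:
    """Rewrite the named integer columns of a CSV export as dotted quads.

    Rows whose IP cell is blank are passed through unchanged.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        for col in ip_columns:
            if row.get(col, "").strip():
                row[col] = signed32_to_ipv4(int(row[col]))
        writer.writerow(row)
    return out.getvalue()


# Constructed sample export; the column names are assumptions, not the product's.
SAMPLE_CSV = (
    "event_id,source_ip,dest_ip\n"
    "1,167772161,-1062731519\n"   # 10.0.0.1 -> 192.168.1.1 (negative: first octet >= 128)
    "2,-1,\n"                     # 255.255.255.255, destination left blank
)

if __name__ == "__main__":
    print(convert_ip_columns(SAMPLE_CSV, ("source_ip", "dest_ip")))
```

Keep dotted_quad_like_sql when you port the macro to another dialect: comparing it against signed32_to_ipv4 over the full signed range is a quick way to confirm that the integer division and modulo in that dialect behave like the original.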


Deleting queries

If you no longer need a query, you can delete it.

Note: You can delete only the queries under the My Queries folder and the Published Queries folder. You cannot delete the System Queries folder or its contents.

To delete a query

1 In the left pane of the Events view, navigate to the query to delete.

2 Right-click the query name, and then click Delete Query.

3 Click Yes to confirm.

The query name is removed from the list in the left pane.

See “About working with event queries” on page 225.

Scheduling queries that can be distributed as reports

You can schedule queries to be distributed in a report as a CSV file. The Schedule option is available on the Events view when you select a query from the Published and System queries. On saving the scheduled queries in the Events view, the scheduled query reports are created under the Published Reports folder under the Reports view.

You can send the scheduled query reports by email as a compressed CSV file, and make them available by a URL link within the mail. You can also download these reports from the Web configuration interface under Manage Reports > Scheduled Query Reports in CSV format in a compressed file. The maximum row limit of the CSV file is 1 million rows corresponding to 1 million events. The maximum size of the CSV file that you can send by email is limited to 15 MB.

Note: A scheduled query report contains only one query. If the scheduled query contains a chart, it is converted to a table in the created reports.

Note: The Design option is not available for scheduled query reports.

See “About working with event queries” on page 225.

You can schedule the following types of queries:

■ Summary data query

■ Event detail query


■ Custom SQL query

Note: Top N by Field and Trending Event Count by Field queries cannot be scheduled from the Events view as scheduled query reports.

To schedule a query as a report

1 In the console of the Information Manager client, click Events.

2 In the Explorer pane, under Published Queries or System Queries, click the name of the query that you want to schedule and distribute as a report.

3 In the right pane, click Schedule.

4 Type the name of the scheduled query.

5 In the Set Schedule for Query dialog box, specify the time, date, and recipients for the generated reports.

Set the message subject and body text as required.

6 Select the option for CSV attachment or a URL link as required.

When the recipient clicks the link, the report opens directly if the user is logged on to the Web configuration interface using the host name of Information Manager. If the user logged on using the IP address of Information Manager instead, the user is prompted to authenticate, and the report becomes accessible after authentication.

7 Take one or more of the following actions as required:

■ To save the query report to the Published Reports folder and close the Set Schedule for Query dialog box without scheduling the query, click OK.

■ To enable the Schedule and Test icons and save the query report in the Published Reports folder, click Save.

■ To ignore any changes that were made since the last save and exit the dialog box, click Cancel.

■ To verify the entered details, click Test to send the query to the specified recipients.

■ To schedule the query, click Schedule.

The published query report is also available under the Scheduled Query Reports option under Manage > Reports on the Web configuration interface.


Chapter 14: Forwarding events to an Information Manager server

This chapter includes the following topics:

■ About forwarding events to an Information Manager server

■ About registering a security directory

■ Registering the Information Manager with a security domain

■ Activating event forwarding

■ Stopping event forwarding

About forwarding events to an Information Manager server

Event forwarding lets you create distributed configurations that handle higher event loads more efficiently by forwarding events to multiple Information Manager servers.

For example, you can set up one event forwarding rule to send all events to Information Manager server A. You can set up another event forwarding rule to send all events to Information Manager server B. This setup is good for redundancy. You can also archive different event types on different systems. You specify different event criteria on each event forwarding rule and point them to the appropriate Information Manager server.

A Collection Server is an instance of the Information Manager server that collects and forwards events from multiple sources to another server. A Correlation Server is an instance of Information Manager on which correlation is enabled and events are received.


For example, you can have multiple Information Manager servers store events from security products. You can then forward only those events that are needed for determining security incidents to a Correlation Server. The Collection Servers store the uncorrelated events (when archiving is enabled) to support compliance with policies such as Sarbanes-Oxley. The Correlation Server processes the forwarded events to allow monitoring of the security incidents in your network.

See “About event archives” on page 210.

During the Information Manager installation process, one default event forwarding rule is created. This rule is created on the Information Manager server to forward events from the event service to the correlation manager at 127.0.0.1. If you have multiple Information Manager servers, you may need to configure this forwarding rule. You can configure the rule to specify the destination Information Manager server to which to forward events. You may also choose to forward events to an event service (port 10012) on the destination server, instead of the correlation manager (port 10010).

You can create additional event forwarding rules on a single instance of Information Manager for backup purposes. You can also create these rules if you want to store certain types of events separately. For example, you can set up one forwarding rule to send events to Information Manager A. You can set up another forwarding rule to send events to Information Manager B. You can define event criteria to filter certain events to be forwarded to Information Manager A. Then you can specify that other types of events are forwarded to Information Manager B.

To configure event forwarding from one server to another, you must do the following:

■ Register the collector of each security product that you want to monitor with the destination Information Manager server. See “Registering Collectors” on page 170.

■ Use the Web configuration interface of the Information Manager to join the Collection Server with the security directory of the Correlation Server. See “Registering the Information Manager with a security domain” on page 244.

■ Configure the Collection Server to forward events. See “Activating event forwarding” on page 245.

Note: You cannot create incidents manually on an Information Manager server that is configured as a Collection Server. After you set up an instance of Information Manager as a Collection Server, you cannot reconfigure Information Manager to correlate events using software settings.


To forward events through a firewall, make sure to open the ports that are required for the Information Manager servers to communicate.
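A pre-flight check for that firewall requirement, added here as an example and not part of the product or this guide: it maps the service chosen in the forwarding rule to the TCP port this chapter names for it (10010 for the correlation manager, 10012 for the event service, 443 when the event service is encrypted with HTTPS, and 636 for LDAP directory registration) and probes each port from the Collection Server. The host name, the `probe` parameter and the label strings are assumptions of this example.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Port per "Select the service to forward to" choice, as stated in this chapter.
SERVICE_PORTS: Dict[str, int] = {
    "Correlation Service": 10010,        # correlation manager
    "Event Service": 10012,              # event service
    "Event Service (Encrypted)": 443,    # event service over HTTPS
}
LDAP_PORT = 636                          # default LDAP port for directory registration


def ports_for(service_choice: str, register_directory: bool = True) -> List[Tuple[str, int]]:
    """Return the (label, port) pairs the firewall between the Collection Server
    and the destination server must pass for the given rule configuration."""
    needed = [(service_choice, SERVICE_PORTS[service_choice])]
    if register_directory:
        needed.append(("LDAP directory registration", LDAP_PORT))
    return needed


def check_tcp(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port can be opened within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(host: str, service_choice: str, register_directory: bool = True,
              probe: Callable[[str, int], bool] = check_tcp) -> Dict[str, bool]:
    """Probe every required port on the destination host; `probe` is injectable
    so the mapping can be exercised without network access."""
    return {label: probe(host, port) for label, port in ports_for(service_choice, register_directory)}


if __name__ == "__main__":
    # Hypothetical destination host; replace with the Correlation Server's name.
    for label, ok in preflight("ssim-corr.example.test", "Event Service (Encrypted)").items():
        print(f"{label}: {'open' if ok else 'BLOCKED'}")
```

Run it on the Collection Server before step 5 of the forwarding-rule procedure; a BLOCKED line is the firewall rule to fix before events are queued for nothing.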

When the Correlation Server is unavailable, by default the forwarding server continues to queue events until the Correlation Server is available again. If the queue on the forwarding server fills up, the forwarding server stops receiving events. When the forwarding server stops receiving events, the collectors try to queue events until the forwarding server is able to accept events again.

The event criteria determine which events are forwarded to the destination Information Manager server. You set event criteria in the console of the Information Manager client, on the System view, Server Configurations tab. If the Event Criteria pane is empty, all events are sent to the Information Manager server. If you add a condition to the event criteria, only the events that match those criteria are sent.

To view forwarded events, a user in the console of the Information Manager client must have sufficient rights to view those types of events. If the product, domain, or organizational unit of the events does not match those allowed by the role that is assigned to the user, the events do not appear. The ability to view the forwarded events also depends on whether archiving is enabled on the console.

Note: Information Manager Event Services cannot forward events to a Correlation Server if they cannot resolve the host name for which the Correlation Server's SSL certificate was generated. To resolve this problem, add a DNS entry for the IP address and host name of the Correlation Server. You can also generate a new certificate for the Information Manager server that is based on its IP address.

If you forward events to an event service on the destination Information Manager server, you can enable data encryption. The data encryption option is not available when you forward events to a correlation manager.

About registering a security directory

You can register the security directory of an Information Manager server with the security directory of another Information Manager server. The registration can be performed from the Directory Registration view of the Web configuration interface.

Using the Register option on the Directory Registration view configures a Collection Server to use the same LDAP directory as the Correlation Server. After you register, the Collection Server also inherits the same LDAP configuration as the Correlation Server. If the Correlation Server is configured to use a local or a remote LDAP, then the Collection Server uses that database to store event information. However, if the Correlation Server is configured as a Correlation-only Server (event pass-through enabled, events not stored), the Collection Server inherits similar settings. In that case, you must create a new database configuration on the Collection Server if you want to store events in its database.

Note: You can perform a directory registration of an Information Manager server with another Information Manager server. However, the User Filters, User Monitors, User Rules, and User Lookup Tables that existed on the first Information Manager server before registration become unavailable.

For information on creating database configurations, refer to the Help of the Web configuration interface.

When you specify the name of the remote directory to which you register, ensure that you specify the correct domain name. In addition, make sure that you use the correct case (for example, symantec.ses instead of symantec.SES). LDAP directory connections are not case-sensitive, but database connections are. If you use the wrong case, the Collection Server connects to the LDAP directory of the Correlation Server but not to the database. When this situation occurs, no events appear in queries and reports.

See “About events, conclusions, and incidents” on page 207.

Registering the Information Manager with a security domain

The Information Manager Web configuration interface lets you add Information Manager to the security domain of the destination Information Manager server. The process of registering the Information Manager with the security directory of the other Information Manager may take 10 minutes.

To register the Information Manager with a security domain

1 Log on to the Information Manager Web configuration interface with the administrative credentials.

2 Click Settings > Directory Registration.

3 In the Directory Registration view, click Register.


4 In the details pane, under Directory Registration, type the following information in the provided fields:

Host name or IP address: The host name or IP address of the external security directory.

LDAP port: The LDAP communications port that the security directory uses. The default is 636.

LDAP cn=root password: The password for the cn=root account.

Administrator: The Domain Administrator account on the remote Information Manager server.

Password: The SSIM Domain Administrator password for the external Information Manager server.

Domain: The name of the remote security directory, such as Symantec.SES.

5 Click Register.

You can use the Visualizer tab on the System view to confirm that the directory registration is successful.

6 Configure the primary Information Manager server to forward events to the destination Information Manager server.

See “Activating event forwarding” on page 245.

Activating event forwarding

You can modify the default event forwarding rule, and can create additional event forwarding rules. You can also delete or modify an existing event forwarding rule.

When an Information Manager server receives the forwarded events, it stores the events according to the Event Storage Rules that are configured for that server.

To specify the archive in which the forwarded events are stored, you must do the following:

■ Configure the forwarding Information Manager server to send the events to the receiving Information Manager server.

■ Configure the receiving Information Manager server to store the events in the appropriate archive.


Note: Before completing the following steps, make sure that you have connected network cabling between the collection and the correlation Information Manager server.

See “About forwarding events to an Information Manager server” on page 241.

To configure the default event forwarding rule

1 In the console of the Information Manager client, click System.

2 On the Server Configurations tab, expand the Information Manager server that forwards the events to the Correlation Server and click Event Forwarding Rules.

3 In the right pane, double-click the rule.

4 In the Event Forwarding Rules dialog box, in the Inclusion filter area, do not insert any filter criteria. Leaving this area empty ensures that all events are forwarded to the default correlation Information Manager server. You can create additional event forwarding rules to specify forwarding criteria.

5 Under Primary and Failover Servers, type the host name or IP address of the correlation Information Manager server.

You may choose not to configure the failover server. You can also forward to servers that are not Correlation Servers. Usually, the failover is configured to fail over to another collection server.

6 Under Select the service to forward to, select one of the following:

■ To forward events to a Correlation Server, select Correlation Service.

■ To save the events in the destination Information Manager server's event archive, select Event Service. If you want the forwarded event data to be encrypted between the collection servers and the correlation servers, go to step 7.

7 To encrypt the event data between the collection servers and the correlation Information Manager servers, select Event Service (Encrypted).

If you choose to encrypt event data, the data is sent using HTTPS (port 443).

8 By default, event forwarding rules queue events on the host if the destination Information Manager server is not available. If you do not want Information Manager to queue events, uncheck Queue events if target service is unavailable.


9 You can enable the Use Persistent Queues option. This option enables all events to be written on the hard disk queue and then forwarded to the specified destination. If the destination is not available, the event service continues to write events to the disk queue (without blocking the event stream). It flushes the queue when it detects that the destination is back online.

Enabling the Persistent Queues may affect the event forwarding performance.

10 Click OK.

11 Make sure that the appropriate event forwarding rule is selected (enabled) in the pane.

For example, to enable the default event forwarding rule on a collection Information Manager server named Denver, select the Correlation Forwarding box under the Denver folder.

12 Click Apply.
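Steps 8 and 9 expose three different behaviours when the destination is down: no queueing (events are lost), the default bounded queue (the forwarder stops accepting once it fills, so collectors must queue), and persistent queues (written to disk first, flushed when the destination returns). The following simulation, added here as an illustrative model and not the product's implementation, makes those differences visible. The queue capacity, the in-memory stand-in for the disk queue and the `Destination` class are assumptions of the model.

```python
from collections import deque
from typing import Deque, Dict, List


class Destination:
    """Stand-in for the receiving Information Manager service (constructed)."""

    def __init__(self, up: bool) -> None:
        self.up = up
        self.received: List[dict] = []

    def send(self, event: dict) -> bool:
        if not self.up:
            return False
        self.received.append(event)
        return True


class Forwarder:
    """Models the queueing choices in the Event Forwarding Rules dialog:
    queue=False      do not queue if the target service is unavailable (event is lost)
    queue=True       bounded in-memory queue; when full, new events are refused
    persistent=True  disk-backed queue written first, flushed when the target is back
    `capacity` and the disk stand-in are assumptions of this model, not product values."""

    def __init__(self, dest: Destination, queue: bool = True,
                 persistent: bool = False, capacity: int = 3) -> None:
        self.dest = dest
        self.queue_enabled = queue
        self.persistent = persistent
        self.capacity = capacity
        self.memory: Deque[dict] = deque()
        self.disk: Deque[dict] = deque()   # stand-in for the on-disk queue
        self.dropped = 0                   # lost because queueing is off
        self.refused = 0                   # back-pressure: collector must hold the event

    def accept(self, event: dict) -> bool:
        """True if the forwarder took the event; False if the collector must keep it."""
        if self.persistent:
            self.disk.append(event)        # always written to disk, never blocks
            self.flush()
            return True
        if not self.memory and self.dest.send(event):
            return True                    # nothing queued and target up: send directly
        if not self.queue_enabled:
            self.dropped += 1
            return True                    # accepted, but lost
        if len(self.memory) >= self.capacity:
            self.refused += 1
            return False                   # queue full: stop receiving
        self.memory.append(event)
        self.flush()                       # no-op while the target is down
        return True

    def flush(self) -> int:
        """Deliver queued events in order while the destination accepts them."""
        q = self.disk if self.persistent else self.memory
        sent = 0
        while q and self.dest.send(q[0]):
            q.popleft()
            sent += 1
        return sent


def simulate(queue: bool = True, persistent: bool = False,
             outage_events: int = 5, capacity: int = 3) -> Dict[str, object]:
    """Feed events during an outage, restore the destination, send one more, report."""
    dest = Destination(up=False)
    fwd = Forwarder(dest, queue=queue, persistent=persistent, capacity=capacity)
    accepted = sum(fwd.accept({"seq": i}) for i in range(outage_events))
    dest.up = True
    fwd.flush()
    fwd.accept({"seq": outage_events})
    seqs = [e["seq"] for e in dest.received]
    return {"accepted_during_outage": accepted, "refused": fwd.refused,
            "dropped": fwd.dropped, "delivered": len(dest.received),
            "order_preserved": seqs == sorted(seqs)}
```

With the defaults, three of five outage events are queued and two are refused; with queueing off, all five are lost; with persistent queues, all five are spooled and delivered in order once the destination is back.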

To create a new event forwarding rule

1 In the Information Manager console, click System.

2 On the Server Configurations tab, expand the Information Manager server to which you want to add an event forwarding rule. Click Event Forwarding Rules.

3 On the toolbar, click + (the Add icon).

4 In the Rule name box, type the name of the new rule.

5 By default, all events are forwarded. To limit the types of events forwarded, complete the following steps in order:

■ In the Inclusion filter area, click Add (+).

■ In the left column, click an entry in the Common, Events, or Other Fields tabs.

■ In the middle column, specify a logical operator.

■ In the right column, specify the value that you filter on.

■ Repeat these steps for any other conditions that you want to include.

6 To complete the configuration, click OK.

7 To apply, click Apply.
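To show how several rules with inclusion filters, primary and failover servers, and a chosen service combine to route one event, here is an added example model (not the product's code). It assumes events are flat dictionaries, that the conditions entered in step 5 are ANDed, and that the middle-column operators are the few listed; the server names and sample events are constructed. The ports come from this chapter (10010, 10012, 443).

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Middle-column operators assumed for this model; the page does not enumerate them.
OPERATORS: Dict[str, Callable[[object, object], bool]] = {
    "=": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "contains": lambda a, b: isinstance(a, str) and str(b) in a,
}

# Port per "Select the service to forward to" choice, as stated in this chapter.
SERVICE_PORTS = {"Correlation Service": 10010, "Event Service": 10012,
                 "Event Service (Encrypted)": 443}


@dataclass
class Condition:
    name: str        # left column: an entry from Common, Events or Other Fields
    operator: str    # middle column: logical operator
    value: object    # right column: value to filter on

    def matches(self, event: Dict[str, object]) -> bool:
        return self.name in event and OPERATORS[self.operator](event[self.name], self.value)


@dataclass
class ForwardingRule:
    name: str
    primary: str
    service: str
    failover: Optional[str] = None
    inclusion_filter: List[Condition] = field(default_factory=list)
    enabled: bool = True

    def matches(self, event: Dict[str, object]) -> bool:
        # An empty inclusion filter forwards every event (step 4 of the default rule).
        return all(c.matches(event) for c in self.inclusion_filter)


def route(event: Dict[str, object], rules: List[ForwardingRule],
          reachable: frozenset) -> List[Tuple[str, Optional[str], Optional[int]]]:
    """(rule name, host, port) per matching enabled rule; host is None when neither
    the primary nor the failover is reachable, i.e. the event would be queued."""
    out = []
    for rule in rules:
        if not rule.enabled or not rule.matches(event):
            continue
        host = rule.primary if rule.primary in reachable else rule.failover
        if host is not None and host not in reachable:
            host = None
        out.append((rule.name, host, SERVICE_PORTS[rule.service] if host else None))
    return out


# Constructed sample rules and events; host names are hypothetical.
RULES = [
    ForwardingRule("Correlation Forwarding", "ssim-a.example.test", "Correlation Service",
                   failover="ssim-c.example.test"),
    ForwardingRule("Firewall archive to B", "ssim-b.example.test", "Event Service (Encrypted)",
                   inclusion_filter=[Condition("product", "=", "Firewall")]),
]
SAMPLE_EVENTS = [
    {"id": 1, "product": "Firewall", "severity": 3},
    {"id": 2, "product": "Antivirus", "severity": 5},
]


def demo(reachable=frozenset({"ssim-a.example.test", "ssim-b.example.test"})):
    return {e["id"]: route(e, RULES, reachable) for e in SAMPLE_EVENTS}


if __name__ == "__main__":
    for event_id, destinations in demo().items():
        print(event_id, destinations)
```

The second call in the test shows the failover path: with only ssim-c reachable, the default rule fails over to it while the archive rule, which has no failover, would queue.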


To delete an event forwarding rule (stop event forwarding to an Information Manager server)

1 In the Information Manager console, click System.

2 On the Server Configurations tab, expand the Information Manager server for which you want to delete an event forwarding rule. Click Event Forwarding Rules.

3 Select the rule to delete.

4 In the toolbar, click Remove (-).

5 Click Apply.

Stopping event forwarding

To stop event forwarding, disable the event forwarding rule from the Server Configurations tab of the System view on the console of the Information Manager server.

See “About forwarding events to an Information Manager server” on page 241.


Chapter 15: Understanding event normalization

This chapter includes the following topics:

■ About event normalization

■ About normalization (.norm) files

About event normalization

Normalization occurs when the server receives an event after the collector has harvested the raw data. The normalization process analyzes received event data and adjusts the fields to prepare the data for interpretation by Information Manager, including any applicable rules. A normalization configuration file with a .norm file extension is used to adjust the fields where necessary. The .norm file maps the event fields that the collectors provide to the event fields that Information Manager requires. Normalization accomplishes tasks such as populating empty fields and locating information about source and target.

For example, if you want to capture a consistent target IP address, the point product that harvested the data may have placed the IP address in a field whose name does not indicate the nature of its contents. The field name may be ip_address, which does not indicate whether the IP is the address of the source or the target. Information Manager includes a set of mapping files that identify and parse the data in the fields that the supported products provide. It maps these values to the appropriate database schema fields. Symantec creates and updates the .norm files using LiveUpdate as more information from each of the point products becomes available.

Normalization adds information to events using a standardized set of fields that can be used to refine rules processing. For example, a unique event identifier can be mapped to a Standard Event Code (Symantec Signature). This information allows multiple product events to be correlated despite unique identifiers for each product.

Normalization also uses the information that you provided in the Asset and Network tables. It uses this information to uniquely identify the elements that are related to the event, which can be used during rules creation. Additional fields from the Asset table include the assigned Confidentiality, Integrity, and Availability (CIA) values and the host name. These fields also identify who owns the system, the current operating system, and what policies or roles apply to the computer. In addition, the fields identify what services are open on a computer (populated by a vulnerability scanner). They also identify what vulnerabilities are on that computer (for example, if specific patches have not been rolled out to a computer). For example, if a system has been assigned the role of a vulnerability scanner, the events that vulnerability scanners usually generate can be filtered if they are associated with that computer.

The Network table information is used to identify the location and directional flow of the event. Normalization can help to identify whether an event is internal only (contains IP addresses within your network). Normalization can also help identify whether the traffic is inbound, outbound, or traveling to or from specific locations. For example, if the source of a virus event is an internal source, the event can be flagged as an internal virus infection.

Normalization also adds any information available with the Symantec Signature using the Symantec DeepSight Threat Management System database.

For example, when a security incident occurs that is mapped to a Symantec Signature, the following pieces of information may be provided:

■ The Symantec Event Code, which facilitates cross-product correlation

■ EMR categorization, helping the analyst to aggregate attack data to better understand the outbreak

■ Vulnerability IDs (BugTraq) that include information on the vulnerabilities that are typical to this type of security threat

■ Exposure IDs that include the potential attack exposure information that Information Manager provides. For example, telnet is enabled or weak passwords are used.

■ Malicious code IDs that include the information that Symantec Security Response creates to describe the known malicious code activity that is associated with an attack

See “About normalization (.norm) files” on page 251.


About normalization (.norm) files

When you create a rule, it is often helpful to view the mapping that takes place during normalization by using the normalization (.norm) files. Normalization files are included in the file system of the server. They are not available from the Information Manager Web configuration interface. Collectors usually populate the event fields with the data that matches the descriptive name that is specified in the schema. However, the event fields the collector provides may contain additional information that Information Manager can parse. In these cases, you can view the normalization (.norm) file to understand from where the event data comes, and how Information Manager interprets it. The Information Manager server contains a default .norm file. It also contains the .norm files that are specific to the collectors that are used on your network. The mapping in a .norm file may be a direct one-to-one mapping. In this mapping, the value in the collector field can be directly imported into the field that Information Manager expects. In other cases, the collector field may contain more data than the Information Manager field expects. In these cases, regular expressions are commonly used to parse the collector field for the data that Information Manager expects.

Note: Although you can alter the contents of the .norm files, do not rely on this method as a means of modifying how data is normalized and accessed through the rule set. If you have LiveUpdate or Symantec DeepSight Threat Management System updates enabled, the default .norm file is often refreshed during the update process. Any changes you make to the .norm file are lost.

In the following example, the first line of each block specifies the schema used. The field name to the left is the field name that the collector uses. The values on the right indicate the data and the field name that the Information Manager server uses. The parsed data may include a data type in parentheses, followed by the name of the field that Information Manager uses. The right side may also include the regular expressions that are used to parse the event data from the collector field.

(intrusion_data ^ "Failure Audit") & (intrusion_data ^ "User Name")
intrusion_symc_sig -> (string)deviceAlert
machine_ip -> (ip)sourceIp (ip)targetIp
machine -> (string)sourceHost (string)targetHost
intrusion_data -> /User\s+Name:\s+(\S+)/ (string)eventResource
intrusion_target_type_id := 1037112
intrusion_outcome_id := 1027204
vendor_device_id := 36
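To make the mapping described above concrete, here is an added example, not Symantec's normalization engine, that parses the .norm block shown on this page and applies it to a constructed collector event. It assumes that `^` means "the collector field contains this string", that `&` joins conditions with AND, that `->` maps a collector field to one or more `(type)field` targets (optionally through the first capture group of a `/regex/`), and that `:=` assigns a constant; none of those semantics are spelled out on the page. Invalid `(ip)` values are left unset rather than stored.

```python
import ipaddress
import re
from typing import Any, Dict, List, Optional, Tuple

# The .norm block shown on this page, used as the parser's input.
NORM_BLOCK = r'''
(intrusion_data ^ "Failure Audit") & (intrusion_data ^ "User Name")
intrusion_symc_sig -> (string)deviceAlert
machine_ip -> (ip)sourceIp (ip)targetIp
machine -> (string)sourceHost (string)targetHost
intrusion_data -> /User\s+Name:\s+(\S+)/ (string)eventResource
intrusion_target_type_id := 1037112
intrusion_outcome_id := 1027204
vendor_device_id := 36
'''

# A constructed collector event (not from the page) that the block should match.
SAMPLE_RAW_EVENT = {
    "intrusion_symc_sig": "Windows Logon Failure",
    "intrusion_data": "Failure Audit: Logon Failure. User Name: jdoe Domain: CORP",
    "machine_ip": "10.1.2.3",
    "machine": "host01",
}

_COND = re.compile(r'\(\s*(\w+)\s*\^\s*"([^"]*)"\s*\)')   # (field ^ "text")
_TARGET = re.compile(r'\((\w+)\)(\w+)')                     # (type)fieldName


class NormBlock:
    """Parsed form of one .norm block: match condition, field mappings, constants."""

    def __init__(self) -> None:
        self.conditions: List[Tuple[str, str]] = []          # (collector field, substring)
        self.mappings: List[Tuple[str, Optional[str], List[Tuple[str, str]]]] = []
        self.constants: Dict[str, Any] = {}


def parse_norm(text: str) -> NormBlock:
    blk = NormBlock()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "->" in line:                                  # field mapping
            src, rhs = (s.strip() for s in line.split("->", 1))
            pattern = None
            if rhs.startswith("/"):                       # /regex/ before the targets
                m = re.match(r"/(.*?)/\s*(.*)$", rhs)
                pattern, rhs = m.group(1), m.group(2)
            blk.mappings.append((src, pattern, _TARGET.findall(rhs)))
        elif ":=" in line:                                # constant assignment
            dst, val = (s.strip() for s in line.split(":=", 1))
            blk.constants[dst] = int(val) if val.lstrip("-").isdigit() else val.strip('"')
        else:                                             # block condition
            if "|" in line:
                raise ValueError("only '&'-joined conditions are modelled here")
            blk.conditions.extend(_COND.findall(line))
    return blk


def _cast(typ: str, value: Any) -> Optional[Any]:
    if typ == "ip":
        try:
            return str(ipaddress.ip_address(str(value)))
        except ValueError:
            return None            # leave the field unset rather than store garbage
    return str(value) if typ == "string" else value


def apply_norm(blk: NormBlock, raw: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Normalized fields, or None when the block's condition does not match."""
    if not all(f in raw and needle in str(raw[f]) for f, needle in blk.conditions):
        return None
    out: Dict[str, Any] = {}
    for src, pattern, targets in blk.mappings:
        if src not in raw:
            continue
        value = raw[src]
        if pattern is not None:
            m = re.search(pattern, str(value))
            if m is None:
                continue
            value = m.group(1) if m.groups() else m.group(0)
        for typ, dst in targets:
            cast = _cast(typ, value)
            if cast is not None:
                out[dst] = cast
    out.update(blk.constants)
    return out


def normalize(raw: Dict[str, Any], text: str = NORM_BLOCK) -> Optional[Dict[str, Any]]:
    return apply_norm(parse_norm(text), raw)
```

Running `normalize(SAMPLE_RAW_EVENT)` shows the one-to-many mapping (machine_ip feeding both sourceIp and targetIp), the regex extraction of the user name into eventResource, and the constants; an event whose intrusion_data lacks "Failure Audit" returns None, which is how a block declines an event.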


See “About event normalization” on page 249.


Chapter 16: About Effects, Mechanisms, and Resources

This chapter includes the following topics:

■ About Effects, Mechanisms, and Resources (EMR)

■ About Effects values

■ About Mechanisms values

■ About Resources values

■ EMR examples

About Effects, Mechanisms, and Resources (EMR)

Effects, Mechanisms, and Resources (EMR) values define the event classification scheme that Information Manager uses. EMR replaces the Category and Subcategory fields that were used in previous versions of Information Manager. All of the events that are assigned a Symantec Signature use EMR classification. In addition, EMR has been established as a DMTF (Distributed Management Task Force) standard.

EMR values provide security classification data that applies to each event type. However, EMR values only represent potential threat conditions. The process of determining whether an event is an actual attack is performed at the Rules processing, Event Correlation, and security analysis phase. The assigned EMR values should not be interpreted as conclusions as to whether any particular event is a security incident. For example, an incorrect logon event may include EMR data that suggests a Guess Password mechanism. However, it is up to the security analyst to create a rule that describes a Guess Password threat (such as a rule that triggers when three or more failed logon attempts occur over a specified period).


Alternatively, the security analyst can analyze the event manually to determine whether the event constitutes a threat. EMR values are most useful when they are used with other available fields to further identify whether a security incident has taken place.
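The rule the text uses as its example, three or more failed logons over a period, implemented as an added sliding-window example (not Information Manager's rules engine). Events are constructed; the `outcome` field name, the per-source-and-target grouping, and the choice to let a Guess Password EMR hint count as one failed logon are assumptions of this example. The point it demonstrates is the one the paragraph makes: an EMR hint on a single event never yields a conclusion by itself.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: int             # seconds since epoch (constructed)
    source_ip: str
    target_host: str
    mechanism: str      # EMR Mechanisms value, e.g. "Login" or "Guess Password"
    outcome: str        # "failure" or "success"; an assumed field name, not from the page


# Constructed sample events, not from the page.
SAMPLE_EVENTS = [
    Event(1000, "10.0.0.5", "fileserver", "Login", "failure"),
    Event(1060, "10.0.0.5", "fileserver", "Login", "failure"),
    Event(1120, "10.0.0.5", "fileserver", "Login", "failure"),   # third failure within 300 s
    Event(1500, "10.0.0.5", "fileserver", "Login", "success"),   # successes are not counted
    Event(2000, "10.0.0.9", "mailserver", "Login", "failure"),
    Event(2100, "10.0.0.9", "mailserver", "Login", "failure"),
    Event(2500, "10.0.0.9", "mailserver", "Login", "failure"),   # earlier failures aged out
    Event(3000, "10.0.0.7", "webserver", "Guess Password", "failure"),  # EMR hint alone
    Event(3100, "10.0.0.7", "webserver", "Logout", "success"),
]


def guess_password_rule(events: List[Event], threshold: int = 3,
                        window: int = 300) -> List[Dict[str, object]]:
    """Emit one conclusion per burst of `threshold` failed logons from the same
    source against the same host within `window` seconds."""
    recent: Dict[Tuple[str, str], Deque[int]] = defaultdict(deque)
    conclusions: List[Dict[str, object]] = []
    for e in sorted(events, key=lambda x: x.ts):
        # Only failed logons count. A Guess Password EMR hint is taken as one failed
        # logon, so a single hinted event never reaches the threshold on its own.
        if e.mechanism not in ("Login", "Guess Password") or e.outcome != "failure":
            continue
        q = recent[(e.source_ip, e.target_host)]
        q.append(e.ts)
        while q and e.ts - q[0] > window:          # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            conclusions.append({"rule": "Guess Password", "source_ip": e.source_ip,
                                "target_host": e.target_host, "count": len(q),
                                "first": q[0], "last": e.ts})
            q.clear()                               # one conclusion per burst
    return conclusions


def demo() -> List[Dict[str, object]]:
    return guess_password_rule(SAMPLE_EVENTS)


if __name__ == "__main__":
    for c in demo():
        print(c)
```

Only the burst against fileserver produces a conclusion; the mailserver failures are spread past the window, and the lone Guess Password event is classified but not concluded, which is the distinction the chapter draws between EMR data and an incident.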

See “About events, conclusions, and incidents” on page 207.

About Effects values

Effects values describe the effects of the event from the detector's point of view (for example, Degradation or Reconnaissance). Symantec Signatures can have more than one value in the Effects field (for example, Access and Reconnaissance). The Effects values reflect the Confidentiality, Integrity, and Availability (CIA) values that describe security events. For example, what is the effect of this event to the Intrusion Detection System? The Intrusion Detection System does not evaluate whether the event is a false positive. It only knows the potential effects of the event that has occurred.

See “About Effects, Mechanisms, and Resources (EMR)” on page 253.

Security devices such as packet filters may not be able to detect the notion of an event's effect. In these cases, the Effects field is populated with Unknown. Although an attack is intended to have an effect, the intent is not always known. For example, viruses or other malicious code may have multiple varied effects. If more than one value is in the Effects field, the first element in the list generally represents what the detector considers the most significant or the most severe effect. Three of the values correspond exactly to the standard security attributes: confidentiality, integrity, and availability.

Table 16-1 describes the EMR Effects values that are available.

Table 16-1 EMR Effects values

Access: Access to data or services has been attempted or accomplished.

Degradation: An attempt was made to damage or impair usability, performance, service availability, and so forth.

Reconnaissance: An attempt was made to gather information useful for attacks, or a probe for vulnerabilities occurred that did not exploit them.

System Compromised: The integrity of the targeted system has been compromised. A system is said to be compromised when an attacker gains unauthorized system access or privileges allowing for remote execution of code. For example, a compromised system is likely to be susceptible to remote execution. The events that use this Effect type are the events that may lead to an intruder gaining access to the system. Access may occur if the intruder uses a remote management method (SNMP). Access may also occur if the intruder uses a shell prompt and bypasses or otherwise nullifies the required authentication scheme.

Integrity: An attempt was made to modify or delete data.

Unknown: The Effect of the event is unknown.

About Mechanisms values

The Mechanisms values describe the method of attack that was used to generate an event from the detector's point of view: for example, a virus or a port sweep. A Symantec Signature may have more than one mechanism: for example, SSH CRC32 Corruption has mechanisms Buffer Overflow and Remote Execution. The Mechanisms values can be used with any of the Effects values, depending on the method that was employed in an attack or probe.

For example, a denial-of-service attack that uses ICMP packets has an Effects value of Degradation and a Mechanisms value of Network ICMP. If the attack is a port sweep, the Effects value is Reconnaissance and the Mechanisms value is Port Sweep.

If the event contains more than one mechanism, the first element usually represents one of the following: the most specific, the most significant, or the most severe mechanism from the detector's point of view. However, implementation of this guideline is not enforced. Consequently, the order should not be used as a determining factor of the characteristics of the mechanisms that the event uses.

See “About Effects, Mechanisms, and Resources (EMR)” on page 253.

Although the value map is a flat enumeration, hierarchical relationships are selected in most-specific to most-general ascending order in the list of values. For example, Network Protocol is a parent value to Network ICMP. If Network ICMP is the desired value, Network Protocol is selected and placed as the next element in the list of mechanism values.

Table 16-2 describes the Mechanisms values that are available.

Table 16-2 EMR Mechanisms values

DescriptionMechanisms value

The mechanism matches adware behavior.Adware

The mechanism appears to take advantage of a flaw in the operation of a program.Alternatively, the mechanism may appear to be an unintended behavior of the program tocompromise the program or the host system in some way. This attack differs from a bufferoverflow because it is not recompiling code. Instead, the application is used to perform a taskthat is possible with the released version of the product or system.

Application Exploit

Address Resolution Protocol (ARP) poisoning (also known as ARP Spoofing) sends fake ARPrequests to a network using a forged MAC address. Using this technique, a network devicemay send packets to a forged, sniffable address or may halt traffic across the device.

ARP Poisoning

The mechanism appears to be a backdoor. A backdoor bypasses normal authentication orsecurity of remote access to a system, while also attempting to remain hidden from casualinspection.

Worms such as Mydoom and Sobig create backdoors on non-secure systems to propagateemail traffic. A backdoor may be an installed program (for example, BackOrifice) or anunintended modification to an existing program. A backdoor in a logon system can take theform of a hard-coded user and password combination which gives access to the system.

Backdoor

The mechanism appears to be a buffer overflow attack.Buffer Overflow

The mechanism appears to be code that has been executed within a URL or similar cross-sitecode execution. For example, Apache and IIS can detect this activity when a client requestsa URL that contains the <script></script> tag set.

Cross-site Scripting

The mechanism appears to have altered data with malicious intent. For example, a DNS servercache is forced to update with a malicious IP mapping. This type of attack is typicallyperformed as part of an HTTP hijack attack.

Data Manipulation

The mechanism appears to be a Guess Password attack. For example, some point productslog multiple failed logon events, which may indicate a Guess Password condition.

Guess Password

The mechanism appears to be a host sweep.Host Sweep

The mechanism was a logon event.Login

The mechanism was a logoff event.Logout

The mechanism appears to be a network sweep.Network Sweep

About Effects, Mechanisms, and ResourcesAbout Mechanisms values

256

Page 257: Symantec Security Information Manager 4.7.4 …vox.veritas.com › legacyfs › online › veritasdata › Symantec...Nontechnical presales questions Issues that are related to CD-ROMs,

Table 16-2 EMR Mechanisms values (continued)

DescriptionMechanisms value

Network ICMP: Child of Network Protocol. The event uses the ICMP protocol. For example, this mechanism is common in ping attacks and probes.

Network TCP: Child of Network Protocol. The event uses the TCP protocol.

Network UDP: Child of Network Protocol. The event uses the UDP protocol.

Non-Viral Malicious: The mechanism appears to be malicious code of a non-viral (non-propagating) nature.

Network Protocol: The parent for any attack mechanism that uses a network protocol.

Network HTTP: Child of Network Protocol. The event uses the HTTP protocol.

Overloading Congestion: The mechanism appears to be a network flood or denial-of-service attack that attempts to overload the available bandwidth for a network. For example, a ping flood triggers this condition because the number of packets that are involved prevents any other traffic from passing over the network.

Overloading Saturation: The mechanism appears to be a host flood or denial-of-service attack that overloaded or attempts to overload the available resources for a particular host. For example, a SYN flood would trigger this condition, as a SYN flood does not affect the network itself but focuses on a particular host. Consequently, it prevents other computers from establishing connections with the targeted computer.

Overloading: Parent of the Overloading Congestion and Overloading Saturation types. This mechanism often indicates a generic denial of service condition.

Port Sweep: The mechanism appears to be a port sweep.

Phishing: The mechanism matches the behavior of a phishing attack.

Port Scan: The mechanism appears to be a port scan.

Redirection: The mechanism appears to indicate that the attack has caused the redirection of the victim's session to a malicious server instead of the intended server: for example, an HTTP hijack session in which a malicious site impersonates a bank site and causes the victim to connect to the impersonated site instead of the actual bank site. When the user types in their logon information, the logon information is collected, and then the customer is redirected to the authentic bank site.

Remote Execution: The mechanism is an event that is capable of being executed remotely.


Rootkit: A rootkit is used for a variety of covert system activities. These activities include terminal and connection sniffing, keystroke monitoring, and cleaning up or obscuring logon records, processes, and event logs. Kernel-level rootkits replace system calls with the binary code that is hidden in a Trojan horse. Application-level rootkits replace application code with the code that is hidden in a Trojan horse.

Replay attack: The mechanism may be a Replay attack. A Replay attack is a fraudulent repetition of a valid data transmission.

Spoof Identity: Any technique that attempts to represent one end of a client-server relationship or network session as a different entity from the actual entity. This mechanism can be used to attack a network session to hijack the session: for example, a Man-in-the-Middle attack.

Script Injection: The mechanism appears to be a script injection.

Spyware: The mechanism matches spyware behavior.

Stale Data Scan: The mechanism appears to be a stale data scan. A stale data scan occurs when a tool reads memory that has been deallocated but not erased. Confidential or secure information may still be present in that memory.

SQL Injection: The mechanism may be a SQL injection. A SQL injection is a method in which malicious code is inserted into strings that are passed to the SQL server for parsing and execution.

Trojan: The mechanism appears to be a Trojan horse.

Unknown: The mechanism is unknown.

Virus: The mechanism appears to be a virus.

Worm: The mechanism appears to be a worm.

About Resources values

The EMR Resource value indicates the type or types of resources that the event is likely to affect: for example, Mail or Host. A Symantec Signature may have more than one Resource value.

For example, DB indicates that an attack was made against a database server. Mail indicates that some type of mail server is affected. DB, DNS, and other values can indicate a server or service. No distinction exists between a DNS server resource and a DNS service resource. If there is more than one Resource value, the first element usually represents the most specific resource or the most significant resource from the detector's point of view.

Although the value map is a flat enumeration, hierarchical relationships are selected in most-specific to most-general ascending order of values. For example, Remote Service is a parent value to DNS. If DNS is the desired value, Remote Service is the next element in the list.

See “About Effects, Mechanisms, and Resources (EMR)” on page 253.

Table 16-3 describes the Resource values that are available.

Table 16-3 EMR Resource values (Resource value: Description)

Application: Parent of Application Data and Application Configuration. The affected resource was a non-operating system program that runs on a single host computer.

Application Configuration: Child of Application. The affected resource was an application configuration.

Application Data: Child of Application. The affected resource was Application Data.

Cookies: The affected resource was a cookie.

CIFS: Child of Remote Share. The affected resource was a Windows file share.

CPU: Requires the Host value. The affected resource was a CPU.

DB: Child of Remote Service. The affected resource was a database server.

DNS: Child of Remote Service. The affected resource was a DNS service.

Firewall: The affected resource was a firewall, which includes a packet filter or application proxy that discriminates and filters network packets and application sessions.

FTP: Child of Remote Service. The affected resource was an FTP service.

File System: Child of OS. The subsystem of the operating system that allows basic persistence, inputs, and output. Requires the OS and the Host values.

Group: Child of OS. Requires the OS and the Host values. The affected resource was a group policy.

Host: The affected resource was a host computer.

Hardware: The affected resource was a hardware device.

LDAP: Child of Naming Service. The affected resource was an LDAP directory.

Mail: Child of Remote Service. The affected resource was a mail server, such as an SMTP server.


Naming Service: Child of Remote Service. The affected resource was a naming service.

Network Device: Parent of Firewall, Router, and Switch. The affected resource was a network device.

Network Session: Session Hijack target resource. A related set of packets traveling between two or more entities communicating from different endpoints on a network. For example, the target of a TCP spoofing mechanism like Spoof Identity for the purpose of a session hijack or a Man-in-the-Middle attack.

NFS: Child of Remote Share. The affected resource was a Network File System service.

Network Data: The affected resource was network data.

OS Kernel: Child of OS. The affected resource was the trusted computing base of the operating system. Requires the OS and the Host values.

OS Configuration: Child of OS. A particular configuration of the operating system based on settings and policies. Requires the OS and the Host values.

OS Session: Child of OS. A particular instance of an interactive or batch-running environment on the operating system. Requires the OS and the Host values.

OS: Parent of OS Kernel, OS Configuration, OS Session, File System, Process, Service, User Account, Privileges, User Policy, Group, Registry, and File. The affected resource was an operating system that runs on a single host computer. This value requires the Host value to be provided.

Process: Child of OS. Requires the OS and the Host values. The affected resource was a process on the target computer.

Privileges: Child of OS. Requires the OS and the Host values. The affected resource was the target of a privilege escalation attack (Integrity).

Remote Share: Child of Remote Service. The affected resource was a remote share.

RPC: Child of Remote Service. The affected resource was a remote procedure call service.

Remote Service: Parent of Remote Share, Naming Service, DB, FTP, Mail, RPC, and Web. The affected resource was a remote service.

Registry: Child of OS. Requires the OS and the Host values. The affected resource was a registry value.

SNMP: Child of Remote Service. The affected resource was an SNMP agent.

Service: Child of OS. Requires the OS and the Host values. The affected resource was a service on the target computer.


SMB: Child of Remote Share. The affected resource was a Windows file share, or Simple Message Blocks (SMB).

Router: Child of Network Device. The affected resource was a router.

Switch: Child of Network Device. The affected resource was a switch.

URL: The affected resource was a URL.

User Policy: Child of OS. Requires the OS and the Host values. The affected resource was a user policy.

User Account: Child of OS. Requires the OS and the Host values. The affected resource was a user account.

User Activity: The affected resource was user activity.

Unknown: The affected resource type was unknown.

Web: Child of Remote Service. The affected resource was an HTTP server.

EMR examples

You can use examples to understand EMR values.

See “About Effects, Mechanisms, and Resources (EMR)” on page 253.

Table 16-4 provides examples of the application of EMR values for attacks.

Table 16-4 EMR examples

Attack | Effect(s) | Mechanism(s) | Resource(s)

DNS Exploit x86 Linux (Snort) | Degradation | Buffer overflow | DNS

DNS Exploit x86 Freebsd (Snort) | Access, Integrity | Buffer overflow | DNS

XS – BIND – TSIG – attempt (Snort) | Access, Integrity | Buffer overflow, Network UDP, Network TCP, Network Protocol | DNS

WEB-MISC sml3com access (Snort) | Degradation | Network HTTP, Network Protocol | Network Device

DOS Cisco null snmp | Degradation | Network SNMP, Network Protocol | Network Device

2106045 (BlackIce) | Degradation | Network HTTP, Network Protocol, Application Exploitation | Network Device


FTP:PASS-4DGIFTS (Dragon) | Access | Guess Password | FTP

FTP:PASS-LRKR0X (Dragon) | Access | Guess Password | FTP

FTP-rhosts (Snort) | Access, Integrity | Application Exploit | FTP

FTP-BOUNCE | Access | Application Exploit | FTP
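The ordering rule stated under "About Resources values" (the most specific value first, then each parent, then any value the table says must accompany it) can be made mechanical, and doing so also reproduces mechanism lists such as the BIND row of Table 16-4. The following Python is an added example, not Information Manager code: its parent and "requires" maps contain only the relationships Tables 16-2 and 16-3 state on this page, so values that appear elsewhere in the product (for example Network SNMP or Application Exploit, which occur in Table 16-4 but not in the portion of Table 16-2 shown here) are rejected as unknown, and the function names expand, mechanism_values and resource_values are this example's own.

```python
# Added example (not Information Manager code): expand EMR Mechanism and
# Resource values into the ordered list the text describes, using only the
# parent/child and "requires" relationships that Tables 16-2 and 16-3 state.

MECHANISM_PARENT = {
    "Network ICMP": "Network Protocol", "Network TCP": "Network Protocol",
    "Network UDP": "Network Protocol", "Network HTTP": "Network Protocol",
    "Overloading Congestion": "Overloading",
    "Overloading Saturation": "Overloading",
}
MECHANISM_VALUES = set(MECHANISM_PARENT) | set(MECHANISM_PARENT.values()) | {
    "ARP Poisoning", "Backdoor", "Buffer Overflow", "Cross-site Scripting",
    "Data Manipulation", "Guess Password", "Host Sweep", "Login", "Logout",
    "Network Sweep", "Non-Viral Malicious", "Port Sweep", "Phishing",
    "Port Scan", "Redirection", "Remote Execution", "Rootkit", "Replay attack",
    "Spoof Identity", "Script Injection", "Spyware", "Stale Data Scan",
    "SQL Injection", "Trojan", "Unknown", "Virus", "Worm",
}

RESOURCE_PARENT = {
    "Application Configuration": "Application", "Application Data": "Application",
    "CIFS": "Remote Share", "NFS": "Remote Share", "SMB": "Remote Share",
    "Remote Share": "Remote Service", "Naming Service": "Remote Service",
    "DB": "Remote Service", "DNS": "Remote Service", "FTP": "Remote Service",
    "Mail": "Remote Service", "RPC": "Remote Service", "Web": "Remote Service",
    "SNMP": "Remote Service", "LDAP": "Naming Service",
    "Firewall": "Network Device", "Router": "Network Device",
    "Switch": "Network Device",
}
for _child in ("OS Kernel", "OS Configuration", "OS Session", "File System",
               "Process", "Service", "User Account", "Privileges",
               "User Policy", "Group", "Registry", "File"):
    RESOURCE_PARENT[_child] = "OS"
RESOURCE_VALUES = set(RESOURCE_PARENT) | set(RESOURCE_PARENT.values()) | {
    "Cookies", "CPU", "Host", "Hardware", "Network Session", "Network Data",
    "URL", "User Activity", "Unknown",
}
# Companion values the table says must be supplied alongside a value without
# being its parent. Children of OS get Host through OS's own requirement.
RESOURCE_REQUIRES = {"OS": ("Host",), "CPU": ("Host",)}


def expand(values, parent, known, requires=None):
    """Order values most-specific first: the given values, then each
    successive level of parents, then required companions, with no repeats."""
    unknown = [v for v in values if v not in known]
    if unknown:
        raise ValueError("unknown EMR value(s): " + ", ".join(unknown))
    ordered = list(dict.fromkeys(values))   # keep order, drop duplicates
    level = ordered[:]
    while level:
        nxt = []
        for v in level:
            p = parent.get(v)
            if p is not None and p not in ordered and p not in nxt:
                nxt.append(p)
        ordered.extend(nxt)
        level = nxt
    for v in list(ordered):
        for req in (requires or {}).get(v, ()):
            if req not in ordered:
                ordered.append(req)
    return ordered


def mechanism_values(*values):
    """Ordered Mechanism list for a signature, e.g. the BIND row of Table 16-4."""
    return expand(values, MECHANISM_PARENT, MECHANISM_VALUES)


def resource_values(*values):
    """Ordered Resource list, with the OS/Host companions the table requires."""
    return expand(values, RESOURCE_PARENT, RESOURCE_VALUES, RESOURCE_REQUIRES)


if __name__ == "__main__":
    print(resource_values("DNS"))          # ['DNS', 'Remote Service']
    print(resource_values("OS Kernel"))    # ['OS Kernel', 'OS', 'Host']
    print(mechanism_values("Buffer Overflow", "Network UDP", "Network TCP"))
```

Parents are added level by level rather than one chain at a time, which is why two sibling values such as Network UDP and Network TCP contribute a single trailing Network Protocol, as in the table row.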


Chapter 17

Collector-based event filtering and aggregation

This chapter includes the following topics:

■ About collector-based event filtering and aggregation

■ About identifying common events for collector-based filtering or aggregation

■ About preparing to create collector-based rules

■ Accessing event data in the Information Manager console

■ Creating collector-based filtering and aggregation specifications

■ Examples of collector-based filtering and aggregation rules

About collector-based event filtering and aggregation

Information Manager lets you filter and aggregate security events before they are sent to the server. Information Manager provides the filtering and aggregation capabilities that can be used at the collector. Filtering and aggregating event data before it reaches the server can improve network and server performance. Collector-based filtering and aggregation can also effectively increase event storage capacity on the server. Collector-based filtering and aggregation discards unnecessary events or stores summaries of events, which typically use less storage space.

When an event collector gathers events from security products, it parses the event for the information that can be sent to the server. When relevant data is identified, it is translated into fields in the Information Manager schema. Information Manager uses the schema to correlate existing events, create incidents, and so forth.


Security products are responsible for identifying security breaches and threats. In many cases, these products also act as event identification and storage devices for any event that may be used for forensics research. Some products store these events locally. Others offload the event data to a storage device such as a Syslog server or a Windows event log. In general, Information Manager collectors monitor these devices, databases, and log files for security-related events. The collectors then forward all of these events to the Information Manager server. By default, event collectors gather all security-related events, and do not discriminate based on event severity or relevance. This feature is useful for policy compliance. However, many organizations prefer to use the powerful event reporting and correlation features of Information Manager on the security events that are more threat-related.

You can limit (or restrict) the events that are sent to the server to those events that represent potential security threats and incidents. In contrast to event filtering and correlation at the server, collector-based filtering lets you exclude events from forwarding to Symantec Security Information Manager. Similarly, collector-based aggregation lets you group similar events to reduce event traffic. Grouping also lets you reduce the number of single events that are stored in the event database. Event aggregation groups the events that contain identical event information into a single summary event which is forwarded to the server. This summary event includes a count of the events that matched the aggregation criteria.

Note: When aggregation occurs, the summary event that is created and sent to the server does not contain the raw event data for each individual event. A summary event cannot be separated into the individual events that comprise the aggregated event.

Collector-based event filtering and aggregation rules (also referred to as specifications) are created using the Information Manager console, and then deployed to the corresponding collectors. When you filter events at the collector, you remove the events from the event storage, correlation, and incident creation processes. Use caution when you determine which events you want to filter at the collector.

Note: Collector-based filtering or aggregation should not be used if you use Information Manager as your primary tool for policy compliance. Filtering or aggregating event data may exclude the events or the event details that are unnecessary for security monitoring but are necessary for compliance.


See “About identifying common events for collector-based filtering or aggregation” on page 265.

About identifying common events for collector-based filtering or aggregation

Table 17-1 describes filtering and aggregation guidelines for specific security device types.

Table 17-1 Filter and aggregation guidelines (Device type: Suggestions)

All: Test networks can generate the security events that do not indicate any actual threat. Consider filtering all events originating from isolated test networks.

Firewall: Firewalls generate many events that are not required for correlation. Consider filtering or aggregating the following types of events:

■ Connection rejected. These indicate that the firewall operates as it is configured. These events do not ordinarily pose a security threat and can be filtered at the Event Collector.

■ Connection accepted. Typically, legitimate network traffic generates these events. These events can be filtered entirely or they can be aggregated according to IP address. If an individual unwanted connection is accepted, the Intrusion Detection System identifies and reports the attack.

■ Possible attack. Not all possible attack events indicate a true security threat. Consider filtering or aggregating possible attack events based upon specific attack IDs.

Enterprise Antivirus: Enterprise antivirus systems customarily report a number of informational events for each protected system. If you use a product such as Symantec Client Security, consider filtering or aggregating the following types of events:

■ Scan start and scan stop. These events do not pose a security threat and can be filtered or aggregated.

■ Virus repaired. These events indicate that the antivirus software has repaired infected systems. If there are infections in your environment that are commonly repaired, consider aggregating virus repaired events by the virus name.

■ Irreparable virus. These events may indicate a virus outbreak. The spread of a virus can generate many redundant events. To avoid unwanted event traffic during an outbreak, consider aggregating irreparable virus events.


Vulnerability: Typically, all vulnerability scan events should be sent to Information Manager for correlation. Vulnerability assessment events in some cases can be aggregated to reduce network traffic.

Intrusion Detection: Typically, all intrusion detection and intrusion prevention events should be sent to Information Manager for correlation.

Windows Event Log: The Windows event log stores both operating system events and application events. Because each Windows system may have different applications installed, broad filtering or aggregation is not advised. All aggregation and filtering must be based upon specific event criteria. Consider filtering or aggregating the following types of events:

■ Application. Some applications generate an excessive number of informational and warning events. These events can be filtered or aggregated based upon the specific event source and event identifier.

■ Security. Success audit events do not indicate a security threat and can be aggregated based upon the specific user.

■ System. System event sources such as the Service Control Manager generate many informational events. These events can be filtered or aggregated based upon the event source and identifier.

See “About collector-based event filtering and aggregation” on page 263.

About preparing to create collector-based rules

Before you create collector-based filtering and aggregation rules, you need to understand the event data that is generated on your network. You need to gather event data over a period of time and evaluate the event fields that are included in each event. In the Information Manager console, you can use the Event Viewer to view a summary of the events that the enabled collectors identified. The Event Viewer may give you an idea of the categories or types of data that can be used. However, the event field is the most accurate source of information for creating event filters. Each product has customized event fields specific to that product. Therefore, you should create filtering and aggregation rules based on the events that are specifically related to that product. You can view the event fields by double-clicking an event in the Event Viewer. You can then analyze the fields that appear in the Event Details window.

Informational firewall events may be good filtering candidates. The firewall events that are classified as informational can often be filtered at the collector to reduce traffic to the server. The firewall events that are categorized as informational are generally used for accounting purposes. These events usually do not indicate an attempted security breach. However, the collector correctly detects these events as security-related events. The collector sends them to Information Manager by default. It may be unnecessary to analyze these events to maintain the security policies of your organization. If analysis is unnecessary, you can filter the events at the collector to reduce event traffic. To filter these events, analyze the event details to find the fields on which the filter for this specific event can be created.

To understand the event data and create a filtering rule to filter informational firewall events, you perform the following tasks:

■ With the collector enabled, generate a series of informational firewall events. In most cases, bringing a firewall online and performing connection tasks through the firewall generates these types of events. To make the event data more useful, generate the common firewall events that might more accurately resemble a live network environment: for example, FTP sessions and failed connection attempts.

■ After you generate a series of events, use the Event Viewer or an available event report in the Dashboard. Double-click an event to open the Event Details window.

■ In the Event Details window, analyze the field names that are included in the event. Many of these fields are added at the server rather than at the collection point as part of the normalization process. Therefore, the most effective fields to base a filter on are generally the fields that are generated in the raw event data: for example, the fields that contain event IDs that are specific to the monitored device. For example, if you use the Cisco Pix collector, the firewall generates a unique value in the Event Info 4 field.

■ Make note of the field and value pair that you want to base your filter on and open the configuration on the Product Configurations tab.

To create a new specification

1 On the System view, in the Product Configurations tab, find the collector for the product that you want to monitor. For example, if you use the Check Point Firewall, navigate to the settings for CheckPoint FireWall-1 Collector.

Note: You cannot edit the default configuration. You must create a new configuration and specify the settings for that configuration.

2 Select the product and right-click to create a new configuration. Type a name and description for the new configuration, and then click Next.

3 Add computers to the configuration using the + icon. Then click Next.

4 Click Finish. Click Close to save and exit the Configuration Wizard.


5 Select the newly created configuration. In the right pane, on the Filter tab, create a new specification.

6 In the new specification, double-click the name field and find the field name in the list. Alternatively, type the name of the field exactly as it appears in the event details.

7 In the operator column, choose the appropriate operator. In most cases, this value is the equal to operator.

8 In the Value field, type the value exactly as it appears in the event details.

9 Enable the specification, save, and then distribute using the Distribute settings to computers icon.

See “About collector-based event filtering and aggregation” on page 263.

Accessing event data in the Information Manager console

The Information Manager console provides several different ways to access the event data that each collector gathers. To gain an understanding of the events that can be filtered, you should analyze the event data that is viewable in the Event Details view.

You can also create custom reports for specific events. For more information on how to create custom reports, see the documentation that is provided with each collector.

Accessing event data using the Events view

1 In the Information Manager console, click Events.

2 In the Events view, expand the Templates folder.

3 Under the Templates folder, click All Events.

Note: This example uses the All Events query. However, you can use any of the event queries in the Events view that return the event data for which you search.

4 In the right pane, select the archives that contain the event data that you want to review, and then click Run Template.

5 After the query completes, use the results view to find the event you want to analyze.


6 Find the event that you want to analyze, and click View the event details.

7 In the Event Details window, analyze the event fields and data. Many events have unique event IDs that can be used to create the filters that are specific to the event that you want to filter.

See “About identifying common events for collector-based filtering or aggregation” on page 265.

Creating collector-based filtering and aggregation specifications

After you analyze your event data, you can create filtering and aggregation specifications based on the fields that are viewable in the Event Details window. The Filters and Aggregation tabs let you create, enable, and edit filters to exclude events from being forwarded to the server (filtering). You can also use these tabs to create, enable, and edit filters to gather multiple events into a single event (aggregation). No event filtering or aggregation rules are configured by default. You must add the rules before you can enable or configure them.

See “About collector-based event filtering and aggregation” on page 263.

To create a collector-side filtering rule

1 In the Information Manager console, on the System view, click Product Configurations.

2 In the left pane, expand the product to which you want to add a filtering rule. Expand the folders until you reach the configurations that are available for the product. If the only configuration available is Default, you must create a new configuration. The Default configuration cannot be edited. If necessary, to create a new configuration, click the folder of the product, and then click Add. Follow the on-screen instructions.

3 Select the configuration you want to modify, and then in the right pane, on the Filter tab, under the list of filters, click Add.

4 Double-click Specification n (where n is 0, 1, 2, and so on), type a name for the rule, and then press Enter.

5 Under the rule properties table, click Add, and then do the following:

■ In the Name column, double-click the name field and find the value in the event fields list that appears. If you know the exact name of the field that the collector created, you can also type a name for the event filter property. Fields are case-sensitive.

■ In the Operator column, select an operator from the drop-down list.


■ In the Value column, type a value for the event filter property.

To add more event filtering information for the rule, repeat this step.

6 When you are finished, in the filter list, check the filter name.

7 Click Save.

8 In the left pane, right-click the appropriate default folder, and then click Distribute.

9 When you are prompted to distribute the configuration, click Yes.

To create a collector-based aggregation rule

1 In the Information Manager console, on the System view, click Product Configurations.

2 In the left pane, expand the product to which you want to add an aggregation rule. Expand the folders until you reach the configurations that are available for the product. If the only configuration available is Default, you must create a new configuration. The default configuration cannot be edited. If necessary, to create a new configuration, click the folder of the product, and then click Add. Follow the on-screen instructions.

3 In the right pane, on the Aggregator tab, under the list of filters, click Add.

4 Double-click Specification n (where n is 0, 1, 2, and so on), type a name for the rule, and then press Enter.

5 Under the rule properties table, click Add, and then do the following:

■ In the Name column, select the name for the event aggregation property.

■ In the Operator column, select an operator from the drop-down list.

■ In the Value column, type a value for the event aggregation property.

To add more event aggregation information for the rule, repeat this step.

6 In the Aggregation time (ms) box, type the window, in milliseconds, within which events that match the rule properties are aggregated into a single summary event.

The default value is 100. This property applies to all aggregation filters.

7 When you are done, in the aggregation list, check the aggregation name.

8 Click Save and enable the rule before you distribute.

9 In the left pane, right-click the appropriate default folder, and then click Distribute.

10 When you are prompted to distribute the configuration, click Yes.
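To make the behaviour of the two procedures above concrete, the following Python is an added simulation of what a collector does with filtering and aggregation specifications once they are distributed; it is example code, not the collector's own implementation. The event records, the field names (event_id, source_ip, ts_ms, severity), the event IDs and the 10.99.0.0/16 test subnet are constructed for the example, and the operator names (equals, in_subnet) are the example's own rather than the console's operator list. In a real specification the field name and value are copied exactly from the Event Details window (for example, the Event Info 4 value that the Cisco Pix collector generates), and the filter follows the guidance in Table 17-1: match on the product's own event ID or on an isolated test network rather than on a broad field such as severity.

```python
# Added example (not Information Manager collector code): a minimal model of
# collector-side filtering and aggregation. Field names, event IDs, the test
# subnet and the operator names are constructed for this example.
from ipaddress import ip_address, ip_network

# Filter specifications: (field, operator, value). An event that matches any
# enabled specification is discarded at the collector and never reaches the
# server, so it is also unavailable for correlation and forensic analysis.
FILTER_SPECS = [
    # Drop "connection accepted" firewall events by the product's own event
    # ID rather than by a broad field such as severity.
    ("event_id", "equals", "FW-302013"),          # constructed event ID
    # Drop everything originating from an isolated test network.
    ("source_ip", "in_subnet", "10.99.0.0/16"),   # constructed test subnet
]

# Aggregation specification: events whose values for these fields are
# identical, and that arrive within the aggregation time of the first event
# of their group, collapse into one summary event that carries a count.
AGGREGATION_FIELDS = ("event_id", "source_ip")
AGGREGATION_TIME_MS = 100   # the console's documented default

# Constructed sample events; ts_ms is the collection time in milliseconds.
SAMPLE_EVENTS = [
    {"ts_ms": 0,   "event_id": "FW-302013", "source_ip": "192.0.2.10",   "severity": "info"},
    {"ts_ms": 5,   "event_id": "FW-106023", "source_ip": "192.0.2.10",   "severity": "warning"},
    {"ts_ms": 20,  "event_id": "FW-106023", "source_ip": "192.0.2.10",   "severity": "warning"},
    {"ts_ms": 30,  "event_id": "FW-106023", "source_ip": "10.99.4.7",    "severity": "warning"},
    {"ts_ms": 40,  "event_id": "FW-106023", "source_ip": "198.51.100.5", "severity": "warning"},
    {"ts_ms": 60,  "event_id": "FW-106023", "source_ip": "192.0.2.10",   "severity": "warning"},
    {"ts_ms": 250, "event_id": "FW-106023", "source_ip": "192.0.2.10",   "severity": "warning"},
]


def matches(event, field, operator, value):
    """True if one (field, operator, value) property matches the event.
    Field names are case-sensitive, as they are in the console."""
    actual = event.get(field)
    if actual is None:
        return False
    if operator == "equals":
        return actual == value
    if operator == "in_subnet":
        try:
            return ip_address(actual) in ip_network(value)
        except ValueError:      # the field did not hold an IP address
            return False
    raise ValueError("unknown operator: %r" % operator)


def apply_filters(events, specs=FILTER_SPECS):
    """Return only the events that match no filter specification."""
    return [e for e in events
            if not any(matches(e, f, op, v) for f, op, v in specs)]


def aggregate(events, fields=AGGREGATION_FIELDS, window_ms=AGGREGATION_TIME_MS):
    """Fold events into summary events. A summary keeps only the aggregation
    fields, the first timestamp and a count: the raw data of its member
    events is gone, and the summary cannot be split back into them."""
    summaries, open_groups = [], {}
    for e in sorted(events, key=lambda ev: ev["ts_ms"]):
        key = tuple(e.get(f) for f in fields)
        g = open_groups.get(key)
        if g is None or e["ts_ms"] - g["first_ts_ms"] > window_ms:
            # start a new summary: first event of a group, or window expired
            g = {f: e.get(f) for f in fields}
            g.update(first_ts_ms=e["ts_ms"], count=0)
            open_groups[key] = g
            summaries.append(g)
        g["count"] += 1
    return summaries


def collector_forward(events):
    """What the collector forwards to the server: filtered, then aggregated."""
    return aggregate(apply_filters(events))


if __name__ == "__main__":
    for summary in collector_forward(SAMPLE_EVENTS):
        print(summary)
```

Running it on the constructed events drops the accepted-connection event and the test-network event, then forwards three summaries: the three denied-connection events from 192.0.2.10 within the first 100 ms become one summary with a count of 3, the event from 198.51.100.5 stays a summary of one, and the 192.0.2.10 event at 250 ms starts a new summary because the window measured from the group's first event had expired. Note what is no longer available once a summary leaves the collector: the severity field and each member's own timestamp are gone, which is the reason the chapter warns against collector-side filtering when Information Manager is the primary compliance record.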


Examples of collector-based filtering and aggregationrules

As you begin to understand the details of the event fields populated, you woulddiscover the common filtering and aggregation candidates. These candidates canbe safely implemented at the collector level. You are provided with generalguidelines for filtering and aggregation. Before you deploy these examples, eachconfiguration should be carefully evaluated to ensure that the configurationconforms to the specific needs of your security environment. The examples thatare provided are common to many deployments, but may not be in compliancewith your security policies. Creating filtering and aggregation specifications isan iterative process. This process is based on a careful evaluation of the eventdata that is specific to your security environment. Filtering at the collectorprevents event data from being sent to the Information Manager server forevaluation. Consequently, analysts do not have access to this data for forensicanalysis unless the events are stored separately from Information Manager.

For example, events that are classified as informational are often good candidates for filtering or aggregation at the collector. A network may generate a large number of informational events that do not constitute an immediate security threat, and from a threat perspective these events may not be useful in evaluating a high-priority security incident in progress. However, the informational event details may later help to reconstruct the series of events that led to a security breach. For this reason, evaluate an event filter or aggregation specification carefully before you deploy it at the collector.

When you determine which events can be safely filtered or aggregated, base the collector-based specification on specific event criteria. Basing a filter on a broad field such as severity level may have unintended results, because many unrelated event types share a severity. Specificity helps to prevent unexpected gaps in the information that is available to the analyst. For example, use the event IDs that the monitored product generates to control which information is discarded before it reaches Information Manager. This is more effective than using a broader severity category for the same purpose.

See “About collector-based event filtering and aggregation” on page 263.

Filtering events generated by specific internal networks

You can filter events from particular subnets that generate a high volume of events that do not pose a threat. For example, a network that is dedicated to testing and developing software applications may generate many events that do not threaten internal network resources. These events can be filtered at the collector to reduce this type of false positive.

See “Examples of collector-based filtering and aggregation rules” on page 271.

To filter network events generated by a specific subnet and acquired by the Windows event log collector

1 On the System view, on the Product Configurations tab, expand the default configuration for the Snare for Windows Event Log collector. On the Filters tab, add a new specification. Add a new entry for the specification, and then double-click the Name field. In the Event fields list, choose Machine Numeric Subnet.

2 Set the Operator to equal to, and in the Value field, enter the subnet that you want to filter against.

3 Save and enable the rule, and then distribute the configuration.

Filtering common firewall events

Firewall products typically generate a large number of events, many of which are recorded primarily for lower-priority, informational purposes. Depending on the security policies that you have in place, you may be able to safely filter these events at the collector. Filtering at the collector reduces network traffic and increases overall performance.

See “Examples of collector-based filtering and aggregation rules” on page 271.

Filtering Connection Rejected events

Events that are classified as Connection Rejected can often be filtered based on the severity of the event and the event ID. For example, in many cases the TCP Connection Rejected events that the Cisco PIX collector detects (PIX-6-106015) can be filtered at the collector. Depending on the security policies of your organization, you may decide to filter or aggregate these events to reduce the amount of data to evaluate.

If you want to filter additional events, add more event types to the specification. For example, you can use the Event Info 4 field to identify the PIX events No route to dest_addr from src_addr (PIX-6-110001) or HTTP daemon interface int_name: connection denied from IP_addr (PIX-6-605001).

To filter Cisco PIX TCP Connection Rejected events

1 On the System view, on the Product Configurations tab, navigate to the product to configure.

2 On the Filters tab, create a new specification.


3 In the new filtering specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Firewall Network Event > Event Info 4. For the Cisco PIX collector, the Event Info 4 field contains the name of the event that PIX uses.

4 Set the Operator to equal to, and then in the Value field, enter the PIX event code (PIX-6-106015).

5 Save and enable the rule, and then distribute the configuration.

Filtering Connection Accepted events

Events that are classified as Connection Accepted can often be filtered based on the severity of the event and, more specifically, the event ID. For example, the Connection Accepted events that the Cisco PIX collector detects can be filtered at the collector. One such event is The user user_name executed cmd: command (PIX-7-111009). PIX-7-111009 events are generally used for accounting purposes only; they indicate that the command the user entered was not capable of modifying the configuration. Depending on the security policies of your organization, you may decide to filter or aggregate these events to reduce the amount of data to evaluate.

To filter Cisco PIX Connection Accepted events

1 On the System view, on the Product Configurations tab, navigate to the product to configure.

2 On the Filters tab, create a new specification.

3 In the new filtering specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Firewall Network Event > Event Info 4. For the Cisco PIX collector, the Event Info 4 field contains the name of the event that PIX uses.

4 After you have selected the field name, set the Operator to equal to, and then in the Value field, enter the PIX event code (PIX-7-111009).

5 Save and enable the rule, and then distribute the configuration.

Filtering Possible Attack events

In many cases, events that are classified as possible attacks can be either filtered or aggregated. For example, if you use the Cisco PIX collector, the collector gathers events such as failed telnet session attempts as possible attacks and displays them in the console. Based on your policies, you can filter or aggregate these events at the collector to reduce the amount of data to evaluate. Because repeated failed management logins are also what a brute-force attempt against the firewall looks like, aggregation, which still delivers a summary event to the server, is usually the safer choice for these events than filtering, which discards them.

If you want to filter similar events (or events that carry a similar severity), add more event types to the specification. For example, you can use the Event Info 4 field to identify Telnet Login Session Failed (PIX-6-307003) events or Retrieved IP address for FTP session (PIX-6-303002) events.

To filter Cisco PIX failed telnet session events

1 On the System view, on the Product Configurations tab, navigate to the product to configure.

2 On the Filters tab, create a new specification.

3 In the new filtering specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Firewall Network Event > Event Info 4. For the Cisco PIX collector, the Event Info 4 field contains the name of the event that PIX uses.

4 After you have selected the field name, set the Operator to equal to, and then in the Value field, enter the PIX event code exactly as it appears in the Event Info 4 field of the events you want to discard. For Telnet Login Session Failed events this is PIX-6-307003, as listed above. Check the Event Details of a sample event before you distribute the filter: the operator is an exact match, so a mistyped code matches nothing and the filter silently has no effect.

5 Save and enable the rule, and then distribute the configuration.

Filtering Remote Management Connection events

Remote Management Connection events can often be aggregated if you expect remote management connections to take place from trusted sources or to an expected host computer. Remote Management Connection events are frequently classified as Informational and in many cases can be safely aggregated.

For example, if you use the Juniper Netscreen Firewall collector, you can create an aggregation specification that gathers specific types of Remote Management Connection events into a single summary event that is sent to the server. If you have a host computer that manages remote connections, and you therefore expect many Remote Management events for it, you can aggregate those events into a single event summary.

To aggregate events for the Juniper Netscreen Firewall collector based on a specific host computer

1 On the System view, on the Product Configurations tab, navigate to the product to configure.

2 Expand the default configuration for the Juniper Netscreen Firewall Event Collector.

3 On the Aggregation tab, add a new specification. Add a new entry for the specification, and then double-click the Name field. In the Event fields list, navigate to Common Event > Destination Host Name.

4 Set the Operator to equal to, and then enter the host name in the Value field.


5 In the Aggregation time (ms) box, type the time in milliseconds within which matching events are combined into a single summary event.

6 Save and enable the rule, and then distribute the configuration.
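The PIX filter procedures and the Netscreen aggregation procedure above describe two operations on the collector's event stream: discard every event whose selected field is equal to a value, or fold the events whose selected field is equal to a value and that arrive within the aggregation window into one summary event. The following Python is an added illustration of those semantics written for this page; it is not Information Manager or collector code. The field names ("Event Info 4", "Destination Host Name") are taken from the procedures, while the millisecond timestamps, the sample events and the summary-event layout are constructed assumptions, and only the equal to operator is modeled.

```python
"""Added example: collector-side filtering and aggregation as a small model.
Not Information Manager code. Sample events and timestamps are constructed;
field names follow the procedures on this page ("Event Info 4",
"Destination Host Name"). Only the 'equal to' operator is modeled."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Spec:
    """One entry of a filter or aggregation specification: field equal to value."""
    field_name: str
    value: str

    def matches(self, event: dict) -> bool:
        return event.get(self.field_name) == self.value


def apply_filters(events, specs):
    """Filtering: an event matching any spec is discarded at the collector
    and never reaches the server. Returns (kept, dropped) so the dropped
    set can be reviewed before the rule is distributed."""
    kept, dropped = [], []
    for ev in events:
        (dropped if any(s.matches(ev) for s in specs) else kept).append(ev)
    return kept, dropped


def aggregate(events, spec, window_ms):
    """Aggregation: matching events that arrive within window_ms of the
    first event of a window are folded into one summary event that
    carries a count. Non-matching events pass through unchanged.
    Events are assumed to be in timestamp order."""
    out, summary, window_start = [], None, None
    for ev in events:
        if not spec.matches(ev):
            out.append(ev)
            continue
        ts = ev["ts_ms"]
        if summary is not None and ts - window_start <= window_ms:
            summary["count"] += 1          # same window: fold into the summary
            summary["last_ts_ms"] = ts
            continue
        # First matching event of a new window becomes the summary event.
        summary = dict(ev, count=1, first_ts_ms=ts, last_ts_ms=ts)
        window_start = ts
        out.append(summary)
    return out


# Constructed Cisco PIX events; only "Event Info 4" and the timestamp matter here.
PIX_SAMPLE = [
    {"Event Info 4": "PIX-6-106015", "ts_ms": 0},    # TCP connection rejected
    {"Event Info 4": "PIX-7-111009", "ts_ms": 10},   # user executed a non-modifying command
    {"Event Info 4": "PIX-6-307003", "ts_ms": 20},   # telnet login session failed
    {"Event Info 4": "PIX-6-106015", "ts_ms": 30},
    {"Event Info 4": "PIX-6-605001", "ts_ms": 40},   # HTTP daemon connection denied
]
PIX_FILTERS = [Spec("Event Info 4", "PIX-6-106015"),
               Spec("Event Info 4", "PIX-7-111009")]

# Constructed Juniper Netscreen remote-management events to one trusted host.
NETSCREEN_SAMPLE = [
    {"Destination Host Name": "fw-mgmt-01", "ts_ms": 0},
    {"Destination Host Name": "fw-mgmt-01", "ts_ms": 40},
    {"Destination Host Name": "fw-mgmt-01", "ts_ms": 90},
    {"Destination Host Name": "db-01",      "ts_ms": 95},
    {"Destination Host Name": "fw-mgmt-01", "ts_ms": 150},
    {"Destination Host Name": "fw-mgmt-01", "ts_ms": 200},
]
NETSCREEN_AGG = Spec("Destination Host Name", "fw-mgmt-01")


def filter_pix(events=PIX_SAMPLE):
    return apply_filters(events, PIX_FILTERS)


def aggregate_netscreen(events=NETSCREEN_SAMPLE, window_ms=100):
    return aggregate(events, NETSCREEN_AGG, window_ms)


if __name__ == "__main__":
    kept, dropped = filter_pix()
    print(f"PIX: {len(kept)} forwarded, {len(dropped)} discarded at the collector")
    for ev in aggregate_netscreen():
        print("Netscreen:", ev)
```

Two things the model makes visible: the discarded PIX events exist nowhere on the server afterwards, which is the forensic caveat from the start of this section, while the Netscreen summaries still carry a count. With the default window of 100 ms, the six management events above collapse to two summaries plus the unrelated db-01 event; a burst spaced a few hundred milliseconds apart would still produce one summary per window, so size the window from the burst shape you actually measured rather than leaving the default.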

Filtering common Symantec AntiVirus events

Symantec AntiVirus generates events that can often be filtered or aggregated. For example, most antivirus products provide proactive event notifications of maintenance tasks such as data scan start and stop events. Because these security-related events indicate expected behavior, they can often be safely filtered or aggregated at the collector.

To filter the events that Symantec AntiVirus generates, edit the configuration file (.cfg) that is installed with the collector on the Symantec AntiVirus parent server. The collector monitors the parent server for events and uses the configuration file to determine which events are forwarded to the Information Manager server.

See “Examples of collector-based filtering and aggregation rules” on page 271.

The following events are common Symantec AntiVirus events that can be filtered at the collector:

■ Unscannable Violation

■ Data Scan Start

■ Data Scan End

■ Data Scan Cancel

■ Data Scan Pause

■ Data Scan Resume

■ Application Start

■ Application Stop

Note: Application Stop events can indicate that Symantec AntiVirus has been disabled. The AntiVirus Disabled event correlation rule on the server detects this event. If you filter Application Stop events at the collector, this rule does not trigger during correlation. Treat excluding this event as a detection gap, not as a volume optimization.

Symantec AntiVirus and Symantec Client Security configuration files are stored on the parent server on which the collector is installed. By default, the files are stored in the following locations:

■ Symantec AntiVirus: C:\Program Files\Symantec\Collector\Plugins\SAVSesa\savsesa.cfg


■ Symantec Client Firewall: C:\Program Files\Symantec\Collector\Plugins\SCFSesa\scfsesa.cfg

■ Symantec Client Security: C:\Program Files\Symantec\Collector\Plugins\SCSState\scsstate.cfg

You can also filter the events that are forwarded from individual clients or servers using the Log Event Forwarding wizard. The wizard is available through the Symantec System Center interface that is provided with Symantec AntiVirus and Symantec Client Security. The Log Event Forwarding wizard lists the complete set of events that can be forwarded to parent servers. For more information on using Symantec System Center, see the documentation that is provided with Symantec AntiVirus and Symantec Client Security.

To enable event filtering on a Symantec AntiVirus parent server

1 On the parent server that you are monitoring, use a text editor such as Notepad to open the following file: C:\Program Files\Symantec\Collector\Plugins\SAVSesa\savsesa.cfg.

2 In the .cfg file, find the ExcludeEvents section.

3 In the list of events in this section, remove the comment symbol (;) from before each event type that you want to filter.

4 Save the file, keeping the .cfg extension. You may need to restart the collector for the change to take effect.
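The procedure above edits savsesa.cfg by hand. The following Python, added for this page and not shipped with the collector, performs the same edit programmatically and enforces the Note about Application Stop events, refusing to exclude an event that a server-side correlation rule depends on unless the operator says so explicitly. The layout it assumes (an [ExcludeEvents] section header with one event name per line, a leading ";" marking an inactive entry) is inferred from the steps above and the sample file is constructed, so compare the function's behavior against the real file before using it.

```python
"""Added example: activate entries in the ExcludeEvents section of a Symantec
AntiVirus collector configuration file. Not part of the collector. The
section layout assumed here (an [ExcludeEvents] header, one event name per
line, ';' marking an inactive entry) is inferred from the procedure on this
page; verify it against the real savsesa.cfg before use."""

# Events whose exclusion silences a server-side correlation rule (the
# AntiVirus Disabled rule depends on Application Stop, per the Note above).
DETECTION_CRITICAL = {"Application Stop"}

# Constructed sample of the assumed layout, not the real file.
SAMPLE_CFG = """[General]
Name=SAVSesa

[ExcludeEvents]
;Unscannable Violation
;Data Scan Start
;Data Scan End
;Data Scan Cancel
;Data Scan Pause
;Data Scan Resume
;Application Start
;Application Stop

[Other]
;Application Stop
"""


def enable_exclusions(cfg_text, events, allow_detection_loss=False):
    """Return (new_text, changed): changed lists the event names whose ';'
    was removed inside [ExcludeEvents]. Raises ValueError when a requested
    event is detection-critical (unless explicitly allowed) or is absent
    from the section, so a typo cannot silently do nothing. Entries that
    are already active are left alone, which makes the edit idempotent."""
    wanted = set(events)
    blocked = wanted & DETECTION_CRITICAL
    if blocked and not allow_detection_loss:
        raise ValueError(f"refusing to exclude {sorted(blocked)}: "
                         "server correlation rules depend on these events")
    out, changed, already, in_section = [], [], [], False
    for line in cfg_text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_section = stripped == "[ExcludeEvents]"   # only this section is edited
        elif in_section and stripped.startswith(";"):
            name = stripped[1:].strip()
            if name in wanted:
                line = name + "\n"                        # drop the ';' to activate
                changed.append(name)
        elif in_section and stripped in wanted:
            already.append(stripped)                      # active already, nothing to do
        out.append(line)
    missing = wanted - set(changed) - set(already)
    if missing:
        raise ValueError(f"not found in [ExcludeEvents]: {sorted(missing)}")
    return "".join(out), changed


if __name__ == "__main__":
    text, changed = enable_exclusions(SAMPLE_CFG, ["Data Scan Start", "Data Scan End"])
    print("activated:", changed)
    print(text)
```

Run it against the real file only after confirming the section and comment conventions match; if the collector uses a different comment character or section name, adjust the two string comparisons rather than the guard logic.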

Filtering or aggregating vulnerability assessment events

Typically, all vulnerability assessment scan results should be sent to the Correlation Manager for analysis. However, in some cases vulnerability assessment events can be aggregated to reduce the number of events that are sent individually to the Information Manager server. For example, the Symantec ESM collector detects vulnerability assessment events that report whether files are backed up on the systems it scans (Backup Integrity events). This information is useful for a variety of network analysis tasks, but depending on the policies of your organization it may not represent an immediate security threat.

A Different ACL entry event is another potential candidate for aggregation. A Different ACL entry event typically indicates a permissions misconfiguration rather than an actual security breach.

See “Examples of collector-based filtering and aggregation rules” on page 271.


To aggregate Backup Integrity events for the Symantec ESM collector

1 On the System view, on the Product Configurations tab, navigate to the product to configure.

2 On the Aggregation tab for that product, create a new specification.

3 In the new aggregation specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Vulnerability > Vulnerability Custom 2. For the Symantec ESM collector, the Vulnerability Custom 2 field contains the type of event that the vulnerability assessment scan generates.

4 Set the Operator to equal to. Then in the Value field, type Backup Integrity exactly as it appears in the Event Details entry for the Vulnerability Custom 2 field.

5 In the Aggregation time (ms) box, type the time in milliseconds within which matching events are combined into a single summary event.

6 Save and enable the rule, and then distribute the configuration.

To aggregate Different ACL entry events

1 On the System view, on the Product Configurations tab, navigate to the product to configure.

2 On the Aggregation tab for that product, create a new specification.

3 In the new aggregation specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Vulnerability > Vulnerability Name. For the Symantec ESM collector, this field (the Short Descriptive Name) contains a brief description of the event that the vulnerability assessment scan generates.

4 After you have selected the field name, set the Operator to equal to. Then in the Value field, type Different ACL entry exactly as it appears in the Event Details entry for the Vulnerability Name field.

5 In the Aggregation time (ms) box, type the time in milliseconds within which matching events are combined into a single summary event.

6 Save and enable the rule, and then distribute the configuration.

Filtering Windows Event Log events

If you use the Windows event log collector, you can reduce traffic by filtering the common network events that generally do not pose a threat. The Windows event logs generate a large number of events that track a variety of activities, including those related to security. These events carry unique event codes that are included in the raw event data. You can use these event codes to create collector-based filters that reduce the number of events passed to the server.

For example, Successful Network Logon events (Windows event ID 540) do not typically pose a security risk if the appropriate security measures are in place, such as strong passwords, multiple layers of access defense, and limited administrator privileges. Keep in mind that these events are also the record of which accounts reached which hosts; if you filter them at the collector, they are unavailable for later forensic analysis unless they are retained somewhere other than Information Manager.

Another Windows event log event that can be filtered is the successful login event in the Application log (event ID 17055). As an alternative to the Option 8 field used in the procedure below, you can choose the Event ID field with a value of 17055.

See “Examples of collector-based filtering and aggregation rules” on page 271.

To filter Windows Successful Network Logon events (540)

1 On the System view, on the Product Configurations tab, navigate to the product to configure.

2 On the Filters tab, create a new specification.

3 In the new filtering specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Windows and Novell Event > Option 8. For this type of event, Option 8 contains the event ID, prefixed with the log name (for example, Security:540). Note that the option fields vary with each event for Windows event log entries. For more information on the Windows Event Log option fields, see the documentation that Microsoft provides.

4 Set the Operator to equal to. In the Value field, type Security:540 exactly as it appears in the Event Details entry for the Option 8 field.

As an alternative, you can also choose the Event ID field with a value of 540.

5 Save and enable the rule, and then distribute the configuration.

To filter Windows successful login Application events

1 On the System view, on the Product Configurations tab, navigate to the product to configure.

2 On the Filters tab, create a new specification.

3 In the new filtering specification, double-click the Name field, and in the Event fields list that appears, expand the list. From the list of categories, choose Windows and Novell Event > Option 8. For this type of event, Option 8 contains the event ID, prefixed with the log name (for example, Application:17055). Note that the option fields vary with each event for Windows event log entries. For more information on the Windows Event Log option fields, see the documentation that Microsoft provides.


4 Set the Operator to equal to. In the Value field, type Application:17055 exactly as it appears in the Event Details entry for the Option 8 field.

5 Save and enable the rule, and then distribute the configuration.
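The guidance at the start of these examples is to base collector filters on a specific field such as the event ID rather than a broad one such as severity. The Python below, added for this page and not Information Manager code, shows the check that guidance implies: run a candidate filter over a sample of recent events before you distribute it and list every distinct event type it would discard. The Option 8 values Security:540 and Application:17055 are the ones used in the procedures above; the severity labels and the additional sample events (an audit-policy-change record and a logon failure) are constructed for the illustration.

```python
"""Added example: dry-run a collector filter specification against sample
events to see exactly which event types it would discard. Not Information
Manager code. The Option 8 values Security:540 and Application:17055 come
from this page; severity labels and the other sample events are constructed."""
from collections import Counter

# Constructed Windows event log sample as the collector might normalize it:
# Option 8 carries "<log>:<event ID>".
WINDOWS_SAMPLE = [
    {"Option 8": "Security:540",      "Severity": "Informational"},  # successful network logon
    {"Option 8": "Security:540",      "Severity": "Informational"},
    {"Option 8": "Application:17055", "Severity": "Informational"},  # successful login, Application log
    {"Option 8": "Security:612",      "Severity": "Informational"},  # audit policy changed (constructed)
    {"Option 8": "Security:529",      "Severity": "Warning"},        # logon failure (constructed)
]


def matches(event, field_name, value):
    """The 'equal to' operator of a filter entry."""
    return event.get(field_name) == value


def dry_run(events, field_name, value):
    """Return a Counter of the Option 8 values the filter would discard."""
    return Counter(ev["Option 8"] for ev in events if matches(ev, field_name, value))


def unexpected_losses(events, field_name, value, intended_ids):
    """Event types the filter discards beyond the ones the analyst meant to
    drop. A non-empty result means the filter is broader than its intent."""
    return set(dry_run(events, field_name, value)) - set(intended_ids)


def compare_specs(events=WINDOWS_SAMPLE):
    """Specific filter (event ID) versus broad filter (severity) for the
    same intent: dropping only Successful Network Logon events."""
    intended = {"Security:540"}
    return {
        "specific": unexpected_losses(events, "Option 8", "Security:540", intended),
        "broad": unexpected_losses(events, "Severity", "Informational", intended),
    }


if __name__ == "__main__":
    print("severity filter would discard:",
          dict(dry_run(WINDOWS_SAMPLE, "Severity", "Informational")))
    print(compare_specs())
```

The severity-based filter silently takes the audit-policy-change and Application login records with it, which is exactly the gap the event-ID filter avoids. Feed the function an export of a day's real events rather than this constructed sample, and treat a non-empty unexpected_losses result as a reason to narrow the specification before you distribute it.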


Chapter 18

Working with the Assets table

This chapter includes the following topics:

■ About the Assets table

■ About vulnerability information in the Assets table

■ Using the Assets table to help reduce false positives

About the Assets table

The Assets table provides a centralized list of network assets that Information Manager uses for event correlation and rules processing. You can identify the Confidentiality, Integrity, and Availability (CIA) values for each asset. You can also identify the applicable policies, the ports that are potentially vulnerable, and the specific vulnerabilities of each asset. In addition, you can associate the host name of an asset with its IP address, as well as the operating system, operating system version, and distinguished name of each system.

Assets can be added to the Assets table using the following techniques:

■ Manually entering each asset in the Assets list

■ Importing a list of assets that is stored in a comma-separated value (.CSV) file or an Extensible Markup Language (.XML) file.

■ In the Incidents view, clicking the Create Asset icon on the Target tab of the Incident Details view, which adds the targeted IP address to the asset list.

■ Automatically populating the table using a supported vulnerability scanner. This method also populates the Services and Vulnerabilities tabs for each asset.


Note: Information Manager requires that the IPv4 address of each computer be unique. If you use network address translation (NAT) and you have two or more computers on separate subnets that use the same IP address, automatically populating the asset table overwrites the asset entry with the most recently scanned computer's information. To use the same IP address for two or more computers behind a NAT table, use a separate instance of Information Manager for each subnet.

When used with a supported vulnerability scanner, the Assets table provides an automated means of identifying vulnerabilities on the listed assets. With this information available in the Information Manager console, an analyst can quickly gain an accurate understanding of the vulnerabilities of a target during an attack.

By adding assets to the Assets table, you can use a variety of fields on the Rules view to correlate events with the specific characteristics of the target or source asset that is identified in the event. For example, the Destination Host Availability, Destination Host Confidentiality, and Destination Host Integrity fields access the Confidentiality, Integrity, and Availability settings that you select for each asset in the Assets table. This information can help to reduce the amount of data that security analysts must evaluate. If you do not add the assets that you want to track, with the corresponding details for each asset, these fields cannot be leveraged.

See “About the Assets table” on page 281.

See “About CIA values in the Assets table” on page 283.

See “Searching, filtering, and sorting assets” on page 284.

About how event correlation uses Assets table entries

The Assets table lets analysts identify network assets that range from critical business assets to systems that are less important from a business or operations perspective. The security analyst or network administrator quantifies the importance of each listed asset with Confidentiality, Integrity, and Availability (CIA) values. Information Manager can use these values to escalate the security incidents that are related to a particular asset.

You can also use the Assets table to identify the policies that are associated with each asset. You can use the Rules view to create rules that access the list of policies that you have assigned. You can configure a rule to discard events that do not apply to the policies that are associated with the target. Alternatively, you can configure the rule to escalate the event to an incident if the threat applies.


You can use the information on the Services and Vulnerabilities tabs to help further identify potential threats to the assets that you have listed. The Services tab includes a list of the ports available on each asset. You can either choose these ports manually or use a vulnerability scanner to identify available ports automatically. The Vulnerabilities tab can only be populated by a vulnerability scanner. Its information is used primarily during the analysis phase to provide an immediate summary of the known vulnerabilities on a particular asset, and during correlation to increase or decrease the priority of an incident. If any vulnerability is discovered during a vulnerability scan of a particular asset, the asset is automatically flagged as vulnerable.

You can access the information that is entered for each asset through the Normalized fields accessible from the Rules view. By using these fields, you can filter false positives or refine the incidents that are generated based on the asset information you provide.

See “About the Assets table” on page 281.

About CIA values in the Assets table

The assignment of Confidentiality, Integrity, and Availability values should be an integral part of a network security audit. CIA values are unique to each network environment and are typically determined as part of a risk assessment. The CIA values can be used as components of the event processing rules that you create in the Rules view. The correlation engine also uses the CIA values to adjust the priority of an incident when appropriate.

The CIA values that are available in the Assets table range from 1 (non-critical) to 5 (critical) for each CIA category. The values determine the importance of the computer or device relative to the other assets listed.

For example, a financial services company might rate a publicly facing server that manages account information as follows:

■ Confidentiality value of 5 (critical that the data stays secure and confidential)

■ Integrity value of 5 (critical that the data is not altered in a way that is not intended)

■ Availability value of 5 (critical that the publicly facing server is online all the time, and likely needs redundancy to prevent failure)

In this example, the CIA values would be assigned because of the server's business importance. By contrast, the administrator or analyst might list an internal, non-public FTP server that only hosts lightweight applications for internal download as a 1 or 2 for each CIA value. This rating reflects the administrator or analyst's view that the internal server is less important from a business perspective.

After you enter the CIA values for the assets that you track in the Assets table, you can export a backup copy of these assets. To export a copy, click the Export icon in the Assets table and export the list in CSV or XML format as required.

See “About the Assets table” on page 281.

Importing assets into the Assets table

You can use a comma-separated value (CSV) file or an XML file to import asset information into the Assets table.

Note: If you import assets using a CSV file, policy and services information is not included in the import. To retain this information for the assets that are already listed in the console, export the assets to an XML file and use the XML file to re-import them. The XML files that Information Manager generates include any existing policy and services data that is available for each asset; the CSV files do not.

See “About the Assets table” on page 281.

To import assets into the Assets table

1 Create a CSV file containing comma-separated values in the appropriate format. To see the correct format, create an asset in the Assets table, and then export the asset list as a CSV file. Use the exported list as a template for adding assets to the file.

If you use the Active Directory Users and Computers snap-in that Microsoft provides, export the list of computers that Active Directory tracks and save it as a CSV file. Arrange the exported columns to match the template before you import.

2 In the Information Manager console, on the Assets view, click Import.

3 In the Import Assets dialog box, navigate to the folder in which you saved the assets file, select the file, and click Open.

If you import a set of assets that includes non-UTF-8 character data, you must select the appropriate set from the Character Set drop-down list.

4 Follow the on-screen instructions.

Searching, filtering, and sorting assets

You can search for assets and filter the results using the tools provided. You can also sort the results using the columns provided.


Note: Searches for assets may take several minutes depending on the number of results returned and the filter settings you choose. The results tile is limited to the first 5000 assets that the asset search retrieves. When possible, refine the filter to reduce the number of results returned.

See “About the Assets table” on page 281.

To create a filter for an asset search

1 In the Information Manager console, on the Assets view, click Filter.

2 In the Asset Filters window, click Add.

3 In the New Filter window, under Filter Criteria, click Add (+).

4 Using the row that appears, choose your criteria using the cells available.

5 When you are finished selecting the filter criteria, click OK.

6 In the Input dialog box, provide a name for the filter, and click OK.

7 Click OK to close any remaining filter windows. The new filter is added to the Filter: drop-down list.

You can filter the results of a search using the filters you have created, either before or after you perform the search.

To filter the results of an Asset search

1 In the Information Manager console, on the Assets view, from the Filter drop-down list, choose the filter that you want to use.

2 In the Search Asset text box, type the element you want to search for.

3 Click the Search button, or press Enter.

To sort the order of the assets display area

1 In the Information Manager console, click Assets.

2 In the Assets list, click the column on which you want to sort.

Searching for an asset by substring value

To find a specific asset or set of assets within the group you are viewing, you can use the Search Asset text box. The Search Asset feature searches the assets in the group for the occurrence of a specified substring in any of the string-based asset fields. Non-string values, such as dates or system-defined integer values, are not included in the search. The search is not case-sensitive. To search the entire set of assets, change the Group By selection to None and then click All, which displays all of the available assets.

The fields searched include the following:


■ Host name

■ DN

■ OS Version

■ Location

■ Organizational Unit

■ Description

■ External ID

■ Owner

■ OS Name

To search for an asset by substring value

1 In the Information Manager console, on the Assets view, in the Search Asset text box, type the substring.

2 Click Search Asset.
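The Search Asset behaviour described above, as an added illustration that is not SSIM code: a case-insensitive substring match over the string-based fields the guide lists, optionally limited to one Group By value. The asset rows, field keys and Group By emulation are constructed for this example.

```python
"""Added illustration (not SSIM code) of the Search Asset substring search:
case-insensitive, string-based fields only, optionally within one group.
Asset rows and field keys are constructed samples."""

# The string-based fields the guide lists as searched. Date and integer
# fields (asset_id, last_seen below) are deliberately not in this tuple.
SEARCHED_FIELDS = ("host_name", "dn", "os_version", "location", "organizational_unit",
                   "description", "external_id", "owner", "os_name")

SAMPLE_ASSETS = [  # constructed rows; asset_id is a system-defined integer
    {"host_name": "dns1", "dn": "cn=dns1,ou=Servers,dc=example,dc=com", "os_name": "Linux",
     "os_version": "2.6", "location": "Paris", "organizational_unit": "IT",
     "description": "Primary resolver", "external_id": "A-2045", "owner": "netops",
     "asset_id": 2045, "last_seen": "2011-03-01"},
    {"host_name": "ws-2045", "dn": "cn=ws-2045,ou=Desktops,dc=example,dc=com",
     "os_name": "Windows", "os_version": "XP SP3", "location": "Lyon",
     "organizational_unit": "Sales", "description": "", "external_id": "", "owner": "jdoe",
     "asset_id": 7, "last_seen": "2011-03-02"},
    {"host_name": "fw1", "dn": "cn=fw1,ou=Network,dc=example,dc=com", "os_name": "Linux",
     "os_version": "2.4", "location": "Paris", "organizational_unit": "IT",
     "description": "Edge firewall", "external_id": "A-0007", "owner": "netops",
     "asset_id": 2045, "last_seen": "2011-03-01"},
]


def search_assets(substring, assets=SAMPLE_ASSETS, group_by=None, group=None):
    """Return host names whose searched string fields contain substring (case-insensitive).

    group_by/group emulate the console's Group By selection; group_by=None behaves
    like Group By: None followed by All, that is, every asset is searched.
    """
    needle = substring.lower()
    hits = []
    for asset in assets:
        if group_by is not None and asset.get(group_by) != group:
            continue  # asset is outside the group currently displayed
        # isinstance guards against None or non-string values in a searched field.
        if any(isinstance(asset.get(f), str) and needle in asset[f].lower()
               for f in SEARCHED_FIELDS):
            hits.append(asset["host_name"])
    return hits


if __name__ == "__main__":
    print(search_assets("2045"))   # matches external_id and host_name, not the integer asset_id
    print(search_assets("NETOPS"))  # case-insensitive
```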

Visual identification of the IP addresses also on the IP Watchlist

When an IP address is displayed in a table and it is also found in a watchlist, the IP address appears in bold red. You can right-click an IP address to view a dialog box that contains all of the known information about this IP address.

See “About the Assets table” on page 281.

About vulnerability information in the Assets table

In the Assets table, each asset includes a Vulnerabilities tab that contains the vulnerability information that a vulnerability scanner identified.

The information on the Vulnerabilities tab for each asset lists the CVE ID (Common Vulnerabilities and Exposures ID). It also lists the BugTraq ID, the date that the vulnerability was discovered, and the source that identified the vulnerability. In addition, the CVE ID may describe the vulnerability type. A security analyst can use the list of specific vulnerabilities to gain a better understanding of the characteristics of a particular computer. The vulnerabilities are not accessible by rules entries. If an incident is created, the vulnerabilities list is used during event correlation to adjust the priority of the incident. For example, if an incident involves a vulnerability that is not on the list of the vulnerabilities for the specific target, the priority of the incident is reduced.

See “About the Assets table” on page 281.


About using a vulnerability scanner to populate the Assets table

Information Manager integrates with supported vulnerability scanner data by automatically importing vulnerability information into the Assets table when a scan is performed. Every asset that is listed in the Assets table includes the fields that describe the services that are running and the vulnerabilities that are associated with that asset. When a scan is performed, the Services and the Vulnerabilities tabs are populated with the data that is specific to each asset.

To automatically populate the Assets table with scan information, you must have the collector installed that corresponds to the supported scan. When you use the ESM collector, DNS resolution must be implemented to allow the collector to map IP addresses to host names.

See “About vulnerability information in the Assets table” on page 286.

Managing which vulnerability scanners update the Assets table

Some environments include multiple vulnerability scanners that monitor the environment. You may not want all of the vulnerability information that is gathered from separate scanners to be used to automatically populate the Assets table. You can use the Asset Detector monitor on the Rules view to choose which scanners are used for auto-populating the Assets table.

Note: When you view a product that is capable of auto-populating the Asset table but has not been configured to do so, the product ID is displayed rather than the product name. To ensure that the product does not auto-populate the Asset table, move the product ID for that product to the left pane.

To manage which vulnerability scanners update the Assets table

1 In the Information Manager console, click Rules.

2 In the left pane, expand Monitors > System Monitors.

3 Click Asset Detector.

4 On the Properties tab, click the ellipses (...) to open the Property Editor.

5 In the Property Editor, use the options that are available to add or remove the appropriate products.

6 Click OK.

7 When you are finished, click Deploy to Server.

To ensure that the configuration is current, you can uncheck the monitor. Then click Deploy to Server and recheck the monitor. Click Deploy to Server again.


See “About using a vulnerability scanner to populate Assets table” on page 287.

About locked and unlocked assets in the Assets table

When you list an asset in the Assets table, you have the option of locking the asset information or leaving it in the default (unlocked) state. When a supported vulnerability scan is performed, the Assets table overwrites any unlocked assets (including the settings that you have manually changed) that were identified in a previous scan.

Table 18-1 describes the Locked and the Unlocked states.

Table 18-1 Locked and Unlocked assets in the Assets table

Setting    Description

Locked     Prevents the asset from being overwritten when a new vulnerability scan is performed. The Services and Vulnerabilities tabs are updated.

Unlocked   Allows the asset to be overwritten with current asset information when a supported vulnerability scan is performed.

See “About vulnerability information in the Assets table” on page 286.

Using the Assets table to help reduce false positives

You can use the Assets table to reduce false positives by affecting the priority of incidents that are generated.

See “About the Assets table” on page 281.

To use the Assets table to reduce false positives:

1 Populate the Assets table with the assets that you want to track. Include the systems that may generate large amounts of the traffic that can be filtered or aggregated, such as firewalls or intrusion detection devices. Include the IP address, Host name, Distinguished name, and operating system details.

2 For each asset, assign the CIA values that have been determined as part of a network security audit or external risk assessment. Higher CIA values generate incidents with higher priority.

3 Use a supported vulnerability scanner to scan the assets listed. The Services and Vulnerabilities tabs are automatically populated with the ports and services available and the potential vulnerabilities for each asset. If you do not use a supported vulnerability scanner, select the Services that you want to identify for filtering and correlation purposes for each asset.


4 For each asset, on the Policies tab, choose any policies that apply to the asset. For example, if the asset is a firewall, add the Firewall policy to the list of policies that apply to that asset.

5 On the Rules view, create any new filters (or correlation rules) based on the settings in the Assets table for each asset. You can combine the fields that access the Assets table with other conditions, such as EMR values. For example, you can create a rule that checks to see if the asset has a Vulnerable value of True and the Mechanism equals Buffer Overflow, and then creates an incident.

6 Save and distribute the new rules or filters.

About filtering events based on the operating system

An example of using the Assets table information to reduce false positives is to use the Destination Operating System field available in the Rules view with a specific event ID. The Destination Operating System field accesses the information that is entered in the OS Name field in the Asset Details window. The events that are specific to a UNIX or Linux operating system often do not apply to a computer that uses Windows. This situation can be a source of false positives. For example, a BIND Transaction Signature Overflow event primarily applies to UNIX or Linux systems. If the Vendor Event Code field uses a BugTraq ID, you could create a filter that uses the following logic: If the Vendor Event Code field contains 2302 (the BugTraq ID for this event), and the Destination Operating System field contains Windows, then filter the event.

See “Using the Assets table to help reduce false positives” on page 288.

About using CIA values to identify critical events

After you populate the Assets table with the assets you want to track, you assign CIA values for each asset. You can use the CIA values associated with an asset to build the rules that create incidents based on those values.

For example, to create a rule that escalates ESM events on the assets that have a CIA value of 3 or greater for any CIA category, create a rule that uses the following logic: If the Product equals ESM, and the Destination Host Confidentiality field, the Destination Host Availability field, or the Destination Host Integrity field has a value that is greater than or equal to 3, then create an incident.

See “Using the Assets table to help reduce false positives” on page 288.


About using Severity to identify events related to critical assets

You can use the Severity setting for a rule with the information that you provided in the Assets table. You can use this information to help identify the critical events that are related to specific assets. By adjusting the severity of an incident, a security analyst can focus on the highest priority events from a security perspective. Using CIA values with the Severity setting of a rule lets you correlate more important systems on your network with a higher visibility for the analyst. They are likely to analyze higher severity incidents first. Identifying systems with lower CIA values and correlating that information with a lower severity level helps to reduce the number of incidents that an analyst must review.

For example, you use the Vulnerable field to identify whether a vulnerability exists on the Destination asset. You want to escalate an incident that uses a Virus Mechanism. Use the following logic: If Vulnerable equals Yes, and the Mechanism field contains Virus, then create an Incident. You can also increase the importance of this event for the analyst. On the Actions tab for this rule, set the Severity to a high number, such as 5. You can further refine this rule by adding the conditions that use the Destination Host Availability, Destination Host Confidentiality, and Destination Host Integrity fields.

See “Using the Assets table to help reduce false positives” on page 288.

About using the Services tab

For each asset that is listed in the Assets table, the Services tab lists the ports that are available for that asset. These ports may also be potentially vulnerable. The Services tab can be manually populated by choosing the ports from the provided list that you are interested in. A vulnerability scanner can also populate it. Running a supported scan on an asset that is listed in the Assets table automatically populates the Services view with the available ports. It overwrites any services you added manually.

A number of fields in the Rules view use the Services tab to identify potential incidents. You can use the information in the Services tab to reduce false positives. You create the rules and the filters that access the list of ports that have been identified for each asset. You filter or aggregate based on this information. For example, the Attempted DNS Exploit rule uses the Destination Host Services field. This field references the services information in the Assets table. The rule uses this field to determine whether a buffer overflow event is associated with a target computer that acts as a Domain Name Server (port 53). If the asset that is targeted has port 53 listed on the Services tab, this condition for the rule is met. If the other conditions that are listed in this rule also match this event, a security incident is created.


You can customize the services that are available to choose from by editing a list. The list is in System > Services. The Services tab of the System view determines the list of services that you can choose from when describing an asset in the Assets table.

See “Using the Assets table to help reduce false positives” on page 288.

About associating policies with assets to reduce false positives or escalate events to incidents

You can populate the Assets table with the assets on your network, and associate policies with each asset. Associating policies with assets helps describe each system with more granularity. In the Assets view, on the Policies tab, you can choose from a predetermined set of policies. The policies describe the use of the asset from a policy perspective. Several fields in the Rules view use policy association to further identify the type of asset that is associated with an event. For example, the External Port Sweep rule uses the Source Host Policies field. It uses this field to determine whether the source host for the event is associated with the Firewall or Proxy policy. If the Source Host Policies field contains either value, the event does not match the correlation criteria for that rule.

Assign policies to assets to use the power of the Correlation Engine to reduce the number of events that the security analyst reviews. If you have a large number of assets that are used for a similar purpose such as a firewall or a vulnerability scanner, you can create a rule for them. The rule identifies events based on the policies that are associated with the assets involved with the event. You may have assets on your network that are required to be in compliance with a specific regulatory policy, such as the Visa Cardholder Information Security Program (Visa CISP). If you have identified the servers or the devices that are used to meet the compliance requirements for Visa CISP, you can add this policy to the description of the asset in the table. If an attack relates to the potential compromise of the data related to this policy (such as unauthorized logon attempts detected by an Intrusion Detection System), you can develop a set of rules that immediately escalate these events as security incidents.

The set of policies that are available may be periodically updated by a mechanism such as Symantec DeepSight Threat Management System or LiveUpdate. When the policies are updated, the policies that you have assigned to each asset are not affected. In addition, you can create the custom policies that are added in the System view under the Policies tab. When you add a policy to the list in the System view, the policy can then be assigned to an asset in the Asset Details window under the Policies tab.
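The rule and filter examples from the preceding topics (the BugTraq 2302 OS-mismatch filter, the ESM/CIA escalation rule, the Vulnerable + Virus rule, the port-53 condition of Attempted DNS Exploit, the Firewall/Proxy exclusion in External Port Sweep, and the priority reduction for a vulnerability not on the target's list) worked through in one place, as an added illustration that is neither SSIM's correlation engine nor its API. The Assets table rows, the events, the rule severities, and the "Port Sweep" mechanism standing in for the sweep rule's other conditions are all constructed assumptions.

```python
"""Added illustration, not SSIM's own engine or API, of how Assets table
fields drive the rule and filter examples in this guide: the BugTraq 2302
OS-mismatch filter, the ESM/CIA escalation rule, the Vulnerable + Virus rule,
the port-53 Attempted DNS Exploit condition, the Firewall/Proxy exclusion in
External Port Sweep, and the priority reduction for an incident whose
vulnerability is not on the target's list. Assets and events are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    """One Assets table row, reduced to the fields the rules below read."""
    ip: str
    os_name: str
    cia: tuple                                # (Confidentiality, Integrity, Availability), 1-5
    services: frozenset = frozenset()         # ports on the Services tab
    vulnerabilities: frozenset = frozenset()  # BugTraq IDs on the Vulnerabilities tab
    policies: frozenset = frozenset()         # policies on the Policies tab

ASSETS = {  # constructed Assets table, keyed by IP address
    "10.0.0.53": Asset("10.0.0.53", "Linux", (3, 4, 5), frozenset({53}),
                       frozenset({2302}), frozenset({"DNS Server"})),
    "10.0.0.9": Asset("10.0.0.9", "Windows", (1, 1, 2), frozenset({445})),
    "10.0.0.1": Asset("10.0.0.1", "Linux", (2, 2, 4), frozenset({22}),
                      policies=frozenset({"Firewall"})),
}

def dest_of(event, assets):
    return assets.get(event.get("dest_ip"))

def os_mismatch_filter(event, assets=ASSETS):
    """Filter: Vendor Event Code contains 2302 and Destination Operating System contains Windows."""
    dest = dest_of(event, assets)
    return ("2302" in str(event.get("vendor_event_code", ""))
            and dest is not None and "Windows" in dest.os_name)

def is_vulnerable(event, dest):
    """The Vulnerable field: the event's BugTraq ID is on the target's Vulnerabilities tab."""
    return dest is not None and event.get("bugtraq_id") in dest.vulnerabilities

def cia_escalation(event, assets=ASSETS):
    """Product equals ESM and any Destination Host CIA value is 3 or greater."""
    dest = dest_of(event, assets)
    return event.get("product") == "ESM" and dest is not None and max(dest.cia) >= 3

def vulnerable_virus(event, assets=ASSETS):
    """Vulnerable equals Yes and Mechanism contains Virus."""
    return is_vulnerable(event, dest_of(event, assets)) and "Virus" in event.get("mechanism", "")

def attempted_dns_exploit(event, assets=ASSETS):
    """Buffer overflow against a target whose Services tab lists port 53."""
    dest = dest_of(event, assets)
    return "Buffer Overflow" in event.get("mechanism", "") and dest is not None and 53 in dest.services

def external_port_sweep(event, assets=ASSETS):
    """A source host carrying the Firewall or Proxy policy never matches; using a
    'Port Sweep' mechanism as the rule's remaining condition is an assumption."""
    src = assets.get(event.get("source_ip"))
    if src is not None and src.policies & {"Firewall", "Proxy"}:
        return False
    return event.get("mechanism") == "Port Sweep"

RULES = [  # (rule name, condition, Severity from the rule's Actions tab); severities are assumed
    ("ESM event on critical asset", cia_escalation, 3),
    ("Virus against vulnerable target", vulnerable_virus, 5),
    ("Attempted DNS Exploit", attempted_dns_exploit, 4),
    ("External Port Sweep", external_port_sweep, 2),
]

def correlate(event, assets=ASSETS):
    """Return None when the event is filtered or matches no rule, else (rule name, priority)."""
    if os_mismatch_filter(event, assets):
        return None
    for name, condition, severity in RULES:
        if condition(event, assets):
            # Guide: an incident involving a vulnerability that is not on the target's
            # list has its priority reduced (by one level here, an assumption).
            if event.get("bugtraq_id") is not None and not is_vulnerable(event, dest_of(event, assets)):
                severity = max(1, severity - 1)
            return name, severity
    return None

SAMPLE_EVENTS = {  # constructed; vendor_event_code carries the BugTraq ID as in the guide's OS example
    "tsig_vs_windows": {"dest_ip": "10.0.0.9", "vendor_event_code": "2302", "bugtraq_id": 2302,
                        "mechanism": "Buffer Overflow"},
    "tsig_vs_dns": {"dest_ip": "10.0.0.53", "vendor_event_code": "2302", "bugtraq_id": 2302,
                    "mechanism": "Buffer Overflow"},
    "overflow_unlisted": {"dest_ip": "10.0.0.53", "bugtraq_id": 9999, "mechanism": "Buffer Overflow"},
    "esm_on_dns": {"dest_ip": "10.0.0.53", "product": "ESM"},
    "esm_on_workstation": {"dest_ip": "10.0.0.9", "product": "ESM"},
    "sweep_from_firewall": {"source_ip": "10.0.0.1", "dest_ip": "10.0.0.9", "mechanism": "Port Sweep"},
    "sweep_from_outside": {"source_ip": "192.0.2.10", "dest_ip": "10.0.0.9", "mechanism": "Port Sweep"},
}

if __name__ == "__main__":
    for label, event in SAMPLE_EVENTS.items():
        print(f"{label:20} -> {correlate(event)}")
```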

See “Using the Assets table to help reduce false positives” on page 288.


Section 6: Configuring the Information Manager

■ Chapter 19. Configuring the Console

■ Chapter 20. Configuring general settings in the Web configuration interface

■ Chapter 21. Managing Global Intelligence Network content

■ Chapter 22. Working with Information Manager configurations


Chapter 19: Configuring the Console

This chapter includes the following topics:

■ About configuring Information Manager

■ Identifying critical systems

■ Adding a policy

■ Specifying networks

About configuring Information Manager

For the correlation rules to function properly, it is essential that you specify the information that is used to determine incident severity. Key settings include specifying the systems that host critical or sensitive information and the systems that require high availability. You can also specify the networks that exist in your organization so that you can increase the priority of incidents based on the affected network. For example, the incidents that affect the networks that reside within your firewall can be assigned a higher priority than those that reside outside the firewall.

See “Identifying critical systems” on page 296.

You can specify the policies that are used within your network. Symantec Security Information Manager includes default policies. You can also add custom policies. Once you have defined the available policies, you can associate them with network computers when you add entries to the Assets list.

See “Adding a policy” on page 297.

See “Specifying networks” on page 298.

You should also create your list of response teams so that Information Manager can automatically assign incidents to these teams based on the rules settings. You use the Information Manager console to create the teams. However, the list of members that you can assign to those teams is maintained on the System view.

Another key factor that lets you determine incident severity and the functioning of rules is the information that is stored in the knowledge base. The Global Intelligence Network Integration Manager provides some of this information. You can configure some settings. For example, you can add entries to the IP watchlist.

Note: When you add a new policy or service to the Policies or Services lists, the new entries appear in the Event Criteria on the Rules view after you restart the console for the Information Manager.

Identifying critical systems

For the correlation rules to function properly, you must specify the information that is used to determine incident severity. Key settings include specifying the systems that host critical or sensitive information and the systems that require high availability.

See “About configuring Information Manager” on page 295.

Complete the following steps to identify critical systems in your organization.

To identify critical systems

1 In the console of the Information Manager client, click Assets.

2 On the toolbar, click + (the plus icon).

3 In the Asset Editor dialog box, in the IP Address box, type the IP address of the system.

4 Fill in the following optional information, if you want:

■ In the Host Name box, type the host name of the system.

■ In the MAC Address box, type the MAC address of the system.

■ In the DN box, type the Distinguished Name of the system.

■ In the Description box, type a description of the system.


5 (Optional) In the Asset Priority area, select values for Confidentiality, Integrity, and Availability as follows:

Confidentiality   Value range 1–5, where level 5 means that the computer hosts content that must be maintained with the highest level of confidentiality.

Integrity         Value range 1–5, where level 5 means that the computer hosts content that must be maintained with the highest level of integrity.

Availability      Value range 1–5, where level 5 means that the computer hosts applications and the content that must always be available for your business.

6 (Optional) In the Additional Information area, provide the following information:

■ The name of the organization that uses this system

■ The physical location of the system

■ The name of the operating system that is running on the system

■ The version of the OS that is running on the system

■ The owner of the system

■ External ID information if used

7 Select Lock for Auto Update if you do not want the Assets list entry for this host to be overwritten when new information is imported from a vulnerability scanner.

8 Click the Save Asset icon.

Adding a policy

You can add a policy against which you want to check compliance.

See “About configuring Information Manager” on page 295.

You can add a policy from the Assets view. The policy is added for the specific asset that you select from the Assets view.

To add a policy from the Assets view

1 In the console of the Information Manager client, click Assets.

2 Select an asset to which you want to add the policy.


3 Double-click the asset or go to the details pane in the Assets view.

4 In the Asset Details dialog box, under the Policies tab, click the (+) plus icon.

5 Select a policy and click OK.

You can add an entirely new policy from the System view.

To add a new policy from the System view

1 In the Information Manager console, click System.

2 On the Administration tab, click Policies.

3 On the toolbar, click + (the plus icon).

4 Type a name and description in the spaces that are provided.

5 Click OK.

Specifying networks

You can specify the networks that exist in your organization to be associated with the Information Manager server.

See “About configuring Information Manager” on page 295.

To specify a network

1 In the Information Manager console, click System.

2 On the Administration tab, click Networks.

3 On the toolbar, click + (the plus icon).

4 In the Create New Network dialog box, type a name for the network in the Name box.

5 In the Netmask box, type the subnet IP address and subnet mask for the network.

6 (Optional) In the Physical Location box, type the location of the network.

7 (Optional) From the Time Zone list, select a time zone to specify the time zone in which this network is situated. You can also type the time zone details in the GMT +/- HH:MM format. When the time zone is specified, the time information from where an event has originated can be tracked.

8 (Optional) In the Logical Location box, type the logical location or select the logical location of the network.

9 (Optional) In the Description box, type a description of the network.


10 Check Auto-Updateable if you want the new entry to be overwritten when the new network information is imported from a vulnerability scanner.

11 Click OK.


Chapter 20: Configuring general settings in the Web configuration interface

This chapter includes the following topics:

■ About the Settings view

■ Editing the Hosts file

■ Changing the network settings

■ Changing date and time settings

■ Changing a Network Time Protocol Server

■ About the Password view

■ Changing the password for Linux accounts

■ Changing the password for symcmgmt Linux account

■ About the Global Intelligence Network configuration view

■ About running LiveUpdate

■ Running LiveUpdate from the Information Manager Web configuration interface

■ About integrating Active Directory with the Information Manager server

■ Managing Active Directory configurations

■ Adding the CA root certificate


■ Shutting down the Information Manager server

■ Restarting the Information Manager server

■ About using the multipath feature for storage options

■ About External Storage

■ Creating NAS Configuration

■ Deleting NAS configuration

■ Connecting Information Manager to a SAN

■ Connecting Information Manager to a DAS

■ Configuring Information Manager with DAS/SAN Storage

■ Extending the storage capacity of an existing DAS/SAN configuration

■ Unmounting the DAS/SAN configuration

■ Restoring a DAS/SAN configuration

■ Deleting a DAS/SAN configuration

About the Settings view

The Settings view on the Web configuration interface of the Information Manager lets you configure the various settings for the Information Manager server remotely.

See “About configuring Information Manager” on page 295.

The Settings view contains the following options:

GIN                      Lets you configure the GIN update settings.
                         See “About the Global Intelligence Network configuration view” on page 311.

Database                 Lets you enable or disable Event Summarizers and specify the maintenance options.

Directory Registration   Lets you add an Information Manager server to the LDAP domain of another Information Manager server.
                         See “About registering a security directory” on page 243.

Collector Registration   Lets you register and unregister the collector definitions, which contain configuration settings and the event schemas that the Information Manager server requires. The Information Manager server needs the information to recognize and log events from a security product.

Custom Logs              Lets you map application log data to fields that are defined in the Information Manager server.

Active Directory         Lets you create Active Directory configurations for adding users from an Active Directory to the SSIM configuration.
                         See “About integrating Active Directory with the Information Manager server” on page 313.

Licensing                Lets you manage the Symantec Security Information Manager and Global Intelligence Network licenses.

Certificate              Lets you configure the certificate settings.

External Storage         Lets you configure an external storage device for use with the Information Manager.

Password                 Lets you change passwords for Linux accounts and modify the password policy for the Information Manager.
                         See “Changing the password for Linux accounts” on page 309.
                         See “Changing the password for symcmgmt Linux account” on page 310.
                         See “Customizing the password policy” on page 74.

Network                  Lets you configure the network settings for the Information Manager.
                         See “Changing the network settings” on page 305.

Date Time                Lets you configure the date and the time settings.
                         See “Changing date and time settings” on page 307.

Editing the Hosts file

To make the host names resolvable, add the IP addresses and host names of the Information Manager servers to the hosts file on the Information Manager server.

See “About the Settings view” on page 302.

To add entries to the hosts file of the Information Manager

1 On the Web configuration interface, click Settings > Network > Hosts File.

2 In the details pane of the Edit Hosts File view, append the host IP address and host name in the text area, using the same format as the previous lines in the hosts file.

3 Click Save Hosts File to save the entered information.

If you change the contents of the hosts file or load an earlier version of it and click Save Hosts File, the current hosts file is overwritten.

The original hosts file on the Information Manager server is modified and a sequence number is appended to the name. The new hosts file contains all of the changes that are made through the Web configuration interface. All of the versions of the hosts file appear in a table under the text area.

4 To view and edit any previous hosts file that is displayed in the table, click on the file name.

The contents of the file are displayed in the text area of the Edit Hosts file view.

5 Add the host IP address and name to the next line in the display in the format of the previous lines.

Click Save Hosts File to save the entered information.

The hosts file is located in the /etc directory.
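The hosts-file handling described in the procedure above (an entry in the format of the existing lines, the previous file kept under an appended sequence number, and the new content written in its place), as an added illustration that is not the Web configuration interface's own code. The entry validation, the `hosts.N` archive naming and the sample entries are assumptions; the demo runs in a temporary directory, never against /etc/hosts.

```python
"""Added illustration (not the Web configuration interface's code) of versioned
hosts-file edits: validate '<ip> <name...>' entries, archive the current file
as '<name>.<N>', then write the new content. Sample entries are constructed."""
import ipaddress
import os
import re
import tempfile

LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")


def format_entry(ip, *names):
    """Render one hosts line; raises ValueError for a bad address or host name."""
    addr = ipaddress.ip_address(ip)  # accepts IPv4 and IPv6, rejects anything else
    if not names or not all(HOSTNAME_RE.match(n) for n in names):
        raise ValueError(f"invalid host name(s): {names}")
    return f"{addr} {' '.join(names)}"


def next_sequence(path):
    """One more than the highest '<path>.<N>' already on disk (first archive is .1)."""
    directory, base = os.path.split(path)
    pattern = re.compile(re.escape(base) + r"\.(\d+)$")
    found = [int(m.group(1)) for m in map(pattern.match, os.listdir(directory or ".")) if m]
    return max(found, default=0) + 1


def save_hosts_file(path, content):
    """Archive the current file under a sequence number, then write content in its place."""
    if os.path.exists(path):
        os.replace(path, f"{path}.{next_sequence(path)}")
    with open(path, "w") as fh:
        fh.write(content if content.endswith("\n") else content + "\n")


def append_host(path, ip, *names):
    """Append a validated entry unless an identical line is already present."""
    with open(path) as fh:
        lines = fh.read().splitlines()
    entry = format_entry(ip, *names)
    if entry not in lines:  # no new version for a no-op edit
        save_hosts_file(path, "\n".join(lines + [entry]))
    return entry


def demo():
    """Three edits on a scratch copy; returns (archived versions, final lines)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "hosts")
        with open(path, "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        append_host(path, "10.0.0.20", "ssim2", "ssim2.example.com")  # constructed entry
        append_host(path, "10.0.0.20", "ssim2", "ssim2.example.com")  # duplicate: nothing saved
        append_host(path, "fd00::21", "ssim3")                        # constructed IPv6 entry
        versions = sorted(n for n in os.listdir(d) if n != "hosts")
        with open(path) as fh:
            return versions, fh.read().splitlines()


if __name__ == "__main__":
    print(demo())
```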


Changing the network settings

You can use the Information Manager Web configuration interface to change network settings.

Warning: You cannot change the domain name after you specify a domain name or accept the default name. You must reinstall the Information Manager software if you want to change the domain name.

See “About the Settings view” on page 302.

Changing the host name or IP address of the primary Ethernet connection (eth0) creates a new self-signed certificate for the Information Manager server. If you use a certificate signed by a Certificate Authority (CA), generate a new signed certificate using the CA. Then install the certificate after changing the host name or IP address.

If you change the host name or IP address of an Information Manager server, all remote agents that communicate with it must be configured to use the new settings. This requirement does not apply to the agent that is running on the Information Manager server.

Warning: The Information Manager server restarts if the network settings are changed.

To change the network settings

1 On the Web configuration interface, click Settings > Network > Network Card Settings.

2 In the details pane of the Network Card Settings view, type the host name in the provided box.

3 In the Search Domain box, type the search domain for the Information Manager server. You can enter up to six domain names. Separate the names by using spaces, and use up to a total of 256 characters.

This parameter defines the domains that are searched when a domain is not specified. Therefore, adding domain names that are not local may generate network traffic and slow down the system.


4 (Optional) Enter the names of up to three Domain Name Servers in the boxes that are provided.

Note: You can provide an IPv4 address as well as an IPv6 address for theDomain Name Servers.

5 In the Network interface 0 (eth0) Settings area, do the following:

■ In the box that is provided, type the IP address for the first networkinterface card of the Information Manager server.

■ In the Netmask text box, type the mask that is used for addresses in thenetwork or subnet where the Information Manager is used.

■ In the Gateway text box, type the IP address of the gateway server for theInformation Manager server.

■ In the IPv6 Address text box specify the IPv6 address for the networkinterface card of the Information Manager server.

■ In the IPv6 Prefix type the decimal value that is the contiguous,higher-order bits of the address that form the network part of the address.The prefix can be any integer value between 0 and 64. For example,10FA:6604:8136:6502::/64.

■ In the IPv6Gateway text box, type the IPv6 address of the gateway serverfor the Information Manager server.

■ You can select the Speed mode from the options available in the drop-downlist. If you select an option other than Auto Negotiate, you must specifythe duplex mode also (whether full or half).

6 If you use the second Ethernet connection on the Information Manager server, do the following in the Network interface 1 (eth1) Settings area:

■ In the box that is provided, type the IP address for the second network interface card in the Information Manager server.

■ In the Netmask box, type the mask that is used for addresses in the network or subnet where the Information Manager server is used.

■ In the Gateway box, type the IP address of the gateway server for the Information Manager server.

■ In the IPv6 Address text box, specify the IPv6 address for the network interface card of the Information Manager server.

■ In the IPv6 Prefix box, type the decimal value that is the number of contiguous, higher-order bits of the address that form the network part of the address. The prefix can be any integer value between 0 and 64. For example, 10FA:6604:8136:6502::/64.

■ In the IPv6 Gateway text box, type the IPv6 address of the gateway server for the Information Manager server.

■ You can select the Speed mode from the options available in the drop-down list. If you select an option other than Auto Negotiate, you must also specify the duplex mode (full or half).

7 If you have changed the IP address or the host name of network interface 0, complete the following steps. Otherwise, skip to step 8.

■ In the Management Directory Logon area of the Network Card Settings view, select Force hostname and eth0 IP address update.

■ In the username (DN) text box, type a user name with administrator rights for the current LDAP directory that the Information Manager uses.

■ In the Password box, type the password for that user.

■ In the Domain text box, type the domain of the Information Manager.

The default user name for the security directory is cn=root.

8 Click Change Settings.
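Because clicking Change Settings restarts the server and, for eth0 changes, regenerates the certificate and forces every remote agent to be reconfigured, it pays to check the values first. The following pre-flight validator is an added example, not part of this guide or the product: it enforces the limits stated above (six search domains within 256 characters, up to three IPv4/IPv6 DNS servers, an IPv6 prefix between 0 and 64) and checks that each gateway lies inside the subnet its interface address and mask define; the field names mirror the Network Card Settings view, and all addresses used are constructed documentation values.

```python
import ipaddress

# Limits the Network Card Settings view documents: up to six search domains
# totalling 256 characters, up to three DNS servers (IPv4 or IPv6), and an
# IPv6 prefix length between 0 and 64.
MAX_SEARCH_DOMAINS = 6
MAX_SEARCH_DOMAIN_CHARS = 256
MAX_DNS_SERVERS = 3
MAX_IPV6_PREFIX = 64


def validate_network_settings(hostname, search_domains, dns_servers,
                              ipv4, netmask, gateway,
                              ipv6=None, ipv6_prefix=None, ipv6_gateway=None):
    """Return a list of problems with a proposed eth0 configuration.

    An empty list means every documented limit is respected and each gateway
    is reachable from its interface address. Added helper, not product code;
    the parameters mirror the fields of the Network Card Settings view.
    """
    problems = []

    # The host name ends up in the regenerated self-signed certificate, so
    # reject obviously malformed values before the server restarts with them.
    if not hostname or any(ch in hostname for ch in " /\\@:"):
        problems.append("host name is empty or contains illegal characters")

    # Search domains: at most six names, space separated, 256 characters total.
    if len(search_domains) > MAX_SEARCH_DOMAINS:
        problems.append(f"more than {MAX_SEARCH_DOMAINS} search domains")
    if len(" ".join(search_domains)) > MAX_SEARCH_DOMAIN_CHARS:
        problems.append(f"search domains exceed {MAX_SEARCH_DOMAIN_CHARS} characters")

    # DNS servers: at most three, each a literal IPv4 or IPv6 address.
    if len(dns_servers) > MAX_DNS_SERVERS:
        problems.append(f"more than {MAX_DNS_SERVERS} DNS servers")
    for server in dns_servers:
        try:
            ipaddress.ip_address(server)
        except ValueError:
            problems.append(f"DNS server {server!r} is not an IPv4/IPv6 address")

    # IPv4 address, netmask and gateway: the gateway must lie inside the
    # subnet the address and netmask define, or the server comes back from
    # its restart unreachable.
    try:
        iface = ipaddress.IPv4Interface(f"{ipv4}/{netmask}")
        gw = ipaddress.IPv4Address(gateway)
        if gw not in iface.network:
            problems.append(f"gateway {gateway} is outside {iface.network}")
        elif gw == iface.ip:
            problems.append("gateway equals the interface address")
    except ValueError as exc:
        problems.append(f"invalid IPv4 address, netmask or gateway: {exc}")

    # Optional IPv6 settings: prefix length 0..64, gateway inside that prefix.
    if ipv6 is not None:
        try:
            prefix = int(ipv6_prefix)
        except (TypeError, ValueError):
            prefix = -1
        if not 0 <= prefix <= MAX_IPV6_PREFIX:
            problems.append(f"IPv6 prefix must be between 0 and {MAX_IPV6_PREFIX}")
        else:
            try:
                iface6 = ipaddress.IPv6Interface(f"{ipv6}/{prefix}")
                if ipv6_gateway is not None and \
                        ipaddress.IPv6Address(ipv6_gateway) not in iface6.network:
                    problems.append(
                        f"IPv6 gateway {ipv6_gateway} is outside {iface6.network}")
            except ValueError as exc:
                problems.append(f"invalid IPv6 address or gateway: {exc}")

    return problems


if __name__ == "__main__":
    # Constructed documentation-range values, not a real deployment.
    print(validate_network_settings(
        "ssim01", ["corp.example", "lab.example"],
        ["192.0.2.53", "2001:db8::53"],
        "192.0.2.10", "255.255.255.0", "192.0.2.1",
        "2001:db8:1::10", 64, "2001:db8:1::1"))
```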

Changing date and time settings

You can use the Information Manager Web configuration interface to specify the Information Manager server date and time settings.

See “About the Settings view” on page 302.

To specify date and time settings

1 On the Web configuration interface, click Settings > Date Time > Date/Time.

2 Use the controls that are provided to specify the date, time, and time zone settings.

3 To ensure the proper functioning of the system, a new self-signed certificate is created when you change the system date or time. Specify the details for the self-signed certificate.

4 Specify the LDAP directory user name and password.

5 Click Update.

You can also synchronize the time on your Information Manager to an NTP time server.


Warning: The Information Manager restarts when you add an NTP server.

To synchronize the Information Manager to a new NTP server

1 On the Web configuration interface, click Settings > Date Time > NTP Status.

2 NTP is disabled by default. Clear the NTP Disabled check box.

3 Click Apply.

4 Click Settings > Date Time > NTP Server Settings.

5 In the NTP Server to be Added text box, type the IP address or the host name of the NTP server that you want to add.

6 Click Add.

The Information Manager restarts when you change your NTP server settings. Therefore, you must close your browser session and log on again.

Changing a Network Time Protocol Server

You can configure the Information Manager to get time settings from a Network Time Protocol (NTP) server. By default, NTP synchronization is disabled.

See “About the Settings view” on page 302.

To add an NTP Server

Warning: The Information Manager restarts when you add an NTP server.

1 On the Web configuration interface, click Settings > Date Time > NTP Status.

2 In the details pane of the NTP Status view, clear the NTP Disabled check box.

3 Click Apply.

4 Click OK in the confirmation dialog box.

5 Click NTP Server Settings in the tree pane. In the details pane, specify the IP address or the host name of the NTP server to be added, and then click Apply.

6 In the NTP Status view, select the NTP server in the drop-down list and click Apply.

The Information Manager restarts when you change your NTP server settings. Therefore, you must close your browser session and log on again.


To remove an NTP Server

1 On the Web configuration interface, click Settings > Date Time > NTP Server. In the details pane, select the server to be deleted.

2 Click Delete.

About the Password view

The Password view lets you change the passwords of Linux accounts on this server and set the password policy for the system.

See “About the Settings view” on page 302.

You can access the Password view from Settings > Password.

The Password view contains the following options:

■ Change Password
Lets you change the password of Linux accounts on the server.

■ Password Policy
Lets you set the password policy for the system.

See “Changing the password for Linux accounts” on page 309.

See “Changing the password for symcmgmt Linux account” on page 310.

Changing the password for Linux accounts

You can use the Information Manager Web configuration interface to change the password that is used for the Linux administrative accounts root and simuser. Console administrator accounts and other Information Manager accounts are changed in the Information Manager console.

See “About the Settings view” on page 302.

To change system settings such as account passwords, do not attempt to manually run the scripts that are included on the Information Manager server. You should be able to use the Information Manager Web configuration interface to accomplish most system-level tasks.

To change the password for Linux accounts

1 On the Web configuration interface, click Settings > Password > Change Password.

2 In the details pane of the Change Password view, type the name of a user account on the Information Manager server in the box provided.


3 Type the current password for the account in the box provided.

4 Type the new password and then confirm the new password in the boxes that are provided.

5 Click Change Password.

Note: The password for the symcmgmt Linux account cannot be changed from the Web configuration interface. You can change the symcmgmt password by using the standard Linux commands. Afterwards, the symcmgmt password must be updated from the Information Manager console.

See “Changing the password for symcmgmt Linux account” on page 310.

If you need to perform an operation on an Information Manager server that is not available through the Web configuration interface or the Information Manager client, contact technical support.

Changing the password for symcmgmt Linux account

The symcmgmt account is a Linux account, but its password must also be changed in the Information Manager client. You can change the symcmgmt password by using the standard Linux commands. Afterwards, the symcmgmt password must be updated from the Information Manager console under System > Administration > Data Stores.

To change the symcmgmt account in Linux

1 Log on to the Information Manager server as root, or connect using db2admin credentials and then obtain the root environment.

2 Run the command passwd symcmgmt.

3 Enter the new password when prompted.

4 Confirm the new password.

To update the symcmgmt account password in the Information Manager Client

1 From the Information Manager client, log on to the Directory server using Administrator privileges.

2 Go to System > Administration and navigate to Data Stores.

3 In the right pane, right-click the datastore for the appropriate Information Manager server and then click Properties.


4 Go to the Connection tab and type the new password in the Password text box.

5 Confirm the new password in the Confirm password text box.

See “Changing the password for Linux accounts” on page 309.

About the Global Intelligence Network configuration view

The Information Manager server has access to current vulnerability, attack pattern, and threat resolution information from the DeepSight Threat and Vulnerability Management Service. This service powers the Symantec Global Intelligence Network. The Global Intelligence Network is a comprehensive collection of vendor-neutral security data sources. It is an authoritative source of information about known and emerging vulnerabilities, threats, risks, and global attack activity.

See “About the Settings view” on page 302.

The GIN configuration view on the Web configuration interface lets you check the statistics for the Global Intelligence Network.

You can access the GIN configuration view from Settings > GIN.

The GIN configuration view presents the following options:

Tree pane: The tree pane of the GIN view presents the following option:

■ GIN
Lets you configure the Global Intelligence Network update settings.

Click Close to close the tree pane.

Details pane: The details pane of the GIN view presents the following options that let you configure Global Intelligence Network update settings:

■ Source of security content area
Lets you select the source for the updates.

■ Global Intelligence Network Server Settings area
Lets you specify the server URL, polling interval, and IP address limit details.

■ Global Intelligence Network Integration Manager Server Chaining area
Lets you enter the Global Intelligence Network Integration Manager server host and polling details, if applicable.

■ Proxy Server Settings area
Lets you specify the URL, port, user name, and password of the proxy server for the updates.

Click Save to save the settings.

Click Reset to clear data and restore default values.

See “Receiving Global Intelligence Network content updates” on page 329.

About running LiveUpdate

The Information Manager server lets you obtain updates for software components such as event collectors, relays, security content, rules, and filters through the LiveUpdate feature. You can update the predefined reports folders with the latest versions that are available on the LiveUpdate Web site. You can run the LiveUpdate process from the Web configuration interface of the Information Manager server.

Note: To be able to run LiveUpdate successfully, your license to update LiveUpdate content must be valid.

See “Running LiveUpdate from the Information Manager Web configuration interface” on page 313.


Running LiveUpdate from the Information Manager Web configuration interface

The Information Manager server lets you obtain updates for software components such as event collectors, relays, security content, rules, and filters through the LiveUpdate feature. You can update the predefined reports folders with the latest versions that are available on the LiveUpdate Web site. You can run the LiveUpdate process from the Web configuration interface of the Information Manager server.

See “About running LiveUpdate” on page 312.

To run LiveUpdate from the Information Manager Web configuration interface

1 On the Web configuration interface, click Maintenance > LiveUpdate.

2 In the Update column on the details pane, select the components that you want to update and then click Update. By default, no component is selected.

Note: To be able to run LiveUpdate successfully, your license to update LiveUpdate content must be valid. If the license has expired, install a valid license using the Information Manager Licensing view at Settings > Licensing > SSIM on the Web configuration interface.

About integrating Active Directory with the Information Manager server

The Active Directory Integration feature on the Web configuration interface of Information Manager lets you synchronize the Information Manager server with an Active Directory server. This integration enables Active Directory users to access the Information Manager server. You can create and add more than one Active Directory configuration to the Information Manager server. You can set the synchronization schedule for each configuration as required so that the users are periodically refreshed with each synchronization cycle.

The synchronized Active Directory users can log on to the Information Manager server through the console as well as the Web configuration interface. Members of the External Users role do not have any Information Manager privileges. This role is used only by Active Directory users for pass-through authentication. The Active Directory user must be assigned another Information Manager role to log on to the Information Manager server.

See “Managing Active Directory configurations” on page 314.


Managing Active Directory configurations

The Active Directory Integration feature on the Settings view of the Web configuration interface lets you create and synchronize Information Manager with Active Directory servers. The view also lets you create, add, edit, or synchronize the Active Directory configurations as required.

See “About integrating Active Directory with the Information Manager server” on page 313.

Prerequisites for creating an Active Directory configuration are as follows:

■ If the Active Directory server and Symantec Security Information Manager are not in the same DNS, you must add the FQDN and the IP address of the Active Directory server to the Information Manager hosts file.

■ A certificate authority (CA) must be installed on the domain controller with which Information Manager is to integrate.

■ The CA root certificate must be assigned to the user to be used in the Active Directory integration configuration.

■ Add the CA root certificate of the Active Directory that you want to synchronize on the Information Manager server. See “Adding the CA root certificate” on page 316. For more details on obtaining an Active Directory root certificate, refer to the Microsoft Web site.

To create a new Active Directory configuration

1 On the Web configuration interface, click Settings > Active Directory.

2 On the details pane, click Create Configuration.

3 Fill in the required details of the host name, IP address, user name, and password.

If possible, keep the port number as 636 (the LDAP service runs on port 636 by default).

4 If the Active Directory domain name and the Information Manager domain name are identical, check the Active Directory overrides SSIM box. This setting gives the Active Directory user preference over the Information Manager user when the user logs on to the Information Manager server.


5 Enter the users and groups that you want to synchronize or exclude in the respective boxes.

The default Active Directory group Domain Users cannot be added to the Information Manager because it is a special group that does not have member attributes for the users.

6 Enter the password. The user name appears by default and cannot be modified.

7 Check the Disable Scheduling box if you want to disable the synchronization.

8 Enter the synchronization schedule in minutes, hours, or days as required.

9 Click Save to apply.

Configurations are saved and listed by the domain name. You can edit or delete the configurations that are listed.

The ibmldap service of the Information Manager server restarts when you save the Active Directory configuration.

Note: The External Users Role on Information Manager grants access permission to Active Directory domain users. Therefore, this role must not be removed from Active Directory users. Members of the External Users Role do not have any Information Manager privileges. Therefore, the Active Directory user must be assigned another Information Manager role to log on to the Information Manager server.

To edit an Active Directory configuration

1 On the Web configuration interface, click Settings > Active Directory.

2 On the details pane, click List Configurations.

3 Select the configuration that you want to work with.

4 Click the Edit icon.

5 Change the details in appropriate fields as required.

6 Click Save.

To remove an Active Directory configuration

1 On the Web configuration interface, click Settings > Active Directory.

2 On the details pane, click List Configurations.

3 Select the configuration that you want to remove.


4 Click the Remove icon.

5 Enter the cn=root password in the Remove Active Directory Configurations dialog box, and click OK.

To synchronize an Active Directory configuration

1 On the Web configuration interface, click Settings > Active Directory.

2 On the details pane, click List Configurations.

3 Select the configuration with which you want to synchronize Information Manager.

4 Click the Synchronize Now icon.

5 Click View Synchronization Log to see the results.

Adding the CA root certificate

You must add the CA root certificate from the Active Directory to the Information Manager server. This addition ensures that Information Manager accepts the certificates from that authority.

Information Manager supports the root certificates that are encoded and exported in the following formats:

■ DER encoded binary X.509

■ Base-64 encoded X.509

For more details on obtaining an Active Directory CA root certificate, refer to the Microsoft Web site.

If the Active Directory server and the Information Manager server are not in the same DNS, you must also add the FQDN and the IP address of the Active Directory server to the hosts file.

See “Editing the Hosts file” on page 304.

To add the root CA certificate

1 On the Web configuration interface of the Information Manager server, click Settings > Certificate.

2 In the tree pane, click Add CA Root.

3 In the details pane, in the Certificate File option, click Browse, and then navigate to the root certificate file.


4 In the Key Label text box, type a name for this root certificate.

5 Click Add.

This operation restarts the Information Manager server.

Shutting down the Information Manager server

You can shut down the Information Manager server by using the Shutdown option on the Home view.

Symantec recommends that you use the Shutdown option on the Home view rather than turning off the Information Manager server. The Shutdown option shuts down the services and leaves the onboard database in a stable state before the server shuts down.

To shut down the Information Manager

1 Click Home > Shutdown/Restart.

2 In the details pane of the Shutdown/Restart view, click Shutdown.

3 Click OK to confirm the server shutdown or click Cancel to cancel the shutdown action.

See “Restarting the Information Manager server” on page 317.

Restarting the Information Manager server

You can restart the Information Manager server using the Shutdown/Restart option on the Home view.

Symantec recommends that you use the Restart option on the Home view rather than turning off or restarting the Information Manager server by other means. The Restart option shuts down the services and leaves the onboard database in a stable state.

To restart the Information Manager server

1 Click Home > Shutdown/Restart.

2 In the details pane of the Shutdown/Restart view, click Restart.

3 Click OK in the confirmation message to confirm the server restart or click Cancel to cancel the restart action.

See “Shutting down the Information Manager server” on page 317.


About using the multipath feature for storage options

As a system administrator, you must avoid single points of failure in the system to minimize downtime and service disruptions. To use storage area networks with Information Manager, set up multiple redundant data paths (multipaths) between the Information Manager server and the storage systems. This setup helps you to avoid interruptions in data flow should a hardware failure occur. Configure the multipath I/O feature in Linux to properly access data from the storage systems and fail over to secondary data paths.

See “About the Settings view” on page 302.

The Information Manager supports the device-mapper multipath and EMC PowerPath multipath I/O applications.

For more details on configuring the multipath feature in Linux, visit the Red Hat knowledge base Web site.

Note: The Web configuration interface supports detection of multipath configurations on a new installation of 4.7.4 using the installation DVD. To detect and manage multipath devices through the Web configuration interface in version 4.7.4, you may need to perform additional steps: for example, installing multipath software and modifying the configuration files. This feature was not supported in previous releases. Configurations that are created manually for multipath in previous versions are retained after you upgrade to 4.7.4. However, these configurations cannot be managed using the Web configuration interface.

About External Storage

Network attached storage (NAS), direct attached storage (DAS), and storage that resides on a storage area network (SAN) can be used as external storage by Information Manager to store event archives. To use external storage, you create external storage configurations from the Web configuration interface of the Information Manager. External storage configurations are specific to the server on which they are created. These configurations cannot be shared or accessed from other servers in the setup.

See “Creating NAS Configuration” on page 319.

See “Connecting Information Manager to a DAS” on page 322.

See “Connecting Information Manager to a SAN” on page 320.

See “Configuring Information Manager with DAS/SAN Storage” on page 322.


Creating NAS Configuration

Before configuring NAS, ensure that the NFS server can be reached from the Information Manager server. The NFS directory or volume must be exported from the NFS server. Moreover, the NFS directory or volume must be configured to provide read or write permission to the Information Manager server.

To create a NAS configuration

1 Go to Web Configuration Interface > Settings > External Storage > NAS Configuration. If you have already created NAS configurations, those configurations are displayed.

2 Click Create and specify the following parameters:

■ NAS IP Address
Type the IP address of the NFS server that has the exported directory or volume.

■ NAS Mount Point
Type the absolute path for the directory or volume that is exported by the NFS server.

■ Local Mount Point
Type the folder name, not the absolute path, of the mount point. This folder is created in the /eventarchive directory of the Information Manager server. The remote directory is mounted on this folder.

■ Mount Automatically on Restart
Check this option if you want the remote directory to be mounted after the Information Manager server restarts. (This option should be checked if you intend to create an Event Storage rule that uses the NAS for event archive storage.)

3 Click Apply Configuration.

The mount point that is set when you create a NAS configuration can now be used to store event archives. You must also create an Event Storage Rule and configure the rule to use that mount point as the archive path. You can create an Event Storage Rule from the Information Manager console for the respective Information Manager server.

See “Creating new event archives” on page 211.

When creating the Event Storage Rule, enter the same archive path that is specified for the Local Mount Point folder.

See “About External Storage” on page 318.

See “Deleting NAS configuration” on page 320.


Deleting NAS configuration

Before deleting any logical volume, you must delete the Event Storage Rule that is associated with that logical volume.

To delete an existing configuration

1 Go to Web Configuration Interface > Settings > External Storage > NAS Configuration.

2 On the details pane, click Unmount. The configured NAS archives that can be deleted are listed.

Note: Before deleting a NAS configuration, ensure that the Event Storage Rule that is associated with that NAS configuration is either disabled or deleted.

3 Select the NAS configuration to be deleted.

4 Click Unmount Configuration.

Note: Only one configuration can be deleted at a time.

See “Creating NAS Configuration” on page 319.

Connecting Information Manager to a SAN

The following components are required for attaching a SAN to Information Manager:

■ Storage server network

■ Fibre Channel switch

■ Fibre cables

■ Host bus adapter (HBA)

■ Information Manager server


To configure SAN with Information Manager

1 Attach a host bus adapter (HBA) to the Information Manager server.

Information Manager is tested with QLogic and Emulex HBA cards only.

2 Download the HBA card driver that corresponds to the Information Manager server's current kernel. A restart is necessary to load the drivers once installation is finished. To install a driver for a Linux 32-bit operating system, refer to the driver documentation.

3 Connect your HBA to your SAN.

The HBA card has one or more ports, which must be connected to a Fibre Channel switch by fibre optic cables. For more details, consult your organization's storage administrator.

4 Provide your HBA's unique World Wide Name (WWN) or WWNs (in the case of HBAs with multiple ports) to your storage administrator.

A unique WWN is assigned to each Fibre Channel port. Your storage administrator allocates storage LUNs that can be used by your HBA's WWNs. If you intend to use multipath storage, your storage administrator must also be informed about multipath usage to configure the SAN infrastructure accordingly.

5 If you have a SAN multipath configuration, you need to install the device-mapper-multipath or EMC PowerPath rpm. Information Manager supports only these two multipath software programs. The configuration that is specific to your environment is specified in the configuration file of the multipath software. For example, if you install the device-mapper-multipath rpm, the configuration file is /etc/multipathd.conf. The administrator must change the file to correspond to the environment.

■ If you have DAS or SAN without a multipath configuration, run the following command and verify that disks of the expected sizes are shown in the output:

fdisk -l

■ If the device-mapper-multipath rpm is used, verify that the /dev/mapper folder has device files such as mpath0 or mpath1.

■ If the EMC PowerPath rpm is used, verify that the /dev folder has device files such as emcpowera or emcpowerb.
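The verification in step 5 is easy to get wrong by eye on a server with many LUNs. The following helpers are an added example, not part of this guide or the product: they parse captured fdisk -l output to confirm that disks of the expected sizes are present, and filter a /dev listing for the nodes that device-mapper-multipath (/dev/mapper/mpathN) or EMC PowerPath (/dev/emcpowerX) should have created. The fdisk sample and the device names are constructed; list_dev() is the only function that reads the live system.

```python
import re
from pathlib import Path

# Constructed sample of `fdisk -l` output for a server with two internal
# disks and one SAN LUN; it was not captured from a real system.
SAMPLE_FDISK = """\
Disk /dev/sda: 146.8 GB, 146815733760 bytes
255 heads, 63 sectors/track, 17849 cylinders
   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          13      104391   83  Linux

Disk /dev/sdb: 146.8 GB, 146815733760 bytes
255 heads, 63 sectors/track, 17849 cylinders

Disk /dev/sdc: 2000.4 GB, 2000398934016 bytes
255 heads, 63 sectors/track, 243201 cylinders
"""

# "Disk /dev/sdc: 2000.4 GB, 2000398934016 bytes" -> device path, byte count
DISK_RE = re.compile(r"^Disk (/dev/\S+): [\d.]+ [KMGT]B, (\d+) bytes$")

# Device nodes each supported multipath package creates, as paths relative
# to /dev: /dev/mapper/mpathN for device-mapper-multipath, /dev/emcpowerX
# for EMC PowerPath.
MULTIPATH_NODES = {
    "device-mapper-multipath": re.compile(r"^mapper/mpath\d+$"),
    "emcpowerpath": re.compile(r"^emcpower[a-z]+$"),
}


def disks_from_fdisk(fdisk_output):
    """Map disk path -> size in bytes from captured `fdisk -l` text."""
    disks = {}
    for line in fdisk_output.splitlines():
        match = DISK_RE.match(line.strip())
        if match:
            disks[match.group(1)] = int(match.group(2))
    return disks


def missing_expected_disks(fdisk_output, expected_gb, tolerance=0.05):
    """Return the expected sizes (decimal GB, the unit fdisk prints) for
    which no disk within `tolerance` of that size appears in the output."""
    sizes = list(disks_from_fdisk(fdisk_output).values())
    missing = []
    for gb in expected_gb:
        want = gb * 10 ** 9
        if not any(abs(size - want) <= want * tolerance for size in sizes):
            missing.append(gb)
    return missing


def multipath_nodes(software, device_names):
    """Filter /dev-relative names down to the nodes `software` (one of the
    two packages the guide supports) should have created."""
    if software not in MULTIPATH_NODES:
        raise ValueError("unsupported multipath software: " + software)
    pattern = MULTIPATH_NODES[software]
    return sorted(name for name in device_names if pattern.match(name))


def list_dev(dev_root="/dev"):
    """Collect /dev-relative names from the live system, including the
    /dev/mapper entries, in the form multipath_nodes() expects."""
    root = Path(dev_root)
    names = [p.name for p in root.iterdir()]
    mapper = root / "mapper"
    if mapper.is_dir():
        names += ["mapper/" + p.name for p in mapper.iterdir()]
    return names


def storage_check(fdisk_output, device_names, expected_gb, software=None):
    """Combine both checks from step 5: which expected LUN sizes are absent
    and, when a multipath package is in use, which of its nodes exist."""
    report = {"missing_sizes": missing_expected_disks(fdisk_output, expected_gb)}
    if software:
        report["multipath_nodes"] = multipath_nodes(software, device_names)
    return report


if __name__ == "__main__":
    # Constructed device list standing in for list_dev() on a real server.
    devs = ["sda", "sdb", "sdc", "mapper/VolGroup00-LogVol00",
            "mapper/mpath0", "mapper/mpath1"]
    print(storage_check(SAMPLE_FDISK, devs, [2000], "device-mapper-multipath"))
```

On a real server, pass the output of `fdisk -l` and `list_dev()` to `storage_check()`; an empty `multipath_nodes` list with a multipath package installed means the LUNs are not yet visible through that package.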

See “About External Storage” on page 318.


Connecting Information Manager to a DAS

If you want to use a third-party DAS device with Information Manager, ensure that it meets the following requirements:

■ Configured as RAID-5, so that the array survives a single disk failure (high availability)

■ Uses the drivers for RHEL 4.8

■ Uses SCSI adapters that support PCIe

■ Compatible with the supported hardware for SSIM

Once the physical disks are attached to the Information Manager server, you must configure the virtual disks by entering the RAID controller BIOS. Virtual disks must be initialized before you use them.

For information about setting the RAID configuration, refer to the respective hardware documentation. If the Information Manager server has more than two internal disks attached, all disks other than those two are shown as DAS on the External Storage page of the Web configuration interface, where they can be configured for event archives.

See “About External Storage” on page 318.

Configuring Information Manager with DAS/SAN Storage

Use the following steps to configure Information Manager with DAS/SAN storage.

To configure Information Manager with DAS/SAN storage

1 Go to Web configuration interface > Settings > External Storage > DAS/SAN Configuration. If you have already created DAS/SAN configurations, they are displayed along with the corresponding disk size.

2 From the toolbar on the details pane, click Create. The disks available for creating a new configuration are displayed. If you use DAS or SAN without multipath, these disks are displayed as /dev/sda or /dev/hda. For multipath SAN configurations these disks are displayed as /dev/mapper/mpath0 or /dev/emcpowera, depending on the multipath RPM installed.

3 Select the disks that you want to configure for an archive.

4 Enter the logical volume name for the configuration. A directory with this name is created in the /eventarchive folder, so the name must be unique within that folder.

5 Click Create Configuration.

If the configuration is created successfully, the DAS/SAN status page is displayed. If an error occurs, check the log file to analyze the root cause. The new volume is not used until you create an Event Storage Rule that uses its mount point as the archive path. You create the Event Storage Rule in the Information Manager console for the respective Information Manager server.

See “Creating new event archives” on page 211.

When you create the Event Storage Rule, specify the logical volume's mount point under /eventarchive as the archive path.

See “About External Storage” on page 318.

See “Restoring a DAS/SAN configuration” on page 324.

See “Unmounting the DAS/SAN configuration” on page 324.

See “Deleting a DAS/SAN configuration” on page 325.

Extending the storage capacity of an existing DAS/SAN configuration

An attached DAS/SAN may need more storage capacity in the future. The additional capacity is provided in the form of disks. To extend the storage capacity of the attached DAS/SAN in Information Manager, you add the new disks to an existing DAS/SAN configuration.

To extend the storage capacity of a DAS/SAN configuration

1 Go to Web configuration interface > Settings > External Storage > DAS/SAN Configuration. If you have already created DAS/SAN configurations, they are displayed along with the corresponding disk size.

2 Click Extend.

The available disks that can be used to extend an existing logical volume are displayed.

3 Select any number of disks and select the one logical volume that is to be extended.

4 Click Extend Configuration.

The selected disks are added to the configuration and the size of the logical volume is increased automatically.

See “Configuring Information Manager with DAS/SAN Storage” on page 322.

Unmounting the DAS/SAN configuration

An administrator can move the data in a logical volume from one Information Manager server to another by using the Unmount option. This option exports the selected logical volume so that it can be attached to another Information Manager server without loss of data.

Before unmounting, ensure that the Event Storage Rule that is associated with the logical volume to be unmounted is either disabled or deleted.

To unmount a DAS/SAN configuration

1 Go to Web configuration interface > Settings > External Storage > DAS/SAN Configuration.

2 Click Unmount and then select the logical volume that must be unmounted.

3 Click Unmount Configuration.

Note: The Unmount operation is not supported for multipath configurations.

After the volume is unmounted successfully, detach the DAS/SAN from the Information Manager server. You must then restore the DAS/SAN configuration on the other Information Manager server.

See “Configuring Information Manager with DAS/SAN Storage” on page 322.

Restoring a DAS/SAN configuration

The restoration of the DAS/SAN configuration must be performed on the Information Manager server to which the DAS/SAN is now attached, after the logical volume has been unmounted from the previous Information Manager server. Restoring the DAS/SAN configuration reverts the unmount operation. Perform the restoration carefully: the operation is not safe to retry, and an unsuccessful attempt may leave the logical volume configuration in an unstable state.

Note: If a restoration operation fails, contact Symantec Support immediately before attempting any further operations. Further attempts may lead to additional loss of data.

Before you restore the DAS/SAN configuration, log in to the Information Manager server and execute the following command:

vgdisplay

Note: If this command reports any errors, check and correct the LVM configuration before you proceed with the restore. In particular, every volume group must show all of its physical volumes as present, which is not the case when a LUN was not re-attached or was re-zoned.
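The following Python script is an added example, not part of the product or of this guide: it parses the output of vgdisplay and turns the pre-restore check above into a go/no-go decision, refusing to proceed when vgdisplay exits non-zero, prints an error, or shows a volume group with fewer active physical volumes than it expects. The sample vgdisplay text is constructed in the layout that LVM2 prints; the error markers it looks for are the example's own assumption about what LVM reports for a missing physical volume, and the function names are hypothetical.

```python
"""Added example (not product code): decide from vgdisplay output whether a
DAS/SAN logical volume can safely be restored. Sample output is constructed
in the LVM2 layout; ERROR_MARKERS are assumed LVM diagnostics."""
import re
import subprocess

# "  VG Name               vg_archive": a key, two or more spaces, a value.
FIELD_RE = re.compile(r"^\s*([A-Z][A-Za-z /]+?)\s{2,}(\S.*)$")
# Substrings that LVM prints when a physical volume or group is unavailable.
ERROR_MARKERS = ("Couldn't find device", "not found", "Input/output error")

SAMPLE_OK = """\
  --- Volume group ---
  VG Name               vg_archive
  System ID
  Format                lvm2
  VG Access             read/write
  VG Status             resizable
  Cur LV                1
  Cur PV                2
  Act PV                2
  VG Size               3.64 TB
"""

SAMPLE_DEGRADED = """\
  Couldn't find device with uuid 'pv-uuid-placeholder'.
  --- Volume group ---
  VG Name               vg_archive
  VG Status             resizable
  Cur LV                1
  Cur PV                2
  Act PV                1
"""


def parse_vgdisplay(text):
    """Return (groups, diagnostics): one dict per volume group, keyed by the
    field names vgdisplay prints, plus any lines that match ERROR_MARKERS."""
    groups, diagnostics, current = [], [], None
    for line in text.splitlines():
        stripped = line.strip()
        if any(marker in stripped for marker in ERROR_MARKERS):
            diagnostics.append(stripped)
            continue
        match = FIELD_RE.match(line)
        if not match:
            continue
        key, value = match.groups()
        if key == "VG Name":
            current = {"VG Name": value}
            groups.append(current)
        elif current is not None:
            current[key] = value
    return groups, diagnostics


def lvm_ready(vgdisplay_output, returncode):
    """Return (ok, reasons). Not ok when vgdisplay failed, reported an
    error, showed no volume group, or any group has fewer active physical
    volumes than it expects (Act PV below Cur PV): the signature of a LUN
    that was not re-attached after the move."""
    reasons = []
    if returncode != 0:
        reasons.append("vgdisplay exited with status %d" % returncode)
    groups, diagnostics = parse_vgdisplay(vgdisplay_output)
    reasons.extend(diagnostics)
    if not groups:
        reasons.append("no volume groups visible")
    for vg in groups:
        cur, act = int(vg.get("Cur PV", 0)), int(vg.get("Act PV", 0))
        if act < cur:
            reasons.append("%s: %d of %d physical volumes active"
                           % (vg["VG Name"], act, cur))
    return (not reasons), reasons


def check_live_lvm():
    """Run vgdisplay on this host (not exercised by the offline test)."""
    proc = subprocess.run(["vgdisplay"], capture_output=True, text=True)
    return lvm_ready(proc.stdout + proc.stderr, proc.returncode)


if __name__ == "__main__":
    print(lvm_ready(SAMPLE_OK, 0))
    print(lvm_ready(SAMPLE_DEGRADED, 0))
```

Only when lvm_ready returns ok should the Restore steps below be started; because the restore cannot be retried safely, an incomplete volume group is a reason to stop and involve the storage administrator, not to attempt the restore and see.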

To restore a DAS/SAN configuration

1 Go to Web configuration interface > Settings > External Storage > DAS/SAN Configuration.

Note: The DAS/SAN configuration that was already created is displayed along with the attached disks and their size. However, the logical volume configuration is not displayed, since it is in the unmounted state.

2 Click Restore and enter the name of the logical volume that is in the unmounted state.

3 Click Restore Configuration.

On a successful restore, the DAS/SAN status page is displayed with the newly restored configuration. You can use it as an event archive.

See “Configuring Information Manager with DAS/SAN Storage” on page 322.

Deleting a DAS/SAN configuration

Before deleting any logical volume, you must delete the Event Storage Rule that is associated with that logical volume.

To delete a DAS/SAN configuration

1 Go to Web configuration interface > Settings > External Storage > DAS/SAN Configuration.

2 Click Delete.

3 Select the logical volume that you want to delete and then click Delete Configuration.

If the deletion fails, check the log file to analyze the root cause of the error.

See “Configuring Information Manager with DAS/SAN Storage” on page 322.

Chapter 21

Managing Global Intelligence Network content

This chapter includes the following topics:

■ About managing Global Intelligence Network content

■ Registering a Global Intelligence Network license

■ Viewing the status of Global Intelligence Network content

■ Receiving Global Intelligence Network content updates

About managing Global Intelligence Network content

The Symantec Global Intelligence Network is a comprehensive collection of vendor-neutral security data sources. The service is an authoritative source of information about known and emerging vulnerabilities, threats, risks, and global attack activity.

See “About the Global Intelligence Network configuration view” on page 311.

The Global Intelligence Network provides information about the current ThreatCon level. The network also provides advice and instructions on how to guard against and respond to the current threats.

The Web configuration interface of Information Manager lets you configure your Information Manager server to update its Global Intelligence Network content from the Global Intelligence Network Web site. You can obtain this content over the Internet directly or through a proxy server. By receiving updates through a proxy server, or from another Information Manager server that already has the content, the Information Manager server maintains current security content without being connected to the Internet itself.

Registering a Global Intelligence Network license

If you have purchased a license for the Global Intelligence Network, complete the following steps to activate your Global Intelligence Network content updates.

See “About managing Global Intelligence Network content” on page 327.

To register a Global Intelligence Network license

1 On the Web configuration interface of the Information Manager, click Settings > Licensing.

2 On the tree pane, click GIN.

3 Click Browse, and then navigate to the Global Intelligence Network licensefile.

4 When you locate the file, click Open.

5 Click Import License.

Viewing the status of Global Intelligence Network content

The Status view provides the following information about the status of Global Intelligence Network content:

■ The status and version of the server that provides the updated security content

■ The status of the Global Intelligence Network content license, including its expiration date

■ The number of entries in each category of the server database

■ Refresh timestamps for the DataFeed and Intelligence updates

See “About managing Global Intelligence Network content” on page 327.

To view the status of Global Intelligence Network content

1 On the Web configuration interface of the Information Manager, click Monitor > SSIM.

2 Click GIN Status.

The Status view displays information about the security content server, the content license, and the server database. It also displays timestamps for the latest content updates.

In the Content License Status area, you can see the number of days before the license expires, along with the expiration date. If you have multiple licenses, the latest expiration date appears.

Receiving Global Intelligence Network content updates

The Global Intelligence Network configuration view provides controls to specify the following sources for security content updates:

■ Static (or LiveUpdate)

■ Global Intelligence Network Internet service (requires a Global Intelligence Network license)

■ Another Information Manager server's Global Intelligence Network Integration Manager service (server chaining)

The Global Intelligence Network configuration view also lets you specify proxyserver settings.

To receive Global Intelligence Network content from an Internet connection

1 On the Web configuration interface of the Information Manager, click Settings > GIN.

2 In the GIN configuration view, in the Source of Security Content area, select Global Intelligence Network Internet Service.

To select this option, you must have an active Global Intelligence Network license.

3 In the Global Intelligence Network Server Settings area, make sure that the DataFeed Service URL is set to the following:

https://deepsightinfo.symantec.com/DataFeeds2/DataFeed.asmx

If you use an IP address instead of the host name deepsightinfo.symantec.com, the proxy test fails.

4 In the Global Intelligence Network Server Settings area, make sure that the IP Service URL is set to the following:

https://deepsightinfo.symantec.com/DeepSight/Intelligence.asmx

If you use an IP address instead of the host name deepsightinfo.symantec.com, the proxy test fails.

5 In the DataFeed Polling Interval box, specify how often the server should check for updates.

6 In the IP Polling Interval box, specify how often the server checks for updates to the IP watchlist.

The watchlist is a list of IP addresses that are known to be associated with security exploits.

7 In the IP address Limit box, specify how many IP addresses to download with each update.

8 Click Save.

To receive Global Intelligence Network content updates from a network server

1 On the Web configuration interface of the Information Manager, click Settings > GIN.

2 In the Source of Security Content area, click Another Global Intelligence Network Integration Manager Server.

3 In the Global Intelligence Network Integration Manager Server Chaining area, in the Global Intelligence Network Integration Manager Server Host box, type the host name or the IP address of the Information Manager server that provides the content updates.

4 In the Global Intelligence Network Integration Manager Polling Interval box, specify how often (in minutes) the Information Manager server checks for updates.

For example, to update every hour, type 60. To disable this function, type 0.

5 Click Save.

To receive Global Intelligence Network content by LiveUpdate

1 On the Web configuration interface of the Information Manager, click Settings> GIN.

2 On the GIN Configuration view, in the Source of Security Content area, select Static.

3 Click Save.

To specify proxy server settings

1 On the Web configuration interface of the Information Manager, click Settings> GIN.

2 On the GIN Configuration view, in the Proxy Server Settings area, ensure that Use Proxy Server is checked.

3 In the HTTPS/Secure Proxy Server box, type the URL of the proxy server.

4 In the HTTPS/Secure Proxy Port box, type the port that is used to communicate with the proxy server.

5 If the proxy server you use requires a user name and password to connect, type them in the HTTPS/Secure Proxy Username and HTTPS/Secure Proxy Password boxes, respectively.

6 Click Save.

Chapter 22

Working with Information Manager configurations

This chapter includes the following topics:

■ About agent configurations

■ About Agent Connection Configurations

■ Configuring Agent to Manager failover

■ About the Information Manager configurations

■ About the Manager components configurations

■ Setting up blacklisting for logon failures

■ Modifying administrative settings

■ About Manager configurations

■ Increasing the minimum free disk space requirement in high logging volume situations

■ About Manager connection configurations

■ About configuring Information Manager directories

■ About configuring LiveUpdate

About agent configurations

Agent configurations describe how agents behave and how they communicate with their corresponding Managers.

The settings include which primary and secondary server to connect to, how to get configuration information, and how to report inventory. In addition, the settings include how these computers receive LiveUpdate information.

See “Components of collectors” on page 164.

For more information on the Symantec Event Agent, refer to the Symantec Event Agent 4.7 Release Notes.

Table 22-1 lists the tabs on which you can change settings for Agent Configurations.

Table 22-1 Agent Configuration tabs

Tab: General
Contains the name, description, and last modification date of the configuration.

Tab: Configuration
Lets you specify how often the Agent Configuration Provider checks with its Manager for configuration updates.
This value is independent of using Distribute to send configurations to the Agent directly through the Command Servlet. This setting refers to how long the client waits before it asks for new configurations, if it is not contacted sooner.
See Table 22-2 on page 335.

Tab: Inventory
Lets you configure the Agent Inventory Provider to report inventory information for each Agent.
This inventory contains information as to what components are installed, and what version of those components resides on the Agent. You can set how often to report inventory, and how long to wait between failed inventory attempts.

Tab: State
Lets you configure the Agent State Provider to report state information for all Agent providers.
Each provider is given the opportunity to report its operational state to its Manager. This information includes what Manager it is currently connected to, what its starting mode is, and what configuration it currently uses.

Tab: Logging
Manages the Information Manager Event Logging Provider so that all events that are logged through the Agent are sent reliably to its Manager. The logging provider stores events locally if it cannot forward them immediately to its Manager.
You can specify the listening port, what Manager servlet to contact, and how to cache events before sending them to the Manager. Many of these settings control how events are forwarded to the Manager.
You can also specify the Statistics reporting interval.
If you change the Logging Servlet value to an incorrect value, you may not be able to forward events to the Agent's Manager.
See Table 22-3 on page 336.

Tab: LiveUpdate
Lets you schedule a one-time LiveUpdate for the Agent. You can also set several retry and delay settings that relate to running a LiveUpdate session on the Agent.

Table 22-2 describes the Agent configuration settings that can be configured in the Information Manager console.

Table 22-2 Agent configuration settings

Setting: Config poll time
The interval in minutes after which the agent automatically requests a new configuration from the configuration servlet on its Information Manager server.
The maximum value is 10080 minutes (seven days). The minimum value is 0.
If the agent is unable to receive a configuration at startup, it retries the request at an increasing (doubling) interval. The initial retry interval is one minute.
Default: 480 minutes

Setting: Allow Anonymous SSL connection
Specifies that anonymous SSL communication with the Information Manager server is allowed. Anonymous SSL encrypts the connection but does not authenticate the server, so it does not protect the agent against a host that impersonates the Manager on the network.
Default: On

Setting: Use Fully Qualified Domain Name
Specifies that FQDNs are used in configuration update requests.
Default: Off

Setting: Use Direct Event Port
Lets you configure the Agent to send events on the Direct Event Port (port 10012), which is unsecured: events sent on it are not protected by SSL, so enable it only where the network path from the Agent to the Manager is trusted.
Note: The on-box agent always sends events on the Direct Event Port.

Setting: Throttling schedule
Lets you specify the throttling schedule to limit the bandwidth as required.

Setting: Event Feeder Retry Interval
Lets you specify the interval for Event Feeder retries, in milliseconds.

Setting: Event Feeder Retry Count
Lets you specify the Event Feeder retry count.

Setting: Event Feeder Switch Back Time
Lets you specify the switch-back time.

Table 22-3 describes the Agent logging settings that can be configured in the Java client of the Information Manager.

Table 22-3 Agent logging settings

Setting: Listen IP
The IP address that the agent listens on for all requests.
If not specified, the first IP address that is configured for the local computer is used. If specified, the agent listens on that dotted-decimal IP address of the local computer.
Keep the loopback default unless integrating products on other hosts must reach the agent: a non-loopback address exposes the listen port to the network.
Default: 127.0.0.1

Setting: Listen port
The port number that the agent listens on for requests from integrating products.
Valid values are any positive integer under 65,535 that refers to a free port on the IP address that is specified in Listen IP.
Default: 8086

Setting: Event logging servlet
Identifies the Information Manager server servlet to which the agent sends messages.
Set to any valid servlet name running on the Information Manager server that is specified in the Primary manager server setting on the Common tab.
Use extreme caution if you decide to change this setting.
Default: EventLogger

Setting: Disconnected mode retry interval
The time in minutes that the agent waits before it sends events to the Information Manager server when it runs in disconnected mode.
The agent goes into disconnected mode automatically when the Information Manager server cannot be contacted. Consequently, this value is the retry interval for sending events to the Information Manager server. The minimum value is 0 minutes.
Default: 0 minutes

Setting: Maximum queue size
The maximum size in kilobytes of any single application's queue.
Once an application's queue reaches this size, any further log requests from that application are refused. Other applications may continue to log events until their queues have also reached this size. The most likely cause for an application's queue to reach this size is that the Information Manager server cannot be contacted. The value should be an integer between 60 KB and 1,000,000 KB.
Default: 80,000 KB

Setting: Event queue flush time
The number of seconds that the agent queues up events for the given ProductId before the agent sends the events to the Information Manager server.
The value should be an integer between 1 and 600.
Default: 4 seconds

Setting: Event queue flush size
The size in kilobytes of an application's queue that the agent holds before it sends the events to the Information Manager server.
The value should be an integer between 768 KB and 10,000 KB.
Default: 2000 KB

Setting: Event queue flush count
The number of items in an application's queue that causes the agent to send the events to the Information Manager server.
The value should be an integer between 256 and 10,000.
Default: 512

Setting: Event queue spool size
The size in kilobytes of an application's queue that the agent holds in memory when it is not able to send the normal queue to the Information Manager server.
If the queue exceeds this size and continues to grow, the queue is written to disk. A disk-based queue is slower than a memory-based queue because all queue information that is written to disk is encrypted.
The value should be an integer between 1 and 50,000.
Default: 20,000 KB

Setting: Encrypt config file
Indicates that the configuration file located at the agent should be encrypted. This feature prevents anyone from obtaining sensitive information by opening the configuration file. Enable it where other users can read the agent host's file system.
Default: Disabled

Setting: Event Compression
Enables or disables event compression.
Default: Enabled

Setting: Agent Queue Statistics Report Interval
Specifies the interval for reporting agent statistics.
Default: 300 seconds

Setting: Maximum File Queue Size
Lets you specify the maximum file queue size.
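The following Python script is an added example, not part of the Symantec Event Agent or of this guide. It models how the queue settings in Table 22-3 interact for one application: a batch is sent when the flush time, flush size, or flush count threshold is reached; while the Manager is unreachable the queue grows in memory up to the spool size and then on disk; and once the maximum queue size is reached further log requests are refused until a disconnected-mode retry succeeds. The threshold values are the table defaults; the event sizes, timings, and outage window in run_scenario are constructed, and the class and function names are the example's own.

```python
"""Added example (not product code): a simulation of the per-application
event queue that the agent logging settings describe. Threshold values are
the table defaults; event sizes and timings in run_scenario are constructed."""


class ApplicationQueue:
    """Queue for one ProductId inside the agent."""

    def __init__(self, flush_time=4, flush_size_kb=2000, flush_count=512,
                 spool_size_kb=20000, max_queue_kb=80000):
        self.flush_time = flush_time            # seconds
        self.flush_size = flush_size_kb * 1024  # bytes
        self.flush_count = flush_count
        self.spool_size = spool_size_kb * 1024  # memory cap before disk spill
        self.max_queue = max_queue_kb * 1024    # hard cap; beyond it, refuse
        self.events = []           # byte size of each queued event
        self.bytes = 0
        self.first_event_at = None
        self.on_disk = False       # True once the in-memory spool overflowed
        self.refused = 0
        self.flushed_batches = []  # (event count, bytes) of each batch sent

    def log(self, size_bytes, now, manager_up):
        """Queue one event; returns 'sent', 'queued' or 'refused'."""
        if self.bytes + size_bytes > self.max_queue:
            self.refused += 1      # Maximum queue size reached: request refused
            return "refused"
        if self.first_event_at is None:
            self.first_event_at = now
        self.events.append(size_bytes)
        self.bytes += size_bytes
        if self.bytes > self.spool_size:
            self.on_disk = True    # spilled to the slower, encrypted disk queue
        if self._flush_due(now):
            return self.retry(manager_up)
        return "queued"

    def retry(self, manager_up):
        """Disconnected-mode retry: send the held queue if the Manager is
        reachable, otherwise keep holding it."""
        if manager_up and self.events:
            self.flushed_batches.append((len(self.events), self.bytes))
            self.events, self.bytes = [], 0
            self.first_event_at, self.on_disk = None, False
            return "sent"
        return "queued"

    def _flush_due(self, now):
        # Any one of the three flush thresholds triggers a send attempt.
        return (len(self.events) >= self.flush_count
                or self.bytes >= self.flush_size
                or now - self.first_event_at >= self.flush_time)


def run_scenario(event_size, count, start, step, outage=None):
    """Feed `count` constructed events of event_size bytes, `step` seconds
    apart, starting at `start`; `outage` is a (begin, end) interval during
    which the Manager is unreachable. Returns the queue for inspection."""
    queue = ApplicationQueue()
    for i in range(count):
        now = start + i * step
        manager_up = outage is None or not (outage[0] <= now < outage[1])
        queue.log(event_size, now, manager_up)
    return queue


if __name__ == "__main__":
    q = run_scenario(512, 600, 0.0, 0.001)       # flush count (512) wins
    print(q.flushed_batches, len(q.events))
    q = run_scenario(1024, 80001, 10.0, 0.0001, outage=(10.0, 100.0))
    print(q.refused, q.on_disk, q.retry(manager_up=True))
```

The outage scenario shows the sizing consequence of these settings: with the defaults, a Manager outage lets a single application accumulate 80,000 KB before its requests are refused, and everything beyond 20,000 KB of that sits in the encrypted disk queue, so a high-volume collector needs the spool and maximum queue sizes raised together with the free disk space on the agent host.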

About Agent Connection Configurations

Agent Connection Configurations let you configure Agent to Manager failover.

See “Configuring Agent to Manager failover” on page 340.

Failover is the ability of Information Manager components to automatically switchto designated secondary resources if the primary resource fails or terminatesabnormally.

After you configure failover, distribute the configurations to computers thatrequire failover protection.

Table 22-4 lists the tabs on which you can change the failover settings for the Agent.

Table 22-4 Agent Connection Configurations tabs

Tab: General
Contains the name, description, and the last modification date of the configuration.

Tab: SSIM Manager Failover
Lets you specify the primary Manager and an ordered list of Managers to which the Agent can fail over if the primary Manager becomes unavailable.

Configuring Agent to Manager failover

You configure Manager failover to identify a primary Manager and provide an ordered list of failover Managers to which the Agent can connect if the primary Manager fails.

See “About Agent Connection Configurations” on page 339.

To configure Agent to Manager failover

1 In the Information Manager console, on the System view, on the Product Configurations tab, expand the domain, expand SSIM Agent and Manager, and click Agent Connection Configurations.

2 Select the custom configuration to edit. You cannot edit the Default configuration.

3 In the right pane, on the SSIM Manager Failover tab, next to the Primary Manager text box, click the browse button (...).

4 In the Find Computers dialog box, do one of the following:

■ To proceed without modifying the Available computers list, select a computer to be the primary Manager, and then continue at step 6.

The Available computers list shows all Managers for the domain, up to the number of computers that is indicated by the Maximum search count text box.

■ To modify the Available computers list, specify search criteria, and then in the revised Available computers list, select one or more computers.

5 Click OK.

6 On the SSIM Manager Failover tab, check Enable automatic Manager Failover.

7 Under Primary Manager Failover, do the following:

■ In the Reconnect attempts before failover text box, type the number of times that the Agent should attempt to connect to the primary Manager before it fails over to the first Manager in the Secondary Managers list.

■ In the Seconds between reconnect attempts text box, type the time interval in seconds to elapse between reconnect attempts.

8 Under Secondary Manager Failover, do the following:

■ In the Reconnect attempts before failover text box, type the number of times that the Agent should attempt to connect to the current secondary Manager before it fails over to the next computer in the Secondary Managers list.

■ In the Seconds between reconnect attempts text box, type the time interval in seconds to elapse between reconnect attempts.

9 To create an ordered list of failover Managers, do the following:

■ Under the Secondary (failover) Managers list, click Add.

■ In the Find Computers dialog box, in the Available computers list, select the computer to make the first failover Manager.

If you cannot immediately find the computer that you want, on the left side of the dialog box, enter search criteria. Then click Start Search, and in the Available computers list, select a computer.

■ Click Add.

■ Continue selecting and adding computers in the order in which you want them to be used for failover.

■ Click OK.

The computers that you selected are added to the Secondary (failover) Managers list.

■ To change the order of the failover Managers, select a Manager and use the Move Up and Move Down arrows to the right of the list to move the Manager relative to the other Managers in the list.

10 To have the Agent automatically attempt to fail back to the primary Manager, do the following:

■ Ensure that Enable automatic failback recovery is checked.

■ In the Seconds between failback connection attempts text box, type the number of seconds that should elapse between failback attempts.

■ In the Maximum failback retry period (minutes) text box, type the maximum amount of time to wait before all failback attempts end and the Manager the Agent is currently connected to becomes the new, permanent primary Manager.

■ After a new, permanent primary Manager is established, if you want to reset the connection between the Agent and the original Manager, you must do so manually, using the Primary Manager drop-down list.

11 To generate a single event when multiple connection failures occur, under Generate a Multiple Connection Failure Event, do the following:

■ In the Number of connection failures that must occur text box, type a number.

■ In the Time span during which connection failures occur (seconds) text box, type a time period.

When the specified number of connection failures occurs within the specified time period, a single event is logged.

If you enable Manager failover, connection failure events occur with the same frequency as failovers, based on the values for reconnect attempts.

If you do not enable failover, connection failures can still occur. The values you provide here determine how often events are logged for those occurrences.

12 Click Save.

About the Information Manager configurations

Information Manager relies on the following to collect, store, process, and report security events to the Information Manager console: agents, Information Manager directory, Information Manager datastore, manager, and archives. These components also distribute configuration changes to Information Manager and integrated products.

Information Manager configurations let you configure these components.

See “About the Manager components configurations” on page 342.

Note: You can create customized configurations for each of the collectors that are installed. For more information on creating collector configurations, refer to the documentation that is provided with each collector.

About the Manager components configurations

Manager Components Configurations contain specific settings for each of the Manager components. They let you configure the specific settings for each component individually, based on the component's configuration requirements. These components generally refer to specific services within the Manager, such as the Event Logging subsystem or the Configuration Service.

See “About the Information Manager configurations” on page 342.

Table 22-5 lists the tabs on which you can change settings for the Manager Components Configurations.

Table 22-5 Manager Components Configurations tabs

General: Lets you specify the name, description, and modification date of the configuration.


Notifications: Lets you specify the email and the retry settings that the alert servlet uses. These settings control how alerts are sent from Information Manager.

Configuration: Lets you configure the Information Manager Configuration Service by specifying how many times a client can request its configuration during a polling interval. If a client exceeds this value, it is flagged as hyperactive, and is not allowed to get its configuration again for a configured interval.

Command: Lets you control the settings for the command servlet. When you use the Distribute option to initiate the distribution of configurations, the Command servlet contacts each computer using the configuration. The servlet notifies it to reload its configuration. These settings let you configure throttling information for how many Agents to notify in a given period of time. They can be adjusted based on your environment. If you make this setting too high, you run the risk of overloading your Managers. If the throttling is set too low, it could take a long time to push new settings to a large number of computers.

Administrative: Lets you modify administrative protections such as how long a console session should be idle before it times out. You can lengthen the session idle interval to keep the console from timing out quickly or shorten it to increase security. You can also specify the character set that the console uses to export information. This toggle lets you select US English ANSI exporting or Unicode encoding for most double-byte character sets, such as Japanese.

SNMP: Lets you specify the settings that control how alert notifications are sent to an SNMP Server. You can specify the host, port, and community of the SNMP Server to which alerts are forwarded. You can also specify the version of SNMP traps to send to that server.

LiveUpdate: Lets you schedule a one-time update for the Manager. In addition, lets you schedule several retry and delay settings that are related to updating the Manager using LiveUpdate.


Setting up blacklisting for logon failures

When failed attempts to log on to the Information Manager console occur repeatedly, it may indicate an attempt to break in to the system. Information Manager blacklists computers from which repeated failed logon attempts are made.

See “About agent configurations” on page 333.

The Administrative tab lets you control how Information Manager responds to logon failures.

To set up blacklisting for logon failures

1 In the Information Manager console, on the System view, on the Product Configurations tab, expand the domain, expand SSIM Agent and Manager and click Manager Components Configurations.

2 Select the custom configuration that you want to edit. You cannot edit the Default configuration.

3 On the Administrative tab, to control how Information Manager handles blacklisting for logon failures, do the following:

Blacklist threshold time: Adjust the window of time during which failed logon attempts are accumulated. When the accumulated count is larger than the blacklist threshold count, the IP address from which the logon attempts originate is added to the blacklist.

Blacklist threshold count: Specify the number of failed logon attempts within the blacklist threshold time that causes an IP address to be placed on the blacklist.

Blacklist entry duration: Specify the length of time for the IP address to remain on the blacklist before it is automatically removed and logons from the IP address are again permitted.

4 Click Save.
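The count-in-window logic that the three blacklist settings above describe, and that the Agent's Generate a Multiple Connection Failure Event settings (number of failures within a time span) share, as an added example that is not part of this guide or of Symantec's code; the class names, the log line format and the sample log entries are constructed for illustration.

```python
from collections import defaultdict, deque


class WindowCounter:
    """Counts occurrences per key (an IP address or an Agent) inside a
    sliding time window; occurrences older than the window are forgotten."""

    def __init__(self, window_seconds):
        self.window_seconds = window_seconds
        self._times = defaultdict(deque)

    def add(self, key, now):
        """Record one occurrence at `now`; return the count still in the window."""
        q = self._times[key]
        q.append(now)
        cutoff = now - self.window_seconds
        while q and q[0] < cutoff:
            q.popleft()
        return len(q)

    def clear(self, key):
        self._times.pop(key, None)


class LogonBlacklist:
    """Models the Administrative tab settings: failed logons from one IP are
    accumulated over threshold_time seconds; when the count is larger than
    threshold_count the IP is blacklisted for entry_duration seconds, after
    which the entry is removed automatically and logons are permitted again."""

    def __init__(self, threshold_time, threshold_count, entry_duration):
        self.counter = WindowCounter(threshold_time)
        self.threshold_count = threshold_count
        self.entry_duration = entry_duration
        self.entries = {}  # ip -> time at which the blacklist entry expires

    def is_blacklisted(self, ip, now):
        expiry = self.entries.get(ip)
        if expiry is None:
            return False
        if now >= expiry:  # entry duration elapsed: automatic removal
            del self.entries[ip]
            return False
        return True

    def record_failure(self, ip, now):
        """Record a failed logon; return True if it caused a blacklisting."""
        if self.is_blacklisted(ip, now):
            return False
        if self.counter.add(ip, now) > self.threshold_count:
            self.entries[ip] = now + self.entry_duration
            self.counter.clear(ip)  # the IP starts with a clean window later
            return True
        return False


class MultipleConnectionFailureEvents:
    """Models the Agent setting: when `failures` connection failures occur
    within `span_seconds`, a single event is generated instead of many."""

    def __init__(self, failures, span_seconds):
        self.failures = failures
        self.counter = WindowCounter(span_seconds)

    def record_failure(self, agent, now):
        """Return an event dict when the threshold is reached, else None."""
        n = self.counter.add(agent, now)
        if n >= self.failures:
            self.counter.clear(agent)
            return {"event": "MultipleConnectionFailure", "agent": agent,
                    "count": n, "time": now}
        return None


# Constructed sample log (not real product output): "<seconds> <source IP> <result>"
SAMPLE_LOGON_LOG = """\
1000 198.51.100.7 LOGON_FAILED
1010 198.51.100.7 LOGON_FAILED
1020 198.51.100.7 LOGON_FAILED
1030 203.0.113.5 LOGON_FAILED
1040 198.51.100.7 LOGON_FAILED
1050 198.51.100.7 LOGON_OK
1100 203.0.113.5 LOGON_FAILED
1400 198.51.100.7 LOGON_FAILED
"""


def replay_logon_log(log_text, blacklist):
    """Feed the log through the blacklist. Returns (blacklisted, denied): (ip, time)
    pairs for additions to the list and for attempts refused while the IP was listed."""
    blacklisted, denied = [], []
    for line in log_text.splitlines():
        ts, ip, result = line.split()
        now = float(ts)
        if blacklist.is_blacklisted(ip, now):
            denied.append((ip, now))  # refused whatever credentials were presented
        elif result == "LOGON_FAILED" and blacklist.record_failure(ip, now):
            blacklisted.append((ip, now))
    return blacklisted, denied
```

With a 60-second threshold time, a threshold count of 3 and a 300-second entry duration, the fourth failure from 198.51.100.7 at 1040 lists that address, the otherwise successful logon at 1050 is refused, and by 1400 the entry has expired and counting starts afresh.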

Modifying administrative settings

You can control the following behaviors of the Information Manager console by changing administrative settings:

■ How long a console session is idle before it times out


■ The character set that is used when you export reports

■ How Information Manager responds to repeated failed logon attempts

See “About the Manager components configurations” on page 342.

To modify administrative settings

1 In the Information Manager console, on the System view, on the Product Configurations tab, expand the domain, expand SSIM Agent and Manager and click Manager Components Configurations.

2 Select the custom configuration that you want to edit. You cannot edit the Default configuration.

3 In the right pane, on the Administrative tab, next to Session idle interval, do one of the following:

■ To increase the time before the Information Manager console times out, type a higher value.

Increase the value if you do not want the Information Manager console session to time out so quickly.

■ To decrease the time before the Information Manager console times out, type a lower value.

Lower the value to increase security.

4 If the Datastore contains double-byte characters for languages such as Japanese, next to Export character set selector, select the check box.

This setting configures the Manager to export data in Unicode encoding, which lets you export reports with double-byte characters to the HTML or the CSV formats.

5 If necessary, configure the blacklist settings.

See “Setting up blacklisting for logon failures” on page 344.

6 To compress the results, select Compress the results.

7 Click Save.

If session timeout occurs on an Information Manager console, the logon screen is displayed so that the user can log on again.

About Manager configurations

Common settings in the Manager configurations may affect one or more of the manager components across Managers. These common settings include selecting the Information Manager Directory and Datastore for the domain, and setting throttle options that control connection attempts to Managers.

See “About agent configurations” on page 333.

Table 22-6 lists the tabs on which you can change settings for Manager configurations.

Table 22-6 Manager Configuration tabs

General: Contains the name, description, and the date of last modification of the configuration.

Throttle: Lets you balance security and scalability issues on a Manager by controlling when or how often events are sent to the Information Manager Datastore. For example, you can set a threshold for all Managers. When an Agent tries to contact a Manager too many times in a given time period, the computer is denied access to the Manager for an allotted time. If you make the timeouts shorter, you protect yourself more against hyperactive clients, or denial-of-service attacks. If you make the time allotments longer, you may increase the performance of the server and avoid problems with false positives for hyperactive clients.

Client Validation: Controls how Information Manager handles the validation of clients. For example, on this tab, you can set how Information Manager reacts to clients who provide bogus passwords. If Information Manager attempts to validate a client and fails, the client is blacklisted until the entry times out. This tab lets you set how long those timeouts last.

Web Server: This tab is deprecated and should not be used.

Other: Contains the miscellaneous settings that let you fine-tune the operation of your Manager. For example, one setting lets you configure the minimum disk space that the Manager requires before its logging and other functions are suspended. See “Increasing the minimum free disk space requirement in high logging volume situations” on page 347.


Increasing the minimum free disk space requirement in high logging volume situations

The Other tab of the Manager Configurations includes the free space minimum size property. This configuration specifies the amount of free space that is needed for the Manager to function properly. The amount of free space is checked every two minutes and an event is created if the free space is less than the minimum specified.

See “About Manager configurations” on page 345.

In an environment that generates a high volume of log messages, you should increase the free space minimum size.

To increase the free space minimum size

1 In the Information Manager console, in the System view, on the Product Configurations tab, expand the domain, expand SSIM Agent and Manager and click Manager Configurations.

2 Select the custom configuration that you want to edit. You cannot edit the Default configuration.

3 In the right pane, on the Other tab and for the Free space minimum size property, increase the value to meet the needs of your environment.

By default, the free space minimum size is 50 MB.

In an environment with a high volume of log messages, you should increase the minimum disk space to at least 100 MB or higher. If the Manager is installed on the operating system drive, you should set the free space minimum to at least 2 GB.

4 Click Save.

About Manager connection configurations

Manager connection configurations let you configure failover for Managers.

Failover is the ability of Information Manager components to automatically switch to designated secondary resources if the primary resource fails or terminates abnormally.

You can configure the Directory on one Information Manager server to fail over to the Directory on another Information Manager server.

See “About Manager configurations” on page 345.


After you configure failover, distribute the configurations to Managers that require failover protection.

Table 22-7 lists the tabs on which you can change the failover settings for the Manager.

Table 22-7 Manager Connection Configurations tabs

General: Contains the name, description, and date of the last modification of the configuration.

SSIM Directory Failover: Lets you specify the primary Information Manager Directory and control how failover takes place when that primary Information Manager Directory becomes unavailable.

About configuring Information Manager directories

Failover enables Information Manager to automatically switch to a standby Information Manager Directory if the primary Information Manager Directory fails or terminates abnormally.

See “About Manager configurations” on page 345.

The SSIM Directory Failover tab of the Manager Connection Configurations lets you do the following tasks:

■ Configure the Information Manager to Information Manager directory failover.

■ Log Information Manager directory connection failures.

About configuring LiveUpdate

LiveUpdate is the Symantec technology that lets installed Symantec products connect to a server automatically for program updates. You can use LiveUpdate to update the Manager and the agent components.

About Java LiveUpdate

Symantec LiveUpdate uses Java LiveUpdate to update Information Manager components such as lookup tables, normalization content, rules, system queries, filters, monitors, collectors, and sensors. When you install the Symantec Event Agent on a computer, Java LiveUpdate automatically installs. You can also distribute the Java LiveUpdate configurations to any of the computers in an organizational unit.


When Java LiveUpdate runs, it connects to the server that is specified in liveupdate.conf. The compressed catalog file (livetri.zip) is downloaded into the local LiveUpdate package directory and the LiveUpdt.tri files are extracted. Java LiveUpdate determines if there are updates available for the specified products. For each update that is found, a temporary directory is created under the local directory into which the compressed files are copied. The packages are authenticated, decompressed, and installed.

Java LiveUpdate tracks configuration information about multiple LiveUpdate servers or hosts. It tries each of the servers in the order in which they are listed in the Java LiveUpdate configuration file. When a specified server is unreachable, it automatically fails over to the next host.

Java LiveUpdate requires Java Runtime Edition 1.1.8 or later. Information Manager and Symantec Event Agent use Java LiveUpdate 3.7, which is the latest version of Java LiveUpdate. When you upgrade Information Manager to 4.7 Maintenance Pack 3, Java LiveUpdate 3.7 gets installed on the Information Manager server.

See “Creating Java LiveUpdate configurations” on page 349.

See “Modifying Java LiveUpdate configurations” on page 351.

See “Editing Java LiveUpdate configuration properties” on page 357.

See “Distributing a Java LiveUpdate configuration” on page 358.

Creating Java LiveUpdate configurations

Java LiveUpdate is installed with a default configuration specified in the LiveUpdate.conf configuration file. However, you may want to modify or distribute additional configurations to the client computers. You can use the Information Manager console to create and distribute additional Java LiveUpdate configurations to the computers on which Java LiveUpdate 3.7 is installed. When you create or modify a Java LiveUpdate configuration, you must specify the client computers to associate with the configuration.

Before distributing a Java LiveUpdate configuration, you must first configure it for distribution. You can do this configuration by modifying an existing configuration, or you can create a new Java LiveUpdate configuration. To create a new LiveUpdate configuration, you must use the Create a new Configuration wizard.

See “Modifying Java LiveUpdate configurations” on page 351.

See “Distributing a Java LiveUpdate configuration” on page 358.

Host data is not passed from the Java LiveUpdate server to the Java LiveUpdate client if there are blank entries in the host settings. For example, if you enter host data for Host 2, but leave the Host 1 settings empty, host information is not sent to the Java LiveUpdate client computer. As soon as you enter data for Host 1, host information is sent for Host 1 as well as for Host 2.

To create a Java LiveUpdate configuration

1 In the Information Manager console, go to System > Product Configurations and navigate to LiveUpdate.

2 Expand the tree view and select Java LiveUpdate.

3 Click Add. You can enter the details about the configuration in the Create new configuration wizard. You can also add the computers on which this configuration is applied.

4 Click Finish.

See “About Java LiveUpdate” on page 348.

See “Editing Java LiveUpdate configuration properties” on page 357.

Scheduling LiveUpdate requests

In the Information Manager console, you can schedule a LiveUpdate request for new versions of the Manager and the agent.

See “About configuring LiveUpdate” on page 348.

Note: Events are not generated when a Manager or an agent LiveUpdate occurs.

To schedule a LiveUpdate request

1 In the Information Manager console, on the System view, on the Product Configurations tab, do one of the following:

■ To schedule LiveUpdate of the Manager, expand the domain, expand SSIM Agent and Manager and click Manager Components Configurations.

■ To schedule LiveUpdate of the agent, expand the domain, expand SSIM Agent and Manager and click Agent Configuration.

2 Select the custom configuration that you want to edit. You cannot edit the default configuration.

3 In the right pane, on the LiveUpdate tab, specify the date and time to perform the LiveUpdate by clicking the ellipsis (...) to the right of the Datetime value.


4 In the Calendar dialog box, set the date and time for LiveUpdate to run:

Month drop-down list: Select a month.

Year: Select a year.

Calendar: Select a day.

Time control: Click each section of the time control (hours, minutes) to change the value. Select from AM or PM as relevant.

5 Click OK.

6 On the LiveUpdate tab, do one or more of the following:

Retry interval: Specify how often to retry the LiveUpdate if the first attempt is not successful.

Random delay: Specify a random delay to be used to stagger update requests.

Enable: Select this check box to enable LiveUpdate to take place at the time that is scheduled on the LiveUpdate tab.

Use local time: Specify whether the local time should be used for scheduling purposes.

7 Click Save.

Modifying Java LiveUpdate configurations

To change an existing Java LiveUpdate configuration, you can modify one or more settings on the Java LiveUpdate tabs.

To modify a Java LiveUpdate configuration

1 In the Information Manager console, go to System > Product Configurations and navigate to LiveUpdate > Java LiveUpdate.

2 Under Java LiveUpdate, select the configuration that you want to modify. Java LiveUpdate configuration settings tabs appear in the right pane.

3 Modify the configuration using the following tabs as necessary:

■ General
See “Java LiveUpdate: General tab” on page 352.

■ Java LiveUpdate
See “Java LiveUpdate: Java LiveUpdate tab” on page 352.

■ Hosts
See “Java LiveUpdate: Hosts” on page 356.

Java LiveUpdate: General tab

The General tab displays the name and description of the selected Java LiveUpdate configuration. A Java LiveUpdate configuration is a collection of settings that you can apply to products on computers directly.

The Default Java LiveUpdate configuration is used by default. The General tab contains the following options:

Configuration name: Name of the configuration. You cannot modify this name after creating it.

Description: A description of the configuration. You cannot change the description of the Default configuration.

Last Modified On: The date and time the configuration was last modified. The value is set automatically when you change a configuration. You cannot change it manually.

See “Modifying Java LiveUpdate configurations” on page 351.

See “Java LiveUpdate: Java LiveUpdate tab” on page 352.

See “Java LiveUpdate: Hosts” on page 356.

Java LiveUpdate: Java LiveUpdate tab

The Java LiveUpdate tab lets you specify the network proxy server settings that may be required for Java LiveUpdate sessions in your network environment. You can also specify additional LiveUpdate HTTP or FTP servers to use for downloading product updates. The Java LiveUpdate tab also lets you specify the maximum size of LiveUpdate log files.

You can also enable the cacheMode option, which keeps LiveUpdate package data until the data size reaches a threshold. This threshold is defined in the downloadcachesize field. Once the threshold is reached, the cached data is purged and maintained to the size that is defined in the downloadcachesize field.

The Java LiveUpdate tab contains the following options:


Proxy server: Specifies a proxy server address. If you use an HTTP proxy server for Java LiveUpdate, use the FQDN (fully qualified domain name) or the IP address of the network proxy server.

ProxyServerPort: Specifies the port on which the proxy server listens (optional). If a port number is not specified, it defaults to 80. The address must be either the TCP/IP address or the FQDN of the proxy server. The port must be the TCP/IP port that the proxy server listens on. This setting is not supported for FTP.

ProxyUsername: Specifies the proxy server user name. If you use an HTTP proxy server for Java LiveUpdate, use the user name for the account that is used to log on to the proxy server. The user name and password let Java LiveUpdate authenticate itself to the proxy server. This authentication is not SSL authentication.

ProxyPassword: Specifies the password that is associated with the specified ProxyUsername account. If you use an HTTP proxy server for Java LiveUpdate, use the password for the account that is used to log on to the proxy server. The user name and password let Java LiveUpdate authenticate itself to the proxy server. This authentication is not SSL authentication.


OverrideExistingConfig: Check this option if you want to overwrite the existing configuration data in the LiveUpdate.conf file with the Java LiveUpdate configuration settings. Uncheck this option if you want to append the Java LiveUpdate configuration settings to the existing configuration data in the LiveUpdate.conf file. When you distribute the Java LiveUpdate configuration, the configuration data in the LiveUpdate.conf file is overwritten or appended, accordingly.

You can use the Java LiveUpdate Hosts tab to append additional host server entries to the existing LiveUpdate.conf file. If you do, make sure that you type the information in a numbered Host field that is not already used in the LiveUpdate.conf file. Each numbered Host field corresponds to the numbered host entries in LiveUpdate.conf. As a result, if you type an entry for Host 0 in the Hosts tab, and the existing LiveUpdate.conf file already has a Host 0 value, then the new Host 0 value overwrites the existing Host 0 value, regardless of whether the option is checked or unchecked.

You can check this option to configure Java LiveUpdate to have all users use the same proxy server user name and password. You can uncheck this option if you have already set up individual user names and passwords for each Java LiveUpdate computer in your network environment.

The default setting is false.


AllowConfigSwapping: Check this option if you want Java LiveUpdate to use an alternative method of retrieving host- and connection-based information.

When you uncheck this option, Java LiveUpdate uses the default LiveUpdate.conf file to obtain its connection settings. However, when you set the value to true, Java LiveUpdate obtains host- and connection-based settings another way. The method depends on how the LiveUpdate environment is set up to get information, either from a .hst (host) file that was created using the LiveUpdate Administration Utility, or from a LiveUpdate.conf file other than the default one.

To set up Java LiveUpdate to use a .hst file for its host- and connection-based information, an administrator must edit the default LiveUpdate.conf file to include a .hst value for the host file entry. A host file is typically used to let corporate clients connect to an intranet server designated as an internal LiveUpdate or Java LiveUpdate server.

An administrator can also set up Java LiveUpdate to use a LiveUpdate.conf file other than the default one to obtain host- and connection-based information. Append a -c command-line switch along with the full path of the non-default LiveUpdate.conf file when the Java LiveUpdate session is executed at the command line.

For either method to work, the Allow Configuration Swapping option must be checked. If it is unchecked, Java LiveUpdate ignores the -c command-line switch and the .hst file entry, and uses the configuration settings in the Default LiveUpdate.conf file instead. The default setting is false.


MaxLogFileSize: You can modify the maximum size of the LiveUpdate log file on the end-user computers. When a log file reaches its maximum size, the earliest log entry or entries are deleted to make room for the most recent log entry. The default setting is 1024 KB.

cacheMode: If you enable this option, the LiveUpdate package data is cached after each Java LiveUpdate session. This data is stored until the cache size reaches the threshold that is defined in the downloadcachesize field. Once this threshold is reached, the cached data is purged and maintained to the size that is defined in the downloadcachesize field. By default the cacheMode option is enabled.

downloadcachesize: Lets you specify the size threshold for the download cache. When the cache reaches this size, the earliest cache entries are deleted. You can set the downloadcachesize value between 16 MB and 4096 MB. The default setting is 2048 MB.

See “Modifying Java LiveUpdate configurations” on page 351.

See “Java LiveUpdate: General tab” on page 352.

See “Java LiveUpdate: Hosts” on page 356.

Java LiveUpdate: Hosts

The Hosts tab lets you configure up to 10 different LiveUpdate servers for updating Information Manager components. For each Java LiveUpdate server in your network environment, you must specify a URL. If the server uses the FTP protocol for Java LiveUpdate, you must also specify the FTP user name and password.

The Hosts tab contains the following options:


Host#URL: The URL of the computer that can be used as a LiveUpdate server. You can use HTTP or FTP protocols (HTTPS and FTPS are not supported). If you do not specify a protocol in the URL, Java LiveUpdate uses the HTTP protocol.

Host#Username: The FTP user name if the LiveUpdate server uses the FTP protocol.

Host#Password: The FTP password if the LiveUpdate server uses the FTP protocol.

See “Modifying Java LiveUpdate configurations” on page 351.

See “Java LiveUpdate: General tab” on page 352.

See “Java LiveUpdate: Java LiveUpdate tab” on page 352.

Editing Java LiveUpdate configuration properties

You can edit the Java LiveUpdate configuration properties and add the computers that can use the Java LiveUpdate configuration before you distribute the configuration.

To edit Java LiveUpdate configuration properties

1 On the Product Configurations tab, in the left pane, under the top-level SESA domain, expand LiveUpdate > Java LiveUpdate.

2 Under Java LiveUpdate, right-click the configuration that you want to modify and then click Properties.

3 In the Configuration Properties dialog box, on the Computers tab, click Add.

4 In the Find Computers dialog box, in the Computer name text box, type a computer name or a combination of letters and an asterisk. Click Start Search.

5 By default, the Computer name text box contains an asterisk (*), which serves as a wildcard character, displaying all computers that have been defined.

6 From the Available computers view, select one or more computers and click Add.

7 In the Configuration Properties dialog box, click OK.

See “About Java LiveUpdate” on page 348.

See “Creating Java LiveUpdate configurations” on page 349.


See “Modifying Java LiveUpdate configurations” on page 351.

See “Distributing a Java LiveUpdate configuration” on page 358.

Distributing a Java LiveUpdate configuration

After you have created or modified a Java LiveUpdate configuration as appropriate, you can distribute it to Java LiveUpdate client computers. These configurations can be distributed to any of the following computer platforms:

■ Windows 32-bit

■ Windows 64-bit

■ Solaris

■ RHEL 4.0

■ RHEL 5.0

To successfully distribute a Java LiveUpdate configuration, you must specify thetarget computers when you create or modify the Java LiveUpdate configuration.

To distribute a Java LiveUpdate configuration

1 On the Product Configurations view tab, in the left pane, under the top-level SESA domain, expand LiveUpdate > Java LiveUpdate.

2 Under Java LiveUpdate, right-click a configuration and then click Distribute.

3 When you are prompted to distribute the configuration, click Yes.

A message is sent to all the target computers to check for new configurations. When a computer receives this message, it contacts Information Manager to request a download of the configurations.

See “About Java LiveUpdate” on page 348.

See “Creating Java LiveUpdate configurations ” on page 349.

See “Modifying Java LiveUpdate configurations” on page 351.

See “Editing Java LiveUpdate configuration properties ” on page 357.

Section 7. Managing application data

■ Chapter 23. Maintaining the Information Manager database

■ Chapter 24. Managing data backup, restore, and purge

Chapter 23. Maintaining the Information Manager database

This chapter includes the following topics:

■ About database maintenance

■ Checking database status

■ About the database health monitor service

■ About purging event summary, alerts, and incident data

About database maintenance

The Symantec Security Information Manager uses an IBM DB2 database to store event summary, incident, ticket, asset, rule, and report data. These elements are stored in separate tablespace containers in the database. The most common maintenance tasks have been automated to make the database largely self-maintaining. The status of the database is checked regularly, and tasks such as database reorganization and statistics gathering occur automatically as they are required.

See “Checking database status” on page 361.

Checking database status

The Database Status view displays current information about the overall health of the Information Manager database. The Jobs status area in the details pane displays the status of the maintenance jobs that run to keep the database healthy. The information in the details pane of the Database Status view is updated automatically as conditions change.

In the Web configuration interface, you can access the Database Status view from Monitor > SSIM > Database Status.

The Database Status view includes the following:

■ Database Health Monitor: Indicates the current health status of the database. See “About the database health monitor service” on page 362.

■ Database Space: Displays the amount of space that the incidents and summary events tablespaces currently use. For each tablespace, the value is expressed as a percentage of the total space that is available to that tablespace.

■ Job Status: Lists the current status of data maintenance activities. Regularly scheduled jobs are listed, along with any jobs that you initiate manually.

To check database status

1 Log on as an administrator to the Web configuration interface of the Information Manager server.

2 Go to Monitor > SSIM > Database Status.

3 To refresh the status information immediately, click Refresh.

About the database health monitor service

The database on the Symantec Security Information Manager server includes a health monitor service that checks the health status of the database. The Database Status page refreshes every 60 seconds.

You can access the Database Health Monitor service from Monitor > SSIM > Database Status.

In the details pane of the Database Status view, the Database Health Monitor area displays one of the following status indicators: OK, Warning, Alarm, or Critical.

The Warning, Alarm, and Critical status indicators appear in the following circumstances:

■ The Warning indicator appears if a tablespace reaches 60 percent of total capacity. It also appears if a tablespace reaches the Safe Level parameter in the Automated Purge area of Settings > Database > Maintenance Options.


■ The Alarm indicator appears if a tablespace reaches 70 percent of total capacity. It also appears if a tablespace reaches the Alarm Level parameter in the Automated Purge area of Settings > Database > Maintenance Options. If a tablespace reaches the Alarm threshold, data is purged automatically until the size falls under the configured safe level.

■ The Critical indicator appears if a tablespace reaches 95 percent of total capacity. The tablespace size can reach the critical level in certain situations. For example, a lengthy backup might delay a scheduled health check at the same time that a high number of new incidents are generated. In this case, the tablespace size can reach the critical level before the health check is run. If the tablespace size reaches the critical level, data is purged automatically. Event logging and correlation are suspended during the purge, and resume once the size falls under the configured safe level.

About purging event summary, alerts, and incident data

Summary events, alerts, and incident data are purged as follows:

Daily maintenance purge: An automatic daily purge is performed for all the data that does not meet the configured retention criteria. You can configure the retention period for the data. You can also configure the types of incidents and alerts that should be retained or purged, based on their status. See “Adjusting parameters for automated purges” on page 364.

Manual purge: A purge of data that you can initiate at any time. See “Purging incident or event summary data” on page 376. See “Purging selective backup files” on page 378.

See “About database maintenance” on page 361.

The database is automatically reorganized after a purge whenever necessary.

Note: In some situations, the size of a tablespace can reach the critical level, which is 95 percent of total capacity. When this threshold is reached, a purge is initiated automatically, and event logging and correlation are suspended until the size falls under the safe level.


Adjusting parameters for automated purges

During the daily maintenance purge, data is purged automatically using the following default criteria:

■ All Hourly (Short Term) Summary events more than eight days old are purged from the event data.

■ All Daily, Weekly, Monthly (Long Term) Summary events more than 60 days old are purged from the event data. Summary event data is used in event reports. By default, report data is retained for 30 days.

■ All Closed incidents or Open incidents more than 30 days old are purged.

■ All Closed Alerts, and Deleted Alerts that are more than 30 days old are purged.

You can adjust the parameter values for the daily maintenance purge to suit your needs. Do not increase the retention periods unless it is necessary. Depending on your deployment, event data can fill the tablespace quickly and lead to frequent size-based purges.

To adjust parameters for daily automated purges

1 In the Web configuration interface, go to Settings > Database > Maintenance Options.

2 In the details pane, under the Automated Purge area, to specify the type of data to purge, select the options that you want from the following:

■ Hourly (or Short Term) Event Summary Data

■ Daily (or Long Term) Event Summary Data

■ Incidents, Alerts, and Tickets

3 Under Incidents, Alerts and Tickets, select one or more of the following:

■ Closed Incidents

■ Deleted Incidents

■ Open Incidents

■ Closed Tickets

■ Open Tickets

■ Closed Alerts

■ Deleted Alerts

■ Open Alerts


4 In the box where you specify how many days of data to retain, type a number.

The default data retention value is seven days. Only the summary events, incidents, and alerts that are more than seven days old are purged.

5 You also need to set the values for the safe level and alarm levels in thecorresponding boxes.

See “Setting the safe level and the alarm level for automated purges” on page 365.

6 To apply your changes, click Apply.
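The following Python script is an added example and is not part of the Symantec guide or the product. It applies the daily maintenance purge criteria listed above (retention period per data type, plus the incident, alert, and ticket states selected under Incidents, Alerts and Tickets) to a constructed set of records, so you can see which rows a given Automated Purge configuration would remove before you change the retention period or the selected states. The same type, state, and age criteria are what you choose for a manual purge (page 376). The Record layout, the function names, the retention defaults used (the figures listed above), and the sample data are assumptions for illustration; the guide does not describe the database schema.

```python
"""Added example (not from the Symantec guide): dry run of the daily
maintenance purge criteria against constructed records."""

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Record:
    kind: str          # "summary_hourly", "summary_long_term", "incident", "alert" or "ticket"
    state: str         # "open", "closed" or "deleted"; empty for summary data
    created: datetime


@dataclass(frozen=True)
class PurgeConfig:
    """Automated Purge settings.  Retention values are the defaults the guide lists
    (assumed here): hourly summaries 8 days, long-term summaries 60 days,
    incidents/alerts 30 days."""
    hourly_days: int = 8
    long_term_days: int = 60
    incident_days: int = 30
    # "kind:state" pairs ticked under Incidents, Alerts and Tickets.  The default
    # selection purges closed and open incidents and closed and deleted alerts.
    selected_states: frozenset = frozenset(
        {"incident:closed", "incident:open", "alert:closed", "alert:deleted"})


def is_purgeable(rec: Record, cfg: PurgeConfig, now: datetime) -> bool:
    """True when the daily purge would remove this record ("more than N days old")."""
    age_days = (now - rec.created).days
    if rec.kind == "summary_hourly":
        return age_days > cfg.hourly_days
    if rec.kind == "summary_long_term":
        return age_days > cfg.long_term_days
    if rec.kind in ("incident", "alert", "ticket"):
        # A state that is not selected is never purged, whatever its age.
        return f"{rec.kind}:{rec.state}" in cfg.selected_states and age_days > cfg.incident_days
    raise ValueError(f"unknown record kind {rec.kind!r}")


def plan_daily_purge(records, cfg: PurgeConfig, now: datetime):
    """Split records into (purge, keep) lists without deleting anything."""
    purge = [r for r in records if is_purgeable(r, cfg, now)]
    keep = [r for r in records if not is_purgeable(r, cfg, now)]
    return purge, keep


def count_by_kind(records) -> dict:
    """Number of records per kind, for a quick before/after comparison."""
    counts = {}
    for r in records:
        counts[r.kind] = counts.get(r.kind, 0) + 1
    return counts


# Constructed sample data; "now" is pinned so the result is reproducible.
NOW = datetime(2011, 6, 1, tzinfo=timezone.utc)


def aged_days(days: int) -> datetime:
    """Creation timestamp exactly `days` days before NOW."""
    return NOW - timedelta(days=days)


SAMPLE_RECORDS = [
    Record("summary_hourly", "", aged_days(9)),        # purged: more than 8 days old
    Record("summary_hourly", "", aged_days(8)),        # kept: exactly 8 days is not "more than"
    Record("summary_long_term", "", aged_days(61)),    # purged
    Record("summary_long_term", "", aged_days(45)),    # kept
    Record("incident", "closed", aged_days(31)),       # purged
    Record("incident", "open", aged_days(31)),         # purged: Open Incidents is selected by default
    Record("incident", "deleted", aged_days(90)),      # kept: Deleted Incidents is not selected
    Record("alert", "deleted", aged_days(40)),         # purged
    Record("alert", "open", aged_days(40)),            # kept: Open Alerts is not selected
    Record("ticket", "closed", aged_days(120)),        # kept: no ticket state is selected
]


if __name__ == "__main__":
    purge, keep = plan_daily_purge(SAMPLE_RECORDS, PurgeConfig(), NOW)
    print("purge:", count_by_kind(purge))
    print("keep :", count_by_kind(keep))
    # A longer incident retention keeps the 31-day and 40-day rows.
    purge60, _ = plan_daily_purge(SAMPLE_RECORDS, PurgeConfig(incident_days=60), NOW)
    print("purge with 60-day incident retention:", count_by_kind(purge60))
```

The boundary case at exactly eight days is deliberately included: the guide says "more than eight days old", so a record created exactly eight days ago survives one more day. Run the plan against an export of your own record ages before raising a retention period, since the guide warns that longer retention leads to more frequent size-based purges.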

Setting the safe level and the alarm level for automated purges

In most deployments you do not need to adjust the thresholds for automated purges. They are designed to help maintain the Information Manager server automatically, and to help you evaluate database usage on the Information Manager server. If the alarm threshold for summary events is triggered frequently, consider ways to reduce the flow of data to the server instead of increasing the threshold values.

If necessary, you can configure the following parameters for automated purges based on size:

Alarm Level: The percentage of total tablespace capacity at which the automated, size-based purge is triggered. The Alarm Level value must be less than the critical level, which is 95 percent of total capacity. The critical level cannot be changed. By default, the Alarm Level for both summary events and incidents is 70 percent.

Safe Level: The percentage of total capacity at which the size-based purge operation stops. The Safe Level value must be at least 10 percent less than the Alarm Level. By default, the Safe Level for both summary events and incidents is 60 percent.

The summary events and incidents tablespaces are monitored independently. For example, the thresholds for incidents apply to the size of the incidents tablespace, regardless of the size of the summary events tablespace.


To configure the alarm level and safe level values for automated purges

1 Go to Settings > Database > Maintenance Options.

2 In the details pane, in the Automated Purge section, in Safe Level and Alarm Level, type a new percentage value.

3 To apply your changes, click Apply.
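The following Python script is an added example and is not part of the Symantec guide or the product. It models the Database Health Monitor indicators described on page 362 and the Safe Level and Alarm Level rules described above, so that a proposed pair of values can be checked against the constraints before it is typed into Settings > Database > Maintenance Options, and so that the indicator and purge behaviour for a given tablespace usage can be predicted. Assumptions that the guide does not state: the Warning indicator is taken to fire at the Safe Level and the Alarm indicator at the Alarm Level (which coincides with the 60 and 70 percent defaults), the "10 percent less" gap is read as 10 percentage points, a size-based purge is modelled as stopping just under the Safe Level, and the overall indicator is the worst of the two independently monitored tablespaces.

```python
"""Added example (not from the Symantec guide): Safe/Alarm Level validation and
Database Health Monitor indicator model for the two monitored tablespaces."""

from dataclasses import dataclass

CRITICAL_LEVEL = 95        # fixed by the product and cannot be changed
MIN_SAFE_ALARM_GAP = 10    # Safe Level must be at least 10 points below Alarm Level (assumed reading)
SEVERITY = ["OK", "Warning", "Alarm", "Critical"]


@dataclass(frozen=True)
class PurgeThresholds:
    """Automated Purge settings for one tablespace (summary events or incidents)."""
    safe_level: int = 60    # product default
    alarm_level: int = 70   # product default

    def validate(self) -> list:
        """Return the constraint violations; an empty list means the values are acceptable."""
        problems = []
        if not 0 < self.safe_level < 100 or not 0 < self.alarm_level < 100:
            problems.append("levels must be percentages between 1 and 99")
        if self.alarm_level >= CRITICAL_LEVEL:
            problems.append(f"Alarm Level {self.alarm_level} must be below the "
                            f"critical level ({CRITICAL_LEVEL})")
        if self.safe_level > self.alarm_level - MIN_SAFE_ALARM_GAP:
            problems.append(f"Safe Level {self.safe_level} must be at least "
                            f"{MIN_SAFE_ALARM_GAP} points below Alarm Level {self.alarm_level}")
        return problems


def health_status(used_percent: float, t: PurgeThresholds) -> str:
    """Indicator the Database Health Monitor shows for one tablespace."""
    if used_percent >= CRITICAL_LEVEL:
        return "Critical"
    if used_percent >= t.alarm_level:
        return "Alarm"
    if used_percent >= t.safe_level:
        return "Warning"
    return "OK"


def size_based_purge(used_percent: float, t: PurgeThresholds) -> dict:
    """Model the automated size-based purge for one tablespace.
    Below the Alarm Level nothing happens.  At or above it, data is purged until
    usage falls under the Safe Level.  At or above the critical level the purge
    also suspends event logging and correlation until usage is under the Safe Level."""
    if used_percent < t.alarm_level:
        return {"purged": False, "logging_suspended": False, "after": used_percent}
    return {"purged": True,
            "logging_suspended": used_percent >= CRITICAL_LEVEL,
            "after": min(used_percent, t.safe_level - 1)}


def overall_status(usage: dict, thresholds: dict) -> str:
    """Worst indicator across tablespaces, each judged against its own thresholds."""
    worst = "OK"
    for name, used in usage.items():
        status = health_status(used, thresholds[name])
        if SEVERITY.index(status) > SEVERITY.index(worst):
            worst = status
    return worst


if __name__ == "__main__":
    # Constructed usage figures, not real appliance data.
    thresholds = {"summary_events": PurgeThresholds(), "incidents": PurgeThresholds()}
    usage = {"summary_events": 72.0, "incidents": 41.0}
    for name, used in usage.items():
        print(name, used, health_status(used, thresholds[name]),
              size_based_purge(used, thresholds[name]))
    print("overall:", overall_status(usage, thresholds))
    print("proposed 65/70:", PurgeThresholds(65, 70).validate())
    print("proposed 80/95:", PurgeThresholds(80, 95).validate())
```

The two rejected proposals at the end show the checks a practitioner wants before touching the settings: 65/70 leaves only a five-point gap, and 95 collides with the fixed critical level. Note that raising the Alarm Level only delays the size-based purge; as the guide says, the lasting fix for frequent alarms is to reduce the flow of data into the server.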


Chapter 24. Managing data backup, restore, and purge

This chapter includes the following topics:

■ About backup, restore, and purge

■ Performing a complete LDAP directory server backup

■ Performing a complete LDAP directory server restore

■ Performing a complete database backup

■ Performing a complete database restore

■ Performing a selective backup

■ Performing a selective restore

■ Scheduling a backup

■ Editing a scheduled backup

■ Deleting a scheduled backup

■ Purging incident or event summary data

■ Purging selective backup files

About backup, restore, and purge

Symantec Security Information Manager uses an IBM DB2 database to store event summary, incident, ticket, asset, rule, and report data. The Backup and Restore feature in Information Manager lets you perform maintenance tasks such as backup, restore, and purge. You can back up an existing Information Manager database. You can also back up the LDAP directory server and perform a selective backup. You can use an existing backup to restore an Information Manager database. You can also restore the LDAP directory server from an existing backup, and you can perform a selective restore of the components that were selectively backed up.

Event summary data, incidents, tickets, and alerts can be purged manually. You can also perform a selective purge of the files that were selectively backed up.

Purges can also be carried out automatically on a daily basis, according to the configured options, to prevent database overload.

See “Adjusting parameters for automated purges” on page 364.

Performing a complete LDAP directory server backup

To perform an LDAP backup operation, you must use LDAP credentials with administrative privileges. You can also enter an encryption password, which is used to encrypt the backup file. The same encryption password is then required to restore the LDAP directory from that backup.

A complete LDAP backup is permitted only on the directory server.

Warning: If you work with the Information Manager client during the backup process, you may see authentication errors. These errors occur because the directory server is shut down during the backup process.

To back up the LDAP directory server

1 Log on to the Web configuration interface with Administrator credentials.

2 Click Maintenance > Backup and Restore > Backup.

3 From the options, select Full LDAP Backup.

4 Type the directory administrator (cn=root) user name in LDAP distinguished name format, and the password.

The user name in LDAP distinguished name format and the password of the LDAP user are mandatory.

5 (Optional) You can also supply an encryption password that encrypts the backup data. If a password is supplied here, the same encryption password is required during restore.

6 Click Backup Data.

See “Performing a selective backup” on page 371.


See “Performing a complete database backup” on page 370.

Performing a complete LDAP directory server restore

You can initiate a complete restore of the LDAP directory server by using the Full LDAP Restore option on the Restore view of the Web configuration interface. To perform an LDAP restore operation, you must use LDAP credentials with administrative privileges.

The tools in the LDAP Restore script use the ldifbackup file to restore the directory. To use a different file, you must rename the file to ldifbackup and ensure that the file is included in the following folder on the server:

/dbsesa/backup/ldap

The root directory includes the /dbsesa/backup/ldap folder and the ldifbackup file in the ldap folder. Both must be owned by root. Connect to the Information Manager server over an SSH connection, change to the root user, and run the following commands:

chown root:root /dbsesa/backup/ldap

chown root:root /dbsesa/backup/ldap/ldifbackup

You must not restore an LDAP backup on an Information Manager server for which replication is configured. Doing so may corrupt the data on the Information Manager server and stop some services from functioning normally.

To perform a complete LDAP directory server restore

1 Log on to the Web configuration interface with Administrator credentials.

2 Click Maintenance > Backup and Restore > Restore.

3 From the options, select Full LDAP Directory Server Restore.

4 Type the directory administrator (cn=root) user name in LDAP distinguished name format, and the password.

The user name in LDAP distinguished name format and the password of the LDAP user are mandatory.

5 If an encryption password was supplied when the backup was created, type the same password here. The backup cannot be restored without it.

6 Click Restore.

After the restore is complete, the Information Manager Web configuration interface is closed and the Information Manager server restarts automatically. An active Information Manager console is also closed after the restore.
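The following Python script is an added example and is not part of the Symantec guide or the product. It is a preflight check for the file staging that the Full LDAP Directory Server Restore above expects: the backup file must be named ldifbackup, it must be placed in /dbsesa/backup/ldap, both the folder and the file must be owned by root:root (the effect of the two chown commands), and the restore must not be run on a server that has replication configured. The function names, the replication_configured flag (the guide does not say how to detect replication, so the caller has to supply it), and the scratch-directory dry run with a placeholder file are assumptions for illustration.

```python
"""Added example (not from the Symantec guide): stage the ldifbackup file and
check the prerequisites before starting a Full LDAP Directory Server Restore."""

import os
import shutil
import tempfile

LDAP_BACKUP_DIR = "/dbsesa/backup/ldap"
LDIF_NAME = "ldifbackup"
ROOT = (0, 0)   # uid:gid that the guide's chown root:root commands set


def stage_ldif_backup(source, backup_dir=LDAP_BACKUP_DIR, owner=ROOT):
    """Copy `source` into backup_dir under the fixed name ldifbackup and set the
    owner of both the folder and the file.  With the defaults this is the guide's
    procedure and must run as root on the appliance; pass a scratch directory and
    your own uid/gid for a dry run."""
    os.makedirs(backup_dir, exist_ok=True)
    target = os.path.join(backup_dir, LDIF_NAME)
    shutil.copyfile(source, target)
    uid, gid = owner
    os.chown(backup_dir, uid, gid)   # chown root:root /dbsesa/backup/ldap
    os.chown(target, uid, gid)       # chown root:root /dbsesa/backup/ldap/ldifbackup
    return target


def check_ldif_staging(backup_dir=LDAP_BACKUP_DIR, owner=ROOT, replication_configured=False):
    """Return the reasons the restore must not be started; an empty list means go."""
    problems = []
    if replication_configured:
        problems.append("replication is configured on this server; an LDAP restore "
                        "here may corrupt data and stop services")
    target = os.path.join(backup_dir, LDIF_NAME)
    if not os.path.isdir(backup_dir):
        problems.append(f"{backup_dir} does not exist")
        return problems
    if not os.path.isfile(target):
        problems.append(f"{target} is missing; rename the backup file to {LDIF_NAME}")
        return problems
    if os.path.getsize(target) == 0:
        problems.append(f"{target} is empty")
    for path in (backup_dir, target):
        st = os.stat(path)
        if (st.st_uid, st.st_gid) != owner:
            problems.append(f"{path} is owned by {st.st_uid}:{st.st_gid}, "
                            f"expected {owner[0]}:{owner[1]}")
    return problems


def dry_run():
    """Exercise staging and checking in a scratch directory with a constructed
    placeholder file (no root needed).  Returns the problem list per scenario."""
    me = (os.getuid(), os.getgid())
    scratch = tempfile.mkdtemp(prefix="ssim-ldap-")
    try:
        backup_dir = os.path.join(scratch, "ldap")
        source = os.path.join(scratch, "directory-export.ldif")
        with open(source, "w") as fh:
            fh.write("dn: cn=root\nobjectClass: top\n")   # constructed placeholder, not a real export
        missing = check_ldif_staging(backup_dir, owner=me)       # nothing staged yet
        stage_ldif_backup(source, backup_dir, owner=me)
        staged = check_ldif_staging(backup_dir, owner=me)        # correctly staged
        replicated = check_ldif_staging(backup_dir, owner=me, replication_configured=True)
        return {"missing": missing, "staged": staged, "replicated": replicated}
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


if __name__ == "__main__":
    for scenario, problems in dry_run().items():
        print(f"{scenario}: {'OK' if not problems else '; '.join(problems)}")
```

On the appliance, run `check_ldif_staging()` with its defaults as root immediately before clicking Restore; any non-empty result is a reason to stop, because the restore closes the Web configuration interface and restarts the server whether or not the staged file was the one you intended.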


See “Performing a selective restore” on page 373.

See “Performing a complete database restore” on page 370.

Performing a complete database backup

You can initiate a complete backup of the database using the Full Database Backup option on the Backup view of the Web configuration interface. This backup operation is independent of any automated backup operations that may be enabled. The complete database backup can affect the performance of the Information Manager server.

To perform a complete database backup

1 Log on to the Web configuration interface with Administrator credentials.

2 Click Maintenance > Backup and Restore > Backup.

3 From the options, select Full Database Backup and then click Backup.

4 Click OK in the confirmation message box. The full backup operation is a lengthy process and affects server performance. The complete backup process is initiated for the database, and a notification is displayed in the details pane.

See “Performing a selective backup” on page 371.

See “Performing a complete LDAP directory server backup” on page 368.

Performing a complete database restore

You can initiate a complete restore of the database using the Full Database Restore option on the Restore view of the Web configuration interface. All the available backup images are listed according to the date and time at which each backup was created.

The complete database restore takes the Information Manager server offline for the duration of the operation.

To perform a complete database restore

1 Log on to the Web configuration interface with Administrator credentials.

2 Click Maintenance > Backup and Restore > Restore.

3 From the options, select Full Database Restore.


4 In the details pane, from the Restore from drop-down list, select the backup file that you want to restore.

The backup files are listed by the date and time at which each backup was created.

5 Click Restore.

Warning: The Information Manager server is offline during this operation. After the restore is complete, the Information Manager Web configuration interface is closed and the Information Manager server restarts automatically. An active Information Manager console is also closed after the restore.

See “Performing a selective restore” on page 373.

See “Performing a complete LDAP directory server restore” on page 369.

Performing a selective backup

Information Manager lets you back up and restore data selectively. You can select the items for backup from the various components that are available for backup. The backup can be run immediately, or you can schedule it for a later time. The backup data can also be stored on a mounted file system, which may be a remote location. The destination location can be configured through the Web configuration interface.

The directory administrator (cn=root) logon credentials for LDAP must be provided for a selective backup. You can then select any or all of the following items for backup:

Incidents Data: Lets you back up the data that is associated with incidents, alerts, and tickets.

Assets Data: Lets you back up the data that is associated with assets used in Information Manager.

Services: Lets you back up the data that is associated with services used in Information Manager.

Networks: Lets you back up the data that is associated with networks in Information Manager.

Policies: Lets you back up the data that is associated with policies used in Information Manager.

Locations: Lets you back up the data that is associated with locations used in Information Manager.

Operating systems: Lets you back up the data that is associated with the operating systems used by Information Manager.

Product Configurations: Lets you back up the data that is associated with Collectors, Agent Sensors, Appliances, Agents, and Help desk configurations.

Published Reports: Lets you back up the published reports.

Published Queries: Lets you back up the published queries.

Rules: Lets you back up the data that is associated with user rules as well as system rules.

Event Filters: Lets you back up the data that is associated with user filters as well as system filters.

Monitors: Lets you back up the data that is associated with user monitors as well as system monitors.

Lookup tables: Lets you back up the data that is associated with user lookup tables as well as system lookup tables.

Paging services: Lets you back up the data that is associated with paging services in Information Manager.

Users: Lets you back up the data that is associated with the users in Information Manager, such as My Reports or My Queries. The roles that are assigned to users are not backed up when you back up the Users component.

User groups: Lets you back up the data that is associated with the user groups in Information Manager.

Roles: Lets you back up the data that is associated with the roles assigned to users as well as to user groups in Information Manager.

Appliance configurations: Lets you back up the data that is associated with Event Storage rules, Incident Forwarding rules, and Correlation Forwarding rules.

Managed reports: Lets you back up the reports that can be downloaded from the Information Manager Web configuration interface.

To perform a selective backup

1 Log on to the Web configuration interface with Administrator credentials.

2 Click Maintenance > Backup and Restore > Backup.


3 From the options, select Selective Backup and then type the directory administrator (cn=root) user name, in LDAP distinguished name format, and the password.

Providing the directory administrator (cn=root) logon credentials for LDAP is mandatory for a selective backup.

4 From the Components list, select the items for backup.

5 Type the file path, or click Reset to default to set the default file path for storing the backup file.

You can provide the path of a mounted file system if you choose to store the backup files there.

6 Click Backup to run an immediate backup, or click Schedule Backup.

A backup complete notification is displayed in the details pane. The selected items are backed up and saved at the file path provided.

See “Performing a complete database backup” on page 370.

See “Performing a complete LDAP directory server backup” on page 368.

See “Scheduling a backup” on page 374.

Performing a selective restore

Information Manager lets you back up and restore data selectively. From the list of backup files, you can select the components that need to be restored. You can select and restore only the data items that you require, instead of restoring all the data to an earlier state.

If the backup file was created on a different Information Manager server, components that are associated with the database may not be available for restore. Some of the LDAP components are also not available for restore if the backup file was created on a different Information Manager server.

The directory administrator (cn=root) logon credentials for LDAP must be provided for a selective restore.

Warning: If you used a Network File System (NFS) mounted directory for the backup, ensure that the NFS server is running during the selective restore. If the NFS server is not running, ensure that the Information Manager server does not use any NFS mounted directory from that NFS server.


To perform a selective restore

1 Log on to the Web configuration interface with Administrator credentials.

2 Click Maintenance > Backup and Restore > Restore.

3 From the options, select Selective Restore and then type the directory administrator (cn=root) user name, in LDAP distinguished name format, and the password.

Providing the directory administrator (cn=root) logon credentials for LDAP is mandatory for a selective restore.

4 From the backup files list, select the file whose backup components need to be restored.

5 From the restore list, check the components that need to be restored.

The listed components are the items that were selected during the selective backup.

6 Click Restore.

Warning: The Information Manager server is offline during this operation. After the restore is complete, the Information Manager Web configuration interface is closed and the Information Manager server restarts automatically. An active Information Manager console is also closed after the restore.

See “Performing a complete database restore” on page 370.

See “Performing a complete LDAP directory server restore” on page 369.

Scheduling a backup

You can schedule a backup to run once on a specific date, daily, weekly, or monthly. A user must have administrative privileges to schedule a backup. You can schedule selective backups only; you cannot schedule full database backups or full LDAP backups. You must provide the directory administrator (cn=root) logon credentials for LDAP when you schedule a backup.

Information Manager lets you schedule only one backup at a time. To create a new schedule, you can either edit the current schedule or delete the current schedule and create a new one.

To schedule a backup

1 Log on to the Web configuration interface using Administrator credentials.

2 Click Maintenance > Backup and Restore > Backup.


3 From the options, select Selective Backup and then type the directory administrator (cn=root) user name, in LDAP distinguished name format, and the password.

Providing the directory administrator (cn=root) logon credentials for LDAP is mandatory for a selective backup.

4 From the Components list, select the items for backup.

5 Type the file path, or click Reset to default to set the default file path for storing the backup file.

You can provide the path of a mounted file system if you choose to store the backup files there.

6 Click Schedule Backup and specify the details for scheduling the backup.

Enter the following details as required:

Frequency: Lets you select the frequency for the scheduled backup. The frequency can be once on a specified day, daily, weekly, or monthly.

At: Lets you select the time at which the scheduled backup must run.

Starts on: Lets you select the date on which the scheduled backup must begin. You can select today's date or any later date.

Every: For a daily frequency, lets you select the interval in days at which the scheduled backup runs. For a weekly frequency, the interval in weeks. For a monthly frequency, the interval in months.

On: For a weekly frequency, lets you select the day of the week on which the scheduled backup runs. For a monthly frequency, lets you select either a day of the month or the last day of the month.

If a backup is already scheduled, Schedule Backup is disabled. To create a new schedule, you can edit the current schedule or delete the current schedule and create a new one.

7 Click Save Schedule.

See “Editing a scheduled backup” on page 376.


See “Deleting a scheduled backup” on page 376.

Editing a scheduled backup

Information Manager lets you run a single schedule at a time. Therefore, to create a new schedule, you modify or delete the existing schedule.

To edit a scheduled backup

1 Log on to the Web configuration interface using Administrator credentials.

2 Click Maintenance > Backup and Restore > Backup.

3 From the options, select Selective Backup.

4 Click Edit and edit the details of the schedule.

5 Click Save Schedule.

See “Scheduling a backup” on page 374.

See “Deleting a scheduled backup” on page 376.

Deleting a scheduled backup

Information Manager lets you run a single schedule at a time. Therefore, to create a new schedule, you modify or delete the existing schedule.

To delete a scheduled backup

1 Log on to the Web configuration interface using Administrator credentials.

2 Click Maintenance > Backup and Restore > Backup.

3 From the options, select Selective Backup and then click Delete.

See “Editing a scheduled backup” on page 376.

Purging incident or event summary data

On the Information Manager, you can select and purge events, incidents, tickets, and alerts based on their status or on the data type. You also have the option to purge all the data associated with incidents and event summaries. The Information Manager server restarts automatically after all of the selected data is purged. Back up the database before you purge data.

To purge selected incident or event summary data

1 Log on to the Web configuration interface with Administrator credentials.

2 Click Maintenance > Backup and Restore > Purge.


3 From the options, select Purge Incident or Event Summary Data.

4 From the Purge view, check the data type items that you want to purge.

Hourly (or Short Term) Event Summary Data: Lets you purge hourly event summary data older than the specified number of days. Type the required number of days in the Older than column. By default, the value is set to seven days.

Daily, Weekly, Monthly (or Long Term) Event Summary Data: Lets you purge daily event summary data based on age. Type the required number of days in the Older than column. By default, the value is set to seven days.

Incidents, Alerts and Tickets: Lets you select incidents, alerts, and tickets for purging based on their age and state. Type the required number of days in the Older than column. By default, the value is set to seven days.

■ Closed Incidents: Lets you purge closed incidents that are older than the specified number of days.

■ Deleted Incidents: Lets you purge deleted incidents.

■ Open Incidents: Lets you purge open incidents.

■ Closed Alerts: Lets you purge closed alerts.

■ Open Alerts: Lets you purge open alerts.

■ Deleted Alerts: Lets you purge deleted alerts.

■ Closed Tickets: Lets you purge closed tickets.

■ Open Tickets: Lets you purge open tickets.

5 Click Purge.

To purge all incident or event summary data

1 Log on to the Web configuration interface with Administrator credentials.

2 Go to Maintenance > Backup and Restore > Purge.

3 From the options, select Purge Incident or Event Summary Data.


4 From the Purge All view, check the options that are required for purging.

5 Click Purge All.

See “Purging selective backup files” on page 378.

Purging selective backup files

In Information Manager, you can select and purge backup files. Only those backup files that were selectively backed up can be purged. You can view and select any of the components that are backed up in a .bckp file for purging.

Warning: If you used a Network File System (NFS) mounted directory for backup, make sure that the NFS server is running during the purge. If the NFS server is not running, make sure that the Information Manager server does not use any NFS mounted directory from that NFS server.

To purge selective backup files

1 Log on to the Web configuration interface with Administrator credentials.

2 Click Maintenance > Backup and Restore > Purge.

3 From the options, select Purge Selective Backup Files.

4 From the list of backup files, select the file that you want to purge and then click Purge.

See “Purging incident or event summary data” on page 376.


Section 8

Appendix

■ Appendix A. Firewall Settings for the Information Manager


Appendix A

Firewall Settings for the Information Manager

This appendix includes the following topics:

■ Firewall settings

Firewall settings

The iptables firewall policy on the Information Manager server is configured to block all ports except the following:

■ 22 (SSH)

■ 443 (HTTPS)

■ 636 (LDAPS)

■ 3539 (ibmdiradm)

■ 3700 (db2tcpcm)

■ 10010 (simserver)

■ 10012 (eventservice)

■ 50000 (db2tcp)

■ 10099-49999 (Ethereal ports)

■ 10514-10650 (Collector ports)

Table A-1 shows the list of ports that Symantec Security Information Manager uses. It also shows the service that uses each port and whether the service is blocked by the firewall that is running on the server. In addition, it shows the network protocol that is associated with the service.


Table A-1 Ports used by Information Manager

Port | Service/Process | Blocked by firewall | Protocol
22 | Linux Secure Shell (SSH) service/SSH | No | TCP
80 | IBM Apache Web server (HTTPD)/http | Yes | TCP
443 | Secure Sockets Layer (HTTPS)/https | No | TCP
636 | IBM Tivoli (LDAP) Directory Service/ldaps | No | TCP
3539 | IBM Tivoli (LDAP) Directory Service/ibmdiradm | No | TCP
3700 | IBM DB2 database service/Db2tcpcm | No | TCP
5998 | Symantec Event Agent | No | TCP
8090 | Information Manager Tomcat eventservice/eventservice | Yes | TCP
10010 | simserver | No | TCP
10012 | Event forwarding port/eventservice | No | TCP
10021 | simserver (The simserver service is responsible for correlating events and generating incidents.) | Yes | TCP
10022 | eventservice | Yes | TCP
18777 | Information Manager service monitor/Svclauncher | Yes | UDP
50000 | IBM DB2 database service/Db2tcpcm | No | TCP
127.0.0.1:8005 | Shut down port for Information Manager Tomcat service/Manager | Yes | TCP
127.0.0.1:8009 | modjk connector for Information Manager Tomcat service/Manager | Yes | TCP
127.0.0.1:8015 | modjk connector for Information Manager Tomcat eventservice/eventservice | Yes | TCP
127.0.0.1:8019 | modjk connector for Information Manager Tomcat eventservice/eventservice | Yes | TCP
127.0.0.1:8025 | Web Services/Wsrf | Yes | TCP
127.0.0.1:8029 | Web Services/Wsrf | Yes | TCP
127.0.0.1:8086 | Symantec Event Agent (Collects and forwards the events to the Information Manager server.) | Yes | TCP
127.0.0.1:8889 | QueueMonitor | Yes | TCP
127.0.0.1:10030 | Information Manager Database Management Utility/Simdbmu | Yes | TCP
127.0.0.1:10050 | HelpDeskEventSink/Manager | Yes | TCP
127.0.0.1:10080 | assetsvc (The assetsvc service is responsible for storing the assets information.) | Yes | TCP
127.0.0.1:55550 | Rx protocol service/rxservice | Yes | TCP
127.0.0.1:55557 | assetsvc | Yes | TCP
127.0.0.1:55558 | notificationsvc (The notificationsvc service notifies the users of the various activities happening on the Information Manager server. A notification needs to be created for the service.) | Yes | TCP
127.0.0.1:55559 | rulesvc (The rulesvc service is responsible for the creating, updating, and deployment of rules.) | Yes | TCP
127.0.0.1:55560 | dimserver (The dimserver service is responsible for polling the GIN Server and retrieving Global Intelligence data and intelligence feeds.) | Yes | TCP
127.0.0.1:55561 | schedulersvc (The schedulersvc service lets you schedule execution of different activities on a given time period, for example scheduling reports.) | Yes | TCP
127.0.0.1:55562 | icesvc (The ice service is responsible for storing and retrieving incidents, conclusions, and events into and from the database.) | Yes | TCP
127.0.0.1:55566 | kbsvc (The kbsvc service provides the knowledge base for LiveUpdate data.) | Yes | TCP
127.0.0.1:55567 | ticketsvc (The ticketsvc service is used for creating and storing tickets.) | Yes | TCP
127.0.0.1:55568 | eventfindersvc (The eventfindersvc service provides the functionality for accessing the event archives.) | Yes | TCP
127.0.0.1:55569 | querysvc (The querysvc service is used for querying the database and to manage Queries and Reports.) | Yes | TCP
127.0.0.1:55570 | statsvc (The statsvc service provides statistics for the Information Manager server.) | Yes | TCP
127.0.0.1:55571 | configurationsvc (The configurationsvc service synchronizes the Information Manager role and services running on the Information Manager server.) | Yes | TCP
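The allow list and Table A-1 together define what an administrator should expect to see listening on the appliance: a small set of externally reachable ports, a few ports that listen on all interfaces but are blocked by iptables, and a long tail of services that must bind to 127.0.0.1 only. The script below is an added example, not code from the Symantec guide; it transcribes those three sets from the appendix and checks a socket listing against them, flagging any documented loopback-only service that is bound to a non-loopback address, any listener that the table says iptables should block (so the administrator knows to confirm the rule), and any listener the table does not document at all. The socket listing is constructed in the column layout of `ss -ltun`; the port sets come from the page. Note that 5998 (Symantec Event Agent) is marked "Blocked by firewall: No" in Table A-1 but is absent from the bullet list above, so the example follows the table.

```python
"""Audit a host's listening sockets against the documented Information
Manager port policy (appendix allow list and Table A-1).

Added example, not part of the product or the guide.  The port sets are
transcribed from Table A-1; the socket listing is a constructed sample in
the column layout of `ss -ltun` (Netid, State, Recv-Q, Send-Q, Local
Address:Port, Peer Address:Port).
"""
import re
from collections import namedtuple

# Table A-1 rows marked "Blocked by firewall: No" (externally reachable TCP).
ALLOWED_TCP = {22, 443, 636, 3539, 3700, 5998, 10010, 10012, 50000}
# Port ranges the iptables policy opens: Ethereal ports and Collector ports.
ALLOWED_TCP_RANGES = ((10099, 49999), (10514, 10650))
# Non-loopback listeners the table marks "Blocked by firewall: Yes".
FIREWALL_BLOCKED = {("tcp", 80), ("tcp", 8090), ("tcp", 10021),
                    ("tcp", 10022), ("udp", 18777)}
# Services the table documents as bound to 127.0.0.1 only.
LOOPBACK_ONLY = {8005, 8009, 8015, 8019, 8025, 8029, 8086, 8889, 10030,
                 10050, 10080, 55550, 55557, 55558, 55559, 55560, 55561,
                 55562, 55566, 55567, 55568, 55569, 55570, 55571}

Listener = namedtuple("Listener", "proto addr port")
Finding = namedtuple("Finding", "listener verdict")

# Constructed sample; it deliberately contains two policy violations
# (icesvc 55562 on all interfaces, undocumented 9999) and two listeners
# that rely on iptables (80 and UDP 18777).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:443          0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:8005       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:55562        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:10600        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:80           0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:18777        0.0.0.0:*
tcp   LISTEN 0      128    [::]:9999            [::]:*
"""

# Netid, state, the two queue counters, then "addr:port" of the local socket.
LINE_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+")


def parse_listeners(text):
    """Return Listener tuples for every tcp/udp row; skip headers and noise."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        listeners.append(Listener(m.group(1), m.group(2), int(m.group(3))))
    return listeners


def is_loopback(addr):
    return addr.startswith("127.") or addr == "[::1]"


def is_allowed_external(port):
    return port in ALLOWED_TCP or any(lo <= port <= hi
                                      for lo, hi in ALLOWED_TCP_RANGES)


def classify(listener):
    """Map one listener to an 'ok', 'check', 'exposed' or 'unknown' verdict."""
    if is_loopback(listener.addr):
        return "ok: bound to loopback"
    if listener.port in LOOPBACK_ONLY:
        return "exposed: documented loopback-only service bound to all interfaces"
    if (listener.proto, listener.port) in FIREWALL_BLOCKED:
        return "check: documented as blocked by iptables, confirm the DROP rule"
    if listener.proto == "tcp" and is_allowed_external(listener.port):
        return "ok: allowed external port"
    return "unknown: listener not documented in Table A-1"


def audit(text):
    return [Finding(l, classify(l)) for l in parse_listeners(text)]


def problems(text):
    """Only the findings that need an administrator's attention."""
    return [f for f in audit(text) if not f.verdict.startswith("ok")]


if __name__ == "__main__":
    for f in audit(SAMPLE_SS_OUTPUT):
        l = f.listener
        print(f"{l.proto} {l.addr}:{l.port:<6} {f.verdict}")
```

On a real appliance the listing would come from `ss -ltun` (or `netstat -ltun` on older images); the "check" verdicts are the rows where the listener itself is expected and only the iptables rule keeps it unreachable, so they should be confirmed against `iptables -L -n` rather than treated as findings on their own.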


Index

A
access rights 47
    See also permissions
    Information Manager console 47
account
    Administrator 62
    default password 61
    Linux 61
Active Directory
    about integrating 313
    configuration
        creating a 314
        editing a 315
        removing 315
        synchronize a 316
Active Directory configurations
    creating
    editing 314
    list
    remove 314
administrative settings
    modifying 344
Agent
    configuring Manager failover 340
    scheduling LiveUpdate 350
agent
    editing agent computer 83
Agent Configurations 333
    batch logging 333
    for 1.1 Agent 333
Agent to Manager failover
    configuring 340
aggregation
    exporting 200
    importing 200
aggregation tables 132
archives. See event archives
    viewing event data 216
assets
    identifying 296
Assets table 250
    about 281
    CIA values 283
    filtering based on operating system 289
    how event correlation uses entries 282
    importing assets 284
    locked and unlocked assets 288
    managing vulnerability scanners 287
    policies 291
    Services tab overview 290
    using a vulnerability scanner to populate the table 287
    using CIA values to identify critical events 289
    using Severity settings 290
    using to reduce false positives 288
    vulnerability information 286
attacks
    sample EMR values 261

B
backup
    about backup and restore view 367
    deleting scheduled backup 376
    editing schedule 376
    performing complete database backup 370
    performing complete LDAP directory server 368
    performing selective backup 371
    scheduling 374
batch logging, Agent 333
blacklisting, configuring 344
BugTraq 250
business information
    users 67
Bypass Event RBAC 45–46

C
CA root certificate
    adding 316
Category field. See EMR
client validation, configuring 346
collector filtering and aggregation
    antivirus examples 275
    creating specifications 269
    events generated by specific internal networks 271
    examples 271
    firewall examples 272
    overview 263
    policy compliance 264
    preparing to create 266
    suggestions 265
    vulnerability assessment examples 276
    Windows Event Log examples 277
collectors. See event collectors
    before you install 165
    components of 164
    configuring point product 189
    configuring raw event logging 195
    installing on remote computer 181
    installation and configuration tasks 167
    installing on Information Manager server 182
    overview 163
    registration 170
    requirements 165
    sensor
        configuring to receive security events 192
        creating new configuration 191
        deleting 193
        disabling 193
        globally updating properties 194
        importing and exporting properties 193
        renaming 193
    sensors
        creating and configuring 190
    universal 186
        downloading and installing 186
    updating hosts file 166
    verifying configuration 184
    verifying installation 182
column sorting in queries 231
Command servlet, configuring 342
computers
    adding
        configuration groups 90
        configurations 86
    adding to organizational units 82
    creating 82
    defined 81
    deleting 94
    distributing configurations 93
    editing agent
        with agent 83
    editing properties 83
    editing without agent 84
    identification information 85
    modifying permissions 94
    moving 93
    specifying
        IP addresses 85
        MAC addresses 85
    viewing
        service properties 91
        services 91
    with agents 81
conclusions
    about 207
    escalating based on severity 132
Confidentiality, Integrity, and Availability values
    assigning 283
configuration groups
    adding to
        computers 90
Configuration service, configuring 342
configurations
    adding to
        computers 86
        organizational units 78
    Agent Configurations 333
    Agent Connection Configurations 339
    distributing
        by way of computer Service properties 91
        to computers 93
        using organizational units 92
    Manager 346
    Manager components 342
console
    configuring 295
contact information
    users 67
Correlation Manager
    about 115
    knowledge base 116
    rule set 116
correlation rules 123. See rules
    about 123
    creating custom 136
create Java LiveUpdate configuration
    general configuration settings 352
    host configuration settings 356
    Java LiveUpdate configuration settings 352
critical systems. See assets

D
DAS
    connecting Information Manager 322
DAS/SAN configuration
    delete 325
    extend storage capacity 323
    restore 324
    unmount 324
DAS/SAN storage
    configuring Information Manager 322
data purge
    adjusting parameters 364
    setting levels 365
data retention 210
data retention entry (days) 214
Database Capacity
    Critical level 363
database
    alarm level 365
    capacity
        viewing percentage used 361
    health monitoring 362
    job status 361
    maintenance of 361
    purging 363
        purge types 363
    safe level 365
    status indicators 362
Date setting
    changing the 307
date values for events 219
DeepSight Threat Management
    normalization and 251
Direct attached storage
    connecting Information Manager 322
disk space, configuring minimum free space 347
Distribute menu option 92–93
domain 305
Domain Administrator role 39
    permissions 56
domain name 305
double-byte characters, for exported Information Manager reports 344

E
effects. See EMR
email address
    notification 71
EMR
    described 253
    Effects
        values 255
    effects 254
    examples 261
    Mechanisms
        values 258
    mechanisms 255
    Resource
        values 261
    resources 258
Ending Event Date column 219
environment diagram. See Visualizer
Event Agent
    uninstalling on Linux and Solaris 176
event archive
    specifying settings 213
event archive viewer
    right pane 217
event archives
    about 210
    about multiple 210
    adding and removing table columns 220
    calendar setting 218
    creating new 211
    date and time range 218
    event details 218
    event date values 219
    filtering 221–224
    modifying table columns 220
    exporting a query 236
    graph 217
    histogram 217
    importing a query 236
    live 216
    local 216
    local client copy
        creating 215
    querying
        Event Query wizard 228
        naming rules 227
        SQL Query wizard 231
        Summary Query wizard 229
    removing an archive from event viewer 217
    restoring 212
    saving data from event viewer 217
    settings 213
    zooming 218
event collectors 31
    functions 31
    installing and configuring 31
    types 31
Event Count rule setting 132
Event Criteria field 129
    operators 130
event data
    purging 363
Event Date column 219
event forwarding
    activating 245
    configuring default forwarding rule 246
    creating a rule 247
    deleting a forwarding rule 248
    described 241
    stopping 248
Event Logger 241
event logging
    configuring for Agent 333
event queries
    about working with 225
    color scheme
        managing used in query results 234
    creating groups 227
    deleting 238
    editing 234
    importing 236
    IP addresses 237
    multiple archives 233
    publishing 237
    scheduling to be distributed as reports 238
    using Source view 226
    using Target View 226
event query
    searching within 221
Event Query wizard 228
event summary data
    purging 376
Event to Conclusion Correlation fields 132
events 249
    See also normalization
    about 207
    about normalization 249
    accessing data in the console 268
    aggregation 200
    filtering 197
    lifecycle 209
    mapping during normalization 251
    role for viewing 40
events view
    about 208
exporting
    queries 235
external storage
    about 318

F
failover 347–348
    configuring
        Agent to Manager 340
fields
    Event Criteria 129
    Event to Conclusion Correlation 132
    operators for event criteria 130
filter configurations
    exporting 197
    importing 197
filtering events 197
filters
    event data 221
forwarding events. See event forwarding
Free space quota setting 214

G
gateway 305
GIN
    about managing 327
Global Intelligence Network 32
    about 311
    configuring view 311
    receiving content updates 329
    registering a license 328
    viewing content status 328

H
histogram
    manipulating the 217
    viewing event details 218
host criticality. See assets
hosts file
    editing 304

I
importing
    queries 235
incident data
    purging 363, 376
Incident Forwarding
    disabling from Service Provider Master 110
incidents
    about 207
    automatic assignment to least busy member 141
    automatic assignment 140
    exporting from Client Incident viewer 107
    synchronizing with Service Provider Master 110
Information Manager
    about 19
    components 30
    event lifecycle 208
    features 22
    overview 19
    workflow 29
Information Manager components
    event collectors 31
    Global Intelligence Network 32
    Information Manager server 32
    security products and devices 31
    Web service 32
Information Manager configurations
    about 342
Information Manager console
    creating tickets for Service Provider Master 106
    modify access rights 47
    Move menu option 93
    preventing timeout 344
Information Manager console access rights
    adding to roles 47
Information Manager server 32
    configuring for Service Provider Master 107
    Service Provider examples 102
    using as a service provider 101
Information Manager Web service 32
Information Manager workflow 29
installation
    collector
        remote computer 181
inventory, configuring for Agent 333
IP address 305
    specifying for computers 85
IP addresses
    querying for 237

K
knowledge base
    Correlation Manager 116

L
LDAP directory accounts 62
Linux account 61
LiveUpdate
    normalization and 251
    running from Web configuration interface 313
    running the 312
    scheduling
        Agent 350
        Manager 350
LiveUpdate Java
    about 348
    creating configuration 349
    distribute configuration 358
    edit configuration properties 357
    modify configuration 351
local event archives
    viewing 216
logging
    configuring for Agent 333
logon failure, configuring blacklisting 344
Lookup Table Update
    create rule 150
Lookup Tables 152
    records 159
    user-defined 157

M
MAC addresses
    specifying for computers 85
Manager
    configuring 342, 346
        Agent connections 339
        Manager connections 347
    scheduling LiveUpdate 350
Max archive quota setting 214
Mechanisms
    values 255
mechanisms. See EMR
minimum free disk space, configuring 347
multipath
    using for storage options 318

N
NAS configuration
    create 319
    delete 320
network settings
    changing 305
Network table 250
networks
    specifying 298
normalization
    described 249
    example 251
    files 251
        modifying 251
normalization files
    about 251
notification
    email address 71
    user information 70
        email address 71
        pager numbers 71
        times 72
NTP Server
    specifying 308
NTP server
    add
        synchronize 307

O
operators
    Event Criteria 130
organizational units
    adding computers to 82
    creating 78
    deleting 80
    deleting computers 94
    description 77
    distributing configurations 92
    editing 80
    managing 77
    moving computers 93
    name length limits 79
Original Ending Event Date column 219
Original Event Date column 219

P
pager numbers 71
password view
    changing 309
Passwords
    changing the 309
passwords 61
    changing 66
    customizing policies 74
    security recommendation 62
permissions 47
    See also access rights
    description 56
    examples of modifying permissions 53
    in roles 45, 49
    modifying 58
        computers 94
        propagating 57
        user 72
Permissions dialog box 58
policy
    adding a 297
publishing
    queries 237
purge
    about backup and restore view 367
purging alerts 363
purging data
    purge types 363

Q
queries
    column sorting 231
    editing 235
    event 228
    exporting 235–236
    importing 235
    naming rules 227
    SQL 231
    summary 229
    tables in 235
query groups 227

R
registering collectors 170
reports, exporting
    configuring character set 344
resources. See EMR
restarting
    server 317
restore
    about backup and restore view 367
    performing complete database 370
    performing complete LDAP directory server 369
    performing selective 373
role membership
    assigning to users 68
roles
    adding user groups 43
    adding users 43
    administrator roles 39
    creating 40
    definition 37
    deleting 55
    Domain Administrator 39
        permissions 56
    editing role properties 42
    Information Manager console access rights 47
    management of policies and configurations 40
    managing 37
    permissions 49, 56
        examples 53
    planning 38
    product access assignment
        modifying 44
    SES Administrator 39
        permissions 56
    SIM permissions 45
    viewing events 40
rsync 210
rule
    creating multicondition 141
    importing existing 135
    X not followed by X 147
    X not followed by Y 145
    Y not preceded by X 149
rule set
    creating 121
rule type
    Lookup Table Update 150
rules
    categories 123
    Correlate By field 134
    creating correlation rule for lookup table update 150
    creating multicondition 141
    criteria 125
    default 116
    editor 132
    enabling/disabling 152
    query naming 227
    Resource field 134
    settings 132
    types 125
rules strategy
    defining strategy 123

S
SAN
    connecting Information Manager 320
scp 210
security directory
    registering a collection server 243
security domain
    registering Information Manager with 244
security environment diagram. See Visualizer
selective backup files
    purging 378
server
    restarting 317
    shutting down 317
server access
    modifying 48
service provider
    client perspective 103
    configuring an Information Manager server 108
    configuring client management accounts 109
    minimum requirements for Information Manager 101
    See also Service Provider Master
    provider perspective 104
    responding to a client incident 105
Service Provider Master
    configuring client 107
    configuring Information Manager as 107
    customizing the Incidents tile 104
    disconnecting a client from 110
    overview and examples 102
    synchronizing with client incidents 110
    viewing client incidents 105
services
    viewing for a computer 91
    viewing properties 91
SES Administrator role 39
    permissions 56
Settings view
    features of 302
shutdown
    server 317
Span rule setting 132
SQL Query wizard 231
SSIM Web Start 21
standard event code 250
state information, configuring for Agent 333
Storage area network
    connecting Information Manager 320
Subcategory field. See EMR
Summary Query wizard 229
Symantec Event Agent
    installing 170–171
    installing on Linux 175
    installing on Solaris 173
    installing on Windows 172
    management with agentmgmt.bat utility 176
    preinstallation requirements 171
    uninstalling 176
    uninstalling on Windows 176
    verifying installation 178
    verifying operation 179
Symantec Event Code 250
Symantec Signature
    incident mapped to 250
system criticality. See assets
system performance
    estimating 27

T
Table Size rule setting 132
tables
    aggregation 132
    Lookup 152
tables in queries 235
tablespace containers 361
template queries
    enable role-based access 46
throttling, configuring 346
time
    specifying NTP Server 308
Time setting
    changing the 307
timeout, preventing, in Information Manager console 344

U
updates
    Agent 350
    LiveUpdate technology 348
    Manager 350
user groups
    adding to a role 43
    creating 65
    deleting 74
    managing the composition of 69
    modifying 73
users
    adding to a role 43
    assigning role membership 68
    business information 67
    contact information 67
    creating 63
    deleting 74
    description 62
    notification information 70
        email addresses 71
        notification times 72
        pager numbers 71
    permissions 72
    properties 66

V
values
    Mechanisms 255
Visualizer
    about 95
    about using 95
    modifying properties 98
    tools 98

W
Web server, configuring 346
wizards
    Event Query 228
    SQL Query 231
    Summary Query 229