Information Manager 4.7.4
User Guide
Documentation version: 4.7.4
Legal Notice
Copyright © 2011 Symantec Corporation. All rights reserved.
Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING,
PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.
other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.
Symantec’s support offerings include the following:
■ A range of support options that give you the flexibility to select the right amount of service for any size organization
■ Telephone and/or web-based support that provides rapid response and up-to-the-minute information
■ Upgrade assurance that delivers software upgrades
■ Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
■ Premium service offerings that include Account Management Services
For information about Symantec’s support offerings, you can visit our web site at the following URL:
www.symantec.com/business/support/
All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.
Contacting Technical Support
Customers with a current support agreement may access Technical Support information at the following URL:
www.symantec.com/business/support/
Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.
When you contact Technical Support, please have the following information available:
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description:
■ Error messages and log files
■ Troubleshooting that was performed before contacting Symantec
■ Recent software configuration changes and network changes
Licensing and registration
If your Symantec product requires registration or a license key, access our technical support web page at the following URL:
www.symantec.com/business/support/
Customer service
Customer service information is available at the following URL: www.symantec.com/business/support/
Customer Service is available to assist with non-technical questions, such as the following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates, such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information about product updates and upgrades
■ Information about upgrade assurance and support contracts
■ Information about the Symantec Buying Programs
■ Advice about Symantec's technical support options
■ Nontechnical presales questions
Europe, Middle-East, and Africa: semea@symantec.com
North America and Latin America: supportsolutions@symantec.com
Additional enterprise services
Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively. Enterprise services that are available include the following:
■ Managed Services: Managed Services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.
■ Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring, and management capabilities. Each is focused on establishing and maintaining the integrity and availability of your IT resources.
■ Education Services: Education Services provide a full array of technical training, security education, security certification, and awareness communication programs.
To access more information about enterprise services, please visit our web site at the following URL:
www.symantec.com/business/services/
Technical Support ... 4
Section 1
Introducing Symantec Security Information Manager ... 15
Chapter 1
Overview ... 17
About Symantec Security Information Manager ... 17
What's new in this release ... 18
New features ... 19
About workflow in Information Manager ... 20
About Information Manager components ... 21
About security products and devices ... 22
About event collectors ... 22
About Information Manager servers ... 23
About the Symantec Global Intelligence Network ... 23
About the Information Manager Web service ... 23
About estimating system performance ... 24
Chapter 2
Symantec Security Information Manager Console ... 29
About the Information Manager console ... 29
About the Dashboard view ... 30
About the Intelligence view ... 31
About the Incidents view ... 32
About the Events view ... 35
About the Tickets view ... 37
About the Assets view ... 39
About the Reports view ... 41
About the Rules view ... 44
About the System view ... 61
About the Statistics view ... 62
About the features of the Information Manager console ... 63
About the incident and the alert monitors ... 63
Searching the notes ... 66
About user actions ... 68
Creating and modifying user actions ... 68
Opening the Information Manager console from the command line ... 69
Changing a password ... 70
Chapter 3
Symantec Security Information Manager Web configuration interface ... 71
About the Information Manager server Web configuration interface ... 71
Accessing the Web configuration interface ... 72
About the features of the Web configuration interface ... 72
Section 2
Planning for security management ... 77
Chapter 4
Managing the correlation environment ... 79
About the Correlation Manager ... 79
About the Correlation Manager knowledge base ... 80
About the default rules set ... 80
Chapter 5
Defining rules strategy ... 85
About creating the right rule set for your business ... 85
About defining a rules strategy ... 87
About correlation rules ... 87
About rule conditions ... 88
About rule types ... 89
About event criteria ... 93
About the Event Count, Span, and Table Size rule settings ... 96
About the Tracking Key and Conclusion Creation fields ... 96
About the Correlate By and Resource fields ... 98
Importing existing rules ... 99
Creating custom correlation rules ... 100
Creating a multicondition rule ... 104
Creating a correlation rule based on the X not followed by Y rule type ... 107
Creating a correlation rule based on the X not followed by X rule type ... 109
Creating a correlation rule for the Y not preceded by X rule type ... 111
Creating a correlation rule for the Lookup Table Update ... 113
Enabling and disabling rules ... 115
Working with the Lookup Tables window ... 115
Creating a user-defined Lookup Table ... 120
Importing Lookup Tables and records ... 121
Section 3
Getting started with the Information Manager ... 123
Chapter 6
Configuring the Console ... 125
About configuring Information Manager ... 125
Identifying critical systems ... 126
Adding a policy ... 127
Specifying networks ... 128
About customizations for a Service Provider Master console ... 129
Chapter 7
Managing roles and permissions ... 131
About managing roles ... 131
About the administrator roles ... 132
About the default roles in the Information Manager server ... 132
About planning for role creation ... 133
Creating a role ... 134
Editing role properties ... 140
Deleting a role ... 149
About working with permissions ... 149
About permissions ... 150
About the propagation of permissions ... 151
Modifying permissions from the Permissions dialog box ... 152
Chapter 8
Managing users and user groups ... 155
About users and passwords ... 155
Customizing the password policy ... 157
Creating a new user ... 158
Creating a user group ... 160
About editing user properties ... 161
Changing a user’s password ... 162
Specifying user business and contact information ... 162
About modifying user permissions ... 168
Modifying a user group ... 168
Deleting a user or a user group ... 169
About integrating Active Directory with the Information Manager server ... 170
Managing Active Directory configurations ... 170
Chapter 9
Managing organizational units and computers ... 173
About organizational units ... 173
About managing organizational units ... 173
Creating a new organizational unit ... 174
About determining the length of the organizational unit name ... 175
Editing organizational unit properties ... 176
About modifying organizational unit permissions ... 176
Deleting an organizational unit ... 177
About managing computers within organizational units ... 177
Creating computers within organizational units ... 178
About editing computer properties ... 179
Distributing configurations to computers in an organizational unit ... 197
Moving a computer to a different organizational unit ... 198
About modifying computer permissions ... 199
Deleting a computer from an organizational unit ... 199
Section 4
Understanding event collectors ... 201
Chapter 10
Introducing event collectors ... 203
About Event Collectors and Information Manager ... 203
Components of collectors ... 204
About Symantec Universal Collectors ... 205
About Custom Log Management ... 205
Downloading and installing the Symantec Universal Collectors ... 207
Correlating the logs collected in a file from a proprietary application ... 208
Chapter 11
Configuring collectors for event filtering and aggregation ... 211
Configuring event filtering ... 211
Configuring event aggregation ... 214
Section 5
Working with events and event archives ... 219
Chapter 12
Managing event archives ... 221
About events, conclusions, and incidents ... 221
About the Events view ... 222
About the event lifecycle ... 222
About event archives ... 224
About multiple event archives ... 224
Creating new event archives ... 225
Specifying event archive settings ... 226
Creating a local copy of event archives on a network computer ... 227
Restoring event archives ... 228
Viewing event data in the archives ... 230
About the event archive viewer right pane ... 231
Manipulating the event data histogram ... 231
Setting a custom date and time range ... 232
About viewing event details ... 232
Modifying the format of the event details table ... 233
Searching within event query results ... 235
Filtering event data ... 235
About working with event queries ... 239
Using the Source View query and Target View query ... 240
Creating query groups ... 241
Querying across multiple archives ... 241
Creating custom queries ... 242
Editing queries ... 248
Managing the color scheme that is used in query results ... 249
About querying for IP addresses ... 250
Importing queries ... 250
Exporting queries ... 251
Publishing queries ... 251
About forwarding events to an Information Manager server ... 255
About registering a security directory ... 257
Registering Collectors ... 258
Registering with a security domain ... 259
Activating event forwarding ... 260
Stopping event forwarding ... 263
Chapter 14
Understanding event normalization ... 265
About event normalization ... 265
About normalization (.norm) files ... 267
Chapter 15
Collector-based event filtering and aggregation ... 269
About collector-based event filtering and aggregation ... 269
About identifying common events for collector-based filtering or aggregation ... 271
About preparing to create collector-based rules ... 272
Accessing event data in the Information Manager console ... 274
Creating collector-based filtering and aggregation specifications ... 275
Examples of collector-based filtering and aggregation rules ... 277
Filtering events generated by specific internal networks ... 277
Filtering common firewall events ... 278
Filtering common Symantec AntiVirus events ... 281
Filtering or aggregating vulnerability assessment events ... 282
Filtering Windows Event Log events ... 283
Section 6
Working with incidents ... 287
Chapter 16
Managing Incidents ... 289
About incident management ... 289
Incident identification ... 290
Example: Information Manager automates incident management during a Blaster worm attack ... 291
Threat containment, eradication, and recovery ... 291
Follow-up ... 291
Viewing incidents ... 291
Viewing and modifying the incident list ... 293
About creating and modifying incidents ... 294
Creating incidents manually ... 295
Modifying incidents ... 296
Merging incidents ... 297
Closing an incident ... 298
Reopening a closed incident ... 299
Printing incident details ... 299
Printing the incident, ticket, or asset list ... 300
Exporting the incident, ticket, or asset list ... 300
Assigning incidents automatically to the least busy member in a user group ... 302
Chapter 17
Working with filters in the Incidents view ... 303
About filtering incidents ... 303
Modifying a custom filter ... 303
Creating a custom filter ... 304
Deleting a custom filter ... 304
Searching within incident filtering results ... 305
Section 7
Working with tickets ... 307
Chapter 18
Managing tickets ... 309
About tickets ... 309
About creating tickets ... 310
Creating a ticket manually ... 310
Creating a ticket category ... 311
Viewing tickets ... 312
About the Ticket Details window ... 312
Viewing tickets associated with a specific incident ... 313
Setting ticket task dispositions ... 314
Changing the priority of a ticket ... 314
Adding a ticket note ... 315
Closing a ticket ... 315
Printing the ticket list ... 316
Chapter 19
Working with filters in Tickets view ... 317
Filtering tickets ... 317
Modifying a custom ticket filter ... 318
Importing assets into the Assets table ... 323
Section 8
Working with reports and dashboards ... 325
Chapter 21
Managing reports ... 327
Working with reports ... 327
About reports ... 327
Creating custom reports ... 327
Creating a report group or folder ... 330
Editing tabular queries in reports ... 331
Publishing reports ... 331
Enabling the email distribution of reports ... 332
Scheduling and distributing reports ... 333
Scheduling queries that can be distributed as reports ... 337
Modifying the report distribution ... 338
Viewing reports ... 339
Configuring a report for portrait or landscape mode ... 340
Printing and saving reports ... 341
Exporting reports ... 341
Importing reports ... 342
Performing a drill-down on reports ... 343
Chapter 22
Managing dashboards ... 345
About the dashboard ... 345
Viewing dashboards ... 346
Viewing queries in the Dashboard ... 348
Performing a drill-down on dashboards ... 348
Refreshing the dashboard ... 349
Customizing the dashboard ... 350
Introducing Symantec Security Information Manager
■ Chapter 1. Overview
■ Chapter 2. Symantec Security Information Manager Console
■ Chapter 3. Symantec Security Information Manager Web configuration interface
Chapter 1
Overview
This chapter includes the following topics:
■ About Symantec Security Information Manager
■ What's new in this release
■ About workflow in Information Manager
■ About Information Manager components
■ About estimating system performance
About Symantec Security Information Manager
Information Manager provides real-time event correlation and data archiving to protect against security threats and to preserve critical security data. Information Manager collects and archives security events from across the enterprise. These events are correlated with the known asset vulnerabilities and current security information from the Global Intelligence Network. The resulting information provides the basis for real-time threat analysis and security incident identification. Information Manager archives the security data for forensic and regulatory compliance purposes.
Information Manager collects, analyzes, and archives information from security devices, critical applications, and services, such as the following:
■ Firewalls
■ Routers, switches, and VPNs
■ Enterprise antivirus
■ Intrusion detection systems and Intrusion Prevention Systems
■ Vulnerability scanners
Information Manager provides the following features to help you recognize and respond to threats in your enterprise:
■ Normalization and correlation of events from multiple vendors.
■ Event archives to retain events in both their original (raw) and normalized formats.
■ Distributed event filtering and aggregation to ensure that only relevant security events are correlated.
■ Real-time security intelligence updates from Global Intelligence Network. These updates keep you apprised of global threats and let you correlate internal security activity with external threats.
■ Customizable event correlation rules to let you fine-tune threat recognition and incident creation for your environment.
■ Security incident creation, ticketing, tracking, and remediation for quick response to security threats. Information Manager prioritizes incidents based upon the security policies that are associated with the affected assets.
■ An Event Viewer that lets you easily mine large amounts of event data and identify the computers and users that are associated with each event.
■ A client-based console from which you can view all security incidents and drill down to the related event details. These details include affected targets, associated vulnerabilities, and recommended corrective actions.
■ Predefined and customizable queries to help you demonstrate compliance with the security and the data retention policies in your enterprise.
■ A Web-based configuration interface that lets you view and customize the dashboard, configure settings, and manage events, incidents, and tickets remotely. You can download various utilities and perform routine maintenance tasks such as backup and restore. You can use the custom logs feature with the universal collectors to collect and map information from devices for which standard collectors are not available.
What's new in this release
Information Manager 4.7.4 contains enhanced features. It also includes fixes for the known issues that existed in the previous versions.
New features
Information Manager 4.7.4 includes the following new features, in addition to fixes for known issues:
■ Symantec SIEM 9700 Series appliances
■ SSIM Web Start Client
■ Role-based access to the Event Query Templates
■ Navigation option for Event Storage Rules list
Symantec SIEM 9700 Series appliances
Symantec SIEM 9700 Series appliances are scalable security information and event management appliances that provide reliable performance with Information Manager software. The SIEM 9700 Series consists of three models: the 9750, the 9751, and the 9752. Each model provides 3.9TB of redundant event storage and a dedicated Remote Management Module for remote management of the appliance. In addition, the 9751 and 9752 provide enterprise connectivity through 8GB Fibre Channel. Each physical appliance can be combined seamlessly with virtual appliances to ease interoperability.
For more information, see the following guides:
■ Symantec SIEM 9700 Series Appliances Maintenance Guide
■ Symantec SIEM 9700 Series Appliances Installation Guide
■ Symantec SIEM 9700 Series Appliances Product Description Guide
■ Symantec SIEM 9700 Series Appliances Hardware Troubleshooting Guide
■ Symantec SIEM 9700 Series Appliances Safety Guide
See “New features” on page 19.
SSIM Web Start Client
By using SSIM Web Start Client, you can now reach the Information Manager console directly without downloading and installing the Information Manager console.
The Launch SSIM Web Start Client link, which is located on the logon page of the Information Manager Web configuration interface, launches the Information Manager console. You can also access this link from the Downloads option on the Home view of the Web configuration interface.
Role-based access to the Event Query Templates
Access to the Event Query Templates can be controlled through the View Event Query Templates permission that is granted to a role. By default, this permission is enabled for new roles.
If the View Event Query Templates permission is disabled for a role, a user who is assigned that role cannot access the Templates folder in the Events view. If the permission is enabled for the role, the user can access and run the Event Query Templates.
See “Enabling access to the Event Query Templates” on page 142.
See “New features” on page 19.
Navigation option for Event Storage Rules list
A Move to top option and a Move to bottom option are now available in the Event Storage rules list. These options can be used to move a rule directly to the top or to the bottom of the list.
See “New features” on page 19.
About workflow in Information Manager
The Symantec Security Information Manager workflow includes the following steps:
■ Event collectors gather events from Symantec and third-party point products.
See “About Event Collectors and Information Manager” on page 203.
■ Events are filtered and aggregated.
See “Configuring event filtering” on page 211.
See “Configuring event aggregation” on page 214.
■ Symantec Event Agent forwards both the raw and the processed events to the Information Manager server.
See “About forwarding events to an Information Manager server” on page 255.
See “Activating event forwarding” on page 260.
■ The Information Manager server stores the event data in event archives.
See “About event archives” on page 224.
■ The Information Manager server correlates the events with threat and asset information based on the configured correlation rules.
■ Security events that trigger a correlation rule create a security incident.
See “About incident management” on page 289.
About Information Manager components
Symantec Security Information Manager has the following components:
■ Security products and devices
See “About security products and devices” on page 22.
■ Event collectors
See “About event collectors” on page 22.
■ Information Manager servers
See “About Information Manager servers” on page 23.
■ Global Intelligence Network
See “About the Symantec Global Intelligence Network” on page 23.
■ Web service
See “About the Information Manager Web service” on page 23.
amounts of security data. Many firewalls can generate over 500 GB of security data per day; intrusion detection systems can trigger over 250,000 alerting incidents per week. Most security products store event data in a proprietary format, accessible only by the tools that the security products provide. To secure your enterprise effectively, you need to collect, normalize, and analyze the data from all parts of your enterprise.
See “About Information Manager components” on page 21.
About event collectors
Event collectors gather security events from a variety of event sources, such as databases, log files, and syslog applications. Event collectors translate the event data into a standard format, and optionally filter and aggregate the events. The event collectors then send the events to Symantec Security Information Manager. You can configure event collectors to also send the event data in its original format. You install event collectors either on the security product computer or at a location with access to the security product events. To facilitate installation and setup, event collectors for third-party firewalls are preinstalled on the Information Manager server. After the event collector is registered with Information Manager, you can configure event collector settings from the Information Manager console. The event collector settings include the event source specification and any event filter or aggregation rules.
Symantec provides event collectors for the following types of products:
■ Firewalls
■ Routers, switches, and VPNs
■ Intrusion detection and prevention systems
■ Vulnerability scanners
■ Web servers, filters, and proxies
■ Databases
■ Mail and groupware
■ Enterprise antivirus
■ Microsoft authentication services
For access to the extensive library of event collectors, visit Symantec support at the following Web site:
http://www.symantec.com/enterprise/support/
See “About Information Manager components” on page 21.
About Information Manager servers
Symantec Security Information Manager is hardware independent. You can install the Information Manager server on any approved hardware that meets the minimum system requirements.
You can deploy one or more Information Manager servers in various roles to satisfy the event gathering, archiving, and event correlation requirements for your enterprise. To account for traffic variation, a single Information Manager is only recommended for a security environment that generates up to 1,000 events per second (EPS) on average and that requires a maximum of 4 MB to 8 MB per day of event data storage. To increase the overall event processing rate, you can add multiple load sharing Information Managers to your deployment. You can configure each server for dedicated event collection, event archiving, or event correlation. In most cases, a combination of multiple servers that share the event and the incident processing load is preferred.
See “About Information Manager components” on page 21.
About the Symantec Global Intelligence Network
Information Manager has access to current vulnerability, attack pattern, and threat resolution information from the Threat and Vulnerability Management Service. The Symantec Global Intelligence Network powers the Threat and Vulnerability Management Service. The Symantec Global Intelligence Network is a comprehensive collection of vendor-neutral security data sources. The service is an authoritative source of information about known and emerging vulnerabilities, threats, risks, and global attack activity.
See “About Information Manager components” on page 21.
About the Information Manager Web service
The Web service of Symantec Security Information Manager lets you securely access and update the data that is stored on a server. You can use the Web service to publish event, asset, incident, ticket, and system setting information. You can also use the Web service to integrate Information Manager with help desk, inventory, or notification applications.
About estimating system performance
To estimate the performance of an Information Manager server or set of servers, consider your unique environment. Information Manager integrates with a wide range of event collectors and by nature requires settings to be customized to match each environment, so the physical performance depends greatly on the collectors and settings that you choose.
The events per second (EPS) rates that were observed under optimal circumstances are provided here for general planning purposes. You can create a rough estimate of system performance from the information in these tables. However, note that system performance may vary widely from these figures depending on your specific environment, and your estimates need to be adjusted over time as your policies, settings, and storage requirements are refined.
Table 1-1 lists the hardware models that were used to test the performance of the various roles of the Symantec Security Information Manager server.
The other tables list the Information Manager roles in which each hardware model was tested, together with the method by which the performance of each role was calculated.
Table 1-1 Hardware model specifications
RAM          | Processor type              | Cache size | CPU                             | Hardware
32 GB        | Single Quad Core processor  | 6144 KB    | Intel Xeon CPU E5430 @ 2.66 GHz | HP DL 380
8 GB, 16 GB  | Single Dual Core processor  | 6144 KB    | Intel Xeon CPU E5405 @ 2.00 GHz | HP DL 360
8 GB, 16 GB  | Single Dual Core processor  | 6144 KB    | Intel Xeon CPU E5430 @ 2.66 GHz | IBM™ X3550
8 GB         | Double Quad Core processor  | 8192 KB    | Intel Xeon CPU E5520 @ 2.27 GHz | Dell™ R610
16 GB        | Double Quad Core processor  | 8192 KB    | Intel Xeon CPU E5520 @ 2.27 GHz | Dell R710
16 GB        | Single Quad Core processor  | 4096 KB    | Intel Xeon CPU E5320 @ 1.86 GHz | Dell 1950
16 GB        | Single Quad Core processor  | 6144 KB    | Intel Xeon CPU E5410 @ 2.33 GHz | Dell 2950
32 GB        | Double Quad Core processor  | 12 MB      | Intel Xeon CPU E5640 @ 2.67 GHz | Dell R710
The tables that are listed provide the typical EPS rates that are observed under test conditions for the recommended hardware in various roles. These numbers are intended as sample guidelines only, and vary greatly with each deployment.
Table 1-2 Performance figures for HP DL 380 with 32 GB RAM
CPU utilization | Output EPS | Input EPS | Role
60%             | 10000      | 10000     | All in One
55%             | 9100       | 10000     | Collection only
29%             | 13000      | 13000     | Correlation only
53%             | 12000      | 12000     | Collection + Archive
Table 1-3 Performance figures for Dell R710 with 16 GB RAM
CPU utilization | Output EPS | Input EPS | Role
43%             | 10000      | 10000     | All in One
40%             | 9400       | 10000     | Collection only
23%             | 12000      | 12000     | Correlation only
40%             | 10450      | 12000     | Collection + Archive
Table 1-4 Performance figures for Dell R610 with 8 GB RAM
CPU utilization | Output EPS | Input EPS | Role
86%             | 8450       | 10000     | All in One
74%             | 9000       | 10000     | Collection only
86%             | 10650      | 12000     | Correlation only
76%             | 8300       | 10000     | Collection + Archive
Table 1-5 Performance figures for HP DL 380 with 16 GB RAM
CPU utilization | Output EPS | Input EPS | Role
60%             | 10000      | 10000     | All in One
55%             | 9100       | 10000     | Collection only
37%             | 12000      | 12000     | Correlation only
53%             | 12000      | 12000     | Collection + Archive
Table 1-6 Performance figures for HP DL 380 with 8 GB RAM
CPU utilization | Output EPS | Input EPS | Role
60%             | 10000      | 10000     | All in One
52%             | 9000       | 10000     | Collection only
38%             | 12000      | 12000     | Correlation only
57%             | 10000      | 10000     | Collection + Archive
Table 1-7 Performance figures for IBM X3550 with 16 GB RAM
CPU utilization | Output EPS | Input EPS | Role
90%             | 9000       | 10000     | All in One
75%             | 11000      | 12000     | Collection only
84%             | 10590      | 12000     | Correlation only
75%             | 7800       | 10000     | Collection + Archive
Table 1-8 Performance figures for Dell 2950 with 16 GB RAM
CPU utilization | Output EPS | Input EPS | Role
60%             | 10000      | 10000     | All in One
23%             | 12000      | 12000     | Collection only
34%             | 12000      | 12000     | Correlation only
50%             | 10000      | 10000     | Collection + Archive
Table 1-9 Performance figures for Dell 1950 with 16 GB RAM
CPU utilization | Output EPS | Input EPS | Role
60%             | 8600       | 10000     | All in One
55%             | 10000      | 10000     | Collection only
42%             | 12000      | 12000     | Correlation only
52%             | 10000      | 10000     | Collection + Archive
Table 1-10 Performance figures for HP DL 360 with 8 GB RAM
CPU utilization | Output EPS | Input EPS | Role
82%             | 8000       | 8000      | All in One
50%             | 12000      | 12000     | Collection only
86%             | 10000      | 10000     | Correlation only
76%             | 8000       | 8000      | Collection + Archive
Table 1-11 Performance figures for HP DL 360 with 16 GB RAM
CPU utilization | Output EPS | Input EPS | Role
82%             | 7000       | 7000      | All in One
80%             | 9700       | 10000     | Collection only
80%             | 10000      | 10000     | Correlation only
75%             | 10000      | 10000     | Collection + Archive
All in One: Performance is calculated on an Information Manager server which performs the role of a collection server, an archiving server, and a correlation server.
Collection only: Performance is calculated on a collection server of a two-server, multiappliance setup. This setup consists of a collection server and a server performing the role of an archiving server and a correlation server.
Correlation only: Performance is calculated on a correlation server of a two-server, multiappliance setup. This setup consists of a server performing the role of a forwarding server as well as of an archiving server and a correlation server.
Collection + Archive: Performance is calculated on a server which performs the role of a collection server and of an archiving server of a two-server, multiappliance setup. This setup consists of a server performing the role of a collection server as well as of an archiving server and a correlation server.
The details of the setup that was used for the performance estimation are as follows:
■ The test run was performed with the summarizers turned off.
Symantec recommends that you disable summarizers on the Web configuration interface if you do not use summary queries. Summarizers are maintained in Symantec Security Information Manager 4.7 only to provide backward compatibility with previous versions of Information Manager.
■ The test run used a run feeder tool with an archive comprised of WEC, Juniper NetScreen, and Cisco PIX events.
■ The average event size that was used for performance is 512 bytes.
■ The time span to calculate the EPS for each test was 15 minutes, and total time for test was 67 hours.
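The figures above can be turned into a small sizing check. The following Python is an added example, not part of this guide and not Information Manager tooling: it encodes Tables 1-2 to 1-11 as data, flags every configuration whose output EPS fell below its input EPS (the server could not keep pace at that feed rate), selects the hardware that carried a required rate in a given role under a CPU ceiling, and estimates raw archive growth per day from the 512-byte average event size stated in the test setup. The short hardware labels, the 70% CPU ceiling used in the sample run, and the assumption that archive growth is uncompressed are mine, not the guide's.

```python
from dataclasses import dataclass
from typing import Iterator, List

ROLES = ("All in One", "Collection only", "Correlation only", "Collection + Archive")

# (input EPS, output EPS, CPU %) for each role, transcribed from Tables 1-2 to 1-11.
# Hardware labels are shortened here; they are not the guide's table titles.
PERF = {
    "HP DL 380 / 32 GB": [(10000, 10000, 60), (10000, 9100, 55), (13000, 13000, 29), (12000, 12000, 53)],
    "Dell R710 / 16 GB": [(10000, 10000, 43), (10000, 9400, 40), (12000, 12000, 23), (12000, 10450, 40)],
    "Dell R610 / 8 GB":  [(10000, 8450, 86),  (10000, 9000, 74),  (12000, 10650, 86), (10000, 8300, 76)],
    "HP DL 380 / 16 GB": [(10000, 10000, 60), (10000, 9100, 55), (12000, 12000, 37), (12000, 12000, 53)],
    "HP DL 380 / 8 GB":  [(10000, 10000, 60), (10000, 9000, 52), (12000, 12000, 38), (10000, 10000, 57)],
    "IBM X3550 / 16 GB": [(10000, 9000, 90),  (12000, 11000, 75), (12000, 10590, 84), (10000, 7800, 75)],
    "Dell 2950 / 16 GB": [(10000, 10000, 60), (12000, 12000, 23), (12000, 12000, 34), (10000, 10000, 50)],
    "Dell 1950 / 16 GB": [(10000, 8600, 60),  (10000, 10000, 55), (12000, 12000, 42), (10000, 10000, 52)],
    "HP DL 360 / 8 GB":  [(8000, 8000, 82),   (12000, 12000, 50), (10000, 10000, 86), (8000, 8000, 76)],
    "HP DL 360 / 16 GB": [(7000, 7000, 82),   (10000, 9700, 80),  (10000, 10000, 80), (10000, 10000, 75)],
}

AVG_EVENT_BYTES = 512    # average event size used in the test runs described above
SECONDS_PER_DAY = 86400


@dataclass
class Measurement:
    hardware: str
    role: str
    input_eps: int
    output_eps: int
    cpu_pct: int

    @property
    def keeps_up(self) -> bool:
        # Output below input means the server fell behind at that feed rate.
        return self.output_eps >= self.input_eps

    @property
    def loss_fraction(self) -> float:
        # Share of the offered events that did not make it through.
        return 1.0 - self.output_eps / self.input_eps


def measurements() -> Iterator[Measurement]:
    for hardware, rows in PERF.items():
        for role, (inp, out, cpu) in zip(ROLES, rows):
            yield Measurement(hardware, role, inp, out, cpu)


def daily_archive_bytes(eps: int, event_bytes: int = AVG_EVENT_BYTES) -> int:
    """Raw archive growth per day if `eps` events of `event_bytes` each are
    sustained around the clock (assumes no compression)."""
    return eps * event_bytes * SECONDS_PER_DAY


def candidates(role: str, required_eps: int, cpu_ceiling: int) -> List[str]:
    """Hardware that, in `role`, delivered at least `required_eps` without
    falling behind and without exceeding `cpu_ceiling` percent CPU."""
    return [m.hardware for m in measurements()
            if m.role == role and m.keeps_up
            and m.output_eps >= required_eps and m.cpu_pct <= cpu_ceiling]


def falling_behind() -> List[Measurement]:
    """Every measured configuration whose output EPS was below its input EPS."""
    return [m for m in measurements() if not m.keeps_up]


if __name__ == "__main__":
    need, ceiling = 10000, 70     # sample planning target (assumption)
    for role in ROLES:
        print(f"{role}: {need} EPS under {ceiling}% CPU -> {candidates(role, need, ceiling)}")
    print(f"Raw archive growth at {need} EPS: {daily_archive_bytes(need) / 1e9:.0f} GB/day")
    for m in falling_behind():
        print(f"  behind: {m.hardware} [{m.role}] lost {m.loss_fraction:.0%} of input")
```

Running the module prints, for each role, the hardware from the tables that met a 10000 EPS target under 70% CPU, the uncompressed archive growth that rate implies, and the configurations that could not keep up. Treat the result as the guide does its tables: a starting point for a deployment estimate, not a guarantee.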
Chapter 2 Symantec Security Information Manager Console
This chapter includes the following topics:
■ About the Information Manager console
■ About the features of the Information Manager console
About the Information Manager console
You must install the Java client of the Information Manager on a Microsoft Windows 2000, 2003, XP, or Vista computer to access the console. The client can be downloaded from the Home > Downloads view of the Web configuration interface.
The console of the Information Manager client enables you to perform the following security monitoring functions:
■ Define rules to identify security incidents.
■ Identify critical network hosts.
■ View Symantec Global Intelligence Network information.
■ Manage incidents.
■ Manage tickets.
■ Create reports.
■ Perform Service Provider management tasks.
■ Dashboard view
■ Intelligence view
■ Incidents view
■ Events view
■ Tickets view
■ Assets view
■ Reports view
■ Rules view
■ System view
■ Statistics view
See “About Information Manager components” on page 21.
About the Dashboard view
The Dashboard view on the console of the Information Manager client provides a high-level view of the critical security information in your environment. Information Manager users can customize the dashboard to display the required event, ticket, and incident information.
The Dashboard view provides an overview of the incident activity that is presented in the following default set of queries:
■ Closed incident count for each assignee by priority
■ Closed incident count for each assignee by severity
■ Open incident count for each assignee by severity
■ Open incident count for each assignee by priority
■ Count of both open incident and closed incident by assignee
■ Incidents count for each of the last seven days
The toolbar of the Dashboard view presents the following options:
Refreshes the queries.
Turn Auto Refresh On: Toggles the automatic refresh of the dashboard queries. When Auto Refresh is on, the dashboard queries are refreshed every five minutes, by default.
Add: Lets you add a new query to the dashboard.
Delete: Lets you remove a query from the dashboard. You can also remove the query by closing the query window.
Tile: Tiles the dashboard charts.
Cascade: Cascades the dashboard charts.
See “Viewing dashboards” on page 346. See “Customizing the dashboard” on page 350.
About the Intelligence view
The Intelligence view displays the security information that the Symantec Global Intelligence Network gathers. The Symantec Global Intelligence Network is a comprehensive collection of vendor-neutral security data sources. The service is an authoritative source of information about known and emerging vulnerabilities, threats, risks, and global attack activity.
The Intelligence view provides information about the current ThreatCon level. It also provides advice and instructions on how to guard against and respond to the current threats.
The Intelligence view presents detailed information under the following tabs:
Analyst Watch: The Analyst Watch tab provides information about IP addresses and URLs known to be involved in malicious activity.
IDS Statistics: The IDS Statistics tab displays the five most frequently occurring intrusion detection events. It also lists offending ISPs, IP addresses, destination ports, attack products, and source and destination countries.
AntiVirus Statistics: The AntiVirus Statistics tab displays the five most frequent corporate and consumer virus sample submissions.
Honeynet: The Honeynet tab displays up-to-date information from the Symantec Global Intelligence Network and data analysis of threats in the wild.
Note: The features that appear on the Intelligence view may vary depending on the type of Global Intelligence Network services subscription that you have purchased. Contact your Symantec sales representative for more information.
See “About the Information Manager console” on page 29.
About the Incidents view
The Incidents view lets you view and manage Information Manager incidents. You can customize the Incidents view by selecting from the security filters or the alert filters, or by creating your own custom filter. When you select an incident filter, the incident list displays only the incidents that satisfy the filter criteria. Selecting an incident in the list updates the incident pane with the detailed information for the selected incident. To update the incident, modify the incident attributes and click Save. To maximize or minimize the display area for the incident pane, click the expand or collapse arrow, respectively, in the upper-left corner.
Double-clicking an incident in the list opens the Incident Details dialog box. To update the incident, modify the incident information and then click the Save icon. To export the incident details, click the Export icon. The incident details are exported to a CSV file that you can save to the desired location on your computer. To edit multiple incidents, highlight the incidents, and edit settings in the Details tab.
From the Incidents view toolbar, you can perform the following tasks:
■ Select a filter to apply to the Incidents view. The filters available for you depend on the roles to which you are assigned. The filters are grouped by Security Incidents, Alerts, and Custom filters in various states.
See Table 2-1 on page 33.
■ Create a custom incident view filter.
■ Search for an incident by incident Reference ID.
■ Create a new incident.
■ Open the Incident Details dialog box for the selected incident.
■ Create a ticket for the selected incident or incidents.
■ Export the incident list to a file.
You can export the list in HTML, CSV, and XML format, as required.
■ Merge the selected incidents.
■ Close the selected incidents.
You must provide the disposition (for example, normal, false-positive, resolved, duplicate, or merged) and provide notes when you close an incident.
■ Lock the incident list.
You can lock the incident list to prevent the display of newly created or recently assigned incidents in the list. When you unlock the list, it is updated with the latest incidents.
Table 2-1 describes the Logical Groups for the filters.
Table 2-1 Logical Groups for filters
My Incidents: The incidents that are assigned to the current user. Following are the states of this group of incidents: Open, New, In-Work, Waiting, and Closed.
My Team Incidents: The incidents that are assigned to the current user's teams. Teams are created in the User Groups section of the System view, on the Administration tab. Following are the states of this group of incidents: Open, New, In-Work, Waiting, and Closed.
All Incidents: All incidents that have been created, both assigned and unassigned. Following are the states of this group of incidents: Open, New, In-Work, Waiting, and Closed.
Unassigned Open Incidents: All incidents which are open and unassigned.
The incident alerts assigned to the current user. Following are the states of this group of incidents: Open, New, In-Work, Waiting, and Closed.
Teams are created in the User Groups section of the System view, on the Administration tab. Following are the states of this group of incidents: Open, New, In-Work, Waiting, and Closed.
All Alerts: All incident alerts that have been created, both assigned and unassigned. Following are the states of this group of incidents: Open, New, In-Work, Waiting, and Closed.
Unassigned Open Alerts: All incident alerts that are open and unassigned.
Custom Filters: All user-defined incident and alert filters.
The Incidents view details pane contains tabs from which you can view or update the selected incident.
Table 2-2 lists the details pane tabs and their functions.
Table 2-2 Incident view details pane tabs
Details: Displays the incident details that include the ID, status, severity, description, creator, assignee, and priority.
Conclusions: Displays the event conclusions that are associated with the incident. To view the details of a conclusion that is associated with the incident, select a conclusion and click the Conclusion Details icon. You can also select an event from the list and view the particular event details.
Events: Displays the events that are associated with the incident. To view the details of an event that is associated with the incident, select the event and click the Event Details icon.
Targets: Displays the target computers that are associated with the incident. To view the details for a target computer, select the target computer and click the Details icon. To create an asset from a target computer, select the target computer and click the Create Asset icon.
Sources: Displays the source computers that are associated with the incident. To view details for a source computer, select the source computer and click the Details icon.
Displays a visual representation of the progress of the attack that generated the incident along with the Symantec Event Code.
Intelligence: Displays Symantec signature information, including the malicious code or vulnerability information that may be associated with the event. You can view the intelligence information that is organized by associated signatures or by target computers.
Tickets: Displays the tickets that have been created for the incident. To view the details of the tickets that are associated with the incident, select the ticket and click the Ticket Details icon. To create a ticket based on this incident, click the Create Ticket icon. When you create a ticket, the Create Ticket dialog box includes the following tabs:
■ Details: Provides the fields that describe the characteristics of the ticket: a summary description, the priority, the ticket category, the creator of the ticket, the assignee of the ticket, and the related incidents.
■ Instructions: Lets you correlate Intelligence data from the Global Intelligence Network with the ticket, if information is available.
■ Tasks: Provides the fields to describe any additional remediation tasks that the creator of the ticket recommends. Note that the Tasks tab of the Create Ticket dialog differs from the steps that are listed in the Remediation tab for the incident. The Remediation tab contains the instructions that are automatically created when the incident is created, based on settings in the rule that triggered the incident.
Remediation: Displays the remediation suggestions that have been associated with the rule that triggered the incident. Remediation entries can be added to a rule on the Rules view.
Log: Displays the information that is available on the history of the incident. The incident history contains entries for incident creation, modifications, and closure. You can add entries to the log to record the information and the activities that are related to the incident.
See “About the Information Manager console” on page 29.
About the Events view
The Events view lets you explore the Information Manager event archives. Event archives contain correlated and uncorrelated event data from the security products that are set up to forward events to Symantec Security Information Manager. You can create multiple event archives, and an archive can be stored on any instance of Information Manager. The archives that are visible on the Events view are created with an ordered series of event storage rules. These rules are created on the System view.
To view the events that are stored in the event archives, you can use templates and queries to search for events you need to view. Templates are generally more complex preconfigured queries that can be customized with chosen parameters. System queries are the queries that focus on specific products or common aspects of security management.
When you run a template or a query, you set the parameters for the query, including which archives to search. Each template and query contains the parameters specific to data that the query harvests: for example, a specific IP address or a time range in which the search is to be conducted. After you run the query, the results are displayed in the right pane of the Events view. The presentation of data depends on each query, and can include graphs, pie charts, and lists of events.
If a query returns a list of events, you can click on a particular event to see the event details. You can change table columns if you want to see different information about the events. You can view details about a particular event by double-clicking the table row.
You can also filter data in the table so that it displays only the events that interest you. You can filter on a particular event parameter by right-clicking a cell and clicking Filter on cell. You can also filter results based on a unique column value. Alternatively, you can use the advanced filtering option to create a more complex query.
You can also use the Query Builder Wizard to query the event archives. This wizard helps you create the following types of queries:
■ Event queries
■ Trending queries
The trending feature is available only after you select the Event Query option.
■ Summary queries
■ Advanced SQL queries
Note: The Query Builder Wizard icon is available only when the folder for My Queries or Published Queries is selected.
Table 2-3 Events view left pane items
Local Event Archives: Access the static copies of the events that are archived and that are stored somewhere other than the Information Manager server. Local event archives are often created as a backup copy of an active archive. Local event archives are not updated after the copy of the archive has been made.
Templates: Provides a set of preconfigured query templates that generally provide a system-wide view of event activity. The templates use the parameters you choose, such as the event archives or the time period from which the query gathers information. A template can be customized by placing a copy in either the My Queries or the Published Queries folder and then adjusting the copy. Access to the template queries is controlled by role. See “Role-based access to the Event Query Templates” on page 20.
My Queries: Displays a list of queries that you have created for your own use. You can move any of these queries into the Published Queries folder to make them available to others.
Published Queries: Displays a list of the queries that have been created at your site and that you want some or all of your users to be able to use.
System Queries: Displays a list of queries that are included in the Information Manager package. You can use any of these queries as a template for a customized query. To create a customized query, export the selected query as a QML file, and then copy or import the query in the My Queries folder or the Published Queries folder. You can modify it as required.
You can schedule queries to be distributed in a report as a CSV file. See “About working with event queries” on page 239.
See “Viewing event data in the archives” on page 230.
About the Tickets view
The Tickets view lets you view and manage Information Manager tickets. You can customize the ticket view by selecting from one of several ticket filters, or by creating a custom ticket filter. The filters that are available to you depend upon the roles to which you have been assigned. When you select a ticket filter, the ticket list displays only the tickets that satisfy the filter criteria.
attributes and click Apply.
Double-clicking a ticket in the ticket list opens the Ticket Details dialog box. To update the ticket, modify the ticket information, and click Save or OK. You can edit multiple tickets simultaneously by opening a Ticket Details dialog box for each ticket to view or modify.
The Tickets view toolbar contains icons for the following tasks:
■ Select a filter to apply to the ticket view.
The filters that are available to you depend upon the roles to which you are assigned, and may include one or more of the following:
My Open Tickets: The open tickets that are associated with the incidents assigned to the current user.
My Closed Tickets: The closed tickets that are associated with the incidents assigned to the current user.
All Tickets: All tickets.
All Open Tickets: The open tickets.
All Closed Tickets: The closed tickets.
My Assigned Tickets: All tickets that are assigned to the current user, both open and closed.
■ Create a custom ticket view filter.
■ Search for a ticket by ticket ID.
■ Refresh the tickets view.
■ Open the Ticket Details dialog box for the selected ticket.
■ Export the list of tickets to a file.
The ticket preview pane contains tabs from which you can view or update the selected ticket.
Table 2-4 lists the preview pane tabs and their functions.
Table 2-4 Ticket preview pane tabs
Displays the ticket details such as the ID, summary, category, status, priority, timestamp, creator, and help desk assignee.
Incidents: Displays the incidents that are associated with the ticket. To associate a new incident with a ticket, click the Add icon. To disassociate an incident from the ticket, select the incident and click the Remove icon. To view the incident details, click the Incident Details icon. To close the incident from the tickets view, select the incident and click the Close icon.
Tasks: Displays the user tasks that are assigned to each ticket. To add a new task to the ticket, click the Add icon. To remove a task from the ticket, select the task and click the Remove icon. To edit tasks, select the task and click the Edit icon. To add intelligence to the task, click the Intelligence icon.
Instructions: Displays the instructions that are associated with the ticket. To add or modify the instructions, edit the field and click Save. The instruction field accepts a maximum of 3000 characters. The Instructions tab also displays the Reset icon. You can also use the Add Intelligence to Instructions icon.
Log: Displays the ticket history that contains entries for ticket creation, ticket modifications, and ticket closure. To add log entries to record information and the activities that are related to the ticket, click the Add icon.
See “About the Information Manager console” on page 29.
About the Assets view
The Assets view lets you view and manage Information Manager assets. Use the Assets view to identify critical assets in your environment, and track the incidents and the tickets that are related to those assets.
Identify the network assets that have one or more of the following attributes:
■ Host critical information or services
■ Host confidential information
■ Have specific roles on the network, such as firewall or vulnerability scanning devices
The correlation manager uses the asset information to identify and prioritize incidents. The correlation manager creates an incident when a threat exploits an asset's vulnerabilities. The correlation manager sets the incident priority based upon the confidentiality, integrity, and availability ratings that you assign to the asset.
The correlation rules depend upon the asset information, so identifying key network assets on the Assets view is a critical configuration step.
You can populate the list of assets in any of the following ways:
■ Manually add entries in the Assets view.
■ On the Incidents view, in the Targets tab for an incident, create assets based upon computers.
■ On the Events view, under System Queries > SSIM > SSIM System, create assets from the query results of the Source view query and Target view query.
■ On the Assets view, import a list of assets in XML or CSV format. For example, you can export a list of network computers from Microsoft Active Directory, convert the file to CSV format, and then import the file into the Information Manager.
■ Create assets by integrating Information Manager with a policy compliance assessment tool, such as Symantec Control Compliance Suite or Symantec Enterprise Security Manager.
■ Create assets by integrating Information Manager with a network vulnerability scanner. Use the Asset Detector rule under Monitor > System Monitors on the Rules view to choose the vulnerability scan products that automatically populate the assets table.
If you run vulnerability scans periodically on your network, lock the asset information for particular computers. If you lock an asset, the vulnerability scan does not modify the list of the services that are hosted on the asset. A vulnerability scan always updates the asset vulnerabilities, regardless of the asset lock status.
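For the Active Directory route in the list above, the following Python is an added example, not Symantec's tooling and not a documented import format: it reads a CSV of the kind Export-Csv writes for Get-ADComputer with the IPv4Address and OperatingSystem properties selected (columns Name, DNSHostName, IPv4Address, OperatingSystem, Enabled), drops disabled accounts and records without a valid address, keeps the first record for each address, and writes an asset CSV. The output column names and the default Medium confidentiality, integrity and availability ratings are assumptions; confirm the column layout that your Information Manager version expects before importing, and review the ratings per asset since the correlation manager prioritizes incidents from them.

```python
import csv
import io
import ipaddress
from typing import Dict, List

# Constructed sample export (not real hosts). Column names follow what
# Export-Csv writes for Get-ADComputer with these properties selected.
AD_EXPORT = """\
"Name","DNSHostName","IPv4Address","OperatingSystem","Enabled"
"FW-EDGE01","fw-edge01.example.corp","10.0.0.1","Windows Server 2008","True"
"DB01","DB01.EXAMPLE.CORP","10.0.0.5","Windows Server 2003","True"
"OLD-PC7","old-pc7.example.corp","","Windows XP Professional","True"
"DB01-STALE","db01-stale.example.corp","10.0.0.5","Windows Server 2003","True"
"RETIRED1","retired1.example.corp","10.0.0.77","Windows 2000 Server","False"
"""

# Assumed output layout; the guide does not state the import columns.
ASSET_COLUMNS = ["hostname", "ip_address", "operating_system",
                 "confidentiality", "integrity", "availability"]


def convert_ad_export(text: str, default_rating: str = "Medium") -> List[Dict[str, str]]:
    """Turn an AD computer export into asset rows ready for a CSV import."""
    assets: List[Dict[str, str]] = []
    seen_ips = set()
    for row in csv.DictReader(io.StringIO(text)):
        if row.get("Enabled", "").strip().lower() != "true":
            continue                      # disabled accounts are usually decommissioned hosts
        try:
            ip = str(ipaddress.ip_address(row.get("IPv4Address", "").strip()))
        except ValueError:
            continue                      # no usable address: nothing to correlate against
        if ip in seen_ips:
            continue                      # stale duplicate of an address already recorded
        seen_ips.add(ip)
        host = (row.get("DNSHostName") or row["Name"]).strip().lower()
        assets.append({
            "hostname": host,
            "ip_address": ip,
            "operating_system": row.get("OperatingSystem", "").strip(),
            "confidentiality": default_rating,   # assumed default; rate real assets individually
            "integrity": default_rating,
            "availability": default_rating,
        })
    return assets


def to_asset_csv(assets: List[Dict[str, str]]) -> str:
    """Serialize asset rows with the assumed column layout."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=ASSET_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(assets)
    return out.getvalue()


if __name__ == "__main__":
    print(to_asset_csv(convert_ad_export(AD_EXPORT)), end="")
```

With the constructed input, the disabled host, the record with no address and the duplicate of 10.0.0.5 are dropped, leaving two asset rows. Dropping duplicates by address matters because the correlation manager ties incidents to assets by their network identification; two assets with the same address would be ambiguous.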
You can filter the view of the assets in your environment using the filtering options or asset groups.
Search for an asset from each of the views by entering the IP address or host name in the Search Asset field, and then clicking the Search icon.
Double-clicking an asset in the asset list opens the Asset Details dialog box. To update the asset, modify the asset fields and then click the Save icon. You can update multiple assets simultaneously by opening the Asset Editor dialog box for each asset to modify.
Table 2-5 lists the Assets view tabs and their functions.
Table 2-5 Assets view tabs
Details: Displays the network identification, description, priority, organization, operating system, and lock information for the selected asset.
Policies: Displays any policy that is applied to the selected asset. You can add policies to an asset from a customizable list of regulatory policies. To customize the list of available policies, select the Administration tab on the System view. You can also delete policies from the asset.
Services: Displays the network services that the selected computer hosts. You can add services to an asset from a customizable list of well-known services. To customize the list of services, select the Administration tab on the System view. You can also delete services from the asset.
Incidents: Lists any incidents that pertain to the selected asset. Using the incident list is a convenient way to monitor the security activity that is related to an asset.
Tickets: Lists any tickets that pertain to the selected asset. The ticket list is a convenient way to monitor the work-order activity that is related to an asset.
Vulnerabilities: Displays the discovery date, CVE ID, BugTraq ID, and description of any vulnerability that is discovered on the asset. The vulnerability information is tracked when the assets are imported from a vulnerability scanner.
See “About the Information Manager console” on page 29.
About the Reports view
The Reports view lets you create and manage Information Manager reports. To create a report, you insert one or more queries into a report template. You can also add graphic elements and text, including a header and footer. Reports can span multiple views, or you can subdivide a single view and insert multiple queries on that view.
import reports in RML format.
The Reports toolbar contains icons for report management tasks. The tasks available to you depend upon the roles to which you have been assigned, and may include one or more of the following:
■ Refresh the Explorer pane.
■ Create a folder.
■ Create a report.
■ Save a report.
■ Remove the selected report or folder.
■ Import a report from an RML format file.
■ Export the selected report to an RML format file.
■ Adjust the view settings for a report, including the view size and orientation.
■ Publish the selected report by placing the report in the Published Reports folder.
The Reports view has the following panes:
■ Explorer
The Explorer pane lets you manage the My Reports folder and the Published Reports folders, as well as any new folders that you create. When you create a report in the My Reports folder, it is only available to the user who created it. When you create a report in the Published Reports folder, it is available to all of the users who have the applicable permissions for the contents of the report. To publish a report, drag it from your private folder to the Published Reports folder. When you publish a report by dragging it into the Published Reports folder, the two reports are not linked.
In addition to creating, publishing, and deleting reports, you can create and delete report folders. You can also import reports, export reports, and move reports from one folder to another.
■ Properties
The Properties pane lets you view and edit the selected report property values, such as the background color or line thickness.
■ Report
The Report pane provides the tabs that let you design, preview, and distribute the selected report.
Table 2-6 describes the tabs that appear in the right pane when you create a new report or select an existing report from the list in the left pane.
Table 2-6 Report pane tabs
Design: Lets you specify and format the contents of your report. You can include multiple data queries, images, annotation text, and grids in your report. The queries that are available to you depend upon the roles to which you are assigned. For example, you may have access to queries that pertain to firewall and VPN data, but may not have access to queries on antivirus data.
Preview: Displays a preview of the report. You can also save or print the report from the Preview tab. You can also drill down on the following query types by clicking on the reports that are displayed:
■ Top N by Field
■ Trending for Top N by Field
■ Summary Data Queries
See “Performing a drill-down on reports” on page 343.
Distribute: Lets you schedule the report and specify report recipients. You can compose an email report notification message, attach the report as a PDF and RTF, or include a URL link to the report.
Note: When the recipient clicks on the URL link, the report can be accessed directly if the user has already logged on to the Web configuration interface using the host name of Information Manager. However, if the user has logged on using the IP address of Information Manager, then the user is prompted for authentication to access the report. You can also test the report distribution configuration with the Test option. The reports are immediately distributed after you perform the testing.
To schedule a report for distribution, you must first publish the report by placing it in the Published Reports folder.
Note: The Distribute option is available only for the Published Reports.
Manager uses to filter known false positives and declare security incidents. Default rules provide a starting point for determining the most common kinds of security incidents, including denial-of-service attacks and blended threats. The default filtering rules provide a set of common filters that can also be used to create customized filters. You can enable, disable, and fine-tune the default rules and filters based on the needs of your organization and the security products that are running.
The Rules view also includes folders for monitors and lookup tables. Monitoring rules are used to detect unexpected security-related changes to systems or periods of inactivity from the systems that are monitored. The lookup tables provide a set of tables that can be configured to list known malicious IP addresses, sensitive files, sensitive URLs, services, Trojan horses, and Windows events that can be used to fine-tune rules and filters. For example, if you have detected a set of IP addresses that routinely attempt to maliciously infiltrate your network, you can add these IP addresses to an IP address lookup table. You can then create a custom rule that checks the table for these known malicious IP addresses during rules processing.
When you define the actions that take place when an incident is triggered, you can create remediation notes. These notes appear on the Remediation tab for an incident that is created. When you add remediation information to a rule and save the changes, the remediation information is updated for the new and the existing incidents.
The Rules view toolbar contains icons for the following tasks:
■ Refresh the Rules list.
■ Create a rule.
■ Create a new folder.
■ Delete a rule.
■ Import rules.
■ Export rules.
■ Copy a rule.
■ Deploy a rule.
■ Revert changes to a rule.
■ Enable rules.
Each folder in the navigation tree includes two subfolders: a System subfolder and a User subfolder. By default, the System subfolder contains the predefined rules, filters, monitors, and lookup tables that are included with Information Manager.
You can enable or disable the items in the System subfolders. However, you cannot make changes to these predefined elements. To create a modified version of a preconfigured rule, filter, monitor, or lookup table, create a custom version of the element and save it in the corresponding User folder. If you create a custom rule or lookup table, you must deploy and enable the new element before it can be used during event processing.
Table 2-7 describes the items that are displayed in the Event Filters list in the left pane. It also describes the tabs that appear in the right pane when you make a selection from this list.
Table 2-7 Event filters
Event Filters list: Displays the list of default filters in the System Filters folder and custom filtering rules in the User Filters folder. Use the checkboxes to turn rules on and off.
Conditions tab: Displays the event criteria that the filtering rules use to filter events. If you create a custom filter, you can add or remove event criteria from this pane.
Testing tab: Lets you test filtering rules with saved event data so that you can evaluate whether the rule filters when it should. This tool helps you fine-tune a rule to filter out the events that cause false positives. You can also debug the errors that prevent the rule from filtering events.
History tab: Shows the date and the time that a user last edited a rule.
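The lookup-table rule described in the Rules view overview and the Testing tab in Table 2-7 can be illustrated together. The following Python is an added example, not Information Manager's rule engine or its rule format: it builds a lookup table of known-malicious addresses (single IPs or CIDR ranges), a filter that removes a known false positive before any rule runs, a rule that checks each event's source against the table, a second custom rule for remote-desktop connections from outside the network, and a check that replays saved events through one rule and reports which matches the analyst did not expect and which expected events it missed. The event fields, the 10.0.0.0/8 internal range, the filter, and the addresses (IETF documentation ranges) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address space

# Constructed saved events (documentation address ranges, not real hosts).
SAVED_EVENTS = [
    {"id": 1, "src_ip": "203.0.113.7",   "dst_ip": "10.0.0.5", "dst_port": 22,   "product": "Cisco PIX"},
    {"id": 2, "src_ip": "10.0.0.9",      "dst_ip": "10.0.0.5", "dst_port": 445,  "product": "WEC"},
    {"id": 3, "src_ip": "198.51.100.42", "dst_ip": "10.0.0.8", "dst_port": 3389, "product": "Juniper NetScreen"},
    {"id": 4, "src_ip": "203.0.113.200", "dst_ip": "10.0.0.5", "dst_port": 80,   "product": "Cisco PIX"},
    {"id": 5, "src_ip": "192.0.2.1",     "dst_ip": "10.0.0.5", "dst_port": 22,   "product": "Cisco PIX"},
]


class IpLookupTable:
    """Known-malicious addresses as an analyst maintains them over time:
    entries may be single IPs or CIDR ranges."""

    def __init__(self, entries: Iterable[str]):
        self._nets = [ipaddress.ip_network(e, strict=False) for e in entries]

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self._nets)


@dataclass
class Rule:
    name: str
    condition: Callable[[dict], bool]


KNOWN_BAD = IpLookupTable(["203.0.113.0/24", "192.0.2.1"])    # constructed table contents

# A filter names traffic that is expected and must not reach the rules
# (here: a constructed internal vulnerability scanner).
internal_scanner = Rule("Internal vulnerability scanner", lambda e: e["src_ip"] == "10.0.0.9")

# Custom rules: one consults the lookup table, one encodes a local policy.
known_bad_source = Rule("Known malicious source", lambda e: KNOWN_BAD.contains(e["src_ip"]))
external_rdp = Rule("RDP from outside the network",
                    lambda e: e["dst_port"] == 3389
                    and ipaddress.ip_address(e["src_ip"]) not in INTERNAL)

FILTERS = [internal_scanner]
RULES = [known_bad_source, external_rdp]


def apply_filters(events: List[dict], filters: List[Rule]) -> List[dict]:
    """Drop every event that any filter accepts (known false positives)."""
    return [e for e in events if not any(f.condition(e) for f in filters)]


def run_rules(events: List[dict], rules: List[Rule]) -> Dict[str, List[int]]:
    """Map each rule name to the ids of the events it matched."""
    hits: Dict[str, List[int]] = {r.name: [] for r in rules}
    for e in events:
        for r in rules:
            if r.condition(e):
                hits[r.name].append(e["id"])
    return hits


def run_detection(events: List[dict]) -> Dict[str, List[int]]:
    """Filters first, then rules, as the Rules view describes event processing."""
    return run_rules(apply_filters(events, FILTERS), RULES)


def check_rule(rule: Rule, events: List[dict], expected_ids: Iterable[int]) -> Tuple[List[int], List[int]]:
    """Replay saved events through one rule, as the Testing tab does, and
    return (unexpected matches, expected events the rule missed)."""
    matched = {e["id"] for e in events if rule.condition(e)}
    expected = set(expected_ids)
    return sorted(matched - expected), sorted(expected - matched)


if __name__ == "__main__":
    print(run_detection(SAVED_EVENTS))
    print(check_rule(known_bad_source, SAVED_EVENTS, expected_ids=[1, 4]))
```

On the constructed events the scanner's SMB traffic (event 2) is filtered before the rules run, the lookup-table rule matches events 1, 4 and 5 (two inside the /24 entry, one exact address), and the RDP rule matches event 3. Replaying the lookup-table rule with only events 1 and 4 expected reports event 5 as an unexpected match, which is exactly the kind of discrepancy the Testing tab is there to surface before a custom rule is deployed.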
Table 2-8 describes the items that are displayed in the Monitors list in the left pane. It also describes the tabs that appear in the right pane when you make a selection from this list.
Table 2-8 Monitors
Displays the list of default monitors in the System Monitors folder and custom monitors in the User Monitors folder. Use the checkboxes to turn rules on and off.