Symantec Security Information Manager User Guide


Information Manager 4.7.4

User Guide

Documentation version: 4.7.4

Legal Notice

Copyright © 2011 Symantec Corporation. All rights reserved.

Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING,

PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.


other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec’s support offerings include the following:

■ A range of support options that give you the flexibility to select the right amount of service for any size organization

■ Telephone and/or web-based support that provides rapid response and up-to-the-minute information

■ Upgrade assurance that delivers software upgrades

■ Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis

■ Premium service offerings that include Account Management Services

For information about Symantec’s support offerings, you can visit our web site at the following URL:

www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Contacting Technical Support

Customers with a current support agreement may access Technical Support information at the following URL:

www.symantec.com/business/support/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:

■ Operating system

■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description:

■ Error messages and log files

■ Troubleshooting that was performed before contacting Symantec

■ Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support web page at the following URL:

www.symantec.com/business/support/

Customer service

Customer service information is available at the following URL: www.symantec.com/business/support/

Customer Service is available to assist with non-technical questions, such as the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates, such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information about product updates and upgrades

■ Information about upgrade assurance and support contracts

■ Information about the Symantec Buying Programs

■ Advice about Symantec's technical support options

■ Nontechnical presales questions

semea@symantec.com Europe, Middle-East, and Africa

supportsolutions@symantec.com North America and Latin America

Additional enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively. Enterprise services that are available include the following:

Managed Services: Managed Services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.

Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring, and management capabilities. Each is focused on establishing and maintaining the integrity and availability of your IT resources.

Education Services: Education Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about enterprise services, please visit our web site at the following URL:

www.symantec.com/business/services/

Technical Support ... 4

Section 1 Introducing Symantec Security Information Manager ... 15

Chapter 1 Overview ... 17

About Symantec Security Information Manager ... 17

What's new in this release ... 18

New features ... 19

About workflow in Information Manager ... 20

About Information Manager components ... 21

About security products and devices ... 22

About event collectors ... 22

About Information Manager servers ... 23

About the Symantec Global Intelligence Network ... 23

About the Information Manager Web service ... 23

About estimating system performance ... 24

Chapter 2 Symantec Security Information Manager Console ... 29

About the Information Manager console ... 29

About the Dashboard view ... 30

About the Intelligence view ... 31

About the Incidents view ... 32

About the Events view ... 35

About the Tickets view ... 37

About the Assets view ... 39

About the Reports view ... 41

About the Rules view ... 44

About the System view ... 61

About the Statistics view ... 62

About the features of the Information Manager console ... 63

About the incident and the alert monitors ... 63

Searching the notes ... 66

About user actions ... 68

Creating and modifying user actions ... 68

Opening the Information Manager console from the command line ... 69

Changing a password ... 70

Chapter 3 Symantec Security Information Manager Web configuration interface ... 71

About the Information Manager server Web configuration interface ... 71

Accessing the Web configuration interface ... 72

About the features of the Web configuration interface ... 72

Section 2 Planning for security management ... 77

Chapter 4 Managing the correlation environment ... 79

About the Correlation Manager ... 79

About the Correlation Manager knowledge base ... 80

About the default rules set ... 80

Chapter 5 Defining rules strategy ... 85

About creating the right rule set for your business ... 85

About defining a rules strategy ... 87

About correlation rules ... 87

About rule conditions ... 88

About rule types ... 89

About event criteria ... 93

About the Event Count, Span, and Table Size rule settings ... 96

About the Tracking Key and Conclusion Creation fields ... 96

About the Correlate By and Resource fields ... 98

Importing existing rules ... 99

Creating custom correlation rules ... 100

Creating a multicondition rule ... 104

Creating a correlation rule based on the X not followed by Y rule type ... 107

Creating a correlation rule based on the X not followed by X rule type ... 109

Creating a correlation rule for the Y not preceded by X rule type ... 111

Creating a correlation rule for the Lookup Table Update ... 113

Enabling and disabling rules ... 115

Working with the Lookup Tables window ... 115

Creating a user-defined Lookup Table ... 120

Importing Lookup Tables and records ... 121

Section 3 Getting started with the Information Manager ... 123

Chapter 6 Configuring the Console ... 125

About configuring Information Manager ... 125

Identifying critical systems ... 126

Adding a policy ... 127

Specifying networks ... 128

About customizations for a Service Provider Master console ... 129

Chapter 7 Managing roles and permissions ... 131

About managing roles ... 131

About the administrator roles ... 132

About the default roles in the Information Manager server ... 132

About planning for role creation ... 133

Creating a role ... 134

Editing role properties ... 140

Deleting a role ... 149

About working with permissions ... 149

About permissions ... 150

About the propagation of permissions ... 151

Modifying permissions from the Permissions dialog box ... 152

Chapter 8 Managing users and user groups ... 155

About users and passwords ... 155

Customizing the password policy ... 157

Creating a new user ... 158

Creating a user group ... 160

About editing user properties ... 161

Changing a user’s password ... 162

Specifying user business and contact information ... 162

About modifying user permissions ... 168

Modifying a user group ... 168

Deleting a user or a user group ... 169

About integrating Active Directory with the Information Manager server ... 170

Managing Active Directory configurations ... 170

Chapter 9 Managing organizational units and computers ... 173

About organizational units ... 173

About managing organizational units ... 173

Creating a new organizational unit ... 174

About determining the length of the organizational unit name ... 175

Editing organizational unit properties ... 176

About modifying organizational unit permissions ... 176

Deleting an organizational unit ... 177

About managing computers within organizational units ... 177

Creating computers within organizational units ... 178

About editing computer properties ... 179

Distributing configurations to computers in an organizational unit ... 197

Moving a computer to a different organizational unit ... 198

About modifying computer permissions ... 199

Deleting a computer from an organizational unit ... 199

Section 4 Understanding event collectors ... 201

Chapter 10 Introducing event collectors ... 203

About Event Collectors and Information Manager ... 203

Components of collectors ... 204

About Symantec Universal Collectors ... 205

About Custom Log Management ... 205

Downloading and installing the Symantec Universal Collectors ... 207

Correlating the logs collected in a file from a proprietary application ... 208

Chapter 11 Configuring collectors for event filtering and aggregation ... 211

Configuring event filtering ... 211

Configuring event aggregation ... 214

Section 5 Working with events and event archives ... 219

Chapter 12 Managing event archives ... 221

About events, conclusions, and incidents ... 221

About the Events view ... 222

About the event lifecycle ... 222

About event archives ... 224

About multiple event archives ... 224

Creating new event archives ... 225

Specifying event archive settings ... 226

Creating a local copy of event archives on a network computer ... 227

Restoring event archives ... 228

Viewing event data in the archives ... 230

About the event archive viewer right pane ... 231

Manipulating the event data histogram ... 231

Setting a custom date and time range ... 232

About viewing event details ... 232

Modifying the format of the event details table ... 233

Searching within event query results ... 235

Filtering event data ... 235

About working with event queries ... 239

Using the Source View query and Target View query ... 240

Creating query groups ... 241

Querying across multiple archives ... 241

Creating custom queries ... 242

Editing queries ... 248

Managing the color scheme that is used in query results ... 249

About querying for IP addresses ... 250

Importing queries ... 250

Exporting queries ... 251

Publishing queries ... 251

Scheduling queries that can be distributed as reports ... 337

About forwarding events to an Information Manager server ... 255

About registering a security directory ... 257

Registering Collectors ... 258

Registering with a security domain ... 259

Activating event forwarding ... 260

Stopping event forwarding ... 263

Chapter 14 Understanding event normalization ... 265

About event normalization ... 265

About normalization (.norm) files ... 267

Chapter 15 Collector-based event filtering and aggregation ... 269

About collector-based event filtering and aggregation ... 269

About identifying common events for collector-based filtering or aggregation ... 271

About preparing to create collector-based rules ... 272

Accessing event data in the Information Manager console ... 274

Creating collector-based filtering and aggregation specifications ... 275

Examples of collector-based filtering and aggregation rules ... 277

Filtering events generated by specific internal networks ... 277

Filtering common firewall events ... 278

Filtering common Symantec AntiVirus events ... 281

Filtering or aggregating vulnerability assessment events ... 282

Filtering Windows Event Log events ... 283

Section 6 Working with incidents ... 287

Chapter 16 Managing Incidents ... 289

About incident management ... 289

Incident identification ... 290

Example: Information Manager automates incident management during a Blaster worm attack ... 291

Threat containment, eradication, and recovery ... 291

Follow-up ... 291

Viewing incidents ... 291

Viewing and modifying the incident list ... 293

About creating and modifying incidents ... 294

Creating incidents manually ... 295

Modifying incidents ... 296

Merging incidents ... 297

Closing an incident ... 298

Reopening a closed incident ... 299

Printing incident details ... 299

Printing the incident, ticket, or asset list ... 300

Exporting the incident, ticket, or asset list ... 300

Assigning incidents automatically to the least busy member in a user group ... 302

Chapter 17 Working with filters in the Incidents view ... 303

About filtering incidents ... 303

Modifying a custom filter ... 303

Creating a custom filter ... 304

Deleting a custom filter ... 304

Searching within incident filtering results ... 305

Section 7 Working with tickets ... 307

Chapter 18 Managing tickets ... 309

About tickets ... 309

About creating tickets ... 310

Creating a ticket manually ... 310

Creating a ticket category ... 311

Viewing tickets ... 312

About the Ticket Details window ... 312

Viewing tickets associated with a specific incident ... 313

Setting ticket task dispositions ... 314

Changing the priority of a ticket ... 314

Adding a ticket note ... 315

Closing a ticket ... 315

Printing the ticket list ... 316

Chapter 19 Working with filters in Tickets view ... 317

Filtering tickets ... 317

Modifying a custom ticket filter ... 318

Importing assets into the Assets table ... 323

Section 8 Working with reports and dashboards ... 325

Chapter 21 Managing reports ... 327

Working with reports ... 327

About reports ... 327

Creating custom reports ... 327

Creating a report group or folder ... 330

Editing tabular queries in reports ... 331

Publishing reports ... 331

Enabling the email distribution of reports ... 332

Scheduling and distributing reports ... 333

Scheduling queries that can be distributed as reports ... 337

Modifying the report distribution ... 338

Viewing reports ... 339

Configuring a report for portrait or landscape mode ... 340

Printing and saving reports ... 341

Exporting reports ... 341

Importing reports ... 342

Performing a drill-down on reports ... 343

Chapter 22 Managing dashboards ... 345

About the dashboard ... 345

Viewing dashboards ... 346

Viewing queries in the Dashboard ... 348

Performing a drill-down on dashboards ... 348

Refreshing the dashboard ... 349

Customizing the dashboard ... 350

Section 1 Introducing Symantec Security Information Manager

■ Chapter 1. Overview

■ Chapter 2. Symantec Security Information Manager Console

■ Chapter 3. Symantec Security Information Manager Web configuration interface


Chapter 1 Overview

This chapter includes the following topics:

■ About Symantec Security Information Manager

■ What's new in this release

■ About workflow in Information Manager

■ About Information Manager components

■ About estimating system performance

About Symantec Security Information Manager

Information Manager provides real-time event correlation and data archiving to protect against security threats and to preserve critical security data. Information Manager collects and archives security events from across the enterprise. These events are correlated with the known asset vulnerabilities and current security information from the Global Intelligence Network. The resulting information provides the basis for real-time threat analysis and security incident identification. Information Manager archives the security data for forensic and regulatory compliance purposes.

Information Manager collects, analyzes, and archives information from security devices, critical applications, and services, such as the following:

■ Firewalls

■ Routers, switches, and VPNs

■ Enterprise antivirus

■ Intrusion detection systems and Intrusion Prevention Systems

■ Vulnerability scanners


Information Manager provides the following features to help you recognize and respond to threats in your enterprise:

■ Normalization and correlation of events from multiple vendors.

■ Event archives to retain events in both their original (raw) and normalized formats.

■ Distributed event filtering and aggregation to ensure that only relevant security events are correlated.

■ Real-time security intelligence updates from Global Intelligence Network. These updates keep you apprised of global threats and let you correlate internal security activity with external threats.

■ Customizable event correlation rules to let you fine-tune threat recognition and incident creation for your environment.

■ Security incident creation, ticketing, tracking, and remediation for quick response to security threats. Information Manager prioritizes incidents based upon the security policies that are associated with the affected assets.

■ An Event Viewer that lets you easily mine large amounts of event data and identify the computers and users that are associated with each event.

■ A client-based console from which you can view all security incidents and drill down to the related event details. These details include affected targets, associated vulnerabilities, and recommended corrective actions.

■ Predefined and customizable queries to help you demonstrate compliance with the security and the data retention policies in your enterprise.

■ A Web-based configuration interface that lets you view and customize the dashboard, configure settings, and manage events, incidents, and tickets remotely. You can download various utilities and perform routine maintenance tasks such as backup and restore. You can use the custom logs feature with the universal collectors to collect and map information from devices for which standard collectors are not available.

What's new in this release

Information Manager 4.7.4 contains enhanced features. It also includes fixes for the known issues that existed in the previous versions.

New features

Information Manager 4.7.4 includes the following new features in addition to fixes for known issues:

■ Symantec SIEM 9700 Series appliances

■ SSIM Web Start Client

■ Role-based access to the Event Query Templates

■ Navigation option for Event Storage Rules list

Symantec SIEM 9700 Series appliances

Symantec SIEM 9700 Series appliances are scalable security information and event management appliances that provide reliable performance with Information Manager software. The SIEM 9700 Series comprises three models: the 9750, the 9751, and the 9752. Each model provides 3.9TB of redundant event storage and a dedicated Remote Management Module for remote management of the appliance. In addition, the 9751 and 9752 provide enterprise connectivity through 8GB Fibre Channel. Each physical appliance can be combined seamlessly with virtual appliances to ease interoperability.

For more information, see the following guides:

Symantec SIEM 9700 Series Appliances Maintenance Guide

Symantec SIEM 9700 Series Appliances Installation Guide

Symantec SIEM 9700 Series Appliances Product Description Guide

Symantec SIEM 9700 Series Appliances Hardware Troubleshooting Guide

Symantec SIEM 9700 Series Appliances Safety Guide

See "New features" on page 19.

SSIM Web Start Client

By using SSIM Web Start Client, you can now reach the Information Manager console directly without downloading and installing the Information Manager console.

The Launch SSIM Web Start Client link, which is located on the logon page of the Information Manager Web configuration interface, launches the Information Manager console. You can also access this link from the Downloads option on the Home view of the Web configuration interface.

Event Query Templates. Access to Event Query Templates can be controlled based on the View Event Query Templates permission that is granted to a role. By default, this permission is enabled for new roles.

If the View Event Query Templates permission is disabled for a role, the user who is assigned this role cannot access the Templates folder on the Events view. If the View Event Query Templates permission is enabled for a role, the user who is assigned this role can access and run the Event Query Templates. See "Enabling access to the Event Query Templates" on page 142.

See "New features" on page 19.

Navigation option for Event Storage Rules list

A Move to top option and a Move to bottom option are now available in the Event Storage rules list. These options can be used to move a rule directly to the top or to the bottom of the list.

See "New features" on page 19.

About workflow in Information Manager

The Symantec Security Information Manager workflow includes the following steps:

■ Event collectors gather events from Symantec and third-party point products.

See "About Event Collectors and Information Manager" on page 203.

■ Events are filtered and aggregated.

See "Configuring event filtering" on page 211. See "Configuring event aggregation" on page 214.

■ Symantec Event Agent forwards both the raw and the processed events to the Information Manager server.

See "About forwarding events to an Information Manager server" on page 255. See "Activating event forwarding" on page 260.

■ The Information Manager server stores the event data in event archives.

See "About event archives" on page 224.

■ The Information Manager server correlates the events with threat and asset information based on the various correlation rules.

■ Security events that trigger a correlation rule create a security incident.

See "About incident management" on page 289.
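The workflow above, as an added toy model that is not part of the original guide or of the Information Manager product: two constructed vendor formats are normalized into one schema, allowed traffic is filtered out, repeats within a span are aggregated, and a count-threshold correlation rule keyed by source address opens an incident whose priority comes from the policy attached to the affected assets. The formats, field names, asset policies and thresholds are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
import re

# Constructed asset policies: the policy attached to a target decides incident priority.
ASSET_POLICY = {"10.2.2.9": "critical-servers", "dc01": "domain-controllers"}
POLICY_PRIORITY = {"critical-servers": 8, "domain-controllers": 10}

# Constructed raw events in two vendor formats: a firewall CSV line
# (ts,action,src,dst,port) and a Windows-style logon line. Timestamps are seconds.
RAW_EVENTS = [
    ("fw", "1000,deny,10.1.1.5,10.2.2.9,445"),
    ("fw", "1002,deny,10.1.1.5,10.2.2.9,445"),
    ("fw", "1003,allow,10.1.1.8,10.2.2.9,80"),
    ("win", "1010 FAIL user=alice src=10.1.1.5 host=dc01"),
    ("win", "1011 FAIL user=alice src=10.1.1.5 host=dc01"),
    ("fw", "1020,deny,10.1.1.7,10.2.2.9,22"),
    ("win", "1500 OK user=bob src=10.1.1.8 host=dc01"),
    ("fw", "not a firewall record"),
]

@dataclass
class Event:
    ts: int
    vendor: str
    outcome: str    # normalized to "deny", "fail" or "allow"
    src: str
    target: str
    count: int = 1  # number of identical events folded into this one by aggregation
    raw: str = ""   # original line, kept so the archive holds raw and normalized forms

FW_RE = re.compile(r"^(\d+),(allow|deny),([\d.]+),([\d.]+),\d+$")
WIN_RE = re.compile(r"^(\d+) (FAIL|OK) user=\S+ src=([\d.]+) host=(\S+)$")

def normalize(vendor, line):
    """Collector step: translate one vendor line into the common schema (None if unparseable)."""
    if vendor == "fw":
        m = FW_RE.match(line)
        if m:
            ts, outcome, src, dst = m.groups()
            return Event(int(ts), "fw", outcome, src, dst, raw=line)
    elif vendor == "win":
        m = WIN_RE.match(line)
        if m:
            ts, outcome, src, host = m.groups()
            return Event(int(ts), "win", "fail" if outcome == "FAIL" else "allow", src, host, raw=line)
    return None

def filter_events(events):
    """Collector-side filtering: allowed/successful activity is noise for this rule set."""
    return [e for e in events if e.outcome != "allow"]

def aggregate(events, span):
    """Fold identical (vendor, outcome, src, target) events that occur within `span` seconds into one."""
    out = []
    for e in sorted(events, key=lambda x: x.ts):
        for a in out:
            same = (a.vendor, a.outcome, a.src, a.target) == (e.vendor, e.outcome, e.src, e.target)
            if same and e.ts - a.ts <= span:
                a.count += 1
                break
        else:
            out.append(Event(e.ts, e.vendor, e.outcome, e.src, e.target, 1, e.raw))
    return out

def correlate(events, threshold, span):
    """Count rule with the source address as tracking key: `threshold` or more denied/failed
    events from one source within `span` seconds create an incident. Priority is the
    highest-valued policy among the affected targets (1 for assets with no policy)."""
    incidents = []
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    for src, evs in by_src.items():
        evs.sort(key=lambda x: x.ts)
        for first in evs:
            window = [x for x in evs if first.ts <= x.ts <= first.ts + span]
            total = sum(x.count for x in window)
            if total >= threshold:
                targets = sorted({x.target for x in window})
                priority = max(POLICY_PRIORITY.get(ASSET_POLICY.get(t, ""), 1) for t in targets)
                incidents.append({"src": src, "targets": targets, "events": total,
                                  "vendors": sorted({x.vendor for x in window}), "priority": priority})
                break  # one incident per source; a real rule would track state across windows
    return incidents

def run_pipeline(raw, span=60, threshold=3):
    """Collect -> normalize -> filter -> archive -> aggregate -> correlate."""
    normalized = [ev for ev in (normalize(v, line) for v, line in raw) if ev is not None]
    archived = filter_events(normalized)  # what the server would write to the event archive
    aggregated = aggregate(archived, span)
    return archived, aggregated, correlate(aggregated, threshold, span)

if __name__ == "__main__":
    archived, aggregated, incidents = run_pipeline(RAW_EVENTS)
    print(f"{len(archived)} events archived, {len(aggregated)} after aggregation")
    for inc in incidents:
        print(inc)
```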

About Information Manager components

Symantec Security Information Manager has the following components:

■ Security products and devices

See "About security products and devices" on page 22.

■ Event collectors

See "About event collectors" on page 22.

■ Information Manager servers

See "About Information Manager servers" on page 23.

■ Global Intelligence Network

See "About the Symantec Global Intelligence Network" on page 23.

■ Web service

See "About the Information Manager Web service" on page 23.

amounts of security data. Many firewalls can generate over 500 GB of security data per day; intrusion detection systems can trigger over 250,000 alerting incidents per week. Most security products store event data in a proprietary format, accessible only by the tools that the security products provide. To secure your enterprise effectively, you need to collect, normalize, and analyze the data from all parts of your enterprise.

See "About Information Manager components" on page 21.

About event collectors

Event collectors gather security events from a variety of event sources, such as databases, log files, and syslog applications. Event collectors translate the event data into a standard format, and optionally filter and aggregate the events. The event collectors then send the events to Symantec Security Information Manager. You can configure event collectors to also send the event data in its original format. You install event collectors either on the security product computer or at a location with access to the security product events. To facilitate installation and setup, event collectors for third-party firewalls are preinstalled on the Information Manager server. After the event collector is registered with Information Manager, you can configure event collector settings from the Information Manager console. The event collector settings include the event source specification and any event filter or aggregation rules.

Symantec provides event collectors for the following types of products:

■ Firewalls

■ Routers, switches, and VPNs

■ Intrusion detection and prevention systems

■ Vulnerability scanners

■ Web servers, filters, and proxies

■ Databases

■ Mail and groupware

■ Enterprise antivirus

■ Microsoft authentication services

For access to the extensive library of event collectors, visit Symantec support at the following Web site:

http://www.symantec.com/enterprise/support/

See "About Information Manager components" on page 21.

About Information Manager servers

Symantec Security Information Manager is hardware independent. You can install the Information Manager server on any approved hardware that meets the minimum system requirements.

You can deploy one or more Information Manager servers in various roles to satisfy the event gathering, archiving, and event correlation requirements for your enterprise. To account for traffic variation, a single Information Manager is only recommended for a security environment that generates up to 1,000 events per second (EPS) on average and that requires a maximum of 4 MB to 8 MB per day of event data storage. To increase the overall event processing rate, you can add multiple load sharing Information Managers to your deployment. You can configure each server for dedicated event collection, event archiving, or event correlation. In most cases, a combination of multiple servers that share the event and the incident processing load is preferred.

See "About Information Manager components" on page 21.

About the Symantec Global Intelligence Network

Information Manager has access to current vulnerability, attack pattern, and threat resolution information from the Threat and Vulnerability Management Service. The Symantec Global Intelligence Network powers the Threat and Vulnerability Management Service. The Symantec Global Intelligence Network is a comprehensive collection of vendor-neutral security data sources. The service is an authoritative source of information about known and emerging vulnerabilities, threats, risks, and global attack activity.

See "About Information Manager components" on page 21.

About the Information Manager Web service

The Web service of Symantec Security Information Manager lets you securely access and update the data that is stored on a server. You can use the Web service to publish event, asset, incident, ticket, and system setting information. You can also use the Web service to integrate Information Manager with help desk, inventory, or notification applications.

About estimating system performance

To estimate the performance of an Incident Manager server or set of servers, consider your unique environment. Information Manager integrates with a wide range of event collectors and by nature requires the customization of settings to match each environment. Hence, the physical performance depends greatly on the collectors and settings that you choose.

The events per second (EPS) rates that were observed under optimal circumstances are provided here for general planning purposes. You can create a rough estimate of system performance from the information in these tables. However, actual system performance may vary widely from these figures depending on your specific environment. Adjust your estimates over time as your policies, settings, and storage requirements are refined.

Table 1-1 lists the details of the hardware models that are used for testing the performance of the various roles of the Symantec Security Information Manager server.

The other tables list the roles in Information Manager on which the hardware models are tested. In addition, the tables list the corresponding methods in which the performances are calculated for each role.

Table 1-1 Hardware model specifications

Hardware   | RAM         | Processor type             | Cache size | CPU
-----------|-------------|----------------------------|------------|--------------------------------
HP DL 380  | 32 GB       | Single Quad Core processor | 6144 KB    | Intel Xeon CPU E5430 @ 2.66 GHz
HP DL 360  | 8 GB, 16 GB | Single Dual Core processor | 6144 KB    | Intel Xeon CPU E5405 @ 2.00 GHz
IBM X3550  | 8 GB, 16 GB | Single Dual Core processor | 6144 KB    | Intel Xeon CPU E5430 @ 2.66 GHz
Dell R610  | 8 GB        | Double Quad Core processor | 8192 KB    | Intel Xeon CPU E5520 @ 2.27 GHz
Dell R710  | 16 GB       | Double Quad Core processor | 8192 KB    | Intel Xeon CPU E5520 @ 2.27 GHz
Dell 1950  | 16 GB       | Single Quad Core processor | 4096 KB    | Intel Xeon CPU E5320 @ 1.86 GHz
Dell 2950  | 16 GB       | Single Quad Core processor | 6144 KB    | Intel Xeon CPU E5410 @ 2.33 GHz
Dell R710  | 32 GB       | Double Quad Core processor | 12 MB      | Intel Xeon CPU E5640 @ 2.67 GHz

The tables that are listed provide the typical EPS rates that are observed under test conditions for the recommended hardware in various roles. These numbers are intended as sample guidelines only, and vary greatly with each deployment.

Table 1-2 Performance figures for HP DL 380 with 32 GB RAM

Role                 | Input EPS | Output EPS | CPU utilization
---------------------|-----------|------------|----------------
All in One           | 10000     | 10000      | 60%
Collection only      | 10000     | 9100       | 55%
Correlation only     | 13000     | 13000      | 29%
Collection + Archive | 12000     | 12000      | 53%

Table 1-3 Performance figures for Dell R710 with 16 GB RAM

Role                 | Input EPS | Output EPS | CPU utilization
---------------------|-----------|------------|----------------
All in One           | 10000     | 10000      | 43%
Collection only      | 10000     | 9400       | 40%
Correlation only     | 12000     | 12000      | 23%
Collection + Archive | 12000     | 10450      | 40%

Table 1-4 Performance figures for Dell R610 with 8 GB RAM

CPU utilization Output EPS Input EPS Role 86% 8450 10000 All in One 74% 9000 10000 Collection only 86% 10650 12000 Correlation only

(26)

76% 8300

10000 Collection + Archive

Table 1-5 Performance figures for HP DL 380 with 16 GB RAM

CPU utilization Output EPS Input EPS Role 60% 10000 10000 All in One 55% 9100 10000 Collection only 37% 12000 12000 Correlation only 53% 12000 12000 Collection + Archive

Table 1-6 Performance figures for HP-DL 380 with 8 GB RAM

CPU utilization Output EPS Input EPS Role 60% 10000 10000 All in One 52% 9000 10000 Collection only 38% 12000 12000 Correlation only 57% 10000 10000 Collection + Archive

Table 1-7 Performance figures for IBM X3550 with 16 GB RAM

CPU utilization Output EPS Input EPS Role 90% 9000 10000 All in One 75% 11000 12000 Collection only 84% 10590 12000 Correlation only 75% 7800 10000 Collection + Archive

Table 1-8 Performance figures for Dell 2950 with 16 GB RAM

CPU utilization Output EPS Input EPS Role 60% 10000 10000 All in One 23% 12000 12000 Collection only

(27)

Table 1-8 Performance figures for Dell 2950 with 16 GB RAM (continued) CPU utilization Output EPS Input EPS Role 34% 12000 12000 Correlation only 50% 10000 10000 Collection + Archive

Table 1-9 Performance figures for Dell 1950 with 16 GB RAM

CPU utilization Output EPS Input EPS Role 60% 8600 10000 All in One 55% 10000 10000 Collection only 42% 12000 12000 Correlation only 52% 10000 10000 Collection + Archive

Table 1-10 Performance figures for HP-DL 360 with 8 GB RAM

CPU utilization Output EPS Input EPS Role 82% 8000 8000 All in One 50% 12000 12000 Collection only 86% 10000 10000 Correlation only 76% 8000 8000 Collection + Archive

Table 1-11 Performance figures for HP-DL 360 with 16 GB RAM

CPU utilization Output EPS Input EPS Role 82% 7000 7000 All in One 80% 9700 10000 Collection only 80% 10000 10000 Correlation only 75% 10000 10000 Collection + Archive

(28)

The roles in the tables are defined as follows:

All in One: Performance is calculated on an Information Manager server which performs the role of a collection server, an archiving server, and a correlation server.

Collection only: Performance is calculated on a collection server of a two-server, multiappliance setup. This setup consists of a collection server and a server performing the role of an archiving server and a correlation server.

Correlation only: Performance is calculated on a correlation server of a two-server, multiappliance setup. This setup consists of a server performing the role of a forwarding server as well as of an archiving server and a correlation server.

Collection + Archive: Performance is calculated on a server which performs the role of a collection server and of an archiving server of a two-server, multiappliance setup. This setup consists of a server performing the role of a collection server as well as of an archiving server and a correlation server.

The details of the setup that was used for the performance estimation are as follows:

■ The test run was performed with the summarizers turned off.

Symantec recommends that you disable summarizers on the Web configuration interface if you do not use summary queries. Summarizers are maintained in Symantec Security Information Manager 4.7 only to provide backward compatibility with previous versions of Information Manager.

■ The test run used a run feeder tool with an archive comprised of WEC, Juniper NetScreen, and Cisco PIX events.

■ The average event size that was used for performance is 512 bytes.

■ The time span to calculate the EPS for each test was 15 minutes, and the total time for the test was 67 hours.
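The guide says these figures can be used for a rough planning estimate but must be adjusted for each environment. The following Python script is an added planning example, not part of the Symantec guide or product: it transcribes a subset of the figures from Tables 1-2 to 1-11 (HP DL 380 with 32 GB, Dell R710 with 16 GB, Dell R610 with 8 GB, IBM X3550 with 16 GB) and projects them onto a planned input rate. The linear CPU-scaling assumption, the 70% CPU ceiling, and the "keeps up" test (output EPS at least equal to input EPS at the tested rate) are this example's own assumptions, not Symantec guidance.

```python
"""Rough EPS capacity check built on the figures in Tables 1-2 to 1-11.

Added planning example; it is not part of the Symantec guide or the product.
The Figure values are transcribed from the tables above (a subset of the
hardware models). Linear CPU scaling and the 70% CPU ceiling are this
example's own assumptions, not Symantec guidance.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Figure:
    input_eps: int   # events per second fed to the server during the test
    output_eps: int  # events per second the server actually processed
    cpu_pct: float   # observed CPU utilization at that input rate


# (hardware, role) -> observed test figure, copied from the tables above.
FIGURES = {
    ("HP DL 380 32 GB", "All in One"):           Figure(10000, 10000, 60),
    ("HP DL 380 32 GB", "Collection only"):      Figure(10000, 9100, 55),
    ("HP DL 380 32 GB", "Correlation only"):     Figure(13000, 13000, 29),
    ("HP DL 380 32 GB", "Collection + Archive"): Figure(12000, 12000, 53),
    ("Dell R710 16 GB", "All in One"):           Figure(10000, 10000, 43),
    ("Dell R710 16 GB", "Collection only"):      Figure(10000, 9400, 40),
    ("Dell R710 16 GB", "Correlation only"):     Figure(12000, 12000, 23),
    ("Dell R710 16 GB", "Collection + Archive"): Figure(12000, 10450, 40),
    ("Dell R610 8 GB", "All in One"):            Figure(10000, 8450, 86),
    ("Dell R610 8 GB", "Collection only"):       Figure(10000, 9000, 74),
    ("Dell R610 8 GB", "Correlation only"):      Figure(12000, 10650, 86),
    ("Dell R610 8 GB", "Collection + Archive"):  Figure(10000, 8300, 76),
    ("IBM X3550 16 GB", "All in One"):           Figure(10000, 9000, 90),
    ("IBM X3550 16 GB", "Collection only"):      Figure(12000, 11000, 75),
    ("IBM X3550 16 GB", "Correlation only"):     Figure(12000, 10590, 84),
    ("IBM X3550 16 GB", "Collection + Archive"): Figure(10000, 7800, 75),
}


def shortfall(fig):
    """Fraction of the offered input rate the server could not keep up with."""
    return round(1 - fig.output_eps / fig.input_eps, 4)


def estimate(hardware, role, target_input_eps, max_cpu_pct=70.0):
    """Project one (hardware, role) pair to a planned input rate.

    Assumption (this example's, not Symantec's): CPU utilization scales
    linearly with input EPS up to the tested rate. Above the tested rate the
    projection is not trusted at all, hence the within_tested_rate flag.
    """
    fig = FIGURES[(hardware, role)]
    projected_cpu = round(fig.cpu_pct * target_input_eps / fig.input_eps, 2)
    within_tested = target_input_eps <= fig.input_eps
    keeps_up = fig.output_eps >= fig.input_eps   # no backlog at the tested rate
    return {
        "hardware": hardware,
        "role": role,
        "projected_cpu_pct": projected_cpu,
        "within_tested_rate": within_tested,
        "keeps_up_at_tested_rate": keeps_up,
        "tested_shortfall": shortfall(fig),
        "recommended": within_tested and keeps_up and projected_cpu <= max_cpu_pct,
    }


def candidates(role, target_input_eps, max_cpu_pct=70.0):
    """Hardware models from the table that satisfy the role at the target
    rate, least loaded first."""
    hits = [estimate(hw, r, target_input_eps, max_cpu_pct)
            for (hw, r) in FIGURES if r == role]
    hits = [h for h in hits if h["recommended"]]
    return [h["hardware"] for h in sorted(hits, key=lambda h: h["projected_cpu_pct"])]


if __name__ == "__main__":
    for hw in candidates("Correlation only", 12000):
        print(hw)
```

The "keeps up" flag is the part worth reading first: a model whose output EPS fell short of its input EPS during the test (for example the Dell R610 in the All in One role) was already accumulating a backlog at that rate, so a CPU projection alone would overstate its headroom.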

Chapter 2

Symantec Security Information Manager Console

This chapter includes the following topics:

■ About the Information Manager console

■ About the features of the Information Manager console

About the Information Manager console

You must install the Java client of the Information Manager on a Microsoft Windows 2000, 2003, XP, or Vista computer to access the console. The client can be downloaded from the Home > Downloads view of the Web configuration interface.

The console of the Information Manager client enables you to perform the following security monitoring functions:

■ Define rules to identify security incidents.

■ Identify critical network hosts.

■ View Symantec Global Intelligence Network information.

■ Manage incidents.

■ Manage tickets.

■ Create reports.

■ Perform Service Provider management tasks.


About the features of the Information Manager console

The Information Manager console provides the following views:

■ Dashboard view

■ Intelligence view

■ Incidents view

■ Events view

■ Tickets view

■ Assets view

■ Reports view

■ Rules view

■ System view

■ Statistics view

See “About Information Manager components” on page 21.

About the Dashboard view

The Dashboard view on the console of the Information Manager client provides a high-level view of the critical security information in your environment. Information Manager users can customize the dashboard to display the required event, ticket, and incident information.

The Dashboard view provides an overview of the incident activity that is presented in the following default set of queries:

■ Closed incident count for each assignee by priority

■ Closed incident count for each assignee by severity

■ Open incident count for each assignee by severity

■ Open incident count for each assignee by priority

■ Count of both open incident and closed incident by assignee

■ Incidents count for each of the last seven days

The toolbar of the Dashboard view presents the following options:

Refreshes the queries.

Turn Auto Refresh On: Toggles the automatic refresh of the dashboard queries. When Auto Refresh is on, the dashboard queries are refreshed every five minutes, by default.

Add: Lets you add a new query to the dashboard.

Delete: Lets you remove a query from the dashboard. You can also remove the query by closing the query window.

Tile: Tiles the dashboard charts.

Cascade: Cascades the dashboard charts.

See “Viewing dashboards” on page 346. See “Customizing the dashboard” on page 350.

About the Intelligence view

The Intelligence view displays the security information that the Symantec Global Intelligence Network gathers. The Symantec Global Intelligence Network is a comprehensive collection of vendor-neutral security data sources. The service is an authoritative source of information about known and emerging vulnerabilities, threats, risks, and global attack activity.

The Intelligence view provides information about the current ThreatCon level. It also provides advice and instructions on how to guard against and respond to the current threats.

The Intelligence view presents detailed information under the following tabs:

Analyst Watch: The Analyst Watch tab provides information about IP addresses and URLs known to be involved in malicious activity.

IDS Statistics: The IDS Statistics tab displays the five most frequently occurring intrusion detection events. It also lists offending ISPs, IP addresses, destination ports, attack products, and source and destination countries.

IP addresses, destination ports, and source and destination countries.

AntiVirus Statistics: The AntiVirus Statistics tab displays the five most frequent corporate and consumer virus sample submissions.

Honeynet: The Honeynet tab displays up-to-date information from the Symantec Global Intelligence Network and data analysis of threats in the wild.

Note: The features that appear on the Intelligence view may vary depending on the type of Global Intelligence Network services subscription that you have purchased. Contact your Symantec sales representative for more information.

See “About the Information Manager console” on page 29.

About the Incidents view

The Incidents view lets you look at and manage Information Manager incidents. You can customize the Incidents view by selecting from the security filters or the alert filters, or by creating your own custom filter. When you select an incident filter, the incident list displays only the incidents that satisfy the filter criteria. Selecting an incident in the list updates the incident pane with the detailed information for the selected incident. To update the incident, modify the incident attributes and click Save. To maximize or minimize the display area for the incident pane, click the expand or collapse arrow in the upper-left corner.

Double-clicking an incident in the list opens the Incident Details dialog box. To update the incident, modify the incident information and then click the Save icon. To export the incident details, click the Export icon. The incident details are exported to a CSV file that you can save to the desired location on your computer. To edit multiple incidents, highlight the incidents, and edit settings in the Details tab.

From the Incidents view toolbar, you can perform the following tasks:

■ Select a filter to apply to the Incidents view.

The filters available for you depend on the roles to which you are assigned. The filters are grouped by Security Incidents, Alerts, and Custom filters in various states. See Table 2-1 on page 33.

■ Create a custom incident view filter.

■ Search for an incident by incident Reference ID.

■ Create a new incident.

■ Open the Incident Details dialog box for the selected incident.

■ Create a ticket for the selected incident or incidents.

■ Export the incident list to a file.

You can export the list in HTML, CSV, and XML format, as required.

■ Merge the selected incidents.

■ Close the selected incidents.

You must provide the disposition (for example, normal, false-positive, resolved, duplicate, or merged) and provide notes when you close an incident.

■ Lock the incident list.

You can lock the incident list to prevent the display of newly created or recently assigned incidents in the list. When you unlock the list, it is updated with the latest incidents.

Table 2-1 describes the Logical Groups for the filters.

Table 2-1 Logical Groups for filters

My Incidents: The incidents that are assigned to the current user. Following are the states of this group of incidents: Open, New, In-Work, Waiting, and Closed.

My Team Incidents: The incidents that are assigned to the current user's teams. Teams are created in the User Groups section of the System view, on the Administration tab. Following are the states of this group of incidents: Open, New, In-Work, Waiting, and Closed.

All Incidents: All incidents that have been created, both assigned and unassigned. Following are the states of this group of incidents: Open, New, In-Work, Waiting, and Closed.

Unassigned Open Incidents: All incidents which are open and unassigned.

The incident alerts assigned to the current user. Following are the states of this group of incidents: Open, New, In-Work, Waiting, and Closed.

Teams are created in the User Groups section of the System view, on the Administration tab. Following are the states of this group of incidents: Open, New, In-Work, Waiting, and Closed.

All Alerts: All incident alerts that have been created, both assigned and unassigned. Following are the states of this group of incidents: Open, New, In-Work, Waiting, and Closed.

Unassigned Open Alerts: All incident alerts that are open and unassigned.

Custom Filters: All user-defined incident and alert filters.

The Incidents view details pane contains tabs from which you can view or update the selected incident.

Table 2-2 lists the details pane tabs and their functions.

Table 2-2 Incident view details pane tabs

Details: Displays the incident details that include the ID, status, severity, description, creator, assignee, and priority.

Conclusions: Displays the event conclusions that are associated with the incident. To view the details of a conclusion that is associated with the incident, select a conclusion and click the Conclusion Details icon. You can also select an event from the list and view the particular event details.

Events: Displays the events that are associated with the incident. To view the details of an event that is associated with the incident, select the event and click the Event Details icon.

Targets: Displays the target computers that are associated with the incident. To view the details for a target computer, select the target computer and click the Details icon. To create an asset from a target computer, select the target computer and click the Create Asset icon.

Sources: Displays the source computers that are associated with the incident. To view details for a source computer, select the source computer and click the Details icon.

Displays a visual representation of the progress of the attack that generated the incident along with the Symantec Event Code.

Intelligence: Displays Symantec signature information, including the malicious code or vulnerability information that may be associated with the event. You can view the intelligence information that is organized by associated signatures or by target computers.

Tickets: Displays the tickets that have been created for the incident. To view the details of the tickets that are associated with the incident, select the ticket and click the Ticket Details icon. To create a ticket based on this incident, click the Create Ticket icon.

When you create a ticket, the Create Ticket dialog box includes the following tabs:

■ Details: Provides the fields that describe the characteristics of the ticket: a summary description, the priority, the ticket category, the creator of the ticket, the assignee of the ticket, and the related incidents.

■ Instructions: Lets you correlate Intelligence data from the Global Intelligence Network with the ticket, if information is available.

■ Tasks: Provides the fields to describe any additional remediation tasks that the creator of the ticket recommends. Note that the Tasks tab of the Create Ticket dialog differs from the steps that are listed in the Remediation tab for the incident. The Remediation tab contains the instructions that are automatically created when the incident is created, based on settings in the rule that triggered the incident.

Remediation: Displays the remediation suggestions that have been associated with the rule that triggered the incident. Remediation entries can be added to a rule on the Rules view.

Log: Displays the information that is available on the history of the incident. The incident history contains entries for incident creation, modifications, and closure. You can add entries to the log to record the information and the activities that are related to the incident.

See “About the Information Manager console” on page 29.

About the Events view

The Events view lets you explore the Information Manager event archives. Event archives contain correlated and uncorrelated event data from the security products that are set up to forward events to Symantec Security Information Manager. You can create multiple event archives that can be stored on any instance of Information Manager the archive is stored. The archives that are visible on the Events view are created with an ordered series of event storage rules. These rules are created on the System view.

To view the events that are stored in the event archives, you can use templates and queries to search for events you need to view. Templates are generally more complex preconfigured queries that can be customized with chosen parameters. System queries are the queries that focus on specific products or common aspects of security management.

When you run a template or a query, you set the parameters for the query, including which archives to search. Each template and query contains the parameters specific to data that the query harvests: for example, a specific IP address or a time range in which the search is to be conducted. After you run the query, the results are displayed in the right pane of the Events view. The presentation of data depends on each query, and can include graphs, pie charts, and lists of events.

If a query returns a list of events, you can click on a particular event to see the event details. You can change table columns if you want to see different information about the events. You can view details about a particular event by double-clicking the table row.

You can also filter data in the table so that it displays only the events that interest you. You can filter on a particular event parameter by right-clicking a cell and clicking Filter on cell. You can also filter results based on a unique column value. Alternatively, you can use the advanced filtering option to create a more complex query.

You can also use the Query Builder Wizard to query the event archives. This wizard helps you create the following types of queries:

■ Event queries

■ Trending queries

The trending feature is available only after you select the Event Query option.

■ Summary queries

■ Advanced SQL queries

Note: The Query Builder Wizard icon is available only when the folder for My Queries or Published Queries is selected.

(37)

Table 2-3 Events view left pane items

Local Event Archives: Access the static copies of the events that are archived and that are stored somewhere other than the Information Manager server. Local event archives are often created as a backup copy of an active archive. Local event archives are not updated after the copy of the archive has been made.

Templates: Provides a set of preconfigured query templates that generally provide a system-wide view of event activity. The templates use the parameters you choose, such as the event archives or the time period from which the query gathers information. A template can be customized by placing a copy in either the My Queries or the Published Queries folder and then adjusting the copy. Access to the Template queries is controlled based on the roles. See “Role-based access to the Event Query Templates” on page 20.

My Queries: Displays a list of queries that you have created for your own use. You can move any of these queries into the Published Queries folder to make them available to others.

Published Queries: Displays a list of the queries that have been created at your site and that you want some or all of your users to be able to use.

System Queries: Displays a list of queries that are included in the Information Manager package. You can use any of these queries as a template for a customized query. To create a customized query, export the selected query as a QML file, and then copy or import the query in the My Queries folder or the Published Queries folder. You can modify it as required.

You can schedule queries to be distributed in a report as a CSV file. See “About working with event queries” on page 239.

See “Viewing event data in the archives” on page 230.

About the Tickets view

The Tickets view lets you view and manage Information Manager tickets. You can customize the ticket view by selecting from one of several ticket filters, or by creating a custom ticket filter. The filters that are available to you depend upon the roles to which you have been assigned. When you select a ticket filter, the ticket list displays only the tickets that satisfy the filter criteria.

attributes and click Apply.

Double-clicking a ticket in the ticket list opens the Ticket Details dialog box. To update the ticket, modify the ticket information, and click Save or OK. You can edit multiple tickets simultaneously by opening a Ticket Details dialog box for each ticket to view or modify.

The Tickets view toolbar contains icons for the following tasks:

■ Select a filter to apply to the ticket view.

The filters that are available to you depend upon the roles to which you are assigned, and may include one or more of the following:

My Open Tickets: The open tickets that are associated with the incidents assigned to the current user

My Closed Tickets: The closed tickets that are associated with the incidents assigned to the current user

All Tickets: All tickets

All Open Tickets: The open tickets

All Closed Tickets: The closed tickets

My Assigned Tickets: All tickets that are assigned to the current user, both open and closed

■ Create a custom ticket view filter.

■ Search for a ticket by ticket ID.

■ Refresh the tickets view.

■ Open the Ticket Details dialog box for the selected ticket.

■ Export the list of tickets to a file.

The ticket preview pane contains tabs from which you can view or update the selected ticket.

Table 2-4 lists the preview pane tabs and their functions.

Table 2-4 Ticket preview pane tabs

Displays the ticket details such as the ID, summary, category, status, priority, timestamp, creator, and help desk assignee.

Incidents: Displays the incidents that are associated with the ticket. To associate a new incident with a ticket, click the Add icon. To disassociate an incident from the ticket, select the incident and click the Remove icon. To view the incident details, click the Incident Details icon. To close the incident from the tickets view, select the incident and click the Close icon.

Tasks: Displays the user tasks that are assigned to each ticket. To add a new task to the ticket, click the Add icon. To remove a task from the ticket, select the task and click the Remove icon. To edit tasks, select the task and click the Edit icon. To add intelligence to the task, click the Intelligence icon.

Instructions: Displays the instructions that are associated with the ticket. To add or modify the instructions, edit the field and click Save. The instruction field accepts a maximum of 3000 characters. The Instructions tab also displays the Reset icon. You can also use the Add Intelligence to Instructions icon.

Log: Displays the ticket history that contains entries for ticket creation, ticket modifications, and ticket closure. To add log entries to record information and the activities that are related to the ticket, click the Add icon.

See “About the Information Manager console” on page 29.

About the Assets view

The Assets view lets you view and manage Information Manager assets. Use the Assets view to identify critical assets in your environment, and track the incidents and the tickets that are related to those assets.

Identify the network assets that have one or more of the following attributes:

■ Host critical information or services

■ Host confidential information

■ Have specific roles on the network, such as firewall or vulnerability scanning devices

The correlation manager uses the asset information to identify and prioritize incidents. The correlation manager creates an incident when a threat exploits an asset's vulnerabilities. The correlation manager sets the incident priority based upon the confidentiality, integrity, and availability ratings that you assign to the asset.

The correlation rules depend upon the asset information, so identifying key network assets on the Assets view is a critical configuration step.

You can populate the list of assets in any of the following ways:

■ Manually add entries in the Assets view.

■ On the Incidents view, in the Targets tab for an incident, create assets based upon computers.

■ On the Events view, under System Queries > SSIM > SSIM System, create assets from the query results of the Source view query and Target view query.

■ On the Assets view, import a list of assets in XML or CSV format. For example, you can export a list of network computers from Microsoft Active Directory, convert the file to CSV format, and then import the file into the Information Manager.

■ Create assets by integrating Information Manager with a policy compliance assessment tool, such as Symantec Control Compliance Suite or Symantec Enterprise Security Manager.

■ Create assets by integrating Information Manager with a network vulnerability scanner. Use the Asset Detector rule under Monitor > System Monitors on the Rules view to choose the vulnerability scan products that automatically populate the assets table.

If you run vulnerability scans periodically on your network, lock the asset information for particular computers. If you lock an asset, the vulnerability scan does not modify the list of the services that are hosted on the asset. A vulnerability scan always updates the asset vulnerabilities, regardless of the asset lock status.
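The lock rule above has two halves that are easy to confuse: a locked asset keeps its service list as you set it, but its vulnerability list is still refreshed by every scan. The following Python code is an added illustration of that rule, not code from the Symantec guide or product. The Asset, ScanResult and Vulnerability types, the field names, the sample addresses (RFC 5737 documentation ranges) and the placeholder CVE and BugTraq IDs are this example's own constructions; the vulnerability fields mirror those shown on the Vulnerabilities tab (discovery date, CVE ID, BugTraq ID, description).

```python
"""Merge a vulnerability-scan result into an asset record under asset lock.

Added illustration (not code from the Symantec guide or product) of the rule
stated above: a locked asset keeps its service list unchanged, while its
vulnerability list is always refreshed from the scan. Field names, the
Asset/ScanResult types and the sample values are this example's own
assumptions; CVE and BugTraq IDs below are placeholders, not real advisories.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Vulnerability:
    discovered: str   # discovery date, as shown on the Vulnerabilities tab
    cve_id: str       # placeholder IDs in the sample data below
    bugtraq_id: str
    description: str


@dataclass(frozen=True)
class Asset:
    ip: str
    hostname: str
    locked: bool
    services: tuple = ()        # well-known services the host runs
    vulnerabilities: tuple = ()


@dataclass(frozen=True)
class ScanResult:
    ip: str
    services: tuple
    vulnerabilities: tuple


def merge_scan(asset, scan):
    """Apply one scan result to one asset, honouring the lock flag."""
    if scan.ip != asset.ip:
        raise ValueError(f"scan for {scan.ip} does not match asset {asset.ip}")
    # Vulnerabilities are replaced regardless of the lock;
    # services are replaced only when the asset is unlocked.
    services = asset.services if asset.locked else scan.services
    return replace(asset, services=services, vulnerabilities=scan.vulnerabilities)


def merge_all(assets, scans):
    """Merge a batch of scan results into a list of assets, keyed by IP.
    Assets without a matching scan are returned unchanged."""
    by_ip = {s.ip: s for s in scans}
    return [merge_scan(a, by_ip[a.ip]) if a.ip in by_ip else a for a in assets]


# Constructed sample data (RFC 5737 documentation addresses, placeholder IDs).
SCAN = ScanResult(
    ip="192.0.2.10",
    services=("http", "ssh", "telnet"),   # scanner now also sees telnet
    vulnerabilities=(
        Vulnerability("2011-01-15", "CVE-EXAMPLE-0001", "BID-EXAMPLE-1",
                      "placeholder: outdated web server"),
    ),
)
LOCKED = Asset("192.0.2.10", "web01", locked=True, services=("http", "ssh"))
UNLOCKED = Asset("192.0.2.10", "web01", locked=False, services=("http", "ssh"))

if __name__ == "__main__":
    print(merge_scan(LOCKED, SCAN).services)     # lock keeps ('http', 'ssh')
    print(merge_scan(UNLOCKED, SCAN).services)   # unlocked takes the scan's list
```

Running the two merges side by side shows why the guide tells you to lock assets when scans are periodic: an unlocked asset silently gains the extra "telnet" entry from the scan, while the locked one keeps the service list you curated and still receives the new vulnerability record.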

You can filter the view of the assets in your environment using the filtering options or asset groups.

Search for an asset from each of the views by entering the IP address or host name in the Search Asset field, and then clicking the Search icon.

Double-clicking an asset in the asset list opens the Asset Details dialog box. To update the asset, modify the asset fields and then click the Save icon. You can update multiple assets simultaneously by opening the Asset Editor dialog box for each asset to modify.

Table 2-5 lists the Assets view tabs and their functions.

Table 2-5 Assets view tabs

Details: Displays the network identification, description, priority, organization, operating system, and lock information for the selected asset.

Policies: Displays any policy that is applied to the selected asset. You can add policies to an asset from a customizable list of regulatory policies. To customize the list of available policies, select the Administration tab on the System view. You can also delete policies from the asset.

Services: Displays the network services that the selected computer hosts. You can add services to an asset from a customizable list of well-known services. To customize the list of services, select the Administration tab on the System view. You can also delete services from the asset.

Incidents: Lists any incidents that pertain to the selected asset. Using the incident list is a convenient way to monitor the security activity that is related to an asset.

Tickets: Lists any tickets that pertain to the selected asset. The ticket list is a convenient way to monitor the work-order activity that is related to an asset.

Vulnerabilities: Displays the discovery date, CVE ID, BugTraq ID, and description of any vulnerability that is discovered on the asset. The vulnerability information is tracked when the assets are imported from a vulnerability scanner.

See “About the Information Manager console” on page 29.

About the Reports view

The Reports view lets you create and manage Information Manager reports. To create a report, you insert one or more queries into a report template. You can also add graphic elements and text, including a header and footer. Reports can span multiple views, or you can subdivide a single view and insert multiple queries on that view.

import reports in RML format.

The Reports toolbar contains icons for report management tasks. The tasks available to you depend upon the roles to which you have been assigned, and may include one or more of the following:

■ Refresh the Explorer pane.

■ Create a folder.

■ Create a report.

■ Save a report.

■ Remove the selected report or folder.

■ Import a report from an RML format file.

■ Export the selected report to an RML format file.

■ Adjust the view settings for a report, including the view size and orientation.

■ Publish the selected report by placing the report in the Published Reports folder.

The Reports view has the following panes:

Explorer: The Explorer pane lets you manage the My Reports folder and the Published Reports folders, as well as any new folders that you create. When you create a report in the My Reports folder, it is only available to the user who created it. When you create a report in the Published Reports folder, it is available to all of the users who have the applicable permissions for the contents of the report. To publish a report, drag it from your private folder to the Published Reports folder. When you publish a report by dragging it into the Published Reports folder, the two reports are not linked.

In addition to creating, publishing, and deleting reports, you can create and delete report folders. You can also import reports, export reports, and move reports from one folder to another.

Properties: The Properties pane lets you view and edit the selected report property values, such as the background color or line thickness.

Report: The Report pane provides the tabs that let you design, preview, and distribute the selected report.

(43)

Table 2-6 describes the tabs that appear in the right pane when you create a new report or select an existing report from the list in the left pane.

Table 2-6 Report pane tabs

Design: Lets you specify and format the contents of your report. You can include multiple data queries, images, annotation text, and grids in your report. The queries that are available to you depend upon the roles to which you are assigned. For example, you may have access to queries that pertain to firewall and VPN data, but may not have access to queries on antivirus data.

Preview: Displays a preview of the report. You can also save or print the report from the Preview tab. You can also drill down on the following query types by clicking on the reports that are displayed:

■ Top N by Field

■ Trending for Top N by Field

■ Summary Data Queries

See “Performing a drill-down on reports” on page 343.

Distribute: Lets you schedule the report and specify report recipients. You can compose an email report notification message, attach the report as a PDF and RTF, or include a URL link to the report.

Note: When the recipient clicks on the URL link, the report can be accessed directly if the user has already logged on to the Web configuration interface using the host name of Information Manager. However, if the user has logged on using the IP address of Information Manager, then the user is prompted for authentication to access the report. You can also test the report distribution configuration with the Test option. The reports are immediately distributed after you perform the testing.

To schedule a report for distribution, you must first publish the report by placing it in the Published Reports folder.

Note: The Distribute option is available only for the Published Reports.

(44)

Manager uses to filter known false positives and declare security incidents. Default rules provide a starting point for determining the most common kinds of security incidents, including denial-of-service attacks and blended threats. The default filtering rules provide a set of common filters that can also be used to create customized filters. You can enable, disable, and fine-tune the default rules and filters based on the needs of your organization and the security products that are running.

The Rules view also includes folders for monitors and lookup tables. Monitoring rules are used to detect unexpected security-related changes to systems or periods of inactivity from the systems that are monitored. The lookup tables provide a set of tables that can be configured to list known malicious IP addresses, sensitive files, sensitive URLs, services, Trojan horses, and Windows events that can be used to fine-tune rules and filters. For example, if you have detected a set of IP addresses that routinely attempt to maliciously infiltrate your network, you can add these IP addresses to an IP address lookup table. You can then create a custom rule that checks the table for these known malicious IP addresses during rules processing.

When you define the actions that take place when an incident is triggered, you can create remediation notes. These notes appear on the Remediation tab for an incident that is created. When you add remediation information to a rule and save the changes, the remediation information is updated for the new and the existing incidents.

The Rules view toolbar contains icons for the following tasks:

■ Refresh the Rules list.

■ Create a rule.

■ Create a new folder.

■ Delete a rule.

■ Import rules.

■ Export rules.

■ Copy a rule.

■ Deploy a rule.

■ Revert changes to a rule.

■ Enable rules.

(45)

Each folder in the navigation tree includes two subfolders: a System subfolder and a User subfolder. By default, the System subfolder contains the predefined rules, filters, monitors, and lookup tables that are included with Information Manager.

You can enable or disable the items in the System subfolders; however, you cannot edit these predefined elements. To create a modified version of a predefined rule, filter, monitor, or lookup table, copy it, customize the copy, and save it in the corresponding User folder. A custom rule or lookup table takes no part in event processing until you both deploy and enable it.

Table 2-7 describes the items that are displayed in the Event Filters list in the left pane. It also describes the tabs that appear in the right pane when you make a selection from this list.

Table 2-7 Event filters

Item: Event Filters list
Description: Displays the list of default filters in the System Filters folder and custom filtering rules in the User Filters folder. Use the checkboxes to turn the rules on or off.

Item: Conditions tab
Description: Displays the event criteria that the filtering rules use to filter events. If you create a custom filter, you can add or remove event criteria from this pane.

Item: Testing tab
Description: Lets you test filtering rules against saved event data so that you can evaluate whether the rule filters when it should. This tool helps you fine-tune a rule to filter out the events that cause false positives. You can also debug the errors that prevent the rule from filtering events.

Item: History tab
Description: Shows the date and the time that a user last edited a rule.

Table 2-8 describes the items that are displayed in the Monitors list in the left pane. It also describes the tabs that appear in the right pane when you make a selection from this list.

Table 2-8 Monitors

Category: Monitors list
Description: Displays the list of default monitors in the System Monitors folder and custom monitors in the User Monitors folder. Use the checkboxes to turn the monitoring rules on or off.
