Symantec Security Information Manager 4.8

User Guide

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version: 4.8

Legal Notice

Copyright © 2012 Symantec Corporation. All rights reserved.

Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.


http://www.symantec.com

Printed in the United States of America. 10 9 8 7 6 5 4 3 2 1

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec’s support offerings include the following:

■ A range of support options that give you the flexibility to select the right amount of service for any size organization

■ Telephone and/or Web-based support that provides rapid response and up-to-the-minute information

■ Upgrade assurance that delivers software upgrades

■ Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis

■ Premium service offerings that include Account Management Services

For information about Symantec’s support offerings, you can visit our Web site at the following URL:

www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Contacting Technical Support

Customers with a current support agreement may access Technical Support information at the following URL:

www.symantec.com/business/support/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:


■ Operating system

■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description:

■ Error messages and log files

■ Troubleshooting that was performed before contacting Symantec

■ Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

www.symantec.com/business/support/

Customer service

Customer service information is available at the following URL: www.symantec.com/business/support/

Customer Service is available to assist with non-technical questions, such as the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates, such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information about product updates and upgrades

■ Information about upgrade assurance and support contracts

■ Information about the Symantec Buying Programs

■ Advice about Symantec's technical support options

■ Nontechnical presales questions

Contact the support agreement administration team for your region as follows:

[email protected] Asia-Pacific and Japan

[email protected] Europe, Middle-East, and Africa

[email protected] North America and Latin America


Technical Support ... 4

Section 1 Introducing Symantec Security Information Manager ... 15

Chapter 1 Overview ... 17

About Symantec Security Information Manager ... 17

About workflow in Information Manager ... 18

About Information Manager components ... 19

About security products and devices ... 20

About event collectors ... 20

About Information Manager servers ... 21

About the Symantec DeepSight ... 22

About the Information Manager Web service ... 22

Chapter 2 Symantec Security Information Manager Console ... 23

About the Information Manager console ... 23

About the Dashboard view ... 24

About the Intelligence view ... 25

About the Incidents view ... 26

About the Events view ... 29

About the Tickets view ... 31

About the Assets view ... 34

About the Reports view ... 36

About the Rules view ... 38

About the System view ... 56

About the Statistics view ... 57

About the features of the Information Manager console ... 58

About the incident and the alert monitors ... 58

About the event activity monitor ... 59

About the Notes feature ... 59

Creating and editing notes ... 60


About user actions ... 63

Creating and modifying user actions ... 63

Opening the Information Manager console from the command line ... 64

Changing a password ... 65

Chapter 3 Symantec Security Information Manager Web configuration interface ... 67

About the Information Manager Web interface ... 67

Accessing the Web configuration interface ... 68

About the features of the Web configuration interface ... 68

Section 2 Planning for security management ... 73

Chapter 4 Managing the correlation environment ... 75

About the Correlation Manager ... 75

About the Correlation Manager knowledge base ... 76

About the default rules set ... 76

Chapter 5 Defining rules strategy ... 81

About creating the right rule set for your business ... 81

About defining a rules strategy ... 83

About correlation rules ... 83

About rule conditions ... 84

About rule types ... 85

About event criteria ... 89

About the Event Count, Span, and Table Size rule settings ... 92

About the Tracking Key and Conclusion Creation fields ... 92

About the Correlate By and Resource fields ... 94

Importing existing rules ... 95

Creating custom correlation rules ... 96

Creating a multicondition rule ... 100

Creating a correlation rule based on the X not followed by Y rule type ... 105

Creating a correlation rule based on the X not followed by X rule type ... 107

Creating a correlation rule for the Y not preceded by X rule type ... 108

Creating a correlation rule for the Lookup Table Update ... 110

Enabling and disabling rules ... 112


Creating a user-defined Lookup Table ... 117

Importing Lookup Tables and records ... 119

Section 3 Getting started with the Information Manager ... 121

Chapter 6 Configuring the Console ... 123

About configuring Information Manager ... 123

Identifying critical systems ... 124

Adding a policy ... 126

Specifying networks ... 126

About customizations for a Service Provider Master console ... 127

Chapter 7 Managing roles and permissions ... 129

About managing roles ... 129

About the administrator roles ... 130

About the default roles in the Information Manager server ... 130

About planning for role creation ... 131

Creating a role ... 132

Editing role properties ... 135

Deleting a role ... 147

About working with permissions ... 147

About permissions ... 148

About the propagation of permissions ... 149

Modifying permissions from the Permissions dialog box ... 150

Chapter 8 Managing users and user groups ... 153

About users and passwords ... 153

Customizing the password policy ... 155

Creating a new user ... 156

Creating a user group ... 158

About editing user properties ... 159

Changing a user’s password ... 160

Specifying user business and contact information ... 160

Managing role assignments and properties ... 161

Managing user group assignments ... 162

Specifying notification information ... 164

About modifying user permissions ... 166

Modifying a user group ... 166


About integrating Active Directory with the Information Manager server ... 168

Managing Active Directory configurations ... 168

Changing the password for Linux accounts ... 170

Changing the password for symcmgmt Linux account ... 171

Chapter 9 Managing organizational units and computers ... 173

About organizational units ... 173

About managing organizational units ... 173

Creating a new organizational unit ... 174

About determining the length of the organizational unit name ... 175

Editing organizational unit properties ... 176

About modifying organizational unit permissions ... 176

Deleting an organizational unit ... 177

About managing computers within organizational units ... 177

Creating computers within organizational units ... 178

About editing computer properties ... 179

Distributing configurations to computers in an organizational unit ... 192

Moving a computer to a different organizational unit ... 193

About modifying computer permissions ... 194

Deleting a computer from an organizational unit ... 194

Section 4 Understanding event collectors ... 197

Chapter 10 Introducing event collectors ... 199

About Event Collectors and Information Manager ... 199

Collectors ... 200

About Symantec Universal Collectors ... 201

About Custom Log Management ... 201

Downloading and installing the Symantec Universal Collectors ... 203

Correlating the logs collected in a file from a proprietary application ... 204

Chapter 11 Configuring collectors for event filtering and aggregation ... 207

Configuring the event filtering rules ... 207


Section 5 Working with events and event archives ... 215

Chapter 12 Managing event archives ... 217

About events, conclusions, and incidents ... 217

About the Events view ... 218

About the event lifecycle ... 218

About event archives ... 220

About multiple event archives ... 220

Creating new event archives ... 221

Specifying event archive settings ... 222

Creating a local copy of event archives on a network computer ... 224

Restoring event archives ... 225

Viewing event data in the archives ... 226

About the event archive viewer right pane ... 227

Manipulating the event data histogram ... 227

Setting a custom date and time range ... 228

About viewing event details ... 229

Modifying the format of the event details table ... 229

Searching within event query results ... 231

Filtering event data ... 231

About working with event queries ... 236

Using the Source View query and Target View query ... 236

Creating query groups ... 237

Querying across multiple archives ... 237

Creating custom queries ... 238

Editing queries ... 244

Managing the color scheme that is used in query results ... 245

About querying for IP addresses ... 246

Importing queries ... 246

Exporting queries ... 247

Publishing queries ... 247

Scheduling queries that can be distributed as reports ... 248

Deleting queries ... 249

Chapter 13 Forwarding events to the Information Manager Server ... 251

About forwarding events to an Information Manager server ... 251

About registering a security directory ... 253

Registering Collectors ... 254


Activating event forwarding ... 256

Stopping event forwarding ... 259

Chapter 14 Understanding event normalization ... 261

About event normalization ... 261

About normalization (.norm) files ... 263

Chapter 15 Collector-based event filtering and aggregation ... 265

About collector-based event filtering and aggregation ... 265

About identifying common events for collector-based filtering or aggregation ... 267

About preparing to create collector-based rules ... 268

Accessing event data in the Information Manager console ... 270

Creating collector-based filtering and aggregation specifications ... 271

Examples of collector-based filtering and aggregation rules ... 273

Filtering events generated by specific internal networks ... 273

Filtering common firewall events ... 274

Filtering common Symantec AntiVirus events ... 277

Filtering or aggregating vulnerability assessment events ... 278

Filtering Windows Event Log events ... 279

Section 6 Working with incidents ... 283

Chapter 16 Managing Incidents ... 285

About incident management ... 285

Incident identification ... 286

Example: Information Manager automates incident management during a Blaster worm attack ... 287

Threat containment, eradication, and recovery ... 287

Follow-up ... 287

Viewing incidents ... 287

About the incident list ... 287

Viewing and modifying the incident list ... 289

About creating and modifying incidents ... 290

Creating incidents manually ... 291

Modifying incidents ... 292

Merging incidents ... 293

Closing an incident ... 294


Printing incident details ... 295

Printing the incident, ticket, or asset list ... 296

Exporting the incident, ticket, or asset list ... 296

Assigning incidents automatically to the least busy member in a user group ... 298

Chapter 17 Working with filters in the Incidents view ... 301

About filtering incidents ... 301

Modifying a custom filter ... 301

Creating a custom filter ... 302

Deleting a custom filter ... 302

Searching within incident filtering results ... 303

Section 7 Working with tickets ... 305

Chapter 18 Managing tickets ... 307

About tickets ... 307

About creating tickets ... 308

Creating a ticket manually ... 308

Creating a ticket category ... 309

Viewing tickets ... 310

About the Ticket Details window ... 310

Viewing tickets associated with a specific incident ... 311

Setting ticket task dispositions ... 312

Changing the priority of a ticket ... 312

Adding a ticket note ... 313

Closing a ticket ... 313

Printing the ticket list ... 314

Chapter 19 Working with filters in Tickets view ... 315

Filtering tickets ... 315

Modifying a custom ticket filter ... 316

Deleting a custom ticket filter ... 317

Chapter 20 Working with Assets ... 319

About the Assets view ... 319


Section 8 Working with reports and dashboards ... 323

Chapter 21 Managing reports ... 325

Working with reports ... 325

About reports ... 325

Creating custom reports ... 325

Creating a report group or folder ... 328

Editing tabular queries in reports ... 329

Publishing reports ... 329

Enabling the email distribution of reports ... 330

Scheduling and distributing reports ... 331

Modifying the report distribution ... 335

Viewing reports ... 335

Configuring a report for portrait or landscape mode ... 337

Printing and saving reports ... 337

Exporting reports ... 338

Importing reports ... 339

Performing a drill-down on reports ... 339

Chapter 22 Managing dashboards ... 343

About the dashboard ... 343

Viewing dashboards ... 344

Viewing queries in the Dashboard ... 346

Performing a drill-down on dashboards ... 346

Refreshing the dashboard ... 347

Customizing the dashboard ... 348

Introducing Symantec Security Information Manager

■ Chapter 1. Overview

■ Chapter 2. Symantec Security Information Manager Console

■ Chapter 3. Symantec Security Information Manager Web configuration interface


Overview

This chapter includes the following topics:

■ About Symantec Security Information Manager

■ About workflow in Information Manager

■ About Information Manager components

About Symantec Security Information Manager

Information Manager provides real-time event correlation and data archiving to protect against security threats and to preserve critical security data. Information Manager collects and archives security events from across the enterprise. These events are correlated with the known asset vulnerabilities and current security information from Symantec DeepSight. The resulting information provides the basis for real-time threat analysis and security incident identification. Information Manager archives the security data for forensic and regulatory compliance purposes.

Information Manager collects, analyzes, and archives information from security devices, critical applications, and services.

Information Manager provides the following features to help you recognize and respond to threats in your enterprise:

■ Normalization and correlation of events from multiple vendors.

■ Event archives to retain events in both their original (raw) and normalized formats.

■ Distributed event filtering and aggregation to ensure that only relevant security events are correlated.


■ Real-time security intelligence updates from Symantec DeepSight. These updates keep you apprised of global threats and let you correlate internal security activity with external threats.

■ Customizable event correlation rules to let you fine-tune threat recognition and incident creation for your environment.

■ Security incident creation, ticketing, tracking, and remediation for quick response to security threats. Information Manager prioritizes incidents based upon the security policies that are associated with the affected assets.

■ An Event Viewer that lets you easily mine large amounts of event data and identify the computers and users that are associated with each event.

■ A client-based console from which you can view all security incidents and drill down to the related event details. These details include affected targets, associated vulnerabilities, and recommended corrective actions.

■ Predefined and customizable queries to help you demonstrate compliance with the security and the data retention policies in your enterprise.

■ A Web-based interface that lets you view and customize the dashboard, configure settings, and manage events, incidents, and tickets remotely. You can download various utilities and perform routine maintenance tasks such as backup and restore. You can use the custom logs feature with the universal collectors to collect and map information from devices for which standard collectors are not available.

About workflow in Information Manager

The Symantec Security Information Manager workflow includes the following steps:

■ Event collectors gather events from Symantec and third-party point products. See “About Event Collectors and Information Manager” on page 199.

■ Events are filtered and aggregated. See “Configuring the event filtering rules” on page 207. See “Configuring event aggregation” on page 210.

■ Symantec Event Agent forwards both the raw and the processed events to the Information Manager server. See “About forwarding events to an Information Manager server” on page 251. See “Activating event forwarding” on page 256.

■ The Information Manager server stores the event data in event archives. See “About event archives” on page 220.

■ The Information Manager server correlates the events with threat and asset information based on the various correlation rules. See “About the Correlation Manager” on page 75.

■ Security events that trigger a correlation rule create a security incident. See “About incident management” on page 285.
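The last two steps of the workflow, correlation and incident creation, are easier to reason about with a concrete rule in front of you. The Python below is an added example, not code from the Symantec guide or the product: it runs a count-threshold rule of the kind the guide's Event Count, Span and Tracking Key settings describe over constructed, already-normalized events, and prioritizes the resulting incident from an asset policy, as the guide says Information Manager does. The rule name, the event schema, the asset policy table, the 1 to 5 severity scale and the priority formula are all assumptions made for the example.

```python
from datetime import datetime, timedelta

def t(clock):
    """Helper for the constructed sample: every event falls on one day."""
    return datetime.fromisoformat("2012-03-01T" + clock)

# Constructed, already-normalized events in the form a collector would
# forward. Not real data. 203.0.113.5 fails five times within two minutes
# against 10.0.0.10 and keeps going; 198.51.100.9 fails only twice.
EVENTS = [
    {"time": t("10:00:00"), "type": "auth_failure", "src_ip": "203.0.113.5", "dst_ip": "10.0.0.10"},
    {"time": t("10:00:10"), "type": "auth_failure", "src_ip": "198.51.100.9", "dst_ip": "10.0.0.20"},
    {"time": t("10:00:15"), "type": "auth_failure", "src_ip": "203.0.113.5", "dst_ip": "10.0.0.10"},
    {"time": t("10:00:20"), "type": "auth_failure", "src_ip": "198.51.100.9", "dst_ip": "10.0.0.20"},
    {"time": t("10:00:30"), "type": "auth_success", "src_ip": "203.0.113.5", "dst_ip": "10.0.0.10"},
    {"time": t("10:00:45"), "type": "auth_failure", "src_ip": "203.0.113.5", "dst_ip": "10.0.0.10"},
    {"time": t("10:01:00"), "type": "auth_failure", "src_ip": "203.0.113.5", "dst_ip": "10.0.0.10"},
    {"time": t("10:01:30"), "type": "auth_failure", "src_ip": "203.0.113.5", "dst_ip": "10.0.0.10"},
    {"time": t("10:01:50"), "type": "auth_failure", "src_ip": "203.0.113.5", "dst_ip": "10.0.0.10"},
    {"time": t("10:05:00"), "type": "auth_failure", "src_ip": "203.0.113.5", "dst_ip": "10.0.0.10"},
]

# Hypothetical asset policy: the criticality assigned to monitored hosts.
ASSET_POLICY = {"10.0.0.10": "critical", "10.0.0.20": "standard"}

# Illustrative rule laid out like the guide's settings: event criteria,
# Tracking Key, Event Count and Span. Severity uses an assumed 1..5 scale.
RULE = {
    "name": "Repeated authentication failures from one source",
    "criteria": lambda e: e["type"] == "auth_failure",
    "tracking_key": "src_ip",
    "event_count": 5,
    "span": timedelta(seconds=120),
    "severity": 3,
}

def priority(severity, targets, asset_policy):
    """Assumed formula: raise the rule severity by the most critical target
    asset, capped at 5. Hosts missing from the policy count as 'standard'."""
    bump = {"critical": 2, "high": 1, "standard": 0}
    best = max(bump.get(asset_policy.get(ip, "standard"), 0) for ip in targets)
    return min(severity + best, 5)

def correlate(events, rule, asset_policy):
    """Sliding-window count rule. One window per tracking key opens at the
    first matching event and lasts for `span`. When the window reaches
    `event_count` a single incident is created; later events in the same
    window are attached to that incident instead of creating duplicates."""
    windows = {}
    incidents = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if not rule["criteria"](ev):
            continue
        key = ev[rule["tracking_key"]]
        win = windows.get(key)
        if win is None or ev["time"] - win["start"] > rule["span"]:
            win = windows[key] = {"start": ev["time"], "events": [], "incident": None}
        win["events"].append(ev)
        if win["incident"] is not None:
            win["incident"]["events"].append(ev)
        elif len(win["events"]) >= rule["event_count"]:
            targets = sorted({e["dst_ip"] for e in win["events"]})
            incident = {
                "rule": rule["name"],
                "tracking_key": key,
                "targets": targets,
                "severity": rule["severity"],
                "priority": priority(rule["severity"], targets, asset_policy),
                "events": list(win["events"]),
            }
            win["incident"] = incident
            incidents.append(incident)
    return incidents

if __name__ == "__main__":
    for inc in correlate(EVENTS, RULE, ASSET_POLICY):
        print(inc["rule"], inc["tracking_key"], inc["targets"],
              "severity", inc["severity"], "priority", inc["priority"],
              "events", len(inc["events"]))
```

Two design points carry over to real rule writing: the window is keyed on the Tracking Key alone, so the same source hammering several targets still yields one incident that lists all of them, and the sixth failure at 10:01:50 is folded into the open incident rather than opening a second one, which is what keeps a noisy source from flooding the incident list.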

About Information Manager components

Symantec Security Information Manager has the following components:

■ Security products and devices. See “About security products and devices” on page 20.

■ Symantec Event Agent

■ Event collectors. See “About event collectors” on page 20.

■ Information Manager servers. See “About Information Manager servers” on page 21.

■ DeepSight. See “About the Symantec DeepSight” on page 22.

■ Web service


Figure 1-1 Components in an Information Manager setup

About security products and devices

The security products and devices in your enterprise can generate overwhelming amounts of security data. Many firewalls can generate over 500 GB of security data per day; intrusion detection systems can trigger over 250,000 alerting incidents per week. Most security products store event data in a proprietary format, accessible only by the tools that the security products provide. To secure your enterprise effectively, you need to collect, normalize, and analyze the data from all parts of your enterprise.

See “About Information Manager components” on page 19.

About event collectors

Event collectors gather security events from a variety of event sources, such as databases, log files, and syslog applications. Event collectors translate the event data into a standard format, and optionally filter and aggregate the events. The event collectors then send the events to Symantec Security Information Manager. You can configure event collectors to also send the event data in its original format. You install event collectors either on the security product computer or at a location with access to the security product events. To facilitate installation and setup, event collectors for third-party firewalls are preinstalled on the Information Manager server. After the event collector is registered with Information Manager, you can configure event collector settings from the Information Manager console. The event collector settings include the event source specification and any event filter or aggregation rules.
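The paragraph above names three things a collector does before anything reaches the server: translate events into a standard format (while keeping the original), filter, and aggregate. The Python below is an added illustration of those three steps, not code from the Symantec guide or from any Symantec collector. The syslog-style line format, the hypothetical device name fw1, the sample lines, the internal network range and the normalized field names are all constructed for the example.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample input, not real device output: syslog-style lines from a
# hypothetical firewall "fw1". The last line is deliberately malformed.
RAW_LINES = [
    "2012-03-01T10:00:00 fw1 DENY TCP 203.0.113.5:51000 -> 10.0.0.10:22",
    "2012-03-01T10:00:02 fw1 DENY TCP 203.0.113.5:51001 -> 10.0.0.10:22",
    "2012-03-01T10:00:04 fw1 DENY TCP 203.0.113.5:51002 -> 10.0.0.10:22",
    "2012-03-01T10:00:05 fw1 ACCEPT TCP 10.0.0.7:40000 -> 10.0.0.10:22",
    "2012-03-01T10:00:08 fw1 DENY UDP 198.51.100.9:7000 -> 10.0.0.10:53",
    "2012-03-01T10:02:30 fw1 DENY TCP 203.0.113.5:51003 -> 10.0.0.10:22",
    "2012-03-01T10:02:31 fw1 this line does not match the format",
]

# Assumed internal address space used by the filter rule.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) (?P<action>ACCEPT|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def normalize(raw):
    """Map one raw line onto the common schema. The raw text rides along so
    the archive can keep both forms. Returns None when the line does not parse."""
    m = LINE_RE.match(raw)
    if not m:
        return None
    return {
        "time": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
        "device": m["device"],
        "action": m["action"],
        "proto": m["proto"],
        "src_ip": m["src"],
        "dst_ip": m["dst"],
        "dst_port": int(m["dport"]),
        "raw": raw,
    }

def from_internal(event, internal_nets):
    """Filter rule: true when the event's source address is on an internal network."""
    ip = ip_address(event["src_ip"])
    return any(ip in net for net in internal_nets)

def aggregate(events, span_seconds):
    """Collapse events with the same key that fall within span_seconds of the
    first event of their group into one record carrying a count and every raw
    line. The source port is left out of the key because it is ephemeral."""
    open_groups = {}
    closed = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["src_ip"], ev["dst_ip"], ev["dst_port"], ev["proto"], ev["action"])
        grp = open_groups.get(key)
        if grp and (ev["time"] - grp["first_time"]).total_seconds() <= span_seconds:
            grp["count"] += 1
            grp["last_time"] = ev["time"]
            grp["raw"].append(ev["raw"])
            continue
        if grp:
            closed.append(grp)
        open_groups[key] = {
            **{k: ev[k] for k in ("device", "action", "proto", "src_ip", "dst_ip", "dst_port")},
            "first_time": ev["time"], "last_time": ev["time"],
            "count": 1, "raw": [ev["raw"]],
        }
    closed.extend(open_groups.values())
    return sorted(closed, key=lambda g: g["first_time"])

def collect(lines, internal_nets=INTERNAL_NETS, span_seconds=60):
    """One collector pass: normalize, filter, aggregate. Lines that do not
    parse are kept verbatim rather than silently dropped."""
    kept, unparsed, filtered = [], [], 0
    for raw in lines:
        ev = normalize(raw)
        if ev is None:
            unparsed.append(raw)
        elif from_internal(ev, internal_nets):
            filtered += 1
        else:
            kept.append(ev)
    return {"events": aggregate(kept, span_seconds), "filtered": filtered, "unparsed": unparsed}

if __name__ == "__main__":
    result = collect(RAW_LINES)
    for g in result["events"]:
        print(g["count"], g["action"], g["proto"], g["src_ip"], "->", g["dst_ip"], g["dst_port"])
    print("filtered:", result["filtered"], "unparsed:", len(result["unparsed"]))
```

With a 60-second span the three SSH denies at 10:00:00 to 10:00:04 become one record with a count of 3 and all three raw lines attached, the deny at 10:02:30 starts a fresh record because it falls outside the window of the first, the internal ACCEPT is dropped by the filter, and the malformed line is retained unparsed. Retaining unparsed lines matters in practice: a device firmware update that changes the log format should show up as a rising unparsed count, not as events quietly vanishing from the archive.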

Symantec provides event collectors for the following types of products:

■ Firewalls

■ Routers, switches, and VPNs

■ Intrusion detection and prevention systems

■ Vulnerability scanners

■ Web servers, filters, and proxies

■ Databases

■ Mail and groupware

■ Enterprise antivirus

■ Microsoft authentication services

■ Windows and UNIX system logs

For access to the extensive library of event collectors, visit Symantec support at the following Web site:

http://www.symantec.com/enterprise/support/

See “About Information Manager components” on page 19.

About Information Manager servers

The Information Manager server can be installed on any approved hardware that meets the minimum system requirements.

You can deploy one or more Information Manager servers in various roles to satisfy the event gathering, archiving, and event correlation requirements for your enterprise. To account for traffic variation, a single Information Manager is recommended only for a security environment that generates up to 1,000 events per second (EPS) on average and that requires at most 4 GB to 8 GB of event data storage per day. (Sanity check when sizing: a sustained 1,000 EPS is 86.4 million events per day, so per-day storage at that rate is measured in gigabytes, not megabytes.) To increase the overall event processing rate, you can add multiple load-sharing Information Managers to your deployment.

You can configure each server for dedicated event collection, event archiving, or event correlation. In most cases, a combination of multiple servers that share the event and incident processing load is preferred.


About Symantec DeepSight

Information Manager has access to current vulnerability, attack pattern, and threat resolution information from the Threat and Vulnerability Management Service, which is powered by Symantec DeepSight. Symantec DeepSight is a comprehensive collection of vendor-neutral security data sources and an authoritative source of information about known and emerging vulnerabilities, threats, risks, and global attack activity.

See “About Information Manager components” on page 19.

About the Information Manager Web service

The Web service of Symantec Security Information Manager lets you securely access and update the data that is stored on a server. You can use the Web service to publish event, asset, incident, ticket, and system setting information. You can also use the Web service to integrate Information Manager with help desk, inventory, or notification applications.

See “About Information Manager components” on page 19.

For more information on interfacing your application to use the Web service, see the application documentation or your application vendor.

Symantec Security Information Manager Console

This chapter includes the following topics:

■ About the Information Manager console

■ About the features of the Information Manager console

About the Information Manager console

To access the console, you must install the Information Manager Java client on a computer that runs Microsoft Windows Server 2003, Windows XP, Windows Vista, Windows Server 2008 R2, or Windows 7. The client can be downloaded from the Home > Downloads view of the Information Manager Web interface.

The console of the Information Manager client enables you to perform the following security monitoring functions:

■ Define rules to identify security incidents.

■ Identify critical network hosts.

■ View Symantec Global Intelligence Network information.

■ Manage incidents.

■ Manage tickets.

■ Create reports.

■ Connect Symantec Information Manager with Symantec Managed Security Services (MSS). MSS combines global threat intelligence, enterprise-wide monitoring, advanced analytics, and expert staff to provide 24x7 security monitoring and protection for enterprises from known and emerging threats.

■ Perform Service Provider management tasks.

The console consists of the following views that help you manage the Information Manager server:

■ Dashboard view

■ Intelligence view

■ Incidents view

■ Events view

■ Tickets view

■ Assets view

■ Reports view

■ Rules view

■ System view

■ Statistics view

See “About Information Manager components” on page 19.

About the Dashboard view

The Dashboard view on the console of the Information Manager client provides a high-level view of the critical security information in your environment. Information Manager users can customize the dashboard to display the required event, ticket, and incident information.

The Dashboard view provides an overview of the incident activity that is presented in the following default set of queries:

■ Closed incident count for each assignee by priority

■ Closed incident count for each assignee by severity

■ Open incident count for each assignee by severity

■ Open incident count for each assignee by priority

■ Count of both open incident and closed incident by assignee

■ Incidents count for each of the last seven days

The Dashboard view toolbar provides the following options:

■ Refresh: Refreshes the queries.

■ Turn Auto Refresh On: Toggles the automatic refresh of the dashboard queries. When Auto Refresh is on, the dashboard queries are refreshed every five minutes by default.

■ Add: Lets you add a new query to the dashboard.

■ Delete: Lets you remove a query from the dashboard. You can also remove the query by closing the query window.

■ Tile: Tiles the dashboard charts.

■ Cascade: Cascades the dashboard charts.

See “Viewing dashboards” on page 344. See “Customizing the dashboard” on page 348.

About the Intelligence view

The Intelligence view displays the security information that the Symantec Global Intelligence Network gathers. The Symantec Global Intelligence Network is a comprehensive collection of vendor-neutral security data sources. The service is an authoritative source of information about known and emerging vulnerabilities, threats, risks, and global attack activity.

The Intelligence view provides information about the current ThreatCon level. It also provides advice and instructions on how to guard against and respond to the current threats.

The Intelligence view presents detailed information under the following tabs:

■ Analyst Watch: Provides information about IP addresses and URLs known to be involved in malicious activity.

■ IDS Statistics: Displays the five most frequently occurring intrusion detection events. It also lists offending ISPs, IP addresses, destination ports, attack products, and source and destination countries.

■ Firewall Statistics: Displays the top five ports on the rise and lists offending ISPs, IP addresses, destination ports, and source and destination countries.

■ AntiVirus Statistics: Displays the five most frequent corporate and consumer virus sample submissions.

■ Honeynet: Displays up-to-date information from the Symantec Global Intelligence Network and data analysis of threats in the wild.

Note: The features that appear on the Intelligence view may vary depending on the type of Global Intelligence Network services subscription that you have purchased. Contact your Symantec sales representative for more information.

See “About the Information Manager console” on page 23.

About the Incidents view

The Incidents view lets you view and manage Information Manager incidents. You can customize the Incidents view by selecting one of the security filters or alert filters, or by creating your own custom filter. When you select an incident filter, the incident list displays only the incidents that satisfy the filter criteria. Selecting an incident in the list updates the incident pane with the detailed information for the selected incident. To update the incident, modify the incident attributes and click Save. To maximize or minimize the display area of the incident pane, click the expand or collapse arrow in the upper-left corner.

Double-clicking an incident in the list opens the Incident Details dialog box. To update the incident, modify the incident information and then click the Save icon. To export the incident details, click the Export icon. The incident details are exported to a CSV file that you can save to the desired location on your computer. To edit multiple incidents, highlight the incidents, and edit settings in the Details tab.

From the Incidents view, you can perform the following tasks:

■ Select a filter to apply to the Incidents view. The filters available to you depend on the roles to which you are assigned. The filters are grouped by Security Incidents, Alerts, and Custom filters in various states. See Table 2-1 on page 27.

■ Create a custom incident view filter.

■ Search for an incident by incident Reference ID.

■ Create a new incident.

■ Open the Incident Details dialog box for the selected incident.

■ Create a ticket for the selected incident or incidents.

■ Export the incident list to a file.

You can export the list in HTML, CSV, and XML format, as required.

■ Merge the selected incidents.

■ Close the selected incidents.

You must provide the disposition (for example, normal, false-positive, resolved, duplicate, or merged) and provide notes when you close an incident.

■ Lock the incident list.

You can lock the incident list to prevent the display of newly created or recently assigned incidents in the list. When you unlock the list, it is updated with the latest incidents.

Table 2-1 describes the Logical Groups for the filters.

Table 2-1 Logical Groups for filters

My Incidents: The incidents that are assigned to the current user. This group of incidents has the following states: Open, New, In-Work, Waiting, and Closed.

My Team Incidents: The incidents that are assigned to the current user's teams. Teams are created in the User Groups section of the System view, on the Administration tab. States: Open, New, In-Work, Waiting, and Closed.

All Incidents: All incidents that have been created, both assigned and unassigned. States: Open, New, In-Work, Waiting, and Closed.

Unassigned Open Incidents: All incidents that are open and unassigned.

My Alerts: The incident alerts that are assigned to the current user. States: Open, New, In-Work, Waiting, and Closed.

My Team Alerts: The incident alerts that are assigned to the current user's teams. Teams are created in the User Groups section of the System view, on the Administration tab. States: Open, New, In-Work, Waiting, and Closed.

All Alerts: All incident alerts that have been created, both assigned and unassigned. States: Open, New, In-Work, Waiting, and Closed.

Unassigned Open Alerts: All incident alerts that are open and unassigned.

Custom Filters: All user-defined incident and alert filters.

The Incidents view details pane contains tabs from which you can view or update the selected incident.

Table 2-2 lists the details pane tabs and their functions.

Table 2-2 Incident view details pane tabs

Details: Displays the incident details, which include the ID, status, severity, description, creator, assignee, and priority.

Conclusions: Displays the event conclusions that are associated with the incident. To view the details of a conclusion, select it and click the Conclusion Details icon. You can also select an event from the list and view that event's details.

Events: Displays the events that are associated with the incident. To view the details of an event, select it and click the Event Details icon.

Targets: Displays the target computers that are associated with the incident. To view the details for a target computer, select it and click the Details icon. To create an asset from a target computer, select it and click the Create Asset icon.

Sources: Displays the source computers that are associated with the incident. To view details for a source computer, select it and click the Details icon.

Displays a visual representation of the progress of the attack that generated the incident, along with the Symantec Event Code.

Intelligence: Displays Symantec signature information, including the malicious code or vulnerability information that may be associated with the event. You can view the intelligence information organized by associated signatures or by target computers.

Tickets: Displays the tickets that have been created for the incident. To view the details of a ticket, select it and click the Ticket Details icon. To create a ticket based on this incident, click the Create Ticket icon.

When you create a ticket, the Create Ticket dialog box includes the following tabs:

■ Details: Provides the fields that describe the characteristics of the ticket: a summary description, the priority, the ticket category, the creator of the ticket, the assignee of the ticket, and the related incidents.

■ Instructions: Lets you correlate intelligence data from the Global Intelligence Network with the ticket, if information is available.

■ Tasks: Provides the fields to describe any additional remediation tasks that the creator of the ticket recommends. Note that the Tasks tab of the Create Ticket dialog box differs from the steps that are listed in the Remediation tab for the incident. The Remediation tab contains the instructions that are created automatically when the incident is created, based on settings in the rule that triggered the incident.

Remediation: Displays the remediation suggestions that are associated with the rule that triggered the incident. Remediation entries can be added to a rule on the Rules view.

Log: Displays the history of the incident. The incident history contains entries for incident creation, modifications, and closure. You can add entries to the log to record information and activities that are related to the incident.

See "About the Information Manager console" on page 23.

About the Events view

The Events view lets you explore the Information Manager event archives. Event archives contain correlated and uncorrelated event data from the security products that are set up to forward events to Symantec Security Information Manager. You can create multiple event archives that can be stored on any instance of Information Manager. When you perform an event query, you can search across any available combination of archives, regardless of which instance of Information Manager stores the archive. The archives that are visible on the Events view are created with an ordered series of event storage rules. These rules are created on the System view.

To view the events that are stored in the event archives, you can use templates and queries to search for events you need to view. Templates are generally more complex preconfigured queries that can be customized with chosen parameters. System queries are the queries that focus on specific products or common aspects of security management.

When you run a template or a query, you set the parameters for the query, including which archives to search. Each template and query contains the parameters specific to data that the query harvests: for example, a specific IP address or a time range in which the search is to be conducted. After you run the query, the results are displayed in the right pane of the Events view. The presentation of data depends on each query, and can include graphs, pie charts, and lists of events.

If a query returns a list of events, you can click on a particular event to see the event details. You can change table columns if you want to see different information about the events. You can view details about a particular event by double-clicking the table row.

You can also filter data in the table so that it displays only the events that interest you. You can filter on a particular event parameter by right-clicking a cell and clicking Filter on cell. You can also filter results based on a unique column value. Alternatively, you can use the advanced filtering option to create a more complex query.

You can also use the Query Builder Wizard to query the event archives. This wizard helps you create the following types of queries:

■ Event queries

■ Trending queries

The trending feature is available only after you select the Event Query option.

■ Summary queries

■ Advanced SQL queries

Note: The Query Builder Wizard icon is available only when the My Queries folder or the Published Queries folder is selected.

Table 2-3 Events view left pane items

Local Event Archives: Access the static copies of archived events that are stored somewhere other than the Information Manager server. Local event archives are often created as a backup copy of an active archive. Local event archives are not updated after the copy of the archive has been made.

Templates: Provides a set of preconfigured query templates that generally provide a system-wide view of event activity. The templates use the parameters you choose, such as the event archives or the time period from which the query gathers information. A template can be customized by placing a copy in either the My Queries or the Published Queries folder and then adjusting the copy. Access to the template queries is controlled by role.

My Queries: Displays a list of queries that you have created for your own use. You can move any of these queries into the Published Queries folder to make them available to others.

Published Queries: Displays a list of the queries that have been created at your site and that you want some or all of your users to be able to use.

System Queries: Displays a list of queries that are included in the Information Manager package. You can use any of these queries as a template for a customized query. To create a customized query, export the selected query as a QML file, and then copy or import the query into the My Queries folder or the Published Queries folder. You can then modify it as required.

You can schedule queries to be distributed in a report as a CSV file. See "About working with event queries" on page 236.

See "Viewing event data in the archives" on page 226.

About the Tickets view

The Tickets view lets you view and manage Information Manager tickets. You can customize the ticket view by selecting from one of several ticket filters, or by creating a custom ticket filter. The filters that are available to you depend upon the roles to which you have been assigned. When you select a ticket filter, the ticket list displays only the tickets that satisfy the filter criteria.


Selecting a ticket in the ticket list updates the ticket pane with the detailed information for the selected ticket. To update the ticket, modify the ticket attributes and click Apply.

Double-clicking a ticket in the ticket list opens the Ticket Details dialog box. To update the ticket, modify the ticket information, and click Save or OK. You can edit multiple tickets simultaneously by opening a Ticket Details dialog box for each ticket to view or modify.

The Tickets view toolbar contains icons for the following tasks:

■ Select a filter to apply to the ticket view.

The filters that are available to you depend upon the roles to which you are assigned, and may include one or more of the following:

My Open Tickets: Lists the open tickets that are associated with the incidents assigned to the current user.

My Closed Tickets: Lists the closed tickets that are associated with the incidents assigned to the current user.

All Open Tickets: Lists all the open tickets.

All Closed Tickets: Lists all the closed tickets.

All Unassigned Tickets: Lists all the unassigned tickets.

■ Create a custom ticket view filter.

■ Search for a ticket by ticket ID.

■ Refresh the tickets view.

■ Open the Ticket Details dialog box for the selected ticket.

■ Export the list of tickets to a file.

The ticket preview pane contains tabs from which you can view or update the selected ticket.

Table 2-4 lists the preview pane tabs and their functions.

Table 2-4 Ticket preview pane tabs

Details: Displays the ticket details such as the ID, summary, category, status, priority, timestamp, creator, and help desk assignee.

Incidents: Displays the incidents that are associated with the ticket. To associate a new incident with the ticket, click the Add icon. To disassociate an incident from the ticket, select the incident and click the Remove icon. To view the incident details, click the Incident Details icon. To close the incident from the Tickets view, select the incident and click the Close icon.

Tasks: Displays the user tasks that are assigned to the ticket. To add a new task to the ticket, click the Add icon. To remove a task from the ticket, select the task and click the Remove icon. To edit a task, select it and click the Edit icon. To add intelligence to a task, click the Intelligence icon.

Instructions: Displays the instructions that are associated with the ticket. To add or modify the instructions, edit the field and click Save. The instructions field accepts a maximum of 3000 characters. The Instructions tab also displays the Reset icon and the Add Intelligence to Instructions icon.

Log: Displays the ticket history, which contains entries for ticket creation, ticket modifications, and ticket closure. To add log entries that record information and activities related to the ticket, click the Add icon.


About the Assets view

The Assets view lets you view and manage Information Manager assets. Use the Assets view to identify critical assets in your environment, and track the incidents and the tickets that are related to those assets.

Identify the network assets that have one or more of the following attributes:

■ Host critical information or services

■ Host confidential information

■ Have specific roles on the network, such as firewall or vulnerability scanning devices

■ Require high availability

■ Comply with regulatory policies

The correlation manager uses the asset information to identify and prioritize incidents. The correlation manager creates an incident when a threat exploits an asset's vulnerabilities. The correlation manager sets the incident priority based upon the confidentiality, integrity, and availability ratings that you assign to the asset.

The correlation rules depend upon the asset information, so identifying key network assets on the Assets view is a critical configuration step.

You can populate the list of assets in any of the following ways:

■ Manually add entries in the Assets view.

■ On the Incidents view, in the Targets tab for an incident, create assets based upon computers.

■ On the Events view, under System Queries > SSIM > SSIM System, create assets from the query results of the Source view query and Target view query.

■ On the Assets view, import a list of assets in XML or CSV format. For example, you can export a list of network computers from Microsoft Active Directory, convert the file to CSV format, and then import the file into Information Manager.

■ Create assets by integrating Information Manager with a policy compliance assessment tool, such as Symantec Control Compliance Suite or Symantec Enterprise Security Manager.

■ Create assets by integrating Information Manager with a network vulnerability scanner. Use the Asset Detector rule under Monitor > System Monitors on the Rules view to choose the vulnerability scan products that automatically populate the assets table.


If you run vulnerability scans periodically on your network, lock the asset information for particular computers. If you lock an asset, the vulnerability scan does not modify the list of the services that are hosted on the asset. A vulnerability scan always updates the asset vulnerabilities, regardless of the asset lock status.
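The two behaviours described above, the correlation manager declaring an incident when an event targets a vulnerability recorded on an asset and then prioritizing it from the asset's CIA ratings, and the asset lock that protects the service list but not the vulnerability list, are easier to reason about with a small working model. The following is an added example written for this page, not Information Manager's own code: the 1-5 rating scales, the priority formula and its thresholds, the field names, and all hosts and events are constructed assumptions.

```python
# Added example (not SSIM code): a small model of asset-driven incident creation,
# prioritization, and asset locking. The rating scales, the priority formula, the
# field names, and the sample hosts/events below are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Asset:
    ip: str
    hostname: str
    confidentiality: int        # assumed scale: 1 (low) .. 5 (high)
    integrity: int
    availability: int
    services: Set[str] = field(default_factory=set)
    vulnerabilities: Set[str] = field(default_factory=set)   # CVE IDs reported by a scanner
    locked: bool = False


@dataclass
class Event:
    source_ip: str
    destination_ip: str
    cve: Optional[str]          # CVE the attack targets, if the sensor reported one
    severity: int               # assumed scale: 1 (info) .. 4 (critical)


def asset_rating(asset: Asset) -> int:
    """The highest of the three CIA ratings decides how valuable the asset is."""
    return max(asset.confidentiality, asset.integrity, asset.availability)


def incident_priority(asset: Asset, event: Event) -> int:
    """Map asset rating x event severity (1..20) onto priority 1 (highest) .. 5 (lowest).
    The thresholds are an assumption made for this example."""
    score = asset_rating(asset) * event.severity
    for threshold, priority in ((16, 1), (12, 2), (8, 3), (4, 4)):
        if score >= threshold:
            return priority
    return 5


def correlate(events: List[Event], assets: List[Asset]) -> List[Dict]:
    """One incident per event whose CVE matches a vulnerability recorded on the target asset.
    Events against hosts that are not assets, or without a matching vulnerability, create none."""
    by_ip = {a.ip: a for a in assets}
    incidents = []
    for ev in events:
        asset = by_ip.get(ev.destination_ip)
        if asset is None or ev.cve is None or ev.cve not in asset.vulnerabilities:
            continue
        incidents.append({
            "target": asset.hostname,
            "source": ev.source_ip,
            "cve": ev.cve,
            "priority": incident_priority(asset, ev),
        })
    return incidents


def apply_scan(asset: Asset, scanned_services: Set[str], scanned_vulns: Set[str]) -> Asset:
    """Merge a vulnerability scan into an asset. A locked asset keeps its service list;
    the vulnerability list is replaced regardless of the lock."""
    if not asset.locked:
        asset.services = set(scanned_services)
    asset.vulnerabilities = set(scanned_vulns)
    return asset


# Constructed sample data (TEST-NET source address, no real hosts).
ASSETS = [
    Asset("10.0.0.5", "db01", confidentiality=5, integrity=5, availability=4,
          services={"mysql"}, vulnerabilities={"CVE-2012-0001"}, locked=True),
    Asset("10.0.0.8", "www01", confidentiality=2, integrity=3, availability=3,
          services={"http", "https"}, vulnerabilities={"CVE-2012-0002"}),
]
EVENTS = [
    Event("203.0.113.10", "10.0.0.5", "CVE-2012-0001", severity=4),   # known hole on db01 -> priority 1
    Event("203.0.113.10", "10.0.0.8", "CVE-2012-0002", severity=3),   # known hole on www01 -> priority 3
    Event("203.0.113.10", "10.0.0.8", "CVE-2012-0001", severity=4),   # www01 is not vulnerable: no incident
    Event("203.0.113.10", "10.0.0.99", "CVE-2012-0001", severity=4),  # not an asset: no incident
]

if __name__ == "__main__":
    for inc in correlate(EVENTS, ASSETS):
        print(inc)
    db01 = apply_scan(ASSETS[0], {"mysql", "ssh"}, {"CVE-2012-0001", "CVE-2012-0003"})
    print(db01.services, db01.vulnerabilities)   # services unchanged (locked), vulnerabilities replaced
```

The point the model makes explicit is that the same attack against a host that is not in the asset table produces nothing, which is why the text calls identifying key assets a critical configuration step: hosts you never register are invisible to this kind of correlation, whatever their real value.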

You can filter the view of the assets in your environment using the filtering options or asset groups.

Search for an asset from any of the views by entering the IP address or host name in the Search Asset field, and then clicking the Search icon.

Double-clicking an asset in the asset list opens the Asset Details dialog box. To update the asset, modify the asset fields and then click the Save icon. You can update multiple assets simultaneously by opening the Asset Editor dialog box for each asset to modify.

Table 2-5 lists the Assets view tabs and their functions.

Table 2-5 Assets view tabs

Details: Displays the network identification, description, priority, organization, operating system, and lock information for the selected asset.

Policies: Displays any policy that is applied to the selected asset. You can add policies to an asset from a customizable list of regulatory policies. To customize the list of available policies, select the Administration tab on the System view. You can also delete policies from the asset.

Services: Displays the network services that the selected computer hosts. You can add services to an asset from a customizable list of well-known services. To customize the list of services, select the Administration tab on the System view. You can also delete services from the asset.

Incidents: Lists any incidents that pertain to the selected asset. The incident list is a convenient way to monitor the security activity that is related to an asset.

Tickets: Lists any tickets that pertain to the selected asset. The ticket list is a convenient way to monitor the work-order activity that is related to an asset.

Vulnerabilities: Displays the discovery date, CVE ID, BugTraq ID, and description of any vulnerability that is discovered on the asset. The vulnerability information is tracked when the assets are imported from a vulnerability scanner.

See "About the Information Manager console" on page 23.

About the Reports view

The Reports view lets you create and manage Information Manager reports. To create a report, you insert one or more queries into a report template. You can also add graphic elements and text, including a header and footer. Reports can span multiple views, or you can subdivide a single view and insert multiple queries on that view.

You can distribute a report immediately, or you can schedule it to be generated at a specific time and then distributed automatically. You can also export and import reports in RML format.

The Reports toolbar contains icons for report management tasks. The tasks available to you depend upon the roles to which you have been assigned, and may include one or more of the following:

■ Refresh the Explorer pane.

■ Create a folder.

■ Create a report.

■ Save a report.

■ Remove the selected report or folder.

■ Import a report from an RML format file.

■ Export the selected report to an RML format file.

■ Adjust the view settings for a report, including the view size and orientation.

■ Publish the selected report by placing the report in the Published Reports folder.

The Reports view has the following panes:

Explorer

The Explorer pane lets you manage the My Reports folder and the Published Reports folder. When you create a report in the My Reports folder, it is only available to the user who created it. When you create a report in the Published Reports folder, it is available to all of the users who have the applicable permissions for the contents of the report. To publish a report, drag it from your private folder to the Published Reports folder. When you publish a report by dragging it into the Published Reports folder, the published copy and the original are not linked.

In addition to creating, publishing, and deleting reports, you can create and delete report folders. You can also import reports, export reports, and move reports from one folder to another.

Properties

The Properties pane lets you view and edit the selected report property values, such as the background color or line thickness.

Report

The Report pane provides the tabs that let you design, preview, and distribute the selected report.

Table 2-6 describes the tabs that appear in the right pane when you create a new report or select an existing report from the list in the left pane.

Table 2-6 Report pane tabs

Design: Lets you specify and format the contents of your report. You can include multiple data queries, images, annotation text, and grids in your report. The queries that are available to you depend upon the roles to which you are assigned. For example, you may have access to queries that pertain to firewall and VPN data, but not to queries on antivirus data.

Preview: Displays a preview of the report. You can also save or print the report from the Preview tab. You can also drill down on the following query types by clicking on the reports that are displayed:

■ Top N by Field

■ Trending for Top N by Field

■ Summary Data Queries

See "Performing a drill-down on reports" on page 339.

Distribute: Lets you schedule the report and specify report recipients. You can compose an email report notification message, attach the report as a PDF and RTF, or include a URL link to the report.

Note: When the recipient clicks the URL link, the report can be accessed directly if the user has already logged on to the Web configuration interface using the host name of Information Manager. However, if the user has logged on using the IP address of Information Manager, the user is prompted for authentication to access the report.

You can also test the report distribution configuration with the Test option. The reports are distributed immediately after you perform the test.

To schedule a report for distribution, you must first publish the report by placing it in the Published Reports folder.

Note: The Distribute option is available only for Published Reports.

See "About the Information Manager console" on page 23.

About the Rules view

The Rules view lets you create, test, and manage the rules that Information Manager uses to filter known false positives and declare security incidents. Default rules provide a starting point for determining the most common kinds of security incidents, including denial-of-service attacks and blended threats. The default filtering rules provide a set of common filters that can also be used to create customized filters. You can enable, disable, and fine-tune the default rules and filters based on the needs of your organization and the security products that are running.

The Rules view also includes folders for monitors and lookup tables. Monitoring rules are used to detect unexpected security-related changes to systems or periods of inactivity from the systems that are monitored. The lookup tables provide a set of tables that can be configured to list known malicious IP addresses, sensitive files, sensitive URLs, services, Trojan horses, and Windows events that can be used to fine-tune rules and filters. For example, if you have detected a set of IP addresses that routinely attempt to maliciously infiltrate your network, you can add these IP addresses to an IP address lookup table. You can then create a custom rule that checks the table for these known malicious IP addresses during rules processing.
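The lookup-table workflow described above (a watch list of known attacker addresses, a whitelist of trusted ones, an authorized-ports table, and rules that consult them during processing) is shown below as an added example written for this page; it is not Information Manager's rule engine or its table format. The lookup tables are plain Python collections, the whitelist is assumed to take precedence over the watch list, rules run only on events that survive the filtering stage, and every address and event is constructed.

```python
# Added example (not SSIM code): rules processing against lookup tables, run over
# constructed firewall-style events. Assumptions: tables are Python collections, the
# whitelist filter runs before any correlation rule, and field names are invented here.
import ipaddress
from typing import Dict, List, Optional

# Constructed lookup tables. Watch-list entries may be single addresses or CIDR blocks.
IP_WATCH_LIST = ["203.0.113.10", "192.0.2.0/24", "198.51.100.0/24"]
IP_WHITELIST = ["198.51.100.7"]                 # e.g. an authorized scanner inside a watched block
AUTHORIZED_PORTS_INBOUND = {22, 443}

_WATCH = [ipaddress.ip_network(e, strict=False) for e in IP_WATCH_LIST]
_WHITE = [ipaddress.ip_network(e, strict=False) for e in IP_WHITELIST]


def in_table(ip: str, table) -> bool:
    """True if ip falls in any address or network listed in the lookup table."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in table)


def whitelist_filter(ev: Dict) -> bool:
    """Filtering rule: return True to drop an event whose source is whitelisted."""
    return in_table(ev["src_ip"], _WHITE)


def rule_watch_list(ev: Dict) -> Optional[Dict]:
    """Correlation rule: any event from a watch-listed source declares an incident."""
    if in_table(ev["src_ip"], _WATCH):
        return {"rule": "Source on IP Watch List", "src": ev["src_ip"], "dst": ev["dst_ip"]}
    return None


def rule_unauthorized_inbound(ev: Dict) -> Optional[Dict]:
    """Correlation rule: a permitted inbound connection to a port outside the authorized list."""
    if (ev["direction"] == "inbound" and ev["action"] == "permitted"
            and ev["dst_port"] not in AUTHORIZED_PORTS_INBOUND):
        return {"rule": "Inbound to unauthorized port", "src": ev["src_ip"],
                "dst": ev["dst_ip"], "port": ev["dst_port"]}
    return None


RULES = [rule_watch_list, rule_unauthorized_inbound]


def process(events: List[Dict]) -> List[Dict]:
    """Apply the filter first, then every rule to every surviving event."""
    incidents = []
    for ev in events:
        if whitelist_filter(ev):
            continue
        for rule in RULES:
            hit = rule(ev)
            if hit:
                incidents.append(hit)
    return incidents


# Constructed sample events (TEST-NET addresses, no real hosts).
EVENTS = [
    {"src_ip": "203.0.113.10", "dst_ip": "10.0.0.5", "dst_port": 443, "direction": "inbound", "action": "permitted"},
    {"src_ip": "198.51.100.7", "dst_ip": "10.0.0.5", "dst_port": 22, "direction": "inbound", "action": "permitted"},
    {"src_ip": "192.0.2.44", "dst_ip": "10.0.0.8", "dst_port": 3389, "direction": "inbound", "action": "permitted"},
    {"src_ip": "10.0.0.9", "dst_ip": "10.0.0.5", "dst_port": 443, "direction": "inbound", "action": "permitted"},
    {"src_ip": "10.0.0.9", "dst_ip": "10.0.0.5", "dst_port": 8080, "direction": "inbound", "action": "denied"},
]

if __name__ == "__main__":
    for inc in process(EVENTS):
        print(inc)
```

Running it yields three incidents: the first event hits the watch list, the third hits both the watch list and the unauthorized-port rule, and the second is dropped by the whitelist filter even though its /24 is on the watch list. That last case is the one to think about before you populate the tables: a whitelist entry silences every rule for that source, so it belongs only to addresses whose traffic you would never want an incident for.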


When you define the actions that take place when an incident is triggered, you can create remediation notes. These notes appear on the Remediation tab for an incident that is created. When you add remediation information to a rule and save the changes, the remediation information is updated for the new and the existing incidents.

The Rules view toolbar contains icons for the following tasks:

■ Refresh the Rules list.

■ Create a rule.

■ Create a new folder.

■ Delete a rule.

■ Import rules.

■ Export rules.

■ Copy a rule.

■ Deploy a rule.

■ Revert changes to a rule.

■ Enable rules.

■ Disable rules.

Each folder in the navigation tree includes two subfolders: a System subfolder and a User subfolder. By default, the System subfolder contains the predefined rules, filters, monitors, and lookup tables that are included with Information Manager.

You can enable or disable the items in the System subfolders. However, you cannot make changes to these predefined elements. To create a modified version of a preconfigured rule, filter, monitor, or lookup table, create a custom copy of it and save it in the corresponding User folder. If you create a custom rule or lookup table, you must deploy and enable the new element before it is used during event processing.

Table 2-7 describes the items that are displayed in the Event Filters list in the left pane. It also describes the tabs that appear in the right pane when you make a selection from this list.

Table 2-7 Event filters

Event Filters list: Displays the list of default filters in the System Filters folder and custom filtering rules in the User Filters folder. Use the checkboxes to turn the rules on and off.

Conditions tab: Displays the event criteria that the filtering rules use to filter events. If you create a custom filter, you can add or remove event criteria from this pane.

Testing tab: Lets you test filtering rules with saved event data so that you can evaluate whether the rule filters when it should. This tool helps you fine-tune a rule to filter out the events that cause false positives. You can also debug the errors that prevent the rule from filtering events.

History tab: Shows the date and the time that a user last edited a rule.

Table 2-8 describes the items that are displayed in the Monitors list in the left pane. It also describes the tabs that appear in the right pane when you make a selection from this list.

Table 2-8 Monitors

Monitors list: Displays the list of default monitors in the System Monitors folder and custom monitors in the User Monitors folder. Use the checkboxes to turn the rules on and off.

Properties tab: Lists the monitor properties that let you configure the system monitors.

Actions tab: Lets you specify the follow-up actions that are required to resolve the incident. You can also specify the user or the team that is assigned to investigate and resolve the incident. See "About automatically assigning incidents" on page 55. See "Assigning incidents automatically to the least busy member in a user group" on page 298.

History tab: Shows the date and time when a user last edited a monitoring rule.

Table 2-9 describes the items that are displayed in the Correlation Rules list in the left pane. It also describes the tabs that appear in the right pane when you make a selection from this list.

Table 2-9 Correlation rules

Rules list: Displays the list of default rules in the System Rules folder and custom rules in the User Rules folder. Use the checkboxes to turn the rules on and off.

Conditions tab: Displays the event criteria that the rules use to declare a security incident. If you create a custom rule, you can add or remove event criteria from this pane.

Actions tab: Lets you specify the follow-up actions that are required to resolve the incident. You can specify the user or the team that is assigned to investigate and resolve the incident. See "About automatically assigning incidents" on page 55. See "Assigning incidents automatically to the least busy member in a user group" on page 298. You can also create the remediation notes that are associated with each incident that this rule creates, and configure the notifications that are sent when the rule conditions are triggered.

Testing tab: Lets you test rules with saved event data so that you can evaluate whether the rule declares incidents when it should. This tool helps you fine-tune a rule to filter out the events that cause false positives. You can also debug the errors that prevent the rule from declaring incidents when it should.

History tab: Shows the date and time when a user last edited a rule.

Table 2-10 describes the items that are displayed in the Lookup Tables list in the left pane. It also describes each of the lookup tables that are listed under System Lookup Tables.

Table 2-10 Lookup tables

Lookup Tables list: Lists the default lookup tables in the System Lookup Tables folder and custom tables in the User Lookup Tables folder.

Lists the users who can perform administrative activities.

Authorized Ports Inbound: Lists the authorized ports through which incoming traffic is allowed, according to policy.

Authorized Ports Outbound: Lists the authorized ports through which outgoing traffic is allowed, according to policy.

Critical Servers: Lists the IP addresses of the servers that are critical from a business perspective.

default usernames: Lists the authorized users.

IP Watch List: Lists the IP addresses of known attackers. An incident is created if an event is detected from one of these IP addresses. This is a configurable table for manually tracking known bad IP addresses. DeepSight and LiveUpdate updates maintain a separate, internal IP watch list of addresses that are known to be malicious in the larger Internet environment.

IP Whitelist: Lists the whitelisted IP addresses and domain names, which are reputable and can be trusted. You can add your own trusted domain names and IP addresses to the list.

Monitored Logging Devices: Lists the logging devices that are monitored for an idle state after a specific time span.

Organization Domains: Provides a table in which you describe the organizational domains that are monitored.

P2P Programs: Lists the P2P programs.

Potential Policy Violation IPs: Lists the IP addresses of the hosts that can potentially violate the policy.

Rapid Response Monitored Address Traffic: Lists the known bad IP addresses with which hosts that carry your sensitive data might communicate.

sensitive files: Lists the file names to monitor during FTP transfers.

sensitive urls: Lists the text strings that are often included in malicious URLs.

services: Lists the services that are associated with each port number.

trojans: Lists the known Trojan horse exploits.

user watchlist: Provides a table in which you can list users and user names that formerly had access to the network.

Weekdays: Lists the days of the week to allow further refinement of queries based on the day or days associated with an event.

Weekend: Lists the days of the weekend to allow further refinement of queries based on the day or days associated with an event.

Windows events: Lists the Windows events that may indicate violations of security policies or other malicious activities.

The following tables list the event criteria available and their descriptions.

Table 2-11 Event Criteria: Common tab

Agent Host: The host name of the computer on which the agent is installed.

Agent IP: The IP address of the computer on which the agent is installed.

Agent Mac: The MAC address of the computer on which the agent is installed.

Agent Numeric IP: The numeric IP address of the computer on which the agent is installed.

The subnet to which the agent computer belongs.

Category ID: Lets you select the category of the event from among Application, Communication, Device, Diagnostics, Environment, QS, and Security.

Collection Device Host: The host name of the computer on which the product (collector) is installed.

Collection Device IP: The IP address of the computer on which the product (collector) is installed.

Collection Device ID: The device ID of the computer on which the product (collector) is installed.

Collection Device Mac: The MAC address of the computer on which the product (collector) is installed.

Collection Device Numeric IP: The numeric IP address of the computer on which the product (collector) is installed.

Collector Sensor: Identifies the sensor that recorded the event that a collector sent.

Configuration ID: The ID of the configuration.

Created Date: The date that the event was created. The time zone that is used for event correlation is one of the following:

■ Server Time - the time zone of the server.

■ Source Network Time Zone - the time zone of the source network.

■ Destination Network Time Zone - the time zone of the destination network.

If no time zone is specified, the time zone of the server is used for event correlation. The valid format for the date is mm/dd/yyyy. The valid format for the time is HH:MM [AM] [PM].

CVSS: The numeric CVSS score for the vulnerability, if one is detected.

Description: A description of the event.

The destination host name.

Device Action: Describes the action that the point product took (the event was prevented, permitted, failed, successful, or denied).

Domain: The domain from which the data object originated.

Effects: The effects of malicious activity.

Event ending date: The date when the event ended. The time zone that is used for event correlation is one of the following:

■ Server Time - the time zone of the server.

■ Source Network Time Zone - the time zone of the source network.

■ Destination Network Time Zone - the time zone of the destination network.

If no time zone is specified, the time zone of the server is used for event correlation. The valid format for the date is mm/dd/yyyy. The valid format for the time is HH:MM [AM] [PM].

Event Archive ID: The ID of the archive to which the event belongs (used in summarizers).

Event class ID: The possible values are symc_hdr_tkt_update_class or symc_hdr_task_update_class.

The number of times that an event occurred to cause the event to be logged.
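The Created Date and Event ending date criteria above accept a wall-clock date and time (mm/dd/yyyy and HH:MM with optional AM/PM) and resolve it under one of three time-zone modes, defaulting to the server's zone. The following added example, which is not Symantec's code, shows how the same entered value lands on different absolute instants depending on the mode; the fixed zone offsets and the function names parse_event_date and interpretation_spread are constructed for illustration.

```python
"""Added example (not SSIM product code): resolve a Created Date / Event
ending date criterion to a UTC instant under the three time-zone modes."""
from datetime import datetime, timedelta, timezone

# Constructed, fixed-offset zones standing in for the server time zone and the
# source and destination network time zones (hypothetical values).
ZONES = {
    "server": timezone(timedelta(hours=-8), "SERVER"),
    "source": timezone(timedelta(hours=1), "SRC-NET"),
    "destination": timezone(timedelta(hours=9), "DST-NET"),
}


def parse_event_date(date_str, time_str, mode=None):
    """Return the UTC instant for a date entered as mm/dd/yyyy and a time
    entered as HH:MM with an optional AM/PM suffix.

    mode is "server", "source" or "destination"; None selects the documented
    default, the server's time zone."""
    mode = mode or "server"
    if mode not in ZONES:
        raise ValueError("unknown time zone mode: %r" % mode)
    t = time_str.strip().upper()
    # 12-hour form when an AM/PM suffix is present, otherwise 24-hour form.
    fmt = "%m/%d/%Y %I:%M %p" if t.endswith(("AM", "PM")) else "%m/%d/%Y %H:%M"
    naive = datetime.strptime("%s %s" % (date_str.strip(), t), fmt)
    return naive.replace(tzinfo=ZONES[mode]).astimezone(timezone.utc)


def interpretation_spread(date_str, time_str):
    """Hours between the earliest and latest UTC instants that the same
    entered wall-clock time maps to across the three modes. A non-zero
    spread is the error an analyst introduces by leaving the mode
    unspecified when the events of interest were not stamped in server time."""
    instants = {m: parse_event_date(date_str, time_str, m) for m in ZONES}
    earliest, latest = min(instants.values()), max(instants.values())
    return (latest - earliest).total_seconds() / 3600


if __name__ == "__main__":
    for m in (None, "source", "destination"):
        label = m or "server (default)"
        print(label, parse_event_date("03/05/2012", "02:30 PM", m).isoformat())
    print("spread in hours:", interpretation_spread("03/05/2012", "02:30 PM"))
```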
