Configuring an alert filter

TriGeo® SIM User Guide
Security Information Manager
Copyright © 2000–2010 by TriGeo® Network Security, Inc.
TriGeo® is a registered trademark of TriGeo Network Security, Inc.
TriGeo SIM™, nDepth™, nSight™, and USB-Defender™ are trademarks of TriGeo Network
Security, Inc.
All other company names, products, services, trademarks, or registered trademarks used herein
remain the properties of their respective owners.
The TriGeo software program, this manual, and other materials distributed in connection with the
license of this software program are protected by U.S. copyright law and international treaty. TriGeo
Network Security, Inc., retains title to and ownership of the software program and this manual.
Contents
Chapter 1: System Requirements    1
Package contents    1
Supported operating systems    2
TriGeo SIM Console    2
Agents    2
TriGeo Reports    2
Hardware requirements    3
Minimum hardware requirements    3
Recommended hardware    3
Technical Support    4
Chapter 2: First-time users    5
Introduction    5
About the TriGeo Security Information Manager (SIM)    6
System setup and maintenance    7
Preparing the TriGeo SIM for use    7
Connecting network security products to the TriGeo SIM    7
Ongoing maintenance    7
Finding information on using the Console    8
Console basics    8
Monitor (alerts and alert filters)    9
Alerts    9
Filters and filter groups    9
Ops Center and widgets    10
Explore    10
Build views (Users, Groups, and Rules)    12
Users    12
Groups    12
Rules    13
Manage (Agents and Appliances)    15
TriGeo Reports    16
Chapter 3: TriGeo SIM Console basics    17
Introduction to Console basics    17
Opening the TriGeo SIM Console    17
Opening views in the Console    18
Console features    19
The status bar    22
Appliances tab    22
Agents tab    23
Notifications tab    23
How to use the Notifications tab    24
Opening a filter from the Notifications tab    25
Removing notices from the Notifications tab    25
Responding to a Popup Notification form    26
Showing Console activity    27
Opening and closing panes and sidebars    28
Opening and closing nodes    29
ToolTips    30
Working with grids    31
Selecting items in a grid    31
Moving through a grid    31
Resizing grid columns    32
Rearranging grid columns    33
Sorting a grid by its columns    34
Determining your version of the Console    36
Exiting the TriGeo Console    37
Chapter 4: Using the Ops Center    39
About the Ops Center    39
Ops Center features    40
About widgets    42
Master widgets and dashboard widgets    42
Using master widgets as templates    42
Widget independence    42
Widget storage    43
Using the Widget Manager    44
Opening and closing the Widget Manager    44
Creating new master widgets    44
Editing master widgets    45
Adding widgets to the dashboard    46
Deleting master widgets    47
Using the Widget Builder    48
Working with widgets in the Ops Center dashboard    52
Turning on a widget that has been turned off    52
Widget toolbar    52
Viewing a widget’s legend    53
Viewing specific widget data    54
Refreshing a widget’s data    54
Opening a filter from a widget    55
Editing a dashboard widget    56
Editing a widget’s chart presentation    57
Rearranging widgets on the dashboard    58
Resizing a widget    58
Deleting dashboard widgets    59
Table of standard widgets    60
Chapter 5: Working with alerts and alert filters    63
About the Monitor view    63
Alerts    63
Filters    63
The Filters pane and filter groups    64
Standard TriGeo SIM filters    65
Monitor view features    68
Using the alert grid    72
Applying a filter to the alert grid    72
Pausing and resuming a filter's alert traffic    73
Sorting the alert grid    73
Highlighting alerts    74
Copying alert data to your clipboard    76
Marking alerts as read and unread    77
Exploring alerts    78
Removing alerts    79
Using the Alert Details/Alert Description pane    80
Using the Alert Details toolbar    81
Alert severity levels    82
Responding to alert messages    83
Responding to an alert    83
Using the Respond form’s drag and drop functionality    85
Managing alert filters    87
Creating a new filter    87
Editing an existing filter    89
Cloning an existing filter    90
Pausing filters    91
Resuming paused filters    92
Turning filters on and off    93
Copying a filter    94
Importing a filter    95
Exporting a filter    96
Deleting a filter    97
Managing filter groups    98
Adding a new filter group    98
Renaming a filter group    98
Rearranging filter groups    99
Moving a filter from one group to another    100
Deleting a filter group    101
Using a filter's Widgets pane    102
About the Widgets pane    102
Opening the Widgets pane    103
Viewing a filter’s different widgets    104
Creating a new widget    105
Editing a widget    106
Refining a filter with a widget    107
Refreshing a widget    108
Editing a widget’s presentation    108
Chapter 6: Creating custom alert filters    109
Filter Creation    109
Features of Filter Creation    110
Features of the list pane    113
Features of the Conditions box    117
Configuring filter conditions    120
Adding conditions to filters    121
Adding conditions    121
Adding groups of conditions    123
Targeting    125
Deleting conditions    126
Comparing values with operators    127
Selecting a new operator    127
Operator tips    127
Table of operators    128
Examples of AND and OR conditions    130
Filter condition table    131
Using the Status bar    133
Status bar icons    134
Using Status bar messages to resolve problems    135
Configuring alert filter notifications    137
Selecting the notification method    137
Notifications table    138
Tutorial: Configuring an alert filter    141
Preparing for the lessons    142
Lesson 1: Creating a filter based on an alert    144
Step 1: Naming the alert    144
Step 2: Capturing successful logon attempts outside of business hours    145
Step 3: Limiting the filter to Administrative accounts    146
Step 4: Capturing failed logon attempts during business hours    147
Lesson 2: Creating a filter based on an Alert Group    149
Step 1: Creating the filter    149
Step 2: Adding the first condition    149
Step 3: Adding another condition    150
Lesson 3: Adding Groups and notification settings    151
Step 1: Opening the alert filter to edit it    151
Step 2: Adding a User-Defined Group    152
Step 3: Adding a Tool Profile    152
Step 4: Adding alert notification settings    153
Chapter 7: Using Explorers    155
About the Explore view    155
Types of explorers    156
Explore view features    158
Using the Event explorer    160
Opening the Event explorer    161
Features of the Event explorer    162
Using the event map    165
Reading an event map    165
Event map legend    168
Using the event grid    169
Viewing information in the event grid    170
Exploring from the event grid    171
Responding to an event from the event grid    171
Using the Alert Details pane    172
Opening and closing the Alert Details pane    172
Viewing an event’s alert details    172
Using the Alert Details toolbar    173
Exploring from the Alert Details pane    173
Using the NSLookup, Traceroute, and Whois explorers    174
About the NSLookup explorer    175
About the Traceroute explorer    176
About the Whois explorer    177
Exploring from the alert grid    178
Exploring from the Event explorer    178
Exploring from other explorers    178
Manually exploring an item    179
Canceling an explorer lookup    179
Using the Flow Explorer    180
Opening the Flow Explorer    180
Flow Explorer features    181
Flow Explorer history    182
Configuring a Flow Explorer query    183
Flow analysis configuration and report combinations    185
Interpreting the Analysis Results graph    186
Interpreting the Analysis Results grid    187
Sorting the Analysis Results grid    188
Exploring flow analysis results    188
Responding to flow analysis results    188
Using the History pane    189
Hiding and showing the History pane    190
Viewing explorer history    190
Clearing explorer history    190
History pane icon legend    191
About TriGeo nDepth    192
Installing TriGeo nDepth    192
Configuring network tools for use with TriGeo nDepth    192
Using nDepth Explorer    193
Opening a blank nDepth Explorer    194
Opening nDepth Explorer from a particular data source    195
nDepth Explorer features    196
nDepth's History pane    198
Exploring nDepth Explorer search results    198
Performing a search    198
Using the nDepth Explorer Configuration form    200
Exploring search results with other TriGeo explorers    202
Responding to search results    202
Moving a search to the nDepth Browser    203
Using nDepth Browser    204
Opening nDepth Browser    204
Opening a blank nDepth Browser    205
Opening the nDepth Browser from a particular data source    206
Getting help with the nDepth Browser    207
Chapter 8: Working with Groups    209
About Groups    209
Group types    210
Groups view features    212
Groups view features    212
Groups grid columns    214
Refining the Groups grid    215
Managing Groups    216
Adding a new Group    216
Editing a Group    217
Cloning a Group    218
Importing a Group    219
Exporting a Group    220
Deleting a Group    220
Configuring Alert Groups    221
Configuring an Alert Group    221
Alert list features    223
Configuring Directory Services Groups    225
How to use Directory Services Groups    225
Synchronizing Directory Service Groups with the TriGeo SIM    226
Viewing a Directory Services Group's members    228
Directory Services Group grid columns    229
Deleting DS Groups    229
Configuring Email Templates    230
Step 1: Creating the email template    230
Step 2: Adding message parameters    231
Step 3: Creating the message    232
Managing email template folders    232
Configuring State Variables    233
Adding new State Variable fields    233
Editing State Variable fields    235
Deleting State Variable fields    236
Managing State Variable folders    237
Configuring Time of Day Sets    238
Configuring a Time of Day Set    238
Selecting periods in the time grid    240
Configuring Tool Profiles    241
Tool Profile rules    241
Creating a Tool Profile (general procedure)    242
Step 1: Selecting a template for the profile    242
Step 2: Selecting the Agents that are members of the profile    243
Editing a Tool Profile’s tool settings    245
Opening a Tool Profile’s tool settings    245
Adding a new tool instance    246
Editing a Tool Profile’s tool settings    247
Deleting a tool instance from a Tool Profile    248
Configuring User-Defined Groups    249
Examples of User-Defined Groups    250
Configuring a User-Defined Group    251
Adding data elements to a User-Defined Group    252
Editing a data element in a User-Defined Group    253
Deleting a data element from a User-Defined Group    253
Working with Group folders    254
Default Group folders    254
Default Email Template folders    254
Default State Variable folders    254
Showing and hiding sub-folders    255
Showing the contents of a Group folder    255
Adding Group folders and sub-folders    257
Renaming a Group folder    257
Moving Group folders    258
Moving Groups from one folder to another    259
Deleting a Group folder    260
Chapter 9: Managing rules    261
About rules    261
Rules view features    262
Rules view features    262
Rules grid columns    264
Refine Results form    266
Managing rules    267
Editing rules    268
Subscribing to a rule    270
Enabling a rule    272
Placing rules in test mode    273
Activating rules    275
Disabling a rule    276
Cloning rules    277
Importing a rule    278
Exporting rules    280
Deleting rules    281
Working with rule folders    282
Default rule folders    282
Showing and hiding sub-folders    283
Showing the contents of a rule folder    284
Adding rule folders and sub-folders    285
Renaming a rule folder    285
Moving rule folders    286
Moving rules from one folder to another    287
Deleting a rule folder    287
Chapter 10: Rule Creation    289
Creating custom rules    289
Rule Creation    289
Caution: Practice with filters before creating rules    289
Rule Creation features    290
Rule Creation view features    290
Rule window features    292
Correlations box features    296
Rule Creation procedures    299
Adding a new rule    299
Adding rule correlations    300
Configuring a rule's correlation time    303
Advanced thresholds    304
Opening the Set Advanced Threshold form    304
Setting an advanced threshold    305
Adding a threshold field    306
Editing threshold fields    306
Deleting a threshold field    307
Using the Actions box    308
Using constants and fields to make actions flexible    308
Configuring a rule’s actions    309
Rule correlation table    310
Actions table    313
Chapter 11: Users    325
About the Users view    325
Users view features    326
Users view features    326
Users grid columns    328
Refining the Users grid    329
Adding new users    330
Viewing a user’s system privileges    333
Editing user settings    334
Deleting users    335
Chapter 12: Connecting to other products    337
About TriGeo tools    337
How TriGeo tools work    337
Manager tools    338
Agent tools    338
Using Tool Profiles to configure multiple Agents    338
Supported products    339
Glossary to TriGeo tool terms    340
Tool Configuration features    342
Tool Configuration form features    342
Tools grid columns    344
Tools grid icons    345
Refining the Tools grid    346
Connecting products to the TriGeo SIM    347
First-time users    347
A note about TriGeo nDepth    348
Configuring Manager tools (general procedure)    349
Configuring Agent tools (general procedure)    350
Opening the Tool Configuration form    351
Adding new tool instances    353
Starting a tool instance    355
Stopping a tool instance    355
Editing a tool instance    356
Deleting a tool instance    357
Using an Agent to edit a Tool Profile    358
Tool configuration tables    359
Tool categories    359
Configuring sensors    365
Configuring actors    368
Setting up a notification system    371
Chapter 13: Appliances    373
About the Appliances view    373
Appliances view features    374
Appliances view features    374
Appliances grid columns    376
The Details pane    377
Setting up a Manager for the first time    379
Adding appliances to the Console    380
Logging in and out of Managers    382
Logging into a Manager    382
Logging out of a Manager    382
Changing an appliance’s basic configuration settings    383
Configuring a Manager's properties    384
Procedure for configuring a Manager    384
Completing the Login tab    385
Completing the License tab    387
Completing the Settings tab    389
Completing the Database tab    392
Configuring Manager network security tools    394
Using a database warehouse    395
Assigning a Manager’s alert data to a database warehouse    395
Disabling a database warehouse    395
Copying appliance data    396
Removing an appliance    396
Configuring alert distribution policy    397
Practical uses for alert distribution policy    397
Opening the Alert Distribution Policy window    398
About the Alert Distribution Policy window    400
Configuring alert distribution policy    402
Pushing alert policy to lower-level alert types    403
Exporting a Manager’s alert policy    404
Chapter 14: Managing Agents    405
About the Agents view    405
Agents view features    406
Agents view features    406
Agents grid columns    408
Refining the Agents grid    410
Managing Agents    411
Adding Agents    411
Configuring Agent tools    411
Responding to events that affect Agents    412
Changing an Agent’s Remote Updates setting    413
Deleting Agents    414
Deleting and recovering unused Agent licenses    415
Copying Agent data    416
Chapter 15: Running Reports    417
About TriGeo Reports    417
Opening TriGeo Reports    417
TriGeo Reports features    418
Key features of the TriGeo Reports window    418
Using the Menu Button    420
Using the Quick Access Toolbar    421
Default commands    421
Moving the Quick Access Toolbar    422
Minimizing the Ribbon    423
Configuring report preferences    424
Table of preferences    424
Selecting a (default) Primary Data Source    425
Configuring a syslog server    426
Configuring a data warehouse    427
Troubleshooting database connections    430
Managing report categories    431
Manage Categories form    431
Selecting reports for specific industries    432
Industry options    433
Creating a list of favorite reports    435
Removing a report from the Favorite Reports tab    437
Viewing Historical Reports    438
Working with report lists    439
Viewing lists of reports by category    439
Locating a report by title    441
Viewing a report’s properties    442
Creating a list of favorite reports    443
Sorting, filtering, and grouping report lists    444
Sorting the report list    444
Filtering report lists    445
Filtering a report list    445
Changing a filter setting    446
Turning off report filters    446
Custom report filters    448
Creating a custom report filter    448
Saving a custom report filter    449
Opening a saved custom report filter    450
Grouping reports    451
Creating a report group    452
Viewing the reports within a group    452
Creating a sub-group    453
Running and scheduling reports    454
Running reports on demand    454
Report errors    456
Scheduling reports (process overview)    457
Step 1: Selecting the report you want to schedule    458
Step 2: Adding a new scheduled report task    459
Step 3: Scheduling the report    461
Step 4: Selecting advanced scheduling options    463
Step 5: Stating when the system can or cannot run the task    465
Step 6: Assigning the data source and scope    468
Step 7: Exporting a scheduled report    470
Managing reports    472
Editing a scheduled report task    472
Deleting a schedule from a task    473
Deleting a scheduled report task    474
Viewing reports    475
Opening your saved reports    475
Viewing the sections of a master report    476
Hiding and showing a master report’s sub-topic pane    477
Viewing the pages of a report    479
Magnifying and reducing report pages    481
Stopping a report in progress    482
Searching reports for specific text    483
Viewing the text-based details of a report    483
Using the Search tool    483
Using the Select Expert tool    485
Running a query with the Select Expert tool    486
Restoring the original report    488
Printing reports    489
Printing a report    489
Setting up printer preferences    490
Exporting a report    491
Appendix A: Alert Types    493
Types of alerts    493
Asset Alerts    495
Audit Alerts    498
Incident Alerts    513
Internal Alerts    514
Security Alerts    519
Appendix B: Table of alert event data fields    557
Table of alert data fields    557
Appendix C: CMC commands    561
TriGeo Management Configuration Commands (CMC)    561
Logging on to CMC    562
Using the CMC 'appliance' menu    564
Using the CMC 'manager' menu    566
Using the CMC 'ndepth' menu    568
Using the CMC 'service' menu    569
Appendix D: Report Tables    573
Table of Audit reports    573
Table of Security reports    589
Table of TriGeo reports    607
Report schedule definitions    609
Chapter 1: System Requirements
Package contents
- TriGeo Security Information Manager (SIM) Appliance(s)
- TriGeo DVD:
  - Agent Installer
  - Remote Agent Installer
  - Remote Agent Uninstaller
  - Console Installer
  - Adobe AIR Runtime Installer
  - Reports Installer
  - Crystal Reports Runtime Installer
  - Upgrade and Upgrade Instructions
  - TriGeo SIM Installation Guide
  - TriGeo SIM User Guide
  - License Agreement
  - What’s New
Supported operating systems
TriGeo SIM Console
The TriGeo SIM Console is the graphical user interface used to monitor the TriGeo Manager and its
Agents. It can be installed on any workstation with an operating system that supports Adobe AIR
(http://www.adobe.com/products/air/systemreqs/):
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows 2003
- Microsoft Windows Vista
- Microsoft Windows 7
- Mac OS X
- Linux
Agents
You can install TriGeo's Agent software on workstations that run any of the following operating
systems:
- Microsoft Windows 2000, with Service Pack 4
- Microsoft Windows XP
- Microsoft Windows 2003
- Microsoft Windows Vista
- Microsoft Windows 7
- Mac OS X
- Linux
- Solaris (Sun or x86)
TriGeo Reports
You can install TriGeo Reports on workstations that run any of the following operating systems:
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows 2003
- Microsoft Windows Vista
- Microsoft Windows 7
Hardware requirements
Minimum hardware requirements
- Console/Reports: 1 GHz Pentium III or equivalent processor, 1 GB RAM, 5 GB hard disk drive
space.
- Agent: 450 MHz Pentium III or equivalent processor, 128 MB RAM, 1 GB hard disk drive
space.
Recommended hardware
- Console/Reports: 2 GHz Pentium 4 or equivalent processor, 2 GB RAM, 10 GB hard disk
drive space.
- Agent: 800 MHz Pentium III or equivalent processor, 512 MB RAM, 1 GB hard disk drive
space.
Technical Support
Please refer to the TriGeo Knowledgebase or contact TriGeo Technical Support if you receive any
errors or if you are uncertain about how to properly perform a procedure.
TriGeo Technical Support is available by phone or email during business hours. Please provide your
TriGeo software version when contacting us.
Hours of Operation: Monday - Friday, 5:00 AM to 5:00 PM, Pacific Time
Telephone: Toll Free, 866–664–6068 (United States only)
International Technical Support: 1–208–664–6060
Email: support@trigeo.com
Chapter 2: First-time users
Introduction
If you are a new TriGeo SIM user, read this section first. It explains many key concepts and directs
you to information you will need to do the following:
- prepare the TriGeo SIM for use
- configure the TriGeo SIM for use with your network
- maintain your TriGeo appliances
- find information about using the Console
- use TriGeo's reporting features.
About the TriGeo Security Information Manager (SIM)
The TriGeo Security Information Manager (SIM) is a state-of-the-art appliance that adds value to
existing security products and increases efficiencies in administering, managing and monitoring
security policies and safeguards on your network.
The TriGeo SIM is based on brand new concepts in security. You can think of it as an immunity
system for computers. It is a system that is distributed throughout your network as “points of
presence” that work together to protect and defend your network. The TriGeo SIM responds
effectively with focus and speed to threats and offensive actions.
The TriGeo SIM system is based on software modules, called Agents, and on the management of
these Agents and their information.
Agents are installed on each appropriate workstation, server, and network device (where applicable).
Agents communicate the logging data from each device’s security products to a Manager. These
security products include anti-virus software, network-based intrusion detection systems, and logs
from operating systems and firewalls.
Agents collect each product’s security-related event data, normalize this data, and then pass the
normalized data on to the Manager, which is a secure point for the management of Agents. All data
received from the Agents is processed by the Manager’s policy engine, and when needed, the
Manager initiates appropriate action.
These actions can include notification of a problem via the Console, email, or pager; blocking an IP
address; shutting down or rebooting a workstation; and passing the alerts on to the TriGeo database
for future analysis and reporting with the Reports application.
You can configure security policies based on the alerts retrieved from the security products that are
installed on the Agents and the network. The TriGeo Console provides a dedicated, comprehensive,
graphical interface that eases the configuration and management of the TriGeo system.
System setup and maintenance
The topics in this section will point you to the information you need to use the TriGeo SIM and the SIM
Console for the first time.
Preparing the TriGeo SIM for use
1. Install the TriGeo SIM Console to your workstation. For details, see the TriGeo SIM Installation Guide.
2. Install TriGeo’s Agent software on any computers that will be monitored by a Manager. For
details, see the TriGeo SIM Installation Guide.
3. Start the TriGeo SIM Console.
Connecting network security products to the TriGeo SIM
During the installation and training process, TriGeo typically configures the tools that connect your
third-party network security products and devices to your TriGeo Managers. These products are your
firewalls, anti-virus software, intrusion detection systems, and various operating system tools.
If you did not receive this training, or if you are configuring TriGeo tools for the first time, please go to
"Connecting products to the TriGeo SIM" on page 347 and carefully read "About TriGeo tools" on
page 337 before performing any of the following procedures.
Before you begin using the TriGeo SIM Console, you must do the following:
1. Add your TriGeo Managers to the Console, if you have not already done so. For details, see
"Appliances" on page 373. This chapter also includes information on licensing, logging on to
Managers, and other appliance properties.
2. Connect your third-party network security products and devices to the TriGeo SIM. For details,
see "Connecting products to the TriGeo SIM" on page 347. Here, you will find complete
information on connecting network and security data to your Managers and your Agents. Once
connected, the data is ready for processing by the TriGeo SIM and for viewing in the Console.
Note: Before you configure a TriGeo tool (sensors and actors) for use with a network security
product or device, that product or device should already be installed on or remotely logging to
the computer the TriGeo SIM will be monitoring.
3. Add the users who will use the Console to manage the TriGeo SIM. For details, see "Adding
new users" on page 330.
Ongoing maintenance
- To manage TriGeo appliances, including their network configuration, backup, and other
details, see "CMC commands" on page 561.
Finding information on using the Console
The Console is organized into different functional areas, called views. These views organize and
present different information about the components that make up the TriGeo SIM system.
- In Ops Center, you'll find a dashboard view that presents visual representations of your data.
- In Monitor, you'll filter and view alert details.
- In Explore, you'll find utilities for investigating alerts and their details.
- In Build, you'll create critical components of the TriGeo SIM that function on a TriGeo Manager
for processing data.
- In Manage, you'll manage properties associated with Agents and Managers, and configure
data sources to integrate your network security data with the TriGeo SIM.
- TriGeo Reports is a separate application. Its reporting tools let you run or schedule reports
about the data that is stored in your TriGeo SIM database.
The following topics briefly explain the role of each view of the Console, the view’s primary uses, and
where to get information on performing key tasks within that view. Topics are arranged here in an
order that will help you understand the most fundamental items first, such as alerts, alert filters, and
widgets. They then progress to more advanced features, such as exploring alerts, and creating
Groups and rules.
Console basics
See "Introduction to Console basics" on page 17 for a discussion of features that are used throughout
the Console’s user interface, such as panes, grids, a status bar, etc.
In particular, see the following sections:
- To learn the key features of the Console, see "Console features" on page 19.
- "Working with grids" on page 31 explains how to perform such common tasks as selecting
items in a grid, moving through a grid, resizing grid columns, rearranging grid columns, and
sorting a grid by its columns.
Monitor (alerts and alert filters)
Alerts
The Monitor view is the heart of the TriGeo Console. As the name implies, it is used for monitoring
your network activity. In Monitor, you will create filters and widgets that group and display different
alerts that come from your Agents, Managers, and network devices.
Alerts are messages created from Agent, Manager, and network device log entries. These log entries
are processed (or normalized) to extract information and display the data in a common
column/field-based format, rather than the often convoluted format you see in the source data. These
normalized alerts are sent from the Agent to the Manager for processing. At the Manager, the alerts
are processed against your Rules, sent to your TriGeo Database for archiving, and sent to the TriGeo
Console for monitoring.
Filters and filter groups
On a busy network, there can be millions of alerts each day. Therefore, the Console uses alert filters
to manage alerts. A filter is a subset of your alerts that focuses on a particular type or group of alerts
and hides all others. When configuring a filter, you can examine and use individual alert properties to
determine precisely which alerts are to appear in that filter.
Filters apply at the Console level. This means they apply to all data sent from every Manager
monitored by the Console. Filters also display alerts in real time.
You can turn filters on and off, pause filters to sort or investigate their alerts, perform actions to
respond to alerts, and configure filters to notify you when they capture a particular alert. Filters can
also display widgets, which are charts and graphs that visually represent the alert data. Widgets are
described in more detail below.
The TriGeo SIM ships with many commonly used filters that support best practices in the security
industry. However, you can create your own custom filters, or modify existing filters to meet your
needs. There is no limit to the number of filters a Console can contain.
Filters are organized into filter groups. A filter group is simply a high-level category for storing filters
that logically fit into that category. Each title bar in the Monitor view’s Filters pane represents a
different filter group. Each item listed in a filter group is a different alert filter.
Clicking a filter in the Filters pane causes the alert grid to show a filtered view of the alert stream
coming into the Console. The grid displays only those alerts that are allowed by the filter—it hides all
of the other alerts. Because filters list only those events that meet their specific requirements, they
are a handy way to organize and quickly sift through large quantities of alerts.
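To make the filter concept concrete, here is an added example (not TriGeo code) that models a Console filter as a tree of AND/OR conditions evaluated over normalized alerts, laid out like the tutorial's Lesson 1 in the Contents (administrative logons outside business hours, or failed logons during business hours), with a User-Defined Group and a Time of Day Set as the reusable parameters. The alert field names, event type values, the ADMIN_ACCOUNTS group, the business-hours window and the sample alerts are all assumptions constructed for this example.

```python
"""Model of a Console alert filter: a condition tree evaluated over normalized alerts."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Any, Callable, Dict, List

Alert = Dict[str, Any]                 # one normalized alert: field name -> value
Condition = Callable[[Alert], bool]

# Constructed User-Defined Group: administrative accounts a filter references as
# one parameter instead of spelling out each account in its own condition.
ADMIN_ACCOUNTS = frozenset({"administrator", "da-jsmith", "svc-backup"})


def in_business_hours(ts: datetime) -> bool:
    """Constructed Time of Day Set: Monday to Friday, 08:00 up to 18:00."""
    return ts.weekday() < 5 and time(8, 0) <= ts.time() < time(18, 0)


def field_equals(name: str, value: Any) -> Condition:
    return lambda a: a.get(name) == value


def field_in_group(name: str, group: frozenset) -> Condition:
    # Account names are compared case-insensitively, as log sources disagree on case.
    return lambda a: str(a.get(name, "")).lower() in group


def business_hours_is(flag: bool) -> Condition:
    return lambda a: in_business_hours(a["DetectionTime"]) == flag


def all_of(*conds: Condition) -> Condition:      # an AND group of conditions
    return lambda a: all(c(a) for c in conds)


def any_of(*conds: Condition) -> Condition:      # an OR group of conditions
    return lambda a: any(c(a) for c in conds)


@dataclass
class AlertFilter:
    name: str
    filter_group: str            # the title bar it sits under in the Filters pane
    condition: Condition
    enabled: bool = True         # a filter that is turned off sees no traffic
    paused: bool = False         # modelled here as: the grid stops taking new alerts
    matched: List[Alert] = field(default_factory=list)

    def feed(self, alert: Alert) -> bool:
        """Offer one alert from the stream; True if the grid would show it."""
        if not self.enabled or self.paused:
            return False
        hit = self.condition(alert)
        if hit:
            self.matched.append(alert)
        return hit


def lesson1_filter() -> AlertFilter:
    """Condition tree shaped like Lesson 1: (successful logon AND outside business
    hours AND admin account) OR (failed logon AND during business hours)."""
    return AlertFilter(
        name="Suspicious logon activity",
        filter_group="Authentication",
        condition=any_of(
            all_of(
                field_equals("EventType", "UserLogon"),
                business_hours_is(False),
                field_in_group("DestinationAccount", ADMIN_ACCOUNTS),
            ),
            all_of(
                field_equals("EventType", "UserLogonFailure"),
                business_hours_is(True),
            ),
        ),
    )


# Constructed sample alerts, already normalized into a common field set.
SAMPLE_ALERTS: List[Alert] = [
    {"id": "A1", "EventType": "UserLogon", "DestinationAccount": "Administrator",
     "DetectionTime": datetime(2010, 3, 6, 2, 15)},    # Saturday 02:15, admin
    {"id": "A2", "EventType": "UserLogon", "DestinationAccount": "jdoe",
     "DetectionTime": datetime(2010, 3, 6, 2, 20)},    # Saturday 02:20, not admin
    {"id": "A3", "EventType": "UserLogon", "DestinationAccount": "da-jsmith",
     "DetectionTime": datetime(2010, 3, 8, 10, 0)},    # Monday 10:00, expected
    {"id": "A4", "EventType": "UserLogonFailure", "DestinationAccount": "jdoe",
     "DetectionTime": datetime(2010, 3, 8, 10, 5)},    # Monday 10:05, failure
    {"id": "A5", "EventType": "UserLogonFailure", "DestinationAccount": "jdoe",
     "DetectionTime": datetime(2010, 3, 8, 23, 30)},   # Monday 23:30, after hours
]


def apply_filter(filt: AlertFilter, alerts: List[Alert]) -> List[str]:
    """Replay the alert stream through a filter; return the ids the grid would show."""
    return [a["id"] for a in alerts if filt.feed(a)]


if __name__ == "__main__":
    print(apply_filter(lesson1_filter(), SAMPLE_ALERTS))   # ['A1', 'A4']
```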
Resources
- To view and work with alerts and alert filters, see "Working with alerts and alert filters" on page
63.
- To apply filters to your alert activity, see "Using the alert grid" on page 72.
- To manage alert filters and alert groups, see "Managing alert filters" on page 87.
- To manage filter groups, see "Managing filter groups" on page 98.
- To explore the specific alert details, see "About the Explore view" on page 155.
- To respond to an alert (that is, to take corrective or preventive action), see "Responding to
alert messages" on page 83.
- To create your own custom alert filter, see "Creating custom alert filters" on page 109.
- Also see "Managing Groups" on page 216 for details on how to create Groups and Email
Templates for use with your alert filters.
Ops Center and widgets
The Ops Center is a "dashboard" used for viewing and managing informational "widgets." Each
widget represents a high-level graphical view of specific network activity. Widgets are designed to
present important high-level information in easy-to-read graphical formats, such as charts and graphs.
Widgets are filter-driven — that is, a filter is the data source for the graphical representation found in
the widget. In fact, widgets appear in Monitor, as well, so you can see graphical views of your filters
along with their grid-based views.
You can choose from a library of commonly used widgets that TriGeo has prepared, or you can create
your own widgets. You can add or remove widgets, edit existing widgets, or resize, refresh, and
rearrange widgets to meet your personal preferences.
Resources
- For complete information on the Ops Center, Widget Manager, widgets, and how to use
them, see "Using the Ops Center" on page 39.
- To learn how to create and manage widgets, see "Using the Widget Manager" on page 44.
- To learn how to view, edit, rearrange, resize, and delete dashboard widgets, see "Working with
widgets in the Ops Center dashboard" on page 52.
Explore
The Console's Explore view contains several utilities, called explorers. You can think of this view as
a center for investigating alerts and their details.
Many of the explorers are utilities used for finding out more about alert-specific details, such as
looking up IP addresses, domain names, and host names. The Event explorer lets you view all of the
events related to an alert message. It is designed to help you visualize how the alert occurred and the
system's response to that alert. You can follow the chain of events that caused the alert, and help
determine its root cause.
The Explore view also has a Respond menu that you can use from any of the explorers. Respond
allows you to take corrective action on an alert or other information presented in an explorer, such as
manually shutting down a workstation when you see a problem reported in the Console.
Resources
• For general information on explorers, see "About the Explore view" on page 155.
• For a description of each type of explorer, see "Types of explorers" on page 156.
• To use the Event explorer, see "Using the Event explorer" on page 160.
• To learn how to respond to an alert, see "Responding to alert messages" on page 83.
Build views (Users, Groups, and Rules)
The Console's Build views are used to create, manage, and organize components of the TriGeo SIM
that are stored on a Manager and used for processing alerts. In the Build views, you can manage
Users, Groups, and Rules. For more information on each Build view, see the descriptions below.
Users
The Users view is used to manage the system users who are associated with each TriGeo Manager.
By adding email addresses for each user, the Console can notify users of alert conditions by email.
Resources
• To learn how to add and manage a Manager's users, see "Adding new users" on page 330.
Groups
The Console’s Build ► Groups view is used to create, manage, and organize Groups. Groups are
configurable lists of related parameters that are used in rules, filters, and sometimes other areas of
the TriGeo SIM. When configuring your rules and filters, you can benefit from huge gains in efficiency
by the careful planning and use of Groups in those rules and filters:
• You can apply a whole set of parameters or settings to a filter or rule simply by adding that Group to the rule or filter.
• If you update a Group with new settings, any filters or rules that are configured to use that Group are automatically updated to use the Group's new settings.
Here are a few examples of practical uses for Groups:
• Alert Groups are custom families of alerts that you can save as a Group. For example, you might create an Alert Group made up of similar alerts that all need to trigger the same response from the Console. When you apply the Alert Group to a rule, the Console implements the same rule when any one of the alerts in the Group occurs.
• Time of Day Sets allow your filters and rules to take different actions at different times of day. For example, you might define two different Time of Day Sets, "Working Hours" and "Outside Working Hours." You may want your rules to alert your system administrator via email and cell phone during working hours. Outside of business hours, you may want your rules to automatically shut down the offending computer and alert your administrator by email only.
• Email Templates allow you to create pre-formatted email messages that your TriGeo rules can use to notify you of an alert event.
These are just a few examples. There are many more Group types and endless possible uses.
Resources
• To learn more about Groups, see "About Groups" on page 209.
• To learn about the different Group types you can use, see "Group types" on page 210.
• To add, edit, clone, import, export, or delete a Group, see "Managing Groups" on page 216.
• To use Groups when configuring filters, see "Configuring filter conditions" on page 120.
• To use Groups when configuring rules, see "Creating custom rules" on page 289.
Rules
The Rules view
The Console’s Build ► Rules view is used to create, configure, and manage your rules. Rules are
used to monitor and respond to alert traffic. They allow you to automatically notify or respond to
security events in real time, whether you are monitoring the Console or not. When an alert (or a series
of alerts) meets a rule's conditions, the rule automatically prompts the Manager to take action, such
as notifying the appropriate users, or performing a particular active response (such as blocking the IP
address or stopping a particular process).
The Console ships with a set of preconfigured rules that you can begin using immediately. However,
you can use the view's Rule Creation tool to create your own custom rules and your own variations
on any existing rules.
Rule Creation
In the Build ► Rules view, the Rule Creation tool is used to configure new rules and to edit existing
rules.
As with filters, you create rules by configuring conditions between alert variables and other components,
such as Time of Day Sets, User-Defined Groups, Constants, etc. However, rules go a step further.
They let you correlate alert variables with other alerts and their alert variables.
By correlate, we mean you can specify how often and in what time frame the correlations must be
met before the rule is triggered. The combined correlations dictate when the rule is to initiate an active
response.
You can configure rules to fire after multiple alerts occur. The Manager will remember alerts if they
meet the rule's basic conditions. It waits for the other conditions to be met, too. If they are, the
Manager fires the rule. The rule does not take action until the alerts meet all of the conditions and
correlations defined for that rule.
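To make the behaviour described above and in the Groups examples concrete, here is an added model (example code, not TriGeo's own implementation) of a rule that uses an Alert Group and two Time of Day Sets, fires only after a count-within-time-frame correlation is met, and is replayed over constructed alerts. All alert names, addresses and Group contents are invented for the example.

```python
"""Added example: how a Group-based rule with a correlation behaves.
Not TriGeo code; names, alert types and addresses are constructed."""
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta

# Alert Group: a family of alerts that should all trigger the same rule.
ALERT_GROUPS = {
    "Failed Logons": {"UserLogonFailure", "AccountLockout"},  # constructed
}

# Time of Day Sets as (start, end) ranges; the second one wraps midnight.
TIME_OF_DAY_SETS = {
    "Working Hours": (time(8, 0), time(18, 0)),
    "Outside Working Hours": (time(18, 0), time(8, 0)),
}


def in_time_of_day_set(name, when):
    """True if the timestamp falls inside the named Time of Day Set."""
    start, end = TIME_OF_DAY_SETS[name]
    t = when.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end  # range crosses midnight


@dataclass
class Alert:
    alert_type: str
    source_ip: str
    when: datetime


@dataclass
class Rule:
    name: str
    alert_group: str          # basic condition: alert is in this Group
    threshold: int            # how often the condition must be met ...
    window: timedelta         # ... and in what time frame
    actions: dict             # Time of Day Set name -> active response
    _seen: dict = field(default_factory=dict)  # remembered alerts per source

    def matches(self, alert):
        return alert.alert_type in ALERT_GROUPS[self.alert_group]

    def evaluate(self, alert):
        """Return the response to take, or None if the rule does not fire yet."""
        if not self.matches(alert):
            return None
        q = self._seen.setdefault(alert.source_ip, deque())
        q.append(alert.when)                       # Manager remembers the alert
        while q and alert.when - q[0] > self.window:
            q.popleft()                            # forget alerts outside the window
        if len(q) < self.threshold:
            return None                            # correlation not yet satisfied
        q.clear()                                  # fire once per burst
        for set_name, action in self.actions.items():
            if in_time_of_day_set(set_name, alert.when):
                return action
        return None


def build_rule():
    return Rule(name="Repeated failed logons", alert_group="Failed Logons",
                threshold=5, window=timedelta(minutes=5),
                actions={"Working Hours": "email and cell phone",
                         "Outside Working Hours": "shut down host, email"})


def sample_alerts():
    """Constructed alert stream: a daytime burst, noise, a slow trickle, a night burst."""
    day = datetime(2010, 3, 1, 10, 0)
    night = datetime(2010, 3, 1, 22, 0)
    burst_day = [Alert("UserLogonFailure", "10.0.0.5", day + timedelta(seconds=20 * i))
                 for i in range(5)]
    noise = [Alert("PortScan", "10.0.0.5", day)]        # not in the Alert Group
    trickle = [Alert("UserLogonFailure", "10.0.0.7", day + timedelta(minutes=10 * i))
               for i in range(5)]                       # never 5 inside 5 minutes
    burst_night = [Alert("AccountLockout" if i == 4 else "UserLogonFailure",
                         "10.0.0.9", night + timedelta(seconds=30 * i))
                   for i in range(5)]
    return burst_day + noise + trickle + burst_night


def replay(rule, alerts):
    """Feed alerts in order; return (alert index, response) for each firing."""
    fired = []
    for i, alert in enumerate(alerts):
        response = rule.evaluate(alert)
        if response is not None:
            fired.append((i, response))
    return fired


if __name__ == "__main__":
    for idx, resp in replay(build_rule(), sample_alerts()):
        print(f"alert #{idx}: rule fired, response = {resp}")
```

Only the two bursts fire; the slow trickle meets the basic condition every time but never the correlation, so the Manager takes no action on it.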
The possibilities for rules are endless. Therefore, this section describes how to create rules only in
very general terms. This section is not intended to be a tutorial, but rather a reference for you to fall
back on if you are unclear about how any part of Rule Creation works.
Learning to build rules
The tools in Rule Creation are very similar to those found in Filter Creation. However, filters simply
report event occurrences; rules act on them. There is no harm if you create a filter that is unusual or
has logic problems. But this is not always the case with rules. Rules can have unexpected and
sometimes unpleasant consequences if they are not configured exactly as you intend them to be.
Inexperienced users should use caution when creating rules. Creating filters is an excellent way to
familiarize yourself with the logic and tools needed to create well-crafted rules. You should only begin
configuring rules after you are at ease with configuring filters. Even then, always test your rules
before implementing them.
Resources
• For general information on rules, see "About rules" on page 261.
• To create and manage rules, see "Managing rules" on page 267.
• To learn how to configure your own custom rules, see "Creating custom rules" on page 289.
• Also see "Managing Groups" on page 216 for details on how to create Groups and Email Templates for use with your rules.
Manage (Agents and Appliances)
The Console's Manage area is used to configure and maintain properties of your TriGeo Agents and
Managers. In Manage, you can change properties of your Managers such as licenses, update
preferences, and password policies. This is also where you will configure Agents and Managers to
monitor and respond to the logging sources of your network security products and devices.
Resources
• To connect the Console to your Managers, see "Setting up a Manager for the first time" on page 379.
• To assign a database warehouse, see "Using a database warehouse" on page 395.
• To add and manage TriGeo Agents, see "Managing Agents" on page 411.
• For step-by-step instructions on connecting Agent sensor and actor tools to your network security products and devices, see "Connecting products to the TriGeo SIM" on page 347.
TriGeo Reports
TriGeo Reports is an application that lets you run or schedule reports about the data that is stored in
your TriGeo SIM database. Reports combine alert details and graphical information for analysis and
storage.
Resources
• To open TriGeo Reports, see "Opening TriGeo Reports" on page 417.
• To see a list of the predefined reports that are available, see "The following tables list all of TriGeo's reports, provide descriptions of their contents, and suggest schedules for running each report." on page 573.
• To run or schedule a report, see "Running and scheduling reports" on page 454.
• To view a report's content, see "Viewing reports" on page 475.
• To search a report, see "Searching reports for specific text" on page 483.
• To print a report, see "Printing reports" on page 489.
• To export a report as a PDF or RPT file, see "Exporting a report" on page 491.
Chapter 3: TriGeo SIM Console basics
Introduction to Console basics
The TriGeo SIM Console is the heart of the TriGeo SIM system. You will use it to configure and
access Manager and Agent functions, create filters and rules for monitoring your TriGeo SIM data,
and set up related system components such as Groups and users.
This chapter provides a high-level view of the TriGeo SIM Console and explains how to use some of
its common user interface features. In it, you will learn the following:
• Key features of the Console
• Opening and closing panes
• Opening and closing nodes
• Working with grids
• Using ToolTips
• Using the status bar
• Determining your version of the Console
• Exiting the TriGeo Console
Opening the TriGeo SIM Console
Do either of the following:
• Click the Start button and then click All Programs. Then point to the TriGeo folder and click the TriGeo SIM Console shortcut.
• Double-click the TriGeo SIM desktop icon.
After a moment, the TriGeo SIM Console appears. When you start the Console for the first time,
the Manage ► Appliances view appears, so you can configure and log in to a Manager.
Otherwise, the Console restores the view that was open the last time you closed the Console.
Opening views in the Console
The Console is made up of multiple views, where each view has a special function. To open a view of
the Console, simply click its corresponding button at the top of the Console.
To open a view:
• To open the Ops Center view (to work with widgets), click the Ops Center button.
• To open the Monitor view (to view, manage, and create filters), click the Monitor button.
• To open the Explore view (to work with TriGeo explorers), click the Explore button.
• To open the Groups view (to build and manage Groups), click the Build ► Groups button.
• To open the Rules view (to build and manage policy rules), click the Build ► Rules button.
• To open the Users view (to add and manage TriGeo Console users), click the Build ► Users button.
• To open the Appliances view (to add and manage TriGeo appliances), click the Manage ► Appliances button.
• To open the Agents view (to add and manage TriGeo Agents), click the Manage ► Agents button.
• For instructions on using nSight and TriGeo Reports, click the Analyze button.
Console features
An active Console looks like the one shown here. This diagram shows many common features that
are used throughout the Console.
The following table describes each of these features. Please take a moment to familiarize yourself
with them, as you will use them frequently.
Item / Name: Description

Menu: This is the Console's main menu. Each option on the menu opens the Console to a different view, where you can perform specialized tasks that are associated with that view. Some options, such as the Build menu, open multiple views. The menu option that is currently selected appears with a gray background.

Window controllers: Use these buttons to minimize, restore, maximize, and close the Console window.

Sidebar and Refine Results pane: Clicking the Sidebar button alternately opens and closes the left-hand panes. The Refine Results pane behaves like a search engine. It lets you apply filters to a grid to reduce the number of items it shows. The fields and options in this pane change to reflect the view and grid you are working with. The Reset button restores the view to its default settings.

Grid: A key feature of the Console is its use of grids. Grids are simply lists of items that are associated with a particular view. For example, the Users grid shows a complete list of Console users. The Monitor view's grid displays a list of alert activity. The grid's gear button can be thought of as a grid menu. It appears with each item listed in the grid. Clicking the button displays a list of commands that can be performed on that particular item. You can also sort a grid by clicking its column headers. For more information, see "Working with grids" on page 31. Note that grids also use scroll bars so you can see the complete contents of larger grids.

Grid toolbar: Many grids have a toolbar with command buttons. These buttons typically open forms for performing specialized tasks, such as adding and configuring new items for the grid, or importing, exporting, or exploring items in the grid.

Help: Click Help to open the Console's online Help to content about the currently active view, window, or form. Help has complete information about each item in the Console, as well as detailed reference information about alert messages.

Pane dividers (vertical and horizontal): The vertical and horizontal bars that separate the window's various panes can also be used to resize each pane. Click a horizontal pane divider and then drag it up or down. Click a vertical pane divider and then drag it left or right.

Lower pane: Most grids have a lower pane, just below the grid. Depending on the view, these panes can show read-only reference information, or they can be data entry forms for configuring and editing items associated with the grid. By default, a grid's lower pane is hidden. Click this button to alternately open and close the window's lower pane.

Forms: Many commands open specialized forms, which appear on top of the view. Forms can contain read-only reference information, or they can be data entry forms that are used to configure and edit items associated with the grid.

Status bar: The status bar shows the Console's current connection status and reports the status for other "in progress" activities. The status bar also displays three status panes, one for Appliances, one for Agents, and one for Notifications. These panes summarize information about your Managers, Agents, and alert activity. For more information, see "The status bar" on page 22.

Save and Cancel: Click Save to save your changes. The window will remain open so you can continue working. Click Cancel to cancel any changes you have made since the last time you clicked Save.

Resize window: Click and drag this corner to resize the Console window.
The status bar
Regardless of which view you are working with, the bottom of the Console window always displays a
status bar.
The Console's status bar
The status bar displays information about activity the Console is performing in the background, such
as communicating with the Manager, or reconnecting to a disconnected Manager. The status bar also
has three status tabs—one for Appliances, one for Agents, and one for alert Notifications.
The following topics explain how to use and interpret each part of the status bar.
Appliances tab
The Appliances tab summarizes the current status of your Managers. The number in the gray box (left)
shows how many Managers are currently connected. The number in the red box (right) shows how
many Managers are disconnected.
This tab cannot be opened. However, you can use it to open the Manage ► Appliances view as
follows:
• Click Appliances ► to open the Manage ► Appliances view. This view contains a grid that shows a complete list of your connected and disconnected Managers.
• Click the number in the gray box to open the Manage ► Appliances view with the grid filtered to show only those Managers that are currently connected.
• Click the number in the red box to open the Manage ► Appliances view with the grid filtered to show only those Managers that are currently disconnected.
Agents tab
The Agents tab summarizes the current status of your licensed TriGeo Agents. The number in the
gray box (left) shows how many Agents are currently connected. The number in the red box (right)
shows how many are currently disconnected.
This tab cannot be opened. However, you can use it to open the Manage ► Agents view as follows:
• Click Agents ► to open the Manage ► Agents view with the grid showing a complete list of your licensed TriGeo Agents.
• Click the number in the gray box to open the Manage ► Agents view with the grid filtered to show only those Agents that are currently connected.
• Click the number in the red box to open the Manage ► Agents view with the grid filtered to show only those Agents that are currently disconnected.
Notifications tab
The Notifications tab summarizes the alert activity from each of your active (turned on) notification
filters during this session with the Console. Notification filters are those filters that are configured to
notify you of alerts with either blink, popup, or sound notifications.
• The number in the gray box (left) shows the total number of alerts from your active notification filters.
• The number in the red box (right) shows the total number of different notification types (blink, pop-up, or sound) that have occurred.
Unlike the other status tabs, you can open the Notifications tab.
• Click Notifications ▲ to open the Notifications tab to see detailed information about your filter notifications.
• Click Notifications ▼ to close the tab.
How to use the Notifications tab
When opened, the Notifications tab lists each alert message from your active notification filters. It
states the name of the filter that issues the alert, the time the alert occurred, and the total number of
times it has occurred during this session with the Console.
The Notifications tab, when opened
The following table explains each column of the Notifications tab.

Column: Description

Icon: The Notifications tab uses icons to signify the filter's method of notification. The sound icon means the filter has played a sound. The popup icon means the filter has opened an alert popup window. The blink icon means the filter's name is blinking in the Monitor view's Filters pane.

Filter Name: The name of each active notification filter that has notified you of an alert. Clicking a filter name in this column opens that filter in the Monitor view's alert grid.

Time: The last time a notification occurred with each filter.

Total: The total number of notifications that have occurred with each filter.
Opening a filter from the Notifications tab
You can open a filter from the Notifications tab to see, explore, or respond to the events that are
being reported by that filter.
To open a filter:
• In the Notifications tab, click the name of the filter you want to open.
The alert grid refreshes to display the filter you selected. You may now examine the incidents
you are concerned with.
Removing notices from the Notifications tab
After reviewing a filter notification, you can delete it so you don’t wind up investigating the same
notices over and over.
To remove a filter notification:
• In the Notifications pane, point to the notification you want to remove, and then click its remove icon.
Responding to a Popup Notification form
The Popup Notification form
If a filter displays the [Filter Name] Popup Notification form, you can respond to it in three different
ways.

To open the filter in the Monitor view and view the alert message:
1. Select Take me to the filter [Filter Name].
2. Click OK.

To turn off the Popup Notification form for this filter:
1. Select Never show this dialog again.
2. Click For the filter [Filter Name].
3. Click OK.

To turn off the Popup Notification form for all filters:
1. Select Never show this dialog again.
2. Click For all filters.
3. Click OK.

Note: These options directly modify the filter. To turn them back on, you must edit the filter.
Showing Console activity
The far right section of the status bar displays the Console's current connectivity status. It also
displays messages that summarize activity the Console is performing in the background, such as
communicating with the Manager, or reconnecting to a disconnected Manager.
The status bar, showing its background activity
If there are multiple activities, their number appears to the left of the message. For example, if the
status bar reads (2) Reconnecting to Manager, it means the current activity is "Reconnecting to
manager" and there is one other activity being performed (or queued) at the same time.
If desired, you can show a detailed list of the Console's activity.
To show the Console's activity:
• Click the square box next to the Connected message.
When activity occurs, a small pane appears, listing each activity. When the activity is over,
the pane hides itself.
Opening and closing panes and sidebars
To free up room on the Console, many panes are closed by default. You can open or close these
panes, as needed. In addition, most views have a sidebar that you can open and close to free up
space. You can also resize each pane by dragging the vertical and horizontal bars that separate them.
To open or close panes and sidebars:
• In the Ops Center, click the Widget Manager button to alternately open and close the Widget Manager panes.
• In the Monitor view, click the Filters button to open and close the Filters and Filter Notifications panes.
• In the Explore view, click the History button to open and close the History pane.
• In the Build and Manage views, click the Console's Sidebar button to alternately open and close the Refine Results panes.
• In the Monitor and Build views, click the lower-pane button to alternately open and close the pane below a grid. You can also drag the top of this button up and down to resize the grid.
In each case, the icon on the button changes to show the direction the pane will go when you click the button.
To resize panes:
• Click a horizontal pane divider and then drag it up or down.
• Click a vertical pane divider and then drag it left or right.
Opening and closing nodes
Some items (folders, alerts, etc.) appear in hierarchical node trees,
as shown here. Closing the node hides its items. Opening the
node shows its items.
To open or close nodes:
• To open a node, click the ► icon. This displays the next level of items beneath the node.
• Click the ▼ icon to close the node. This hides the node's lower-level items.
In the left picture, the node is closed, which hides its lower-level items.
In the right picture, the node is open, showing the lower-level items within the node.
ToolTips
Many panes, forms, fields, and grids use ToolTips to display helpful tips about the item you are
viewing. ToolTips also display the complete contents of a text box that is partially hidden.
To see ToolTips:
• Move your pointer over the item you want to learn more about. After a moment, the ToolTip appears, as shown here.
Working with grids
Grids are used throughout the Console. The following topics explain how to perform common tasks
with grids, such as selecting rows and grid cells, resizing grid columns, rearranging grid columns, and
sorting a grid by its columns.
Selecting items in a grid
You can select an entire row or an individual cell in a grid. Some grids, such as the alert grid, allow
you to select multiple rows in any order, or as a continuous series of rows.
To select a row in a grid:
• In the grid, click the row you want to work with.
To select multiple rows in a grid:
• To select specific rows, press and hold the Ctrl key; then click each row you want to select.
• To select a continuous range of rows, press and hold the Shift key; then click the first and the last row in the range. This selects the two rows, and all of the rows between them.
To select a grid cell:
• Click the specific cell you want to work with. The row is also selected, by default.
Moving through a grid
• After selecting a row in a grid, you can use the up (↑) and down (↓) arrow keys to move up and down through the grid.
• If the grid contains a long list of items, use the scroll bars to move quickly up and down in the list.
Resizing grid columns
When needed, you can resize a grid column to see more of its data.
To resize a grid column:
1. Position your pointer on the line between two of the grid’s column headers.
2. When the pointer turns into a two-headed arrow, resize the columns by dragging the line
between the columns to the left or to the right.
Rearranging grid columns
When needed, you can rearrange the order in which grid columns appear. The columns will stay in
their rearranged order until you exit the Console. Upon reopening the Console, the columns revert to
their default order.
To rearrange grid columns:
• Click the header of the column you want to move; then drag it to the right or left and drop it into the desired position.
Before
In this example, we will swap the positions of the Role and Manager columns. First, click the Role
column header. Then drag and drop it to the right of the Manager column header.
After
Sorting a grid by its columns
You can sort the data in a grid by clicking its column headers. You can sort each column in ascending
(alphabetical) order, or in descending (reverse alphabetical) order. In many cases, you can sort a grid
by more than one column by using the Ctrl+click method.
Note: Before you can sort the Monitor view’s alert grid, you must first click the grid’s Pause button to
stop the incoming alert traffic. When you are done, click Resume to continue receiving alert traffic.
To sort a grid:
• Click one of the grid's column headers to sort the grid by that column.
If the column header shows an upward ▲ arrow, it means the column data is sorted in
ascending order (alphabetically, or from lowest to highest: A to Z, 1 to 0).
If the column header shows a downward ▼ arrow, it means the column data is sorted in
descending order (reverse alphabetical, or from highest to lowest: Z to A, 0 to 1).
• Click the column header again to sort the grid by the same column, but in reverse order.
To sort a grid by multiple columns:
• Press and hold the Ctrl key; then click another column header.
You can tell how the table is sorted by the small ▲ and ▼ arrows in the column headers,
and by the little numbers (1 and 2) that appear next to them. An "up" ▲ arrow means the
column is sorted in ascending order. A "down" ▼ arrow means it is sorted in descending order.
The numbers state the column sort order: 1 is the first sort, 2 is the second sort, and so on.
• If a secondary column's sort order is in the wrong direction, press the Ctrl key and click the column header again. This will reverse the column's sort order.
Example: In the example shown below, this tool list was first sorted by Category in
ascending order. This listed the tool categories in alphabetical order.
By pressing Ctrl and then clicking the Name column, you can also sort the tool names in
ascending or descending order. In the example shown here, the Name column was sorted in
ascending order, so the specific tools would appear in alphabetical order within each tool
category.
Determining your version of the Console
Use the following procedure when you need to determine which version of the TriGeo SIM Console
you are using.
To determine your version:
• In the upper-left corner of the Console, click the TriGeo logo.
The About screen appears, showing the Console's version, build number, and TriGeo
Technical Support contact information.
Exiting the TriGeo Console
Exiting the TriGeo Console closes the Console window and disconnects the Console from any
connected Managers.
Normally, you will not exit the Console unless you want to close it. Exiting the Console makes it
invisible to the Managers. The Managers continue to gather information from their Agents. However,
when you reopen the Console, it will not display the Manager and Agent alert traffic that
occurred while it was closed. Instead, the alert grid will be blank.
It is recommended that you keep the Console running either on your workstation or a secondary
workstation to best monitor alerts on a daily basis.
To exit the TriGeo Console:
• Click the close button on the TriGeo Console's title bar.
Chapter 4: Using the Ops Center
About the Ops Center
The Ops Center is a “dashboard” used for viewing and managing informational “widgets.” Each
widget represents a high-level graphical view of specific network activity. Widgets are designed to
present important high-level information in easy-to-read graphical formats, such as charts and graphs.
Widgets are filter-driven — that is, a filter is the data source for the graphical representation found in
the widget. In fact, widgets appear in Monitor, as well, so you can see graphical views of your filters
along with their grid-based views.
You can choose from a library of commonly used widgets that TriGeo has prepared, or you can create
your own widgets. You can add or remove widgets, edit existing widgets, or resize, refresh, and
rearrange widgets to meet your personal preferences.
To begin working with a dashboard widget, simply click to select the widget you want to work with.
You can point to the widget to display ToolTips and details about its graph. You can also use the
control options on its toolbar to change the widget's settings and display format.
You can resize widgets, but they are limited to certain sizes and aspect ratios to keep the Ops
Center tidy and organized.
Ops Center features
This topic describes the key features of the Ops Center and its Widget Manager.
The Ops Center view
The following table describes the key features of the Ops Center view.
Item
Name
Description
Widget
Manager
Click this button to alternately open and close the Widget
Manager. The Widget Manager includes two panes—the
Categories pane and the Widgets pane.
40
Ops Center features
Item
Name
Description
Filters pane: Widgets are organized by filter. You can use the Filters pane to view, add, and edit the master widgets that are associated with each filter, and to create dashboard widgets from each master widget.
The Name column lists each filter that has one or more master widgets. The Count column states how many master widgets are associated with each filter. You can also sort the columns of the Filters pane.
Add button: Opens the Widget Builder, so you can add a new master widget to the selected category.
Gear button: Opens the Widget Builder for the widget that is currently selected in the Widgets pane. The Widget Builder lets you edit the widget’s settings.
Widgets pane: The Widgets pane is used to view the master widgets that are associated with each filter. You can also use this pane to create dashboard widgets and to delete master widgets from the selected filter.
Add to Dashboard: This button adds a copy of the master widget that is currently shown in the Widgets pane to the dashboard.
Delete Widget: This button deletes the master widget that is currently shown in the Widgets pane. Deleting a master widget does not delete any of the dashboard widgets that came from that widget.
Widget scroll bar: Drag this scroll bar left and right to view each master widget in the selected category. You can also click any of the widgets shown in the preview pane to move that widget to the front.
Dashboard: The dashboard displays the widgets you have selected for monitoring your network.
Widgets: Each widget represents a high-level graphical view of specific network activity. Widgets are designed for easy interpretation and to provide important information at a glance. You can edit, refresh, resize, rearrange, and delete widgets, as required to meet your monitoring needs.
About widgets
Each widget represents a high-level graphical view of specific network activity. Widgets are designed
to present important high-level information at a glance. Most widgets are filter-driven—that is, a filter
is the data source for what you are graphing in the widget.
The topics in this section describe some general information about widgets, their uses, and their
behavior.
Master widgets and dashboard widgets
There are two kinds of widgets—master widgets and dashboard widgets.
• A master widget is a widget configured from a specific alert filter in such a way that it can act as a template for creating other widgets.
• When creating or editing a master widget, you can choose to save a copy of that widget’s current configuration to the Ops Center dashboard. This copy is called a dashboard widget.
Every dashboard widget comes from a master widget. Therefore, a dashboard widget is simply a saved copy of a particular master widget configuration.
Using master widgets as templates
Master widgets are important because you can use them to create new dashboard widgets that are
based on variations on the master widget’s basic configuration. By using a master widget as a
template, you can quickly create and save variations on the master widget, without having to create
them from scratch.
For example, you could place two different copies of the same master widget on your dashboard—
perhaps the first widget displays “events per day” and another displays “events per hour.” Both
widgets use the same logic, but differ in how they display the events.
Widget independence
Once created, each dashboard widget becomes independent of the master widget it came from:
• Editing or deleting a master widget does not affect any previous copies (dashboard widgets) that were created from that master.
• Editing or deleting a dashboard widget does not affect the master widget it came from.
Widget independence means you don’t have to worry about your dashboard widgets changing each
time you edit a master widget, and vice versa.
Widget storage
Widgets appear in two areas—the Ops Center and in the Monitor view’s Widgets pane:
• In the Ops Center, master widgets always reside in the Widget Manager’s Categories list. Dashboard widgets always reside on the dashboard. Dashboard widgets cannot be saved in the Widget Manager.
• In the Monitor view, each master widget appears in the Widgets pane for the filter that acts as its data source. Dashboard widgets do not appear in the Monitor view’s Widgets pane. For more information on using widgets in the Monitor view, see "Using a filter's Widgets pane" on page 102.
Using the Widget Manager
The topics in this section explain how to use the Widget Manager to create and manage your
widgets.
Opening and closing the Widget Manager
• At the top of the Ops Manager view, click Widget Manager to alternately open and close the Widget Manager.
The Widget Manager includes the Filters pane and the Widgets pane.
Creating new master widgets
In the Ops Center, you can use the Widget Manager to create a new master widget for any of your
filters. Widgets are created with a tool called the Widget Builder, which allows you to define the new
widget’s foundational and aesthetic settings. It also allows you to save a copy of the new widget to
the Ops Center dashboard.
To create a new master widget from the Ops Center:
1. Open the Ops Center view.
2. If needed, click Widget Manager to open the Filters and Widgets panes.
3. Click the Add button.
The Widget Builder appears.
4. Complete the Widget Builder. For details, see "Using the Widget Builder" on page 48.
5. Select the Save to Dashboard check box if you want to save a copy of the new widget to the
Ops Center dashboard.
6. When you are finished, click Save.
Upon saving the new widget, several things happen:
• In the Filters pane, the Count value of the associated filter increases by one to account for the new widget.
• The new widget appears in the Widgets pane for the associated filter.
• The next time you open the widget’s source filter in the Monitor view, the new widget will appear in the Widgets pane’s widget list.
• If you selected the Save to Dashboard option, a copy of the widget also appears in the Ops Center dashboard.
Editing master widgets
In the Ops Center, you can use the Widget Manager to edit any of the master widgets that are
associated with a filter. Typically, you will edit a master widget when you want to change a master
widget’s name, behavior, or appearance, or whenever you want to use the master widget as a
template to create a new dashboard widget based on the master widget’s current configuration.
Once saved, an updated master widget appears with its new configuration in the Ops Center’s
Widget Manager and in the Monitor view’s Widgets pane.
Once created, each dashboard widget operates independently of the master widget it was created
from. Therefore, editing a master widget does not affect any previous copies (dashboard widgets) that
were created from that master. This independence lets you use a master widget as a template for
creating variations of the same widget for the Ops Center dashboard.
To edit a master widget in the Ops Center:
1. Open the Ops Center view.
2. If needed, click Widget Manager to open the Filters and Widgets panes.
3. In the Filters pane, select the filter you want to work with.
The widgets associated with this filter appear in the Widgets pane.
4. Drag the pane’s scroll bar left or right to browse the filter's widgets.
5. When you find the widget you want to edit, click the Filters pane gear button.
The Widget Builder appears.
6. Use the Widget Builder to reconfigure the widget, as needed. For detailed instructions, see
"Using the Widget Builder" on page 48.
7. Select the Save to Dashboard check box if you want to save a copy of the reconfigured
master widget to the Ops Center dashboard.
8. Click Save to save your changes to the widget.
The master widget’s new configuration appears in the Widgets pane. If you selected the Save
to Dashboard option, a copy of the newly configured widget also appears in the Ops Center
dashboard.
Adding widgets to the dashboard
Use either of the following procedures to add a copy of a master widget to the Ops Center
dashboard. The original remains with its filter. Once a copy is on the dashboard, you may edit its
graphical presentation, as needed.
To add a widget from the Widgets pane to the dashboard:
1. Open the Ops Center view.
2. If needed, click Widget Manager to open the Filters and Widgets panes.
3. In the Filters pane, select the filter you want to work with.
The widgets associated with this filter appear in the Widgets pane.
4. To preview the widgets in the Widgets pane, do one of the following:
• Drag the pane’s scroll bar left or right to browse the filter's widgets.
• Click any widget to move it to the front of the pane.
5. When you find the widget you want to add to the dashboard, do either of the following:
• Click Add to Dashboard.
• Click anywhere on the widget. Drag it to the dashboard, and then drop it in the position you want.
To add a widget to the dashboard from the Widget Builder:
1. When creating or editing a master widget with the Widget Builder, configure the form so the
widget will appear the way you want it to on the dashboard.
2. Select the Save to Dashboard check box.
3. Click Save.
A copy of the widget appears at the bottom of the Ops Center dashboard.
Deleting master widgets
Widgets can only be deleted from the Ops Center, and master widgets can only be deleted from the
Widget Manager. Deleting a master widget does not delete any of the dashboard widgets that came
from that master.
To delete a master widget:
1. Open the Ops Center view.
2. If needed, click Widget Manager to open the Filters list and the Widgets pane.
3. In the Filters list, select the filter that contains the widget you want to delete.
4. In the Widgets pane, use the scroll bar to select the widget you want to delete.
5. Click Delete Widget.
6. At the confirmation prompt, click Yes.
Using the Widget Builder
This topic explains how to use the Widget Builder. You will use this form whenever you add a new
widget or edit the configuration of an existing widget.
The Widget Builder
The following table explains how to use each field on the Widget Builder.
Name: Type a name for the widget. This name will appear in the widget’s title bar.
Filter: Select the filter that is to be the widget's data source. If a filter name appears in italics, it means the filter is currently turned off.
When creating a widget from the Monitor view, this field defaults to the filter that is currently active. If you select a different filter, the widget will be associated with that filter, not the active filter.
When creating a widget from the Ops Center, this field defaults to the first option in the list.
Note: If you create a widget from a filter that is turned off, the widget will not display any chart information until the filter is turned back on.
Description: Type a brief description of the information this widget is reporting. You may use up to 80 characters.
Visual Configuration
Visualization Type: Select the type of chart or graph you want—Pie, Bar, Line, Table, etc. Select Table for those times when a table of values is a useful way to view the data. You can display a widget with any of these display types at any time. However, some display types may not make sense for some widgets, depending on the widget’s content.
Color / Color Palette: Select a color palette for the chart or graph.
X-Axis Label: If desired, type a label for the chart or graph’s horizontal axis.
Y-Axis Label: If desired, type a label for the chart or graph’s vertical axis.
Preview: The Preview section shows what the widget will look like, based on the options you have selected in the Visual Configuration section.
Data Configuration
Field: Select a data field you want reported from those that are available in the selected data source.
Show: Select how you want the frequency reported:
• Count: (default) This option counts each occurrence of the selected Field value. For example, if the Field you select is AlertID, you are counting the number of alerts. As a practical matter, no matter which field you select, you are counting alerts. But it is best to think of the widget as counting occurrences of the field.
• Distinct Count: This option does not count repeating Field values. Instead, it counts each time a distinctly different event occurs. For example, if you select a Field value like Alert Name or Detection IP, the widget will count each specific value only once.
When used in a single-dimension chart, the Distinct Count option reports all values as 1, so this option is best used with multidimensional charts.
Sort: Select how you want the Show data sorted:
• Descending (default) order is from highest to lowest (Z to A, or 0 to 1, etc.).
• Ascending order is from lowest to highest (A to Z, or 1 to 0, etc.).
Sorting only applies when your Versus value is something other than Time.
Versus: If you want a second dimension in the chart, select another data field from those that are available in the selected data source. This field’s sort order is ascending.
Split By: If you want a third dimension in the chart, select another data field from those that are available in the selected data source. This field’s sort order is ascending.
Limit: Most filters contain a data span that exceeds what is practical to chart. The Limit value limits the number of items that will be seen. Select a limit for the number of items that are to be charted. The default value is 5. For example, this can represent your Top 5 or Bottom 5, depending on how you sort the data.
Scope: Select a value for the scope. This is the timeframe reported by the chart or graph. The scope is always measured backward from the moment the chart is refreshed. For example, a scope of 30 minutes means “the last 30 minutes.”
The scope can be measured in Seconds, Minutes (default), Hours, or Days. For events that happen frequently, choose a narrow scope. For events that happen rarely, choose a large scope.
Resolution: Select the time value that defines the “tick marks” that are to be used on the chart’s horizontal X-axis. This field is required when Versus is a Time Field.
For example, if you are looking at 30 minutes of data, a Resolution of 5 Minutes means the bars or line chart data points are drawn in 5 minute increments. In charts with wider scope, the resolution could be hours or even days.
This option is disabled for widgets that are not reporting time-based data.
Refresh: Select the rate at which you want the widget to refresh its visual display. This is necessary because the Console is monitoring real-time data. Therefore, you need to periodically refresh the chart.
Save and cancel
Save to Dashboard: Select this option to save the new or updated widget to the bottom of the Ops Center dashboard.
Save: Click Save to save the new or revised master widget. Upon saving, the new widget configuration immediately appears in the Ops Center Widget Manager and in the Monitor view's Widget pane.
Cancel: Click Cancel to cancel your changes and close the Widget Builder.
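The Data Configuration fields above define how a widget turns a filter's alerts into chart items. As an added example, not code from TriGeo or the Console, the following Python model applies Field, Show, Versus, Sort, Limit, Scope and Resolution to a few constructed alerts; it assumes the alert fields AlertID, AlertName, DetectionIP and DetectionTime, reads Sort and Limit as picking the Top or Bottom N items before a non-time Versus axis is laid out ascending, and leaves Split By out.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not real log data); the field names follow the
# guide's Field/Versus choices (AlertID, AlertName, DetectionIP, DetectionTime).
NOW = datetime(2010, 6, 1, 12, 0, 0)  # the moment the widget is refreshed
SCOPE_30_MIN = timedelta(minutes=30)  # Scope and Resolution values used below
RESOLUTION_5_MIN = timedelta(minutes=5)


def _alert(alert_id, name, ip, minutes_ago):
    return {"AlertID": alert_id, "AlertName": name, "DetectionIP": ip,
            "DetectionTime": NOW - timedelta(minutes=minutes_ago)}


ALERTS = [
    _alert(1, "UserLogon", "10.0.0.5", 1),
    _alert(2, "UserLogon", "10.0.0.5", 3),
    _alert(3, "UserLogon", "10.0.0.7", 7),
    _alert(4, "FileAuditFailure", "10.0.0.5", 12),
    _alert(5, "ProcessStart", "10.0.0.9", 21),
    _alert(6, "FileAuditFailure", "10.0.0.7", 26),
    _alert(7, "UserLogon", "10.0.0.5", 45),  # older than a 30-minute scope
]


def _measure(values, show):
    """Show=Count counts every occurrence; Distinct Count counts each value once."""
    if show == "Count":
        return len(values)
    if show == "Distinct Count":
        return len(set(values))
    raise ValueError(f"unknown Show option: {show!r}")


def _floor_to_tick(when, resolution):
    """Snap a timestamp to the start of its Resolution tick on the X-axis."""
    return when - (when - datetime.min) % resolution


def widget_series(alerts, field, show="Count", versus=None, resolution=None,
                  limit=5, descending=True, now=NOW, scope=SCOPE_30_MIN):
    """Return the (x, y) items the widget would chart, as a list of tuples."""
    # Scope: only alerts from the last `scope`, measured backward from `now`.
    window = [a for a in alerts if now - scope <= a["DetectionTime"] <= now]
    buckets = defaultdict(list)

    if versus == "DetectionTime":
        # Time on the X-axis: Resolution is required, Sort and Limit do not
        # apply, and every tick inside the scope is drawn even when empty.
        if resolution is None:
            raise ValueError("Resolution is required when Versus is a time field")
        tick = _floor_to_tick(now - scope, resolution)
        while tick <= now:
            buckets.setdefault(tick, [])
            tick += resolution
        for a in window:
            buckets[_floor_to_tick(a["DetectionTime"], resolution)].append(a[field])
        return [(t, _measure(v, show)) for t, v in sorted(buckets.items())]

    # One dimension: one item per distinct Field value (so Distinct Count is
    # always 1). Two dimensions: one item per Versus value, measuring the
    # Field values that fall under it.
    for a in window:
        buckets[a[field] if versus is None else a[versus]].append(a[field])
    items = sorted((k, _measure(v, show)) for k, v in buckets.items())
    # Sort (stable, so ties keep ascending key order) and Limit pick the
    # Top N or Bottom N items ...
    items.sort(key=lambda kv: kv[1], reverse=descending)
    items = items[:limit]
    # ... and a non-time Versus axis is then laid out in ascending order.
    return sorted(items) if versus else items


if __name__ == "__main__":
    print(widget_series(ALERTS, "AlertName"))
    print(widget_series(ALERTS, "DetectionIP", show="Distinct Count", versus="AlertName"))
    for tick, n in widget_series(ALERTS, "AlertID", versus="DetectionTime",
                                 resolution=RESOLUTION_5_MIN):
        print(tick.strftime("%H:%M"), n)
```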
Working with widgets in the Ops Center dashboard
The topics in this section explain the key features of widgets, as well as how to work with and manage widgets in the Ops Center dashboard.
Turning on a widget that has been turned off
If a widget states "Filter is Turned Off," you can turn the widget on again by turning its filter back on.
See "Turning filters on and off" on page 93.
Widget toolbar
The following table describes the function of each button on a widget toolbar. All of these buttons are
on the widget toolbar, except for the “legend” button, which appears in the lower-left corner of the
widget.
Gear button: Opens the widget in the Widget Builder, so you can edit its settings.
Edit button: “Flips” the widget, so you can configure its presentation format.
Refresh button: Refreshes the widget’s data.
Maximize button: Expands (maximizes) the widget to fill the desktop.
Minimize button: Restores the widget from its maximized size to its default size.
Delete button: This button has two functions:
• In normal dashboard mode, this button deletes the widget from the dashboard.
• When you are editing a “flipped” widget, this button closes the widget’s edit mode, and returns it to its normal desktop view.
Legend button: Opens the widget’s legend.
Viewing a widget’s legend
Each widget bar chart, graph, and pie chart has a legend that explains what each bar, line, or wedge in
the chart represents.
To view a widget’s legend:
• Click the widget’s legend button.
The chart legend appears, as shown here.
To close a widget’s legend:
• Click the legend’s “close” button.
Viewing specific widget data
Widget graphs and charts display basic high-level information. However, each widget includes
ToolTips that show specific data about each bar, line, or wedge in the chart. Typically, this
information is the reported alert, Alert Group, or alert field, and its number of occurrences.
To view specific chart data:
• Point to the specific bar, line, or wedge you want to know about.
A ToolTip appears, showing specific data about the item you are pointing to.
Refreshing a widget’s data
Widgets automatically refresh themselves according to the Refresh rate that was set when the
widget was created. If a widget has a slow refresh rate, you can refresh it whenever you want.
Refreshing a widget immediately updates it to show the most current real-time data from your
network traffic.
To refresh a widget:
• On the widget toolbar, click the refresh button.
The widget refreshes to show the latest data from your network.
Opening a filter from a widget
Widgets act as shortcuts to the alert filters that are their data sources. This means you can open the
source filter directly from a widget. You do this by clicking the specific line, bar, or pie wedge of the
chart that interests you. The corresponding filter then opens in the Monitor view. The filter lists only
the events that correspond with the chart item you selected.
To open a filter from a dashboard widget:
1. Open the Ops Center view.
2. In the dashboard, locate the widget you want to work with.
3. On the widget, click the specific line, bar, or pie wedge that interests you.
The Monitor view appears, with the alert grid showing the filter that is the widget’s data
source. Note that the alert grid lists only those events that correspond to the line, bar, or pie
wedge that you clicked. Also note that the filter is paused. Click Resume on the alert grid
toolbar to begin running the filter again.
Note: It is possible for you to select an item in the widget that is no longer shown in the Monitor's
alert grid. That is, the filter may actually show fewer events than appear in the widget. This can
happen if the widget's scope is broader than the filter's scope. In this case, the filter may no longer
have some of the data shown by the widget, because the filter has had to make room for new data.
Remember, the widget's scope can be different than the filter's scope. The widget tracks statistics
about alerts that occurred over time (and perhaps a very large timeframe). The filter tracks only a
certain quantity of events for a timeframe that may be much smaller than the widget's scope.
To think about it another way: the Console filters are aware of 10,000 alerts at a time. With every
refresh interval, a widget looks at those 10,000 alerts to draw a line, bar, or wedge that matches the
right count for that time. Those 10,000 alerts are also displayed in the corresponding filter. But once
the Console reaches 10,000 alerts, the widget doesn't "erase" any data points it has already drawn,
whereas the filter has to remove the oldest alerts from the grid to make room for new data.
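To make the 10,000-alert explanation concrete, here is an added example (not the Console's code) that models the filter grid as a bounded queue and a time-based widget that keeps every bar it has drawn; the capacity of 10 and the alert counts are constructed so the overflow is visible at a glance.

```python
from collections import Counter, deque


class FilterGrid:
    """Model of a filter's alert grid in the Monitor view: it holds a bounded
    number of alerts (10,000 in the Console; a small constructed capacity is
    used below) and drops the oldest alert to make room for each new one."""

    def __init__(self, capacity):
        self.alerts = deque(maxlen=capacity)  # maxlen evicts from the left

    def ingest(self, alert):
        self.alerts.append(alert)

    def count_for(self, tick):
        """Rows the grid would list if you clicked the widget's bar for `tick`."""
        return sum(1 for a in self.alerts if a["tick"] == tick)


class TimeWidget:
    """Model of a Versus=Time widget: every refresh recounts the grid per tick,
    but a bar that has already been drawn is never erased or shrunk when the
    grid evicts the alerts behind it."""

    def __init__(self, grid):
        self.grid = grid
        self.points = {}  # tick -> bar height

    def refresh(self):
        current = Counter(a["tick"] for a in self.grid.alerts)
        for tick, n in current.items():
            self.points[tick] = max(self.points.get(tick, 0), n)

    def count_for(self, tick):
        return self.points.get(tick, 0)


def simulate(capacity, ticks, alerts_per_tick):
    """Feed `alerts_per_tick` constructed alerts for each of `ticks` refresh
    intervals, refreshing the widget at the end of each one."""
    grid = FilterGrid(capacity)
    widget = TimeWidget(grid)
    alert_id = 0
    for tick in range(ticks):
        for _ in range(alerts_per_tick):
            alert_id += 1
            grid.ingest({"AlertID": alert_id, "tick": tick})
        widget.refresh()
    return widget, grid


def discrepancy(widget, grid):
    """Ticks where the widget shows more events than the filter can still list,
    as {tick: (widget count, grid count)}."""
    return {t: (widget.count_for(t), grid.count_for(t))
            for t in sorted(widget.points)
            if widget.count_for(t) > grid.count_for(t)}


if __name__ == "__main__":
    w, g = simulate(capacity=10, ticks=5, alerts_per_tick=4)
    print(discrepancy(w, g))  # {0: (4, 0), 1: (4, 0), 2: (4, 2)}
```

Clicking the bar for tick 0 would open a filter that lists no matching rows, exactly the situation the note above describes.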
Editing a dashboard widget
In the Ops Center dashboard, you can edit any dashboard widget. Editing a dashboard widget does
not affect the master widget it came from, or any other widget. You are editing only that particular
widget.
When editing a dashboard widget, the Save to Dashboard option is disabled, because dashboard
widgets can only be created from a master widget.
To edit a dashboard widget:
1. In the Ops Center dashboard, locate the widget you want to work with.
2. Click the gear button on the widget toolbar.
The Widget Builder appears.
3. Make the necessary changes to the Widget Builder, as described in "Using the Widget
Builder" on page 48.
4. When you are finished, click Save.
The widget appears in the dashboard with its new configuration.
Editing a widget’s chart presentation
On the back of each widget there is a form that lets you change how the data is presented on the
widget. However, your options are limited to the type of widget you are working with and the type of
data it is reporting. For example, widgets that only report data in one dimension may be limited to a pie
chart, while information in two dimensions can be reported in a bar chart or a line chart.
To edit a widget’s presentation from the dashboard:
1. In the Ops Center dashboard, locate the widget you want to work with.
2. Click the edit button on the widget toolbar.
The widget flips over to display its configuration options, as shown here.
3. Configure the widget, according to its configuration options. These options are a sub-set of the fields on the Widget Builder. For complete information on each of these fields, see "Using the Widget Builder" on page 48.
Rearranging widgets on the dashboard
Use the following procedure to rearrange the widgets on the dashboard so they appear in the order
you want.
To arrange widgets on the dashboard:
1. Open the Ops Center view.
2. If needed, click Widget Manager to close the Categories and Widgets panes. This provides
the most space for arranging your widgets.
3. In the dashboard, drag a widget’s title bar to move that widget into a new position on the
dashboard.
As you move the widget around the dashboard, the other widgets rearrange themselves and
make room for your widget. Upon releasing the mouse button, the widget snaps into place.
Resizing a widget
You can view widgets in “full-screen” mode or in their normal size. You can also change the size of a
widget to make it taller or wider. However, the widget’s different sizes must conform to the
dashboard’s standard geometry.
To resize a widget:
• In the Ops Center dashboard, drag the lower-right corner of the widget in any direction.
As you resize the widget, the surrounding widgets rearrange themselves to make room for the larger one. Upon releasing the mouse button, the widget snaps to the closest size allowed by the desktop’s geometry.
To show a widget in full-screen mode:
• In the Ops Center dashboard, click the Maximize button on the widget’s toolbar.
The widget takes up the entire dashboard.
To restore a widget to its normal size:
• In the Ops Center dashboard, click the Minimize button on the widget’s toolbar.
The widget returns to its normal size.
Deleting dashboard widgets
Widgets can only be deleted from the Ops Center. You can delete dashboard widgets directly from
the dashboard.
To delete a widget from the dashboard:
1. Open the Ops Center view.
2. In the dashboard, locate the widget you want to delete.
3. Click the delete button on the widget toolbar.
4. At the confirmation prompt, click Yes.
The widget is deleted from the dashboard.
Note: If needed, you can readily recreate the dashboard widget, so long as you do not delete
the master widget it came from.
Table of standard widgets
The following table briefly describes the widgets that ship with the TriGeo SIM Console.
All Alerts: Displays all alerts from all filters.
Alerts by Alert Type: Displays a count of the top 10 alerts by alert type (alert name).
Alerts by Tool Name: Displays the number of alerts being captured by each configured tool, over time.
Alerts per Minute: Displays the total count of alerts per minute for the last 15 minutes.
Change Management: Displays alerts related to changes occurring on the network.
Change Management Alerts by Agent: Displays the top 10 Agents generating change management alerts.
Change Management Alerts by Type: Displays the top 10 change management alerts by alert type.
Failed Logons: Displays all user account failed logon attempts.
Failed Logons by User Account: Displays the top 5 Failed Logons by User Account name.
File Audit Failures: Displays FileAuditFailure alerts, which show failed attempts to access audited files.
File Audit Failures by File Name: Displays the top 10 file names generating file audit failures.
File Audit Failures by Source Account: Displays the top 10 source accounts generating file audit failures.
Firewall: Displays all alerts from firewall devices.
Firewall Alerts by Firewall: Displays the top 5 firewalls generating firewall alerts.
Firewall Alerts by Type: Displays the top 5 firewall alerts by alert type.
Incidents: Displays all Incident alerts.
Incidents by Rule Name: Displays the top 5 incidents by the name of the rule that generated the Incident.
Interactive Logons by User Account: Displays the top 10 user logons by user account name.
My Rules Fired by Rule Name: Displays the top 5 subscribed alerts by the name of the rule that generated them.
Network Alerts: Displays all Network alerts.
Network Alerts by Source Machine: Displays the top 10 machines generating network alerts.
Network Alert Trends: Displays the top 10 network-related alerts by alert type.
Rule Activity: Shows all of the TriGeo rules that have fired.
Rules Fired by Rule Name: Displays the top 5 rules fired by rule name.
Security Processes: Displays process launches and exits from processes in the "Security Processes" User-Defined Group, which is used to monitor critical security-related processes.
Security Processes by Agent: Displays the top 10 Agents generating security process alerts.
Subscriptions: Displays alerts created by rules you are "Subscribed" to in the Rules area.
TriGeo Alerts: Displays all Internal alerts (alerts generated during operation of the TriGeo SIM).
TriGeo Alerts by Alert Type: Displays the top 10 TriGeo Alerts by alert type.
Unusual Network Traffic: Displays alerts that indicate unusual or suspicious network traffic.
Unusual Network Traffic by Destination: Displays the top 5 destinations for unusual network traffic.
Unusual Network Traffic by Source: Displays the top 10 sources of unusual network traffic.
USB-Defender: Displays all USB-Defender events.
USB-Defender Activity by Detection IP: Displays the top 5 Agents with the most USB-Defender alerts.
USB File Auditing: Displays USB-Defender's File Auditing events.
USB File Auditing by Detection IP: Displays the top 5 Agents with the most USB file auditing alerts.
User Logons: Displays all user account logons.
User Logons by Agent: Displays the top 5 Agents reporting user logons.
User Logons by Source Machine: Displays the top 5 user logons by source machine.
User Logons by User Account: Displays the top 10 user logons by user account name.
User Logons (Interactive): Displays interactive user account logons.
Virus Attacks: Displays all virus attack alerts.
Virus Attacks by Source Machine: Displays the top 5 sources of virus attacks or infections.
Chapter 5: Working with alerts and alert filters
About the Monitor view
The Monitor view is the heart of the TriGeo Console. As the name implies, it is used for monitoring
your network activity. In Monitor, you will create filters and widgets that group and display different
alerts that come from your Agents, Managers, and network devices.
Alerts
Alerts are messages created from Agent, Manager, and network device log entries. These log entries
are processed (or normalized) to extract information and display the data in a common column/field-based
format, rather than the often convoluted format you see in the source data. These normalized
alerts are sent from the Agent to the Manager for processing. At the Manager, the alerts are
processed against your Rules, sent to your TriGeo Database for archiving, and sent to the TriGeo
Console for monitoring.
Filters
On a busy network, there can be millions of alerts each day. Therefore, the Console uses alert filters
to manage alerts. A filter is a subset of your alerts that focuses on a particular type or group of alerts
and hides all others. When configuring a filter, you can examine and use individual alert properties to
determine precisely which alerts are to appear in that filter.
Filters apply at the Console level. This means they apply to all data sent from every Manager
monitored by the Console. Filters also display alerts in real time.
You can turn filters on and off, pause filters to sort or investigate their alerts, perform actions to
respond to alerts, and configure filters to notify you when they capture a particular alert. Filters can
also display widgets, which are charts and graphs that visually represent the alert data. Widgets are
described in more detail below.
The TriGeo SIM ships with many commonly used filters that support best practices in the security
industry. However, you can create your own custom filters, or modify existing filters to meet your
needs. There is no limit to the number of filters a Console can contain.
The Filters pane and filter groups
Filters are managed in the Filters pane. The Filters pane stores all of the
filters that can be applied to the Console’s alert grid.
Filters are organized into filter groups. A filter group is simply a high-level
category for storing filters that logically fit into that category. Each title
bar in the Monitor view’s Filters pane represents a different filter group.
Each item listed in a filter group is a different alert filter.
Clicking a filter in the Filters pane causes the alert grid to show a filtered
view of the alert stream coming into the Console. The grid displays only
those alerts that are allowed by the filter—it hides all of the other alerts.
Because filters list only those events that meet their specific
requirements, they are a handy way to organize and quickly sift through
large quantities of alerts.
Filter attributes
The number next to each filter shows the total number of alerts that are
currently associated with that filter. Positioning your pointer over a filter
displays a ToolTip that briefly describes the purpose of each filter, when
such a description is available. Any filters that appear in italics are
currently turned off.
Filters pane uses
You can use the Filters pane to do any of the following tasks:
• Create your own custom filters and reconfigure existing filters to meet your needs.
• Create filter groups for storing and organizing your filters.
• Turn filters on and off, and pause them to stop the flow of alert traffic.
• Move filters from one filter group to another.
• Copy filters.
• Rename filters and filter groups.
• Import and export filters.
• Delete obsolete filters and filter groups.
Applying a filter to the alert grid
• To apply a filter to the alert grid, simply click one of the filters listed in the Filters pane.
As a response, the alert grid immediately refreshes. Its title bar shows the name of the filter, and the alert grid displays only those alert messages that are allowed by the filter—it hides or “filters out” all other alert messages.
Standard TriGeo SIM filters
The TriGeo SIM ships with some commonly used filters that support best practices in the security
industry. Each of these filters is described in the following table. They are listed alphabetically for
easy reference. The Default status column indicates if the filter is On (visible) or Off (hidden) by
default.
To add your own custom filters, see "Creating custom alert filters" on page 109. To change an
existing filter, see "Editing an existing filter" on page 89.
Note: If you are installing an upgrade, the TriGeo SIM automatically converts your existing filters into
the new graphical format described in "Editing an existing filter" on page 89.
Filter (default status)
    Description

Admin Account Authentication (Off)
    Displays alerts for authentication to administrative-level accounts.
All Alerts (On)
    Displays all alerts from all sources.
Change Management (On)
    Displays alerts for changes made to users, groups, and devices.
Denied ACL Traffic (Off)
    Displays alerts for network traffic that has been administratively denied.
Domain Controllers (all) (Off)
    Displays all alerts from domain controller devices.
Failed Logons (On)
    Displays failed logon attempts.
File Audit Failures (Off)
    Displays FileAuditFailure alerts, which show failed attempts to access audited files.
Firewall (On)
    Displays all alerts from firewall devices.
FTP Traffic (On)
    Displays TCP traffic to and from ports 20 and 21, indicating file transfer activity on the network.
IDS (On)
    Displays all alerts from network intrusion detection devices.
Incidents (On)
    Displays all Incident Alerts.
Network Alerts (On)
    Displays all alerts in the NetworkAudit category of the alert tree.
Proxy Bypassers (Off)
    Displays WebTrafficAudit alerts that are not from a proxy server. This can indicate an internal
    machine attempting to access the Web directly, rather than by using the proxy server.
Rule Activity (On)
    Displays InternalRuleFired and InternalTestRule alerts, which indicate that TriGeo Rules have
    been triggered.
Security Alerts (On)
    Displays all alerts in the SecurityAlert category of the alert tree.
Security Processes (On)
    Displays ProcessStart and ProcessStop alerts related to critical security processes running on
    machines. These processes include anti-virus, anti-spyware, and firewall processes.
SMTP Traffic (On)
    Displays TCP traffic to and from port 25. It can also identify potentially infected hosts.
SNMP Traffic (On)
    Displays network traffic to and from port 161. This filter can be used to discover network scan
    attempts and normal network monitoring tools.
Subscriptions (On)
    Displays alerts from user rule subscriptions.
TriGeo Alerts (On)
    Displays all alerts in the InternalAlert category of the alert tree.
Unusual Network Traffic (On)
    Displays alerts in the NetworkSuspicious branch of the alert tree, which indicate that potentially
    suspicious or unusual network activity may be occurring.
USB File Auditing (On)
    Displays file-related alerts from Agents with USB-Defender installed.
USB-Defender (On)
    Displays alerts from TriGeo's USB-Defender technology that are related to insertion and removal
    of USB devices.
User Logon (interactive) (On)
    Displays UserLogon alerts where the logon type indicates a user physically logging on at a
    machine, or interactively logging on to a remote desktop.
User Logons (On)
    Displays all UserLogon alerts from all sources, indicating varying types of user authentication
    and access.
Virus Attacks (Off)
    Displays all VirusAttack alerts. VirusAttack alerts are created when virus scanners detect
    potentially malicious virus activity.
Web Traffic for Source Machine (Off)
    Displays WebTrafficAudit alerts that match a specific source machine. This filter can be used to
    track a single machine’s web activity to discover potentially abusive activity.
Web Traffic – Spyware (Off)
    Displays WebTrafficAudit activity to and from URLs that are indicated by the Spyware Sites
    User-Defined Group to be potentially malicious websites.
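To make the filter conditions in the table above concrete, here is an added example (not TriGeo's code and not part of this manual) that models several of the standard filters as predicates over alert records and applies one to a constructed alert stream the way the alert grid does: newest alerts first, capped at the filter's Lines Displayed value. The Alert field names, the proxy host list, the logon-type values and the alert type names not found in the table are assumptions made for illustration.

```python
# Added example (not part of the TriGeo SIM manual or product): models several of
# the standard filters from the table above as predicates over alert records,
# then applies one to a constructed alert stream the way the alert grid does
# (newest first, capped at the filter's Lines Displayed value, default 1000, max 2000).
# Field names on Alert, PROXY_SERVERS and the logon-type values are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Alert:
    alert_type: str                 # leaf of the alert tree, e.g. "WebTrafficAudit"
    tree_path: Tuple[str, ...]      # categories above the leaf, e.g. ("NetworkAudit",)
    severity: int                   # 0 (Debug) .. 7 (Critical), as in the severity table
    protocol: str = ""              # "TCP", "UDP", ... for traffic alerts
    src_port: int = 0
    dst_port: int = 0
    fields: Dict[str, str] = field(default_factory=dict)  # e.g. SourceMachine, LogonType


SEVERITY_NAMES = {0: "Debug", 1: "System Error", 2: "Informational", 3: "Normal Audit",
                  4: "Normal Notice", 5: "Suspicious", 6: "Threatening", 7: "Critical"}

Predicate = Callable[[Alert], bool]


def port_traffic(*ports: int, tcp_only: bool = True) -> Predicate:
    """Traffic to or from any of the given ports (FTP, SMTP and SNMP filters)."""
    def pred(a: Alert) -> bool:
        if tcp_only and a.protocol != "TCP":
            return False
        return a.src_port in ports or a.dst_port in ports
    return pred


def in_branch(branch: str) -> Predicate:
    """Any alert under one category of the alert tree (Network Alerts, Unusual Network Traffic)."""
    return lambda a: branch in a.tree_path


def of_type(*types: str) -> Predicate:
    """Alerts whose leaf type is one of the named types (Virus Attacks, Rule Activity)."""
    return lambda a: a.alert_type in types


# Assumed: proxy servers are known by machine name; a WebTrafficAudit alert whose
# SourceMachine is not a proxy is a machine reaching the Web directly.
PROXY_SERVERS = {"proxy01"}


def proxy_bypassers(a: Alert) -> bool:
    return a.alert_type == "WebTrafficAudit" and a.fields.get("SourceMachine") not in PROXY_SERVERS


# Assumed logon-type values; the manual only says "physically ... or remote desktop".
INTERACTIVE_LOGON_TYPES = {"Interactive", "RemoteInteractive"}


def interactive_logon(a: Alert) -> bool:
    return a.alert_type == "UserLogon" and a.fields.get("LogonType") in INTERACTIVE_LOGON_TYPES


STANDARD_FILTERS: Dict[str, Predicate] = {
    "FTP Traffic": port_traffic(20, 21),
    "SMTP Traffic": port_traffic(25),
    "SNMP Traffic": port_traffic(161, tcp_only=False),   # "network traffic", not TCP only
    "Network Alerts": in_branch("NetworkAudit"),
    "Unusual Network Traffic": in_branch("NetworkSuspicious"),
    "Virus Attacks": of_type("VirusAttack"),
    "Rule Activity": of_type("InternalRuleFired", "InternalTestRule"),
    "File Audit Failures": of_type("FileAuditFailure"),
    "Proxy Bypassers": proxy_bypassers,
    "User Logon (interactive)": interactive_logon,
}


def apply_filter(name: str, stream: List[Alert], lines_displayed: int = 1000) -> List[Alert]:
    """Return what the grid would show: matching alerts, newest first, capped at Lines Displayed."""
    if not 1 <= lines_displayed <= 2000:
        raise ValueError("Lines Displayed must be between 1 and 2000")
    pred = STANDARD_FILTERS[name]
    kept = [a for a in stream if pred(a)]
    return list(reversed(kept))[:lines_displayed]


# Constructed sample stream, oldest first. Type names and tree placements not in the
# filter table (TCPTrafficAudit, UDPTrafficAudit, PortScan, SecurityAudit) are made up.
SAMPLE_STREAM = [
    Alert("TCPTrafficAudit", ("NetworkAudit",), 3, "TCP", 51000, 21),
    Alert("WebTrafficAudit", ("NetworkAudit",), 3, "TCP", 51001, 80, {"SourceMachine": "proxy01"}),
    Alert("WebTrafficAudit", ("NetworkAudit",), 4, "TCP", 51002, 80, {"SourceMachine": "ws-17"}),
    Alert("UDPTrafficAudit", ("NetworkAudit",), 3, "UDP", 51003, 161),
    Alert("PortScan", ("NetworkSuspicious",), 5, "TCP", 51004, 445),
    Alert("VirusAttack", ("SecurityAlert",), 6),
    Alert("UserLogon", ("SecurityAudit",), 4, fields={"LogonType": "Network"}),
    Alert("UserLogon", ("SecurityAudit",), 4, fields={"LogonType": "RemoteInteractive"}),
    Alert("InternalRuleFired", ("InternalAlert",), 2),
]

if __name__ == "__main__":
    for name in STANDARD_FILTERS:
        hits = apply_filter(name, SAMPLE_STREAM)
        print(f"{name:25} {len(hits)} alert(s)",
              [f"{a.alert_type}/{SEVERITY_NAMES[a.severity]}" for a in hits])
```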
Monitor view features
The Monitor view
The following table describes the key features of the Monitor view.
Name
    Description

Filters button
    Click the Filters button to alternately show and hide the Filters pane.
Filters pane
    The Filters pane stores all of the filters that you can apply to the Console’s alert messages.
    • Click a filter name to apply that filter to the alert grid. The alert grid refreshes to show
      only the incoming alerts allowed by the filter’s conditions.
    • Use the plus button to create your own custom filters and filter groups.
    • Use the pane’s gear button to edit, pause, resume, turn on, turn off, import, export, or
      delete filters.
Alert grid
    TriGeo Agents monitor each configured data source on your network. The Agents then send
    alerts to your Managers. The Console's alert grid displays every alert that is logged to each
    Manager the Console is connected to.
    The grid’s title bar displays the name of the filter that is currently applied. By default,
    incoming alerts always appear at the top of the grid. This allows the Console to always show
    the most recent alert activity first.
Respond menu
    Use this menu to actively respond to a particular alert message. For example, you can choose
    to block an IP address, or restart or shut down the machine that is the source of the alert
    activity. For more information, see "Responding to alert messages" on page 83.
Explore menu
    Use this menu to explore a particular alert message or one of its specific data elements with
    a TriGeo explorer. The menu is context-sensitive. The contents of the selected cell (called a
    string) determines which explorers you may choose from. For more information, see "Exploring
    alerts" on page 78.
Pause/Resume
    This button toggles to pause or resume the alert traffic that is currently being reported by
    the filter.
Highlight button
    This button lets you “highlight” rows in the alert grid with a particular color. Highlighting
    can serve as a helpful visual reference point for marking and locating specific alerts in the
    grid. For more information, see "Highlighting alerts" on page 74.
Gear button
    The gear button at the top of the grid opens commands that you can perform on multiple
    selections in the grid, and commands that do not require a grid selection. You can use these
    commands to mark messages as read or unread, to remove messages, or to copy alert information.
Sort (▼ ▲)
    When a filter is paused, you can click the column headers to sort the grid in ascending (▲) or
    descending (▼) order by each of its columns. For more information, see "Sorting a grid by its
    columns" on page 34.
Filter Notifications pane
    The Filter Notifications pane summarizes the alert activity from each of your active
    notification filters—these are filters that use blink, popup, or sound notifications. Click a
    filter name in this tab to view the alerts associated with that filter. This pane behaves
    exactly like the status bar's Notifications tab.
Widgets pane
    This pane displays the widgets associated with the filter that is currently applied to the
    alert grid. Widgets automatically refresh themselves to reflect changes in alert grid filtering.
    You can use this pane to view the different widgets associated with the filter, change a
    widget’s visualization type (bar chart, pie chart, line graph, etc.), create a new widget, edit
    an existing widget, or save a widget to the Ops Center dashboard.
Alert Details/Alert Description
    Alert Details and Alert Description are two views of the same pane. This pane displays
    detailed information about the last alert to be selected in the grid.
    • The Alert Details view displays specific technical details about the alert. You can also use
      this view to create a filter based on the selected alert, or to scroll through the contents
      of the alert grid.
    • The Alert Description view displays a written description of the alert that is currently
      selected.
    For more information, see "Using the Alert Details/Alert Description pane" on page 80.
Notifications
    The Notifications tab summarizes the alert activity from each of your active notification
    filters—these are filters that use blink, popup, or sound notifications. Click a filter name in
    this tab to view the alerts associated with that filter. For more information, see
    "Notifications tab" on page 23.
Using the alert grid
This section explains how to use the alert grid, which you can use to perform any of the following
tasks:
• Applying a filter to the alert grid
• Pausing and resuming alert traffic
• Sorting the alert grid
• Highlighting alerts
• Copying alerts to your clipboard
• Marking alerts as unread and read
• Exploring alerts with TriGeo explorers
• Responding to alerts to take preventive or corrective action
• Removing alerts from the grid.
Applying a filter to the alert grid
In the Monitor view, each item listed in the Filters pane represents a different alert filter. You can
filter the alerts coming into the Console by selecting any of these items.
To apply a filter:
1. Open the Monitor view.
2. In the Filters pane, click the title bar of the filter group you want to work with.
The filter group opens to list the filters that are available for that group.
3. Select the filter you want to apply to the alert grid.
The alert grid title bar displays the name of the filter you have selected, and the grid refreshes
to display only those alerts that meet the special conditions of that filter.
Note: Alert filters are saved on the workstation that is running the TriGeo Console. If you
move to another workstation, the filters will not follow. However, you can export the filters
from one workstation and import them into another workstation. For more information, see
"Exporting a filter" on page 96 and "Importing a filter" on page 95.
Pausing and resuming a filter's alert traffic
Filters capture and report alerts in real time. This causes alerts to "stream" in the alert grid, which can
make them difficult to work with. Therefore, you can pause the flow of incoming alert traffic, which
allows you to more easily examine your alerts. Once paused, the incoming alert traffic stops, so you
can work with the grid to sort, highlight, read, copy, and explore individual alerts, as needed.
To pause a filter's incoming alert traffic:
1. Open the Monitor view.
2. In the Filters pane, click to select the filter you want to work with.
3. On the alert grid toolbar, click Pause.
The Console stops the flow of incoming alert traffic.
To resume the filter's incoming alert traffic:
• On the alert grid toolbar, click Resume.
The Console resumes the filter's flow of incoming alert traffic.
Sorting the alert grid
You can sort the alert grid by any of its columns by clicking its column headers. Doing so also
changes how the graph is sorted. However, you must pause the alert grid before you can sort it.
Pausing the grid temporarily stops the incoming flow of alert traffic.
For example, if you click the Alert Name column header, the grid becomes sorted by alert names in
ascending order. If you click the column header again, it sorts the grid by that column in descending
order.
To sort the alert grid:
1. On the alert grid toolbar, click Pause.
2. Sort the grid as you normally would. You can also sort the grid by more than one column. For
more information, see "Sorting a grid by its columns" on page 34.
3. When you are finished working with the sorted grid, click Resume to continue receiving the
filter’s unsorted alert traffic.
Highlighting alerts
In the Monitor view’s alert grid, you can highlight alerts to call attention to them or mark them for
future reference. This allows the alerts to really stand out as you scroll through the contents of the
grid. You can highlight multiple alerts at the same time. You can also choose the color you want for
each set of alerts you are highlighting.
To highlight alerts:
1. Open the Monitor view.
2. In the Filters pane, click to select the filter you want to work with.
The alert grid displays the filter you have selected.
3. On the alert grid toolbar, click Pause to temporarily stop any incoming alerts.
Note: It is not required to pause a filter to highlight its alerts; however, it is convenient.
Pausing temporarily stops the flow of alert traffic (freezing any alert movement in the grid) so
you can easily select each item.
4. In the alert grid, click to select the alerts you want highlighted. To learn how to select multiple
alerts, see "Selecting items in a grid" on page 31.
5. On the alert grid toolbar, click the ▼ arrow next to the “highlight” button.
6. Use the color picker to select the highlight color you want. You can also type the hexadecimal
value of any color in the Web-safe color palette.
In the grid, the selected alerts become highlighted in the color you chose.
7. Click Resume to continue the flow of incoming alert traffic.
To highlight more alerts with the same color:
1. In the alert grid, click to select the alerts you want highlighted.
2. Click the "marker" part of the alert grid’s “highlight” button.
The selected alerts become highlighted with the marker color.
To turn an alert’s highlighting off:
1. (Optional) On the alert grid toolbar, click Pause to temporarily stop any incoming alerts.
2. In the alert grid, select the alerts for which you want to remove highlighting. To learn how to
select multiple alerts, see "Selecting items in a grid" on page 31.
3. On the alert grid toolbar, click the ▼ arrow next to the “highlight” button. Then click the
No Color button.
The highlighting is removed from the alerts.
4. Click Resume to continue the flow of incoming alert traffic.
Copying alert data to your clipboard
When needed, you can copy alert data from the Monitor view's alert grid or Alert Details pane to
your clipboard. This allows you to paste the data into another application, such as Microsoft Excel, for
comparison or analysis, to share the data with someone who does not have a Console, or to send to
TriGeo Network Security for technical support. You can copy the data for a single alert or for multiple
alerts.
To copy alert data from the alert grid:
1. Open the Monitor view.
2. In the Filters pane, click to select the filter you want to work with.
The alert grid displays the filter you have selected.
3. In the alert grid, click to select the alerts you want to copy. You can select multiple alerts, as
described in "Selecting items in a grid" on page 31.
4. Click the alert grid’s gear button and then click Copy.
The alert data is now copied to your clipboard (as text), where it can be pasted into another
application.
To copy alert data from the Alert Details grid:
1. Open the Monitor view.
2. In the Filters pane, click to select the filter you want to work with.
The alert grid displays the filter you have selected.
3. In the alert grid, click to select the alert you want to work with.
4. In the Alert Details pane, click to select the rows you want to copy. You can select multiple
rows, as described in "Selecting items in a grid" on page 31.
5. Click the alert grid’s gear button and then click Copy.
The selected alert details are now copied to your clipboard (as text), where it can be pasted
into another application.
Marking alerts as read and unread
You may want to mark the alerts in an alert filter as being unread and read. A read alert is one that you
have already looked at. An unread alert is one you have not looked at yet. By marking alerts this way,
you can easily track which alerts you have already examined.
To mark alerts as read and unread:
1. Open the Monitor view.
2. In the Filters pane, click to select the filter you want to work with.
The alert grid displays the filter you have selected.
3. In the alert grid, select the alerts you want to mark as read or unread. You can select multiple
alerts, as described in "Selecting items in a grid" on page 31. Skip this step if you are going to
mark all of the alerts as read or unread.
4. Click the alert grid’s gear button, and then select one of the options listed in the following
table.
Command
    Description

Mark Unread
    Select this command to mark the selected alerts as unread. This means you have not looked at
    them yet. Unread alerts appear in bold text. When a filter has the “read/unread” feature turned
    on, any of its alerts that are captured by other filters will appear as unread in those
    filters, too.
Mark Read
    Select this command to mark the selected alerts as having been read. Alerts marked as “read”
    appear in normal text, rather than bold text.
Mark All Unread
    Select this command to mark all of the alerts in the active filter as unread. This means you
    have not looked at them yet. Unread alerts appear in bold text.
Mark All Read
    Select this command to mark all of the alerts in the active filter as having been read. Alerts
    marked as “read” appear in normal text, rather than bold text.
The grid refreshes to show each row’s read/unread status.
To read an unread alert:
• In the grid, click to select the alert.
The alert’s status changes from unread to read.
Exploring alerts
The alert grid’s Explore menu lets you use a TriGeo explorer to investigate a particular alert or one of
its data fields.
To explore an alert:
1. Open the Monitor view.
2. In the Filters pane, select the filter you want to work with.
The alert grid displays the filter you have selected.
3. In the alert grid, click the row (or cell) you want to explore.
4. In the filter’s Explore menu, select the TriGeo explorer you want to work with. For a
description of each menu option, see "Types of explorers" on page 156.
The Explore view appears, showing the TriGeo explorer you selected. The explorer contains
the data for the cell you selected.
Removing alerts
When needed, you can remove individual alerts from a filter, or all of the alerts from a filter. You may
want to do this to clean a filter of historical information that is no longer important to you.
To remove individual alerts:
1. Open the Monitor view.
2. In the Filters pane, click to select the filter you want to work with.
The alert grid displays the filter you have selected.
3. In the alert grid, select the alerts you want to remove. You can select multiple alerts, as
described in "Selecting items in a grid" on page 31.
4. Click the alert grid’s gear button, and then click Remove.
The selected alerts are removed from the grid.
To remove all alerts:
1. Open the Monitor view.
2. In the Filters pane, click to select the filter you want to work with.
The alert grid displays the filter you have selected.
3. Click the alert grid’s gear button, and then click Remove All.
All of the filter’s existing alerts are removed from the grid. The filter will now show only new
incoming alerts.
Using the Alert Details/Alert Description pane
In the Monitor view, the right half of the lower pane has two different views to show the properties of
the alert that is currently selected in the alert grid:
• The Alert Details view displays detailed information about the alert that is currently selected
  in the grid. If more than one alert is selected, it shows the properties of the last alert to be
  selected.
• The Alert Description view displays a written description of the last alert to be selected in the
  grid.
You can also use this pane to create a filter based on the selected alert, or to scroll through the
contents of the alert grid.
The Alert Details view
The Alert Description view
Using the Alert Details toolbar
The following table explains how to use the toolbar at the top of the Alert Details/Alert Description
pane.
Button
    Description

Create filter button
    Click this button to create a new filter that captures the currently selected alert type. The
    new filter becomes the active filter in the alert grid, and appears in the Filters pane under
    the last selected filter. If needed, you can edit the filter so it captures alerts of an even
    more specific nature. See "Editing an existing filter" on page 89.
Up and down buttons
    Click these buttons to move up and down among the alerts in the alert grid. The pane shows
    detailed technical information about each alert that is selected. This lets you view the
    technical details and written descriptions of each alert in the grid.
    Remember, you can also use your keyboard's up (↑) and down (↓) arrow keys:
    • To cycle through the alerts in the alert grid, click anywhere in the alert grid. Then use
      your up and down arrow keys.
    • To cycle through the fields in the Alert Details pane, click anywhere in the Alert Details
      grid. Then use your up and down arrow keys.
Alert Details button
    Click this button to open the pane’s Alert Details view. This view shows detailed information
    about each of the selected alert's data fields. The actual fields that appear here vary,
    according to the alert type that is currently selected. For example, network-oriented alerts
    show fields for IP addresses and ports. Account-oriented alerts show account names and domains.
    For a description of each alert field that can appear in the Alert Details view, see "Table of
    alert data fields" on page 557.
Alert Description button
    Click this button to open the pane’s Alert Description view, which provides a detailed written
    description of the alert type that is currently selected.
Alert severity levels
Each alert is assigned a number that indicates its severity. The following table explains each severity
level.
Level  Name            Description
0      Debug           Designates detailed event information used for debugging by TriGeo engineers.
1      System Error    Indicates that part of the system is unusable.
2      Informational   Indicates TriGeo informational messages only.
3      Normal Audit    Indicates normal behavior, but could be part of a signature attack.
4      Normal Notice   Indicates normal behavior that should be monitored.
5      Suspicious      Indicates normal behavior under some circumstances, but should be investigated.
6      Threatening     Indicates that investigation is needed and possibly an action.
7      Critical        Indicates that immediate action is needed.
Responding to alert messages
The alert grid’s Respond menu lets you take direct action on a particular alert message. Each
Respond command opens the Respond form. The Respond form includes data from the field you
selected and options for customizing the action, just as you would configure a rule’s active response
in Rule Creation.
The Respond menu is context-sensitive. The alert type or cell that is currently selected in the alert
grid determines which responses you may choose from.
Responding to an alert
1. In the Monitor view’s alert grid, click the specific cell of the alert message you want to
respond to.
2. Click the alert grid’s Respond menu, and then select the type of response you want to make.
You can choose between All Actions and a list of commonly used actions.
The Respond form appears.
The Respond form has three main sections:
• The top of the form shows the Manager that is affected by the action you are taking, and the
  specific action you are going to take.
  If you selected All Actions, the form displays the default action of Send Popup Message. In
  either case, you can select a different action from the form’s Action list. The list includes
  many of the actions found in Rule Creation, and you configure them the same way.
• The middle of the form displays the configuration fields that apply to the action you have
  selected, and the contents of the cell you selected in Step 1. You will use this section to
  customize the action you want to take.
  The cell data from Step 1 appears in the appropriate configuration field of the Respond form.
  For example, if you selected an alert row’s InsertionIP cell and then selected a response of
  Send Popup Message, the value of the InsertionIP cell appears in the Action form’s Agent field.
• The bottom contains an alert information grid. This grid displays the same detailed alert
  information as the Alert Details pane. You can drag information from this section into the
  form’s configuration fields. To interpret this information, see "Table of alert event data
  fields" on page 557.
3. In the middle of the form, complete the action’s configuration fields. You can do this by typing
text into each field, by dragging and dropping information from the form’s alert information
section, or some combination of the two.
For complete information on configuring action fields, see the "Actions table" on page 313.
Also see "Using the Respond form’s drag and drop functionality" on page 85.
4. Click OK to execute the action. Otherwise, click Cancel.
Using the Respond form’s drag and drop functionality
In the Respond form, you can drag and drop information from the form’s alert information section (at
the bottom of the form) into its action configuration fields (in the middle of the form). You can use this
method to do any of the following:
• add content to a blank field
• replace the content of a field
• add to the content that is already in a field.
You can also use a combination of typing and drag and drop to configure an action.
To place alert information into a field:
Follow this procedure to add content to a blank configuration field or to replace the content of an
existing configuration field.
1. In the Respond form’s alert information grid, scroll to locate the field that contains the data element needed to configure the action.
2. Click the data and then drag it into the appropriate action configuration field (in the middle of
the Respond form).
The new data element appears in the configuration field.
To add to the contents of a field from the alert information:
Follow this procedure to add new field information to a configuration box, rather than replace it.
Typically, you will use this procedure to add multiple data elements to the Message box.
1. In the Respond form’s alert information section, scroll to locate the field that contains the data
element you want to add to the configuration field.
2. Select the information field’s contents by clicking its data in the Information column.
3. Press Ctrl, then drag the data into the appropriate action configuration field (in the middle of
the form) to add the new data element to the configuration field.
Managing alert filters
The topics in this section explain how to create and manage alert filters. It includes instructions on the
following:
• creating new filters
• editing an existing filter
• cloning an existing filter
• pausing filters to stop incoming alert traffic
• turning filters on and off
• copying a filter
• importing a filter
• exporting a filter, and
• deleting a filter.
Creating a new filter
Use the following procedure whenever you need to create a new filter. You will configure the filter with
the Filter Creation tool. Instructions on using this form are provided at length in "Creating custom
alert filters" on page 109.
To create a new filter:
1. Open the Monitor view.
2. In the Filters pane, click the title bar of the filter group you want the new filter to reside in. If
you change your mind later, you can always move the filter to a different group.
The filter group opens to list the filters that are available for that group.
3. On the Filters pane, click the plus button and then click New Filter.
The Monitor view changes from showing the alert grid to showing the Filter Creation tool.
The tool shows a new filter with the name of [New Filter].
4. In the Name box, type a name for the filter. This is the name that will be used to identify the
filter in the Filters pane.
5. In the Lines Displayed box, type or select the total number of alerts that are to be displayed in
this filter. You can use the up and down arrow buttons to the right of the box to select a value.
The default value is 1000 lines. You can select up to a maximum of 2000 lines.
6. In the Description box, type a brief description of what the filter does, or the situation for
which the filter is intended.
7. Use the list pane and the Conditions box to configure the conditions that define the filter.
These are conditions between alerts, Alert Groups, alert fields, and other components. For
more information, see "Configuring filter conditions" on page 120.
8. If you want special notification whenever the filter captures an alert event, drag an option from
the Notifications list to the Notification box. Then configure the notification method. See
"Configuring alert filter notifications" on page 137 for complete instructions.
9. Click Save to save the filter’s settings.
10. If applicable, use the Filter Status section to verify, troubleshoot, and resolve any problems
with the filter’s logic. For more information, see "Using the Status bar" on page 133.
When finished, the new filter appears in the filter group you selected in Step 2.
Editing an existing filter
Use the following procedure whenever you need to edit or rename an existing filter. Once the filter is
open for editing, you can change its name, description, configuration, or notification settings, as
needed.
Filters are edited in Filter Creation. Instructions on using this tool are provided at length in "Creating
custom alert filters" on page 109.
To edit an existing filter:
1. Open the Monitor view.
2. In the Filters pane, open the filter group that contains the filter you want to edit.
3. Select the filter you want to edit.
4. On the Filters pane, click the gear button and then click Edit.
The Monitor view changes from showing the alert grid to showing the Filter Creation tool.
5. Edit the filter’s configuration, as required. For complete instructions, see "Creating custom
alert filters" on page 109.
6. Click Save to save the filter’s settings.
7. If applicable, use the Filter Status section to verify, troubleshoot, and resolve any problems
with the filter’s logic. For more information, see "Using the Status bar" on page 133.
Cloning an existing filter
Cloning a filter lets you copy an existing filter, but save it with a new name. Cloning allows you to
quickly create variations on existing filters.
To clone a filter:
1. Open the Monitor view.
2. In the Filters pane, select the filter you want to clone.
3. On the Filters pane, click the gear button and then click Edit.
4. Click the row’s gear button and then click Clone.
The newly cloned filter appears in the filter group, just below the original filter.
A clone always uses the same name as the filter it was cloned from, followed by the word
Clone. For example, a clone of the Virus Attacks filter is called Virus Attacks Clone.
A second clone of the Virus Attacks filter is called Virus Attacks Clone 2, and so on.
5. Edit the cloned filter, as needed, to give it its own name and to assign its own specific settings.
Pausing filters
At any time, you can pause a filter to stop the stream of alert messages that are appearing on that
filter. This allows you to inspect a set of alert messages without being interrupted by new incoming
messages. You can pause each filter independently, or you can pause every filter on the Console.
To pause a filter:
1. Open the Monitor view.
2. In the Filters pane, click to select the filter you want to pause.
The alert grid changes to display the filter you selected.
3. Do either of the following:
• On the alert grid’s title bar, click Pause.
• On the Filters pane, click the gear button and then click Pause/Resume.
In the Filters pane, the word Paused appears next to the filter.
To pause all filters:
1. Open the Monitor view.
2. On the Filters pane, click the gear button and then click Pause All.
In the Filters pane, the word Paused appears next to every filter, except those that have been
turned off.
Resuming paused filters
When a filter is paused, it ceases to receive any alert traffic. To begin receiving alert traffic again, you
must resume the filter. You can resume each filter independently, or you can resume every paused
filter on the Console.
To resume running a filter:
1. Open the Monitor view.
2. In the Filters pane, click to select the filter you want to resume.
The alert grid changes to display the filter you selected.
3. Do either of the following:
• On the alert grid’s title bar, click Resume.
• On the Filters pane, click the gear button and then click Pause/Resume.
In the Filters pane, the word Paused is replaced by the number of alerts that are currently
associated with the filter.
To resume running all filters:
1. Open the Monitor view.
2. On the Filters pane, click the gear button and then click Resume All.
In the Filters pane, the word Paused is replaced by the number of alerts that are currently
associated with each filter.
Turning filters on and off
Perhaps you only use a few filters on a regular basis. If so, you can turn off any unused filters. If you
later decide you need the filter, you can easily turn it back on again. This “on/off” feature lets you
conserve resources and not monitor a filter without taking the drastic measure of deleting the filter.
When you turn a filter back on, it starts from that moment in time—it does not pull prior alerts from
memory.
Filters are turned on and off from the Filters pane. Filters that are off appear in italic type and show a
status of Off. Filters that are on appear normal.
To turn a filter off:
1. Open the Monitor view.
2. In the Filters pane, select the filter you want to turn off.
3. On the Filters pane, click the gear button and then click Turn Off.
In the Filters pane, the filter title is now italicized and reads Off in its status column. While the
filter is no longer in use now, it remains available for later use.
To turn a filter back on:
1. Open the Monitor view.
2. In the Filters pane, select the filter you want to turn on.
3. On the Filters pane, click the gear button and then click Turn On.
The filter appears in the alert grid and begins processing data. In the Filters pane, the filter’s
status column changes from Off to showing the total number of alerts associated with the
filter.
Copying a filter
You can copy a filter. This allows you to quickly create variations on existing filters, or to use the
same filter in multiple filter groups.
To copy a filter:
1. Open the Monitor view.
2. In the Filters pane, open the filter group that contains the filter you want to copy.
3. Now open the filter group that is to receive the copied filter.
4. In the first folder, click the filter you want to copy. Then press Ctrl while dragging the filter to
the group that is to receive the copy.
A copy of the filter appears in the new filter group.
To create a variation of the original filter:
1. In the Filters pane, click to select the newly copied filter.
2. Click the Filters pane gear button and then click Edit.
3. In Filter Creation, rename and reconfigure the filter, as desired. For more information, see
"Creating custom alert filters" on page 109.
4. Click Save.
Importing a filter
Alert filters are saved on the workstation that is running the TriGeo Console. If you move to another
workstation, the filters will not follow. However, you can export the filters from one workstation and
import them into another workstation. This allows you to move filters from one Console to another, so
that another user can use the same filters on their Console, too. It also allows you to import filters that
are provided by TriGeo Network Security. You may import more than one filter at a time.
To import a filter:
1. Open the Monitor view.
2. In the Filters pane, select the filter group that is to receive the new filters.
3. On the Filters pane, click the gear button and then click Import Filters.
The Select Filter File(s) to Import form appears.
4. In the Look In box, browse to the folder that contains the filters you want to import.
5. Select the filter files you want to import, and then click Open. To select multiple files, press
the Ctrl key while clicking each file you want to import.
The imported filters appear in the filter group you selected in Step 2.
Exporting a filter
When needed, you can export a filter. Exporting does not remove the filter; it copies the filter to
another location. Exporting filters is useful for the following reasons:
• You can move filters from one Console workstation to another, so that other Console users
can use the same filters.
• You can export your filters to a computer folder or network folder for archival purposes.
• You can provide TriGeo Network Security with a copy of a filter for technical support or
troubleshooting purposes.
Filters are exported from the Filters pane. You may export only one filter at a time.
To export a filter:
1. Open the Monitor view.
2. In the Filters pane, select the filter you want to export.
3. On the Filters pane, click the gear button and then click Export Filter.
4. In the Browse For Folder form, browse to the folder in which you want to save the exported
file. If needed, you can click Make New Folder to create a new folder for the file.
5. Click OK.
The system exports the filter file to the folder.
Deleting a filter
When needed, you can delete a filter, which removes the filter from both the alert grid and the
Filters pane. Deleting a filter also deletes all of the widgets associated with that filter.
Use caution when deleting a filter. The only way to restore it and its widgets is to recreate them.
To delete a filter:
1. Open the Monitor view.
2. In the Filters pane, click to select the filter you want to delete.
3. Do either of the following:
• Click the selected filter’s delete button.
• Click the pane’s gear button, and then click Delete.
4. At the confirmation prompt, click Yes.
The filter is deleted and no longer appears in the Filters pane.
Managing filter groups
The topics in this section explain how to create and manage filter groups in the Filters pane. They
include instructions on the following:
• adding a new filter group
• renaming a filter group
• rearranging filter groups
• moving a filter from one group to another, and
• deleting a filter group.
Adding a new filter group
1. Open the Monitor view.
2. Click the Filters pane plus button and then click New Group.
3. A new filter group appears, and its title bar is an editable text box.
4. Type a name for the new group and then press Enter.
5. The new filter group appears in the Filters list. Filter groups are listed in the order in which you
create them. However, you can rearrange them, as desired.
Renaming a filter group
1. Open the Monitor view.
2. In the Filters pane, do one of the following:
• Double-click the title bar of the filter group you want to rename.
• Click to select the title bar of the filter group you want to rename. Click the Filters pane
gear button and then click Edit.
The filter group’s title bar changes to an editable text box.
3. Type a new name for the filter group and then press Enter.
Rearranging filter groups
By default, new filter groups appear at the bottom of the Filters pane. However, you can rearrange
your filter groups so they appear in a different order. For example, you may want to put your most
frequently used filter groups toward the top of the pane, and your less frequently used groups toward
the bottom.
To move a filter group:
1. Open the Monitor view.
2. In the Filters pane, click the title bar of the filter group you want to move, and then drag it to its
new position.
Moving a filter from one group to another
Once you have created your filter groups, you can organize your filters into them by dragging them
from one group to another.
To move a filter from one group to another:
1. Open the Monitor view.
2. In the Filters pane, open the filter group that contains the filter you want to move.
3. Do either of the following:
• Click the filter you want to move; then drag and drop it just below the title bar of the
group that is to receive the filter.
• Open the filter group that is to receive the filter. Then drag the filter from its original
group into position in the new group.
The filter appears in its new filter group.
Deleting a filter group
When needed, you can delete an entire filter group. Deleting a filter group deletes all of the filters that
are stored within that group and all of the widgets that are associated with those filters. Before
deleting a filter group, be sure to move any filters you want to save into another filter group.
To delete a filter group:
1. Open the Monitor view.
2. In the Filters pane, click to select the filter group you want to delete.
3. Do either of the following:
• Click the filter group’s delete button.
• Click the pane’s gear button, and then click Delete.
4. At the confirmation prompt, click Yes.
The filter group and all of its filters are deleted and no longer appear in the Filters pane.
Using a filter's Widgets pane
About the Widgets pane
In the Monitor view, the left half of the lower pane is called the Widgets pane. It displays widgets
that are associated with the filter that is active in the alert grid. Widgets automatically refresh
themselves to reflect the filter’s real-time alert traffic, according to the Refresh rate that was set
when the widget was created.
You can use a filter’s Widgets pane to do the following:
• View each master widget that is associated with the selected filter.
• Create new master widgets for the filter.
• Edit any of the filter’s master widgets. This lets you change a master widget’s default behavior
or appearance, or use a filter’s master widget as a template to create new dashboard widgets.
• Refine a filter to show only the events associated with a particular line, bar, or pie wedge.
• Change a master widget’s graphical presentation; that is, you can change how it is displayed
(bar chart, pie chart, or line graph) from options that are appropriate for the filter.
The following topics describe each of these tasks in detail. For a more detailed discussion on
widgets, see "Using the Widget Manager" on page 44.
Opening the Widgets pane
1. Open the Monitor view.
2. In the Filters pane, select the filter you want to work with.
3. If needed, click the button that opens the view’s lower pane. Then drag it to the desired size.
The Widgets pane is the left half of this lower pane.
By default, the Widgets pane does not display a widget.
4. In the drop-down list, select the widget you want to see (if any are currently available). The
filter’s widgets are listed in alphabetical order.
Upon closing the view, the Console will remember the Widgets pane’s last setting the next
time you open it.
Viewing a filter’s different widgets
1. Open the Monitor view.
2. In the Filters pane, select the filter you want to work with.
3. Open the Widgets pane, if it is not already visible.
4. Click the pane’s drop-down list, and then select the widget you want to view.
The pane displays the widget you have selected.
Creating a new widget
In the Widgets pane, you can create a new master widget for the active filter. As in the Ops Center,
widgets are created with the Widget Builder, which allows you to define the new widget’s
foundational and aesthetic settings.
For more information on widgets, see "Master widgets and dashboard widgets" on page 42.
To create a new master widget from the Monitor view:
1. Open the Monitor view.
2. In the Filters pane, select the filter you want to work with.
3. Open the Widgets pane, if it is not already visible.
4. Click the pane’s button that opens the Widget Builder.
The Widget Builder appears.
5. Complete the Widget Builder. For details, see "Using the Widget Builder" on page 48.
6. When you are finished, click Save.
Upon saving, the new master widget appears in the Widgets pane’s drop-down list. In
addition, the next time you open the Ops Center, the new widget will appear in the Widgets
pane for the Category associated with this filter. You may then add the widget to your
desktop.
Editing a widget
You can use the Widgets pane to edit any of the widgets that are associated with the active filter.
You will need to edit a widget whenever you want to change its name, behavior, or appearance.
To edit a filter’s widget:
1. Open the Monitor view.
2. In the Filters pane, select the filter you want to work with.
3. Open the Widgets pane, if it is not already visible.
4. In the pane’s widget list, select the widget you want to work with.
The pane displays the widget you have selected.
5. Click the pane’s gear button.
The Widget Builder appears.
6. Use the Widget Builder to reconfigure the widget, as needed. For detailed instructions, see
"Using the Widget Builder" on page 48.
7. Click Save to save your changes to the widget.
Upon saving, the widget’s new configuration appears in the Widgets pane. If the widget’s
name changed, the new name appears in the pane’s widget list.
In addition, the next time you open the Ops Center, the widget’s new configuration will appear
in the Widgets pane for the Category associated with this filter. However, none of the
previous dashboard widgets that are based on this widget will change.
Refining a filter with a widget
In the Monitor view, widgets allow you to refine the alert filters that are their data sources. You do
this by clicking the specific line, bar, or pie wedge of the chart that interests you. The alert grid then
refreshes to list only the events that correspond with the chart item you selected.
To refine a filter with a widget:
1. In the Widgets pane, select the widget you want to view.
2. On the widget, click the specific line, bar, or pie wedge that interests you.
The alert grid refreshes to list only those events that correspond to the line, bar, or pie wedge
that you clicked. Note that the filter is paused.
Also note that the widget remains in place, so you can click another line, bar, or wedge to
investigate another part of the chart. Each time you click a different item, the data in the alert
grid changes to list the alert messages associated with that item.
3. Click Resume on the alert grid toolbar to begin running the filter again.
Refreshing a widget
Widgets automatically refresh themselves according to the Refresh rate that was set when the
widget was created. If a widget has a slow refresh rate, you can refresh it whenever you want.
Refreshing a widget immediately updates it to show the most current real-time data from your
network traffic.
To refresh a widget:
• In the Widgets pane, click the refresh button on the widget toolbar.
The widget refreshes to show the latest data from your network.
Editing a widget’s presentation
On the back of each widget there is a form that lets you change how the data is presented on the
widget. However, your options are limited to the type of widget you are working with and the type of
data it is reporting. For example, widgets that only report data in one dimension may be limited to a pie
chart, while information in two dimensions can be reported in a bar chart or a line chart.
To edit a widget’s presentation:
1. In the Widgets pane, click the button on the widget toolbar that flips the widget over.
The widget flips over to display its configuration options.
2. Configure the widget, according to its configuration options. These options are a sub-set of the
fields on the Widget Builder. For complete information on each of these fields, see "Using
the Widget Builder" on page 48.
Chapter 6: Creating custom alert filters
Filter Creation
The Monitor view has a Filter Creation tool that lets you create and edit your own custom alert
filters, as well as edit any existing filters. You can use this form to name, describe, configure, and
verify your filters.
Alert filters are based on specific Alerts or Alert Groups. You configure them by dragging and dropping
the filter’s Alert attributes into configuration boxes. When an Agent or Manager reports an event that
conforms to the alert filter’s conditions, the alert message appears in the alert grid, whenever that
filter is active.
Each filter you create is added to the Filters pane. Selecting the filter causes it to become the active
filter in the alert grid. As with other filters, the alert grid shows only those alert messages that meet
your filter’s requirements.
The possibilities for alert filters are endless, so this section describes how to create filters in general
terms. This section is not intended to be a tutorial, but rather a reference for you to fall back on if you
are unclear about how any of the custom filter form’s elements, commands, or functions perform.
The tools in Filter Creation are very similar to those found in Rule Creation. Filters simply report
event occurrences, so there is no harm if you create a filter that is unusual or has logic problems. But
this is not the case when building rules—creating an incorrect rule can have unpleasant
consequences. Therefore, creating filters with Filter Creation is an excellent way to familiarize
yourself with the logic and tools needed to create well crafted rules.
Features of Filter Creation
This picture shows the main elements of the Filter Creation tool.
The Filter Creation tool
Each element of the form is described in the following table. The topics that follow this section
describe each element in detail.
List pane: This “accordion” pane is called the list pane. It contains categorized lists of the alerts,
alert groups, alert variables, groups, profiles, and constants that you can use when creating
conditions for your filters.
If more than one Manager is linked to the Console, each item in the list pane lists the Manager it is
associated with. Therefore, some list items may appear to be listed multiple times. But in reality, they
are listed once for each Manager. Alerts are universal to all Managers, so they do not show a Manager
association. For more information, see "Features of the list pane" on page 113.
Filter identification section: Use the top part of the form to name and describe the filter, so you can
quickly identify it.
Filter Status bar: The Filter Status bar lists warnings and error messages about your filter’s current
configuration logic.
• Click ► to view a list of warning and error messages.
• Click a message flag to provide detailed information about the nature of that problem.
• Click a message to highlight the specific area or field that is the source of that problem.
For more information, see "Using the Status bar" on page 133.
Conditions box: Use this box to define the conditions for the data that is to be reported by the filter.
You configure conditions by dragging items from the list pane into the Conditions box. For more
information, see "Configuring filter conditions" on page 120.
Notifications box: Use this box to define how the Console is to alert users of alert events, such as
sound, pop-up message, etc. For more information, see "Configuring alert filter notifications" on
page 137.
Undo/Redo: Click the Undo button to undo your last desktop action. You can click the Undo button
repeatedly to undo up to 20 steps.
Click the Redo button to redo a step that you have undone. You can click the Redo button
repeatedly to redo up to 20 steps.
You can only use Undo or Redo for any steps you made since the last time you clicked Save.
Save/Cancel: Click Save to save your changes to a filter, close Filter Creation, and return to the
alert grid.
Click the Cancel button to cancel any changes you have made to a filter since the last time you
clicked Save, exit Filter Creation, and return to the alert grid. If you have any unsaved changes, the
system will prompt you to confirm that you want to cancel.
Features of the list pane
The list pane is the “accordion” list on the left side of Filter Creation and
Rule Creation. It contains categorized lists of alerts, Alert Groups, alert
fields, Groups (from the Groups grid), profiles, and constants that you can
use when creating conditions for your filters and rules.
If more than one Manager is linked to the Console, each item in the list
pane lists the Manager it is associated with. Therefore, some list items
may appear to be listed multiple times. But in reality, they are listed once
for each Manager. Alerts are universal to all Managers, so they do not
show a Manager association.
The following table describes the contents of each list in the list pane. They are listed in the order in
which they appear.
Alerts: The topmost list is the Alerts list. It lists all of the Console’s alert types. You can show the
alerts either of two ways—as a hierarchical node tree, or as an alphabetized list. Both views contain
the same alerts—they are just presented differently.
You can search either view. To do so, begin typing a word or phrase in the box at the top of the list.
The Alerts list will refresh to show any alert types that include your word or phrase. Then use the list
to select each alert type that you want to include as a filter condition or a rule correlation.
Node tree button: Click this button to display the Alerts list as a hierarchical node tree. This is the
Alerts list's default view. This view also has the following attributes:
• The node tree displays alert types with the same hierarchy they have in "Types of alerts" on
page 493.
• Lower-level alert types are hidden by nodes in the alert tree. To open a node, click the ► icon.
This displays the node’s next level of alerts.
• Using the search box displays the alert and its parent alert types, so you can see how the alert
appears in the alert hierarchy.
Alphabetical list button: Click this button to list alert types alphabetically, regardless of their
position in the hierarchy.
Alert Groups: The Alert Groups list displays preconfigured groups of alerts that can be used to
initiate a particular alert filter condition or rule correlation. The top box lists the names of Alert
Groups. The Fields list displays those fields that apply to the Alert Group that is currently selected.
Alert groups are created in the Groups grid. For more information, see "Configuring Alert Groups"
on page 221.
Fields: The Fields list displays those data fields that apply to whichever alert is selected in the
Alerts or Alert Groups list.
User-Defined Groups: This list displays the different preconfigured User-Defined Groups that apply
to the Managers. User-Defined Groups are groups of preferences used in rules and alert filters that
allow you to match, include, or exclude events, information, or data fields based on their membership
in a particular Group. In most cases, User-Defined Groups are used in rules as a type of whitelist or
blacklist for choosing which events to include or to ignore.
User-Defined Groups are created in the Group Builder. For more information, see "Configuring
User-Defined Groups" on page 249.
Tool Profiles: This list displays all the different Tool Profiles that apply to the Managers. Tool
Profiles are groups of Agents that have common tool configurations. You can use them to have your
rules and filters include or exclude the Agents associated with a particular profile.
Tool Profiles are created in the Groups grid. For more information, see "Configuring Tool Profiles"
on page 241.
Directory Service Groups: This list displays the Directory Service Groups that are synchronized
with the Managers. Directory Service Groups are preconfigured groups of network computers and
system users that you can use in rules and filters. They allow you to match, include, or exclude
events to specific users or computers based on their Group membership.
Directory service groups are synchronized to the TriGeo SIM through the Groups grid. For more
information, see "Configuring Directory Services Groups" on page 225.
Time Of Day Sets: This list displays all of the different Time Of Day Sets that apply to the
Managers. Time Of Day Sets are specific groups of hours that you can associate with rules and alert
filters. You can use them to have your filters include or exclude messages that occur during the
hours associated with a particular Time of Day Set, or to have your rules take different actions at
different times of day.
Time of Day Sets are created in the Groups grid. For more information, see "Configuring Time of
Day Sets" on page 238.
State Variables (applies only to rules): This list displays all of the different State Variables that
apply to this Manager. The upper box lists the names of State Variables. The lower box lists the
various fields that apply to whichever State Variable is selected in the upper box.
State Variables are created within the Groups grid. For more information, see "Configuring State
Variables" on page 233.
Subscription Groups (applies only to filters): This list displays all of the TriGeo Console user
names, and the Manager each user is currently associated with. Each name in the list represents the
list of rules that each individual user is subscribed to. By adding a Subscription Group to a filter, you
can build the filter so that it only displays alert messages that are related to specific rules that a
particular user is interested in (or “subscribed to”).
Subscription groups are created in the Rules grid. For more information, see "Subscribing to a rule"
on page 270.
Constants: This list displays the three types of constants that rules and filters can use for comparing
alert data—text, number, or time.
Actions (applies only to rules): This list displays all of the active responses that a rule can initiate,
such as sending an email message, sending a pop-up message, blocking an IP address, etc. For a
definition of each possible action, see the "Actions table" on page 313.
Notifications (applies only to filters): This list includes the various notification methods the
Console can use to announce an alert message for the filter. You can have the Console display a
pop-up message, display the new alert as “unread,” play a sound, or have the filter name blink. If
needed, you can configure multiple notification methods for the same filter. For more information,
see "Configuring alert filter notifications" on page 137.
Features of the Conditions box
Use the Conditions box to configure the conditions that determine which alerts a filter is to report.
Conditions are the various rules that state when the filter is to display an alert message.
To define conditions, you drag alert variables from the Alerts, Alert Groups, and Fields lists into the
Conditions box. Then use the Conditions tools (described below) to configure how these variables
are to compare to other items, such as Time Of Day sets, Tool Profiles, User-defined Groups,
Constants, and other alert fields.
You can also compare groups with AND/OR conditions. AND conditions state which alerts must all
occur together before the filter shows an alert. OR conditions state that if any one of several
conditions occur, the filter shows the alert.
The combined conditions dictate when the alert filter is to display an alert. The filter ignores (and does
not display) any alerts that do not meet these conditions.
The Conditions tools allow you to configure relationships between events in the Conditions box,
and to establish conditions for when the alert filter is to display the alert message.
The Conditions box
The following table describes each feature of the Conditions box.
► / ▼ (expand and collapse): Individual groups (and the entire Conditions box) can be expanded or
collapsed to show or hide their settings:
• Click ► to expand a collapsed group.
• Click ▼ to collapse an expanded group. The number that appears in parentheses indicates how
many conditions are contained in the group.
Once a group is properly configured, you may want to collapse it to avoid accidentally changing it.
Group button: This is the Group button. It appears at the top of every group box. Click it to create a
new group within the group box. A group within a group is called a nested group.
Each group is subject to AND and OR relationships with the groups around it and within it. By
default, new groups appear with AND comparisons.
Delete button: This is the Delete button. It appears at the top of every Group box. When you point
to a condition, it also appears next to that condition. Click this button to delete a condition or a group.
Deleting a group also deletes any groups that are nested within that group.
Alert variable: From the Alerts, Alert Groups, or Fields list, drag an alert, Alert Group, or alert field
into the Conditions box. This is called the alert variable.
You can think of an alert variable as the subject of each group of conditions. As alert messages
stream into the Console, the filter analyzes the values associated with each alert variable to
determine if the alert message meets the filter’s conditions.
Operators: Whenever you drag a list item or a field next to an alert variable, an operator icon
appears between them. The operator states how the filter is to compare the alert variable to the other
item to determine if the alert meets the filter’s conditions.
• Click an operator to cycle through the various operators that are available for that comparison.
Just keep clicking until you see the operator you want to use.
• Ctrl+click an operator to view all of the operators that are available for that comparison. Then
click to select the specific operator you want to use.
For more information, see "Comparing values with operators" on page 127.
List item: List items are the various non-alert items from the list pane. You drag and drop them into
groups to define conditions based on your Time Of Day Sets, Tool Profiles, User-Defined Groups,
Constants, etc.
Some alert variables automatically add a blank Constant as their list item. You can overwrite the
Constant with another list item, or you can click the Constant to add a specific value for the constant.
For example, clicking a text Constant turns the field into an editable text box so you can type specific
text. The text field also allows wildcard characters.
Note that each list item has an icon that corresponds to the list it came from. These icons let you
quickly identify what kinds of items are defining your filter’s conditions.
Nested group: A group within a group is called a nested group. You may drag alert variables and
other items from the list pane into the nested group boxes. By using nested groups, you can refine
conditions by combining or comparing one group of conditions to another. This allows you to create
the logic for highly complex and exact conditions.
The example above shows one nested group. It represents a set of conditions within a higher-level
group.
AND / OR: Conditions (and groups of conditions) are subject to AND and OR comparisons. If you
click an AND operator, it changes to an OR, and vice versa.
For more information, see "Comparing values with operators" on page 127.
For examples of how to use the Conditions box to configure an alert filter, see "Configuring filter
conditions" on page 120 and "Tutorial: Configuring an alert filter" on page 141.
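The Conditions box logic described above, modelled in code as an added example that is not TriGeo’s own: alert variables compared by an operator to a text Constant (with wildcards), to a User-Defined Group used as a whitelist, and to a Time Of Day Set, combined in nested AND/OR groups, plus a check that reports empty groups the way the Filter Status bar flags logic problems. The operator names, field names, hosts and sample alerts are constructed for the example.

```python
# Added example, not TriGeo's code: a model of the Conditions box. Alert
# variables are compared with operators to list items (constants, a
# User-Defined Group, a Time Of Day Set) inside nested AND/OR groups.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Any, Callable, Dict, List, Union

Alert = Dict[str, Any]  # one alert message: field name -> value

# Operator names here are assumptions for the example, not the product's own.
# Text matching is case-insensitive and accepts the * and ? wildcards.
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "=": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    "matches": lambda a, b: fnmatchcase(str(a).lower(), str(b).lower()),
    "in": lambda a, b: a in b,          # member of a Group or Time Of Day Set
    "not in": lambda a, b: a not in b,  # exclusion, i.e. a Group used as a whitelist
}


class TimeOfDaySet:
    """A set of hours; the range may wrap past midnight (e.g. 18:00 to 06:00)."""

    def __init__(self, start_hour: int, end_hour: int) -> None:
        self.start, self.end = start_hour, end_hour

    def __contains__(self, hour: int) -> bool:
        if self.start <= self.end:
            return self.start <= hour < self.end
        return hour >= self.start or hour < self.end  # wrap-around range


@dataclass
class Condition:
    """One condition: alert variable, operator, list item."""
    alert_field: str
    operator: str
    list_item: Any

    def evaluate(self, alert: Alert) -> bool:
        if self.alert_field not in alert:
            return False  # the alert carries no such field, so it cannot match
        return OPERATORS[self.operator](alert[self.alert_field], self.list_item)


@dataclass
class Group:
    """A group of conditions (or nested groups) joined by AND or OR."""
    relation: str = "AND"
    members: List[Union[Condition, "Group"]] = field(default_factory=list)

    def evaluate(self, alert: Alert) -> bool:
        results = (m.evaluate(alert) for m in self.members)
        if self.relation == "AND":
            return all(results)
        if self.relation == "OR":
            return any(results)
        raise ValueError(f"unknown relation {self.relation!r}")


def validate(group: Group, path: str = "group") -> List[str]:
    """Logic warnings of the kind the Filter Status bar flags."""
    warnings = []
    if not group.members:
        effect = "matches every alert" if group.relation == "AND" else "matches nothing"
        warnings.append(f"{path}: empty group ({effect})")
    for i, m in enumerate(group.members):
        if isinstance(m, Group):
            warnings.extend(validate(m, f"{path}.{i}"))
        elif m.operator not in OPERATORS:
            warnings.append(f"{path}.{i}: unknown operator {m.operator!r}")
        elif m.operator == "matches" and m.list_item == "":
            warnings.append(f"{path}.{i}: blank text constant")
    return warnings


def apply_filter(conditions: Group, alerts: List[Alert]) -> List[Alert]:
    """Return the alerts the filter would show in the alert grid."""
    return [a for a in alerts if conditions.evaluate(a)]


# Constructed sample data: hypothetical field names, hosts and alerts.
AFTER_HOURS = TimeOfDaySet(18, 6)
MAINTENANCE_HOSTS = {"backup01", "patchsrv"}  # User-Defined Group used as a whitelist

# (logon failure AND after hours AND host not in the whitelist) OR any virus detection
EXAMPLE_FILTER = Group("OR", [
    Group("AND", [
        Condition("EventType", "=", "UserLogonFailure"),
        Condition("Hour", "in", AFTER_HOURS),
        Condition("DetectionHost", "not in", MAINTENANCE_HOSTS),
    ]),
    Condition("EventInfo", "matches", "*virus*"),
])

SAMPLE_ALERTS: List[Alert] = [
    {"EventType": "UserLogonFailure", "Hour": 23, "DetectionHost": "ws-042", "EventInfo": "bad password"},
    {"EventType": "UserLogonFailure", "Hour": 23, "DetectionHost": "backup01", "EventInfo": "bad password"},
    {"EventType": "UserLogonFailure", "Hour": 10, "DetectionHost": "ws-042", "EventInfo": "bad password"},
    {"EventType": "VirusAttack", "Hour": 10, "DetectionHost": "ws-007", "EventInfo": "Virus found: Eicar"},
]

# Running the filter over the sample keeps the ws-042 logon failure and the ws-007 virus alert.
MATCHED = apply_filter(EXAMPLE_FILTER, SAMPLE_ALERTS)
```

An empty AND group evaluates to true for every alert, which is why `validate` reports it: the same mistake in the Console would flood the alert grid.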
Configuring filter conditions
The topics in this section explain how to configure the conditions that define a filter. You will learn
how to use the list pane and the Conditions box to configure the conditions that determine which
alerts or alert events the filter will capture. These procedures are the same, whether you are
configuring a new filter or editing an existing one.
This section includes the following topics:
• Creating the conditions that define the filter
• Grouping conditions
• Targeting conditions
• Using operators to compare conditions
• Using AND and OR relationships with conditions and condition groups
• Deleting conditions and condition groups
• Troubleshooting problems with filter logic
Adding conditions to filters
The topics in this section explain how to add the conditions that determine which alerts or alert events
the filter will capture. Conditions can be based on specific alerts, alert groups, alert fields, Groups
(from Build ► Groups), or Constants.
Whenever you add the first condition to the Conditions form, you create a group. Groups let you
combine a set of conditions so you can further combine or compare that set to some other set of
conditions.
You can keep adding conditions to a group. You can create new groups that you can combine or
compare with your previous groups. You can also add nested groups, which are groups within groups.
Nested groups let you create the logic for complex conditions.
The procedures for adding conditions and groups are the same, regardless of the type of condition you
are building.
Adding conditions
1. Open the filter you want to work with in Filter Creation.
2. In the list pane, click the title bar of the list you want to work with.
Typically, you will begin by adding an alert variable from the Alerts, Alerts Group, or alert
Fields. An alert variable is any alert, Alert Group, or alert field that is part of a rule or filter
condition. An alert variable can be compared to a Group, a constant, or another alert field, as
needed to define each condition.
Anything from an alert list is called an alert variable, and is the “subject” of the filter (or one of
the subjects, if there is more than one alert variable). For a description of each alert type, see
"Types of alerts" on page 493.
3. In the list, select the alert variable you want to work with. Then drag it into the Conditions
box.
Filter Creation’s targeting feature ensures that you place each element in a valid location.
4. Decide on the next item that defines the filter’s configuration. This could be another alert
field, a constant, or something from one of the Group lists. Then drag it from its list and drop it
across from the alert variable you placed in Step 3.
An operator appears between these items. The operator states how the filter is to compare the
alert variable to the other item.
5. Click the operator, and then select the appropriate operator that defines the relationship
between the two items. For example, you can choose if the alert variable should be “equal to,”
“contained in,” “exist,” or be “greater than or equal to” the list item. For more information see
"Comparing values with operators" on page 127.
6. Repeat Steps 1 – 5 for each additional condition that is to define this group of conditions.
7. Determine if all of the conditions in the group must apply before the alert is to be reported (an
AND condition), or if any one of the conditions may apply for the alert to be reported (an OR
condition). Then click the AND or OR symbols to define the proper relationship for the conditions in the group.
8. Click Save to save your changes and close Filter Creation.
You can continue using this same procedure to add new groups, new conditions, and to apply
AND and OR relationships to your conditions and groups. The best way to learn how to
configure alert filters is to practice. Feel free to experiment. You cannot harm anything by
configuring and applying filters. To get started, see "Tutorial: Configuring an alert filter" on
page 141.
Adding groups of conditions
Use the Group buttons to group related alerts together that are to be compared to some other alert or
group. Grouping alerts lets you refine the filter by adding more complex conditions and logic.
Furthermore, you can add groups within groups. This lets you refine conditions by combining or
comparing one group to another.
To add the first group to the Conditions box:
• In the list pane, drag an alert, alert group, or alert field into the empty Conditions box.
The new group appears in the Conditions box. You can now drag items from the list pane into
the group.
To add another group to the Conditions box:
• In the list pane, drag an alert, alert group, or alert field just below an existing group box.
[Figure: the Conditions box before and after adding the second group]
This creates a new group just below the existing one. This new group compares directly to the
other group. By default, an OR operator connects groups at the same level. However, you can
change this to an AND operator.
To add a nested group:
• Click the Group button at the top of a Group box.
A new group appears below and within the group that was already present. By default, an AND
operator connects the original group to the new group. But in this example we have changed it
to an OR operator. You can now drag items from the list pane into the group to create the
conditions for that group.
To move a group:
• Click the group’s title bar and then drag it to a new target position.
To move a condition:
• Click the condition and then drag it to a new target position.
Targeting
The Filter Creation and Rule Creation tools both use a targeting feature to help you configure
custom alert filters and rules.
• In Filter Creation, this feature applies whenever you drag an item from the list pane to a
configurable Conditions or Notifications box.
• In Rule Creation, this feature applies whenever you drag an item from the list pane to a
configurable Correlations, Correlation Time, or Actions box.
[Figure] Targeting in action. In this example, we are dragging the TCPTrafficAudit alert's
DestinationPort field into a nested group. The orange line shows a valid place to drop the field.
Here is how targeting works:
• As you drag an item over a location where it can be placed, an orange line appears, indicating
that the item can be placed there.
• You can place items within groups, or above, below, or on top of items that are already
present. When you drag on top of an item, it replaces the item that was already there with the
new item.
• Targeting prevents you from dragging an item to a location that is inappropriate for that item.
Inappropriate targets will appear in gray to show that they are not compatible with the item you
are positioning.
For more information, see the "Filter condition table" on page 131, which provides a matrix of valid
locations for each type of item from the list pane.
Deleting conditions
When needed, you can delete an individual condition, a group of conditions, or the entire contents of a
filter's Conditions box. These procedures also apply to the conditions in a rule's Correlations box.
To delete a condition within a group:
• In the Conditions box, point to the condition you want to delete. Then click the Delete
button that appears.
The condition is removed from the group.
To delete a group:
• Click the Delete button for the group you want to delete.
The group and any of its nested groups are removed from the Conditions box. However, any
groups that were not nested remain intact. If you deleted the top group in the Conditions box,
the Conditions box remains open so you can continue working.
Comparing values with operators
When configuring a rule or a filter, whenever you drag an item from the list pane and position it next to
an alert variable, an operator icon appears between them. The operator states how the alert variable
must compare with the other item to be subject to the rule's or filter’s conditions.
For example, an operator might state whether or not an alert should be contained within or outside of
a Time of Day Set; or it may state whether or not an alert applies to a particular Tool Profile.
The operators that appear between two elements vary, depending on your selections. The form only
allows comparisons that are logical for the elements you have selected. For more information on
which operators are available for a particular field, see the following reference tables:
• For configuring filter conditions, see the "Filter condition table" on page 131.
• For configuring rule correlations, see the "Rule correlation table" on page 310.
Each of these tables provides a matrix of valid operators for comparing an alert variable to other
elements.
Selecting a new operator
• Click an operator to cycle through the various operators that are acceptable for the current
condition.
• Ctrl+click an operator to show a list of operators you can choose from. Then click to select
the operator you want to use.
Operator tips
The following tips apply to operators:
• When comparing two numeric values, the full range of mathematical operator options is
available.
• An IP address is treated as a string (or text) value. Therefore, operators are limited to “equal”
and “not equal.”
• DateTime fields have a default value of “> Time Now”, which means greater than the current
date and time.
Table of operators
The following table describes each operator and how it should be interpreted when used as a filter
condition. An alert variable is any alert, Alert Group, or alert field that is part of a rule or filter condition.
An alert variable can be compared to a Group, a constant, or another alert field, as needed to define
each condition.
Operator: Exists / Not exist
Use these operators to specify if a particular alert or Alert Group exists. Read conditions with
these operators as follows: “This [alert/Alert Group] must [exist/not exist].”
Note: "Not exist" is only used in rules.

Operator: is in / is not in
Use these operators when comparing alert fields with groups (such as Alert Groups, User-Defined
Groups, etc.). They determine the filter’s behavior, based on whether or not the field is contained in
a specific Group. Read conditions with these operators as follows:
• This [alert field] must be in this [Group].
• This [alert field] must not be in this [Group].

Operator: Equals / Does not equal
Read conditions with these operators as follows:
• This [alert variable] must equal this [list item*].
• This [alert variable] must not equal this [list item*].
Text comparisons (for IP addresses, host names, etc.) are limited to

Operator: Greater than / Greater than OR equal to / Less than / Less than OR equal to
Read conditions with these operators as follows:
• This [alert variable] must be greater than this [list item*].
• This [alert variable] must be greater than or equal to this [list item*].
• This [alert variable] must be less than this [list item*].
• This [alert variable] must be less than or equal to this [list item*].

Operator: AND / OR
Conditions and groups of conditions are subject to AND and OR comparisons.
• The AND symbol means two or more conditions (or groups) must occur together for the filter
to apply. This is the default comparison for new groups.
• The OR symbol means any one of several conditions (or groups) may occur for the filter to
apply. When comparing groups of distinct alerts, you must use the OR symbol.
If you click an AND operator, it changes to an OR, and vice versa.
*A list item can be another alert variable, such as an alert field. For example, you may want to
compare that an alert's source is equal to a destination. In this case, you would compare two alert
fields, such as SourceMachine = DestinationMachine.
Examples of AND and OR conditions
Filter groups and conditions, and rule groups and correlations, are all subject to AND and OR
conditions. By default, new groups, conditions, and correlations appear with an AND condition. AND
and OR conditions can surround nested groups, and they can be used between groups on the same
level to create complex filter conditions or rule correlations.
Example: If x AND y AND z occur, report the alert.
Description: If all of the conditions apply, report the alert.

Example: If x OR y OR z occurs, report the alert.
Description: If any of the conditions apply, report the alert.

Example: If (x AND y) OR z occurs, report the alert.
Description: If conditions x and y occur, or if condition z occurs, report the alert.

Example: If (a AND b) OR (x AND y) OR (z) occurs, report the alert.
Description: In this case, you would create three groups, two nested within the third:
• “Condition1” AND
• “Condition2 AND Condition3” OR “Condition4 AND Condition5.”
The nested groups are configured as (a AND b) and (x AND y), joined with an OR. The outer group
is configured as (z), surrounding the nested groups with an OR.
In this example, the filter reports the alert when it meets the following conditions: Condition1 and
Condition2 and Condition3, or Condition1 and Condition4 and Condition5.
Filter condition table
The following table is for use with Filter Creation. It lists the possible filter combinations that you can
create in the Conditions box for each type of field.
• The Left field column lists each type of field you can drag into the Conditions box’s left field.
• The Right field column lists the corresponding field types that you can drag into the
Conditions box’s right field.
• The Operators columns list the types of comparisons you can make between left and right
fields.
Operators: exists, in, not in, =, ≠, >, >=, <, <=
Left field / Right field pairings recoverable from the table:
• alert, alert group: exists (no right field)
• text alert field, text alert group field: text alert field, text alert group field, text constant;
directory service group, subscription group, tool profile, user-defined group
• time alert field, time alert group field: time alert field, time alert group field, time constant,
time of day
• number alert field, number alert group field: number alert field, number alert group field,
number constant
[The per-cell marks (•) showing which operator applies to each pairing are not legible in this copy
of the table.]
Using the Status bar
As you configure a filter or rule, the Status bar indicates if its configuration is valid by verifying its
current logic. Whenever there is a problem, the Status bar lists the number of warnings and errors it
has found with the configuration.
The Status bar can be found in Filter Creation and in Rule Creation.
Clicking a warning or error message flag provides detailed information about the nature of that
problem. Clicking a warning or error message highlights the specific area or field that is the source of
that problem.
As you make changes and corrections, the Status bar's warning and error counts automatically
update in real time to reflect each configuration change.
The following topics describe how to use the Filter Status bar in Filter Creation and the Rule Status
bar in Rule Creation. The two status bars behave exactly the same way.
Status bar icons
The Status bar displays the overall status of the filter or rule configuration. The overall status is
determined by the worst problem in the status list. If the configuration has both errors and warnings,
its status will be Error to indicate that it has a fatal problem.
Icon / Description
Green (No Problems): The rule or filter configuration has no errors or warnings and should
behave as expected.
Yellow (Warning): The rule or filter has one or more warnings, so it may not behave in the
manner you expect it to. The number in parentheses indicates how many warnings exist
in the filter’s current configuration.
Red (Problems): The rule or filter has one or more errors, so it will not run properly in its current
configuration. The number in parentheses indicates how many errors exist in the
filter’s current configuration.
Using Status bar messages to resolve problems
By default, the Status bar only lists the total number of warnings and error messages it has found with
the current filter or rule configuration. This is to save space when you are working. However, opening
the Status bar displays a complete list of warnings and errors that you can use to troubleshoot and
resolve each problem.
To resolve problems with the Status bar:
1. Click the Status bar (or click its ► button) to open the status list.
The Status bar opens to list each specific warning and error that applies to the rule or filter's
current configuration logic. Note that in each instance, the message states the general nature
of the problem.
2. In the problem list, click a warning or error message to identify the exact area or field that is the
source of the warning or error.
In the configuration form, the area or field that is the actual source of the problem becomes
highlighted in red.
3. In the problem list, click the message flag to open a detailed description of the problem.
A popup message appears, providing a detailed description of that specific warning or error.
You can use this information to troubleshoot and resolve the problem. To close the message,
click its button.
4. Correct the problem, as needed. Warnings are to notify you of potential problems. Errors must
be corrected for the filter or rule to work properly.
5. Repeat Steps 2 and 3 for each message until they are resolved to your satisfaction.
When you resolve all of the warnings and errors, the Status section automatically collapses to
hide itself. However, you can hide the Status section at any time by clicking the Status bar (or
its ▼ button).
Configuring alert filter notifications
In Filter Creation, the Notifications box lets you define how the Console is to notify a user when
the filter receives an alert. Each notification option instructs the Console to announce the alert in a
particular way. You can have the filter display a pop-up message, display the alert in bold text, play a
warning sound, have the filter name blink, or configure a combination of these methods.
Selecting the notification method
1. In the list pane, click the Notifications list.
2. Drag one or more notification options from the Notifications list to the Notifications box.
3. Configure each option, as described in the Notifications table, below.
Notifications table
The following table lists the various notification methods that can be employed to notify a user that a
filter’s alert threshold has been met.
• The Notification column lists each option that is available in the list pane’s Notifications
list. They are alphabetized for easy reference.
• The Description column briefly states how each option behaves.
• The Fields column explains the data fields that can be configured for each option.
Notification: Display Popup Message
Description: This option causes the filter to display the Popup Notification form when receiving an
alert. This form states the name of the filter that is receiving the alerts, and that the filter’s alert
threshold has been met. From the form, the message recipient can choose to view the filter, to turn
off the pop-up form for that filter, or to turn off the pop-up form for all filters.
Fields:
• Notify on x alerts received. Type the number of alerts the filter must receive before displaying the
Popup Notification form.
• Repeat on x alerts received. If you want the pop-up form to appear again after receiving repeated
alerts, select the Repeat on check box. Then in the alerts received box, type how many more alerts
the filter should receive before issuing the pop-up form another time.

Notification: Display New Alerts As Unread
Description: This option displays new alerts in the filter with bold text. They remain bold until you
acknowledge them by clicking them or by opening them in the Event Explorer.
Fields: Not applicable
Notification: Enable Blinking Filter Name
Description: This option causes the filter name to blink in the Filters pane.
Fields:
• Color. Click the Color button to open the Blink Color form. Choose a color from one of the three
color palettes. Then click OK. The filter name will blink in this color.
• Time (ms). Move the slider to select the amount of time between blinks, in milliseconds.
• Notify on x alerts received. Type the number of alerts the filter must receive before the filter tab
begins blinking.
• Repeat on x alerts received. The filter tab stops blinking once you acknowledge it by selecting it.
If you want the tab to begin blinking again after receiving repeated alerts, select the Repeat on
check box. Then in the alerts received box, type how many more alerts the filter should receive
before it starts blinking again.
Notification: Play Sound
Description: This option causes the filter to play a sound upon receiving an alert.
Fields:
• Sound/Browse. To select a sound, click the Browse button. Then use the Open form to locate and
select the sound file that you want to use. Sound files must be of the .wav file type. When you are
done, the name of the file should appear in the Sound box. To test the sound, click the “play” button.
• Notify on x alerts received. Type the number of alerts the filter must receive before playing the
sound.
• Repeat on x alerts received. If you want the sound to play again after receiving repeated alerts,
select the Repeat on check box. Then in the alerts received box, type how many more alerts the
filter should receive before the filter plays the sound another time.
Tutorial: Configuring an alert filter
The following lessons explain how to configure an alert filter. You will create variations of a new alert
filter called Admin Logon/Failure After Hours. You will configure this alert filter to display alert
messages for any successful or failed attempt to log onto administrative accounts after normal
business hours.
These lessons illustrate how you can approach filters any number of ways to report only the alert
messages that are important to you.
Preparing for the lessons
Before you begin the examples, you will need to prepare several groups in the Build ► Groups view.
You will need to prepare one Time Of Day Set, one Alert Group, one User-Defined Group, and one
Tool Profile. Their practical use will become apparent as you work your way through each example.
For information on building Groups, see "Managing Groups" on page 216.
To prepare for the tutorial:
1. Create a Time Of Day Set that represents your company’s normal daily business hours and
name it Business Hours. For instructions, see "Configuring Time of Day Sets" on page 238.
2. Create a new Alert Group called Logon/Failure.
For its description, type User Logon or Logon Failure. In the Alerts list, locate and select
UserLogon and UserLogonFailure, and then click Save. This Alert Group represents any
successful or failed logon attempt. For instructions, see "Configuring Alert Groups" on page
221.
3. Create a User-Defined Group called Admin Accounts.
For its description, type Administrative-level Accounts. In the Elements list, configure an
administrator and a root element, and then click Save. This User-Defined Group represents
administrative accounts on your network. For instructions, see "Configuring User-Defined
Groups" on page 249.
4. Create a Tool Profile called Servers.
For its description, type Servers on my network. Add the Agents that represent several of
your servers, and then click Save. This Tool Profile represents your company’s servers. For
instructions, see "Configuring Tool Profiles" on page 241.
Now, on to the lessons for creating an alert filter!
Lesson 1: Creating a filter based on an alert
In this lesson, you will create a filter that reports the following:
• Any successful logon attempts that occur on an administrator account outside of normal
business hours, and
• Any failed logon attempts that occur on an administrator account within normal business
hours.
When you are finished, the filter’s final configuration will look like the one shown here.
Step 1: Naming the alert
First, we will name the filter and describe its behavior.
1. Open the Monitor view.
2. On the Filters pane, click the plus button and then click New Filter.
Filter Creation appears.
3. In the Name box, type Admin Logon/Failure After Hours.
4. In the Description box, type Logons or logon failures to the administrator account
outside of business hours.
Step 2: Capturing successful logon attempts outside of business hours
In this procedure, you will configure the filter to report successful logon attempts that occur outside of
normal business hours.
1. In the list pane, click the title bar of the Alerts list.
2. Click the button to list the alerts alphabetically.
3. In the text box, search for and then select UserLogon.
The Fields box below the Alerts list displays the various data fields that apply to this alert.
4. In the Fields box, select the DetectionTime field and drag it into the Conditions box.
5. In the list pane, click the Time of Day Sets title bar.
6. Select Business Hours and drag it to the Conditions box, to the right of the DetectionTime
field.
7. Click the operator between them and then click the “not contained in” symbol.
So far, the filter condition reads: “Report an alert if a logon occurs outside of business hours."
Step 3: Limiting the filter to Administrative accounts
Now, we will refine the filter to limit it to reporting activities that occur on Administrative accounts.
1. Click the Alerts list title bar and select UserLogon again.
2. In the Fields box, select DestinationAccount and drag it below the previous condition.
3. In the Conditions box, click the empty field to the right of the DestinationAccount field.
The field becomes an editable text box. You will use this text box to specify a constant—
specifically, the destination account that is being logged on to, which in this case is
“Administrator.”
4. In the text box, type *Administrator*.
5. If needed, click the operator between the DestinationAccount field and Administrator
constant until you see the “equal” sign.
At this point, the filter’s conditions read: “Report an alert if a logon occurs outside of business
hours AND the logon occurs on an account that equals the Administrator account.”
A note on wildcards (*)
Text box fields support wild cards. The asterisks (*) indicate that you want to match the string with
whatever comes before or after the string you enter here. The wildcards are not required, and depend
on the field that is being matched. However, they will usually achieve the desired result.
• Some fields are very short. In this case, if an exact match is desired, you would not use the
wildcards.
• If the value is a prefix to a range of data you want to match, you may only want to include a
trailing asterisk.
• If you are working with a field like eventinfo, which is associated with long text strings, you
would definitely want to use both a leading and a trailing asterisk.
Step 4: Capturing failed logon attempts during business hours
Now, we will expand the filter to report logon failures that occur on administrative accounts during
business hours.
First, we'll add a new group to contain the new set of conditions:
1. In the Alerts list, locate and select UserLogonFailure.
2. In the Fields box, select the DetectionTime field and drag it just below the existing group box.
[Figure: the Conditions box before and after adding the new group]
Note that we have added a new group, not a nested group. This new group will compare
directly to the previous group. A nested group would have defined a sub-set of conditions that
only applied to the previous group.
3. Click the Time of Day Sets list. Select Business Hours and drag it to the new condition, to
the right of the DetectionTime field.
4. Click the operator between them and select the “contained in” symbol, if it is not already
present.
This new condition reads: “Report an alert if a logon failure occurs within business hours.”
Now, we'll add a second condition to the group:
1. In the Alerts list, locate and select UserLogonFailure again.
2. In the Fields box, select DestinationAccount and drag it to the bottom of the new group box.
3. Click the empty field to the right of the new DestinationAccount field. Then in the Enter Text
Value form, type *Administrator*.
4. If needed, click the operator between the DestinationAccount field and Administrator
constant and then click the “equal” sign.
The new condition reads: “Report an alert if the logon failure occurs on an account that equals
the Administrator’s account.”
Together, the filter’s conditions read: “Report an alert if a successful logon occurs outside of
business hours AND it occurs on the Administrator account, OR if a logon failure occurs within
business hours AND it occurs on the Administrator account.”
5. Click Save to save the alert filter.
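The group logic laid out in "Examples of AND and OR conditions", the wildcard matching from "A note on wildcards", and the two-group filter built in this lesson can be modelled in a few lines so you can check what a given configuration would report before trusting it. The Python below is an added example for this guide's readers, not TriGeo code. The field names, the 09:00 to 17:00 Business Hours window, the case-insensitive User-Defined Group lookup and the sample alerts are constructed assumptions. It also evaluates the one-group Alert Group filter of Lesson 2 and the Admin Accounts variant of Lesson 3 against the same alerts, so the difference in what each variation reports is visible.

```python
"""Toy model of the Conditions-box logic described in this chapter.

Added example (not TriGeo code): a group is a list of conditions or
nested groups joined by AND or OR; a condition compares one alert
field to a text constant (with * wildcards), a Time of Day Set
(contained in / not contained in) or a User-Defined Group (is in /
is not in). Field names, the 09:00-17:00 window and the sample alerts
below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, time
from fnmatch import fnmatchcase
from typing import List


@dataclass(frozen=True)
class TimeOfDaySet:
    """A daily window [start, end), e.g. the tutorial's Business Hours set."""
    start: time
    end: time

    def contains(self, when: datetime) -> bool:
        return self.start <= when.time() < self.end


@dataclass(frozen=True)
class Condition:
    alerts: frozenset   # alert type(s) the field came from; an Alert Group is several
    field: str          # e.g. DetectionTime, DestinationAccount
    op: str             # "=", "!=", "in", "not in"
    rhs: object         # text constant, TimeOfDaySet, or frozenset of group elements

    def matches(self, event: dict) -> bool:
        # A field dragged from UserLogon says nothing about a UserLogonFailure alert.
        if event["alert"] not in self.alerts:
            return False
        value = event[self.field]
        if self.op in ("=", "!="):
            # Text constants accept leading/trailing * wildcards ("A note on wildcards").
            hit = fnmatchcase(str(value), str(self.rhs))
            return hit if self.op == "=" else not hit
        if isinstance(self.rhs, TimeOfDaySet):
            hit = self.rhs.contains(value)        # "contained in" a Time of Day Set
        else:
            hit = str(value).lower() in self.rhs  # "is in" a group (assumed case-insensitive)
        return hit if self.op == "in" else not hit


@dataclass(frozen=True)
class Group:
    op: str          # "AND" (the default for new groups) or "OR"
    members: tuple   # Conditions and/or nested Groups

    def matches(self, event: dict) -> bool:
        results = [m.matches(event) for m in self.members]
        return all(results) if self.op == "AND" else any(results)


def reported(filter_root: Group, events: List[dict]) -> List[int]:
    """Return the ids of the events the filter would report."""
    return [e["id"] for e in events if filter_root.matches(e)]


# Groups from "Preparing for the lessons" (window and elements assumed).
BUSINESS_HOURS = TimeOfDaySet(time(9, 0), time(17, 0))
LOGON = frozenset({"UserLogon"})
FAILURE = frozenset({"UserLogonFailure"})
LOGON_OR_FAILURE = LOGON | FAILURE                       # the Logon/Failure Alert Group
ADMIN_ACCOUNTS = frozenset({"administrator", "root"})    # the Admin Accounts group

# Lesson 1: (logon outside hours AND account = *Administrator*)
#        OR (failure inside hours AND account = *Administrator*)
LESSON1 = Group("OR", (
    Group("AND", (Condition(LOGON, "DetectionTime", "not in", BUSINESS_HOURS),
                  Condition(LOGON, "DestinationAccount", "=", "*Administrator*"))),
    Group("AND", (Condition(FAILURE, "DetectionTime", "in", BUSINESS_HOURS),
                  Condition(FAILURE, "DestinationAccount", "=", "*Administrator*"))),
))

# Lesson 2: one group built on the Alert Group (both alert types, outside hours only).
LESSON2 = Group("AND", (
    Condition(LOGON_OR_FAILURE, "DetectionTime", "not in", BUSINESS_HOURS),
    Condition(LOGON_OR_FAILURE, "DestinationAccount", "=", "*Administrator*"),
))

# Lesson 3, Step 2: the *Administrator* constant replaced by the Admin Accounts group.
LESSON3 = Group("AND", (
    Condition(LOGON_OR_FAILURE, "DetectionTime", "not in", BUSINESS_HOURS),
    Condition(LOGON_OR_FAILURE, "DestinationAccount", "in", ADMIN_ACCOUNTS),
))

# Constructed sample alerts (not real TriGeo output).
SAMPLE_EVENTS = [
    {"id": 1, "alert": "UserLogon", "DetectionTime": datetime(2010, 3, 1, 22, 15),
     "DestinationAccount": "Administrator"},
    {"id": 2, "alert": "UserLogon", "DetectionTime": datetime(2010, 3, 1, 10, 0),
     "DestinationAccount": "Administrator"},
    {"id": 3, "alert": "UserLogonFailure", "DetectionTime": datetime(2010, 3, 1, 10, 0),
     "DestinationAccount": "CORP\\Administrator"},
    {"id": 4, "alert": "UserLogonFailure", "DetectionTime": datetime(2010, 3, 1, 23, 0),
     "DestinationAccount": "Administrator"},
    {"id": 5, "alert": "UserLogon", "DetectionTime": datetime(2010, 3, 1, 23, 0),
     "DestinationAccount": "root"},
]

if __name__ == "__main__":
    for name, flt in (("Lesson 1", LESSON1), ("Lesson 2", LESSON2), ("Lesson 3", LESSON3)):
        print(name, "reports events", reported(flt, SAMPLE_EVENTS))
```

Running it shows why the lessons are variations rather than equivalents: Lesson 1's two groups report the after-hours logon (1) and the in-hours failure (3); Lesson 2's single Alert Group condition reports the after-hours logon and the after-hours failure (1 and 4) and drops the in-hours failure; Lesson 3 additionally picks up the after-hours root logon (5) because the constant was replaced by a group. The leading wildcard is what lets event 3's domain-prefixed account name match, as the wildcard note above explains.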
Lesson 2: Creating a filter based on an Alert Group
This lesson shows you how to simplify the creation of alert filters with the use of Alert Groups. You
will rebuild the alert filter you made in Lesson 1. But instead of using fields from the Alerts list, you
will use fields from the Alert Groups list. In particular, you will use the Alert Group you made earlier,
called Logon/Failure.
As you may recall, the Logon/Failure Alert Group covers both successful and failed logon attempts.
Therefore, you can use this Alert Group to represent successful and failed logon attempts at the same
time. When you are finished, the filter’s final configuration will look like the one shown here.
Step 1: Creating the filter
1. Open the Monitor view.
2. On the Filters pane, click the plus button and then click New Filter.
Filter Creation appears.
3. In the Name box, type Admin Logon/Failure After Hours #2.
4. In the Description box, type Logons or logon failures to the administrator account outside of business hours.
Step 2: Adding the first condition
1. Click the title bar of the Alert Groups list.
2. Locate and select Logon/Failure Alert Group. You can jump to the Ls by clicking within the
list and then typing L.
The Fields list displays the various data fields that apply to the Logon/Failure Alert Group.
3. In the Fields list, select DetectionTime and drag it into the Conditions box.
4. Click the Time of Day Sets list.
5. Select Business Hours and drag it to the Conditions box, to the right of the DetectionTime
field.
6. Click the operator between them until you see the “not contained in” symbol.
This condition reads: “Report an alert message if a successful or failed logon attempt occurs
outside of business hours.”
Step 3: Adding another condition
1. In the Alert Groups list, select Logon/Failure.
2. In the Fields list, select DestinationAccount and drag it to the bottom of the Conditions box.
3. Click the empty field to the right of the new DestinationAccount field. Then in the Enter Text
Value form, type *Administrator*.
4. If needed, click the operator between the DestinationAccount field and *Administrator*
constant until you see the “equal” sign.
The new condition reads: “Report an alert message if the successful or failed logon attempt
occurs on an account that equals the Administrator account.”
Together, the alert filter’s conditions read: “Report an alert if a successful or failed logon
attempt occurs outside of business hours AND the logon attempt occurs on the Administrator
account.”
5. Click Save to save the alert filter.
By using an Alert Group that represents both successful and failed logon attempts, we have
simplified the filter and greatly reduced the number of steps it takes to configure it.
Lesson 3: Adding Groups and notification settings
In this lesson, you will refine the filter you built in Lesson 2. You will do this by adding the following
items to the filter:
• A User-Defined Group called Admin Accounts will expand the filter to include logon events that occur on any administrative account.
• A Tool Profile called Servers will limit the alert messages to those that occur on servers.
• An alert notification format will cause the filter to blink and flash red whenever the filter reports an alert message.
When you are finished, the filter’s final configuration will look like the one shown here.
Step 1: Opening the alert filter to edit it
You only need to perform this procedure if you have already closed the filter you created in Lesson 2.
1. Open the Monitor view.
2. In the Filters pane, click My Filters.
3. Click Admin Logon/Failure After Hours #2.
4. On the Filters pane, click the button and then click Edit.
The Monitor view opens the filter in Filter Creation.
5. Click the Filters button to close the Filters pane.
Step 2: Adding a User-Defined Group
1. In the list pane, click the User-Defined Groups list.
2. Select Admin Accounts and drag it to the Conditions box, on top of the *Administrator*
constant.
3. If needed, click the operator between them until you see the “contained in”
symbol.
The Conditions box should look like the one shown here.
The alert filter’s conditions now read: “Report an alert if a successful or failed logon attempt
occurs outside of business hours AND the logon attempt occurs on ANY administrator
account.”
By using an Alert Group that represents both successful and failed logon attempts, and a User-Defined Group that represents all administrative accounts, we have simplified the filter and expanded its reach at the same time.
Step 3: Adding a Tool Profile
Now you will add a Tool Profile called Servers to the alert filter. The Tool Profile limits the alert
messages to those that occur on servers.
1. In the list pane, click the Alert Groups list.
2. Within the list, select Logon/Failure.
3. In the Fields box, click InsertionIP and drag it into the Conditions box, below the current
filter conditions. Insertion IP represents the Agent or Manager that is being accessed during
logon.
4. Click the Tool Profiles list.
5. Click Servers and drag it into the Conditions box, to the right of the InsertionIP field.
6. Click the operator between them and select the “contained in” symbol, if it is not already present.
The alert filter’s conditions now read: “Report an alert if a successful or failed logon attempt
occurs outside of business hours AND the logon attempt occurs on ANY administrator
account on ANY network server.”
By using combinations of Alert Groups, Time Of Day Sets, Tool Profiles, and User-Defined
Groups, you can quickly create filters that report very specific events.
Step 4: Adding alert notification settings
In this final step, you will configure the Notifications box to define how the Console is to alert a user
when the filter issues an alert message. In this example, we will configure the filter so when an alert
occurs, the filter name flashes and changes color.
To set up an alert notification:
1. In the list pane, click the Notifications list.
2. Drag Enable Blinking Filter Name into the Notifications box.
3. Click the Color button to open the color palette.
4. Click the blink color you want.
When an alert occurs, the filter name will blink in this color. If needed, you can close the color
palette by clicking outside of its box.
5. Move the Time (ms) slider to around 500. This is the amount of time between blinks, in milliseconds.
6. In the After x alerts received box, type or select 1. This is the number of alerts the filter must receive before the filter begins blinking.
In this case, once it is active, the filter will begin blinking after reporting one alert message.
You acknowledge the filter by clicking it in the Notifications pane, which opens the filter in the
alert grid and causes it to stop blinking.
7. Select the Repeat on x alerts received check box, and then type or select a value of 1.
This means you want the filter to begin blinking again after receiving the first message after
you acknowledged the last one. If you had typed a value of 5, the filter would begin blinking
again only after reporting five alert messages.
8. Click Save to save the filter configuration.
When you are finished, the Notifications box should look like the one shown above. The alert
filter will now behave as follows: Whenever the filter receives a new alert that matches its
conditions, the filter name will flash red. When you acknowledge the filter (by clicking in the
Notifications pane), it will stop blinking. However, it will begin to blink again upon receiving
the next alert that matches these conditions.
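The filter built in Lessons 2 and 3 and the notification settings from Step 4 can be modelled as plain logic, which makes it easier to check that the conditions really do AND together the way the Conditions box reads. The following Python is an added example and is not TriGeo code: the field names (DetectionTime, DestinationAccount, InsertionIP) and the building blocks (the Logon/Failure Alert Group, the Business Hours Time Of Day Set, the Admin Accounts User-Defined Group, the Servers Tool Profile) come from the lessons, while their contents, the alert type names and the sample alerts are constructed assumptions.

```python
"""Worked model of the 'Admin Logon/Failure After Hours #2' filter from
Lessons 2 and 3, plus the blink notification from Step 4.

Added example, not TriGeo code. Field names and building-block names follow
the manual; their membership and the sample alerts are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Alert Group "Logon/Failure": alert types covering successful and failed logons (assumed names).
LOGON_FAILURE_GROUP = {"UserLogon", "UserLogonFailure"}

# Time Of Day Set "Business Hours": Monday to Friday, 08:00-17:00 (assumption).
BUSINESS_DAYS = {0, 1, 2, 3, 4}                      # datetime.weekday(): Monday == 0
BUSINESS_START, BUSINESS_END = time(8, 0), time(17, 0)

# User-Defined Group "Admin Accounts" (constructed membership).
ADMIN_ACCOUNTS = {"Administrator", "root", "svc_backup_admin"}

# Tool Profile "Servers": Agents/Managers whose InsertionIP counts as a server (constructed).
SERVERS = {"10.0.0.5", "10.0.0.6"}


@dataclass
class Alert:
    alert_type: str
    DetectionTime: datetime
    DestinationAccount: str
    InsertionIP: str


def in_business_hours(t: datetime) -> bool:
    """'contained in' test against the Business Hours Time Of Day Set."""
    return t.weekday() in BUSINESS_DAYS and BUSINESS_START <= t.time() < BUSINESS_END


def matches_filter(a: Alert) -> bool:
    """The filter's conditions, ANDed together exactly as the Conditions box reads them."""
    return (
        a.alert_type in LOGON_FAILURE_GROUP              # alert belongs to the Logon/Failure Alert Group
        and not in_business_hours(a.DetectionTime)       # DetectionTime "not contained in" Business Hours
        and a.DestinationAccount in ADMIN_ACCOUNTS       # DestinationAccount "contained in" Admin Accounts
        and a.InsertionIP in SERVERS                     # InsertionIP "contained in" Servers
    )


def run_filter(alerts):
    """Return the alerts the filter would report, in arrival order."""
    return [a for a in alerts if matches_filter(a)]


class BlinkNotifier:
    """Step 4's 'After x alerts received' and 'Repeat on x alerts received' settings."""

    def __init__(self, after: int = 1, repeat: int = 1):
        self.after, self.repeat = after, repeat
        self.since_ack = 0          # alerts received since the last acknowledgement
        self.acknowledged = False   # has the user ever clicked the filter to acknowledge it?
        self.blinking = False

    def receive(self) -> bool:
        """Called once per reported alert; returns whether the filter name is now blinking."""
        self.since_ack += 1
        threshold = self.repeat if self.acknowledged else self.after
        if self.since_ack >= threshold:
            self.blinking = True
        return self.blinking

    def acknowledge(self) -> None:
        """Clicking the filter in the Notifications pane stops the blinking and resets the count."""
        self.blinking = False
        self.acknowledged = True
        self.since_ack = 0


# Constructed sample alerts (2010-06-12 is a Saturday, 2010-06-15 a Tuesday).
SAMPLE_ALERTS = [
    Alert("UserLogonFailure", datetime(2010, 6, 12, 2, 15), "Administrator", "10.0.0.5"),   # weekend, admin, server
    Alert("UserLogon",        datetime(2010, 6, 15, 10, 0), "Administrator", "10.0.0.5"),   # inside business hours
    Alert("UserLogon",        datetime(2010, 6, 15, 23, 30), "root",          "10.0.0.6"),  # late night, admin, server
    Alert("UserLogonFailure", datetime(2010, 6, 15, 23, 31), "jsmith",        "10.0.0.6"),  # not an admin account
    Alert("UserLogon",        datetime(2010, 6, 15, 23, 32), "Administrator", "10.0.1.20"), # workstation, not a server
    Alert("FileAudit",        datetime(2010, 6, 15, 23, 33), "Administrator", "10.0.0.5"),  # not a logon alert type
]


if __name__ == "__main__":
    notifier = BlinkNotifier(after=1, repeat=1)
    for a in run_filter(SAMPLE_ALERTS):
        print(f"{a.DetectionTime:%Y-%m-%d %H:%M} {a.alert_type:17} {a.DestinationAccount:14} "
              f"{a.InsertionIP:10} blinking={notifier.receive()}")
```

Of the six constructed alerts only the first and third are reported: each of the others fails exactly one of the four conditions, which is a quick way to confirm that the operators in the Conditions box were set to “not contained in” for the time set and “contained in” for the two groups.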
Chapter 7: Using Explorers
About the Explore view
The Console's Explore view contains several utilities, called explorers. You can think of this view as
a center for investigating alerts and their details.
Many of the explorers are utilities used for finding out more about alert specific details, such as
looking up IP addresses, domain names, and host names. The Event explorer lets you view all of the
events related to an alert message. It is designed to help you visualize how the alert occurred and the
system's response to that alert. You can follow the chain of events that caused the alert, and help
determine its root cause.
The Explore view also has a Respond menu that you can use from any of the explorers. Respond
allows you to take corrective action on an alert or other information presented in an explorer, such as
manually shutting down a workstation when you see a problem reported in the Console.
Types of explorers
The Console contains the following explorers.

Event: The Event explorer, which can only be opened from the Monitor view, allows you to view all of the events that are related to the alert that is currently selected in the Console. The Event explorer displays both sequential and concurrent events. That is, you can view the events that occurred before, during, and after the alert occurred. You can also monitor events in real time, to see where they came from and where they are going. Use this explorer when you need to know what caused the rule to fire.

Whois: The Whois explorer identifies the source of an IP address or domain name based on how it is registered with domain and network authorities. It can tell you where something is located physically in the world, and who actually owns the device you're searching for. For example, use this explorer if you need to know who owns a domain that corresponds to the IP that caused that rule to fire.

NSLookup: The NSLookup explorer resolves IP addresses to host names, and host names to IP addresses. Use this explorer to determine more information about a source or destination IP address. For example, use this explorer when you need to know a name that corresponds to the IP address that caused the rule to fire (it resolves a name like “trigeo.com” to an IP address).

Traceroute: The Traceroute explorer traces the network links from your host computer to the destination you specify. That is, it shows you the “hops” between your computer and the IP address of the destination. For example, use this explorer to determine the network connections between yourself and an IP that caused the rule to fire.

Flow Explorer: The Flow Explorer lets you perform flow analysis to determine which IP addresses or ports are generating or receiving the most network traffic. You can also analyze the volume of data (in bytes or packets) that is transferring to or from a given IP address or port number on your network. The explorer reports this information in easy-to-read graphs and tables. For example, if you see a strange IP address at the top of the Flow Explorer’s activity list, you can select the desired bar on the graph or a row in the table, and then choose the Whois explorer from the Explore menu to find out what that IP address is and why it is transmitting so much data.

nDepth Explorer: The nDepth Explorer is a search engine that is fully integrated with TriGeo explorers. It allows you to search data stored on the nDepth appliance from the TriGeo SIM. You can use the nDepth Explorer to conduct custom searches, to send data discovered from the nDepth Explorer to other TriGeo explorers, and to initiate searches with the nDepth Browser. To do so, select the text string that interests you, and then select an explorer (Whois, Traceroute, etc.) from the Explore menu.

nDepth Browser: The nDepth Browser is a self-contained browser that provides direct access to the nDepth appliance. This interface lets you search, explore, alert, and report on all your data in real time. You can also save, reuse, and share custom search strings.
The following sections describe each of these explorers in detail.
Explore view features
The Explore view
The following table describes the key features of the Explore view.
History pane: The History pane displays a record of your explorer viewing history. Selecting an item in the history list displays the corresponding explorer event in the Explorer pane. Click the History button to alternately show and hide the History pane. When needed, you can delete individual history items from the history list. The Reset button lets you remove all items from the history list. For more information, see "Using the History pane" on page 189.

Explorer pane: The Explorer pane shows the explorers that are currently open. You can have multiple explorers open at the same time.

Cascade button: This button arranges the open explorer windows so they appear in an organized “cascade.” Their title bars are all visible, but the windows are all stacked, one on top of another. The active explorer is at the front of the stack.

Respond menu: This menu lets you take action to respond to the alert or alert field that is the subject of the active explorer. You can also use the Respond menu to take action even when no explorer windows are open or active. This menu behaves exactly as it does in the Monitor view’s alert grid. For more information, see "Responding to alert messages" on page 83.

Explore menu: This menu contains options to open the other explorers. You can use it to further explore the alert message or alert field that is the subject of the active explorer. Or you can open a blank explorer to manually enter the item you want to explore.

Explorer windows: The explorers you are working with appear as individual windows within the Explorer pane. You can minimize, resize, and close each explorer window, as needed.

Minimized explorers: Any explorers that you have minimized appear at the bottom of the Explorer pane as a title bar. Simply click a title bar to reopen that explorer.
Using the Event explorer
The Event explorer, which can only be opened from the Monitor view, lets you view all of the
events that are related to the alert message currently selected in the Console. The Event explorer
displays both sequential and concurrent events. That is, you can view the events that occurred
before, during, and after the alert message occurred. You can also monitor events in real time, to see
where they came from and where they are going.
The Event explorer
You can explore events for any alert in the Console. When you explore an alert, the Console makes a
request to the TriGeo Manager to determine which events are related to that alert. The Event explorer
then displays a summary of events that occurred before, during, and after the system issued the alert.
The Event explorer shows only those events that relate to the alert that you selected. That is, it
shows the event that triggered the alert, and any events that occurred because of that alert (such as a
response, notification, other alert, etc.).
With its straightforward graphical display, the Event explorer can help you visualize how an alert
occurred and the system’s response to that alert. You can follow the chain of events that caused the
alert, and help determine its root cause.
Opening the Event explorer
You can only open the Event explorer from the Monitor view’s alert grid. You may explore any alert
that appears in the grid.
To open the Event explorer:
1. In the Monitor view’s alert grid, click to select the alert you want to explore.
2. In the alert grid’s Explore menu, click Event.
The Explore view opens, showing the Event explorer. The Event explorer shows all of the
events that are associated with the alert you are exploring. The event that you are currently
focusing on appears in the History pane. In this case, it is the alert itself.
Features of the Event explorer
The Event explorer has three main sections – the information pane, the event map, and the event grid.
Key features of the Event explorer
The following table describes the key features of each section. The following topics explain how to
use each feature in detail.
Alert Details button: Click this button to alternately open and close the Alert Details pane.

Alert Details pane: The Event explorer's Alert Details pane displays information about the event that is currently selected in the event map or the event grid.
• It provides detailed information about the event.
• It displays a written definition of the alert.
• It allows you to create a new filter based on the alert.
• You can also copy text from this pane and paste it into explorers to explore specific data.
This pane works exactly like the Alert Details pane in the Monitor view. For details, see "Using the Alert Details/Alert Description pane" on page 80.

Event map: The event map displays a graphical view of the event you are exploring, as well as the related events that came before and after the central event. The event you are exploring appears in the middle. Prior events appear to the left. Events that follow appear to the right. You can double-click any event to move that event to the middle, which allows you to view its relationship with other events. For more information, see "Using the event map" on page 165.

Stop: Click Stop to cancel an explorer lookup at any time.

Next/Previous: You can step through the events in the map by clicking the Next and Previous buttons.

Pane divider: Drag this bar up or down to resize the event map and event grid panes.

Event grid: The event grid provides a tabular version of the event map. The events are listed chronologically, from earliest to latest. Clicking an event in the grid highlights the corresponding item in the event map. The information pane also changes to show information about the event you have selected. You can sort the grid by each of its columns, so long as you click Pause first. To learn how to sort a grid, see "Sorting a grid by its columns" on page 34.

Scroll bars: The vertical and horizontal scroll bars let you quickly scroll through the information pane, larger event maps, and the event grid. For example, you can use the event grid’s scroll bars to view the full range of events and all of the data associated with each event.
Using the event map
The top section of the Event explorer is called the event map. The event map displays a graphical
view of the event you are exploring, as well as related events that came before and after the central
event. Each event in the map can be thought of as a node that links to other events.
When you first open an alert in the Event explorer, that alert is always the central event in the event
map. However, you can double-click any related event to move that event to the center of the map.
This lets you see the events that came before and after that event. In this way, you can move through
the entire chain of events to analyze the relationships between them.
In the example shown here, we are exploring an internal rule that fired after a series of
WebTrafficAudit events. The rule then triggered the HTTPClientAccess alert.
Reading an event map
• Read the map from left to right.
• The Event explorer always places the event you are currently exploring in the middle of the map.
• Related events prior to the central event appear to the left. These events “caused” the event you are exploring. If there are no prior events, this appears as a box labeled None.
• Related events that follow the central event appear to the right. These events followed or were “caused by” the central event. These are the various system responses (if any) that were triggered by the central event. If there are no events that follow, this appears as a box labeled None.
• If the same event occurs multiple times, they appear together in a box, like the one shown above for the prior events. In this example, WebTrafficAudit occurred 10 times before triggering the rule, so they are grouped together. You can use the scroll bar to view each event. You can also select each event in the box to view information about it in the information pane.
• Click an event in the event map to highlight the corresponding item in the event grid. The information pane also changes to show information about the event you have selected.
Selecting an event from the event map
• Double-click an event in the event map to move that event to the center position. The map then displays the related events that came before and after the new central event. As before, events prior to the central event appear to the left; events that follow the central event appear to the right.
When you select a new central event, the information pane changes to show information about
that event. The event grid also refreshes to reflect the new central event.
• Click Prev (previous) to move the previous event in the map to the center position.
• Click Next to move the next event in the map to the center position.
• Click Stop to cancel an explorer lookup at any time.
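The layout rules above (central event in the middle, “caused” events to the left, “caused by” events to the right, repeats grouped into one box, a None box for an empty side, and Next/Prev moving the centre) are easier to reason about as a small data structure. The following Python is an added example, not TriGeo code: the chain follows the manual's description (ten WebTrafficAudit events trigger an internal rule, which raises an HTTPClientAccess alert), while the event ids, the caused_by links and the final block command are constructed assumptions standing in for what the TriGeo Manager returns when the Console requests related events.

```python
"""Model of the Event explorer's event map and event grid: the central event,
prior and following events, grouping of repeats, the Order column, and
Next/Prev navigation.

Added example, not TriGeo code. The event chain is constructed to match the
manual's WebTrafficAudit -> rule -> HTTPClientAccess description.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Event:
    id: int                 # ids increase chronologically (assumption)
    kind: str               # "alert", "rule" or "command", as in the map legend
    name: str
    caused_by: list = field(default_factory=list)   # ids of the events that led to this one


def build_sample_chain() -> dict:
    """Constructed chain: 10 WebTrafficAudit alerts -> rule -> HTTPClientAccess alert -> command."""
    events = {i: Event(i, "alert", "WebTrafficAudit") for i in range(1, 11)}
    events[11] = Event(11, "rule", "HTTP Client Access rule", caused_by=list(range(1, 11)))
    events[12] = Event(12, "alert", "HTTPClientAccess", caused_by=[11])
    events[13] = Event(13, "command", "Block IP (active response)", caused_by=[12])
    return events


def prior_events(events: dict, central_id: int) -> list:
    """Events to the left of the central event: those that 'caused' it."""
    return [events[i] for i in events[central_id].caused_by]


def following_events(events: dict, central_id: int) -> list:
    """Events to the right: those 'caused by' the central event (responses, further alerts)."""
    return [e for e in events.values() if central_id in e.caused_by]


def boxed(evs: list) -> dict:
    """Repeats of the same event share one box with a count; an empty side is the 'None' box."""
    return dict(Counter(e.name for e in evs)) if evs else {"None": 0}


def event_map(events: dict, central_id: int) -> dict:
    """The map read left to right: prior box(es), central event, following box(es)."""
    return {
        "prior": boxed(prior_events(events, central_id)),
        "central": events[central_id].name,
        "following": boxed(following_events(events, central_id)),
    }


def ancestors(events: dict, eid: int) -> set:
    """All events transitively upstream of eid (everything the chain saw before it)."""
    seen, stack = set(), list(events[eid].caused_by)
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(events[p].caused_by)
    return seen


def order_icon(events: dict, central_id: int, other_id: int) -> str:
    """Event grid Order column: where other_id sits relative to the central event."""
    if other_id == central_id:
        return "during"
    if other_id in ancestors(events, central_id):
        return "before"
    if central_id in ancestors(events, other_id):
        return "after"
    return "unrelated"      # not part of this alert's chain, so it would not appear in the grid


def next_central(events: dict, central_id: int) -> int:
    """Next button: move the chronologically following event to the center, if there is one."""
    ordered = sorted(events)
    i = ordered.index(central_id)
    return ordered[i + 1] if i + 1 < len(ordered) else central_id


def prev_central(events: dict, central_id: int) -> int:
    """Prev button: move the preceding event to the center, if there is one."""
    ordered = sorted(events)
    i = ordered.index(central_id)
    return ordered[i - 1] if i > 0 else central_id


if __name__ == "__main__":
    chain = build_sample_chain()
    centre = 12                                  # opened the HTTPClientAccess alert from the alert grid
    print(event_map(chain, centre))
    centre = prev_central(chain, centre)         # Prev (or double-click): the rule becomes central
    print(event_map(chain, centre))
```

With the rule as the central event the prior box reads WebTrafficAudit with a count of 10 and the following box reads HTTPClientAccess, which is the picture the manual describes; moving to the first WebTrafficAudit event shows the None box on the prior side.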
Event map legend
Events that appear in the event map can be alerts, rules, or commands (system responses to an
event). Each type of event in the map has its own icon. The following table explains each icon.
• An alert from the Audit Alerts tree.
• An alert from the Security Alert tree.
• An alert from the Asset Alert tree.
• An alert from the Incident alert tree.
• An alert from the Internal Alert tree that is not related to rules or active response activity.
• An internal command that indicates the system has taken action to respond to an event.
• Rule activity, either from a rule in test mode, or from a rule that has initiated an actual active response.
Using the event grid
The event grid lists all of the events that appear in the event map in a tabular form. Events are listed
chronologically, from the earliest event (top) to the latest event (bottom). The grid is useful for
comparing events and for exploring event data.
The event grid’s Order column icons indicate when each event occurred, as described in the
following table.
• The event occurred before the central event shown in the event map.
• The event occurred during (as part of) the central event.
• The event occurred after the central event shown in the event map.
The columns in the event grid show detailed information about the alert. The columns vary, depending
on the alert you are viewing. For a description of each data field that can appear in the grid, see
"Table of alert data fields" on page 557.
Viewing information in the event grid
• Click an event in the grid to highlight the corresponding item in the event map. The information pane also changes to show information about the event you have selected.
Select an item in the grid to see its alert details and its position in the event map
• When needed, you can use the vertical scroll bar to view all of the events.
• Use the horizontal scroll bar to view all of the data fields associated with a particular event. This same data also appears in the information pane, but as text.
• Click an individual cell in the grid to explore that field.
• Point to an individual cell in the grid to see a ToolTip that displays the complete contents of the cell.
Exploring from the event grid
1. In the event map or the event grid, select the event you want to explore.
2. In the event grid, select the specific field you want to explore.
3. In the Explore menu, select the explorer you want to work with.
The explorer appears, with the field data you selected appearing in the Search box.
4. If you are using the nDepth Explorer, click Search. The other explorers begin searching automatically.
Responding to an event from the event grid
You can use the event grid to perform an active response to a particular event.
To respond from the event grid:
1. In the event map or the event grid, select the event you want to respond to.
2. In the event grid, select the specific field you want to respond to.
3. In the Respond menu, select the response you want.
4. Complete the Respond form. See the "Actions table" on page 313 for details on configuring
each response.
Using the Alert Details pane
In the Event explorer, the upper-left pane is called the Alert Details pane. It has two different views
to show the properties of the alert that is currently selected in the event map or the event grid:
• The Alert Details view displays detailed information about the alert that is currently selected in the grid. If more than one alert is selected, it shows the properties of the last alert to be selected.
• The Alert Description view displays a written description of the last alert to be selected in the grid.
You can also use this pane to create a filter based on the selected alert, to scroll through the contents
of the event grid, or to explore specific alert data with other TriGeo explorers.
Opening and closing the Alert Details pane
You can open and close the Event explorer’s Alert Details pane in one of two ways:
• Click the event map’s Alert Details button.
• Position your pointer over the two thin lines next to the Alert Details pane (or, if the pane is closed, next to the left side of the event map). When the pointer turns into a double-headed arrow, double-click to open or close the pane.
When the Alert Details pane opens, it shows information about the alert that is currently
selected in the event map or event grid.
Viewing an event’s alert details
To view detailed information about a particular alert or event, do one of the following:
• Click the event in the event map.
• Click the event in the event grid.
The Alert Details pane displays information about the event you selected.
Using the Alert Details toolbar
The following table explains how to use the toolbar at the top of the Alert Details pane.
• Click this button to create a new filter that captures the currently selected alert type. Upon doing so, the Monitor view opens, with the new filter open in the alert grid. The new filter appears in the Filters pane, under the last selected filter. If needed, you can edit the filter so it captures alerts of an even more specific nature. See "Editing an existing filter" on page 89.
• Click these buttons to move up and down among the alerts in the event grid. The pane shows detailed technical information about each alert that is selected. This lets you view the technical details and written descriptions of each alert in the grid. Remember, you can also use your keyboard's up (↑) and down (↓) arrow keys:
  ◦ To cycle through the alerts in the alert grid, click anywhere in the event grid. Then use your up and down arrow keys.
  ◦ To cycle through the fields in the Alert Details pane, click anywhere in the Alert Details grid. Then use your up and down arrow keys.
• Click this button to open the pane’s Alert Details view. This view shows detailed information about each of the selected alert's data fields. The actual fields that appear here vary, according to the alert type that is currently selected. For example, network-oriented alerts show fields for IP addresses and ports. Account-oriented alerts show account names and domains. For a description of each alert field that can appear in the Alert Details view, see "Table of alert data fields" on page 557.
• Click this button to open the pane’s Alert Description view, which provides a detailed written description of the alert type that is currently selected.
Exploring from the Alert Details pane
1. In the event map or the event grid, select the event you want to explore.
2. In the Alert Details pane's Information column, click the alert field you want to explore.
3. In the Explore list, select the explorer you want to work with.
The explorer appears, with the field data you selected appearing in the Search box.
4. If you are using the nDepth Explorer, click Search. The other explorers begin searching automatically.
Using the NSLookup, Traceroute, and Whois explorers
The NSLookup, Traceroute, and Whois explorers all have different functions, but they all behave the
same way. Therefore, their functions and behavior are explained here together.
You can explore with NSLookup, Traceroute, and Whois several different ways:
• You can explore directly from an alert filter.
• You can explore from the Event explorer’s event map, event grid, or information pane.
• You can explore from other explorers.
• You can manually explore a particular data source by typing its IP address, destination IP address, host name, or domain name.
About the NSLookup explorer
The NSLookup explorer is a network utility that is designed to resolve IP addresses to host names,
and host names to IP addresses. Use this explorer whenever you need to know a name that
corresponds to the IP address that caused the rule to fire. For example, it resolves a name like
“trigeo.com” to an IP address.
In the example shown here, we opened the NSLookup explorer for an alert field that has an IP
address of 192.168.168.10 (which appears in the Search field). The explorer retrieved the
corresponding host name, which is grendel.corp.trigeo.com.
Opening the NSLookup explorer adds an item to the Explore view’s History pane. The new item has an NSLookup explorer icon.
About the Traceroute explorer
The Traceroute explorer is a network utility that is designed to trace the network links from your host
computer to the destination you specify. Use this explorer whenever you need to determine the
network connections between yourself and the IP address that caused the rule to fire.
In the example shown here, we used the Traceroute explorer on the IP address of 192.168.167.1. It
shows you the “hops” between your computer and that IP address. In this example, connecting to that
IP address required two “hops.”
Opening the Traceroute Explorer adds an item to the Explore view’s History pane. The new item has a Traceroute explorer icon.
About the Whois explorer
The Whois explorer is a network utility that is designed to identify the source of an IP address or
domain name based on how it is registered with domain and network authorities. This explorer
contacts the central databases for IP addresses and domain names and returns the results of any of
your searches. It can tell you where something is located physically in the world, and who actually
owns the device you’re searching for. For example, use this explorer if you need to know who owns a
domain that corresponds to the IP address that caused a rule to fire.
The example on the left shows the results for an IP address. The example on the right shows the
results for the TriGeo domain name, trigeo.com. From these, you can find out who owns the IP
address and where the server is hosted.
Opening the Whois Explorer adds an item to the Explore view’s History pane. The new item has a Whois explorer icon.
Exploring from the alert grid
1. In the Monitor view’s alert grid, click the alert message you want to explore.
2. To explore a particular field, click the corresponding cell in the grid.
3. In the alert grid’s Explore menu, select the explorer you want to work with.
The Console’s Explore view appears, showing the explorer you have selected. The explorer
provides information on the item you are exploring, and adds a new entry to the History pane.
Exploring from the Event explorer
For information on using the NSLookup, Traceroute, and Whois explorers with the Event explorer,
see "Exploring from the event grid" on page 171 and "Exploring from the Alert Details pane" on page
173.
Exploring from other explorers
Once an explorer is open, you can continue exploring its search results with any of the other
explorers.
To continue exploring:
1. In an open explorer window, click and drag to select the IP address, host name, or domain
name you want to explore.
2. In the Manager list, select the Manager you want to explore from, if different from the one
shown.
3. In the Explore menu, select the explorer you want to use.
The new explorer opens with the item you selected appearing in the Search box. It
automatically begins searching for that item.
Manually exploring an item
At any time, you can manually explore an IP address, host name, or domain name. You can do this by
opening a new, empty explorer, or by typing directly into the Search box of an explorer that is already
open.
To manually explore an item:
1. Open the Console’s Explore view or the Monitor view.
2. In the Explore menu, select the explorer you want to work with.
The explorer you selected appears. In this case, the explorer is blank because you did not
open it from an alert, an event, or another explorer.
Note: You can also perform this procedure from an explorer that is already open.
3. In the Manager list, select the Manager you want to explore from, if different from the one
shown.
4. In the Search box, type the IP address, host name, or domain name you want to explore.
5. Click Search.
The explorer provides information on the item you are exploring, and adds a new entry to the
History pane.
Canceling an explorer lookup
• You can cancel an explorer lookup at any time by clicking the Stop button.
Using the Flow Explorer
The Flow Explorer lets you perform flow analysis to determine which IP addresses or ports are
generating or receiving the most network traffic. You can also analyze the volume of data (in bytes or
packets) that is transferring to or from a given IP address or port number on your network. The
explorer reports this information in easy-to-read graphs and tables.
This is how it works. The TriGeo SIM has a “collector” that gathers flow data from routers, switches,
and other flow-enabled devices, and puts this information in a database. The Flow Explorer then
queries this database to find out what is happening on your network.
The explorer then reports which IP addresses or port numbers are generating or receiving the most
activity, and the volume of their data.
If you see something unusual, you can use the Flow Explorer to open other explorers. For example, if
you see a strange IP address at the top of the activity list, you can click the address and select
Whois from the Explore menu to find out who that IP address belongs to and why it is transmitting so
much data. You can also use the Respond menu to take action on any items that are reported by the
Flow Explorer.
Each time you perform a flow analysis, a new item representing the search is added to the History
pane.
Opening the Flow Explorer
The Flow Explorer always opens with its default settings. It is used to configure your own flow
analysis query of the IP addresses or ports that are generating or receiving the most network traffic.
To open the Flow Explorer from the Monitor view:
• In the Monitor view’s Explore menu, click Flow Explorer.
The Explorer view opens, showing the Flow Explorer with its default settings.
To open the Flow Explorer from the Explorer view:
• In the Explorer view’s Explore menu, click Flow Explorer.
The Flow Explorer opens with its default settings.
Flow Explorer features
The Flow Explorer
The Flow Explorer has three main sections:
• The Analysis Configuration form lets you configure a query to the flow database to find out what is happening on your network. For more information, see "Configuring a Flow Explorer query" on page 183.
• The Analysis Results graph displays flow analysis data in a graphic format. The graph also provides access to other explorers and lets you respond to events with specific actions.
• The Analysis Results grid displays flow analysis data in a tabular format. You can sort the columns of this grid, which in turn updates the graph. The grid also provides access to other explorers and lets you respond to events with specific actions.
Note: The Flow Explorer does not show any Analysis Results information until you perform a
query.
Flow Explorer history
Every time you perform a new flow analysis with the Flow Explorer, it adds a new item to the
Explorer view’s History pane.
History item for the Flow Explorer
The history item provides detailed information about the flow analysis:
• The number preceding the item is the Maximum in Table setting. This is followed by the Endpoint and Top Talker choices. So, a history item might read as follows: (20) Top By Destination IP.
• Pointing to the history icon opens a ToolTip that displays the query’s Start and End dates and times, and whether the query was sorted by Bytes or Packets.
If you click an earlier Flow Explorer history item, the Flow Explorer’s Analysis Configuration and
Analysis Results areas refresh to appear as they did for that query. If you change anything in the
Flow Explorer for an earlier query and then click Analyze, the analysis becomes a new history item.
Configuring a Flow Explorer query
This topic explains how to use the Flow Explorer’s Analysis Configuration form to configure (or
reconfigure) a flow analysis query.
To configure a query:
1. At the top of the Flow Explorer, click Configure to open the Analysis Configuration form, if
it is not already showing.
2. Complete the Analysis Configuration tab as described in the following table.
Manager: Select the Manager you want to query. This list only includes flow-enabled Managers.
Note: To enable flow, use the CMC command enableflow. It enables the SIM appliance to collect data and the Manager to perform analysis against the database. For information on this CMC command, see "Using the CMC 'service' menu" on page 569.
Flow Time: In the drop-down list, select the timeframe for which you want to query the flow data. By default, the form opens with the flow time set for the last hour (the end time is now, and the start time is one hour ago).
Creating custom timeframes: To create a custom timeframe, select Custom range in the Flow Time list. Then, in the From and To boxes, type or select the start date and time, and the end date and time, respectively. If you type a timeframe, you must use the date and time format shown on the form. Or you can click each box’s time button to open a calendar that lets you select the date and time of your choice. You can use your keyboard’s up, down, right, and left arrows to move within the calendar and to select a time. To close the calendar, click anywhere outside of its boundary.
Top Talker: The “top talkers” are the most significant or active communicators on your network. Choose how you want to aggregate (gather and report) your network’s top talkers:
• Click By IP to aggregate the flow data by IP address.
• Click By Port to aggregate the flow data by port number.
Endpoint: Choose how you want to aggregate (gather and report) the top talker flow data:
• Click Source to aggregate by source IP address or port number.
• Click Destination to aggregate by destination IP address or port number.
Order by: Select the value by which you want to sort the graph and table: Bytes (kB) or Packets. Both values will appear in the report. This just defines how the report is to be sorted.
Maximum in Graph: Type or select the number of items that you want to appear in the results graph. The maximum is 50.
Maximum in Table: Type or select the number of items that you want to appear in the results table. The maximum is 1000.
3. Click Analyze.
The Analyzing status bar appears while the Flow Explorer submits your query to the TriGeo
SIM. After a few moments, the Flow Explorer’s Analysis Results appear, displaying the
results of your query. In addition, a new item representing the search appears in the History
pane.
Flow analysis configuration and report combinations
This is a list of the various flow analysis combinations that you can query and report on with the Flow
Explorer, where:
X = the number of results that appears in the graph, and
Y = the number of results that appear in the table
Top X,Y by Source IP by Bytes
Top X,Y by Source IP by Packets
Top X,Y by Destination IP by Bytes
Top X,Y by Destination IP by Packets
Top X,Y by Source Port by Bytes
Top X,Y by Source Port by Packets
Top X,Y by Destination Port by Bytes
Top X,Y by Destination Port by Packets
Interpreting the Analysis Results graph
The Flow Analysis graph and table are called the Analysis Results section
The Flow Explorer’s Analysis Results section displays a graphical version of your query results. The graph has the following features:
• The numbers to the left of the bars show the “top talker” IP addresses or port numbers, based on your query options.
• The orange bars, the scale at the bottom of the graph, and the graph title all identify and measure your Order By query option.
• The green bars and the scale at the top of the graph identify and measure the other Order By option.
• Pointing to a bar displays the actual number of kilobytes or packets associated with that item.
Note: The graph shows only the top results of your query. The Analysis Results table shows results
up to the Maximum in Table value.
In the example shown here, the query sorted the report by packets. So the orange bars and the
bottom scale are for packets. The green bars and the top scale are for kilobytes.
Interpreting the Analysis Results grid
The Explorer’s Analysis Results grid displays your query results in tabular form. The actual columns
that appear in the grid depend on the query options you selected.
Grid columns
The following table describes each column that can appear in the Analysis Results grid.
Source IP: The IP address the network traffic is coming from.
Destination IP: The IP address the network traffic is going to.
Source Port: The port number the network traffic is coming from.
Destination Port: The port number the network traffic is going to.
Service: Displays a service name based on the registered ports database. This is a “friendly” name, such as “HTTP” instead of “port 80”. If a port does not have a registered name, it appears as “Unassigned”.
Packets: Displays the number of packets that are being transmitted from the reported IP addresses or over the given port (from the source, or to the destination, depending on what you selected).
Bytes (kB): Displays the quantity of bytes (in kilobytes) that are being transmitted from the reported IP addresses or over the given port (from the source, or to the destination, depending on what you selected).
Protocol Name: Displays the protocol used in this result, such as ICMP, TCP, or UDP.
Sorting the Analysis Results grid
You can sort the Analysis Results grid by any of its columns by clicking its column headers. Doing
so also changes how the graph is sorted.
For example, if you click the Packets column header once, it sorts the Packets column in descending
order. If you click it again, it sorts the column in ascending order. In each case, the graph changes to
reflect each change in sort order.
You can also sort the grid by more than one column. For information on sorting grids, see "Sorting a
grid by its columns" on page 34.
Note: Sorting the grid causes the graph to refresh, to reflect the grid’s new data arrangement.
Because the graph always shows the top results from the grid, sorting lets you use the graph to view
and compare different sets of data.
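The Flow Explorer’s query options, the grid columns, and column sorting described above, as an added illustration in Python that is not TriGeo’s code: the function aggregates constructed flow records into top talkers by the chosen Top Talker, Endpoint and Order by settings, derives the Service column from a constructed subset of the registered-ports table, and re-sorts the grid the way clicking a column header does. The record field names, the REGISTERED_PORTS subset and the function names are assumptions.

```python
"""Top-talker flow analysis modelled on the Flow Explorer's Analysis
Configuration form. Added illustration, not TriGeo code: the flow records,
their field names and the REGISTERED_PORTS subset are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed subset of a registered-ports database (the real explorer
# consults a fuller one); any port not listed is reported as "Unassigned".
REGISTERED_PORTS = {22: "SSH", 53: "DNS", 80: "HTTP", 443: "HTTPS"}

NOW = datetime(2010, 6, 1, 12, 0, 0)  # fixed "now" so the example is repeatable

# Constructed flow records as a collector might store them (bytes are raw;
# the grid reports them in kB). The last record lies outside the default
# one-hour Flow Time window and must be ignored by the query.
FLOWS = [
    dict(time=NOW - timedelta(minutes=5), source_ip="10.0.0.5", source_port=51000,
         destination_ip="203.0.113.9", destination_port=443, protocol="TCP",
         bytes=1_600_000, packets=1200),
    dict(time=NOW - timedelta(minutes=20), source_ip="10.0.0.5", source_port=51001,
         destination_ip="203.0.113.9", destination_port=443, protocol="TCP",
         bytes=500_000, packets=400),
    dict(time=NOW - timedelta(minutes=30), source_ip="10.0.0.7", source_port=52000,
         destination_ip="203.0.113.9", destination_port=80, protocol="TCP",
         bytes=300_000, packets=3000),
    dict(time=NOW - timedelta(minutes=45), source_ip="10.0.0.8", source_port=40000,
         destination_ip="198.51.100.2", destination_port=53, protocol="UDP",
         bytes=4_000, packets=40),
    dict(time=NOW - timedelta(hours=2), source_ip="10.0.0.5", source_port=51002,
         destination_ip="203.0.113.9", destination_port=8080, protocol="TCP",
         bytes=9_000_000, packets=9000),
]


def flow_time_last_hour(now=NOW):
    """Default Flow Time: the end time is now, the start time is one hour ago."""
    return now - timedelta(hours=1), now


def service_name(port):
    """Service column: friendly name from the registered ports, else Unassigned."""
    return REGISTERED_PORTS.get(port, "Unassigned")


def sort_rows(rows, column, descending=True):
    """Re-sort the grid by a column header; the graph is always the top of the grid."""
    return sorted(rows, key=lambda r: r[column], reverse=descending)


def top_talkers(flows, start, end, endpoint="source", by="ip",
                order_by="bytes", max_graph=10, max_table=100):
    """Aggregate flows within [start, end] the way the Flow Explorer does.

    by:       "ip" or "port"             (Top Talker option)
    endpoint: "source" or "destination"  (Endpoint option)
    order_by: "bytes" or "packets"       (Order by option)
    Returns (graph_rows, table_rows): the table holds up to max_table rows
    and the graph is the top max_graph rows of the table.
    """
    if endpoint not in ("source", "destination") or by not in ("ip", "port"):
        raise ValueError("invalid Top Talker / Endpoint choice")
    if order_by not in ("bytes", "packets"):
        raise ValueError("Order by must be bytes or packets")
    max_graph, max_table = min(max_graph, 50), min(max_table, 1000)  # form limits
    key_field = f"{endpoint}_{by}"  # e.g. "destination_port"
    totals = defaultdict(lambda: {"bytes": 0, "packets": 0, "protocols": set()})
    for f in flows:
        if not (start <= f["time"] <= end):
            continue  # outside the Flow Time window
        t = totals[f[key_field]]
        t["bytes"] += f["bytes"]
        t["packets"] += f["packets"]
        t["protocols"].add(f["protocol"])
    rows = []
    for key, t in totals.items():
        row = {key_field: key, "packets": t["packets"],
               "kb": round(t["bytes"] / 1024, 1),  # Bytes (kB) column
               # Protocol Name column; joining several protocols is an assumption
               "protocol": "/".join(sorted(t["protocols"]))}
        if by == "port":
            row["service"] = service_name(key)  # Service column, port queries only
        rows.append(row)
    table = sort_rows(rows, "kb" if order_by == "bytes" else "packets")[:max_table]
    return table[:max_graph], table


if __name__ == "__main__":
    start, end = flow_time_last_hour()
    graph, table = top_talkers(FLOWS, start, end, endpoint="destination", by="port",
                               order_by="bytes", max_graph=2, max_table=20)
    for row in table:  # "Top 2,20 by Destination Port by Bytes"
        print(row)
```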
Exploring flow analysis results
You can pass a port number or IP address from the Flow Explorer’s Analysis Results graph or grid to
another explorer.
To explore flow results:
1. In the Analysis Results graph or grid, click the port number or IP address you want to explore.
2. In the Explore menu, select the explorer you want to work with.
The explorer you selected opens, exploring the item you have selected.
Responding to flow analysis results
You can respond to any port number or IP address that is reported by the Flow Explorer’s Analysis
Results graph or grid.
To respond to flow results:
1. In the Analysis Results graph or grid, click the port number or IP address you want to respond
to.
2. In the Respond menu, select the active response you want to take.
The Respond form opens, so you can configure the appropriate response. For more
information, see "Responding to alert messages" on page 83.
Using the History pane
You can do a lot of things with the Explore view’s History pane:
• You can hide the pane and then reopen it when you need it.
• You can remove individual items or all of the items from the list.
• You can point to a history icon to open a ToolTip to find out more about that history item.
• But most importantly, you can re-open each event in the list simply by clicking it. This reopens the explorer window that originally investigated that item. In this way, you can move through your exploration history, quickly viewing the events you explored before and after the event you are exploring now.
The Explore view's History pane
Hiding and showing the History pane
Use the History pane’s History button to alternately hide and show the History pane. Hiding the
pane provides additional space for your explorers.
To hide or show the History pane:
• With the History pane showing, click the History button.
The History pane becomes hidden along the left side of the window.
• With the History pane hidden, click the History button.
The History pane reappears on the left side of the window.
Viewing explorer history
• Click any item listed in the Explore view’s History pane.
The Explorer window reopens the explorer that was used to investigate that item.
Clearing explorer history
When needed, you can clear individual items or all items from the History pane.
To clear an item from the History pane:
1. In the History pane, point to the item you want to remove.
2. Click Clear.
3. At the confirmation prompt, click Yes to remove the item from the History pane.
To clear all items from the History pane:
1. At the bottom of the History pane, click Reset.
2. At the confirmation prompt, click Yes to remove all of the items from the History pane; otherwise, click No to keep them.
History pane icon legend
The following table explains the meaning of each icon that can appear in the History pane.
• An alert from the Audit Alerts tree.
• An alert from the Security Alert tree.
• An alert from the Asset Alert tree.
• An alert from the Incident alert tree.
• An alert from the Internal Alert tree that is not related to rules or active response activity.
• An internal command that indicates the system has taken action to respond to an event.
• Rule activity, either from a rule in test mode, or from a rule that has initiated an actual active response.
• An NSLookup explorer event.
• A Traceroute explorer event.
• An nDepth Explorer event.
• A Whois explorer event.
• A Flow Explorer event.
About TriGeo nDepth
TriGeo nDepth is an add-on appliance and plug-in application that are sold separately. If purchased,
each TriGeo Manager has its own dedicated nDepth appliance that is mounted in a rack with the
TriGeo SIM. The appliance stores all of the original log file source data that passes through a
particular TriGeo Manager. The log data is stored in its entirety, in real time, as it originally occurs
from each host (network device) and source (application or tool) that is monitored by the Manager.
nDepth also contains a powerful search engine. It indexes the original log file source data in real time
and allows you to search that data with simple or highly specific search criteria. nDepth has two
different search tools:
• The nDepth Explorer is a search engine that is fully integrated with the Console’s other explorers. It allows you to search data stored on the nDepth appliance from the TriGeo SIM. You can use nDepth Explorer to conduct custom searches, to open alert data fields in other TriGeo explorers, and to initiate searches with the nDepth Browser.
• The nDepth Browser is a web browser-based explorer that provides direct access to the nDepth appliance. This interface lets you search, explore, alert, and report on all your data in real time. You can also save, reuse, and share custom search strings. It opens in your default web browser.
nDepth is intended for customers who have very specific data analysis needs, and who fully
understand how to interpret the raw log file data that is generated by their network devices and tools.
The following topics explain how to open the nDepth Explorer, perform a basic search, interpret your
search results, explore additional search options, and open other explorers.
Installing TriGeo nDepth
For complete information on installing TriGeo nDepth, see the TriGeo SIM Installation Guide.
Configuring network tools for use with TriGeo nDepth
If you are using nDepth, you must configure each tool (TriGeo sensors and actors) for use with
nDepth through the TriGeo Tool Configuration system.
First, decide which network devices, applications, and tools being monitored by the Manager are to
also send their log file data to nDepth. Then configure each of these tools for use with nDepth. You
can choose to route a tool’s log file data to the TriGeo SIM, directly to TriGeo nDepth, or to both.
TriGeo recommends that nDepth users configure each tool so it routes its log data to both nDepth and
the TriGeo SIM. This allows you to receive alerts on these tools, and to search data stored on the
nDepth appliance with both the TriGeo Explorer and the nDepth Browser.
For complete information on configuring tools for use with nDepth, see "Connecting products to the
TriGeo SIM" on page 347.
Using nDepth Explorer
nDepth Explorer is a search engine that is fully integrated with the Console’s other explorers. It allows
you to search data stored on the nDepth appliance from the TriGeo SIM. You can use nDepth
Explorer to conduct custom searches, to open alert data fields in other TriGeo explorers, and to
initiate searches with the nDepth Browser.
You can open a blank nDepth Explorer to conduct a new custom search. Or you can open the nDepth
Explorer from an existing data source, such as an alert field or another TriGeo explorer (NSLookup,
Whois, and Traceroute, and Flow), to search for similar events or data.
You can also use nDepth Explorer to further explore your search results by adding new search strings
to the search box, or by appending text to an existing search string.
The following topics explain how to open the nDepth Explorer, perform a basic search, interpret your
search results, explore additional search options, and open other explorers.
Note: To use nDepth Explorer, you must purchase an nDepth appliance and configure it for use with
the TriGeo Manager. Otherwise, all nDepth Explorer commands are disabled.
Opening a blank nDepth Explorer
Do either of the following:
• In the Monitor view’s Explore menu, click nDepth Explorer.
• In the Explore view’s Explore menu, click nDepth Explorer.
In either case, the Explorer pane opens, showing a blank nDepth Explorer. To use the nDepth
Explorer, you must select your search parameters. See "Using the nDepth Explorer
Configuration form" on page 200.
Opening nDepth Explorer from a particular data source
1. Do one of the following:
• In the Monitor view’s alert grid, select the alert row or field you want to explore.
• In the Event explorer’s Alert Details pane, event map, or event grid, click the item or field you want to explore.
• In a TriGeo explorer, select the data source you want to explore.
2. In the Explore menu, click nDepth.
The Explore view opens, with the nDepth Explorer appearing. Note that the explorer’s search
field contains the alert field you are exploring.
3. Click Search.
nDepth searches all hosts and sources for all instances of that alert field that have occurred in
the last 10 minutes.
If needed, you can refine your search by refining settings with the Configuration form. See
"Using the nDepth Explorer Configuration form" on page 200.
nDepth Explorer features
Key features of the nDepth Explorer
The following table describes the key features of nDepth Explorer.
Configure button: Click this button to alternately show and hide the Configuration form.
Configuration form: Use the Configuration form to search all of the original log file source data that passes through a particular TriGeo Manager. The log data is stored in its entirety, in real time, as it originally occurs from each host (network device) and source (application or tool) that is monitored by the Manager. You can perform simple searches or highly specific searches. For more information, see "Using the nDepth Explorer Configuration form" on page 200.
Results: The Results box displays all of the data that matches your search criteria from the Configuration form. To make viewing easier, each result appears with an alternating gray or white background. The number of results that appear depends entirely on your query.
The first line of every search result displays the raw log data that matched your search criteria. The second line of each result displays the following information about the matched data:
• host is the network device the data originated from.
• source is the source tool the data originated from.
• source type is the category of the source tool the data originated from.
Note: Sources and source types match TriGeo’s tool configuration categories.
If there is more than one page of search results, you can view each page with the arrows in the lower-right corner of the explorer.
Refresh: Refreshes the data to show the most current data that matches your Configuration form settings.
Stop: Click this button at any time to stop a search that is in progress.
nDepth Browser: Opens nDepth Browser, which then performs a search based on your current nDepth Explorer search settings. The nDepth Browser is a web-based interface that allows you to perform extremely precise searches and analysis on data that is stored on the nDepth appliance. For more information, see "Using nDepth Browser" on page 204, and see nDepth Browser Help.
Viewing range and search result total: The lower-right of the explorer shows the total number of items that matched your search, as well as the block of items within that range that you are currently viewing.
◄◄: Displays the first page of the search results.
◄: Displays the previous page of the search results.
►: Displays the next page of the search results.
►►: Displays the last page of the search results.
nDepth's History pane
Each nDepth Explorer search adds an item to the Explorer view’s History pane. The history item
(shown here) displays an nDepth icon, the number of search results, and your search string text, if
applicable.
Pointing to the item's history icon also displays the number of search results and your search string. If
your search specified a particular host or source, they are listed here, too.
A new search always adds a history item. If you click an earlier history item, the system takes you
back to that search; it does not make a new item. As soon as you change something in the nDepth
Explorer and perform a new search, that search becomes a new history item.
Exploring nDepth Explorer search results
You can use nDepth Explorer to further explore your search results by adding new search strings to
the search box, or by appending text to an existing search string.
Performing a search
1. Select the nDepth Explorer you want to work with (if more than one are open).
2. Click Reset to make the Configuration form editable.
3. Select the text string you want to explore. Then press Ctrl+C to copy the search string.
4. Click the Search box. Then press Ctrl+V to paste the search string into the Search box.
5. Make any necessary changes to the Configuration form.
6. To begin the search, do either of the following:
• After entering a search string, press Enter.
• After completing the Configuration form, click Search.
The Results box displays all of the log file data that matches the Manager, time frame, host,
source, and search string you have selected. If no results are found, the following message
appears: “No matching results found.”
To explore your search results:
1. In the Results box, drag to select the string you want to explore.
2. In the Explore menu, select the explorer you want to use.
3. If needed, click Search.
Using the nDepth Explorer Configuration form
Use nDepth Explorer’s Configuration form to search all of the original log file source data that
passes through a particular TriGeo Manager. In this case, you are not actually searching so much as
you are applying filters to reduce the amount of reported data.
To use the nDepth Explorer’s Configuration form:
Complete the Configuration form as described in the following table.
Manager: Select the Manager on which you want to perform an nDepth search. Each Manager is linked to a single nDepth appliance, so by selecting a Manager, you are effectively selecting the corresponding nDepth appliance.
Enter search term: In the search box, enter the search string or text you want to find in the data. To enter a search string:
• Type a search string directly in the search box.
• Copy (Ctrl+C) a search string and paste (Ctrl+V) it in the text box.
The search box behaves the same as in the nDepth Browser. You can use all of the same options, and it has all of the same complexity. For more information on advanced search features, see nDepth Browser Help.
If desired, you can begin a search immediately after entering a search string by pressing Enter.
Search Time: In the Search Time list, select the timeframe in which you want to search the log file data. By default, the form’s search time is for the last 10 minutes (the end time is now, and the start time is 10 minutes ago).
Creating custom timeframes: To create a custom timeframe, select Custom range in the Search Time list. Then, in the From and To boxes, type or select the start date and time, and the end date and time, respectively. If you type a timeframe, you must use the date and time format shown on the form. Or you can click each box’s time button to open a calendar that lets you select the date and time of your choice. You can use your keyboard’s up, down, right, and left arrows to move within the calendar and to select a time. To close the calendar, click anywhere outside of its boundary.
Host: A host is a specific network device. In the Host list, select which host’s data you want to search. This narrows your search results to data from that host. The default is ALL, which returns all matches to your search from all network devices that have sent data to the Manager’s nDepth appliance.
Source: A source is a specific type of data that is generated by a tool on a network device and collected by the Manager’s nDepth appliance. In the Source list, select which specific data source you want to search. This narrows your search results to data from that source. The default is ALL, which searches all source data from the host you selected.
Reset: Click Reset to return the form to its default settings.
Search: After completing the form, click Search to begin your search.
Note: You can stop a search at any time by clicking Stop at the top of the Results area.
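The Configuration form’s filters (Search Time window, Host, Source and search term) and the Results box paging and History item described in the nDepth Explorer features table, as an added illustration in Python that is not TriGeo’s code. It runs the form’s settings over constructed log records; the record layout, the page size, and a plain case-insensitive substring match standing in for the nDepth search syntax are assumptions.

```python
"""nDepth Explorer-style search: apply the Configuration form's settings to
log records, then page through the Results box. Added illustration, not
TriGeo code; the records, their field names and the page size are constructed."""
from datetime import datetime, timedelta

NOW = datetime(2010, 6, 1, 12, 0, 0)  # fixed "now" for the default search window

# Constructed records as one Manager's nDepth appliance might hold them: the
# raw line (first line of a result) plus host, source and source type (the
# second line of a result). The last record is older than the 10-minute default.
LOGS = [
    {"time": NOW - timedelta(minutes=1), "host": "fw01", "source": "Cisco ASA",
     "source_type": "Firewall",
     "raw": "Deny tcp src outside:192.168.168.10/51234 dst inside:10.1.1.5/22"},
    {"time": NOW - timedelta(minutes=3), "host": "dc01", "source": "Windows Security Log",
     "source_type": "Operating System",
     "raw": "An account failed to log on. Source Network Address: 192.168.168.10"},
    {"time": NOW - timedelta(minutes=4), "host": "fw01", "source": "Cisco ASA",
     "source_type": "Firewall",
     "raw": "Built outbound TCP connection for 10.1.1.20/443 to 203.0.113.8/52001"},
    {"time": NOW - timedelta(minutes=8), "host": "web01", "source": "Apache",
     "source_type": "Web Server",
     "raw": '192.168.168.10 - - "GET /login HTTP/1.1" 401 512'},
    {"time": NOW - timedelta(minutes=25), "host": "fw01", "source": "Cisco ASA",
     "source_type": "Firewall",
     "raw": "Deny tcp src outside:192.168.168.10/51100 dst inside:10.1.1.5/22"},
]


def ndepth_search(records, term="", start=None, end=None, host="ALL", source="ALL"):
    """Apply the Configuration form: Search Time (default: last 10 minutes),
    Host and Source (default: ALL), then the search term.

    Assumption: the term is matched as a case-insensitive substring of the raw
    line; the real search box supports the nDepth Browser's full syntax.
    """
    end = end or NOW
    start = start or end - timedelta(minutes=10)
    hits = []
    for r in records:
        if not (start <= r["time"] <= end):
            continue  # outside the Search Time window
        if host != "ALL" and r["host"] != host:
            continue  # Host list narrows the search to one network device
        if source != "ALL" and r["source"] != source:
            continue  # Source list narrows the search to one tool's data
        if term and term.lower() not in r["raw"].lower():
            continue
        hits.append(r)
    return hits


def format_result(r):
    """The two lines the Results box shows for one match."""
    return (f'{r["raw"]}\n'
            f'host: {r["host"]}  source: {r["source"]}  source type: {r["source_type"]}')


def page(hits, page_no, page_size=2):
    """One page of results plus the viewing range and total shown in the
    explorer's lower-right corner. Page numbers are clamped to the valid
    range, which is how the first/previous/next/last arrows behave at the ends."""
    total = len(hits)
    pages = max(1, -(-total // page_size))  # ceiling division
    page_no = min(max(page_no, 1), pages)
    first = (page_no - 1) * page_size
    items = hits[first:first + page_size]
    return {"page": page_no, "pages": pages, "total": total,
            "first": first + 1 if items else 0, "last": first + len(items),
            "items": items}


def history_item(term, hits):
    """Text of the History pane entry: the result count and the search string."""
    return f"nDepth ({len(hits)}) {term}".rstrip()


if __name__ == "__main__":
    # Search string passed in from another explorer, as in the manual's example.
    hits = ndepth_search(LOGS, term="192.168.168.10")
    if not hits:
        print("No matching results found.")
    for r in page(hits, 1)["items"]:
        print(format_result(r))
    print(history_item("192.168.168.10", hits))
```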
Exploring search results with other TriGeo explorers
You can access other TriGeo explorers from the nDepth Explorer’s Results box. This allows you to
further investigate your nDepth search results with other TriGeo explorers.
For example, if you see an IP address in your nDepth search results, you may want to use the
NSLookup, Traceroute, or Whois explorers to figure out where that IP is. Or, if you see something
unusual in your nDepth Explorer, you may want to take some kind of corrective action.
To explore nDepth Explorer results:
1. In the Results box, select the text you want to investigate.
2. In the Explore menu, select the explorer you want to open.
The system “passes” the selected text to the TriGeo explorer you selected.
Responding to search results
As with other explorers, you can respond to any item that is reported in the nDepth Explorer search
results. For example, you could send a user account a popup message, or block a hostile IP address.
To respond to nDepth Explorer results:
1. In the Results box, select the text you want to respond to.
2. In the Respond menu, select the active response you want to take.
The Respond form opens, so you can configure the appropriate response. For more
information, see "Responding to alert messages" on page 83.
Moving a search to the nDepth Browser
When needed, you can move a search from the nDepth Explorer into nDepth Browser. This allows
you to precisely tailor the search to your needs.
To open a search in the nDepth Browser:
• In the nDepth Explorer’s Results box, select the text you want the nDepth Browser to search for. Then in the Explore menu, click nDepth Browser.
• In the nDepth Explorer’s Results box, select the text you want the nDepth Browser to search for. Then, above the Results box, click the nDepth Browser button.
nDepth Browser opens in your default web browser and performs a search based on your
current nDepth Explorer search settings. The nDepth Browser searches all hosts and sources
for all instances of that alert field that have occurred in the last 10 minutes. For more
information, see "Using nDepth Browser" on page 204.
Using nDepth Browser
nDepth Browser is a web browser-based explorer that provides direct access to the nDepth
appliance. This interface lets you search, explore, alert, and report on all your data in real time. You
can also save, reuse, and share custom search strings.
This section explains how to open and access the nDepth Browser. For instructions on using the
browser, see nDepth Browser Help. For best results, TriGeo recommends using Mozilla Firefox as
your default web browser.
Opening nDepth Browser
You can open nDepth Browser from any place you can open nDepth Explorer. In the Monitor view,
you can open the nDepth Browser from an existing alert field. Or from the Explorer view, you can
open nDepth Browser from any other TriGeo explorer to search for similar events or data. When
working with explorers, nDepth Browser uses the selected text as its search string.
For example, if you were using NSLookup to resolve “trigeo.com”, you could then click the resulting
IP address and look that up in the nDepth Browser. Or if you were looking at something in the nDepth
Explorer, you could click the nDepth Browser button to perform the same search in the browser.
You can also open a blank nDepth Browser to conduct your own custom searches.
Note: If you have not purchased an nDepth appliance, nDepth Browser commands are disabled.
Opening a blank nDepth Browser
Do either of the following:
• In the Monitor view’s Explore menu, click nDepth Browser.
• In the Explore view’s Explore menu, click nDepth Browser.
In either case, your default web browser opens, showing the nDepth Browser's home page.
nDepth Browser default page
Opening the nDepth Browser from a particular data source
1. Do one of the following:
• In the Monitor view’s alert grid, select the alert row or field you want to explore.
• In the Explorer view’s Event explorer’s information pane, event map or event grid, click the item or field you want to explore.
• In any TriGeo explorer, select the data source you want to explore.
• In the nDepth Explorer’s Results box, select the text you want to explore.
2. In the Explore menu, click nDepth Browser.
Note: If you are starting from nDepth Explorer, you can also click nDepth Browser to begin
exploring the selected text in nDepth Browser.
In each case, your default web browser opens. The Console passes the alert field or search
string you selected to nDepth Browser, which searches all hosts and sources for all instances
of that alert field that have occurred in the last 10 minutes.
nDepth Browser showing search results. In this case, we searched for an IP address of 192.168.168.10.
Getting help with the nDepth Browser
TriGeo SIM Console Help contains complete information and numerous examples on creating,
refining, and saving search strings.
To open nDepth Browser Help:
1. From either the TriGeo SIM Console or nDepth Browser, click the Help button.
2. In Help's Contents tab, open nDepth Browser Help.
Chapter 8: Working with Groups
About Groups
The Build ► Groups view is used to create, name, configure, and organize groups of parameters.
You may then choose from these Groups when configuring filters (in Filter Creation) and rules (in
Rule Creation) to include or exclude the specific elements defined within each Group.
Throughout this manual, when you see the word Groups (capitalized), it refers to a Group that has
been configured in the Build ► Groups view. The capitalization indicates that these Groups are
configurable objects that can be applied to your rules and filters, and it helps distinguish them from
other, generic groups of things.
Each Group you create only applies to the Manager that is selected when you create the Group. If you
need a similar Group for another Manager, you must create it separately with that other Manager; or
you must export the Group, and then import it from the other Manager’s Groups grid.
Group types
You can use the Build ► Groups view to create any of the Groups listed in the following table.
Alert Groups
  Alert Groups are custom families of alerts that you can save as a Group. You can then associate
  the Alert Group with your rules and filters.
  For example, you might create an Alert Group made up of similar alerts that all need to trigger
  the same response from the Console. When you apply the Alert Group to a rule, the Console
  implements the same rule when any one of the alerts in the Group occurs.

Directory Service Groups
  If you use a directory service, such as Active Directory, you can connect the TriGeo SIM to the
  server that stores your existing directory service (DS) Groups. Once connected, you can
  synchronize your DS Groups with the TriGeo SIM and apply them to your TriGeo rules and filters.
  DS Groups allow you to match, include, or exclude events to specific users or computers, based
  on their DS Group membership.
  In most cases, DS Groups are used in rules and filters as a type of white list or blacklist for
  choosing which users or computers to include or to ignore. When used by a filter, a DS Group
  lets you limit the scope of the alerts included in the filter to those users or computers that
  have membership in a particular Group.

Email Template
  Email Templates allow you to create pre-formatted email messages that your TriGeo rules can use
  to notify you of an alert event.

State Variables
  State Variables are used in rules. They represent temporary or transitional states. For
  example, you can create a State Variable to track the “state” of a particular system, setting
  it to a different value depending on whether the system comes online or goes offline.

Time of Day Sets
  Time of Day Sets are specific groups of hours that you can associate with rules and filters.
  Time of Day Sets allow them to take different actions at different times of day.
  For example, if you define two different Time of Day Sets for “Working Hours” and “Outside
  Working Hours,” you can assign different rules to each of these Time of Day Sets. For instance,
  you may want a rule that automatically shuts down the offending computer and alerts your system
  administrator via email.

Tool Profiles
  Tool Profiles are groups of Agents that have common tool configurations. Most Agents in a
  network have only a few different network security tool configurations. Tool Profiles allow you
  to group Agents by their common tool configurations. You can then have your rules and filters
  include or exclude the Agents associated with a particular profile.

User-Defined Groups
  User-Defined Groups are groups of preferences that are used in rules and filters. They allow you
  to match, include, or exclude events, information, or data fields based on their membership in
  a particular Group. In most cases, User-Defined Groups are used in rules and filters as a type
  of white list or blacklist for choosing which events to include or to ignore.
Groups view features
The topics in this section describe the key features of the Groups view, including its major sections,
the meaning of its grid columns, and how to refine its grid.
The following table describes the key features of the Build ► Groups view.
Refine Results
  This form behaves like a search engine, letting you apply filters to the Groups grid to reduce
  the number of Groups it shows. For information on using this form, see "Refining the Groups
  grid" on page 215.

Groups grid
  By default, the Groups grid shows every Group associated with each Manager the Console is
  connected to. If the same Group is configured for more than one Manager, it will appear in the
  grid multiple times—once for each Manager it is associated with. You can sort the grid and
  refine it with the Refine Results form.

Row gear button
  The gear button in each row opens a menu of commands that you can perform on the item that is
  currently selected in the grid. It has commands for editing, cloning, exporting, and deleting
  the selected Group.

Add button
  Click this button whenever you want to create a new Group. Selecting an option from this list
  opens the Edit pane as an editable form, which you can use to create the new Group.

Grid gear button
  The gear button at the top of the grid opens commands that you can perform on multiple
  selections in the grid, and commands that do not require a grid selection. In this case, it has
  a command to import Groups from a remote source. You can import Groups from one Manager to
  another, or you can import Groups that are provided by TriGeo Network Security. You may import
  only one Group at a time.

Group Details pane
  This pane displays detailed information about the Group that is currently selected in the grid.
  When you select a Group in the grid, the pane's name changes to reflect the Group type you are
  currently viewing.
  When adding or editing a Group, the pane turns into an editable form, and the form's name
  changes to reflect the type of Group you are working with. This pane can be hidden when it is
  not needed.

Folders pane
  The Folders pane lets you create folders and sub-folders for organizing your State Variables
  and Email Templates. This pane is disabled when you are working with other Groups. For
  instruction on performing these tasks, see "Working with Group folders" on page 254.
  Clicking a folder in the Folders pane causes the Groups grid to display only the Groups that
  are stored in that folder and any of its sub-folders, if applicable.
Groups grid columns
The following table describes the meaning of each column in the Groups grid.
Gear button
  The gear button in each row opens a menu of commands that you can perform on the item that is
  currently selected in the grid. It has commands for editing, cloning, exporting, and deleting
  the selected Group.
Type
  Displays the type of the Group—Tool Profile, User-Defined Group, Time of Day Set, etc.
Name
  Displays the name of the Group.
Description
  Displays a description of the Group. Pointing to this field displays the complete description
  as a ToolTip.
Created By
  Displays the name of the Console user who created the Group.
Created Date
  Displays the date the Group was created.
Modified By
  Displays the name of the Console user who last modified the Group.
Modified Date
  Displays the date on which the Group was last modified.
Manager
  Displays the name of the Manager the Group is associated with.
Refining the Groups grid
By default, the Groups grid shows every Group associated with each Manager the Console is
connected to. If the same Group is configured for more than one Manager, it appears in the grid
multiple times—once for each Manager it is associated with. To help you work more efficiently with a
long list of Groups, the Refine Results pane lets you apply filters to the Groups grid to reduce the
number of Groups it shows.
When you select options in the Refine Results pane, the grid refreshes to show only those items that
match the refinement options you have selected. The other items in the grid are still there; however,
they are hidden. To restore them, simply click the Reset button or select All in the refinement lists
you are using.
The following table explains how to use the Refine Results form.
Reset
  Click Reset to return the form and the Groups grid to their default settings.
Search
  Use this field to perform keyword searches for specific Groups. To search, type the text you
  want to search for in the text box. The grid displays only those Groups that match or include
  the text you entered.
Type
  Select the type of the Group you want to work with (Tool Profile, User-Defined Group, Time of
  Day Set, etc.) to have the grid display only Groups of that type.
Manager
  Select a Manager to have the grid display only the Groups that are associated with that
  Manager.
Created By
  Select the name of the Console user who created the Group to have the grid display only Groups
  from that user.
Created Date Range
  Type or select a date range to have the grid display only Groups that were created on or within
  that date range.
Modified By
  Select the name of the Console user who last modified the Group to have the grid display only
  Groups modified by that user.
Modified Date Range
  Type or select a date range to have the grid display only Groups that were modified on or
  within that date range.
Managing Groups
The topics in this section explain how to create and manage Groups. They include procedures for
performing the following tasks:
• adding a new Group
• editing a Group
• cloning a Group
• importing a Group
• exporting a Group
• deleting a Group.
Adding a new Group
1. Open the Build ► Groups view.
2. In the Groups grid, click the add button and then click the Group type you want to create. For a
description of each Group type option, see "Group types" on page 210.
The Group Details pane opens to show an editable form for the Group type you have
selected.
3. In the Name box, type a name for Group.
4. In the Description box, type a brief description of the Group and its intended use.
5. In the Manager list, select the Manager on which the Group is to reside.
6. Complete the rest of the form to configure the Group. For instructions on configuring a particular Group, see the following topics:
   • See "Configuring Alert Groups" on page 221.
   • See "Configuring Directory Services Groups" on page 225.
   • See "Configuring Email Templates" on page 230.
   • See "Configuring State Variables" on page 233.
   • See "Configuring Time of Day Sets" on page 238.
   • See "Configuring Tool Profiles" on page 241.
   • See "Configuring User-Defined Groups" on page 249.
7. When you are finished, click Save.
The new Group appears in the Groups grid.
Editing a Group
Editing a Group is very much like creating a new one. The only difference is that you are reconfiguring
an existing item.
To edit a Group:
1. Open the Build ► Groups view.
2. In the Groups grid, do one of the following:
   • Double-click the Group you want to edit.
   • Click the gear button for the Group you want to edit and click Edit.
The Edit pane opens as an editable form, showing the selected Group’s current configuration.
3. Make any necessary changes to the Edit form to reconfigure the Group.
4. When you are finished, click Save.
The revised Group is applied to the Manager and appears in the Groups grid.
Cloning a Group
Cloning a Group lets you copy an existing Group, but save it with a new name. Cloning allows you to
quickly create variations on existing Groups for use with your rules, filters, and Agents.
Cloned Groups must be for the same Manager as the original Group. That is, you cannot clone a
Group from one Manager for use with another Manager.
To clone a Group:
1. Open the Build ► Groups view.
2. In the Groups grid, click to select the Group you want to clone.
3. Click the row’s gear button and then click Clone.
The newly cloned Group appears in the Groups grid in the row just below the original Group.
A clone always uses the same name as the Group it was cloned from, followed by the word
Clone. For example, a clone of the Disk Warning Group would be called Disk Warning
Clone. A second clone of the Disk Warning Group would be called Disk Warning Clone 2,
and so on.
4. Edit the cloned Group, as needed, to give it its own name and to assign its own specific settings.
Importing a Group
You can import Groups from a remote source into the Groups grid. You can import a Group that you
have exported from another Manager, or you can import Groups that are provided by TriGeo Network
Security. You may import only one Group at a time.
To import a Group:
1. Open the Build ► Groups view.
2. On the Groups grid toolbar, click the gear button and then click Import.
The Open form appears.
3. In the Look In box, browse to the folder that contains the Group file you want to import.
4. Do either of the following:
   • Double-click the file to open it.
   • Click to select the file you want to import, and then click Open.
The Group appears in the Groups grid and in the Group Details form for editing.
5. In the Group Details form, select the Manager this Group is to be assigned to.
6. Make any other desired changes in the Group Details form.
7. Click Save to send the Group to the Manager.
8. If you are working with Email Templates or State Variables, drag the new Group from the
Groups grid into the folder (in the Folders pane) that is to store the Group.
Exporting a Group
When needed, you can export Groups. Exporting Groups is useful for three reasons:
• Once exported, you can import the Group into another Manager.
• You can save a copy off of the Manager for any reason.
• You can provide TriGeo Network Security with a copy of your Group for technical support or
  troubleshooting purposes.
You may export only one Group at a time.
To export a Group:
1. Open the Build ► Groups view.
2. In the Groups grid, click to select the Group you want to export.
3. Click the row’s gear button and then click Export.
4. After a moment, the Save As form appears.
5. Use the Save As form to select the folder in which you want to save the exported Group.
6. In the File name box, type a name for the exported Group.
7. Click Save to export and save the Group; otherwise, click Cancel.
You can now import the Group for use with another Manager. For the import procedure, see
"Importing a Group" on page 219.
Deleting a Group
When needed, you can delete any of your Groups.
To delete a Group:
1. Open the Build ► Groups view.
2. In the Groups grid, select the Group you want to delete.
3. Click the row’s gear button and then click Delete.
4. At the confirmation prompt, click Yes to delete the Group.
The item disappears from the Groups grid.
Configuring Alert Groups
Whenever you create or edit an Alert Group, the Build ► Groups view’s Edit pane opens and
becomes the Alert Group form. The Alert Group form lets you create custom families of alerts that
you can save as a Group. You can then associate the Alert Group with your rules and filters.
For example, you might create an Alert Group made up of similar alerts that all need to trigger the
same response from the Console. When you apply the Alert Group to a rule, the Console implements
the rule when any one of the alerts in the Group occurs.
Each Alert Group you create only applies to the Manager that is selected when you create the Group.
If you need a similar Alert Group for a different Manager, you must create it separately for the other
Manager.
Configuring an Alert Group
1. Open the Build ► Groups view.
2. On the Groups grid, click the add button and then click Alert Group.
The Edit pane opens, showing the Alert Group form.
3. In the Name box, type a name for the new Alert Group.
4. In the Description box, type a brief description of the Alert Group’s contents.
5. In the Manager list, select the Manager on which this Group is to reside. If you are editing an
existing Group, this field shows the Manager on which it resides.
Now you will configure the Alert Group by selecting the alerts you want in the Group.
The Alerts box lists alerts in a hierarchical tree. You may need to open the nodes in the alert
tree to see the alert you are looking for. For complete information on alerts, see "Types of
alerts" on page 493.
6. In the Alerts list, select each alert that you want to include in this Group.
   • To choose an alert, click its check box.
   • To remove an alert, clear its check box.
Note: In the node-tree view, you can Ctrl+Click to select (or clear) an alert and all of the alerts
below that item (that is, its child alerts). For example, press Ctrl and click Security Alert to
select Security Alert and all of its child alerts.
See the following topic to learn about each feature in the Alerts list.
7. Click Save.
The new Alert Group appears in the Groups grid.
Alert list features
The following table explains how to use each feature of the Alerts list.
Tree view button
  Click this button to display the Alerts list as a hierarchical node tree. Then use the list to
  select each alert type that you want to include in this Group. This is the default view.
  This view also has the following attributes:
  • The node tree displays alert types with the same hierarchy they have in "Types of alerts" on
    page 493.
  • Lower-level alert types are hidden by nodes in the alert tree. To open a node, click the ►
    icon. This displays the node’s next level of alerts.
  • Using the search box displays the alert and its parent alert types, so you can see how the
    alert appears in the alert hierarchy.
  • You can Ctrl+Click to select (or clear) an alert and all of the alerts below that item (that
    is, its child alerts). For example, if you press Ctrl and click Security Alert, you will
    select Security Alert and all of its child alerts.

List view button
  Click this button to list alert types alphabetically, regardless of their position in the
  hierarchy. Then use the list to select each alert type that you want to include in this Group.

Search box
  You can use this box to search either view of the Alerts list. To do so, simply type a word or
  phrase in the text box. The Alerts list will refresh to show any alerts that include your word
  or phrase.

► (closed node)
  This icon represents a closed (or collapsed) alert node in the alert tree hierarchy. Each time
  you see this icon, it means the alert node contains lower-level alerts.
  To open a node, click it. Opening the node expands the alert tree, displaying the next level of
  related alerts. For a complete description of alerts, see "Types of alerts" on page 493.

▼ (open node)
  This icon represents an open (or expanded) alert node in the alert tree hierarchy. Each time
  you see this icon, the node is displaying its related lower-level alerts.
  To close (or collapse) the node, click it. This collapses the alert tree at that level, hiding
  its lower-level alerts.

Check box, clear
  This item has not been selected; nor have any of its lower-level items.

Check box, selected
  This item has been selected; but not any of its lower-level items.

Check box, clear with selected children
  This item has not been selected, but one or more of its lower-level items has been selected.

Check box, selected with selected children
  This item has been selected, and so have one or more of its lower-level items.
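The selection and check-box behaviour in this table, modelled in Python as an added example for this edition (not TriGeo code). The alert hierarchy below is constructed; only Security Alert is a name from the text, and the real taxonomy is the one in "Types of alerts".

```python
"""Added example: Alert Group tree selection (Ctrl+Click selects a subtree,
the search box shows parents, and each node shows one of four check-box states).
The alert names are constructed and are not the TriGeo alert taxonomy."""
from typing import Dict, List, Set

# Constructed hierarchy: parent -> children. Every node appears as a key.
ALERT_TREE: Dict[str, List[str]] = {
    "Alert": ["Security Alert", "System Alert"],
    "Security Alert": ["Authentication Alert", "Policy Alert"],
    "Authentication Alert": ["Logon Failure", "Account Lockout"],
    "Policy Alert": [],
    "System Alert": ["Disk Warning"],
    "Disk Warning": [],
    "Logon Failure": [],
    "Account Lockout": [],
}
PARENT: Dict[str, str] = {c: p for p, cs in ALERT_TREE.items() for c in cs}


def descendants(node: str) -> List[str]:
    """Every alert type below `node`, depth-first (its child alerts)."""
    out: List[str] = []
    for child in ALERT_TREE.get(node, []):
        out.append(child)
        out.extend(descendants(child))
    return out


def click(selected: Set[str], node: str, ctrl: bool = False) -> Set[str]:
    """A plain click toggles one alert's check box; Ctrl+Click toggles the alert
    together with all of its child alerts. Returns a new set, leaving the old one
    untouched so the caller can compare before and after."""
    targets = [node] + (descendants(node) if ctrl else [])
    new = set(selected)
    if node in selected:
        new.difference_update(targets)   # clearing
    else:
        new.update(targets)              # selecting
    return new


def check_box_state(selected: Set[str], node: str) -> str:
    """The four icons from the table: 'none', 'self' (item only),
    'children' (only lower-level items), or 'both'."""
    self_on = node in selected
    child_on = any(d in selected for d in descendants(node))
    return {(False, False): "none", (True, False): "self",
            (False, True): "children", (True, True): "both"}[(self_on, child_on)]


def ancestors(node: str) -> List[str]:
    """Parent alert types from the root down to (not including) `node`."""
    chain: List[str] = []
    while node in PARENT:
        node = PARENT[node]
        chain.append(node)
    return chain[::-1]


def search(term: str) -> Dict[str, List[str]]:
    """Search-box behaviour: each alert containing the term, with its parents,
    so the reader can see where it sits in the hierarchy."""
    term = term.lower()
    return {a: ancestors(a) for a in ALERT_TREE if term in a.lower()}


if __name__ == "__main__":
    sel = click(set(), "Security Alert", ctrl=True)
    for name in ALERT_TREE:
        print(f"{name:22s} {check_box_state(sel, name)}")
    print(search("lockout"))
```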
Configuring Directory Services Groups
Many companies use a directory service, such as Active Directory, to organize and administer their
network’s computers and system users. This computer and user information is organized into
Directory Service Groups (or more simply, DS Groups) that are managed with the directory service.
If you use such a directory service, you can connect the TriGeo SIM to the server that stores your
existing DS Groups, synchronize your Groups with the TriGeo SIM, and apply your Groups to your
TriGeo rules and filters.
Once your directory service is connected, your DS Groups become seamlessly integrated with the
TriGeo SIM. Whenever you make a change to a Group in the directory service, TriGeo automatically
updates your rules and filters to reflect the change.
The topics in this section explain how to retrieve and synchronize information from your directory
service for use with the TriGeo SIM.
How to use Directory Services Groups
DS Groups allow you to match, include, or exclude events to specific users or computers based on
their Group membership, to determine if a particular alert event is relevant or not.
In most cases, DS Groups are used in rules and filters as a type of white list or blacklist for choosing
which users or computers to include or to ignore. When used by a filter, a DS Group lets you limit the
scope of the alerts included in the filter to those users or computers that have membership in a
particular Group.
For example, you may want to use a DS Group that you created in your directory services that
contains the names of high-risk network users. You can then refer to this Group in a rule or filter. For
instance, your rule may dictate to always disable these users if you detect malicious activity.
Synchronizing Directory Service Groups with the TriGeo SIM
This procedure explains how to retrieve Group data from your directory service and select which DS
Groups are to be synchronized with the TriGeo SIM. This procedure ensures that you capture the
most current information from any Groups that are not currently synchronized with the TriGeo SIM.
You can also use this procedure to remove DS Groups that no longer require synchronization.
Note: To use DS Groups, first make sure the Directory Service Query Tool is configured and running
on the TriGeo SIM Manager for which you want to use DS Groups. For more information, see
"Connecting products to the TriGeo SIM" on page 347.
DS Groups only apply to Managers that are connected to them. If you need a similar DS Group for
another Manager, you must connect to the directory service with the other Manager.
To retrieve DS Group data from your directory service:
1. Open the Build ► Groups view.
2. On the Groups grid, click the add button and then click Directory Services Group.
The Select Directory Services Group form appears. You will use this form to select which
directory service Groups you want to synchronize for use with the TriGeo SIM.
3. In the Manager list (the upper-right drop-down list), select the Manager that is going to use the
DS Groups.
4. In the other drop-down list, select the directory services domain you want to work with.
The form displays the actual contents (folders and Group categories) of your directory service
system:
   • Each folder to the left contains the Group categories that are associated with that area
     of your directory service. You can click a folder node (►) to display the Group categories
     contained within that folder.
   • The Available Groups box lists a different set of Group categories with each folder you
     select. For example, clicking the Users folder shows a different set of Group categories
     than if you click the Laptops folder.
5. In the folder list, click the Group category you want to work with.
6. In the Available Groups list, do the following:
   • Click the check box for each Group you want to synchronize with the TriGeo SIM.
   • Clear the check box for each Group you want to remove from synchronization.
7. Repeat Steps 5 and 6 until you have selected all of the DS Groups you want synchronized
with the TriGeo SIM.
8. Click Save.
The system synchronizes the DS Groups to the TriGeo SIM and adds them to the Groups
grid. The DS Groups are now ready for use with your rules and filters.
Viewing a Directory Services Group’s members
The Groups grid shows each DS Group that is synchronized with the TriGeo SIM. When you select a
DS Group in the Groups grid, the Directory Service Groups pane appears to show the members of
that DS Group.
To view a DS Group:
1. Open the Build ► Groups view.
2. In the Groups grid, select the DS Group you want to view.
The Edit pane opens, showing the Directory Services Group form. The form displays the
contents of the Group, as shown here.
Directory Services Group grid columns
The grid in the Directory Services Group form provides information on each specific computer
account and user account that is currently associated with the DS Group. The following table
describes the meaning of each grid column.
Type
  Displays an icon that shows if the group member is a User or a Computer. The computer icon
  represents a computer account. The person icon represents a user account.
Name
  Displays the display name of the group member.
Description
  Displays the description associated with the group member in directory services.
SAM Name
  Displays the account name of the member.
Principal Name
  Displays the principal name of the member.
Distinguished Name
  Displays the complete distinguished name of the member.
Email
  Displays the email address of the member.
Deleting DS Groups
You can delete DS Groups from the Console, just as you would any other Group. Deleting a DS
Group does not remove the Group from your original directory service. You can restore a DS Group at
any time if you ever need to use it again. For the procedure, see "Deleting a Group" on page 220.
Configuring Email Templates
Email templates allow you to create pre-formatted email messages that rules can use to notify you of
an alert event. These templates become available in the Actions component list, whenever you drag
Send Email Message or Send Pager Message to the Actions box. You will then be prompted to fill
in the message variables from the Alerts or Alert Groups lists.
You create and manage templates in the Build ► Groups view’s Email Template form. As with
rules, you can add, edit, clone, and delete templates, and you can organize them in folders.
Step 1: Creating the email template
This section describes how to create the actual email template. Email templates allow you to report
specific information about an alert event, because you can include variables that capture specific
parameters about that event. For example, you can report which server is affected, what time the
event occurred, or which Agent was shut down. The possibilities for message templates are endless.
To create an email template:
1. Open the Build ► Groups view.
2. In the Groups grid, do one of the following:
   • To add a new email template, click the add button and then click Email Template.
   • Double-click the email template you want to edit.
   The Email Template form appears. If you are editing an existing template, the form shows any
   parameters that have already been configured for the template.
3. In the Manager list, select the Manager on which this template resides. If you are editing an
existing template, this field shows the Manager this template is associated with.
4. In the Name box, type a name for the template. This should be a name that makes it easy to
identify the type of event that has occurred, or where or to whom the email message is going.
5. In the From box, type whom the message is from. Typically, this is “TriGeo” or “TriGeo Manager.”
6. In the Subject line, type a subject for the message. Typically, you will want a subject that indicates the nature of the alert event.
7. Click Save to save the template.
Step 2: Adding message parameters
In the Parameters list, you will add variables that are placeholders for specific items within the
message text. When the Manager sends the message, it will complete the message by filling in the
variable parameters with the appropriate text. You can add as many parameters as you like.
For example, you may want a message to tell you which Agent or server was affected. Or you may
want to know the time the event occurred. So you can create variables for Agents, servers, or time.
In the previous example, there are parameters for the server and for the destination computer.
If you add too many or unnecessary parameters, you can easily delete the ones you don’t need.
To add message parameters:
1. In the Name box, type the name of the parameter you want to capture in the email message.
2. Click the Add button.
The new parameter appears in the Parameters list.
3. Repeat Steps 1 and 2 for each parameter you want to capture in this message.
4. Click Save to save your changes to the template.
To delete a parameter:
1. In the Parameters list, select the parameter you want to delete.
2. Click the Delete button.
3. The parameter disappears from the Parameters list.
4. Click Save to permanently delete the parameter.
Step 3: Creating the message
Now, in the Message box, you will create the actual text of the email message.
To create an email template message:
1. In the Message box, type the email message that the Manager is to send when an event
occurs, like in the example shown here.
2. In the Parameters list, select a parameter. Then drag it to the appropriate spot in the message
text. The parameters serve as placeholders for information that the Manager will fill in.
3. Repeat Step 2 for each parameter.
4. When you have finished with the template, click Save.
The new template appears in Groups grid.
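How the Manager could complete a template like the one built in Steps 1 to 3, filling the dragged-in parameters from an alert event, as an added example for this edition (not TriGeo code). The {Name} placeholder syntax, the template text, the sender address and the event fields are assumptions made for the example.

```python
"""Added example: rendering an email template whose Parameters list entries act as
placeholders in the Message text. Placeholder syntax {Name} is an assumption."""
import re
from dataclasses import dataclass
from email.message import EmailMessage
from typing import Dict, List, Tuple

PLACEHOLDER = re.compile(r"\{(\w+)\}")


@dataclass
class EmailTemplate:
    name: str              # the Name box
    sender: str            # the From box
    subject: str           # the Subject line
    parameters: List[str]  # the Parameters list
    message: str           # the Message box, with parameters dragged in


def render(template: EmailTemplate, values: Dict[str, str]) -> Tuple[str, List[str]]:
    """Fill every declared parameter from the event's values. Declared parameters
    the event did not supply are reported back and rendered as '(not available)';
    braces that are not a declared parameter are left as literal text."""
    missing = [p for p in template.parameters if p not in values]

    def fill(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name not in template.parameters:
            return match.group(0)
        return str(values.get(name, "(not available)"))

    return PLACEHOLDER.sub(fill, template.message), missing


def build_message(template: EmailTemplate, values: Dict[str, str]) -> EmailMessage:
    """Assemble the outgoing message. The body is sent as text/plain, so values
    taken from the event are delivered as text and never interpreted as markup."""
    body, _ = render(template, values)
    msg = EmailMessage()
    msg["From"] = template.sender
    msg["Subject"] = template.subject
    msg.set_content(body)
    return msg


# Constructed template, modelled on the server / destination computer parameters
# mentioned in the text. The sender address is a placeholder.
DISK_WARNING = EmailTemplate(
    name="Disk Warning",
    sender="TriGeo Manager <trigeo@example.com>",
    subject="TriGeo alert: disk warning",
    parameters=["Server", "DestinationComputer", "EventTime"],
    message=("A disk warning was raised on {Server} at {EventTime}.\n"
             "Destination computer: {DestinationComputer}.\n"
             "Undeclared braces such as {not_a_parameter} are left alone."),
)

# Constructed alert event; note it carries no EventTime.
SAMPLE_EVENT = {"Server": "srv-01", "DestinationComputer": "ws-17"}


if __name__ == "__main__":
    body, missing = render(DISK_WARNING, SAMPLE_EVENT)
    print(body)
    print("missing parameters:", missing)
    print(build_message(DISK_WARNING, SAMPLE_EVENT))
```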
Managing email template folders
As with rules and State Variables, you can use the Folders pane to organize your email templates
into folders and sub-folders. You can add, rename, move, and delete template folders. For instruction
on performing these tasks, see "Working with Group folders" on page 254.
Configuring State Variables
You can use the Groups grid to add, edit, and delete State Variables and the number, text, and time
fields associated with each State Variable.
State Variables are used in rules. They represent temporary or transitional states. For example, you
can create a State Variable to track the “state” of a particular system, setting it to a different value
depending on whether the system comes online or goes offline.
You can also configure rules to monitor the contents of a State Variable to validate or invalidate a rule.
For example, you can set a DEFCON value and ensure that the DEFCON value is over 3 before
notifying on-call staff.
The procedures in this section explain how to do the following:
• add and configure a new State Variable
• edit an existing State Variable field
• delete a State Variable field.
Note: If you require permanent lists of data that can be preserved over long periods of time, you can
use User-Defined Groups in a similar manner. For more information, see "Configuring User-Defined
Groups" on page 249.
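An added example for this edition (not TriGeo code) that ties two of this chapter's Group types to a rule: a DS Group used as a white list or blacklist to scope a filter, as described under "How to use Directory Services Groups", and a State Variable whose DEFCON value must be over 3 before on-call staff are notified. The account names, the event records and the DEFCON field are constructed.

```python
"""Added example: scoping events with a DS Group and gating a rule's action on a
State Variable. Group membership, events and the DEFCON value are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass
class DSGroup:
    """A DS Group synchronized from the directory service, keyed by SAM account name."""
    name: str
    members: Set[str]


@dataclass
class StateVariable:
    """A State Variable is a named Group of typed fields; here one Number field."""
    name: str
    fields: Dict[str, object]


def scope_events(events: Iterable[dict], group: DSGroup, mode: str) -> List[dict]:
    """Filter scoping with a DS Group: 'include' keeps only events from members
    (white list); 'exclude' drops events from members (blacklist)."""
    if mode not in ("include", "exclude"):
        raise ValueError(f"unknown mode {mode!r}")
    keep_members = mode == "include"
    return [e for e in events if (e["user"] in group.members) == keep_members]


def evaluate_rule(event: dict, high_risk: DSGroup, threat: StateVariable) -> List[str]:
    """The rule from the text: on malicious activity, disable the user if the
    account is in the high-risk DS Group, and notify on-call staff only while
    the DEFCON State Variable field is over 3."""
    actions: List[str] = []
    if event["alert"] != "MaliciousActivity":
        return actions
    if event["user"] in high_risk.members:
        actions.append(f"disable user {event['user']}")
    if int(threat.fields["DEFCON"]) > 3:
        actions.append("notify on-call staff")
    return actions


def resync(group: DSGroup, directory_members: Set[str]) -> Dict[str, Set[str]]:
    """Re-synchronize the DS Group from the directory service. Rules and filters
    that reference the Group see the new membership on their next evaluation
    without being edited; the returned diff is what changed."""
    added = directory_members - group.members
    removed = group.members - directory_members
    group.members = set(directory_members)
    return {"added": added, "removed": removed}


# Constructed sample data.
HIGH_RISK = DSGroup("High-Risk Users", {"contractor1", "tempadmin"})
THREAT_LEVEL = StateVariable("Threat Level", {"DEFCON": 4})
EVENTS = [
    {"alert": "MaliciousActivity", "user": "contractor1", "host": "ws-17"},
    {"alert": "MaliciousActivity", "user": "jdoe", "host": "ws-02"},
    {"alert": "LogonFailure", "user": "tempadmin", "host": "srv-01"},
]


if __name__ == "__main__":
    print("in scope (white list):", scope_events(EVENTS, HIGH_RISK, "include"))
    for e in EVENTS:
        print(e["user"], "->", evaluate_rule(e, HIGH_RISK, THREAT_LEVEL))
```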
Adding new State Variable fields
1. Open the Build ► Groups view.
2. In the Groups grid, do one of the following:
   • To add a new State Variable, click the add button and then click State Variable.
   • Double-click the State Variable you want to edit.
   • Click the gear icon for the State Variable you want to edit, and then click Edit.
The State Variables pane opens as an editable form. If you are editing an existing State
Variable, the form shows any fields that have already been configured.
3. In the Name box, type a name for the State Variable.
4. In the Manager list, select the Manager on which this State Variable is to reside. If you are
editing an existing Group, this field shows the Manager on which it resides.
Now you will add the State Variable fields that make up the Group. Adding State Variable
fields is a straightforward process. You simply name the field, and then select what the
variable represents—text, a number, or time.
5. Click the Add button.
The Add Variable Field form becomes active.
6. In the Name box, type a name for the State Variable field.
7. In the Type list, select the type of State Variable the field represents—Text, Number, or
Time.
8. Click the left Save button to save the field; otherwise, click Cancel.
The new State Variable field appears in the State Variables grid, showing the field’s name and
comparison type.
9. Repeat Steps 5–8 for each field you want to add to the State Variable.
10. Click the rightmost Save button to save the State Variable settings.
The new State Variable appears in the Groups grid and the Rule Builder’s State Variables
list. You can now incorporate this State Variable whenever you add or edit a rule.
Editing State Variable fields
1. Open the Build ► Groups view.
2. In the Groups grid, do either of the following:
• Double-click the State Variable you want to edit.
• Click the gear icon for the State Variable you want to edit, and then click Edit.
The State Variables pane opens as an editable form.
3. In the fields grid, select the State Variable field you want to edit.
The Add Variable Field form becomes active, showing the field’s current configuration.
4. Make the necessary changes to the field’s Name or Type.
5. Click the form’s Save button to apply your changes to the field.
The updated field appears in the fields grid.
6. Click the rightmost Save button to save your changes to the State Variable.
Deleting State Variable fields
1. Open the Build ► Groups view.
2. In the Groups grid, do either of the following:
• Double-click the State Variable you want to edit.
• Click the gear icon for the State Variable you want to edit, and then click Edit.
The State Variables pane opens as an editable form.
3. In the fields grid, select the field you want to delete.
4. Click the Delete button.
The field disappears from the fields grid.
5. Click Save to save the changes to the State Variable.
Managing State Variable folders
As with rules and email templates, you can use the Folders pane to organize your State Variables
into folders and sub-folders. You can add, rename, move, and delete State Variable folders. For
instruction on performing these tasks, see "Working with Group folders" on page 254.
Configuring Time of Day Sets
Time of Day Sets are Groups of hours that you can associate with rules and filters. Time of Day Sets
allow your rules and filters to take different actions at different times of day.
For example, if you define two different Time of Day Sets for “Business Hours” and “Outside
Business Hours,” you can assign different rules to each of these Time of Day Sets. For instance, you
may want your rules to alert your system administrator via email and pager during working hours.
Outside of business hours, you may want your rules to alert your administrator by pager only, and
automatically shut down the offending PC.
You can create as many Time of Day Sets as you need to reflect all of your business needs.
A well-planned group of Time of Day Sets provides you with versatile and responsive rules that
perform the way you want, when you want.
Each Time of Day Set you create only applies to the Manager that is selected when you create it. If
you need a similar Time of Day Set for another Manager, then you must create it separately with that
other Manager.
Configuring a Time of Day Set
1. Open the Build ► Groups view.
2. In the Groups grid, do either of the following:
• To add a new Time of Day Set, click the Add button and then click Time of Day Set.
• Double-click the Time of Day Set you want to edit.
The Edit pane opens, showing the Time of Day Set form.
3. In the Name box, type a name for the new Time of Day Set.
4. In the Description box, type a brief description of the Time of Day Set and its intended use.
5. In the Manager list, select the Manager on which this Time of Day Set is to reside. If you are
editing an existing Group, this field shows the Manager on which it resides.
The form has a time grid that lets you define a Time of Day Set for the Manager. The time grid
is based on a one-week period, and is organized as follows:
• It has seven rows, where each row represents one day of the week.
• It has 24 numbered columns, where each column represents one hour of the day. The white column headers represent morning hours (midnight to noon). The shaded column headers represent evening hours (noon to midnight).
• Each column has two check boxes that divide each hour into two half-hour (30-minute) periods.
Together, the rows, columns, and check boxes divide an entire week into 30-minute periods.
6. In the time grid, click to select the half-hour periods that are to define this Time of Day Set. For
assistance, see the table in the topic, below.
7. Click Save.
The new Time of Day Set appears in the Groups grid.
Selecting periods in the time grid
The following table explains how to select periods in the Time of Day Sets time grid.
• To select a period: click an individual check box to select that period.
• To select a group of periods: click and drag to select a range of periods. You can drag up, down, or diagonally.
• To clear a selected period: click the check box to clear that selection. You can also click and drag over a range of selected periods to clear those selections.
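The following is an added example, not code from the TriGeo product or this guide: it models a Time of Day Set as the same 7-day by 48-half-hour grid described above, with click-and-drag select and drag-to-clear as range operations, and then shows how two sets ("Business Hours" and its complement "Outside Business Hours") send an alert to different actions depending on when it arrives. The Manager name, set names, actions, and timestamps are constructed for the example; how the real Console stores the grid internally is not documented on this page.

```python
from datetime import datetime

# Constructed example (not TriGeo code): a Time of Day Set modeled as the
# Console's 7-row x 24-column grid with two half-hour check boxes per hour.
DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")
SLOTS_PER_DAY = 48  # 24 hour columns x 2 half-hour check boxes


def slot_index(hhmm):
    """Map 'HH:MM' on a half-hour boundary to a slot number 0..48.

    48 ('24:00') is only valid as an exclusive end of a range.
    """
    hours, minutes = (int(part) for part in hhmm.split(":"))
    if minutes not in (0, 30) or not 0 <= hours <= 24 or (hours == 24 and minutes):
        raise ValueError("not a half-hour boundary: %s" % hhmm)
    return hours * 2 + minutes // 30


def parse_when(when):
    """Accept a datetime or an alert timestamp such as '2010-06-07 09:15'."""
    if isinstance(when, datetime):
        return when
    return datetime.strptime(when, "%Y-%m-%d %H:%M")


class TimeOfDaySet:
    """One Time of Day Set: the selected half-hour periods of one week."""

    def __init__(self, name, manager):
        self.name = name
        self.manager = manager  # a set applies only to the Manager it was created on
        self.grid = [[False] * SLOTS_PER_DAY for _ in DAYS]

    def select(self, days, start, end, selected=True):
        """Click-and-drag over a block of days and the periods [start, end).

        selected=False is the drag-to-clear operation from the table above.
        """
        first, last = slot_index(start), slot_index(end)
        if first >= last:
            raise ValueError("end must be after start")
        for day in days:
            row = self.grid[DAYS.index(day)]
            for slot in range(first, last):
                row[slot] = selected

    def contains(self, when):
        """True if the alert time falls in a selected half-hour period."""
        when = parse_when(when)
        return self.grid[when.weekday()][when.hour * 2 + when.minute // 30]

    def complement(self, name):
        """A second set covering exactly the periods this one leaves unselected."""
        other = TimeOfDaySet(name, self.manager)
        other.grid = [[not cell for cell in row] for row in self.grid]
        return other

    def selected_periods(self):
        return sum(sum(row) for row in self.grid)


def build_example_sets(manager="manager-1"):
    """Business Hours = Mon-Fri 08:00-18:00, except Friday 17:00-18:00 (cleared)."""
    business = TimeOfDaySet("Business Hours", manager)
    business.select(DAYS[:5], "08:00", "18:00")                     # drag across Mon-Fri
    business.select(("Fri",), "17:00", "18:00", selected=False)     # drag to clear
    outside = business.complement("Outside Business Hours")
    return business, outside


def actions_for(alert_time, policy):
    """policy: list of (TimeOfDaySet, actions). Return the actions of every
    rule whose Time of Day Set covers alert_time, in policy order."""
    chosen = []
    for tod_set, actions in policy:
        if tod_set.contains(alert_time):
            chosen.extend(actions)
    return chosen


if __name__ == "__main__":
    business, outside = build_example_sets()
    policy = [
        (business, ["email_admin", "page_admin"]),
        (outside, ["page_admin", "shutdown_offending_pc"]),
    ]
    for when in ("2010-06-07 09:15", "2010-06-11 17:30", "2010-06-12 10:00"):
        print(when, actions_for(when, policy))
```

Because the two sets are complements, every alert matches exactly one of them; if you build sets by hand instead, check for gaps and overlaps with `selected_periods()` before relying on them, since a period no set covers is a period in which no rule fires.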
Configuring Tool Profiles
Most Agents in a network have only a few different tool configurations. Because of this, the Group
Builder lets you group Agents that share the same tool configuration into Tool Profiles. Once you
define a Tool Profile, your rules and filters can use it to include or exclude the Agents associated with
that profile.
You can create as many Tool Profiles as you need to reflect each of your common network security
tool configurations. For example, you might set up a standard user workstation profile, a web server
profile, etc. TriGeo provides several default Tool Profiles that address common configurations.
One of the great benefits of using Tool Profiles is that you can maintain all of the Agents in a profile at
once by updating only the Tool Profile’s tool configuration. The Group Builder then propagates your
changes to all of the Agents in the profile.
A well-planned set of Tool Profiles provides you with a versatile and efficient method to update and
maintain your Agents’ tool configurations.
Tool Profile rules
• An Agent can only be a member of one Tool Profile. It cannot be in multiple profiles.
• Each Tool Profile you create only applies to the Manager that is selected when you create it. If you need a similar Tool Profile for another Manager, you must create it separately for the other Manager.
Creating a Tool Profile (general procedure)
Tool Profiles are created in the Build ► Groups view. Creating a Tool Profile is a two-step process:
1. Select the Agent that is to act as a template for the profile.
2. Add the Agents that are to be members of the profile.
Upon saving, the system applies the template Agent’s tool configuration to every other Agent
that you added to the profile.
When you select an Agent for use as a template, select one whose tool configuration is as close as
possible to how you want the profile's final tool configuration to look.
One trick is to prepare a template Agent in advance, by manually configuring an Agent that you know
will be a member of the new profile. Edit its tools to get them exactly how you want them. Then use
the Agent as the template for the new profile. This minimizes your need to edit the profile’s tool
configuration later on.
The complete procedure for creating a Tool Profile is given below.
Step 1: Selecting a template for the profile
In this procedure, you will create, name, describe, and select a template for the new Tool Profile.
To create a Tool Profile:
1. Open the Build ► Groups view.
2. On the Groups grid toolbar, click the Add button and then click Tool Profile.
The Tool Profile form appears.
3. In the Name box, type a name for the Tool Profile.
4. In the Description box, type a brief description of the Tool Profile and its intended use.
5. In the Manager list, select the Manager on which this Tool Profile is to reside. If you are editing
an existing Group, this field shows the Manager on which it resides.
Note: If the Manager you want is not listed, go to Manage ► Appliances and log on to that
Manager. You must be logged on to a Manager before you can create Groups for it.
6. In the Template list, select the Agent with the tool configuration this profile is to be based on.
If you do not want to use a template, select None.
Note: For best results, always select a template when creating a new Tool Profile. Otherwise,
the profile starts with no tools, and saving it deletes the tools on every Agent in the profile.
If you do not want to use a template, be sure to click Edit Tools and add tools to the profile
before you add Agents and save the profile. If you do not, the profile contains no tools, and upon
saving, every Agent in the profile will have its tools deleted.
7. Click Save.
The new Tool Profile appears in the Groups grid.
Step 2: Selecting the Agents that are members of the profile
Now you will select the Agents that are to be members of the Tool Profile. These Agents will be
governed by the Tool Profile’s tool configuration.
The Tool Profile form contains two list boxes. The Available Agents box lists each Agent that is
associated with the Manager but is not in the Tool Profile. The Selected Agents box lists those
Agents that are in the Tool Profile.
To add Agents to a Tool Profile:
1. In the Groups grid, locate the new Tool Profile you just created.
2. Double-click the Tool Profile to re-open it.
The profile appears in the Tool Profile form. As you can see, the Agent you selected as a
template appears in the Selected Agents list, by default.
3. In the Available Agents list, select an Agent that you want to add to the Tool Profile. Or, in
the Selected Agents list, select an Agent that you want to remove from the Tool Profile.
4. Use the arrow buttons to add or remove Agents to or from the profile:
• The single add arrow moves the selected Agent from the Available Agents list to the Selected Agents list (and into the profile).
• The add-all arrow moves all Agents from the Available Agents list to the Selected Agents list (and into the profile).
• The single remove arrow moves the selected Agent from the Selected Agents list back to the Available Agents list (and out of the profile).
• The remove-all arrow moves all Agents from the Selected Agents list back to the Available Agents list (and out of the profile).
5. Click Save to save the Tool Profile.
Upon saving, the system applies the template Agent’s tool configuration to every other Agent
that you added to the profile.
Note: If you remove an Agent from a Tool Profile (that was previously saved with that profile),
the Agent retains the profile's tool configuration, but will no longer have membership in the
profile.
Troubleshooting tip
At times, not all of the Agents in a Tool Profile use the same logging path for a particular tool. You
can verify this by checking each Agent's configured tool status. If a tool has a status of Not
Running on an Agent, it is likely that the tool uses a different logging path on that Agent.
To correct this problem, you may want to add another tool instance to the profile’s tool catalog that
points to the alternative logging path. Or, you can create a new profile that has the alternative logging
path.
Editing a Tool Profile’s tool settings
When editing a Tool Profile, you can use the Tool Profile form’s Edit Tools command to add, edit, or
delete the tool instances associated with the profile. When doing this, be aware that when you
change a Tool Profile, you change the tool configuration of every Agent that is associated with that
Tool Profile.
When editing an individual Agent, you have to stop and start each tool instance, because you are
making direct changes to the running configuration of the Agent. But when editing a Tool Profile's tool
configuration, you do not need to stop or start each tool instance. However, you must still activate
the changes.
This difference is because any time you edit a Tool Profile’s tool configuration, you are working on the
profile’s configuration data, not an actual Agent. When editing a Tool Profile, you do not actually
change the Agents that are members of the profile until you click Activate. Upon activating, the
system automatically sends the changes out to every Agent that is a member of that profile, stops
each tool instance, makes the changes, and then restarts each tool instance.
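The following is an added example, not TriGeo code, that models the behaviour this section and the "Creating a Tool Profile" procedure describe: a profile copies its template Agent's tool configuration, Save pushes that configuration to every member, an Agent removed from a profile keeps the tools it was last given, and tool edits are staged until Activate pushes them with a stop/change/restart cycle on each member. Agent names, tool names, and the Manager name are constructed, and the `allow_empty` guard on `save()` is an added safeguard for the "no template, no tools" failure mode the Note warns about, not a product option.

```python
import copy

# Constructed example (not TriGeo code): Tool Profile propagation semantics.


class Agent:
    def __init__(self, name, tools=None):
        self.name = name
        self.tools = tools or {}      # tool instance name -> settings
        self.profile = None           # an Agent belongs to at most one profile


class ToolProfile:
    def __init__(self, name, manager, template=None):
        self.name = name
        self.manager = manager        # a profile applies only to one Manager
        self.members = []
        # With a template, start from a copy of its tools; otherwise start empty.
        self.tools = copy.deepcopy(template.tools) if template else {}
        self.pending = None           # staged tool edits awaiting Activate
        if template:
            self.add_agent(template)  # the template is a member by default

    def add_agent(self, agent):
        if agent.profile is not None and agent.profile is not self:
            raise ValueError("%s is already in profile %s" % (agent.name, agent.profile.name))
        if agent not in self.members:
            self.members.append(agent)
        agent.profile = self

    def remove_agent(self, agent):
        """The Agent leaves the profile but keeps the tools last pushed to it."""
        self.members.remove(agent)
        agent.profile = None

    def save(self, allow_empty=False):
        """Save: apply the profile's tools to every member (template included)."""
        # allow_empty is an added safeguard, not a product setting: an empty
        # profile would delete the tools on every member Agent.
        if not self.tools and not allow_empty:
            raise ValueError("profile %s has no tools; saving would wipe its members" % self.name)
        for agent in self.members:
            agent.tools = copy.deepcopy(self.tools)

    def edit_tools(self, changes):
        """Edit Tools: stage adds/edits (settings) or deletes (None) without
        touching any Agent. Repeated edits accumulate until Activate or Discard."""
        staged = copy.deepcopy(self.pending if self.pending is not None else self.tools)
        for name, settings in changes.items():
            if settings is None:
                staged.pop(name, None)
            else:
                staged[name] = settings
        self.pending = staged

    def discard(self):
        """Discard: drop staged edits and keep the previous configuration."""
        self.pending = None

    def activate(self):
        """Activate: push staged edits to every member, stopping and restarting
        its tools around the change. Returns the stop/start sequence."""
        if self.pending is None:
            return []
        self.tools, self.pending = self.pending, None
        log = []
        for agent in self.members:
            log.append("stop " + agent.name)
            agent.tools = copy.deepcopy(self.tools)
            log.append("start " + agent.name)
        return log


def run_scenario():
    """Create from a template, add members, save, remove a member, stage
    edits, then activate. Returns the objects to inspect afterwards."""
    template = Agent("ws-001", {"Windows Event Log": {"path": "Security"},
                                "Antivirus Log": {"path": "av.log"}})
    ws2, ws3 = Agent("ws-002"), Agent("ws-003", {"Old Tool": {}})
    profile = ToolProfile("Standard Workstation", "manager-1", template=template)
    profile.add_agent(ws2)
    profile.add_agent(ws3)
    profile.save()                       # template config pushed to ws-002 and ws-003
    profile.remove_agent(ws3)            # ws-003 keeps its tools, leaves the profile
    profile.edit_tools({"USB Monitor": {"path": "usb"}, "Antivirus Log": None})
    staged_only = ws2.tools == profile.tools and "USB Monitor" not in ws2.tools
    log = profile.activate()
    return {"profile": profile, "template": template, "ws2": ws2, "ws3": ws3,
            "staged_only": staged_only, "log": log}


if __name__ == "__main__":
    result = run_scenario()
    print(result["log"])
    print(sorted(result["ws2"].tools), "| ws-003 retained:", sorted(result["ws3"].tools))
```

The points worth checking in practice are the two the guide calls out: saving a profile replaces the whole tool set on every member (so `ws-003` lost its "Old Tool" on the first save), and nothing you stage under Edit Tools reaches an Agent until you click Activate.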
Opening a Tool Profile’s tool settings
1. Open the Build ► Groups view.
2. In the Groups grid, locate the Tool Profile you want to edit.
3. Do one of the following:
• Double-click the Tool Profile you want to edit.
• Click the gear button and then click Edit.
The Tool Profile pane opens, showing the Agents that are in the profile.
4. At the bottom of the Tool Profile form, click Edit Tools.
The Tool Configuration for [Tool Profile] form appears. The form’s Tools grid contains all
of the tool instances that define the Tool Profile.
Adding a new tool instance
1. On the Tools grid, select the tool you want to configure.
2. Click New.
3. In the Properties form, update the tool settings, as needed:
• To configure a sensor that will gather data from the product's event log data, see "Configuring sensors" on page 365.
• To configure an actor that will allow the Manager to perform active responses, see "Configuring actors" on page 368.
• To configure a notification setting that will allow the Manager to notify users of alert events via email, see "Setting up a notification system" on page 371.
4. Click Save.
5. Do one of the following:
• Click Activate to apply your changes to every Agent associated with the Tool Profile.
• Click Discard to discard your changes and reload the tools' previous configuration.
6. Click Close to return to the Groups grid.
Editing a tool instance in a Tool Profile
1. In the Tools grid, select the tool instance you want to edit.
2. Click the row’s gear
button and then click Edit.
3. In the Properties form, update the tool settings, as needed:
• To configure a sensor that will gather data from the product's event log data, see "Configuring sensors" on page 365.
• To configure an actor that will allow the Manager to perform active responses, see "Configuring actors" on page 368.
• To configure a notification setting that will allow the Manager to notify users of alert events via email, see "Setting up a notification system" on page 371.
4. Click Save.
5. Do one of the following:
• Click Activate to apply your changes to every Agent associated with the Tool Profile.
• Click Discard to discard your changes and reload the tools' previous configuration.
At times, not all of the Agents in a profile will use the same logging path for a particular tool.
You can verify this by checking the Agent's configured tool status. If a tool has a status of
Not Running, it is likely that tool has a different logging path.
To correct this problem, you may want to add another tool instance to the profile’s tool catalog
that points to the alternative logging path. Or, you can create a new profile that has the
alternative logging path.
6. Repeat this procedure for each tool instance you want to reconfigure.
7. Click Close to return to the Groups grid.
Deleting a tool instance from a Tool Profile
1. In the Tools grid, click to select the tool instance you want to delete.
2. Click the gear button and then click Delete.
3. At the confirmation prompt, click Yes.
4. Do one of the following:
• Click Activate to apply your changes to every Agent associated with the Tool Profile.
• Click Discard to discard your changes and reload the tools' previous configuration.
5. Click Close to return to the Groups grid.
Configuring User-Defined Groups
User-Defined Groups are groups of preferences that are used in rules and filters. User-Defined
Groups allow you to match, include, or exclude events, information, or data fields based on their
membership in a particular Group.
This section includes examples of User-Defined Groups, as well as the procedures for performing the
following tasks:
• Configuring a User-Defined Group
• Configuring data elements for a User-Defined Group
• Editing an existing data element in a User-Defined Group
• Deleting a data element from a User-Defined Group
Examples of User-Defined Groups
In most cases, User-Defined Groups are used as a whitelist or blacklist for choosing which
events to include or to ignore. When used by a filter, a User-Defined Group lets you limit the scope of
the alerts included in the filter to those items that have membership in a particular Group.
Each User-Defined Group is made up of one or more elements that define the Group. The elements
can be almost anything: IP addresses, user names, email addresses, web site URLs, etc. Because
of their versatility, the possibilities of User-Defined Groups are almost endless.
For example, you may want to create a Group of trusted IP addresses that you can use in rules and
filters. You can then refer to this Group in a rule. For instance, your rule may dictate to never block
these IP addresses.
Or you may want to create a Group of trusted accounts for the local administrator. You could then
format your rules so that they never block these accounts. Or, because these accounts are trusted,
you may want to watch them more carefully so that you are notified whenever they log on or make
changes.
You can create as many User-Defined Groups as you need to reflect all of your different rule and
filtering needs. Well-planned User-Defined Groups can provide you with the precise feedback and active
responses you need to manage and maintain your network security.
Each User-Defined Group you create only applies to the Manager that is selected when you create it.
If you need a similar User-Defined Group for another Manager, then you must create it separately with
that other Manager.
Configuring a User-Defined Group
1. Open the Build ► Groups view.
2. In the Groups grid, do one of the following:
• To add a new User-Defined Group, click the Add button and then click User-Defined Group.
• Double-click the User-Defined Group you want to edit.
The Edit pane opens, showing the User-Defined Group form. If you are editing an existing
User-Defined Group, the form shows any parameters that have already been configured for the
Group.
3. In the Name box, type a name for the Group.
4. In the Description box, type a brief description of the Group and its intended use.
5. In the Manager list, select the Manager on which this Group resides. If you are editing an existing Group, this field shows the Manager on which it resides.
6. Make any necessary additions, changes, or deletions to the Group’s Element Details grid, as
described below in "Adding data elements to a User-Defined Group."
7. Click Save to save your changes to the User-Defined Group.
Adding data elements to a User-Defined Group
Once you have created a User-Defined Group, you can add the data elements that make up the
Group.
To add a User-Defined Group’s data elements:
1. Open the Build ► Groups view.
2. In the Groups grid, double-click the User-Defined Group you want to work with.
The Edit pane opens, showing the Group’s current configuration.
3. At the bottom of the Edit pane, click the Add button.
The Element Details form becomes active.
4. Complete the Element Details form as described in the following table.
• Name: Type a name for the data element.
• Data: Type the specific data element that you want to include or ignore in your rules and filters. You can use an asterisk ( * ) as a wildcard to include all similar data elements.
• Description: Type a detailed description of the data element and its intended use, if appropriate.
For example, a Group's data elements might be a list of anti-virus and firewall process names.
5. Click Save.
The new element appears in the data element grid. Note that the table displays each element’s
name, data element, and description.
6. Repeat Steps 3–5 for each data element you want to add to the Group.
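The following is an added example, not TriGeo code, that ties together the "Examples of User-Defined Groups" discussion and the element form above: a Group is a named list of data elements in which only the asterisk is a wildcard (so the dots in an IP address match literally), a filter can include or exclude events by Group membership, and a rule can consult a "trusted IPs" Group before blocking and a "trusted admin accounts" Group before notifying. The Group names, elements, event fields, and sample alerts are all constructed for the example; the Console's own matching rules (for instance, case sensitivity) are not documented on this page, so the case-insensitive match here is an assumption.

```python
import re

# Constructed example (not TriGeo code): User-Defined Groups as whitelists/blacklists.


class UserDefinedGroup:
    def __init__(self, name, manager, description=""):
        self.name = name
        self.manager = manager          # a Group applies only to one Manager
        self.description = description
        self.elements = []              # (name, data, description, compiled pattern)

    def add_element(self, name, data, description=""):
        """Add one data element; '*' is the only wildcard."""
        # Escape everything except '*' so '.' in an IP or '?' in a URL is literal.
        regex = "^" + ".*".join(re.escape(part) for part in data.split("*")) + "$"
        # Case-insensitive matching is an assumption, not documented product behaviour.
        self.elements.append((name, data, description, re.compile(regex, re.IGNORECASE)))

    def matches(self, value):
        """True if the value is a member of the Group."""
        return any(pattern.match(value) for _, _, _, pattern in self.elements)


def filter_events(events, field, group, include=True):
    """Limit a filter's scope to events whose field is (include=True) or is
    not (include=False) a member of the Group."""
    return [event for event in events if group.matches(event.get(field, "")) == include]


def build_example_groups(manager="manager-1"):
    trusted_ips = UserDefinedGroup("Trusted IPs", manager, "never block these")
    trusted_ips.add_element("management jump host", "10.0.0.5")
    trusted_ips.add_element("vulnerability scanner subnet", "10.0.9.*")
    admins = UserDefinedGroup("Trusted Admin Accounts", manager, "watch logons closely")
    admins.add_element("built-in local admin", "Administrator")
    admins.add_element("operations team accounts", "ops-*")
    return trusted_ips, admins


def respond(event, trusted_ips, admins):
    """Rule logic: block an attacking IP unless it is trusted; notify on every
    logon by a trusted admin account. Returns the actions to take."""
    actions = []
    if event["type"] == "attack" and not trusted_ips.matches(event["src_ip"]):
        actions.append("block_ip:" + event["src_ip"])
    if event["type"] == "logon" and admins.matches(event["user"]):
        actions.append("notify:admin_logon:" + event["user"])
    return actions


SAMPLE_EVENTS = [  # constructed sample alerts, not real log data
    {"type": "attack", "src_ip": "10.0.9.17", "user": ""},     # scanner: trusted
    {"type": "attack", "src_ip": "10.0.90.17", "user": ""},    # not in 10.0.9.*
    {"type": "attack", "src_ip": "203.0.113.4", "user": ""},
    {"type": "logon", "src_ip": "10.0.0.5", "user": "ops-jane"},
    {"type": "logon", "src_ip": "10.0.0.5", "user": "jdoe"},
]


if __name__ == "__main__":
    trusted_ips, admins = build_example_groups()
    for event in SAMPLE_EVENTS:
        print(event["type"], event["src_ip"], event["user"], "->",
              respond(event, trusted_ips, admins))
    untrusted = filter_events(SAMPLE_EVENTS, "src_ip", trusted_ips, include=False)
    print("events from untrusted sources:", [e["src_ip"] for e in untrusted])
```

The escaping matters more than it looks: written as a plain regular expression, the element `10.0.9.*` would also match `10.0.90.17` and `1000939`, so an attacker in an adjacent subnet would land on the "never block" list.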
Editing a data element in a User-Defined Group
1. Open the Build ► Groups view.
2. In the Groups grid, double-click the User-Defined Group you want to work with.
The Edit pane opens, showing the Group’s current configuration.
3. In the form’s data element grid, select the data element you want to edit.
The Element Details form displays the data element’s current configuration.
4. Make the necessary changes to the Element Details form.
5. Click Save to save your changes to the Group.
The revised data element appears in the data element grid.
Deleting a data element from a User-Defined Group
1. Open the Build ► Groups view.
2. In the Groups grid, double-click the User-Defined Group you want to work with.
The Edit pane opens, showing the Group’s current configuration.
3. In the form’s data element grid, select the data element you want to delete.
4. Click the Delete button.
The element is removed from the Group’s data element grid.
5. Click Save to save the changes to the Group.
Working with Group folders
In the Build ► Groups view, the Folders pane lets you categorize and organize your State Variables
and Email Templates. The Folders pane behaves just like the folders in an operating system. You can
create folders and sub-folders, and you can move, rename, and delete folders.
The topics in this section explain how to manage your Group folders.
Note: The Folders pane is disabled whenever you are working with a
Group that does not support folders.
Default Group folders
The Folders panes for Email Templates and State Variables each have their own set of default
folders.
Default Email Template folders
In the Build ► Groups view, the Folders pane has two fixed top-level Email Templates folders.
Each folder contains the Email Templates that are currently configured for its corresponding Group
list.
• The Email Templates folder contains your own custom Email Templates and allows you to organize them into your own custom set of sub-folders.
• The NATO5 Templates folder contains TriGeo's predefined Email Templates. TriGeo provides these through automatic or manual updates.
To help ensure that you can always go back to a secure starting point, TriGeo recommends that you
do not edit the templates in the NATO5 Templates folder. Instead, you can clone a copy of any of
these pre-defined templates and then store the cloned copy in a custom Email Templates folder.
You may then edit the cloned copy as you see fit.
Default State Variable folders
• The State Variables folder contains your own custom State Variables and allows you to organize them into your own custom set of sub-folders.
Showing and hiding sub-folders
In the Build ► Groups view, the Folders pane is organized as a hierarchical node tree of folders and
sub-folders. By default, the tree is collapsed, showing only the top level of folders. This procedure
explains how to show and hide the pane’s sub-folders.
To open (expand) a folder to see its sub-folders:
• Click a folder with an ► icon to open the folder and show its first level of sub-folders.
To close (collapse) a folder to hide its sub-folders:
• Click a folder with a ▼ icon to close the folder and hide its sub-folders.
Showing the contents of a Group folder
Select a Group folder in the Folders pane to display the contents of that folder and its sub-folders in
the grid.
To view the contents of a State Variable folder:
1. Open the Build ► Groups view.
By default, the Groups grid lists all of your Groups.
2. Do either of the following:
• In the Groups grid, select a State Variable.
• In the Refine Results form's Type list, select State Variable. Then, in the Groups grid, select a State Variable.
The Folders pane becomes active, expanding and highlighting the folder that is associated
with the State Variable you selected in the Groups grid. The Groups grid also lists any other
State Variables that are stored in the same folder or any of its sub-folders.
3. View the relationship between a State Variable and its folder as follows:
• In the Folders pane, click a folder to have the Groups grid display the State Variables stored within that folder and any of its sub-folders.
• In the Groups grid, click a State Variable. The Folders pane then highlights the folder that variable is stored in.
To view the contents of an Email Template folder:
1. Open the Build ► Groups view.
By default, the Groups grid lists all of your Groups.
2. Do either of the following:
• In the Groups grid, select an Email Template.
• In the Refine Results form's Type list, select Email Template. Then, in the Groups grid, select an Email Template.
The Folders pane becomes active, expanding and highlighting the folder that is associated
with the template you selected in the Groups grid. The Groups grid also lists any other
templates that are stored in the same folder or any of its sub-folders.
3. View the relationship between an Email Template and its folder as follows:
• In the Folders pane, click a folder to have the Groups grid display the Email Templates stored within that folder and any of its sub-folders.
• In the Groups grid, click an Email Template. The Folders pane then highlights the folder that template is stored in.
Adding Group folders and sub-folders
Whenever needed, you can add new Group folders and sub-folders to the Folders pane. This allows
you to organize your State Variables and Email Templates in a manner that makes them easy to
organize and identify.
To add a new Group folder:
1. Open the Build ► Groups view.
2. In the Refine Results form's Type list, select either Email Template or State Variable, as
appropriate for the Group for which you are creating a folder.
The Groups grid lists the Groups associated with the Group type you selected.
3. In the Groups grid, click a Group name to activate the appropriate Folders pane.
4. In the Folders pane, select the folder for which you want to create a sub-folder. If needed,
click the folder’s ► icon to view the folder’s sub-folders, if present.
5. Click the Add button at the bottom of the Folders pane.
A new sub-folder appears with the default name "folder".
6. Double-click the new folder.
The folder becomes highlighted and its name is surrounded by an editable box.
7. Type a name for the new folder, and then press Enter.
You may now store items in the new folder.
Renaming a Group folder
When needed, you can rename your own custom Group folders in the Folders pane. However, you
may not rename any of the Console’s preconfigured folders.
To rename a folder:
1. Open the Build ► Groups view.
2. In the Folders pane, double-click the folder you want to rename.
A box appears around the folder, and its name becomes editable.
3. Type a new name for the folder, and then press Enter.
The folder appears in the Folders pane with its new name.
Moving Group folders
When needed, you can rearrange Group folders by moving them around. However, all of the folders
must be of the same Group type. For example, you can move a State Variable folder to another
State Variable folder or sub-folder. But you cannot move a State Variable folder to an Email Template
folder or sub-folder. Moving a folder moves the entire contents of that folder, including any of its sub-folders.
To move a Group folder:
1. Open the Build ► Groups view.
2. In the Folders pane, select the folder that is to be the new parent of the folder you want to
move.
3. Click the folder’s ► icon to open the folder and view its sub-folders.
4. Now select the folder you want to move, and then drag and drop it just below its new parent
folder. When the pointer is in the correct position, a black line will appear below the parent
folder.
The folder you moved now appears with its new parent folder.
Moving Groups from one folder to another
You can use the Folders pane and the Groups grid to move State Variables and Email Templates
from one folder to another.
Moving Groups has the following restrictions:
• Pre-configured TriGeo Group folders cannot be moved. However, you can clone copies of these Groups and then place the copies in your custom folders.
• You may only move Groups into folders that are associated with the same Manager as the Groups you are moving. All other folders are disabled.
• When moving a Group, you must move it to a folder for the same type of item. For example, you cannot move an Email Template to a State Variable folder, or vice versa. However, you can move an Email Template from one Email Template folder to another.
To move a Group from one folder to another:
1. Open the Build ► Groups view.
2. In the Folders pane, click the folder that contains the State Variable or Email Template you
want to move.
The Groups grid displays the items that make up the contents of that folder.
3. In the Groups grid, select the Variable or Email Template you want to move. Then drag it to
the Folders pane and drop it in the folder you want to move it to.
By default, the Folders pane shows an expanded folder tree. This allows you to easily select a
new folder for the item you are moving. Only those folders that are associated with the same
Manager as the State Variable or Email Template you are moving are available.
In the Folders pane, the Variable or Email Template now appears in the new folder.
Deleting a Group folder
When needed, you can delete a Group folder. However, doing so also deletes the contents of the
folder, including any sub-folders. So be sure to move or archive any State Variables or Email
Templates you want to save before deleting a folder.
To delete a folder:
1. Open the Build ► Groups view.
2. In the Folders pane, click to select the folder or sub-folder you want to delete.
3. Click the Delete button.
4. At the Confirm Delete prompt, click Yes to delete the folder; otherwise, click No.
The folder and its sub-folders disappear from the Folders pane.
Chapter 9: Managing rules
About rules
The Console’s Build ► Rules view is used to create, configure, and manage your rules. Rules are
used to monitor and respond to alert traffic. They allow you to automatically notify or respond to
security events in real time, whether you are monitoring the Console or not. When an alert (or a series
of alerts) meets a rule's conditions, the rule automatically prompts the Manager to take action, such
as notifying the appropriate users, or performing a particular active response (such as blocking the IP
address or stopping a particular process).
The Console ships with a set of preconfigured rules that you can begin using immediately. However,
you can use the view's Rule Creation tool to create your own custom rules and your own variations
on any existing rules.
Note: Each rule you create only applies to the Manager that is selected when you create the rule. If
you need a similar rule for another Manager, you must create it separately on the other Manager; or
you can export the rule, and then import it from the other Manager’s Rules grid.
Rules view features
This topic describes the key features of the Rules view and the Rules grid, and explains how to
refine the Rules grid.
Rules view features
The Rules view
The following table describes the key features of the Build ► Rules view.
Item
Name
Description
Sidebar
Click this button to alternately hide and show the Refine Results and
Folders panes.
262
Rules view features
Item
Name
Description
Refine
Results
This form lets you apply filters to the Rules grid to reduce the number of
rules it shows. See "Refine Results form" on page 266, below.
Folders
pane
The Folders pane lets you create folders and sub-folders for organizing
your rules. Clicking a folder in the Folders pane causes the Rules grid
to display only the rules from that folder and its sub-folders.
You can add, rename, move, and delete folders, and you can move
rules from one folder to another. For more information, see "Working
with rule folders" on page 282.
Rules grid
The Rules grid manages all rules that are configured for all of the
Managers that are connected to the Console. If the same rule is
configured for more than one Manager, it appears multiple times—once
for each Manager it is associated with. Like other grids, the Rules grid
can be sorted.
Activate Rules
Click this button to activate any new rule changes.
Subscribe
Use this list to select which Console users are to subscribe to a
particular rule. This means the system will notify the subscribing users'
Consoles each time the rule triggers an alert. The alert appears in their
Monitor view’s alert grid.
Click this button whenever you want to create a new rule. It opens the
Rule Builder form, which lets you configure custom policy rules by
dragging and dropping the rule’s attributes into correlation and action
boxes.
Click this button to open a menu of commands that you can perform on
one or more selected rules. There are commands to Edit (to open the
rule in the Rule Creation form), Enable, Disable, Test On, Test Off,
Delete, Import, and Export.
ToolTips
If you point to a cell in the grid that is partially hidden, a ToolTip
appears, displaying the entire contents of that cell. This is a great way
to view the complete description of a particular rule.
Rules grid columns
The Rules grid contains all policy rules that are configured for all Managers that are connected to the
Console. The Manager column indicates which Manager each rule applies to.
By default, the view shows the rules from the Custom Rules folder in the Folders pane. If you do not
have any custom rules, then click the TriGeo Rules folder to list the rules that the Console ships
with.
The following table describes the meaning of each column in the Rules grid. Columns are listed in
their default order, from left to right.
Column
Description
The gear button in each row opens a menu of commands that you can perform
on the item that is currently selected in the grid. These commands let you edit,
enable, disable, test, clone, and delete the selected rule.
Enabled
Indicates whether or not the rule is enabled and ready for use with your policies.
means the rule is enabled and is in active use.
means the rule is disabled, and is not in use.
Test
Indicates whether or not the rule is in test mode. When a rule is in test mode, it
causes alerts to appear in the Console, but it cannot perform any active
responses. This lets you see how the rule would behave when it is fully
enabled, but without risking any negative unintended consequences.
means the rule is in test mode.
means the rule is not in test mode.
Note: A rule must be Enabled before you can test it.
Name
The name of the rule.
Description
A description of the rule. Pointing to this field displays the complete description
as a ToolTip.
Folder
The name of the folder (in the Folders pane) in which the rule is stored.
Created By
The name of the Console user who created the rule.
Created Date
The date the rule was created.
Modified By
The name of the Console user who last modified the rule.
Modified Date
The date and time on which the rule was last modified.
Manager
The Manager the rule is associated with.
Refine Results form
You can use the Refine Results form to refine the Rules grid. The form behaves like a search
engine, letting you apply filters to the Rules grid to reduce the number of rules it shows.
When you select options in the Refine Results pane, the grid refreshes to show only those items that
match the refinement options you have selected. The other items in the grid are still there; however,
they are hidden. To restore them, simply click the Reset button or select All in the refinement lists
you are using.
The following table explains how to use the Refine Results form.
Field
Description
Reset
Click Reset to clear the form. This returns the form and the Rules grid to their
default settings.
Search
Use this Search field to perform keyword searches for specific rules. To
search, type the text you want to search for in the text box. The grid displays
only those rules whose Name fields match or include the text you entered.
Enabled
Click this check box to show only those rules that are Enabled. Clear this
check box to show both Enabled and Disabled rules.
Test
Click this check box to show only those rules that are in test mode. Clear this
check box to show rules that are both in and out of test mode.
Manager
Select a Manager to have the grid display only the rules that are associated
with that Manager.
Created By
Select the name of the Console user who created the rule to have the grid
display only rules created by that user.
Created Date Range
Type or select a date range to have the grid display only rules that were created
within that date range.
Modified By
Select the name of the Console user who last modified the rule to have the grid
display only rules modified by that user.
Modified Date Range
Type or select the begin and end date range to have the grid display only rules
that were modified on or within that date range.
Managing rules
The topics in this section explain how to manage your rules. Many management tasks can be done
from the Rules grid, or in Rule Builder as you are configuring a rule. This section includes
procedures for doing the following:
• editing a rule
• subscribing to a rule
• enabling a rule
• testing a rule
• activating a rule
• disabling a rule
• cloning a rule
• importing a rule
• exporting a rule, and
• deleting a rule.
Editing rules
Whenever you need to edit a rule’s name or configuration, you use the Rule Creation tool to make
the necessary changes to the rule. When needed, you can edit multiple rules at the same time.
It is not necessary to disable a rule before editing it. When you edit a rule, you are editing a local copy
until you save and activate it. If the rule was enabled when you began editing it, it will continue to be
enabled while you work on the new version. When you save the new version and then click Activate
Rules, the Manager replaces the original rule with the new version.
To open rules for editing:
1. Open the Build ► Rules view.
2. In the Folders pane, click the folder that contains the rules you want to edit.
The Rules grid displays the rules associated with the selected folder and its sub-folders.
3. In the Rules grid, click to select the rule (or rules) you want to edit.
4. Open the rules for editing as follows:
• To edit a single rule, either double-click the rule, or click the row's gear button and
then click Edit.
• To edit multiple rules, click the grid's gear button and then click Edit.
Rule Creation appears, showing the rule’s current configuration. If you opened multiple rules,
they all appear as "cascaded" windows. You may now edit the rules.
Locked rules
If a prompt like the one shown here appears, it means another user is already editing one of the
selected rules and has those rules "locked."
In this case, you can do either of two things:
• You can proceed in a read-only fashion, which allows you to see the details of a rule.
• You can break the lock and take control over the rule, which means the other person will not be
able to save any changes he or she makes to the rule.
To edit the rule:
1. Use Rule Creation to make any necessary changes to the rule’s name, Manager, folder,
description, enabled status, test-mode state, correlations, correlation time, or actions. For
more information, see "Creating custom rules" on page 289.
• If you want to use the rule immediately upon saving it, select the Enable check box.
• If you want to try the rule in test mode, select the Test check box.
2. Click Save.
The Rules grid appears.
3. To begin using (or testing) the rule’s new configuration, click Activate Rules.
Subscribing to a rule
You can assign rules to specific Console users, which means those users will subscribe to those
rules. This means the system will notify the subscribing users' Consoles each time one of the
subscribed-to rules triggers an alert. The alerts will appear in their Monitor view’s alert grid.
Rule subscriptions can be used in conjunction with filters and reports to monitor activity for specific
rules. Each user can subscribe to as many different rules as needed.
You can assign subscriptions in Rule Creation while you are creating the rule, or anytime later
directly from the Rules grid.
To manage rule subscribers from the Rules grid:
1. Open the Build ► Rules view.
2. In the Folders pane, click the folder that contains the rule you want to work with.
3. In the Rules grid, select the rules you want to work with.
4. On the Rules grid toolbar, click Subscribe.
The Subscribe list opens. It only includes those Console users who are associated with the
same Manager as the selected rule.
A check box with a gray background means the user already subscribes to one or more of the
selected rules, but not all of them.
5. Select the check box for each Console user who is to subscribe to the selected rules:
• Select an empty user's check box to have that user subscribe to all of the selected
rules.
• Clear a gray user's check box to remove the user's subscription to all of the selected
rules.
• Clear a gray user's check box and then select it again, to have that user subscribe to all
of the selected rules. Remember, these users are already subscribed to some rules,
but not all of them. This procedure assigns all of the selected rules to that user.
As you can see, if you have multiple rules selected, each subscription change affects every
selected rule.
6. Click Subscribe again to close the list.
The selected Console users now subscribe to the selected rules.
To add rule subscribers from Rule Creation:
1. With a rule open in Rule Creation, click Subscribe.
The Subscribe list opens. It only includes those Console users who are associated with the
same Manager as the selected rule.
2. Manage the rule's subscribers as follows:
• Select the check box for each Console user who is to subscribe to this rule.
• Clear the check box for each subscriber who is no longer to subscribe to this rule.
3. Click Subscribe again to close the list.
4. Click Save.
The selected Console users now subscribe to the rule.
Enabling a rule
The Manager only uses rules that are enabled. It ignores all other rules. Therefore, the Manager
cannot use rules until you enable them. You can enable rules from the Rules grid, or directly from
Rule Creation. In either case, the Enable check box lets you turn a rule on and off.
Note: In the Rules grid, you can enable multiple rules at the same time. However, this command
acts as a toggle on each individual rule that is selected. For example, if one rule is disabled and
another is enabled, performing this command on both rules at the same time will invert the settings of
both rules. So the first rule would become enabled, and the second would become disabled.
Therefore, when performing this command on multiple rules, you will typically want to select only
those rules that already have the same Enabled/Disabled state.
To enable rules from the Rules grid:
1. Open the Build ► Rules view.
2. In the Folders pane, select the folder that contains the rules you want to enable.
3. In the Rules grid, select the rule (or rules) you want to enable.
4. Enable the rules as follows:
• To enable a single rule, click the row's gear button and then click Enable.
• To enable multiple rules, click the grid's gear button and then click Enable.
In the Rules grid, the rules’ Enabled icons become active, which means the rules are now
enabled. However, the Manager cannot begin using these rules until you activate them. See
"Activating rules" on page 275.
5. Click Activate Rules to begin using the rule.
To enable a rule from Rule Creation:
1. With a rule open in Rule Creation, select the Enable check box.
2. When you are finished configuring the rule, click Save.
The Rules grid appears, with the "enabled" icon appearing in the rule's Enabled column. This icon
means the rule is now enabled. However, the Manager cannot begin using the rule until you
activate it.
3. Click Activate Rules to begin using the rule.
Placing rules in test mode
Before fully enabling a rule, you can try it out in test mode. In test mode, the Manager processes the
rule’s alert messages as it normally would, but without performing any of the rule’s actions. This lets
you see how the rule will behave when it is activated, without any possible disruption to your network.
Note: In the Rules grid, you can change the test mode of multiple rules at the same time. However,
this command acts as a toggle on each individual rule that is selected. For example, if one rule is in
test mode and another isn't, performing this command on both rules at the same time will invert the
settings of both rules. So the first rule would move out of test mode, and the second would move into
test mode. Therefore, when performing this command on multiple rules, you will typically want to
select only those rules that already have the same Test On/Test Off state.
To place rules in test mode in the Rules grid:
1. Open the Build ► Rules view.
2. In the Folders pane, select the folder that contains the rules you want to test.
3. Check the rules' Enabled status. If any of the rules you want to test show a "disabled"
icon, then they need to be enabled. You can do this by clicking the row's gear button and
then clicking Enable.
In the Rules grid, the "enabled" icon appears in the rule’s Enabled column to indicate that the rule
has been enabled.
4. In the Rules grid, select the rule (or rules) you want to test.
5. Place the rules in test mode as follows:
• To put a single rule in test mode, click the row's gear button and then click Test On.
• To put multiple rules in test mode, click the grid's gear button and then click Test On.
In the Rules grid, the "test" icon appears in the rules’ Test column to indicate that the rules are in
test mode.
6. Click Activate Rules.
The rules are now functional, but in test mode.
To remove a rule from test mode in the Rules grid:
1. Open the Build ► Rules view.
2. In the Folders pane, select the folder that contains the rules you want to work with.
3. In the Rules grid, select the rule (or rules) you want to work with.
4. Remove the rules from test mode as follows:
• To remove a single rule from test mode, click the row's gear button and then click
Test Off.
• To remove multiple rules from test mode, click the grid's gear button and then click
Test Off.
In the Rules grid, the "disabled" icon appears in the rules’ Test column to indicate that the
rules are no longer in test mode.
5. Click Activate Rules.
The rules are now fully functional.
To place a rule in test mode from Rule Creation:
1. Open the Build ► Rules view.
2. In the Folders pane, click the folder that contains the rule you want to test.
3. In the Rules grid, click to select the rule you want to test.
4. On the Rules grid toolbar, click Edit.
Rule Creation appears, showing the rule’s current configuration.
5. Select the Enable check box.
6. Select the Test check box.
Note: To test a rule, you must have both Enable and Test checked. If only Enable is
checked, the rule is completely enabled (that is, it is fully in use). If only Test is checked, the
rule will not be enabled, which means the Manager will not be able to use it for testing.
7. Click Save.
The Rules grid appears.
8. Click Activate Rules.
The rule is now in test mode.
To fully activate a rule from Rule Creation:
1. Open the rule in Rule Creation, as described above.
2. Clear the Test check box.
3. Click Save.
4. On the Rule Builder toolbar, click Activate Rules.
The rule is now fully functional.
Activating rules
Whenever you create a new rule or change an existing rule, you are working on a “local copy” of the
rule. The Manager has no way of using the rule change until you activate it. Activating a rule tells the
Manager to reload the enabled rules it is working on, which allows it to pick up the changes you just
made. You must activate rules whenever you create a new rule, edit an existing rule, or make
changes to a rule’s Enabled/Disabled or Test On/Test Off status. Otherwise, the Manager will not
recognize the change.
To activate rule changes, both the Rules grid and Rule Creation have an Activate Rules command.
This command sends any new rule changes to the Manager for immediate use. In Rule Creation, the
Activate Rules command leaves Rule Creation open so you can continue working.
To activate rules from the Rules grid:
1. Open the Build ► Rules view.
2. Make any necessary changes to your rules.
3. On the Rules grid toolbar, click Activate Rules.
The Manager activates any new rule changes and begins processing all enabled rules.
To activate rules from Rule Creation:
• At any time, in Rule Creation, click Activate Rules.
The Manager activates any new rule changes and begins processing all enabled rules.
However, Rule Creation stays open so you can continue working. The rule you are currently
working on is not activated. It cannot be activated until it is first saved.
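The Enabling, Placing rules in test mode, and Activating rules topics above describe three separate things: the Enable and Test check boxes, the per-rule toggle behaviour of the grid commands, and the fact that the Manager sees nothing until Activate Rules. The following model is an added illustration of those semantics, not TriGeo code; the class and method names (RuleStore, toggle_enabled, manager_behaviour) and the rule names are assumptions made for the example.

```python
"""Model of the rule lifecycle this chapter describes (added illustration,
not TriGeo code): Enable/Disable and Test On/Off change a local copy, the
grid commands toggle each selected rule individually, and the Manager only
sees any change after Activate Rules."""
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Rule:
    name: str
    enabled: bool = False   # the Enable check box
    test: bool = False      # the Test check box
    description: str = ""


class RuleStore:
    """Console-side local copies of rules plus the set the Manager is running."""

    def __init__(self, rules: Iterable[Rule]) -> None:
        self.local: Dict[str, Rule] = {r.name: r for r in rules}
        self.active: Dict[str, Rule] = {}   # empty until the first Activate Rules

    def edit(self, name: str, **changes) -> None:
        # Editing works on the local copy; the active version keeps running.
        self.local[name] = replace(self.local[name], **changes)

    def toggle_enabled(self, names: List[str]) -> None:
        # The grid's Enable/Disable command is a per-rule toggle, so a mixed
        # selection (one enabled, one disabled) ends up with both inverted.
        for n in names:
            self.local[n] = replace(self.local[n], enabled=not self.local[n].enabled)

    def toggle_test(self, names: List[str]) -> None:
        for n in names:
            self.local[n] = replace(self.local[n], test=not self.local[n].test)

    def activate(self) -> None:
        # Activate Rules: the Manager reloads its rule set from the saved copies.
        self.active = dict(self.local)

    def manager_behaviour(self, name: str) -> str:
        """What the Manager does with a rule: ignore it, raise alerts only
        (test mode), or raise alerts and run its active responses."""
        r = self.active.get(name)
        if r is None or not r.enabled:
            return "ignored"   # disabled, never activated, or Test without Enable
        return "alerts only" if r.test else "alerts and actions"


def mixed_selection_pitfall() -> Dict[str, bool]:
    """Reproduces the Note about toggling a mixed selection: after Enable on
    both rules, the disabled one is enabled and the enabled one is disabled."""
    store = RuleStore([Rule("Failed logons"), Rule("Port scan", enabled=True)])
    store.toggle_enabled(["Failed logons", "Port scan"])
    return {n: r.enabled for n, r in store.local.items()}


if __name__ == "__main__":
    s = RuleStore([Rule("Failed logons", enabled=True)])
    s.activate()
    s.edit("Failed logons", test=True)           # local copy only
    print(s.manager_behaviour("Failed logons"))  # still "alerts and actions"
    s.activate()
    print(s.manager_behaviour("Failed logons"))  # now "alerts only"
    print(mixed_selection_pitfall())
```

The manager_behaviour method encodes the rule the Rule Creation procedure states in its note: Test checked without Enable leaves the rule unused, so a "test" that never produces alerts is worth checking against the Enabled column before assuming the rule's conditions are wrong.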
Disabling a rule
The Manager will continue to use any active rules, so long as they are enabled. If needed, you can
easily turn off rules by disabling them. However, the Manager will continue to use those rules until
you activate their new “disabled” status with the Activate Rules command.
Note: In the Rules grid, you can disable multiple rules at the same time. However, this command
acts as a toggle on each individual rule that is selected. For example, if one rule is disabled and
another is enabled, performing this command on both rules at the same time will invert the settings of
both rules. So the first rule would become enabled, and the second would become disabled.
Therefore, when performing this command on multiple rules, you will typically want to select only
those rules that already have the same Enabled/Disabled state.
To disable rules from the Rules grid:
1. Open the Build ► Rules view.
2. In the Folders pane, select the folder that contains the rules you want to disable.
3. In the Rules grid, select the rule (or rules) you want to disable.
4. Disable the rules as follows:
• To disable a single rule, click the row's gear button and then click Disable.
• To disable multiple rules, click the grid's gear button and then click Disable.
In the Rules grid, the Enabled column for each rule shows a “disabled” icon to indicate the
rules are now inactive.
5. Click Activate Rules.
The Manager stops processing the disabled rules.
To disable a rule from Rule Creation:
1. Open the rule you want to disable in Rule Creation.
2. Clear the Enable check box.
3. Click Save.
The Rules grid appears.
4. Click Activate Rules.
The Manager stops processing the disabled rule.
Cloning rules
The Clone command lets you copy any existing rule, make changes to the copy, and then save the
copy with a new name in one of your Custom Rules sub-folders.
The benefit of cloning is that you can quickly create variations on existing rules. You simply clone a
preconfigured rule, such as a rule from the TriGeo Rules or NATO5 Rules folder, and then adjust the
cloned copy to suit your specific needs.
Note: A cloned rule must be for the same Manager as the original rule. That is, you cannot clone a
rule from one Manager and save it for another Manager.
To clone rules:
1. Open the Build ► Rules view.
2. In the Folders pane, click the folder that contains the rule you want to clone.
3. In the Rules grid, click to select the rule you want to clone.
4. Click the row's gear button and then click Clone.
The Clone Rule form appears.
5. In the Clone Name box, type a name for the cloned rule.
6. In the Folders list, select which Custom Rules folder is to store the cloned rule.
7. Click OK to save the cloned rule; otherwise, click Cancel.
The newly cloned copy of the rule automatically opens in Rule Creation so you can begin
making changes.
Importing a rule
You can import a rule from a remote source into a particular rule folder. For example, you may want to
import a rule from one Manager to another. Or you can import a rule that is provided by TriGeo
Network Security. You may only import one rule at a time.
To import a rule to a rule folder:
1. Open the Build ► Rules view.
2. On the Rules grid toolbar, click the grid's gear button and then click Import.
The Open form appears.
3. In the Look In box, browse to and open the folder that contains the rule you want to import.
4. Select the rule file you want to import.
The file you selected appears in the File Name box.
5. Click Open to import the file; otherwise, click Cancel.
The Import Rules form appears.
6. In the Manager list, select which Manager the imported rule is to be associated with.
7. In the Folders list, click to select the rule folder that is to store the imported rule. You will need
to click a folder’s ► icon to view its sub-folders.
8. Click Import.
The system imports the rules into the designated rule folder.
Exporting rules
Exporting rules is useful for three reasons:
• You can export a rule from one Manager and import it into another Manager.
• You can export rules to save archived copies in a safe place.
• You can export rules to provide TriGeo Network Security with a copy of your rule for technical
support or troubleshooting purposes.
You can export multiple rules at the same time. The rules will be saved to a new folder that contains
each rule.
To export rules:
1. Open the Build ► Rules view.
2. In the Folders pane, select the folder that contains the rule you want to export.
The Rules grid displays the rules in that folder.
3. In the Rules grid, select the rules you want to export.
4. On the Rules grid toolbar, click the grid's gear button and then click Export.
The Select Directory to Export Rule to form appears.
5. In the Save in box, locate the general area in which you want to save the exported rule folder.
6. In the File name box, type a name for the folder that is to contain the exported rules.
7. Click Save.
The rules are exported and saved in the folder you specified. Each exported rule retains its
name and the date and time on which it was exported.
If an Export Error message appears, it means one or more of the rules failed to export. If you
are exporting multiple rules, the system exports as many as it can, and the message lists
which rules failed to export and which ones succeeded. Click OK to close the form.
Deleting rules
When needed, you can easily delete rules. You can delete one rule at a time, or you can delete
multiple rules. Deleting a rule is permanent. Once a rule is deleted, it can only be restored by recreating it or by importing a previously exported rule.
To delete rules:
1. Open the Build ► Rules view.
2. In the Folders pane, select the folder that contains the rule you want to delete.
The Rules grid displays the rules in that folder.
3. In the Rules grid, select the rule (or rules) you want to delete.
4. Delete the rules as follows:
• To delete a single rule, click the row's gear button and then click Delete.
• To delete multiple rules, click the grid's gear button and then click Delete.
5. At the Confirm Delete prompt, click Yes to delete the rules; otherwise, click No.
The rules disappear from the Rules grid.
6. Click Activate Rules to notify the Manager that the rules were deleted.
Working with rule folders
In the Build ► Rules view, the Folders pane lets you categorize and
organize your policy rules. You can also import rules to a folder, or
export rules from a folder.
The Folders pane behaves just like the folders in an operating
system. You can create folders and sub-folders, and you can move,
rename, and delete folders.
The Folders pane is disabled whenever you are working with a Group
that does not support folders.
Default rule folders
By default, the Rules view shows the rules from the Custom Rules
folder. If you do not have any custom rules, then click the TriGeo Rules folder to list the rules that the
Console ships with.
In the Build ► Rules view, the Folders pane has three fixed top-level folders—one for each rule
type:
• The Custom Rules folder contains your own custom rules and allows you to organize them
into your own custom set of sub-folders.
• The TriGeo Rules folder contains all of the preconfigured rules that the TriGeo SIM appliance
ships with.
• The NATO5 Rules folder contains rules that TriGeo provides to address best practices, to suggest implementations, and to address general and specific threats. TriGeo regularly updates
these rules through product updates.
When you click a top-level folder, the grid shows the rules from that folder, as well as any of its subfolders. For example, if you click the NATO5 Rules folder, the grid shows all NATO5 rules. But if you
click the folder’s Virus/Worm sub-folder, then the grid only shows rules from that folder and any of its
sub-folders, if applicable.
You cannot make changes to TriGeo Rules or NATO5 Rules folders, sub-folders, or their contents.
In addition, some Rules grid commands are disabled for TriGeo and NATO5 rules to ensure that their
rule configurations remain intact.
However, none of these limitations apply to your custom rules. You can clone rules from any of
the TriGeo Rules or NATO5 Rules folders and sub-folders, store the cloned rules in your Custom
Rules folders, and then edit them as you see fit.
Showing and hiding sub-folders
In the Build ► Rules view, the Folders pane is organized as a hierarchical node tree of folders and
sub-folders. By default, the tree is collapsed, showing only the top level of folders. This procedure
explains how to show and hide the pane’s sub-folders.
To open (expand) a folder to see its sub-folders:
• Click a folder with an ► icon to open a folder and show its first level of sub-folders.
To close (collapse) a folder to hide its sub-folders:
• Click a folder with an ▼ icon to close the folder and hide its sub-folders.
Showing the contents of a rule folder
Select a rule folder in the Folders pane to display the contents of that folder and its sub-folders in the
view’s grid.
To view the contents of a rule folder:
1. Open the Build ► Rules view.
2. In the Folders pane, select the rule folder you want to work with.
The Rules grid displays the rules stored within that folder and its sub-folders.
If you double-click a rule in the grid, Rule Creation opens, showing the rule’s current
configuration.
Adding rule folders and sub-folders
Whenever needed, you can add new folders and sub-folders to the Folders pane. This allows you to
organize your rules in a manner that makes them easy to organize and identify.
To add a new rule folder:
1. Open the Build ► Rules view.
2. In the Folders pane, click the Custom Rules folder’s ► icon to open the folder and view its
sub-folders, if any are present.
3. Click the new folder button at the bottom of the Folders pane.
A new sub-folder appears with the default name of folder.
4. Double-click the new folder.
The folder becomes highlighted and its name is surrounded by an editable box.
5. Type a name for the new folder, and then press Enter.
You may now store rules in the new folder.
Renaming a rule folder
When needed, you can rename your own custom rule folders in the Folders pane. However, you may
not rename any of the Console’s preconfigured rule folders.
To rename a folder:
1. Open the Build ► Rules view.
2. In the Folders pane, double-click the folder you want to rename.
A box appears around the folder, and its name becomes editable.
3. Type a new name for the folder, and then press Enter.
The folder appears in the Folders pane with its new name.
Moving rule folders
When needed, you can rearrange your custom rule folders by moving them to another custom folder
or sub-folder. Moving a folder moves the entire contents of that folder, including any of its sub-folders.
TriGeo’s default rule folders (TriGeo Rules or NATO5 Rules folders and sub-folders) cannot be
moved. However, you can clone copies of rules from these folders and place them into your own
Custom Rules folders, which you may then move around as you see fit.
To move a rule folder:
1. Open the Build ► Groups or the Build ► Rules view, as appropriate.
2. In the Folders pane, select the folder that is to be the new parent of the folder you want to
move.
3. Click the folder’s ► icon to open the folder and view its sub-folders.
4. Now select the folder you want to move, and then drag and drop it just below its new parent
folder. When the pointer is in the correct position, a black line will appear below the parent
folder.
(Before and After screenshots: after the move, the folder you moved appears under its new parent
folder.)
Moving rules from one folder to another
You can use the Folders pane and the Rules grid to move your own custom rules from one Custom
Rules folder to another. Moving rules has the following restrictions:
• Rules in TriGeo’s default rule folders (TriGeo Rules or NATO5 Rules folders and sub-folders)
cannot be moved. However, you can clone copies of these rules and place the clones in your
Custom Rules folders.
• You may only move rules into folders that are associated with the same Manager as the rules
you are moving. All other folders are disabled.
To move a rule:
1. Open the Build ► Rules view.
2. In the Folders pane, select the folder that is to receive the rules you want to move.
3. Click the folder’s ► icon to open that folder.
4. Now click the folder that contains the rules you want to move.
The Rules grid displays the rules stored within that folder.
5. In the Rules grid, select the rules you want to move. For instructions on selecting multiple
rules, see "Selecting items in a grid" on page 31.
6. Drag the rules to the Folders pane, into the new folder that is to store them.
The rules are now stored in their new folder. Select the folder to see its contents in the Rules
grid.
Deleting a rule folder
When needed, you can delete a rule folder. However, doing so also deletes the contents of the folder,
including any sub-folders and their associated rules. So be sure to move or archive any rules you
want to save before deleting a rule folder.
To delete a folder:
1. Open the Build ► Groups or the Build ► Rules view, as appropriate.
2. In the Folders pane, click to select the folder or sub-folder you want to delete.
3. Click the Delete button.
4. At the Confirm Delete prompt, click Yes to delete the folder; otherwise, click No.
The folder and its sub-folders disappear from the Folders pane.
Chapter 10: Rule Creation
Creating custom rules
Rule Creation
In the Build ► Rules view, the Rule Creation tool is used to configure new rules and to edit existing
rules.
Like filters, you create rules by configuring conditions between alert variables and other components,
such as Time of Day Sets, User-Defined Groups, Constants, etc. However, rules go a step further.
They let you correlate alert variables with other alerts and their alert variables.
By correlate, we mean you can specify how often and in what time frame the correlations must be
met before the rule is triggered. The combined correlations dictate when the rule is to initiate an active
response.
You can configure rules to fire after multiple alerts occur. The Manager will remember alerts if they
meet the rule's basic conditions. It waits for the other conditions to be met, too. If they are, the
Manager fires the rule. The rule does not take action until the alerts meet all of the conditions and
correlations defined for that rule.
The possibilities for rules are endless. Therefore, this section describes how to create rules only in
very general terms. This section is not intended to be a tutorial, but rather a reference for you to fall
back on if you are unclear about how any part of Rule Creation works.
Note: Each rule you create only applies to the Manager that is selected when you created the rule. If
you need a similar rule for another Manager, you must create it separately on the other Manager; or
you can export the rule, and then import it from the other Manager’s Rules grid.
Caution: Practice with filters before creating rules
The tools in Rule Creation are very similar to those found in Filter Creation. However, filters simply
report event occurrences; rules act on them. There is no harm in creating a filter that is unusual or
has logic problems, but this is not always the case with rules. Rules can have unexpected and
sometimes unpleasant consequences if they are not configured exactly as you intend them to be.
Inexperienced users should use caution when creating rules. Creating filters is an excellent way to
familiarize yourself with the logic and tools needed to create well crafted rules. You should only begin
configuring rules after you are at ease with configuring filters. Even then, always test your rules
before implementing them.
Rule Creation features
The topics in this section describe the key features of the Rule Creation view, the rule window, and
the Correlations box, which are all used to configure and edit policy rules.
• The Rule Creation view is a different view of the Rules view that allows you to configure and
edit policy rules.
• The rule window is the window that you will use to view, configure, and edit your policy rules.
• The Correlations box is a component of the rule window that is used to configure the specific
correlations that define the rule.
Rule Creation view features
Figure: The key features of the Rule Creation tool
The following table describes the key features of the Rule Creation tool. The topics that follow
discuss some of these features in greater detail.
Back to Rules Listing
Click this button to hide Rule Creation and return to the Rules grid. Rule Creation remains open in
the background, so you can return to it to continue working on your rules. In the Rules grid, clicking
Back to Rule Creation returns you to Rule Creation.

List pane
The list pane is the “accordion” list to the left. It contains categorized lists of the components you
can use when configuring policy rules. It behaves exactly like the list pane in Filter Creation. To view
the contents of a component list, click its title bar. To add a component to a rule, select it from its
list and then drag it into the appropriate correlation box.
If more than one Manager is linked to the Console, each item in the list pane lists the Manager it is
associated with. Therefore, some list items may appear to be listed multiple times, but in reality they
are listed once for each Manager. Alerts are universal to all Managers, so they do not show a
Manager association.
For detailed information about each list, see "Features of the list pane" on page 113.

Rule window
Each rule you create or edit appears in its own rule window. This is where you name, describe,
configure, edit, test, verify, and enable each rule.
You can have multiple rule windows open at the same time. You can also minimize, maximize,
resize, and close each window, as needed.
For detailed information on configuring rules, see "Creating custom rules" on page 289.

Minimized rule window bar
Any minimized rule windows appear in the bar at the bottom of the Rule Creation pane, behind the
active rule window. Each minimized window shows the name of its rule. Clicking a minimized rule
opens that rule in the Rule Creation pane.
Rule window features
Each rule you create or edit appears in its own rule configuration window. You will use these windows
to design and edit custom policy rules. You can use the rule window to name, describe, configure,
edit, enable, and test your custom rules.
Figure: The elements of a rule window
The following table describes each key feature and field of a rule window.
Title bar
Each rule you create or edit appears in its own configuration window. Upon naming a rule, the
window’s title bar displays the name of the rule. You can also use the title bar to minimize, maximize,
and resize the rule window. Minimized rule windows appear at the bottom of the Rule Creation pane.

Name
Type a name for the rule.

on
When creating a new rule, use this list to select which Manager the rule is to be associated with.
When editing a rule, this field displays which Manager the rule is associated with.

in
Select the folder (in the Folders pane) in which the rule is to be stored.

Description
Type a description of what the rule does, or the situation for which the rule is intended.
If the description extends beyond the visible area of the text box, a larger text box appears, so you
can type a detailed description of the rule, its logic, its expected behavior, and its active response.
When you are done typing, either press Tab or click anywhere outside the text box to close it.

Enable
Select this check box to enable the rule. Clear this check box to disable the rule.

Test
Select this check box to place the rule in test mode. Clear this check box to take the rule out of test
mode.
Note: You must enable a rule before you can test it.

Subscribe
Use this list to select which Console users are to subscribe to the rule. The system will notify the
subscribing users' Consoles each time one of the subscribed-to rules triggers an alert. The alerts will
appear in their alert grid.

Rule Status
The Rule Status bar lists warnings and error messages about your rule's current configuration logic.
• Click ► to view a list of warning and error messages.
• Click a message flag to view detailed information about the nature of that problem.
• Click a message to highlight the specific area or field that is the source of that problem.
For more information, see "Using the Status bar" on page 133.

Correlations
Use the Correlations box to configure correlations between groups of alert events. You can
coordinate multiple alert events into a set of conditions that will prompt the Manager to issue a
particular active response.
You set up correlations by dragging items from the Alerts and Alert Groups lists into this box, and
then setting the specific conditions for the alert that are to prompt action.
The Correlations toolbar lets you group alert conditions, and determine if they must all apply (an
AND correlation) or if any of them may apply (an OR correlation) to prompt a response.

Correlation Time
Use the Correlation Time box to establish the allowable frequency and time span in which the
correlation events must occur before the rule applies.
The Advanced section lets you define an alert event threshold and the re-inference period for the
threshold. The threshold tells the Manager which specific fields to monitor to determine if a valid
alert event has occurred (i.e., when to “count” the alert).
The box’s Advanced section also lets you define a Response Window, which makes the rule ignore
any events that occur outside (past or future) of the established period.

Actions
Use the Actions box to dictate which actions the rule is to execute when the events described in the
Correlations and Correlation Time boxes occur. Examples of actions include sending an email
message to your system administrator, or blocking an IP address.

Undo/Redo
Click the Undo button to undo your last desktop action. You can click the Undo button repeatedly to
undo up to 20 steps.
Click the Redo button to redo a step that you have undone. You can click the Redo button
repeatedly to redo up to 20 steps.
You can only use Undo or Redo for steps you made since the last time you clicked Apply.

Save/Cancel/Apply
Use these commands to save or cancel your work:
• Click Save to save your changes to a rule and close the rule window.
• Click the Cancel button to cancel any changes you have made to a rule since the last time you
clicked Save, and close the rule window. If you have any unsaved changes, the system will prompt
you to save or discard them.
• Click Apply to save your changes to a rule, but keep the rule window open so you can continue
working. You can click Apply at any time.
Correlations box features
To create a rule, you drag items from the list pane into the rule window’s Correlations box to
configure the relationships (or correlations) that define the rule. These correlations define the events
that must occur for the rule to take effect.
Figure: The Correlations box, which is used for configuring policy rule correlations
Creating rule correlations is a lot like configuring conditions for custom filters, so the Correlations
box in Rule Creation behaves a lot like the Conditions box in Filter Creation. The following table
describes each item shown in the Correlations box, above.
► / ▼ (expand and collapse)
Groups can be expanded or collapsed to show or hide their settings:
• Click ► to expand a collapsed group.
• Click ▼ to collapse an expanded group.
Once a group is configured properly, you may want to collapse it to avoid accidentally changing it.

Group button
This is the Group button. It appears at the top of every group box. Click it to create a new group
within the group box. A group within a group is called a nested group. You may then drag alert
variables and other items from the list pane into the nested group box.
By using nested groups, you can refine correlations by combining or comparing one group of
correlations to another to create the logic for complex correlations.
Each group is subject to AND and OR relationships with the groups around it and within it. By
default, new groups appear with AND comparisons.

Threshold button
This is the Threshold button, which opens the Threshold form for a group. The Threshold form is
described below.

Delete button
This is the Delete button. It appears at the top of every Group box and every correlation. Click this
button to delete a correlation or a particular group. Deleting a group also deletes any groups that are
nested within that group.

Alert variable
From the Alerts, Alert Groups, or Fields list, drag an alert, Alert Group, or alert field into the
Correlations box. This is called the alert variable. A rule can have multiple alerts and Alert Groups
in its correlation configuration.
You can think of an alert variable as the subject of each group of correlations. As alerts stream
through the Manager, the rule analyzes the values associated with each alert variable to determine
if the alert meets the rule’s conditions. If so, the Manager either initiates an active response, or
stores the alert for comparison with other alerts that may occur within the rule's allotted timeframe.

Operators
Whenever you drag a list item or a field next to an alert variable, an operator icon appears between
them. The operator states how the rule is to compare the alert variable to the other item to determine
if the alert meets the rule’s conditions.
• Click an operator to cycle through the various operators that are available for that comparison.
Just keep clicking until you see the operator you want to use.
• Ctrl+click an operator to view all of the operators that are available for that comparison. Then
click to select the specific operator you want to use.
For more information, see "Comparing values with operators" on page 127.

List item
List items are the various non-alert items from the list pane. You drag and drop them into groups to
define rule correlations based on your Time Of Day Sets, Tool Profiles, User-Defined Groups,
Constants, etc.
Some alert variables automatically add a blank Constant as their list item. You can overwrite the
Constant with another list item, or you can click the Constant to type or select a specific value for
the constant.
Note that each list item has an icon that corresponds to the list it came from. These icons let you
quickly identify what kinds of items are defining your rule’s correlations.

Threshold
The Threshold section lets you define a threshold for the correlations in a Group box. You can think
of a threshold as a correlation frequency for the grouping; that is, the number of times the events
defined by the group must occur within a specified period before the rule takes effect.
A group threshold behaves exactly like the threshold in the Correlation Time box. For more
information, see "Configuring a rule's correlation time" on page 303.

Set Advanced Threshold button
This is the Set Advanced Threshold button. Whenever a group threshold’s number of Alerts within
[time] is greater than 1, this button becomes enabled so you can open the Set Advanced Thresholds
form. This form lets you specify advanced threshold fields and define an advanced response window
for the alert fields within the grouping.
For more information, see "Advanced thresholds" on page 304.

AND / OR
Rule correlations and groups of correlations are subject to AND and OR comparisons. If you click
an AND operator, it changes to an OR, and vice versa. For more information, see "Comparing
values with operators" on page 127.
Rule Creation procedures
Adding a new rule
Follow this general procedure whenever you want to create a new rule. Be sure to test your rules
before fully implementing them. Testing helps ensure that your rules do not cause any unpleasant
consequences.
To add a new rule:
1. Open the Build ► Rules view.
2. On the Rule grid toolbar, click the button for creating a new rule.
The Rule Creation tool appears.
Note: At any time while you are configuring a rule, you can click the Back to Rules Listing
button to return to the Rules grid. Rule Creation remains open in the background.
3. In the Name box, type a name for the rule. Note that the name also appears on the form’s title
bar.
4. In the on list, select the Manager on which this rule is to reside.
5. In the in list, select the folder and sub-folder in which this rule is to be stored in the Folders
pane.
6. In the Description box, type a complete description of the rule, such as its use, purpose, or
behavior.
7. Configure the rule's correlations. See "Adding rule correlations" on page 300.
8. If needed, configure the rule's correlation time and advanced threshold. See "Configuring a
rule's correlation time" on page 303 and "Advanced thresholds" on page 304.
9. Configure the rule's active response. See "Using the Actions box" on page 308.
10. Apply the appropriate Enabled, Test, and Subscription settings. For details, see "Managing
rules" on page 267.
• To assign rule subscribers, click the Subscribe list, and then click the check box for
each user who is to subscribe to the rule.
• If you want to use the rule immediately upon saving it, select the Enabled check box.
• If you want to operate the rule in test mode before fully activating it, select the Test
check box. It is highly recommended that you operate each new rule in test mode to
confirm that the rule behaves as expected.
11. When you are satisfied with the rule’s configuration, click Save.
Note: You can also click Apply to save your changes without closing the form.
The Rules grid appears. The new rule appears in the Rules grid and in the Folders pane, in
the folder you designated for the rule.
12. To begin using (or testing) the new rule, click Activate Rules.
Adding rule correlations
To create a rule in Rule Creation, you drag items from the list pane into the rule window’s
Correlations box. The Correlations box allows you to group and configure the relationships (or
correlations) that define the rule. These correlations state which events must occur for the rule to take
effect.
Like filters, you drag alerts, Alert Groups, or alert fields into the Correlations box, and then configure
conditions between these alert variables and other components, such as Time of Day Sets,
User-Defined Groups, Constants, etc. You then use other correlation tools to configure how these
variables compare with other alerts and alert variables.
By correlate, we mean you can specify how often and in what time frame the correlations must be
met before the rule is triggered. The combined correlations dictate when the rule is to initiate an active
response.
You can configure rules to fire after multiple alerts occur. The Manager will remember alerts if they
meet the rule's basic conditions. It waits for the other conditions to be met, too. If they are, the
Manager fires the rule. The rule does not take action until the alerts meet all of the conditions and
correlations defined for that rule.
Figure: Correlations for a complex rule
Figure: Correlations for a simple rule
The rule Correlations form is very similar to the Conditions form in Filter Creation. In addition,
creating rule correlations is a lot like configuring conditions for custom filters. However, rules are
more complex than filters and will always have something in the Correlations, Correlation Time,
and Actions boxes.
Tips for success
• The best way to learn how to configure rules is to practice. Because of the similarities between
filters and rules, and because filters cannot disrupt your network but policy rules can, we
highly recommend you experiment with creating filters before you begin configuring rules.
When you are at ease with filters, you can move on to rules. For detailed instructions and a
tutorial on configuring filters, see "Creating custom alert filters" on page 109.
• Always test your rules before actually using them, so you can avoid accidentally disrupting
your network.
The following procedure applies for every type of correlation you build, regardless of the type of list
item you are adding.
To configure rule correlations:
1. Open the rule you want to work with in Rule Creation.
2. In the list pane, click the title bar of the list you want to work with.
Typically, you will begin with the Alerts or Alert Groups list to add an alert, alert group, or
alert field to the Correlations box. Anything from an alert list is called an alert variable, and is
the “subject” of the rule (or one of the subjects, if there is more than one alert variable).
3. In the list, select the item you want to work with. Then drag it into the Correlations box.
Like Filter Creation, Rule Creation uses targeting to help you configure your custom rules.
The targeting feature ensures that you place each element in a valid location. Targeting applies
whenever you drag an item from the list pane to a configurable Correlations box or Actions
box. For more information, see "Targeting" on page 125.
4. Decide on the next item that defines the rule’s configuration. This could be an alert field or
perhaps something from one of the Group lists. Then drag it from its list and drop it next to the
alert variable you placed in Step 3.
An operator appears between these items. The operator states how the rule is to compare the
alert variable to the other element. For more information, see "Comparing values with
operators" on page 127.
The operator that appears between two elements depends on your selection. In this respect,
Rule Creation is context sensitive. It only allows comparisons that are logical for the
elements you have selected. See the "Rule correlation table" on page 310 for more information
on the operators that can be used for each field.
5. Click the operator, and then select the appropriate operator that defines the relationship
between the alert variable and the list item. For example, you can choose if the alert variable
should be “equal to,” “contained in,” “exist,” or be “greater than or equal to” the list item. For
more information, see "Comparing values with operators" on page 127.
6. Repeat Steps 1 – 5 for each additional event correlation that is to define this rule.
7. Determine if all of the correlations in the group must apply before the rule is to be reported (an
AND correlation), or if any one of the correlations may apply for the alert to be reported (an OR
correlation). Then click the AND or OR symbols to define the proper relationship for the
correlations in the group.
8. Click Save to save your changes.
Note: While configuring a rule, you can periodically click Apply to save your changes
without exiting the window.
You can continue using this procedure to add new correlations and groups of correlations, and to
apply AND and OR relationships to your groups and correlations.
Configuring a rule's correlation time
The Correlation Time box establishes the frequency with which the events in the Correlations box
must occur before the rule applies. It works like this: the alert events in the Correlations box must
happen x times within y amount of time before the rule applies and the Manager initiates the active
response.
Figure: The Correlation Time box
The Response Window setting lets you decide when alert events defined by the Correlations box
are out of scope, by eliminating those alert responses that happen outside of that window. When
issuing alert responses, the Manager ignores similar alert events that fall before or after the
response window you define here. The Manager does this by comparing its current time to the
timestamp of the alert event.
The response window can prevent accidental rule activation and response when, for example, a
computer has been offline for several days and then comes online, triggering several “bad” events.
If you define a response window of 30 minutes for a rule, the Manager ignores any events that occur
30 minutes prior to or after the current timestamp. So any events that occur more than 30 minutes
before or after current time are not considered valid for the rule.
To configure a rule's correlation time:
1. In the number field before Alerts within, type or select the number of times the events in the
Correlations box must occur before the rule applies. The default setting is 1.
2. In the number field after Alerts within, type or select the time span in which the alert messages
must occur before this rule applies. The default setting is for Seconds, but you can also
select Minutes or Hours.
3. In the Response Window field, type or select the response window for this rule.
The default setting is 5 minutes. However, you can set any number of seconds, minutes, or
hours.
4. Click Save to save your changes.
Advanced thresholds
Whenever a Group threshold or the Correlation Time form’s Alerts within box has a value greater
than 1, the Set Advanced Thresholds button becomes enabled. This button opens the Set
Advanced Thresholds form, so you can define an alert event threshold and the re-inference period
for that threshold. The threshold tells the Manager which specific alert fields to monitor to determine if
a valid alert event has occurred (i.e., when to “count” the alert).
For example:
• Threshold event x must occur multiple times on the same destination computer with the
frequency defined in the Correlation Time box.
• Or, threshold event y must occur on different destination computers with the frequency defined
in the Correlation Time box.
When the threshold event counter increases to the number shown in the Alerts box, the threshold
itself becomes true and triggers the next set of conditions in the rule.
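The Correlation Time count, the Response Window, and Same/Distinct threshold fields described above, as a small Python model added to this guide (it is not TriGeo code). The alert name UserLogonFailure, the Severity and DestinationMachine fields, and all sample events are constructed for the example; the Re-Infer (TOT) period is not modelled.

```python
"""Toy model of a TriGeo-style correlation rule (constructed example, not product code).

Models three behaviours described in this chapter:
  * Correlation Time: the matching alert must occur N times within a time span.
  * Response Window: alerts time-stamped too far before or after "now" are ignored.
  * Advanced threshold fields with Same / Distinct modifiers.
"""
from collections import deque
from datetime import datetime, timedelta


class CorrelationRule:
    def __init__(self, name, alert_name, conditions, alerts_within, span,
                 response_window, threshold_fields=()):
        self.name = name
        self.alert_name = alert_name              # the alert variable, the rule's "subject"
        self.conditions = conditions              # {field: required value}, AND-ed together
        self.alerts_within = alerts_within        # the "Alerts within" count
        self.span = span                          # correlation time span (timedelta)
        self.response_window = response_window    # allowed distance from "now" (timedelta)
        self.threshold_fields = list(threshold_fields)  # [(field, "Same" | "Distinct")]
        self.events = deque()                     # remembered (timestamp, alert) pairs

    def matches(self, alert):
        """Basic conditions: the right alert type and every configured field value."""
        if alert.get("alert") != self.alert_name:
            return False
        return all(alert.get(f) == v for f, v in self.conditions.items())

    def in_response_window(self, alert_time, now):
        """Drop stale (e.g. replayed after an outage) or future-dated events."""
        return abs(now - alert_time) <= self.response_window

    def _same_key(self, alert):
        return tuple(alert.get(f) for f, mod in self.threshold_fields if mod == "Same")

    def _distinct_key(self, alert):
        return tuple(alert.get(f) for f, mod in self.threshold_fields if mod == "Distinct")

    def process(self, alert, now):
        """Feed one alert; return True when the rule fires on this alert."""
        if not self.matches(alert) or not self.in_response_window(alert["time"], now):
            return False
        self.events.append((alert["time"], alert))
        # Forget remembered alerts that have aged out of the correlation time span.
        while self.events and now - self.events[0][0] > self.span:
            self.events.popleft()
        # "Same" fields: only alerts sharing this alert's values count toward the threshold.
        same = self._same_key(alert)
        candidates = [a for _, a in self.events if self._same_key(a) == same]
        # "Distinct" fields: count different values, not raw occurrences.
        if any(mod == "Distinct" for _, mod in self.threshold_fields):
            count = len({self._distinct_key(a) for a in candidates})
        else:
            count = len(candidates)
        if count < self.alerts_within:
            return False
        # Fired: drop the contributing alerts so the next firing needs fresh events.
        used = {id(a) for a in candidates}
        self.events = deque(e for e in self.events if id(e[1]) not in used)
        return True


T0 = datetime(2010, 1, 1, 12, 0, 0)


def logon_failure(offset_seconds, host):
    """Constructed sample alert; the field names are assumed, not TriGeo's."""
    return {"alert": "UserLogonFailure", "Severity": "Warning",
            "DestinationMachine": host, "time": T0 + timedelta(seconds=offset_seconds)}


def demo_same_host():
    """3 failures within 5 minutes on the SAME host; a 2-day-old event is ignored."""
    rule = CorrelationRule("Repeated logon failures on one host", "UserLogonFailure",
                           {"Severity": "Warning"}, alerts_within=3,
                           span=timedelta(minutes=5), response_window=timedelta(minutes=30),
                           threshold_fields=[("DestinationMachine", "Same")])
    feed = [(0, "srv1"), (10, "srv2"), (20, "srv1"), (-172800, "srv1"), (30, "srv1")]
    results = []
    for offset, host in feed:
        now = T0 + timedelta(seconds=max(offset, 0) + 1)   # Manager's clock at receipt
        results.append(rule.process(logon_failure(offset, host), now))
    return results  # [False, False, False, False, True]


def demo_distinct_hosts():
    """2 failures within 5 minutes on DIFFERENT hosts (failures spread across machines)."""
    rule = CorrelationRule("Logon failures across hosts", "UserLogonFailure",
                           {"Severity": "Warning"}, alerts_within=2,
                           span=timedelta(minutes=5), response_window=timedelta(minutes=30),
                           threshold_fields=[("DestinationMachine", "Distinct")])
    results = []
    for offset, host in [(0, "srv1"), (5, "srv1"), (10, "srv2")]:
        results.append(rule.process(logon_failure(offset, host), T0 + timedelta(seconds=offset)))
    return results  # [False, False, True]


if __name__ == "__main__":
    print(demo_same_host(), demo_distinct_hosts())
```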
Opening the Set Advanced Threshold form
• In the Correlations box, click the Set Advanced Threshold button on the nested group you want
to work with.
• In the Correlation Time box, click the Set Advanced Threshold button.
Setting an advanced threshold
1. Open the Set Advanced Thresholds form.
2. Select the Re-Infer (TOT) check box if you want to define a second threshold. Then use the
adjacent fields to type or select the threshold’s time interval and unit of measure.
The Re-Infer (TOT) option defines the period in which an alert must remain above the
threshold before the system issues a new notification and/or active response.
For example, suppose an alert has exceeded the threshold, and the alert’s Re-Infer (TOT)
period is 1 Hour. If the alert stays above the threshold for more than 1 hour, the system will
issue an additional notification or active response at the end of 1 hour.
Adding a threshold field
1. Click the Set Advanced Threshold button to open the Set Advanced Thresholds form.
2. At the bottom of the form, click Add.
The Available Fields pane has two boxes. The top box lists all of the alerts that have been
applied to the rule’s Correlations box. The bottom box lists the alert fields associated with
whichever alert is currently selected in the top box.
3. In the top Available Fields box, select an alert.
The fields associated with that alert appear in the lower Available Fields box.
4. In the lower Available Fields box, select the alert field that is to help define the alert threshold.
5. Below the Available Fields boxes, there is a drop-down list called the Select Modifier list. In
the Select Modifier list, select the appropriate option:
• Select Same if the threshold is to be defined by the selected field being the same multiple
times.
• Select Distinct if the threshold is to be defined by the selected field being different each
time.
6. Click the button that adds the field to the Selected Fields grid.
The field and its modifier appear in the Selected Fields grid.
7. Repeat Steps 2 – 6 for any additional threshold fields.
8. Click OK to save the fields to the threshold and close the form; otherwise, click Cancel.
These fields now raise the threshold for the correlation event and its active response to occur.
Editing threshold fields
You cannot actually edit a threshold field. Instead, you must delete it, and then replace it with a
corrected field configuration.
To replace a threshold field:
1. Click the Set Advanced Threshold button to open the advanced threshold you want to work with.
2. In the Selected Fields list, click the Delete button to remove the field you want to change.
3. In the Available Fields list, select the appropriate alert, and then the alert field.
4. In the Select Modifier list, select the new modifier for the field (Same or Distinct).
5. Click the button that adds the field to the Selected Fields box.
The corrected field and its modifier appear in the Selected Fields box.
6. Click OK to close the form.
Deleting a threshold field
1. Click the Set Advanced Threshold button to open the advanced threshold you want to work with.
2. In the Selected Fields list, select the field you want to delete.
3. Click the Delete button.
The threshold field disappears from the Selected Fields list.
4. Click OK to close the form.
Using the Actions box
In Rule Creation, the Actions box defines which action response the Manager is to take whenever
the correlation events specified by the rule occur. You can assign more than one action to a rule. For
example, you may want to shut down an Agent, and then notify your system administrator of the
event via email.
The fields in the Actions box indicate where the action is to be performed, what the action is
supposed to do, and to whom it is supposed to happen. For example, if you want a rule to disable a
user, you could select the action called Disable Domain User Account. For the action to apply, you
must specify which account you want to disable, and where you want to disable it (that is, which
Agent).
Using constants and fields to make actions flexible
When configuring an action, you can assign constants that define fixed parameters for a rule. Or you
can assign alert fields (from the alerts in the Correlations box). Fields determine a rule’s parameters
when some degree of flexibility is required. Constants and fields both have their uses. But fields can
provide actions with a great deal of flexibility.
Say you have two network users: Bob and Jane. To disable Bob’s user account, you could assign a
constant to the rule that explicitly represents Bob’s account. But doing so limits the rule to Bob's
account.
Now if you assign a field to the rule, the rule can be interpreted as follows: “When user activity meets
the conditions in the Correlations box to prompt the Disable Domain User Account action, use the
alert's UserDisable.SourceAccount field to determine which user account to disable.”
If Bob triggered the rule, the Manager disables Bob’s account. But if Jane also triggers the rule, the
Manager can disable her account, too.
Configuring a rule’s actions
Use the following high-level procedure to configure a rule’s actions.
To configure a rule's actions:
1. In the list pane, click the Actions list to open it.
2. Select the action you want, then drag it to the rule window’s Actions box.
The top left of the Actions box shows the name of the action that is to be taken. In most cases,
the Actions form will prompt you for specific parameters about the computer, IP address, port,
alert, user, etc., that is to receive the action.
3. Use the list pane to assign the appropriate alert field or constant to each parameter:
• In the Alerts or Alert Groups lists, select an appropriate alert field for each parameter,
and drag it to the appropriate parameter box in the Actions form.
• When needed, in the Constants list, select a constant for a parameter, and then drag it
to the appropriate parameter box in the Actions form. Typically, you will select a text
constant. Once the constant is in place, double-click the parameter box to edit the
constant.
For details on configuring specific actions, refer to the "Actions table" on page 313.
4. Click Save to save your changes.
Rule correlation table
The following table is for use with Rule Creation. It lists the possible rule configurations you can
create in the rule window’s Correlations box for each type of field.
• The Left field column lists each type of field you can drag into the Correlations box’s left
field.
• The Right field column lists the corresponding field types that you can drag into the
Correlations box’s right field.
• The Operators columns list the types of comparisons you can make between left and right
fields.
Operators: exists, not exists, in, not in, =, ≠, >, >=, <, <=

Left field: alert
• (no right field): exists, not exists

Left field: alert group
• (no right field): exists, not exists

Left field: text alert field, text alert group field, or text state variable
• Right field text alert field, text alert group field, text state variable field, or text constant:
=, ≠
• Right field directory service group, tool profile, or user-defined group: in, not in

Left field: time alert field, time alert group field, or time state variable
• Right field time alert field, time alert group field, time state variable field, or time constant:
a subset of the comparison operators (=, ≠, >, >=, <, <=); not every operator is available for
every pair
• Right field time of day: in

Left field: number alert field, number alert group field, or number state variable
• Right field number alert field, number alert group field, number state variable field, or number
constant: =, ≠, >, >=, <, <=

Left field: text constant, number constant, or time constant
• Right field directory service group, tool profile, or user-defined group: in, not in
Chapter 10: Rule Creation
Actions table
The following table is for use with the Rule Builder. It lists the various actions a Manager can take to
respond to alert events. These actions are configured in the rule window’s Actions box.
The table’s Action column lists the actions that are available. They are alphabetized for easy
reference. The Description column briefly states how the action behaves. The Fields column lists
the primary data fields that apply with each action. Some data fields will vary, depending on the
options you select.

Action: Add Domain User To Group
Description: This action adds a domain user to a specified user group that resides on a particular
Agent.
Fields:
    Domain Controller Agent: Select the alert field or constant that defines the Agent on which the
    group to be modified resides. To modify a group at the domain level, specify a domain controller
    as the Agent.
    Group Name: Select the alert field or constant that defines the group that is to be modified.
    Username: Select the alert field or constant that defines the user who is to be added to the group.

Action: Add Local User To Group
Description: This action adds a local user to a specified user group that resides on a particular
Agent.
Fields:
    Agent: Select the alert field or constant that defines the Agent on which the group to be modified
    resides. To modify a group at the domain level, specify a domain controller as the Agent.
    Group Name: Select the alert field or constant that defines the group that is to be modified.
    Username: Select the alert field or constant that defines the user who is to be added to the group.

Action: Add User-Defined Group Element
Description: This action adds a new data element to a particular user-defined group.
Fields:
    User-Defined Group Element: From the User-Defined Groups list, select the User-Defined Group
    that is to receive the new data element.
    Value: Select the alert field or constant that defines the data element that is to be added to the
    specified User-Defined Group. The fields will vary according to which User-Defined Group you
    select.

Action: Append Text To File
Description: This action appends text to a file. This allows you to take data from an alert and put it
in a text file.
Fields:
    Agent: Select the alert field or constant that defines the Agent on which the file to be appended
    is located.
    File Path: Select the alert field or constant that defines the path to the Agent file that is to be
    appended with text.
    Text: Select the alert field or constant that defines the text to be appended to the file.

Action: Block IP
Description: This action blocks an IP address.
Fields:
    IP Address: Select the alert field or constant that identifies the device’s IP address.
Action: Create User Account
Description: This action creates a new user account on an Agent.
Fields:
    Agent: Select the alert field or constant that defines the Agent on which the new user account is
    to be added. To create a user account at the domain level, specify a domain controller as the
    Agent.
    Account Name: Select the alert field or constant that names the account that is to be created.
    Account Password: Select the alert field or constant that defines the password that is to be
    assigned to the new account.

Action: Create User Group
Description: This action creates a specified user group on an Agent. A user group is a new group of
Windows users on a Windows PC, server, or network who are external to the TriGeo system.
Fields:
    Agent: Select the alert field or constant that defines the Agent on which the new user group is to
    reside. To create a user group at the domain level, specify a domain controller as the Agent.
    Group Name: Select the alert field or constant that defines which user group is to be created.

Action: Delete User Account
Description: This action deletes a user account from an Agent.
Fields:
    Agent: Select the alert field or constant that defines the Agent on which the user account is to
    be deleted. To delete a user account at the domain level, specify a domain controller as the
    Agent.
    Account Name: Select the alert field or constant that names the account that is to be deleted.

Action: Delete User Group
Description: This action deletes a user group from a particular Agent.
Fields:
    Agent: Select the alert field or constant that defines the Agent on which the user group to be
    deleted resides. To delete a user group at the domain level, specify a domain controller as the
    Agent.
    Group Name: Select the alert field or constant that defines the user group that is to be deleted.

Action: Detach USB Device
Description: This action detaches a USB mass storage device that is connected to an Agent.
Fields:
    Agent: Select the alert field or constant that defines the Agent from which the USB device is to
    be detached.
    Device: Select the alert field or constant that defines the device ID of the USB device that is to
    be detached.

Action: Disable Domain User Account
Description: This action disables a Domain User Account on a Domain Controller Agent.
Fields:
    Domain Controller Agent: Select the alert field or constant that defines the Domain Controller
    Agent on which the domain user is to be disabled.
    Destination Account: Select the alert field or constant that defines the account that is to be
    disabled.

Action: Disable Local User Account
Description: This action disables a local user account on an Agent.
Fields:
    Agent: Select the alert field or constant that defines the Agent on which the local user is to be
    disabled.
    Destination Account: Select the alert field or constant that defines the account that is to be
    disabled.
Action: Disable Networking
Description: This action disables an Agent’s network access. The result is that the specified Agent
will be unable to connect to the network.
Fields:
    Agent: Select the alert field or constant that defines the Agent that is to be disabled from the
    network.
    Message: Type the message that is to appear on the Agent.

Action: Disable Windows Machine Account
Description: This action disables a Windows machine account that resides on a Domain Controller
Agent.
Fields:
    Domain Controller Agent: Select the alert field or constant that defines the Domain Controller
    Agent on which the account is to be disabled.
    Destination Account: Select the alert field or constant that specifies which Windows account is
    to be disabled.

Action: Enable Domain User Account
Description: This action enables a Domain User Account on a Domain Controller Agent.
Fields:
    Domain Controller Agent: Select the alert field or constant that defines the Domain Controller
    Agent on which the domain user is to be enabled.
    Destination Account: Select the alert field or constant that defines the account that is to be
    enabled.

Action: Enable Local User Account
Description: This action enables a local user account on an Agent.
Fields:
    Agent: Select the alert field or constant that defines the Agent on which the local user is to be
    enabled.
    Destination Account: Select the alert field or constant that defines the account that is to be
    enabled.

Action: Enable Windows Machine Account
Description: This action enables a Windows machine account that resides on a Domain Controller
Agent.
Fields:
    Domain Controller Agent: Select the alert field or constant that defines the Domain Controller
    Agent on which the account is to be enabled.
    Destination Account: Select the alert field or constant that specifies which Windows account is
    to be enabled.

Action: Incident Alert
Description: This action escalates potential issues by creating an Incident Alert.
Fields:
    Alert: Select which Incident Alert the rule is to create.
    Alert Fields: From the list pane, select the alerts and constants that define the appropriate data
    elements for each alert field. The fields vary, depending on which Incident Alert is selected.

Action: Infer Alert
Description: This action escalates potentially irregular audit traffic into security events by creating
(or “inferring”) a new alert with a higher severity.
Fields:
    Alert: Select which Alert the rule is to infer.
    Alert Fields: From the list pane, select the alerts and constants that define the appropriate data
    elements for each alert field. The fields vary, depending on which alert is selected.

Action: Kill Process by ID
Description: This action terminates the specified process on an Agent by using its process ID value.
Fields:
    Agent: Select the alert field or constant that defines the Agent on which the process is to be
    terminated.
    Process ID: Select the alert field or constant that identifies the ID number of the process that is
    to be terminated.
Action: Kill Process by Name
Description: This action terminates the specified process on an Agent by referring to the process
name.
Fields:
    Agent: Select the alert field or constant that defines the Agent on which the process is to be
    terminated.
    Process Name: Select the alert field or constant that identifies the name of the process that is to
    be terminated.
    Account Name: Select the alert field or constant that identifies the name of the account that is
    running the process to be terminated.

Action: Log Off User
Description: This action logs the user off of an Agent.
Fields:
    Agent: Select the alert field or constant that defines the Agent from which the user is to be
    logged off.
    Account Name: Select the alert field or constant that identifies the specific account name that is
    to be logged off.

Action: Modify State Variable
Description: This action modifies a state variable.
Fields:
    State Variable: From the State Variables list, drag the state variable that the rule is to modify.
    State Variable Fields: From the appropriate component list, type or drag the data element that is
    to be modified in the state variable. The fields vary, depending on which state variable is
    selected.

Action: Remove Domain User From Group
Description: This action removes a domain user from a specified user group that resides on a
particular Agent.
Fields:
    Domain Controller Agent: Select the alert field or constant that defines the domain controller
    Agent on which the group to be modified resides.
    Group Name: Select the alert field or constant that defines the group that is to be modified.
    User Name: Select the alert field or constant that defines the user who is to be removed from the
    group.

Action: Remove Local User From Group
Description: This action removes a local user from a specified user group that resides on a
particular Agent.
Fields:
    Agent: Select the alert field or constant that defines the Agent on which the group to be modified
    resides.
    Group Name: Select the alert field or constant that defines the group that is to be modified.
    User Name: Select the alert field or constant that defines the user who is to be removed from the
    group.

Action: Remove User-Defined Group Element
Description: This action removes a data element from a particular user-defined group.
Fields:
    User-Defined Group: From the User-Defined Groups list, select the user-defined group from
    which the specified data element is to be removed.
    Value: Select the alert field or constant that defines the data element that is to be removed from
    the specified user-defined group. The fields will vary according to which user-defined group you
    select.
Action: Reset User Account Password
Description: This action resets a user account password on a particular Agent.
Fields:
    Agent: Select the alert field or constant that identifies the Agent on which the user password is
    to be reset. To reset an account at the domain level, specify a domain controller as the Agent.
    Account Name: Select the alert field or constant that identifies the user account that is to be
    reset.
    New Password: Select the alert field or constant that defines the user’s new password.

Action: Restart Machine
Description: This action reboots an Agent.
Fields:
    Agent: Select the alert field or constant that identifies the Agent that is to be rebooted.
    Delay (sec): Type the time (in seconds) after the event occurs that the Manager is to wait before
    rebooting the Agent.

Action: Restart Windows Service
Description: This action restarts the specified Windows service on an Agent.
Fields:
    Agent: Select the alert field or constant that identifies the Agent on which the Windows service
    will be restarted.
    Service Name: Select the alert field or constant that identifies the name of the service that is to
    be restarted.

Action: Send Email Message
Description: This action sends a preconfigured email message to a predetermined email distribution
list.
Fields:
    Email Template: Select the template that the email message is to use. For more information on
    email templates, see "Configuring Email Templates" on page 230.
    Recipients: Click the check boxes to select which users are to receive the email message.
    Email Fields: Either drag a field from the components list, or select a constant from the
    components list, to select the appropriate data elements that are to appear in each email template
    field. The fields vary, depending on which email template is selected.

Action: Send Popup Message
Description: This action displays a pop-up message to an Agent.
Fields:
    Agent: Select the alert field or constant that identifies the Agent that is to receive the pop-up
    message.
    Account Name: Select the alert field or constant that identifies the user account to receive the
    message.
    Message: Select the alert field or constant that defines the message that is to appear on the
    Agent’s monitor.

Action: Shutdown Machine
Description: This action shuts down an Agent.
Fields:
    Agent: Select the alert field or constant that identifies the Agent that is to be shut down.
    Delay (sec): Type the time (in seconds) after the event occurs that the Manager is to wait before
    shutting down the Agent.

Action: Start Windows Service
Description: This action starts the specified Windows service on an Agent.
Fields:
    Agent: Select the alert field or constant that identifies the Agent on which the Windows service
    is to be started.
    Service Name: Select the alert field or constant that defines the Windows service that is to be
    started.

Action: Stop Windows Service
Description: This action stops the specified Windows service on an Agent.
Fields:
    Agent: Select the alert field or constant that identifies the Agent on which the Windows service
    is to be stopped.
    Service Name: Select the alert field or constant that defines the Windows service that is to be
    stopped.
Chapter 11: Users
About the Users view
The Users view is used to manage the system users who are associated with each TriGeo Manager.
By adding email addresses for each user, the Console can notify users of alert conditions by email.
In this chapter, you will learn how to:
• use the key features of the Users grid
• add new users and user email addresses
• view a user's system privileges
• edit user settings
• delete users.
Users view features
The topics in this section describe the key features of the Users view, the meaning of each column in
the Users grid, and how to refine the Users grid.
The Users view
The following table describes the key features of the Users view.

Refine Results: This form behaves like a search engine. It lets you apply filters to the Users grid to
reduce the number of users it shows. See "Refining the Users grid" on page 329.

Users grid: The Users grid displays all of the system users who are associated with each Manager
throughout your network.

Add User button: Click this button to add a new user.

User Information: This pane displays detailed information about the user who is currently selected in
the grid, including the user’s role, password information, and contact information. When editing a
user, the User Information pane turns into an editable form.
Users grid columns
By default, the Users grid shows all users who are configured for all Managers that are monitored by
the Console. However, you can use the Refine Results form to refine the grid’s contents (see
"Refining the Users grid" on page 329).
The following table describes each column in the Users grid.

Gear button: The gear button in each row opens a menu of commands that you can perform on the
item that is currently selected in the grid.
    • Use the Edit command to edit the user’s settings and contact information.
    • Use the Delete command to delete the user.
Status: Indicates whether the user is currently logged on to the Console. One icon means the user is
logged on; the other icon means the user is not logged on.
User Name: Displays the name the user uses to log on to the Manager.
First Name: Displays the user’s first name.
Last Name: Displays the user’s last name.
Role: Displays the user role that has been assigned to the user. For more information on user roles,
see "Adding new users" on page 330.
Description: Displays a brief description of the user’s job function or responsibility.
Manager: States which Manager the user is associated with.
Last Login: States the date and time the user last logged on to the system.
Refining the Users grid
By default, the Users grid shows all users for all Managers. The Refine Results form behaves like a
search engine, letting you apply filters to the grid to reduce the number of users it shows.
When you select options in the Refine Results pane, the grid refreshes to show only those items that
match the refinement options you have selected. The other items in the grid are still there; however,
they are hidden. To restore them, simply click the Reset button or select All in the refinement lists
you are using.
The following table explains how to use the Refine Results form.

Reset: Click Reset to return the form and the Users grid to their default settings.
Manager: Select the Manager you want to work with. By default, the grid displays All Managers.
Role: Select the user role you want to work with. By default, the grid displays All roles.
Last Login Date Range: Type or select the begin and end date range to display the users who have
logged in within that date range.
Adding new users
The following procedure explains how to add and configure new users. You will add each new user by
opening and completing the User Information form. This form records each user’s individual
settings. It also allows you to record a user’s email addresses, which the Manager can use to notify
the user when an appropriate alert event occurs.
To add a new user:
1. Open the Build ► Users view.
2. At the top of the Users grid, click Add User.
Below the grid, a blank User Information form appears. A completed form is shown here for
reference purposes.
3. Complete the User Information form, as described in the following table.
Manager list: In the upper-right corner of the form, select the Manager this user will be associated
with.
User Name: Type the user’s TriGeo system user name. This is the name the user will use when
logging into the Manager.
First Name: Type the user’s first name.
Last Name: Type the user’s last name.
Password: Type the user’s TriGeo system password. This is the password the user will use when
logging into the Manager. This can be an initial system password or a temporary password that is
assigned to replace a forgotten password.
    If you have the Must Meet Complexity Requirements option checked in the Appliances view's
    Settings tab, the Console enforces the following password policy:
    • Passwords must have a minimum of six characters. Spaces are not allowed.
    • Passwords must have two of the following three attributes:
        ○ At least one special character
        ○ At least one number
        ○ A mix of lowercase and uppercase letters.
Confirm Password: Type the password a second time to verify that you entered it correctly.
Role: Select the appropriate role for this user:
    • Administrators are users who have full access to the system, and can view and modify
      everything. These users are designated with a green icon.
    • Auditors are users who have extensive view rights to the system, but cannot modify anything
      other than their own filters. These users are designated with a blue icon.
    • Monitors are users who can access the Console, but cannot view or modify anything, and must
      be provided a set of filters. These users are designated with a yellow icon.
    • Contacts are users who cannot access the Console, but do receive external notification. These
      users are designated with a red icon.
View Role: After selecting a user role, you can click the View Role button to open the Privileges
form, which shows the system privileges for that role. This information is provided here for reference
purposes and cannot be changed.
Description: Type a brief description (up to 50 characters) of the user’s title, position, or area of
responsibility.
Contact Information: Use this section to record the user’s email addresses, so the Manager can
notify users of network security events by email. You can add as many email addresses as you need
for each user.
    It is always a good idea to test each email address to confirm that it has been entered correctly
    and that it works properly.
    To add the user’s email address:
    1. Click the “add” button.
    2. In the box that appears (shown here), type the user’s email address and then click Save.
    3. The email address appears in the Contact Information section.
    4. Repeat this procedure as needed, to record each email address that applies to the user.
4. When you are finished, click Save to save the new user; otherwise, click Cancel.
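The password policy described under the Password field above, as an added example that is not part of this guide or of the TriGeo software: a checker that reports which of the Must Meet Complexity Requirements a candidate password fails. It assumes that "special character" means any ASCII punctuation character, which the guide does not define.

```python
import string

MIN_LENGTH = 6  # the guide's minimum password length

# Assumption: the guide does not say which characters count as "special";
# this checker treats any ASCII punctuation character as special.
SPECIAL_CHARACTERS = set(string.punctuation)


def password_attributes(password: str) -> dict:
    """Return which of the three complexity attributes the password has."""
    return {
        "special character": any(c in SPECIAL_CHARACTERS for c in password),
        "number": any(c.isdigit() for c in password),
        "mixed case": any(c.islower() for c in password)
        and any(c.isupper() for c in password),
    }


def check_password(password: str) -> list:
    """Return the list of policy violations for a candidate password.

    An empty list means the password satisfies the policy: at least six
    characters, no spaces, and at least two of the three attributes
    (special character, number, mixed case).
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    if " " in password:
        problems.append("contains a space")
    attrs = password_attributes(password)
    have = [name for name, present in attrs.items() if present]
    if len(have) < 2:
        missing = [name for name in attrs if name not in have]
        problems.append(
            "has only %d of the 3 attributes (missing: %s)"
            % (len(have), ", ".join(missing))
        )
    return problems


def meets_complexity(password: str) -> bool:
    """True if the password passes the policy, False otherwise."""
    return not check_password(password)


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the guide.
    for candidate in ["Tr1geo!", "trigeo", "Tri geo1", "tr1ge", "TriGeo"]:
        print(repr(candidate), check_password(candidate) or "OK")
```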
Viewing a user’s system privileges
After selecting a user role, you can use the View Role button to view the system privileges that are
associated with the user’s assigned role.
To view a user’s system privileges:
1. Open the Build ► Users view.
2. In the Users grid, double-click the user you want to work with.
Below the grid, the User Information pane displays the user’s current settings.
3. Click the View Role button.
The Privileges form appears, showing the user’s system privileges for his or her assigned
role. This information is provided here for reference purposes and cannot be changed.
4. When you are finished viewing the role’s privileges, click Close to return to the Console.
Editing user settings
Follow this procedure to edit an existing user’s configuration settings. You can also edit the user’s
email addresses to make corrections or keep them current. If an email address becomes obsolete,
you can also easily remove it.
To edit a user’s settings:
1. Open the Build ► Users view.
2. In the Users grid, do one of the following:
• Double-click the user you want to work with.
• Click to select the user you want to work with. Then click the row’s gear button and click Edit.
Below the grid, the User Information pane displays the user’s current settings and becomes
an editable form.
3. Make the necessary changes to the User Information form. For instruction on completing this
form, see "Adding new users" on page 330.
4. Click Save.
To delete a user’s email address:
1. Open the Build ► Users view.
2. In the Users grid, click to select the user you want to work with.
3. Click the row’s gear button and then click Edit.
4. In the User Information form’s Contact Information section, click the “delete” button next to
each email address you want to delete.
The system removes that particular contact information.
5. Click Save.
Deleting users
Follow this procedure to delete a user from a Manager.
To delete a user:
1. Open the Build ► Users view.
2. In the Users grid, click to select the user you want to delete.
3. Click the gear button and then click Delete.
Note: You cannot delete the admin user from the system.
4. At the Confirmation prompt, click Yes to delete the user; otherwise, click No.
The user is removed from the Users list. This user is no longer authorized to use the Manager.
Chapter 12: Connecting to other products
About TriGeo tools
Before you can begin using the TriGeo SIM Console, you must configure your Managers and Agents
to work with each of your third-party network security products, such as firewalls, anti-virus software,
intrusion detection systems, and various operating system tools.
You will do this with the Tool Configuration form. The Tool Configuration form connects your
network security products to the TriGeo SIM. Once these products have been connected, you can
receive alert messages from these products; consolidate their alerts and reports into a centralized
system for automated analysis, response, and event correlation; and report any potential security
incidents.
Throughout this chapter, the term tool refers to the sensors or actors that are used to connect TriGeo
Managers and Agents to your network security products and devices.
How TriGeo tools work
The Tool Configuration form integrates your security products by connecting each of their event log
sources to a dedicated data sensor. A sensor is a data gathering tool that monitors and interprets a
product’s log data. You will use the Tool Configuration form to identify each product you are using
with the TriGeo SIM, to locate each product’s logging sources, and to connect each logging source to
the appropriate data sensor.
Once in place, the TriGeo sensors monitor your products’ logging source data, compare the data to a
set of patterns and alert normalization assignments, identify “alert” data, and then forward that
information to the Console for alert processing.
Each sensor monitors only one type of log data source. If a product generates more than one log data
source, you must configure a separate sensor for each source. Each configuration of a TriGeo tool is
called a tool instance, or an alias.
The Tool Configuration form also records the settings for tools called actors. Managers use actors
to connect to active response tools and devices, such as firewalls and email, which can perform
specific functions or actions when directed to do so by the Manager’s security policies.
For example, an actor tells a Manager how to connect to a particular firewall when the Manager
issues a command for that firewall to block an IP address. Or, if you want the Manager to notify
people via email when there is a particular alert condition, the actor tells the Manager how to send the
email message.
Manager tools
To fully integrate your network security products and devices with the TriGeo SIM, begin by
configuring the Manager’s sensor and actor tools. The Tool Configuration form lets you connect the
Manager’s tools to any supported products or devices that are installed on or remotely logging to that
Manager. After the tools are configured, the Manager can monitor and interact with those products
and devices.
Manager tools run locally, on the Manager appliance. A Manager’s sensor tools monitor log files about
the Manager itself, as well as data that is logged to the Manager from remote devices that cannot
have their own Agents, such as firewalls. A Manager’s active response tools (actors) allow the
Manager to run remote actions and to send email.
Agent tools
After configuring a Manager’s tools, you must configure the sensor and actor tools for each Agent that
is associated with that Manager. The Tool Configuration form lets you connect the Agent’s tools to
any supported products that are installed on or remotely logging to the Agent’s computer. After the
Agent tools are configured, the Manager can monitor and interact with the products and devices on
that computer.
Agent tools run locally to monitor data on the Agent’s computer. An Agent’s sensors generally
monitor log files, as well as data that is logged to the Agent’s computer from remote devices that
cannot have their own Agents. An Agent’s active response tools (actors) allow the Agent to receive
instructions from the Manager and perform active responses locally, on the Agent’s computer, such
as sending pop-up messages or detaching USB devices.
Using Tool Profiles to configure multiple Agents
Most Agents in a network have only a few different tool configurations. Therefore, you can greatly
speed up the tool configuration process by creating Tool Profiles. A Tool Profile is a group of Agents
that share the same tool configuration. It allows you to configure a set of standardized tool settings,
and then apply those settings to all of the Agents that are assigned to that profile. Once applied, every
Agent in the profile will then have the exact same tool settings.
One of the great benefits of using Tool Profiles is that you can maintain all of the Agents in a profile at
once by updating only the Tool Profile’s tool configuration. The system then propagates your changes
to all of the Agents in the profile.
By using Tool Profiles, you can greatly speed up the process of connecting your network security
products to the TriGeo SIM. If you do not use Tool Profiles, you will have to create at least one tool
instance for every product that you intend to integrate with the TriGeo SIM, and then repeat this
process for every one of your Agents.
A well-planned set of Tool Profiles provides you with a versatile and efficient method for configuring
and maintaining your Agents’ tool configurations. For more information on Tool Profiles, see
"Configuring Tool Profiles" on page 241.
Supported products
TriGeo supports a continuously expanding list of leading network security products. TriGeo adds
value to these products by integrating them into one comprehensive solution. You can find a current
list of supported products at: www.trigeo.com/products/supportedlists/.
In addition, TriGeo Network Security will work with you to integrate custom products, or to add
products that are not currently supported. For more information about supporting specific products
that are not listed on the TriGeo web site, please send an e-mail message to sales@trigeo.com.
Glossary of TriGeo tool terms
Actor
An actor is a tool that initiates or completes active responses to security alert conditions when
directed to do so by the Manager’s security policies. An actor provides functionality for the Manager
and Agent software to interact with a device or application (such as a firewall, router, or email server),
and causes that device to perform an active response. Briefly, an actor is the interface between
incoming alerts and external devices. It is the software that says which response needs to happen,
and how to do it.
Agent
An Agent is software that is installed on a client computer that connects the client computer to a
Manager. Each Agent performs the following functions:
• It uses sensors to monitor network security product log source data on the client computer for
  potential “security alert” situations. The Agent can monitor multiple log sources for each product.
• It transmits alert information from the client computer to the Manager.
• It uses actors to process active responses from the Manager to the client computer.
An Agent can monitor multiple network security products, so long as those products are supported by
TriGeo, and they are installed on or remotely logging to the same computer the Agent is installed on.
Configured tool instance (Alias)
Each TriGeo sensor and actor can have more than one configuration. Each configuration is called a
tool instance (also called an alias). Tool instances let you use the same sensor to monitor multiple
logging sources with a single Agent. They allow you to differentiate between an Agent’s different log
file-to-tool mappings.
You will need to create at least one tool instance for each computer’s copy of each product that you
intend to integrate with the TriGeo SIM. Most products typically write to only one log source. For
these products, a single tool instance will suffice. However, some products write to more than one
log. For these products, you will need to create separate tool instances—one instance for each log
source.
Example: Two anti-virus scanners from the same vendor write the same type of log file to two
different places, and you want to monitor them both. To accomplish this, you need to create two tool
instances of the same sensor. One instance (alias) points to the first log file, and a second instance
(alias) points to the second log file. Each tool instance is a way of telling the sensor, “you will find the
same type of log source data you need, but in this location, also.”
Example: A primary server is set up to share data from a secondary server to the primary server.
This share defines a single Agent. The same anti-virus software monitors both servers, but the
software places log files on each server. Each sensor alias can only point to one path for each anti-virus log. But for the primary server, there are two different anti-virus log file paths, one on each
server. Therefore, you must set up aliases that define the paths to the log files on each server so that
the Agent can tell them apart: one alias to monitor “AV-Primary Server” and one alias to monitor “AV-Secondary Server.”
Logging sources
Logging sources record data that is reported from your network security applications and devices.
Typical logging sources are text files on the hard drive, or binary sources, such as the Windows
Event Log.
Manager
A Manager is a network appliance that consists of hardware, TriGeo’s security policy management
software, the TriGeo database, and usually the Snort IDS. The Manager software is effectively the
“central processing station” for all Agents that are connected to it. The Manager processes incoming
alerts from its Agents, is responsible for all network security policy decisions, and is responsible for
sending the data to the TriGeo database and/or an external database warehouse.
You can think of a Manager as a server that collects and processes source log data from your
network security products and devices. A network can have more than one Manager. For large
networks, multiple Managers assist with balancing the processing load. Each Manager on a network
is independent of the others—they do not share data or data processing tasks.
Sensor
A sensor is a TriGeo tool that is part of the Manager and Agent software. Sensors interpret the logging
source data that is generated by the network security applications and devices that are integrated
with the TriGeo SIM. The sensor monitors and interprets the log data, converts it to an alert, and then
forwards it to the Manager for alert processing.
In general, each sensor corresponds to only one logging source from a single vendor’s application,
device, or series of devices. However, some applications or devices have multiple log sources;
therefore, they have multiple sensors assigned to them. For example, McAfee Anti-Virus uses
several different log files, so each log file requires its own sensor.
Tool
Tool is the generic term for the TriGeo sensor or actor that you are configuring for use with a third-party network security product, such as a firewall or anti-virus software. Tools configure sensors to
retrieve data from network security products, and they configure actors that allow the Manager to
initiate an active response to an alert condition. Think of a tool as the connection between your
network security products’ log data and the TriGeo SIM.
Tool Configuration features
The topics in this section describe key features of the Tool Configuration form, its grid columns, its
tool icons, and how to use its Refine Results form.
Tool Configuration form features
The Tool Configuration form has similar features, whether you are configuring or editing a Manager,
an Agent, or a Tool Profile.
The Tool Configuration form
The following table describes the key features of the Tool Configuration form.
Sidebar button: Click the Sidebar button to alternately hide and open the form’s Refine Results pane.

Refine Results pane: By default, the Tools grid shows all of the products that TriGeo supports. The Refine Results pane lets you apply filters to the grid to reduce the number of products it shows. This way, you can show only those products that are configured for use with this Agent, or that are associated with a particular product category or status (Running or Stopped).

Tools grid: The Tools grid lists all of the TriGeo sensor and actor tools that are available to each Agent. These tools are what allow the TriGeo SIM to monitor and interact with your network security products and devices. Tools are organized by category and product name. Each TriGeo tool is named after the third-party product it is designed to configure for use with the TriGeo SIM.

New button: Click this button to create a new tool instance for the sensor or actor that is currently selected in the Tools grid.

Properties pane: This pane displays detailed information about the tool that is currently selected in the Tools grid.
• If the tool is not configured, this pane displays a description of the tool.
• If the tool is configured, this pane displays the tool’s configuration settings as read-only information.
Whenever you add or edit a tool, this pane turns into an editable form for recording the tool’s configuration settings.
Tools grid columns
The following table briefly describes the meaning of each column in the Tool Configuration form’s
Tools grid.
Gear button: The gear button opens a menu of commands that apply to the tool that is currently selected in the grid.

Status: Shows the tool’s current connection status. One icon means the tool is connected and running; the other icon means the tool is disconnected and not running.

Category: The high-level tool category, such as anti-virus tools, firewall tools, operating system tools, etc. For more information, see "Tool categories" on page 359.

Name: The name of the TriGeo actor, sensor, or tool instance. Typically, TriGeo tools are named after the third-party products they are designed to configure for use with the TriGeo SIM. For a description of the icons that appear in this column, see "Tools grid icons" on page 345.
Tools grid icons
The following table describes the icons used in the Tool Configuration utility’s node tree.
Blue tool icon: A blue tool icon represents a TriGeo sensor for a particular product. The sensor displays the name of the product it is designed to monitor. Each tool instance (or alias) that is currently configured to monitor that product is listed below the tool. If no tool instances are listed, it means the product, on this Agent computer, has not been configured for use with the TriGeo SIM. Whenever you select a sensor in the grid, the lower pane displays the tool’s name and a description of the TriGeo sensor, when available.

Orange tool icon: The orange tool icon represents a TriGeo actor for a product that can perform an active response. The actor displays the name of the product it is designed to interact with. Each tool instance (or alias) that is currently configured to initiate an active response on that product is listed below the tool. If no tool instances are listed, it means the product, on this Agent computer, has not been configured for use with the TriGeo SIM. Whenever you select an actor in the grid, the lower pane displays the tool’s name and a description of the TriGeo actor, when available.

Sensor tool instance icon: This icon represents a configured instance of a sensor tool. Each sensor can have more than one instance, where each configuration is identified by a different name, called an alias. In the grid, each configured tool instance appears below its tool. Whenever you select a sensor tool instance in the grid, the lower pane displays the sensor tool’s name, and the tool instance’s name (or alias) and configuration settings. The Status column displays each instance’s current status, Stopped or Running.

Actor tool instance icon: This icon represents a configured instance of an actor tool. Each actor can have more than one instance, where each configuration is identified by a different name, called an alias. In the grid, each configured tool instance appears below its tool. Whenever you select an actor tool instance in the grid, the lower pane displays the actor tool’s name, and the tool instance’s name (or alias) and configuration settings. The Status column displays each instance’s current status, Stopped or Running.
Refining the Tools grid
By default, the Tools grid shows every tool (sensor and actor) that can be configured for use with a
particular Agent or Manager. To help you work more efficiently with a long list of tools, the Refine
Results pane lets you apply filters to the Tools grid to reduce the number of tools it shows.
When you select options in the Refine Results pane, the Tools grid refreshes to show only those
sensors and actors that match the options you have selected. The other tools are still there; however,
they are hidden. To restore them to the grid, simply click the Reset button or select All in the
refinement lists you are using.
The following table explains how to use the Refine Results pane.
Reset: Click Reset to clear the form and return the Tools grid to its default state (showing all tools).

Search: Use this field to perform keyword searches for specific products, such as “Cisco” or “McAfee.” To search, type the text you want to search for in the text box. Then press Enter or click the magnifying glass symbol. The grid displays only those products that match or include the text you entered.

Configured Tools: Select this check box to have the Tools grid show only those tool instances that are currently configured for the Manager or Agent you are working with. Clear this check box to have the grid list both configured and unconfigured tools.

Category: Select a high-level category to list the TriGeo tools that are available to support third-party products in that category. Each TriGeo tool is named after the product it is designed to configure for use with the TriGeo SIM. Note: If you cannot find a particular product, it is either not supported, or it is in a different category.

Status: Select Running to list all of the tools that are currently running on the Manager or Agent you are working with. Select Stopped to list all of the tools that are currently stopped on the Manager or Agent you are working with.
Connecting products to the TriGeo SIM
To protect the integrity of your network security infrastructure, you must configure the tools needed to
connect the TriGeo SIM to your network’s various security products and devices. To do this,
Managers and Agents use tools called sensors and actors. Sensors monitor the log data that is
written by your security products and devices. Actors transmit responses from the Manager to your
security products and devices, to prompt them to take a particular action.
These tools are configured with the Tool Configuration form. You will use this form with each
Manager, and with each Agent that is associated with a Manager. The procedure for configuring
Manager tools and Agent tools is the same. When you are finished, your Managers will be able to
monitor every one of your network security products’ logging sources, and to respond to each alert
condition with the appropriate notification, escalation, and response requirements for each tool’s
security policies.
Note: Before you configure TriGeo tools (sensors and actors), the network security products or
devices you are connecting to must already be installed on or remotely logging to the computer the
TriGeo SIM will be monitoring.
If you configure a TriGeo tool for a product or device that is not yet installed, you will have to start the
Manager’s or Agent’s tool instance for that product after you install the product. See "Starting a tool
instance" on page 355.
First-time users
Typically, TriGeo configures the tools that connect your network security products and devices to
your company’s Managers during the installation and training process. If you did not receive this
interactive installation, or if you are configuring TriGeo tools for the first time, please read this chapter
carefully.
Once you understand how TriGeo tools work, the following procedures will guide you through the tool
configuration process needed to integrate the TriGeo SIM with your network security products and
devices.
A note about TriGeo nDepth
TriGeo nDepth is an appliance and plug-in application that is sold separately. If you are using nDepth,
each TriGeo SIM (Manager) has its own dedicated nDepth appliance that is mounted in a rack with
the Manager. nDepth stores all of the original log file data from each host (network device) and source
(application or tool) that passes through the Manager. The data is stored in its entirety and in real time.
This is relevant here because each TriGeo actor and sensor tool has nDepth configuration settings,
whether you use nDepth or not. Therefore, you need to know what these settings mean.
1. First, decide which network security applications and devices that are being monitored by the
Manager are to also send their log file data to nDepth.
2. Then, when configuring TriGeo tools (actors and sensors) in the Tool Configuration form, be
sure to configure each of these products for use with nDepth. You can choose to route a product’s log file data to the TriGeo SIM, to TriGeo nDepth, or both.
Configuring Manager tools (general procedure)
Follow this procedure to configure a Manager’s tools (sensors and actors). It lets the Manager monitor
and interact with the supported security products or devices that are installed on or remotely logging
to the Manager computer.
To configure a Manager’s tools:
1. Start the TriGeo SIM Console.
2. Open the Manage ► Appliances view.
3. If you have not already done so, add and configure each TriGeo Manager you will be using with
your network. For details, see "Adding appliances to the Console" on page 380 and "Configuring a Manager's properties" on page 384.
4. Log on to the Manager you want to work with.
5. Open the Tool Configuration for [Manager] form. See "Opening the Tool Configuration
form" on page 351.
6. Add a tool instance for each of the product’s event log sources. See "Adding new tool
instances" on page 353.
7. When you are finished, start the tool instance. See "Starting a tool instance" on page 355.
8. Repeat Steps 6 and 7 for each product or device that is logging to the Manager computer.
9. Repeat Steps 4–8 for each Manager, until you have configured TriGeo tools for each point on
your network.
Configuring Agent tools (general procedure)
Follow this procedure to configure the tools (sensors and actors) the Agent uses to monitor and
interact with each network security product and device that is running on the Agent computer.
To configure an Agent’s tools:
1. Open the Manage ► Agents view.
2. Open the Tool Configuration for [Agent] form. See "Opening the Tool Configuration form"
on page 351.
3. Add a tool instance for each of the product’s event log sources. See "Adding new tool
instances" on page 353.
4. When you are finished, start the tool instance. See "Starting a tool instance" on page 355.
5. Repeat Steps 3 and 4 for each product or device the Agent is monitoring on the Agent’s computer.
6. If you are not using Tool Profiles, repeat Steps 2–5 for each Agent, until you have configured
the TriGeo tools for each point on your network. If you are using Tool Profiles, you can use a
configured Agent as a template for a Tool Profile. For more information, see "Configuring Tool
Profiles" on page 241.
Opening the Tool Configuration form
Use the following procedure whenever you need to open the Tool Configuration form. Typically, you
will open this form for the following reasons:
• To configure and manage a Manager’s sensor, actor, and notification tools.
• To configure and manage an Agent’s sensor and actor tools.
• To change the tools configured in an Agent’s Tool Profile.
Note: To change a Tool Profile's membership and properties, edit the Tool Profile in the Build
► Groups view.
You must be logged on to a Manager before you can configure its tools or its Agents’ tools. See
"Logging in and out of Managers" on page 382.
Opening a Manager’s Tool Configuration form:
1. On the TriGeo SIM Console, click Manage ► Appliances.
2. In the Appliances grid, click to select the Manager you want to work with.
3. If needed, log in to the Manager. To do so, click the gear button and then click Login.
4. Click the gear button and then click Tools.
The Tool Configuration for [Manager] form appears. You may now add the tool instances
for each network security product or device this Manager is to monitor or interact with on the
Manager computer. For details, see "Adding new tool instances" on page 353.
Opening an Agent’s Tool Configuration form:
1. If needed, log in to the Manager you want to work with.
2. On the TriGeo SIM Console, click Manage ► Agents.
3. In the Agents grid, click to select the Agent you want to work with.
4. Click the gear button and then click Tools.
• If the Agent is not in a Tool Profile, the Tool Configuration for [Agent] form appears.
You may now add the tool instances for each network security product or device this
Agent is to monitor or interact with on the Agent’s computer. For details, see "Adding
new tool instances" on page 353.
• If the Agent is in a Tool Profile, the Agent Tool Configuration prompt appears. This
prompt simply warns you that the Agent belongs to a Tool Profile.
You can choose to edit the Tool Profile, which affects every Agent in that profile; or you
can remove the Agent from the profile to configure the Agent separately.
5. Do one of the following:
l
To edit the Tool Profile, click Tool Profile.
The Tool Configuration for [Tool Profile] form appears. You may now begin adding,
editing, or deleting the tool instances associated with that Tool Profile.
l
To remove the Agent from the Tool Profile and configure its tools separately, click
Agent Tool Configuration.
The Tool Configuration for [Agent] form appears. You may now add the tool
instances for each network security product or device this Agent is to monitor or
interact with on the Agent’s computer.
Adding new tool instances
In this procedure, you will use the Tool Configuration form to do the following:
• Configure the tool settings for each sensor that is to gather data from a network security product’s event logs.
• Configure the tool settings for each actor that is to initiate an active response from a network
security product or device.
Each configuration of a TriGeo sensor or actor tool is called a tool instance. Most products typically
write to only one log source. For these products, a single tool instance will suffice. However, some
products write to more than one log. For these products, you will need to create separate tool
instances—one instance for each log source. When a product requires more than one instance, you
can differentiate between them by assigning each instance a unique name, called an alias.
To add a new tool instance:
1. Open the Tool Configuration form for the Manager or Agent you want to work with.
2. If desired, use the Refine Results pane to select the tool Category you want to work with. For
information on categories, see "Tool categories" on page 359.
3. In the Tools grid, click to select the tool you want to configure.
• The blue tool icon means the tool is for a sensor.
• The orange tool icon means the tool is for an actor.
4. Do either of the following:
• At the top of the Tools grid, click New.
• Click the tool row’s gear button and then click New.
The Properties pane opens as an editable form, as shown here.
The fields that appear on the form vary from one tool to another, in order to support the product
or device you are configuring. For new instances, the form displays the default tool settings
needed to configure the associated product or device. In most cases, you can save the tool
with its default settings; however, you can change the settings, as needed.
5. Complete the Properties form, as needed.
To assist you, we have prepared some reference tables that explain the meaning of each field
you may encounter in the Properties form.
• To configure a sensor that will gather data from the product’s event log data, see "Configuring sensors" on page 365.
• To configure an actor that will allow the Manager to perform active responses, see "Configuring actors" on page 368.
• To configure a notification setting that will allow the Manager to notify users of alert
events via email, see "Setting up a notification system" on page 371.
6. Click Save to save the tool configuration as a new tool instance; otherwise, click Cancel.
Upon saving, the following things happen in the Tools grid:
• If you configured a sensor, a sensor tool instance icon appears below the tool you
are working with.
• If you configured an actor, an actor tool instance icon appears below the tool you
are working with.
• The Stopped icon in the Status column means the tool instance is stopped. All new tool
instances automatically have a status of Stopped. To begin using the tool, you must
start it.
7. To start the tool instance, click its gear button and then click Start.
After a moment, the system starts the tool instance. Upon starting, the tool’s Status icon
changes to Running. The selected tool instance is now running.
8. If needed, repeat Steps 3–7 for each additional tool instance that is required to fully integrate
this product or device with the TriGeo SIM.
Starting a tool instance
Whenever you finish adding or reconfiguring a tool instance, you must start it so it can begin running.
Starting a tool instance enables that particular tool configuration. If the tool instance is for a sensor,
starting it enables the sensor to begin monitoring the product’s event log. If the tool instance is for an
actor, starting it enables the actor to begin initiating active responses on that product when requested
to do so by policy.
To start a tool instance:
1. Open the Tool Configuration form for the Manager or Agent you want to work with.
2. In the Tools grid, click to select the tool instance you want to start.
3. Click the tool instance’s gear button and then click Start.
After a moment, the system starts the tool instance. Upon starting, the tool’s Status icon
changes to Running. The selected tool instance is now running.
Common problems with starting tool instances
If the tool fails to start, the TriGeo Console will display a Warning or a Failure alert that states the
problem. Normally, tools fail to start for either of the following reasons:
• The network security device’s log file does not exist.
• The Agent does not have permission to access the file.
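As an added illustration that is not part of the TriGeo guide or product, the following Python script runs the two checks behind these failure reasons against a constructed list of tool instances (tool, alias, log path), reporting for each alias whether its log file exists and whether the account running the check can read it. The ToolInstance record and the aliases used are constructed for the example.

```python
"""Pre-flight check for sensor tool instances (added example, not TriGeo code).

Each constructed ToolInstance mirrors what the Tool Configuration form records:
the sensor tool, its alias, and the log file path the alias points to.
"""
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class ToolInstance:
    tool: str       # sensor the instance belongs to (constructed name)
    alias: str      # unique name for this configuration
    log_path: str   # logging source this alias monitors


def check_log_source(log_path: str) -> tuple:
    """Return (ok, reason) for the two failure causes the guide names.

    A missing file and an unreadable file are reported separately so the
    operator knows whether to fix the path or the Agent account's permissions.
    """
    if not os.path.isfile(log_path):
        return False, "log file does not exist"
    try:
        # Actually open and read one byte rather than trusting os.access(),
        # which can disagree with the effective permissions (e.g. under ACLs).
        with open(log_path, "rb") as fh:
            fh.read(1)
    except PermissionError:
        return False, "Agent does not have permission to access the file"
    return True, "ok"


def preflight(instances):
    """Map each alias to its (ok, reason) result; aliases must be unique."""
    results = {}
    for inst in instances:
        if inst.alias in results:
            raise ValueError(f"duplicate alias: {inst.alias}")
        results[inst.alias] = check_log_source(inst.log_path)
    return results


def failures(results):
    """Aliases that would fail to start, mapped to the reason."""
    return {alias: reason for alias, (ok, reason) in results.items() if not ok}


def demo():
    """Run the check against constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        primary = os.path.join(tmp, "av-primary.log")
        with open(primary, "w") as fh:
            fh.write("constructed sample log line\n")
        secondary = os.path.join(tmp, "av-secondary.log")  # never created
        locked = os.path.join(tmp, "locked.log")
        with open(locked, "w") as fh:
            fh.write("constructed sample log line\n")
        os.chmod(locked, 0)  # read is denied unless running as root

        instances = [
            ToolInstance("AV Sensor", "AV-Primary Server", primary),
            ToolInstance("AV Sensor", "AV-Secondary Server", secondary),
            ToolInstance("AV Sensor", "AV-Locked", locked),
        ]
        results = preflight(instances)
        for alias, (ok, reason) in results.items():
            print(f"{'START' if ok else 'FAIL '} {alias}: {reason}")
        os.chmod(locked, 0o600)  # restore so the temp dir can be removed
        return failures(results)


if __name__ == "__main__":
    demo()
```

Run the script as the same account the Agent service runs under; a root account will read the chmod-0 file successfully, which is exactly why the check is only meaningful under the Agent's own credentials.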
Stopping a tool instance
Use this procedure to stop a tool instance. You must always stop a tool instance before you can edit
or delete that tool instance. However, you can also stop a tool instance to prevent the tool from
gathering data for the TriGeo Console, or to prevent it from initiating active responses on a network
security product or notification system.
To stop a tool instance:
1. Open the Tool Configuration form for the Manager or Agent you want to work with.
2. In the Tools grid, click to select the tool instance you want to stop.
3. Click the tool instance’s gear button and then click Stop.
After a moment, the system stops the tool instance. When the tool’s Status icon changes to
Stopped, it means the tool has stopped.
Once a tool instance has been stopped, it can be edited, deleted, or restarted, as needed. The
tool instance will remain stopped until you restart it.
Editing a tool instance
When needed, you can edit an existing tool instance’s configuration settings. However, you cannot
edit its name (alias). If you need to rename a tool instance alias, you must delete the current tool
instance and create a new one with the new name. Also, you cannot edit the Log File value for some
Windows event log sensors.
Use this procedure whenever you need to correct or change a TriGeo tool’s configuration. If you are
using TriGeo nDepth, also see "A note about TriGeo nDepth" on page 348.
To edit a tool instance:
1. Open the Tool Configuration form for the Manager or Agent you want to work with.
2. In the Tools grid, click to select the tool instance you want to edit.
3. Click the tool instance’s gear button and then click Stop.
After a moment, the system stops the tool instance. When the tool’s Status icon changes to
Stopped, it means the tool has stopped.
4. To edit the tool, click the gear button and then click Edit.
5. In the Properties form, update the tool settings, as needed.
To assist you, we have prepared some reference tables that explain the meaning of each field
you may encounter in the Properties form.
• To configure a sensor that will gather data from the product’s event log data, see "Configuring sensors" on page 365.
• To configure an actor that will allow the Manager to perform active responses, see "Configuring actors" on page 368.
• To configure a notification setting that will allow the Manager to notify users of alert
events via email, see "Setting up a notification system" on page 371.
6. Click Save to save your changes.
7. When you are finished, restart the tool instance by clicking the gear button and then clicking Start.
Deleting a tool instance
When needed, you can delete an obsolete or incorrect tool instance.
To delete a tool instance:
1. Open the Tool Configuration form for the Manager or Agent you want to work with.
2. In the Tools grid, click to select the tool instance you want to delete.
3. Click the tool instance’s gear button and then click Stop.
After a moment, the system stops the tool instance. When the tool’s Status icon changes to
Stopped, it means the tool has stopped.
4. Click the tool instance’s gear button and then click Delete.
5. At the confirmation prompt, click Yes to delete the tool instance.
After a moment, the tool instance disappears from the Tools grid.
Using an Agent to edit a Tool Profile
You can use an Agent that is a member of a Tool Profile as a vehicle for editing that profile’s tool
settings. You can add new tool instances to the profile, or edit or delete its existing instances. Use
caution when editing a Tool Profile. The changes you make will apply to every Agent that is a member
of that profile.
You can also edit a Tool Profile's tool settings from the Manage ► Agents view. For details, see
"Editing a Tool Profile’s tool settings" on page 247.
To use an Agent to edit a Tool Profile’s tool settings:
1. Open the Manage ► Agents view.
2. In the Agents grid, click to select the Agent that is in the Tool Profile you want to edit.
3. Click the gear button and then click Tools.
The Agent Tool Configuration prompt appears to warn you that the Agent belongs to a Tool
Profile.
4. Click Tool Profile.
The Tool Configuration for [Tool Profile] form appears. You may now begin adding,
editing, or deleting the tool instances that are associated with that Tool Profile.
Tool configuration tables
The tables in this section describe the various categories of network security products that can be
connected to the TriGeo SIM, and explain the fields for configuring sensors, actors, and notification
systems.
Tool categories
The following table describes the various categories of network security products that can be
connected to the TriGeo SIM. The Description column describes how the TriGeo tools (sensors and
actors) typically work with each type of product or device. The Use with columns indicate if each
product type requires Manager tools, Agent tools, or both.
Use with
Category
Description
Anti-Virus
This category lets you configure sensors for use
with common anti-virus products. These
products protect against, isolate, and remove
viruses, worms, and Trojan programs from
computer systems.
Managers
Agents
ü
ü
To configure an anti-virus tool, the anti-virus
software must already be installed on the Agent
computer.
Some anti-virus tools can also be run on the
Manager by remotely logging from an Anti-Virus
server.
Due to software conflicts, it is recommended
that you run only one brand of anti-virus software
per computer.
Application
Switch
Database
This category lets you configure sensors for use
with application switches. Application-Layer
switches transmit and monitor data at the
application layer.
This category lets you configure sensors for
use with database auditing products. These
products monitor databases for potential
database intrusions, changes, and database
system events.
359
ü
ü
ü
Chapter 12: Connecting to other products
Use with
Category
File Transfer and
Sharing
Firewalls
Description
Managers
ü
This category lets you configure sensors for
use with file transfer and file sharing products.
These products are used to share files over the
local network and/or Internet. Monitoring these
products provides information about what files
are being transferred, by whom, and system
events.
This category lets you configure sensors and
actors for use with applications and devices that
are used to protect and isolate networks from
other networks and the Internet.
Firewall sensors connect to, read, and retrieve
firewall logs. Most firewalls also have an active
response tool. These tools configure actors that
interface with routers and firewalls to perform
block commands. Actors can perform active
responses either via telnet or serial/console
cable. Normally, you will configure these tools
on the Manager.
To configure a firewall tool, the firewall product
must already be installed on the Agent
computer, or it must be remotely logging to an
Agent or a Manager. Normally, you will configure
these tools on the Manager.
You must also configure each firewall’s data
gathering and active response capabilities
separately. For example, configuring a firewall’s
data gathering capabilities does not configure
the firewall’s active response settings.
Identity and Access Management
This category lets you configure sensors for use with identity access, identity management, and other single sign-on tools. These products provide authentication and single sign-on capabilities, account management, and other user access features. Monitoring these products provides information about authentication and the management of accounts.

IDS and IPS
This category lets you configure sensors and actors for use with network-based and host-based intrusion detection systems. These products provide information about potential threats on the network or host, and can be used to raise alarms about possible intrusions, misconfigurations, or network issues.
Generally, network-based IDS and IPS tools are configured to log remotely, while host-based IDS and IPS systems log locally on an Agent system. Some network-based IPS systems provide the capability to perform an active response via their actor tool, allowing you to block an IP address at the IPS device.

Manager
This category lets you configure sensors for use with the Manager and other TriGeo Appliances. These tools monitor for conditions on the Manager that may be informational or that indicate potential problems with the appliances.

Network Management
This category lets you configure sensors for use with network management tools. These tools monitor for different types of network activity from users on the network, such as workstation-level process and application monitoring. Generally, these systems are configured to log remotely from a central monitoring server.

Network Services
This category lets you configure sensors for use with different network services. These tools monitor service-level activity for different network services, including DNS and DHCP. Most network services are configured to log locally on an Agent's system; however, some are configured to log remotely.

Operating Systems
This category lets you configure sensors for use with utilities in the Microsoft Windows operating system that monitor system events.
This category includes a Windows Active Response tool. This tool configures an actor that enables Windows active response capabilities on Agents using Windows operating systems. This allows the TriGeo SIM to perform operating system-level responses, such as rebooting computers, shutting down computers, disabling networking, and disabling accounts.
To configure an operating system tool, the operating system software must already be installed on the Agent computer.
If you perform the remote Agent installation, the Windows NT/2000/XP Event Application Logs and System Logs tools are configured by default.

Proxy Servers and Content Filters
This category lets you configure sensors for use with different content monitoring tools. These tools monitor user network activity such as web surfing, IM/chat, and file downloads, and events related to administering the monitoring systems themselves. Generally, these tools are configured to log remotely from the monitoring system.

Routers/Switches
This category lets you configure sensors, and in some cases actors, for use with different routers and switches. These tools monitor activity from routers and switches such as connected/disconnected devices, misconfigurations or system problems/events, detailed access-list information, and other related messages. Some routers/switches have the capability to configure an actor tool to block an IP address at the device. Generally, these tools are configured to log remotely from the router/switch.

System Scan Reporters
This category lets you configure sensors for use with different asset scanning tools, such as vulnerability scanners. These tools provide information about potential vulnerabilities, exposures, and misconfigurations of different devices on the network. Generally, these tools create alerts in the 'Asset' categories in the TriGeo alert tree.

System Tools
This category lets you configure the Manager with an external notification system, so the TriGeo SIM can transmit alert messages to TriGeo users via email or pager. For details, see "Setting up a notification system" on page 371.

VPN and Remote Access
This category lets you configure sensors and actors for use with Virtual Private Network (VPN) server products that provide secure remote access to networks. Normally, you will configure these tools on the Manager.

Web Server
This category lets you configure sensors for use with Web server products. To configure a web server tool, the web server software must already be installed on the Agent or Manager computer.
Configuring sensors
The following table describes each field you’ll find on the Tool Configuration form when configuring
sensors for data gathering tools. The actual fields that appear depend on the tool you are configuring.
Not every field appears with every tool. For convenience, the table is sorted alphabetically by field
name.
Field
Description
Alias
Type a name that easily identifies the application or appliance event log
file that is being monitored. For more information, see "Glossary to
TriGeo tool terms" on page 340.
For active response tools, we recommend you end the alias with “AR”.
For example, an alias for the Cisco PIX Active Response tool might be
“Cisco PIX AR”. This allows you to differentiate the active response
tool from the data gathering tool.
Log File / Log Directory
When you create a new alias for a tool, the TriGeo SIM automatically
places a default log file path in the Log File box. This path tells the tool
where the operating system stores the product’s event log file.
For most tools, you can change the log file path, as needed. However,
some products write events to the Windows Application Log or the
Windows System Log. In these cases, you are actually configuring the
sensor that monitors events that are written to that log file. For these
tools, the Log File setting is disabled, and the system automatically
populates the Log File field with the name of the Windows event log
the sensor is monitoring.
In most cases, you should be able to use the default log file path that is shown for the tool. These paths are based on the default vendor settings and the product documentation for each product. If a different log path is needed, type or paste the correct path in the Log File box, or use the Browse button to browse to the correct folder or file.
If you are uncertain about which file path to use, either refer to your original product documentation, or contact TriGeo Technical Support.
Note: If the product creates separate log files based on the current date
or some other fixed interval, you can either select the log directory or
any log file in that directory. If you select a log file, the TriGeo SIM reads
through the directory’s log files in order, from the file you selected to the
most current file. The SIM then reads new files as they are added.
nDepth Host
Type the IP address or host name for the nDepth appliance. Generally,
the default setting is correct. Only change it if you are advised to do so.
nDepth Port
Type the port number to which the tool is to send nDepth data. If you are
uncertain, use the default value. Generally, the default setting is
correct. Only change it if you are advised to do so.
New File Name Interval
Select the interval in which the tool posts and names each new log file.
The interval tells the TriGeo SIM when to begin reading the next log file.
The default setting is Daily: yymmdd.
Output
If you are not using TriGeo nDepth, do not configure the form’s
Output, nDepth Host, and nDepth Port settings. Use the form’s
default settings for these fields. To learn more, see "A note about
TriGeo nDepth" on page 348.
If you are using TriGeo nDepth, select one of the following log file data
output options:
Alert - This is the default option. It sends the tool’s log file data as alerts
to the TriGeo SIM for processing by your correlation rules, associated
active responses, TriGeo Consoles, and databases.
nDepth - This option sends the tool’s log file data to TriGeo nDepth for
archiving. The data does not go to the TriGeo SIM, so any potential alert
activity does not appear in the Alert Panel. However, you can still
search the data from the SIM with the nDepth Explorer, or you can
search the data directly in nDepth with the nDepth Browser.
Alert, nDepth - If you are using nDepth, TriGeo recommends that you
choose this option. It sends the tool’s log file data to the TriGeo SIM for
alert processing and to TriGeo nDepth for data archiving. This means
the SIM reports potential alert activity in the Alert Panel, and nDepth
archives the tool’s output data for later reference. Furthermore, you can
access the nDepth data from the SIM with the nDepth Explorer, or you
can search the data directly in nDepth with the nDepth Browser.
Server IP Address / [Product] IP Address / [Product] Server
Type the IP address of the router or firewall. Use the following IP address format: 192.123.123.123.
Sleep Time
Type or select the time (in seconds) the tool sensor is to wait between
event monitoring sessions. The default (and minimum) value for all tools
is one (1) second. If you experience adverse effects due to too many
rapid readings of log entries, increase the Sleep Time for the
appropriate tools.
Windows NT-based tools automatically notify Windows Event Log
sensors of new events that enter the log file. Should automatic
notification stop for any reason, the Sleep Time dictates the interval
the sensor is to use for monitoring new events.
Tool Version
This is TriGeo’s release version for this tool. This is read-only
information for reference purposes.
Wrapper Name
This is an identification key that the TriGeo SIM uses to uniquely
identify the properties that apply to this particular tool. This is read-only
information for TriGeo reference purposes.
If the tool settings you need are not shown here, you are probably configuring an active response tool. See "Configuring actors," below. When you have finished configuring the tool settings, don't forget to start the tool. See "Starting a tool instance" on page 355.
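The Log File / Log Directory note above describes how a sensor walks a directory of date-named files from the file you selected to the newest one and then picks up new files, and the Sleep Time field sets the pause between monitoring sessions. The Python below is an added example written for this edit, not TriGeo code: it assumes file names of the form <prefix>yymmdd.log (the Daily default) and leaves an unterminated last line unread until its newline arrives, so a half-written event is never emitted as a truncated alert.

```python
"""
Added example (not TriGeo code): a sensor-style reader for date-named log
files. Assumptions: names are <prefix>yymmdd.log; a trailing partial line
stays unread until it is terminated.
"""
import os
import re
import shutil
import tempfile
import time

# Daily: yymmdd naming (the tool's default New File Name Interval).
# Assumed layout: a product prefix, six digits, ".log".
DATE_NAME = re.compile(r"^(?P<prefix>.*?)(?P<date>\d{6})\.log$")


def log_files_in_order(directory, start_file):
    """Files in directory with the same prefix as start_file and a yymmdd
    stamp >= start_file's, oldest first. Lexicographic order of yymmdd is
    correct within a century (it breaks across a 99 -> 00 boundary)."""
    m = DATE_NAME.match(start_file)
    if not m:
        raise ValueError(f"{start_file!r} is not a <prefix>yymmdd.log name")
    prefix, start = m.group("prefix"), m.group("date")
    dated = []
    for name in os.listdir(directory):
        n = DATE_NAME.match(name)
        if n and n.group("prefix") == prefix and n.group("date") >= start:
            dated.append((n.group("date"), name))
    return [name for _, name in sorted(dated)]


class RotatedLogSensor:
    """Keeps a read offset per file so that each monitoring session returns
    only the complete lines written since the previous session."""

    def __init__(self, directory, start_file):
        self.directory = directory
        self.start_file = start_file
        self.offsets = {}

    def poll(self):
        """One monitoring session: (file_name, line) for every new complete
        line, oldest file first; new files are discovered on every call."""
        new_lines = []
        for name in log_files_in_order(self.directory, self.start_file):
            path = os.path.join(self.directory, name)
            offset = self.offsets.get(name, 0)
            with open(path, "rb") as fh:          # binary: byte offsets are exact
                fh.seek(offset)
                chunk = fh.read()
            complete = chunk.rfind(b"\n") + 1     # bytes up to the last newline
            for raw in chunk[:complete].splitlines():
                new_lines.append((name, raw.decode("utf-8", "replace")))
            self.offsets[name] = offset + complete  # partial tail stays unread
        return new_lines

    def run(self, sleep_time=1.0, sessions=None):
        """Poll forever (or `sessions` times), pausing Sleep Time seconds
        between sessions, as the sensor's Sleep Time field does."""
        done = 0
        while sessions is None or done < sessions:
            for name, line in self.poll():
                print(f"{name}: {line}")
            done += 1
            time.sleep(sleep_time)


def _write(directory, name, text, mode="w"):
    with open(os.path.join(directory, name), mode, encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Constructed sample files: three daily files plus a foreign one. Start
    at the middle file, then watch a partial line complete and a new day's
    file appear between two sessions."""
    d = tempfile.mkdtemp()
    try:
        _write(d, "fw100301.log", "deny src=10.0.0.4\n")          # before start: skipped
        _write(d, "fw100302.log", "deny src=10.0.0.5\n")
        _write(d, "fw100303.log", "deny src=10.0.0.6\npartial")  # unterminated tail
        _write(d, "other100302.log", "ignored\n")                 # different prefix
        sensor = RotatedLogSensor(d, "fw100302.log")
        first = sensor.poll()
        _write(d, "fw100303.log", " write\n", mode="a")           # tail completed
        _write(d, "fw100304.log", "deny src=10.0.0.7\n")          # new day's file
        second = sensor.poll()
        return first, second
    finally:
        shutil.rmtree(d)
```

`RotatedLogSensor(directory, "fw100302.log").run(sleep_time=1.0)` polls the way a sensor with a one-second Sleep Time would; `demo()` builds the constructed files in a temporary directory and returns the two sessions' output. Files older than the selected one, and files with a different prefix, are skipped. Because yymmdd names sort lexicographically only within a century, a deployment spanning a 99 to 00 boundary would need a real date parse instead of the string comparison.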
Configuring actors
The following table describes each field you will find on the Tool Configuration form when
configuring actors for active response tools. Because each tool is product-based, the fields that
appear depend on the tool you are currently configuring. Not every field appears with every tool. For
convenience, the table is sorted alphabetically by field name.
Field
Recommended field settings
Advanced
These settings are no longer applicable.
Auth Port
For CheckPoint OPSEC firewalls, select the port used to connect to
the CheckPoint server via the LEA/OPSEC interface.
Base URL
Type the URL to connect to the SonicWALL firewall and perform the
login. Include “http://” at the beginning of the URL.
Note: TriGeo does not support HTTPS for this tool, so the SonicWALL login credentials cross the network in clear text. Only use this tool for older SonicWALL firmware versions, and only over a trusted management network.
Block Timeout
For CheckPoint OPSEC firewalls, type the timeout in seconds for the
blocks to expire from the firewall. A value of zero (0) means “never
expire.”
Client DN
For CheckPoint OPSEC firewalls, type the client DN string. The “CN”
and “O” must be uppercase.
Configuration Mode
Select either telnet or SerialPort. Telnet sends the login and Enable passwords in clear text, so use it only over a trusted management network; a serial/console cable keeps them off the network entirely.
Enable Password
Type the tool’s password for entering Enable mode.
Enable Windows
Active Response
For the Windows Active Response tool, select this check box to
enable active response settings.
From Zone
Type the external zone used for configuring restrictions on firewall
connections.
Incoming Interface
Type the Interface for which the block is to be made effective; that is,
the Interface for which incoming traffic will be filtered to prevent traffic
from the blocked IP address.
Password / Login
Password
Type the tool’s login password. For some products, the password
name must be the same one that was used when the firewall was
installed.
Port Name / Serial Port Name
Select a serial port for performing active response via console cable, if
applicable. The port name represents the physical communication port
on the computer. The port name is only relevant if the Configuration
Mode (below) is set to SerialPort.
/dev/ttyS0 = serial port 1, and
/dev/ttyS1 = serial port 2.
If the Configuration Mode is set to telnet, then this field is disabled
and the Port Name box reads: There are no ports available.
Remote Connection
Port
Type the firewall port used for connecting to and configuring the
firewall.
Server DN
For CheckPoint OPSEC firewalls, type the server DN string. The “cn”
and “o” must be lowercase.
Server Port
For CheckPoint OPSEC firewalls, select the port used to connect to
the CheckPoint server via the SAM/OPSEC interface.
Server / Server Address / IP Address / [Product] IP Address
Type the IP address of the router or firewall. This address allows the
TriGeo SIM to perform active responses to events on that particular
router or firewall. Use the following IP address format:
192.123.123.123.
SSLCA
For CheckPoint OPSEC firewalls, click the Browse button to locate
the SSL certificate file to upload to the server. If the tool is already
configured, then use the existing certificate on the server. You can
use the same path for both the LEA (log reading) and SAM (active
response) certificates.
Take Admin Control
Only one person can configure the firewall at one time. Selecting this
check box allows the TriGeo SIM’s active response to take
administrative control over the firewall when a user is logged into the
WatchGuard Management Console. That is, the TriGeo SIM
disconnects the user and takes control over the firewall.
To Zone
Type the internal zone used for configuring restrictions on firewall
connections.
Tool Configuration Instance (Alias)
Type a name that easily identifies the product that the TriGeo SIM is
to act on. For active response tools, we recommend you end the alias
with “AR”. For example, an alias for the Cisco PIX Active Response
tool might be “Cisco PIX AR”. This allows you to differentiate the
active response tool from the data gathering tool. For more information
on aliases, see "Glossary to TriGeo tool terms" on page 340.
User Name / Login User Name
Type the user name needed to log onto and configure the firewall. For
some products, the user name must be the same one that was used
when the firewall was installed.
If the tool settings you need are not shown here, you are probably configuring a sensor (data
gathering) tool. See "Configuring sensors" on page 365. When you have finished configuring the tool
settings, don’t forget to start the tool. See "Starting a tool instance" on page 355.
Setting up a notification system
The Tool Configuration form has a category called System Tools that you can use to set up an
external notification system. This allows the Manager to transmit messages to TriGeo users via email or pager, to record pertinent alert data or text to a specified file, or to synchronize your existing
Directory Service Groups with your existing network directory services.
The following table explains how to configure each option in the System Tools category.
Append Text to File Active Response
Description
Use this tool to have the Agent “write” the specified alert data or text to the
specified file.
How to append
Select Newline to write the alert data to the file so that each alert is on a
distinct line (that is, one alert per line), by inserting a “return” or “newline”
character.
Select No Newline to stream the alert data to the file by appending the
new data immediately following any existing data in the file.
Maximum file size (MB)
Type the allowable maximum file size for the text file, in Megabytes.
Directory Service Query
Description
Use this tool to have the Manager communicate with existing directory
services on the network to retrieve and update group information. This
allows you to synchronize your existing Directory Service Groups for use
with TriGeo rules and filters.
User Name
Type a user name that is valid on the configured domain and server for
authenticating to the domain and retrieving group information.
Directory Service Server
Type the IP address or host name of your directory services server
(commonly, this is a domain controller).
Domain Name
Type the fully-qualified domain name of your directory services domain.
Password
Type the password for the above user name that is valid on the configured
domain and server for authenticating to the domain and retrieving group
information.
Directory Service Server's Port
Type the port used to communicate with the directory service server.
Email Active Response
Description
Use this tool to have a Manager automatically notify TriGeo users of alert
events when configured to do so by alert policy.
Return Display Name
Type the name that you want to appear in the From field of active
response e-mail messages.
Port
Type the port used to communicate with the internal email server.
Return Address
Type the email address that you want to appear in the From field of active
response email messages.
Mail Host
Type the IP address or host name of an internal SMTP server that the
Manager can use to send email messages through without authentication.
Authentication Server Username
Type the user name needed to access the internal email server, if required.
Authentication Server Password
Type the password needed to access the internal email server, if required.
Test E-mail Address
Type the e-mail address you want to use to test the Mail Host assignment. When you click the Test Email button, a test message should appear at this email address.
Test Email button
This button tests your email notification settings to ensure that you entered the correct mail host. Click the Test Email button, then check the email address's in-box. If you entered the correct address, the in-box should receive the test message.
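As an added example for the Append Text to File Active Response described above (written for this edit, not TriGeo's implementation), the Python below implements the two settings the table describes. It assumes two things the guide leaves open: in Newline mode, carriage returns and line feeds inside the alert data are escaped so that one alert always occupies exactly one line, and a write that would exceed Maximum file size (MB) is refused and reported rather than performed. The escaping matters because alert fields are copied from events an attacker may influence; without it, a user name or URL containing a newline can forge extra records in the file.

```python
"""
Added example (not TriGeo code): an Append Text to File style active
response with How to append (Newline / No Newline) and Maximum file size.
Assumptions: CR/LF in alert data are escaped in Newline mode; a write that
would exceed the limit is refused (the guide does not say what the product
does at the limit).
"""
import os
import shutil
import tempfile


def append_alert(path, alert_text, newline=True, max_size_mb=1.0):
    """Append one alert record to path. Returns True if written, False if
    the record would push the file past max_size_mb."""
    if newline:
        # One alert per line: a field that carries an embedded newline (for
        # example a user name or URL copied from the event) must not be able
        # to forge a second, fake record in the file.
        record = alert_text.replace("\r", "\\r").replace("\n", "\\n") + "\n"
    else:
        record = alert_text                     # raw stream, no separator
    data = record.encode("utf-8")
    limit = max_size_mb * 1024 * 1024
    current = os.path.getsize(path) if os.path.exists(path) else 0
    if current + len(data) > limit:
        return False                            # refuse rather than overshoot
    with open(path, "ab") as fh:                # append mode never truncates
        fh.write(data)
    return True


def demo():
    """Constructed alerts: a normal one, one carrying an injected newline,
    and one too large for a deliberately tiny limit (about 105 bytes)."""
    d = tempfile.mkdtemp()
    try:
        path = os.path.join(d, "alerts.txt")
        tiny = 0.0001  # MB; small enough to hit the limit in a demo
        r1 = append_alert(path, "UserLogonFailure user=bob src=10.0.0.5",
                          max_size_mb=tiny)
        r2 = append_alert(path, "UserLogonFailure user=eve\nUserLogon user=admin",
                          max_size_mb=tiny)
        r3 = append_alert(path, "X" * 200, max_size_mb=tiny)
        with open(path, encoding="utf-8") as fh:
            lines = fh.read().splitlines()
        return (r1, r2, r3), lines
    finally:
        shutil.rmtree(d)
```

`demo()` writes three constructed alerts against the tiny limit: the first two are accepted, the injected newline is stored as a literal `\n` so the file still holds exactly two records, and the oversized third is refused. The size check and the write are not atomic, so with several writers the file could still overshoot by one record; a lock around `append_alert` fixes that where it matters.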
Chapter 13: Appliances
About the Appliances view
The Manage ► Appliances view (also called the Appliances view) is used to add, configure, and
maintain each Security Information Manager appliance that is associated with and monitored by the
TriGeo system. Throughout this chapter, we will use appliances as a generic term to include:
- TriGeo Security Information Managers (or more simply, Managers)
- database servers
- logging servers, and
- network sensors.
This chapter is primarily concerned with Managers, even though other appliances may appear in your
appliance list. Once a Manager is in place, you can use the Appliances view to do the following:
- Use the Console to connect to and disconnect from a particular Manager.
- Add a Manager's Agents.
- Configure rules, policies, and network security tools that apply to each Manager.
Note: Commands in the Appliances view can take a while to execute, because they must
remotely access the Manager or network appliance.
Appliances view features
This topic describes the key features of the Appliances view, the Details pane, the Appliances grid,
and its Status icons.
[Figure: The Appliances view manages your TriGeo SIMs and databases]
The following table describes the key features of the Manage ► Appliances view.
Name
Description
Appliances grid
This grid lists all of the Managers and other network appliances that are monitored by the TriGeo SIM. You can use this grid to add, configure, or remove appliances, to configure Manager tools and Manager policy, and to connect to and disconnect from Managers.
New button
Click this button to add a new Manager or network appliance to the Console.
Gear button (top of the grid)
The gear button at the top of the grid opens commands that you can perform on multiple selections in the grid, and commands that do not require a grid selection. Click this button to copy the grid's information about your Managers to the clipboard, so you can paste it elsewhere, such as Microsoft Excel for analysis or the Remote Agent Installer for updates.
Details
The Details pane displays an image of the appliance, as well as
basic properties about that appliance, such as its name, connection
status, etc.
TriGeo provides the images for the last few (and next) generation of
appliances. When you add or configure a Manager, one of the
options is to identify the model. Your choice determines which
picture, if any, is shown.
Properties
The Properties form is used to configure each Manager. It records
the Manager’s configuration settings, such as its login options,
Agent licenses, its password settings, its ability to automatically
send software updates to Agents, and its database warehouse
connection, if applicable.
Note: This form is only used for Managers. It is disabled for other
types of appliances.
Appliances grid columns
The following table briefly describes the meaning of each column in the Manage ► Appliances
view’s Appliances grid.
Column
Description
Gear button
The gear button in each row opens a menu of commands that you can perform on the appliance that is currently selected in the grid, such as Login, Logout, Configure, Tools (for connecting products to the appliance), Policy (for assigning alert distribution policy), and Delete.
The Login, Logout, Tools, and Policy options apply only when you have a Manager selected. If you have a Manager selected but are not connected, only the Login, Configure, and Delete commands are available.
Status
The appliance's current connection status, shown as an icon: either Connected/Logged In or Disconnected/Logged Off.
Name
The name of the Manager or the appliance.
Type
The type of appliance—Manager, Database, Logging Server, or Network
Sensor.
Version
States the version of the TriGeo Manager software.
Level
The TriGeo model number for the appliance. It is directly related to the capacity and performance of the appliance, ranging from Level 1 to Level 4.
IP Address
States the Manager’s or the appliance’s IP address.
Port
The port number the Console is using to communicate with the Manager,
the network appliance, or the database.
Service Tag
The Dell serial number or registration number for this appliance. It uniquely
identifies this piece of equipment and its specific configuration properties.
Model
For Managers, states the model number.
User
For Managers, this column displays the user name that is currently logged
on to that Manager.
The Details pane
The Details pane displays essential information about an appliance, such as its name, connection
status, IP address, etc. The image area can also display an image for each appliance, if you choose
to provide them.
To view an appliance’s details:
1. Open the Manage ► Appliances view.
2. If needed, log into the Manager you want to work with.
3. In the Appliances grid, click to select the Manager or appliance you want to work with.
4. If the Details/Properties pane is not already open, click the “open pane” ▲ button at the
bottom of the window.
The Details pane displays information about the Manager or appliance you have selected.
Field
Description
Image area
Displays an image of the Manager that is currently selected in the
Appliances grid, if the model number is known and an image is
available.
Status
Displays the Manager’s or the appliance’s current connection status.
Name
Displays the Manager’s or the appliance’s name.
Type
Indicates the appliance type—Manager, Database Server, nDepth,
Logging Server, or Network Sensor.
Version
Displays the version of the TriGeo Manager software.
Level
Displays the specific TriGeo Manager appliance configuration level you
have purchased.
IP Address
Displays the Manager’s or the appliance’s IP address.
Port
Displays the port number that the Console uses to communicate with
the Manager or the appliance.
Service Tag
Displays Dell’s assigned serial number for the Manager appliance. You
can find this number on the Manager information sheet that is provided
with the appliance.
Model
When applicable, this field displays the Manager’s model number. If the
model is unknown, the model may be Other. If the appliance is not a
Manager, this field is empty.
Setting up a Manager for the first time
If you are setting up a Manager for the first time, you should follow this order of events:
1. On the Console, open the Manage ► Appliances view.
2. Add a Manager to the Console.
3. Log on to the Manager through the Console.
4. Configure the Manager’s properties with the Properties form.
5. Configure the Manager’s tools with the Tool Configuration window.
6. (Optional) Assign the Manager’s alert distribution policy with the Alert Distribution Policy
window.
Adding appliances to the Console
Use this procedure whenever you want to add a new Manager or other network appliance to the
TriGeo Console.
To add a new appliance:
1. At the top of the TriGeo Console, click Manage and then click Appliances.
2. At the top of the Appliances grid, click New.
The New Appliance form appears. This form records information that is required for adding or
configuring a new appliance.
3. Complete the New Appliance form as described in the following table.
Field
Description
Appliance Type
Select the appliance type you are adding—Manager, Database
Server, nDepth, Logging Server, or Network Sensor.
Name
Type the network appliance’s host name, the fully-qualified
domain name, or the IP address.
Example:
Host name: bubbles
Domain name: bubbles.trigeo.com
IP address: 192.1.1.1
Connection Port
Type the port number the Console must use to communicate with
the Manager network appliance or the database. The default port
number is 8443.
Note: This field only applies when the Appliance Type field is set
to Manager.
Level
The appliance’s level. Its level is directly related to the appliance's
capacity and performance, ranging from Level 1 to Level 4. If you
are uncertain which level the Manager belongs to, select
Unknown. If you are adding a Database Server, Level 4 is
automatically selected.
Model
Select the appliance's appropriate model. If you are uncertain which model you have, select Unknown. If you know your model but it is not listed, select Other. Your selection here has no effect on the Manager's operation.
If you selected any of the specific models, a picture of the appliance appears at the top of the Details pane.
Service Tag
Type the Dell serial number or registration number found on the
appliance. It uniquely identifies this piece of equipment and its
specific configuration properties.
Reset
At any time, you can click Reset to reset the form to its default
settings.
4. Click Save to add the appliance and close the form. Otherwise, click Cancel to return to the
Console without adding the appliance.
Logging in and out of Managers
After setting up a new Manager, you need to log on to it. Otherwise, you will not be able to configure it,
receive its alerts, or build any rules for it.
When needed, you can also log out to disconnect from a Manager. You may want to do this to
reconfigure the Manager, or to stop monitoring its alerts.
Note: Only existing Administrator, Auditor, and Monitor TriGeo Users can log on to the TriGeo
system. Contacts cannot log on to the TriGeo SIM.
Logging into a Manager
1. At the top of the TriGeo Console, click Manage and then click Appliances.
2. In the Appliances grid, click to select the appliance you want to work with.
3. Click the gear button and then select Login.
Depending on the Manager’s Login tab settings (in the Properties pane), the SIM Console
may automatically log you on to the appliance. Otherwise, the Login form appears.
4. In the Username box, type your user name for this Manager.
5. In the Password box, type your password for this Manager.
6. Click OK or press Enter to log on.
A connected icon appears in the Manager's Status column, indicating that you are logged on to that Manager.
Logging out of a Manager
1. At the top of the TriGeo Console, click Manage and then click Appliances.
2. In the Appliances grid, click the gear button for the Manager you want to log out of, and then select Logout.
After a moment, a disconnected icon appears in the Manager's Status column, indicating that you are no longer logged on to that Manager.
Changing an appliance’s basic configuration
settings
Use this procedure whenever you need to change an appliance’s basic configuration settings, such
as its type, name, IP address, connection port, etc.
To reconfigure an appliance:
1. At the top of the TriGeo Console, click Manage and then click Appliances.
2. In the Appliances grid, click to select the Manager you want to work with.
3. Click the gear button and then select Configure.
The Configure Appliance form appears. It is the same form used to add a new appliance.
4. Make the necessary changes to the Configure Appliance form. For information on completing the form, see "Adding appliances to the Console" on page 380. If you make a mistake,
you can click Reset to reset the form to its default settings.
5. Click Save.
Configuring a Manager's properties
In the Properties pane, the Properties form is used to configure Managers. It records the Manager’s
configuration settings, such as its login options, Agent licenses, its password settings, its ability to
automatically send software updates to Agents, and its database warehouse connection, if
applicable.
Note: The Properties form is only used for Managers. It is disabled for other types of appliances.
Procedure for configuring a Manager
1. At the top of the TriGeo Console, click Manage and then click Appliances.
2. In the Appliances grid, click to select the Manager you want to work with.
3. If the Details/Properties pane is not already open, click the “open pane” ▲ button at the bottom of the window.
4. Complete Properties form. The following sections describe how to complete each tab.
Note: The Properties form automatically refreshes to display any changes that may have
occurred with the Manager since you opened the form. This ensures that you are looking at the
most current information.
Completing the Login tab
The Login tab has two main uses:
- If the Login on console startup option is checked, the system uses this data to automatically connect to the Manager whenever the Console is opened.
- If you manually log in to a Manager from the Appliances grid, the system uses this data to connect to the Manager so you don't have to complete the login dialog box.
Use the following table to complete the Properties pane’s Login tab.
Option
Description
Username
Type your user name for logging into Manager.
Password
Type your password for logging into the Manager.
Login on
console
startup
Select this check box to have the TriGeo SIM automatically log you
into the Manager upon opening the TriGeo Console. If you prefer to
manually log on, then clear this check box.
Save Credentials
Select this check box to have the Console save the Manager's user name and password locally. The Console can then automatically provide them whenever you log on to a Manager.
- If you also select the Login on console startup check box, the Console will automatically log on to the Manager whenever the Console is started.
- If the Login on console startup check box is not selected, then the Console automatically supplies the user name and password whenever you manually log on to the Manager.
Because saved credentials let anyone who can open this Console log on to the Manager as you, use this option only on a computer whose own logon is protected.
Reconnect on
disconnection
Select this check box to have the Console automatically attempt to
reconnect with the Manager, if the Manager becomes disconnected.
Try to
reconnect
every xx
seconds
Type the number of seconds the Console is to wait before
attempting a new connection with the Manager.
Timeout reconnection attempts after xx tries
Select this check box to have the Console quit its reconnection attempts with the Manager after a given number of tries, if the previous connection attempts have been unsuccessful. Then type the number of tries the Console is to attempt to reconnect with the Manager before giving up.
Save
Click Save to save the configuration settings.
Cancel
Click Cancel to discard any configuration settings you may have entered since the last time you saved.
Completing the License tab
The License tab summarizes your available and allocated licenses. Use it to allocate available licenses to any new Agents that are to be associated with a particular Manager. This tells the Manager that you are using those Agent licenses for connections associated with this Manager.
To add Agent licenses to a Manager:
1. In the Number of Agents to add to Manager box, type the number of new Agents you want to add to the Manager; or click the Up or Down arrows adjacent to the box to increase or decrease the number of Agents.
   The total number of Agents that you may add is equal to the number of licenses that you have purchased.
2. Click Add.
3. Click Save to add the Agents to the Manager; otherwise, click Cancel.
   The new Agents will appear in the Console’s Agent Panel:
   - If you have already installed the Agent software on individual computers, you will begin to see Agents connecting in the Agent Panel.
   - If you have not installed the Agent software on individual computers, the Agent Panel will list those Agents as Open License.
License reference information
The following table explains the License tab's remaining reference information.
Available Licenses: Displays the number of available Agent licenses you have left.
Licenses Awaiting Agents: Displays the number of allocated Agent licenses that have not yet been assigned to a specific Agent.
Installed Agents: Displays the total number of Agents that are currently associated with this Manager. These are Agents that have connected to the Manager and have consumed one of those allocated licenses.
Total Unused Agent Licenses: Displays the total number of Agent licenses that remain unused.
Total Agent Licenses: Displays the total number of Agent licenses associated with this Manager.
For example, if you buy a 100-Agent license pool, the available number of licenses is 100. If you allocate 10 licenses, the available license pool drops to 90, and the Licenses Awaiting Agents grows to 10. As Agents are actually installed, they pull from the 10, not from the 90.
Completing the Settings tab
The Settings tab defines the Manager’s password policy settings and global automatic update
settings. Global automatic updates allow the Manager to automatically send software updates to
Agents as new software becomes available.
Use the following table to complete the Properties pane’s Settings tab.
Password Policy
Minimum Password Length: Type or select the minimum number of characters that must be used in passwords for user accounts that connect to the Console and its Managers. Passwords must have at least six characters, but no more than 40 characters.
Must meet complexity requirements: Select this check box if passwords must meet the following complexity requirements:
  - Passwords must not match or contain part of the user’s user name.
  - Passwords must be at least six characters long.
  - Passwords must contain characters from three of the following four categories:
    - English uppercase characters (A through Z).
    - English lowercase characters (a through z).
    - Base 10 digits (0 through 9).
    - Non-alphanumeric characters (!, $, #, %, ^, etc.).
Remote Updates
Enable Global Automatic Updates: This check box indicates whether or not the Manager can automatically update its Agents with new software.
  - Select this check box to have the Manager automatically issue the latest software updates to qualifying Agents as they become available.
  - If this check box is not selected, then global automatic updates for this Manager are Disabled. This means its Agents will not automatically receive new software updates from the Manager.
  Note that each Agent is also controlled by its Automatic Updates setting on the Agents grid (see "Changing an Agent’s Remote Updates setting" on page 413). The Agent’s Automatic Updates setting will not work if you do not also select this Enable Global Automatic Updates check box.
  Here is how it works. If you do not select this check box, but you have an Agent set to automatically receive updates, nothing will happen. The Agent will not receive its updates. But if you do select this check box and you have an Agent set to automatically update, the Agent will automatically receive updates when they become available.
Maximum Concurrent Updates: Select how many Agents the Manager can update at one time. The default value is 10. If the number of Agents that require updates is greater than the value you have entered here, the remaining Agents will be queued for updating as soon as an update slot becomes available.
Explorer Command Agent
Current Default Agent: Select the default Agent for performing TriGeo explorer functions, such as NSLookup and Whois. For best results, choose an Agent that is normally online and will return the expected results.
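The Password Policy settings above, written out as a check in Python as an added example that is not TriGeo’s own code. The guide does not say how much of the user name counts as "part of" it, so the three-character-fragment rule and the case-insensitive comparison are assumptions.

```python
# Added example (not TriGeo's own code): the Settings tab password policy as a check.
# Assumption: "contain part of the user's user name" means any run of three or more
# consecutive user-name characters, compared case-insensitively.
import string

LENGTH_FLOOR = 6        # Minimum Password Length cannot be set below this
LENGTH_CEILING = 40     # nor can a password be longer than this
NAME_FRAGMENT_LEN = 3   # assumed length of a user-name fragment that counts


def contains_username_part(password, username, fragment_len=NAME_FRAGMENT_LEN):
    """True if the password matches the user name or contains a fragment of it."""
    p, u = password.lower(), username.lower()
    if not u:
        return False
    if p == u:
        return True
    if len(u) < fragment_len:
        return u in p
    return any(u[i:i + fragment_len] in p
               for i in range(len(u) - fragment_len + 1))


def category_count(password):
    """How many of the four character categories the password draws from."""
    alnum = string.ascii_letters + string.digits
    return sum((
        any(c in string.ascii_uppercase for c in password),   # A through Z
        any(c in string.ascii_lowercase for c in password),   # a through z
        any(c in string.digits for c in password),            # 0 through 9
        any(c not in alnum for c in password),                # !, $, #, %, ^, etc.
    ))


def check_password(password, username, min_length=LENGTH_FLOOR,
                   must_meet_complexity=True):
    """Return the list of policy violations; an empty list means the password passes."""
    if not LENGTH_FLOOR <= min_length <= LENGTH_CEILING:
        raise ValueError("Minimum Password Length must be between 6 and 40")
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than the minimum length of {min_length}")
    if len(password) > LENGTH_CEILING:
        problems.append(f"longer than {LENGTH_CEILING} characters")
    if must_meet_complexity:
        if contains_username_part(password, username):
            problems.append("matches or contains part of the user name")
        if len(password) < LENGTH_FLOOR:
            problems.append("complexity requires at least six characters")
        if category_count(password) < 3:
            problems.append("uses fewer than three of the four character categories")
    return problems
```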
Completing the Database tab
Use the Database tab to have a Manager send its alerts to a database warehouse, which is a second
database that can be used for reporting.
Each database warehouse configuration only applies to the Manager you select when you create it.
You must set up a separate data warehouse configuration for each Manager, even if it is pointing to
the same database warehouse used by another Manager.
Note: Before you can use this feature, you must set up the warehouse database on the data
warehouse server with the utilities on the TriGeo CD-ROM.
Use the following table to complete the Properties pane’s Database tab.
Enable Database Warehouse: Select this check box to allow the Manager to use a database warehouse. You can only enable one database warehouse at a time. By default, this check box is not selected.
Database Name: This read-only box displays the name of the database on the server.
Server Name: Type the database server name for the intended database warehouse.
Repository Type: This read-only box displays which type of server the database warehouse is using.
Username, Password, and Connection Port: Based on your selections above, the Console automatically fills in the Username, Password, and Connection Port boxes. Only change them here if the defaults are not correct. TriGeo highly recommends that you do not change these settings unless you are absolutely certain of what you are doing. If you choose to change these settings, complete each field as follows:
  - In the Username box, type the user name needed for remote connection to the database warehouse.
  - In the Password box, type the password needed for remote connection to the database warehouse.
  - In the Connection Port box, type the network port required for remote connection to the database.
For information on using database warehouses, see "Using a database warehouse" on page 395.
Configuring Manager network security tools
A crucial part of the TriGeo system is the proper integration of each Manager’s network security tools.
This topic is covered at length in "Connecting to other products" on page 337.
To configure a Manager’s network security tools:
1. At the top of the TriGeo Console, click Manage and then click Appliances.
2. In the Appliances grid, click to select the Manager you want to work with.
3. If you have not already done so, log into the Manager. See "Logging in and out of Managers" on page 382.
4. Click the gear button and then click Tools.
   The Tool Configuration for [Manager] window appears.
5. See "Connecting products to the TriGeo SIM" on page 347 for complete step-by-step instructions on integrating your Manager’s network security tools with the TriGeo system.
Using a database warehouse
If desired, you can assign a Manager's alert data to a database warehouse. The following procedures
explain how to assign a database warehouse and alert data storage, and how to disable a database
warehouse when it is no longer needed.
Assigning a Manager’s alert data to a database warehouse
1. In the Appliances grid, click to select the Manager that has the alert data you want to send to
a database warehouse.
2. If the Details/Properties pane is not already open, click the “open pane” ▲ button at the bottom of the window.
3. In the Properties pane, click the Database tab.
You will use this form to assign the Manager’s alert data to a database warehouse.
4. Complete the Database tab. For instructions, see "Completing the Database tab" on page
392.
5. Click Save to save your changes and begin data warehousing.
To verify your connection to the database warehouse, monitor the warehouse for warning
alerts and check the database to confirm that it is receiving data from the Manager. If the
warehouse is not receiving the data, verify your settings on the Configure Database
Warehouse form. If necessary, reconfigure the form.
Disabling a database warehouse
1. In the Appliances grid, click to select the Manager whose alert data is being sent to the database warehouse you want to disable.
2. If the Details/Properties pane is not already open, click the “open pane” ▲ button at the bottom of the window.
3. In the Properties pane, click the Database tab.
4. Clear the Enable Database Warehouse check box.
5. Click Save.
   The Manager will no longer transmit its alert data to the database warehouse.
Copying appliance data
If needed, you can copy the data from the Appliances grid to your clipboard. This allows you to paste the data into another application, such as Microsoft Excel for analysis or the Remote Agent Installer for updates. You can copy the data for a single appliance, multiple appliances, or for every appliance in the grid.
To copy appliance data:
1. Open the Manage ► Appliances view.
2. In the Appliances grid, select the appliances you want to copy.
3. Click the gear button, and then do one of the following:
   - Click Copy Selected to copy the data for the selected appliances.
   - Click Copy All to copy the data for every appliance in the grid.
   The appliance data is now copied to your clipboard, where it can be pasted into another application.
Removing an appliance
When needed, you can remove a Manager or other network appliance from the Console.
To remove an appliance:
1. At the top of the TriGeo Console, click Manage and then click Appliances.
2. In the Appliances grid, click to select the appliance you want to remove.
3. Click the gear button and then click Delete.
4. At the confirmation prompt, click Yes to remove the appliance. Otherwise, click No to return to
the Console without removing the appliance.
The appliance disappears from the Appliances grid.
Configuring alert distribution policy
The topics in this section explain how to configure alert distribution policy for Managers. Alert
distribution policy lets you control how alerts are routed through the TriGeo system. With the Alert
Distribution Policy window, you can choose—at the alert level—which alerts are to go to the TriGeo
Console, to the local TriGeo database, and to your database warehouse.
Practical uses for alert distribution policy
Alert distribution policy has several practical uses that are explained in the following examples.
- Many data sources generate alerts that are difficult to control at a granular level, or they generate alerts of little or no value. You are better off removing these alerts from the system to reduce the volume and noise being sent to your Console, database, or database warehouse. By configuring alert distribution policy, you can disable (exclude) specific alert types, at the alert level, from being sent to any or all of these destinations. The data sources will continue to generate these alerts, so you can always enable them at any time. Until then, the selected system destinations will ignore them.
- If you are using a database warehouse, storing data in both TriGeo’s local database and in the warehouse is redundant. Alert distribution policy is the mechanism that allows you to disable storing alerts in the local database.
- There may be alerts that you want to monitor in the TriGeo Console, but do not need for long-term storage and reporting. In this case, you can use alert distribution policy to disable database storage for certain alerts, while enabling processing by the Console.
Opening the Alert Distribution Policy window
1. At the top of the TriGeo Console, click Manage and then click Appliances.
2. In the Appliances grid, click the gear button for the Manager you want to work with, and then click Policy.
   The Alert Distribution Policy for [Manager] window appears.
3. If you open the Alert Distribution Policy window while another user is currently using it, a Policy Locked message appears. You can choose to take over the window, or to view it in read-only mode. Any Full User can unlock any other user.
   - Click Yes at the prompt to break the user’s lock and take over the policy. You may now edit the policy.
   - Click No at the prompt to view the policy in read-only mode. The Save and Apply commands will be disabled, and you will not be able to make policy changes.
   - Click Cancel to close the prompt and return to the form.
About the Alert Distribution Policy window
The following table describes the key features of the Alert Distribution Policy window.
Alert/Field grid: The window’s grid is a hierarchical node tree. The Alert/Field column lists each of TriGeo’s alert categories and alert types. Opening an alert category node displays the lower-level alert types that are associated with that category. Click a node ▼ to open it, showing its lower-level alert type nodes. Click the node again to close it, hiding its lower-level alert type nodes.
Console, Database, and Warehouse columns: The check boxes in the grid’s Console, Database, and Warehouse columns indicate whether or not a particular alert type (or entire alert category) is to be sent to the TriGeo Console, to the local TriGeo database, or to your database warehouse, respectively. A check mark means the alert type will be routed to that particular destination. An empty check box means the alert type will not be routed to that destination.
Export button: The Export button exports a Manager’s alert policy to a spreadsheet file. For more information, see "Exporting a Manager’s alert policy" on page 404.
Gear button: Click the gear button to use the Apply State to Branch command. This command pushes, or propagates, the selected alert node’s check box settings down to the related, lower-level alert types in the node tree hierarchy. For more information, see "Pushing alert policy to lower-level alert types" on page 403.
Description box: The Description box provides a description of the alert type or alert category that is currently selected in the grid.
OK, Apply, and Cancel buttons: The OK, Apply, and Cancel buttons let you save or cancel changes to your alert distribution policies.
Configuring alert distribution policy
The Alert Distribution Policy window makes configuring your alert distribution policy a straightforward matter. First, you find the alert types you want to work with, and then you select check boxes to determine whether or not those alert types are to be routed to a particular destination.
To configure alert distribution policy:
1. Open the Alert Distribution Policy window for the Manager you want to work with.
2. In the Alert/Field grid, locate the alert type you want to work with. You can do this in several different ways:
   - In the Alert/Field list, click any node to show its lower-level alert type nodes.
   - In the Alert/Field list, double-click any alert type row to show its lower-level alert type nodes.
3. Once you have found the alert type you want, configure it as follows:
   - Select the row’s Console check box to have that alert type appear in the TriGeo Console.
   - Select the row’s Database check box to have that alert type stored in the local TriGeo database.
   - Select the row’s Warehouse check box to have that alert type stored in your database warehouse.
   - Clear a check box to exclude the alert type from that particular destination.
4. To save or cancel your changes, do one of the following:
   - Click OK to save your alert distribution policy changes, close the window, and return to the Console.
   - Click Apply to save your changes, but keep the window open so you can continue working.
   - Click Cancel to close the window without saving your changes and return to the Console.
   Upon saving, the Applying Changes status bar appears. Please be patient. Updating the Manager with the new alert policy configuration changes can take anywhere from 30 seconds to several minutes.
Pushing alert policy to lower-level alert types
With the Apply State to Branch command, you can propagate or “push” alert distribution policy settings from a high-level alert type to each of its lower-level “child” alert types in the alert hierarchy.
For example, let’s say you select the topmost Security Alert row and then select its Console and Warehouse check boxes. Clicking Apply State to Branch assigns the same Console and Warehouse check box settings to every child item that is associated with Security Alert. Upon saving, this policy causes all alert types that are child items of Security Alert to begin sending alerts to all users’ Consoles and your data warehouse.
To push alert distribution policy downward:
1. Open the Alert Distribution Policy window for the Manager you want to work with.
2. In the Alert/Field grid, locate the alert type that is a “parent” to the alert types you want to configure.
3. In the parent row, define the policy by selecting or clearing the Console, Database, and Warehouse check boxes.
4. Click the row’s gear button and then click Apply State to Branch.
   The Console pushes, or propagates, the parent row’s check box settings down to each of its lower-level alert types in the node tree hierarchy.
   - If you select one or more of the parent row’s check boxes, the Console selects the same check box settings for each related lower-level alert type in the node tree. Upon saving, the policy begins sending the “child” alert types to the selected destinations.
   - Similarly, if you clear any of the parent row’s check boxes, the Console clears the same check box settings for each related lower-level alert type in the node tree. Upon saving, the policy stops sending those alert types to those destinations.
5. Click OK to save your changes.
   The Console immediately implements the new policy.
Exporting a Manager’s alert policy
When needed, you can export a Manager’s alert policy to a spreadsheet file. You may want to do this for any of the following reasons:
- You can view and manipulate the policy information in a spreadsheet application, such as Microsoft Excel.
- You can provide TriGeo Network Security with a copy of your policy information for technical support or troubleshooting purposes.
To export a Manager’s policy:
1. Open the Alert Distribution Policy window for the Manager you want to work with.
2. At the top of the window, click Export.
   The Save As form appears.
3. In the Save In box, select the folder you want to export to.
4. In the File Name box, type a name and file type for the exported file. In the file name, include a file type of .xls to save the file as a Microsoft Excel spreadsheet.
5. Click Save to save the file.
   The Console saves the file to the folder and with the file name you specified. You may now view the Manager’s policy information in a spreadsheet file, such as Excel.
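The Alert Distribution Policy grid, its Console/Database/Warehouse check boxes, Apply State to Branch and the export described in the preceding topics, modelled in Python as an added example that is not TriGeo’s own code. The alert category and alert type names in sample_policy() are constructed (only Security Alert comes from the guide), and the export is written as CSV rows rather than the .xls file the Console produces.

```python
# Added example (not TriGeo's own code) of the Alert Distribution Policy model: a
# hierarchy of alert categories and types, each with Console, Database and Warehouse
# check boxes, Apply State to Branch, routing, and an export. The alert names in
# sample_policy() are constructed, and the export is CSV rather than the Console's .xls.
import csv
import io

DESTINATIONS = ("Console", "Database", "Warehouse")


class PolicyNode:
    """One row of the Alert/Field grid: an alert category or an alert type."""

    def __init__(self, name, description="", console=True, database=True, warehouse=False):
        self.name = name
        self.description = description
        self.state = {"Console": console, "Database": database, "Warehouse": warehouse}
        self.children = []

    def add(self, child):
        self.children.append(child)
        return child

    def find(self, name):
        """Locate a row by name, searching the lower-level nodes depth first."""
        if self.name == name:
            return self
        for child in self.children:
            hit = child.find(name)
            if hit is not None:
                return hit
        return None

    def apply_state_to_branch(self):
        """Push this row's check box settings down to every lower-level alert type."""
        for child in self.children:
            child.state = dict(self.state)
            child.apply_state_to_branch()

    def route(self, alert_type):
        """Destinations that will receive alerts of the given type under this policy."""
        node = self.find(alert_type)
        if node is None:
            raise KeyError(alert_type)
        return tuple(d for d in DESTINATIONS if node.state[d])

    def export_rows(self, depth=0):
        """Flatten the tree into spreadsheet rows, indenting child rows by depth."""
        rows = [[("  " * depth) + self.name] + [int(self.state[d]) for d in DESTINATIONS]]
        for child in self.children:
            rows.extend(child.export_rows(depth + 1))
        return rows


def exclude_alert_type(root, alert_type):
    """The 'noise' use case: stop routing an alert type anywhere; the source still emits it."""
    node = root.find(alert_type)
    if node is None:
        raise KeyError(alert_type)
    node.state = {d: False for d in DESTINATIONS}


def export_csv(root):
    """Export the policy as text, assumed here as CSV in place of the Console's .xls."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["Alert/Field", *DESTINATIONS])
    writer.writerows(root.export_rows())
    return buf.getvalue()


def sample_policy():
    """Constructed sample hierarchy; only 'Security Alert' is a name taken from the guide."""
    root = PolicyNode("Security Alert", "Top-level security alert category")
    auth = root.add(PolicyNode("Authentication", "Logon-related alert types"))
    auth.add(PolicyNode("UserLogonFailure"))
    auth.add(PolicyNode("UserLogonSuccess"))
    net = root.add(PolicyNode("Network", "Network traffic alert types"))
    net.add(PolicyNode("TCPTrafficAudit", warehouse=True))
    return root
```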
Chapter 14: Managing Agents
About the Agents view
The Manage ► Agents view displays the Agents that are monitored by each of your TriGeo Security
Information Managers.
Once you have installed the TriGeo Agents on your client PCs, you can use the Agents view to do
the following:
- Integrate the Agent’s network security tools with the TriGeo system. You are actually integrating the Agents themselves, but the Agents forward messages from the network security tools to the Manager for alert processing.
- Connect an Agent to a Manager.
- View the name, connection status, alert status, and IP address of each Agent.
- Determine whether or not the Agent is using USB-Defender.
- View an Agent’s properties.
- Create or edit an Agent’s Tool Profile. A Tool Profile is a group of Agents that have the same tool configuration. You can use Tool Profiles with policies and alert filters to include or exclude the Agents associated with a particular profile.
- Control an Agent’s automatic update settings for installing new software from the Manager.
- Actively respond to events that affect Agents.
- Copy Agent information to the clipboard for use with the Remote Agent Installer, or for analysis with programs such as Microsoft Excel.
- Remove an Agent from a Manager.
Agents view features
This topic describes the key features of the Agents view and the Agents grid, and how to refine the
Agents grid.
The Agents view
The following table describes the key features of the Manage ► Agents view.
Sidebar: Click the Sidebar button to alternately hide and open the Refine Results pane.
Refine Results pane: By default, the Agents grid shows all Agents that are associated with all of your Managers. The Refine Results pane lets you apply filters to the Agents grid to reduce the number of Agents it shows. This way, you can show only those Agents that are associated with a particular Manager, Tool Profile, status, etc.
Agents grid: The Agents grid lists all of the Agents that are associated with each Manager and appliance that is monitored by the TriGeo SIM Console.
Respond menu: Use the Respond menu to perform an action on a particular Agent. For example, you can send an Agent a pop-up message, or shut the computer down. This menu behaves exactly as it does in the Monitor view’s alert grid. For more information, see "Responding to alert messages" on page 83.
Remote Updates menu: This menu lets you control the Agent’s automatic update status. Remote updates are a way for the Agent to automatically accept updated Agent software from the Manager when new software becomes available.
Gear button: The gear button at the top of the grid opens commands that you can perform on multiple selections in the grid, and commands that do not require a grid selection. It includes commands for copying Agent information and for deleting Agents.
Agents grid columns
The following table briefly describes the meaning of each column of the Agents grid.
Gear button: The gear button in each row opens a menu of commands that you can perform on the item that is currently selected in the grid.
  - The Tools command lets you configure the Agent’s tools.
  - The Delete command lets you delete Agent licenses from a Manager.
  - The Copy command lets you copy Agent information to the clipboard for use with the Remote Agent Installer, or for analysis in another program, such as Microsoft Excel.
Status: The Agent’s current connection status. A Connected icon means the Agent is connected to a Manager. A Not Connected icon means the Agent is not connected to a Manager (that is, it is an open license).
IP Address: The Agent’s IP address.
Name: The name of the system where the Agent is installed. Typically, this is the computer name or host name assigned to the Agent.
USB: The Agent’s current USB-Defender status. An icon means USB-Defender is installed on the Agent. If no icon is present, USB-Defender is not installed on the Agent.
Version: The version number of the TriGeo Agent software.
OS: The operating system of the computer the Agent is installed on.
Profile: The Tool Profile associated with the Agent, if applicable.
Updates Enabled: Indicates whether or not the Agent is enabled for receiving remote updates. An Enabled icon means the Agent is enabled for receiving remote updates. A Disabled icon means the Agent is disabled from receiving remote updates.
Update Status: This field indicates the Agent’s current software update status:
  - Current: The Agent's software is current.
  - Outdated: The Manager has an update newer than the version being used by this Agent.
  - Updating: The Manager is currently sending an update to this Agent.
  - Queued: The Agent is waiting to be updated while other Agents get updated. The number of Agents that can be updated at one time is determined by the Maximum Concurrent Updates setting in the Appliances view's Settings tab.
  - Unknown: The Manager does not yet know the Agent’s software status.
  - Canceled: The user canceled updating during the update process.
  - Error: An error has occurred while updating.
ID: The Agent’s unique identification number.
Manager: The TriGeo Manager that this Agent is connected to. An Agent can only be connected to one Manager.
Install Date: The time and date the Agent was first installed and connected to the Manager.
Last Connected: The time and date the Agent was last connected to the Manager.
Refining the Agents grid
By default, the Agents grid shows every Agent that is associated with every Manager that is monitored by the TriGeo SIM Console. To help you work more efficiently with a long list of Agents, the Refine Results pane lets you apply filters to the Agents grid to reduce the number of Agents it shows.
When you select options in the Refine Results pane, the grid refreshes to show only those items that match the refinement options you have selected. The other items in the grid are still there; however, they are hidden. To restore them, simply click the Reset button or select All in the refinement lists you are using.
The following table explains how to use the Refine Results form.
Reset: Click Reset to clear the form. This returns the form and the Agents grid to their default settings (showing all Agents for all Managers).
Search: Use this field to perform a keyword search for a specific Agent in the Name field. To search, simply type the text you want to search for in the text box. The grid displays only those Agents that match or include the text you entered.
Manager: Select the Manager you want to work with. Select All to include Agents from every Manager.
Profile: Select the Tool Profile you want to work with. Select All to include Agents from every Tool Profile.
Status: Select the connection status of the Agents you want to work with (Connected or Not Connected). Select All to include both.
Version: Select the version of the TriGeo software on the Agent. Select All to include Agents of every version.
OS: Select the operating system (OS) of the computer the Agent is installed on. Select All to include all operating systems.
USB: Select the Agent’s USB-Defender status (Installed or Not Installed). Select All to include both.
Managing Agents
The topics in this section explain how to use the Agents grid to add, configure, and manage Agents.
Topics include:
- adding Agents
- configuring Agent tools
- responding to alerts that affect Agents
- deleting Agent licenses from a Manager
- deleting Agents, and
- changing an Agent's Remote Updates setting.
Adding Agents
Agent licenses are managed and allocated through Managers in the Manage ► Appliances view. To
view this procedure, see "Configuring a Manager's properties" on page 384.
Configuring Agent tools
A crucial part of the TriGeo system is the proper integration of your network security products and devices with the TriGeo SIM. Each Agent has tools that allow the Agent to monitor and interact with your network security products.
See "Connecting products to the TriGeo SIM" on page 347 for complete step-by-step instructions on connecting Agent sensor and actor tools to your network security products and devices.
Responding to events that affect Agents
The Agents grid’s Respond menu lets you take direct action on a particular Agent. For example, you
can send an Agent a pop-up message, or shut the Agent's computer down.
To respond to an Agent:
1. Open the Manage ► Agents view.
2. In the Agents grid, select the Agent you want to work with.
3. In the Respond menu, select the appropriate active response you want to take.
   The Respond form appears. It includes data about the Agents you selected and options for customizing the response. This is just like responding to a filter, or configuring a rule’s response in Rule Creation.
4. Complete the Respond form. For detailed information on configuring responses, see "Responding to alert messages" on page 83 and the "Actions table" on page 313.
Changing an Agent’s Remote Updates setting
In the Agents grid, you can manage the Remote Updates settings for each Agent. Remote Updates
allow the Agent to automatically accept updated Agent software from the Manager, when new
software becomes available. You can change the settings for multiple Agents, all at the same time,
even when Agents are not connected. Each Agent will receive its new setting the next time it
becomes connected.
To change Agents’ Remote Updates settings:
1. Open the Manage ► Agents view.
2. (Optional) In the Refine Results pane, in the Status list, select Connected.
   The Agents grid refreshes to show only Agents that are connected to Managers.
3. In the Agents grid, select the Agents you want to work with. For instructions on selecting multiple Agents, see "Selecting items in a grid" on page 31.
4. In the Remote Updates menu, select the appropriate command for these Agents. The purpose of each command is explained in the following table.
   Enable: Allows the Agents to automatically receive the latest software updates from the Manager as they become available.
   Disable: Prevents the Agents from automatically receiving new software from the Manager. When Agents are disabled, you must manually update them by using the Update command.
   Update: Click Update to have the Manager send a software update to the Agent, if one is available. If no update is available, this button is disabled. This command is only needed for Agents that have a Disabled remote update status; otherwise, updates occur automatically. However, you can use the Update command on an Agent that is set for automatic updates. In this case, it forces an immediate update on the Agent.
   Stop: If a software update is in progress, you can click the Stop command to have the Manager stop sending the update. Otherwise, this button is disabled.
In the grid, the Agents’ Updates Enabled and Update Status columns refresh to reflect their
new Remote Updates settings and status.
5. On the Refine Results pane, click Reset to return the Agents grid to its default setting.
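The update behaviour described on the Settings tab (Enable Global Automatic Updates and Maximum Concurrent Updates), in the Update Status column, and in the Remote Updates commands above, modelled in Python as an added example that is not TriGeo’s own code. Host names, version strings and the tick-based timing model are constructed assumptions.

```python
# Added example (not TriGeo's own code) modelling Agent software updates as the guide
# describes them: Enable Global Automatic Updates gates each Agent's own Updates Enabled
# setting, Maximum Concurrent Updates bounds the Updating state (extra Agents are
# Queued), and the Remote Updates commands Enable, Disable, Update and Stop. Host
# names, version strings and the tick-based timing model are constructed assumptions.
CURRENT, OUTDATED, UPDATING, QUEUED, UNKNOWN, CANCELED, ERROR = (
    "Current", "Outdated", "Updating", "Queued", "Unknown", "Canceled", "Error")


class Agent:
    def __init__(self, name, version, updates_enabled=True):
        self.name = name
        self.version = version
        self.updates_enabled = updates_enabled  # the Updates Enabled column
        self.update_status = UNKNOWN            # the Update Status column


class Manager:
    def __init__(self, latest_version, global_auto_updates=True, max_concurrent_updates=10):
        self.latest_version = latest_version
        self.global_auto_updates = global_auto_updates        # Enable Global Automatic Updates
        self.max_concurrent_updates = max_concurrent_updates  # default 10 per the guide
        self.agents = []

    def connect(self, agent):
        """A connecting Agent reports its version, so its status stops being Unknown."""
        self.agents.append(agent)
        agent.update_status = CURRENT if agent.version == self.latest_version else OUTDATED
        return agent

    def _updating_count(self):
        return sum(1 for a in self.agents if a.update_status == UPDATING)

    def _start_or_queue(self, agent):
        """Take a free update slot, or wait as Queued until one opens."""
        if self._updating_count() < self.max_concurrent_updates:
            agent.update_status = UPDATING
        else:
            agent.update_status = QUEUED

    def schedule_automatic_updates(self):
        """Automatic updates need both the global box and the Agent's own box selected."""
        if not self.global_auto_updates:
            return 0  # per-Agent settings have no effect: nothing happens
        started = 0
        for agent in self.agents:
            if agent.updates_enabled and agent.update_status == OUTDATED:
                self._start_or_queue(agent)
                started += 1
        return started

    # Remote Updates menu commands
    def enable(self, agents):
        for agent in agents:
            agent.updates_enabled = True

    def disable(self, agents):
        for agent in agents:
            agent.updates_enabled = False

    def update(self, agent):
        """Update command: forces an update even on a Disabled Agent; no-op if none is available."""
        if agent.version == self.latest_version:
            return False
        self._start_or_queue(agent)
        return True

    def stop(self, agent):
        """Stop command: only available while the Manager is sending an update."""
        if agent.update_status != UPDATING:
            return False
        agent.update_status = CANCELED
        return True

    def tick(self, failures=()):
        """Assumed timing model: in-progress updates finish (or fail), then Queued Agents take free slots."""
        for agent in self.agents:
            if agent.update_status == UPDATING:
                if agent.name in failures:
                    agent.update_status = ERROR
                else:
                    agent.version = self.latest_version
                    agent.update_status = CURRENT
        for agent in self.agents:
            if agent.update_status == QUEUED and self._updating_count() < self.max_concurrent_updates:
                agent.update_status = UPDATING


def status_counts(manager):
    """Tally of the Update Status column, as the Agents grid would show it."""
    counts = {}
    for agent in manager.agents:
        counts[agent.update_status] = counts.get(agent.update_status, 0) + 1
    return counts
```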
Deleting Agents
When needed, you can delete Agents. You may want to do this if the computer is no longer in
commission, or if you need to delete and reinstall an Agent for maintenance reasons.
Deleting an Agent does not remove the Agent software. But it does disconnect the Agent from the
Manager, which means it will no longer be able to connect to and send data to the TriGeo SIM.
Deleting an Agent also reallocates its license to the Open License pool, so it can be reassigned to
another computer.
To delete Agents:
1. Open the Manage ► Agents view.
2. In the Agents grid, select the Agents you want to delete.
3. Click the grid's gear button and then click Delete.
Note: You can delete individual Agents with the Agent row's gear button, or you can delete
multiple Agents at the same time with the gear button at the top of the grid.
4. Click Yes to delete the Agents from the Manager. Otherwise, click No to return to the Console
without deleting the Agents.
The Agents are removed from the Agents grid. In addition, your number of available
unassigned licenses increases accordingly. You can now reallocate these licenses to other
Agents on this or some other Manager.
Deleting and recovering unused Agent licenses
Use this procedure to remove one or more open (unallocated) Agent licenses from a Manager. This frees the Agent licenses for later use, or for use with a different Manager.
To remove open Agent licenses from a Manager:
1. Open the Manage ► Agents view.
2. In the Agents grid, locate the [Open License] row in the grid's Name column.
3. Select the [Open License] row.
4. Click the row's gear button (not the grid's) and then click Delete.
The Delete Open Licenses form appears.
5. In the counter box, type or select the number of unallocated licenses you want to remove from
the Manager.
6. Click OK to remove the licenses from the Manager. Otherwise, click Cancel to return to the Console without removing the licenses.
In the Appliances view, the number of available unassigned licenses increases accordingly.
You can now reallocate these licenses to other Agents on this or some other Manager.
Note: Removing an Agent from a Manager does not remove the Agent software from the
computer. See “Removing a TriGeo Agent from a computer” in the TriGeo SIM Installation
Guide.
Copying Agent data
If needed, you can copy the data from the Agents grid to your clipboard. This allows you to paste the data into another application, such as Microsoft Excel for analysis or the Remote Agent Installer for updates. You can copy the data for a single Agent, multiple Agents, or for every Agent in the grid.
To copy Agent data:
1. Open the Manage ► Agents view.
2. In the Agents grid, select the Agents you want to copy.
3. Click the grid's gear button, and then do one of the following:
• Click Copy Selected to copy the data for the selected Agents.
• Click Copy All to copy the data for every Agent in the grid.
The Agent data is now copied to your clipboard, where it can be pasted into another
application.
Chapter 15: Running Reports
About TriGeo Reports
TriGeo Reports allows you to select which Manager or data warehouse you want to report on, select
the reports you want to run, and schedule when you want to run the reports. The system then
automatically generates the reports according to your schedule and settings.
You can run reports two different ways:
• Scheduled Reports are reports that you configure to run automatically on a particular schedule, without intervention.
• On-demand reports are reports that you run only when you need them.
Reports can take quite a bit of time to run. The larger the report, the longer it takes. For that reason, it
is recommended that you schedule any reports that you intend to run frequently.
Opening TriGeo Reports
1. Click the Start button and then click All Programs.
2. Point to the TriGeo folder, click the TriGeo Reports shortcut.
After a moment, TriGeo Reports appears.
TriGeo Reports features
The topics in this section describe the key features of the TriGeo Reports window, its Menu Button,
its Quick Access Toolbar, and its Ribbon.
Key features of the TriGeo Reports window
The following table describes the key features of TriGeo Reports.

Menu Button: Click the Menu Button to open, save, or print a report, and to see everything else you can do with a report. This button has a similar function to the File menu used by earlier Windows programs.

Quick Access Toolbar: The Quick Access Toolbar is a customizable toolbar. It contains a set of commands that are independent of the tab that is currently displayed. You can customize the toolbar by adding buttons for the commands you use most often, and you can move the toolbar to two different locations. For more information, see "Using the Quick Access Toolbar" on page 421.

Ribbon: The Ribbon is designed to help you quickly find the commands that you need to complete a task. Commands are organized in logical groups that are collected together under tabs. Each tab relates to a type of activity, such as running and scheduling reports, or viewing and printing reports. To save space, you can minimize the Ribbon, showing only the tabs. For more information, see "Minimizing the Ribbon" on page 423.

Settings tab: Use the commands on this tab to choose the reports you want to run, open, and schedule, and to configure reports and the reports’ data source settings.

View tab: Upon opening or running a report, the Ribbon automatically switches to the View tab, which has a toolbar for printing, exporting, resizing, and viewing the report. If you click the View tab without having opened a report, the Preview pane shows a blank page. If you click the View tab after you have run a report, the Preview pane displays the contents of the report.

Grouping bar: You can use the yellow bar above the grid to group, sort, and organize the reports list. For more information, see "Grouping reports" on page 451.

Report list/Preview pane: By default, this section is a grid that displays a list of TriGeo’s Standard Reports. Upon selecting a different report category, the grid changes to list the reports that are in that category. You use this grid to select the report that you want to run or schedule. You can also filter and sort the grid to quickly find the reports you want to work with. See "Sorting, filtering, and grouping report lists" on page 444. Upon opening or running a report, this section changes into a report Preview pane that displays the report. The Ribbon also automatically switches to the View tab, which has a toolbar for printing, exporting, resizing, or viewing the report.
Using the Menu Button
In TriGeo Reports, the Menu Button opens a menu that lets you execute the most common report
commands. The following table describes each command in the Menu Button menu.
Menu option
Description
Open Report
Opens a report that has been saved in RPT format. The report opens in
the TriGeo Reports Preview pane in the View tab, where you can view,
search, print, and export it.
The Recent Reports list to the right shows a list of recently opened
reports.
Export Report
Use this command to export the report you are currently viewing.
Schedule Report
Use this command to configure a schedule for automatically running the
selected report in the Report list.
Print Report
This command prints the report you are viewing to your default printer,
with its default settings.
Printer Setup
This command opens a Print Setup dialog box, which you can use to
select a printer and customize its print settings.
Refresh Report
List
This command refreshes the report list for each report category. Use this
command if you have added new report files—such as some new custom
reports—and they are not showing up in the report list. This command
accesses your computer’s Reports directory, retrieves information about
all of the reports, and rebuilds the lists for each report category.
Exit
Exits the TriGeo Reports application.
Using the Quick Access Toolbar
The Quick Access Toolbar is a customizable toolbar. It contains a set of commands that are
independent of the tab that is currently displayed. You can customize the toolbar by adding buttons
for the commands you use most often, and you can move the toolbar to two different locations.
Figure: The Quick Access Toolbar
Default commands
By default, the Quick Access Toolbar shows the commands listed in the following table.

Open: Opens a report that has been saved in RPT format. The report opens in the TriGeo Reports Preview pane in the View tab, where you can view, search, print, and export it. See "Opening your saved reports" on page 475.

Run: Runs the report that is currently selected in the report list. If the report requires any parameters, the Enter Parameter Values form appears. For the procedure on running reports, see "Running reports on demand" on page 454.

Refresh Report List: This command refreshes the report list for each report category. Use this command if you have added new report files, such as new custom reports, and they are not showing up in the report list. This command accesses your computer’s Reports directory, retrieves information about all of the reports, and rebuilds the lists for each report category.

Exit: Exits the TriGeo Reports application.
Moving the Quick Access Toolbar
The Quick Access Toolbar can be located in either of two places: in the upper-left corner of the window, next to the Menu Button (its default location), or below the Ribbon. If you don't want the toolbar to be displayed in its current location, you can move it to the other location.
To move the Quick Access Toolbar:
1. Click the drop-down list next to the Quick Access Toolbar.
The Customize Quick Access Toolbar form appears.
2. Do one of the following:
• To move the toolbar below the Ribbon, click Show Quick Access Toolbar Below the Ribbon.
• To move the toolbar above the Ribbon, click Show Quick Access Toolbar Above the Ribbon.
Minimizing the Ribbon
You cannot delete or replace the Ribbon with the toolbars and menus from the earlier versions of
TriGeo Reports. However, you can minimize the Ribbon to make more space available on your
screen. When the Ribbon is minimized, you see only the tabs.
Figure: Full Ribbon
Figure: Minimized Ribbon
To always keep the Ribbon minimized:
1. Click the drop-down list next to the Quick Access Toolbar.
2. In the list, click Minimize the Ribbon.
3. To use the Ribbon while it is minimized, click the tab you want to use, and then click the option
or command you want to use.
4. After clicking the command, the Ribbon goes back to being minimized.
To restore the Ribbon:
1. Click the drop-down list next to the Quick Access Toolbar.
2. In the list, clear the Minimize the Ribbon check box.
To quickly toggle between minimizing and restoring the Ribbon, do one of the following:
• Double-click the name of the active tab.
• Press Ctrl+F1.
Configuring report preferences
TriGeo Reports has a Preferences group that is used to set up database connections, so that TriGeo Reports knows which database to draw from when running reports.
Table of preferences
The following table briefly describes each preference in the Preferences group.

Configure > Primary Data Source: Select this option to choose the default data source that is to be used for running reports whenever the TriGeo Reports window is opened. The option you select here becomes the default setting in the Data Source list. At any time, you can select a different data source and then run reports from that source. But whenever you reopen the TriGeo Reports window, it defaults to the data source you have selected here.

Configure > Syslog Server: Select this option to have a TriGeo Manager send report log information to a syslog server. A syslog server logs basic report activity, such as who is running reports, which reports are being run, which database a report is drawing from, when each report is run, when each report is complete, and any error messages that occur if a report generates errors.

Configure > Data Warehouse: Select this option to configure a new data warehouse source so it appears in the Report Data Sources list.

Data Source list: Use this list to select the data source that you want to run reports against. When you select a data source here, it temporarily overrides the Primary Data Source (default) that you selected in the Configure list. For more information, see "Running reports on demand" on page 454.
The following topics explain how to configure each preference.
Selecting a (default) Primary Data Source
Use this procedure to select your Primary Data Source. This is the default data source that is to be
used for running reports whenever the TriGeo Reports window is opened. It will appear as the default
setting in the Preferences group’s Data Source list.
At any time, you can select a different data source and run reports from that source. But whenever
you close and then reopen the TriGeo Reports window, it defaults to your Primary Data Source.
To run reports from a different data source, see "Running reports on demand" on page 454.
To select a primary data source:
1. Open TriGeo Reports.
2. On the Settings tab, in the Preferences group, click Configure and then select Primary Data
Source.
The Select Primary Data Source form appears.
3. In the Primary Data Source list, select the default data source.
4. Click Test Connection to have the system perform a ping test to confirm that a connection to the data source can be established. A test is not required, but it is highly recommended. During the test, the OK button is disabled.
• If the test succeeds, the OK button becomes enabled, and the status area below the Test Connection button reads: "Ping Test...success."
• If the test fails, an error message appears. In that case, see "Troubleshooting database connections" on page 430.
5. Click OK.
Configuring a syslog server
Use this procedure to have a TriGeo Manager send report log information to a syslog server. A syslog
server records all report-related events and application messages. It logs basic report activity, such
as who is running reports, which reports are being run, which database a report is drawing from, when
each report is run, when each report is complete, and any error messages that occur if a report
generates errors.
By default, the syslog server is set to the Primary Manager, but it can be set to any server running a
standard syslog service. However, the server must have an Agent installed so it can communicate
with the Manager.
To configure a syslog server:
1. Open TriGeo Reports.
2. On the Settings tab, in the Preferences group, click Configure and then select Syslog
Server.
The Set Syslog Server form appears.
3. In the Syslog Server (Host Name) box, type the server’s host name.
4. Click Test.
The system performs a ping test to confirm that the host can be reached. You must test the connection before the server can be accepted. Note that a successful test does not confirm that the host is actually running a syslog server; it only confirms that the host answers.
• If the ping test succeeds, it retrieves and displays the host IP address and a message appears, stating: "The Ping Test succeeded."
• If the ping test fails, a message appears to tell you so. In this case, confirm that you have entered the correct host name and that it matches a valid DNS entry.
5. Upon completing a successful test, click OK.
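The test in step 4 proves only that the host answers a ping, not that anything on it is listening for syslog. The following Python script is an added example and is not part of the TriGeo documentation or product: it binds a throwaway UDP syslog listener on the loopback interface, sends a constructed RFC 3164 message to it, and parses what arrives, which is the check an engineer on the collector side would run to confirm that report-activity events actually land and can be read. The message layout (tag TriGeoReports and key=value fields named user, report, source and status) is an assumption for illustration; the real TriGeo message format is not documented on this page. Keep in mind that classic syslog over UDP is cleartext and unacknowledged, so the path between the Manager and the collector must be trusted if the report audit trail is to be relied on.

```python
import re
import socket

# Constructed sample of a report-activity event in RFC 3164 syslog form.
# The TriGeo message layout is not documented on this page; these fields
# (user, report, source, status) are an assumption used to exercise the parser.
# PRI 134 = facility 16 (local0) * 8 + severity 6 (informational).
SAMPLE_MESSAGE = (
    '<134>Oct 11 22:14:15 reports01 TriGeoReports: '
    'user=jdoe report="Event Summary" source=warehouse-01 status=complete'
)

# RFC 3164 layout: <PRI>TIMESTAMP HOSTNAME TAG: MSG
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s]+): ?"
    r"(?P<msg>.*)$"
)

# key=value pairs in the message body; quoted values may contain spaces
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_syslog(line: str) -> dict:
    """Split an RFC 3164 line into facility, severity, header fields and
    any key=value pairs found in the message body."""
    m = _RFC3164.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 syslog line: {line!r}")
    pri = int(m.group("pri"))
    fields = {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "msg": m.group("msg"),
    }
    for key, value in _KV.findall(fields["msg"]):
        fields[key] = value.strip('"')
    return fields


def syslog_round_trip(message: str, host: str = "127.0.0.1", timeout: float = 2.0) -> dict:
    """Bind a throwaway UDP listener, send `message` to it as a syslog datagram
    and return the parsed copy that arrived. A successful ICMP ping says nothing
    about a syslog listener; a datagram that shows up on the collector does.
    Port 0 lets the OS pick a free port; a real collector listens on UDP 514."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind((host, 0))
    listener.settimeout(timeout)
    port = listener.getsockname()[1]
    try:
        sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            sender.sendto(message.encode("utf-8"), (host, port))
        finally:
            sender.close()
        data, _ = listener.recvfrom(8192)  # raises socket.timeout if nothing arrives
    finally:
        listener.close()
    return parse_syslog(data.decode("utf-8", errors="replace"))


if __name__ == "__main__":
    received = syslog_round_trip(SAMPLE_MESSAGE)
    print(f"{received['host']} {received['tag']}: {received['user']} ran "
          f"{received['report']!r} against {received['source']} ({received['status']})")
```

To test a real collector, point the sender at the collector's address and UDP port 514 and watch for the message in the collector's log instead of using the local listener; the parser is the same either way.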
Configuring a data warehouse
Use this procedure to configure a new database warehouse as a data source, so you can report
against it. Once configured, it appears in the Preferences group’s Data Source list under
Warehouses.
This procedure also creates a matching ODBC DSN that is used by TriGeo Reports to communicate
with the data warehouse server.
To configure a data warehouse:
1. Open TriGeo Reports.
2. On the Settings tab, in the Preferences group, click Configure and then select Data
Warehouse.
The Configure Data Warehouse form appears.
3. Complete the form as described in the following table.

Warehouse Name (Host Name): Type the data warehouse server’s host name.

Port Number: Type the port number for connecting to the data warehouse.

Database Type: Select the type of database that is used by the data warehouse.

Security: Click this button to create a password for reporting against the data warehouse, if it is different from the default password.
• In the Specify Password box, type the new password, and then click OK.
• Click Reset to reset the password to its default setting.

Timeout for database connection test x sec.: Type how long (in seconds) the system is to wait for a response when performing a “ping test” to test for a connection to the database. If a connection cannot be made within this period, the test automatically stops.

Set as Primary Data Source: Select this option to make the data warehouse the Primary Data Source. This means it will become the default data source for reporting.

Host IP Address: If you perform a connection test and the test is successful, this read-only field displays the data warehouse server’s IP address.

Do not ping: Select this option if you do not intend to perform a ping test to verify your connection to the data warehouse server.

Connect with Warehouse Name: Select this option to have the TriGeo Reports window connect to the data warehouse server with the Host Name setting.

Connect with IP Address: Select this option to have the TriGeo Reports window connect to the data warehouse server with the IP Address setting.

No Warehouse: Click this button to clear the form’s data warehouse settings, delete any warehouse configuration details, and close the Configure Data Warehouse form.

Test Connection: Click this button to have the system perform a ping test and a database connection test to confirm that a connection to the data warehouse can be established.
• If the test succeeds, a dialog box displays the Host IP Address.
• If the test fails, see "Troubleshooting database connections" on page 430.
If you do not perform a connection test, the system performs one automatically when you click OK.

4. Click OK.
Troubleshooting database connections
Use the following table to troubleshoot error messages that may occur with the ping test used to test the connection between TriGeo Reports and the data warehouse or the Primary Data Source.

Error message: Manager ping timed out.
Description: TriGeo Reports was unable to connect to the Manager's host name or IP address. Confirm that the host name (or IP address) you specified is correct.
Correction:
• Confirm that you have entered the warehouse’s Host Name properly. Make sure it matches a valid DNS entry.
• Try entering the warehouse’s actual IP address in the Host Name field.

Error message: Sending the authentication packet failed. Could not flush socket buffer.
Description: TriGeo Reports could resolve and connect to the IP address, but could not authenticate to the database server at that location.
Correction: Confirm that the Host Name (or IP address) you specified is correct and is allowing connections from the location on which you are running TriGeo Reports. This error may also indicate a need to modify report restrictions. See the restrictreports and unrestrictreports CMC commands in "Using the CMC 'service' menu" on page 569.

Error message: Server ping test successful, but database connection test failed. / Login incorrect. / Login failed for user ‘[user name]’
Description: TriGeo Reports could resolve, connect to the IP address, and connect to SQL Server, but could not log in using the reports user.
Correction:
• Confirm that the Host Name (or IP address) you specified contains the TriGeo database.
• The warehouse may require a password for reporting purposes. In this case, click the Security button and then enter the warehouse’s reporting password.
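The rows above describe failures at successive stages: resolving the name, reaching the server, and logging in to the database. The following Python probe is an added example, not part of TriGeo Reports, that separates the first two stages so you know which correction to apply, and it honours a timeout in the way the Configure Data Warehouse form's "Timeout for database connection test" field does. It deliberately uses a TCP connection to the configured port instead of ICMP, because a database port can be filtered while ping is permitted (or the other way round), and it reports the resolved address as the form's Host IP Address field does. Port 1433 in the demo is the common SQL Server default and is an assumption; use the Port Number from your form. The login stage (the "Login failed for user" row) belongs to the database driver and is not attempted here. The demo() function runs the probe against a throwaway listener on the loopback interface so the example works offline.

```python
import socket
from dataclasses import dataclass
from typing import Optional, Tuple

# Common SQL Server default; an assumption, use the Port Number from your form.
SQL_SERVER_DEFAULT_PORT = 1433


@dataclass
class ProbeResult:
    stage: str              # "resolve" or "connect": the last stage attempted
    ok: bool                # True only if that stage succeeded
    address: Optional[str]  # resolved IP, what the form shows as Host IP Address
    detail: str             # outcome, phrased to match the troubleshooting rows


def probe_data_source(host: str, port: int, timeout: float = 5.0) -> ProbeResult:
    """Stage 1: resolve the host name (bad DNS entry, the 'ping timed out' class).
    Stage 2: open a TCP connection to the database port within `timeout`
    seconds (host unreachable, or not allowing connections from this location).
    Stage 3, logging in as the reports user, is the database driver's job and
    is deliberately not attempted here."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return ProbeResult("resolve", False, None,
                           f"cannot resolve {host!r}: {exc}; check the Host Name "
                           f"against DNS or enter the IP address instead")
    address = infos[0][4][0]
    try:
        with socket.create_connection((address, port), timeout=timeout):
            pass
    except socket.timeout:
        return ProbeResult("connect", False, address,
                           f"no answer from {address}:{port} within {timeout}s; "
                           f"host down or port filtered")
    except OSError as exc:
        return ProbeResult("connect", False, address,
                           f"connection to {address}:{port} failed: {exc}; nothing "
                           f"listening or connections refused from this location")
    return ProbeResult("connect", True, address,
                       f"TCP connection to {address}:{port} succeeded; a remaining "
                       f"failure would be a database login problem")


def demo() -> Tuple[ProbeResult, ProbeResult]:
    """Probe a throwaway loopback listener (reachable), then the same port
    after the listener is closed (refused), to show both outcomes offline."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: the OS picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        reachable = probe_data_source("127.0.0.1", port, timeout=2.0)
    finally:
        listener.close()
    refused = probe_data_source("127.0.0.1", port, timeout=2.0)
    return reachable, refused


if __name__ == "__main__":
    for result in demo():
        status = "OK " if result.ok else "ERR"
        print(f"[{status}] stage={result.stage} ip={result.address} {result.detail}")
```

Run probe_data_source() with the warehouse host name and port from the form; a "resolve" failure points at the first row of the table, a "connect" failure at the second, and a successful connection followed by a reporting failure at the third.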
Managing report categories
TriGeo provides a large variety of standard reports that cover the needs of several different industries. The Manage Categories form allows you to choose reports for those industries, regulatory concerns, and auditing areas that concern your company; to search for specific reports; and to add reports to your Favorite Reports list.
The Manage Categories form
The Manage Categories form has two tabs that provide three views with the following functions:
• The Industry Setup tab lets you select the industries and areas of regulatory compliance that are of interest to your company. Reports that are related to the options you select then appear in the Industry Reports list.
• The Favorites Setup tab’s Search view lets you list, sort, and group the report list by industry and regulatory area. It highlights reports that are already listed in your Favorite Reports list, and allows you to add new reports to the Favorite Reports list.
• The Favorites Setup tab’s Favorites view displays your current list of favorite reports. You can use this view to sort and group your favorite reports to locate a specific report. When needed, this view is also used to remove a report from your list of favorites.
Selecting reports for specific industries
In the Manage Categories form, use the Industry Setup tab to select the industries and areas of regulatory compliance that are of interest to your company. By selecting only those reports that apply to your industry, you can greatly reduce the number of reports that appear when you view the Industry Reports list.
To select industry reports:
1. Open TriGeo Reports.
2. On the Settings tab, in the Report Categories group, click the Manage button and then click
Manage Categories.
The Manage Categories form appears.
3. Click the Industry Setup tab, if it is not already shown.
The Classifications section lists those industries and regulatory areas that are supported by
standard TriGeo reports. The Reports for section displays all of the standard TriGeo reports
that support the classifications you select.
4. In the Classifications section, select the check box for each industry (Education, Federal,
Financial, Healthcare, etc.) that your company is concerned with.
The Reports for section displays all of the standard reports that support the industry or
industries you have selected.
5. If you are only concerned with a few regulatory areas within these industries, select the check
box for each regulatory area your company is concerned with (such as HIPAA or SOX). For a
description of each regulatory option, see "Industry options" on page 433.
The Reports for section now lists only those standard reports that support the regulatory
areas you have selected.
6. To remove reports for any industry or regulatory area, simply click to clear the corresponding
check box.
7. Click OK to save your changes and close the window.
In the Category list, the Industry Reports option now lists the standard TriGeo reports that
support the industries and regulatory areas you have selected.
Industry options
Industry reports are standard reports that are designed to support the compliance and auditing needs of certain industries, such as the financial services industry, the health care industry, and the accountability reporting needs of publicly traded companies. The following table describes which compliance and auditing areas are specifically supported.

Education
FERPA: Reports in this category support compliance with the Family Educational Rights and Privacy Act (FERPA), which gives parents and eligible students certain rights with respect to education records.

Federal
CoCo: Reports in this category support compliance with the UK Code of Connection regulations.
FISMA: Reports in this category support compliance with the Federal Information Security Management Act (FISMA).
NERC-CIP: Reports in this category support compliance with the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) reliability standards.

Finance
CISP: Reports in this category support compliance with the Cardholder Information Security Program, which helps safeguard credit card and bank card transactions at the point of sale, over the Internet, on the phone, or through the mail. CISP helps protect cardholder data for cardholders, merchants, and service providers.
COBIT: Reports in this category support compliance with Control Objectives for Information and related Technology (COBIT™). COBIT is an “open” standard for IT security and control practices. It includes more than 320 control objectives and includes audit guides for more than 30 IT processes.
GLBA: Reports in this category support compliance with the Gramm-Leach-Bliley Act (GLBA). GLBA requires financial institutions to protect the security, integrity, and confidentiality of consumer information. It affects banking institutions, insurance companies, securities firms, tax preparation services, all credit card companies, and all federally insured financial institutions. Security information and event management (SIEM) plays a vital role in GLBA compliance.
NCUA: Reports in this category support compliance with the requirements of the National Credit Union Administration (NCUA). NCUA is the federal agency that charters and supervises federal credit unions and insures savings in federal and most state-chartered credit unions across the country through the National Credit Union Share Insurance Fund (NCUSIF), a federal fund backed by the United States government.
PCI: Reports in this category support compliance with the Payment Card Industry (PCI) Data Security Standard requirements of VISA CISP and AIS, MasterCard SDP, American Express, and DiscoverCard.
SOX: Reports in this category support compliance with the Sarbanes-Oxley (SOX) Act of 2002. Sarbanes-Oxley protects a company’s investors by improving the accuracy and reliability of corporate disclosures made pursuant to securities laws. Provisions within Sarbanes-Oxley hold executive management and the board of directors liable for criminal and civil penalties. Specifically, under Section 404 of the Sarbanes-Oxley Act, executives must certify and demonstrate that they have established and are maintaining an adequate internal control structure and procedures for financial reporting.

General
ISO 17799/27001/27002: Reports in this category support compliance with the ISO 17799, ISO 27001, and ISO 27002 international security standards.

Healthcare
HIPAA: Reports in this category support compliance with the Health Insurance Portability and Accountability Act (HIPAA), which requires national standards for electronic health care transactions.
Creating a list of favorite reports
In the Manage Categories form, the Favorites Setup tab has a Search view. It is similar to the
Industry Setup tab in that it lets you view a list of reports by industry and regulatory area. It highlights
reports that are already in your Favorite Reports list and allows you to add new reports to the
Favorite Reports list.
Step 1: Searching the reports
1. Open TriGeo Reports.
2. On the Settings tab, in the Report Categories group, click the Manage button and then click
Manage Categories.
The Manage Categories form appears.
3. Click the Favorites Setup tab.
4. Click the Search button near the top of the form.
As you can see, the Search view looks just like the Industry Setup tab. The Classifications
area lists those industries and regulatory areas that are supported by standard TriGeo reports.
The Reports Matching Search Criteria box lists every standard TriGeo report. If a report
appears highlighted in green, it means the report is in your Favorite Reports tab.
5. In the Classifications area, select the check box for each industry or regulatory area your company is concerned with.
6. Click the Search button below the left frame.
The Reports Matching Search Criteria box displays all of the standard reports that support
the options you have selected. For example, if you selected Finance, it lists only those reports
that are associated with Finance. If you selected Finance and PCI, it lists every report that is
associated with either Finance or PCI.
If needed, you can also organize the report list by sorting, filtering, and grouping the report list.
Step 2: Adding a report to your list of favorites
1. In the report list, locate the report you want to add to the Favorite Reports list.
2. Do either of the following:
• Click to select the report. Then click Add To Favorites.
• Right-click the report, and then click Add To Favorites.
The Favorite Reports list now includes the report as one of your favorites.
Removing a report from the Favorite Reports tab
When needed, you can use the Manage Categories form to remove a report from the Favorite
Reports list. This does not delete the report; the report remains in its original category. For example,
if you remove a favorite report that originally came from the Standard Reports list, it remains listed in
the Standard Reports list. This means you can restore the report as a favorite at any time.
To remove a report from the Favorite Reports list:
1. Open TriGeo Reports.
2. On the Settings tab, in the Report Categories group, click the Manage button and then click
Manage Categories.
The Manage Categories form appears.
3. Click the Favorites Setup tab.
4. Click the Favorites button.
The window displays your current list of favorite reports. If there are a lot of reports, you can
sort, filter, and group the report list to locate the specific report you want to remove.
5. In the report list, select the report you want to remove from the Favorite Reports list. Then do
either of the following:
• Click Remove From Favorites.
• Right-click the report and then select Remove From Favorites.
6. Click Apply to save the change.
7. Repeat Steps 5 and 6 for each report you want to remove.
8. Click OK to save your changes and close the window.
The reports no longer appear in your Favorite Reports list.
Viewing Historical Reports
On rare occasions, typically after an upgrade, you may encounter a report that can only be run against the earlier version. These legacy reports are called Historical Reports. In these cases, the View Historical Reports option lets you view, schedule, and run these reports. By default, this option is disabled, as it is only used for viewing legacy reports.
To view historical reports:
1. Open TriGeo Reports.
2. On the Settings tab, in the Report Categories group, click the Manage button and then click
View Historical Reports.
A Historical Reports option appears in the Category list.
3. In the Category list, select Historical Reports to display the list of Historical Reports.
4. You may now view, schedule, or run a Historical Report.
Working with report lists
TriGeo Reports ships with a wide range of reports. To keep them organized, they are arranged and
listed into different categories. This topic explains how to locate reports, view report properties, and
create a list of your favorite reports.
Viewing lists of reports by category
You can use report categories to select the type of reports you want to work with, for example TriGeo’s standard reports or your own custom reports. Each option in the Category list displays the reports that are assigned to that category.
To view a list of reports by category:
• On the Settings tab, in the Report Categories group, click the Category list and then select a report category.
The window displays the list of reports in that category. If you select a different category, the
reports list changes to display the reports that are in the new category.
The following table describes each option in the Category list.
Standard Reports
    This list displays the standard set of reports that ship with the TriGeo system and are
    supported by TriGeo technical support. Most standard reports capture specific event data
    that occurs during a particular period.
Industry Reports
    This list displays the standard reports that are designed to support the compliance and
    auditing needs of certain industries, such as the financial services industry, health care
    industry, and the accountability requirements of publicly traded companies. For more
    information, see "Selecting reports for specific industries" on page 432.
Custom Reports
    This list displays any custom reports that you created, or that TriGeo created for your
    company, to meet a specific need.
    Standard and custom reports are essentially the same thing. They are run and scheduled in
    the same manner. The only difference is that custom reports are “undocumented,” as they
    are created specifically by you or for you.
    While TriGeo supports any custom reports they make for your company, TriGeo does not
    support any custom reports that you make yourself.
Chapter 15: Running Reports
Favorite Reports
    This list displays the standard, industry, and custom reports that you use most often. You
    can add and remove reports to this category as needed.
Locating a report by title
If you know a report’s title, you can quickly locate it in the TriGeo Reports window by typing its name
in the appropriate report category list.
To locate a report by title:
1. Open TriGeo Reports.
2. On the Settings tab, in the Report Categories group’s Category list, select the category that
contains the report.
3. Click any row in the report list.
4. In the Report Title column, begin typing the report name.
The system takes you to the first report title that matches the letters you have typed. For
example, if you clicked Standard Reports and began typing “even”, the system takes you to
Event Summary, which is the first matching report title.
5. From here, you can scroll down to the exact report you are looking for.
Viewing a report’s properties
In TriGeo Reports, many reports have similar titles. Therefore, you can use the Properties feature to
view a written description of each report. These descriptions match the ones given in "The following
tables list all of TriGeo’s reports, provide descriptions of their contents, and suggest schedules for
running each report. " on page 573.
To view a report’s properties:
1. In the reports list, click to select the report you want to work with.
2. Do either of the following:
• In the report grid, position the mouse pointer over the report you have selected.
• On the Settings tab, in the Report Selection group, click Report Properties.
In either case, an Information box appears, showing a description of the report.
3. Click OK to close the Information box.
Creating a list of favorite reports
The reports you use most often are obviously your favorite reports. To easily access these reports,
you can add them in the Favorite Reports list. This list contains only your favorite reports. It can
include any of TriGeo’s standard reports, as well as any custom reports you may have.
To designate a report as a favorite, you must copy it to the Favorite Reports list. Each Console user
can set up his or her own list of favorite reports. The Console displays the favorites of the user who is
currently logged on.
Note: A “Console user” is determined by the user’s Windows account. If two users on the same
computer log into the same account, they will share a list of favorites.
To create a list of favorite reports:
1. Open TriGeo Reports.
2. On the Settings tab, in the Report Categories group, click the Category list. Then select the
category that contains the report you want to add to your list of favorites.
3. Locate the report in the report list.
4. Right-click the favorite report and then select Add Report to Favorites.
The system copies the report to your Favorite Reports list. The next time you open the
Favorite Reports list, the report will be there.
Note: Usually, reports are added to the Favorite Reports list through the Report View
Preferences window. See "Creating a list of favorite reports" on page 435 for more
information.
Sorting, filtering, and grouping report lists
Sorting the report list
You can sort the report list by clicking its column headers. This sorts the entire report list by the
contents of the column you have selected. You can sort each column in either ascending order
(alphabetical) or descending order (reverse alphabetical).
To sort the report list:
• Click a column header once to sort the report list by that column in ascending (alphabetical)
order.
The column header shows an upward arrow. This arrow means the report list is sorted by
this column in ascending order.
• Click the column header again to sort the report list by that column in descending (reverse
alphabetical) order.
The column header shows a downward arrow. This arrow means the report list is sorted by
this column in descending order.
Filtering report lists
The TriGeo Reports window lets you filter the report list. This means you can have the list display
only those reports that are associated with a particular report title, category, level, or type. You can
also apply more than one filter at a time to display a very small subset of the report list. If needed, you
can also create your own custom filters, and then save them for later use.
Each column header in the report list has a drop-down button. Clicking the button displays a list of
filter options that are available for that column, as shown here.
[Figure: Filtering a report list]
For example, the Category column has several options. Selecting Audit reduces the list to show
only the reports associated with the Audit category.
When you apply a filter, a yellow status bar appears below the reports list. The status bar lists which
filters are currently applied. You can use this list to remove each filter individually, or to remove them
all at once.
Filtering a report list
1. Decide which column you want to use for the filter.
2. Click a column header's drop-down list and select a filter option.
3. The report list refreshes to display the filtered list.
4. Repeat Step 2 for each additional filter you want to apply.
Changing a filter setting
Do either of the following:
• Click a filtered column header's drop-down list and select a different filter option.
• In the status bar below the report list, click the filter’s drop-down arrow. Then select a
different filter option from your list of most commonly used filters.
The report list refreshes to display the list with the new filter.
Turning off report filters
In the TriGeo Reports window, when you are finished with a report filter, you can turn it off. Turning off
a filter refreshes the report list so that it displays the list without that column filter. You can turn off a
single filter or all of the filters at once.
To turn off a filter:
Do either of the following:
• In the appropriate column header drop-down list, select (All).
• Clear the check box next to the filter in the status bar.
The report list refreshes to display the list without that column filter.
To turn off all of the filters:
• Click the icon in the status bar.
The report list refreshes to display the list without any filters.
Custom report filters
In most cases, the standard column filters should meet your day-to-day needs. But if the filters are
insufficient, you can create your own customized multi-column filters. You can also choose to save
your custom filters. This allows you to save them for later use, or to pass them on to other users.
Creating a custom report filter
1. On the TriGeo Reports window, click the report filter you want to use as a starting point.
2. At the bottom of the filter, click the Customize… button.
The Filter Builder form appears.
3. Use the form’s buttons to select the column, column option, and specific conditions that define
the filter.
In the example shown above, the filter displays only those reports where the Category column
equals Audit, and the Type column equals Authentication.
4. Click OK or Apply to apply the filter. Otherwise, click Cancel.
Saving a custom report filter
1. Create the custom filter, as explained above.
2. Click Save As.
The Save the active filter to file form appears.
3. Use the Save in list to locate and select the folder you want to store the filter in.
4. In the File name box, type a name for the filter.
5. Click Save.
The filter is now saved and available for later use.
Opening a saved custom report filter
1. Click the Customize button.
The Filter Builder form appears.
2. Click Open.
The Open an existing filter form appears.
3. Use the Look in list to locate and open the folder that contains the custom filter. Then click to
select the filter.
4. Click Open.
5. The custom filter’s configuration appears in the Filter Builder form.
6. On the Filter Builder form, click OK or Apply.
The custom filter is applied to the report list.
Grouping reports
You can sort the TriGeo Reports window’s report list into groups of reports by dragging one or more
column headers into the grouping box above the report list. This feature allows you to quickly organize
and display groups of reports that fall into very specific categories.
For example, suppose you want to group the reports by Category. By simply dragging the Category
column header from the report list into the grouping box, you can rearrange the report list into groups
that are defined by items from the Category column, as shown here.
[Figure: The tools for grouping reports]
Groups change the report list into a series of nodes. There is a separate node for each unique item or
category from the column that defines the grouping. The nodes are alphabetized, and each node is
named by the column and category that defines the grouping.
For example, the Category column that defines the grouping in the example above has three unique
categories—Audit, Security, and Support. So grouping by the Category column creates three
nodes—Category: Audit, Category: Security, and Category: Support.
Opening a particular node displays only the reports that are associated with that particular grouping
configuration.
You can group reports by any column header in the report list (Title, Category, Level, Type, etc.).
You can also create sub-groups to create parent-child hierarchies. For example, you could create a
Category group and a Type sub-group, or vice versa.
Creating a report group
• Decide which column is to define the report groupings. Then drag that column header into the
Drag a column header here to group by that column area above the report list.
[Figure: Before]
[Figure: After]
In the example shown above, we have dragged the Category header to group the report list by
Category.
The report list now displays a separate node for each unique item that is in the column that is
defining the grouping. The nodes are alphabetized and labeled for easy reference.
Viewing the reports within a group
• Click a node to display a list of reports that fall within that grouping. To close the node, simply
click it again.
Creating a sub-group
1. Drag another column header into the Drag a column header here to group by that column
area.
2. Do either of the following:
• Place the new column header above the existing header to have the new header act as
the primary grouping. In the example shown above, the report list would be grouped by
Level and then Type.
• Place the new column header below the existing header to have the new header act as
the secondary grouping. In the example shown above, the report list would be grouped
by Type and then Level.
The report list refreshes to display two levels of nodes—one level of nodes for the primary
group, and one set of nodes for the secondary group.
3. To view the reports within a particular grouping, click a higher-level group node, and then a
sub-group node.
The report list displays only those reports that apply to both groupings.
4. Repeat Steps 1 and 2 for each additional grouping you require.
Running and scheduling reports
This section explains how to run reports. You can run reports two different ways:
• On-demand reports are those reports that you run only when you need them.
• Scheduled Reports are reports that you configure to automatically run on their own, on a
particular schedule, and without intervention.
All TriGeo reports are scheduled and run in the same manner. The following procedures explain the
methods for running on-demand reports and scheduled reports.
Reports can take quite a bit of time to run. The larger the report, the longer it takes to run. For that
reason, it is recommended you schedule any reports you intend to run frequently.
Running reports on demand
1. Open TriGeo Reports.
2. On the Settings tab, in the Preferences group, click the Data Source list and then select the
Manager or database warehouse that is to be the data source for the report. This step is only
needed if you are selecting a data source that is different from the Primary (default) Data
Source.
3. In the Report Categories group, click the Category list and select the report category you
want to work with.
The report list displays all of the reports in the category you have selected.
4. In the report list, locate the report you want to run. Then do any of the following:
• Double-click the report.
• Right-click the report and then click Run Report.
• Click to select the report. Then on the Settings tab, in the Report Selection group,
click Run.
• Click to select the report. Then on the Quick Access Toolbar, click the Run button.
Depending on the report you selected, you may be prompted to enter certain report
parameters, such as a start date/time, an end date/time, and a range. In this case, the Enter
Parameter Values form appears.
5. To complete the Enter Parameter Values form, select an item in the Parameter Fields box.
Then, in the lower half of the form, type or select the appropriate value for that parameter. The
following table explains how to complete each parameter field.
Start Date/Time
    Type or select the report’s start date and time. The time is optional. Click the Now button
    to populate these fields with the current date and time.
End Date/Time
    Type or select the report’s ending date and time. The time is optional. Click the Now
    button to populate these fields with the current date and time.
Top N
    Type the number of items you want reported, such as the “top 5” or the “top 10.”
6. Click OK.
The report appears in the Preview pane and the Ribbon changes to the View tab. You can use
the View tab to print, export, view, resize, and search the various pages of the report.
Report errors
If you receive the following error, it is possible that your database server for your data warehouse or
your TriGeo appliance is offline, or that you need to run the restrictreports CMC command.
1. First, check to make sure that your servers are online.
2. Then check your restrictreports settings. See the CMC restrictreports command in "Using
the CMC 'service' menu" on page 569.
If you receive any other errors, or if you are uncertain about how to properly perform these procedures,
please refer to the TriGeo Knowledgebase or contact TriGeo Technical Support.
Scheduling reports (process overview)
Scheduling a report requires several steps. But once you configure a report schedule, TriGeo does the
rest. You can create more than one schedule for the same report. This allows you to run the same
report on different Managers, and to run the same report in different intervals (daily, weekly, monthly,
etc.), each with a different scope.
Scheduling a report is basically a seven-step process:
1. First, select the report you want to schedule and then click Schedule.
2. Name the scheduled task. You need to name the scheduled task to distinguish it from other
similar tasks. For example, the same scheduled report needs to be configured separately for
each data source (Manager or database warehouse). Therefore, you will name each task to
readily distinguish between the scheduled tasks for each data source.
3. Set the schedule parameters. This states when the scheduled report is to run.
4. Apply any advanced scheduling options, if desired.
5. Select settings that define when the TriGeo system can and cannot run the task.
6. Apply the scheduled report to the data source (Manager or the database warehouse) for which
you want a report. Then define the scope, which is the period you want the report to cover.
When the system runs the report, it retrieves any pertinent events that occurred within the
period defined by the scope.
7. Finally, select any export options for the report. This allows you to export to the folder of your
choice, and in a format that is easy to read and print. If you do not export the report, it will automatically print to your default printer.
Each step of this process is fully explained in the following numbered topics. You must repeat this
process for each report you want to schedule.
Step 1: Selecting the report you want to schedule
In this step, you will select the report you want to schedule, then open the Report Scheduler Tasks
window.
To begin scheduling:
1. Open TriGeo Reports.
2. On the Settings tab, in the Report Categories group, click the Category list and select the
report category you want to work with.
The report list displays all of the reports in the category you have selected.
3. In the Report Title column, locate the report you want to schedule. Then do any one of the following:
• Click the report and then click the Schedule button.
• Right-click the report and then select Schedule Report.
• Click the report you want to schedule. Then on the Menu Button menu, select
Schedule Report.
The Report Scheduler Tasks window appears. Use this window to add, edit, and delete your
scheduled report tasks.
Note that the Event Summary box shows only the tasks that apply to the report you selected
in Step 3.
Step 2: Adding a new scheduled report task
Here, you will name and configure the new scheduled task that is associated with this report.
To create a scheduled task:
1. To add a new report schedule, click the Add button.
The Enter Scheduler Task Description form appears.
2. In the Task Description box, type a name for the report, then click OK.
At this point, the task scheduler form appears. The form takes the name of the report to
indicate which report you are scheduling.
3. Complete the Task tab as described in the following table.
Run
    Normally, you will not change the default setting. But if you do, use this box to type the
    path to the argument that initiates the task settings for this report. If needed, click the
    Browse button to locate the correct folder and file.
Start in
    Normally, you will not change the default setting. But if you do, use this box to type the
    path to the TriGeo Reports executable file (.exe).
Comments
    Type a description of the report schedule you are configuring, such as “Monthly TriGeo
    Event Summary Graphs.”
Run as
    By default, this box displays the current user. To change the user, type the domain and
    user name as follows: [Domain]\[UserName].
    Then click the Set password button to set up a password for the current user to run the
    report. This step is required for the scheduler to work properly.
Enabled (scheduled task runs at specified time)
    Select this check box to run the scheduled task to the schedule you will specify in the
    Schedule tab. If you clear this check box, the report will not run on that schedule.
4. Click Apply to save your changes to the tab.
Step 3: Scheduling the report
Now you will create the actual report schedule. The settings on the Schedule tab tell the system
when to run the report.
If needed, you can create multiple schedules for each report that are within the same scope. For
example, perhaps you would like to run an event summary report for the current week and have it
display the running total for the week at each hour. You could set the report to “Week: Current” and
have multiple schedules that run on an hourly schedule and on a twice-daily schedule.
To schedule a report:
1. Click the Schedule tab. For new tasks, the tab states that the task is not scheduled.
2. Click the New button to create a new schedule for the report.
The schedule shown above appears by default. You will create a new schedule by modifying
this default schedule with the various boxes in the Schedule tab.
3. Complete the Schedule tab as described in the following table.
Schedule Task
    Select how often the system is to run the report—daily, weekly, etc.
Start time
    Type or select the time the system is to run the report.
    For more detailed scheduling, click the Advanced button. See "Step 4: Selecting advanced
    scheduling options" on page 463 for more information.
Every
    Type or select how often you want to run the task based on your selection in the Schedule
    Task box above. For example, for a daily report, you can run the report every day, every
    2 days, every 3 days, etc. For a weekly report, you can run the report every week, every
    2 weeks, etc.
Show multiple schedules
    Select this check box if you will have more than one schedule for this task, where each
    schedule has the same scope.
    If you are going to create more than one schedule with different scopes, then you will need
    to create a different task for each schedule.
    If the report is to have only one schedule, then clear this check box.
4. Click Apply to save your changes.
The new report schedule appears in the list box near the top of the tab.
5. If desired, repeat Steps 2 – 4 to set up each new schedule for this task.
Step 4: Selecting advanced scheduling options
If you clicked the Schedule tab’s Advanced button, then the Advanced Schedule Options form
appears (shown here). This form provides you with complete control over your report schedules. For
example, you can schedule start and end dates for the report, or set a task to repeat for a set period of
time.
To select advanced scheduling options:
1. Click the Advanced button on the Schedule tab.
The Advanced Schedule Options form appears.
2. Complete the Advanced Schedule Options form as described in the following table.
Start Date
    Type or select the date you want the system to begin running the report.
End Date
    Select this check box if there is a date on which you want the system to stop running the
    report. Then type or select the end date.
    If there is no end date, then leave this check box blank.
Repeat task
    Select this check box if you want the system to repeat running the scheduled report at
    regular intervals.
Every
    Type or select the interval. In the example shown above, this task will run every 4 hours.
Time
    Type or select the time you want the system to stop running the repeated task.
Duration
    Type or select how long you want the task to run. By limiting the time the task can run,
    you can prevent the task from running forever, should a problem occur. Reports can be
    very time consuming; therefore, use this configuration option with caution.
If the task is still running, stop it at this time.
    Select this check box to have the system stop running a report that is running when the
    Time or Duration setting occurs.
    Keep the check box clear to have the system finish running a report that overlaps the
    Time or Duration setting.
In the example shown above, the configured report will run every four hours, starting on
Monday, August 18, and running through Sunday, August 30. Each time the task runs, the
system will stop it if it continues to run for more than one hour.
3. Click OK to save your changes and exit the form; otherwise, click Cancel.
You return to the task scheduler form.
Step 5: Stating when the system can or cannot run the task
In this topic, you will use the Settings tab to select options that state when the system can and
cannot run the task.
To define when the system can or cannot run the task:
1. Click the Settings tab to fine tune the options for this task.
2. Complete the Settings tab as described in the following table.
Scheduled Task Completed
    Select Delete the task if it is not scheduled to run again to have the system delete a
    task that has run its course. For example, you may want the system to delete a task that
    has a definite end date. Leave this check box clear to keep the task.
    Select Stop the task if it runs for [xxx] hour(s) [xxx] minute(s) to specify a maximum
    allowable time limit for the system to accomplish a task. Use the hour(s) and minute(s)
    boxes to specify a maximum allowable time. In the example shown, the system will stop
    the task if it exceeds 72 hours. If you leave this check box clear, then the system continues
    running the task until it is complete.
Idle Time
    These options allow you to run tasks when the computer is idle.
    Select Only start the task if the computer has been idle for at least [xxx] minute(s) to
    begin running a task only if the computer is idle for the specified time. Use the minute(s)
    box to specify a minimum idle time. If you leave this check box clear, then the system will
    run the task when the computer is in use.
    In the If the computer has not been idle for that long, retry for up to [xxx] minute(s)
    box, use the minute(s) box to specify how often you want the system to check to see if
    the computer has reached its minimum idle time requirement for beginning the task.
    Select Stop the task if the computer ceases to be idle to have the system stop running
    a task when the computer is once again in use. If you leave this check box clear, then the
    system will continue running the task until it is complete.
Power Management
    Select Don’t start the task if the computer is running on batteries to prevent the
    system from running the task when the computer is running with a battery as its power
    source. If you leave this check box clear, then the system will run the task even when the
    computer is on batteries.
    Select Stop the task if battery mode begins to have the system stop the task when the
    computer switches to a battery as its power source. If you leave this check box clear, then
    the system will continue running the report even when the computer switches to battery
    power.
    Select Wake the computer to run this task to have the system run the computer at
    normal power to run the scheduled report task. If you leave this check box clear (not
    checked), then the report will not run until the next scheduled time after the computer is
    removed from “sleep.”
3. Click Apply to save your changes.
4. Click OK to close the task scheduler form and return to the Report Scheduler Tasks window.
Step 6: Assigning the data source and scope
Once you have added your scheduled report tasks, you can assign the task to a particular data
source (a Manager or a database warehouse) and define the task’s scope. The scope is the event
period you want the report to cover. When the system runs the report, it retrieves any pertinent events
(that the report covers) that occurred within the period defined by the scope.
To assign the task’s data source:
1. In the Report Scheduler Tasks window’s Task Description list, select the report
schedule you want to assign.
2. Click the Load to View or Edit button.
The window’s Report Execution Settings For Selected Task section becomes enabled.
You will use this section to configure the report execution settings for the task (report
schedule) you selected above.
3. Use the Select the report data source list to select the Manager or database warehouse to
which you want to assign this task.
Note: You can only assign a task to a single Manager. If you need to assign a similar or
identical task to another Manager, then you must create a new task for that other Manager.
To assign the task’s scope:
In the Report Scope area, you will set up the task’s scope for this data source. The scope is the
event period, or time frame, for the events you want the report to cover.
1. In the Date Range list, select the date range you want the report to cover for this task and this
data source.
In the example shown above, the date range is Day: Today. This means the report will cover
the period from 12:00:00 AM to 11:59:59 PM of the current date.
For a more complex example, suppose you chose Week: Previous as the date range. The
scheduled report would contain information from the last full week, from 12:00:00 AM the last
Monday to 11:59:59 PM the last Sunday. For example, if today is Wednesday the 11th, the
task runs from 12:00:00 AM on the 2nd to 11:59:59 PM on the 8th.
The following table describes each option in the Date Range list.
Day: Today
    Run for the specified timeframe on the current (today’s) date.
Day: Yesterday
    Run for the specified timeframe on the previous (yesterday’s) date.
Week: Current
    Run from one week ago to the current time.
Week: Previous
    Run from 12:00:00 AM last Monday to at most 11:59:59 Sunday. This report will capture
    the last full week of data.
Month: Current
    Run from one month ago to the current time.
Month: Previous
    Run from 12:00:00 AM on the first of the month until 11:59:59 PM on the last day of the
    month. This report will capture the last full month of data.
User Defined
    Use this option to run any other report scopes. You can use this option to schedule reports
    for arbitrary periods, or for periods that are outside of the conventional scope of a day,
    week, or month.
2. In the Start Time and End Time boxes, type or select a start time and end time for reporting
events that occurred on this Manager. The report will only show those events that occurred on
the Manager within this period.
Note: If you select a Week or a Month scope, you cannot edit the Start Date/Time and End
Date/Time.
3. The Count Settings area only applies to count-based reports, such as “Top 20” reports. In the
Number of Items box, type or select the number of items you want the report to track.
4. To configure the report so that it automatically exports to a file, continue to "Step 7: Exporting
a scheduled report," below. Otherwise, click Save.
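The scope arithmetic above (whole days from 12:00:00 AM to 11:59:59 PM, weeks running Monday through Sunday, "Wednesday the 11th" giving the 2nd through the 8th) can be checked with a small function. The following Python is an added example, not code from the TriGeo manual or product; its reading of "one month ago" for Month: Current (the same day of the previous month, clamped to that month's last day) is an assumption, since the manual does not define it.

```python
import calendar
from datetime import date, datetime, time, timedelta

# Added example, not part of the TriGeo manual: computes the [start, end]
# window for the Date Range options used by a scheduled report's scope.

END_OF_DAY = time(23, 59, 59)


def _day_window(d):
    """12:00:00 AM to 11:59:59 PM of the calendar day d."""
    return datetime.combine(d, time.min), datetime.combine(d, END_OF_DAY)


def _previous_month(d):
    """(year, month) of the month before the one containing d."""
    return (d.year - 1, 12) if d.month == 1 else (d.year, d.month - 1)


def scope_window(date_range, now):
    """Return (start, end) datetimes for one Date Range option as of `now`.

    Day: Today/Yesterday, Week: Previous and Month: Previous follow the
    manual's definitions (midnight to 11:59:59 PM of whole days, weeks
    running Monday through Sunday).  Week: Current is "one week ago to the
    current time".  For Month: Current the manual does not define "one
    month ago", so this example assumes the same day of the previous month,
    clamped to that month's last day.
    """
    today = now.date()
    if date_range == "Day: Today":
        return _day_window(today)
    if date_range == "Day: Yesterday":
        return _day_window(today - timedelta(days=1))
    if date_range == "Week: Current":
        return now - timedelta(days=7), now
    if date_range == "Week: Previous":
        this_monday = today - timedelta(days=today.weekday())  # Monday == 0
        prev_monday = this_monday - timedelta(days=7)
        prev_sunday = prev_monday + timedelta(days=6)
        return _day_window(prev_monday)[0], _day_window(prev_sunday)[1]
    if date_range == "Month: Current":
        y, m = _previous_month(today)
        last_day = calendar.monthrange(y, m)[1]
        return now.replace(year=y, month=m, day=min(today.day, last_day)), now
    if date_range == "Month: Previous":
        y, m = _previous_month(today)
        first = date(y, m, 1)
        last = date(y, m, calendar.monthrange(y, m)[1])
        return _day_window(first)[0], _day_window(last)[1]
    # "User Defined" takes explicit Start Time / End Time boxes instead.
    raise ValueError(f"no fixed window for date range {date_range!r}")


def scope_window_iso(date_range, now_iso):
    """Same as scope_window, but takes and returns ISO 8601 strings."""
    start, end = scope_window(date_range, datetime.fromisoformat(now_iso))
    return start.isoformat(), end.isoformat()


if __name__ == "__main__":
    # Wednesday, August 11, 2010 plays the manual's "Wednesday the 11th":
    # Week: Previous should give the 2nd at 00:00:00 through the 8th at 23:59:59.
    ref = "2010-08-11T14:30:00"
    for name in ("Day: Today", "Day: Yesterday", "Week: Current",
                 "Week: Previous", "Month: Current", "Month: Previous"):
        start, end = scope_window_iso(name, ref)
        print(f"{name:16} {start} .. {end}")
```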
Step 7: Exporting a scheduled report
Finally, you can have the report utility automatically export a scheduled report in Adobe’s Portable
Document Format (.PDF) to the folder of your choice. If you do not choose to export a scheduled
report, then the system will print the report to your default printer each time it runs.
To export a scheduled report to a file:
1. Open the Report Scheduler Tasks window, if you have not already done so.
2. In the Task Description box, select the scheduled report task you want to export.
3. On the Report Settings tab, select the Export check box. This enables the other fields in this
section. This section allows you to name and export this report in the format and folder of your
choice when the task scheduler runs this report.
4. In the Format list, select the file format in which you want to export the report.
5. Click the folder icon next to the File Name box. Browse to the folder where you want to save
the report, then type a unique file name for the report.
If the report has multiple schedules, give each schedule's exported report a different
name. Otherwise, the exported files will either overwrite each other or be incremented
according to the If File Exists setting, making it difficult to tell the different
schedules' reports apart.
6. In the If File Exists list, choose one of the following options:
• Select Increment to store the new report along with any previous versions of the report
in the folder. The Report Console increments each report by appending an underscore and a
digit to the report filename. For example, the first increment is [FileName]_1.pdf, the
second is [FileName]_2.pdf, and so on.
• Select Overwrite to have each new version of the report overwrite the previous version
of the report in the folder.
7. Click Save.
8. Click Close to close the Report Scheduler Tasks window and return to the TriGeo Reports
window.
9. Repeat sections "Step 2: Adding a new scheduled report task" through "Step 7: Exporting a
scheduled report" for each report you want to schedule and assign to a particular data source.
Managing reports
The following topics explain how to edit a scheduled report task, how to delete a schedule from a
task, and how to delete a scheduled report task.
Editing a scheduled report task
When needed, you can easily make changes to a scheduled report task, or to a specific task
schedule, by editing its settings.
To edit a scheduled report task:
1. Open TriGeo Reports.
2. On the Settings tab, in the Report Categories group, click the Category list and then select
either Standard Reports or Custom Reports.
The grid displays all of the reports in the category you have selected.
3. In the grid’s Report Title column, click the name of the report that needs the schedule change.
4. On the Settings tab, in the Report Selection group, click Schedule.
The Report Scheduler Tasks window appears.
5. In the Task Description list, select the report schedule you want to edit.
6. Click Modify.
The scheduler form appears.
7. Make your report schedule changes to the Task, Schedule, and Settings tabs, as needed.
8. To change the settings for a particular schedule, click the Schedule tab. In the tab’s schedule
list, select the schedule you want to change. Use the boxes to change the settings, then click
Apply.
9. When you are finished making all of your changes, click OK to close the form.
You return to the Report Scheduler Tasks form.
10. If needed, make any changes to the Report Settings.
11. Click Save.
12. Click Close to close the Report Scheduler Tasks form.
Deleting a schedule from a task
If a particular task schedule is incorrect or no longer needed, you can easily delete it from a task's list
of schedules.
To delete a task schedule:
1. Open TriGeo Reports.
2. On the Settings tab, in the Report Categories group, click the Category list and then select
either Standard Reports or Custom Reports.
The grid displays all of the reports in the category you have selected.
3. In the grid’s Report Title column, click the name of the report for which you want to delete a
task schedule.
4. On the Settings tab, in the Report Selection group, click Schedule.
The Report Scheduler Tasks window appears.
5. In the Task Description list, select the scheduled report that has a schedule you want to
delete.
6. Click Modify.
The task schedule form appears.
7. Click the Schedule tab and select the Show Multiple Schedules check box if it has not been
selected.
8. In the schedule list box, select the schedule you want to delete.
9. Click Delete.
10. Click Close to close the Report Scheduler Tasks form.
Deleting a scheduled report task
If a scheduled report task is incorrect or no longer needed, you can easily delete it from your task list.
To delete a scheduled report task:
1. Open TriGeo Reports.
2. On the Settings tab, in the Report Categories group, click the Category list and then select
either Standard Reports or Custom Reports.
The grid displays all of the reports in the category you have selected.
3. In the grid’s Report Title column, click the name of the scheduled report that has a task you
want to delete.
4. On the Settings tab, in the Report Selection group, click Schedule.
The Report Scheduler Tasks window appears.
5. In the Task Description list, select the scheduled report task you want to delete.
6. Click Delete.
7. At the confirmation prompt, click Yes. Otherwise, click No to keep the scheduled report task.
8. Click Close to close the Report Scheduler Tasks form.
Viewing reports
The topics in this section explain how to open, view, and manipulate a report image shown in the
TriGeo Reports Preview pane.
Opening your saved reports
Whenever a report is saved or exported to .rpt format, you can use the Open command to reopen and
view the report’s contents. This applies to scheduled reports that the system has run and saved, as
well as on-demand reports that you have run and exported for later viewing.
To open a saved report:
1. Open TriGeo Reports.
2. Do one of the following:
• Click the Menu Button and then click Open Report.
• On the Quick Access Toolbar, click Open Report.
• On the Settings tab, in the Report Selection group, click Open.
The Open Report File form appears.
3. Use the Open Report File form to browse to the report file you want to view.
Note: If the report cannot be found where it is expected, be sure you have selected Crystal
Reports (*.rpt) in the File type list.
4. Select the file and then click Open.
The report opens in the TriGeo Reports Preview pane. You may now view, search, resize,
print, or export the report, as needed.
Viewing the sections of a master report
Some of TriGeo's standard reports are "master" reports. A master report is a report made up of a
series of sub-topics, where each sub-topic contains a specific set of details about the higher-level
master topic. Together, these topics make up the whole report, just as individual chapters make up a
book.
When a report has more than one sub-topic, a sub-topic pane appears to the left of the TriGeo
Reports window's Preview pane. The sub-topic pane lists the sub-topics that are found in the report.
If you click a sub-topic, the Preview pane displays the first page of that section of the report.
To view a section of a master report:
• In the sub-topic pane, select the sub-topic you want to see.
The Preview pane displays the first page of that section of the report.
For example, when the Preview pane is showing the Authentication report, the sub-topic pane
shows that this report has sub-topics on suspicious authentications, authentication failures, user
logons, user logoffs, user logon failures, and so on. Clicking a sub-topic displays that section of the
report.
Hiding and showing a master report's sub-topic pane
Whenever you are previewing a master report (that is, a report that has lower-level topics), the View
tab's Tree button becomes enabled. You can use this button to toggle between hiding and
revealing the report's sub-topic pane.
To hide the sub-topic pane:
• On the View tab, in the View group, click the Tree button.
The sub-topic pane becomes hidden.
To restore the sub-topic pane:
• On the View tab, in the View group, click the Tree button again.
The sub-topic pane appears again.
Viewing the pages of a report
In the TriGeo Reports window, the View tab’s Navigate group has a toolbar that you can use to
browse through the pages of a multi-page report. If the report has only one page, then this toolbar is
disabled.
To view the pages of a report:
1. In the TriGeo Reports window, open or run the report you want to view.
2. Click the View tab.
3. In the Navigate group, use the toolbar to view the report, as described in the following table.
Button
Function
First-page button: Displays the first page of the report.
Previous-page button: Displays the previous page of the report.
Next-page button: Displays the next page of the report.
Last-page button: Displays the last page of the report.
Page box: Displays the page number that is currently shown in the Preview
frame, as well as the total number of pages in the report. If the
Console has not yet tallied the total number of pages, you will see
however many pages it is certain of and a "+" to indicate that there
are more pages.
To determine how many pages are in the report, click the last-page
button. This takes you to the last page of the report, forcing the
Console to determine how many pages there are. It also causes
the 1+ to display the actual number of pages.
You can also use this feature to display a particular page of the
report. In the Page box, type the page number you want to see and
then press Enter. The Preview frame then displays that page.
Magnifying and reducing report pages
You can use the TriGeo Reports Zoom feature to resize a report by typing or selecting a percentage
of the report’s actual size. You can magnify (zoom in) or reduce (zoom out) on a report, or have the
report expand or reduce to fit the Preview pane.
To zoom in or out on a report:
1. In TriGeo Reports, open or run the report you want to view.
The report appears in the Preview pane.
2. On the View tab, in the View group, click the Zoom list and then select the option you want.
• Select Page Width to have the width of the report page match that of the Preview
pane.
• Select Whole Page to display the entire report page within the Preview pane.
• Select anything less than 100% to reduce the report accordingly. For example, 50%
displays the report at half its normal size.
• Select 100% to display the report in its actual size.
• Select anything greater than 100% to magnify the page accordingly. For example,
200% displays the report at twice its normal size.
• In the Zoom box, type a [number]% for the magnification you want, and then press
Enter. For example, type 33% to reduce the image to one-third of its actual size. Or
type 175% to magnify the report so it is three-quarters larger than its normal size.
Stopping a report in progress
• To stop running or loading a report that is in progress, click the Stop button on the status bar, in
the lower-right corner of the TriGeo Reports window.
Searching reports for specific text
The TriGeo Reports window has a Search tool that you can use to
search for key words or phrases in text-based reports.
This tool only works when you are viewing a text-based view of a
report in the Preview pane. You cannot use this tool with graphical-only reports, or with the
default graphical view that is displayed when you first run the report.
Viewing the text-based details of a report
Do either of the following:
• Open a page that is past the graphical section of the report, into the report content pages.
• On the View tab, click the Tree button to open the report's list of sub-topics. Then click the
content-based sub-topic to jump to that section of the report. For more information, see "Viewing
reports" on page 475.
Using the Search tool
1. In the TriGeo Reports window, open or run the report you want to view.
The report appears in the Preview pane.
2. Display the text-based details you want to search in the Preview pane.
3. On the View tab, in the Navigate group, click Search.
The Find form appears.
4. In the Find what box, type the text you want to search for.
5. Select Match whole word only to match entire words only, ignoring occurrences of the text
inside longer words.
6. Select Match case to make the search sensitive to uppercase or lowercase letters.
7. In the Direction area, click Up to search from where you are now to the start of the document,
or click Down to search from where you are now to the end of the document.
8. Click Find Next.
The tool locates the next instance of the text in the report and highlights it for easy viewing.
9. Continue clicking Find Next for each remaining instance of the text you want to find.
10. When you are finished, click Cancel to close the Find form.
Using the Select Expert tool
The Select Expert tool lets you use queries to create a smaller, more focused report from a larger
text-based report. In this manner, you can create reports with very focused information.
This tool only works when you are viewing a text-based view of a report in the Preview frame. You
cannot use this tool with the default graphical view that is displayed when you first run the report.
Note: Using the Select Expert to filter report data by date or time fields (such as InsertionTime or
DetectionTime) will result in an error. If you receive this error, clear the error prompt, return to the
Select Expert, and delete the time-based filter. To filter by time and date, you must run the report with
the specified range.
Running a query with the Select Expert tool
1. In TriGeo Reports, open or run the report you want to work with.
The report appears in the Preview pane.
2. On the View tab, in the View group, click Select Expert.
The Select Expert form appears.
3. Click either the New button or the <New> tab.
The Fields form appears. This form displays all of the various report fields that you can query
on this report.
You can click the Browse button to bring up a list of available fields that you can select with
the tool.
4. Select the field you want to query, then click OK.
The Select Expert form appears. The first tab displays the field name you have selected. It
lists the query options for that field and has an adjacent list where you can select a specific
value.
5. In the tab’s left-hand list box (or boxes), select a query option for the field. Then, in the
adjacent right-hand list box, select a specific value for the field.
If needed, you can click the Browse Data button to see a complete list of values that are
present in the report for that field. From the Browse Data box, you can select a value; then
click Close to apply that value to the query.
6. Repeat Steps 3 – 5 for each field you want to add to the query.
7. Click OK to close the form and apply the query; otherwise, click Cancel.
The new report appears in the Preview frame. If needed, you can use the Preview frame's toolbar
to save or export the report.
Restoring the original report
When you are through querying a report with the Select Expert tool, you can restore the report to its
original state.
To turn off the Select Expert settings:
1. On the View tab, in the View group, click Select Expert.
The Select Expert form appears.
2. Click Delete to remove the query options.
3. Click OK.
The original report appears in the Preview frame.
Printing reports
You can print any report shown in the TriGeo Reports window’s Preview pane.
Printing a report
1. In the TriGeo Reports window, open or run the report you want to print.
The report appears in the Preview pane.
2. On the View tab, in the Output group, click Print.
The Print form appears.
3. Select the printer and any print options you want.
4. Click Print.
The report is printed according to the print options you selected.
Setting up printer preferences
Use the Printer Setup command to define the default print settings the Print command is to use
when printing TriGeo reports. For example, if you usually print in landscape, you can select that
preference here. The Print command will then print in landscape, by default. Whenever you need to
override a default setting, you can always do so with the normal Print dialog box.
To set up printer preferences:
1. In the TriGeo Reports window, open or run the report you want to print.
The report appears in the Preview pane.
2. On the View tab, in the Preferences group, click Printer Setup.
The Page Setup form appears.
3. Select the Paper, Orientation, Margin, and Printer options you want.
A preview section at the top of the form displays a thumbnail version of the report with the
options you have selected.
4. Click OK.
The Print command now uses these settings by default.
Exporting a report
Use this procedure to export the report shown in the TriGeo Reports window's Preview pane. You
can choose to export the report as an Adobe Portable Document Format (.PDF) file, a Crystal Reports RPT
file, HTML, a Microsoft Excel file, or several other common file formats. TriGeo officially
supports the PDF and RPT formats.
To export a report:
1. In the TriGeo Reports window, open or run the report you want to export.
The report appears in the Preview pane.
2. On the View tab, in the Output group, click Export.
The Export form appears.
3. In the Format list, select the file type in which you want to save the report. The Description
box at the bottom of the form describes each file format that you choose.
4. Use the Destination list to browse to the folder in which you want to save the file.
5. Click OK.
The system saves the file to the folder and in the format that you selected.
Appendix A: Alert Types
This appendix describes every alert type that is displayed in the Alerts Panel and that can be
configured with the Policy commands. For more information, see "About the Monitor view" on page
63, and "Configuring alert distribution policy" on page 397.
Types of alerts
The TriGeo SIM reports alerts in a hierarchical node tree. When you click a node to open
it, you will see that most nodes also have lower-level nodes. Each node that has lower-level nodes is
called a parent node. Similarly, all lower-level nodes below a particular parent node can be thought of
as child nodes, or children, of that parent node. The terms parent and child describe a node
relative to its position and role in the tree. That is, a node can be a child of one node and a
parent of others.
The TriGeo SIM automatically assigns alerts to the nodes of the alert tree based on the specific
nature of the alert and its severity.
Alert types
There are five types of alerts:
• Security Alerts are generally related to network activity that is consistent with an internal or
external attack, a misuse or abuse of resources, a resource compromise, resource probing, or
other abnormal traffic that is noteworthy. Security Alert events indicate aggressive behavior
that may lead to an attack or resource compromise, or suspicious behavior that may indicate
unauthorized information gathering. The TriGeo SIM infers some Security Alerts from what is
normally considered audit traffic, but it escalates the events to alert status based on thresholds
that are defined by Rules.
• Internal Alerts are related to the operation of the TriGeo SIM system. Any events generated
by TriGeo relating to Active Response, TriGeo users, or TriGeo errors will appear under one of
the many children. These alerts are for informational purposes. They do not necessarily reflect
conditions that should cause alarm. Alerts that may reflect potential issues within TriGeo SIM
are specifically marked for forwarding to TriGeo.
• Audit Alerts are generally related to normal network activity that would not be considered an
attack, compromise, or misuse of resources. Many of the audit alerts have rules that can be
used to threshold and escalate "normal" behavior into something which may be considered a
security event.
• Incident alerts are used to raise global enterprise-wide visibility in response to any issue
detected by TriGeo Rules. Incidents generally reflect serious issues that should be addressed.
Since Incidents are created by Rules, any combination of malicious or suspicious traffic from
any other single alert or combination of alerts can create an Incident.
• Asset alerts relate to the changing state of different types of enterprise assets, including
software, hardware, and users. These alerts can indicate changes made to system configurations,
software updates, patch applications, vulnerability information, and other system events.
The following topics list and describe every preconfigured alert message that can appear in the Alert
grid. For your convenience, they are listed alphabetically.
Asset Alerts
Asset Alerts deal with assets and asset scan results. They relate to the changing state of different
types of enterprise assets, including software, hardware, and users. Asset information can come
from centralized directory service tools, or it can be scan information from security scan tools,
including Vulnerability Assessment and Patch Management tools. Therefore, these alerts indicate
changes made to system configurations, software updates, patch applications, vulnerability
information, and other system events.
Each Asset Alert is described below. For your convenience, they are listed alphabetically.
AssetManagement
AssetManagement alerts are for gathering non-realtime data about system assets (computer,
software, users). The data will come from various sources, including Directory Service tools.
AssetManagement > MachineAsset
MachineAsset is a specific type of AssetManagement alert that indicates additions, removals, and
updates (including software installation) of specific nodes that exist in the enterprise.
AssetManagement > MachineAsset > MachineAssetAdded
MachineAssetAdded alerts indicate a new presence of a node (host or network device) in the
enterprise.
AssetManagement > MachineAsset > MachineAssetRemoved
MachineAssetRemoved alerts indicate the removal of a node (host or network device) from the
enterprise.
AssetManagement > MachineAsset > MachineAssetUpdated
MachineAssetUpdated alerts indicate a change to an existing node (host or network device) in the
enterprise, including new software and software patch installations on the node.
AssetManagement > MachineAsset > MachineAssetUpdated > SoftwareAssetUpdated
SoftwareAssetUpdated alerts indicate an attempted software change (including application of a
software patch) to an existing node (host or network device) in the enterprise, successful or failed.
AssetManagement > MachineAsset > MachineAssetUpdated > SoftwareAssetUpdated >
SoftwareAssetPatched
SoftwareAssetPatched alerts indicate a successful application of a software patch to an existing
node (host or network device) in the enterprise.
AssetManagement > MachineAsset > MachineAssetUpdated > SoftwareAssetUpdated >
SoftwareAssetPatchFailed
SoftwareAssetPatchFailed alerts indicate a failed application of a software patch to an existing node
(host or network device) in the enterprise.
AssetManagement > SoftwareAsset
SoftwareAsset is a specific type of AssetManagement alert that indicates additions, removals, and
updates of specific software and software versions that exist in the enterprise.
AssetManagement > SoftwareAsset > SoftwareAssetAdded
SoftwareAssetAdded alerts indicate a new presence of an installation of specific software
applications or operating systems in the enterprise.
AssetManagement > SoftwareAsset > SoftwareAssetAdded > SoftwareAssetVersionAdded
SoftwareAssetVersionAdded alerts indicate a new version installation of specific known software
applications or operating systems in the enterprise.
AssetManagement > SoftwareAsset > SoftwareAssetRemoved
SoftwareAssetRemoved alerts indicate removals of specific software applications or operating
systems from the enterprise.
AssetManagement > UserAsset
UserAsset is a specific type of AssetManagement alert that indicates additions, removals, and
updates to users and user groups that exist in the enterprise.
AssetManagement > UserAsset > GroupAssetAdded
GroupAssetAdded alerts indicate a new presence of a user group in the enterprise.
AssetManagement > UserAsset > GroupAssetRemoved
GroupAssetRemoved alerts indicate the removal of a user group from the enterprise.
AssetManagement > UserAsset > GroupAssetUpdated
GroupAssetUpdated alerts indicate a change to a user group that exists in the enterprise, including
group member additions and deletions.
AssetManagement > UserAsset > GroupAssetUpdated > GroupAssetMemberAdded
GroupAssetMemberAdded alerts indicate an addition of a user member to a user group that exists in
the enterprise.
AssetManagement > UserAsset > GroupAssetUpdated > GroupAssetMemberRemoved
GroupAssetMemberRemoved alerts indicate a removal of a user member from a user group that
exists in the enterprise.
AssetManagement > UserAsset > UserAssetAdded
UserAssetAdded alerts indicate a new presence of a user in the enterprise.
AssetManagement > UserAsset > UserAssetRemoved
UserAssetRemoved alerts indicate the removal of a user from the enterprise.
AssetManagement > UserAsset > UserAssetUpdated
UserAssetUpdated alerts indicate a change to a user that exists in the enterprise.
AssetScanResult
AssetScanResult contains alerts useful for data gathered from security scan results (reports). These
alerts are commonly gathered from Vulnerability Assessment and Patch Management tools.
AssetScanResult > ExposureFound
ExposureFound alerts indicate scan results that are not high risk but demonstrate configuration
issues or potential risks. These alerts may indicate exposures that can potentially cause future
exploits or have been common sources of exploits in the past, such as common open ports or host
configuration issues.
AssetScanResult > VulnerabilityFound
VulnerabilityFound alerts indicate scan results that demonstrate high risk vulnerabilities. These alerts
can indicate the presence of serious exposures that should be addressed and can represent
significant risk of exploit or infection of enterprise assets.
GeneralAsset
GeneralAsset alerts are generated when a supported product outputs data that has not yet been
normalized into a specific alert, but is known to be asset issue-related.
Audit Alerts
Alerts that are children of AuditAlert node are generally related to normal network activity that would
not be considered an attack, compromise, or misuse of resources. Many of the audit alerts have rules
that can be used to threshold and escalate “normal” behavior into something which may be
considered a security event.
Each Audit Alert is described below. For your convenience, they are listed alphabetically.
AuthAudit
Alerts that are part of the AuthAudit tree are related to authentication and authorization of accounts
and account "containers" such as groups or domains.
These alerts can be produced from any network node including firewalls, routers, servers, and clients.
AuthAudit > DomainAuthAudit
DomainAuthAudit events are authentication, authorization, and modification events related only to
domains, subdomains, and account containers. These alerts are normally operating system related,
however could be produced by any network device.
AuthAudit > DomainAuthAudit > NewDomainMember
NewDomainMember events occur when an account or account container has been added to a
domain. Usually, these additions are made by a user account with administrative privileges, but
occasionally a NewDomainMember alert will also happen when local system maintenance activity
takes place.
AuthAudit > DomainAuthAudit > DeleteDomainMember
DeleteDomainMember events occur when an account or account container has been removed from a
domain. Usually, these changes are made by a user account with administrative privileges, but
occasionally a DeleteDomainMember alert will also happen when local system maintenance activity
takes place.
AuthAudit > DomainAuthAudit > ChangeDomainMember
A ChangeDomainMember alert occurs when an account or account container within a domain is
modified. Usually, these changes are made by a user account with administrative privileges, but
occasionally a ChangeDomainMember alert will also happen when local system maintenance activity
takes place.
AuthAudit > DomainAuthAudit > ChangeDomainMember > DomainMemberAlias
DomainMemberAlias events happen when an account or account container within a domain has an
alias created, deleted, or otherwise modified. This event is uncommon and is used to track links
between domain members and other locations in the domain where the member may appear.
The alias for a domain member has been changed.
AuthAudit > DomainAuthAudit > NewDomain
NewDomain events occur upon creation of a new trust relationship between domains, creation of a
new subdomain, or creation of new account containers within a domain. Usually, these creations are
done by a user account with administrative privileges.
AuthAudit > DomainAuthAudit > ChangeDomainAttribute
ChangeDomainAttribute events occur when a domain type is changed. These events are uncommon
and usually provided by the operating system. Usually, these changes are made by a user account
with administrative privileges, but occasionally a ChangeDomainAttribute alert will also happen when
local system maintenance activity takes place.
AuthAudit > DomainAuthAudit > DeleteDomain
DeleteDomain events occur upon removal of a trust relationship between domains, deletion of a
subdomain, or deletion of account containers within a domain. Usually, these changes are made by a
user account with administrative privileges.
AuthAudit > GroupAudit
GroupAudit events are authentication, authorization, and modification events related only to account
groups. These alerts are normally operating system related, however could be produced by any
network device.
AuthAudit > GroupAudit > ChangeGroupAttribute
ChangeGroupAttribute events occur when a group type is modified. Usually, these changes are made
by a user account with administrative privileges, but occasionally a ChangeGroupAttribute alert will
also happen when local system maintenance activity takes place.
AuthAudit > GroupAudit > DeleteGroup
DeleteGroup events occur upon deletion of a group of any type. Usually, these deletions are
made by a user account with administrative privileges.
AuthAudit > GroupAudit > DeleteGroupMember
DeleteGroupMember events occur when an account or group has been removed from a group.
Usually, these changes are made by a user account with administrative privileges, but occasionally a
DeleteGroupMember alert will also happen when local system maintenance activity takes place.
AuthAudit > GroupAudit > NewGroup
NewGroup events occur upon creation of a new group of any type. Usually, these additions are made
by a user account with administrative privileges.
AuthAudit > GroupAudit > NewGroupMember
NewGroupMember events occur when an account (or other group) has been added to a group.
Usually, these additions are made by a user account with administrative privileges, but occasionally
a NewGroupMember alert will also happen when local system maintenance activity takes place.
A new user, machine, or service account has been added to the group.
AuthAudit > MachineAuthAudit
MachineAuthAudit events are authentication, authorization, and modification events related only to
computer or machine accounts. These alerts can be produced from any network node including
firewalls, routers, servers, and clients, but are normally operating system related.
AuthAudit > MachineAuthAudit > MachineAuthTicketFailure
MachineAuthTicketFailure alerts reflect failed computer or machine account ticket events from
network devices that use a ticket-based single-sign-on system (such as Kerberos or Windows
domains). Each alert will reflect the point on the network where the computer or machine was
attempting logon. In larger quantities, these alerts may reflect a potential issue with a computer or set
of computers, but as individual events they are generally not a problem.
AuthAudit > MachineAuthAudit > MachineAuthTicket
MachineAuthTicket alerts reflect computer or machine account ticket events from network devices
monitored by Contego that use a ticket-based single-sign-on system (such as Kerberos or Windows
domains). Each alert will reflect the type of device the logon was intended for along with all other
relevant fields.
AuthAudit > MachineAuthAudit > MachineDisable
MachineDisable events occur when a machine account is actively disabled and/or when an account
is forcibly locked out by the operating system or other authentication tool. These events are usually
operating system related and could reflect a potential issue with a computer or set of computers.
AuthAudit > MachineAuthAudit > MachineEnable
MachineEnable alerts reflect the action of enabling a computer or machine account. These events are
normally OS-related and will trigger when a machine is 'enabled', normally by a user with
administrative privileges.
AuthAudit > MachineAuthAudit > MachineLogoff
MachineLogoff alerts reflect computer or machine account logoff events from network devices
(including network infrastructure devices, where appropriate). Each alert will reflect the type of device
from which the user was logging off. These alerts are usually normal events but are tracked for
consistency and auditing purposes.
AuthAudit > MachineAuthAudit > MachineLogonFailure
MachineLogonFailure alerts reflect failed computer or machine account logon events from network
devices (including network infrastructure devices, when appropriate). Each alert will reflect the point
on the network where the computer or machine was attempting logon. In larger quantities, these
alerts may reflect a potential issue with a computer or set of computers, but as individual events they
are generally not a problem.
AuthAudit > MachineAuthAudit > MachineLogon
MachineLogon events reflect computer or machine account logon events from network devices
monitored by Contego (including network infrastructure devices, when appropriate). Each alert will
reflect the type of device that the logon was intended for along with all other relevant fields. These
events are normally operating system related.
500
Audit Alerts
AuthAudit > MachineAuthAudit > MachineModifyAttribute
MachineModifyAttribute events occur when a computer or machine type is changed. These events
are uncommon and usually provided by the operating system.
AuthAudit > MachineAuthAudit > MachineModifyPrivileges
MachineModifyPrivileges events are created when a computer or machine's privileges are elevated or
demoted based on their logon or activities they are performing. These events are uncommon.
AuthAudit > UserAuthAudit
UserAuthAudit events are authentication, authorization, and modification events related only to user
accounts. These alerts can be produced from any network node including firewalls, routers, servers,
and clients.
AuthAudit > UserAuthAudit > UserAuthTicketFailure
UserAuthTicketFailure alerts reflect failed user account ticket events from network devices that use
a ticket-based single-sign-on system (such as Kerberos or Windows domains). Each alert will reflect
the point on the network where the user was attempting logon. In larger quantities, these alerts may
reflect a potential issue with a user or set of users, but as individual events they are generally not a
problem.
AuthAudit > UserAuthAudit > UserAuthTicket
UserAuthTicket alerts reflect user account ticket events from network devices monitored by Contego
that use a ticket-based single-sign-on system (such as Kerberos or Windows domains). Each alert
will reflect the type of device that the logon was intended for along with all other relevant fields.
AuthAudit > UserAuthAudit > UserDisable
UserDisable events occur when a user account is actively disabled and/or when a user is forcibly
locked out by the operating system or other authentication tool. These events are usually operating
system related and could reflect a potential issue with a user or set of users.
AuthAudit > UserAuthAudit > UserEnable
UserEnable alerts reflect the action of enabling a user account. These events are normally OS-related
and will trigger both when an account is 'unlocked' after lockout due to unsuccessful logons and
when it is 'enabled' in the traditional sense.
AuthAudit > UserAuthAudit > UserLogoff
UserLogoff alerts reflect account logoff events from network devices (including network infrastructure
devices). Each alert will reflect the type of device from which the user was logging off. These alerts
are usually normal events but are tracked for consistency and auditing purposes.
AuthAudit > UserAuthAudit > UserLogon
UserLogon alerts reflect user account logon events from network devices monitored by Contego
(including network infrastructure devices). Each alert will reflect the type of device that the logon was
intended for along with all other relevant fields.
AuthAudit > UserAuthAudit > UserLogonFailure
UserLogonFailure alerts reflect failed account logon events from network devices (including network
infrastructure devices). Each alert will reflect the point on the network where the user was attempting
logon. In larger quantities, these alerts may reflect a potential issue with a user or set of users, but as
individual events they are generally not a problem.
With TriGeo policy, you can configure repeated occurrences of this event to escalate to FailedAuthentication
in the Security tree, reflecting the increase in severity of the event over several occurrences.
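The escalation described above, as an added example that is not code from the TriGeo SIM User Guide or product: it models the hierarchical "A > B > C" alert tree from this appendix (a filter on a parent type also matches its descendants) and counts UserLogonFailure alerts per account in a sliding window, emitting a FailedAuthentication alert for the Security tree once a threshold is reached. The ALERT_PARENT subset, the sample alert stream, and the threshold and window values are constructed for illustration, not a real TriGeo policy.

```python
"""Hierarchical alert matching and threshold escalation over the alert tree.

Added example, not part of the TriGeo SIM User Guide or product code. ALERT_PARENT is a
hand-built subset of the "A > B > C" paths listed in this appendix; the alert records,
threshold and window below are constructed values, not a real policy.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

# Child -> parent, taken from the alert paths in the appendix (subset only).
ALERT_PARENT: Dict[str, str] = {
    "GroupAudit": "AuthAudit",
    "NewGroupMember": "GroupAudit",
    "MachineAuthAudit": "AuthAudit",
    "MachineLogonFailure": "MachineAuthAudit",
    "UserAuthAudit": "AuthAudit",
    "UserLogon": "UserAuthAudit",
    "UserLogonFailure": "UserAuthAudit",
}


def ancestors(alert: str) -> List[str]:
    """Path from the tree root down to the alert itself, e.g.
    ['AuthAudit', 'UserAuthAudit', 'UserLogonFailure']."""
    path = [alert]
    while path[-1] in ALERT_PARENT:
        path.append(ALERT_PARENT[path[-1]])
    return path[::-1]


def matches(alert: str, filter_type: str) -> bool:
    """A filter placed on a parent type also matches every alert beneath it."""
    return filter_type in ancestors(alert)


class ThresholdEscalator:
    """Counts UserLogonFailure alerts per account inside a sliding time window and,
    when the count reaches `threshold`, emits a FailedAuthentication alert for the
    Security tree (the escalation the appendix describes for repeated failures)."""

    def __init__(self, threshold: int = 5, window_seconds: int = 300) -> None:
        self.threshold = threshold
        self.window = window_seconds
        self._recent: Dict[str, Deque[int]] = defaultdict(deque)

    def feed(self, ts: int, alert: str, user: str) -> Optional[dict]:
        """Process one alert; return the escalated alert, or None if nothing fired."""
        if not matches(alert, "UserLogonFailure"):
            return None  # successful logons and machine-account failures are not counted
        times = self._recent[user]
        times.append(ts)
        while times and ts - times[0] > self.window:
            times.popleft()  # drop failures that have aged out of the window
        if len(times) >= self.threshold:
            count = len(times)
            times.clear()  # one burst yields one incident, not one per extra failure
            return {"alert": "FailedAuthentication", "tree": "Security",
                    "user": user, "count": count, "at": ts}
        return None


# Constructed sample stream: (seconds, alert type, account).
SAMPLE_ALERTS: List[Tuple[int, str, str]] = [
    (0, "UserLogonFailure", "jsmith"),
    (5, "UserLogon", "alice"),
    (10, "UserLogonFailure", "jsmith"),
    (12, "MachineLogonFailure", "WS01$"),
    (20, "UserLogonFailure", "jsmith"),
    (25, "UserLogonFailure", "alice"),
    (30, "UserLogonFailure", "jsmith"),
    (40, "UserLogonFailure", "jsmith"),      # fifth failure for jsmith within 40 s
    (50, "UserLogonFailure", "bob"),
    (150, "UserLogonFailure", "bob"),
    (250, "UserLogonFailure", "bob"),
    (350, "UserLogonFailure", "bob"),
    (450, "UserLogonFailure", "bob"),        # the 50 s failure has aged out by now
]


def run_sample(threshold: int = 5, window_seconds: int = 300) -> List[dict]:
    """Feed the sample stream through the escalator and collect the incidents."""
    esc = ThresholdEscalator(threshold, window_seconds)
    incidents = []
    for ts, alert, user in SAMPLE_ALERTS:
        hit = esc.feed(ts, alert, user)
        if hit:
            incidents.append(hit)
    return incidents


if __name__ == "__main__":
    for inc in run_sample():
        print(inc)
```

With the default 300-second window only jsmith escalates; bob's five failures are spread over 400 seconds, so the oldest one expires before the fifth arrives.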
AuthAudit > UserAuthAudit > UserModifyAttribute
UserModifyAttribute events occur when a user type is changed. These events are uncommon and
usually provided by the operating system.
AuthAudit > UserAuthAudit > UserModifyPrivileges
UserModifyPrivileges events are created when a user's privileges are elevated or demoted based on
their logon or activities they are performing. These events are uncommon.
GeneralAudit
GeneralAudit alerts are generated when a supported product outputs data that has not yet been
normalized into a specific alert, but is known to be audit-related.
MachineAudit
MachineAudit alerts are used to track hardware or software status and modifications. These events
are generally acceptable, but do indicate modifications to the client system that may be noteworthy.
MachineAudit > SoftwareInstall
SoftwareInstall alerts reflect modifications to the system at a software level, generally an OS level (or
equivalent, in the case of a network infrastructure device). These alerts are generated when a user
updates a system or launches system-native methods to install third party applications.
MachineAudit > SoftwareInstall > SoftwareUpdate
SoftwareUpdate is a specific type of SoftwareInstall that reflects a more current version of software
being installed to replace an older version.
MachineAudit > SystemScan
SystemScan alerts reflect information related to scheduled or on-demand scans of systems. These
alerts are generally produced by Anti-Virus, Patch Management, and Vulnerability Assessment tools,
and indicate the start, finish, and information related to a scan.
MachineAudit > SystemScanInfo
SystemScanInfo is a specific type of SystemScan alert that reflects information related to a system
scan. Most of these events can safely be ignored, as they are generally normal activity that does not
reflect a failure or abnormal state.
MachineAudit > SystemScanStart
SystemScanStart is a specific type of SystemScan alert that indicates initiation of a system scan.
MachineAudit > SystemScanStop
SystemScanStop is a specific type of SystemScan alert that indicates completion of a system scan.
This activity is generally normal; however, in the error or failure state a specific alert will be generated.
MachineAudit > SystemScanWarning
SystemScanWarning is a specific type of SystemScan alert that indicates a scan has returned a
'Warning' message indicating an issue. These alerts may indicate scan issues that should be
corrected for future scans.
MachineAudit > SystemStatus
SystemStatus alerts reflect general system state events. These events are generally normal and
informational; however, they could potentially reflect a failure or issue which should be addressed.
MachineAudit > SystemStatus > SystemReboot
SystemReboot is a specific type of SystemStatus alert that is used to audit system restarts. This
alert will only be generated if the system restart was normal and not a result of a crash or other failure
condition.
MachineAudit > SystemStatus > SystemReboot > SystemShutdown
SystemShutdown is a specific type of SystemStatus alert that is used to audit system shutdowns,
including both expected and unexpected shutdowns. In the event the shutdown was unexpected, the
event detail will note the information provided by the tool related to the abnormality.
PolicyAudit
PolicyAudit events are used to track access, modification, scope change, and creation of
authentication, domain, account, and account container policies. Many of these alerts reflect normal
system traffic. Most PolicyAudit alerts are provided by the Operating System.
PolicyAudit > NewAuthPolicy
NewAuthPolicy alerts occur when a new authorization or authentication package, process, or logon
handler is applied to an item (usually an account or domain). In the operating system context, these
events will often occur on boot as the system initializes the appropriate authentication policies for
itself.
PolicyAudit > PolicyAccess
PolicyAccess alerts reflect all levels of access to policy, mostly targeting domain, account, access,
and logon policy modifications.
PolicyAudit > PolicyAccess > PolicyModify
PolicyModify alerts reflect all types of modifications to contained policies, both at a local and
domain/account container level. In the context of a network infrastructure device, this would be a
modification to access control lists or other similar policies on the device.
PolicyAudit > PolicyAccess > PolicyModify > DomainPolicyModify
DomainPolicyModify alerts are a specific type of PolicyModify alerts that reflect changes to domain
and account container level policies. These types of policies are generally related to the operating
system. Usually these modifications are made by a user with administrative privileges, but
occasionally these changes can also be triggered by the local system.
PolicyAudit > PolicyAccess > PolicyScopeChange
PolicyScopeChange alerts are a specific type of PolicyAccess alert that reflect a new scope or
assignment of policy to users, groups, domains, interfaces, or other items.
In the context of the operating system, these events are usually describing elevation of user
privileges according to predefined policies. The process of this elevation is considered a scope
change as the user is being brought under a new scope of privileges appropriate to the type of access
they are requesting (and being granted). These events may accompany or precede object or file
opens, including other policies.
PolicyAudit > PolicyAccess > GroupPolicyModify
GroupPolicyModify alerts are specific PolicyAccess alerts used to describe modifications to account
group policies. Usually these modifications are made by a user with administrative privileges, but
occasionally these changes can also be triggered by the local system.
ResourceAudit
Members of the ResourceAudit tree are used to define different types of access to network
resources. These resources may be network bandwidth/traffic, files, client processes or services, or
other types of shared security-related 'commodities'.
ResourceAudit > FileAudit
FileAudit alerts are used to track file activity on monitored network devices, usually through the
Operating System or a Host-Based IDS. These events will note success or failure of the requested
operation.
ResourceAudit > FileAudit > FileAuditFailure
FileAuditFailure alerts are used to track failed file activity on monitored network devices, usually
through the Operating System or a Host-Based IDS. These events will note what requested operation
failed.
ResourceAudit > FileAudit > FileRead
FileRead is a specific FileAudit alert generated for the operation of reading files (including reading
properties of a file or the status of a file). These alerts may be produced by any tool that is used to
monitor the activity of file usage, including a Host-Based IDS and some Operating Systems.
ResourceAudit > FileAudit > FileRead > FileExecute
FileExecute is a specific FileRead alert generated for the operation of executing files. These alerts
may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based
IDS and some Operating Systems.
ResourceAudit > FileAudit > FileRead > FileDataRead
FileDataRead is a specific FileRead alert generated for the operation of reading data from a file (not
just properties or status of a file). These alerts may be produced by any tool that is used to monitor the
activity of file usage, including a Host-Based IDS and some Operating Systems.
ResourceAudit > FileAudit > FileWrite
FileWrite is a specific FileAudit alert generated for the operation of writing to a file (including writing
properties of a file or changing the status of a file). These alerts may be produced by any tool that is
used to monitor the activity of file usage, including a Host-Based IDS and some operating systems.
ResourceAudit > FileAudit > FileWrite > FileDataWrite
FileDataWrite is a specific FileWrite alert generated for the operation of writing data to a file (not just
properties or status of a file). These alerts may be produced by any tool that is used to monitor the
activity of file usage, including a Host-Based IDS and some Operating Systems.
ResourceAudit > FileAudit > FileWrite > FileCreate
FileCreate is a specific FileWrite alert generated for the initial creation of a file. These alerts may be
produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and
some Operating Systems.
ResourceAudit > FileAudit > FileWrite > FileMove
FileMove is a specific FileWrite alert generated for the operation of moving a file that already exists.
These alerts may be produced by any tool that is used to monitor the activity of file usage, including a
Host-Based IDS and some Operating Systems.
ResourceAudit > FileAudit > FileWrite > FileDelete
FileDelete is a specific FileWrite alert generated for the deletion of an existing file. These alerts may
be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS
and some Operating Systems.
ResourceAudit > FileAudit > FileWrite > FileAttributeChange
FileAttributeChange is a specific FileWrite alert generated for the modification of file attributes
(including properties such as read-only status). These alerts may be produced by any tool that is used
to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems.
ResourceAudit > FileAudit > FileWrite > FileLink
FileLink is a specific FileWrite alert generated for the creation, deletion, or modification of links to
other files. These alerts may be produced by any tool that is used to monitor the activity of file usage,
including a Host-Based IDS and some Operating Systems.
ResourceAudit > FileHandleAudit
FileHandleAudit alerts are used to track file handle activity on monitored network devices, usually
through low-level access to the Operating System, either natively or through a Host-Based IDS. These
events will note success or failure of the requested operation.
ResourceAudit > FileHandleAudit > FileHandleClose
FileHandleClose is a specific FileHandleAudit alert generated for the closing of file handles. These
alerts may be generated by a tool that has low-level file access, such as an Operating System or
some Host-Based IDSs.
ResourceAudit > FileHandleAudit > FileHandleCopy
FileHandleCopy is a specific FileHandleAudit alert generated for the copying of file handles. These
alerts may be generated by a tool that has low-level file access, such as an Operating System or
some Host-Based IDSs.
ResourceAudit > FileHandleAudit > FileHandleOpen
FileHandleOpen is a specific FileHandleAudit alert generated for the opening of file handles. These
alerts may be generated by a tool that has low-level file access, such as an Operating System or
some Host-Based IDSs.
ResourceAudit > FileSystemAudit
FileSystemAudit alerts reflect hardware to filesystem mapping events and usage of filesystem
resources. These events are generally normal system activity, especially during system boot.
ResourceAudit > FileSystemAudit > MountFileSystem
MountFileSystem alerts are a specific type of FileSystemAudit that reflect the action of creating an
active translation between hardware and a usable filesystem. These events are generally normal during
system boot.
ResourceAudit > FileSystemAudit > UnmountFileSystem
UnmountFileSystem alerts are a specific type of FileSystemAudit that reflect the action of removing
a translation between hardware and a usable filesystem. These events are generally normal during
system shutdown.
ResourceAudit > NetworkAudit
Members of the NetworkAudit tree are used to define events centered on usage of network
resources/bandwidth.
ResourceAudit > NetworkAudit > ConfigurationTrafficAudit
ConfigurationTrafficAudit alerts reflect application-layer data related to configuration of network
resources. Included in ConfigurationTrafficAudit are protocols such as DHCP, BootP, and SNMP.
ConfigurationTrafficAudit alerts generally indicate normal traffic; however, alerts of this type could
also be symptoms of misconfiguration, inappropriate usage, attempts to enumerate or access
network devices or services, attempts to access devices that are configured via these services, or
other abnormal traffic.
ResourceAudit > NetworkAudit > CoreTrafficAudit
CoreTrafficAudit alerts reflect network traffic sent over core protocols. Alerts that are children of
CoreTrafficAudit are all related to the TCP, IP, UDP, and ICMP protocols. Alerts of this type and its
children do not have any application-layer data.
Alerts placed in the parent CoreTrafficAudit alert itself are known to be a core protocol, but are not
able to be further categorized based on the message provided by the tool.
ResourceAudit > NetworkAudit > CoreTrafficAudit > TCPTrafficAudit
TCPTrafficAudit alerts are a specific subset of CoreTrafficAudit alerts where the protocol is known to
be TCP.
TCPTrafficAudit alerts may indicate normal traffic inside the network, normal traffic pass-through,
denied traffic, or other non-application TCP traffic that is not known to have any immediate attack
basis.
ResourceAudit > NetworkAudit > CoreTrafficAudit > IPTrafficAudit
IPTrafficAudit alerts are a specific subset of CoreTrafficAudit alerts where the protocol is known to be
IP.
IPTrafficAudit alerts generally indicate normal traffic; however, alerts of this type could also be
symptoms of spoofs, routing issues, or other abnormal traffic. Generally, for the abnormal traffic that
is appropriate to escalate, a Contego Policy has been defined to escalate this to an alert in the
Security tree based on a threshold.
ResourceAudit > NetworkAudit > CoreTrafficAudit > UDPTrafficAudit
UDPTrafficAudit alerts are a specific subset of CoreTrafficAudit alerts where the protocol is known to
be UDP.
UDPTrafficAudit alerts may indicate normal traffic inside the network, normal traffic pass-through,
denied traffic, or other non-application UDP traffic that is not known to have any immediate attack
basis.
ResourceAudit > NetworkAudit > CoreTrafficAudit > ICMPTrafficAudit
ICMPTrafficAudit alerts are a specific subset of CoreTrafficAudit alerts where the protocol is known
to be ICMP.
ICMPTrafficAudit alerts generally indicate normal traffic; however, alerts of this type could also be
symptoms of scans, floods, or other abnormal traffic. Generally, for the abnormal traffic that is
appropriate to escalate, a Contego Policy has been defined to escalate this to an alert in the Security
tree based on a threshold.
ResourceAudit > NetworkAudit > CoreTrafficAudit > IPSecTrafficAudit
IPSecTrafficAudit alerts are a specific subset of CoreTrafficAudit alerts where the traffic is known to
be related to non-application layer IPSec events (such as key exchanges).
IPSecTrafficAudit alerts generally indicate normal traffic; however, alerts of this type could also be
symptoms of misconfigured IPSec peers, problems with IPSec communication, or other abnormal
traffic.
ResourceAudit > NetworkAudit > LinkControlTrafficAudit
LinkControlTrafficAudit alerts are generated for network events related to link level configuration.
LinkControlTrafficAudit alerts generally indicate normal traffic; however, alerts of this type could also
be symptoms of misconfiguration at the link level, inappropriate usage, or other abnormal traffic.
ResourceAudit > NetworkAudit > RoutingTrafficAudit
RoutingTrafficAudit alerts are generated for network events related to configuration of network routes,
using protocols such as IGMP, IGRP, and RIP.
RoutingTrafficAudit alerts generally indicate normal traffic; however, alerts of this type could also be
symptoms of misconfigured routing, unintended route configuration, or other abnormal traffic.
ResourceAudit > NetworkAudit > RoutingTrafficAudit > RIPTrafficAudit
RIPTrafficAudit alerts are a specific subset of RoutingTrafficAudit alerts where the protocol is known
to be RIP.
RIPTrafficAudit alerts generally indicate normal traffic; however, alerts of this type could also be
symptoms of misconfigured routing, unintended route configuration, or other abnormal traffic.
ResourceAudit > NetworkAudit > NamingTrafficAudit
NamingTrafficAudit alerts are generated for network events related to the naming of network
resources and nodes, using protocols such as WINS and DNS.
NamingTrafficAudit alerts generally indicate normal traffic; however, alerts of this type could also be
symptoms of inappropriate DNS authority attempts, misconfiguration of naming services, and other
abnormal traffic. In several cases, for traffic that is appropriate to escalate, a Contego Policy has
been defined to escalate this to an alert in the Security tree based on a threshold.
ResourceAudit > NetworkAudit > FileSystemTrafficAudit
FileSystemTrafficAudit alerts are generated for network events related to requests for remote
filesystems, using protocols such as SMB and NFS.
FileSystemTrafficAudit alerts generally indicate normal traffic for networks that have remote
filesystem resources such as SMB and NFS shares; however, alerts of this type could also be
symptoms of attempts to enumerate shares or services, misconfiguration of such resources, or other
abnormal traffic. For networks that do not have remote filesystem resources, these alerts will
generally indicate abnormal traffic.
ResourceAudit > NetworkAudit > ApplicationTrafficAudit
ApplicationTrafficAudit alerts reflect network traffic that is mostly or all application-layer data. Alerts
that are children of ApplicationTrafficAudit are also related to application-layer resources.
Alerts placed in the parent ApplicationTrafficAudit alert itself are known to be application-related, but
are not able to be further categorized based on the message provided by the tool or because they are
uncommon and rarely, if ever, imply network attack potential.
ResourceAudit > NetworkAudit > ApplicationTrafficAudit > EncryptedTraffic
EncryptedTraffic alerts reflect application-layer traffic that has been encrypted and is intended for a
secure host. Included in EncryptedTraffic alerts are client and server side application events, such as
key exchanges, that normally occur after the low-level session creation and handshaking have
completed.
ResourceAudit > NetworkAudit > ApplicationTrafficAudit > EncryptedTraffic > EncryptedTrafficError
EncryptedTrafficError alerts are a specific subset of EncryptedTraffic alerts that reflect problems
while exchanging keys or data.
ResourceAudit > NetworkAudit > ApplicationTrafficAudit > MailTrafficAudit
MailTrafficAudit alerts reflect application-layer data related to mail services. Included in
MailTrafficAudit are client and server mail events from protocols such as IMAP, POP3, and SMTP.
MailTrafficAudit alerts generally indicate normal traffic; however, alerts of this type could also be
symptoms of excessive mail usage, unintended mail traffic, abnormal command exchanges to a
server, or generally abnormal traffic.
ResourceAudit > NetworkAudit > ApplicationTrafficAudit > WebTrafficAudit
WebTrafficAudit alerts reflect application-layer data related to web services. Included in
WebTrafficAudit are client and server web events from web servers, web applications, content filter
related events, and other web services.
WebTrafficAudit alerts generally indicate normal traffic; however, alerts of this type could also be
symptoms of inappropriate web usage, potential abuse of web services, or other abnormal traffic.
ResourceAudit > NetworkAudit > ApplicationTrafficAudit > TimeTrafficAudit
TimeTrafficAudit alerts reflect application-layer data related to network time configuration. Included in
TimeTrafficAudit are protocols such as NTP and activities, such as detection of client-side network
time updates.
TimeTrafficAudit alerts generally indicate normal traffic; however, alerts of this type could also be
symptoms of misconfiguration, inappropriate usage, or other abnormal traffic.
ResourceAudit > NetworkAudit > ApplicationTrafficAudit > TimeTrafficAudit > NTPTrafficAudit
NTPTrafficAudit alerts are a specific type of TimeTrafficAudit related to the Network Time Protocol.
ResourceAudit > NetworkAudit > ApplicationTrafficAudit > FileTransferTrafficAudit
FileTransferTrafficAudit alerts reflect application-layer data related to file retrieval and send to/from
remote hosts. Included in FileTransferTrafficAudit are protocols such as TFTP and FTP.
FileTransferTrafficAudit alerts generally indicate normal traffic; however, alerts of this type could also
be symptoms of misconfiguration, inappropriate usage, attempts to enumerate or access file transfer
services, attempts to access devices that require file transfer services for configuration, or other
abnormal traffic.
ResourceAudit > NetworkAudit > PointToPointTrafficAudit
PointToPointTrafficAudit alerts reflect application-layer data related to point-to-point connections
between hosts. Included in PointToPointTrafficAudit are encrypted and unencrypted point-to-point
traffic.
ResourceAudit > NetworkAudit > PointToPointTrafficAudit > PPTPTrafficAudit
PPTPTrafficAudit alerts are a specific type of PointToPointTrafficAudit alerts that reflect application-layer
encrypted Point-to-Point Tunneling Protocol (PPTP) activities. Included in PPTPTrafficAudit alerts are
tunnel creation, tunnel deletion, session creation, and session deletion, among other PPTP-related
events.
PPTPTrafficAudit alerts generally indicate normal traffic for networks that have PPTP-accessible
devices on the network; however, alerts of this type could also be symptoms of inappropriate access,
misconfiguration of the PPTP server or clients, other communications errors, or other abnormal
traffic. For networks that do not have PPTP-accessible devices, these alerts will generally indicate
abnormal traffic.
ResourceAudit > NetworkAudit > RemoteProcedureTrafficAudit
RemoteProcedureTrafficAudit alerts reflect application-layer data related to remote procedure
services. Included in RemoteProcedureTrafficAudit are the traditional RPC services used to service
remote logons and file shares, and other services which require remote procedure access to complete
authentication, pass data, or otherwise communicate.
RemoteProcedureTrafficAudit alerts generally indicate normal traffic for networks that have remote
procedure services on their network; however, alerts of this type could also be symptoms of
inappropriate access, misconfiguration of the remote procedure services, errors in the remote
procedure calls, or other abnormal traffic.
ResourceAudit > NetworkAudit > RemoteProcedureTrafficAudit > RPCTrafficAudit
RPCTrafficAudit is a specific subset of RemoteProcedureTrafficAudit related to traditional RPC
services, including portmapper.
ResourceAudit > NetworkConnectionAudit
NetworkConnectionAudit alerts are generated when a connection is initiated on a network client.
ResourceAudit > NetworkConnectionAudit > LANConnection
LANConnection is a specific type of NetworkConnectionAudit that reflects a successful connection
on a physical network interface such as an Ethernet card.
ResourceAudit > NetworkConnectionAudit > VPNConnection
VPNConnection is a specific type of NetworkConnectionAudit that reflects a successful connection
to a remote VPN.
ResourceAudit > NetworkConnectionAudit > DialupConnection
DialupConnection is a specific type of NetworkConnectionAudit that reflects a successful
connection through a traditional modem.
ResourceAudit > ObjectAudit
ObjectAudit alerts are used to track special object activity on monitored network devices, usually
through the Operating System or a Host-Based IDS. Generally, Objects are special types of system
resources, such as registry items or user account databases. These objects may be actual 'files' on
the system, but are not necessarily human readable. These events will note success or failure of the
requested operation.
ResourceAudit > ObjectAudit > ObjectAuditFailure
ObjectAuditFailure alerts are used to track special object activity on monitored network devices,
usually through the Operating System or a Host-Based IDS. Generally, Objects are special types of
system resources, such as registry items or user account databases. These objects may be actual
'files' on the system, but are not necessarily human readable. These events will note a failure of the
requested operation.
ResourceAudit > ObjectAudit > ObjectDelete
ObjectDelete is a specific ObjectAudit alert generated for the deletion of an existing object. These
alerts may be produced by any tool that is used to monitor the activity of file and object usage,
including a Host-Based IDS and some Operating Systems.
ResourceAudit > ObjectAudit > ObjectLink
ObjectLink is a specific ObjectAudit alert generated for the creation, deletion, or modification of links
to other objects. These alerts may be produced by any tool that is used to monitor the activity of file
and object usage, including a Host-Based IDS and some Operating Systems.
ResourceAudit > ProcessAudit
ProcessAudit alerts are generated to track launch, exit, status, and other events related to system
processes. Usually, these events reflect normal system activity. Process-related activity that may
indicate a failure will be noted separately from normal activity in the alert detail.
ResourceAudit > ProcessAudit > ProcessStop
ProcessStop is a specific type of ProcessAudit alert that indicates a process has exited. Usually,
ProcessStop reflects normal application exit; however, in the event of an unexpected error the
abnormal state will be noted.
ResourceAudit > ProcessAudit > ProcessStart
ProcessStart is a specific type of ProcessAudit alert that indicates a new process has been
launched. Usually, ProcessStart reflects normal system activity.
ResourceAudit > ProcessAudit > ProcessWarning
ProcessWarning is a specific type of ProcessAudit alert that indicates a process has returned a
'Warning' message that is not a fatal error and may not have triggered an exit of the process.
ResourceAudit > ProcessAudit > ProcessInfo
ProcessInfo is a specific type of ProcessAudit alert that reflects information related to a process.
Most of these events can safely be ignored, as they are generally normal activity that does not reflect
a failure or abnormal state.
ResourceAudit > ServiceAudit
ServiceAudit alerts are generated to track information and other events related to system
components. Usually, these events reflect normal system activity. System service-related activity
that may indicate a failure will be noted separately from normal activity in the alert detail.
ResourceAudit > ServiceAudit > ServiceInfo
Appendix A: Alert Types
ServiceInfo is a specific type of ServiceAudit alert that reflects information related to a service. Most
of these events can safely be ignored, as they are generally normal activity that does not reflect a
failure or abnormal state.
ResourceAudit > ServiceAudit > ServiceStart
ServiceStart events are a specific type of ServiceAudit alert that indicates a new system service is
starting.
ResourceAudit > ServiceAudit > ServiceStop
ServiceStop events are a specific type of ServiceAudit alert that indicates a system service is
stopping. This activity is generally normal; however, in the event of an unexpected stop the abnormal
state will be noted.
ResourceAudit > ServiceAudit > ServiceWarning
ServiceWarning is a specific type of ServiceAudit alert that indicates a service has returned a
'Warning' message that is not a fatal error and may not have triggered an exit of the service.
Incident Alerts
Incident Alerts reflect global enterprise-wide issues that should be raised for system-wide visibility.
These alerts generally reflect serious issues that should be monitored and addressed. They are subcategorized into different types of Incident Alerts that can provide more detailed information.
Because Incident Alerts are created by Rules, any combination of malicious or suspicious traffic from
any other single alert or combination of alerts can create an Incident Alert.
Each Incident alert is described below. For your convenience, they are listed alphabetically.
HostIncident
HostIncident alerts reflect global enterprise-wide host system issues that should be raised for
system-wide visibility. These alerts are used to indicate issues on hosts that should be tracked and
addressed, including security and administrative issues that apply specifically to host-based
information.
HybridIncident
HybridIncident alerts reflect global enterprise-wide combined network and host system issues that
should be raised for system-wide visibility. These alerts are used to indicate the combination of
network and host-based issues that should be tracked and addressed, including security and
administrative issues that span both network and host-based information.
NetworkIncident
NetworkIncident alerts reflect global enterprise-wide network system issues that should be raised for
system-wide visibility. These alerts are used to indicate network-based issues that should be tracked
and addressed, including security and administrative issues that apply specifically to network-based
information.
Internal Alerts
Alerts that are a part of the InternalAlert node are related to the operation of the TriGeo SIM system.
Any events generated by the system relating to Active Response, Internal users, or Internal errors
will appear under one of the many children.
These alerts are for informational purposes and do not necessarily reflect conditions that should
cause alarm. Alerts that may reflect potential issues within the system are specifically marked for
forwarding to TriGeo.
Each Internal Alert is described below. For your convenience, they are listed alphabetically.
InternalAudit
InternalAudit alerts reflect attempted accesses and changes to components of the TriGeo system by
existing TriGeo users. Both successful and failed attempts will generate alerts in this part of the tree.
InternalAudit > InternalAuditFailure
InternalAuditFailure is a specific type of InternalAudit alert that indicates failed audit information.
These alerts are generated when a user fails to view or modify (including creation, update, and
deletion) anything within the TriGeo system. The alert will include the user, type of access, and item
being accessed. InternalAuditFailure events are uncommon and can indicate an attempted privilege
escalation within the TriGeo system by unprivileged users.
InternalAudit > InternalAuditSuccess
InternalAuditSuccess is a specific type of InternalAudit alert that indicates successful audit
information. These alerts are generated when a user successfully views or modifies (including
creation, update, and deletion) anything within the TriGeo system. The alert will include the user, type
of access, and item being accessed.
InternalCommands
InternalCommands alerts are only used internally with few exceptions. These alerts are used for
sending Commands through the system to complete active responses.
InternalCommands > InternalAgentToolCommand
InternalAgentToolCommand alerts are internal only. They are fired between Managers and Agents to
manage tool settings.
InternalCommands > InternalAgentFastPack
InternalAgentFastPack alerts are internal only. They are fired between Managers and Agents to
configure updated tool signatures.
InternalFailure
Alerts that are a part of the InternalFailure tree reflect potential issues within the system. These alerts
could reflect configuration issues, issues that cannot be resolved without contacting TriGeo, and
potential serious issues which also merit contacting TriGeo.
InternalFailure > InternalError
InternalError alerts reflect configuration or install issues that should be reported to TriGeo. These are
generally internal errors related to tools that may be producing unexpected log entries or conditions
that were not expected. These issues generally cannot be solved without contacting TriGeo; however,
they should not be fatal errors.
InternalFailure > InternalException
InternalException alerts reflect more serious problems within the system. These problems generally
lie within the product implementation and may require a software update to eliminate. These alerts
and their surrounding conditions should be reported to TriGeo.
InternalFailure > InternalWarning
InternalWarning alerts are generally problems which can be solved by the user. Usually, these alerts
are configuration related and may assist in debugging the underlying issue.
InternalWarning alerts do not reflect internal problems within the system and thus should not be
immediately reported to TriGeo; however, they may assist with solving a technical support issue
should the need arise.
InternalGeneralAlert
InternalGeneralAlert events are uncommon events used to track Internal information that has not yet
been placed into a more specific InternalAlert. Alerts of the InternalFailure family providing more
information will be generated in addition to this event if the event is serious.
InternalInfo
Alerts within the InternalInfo family are related to events that are happening within the system.
Generally, these informational alerts are confirming or reporting normal activity such as user updates,
user logons, policy updates, and Agent connection-related events.
InternalInfo > InternalAgentOffline
InternalAgentOffline alerts reflect detection of the disconnection of an Agent from its Manager. These alerts
will happen when the Manager has detected that the Agent closed the connection, whether that be
due to network downtime on the Agent side or due to a shutdown of the Agent service.
InternalInfo > InternalAgentOnline
InternalAgentOnline alerts reflect successful connection of Agents to their respective Managers.
These alerts will happen when an Agent initiates successful communication with the Manager,
whether that be due to network down time of the Manager or Agent or due to an update of the Agent in
question.
InternalInfo > InternalDuplicateConnection
InternalDuplicateConnection alerts occur when an Agent has attempted to connect to its given
Manager more than once. Usually these alerts are triggered by network issues on the Agent end, due
to a possible asynchronous disconnection detection (for example, the Manager was not able to detect
that the Agent went offline, but the Agent service was restarted).
Usually this issue can be resolved by stopping the Agent service, waiting for the InternalAgentOffline
alert, and then restarting the Agent service.
InternalInfo > InternalInvalidConnection
InternalInvalidConnection alerts occur when an Agent that the Manager recognizes, but cannot
communicate with, attempts to connect. These alerts usually reflect Agents that are missing an
update that has already been applied to the Manager.
Please ensure that the indicated Agent has been upgraded to the same release version of the system
that is installed on your Manager. If this alert persists: uninstall and reinstall the Agent triggering the
alert. This will force the Agent to re-initialize connection to the Manager.
InternalInfo > InternalInvalidInstallation
InternalInvalidInstallation alerts occur in the unlikely case that the Manager can communicate with
the Agent but there are errors detected in the Manager-to-Agent relationship. These alerts are very
uncommon, but may be triggered during an upgrade process.
Please ensure that the indicated Agent has been upgraded to the same release version of the system
that is installed on your Manager. If this alert persists: uninstall and reinstall the Agent triggering the
alert. This will force the Agent to re-initialize connection to the Manager.
InternalInfo > InternalLicenseMaximum
InternalLicenseMaximum alerts reflect an attempt to add more Agents to a Manager than that
Manager is licensed for. The number of Agents that can be added is a hard limit that the Manager
stores and this limit is also enforced by the Console.
If more licenses are needed, this issue can be resolved by contacting TriGeo Sales for an update.
InternalInfo > InternalNewToolData
InternalNewToolData alerts generally reflect issues related to tools with unexpected log entries or
other conditions that were not expected. These issues generally cannot be solved without contacting
TriGeo; however, they are not fatal.
InternalInfo > InternalPolicyConfiguration
InternalPolicyConfiguration alerts reflect successful or unsuccessful attempts to update Policy on a
given Manager. These alerts are generated after Policy has been successfully installed to the
Manager or after an error has been detected. Generally, an error in updating Policy will also produce
an alert from the InternalFailure family, providing more information.
InternalInfo > InternalToolOffline
InternalToolOffline alerts reflect successful stop of an Internal Tool. These alerts are generated after
a tool has stopped the log file reader that was created when the tool was brought online. Generally, an
error in an attempt to stop a tool will produce an alert from the InternalFailure family providing more
information.
InternalInfo > InternalToolOnline
InternalToolOnline alerts reflect successful startup of an Internal Tool. These alerts are generated
after a tool has successfully created a log file reader and has begun the reading process. Generally,
an error in an attempt to start a tool will produce an alert from the InternalFailure family providing more
information.
InternalInfo > InternalUnknownAgent
InternalUnknownAgent alerts occur when an Agent that the Manager does not recognize has
attempted to connect. Commonly, this alert is caused by removing the Agent from the Console before
removing the Agent service on the client. These alerts may also be triggered during an upgrade
process; in that case, they may reflect Agents that have not yet been brought up to date.
Usually this issue can be resolved by uninstalling and reinstalling the Agent triggering the alert. This
will force the Agent to re-initialize its connection to the Manager.
InternalInfo > InternalUnsupportedAgent
InternalUnsupportedAgent alerts are generated when a valid Agent connects and has not been
upgraded to the same release version as the Manager. The Agent in question failed to properly
negotiate its connection or respond to a query and has been assumed to be missing a feature required
of it. Please ensure that the indicated Agent has been upgraded to the same release version of TriGeo
that is installed on your Manager. If this alert persists, uninstall and reinstall the Agent triggering the
alert; this will force the Agent to re-initialize its connection to the Manager.
InternalInfo > InternalUserLogoff
InternalUserLogoff alerts are generated when a user logs off or is disconnected from the Console.
InternalInfo > InternalUserLogon
InternalUserLogon alerts are generated when a user successfully completes the logon process to a
Manager via the Console. Failed log-on attempts are produced in a separate alert,
InternalUserLogonFailure.
InternalInfo > InternalUserLogonFailure
InternalUserLogonFailure alerts are generated when a user has completed initialization of a
connection to the Console, but enters an incorrect user name and/or password.
InternalInfo > InternalUserUpdate
InternalUserUpdate alerts are generated when a user is modified and the update has successfully
been sent to the Manager, or when the update has failed to apply. These updates include change or
addition of an email address, change or addition of a pager, and change or addition of blocked alerts
from selected Agents. Generally, an error in updating a user will also produce an alert from the
InternalFailure family.
InternalPolicy
InternalPolicy alerts reflect information related to correlation rules. These alerts are used to indicate
that a rule has been triggered, either in test mode or in normal operating conditions.
InternalPolicy > InternalTestRule
InternalTestRule alerts reflect rule activity where a correlation rule has triggered and is set in “Test”
mode. It indicates the trigger of the rule and includes an enumeration of what actions would take
place, if any, if the rule were fully enabled. To remove a rule from Test mode, clear the “Test”
checkbox for the Rule in the Rule Builder.
InternalPolicy > InternalRuleFired
InternalRuleFired alerts reflect rule activity, specifically where a correlation rule has triggered. It
indicates the trigger of the rule and includes an enumeration of what actions were triggered in
response to the correlation.
Security Alerts
Alerts that are a part of the SecurityAlert node are generally related to network activity that is
consistent with an internal or external attack, a misuse or abuse of resources, a resource
compromise, resource probing, or other abnormal traffic that is noteworthy.
Security Alert events indicate aggressive behavior that may lead to an attack or resource
compromise, or suspicious behavior that may indicate unauthorized information gathering. The
TriGeo SIM infers some Security Alerts from what is normally considered audit traffic, but it escalates
the events to alert status based on thresholds that are defined by Rules.
Each Security Alert is described below. For your convenience, they are listed alphabetically.
AttackBehavior
Alerts that are children of AttackBehavior are generally related to network activity that may be
consistent with an attack, misuse or abuse of resources, a resource compromise, or other abnormal
behavior that should be considered indicative of a serious security event.
AttackBehavior > InferredAttack
InferredAttack alerts are reserved AttackBehavior alerts used for describing attacks that are a
composite of different types of alerts. These events will be defined and inferred by Contego Policy.
AttackBehavior > ResourceAttack
Members of the ResourceAttack tree are used to define different types of malicious or abusive
access to network resources, where these resources may be network bandwidth/traffic, files, client
processes or services, or other types of shared security-related 'commodities'.
AttackBehavior > ResourceAttack > NetworkAttack
Members of the NetworkAttack tree are used to define events centered on malicious or abusive
usage of network bandwidth/traffic. These events include access to network resources, relaying
attacks via network resources, or denial of service behavior on network resources.
AttackBehavior > ResourceAttack > NetworkAttack > Access
Children of the Access tree define events centered on malicious or abusive usage of network
bandwidth/traffic where the intention, or the result, is inappropriate or abusive access to network
resources.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess
ApplicationAccess alerts reflect malicious or abusive usage of network resources where the
intention, or the result, is gaining access to resources where the related data is mostly or all
application-layer. Generally, ApplicationAccess alerts will reflect attempted exploitation of
weaknesses in server or client software, or information that is restricted/prohibited by device access
control or policy.
These alerts are generally provided by network-based intrusion detection systems; in some cases,
network infrastructure devices such as firewalls or proxy servers may also provide them.
Alerts placed in the parent ApplicationAccess alert itself are known to be application-related, but not
able to be further categorized based on the message provided by the tool or because they are
uncommon.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > DataBaseAccess
DataBaseAccess alerts reflect malicious or abusive usage of network resources where the intention,
or the result, is gaining access to resources via application-layer database traffic. Generally, these
alerts will reflect attempted exploitation of weaknesses in database server or client software.
These alerts are generally provided by network-based intrusion detection systems, the database
server, or the client software itself. Appropriate response to these alerts may entail better access
control of database servers (e.g. restriction by IP address and/or user name to ensure only trusted
clients are connecting), applying updates or patches to database servers and/or clients, or the
possible removal of the database service or client application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > FileTransferAccess
FileTransferAccess alerts reflect malicious or abusive usage of network resources where the
intention, or the result, is gaining access to resources via application-layer file transfer traffic.
Generally, these alerts will reflect attempted exploitation of weaknesses in file transfer server or
client software.
These alerts are generally provided by network-based intrusion detection systems, the file transfer
server, or the client software itself. Appropriate response to these alerts may entail better access
control of file transfer servers (e.g. restriction by IP address and/or user name to ensure only trusted
clients are connecting), applying updates or patches to file transfer servers and/or clients, or the
possible removal of the file transfer service or client application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > FileTransferAccess > FTPFileAccess
FTPFileAccess alerts reflect malicious or abusive usage of network resources where the intention, or
the result, is gaining access to filesystems of resources via application-layer file transfer traffic.
Generally, these alerts will reflect attempted exploitation of weaknesses in file transfer server or
client software with the intent of information gathering or low-level filesystem access of the server or
client.
These alerts are generally provided by network-based intrusion detection systems, the file transfer
server, or the client software itself. Appropriate response to these alerts may entail better access
control of file transfer servers (e.g. restriction by IP address and/or user name to ensure only trusted
clients are connecting), applying updates or patches to file transfer servers and/or clients, or the
possible removal of the file transfer service or client application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > FileTransferAccess > FTPInvalidFormatAccess
FTPInvalidFormatAccess alerts reflect malicious or abusive usage of network resources where the
intention, or the result, is gaining access to resources via application-layer file transfer traffic.
Generally, these alerts will reflect attempted exploitation of weaknesses in file transfer server or
client software with the intent of information gathering or low-level access to the server or client.
These attacks are always abnormal traffic that the file transfer server or client is not prepared to
respond to; attacks, such as buffer overflows, may also result in the server or client software or
system being halted.
These alerts are generally provided by network-based intrusion detection systems, the file transfer
server, or the client software itself. Appropriate response to these alerts may entail better access
control of file transfer servers (e.g. restriction by IP address and/or user name to ensure only trusted
clients are connecting), applying updates or patches to file transfer servers and/or clients, or the
possible removal of the file transfer service or client application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > FileTransferAccess > FTPCommandAccess
FTPCommandAccess alerts reflect malicious or abusive usage of network resources where the
intention, or the result, is gaining access to resources via application-layer file transfer traffic.
Generally, these alerts will reflect attempted exploitation of weaknesses in file transfer server
software with the intent of information gathering or low-level access to the server or client. These
attacks are always abnormal command traffic that the file transfer server is not prepared to respond
to, but may provide access to (e.g. debug or legacy commands).
These alerts are generally provided by network-based intrusion detection systems, the file transfer
server, or the client software itself. Appropriate response to these alerts may entail better access
control of file transfer servers (e.g. restriction by IP address and/or user name to ensure only trusted
clients are connecting), applying updates or patches to file transfer servers and/or clients, restriction
of allowed commands, or the possible removal of the file transfer service or client application related
to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > MailAccess
MailAccess alerts reflect malicious or abusive usage of network resources where the intention, or the
result, is gaining access to resources via application-layer mail transfer, retrieval, or service traffic.
Generally, these alerts will reflect attempted exploitation of weaknesses in mail-related server or
client software.
These alerts are generally provided by network-based intrusion detection systems or the mail server,
service, or client software itself. Appropriate response to these alerts may entail better access control
of mail servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are
connecting), applying updates or patches to mail servers and/or clients, or possible removal of the
mail server, service, or client application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > MailAccess > MailTransferAccess
MailTransferAccess alerts reflect malicious or abusive usage of network resources where the
intention, or the result, is gaining access to resources via application-layer mail transfer traffic.
Generally, these alerts will reflect attempted exploitation of weaknesses in SMTP server software.
These alerts are generally provided by network-based intrusion detection systems, or the SMTP
server software itself. Appropriate response to these alerts may entail better access control of the
SMTP server (e.g. restriction by IP address and/or user name to ensure only trusted clients are
connecting, especially for SMTP servers that relay mail for external/remote entities), applying
updates or patches to SMTP servers, or the possible removal of the SMTP server related to this
event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > MailAccess > MailTransferAccess > SMTPInvalidFormatAccess
SMTPInvalidFormatAccess alerts reflect malicious or abusive usage of network resources where the
intention, or the result, is gaining access to resources via application-layer mail transfer traffic.
Generally, these alerts will reflect attempted exploitation of weaknesses in SMTP server software
with the intent of information gathering or low-level access to the server. These attacks are always
abnormal traffic that the SMTP server is not prepared to respond to; attacks, such as buffer
overflows, may also result in the server software or system being halted.
These alerts are generally provided by network-based intrusion detection systems, or the SMTP
server software itself. Appropriate response to these alerts may entail better access control of the
SMTP server (e.g. restriction by IP address and/or user name to ensure only trusted clients are
connecting, especially for SMTP servers that relay mail for external/remote entities), applying
updates or patches to SMTP servers, or the possible removal of the SMTP server related to this
event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > MailAccess > MailTransferAccess > SMTPInvalidFormatAccess > SmailAccess
SmailAccess alerts reflect malicious or abusive usage of network resources where the intention, or
the result, is gaining access to resources via application-layer mail transfer traffic. Generally, these
alerts will reflect attempted exploitation of weaknesses in SMTP server software with the intent of
information gathering or low-level access to the server. These attacks are always abnormal traffic
that the SMTP server is not prepared to respond to; they may also result in the server software or
system being halted. The smail attack specifically attempts to execute applications resulting in
compromise of the SMTP server system.
These alerts are generally provided by network-based intrusion detection systems, or the SMTP
server software itself. Appropriate response to these alerts may entail better access control of the
SMTP server (e.g. restriction by IP address and/or user name to ensure only trusted clients are
connecting, especially for SMTP servers that relay mail for external/remote entities), applying
updates or patches to SMTP servers, or the possible removal of the SMTP server related to this
event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > MailAccess > MailTransferAccess > SMTPCommandAccess
SMTPCommandAccess alerts reflect malicious or abusive usage of network resources where the
intention, or the result, is gaining access to resources via application-layer mail transfer traffic.
Generally, these alerts will reflect attempted exploitation of weaknesses in SMTP server software
with the intent of information gathering or low-level access to the server. These attacks are always
abnormal command traffic that the SMTP server is not prepared to respond to, but may provide
access to (e.g. debug or legacy commands).
These alerts are generally provided by network-based intrusion detection systems, or the SMTP
server software itself. Appropriate response to these alerts may entail better access control of the
SMTP server (e.g. restriction by IP address and/or user name to ensure only trusted clients are
connecting, especially for SMTP servers that relay mail for external/remote entities), applying
updates or patches to SMTP servers, restriction of allowed commands, or the possible removal of the
SMTP server related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > MailAccess > MailDeliveryAccess
MailDeliveryAccess alerts reflect malicious or abusive usage of network resources where the
intention, or the result, is gaining access to resources via application-layer mail retrieval traffic.
Generally, these alerts will reflect attempted exploitation of weaknesses in mail retrieval related
server or client software - the MDA (mail delivery Agent) or MUA (mail user Agent).
These alerts are generally provided by network-based intrusion detection systems, or the mail server,
service, or client software itself. Appropriate response to these alerts may entail better access control
of mail servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are
connecting), applying updates or patches to mail servers and/or clients, or the possible removal of the
mail server, service, or client application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > MailAccess > MailServiceAccess
MailServiceAccess alerts reflect malicious or abusive usage of network resources where the
intention, or the result, is gaining access to resources via application-layer mail service traffic.
Generally, these alerts will reflect attempted exploitation of weaknesses in mail service-related
server or client software, including services such as mailing list software, spam filters, email
redirection software, and other mail filtering software.
These alerts are generally provided by network-based intrusion detection systems, the mail service,
or the client software itself. Appropriate response to these alerts may entail better access control of
mail services or servers (e.g. restriction by IP address and/or user name to ensure only trusted clients
are connecting), applying updates or patches to mail services and/or clients, or the possible removal
of the mail service or client application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > MailAccess > MailServiceAccess > MajordomoAccess
MajordomoAccess alerts reflect malicious or abusive usage of network resources where the
intention, or the result, is gaining access to resources via application-layer mail service traffic.
Generally, these alerts will reflect attempted exploitation of weaknesses in Majordomo, a specific
type of mailing list software.
These alerts are generally provided by network-based intrusion detection systems, or the mail service
itself. Appropriate response to these alerts may entail better access control of mail services or
servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are
connecting), applying updates or patches to the mail service, or the possible removal of the mail
service related to this event. Generally, the most appropriate response will be updates or patches that
can be retrieved from the Majordomo web site (http://www.greatcircle.com/majordomo) or your
operating system vendor.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess > NewsAccess
NewsAccess alerts reflect malicious or abusive usage of network resources where the intention, or
the result, is gaining access to resources via application-layer news traffic (over protocols such as
NNTP). Generally, these alerts will reflect attempted exploitation of weaknesses in the news server
or client software.
These alerts are generally provided by network-based intrusion detection systems, the news server,
or the client software itself. Appropriate response to these alerts may entail better access control of
news servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are
connecting), applying updates or patches to news servers and/or clients, or the possible removal of
the news service or client application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess >
PrinterAccess
PrinterAccess alerts reflect malicious or abusive usage of network resources where the intention, or
the result, is gaining access to resources via application-layer remote printer traffic. Generally, these
alerts will reflect attempted exploitation of weaknesses in the remote printer server or client software.
These alerts are generally provided by network-based intrusion detection systems, the remote printer
server, or the client software itself. Appropriate response to these alerts may entail better access
control of remote printer servers (e.g. restriction by IP address and/or user name to ensure only
trusted clients are connecting), applying updates or patches to remote printer servers and/or clients,
or the possible removal of the remote printer service or client application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess >
WebAccess
WebAccess alerts reflect malicious or abusive usage of network resources where the intention, or the
result, is gaining access to resources via application-layer WWW traffic. Generally, these alerts will
reflect attempted exploitation of weaknesses in the web server or client software.
These alerts are generally provided by network-based intrusion detection systems, the web server, or
client software itself. Appropriate response to these alerts may entail better access control of web
servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are
connecting), applying updates or patches to web servers and/or clients, or the possible removal of the
web service or client application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess >
WebAccess > HTTPClientAccess
HTTPClientAccess alerts reflect malicious or abusive usage of network resources where the
intention, or the result, is gaining access to resources via application-layer WWW traffic where the
information flow is from server to client. Generally, these alerts will reflect attempted exploitation of
weaknesses in the client software or abuse and/or misuse of resources from clients.
These alerts are generally provided by network-based intrusion detection systems, the web client
software itself, proxy servers, content filters, and/or firewalls with capability to monitor incoming web
traffic. Appropriate response to these alerts may entail applying updates or patches to web client
software, or restriction of incoming/outgoing web requests/responses to reflect inappropriate or
abusive access.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess >
WebAccess > HTTPClientAccess > FraudulentCertificateAccess
FraudulentCertificateAccess alerts reflect malicious or abusive usage of network resources where
the intention, or the result, is gaining access to resources via application-layer WWW traffic in which
the information flow is from server to client. Generally, these alerts will reflect attempted exploitation
of weaknesses in the client software through fraudulent certificates. The intent of these attacks may
be to forge certificates that convince the client that the site is trusted, when in fact it is not, passing
data along with those certificates that may be inappropriate and/or contain exploits.
These alerts are generally provided by network-based intrusion detection systems, the web client
software itself, proxy servers, content filters, and/or firewalls with capability to monitor incoming web
traffic. Appropriate response to these alerts may entail applying updates or patches to web client
software, or restriction of incoming/outgoing web requests/responses to reflect the abusive access.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess >
WebAccess > HTTPClientAccess > ProhibitedHTTPControlAccess
ProhibitedHTTPControlAccess alerts reflect malicious or abusive usage of network resources where
the intention, or the result, is gaining access to resources via application-layer WWW traffic in which
the information flow is from server to client. Generally, these alerts will reflect attempted exploitation
of weaknesses in the client software or abuse and/or misuse of resources from clients through client
controls such as ActiveX and Java.
These alerts are generally provided by network-based intrusion detection systems, the web client
software itself, proxy servers, content filters, and/or firewalls with capability to monitor incoming web
traffic. Appropriate response to these alerts may entail applying updates or patches to web client
software, or restriction of incoming/outgoing web requests/responses to reflect inappropriate or
abusive access.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess >
WebAccess > HTTPServerAccess
HTTPServerAccess alerts reflect malicious or abusive usage of network resources where the
intention, or the result, is gaining access to resources via application-layer WWW traffic where the
information flow is from client to server. Generally, these alerts will reflect attempted exploitation of
weaknesses in the server software or abuse and/or misuse of server resources.
These alerts are generally provided by network-based intrusion detection systems, the web server or
service software itself, and/or firewalls with the capability to monitor incoming/outgoing web traffic.
Appropriate response to these alerts may entail better access control of web servers (e.g. restriction
by IP address and/or user name to ensure only trusted clients are connecting), applying updates or
patches to web servers, services, and/or clients, or the possible removal of the web service or client
application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess >
WebAccess > HTTPServerAccess > HTTPApplicationAccess
HTTPApplicationAccess alerts reflect malicious or abusive usage of network resources where the
intention, or the result, is gaining access to resources via application-layer WWW traffic in which the
information flow is from client to server. Generally, these alerts will reflect attempted exploitation of
weaknesses in applications running on top of the server software, such as PHP, CGI, administrative
sites, and other application services.
These alerts are generally provided by network-based intrusion detection systems, the web server,
the service software itself, and/or firewalls with capability to monitor incoming/outgoing web traffic.
Appropriate response to these alerts may entail better access control of web servers or the service
itself (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting),
applying updates or patches to web servers, services, and/or clients, or the possible removal of the
web service application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess >
WebAccess > HTTPServerAccess > HTTPApplicationAccess > HTTPAdministrationAccess
HTTPAdministrationAccess alerts reflect malicious or abusive usage of network resources where the
intention, or the result, is gaining access to resources via application-layer WWW traffic in which the
information flow is from client to server. Generally, these alerts will reflect attempted exploitation of
weaknesses in applications run on top of server software that are related to remote administration of
sites, services, and/or systems.
These alerts are generally provided by network-based intrusion detection systems, the web server,
the service software itself, and/or firewalls with capability to monitor incoming/outgoing web traffic.
Appropriate response to these alerts may entail better access control of web servers or the service
itself (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting),
applying updates or patches to web servers, services, administrative sites, and/or clients, or the
possible removal of the web service application or administrative site related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess >
WebAccess > HTTPServerAccess > HTTPApplicationAccess >
HTTPDynamicContentAccess
HTTPDynamicContentAccess alerts reflect malicious or abusive usage of network resources where
the intention, or the result, is gaining access to resources via application-layer WWW traffic in which
the information flow is from client to server. Generally, these alerts will reflect attempted exploitation
of weaknesses in applications, running on top of the server software, that generate dynamic content
such as PHP, CGI, and ASP.
These alerts are generally provided by network-based intrusion detection systems, the web server,
the service software itself, and/or firewalls with capability to monitor incoming/outgoing web traffic.
Appropriate response to these alerts may entail better access control of web servers or the service
itself (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting),
applying updates or patches to web servers, services, dynamic content, and/or clients, or the
possible removal of the web service application or dynamic content related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess >
WebAccess > HTTPServerAccess > HTTPApplicationAccess > HTTPFileRequestAccess
HTTPFileRequestAccess alerts reflect malicious or abusive usage of network resources where the
intention, or the result, is gaining access to resources via application-layer WWW traffic in which the
information flow is from client to server. Generally, these alerts will reflect attempted exploitation of
weaknesses in applications running on top of server software that are related to remote administration
of sites, services, and/or systems with the intent of information gathering or low-level filesystem
access of the server or client.
These alerts are generally provided by network-based intrusion detection systems, the web server,
the service software itself, and/or firewalls with capability to monitor incoming/outgoing web traffic.
Appropriate response to these alerts may entail better access control of web servers or the service
itself (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting),
applying updates or patches to web servers, services, and/or clients, or the possible removal of the
web service application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess >
WebAccess > HTTPServerAccess > HTTPApplicationAccess > HTTPServiceAccess
HTTPServiceAccess alerts reflect malicious or abusive usage of network resources where the
intention, or the result, is gaining access to resources via application-layer WWW traffic in which the
information flow is from client to server. Generally, these alerts will reflect attempted exploitation of
weaknesses in applications running on top of server software that are related to remote services such
as printing or console access.
These alerts are generally provided by network-based intrusion detection systems, the web server,
the service software itself, and/or firewalls with capability to monitor incoming/outgoing web traffic.
Appropriate response to these alerts may entail better access control of web servers or the service
itself (e.g. restriction by IP address and/or user name to ensure only trusted clients are connecting),
applying updates or patches to web servers, services, and/or clients, or the possible removal of the
web service application or site related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess >
WebAccess > HTTPServerAccess > HTTPInvalidFormatAccess
HTTPInvalidFormatAccess alerts reflect malicious or abusive usage of network resources where the
intention, or the result, is gaining access to resources via application-layer web traffic in which the
information flow is from client to server. Generally, these alerts will reflect attempted exploitation of
weaknesses in web server software with the intent of information gathering or low-level access to the
server. These attacks are always abnormal traffic that the web server is not prepared to respond to;
attacks, such as buffer overflows, may also result in the server software or system being halted.
These alerts are generally provided by network-based intrusion detection systems, the web server,
the service software itself, and/or firewalls with capability to monitor incoming/outgoing web traffic.
Appropriate response to these alerts may entail better access control of the web server (e.g.
restriction by IP address and/or user name to ensure only trusted clients are connecting), applying
updates or patches to web servers or services, or the possible removal of the web server related to
this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess >
NamingAccess
NamingAccess alerts reflect malicious or abusive usage of network resources where the intention, or
the result, is gaining access to resources via application-layer naming service traffic (using protocols
such as DNS and WINS). Generally, these alerts will reflect attempted exploitation of weaknesses in
the naming server or client software.
These alerts are generally provided by network-based intrusion detection systems, the naming
server, or the client software itself. Appropriate response to these alerts may entail better access
control of name servers (e.g. restriction by IP address and/or user name to ensure only trusted clients
are connecting), applying updates or patches to naming servers and/or clients, or the possible
removal of the naming service or client application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess >
RemoteConsoleAccess
RemoteConsoleAccess alerts reflect malicious or abusive usage of network resources where the
intention, or the result, is gaining access to resources via application-layer remote console service
traffic (services such as telnet, SSH, and terminal services). Generally, these alerts will reflect
attempted exploitation of weaknesses in the remote console server or client software.
These alerts are generally provided by network-based intrusion detection systems, the remote
console server, or the client software itself. Appropriate response to these alerts may entail better
access control of remote console servers (e.g. restriction by IP address and/or user name to ensure
only trusted clients are connecting), applying updates or patches to remote console servers and/or
clients, or the possible removal of the remote console service or client application related to this
event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ApplicationAccess >
TimeAccess
TimeAccess alerts reflect malicious or abusive usage of network resources where the intention, or
the result, is gaining access to resources via application-layer remote time service traffic (using
protocols such as NTP). Generally, these alerts will reflect attempted exploitation of weaknesses in
the remote time server or client software.
These alerts are generally provided by network-based intrusion detection systems, the time server, or
client software itself. Appropriate response to these alerts may entail better access control of remote
time servers (e.g. restriction by IP address and/or user name to ensure only trusted clients are
connecting), applying updates or patches to remote time servers and/or clients, or the possible
removal of the remote time service or client application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > ConfigurationAccess
ConfigurationAccess alerts reflect malicious or abusive usage of network resources where the
intention, or the result, is gaining access to resources via resource configuration traffic (using
protocols such as DHCP, BootP, and SNMP). Generally, these alerts will reflect attempted
exploitation of weaknesses in the configuration server or client software or attempts to gain
system-level access to configuration servers themselves. In the case of SNMP and similar configuration
protocols, it could reflect an attempt to enumerate a device or devices on the same network for further
attack.
These alerts are generally provided by network-based intrusion detection systems, the configuration
server, or the client software itself. Appropriate response to these alerts may entail better access
control of configuration servers and services (e.g. restriction by IP address and/or user name to
ensure only trusted clients are connecting), applying updates or patches to configuration servers
and/or clients, or the possible removal of the configuration service or client application related to this
event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > CoreAccess
CoreAccess alerts reflect malicious or abusive usage of network resources where the intention, or
the result, is gaining access to resources where the related data is mostly or all core protocols (TCP,
UDP, IP, ICMP). Generally, CoreAccess alerts will reflect attempted exploitation of weaknesses in
network protocols or devices with intent to gain access to servers, clients, or network infrastructure
devices.
These alerts are generally provided by network-based intrusion detection systems; in some cases,
network infrastructure devices such as firewalls or routers may also provide them. In some cases,
these events are escalated from the Audit tree via Contego Policy.
Alerts placed in the parent CoreAccess alert itself are known to be core protocol-related but cannot
be further categorized, either because of the message provided by the tool or because they are uncommon.
AttackBehavior > ResourceAttack > NetworkAttack > Access > CoreAccess >
ICMPRedirectAccess
ICMPRedirectAccess alerts reflect a specific type of CoreAccess alert where the attack traffic is all
ICMP Redirects (ICMP type 5) and the intent is to redirect traffic to either enumerate devices or client
machines, or to gather information on devices or client traffic to further attack those or other
resources. ICMP Redirects are generally benign ICMP messages sent to hosts to redirect traffic
intended for a network that another gateway can control. In the cases where ICMP Redirects are
used for attacking, a host will generally pose as a router, pass a redirect to a client
machine to modify its routing table so that traffic goes to the false router instead of the normal network
gateway, and proceed to enumerate, gather information, or attack the redirected host. The false router
will then send the traffic on to the correct gateway, and the host has no idea of what has occurred
(unless another device or tool detects it). This is one type of what is commonly referred to as a
man-in-the-middle attack.
These alerts are generally provided by network-based intrusion detection systems and network
infrastructure devices such as firewalls or routers. Appropriate response to these alerts may entail
blocking or resetting the local or remote user's connection/IP address, updates to network
infrastructure devices, or restriction of incoming/outgoing ICMP redirect requests/responses to
reflect inappropriate or abusive access. Appropriate methods of prevention of ICMP redirect attacks
would be to limit hosts who can broadcast ICMP Redirects across network devices to correct routers
and gateways, limit ingress and egress ICMP traffic, and to make sure clients, servers, and network
infrastructure devices are current with regards to operating system or other networking software to
ensure that other attacks related to ICMP Redirect attacks of this type (such as denial of service
attacks) do not occur.
AttackBehavior > ResourceAttack > NetworkAttack > Access > CoreAccess >
IPFragmentationAccess
IPFragmentationAccess alerts reflect a specific type of CoreAccess alert where the attack traffic is
all IP and the intent is to mask possible malicious or abusive data past an IDS or other detection
device by using many IP fragments (usually either much larger or smaller than normal fragments).
The network infrastructure devices handling the traffic will reassemble and pass on the traffic
correctly, however, an IDS on the network may not be able to detect the malicious traffic, only the
presence of fragments (if even that). The attack may be allowed to pass through the network either
incoming or outgoing, thereby eliminating one line of defense. Normal IP fragmentation (data that has
been taken apart because it is too large based on network parameters) should not trigger an
IPFragmentationAccess alert.
Fragmentation alerts themselves are generally provided by network-based intrusion detection
systems and network infrastructure devices such as firewalls or routers. Appropriate response to
these alerts may entail blocking or resetting the local or remote user's connection/IP address,
applying updates or patches to server and/or client software (especially the IDS), updates to network
infrastructure devices, or restriction of incoming/outgoing network requests/responses to reflect
inappropriate or abusive access.
AttackBehavior > ResourceAttack > NetworkAttack > Access > CoreAccess >
IPSourceRouteAccess
IPSourceRouteAccess alerts reflect a specific type of CoreAccess alert where the attack traffic is all
IP and the intent is generally to misrepresent the originating address to bypass detection.
IPSourceRouteAccess is a type of IP Spoofing where an attacker falsifies network information to
convince the destination that the given source is something other than the actual source, directing the
destination to return the traffic through an IP Source Route option that traces the traffic to the trusted
host and then on to the untrusted attacker. The trusted host receives the traffic from the destination
and because of the IP Source Route, it passes the traffic on to the untrusted attacker. The data is not
modified and the attacker has 'tricked' the network into passing the traffic on. Generally, while
spoofed, clients will attempt to gather information, perform actual attacks on internal or external
devices, or perform denial of service attacks.
These alerts are generally provided by network-based intrusion detection systems and network
infrastructure devices such as firewalls or routers. Response to IP Spoofing itself is difficult as the
originating host may be alternating spoofed hostnames or IP addresses in order to continually
circumvent detection; however, response to IP spoofing which utilizes the IP source route could
entail removing the ability to pass traffic through routers or gateways that contains an IP Source
Route option. Initial appropriate response to these alerts may entail blocking or resetting the local or
remote user's connection/IP address, however this may prove ineffective or unrealistic. Other
responses may include applying updates or patches to server and/or client software, updates to
network infrastructure devices, or restriction of incoming/outgoing network requests/responses to
reflect inappropriate or abusive access. Unfortunately, it may prove difficult to derail an attempted
attack through IP Spoofing, however, routing and firewalling policies (including disallowing traffic with
the IP Source Route option) should prevent further access through spoofed addresses.
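The ICMPRedirectAccess and IPSourceRouteAccess entries above describe two CoreAccess cases a packet inspector can recognize directly. The following is an added example, not code from the TriGeo guide: it parses raw IPv4 packets, labels any datagram that carries a source-route option, and flags ICMP Redirects whose sender or advertised gateway is not a known router, returning the matching Appendix A taxonomy path. The LEGIT_GATEWAYS set, the helper names and the constructed sample packets are assumptions.

```python
"""Classify raw IPv4 packets into two CoreAccess alert types from Appendix A.
Added example, not TriGeo code. Assumes LEGIT_GATEWAYS lists the segment's real
routers; the sample packets at the bottom are constructed fixtures, not captures."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ICMP_PROTO, ICMP_REDIRECT = 1, 5
IPOPT_LSRR, IPOPT_SSRR = 0x83, 0x89        # loose / strict source and record route
CORE = "AttackBehavior > ResourceAttack > NetworkAttack > Access > CoreAccess"
LEGIT_GATEWAYS = {"10.0.0.1", "10.0.0.2"}  # assumption: routers allowed to redirect


@dataclass
class Finding:
    alert_type: str  # taxonomy path from Appendix A
    src: str
    dst: str
    reason: str


def _addr(b: bytes) -> str:
    return str(ipaddress.IPv4Address(b))


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when the stored checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def source_route_options(options: bytes) -> list:
    """Return the LSRR/SSRR option kinds present in an IPv4 options field."""
    found, i = [], 0
    while i < len(options) and options[i] != 0:       # 0 = end of option list
        if options[i] == 1:                           # 1 = no-op, single byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                                     # truncated or malformed option
        if options[i] in (IPOPT_LSRR, IPOPT_SSRR):
            found.append(options[i])
        i += options[i + 1]
    return found


def inspect_packet(pkt: bytes, gateways=LEGIT_GATEWAYS) -> Optional[Finding]:
    """Return a Finding for a source-routed or suspicious ICMP Redirect packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    proto, src, dst = pkt[9], _addr(pkt[12:16]), _addr(pkt[16:20])
    opts = source_route_options(pkt[20:ihl])
    if opts:  # IPSourceRouteAccess: the guide recommends dropping these at the perimeter
        return Finding(CORE + " > IPSourceRouteAccess", src, dst,
                       "IP source route option 0x%02x present" % opts[0])
    icmp = pkt[ihl:]
    # A redirect is 8 bytes of ICMP header plus the IP header of the datagram it concerns.
    if proto != ICMP_PROTO or len(icmp) < 28 or icmp[0] != ICMP_REDIRECT:
        return None
    gateway, reasons = _addr(icmp[4:8]), []
    if inet_checksum(icmp) != 0:
        reasons.append("bad ICMP checksum")
    if src not in gateways:
        reasons.append("redirect sent by non-router %s" % src)
    if gateway not in gateways:
        reasons.append("advertised gateway %s is not a known router" % gateway)
    if not reasons:
        return None  # a redirect between known routers is the benign case
    return Finding(CORE + " > ICMPRedirectAccess", src, dst, "; ".join(reasons))


def _ip_header(src, dst, proto, total_len, ihl_words=5) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, total_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def build_redirect(src, dst, gateway, orig_dst) -> bytes:
    """Constructed fixture: ICMP Redirect (type 5, code 1) telling dst to use gateway."""
    embedded = _ip_header(dst, orig_dst, 17, 28) + bytes(8)  # header of dst's own datagram
    body = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0,
                       ipaddress.IPv4Address(gateway).packed) + embedded
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return _ip_header(src, dst, ICMP_PROTO, 20 + len(body)) + body


def build_lsrr_udp(src, dst, hop) -> bytes:
    """Constructed fixture: UDP datagram with a loose source route via hop (len 7 + EOL)."""
    opt = bytes([IPOPT_LSRR, 7, 4]) + ipaddress.IPv4Address(hop).packed + b"\x00"
    return _ip_header(src, dst, 17, 28 + len(opt), 5 + len(opt) // 4) + opt + bytes(8)


LEGIT = build_redirect("10.0.0.1", "10.0.0.50", "10.0.0.2", "192.0.2.10")   # benign
ROGUE = build_redirect("10.0.0.77", "10.0.0.50", "10.0.0.77", "192.0.2.10")  # rogue host
ROUTED = build_lsrr_udp("203.0.113.9", "10.0.0.50", "10.0.0.77")             # source-routed
```

The IP header checksum of the fixtures is left at zero and is not verified; only the ICMP checksum is checked, so a corrupted redirect is reported as malformed rather than silently classified.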
AttackBehavior > ResourceAttack > NetworkAttack > Access > CoreAccess >
IPSpoofAccess
IPSpoofAccess alerts reflect a specific type of CoreAccess alert where the attack traffic is all IP and
the intent is to misrepresent the originating address to either bypass detection or misdirect response
to attack activity. IP Spoofing is done by falsifying network information to convince the destination
(and any network hops in between) that the given source is something other than the actual source.
Generally, while spoofed, clients will attempt to gather information, perform actual attacks on internal
or external devices, or perform denial of service attacks.
These alerts are generally provided by network-based intrusion detection systems and network
infrastructure devices such as firewalls or routers. Response to IP Spoofing is difficult as the
originating host may be alternating spoofed hostnames or IP addresses in order to continually
circumvent detection. Initial appropriate response to these alerts may entail blocking or resetting the
local or remote user's connection/IP address, however this may prove ineffective or unrealistic. Other
responses may include applying updates or patches to server and/or client software, updates to
network infrastructure devices, or restriction of incoming/outgoing network requests/responses to
reflect inappropriate or abusive access. Unfortunately, it may prove difficult to derail an attempted
attack through IP Spoofing, however, routing and firewalling policies should prevent further access
through spoofed addresses.
AttackBehavior > ResourceAttack > NetworkAttack > Access > CoreAccess >
TCPHijackAccess
TCPHijackAccess alerts reflect a specific type of CoreAccess alert where the attack traffic is all
TCP and the intent is to hijack a user's connection. TCP Hijacking is done with the intent to take over
another network user's connection by sending malformed packets to 'confuse' the server into thinking
that the new user is the original user. In doing so, the original user gets removed from his connection
to the server and the new user has injected himself, taking over all attributes the server assumed from
the original - including levels of security and/or trust. TCP Hijacking can be used to place future
attack tools on client systems, gather information about networks and/or client systems, immediately
attack internal networks, or other malicious and/or abusive behavior.
These alerts are generally provided by network-based intrusion detection systems; in some cases,
network infrastructure devices such as firewalls or routers may also provide them. Appropriate
response to these alerts may entail blocking or resetting the remote hijacker's connection/IP address,
applying updates or patches to server and/or client software, updates to network infrastructure
devices, or restriction of incoming/outgoing network requests/responses to reflect inappropriate or
abusive access.
AttackBehavior > ResourceAttack > NetworkAttack > Access > CoreAccess >
TCPTunnelingAccess
TCPTunnelingAccess alerts reflect a specific type of CoreAccess alert where the attack traffic is all
TCP and the intent is to tunnel a possible malicious or abusive connection through other TCP traffic.
TCP tunneling uses permitted TCP traffic to bypass access policies on network devices, content
filtering, monitoring, and other traffic shaping or behavior policies. TCP tunneling is done by initiating
a known 'acceptable' TCP connection through allowed policies and piggybacking an unacceptable
connection atop the granted one. On the new 'tunnel' that the user has built, they are allowed to pass
any traffic through that does not match other policies - often after the connection has been initiated, it
may be difficult to detect and prevent further malicious or abusive activity.
These alerts are generally provided by network-based intrusion detection systems; in some cases,
network infrastructure devices such as firewalls or routers may also provide them. Appropriate
response to these alerts may entail blocking or resetting the local or remote user's connection/IP
address, applying updates or patches to server and/or client software, updates to network
infrastructure devices, or restriction of incoming/outgoing network requests/responses to reflect
inappropriate or abusive access.
AttackBehavior > ResourceAttack > NetworkAttack > Access > FileSystemAccess
FileSystemAccess alerts reflect malicious or abusive usage of network resources where the
intention, or the result, is gaining access to resources via remote filesystem traffic (using protocols
such as SMB and NFS). Generally, these alerts will reflect attempted exploitation of weaknesses in
the remote filesystem server or client software or attempts to gain system-level access to remote
filesystem servers themselves.
These alerts are generally provided by network-based intrusion detection systems, the remote
filesystem server, or the client software itself. Appropriate response to these alerts may entail better
access control of remote filesystems (e.g. restriction by IP address and/or user name to ensure only
trusted clients are connecting), applying updates or patches to remote filesystem servers and/or
clients, or the possible removal of the remote filesystem service or client application related to this
event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > FileSystemAccess >
NFSAccess
NFSAccess alerts are a specific type of FileSystemAccess alert that reflects malicious or abusive
usage of network resources where the intention, or the result, is gaining access to resources via NFS
(Network File System) remote filesystem traffic. Generally, these alerts will reflect attempted
exploitation of weaknesses in the NFS server or client software or attempts to gain system-level
access to NFS servers themselves.
These alerts are generally provided by network-based intrusion detection systems, the remote
filesystem server, or the client software itself. Appropriate response to these alerts may entail better
access control of remote filesystems (e.g. restriction by IP address and/or user name to ensure only
trusted clients are connecting), applying updates or patches to remote filesystem servers and/or
clients, or the possible removal of the remote filesystem service or client application related to this
event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > FileSystemAccess >
SMBAccess
SMBAccess alerts are a specific type of FileSystemAccess alert that reflects malicious or abusive
usage of network resources where the intention, or the result, is gaining access to resources via SMB
(server message block) remote filesystem traffic. Generally, these alerts will reflect attempted
exploitation of weaknesses in the SMB server or client software or attempts to gain system-level
access to SMB servers themselves.
These alerts are generally provided by network-based intrusion detection systems, the remote
filesystem server, or the client software itself. Appropriate response to these alerts may entail better
access control of remote filesystems (e.g. restriction by IP address and/or user name to ensure only
trusted clients are connecting), applying updates or patches to remote filesystem servers and/or
clients, or the possible removal of the remote filesystem service or client application related to this
event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > LinkControlAccess
LinkControlAccess alerts reflect malicious or abusive usage of network resources where the
intention, or the result, is gaining access to resources where the related data is low-level link control
(using protocols such as ARP). Generally, LinkControlAccess alerts will reflect attempted
exploitation of weaknesses in switching devices by usage of malformed incoming or outgoing data,
with intent to enumerate or gain access to or through switching devices, clients that are also on the
switching device, and entire networks attached to the switching device. In some cases, a managed
switch with restrictions on port analyzing activity may be forced into an unmanaged switch with no
restrictions - allowing a malicious client to sniff traffic and enumerate or attack.
These alerts are generally provided by network-based intrusion detection systems and network
infrastructure devices with link level control (such as switches). Appropriate response to
LinkControlAccess events may be to clear the link-level control mechanisms of the switching device
(things such as flushing the ARP cache), applying updates or patches to switching devices, or better
segmentation of networks to prevent information disclosure if an attack occurs.
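The LinkControlAccess description above ends with flushing the ARP cache as a response. A small monitor that replays ARP replies and reports the symptom behind that response (an IP address whose claimed MAC changes, or one MAC answering for many addresses) is shown below as an added example; it is not TriGeo code, and the ArpReply fields, the sample replies and the pinned gateway binding are constructed for illustration.

```python
"""ARP binding monitor (added example, not part of the TriGeo product).

Replays ARP replies, keeps the IP -> MAC table a host would build, and reports
rebinds, which is the switch/client symptom a LinkControlAccess alert describes.
The record fields and sample data are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float          # seconds, arbitrary origin
    sender_ip: str     # protocol address the reply claims
    sender_mac: str    # hardware address claiming it


def monitor_arp(replies, static_bindings=None):
    """Return (rebinds, table).

    `rebinds` lists (ip, old_mac, new_mac, ts) for every reply that tries to move an
    IP to a different MAC. `table` is the binding table left afterwards; entries in
    `static_bindings` (e.g. the default gateway) are pinned and never overwritten by
    learned replies, which is the defensive equivalent of a static ARP entry."""
    static = dict(static_bindings or {})
    table = dict(static)
    rebinds = []
    for r in sorted(replies, key=lambda x: x.ts):
        old = table.get(r.sender_ip)
        if old is not None and old != r.sender_mac:
            rebinds.append((r.sender_ip, old, r.sender_mac, r.ts))
            if r.sender_ip in static:
                continue  # pinned entry: report the attempt but keep the static MAC
        table[r.sender_ip] = r.sender_mac
    return rebinds, table


def macs_claiming_many_ips(replies, limit=2):
    """MACs that answer for more than `limit` distinct IPs: one station posing as many."""
    ips = defaultdict(set)
    for r in replies:
        ips[r.sender_mac].add(r.sender_ip)
    return {mac: sorted(v) for mac, v in ips.items() if len(v) > limit}


# Constructed sample: a gateway, two hosts, then a third station claiming all three.
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.0.0.1", "00:11:22:33:44:01"),
    ArpReply(1.0, "10.0.0.5", "00:11:22:33:44:05"),
    ArpReply(2.0, "10.0.0.6", "00:11:22:33:44:06"),
    ArpReply(3.0, "10.0.0.1", "00:11:22:33:44:99"),  # gateway rebind attempt
    ArpReply(3.5, "10.0.0.5", "00:11:22:33:44:99"),  # host rebind
    ArpReply(4.0, "10.0.0.6", "00:11:22:33:44:99"),  # host rebind
    ArpReply(5.0, "10.0.0.5", "00:11:22:33:44:05"),  # real host answers again
]
GATEWAY = {"10.0.0.1": "00:11:22:33:44:01"}  # assumed pinned binding

if __name__ == "__main__":
    rebinds, table = monitor_arp(SAMPLE_REPLIES, GATEWAY)
    for ip, old, new, ts in rebinds:
        print(f"t={ts}: {ip} moved {old} -> {new}")
    print("final table:", table)
    print("multi-IP MACs:", macs_claiming_many_ips(SAMPLE_REPLIES))
```

Every rebind is reported, but only the unpinned entries are actually learned, so the gateway binding survives the run; in a live monitor the rebind list is what you would feed into an alert, and the pinned table is what you would push as static entries when clearing the switch or host cache.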
AttackBehavior > ResourceAttack > NetworkAttack > Access > PointToPointAccess
PointToPointAccess alerts reflect malicious or abusive usage of network resources where the
intention, or the result, is gaining access to resources via point to point traffic (using protocols such
as PPTP). Generally, these alerts will reflect attempted exploitation of weaknesses in point to point
server or client software, attempts to enumerate networks, or attempts to further attack devices on
trusted networks.
These alerts are generally provided by network-based intrusion detection systems; in some cases,
network infrastructure devices such as firewalls, routers, or VPN servers may also provide them.
Appropriate response to these alerts may entail better access control of remote access services (e.g.
restriction by IP address and/or user name to ensure only trusted clients are connecting), applying
updates or patches to remote access servers and/or clients, or the possible removal of the remote
point to point service or client application related to this event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > PointToPointAccess >
PPTPSpoof
PPTPSpoof alerts reflect a specific type of PointToPointAccess alert where the attack traffic is all
PPTP and the intent is to misrepresent the originating address to either bypass detection or misdirect
response to attack activity; often the targets of these attacks are internal trusted networks that
allow remote access through PPTP tunneling. PPTP spoofing is done by falsifying network
information to convince the destination (and any network hops in between) that the given source is
something other than the actual source. Generally, while spoofed, clients will attempt to gather
information, perform actual attacks on internal devices, or perform denial of service attacks.
These alerts are generally provided by network-based intrusion detection systems and network
infrastructure devices such as firewalls or routers. Response to PPTP Spoofing is difficult, as the
originating host appears to be coming from a 'trusted' address that has already completed initial
handshaking and key sharing. Initial appropriate response to these alerts may entail blocking or
resetting the local or remote user's connection/IP address, applying updates or patches to server
and/or client software, updates to network infrastructure devices, or restriction of incoming/outgoing
PPTP traffic requests/responses to reflect inappropriate or abusive access.
AttackBehavior > ResourceAttack > NetworkAttack > Access > RemoteProcedureAccess
533
Appendix A: Alert Types
RemoteProcedureAccess alerts reflect malicious or abusive usage of network resources where the
intention, or the result, is gaining access to resources via remote procedure call traffic (using
protocols such as the traditional RPC services, RMI, and CORBA). Generally, these alerts will
reflect attempted exploitation of weaknesses in the remote procedure server or client software or
attempts to gain system-level access to remote procedure servers themselves.
These alerts are generally provided by network-based intrusion detection systems, the remote
procedure server, or the client software itself. Appropriate response to these alerts may entail better
access control of remote procedure services (e.g. restriction by IP address and/or user name to ensure only
trusted clients are connecting), applying updates or patches to remote procedure servers and/or
clients, or the possible removal of the remote procedure service or client application related to this
event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > RemoteProcedureAccess >
RPCPortmapperAccess
RPCPortmapperAccess alerts reflect malicious or abusive usage of network resources where the
intention, or the result, is gaining access to resources via remote procedure call traffic using the
traditional RPC portmapper service. Generally, these alerts will reflect attempted exploitation of
weaknesses in the remote procedure server or client software or attempts to gain system-level
access to remote procedure servers themselves.
These alerts are generally provided by network-based intrusion detection systems, the remote
procedure server, or the client software itself. Appropriate response to these alerts may entail better
access control of remote procedure services (e.g. restriction by IP address and/or user name to ensure only
trusted clients are connecting), applying updates or patches to remote procedure servers and/or
clients, or the possible removal of the remote procedure service or client application related to this
event.
AttackBehavior > ResourceAttack > NetworkAttack > Access > RoutingAccess
RoutingAccess alerts reflect malicious or abusive usage of network resources where the intention, or
the result, is gaining access to resources where the related data is routing-related protocols (RIP,
IGMP, etc.). Generally, RoutingAccess alerts will reflect attempted exploitation of weaknesses in
routing protocols or devices with intent to enumerate or gain access to or through routers, servers,
clients, or other network infrastructure devices. These routing protocols are used to automate the
routing process between multiple devices that share or span networks.
These alerts are generally provided by network-based intrusion detection systems and network
infrastructure devices that utilize routing protocols such as firewalls and routers. Appropriate
response to RoutingAccess events may be better access control of routing devices (e.g. restriction of
what devices are allowed to update routing by IP address to ensure only trusted devices are passing
data), applying updates or patches to routing servers and/or devices, or the possible removal of the
automated routing protocols from servers and/or devices.
AttackBehavior > ResourceAttack > NetworkAttack > Access > RoutingAccess >
MalformedRIPAccess
MalformedRIPAccess alerts reflect malicious or abusive usage of network resources where the
intention, or the result, is gaining access to resources where the related data is all RIP (Routing
Information Protocol). Generally, MalformedRIPAccess alerts will reflect attempted exploitation of
weaknesses in RIP by usage of malformed incoming or outgoing data, with the intent to enumerate or
gain access to or through routers, servers, clients, or other network infrastructure devices. RIP is
used to automate the routing process between multiple devices that share or span networks.
These alerts are generally provided by network-based intrusion detection systems and network
infrastructure devices that utilize routing protocols such as firewalls and routers. Appropriate
response to RIP Access events may be better access control of routing devices (e.g. restriction of
what devices are allowed to update routing by IP address to ensure only trusted devices are passing
data), applying updates or patches to routing servers and/or devices, or the possible removal of the
automated routing protocols from servers and/or devices.
AttackBehavior > ResourceAttack > NetworkAttack > Access > TrojanTrafficAccess
TrojanTrafficAccess alerts reflect malicious or abusive usage of network resources where the
intention, or the result, is gaining access to resources through malicious code commonly known as a
Trojan Horse. This alert detects the communication related to Trojans over the network (generally,
'trojaned' clients calling home to the originator). Trojans are generally executables that require no
user intervention to spread and contain malicious code that is placed on the client system
and used to exploit the client (and return access to the originator of the attack) or exploit other clients
(used in attacks such as distributed denial of service attacks).
These alerts are generally provided by a virus scanner, a network-based intrusion detection system,
or in some cases, the operating system or network infrastructure devices such as firewalls and
routers. Appropriate response to these alerts may entail a quarantine of the node from the network to
prevent internal attacks and further compromise of the client system, updates of virus scanner
pattern files on this and other network nodes to prevent future or further infection, virus scans on this
and other network nodes to detect further infection if any has taken place, and research into the
offending Trojan to find out methods of removal (if necessary).
AttackBehavior > ResourceAttack > NetworkAttack > Access > TrojanTrafficAccess >
TrojanCommandAccess
TrojanCommandAccess alerts reflect malicious or abusive usage of network resources where the
intention, or the result, is gaining access to resources through malicious code commonly known as
Trojan Horses. This alert detects the communication related to Trojans sending commands over the
network (infecting other clients, participating in a denial of service activity, being controlled remotely
by the originator, etc.). Trojans are generally executables that require no user intervention to
spread and contain malicious code that is placed on the client system and used to exploit the client
(and return access to the originator of the attack) or exploit other clients (used in attacks such as
distributed denial of service attacks).
These alerts are generally provided by a virus scanner, a network-based intrusion detection system,
or in some cases, the operating system or network infrastructure devices such as firewalls and
routers. Appropriate response to these alerts may entail a quarantine of the node from the network to
prevent internal attacks and further compromise of the client system, updates of virus scanner
pattern files on this and other network nodes to prevent future or further infection, virus scans on this
and other network nodes to detect further infection if any has taken place, and research into the
offending Trojan to find out methods of removal (if necessary).
AttackBehavior > ResourceAttack > NetworkAttack > Access > TrojanTrafficAccess >
TrojanInfectionAccess
TrojanInfectionAccess alerts reflect malicious or abusive usage of network resources where the
intention, or the result, is gaining access to resources through malicious code commonly known as a
Trojan Horse. This alert detects the infection traffic related to a Trojan entering the network (generally
with intent to infect a client). Trojans are generally executables that require no user
intervention to spread and contain malicious code that is placed on the client system and used to
exploit the client (and return access to the originator of the attack) or exploit other clients (used in
attacks such as distributed denial of service attacks).
These alerts are generally provided by a virus scanner, a network-based intrusion detection system,
or in some cases, the operating system or network infrastructure devices such as firewalls and
routers. Appropriate response to these alerts may entail a quarantine of the node from the network to
prevent internal attacks and further compromise of the client system, updates of virus scanner
pattern files on this and other network nodes to prevent future or further infection, virus scans on this
and other network nodes to detect further infection if any has taken place, and research into the
offending Trojan to find out methods of removal (if necessary).
AttackBehavior > ResourceAttack > NetworkAttack > Access > VirusTrafficAccess
VirusTrafficAccess alerts reflect malicious or abusive usage of network resources where the
intention, or the result, is gaining access to resources through malicious code commonly known as
viruses. This alert detects the communication related to viruses over the network (generally, the
spread of a virus infection or an incoming virus infection). Viruses are generally executables that
require user intervention to spread, contain malicious code that is placed on the client system, and
are used to exploit the client and possibly spread itself to other clients.
These alerts are generally provided by a virus scanner, a network-based intrusion detection system,
or in some cases, the operating system or network infrastructure devices such as firewalls and
routers. Appropriate response to these alerts may entail a quarantine of the node from the network to
prevent internal attacks and further compromise of the client system, updates of virus scanner
pattern files on this and other network nodes to prevent future or further infection, virus scans on this
and other network nodes to detect further infection if any has taken place, and research into the
offending virus to find out methods of removal (if necessary).
AttackBehavior > ResourceAttack > NetworkAttack > Denial
Children of the Denial tree define events centered on malicious or abusive usage of network
bandwidth/traffic where the intention, or the result, is inappropriate or abusive access to network
resources through a denial of service attack.
These alerts are generally provided by network-based intrusion detection systems, but may also be
provided by firewalls or other network infrastructure devices.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > ApplicationDenial
ApplicationDenial events are a specific type of Denial event where the transport of the malicious or
abusive usage is application-layer protocols. The intent, or the result, of this activity is inappropriate
or abusive access to network resources through a denial of service attack. ApplicationDenial events
may be attempts to exploit weaknesses in software to gain access to a host system, attempts to
exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other
denial of service activities.
These alerts are generally provided by network-based intrusion detection systems, but may also be
provided by firewalls or other network infrastructure devices.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > ApplicationDenial >
FileTransferDenial
FileTransferDenial events are a specific type of Denial event where the transport of the malicious or
abusive usage is application-layer file transfer-related protocols (FTP, TFTP, etc.). The intent, or the
result, of this activity is inappropriate or abusive access to network resources through a denial of
service attack. FileTransferDenial events may be attempts to exploit weaknesses in file transfer-related
software to gain access to a host system, attempts to exploit weaknesses in the software to
enumerate or reconfigure, or other denial of service activities.
These alerts are generally provided by network-based intrusion detection systems, but may also be
provided by firewalls or other network infrastructure devices.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > ApplicationDenial >
MailDenial
MailDenial events are a specific type of Denial event where the transport of the malicious or abusive
usage is application-layer mail-related protocols (SMTP, IMAP, POP3, etc.) or services (majordomo,
spam filters, etc.). The intent, or the result, of this activity is inappropriate or abusive access to
network resources through a denial of service attack. MailDenial events may be attempts to exploit
weaknesses in mail-related software to gain access to a host system, attempts to exploit
weaknesses in the software to enumerate or reconfigure, or other denial of service activities.
These alerts are generally provided by network-based intrusion detection systems, but may also be
provided by firewalls or other network infrastructure devices.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > ApplicationDenial >
MailDenial > MailServiceDenial
MailServiceDenial events are a specific type of Denial event where the transport of the malicious or
abusive usage is application-layer mail-related services (majordomo, spam filters, etc.). The intent, or
the result, of this activity is inappropriate or abusive access to network resources through a denial of
service attack. MailServiceDenial events may be attempts to exploit weaknesses in mail-related
software to gain access to a host system, attempts to exploit weaknesses in the software to
enumerate or reconfigure, or other denial of service activities.
These alerts are generally provided by network-based intrusion detection systems, but may also be
provided by firewalls or other network infrastructure devices.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > ApplicationDenial >
MailDenial > MailServiceDenial > MailSpamDenial
MailSpamDenial events are a specific type of Denial event where the transport of the malicious or
abusive usage is application-layer mail-related services (usually SMTP). The intent, or the result, of
this activity is inappropriate or abusive access to network resources through a denial of service
attack through excessive mail relaying. MailSpamDenial events reflect excessive attempts to relay
mail through an SMTP server from remote sites that should not typically be relaying mail through the
server, let alone excessive quantities of mail. The goal of these attacks may not be to enumerate or
exploit weaknesses in the mail server, but simply to relay as much mail through an open relay mail
server as quickly as possible, resulting in a denial of service attack.
These alerts are generally provided by network-based intrusion detection systems, but may also be
provided by the mail server itself, firewalls, or other network infrastructure devices. These alerts may
indicate an open relay on the network or an attempt to find an open relay; appropriate response may
be to close access to SMTP servers to only internal and necessary external IP addresses.
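The MailSpamDenial entry distinguishes inbound mail for local domains from relay attempts by outside hosts, and names the open relay as the condition to close. The following added example (not TriGeo code) runs that distinction over a few constructed SMTP log lines: the line format, the internal network list and the local domain list are assumptions chosen for the illustration, not a real mail server's format.

```python
"""Relay-attempt and open-relay detector over SMTP log lines.

Added example, not part of the TriGeo product. The log line shape below is
constructed for the example; adapt LINE_RE to the mail server actually in use."""
import ipaddress
import re
from collections import Counter

# Assumed line shape:
#   <timestamp> relay client=<ip> from=<addr> to=<addr> status=<accepted|rejected>
LINE_RE = re.compile(
    r"client=(?P<client>[0-9.]+)\s+from=<(?P<sender>[^>]*)>\s+"
    r"to=<(?P<rcpt>[^>]*)>\s+status=(?P<status>\w+)"
)


def parse_line(line):
    """Return the named fields of one log line, or None if it is not a relay record."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def relay_report(lines, internal_nets, local_domains, threshold=3):
    """Return (flooders, open_relay_accepts).

    A relay attempt is a message from a client outside `internal_nets` addressed to
    a domain not in `local_domains`: the server is being asked to forward mail for a
    third party. `flooders` maps each external client with at least `threshold`
    such attempts to its count (the excessive-relaying pattern of the alert);
    `open_relay_accepts` lists (client, recipient) pairs the server accepted, which
    is the open-relay condition that access control on the SMTP service should close."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    local = {d.lower() for d in local_domains}
    attempts = Counter()
    open_relay_accepts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client = ipaddress.ip_address(rec["client"])
        if any(client in n for n in nets):
            continue  # internal users are expected to relay outbound mail
        rcpt_domain = rec["rcpt"].rpartition("@")[2].lower()
        if rcpt_domain in local:
            continue  # inbound mail for a local domain is delivery, not relaying
        attempts[rec["client"]] += 1
        if rec["status"] == "accepted":
            open_relay_accepts.append((rec["client"], rec["rcpt"]))
    flooders = {c: n for c, n in attempts.items() if n >= threshold}
    return flooders, open_relay_accepts


# Constructed sample log (RFC 5737 documentation addresses, example domains).
SAMPLE_LOG = """\
2010-03-01T10:00:01 relay client=203.0.113.7 from=<x@spam.example> to=<a@example.net> status=rejected
2010-03-01T10:00:01 relay client=203.0.113.7 from=<x@spam.example> to=<b@example.net> status=rejected
2010-03-01T10:00:02 relay client=203.0.113.7 from=<x@spam.example> to=<c@example.org> status=rejected
2010-03-01T10:00:02 relay client=203.0.113.7 from=<x@spam.example> to=<d@example.org> status=rejected
2010-03-01T10:00:03 relay client=198.51.100.9 from=<y@other.example> to=<e@example.org> status=accepted
2010-03-01T10:00:04 relay client=10.0.0.20 from=<me@corp.example> to=<f@example.net> status=accepted
2010-03-01T10:00:05 relay client=192.0.2.44 from=<friend@partner.example> to=<me@corp.example> status=accepted
""".splitlines()

INTERNAL_NETS = ["10.0.0.0/8"]      # assumed internal address space
LOCAL_DOMAINS = ["corp.example"]    # assumed domains this server delivers for

if __name__ == "__main__":
    flooders, accepts = relay_report(SAMPLE_LOG, INTERNAL_NETS, LOCAL_DOMAINS)
    print("excessive relay attempts:", flooders)
    print("accepted third-party relays (open relay):", accepts)
```

Rejected attempts still count toward the flooder threshold because the alert is about the volume of relay requests, not only the ones that succeed; a single accepted third-party relay is reported separately because it is a configuration fault rather than a rate problem.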
AttackBehavior > ResourceAttack > NetworkAttack > Denial > ApplicationDenial >
WebDenial
WebDenial events are a specific type of Denial event where the transport of the malicious or abusive
usage is application-layer web-related protocols (HTTP, HTTPS, etc.) or services (CGI, ASP, etc.).
The intent, or the result, of this activity is inappropriate or abusive access to network resources
through a denial of service attack. WebDenial events may be attempts to exploit weaknesses in web-related
software to gain access to a host system, attempts to exploit weaknesses in the software to
enumerate or reconfigure, or other denial of service activities.
These alerts are generally provided by network-based intrusion detection systems, but may also be
provided by firewalls or other network infrastructure devices.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial
CoreDenial events are a specific type of Denial event where the transport of the malicious or abusive
usage is core protocols (TCP, IP, ICMP, UDP). The intent, or the result, of this activity is
inappropriate or abusive access to network resources through a denial of service attack. CoreDenial
events may be attempts to exploit weaknesses in software to gain access to a host system,
attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure
devices, or other denial of service activities.
These alerts are generally provided by network-based intrusion detection systems, but may also be
provided by firewalls or other network infrastructure devices.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial > ChargenDenial
ChargenDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result, of this
activity is inappropriate or abusive access to network resources through a denial of service via UDP
chargen or echo services. This attack attempts to exploit network infrastructure devices and hosts by
pointing two chargen or echo hosts at each other and forcing so many responses that the network and
hosts are flooded. In response to a request to the echo or chargen port, the second device will send a
response, which will trigger another request, which will trigger a response, etc. The source of the
initial request is a spoofed IP address, which appears as one of the hosts which will be a party in the
attack (sent to the second host). This will render both devices and possibly the network they are on
useless either temporarily or for a significant amount of time by the sheer amount of traffic that is
created.
ChargenDenial alerts are generally provided by network-based intrusion detection systems and
network infrastructure devices such as firewalls or routers.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial >
ICMPFloodDenial
ICMPFloodDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result, of
this activity is inappropriate or abusive access to network resources through a denial of service by an
ICMP-based 'flood' attack (which uses many very large ICMP packets). The network infrastructure
devices handling the traffic may pass on the traffic correctly, however, any vulnerable client or device
on the network may not be able to process the incoming traffic (it may use up system resources to the
point where the device is rendered useless and cannot accept network connections). Normal ICMP
Traffic should not trigger an ICMPFloodDenial alert.
ICMPFloodDenial alerts are generally provided by network-based intrusion detection systems and
network infrastructure devices such as firewalls or routers.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial >
ICMPFragmentationDenial
ICMPFragmentationDenial alerts reflect a specific type of CoreDenial alert where the intent, or the
result, of this activity is inappropriate or abusive access to network resources through a denial of
service attack by using many ICMP fragments (usually either much larger or smaller than normal
fragments). The network infrastructure devices handling the traffic will reassemble and pass on the
traffic correctly, however, any vulnerable client on the network may not be able to reassemble the
fragmented traffic (it may overflow the stack, triggering a host or service crash). Normal ICMP
fragmentation (data that has been taken apart because it is too large based on network parameters)
should not trigger an ICMPFragmentationDenial alert.
Fragmentation alerts themselves are generally provided by network-based intrusion detection
systems and network infrastructure devices such as firewalls or routers.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial >
ICMPSourceQuenchDenial
ICMPSourceQuenchDenial alerts reflect a specific type of CoreDenial alert where the intent, or the
result, of this activity is inappropriate or abusive access to network resources through a denial of
service by an ICMP-based attack (which uses many ICMP packets set to type 4 - Source Quench).
The network infrastructure devices handling the traffic may pass on the traffic correctly, however, any
client listening and responding to source quench traffic may be slowed down to the point where
rendered useless by way of correct response to the quench request. Normal ICMP traffic (including
single, normal, source quench packets) should not trigger an ICMPSourceQuenchDenial alert.
ICMPSourceQuenchDenial alerts are generally provided by network-based intrusion detection
systems and network infrastructure devices such as firewalls or routers.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial > IPFloodDenial
IPFloodDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result, of this
activity is inappropriate or abusive access to network resources through a denial of service by an IP-based
'flood' attack (which uses many very large IP packets). The network infrastructure devices
handling the traffic may pass on the traffic correctly, however, any vulnerable client or device on the
network may not be able to process the incoming traffic (it may use up system resources to the point
where the device is rendered useless and cannot accept network connections). Normal IP Traffic
should not trigger an IPFloodDenial alert.
IPFloodDenial alerts are generally provided by network-based intrusion detection systems and
network infrastructure devices such as firewalls or routers.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial >
IPFragmentationDenial
IPFragmentationDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result,
of this activity is inappropriate or abusive access to network resources through a denial of service
attack by using many IP fragments (usually either much larger or smaller than normal fragments). The
network infrastructure devices handling the traffic will reassemble and pass on the traffic correctly,
however, any vulnerable client on the network may not be able to reassemble the fragmented traffic (it
may overflow the stack, triggering a host or service crash). Normal IP fragmentation (data that has
been taken apart because it is too large based on network parameters) should not trigger an
IPFragmentationDenial alert.
Fragmentation alerts themselves are generally provided by network-based intrusion detection
systems and network infrastructure devices such as firewalls or routers.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial >
IPFragmentationDenial > PingOfDeathDenial
PingOfDeathDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result, of
this activity is inappropriate or abusive access to network resources through a denial of service by a
'ping of death' attack (which uses many large ICMP Echo Request packets). The network
infrastructure devices handling the traffic will pass on the traffic correctly, however, any vulnerable
client on the network may not be able to process the incoming traffic (it may be processed in such a
way that triggers a host or service crash). Unpatched Windows NT and 95/98 clients are especially
vulnerable to this type of attack. Normal ICMP Echo Traffic should not trigger a PingOfDeathDenial
alert.
PingOfDeathDenial alerts are generally provided by network-based intrusion detection systems and
network infrastructure devices such as firewalls or routers.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial >
LandAttackDenial
LandAttackDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result, of
this activity is inappropriate or abusive access to network resources through a denial of service by a
'land' attack (which uses TCP traffic with the SYN bit set and the same source IP and port as the
destination). The network infrastructure devices handling the traffic will pass on the traffic correctly,
however, any vulnerable client on the network may not be able to process the incoming traffic (it may
be processed in such a way that triggers a host or service crash). Unpatched Windows 3.11, NT, and
95 clients are especially vulnerable to this type of attack. Normal TCP traffic (with or without the SYN
bit) should not trigger a LandAttackDenial alert.
LandAttackDenial alerts are generally provided by network-based intrusion detection systems and
network infrastructure devices such as firewalls or routers.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial > SmurfDenial
SmurfDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result, of this
activity is inappropriate or abusive access to network resources through a denial of service by a
'Smurf' attack. A Smurf attack attempts to exploit a vulnerability in some network infrastructure
devices by sending ICMP Echo Requests to devices that will re-broadcast the traffic to internal
devices. In response to the broadcast Echo Request, all of the devices will send an ICMP Echo
Reply, which will effectively overflow the device. The destination of the ICMP Echo Reply is a
spoofed 'victim' IP address which will also be overflowed by the actual replies sent to their host. This
will render both devices useless either temporarily or for a significant amount of time.
SmurfDenial alerts are generally provided by network-based intrusion detection systems and network
infrastructure devices such as firewalls or routers.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial > SnorkDenial
SnorkDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result, of this
activity is inappropriate or abusive access to network resources through a denial of service by a
'Snork' attack. A Snork attack attempts to exploit a vulnerability in Windows NT devices by using the
Windows RPC service and sending packets to devices that will broadcast the traffic to other internal
Windows NT devices using RPC. In response to the broadcast, all of the Windows NT devices will
send another packet, and this process will continue until it effectively overflows the device and
possibly the network. The destination or source of the initial packet is a spoofed 'victim' IP address
which will create the illusion of internal activity. This will render both devices useless either
temporarily or for a significant amount of time.
SnorkDenial alerts are generally provided by network-based intrusion detection systems and network
infrastructure devices such as firewalls or routers.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial > SynFloodDenial
SYNFloodDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result, of
this activity is inappropriate or abusive access to network resources through a denial of service by a
TCP-based 'flood' attack (which uses many very large TCP packets with the SYN bit set). The
network infrastructure devices handling the traffic may pass on the traffic correctly, however, any
vulnerable client or device on the network may not be able to process the incoming traffic (it may use
up system resources to the point where the device is rendered useless and cannot accept network
connections). Normal TCP Traffic (with or without the SYN flag) should not trigger a SYNFloodDenial
alert.
SYNFloodDenial alerts are generally provided by network-based intrusion detection systems and
network infrastructure devices such as firewalls or routers.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial > TeardropDenial
TeardropDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result, of this
activity is inappropriate or abusive access to network resources through a denial of service by a
teardrop attack (which uses many overlapping IP fragments, usually either much larger or smaller
than normal fragments). The network infrastructure devices handling the traffic will reassemble and
pass on the traffic correctly, however, any vulnerable client on the network may not be able to
reassemble the fragmented traffic (it may be reassembled in such a way that triggers a host or
service crash). Unpatched Windows NT and 95/98 clients are especially vulnerable to this type of
attack. Normal IP fragmentation (data that has been taken apart because it is too large based on
network parameters) should not trigger a TeardropDenial alert.
TeardropDenial alerts are generally provided by network-based intrusion detection systems and
network infrastructure devices such as firewalls or routers.
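Several of the CoreDenial entries above (ChargenDenial, ICMPFloodDenial, IPFragmentationDenial/TeardropDenial, LandAttackDenial and SmurfDenial) each describe a packet-level pattern that a sensor can recognise directly. The following added example (not TriGeo code) puts those patterns into one classifier over constructed packet records; the Packet fields, the broadcast address list, the flood threshold and the sample traffic are assumptions made for the illustration and not a real capture format.

```python
"""Classifier for the CoreDenial packet patterns described in this appendix.

Added example, not part of the TriGeo product. Packet is a constructed record
type standing in for whatever the sensor decodes; thresholds are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

ECHO_CHARGEN_PORTS = {7, 19}   # UDP echo and chargen, the two self-answering services
ICMP_ECHO_REQUEST = 8


@dataclass
class Packet:
    ts: float
    proto: str                     # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""                # TCP flags as letters, e.g. "S" for SYN
    icmp_type: int = -1
    frag_id: Optional[int] = None  # IP identification, set only for fragments
    frag_off: int = 0              # fragment offset in bytes
    frag_len: int = 0              # payload bytes carried by this fragment


def is_land(p: Packet) -> bool:
    """Land: TCP SYN whose source address and port equal the destination's."""
    return p.proto == "tcp" and "S" in p.flags and p.src == p.dst and p.sport == p.dport


def is_chargen_loop(p: Packet) -> bool:
    """Chargen/echo loop: UDP between two ports that both answer everything."""
    return p.proto == "udp" and p.sport in ECHO_CHARGEN_PORTS and p.dport in ECHO_CHARGEN_PORTS


def is_smurf(p: Packet, broadcast_addrs) -> bool:
    """Smurf: ICMP Echo Request aimed at a directed-broadcast address."""
    return p.proto == "icmp" and p.icmp_type == ICMP_ECHO_REQUEST and p.dst in broadcast_addrs


def icmp_flood_sources(packets, window=1.0, threshold=100):
    """Sources sending more than `threshold` ICMP packets within any `window` seconds."""
    recent = defaultdict(deque)
    flagged = set()
    for p in sorted(packets, key=lambda x: x.ts):
        if p.proto != "icmp":
            continue
        q = recent[p.src]
        q.append(p.ts)
        while q and p.ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            flagged.add(p.src)
    return flagged


def overlapping_fragments(packets):
    """Teardrop-style conflicts: fragments of one datagram whose byte ranges overlap."""
    groups = defaultdict(list)
    for p in packets:
        if p.frag_id is not None:
            groups[(p.src, p.dst, p.frag_id)].append(p)
    bad = []
    for key, frags in groups.items():
        frags.sort(key=lambda f: f.frag_off)
        end = -1
        for f in frags:
            if f.frag_off < end:   # starts inside the previous fragment's range
                bad.append(key)
                break
            end = f.frag_off + f.frag_len
    return bad


def classify(packets, broadcast_addrs=(), flood_threshold=100):
    """Map alert type name -> evidence for every pattern present in `packets`."""
    bcast = set(broadcast_addrs)
    alerts = defaultdict(list)
    for p in packets:
        if is_land(p):
            alerts["LandAttackDenial"].append(p.src)
        if is_chargen_loop(p):
            alerts["ChargenDenial"].append((p.src, p.dst))
        if is_smurf(p, bcast):
            alerts["SmurfDenial"].append((p.src, p.dst))
    alerts["ICMPFloodDenial"].extend(sorted(icmp_flood_sources(packets, threshold=flood_threshold)))
    alerts["TeardropDenial"].extend(overlapping_fragments(packets))
    return {k: v for k, v in alerts.items() if v}


# Constructed sample traffic (RFC 5737 documentation addresses), not a real capture.
SAMPLE = [
    Packet(0.0, "tcp", "192.0.2.10", "192.0.2.10", sport=139, dport=139, flags="S"),
    Packet(0.1, "udp", "192.0.2.20", "192.0.2.21", sport=7, dport=19),
    Packet(0.2, "icmp", "198.51.100.5", "192.0.2.255", icmp_type=8),
    Packet(0.3, "tcp", "192.0.2.30", "192.0.2.40", sport=50000, dport=80, flags="S"),
    Packet(0.4, "udp", "192.0.2.50", "192.0.2.60", frag_id=7, frag_off=0, frag_len=32),
    Packet(0.5, "udp", "192.0.2.50", "192.0.2.60", frag_id=7, frag_off=24, frag_len=32),
]
SAMPLE += [Packet(1.0 + i * 0.001, "icmp", "203.0.113.9", "192.0.2.1", icmp_type=8) for i in range(150)]

if __name__ == "__main__":
    for name, hits in classify(SAMPLE, broadcast_addrs={"192.0.2.255"}).items():
        print(name, hits)
```

The ordinary SYN at index 3 and the single Echo Request to a unicast address are deliberately left unflagged, matching the "normal traffic should not trigger" caveat each entry carries; the flood detector keeps a per-source sliding window rather than a global counter so one noisy host does not mask another.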
AttackBehavior > ResourceAttack > NetworkAttack > Denial > CoreDenial > UDPBombDenial
UDPBombDenial alerts reflect a specific type of CoreDenial alert where the intent, or the result, of
this activity is inappropriate or abusive access to network resources through a denial of service by a
UDP-based 'bomb' attack (which uses many large UDP packets). The network infrastructure devices
handling the traffic may pass on the traffic correctly, however, any vulnerable client or device on the
network may not be able to process the incoming traffic (it may be processed in such a way that
triggers a host or service crash). Normal UDP Traffic should not trigger a UDPBombDenial alert.
UDPBombDenial alerts are generally provided by network-based intrusion detection systems and
network infrastructure devices such as firewalls or routers.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > ConfigurationDenial
ConfigurationDenial events are a specific type of Denial event where the malicious or abusive usage is
carried over protocols related to the configuration of resources (DHCP, BootP, SNMP, etc.). The intent,
or the result, of this activity is inappropriate or abusive access to network resources through a
denial of service attack. ConfigurationDenial events may be attempts to exploit weaknesses in
configuration-related software to gain access to a host system, attempts to exploit weaknesses in
network infrastructure equipment to enumerate or reconfigure devices, or other denial of service
activities.
These alerts are generally provided by network-based intrusion detection systems, but may also be
provided by firewalls or other network infrastructure devices.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > FileSystemDenial
FileSystemDenial events are a specific type of Denial event where the malicious or abusive usage is
carried over remote filesystem protocols (NFS, SMB, etc.). The intent, or the result, of this activity is
inappropriate or abusive access to network resources through a denial of service attack.
FileSystemDenial events may be attempts to exploit weaknesses in remote filesystem services or
software to gain access to a host system, attempts to exploit weaknesses in network infrastructure
equipment to enumerate or reconfigure devices, or other denial of service activities.
These alerts are generally provided by network-based intrusion detection systems, but may also be
provided by firewalls or other network infrastructure devices.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > LinkControlDenial
LinkControlDenial events are a specific type of Denial event where the malicious or abusive usage is
carried over link-level protocols (such as ARP). The intent, or the result, of this activity is
inappropriate or abusive access to network resources through a denial of service attack.
LinkControlDenial events may be attempts to exploit weaknesses in link-level control software to
gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to
enumerate or reconfigure devices, or other denial of service activities.
These alerts are generally provided by network-based intrusion detection systems, but may also be
provided by firewalls or other network infrastructure devices.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > RemoteProcedureDenial
RemoteProcedureDenial events are a specific type of Denial event where the malicious or abusive usage
is carried over remote procedure protocols (traditional RPC, RMI, CORBA, etc.) or directed at a remote
procedure service (portmapper, etc.). The intent, or the result, of this activity is inappropriate or
abusive access to network resources through a denial of service attack. RemoteProcedureDenial events
may be attempts to exploit weaknesses in remote procedure services or software to gain access to a
host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other
denial of service activities.
These alerts are generally provided by network-based intrusion detection systems, but may also be
provided by firewalls or other network infrastructure devices.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > RemoteProcedureDenial > RPCPortmapperDenial
RPCPortmapperDenial events are a specific type of Denial event where the malicious or abusive usage is
carried over remote procedure protocols and is specifically directed at the RPC portmapper service.
The intent, or the result, of this activity is inappropriate or abusive access to network resources
through a denial of service attack. RPCPortmapperDenial events may be attempts to exploit weaknesses
in the remote procedure service or software to gain access to a host system, attempts to exploit
weaknesses in the software to enumerate or reconfigure, or other denial of service activities.
These alerts are generally provided by network-based intrusion detection systems, but may also be
provided by firewalls or other network infrastructure devices.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > RoutingDenial
RoutingDenial events are a specific type of Denial event where the malicious or abusive usage is carried
over routing-related protocols (RIP, IGMP, etc.). The intent, or the result, of this activity is
inappropriate or abusive access to network resources through a denial of service attack. RoutingDenial
events may be attempts to exploit weaknesses in routers or routing software to gain access to a host
system, attempts to exploit weaknesses in the routing software or service to enumerate or reconfigure,
or other denial of service activities.
These alerts are generally provided by network-based intrusion detection systems, but may also be
provided by firewalls or other network infrastructure devices.
AttackBehavior > ResourceAttack > NetworkAttack > Denial > TrojanTrafficDenial
TrojanTrafficDenial events are a specific type of Denial event where the malicious or abusive traffic
originates from malicious code on a client system known as a Trojan. The intent, or the result, of this
activity is inappropriate or abusive access to network resources through a denial of service attack.
TrojanTrafficDenial events may be attempts to exploit weaknesses in software to gain access to a host
system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or
reconfigure devices, attempts to spread the Trojan to other hosts, or other denial of service activities.
These alerts are generally provided by network-based intrusion detection systems, but may also be
provided by firewalls or other network infrastructure devices.
AttackBehavior > ResourceAttack > NetworkAttack > Relay
Children of the Relay tree define events centered on malicious or abusive usage of network
bandwidth/traffic where the intention, or the result, is relaying inappropriate or abusive access to other
network resources (either internal or external). Generally, these attacks will have the perimeter or an
internal host as their point of origin. When sourced from remote hosts, they may indicate a successful
exploit of an internal or perimeter host.
These alerts are generally provided by network-based intrusion detection systems, but may also be
provided by firewalls or other network infrastructure devices.
AttackBehavior > ResourceAttack > NetworkAttack > Relay > DDOSToolRelay
DDOSToolRelay events reflect potential network traffic related to known Distributed Denial of
Service tools. These tools are used to relay attacks to new remote (and possibly local) hosts to
exploit or inundate the remote host with data in an attempt to cripple it. Generally, these attacks will
have a perimeter or an internal host as their point of origin. When sourced from remote hosts, they
may indicate a successful exploit of an internal or perimeter host.
These alerts are generally provided by network-based intrusion detection systems, but may also be
provided by firewalls or other network infrastructure devices.
Appropriate response to these events may be to restrict the source from accessing any external
network, running a virus scanner or other detection utility to detect and remove the presence of any
relay tool (in some cases known as a 'zombie'), and if necessary, to quarantine the source node from
the network to further isolate the issue. If these events are sourced from a completely external
network, blocking the remote host, better access control of clients, servers, and services (e.g.
restriction by IP address and/or user name to ensure only trusted clients are connecting), application
of updates or patches to servers and/or clients, or the possible removal of the service related to this
event may also be appropriate actions.
AttackBehavior > ResourceAttack > NetworkAttack > Relay > FileTransferRelay
FileTransferRelay events reflect potential network traffic related to known attack tools that operate
over file transfer protocols. These tools are used to relay attacks to new remote (and possibly local)
hosts to exploit or abuse services. Generally, these attacks will have a perimeter or an internal host
as their point of origin. When sourced from remote hosts, they may indicate a successful exploit of an
internal or perimeter host.
These alerts are generally provided by network-based intrusion detection systems, but may also be
provided by the file transfer software itself, and firewalls or other network infrastructure devices.
Appropriate response to these events may be to restrict the source from accessing any external
network, running a virus scanner or other detection utility to detect and remove the presence of any
relay tool, and if necessary, to quarantine the source node from the network to further isolate the
issue. If these events are sourced from a completely external network, blocking the remote host,
better access control of file transfer servers (e.g. restriction by IP address and/or user name to ensure
only trusted clients are connecting), application of updates or patches to file transfer servers and/or
clients, or the possible removal of the file transfer service or client application related to this event
may also be appropriate actions.
AttackBehavior > ResourceAttack > NetworkAttack > Relay > FileTransferRelay > FTPBounce
FTPBounce events are a specific type of FileTransferRelay related to known attack tools that abuse the
FTP PORT command (which lets a client tell the server where to open its data connection) to launder
connections to other services, redirect attacks to other hosts or services, or redirect connections to
other hosts or services. Generally, these attacks will have a perimeter or an internal host as their
point of origin. When sourced from remote hosts, they may indicate a successful exploit of an internal
or perimeter host.
These alerts are generally provided by network-based intrusion detection systems, but may also be
provided by the file transfer software or service itself, and firewalls or other network infrastructure
devices.
Appropriate response to these events may be to restrict the source from accessing any external
network, running a virus scanner or other detection utility to detect and remove the presence of any
relay tool, and if necessary, to quarantine the source node from the network to further isolate the
issue. If these events are sourced from a completely external network, blocking the remote host,
better access control of file transfer servers (e.g. restriction by IP address and/or user name to ensure
only trusted clients are connecting), application of updates or patches to file transfer servers and/or
clients, or the possible removal of the file transfer service or client application related to this event
may also be appropriate actions.
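The FileTransferRelay and FTPBounce entries above describe the abuse but not the check a sensor performs: in an active-mode transfer the client names the address and port the server should connect back to, and a benign client names itself. The following is an added example (not code from the TriGeo manual or from any FTP server) that parses PORT and EPRT commands from a control-channel log and flags requests pointing at a third host or at a privileged port. The log layout and the sample lines are constructed.

```python
"""PORT/EPRT check for FTP bounce: an added example for the FileTransferRelay
and FTPBounce entries, not part of the TriGeo manual or of any FTP server.
The control-channel log format and the sample lines are constructed."""
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.I)
EPRT_RE = re.compile(r"^EPRT \|([12])\|([^|]+)\|(\d+)\|$", re.I)
LOG_RE = re.compile(r"^(\S+) client=(\S+) cmd=(.+)$")   # assumed log layout


def data_connection_target(command):
    """Return the (ip, port) a PORT or EPRT command asks the server to connect
    to, or None for any other command. PORT encodes the port as two decimal
    bytes, high byte first (RFC 959); EPRT is the RFC 2428 form."""
    m = PORT_RE.match(command)
    if m:
        h1, h2, h3, h4, p_hi, p_lo = (int(x) for x in m.groups())
        return f"{h1}.{h2}.{h3}.{h4}", p_hi * 256 + p_lo
    m = EPRT_RE.match(command)
    if m:
        return m.group(2), int(m.group(3))
    return None


def ftp_bounce_alerts(log_lines):
    """Flag active-mode requests whose data connection would go somewhere
    other than the requesting client, or to a privileged port on the client.
    A benign client always names its own address and an unprivileged port."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, cmd = m.groups()
        target = data_connection_target(cmd.strip())
        if target is None:
            continue
        ip, port = target
        if ip != client:
            alerts.append((ts, client, ip, port, "third-party data target (bounce)"))
        elif port < 1024:
            alerts.append((ts, client, ip, port, "privileged port on client"))
    return alerts


SAMPLE_LOG = [   # constructed control-channel log, not from a real server
    "2010-03-01T10:00:00 client=10.0.0.5 cmd=USER anonymous",
    "2010-03-01T10:00:01 client=10.0.0.5 cmd=PORT 10,0,0,5,4,1",          # own IP, port 1025: normal
    "2010-03-01T10:00:02 client=10.0.0.5 cmd=RETR README",
    "2010-03-01T10:00:10 client=198.51.100.7 cmd=PORT 192,0,2,25,0,25",   # bounce to a mail server
    "2010-03-01T10:00:11 client=198.51.100.7 cmd=EPRT |1|192.0.2.30|22|", # bounce via EPRT
    "2010-03-01T10:00:12 client=198.51.100.7 cmd=PORT 198,51,100,7,0,80", # own IP, privileged port
]

if __name__ == "__main__":
    for alert in ftp_bounce_alerts(SAMPLE_LOG):
        print(alert)
```

The first PORT command is left alone because it names the client's own address and an ephemeral port; the three that follow are the relay patterns the entry describes, including the EPRT form that a PORT-only rule would miss.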
AttackBehavior > ResourceAttack > ServiceProcessAttack
Members of the ServiceProcessAttack tree are used to define events centered on malicious or
abusive usage of services or user processes. These events include abuse or misuse of resources
from malicious code placed on the client system.
AttackBehavior > ResourceAttack > ServiceProcessAttack > VirusAttack
VirusAttack alerts reflect malicious code placed on a client or server system, which may lead to
system or other resource compromise and may lead to further attack. The severity of this alert will
depend on the ActionTaken field, which reflects whether the virus or other malicious code was
successfully removed.
These alerts are usually provided by a virus scanner running on the client system. Appropriate
response to these alerts may entail a quarantine of the node from the network to prevent further
outbreak, updates of virus scanner pattern files on other network nodes to prevent further outbreak,
virus scans on other network nodes to detect further outbreak if any has taken place, and research
into the offending virus to find out methods of removal.
AttackBehavior > ResourceAttack > ServiceProcessAttack > VirusSummaryAttack
VirusSummaryAttack alerts reflect malicious code placed on a client or server system, which may
lead to system or other resource compromise and may lead to further attack. The severity of this alert
will depend on the ActionTaken field which reflects whether the virus or other malicious code was
successfully removed. These alerts differ from VirusAttack in that they may be a composite of virus
events normally due to a scheduled scan on the client system as opposed to a real-time scan.
These alerts are usually provided by a virus scanner running on the client system. Appropriate
response to these alerts may entail a quarantine of the node from the network to prevent further
outbreak, updates of virus scanner pattern files on other network nodes to prevent further outbreak,
virus scans on other network nodes to detect further outbreak if any has taken place, and research
into the offending virus to find out methods of removal.
GeneralSecurity
GeneralSecurity alerts are generated when a supported product outputs data that has not yet been
normalized into a specific alert, but is known to be security issue-related.
SuspiciousBehavior
Alerts that are children of SuspiciousBehavior are generally related to network activity that may be
consistent with enumeration of resources, unexpected traffic, abnormal authentication events, or other
abnormal behavior that should be considered indicative of a serious security event.
SuspiciousBehavior > AuthSuspicious
Members of the AuthSuspicious tree are used to define events regarding suspicious authentication
and authorization events. These events include excessive failed authentication or authorization
attempts, suspicious access by unauthenticated users, and suspicious access to unauthorized
services or information.
SuspiciousBehavior > AuthSuspicious > FailedAuthentication
FailedAuthentication events occur when a user has made several authentication attempts that have all
failed, or when a single logon failure is serious enough to merit a security event on its own.
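Both halves of that definition, a run of failures and a single failure that matters by itself, are correlation rules a SIM applies to raw logon events. The following is an added example (not code from the TriGeo manual or any Contego Policy) that implements both over sshd-style log lines: a per-source sliding window with a threshold, plus an immediate alert for accounts a site deems sensitive. The log lines, the threshold, the window and the list of sensitive accounts are constructed assumptions.

```python
"""Failed-authentication correlation: an added example for the
FailedAuthentication entry, not part of the TriGeo manual. The sshd-style
lines are constructed; the thresholds and the list of accounts whose single
failure is treated as serious are policy assumptions for the example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_RE = re.compile(
    r"^(\S+) (\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) "
    r"from (\S+) port \d+")
SERIOUS_ACCOUNTS = {"root", "administrator"}   # assumed site policy


def failed_auth_alerts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return alerts of two kinds: `threshold` failures from one source
    against one host inside `window` (reported once per source/host pair),
    and any single failure against an account in SERIOUS_ACCOUNTS."""
    recent = defaultdict(deque)   # (src, host) -> failure timestamps in window
    reported = set()
    alerts = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue              # successful logons and unrelated lines
        ts = datetime.fromisoformat(m.group(1))
        host, user, src = m.group(2), m.group(3), m.group(4)
        if user in SERIOUS_ACCOUNTS:
            alerts.append(("single-failure", src, host, user))
        q = recent[(src, host)]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures older than the window
        if len(q) >= threshold and (src, host) not in reported:
            reported.add((src, host))
            alerts.append(("repeated-failure", src, host, len(q)))
    return alerts


def make_sample_lines():
    """Constructed log: a 5-attempt burst, a slow trickle, one root attempt."""
    lines = []
    for i in range(5):                       # 5 failures in 40 seconds
        lines.append(f"2010-03-01T10:00:{i * 10:02d} host1 sshd[1001]: Failed "
                     f"password for alice from 10.0.0.9 port 50122 ssh2")
    for i in range(3):                       # 3 failures, 10 minutes apart
        lines.append(f"2010-03-01T11:{i * 10:02d}:00 host1 sshd[1002]: Failed "
                     f"password for bob from 10.0.0.7 port 50200 ssh2")
    lines.append("2010-03-01T12:00:00 host2 sshd[1003]: Failed password for "
                 "root from 10.0.0.8 port 50300 ssh2")
    lines.append("2010-03-01T12:00:05 host2 sshd[1003]: Accepted password for "
                 "carol from 10.0.0.8 port 50301 ssh2")
    return lines


if __name__ == "__main__":
    for alert in failed_auth_alerts(make_sample_lines()):
        print(alert)
```

The slow trickle against bob never accumulates enough failures inside the window and produces nothing; the burst against alice fires once, at the fifth attempt; the single root failure fires immediately regardless of count.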
SuspiciousBehavior > AuthSuspicious > GuestLogin
GuestLogin events describe authentication events, successful or not, for an account that generally
has no password assigned (such as anonymous, guest, or a default account) and no special privileges.
Even this level of access may expose enough of the client system for an attacker to begin exploitation.
These events are usually produced by a client or server operating system, but may also be produced
by a network-based IDS or network infrastructure device when it is possible or appropriate.
SuspiciousBehavior > AuthSuspicious > RestrictedInformationAttempt
RestrictedInformationAttempt events describe a user attempt to access local or remote information
that their level of authorization does not allow. These events may indicate user attempts to exploit
services which they are denied access to or inappropriate access attempts to information.
SuspiciousBehavior > AuthSuspicious > RestrictedServiceAttempt
RestrictedServiceAttempt events describe a user attempt to access a local or remote service that
their level of authorization does not allow. These events may indicate user attempts to exploit
services which they are denied access to or inappropriate access attempts to services.
SuspiciousBehavior > InferredSuspicious
InferredSuspicious alerts are reserved SuspiciousBehavior alerts used for describing suspicious
behavior that is a composite of different types of alerts. These events will be defined and inferred by
Contego Policy.
SuspiciousBehavior > ResourceSuspicious
Members of the ResourceSuspicious tree are used to define different types of suspicious access to
network resources, where these resources may be network bandwidth/traffic, files, client processes
or services, or other types of shared security-related 'commodities'.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious
Members of the NetworkSuspicious tree are used to define events regarding suspicious usage of
network bandwidth/traffic. These events include unusual traffic and reconnaissance behavior
detected on network resources.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon
Children of the Recon tree reflect suspicious network behavior with intent of gathering information
about target clients, networks, or hosts. Reconnaissance behavior may be valid behavior on a
network, however, only as a controlled behavior in small quantities. Invalid reconnaissance behavior
may reflect attempts to determine security flaws on remote hosts, missing access control policies
that allow external hosts to penetrate networks, or other suspicious behavior that results in general
information gathering without actively attacking.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Enumerate
Enumerate alerts reflect attempts to gather information about target networks, or specific target
hosts, by sending active data which will elicit responses that reveal information about clients,
servers, or other network infrastructure devices. The originating source of the enumeration is
generally attempting to acquire information that may reveal more than normal traffic to the target
would.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Enumerate > ApplicationEnumerate
ApplicationEnumerate alerts reflect attempts to gather information about target hosts, or services on
target hosts, by sending active application-layer data which will elicit responses that reveal
information about the application or host. This enumeration may be a simple command sent to the
application to attempt to fingerprint what is allowed or denied by the service, requests to the
application which may enable an attacker to surmise the version and specific application running, and
other information gathering tactics. These enumerations may result in information being provided that
can allow an attacker to craft a specific attack against the host or application that may work correctly
the first time - enabling them to modify their methodology to go on relatively undetected.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Enumerate > ApplicationEnumerate > FileTransferEnumerate
FileTransferEnumerate alerts reflect attempts to gather information about target hosts, or services on
target hosts, by sending active application-layer data to file transfer services which will elicit
responses that reveal information about the application or host. This enumeration may be a simple
command sent to the file transfer service to attempt to fingerprint what is allowed or denied by the
service, requests to the file transfer service that may enable an attacker to surmise the version and
specific service running, and other information gathering tactics. These enumerations may result in
information being provided that can allow an attacker to craft a specific attack against the file transfer
service or application that may work correctly the first time - enabling them to modify their
methodology to go on relatively undetected.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Enumerate > ApplicationEnumerate > FileTransferEnumerate > FTPCommandEnumerate
FTPCommandEnumerate alerts reflect attempts to gather information about target hosts, or services
on target hosts, by sending active application-layer data to file transfer services which will elicit
responses that reveal information about the application. This enumeration specifically entails
commands sent to the FTP service to attempt to fingerprint what is allowed or denied by the service,
requests to the FTP service that may enable an attacker to surmise the version and specific service
running, and other information gathering tactics that use FTP commands to query. These
enumerations may result in information being provided that can allow an attacker to craft a specific
attack against the FTP service that may work correctly the first time - enabling them to modify their
methodology to go on relatively undetected.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Enumerate > ApplicationEnumerate > MailEnumerate
MailEnumerate alerts reflect attempts to gather information about target hosts, or services on target
hosts, by sending active application-layer data to mail-related services which will elicit responses
that reveal information about the application or host. This enumeration may be a simple command
sent to the mail service to attempt to fingerprint what is allowed or denied by the service, requests to
the mail service that may enable an attacker to surmise the version and specific service running, and
other information gathering tactics. These enumerations may result in information being provided that
can allow an attacker to craft a specific attack against the mail service or application that may work
correctly the first time - enabling them to modify their methodology to go on relatively undetected.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Enumerate > ApplicationEnumerate > MailEnumerate > SMTPCommandEnumerate
SMTPCommandEnumerate alerts reflect attempts to gather information about target hosts, or
services on target hosts, by sending active application-layer data to mail-related services which will
elicit responses that reveal information about the application. This enumeration specifically entails
commands sent to the SMTP service to attempt to fingerprint what is allowed or denied by the
service, requests to the mail service that may enable an attacker to surmise the version and specific
service running, and other information gathering tactics that use SMTP commands to query. These
enumerations may result in information being provided that can allow an attacker to craft a specific
attack against the mail service that may work correctly the first time - enabling them to modify their
methodology to go on relatively undetected.
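The ApplicationEnumerate, MailEnumerate and SMTPCommandEnumerate entries above all describe the same pattern: commands whose replies tell the attacker what the service allows and which accounts exist. The following is an added example (not code from the TriGeo manual or from any mail server) that detects the two concrete forms of it over a per-command SMTP log: use of VRFY or EXPN at all, and one client collecting many 5xx rejections across distinct recipients. The log layout, the sample lines, the threshold and the mapping of each finding to an alert name are constructed assumptions.

```python
"""SMTP enumeration detection: an added example for the MailEnumerate and
SMTPCommandEnumerate entries, not part of the TriGeo manual or of any mail
server. The per-command log format, sample lines and the mapping of each
finding to an alert name are constructed assumptions."""
import re
from collections import defaultdict

# assumed log layout: <timestamp> <client_ip> <COMMAND> [argument] <reply code>
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*?))? (\d{3})$")
RCPT_RE = re.compile(r"^TO:\s*<?([^>\s]+)>?", re.I)
PROBE_COMMANDS = {"VRFY", "EXPN"}   # their only purpose is asking about accounts


def smtp_enumeration_alerts(lines, rejected_threshold=5):
    """Two findings: any VRFY/EXPN use (SMTPCommandEnumerate) and a client
    that had `rejected_threshold` or more distinct recipients refused with a
    5xx reply, the signature of guessing addresses via RCPT (MailEnumerate)."""
    probes = defaultdict(list)        # client -> probe commands issued
    rejected = defaultdict(set)       # client -> distinct recipients refused
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, cmd, arg, code = m.groups()
        cmd = cmd.upper()
        if cmd in PROBE_COMMANDS:
            probes[client].append(f"{cmd} {arg or ''}".strip())
        elif cmd == "RCPT" and code.startswith("5") and arg:
            rm = RCPT_RE.match(arg)
            if rm:
                rejected[client].add(rm.group(1).lower())
    alerts = []
    for client, cmds in probes.items():
        alerts.append(("SMTPCommandEnumerate", client, ", ".join(cmds)))
    for client, rcpts in rejected.items():
        if len(rcpts) >= rejected_threshold:
            alerts.append(("MailEnumerate", client,
                           f"{len(rcpts)} distinct recipients refused"))
    return sorted(alerts)


SAMPLE_LOG = [   # constructed, not a real server's log
    "2010-03-01T10:00:00 198.51.100.7 VRFY postmaster 252",
    "2010-03-01T10:00:01 198.51.100.7 EXPN staff 502",
] + [
    f"2010-03-01T10:00:{2 + i:02d} 198.51.100.7 RCPT TO:<{name}@example.com> 550"
    for i, name in enumerate(["aaron", "abby", "adam", "alan", "alex", "amy"])
] + [
    "2010-03-01T10:05:00 10.0.0.5 MAIL FROM:<carol@example.com> 250",
    "2010-03-01T10:05:01 10.0.0.5 RCPT TO:<bob@example.com> 250",
    "2010-03-01T10:05:02 10.0.0.5 RCPT TO:<bobb@example.com> 550",   # one typo is not a sweep
]

if __name__ == "__main__":
    for alert in smtp_enumeration_alerts(SAMPLE_LOG):
        print(alert)
```

Counting distinct rejected recipients rather than raw 550 replies is what keeps the legitimate sender with one mistyped address below the line while the alphabetical sweep from the other client is reported, together with its VRFY and EXPN probes.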
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Enumerate > ApplicationEnumerate > WebEnumerate
WebEnumerate alerts reflect attempts to gather information about target hosts, or services on target
hosts, by sending active application-layer data to web-related services which will elicit responses
that reveal information about the application or host. This enumeration may be a simple command
sent to the web service to attempt to fingerprint what is allowed or denied by the service, requests to
the web service that may enable an attacker to surmise the version and specific service running, and
other information gathering tactics. These enumerations may result in information being provided that
can allow an attacker to craft a specific attack against the web service or application that may work
correctly the first time - enabling them to modify their methodology to go on relatively undetected.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Enumerate > BannerGrabbingEnumerate
BannerGrabbingEnumerate alerts reflect attempts to gather information about target hosts, or
services on target hosts, by sending a request which will elicit a response containing the host or
service's 'banner'. This 'banner' contains information that may provide a potential attacker with such
details as the exact application and version running behind a port. These details could be used to craft
specific attacks against hosts or services that an attacker may know will work correctly the first time
- enabling them to modify their methodology to go on relatively undetected.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Enumerate > MSNetworkingEnumerate
MSNetworkingEnumerate alerts reflect attempts to gather information about target hosts, or services
on target hosts, by sending active data to Microsoft networking services (using protocols such as
NetBIOS and SMB/CIFS) that will elicit responses that reveal information about the application, host,
or target network. This enumeration may be a simple command sent to the networking service to
attempt to fingerprint what is allowed or denied by a service, requests to a service that may enable an
attacker to surmise the version and specific service running, requests to a service that may enable an
attacker to fingerprint the target network, and other information gathering tactics. These enumerations
may result in information being provided that can allow an attacker to craft a specific attack against
the networking service, host, or application that may work correctly the first time - enabling them to
modify their methodology to go on relatively undetected.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Enumerate > RemoteProcedureEnumerate
RemoteProcedureEnumerate alerts reflect attempts to gather information about target hosts, or
services on target hosts, by sending active data to Remote Procedure services (using protocols such
as RMI, CORBA, and traditional RPC) that will elicit responses that reveal information about the
application or host. This enumeration may be a simple command sent to the remote procedure
service to attempt to fingerprint what is allowed or denied by the service, requests to the remote
procedure service that may enable an attacker to surmise the version and specific service running,
and other information gathering tactics. These enumerations may result in information being provided
that can allow an attacker to craft a specific attack against the remote procedure service or
application that may work correctly the first time - enabling them to modify their methodology to go on
relatively undetected.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Enumerate > RemoteProcedureEnumerate > RPCPortmapperEnumerate
RPCPortmapperEnumerate alerts reflect attempts to gather information about target hosts, or
services on target hosts, by sending active data to the Portmapper Remote Procedure service that
will elicit responses that reveal information about the application or host. This enumeration may be a
simple command sent to the portmapper service to attempt to fingerprint what is allowed or denied by
the service, requests to the portmapper service that may enable an attacker to surmise the version
and specific service running, and other information gathering tactics. These enumerations may result
in information being provided that can allow an attacker to craft a specific attack against the
portmapper service or client application that may work correctly the first time - enabling them to
modify their methodology to go on relatively undetected.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Enumerate > RemoteProcedureEnumerate > RPCPortScanEnumerate
RPCPortScanEnumerate alerts reflect attempts to gather information about target hosts, or services
on target hosts, by sending active data to Remote Procedure services (using protocols such as RMI,
CORBA, and traditional RPC) that will elicit responses that reveal information about the application or
host. This specific type of enumeration is done by sending queries to RPC related ports to attempt to
fingerprint the types and specific services running, and may involve other information gathering
tactics. These enumerations may result in information being provided that can allow an attacker to
craft a specific attack against the remote procedure service or application that may work correctly the
first time - enabling them to modify their methodology to go on relatively undetected.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Footprint
Footprint alerts reflect attempts to gather information about target networks by tracing the network
through routers, clients, servers, or other network infrastructure devices. The originating source of the
footprint is generally attempting to acquire information that may reveal more about network behavior
than normal traffic to the target would.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Footprint > DNSRequestFootprint
DNSRequestFootprint alerts are a specific type of Footprint alert that reflects a DNS record request
that may serve to reveal DNS configuration. Contained within this DNS configuration may be
information that reveals internal networks, protected devices, or IP addresses of potential targets.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Footprint > FirewalkingFootprint
FirewalkingFootprint alerts are a specific type of Footprint alert that reflects the use of a tool that
attempts to map the access control and filtering lists of a network infrastructure device. Firewalking
sends TCP and UDP packets whose IP time-to-live is set to expire one hop beyond the filtering device: a
packet the device forwards draws an ICMP time-exceeded reply from the next hop, while a packet it
drops draws nothing, so the attacker learns which ports and protocols the device permits. This activity
may reflect attempts to enumerate devices beyond the perimeter of a network, gathering information
about activity that is allowed or denied past given gateways.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Footprint > TraceRouteFootprint
TraceRouteFootprint alerts are a specific type of Footprint alert that reflects an IP packet route trace
from source to destination. Generally, this route will not reveal specific information about device
types or hosts on a network, but will trace the path of IP traffic across routing devices. This traffic
may be an attempt to discover routing devices that are misconfigured (which may be vulnerable to
attacks such as IP spoofing or IP fragmentation).
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan
Scan alerts reflect attempts to gather information about target networks, or specific target hosts, by
sending scans which will elicit responses that reveal information about clients, servers, or other
network infrastructure devices. The originating source of the scan is generally attempting to acquire
information that may reveal more than normal traffic to the target would, information such as a list of
applications listening on ports, operating system information, and other information that a probe may
discover without enumeration of the specific services or performing attack attempts.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > CoreScan
CoreScan alerts reflect attempts to gather information about target networks, or specific target hosts,
by sending scans over core network protocols (TCP, IP, ICMP, UDP) which will elicit responses that
reveal information about clients, servers, or other network infrastructure devices. The originating
source of the scan is generally attempting to acquire information that may reveal more than normal
traffic to the target would, information such as a list of applications listening on ports, operating
system information, and other information that a probe may discover without enumeration of the
specific services or performing attack attempts.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > CoreScan > HostScan
HostScan alerts reflect attempts to gather information about specific target hosts by sending scans
which will elicit responses that reveal information about clients, servers, or other network
infrastructure devices. The originating source of the scan is generally attempting to acquire
information that may reveal more than normal traffic to the target would, such as a list of applications
on the host, operating system information, and other information that a probe may discover without
enumeration of the specific services or performing attack attempts. These scans generally do not
occur across entire networks and generally have the intent of discovering operating system and
application information which may be used for further attack preparation.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > CoreScan > ICMPQuery
ICMPQuery alerts reflect attempts to gather information about specific target hosts, or networks, by
sending ICMP-based queries that will elicit responses that reveal information about clients, servers,
or other network infrastructure devices. The originating source of the scan is generally attempting to
acquire information that may reveal more than normal traffic to the target would, such as operating
system information and other information that a probe may discover without enumeration of the
specific services or performing attack attempts. These scans generally do not occur across entire
networks, contain many sequential ICMP packets, and generally have the intent of discovering
operating system and application information which may be used for further attack preparation.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > CoreScan > PingSweep
PingSweep alerts reflect a specific type of CoreScan alert that describes an attempt to gather information about target networks, and hosts on those networks, by sending ICMP or TCP ping packets to test whether hosts are alive. The originating source of the scan is generally attempting to acquire information about network topology or groups of specific hosts on the network and may have the intent of gathering information for future attack attempts.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > CoreScan > PingSweep > ICMPPingSweep
ICMPPingSweep alerts reflect a specific type of CoreScan alert that describes an attempt to gather information about target networks, and hosts on those networks, by sending ICMP ping packets to test whether hosts are alive. The originating source of the scan is generally attempting to acquire information about network topology or groups of specific hosts on the network and may have the intent of gathering information for future attack attempts.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > CoreScan > PingSweep > TCPPingSweep
TCPPingSweep alerts reflect a specific type of CoreScan alert that describes an attempt to gather information about target networks, and hosts on those networks, by sending TCP ping packets to test whether hosts are alive. The originating source of the scan is generally attempting to acquire information about network topology or groups of specific hosts on the network and may have the intent of gathering information for future attack attempts.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > CoreScan > PortScan
PortScan alerts reflect attempts to gather information about target networks, or specific target hosts, by sending scans over core network protocols (TCP, IP, ICMP, UDP) that will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as a list of applications listening on ports, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts. Port scans specifically operate by sending probes to every port within a range, attempting to identify open ports that may use applications or services that are easy to enumerate and attack.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > CoreScan > PortScan > TCPPortScan
TCPPortScan alerts reflect attempts to gather information about target networks, or specific target hosts, by sending scans over TCP that will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as a list of applications listening on ports, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts. TCP port scans specifically operate by sending TCP probes to every port within a range, attempting to identify open ports that may use applications or services that are easy to enumerate and attack.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > CoreScan > PortScan > UDPPortScan
UDPPortScan alerts reflect attempts to gather information about target networks, or specific target hosts, by sending scans over UDP that will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as a list of applications listening on ports, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts. UDP port scans specifically operate by sending UDP probes to every port within a range, attempting to identify open ports that may use applications or services that are easy to enumerate and attack.
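As an added example (not from the TriGeo guide or its sensors), the following Python groups constructed firewall-style records by source host and labels each source with the PingSweep and PortScan alert-type paths described above: many distinct hosts probed with ICMP or on one TCP port is a sweep, many distinct ports on one host is a port scan. The record format, the thresholds and the sample addresses are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Alert-type prefix shared by the CoreScan family described in this appendix.
CORE_SCAN = ("SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious"
             " > Recon > Scan > CoreScan")

# Assumed thresholds for this example; a production sensor would also bound
# the time window and exclude authorised scanners (e.g. vulnerability managers).
HOST_THRESHOLD = 8    # distinct destination hosts from one source -> sweep
PORT_THRESHOLD = 10   # distinct destination ports on one host -> port scan


@dataclass(frozen=True)
class Record:
    source: str
    dest: str
    proto: str            # "ICMP", "TCP" or "UDP"
    dport: Optional[int]  # None for ICMP


def parse_line(line: str) -> Record:
    """Parse one constructed log line: '<src> <dst> <proto> [<dport>]'."""
    parts = line.split()
    if len(parts) not in (3, 4):
        raise ValueError(f"malformed record: {line!r}")
    src, dst, proto = parts[:3]
    proto = proto.upper()
    dport = int(parts[3]) if len(parts) == 4 else None
    if proto == "ICMP" and dport is not None:
        raise ValueError(f"ICMP record carries a port: {line!r}")
    if proto in ("TCP", "UDP") and dport is None:
        raise ValueError(f"{proto} record lacks a port: {line!r}")
    return Record(src, dst, proto, dport)


def classify(records: Iterable[Record]) -> Dict[str, List[str]]:
    """Group records by source host and return the alert-type path(s) that
    describe each source's behaviour. All records are assumed to fall
    within one observation window."""
    by_source: Dict[str, List[Record]] = defaultdict(list)
    for rec in records:
        by_source[rec.source].append(rec)

    alerts: Dict[str, List[str]] = {}
    for src, recs in by_source.items():
        found: List[str] = []

        # ICMPPingSweep: echo requests fanned out across many distinct hosts.
        icmp_hosts = {r.dest for r in recs if r.proto == "ICMP"}
        if len(icmp_hosts) >= HOST_THRESHOLD:
            found.append(f"{CORE_SCAN} > PingSweep > ICMPPingSweep")

        # TCPPingSweep: the same TCP port probed on many distinct hosts
        # (a liveness test rather than service discovery).
        hosts_per_port: Dict[int, set] = defaultdict(set)
        for r in recs:
            if r.proto == "TCP":
                hosts_per_port[r.dport].add(r.dest)
        if any(len(h) >= HOST_THRESHOLD for h in hosts_per_port.values()):
            found.append(f"{CORE_SCAN} > PingSweep > TCPPingSweep")

        # TCPPortScan / UDPPortScan: many distinct ports on a single host.
        for proto, name in (("TCP", "TCPPortScan"), ("UDP", "UDPPortScan")):
            ports_per_host: Dict[str, set] = defaultdict(set)
            for r in recs:
                if r.proto == proto:
                    ports_per_host[r.dest].add(r.dport)
            if any(len(p) >= PORT_THRESHOLD for p in ports_per_host.values()):
                found.append(f"{CORE_SCAN} > PortScan > {name}")

        if found:
            alerts[src] = found
    return alerts


def sample_log() -> List[str]:
    """Constructed sample records (not real traffic) covering each case."""
    lines: List[str] = []
    # 10.1.1.50 pings twenty hosts on the 10.1.2.0/24 segment -> ICMPPingSweep
    lines += [f"10.1.1.50 10.1.2.{i} ICMP" for i in range(1, 21)]
    # 10.1.1.60 probes thirty ports on one host -> TCPPortScan
    lines += [f"10.1.1.60 10.1.2.5 TCP {p}" for p in range(1, 31)]
    # 10.1.1.70 opens a few ordinary HTTPS sessions -> no alert
    lines += ["10.1.1.70 10.1.2.8 TCP 443"] * 3
    # 10.1.1.80 probes port 80 on twelve hosts -> TCPPingSweep
    lines += [f"10.1.1.80 10.1.2.{i} TCP 80" for i in range(1, 13)]
    # 10.1.1.90 probes fifteen UDP ports on one host -> UDPPortScan
    lines += [f"10.1.1.90 10.1.2.9 UDP {p}" for p in range(100, 115)]
    return lines


def detect(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Parse raw lines and classify them in one step."""
    return classify(parse_line(line) for line in lines)


if __name__ == "__main__":
    for src, paths in detect(sample_log()).items():
        print(src)
        for path in paths:
            print("   ", path)
```

The same counting, applied without a window bound or an allow-list of known scanners, labels routine asset inventory as PortScan; tune the thresholds per segment before acting on the alert automatically.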
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > CoreScan > StackFingerprint
StackFingerprint alerts reflect attempts to gather information about specific target hosts by sending a
certain set of packets to probe a device's network stack, which will elicit responses that reveal
information about clients, servers, or other network infrastructure devices. The originating source of
the scan is generally attempting to acquire information that may reveal more than normal traffic to the
target would, such as operating system information (including type and version) and other information
that a probe may discover without enumeration of the specific services or performing attack attempts.
These scans generally do not occur across entire networks and generally have the intent of
discovering operating system information which may be used for further attack preparation.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > CoreScan > StackFingerprint > ICMPStackFingerprint
ICMPStackFingerprint alerts reflect attempts to gather information about specific target hosts by
sending a certain set of ICMP packets to probe a device's ICMP stack, which will elicit responses
that reveal information about clients, servers, or other network infrastructure devices. The originating
source of the scan is generally attempting to acquire information that may reveal more than normal
traffic to the target would, such as operating system information (including type and version) and
other information that a probe may discover without enumeration of the specific services or
performing attack attempts. These scans generally do not occur across entire networks and generally
have the intent of discovering operating system information which may be used for further attack
preparation.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > CoreScan > StackFingerprint > TCPStackFingerprint
TCPStackFingerprint alerts reflect attempts to gather information about specific target hosts by
sending a certain set of TCP packets to probe a device's TCP/IP stack, which will elicit responses
that reveal information about clients, servers, or other network infrastructure devices. The originating
source of the scan is generally attempting to acquire information that may reveal more than normal
traffic to the target would, such as operating system information (including type and version) and
other information that a probe may discover without enumeration of the specific services or
performing attack attempts. These scans generally do not occur across entire networks and generally
have the intent of discovering operating system information which may be used for further attack
preparation.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > Recon > Scan > TrojanScanner
TrojanScanner alerts reflect attempts by Trojans on the network to gather information about target networks, or specific target hosts, by sending scans which will elicit responses that reveal information about the host. The originating Trojan source of the scan is generally attempting to acquire information that will reveal whether a target host or network has open and available services for further exploitation, whether the target host or network is alive, and how much of the target network is visible. A Trojan may run a scan before attempting an attack operation to test potential effectiveness or targeting information.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > UnusualTraffic
UnusualTraffic alerts reflect suspicious behavior on network devices where the traffic may have no known exploit, but is unusual and could be potential enumerations, probes, fingerprints, attempts to confuse devices, or other abnormal traffic. UnusualTraffic may have no impending response; however, it could reflect a suspicious host that should be monitored closely.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > UnusualTraffic > UnusualICMPTraffic
UnusualICMPTraffic alerts reflect ICMP-based suspicious behavior on network devices where the traffic may have no known exploit, but is unusual and could be potential enumerations, probes, fingerprints, attempts to confuse devices, or other abnormal traffic. UnusualICMPTraffic may have no impending response; however, it could reflect a suspicious host that should be monitored closely.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > UnusualTraffic > UnusualIPTraffic
UnusualIPTraffic alerts reflect IP-based suspicious behavior on network devices where the traffic may have no known exploit, but is unusual and could be potential enumerations, probes, fingerprints, attempts to confuse devices, or other abnormal traffic. UnusualIPTraffic may have no impending response; however, it could reflect a suspicious host that should be monitored closely.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > UnusualTraffic > UnusualProtocol
UnusualProtocol alerts reflect suspicious behavior on network devices where the traffic is targeted at unknown, unassigned, or uncommonly used protocols. This traffic may have no known exploit, but is unusual and should be considered potential enumerations, probes, fingerprints, attempts to confuse devices, or other abnormal traffic. UnusualProtocol may have no impending response; however, it could reflect a suspicious host that should be monitored closely.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > UnusualTraffic > UnusualTCPTraffic
UnusualTCPTraffic alerts reflect TCP-based suspicious behavior on network devices where the traffic may have no known exploit, but is unusual and could be potential enumerations, probes, fingerprints, attempts to confuse devices, or other abnormal traffic. UnusualTCPTraffic may have no impending response; however, it could reflect a suspicious host that should be monitored closely.
SuspiciousBehavior > ResourceSuspicious > NetworkSuspicious > UnusualTraffic > UnusualUDPTraffic
UnusualUDPTraffic alerts reflect UDP-based suspicious behavior on network devices where the traffic may have no known exploit, but is unusual and could be potential enumerations, probes, fingerprints, attempts to confuse devices, or other abnormal traffic. UnusualUDPTraffic may have no impending response; however, it could reflect a suspicious host that should be monitored closely.
Appendix B: Table of alert event data fields
Table of alert data fields
The following table explains the meaning of each grid column or data field that can appear in various
alert grids, event grids, and information panes throughout the Console. The actual columns and fields
that are shown vary according to the alert, view, or grid you are working with. But the meaning of
these fields remains the same, regardless of where you see them.
For convenience, the fields are listed in alphabetical order.
Grid column or field    Description
AlertName: The name of the alert. For information on a particular alert, see "Alert Types" on page 493.
ConnectionName: The name of the dial-up or VPN connection.
ConnectionStatus: The current status of the dial-up or VPN connection.
DestinationMachine: The IP address the network traffic is going to.
DestinationPort: The port number the network traffic is going to.
DetectionIP: The network node that is the originating source of the alert data. This is usually a Manager or an Agent and is the same as the InsertionIP field, but can also be a network device such as a firewall or an intrusion detection system that may be sending log files over a remote logging protocol.
DetectionTime: The time the network node generated the data. This is usually the same as the InsertionTime field, but they can differ when the Agent or Manager is reading historical data, or if a network device has an incorrect time setting.
EventInfo: A short summary of the alert details. Additional details appear in the following fields, but EventInfo provides enough information to view a “snapshot” of the alert information.
ExtraneousInfo: Extra information that is relevant to the alert, but may not be reflected in other fields. This can include information useful for correlating or summarizing alert information in addition to the EventInfo field.
InferenceRule: The name of the correlation that caused this alert. The InferenceRule field will generally be blank, but in cases where the alert was related to a rule, it displays the rule name.
InsertionIP: The Manager or Agent that first created the alert. This is the source that first read the log data from a file or other source.
InsertionTime: The time the Manager or Agent first created the alert. This time indicates when the data was read from a log file or other source.
Manager: The name of the Manager that received the alert. For data generated from an Agent, this is the Manager the Agent is connected to.
Order: In the Event explorer’s event grid, the Order field indicates when each event occurred:
    means the event occurred before the central event shown in the event map.
    means the event occurred during (as part of) the central event shown in the event map.
    means the event occurred after the central event shown in the event map.
Protocol: Displays the protocol associated with this alert (TCP or UDP).
ProviderSID: A unique identifier for the original data. Generally, the ProviderSID field includes information that can be used in researching information on the alert in the originating network device vendor's documentation.
Severity: Each alert is assigned a number that indicates its severity. The following table explains each severity level.
    Level  Name  Description
    0  Debug: Designates detailed event information used for debugging by TriGeo engineers.
    1  System Error: Indicates that part of the system is unusable.
    2  Informational: Indicates TriGeo informational messages only.
    3  Normal Audit: Indicates normal behavior, but could be part of a signature attack.
    4  Normal Notice: Indicates normal behavior that should be monitored.
    5  Suspicious: Indicates normal behavior under some circumstances, but should be investigated.
    6  Threatening: Indicates that investigation is needed and possibly an action.
    7  Critical: Indicates that immediate action is needed.
SourceMachine: The IP address the network traffic is coming from.
SourcePort: The port number the network traffic is coming from.
ToolAlias: The Alias Name entered when configuring the tool on the Manager or Agent. For more information on configuring tools, see "Connecting to other products" on page 337.
Appendix C: CMC commands
TriGeo Management Configuration Commands (CMC)
CMC commands are the only means to access TriGeo SIM and nDepth Appliances. Use CMC to
upgrade and maintain the appliances.
You can use the CMC commands for such tasks as:
- upgrading the TriGeo Manager software
- deploying new tool infrastructure to the Managers and Agents
- rebooting or shutting down the network appliance
- configuring trusted reporting hosts
- configuring supplemental services on the Manager appliance, and
- controlling your nDepth appliances.
The following topics describe how to log on to CMC and describe each command found in the
appliance, manager, service and ind menus.
Logging on to CMC
Before connecting to the CMC, get your “Manager Information Sheet,” which you can find on your
TriGeo DVD.
To log on to CMC:
1. Connect to the Network Appliance in either of two ways:
   - Connect directly to the Network Appliance with a keyboard and monitor. If you connect in this manner, skip to Step 7.
   - Connect using SSH on port 32022.
   SSH stands for Secure Shell, which is a remote administration tool. To connect to the network appliance using SSH, you can use PuTTY, which is a free SSH tool. You can find this tool on the TriGeo CD-ROM in the Extras\ssh client folder.
   The following example shows the PuTTY Configuration form with the default TriGeo Manager settings. Your own connection settings can be found on your “Manager Information Sheet.”
2. In the Host Name (or IP address) box, type the IP address of your TriGeo Manager (in this
example, the IP address is 10.1.1.200).
3. Under Protocol, click SSH.
4. In the Port box, type 32022.
5. So you don’t have to do this again, type TriGeo Manager into the Saved Sessions box, and
then click Save.
6. Click Open.
Note: To reopen this connection for future sessions, simply double-click TriGeo Manager in the Saved Sessions box. The connection will reopen.
7. Whether you connect remotely or physically, the system will prompt you for your CMC user
name and password. Type the CMC user name and password found on your “Manager Information Sheet.”
Using the CMC 'appliance' menu
After typing the appliance command, the cmc::acm# prompt appears. You may then use any of the
commands listed in the following table.
The commands are listed in alphabetical order. Command descriptions with an asterisk (*) mean the
command requires an automatic restart of the Manager service.
Command    Description
checklogs: Check the contents of the TriGeo Manager appliance’s log files from sources such as syslog and SNMP.
cleantemp: * Removes temporary files created by the TriGeo Manager during normal operation. You may run this command to recover used disk space, or at the suggestion of TriGeo Technical Support.
dateconfig: Set the TriGeo Manager’s date and time.
demote: * Demotes this appliance to a secondary appliance in a high availability or disaster recovery configuration. This appliance will disable running TriGeo services and resume replicating its configuration information from the configured primary appliance.
diskusage: Checks and provides a summary of disk usage for your TriGeo Manager and several of the internal components (such as the database or log files). This information is included when you send TriGeo Technical Support information using the support command.
exit: Returns you to the main CMC menu.
exportsyslog: Exports system logs.
help: Displays a brief description of each command within the appliance menu.
netconfig: This command configures the network parameters. You can choose between several configurations. By default, the Manager comes with a DHCP configuration. Each choice is described below:
    - DHCP with server-assigned DNS: All parameters are provided by the DHCP server. No configuration parameters are needed.
    - DHCP with static-assigned DNS: The DHCP server only provides an IP address but no DNS address. You will need to know the network DNS address.
    - Static with static-assigned DNS: There is no DHCP server, or you wish to statically assign the IP address without using a DHCP reservation. You will need to know the IP address, netmask, gateway, and DNS address for the Network Appliance.
    It is critical for the operation of the TriGeo system that the network DNS is functional. The Manager needs to be resolvable by all Agents and vice versa. Without functioning DNS, the TriGeo system will not operate properly.
ntpconfig: Configure the Network Time Protocol (NTP) service on the TriGeo Manager for synchronization with a time server.
password: Change the cmc user password.
ping: Pings other IP addresses or host names from the TriGeo Manager appliance to verify network connectivity.
promote: * Promotes this appliance to the primary appliance in a high availability or disaster recovery configuration. The promoted appliance will take over TriGeo services until it is demoted with the demote command.
reboot: Reboots the TriGeo Manager.
shutdown: Shuts down the TriGeo Manager.
top: Displays and monitors CPU and memory usage, as well as per-process information for the Manager Network Appliance.
tzconfig: Configure the TriGeo Manager’s time zone information.
viewnetconfig: Display the current network configuration parameters (IP address, netmask, DNS) for the TriGeo Manager.
Using the CMC 'manager' menu
After typing the manager command, the cmc::cmm# prompt appears. You may then use any of the
commands listed in the following table. The commands are listed in alphabetical order. Command
descriptions with an asterisk (*) mean the command requires an automatic restart of the Manager
service.
Command    Description
actortoolupgrade: * Upgrades the TriGeo Manager’s Actor Tools from CD or floppy disk.
archiveconfig: Configures the TriGeo Manager appliance database archives to a remote file share on a daily, weekly, or monthly schedule.
backupconfig: Configures the TriGeo Manager appliance software and configuration backups to a remote file share on a daily, weekly, or monthly schedule.
cleanagentconfig: Reconfigures the Agent on this Manager to a new Manager.
dbquery: Queries the TriGeo Manager appliance database directly.
debug: Emails the TriGeo Manager debugging information to any given email address. The email message contains a collection of data that can be useful in diagnosing problems.
exit: Return to main CMC menu.
exportcert: Exports the CA certificate for Console.
exportcertrequest: Exports a certificate request for signing by CA.
help: Displays a brief description of each command within the trigeo menu.
importcenter: * Imports a certificate used for Console communication.
logbackupconfig: Configures the TriGeo Manager appliance remote log backups to a remote file share on a daily, weekly, or monthly schedule.
resetadmin: * Resets the admin password to the default value, as noted in the Manager Information Sheet provided on your TriGeo DVD. This command does not affect other users on the system and all settings will be preserved.
restart: * Restarts the TriGeo Manager service. This will take the Manager offline for 1–3 minutes.
sensortoolupgrade: Upgrades the TriGeo Manager’s Sensor Tools from a CD or floppy disk.
showlog: Allows you to page through the Manager’s log file.
showmanagermem: Displays the Manager's configured memory utilization settings.
start: Starts the TriGeo Manager service. If the Manager is already started, then nothing will happen.
stop: * Stops the TriGeo Manager service. This makes the Manager inactive until it is started again.
support: Sends debugging information via email to support@trigeo.com. This command will prompt you for your name and email address. It then sends TriGeo a collection of data that can be useful in diagnosing problems.
upgrade: Upgrade the TriGeo Manager software from a CD or floppy disk. This command looks for Manager upgrades on the floppy disk or CD, and prompts you for which updates you wish to install.
viewsysinfo: Displays appliance settings and information, useful for support and troubleshooting.
watchlog: Displays 20 lines of the current Manager log file and monitors the log for further updates. Any new log entries appear as they are written to the log.
whpause: Temporarily pause logging from the TriGeo Manager appliance to the Database Warehouse. The Manager will queue any data that would normally be sent to the warehouse until the connection is resumed with the whresume command.
whresume: Resumes paused logging from the TriGeo Manager appliance to the Database Warehouse.
Using the CMC 'ndepth' menu
If you have one or more nDepth appliances, CMC has an ind menu that lets you control these
appliances. After typing the ind command, the cmc::ind# prompt appears. You may then use any of
the commands listed in the following table.
The commands are listed in alphabetical order. Command descriptions with an asterisk (*) mean the
command requires an automatic restart of the Manager service.
Command    Description
backupconfig: Configures nDepth data backup to store all data.
disableretirement: Disables automatic nDepth archiving of retired data.
enableretirement: Enables automatic nDepth archiving of retired data.
exit: Exits nDepth Configuration/Maintenance (returns to main CMC menu).
help: Shows the help menu.
licenseupgrade: * Installs a new nDepth license file or upgrades an existing one.
restart: * Restarts the nDepth Service.
setminfree: * Specifies the minimum amount of disk space for the nDepth appliance to preserve. The appliance will retire data before exceeding the available space in order to always keep this amount of space available.
start: Starts the nDepth service.
stop: Stops the nDepth service.
Using the CMC 'service' menu
After typing the service command, the cmc::scm# prompt appears. You may then use any of the
commands listed in the following table.
The commands are listed in alphabetical order. Command descriptions with an asterisk (*) mean the
command requires an automatic restart of the Manager service.
Command    Description
addsymantechost: Configures additional Symantec Velociraptor-based log import hosts for integration with the TriGeo system. You will need the IP address of the Velociraptor, the connection port, and the password that was assigned when creating the configuration on the Velociraptor itself.
copysnortrules: Copy the existing Snort rules from the Manager onto a floppy disk or network file share. This allows you to retrieve the Snort rules from the Manager’s hard drive and make any rule updates or modifications. This requires a formatted floppy disk or a network file share.
deletesymantechost: Remove any configured Symantec Velociraptor-based log import hosts.
disableflow: Disables NetFlow/sFlow collection on the TriGeo Appliance (and in the TriGeo Explorer).
disablesnmp: Disables SNMP trap logging to the TriGeo Manager. The SNMP trap logging service will be permanently disabled until the enablesnmp command is issued.
enableflow: * Enables NetFlow/sFlow collection on the TriGeo Appliance (and in the TriGeo Explorer).
enablesnmp: Enables SNMP trap logging to the TriGeo Manager. By default, SNMP is disabled on the TriGeo Manager. This command enables SNMP to allow integration with some security tools that can only log using SNMP.
exit: Returns to the main CMC menu.
getflowdbsize: Checks the size of the Flow database.
help: Displays a brief description of each command within the service menu.
loadsnortbackup: Loads Snort rules from “factory default” on the Manager. This allows you to revert to the Snort rules’ original default settings in case of an error. This command overwrites any changes that were made to the main set of rules with the original rules that were installed with the TriGeo system.
loadsnortrules: Loads Snort rules from a floppy disk or a network file share to the Manager. This allows you to update the Snort rules on the Manager. The floppy disk must be in the same format (i.e., the same names and directories) that the copysnortrules command uses to issue the original rules; otherwise, the rules will not be updated.
restartsnort: Restarts the Snort service.
restartssh: Restarts the SSH service. If the SSH service is running, this command stops and then restarts the service.
restartsymantec: Stops and restarts all log import connections for configured Symantec Velociraptor-based firewalls.
restrictconsole: Restricts access to the TriGeo Console’s graphical user interface to only certain IP addresses or hostnames. This command prompts you to provide the allowable IP addresses or hostnames. Once the restriction is in place, only the given IP addresses/hostnames are able to connect to the Console. Users are still required to log in with a password to fully access the TriGeo Console.
restrictreports: Restricts access to reports to only certain IP addresses or hostnames. This command prompts you to provide the allowable IP addresses or hostnames. Once the restriction is in place, only the given IP addresses/hostnames are able to create and view reports.
restrictssh: Restrict the SSH service to only certain IP addresses. This command prompts you to provide the allowable IP addresses. Once the restriction is done, only the given IP address/user combinations will be able to connect to the TriGeo Manager using the SSH service.
startssh: Start running the SSH service.
startsymantec: Begin log import process for all configured Symantec Velociraptor-based firewalls. The command sends the log data to a file on the Manager for integration with the TriGeo system.
stopopsec: Terminate any connections from the TriGeo Manager Appliance to Check Point® OPSEC™ hosts.
stopssh: Stops running the SSH service. If you issue this command, you can only access the Manager with a keyboard and monitor until you issue a reboot command. To restrict access to the SSH service (outside of the user name and password requirements), see the restrictssh command.
stopsymantec: Stops any running log import connections to Symantec Velociraptor-based firewalls.
unrestrictconsole: Removes restrictions to the TriGeo Console’s graphical user interface. This command removes all restrictions and allows any valid TriGeo system user to connect to the TriGeo Console. The only protection at this point is the user name and password combination.
unrestrictreports: Removes restrictions on access to reports. This command removes all restrictions and allows anyone with the TriGeo Reports Console, or any alternative database connection software, with the proper username and password, to create and view reports and browse the TriGeo database.
unrestrictssh: Removes restrictions to the SSH service. Any connection attempts will still require a user name and password.
viewsymantechost: Displays all currently configured Symantec Velociraptor-based log import hosts.
Appendix D: Report Tables
The following tables list all of TriGeo’s reports, provide descriptions of their contents, and suggest
schedules for running each report.
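Before scheduling the reports below, it is worth checking the catalogue you are working from. The following is an added example, not part of the TriGeo guide or product: a small Python check over a constructed sample of (title, file name, schedule) rows modelled on the audit-report table in this appendix. It flags file names that do not follow the RPTyyyy-nn[-n...].rpt shape used throughout the table, year prefixes other than the 2003 and 2006 the table uses, schedule values the table does not use, and file names claimed by more than one report (the table as printed lists RPT2003-06-03-2.rpt and RPT2003-06-01-2.rpt twice each). The two misprinted rows in the sample (a truncated ".rp" extension and a "2033" year) are constructed; the function names, the sample list, and the closed sets of years and schedules are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample rows (title, file name, schedule), modelled on the audit-report
# table in this appendix. Two rows carry deliberate misprints (a truncated ".rp"
# extension and a "2033" year prefix) and two file names are assigned twice, as the
# printed table itself does for RPT2003-06-03-2.rpt and RPT2003-06-01-2.rpt.
SAMPLE_ROWS = [
    ("Authentication Report", "RPT2003-02.rpt", "Weekly"),
    ("Incident Alerts", "RPT2006-19.rpt", "Daily"),
    ("Change Management - General Authentication Related Events", "RPT2006-20.rp", "As needed"),
    ("Network Traffic Audit - Application Traffic by Provider SID", "RPT2033-06-11-3.rpt", "As needed"),
    ("Network Traffic Audit - Core Traffic by Destination Machine", "RPT2003-06-03-2.rpt", "As needed"),
    ("Network Traffic Audit - Top Core Traffic by Source", "RPT2003-06-03-2.rpt", "As needed"),
    ("Network Traffic Audit - Web Traffic by Destination Machine", "RPT2003-06-01-2.rpt", "As needed"),
    ("Network Traffic Audit - Top Application Traffic by Source", "RPT2003-06-01-2.rpt", "As needed"),
]

# File-name shape used throughout the table: RPT<year>-<nn>[-<n>...].rpt
FILE_NAME_RE = re.compile(r"^RPT(\d{4})-\d{2}(?:-\d{1,2})*\.rpt$")
# Year prefixes and schedule values that occur in the table (assumption: the catalogue
# is closed, so anything outside these sets is a transcription error worth a look).
KNOWN_YEARS = {"2003", "2006"}
KNOWN_SCHEDULES = {"daily", "weekly", "as needed", "daily, if needed"}


def check_catalogue(rows):
    """Return a list of (file_name, problem) findings; an empty list means the catalogue is clean."""
    findings = []
    titles_by_file = defaultdict(list)
    for title, file_name, schedule in rows:
        match = FILE_NAME_RE.match(file_name)
        if match is None:
            findings.append((file_name, "malformed file name"))
        elif match.group(1) not in KNOWN_YEARS:
            findings.append((file_name, "unexpected year prefix"))
        if schedule.strip().lower() not in KNOWN_SCHEDULES:
            findings.append((file_name, "unknown schedule"))
        titles_by_file[file_name].append(title)
    # A file name that two reports claim cannot be scheduled unambiguously.
    for file_name, titles in sorted(titles_by_file.items()):
        if len(titles) > 1:
            findings.append((file_name, "file name shared by: " + "; ".join(titles)))
    return findings


def run_plan(rows):
    """Group report file names by suggested schedule (lower-cased), sorted for stable output."""
    plan = defaultdict(list)
    for _title, file_name, schedule in rows:
        plan[schedule.strip().lower()].append(file_name)
    return {schedule: sorted(files) for schedule, files in plan.items()}


if __name__ == "__main__":
    for file_name, problem in check_catalogue(SAMPLE_ROWS):
        print(f"{file_name}: {problem}")
    for schedule, files in sorted(run_plan(SAMPLE_ROWS).items()):
        print(f"{schedule}: {', '.join(files)}")
```

Run against the sample, check_catalogue reports the truncated extension, the stray year prefix, and the two shared file names; run_plan gives the weekly, daily, and as-needed groupings you would feed into a scheduler once the catalogue is clean.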
Table of Audit reports
The following table lists and describes each of TriGeo's audit reports. For your convenience, the reports are listed alphabetically by title. Each entry gives the report title, its file name, its suggested schedule, and a description of its contents.

Authentication Report
  File name: RPT2003-02.rpt. Schedule: Weekly.
  This report lists all authentications tracked by the TriGeo system, including user logon, logoff, failed logon attempts, guest logons, etc.

Authentication Report - Authentication Audit
  File name: RPT2003-02-10.rpt. Schedule: As needed.
  This report lists alert events that are related to authentication and authorization of accounts and account containers such as groups or domains. These alerts can be produced by any network node, including firewalls, routers, servers, and clients.

Authentication Report - Suspicious Authentication
  File name: RPT2003-02-9.rpt. Schedule: As needed.
  This report lists alert events that are related to suspicious authentication and authorization events. These events include excessive failed authentication or authorization attempts, suspicious access by unauthenticated users, and suspicious access to unauthorized services or information.

Authentication Report - Top User Log On by User
  File name: RPT2003-02-6-2.rpt. Schedule: As needed.
  This report lists the Top User Log On alerts grouped by user name.

Authentication Report - Top User Log On Failure by User
  File name: RPT2003-02-7-2.rpt. Schedule: As needed.
  This report lists the Top User Log On Failure alerts grouped by user name.

Authentication Report - TriGeo Authentication
  File name: RPT2003-02-8.rpt. Schedule: As needed.
  This report shows logon, logoff, and logon failure activity for the TriGeo Console.

Authentication Report - User Log Off
  File name: RPT2003-02-5.rpt. Schedule: As needed.
  User Logoff alerts reflect account logoff events from network devices (including network infrastructure devices). Each alert reflects the type of device from which the user was logging off. These alerts are usually normal events but are tracked for consistency and auditing purposes.
Authentication Report - User Log On
  File name: RPT2003-02-6.rpt. Schedule: As needed.
  User Logon alerts reflect user account logon events from network devices monitored by TriGeo (including network infrastructure devices). Each alert reflects the type of device that the logon was intended for, along with all other relevant fields.

Authentication Report - User Log On by User
  File name: RPT2003-02-6-1.rpt. Schedule: As needed.
  This report lists all account logon alerts, grouped by user name.

Authentication Report - User Log On Failure
  File name: RPT2003-02-7.rpt. Schedule: As needed.
  User Logon Failure alerts reflect failed account logon events from network devices (including network infrastructure devices). Each alert reflects the point on the network where the user was attempting to log on. In larger quantities, these alerts may reflect a potential issue with a user or set of users, but as individual events they are generally not a problem.

Authentication Report - User Log On Failure by User
  File name: RPT2003-02-7-1.rpt. Schedule: As needed.
  This report lists all account logon failure alerts, grouped by user name.

Change Management - General Authentication Related Events
  File name: RPT2006-20.rpt. Schedule: As needed.
  This report includes changes to domains, groups, machine accounts, and user accounts.

Change Management - General Authentication: Domain Events
  File name: RPT2006-20-01.rpt. Schedule: As needed.
  This report includes changes to domains, including new domains, new members, and modifications to domain settings.

Change Management - General Authentication: Domain Events - Change Domain Attribute
  File name: RPT2006-20-01-7.rpt. Schedule: As needed.
  This report lists changes to domain type. These events are uncommon and usually provided by the operating system. Usually, these changes are made by a user account with administrative privileges, but occasionally a change happens when local system maintenance activity takes place.

Change Management - General Authentication: Domain Events - Change Domain Member
  File name: RPT2006-20-01-4.rpt. Schedule: As needed.
  This report lists alert events that occur when an account or account container within a domain is modified. Usually, these changes are made by a user account with administrative privileges, but occasionally an alert occurs when local system maintenance activity takes place. Alerts of this nature mean a user, machine, or service account within the domain has been modified.

Change Management - General Authentication: Domain Events - Delete Domain
  File name: RPT2006-20-01-8.rpt. Schedule: As needed.
  This report lists alert events that occur upon removal of a trust relationship between domains, deletion of a subdomain, or deletion of account containers within a domain. Usually, these changes are made by a user account with administrative privileges.
Change Management - General Authentication: Domain Events - Delete Domain Member
  File name: RPT2006-20-01-3.rpt. Schedule: As needed.
  This report lists alert events that occur when an account or account container has been removed from a domain. Usually, these changes are made by a user account with administrative privileges, but occasionally they occur when local system maintenance activity takes place.

Change Management - General Authentication: Domain Events - Domain Member Alias
  File name: RPT2006-20-01-5.rpt. Schedule: As needed.
  This report lists alert events that happen when the alias for a domain member has been changed. This means an account or account container within a domain has had an alias created, deleted, or otherwise modified. This event is uncommon and is used to track links between domain members and other locations in the domain where the member may appear.

Change Management - General Authentication: Domain Events - DomainAuthAudit
  File name: RPT2006-20-01-1.rpt. Schedule: As needed.
  This report lists authentication, authorization, and modification events that are related only to domains, subdomains, and account containers. These alerts are normally related to operating systems. However, they can be produced by any network device.

Change Management - General Authentication: Domain Events - New Domain
  File name: RPT2006-20-01-6.rpt. Schedule: As needed.
  This report lists alert events that occur upon creation of a new trust relationship between domains, creation of a new subdomain, or creation of new account containers within a domain. Usually, these creations are done by a user account with administrative privileges.

Change Management - General Authentication: Domain Events - New Domain Member
  File name: RPT2006-20-01-2.rpt. Schedule: As needed.
  This report lists alert events that occur when an account or an account container (a new user, machine, or service account) has been added to the domain. Usually, these additions are made by a user account with administrative privileges, but occasionally they occur when local system maintenance activity takes place.

Change Management - General Authentication: Group Events
  File name: RPT2006-20-02.rpt. Schedule: As needed.
  This report lists changes to groups, including new groups, members added to or removed from groups, and modifications to group settings.

Change Management - General Authentication: Group Events - Change Group Attribute
  File name: RPT2006-20-02-6.rpt. Schedule: As needed.
  This report lists alert events that occur when a group type is modified. Usually, these changes are made by a user account with administrative privileges, but occasionally they occur when local system maintenance activity takes place.

Change Management - General Authentication: Group Events - Delete Group
  File name: RPT2006-20-02-5.rpt. Schedule: As needed.
  This report lists alert events that occur upon deletion of a group of any type. Usually, these deletions are made by a user account with administrative privileges.
Change Management - General Authentication: Group Events - Delete Group Member
  File name: RPT2006-20-02-3.rpt. Schedule: As needed.
  This report lists alert events that occur when an account or group has been removed from a group. Usually, these changes are made by a user account with administrative privileges, but occasionally they occur when local system maintenance activity takes place.

Change Management - General Authentication: Group Events - Group Audit
  File name: RPT2006-20-02-1.rpt. Schedule: As needed.
  This report lists authentication, authorization, and modification events related only to account groups. These alerts are normally operating system related, but they could be produced by any network device.

Change Management - General Authentication: Group Events - New Group
  File name: RPT2006-20-02-4.rpt. Schedule: As needed.
  This report lists NewGroup events. These events occur upon creation of a new group of any type. Usually, these additions are made by a user account with administrative privileges.

Change Management - General Authentication: Group Events - New Group Member
  File name: RPT2006-20-02-2.rpt. Schedule: As needed.
  This report lists NewGroupMember events. These events occur when an account (or another group) has been added to a group, that is, when a new user, machine, or service account has been added to the group. Usually, these additions are made by a user account with administrative privileges, but occasionally an alert occurs when local system maintenance activity takes place.

Change Management - General Authentication: Machine Account Events
  File name: RPT2006-20-03.rpt. Schedule: As needed.
  This report includes changes to machine accounts, including enabling/disabling machine accounts and modifications to machine account settings.

Change Management - General Authentication: Machine Account Events - Machine Disabled
  File name: RPT2006-20-03-3.rpt. Schedule: As needed.
  This report lists MachineDisable events. These events occur when a machine account is actively disabled and/or when an account is forcibly locked out by the operating system or other authentication tool. These events are usually operating system related and could reflect a potential issue with a computer or set of computers.

Change Management - General Authentication: Machine Account Events - Machine Enabled
  File name: RPT2006-20-03-1.rpt. Schedule: As needed.
  This report lists MachineEnable alerts, which reflect the action of enabling a computer or machine account. These events are normally related to the operating system and trigger when a machine is "enabled," normally by a user with administrative privileges.

Change Management - General Authentication: Machine Account Events - Machine Modify Attribute
  File name: RPT2006-20-03-2.rpt. Schedule: As needed.
  This report lists MachineModifyAttribute events, which occur when a computer or machine type is changed. These events are uncommon and usually provided by the operating system.
Change Management - General Authentication: User Account Events
  File name: RPT2006-20-04.rpt. Schedule: As needed.
  This report includes changes to user accounts, including enabling/disabling user accounts and modifications to user account settings.

Change Management - General Authentication: User Account Events - User Disabled
  File name: RPT2006-20-04-3.rpt. Schedule: As needed.
  This report lists UserDisable events. These events occur when a user account is actively disabled and/or when a user is forcibly locked out by the operating system or other authentication tool. These events are usually related to the operating system and can reflect a potential issue with a user or set of users.

Change Management - General Authentication: User Account Events - User Enabled
  File name: RPT2006-20-04-1.rpt. Schedule: As needed.
  This report lists UserEnable alerts, which reflect the action of enabling a user account. These events are normally related to the operating system. They occur both when an account is unlocked after a lockout due to unsuccessful logons, and when an account is enabled in the traditional sense.

Change Management - General Authentication: User Account Events - User Modify Attributes
  File name: RPT2006-20-04-2.rpt. Schedule: As needed.
  This report lists UserModifyAttribute events, which occur when a user type is changed. These events are uncommon and usually provided by the operating system.

Change Management - Network Infrastructure: Policy/View Change
  File name: RPT2006-21.rpt. Schedule: As needed.
  This report includes accesses to network infrastructure device policy, including viewing or changing device policy.

Change Management - Windows/Active Directory Domains: Group Created
  File name: RPT2006-22-01.rpt. Schedule: As needed.
  This report includes creations of Windows/Active Directory groups.

Change Management - Windows/Active Directory Domains: Group Deleted
  File name: RPT2006-22-02.rpt. Schedule: As needed.
  This report includes deletions of Windows/Active Directory groups.

Change Management - Windows/Active Directory Domains: Group Events
  File name: RPT2006-22.rpt. Schedule: As needed.
  This report includes Windows/Active Directory group-related events.

Change Management - Windows/Active Directory Domains: Group Property Updated
  File name: RPT2006-22-03.rpt. Schedule: As needed.
  This report includes changes to Windows/Active Directory group properties, such as the display name.

Change Management - Windows/Active Directory Domains: Machine Events
  File name: RPT2006-23.rpt. Schedule: As needed.
  This report includes Windows/Active Directory machine-related events.
Change Management - Windows/Active Directory Domains: Machine Events - Account Created
  File name: RPT2006-23-01.rpt. Schedule: As needed.
  This report includes creations of Windows/Active Directory machine accounts.

Change Management - Windows/Active Directory Domains: Machine Events - Account Deleted
  File name: RPT2006-23-02.rpt. Schedule: As needed.
  This report includes deletions of Windows/Active Directory machine accounts.

Change Management - Windows/Active Directory Domains: Machine Events - Account Disabled
  File name: RPT2006-23-03.rpt. Schedule: As needed.
  This report includes disabling of Windows/Active Directory machine accounts.

Change Management - Windows/Active Directory Domains: Machine Events - Account Enabled
  File name: RPT2006-23-04.rpt. Schedule: As needed.
  This report includes enabling of Windows/Active Directory machine accounts.

Change Management - Windows/Active Directory Domains: Machine Events - Account Properties Update
  File name: RPT2006-23-05.rpt. Schedule: As needed.
  This report includes changes to Windows/Active Directory machine account properties, such as the display name.

Change Management - Windows/Active Directory Domains: Machine Events - Added To Group
  File name: RPT2006-23-06.rpt. Schedule: As needed.
  This report includes additions of Windows/Active Directory machine accounts to groups.

Change Management - Windows/Active Directory Domains: Machine Events - Added To OU
  File name: RPT2006-23-07.rpt. Schedule: As needed.
  This report includes additions of Windows/Active Directory machine accounts to Organizational Units.

Change Management - Windows/Active Directory Domains: Machine Events - Removed From Group
  File name: RPT2006-23-08.rpt. Schedule: As needed.
  This report includes removals of Windows/Active Directory machine accounts from groups.

Change Management - Windows/Active Directory Domains: Machine Events - Removed From OU
  File name: RPT2006-23-09.rpt. Schedule: As needed.
  This report includes removals of Windows/Active Directory machine accounts from Organizational Units.
Change Management - Windows/Active Directory Domains: New Critical Group Members
  File name: RPT2006-22-04.rpt. Schedule: As needed.
  This report includes additions of Windows/Active Directory user accounts to critical groups, such as Domain Admins or Enterprise Admins.

Change Management - Windows/Active Directory Domains: OU Events
  File name: RPT2006-24.rpt. Schedule: As needed.
  This report includes Windows/Active Directory Organizational Unit-related events.

Change Management - Windows/Active Directory Domains: OU Events - OU Created
  File name: RPT2006-24-01.rpt. Schedule: As needed.
  This report includes creation of Windows/Active Directory Organizational Units.

Change Management - Windows/Active Directory Domains: OU Events - OU Deleted
  File name: RPT2006-24-02.rpt. Schedule: As needed.
  This report includes deletion of Windows/Active Directory Organizational Units.

Change Management - Windows/Active Directory Domains: OU Events - OU Properties Update
  File name: RPT2006-24-03.rpt. Schedule: As needed.
  This report includes updates to Windows/Active Directory Organizational Unit properties, such as the display name.

Change Management - Windows/Active Directory Domains: User Events
  File name: RPT2006-25.rpt. Schedule: As needed.
  This report includes Windows/Active Directory user-related events.

Change Management - Windows/Active Directory Domains: User Events - Account Created
  File name: RPT2006-25-01.rpt. Schedule: As needed.
  This report includes creations of Windows/Active Directory user accounts.

Change Management - Windows/Active Directory Domains: User Events - Account Deleted
  File name: RPT2006-25-02.rpt. Schedule: As needed.
  This report includes deletions of Windows/Active Directory user accounts.

Change Management - Windows/Active Directory Domains: User Events - Account Disabled
  File name: RPT2006-25-03.rpt. Schedule: As needed.
  This report includes disabling of Windows/Active Directory user accounts.

Change Management - Windows/Active Directory Domains: User Events - Account Enabled
  File name: RPT2006-25-04.rpt. Schedule: As needed.
  This report includes enabling of Windows/Active Directory user accounts.
Change Management - Windows/Active Directory Domains: User Events - Account Lockout
  File name: RPT2006-25-05.rpt. Schedule: As needed.
  This report includes user-driven disabling of Windows/Active Directory user accounts, such as a user triggering the excessive failed password limit.

Change Management - Windows/Active Directory Domains: User Events - Account Properties Updated
  File name: RPT2006-25-06.rpt. Schedule: As needed.
  This report includes changes to Windows/Active Directory user account properties, such as the display name.

Change Management - Windows/Active Directory Domains: User Events - Added To Group
  File name: RPT2006-25-07.rpt. Schedule: As needed.
  This report includes additions of Windows/Active Directory user accounts to groups.

Change Management - Windows/Active Directory Domains: User Events - Added To OU
  File name: RPT2006-25-08.rpt. Schedule: As needed.
  This report includes additions of Windows/Active Directory user accounts to Organizational Units.

Change Management - Windows/Active Directory Domains: User Events - Removed From Group
  File name: RPT2006-25-09.rpt. Schedule: As needed.
  This report includes removals of Windows/Active Directory user accounts from groups.

Change Management - Windows/Active Directory Domains: User Events - Removed From OU
  File name: RPT2006-25-10.rpt. Schedule: As needed.
  This report includes removals of Windows/Active Directory user accounts from Organizational Units.

File Audit Events
  File name: RPT2003-05.rpt. Schedule: Weekly.
  This report tracks file system activity associated with audited files and system objects, such as file access successes and failures.

File Audit Events - File Attribute Change
  File name: RPT2003-05-41.rpt. Schedule: As needed.
  File Attribute Change is a specific File Write alert generated for the modification of file attributes (including properties such as read-only status). These alerts may be produced by any tool that is used to monitor file usage, including a Host-Based IDS and some operating systems.

File Audit Events - File Audit
  File name: RPT2003-05-11.rpt. Schedule: As needed.
  File Audit alerts are used to track file activity on monitored network devices, usually through the operating system or a Host-Based IDS. These events note the success or failure of the requested operation.
File Audit Events - File Audit Failure
  File name: RPT2003-05-12.rpt. Schedule: As needed.
  File Audit Failure alerts are used to track failed file activity on monitored network devices, usually through the operating system or a Host-Based IDS. These events note which requested operation failed.

File Audit Events - File Create
  File name: RPT2003-05-42.rpt. Schedule: As needed.
  File Create is a specific File Write alert generated for the initial creation of a file. These alerts may be produced by any tool that is used to monitor file usage, including a Host-Based IDS and some operating systems.

File Audit Events - File Data Read
  File name: RPT2003-05-31.rpt. Schedule: As needed.
  File Data Read is a specific File Read alert generated for the operation of reading data from a file (not just the properties or status of a file). These alerts may be produced by any tool that is used to monitor file usage, including a Host-Based IDS and some operating systems.

File Audit Events - File Data Write
  File name: RPT2003-05-43.rpt. Schedule: As needed.
  File Data Write is a specific File Write alert generated for the operation of writing data to a file (not just the properties or status of a file). These alerts may be produced by any tool that is used to monitor file usage, including a Host-Based IDS and some operating systems.

File Audit Events - File Delete
  File name: RPT2003-05-44.rpt. Schedule: As needed.
  File Delete is a specific File Write alert generated for the deletion of an existing file. These alerts may be produced by any tool that is used to monitor file usage, including a Host-Based IDS and some operating systems.

File Audit Events - File Execute
  File name: RPT2003-05-32.rpt. Schedule: As needed.
  File Execute is a specific File Read alert generated for the operation of executing files. These alerts may be produced by any tool that is used to monitor file usage, including a Host-Based IDS and some operating systems.

File Audit Events - File Handle Audit
  File name: RPT2003-05-21.rpt. Schedule: As needed.
  File Handle Audit alerts are used to track file handle activity on monitored network devices, usually through low-level access to the operating system, either natively or via a Host-Based IDS. These events note the success or failure of the requested operation.

File Audit Events - File Handle Close
  File name: RPT2003-05-22.rpt. Schedule: As needed.
  File Handle Close is a specific File Handle Audit alert generated for the closing of file handles. These alerts may be generated by a tool that has low-level file access, such as an operating system or some Host-Based IDSs.
File Audit Events - File Handle Copy
  File name: RPT2003-05-23.rpt. Schedule: As needed.
  File Handle Copy is a specific File Handle Audit alert generated for the copying of file handles. These alerts may be generated by a tool that has low-level file access, such as an operating system or some Host-Based IDSs.

File Audit Events - File Handle Open
  File name: RPT2003-05-24.rpt. Schedule: As needed.
  File Handle Open is a specific File Handle Audit alert generated for the opening of file handles. These alerts may be generated by a tool that has low-level file access, such as an operating system or some Host-Based IDSs.

File Audit Events - File Link
  File name: RPT2003-05-45.rpt. Schedule: As needed.
  File Link is a specific File Write alert generated for the creation, deletion, or modification of links to other files. These alerts may be produced by any tool that is used to monitor file usage, including a Host-Based IDS and some operating systems.

File Audit Events - File Move
  File name: RPT2003-05-46.rpt. Schedule: As needed.
  File Move is a specific File Write alert generated for the operation of moving a file that already exists. These alerts may be produced by any tool that is used to monitor file usage, including a Host-Based IDS and some operating systems.

File Audit Events - File Read
  File name: RPT2003-05-33.rpt. Schedule: As needed.
  File Read is a specific File Audit alert generated for the operation of reading files (including reading the properties of a file or the status of a file). These alerts may be produced by any tool that is used to monitor file usage, including a Host-Based IDS and some operating systems.

File Audit Events - File Write
  File name: RPT2003-05-47.rpt. Schedule: As needed.
  File Write is a specific File Audit alert generated for the operation of writing to a file (including writing the properties of a file or changing the status of a file). These alerts may be produced by any tool that is used to monitor file usage, including a Host-Based IDS and some operating systems.

File Audit Events - Object Audit
  File name: RPT2003-05-51.rpt. Schedule: As needed.
  Object Audit alerts are used to track special object activity on monitored network devices, usually through the operating system or a Host-Based IDS. Generally, objects are special types of system resources, such as registry items or user account databases. These objects may be actual files on the system, but are not necessarily human readable. These events note the success or failure of the requested operation.
File Audit Events - Object Audit Failure
  File name: RPT2003-05-52.rpt. Schedule: As needed.
  Object Audit Failure alerts are used to track special object activity on monitored network devices, usually through the operating system or a Host-Based IDS. Generally, objects are special types of system resources, such as registry items or user account databases. These objects may be actual files on the system, but are not necessarily human readable. These events note a failure of the requested operation.

File Audit Events - Object Delete
  File name: RPT2003-05-53.rpt. Schedule: As needed.
  Object Delete is a specific Object Audit alert generated for the deletion of an existing object. These alerts may be produced by any tool that is used to monitor file and object usage, including a Host-Based IDS and some operating systems.

File Audit Events - Object Link
  File name: RPT2003-05-54.rpt. Schedule: As needed.
  Object Link is a specific Object Audit alert generated for the creation, deletion, or modification of links to other objects. These alerts may be produced by any tool that is used to monitor file and object usage, including a Host-Based IDS and some operating systems.

Incident Alerts
  File name: RPT2006-19.rpt. Schedule: Daily.
  This report tracks the Incident, HostIncident, HybridIncident, and NetworkIncident alerts that have been generated to reflect enterprise-wide issues.

Inferred Alerts
  File name: RPT2006-27.rpt. Schedule: As needed.
  This report tracks alerts that are triggered by correlations built in the TriGeo Rule Builder.

Inferred Alerts by Inference Rule
  File name: RPT2006-27-01.rpt. Schedule: As needed.
  This report tracks alerts that are triggered by correlations, and orders them by the correlation rule name.

Log On/Off/Failure
  File name: RPT2003-03.rpt. Schedule: Weekly.
  Tracks activity associated with account events such as log on, log off, and log on failures. This is a refined version of the Authentication Report that does not include TriGeo authentication events. It is more appropriate for management reports or audit reviews than for regular use.

Network Traffic Audit
  File name: RPT2003-06.rpt. Schedule: Daily, if needed.
  Tracks activity associated with network traffic audit events such as TCP, IP, and UDP alerts. Specifically, this report tracks regular network traffic activity, such as encrypted traffic, web traffic, and other forms of UDP, TCP, and ICMP traffic. It gives you both an overview and some details of exactly what is flowing through your network. This report can be quite large.
Network Traffic Audit - Application Traffic
  File name: RPT2003-06-11.rpt. Schedule: As needed.
  ApplicationTrafficAudit alerts reflect network traffic that is mostly or entirely application-layer data. Alerts that are children of ApplicationTrafficAudit are also related to application-layer resources. Alerts placed in the parent ApplicationTrafficAudit alert itself are known to be application-related, but cannot be further categorized based on the message provided by the tool, or are uncommon and rarely, if ever, imply network attack potential.

Network Traffic Audit - Application Traffic by Destination Machine
  File name: RPT2003-06-11-2.rpt. Schedule: As needed.
  This report lists all Application Traffic alerts (such as WebTrafficAudit), grouped by destination machine/IP.

Network Traffic Audit - Application Traffic by Provider SID
  File name: RPT2003-06-11-3.rpt. Schedule: As needed.
  This report lists all Application Traffic alerts (such as WebTrafficAudit), grouped by provider SID.

Network Traffic Audit - Application Traffic by Source Machine
  File name: RPT2003-06-11-1.rpt. Schedule: As needed.
  This report lists all Application Traffic alerts (such as WebTrafficAudit), grouped by source machine/IP.

Network Traffic Audit - Application Traffic by Tool Alias
  File name: RPT2003-06-11-0.rpt. Schedule: As needed.
  This report lists all Application Traffic alerts (such as WebTrafficAudit), grouped by the TriGeo sensor tool alias that reported each alert.

Network Traffic Audit - Configuration Traffic
  File name: RPT2003-06-02.rpt. Schedule: As needed.
  Configuration Traffic Audit alerts reflect application-layer data related to configuration of network resources. Included in ConfigurationTrafficAudit are protocols such as DHCP, BootP, and SNMP. ConfigurationTrafficAudit alerts generally indicate normal traffic; however, alerts of this type could also be symptoms of misconfiguration, inappropriate usage, attempts to enumerate or access network devices or services, attempts to access devices that are configured via these services, or other abnormal traffic.

Network Traffic Audit - Core Traffic
  File name: RPT2003-06-03.rpt. Schedule: As needed.
  CoreTrafficAudit alerts reflect network traffic sent over core protocols. Alerts that are children of CoreTrafficAudit are all related to the TCP, IP, UDP, and ICMP protocols. Alerts of this type and its children do not carry any application-layer data. Alerts placed in the parent CoreTrafficAudit alert itself are known to be a core protocol, but cannot be further categorized based on the message provided by the tool.
Network Traffic Audit - Core Traffic by Destination Machine
  File name: RPT2003-06-03-2.rpt. Schedule: As needed.
  This report lists all Core Traffic alerts (such as TCPTrafficAudit), grouped by destination machine/IP.

Network Traffic Audit - Core Traffic by Provider SID
  File name: RPT2003-06-03-3.rpt. Schedule: As needed.
  This report lists all Core Traffic alerts (such as TCPTrafficAudit), grouped by provider SID.

Network Traffic Audit - Core Traffic by Source
  File name: RPT2003-06-03-1.rpt. Schedule: As needed.
  This report lists all Core Traffic alerts (such as TCPTrafficAudit), grouped by source machine/IP.

Network Traffic Audit - Core Traffic by Tool Alias
  File name: RPT2003-06-03-0.rpt. Schedule: As needed.
  This report lists all Core Traffic alerts (such as TCPTrafficAudit), grouped by the TriGeo sensor tool alias that reported the alert.

Network Traffic Audit - Encrypted Traffic
  File name: RPT2003-06-04.rpt. Schedule: As needed.
  Encrypted Traffic Audit alerts reflect application-layer traffic that has been encrypted and is intended for a secure host. Included in Encrypted Traffic Audit are client- and server-side application events, such as key exchanges, that normally occur after the low-level session creation and handshaking have completed.

Network Traffic Audit - Link Control Traffic
  File name: RPT2003-06-05.rpt. Schedule: As needed.
  Link Control Traffic Audit alerts are generated for network events related to link-level configuration. Link Control Traffic Audit alerts generally indicate normal traffic; however, alerts of this type could also be symptoms of misconfiguration at the link level, inappropriate usage, or other abnormal traffic.

Network Traffic Audit - Network Traffic
  File name: RPT2003-06-06.rpt. Schedule: As needed.
  Members of the Network Audit tree are used to define events centered on usage of network resources/bandwidth.

Network Traffic Audit - Point to Point Traffic
  File name: RPT2003-06-07.rpt. Schedule: As needed.
  Point To Point Traffic Audit alerts reflect application-layer data related to point-to-point connections between hosts. Included in Point To Point Traffic Audit are encrypted and unencrypted point-to-point traffic.
Network Traffic Audit - Remote Procedure Traffic
  File name: RPT2003-06-08.rpt. Schedule: As needed.
  Remote Procedure Traffic Audit alerts reflect application-layer data related to remote procedure services. Included in Remote Procedure Traffic Audit are the traditional RPC services used to service remote logons and file shares, and other services which require remote procedure access to complete authentication, pass data, or otherwise communicate. RemoteProcedureTrafficAudit alerts generally indicate normal traffic for networks that have remote procedure services on their network; however, alerts of this type could also be symptoms of inappropriate access, misconfiguration of the remote procedure services, errors in the remote procedure calls, or other abnormal traffic.

Network Traffic Audit - Routing Traffic
  File name: RPT2003-06-09.rpt. Schedule: As needed.
  Routing Traffic Audit alerts are generated for network events related to configuration of network routes, using protocols such as IGMP, IGRP, and RIP. RoutingTrafficAudit alerts generally indicate normal traffic; however, alerts of this type could also be symptoms of misconfigured routing, unintended route configuration, or other abnormal traffic.

Network Traffic Audit - Time Traffic
  File name: RPT2003-06-10.rpt. Schedule: As needed.
  Time Traffic Audit alerts reflect application-layer data related to network time configuration. Included in TimeTrafficAudit are protocols such as NTP and activities such as detection of client-side network time updates.

Network Traffic Audit - Top Application Traffic by Source
  File name: RPT2003-06-01-2.rpt. Schedule: As needed.
  This report lists the Top Application Traffic alerts (such as WebTrafficAudit), grouped by source machine/IP.

Network Traffic Audit - Top Core Traffic by Source
  File name: RPT2003-06-03-2.rpt. Schedule: As needed.
  This report lists the Top Core Traffic alerts (such as TCPTrafficAudit), grouped by source machine/IP.

Network Traffic Audit - Web Traffic
  File name: RPT2003-06-01.rpt. Schedule: As needed.
  WebTrafficAudit alerts reflect application-layer data related to web services. Included in WebTrafficAudit are client and server web events from web servers, web applications, content filter related events, and other web services. WebTrafficAudit alerts generally indicate normal traffic; however, alerts of this type could also be symptoms of inappropriate web usage, potential abuse of web services, or other abnormal traffic.

Network Traffic Audit - Web Traffic by Destination Machine
  File name: RPT2003-06-01-2.rpt. Schedule: As needed.
  This report lists all WebTrafficAudit alerts grouped by destination machine/IP.
Title: Network Traffic Audit - Web Traffic by Provider SID
Description: This report lists Web Traffic Audit alerts grouped by provider SID.
File name: RPT2003-06-01-3.rpt
Schedule: As needed

Title: Network Traffic Audit - Web Traffic by Source Machine
Description: This report lists all WebTrafficAudit alerts grouped by source machine/IP.
File name: RPT2003-06-01-1.rpt
Schedule: As needed

Title: Network Traffic Audit - Web Traffic by Tool Alias
Description: This report lists Web Traffic Audit alerts grouped by tool alias.
File name: RPT2003-06-01-0.rpt
Schedule: As needed

Title: Network Traffic Audit - Web URL Requests by Source Machine
Description: This report lists the most frequently visited URLs grouped by the requesting client source machine.
File name: RPT2003-06-01-5.rpt
Schedule: As needed

Title: Network Traffic Audit - Web URL Requests by Source Machine Graphs
Description: This report shows graphs of the most frequently visited URLs for each client source machine.
File name: RPT2003-06-01-4.rpt
Schedule: As needed

Title: Resource Configuration
Description: The Resource Configuration report details events that relate to configuration of user accounts, machine accounts, groups, policies, and their relationships, such as domain or group modification, policy changes, and creation of new network resources.
File name: RPT2003-08.rpt
Schedule: Weekly

Title: Resource Configuration - Authorization Audit
Description: Alerts that are part of the Auth Audit tree are related to authentication and authorization of accounts and account 'containers' such as groups or domains. These alerts can be produced from any network node, including firewalls, routers, servers, and clients.
File name: RPT2003-08-01.rpt
Schedule: As needed

Title: Resource Configuration - Domain Authorization Audit
Description: Domain Auth Audit events are authentication, authorization, and modification events related only to domains, subdomains, and account containers. These alerts are normally operating-system related; however, they could be produced by any network device.
File name: RPT2003-08-02.rpt
Schedule: As needed

Title: Resource Configuration - Group Audit
Description: Group Audit events are authentication, authorization, and modification events related only to account groups. These alerts are normally operating-system related; however, they could be produced by any network device.
File name: RPT2003-08-03.rpt
Schedule: As needed

Title: Resource Configuration - Machine Authorization Audit
Description: Machine Auth Audit events are authentication, authorization, and modification events related only to computer or machine accounts. These alerts can be produced from any network node, including firewalls, routers, servers, and clients, but are normally operating-system related.
File name: RPT2003-08-04.rpt
Schedule: As needed
Title: Resource Configuration - Policy Audit
Description: Policy Audit events are used to track access, modification, scope change, and creation of authentication, domain, account, and account container policies. Many of these alerts reflect normal system traffic. Most PolicyAudit alerts are provided by the operating system.
File name: RPT2003-08-06.rpt
Schedule: As needed

Title: Resource Configuration - User Authorization Audit
Description: User Auth Audit events are authentication, authorization, and modification events related only to user accounts. These alerts can be produced from any network node, including firewalls, routers, servers, and clients.
File name: RPT2003-08-05.rpt
Schedule: As needed
Table of Security reports
The following table lists and describes each of TriGeo's security reports. For your convenience, the reports are listed alphabetically by title.

Title: Authentication Report - Failed Authentication
Description: Failed Authentication events occur when a user has made several attempts to authenticate which have continuously failed, or when a logon failure is serious enough to merit a security event on a single failure.
File name: RPT2003-02-1.rpt
Schedule: As needed

Title: Authentication Report - Guest Login
Description: This report shows logins to various Guest accounts.
File name: RPT2003-02-2.rpt
Schedule: As needed

Title: Authentication Report - Restricted Information Attempt
Description: Restricted Information Attempt events describe a user attempt to access local or remote information that their level of authorization does not allow. These events may indicate user attempts to exploit services to which they are denied access, or inappropriate attempts to access information.
File name: RPT2003-02-3.rpt
Schedule: As needed

Title: Authentication Report - Restricted Service Attempt
Description: Restricted Service Attempt events describe a user attempt to access a local or remote service that their level of authorization does not allow. These events may indicate user attempts to exploit services to which they are denied access, or inappropriate attempts to access services.
File name: RPT2003-02-4.rpt
Schedule: As needed

Title: Console
Description: The Console report shows every alert that passes through the system in the given time interval. It mimics the basic management console view. It does not contain the same level of field detail, but it is useful for getting a quick snapshot of activity for a period, a lunch hour, for example. This report can be very large, so you will only want to run it for small time intervals, such as hours.
File name: RPT2003-10.rpt
Schedule: As needed

Title: Console - Overview
Description: An overview of all alerts during the specified time range. Shows graphs of the most common generic alert field data from the Console report.
File name: RPT2003-10-00.rpt
Schedule: As needed

Title: Event Summary - Attack Behavior Statistics
Description: Event Summary Sub Report - Attack Behavior Statistics
File name: RPT2003-01-02.rpt
Schedule: As needed

Title: Event Summary - Authorization Audit Statistics
Description: Event Summary Sub Report - Authorization Audit Statistics
File name: RPT2003-01-03.rpt
Schedule: As needed
Title: Event Summary Graphs
Description: The Event Summary report gathers statistical data from all major event categories, summarizes it with a one-hour resolution, and presents a quick, graphical overview of activity on your network.
File name: RPT2003-01.rpt
Schedule: Daily

Title: Event Summary - Machine Audit Statistics
Description: Event Summary Sub Report - Machine Audit Statistics
File name: RPT2003-01-05.rpt
Schedule: As needed

Title: Event Summary - Policy Audit Statistics
Description: Event Summary Sub Report - Policy Audit Statistics
File name: RPT2003-01-06.rpt
Schedule: As needed

Title: Event Summary - Resource Audit Statistics
Description: Event Summary Sub Report - Resource Audit Statistics
File name: RPT2003-01-07.rpt
Schedule: As needed

Title: Event Summary - Suspicious Behavior Statistics
Description: Event Summary Sub Report - Suspicious Behavior Statistics
File name: RPT2003-01-08.rpt
Schedule: As needed

Title: Event Summary - Top Level Statistics
Description: Event Summary Sub Report - Top Level Statistics
File name: RPT2003-01-01.rpt
Schedule: As needed

Title: Machine Audit
Description: Tracks activity associated with machine process and service audit events. This report shows machine-level events such as software installs, patches, system shutdowns, and reboots. It can be used to assist in software license compliance auditing by providing records of installs.
File name: RPT2003-09.rpt
Schedule: Weekly

Title: Machine Audit - File System Audit
Description: This report tracks activity associated with file system audit alerts, including mount file system and unmount file system alerts. These events are generally normal system activity, especially during system boot.
File name: RPT2003-09-010.rpt
Schedule: As needed

Title: Machine Audit - File System Audit - Mount File System
Description: Mount File System alerts are a specific type of File System Audit that reflect the action of creating an active translation between hardware and a usable file system. These events are generally normal during system boot.
File name: RPT2003-09-012.rpt
Schedule: As needed

Title: Machine Audit - File System Audit - Unmount File System
Description: Unmount File System alerts are a specific type of File System Audit that reflect the action of removing a translation between hardware and a usable file system. These events are generally normal during system shutdown.
File name: RPT2003-09-013.rpt
Schedule: As needed

Title: Machine Audit - Process Audit
Description: This report tracks activity related to processes, including processes that have started, stopped, or reported useful process-related information.
File name: RPT2003-09-030.rpt
Schedule: As needed

Title: Machine Audit - Process Audit - Process Audit
Description: This report lists Process Audit alerts that are generated to track launch, exit, status, and other events related to system processes. Usually, these events reflect normal system activity. Process-related activity that may indicate a failure will be noted separately from normal activity in the alert detail.
File name: RPT2003-09-031.rpt
Schedule: As needed
Title: Machine Audit - Process Audit - Process Info
Description: Process Info is a specific type of Process Audit alert that reflects information related to a process. Most of these events can safely be ignored, as they are generally normal activity that does not reflect a failure or abnormal state.
File name: RPT2003-09-032.rpt
Schedule: As needed

Title: Machine Audit - Process Audit - Process Start
Description: Process Start is a specific type of Process Audit alert that indicates a new process has been launched. Usually, Process Start reflects normal system activity.
File name: RPT2003-09-033.rpt
Schedule: As needed

Title: Machine Audit - Process Audit - Process Stop
Description: Process Stop is a specific type of Process Audit alert that indicates a process has exited. Usually, Process Stop reflects normal application exit; however, in the event of an unexpected error the abnormal state will be noted.
File name: RPT2003-09-034.rpt
Schedule: As needed

Title: Machine Audit - Process Audit - Process Warning
Description: Process Warning is a specific type of Process Audit alert that indicates a process has returned a 'Warning' message that is not a fatal error and may not have triggered an exit of the process.
File name: RPT2003-09-035.rpt
Schedule: As needed

Title: Machine Audit - Service Audit
Description: This report tracks activity related to services, including services that have started, stopped, or reported useful service-related information or warnings.
File name: RPT2003-09-040.rpt
Schedule: As needed

Title: Machine Audit - Service Audit - Service Info
Description: This report tracks ServiceInfo events, which reflect information related to a particular service. Most of these events can safely be ignored, as they are generally normal activity that does not reflect a failure or abnormal state.
File name: RPT2003-09-041.rpt
Schedule: As needed

Title: Machine Audit - Service Audit - Service Start
Description: This report tracks ServiceStart events, which indicate that a new system service is starting.
File name: RPT2003-09-042.rpt
Schedule: As needed

Title: Machine Audit - Service Audit - Service Stop
Description: This report tracks ServiceStop events, which indicate that a system service is stopping. This activity is generally normal; however, in the event of an unexpected stop the abnormal state will be noted.
File name: RPT2003-09-043.rpt
Schedule: As needed

Title: Machine Audit - Service Audit - Service Warning
Description: This report lists ServiceWarning alerts. These alerts indicate a service has returned a 'Warning' message that is not a fatal error and may not have triggered an exit of the service.
File name: RPT2003-09-044.rpt
Schedule: As needed

Title: Machine Audit - System Audit
Description: This report tracks activity associated with system status and modifications, including software changes, system reboots, and system shutdowns.
File name: RPT2003-09-020.rpt
Schedule: As needed

Title: Machine Audit - System Audit - Machine Audit
Description: Machine Audit alerts are used to track hardware or software status and modifications. These events are generally acceptable, but do indicate modifications to the client system that may be noteworthy.
File name: RPT2003-09-021.rpt
Schedule: As needed
Title: Machine Audit - System Audit - Software Install
Description: SoftwareInstall alerts reflect modifications to the system at a software level, generally at the operating system level (or equivalent, in the case of a network infrastructure device). These alerts are generated when a user updates a system or launches system-native methods to install third-party applications.
File name: RPT2003-09-025.rpt
Schedule: As needed

Title: Machine Audit - System Audit - Software Update
Description: SoftwareUpdate is a specific type of SoftwareInstall that reflects a more current version of software being installed to replace an older version.
File name: RPT2003-09-026.rpt
Schedule: As needed

Title: Machine Audit - System Audit - System Reboot
Description: System Reboot alerts occur on monitored network devices (servers, routers, etc.) and indicate that a system has restarted.
File name: RPT2003-09-022.rpt
Schedule: As needed

Title: Machine Audit - System Audit - System Shutdown
Description: System Shutdown alerts occur on monitored network devices (servers, routers, etc.) and indicate that a system has been shut down.
File name: RPT2003-09-023.rpt
Schedule: As needed

Title: Machine Audit - System Audit - System Status
Description: SystemStatus alerts reflect general system state events. These events are generally normal and informational; however, they could potentially reflect a failure or issue which should be addressed.
File name: RPT2003-09-024.rpt
Schedule: As needed

Title: Machine Audit - USB-Defender
Description: This report tracks activity associated with USB-Defender, including insertion and removal events related to USB Mass Storage devices.
File name: RPT2003-09-050.rpt
Schedule: As needed

Title: Malicious Code
Description: This report tracks event activity associated with malicious code such as viruses, Trojans, and worms, both on the network and on local machines, as detected by anti-virus software.
File name: RPT2003-04.rpt
Schedule: Weekly

Title: Malicious Code - Service Process Attack
Description: Members of the Service Process Attack tree are used to define events centered on malicious or abusive usage of services or user processes. These events include abuse or misuse of resources from malicious code placed on the client system.
File name: RPT2003-04-01.rpt
Schedule: As needed

Title: Malicious Code - Trojan Command Access
Description: Trojan Command Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as Trojan Horses. This alert detects the communication related to Trojans sending commands over the network (infecting other clients, participating in a denial of service activity, being controlled remotely by the originator, etc.). Trojans are generally executables that require no user intervention to spread and contain malicious code that is placed on the client system and used to exploit the client (and return access to the originator of the attack) or exploit other clients (used in attacks such as distributed denial of service attacks).
File name: RPT2003-04-05.rpt
Schedule: As needed
Title: Malicious Code - Trojan Infection Access
Description: Trojan Infection Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as a Trojan Horse. This alert detects the infection traffic related to a Trojan entering the network (generally with intent to infect a client). Trojans are generally executables that require no user intervention to spread and contain malicious code that is placed on the client system and used to exploit the client (and return access to the originator of the attack) or exploit other clients (used in attacks such as distributed denial of service attacks).
File name: RPT2003-04-04.rpt
Schedule: As needed

Title: Malicious Code - Trojan Traffic Access
Description: Trojan Traffic Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as a Trojan Horse. This alert detects the communication related to Trojans over the network (generally, 'trojaned' clients calling home to the originator). Trojans are generally executables that require no user intervention to spread and contain malicious code that is placed on the client system and used to exploit the client (and return access to the originator of the attack) or exploit other clients (used in attacks such as distributed denial of service attacks).
File name: RPT2003-04-02.rpt
Schedule: As needed

Title: Malicious Code Report - Trojan Traffic Denial
Description: Trojan Traffic Denial events are a specific type of Denial event where the transport of the malicious or abusive usage originates with malicious code on a client system known as a Trojan. The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Trojan Traffic Denial events may be attempts to exploit weaknesses in software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, attempts to spread the Trojan to other hosts, or other denial of service activities.
File name: RPT2003-04-03.rpt
Schedule: As needed

Title: Malicious Code Report - Virus Attack
Description: Virus Attack alerts reflect malicious code placed on a client or server system, which may lead to system or other resource compromise and may lead to further attack. The severity of this alert will depend on the ActionTaken field, which reflects whether the virus or other malicious code was successfully removed.
File name: RPT2003-04-06.rpt
Schedule: As needed
Title: Malicious Code Report - Virus Summary Attack
Description: Virus Summary Attack alerts reflect malicious code placed on a client or server system, which may lead to system or other resource compromise and may lead to further attack. The severity of this alert will depend on the Action Taken field, which reflects whether the virus or other malicious code was successfully removed. These alerts differ from Virus Attack in that they may be a composite of virus events, normally due to a scheduled scan on the client system as opposed to a real-time scan.
File name: RPT2003-04-07.rpt
Schedule: As needed

Title: Malicious Code Report - Virus Traffic Access
Description: Virus Traffic Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as viruses. This alert detects the communication related to viruses over the network (generally, the spread of a virus infection or an incoming virus infection). Viruses are generally executables that require user intervention to spread, contain malicious code that is placed on the client system, and are used to exploit the client and possibly spread to other clients.
File name: RPT2003-04-08.rpt
Schedule: As needed

Title: Network Events: Attack Behavior
Description: This report tracks activity associated with top-level NetworkAttack alerts.
File name: RPT2003-11-00.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Access
Description: This report shows malicious asset access via the network, for example, attacks on FTP or Windows Network servers, malicious network database access, abuses of services, or attempted unauthorized entry.
File name: RPT2003-11.rpt
Schedule: Weekly

Title: Network Events: Attack Behavior - Access - Access
Description: Children of the Access tree define events centered on malicious or abusive usage of network bandwidth/traffic where the intention, or the result, is inappropriate or abusive access to network resources.
File name: RPT2003-11-01.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Access - Application Access
Description: Application Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is mostly or all application-layer. Generally, ApplicationAccess alerts will reflect attempted exploitation of weaknesses in server or client software, or information that is restricted/prohibited by device access control or policy.
File name: RPT2003-11-02.rpt
Schedule: As needed
Title: Network Events: Attack Behavior - Access - Configuration Access
Description: Configuration Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via resource configuration traffic (using protocols such as DHCP, BootP, and SNMP). Generally, these alerts will reflect attempted exploitation of weaknesses in the configuration server or client software, or attempts to gain system-level access to configuration servers themselves. In the case of SNMP and similar configuration protocols, it could reflect an attempt to enumerate a device or devices on the same network for further attack.
File name: RPT2003-11-03.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Access - Core Access
Description: Core Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is mostly or all core protocols (TCP, UDP, IP, ICMP). Generally, CoreAccess alerts will reflect attempted exploitation of weaknesses in network protocols or devices with intent to gain access to servers, clients, or network infrastructure devices.
File name: RPT2003-11-04.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Access - Database Access
Description: Database Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer database traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in database server or client software.
File name: RPT2003-11-05.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Access - File System Access
Description: File System Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via remote filesystem traffic (using protocols such as SMB and NFS). Generally, these alerts will reflect attempted exploitation of weaknesses in the remote filesystem server or client software, or attempts to gain system-level access to remote filesystem servers themselves.
File name: RPT2003-11-06.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Access - File Transfer
Description: File Transfer Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer file transfer traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in file transfer server or client software.
File name: RPT2003-11-07.rpt
Schedule: As needed
Title: Network Events: Attack Behavior - Access - Link Control Access
Description: Link Control Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is low-level link control (using protocols such as ARP). Generally, Link Control Access alerts will reflect attempted exploitation of weaknesses in switching devices by usage of malformed incoming or outgoing data, with intent to enumerate or gain access to or through switching devices, clients that are also on the switching device, and entire networks attached to the switching device. In some cases, a managed switch with restrictions on port analyzing activity may be forced into an unmanaged switch with no restrictions, allowing a malicious client to sniff traffic and enumerate or attack.
File name: RPT2003-11-08.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Access - Mail Access
Description: Mail Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer mail transfer, retrieval, or service traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in mail-related server or client software.
File name: RPT2003-11-09.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Access - Naming Access
Description: Naming Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer naming service traffic (using protocols such as DNS and WINS). Generally, these alerts will reflect attempted exploitation of weaknesses in the naming server or client software.
File name: RPT2003-11-10.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Access - News Access
Description: News Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer news traffic (over protocols such as NNTP). Generally, these alerts will reflect attempted exploitation of weaknesses in the news server or client software.
File name: RPT2003-11-11.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Access - Point to Point Access
Description: Point To Point Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via point-to-point traffic (using protocols such as PPTP). Generally, these alerts will reflect attempted exploitation of weaknesses in point-to-point server or client software, attempts to enumerate networks, or attempts to further attack devices on trusted networks.
File name: RPT2003-11-12.rpt
Schedule: As needed
Title: Network Events: Attack Behavior - Access - Printer Access
Description: Printer Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer remote printer traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in the remote printer server or client software.
File name: RPT2003-11-13.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Access - Remote Console Access
Description: Remote Console Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer remote console service traffic (services such as telnet, SSH, and terminal services). Generally, these alerts will reflect attempted exploitation of weaknesses in the remote console server or client software.
File name: RPT2003-11-14.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Access - Remote Procedure Access
Description: Remote Procedure Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via remote procedure call traffic (using protocols such as the traditional RPC services, RMI, and CORBA). Generally, these alerts will reflect attempted exploitation of weaknesses in the remote procedure server or client software, or attempts to gain system-level access to remote procedure servers themselves.
File name: RPT2003-11-15.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Access - Routing Access
Description: Routing Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is routing-related protocols (RIP, IGMP, etc.). Generally, Routing Access alerts will reflect attempted exploitation of weaknesses in routing protocols or devices with intent to enumerate or gain access to or through routers, servers, clients, or other network infrastructure devices. These routing protocols are used to automate the routing process between multiple devices that share or span networks.
File name: RPT2003-11-16.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Access - Time Access
Description: Time Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer remote time service traffic (using protocols such as NTP). Generally, these alerts will reflect attempted exploitation of weaknesses in the remote time server or client software.
File name: RPT2003-11-17.rpt
Schedule: As needed
Title: Network Events: Attack Behavior - Access - Virus Traffic Access
Description: Virus Traffic Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as viruses. Generally, these alerts will reflect attempted exploitation of weaknesses in the web server or client software.
File name: RPT2003-11-19.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Access - Web Access
Description: Web Access alerts reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer WWW traffic. Generally, these alerts will reflect attempted exploitation of weaknesses in the web server or client software.
File name: RPT2003-11-18.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Denial / Relay
Description: Tracks activity associated with network denial or relay attack behaviors. This report shows malicious asset relay attempts and denials of service via the network, for example, FTP bouncing, Distributed Denial of Service events, and many protocol abuses.
File name: RPT2003-12.rpt
Schedule: Weekly

Title: Network Events: Attack Behavior - Denial / Relay - Application Denial
Description: Application Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer protocols. The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Application Denial events may be attempts to exploit weaknesses in software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities.
File name: RPT2003-12-01.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Denial / Relay - Configuration Denial
Description: Configuration Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is protocols related to configuration of resources (DHCP, BootP, SNMP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. ConfigurationDenial events may be attempts to exploit weaknesses in configuration-related software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities.
File name: RPT2003-12-02.rpt
Schedule: As needed
Title: Network Events: Attack Behavior - Denial / Relay - Core Denial
Description: Core Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is core protocols (TCP, IP, ICMP, UDP). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Core Denial events may be attempts to exploit weaknesses in software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities.
File name: RPT2003-12-03.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Denial / Relay - Denial
Description: Children of the Denial tree define events centered on malicious or abusive usage of network bandwidth/traffic where the intention, or the result, is inappropriate or abusive access to network resources through a denial of service attack.
File name: RPT2003-12-04.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Denial / Relay - File System Denial
Description: File System Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is remote filesystem-related protocols (NFS, SMB, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. File System Denial events may be attempts to exploit weaknesses in remote filesystem services or software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities.
File name: RPT2003-12-05.rpt
Schedule: As needed

Title: Network Events: Attack Behavior - Denial / Relay - File Transfer Denial
Description: File Transfer Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer file transfer-related protocols (FTP, TFTP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. FileTransferDenial events may be attempts to exploit weaknesses in file transfer-related software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities.
File name: RPT2003-12-06.rpt
Schedule: As needed
Appendix D: Report Tables
Title
Description
File name
Schedule
Network Events: Attack
Behavior - Denial / Relay
- Link Control Denial
Link Control Denial events are a specific type of
Denial event where the transport of the malicious or
abusive usage is link level protocols (such as ARP).
The intent, or the result, of this activity is
inappropriate or abusive access to network
resources through a denial of service attack.
LinkControlDenial events may be attempts to
exploit weaknesses in link-level control software to
gain access to a host system, attempts to exploit
weaknesses in network infrastructure equipment to
enumerate or reconfigure devices, or other denial
of service activities.
RPT2003-12-07.rpt
As needed
Network Events: Attack
Behavior - Denial / Relay
- Mail Denial
MailDenial events are a specific type of Denial event
where the transport of the malicious or abusive
usage is application-layer mail-related protocols
(SMTP, IMAP, POP3, etc.) or services
(majordomo, spam filters, etc.). The intent, or the
result, of this activity is inappropriate or abusive
access to network resources through a denial of
service attack. MailDenial events may be attempts
to exploit weaknesses in mail-related software to
gain access to a host system, attempts to exploit
weaknesses in the software to enumerate or
reconfigure, or other denial of service activities.
RPT2003-12-08.rpt
As needed
Network Events: Attack
Behavior - Denial / Relay
- Relay
Children of the Relay tree define events centered
on malicious or abusive usage of network
bandwidth/traffic where the intention, or the result,
is relaying inappropriate or abusive access to other
network resources (either internal or external).
Generally, these attacks will have the perimeter or
an internal host as their point of origin. When
sourced from remote hosts, they may indicate a
successful exploit of an internal or perimeter host.
RPT2003-12-09.rpt
As needed
Network Events: Attack
Behavior - Denial / Relay
- Remote Procedure
Denial
Remote Procedure Denial events are a specific
type of Denial event where the transport of the
malicious or abusive usage is remote procedurerelated protocols (traditional RPC, RMI, CORBA,
etc.) or service (portmapper, etc.). The intent, or
the result, of this activity is inappropriate or abusive
access to network resources through a denial of
service attack. RemoteProcedureDenial events
may be attempts to exploit weaknesses in remote
procedure services or software to gain access to a
host system, attempts to exploit weaknesses in the
software to enumerate or reconfigure, or other
denial of service activities.
RPT2003-12-10.rpt
As needed
600
Table of Security reports
Title
Description
File name
Schedule
Network Events: Attack
Behavior - Denial / Relay
- Routing Denial
Routing Denial events are a specific type of Denial
event where the transport of the malicious or
abusive usage is routing-related protocols (RIP,
IGMP, etc.). The intent, or the result, of this activity
is inappropriate or abusive access to network
resources through a denial of service attack.
Routing Denial events may be attempts to exploit
weaknesses in routers or routing software to gain
access to a host system, attempts to exploit
weaknesses in the routing software or service to
enumerate or reconfigure, or other denial of service
activities.
RPT2003-12-11.rpt
As needed
Network Events: Attack
Behavior - Denial / Relay
- Web Denial
Web Denial events are a specific type of Denial
event where the transport of the malicious or
abusive usage is application-layer web-related
protocols (HTTP, HTTPS, etc.) or services (CGI,
ASP, etc.). The intent, or the result, of this activity is
inappropriate or abusive access to network
resources through a denial of service attack. Web
Denial events may be attempts to exploit
weaknesses in web-related software to gain access
to a host system, attempts to exploit weaknesses in
the software to enumerate or reconfigure, or other
denial of service activities.
RPT2003-12-12.rpt
As needed
Network Events:
Suspicious Behavior
Track activity associated with suspicious network
behaviors such as reconnaissance or unusual
traffic. Specifically, this report shows potentially
dangerous activity, such as excessive
authentication failures, port scans, stack
fingerprinting, and network enumerations.
RPT2003-07.rpt
Weekly
Network Events:
Suspicious Behavior Application Enumerate
Application Enumerate alerts reflect attempts to
gather information about target hosts, or services
on target hosts, by sending active application-layer
data which will elicit responses that reveal
information about the application or host. This
enumeration may be a simple command sent to the
application to attempt to fingerprint what is allowed
or denied by the service, requests to the application
which may enable an attacker to surmise the
version and specific application running, and other
information gathering tactics. These enumerations
may result in information being provided that can
allow an attacker to craft a specific attack against
the host or application that may work correctly the
first time - enabling them to modify their
methodology to go on relatively undetected.
RPT2003-07-01.rpt
As needed
601
Appendix D: Report Tables
Title
Description
File name
Schedule
Network Events:
Suspicious Behavior Banner Grabbing
Enumerate
Banner Grabbing Enumerate alerts reflect attempts
to gather information about target hosts, or services
on target hosts, by sending a request which will elicit
a response containing the host or service's 'banner'.
This 'banner' contains information that may provide
a potential attacker with such details as the exact
application and version running behind a port.
These details could be used to craft specific attacks
against hosts or services that an attacker may know
will work correctly the first time - enabling them to
modify their methodology go on relatively
undetected.
RPT2003-07-02.rpt
As needed
Network Events:
Suspicious Behavior Core Scan
Core Scan alerts reflect attempts to gather
information about target networks, or specific target
hosts, by sending scans over core network
protocols (TCP, IP, ICMP, UDP) which will elicit
responses that reveal information about clients,
servers, or other network infrastructure devices.
The originating source of the scan is generally
attempting to acquire information that may reveal
more than normal traffic to the target would,
information such as a list of applications listening on
ports, operating system information, and other
information that a probe may discover without
enumeration of the specific services or performing
attack attempts.
RPT2003-07-03.rpt
As needed
Network Events:
Suspicious Behavior Enumerate
Enumerate alerts reflect attempts to gather
information about target networks, or specific target
hosts, by sending active data which will elicit
responses that reveal information about clients,
servers, or other network infrastructure devices.
The originating source of the enumeration is
generally attempting to acquire information that
may reveal more than normal traffic to the target
would.
RPT2003-07-04.rpt
As needed
Network Events:
Suspicious Behavior Footprint
Footprint alerts reflect attempts to gather
information about target networks by tracing the
network through routers, clients, servers, or other
network infrastructure devices. The originating
source of the footprint is generally attempting to
acquire information that may reveal more about
network behavior than normal traffic to the target
would.
RPT2003-07-05.rpt
As needed
Network Events:
Suspicious Behavior General Security
General Security alerts are generated when a
supported product outputs data that has not yet
been normalized into a specific alert, but is known to
be security issue-related.
RPT2003-07-17.rpt
As needed
602
Table of Security reports
Title
Description
File name
Schedule
Network Events:
Suspicious Behavior Host Scan
Host Scan alerts reflect attempts to gather
information about specific target hosts by sending
scans which will elicit responses that reveal
information about clients, servers, or other network
infrastructure devices. The originating source of the
scan is generally attempting to acquire information
that may reveal more than normal traffic to the
target would, such as a list of applications on the
host, operating system information, and other
information that a probe may discover without
enumeration of the specific services or performing
attack attempts. These scans generally do not
occur across entire networks and generally have
the intent of discovering operating system and
application information which may be used for
further attack preparation.
RPT2003-07-06.rpt
As needed
Network Events:
Suspicious Behavior ICMP Query
ICMP Query alerts reflect attempts to gather
information about specific target hosts, or networks,
by sending ICMP-based queries that will elicit
responses that reveal information about clients,
servers, or other network infrastructure devices.
The originating source of the scan is generally
attempting to acquire information that may reveal
more than normal traffic to the target would, such
as operating system information and other
information that a probe may discover without
enumeration of the specific services or performing
attack attempts. These scans generally do not
occur across entire networks, contain many
sequential ICMP packets, and generally have the
intent of discovering operating system and
application information which may be used for
further attack preparation.
RPT2003-07-07.rpt
As needed
603
Appendix D: Report Tables
Title
Description
File name
Schedule
Network Events:
Suspicious Behavior MS Network Enumerate
MS Networking Enumerate alerts reflect attempts
to gather information about target hosts, or services
on target hosts, by sending active data to Microsoft
networking services (using protocols such as
NetBIOS and SMB/CIFS) that will illicit responses
that reveal information about the application, host,
or target network. This enumeration may be a
simple command sent to the networking service to
attempt to fingerprint what is allowed or denied by a
service, requests to a service that may enable an
attacker to surmise the version and specific service
running, requests to a service that may enable an
attacker to fingerprint the target network, and other
information gathering tactics. These enumerations
may result in information being provided that can
allow an attacker to craft a specific attack against
the networking service, host, or application that may
work correctly the first time - enabling them to
modify their methodology to go on relatively
undetected.
RPT2003-07-08.rpt
As needed
Network Events:
Suspicious Behavior Network Suspicious
Members of the NetworkSuspicious tree are used
to define events regarding suspicious usage of
network bandwidth/traffic. These events include
unusual traffic and reconnaissance behavior
detected on network resources.
RPT2003-07-09.rpt
As needed
Network Events:
Suspicious Behavior Port Scan
Port Scan alerts reflect attempts to gather
information about target networks, or specific target
hosts, by sending scans over core network
protocols (TCP, IP, ICMP, UDP) that will elicit
responses that reveal information about clients,
servers, or other network infrastructure devices.
The originating source of the scan is generally
attempting to acquire information that may reveal
more than normal traffic to the target would, such
as a list of applications listening on ports, operating
system information, and other information that a
probe may discover without enumeration of the
specific services or performing attack attempts. Port
Scans specifically operate by sending probes to
every port within a range, attempting to identify
open ports that may use applications or services
that are easy to enumerate and attack.
RPT2003-07-10.rpt
As needed
604
Table of Security reports
Title
Description
File name
Schedule
Network Events:
Suspicious Behavior Recon
Children of the Recon tree reflect suspicious
network behavior with intent of gathering
information about target clients, networks, or hosts.
Reconnaissance behavior may be valid behavior on
a network, however, only as a controlled behavior in
small quantities. Invalid reconnaissance behavior
may reflect attempts to determine security flaws on
remote hosts, missing access control policies that
allow external hosts to penetrate networks, or other
suspicious behavior that results in general
information gathering without actively attacking.
RPT2003-07-11.rpt
As needed
Network Events:
Suspicious Behavior Remote Procedure
Enumerate
Remote Procedure Enumerate alerts reflect
attempts to gather information about target hosts,
or services on target hosts, by sending active data
to Remote Procedure services (using protocols
such as RMI, CORBA, and traditional RPC) that will
elicit responses that reveal information about the
application or host. This enumeration may be a
simple command sent to the remote procedure
service to attempt to fingerprint what is allowed or
denied by the service, requests to the remote
procedure service that may enable an attacker to
surmise the version and specific service running,
and other information gathering tactics. These
enumerations may result in information being
provided that can allow an attacker to craft a specific
attack against the remote procedure service or
application that may work correctly the first time enabling them to modify their methodology to go on
relatively undetected.
RPT2003-07-12.rpt
As needed
Network Events:
Suspicious Behavior Scan
Scan alerts reflect attempts to gather information
about target networks, or specific target hosts, by
sending scans which will elicit responses that reveal
information about clients, servers, or other network
infrastructure devices. The originating source of the
scan is generally attempting to acquire information
that may reveal more than normal traffic to the
target would, information such as a list of
applications listening on ports, operating system
information, and other information that a probe may
discover without enumeration of the specific
services or performing attack attempts.
RPT2003-07-13.rpt
As needed
605
Appendix D: Report Tables
Title
Description
File name
Schedule
Network Events:
Suspicious Behavior Stack Fingerprint
Stack Fingerprint alerts reflect attempts to gather
information about specific target hosts by sending a
certain set of packets to probe a device's network
stack, which will elicit responses that reveal
information about clients, servers, or other network
infrastructure devices. The originating source of the
scan is generally attempting to acquire information
that may reveal more than normal traffic to the
target would, such as operating system information
(including type and version) and other information
that a probe may discover without enumeration of
the specific services or performing attack attempts.
These scans generally do not occur across entire
networks and generally have the intent of
discovering operating system information which
may be used for further attack preparation.
RPT2003-07-14.rpt
As needed
Network Events:
Suspicious Behavior Trojan Scanner
Trojan Scanner alerts reflect attempts of Trojans on
the network to gather information about target
networks, or specific target hosts, by sending scans
which will elicit responses that reveal information
about the host. The originating Trojan source of the
scan is generally attempting to acquire information
that will reveal whether a target host or network has
open and available services for further exploitation,
whether the target host or network is alive, and how
much of the target network is visible. A Trojan may
run a scan before attempting an attack operation to
test potential effectiveness or targeting information.
RPT2003-07-15.rpt
As needed
Network Events:
Suspicious Behavior Unusual Traffic
Unusual Traffic alerts reflect suspicious behavior on
network devices where the traffic may have no
known exploit, but is unusual and could be potential
enumerations, probes, fingerprints, attempts to
confuse devices, or other abnormal traffic. Unusual
Traffic may have no impending response, however,
it could reflect a suspicious host that should be
monitored closely.
RPT2003-07-16.rpt
As needed
Rule Subscriptions by
User
The Rule Subscriptions report tracks those events
that the user has subscribed to monitor.
RPT2006-28-01.rpt
Daily
TriGeo Actions
The TriGeo Action Report lists all commands or
actions initiated by TriGeo Network Security.
RPT2003-18.rpt
As needed
606
Table of TriGeo reports

TriGeo reports are diagnostic tools used by TriGeo Customer Support. You will normally only run these reports at TriGeo's request. For your convenience, the reports are listed alphabetically by title (Title, Description, File name, Schedule).

Agent Connection Status
  Description: This report is a diagnostic tool used by Customer Support, and generally run only at their request. This report tracks internal agent online and offline alerts.
  File name: RPT2009-33-1.rpt
  Schedule: As requested

Agent Connection Status by Agent
  Description: This report is a diagnostic tool used by Customer Support, and generally run only at their request. This report tracks internal agent online and offline alerts grouped by agent.
  File name: RPT2009-33-2.rpt
  Schedule: As requested

Agent Connection Summary
  Description: This report is a diagnostic tool used by Customer Support, and generally run only at their request. This report shows high level summary information for when agents go online and offline.
  File name: RPT2009-33.rpt
  Schedule: As requested

Audit - Internal Audit Report
  Description: Audit - Internal Audit Report
  File name: RPT2006-31-01.rpt
  Schedule: As requested

Audit - Internal Audit Report by User
  Description: Internal Audit Report grouped by User
  File name: RPT2006-31-02.rpt
  Schedule: As requested

Agent Maintenance Report
  Description: This report is a diagnostic tool used by Customer Support, and generally run only at their request. This report displays internal alert data for possible misconfigured agents.
  File name: RPT2007-32.rpt
  Schedule: As requested

Database Maintenance Report
  Description: This report is a diagnostic tool used by Customer Support, and generally run only at their request.
  File name: RPT2006-26.rpt
  Schedule: As requested

Database Maintenance Report - MSSQL
  Description: This report is a diagnostic tool used by Customer Support, and generally run only at their request. This report should only be run against a SQL database warehouse.
  File name: RPT2006-26-1.rpt
  Schedule: As requested

List of Rules for Rule Subscriptions
  Description: This report lists available rules for the Rule Subscriptions.
  File name: RPT2006-29-02.rpt
  Schedule: As needed

List of Subscription Rules by User
  Description: This report lists the rules that users have subscribed to.
  File name: RPT2006-29-03.rpt
  Schedule: As needed

List of Users
  Description: This report lists each user entered. Currently, the users are only used for Rule Subscriptions.
  File name: RPT2006-29-01.rpt
  Schedule: As needed

Tool Maintenance by Alias
  Description: This report is a diagnostic tool used by Customer Support, and generally run only at their request. List of New Tool Data alerts based on Tool Alias.
  File name: RPT2003-14.rpt
  Schedule: As needed

Tool Maintenance by Insertion Point
  Description: This report is a diagnostic tool used by Customer Support, and generally run only at their request. List of New Tool Data alerts based on Agent InsertionIP.
  File name: RPT2003-15.rpt
  Schedule: As needed

Tool Maintenance by Provider
  Description: This report is a diagnostic tool used by Customer Support, and generally run only at their request. List of New Tool Data alerts based on ProviderSID.
  File name: RPT2003-13.rpt
  Schedule: As needed

Tool Maintenance Detail Report
  Description: This report is a diagnostic tool used by Customer Support, and generally run only at their request. The report displays a summary of all TriGeo error messages received from various tools.
  File name: RPT2003-14.rpt
  Schedule: As requested

Tool Maintenance Report
  Description: This report is a diagnostic tool used by Customer Support, and generally run only at their request. The report displays a summary of unique TriGeo error messages received from various tools.
  File name: RPT2003-13.rpt
  Schedule: As requested
Report schedule definitions

The following table describes each recommended report schedule.

Daily
  Run and review this report once each day.

Weekly
  Run and review this report once each week.

As needed
  TriGeo suggests that you run these reports only when needed for specific auditing purposes, or when you need the details surrounding a Priority event or a suspicious event.

As requested
  These reports are diagnostic tools and should only be run at the request of TriGeo's technical support personnel.
Index
A
actor
340
applying filters to
72
copying alert messages
76
exploring alerts
78
74
actors
368, 370
highlighting alerts
Agents
405, 415
Pause/Resume buttons
91
387, 411
pausing alerts
73
77
adding to Managers
configuring network tools
411
read messages
defined
340
removing alerts
79
deleting
414
responding to alerts
83
editng Tool Profiles with
358
resuming alerts
73
Remote Update settings
413
sorting
73
412
unread messages
77
responding to events
Agents tab (status bar)
Agents view
Agents grid
Alert Groups
23
alert messages
405, 415
408, 411, 415
210, 221-222
72, 79
copying
76
copying grid data
416
exploring
78
features
406
pausing
91
410
read
77
removing
79
unread
77
Refine Results form
alert
Alert Description pane
9, 63
70
alert properties
80
82
alert severity
82
70
alerts
Alert Details
alert severity
Alert Details pane
alert distribution policy
alert descriptions
Alert Distribution Policy window
397, 404
Asset Alerts
494-495, 497
401
Audit Alerts
494, 498, 512
397, 404
highlighting
74
402
Incident Alerts
494, 513
defined
397
Internal Alerts
494, 514, 518
exporting Manager policy
404
Security Alerts
494, 519, 555
locked policies
398
types of
configuring
493
alias
opening
398
pushing policy downward
403
defined
340
window features
400
examples
340
alert fields
alert grid
alert severity
557
AND conditions
119
69, 72, 79
AND operators
129
anti-virus tools
359
82
611
Index: C – E
appliances
404
node tree
400
configuration settings
383
Configure Appliance form
383
removing
396
Configure Users form
335
Appliances tab (status bar)
Appliances view
22
adding users
404
configuring tools
330
349-350
about
373
general procedure
appliance status
376
nDepth options
Appliances grid
376
Console. See TriGeo SIM Console
copying grid data
396
content filter tools
363
features
374
copying grid data
396, 416
Properties pane
384, 393
Correlations box
294, 296, 302
Database tab
392
License tab
387
Login tab
385
opening
384
Settings tab
389
appliances. See Managers.
373
application switch tools
359
Apply button
295
Asset Alerts
495, 497
Audit Alerts
498, 512
Custom Reports tab
dashboard widgets. See widgets.
CMC commands
about
appliance menu
17
439
52, 59
Data Warehouse command
424
database servers
373
database tools
359
database warehouse
395
assigning
disabling
C
CISP
348
D
database warehouses
Cancel command
349-350
395
395
427, 430
Details pane
21
Managers
433
Directory Service Groups
561, 568
561
564-565
CMC menus
561
logging into CMC
562
manager menu
566
ndepth menu
568
service menu
569
COBIT
433
CoCo
433
33
resizing
32
sorting
34
400
check boxes
400
locked policies
398
226
assigning to Managers
228
defined
225
grid columns
229
Email Templates
230
configuring
230
creating messages
232
folders
254
message parameters
231
template folders
Event explorer
about
612
210, 230, 232
about
moving between folders
Configure Alert Distribution Policy window
Alert/Field column
adding to TriGeo SIM
E
columns
rearranging
377-378
210, 225, 229
259
232, 256
156, 160, 173
160
Index: F – F
Alert Details pane
deleting conditions
126
about
172
features
110
closing
172
filter status
exploring from
173
Filter Status bar
111
opening
172
Group button
118
viewing alert details
172
groups of conditions
156
list pane
111, 113, 116
notifications
111, 137, 140
operators
118, 127, 130
description
event grid
172-173
169, 171
133, 136
123
exploring from
171
Order column
169
AND/OR
129-130
responding from
171
selecting
127
structure
169
selection tips
127
viewing events from
170
table of
128
event map legend
168
OR conditions
119
event maps
165
Redo command
111
about
165
targeting
legend
168
tutorial
reading
165
Undo command
125
141, 154
111
features
162
filter groups
64
opening
161
Filter Notifications pane
26
Exit command
420
Filtering Alerts
Explore menu
69
Explorer view
155, 207
Event explorer
features
filters
alert severity
156, 160, 173
158
109
9, 63
82
conditions table
131-132
configuring
120, 132
Flow Explorer
156, 180, 188
adding conditions
121
History pane
182, 189, 191
groups of conditions
123
nDepth Browser
157, 204, 207
targeting
125
nDepth Explorer
157, 193, 203
tutorial
141, 154
NSLookup explorer
156, 175
configuring. See "Filter Creation"
Traceroute explorer
156, 176
copying
94
Whois explorer
156, 177
creating
87
420
defined
63
deleting
97
editing
89
exporting
96
Export Report command
F
Favorite Reports tab
440
FERPA
433
file transfer tools
360
Filter Creation
filter groups
109, 154
about
109
AND conditions
119
Conditions box
111, 117, 119
conditions table
131-132
9, 98, 101
adding
98
deleting
101
moving filters between groups
100
rearranging
99
renaming
98
importing
613
127
95
Index: G – G
managing
64
moving Group folders
258
pausing
91
moving Groups to folders
259
pausing/resuming
91
moving rule folders
286
showing in Alert Panel
93
moving rules to folders
287
standard filters
65
NATO5 Rules folder
282
turning on/off
93
NATO5 Templates folder
254
renaming folders
257
renaming rule folders
285
showing Group folder contents
255
284
Filters pane
filter groups
64, 67, 69
98, 101
adding
98
deleting
101
showing rule folder contents
moving filters between groups
100
State Variables folders
rearranging
99
sub-folders
renaming
98
TriGeo Rules folder
managing filters
64
standard filters
65
Filters pane. See Widget Manager.
360
FISMA
433
Flow Explorer
about
grids
Agents grid
alert grid
180
183, 185
Analysis Results graph
186
Analysis Results grid
187
description
156
exploring results
188
features
181
history
182
opening
180
possible configurations
185
responding to results
188
Folders pane
GLBA
156, 180, 188
Analysis Configuration
254
adding Group folders
257
adding rule folders
285
Custom Rules folder
282
Custom State Variables folder
254
default Group folders
254
default rule folders
282
deleting Group folders
260
deleting rule folders
287
Email Template folders
232
Email Templates
232
Email Templates folder
254
434
31, 35
408, 411, 415
69, 72, 79
applying filters to
72
copying alert messages
76
exploring alerts
78
highlighting alerts
74
pausing filters
91
removing alerts
79
responding to alerts
83
sorting
73
Appliances grid
254, 260, 282, 287
about Group folders
282
G
41
firewall tools
237
255, 283
375-376
moving within
31
rearranging columns
33
resizing columns
Rules grid
32
264
selecting cells
31
selecting rows
31
sorting columns
34
ToolTips
Groups
Alert Groups
30
209, 237
210, 221-222
configuring
614
Alert Groups
221-222
Directory Service Groups
225, 229
Email Templates
230, 232
State Variables
233, 237
Index: H – I
Time Of Day Sets
Tool Profiles
User-Defined Groups
default Group folders
defined
Directory Service Groups
238-239
State Variables
241
249, 253
254
12, 209
210, 225, 229
210, 233, 237
adding fields
233
configuring
233
defined
233
deleting fields
236
editing fields
235
folders
254
adding to TriGeo SIM
226
assigning to Managers
228
defined
225
configuring
238
grid columns
229
defined
238
Email Templates
Time Of Day Sets
210, 230, 232
Tool Profiles
210, 238-239
211, 241, 338
about
230
adding tools
246
configuring
230
adding/removing Agents
243
creating messages
232
creating
242
folders
254
defined
241
message parameters
231
deleting tools
template folders
232
editing tools
220
editing via Agent
358
opening tool configuration
245
rules of
241
exporting
Folders pane
254, 260
248
245, 247
adding folders
257
default Email Template folders
254
default Group folders
254
default State Variables folders
254
adding data elements
252
deleting folders
260
configuring
251
Email Tempalte folders
232
defined
249
moving folders
258
deleting data elements
253
moving Groups to folders
259
editing data elements
253
renaming folders
257
showing folder contents
255
State Variables folders
237
sub-folders
255
Group types
template
User-Defined Groups
H
highlighting alerts
HIPAA
210
History pane
Groups grid
adding Groups
216
cloning Groups
218
columns
214
deleting Groups
220
editing Groups
217
refining
215
242
211, 249, 253
Groups view
74
434
158, 182, 189, 191
clearing history
190
Flow Explorer items
182
hiding
190
nDepth Explorer items
198
opening
190
viewing explorer history
190
about
209
I
features
212
Incident Alerts
513
219
Industry Reports tab
439
importing
615
Index: L – N
Internal Alerts
514, 518
Monitor view
63
ISO 17799
434
about
63
ISO 27001
434
Alert Description
70
ISO 27002
434
Alert Details
70
features
filter groups
L
Lines Displayed
87
log file directory
365
log file path
365
logging servers
373
logging sources
341
adding
98
deleting
101
moving filters between group
100
rearranging
renaming
Filter Notifications pane
deleting notices
M
Popup Notification form
Managers
404
68
98, 101
Filters pane
99
98
25-26
25
26
64, 67
adding Agents
387
copying filters
94
appliances
373
creating filters
87
Appliances grid
376
deleting filters
97
editing
89
exporting filters
96
configuring
configuring tools
380-381, 383
394
connecting to Console
380-381
database warehouses
395
importing filters
95
defined
341, 373
managing filters
64
Details pane
377-378
filter groups
98, 101
pausing filters
91
first time setup
379
standard filters
65
global automatic updates
390
turning filters on/off
93
logging in
382
Notifications pane
70
logging out
382
Remove All command
79
Properties
384, 393
Remove command
79
Database tab
392
Respond form
License tab
387
widgets
Login tab
385
creating
105
opening
384
editing
106
Settings tab
389
editing graphs
108
removing
396
refining filters with
107
status
376
refreshing
108
users. Also see "users"
325, 335
Mark All As Read command
77
Mark All As Unread command
77
Mark As Read command
77
Mark As Unread command
77
master widgets. See widgets.
44
viewing
Widgets pane
83
102, 108
104
70, 102
N
NCUA
nDepth Browser
description
616
434
157, 204, 207
157
Index: O – P
getting help
207
OR conditions
119
introduction to
204
OR operators
129
204
Organize Filters form
opening
nDepth Explorer
157, 193, 203
description
157
exploring results
202
exploring searching results
193, 198
features
196
history items
198
opening
194
opening nDepth Browser with
203
refining log file data
200
responding to results
202
searching with
200
nDepth options
348
NERC-CIP
433
network sensors
373
network services tools
362
nodes
371
Notifications pane
70
Notifications tab (status bar)
24
deleting notifications
25
opening
25
NSLookup explorer
175
description
156
using
93
1
panes
closing
28
nodes
29
opening
28
resizing
28
Pause button
69
Pause command
156, 174, 179
about
showing filters
package contents
23, 26, 71
contents of
93
P
29
notification system
hiding filters
434
PDF (reports)
470
policy rules
323
activating
275
cloning
277
configuring rules
323
default folders
282
deleting
281
disabling
276
editing
268
enabling
272
exporting
280
folders
174, 179
O
73
PCI
282, 287
adding folders
285
deleting folders
287
moving folders
286
Open Report command
420
moving rules to folders
287
operating system tools
363
renaming folders
285
showing folder contents
284
sub-folders
283
operators
about
118, 127, 130, 297
127
AND/OR
129-130
importing
278
selecting
127
subscribers
270
selection tips
127
test mode
273
table of
Ops Center
dashboard
features
Widget Manager
128
policy rules. See "rules"
39, 62
Popup Notification form
52, 59
Primary Data Source
425
Primary Data Source command
424
Print Report command
420
40
44, 47
261
26
Printer Setup command
420
report properties
442
products. See tools.
337
running on demand
454
Properties pane
Managers
proxy server tools
running reports
384, 393
363
R
Redo command
111, 295
Refine Results form
Agents view
410
Rules view
266
Refresh Report List command
420
Remote Updates
413
Remove All command
79
Remove command
79
reports
417, 491
about
417
deleting a task
473
exporting
491
favorites
adding to favorites
436
removing from favorites
437
searching for
435
grouping report lists
451, 453
hiding sub-topics
477
Historical Reports
438
industry options
433
industry reports
432
listing by favorites
443
locating by title
441
magnifying
481
opening
475
Preview pane
476
Primary Data Source
425
printer preferences
490
printing
489
reducing
481
report categories
report errors
report lists
445, 450
sorting
444
473
editing
472
schedules
609
scheduling
457, 471
adding scheduled tasks
459
advanced schedule options
463
assigning to Manager
468
assigning to warehouse
468
exporting to PDF
470
process overview
457
schedule settings
465
scheduling reports
461
selecting the report
458
Search tool
483
searching for text
483
Select Expert tool
485, 488
showing sub-topics
477
stopping report in progress
482
syslog servers
426
609
audit reports
573, 588
security reports
589, 606
TriGeo reports
607
about
417
configuring
424
database warehouses
439, 453
filtering
474
deleting task schedules
TriGeo Reports
456
448, 450
deleting scheduled tasks
TriGeo report tables
431, 438-439, 443
custom filters
454, 471
scheduled report tasks
418
Menu Button
420
opening
417
Quick Access Toolbar
421
Ribbon
423
viewing pages of
479
viewing report sections
476
Zoom feature
481
Respond form
drag and drop functionality
Respond menu
427, 430
features
83
85
69, 83
Resume button
69
OR correlations
119
Resume command
73
Redo command
295
router tools
364
rule status
Rule Creation
323
rule subscribers
271
rule window features
292
targeting
125
about
13, 261, 289
133, 136, 294
actions
308-309
about
308
test mode
274
294
Threshold button
297
Undo command
295
using caution
289
Actions box
Actions table
configuring
using constants and fields with
313, 323
309
308
rules
activating rules
274-275
activating
advanced thresholds
304, 307
274-275
adding new rules
299
adding fields
306
caution when configuring
289
configuring
305
cloning
277
defined
304
configuring
deleting
307
configuring rules
289
editing fields
306
configuring. See "Rule Creation"
127
Set Advanced Threshold form
304
defined
13, 261
119
deleting
281
295
disabling
276
editing
268
enabling
272
AND correlations
Apply button
configuring rules
correlation time
289, 292, 299, 309
294, 303
292, 309
event frequency
303
exporting
280
response window
303
importing
278
locked rules
268
correlations
adding correlations
300
subscribing
270
configuring correlations
301
targeting
301
Correlations box features
296
defined
294
Correlations table
test mode
Rules view
310, 312
273-274
13, 261, 323
description
262
264
Delete button
297
enabled status indicators
deleting correlations
126
features
disabling rules
276
Folders pane
editing rules
269
adding folders
285
enabling rules
272
default rule folders
282
features
290
deleting folders
287
Group button
297
moving folders
286
127, 130
moving rules to folders
287
AND/OR
129-130
renaming folders
285
selecting
127
showing folder contents
284
selection tips
127
sub-folders
283
table of
128
operators
locked rules
262
282, 287
268
Refine Results form
Rules grid
266
Notifications tab
264, 281
status bars
23
22, 27
activating rules
275
subscribing to policy rules
adding rules
299
Supported Operating Systems
cloning rules
277
supported products
339
deleting rules
281
switch tools
364
disabling rules
276
Syslog Server command
424
editing rules
268
syslog servers
426
enabling rules
272
system requirements
2-3
exporting rules
280
Agents
2
importing rules
278
hardware
3
opening rules for editing
268
operating systems
2
Rules grid columns
264
recommended hardware
3
subscribers
270
TriGeo SIM Console
test mode
273
test status indicators
System Tools
270
2
2
364
264
T
S
Sarbanes-Oxley
Save command
Schedule Report command
targeting
301
434
technical support
4
21
Time Of Day Sets
210, 238-239
420
Security Alerts
519, 555
Select Expert tool
485, 488
configuring
238
defined
238
Tool Configuration form
347, 358
restoring original report
488
first-time procedure
347
running query with
486
opening for a Manager
351
sensor
sensors
341
opening for an Agent
365, 367
Tool Profiles
351
211, 241, 338
sleep time
367
adding tools
246
SOX
434
adding/removing Agents
243
Standard Reports tab
439
creating
242
State Variables
210, 233, 237
defined
241
adding fields
233
deleting tools
configuring
233
editing tools
defined
233
editing via Agent
358
deleting fields
236
opening tool configuration
245
235
rules of
241
template
242
editing fields
folders
moving between folders
237, 254-255
259
tools
status
appliances
248
245, 247
376
status bar
actors
340
Agent tools
338
Agents
340
Agents tab
23
alias
340
Appliances tab
22
anti-virus tools
359
application switches
configuring
359
installing
192
347, 358, 394
nDepth Browser
204, 207
configuring actors
368, 370
nDepth Explorer
194, 203
configuring sensors
365, 367
options
348
database tools
359
TriGeo Reports. See "reports"
defined
341
TriGeo SIM
file transfer tools
360
TriGeo SIM Console
firewall tools
360
exiting
37
how TriGeo tools work
337
features
19
log file path
365
opening
17
logging sources
341
Manager
341
Manager tools
338
notification system
371
notification system tools
364
opening Tool Configuration form
341
starting
355
stopping
355
supported products
339
System Tools
364
tool configuration tables
Undo command
359
editing
356
reconfiguring
356
starting
355
stopping
355
Tool Profiles
338
tool version
367
VPN tools
364
web server tools
364
wrapper name
367
ToolTips
Traceroute explorer
408
audit report
592
252
configuring
251
defined
249
deleting data elements
253
editing data elements
adding users
Configure Users form
adding users
deleting users
deleting
330, 332
335
330
335
334
pager and email settings
deleting
334
V
VPN tools
30
364
156, 174, 179
176
W
description
156
web server tools
TriGeo nDepth
253
325, 335
email settings
about
using
211, 249, 253
adding data elements
users
353-354
357
111, 295
Agent status
User-Defined Groups
359, 364
deleting
337
USB-Defender
tool instances
adding
17
U
351-352
sensors
tool categories
TriGeo tools. See tools.
417
6, 373
174, 179
Whois explorer
192, 207
about
about
192
description
configuring network for use with
192
using
364
156, 174, 179
177
156
174, 179
Widget Builder
Widget Manager
48, 51
40, 44, 47
about
44
closing
44
Filters pane
41
opening
44
Widgets pane
41
widgets
buttons
dashboard widgets
39, 44, 62, 102, 108
52
52, 59
defined
42
deleting
59
editing graphs
57
editing in Widget Builder
56
legend
53
opening filters with
55
rearranging
58
refreshing
54
resizing
58
viewing data on
54
independence of
master widgets
adding to dashboard
as templates
42
44, 47
46
42
creating
44, 105
defined
42
deleting
editing from Monitor view
editing from Ops Center
47
106
45
editing graphs
108
refining filters with
107
refreshing
108
viewing filter widgets
Widget Builder
104
48, 51
predefined
60
storage of
43
toolbar
Widgets pane (Monitor view)
Widgets pane (Ops Center)
52
70, 102
41
wild cards (*)
146
wrapper name
367