Symantec™ Security Information Manager 4.7.2 Administrator Guide

Article:DOC2480  |  Created: 2010-08-12  |  Updated: 2011-02-02  |  Article URL http://www.symantec.com/docs/DOC2480
Article Type
Documentation


Description

Table of Contents:
1. Overview
About Symantec Security Information Manager
Features of Symantec Security Information Manager
Minimum requirements for the Symantec Security Information Manager Server
Minimum requirements for installing the client for the Information Manager Server
Minimum requirements for accessing the Web configuration interface
Recommended Hardware
About estimating system performance
2. Understanding the Information Manager components
Workflow in the Symantec Security Information Manager
Information Manager Components
About security products and devices
About Event Collectors
About the Symantec Global Intelligence Network
About the Information Manager Web Service
3. Managing roles and permissions
Creating and managing roles
About the administrator roles
How to plan for role creation
Creating a role
Editing role properties
Deleting a role
Working with permissions
About permissions
Propagation of permissions
Modifying permissions from the Permissions dialog box
4. Managing users and user groups
Users and passwords
Customizing the password policy
Creating a new user
Creating a user group
Editing user properties
Changing a user's password
Specifying user business and contact information
Managing role assignments and properties
Managing user group assignments
Specifying notification information
Modifying user permissions
Modifying a user group
Deleting a user or a user group
5. Managing organizational units and computers
About organizational units
Managing organizational units
Creating a new organizational unit
Determining the length of the organizational unit name
Editing organizational unit properties
Deleting an organizational unit
Managing computers within organizational units
Creating computers within organizational units
Editing computer properties
Distributing configurations to computers in an organizational unit
Moving a computer to a different organizational unit
Modifying computer permissions
Deleting a computer from an organizational unit
Using the Visualizer
6. Configuring a service provider
Service Provider overview
Understanding a service provider environment from a client perspective
Understanding a service provider environment from a service provider perspective
Customizations to the Incidents view in a Service Provider Master console
Responding to a client incident
Understanding Information Manager tickets in a Service Provider Master context
Exporting incident information from the Client Incident viewer
Setting up a Service Provider environment
Configuring an instance of Information Manager as a Service Provider client
Configuring an Information Manager Server as a Service Provider Master
Configuring service provider Client management accounts
Synchronizing the Service Provider Master with client incidents
Disconnecting a client from a Service Provider Master
7. Managing the correlation environment
About the Correlation Manager
About the Correlation Manager Knowledge Base
About the default rules set
8. Defining rules strategy
About creating the right rule set for your business
About defining a rules strategy
About correlation rules
About rule conditions
About rule types
Event Criteria
About the Event Count, Span, and Table Size rule settings
About the Tracking Key and Conclusion Creation fields
About the Correlate By and Resource fields
Importing existing rules
Creating custom correlation rules
Creating a multicondition rule
Creating a correlation rule based on the X not followed by Y rule type
Creating a correlation rule based on the X not followed by X rule type
Creating a correlation rule based on the Y not preceded by X rule type
Enabling and disabling rules
Working with the Lookup Tables window
Creating a user-defined Lookup Table
Importing Lookup Tables and records
9. Introducing event collectors
About Symantec Event Collectors and Symantec Security Information Manager
Major components of collectors
10. Installing event collectors
Before you install collectors
Requirements for point products and the collectors
Updating the hosts file
Installation and configuration tasks for collectors
Registering collectors
Installing the Symantec Event Agent
Preinstallation requirements
Installing the Event Agent
Installing the Event Agent on Windows
Installing the Event Agent on Solaris
Installing the Event Agent on Linux
Uninstalling the Event Agent
Uninstalling the Event Agent on Windows
Uninstalling the Event Agent on Linux and Solaris
Event Agent Management with agentmgmt.bat utility
Verifying Symantec Event Agent installation
Verifying Symantec Event Agent operation
Installing the collector on a remote computer
Installing collectors on an Information Manager server
Verifying collector installation
Verifying collector configuration
About Universal Collectors
Downloading and installing the Universal Collectors
11. Configuring point products and collectors
About configuring the point product to work with the collector
Creating and configuring sensors
Creating a new sensor configuration
Configuring the collector sensor to receive security events
Adding, renaming, deleting, and disabling sensors
Importing and exporting sensor properties
Globally updating sensor properties
Configuring collector raw event logging
12. Configuring collectors for event filtering and aggregation
Configuring event filtering
Configuring event aggregation
13. Managing event archives
About events, conclusions, and incidents
Events view overview
About the event life cycle
About event archives
Multiple event archives
Creating new event archives
Restoring event archives
Specifying event archive settings
Creating a local copy of event archives on a network computer
Viewing event data in the archives
About the event archive viewer right pane
Manipulating the event data histogram
Setting a custom date and time range
Viewing event details
Modifying the format of the event details table
Searching within event query results
Filtering event data
Working with event queries
Using the Source View query and Target View query
Creating query groups
Creating custom queries
Querying across multiple archives
Managing the color scheme that is used in query results
Editing queries
Importing queries
Exporting queries
Publishing queries
About querying for IP addresses
Deleting queries
14. Forwarding events to an Information Manager Server
About forwarding events to an Information Manager Server
About registering a security directory
Registering the Information Manager with a security domain
Forwarding events
Stopping event forwarding
15. Understanding event normalization
About event normalization
About normalization (.norm) files
16. About Effects, Mechanisms, and Resources
About Effects, Mechanisms, and Resources (EMR)
About Effects values
About Mechanism values
About Resources values
EMR examples
17. Collector-based event filtering and aggregation
About collector-based event filtering and aggregation
About identifying common events for collector-based filtering or aggregation
About preparing to create collector-based rules
Accessing event data in the Information Manager console
Creating collector-based filtering and aggregation specifications
Examples of collector-based filtering and aggregation rules
Filtering events generated by specific internal networks
Filtering common firewall events
Filtering common Symantec AntiVirus events
Filtering or aggregating vulnerability assessment events
Filtering Windows Event Log events
18. Working with the Assets table
About the Assets table
How event correlation uses Assets table entries
About CIA values in the Assets table
Importing assets into the Assets table
Searching, filtering, and sorting assets
Visual identification of the IP addresses also on the IP Watchlist
About vulnerability information in the Assets table
About using a vulnerability scanner to populate Assets table
About locked and unlocked assets in the Assets table
Using the Assets table to help reduce false positives
About filtering events based on the operating system
About using CIA values to identify critical events
About using Severity to identify events related to critical assets
About using the Services tab
About associating policies with assets to reduce false positives or escalate events to incidents
19. Configuring the Console
About configuring Symantec Security Information Manager
Identifying critical systems
Adding a policy
Specifying networks
20. Configuring general settings in the Web configuration interface
About the Settings view
Editing the Hosts file
Changing the network settings
Changing date and time settings
Changing a Network Time Protocol Server
About the Password view
Changing the password for Linux accounts
About the GIN (configuration) view
About running LiveUpdate
Running LiveUpdate from the Information Manager Web configuration interface
Integrating an Active Directory with the Information Manager Server
Managing Active Directory configurations
Adding the CA Root certificate
Shutting down the Information Manager Server
Restarting the Information Manager Server
Using the multipath feature for storage options
21. Managing Global Intelligence Network content
About managing Global Intelligence Network content
Registering a Global Intelligence Network license
Viewing GIN content status
Receiving Global Intelligence Network content updates
22. Working with Symantec Security Information Manager Configurations
Introducing the Symantec Security Information Manager configurations
Manager configurations
Increasing the minimum free disk space requirement in high logging volume situations
About the Manager components configurations
Modifying administrative settings
Configuring LiveUpdate
Scheduling LiveUpdate requests
Manager connection configurations
Configuring Information Manager Directories
Agent Connection Configurations
Configuring Agent to Manager failover
Agent configurations
Setting up blacklisting for logon failures
23. Managing the LDAP directory
About the LDAP backup and restore
Backing up the LDAP security directory
Restoring the LDAP security directory
24. Maintaining the Symantec Security Information Manager database
About database maintenance
Checking database status
About the database health monitor service
Initiating a Backup
Restoring the database from a backup image
About purging event summary and incident data
Adjusting parameters for automated purges
Setting the safe and alarm levels for automated purges
A. Firewall Settings for the Information Manager
Firewall settings

