Symantec™ Security Information Manager 4.7 User Guide

Article:DOC2489  |  Created: 2010-08-12  |  Updated: 2010-08-12


Table of Contents:
1. Overview
About Symantec Security Information Manager
Features of Symantec Security Information Manager
Workflow in the Symantec Security Information Manager
Information Manager Components
About security products and devices
About Event Collectors
About Information Manager Servers
About the Symantec Global Intelligence Network
About the Information Manager Web Service
About estimating system performance
2. Symantec Security Information Manager console
About the Symantec Security Information Manager Console
About the Dashboard view
About the Intelligence view
About the Incidents view
About the Events view
About the Tickets view
About the Assets view
About the Reports view
About the Rules view
About the System view
About the Statistics view
Features of the Symantec Security Information Manager console
About the incident and alert monitor
Event activity monitor
About the Notes feature
Creating and editing notes
Searching the notes
About user actions
Creating and modifying user actions
Opening the Information Manager console from the command line
Changing a password
3. Symantec Security Information Manager Web configuration interface
Web configuration interface
Accessing the Web configuration interface
About the Web configuration interface features
4. Managing the correlation environment
About the Correlation Manager
About the Correlation Manager Knowledge Base
About the default rules set
5. Defining rules strategy
About creating the right rule set for your business
About defining a rules strategy
About correlation rules
About rule conditions
About rule types
Event Criteria
About the Event Count, Span, and Table Size rule settings
About the Tracking Key and Conclusion Creation fields
About the Correlate By and Resource fields
Importing existing rules
Creating custom correlation rules
Creating a multicondition rule
Creating a correlation rule based on the X not followed by Y rule type
Creating a correlation rule based on the X not followed by X rule type
Creating a correlation rule for Y not preceded by X
Enabling and disabling rules
Working with the Lookup Tables window
Creating a user-defined Lookup Table
Importing Lookup Tables and records
6. Configuring the Console
About configuring Symantec Security Information Manager
Identifying critical systems
Adding a policy
Specifying networks
7. Managing roles and permissions
Creating and managing roles
About the administrator roles
About the default roles in the Information Manager Server
How to plan for role creation
Creating a role
Editing role properties
Deleting a role
Working with permissions
About permissions
Propagation of permissions
Modifying permissions from the Permissions dialog box
8. Managing users and user groups
Users and passwords
Customizing the password policy
Creating a new user
Creating a user group
Editing user properties
Changing a user's password
Specifying user business and contact information
Managing role assignments and properties
Managing user group assignments
Specifying notification information
Modifying user permissions
Modifying a user group
Deleting a user or a user group
Integrating an Active Directory with the Information Manager Server
Managing Active Directory configurations
9. Managing organizational units and computers
About organizational units
Managing organizational units
Creating a new organizational unit
Determining the length of the organizational unit name
Editing organizational unit properties
About modifying organizational unit permissions
Deleting an organizational unit
Managing computers within organizational units
Creating computers within organizational units
Editing computer properties
Distributing configurations to computers in an organizational unit
Moving a computer to a different organizational unit
Modifying computer permissions
Deleting a computer from an organizational unit
10. Introducing event collectors
About Symantec Event Collectors and Symantec Security Information Manager
Major components of collectors
About Universal Collectors
Downloading and installing the Universal Collectors
11. Installing event collectors
Before you install collectors
Requirements for point products and the collectors
Updating the hosts file
Installation and configuration tasks for collectors
Installing the Symantec Event Agent
Preinstallation requirements
Installing the Event Agent
Installing the Event Agent on Windows
Installing the Event Agent on Solaris
Installing the Event Agent on Linux
Uninstalling the Event Agent
Uninstalling the Event Agent on Windows
Uninstalling the Event Agent on Linux and Solaris
Event Agent Management with agentmgmt.bat utility
Verifying Symantec Event Agent installation
Verifying Symantec Event Agent operation
Installing the collector on a remote computer
Installing collectors on an Information Manager server
Verifying collector installation
Verifying collector configuration
12. Configuring point products and collectors
About configuring the point product to work with the collector
Creating and configuring sensors
Creating a new sensor configuration
Configuring the collector sensor to receive security events
Adding, renaming, deleting, and disabling sensors
Importing and exporting sensor properties
Globally updating sensor properties
Configuring collector raw event logging
About Custom Log Management
Fields affected by the date format
Sensor properties for the Syslog sensor
Sensor properties for the Syslog file sensor
Sensor properties for the log file sensor
Windows Event Log sensor
OPSEC LEA sensor
13. Configuring collectors for event filtering and aggregation
Configuring event filtering
Configuring event aggregation
14. Managing event archives
About events, conclusions, and incidents
Events view overview
About the event life cycle
About event archives
Multiple event archives
Creating new event archives
Specifying event archive settings
Creating a local copy of event archives on a network computer
Restoring event archives
Viewing event data in the archives
About the event archive viewer right pane
Manipulating the event data histogram
Setting a custom date and time range
Viewing event details
Modifying the format of the event details table
Searching within event query results
Filtering event data
Working with event queries
Using the Source View query and Target View query
Creating query groups
Querying across multiple archives
Creating custom queries
Editing queries
Managing the color scheme that is used in query results
About querying for IP addresses
Importing queries
Exporting queries
Publishing queries
Deleting queries
15. Forwarding events to the Information Manager Server
About forwarding events to an Information Manager Server
About registering a security directory
Registering collectors
Registering with a security domain
Forwarding events
Stopping event forwarding
16. Understanding event normalization
About event normalization
About normalization (.norm) files
17. Collector-based event filtering and aggregation
About collector-based event filtering and aggregation
About identifying common events for collector-based filtering or aggregation
About preparing to create collector-based rules
Accessing event data in the Information Manager console
Creating collector-based filtering and aggregation specifications
Examples of collector-based filtering and aggregation rules
Filtering events generated by specific internal networks
Filtering common firewall events
Filtering common Symantec AntiVirus events
Filtering or aggregating vulnerability assessment events
Filtering Windows Event Log events
18. Managing Incidents
About incident management
Incident identification
Example: Information Manager automates incident management during a Blaster worm attack
Threat containment, eradication, and recovery
Viewing incidents
About the incident list
Viewing and modifying the incident list
Creating and modifying incidents
Creating incidents manually
Modifying incidents
Merging incidents
Closing an incident
Reopening a closed incident
Printing incident details
Printing the incident, ticket, or asset list
Exporting the incident, ticket, or asset list
19. Working with filters in the Incidents view
Filtering incidents
Modifying a custom filter
Creating a custom filter
Deleting a custom filter
Searching within incident filtering results
20. Managing tickets
About Tickets
About creating tickets
Creating a ticket manually
Creating a ticket category
Viewing tickets
About the ticket details window
Viewing tickets associated with a specific incident
Setting ticket task dispositions
Changing the priority of a ticket
Adding a ticket note
Closing a ticket
Printing the ticket list
21. Working with filters in Tickets view
Filtering tickets
Modifying a custom ticket filter
Deleting a custom ticket filter
22. Managing reports
About Symantec Security Information Manager reporting
Components of Symantec Security Information Manager reporting
About Symantec Security Information Manager queries
About the query folders
About Symantec Security Information Manager reports
About the Reports folders
About the predefined System queries
What you can do with Symantec Security Information Manager queries
Using the query features
Using the report creation tools
Example: Creating a simple network health report
Identify the requirements
Divide the requirements into logical groups
Identify and customize the applicable queries in Information Manager
Prepare the report
Distribute the report
Working with reports
Creating custom reports
Creating a report group or folder
Editing tabular queries in reports
Publishing reports
Scheduling and distributing reports
Enabling email distribution of reports
Modifying report distribution
Viewing reports
Configuring a report for portrait or landscape mode
Printing and saving reports
Exporting reports
Importing reports
Performing a drill down on reports
23. Managing dashboards
About the dashboard
Viewing dashboards
Viewing queries in the dashboard
Performing a drill-down on dashboards
Refreshing the dashboard
Customizing the dashboard
