Critical System Protection

  • 1.  Queries in SCSP policies

    Posted Aug 31, 2010 09:57 AM
    Hi All,

    We have a setup in which the SCSP logs are forwarded to a Syslog server, from which the ArcSight agent correlates the logs and provides a report.

    Recently we found an event where a file was modified. We got the notification, but couldn't get the information on which user made that change.

    Is there a way we can set up a policy in SCSP which also displays the details of the user who modifies or deletes files?

    Regards,
    Sathyan.K


  • 2.  RE: Queries in SCSP policies

    Posted Sep 02, 2010 02:58 PM

    Hi Sathyan

    Some starter questions: are you referring to the use of the IDS side of the product to monitor files? If so, currently no username is in the event. There have been major improvements to the filewatch engine in Windows coming in the upcoming release of CSP 5.2.6 (and Unix in near-future post releases), which include userid, alternate data streams, local ACL changes, real-time change monitoring, etc. Look on the Symantec CSP site for the announcement of that release.

    If you are controlling the file by using IPS, then the username field is available, as the IPS driver provides this information. If ArcSight is not picking this up, then ArcSight must adjust its query.

    #1 I find it odd that you are using ArcSight to correlate SCSP logs that are then sent to a syslog server when ArcSight fully supports SCSP. The ideal solution is to have the ArcSight agent on your database for SCSP (SCSPDB) and have it run queries (safe) for all data received, /then/ correlate up to the ArcSight manager(s).