H3C SECCENTER A1000 USER GUIDE(V1.01)

User Guide



310 Liuhe Road,
Zhijiang Science Park,
Hangzhou 310053,
P.R.China
Contents

Introduction
Components in SecCenter A1000
SecCenter A1000 helps you
Icons in the Documentation
Getting Started
Starting SecCenter A1000
Navigating through SecCenter A1000
Help
Syslog Server
Dashboard
Manage Dashboard
How to Manage?
Creating New Dashboard
Event Viewer Filters
Select Entities to Filter
Devices/Hosts
Device Type
Protocol
Event ID
Event Category
Source IP
Destination IP
Destination Port
BII
Rule
Workbench
Monitoring
Forensic
Apply Filter
Drill Down
Quarantine Report
View Topology
Alerts
Alert Events
Topology of Triggered Archived Events
Alert Archive
Policies
Create Policy
Loading a Rule from the template
Creating a New Rule
Editing a Policy
Making a Copy of the Policy
Deleting a Policy
Creating a device based rule
Applying Filters to a Rule
Editing a Device based Rule
Making a Copy of the Device based rule
Deleting a Device based Rule
Configuring a Device based rule
Creating a Host based rule
Applying Host based Filters to a rule
Caller user
Editing a Host based rule
Making a Copy of the Host based rule
Deleting a Host based rule
Configuring a Host based rule
Creating a Mirapoint Device based rule
Applying Mirapoint Device based Filters to a Rule
Editing a Mirapoint Device Rule
Making a Copy of the Mirapoint Device Rule
Deleting a Mirapoint Device Rule
Configure a Rule
Alert Delivery
E-mail Notification
SNMP Trap
Rule Template
Creating Rule Templates
Editing a Template
Deleting a Rule Template
Set Threat Levels
Change threat levels
Profiles
Creating a New Profile
SCA Syslog as Source Input
File as Source Input
Selecting Groups Devices and Hosts
DNS Lookup
Filter Templates
Scheduler
Report Type
Query By
Report Style
Customizing Reports
Save Report
Edit Profile
Copy Profile
Delete Profile
Forensics
New Search
Archived Search Data
Log Files from Selected Devices
Date & Time Range
Scheduling Forensics Search
New Search (Device-based)
Search Filters
Host Based New Search
Defining Forensics Search on Mirapoint Device
Forensics Options
Edit Search
Copy Search
Delete Search
Managing Devices/Hosts and Groups
The Groups Screen
The Devices Screen
Adding a Device
Configuring the Intrushield devices
Adding a Virtual Device or Interface
Deleting a Device
Configure Devices
Policies
Collection Policy
The Hosts Screen
Add Host
Licensing Criteria
Edit Host
Delete Host
Host Authentication
Configure Hosts
Policy Manager
Collection Policy
Test WMI
Options
General Settings
Admin Alerts
Protocol Setting
E-mail Settings
Monitoring
Advanced Settings
App Status
Syslog Statistics
Monitoring Statistics
Tracking Logs
Scheduler
System Info
Users
Users
Create a New User
Option to customize the Report and Monitoring view
Editing a User
Add Active Directory User
Import Active Directory Users
Importing Active Directory Server User Accounts
User Sessions
Groups
Policies
Licenses
Licensing Devices Identified by SecCenter A1000 Syslog Server
Licensing an Unconfigured Device
The License Manager Screen
Licenses
Licensed Devices
Options
Security Center
Security Center - Reporting
Calendar Frame
Table of Contents Frame
Global show/hide Graphs
Report
Drill down
How to drill-down?
Report Frame
Exporting a Report
Utility Options
Pane Options
Manage Views
Export Report Filters
Filters
Report Options
Quarantine Reports
Security Center - Monitoring
Views
Creating a Custom View
Monitors
The Add Monitor Wizard
Adding a Device Based Monitor
Adding a Mirapoint Device Based Monitor
Selecting Mirapoint Device Based Entities
Host Based Entities
Event Viewer Filters
Devices/Hosts
Device Type
Protocol
Event ID
Event Category
Source IP
Destination IP
Destination Port
BII
Rule
Drill-down Reporting
Topology
Component Selection Controls
Action
Update Event Count
Mouse Right-click and Left-click options
Topology Options
General
SNMP Communities
TCP Ports
Customizing Topology Server
Adapters
Gateways
Appendix
Backing up SecCenter A1000
Backing Up Data from a SecCenter A1000 Server
Backing Up Data from a SecCenter A1000 Syslog Server

Introduction

This chapter provides a description of SecCenter A1000 and its components.


What is SecCenter A1000?

SecCenter A1000 provides a platform for managing security information and events. This requires collecting log files from devices, normalizing the data across disparate device types, aggregating it into a database and correlating it for monitoring, alerting, reporting and forensic tasks. SecCenter A1000 automates all of these tasks so that IT and security administrators can spend their time analyzing the network's security posture rather than on the tedious manual work of managing log files.

Components in SecCenter A1000

SecCenter A1000 consists of two main components:

-    SecCenter A1000 Server
-    Syslog Server

SecCenter A1000 Server: All the network devices to be analyzed are added and licensed, and profiles and alerts are configured, on the SecCenter A1000 server, so that when the syslog server collects event logs from a live environment the server can report on them. These reports help security administrators take proactive action to safeguard the network.

Syslog Server: Collects event logs automatically from all the configured network devices, compresses them into delta files and sends them to the SecCenter A1000 Server for report generation.

SecCenter A1000 helps you

-    Meet HIPAA, GLBA, Sarbanes-Oxley, PCI and FISMA regulatory compliance requirements.
-    Monitor and visualize hacker and virus attacks and their behavior patterns.
-    Minimize or eliminate false positives with correlated alerting.
-    Identify intrusions, viruses and security breaches, including blended attacks.
-    Identify attack type, source, destination, port, protocol, severity, rule and so on in real time.
-    Obtain details on virus activity such as virus source, type, details and impact.
-    Trace an attack through the forensics module to investigate a hacker's behavior and attack path.
-    Understand protocol usage by device, user and department.
-    Understand blocked website access and allowed/denied traffic.
-    Gauge bandwidth utilization by department, client and protocol.
-    Identify inappropriate Internet usage by employees.
-    Obtain details on spam and spyware activity.
-    Provide role-based access to the reporting and monitoring portal, which is particularly useful for MSSPs.

Icons in the Documentation

Three icons are used to call your attention to additional helpful information.

Important!: Points out important information regarding data or system security.

Note: Information that should be considered.

Tip: Information that may help in performing a procedure or in solving a problem.

Getting Started

This chapter provides instructions on how to start, configure default options, and create profiles using SecCenter A1000.

Starting SecCenter A1000

This section explains how to start SecCenter A1000 (registered or trial version).

Open the SecCenter A1000 Web UI by typing its URL in the address bar of the browser: http://192.168.0.1:9216

Note: 192.168.0.1 is the factory-default address of the SCA1000, assigned to the FE interface. To access the SCA1000 through another interface, use the IP address of that interface.

Note: The default URL uses plain HTTP, so the login credentials and session traffic are not encrypted on the wire. Reach the Web UI only from a trusted management network and do not expose port 9216 to untrusted segments.

On the login screen, provide the default user credentials created during the SecCenter A1000 installation.

If you are running a trial version, purchase a license before the trial expires so that Security Information and Event analysis for your network is not interrupted.

Navigating through SecCenter A1000

By default, SecCenter A1000 opens the Event Viewer console. From this screen you can navigate to every feature of SecCenter A1000. The following figure highlights the main features of the product.

1.    Dashboard: View security event data from hundreds of heterogeneous, multi-vendor network devices.

2.    Alerts: The template-driven Alert Manager lets you create and define any number of alerts.

3.    Policies: Rule-based policies trigger alert notifications, set threat levels and group events under an Event Class to simplify monitoring and reporting.

4.    Forensics: Search hundreds of GB of log data for security audits.

5.    Security Center: Comprises the Reporting and Monitoring tabs.

     -    Reporting: Delivers custom and pre-defined security reports, including reports on anti-virus, spam, spyware and regulatory compliance.

     -    Monitoring: Provides a quick, consolidated real-time view of the security posture of the network.

6.    Topology: Shows a real-time security topology to visualize significant threats on the network.

7.    Device Manager: A central location to configure devices. Two further options, Hosts and Groups, provide the corresponding central places to manage hosts and groups.

Help

Extensive online help is available for all modules by clicking the Help icon in the top right-hand corner of each screen. If you have any questions about SecCenter A1000, our support team will be glad to assist you.

Syslog Server

The SecCenter A1000 syslog server removes the need to configure log export on each device by hand. Some devices can export log files in a readable format; others do not write log information to a readable file at all. In those cases SecCenter A1000 relies on the syslog server to capture the log stream: it detects devices that send to it and configures them automatically. The syslog server can be installed on any machine in the network.

One of the first things to do after installing SecCenter A1000 is to configure a syslog server. To keep a copy of all logs that devices stream to the syslog server, configure a backup syslog server.

The backup syslog server can be a SecCenter A1000 syslog server or any other syslog server. The SecCenter A1000 syslog server forwards every packet it receives from the configured devices to the backup. The relationship is one-way: a backup syslog server cannot forward data to the SecCenter A1000 syslog server, and any packets that arrive from it are dropped.

When you create a profile, you can choose to collect your log files from:

-    SCA Database
-    File

SCA Database: The SecCenter A1000 syslog server streams log data to the data collector service installed on the SecCenter A1000 machine, where it is parsed and stored in the database.

Regional-Central Architecture

Once the syslog server is installed on a machine local to the device's network, it updates the delta file to the database at regular intervals without any intervention from the administrator.

File: Use this option to report on static log files obtained from a manually added device (a device that is not configured to send data to the syslog server).

To make device log files available in a consistent format, the SecCenter A1000 syslog server collects log data from the device and writes it in a usable format to an IP address on the machine running SecCenter A1000. The default listener is UDP port 514. Log files collected by the syslog server are stored locally on the machine running SecCenter A1000; the log files the device itself writes remain on the device.

Important: Syslog over UDP carries no authentication or encryption, and the source address of a datagram is not verified, so restrict which addresses may reach port 514 (for example with a firewall rule in front of the collector) and keep the collector on a management network.

By default, the SecCenter A1000 syslog server starts when SecCenter A1000 starts and keeps running as long as the machine is up. The syslog service collects log data in real time, so up-to-date logs are available for reporting. If the syslog service is not running, any log data generated in the meantime is lost: UDP syslog has no acknowledgment, so the sending device never learns that a datagram was not received.
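The collection path this section describes, as an added example that is not part of SecCenter A1000 or this guide: a small Python model of a syslog collector that listens on UDP port 514, parses the RFC 3164 <PRI> prefix into the 0 to 7 severity scale used throughout the Dashboard, mirrors every datagram unchanged to a backup syslog server and discards anything the backup sends back. The Collector class, the host names, the addresses and the sample datagrams are constructed for the example.

```python
"""Model of the SecCenter A1000 syslog collection path (added example; the
Collector class, host names, addresses and sample datagrams are constructed)."""
import re
import socket
from typing import Optional

SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error", "Warning",
                  "Notice", "Information", "Debug"]          # syslog severity 0..7
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
DEFAULT_PRI = 13   # RFC 3164 section 4.3.3: treat a missing or invalid PRI as <13> (user.notice)


def parse_pri(line: str) -> dict:
    """Split a syslog line into facility, severity, severity name and the remaining message."""
    m = PRI_RE.match(line)
    pri = int(m.group(1)) if m else -1
    if m and 0 <= pri <= 191:           # 24 facilities * 8 severities
        body = m.group(2)
    else:
        pri, body = DEFAULT_PRI, line   # keep the raw line rather than guess at it
    facility, severity = divmod(pri, 8)
    return {"facility": facility, "severity": severity,
            "severity_name": SEVERITY_NAMES[severity], "message": body}


class Collector:
    """Receives datagrams, parses them, and mirrors them to an optional backup."""

    def __init__(self, backup: Optional[tuple] = None):
        self.backup = backup      # (host, port) of the backup syslog server, or None
        self.events = []          # parsed events in arrival order
        self.forwarded = []       # raw datagrams that were mirrored to the backup
        self.dropped = 0          # datagrams refused because they came from the backup

    def handle(self, data: bytes, source_ip: str) -> Optional[dict]:
        # The backup relationship is one-way: anything the backup sends is discarded.
        if self.backup and source_ip == self.backup[0]:
            self.dropped += 1
            return None
        if self.backup:
            self.forwarded.append(data)   # mirror verbatim, before any parsing
        ev = parse_pri(data.decode("utf-8", errors="replace"))
        # source_ip is whatever the UDP header claims; UDP syslog has no sender
        # authentication, so it is only as trustworthy as the network filtering in front of us.
        ev["source_ip"] = source_ip
        self.events.append(ev)
        return ev


def serve(collector: Collector, bind: str = "0.0.0.0", port: int = 514) -> None:
    """Blocking receive loop. Binding port 514 needs root or CAP_NET_BIND_SERVICE."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, (src, _) = sock.recvfrom(65535)
            if collector.handle(data, src) is not None and collector.backup:
                sock.sendto(data, collector.backup)


SAMPLE_DATAGRAMS = [  # constructed: (payload, claimed source address)
    (b"<34>Oct 11 22:14:15 fw-edge-1 %ASA-2-106001: Inbound TCP connection denied", "192.0.2.10"),
    (b"<190>Oct 11 22:14:16 proxy-1 squid: TCP_MISS/200 GET http://example.com/", "192.0.2.20"),
    (b"no PRI prefix on this line at all", "192.0.2.30"),
    (b"<34>looped back from the backup", "10.0.0.9"),
]


def run_sample(backup: Optional[tuple] = ("10.0.0.9", 514)) -> Collector:
    """Feed the constructed datagrams through a Collector without touching the network."""
    collector = Collector(backup)
    for data, src in SAMPLE_DATAGRAMS:
        collector.handle(data, src)
    return collector


if __name__ == "__main__":
    c = run_sample()
    for ev in c.events:
        print(ev["severity"], ev["severity_name"], ev["source_ip"], ev["message"][:48])
    print("forwarded:", len(c.forwarded), "dropped:", c.dropped)
```

Two design points follow directly from the section. A line with no or an invalid <PRI> is kept verbatim under the RFC 3164 default of user.notice (severity 5) rather than discarded, so nothing that reached the collector is silently lost; and datagrams whose claimed source is the backup server are counted and dropped, which is the one-way rule for the backup. Nothing in the loop can recover datagrams sent while the service was down, which is the data loss the section warns about.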

Dashboard

The Dashboard Manager delivers monitoring and reporting metrics so that authorized security personnel can monitor and understand the security posture of the network. SecCenter A1000 dashboards are easy to build and give a quick bird's-eye view of your network infrastructure for deeper analysis of security measures. By managing dashboards you can track metrics and gain insight into the underlying security status of network components. The Dashboard Manager provides a consistent and accurate way to monitor critical security areas.


Events are displayed with one of eight severity levels, numbered 0 (most severe) to 7:

0  Emergency: A significant problem, such as a loss of functionality or data; the user should pay immediate attention.
1  Alert: A security event fired when an alert message is received from the server; it is displayed to the user immediately.
2  Critical: A problem that is not immediately significant but may cause future complications.
3  Error: A significant problem the user should know about, such as a loss of functionality or data.
4  Warning: A problem the user should know about, such as an attempt to perform a task the user is not permitted to.
5  Notice: A normal but significant condition, such as a failed user login or a closed session.
6  Information: A significant action, such as a user logging on or off, or creating or renaming a mailbox.
7  Debug: Every action performed during an operation, listing each individual step within a process or task, to pinpoint problems.

Dashboard View

The default Dashboard screen comprises six panels giving you an overview of the activity in your network:

-    Events_Graph
-    Network Performance
-    Port Activity
-    Event Severities
-    Activity Per Protocol
-    Protocol Activity

Using the real-time Event Viewer, details of every request that results in an emergency are readily available: the request that triggered it, where it came from, which device was attacked and the port attacked. You can choose the lowest severity level that is monitored. This helps you quickly take corrective action to protect your network perimeter.

The Event Viewer console on a SecCenter A1000 Central displays recent events from all the SecCenter A1000 regional servers.

Each panel offers the following options for each monitor:

-    Snap: Takes a snapshot of the monitor for later analysis.
-    Zoom: Maximizes the view of the monitor.
-    Edit: Edits the settings of user-defined monitors only.
-    Table: Hover over the table icon to display the information of the selected monitor in tabular form.

Note: If a monitor has more than twelve graph attributes, its information cannot be shown in tabular form.

-    List of Monitors: Shows the list of default and user-defined monitors.

Note: You can change the monitor displayed in each frame by selecting one from the list.

Events Graph

You can view the rate at which events are generated at all the configured devices.

The Events Graph panel shows the Emergency, Alert, Critical, Error, Warning, Notice, Information and Debug events triggered by the configured devices and hosts in the last 10 minutes.

Note: The severity level of events is listed in the table as an integer from 0 to 7.

This graph gives event counts of all severities from all configured devices and lets you see at a glance which events could lead to complications.

Manage Dashboard

A dashboard is a user interface that organizes and presents complex information in an easy-to-understand way. SecCenter A1000 comes with an interactive, user-friendly Dashboard comprising viewing panels such as Real-Time Events, Event Graphs and Alert Graphs.

To change the dashboard view, create your own view with custom preferences from the Manage Dashboard wizard.

How to Manage?

On the dashboard main screen, the Dashboards drop-down lists all the dashboard views available to the user. To set a view as the default, select it from the drop-down list and click the set-as-default icon. To restore the default dashboard view, click the restore-dashboard-view icon.

From the dashboard main screen, click the list icon to the right of the Dashboards drop-down list to create a custom dashboard view.

The Manage Dashboard wizard opens. It highlights the six monitors currently set in the dashboard view. You can change how rows and columns are arranged in the view. See the image below.
 

Creating New Dashboard

1.    Click on the New button from the Manage Dashboard window. The Create Dashboard window opens.

2.    Select from the Item Count drop-down list, the number of monitors you want to view in the dashboard.

Note: Sum of Monitors and Reports selected must be equal to the Item count.

3.    You can change the way you want to arrange rows and columns to appear in the dashboard view. For example, if you want to see eight monitors in your view, you can either select 2 rows and 4 columns or 4 rows and 2 columns.

4.    Select the monitors you want to set in the dashboard view from the Monitoring TOC.

5.    Select the query(s) to generate a report on the selected monitor from the Reports pane.

6.    Click Next button. Create dashboard wizard displays a custom dashboard based on your selection.

7.    The selected queries and monitors are listed in the left pane. Double-click an entry, or drag and drop it into one of the available panes on the right-hand side. Use the Reset button to reset the position of the dashboard panels.

8.    Click Save. The dashboard view is saved and listed in the dashboards drop-down list.

By default, dashboard view opens in the Run Mode. To change the mode to Design Mode, click on the mode icon, change the size of the desired panels and then click on the mode icon to restore the run mode.

Event Viewer Filters

Event Viewer Filters help you filter the view of the Event Viewer console. You can select the entities to be displayed as columns in the events view. Click Filters in the Event Viewer screen to select the entities you want to filter on.

Select Entities to Filter

In the Event Viewer console, every event is color-coded by its severity level. Using the Event Viewer filter you can select specific severities under Select at least one severity. The available severities are Emergency, Alert, Critical, Error, Warning, Notice, Information and Debug; by default the first five are selected. You can also select any of the other entities to view them in the Event Viewer.

To select the entities you want to filter on, follow the steps described below:

1.    Select the entities you want to filter on from the list of available entity types:

-    User Name
-    Device Name
-    Device Type
-    Protocol
-    Event ID
-    Event Category
-    Date & Time
-    Group Name
-    Virtual Device
-    Source IP
-    Destination IP
-    Destination Port
-    Event Description
-    Virus Name
-    Virus ID
-    Attack ID
-    BII
-    Flow
-    Rule
-    Severity
-    Shun
-    From Attacker
-    Bytes Sent
-    Native Log
-    Bytes Recv
-    From Victim

2.    Use the move button to add the selected entities to the Selected Entities list.

3.    Click Next to provide additional details for the selected filters, or Finish to complete the process.

Devices/Hosts

1.    Select the licensed devices/hosts you want to create a filter for.

2.    Click Next or Finish to complete the process.

Device Type

If you have selected Device Type, follow the steps described below:

1.    All the configured device types whose logs are available on the SecCenter A1000 server are displayed in the list.

2.    Select the device types you want to filter on.

Note: If no device types are selected, events from all available device types are monitored.

3.    Click Next to go to the next screen or Finish to complete the process.


Protocol

If you have selected Protocol, follow the steps described below:

1.    Select the protocols you want to filter on.

2.    Use the move button to add the selected protocols to the Selected Protocols list.

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.

5.    Click Next to go to the next screen or Finish to complete the process.

Event ID

If you have selected Event ID, follow the steps described below:

1.    Enter the event ID you want to filter in the Event ID box and click Add. Repeat the procedure to add more event IDs.

2.     Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.

4.    Click Next to go to the next screen or Finish to complete the process.

Event Category

If you have selected Event Category, follow the steps described below:

1.    Enter the event category you want to monitor.

2.    Click Add to add the event category to the list.

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.

5.    Click Next to go to the next screen or Finish to complete the process.


Source IP

If you have selected Source IP, follow the steps described below:

1.    Select the Source IP option and enter the source IP address you want to filter. To specify a range of source IP addresses, select the Source IP Range option and enter the IP range.

2.    Add the source IP or the range by clicking the Add button.

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.

5.    Click Next to go to the next screen or Finish to complete the process.

Destination IP

If you have selected Destination IP, follow the steps described below:

1.    Select the Destination IP option and enter the destination IP address you want to filter on. To specify a range of destination IP addresses, select the Destination IP Range option and enter the IP range.

2.    Add the destination IP or the range by clicking the Add button.

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.

5.    Click Next to go to the next screen or Finish to complete the process.

Destination Port

If you have selected Destination Port, follow the steps described below:

1.    Enter the destination port number you want to filter in the Destination Port box.

2.    Click Add to add the port number to the list.

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.

5.    Click Next to go to the next screen or Finish to complete the process.

BII

By using the BII filter you can focus and prioritize on events that have the most business impact when there is a large number of EPS (Events per Second) from several devices.

1.    Enter the range for BII you want to associate with the filter in the following input areas.

v        Greater than

v        Less than

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.

4.    Click Next to go to the next screen or Finish to complete the process.

Rule

If you have selected Rule, follow the steps described below:

1.    Select the rules you want to associate with this filter.

2.    Click Add to apply the rules to the filter you created.

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.

5.    Click Next to go to the next screen or Finish to complete the process.
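The entity filters above (severity, device type, protocol, event ID, source and destination IP ranges, destination port, and the BII greater-than/less-than window), together with the Negate Filter option and the '*' wildcard that the Workbench sections later describe for the Content Category, Spam Source Mail, Spam Destination Mail and URL filters, as an added example that is not part of the product: a Python filter evaluator run over a handful of constructed events. The EventFilter class, the field names and the sample events are assumptions for this example; an empty selection means "no restriction", as the Device Type note states.

```python
"""Event Viewer style filter evaluation (added example; the EventFilter class,
field names and sample events are constructed, not taken from the product)."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from ipaddress import ip_address
from typing import Optional

SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error", "Warning",
                  "Notice", "Information", "Debug"]
DEFAULT_SEVERITIES = {0, 1, 2, 3, 4}      # the first five levels, selected by default
# Only these filters accept '*' in the forensic drill-down from the Workbench.
WILDCARD_FIELDS = {"Content Category", "Spam Source Mail", "Spam Destination Mail", "URL"}


def ip_range(spec: str):
    """'203.0.113.5' or '203.0.113.1-203.0.113.50' -> inclusive (low, high) pair."""
    lo, _, hi = spec.partition("-")
    low, high = ip_address(lo.strip()), ip_address((hi or lo).strip())
    if high.version != low.version or high < low:
        raise ValueError(f"bad range: {spec}")
    return low, high


def in_ranges(ip: str, ranges) -> bool:
    """An empty range list means no restriction; an unparsable address never matches."""
    if not ranges:
        return True
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(low.version == addr.version and low <= addr <= high
               for low, high in ranges)


@dataclass
class EventFilter:
    severities: set = field(default_factory=lambda: set(DEFAULT_SEVERITIES))
    device_types: set = field(default_factory=set)     # empty set: all device types
    protocols: set = field(default_factory=set)
    event_ids: set = field(default_factory=set)
    dest_ports: set = field(default_factory=set)
    source_ranges: list = field(default_factory=list)  # pairs from ip_range()
    dest_ranges: list = field(default_factory=list)
    bii_greater_than: Optional[int] = None
    bii_less_than: Optional[int] = None
    wildcards: dict = field(default_factory=dict)      # field name -> ['*pattern*', ...]
    negate: bool = False                               # the Negate Filter check box

    def _positive(self, ev: dict) -> bool:
        if ev.get("Severity") not in self.severities:
            return False
        for key, wanted in (("Device Type", self.device_types),
                            ("Protocol", self.protocols),
                            ("Event ID", self.event_ids),
                            ("Destination Port", self.dest_ports)):
            if wanted and ev.get(key) not in wanted:
                return False
        if not in_ranges(ev.get("Source IP", ""), self.source_ranges):
            return False
        if not in_ranges(ev.get("Destination IP", ""), self.dest_ranges):
            return False
        bii = ev.get("BII")
        if self.bii_greater_than is not None and (bii is None or bii <= self.bii_greater_than):
            return False
        if self.bii_less_than is not None and (bii is None or bii >= self.bii_less_than):
            return False
        for key, patterns in self.wildcards.items():
            if key not in WILDCARD_FIELDS:
                raise ValueError(f"'*' is not supported on the {key} filter")
            if not any(fnmatchcase(str(ev.get(key, "")), p) for p in patterns):
                return False
        return True

    def matches(self, ev: dict) -> bool:
        hit = self._positive(ev)
        return (not hit) if self.negate else hit


def apply_filter(events, flt: EventFilter) -> list:
    """Return the events the filter keeps, in their original order."""
    return [ev for ev in events if flt.matches(ev)]


SAMPLE_EVENTS = [  # constructed for this example
    {"Device Name": "fw-edge-1", "Device Type": "Firewall", "Protocol": "TCP",
     "Event ID": "106001", "Severity": 2, "Source IP": "198.51.100.23",
     "Destination IP": "10.0.0.5", "Destination Port": 22, "BII": 80, "URL": ""},
    {"Device Name": "proxy-1", "Device Type": "Proxy", "Protocol": "TCP",
     "Event ID": "3001", "Severity": 5, "Source IP": "10.0.1.7",
     "Destination IP": "203.0.113.9", "Destination Port": 80, "BII": 10,
     "URL": "http://updates.example.com/pkg"},
    {"Device Name": "proxy-1", "Device Type": "Proxy", "Protocol": "TCP",
     "Event ID": "3002", "Severity": 4, "Source IP": "10.0.1.7",
     "Destination IP": "203.0.113.55", "Destination Port": 443, "BII": 65,
     "URL": "https://login.example.net/account"},
    {"Device Name": "ids-1", "Device Type": "IDS", "Protocol": "UDP",
     "Event ID": "2003", "Severity": 1, "Source IP": "198.51.100.40",
     "Destination IP": "10.0.0.53", "Destination Port": 53, "BII": 95, "URL": ""},
]

if __name__ == "__main__":
    flt = EventFilter(source_ranges=[ip_range("198.51.100.1-198.51.100.50")],
                      bii_greater_than=60)
    for ev in apply_filter(SAMPLE_EVENTS, flt):
        print(SEVERITY_NAMES[ev["Severity"]], ev["Device Name"], ev["Event ID"], ev["BII"])
```

The default filter keeps only severities 0 to 4, so the Notice-level proxy event is hidden until Notice is added to the severity set; the BII window is exclusive on both ends, matching the Greater than / Less than inputs; and Negate inverts the whole expression, so a negated Device Type filter on Proxy returns the firewall and IDS events instead.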

 

Workbench

You can drill down and narrow your scope to extract further details of any event displayed on any monitor or report in SecCenter A1000. Right-click or double-click any event anywhere in the application, and the details associated with the selected event are displayed in the Workbench window.

Workbench: A platform where all the entities attributed to a single event, compiled in a report or the Event Viewer, are displayed along with their respective values.

Besides the Event Viewer, you can launch the Workbench from the following modules:

-    Monitoring
-    Reporting
-    Topology
-    Forensics
-    Alerts

The following options are available through the combo-box in the Workbench to obtain further details of the selected columns (entities):

-    Monitoring
-    Forensic
-    Apply Filter
-    Drill Down
-    Quarantine Report
-    View Topology

Notes:

-    The View Topology action is available only when the Workbench is launched from the Monitoring module or the Event Viewer.
-    The Drill Down option works only on device-based data.
-    A Quarantine Report can be generated only on host data, and only if the log files contain quarantine events.
-    The Drill Down option lets you drill down one level; the Forensic option lets you drill down two levels.

 

Editing Event Attribute Values

You can edit event attribute values from the Workbench. This saves going back to the events and sifting through reams of data to select the desired event value. To edit attribute values and perform the required action on them:

1.    Double-click the desired event to open the Workbench.

2.    Select the action to be performed from the Choose Action combo-box.

3.    Double-click the event attribute value you want to edit. Modify the value and press Enter to save it.

4.    Click Apply to execute the action with the edited value.

Note: You can perform the Drill Down and Forensic drill-down actions on an IP address range or port range by entering the range in the respective value column.

 

Monitoring

Select the action type Monitoring in the Workbench to view further details of the events associated with the selected column(s) (entities) bearing specific values.

1.    Select the column name(s) you want to view details for.

2.    Click Apply. Only the events associated with the chosen column(s) are displayed in a new window.

By selecting the Monitoring action from the Workbench you can drill further into the desired entities and obtain an events view of them. Right-clicking or double-clicking any event in that Events View opens the Workbench again, so you can keep drilling into events until you find the required details.


Event Cache for Devices and Hosts

For events generated by Cisco PIX/ASA, Cisco IOS/CatOS, FortiGate, NetScreen and Top Layer devices, or by Windows hosts, double-clicking the Event ID attribute opens an event cache URL page containing the error message description, an explanation and the recommended action to take if the event keeps recurring from the same source.

You can also open the event cache by choosing Start -> Programs -> SecCenter A1000 -> Event Cache Index.

Important: For Cisco IOS devices, to view the event details associated with the selected Event ID, manually create the eventcacheURL.ext file in the application path with the location of the Cisco Network Security Database documentation, in the format 29~<URL of Cisco Network Security Database documentation>.

Forensic

Select the action type Forensic in the Workbench to see the forensic report on the selected event attribute.

Select any event attribute from the Workbench column and click Apply. A window opens displaying the forensic report based on the applied filter expression (the event attribute), for example event code, protocol or event ID.

You can investigate event details with the Forensic option up to two levels. The forensic report generated from the Workbench is the same kind of report the main Forensics module produces.

The forensic report on the selected filter expression can be exported to a location of your choice in a customized view. Use the following options to customize the report view:

-    From-To: Specifies a range of records. By default only 25 records are displayed in the forensic drill-down report. To change this, edit the number of records in the forensicDrillCol.ext file in the installation path.

Note: The range cannot exceed 1000 records.

-    Export Report: Exports the forensic report to a specific location in HTML or text format. To customize the exported report, select the fields to include.

Information: Values in a report saved in text format are comma-separated.

Forensic drill-down from the Workbench is almost identical to the main Forensics Search module; in addition to the regular features it supports '*' as a wildcard. For example, you can edit an attribute value and insert a wildcard to find all events whose attribute values contain a common string.

This wildcard support is available for forensic search from the Workbench on the following filters:

-    Content Category
-    Spam Source Mail
-    Spam Destination Mail
-    URL


Apply Filter

Open the Workbench from any event displayed in the Reports; select the action type as Apply Filter. This feature provides the ability to drill-down into a report to obtain further details. This is extremely useful when you want to study the behavior of a specific user or find out what contributed to the data present in the reports.

You can select the event attributes from the workbench column, apply them as filters and generate a report on it. You can perform hierarchical investigation only up to one level. After accessing the workbench the second time from the consecutive report, you cannot delve and investigate any further. Further drill down on the report will overwrite the earlier report and will launch a new drill-down cycle.


Drill Down

From the Choose Action combo-box, select the Drill Down option to drill down further on the event attributes. This is extremely useful when you want to generate a quick report and find out what contributed to the numbers present in the reports.

Information: Since the drill-down is performed on the data present in the Forensic Summary files, it is faster than the forensic drill-down.

You can investigate the event details by using the Drill Down option only up to the first level. After you access the workbench the second time from the consecutive Drill Down report, you cannot investigate any further.

Note:

v    Filter attributes shown with a grey background cannot be selected to drill down further. For example, the Date & Time, Event Description and Native Log filter attributes cannot be selected in the Workbench screen.

v    Double-click on filter attributes shown in blue color to see the description in a dialog box.

v    To negate the filter in the reports, select the Negate Filter check box on the workbench.

Quarantine Report

If the event on the Workbench has associated quarantine data, you can generate a quarantine report on it. Follow the steps given below to generate a quarantine report from the workbench:

1.    Select the action type as Quarantine from the Workbench.

2.    Apply settings. A quarantine report on the selected event is generated in another window.

Notes:

v    You can investigate up to first level in the quarantine reports.

v    A report user can select only Quarantine Report and Apply Filter options from the Action drop-down list.

Use the Negate Filter Expression to exclude the events bearing specific values, and show the rest.

View Topology

Use the View Topology button to see the topology view of the selected device where the events are originating from. Double-click on any event shown within a monitor having at least one of the following columns:

v    Device/Host IP

v    Packet Source i.e. client-IP

v    Packet Destination i.e. server-IP

Click on the View Topology button. The topology window opens, displaying where the selected device/host sits graphically in the network and how it is connected to the other devices/hosts in the network.

Alerts

Without security measures and controls in place, your data might be subjected to an attack. Some attacks are passive, where the information is monitored, whereas others are active, where the information is altered with intent to corrupt or destroy the data or the network itself. The Alerts feature of SecCenter A1000 provides warning in advance, so that you can respond proactively.

The Alert Manager displays the list of all the Alerts configured to the Policies. The Alert Name corresponds to the name of the Policy for which it is configured. The alerts warn you whenever a specified event type or attack activity is detected or if the total number of attack attempts exceeds a specified value.

The Alert Manager

Important: A Console user who is given the Access Using Console privilege to monitor the alerts of a specific user will only see triggered alerts for that user.

The Alert Manager displays the following information pertaining to an Alert:

v    Alert Name: The Alert name corresponds to the Policy name. For example, if an Alert is configured on a policy called Policy1, the Alert name will also be Policy1.  

v    Alert Description: Alert description displays the description of the corresponding Policy.

v    Alert Notification: This displays the method of Alert notification chosen in the Policy. Alerts can be notified via e-mail or by SNMP trap; if neither is specified, "on screen" notification is displayed.

v    Unacknowledged Events: Once the Alert is triggered, the events that pass the Rules of the Policy are displayed. As and when SecCenter A1000 encounters such events, they are marked as Unacknowledged and counted here. You can acknowledge each event by clicking on the corresponding count field. With every event you acknowledge, the count decreases by one. Alternatively, you can acknowledge all events at once.

v    Last Triggered Time: This column displays the date and time when the Alert was last triggered.

v    Last Archive: This column shows the status of the Alert. If the Alert criterion has not been met, the message "Not yet triggered" is displayed. Once the Alert is triggered it is archived and the message shown is "Archive"; click on "Archive" to see the details of the archived Alert.

Alert Events

Once an Alert is triggered, the total count of events that meet the Policy settings is displayed in the Unacknowledged Events column of the main Alert window. The use and scope of Alert events are as follows:

1.    If the Alert is triggered, click on the count displayed in the Unacknowledged Events column to open the Alert Events window.

2.    The Alert Events window displays the Alert Name along with the associated list of Archived events in a timestamp format on the left pane.

3.    Select a triggered Archived Event to view its corresponding event details, such as device/host type, device/host ID, Interface, Priority, event code, event type and event category, on the right pane.

4.    Click on the Acknowledge button to take notice of a particular event. With every archived event you acknowledge, the event count reduces simultaneously on the main Alert window.

5.    If you don't foresee any threat associated with the triggered alert, you can acknowledge all the triggered events at once by clicking on the Acknowledge All button.

6.    Click the Clear button to remove the selected archived triggered event.

7.    To remove the entire list of archived triggered events at one go, click Clear All.

Note: You can access workbench from any event by double clicking on it.

Topology of Triggered Archived Events

The lower half of the right pane (Topology pane) depicts the graphical representation of the network topology of Devices and Hosts configured to SecCenter A1000.

Archived Alert Events Screen

Mark all events in Topology

Select an archived event from the archived timestamp events list on the left pane or from the event row on the right pane. Click on the Mark all events in Topology. The topology pane illustrates the flow of the chosen event—the source and the destination of the event.

Click on any node on the Topology pane to get further details on its Name, Type, Model and Location. The View Events option takes you to the Event Viewer (Monitoring Center) where the similar events are displayed. Right click on any node to enable the following actions for it:

v    Center

v    Add

v    Collapse

v    Expand all

v    Hide all details

v    Hide Unlicensed

v    Hide non-participating nodes

Alert Archive

Once an Alert is triggered, SecCenter A1000 archives the event that was triggered last, based on the timestamp of the event. If more than one event was triggered with the same timestamp, all of them are archived. The use and scope of the Alert Archive are as follows:

1.    If the Alert is triggered, click on Archive in the Last Archive column to open the Alert Archive window.

2.    The upper half of the Alert Archive window displays the last event(s) that occurred for the Alert, based on the timestamp of the event.

3.    The details of the last event on the triggered alert, such as device/host type, device/host ID, interface, priority, event code, event type, event category and so on, are displayed in the window.

4.    The bottom half of the window displays the Topology of the network along with all the configured nodes on SecCenter A1000.

5.    Click on the Mark all events in Topology. The topology pane illustrates the flow of the last event archived—the source and the destination of the event.

Click on any node on the Topology pane to get further details of Name, Type, Model and Location of the node. The View Events option takes you to the Event Viewer (Monitoring Center) where the similar events are displayed.

Right click on any node to enable the following actions for it:

v    Center

v    Add

v    Collapse

v    Expand all

v    Hide all details

v    Hide Unlicensed

v    Hide non-participating nodes

Alert Archive Screen

Note: You can access workbench from any event by double clicking on it.

Policies

In simple words a Policy is a systematic set of statements to govern the upcoming decisions and actions of the user.
In SecCenter A1000 a policy is a formal set of rules to define the course of action that the user needs to take under specific circumstances. A rule can dictate— which devices or hosts to consider, what event type to filter or negate, which entities with what values to add and so on. The user can associate a severity level to the Policy created. A policy is created on the customized device and/or host based rules or the existing rule templates. On implementation of a policy the user can choose to — trigger an alert notification, or simply classify the Policy under an Event class by associating it to a report query. A user can add, edit, copy or delete a Policy. 

The main menu bar of the Policy window contains the buttons to add a New Policy, Edit Policy, Copy Policy and Delete Policy. It also includes a button to create Rule Templates. The default Policy templates are also listed on the main Policy window.

As and when you create and save a Policy, its details are listed on the main screen of this window. The following information is displayed in the columns:

1.    Name of the Policy.

2.    The Description of the Policy as entered by the user while creating it.

3.    The type of Action to take on implementation of the Policy as prescribed by the user.

4.    The Event Class details.

5.    The Severity level associated with the Policy, as marked by the user while creating it.

6.    The Regular Expression, depicting the Rule(s) and how they are associated with the Policy through operators.

Create Policy

1.    Click New Policy from the Policies main window, the Create Policy window opens.

2.    Enter a Policy Name.

3.    Enter a short Description of the Policy for future reference.

4.    Associate a Severity level to the Policy. The severity level is reflected in the main Policy window, once you create and save the Policy. The options available are as follows:

v    Low

v    Medium

v    High

5.    Policies are dependent on rules. You can assign rules to a policy from two different sources:

v    Load Rule from the template.

v    Create New Rule (Based on Device(s)/Host(s)/Mirapoint Devices)

7.    Before creating a Policy, define the mode of action to take on its implementation. The types of Action a user can take are as follows:

v    Trigger Alert: Select this option to notify the successful execution of this Policy through e-mail or SNMP trap. Click on the Alert Delivery button to configure the e-mail options.

v    Event Class: An Event Class represents one type of events used by SecCenter A1000 for alerting and reporting purposes. You can classify the events based on specific network areas (DMZ, internal or external networks), operating systems, IDS or IPS systems, or any other specific host (for example- Internal hosts to SQL Server) by grouping them under one Event Class.
Here is how to set Event Class:

§      Select Event Class.

§      Enter a unique Event Class name.

§      Click the Configure button. The Configure window opens.
Select the Threat Level and choose a level from the built-in list. The available options are:

v    Emergency

v    Alert

v    Critical

v    Error

v    Warning

v    Notice

v    Info

v    Debug

§      Select the Update Database for Selected Categories option to save the matching events in the Database, then select the event categories that you want to send to the database.

§      Press Ctrl and select the category(s) that you want to send to the database under the created Event Class.

§      Click Save to save the Event Class, else Close the window.

Note:

v    Selection of Database correlation will increase database size because all the matched events are saved in the database.

v    By configuring the Event Class on a Policy you can generate Reports, both complete and selective, as defined in the Event Class settings.

v    An Alert action is based on the Rule expression, whereas the Event Class is independent of it.

You can combine/negate/select the Rule(s) and apply to a Policy by using the following operators:

v    Negation: Use this operator to negate or exclude a particular Rule and apply the rest to the Policy. The negated Rule appears prefixed with an exclamation symbol -"!" in the existing rules list.

v    And: Use the "And" operator to select and combine more than one Rule to apply in conjunction to the Policy.

§      Select a Rule from the existing rules list. For example - Select RULE 1.

§      Click the "And" operator.

§      Select the supplementary Rule from the existing rules list. For example-select RULE 2.

§      Click Finish.

§      The Operator settings appear in the Summary text box. In this case - (RULE1&&RULE2). Now both the rules are combined and will be executed in conjunction.

§      The "And" operator is denoted by an ampersand symbol (&&)

§      Click Clear to undo the Operator settings.

v    Or: Use the "Or" operator to select two Rules and apply one of them to the Policy.

§      Select a Rule from the existing rules list. For example - Select RULE 1.

§      Click the "Or" operator.

§      Select the complementary Rule from the existing rules list. For example-select RULE 2.

§      Click Finish.

§      The Operator settings appear in the Summary text box. In this case - (RULE1||RULE2). Now both the rules are combined and the one which meets the criteria first will be executed and the other stands void.

§      The "Or" operator is denoted by a pipe (vertical bar) symbol (||).

§      Click Clear to undo the Operator settings.

Press the Ctrl key and select more than one Rule at a time from the existing Rules list and click the operator you want to apply from the available operators except the negate filter, as the Negate operator works on one filter at a time.

By default the "Or" Operator is applied to the filter.

v    Set Precedence: Use Set Precedence to establish the order of importance in which the rules are executed. This sets the priority of the rules in descending order. Follow the steps given below to set precedence on the Rules:

§      Select the Rule that is of utmost importance to the Policy, say RULE1, and Set Precedence on it.

§      Subsequently, after RULE1, suppose you want to consider either RULE3 or RULE4. Apply an "Or" operator on RULE3 and RULE4, select RULE3|RULE4 from the existing rules and Set Precedence on that.

§      Next, let's assume you set Precedence on RULE2.

§      The Set Precedence feature establishes the order of importance in which these selected rules are executed. The order is summarized in the Precedence Order text box. In this case the Precedence Order will appear as:

§      RULE1, RULE3|RULE4, RULE2

§      The importance associated is in descending order:

§      RULE1  >  RULE3|RULE4  > RULE2

Note: You can set precedence on the Rules even after applying the operators.

13. Set an Alert Correlation Interval between Rules.

Note: When the Rule patterns or the data is complex, the Correlation Interval might timeout while executing these Rules.

14. Click the Finish button to end the Rules setting on your Policy.

15. The Summary box displays the Rules and the respective operators applied.

Note: The expressions on Rules which appear in the summary box can be as complex as you want them to be, in order to get down to the crux of the Rules for the Policy.

For Example:

RULE1: Based on Device Destination Port and IP range

(Destination Port= [306,] && Destination IP= [10.00.79.01-10.00.79.15,])

RULE2: Based on only Device Destination port

(Destination Port= [402,])

RULE3: Based on Device Source IP

(Source IP= [10.78.00.97,])

Now you can set an expression like the following, which negates RULE1, combines it with RULE2, and ORs the result with the negation of RULE3:

((! RULE1 && RULE2) || ! RULE3)

16. To undo the Rules settings click the Clear button. This will clear the Summary details and you can apply new settings.

17. Click Save. The saved Policy is populated in the Policy main window along with its allied details: Description, Action, Event Class, Severity and Regular Expression.

18. Else, Click Cancel to abort the task.

Loading a Rule from the template

1.    Click the Load Rule from Templates button from the Create Policy window.

2.    The list of Rule Templates appears.

3.    Select the Rule Template that you want to load from the list. To load more than one template, press the Ctrl key and select the Rule templates.

4.    Click Finish to complete loading the rule template to the Policy or click Close to abort the task.

5.    The Loaded Rule finally appears in the Create Policy window and is available to use in the Policy.

Creating a New Rule

v    Device Based Rule

v    Host Based Rule

v    Mirapoint Based Rule

Editing a Policy

1.    Select the Policy that you want to edit from the Policy list from the main Policies window.

2.    Click on the Edit Policy button.

3.    The Create Policy window opens.

4.    The Policy name is non-editable.

5.    You can edit the description of the Policy.

6.    Make the necessary changes: you can edit all the Rules created in the list and also load/delete rules from the templates.

7.    You can change the way the operators are working on the sets of filters.

8.    You can also edit the type of action to take on implementation of this Policy.

9.    Edit the Event Class and the associated queries if needed.

10. Click Save to save the edited Policy.

11. Click Previous to revert to the earlier screen to alter or recheck the filter settings.

12. Click Cancel to abort the task.

Making a Copy of the Policy

1.    Select the Policy to make a copy of, from the Policy list on the main Policies window.

2.    Click on the Copy Policy button from the main Policies menu bar.

3.    The copy of the Policy is saved with a prefix "Copy_of_" followed by its original name in the main Policies window.

4.    You can edit the name of the Copy of the Policy created.

5.    You can edit the Rules and the settings of the Copy of Policy created.

Deleting a Policy

1.    Select the Policy to delete from the main Policies window.

2.    Click the Delete Policy button on the main menu bar.

3.    The dialog box prompts you for a confirmation. Click Yes to delete, Cancel to abort the task.

4.    The Policy is permanently deleted from the SecCenter A1000.

Creating a device based rule

1.    On the Create Policy window, click Create Rule button.

2.    The Create Rule window opens, select Device as the Rule Criteria.

3.    Enter an appropriate Rule Name.

4.    Enter a short but apt description about the rule in the Rule Description box.

5.    A comprehensive Device based Filter List is available in the left-hand column of the Create Rule window. The list comprises the filters described below under Applying Filters to a Rule.

6.    Select a Filter to apply to the rule, from the Filter List.

7.    If you want to negate the selected filter, select the Negation check box.

8.    Fill in all the details pertaining to the selected filter. The gist of the filter settings appear on the box on the right-hand side.

9.    Click on the Save Filter button to save the settings, or click Delete Filter to cancel the filter settings.

10. Repeat the above steps to add more filters to the rule.

11. An executive summary of the filters created appears on a horizontal bottom box displaying the Filter names and their respective Values.

12. Click the Next button to continue with the Filter settings or click Cancel to abort the task.

13. The Next screen displays all the created filters available to apply to the rule.

14. You can use the operators "And" and "Or" to select the filters in combination or to choose any one of them. Press Ctrl, select the filters and then specify the operator.

The "And" operator is denoted by an ampersand symbol (&&) in the filter expressions.

The "Or" operator is denoted by a vertical bar (pipe) symbol (||) in the expressions.

By default the "Or" Operator is applied to the filter.

15. The Filter Expression summary is displayed in the bottom-most horizontal box. The summary shows how the operators are applied on the filters using the "&&" and "||" symbols.

Note: The filter expressions on Rules can be as complex as you want them to be, in order to get down to the crux of the Rules.

For Example: You can negate a Destination Port together with a Destination IP range, or a particular Source IP. The filter expression in this case will be as follows:

! ((Destination Port= [402,] && Destination IP= [10.00.79.01-10.00.79.15,]) || Source IP= [125.99.78.90,])

16. Use the Negate expression to exclude the set filter expression from the rule. The negated filter expression is prefixed with an exclamation mark "!".

17. Use the Clear button to undo the operator settings on the filter expressions.

18. Click Finish to accept the Filter Expression.

19. Click the Previous button to revert back to the earlier page to add or modify the filter settings.

20. Click Save to save the rule under the newly created Rules.

21. Click Save As Template to save the rule as a template to load in future policies.

The Rule created is in the disabled state, therefore it is imperative to enable it first from the Configure Rule option from the Create Policy window.

22. Click the Cancel button to abort the task.
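
As an added illustration (example code written for this guide, not SecCenter A1000's own code), the following Python evaluator implements the rule and filter expression syntax shown above: the device-rule filter expression in step 15, the policy expression ((! RULE1 && RULE2) || ! RULE3) from Create Policy, and the Set Precedence order. The Event record, the ip_matches/port_matches helpers, the constructed sample events and the assumed precedence semantics (the highest-precedence matching rule wins) are assumptions made for this example, not behaviour documented by the guide.

```python
# Added example, not part of the SecCenter A1000 product or this guide: a
# small evaluator for the rule/policy expression syntax the guide shows
# ("&&", "||", "!", filters written as Attribute= [value,]).
# The Event fields, helper names and the precedence semantics (highest-
# precedence matching rule wins) are assumptions made for illustration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """Constructed event record with the three attributes the examples use."""
    source_ip: str
    destination_ip: str
    destination_port: int


def ip_matches(value: str, spec: str) -> bool:
    """spec is a single address or an 'a.b.c.d-e.f.g.h' range (guide syntax)."""
    addr = ipaddress.ip_address(value)
    if "-" in spec:
        low, high = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return low <= addr <= high
    return addr == ipaddress.ip_address(spec)


def port_matches(value: int, spec: str) -> bool:
    """spec is a single port or a 'low-high' range."""
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return low <= value <= high
    return value == int(spec)


# One filter = one attribute plus its list of accepted values ([v1,v2,] in
# the guide); any listed value matching makes the filter true.
def destination_port(*specs):
    return lambda e: any(port_matches(e.destination_port, s) for s in specs)


def destination_ip(*specs):
    return lambda e: any(ip_matches(e.destination_ip, s) for s in specs)


def source_ip(*specs):
    return lambda e: any(ip_matches(e.source_ip, s) for s in specs)


# The three operators the guide describes: And (&&), Or (||), Negation (!).
def AND(*exprs):
    return lambda e: all(x(e) for x in exprs)


def OR(*exprs):
    return lambda e: any(x(e) for x in exprs)


def NOT(expr):
    return lambda e: not expr(e)


# Rules from the guide's Create Policy example (leading zeros in the
# addresses dropped: ipaddress rejects the 10.00.79.01 form).
RULE1 = AND(destination_port("306"), destination_ip("10.0.79.1-10.0.79.15"))
RULE2 = destination_port("402")
RULE3 = source_ip("10.78.0.97")

# Policy expression from the guide: ((! RULE1 && RULE2) || ! RULE3)
POLICY = OR(AND(NOT(RULE1), RULE2), NOT(RULE3))

# Device-rule filter expression from "Creating a device based rule", step 15:
# ! ((Destination Port= [402,] && Destination IP= [10.0.79.1-10.0.79.15,])
#    || Source IP= [125.99.78.90,])
DEVICE_RULE = NOT(OR(AND(destination_port("402"),
                         destination_ip("10.0.79.1-10.0.79.15")),
                     source_ip("125.99.78.90")))

# Constructed sample events; none of these addresses comes from real traffic.
SAMPLE_EVENTS = {
    "A": Event("10.78.0.97", "10.0.79.5", 306),   # RULE1 and RULE3 hold
    "B": Event("192.0.2.10", "10.0.79.5", 402),   # only RULE2 holds
    "C": Event("10.78.0.97", "10.0.79.5", 402),   # RULE2 and RULE3 hold
    "D": Event("10.78.0.97", "192.0.2.1", 80),    # only RULE3 holds
}


def evaluate_all(expr, events=SAMPLE_EVENTS):
    """Map each event name to whether the expression fires for it."""
    return {name: expr(ev) for name, ev in events.items()}


def first_by_precedence(ordered_rules, event):
    """Assumed precedence semantics: the highest-precedence matching rule wins.
    ordered_rules is a list of (name, expr) in descending precedence, e.g.
    RULE1 > RULE3|RULE4 > RULE2 as in the guide's Set Precedence example."""
    for name, expr in ordered_rules:
        if expr(event):
            return name
    return None


if __name__ == "__main__":
    print("POLICY     ", evaluate_all(POLICY))
    print("DEVICE_RULE", evaluate_all(DEVICE_RULE))
```

Running the block reports which of the constructed events fire the policy and the device rule. The AND/OR/NOT combinators nest arbitrarily, so any expression the Summary box can display maps onto them one operator at a time; the guide's own precedence text only says rules are ordered, so the "first matching rule in precedence order" behaviour of first_by_precedence is an assumption to be checked against the product.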

Applying Filters to a Rule

As described above, there is a built-in list of device filters available to apply to a rule. Let us consider each filter in turn and see how it can be applied to the Rule.

Action

1.    Select either Allowed or Denied to filter events that are allowed or denied in a device/host.

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.


Source IP

1.    Enter the Source IP/Name of the device you want to filter and report on only those events originating from the specified source.

2.    To filter on events originating from a range of devices, specify the IP Range by selecting the Source IP Range check box.

3.    Select the option Any to consider all the source IP addresses.

4.    Add the Source IP/Name by clicking the Add button.

5.    Click the Save Filter button. The filter is added to the Filter list.

6.    Click the Delete Filter button to clear the settings.


Destination IP

1.    Enter the Destination IP/Name of the device you want to filter and report on only those events having the specified Destination IP/Name.

2.    To filter on events from a series of devices at a time, provide the IP Range by selecting the Destination IP Range check box.

3.    Add the Destination IP/Name of the device or the range by clicking the Add button.

4.    Select the option Any to consider all the destination IP addresses.

5.    Click the Save Filter button. The filter is added to the Filter list.

6.    Click the Delete Filter button to clear the settings.


Destination Port

1.    Enter the destination port number you want to filter for an event displayed in the Event Viewer console.

2.    To filter on events with a range of destination ports at a time, provide the port range by selecting the Destination Port Range check box.

3.    Click Add, and the port number you entered is added to the list.

4.    Select the option Any to consider all the destination ports.

5.    Click the Save Filter button. The filter is added to the Filter list.

6.    Click the Delete Filter button to clear the settings.

Protocols

1.    Select the protocols you want to filter and click the move button to move them into the Selected Protocols list. You can also add new protocols.

2.    You can add a new protocol by clicking on the Add button.

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.

Event Severity

1.    Select the Event Severity from the following list:


v    Emergency

v    Alert

v    Critical

v    Error

v    Warning

v    Notice

v    Information

v    Debug


2.    Select the Event Severities you want to filter and click the move button to move them into the Selected Event Severities list.

3.    You can also add a new severity by clicking on the Add button.

4.    Click the Save Filter button. The filter is added to the Filter list.

5.    Click the Delete Filter button to clear the settings.

Event Type

1.    Select the Event Types from the following list:


v    TRAFFIC

v    IPSEC

v    DROP

v    BLOCKED

v    IDS

v    VPN

v    SYSTEM


2.    Select the event types you want to filter and click the move button to move them into the selected event type list.

3.    You can also add a new event type by clicking the Add button.

4.    Click the Save Filter button. The filter is added to the Filter list.

5.    Click the Delete Filter button to clear the settings.


Event ID

1.    Select the Event IDs from the available list.

2.    Select the event IDs you want to filter and click the move button to move them into the selected ID list.

3.    You can also add a new event ID by clicking the Add button.

4.    Click the Save Filter button. The filter is added to the Filter list.

5.    Click the Delete Filter button to clear the settings.

Event Category

If you have selected Event Category, follow the steps described below:

1.    Enter the event category you want to monitor.

2.    Click Add to add the event category to the list.

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.


Attack Type

1.    Select the Attack Types from the available list.

2.    Select the attack types you want to filter and click the move button to move them into the Selected Attack Type list.

3.    You can also add a new attack type by clicking on the Add button.

4.    Click the Save Filter button. The filter is added to the Filter list.

5.    Click the Delete Filter button to clear the settings.


Attack ID

1.    Select the Attack IDs from the available list.

2.    Select the attack IDs you want to filter and click the move button to move them into the selected Attack ID list.

3.    You can also add a new attack ID by clicking the Add button.

4.    Click the Save Filter button. The filter is added to the Filter list.

5.    Click the Delete Filter button to clear the settings.


Virus Type

1.    Select the Virus Types from the available list.

2.    Select the virus types you want to filter and click the move button to move them into the selected virus type list.

3.    You can also add a new virus type by clicking the Add button.

4.    Click the Save Filter button. The filter is added to the Filter list.

5.    Click the Delete Filter button to clear the settings.

Virus ID

1.    Select the Virus IDs from the available list.

2.    Select the virus IDs you want to filter and click the move button to move them into the selected Virus ID list.

3.    You can also add a new virus ID by clicking on the Add button.

4.    Click the Save Filter button. The filter is added to the Filter list.

5.    Click the Delete Filter button to clear the settings.

URL

1.    Enter the URLs you want to filter.

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.


Rule

1.    Select the Rules from the Available Rule list.

2.    Select the rules you want to filter and click the move button to move them into the Selected Rule list.

3.    You can also add a new rule by clicking the Add button.

4.    Click the Save Filter button. The filter is added to the Filter list.

5.    Click the Delete Filter button to clear the settings.

Content Category

1.    Enter the content category that you want to filter in the Content Category text box.

2.    You can also add a new content category by clicking the Add button.

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.

Flow

1.    Select either Inbound or Outbound to filter.

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.

Set your device interfaces correctly from the Devices/Groups user interface for this filter to work properly.

Event Description

1.    Enter the event description you want to filter in the Event Description box. You can also use wild card '*' to filter any specific word or sentence in the description.

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.

Attack Details

1.    Enter the details of the attack to filter in the Attack Details box. You can also use wild card '*' to filter any common string in the description.

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.


Shun

1.    Select Yes to filter Shun events or No to ignore shun events occurring on the device(s).

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.

Spam Destination Email

1.    Enter the email address of the Spam Destination in the Spam Destination Email text box. You can also use wild card '*' to filter any common string.

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.


Spam Source Email

1.    Enter the email address of the Spam Source in the Spam Source Email text box. You can also use the wild card '*' to filter any common string.

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.

Spam Type

1.    Select the Spam Types from the available list.

2.    Select the Spam types to filter from the available entities list and click the move button to move them into the selected entities list.

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.

Editing a Device based Rule

1.    Select the Rule that you want to edit from the Rule list populated on the Create Policy window. The column Base identifies whether the Rule is based on a Device or a Host.

2.    Click on the Edit Rule button from the Create Policy menu bar.

3.    If you have selected a Device based rule to edit, the corresponding window opens.

4.    The Rule name is non-editable.

5.    You can edit the description of the Rule.

6.    Make the necessary changes: you can edit the settings on all the filters available in the list and also add new filters.

7.    Click the Next button to proceed with editing process, else click the Cancel button to abort the task.

8.    On the next screen if needed, you can change the way the operators are working on the sets of filters.

9.    Click Save to save the edited Rule on the Create Policy window.

10. Click Save As Template to save the edited rule as a template in the Rule Templates repository accessible from the Policies main window.

11. Click Previous to revert to the earlier screen to alter or recheck the filter settings.

12. Click Cancel to abort the task.

Making a Copy of the Device based rule

1.    Select the Device Rule to make a copy of, from the Rule list populated on the Create Policy window. The column Base identifies whether the Rule is based on a Device or a Host.

2.    Click on the Copy Rule button from the Create Policy menu bar.

3.    A copy of the selected rule is created. 

4.    The copy of the Device Rule is saved with a prefix "Copy_of_" followed by its original name.

5.    You can edit the name and the description of the copy of the Device Rule.

6.    You can edit any or all the Device filter settings followed by the operator settings pertaining to the original Device Rule and can also add new Device filters.

7.    Click Save to save the Copy of the Device Rule on the Create Policy window.

8.    Click Save As Template to save the Copy of the Device Rule as a template in the Rule Templates repository accessible from the Policies main window.

9.    Click Previous to revert to the earlier screen to alter or recheck the Device filter settings.

10. Click Cancel to abort the task.

Deleting a Device based Rule

1.    Select the Rule to delete from the Rule list populated on the Create Policy window.

2.    Click the Delete Rule button from the Create Policy menu bar.

3.    The dialog box prompts you for a confirmation. Click Yes to delete, Cancel to abort the task.

4.    The Rule will be permanently deleted from the Policy.

Configuring a Device based rule

The Rule is created in a disabled state, so you must enable it before it can be applied to the Policy.

1.    Select the Device Rule that is in disabled state, from the Rule list populated on the Create Policy window.

2.    Click on the Configure Rule button on the Create Policy menu bar.

3.    The Configure Rule window opens.

4.    The window displays the name of the Device Rule along with all the Devices licensed to the SecCenter A1000 application.

5.    From the complete list of Licensed Devices, select a Device(s) to configure the rule on.

6.    Set a Threshold value on the Rule.

7.    Set the Refresh interval by selecting a value from the drop-down list.

8.    Select Correlation to establish correlation between the selected Device(s).

9.    Click the Set Correlation button; the Set Correlation window opens.

10. Select the Device(s) to correlate with the Device selected on the previous window.

11. Enter a Correlation Threshold value.

12. Click Save to save the correlation settings, else click Cancel to abort the task.

13. The Created Device Rule is now configured and is ready to apply on the Policy.

 

Creating a Host based rule

1.    On the Create Policy window, click the Create Rule button.

2.    The Create Rule window opens, select Host as the Rule Criteria.

3.    Enter an appropriate Rule Name.

4.    Enter a short but apt description about the rule in the Rule Description box.

5.    A comprehensive Host based Filter List is available in the left-hand column of the Create Rule window. The list comprises the following filters:


v    Caller User

v    Event Type

v    Event Identifier

v    Event Description

v    Facility

v    Source

v    Event Severity

v    User name

v    Event Category

v    Target Machine

v    Target User


6.    Select a Filter to apply to the rule.

7.    If you want to negate the selected filter, select the Negation check box.

8.    Fill in all the details pertaining to the selected filter. A summary of the filter settings appears in the box in the right-hand corner.

9.    Click on the Save Filter button to save the settings, or click Delete Filter to cancel the filter settings.

10. Repeat the above steps to add more filters to the rule.

11. An executive summary of the filters created appears on a horizontal bottom box displaying the Filter names and their respective values.

12. Click the Next button to continue with the Filter settings or click Cancel to abort the task.

13. The Next screen displays all the created filters available to apply to the rule.

14. You can use the operators "And" and "Or" to combine the selected filters so that all of them must match or any one of them may match. Press Ctrl, select the filters, and then specify the operator.

The "And" operator is denoted by a double ampersand (&&) in the filter expressions.

The "Or" operator is denoted by a double vertical bar (pipe) symbol (||) in the expressions.

15. By default the "Or" operator is applied to the filters.

16. The Filter Expression summary is displayed in the bottom-most horizontal box. The summary shows how the operators are applied to the filters, using the "&" and "|" symbols.

Note: A filter expression on a Rule can be as complex as needed to describe precisely the events the Rule should match.

17. Use the Negate expression to exclude the selected filter expression from the rule. A negated filter expression is prefixed with an exclamation mark ("!").

18. Use the Clear button to undo the operator settings on the filter expressions.

19. Click Finish to accept the Filter Expression.

20. Click the Previous button to return to the earlier page to add or modify filter settings.

21. Click Save to save the rule under the newly created Rules.

22. Click Save As Template to save the rule as a template to load in future policies.

The Rule created is in the disabled state, so you must first enable it using the Configure Rule option on the Create Policy window.

23. Click the Cancel button to abort the task.

Applying Host based Filters to a rule

As described above, there is a built-in list of filters available to apply to the rule. The following sections describe each filter in turn and how it is applied to the Rule.

Caller user

1.    Enter the account name of the Caller User to filter in Add a New Caller User text box.

2.    Click Add to add it to the list.

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.

Event Type

1.    Select the Event Types that you want to filter from the Available Event Type list and click to move them into the Selected Event Type list.

2.    The available Event Types are:

v    error

v    failure

v    warning

v    info

v    success

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.

Event Identifier

1.    Select the identifiers you want to filter and click to move them into the Selected Identifiers list. You can also add a new Event Identifier.

2.    You can add a new Event Identifier by clicking the Add button.

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.

Event Description

1.    Enter the event description you want to filter in the Event Description box. You can also use wild card '*' to filter any specific word or sentence in the description.

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.

Facility

1.    Select the facilities you want to filter and click to move them into the Selected Facilities list. The available facilities are:


v    System

v    Security

v    Application

v    DNS Server

v    Directory Service

v    File Replication


2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.

Source

1.    Select the sources you want to filter and click to move them into the Selected Sources list. You can also add a new source.

2.    You can add a new source by clicking the Add button.

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.

Event Severity

1.    Select the event severities you want to filter and click to move them into the Selected Event Severities list.

2.    The available event severities are:


v    Emergency

v    Alert

v    Critical

v    Error

v    Warning

v    Notice

v    Info

v    Debug

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.

User Name

1.    Enter the name of the user to filter, in the User Name box. You can also use wild card '*' to filter user names containing common characters.

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.

Event Category

1.    Enter the category of the event to filter, in the Event Category box. You can also use wild card '*' to filter any specific word or sentence in the category.

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.


Target Machine

1.    Enter the host name of the Target Machine to filter in Add a New Target Machine text box.

2.    Click Add to add it to the list.

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.

Target User

1.    Enter the name of the Target User to filter in the Add a New Target User text box.

2.    Click Add to add it to the list.

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.

Editing a Host based rule

1.    Select the Host Rule that you want to edit from the Rule list populated on the Create Policy window. The column Base identifies whether the Rule is based on a Device or a Host.

2.    Click on the Edit Rule button from the Create Policy menu bar.

3.    The Rule name is non-editable.

4.    You can edit the description of the Rule.

5.    Make the necessary changes: you can edit the settings on all the Host filters available in the list and also add new Host filters from the list.

6.    Click the Next button to proceed with the editing process, or click the Cancel button to abort the task.

7.    On the next screen, if needed, you can change the way the operators combine the sets of filters.

8.    Click Save to save the edited Rule on the Create Policy window.

9.    Click Save As Template to save the edited rule as a template in the Rule Templates repository accessible from the Policies main window.

10. Click Previous to revert to the earlier screen to alter or recheck the filter settings.

11. Click Cancel to abort the task.

Making a Copy of the Host based rule

1.    Select the Host Rule to make a copy of, from the Rule list populated on the Create Policy window. The column Base identifies whether the Rule is based on a Device or a Host.

2.    Click on the Copy Rule button from the Create Policy menu bar.

3.    A copy of the selected rule is created. 

4.    The copy of the Host Rule is saved with a prefix "Copy_of_" followed by its original name.

5.    You can edit the name and the description of the copy of the Host Rule.

6.    You can edit any or all the Host filter settings followed by the operator settings pertaining to the original Host Rule and can also add new Host filters.

7.    Click Save to save the Copy of the Host Rule on the Create Policy window.

8.    Click Save As Template to save the Copy of the Host Rule as a template in the Rule Templates repository accessible from the Policies main window.

9.    Click Previous to return to the earlier screen to alter or recheck the Host filter settings.

10. Click Cancel to abort the task.


Deleting a Host based rule

1.    Select the Host Rule to delete from the Rule list populated on the Create Policy window.

2.    Click the Delete Rule button from the Create Policy menu bar.

3.    The dialog box prompts you for a confirmation. Click Yes to delete, Cancel to abort the task.

4.    The Host Rule will be permanently deleted from the Policy.


Configuring a Host based rule

The Rule is created in a disabled state, so you must enable it before it can be applied to the Policy.

1.    Select the Rule that is in disabled state, from the Rule list populated on the Create Policy window.

2.    Click on the Configure Rule button on the Create Policy menu bar.

3.    The Configure Rule window opens.

4.    The window displays the name of the Host Rule along with all the licensed Hosts available with the SecCenter A1000 application.

5.    From the complete list of licensed hosts select a Host(s) to configure the rule on.

6.    Set a Threshold value on the Rule.

7.    Set the Refresh interval by selecting a value from the drop-down list.

8.    Select Correlation to establish correlation between the selected Host(s).

9.    Click the Set Correlation button; the Set Correlation window opens.

10. Select the Host(s) to correlate with the Host selected on the previous window.

11. Enter a Correlation Threshold value.

12. Click Save to save the correlation settings, else click Cancel to abort the task.

13. The Created Host Rule is now configured and is ready to apply on the Policy.

Creating a Mirapoint Device based rule

1.    On the Create Policy window, click Create Rule button.

2.    The Create Rule window opens.

3.    Enter an appropriate Rule Name.

4.    Enter a short but apt description about the rule in the Rule Description box.

5.    Select Mirapoint Device to create a Rule based on the Mirapoint device.

6.    A comprehensive Filter List based on the Mirapoint device is available in the left-hand column of the Create Rule window. The list comprises the following filters:


v        Action

v        Event ID

v        Filter Action

v        MailBox

v        Mail Header

v        Recipient Email

v        Score

v        Sender Email

v        Sender IP

v        Spam

v        Transport Type

v        Virus


7.    Select a Filter to apply to the rule.

8.    If you want to negate the selected filter, select the Negation check box.

9.    Fill in all the details pertaining to the selected filter. A summary of the filter settings appears in the box in the right-hand corner.

10. Click on the Save Filter button to save the settings, or click Delete Filter to cancel the filter settings.

11. Repeat the above steps to add more filters to the rule.

12. An executive summary of the created filters appears in the bottom rows, displaying the Filter names and their respective values.

13. Click the Next button to continue with the Filter settings or click Cancel to abort the task.

14. The next screen displays all the created filters available to apply to the rule.

15. You can use the operators "And" and "Or" to combine the selected filters so that all of them must match or any one of them may match. Press Ctrl, select the filters, and then specify the operator.

The "And" operator is denoted by a double ampersand (&&) in the filter expressions.

The "Or" operator is denoted by a double vertical bar (pipe) symbol (||) in the expressions.

By default the "Or" operator is applied to the filters.

The Filter Expression summary is displayed in the bottom-most horizontal box. The summary shows how the operators are applied to the filters, using the "&" and "|" symbols.

Note: A filter expression on a Rule can be as complex as needed to describe precisely the events the Rule should match.

Use the Negate expression to exclude the selected filter expression from the rule. A negated filter expression is prefixed with an exclamation mark ("!").

16. Use the Clear button to undo the operator settings on the filter expressions. Click Finish to accept the Filter Expression.

17. Click the Previous button to return to the earlier page to add or modify filter settings.

18. Click Save to save the rule under the newly created Rules.

19. Click Save As Template to save the rule as a template to load in future policies.

The Rule created is in the disabled state, so you must first enable it using the Configure Rule option on the Create Policy window.

20. Click the Cancel button to abort the task.
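The And, Or and Negate combination described in the steps above, and in the identical steps for Host based rules, as an added example that is not part of this guide and not code from the SecCenter A1000 product: a small Python evaluator for filter expressions of that shape. The field names are the guide's Host filter names; the sample events, the rule, and the assumptions that '*' matches any run of characters case-insensitively and that several values saved in one filter are OR-ed are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Constructed sample host events keyed by the guide's Host filter names.
# These records are made up for the example; they are not SecCenter A1000 output.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Event Type": "failure", "Event Identifier": "529", "Facility": "Security",
     "User Name": "jdoe", "Target Machine": "FILESRV01",
     "Event Description": "Logon Failure: Unknown user name or bad password"},
    {"Event Type": "failure", "Event Identifier": "529", "Facility": "Security",
     "User Name": "svc_test01", "Target Machine": "FILESRV01",
     "Event Description": "Logon Failure: Unknown user name or bad password"},
    {"Event Type": "success", "Event Identifier": "528", "Facility": "Security",
     "User Name": "jdoe", "Target Machine": "FILESRV01",
     "Event Description": "Successful Logon"},
    {"Event Type": "failure", "Event Identifier": "7023", "Facility": "System",
     "User Name": "", "Target Machine": "FILESRV01",
     "Event Description": "The Spooler service terminated with an error"},
]


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Turn a '*' wildcard pattern into an anchored, case-insensitive regex.
    Assumption: '*' matches any run of characters; everything else is literal."""
    parts = [re.escape(piece) for piece in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


@dataclass(frozen=True)
class Filter:
    """One saved filter: a field, one or more accepted values, optional Negation."""
    field: str
    values: Tuple[str, ...]
    negate: bool = False

    def matches(self, event: Dict[str, str]) -> bool:
        actual = event.get(self.field, "")
        hit = any(wildcard_to_regex(v).match(actual) for v in self.values)
        return (not hit) if self.negate else hit

    def render(self) -> str:
        text = f"{self.field}={','.join(self.values)}"
        return "!" + text if self.negate else text


@dataclass(frozen=True)
class Expr:
    """Filter expression tree: a FILTER leaf, or AND / OR / NOT over sub-expressions."""
    op: str
    operands: tuple

    def evaluate(self, event: Dict[str, str]) -> bool:
        if self.op == "FILTER":
            return self.operands[0].matches(event)
        if self.op == "NOT":
            return not self.operands[0].evaluate(event)
        results = [e.evaluate(event) for e in self.operands]
        return all(results) if self.op == "AND" else any(results)

    def render(self) -> str:
        """Summary in the '&', '|' and '!' notation used by the guide's summary box."""
        if self.op == "FILTER":
            return self.operands[0].render()
        if self.op == "NOT":
            return "!(" + self.operands[0].render() + ")"
        glue = " & " if self.op == "AND" else " | "
        return "(" + glue.join(e.render() for e in self.operands) + ")"


def F(field: str, *values: str, negate: bool = False) -> Expr:
    return Expr("FILTER", (Filter(field, tuple(values), negate),))


def AND(*exprs: Expr) -> Expr:
    return Expr("AND", exprs)


def OR(*exprs: Expr) -> Expr:
    return Expr("OR", exprs)


def NOT(expr: Expr) -> Expr:
    return Expr("NOT", (expr,))


def failed_logon_rule() -> Expr:
    """Constructed rule: failed Security-facility logons, excluding test accounts."""
    return AND(
        AND(F("Event Type", "failure"), F("Facility", "Security")),
        NOT(F("User Name", "svc_test*")),
    )


def apply_rule(rule: Expr, events: Sequence[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events selected by the rule's filter expression."""
    return [e for e in events if rule.evaluate(e)]


if __name__ == "__main__":
    rule = failed_logon_rule()
    print(rule.render())
    for hit in apply_rule(rule, SAMPLE_EVENTS):
        print(hit["Event Identifier"], hit["User Name"], hit["Event Description"])
```

Negation at the leaf (the Negation check box on a filter) and negation of a whole sub-expression (the Negate expression on the operator screen) are deliberately kept separate, because they differ when a filter has several values: negating a three-value filter excludes all three, while wrapping an Or of three filters in Negate does the same thing only if the Or was applied.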

 

Applying Mirapoint Device based Filters to a Rule

As described above there is an in-built list of filters available to apply on the rule. Let us consider each filter at a time and figure out how they can be applied to the Rule.


Action

The Action filter distinguishes Allowed events from Denied events.

1.    Select an Action from the action details to filter.

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.

Event ID

1.    Select the event IDs to filter and click to move them into the selected ID list.

2.    You can also add a new event ID by clicking the Add button.

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.


Filter Action

1.    Enter the Filter Action to filter, in the Filter Action text box. You can also use wild card '*' to filter any specific word or sentence in the description.

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.

Mail Box

1.    Select the Mail Box from the available list.

2.    Select from the available entities and click to move them into the selected entities list.

3.    You can also add a new Mail box entity by clicking the Add button.

4.    Click the Save Filter button. The filter is added to the Filter list.

5.    Click the Delete Filter button to clear the settings. 


Mail Header

1.    Enter the Mail Header to filter, in the Mail Header text box. You can also use wild card '*' to filter common strings.

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.

Recipient E-mail

1.    Enter the e-mail address of the recipient to filter, in the Recipient E-Mail text box. You can also use wild card '*' to filter common strings.

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.

 

Score

1.    Select Any to filter any encountered junk mail irrespective of the score.

2.    Enter the Score of the junk mail intensity to filter, in the Score text box.

3.    You can alternatively specify a Score range of junk mail intensity to filter.

4.    Click the Save Filter button. The filter is added to the Filter list.

5.    Click the Delete Filter button to clear the settings.

Sender Email

1.    Enter the e-mail address of the sender that you want to filter, in the Sender E-mail box. You can also use wild card '*' to filter any common string.

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.

Sender IP

1.    Enter the IP address of the sender that you want to filter, in the Sender IP box. You can also use wild card '*' to filter any common string.

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.

Spam

1.    Select the Spam filter from the available list.

2.    Select the spam entries to filter from the available entities and click to move them into the selected entities list.

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.

Transport Type

1.    Enter the type of transport protocol of the mail server that you want to filter, in the Transport Type box. You can also use wild card '*' to filter common strings.

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.


Virus

1.    Select the Viruses from the available list.

2.    Select the Viruses to filter and click to move them into the selected Virus list.

3.    You can also add a new Virus by clicking the Add button.

4.    Click the Save Filter button. The filter is added to the Filter list.

5.    Click the Delete Filter button to clear the settings.

Editing a Mirapoint Device Rule

1.    Select the Mirapoint Device Rule that you want to edit from the Rule list populated on the Create Policy window.

2.    Click on the Edit Rule button from the Create Policy menu bar.

3.    The Rule name is non-editable.

4.    You can edit the description of the Rule.

5.    Make the necessary changes: you can edit the settings on all the Mirapoint Device filters available in the list and also add new Mirapoint Device filters from the list.

6.    Click the Next button to proceed with the editing process, or click the Cancel button to abort the task.

7.    On the next screen, if needed, you can change the way the operators combine the sets of filters.

8.    Click Save to save the edited Rule on the Create Policy window.

9.    Click Save As Template to save the edited rule as a template in the Rule Templates repository accessible from the Policies main window.

10. Click Previous to return to the earlier screen to alter or recheck the filter settings.

11. Click Cancel to abort the task.

Making a Copy of the Mirapoint Device Rule

1.    Select the Mirapoint Device Rule to make a copy of, from the Rule list populated on the Create Policy window.

2.    Click on the Copy Rule button from the Create Policy menu bar.

3.    The copy of the Mirapoint Device Rule is saved with the prefix "Copy_of_" followed by its original name.

4.    You can edit the name and the description of the copy of the Mirapoint Device Rule.

5.    You can edit any or all of the Mirapoint Device filter settings and the operator settings inherited from the original Mirapoint Device Rule, and can also add new Mirapoint Device filters.

6.    Click Save to save the copy of the Mirapoint Device Rule on the Create Policy window.

7.    Click Save As Template to save the copy of the Mirapoint Device Rule as a template in the Rule Templates repository accessible from the Policies main window.

8.    Click Previous to return to the earlier screen to alter or recheck the Mirapoint Device filter settings.

9.    Click Cancel to abort the task.

Deleting a Mirapoint Device Rule

1.    Select the Mirapoint Device Rule to delete from the Rule list populated on the Create Policy window.

2.    Click the Delete Rule button from the Create Policy menu bar.

3.    The dialog box prompts you for a confirmation. Click Yes to delete, Cancel to abort the task. The Mirapoint Device Rule will be permanently deleted from the Policy.

Configure a Rule

The Rule is created in a disabled state, so you must enable it before it can be applied to the Policy.

1.    Select the Rule that is in disabled state, from the Rule list populated on the Create Policy window.

2.    Click on the Configure Rule button on the Create Policy menu bar. The Configure Rule window opens.

3.    The window displays the name of the Mirapoint Device Rule along with all the licensed Mirapoint Devices available with the SecCenter A1000 application.

4.    From the complete list of Licensed Devices select a Mirapoint Device(s) to configure the rule on.

5.    Set a Threshold value on the Rule.

6.    Set the Refresh interval by selecting a value from the drop-down list.

7.    Select Correlation to establish correlation between the selected licensed device(s)/mail servers.

8.    Click the Set Correlation button; the Set Correlation window opens.

9.    Select the Mirapoint Device(s) to correlate to the Mirapoint Device selected on the previous window.

10. Enter a Correlation Threshold value.

11. Click Save to save the correlation settings, else click Cancel to abort the task. The Created Mirapoint Device Rule is now configured and is ready to apply on the Policy.
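The Threshold, Refresh interval and Correlation Threshold settings above (and the identical settings for Device based and Host based rules) as an added example that is not part of this guide and not code from the SecCenter A1000 product. Because the guide does not define the arithmetic, the example assumes that the threshold is the number of events matching the rule on one device within a single refresh interval, and that the correlation threshold is the number of matching events on the correlated devices within that same interval; the device names and event timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed hits: (UTC timestamp, device) for events that already matched the
# rule's filter expression. Made up for the example, not SecCenter A1000 output.
SAMPLE_HITS: List[Tuple[str, str]] = [
    ("2024-03-01 10:00:05", "fw-edge-1"),
    ("2024-03-01 10:00:40", "fw-edge-1"),
    ("2024-03-01 10:01:10", "fw-edge-2"),
    ("2024-03-01 10:02:30", "fw-edge-1"),
    ("2024-03-01 10:03:15", "fw-edge-2"),
    ("2024-03-01 10:04:59", "fw-edge-1"),
    ("2024-03-01 10:06:00", "fw-edge-1"),
    ("2024-03-01 10:08:20", "fw-edge-1"),
]

Correlation = Tuple[Sequence[str], int]   # (correlated devices, correlation threshold)


def bucket_hits(hits: Sequence[Tuple[str, str]], refresh_seconds: int) -> Dict[int, Dict[str, int]]:
    """Count hits per device inside each refresh interval.
    Keys are interval start times as epoch seconds, aligned to the interval length."""
    counts: Dict[int, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for stamp, device in hits:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        start = int(when.timestamp()) // refresh_seconds * refresh_seconds
        counts[start][device] += 1
    return counts


def evaluate_rule(hits: Sequence[Tuple[str, str]], devices: Sequence[str], threshold: int,
                  refresh_seconds: int, correlation: Optional[Correlation] = None) -> List[dict]:
    """Raise one alert for every (interval, device) whose hit count reaches the threshold.
    Assumption: the alert is flagged as correlated when the correlated devices' combined
    hits in the same interval reach the correlation threshold."""
    alerts: List[dict] = []
    for start, per_device in sorted(bucket_hits(hits, refresh_seconds).items()):
        for device in devices:
            count = per_device.get(device, 0)
            if count < threshold:
                continue
            correlated = False
            if correlation is not None:
                peers, corr_threshold = correlation
                peer_hits = sum(per_device.get(p, 0) for p in peers)
                correlated = peer_hits >= corr_threshold
            alerts.append({
                "interval": datetime.fromtimestamp(start, tz=timezone.utc).strftime("%H:%M"),
                "device": device,
                "count": count,
                "correlated": correlated,
            })
    return alerts


def demo() -> List[dict]:
    """Threshold 3 per 5-minute refresh interval on fw-edge-1, correlated with fw-edge-2 at 2 hits."""
    return evaluate_rule(SAMPLE_HITS, ["fw-edge-1"], threshold=3, refresh_seconds=300,
                         correlation=(["fw-edge-2"], 2))


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

With the constructed data the 10:00 interval holds four hits on fw-edge-1 and two on fw-edge-2, so the rule fires once and is marked correlated; the 10:05 interval holds only two hits and stays quiet. Aligning intervals to fixed boundaries means a burst straddling a boundary can be split below the threshold, which is the usual trade-off between a tumbling and a sliding window when tuning these values.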

Alert Delivery

When an alert is generated, you can view it immediately in the Alert Manager by leaving the Alert Notification check box clear in the Configure Alert window. Alternatively, have it delivered by either or both of the following notification methods:

v    E-mail

v    SNMP Trap

The Alert Delivery Screen

E-mail Notification

Select the E-mail check box for receiving alerts via e-mail. You can either choose not to include events in the generated alert or can include events in the body of the e-mail or as an attachment. The alert details will be attached as an HTML file.

Select any one of the options given below:

v    Do Not Include Events

v    Include Events In Body

v    Include Events as Attachment

If you leave the check box clear, the alerts notified through e-mail will contain only the time, alert name, alert description, and a message.

An alert message can be configured to be sent in either HTML or Text format.

E-mail Details

You can set a time period; if an alert is generated within that time period, it is sent to a specific e-mail address.

Follow the steps described below to add an e-mail recipient:

1.    Enter the time From to time To in the hh:mm format and the recipient's e-mail address. If an alert is generated within the specified time bounds, the alert message will be sent to the specified recipient.

2.    Click the Add button. The e-mail ID is added to the recipient list.

3.    Enter the subject and the message that should be appended to the alert notification.

4.    Enter the threshold figure for the number of e-mails that you want to receive in an hour. For receiving e-mails first configure the SMTP server.

5.    To configure the SMTP server, click the Configure SMTP button which will take you to the E-Mail tab in the Options window.

6.    Specify the SMTP (Simple Mail Transfer Protocol) mail server name and user ID that SecCenter A1000 uses to send an e-mail alert whenever a specified event type or attack activity is detected, or when the total number of attack attempts exceeds a specified value.

7.    Finally, click Save.
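The e-mail notification settings above, as an added example that is not part of this guide and not code from the SecCenter A1000 product: building the alert message with the chosen event-inclusion option, checking the From/To time window, and enforcing the per-hour e-mail threshold, using only the Python standard library. The alert record, recipient, subject and message text are constructed, the assumption that a To time earlier than the From time wraps past midnight is the example's own, and the actual hand-off to the SMTP server is left out so the example runs offline.

```python
from collections import deque
from datetime import datetime, time, timedelta
from email.message import EmailMessage
from html import escape
from typing import Any, Deque, Dict, List

# Constructed alert record carrying the fields the guide says every e-mail contains
# (time, alert name, alert description, message) plus the triggering events.
SAMPLE_ALERT: Dict[str, Any] = {
    "time": "2024-03-01 10:05:00",
    "name": "Failed logons on FILESRV01",
    "description": "Threshold of 3 failed logons in 5 minutes reached",
    "events": [
        {"time": "2024-03-01 10:00:05", "user": "jdoe", "description": "Logon Failure"},
        {"time": "2024-03-01 10:02:30", "user": "jdoe", "description": "Logon Failure"},
        {"time": "2024-03-01 10:04:59", "user": "jdoe", "description": "Logon Failure"},
    ],
}


def within_window(now: str, start: str, end: str) -> bool:
    """True when 'now' (hh:mm) falls inside the From/To window (hh:mm).
    Assumption: a window whose To is earlier than From wraps past midnight."""
    n, s, e = (time.fromisoformat(v) for v in (now, start, end))
    return s <= n <= e if s <= e else (n >= s or n <= e)


class HourlyLimit:
    """Cap on the number of alert e-mails sent in any rolling one-hour period."""

    def __init__(self, max_per_hour: int) -> None:
        self.max_per_hour = max_per_hour
        self.sent: Deque[datetime] = deque()

    def allow(self, stamp: str) -> bool:
        at = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        while self.sent and at - self.sent[0] >= timedelta(hours=1):
            self.sent.popleft()          # drop sends older than one hour
        if len(self.sent) >= self.max_per_hour:
            return False
        self.sent.append(at)
        return True


def events_as_html(events: List[Dict[str, str]]) -> str:
    """Render the events as an HTML table; escaping keeps log-supplied text inert."""
    rows = "".join(f"<tr><td>{escape(e['time'])}</td><td>{escape(e['user'])}</td>"
                   f"<td>{escape(e['description'])}</td></tr>" for e in events)
    return f"<html><body><table>{rows}</table></body></html>"


def build_alert_email(alert: Dict[str, Any], recipient: str, subject: str,
                      message: str, include: str = "attachment") -> EmailMessage:
    """include: 'none' (Do Not Include Events), 'body' (Include Events In Body)
    or 'attachment' (Include Events as Attachment, delivered as an HTML file)."""
    msg = EmailMessage()
    msg["To"] = recipient
    msg["Subject"] = subject
    body = (f"Time: {alert['time']}\nAlert: {alert['name']}\n"
            f"Description: {alert['description']}\n\n{message}\n")
    events = alert["events"]
    if include == "body":
        body += "\n" + "\n".join(f"{e['time']} {e['user']} {e['description']}" for e in events)
    msg.set_content(body)
    if include == "attachment":
        msg.add_attachment(events_as_html(events), subtype="html", filename="alert-events.html")
    return msg


def attachment_names(msg: EmailMessage) -> List[str]:
    return [part.get_filename() for part in msg.iter_attachments()]


if __name__ == "__main__":
    limit = HourlyLimit(max_per_hour=20)
    if within_window("10:05", "08:00", "18:00") and limit.allow(SAMPLE_ALERT["time"]):
        mail = build_alert_email(SAMPLE_ALERT, "soc@example.com", "SecCenter alert", "Please investigate.")
        print(mail.as_string())   # hand the message to smtplib.SMTP(...).send_message(mail) in practice
```

The HTML table is built with html.escape because event descriptions and user names come from the monitored hosts; without escaping, a crafted log line would be rendered as markup in the recipient's mail client.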

SNMP Trap

SNMP (Simple Network Management Protocol) allows you to instantiate a trap-directed alert notification called the SNMP Trap. Trap-directed notification can help you save network and agent resources by eliminating the need for SNMP requests.

To configure SecCenter A1000 to send traps to the SNMP server, follow the steps described below:

1.    Select the SNMP Trap check box.

2.    Enter the appropriate details of the SNMP server IP/Name, SNMP Port, and Community Name.

The idea behind trap-directed notification is as follows: if a large number of devices are configured to send alerts, and each device has a large number of objects, it is impractical to poll or request information from every object on every device. The solution is for each agent on the managed device to notify the Alert Manager without solicitation. It does this by sending a message known as a trap. After receiving the event, the Alert Manager may choose to take an action based on the threshold set for the event.

Rule Template

A Policy is based on Rules. You can create and save Rules as templates in one common repository. Every time you want to apply a Rule to the Policy you can select from the pre-designed Rule templates. The Rule Templates can be applied in combinations, across all the policies.

Creating Rule Templates

1.    On the main Policies window, click Rule Templates button.

2.    The Rule Template window opens.

3.    From here you can either select one of the preformatted templates or create a new Device(s)/Host(s)/Mirapoint Device(s) based template.

4.    Click on the New Template button and the Create Rule window opens where you can create templates based on:

v    Device(s)

v    Host(s)

v    Mirapoint Device(s)

Editing a Template

1.    Select the Rule template that you want to edit from the Rule template list from the Rule Templates window.

2.    Click on the Edit Template button.

3.    Depending on the Rule criteria, the corresponding window opens. For example, if you have selected a Device based rule to edit, the corresponding device rule window opens.

4.    The Rule name is non-editable.

5.    You can edit the description of the Rule.

6.    Make the necessary changes: you can edit the settings on all the filters available in the list and also add new filters.

7.    Click the Next button to proceed with the editing process, or click the Cancel button to abort the task.

8.    On the next screen, if needed, you can change the operator settings on the filters.

9.    Click Save to save the edited Rule Template.

10. Click Previous to revert to the earlier screen to alter or recheck the filter settings.

11. Click Cancel to abort the task.

Deleting a Rule Template

1.    Select the Rule template to delete from the list on the Rule Template window.

2.    Click the Delete Rule button.

3.    The dialog box prompts you for a confirmation. Click Yes to delete, Cancel to abort the task.

4.    The Rule Template will be permanently deleted from the repository. 

Set Threat Levels

A potential adverse event that is malicious by nature or is incidental and that can put the network and system assets at stake can be classified as a threat to the network security of an enterprise.

Event Logs from vendor specific devices come with pre-assigned severity levels depending upon the potential or incidental degree of associated threat. Each severity level is depicted in a different color, which is again vendor specific.

There are eight Threat levels, each identified by a different color. From lowest to highest, the levels and colors are:

v    Debug = Violet

v    Info = Cyan

v    Notice = Green

v    Warning = Orange

v    Error = Yellow

v    Critical = Blue

v    Alert = Pink

v    Emergency = Red


Now, SecCenter A1000 gives the flexibility to the Admin User to change the threat level associated with a class of events and set it according to his perception of the threat. For example, if the severity level of an Event Class is ‘Emergency’ and is depicted in red in the vendor logs, but the administrator does not consider them as high level threat events, he can use the Set Threat Level option and change the threat from ‘Emergency’ to say ‘Warning’. Henceforth, the severity of events which belong to this Event Class will be marked as Warning and will be depicted in orange. The altered threat level is updated in Event Viewer for real-time monitoring and is also reflected in all graph types and reports.

Change threat levels

1.    Select the Event Class on which you want to change the threat level.

2.    Click on the Select Threat Level icon and select the threat level that you want to apply to the event class.

3.    Click Save.

Profiles

A profile is a set of instructions stating how the data is to be accessed, the method used to analyze it, how IP addresses are to be resolved, and how reports are customized. Profiles also let you choose filters that narrow your data down to the information you need most, which saves time and resources. Profiles are created using the New Profile wizard.

The Profile Manager main window contains the New Profile, Edit Profile, Copy Profile, and Delete Profile buttons.

The Profile Manager Screen

Creating a New Profile

A profile is a group of settings configured to complete a specific task. Once configured, you can use it repeatedly to generate reports whenever necessary. You can also edit or delete a profile as necessary. The first step towards creating a new profile is to assign it a unique name.

To create a profile, follow these steps:

1.    On the main Profile Manager window, click New Profile. The New Profile wizard opens.

2.    Enter a name in the Profile Name text box.

3.    Select the input source for the profile from the following:

v    SCA Database, if the SecCenter A1000 syslog server or a DB agent has been configured to collect log file data and store it in the built-in database; or

v    File, to migrate log file data to the database and generate a report.

4.    Specify the Date Range to configure the Profile to consider data of specified dates only.

5.    Select the devices/hosts you want to report on and click Next.

6.    The DNS Lookup screen opens. Select a resolution option and click Next.

7.    Add the filter template you want to apply, schedule the tasks and click Next. The Report type window opens.

8.    Specify the Report Type and Report Style format: the report format, the template from the drop-down list, the table format (for MS-Word reports only), the organization name and the logo file to use. Click Next. The Customize Reports window opens.

9.    To use a pre-defined report, select a customized report from the list. To create a custom report, click New Report and furnish the required details and click Next. The Save Report window opens.

10.  You can apply the Grammar settings to save the report with a customized naming convention. To e-mail your report, select the Mail To check box and specify the recipient addresses in the text box. To upload your report to a remote site, select the FTP check box, specify host name, user name, and password and click Finish.

Note:

v    SecCenter A1000 supports McAfee Intrushield logs collected by the syslog Server and not from the Log File as source option.

v    Creating File based profiles on a Central Server is possible only when it has at least one syslog server configured/reporting to it.

v    A Power user cannot create profiles based on File option.

v    Once a profile is created, the Profile Name and the log source (SecCenter A1000 Database/File) cannot be edited.

v    SecCenter A1000 receives log data once every 30 minutes (from the SecCenter A1000 syslog server) and the database is updated once every hour. So a user cannot generate any report within the first hour.

v    To generate a report immediately, use the File option instead of the SecCenter A1000 syslog server as the source.

SCA Syslog as Source Input

Select this option if SecCenter A1000 syslog server is collecting the log data from the Devices/Hosts.

File as Source Input

Select this option if you want to move log data to SecCenter A1000 database and generate a report. Use this if SecCenter A1000 server is not configured to collect the log data.

Generic File Names

SecCenter A1000 provides a generic method for specifying input and output file names in the profile. You can enter generic file names directly in the name text box or you can use the Grammar Syntax feature to specify input and output file names. This feature is useful for scheduling repetitive tasks in which the log file name is built from a timestamp.

File Specification Grammar Macros

Macro (Code)    Description                 Format
%b%             Abbreviated month name      (Jan-Dec)
%B%             Full month name             (January-December)
%m%             Month                       (01 – 12)
%d%             Day of month                (01 – 31)
%H%             Hour in 24-hour format      (00 – 23)
%y%             Year without century        (00..99)
%Y%             Year with century           (2000-2099)

SecCenter A1000 allows wild cards in the file name specification and understands standard DOS directory wild cards (i.e., *). You can specify a relative day, week, month or year by decreasing or increasing the corresponding value. The same syntax is used to specify file names for output reports.

Grammar Syntax Examples

Generic Naming – Grammar Syntax Examples

File Name Specification    Sample File Name+      Represents
SCA%m%%d%%y%.log           SCA062005.log          June 20, 2005
SCA%m%%d%%Y%.log           SCA06202005.log        June 20, 2005
SCA%Y%%d%%B%.log           SCA200520June.log      June 20, 2005
SCA*%m%%y%.log++           SCA*0605.log           June 20, 2005

+ Assuming the current date is June 20th, 2005.

++ In this example, all files in the specified directory that were created in June 2005 will be processed by the scheduler, because of the wild card * in the file name. Note that SecCenter A1000 does not limit itself to files whose names differ only in the day of the month: the wild card is a system wild card, and as in the DOS directory command it picks up every file with any string in place of the asterisk.

To specify file names using the Grammar syntax, follow the steps below:

1.    Click New Profile and select File to migrate log file data to the SecCenter A1000 database and generate a report. Click Next.

2.    Click Grammar to display the Grammar screen.

3.    Click Browse and go to the location where the generic log files are stored.

4.    Select the timestamp format for the generically named files. Based on the naming convention of your log files, select the appropriate date format from the Date Format drop-down list. You can add an alphabetical prefix to the format and select from different file extensions in the suffix box.

5.    In the Add/Subtract text boxes (Year, Month, and Day/Weeks) specify the time-stamped log file that you want to use as the input, relative to the current system date. For example, to attach to yesterday’s log file, enter –1 in the Day text box.

Selecting Groups Devices and Hosts

This screen lists all the devices/hosts that are licensed and you can select the ones that you want to report on. A device/host can be added and configured from the Devices and Hosts tabs. If your devices are configured to write log data into a single log file, you can select only those licensed devices that you want to report on.

The Devices/Hosts Selection Screen

    This icon represents a configured licensed host.

   This icon represents a configured licensed device.

Follow the steps described below to select the devices/hosts you want to report on from amongst the licensed network devices:

1.    To report on all network devices logging data into the log file, select All; otherwise select a group or a device/host from the list.

2.    Click Next.

DNS Lookup

SecCenter A1000 can resolve the IP address found in the collected log data into meaningful host names using Domain Name System (DNS) resolution. Each IP address can be resolved (if defined in the DNS of the owner of the IP number) into a domain name, which is easier to remember and makes the SecCenter A1000 reports more readable. Should the domain name not be defined for a specific IP address, the resolution will fail and only return the IP number to SecCenter A1000, which is displayed in the report.

It is a good idea to increase the size of the DNS cache built into SecCenter A1000 as the number of unique IP numbers grows. Select the size of the cache file from the drop-down list in the New/Edit Profile -> DNS Lookup tab if you want SecCenter A1000 to reuse previously resolved IP addresses stored in the cache. An important consideration is that if a cache is very large and never reaches the point of being filled, very old lookup information may be used in the reports.

The working order for DNS lookup in SecCenter A1000:

v    Is the IP number defined as an intranet address?

v    If not, check the DNS cache to see whether it was resolved earlier and is still stored.

v    If not found in the DNS cache, the lookup then calls the DNS for resolution.

Only the IP numbers that will be visible in report tables are looked up: should a report table contain 100 IP numbers, those 100 are the ones that are resolved.
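The resolver below is an added example, not code from the SecCenter A1000 guide or product. It implements the lookup order just described (intranet table, then the DNS cache, then a live DNS query) for only the IP numbers that appear in one report table, and it expires cached entries after a maximum age so that a large, never-full cache does not keep serving very old names, which is the caveat raised above. The `dns_lookup` callable, the `clock`, the cache size and the `max_age` tunable are assumptions made so the code runs offline.

```python
# Added example, not code from the SecCenter A1000 guide or product.
# Implements the lookup order described above (intranet table -> DNS cache
# -> live DNS) for only the IPs that will be visible in a report table.
# The dns_lookup callable and the clock are injected so the example runs
# offline; the cache size and maximum age are assumed tunables.
import time
from collections import OrderedDict
from typing import Callable, Dict, Iterable, List, Optional, Tuple


class ReportResolver:
    """Resolve IP numbers for report tables in the order intranet -> cache -> DNS."""

    def __init__(self, intranet: Dict[str, str], cache_size: int,
                 dns_lookup: Callable[[str], Optional[str]],
                 max_age: float = 24 * 3600,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.intranet = intranet          # locally defined names, never sent to DNS
        self.cache_size = cache_size      # the "size of cache file" setting
        self.cache: "OrderedDict[str, Tuple[str, float]]" = OrderedDict()
        self.dns_lookup = dns_lookup      # returns a host name or None on failure
        self.max_age = max_age            # seconds after which a cached name is stale
        self.clock = clock
        self.dns_queries = 0              # live lookups performed (for inspection)

    def resolve(self, ip: str) -> str:
        # 1. Is the IP number defined as an intranet address?
        if ip in self.intranet:
            return self.intranet[ip]
        # 2. Was it resolved earlier and is it still stored in the cache?
        hit = self.cache.get(ip)
        if hit is not None:
            name, resolved_at = hit
            if self.clock() - resolved_at <= self.max_age:
                self.cache.move_to_end(ip)
                return name
            # Stale entry: a large cache that never fills would otherwise keep
            # serving very old lookup data, the caveat the guide raises.
            del self.cache[ip]
        # 3. Not cached: ask DNS. On failure the bare IP goes into the report.
        self.dns_queries += 1
        name = self.dns_lookup(ip)
        if name is None:
            return ip
        self.cache[ip] = (name, self.clock())
        if len(self.cache) > self.cache_size:
            self.cache.popitem(last=False)   # evict the least recently used entry
        return name

    def resolve_table(self, rows: Iterable[Dict[str, str]], column: str) -> List[Dict[str, str]]:
        """Resolve only the IPs that appear in one report table, once per unique IP."""
        rows = list(rows)
        names = {ip: self.resolve(ip) for ip in {r[column] for r in rows}}
        return [{**r, column: names[r[column]]} for r in rows]
```

Failed lookups are deliberately not cached, so an IP whose reverse record appears later is picked up on the next report; if a site prefers to avoid repeated queries for such addresses, a short negative-cache entry is the usual addition.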

The DNS Lookup Screen

Components on the DNS Lookup Screen

v    Do not resolve IP addresses: Select this button if you do not want to resolve numeric IP addresses into host names. This will speed up the processing of log files. By default, this option is selected.

v    Resolve the unresolved IP addresses into fully qualified host names: Select this button if you want to resolve numeric IP addresses into domain names.

v    Perform resolution of IP addresses: Select this button if you want to perform resolution in both directions, from domain names to IP addresses and from IP addresses to domain names, using the cache.

v    Click Next.

Filter Templates

Profiles look at the results based on the filters you have defined, and ignore everything else. If you want to filter specific information, add a filter template according to your requirement. You cannot use more than one filter template for a profile. You can create, manage and use filter “templates” that can be used across your profiles.

To define a new filter template, click the Add button. This takes you to the Filter Template screen, where new filter templates can be created.

The Filter Templates Screen

You can choose to apply only one filter template on a profile.

From the list of available filter templates, select the filter template you want to apply on the created profile.

Make sure that the selected filter template contains all the filter definitions you want to apply on the profile.

Click Next.

Creating a New Filter Template

SecCenter A1000 provides complex, multi-level filters to sift what data to analyze and present in reports. These filters let you focus on only the data you need and ignore the rest. For instance, if you want to generate a report on how many visits a particular group of IPs made to your website between two given dates, you can create a filter that limits your report to the IPs for the dates of interest.

This section provides you the information on how to create and set up filter templates for Profiles.

1.    Type a descriptive name in the Template Name text box. Make sure this name is easy to remember and descriptive of the data you are trying to filter.

2.    Select the Filter from the available list of filters.

3.    Select the Include Filter button if you want to include the data pertaining to this filter.

4.    Select the Exclude Filter button if you want to exclude the data pertaining to this filter.

5.    Furnish the required details for the filter settings and click Add.

6.    Click Save Filter. The filter created is listed below along with its respective value. Click Delete Filter to clear the filter setting.

7.    Set all the filters that you want to assign to the Template.

8.    Click Save to save the Filter Template, else Click Cancel to abort the task.

Filter Elements

The following section provides detailed information on each of the filter elements that can be used to create a filter, and describes how to configure them.

SecCenter A1000 provides you with the following filter elements:

v      Action

v      Authentication

v      Event/AttackID

v      Events

v      Facilities

v      IP/Host Name

v      Protocol

v      Severities

v      Sender E-mail

v      Recipient E-mail

v      Score

Each of the elements is discussed in the following sections.

Action

This filter lets you include/exclude information based on the action details logged by the devices. SecCenter A1000 will generate reports including/excluding information for the selected actions, which are:

v        Keep

v        Redirect

v        Quarantine

v        Discard

1.    Select the actions to be included in the filter template and move them to the selected entities list by clicking the icon.

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.

4.    Press the Save button to save the filter template.

The Protocol Filter

This filter element assists you to include or exclude information based on the protocols selected. If it is used as an Include filter, SecCenter A1000 will include data based on the protocols selected and exclude information pertaining to all other protocols. For instance, if you want to include all device activity based on the HTTP protocol in a report, SecCenter A1000 will include all information based on this protocol and exclude all other information. If used as an Exclude filter, data based on the selected protocols will be excluded and all the other protocols will be included. Follow the steps given below to configure the Protocol filter:

1.    Enter a name for the filter template in the Filter Name box.

The Protocol Filter Screen

2.    From the Filters list, select Protocol. The Protocol screen opens in the right pane.

3.    Select the protocols you want to filter from the Available Protocols box.

4.    Click the icon to move the selected protocols into the Selected Protocols box. Use Ctrl+Click to select multiple protocols.

5.    Click Save Filter to save the filter else click Delete Filter.

The IP/Host Name Filter

This filter assists you to include or exclude information based on the IP addresses you specify. For instance, if you want to exclude information pertaining to a group of IP addresses, create an Exclude filter and specify the IP addresses in sequence as shown in the figure to exclude them from the report. If used as an Include filter, this element will include data pertaining to the specified IP(s).

The IP/Host Name Filter Screen

Follow the steps given below to add the IP/Host Name filter:

1.    IP/Host Name: Select this option if you want to add a single IP address or use wild cards, e.g., 192.168.100.* to add all devices whose address starts with the given input.

2.    Click Add to add the IP addresses. To delete an IP Address, select and click Delete.

3.    Click Save Filter to save the filter else click Delete Filter.

The Events Filter

This filter assists you to include or exclude information based on the event types you select. For instance, if you want to include information pertaining to only the Warning, Critical, and Security events, create an Include filter and select the events as shown in the figure to include them in the report. If used as an Exclude filter, this element will exclude data pertaining to the selected event types.

The Events Filter Screen

Follow the steps given below to add the Events filter:

1.    Enter a name for the filter template in the Template Name text box.

2.    Select the Events filter.

3.    Select the events you want to filter from the Available Events box.

4.    Click  to move the selected event types into the Selected Events box. Use Ctrl+Click to select multiple events.

5.    Click Save Filter to save the filter else click Delete Filter.

The Authentication Filter

This filter assists you to include or exclude information based on the authenticated users you specify. This filter is useful if you have a secure website. If used as an Exclude filter, this element will exclude data pertaining to the specified authenticated users.

Authentication Filter Screen

Follow the steps given below to add an authentication filter:

1.    Type in a name for the filter template in the Template Name box.

2.    Select the Authentication filter from the list.

3.    Enter an authenticated username in the Authentication box. Click Add.

4.    This user is added to the list of authenticated users.

5.    Click Save Filter to save the filter else click Delete Filter.

Facilities

This filter allows you to specify the facilities (event types) on which SecCenter A1000 will process log file data and generate reports. Select the event types for which you want logging included/excluded in your reports. Each type of event carries a unique code number in the logs and is analyzed according to the severity of the event.

1.    Select the Facilities filter and click Next.

2.    Select the facilities from the Available Entities list and move them to the Selected Entities list.

3.    Click Save Filter to save the filter else click Delete Filter.

Severities

This filter allows you to specify event severities based on which SecCenter A1000 will process log file data and generate reports. Select the severities for which you want logging included/excluded in your reports.

1.    Select the Severities filter.

2.    Select the event types from the Available Entities list and move them to the Selected Entities list.

3.    Click Save Filter to save the filter else click Delete Filter.

Event ID/Attack ID

This filter allows you to specify event or attack ID(s) based on which SecCenter A1000 will process log file data and generate reports. Select the event IDs for which you want logging included/excluded in your reports.

1.    Select the Event ID/Attack ID filter.

2.    To add a new ID, specify the event/attack ID in the Event ID/Attack ID box and click Add.

3.    Click Save Filter to save the filter else click Delete Filter.

Sender E-mail

The Sender E-mail filter allows you to specify the e-mail address of the sender on which SecCenter A1000 filters the log file data and generates reports. Use the include/exclude check box to apply or negate the Sender E-mail filter. To specify the Sender E-mail filter settings, follow the steps given below:

1.    Enter the e-mail address of the sender that you want to filter, in the Sender E-mail box.

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.

Recipient E-mail

The Recipient E-mail filter allows you to specify the e-mail address of the recipient on which SecCenter A1000 filters the log file data and generates reports. Use the include/exclude check box to apply or negate the Recipient E-mail filter. To specify the Recipient E-mail filter settings, follow the steps given below:

1.    Enter the e-mail address of the recipient to filter, in the Recipient E-Mail text box.

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.

Score

The Score filter allows you to specify the score of encountered junk mail based on which SecCenter A1000 will process log file data and generate reports. Use the include/exclude check box to consider or negate the score filter. To specify the Score filter settings, follow the steps given below:

1.    Enter the junk mail score to filter on in the Score text box.

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.
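The evaluator below is an added example and not the product's code; it shows how the Include/Exclude semantics described for the filter elements above (Protocol, IP/Host Name with DOS-style wild cards, Events, Severities, Event ID/Attack ID, Sender and Recipient E-mail, Score) combine in one filter template when run over constructed log records. The record field names, the rule that every element in a template must allow a record, and the treatment of Score as a minimum threshold are assumptions for this illustration.

```python
# Added example, not the product's code: an include/exclude evaluator for the
# filter elements described above, run over constructed log records. Field
# names (protocol, src_ip, severity, event_id, sender, recipient, score) and
# the combination rules below are assumptions for this illustration.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Any, Dict, Iterable, List

Record = Dict[str, Any]

# IP/Host Name filters accept DOS-style wild cards such as 192.168.100.*
WILDCARD_FIELDS = {"src_ip", "dst_ip", "host"}


@dataclass
class FilterElement:
    field_name: str        # which record field the element inspects
    values: List[Any]      # the selected entities / typed-in values
    include: bool = True   # True = Include Filter, False = Exclude Filter

    def matches(self, record: Record) -> bool:
        value = record.get(self.field_name)
        if value is None:
            return False                      # records without the field never match
        if self.field_name in WILDCARD_FIELDS:
            return any(fnmatchcase(str(value), str(pattern)) for pattern in self.values)
        if self.field_name == "score":
            return value >= self.values[0]    # assumption: a junk-mail score threshold
        return value in self.values

    def allows(self, record: Record) -> bool:
        # Include: keep matching data, drop everything else.
        # Exclude: drop matching data, keep everything else.
        matched = self.matches(record)
        return matched if self.include else not matched


@dataclass
class FilterTemplate:
    name: str
    elements: List[FilterElement] = field(default_factory=list)

    def allows(self, record: Record) -> bool:
        # Assumption: every element in the template must allow the record.
        return all(element.allows(record) for element in self.elements)

    def apply(self, records: Iterable[Record]) -> List[Record]:
        return [r for r in records if self.allows(r)]


# Constructed sample log records (not real data).
SAMPLE_LOG: List[Record] = [
    {"id": 1, "protocol": "HTTP", "src_ip": "192.168.100.7", "severity": "Warning",
     "event_id": 3001, "sender": "alice@example.com", "score": 12},
    {"id": 2, "protocol": "SMTP", "src_ip": "192.168.100.9", "severity": "Critical",
     "event_id": 4410, "sender": "bulk@example.net", "score": 85},
    {"id": 3, "protocol": "HTTP", "src_ip": "10.1.2.3", "severity": "Critical",
     "event_id": 3001, "sender": "bob@example.com", "score": 5},
    {"id": 4, "protocol": "FTP", "src_ip": "192.168.100.7", "severity": "Notice",
     "event_id": 7000, "sender": "carol@example.com", "score": 0},
]


def matching_ids(template: FilterTemplate, records: Iterable[Record] = SAMPLE_LOG) -> List[int]:
    """Return the ids of the records a template lets through, for inspection."""
    return [r["id"] for r in template.apply(records)]


def demo_template() -> FilterTemplate:
    """HTTP traffic from the 192.168.100.* range, with Critical events excluded."""
    return FilterTemplate("branch-http-noncritical", [
        FilterElement("protocol", ["HTTP"], include=True),
        FilterElement("src_ip", ["192.168.100.*"], include=True),
        FilterElement("severity", ["Critical"], include=False),
    ])
```

Note the asymmetry for records that lack the filtered field (for example a firewall event with no sender address): an Include element drops them, while an Exclude element keeps them. Whichever rule a report needs, it should be decided deliberately rather than left to chance, since it determines whether unrelated event types silently disappear from or flood a mail-oriented report.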

Scheduler

The Scheduler provides a visual interface for scheduling reporting. You can schedule profiles to run automatically on specific dates and at specific times, which is particularly advantageous when you run reports at regular intervals.

Scheduling a Profile

In the new profile wizard, the Scheduler screen opens. The list box contains all the scheduled tasks. Click the Add button to schedule a new task or select an existing task to edit.

Add Task

To schedule a task for a profile to generate reports at regular intervals, create a task using the Add Task wizard.

1.    Click Add. The Add Task wizard opens.

2.    Enter a name in the Task Name box.

3.    Select the frequency of the task, i.e., how frequently you want the task to be executed.

4.    Click Next.

The Add Task Screen

Only those profiles created by selecting the SecCenter A1000 syslog Server or File with grammar as the input source can be scheduled.

Scheduling Task by Hour

To schedule the task on an hourly basis select the Hour button and specify the interval.

Schedule by Hour Screen

1.    The Start Time indicates the time when you want the scheduled task to start. The current time is displayed in hh:mm:ss format by default. To change it, specify a different time value, for example 13:49:37.

2.    The Start Date indicates the day when you want the scheduled task to start. Use the Calendar button to select the start date or enter a date in the mm/dd/yyyy format.

3.    The After Every indicates the interval at which you want the scheduled task to start. The intervals are 1, 3, 6, and 12 hours.

4.    Click Finish.

Scheduling Task by Day

To schedule the task on a daily basis, select the Daily button and specify the time. You can also choose to schedule your tasks either every day or on weekdays only.

Schedule by Day Screen

Follow the steps described below to schedule a task by day:

1.    Select the Everyday button to schedule the daily task and click Next.

2.    Enter the start time to indicate the time when you want the scheduled task to start. For example, 18:24:30.

3.    The Start Date indicates the day you want the scheduled task to start. Use the calendar to select the start date, or type in a date.

4.    Click Finish to save your settings.

Scheduling Task by Week

Select the Weekly button and click Next to bring up a dialog box where you can select the days of the week and the start time. This will result in the scheduled job being performed on the selected days of the week. The start time is specified in the Start Time edit box. The scheduled reports will not be generated before this time. Enter the time at which you want the scheduler to begin scheduling your tasks.

Add Weekly Task Screen

Follow the steps described below to schedule a weekly task:

1.    Select the Weekly button to schedule a weekly task and click Next.

2.    Enter the start time to indicate the time when you want the scheduled task to start. For example, 18:24:30.

3.    The Start Date indicates the day you want the scheduled task to start. Use the calendar to select the start date.

4.    Select the days of the week on which you want to run the tasks.

5.    Click Finish to save your settings.

Scheduling Task by Month

Select the Monthly button and click Next to bring up a dialog box where you can select the month, start date, and the day of each month when you want to generate the report. You can also generate the report of a specific day of the week of each month.

Add Monthly Task

Follow the steps described below to schedule a monthly task:

1.    Enter the Start Time to indicate the time when you want the task to start.

2.    Enter the Start Date to indicate the date on which you want the task to start.

3.    Click the Day button to choose the day of the selected months on which you want the task to run or the Every button to choose the day of the week of the selected months on which you want the task to run.

4.    Select the months of the year when you want the task to run and click Finish.

Scheduling One-Time Tasks

Select One Time Only button and click Next to bring up a dialog box where you can select the start time and start date when you want to generate the report.

Add One-time Task Screen

Follow the steps described below to create a one-time task:

1.    The Start Time indicates the time when you want the scheduled task to run.

2.    The Start Date indicates the day you want the scheduled task to start. Use the calendar push button to specify the start date or enter a date.

3.    Click Finish to save your settings.
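To make the schedule types above concrete, here is an added example (not the product's scheduler) that computes the next run time for each of them: hourly with one of the 1, 3, 6 or 12 hour intervals, daily or on weekdays only, weekly on chosen days, monthly on a given day of chosen months, and one time only. The function names, the rule that the next run is strictly after the moment being asked about, and the sample dates in `demo()` (built around the guide's 13:49:37 and 18:24:30 examples) are assumptions for this illustration.

```python
# Added example, not the product's scheduler: computes the next run time for
# each schedule type described above. Function names and the "strictly after
# `now`" convention are assumptions for this illustration.
import calendar
from datetime import datetime, timedelta
from typing import Optional, Sequence

HOUR_INTERVALS = (1, 3, 6, 12)   # the After Every choices on the Hour screen


def _first_candidate(start: datetime, now: datetime) -> datetime:
    """Earliest moment at the task's start time that is after `now` and not before `start`."""
    if now < start:
        return start
    candidate = datetime.combine(now.date(), start.time())
    return candidate if candidate > now else candidate + timedelta(days=1)


def next_hourly(start: datetime, every: int, now: datetime) -> datetime:
    if every not in HOUR_INTERVALS:
        raise ValueError("interval must be one of %r hours" % (HOUR_INTERVALS,))
    if now < start:
        return start
    period = timedelta(hours=every)
    periods_elapsed = (now - start) // period
    return start + (periods_elapsed + 1) * period


def next_daily(start: datetime, now: datetime, weekdays_only: bool = False) -> datetime:
    candidate = _first_candidate(start, now)
    while weekdays_only and candidate.weekday() >= 5:   # 5 = Saturday, 6 = Sunday
        candidate += timedelta(days=1)
    return candidate


def next_weekly(start: datetime, now: datetime, days: Sequence[int]) -> datetime:
    """`days` uses Python's numbering: 0 = Monday ... 6 = Sunday."""
    if not days:
        raise ValueError("select at least one day of the week")
    candidate = _first_candidate(start, now)
    while candidate.weekday() not in days:
        candidate += timedelta(days=1)
    return candidate


def next_monthly(start: datetime, now: datetime, day_of_month: int,
                 months: Sequence[int]) -> datetime:
    """Run on `day_of_month` of each selected month (1 = January ... 12 = December)."""
    if not months:
        raise ValueError("select at least one month")
    origin = max(start, now)
    year, month = origin.year, origin.month
    for _ in range(24):                       # search at most two years ahead
        if month in months and day_of_month <= calendar.monthrange(year, month)[1]:
            run = datetime.combine(datetime(year, month, day_of_month).date(), start.time())
            if run > now and run >= start:
                return run
        month += 1
        if month > 12:
            month, year = 1, year + 1
    raise ValueError("no valid run date within two years (e.g. day 31 in short months)")


def next_one_time(start: datetime, now: datetime) -> Optional[datetime]:
    """A one-time task runs once at its start time; None once that moment has passed."""
    return start if start > now else None


def demo() -> dict:
    """Next runs after Monday 2005-06-20 14:00:00 for a handful of constructed tasks."""
    now = datetime(2005, 6, 20, 14, 0, 0)
    hourly = datetime(2005, 6, 20, 13, 49, 37)      # the guide's Start Time example
    daily = datetime(2005, 6, 17, 18, 24, 30)       # started the previous Friday
    friday = datetime(2005, 6, 24, 18, 24, 30)
    return {
        "hourly_6h": next_hourly(hourly, 6, now).isoformat(),
        "daily": next_daily(daily, now).isoformat(),
        "weekdays_only": next_daily(friday, datetime(2005, 6, 24, 19, 0), True).isoformat(),
        "weekly_mon_wed": next_weekly(hourly, now, [0, 2]).isoformat(),
        "quarterly_first": next_monthly(hourly, now, 1, [1, 4, 7, 10]).isoformat(),
        "one_time_future": next_one_time(datetime(2005, 6, 21, 9, 0), now).isoformat(),
        "one_time_past": next_one_time(hourly, now),
    }
```

The monthly case shows why a scheduler should validate the day of month against the selected months: a task set for the 31st of April or February never fires, and the function above reports that as an error instead of silently skipping.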

Report Type

SecCenter A1000 can generate a report for a single device or for all selected devices. The report types are:

v    A single combined report for all selected devices.

v    Individual reports for each selected device

v    Group based report

v    Interface-based report

The Report Type Screen

Single combined report: You can generate a single combined report for all the devices that you have selected in the profile by selecting this Report Type.

Individual reports for each device: You can generate an individual report for each device that you selected in the profile. Using this option, you can obtain the list of events, monitor the occurrence of events on each device individually, and scrutinize the performance of each device.

The individual reports are:

v    Generated/stored in separate folders under the Profile. The folder name will be the device IP or host name.

v    The report name will have the suffix ‘_IP or host name’ of the device.

Group based report: Using this option, you can generate a report for the entire group just by creating a profile with the group selected.

Interface based report: Using this option, you can enable reporting only on interfaces and devices and not virtual devices.

If you select your report to be a combination of options other than single combined report, only one report is displayed in the report view and all the reports for other devices are stored in a user-specified location.

Query By

Use the Query By option to generate reports classified By Device/Host, By Group, By Day or By Event Class.

Device/Host: Select this option to generate a report with an additional column displaying the details of the selected Devices/Hosts.

Group: Select this option to generate a report to query on the Group to which the selected device/host belongs. For example, if you select two different devices present in more than one group then the report is generated with an additional column—Group. This appended column gives the Group details of the selected devices. This query is particularly useful when the administrator assigns privileges for the Non-admin users to access only a few Devices/Hosts configured on the application.

Day: Select this option to generate a report to query on the Day. This report appends a Day column that gives the details of the day when that particular data occurred.

Event Class: Select this option to generate a report that queries on the Event Class. The drop-down box lists the event classes created in the Policies module. Select the event class on which you want to query and generate a report.

Note: You can query by the above options in the reports from the security center also.

Report Style

You can customize the look and feel of reports as per your choice by selecting from 11 different templates and 10 table formats. You can also choose from HTML, MHTML, MS Word, MS Excel, PDF, and Text reports formats and choose from eight different languages.

v    Format — Includes HTML, MHTML, Microsoft Word, Microsoft Excel, PDF, and generic text file formats into which the content of the report will be generated.

Internet browser settings for opening different formats of Reports after you generate them:

PDF reports: Go to Internet Options -> Advanced Settings -> Security and leave the check box Do not save encrypted pages to disk clear for the PDF reports to open upon generating them.

MS-Word and Excel reports: Go to Internet Options -> Security -> Security Settings. Click on the Custom Level Button and Enable the "Automatic prompting for File Downloads" under Downloads.

Note: MS-Office must be installed before you try to generate reports in WORD or EXCEL formats. Use Adobe Acrobat Reader 6.0 and above to view the report in PDF format.

v    Template — You can determine the basic structure of the report. The drop-down box allows you to select from a number of pre-configured report styles that have different fonts and colors. They are Cool, Vintage, Cascade, Serene Arcade, Sand Ribbon, Wise Monk, Capri Blue, Glass Block, Trendy, Standard, and Orange Spice.

v    Table Format — Select the format of the tables to be used to display tabular data in Microsoft Word reports. The table formats are Simple, Colorful, Columns, Grid, Classic Grid, List, Classic List, Contemporary, Elegant, and Professional.

v    Organization — This field allows you to select the company name as it will appear in the reports. Typically, this field is used to present the name of the company creating the report.

v    Logo File — The user can specify the logo that will be displayed in reports. The default logo is picked from the folder [Installation Directory]\xhtmlfiles\logo.gif. To display your company logo, replace this image with your logo in this folder, or specify the absolute path to your logo file if it is in a different location. For example, if your logo file is mylogo.gif and is in a folder named "images" on drive D:, the absolute path to the file would be D:\images\mylogo.gif.

Important: To open MHTML report in a Firefox/Mozilla browser, download and install the IE Tab add-on/extension from the following location: https://addons.mozilla.org/firefox/1419/

Specifying Report Styles

To specify the format of reports, follow these steps:

1.    In the reports style dialog, click on the Create template button. The new template window opens.

2.    Enter the template name. Click  to select the background, query font, and node font colors.

3.    Click Save.

Customizing Reports

SecCenter A1000 offers the flexibility to customize the reports by offering a comprehensive list of in-built reports. You can generate customized reports on Devices, Hosts, Mirapoint Devices and Databases by selecting the respective report title. The list also includes customized Compliance and Quarantine report titles. To include quarantine data in the reports, select Include Quarantine Reports box. The quarantine data is shown in the reports only if it is available in the log files.

The Report Customization Screen

A custom report can be created by including only selected queries that meet your specific requirements. This helps you focus on only the data you need most.

Customize Table and Graph Settings

When SecCenter A1000 generates Profile based Reports, by default the report output might either not show the entire data or show excessive data. Therefore, it is a good idea to customize the number of records in the Table and Graph settings to obtain the reports with the desired information.

Table Details:

Enter the number of records that should appear in the profile based tabular report. You can opt to display any number of records from 10 to 5000.

Enter the number of sub-records that should appear in the profile based tabular report. You can opt to display any number of sub-records from 1 to 500.

Graph Details:

Enter the number of records that should appear in the profile based graphical report. You can display up to 24 records.

Enter the number of sub-records that should appear in the profile based graphical report. You can display up to 10 sub-records.

New Report

A custom new report can be created by including only selected queries that meet your specific requirements. This helps you focus on only the required data. To create a new report, follow the steps below:

1.    Enter the name by which you want the report known in the Report Name text box.

2.    Select the queries you want to include in the report from the available report query list.

3.    Click Save to save the custom report. This report is saved and is displayed in the Report List. To generate this report, just select it from the report list.

Editing a Report

To edit the settings for a report, follow the steps given below:

1.    Select a report and click Edit. The Edit Report screen opens.

2.    After making the changes, click Save.

Any changes made will be reflected in the report, the next time it is generated.

Default reports like Complete Report, Bandwidth Report, Protocol Report, Event Report, Intranet Report, and Device Report cannot be edited or deleted.

Deleting a Report

To delete a report, follow the steps given below:

1.    Select a report from the report list and click Delete.

2.    Click OK to confirm the deletion.

Save Report

Use this screen to specify the report name, the e-mail addresses to which the reports can be e-mailed automatically, and the remote FTP location to which your report can be uploaded. By default, the generated report is saved on the machine where SecCenter A1000 is installed.

It is recommended that you do not use mapped network drives to store generated reports. Instead use only your local drives to store the reports.

Reports can be delivered in the following three ways:

v    Saved on a local system or network neighborhood

v    E-mailed to one or more recipients

v    Uploaded via FTP to a remote location

The following sections explain how to specify the output and delivery of reports in each of these three ways.

The Save Report Screen

Saving Reports

By default SecCenter A1000 saves a generated report in the machine where SecCenter A1000 is installed. Enter a name for the report in the Save As text box.

Using Generic Names for Reports

SecCenter A1000 follows a generic method for specifying input and output file names in the profile. You can enter generic file names directly in the name text box, or you can use the Grammar Syntax feature to specify input and output file names. This feature is useful for scheduling repetitive tasks, because the log file name is constructed from a timestamp format.


Grammar Settings

File Specification Grammar Macro

Macro (Code)    Description                 Format
%b%             Abbreviated month name      (Jan-Dec)
%B%             Full month name             (January-December)
%m%             Month                       (01 – 12)
%d%             Day of month                (01 – 31)
%H%             Hour in 24-hour format      (00 – 23)
%y%             Year without century        (00..99)
%Y%             Year with century           (2000-2099)

SecCenter A1000 supports wildcards in the file name and understands the standard DOS directory wildcard (i.e., *). You can specify a relative hour, day, month or year by decreasing or increasing the corresponding value. The same syntax is also used to specify file names for output reports.

Generic Naming – Grammar Syntax Examples

File Name Specification     Sample File Name          Represents
SCAReport%m%%d%%y%.htm      SCAReport062005.htm       June 20, 2005
SCAReport%m%%d%%Y%.htm      SCAReport06202005.htm     June 20, 2005
SCAReport%Y%%d%%B%.htm      SCAReport200520June.htm   June 20, 2005
SCAReport%d%%m%%y%.htm      SCAReport200605.htm       June 20, 2005

To specify file names using the Grammar syntax feature, follow the steps given below:

1.    Click Grammar. The Grammar dialog box is displayed.

2.    In the Grammar dialog box, click Browse and go to the location where generic log files are stored.

3.    Define the timestamp format for the generically named files. Based on the log file naming convention of your log file, specify the appropriate date format in the Date Format text box. Note that you can add an alphabetical prefix to the format and select from several different file extensions in the suffix box.

4.    In the Add/Subtract text box (Hour, Day, Month and Year) specify which time stamped log file is the input. For example, to attach to yesterday’s log file, enter –1 in the Day text box with respect to the current system date.
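The macro expansion and Add/Subtract offsets described by the grammar table and the steps above, as an added worked example that is not SecCenter A1000's own code: a small Python expander that renders the seven macro codes, applies hour/day/month/year offsets relative to a reference date, and matches the result against a directory listing using the '*' wildcard. The function names, the `at()` helper and the directory listing are assumptions for illustration; the sample dates reproduce the rows of the examples table.

```python
import calendar
import datetime as dt
import fnmatch
import re

# English month names, fixed here so the result does not depend on the
# process locale the way strftime("%b") would.
MONTH_ABBR = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
              "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
MONTH_FULL = ["January", "February", "March", "April", "May", "June", "July",
              "August", "September", "October", "November", "December"]

# One %x% code per row of the File Specification Grammar Macro table.
_MACRO_RE = re.compile(r"%([bBmdHyY])%")


def at(year, month, day, hour=0):
    """Build the reference timestamp (the 'current system date' of the grammar)."""
    return dt.datetime(year, month, day, hour)


def shift(when, hours=0, days=0, months=0, years=0):
    """Apply the Add/Subtract offsets (Hour, Day, Month, Year) to a timestamp.

    Month and year offsets move the calendar month and clamp the day to the
    last day of the target month (31 March minus one month is 28 or 29
    February). Hour and day offsets are exact deltas applied afterwards.
    """
    total = when.year * 12 + (when.month - 1) + years * 12 + months
    year, month0 = divmod(total, 12)
    month = month0 + 1
    day = min(when.day, calendar.monthrange(year, month)[1])
    moved = when.replace(year=year, month=month, day=day)
    return moved + dt.timedelta(hours=hours, days=days)


def _render(code, t):
    """Render one macro code for timestamp t in the format the table gives."""
    return {
        "b": MONTH_ABBR[t.month - 1],   # Jan-Dec
        "B": MONTH_FULL[t.month - 1],   # January-December
        "m": f"{t.month:02d}",          # 01-12
        "d": f"{t.day:02d}",            # 01-31
        "H": f"{t.hour:02d}",           # 00-23
        "y": f"{t.year % 100:02d}",     # 00-99
        "Y": f"{t.year:04d}",           # 2000-2099
    }[code]


def expand(spec, when, **offsets):
    """Expand a generic name such as 'SCAReport%m%%d%%y%.htm' for when + offsets.

    Codes outside the table (e.g. %Z%) are left untouched so that a typo is
    visible in the generated name instead of being silently dropped; a '*' is
    kept as well, so the result can still serve as a DOS-style wildcard.
    """
    t = shift(when, **offsets)
    return _MACRO_RE.sub(lambda m: _render(m.group(1), t), spec)


def select_files(spec, names, when, **offsets):
    """Pick the entries of a directory listing that match the expanded spec.

    fnmatch provides the '*' and '?' wildcards; the comparison is done in
    lower case because DOS/Windows file names are case-insensitive.
    """
    pattern = expand(spec, when, **offsets).lower()
    return [n for n in names if fnmatch.fnmatchcase(n.lower(), pattern)]


if __name__ == "__main__":
    today = at(2005, 6, 20, 9)          # constructed "current system date"
    print(expand("SCAReport%m%%d%%y%.htm", today))            # SCAReport062005.htm
    print(expand("SCAReport%d%%m%%y%.htm", today, days=-1))   # yesterday's file
```

The month and year offsets clamp the day to the end of the target month, which is the edge case a naive "subtract 30 days" gets wrong for monthly log rotation, and the day offset of -1 is exactly the "yesterday's log file" case from step 4.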

E-mailing Reports

SecCenter A1000 allows you to e-mail your reports to the specified recipients. You can enter multiple e-mail addresses separated by semi-colons. Follow the steps given below to e-mail your reports:

1.    Select the Mail To check box and enter the e-mail address in the text box. To e-mail to multiple recipients, use semi-colon to separate the e-mail addresses.

2.    You can enter multiple e-mail addresses separated by semi-colons and send a copy of the report to other users (cc:) if required.

3.    Enter the subject in the Subject box.

This feature will work only if your SMTP server is configured.

FTP Reports

You can also choose to upload your report to a remote FTP location. Follow the steps given below to upload your reports:

1.    Select the FTP check box and enter the host name to which the file is sent, together with the user name and password, to configure FTP. The machine that is to receive the reports must be running an FTP service.

2.    Select the Passive Mode check box if you want SecCenter A1000 to use "passive FTP" to initiate FTP connections.

3.    Passive FTP connections provide more security for the network that hosts the FTP server to which SecCenter A1000 will connect. Clients that use passive FTP send a PASV command, which allows the server to specify which data port it wants to use, rather than sending a standard PORT command to specify a control channel and data channel port.
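The PASV/PORT exchange described in step 3, as an added example that is not part of the original guide or of the product: parsing the server's "227 Entering Passive Mode" reply into the data-channel address and port, and building the PORT command an active-mode client would send instead. The function names and the sample replies are constructed for illustration. The data_endpoint helper also shows the check a hardened passive-mode client makes: it reuses the control connection's peer address and takes only the port from the reply, so a mistaken or spoofed advertised address cannot redirect the data connection.

```python
import ipaddress
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": four address octets and
# the high and low bytes of the data port.
_PASV_RE = re.compile(
    r"\(\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})"
    r"\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*\)"
)


def parse_pasv_reply(reply):
    """Return (host, port) advertised by the server's 227 reply to PASV."""
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV reply: {reply!r}")
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"no (h1,h2,h3,h4,p1,p2) tuple in reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("PASV tuple contains a value above 255")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("PASV reply advertises port 0")
    return f"{h1}.{h2}.{h3}.{h4}", port


def is_valid_pasv_reply(reply):
    """True when the reply parses as a well-formed 227 response."""
    try:
        parse_pasv_reply(reply)
        return True
    except ValueError:
        return False


def data_endpoint(control_peer, reply, trust_advertised_host=False):
    """Decide where the client connects for the data channel in passive mode.

    By default the advertised address is ignored and the control connection's
    peer address is reused; only the port comes from the server. Set
    trust_advertised_host=True only for a server that must advertise a
    different (e.g. NAT) address and whose reply you have reason to trust.
    """
    host, port = parse_pasv_reply(reply)
    if not trust_advertised_host:
        host = control_peer
    return host, port


def port_command(client_ip, client_port):
    """Build the PORT command an active-mode client sends instead of PASV.

    Active mode asks the server to connect back to the client's data port,
    which is why it needs an inbound opening in the client-side firewall.
    """
    if not 0 < client_port < 65536:
        raise ValueError("port out of range")
    octets = ",".join(str(b) for b in ipaddress.IPv4Address(client_ip).packed)
    return f"PORT {octets},{client_port // 256},{client_port % 256}"


if __name__ == "__main__":
    # Constructed reply from a server reached at 192.168.1.10 on the control channel.
    reply = "227 Entering Passive Mode (192,168,1,10,19,137)."
    print(data_endpoint("192.168.1.10", reply))   # ('192.168.1.10', 5001)
    print(port_command("10.0.0.5", 5001))         # PORT 10,0,0,5,19,137
```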

Edit Profile

You can edit or delete a profile as required. To edit a profile, follow the steps described below:

1.    From the menu bar, click Edit Profile.

2.    On the Edit Profile wizard you can edit the configuration settings made in Device, DNS Lookup, Filter Templates and Reports tab respectively.

The Edit Screen

3.    Click Save to save the settings.

Copy Profile

If you want to create profiles that are similar, use the copy profile option.

1.    To create a copy of a profile, select an existing profile and click the Copy Profile button on the main screen.

2.    The Copy Profile window opens displaying the newly created profile.

3.    The profile created is identical with the former except the profile name.

Delete Profile

If you want to delete a profile, select an existing profile and click the Delete Profile button on the main window of Profile Manager.

Forensics

Forensics analysis involves capturing and analyzing network events in order to discover the source of security attacks or other problem incidents.

All data packets passing through a given traffic point are recorded and written to a storage area (file archive), and the analysis is then performed in batch mode. This approach requires large amounts of storage (SAN or NAS) with a file system.

SecCenter A1000's forensics analysis uses this approach. Because all packet information, including user data, is captured, it raises a major privacy concern; SecCenter A1000 addresses this by using a secure communication channel to collect forensics logs from the specified devices.

The Forensics analysis feature lets you look up a metadata index for specific information across devices over periods of up to several years. The metadata index holds reference information about each log file, such as the device ID and time range, which lets SecCenter A1000 quickly locate the log files whose device ID and time range apply to the search.

A configured search has the following columns associated with it.

v    Search Name

v    Report Generated

v    Archive

v    Generate Report

The Forensics Manager Screen

You can edit, copy, or delete a defined Search operation.

Report Generated: Click the link under the Report Generated column to view the report. You can also customize the report view by including only those fields you want to view.

The Forensic Report Page


Use the following options to customize your report view:

v    From-To - To specify records within a range.

v    Export Report - To save your search result in either HTML or Text format.
Note: Values in a report saved in text format are separated by commas.

Note: Forensics analysis stops if the available disk space is less than 20% of the total disk space. Once the disk space falls below this level, the following message appears: Stopped Forensics searching due to unavailability of free disk space.


Export Report:

You can export the forensic report to a specific location in HTML or Text format. To customize the view of the exported report, select the fields you want to include in the report that is being exported.

Follow the steps described below to export a report:

1.    Click Export Report. The Export Report screen opens.

2.    Select the Report Type from Html and Text format options to specify the format of the reports to be exported.

3.    Select the fields you want to view from the Available Fields list and click the arrow button to move them into the Selected Fields list.

4.    Select the range of records that you want to export from the generated forensic report.

5.    Click Export.


Export Report - Single Query

You can export the forensic report based on a single query selected from the forensic TOC to a specific location in HTML, Text or CSV format.

1.    Click Export Report for the selected single query report. The Export Report screen opens.

2.    Select the Report Type you want it to be exported in:

v        Html

v        Text

v        CSV*

The CSV* (comma-separated values) file format contains the values in a table as a series of ASCII text lines where each column value is separated by a comma from the next column's value and each row starts a new line.

Export Forensic Report of Top Events

3.    Browse to the location where you want to export the Forensic Report based on a single query selected from the forensic TOC.

4.    Click OK to export or Cancel to abort the task.
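The Export Report options above (Selected Fields, the From-To record range, and Html/Text/CSV output), as an added example that is not SecCenter A1000's own code: a Python exporter over constructed forensic result rows. The field names, the rows and the function names are assumptions for illustration. It shows two points the page only implies: a Text export that separates values with plain commas cannot represent a value that itself contains a comma (such as a native log line), whereas CSV quoting can; and every cell of an HTML export must be escaped, because log content is untrusted text that a browser would otherwise render as markup.

```python
import csv
import html
import io

# Constructed forensic result rows (not real device logs). The "native"
# column stands in for the native-log column, which can contain commas,
# quotes and angle brackets.
SAMPLE_ROWS = [
    {"time": "2005-06-20 09:00:01", "src": "10.1.1.7", "event_id": 4001,
     "native": 'login failed, user="admin"'},
    {"time": "2005-06-20 09:00:07", "src": "10.1.1.20", "event_id": 4001,
     "native": 'login failed, user="root"'},
    {"time": "2005-06-20 09:01:30", "src": "10.1.2.9", "event_id": 6100,
     "native": "dns query flood <detected>"},
]


def select_rows(rows, fields, start=1, end=None):
    """Apply the Selected Fields list and the From-To range (1-based, inclusive)."""
    if start < 1 or (end is not None and end < start):
        raise ValueError("invalid From-To range")
    chosen = rows[start - 1:end]
    return [[str(r[f]) for f in fields] for r in chosen]


def export_report(rows, fields, fmt, start=1, end=None):
    """Render the selected rows as 'text', 'csv' or 'html'."""
    table = select_rows(rows, fields, start, end)
    fmt = fmt.lower()
    if fmt == "text":
        # Plain comma-separated lines, as the page describes for Text export.
        # A value containing a comma is ambiguous in this form: the native
        # column below splits into two columns when parsed back.
        lines = [",".join(fields)] + [",".join(row) for row in table]
        return "\n".join(lines) + "\n"
    if fmt == "csv":
        # csv.writer quotes fields that contain commas or quotes and doubles
        # embedded quotes, so each row parses back into the same columns.
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(fields)
        writer.writerows(table)
        return buf.getvalue()
    if fmt == "html":
        # Escape every cell: log text is untrusted and must not become markup
        # or script when the report is opened in a browser.
        head = "".join(f"<th>{html.escape(f)}</th>" for f in fields)
        body = "".join(
            "<tr>" + "".join(f"<td>{html.escape(c)}</td>" for c in row) + "</tr>"
            for row in table
        )
        return f"<table><tr>{head}</tr>{body}</table>"
    raise ValueError(f"unsupported report type: {fmt}")


if __name__ == "__main__":
    print(export_report(SAMPLE_ROWS, ["src", "native"], "csv", 1, 2))
```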

Display Type: You can select the Top Events to be depicted in any one of the display types:

v    Table

v    Pie

v    Bar

v    Tape

v    Horizontal

Note: In Forensics reporting, number of records displayed in graphs is limited to 11.

Archive: This column displays the details of the latest results of the configured search. Once a new update for this search is triggered, search results for this search are transferred to the archives.

Generate Report: This column displays the report icon. Click  to generate a report for the configured search.

The following sections explain how to configure a forensics search.

New Search

Follow the steps described below to add a new search:

1.    On the Forensics main window, click New Search. The New Search wizard opens.

2.    Enter a name and description for the search in the Name and Search box respectively.

3.    Select the criteria (source)—Device, Host or Mirapoint Device, on which you want to perform the forensic search.

4.    Select from one of the following log sources you want to search from:

v    Log Files from Selected Devices

v    Archived Search Data

5.    Once all the fields in the window are filled in, click Next.

 New Search Screen

Archived Search Data

If you want to use the Archived Search Data as the log source, then your search is confined to the data present in the previously generated forensic reports. This helps you to save time as you need not search the entire log database again.

6.        Browse to the location where previous reports are archived to search for the required data and click Next.

If no report was generated prior to this search, Archived Search Data is disabled.

Browse Server

1.    Click Browse and the Browse Server Window opens.

2.    This window gives you the directory hierarchy of the machine where the SecCenter A1000 Server is installed.

3.    You can select a folder by double-clicking any item, or by selecting the folder under the icon and clicking Open Folder to view the files within the folder in the Files list.

4.    Similarly, you can select and add a file within a selected folder by double-clicking it or by clicking the Add File button.

5.    Selected files will be listed under Selected Files section.

6.    To remove a selected file, click Remove File button.

7.    You can see the path of your selected file or folder in the Selected Files section and click OK.

 The Browse Server Screen


Log Files from Selected Devices

If this option is selected as the log source for your search, click Next and follow the steps described below.

Date & Time Range

You can configure your search in a specified time period. Follow the steps described below:

1.    Click the calendar icon and enter the Date From to Date To in the appropriate text area provided.

2.    Select the time of the day from the drop-down list available.

3.    Click Next.

 The Date & Time Range Screen

Scheduling Forensics Search

The Scheduler lets you run forensics search reports automatically at specific times, which is particularly useful when you run reports at regular intervals.

The list box under the Scheduled Tasks section contains all the tasks that are previously scheduled. Click the Add button to schedule a new task or select an existing task to Edit.

Add Task

1.    Click the Add button. The Scheduler screen opens.

2.    On this screen, you can select the frequency at which you want the forensics report to generate.

3.    Specify a unique name for the task in the Task Name box. This name is subsequently displayed in the Scheduler Main Window under the column Scheduled Tasks.

4.    Select the frequency from the options given below:

v    Daily

v    Weekly

v    One Time Only

5.    The created scheduled task is added to the list of scheduled tasks.

Note: Hourly and Monthly tasks configured in the earlier versions are no longer supported after the upgrade and need to be edited to work properly.

New Search (Device-based)

You can select Devices, Hosts or Mirapoint devices and analyze their logs. Whichever criterion you selected in the opening screen of the New Search wizard, the corresponding window opens. For example, if your chosen criterion is Device, the window displays all the devices licensed with SecCenter A1000.

1.    Select a device (s) from the list of licensed devices.

2.    Click Next.

 The Device Group


Search Filters

You can select the filters you want to apply on your search from here. The following are the available filters:


v    Source

v    Destination

v    Destination Port

v    Rule

v    Protocol

v    Event ID

v    Expression

v    Severity


Source Filter

If you have selected Source filter, follow the steps described below:

1.    Enter the Source IP/Name of the device you want to filter from the rest and report on only those events originating from the specified source.

2.    To filter events originating simultaneously from a series of devices, specify the IP Range by selecting the Source IP Range check box.

3.    Add the Source IP/Name by clicking the Add button.

4.    Click Save Filter.

Destination Filter

If you have selected Destination in the Search Filters window, follow the steps described below:

1.    Enter the Destination IP/Name of the device you want to filter from the rest and report on only those events having the specified Destination IP/Name.

2.    If you want to filter events from a series of devices at one time then provide the destination IP Range by selecting the Range option.

3.    Add the Destination IP/Name of the device or the range by clicking the Add button.

4.    Click Save Filter.

Destination Port Filter

If you have selected Destination Port in the Search Filters window, follow the steps described below:

1.    Enter the Destination Port number in a device that you want to filter and report only on the events that end up at the specified port.

2.    Add the port number by clicking the Add button.

3.    Click Save Filter.

Rule Filter

If you have selected Rule in the Search Filters window, follow the steps described below:

1.    Select the Rule you want to filter from the Available Rule list and click   to move them into the Selected Rule list. You can also add new Rules.

2.    Click Save Filter.


Protocol Filter

If you have selected Protocol in the Search Filters window, follow the steps described below:

1.    Select the protocols you want to filter and click   to move them into the Selected Protocol list. You can also add new protocols.

2.    Click Save Filter.

Event ID

If you have selected Event ID in the Search Filters window, follow the steps described below:

1.    Select the Event IDs you want to filter from the Event Filter List.

2.    Click the Add button to add a new event ID to the list. The New Event ID screen opens.

v    Enter an appropriate Template Name and the Event ID of a new event you want to add to the list.

v    Click the Add button and click Save filter. The new event ID is added to the list of existing event IDs.

3.    Click Next.

Expression Filter

You can search for any string containing a specific word or phrase from the database on this screen.

1.    Select Use Word to search for the specified words in the database. You can combine the words with the conditional operators AND/OR.

2.    Select Use Phrase to search for a given phrase from the log files in the database.

3.    Click Add and then click Save filter.

Severity Filter

1.    Select the severity types to filter in your search, from this screen.

2.    Available severity types are:


v    Emergency

v    Alert

v    Critical

v    Error

v    Warning

v    Notice

v    Information

v    Debug


3.    Select from the Available Severity types and click  to move them into the Selected Severity types list.

4.    Click Next.
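The device search filters above (Source with the IP Range option, Destination, Destination Port, Protocol, Event ID, Expression with Use Word/Use Phrase, and Severity), as an added example that is not the product's own code: each saved filter becomes a predicate and a search returns the events that satisfy all of them. The event field names, the constructed sample events and the function names are assumptions for illustration; the Rule filter is left out because the page does not describe how rule names map onto event fields.

```python
import ipaddress
import re

# Severity names exactly as the device Severity Filter screen lists them (syslog order).
SEVERITIES = ("Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Information", "Debug")

# Constructed sample events (not real device logs); one dict per log line.
SAMPLE_EVENTS = [
    {"id": 1, "src": "10.1.1.7", "dst": "192.0.2.10", "dport": 22, "proto": "TCP",
     "event_id": 4001, "severity": "Warning", "msg": "ssh login failed for user admin"},
    {"id": 2, "src": "10.1.1.20", "dst": "192.0.2.10", "dport": 22, "proto": "TCP",
     "event_id": 4001, "severity": "Warning", "msg": "ssh login failed for user root"},
    {"id": 3, "src": "10.1.1.20", "dst": "192.0.2.25", "dport": 443, "proto": "TCP",
     "event_id": 5002, "severity": "Information", "msg": "https session established"},
    {"id": 4, "src": "10.1.2.9", "dst": "192.0.2.10", "dport": 53, "proto": "UDP",
     "event_id": 6100, "severity": "Critical", "msg": "dns query flood detected"},
    {"id": 5, "src": "10.1.1.7", "dst": "192.0.2.10", "dport": 22, "proto": "TCP",
     "event_id": 4002, "severity": "Notice", "msg": "ssh login succeeded for user admin"},
]


def _ip_range(spec):
    """'10.1.1.5' or '10.1.1.1-10.1.1.50' -> (low, high) inclusive address pair."""
    low, _, high = spec.partition("-")
    lo = ipaddress.ip_address(low.strip())
    hi = ipaddress.ip_address(high.strip()) if high else lo
    if hi < lo:
        raise ValueError(f"range end precedes start: {spec}")
    return lo, hi


def _address_filter(field, specs):
    ranges = [_ip_range(s) for s in specs]
    return lambda ev: any(lo <= ipaddress.ip_address(ev[field]) <= hi for lo, hi in ranges)


def source_filter(*specs):
    """Source filter: single IPs and/or 'a-b' ranges (the Source IP Range option)."""
    return _address_filter("src", specs)


def destination_filter(*specs):
    """Destination filter: single IPs and/or 'a-b' ranges."""
    return _address_filter("dst", specs)


def destination_port_filter(*ports):
    wanted = {int(p) for p in ports}
    return lambda ev: ev["dport"] in wanted


def protocol_filter(*protos):
    wanted = {p.upper() for p in protos}
    return lambda ev: ev["proto"].upper() in wanted


def event_id_filter(*ids):
    wanted = {int(i) for i in ids}
    return lambda ev: ev["event_id"] in wanted


def severity_filter(*names):
    unknown = set(names) - set(SEVERITIES)
    if unknown:
        raise ValueError(f"unknown severity: {sorted(unknown)}")
    wanted = set(names)
    return lambda ev: ev["severity"] in wanted


def expression_filter(words=None, phrase=None, operator="AND"):
    """Expression filter: Use Word (whole words joined by AND/OR) or Use Phrase."""
    if phrase is not None:
        needle = phrase.lower()
        return lambda ev: needle in ev["msg"].lower()
    if not words:
        raise ValueError("expression filter needs words or a phrase")
    combine = {"AND": all, "OR": any}[operator.upper()]
    patterns = [re.compile(r"\b" + re.escape(w) + r"\b", re.IGNORECASE) for w in words]
    return lambda ev: combine(p.search(ev["msg"]) is not None for p in patterns)


def run_search(events, filters):
    """Return the events that satisfy every saved filter (filters are ANDed)."""
    return [ev for ev in events if all(f(ev) for f in filters)]


def matched_ids(events, filters):
    return [ev["id"] for ev in run_search(events, filters)]


if __name__ == "__main__":
    # Failed SSH logins from one subnet range, as a forensic search would phrase it.
    print(matched_ids(SAMPLE_EVENTS, [source_filter("10.1.1.1-10.1.1.50"),
                                      destination_port_filter(22),
                                      severity_filter("Warning")]))   # [1, 2]
```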

Report Output

Follow the steps described below to choose the fields that you want to include in the report:

1.    Select the fields you want to include from the Available Fields and click  to move them into the Selected Fields list.

2.    To add a column containing the native log to the forensics report, select the Append a column in the forensics report for including the native log check box.

3.    Click Next.

Report Output Screen


Save Report

Forensics Reports for devices can be saved in the following two ways:

v    E-mailed to one or more recipients

v    Uploaded via FTP to a remote location

The report can be saved to the specified location either in Text or HTML formats. Follow the steps given below to e-mail your forensic reports:

1.    Select the Mail To check box and enter the e-mail address in the text box. To e-mail to multiple recipients, use comma to separate the e-mail addresses.

2.    You can enter multiple e-mail addresses separated by comma and send a copy of the report to other users (Cc:) if required.

3.    Enter the subject of the mail.

4.    Enter a message, not more than 100 characters to be appended to the  mail.


Follow the steps given below to FTP your forensic reports:

1.    Select the FTP check box and enter the host name to which the file is sent, together with the user name and password, to configure FTP. The host machine must have an FTP service running.

2.    Select the Passive Mode check box if you want SecCenter A1000 to use "passive FTP" to initiate FTP connections.

Note: Take caution in using Mail To and/or FTP options for saving the forensic report as the report can be voluminous.

Host Based New Search

The following sections explain how to configure a host based forensics search.

New/Edit Search

Follow the steps described below to configure/edit a forensics search:

1.    Enter a name and description for the search in the Name and Search box respectively. While editing, you can only change the description.

2.    On the Forensics main window, Select Host as the New Search criteria. To edit a forensics search, select a configured search and click Edit Search.

3.    Select one of the following log sources you want to search from:

v    Log Files from Selected Devices

v    Archived Search Data

4.    Once all the fields in the window are filled in, click Next.

Archived Search Data

If you have selected this option as the source for your search, your search is confined to the data present in the previously generated forensic reports. This helps you to save time as you need not search the entire log database again.

Follow the steps described below to perform an archived search:

Browse to the location where previous forensic reports containing the required data are archived and click Next.

If no report was generated prior to this search, this option is disabled.

Host Group

You can select Group/Host and analyze the logs from them on this screen.

1.    Select the host name/IP.

2.    Click Next.

Search Filters

You can select the filters that you want to apply on your search from this screen. The list of available filters is:


v    Expression

v    Event Source

v    Event ID

v    Facility

v    Severity




Event Source Filter

Select Event Source in the Search Filters window and follow the steps described below:

1.    Enter the details of the event source from where the event is originating in the Event Source box.

2.    Add the Event Source by clicking the Add button.

3.    Save Filter and Click Next.

Event ID

Select Event ID in the Search Filters window and follow the steps described below:

1.    Select the Event IDs you want to filter from the available list.

2.    Click Add button to add a new event ID to the list or select any existing ID from the list to edit.

3.    Click Add to open the New Event ID screen.

4.    Enter an appropriate name and the ID of a new event you want to add to the list.

5.    Click the Add button and click Save. The new event ID is added to the list of existing event IDs. Click Next.

Facility

You can select a facility that you want to search from the database from this screen.

1.    Select from the Available Facility types and click  to move them into the Selected Facility list.

2.    Save filter and Click Next.

Severity Filter

You can select the severity types which you want to filter in your search.

1.    Available severity types are:


v    Success

v    Error

v    Warning

v    Information

v    Failure


2.    Select from the Available Severity list and click  to move them into the Selected Severity list.

3.    Save filter and Click Next.

Expression Filter

You can search for any string containing a specific word or phrase from the database.

1.    Select Use words to search for the specified words in the database. You can combine the words with the conditional operators AND and OR.

2.    Select Use phrase to search for a given phrase from the log files in the database.

3.    Click Add, save the filter and click Next.

 Report Output

Follow the steps described below to choose the fields you want to include in the report:

1.    Select the fields you want to include from the Available Fields and click  to move them into the Selected Fields list.

2.    Click Next.

Save Report

Forensics Reports for hosts can be saved in the following two ways:

v    E-mailed to one or more recipients

v    Uploaded via FTP to a remote location

The report can be saved to the specified location either in Text or HTML formats. Follow the steps given below to e-mail your forensic reports:

1.    Select the Mail To check box and enter the e-mail address in the text box. To e-mail to multiple recipients, use comma to separate the e-mail addresses.

2.    You can enter multiple e-mail addresses separated by comma and send a copy of the report to other users (cc:) if required.

3.    Enter the subject of the mail.

4.    Enter a message, not more than 100 characters to be appended to the mail.

Follow the steps given below to FTP your forensic reports:

1.    Select the FTP check box and enter the host name to which the file is sent, together with the user name and password, to configure FTP. The host machine must have an FTP service running.

2.    Select the Passive Mode check box if you want SecCenter A1000 to use "passive FTP" to initiate FTP connections.

Note: Take caution in using Mail To and/or FTP options for saving the forensic report as the report can be voluminous.

Defining Forensics Search on Mirapoint Device

If you have selected Mirapoint Device as your search criteria to analyze logs, SecCenter A1000 displays the list of all the licensed Mirapoint device(s) and their Groups.

1.    Select the Mirapoint Device(s) to define the Forensic search.

2.    Click Next.

3.    The next window displays the comprehensive list of search filters available to apply on the Mirapoint Device.

4.    The next section explains the Mirapoint Device search filters in detail.

Search Filters

You can select the filters to apply on your search from the available filters list. If you want to negate a particular filter on the search, select the Negation check box on the corresponding filter window.

The list of available filters is:


v    Action

v    Domain

v    Event ID

v    MailBox

v    Mail Header

v    Message ID

v    QID

v    Recipient Email

v    Score

v    Sender Email

v    Sender IP

v    Spam

v    Virus



Action

1.    Select the Action Details of the events to filter, so that the report covers only the desired events. Select the actions to be included in the Rule and move them to the selected entities list by clicking the icon. The available actions are:

v    Virus Quarantined

v    Virus Scan Failure

v    Virus Cleaned

v    Virus Found

v    Virus Deleted

2.    Select an Action from the action details and click   to move them into the selected entities list.

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.

 Source Domain

1.    Enter the Source Domain name to filter, in the Domain text box.

2.    Click the Add button to move it to the Domain list box.

3.    You can add multiple Domains to filter.

4.    Click the Save Filter button. The filter is added to the Filter list.

5.    Click the Delete Filter button to clear the settings.

Note: All Sender and Recipient e-mails containing the respective domain will be considered for the search.

Event ID

1.    Select the Event IDs from the available list.

2.    Select the event IDs to filter.

3.    You can also add a new event ID by clicking the Add button.

4.    Click the Save Filter button. The filter is added to the Filter list.

5.    Click the Delete Filter button to clear the settings.

QID

1.    Enter the QID (Queue Identifier) to filter, in the Queue Identifier text box.

2.    Click the Add button to move it to the QID list box.

3.    You can add multiple QIDs to filter.

4.    Click the Save Filter button. The filter is added to the Filter list.

5.    Click the Delete Filter button to clear the settings.


Mail Box

1.    Enter the Mail box name to filter, in the Mail Box text box.

2.    Click the Add button to move it to the Mail Box list box.

3.    Once you finish adding the desired mail boxes, select the ones you want to filter from the available entities and click  to move them into the selected entities list.

4.    Click the Save Filter button. The filter is added to the Filter list.

5.    Click the Delete Filter button to clear the settings.


Mail Header

1.    Enter the Mail Header to filter, in the Mail Header text box. You can also use wild card '*' to filter common strings.

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.


Message ID

1.    Enter the name of the message ID that you want to filter, in the Message ID text box.

2.    Click the Add button to move it to the Message ID list box.

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.

Recipient E-mail

1.    Enter the e-mail address of the recipient to filter, in the Recipient E-Mail text box. You can also use wild card '*' to filter common strings.

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.

Score

1.    Select Any to filter all junk mail encountered, irrespective of the score.

2.    Enter the Score of the junk mail intensity to filter, in the Score text box.

3.    You can alternatively specify a Score Range of junk mail intensity to filter.

4.    Click the Save Filter button. The filter is added to the Filter list.

5.    Click the Delete Filter button to clear the settings.

Sender Email

1.    Enter the e-mail address of the sender that you want to filter, in the Sender E-mail box. You can also use wild card '*' to filter any common string.

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.

Sender IP

1.    Enter the IP address of the sender that you want to filter, in the Sender IP box. You can also use wild card '*' to filter any common string.

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.

Spam

1.    Select the Spam from the available list.

2.    Select a spam from the available entities and click  to move them into the selected entities list, to filter.

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.

Virus

1.    Enter the name of the virus that you want to filter, in the Add New Virus text box.

2.    Click the Add button to move it to the Mail Box list box.

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.

Forensics Options

With the Forensics options you can specify the path where you want to store the forensics logs. You can choose to be alerted whenever your secondary storage device falls below the specified level.

Disk Space Alert: Forensics analysis may stop due to unavailability of free disk space. To restart it, free up disk space or specify a different location from the Forensics > Options tab.

Forensics analysis will stop if the available disk space is less than 20%.

Follow the steps described below to set your options for forensics analysis:

1.    On the main screen, click Options. The Options dialog box opens. Select the Forensics tab.

2.    Specify the Path where you want to store the forensic logs.

3.    Click Browse. The Browse Folder window opens.

4.    Select the folder where log files are stored and click OK.

5.    Select the Disk Space Alert check box to raise an e-mail alert if the available disk space falls below the level you select from the built-in list.

6.    Enter the recipient e-mail address in the Mail To box. To add a copy, enter an e-mail address in the Cc box. Use comma to separate multiple e-mail addresses.

7.    Click Save.

To be able to send an e-mail alert, your SMTP server must be configured; see the instructions on configuring your SMTP server.

To see the mapped network drives created by a user, use the Service Control Manager to change the service logon account from the Local System account to that user's account, supplying a valid user name and password.

Edit Search

Follow the steps described below to edit a configured search:

1.    Click a search under the column Search Name. The Edit Search window displays.

2.    Make the necessary changes and click Next.

3.    Verify the altered settings and click Finish.

Copy Search

To create a copy of an already existing search, use the Copy Search option. Follow the steps described below to create a copy:

1.    To create a copy of a search, select an existing search and click the Copy Search button on the main screen.

2.    The Copy Search window opens displaying the newly created search.

The search just created is identical to the former except the search name.

Delete Search

To delete a search, select an existing search and click the Delete Search button on the main Forensics window.

Managing Devices/Hosts and Groups

This section describes how to manage your devices/hosts and the SecCenter A1000 syslog server. Once the syslog server is configured, SecCenter A1000 accesses device logs through the syslog service for processing and storage. Log file data is stored either in the built-in database or in an enterprise database; an enterprise database can be configured from the Options > General tab. You can add as many devices and hosts as your license permits.

To manage the Devices/hosts, the following three tabs can be used which are present on the main menu:

v    Groups

v    Devices

v    Hosts

Once any Device/host gets associated with SecCenter A1000 it is assigned a unique symbol for easy identification. The following table gives the details of the symbols used in the Groups/Devices/Host screen display:

Represents a configured licensed device.

Represents a configured licensed device that is inactive.

Represents group or a regional server.

Represents an active syslog server.

Represents a syslog server that is not in the network.

Represents a configured licensed host that is inactive.

Represents a configured licensed host.


The Groups Screen

The Groups screen displays the list of groups you created and the devices under each group. You can view details of each device like Status, Type, Location, Host Name, Internal and External IP, Device ID and information on Groups on this screen. You can also add or delete groups from this screen.

The Groups Screen

In this screen, you can view all the configured regional servers. To view all the groups created on it, just select a regional server from the Regional drop-down list. A list containing all the groups is displayed.

The Global Group

When a new device/host is added, it is automatically placed under the Default Group of the SecCenter A1000 regional server. In a distributed setup, devices that report to the SecCenter A1000 Central server through a regional syslog server can be grouped under the predefined group called Global.




Default Group

The default group is created automatically by SecCenter A1000. You can also create new groups and allocate devices/hosts to them. If you delete a group, all the devices/hosts in that group are moved to the default group.

Adding a Group

Follow the steps described below to add a group:

1.    On the Groups screen, click Add. The Add Group screen opens.

2.    Enter a name for the group in the Group Name box.

3.    Select the parent group from the Sub-Group drop-down list.

4.    Select the Importance, Importance Factor, and the Severity Factor from the corresponding drop-down lists.

5.    Select the devices/hosts you want to add to the group and click Create Group.

Editing a Group

Follow the steps described below to edit a group:

1.    On the Groups screen, click the group you want to edit. The Edit Group screen opens.

2.    Edit the values in the Importance, Importance Factor, and the Severity Factor lists as required.

3.    Select the devices/hosts you want to add or remove from the existing group and click Save.

Moving a Device/Host from Default Group

When you add a new device/host, it is placed under the Default Group. You can move the added device from the default group to any other existing group by following the steps described below:

1.    Select the Groups tab.

2.    Click on the group to which you want to move the device or the host. A screen that lists all the devices/hosts is displayed.

3.    Now select the device/host you want to move under the selected group.

4.    Click Save.

Regional and Group drop-down lists

On SecCenter A1000 Central, you can view all the configured regional servers. Select a regional server from the Regional drop-down list to view all the groups existing on that regional.

The Devices Screen

The Devices screen lists the syslog servers and the configured, unconfigured and manually added devices. You can also add or delete an unconfigured device or a virtual device from this screen.

Devices Screen

Adding a Device

Follow the steps described below to add a device:

1.    On the Devices screen, click Add Device. The Add Device wizard opens.

2.    Select an identifier by which you want your device to be identified. A device can be identified either by its external IP address, internal IP address, or device ID.

3.    Enter the device name in the Device box.

4.    Select the device type from the Device Type drop-down list.

5.    Enter the location in the Location box and click Save.

To display an unconfigured device in the Add Device window, click on the IP of the device under the syslog server or under the Manually Added Devices and click Save.

 

Important: If the device is of type Intrushield, you need to perform the following configuration changes to obtain reports from the Intrushield device.

Configuring the Intrushield devices:

To enable the SecCenter A1000 server to generate reports on the log events streamed from IntruShield devices, edit the intrushield.ext file in the application path (Apppath ...\SCASyslog\Syslog) folder.

Each entry in the file has the following form:

<device IP> <Column names>

The IntruShield log columns must be semicolon separated, and each column identifier begins and ends with $.

Replace <device IP> with the IP address of the IntruShield device that streams data to the SecCenter A1000 server through syslog. For example, if 192.168.1.99 is the IntruShield device you want to report on, uncomment the <device IP> line and enter <192.168.1.99> followed by the respective columns.

To report on additional IntruShield devices, append a line with the device IP and its columns for each device.

SecCenter A1000 supports McAfee IntruShield logs only when they are collected by the syslog server; Log File is not supported as the data source for IntruShield.
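As an added illustration of the file layout described above (example code written for this edit; it is not shipped with SecCenter A1000 or McAfee IntruShield), the following Python parses intrushield.ext-style entries, flags a template line whose <device IP> placeholder was uncommented but not filled in, and applies a device's column list to a semicolon-separated message from that device. The sample file content and sample message are constructed. The use of # for commented-out lines, the exact spacing of an entry, and the assumption that the incoming message is itself semicolon separated are assumptions, not statements from the guide.

```python
"""Parse intrushield.ext-style device/column mappings (added example; not
product code). Assumed layout, inferred from the guide's description:
    #<device IP> $Col1$;$Col2$      <- shipped template, commented out
    <192.168.1.99> $Col1$;$Col2$    <- filled-in entry
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# One entry: '<ip>' then at least one space, then the column list.
ENTRY_RE = re.compile(r"^<([^>]*)>\s+(\S.*)$")
# A column identifier begins and ends with '$'.
COLUMN_RE = re.compile(r"^\$([^$;]+)\$$")


def parse_ext(text: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return ({device_ip: [column names]}, [error messages])."""
    mapping: Dict[str, List[str]] = {}
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or still-commented template (assumed '#')
        entry = ENTRY_RE.match(line)
        if not entry:
            errors.append(f"line {lineno}: expected '<ip> $Col$;$Col$...'")
            continue
        ip_text, columns_text = entry.groups()
        try:
            ip = str(ipaddress.ip_address(ip_text.strip()))
        except ValueError:
            # Typical mistake: template uncommented but '<device IP>' not replaced.
            errors.append(f"line {lineno}: '<{ip_text}>' is not an IP address")
            continue
        names: List[str] = []
        for token in columns_text.split(";"):
            col = COLUMN_RE.match(token.strip())
            if not col:
                errors.append(f"line {lineno}: column {token.strip()!r} must look like $Name$")
                break
            names.append(col.group(1).strip())
        else:
            if ip in mapping:
                errors.append(f"line {lineno}: duplicate entry for {ip}")
            else:
                mapping[ip] = names
    return mapping, errors


def map_event(mapping: Dict[str, List[str]], source_ip: str,
              message: str) -> Optional[Dict[str, str]]:
    """Label the fields of a semicolon-separated message from source_ip.

    Returns None when the device has no entry (nothing would be reported on)
    and raises if the field count does not match the configured columns.
    """
    names = mapping.get(source_ip)
    if names is None:
        return None
    values = [v.strip() for v in message.split(";")]
    if len(values) != len(names):
        raise ValueError(f"{source_ip}: got {len(values)} fields, mapping has {len(names)}")
    return dict(zip(names, values))


# Constructed sample file: the template line plus two filled-in devices.
SAMPLE_EXT = """\
#<device IP> $AttackName$;$SourceIP$;$DestIP$;$Severity$
<192.168.1.99> $AttackName$;$SourceIP$;$DestIP$;$Severity$
<192.168.1.100> $AttackName$;$Severity$
"""

# Constructed sample message as it might arrive from 192.168.1.99.
SAMPLE_MESSAGE = "Sample Signature;10.0.0.5;10.0.0.9;High"

# Template left uncommented without filling in the address: must be reported.
BROKEN_EXT = "<device IP> $AttackName$;$Severity$\n"


if __name__ == "__main__":
    mapping, errors = parse_ext(SAMPLE_EXT)
    print(mapping, errors)
    print(map_event(mapping, "192.168.1.99", SAMPLE_MESSAGE))
    print(parse_ext(BROKEN_EXT)[1])
```

Run parse_ext on the real file after editing it; an empty error list means every uncommented line names a valid device and a well-formed column list, which is the condition under which the reports above can be produced.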

Adding a Virtual Device or Interface

Follow the steps described below to add a virtual device or an interface. A primary device must be selected to monitor its virtual device or interface.

1.    Select a primary device from the devices regional server list and click Add Interface/VD.

2.    Select one of the available options:

v    Virtual Device

v    Interface

3.    For a virtual device, enter the IP address of the virtual device and click Save.

4.    For an interface, specify the Interface Direction (Internal or External), enter the IP address of the interface and click Save.

Note: Interface names have the prefix Iface-.

Deleting a Device

Follow the steps to delete a device:

1.    Select the device/s that you want to delete.

Note: By default, all devices that are not configured on the SecCenter A1000 syslog server are selected.

2.    Click Delete to delete the list of devices.

Deleting a device will also remove data pertaining to that device from the database.

3.    The device is then listed under the category Unconfigured Devices.

The ability to dynamically add or delete a device is important for MSSPs who often keep adding and deleting devices.

Configure Devices

While using the trial license, all the devices are configured automatically.

Under a permanent license, devices added from the Add Device wizard appear under Manually Added Devices, and devices auto-detected by the Device Manager are displayed as UnknownDeviceID. Both kinds can be configured from the Configure Devices screen.

On the Configure Devices screen you can enter the Location Name where you want to associate all the devices.

Configure Devices

The Configure Devices screen displays information about the following:

v    Internal IP/Name: This column displays information about the Internal IP/Name of the added devices.

v    External IP/Name: This column displays information about the IP addresses of the added devices.

v    Device Id: This column displays information about the Device Id of the added devices.

1.    Select one of the three identifiers above for each device you want to configure and click OK.

2.    All the manually added and unknown devices can now be licensed from the license manager or from the pop-up screen displaying the unlicensed devices.

Licensing Criteria

If the Device Manager finds a new device ID in the log file, it adds the device under the syslog server as UnknownDeviceId. A device added with the Add Device wizard is displayed under Manually Added Devices.

To specify the licensing criteria for a newly associated device, click the UnknownDeviceId or Manually Added Device link; the Licensing Criteria dialog opens. Specify the identifier on which this device must be licensed.

A device can be identified by any of the following three identifiers:

v    Internal IP/Name

v    External IP/Name

v    Device ID

Select any one of the identifiers and click Save. You are prompted to license the device either Now, Later, or Never. If you select Now, the device is immediately displayed as licensed on the Devices screen.

Note: The Devices are automatically licensed under a Trial License.

A device can be reported on only if it is licensed. Once a device is deleted, its license can be reused for another device.

Policies

SecCenter A1000 offers a visual interface to enforce collection policies. If your SecCenter A1000 is installed as the Central server, select a regional server from the Regional drop-down list and enforce the policies there; a policy defined on the Central server is pushed to that regional server.

Important: Policies defined in the Policy Manager do not apply to ISA and AV devices.

Collection Policy

This window displays the list of collection policy names. You can also Add, Edit and Delete a policy.

By default the application provides you with the following policies:

v    Default

v    Collect All

v    No Collection

You cannot edit/delete the default policies.

Add Collection Policy

1.    To add a collection policy, click Add button. The Add Collection Policy window opens.

2.    Specify a name for the collection policy.

3.    Select a group/device under syslog server/Device column and choose specific devices in that group on which you want to enforce the policy.

4.    Click Next.

5.    In the Event Collection section, specify the severity of events to write to the delta files, the severity of events to stream to the monitoring console, and which logs to store for the different activities occurring on the devices.


Important: By default the Monitoring option is unchecked. Only if you select this option, log events are considered for monitoring.


The Event Collection Screen

1.    To enable streaming of events to the Event Viewer, or to specify which events are written to the delta file, select the least urgent severity you want to include from the respective drop-down list; that severity and all more urgent ones are included. To view all events, or to write all events to the delta file, select Debug. The available severities, from most to least urgent, are:


v    Emergency

v    Alert

v    Critical

v    Error

v    Warning

v    Notice

v    Information

v    Debug


2.    Append Raw Log in Delta: Select a severity from the drop-down list to append the native (raw) logs to the deltas for events up to that severity level. Events outside the selection are not appended.

Note: Raw logs would be appended only for those devices that can stream their logs to SecCenter A1000 syslog server.

3.    You can specify to store Severity events, Attack events and Virus events. The severity level can be specified from the in-built list containing:


v    Emergency

v    Alert

v    Critical

v    Error

v    Warning

v    Notice

v    Information


4.    Finally, click OK.

Edit Collection Policy

You can edit a policy by changing the selection of Group Name/Device and can choose different devices to enforce the policy. Edit your preferences for collection policy as required and click Save.

The Hosts Screen

The Hosts window provides a graphical interface to manage, configure and see the status of the hosts configured in SecCenter A1000. You can also create policies for collecting data from the licensed hosts on this screen.

Hosts Screen

Add Host

When you add a host, you identify the host type, location, authentication, event types to be processed, and the alert settings.

Add Host selection screen

 

Add Host/Range

Select this option to add a single host or a contiguous range of host IP addresses. This option is useful when you only have the IP addresses of the hosts; multiple hosts can be added by specifying the range.

Add Host IP/Range

Follow the steps described below to add a host:

1.    Enter the IP of the host from where the SecCenter A1000 will collect the Event data. You can add either single or multiple hosts in a range. Click Next.

2.    Select the checkbox For all Hosts if you use a common user name and password to authenticate all or selected hosts.

3.    To authenticate the selected/added hosts, select the respective host and provide user name and password credentials. Click Apply.

Domain View

Select this option to add hosts according to the hierarchy of the existing network. This feature allows you to add hosts of a particular work group or a domain in the network. This option facilitates the administrators to logically organize the hierarchy of the network. 

Add Host – Domain View

To Add a Host in the Domain view:

1.    Select the hosts from where the SecCenter A1000 will collect the log data.

2.    Select the checkbox For all Hosts if you use a common user name and password to authenticate all or the selected hosts.

3.    To authenticate the selected/added hosts individually, select the respective host and provide user name and password credentials. Click Apply.

From CSV

Select this option to add hosts whose details are listed in a CSV file with the columns HostIp, HostName, Domain\Username or MachineName\User, Password, HostType, and Criticality.

From CSV

In the .csv file, HostType and Criticality are integer codes. For HostType, enter 0 for a Windows host and 1 for a UNIX host. For business Criticality, enter 0 for Low, 1 for Medium and 2 for High. Because the file contains passwords in clear text, restrict access to it and delete it once the hosts have been imported.

To add a host from CSV, follow the steps below:

1.    Browse to the location of the .csv file.

2.    The host can be added to an existing group or a new group. Further, you can specify the syslog collector for the host.

3.    Click Save.
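An added Python example (written for this edit, not a tool shipped with SecCenter A1000) that validates such a file before it is uploaded: it checks each row's IP address, the integer codes for HostType and Criticality, the Domain\User form for Windows accounts, and duplicate addresses, and produces a review listing that never shows the password column. The sample rows are constructed. That the file has no header row, and that credentials are mandatory only for Windows hosts, are assumptions.

```python
"""Validate a host-import CSV before uploading it (added example; not product
code). Column order follows the guide: HostIp, HostName, Domain\\User or
Machine\\User, Password, HostType (0=Windows, 1=UNIX), Criticality
(0=Low, 1=Medium, 2=High). Assumed: no header row, and the Domain\\User
format and a password are required only for Windows hosts.
"""
import csv
import io
import ipaddress
from typing import Dict, List, Tuple

FIELDS = ["HostIp", "HostName", "User", "Password", "HostType", "Criticality"]
HOST_TYPES = {"0": "Windows", "1": "UNIX"}
CRITICALITIES = {"0": "Low", "1": "Medium", "2": "High"}

Row = Dict[str, str]


def validate_host_csv(text: str) -> Tuple[List[Row], List[str]]:
    """Return (valid rows, error messages). Invalid rows are dropped."""
    rows: List[Row] = []
    errors: List[str] = []
    seen_ips = set()
    for lineno, record in enumerate(csv.reader(io.StringIO(text)), 1):
        if not record or all(not c.strip() for c in record):
            continue  # skip blank lines
        if len(record) != len(FIELDS):
            errors.append(f"line {lineno}: expected {len(FIELDS)} fields, got {len(record)}")
            continue
        row = dict(zip(FIELDS, (c.strip() for c in record)))
        problems = []
        try:
            ip = str(ipaddress.ip_address(row["HostIp"]))
        except ValueError:
            problems.append(f"bad HostIp {row['HostIp']!r}")
        else:
            if ip in seen_ips:
                problems.append(f"duplicate HostIp {ip}")
            seen_ips.add(ip)
        if not row["HostName"]:
            problems.append("empty HostName")
        if row["HostType"] not in HOST_TYPES:
            problems.append(f"HostType must be 0 or 1, got {row['HostType']!r}")
        elif HOST_TYPES[row["HostType"]] == "Windows":
            # Windows hosts are read over the network with these credentials.
            if "\\" not in row["User"]:
                problems.append("Windows account must be Domain\\User or Machine\\User")
            if not row["Password"]:
                problems.append("empty Password for Windows host")
        if row["Criticality"] not in CRITICALITIES:
            problems.append(f"Criticality must be 0, 1 or 2, got {row['Criticality']!r}")
        if problems:
            errors.append(f"line {lineno}: " + "; ".join(problems))
        else:
            rows.append(row)
    return rows, errors


def summary(rows: List[Row]) -> List[str]:
    """Human-readable review lines that never include the password column."""
    return [
        f"{r['HostIp']} {r['HostName']} type={HOST_TYPES[r['HostType']]} "
        f"crit={CRITICALITIES[r['Criticality']]} user={r['User'] or '-'}"
        for r in rows
    ]


# Constructed sample: three good rows followed by three deliberate mistakes
# (bad criticality code, impossible IP address, Windows user without domain).
SAMPLE_CSV = r"""10.1.1.10,dc01,CORP\svc-logcollect,S3cretPass!,0,2
10.1.1.20,web01,web01\Administrator,Passw0rd,0,1
10.1.1.30,syslog01,root,UnixPass,1,0
10.1.1.40,app01,CORP\svc-logcollect,S3cretPass!,0,5
300.1.1.1,typo01,CORP\svc-logcollect,S3cretPass!,0,0
10.1.1.50,web02,Administrator,Passw0rd,0,1
"""

if __name__ == "__main__":
    good, bad = validate_host_csv(SAMPLE_CSV)
    print("\n".join(summary(good)))
    print("\n".join(bad))
```

Review the summary output rather than the file itself when checking an import, so that the clear-text passwords are not copied into tickets or shell history.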

Adding a UNIX Host

From the Add Host page, while adding a UNIX host from any of the available three options to add a host, you need to manually enter/select the Host Type as UNIX operating system.

Before adding a UNIX host, you need to configure the syslog service on the host to send event logs to SecCenter A1000 syslog server.


Configuring the Syslog Service on a UNIX Host

1.    Log in as root and edit the syslog.conf file in the /etc directory.

2.    Append the line *.* @<server_name> at the end, with a tab between the selector *.* and the action @<server_name>, where <server_name> is the name of the machine on which the SecCenter A1000 syslog server is running. Note that *.* forwards every facility, including authpriv, and that syslog over UDP is neither authenticated nor encrypted, so keep the path between the host and the collector on a trusted network.

3.    Save the configuration and exit the editor.

4.    Edit the services file in the /etc directory so that the syslog udp entry points to the port on which the SecCenter A1000 syslog collector listens for UNIX events; syslogd looks up its destination port from this entry. By default the syslog collector listens on port 10888.

Note: The syslog collector can be configured to listen for UNIX events on any other port added under the Ports used to collect from hosts section of the Syslog Configuration -> Syslog Ports screen.

5.    Save the file and exit the editor.

6.    Restart the syslog service on the host with: /etc/init.d/syslog restart
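The procedure above, worked as an added Python example (written for this edit; it is not part of SecCenter A1000 or of any syslog distribution): it applies both file edits to the file contents as strings, so the result can be reviewed before anything is written under /etc, and it reports where syslogd will send once the services entry is changed. The sample file contents and the host name seccenter.example.net are constructed; the classic selector/action syntax of syslog.conf and a 'syslog 514/udp' entry in /etc/services are assumptions about the host's syslogd.

```python
"""Prepare the two edits the guide describes for a UNIX host (added example;
not product code): a catch-all forwarding rule in syslog.conf and the syslog
udp port in /etc/services. Works on file contents as strings so they can be
checked before being written. Assumed: classic syslog.conf syntax
(selector, whitespace, action) and a 'syslog  514/udp' services entry.
"""
import re
from typing import List, Tuple

# Matches an uncommented '*.*' rule that forwards to a remote host.
FORWARD_RE = re.compile(r"^\s*\*\.\*\s+@(\S+)\s*$")
# Matches the udp syslog entry in /etc/services, keeping any trailing comment.
SERVICES_RE = re.compile(r"^syslog\s+(\d+)/udp(.*)$")


def add_forwarding(conf_text: str, server: str) -> str:
    """Return syslog.conf contents with '*.*<TAB>@server' present exactly once."""
    lines = conf_text.splitlines()
    for line in lines:
        match = FORWARD_RE.match(line)
        if match and match.group(1) == server:
            return "\n".join(lines) + "\n"  # already configured; do not duplicate
    lines.append(f"*.*\t@{server}")  # tab between selector and action
    return "\n".join(lines) + "\n"


def set_syslog_udp_port(services_text: str, port: int) -> str:
    """Point the 'syslog' udp entry at the collector port (default 10888)."""
    out: List[str] = []
    found = False
    for line in services_text.splitlines():
        match = SERVICES_RE.match(line)
        if match:
            line = f"syslog\t\t{port}/udp{match.group(2)}"
            found = True
        out.append(line)
    if not found:
        out.append(f"syslog\t\t{port}/udp")
    return "\n".join(out) + "\n"


def forwarding_destinations(conf_text: str, services_text: str) -> List[Tuple[str, int]]:
    """Where syslogd will send: each '*.* @host' rule paired with the udp port."""
    port = 514  # default when /etc/services has no syslog/udp entry
    for line in services_text.splitlines():
        match = SERVICES_RE.match(line)
        if match:
            port = int(match.group(1))
    hosts = [m.group(1) for m in map(FORWARD_RE.match, conf_text.splitlines()) if m]
    return [(host, port) for host in hosts]


# Constructed before-images of the two files.
SYSLOG_CONF = "*.info;mail.none;authpriv.none\t/var/log/messages\nauthpriv.*\t/var/log/secure\n"
SERVICES = "ssh\t\t22/tcp\nsyslog\t\t514/udp\nntp\t\t123/udp\n"

if __name__ == "__main__":
    conf = add_forwarding(SYSLOG_CONF, "seccenter.example.net")
    svc = set_syslog_udp_port(SERVICES, 10888)
    print(conf)
    print(svc)
    print(forwarding_destinations(conf, svc))
```

To use it on a real host, read the two files, pass their contents through the functions, check forwarding_destinations shows the collector on the expected port, and only then write the results back and restart syslogd. Because the services entry is host-wide, every syslog rule that forwards with @ will use the new port, not just the SecCenter rule.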

Licensing Criteria

When a new Host is added, it is listed under the syslog server as UnknownHostId.

Licensing Criteria for Hosts

1.    To specify the licensing criteria to license the added host, click the UnknownHostId link. The Licensing Criteria window opens.

2.    SecCenter A1000 identifies the hosts by any one of the following two identifiers. Select any one from the following:

v    Host IP

v    Host Name

3.    Specify the location of the host you are about to configure and license.

4.    Select one of the options to license the host Now, Later, or Never.

5.    To license a host immediately, select Now. The host is licensed and then displayed as licensed.

6.    Click OK.

A host can be reported on only if it is licensed. Once a host is deleted, its license can be reused by another host.

Edit Host

When you edit a host, you modify the set of instructions identifying the host type, location, authentication, event types to be processed, and the alert settings.

The Edit Host window shows the details of an existing configured host that you have selected for editing. You will see the Host IP/Name, User Name, Password, Confirm Password, syslog collector and System Type associated with the host.

Only users with administrative privileges can edit the following fields:

v    User Name

v    Password

v    Syslog Collector

v    System Type

Delete Host

To delete a host, select the host and click Delete.


Configure

With the Configure button you can configure multiple hosts at one time. This is useful when you have a large number of hosts streaming logs to the syslog server. See Configure Hosts below for instructions.


Policy Manager

The Policy Manager enables you to enforce collection policies for the devices/hosts.

Regional and Host drop-down lists

On SecCenter A1000 Central, you can view all the configured regional servers. Select a regional server from the Regional drop-down list to view all the hosts configured to send event data to it.

Selecting Regional Servers from the Central Policy Manager:

Host Authentication

1.    Specify the hosts in the add host options and click Next.

2.    The Add Host wizard opens where you can see the details of the Regional Server where SecCenter A1000 is installed and the corresponding syslog collector.

3.    To add the host under a different syslog collector, specify the details of the new syslog collector in the New Syslog Collector box and click the Add button. The host will now be assigned to the new syslog collector. Click Next.

4.    Enter the user name and password for the Selected / Added Host(s).

Host Authentication screen

5.    Select the checkbox For all Hosts to log into all or selected hosts through a common User name and Password.

Note: The user name must be in the format Domain\User or Machine Name\User.

To add all hosts with a single authentication, create a common user with administrator privileges on all the hosts. Treat this account as highly privileged: SecCenter A1000 stores its credentials, and they grant administrative access to every host it is configured on.

6.    Specify the type of host you are adding from the System Type list box. Available options are

v    Windows

v    UNIX

7.    After the credentials are provided, click Apply and click Next to finish the add host operation.

8.    You will be notified that the add host operation is successful. Click the Close button.

Configure Hosts

On the Configure Hosts screen you can see and select all the hosts added from the add host wizard. 

Configure Hosts

You can enter the Location Name where you want to associate all the hosts on the Configure Hosts screen.

1.    Host IP: This column displays information about the IP addresses of the added hosts.

2.    Host Name: This column displays information about the Names of the added hosts.

3.    Select the IP addresses or the Names of the hosts you want to configure and click OK.

4.    All the configured hosts can be licensed from the license manager.


Policy Manager

SecCenter A1000 provides a visual interface to enforce the collection and compliance policies.

If your SecCenter A1000 is installed as the Central Server, select the regional servers from the Regional drop-down list and enforce the policies. Policy defined on the Central server will be reflected back to a regional server.

Collection Policy

This window displays information about the Policy Name and the Hosts associated with that Policy. You can also Add, Edit and Delete a Policy.

Add Collection Policy Window


By default, the application provides the following two policies:

v    Collect All

v    No Collection

You cannot delete the default policies but can edit them.

Add Collection Policy

1.    Specify the name of the policy.

2.    Select a Group Name/Host and choose specific hosts in that group on which you want to enforce the policy.

3.    Specify how often SecCenter A1000 retrieves events from the selected hosts.

4.    Get latest events after every: This is the frequency with which the syslog service retrieves logs from the hosts. The minimum interval is 15 minutes; the value can be specified in hours or minutes.

5.    Select the event types to be monitored. The syslog collection policy wizard has the facility to monitor events separately for Windows and UNIX systems.

Important: By default the Monitor hosts every option is unchecked. Only if you select this option, log events from the hosts are considered for monitoring.

6.    Event types to be monitored for Windows System:

The events in the log are classified into six categories. They are System, Security, Application, DNS Server, Directory Service, and File Replication. Application events further can be classified as Exchange Server, MSSQL Server, ISA Server, and Anti-Virus events. Each of these categories is further divided into six event severity types. They are:


v    Success

v    Error

v    Warning

v    Information

v    Audit Success

v    Audit Failure



7.    Select the appropriate events as required to be included in the report in their respective category.

Add Collection Policy screen for Windows host




8.    Event Collection Mechanism: Specify the mechanism SecCenter A1000 uses to collect information from the Windows hosts. You can choose to

v    Use WMI or

v    Use API

For Windows hosts it is recommended that the Windows Management Instrumentation (WMI) service is running on the host, so that a complete description of every generated event can be retrieved.

Event types to be monitored for UNIX System

The events in the log are classified into facilities Kernel, User, Mail, Daemon, Auth, syslog, Lpr, News, UUCP, Cron, Authpriv, Ftp, Local0 through Local7 and Mark. Each of these categories is further divided into eight severity types. They are


v    Emergency

v    Alert

v    Critical

v    Error

v    Warning

v    Notice

v    Information

v    Debug


9.    Select the events to include in the report in their respective categories.

Add Collection Policy screen for UNIX host
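The severity thresholds used by the device Event Collection screen earlier in this chapter and by the UNIX host collection policy above, shown as an added Python example (written for this edit, not code from SecCenter A1000): it decodes the syslog PRI of each line into facility and severity, then reports which lines a policy would stream to monitoring and which it would write to the delta, where each threshold admits the chosen severity and every more urgent one, and choosing Debug admits everything. The sample log lines are constructed. The facility names and numeric codes are the RFC 3164 ones; the guide's Mark facility is a syslogd internal marker with no PRI code and is not modelled.

```python
"""Apply a collection policy's severity thresholds to syslog lines (added
example; not product code). 'Up to' a severity means that severity and all
more urgent ones; Debug admits everything. Facility/severity codes are the
RFC 3164 PRI values (PRI = facility * 8 + severity).
"""
import re
from typing import Dict, Iterable, List, Optional

SEVERITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Information", "Debug"]            # codes 0..7
FACILITIES = ["Kernel", "User", "Mail", "Daemon", "Auth", "Syslog", "Lpr",
              "News", "UUCP", "Cron", "Authpriv", "Ftp", "NTP", "LogAudit",
              "LogAlert", "Clock"] + [f"Local{i}" for i in range(8)]  # 0..23

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(line: str) -> Optional[Dict[str, object]]:
    """Split '<PRI>msg' into facility/severity names; None if not syslog."""
    match = PRI_RE.match(line)
    if not match:
        return None
    pri = int(match.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        return None
    return {"facility": FACILITIES[pri // 8],
            "severity": SEVERITIES[pri % 8],
            "message": match.group(2)}


class CollectionPolicy:
    """monitor_up_to / delta_up_to name the least urgent severity accepted."""

    def __init__(self, monitor_up_to: str, delta_up_to: str,
                 facilities: Optional[Iterable[str]] = None) -> None:
        self.monitor_max = SEVERITIES.index(monitor_up_to)
        self.delta_max = SEVERITIES.index(delta_up_to)
        # None means every facility is selected in the policy.
        self.facilities = set(facilities) if facilities is not None else None

    def decide(self, line: str) -> Optional[Dict[str, object]]:
        event = decode_pri(line)
        if event is None:
            return None
        if self.facilities is not None and event["facility"] not in self.facilities:
            event["monitor"] = event["delta"] = False  # facility not selected
            return event
        code = SEVERITIES.index(event["severity"])  # lower code = more urgent
        event["monitor"] = code <= self.monitor_max
        event["delta"] = code <= self.delta_max
        return event

    def apply(self, lines: Iterable[str]) -> List[Dict[str, object]]:
        """Decisions for every syslog-formatted line; non-syslog lines are skipped."""
        return [e for e in (self.decide(line) for line in lines) if e is not None]


# Constructed sample lines (PRI = facility * 8 + severity).
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 host su: 'su root' failed for user on /dev/pts/8",  # auth.crit
    "<13>Oct 11 22:14:16 host app: user login ok",                          # user.notice
    "<86>Oct 11 22:14:17 host sshd: session opened",                        # authpriv.info
    "<191>Oct 11 22:14:18 host trace: verbose",                             # local7.debug
    "<0>Oct 11 22:14:19 host kernel: panic",                                # kern.emerg
    "not a syslog line",
]

if __name__ == "__main__":
    policy = CollectionPolicy(monitor_up_to="Error", delta_up_to="Notice")
    for e in policy.apply(SAMPLE_LINES):
        print(e["facility"], e["severity"],
              "monitor" if e["monitor"] else "-", "delta" if e["delta"] else "-")
```

A policy that monitors up to Error but writes deltas up to Notice, as in the sample run, will show the failed su in the Event Viewer and keep the login notice only in the delta; the authpriv informational line and the local7 debug line are dropped by both thresholds.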

 

Edit Collection Policy

Select a Group Name/Host and choose the specific hosts in that group on which you want to enforce the policy. Edit your preferences for collection policy as required and click Save

Advanced

SecCenter A1000 provides a visual interface to define account lockout policy for the configured hosts.

Setting the Account Lockout Policy: Select the option Set Account Lockout Policy to set the lockout policy for the hosts.

v    Account Lockout Threshold: Specify the number of failed logon attempts at which the account is locked.

v    Logon Attempt Interval minutes: Specify the time frame, in minutes, within which the failed logon attempts are counted.

If the threshold number of failed logons for an account occurs within the specified time frame, the account lockout policy is invoked.
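The lockout rule above, replayed over logon events as an added Python example (written for this edit; it is not SecCenter A1000 code and not its actual algorithm): failures are counted per account inside a sliding window of the configured interval, and the account is reported locked when the count reaches the threshold. The events are constructed. The assumptions that successful logons neither count nor reset the window, that failures from different source addresses count together, and that reaching (rather than exceeding) the threshold triggers the lock follow Windows lockout policy and are not stated in the guide.

```python
"""Replay the Advanced tab's account lockout policy over logon events (added
example; not product code): lock an account once `threshold` failures fall
inside a sliding window of `interval_minutes`. Assumed: failures are counted
per account regardless of source, successful logons neither count nor reset
the window, and reaching the threshold triggers the lock.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple, Tuple


class LogonEvent(NamedTuple):
    time: datetime
    account: str
    source_ip: str
    success: bool


def find_lockouts(events: List[LogonEvent], threshold: int,
                  interval_minutes: int) -> Dict[str, Tuple[datetime, List[str]]]:
    """Return {account: (time locked, source IPs of the failures that counted)}."""
    window = timedelta(minutes=interval_minutes)
    failures: Dict[str, Deque[LogonEvent]] = defaultdict(deque)
    locked: Dict[str, Tuple[datetime, List[str]]] = {}
    for ev in sorted(events, key=lambda e: e.time):  # order matters for the window
        if ev.success or ev.account in locked:
            continue
        q = failures[ev.account]
        q.append(ev)
        while q and ev.time - q[0].time > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            locked[ev.account] = (ev.time, sorted({f.source_ip for f in q}))
    return locked


def _t(hhmm: str) -> datetime:
    """Constructed timestamps on a single day, for the sample below."""
    return datetime(2024, 1, 15, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample: four accounts, to be run with threshold 3 within 10 minutes.
SAMPLE_EVENTS = [
    LogonEvent(_t("09:00"), "alice", "10.0.0.5", False),
    LogonEvent(_t("09:02"), "alice", "10.0.0.5", False),
    LogonEvent(_t("09:04"), "alice", "10.0.0.7", False),   # third failure in 4 min -> lock
    LogonEvent(_t("09:00"), "bob", "10.0.0.9", False),
    LogonEvent(_t("09:11"), "bob", "10.0.0.9", False),     # each failure falls outside the
    LogonEvent(_t("09:22"), "bob", "10.0.0.9", False),     # window of the previous one
    LogonEvent(_t("09:33"), "bob", "10.0.0.9", False),
    LogonEvent(_t("09:00"), "carol", "10.0.0.11", False),
    LogonEvent(_t("09:01"), "carol", "10.0.0.11", True),   # success does not reset the count
    LogonEvent(_t("09:02"), "carol", "10.0.0.11", False),
    LogonEvent(_t("09:03"), "carol", "10.0.0.11", False),  # -> lock
    LogonEvent(_t("09:00"), "dave", "10.0.0.13", False),
    LogonEvent(_t("09:05"), "dave", "10.0.0.13", False),
    LogonEvent(_t("09:10"), "dave", "10.0.0.13", False),   # exactly 10 min apart: still inside -> lock
]

if __name__ == "__main__":
    for account, (when, sources) in find_lockouts(SAMPLE_EVENTS, 3, 10).items():
        print(f"{account} locked at {when:%H:%M} after failures from {', '.join(sources)}")
```

The bob pattern (one failure every eleven minutes) is what a slow password-guessing attempt looks like to a threshold-and-interval rule: it never locks the account, which is why the interval should be chosen with that trade-off in mind rather than set very short.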

Test WMI

SecCenter A1000 provides a Test WMI utility in the UI to verify that events are being collected from a configured host through the WMI service.

Follow the steps given below, on the Hosts window to verify that the event collection from a host is being done using the WMI service:

1.    Select a configured host.

2.    Click on Test WMI from the host main window.

3.    If SecCenter A1000 is successfully collecting events from the selected host by using the WMI service the following test result is displayed:

 

SecCenter A1000 uses the WMI service to collect events from Windows hosts because WMI supports configuring security settings, setting and changing system properties, setting and changing permissions for authorized users and user groups, assigning and changing drive labels, scheduling processes to run at specific times, backing up the object repository, and enabling or disabling error logging.

 

Options

You can specify global settings on all the profiles you create or on individual profiles by using the Options tab. This helps you to control the way SecCenter A1000 operates and optimize its functionality. Following are the tabs in the options window:

v    General

v    Admin Alerts

v    Monitoring

v    Protocol

v    E-mail

v    Advanced

A Power User can only access the E-mail and Advanced tabs.

General Settings

By default, the built-in database is used for storing the device log data.

Disable Pinging: The syslog server pings the configured devices to determine their status. This can happen frequently and add load to the network; select this option to disable the pinging.

The General Settings Tab

Check for new device(s) every: Select this check box to check for the unconfigured devices every:

v    1 min

v    10 min

v    30 min

v    1 hour

Based on the interval selected, a pop-up window Unlicensed Devices is displayed whenever a new device is found, and you are prompted to configure and license it.
 

Monitoring Options

Click the Monitoring Options link to open the Set Monitoring Options window.

You can set the monitoring based on the following:

v    Maximum number of records for a Monitor

v    Maximum number of records for Event Viewer

Maximum number of records for a Monitor: This option specifies the maximum number of records considered for a monitor at a given instant. If more alert events are generated within the time period than the specified maximum, the excess events are dropped.

Maximum number of records for Event Viewer: Use this option to specify the maximum number of records that you want the event viewer to display. 

Note: Restart the SecCenter A1000 server for the changes to take effect.

Manage DB Collection Agent(s)

Use this option to manage all the DB collection agents configured in SecCenter A1000. The Manage DB Collection Agents window shows the Agent Type, DSN and Interval (min) of data collection for each configured agent.

You can Add, Edit or Delete a collection agent from this window. Following are the available DB agent types:  

v    Internet Scanner

v    Retina

v    CSA

v    MSSQL Audit Agent

v    Oracle Agent

v    STAT Guardian

 

Manage DB Agents Screen

Adding an Internet Scanner, Retina or CSA DB agent: Configure a DB agent for a vulnerability scanner so that SecCenter A1000 can connect to the scanner database and fetch its data for DSN-based profiles. Before creating a profile, add the scanner device manually from Devices -> Add Device with the device type Vulnerability Scanner.

1.    Agent Type: From the list, select the Internet Scanner, Retina or CSA agent you want to connect to.

2.    DSN Name: Enter the DSN name in the DSN Name box.

3.    User Name: Enter the user name in the User Name box.

4.    Password: Enter the password used to connect to the DSN in the Password box. Use an account that has only read access to the scanner database; SecCenter A1000 stores these credentials.

Note: When configuring eEye's Retina Network Security Scanner, user credentials are not required because the data source connection is unauthenticated.

5.    Select a Collection Interval from the drop-down list for the selected DB agent to fetch data from the Database server.

6.    Click Save to configure the above settings on the DB agent, else Cancel to abort the task.

Add MSSQL Audit Agent

To report on database activity, configure an MSSQL Audit Agent to collect information about database activity such as new users, OLEDB errors, SQL transaction events, and changes to the DB schema and permissions. The MSSQL Audit Agent operates at the data level and captures all methods of direct database access; the information it collects is used to generate reports on database activity.

Add MSSQL Agent Screen

Here is how to configure the MSSQL Audit agent to collect Database information:

1.    Agent Type: From the list, select MSSQL Audit Agent.

2.    Select the ID of the SQL server Host (All the licensed hosts are populated in this in-built list).

3.    Specify the DSN (Data Source Name) to connect to that particular database.

4.    Enter the Table Name where the SQL profiler has captured all SQL Server events.

5.    Select a Collection Interval from the drop-down list for the MSSQL Audit Agent to fetch data from the Database server.

6.    Click Save to configure the above settings on the MSSQL Audit Agent, else Cancel to abort the task.

Note: To enable SecCenter A1000 to fetch all the audit data from a SQL table, go to the Trace Properties in MSSQL server and select all the data columns and events for capturing and tracing.

1.    Start -> Programs -> MS SQL -> Profiler -> File -> Trace

2.    Connect to the SQL server and go to the Trace Properties.

3.    Click on the Events tab and select the following SQL server Event Classes:

v    Error & Warning

v    Object

v    Security Audit

v    Sessions

v    Transactions

v    TSQL

4.    Similarly, Click on the Data Columns tab and select all Data Columns.

 


Add Oracle Audit or STAT Guardian Agent:

To report on either Oracle Database activity or STAT Guardian vulnerability scanner, configure the respective agent from the Agent Type drop-down list.

An Oracle Audit Agent collects information about database activity, such as database access at unusual hours, users sharing database logons, and logon attempts by non-existent users. The Oracle Audit Agent operates at the data level and captures all methods of direct database access; the information it collects is used to generate reports on database activity.

Similarly a STAT Guardian agent will collect scanner activity, like STAT Guardian Vulnerabilities, Services, Ports, Users and also the Alternate Vulnerabilities.

Here is how to configure the Oracle agent to collect information from Oracle database:

1.    Agent Type: From the list, select Agent type that you want to connect to.

2.    Select the ID of the Oracle Host (All the licensed hosts are populated in this in-built list).

3.    Specify the DSN (Data Source Name) to connect to that particular database.

Note: The ODBC settings assume an Oracle 8.0 client by default. If Oracle 8 is not being used, modify the following registry values on the remote machine so that they reference the DLLs of the installed Oracle client version (for example oraclient10.dll and orasql10.dll for Oracle 10):

v    HKLM\Software\Microsoft\MSDTC\OracleXaLib: change oraclient8.dll to oraclientx.dll (for example oraclient10.dll).

v    HKLM\Software\Microsoft\MSDTC\OracleSqlLib: change orasql8.dll to orasqlx.dll (for example orasql10.dll).

4.    Select a Collection Interval from the drop-down list for the Oracle agent to fetch data from the Database server.

5.    Click Save to configure the above settings on the Oracle agent, else Cancel to abort the task.


Follow the procedure given below to configure the STAT Guardian agent to collect information from the STAT Guardian vulnerability scanner:

 

1.    Agent Type: From the list, select Agent type that you want to connect to.

2.    Select the ID of the STAT Guardian scanner (All the licensed scanners are populated in this in-built list).

3.    Specify the DSN (Data Source Name) to connect to that particular scanner database.

4.    Select a Collection Interval from the drop-down list for the agent to fetch data from the scanner Database.

5.    Click Save to configure the above settings on the STAT Guardian agent, else Cancel to abort the task.

Admin Alerts

Use the Admin Alerts screen to select the criteria on which you want to be alerted.

Admin Alerts

Add Admin Alert

1.    On the Admin Alerts screen, click the Add button. The Configure Admin Alerts window opens.

2.    Enter the alert details (Alert Name and Alert Description) in the Alert Details section.

3.    To specify the alert criteria, select one of the following:

v    Alert when user account is locked.

v    Alert when the specified device or devices are down.

v    Alert when the event count from specified devices exceeds a specified threshold.

v    Alert when storage space is less than the specified disk space. You can set either Warning or Critical e-mail alerts based on the availability of the storage space.

4.    Select the devices on which you want to generate admin alerts. Click Next.

Alert Notification

1.    Enter details of the method by which you want to be notified. Click Add to add a mail recipient.

2.    Enter the From and To times in hh:mm format and the recipient's e-mail address. If an alert is generated within that time window, the alert message is sent to the specified recipient.

3.    Click the Add button. The e-mail ID is added to the recipient list.

4.    Enter the subject and the message that should be appended to the alert notification.

5.    To configure your SMTP server, go to the E-mail dialog box in the Options tab. Click Save.

6.    Click Finish.
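The criteria and notification window described above, as an added example in Python (not code from SecCenter A1000): evaluate() raises an alert for each criterion that fires (locked account, device down, event count over the threshold, free disk space below the Warning or Critical level) and deliveries() selects the recipients whose From/To window covers the alert time, including windows that wrap past midnight. The device IPs, thresholds, e-mail addresses and free-space figure are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Optional, Tuple


@dataclass
class DiskThresholds:
    warning_free_mb: int    # Warning e-mail when free space drops below this
    critical_free_mb: int   # Critical e-mail when free space drops below this


@dataclass
class Recipient:
    email: str
    start: time   # "From" hh:mm
    end: time     # "To"   hh:mm

    def covers(self, when: datetime) -> bool:
        """True if the alert time falls inside the recipient's window.
        A window whose end is before its start wraps past midnight."""
        t = when.time()
        if self.start <= self.end:
            return self.start <= t <= self.end
        return t >= self.start or t <= self.end


@dataclass
class AdminAlertConfig:
    name: str
    monitored_devices: List[str] = field(default_factory=list)
    event_threshold: Optional[int] = None      # events per collection interval
    disk: Optional[DiskThresholds] = None
    recipients: List[Recipient] = field(default_factory=list)


def evaluate(cfg: AdminAlertConfig, event_counts: Dict[str, int],
             free_mb: int, locked_accounts: List[str]) -> List[Tuple[str, str]]:
    """Return (severity, message) for each criterion that fires.

    event_counts maps device IP -> events seen in the interval; a monitored
    device absent from it sent nothing and is reported as down.
    """
    alerts: List[Tuple[str, str]] = []
    for user in locked_accounts:
        alerts.append(("Warning", f"user account locked: {user}"))
    for dev in cfg.monitored_devices:
        if dev not in event_counts:
            alerts.append(("Critical", f"device down: {dev}"))
        elif cfg.event_threshold is not None and event_counts[dev] > cfg.event_threshold:
            alerts.append(("Warning", f"{dev}: {event_counts[dev]} events exceed threshold {cfg.event_threshold}"))
    if cfg.disk is not None:
        if free_mb < cfg.disk.critical_free_mb:
            alerts.append(("Critical", f"free disk space {free_mb} MB below {cfg.disk.critical_free_mb} MB"))
        elif free_mb < cfg.disk.warning_free_mb:
            alerts.append(("Warning", f"free disk space {free_mb} MB below {cfg.disk.warning_free_mb} MB"))
    return alerts


def deliveries(cfg: AdminAlertConfig, alerts, when: datetime):
    """Attach to each alert the recipients whose hh:mm window covers `when`."""
    return [(sev, msg, [r.email for r in cfg.recipients if r.covers(when)])
            for sev, msg in alerts]


# Constructed configuration and interval data (not real devices or people).
SAMPLE_CONFIG = AdminAlertConfig(
    name="core-health",
    monitored_devices=["10.0.0.1", "10.0.0.2"],
    event_threshold=1000,
    disk=DiskThresholds(warning_free_mb=5000, critical_free_mb=1000),
    recipients=[Recipient("ops@example.com", time(8, 0), time(18, 0)),
                Recipient("oncall@example.com", time(18, 0), time(8, 0))],
)
SAMPLE_COUNTS = {"10.0.0.1": 1500}     # 10.0.0.2 sent nothing this interval


def demo(hour: int, minute: int):
    """Evaluate the constructed interval and route the alerts at hh:mm."""
    when = datetime(2024, 1, 1, hour, minute)
    alerts = evaluate(SAMPLE_CONFIG, SAMPLE_COUNTS, free_mb=800, locked_accounts=["jdoe"])
    return deliveries(SAMPLE_CONFIG, alerts, when)


if __name__ == "__main__":
    for sev, msg, to in demo(22, 30):
        print(f"[{sev}] {msg} -> {', '.join(to) or 'nobody on duty'}")
```

A device that is down produces no events at all, so the "device down" criterion must be checked on the absence of a counter rather than on a count of zero; an alert raised outside every recipient's window is still recorded but reaches nobody, which is worth checking when the windows are configured.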

Protocol Setting

The Protocols and Services list box displays all the protocols that will be analyzed and reported on by SecCenter A1000 according to the groups in which they are categorized. For instance, the protocols POP3, SMTP, and IMAP4 are all assigned to the group ‘E-mail’ since they deal with sending and receiving e-mail. You can add additional protocols and assign them to existing or new groups, and generate a report on the protocol usage in which the protocols are categorized according to the groups.

The Protocol Settings Tab

A protocol is a set of rules for transferring data over the Internet. Some common protocols used are HTTP, FTP, SMTP, and TCP/IP. SecCenter A1000 reports on activity by protocol and on protocol families, which are groups of related protocols.

To add a protocol: Click Add. Enter the name of the protocol and the type of traffic it represents. For example, POP3 could be categorized under E-mail since it is used to retrieve e-mail.

v    Protocol/Port: Enter the protocol name (or port number).

v    Alias: Enter an alias for the protocol.

v    Group: Enter the name of the protocol group to which the protocol belongs.

v    Click Save.

The new protocol now appears in the protocol list.

The Add Protocol Screen

To edit a protocol: Default protocols cannot be edited, but user-defined protocols can. Select the protocol and change its name as needed.

To delete a protocol: Select a protocol from the list and click Delete. This will remove the protocol from the list.

Click Save.
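How protocol grouping feeds the protocol usage report, as an added Python example (not SecCenter A1000 code): built-in protocols carry a default group and cannot be edited, user-defined entries can be added by name or by port number to an existing or new group, and traffic is summed per group with unmatched records falling into an "Other" group. The default groups, the port map and the traffic records are constructed for illustration.

```python
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

# Built-in protocols: name -> (alias, group).  The page says defaults cannot
# be edited; the assignments below are illustrative.
DEFAULT_PROTOCOLS: Dict[str, Tuple[str, str]] = {
    "pop3": ("pop3", "E-mail"),
    "smtp": ("smtp", "E-mail"),
    "imap4": ("imap4", "E-mail"),
    "http": ("http", "Web"),
    "ftp": ("ftp", "File Transfer"),
}
# Well-known ports (IANA assignments) used when a record carries only a port.
DEFAULT_PORTS: Dict[int, str] = {25: "smtp", 110: "pop3", 143: "imap4", 80: "http", 21: "ftp"}


class ProtocolTable:
    """Protocol/Port, Alias and Group entries as on the Add Protocol screen."""

    def __init__(self) -> None:
        self._protocols = dict(DEFAULT_PROTOCOLS)
        self._ports = dict(DEFAULT_PORTS)
        self._user_defined = set()

    def add(self, protocol_or_port: str, alias: str, group: str) -> None:
        key = protocol_or_port.strip().lower()
        if key in DEFAULT_PROTOCOLS:
            raise ValueError(f"'{key}' is a default protocol and cannot be redefined")
        if key.isdigit():
            # A port entry is reported under its alias.
            self._ports[int(key)] = alias.lower()
            key = alias.lower()
        self._protocols[key] = (alias, group)
        self._user_defined.add(key)

    def edit(self, name: str, alias: Optional[str] = None, group: Optional[str] = None) -> None:
        key = name.lower()
        if key not in self._user_defined:
            raise ValueError("default protocols cannot be edited")
        old_alias, old_group = self._protocols[key]
        self._protocols[key] = (alias or old_alias, group or old_group)

    def delete(self, name: str) -> None:
        key = name.lower()
        self._protocols.pop(key, None)
        self._user_defined.discard(key)
        self._ports = {p: n for p, n in self._ports.items() if n != key}

    def resolve(self, protocol: Optional[str], port: Optional[int]) -> Tuple[str, str]:
        """Map a record to (protocol name, group); unknown traffic lands in 'Other'."""
        name = (protocol or "").lower() or self._ports.get(port, f"port-{port}")
        alias, group = self._protocols.get(name, (name, "Other"))
        return alias, group

    def usage_by_group(self, events: Iterable[dict]) -> Dict[str, int]:
        """Sum bytes per protocol group: the 'protocol usage by group' report."""
        totals: Counter = Counter()
        for ev in events:
            _, group = self.resolve(ev.get("proto"), ev.get("dport"))
            totals[group] += ev.get("bytes", 0)
        return dict(totals)


# Constructed traffic records (a device log would supply these).
SAMPLE_EVENTS = [
    {"proto": "smtp", "dport": 25, "bytes": 300},
    {"proto": None, "dport": 110, "bytes": 200},    # port only -> pop3
    {"proto": "http", "dport": 80, "bytes": 1000},
    {"proto": None, "dport": 8443, "bytes": 500},   # user-defined port below
    {"proto": "rdp", "dport": 3389, "bytes": 50},   # user-defined name below
    {"proto": None, "dport": 9999, "bytes": 10},    # nothing matches -> Other
]


def build_sample_table() -> ProtocolTable:
    table = ProtocolTable()
    table.add("8443", alias="https-alt", group="Web")
    table.add("rdp", alias="rdp", group="Remote Access")
    return table


if __name__ == "__main__":
    for group, total in sorted(build_sample_table().usage_by_group(SAMPLE_EVENTS).items()):
        print(f"{group:15} {total:>6} bytes")
```

The size of the "Other" bucket is the figure to watch: traffic that no protocol entry matches is not absent from the network, it is just invisible in the per-group report until an entry is added for it.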

E-mail Settings

Enter the required information for your SMTP mail server in the appropriate boxes.

The E-mail Settings Tab

v    SMTP:  Simple Mail Transfer Protocol is a protocol for sending e-mail messages between servers. An e-mail client using either POP or IMAP can then retrieve the messages.

v    Server: Host name of the mail server that accepts SMTP.

v    User ID: The user name of an account authorized to send mail through the server.

v    SMTP Server Requires Authentication: If your SMTP server requires authentication, select this check box and enter the user ID and password in the boxes provided.

v    Test SMTP: To verify your SMTP settings, you can send a test mail. To do this, enter the intended recipient’s e-mail ID in the Recipient's mail ID box and click the Send Test Mail button.

The E-mail Settings Screen

Follow the steps described below to specify the e-mail settings:

1.    Specify the authentication type to login to the SMTP server from the Type drop-down list.

2.    Enter the User name and Password.

3.    Specify the SMTP port number in the SMTP Port box.

4.    Click Save.

Monitoring

Forward: Select this option to forward all events to the SecCenter A1000 Central. Events are then monitored on both the Regional and the Central server: the Central monitors every event forwarded by the Regional, while the Regional monitors only the events above the selected severity level.

Forward Only Mode: Select this option to turn off monitoring on the regional. All events are then monitored only on the Central.

Click Save.

This option is available only on a SecCenter A1000 Regional server.

Advanced Settings

Some organizations separate their local network from the rest of the Internet by installing a gateway device such as a firewall or proxy. Such a device is configured to prevent particular types of access or information from entering the network; most block traffic flowing into the local area network while still allowing users to reach most resources outside it.

SecCenter A1000 lets you enter the details of such a device in the Device Configuration screen and use them later to connect to an FTP site from behind that device. You configure the device once and then assign that configuration to the sites that require it.

The following table lists the conventional device types and the information you must obtain and enter into SecCenter A1000 for each.

The Advanced Settings Tab

Select the authentication type from the Authentication Type drop-down list.

Type of Device              Information you must specify
Site                        Host Name (or Address), User Name (ID)
User after logon            Host Name (or Address), User Name (ID), Password
Proxy                       Host Name (or Address)
Transparent                 User Name (ID), Password
User with no logon          Host Name (or Address)
User FwID@remoteHost        Host Name (or Address), User Name (ID), Password
User RID@HostFwID           Host Name (or Address), User Name (ID), Password
User RID@FwID@Host          Host Name (or Address), User Name (ID), Password


1.    Enter the Host Name in the text box.

2.    Enter the User Name and the Password.

3.    Click Save.

To enter device information, obtain the details of your device from your network administrator.

App Status

The App Status (Application Status) screen displays information on the components that keep SecCenter A1000 up and running: the delta files, the status of log files, device IPs, log file names, last update date and time, file sizes, the components required for the installation, and scheduled tasks.

Syslog Statistics

This tab displays details of the syslog server on a Regional SecCenter A1000 server, including:

Syslog Statistics

v    Regional IP: Displays the IP address of the regional SecCenter A1000 server on which the syslog server is installed.

v    Syslog IP: Displays the IP address of the syslog server for which the statistics are being displayed.

v    Device IP: Displays the IP address of the device configured under a specific Syslog IP.

v    Start Time: Displays the start time of the refresh interval.

v    End Time: Displays the end time of the refresh interval.

v    Total Count: Displays the total number of events parsed.

v    Error Count: Displays the total number of events that could not be parsed.

Use the Refresh button to update the status of statistics displayed for the syslog server.

Monitoring Statistics

This tab displays the monitoring statistics of a Regional server, including:

Monitoring Statistics

v    Regional IP: Displays the IP address of the device on which the SecCenter A1000 Regional is installed.

v    Start Time: Displays the start time when monitoring began.

v    End Time: Displays the end time when the monitoring has finished.

v    Time in Seconds: Displays the total time in seconds, for which these statistics are displayed.

v    Total Events: Displays the total number of events monitored in a given time period.

v    Success Events: Displays the total number of events successfully monitored in a given time period.

v    Drop Events: Displays the total number of events dropped in a given time period.

Use the Refresh button to update the statistics displayed for the Monitoring module of the Regional server.

Tracking Logs

This tab displays information on the delta log files successfully received by SecCenter A1000 from a syslog server and updated to the database. If a single delta file saves records of multiple devices, corresponding device names are displayed. The following information can be viewed on the App Status screen:

v    Event Time: Timestamp of when the status “event” occurred.

v    Log File Name: The name of the log files.

v    Log Collection Method: Displays the file collection method, for example Syslog Delta, FTP or Local File.

v    Log Collection Status: Shows the status of log collection, for example "Started collecting from ftp://ftp.mysite.com" or "Completed".

v    Size: This is the total size (in Kilobytes) of the file that was collected or fetched.

v    Parser: The status of parsing activity is shown here as Started, Completed, or Failed.

v    Log Lines: Displays the total number of lines in the log file.

v    Lines Parsed: Displays the total number of lines that were successfully parsed. The number of lines that could not be parsed is Log Lines minus Lines Parsed.

v    Database Update: The status of the update is displayed as Started, Completed, or Failed.

Use the Clear Log Events button to delete the entries for old log files so that the details of newly processed log files can be displayed.

Tracking Log Status
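The counters shown on the Syslog Statistics and Tracking Logs tabs, as an added Python example (not SecCenter A1000 code) over constructed syslog lines: process_delta() produces Total Count and Error Count per device plus Log Lines and Lines Parsed for the delta file, and noisy_devices() applies the check a practitioner wants on those numbers, flagging any device whose unparsed share is above a tolerance, since unparsed events never reach reports or alerts. The line format (BSD syslog with a <PRI> header), the file name and the device IPs are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# Classic BSD syslog line: "<PRI>Mmm dd hh:mm:ss host tag: message".
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+):\s?(?P<msg>.*)$"
)


@dataclass
class DeviceStats:
    total: int = 0    # Total Count: events received from the device
    errors: int = 0   # Error Count: events the parser rejected


@dataclass
class TrackingRecord:
    log_file: str
    collection_method: str         # e.g. "Syslog Delta", "FTP", "Local File"
    log_lines: int = 0             # Log Lines
    lines_parsed: int = 0          # Lines Parsed
    parser: str = "Started"        # Started | Completed | Failed
    per_device: Dict[str, DeviceStats] = field(default_factory=dict)

    @property
    def lines_unparsed(self) -> int:
        return self.log_lines - self.lines_parsed


def parse_line(line: str) -> Optional[dict]:
    """Return the decoded event, or None when the line cannot be parsed."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                      # facility 0..23, severity 0..7
        return None
    return {"facility": pri // 8, "severity": pri % 8,
            "host": m.group("host"), "tag": m.group("tag"), "msg": m.group("msg")}


def process_delta(log_file: str, method: str,
                  records: Iterable[Tuple[str, str]]) -> TrackingRecord:
    """records: (device IP, raw line) pairs as the syslog server stored them.
    The device IP comes from the network sender, so it is known even for
    lines the parser rejects."""
    rec = TrackingRecord(log_file, method)
    for device_ip, raw in records:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        rec.log_lines += 1
        stats = rec.per_device.setdefault(device_ip, DeviceStats())
        stats.total += 1
        if parse_line(line) is None:
            stats.errors += 1
        else:
            rec.lines_parsed += 1
    rec.parser = "Completed" if rec.lines_parsed else "Failed"
    return rec


def noisy_devices(rec: TrackingRecord, max_error_ratio: float = 0.05) -> List[str]:
    """Devices whose Error Count share of Total Count exceeds the tolerance.
    A rising ratio usually means the device's log format changed or its
    parser no longer matches, i.e. events are silently missing from reports."""
    return sorted(ip for ip, s in rec.per_device.items()
                  if s.total and s.errors / s.total > max_error_ratio)


# Constructed delta file contents: two devices, two unparsable lines.
SAMPLE_DELTA = [
    ("10.1.1.5", "<34>Oct 11 22:14:15 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.1.1.20 PROTO=TCP DPT=445"),
    ("10.1.1.5", "<190>Oct 11 22:14:16 fw01 sshd: Accepted publickey for ops from 10.1.1.30 port 51412"),
    ("10.1.1.5", "garbage line with no syslog header"),
    ("10.1.1.7", "<999>Oct 11 22:14:17 sw02 snmpd: priority out of range"),
    ("10.1.1.7", "<13>Oct 11 22:14:18 sw02 link: port 7 down"),
]


if __name__ == "__main__":
    rec = process_delta("delta_20241011_2214.log", "Syslog Delta", SAMPLE_DELTA)
    print(f"{rec.log_file}: {rec.log_lines} lines, {rec.lines_parsed} parsed, "
          f"{rec.lines_unparsed} unparsed, parser {rec.parser}")
    for ip, s in sorted(rec.per_device.items()):
        print(f"  {ip}: total={s.total} errors={s.errors}")
    print("devices to check:", noisy_devices(rec))
```

Parse failures are counted per device rather than per file so that one chatty device with a changed format does not hide behind the healthy ones; the tolerance is a constructed default and should be tuned to how much parse loss a given log source can afford before detections based on it are unreliable.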

Scheduler

This tab shows the status of the regularly scheduled tasks configured for the different profiles. The Scheduler keeps a history of each run: whether it succeeded, what errors (if any) occurred, and related information. It gives you an overview of the tasks and their schedules, listing all reports scheduled to run, the profiles they are associated with, and their status. Use the Clear Scheduler Events button to delete all old events and display only the latest events created by the Scheduler tasks.

The Scheduler Tab

v    Event Time: Lists the date and time on which the scheduled report generation started.

v    Task Name: Lists the name of the task generating the report.

v    Profile Name: Lists the profile name associated with the task.

v    Status: Reports whether the task ran successfully or with errors; the error messages explain any problems the scheduled events encountered. This column also reports whether the scheduled report has been mailed and/or uploaded to the FTP site.

Only Administrators and Normal users have access to App Status information.

System Info

This tab displays details of the following:

System Information

v    Date Time: Displays the timestamp of when the System Info was fetched.

v    Regional IP: Displays the IP address of the Regional server to which this system is configured.

v    Host Name: Displays the hostname of the system.

v    Build Info: Displays the build number of the SecCenter A1000 which is currently installed on the system.

v    Server Type: Displays if the server type is of Central, Regional, or a Standalone.

v    Hard Disk: Displays the total and available disk space for each drive on the system, and the type of file system on each drive.

v    OS: Displays the operating system of the system running SecCenter A1000 server.

v    RAM: Displays the value for size of RAM on the system.

v    CPU Usage: Displays the percentage of CPU resources currently in use.

v    Install Path: Displays the path where the SecCenter A1000 server is installed on the system.


Use the Refresh button to update the system information after any change.

Users

You can create users with different access rights through the User Manager. This helps you manage your profiles and their associated policy settings securely.

Important: Only an admin user can access the User Manager.

The User Manager UI in SecCenter A1000 comprises the following three categories:

v    Users

v    Groups

v    Policies

User Manager Main Screen

Users

An administrator can create Administrator, Power User and User accounts. Only an admin user has access to all modules of the application. A Power User can access all other functionality except Devices, Groups, Hosts, Users, Licenses, Alerts, AppStatus and Topology, within a scope defined by the administrator. A User (Report User) can only run and view all or some of the instant reporting sections, as specified by the administrator.

You can add new user accounts to SecCenter A1000 by the following ways:

v    Create a new user

v    Import Windows System Users

v    Add Active Directory User

v    Import Active Directory users

Create a New User

SecCenter A1000 provides three levels of access rights: Administrator, Power User, and Report User.

Each of the user types and the rights it enjoys is discussed below:

v    Administrator: Users in this group have total control and can create, delete or edit any user with any right (administrator or normal), edit configuration settings, modify schedules, and add or delete licenses.

v    Power User: Users in this group can create, edit, delete, view profiles, schedule tasks and generate reports. A Power User is also allowed to access the settings in the Options dialog. However, this user is restricted from Groups, Devices, Hosts, Users, Licenses, Alerts and Topology.

v    User: Accounts in this group can only generate all or some of the instant report sections, according to the privileges assigned in the policy with which the user is associated. When creating a policy, you specify the report categories of devices and hosts accessible to the users associated with it. Note that there are separate reporting sections for devices and hosts.

Follow the steps described below to add a user:

1.    On the main screen, click Users. The User Manager screen opens.

2.    Select the Users option and click Add. The Add User dialog opens.

3.    Specify a login name for the user in the User Name text box.

4.    Specify the description for the user account you want to add.

5.    Enter the corresponding password in the Password text box and re-enter it in the Verify Password text box.

6.    Specify the valid e-mail ID of the user.

7.    From the user Groups drop-down list, select a group that defines the privileges for the user.

If you are creating a Power User, specify the device groups and devices the user may access and report on; for a Report User, specify the device groups and the report categories on which the user may generate reports.

8.    Click Save.

Note: Any Normal User account carried forward from a previous version of SecCenter A1000 is categorized as a Power User; such an account cannot be edited or deleted.

Option to customize the Report and Monitoring view

Users can change the look and feel of the Security Center.

Follow the steps described below to customize:

1.    Browse to select the top image you want to be present on the Security Center.

2.    Define the text and link colors used in the Security Center UI by selecting a color from the drop-down lists for each of the following:

v    Background: To set the Background color for the Security center tree.

v    Foreground: To set the colors of the Text.

v    Link: To select the color the Link should change to on a mouse hover.

v    Selection BG: To set the color of the background when a tree node is selected.

3.    Click Save.

Editing a User

While editing a user on the Edit User screen, you can change all of the available fields except the User Name.

Import Windows System Users

Native OS user authentication lets you leverage single sign-on, eliminating the need to maintain separate security credentials.

Note: You can import only user accounts that already exist in the Windows operating system.

To create and import a new Windows user account into SecCenter A1000, first define the user in Windows under Control Panel → Administrative Tools → Computer Management → System Tools → Local Users and Groups. The new account then appears in the Add User window and can be imported into SecCenter A1000.

Importing User Accounts from Windows Operating System

1.    Select Import Windows System Users from the Add User wizard. Click Next.

2.    A window opens listing all existing user accounts in the Windows operating system.

3.    Select the user accounts that you want to import into SecCenter A1000 and the group to add them to.

4.    Configure at least one device on which the user can monitor or report.

5.    Click the icon to move the user into the assigned user list.

6.    Click Finish.

Note: By default users cannot report on any devices. Administrator must grant them the privilege to access device and report sections.

Add Active Directory User

SecCenter A1000 can add an individual domain user to a specific group. No domain privileges are required; you add the user directly with the domain account credentials.

Add Active Directory User:

1.    Select Add Active Directory User in the Add User wizard. Click Next.

2.    A window opens where you enter the Active Directory server details.

3.    Specify the Domain name and the Server Name/IP of the Active Directory server.

4.    Enter the Active Directory Port for the server. Port 389 (plain LDAP) is used by default; if your directory offers LDAP over SSL, use its port (636 by default) so that the bind credentials are not sent in clear text.

5.    Optional Settings: Specify the User Name and Password of the domain account with which this user will log in to SecCenter A1000, then click Validate User to check the credentials against the directory.

6.    Click Next.

Import Active Directory Users

SecCenter A1000 supports the use of an external LDAP-enabled directory to authenticate and authorize users on a per group basis.

LDAP group-based authentication for the SecCenter A1000 appliance can be configured to use Microsoft Active Directory. Because authentication stays centralized in the directory, a security administrator always knows who is accessing network resources and can define user- or group-based policies to control access.

Active Directory natively supports a fully integrated public key infrastructure and secure Internet protocols such as LDAP over SSL, letting extranet users access information beyond their firewall.

Important: Configure your Active Directory server details before you import its user accounts into SecCenter A1000.

Importing Active Directory Server User Accounts:

1.    Select Import Active Directory Users from the Add User wizard. Click Next.

2.    A window opens listing all existing user accounts on the Active Directory server.

3.    Select the user accounts that you want to import into SecCenter A1000 and the group to add them to.

4.    Click the icon to move the user into the assigned user list.

5.    Click Finish.

User Sessions

Click View User Sessions to open the User Sessions screen. This screen records a history of users accessing SecCenter A1000 and gives you an overall view of user activity. It lists every user who logged on to SecCenter A1000, the client machine name, and the date and time of login. The currently logged-in admin user can clear all recorded user sessions by clicking the Clear Sessions button.

v    Status: This reports the operation (login or logout) that the user performed.

v    User Name: This lists the user name with which the user logged on to SecCenter A1000.

v    System: This lists the client machine from which the user logged on to SecCenter A1000.

v    Date: This lists the date and time on which the operation was performed.

Groups

Using the Groups option, an administrator can create groups and define the policy-bound users who belong to them. You can also define a policy from the Groups option and associate it with the users who belong to the selected group.

Add Group

Using the Add Group wizard, an administrator can create a group, add existing users to the group and also associate policies.

1.    Specify a Group Name that you want to define and give an appropriate Group Description.

2.    The Add Group window lists all existing user accounts in the application.

3.    Select the users whom you want to make part of this group.

4.    Select a policy you want to associate with from the Policies drop-down list or define a new policy for the group.

5.    Click Save.

Policies

Using the Policies option, an administrator defines the criteria for granting permission to use the Monitoring and Reporting modules.

1.    Specify a Policy Name that you want to define and give an appropriate Policy Description.

2.    Select the modules which a user can access if associated with this policy. Modules available for the user are:

v    Access Using Portal

v    Monitoring

v    Reporting

v    Access Using Console

3.    Access Using Portal: If the Reporting module is selected, click Next; the query selection screen opens.

4.    Select the query sections on which a user associated with this policy can report.

5.    Access Using Console: If this module is selected, select from the drop-down list the user whose sole responsibility is to monitor the alerts of the target user.

6.    Finally, click Finish.

Audit Triggered Alerts

Using this option, an admin user can create a user account whose sole purpose is to monitor the alerts generated for a specific user.


How to create and assign privileges to an Audit User?

1.    Create a Power User account (the sample user) from the User Manager.

2.    Create another user account (the Audit User) whose only purpose is to monitor/audit the alerts triggered for the policies created by the sample user.

3.    When assigning the policy, select the Access Using Console module and select the Audit User (created in step 2) from the drop-down list; that user will monitor and acknowledge the alerts triggered for the sample user.

4.    Create a group for the Audit User and assign the Audit User policy to it.

5.    When the Audit User (created in step 2) logs in to the application, he can audit and acknowledge the alerts triggered by the policies created by the sample user.

Alerts UI for the Audit User
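The access model of the Users, Policies and Audit Triggered Alerts sections, as an added Python example (not SecCenter A1000 code): administrator-only modules, a Power User limited to the devices granted to him, a Report User limited to the query sections of his group's policy, and an Audit User who can acknowledge another user's alerts only when that user's policy names him under Access Using Console. Account names, groups and device names are constructed.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, Optional, Set

# Modules the page reserves for administrators.
ADMIN_ONLY = frozenset({"Devices", "Groups", "Hosts", "Users", "Licenses",
                        "Alerts", "AppStatus", "Topology"})
# Modules a policy can grant.
POLICY_MODULES = frozenset({"Access Using Portal", "Monitoring", "Reporting",
                            "Access Using Console"})


@dataclass(frozen=True)
class Policy:
    name: str
    modules: FrozenSet[str]
    report_sections: FrozenSet[str] = frozenset()  # query sections for Reporting
    console_auditor: Optional[str] = None          # user chosen under Access Using Console

    def __post_init__(self):
        unknown = self.modules - POLICY_MODULES
        if unknown:
            raise ValueError(f"unknown modules in policy {self.name}: {sorted(unknown)}")


@dataclass
class Group:
    name: str
    policy: Policy


@dataclass
class User:
    name: str
    role: str                                       # Administrator | Power User | User
    group: Optional[Group] = None
    devices: Set[str] = field(default_factory=set)  # devices/device groups granted by the admin

    @property
    def policy(self) -> Optional[Policy]:
        return self.group.policy if self.group else None


def can_open_module(user: User, module: str) -> bool:
    if user.role == "Administrator":
        return True
    if module in ADMIN_ONLY:
        return False                           # never for Power Users or Users
    if user.role == "Power User":
        return True                            # everything else; scope set by devices
    pol = user.policy                          # Report User: only what the policy grants
    return pol is not None and module in pol.modules


def can_report_on(user: User, device: str, section: str) -> bool:
    """Instant-report check: the device must be granted to the user, and a
    Report User additionally needs the query section in the group's policy."""
    if user.role == "Administrator":
        return True
    if device not in user.devices:
        return False                           # users report on no devices by default
    if user.role == "Power User":
        return True
    pol = user.policy
    return pol is not None and "Reporting" in pol.modules and section in pol.report_sections


def can_acknowledge_alerts(actor: User, target: User) -> bool:
    """Audit-user rule: actor may audit/acknowledge target's alerts only if
    target's policy enables Access Using Console and names actor there."""
    if actor.role == "Administrator":
        return True
    pol = target.policy
    return (pol is not None and "Access Using Console" in pol.modules
            and pol.console_auditor == actor.name)


# Constructed accounts: an administrator, a Power User (the "sample" user whose
# policies raise alerts), a Report User, and the Audit User that watches sample.
SAMPLE_POLICY = Policy("sample-policy", frozenset({"Monitoring", "Reporting", "Access Using Console"}),
                       console_auditor="auditor")
REPORT_POLICY = Policy("report-only", frozenset({"Access Using Portal", "Reporting"}),
                       report_sections=frozenset({"Attacks", "Protocols"}))
AUDIT_POLICY = Policy("audit-console", frozenset({"Access Using Console"}))

USERS = {
    "admin": User("admin", "Administrator"),
    "sample": User("sample", "Power User", Group("ops", SAMPLE_POLICY), {"fw01", "sw02"}),
    "rpt": User("rpt", "User", Group("readers", REPORT_POLICY), {"fw01"}),
    "auditor": User("auditor", "User", Group("auditors", AUDIT_POLICY)),
}

if __name__ == "__main__":
    for who, module in (("sample", "Licenses"), ("rpt", "Reporting"), ("rpt", "Monitoring")):
        print(f"{who} opens {module}: {can_open_module(USERS[who], module)}")
    print("rpt reports Attacks on fw01:", can_report_on(USERS["rpt"], "fw01", "Attacks"))
    print("auditor acks sample's alerts:", can_acknowledge_alerts(USERS["auditor"], USERS["sample"]))
```

The model takes the Policies section at its word that the Access Using Console selection belongs to the policy of the user being audited, not to the auditor's own policy; it also keeps the default-deny that the Import Windows System Users note states, so a user with no granted devices can report on nothing even when his policy lists report sections.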

 

 

Licenses

This chapter describes how to license your copy of SecCenter A1000 and the devices/hosts you want to report on, and how to manage your licenses.

In a distributed setup, licensing a device/host is possible only from the SecCenter A1000 Central Server.


Licensing Devices Identified by SecCenter A1000 Syslog Server

When the syslog server streams a device ID that is not yet known, the device is added under the syslog server as UnknownDeviceId. Click the UnknownDeviceId link and specify the criteria on which you want this device licensed.

Note: If you are evaluating a trial copy of SecCenter A1000, streaming devices are licensed automatically.


A device can be identified by any of the following three identifiers:

v    Internal IP

v    External IP

v    Device ID

Select an identifier and click Save. The device can be licensed now, later, or never.

If you select Now, the device is licensed immediately. If your SecCenter A1000 installation is a Regional, a device identified by the syslog server can only be added; licensing such devices is possible only from the SecCenter A1000 Central server.

Only licensed devices can be reported on.

Licensing an Unconfigured Device

Follow the steps described below to license an unconfigured device:

1.    Identify the IP address in the log file and add it under Devices/Groups.

2.    On the License Manager screen, select the Licenses tab.

3.    Select a license key and click Manage.

4.    Click Add Device. The Add Device screen opens. Select the device you want to license and click Save.

The specified ID that is either internal/external IP or device ID must match the one provided by the device in the log files.

The License Manager Screen

The License Manager comprises three tabs, each of which is explained in the sections below:

v    Licenses

v    Licensed Devices

v    Options

Licenses

On this screen, you can add, manage, update, or delete a license. It also displays the following information:

v    License Key

v    Devices (Used/Remaining Licenses)

v    Host (Used/Remaining Licenses)

v    Type

The Licenses Screen

Adding a License

You can add a new license on this screen, in either of the following two ways:

v    Select file

v    Enter Manually

Follow the steps described below to add a license:

1.    Click Add. The Add License screen appears.

2.    If you have selected the Select file option, browse to the path where the .lic file is located.

3.    If you have selected the Enter manually option, enter the license and the corresponding signature key in the text area.

4.    Click Add.

Before licensing a device, make sure it is configured.

Add License Screen

Managing a License

You can manage an existing license key from here, and view the count of devices already licensed and those still to be licensed.

Manage License

To manage a license key, select it and click the Manage button in the License Manager → Licenses tab.

Adding a Device

Follow the steps described below to add a device:

1.    Click Add Device. The Add Device screen appears.

2.    Select the device that you want to license from the list of unconfigured devices.

3.    Click Save.

Adding a Host

Follow the steps described below to add a host:

1.    Click Add Host. The Add Host screen appears.

2.    Select the hosts that you want to license from the list of hosts.

3.    Click Save.

Editing a Device

You can replace an existing device with a new device. Before doing this, make sure that the device that you want in place of the existing device is added in the Devices/Groups and available in the License Manager as an Unconfigured device.

Follow the steps described below to edit a device:

1.    In the Manage License window, select a device and click Edit.

2.    Enter the IP address of the device you want in place of the existing device.

3.    Click OK to confirm.

You can edit a primary device license no more than twice.

Editing a Host

You can replace an existing host with a new host. Before doing this, make sure that the host that you want in place of the existing host is configured and available in the License Manager.

Follow the steps described below to edit a host:

1.    In the Manage License window, select a host and click Edit.

2.    Enter the IP address of the host you want in place of the existing host.

3.    Click OK to confirm.

You can edit a primary host license no more than twice.

Updating a License

On the Update License screen you can update the current license with a new one. You can update a license in two ways:

v    Select file

v    Enter manually

Update License

Follow the steps described below to update a license:

1.    In the License tab, select a license and click Update.

2.    If you have selected the Select file option, browse to the path where the .lic file is located.

3.    If you have selected the Enter manually option, enter the license and the corresponding signature key in the text area.

4.    Click Update.

Licensed Devices

This screen displays all the licensed devices, and number of days left before the license for each device expires.

Licensed Devices

v    Click Close to close the Licensed Devices screen.

Options

This section describes the options available on your license.

Licensing Options

Export Identifier

Click this button to save the Network Identifier to a text file in the SecCenter A1000 installation directory; the identifier is exported to C:\Program Files\SecCenterA\SCASystemIdentifier.txt. To generate the license key, you must send this file to H3C manually.

Security Center

On the SecCenter A1000 GUI, the Security Center button takes you to the Monitoring and Reporting portals.

Reporting: This feature allows you to configure and generate reports. In addition to default reports that are non-editable, you can create custom reports tailored to meet your unique requirement. You can drill-down and obtain additional details for a selected top-level query. 

Monitoring: This feature lets you monitor predefined criteria, giving insight into essential system events. You can create your own views to monitor recently detected viruses, attack detections, emergency events, alert events, warning events, average events per second, port activity, protocol activity, and more.

Security Center- Reporting

The Security Center is where you can create and generate a report to view a single query on the fly, without creating a profile. This is useful when you want to view the data for a single query quickly.

Reports generated on a Central machine will contain information about only the top records for each query type from all the Regional servers.

Access to the Security Center depends on the login privileges of the user. See the Users section for information on the user types and the privileges associated with each.

If you have logged in as a Power User or User account, you can report only on those devices/reporting sections for which you have permissions.

The Reporting Portal

There are seven distinct time periods for which you can generate a Security Center report:

v    Most recent completed hour

v    Cyclic aggregate by the 24 hours of the day

v    Most recent completed day

v    Cyclic aggregate by the seven days of the week

v    Most recent completed week

v    Most recent completed month

v    Longer sequences of months.

When you click a report link, the top-level report in the main section of the Security Center is replaced by the new report. An Instant Report generated by the Security Center consists of three major sections:

v    The calendar frame, from where you specify the time period.

v    The table of contents frame, which controls the report or dashboard being viewed.

v    The report frame, which displays the results.

Calendar Frame

The toggle icon at the top left corner of the Reporting window opens the complete Calendar Frame, which you use to apply time filters across the available reports. The buttons on the Calendar select different time periods: the Month Selector button changes the month shown in the Calendar; the Select Week buttons along the right-hand side select the corresponding week; and the three buttons along the bottom are View Month, View Quarter and View All.

By using the Calendar you can select custom date ranges. To select a contiguous date range, hold down the Shift key and click the desired days. To select non-contiguous days, hold down the Ctrl key and select the desired days.

Table of Contents Frame

The Table of Contents displays a list of the available Report Chapters. To expand or collapse a Chapter, click the arrow to the left of the Chapter name. Some Chapters contain sub-Chapters. Sub-chapters can also be expanded and collapsed by clicking on the corresponding arrow. Click the Report Name to view the report. 

All queries that fall under a common category are grouped in a single section, so you can see all related queries under the required category and obtain more precise information from the log data.

For example, all queries related to attacks and attackers are shown under one section, Attacks.

A few Attack Queries:

v    Attacks

v    Attacks Allowed and Denied

v    By Port

v    By Rule

v    By Target

v    By URL

v    External Attacks By Source

v    Internal Attacks by Source

v    Overall Attacks

v    Overall Attacks Per Application

v    Top Allowed Attackers

v    Top Attacked Destinations by Day

v    Top Attacked Destinations by Device

v    Top Attacked Ports by Day

v    Top Attacked Ports by Device

v    Top Attacked Protocols by Day

v    Top Attacked Protocols by Device

v    Top Attackers

v    Top Attackers by Hour of the Day


Note: For queries based on Hour of the Day, the number of records is fixed at 24 and the number of sub-records at 10, so the option to customize the record count is not functional when generating a report from these queries.
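As an added illustration of what an hour-of-the-day query such as Top Attackers by Hour of the Day computes (example code written for this guide, not SecCenter A1000 code): the report always has 24 hourly records, and each record lists at most 10 attacking sources, which is why the record-count option has no effect on these queries. The event records below are constructed, and the field layout is an assumption.

```python
"""Added example (not SecCenter A1000 code): build a "Top Attackers by Hour of
the Day" style report from constructed attack records.

The report shape is fixed: 24 hourly records, each with up to 10 sub-records
(the most active attacking sources in that hour).
"""
from collections import Counter, defaultdict
from datetime import datetime

HOURS = 24          # fixed number of records for hour-of-day queries
SUB_RECORDS = 10    # fixed number of sub-records (sources) per hour

# Constructed sample events: (timestamp, source IP, attack name).
SAMPLE_EVENTS = [
    ("2024-01-15 02:13:05", "203.0.113.7",  "SQL injection"),
    ("2024-01-15 02:41:52", "203.0.113.7",  "SQL injection"),
    ("2024-01-15 02:58:10", "198.51.100.4", "Port scan"),
    ("2024-01-15 13:02:33", "198.51.100.4", "Port scan"),
    ("2024-01-15 13:07:45", "198.51.100.4", "Port scan"),
    ("2024-01-15 13:59:59", "192.0.2.200",  "Brute force"),
    ("2024-01-16 02:05:00", "192.0.2.200",  "Brute force"),
]


def top_attackers_by_hour(events, sub_records=SUB_RECORDS):
    """Return a list of 24 (hour, [(source, count), ...]) tuples.

    Events from different days fall into the same hour bucket; that is the
    point of an hour-of-day query, which shows when in the day attacks cluster
    rather than on which date.
    """
    per_hour = defaultdict(Counter)
    for timestamp, source, _attack in events:
        hour = datetime.strptime(timestamp, "%Y-%m-%d %H:%M:%S").hour
        per_hour[hour][source] += 1
    report = []
    for hour in range(HOURS):
        # most_common() sorts by count, highest first; ties keep first-seen order
        report.append((hour, per_hour[hour].most_common(sub_records)))
    return report


def hours_with_activity(report):
    """Hours (0-23) whose record has at least one sub-record."""
    return [hour for hour, subs in report if subs]


if __name__ == "__main__":
    for hour, subs in top_attackers_by_hour(SAMPLE_EVENTS):
        if subs:
            print(f"{hour:02d}:00", ", ".join(f"{src} ({n})" for src, n in subs))
```

Quiet hours are kept as empty records so the report always has 24 rows; the `sub_records` argument exists only to show where the fixed limit of 10 applies.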

 

Global show/hide Graphs

Click the Global Show/Hide toggle icon to hide the graphs for all reports available in the reporting center. You can also hide the graph for an individual query with the Hide Graph option local to that report.

Report

The report frame on the right side of the Desktop displays either the report or dashboard chosen in the Table of Contents for the time frame chosen in the calendar. The default item to appear in the report frame is usually the dashboard for the default template.

Use the Calendar, the Table of Contents, or click on the title of a graph or table in the Dashboard to navigate to the content you want to view.

Drill down

Instant Reports provide the ability to drill down into a report to obtain further details. This is extremely useful when you want to study the behavior of a specific user or find out what contributed to the numbers present in the reports.

How to drill-down?

From the instant report, right-click any value in the table to open the Workbench view.

Select the attribute(s) on which you want to narrow your scope, click the Drill-down button, and the resulting information based on your selection is displayed in a separate window.


Exporting a Report

You can export each instant report to a PDF file by clicking the PDF icon found at the top right-hand corner of the report frame.

The Back button is especially useful when performing drill-downs (see the Additional Function Bar).

Reading a Report

All reports consist of a title, a short description, and a table of results. In most reports, each table and graph is color-coded to help you relate items in the table to items in the graph, even when there are more results than can be displayed in the table or graph. Each report has a unique help card, which you can view by clicking the Help button on the report title bar; the help card contains information to help you interpret and make use of the information displayed in the report.

Utility Options

In the upper right-hand corner of the Reporting Portal, you can find the commonly used utility options of the reporting center. They are:

v        Manage Views

v        Options

v        Export Report

Additional options available on the reporting center:

Refresh: Click the Refresh button to show the current available data on the Reporting Window.

Help: The Help icon brings up a Help window with additional information about the Reporting center.

 

Pane Options

Query By: Click the Query By button to change the classification of the selected query and generate the report By Day, By Device, By Group or By Event Class. Note that some queries are classified only by device. If you have created an Event Class through a Policy to bring together a set of events sharing common variable(s), you can Query by that Event Class and generate a report on it from the reporting center.

Note: Event Classes created in the Policies module are populated in the Query By drop-down list on the reporting center, and an exclusive report can be generated on the selected Event Class.

The Query By Day option cannot be applied in conjunction with the View Quarter or View Year date filters in the calendar.

Snap: With the snap icon you can maximize the view of the pane.

Note: This icon is visible only when filters are applied to the query. Click it to show or hide the applied filters.

Print: With the print icon the user can print the displayed report.

Filters: With the filter icon the user can narrow the scope of the displayed report, expand the number of records displayed and also change the graph type.

Export to PDF: You can export each instant report to a PDF file by clicking the PDF icon found at the top right-hand corner of the selected pane.

Hide Graph: By default the Reporting Pane is divided into two horizontal halves: the graph-type report is displayed in the upper half and the table-type report in the lower half. Click the Hide Bar toggle icon to hide the graph and get a better view of the associated tabular report.

Graph Type: By default the graph type displayed is the 2D BAR graph. You can select to view the graph type in the following formats:


v        2D_BAR

v        3D_BAR

v        2D_PIE

v        3D_PIE

v        2D_TAPE

v        3D_TAPE

v        2D_HORIZONTAL

v        3D_HORIZONTAL

v        2D_AREA

v        3D_AREA


The type of graph depends on the kind of data available for that Query.

Graph legends, the key to the data plotted on the graph, are shown on the reporting center depending on the graph type and the number of records. For pie charts, the legend is shown only if the selected query has no more than 24 records; for other graph types, only if the query has no more than 12 data elements.

For single-row data, only a line graph is displayed, irrespective of the graph option selected.

Graph Criteria: You can select to view the graphs based on event count or by bytes transferred for each query selected.

v        Count

v        Bytes

Most of the queries support only the count criteria. Queries based on Data transfer support both Count and Bytes graph criteria.

No. Records & Sub-Records: From here you can specify the number of records and sub records that you want to view in your selected report.

Manage Views

In the Security Center of SecCenter A1000 you can create your own customized views. By default, the Manage Views window shows the queries of the default view.

Creating a Custom View

Follow the steps described below to create your own view by selecting the queries you want to view:

1.    Click Manage Views from the main screen. The Manage Views window opens.

2.    The window shows the default views available with the application and the corresponding queries for the selected view.

3.    To define a new view, click New. The Create View window opens.

4.    Enter a name for the view in the View Name box. Select the number of queries you want to assign to this view from the drop-down list.

5.    Select the required queries from the list and click OK.

6.    To make this view your default view, select it from the Views drop-down list on the Security Center and click Set as my default.

7.    Click Restore default to revert back to dashboard views.


Note: Only user-defined views can be edited or deleted.

Export Report

To export a report, select the queries and a rendering format from the available options and click Generate Report. The report based on the selected queries is generated and it subsequently opens in the application associated with the format rendered. For example, choosing PDF opens the report in Adobe Acrobat Reader.

Follow the steps described below to export a report by selecting the queries to report on:

1.    Click Export Report from the main window. The Export Report window opens.

2.    The reporting sections available in the application, and the corresponding queries for the selected section, are listed in the Export Report window.

3.    Use the Query By option to generate reports classified By Device/Host, By Group, By Day or By Event Class.

4.    The selected reports can be exported to either HTML or PDF formats.
Note: Go to Internet Options -> Advanced Settings -> Security and clear the Do not save encrypted pages to disk check box so that the exported PDF reports open.

5.    Select the queries to export and generate report for and click Generate Report.

Note: Power Users and Users are not allowed to define or apply the Global Filters.

6.    A comprehensive report is compiled based on all the selected queries and is exported to the specified format.


Export Report Filters

Export Report Filters apply filters uniformly across the queries selected in the Export Report window. These global filters are applied to the reports exported to HTML or PDF format. By applying them you can narrow the scope of the report, specify the number of records to display and even change the graph type in the report.

Follow the steps below to configure Global Filter settings.

1.    Click on the Filters button in the Export Report window. The Filters dialog box is displayed.

2.    Under Max # of records to display, specify the Number of Records and the Number of SubRecords.

3.    To filter on a single Client Name/IP address or on a range of them, fill in the Range and IP/Name fields and click Add to list them.

4.    To save the filter settings, click OK.


Filters

Use Filters to narrow down the scope of the report, increase the number of records displayed, and change the graph type. The sections of the filter vary depending on the selected report.

Follow the steps below to configure filter settings.

1.    Select a query from the list in the left pane and click the filter icon in the right pane; the Security Center Filters window opens for the selected query.

2.    In this window, select the devices you want to report on and the filters to apply to the selected query. Define the filters and the number of Records and Sub Records to display for the selected report.

3.    Specify the Client Details, click Next, enter the domain details and save the filter.

 

4.    Add more domains if required and click Save.

5.    Similarly, every query has corresponding filters for generating custom reports.

Note: Not all reports are associated with graphs.

Report Options

Use the Report Options to change the DNS settings and the login password of the currently logged-in non-admin user.

Report Options screen

The DNS Lookup settings affect the reports that display IP addresses. The default setting is not to resolve IP addresses. The second option always resolves IP addresses into fully qualified host names by querying the local DNS server. The third option resolves IP addresses from a DNS cache that is built and maintained locally; for performance reasons, this is the recommended setting if DNS resolution is needed.

Note: Since the results from DNS resolution are not stored in the database, you will not find any resolved names when applying a host name filter or any other filter on the resolved IP addresses.
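To make the three DNS Lookup settings and the note above concrete, here is an added example (written for this guide, not SecCenter A1000 code) that models them as a resolver with an injectable lookup function so it runs offline. The mode names, the row layout and the reverse-lookup table are this example's own assumptions; the point it demonstrates is why the cached option saves DNS queries, and why a resolved name exists only at display time and never in the stored data a filter runs against.

```python
"""Added example (not SecCenter A1000 code): the three DNS Lookup modes from
Report Options, modelled as a resolver that takes a lookup function.
"""
import socket

# Mode names are this example's own, not the product's.
NO_RESOLVE, ALWAYS_RESOLVE, CACHED_RESOLVE = "none", "always", "cache"


def system_reverse_lookup(ip):
    """Reverse-resolve through the OS resolver; None when no PTR record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


class ReportResolver:
    """Turns an IP address into the string shown in a report row."""

    def __init__(self, mode, lookup=system_reverse_lookup):
        self.mode = mode
        self.lookup = lookup
        self.cache = {}      # ip -> name or None; negative answers are cached too
        self.lookups = 0     # how many times the DNS server was actually asked

    def display_name(self, ip):
        if self.mode == NO_RESOLVE:
            return ip
        if self.mode == ALWAYS_RESOLVE:
            self.lookups += 1                # one query per displayed row
            return self.lookup(ip) or ip
        if ip not in self.cache:             # CACHED_RESOLVE: one query per address
            self.lookups += 1
            self.cache[ip] = self.lookup(ip)
        return self.cache[ip] or ip


def render_rows(rows, resolver):
    """rows: list of (ip, count). The resolved name is produced for display only;
    the stored row still holds the IP, so a host-name filter has nothing to match."""
    return [(resolver.display_name(ip), count) for ip, count in rows]


# Constructed reverse-lookup table and report rows, so the example runs offline.
FAKE_PTR = {"192.0.2.10": "web01.example.test"}


def fake_lookup(ip):
    return FAKE_PTR.get(ip)


SAMPLE_ROWS = [("192.0.2.10", 5), ("192.0.2.10", 3), ("192.0.2.11", 1)]

if __name__ == "__main__":
    for mode in (NO_RESOLVE, ALWAYS_RESOLVE, CACHED_RESOLVE):
        resolver = ReportResolver(mode, fake_lookup)
        print(mode, render_rows(SAMPLE_ROWS, resolver), "lookups:", resolver.lookups)
```

With the constructed rows, the always-resolve mode asks the server three times (once per row) while the cached mode asks twice (once per distinct address); on a report with thousands of rows from a few hundred addresses that difference is what the performance recommendation is about.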

The Change Password option allows Non-Admin users to change their login password.

Follow the steps described below to define a new password:

1.    Select the Change Password check box. The new password field is enabled.

2.    Enter a new password for the user currently logged in.

3.    Click Set Options.

Make sure you provide the same password the next time you log in to the application.

Quarantine Reports

In network security, quarantine is the practice of blocking or denying suspicious elements access to a resource. Some devices, while logging, decide whether to grant or deny events access to the network; if an event is deemed infected or suspicious it is quarantined, that is, isolated.

SecCenter A1000 provides a Quarantine feature with which you can isolate the events that satisfy the rules specified in the pre-defined quarantine policies. For example, you can isolate all events pertaining to Successful Logon Activity by host and generate a quarantine report on them, which gives insight into which users logged in to the host, for how long, with which authentication mode, and so on. The administrator can then use their discretion to remediate the isolated, or quarantined, events.

The reporting section of Security Center displays reports based on the queries listed in the TOC on the left-hand side. You can drill down and narrow your scope to obtain further details of any event attribute displayed in the Report.

1.    From the report, right-click or double-click any event. If the quarantine policy is met for the selected query, a pop-up pointing to the Workbench and Quarantine Reports is displayed.

2.    Click on the Quarantine Report tab to view the complete quarantine report.

Report Generated:

You can also customize the report by including only those fields you want to view. Use the following options to customize the report view:

From-To - Specify a range of records. The range cannot exceed 1000 records.

Export Report - Save your search result in HTML or Text format. Values in a report saved in Text format are separated by commas.

Note: A profile based Quarantine report shows only 25 records by default. Follow the steps given below to customize the number of records in the Quarantine report:

1.    Stop running the SecCenter A1000 Service from the Services window.

2.    Locate quarantine.ext in the installation path:
C:\Program Files\SecCenter A\reports\quarantine.ext

3.    Open quarantine.ext in a text editor. Each query listed in that file follows the pattern <title><query id.>^<record count>,<sub-record count>. Change the <record count> field to the desired number.

4.    If you want to see all the records pertaining to a query then replace the record count with "-1".

5.    Restart the SecCenter A1000 Service from the services window for the settings to take effect.
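The steps above are easy to get wrong by hand when the file lists many queries, so here is an added example (written for this guide, not SecCenter A1000 code) that rewrites only the <record count> field and leaves everything else in the file untouched. It follows the pattern the guide gives, treating the title and query id together as one opaque prefix and interpreting only the part after the '^'; the sample file content is constructed, and the comment-line convention, the file encoding and the error checks are assumptions. Stop the SecCenter A1000 service before running it against the real file and restart it afterwards, as the steps say.

```python
"""Added example (not SecCenter A1000 code): change <record count> in
quarantine.ext entries of the form <title><query id.>^<record count>,<sub-record count>.
"""
import re
import shutil

# Constructed sample content in the documented pattern. Title and query id are
# never split apart here; only the text after the last '^' is interpreted.
SAMPLE_FILE = """\
Successful Logon Activity by Host1001^25,10
Failed Logon Activity by Host1002^25,10
# lines that do not match the pattern (assumed comments, blanks) pass through

Top Quarantined Users1003^25,5
"""

# Greedy prefix so a '^' inside the title would still leave the counts intact.
ENTRY = re.compile(r"^(?P<prefix>.*)\^(?P<records>-?\d+),(?P<subrecords>-?\d+)\s*$")


def parse_entry(line):
    """Return (prefix, record_count, subrecord_count) or None for a non-entry line."""
    m = ENTRY.match(line)
    if not m:
        return None
    return m.group("prefix"), int(m.group("records")), int(m.group("subrecords"))


def set_record_count(text, new_count, only_prefix=None):
    """Return the file text with <record count> set to new_count on every entry
    (or only entries whose prefix contains only_prefix). -1 means all records,
    as the guide describes; 0 and values below -1 are rejected."""
    if new_count == 0 or new_count < -1:
        raise ValueError("record count must be -1 (all records) or a positive integer")
    out = []
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        newline = line[len(body):]                 # keep CRLF or LF as found
        parsed = parse_entry(body)
        if parsed is None or (only_prefix and only_prefix not in parsed[0]):
            out.append(line)                       # untouched
            continue
        prefix, _old_count, subrecords = parsed
        out.append(f"{prefix}^{new_count},{subrecords}{newline}")
    return "".join(out)


def rewrite_file(path, new_count, only_prefix=None):
    """Edit quarantine.ext in place, keeping a .bak copy of the original."""
    shutil.copyfile(path, path + ".bak")
    with open(path, encoding="utf-8", newline="") as f:      # encoding assumed
        text = f.read()
    with open(path, "w", encoding="utf-8", newline="") as f:
        f.write(set_record_count(text, new_count, only_prefix))


if __name__ == "__main__":
    print(set_record_count(SAMPLE_FILE, 100))
    print(set_record_count(SAMPLE_FILE, -1, only_prefix="Failed"))
```

A backup copy is kept because a malformed line in this file would show up only as a missing or wrong quarantine report after the service restarts.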


Quarantine Report Drill-down:

You can drill down on events displayed in the Quarantine report to obtain finer details.

Right-click on any row attribute from the Quarantine report. The details associated with the selected event are subsequently displayed in the Workbench dialog box.

Quarantine Report- Workbench

Export Report:

You can export the Quarantine report to a specific location and in HTML or Text format. To customize the view of the exported report, select the fields you want to include in the report that is being exported.

Quarantine Export Report screen

Follow the steps described below to export a Quarantine report:

1.    Click Export Report. The Export Report screen opens.

2.    Select the Report Type you want it to be exported to - HTML or Text format.

3.    Select the fields you want to view from the Available Entities list and click the transfer button to move them into the Selected Entities list.

4.    Select the range of records that you want to export from the generated Quarantine report.

5.    Click Export.
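The export options described here and under Report Generated above (selected entities, a From-To range of at most 1000 records, Text output with comma-separated values, or HTML) are shown in working form in this added example, which is written for this guide and is not SecCenter A1000 code. The records and field names are constructed; the two points worth noticing are that a Text export must quote values that themselves contain commas, and that an HTML export must escape field values, because quarantine-report fields such as user names and descriptions are copied from logs and can contain markup.

```python
"""Added example (not SecCenter A1000 code): export a slice of a quarantine
report in Text (comma separated) or HTML format with only the selected fields.
"""
import csv
import html
import io

MAX_RANGE = 1000   # From-To may not span more than 1000 records

# Constructed records with fields a logon quarantine report might carry.
RECORDS = [
    {"Time": "2024-01-15 08:01:12", "Host IP": "192.0.2.10", "Caller User": "alice",
     "Auth Mode": "Kerberos", "Details": "Logon OK"},
    {"Time": "2024-01-15 08:02:44", "Host IP": "192.0.2.10", "Caller User": "bob, jr",
     "Auth Mode": "NTLM", "Details": "Logon OK"},
    {"Time": "2024-01-15 08:03:09", "Host IP": "192.0.2.11", "Caller User": "carol",
     "Auth Mode": "Kerberos", "Details": "UA <Mozilla/5.0>"},
]


def select_range(records, start, end):
    """Records start..end (1-based, inclusive), as entered in From-To."""
    if start < 1 or end < start:
        raise ValueError("invalid From-To range")
    if end - start + 1 > MAX_RANGE:
        raise ValueError(f"range may not exceed {MAX_RANGE} records")
    return records[start - 1:end]


def export_text(records, fields):
    """Comma-separated text; csv quotes any value containing a comma or quote."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(fields)
    for rec in records:
        writer.writerow([rec.get(f, "") for f in fields])
    return buf.getvalue()


def export_html(records, fields):
    """Plain HTML table; every cell is escaped so log text cannot become markup."""
    rows = ["<tr>" + "".join(f"<th>{html.escape(f)}</th>" for f in fields) + "</tr>"]
    for rec in records:
        cells = "".join(f"<td>{html.escape(str(rec.get(f, '')))}</td>" for f in fields)
        rows.append(f"<tr>{cells}</tr>")
    return "<table>\n" + "\n".join(rows) + "\n</table>\n"


def export_report(records, fields, start, end, report_type="Text"):
    """The Export Report dialog in one call: type, selected entities, range."""
    chosen = select_range(records, start, end)
    if report_type == "Text":
        return export_text(chosen, fields)
    if report_type == "HTML":
        return export_html(chosen, fields)
    raise ValueError("report type must be 'Text' or 'HTML'")


if __name__ == "__main__":
    print(export_report(RECORDS, ["Time", "Caller User", "Auth Mode"], 1, 3))
    print(export_report(RECORDS, ["Host IP", "Details"], 3, 3, "HTML"))
```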


Drill down

If the Workbench is accessed from the attributes on Instant Reports, you can open the complete quarantine report with the Quarantine Report button, alongside the Drill down button, which lets you drill down into a report to obtain further details. This is extremely useful when you want to study the behavior of a specific user or find out what contributed to the numbers present in the reports.

Security Center - Monitoring

The real-time monitoring feature of SecCenter A1000 facilitates monitoring on predefined criteria. This gives you an insight into the essential system events. You can also set filters on some predefined performance metrics and proactively act to prevent problems.

 

Note: Graphs displayed in the Monitoring portal are 2D by default. To view them as 3D images, change the property MON_Use3D=no to MON_Use3D=yes in GraphOptions.ext, found under the application path (Apppath ...\SecCenter A\SCA).

Views

A view is a custom-defined portion of the monitoring window, which you can assemble yourself.

By default you have the following views available in the application.

v        DashBoard

v        EventViewerView

v        AllSysEvents

v        DBAuditHostView

v        AttacksView

v        Events Activity

v        MiscView

v        NetStreamView

v        Performance Counters

v        Protocol View

v        Ports

v        Source Activity View

The default view is the dashboard view, which comprises:

v        Recent Alerts triggered

v        Port Activity

v        Source Destination Port Activity

v        Activity Per Protocol

v        Event Viewer


Note: Data displayed in the Event Viewer depends primarily on selecting the Enable Monitoring option when defining a Collection Policy, and then on the applied Event Viewer Filters.

Save As: Follow the steps described below to save the selected view under a different (alias) name.

1.    Select any of the existing views from the list and click the Save As button.

2.    Enter a name in the View Name box.

3.    Click OK.

A view with the name you entered is added to the list; it is a replica of the view you selected.

Creating a Custom View

Follow the steps described below to create your own view by selecting only those monitors that you want to view:

1.    Click Manage Views from the main menu of the Monitoring Center. The View Manager window opens.

2.    To define a new view, click New. The Add View window opens.

3.    Enter a name for the view. Select the number of monitors you want to assign to this view from the drop-down list.

4.    Select the monitors from the list and click the transfer button to move them into the Selected list. Click Save.

5.    To make this view your default view, select it from the Select view drop-down list and click Set this as my default view.

6.    Click Restore default view to revert to the dashboard view.


Note: The number of monitors selected must exactly equal the number of monitors assigned to this view. User-defined views can be edited and deleted.

Monitors

On the TOC pane of the Monitoring center, you can see the list of default and user-defined monitors.

Select a monitor from the list and click on it to see its details.

If you want to configure and add a new monitor, click Manage Monitors from the main menu of monitoring center. The Monitor Manager screen opens from where you can add monitors.

Adding a Monitor

This section provides instructions on how to add a monitor.

Data from the entities to be monitored can be enabled or disabled by checking the corresponding status button.

 

The Add Monitor Wizard

Follow the steps described below to add a monitor:

1.    From the Security Center main menu, click Monitoring. The Monitoring Center screen opens.

2.    Click Manage Monitors button. The Monitor Manager window opens. Click New.

3.    Enter a name for the monitor in the Monitor Name box.

4.    Enter a title for the monitor in the Title box.

5.    In the Add Monitor screen, select the type of monitor you are about to add or define. The following monitor types are available:

v    Devices

v    Hosts

v    Performance Counter

v    NetStream

v    DB Audit

v    Mirapoint

6.    There are two ways of displaying information in the monitor:

v    Table

v    Graph

7.    To customize the view, under the section Display Type, specify the graph type and number of graph items to associate with it.

8.    Click Next.


Pie charts can be generated only if the monitor is created for a single entity.

Adding a Device Based Monitor

To add a Device based Monitor, select the entities to monitor from the in-built list and move them from the available entities list to the selected entities list. Click Next.


If all the available entities are selected, the monitor does not display any information if even one of the selected entities has no data.

Selecting Device Based Entities

SecCenter A1000 provides a comprehensive list of event entities that can be selected to be viewed in the monitors. They are:

v    Action

v    Event Class

v    Virus

v    Event Description

v    Attack Details

v    Virus Details

v    Spam Destination Email

v    Spam Source Email

v    Bytes Sent

v    Bytes Received

v    Shun

 

Definable Event Entities:

In the logs, the value of some event entities varies between events depending on external or internal factors. You can specify a desired value or parameter and restrict the monitor to only those events that match the specified value or parameter of the entity. The following filters can be defined with a specific value or parameter from the UI:

v    Destination IP

v    Destination Port

v    Event Id

v    Event Category

v    Event Type

v    Flow

v    Protocol

v    Rule

v    Severity

v    Source IP

v    Spam Type

v    Virus

v    Device IP

 

Device Based Entities

The following sections explain how to select device-based entities to monitor.

Device IP

You can select the Group Name/Device IP - Device Type for which you want to create a monitor.

1.    Select the devices you want to create a monitor for. You can select all devices at a time or individual groups and devices.

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.


Destination IP

If you have selected Destination IP, follow the steps described below:

1.    Enter the Destination IP of the device you want to monitor.

2.    To monitor events from a series of devices at once, select the Range check box and enter the IP range.

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.


Destination Port

If you have selected Destination Port, follow the steps described below:

1.    Enter the Destination Port number you want to monitor.

2.    Click Add to add the port number to the list.

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.


Protocol

If you have selected Protocol, follow the steps described below:

1.    Enter the Protocol you want to monitor.

2.    Click Add to add the protocol to the list.

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.


Severity

If you have selected Severity, follow the steps described below:

1.    Select the severity you want to associate with the monitor from the Available Severities list.


v    Emergency

v    Error

v    Critical

v    Alert

v    Warning


2.    Click the transfer button to move the selected severity to the Selected Severities list.

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.


Virus

If you have selected Virus, follow the steps described below:

1.    Enter the Virus Name you want to associate with this monitor.

2.    Click Add to add the virus to the list.

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.


Virus Details

If you have selected Virus Details, follow the steps described below:

1.    Enter the Virus Details you want to associate with this monitor.

2.    Click Add to add the virus details to the list.

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.


Attacks

If you have selected Attacks, follow the steps described below:

1.    Select the Attacks you want to associate with the monitor from the Available Attack list.

2.    Click the transfer button to move the selected attack types to the Selected Attacks list.

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.


Attack Details

If you have selected Attack Details, follow the steps described below:

1.    Select the attack details you want to associate with the monitor from the Available Attack list.

2.    Click the transfer button to move the selected attack details to the Selected Attacks list.

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.


Event ID

If you have selected Event ID, follow the steps described below:

1.    Enter the Event ID you want to monitor.

2.    Click Add to add the event ID to the list.

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.


Event Category

If you have selected Event Category, follow the steps described below:

1.    Enter the Event Category you want to monitor.

2.    Click Add to add the event category to the list.

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.


Event Types

If you have selected Event Types, follow the steps described below:

1.    Select the Event Types you want to associate with the monitor from the Available Event Types list.

2.    Click the transfer button to move the event types to the Selected Event Types list.

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.


Rule

If you have selected Rule, follow the steps described below:

1.    Select the rules you want to monitor from the list.

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.


Flow

If you have selected Flow, follow the steps described below:

1.    Select from the following:

v        Allowed

v        Denied

2.    Select Allowed if you want to monitor only allowed events.

3.    Select Denied if you want to monitor only denied events.

4.    Click the Save Filter button. The filter is added to the Filter list.

5.    Click the Delete Filter button to clear the settings.


Spam Type

If you have selected Spam Type, follow the steps described below:

1.    Select the Spam Types you want to monitor from the predefined spam list.

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.

Adding a Mirapoint Device Based Monitor

To add a Mirapoint Device based Monitor, select the entities to monitor from the in-built list and move them from the available entities list to the selected entities list. Click Next.

If all the available entities are selected, the monitor does not display any information if even one of the selected entities has no data.

Selecting Mirapoint Device Based Entities

You can select the filters to apply on your search from the available filters list. If you want to negate a particular filter on the search, select the Negation check box on the corresponding filter window.


The list of available filters is:


v        Action

v        Event ID

v        Filter Action

v        MailBox

v        Mail Header

v        Recipient Email

v        Score

v        Sender Email

v        Sender IP

v        Spam

v        Transport Type

v        Virus

v        Device IP


Action

The Action details include the Allowed and Denied events.

1.    Select an Action from the action details to filter.

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete button to clear the settings.


Event ID

1.    Select the Event IDs from the available list.

2.    Select the event IDs to filter on and click the transfer button to move them into the selected ID list.

3.    You can also add a new event ID by clicking the Add button.

4.    Click the Save Filter button. The filter is added to the Filter list.

5.    Click the Delete Filter button to clear the settings.


Filter Action

1.    Enter the Filter Action to filter on in the Filter Action text box. You can also use the wildcard '*' to match any specific word or phrase in the description.

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.


Mail Box

1.    Select the Mail Box from the available list.

2.    Select from the available entities and click the transfer button to move them into the selected entities list to filter on.

3.    You can also add a new Mail box entity by clicking the Add button.

4.    Click the Save Filter button. The filter is added to the Filter list.

5.    Click the Delete Filter button to clear the settings.


Mail Header

1.    Enter the Mail Header to filter on in the Mail Header text box. You can also use the wildcard '*' to match common strings.

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.


Recipient E-mail

1.    Enter the e-mail address of the recipient to filter on in the Recipient E-Mail text box. You can also use the wildcard '*' to match common strings.

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.

Score

1.    Select Any to filter any encountered junk mail irrespective of the score.

2.    Enter the Score of the junk mail intensity to filter, in the Score text box.

3.    You can alternatively specify a Score range of junk mail intensity to filter.

4.    Click the Save Filter button. The filter is added to the Filter list.

5.    Click the Delete Filter button to clear the settings.

Sender Email

1.    Enter the e-mail address of the sender that you want to filter on in the Sender E-mail box. You can also use the wildcard '*' to match any common string.

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.

Sender IP

1.    Enter the IP address of the sender that you want to filter on in the Sender IP box. You can also use the wildcard '*' to match any common string.

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.

Spam

1.    Select Spam from the available list.

2.    Select a spam entry from the available entities and click the transfer button to move it into the selected entities list to filter on.

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.

 

Transport Type

1.    Enter the type of transport protocol of the mail server that you want to filter, in the Transport Type box. You can also use wild card '*' to filter common strings.

2.    Click the Save Filter button. The filter is added to the Filter list.

3.    Click the Delete Filter button to clear the settings.


Device IP

1.    All licensed Mirapoint devices are displayed in this window.

2.    Select the Device IP for which you want to create a monitor.

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.
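Both the device-based filters above (Destination IP as a single address or a range, Destination Port, Protocol, Event ID and Severity lists, Flow Allowed or Denied) and the Mirapoint filters (the wildcard '*' in text fields, Score as Any or a range, and the Negation check box) reduce to the same operation: every saved filter is a predicate on one event field, and a monitor shows the events that satisfy all of them. The following is an added example written for this guide, not SecCenter A1000 code; the event field names, the rule that all saved filters must match, the case-insensitive wildcard matching and the sample events are assumptions made for the illustration.

```python
"""Added example (not SecCenter A1000 code): evaluate saved monitor filters
against events, covering the device-based and Mirapoint filter kinds.
"""
import ipaddress
import re


class Filter:
    """A saved filter on one event field, optionally negated (Negation check box)."""

    def __init__(self, field, negate=False):
        self.field = field
        self.negate = negate

    def _test(self, value):
        raise NotImplementedError

    def matches(self, event):
        hit = self.field in event and self._test(event[self.field])
        return (not hit) if self.negate else hit


class InList(Filter):
    """Destination Port, Protocol, Event ID, Severity, Flow: the value must be
    one of the entries added to the list."""

    def __init__(self, field, values, negate=False):
        super().__init__(field, negate)
        self.values = set(values)

    def _test(self, value):
        return value in self.values


class IpRange(Filter):
    """Destination IP or Sender IP: one address, or an inclusive range when the
    Range check box is selected."""

    def __init__(self, field, start, end=None, negate=False):
        super().__init__(field, negate)
        self.start = ipaddress.ip_address(start)
        self.end = ipaddress.ip_address(end or start)
        if self.end < self.start:
            raise ValueError("range end precedes range start")

    def _test(self, value):
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:        # malformed address in the log never matches
            return False
        return self.start <= ip <= self.end


class Wildcard(Filter):
    """Mail Header, Sender/Recipient Email, Filter Action: '*' matches any run
    of characters; everything else is literal (case-insensitive, assumed)."""

    def __init__(self, field, pattern, negate=False):
        super().__init__(field, negate)
        parts = [re.escape(p) for p in pattern.split("*")]
        self.regex = re.compile(".*".join(parts), re.IGNORECASE | re.DOTALL)

    def _test(self, value):
        return self.regex.fullmatch(str(value)) is not None


class ScoreRange(Filter):
    """Score: Any when both bounds are None, otherwise an inclusive range; use
    the same value for both bounds to match a single score."""

    def __init__(self, low=None, high=None, negate=False):
        super().__init__("Score", negate)
        self.low, self.high = low, high

    def _test(self, value):
        return ((self.low is None or value >= self.low) and
                (self.high is None or value <= self.high))


def apply_filters(events, filters):
    """Return the events that satisfy every saved filter."""
    return [e for e in events if all(f.matches(e) for f in filters)]


# Constructed sample events (not real log data).
EVENTS = [
    {"Destination IP": "10.0.0.5", "Destination Port": 22, "Protocol": "TCP",
     "Severity": "Warning", "Flow": "Denied",
     "Sender Email": "promo@example.test", "Score": 87},
    {"Destination IP": "10.0.1.9", "Destination Port": 443, "Protocol": "TCP",
     "Severity": "Critical", "Flow": "Allowed",
     "Sender Email": "alice@corp.example", "Score": 2},
    {"Destination IP": "10.0.0.77", "Destination Port": 53, "Protocol": "UDP",
     "Severity": "Error", "Flow": "Denied",
     "Sender Email": "news@example.test", "Score": 60},
]


def ports(events):
    """The Destination Port of each event, handy for reading results."""
    return [e["Destination Port"] for e in events]


if __name__ == "__main__":
    denied_in_subnet = [IpRange("Destination IP", "10.0.0.1", "10.0.0.254"),
                        InList("Flow", ["Denied"])]
    print(ports(apply_filters(EVENTS, denied_in_subnet)))
    not_from_example_test = [Wildcard("Sender Email", "*@example.test", negate=True)]
    print(ports(apply_filters(EVENTS, not_from_example_test)))
```

The wildcard is translated to a regular expression with every non-'*' character escaped, so a pattern containing '.', '+' or brackets from a mail header is matched literally rather than being interpreted.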

 

Host Based Entities

The following is the list of host-based entities. A user interface is provided only for the last four entities.

v    Caller Domain

v    Caller Machine

v    Caller User

v    Event Category

v    Event Class

v    Source

v    Target Domain

v    Target Machine

v    Target User

v    User

v    Event Id

v    Event Type

v    Facility

v    Host IP

Host IP

If you have selected Host IP, follow the steps described below:

1.    Select devices/hosts from the column Group Name / Host IP - Device Type.

2.    Click Next.


Event ID

If you have selected Event ID, follow the steps described below:

1.    Enter the Event ID you want to monitor.

2.    Click Add to add the Event ID to the list and click Next.



Event Type

If you have selected Event Types, follow the steps described below:

1.    Select the Event Types you want to associate with the monitor from the Available Event Types list.

2.    Available event types are:


v    Success

v    Warning

v    Info

v    Error

v    Audit Success

v    Audit Failure


3.    Click the move icon to transfer the event types to the Selected Event Types list.

4.    Click Next.

Facility

If you have selected Facility, follow the steps described below:

1.    Select the Facility that you want to monitor from the list of available Facilities.

2.    Click Save Filter to save the filter settings.

Selecting Performance Counters Based Entities

If you want to create a monitor based on performance counters, select the Host IP on which you want to create a monitor. Click Next.

All the available entities that can be monitored to know the performance metrics of the selected Host IPs will be displayed in this window.

Selecting NetStream Based Entities

If you want to create a monitor based on NetStream events, select the Device Type for which you want to create a monitor. Click Next.

Only licensed H3C devices that support NetStream and Juniper devices that in turn support CFlow are listed here.

Select the entities you want to monitor from the list of available entity types.

Event Viewer Filters

Filters help you to filter the view on the Event Viewer console. You can select the entities you need as columns in the display. Click the Filters in the Event Viewer screen to select the entities you want to filter.

Selecting Entities to Filter

In the Event Viewer console, each event is displayed with a color code based on its severity. The Event Viewer filters let you select specific severity types under the Select at least one severity check box.

The available severity types are:


v        Emergency

v        Alert

v        Critical

v        Error

v        Warning

v        Notice

v        Information

v        Debug



To select the entities you want to filter, follow the steps described below:

1.    Select the entities you want to filter from the list of available entities.

2.    Click the move icon to move the selected entities into the selected list. Click Next to enter details for the selected filters.

Devices/Hosts

Select the Group Name/Host IP - Device Type for which you want to create a filter on this screen.

1.    Select the Devices/Hosts you want to create a filter for.

2.    Select all the available devices/hosts in one go by selecting the Group Name/ Device/Host IP check box.

3.    Click Next to go to the next screen or Finish to complete the process.

Device Type

If you have selected Device Type, follow the steps described below:

1.    The list shows all configured device types whose logs are available on the SecCenter A1000 server.

2.    Select the device type you want to filter.

Note: If no device types are selected, all available event types will be monitored.

3.    Click Next or Finish to complete the process.

Protocol

If you have selected Protocol, follow the steps described below:

1.    Select the protocols you want to filter.

2.    Click the move icon to move the selected protocols to the Selected Protocols list.

3.    Click Next to go to the next screen or Finish to complete the process.

Event ID

If you have selected Event ID, follow the steps described below:

1.    Enter the event ID you want to filter in the Event ID box and click Add. Repeat the procedure to add more event IDs.

2.    Click Next to go to the next screen or Finish to complete the process.

Event Category

If you have selected Event Category, follow the steps described below:

1.    Enter the event category you want to monitor.

2.    Click Add to add the event category to the list.

3.    Click the Save Filter button. The filter is added to the Filter list.

4.    Click the Delete Filter button to clear the settings.

5.    Click Finish to complete the process.

Source IP

If you have selected Source IP, follow the steps described below:

1.    Select the Source IP option and enter the source IP address you want to filter. To specify a range of source IP addresses, select the Source IP Range option and enter the IP range.

2.    Add the source IP or the range by clicking the Add button.

3.    Click Next to go to the next screen or Finish to complete the process.

Destination IP

If you have selected Destination IP, follow the steps described below:

1.    Select the Destination IP option and enter the destination IP address you want to filter. To specify a range of destination IPs, select the Destination IP Range option and enter the IP range.

2.    Add the destination IP or the range by clicking the Add button.

3.    Click Next to go to the next screen or Finish to complete the process.

Destination Port

If you have selected Destination Port, follow the steps described below:

1.    Enter the destination port number you want to filter in the Destination Port box.

2.    Click Add to add the port number to the list.

3.    Click Next to go to the next screen or Finish to complete the process.

BII

The BII filter lets you focus on and prioritize the events with the most business impact when a large number of events per second (EPS) arrives from several devices.

1.    Enter the range for BII you want to associate with the filter in the following input areas.

v        Greater than

v        Less than

2.    Click Next to go to the next screen or Finish to complete the process.

Rule

If you have selected Rule, follow the steps described below:

1.    Select the rules you want to associate with this filter.

2.    Click Add to apply the rules to the filter you created.

3.    Click Next to go to the next screen or Finish to complete the process.
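The Event Viewer filters above (severity, Event ID, Source IP Range, Destination Port, BII) and the Mirapoint wildcard filters (Sender E-mail with '*') are matching rules applied to every incoming event. The following PowerShell script is an added example, not SecCenter A1000 code, that applies those rules to a handful of constructed sample events so the combination logic is visible. It assumes that criteria of different kinds are combined with AND and that several values of one kind (two severities, two ports) are combined with OR; the guide does not state this, so check it against your own console.

```powershell
# Added example, not SecCenter A1000 code: applies the Event Viewer filter criteria
# described above (severity, Event ID, source IP range, destination port, BII range)
# and the Mirapoint wildcard sender filter to constructed sample events.
# Assumption: criteria of different kinds are combined with AND, and the values
# given for one kind (several severities, several ports) are combined with OR.

# Syslog severities in the order the guide lists them (0 = Emergency ... 7 = Debug).
$SeverityNames = @('Emergency', 'Alert', 'Critical', 'Error', 'Warning', 'Notice', 'Information', 'Debug')

# Constructed sample events; SenderEmail is only meaningful for Mirapoint mail events.
$SampleEvents = @(
    [pscustomobject]@{ Time = '10:00:01'; Severity = 'Critical';    EventID = 4625; SourceIP = '10.0.0.15';  DestinationPort = 3389; BII = 85; SenderEmail = '' }
    [pscustomobject]@{ Time = '10:00:02'; Severity = 'Information'; EventID = 4624; SourceIP = '10.0.0.20';  DestinationPort = 445;  BII = 10; SenderEmail = '' }
    [pscustomobject]@{ Time = '10:00:03'; Severity = 'Error';       EventID = 4625; SourceIP = '192.0.2.44'; DestinationPort = 3389; BII = 70; SenderEmail = '' }
    [pscustomobject]@{ Time = '10:00:04'; Severity = 'Warning';     EventID = 7001; SourceIP = '10.0.0.99';  DestinationPort = 25;   BII = 60; SenderEmail = 'bulk@mail.example' }
    [pscustomobject]@{ Time = '10:00:05'; Severity = 'Critical';    EventID = 7002; SourceIP = '10.0.0.30';  DestinationPort = 25;   BII = 95; SenderEmail = 'news@mail.example' }
)

function ConvertTo-IPv4Number {
    # Dotted-quad string to an integer so address ranges can be compared numerically.
    param([Parameter(Mandatory)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "Not an IPv4 address: $Address" }
    [uint64]$n = 0
    foreach ($b in $bytes) { $n = $n * 256 + $b }
    return $n
}

function Test-IPv4InRange {
    param([string]$Address, [string]$RangeStart, [string]$RangeEnd)
    $n = ConvertTo-IPv4Number $Address
    return ($n -ge (ConvertTo-IPv4Number $RangeStart)) -and ($n -le (ConvertTo-IPv4Number $RangeEnd))
}

function Select-FilteredEvent {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [string[]]$Severity = @(),        # empty = every severity
        [int[]]$EventID = @(),            # empty = every Event ID
        [string]$SourceIPRangeStart,      # both bounds set = Source IP Range filter
        [string]$SourceIPRangeEnd,
        [int[]]$DestinationPort = @(),    # empty = every port
        [double]$BIIGreaterThan = [double]::NegativeInfinity,
        [double]$BIILessThan = [double]::PositiveInfinity,
        [string]$SenderEmail = '*'        # '*' wildcard, as in the Mirapoint Sender E-mail filter
    )
    foreach ($s in $Severity) {
        if ($SeverityNames -notcontains $s) { throw "Unknown severity: $s" }
    }
    $Events | Where-Object {
        $e = $_
        ($Severity.Count -eq 0 -or $Severity -contains $e.Severity) -and
        ($EventID.Count -eq 0 -or $EventID -contains $e.EventID) -and
        (-not $SourceIPRangeStart -or (Test-IPv4InRange $e.SourceIP $SourceIPRangeStart $SourceIPRangeEnd)) -and
        ($DestinationPort.Count -eq 0 -or $DestinationPort -contains $e.DestinationPort) -and
        ($e.BII -gt $BIIGreaterThan -and $e.BII -lt $BIILessThan) -and
        ($e.SenderEmail -like $SenderEmail)
    }
}

# Usage: Critical/Error logon events from the 10.0.0.0/24 block with BII above 50
# (matches the first sample event only; 192.0.2.44 is outside the range).
Select-FilteredEvent -Events $SampleEvents -Severity 'Critical', 'Error' -EventID 4625 `
    -SourceIPRangeStart '10.0.0.1' -SourceIPRangeEnd '10.0.0.254' -BIIGreaterThan 50 |
    Format-Table Time, Severity, EventID, SourceIP, DestinationPort, BII

# Mirapoint-style wildcard: every mail event whose sender is in mail.example.
Select-FilteredEvent -Events $SampleEvents -SenderEmail '*@mail.example' |
    Format-Table Time, Severity, SourceIP, SenderEmail
```

The IP range comparison converts addresses to integers rather than comparing strings, which is the mistake that makes 10.0.0.9 sort after 10.0.0.15; the '*' wildcard maps directly onto PowerShell's -like operator.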


Drill-down Reporting

Instant Reports let you drill down into a report to obtain further details. This is useful when you want to study the behavior of a specific user or find out what contributed to the numbers in a report.

How to drill-down?

To drill down, right-click a value in the table to open the Workbench view for the instant report.

Select the attribute(s) to which you want to narrow your scope, then click the Drill-down button. The resulting information, based on your selection, is displayed in a separate window.


Topology

The topology is a schematic description of the arrangement of a network, including its nodes and connecting lines.

SecCenter A1000 enables the administrator to view a graphical representation of the network topology and how the devices and hosts in the network are connected to each other.

Topology View

On the Topology main screen, you have the following utility options:

Component Selection Controls

The following are the controls for selecting various components you want to view:

v    Type

v    Model

v    Devices

You can select the type, model and the devices you want to view the topology of, from the respective drop-down lists in the screen and click on the Show button to view the result.

Action

The drop-down list provides you with the following controls:

Reset Event Count

Select this option to reset the event count of selected devices or all the devices in the network.

1.    Click Run. The Reset Event Count window opens.

2.    Select the devices for which you want to reset the event count and click Reset Event Count. The event count will start from zero again.

Remap Nodes

Select this option to remap the nodes in your network.

1.    Click Run. The Remap Nodes window opens.

2.    Select the devices for which you want to remap the nodes and click Remap Nodes.

Reset Position

Select this option to reset the positions of the nodes in your network. You can drag and drop a node to change its position in the topology view; this lets you rearrange the nodes to avoid visual clutter.

1.    After selection, click Run.

2.    Changes made to the node positions are reverted and the original topology view is restored.

Flush Nodes

Select this option to flush the information of all the nodes present with the topology server. After this, the topology server once again attempts to fetch the details of all the nodes in network.

Update Event Count

From this drop-down list you can select the time intervals at which the topology server must update the event count for all licensed devices/hosts present in the network topology. 

Mouse Right-click and Left-click options

Use the right-click and left-click options to control the topology view.

The following image illustrates the various actions that you can perform on the topology view.

Mouse Options on Topology View

Right-click the mouse on a node to see the following:

v    Center: Use this option to bring the selected node to the center.

v    Add: Use this option to add a child to the selected node. Click Add to open the Topology Add Device window, enter the Node IP/Name of the device/host you want to add, and click Save.

v    Expand/Collapse: Use this option to expand and view details of all the child nodes connected to a node or collapse the associated child nodes.

v    Expand All: Use this option to expand all the nodes.

v    Show/Hide Details: Use this option to view/hide details like IP addresses, Device/Host Name of the node.

v    Hide/Show Unlicensed: Use this option to show or hide all the unlicensed devices in the network.

The options Expand All, Show/Hide Details, and Hide/Show Unlicensed can also be seen by performing a normal right-click on the topology window.

Left-click the mouse on a node to view the following:

v    IP addresses of the selected node.

v    Name of the device/host in the domain.

v    Model of the node that you have entered while configuring a device/host. For example, Windows or UNIX for a host and CISCO or FortiGate for a device.

v    Location that you specified while configuring a device/host.

v    Events: This option is available only for the licensed nodes and gives you details of the number of generated events for each severity.

v    View Events: Use this option to view events occurring on the selected node in the monitoring view.

Topology Options

The General tab provides the controls to select the methodology and the protocol by which you want SecCenter A1000 to collect topology information from the devices/hosts in the network.

General

The following are the options on the general screen:

v    Use SNMP to get information about device/host.

v    ICMP-based TraceRoute

v    TCP-based TraceRoute


Use SNMP to get information about device/host: Select this option to let SecCenter A1000 obtain device/host information using the Simple Network Management Protocol (SNMP), an application layer protocol that facilitates the exchange of management information between the devices/hosts in the network.

To probe the topology of large scale public networks, many topology discovery systems rely on TraceRoute. TraceRoute sends a series of hop-limited UDP packets to a known destination and uses ICMP responses generated by intermediate routers to obtain the path between the source and the destination.

ICMP-based TraceRoute: Also known as TRACERT. When this option is selected, SecCenter A1000 sends ICMP Echo Request packets and expects each host to reply with an ICMP Echo Reply packet.

TCP based TraceRoute: Select this option in addition to ICMP-based TraceRoute. It probes with TCP SYN packets, which often pass through firewalls that drop ICMP, so it can still trace the path when the ICMP probe fails or ICMP packets are blocked.


SNMP Communities

An SNMP community defines an access environment for a group of NMSs (Network Management Systems). NMSs within the same community are said to exist within the same administrative domain. Community names serve as a weak form of authentication because devices that do not know the proper community name are precluded from SNMP operations. An SNMP device or agent running the SecCenter A1000 server may belong to more than one SNMP community.

An NMS executes applications that monitor and control managed devices. It provides resources for bulk processing and large memory required for network management.

A device/host responds to requests only from managers that belong to one of its communities. The SNMP default communities are Private, with write permission, and Public, with read permission.

By default, SecCenter A1000 uses the Public community to read details of a device/host. If a device/host requires a different community name for SNMP operations, add that community under SNMP Communities so that SecCenter A1000 can fetch its details.

TCP Ports

Enter the TCP ports that SecCenter A1000 uses to probe and get the trace path information using TCP based TraceRoute on this screen.


By default, SecCenter A1000 has four TCP ports added using which it probes to get the trace path.

Customizing Topology Server

You can customize the topology server for tracing devices/hosts with specific adapter and gateway information.

Adapters

Virtual Network Adapters: Adapters that have no hardware component but consist only of software are called virtual network adapters. They are commonly found in virtual private networks (VPNs).

To trace the path to a device/host, the SecCenter A1000 topology service needs the real (physical adapter) information.


To let the SecCenter A1000 topology service identify devices/hosts whose physical adapter is wrapped under a virtual adapter, perform the following steps so that SecCenter A1000 can obtain the physical adapter information.

Steps:

1.    Open regedit.

2.    Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}.

3.    Locate the real adapter when there are multiple adapters or when a virtual adapter is wrapping the physical adapter.

4.    Take the root value from the Linkage subkey of that adapter (for example, {9EEFCC33-4DCF-4FEA-8868-846048320065}) and put it in a defAdapter.txt file created in the location (Apppath ...\SecCenter A1000\SecCenter A1000).

5.    The topology server will now use only the physical (real) adapter information given in the defAdapter.txt file.

Gateways

Gateways: The firewall is the most crucial component of the network and acts as the gateway for all the devices/hosts within the local network.

To enable the SecCenter A1000 topology service to consider a specific device to be the default gateway, you have to perform the following steps so that SecCenter A1000 can obtain the gateway information.

Steps:

1.    Create a text file named defGateway.txt in the location (Apppath ...\SecCenter A\SCA).

2.    Enter the IP address of the gateway that you want the topology server to use and save the file.

3.    The topology server will now use only the IP address in the defGateway.txt file as the gateway information.
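The adapter and gateway steps above both come down to finding one value in the registry and writing it to a one-line text file. The following PowerShell script is an added example, not SecCenter A1000 code, for doing that on the SecCenter A1000 server: it lists every adapter instance under the class key from the adapter steps together with its Linkage root GUID, and writes the GUID you pick to defAdapter.txt and a validated gateway address to defGateway.txt. It assumes that the "root from Linkage" the guide refers to is the RootDevice value of the adapter's Linkage subkey, that each file holds its single value on one line, and that $AppPath stands for the install location the guide writes as "Apppath ..." (the guide gives different locations for the two files, so set $AppPath for each).

```powershell
# Added example, not SecCenter A1000 code: lists the network adapter instances under
# the registry class key named in the steps above with their Linkage root GUID, and
# writes the chosen GUID to defAdapter.txt and a gateway address to defGateway.txt.
# Run in an elevated PowerShell on the SecCenter A1000 server.
# Assumptions: "the root from Linkage" is the RootDevice value of the adapter's
# Linkage subkey; each file holds the single value on one line; $AppPath stands for
# the install location the guide writes as "Apppath ...".

$NetClassKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}'

function Get-NetworkAdapterRoot {
    # One object per adapter instance (subkeys named 0000, 0001, ...); the protected
    # "Properties" subkey is skipped by the name filter.
    Get-ChildItem -Path $NetClassKey -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d{4}$' } |
        ForEach-Object {
            $props   = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            $linkage = Get-ItemProperty -Path "$($_.PSPath)\Linkage" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Instance    = $_.PSChildName
                Description = $props.DriverDesc
                # Hint only: PCI/USB hardware IDs usually mean a physical NIC, while VPN,
                # virtual switch and loopback adapters carry vendor-specific IDs.
                ComponentId = $props.ComponentId
                Root        = @($linkage.RootDevice)[0]
            }
        }
}

function Set-TopologyAdapter {
    param([Parameter(Mandatory)][string]$RootGuid, [Parameter(Mandatory)][string]$AppPath)
    # Accept only a braced GUID so a stray description or blank line never lands in the file.
    if ($RootGuid -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
        throw "Not an adapter GUID: $RootGuid"
    }
    Set-Content -Path (Join-Path $AppPath 'defAdapter.txt') -Value $RootGuid -Encoding ASCII
}

function Set-TopologyGateway {
    param([Parameter(Mandatory)][string]$GatewayIP, [Parameter(Mandatory)][string]$AppPath)
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($GatewayIP, [ref]$parsed)) {
        throw "Not an IP address: $GatewayIP"
    }
    Set-Content -Path (Join-Path $AppPath 'defGateway.txt') -Value $GatewayIP -Encoding ASCII
}

# Usage: review the table, pick the physical adapter's Root GUID, then write the files.
Get-NetworkAdapterRoot | Format-Table Instance, Description, ComponentId, Root -AutoSize
# $AppPath = 'C:\Program Files\SecCenter A1000\SecCenter A1000'   # placeholder install path
# Set-TopologyAdapter -RootGuid '{9EEFCC33-4DCF-4FEA-8868-846048320065}' -AppPath $AppPath
# Set-TopologyGateway -GatewayIP '192.0.2.1' -AppPath $AppPath
```

The ComponentId column is only a hint for telling a physical NIC from a virtual one; confirm the choice against the adapter's description before writing the file, because the topology server will use nothing but the adapter named there.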

Appendix

Backing up SecCenter A1000

Although SecCenter A1000 replicates files (auto backup) when running in distributed mode, it is still a good idea to back up your data.

Backing Up Data from a SecCenter A1000 Server

To back up data from a SecCenter A1000 standalone or distributed environment, follow the instructions below.

1.    Log on to your SecCenter A1000 Server. In a distributed environment, follow step 2 for all regional and central servers.

2.    The default install path for SecCenter A1000 is Root://Program Files/SecCenter A1000/SecCenter A1000. If you did not install SecCenter A1000 in the default path, change the path to the appropriate location. Back up the following files and directories from the SecCenter A1000 directory:

§      Database

§      DBAudit

§      ForensicLogs

§      Profiles

§      Userprofiles

§      Devices.xml (Only if you have devices)

§      Groups.xml

§      Hosts.xml (Only if you have hosts)

Backing Up Data from a SecCenter A1000 Syslog Server

1.    The SecCenter A1000 syslog server may be installed on the same physical server as the SecCenter A1000 Server or on a separate server. Be sure to back up every instance of the SecCenter A1000 syslog server in your environment.

2.    The default install path for the SecCenter A1000 syslog server is Root://Program Files/SCASyslog/Syslog. If you did not install the SecCenter A1000 syslog server in the default path, change the path to the appropriate location. Back up the following files and directories from the syslog directory:

§      Logs

§      DeviceLicInfo.txt

§      FirewallList.txt (Only if you have network devices)

§      Host.txt (Only if you have hosts)

§      Leafirewalls.txt (Only if you have Check Point Firewalls)

§      RDEPDevices.txt (Only if you have RDEP Devices)

§      UnixPorts.txt (Only if you have Unix or Linux hosts)

§      UDPPorts.txt (for NetStream devices)
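The two backup lists above are the same procedure applied to two install directories, with some items present only when the matching device type is configured. The following PowerShell script is an added example, not SecCenter A1000 code, that copies both lists into a timestamped backup folder and reports which items were present. It assumes the default install paths from the guide (reading Root:// as the system drive) and a placeholder backup destination; adjust both for your environment, and run it on every server that hosts a SecCenter A1000 or syslog instance.

```powershell
# Added example, not SecCenter A1000 code: copies the files and directories listed in
# the backup procedure above into a timestamped backup folder. The default install
# paths from the guide are assumed (Root:// read as the system drive); the "only if"
# items are copied when present and reported as skipped otherwise.

$ServerItems = @('Database', 'DBAudit', 'ForensicLogs', 'Profiles', 'Userprofiles',
                 'Devices.xml', 'Groups.xml', 'Hosts.xml')
$SyslogItems = @('Logs', 'DeviceLicInfo.txt', 'FirewallList.txt', 'Host.txt',
                 'Leafirewalls.txt', 'RDEPDevices.txt', 'UnixPorts.txt', 'UDPPorts.txt')

function Backup-SecCenterItems {
    param(
        [Parameter(Mandatory)][string]$SourceRoot,
        [Parameter(Mandatory)][string]$BackupRoot,
        [Parameter(Mandatory)][string[]]$Items
    )
    if (-not (Test-Path -LiteralPath $SourceRoot)) { throw "Install path not found: $SourceRoot" }
    New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
    $report = foreach ($item in $Items) {
        $src = Join-Path $SourceRoot $item
        if (Test-Path -LiteralPath $src) {
            # -Recurse copies directories such as Database and Logs with their contents.
            Copy-Item -LiteralPath $src -Destination (Join-Path $BackupRoot $item) -Recurse -Force
            [pscustomobject]@{ Item = $item; Status = 'copied' }
        } else {
            # Optional items (Devices.xml, Hosts.xml, Leafirewalls.txt, ...) may be absent.
            [pscustomobject]@{ Item = $item; Status = 'not present (skipped)' }
        }
    }
    return $report
}

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupBase = "D:\Backups\SecCenterA1000-$stamp"   # placeholder destination; prefer a disk other than the install disk
# Default install paths from the guide, as placeholders; change them if you installed elsewhere.
$serverPath = "$env:SystemDrive\Program Files\SecCenter A1000\SecCenter A1000"
$syslogPath = "$env:SystemDrive\Program Files\SCASyslog\Syslog"

Backup-SecCenterItems -SourceRoot $serverPath -BackupRoot (Join-Path $backupBase 'Server') -Items $ServerItems |
    Format-Table Item, Status -AutoSize
# Run the syslog part only on servers where the syslog server is installed.
if (Test-Path -LiteralPath $syslogPath) {
    Backup-SecCenterItems -SourceRoot $syslogPath -BackupRoot (Join-Path $backupBase 'Syslog') -Items $SyslogItems |
        Format-Table Item, Status -AutoSize
}
```

Copy the Database directory while the SecCenter A1000 services are stopped or otherwise quiesced, as with any file-level backup of a live data store, so that the copy is consistent; the report of skipped items doubles as a check that an optional file you expected (for example Hosts.xml when hosts are configured) was actually found.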