Correlation for Security Manager

Release Notes

Date Published: September, 2010



Correlation for Security Manager provides out-of-the-box event correlation for its supported products and supports creating correlation rules for all platforms that Security Manager supports. Correlation rules allow you to monitor and analyze a stream of real-time events to look for patterns that indicate a security breach. Rather than detecting a single event, a correlation rule detects multiple events and identifies patterns using the elapsed time, the number of events, the event ID, matching event parameters, or the order in which the events occurred.

Correlation for Security Manager correlates events in the following categories:

  • Denial of service
  • Attacks
  • Suspicious activity

Additional out-of-the-box correlation rules are available for other platforms. For more information, see the module documentation for the platform.

Supported Products

This release supports the following products:

  • Change Guardian for Active Directory (CGAD)
  • Cisco Intrusion Detection System (IDS)
  • Cisco Internetwork Operating System (IOS)
  • Cisco Secure PIX Firewalls
  • Cisco Adaptive Security Appliances (ASA)
  • Internet Information Server (IIS)
  • Internet Security System (ISS) RealSecure
  • Secure Computing Sidewinder Firewalls
  • Snort
  • Symantec Endpoint Protection
  • UNIX
  • Microsoft Windows

Return to Top

Why Install This Module?

Correlation for Security Manager provides an important new capability. This version of Correlation for Security Manager includes new technology for dynamically updating Security Manager modules.

Improvements are made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs.

Correlation Rules Moved From NetIQ Change Guardian for Active Directory

In this version, the Change Guardian for Active Directory correlation rules have been moved from the NetIQ Change Guardian for Active Directory product to the Correlation for Security Manager. If you want to correlate events or alerts generated by Change Guardian for Active Directory, ensure you install Change Guardian for Active Directory version 1.8 or later.

Return to Top

System Requirements

The following table lists additional requirements for a Windows agent acting as the proxy agent for Correlation. For more information about agent requirements, see the Installation Guide for NetIQ Security Manager.

Category Requirement
Processor 1.5 GHz Intel Pentium III or equivalent.
Memory 40 MB minimum. The amount of memory usage varies and depends on the environment, including event rate and other factors.
Operating System All supported Windows agent platforms.
  • Ensure you have Security Manager version 6.0 or later installed.
  • Ensure you have Security Manager Self-monitoring version or later installed.

Return to Top

Installing This Module

Install the Correlation for Security Manager module using the Module Installer utility. If this is the first time you have installed the module, ensure you also add a license. For more information about installing modules, see the Installation Guide for NetIQ Security Manager.

Return to Top

Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

Correlation Events not Alerting

Security Manager cannot guarantee delivery of correlation alerts when correlated events and correlation processing expires due to the following situations:

  • NetIQ Security Manager service restarts
  • Correlation queue backs up
  • Events or alerts are too old to evaluate
  • Times on the agent or monitored computer and Correlation Server are not synchronized

This issue is not typically a problem unless you specify to stop alerting on correlated alerts. Stopping correlated alerts replaces multiple alerts with a single correlation alert. Ensure that the times for all computers and firewalls are synchronized regularly.

ISS RealSecure Events not Alerting

By default, Security Manager collects ISS RealSecure events from the ISS RealSecure database every five minutes.

To work around this issue, increase the value in the Evaluate events after ___ seconds field in the Correlation Global Settings to more than 300 seconds. Global Settings are located in the Configuration snap-in in the Monitor and Development Consoles. For more information about the Configuration snap-in, see the Help.

Forwarded Correlation Alerts Do Not Include All Correlated Events

If you configured alert forwarding, correlation alerts from zone configuration groups do not list all of the correlated events that caused the alerts. Security Manager does not save all the correlated events associated with forwarded correlation alerts in the master configuration group database. However, Security Manager saves all the associated correlated events in the zone configuration group database.

Empty Processing Rule Group after Correlation Install

If you previously installed Change Guardian for Active Directory version 1.7 and upgrade to the latest version of Correlation for Security Manager, the Development Console displays an empty processing rule group called Deprecated Correlation Support (Do Not Use). This processing rule group is left over from a previous version of the Correlation for Security Manager module and is no longer functional. Do not use any of the rules in the deprecated processing rule group.

Removal of Monitoring Guides

Since monitoring information for updated Security Manager modules is now available in the module release notes, monitoring guides have been discontinued. However, a known issue exists where Security Manager cannot remove old monitoring guides when installing updated modules. To reduce the risk of users referencing outdated monitoring guides, Security Manager now replaces the old monitoring guide in the default documentation folder with a blank monitoring guide. Monitoring guides are installed by default in the \Program Files\NetIQ Security Manager\OnePoint\Documentation\Monitoring Guides folder on the central computer, but may have been moved or copied to a different location in your environment. After installing an updated module, you should manually delete any outdated monitoring guides that were copied or moved to other folders.

Return to Top

Contact Information

Please contact us with your questions and comments. We look forward to hearing from you.

For detailed contact information, see the Support Contact Information Web site.

Return to Top

Legal Notice

Return to Top