Correlation for Security Manager
Release Notes
Date Published: September, 2010

Correlation for Security Manager provides out-of-the-box event correlation for its supported products and supports creating correlation rules for all platforms that Security Manager supports. Correlation rules allow you to monitor and analyze a stream of real-time events to look for patterns that indicate a security breach. Rather than detecting a single event, a correlation rule detects multiple events and identifies patterns using the elapsed time, the number of events, the event ID, matching event parameters, or the order in which the events occurred. Correlation for Security Manager correlates events in the following categories:
Additional out-of-the-box correlation rules are available for other platforms. For more information, see the module documentation for the platform.

Supported Products

This release supports the following products:

Why Install This Module?

Correlation for Security Manager provides an important new capability. This version of Correlation for Security Manager includes new technology for dynamically updating Security Manager modules. Improvements are made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs.

Correlation Rules Moved From NetIQ Change Guardian for Active Directory

In this version, the Change Guardian for Active Directory correlation rules have been moved from the NetIQ Change Guardian for Active Directory product to the Correlation for Security Manager. If you want to correlate events or alerts generated by Change Guardian for Active Directory, ensure you install Change Guardian for Active Directory version 1.8 or later.

System Requirements

The following table lists additional requirements for a Windows agent acting as the proxy agent for Correlation. For more information about agent requirements, see the Installation Guide for NetIQ Security Manager.

Installing This Module

Install the Correlation for Security Manager module using the Module Installer utility. If this is the first time you have installed the module, ensure you also add a license. For more information about installing modules, see the Installation Guide for NetIQ Security Manager.

Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

Correlation Events not Alerting

Security Manager cannot guarantee delivery of correlation alerts when correlated events and correlation processing expire due to the following situations:
This issue is not typically a problem unless you specify to stop alerting on correlated alerts. Stopping correlated alerts replaces multiple alerts with a single correlation alert. Ensure that the times for all computers and firewalls are synchronized regularly.

ISS RealSecure Events not Alerting

By default, Security Manager collects ISS RealSecure events from the ISS RealSecure database every five minutes. To work around this issue, increase the value in the Evaluate events after ___ seconds field in the Correlation Global Settings to more than 300 seconds. Global Settings are located in the Configuration snap-in in the Monitor and Development Consoles. For more information about the Configuration snap-in, see the Help.

Forwarded Correlation Alerts Do Not Include All Correlated Events

If you configured alert forwarding, correlation alerts from zone configuration groups do not list all of the correlated events that caused the alerts. Security Manager does not save all the correlated events associated with forwarded correlation alerts in the master configuration group database. However, Security Manager saves all the associated correlated events in the zone configuration group database.

Empty Processing Rule Group after Correlation Install

If you previously installed Change Guardian for Active Directory version 1.7 and upgrade to the latest version of Correlation for Security Manager, the Development Console displays an empty processing rule group called Deprecated Correlation Support (Do Not Use). This processing rule group is left over from a previous version of the Correlation for Security Manager module and is no longer functional. Do not use any of the rules in the deprecated processing rule group.

Removal of Monitoring Guides

Since monitoring information for updated Security Manager modules is now available in the module release notes, monitoring guides have been discontinued. However, a known issue exists where Security Manager cannot remove old monitoring guides when installing updated modules. To reduce the risk of users referencing outdated monitoring guides, Security Manager now replaces the old monitoring guide in the default documentation folder with a blank monitoring guide. Monitoring guides are installed by default in the \Program Files\NetIQ Security Manager\OnePoint\Documentation\Monitoring Guides folder on the central computer, but may have been moved or copied to a different location in your environment. After installing an updated module, you should manually delete any outdated monitoring guides that were copied or moved to other folders.

Contact Information

Please contact us with your questions and comments. We look forward to hearing from you. For detailed contact information, see the Support Contact Information Web site.

Legal Notice

THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU. This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law.
Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time. © 2008 NetIQ Corporation, all rights reserved. U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement. Check Point, FireWall-1, VPN-1, Provider-1, and SiteManager-1 are trademarks or registered trademarks of Check Point Software Technologies Ltd. 
ActiveAgent, ActiveAnalytics, ActiveAudit, ActiveReporting, ADcheck, Aegis, AppAnalyzer, AppManager, the cube logo design, Change Administrator, Change Guardian, Compliance Suite, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator, File Security Administrator, Group Policy Administrator, Group Policy Guardian, Group Policy Suite, IntelliPolicy, Knowing is Everything, Knowledge Scripts, Mission Critical Software for E-Business, MP3check, NetConnect, NetIQ, the NetIQ logo, the NetIQ Partner Network design, Patch Manager, PSAudit, PSDetect, PSPasswordManager, PSSecure, Risk and Compliance Center, Secure Configuration Manager, Security Administration Suite, Security Analyzer, Security Manager, Server Consolidator, VigilEnt, Vivinet, Vulnerability Manager, Work Smarter, and XMP are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the United States and other jurisdictions. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies.
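
Added example (not NetIQ code and not part of the original release notes), illustrating the correlation rule description and the ISS RealSecure known issue above: a simplified Python model of an ordered, two-event rule with a matching parameter and a time window, showing why events polled every 300 seconds drop out of correlation unless the evaluation delay is more than 300 seconds. The event IDs, addresses and the expiry model are constructed assumptions for illustration.

```python
from collections import namedtuple

# Constructed sample data and a simplified model; not the product's implementation.
Event = namedtuple("Event", "ts arrived event_id src")

COLLECT_INTERVAL = 300  # seconds between RealSecure database polls (release notes)


def batch_arrival(ts, interval=COLLECT_INTERVAL):
    """Arrival time of an event that is only picked up at the next poll."""
    return (ts // interval + 1) * interval


def usable(events, evaluate_after):
    """Assumed expiry model: an event is evaluated at ts + evaluate_after, so
    it only takes part if its delivery latency is below that delay."""
    return [e for e in events if e.arrived - e.ts < evaluate_after]


def correlate(events, evaluate_after, first_id, second_id, window):
    """Ordered rule: first_id followed by second_id from the same source
    within `window` seconds. Returns the matching (first, second) pairs."""
    live = sorted(usable(events, evaluate_after), key=lambda e: e.ts)
    hits = []
    for a in live:
        if a.event_id != first_id:
            continue
        for b in live:
            if (b.event_id == second_id and b.src == a.src
                    and 0 < b.ts - a.ts <= window):
                hits.append((a, b))
    return hits


def sample_events():
    # Firewall events arrive in real time; IDS events wait for the next poll.
    return [
        Event(100, 100, "FW_DENY", "10.0.0.5"),
        Event(130, batch_arrival(130), "IDS_SCAN", "10.0.0.5"),  # arrives at 300
        Event(140, batch_arrival(140), "IDS_SCAN", "10.0.0.9"),  # other source
        Event(301, batch_arrival(301), "IDS_SCAN", "10.0.0.5"),  # outside window
    ]


if __name__ == "__main__":
    for delay in (60, 301):
        pairs = correlate(sample_events(), delay, "FW_DENY", "IDS_SCAN", 60)
        print(delay, [(a.ts, b.ts) for a, b in pairs])
```

In this model, clock skew between hosts has the same effect as collection latency, which is why the notes also advise keeping computer and firewall times synchronized.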