

Policy Violation Alerts

An action alert is a scheduled query job, which can be used to detect policy violations, usage trends, logon patterns, and other information that may require near-term attention. For example, it can detect when high-severity events occur and notify the configured person, product, or process. All alerts are added to an RSS Feed. If configured, the alert can notify users by email, run the configured CA IT PAM process, or send SNMP traps to a remote server.

Custom Alert Definition/Configuration

Problem:

A systems administrator renamed the Windows Administrator account to TheMan, but this account is still required for certain administrative duties like installing new software on production servers. Under normal circumstances, this account should not be used, and usage is tightly regulated by an internal oversight committee. Login activity associated with this account is a potential policy violation and requires immediate notification. Because this account is not called Administrator, the out-of-the-box alerts do not recognize this account as a privileged account.

Solution:

An Administrator adds TheMan as a value for the keyed list Default_Accounts, then schedules an alert that runs the query Successful Login by Default Accounts in the last 24 hours. This query uses the keyed list Default_Accounts. An alert is generated when there is a successful login by TheMan or any other value for the Default_Accounts key.

Procedure

More Information

Customize Keyed Values

How to Create an Action Alert

Send an Alert that Runs an IT PAM Process Per Row

Customizing Queries for Action Alerts

For background information, see:

About Action Alerts

Action Alert Considerations

For examples, see:

Create an Action Alert for Low Disk Space

Create an Alert for a Self-Monitoring Event

Create an Alert for Business Critical Resources

Automated Alerting by Email

Problem:

Administrators need to be notified when logs indicate improper access to resources such as critical servers, files, directories, URLs, and other IT resources. This kind of improper access is a potential policy violation that must be documented in compliance reports and also acted upon.

Solution:

An Analyst configures CA User Activity Reporting Module to notify the Administrator through email (Blackberry) when control violations occur.

Procedure

More Information

Set Notification Destinations

Example: Email the Administrator when Event Flow Stops

 

Automated Alerting via RSS

Problem:

Administrators need to ensure that their organization remains compliant with PCI controls, or the company will face steep fines. If control violations occur, they need to act swiftly to return the organization to compliance. Three Administrators share responsibility for acting on these alerts at different times throughout the day. Each Administrator wants to receive alerts through a favorite RSS reader only while on call, rather than receiving all alerts at all times.

Solution:

When on call, one Administrator configures SharpReader to receive alerts from CA User Activity Reporting Module through RSS when control violations occur. The other two Administrators run FeedReader for CA User Activity Reporting Module alert notifications when they are on call. Each receives alerts only when they are running their RSS client.

Procedure

More Information

Action Alert Considerations

Example: Run PCI Reports

 

Automated Alerting of Help Desk through CA IT PAM

Problem:

Many widely used systems are installed with vendor-supplied, default privileged accounts. For example, Windows operating systems are installed with an Administrator privileged account. Many organizations have a security policy stating that system administrators are not to use these privileged accounts without written approval prior to use. When such an account is used, the organization needs a way to alert their help desk as soon as possible so that help desk personnel can check whether approval was given and if not, follow through.

Consider a scenario where the help desk process is configured in CA IT PAM.

Solution:

Help desk alerting is a good solution. After integration with CA IT PAM is configured, you can identify the query that captures each event involving a login with a privileged account, configure the keyed list with the privileged account usernames that you want to restrict, and schedule an alert to notify CA IT PAM when CA User Activity Reporting Module detects a successful login performed with any privileged account. You can enter a description with CEG fields as variables that CA IT PAM can use to populate the Description field of the help desk ticket. When the scheduled alert based on this query returns an event, CA User Activity Reporting Module automatically sends the event and its description to CA IT PAM. CA IT PAM processes this information and creates the help desk ticket.
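The following is an added Python illustration of the two scenarios above (the keyed-list alert that catches the renamed account TheMan, and a per-row ticket description built from CEG-style fields); it is not the product's own code, and the keyed-list contents, event field names and sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from string import Template

# Keyed list as described on the page: the renamed Windows Administrator
# account "TheMan" is added as a value of the Default_Accounts key.
KEYED_LISTS = {
    "Default_Accounts": {"Administrator", "root", "sa", "TheMan"},
}

# Constructed sample events. Field names are CEG-style but assumed for this
# example; they are not taken from the product's schema.
SAMPLE_EVENTS = [
    {"event_time": "2024-05-01T08:15:00Z", "source_username": "TheMan",
     "dest_hostname": "prod-app01", "event_result": "S", "event_category": "Logon"},
    {"event_time": "2024-05-01T09:02:00Z", "source_username": "TheMan",
     "dest_hostname": "prod-app02", "event_result": "F", "event_category": "Logon"},
    {"event_time": "2024-05-01T10:30:00Z", "source_username": "jsmith",
     "dest_hostname": "prod-app01", "event_result": "S", "event_category": "Logon"},
    {"event_time": "2024-04-28T23:40:00Z", "source_username": "Administrator",
     "dest_hostname": "prod-db01", "event_result": "S", "event_category": "Logon"},
]
NOW = datetime(2024, 5, 1, 20, 0, tzinfo=timezone.utc)  # constructed "current" time

def parse_time(value):
    """Parse the UTC timestamp format used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def successful_login_by_default_accounts(events, now, window_hours=24,
                                         list_name="Default_Accounts"):
    """Rows the alert query would return: successful logons inside the window
    whose account is a value of the keyed list. Windows account names are
    case-insensitive, so the comparison is case-insensitive too."""
    accounts = {a.lower() for a in KEYED_LISTS[list_name]}
    cutoff = now - timedelta(hours=window_hours)
    return [e for e in events
            if e["event_category"] == "Logon" and e["event_result"] == "S"
            and e["source_username"].lower() in accounts
            and cutoff <= parse_time(e["event_time"]) <= now]

# Ticket description with CEG-style field placeholders, filled in per row.
DESCRIPTION = Template(
    "Privileged account $source_username logged on to $dest_hostname at $event_time")

def run_alert(events, now):
    """One rendered description per row, as a per-row alert output would send."""
    return [DESCRIPTION.substitute(row)
            for row in successful_login_by_default_accounts(events, now)]
```

With the constructed data, only the successful TheMan logon inside the 24-hour window produces a row; the failed logon, the non-privileged user and the three-day-old Administrator logon are excluded.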

Procedure

More Information

Example: Run an Event/Alert Output Process with Selected Query Results

Example: Send an Alert that Runs an IT PAM Process Per Row

Example: Send an Alert that Runs an IT PAM Process Per Query

Process of Working with Event/Alert Output Processes

Import a Sample Process

Working with CA IT PAM Event/Alert Output Processes

Data Flow for Event/Alert Output Processing

Manual Alerting of Help Desk through CA IT PAM

Problem:

SOX requires organizations to track configuration changes and their approvals. Many organizations use CA Service Desk to track, monitor, and report on all problems and incidents, including policy violation investigations. Assume an analyst is investigating an incident and finds that privileged accounts were used out of office hours. This is shown by events returned by the Privileged User Sessions Detail query.

Solution:

The analyst runs the IT PAM event/alert output process that creates a help desk ticket for the selected event. The summary and description statements describe what happened using CEG fields. The confirmation displays the request number created in CA Service Desk. The analyst logs into CA Service Desk, selects Requests and enters the request number. The analyst reviews the help desk ticket created from CA User Activity Reporting Module with the summary and description statements reflecting the actual data.

Procedure

More Information

Example: Run an Event/Alert Output Process with Selected Query Results

 

Automated Alerting of Network Operations Center through SNMP Traps

Problem:

Network Operations Centers (NOCs) monitor the network for conditions that may require intervention to avert impact on service availability or network performance. A configuration change to a critical system is an example of a user-initiated action that can affect service availability. Many organizations require administrators to get prior authorization before making such a configuration change. It is important for the NOC to be able to verify that such changes have been authorized as soon as possible after a change is made.

Consider the scenario where a NOC uses CA Spectrum NFM to track system and service availability. Spectrum needs to be alerted when a configuration change is made.

Solution:

SNMP alerting lets you solve this problem. Configuration changes create events that can be captured by CA User Activity Reporting Module queries. You can schedule alerts based on such queries. After integration with SNMP traps is configured, you can direct alerts to the NOC monitoring system, such as CA Spectrum. This example alert sends all configuration change events to Spectrum through SNMP, its standard input method. Upon receipt of an alert that a configuration change was made on a particular system, the Spectrum icon for that system changes color from green to yellow. NOC personnel can then check to see whether the change was authorized and take appropriate action if it was not.

Procedure

More Information

Example: Alerting CA Spectrum of Configuration Changes

Example: Alerting CA NSM of Configuration Changes

Example: Create Custom MIB 33 for the Average CPU Load Trend Query

About SNMP Traps

Process of Working with SNMP Traps

Preparing to Send Traps to CA Spectrum

Preparing to Send Traps to CA NSM

Configure SNMP Integration

View SNMP Traps on CA Spectrum

View SNMP Traps on CA NSM