An action alert is a scheduled query job, which can be used to detect policy violations, usage trends, logon patterns, and other information that may require near-term attention. For example, it can detect when high-severity events occur and notify the configured person, product, or process. All alerts are added to an RSS Feed. If configured, the alert can notify users by email, run the configured CA IT PAM process, or send SNMP traps to a remote server.
Custom Alert Definition/Configuration
A systems administrator renamed the Windows Administrator account to TheMan, but this account is still required for certain administrative duties like installing new software on production servers. Under normal circumstances, this account should not be used, and usage is tightly regulated by an internal oversight committee. Login activity associated with this account is a potential policy violation and requires immediate notification. Because this account is not called Administrator, the out-of-the-box alerts do not recognize this account as a privileged account.
An Administrator adds TheMan as a value for the keyed list Default_Accounts, then schedules an alert that runs the query Successful Login by Default Accounts in the last 24 hours. This query uses the keyed list Default_Accounts. An alert is generated when there is a successful login by TheMan or any other value for the Default_Accounts key.
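The scenario above, modelled as an added example (this is not CA's query or product code): a keyed-list lookup over the last 24 hours of login events, run before and after TheMan is added to Default_Accounts. Event field names, hosts, and timestamps are constructed for illustration; only TheMan and Default_Accounts come from this page.

```python
from datetime import datetime, timedelta

# Keyed list before the change: only the stock account name (constructed contents).
KEYED_LISTS = {"Default_Accounts": {"Administrator"}}

# Constructed sample events; field names are illustrative, not the product's schema.
NOW = datetime(2013, 6, 3, 9, 0)
EVENTS = [
    {"time": NOW - timedelta(hours=2), "user": "TheMan", "action": "login",
     "result": "success", "host": "prod-db01"},
    {"time": NOW - timedelta(hours=6), "user": "THEMAN", "action": "login",
     "result": "success", "host": "prod-app03"},   # same Windows account, other case
    {"time": NOW - timedelta(hours=5), "user": "TheMan", "action": "login",
     "result": "failure", "host": "prod-db01"},    # failed attempt: not this query
    {"time": NOW - timedelta(hours=30), "user": "TheMan", "action": "login",
     "result": "success", "host": "prod-web02"},   # older than the 24-hour window
    {"time": NOW - timedelta(hours=1), "user": "jsmith", "action": "login",
     "result": "success", "host": "prod-web02"},   # ordinary account
]

def successful_default_account_logins(events, keyed_lists, now,
                                      window=timedelta(hours=24)):
    """Successful logins inside the window by any value of Default_Accounts."""
    # Windows account names are case-insensitive, so compare case-folded.
    accounts = {name.casefold() for name in keyed_lists["Default_Accounts"]}
    return [e for e in events
            if e["action"] == "login" and e["result"] == "success"
            and now - window <= e["time"] <= now
            and e["user"].casefold() in accounts]

def run_alert(events, keyed_lists, now):
    """One scheduled run: return one notification line per matching event."""
    hits = successful_default_account_logins(events, keyed_lists, now)
    return [f"{e['time']:%Y-%m-%d %H:%M} privileged login by {e['user']} on {e['host']}"
            for e in hits]

def demo():
    # Before: the renamed account is not in the keyed list, so nothing fires.
    before = run_alert(EVENTS, KEYED_LISTS, NOW)
    # After: TheMan added as a value for Default_Accounts.
    updated = {"Default_Accounts": KEYED_LISTS["Default_Accounts"] | {"TheMan"}}
    after = run_alert(EVENTS, updated, NOW)
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", *after, sep="\n  ")
```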
More Information
For background information, see:
For examples, see: Create an Action Alert for Low Disk Space
Automated Alerting by Email
Administrators need to be notified when logs indicate improper access to resources such as critical servers, files, directories, URLs, and other IT resources. This kind of improper access is a potential policy violation that must be documented in compliance reports and also acted upon.
An Analyst configures CA User Activity Reporting Module to notify the Administrator through email (BlackBerry) when control violations occur.
Automated Alerting via RSS
Administrators need to ensure that their organization remains compliant with PCI controls, or the company will face steep fines. If control violations occur, they need to act swiftly to return the organization to compliance. Three Administrators share responsibility for acting on these alerts at different times throughout the day. Each Administrator wants to receive alerts through a favorite RSS reader only while on call, rather than receiving all alerts at all times.
When on call, one Administrator configures SharpReader to receive alerts from CA User Activity Reporting Module through RSS when control violations occur. The other two Administrators run FeedReader for CA User Activity Reporting Module alert notifications when they are on call. Each receives alerts only while running their RSS client.
Automated Alerting of Help Desk through CA IT PAM
Many widely used systems are installed with vendor-supplied, default privileged accounts. For example, Windows operating systems are installed with an Administrator privileged account. Many organizations have a security policy stating that system administrators are not to use these privileged accounts without written approval prior to use. When such an account is used, the organization needs a way to alert their help desk as soon as possible so that help desk personnel can check whether approval was given and if not, follow through.
Consider a scenario where the help desk process is configured in CA IT PAM.
Help desk alerting is a good solution. After integration with CA IT PAM is configured, you can identify the query that captures each event involving the login with a privileged account, configure the keyed list with privileged account usernames that you want to restrict, and schedule an alert to notify CA IT PAM when CA User Activity Reporting Module detects a successful login performed with any privileged account. You can enter a description with CEG fields for variables that CA IT PAM can use to populate the help desk Description field for this help desk ticket. When the scheduled alert based on this query returns an event, CA User Activity Reporting Module automatically sends the event and its description to CA IT PAM. CA IT PAM processes this information and creates the help desk ticket.
Manual Alerting of Help Desk through CA IT PAM
SOX requires organizations to track configuration changes and their approvals. Many organizations use CA Service Desk to track, monitor, and report on all problems and incidents, including policy violation investigations. Assume an analyst is investigating an incident and finds that privileged accounts were used outside office hours. This is shown by events returned by the Privileged User Sessions Detail query.
The analyst runs the IT PAM event/alert output process that creates a help desk ticket for the selected event. The summary and description statements describe what happened using CEG fields. The confirmation displays the request number created in CA Service Desk. The analyst logs into CA Service Desk, selects Requests and enters the request number. The analyst reviews the help desk ticket created from CA User Activity Reporting Module with the summary and description statements reflecting the actual data.
Example: Run an Event/Alert Output Process with Selected Query Results
Automated Alerting of Network Operations Center through SNMP Traps
Network Operations Centers (NOCs) monitor the network for conditions that may require intervention to avert impact on service availability or network performance. A configuration change to a critical system is an example of a user-initiated action that can affect service availability. Many organizations require administrators to get prior authorization before making such a configuration change. It is important for the NOC to be able to verify that such changes have been authorized as soon as possible after such a change is made.
Consider the scenario where a NOC uses CA Spectrum NFM to track system and service availability. Spectrum needs to be alerted when a configuration change is made.
SNMP alerting lets you solve this problem. Configuration changes create events that can be captured by CA User Activity Reporting Module queries. You can schedule alerts based on such queries. After integration with SNMP traps is configured, you can direct alerts to the NOC monitoring system, such as CA Spectrum. This example alert sends all configuration change events to Spectrum through SNMP, its standard input method. Upon receipt of an alert that a configuration change was made on a particular system, the Spectrum icon for that system changes color from green to yellow. NOC personnel can then check to see whether the change was authorized and take appropriate action if it was not.
Copyright © 2013 CA.
All rights reserved.