

Configuring the Correlation Service
The correlation service controls how and where correlation rules are applied in your environment. When configuring the correlation service, you should consider:
- Whether or not you plan to deploy a dedicated correlation server.
- The names and locations of the collection servers that supply events for correlation.
- Types and specific names of the correlation rules you want to apply in your environment.
- Notification destinations you have created for your environment.
Apply Correlation Rules and Incident Notifications
You must apply correlation rules in order for them to take effect in your environment. When you apply correlation rules, you can also associate notification destinations for each rule.
To apply correlation rules and set notification destinations
- Click Administration, then the Services subtab, and expand the Correlation Service node.
- Select the CA User Activity Reporting Module server on which you want to apply correlation rules.
Correlation Server details appear in the right pane.
- Click Add.
A rule and version dialog appears.
- Select the check box beside each rule category or rule you want to apply. You can select entire category folders, individual rules, or any combination.
- Select the rule version you want for each rule you select to apply.
- (Optional) Select a notification destination for any rule you have selected to apply. If you do not select a destination, the rule will have no automatic notification. You can still manually set a notification for incidents generated by any rule.
- Select the collection servers that route events for correlation from the list of available servers. Select every server whose events you want correlated; if no servers are selected, no events are forwarded for correlation.
- Click OK, or Apply.
Using Pre-Defined Correlation Rules
CA User Activity Reporting Module provides a large number of pre-defined correlation rules for use in your environment, organized by type or regulatory requirement. For example, in the Correlation rules folder of the Library interface, you can see a folder titled PCI, containing rules for various PCI requirements. You can also see a folder titled Identity, which contains general-purpose rules on authorization and authentication.
There are three main types of rules, any or all of which may be included in each category. This topic gives an example of choosing and applying one of each type.
Example - Select and Apply a Simple Rule
Simple correlation rules detect the presence of one state or occurrence. For example, you can apply a rule that alerts you to account creation activity outside normal office hours. Before applying any rule, you should ensure that you have created the Notification Destinations that you want for your environment.
To select and apply the Account Creation Outside Normal Office Hours rule
- Click the Administration tab, then the Library subtab, and expand the Correlation Rules folder.
- Expand the PCI folder, then the Requirement 8 folder, and select the Account Creation Outside Normal Office Hours rule.
The rule details appear in the right pane.
- Review the rule details to ensure that the rule is appropriate for your environment. In this case, the filters define the account creation action, and set the normal business hours by time and day of the week.
- (Optional) Click Edit at the top of the pane to modify the filter settings, if required. For example, you could change the normal work hours to fit your local specifications.
The Manage Rule wizard opens, populated with the rule details.
- Add any notification details you want in the Manage Rule wizard. Notification details provide the message content that is delivered as specified in Notification Destinations.
- Once you have finished preparing the rule, click Save and Close in the wizard. When you edit and save a pre-defined correlation rule, CA User Activity Reporting Module automatically creates a new version, preserving the original version.
- Click the Services subtab, and expand the Correlation Service node.
- Select the server you want to apply the rule on. If you have identified a Correlation Server you should select that server.
- Click Apply in the Rule Configuration area, and select the new version of the Account Creation Outside Normal Office Hours rule, along with the Notification Destination you want associated with it.
- Click OK to close the dialog and activate the rule.
Example - Select and Apply a Counting Rule
Counting correlation rules identify a series of identical states or occurrences. For example, you can apply a rule that alerts you to five or more failed logins by an Administrator account. Before applying any rule, you should ensure that you have created the Notification Destinations that you want for your environment.
To select and apply the 5 Failed Logins by Administrator Account rule
- Click the Administration tab, then the Library subtab, and expand the Correlation Rules folder.
- Expand the Threat Management folder, then the Suspicious Account and Login Activity folder, and select the 5 Failed Logins by Administrator Account rule.
The rule details appear in the right pane.
- Review the rule details to ensure that the rule is appropriate for your environment. In this case, the filters define an Administrator account as a username belonging to the 'Administrators' keyed list, and set the count threshold to 5 events in 60 minutes.
- (Optional) Click Edit at the top of the pane to modify the filter settings, if required. For example, you could change the threshold to 3 events in 30 minutes.
The Manage Rule wizard opens, populated with the rule details.
- Add any notification details you want in the Manage Rule wizard. Notification details provide the message content that is delivered as specified in Notification Destinations.
- Once you have finished preparing the rule, click Save and Close in the wizard. When you edit and save a pre-defined correlation rule, CA User Activity Reporting Module automatically creates a new version, preserving the original version.
- Click the Services subtab, and expand the Correlation Service node.
- Select the server you want to apply the rule on. If you have identified a Correlation Server you should select that server.
- Click Apply in the Rule Configuration area, and select the new version of the 5 Failed Logins by Administrator Account rule, along with the Notification Destination you want associated with it.
- Click OK to close the dialog and activate the rule.
Example - Select and Apply a State Transition Rule
State transition correlation rules identify a series of states or occurrences in turn. For example, you can apply a rule that alerts you to failed logins followed by a successful login from the same user account. Before applying any rule, you should ensure that you have created the Notification Destinations that you want for your environment.
To select and apply the Failed Logins Followed by Success rule
- Click the Administration tab, then the Library subtab, and expand the Correlation Rules folder.
- Expand the Identity folder, then the Authentication folder, and select the Failed Logins Followed by Success rule.
The rule details appear in the right pane.
- Review the rule details to ensure that the rule is appropriate for your environment. In this case, the details pane displays the two states that the rule tracks. The first is five or more failed logins by the same user account or identity. The second is a successful login by that same user or identity.
- (Optional) Click Edit at the top of the pane to modify the state settings, if required.
The Manage Rule wizard opens, displaying the two states that make up the rule.
- Double-click any state you want to change.
The State Definition wizard appears, displaying the details of the state.
- Make any changes you want to the state you selected, and click Save and Close to return to the Manage Rule wizard. For example, the first state checks for 5 failed logins in 10 minutes. You could change the failed login threshold, the time, or both.
- Add any notification details you want in the Manage Rule wizard. Notification details provide the message content that is delivered as specified in Notification Destinations.
- Once you have finished preparing the rule, click Save and Close in the wizard. When you edit and save a pre-defined correlation rule, CA User Activity Reporting Module automatically creates a new version, preserving the original version.
- Click the Services subtab, and expand the Correlation Service node.
- Select the server you want to apply the rule on. If you have identified a Correlation Server you should select that server.
- Click Apply in the Rule Configuration area, and select the new version of the Failed Logins Followed by Success rule, along with the Notification Destination you want associated with it.
- Click OK to close the dialog and activate the rule.
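The three rule types walked through above, implemented as an added Python illustration and run over constructed sample events. This is not CA product code: the pipe-delimited event format, the field names, the office-hours definition and the ADMINISTRATORS set (standing in for the 'Administrators' keyed list) are assumptions made for the example. It shows why the time window matters as much as the count: the same five failures that trigger the 60-minute counting rule for an administrator do not reach state 1 of the transition rule when they are spread over two hours.

```python
# Added example, not CA product code: a minimal correlation engine implementing
# the three rule types above, run over constructed sample events. The event
# format, field names, office-hours definition and the ADMINISTRATORS set
# (standing in for the 'Administrators' keyed list) are assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta

ADMINISTRATORS = {"administrator", "root_admin"}              # assumed keyed-list contents
OFFICE_DAYS, OFFICE_START, OFFICE_END = range(0, 5), 8, 18   # Mon..Fri 08:00-18:00 (assumed)

def parse_event(line):
    """Parse 'YYYY-MM-DD HH:MM:SS|user|action|outcome' (constructed format)."""
    ts, user, action, outcome = line.split("|")
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "user": user, "action": action, "outcome": outcome}

def outside_office_hours(ts):
    return ts.weekday() not in OFFICE_DAYS or not (OFFICE_START <= ts.hour < OFFICE_END)

def trim(q, now, window):
    """Drop timestamps older than `window` from the left of deque `q`."""
    while q and now - q[0] > window:
        q.popleft()

class SimpleRule:
    """Simple rule: fires on each single event that matches the filter."""
    def __init__(self, name, match):
        self.name, self.match = name, match
    def feed(self, ev):
        return [(self.name, ev["user"], ev["ts"])] if self.match(ev) else []

class CountingRule:
    """Counting rule: fires when `count` matching events by one user fall inside `window`."""
    def __init__(self, name, match, count, window):
        self.name, self.match, self.count, self.window = name, match, count, window
        self.seen = defaultdict(deque)          # user -> timestamps of recent matches
    def feed(self, ev):
        if not self.match(ev):
            return []
        q = self.seen[ev["user"]]
        q.append(ev["ts"])
        trim(q, ev["ts"], self.window)
        if len(q) < self.count:
            return []
        q.clear()                               # one incident per burst
        return [(self.name, ev["user"], ev["ts"])]

class StateTransitionRule:
    """State 1: `count` failed logins by one user within `window1`; state 2: a success by that user within `window2`."""
    def __init__(self, name, count, window1, window2):
        self.name, self.count, self.window1, self.window2 = name, count, window1, window2
        self.failures = defaultdict(deque)      # user -> failure timestamps
        self.armed = {}                         # user -> time state 1 was satisfied
    def feed(self, ev):
        if ev["action"] != "login":
            return []
        user = ev["user"]
        if ev["outcome"] == "failure":
            q = self.failures[user]
            q.append(ev["ts"])
            trim(q, ev["ts"], self.window1)
            if len(q) >= self.count:
                self.armed[user] = ev["ts"]
            return []
        armed_at = self.armed.pop(user, None)   # a success consumes state 1 ...
        self.failures.pop(user, None)           # ... and resets the failure run
        if armed_at is not None and ev["ts"] - armed_at <= self.window2:
            return [(self.name, user, ev["ts"])]
        return []

def build_rules():
    return [
        SimpleRule("Account Creation Outside Normal Office Hours",
                   lambda ev: ev["action"] == "account_create" and outside_office_hours(ev["ts"])),
        CountingRule("5 Failed Logins by Administrator Account",
                     lambda ev: ev["action"] == "login" and ev["outcome"] == "failure"
                     and ev["user"] in ADMINISTRATORS,
                     count=5, window=timedelta(minutes=60)),
        StateTransitionRule("Failed Logins Followed by Success",
                            count=5, window1=timedelta(minutes=10), window2=timedelta(minutes=60)),
    ]

def correlate(lines, rules):
    """Feed every event, in order, to every rule; return (rule, user, time) incidents."""
    incidents = []
    for line in lines:
        ev = parse_event(line)
        for rule in rules:
            incidents.extend(rule.feed(ev))
    return incidents

# Constructed sample events (not real log data). 2024-03-02 is a Saturday, 2024-03-04 a
# Monday; jsmith's five failures span two hours, so the 10-minute state 1 is never reached.
SAMPLE_LOG = """\
2024-03-02 02:15:00|svc_backup|account_create|success
2024-03-04 10:05:00|hr_admin|account_create|success
2024-03-04 11:00:00|administrator|login|failure
2024-03-04 11:01:00|administrator|login|failure
2024-03-04 11:02:00|administrator|login|failure
2024-03-04 11:03:00|administrator|login|failure
2024-03-04 11:04:00|administrator|login|failure
2024-03-04 11:05:00|administrator|login|success
2024-03-04 12:00:00|jsmith|login|failure
2024-03-04 12:30:00|jsmith|login|failure
2024-03-04 13:00:00|jsmith|login|failure
2024-03-04 13:30:00|jsmith|login|failure
2024-03-04 14:00:00|jsmith|login|failure
2024-03-04 14:01:00|jsmith|login|success""".splitlines()
```

Running `correlate(SAMPLE_LOG, build_rules())` raises three incidents: the Saturday account creation by svc_backup, the administrator's fifth failure at 11:04, and the administrator's success at 11:05. Nothing fires for jsmith. Editing a threshold in the product's Manage Rule wizard corresponds to changing the `count` or `window` arguments in `build_rules`.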
Set Collection Servers
You can set collection servers to route events for correlation in a multiserver environment. Setting collection servers allows you to administer and run correlation rules on one server, whether it is a dedicated correlation server, or one with shared roles. You can then view incidents from all the selected collection servers.
To set collection servers
- Click Administration, then the Services subtab, and expand the Correlation Service node.
- Select the CA User Activity Reporting Module server to which you want to route events for correlation. If you have a dedicated correlation server, select that server name.
Correlation Server details appear in the right pane.
- Use the Collection Servers shuttle control to select the servers you want. Ensure that all the servers that are collecting events for correlation are in the Selected column.
How to Design and Apply Incident Notifications
You can set up notifications for your correlation rules. Notifications allow you to pass key information on detected incidents to the staff you specify, or create CA IT PAM service desk tickets automatically.
Use the following process to design and set up notifications in your environment:
- Plan and create notification destinations.
- Select the pre-defined correlation rules, or create custom rules you want to use in your environment.
- Add notification details to the rules for which you want to set notifications.
- Apply correlation rules to CA User Activity Reporting Module servers, and assign notification destinations.
More information:
About Correlation Rules
Set Notification Defaults
How to Create a Notification Destination
Correlation Service Considerations
Apply Correlation Rules and Incident Notifications
How to Create a Notification Destination
You can create notification destination objects for use in correlation rules. Destinations allow you to apply common delivery settings to various rules; one destination can be assigned to multiple rules, as needed. They can be assigned during correlation rule application or after an incident is created.
You create a notification destination object using the following process:
- Open the Manage Notification Destinations wizard and set a destination name and description.
- Set parameters for the destination types you want:
- Emails
- CA IT PAM processes
- SNMP traps
A notification destination object can have multiple notification types.
More information:
Open the Manage Notification Destination Wizard
Set Email Destinations
Set a Process Destination
Set SNMP Destinations
Open the Manage Notification Destination Wizard
To create a notification destination you must open the wizard.
To open the manage notification destination wizard
- Click the Administration tab, the Library subtab, and the Notification Destinations folder.
- Click New Notification.
The Manage Notification wizard opens.
More information:
Set Email Destinations
Set a Process Destination
Set SNMP Destinations
Set Email Destinations
You can set email destinations for notifications, to help inform proper personnel of incidents relating to their job role or responsibility.
To set email destinations
- Open the Manage Notification Destination wizard.
- Set the identification details, and advance to the Notifications step.
- Click the email tab, and select Enable email notification.
- Enter at least one recipient email address. You can enter multiple addresses separated by commas.
- (Optional) Enter From email address.
- Add any other destinations you want, or click Save and Close.
More information:
Set Notification Defaults
Set a Process Destination
You can set an IT PAM Process as a notification destination. The notification passes CA User Activity Reporting Module incident information to CA ServiceDesk or third party applications using IT PAM. You set a process destination by identifying a valid IT PAM process. You define the incident information you want to make up the process parameters using notification details.
For additional information on IT PAM processes, see the CA User Activity Reporting Module Administration Guide.
To set process destinations
- Open the Manage Notification Destinations wizard, set identification details, and advance to the Notifications step.
- Click the Process tab and select Enable Process Automation.
- Enter the name of an IT PAM process to which you want to pass incident information, such as:
/CA_ELM/EventAlertOutput
- Add any other destinations you want, or click Save and Close.
More information:
Working with CA IT PAM Event/Alert Output Processes
Set Notification Defaults
Set SNMP Destinations
You can set SNMP destinations, allowing you to use SNMP traps to send incident information to third-party management systems. For additional information on SNMP traps, see the CA User Activity Reporting Module Administration Guide.
To set SNMP destinations
- Open the Manage Notification Destinations wizard, set the identification details, and advance to the Notifications step.
- Click the SNMP tab, and select Enable SNMP Trap.
- (Optional) To send the alert using SNMP v3, select SNMP Version 3. SNMP Version 2 is the default. SNMP v2 traps are neither authenticated nor encrypted (the community string is the only access control), so prefer v3 where the receiving management system supports it.
- (Optional) If you select SNMP Version 3, click the V3 Security button to set authentication or encryption in the Security Parameters dialog.
- Enter Destination Server and Destination Port information to identify the target of your SNMP-transmitted events.
- (Optional) Select another Destination Server/Destination Port row, and enter another pair of server/port values.
- Add any other destinations you want, or click Save and Close.
More information:
Working with SNMP Traps
Set Notification Defaults
Incident Service Considerations
You can control the way in which the incident service stores events and creates incidents for a selected CA User Activity Reporting Module server. You can set the following values:
- Expiration Time: Specifies how long, in days, the service retains incidents in the incident database. If the value is 0, incidents are never deleted. Expired incidents are not displayed.
- Incident Generation Limit values: Specify how often a single correlation rule can create incidents, allowing you to reduce unwanted repeated incidents. For the purposes of incident generation limits, different versions of a rule are considered separate rules, so if you have applied multiple versions of a rule in your environment, they are limited separately. Limit values include:
  - Enabled: Indicates whether incident generation limits are applied.
  - Count: Sets the maximum number of incidents a single rule can generate within the Time window. Count is enforced only when Time is above 0.
  - Time: Sets the window, in seconds, over which Count is measured. Time is enforced only when Count is above 0. When a single rule generates more than Count incidents within Time seconds, the incident service applies the Blocked Time limit. For example, with Count set to 3 and Time set to 10, the limit applies after a single rule generates more than 3 incidents in 10 seconds.
  - Blocked Time: Specifies the interval, in seconds, during which a rule that has exceeded the limit creates no further incidents. The rule resumes creating incidents when the interval expires.
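The Count, Time and Blocked Time semantics described above, as an added Python illustration rather than CA product code. It assumes timestamps in plain seconds, that the incident which exceeds Count is itself suppressed, and that a Count or Time of 0 disables the limit; the page does not state those details, and the product may differ in them.

```python
# Added example, not CA product code: a per-rule-version throttle implementing
# the Count / Time / Blocked Time semantics described above. Assumptions: times
# are plain seconds, the incident that exceeds Count is itself suppressed, and a
# Count or Time of 0 disables the limit.
from collections import defaultdict, deque

class IncidentLimiter:
    """Allow at most `count` incidents per rule version in any `time`-second
    window; the next incident inside that window blocks the rule version for
    `blocked_time` seconds."""

    def __init__(self, enabled=True, count=3, time=10, blocked_time=60):
        self.enabled, self.count, self.time, self.blocked_time = enabled, count, time, blocked_time
        self.history = defaultdict(deque)   # (rule, version) -> recent incident times
        self.blocked_until = {}             # (rule, version) -> time the block lifts

    def allow(self, rule, version, now):
        """Return True if this rule version may create an incident at `now`."""
        if not self.enabled or self.count <= 0 or self.time <= 0:
            return True                     # limit disabled (assumed reading of "if above 0")
        key = (rule, version)               # versions of one rule are limited separately
        until = self.blocked_until.get(key)
        if until is not None:
            if now < until:
                return False                # Blocked Time still running
            del self.blocked_until[key]     # block expired: start a fresh window
            self.history[key].clear()
        q = self.history[key]
        q.append(now)
        while q and now - q[0] > self.time: # forget incidents older than the Time window
            q.popleft()
        if len(q) > self.count:             # more than Count within Time: apply Blocked Time
            self.blocked_until[key] = now + self.blocked_time
            q.clear()
            return False
        return True

def simulate(limiter, events):
    """events: iterable of (rule, version, time_in_seconds); returns one decision per event."""
    return [limiter.allow(rule, version, t) for rule, version, t in events]
```

With Count 3, Time 10 and Blocked Time 60, three incidents at seconds 0, 1 and 2 pass, the fourth at second 3 is blocked and starts the 60-second block, an incident at second 30 is still blocked, and the rule creates incidents again from second 63. A second version of the same rule has its own counter and is unaffected.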
ODBC Server Considerations
You can install an ODBC client or a JDBC client to access the CA User Activity Reporting Module event log store from an external application like SAP BusinessObjects Crystal Reports.
You can perform the following tasks from this configuration area:
- Enable or disable ODBC and JDBC access to the event log store.
- Set the service port used for communications between the ODBC or JDBC client and CA User Activity Reporting Module server.
- Specify whether communications between ODBC or JDBC client and CA User Activity Reporting Module server are encrypted.
The field descriptions are as follows:
- Enable Service: Indicates whether ODBC and JDBC clients can access data in the event log store. Select this check box to enable external access to events; clear it to disable external access.
  The ODBC service is not currently FIPS-compatible. If you intend to run in FIPS mode, clear this check box to prevent non-compliant ODBC and JDBC access to event data. The setting is per server, so clear it on every server in a federation.
- Server Listening Port: Specifies the port number used by the ODBC and JDBC services. The default value is 17002. The CA User Activity Reporting Module server refuses connection attempts when a different value is specified in the Windows Data Source or the JDBC URL string.
- Encrypted (SSL): Indicates whether communications between the ODBC or JDBC client and the CA User Activity Reporting Module server are encrypted. The server refuses connection attempts when the corresponding value in the Windows Data Source or JDBC URL does not match this setting. When this check box is clear, queries and the event data they return cross the network unencrypted, so leave it selected unless another control protects that path.
- Session Timeout (minutes): Specifies the number of minutes an idle session is kept open before it is closed automatically.
- Log Level: Defines the type and level of detail recorded in the log file. The drop-down list is arranged in order of detail, with the first choice providing the least detail.
- Apply to all loggers: Controls whether the Log Level setting overrides all log settings from the log properties file. This setting applies only when the Log Level setting is lower (that is, more detailed) than the default setting.
Copyright © 2014 CA Technologies.
All rights reserved.
 