This section contains the following topics:
Improved Subscription Monitoring
CA User Activity Reporting Module Sizing Calculator
You can use event correlation rules to detect complex patterns of events that are associated with unusual or dangerous states, or with suspicious activity. CA User Activity Reporting Module provides numerous predefined correlation rules, and the ability to create custom rules or modify predefined ones.
You could deploy a predefined correlation rule to detect suspicious activity after a specified number of failed logins. For example, you could use the "5 Failed Logins by a single account followed by excessive configuration management activity" rule. In this case, you could also customize the number of failed logins, or the definition of excessive activity.
You can view and respond to incidents generated by CA User Activity Reporting Module event correlation using the Incident Management system. You can investigate the events that make up an incident, route incident notifications, or trigger automatic workflows.
For example, you can view current incidents in your environment. You could sort them by severity to see the most severe first, and view each in turn, checking that the assigned severity is appropriate. You can then downgrade incidents that do not need immediate attention, assign any incident to an appropriate resource, or view the comments attached to that incident.
Compliance Dashboards let you quickly check the status of your environment with respect to specified states or regulations.
For example, you can open CA User Activity Reporting Module and view the PCI Incidents Dashboard. The dashboard shows you various high-level status displays, including:
You can check archived or recataloged data for tampering, helping to secure your archived data, and meet regulatory requirements. CA User Activity Reporting Module uses digital signatures to validate the databases. If the database is corrupted or if its signature is missing or corrupted, the data integrity check considers the database tampered.
You can schedule daily data integrity checks to occur at set times and on selected CA User Activity Reporting Module servers. Any tampered databases detected by a scheduled integrity check are automatically quarantined. You can view quarantined databases and decide whether to regenerate keys to make them queryable.
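The following is an added example, not code from CA User Activity Reporting Module, showing the logic of a scheduled integrity check over an archived database: each database carries a signature recorded when it was archived, and a missing or malformed signature, a corrupted signature, or any change to the contents all classify the database as tampered and send it to quarantine. It assumes an HMAC-SHA256 tag in place of the product's digital signature so that it runs with the Python standard library only; the archive layout, database names and `regenerate_signature` helper are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Added example, not product code. A scheduled integrity check over archived
# databases: each database is stored next to a signature computed when it was
# archived; a missing or malformed signature, a damaged signature, or changed
# contents marks the database as tampered and it is quarantined.
#
# Assumption: an HMAC-SHA256 tag stands in for the product's digital signature
# so the example runs with the standard library only.

def sign_database(key: bytes, contents: bytes) -> bytes:
    """Signature recorded when the database is archived or recataloged."""
    return hmac.new(key, contents, hashlib.sha256).digest()

def check_integrity(key: bytes, contents: bytes, signature) -> str:
    """Return 'ok' or 'tampered'. A missing or malformed signature counts as
    tampering, as does any change to the contents or to the signature bytes."""
    if signature is None or len(signature) != hashlib.sha256().digest_size:
        return "tampered"
    expected = sign_database(key, contents)
    # constant-time comparison so the check does not leak how many bytes matched
    return "ok" if hmac.compare_digest(expected, signature) else "tampered"

def run_scheduled_check(key: bytes, archive: dict):
    """Check every archived database; tampered ones are moved to quarantine.
    Returns (intact_names, quarantined_names), each sorted."""
    intact, quarantined = [], []
    for name, (contents, signature) in archive.items():
        if check_integrity(key, contents, signature) == "ok":
            intact.append(name)
        else:
            quarantined.append(name)
    return sorted(intact), sorted(quarantined)

def regenerate_signature(key: bytes, contents: bytes) -> bytes:
    """Operator decision after reviewing a quarantined database: re-sign it so
    it becomes queryable again. Nothing about the contents is validated here,
    which is why this is a deliberate operator step and not automatic."""
    return sign_database(key, contents)

def build_sample_archive(key: bytes) -> dict:
    """Constructed sample: one intact database and three kinds of damage."""
    intact = b"event_id=1,event_time_gmt=2014-03-01 09:00:00,action=login;"
    good_sig = sign_database(key, intact)
    corrupted = intact[:-1] + b"X"                        # one byte changed after signing
    bad_sig = bytes([good_sig[0] ^ 0x01]) + good_sig[1:]  # one bit of the signature flipped
    return {
        "db_intact": (intact, good_sig),
        "db_missing_sig": (intact, None),
        "db_corrupted": (corrupted, good_sig),
        "db_bad_sig": (intact, bad_sig),
    }

if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print(run_scheduled_check(key, build_sample_archive(key)))
```

Only `db_intact` passes; the other three land in quarantine for different reasons, and none of them is released until an operator explicitly regenerates its signature.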
You can view the current subscription status of your global CA User Activity Reporting Module environment through the Subscription Dashboard. The Subscription Dashboard displays the progress of any updates currently being downloaded or installed by any CA User Activity Reporting Module server. For example, during a scheduled update to your global CA User Activity Reporting Module environment, you can use the Subscription Dashboard to monitor the update progress of each CA User Activity Reporting Module server, including which modules are currently downloading or installing, and the current state of the server. From the Subscription Dashboard, you can also see the state of any content updates currently in progress, as well as a list of all content updates previously installed.
You can view the current subscription status of a specific CA User Activity Reporting Module server through the global Subscription Dashboard, or through the server's local State window.
You can create custom nested category tags for queries and reports. Nested tags let you organize reports and queries into detailed subcategories.
For example, CA User Activity Reporting Module provides a report category tag named Event Categories. You could add custom tags based on event categories in your environment.
CA User Activity Reporting Module supports CA Access Control privileged user password management (PUPM). CA Access Control PUPM events include a check-out and check-in time, recording when a password is in use. These times are mapped to event_start_time_gmt and event_end_time_gmt in the updated CEG schema for this release.
You can use advanced drilldown to investigate user activity by choosing the new fields as advanced filters in your queries. For example, you could right-click on a user in a CA Access Control report panel, and apply a filter like the following to the report you are drilling down into:
(event_time_gmt >= event_start_time_gmt) AND (event_time_gmt <= event_end_time_gmt)
This filter displays the check-out and check-in time from the selected user event.
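The following is an added example, not code from the product, that applies the filter above to constructed sample events: a PUPM check-out/check-in event supplies `event_start_time_gmt` and `event_end_time_gmt`, and the report being drilled into keeps only the selected user's events whose `event_time_gmt` falls inside that window, i.e. what was done while the privileged password was checked out. The field name `source_username` and the restriction to the selected user are assumptions standing in for the drilldown context; only the time-window comparison comes from the page.

```python
from datetime import datetime

# Added example, not product code. Applies the drilldown filter
#   (event_time_gmt >= event_start_time_gmt) AND (event_time_gmt <= event_end_time_gmt)
# to constructed sample events. The user field name "source_username" is an
# assumption; the CEG field names for the window come from the page.

def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed: the PUPM event the user right-clicked in the report panel.
PUPM_EVENT = {
    "source_username": "dba01",
    "account": "oracle",
    "event_start_time_gmt": ts("2014-03-01 09:00:00"),  # password checked out
    "event_end_time_gmt": ts("2014-03-01 10:00:00"),    # password checked in
}

# Constructed: events in the report being drilled into.
REPORT_EVENTS = [
    {"source_username": "dba01", "event_time_gmt": ts("2014-03-01 08:45:00"), "action": "login"},
    {"source_username": "dba01", "event_time_gmt": ts("2014-03-01 09:05:00"), "action": "alter user"},
    {"source_username": "dba01", "event_time_gmt": ts("2014-03-01 09:59:59"), "action": "grant dba"},
    {"source_username": "dba01", "event_time_gmt": ts("2014-03-01 10:00:00"), "action": "logout"},
    {"source_username": "dba01", "event_time_gmt": ts("2014-03-01 10:30:00"), "action": "login"},
    {"source_username": "ops02", "event_time_gmt": ts("2014-03-01 09:30:00"), "action": "login"},
]

def in_checkout_window(event: dict, pupm_event: dict) -> bool:
    """The page's filter; both bounds are inclusive (>= and <=)."""
    return (pupm_event["event_start_time_gmt"]
            <= event["event_time_gmt"]
            <= pupm_event["event_end_time_gmt"])

def drilldown(pupm_event: dict, events: list) -> list:
    """Events of the selected user (assumed drilldown context) during the
    check-out window. Returns the action names in time order."""
    user = pupm_event["source_username"]
    hits = [e for e in events
            if e["source_username"] == user and in_checkout_window(e, pupm_event)]
    return [e["action"] for e in sorted(hits, key=lambda e: e["event_time_gmt"])]

if __name__ == "__main__":
    print(drilldown(PUPM_EVENT, REPORT_EVENTS))
```

Note that the event at exactly 10:00:00 is kept because both comparisons in the filter are inclusive; the 08:45 and 10:30 events fall outside the check-out period and the other user's event is excluded by the drilldown context.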
You can set a query to search more than 5,000 event database rows, letting you make broader searches. In previous releases, the maximum number of events a query could return was 5,000.
When creating or editing a query, you can set a higher limit from the Result Conditions step of the query design wizard in either of the following ways:
Note: If a scheduled report includes a large query, you cannot publish it to PDF due to a limitation of the format.
The current release includes a sizing calculator that helps estimate the number of CA User Activity Reporting Module servers required to meet the needs of your environment. You enter your hardware details, the types of event sources you want to monitor, and how long you must retain event data, and receive a suggested number of CA User Activity Reporting Module servers.
The calculator also includes expected event-per-second rates for all listed event sources. You can accept or adjust these default values.
The installation package includes the sizing calculator, which must be installed on Windows.
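The following is an added example, not the product's sizing calculator, that shows the shape of such an estimate: per-source default events-per-second rates that can be accepted or overridden, a retention period, and per-server capacities, with the suggested server count being the larger of the ingest-rate and retention-storage constraints. Every rate and capacity in it (the `DEFAULT_EPS` table, `SERVER_EPS_CAPACITY`, `AVG_EVENT_BYTES`, `SERVER_STORAGE_BYTES`) is a constructed assumption, not a value from the product.

```python
import math

# Added example, not the product's sizing calculator. All rates and capacities
# below are constructed assumptions for illustration.

DEFAULT_EPS = {            # assumed events per second for one source of each type
    "windows_server": 20,
    "firewall": 300,
    "database": 50,
    "ca_access_control": 10,
}
SERVER_EPS_CAPACITY = 2500          # assumed sustained EPS one server can ingest
AVG_EVENT_BYTES = 500               # assumed average stored size of one event
SERVER_STORAGE_BYTES = 2 * 1024**4  # assumed usable event storage per server (2 TiB)

def total_eps(sources, overrides=None):
    """Sum of per-source rates; an override replaces the default where the
    user adjusted it. `sources` maps source type -> number of such sources."""
    overrides = overrides or {}
    return float(sum(overrides.get(kind, DEFAULT_EPS[kind]) * count
                     for kind, count in sources.items()))

def retained_bytes(eps, retention_days):
    """Storage needed to keep every event for the retention period."""
    return eps * AVG_EVENT_BYTES * 86400 * retention_days

def suggested_servers(sources, retention_days, overrides=None):
    """Servers needed to satisfy both the ingest rate and the retention
    requirement; the larger of the two constraints decides, never fewer than one."""
    eps = total_eps(sources, overrides)
    by_throughput = math.ceil(eps / SERVER_EPS_CAPACITY)
    by_storage = math.ceil(retained_bytes(eps, retention_days) / SERVER_STORAGE_BYTES)
    return {
        "eps": eps,
        "by_throughput": by_throughput,
        "by_storage": by_storage,
        "servers": max(1, by_throughput, by_storage),
    }

if __name__ == "__main__":
    sources = {"windows_server": 50, "firewall": 4, "database": 10}
    print(suggested_servers(sources, retention_days=90))
    # the same environment after adjusting the firewall default down to 100 EPS
    print(suggested_servers(sources, retention_days=90, overrides={"firewall": 100}))
```

With these assumed figures the 90-day retention requirement, not the ingest rate, sets the server count, which is the kind of result worth checking before accepting a calculator's defaults: lowering one source's rate cuts the estimate from five servers to four here.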
Copyright © 2014 CA Technologies.
All rights reserved.