Event Correlation and Incident Management
This section contains the following topics:
Correlation Rule Tasks
Incident Management Tasks
View Incident Details
Correlation Rule Tasks
Correlation rules can report patterns of events, helping you to identify suspicious activities or dangerous conditions in your environment. Each time events match a correlation rule's criteria, CA User Activity Reporting Module creates an incident.
You can perform the following correlation rule tasks if you have the Administrator role:
- Create, edit, or delete a correlation rule
- Create a correlation rule group
- Import or export a correlation rule.
- Apply correlation rules and associate notification destinations in your environment.
About Correlation Rules
You can apply predefined correlation rules, use the correlation rule wizard to create custom correlation rules for your environment, or modify existing rules. Correlation rules allow you to identify groups of events that may indicate attacks or other security risks. You must have the Administrator role to create or edit correlation rules.
When you create a correlation rule, you must select which of the three types to create. The rule template controls what event or events are considered an incident. The following templates are available:
- Simple Filter - allows you to search for a single event or state. This template creates an incident from a single event.
- Counting Template - allows you to search for a set of identical events. You can control how many events of the same type the rule searches for. Each time the rule detects the number of events you set, it triggers an incident.
- State Transition Template - allows you to search for a related series of events. When one specific event or state occurs, followed by one or more others, the rule creates an incident. You can define the states that the rule searches for, and set the number of states.
Note: Effective correlation requires a full view of incoming events. For this reason you should consider avoiding applying suppression or summarization rules at the agent level. Any events that are suppressed or summarized at the agent are not considered for correlation and incident creation.
Event correlation can result in significant network traffic. For this reason you may wish to consider assigning a dedicated Correlation Server.
If there are too many incident messages for the correlation service to process, the correlation service maintains a queue of up to 10,000 messages. Any further messages are lost. CA User Activity Reporting Module generates a self-monitoring event if this occurs.
More information:
About Incident Notifications
Using Pre-Defined Correlation Rules
CA User Activity Reporting Module provides a large number of pre-defined correlation rules for use in your environment, organized by type or regulatory requirement. For example, in the Correlation rules folder of the Library interface, you can see a folder titled PCI, containing rules for various PCI requirements. You can also see a folder titled Identity, which contains general-purpose rules on authorization and authentication.
There are three main types of rules, any or all of which may be included in each category. This topic gives an example of choosing and applying one of each type.
Example - Select and Apply a Simple Rule
Simple correlation rules detect the presence of one state or occurrence. For example, you can apply a rule that alerts you to account creation activity outside normal office hours. Before applying any rule, you should ensure that you have created the Notification Destinations that you want for your environment.
To select and apply the Account Creation Outside Normal Office Hours rule
- Click the Administration tab, then the Library subtab, and expand the Correlation Rules folder.
- Expand the PCI folder, then the Requirement 8 folder, and select the Account Creation Outside Normal Office Hours rule.
The rule details appear in the right pane.
- Review the rule details to ensure that the rule is appropriate for your environment. In this case, the filters define the account creation action, and set the normal business hours by time and day of the week.
- (Optional) Click Edit at the top of the pane to modify the filter settings, if required. For example, you could change the normal work hours to fit your local specifications.
The Manage Rule wizard opens, populated with the rule details.
- Add any notification details you want in the Manage Rule wizard. Notification details provide the message content that is delivered as specified in Notification Destinations.
- Once you have finished preparing the rule, click Save and Close in the wizard. When you edit and save a pre-defined correlation rule, CA User Activity Reporting Module automatically creates a new version, preserving the original version.
- Click the Services subtab, and expand the Correlation Service node.
- Select the server you want to apply the rule on. If you have identified a Correlation Server you should select that server.
- Click Apply in the Rule Configuration area, and select the new version of the Account Creation Outside Normal Office Hours rule, along with the Notification Destination you want associated with it.
- Click OK to close the dialog and activate the rule.
Example - Select and Apply a Counting Rule
Counting correlation rules identify a series of identical states or occurrences. For example, you can apply a rule that alerts you to five or more failed logins by an Administrator account. Before applying any rule, you should ensure that you have created the Notification Destinations that you want for your environment.
To select and apply the 5 Failed Logins by Administrator Account rule
- Click the Administration tab, then the Library subtab, and expand the Correlation Rules folder.
- Expand the Threat Management folder, then the Suspicious Account and Login Activity folder, and select the 5 Failed Logins by Administrator Account rule.
The rule details appear in the right pane.
- Review the rule details to ensure that the rule is appropriate for your environment. In this case, the filters define an Administrator account as a username belonging to the 'Administrators' keyed list, and set the count threshold to 5 events in 60 minutes.
- (Optional) Click Edit at the top of the pane to modify the filter settings, if required. For example, you could change the time threshold to 3 events in 30 minutes.
The Manage Rule wizard opens, populated with the rule details.
- Add any notification details you want in the Manage Rule wizard. Notification details provide the message content that is delivered as specified in Notification Destinations.
- Once you have finished preparing the rule, click Save and Close in the wizard. When you edit and save a pre-defined correlation rule, CA User Activity Reporting Module automatically creates a new version, preserving the original version.
- Click the Services subtab, and expand the Correlation Service node.
- Select the server you want to apply the rule on. If you have identified a Correlation Server you should select that server.
- Click Apply in the Rule Configuration area, and select the new version of the 5 Failed Logins by Administrator Account rule, along with the Notification Destination you want associated with it.
- Click OK to close the dialog and activate the rule.
Example - Select and Apply a State Transition Rule
State transition correlation rules identify a series of states or occurrences in turn. For example, you can apply a rule that alerts you to failed logins followed by a successful login from the same user account. Before applying any rule, you should ensure that you have created the Notification Destinations that you want for your environment.
- Click the Administration tab, then the Library subtab, and expand the Correlation Rules folder.
- Expand the Identity folder, then the Authentication folder, and select the Failed Logins Followed by Success rule.
The rule details appear in the right pane.
- Review the rule details to ensure that the rule is appropriate for your environment. In this case, the details pane displays the two states that the rule tracks. The first is five or more failed logins by the same user account or identity. The second is a successful login by that same user or identity.
- (Optional) Click Edit at the top of the pane to modify the state settings, if required.
The Manage Rule wizard opens, displaying the two states that make up the rule.
- Double-click any state you want to change.
The State Definition wizard appears, displaying the details of the state.
- Make any state changes you want to the state you selected, and click Save and Close to return to the Manage Rule wizard. For example, the first state checks for 5 failed logins in 10 minutes. You could change the failed login threshold, or the time, or both.
- Add any notification details you want in the Manage Rule wizard. Notification details provide the message content that is delivered as specified in Notification Destinations.
- Once you have finished preparing the rule, click Save and Close in the wizard. When you edit and save a pre-defined correlation rule, CA User Activity Reporting Module automatically creates a new version, preserving the original version.
- Click the Services subtab, and expand the Correlation Service node.
- Select the server you want to apply the rule on. If you have identified a Correlation Server you should select that server.
- Click Apply in the Rule Configuration area, and select the new version of the Failed Logins Followed by Success rule, along with the Notification Destination you want associated with it.
- Click OK to close the dialog and activate the rule.
Using Keyed Lists with Correlation Rules
All correlation rules are built from one or more filters. Some predefined rule filters are designed to select all values from a given table where a certain attribute field contains a value; those values are used as the criteria for compiling the list of key values.
You can use keyed lists in the creation or application of correlation rules to provide predefined or custom values to rule filters. You can also update the keyed value lists manually or automatically to keep the lists current. You can use keyed lists with correlation rules just as you do with reports.
More information:
Preparing to Use Reports with Keyed Lists
Creating Keyed Values for Predefined Reports
Approaches to Maintaining Keyed Lists
Example: Creating a CSV File for Testing
This example illustrates the creation of a CSV file for correlation rule testing. It is intended to test a rule that searches for 5 failed logins followed by a successful login from a single user.
To create a CSV file to test a failed login followed by success rule
- Log in to CA User Activity Reporting Module as an Administrator, and click the Queries and Reports tab.
- Search for the "Five Failed Logins by in Last 1 Hour by Performer" query.
- Run it and view the results. If there are results, proceed to the next step. If not, create a dummy user, log out, and create failed logins using the new dummy user.
- Export the query to CSV, and open the CSV file in Excel.
- Add other user details as needed. For example, add information to reflect the successful login.
- Save the CSV file when it has all the event information you need.
- Open the rule you want to test in the Library Explorer, and click the Rule Test tab in the details pane.
- Load the CSV file, and confirm that the proper incidents are created.
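The following is an added example, not part of the product or this guide, showing what the Counting and State Transition templates described above do when run over a constructed CSV like the one this test procedure produces: the counting rule is the 5 Failed Logins by Administrator Account rule (5 events in 60 minutes, filtered by an 'Administrators' keyed list), and the state transition rule is Failed Logins Followed by Success (state 1: 5 failed logins in 10 minutes; state 2: a success by the same user). The CSV column names, the keyed list contents and the rule that a burst fires only once are assumptions made for the example.

```python
import csv, io
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed test data in the spirit of the CSV test file described above;
# the column names are assumptions, not the product's actual export schema.
SAMPLE_CSV = """event_datetime,event_action,event_result,dest_identity_unique_name
2014-03-01 09:00:00,login,F,admin1
2014-03-01 09:02:00,login,F,admin1
2014-03-01 09:04:00,login,F,admin1
2014-03-01 09:06:00,login,F,admin1
2014-03-01 09:08:00,login,F,admin1
2014-03-01 09:09:00,login,S,admin1
2014-03-01 10:00:00,login,F,bob
2014-03-01 10:01:00,login,S,bob
"""
ADMINISTRATORS = {"admin1", "root"}  # stand-in for the 'Administrators' keyed list

def load_events(text):
    """Parse the CSV and attach a datetime so the rules can apply time windows."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["event_datetime"], "%Y-%m-%d %H:%M:%S")
    return sorted(rows, key=lambda r: r["ts"])

def is_login(e, result):
    return e["event_action"] == "login" and e["event_result"] == result

def push_window(q, ts, window):
    """Record ts, drop entries older than the sliding window, return the count."""
    q.append(ts)
    while ts - q[0] > window:
        q.popleft()
    return len(q)

def counting_rule(events, keyed_list, threshold=5, window=timedelta(minutes=60)):
    """Counting template: `threshold` failed keyed-list logins in `window` -> one incident."""
    incidents, recent = [], defaultdict(deque)
    for e in events:
        user = e["dest_identity_unique_name"]
        if not is_login(e, "F") or user not in keyed_list:
            continue
        if push_window(recent[user], e["ts"], window) >= threshold:
            incidents.append(("5 Failed Logins by Administrator Account", user, e["ts"]))
            recent[user].clear()  # assumption: one burst creates one incident
    return incidents

def state_transition_rule(events, failures=5, window=timedelta(minutes=10)):
    """State transition: `failures` failed logins in `window`, then a success by the same user."""
    incidents, recent, armed = [], defaultdict(deque), set()
    for e in events:
        user = e["dest_identity_unique_name"]
        if is_login(e, "F"):
            if push_window(recent[user], e["ts"], window) >= failures:
                armed.add(user)  # state 1 reached, now wait for state 2
        elif is_login(e, "S") and user in armed:
            incidents.append(("Failed Logins Followed by Success", user, e["ts"]))
            armed.discard(user)
            recent[user].clear()
    return incidents
```

With this data admin1 produces one incident under each rule, while bob's single failure followed by a success produces none, which is the distinction the Rule Test tab should confirm.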
About Incident Notifications
You can set notifications, which pass information about an incident, to be triggered automatically when an incident is created, or launch them manually after viewing the incident. In either case you must first define the notification destinations you want to use in your environment.
You must create notifications in two parts:
- Notification Destination, which can contain any combination of the available destination types. For example, a destination might contain email addresses, SNMP server credentials, and an IT PAM process name. Destinations can be assigned to multiple rules.
- Notification Details, which are added to individual rules, and contain the information delivered by the notification; email subjects and text, SNMP data, IT PAM process parameters, for example.
Automatic notifications require a correlation rule with notification details, and an associated notification destination. If both components are present, each time the rule creates an incident, an automatic notification is sent to the specified destination or destinations. The combination of destinations and details allows you to set up modular notification. For example, you could route the same notification information to different regional service desks or IT personnel.
You can also assign destinations from existing incidents. When you open an incident and assign a Notification Destination, the notification details specified in the rule are sent immediately. The rule must include notifications in order to send manual notifications.
More information:
About Correlation Rules
Set Notification Defaults
How to Create a Notification Destination
Apply Correlation Rules and Incident Notifications
How to Design and Apply Incident Notifications
You can set up notifications for your correlation rules. Notifications allow you to pass key information on detected incidents to the staff you specify, or create CA IT PAM service desk tickets automatically.
Use the following process to design and set up notifications in your environment:
- Plan and create notification destinations.
- Select the pre-defined correlation rules, or create custom rules you want to use in your environment.
- Add notification details to the rules for which you want to set notifications.
- Apply correlation rules to CA User Activity Reporting Module servers, and assign notification destinations.
More information:
About Correlation Rules
Set Notification Defaults
How to Create a Notification Destination
Correlation Service Considerations
Apply Correlation Rules and Incident Notifications
Set Notification Defaults
You can set notification details in a rule, which specify notification content but not destinations. For example, you can set email subject line and content text, but not the delivery addresses, which are controlled by notification destinations. This system allows you to set up standard content (using details), which can be delivered to various recipients (using destinations).
You can include any combination of the available notification types in a single rule's notification details.
To set notification details
- Open the correlation rule wizard, enter the required rule definitions, and advance to the Notification Details step.
- Select the email tab and use the following steps to add email notification information:
- Enter a subject line for the notification email.
- (Optional) When entering text in either field of the email tab, you can use the Data Fields drop-down list and the Add button to insert data field variables. For example, you could choose agent_address and click Add.
"%agent_address%" appears in the text field. When a rule generates an email, the value of the agent_address field is displayed in place of the variable.
- Enter message body for the notification email.
Note: The message body is constructed in HTML, so all text you enter appears on one line. To create a break after a line, enter <BR/> at the end of the line of text.
- Select the Process tab and use the following steps to add CA IT PAM process parameters:
- Enter the name of an IT PAM process to which you want to pass incident information, such as:
/CA_ELM/EventAlertOutput
- Click Add Parameter to specify a parameter and its value.
The Add Process Parameter dialog appears.
- Type a parameter name in the Name field, 'Severity' for example.
- Define a value by typing in the value area, or selecting a CEG field from the drop-down list and clicking Add data field. Event information from the CEG field you specify is passed to the named parameter. Continuing the example from the previous step, you could select 'event_severity' to present the value of the event_severity field as the IT PAM Severity parameter.
- Repeat Steps a-c to add additional parameters and values as needed.
- When you have added all the CEG fields you want for the current parameter, click OK.
Note: You can type text and add multiple CEG fields as needed to define a parameter. For example, if you want to define the Description parameter for a notification used with an account guessing rule, you could enter:
This incident reports four failed logins by %dest_identity_unique_name% on %dest_hostname% occurred within 10 minutes.
The %value% structure is the result of selecting a CEG field and using the Add data field button as described in step b.
- Select the SNMP tab and use the following steps to add SNMP trap settings:
- Adjust the Custom Trap ID as required by your SNMP transmission target.
- Enter the name of a CEG field that you want to send in the entry area. Typing in the field narrows available choices in the drop-down list as you type.
- Click Add.
The CEG field name appears in the selected fields area. Any event information in that field is sent for rules using this notification template. You must specify at least one CEG field.
- Repeat steps b-c to send additional CEG fields.
- Click the appropriate arrow to advance to the wizard step you want to complete next, or click Save and Close.
If you click Save and Close, the new rule appears in the appropriate folder, otherwise the step you choose appears.
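The following is an added example, not part of the product or this guide, that models the notification details described in this procedure: %field% variables in email subject and body, IT PAM process parameters fed from CEG fields, the SNMP rule that at least one CEG field must be specified, and the split between content (details) and recipients (destinations). The event values, the destination records and the check for mistyped field names are assumptions made for the example.

```python
import re

FIELD_VAR = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")  # matches %agent_address% style variables

# Constructed incident event; the CEG field names are the ones used above, values are made up.
EVENT = {"agent_address": "10.0.0.25", "dest_identity_unique_name": "admin1",
         "dest_hostname": "srv-01", "event_severity": "6"}

# Notification details as stored in a rule: content only, no recipients.
DETAILS = {
    "email": {"subject": "Account guessing on %dest_hostname%",
              "body": "Failed logins by %dest_identity_unique_name%<BR/>Agent: %agent_address%"},
    "process": {"name": "/CA_ELM/EventAlertOutput",
                "parameters": {"Severity": "%event_severity%",
                               "Description": "Failed logins by %dest_identity_unique_name% on %dest_hostname%"}},
    "snmp": {"trap_id": 1, "fields": ["agent_address", "event_severity"]},
}

def unknown_fields(details, known):
    """Return %variables% and SNMP fields that name no known CEG field (catches typos before saving)."""
    texts = list(details.get("email", {}).values()) + list(details.get("process", {}).get("parameters", {}).values())
    bad = {v for t in texts for v in FIELD_VAR.findall(t) if v not in known}
    bad |= {f for f in details.get("snmp", {}).get("fields", []) if f not in known}
    return sorted(bad)

def render(template, event):
    """Substitute each %field% with the event value; unknown fields are left visible, not blanked."""
    return FIELD_VAR.sub(lambda m: str(event.get(m.group(1), m.group(0))), template)

def build_notification(details, event):
    """Render every notification type in the details into deliverable content."""
    out = {}
    if "email" in details:
        out["email"] = {k: render(v, event) for k, v in details["email"].items()}
    if "process" in details:
        p = details["process"]
        out["process"] = {"name": p["name"],
                          "parameters": {k: render(v, event) for k, v in p["parameters"].items()}}
    if "snmp" in details:
        s = details["snmp"]
        if not s["fields"]:
            raise ValueError("SNMP notification needs at least one CEG field")
        out["snmp"] = {"trap_id": s["trap_id"], "varbinds": {f: event.get(f) for f in s["fields"]}}
    return out

def fan_out(notification, destinations):
    """Pair the same rendered content with each destination that accepts that type."""
    return [(d["name"], d["type"], notification[d["type"]])
            for d in destinations if d["type"] in notification]
```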
More information:
About Correlation Rules
How to Create a Notification Destination
About Incident Notifications
Incident Management Tasks
A CA User Activity Reporting Module incident is composed of one or more events, as identified and linked by a correlation rule. Each time a correlation rule detects an event or events that satisfy its criteria, CA User Activity Reporting Module creates an incident.
You can perform the following incident management tasks if you have the Administrator role:
- View the details of incidents created by the correlation rules in your environment.
- Filter the incident list, or set result conditions to locate particular incidents or types of incidents, or narrow your incident view.
- Apply notification destinations to existing incidents, controlling responses such as email notification.
- Export incident information.
- Schedule action alerts based on an incident.
- Merge existing incidents into one new incident.
Note: For detailed information on Incident Management tasks, see the CA User Activity Reporting Module Online Help.
View Incident Details
You can view details of incidents in your environment, including status, priority and history information. You can view only those incidents that are routed to the correlation server that you are logged in to. You can control how CA User Activity Reporting Module servers route events by configuring the Correlation Service.
To view incident details
- Click the Incidents tab, select the incident you want to investigate, and double-click in the incident row.
The Details dialog appears, displaying the basic details of the incident, including name, date and severity.
- Change the Priority or Status settings using the appropriate drop-down menus.
- (Optional) Click the History tab to view information such as the number and time of events added to the incident, or automatic notifications triggered.
- Click OK or Apply.
Copyright © 2014 CA Technologies.
All rights reserved.