This section contains the following topics:
Actionable Alerts: CA IT PAM Integration
Actionable Alerts: SNMP Integration with NSM Products
Identity and Asset Relevance: CA IT PAM Integration
Extended Direct Log Collection by Default Agent
Automated Update Schedules for Subscription Clients
CA User Activity Reporting Module allows you to use API calls to access data from the event repository using the query and report mechanism, and display it in a web browser. You can also use the API to embed CA User Activity Reporting Module queries or reports in a CA or third-party product interface.
CA User Activity Reporting Module API features include:
Through scheduled alerts that query volumes of log records, CA User Activity Reporting Module detects potential control violations and suspicious IT activity. CA User Activity Reporting Module notifies the IT security staff, who investigate each alert to determine whether remediation action is required. Typical investigation activities are often routine and well suited to automation. Through a tight integration between CA User Activity Reporting Module and CA IT PAM, these routine response actions can be performed automatically, freeing IT security staff from repetitive tasks so that they can focus on the most important issues.
CA IT PAM integration lets you create requests in CA Service Desk by running a predefined CA IT PAM event/alert output process from alerts. You can also run custom IT PAM event/alert output processes from CA User Activity Reporting Module that automate other responses to suspicious events.
Alerts are generated when scheduled queries retrieve events indicating suspicious activity. You can automate the sending of such alerts as SNMP traps to network security monitoring (NSM) products such as CA Spectrum or CA NSM. You prepare the destination products to receive and interpret SNMP traps from CA User Activity Reporting Module, configure the destination locations, and then specify the event information to send.
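To make the trap side of this integration concrete, the following is an added example, not CA's code and not taken from this documentation. It builds an SNMPv2c trap from an alert's fields with a small BER encoder and then parses the message back the way a receiving NSM product would. The alert field names, the community string and the enterprise OID branch 1.3.6.1.4.1.99999.1 are constructed placeholders (a real deployment takes its OIDs from the MIB loaded into the NSM product); the sysUpTime and snmpTrapOID object identifiers are the standard SNMPv2 ones.

```python
"""Encode an alert as an SNMPv2c trap and decode it on the receiving side.

Added example; the OID branch 1.3.6.1.4.1.99999.1 and the alert fields are
constructed placeholders, not CA's registered values. Standard library only.
"""
import socket

# ASN.1/BER tags used by SNMP (universal tags plus the SNMP application tags)
INTEGER, OCTET_STRING, OID, SEQUENCE = 0x02, 0x04, 0x06, 0x30
TIMETICKS, SNMPV2_TRAP = 0x43, 0xA7

SYS_UPTIME = "1.3.6.1.2.1.1.3.0"            # sysUpTime.0 (SNMPv2-MIB)
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"    # snmpTrapOID.0 (SNMPv2-MIB)
ENTERPRISE = "1.3.6.1.4.1.99999.1"          # constructed placeholder branch


def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def encode_int(value: int, tag: int = INTEGER) -> bytes:
    """INTEGER is two's complement; TimeTicks is unsigned (leading 0 if needed)."""
    if tag == INTEGER:
        body = value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)
    else:
        body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
        if body[0] & 0x80:
            body = b"\x00" + body
    return tlv(tag, body)


def encode_oid(dotted: str) -> bytes:
    """First two arcs pack into one byte (40*a+b); the rest use base-128 groups."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(OID, bytes(body))


def varbind(oid: str, value_tlv: bytes) -> bytes:
    return tlv(SEQUENCE, encode_oid(oid) + value_tlv)


def build_trap(alert: dict, community: str, uptime_ticks: int, request_id: int = 1) -> bytes:
    """SNMPv2c message: version(1), community, Trap-PDU with the mandatory
    sysUpTime/snmpTrapOID varbinds followed by the alert's own varbinds."""
    varbinds = (
        varbind(SYS_UPTIME, encode_int(uptime_ticks, TIMETICKS))
        + varbind(SNMP_TRAP_OID, encode_oid(ENTERPRISE + ".0.1"))
        + varbind(ENTERPRISE + ".2.1", tlv(OCTET_STRING, alert["name"].encode()))
        + varbind(ENTERPRISE + ".2.2", encode_int(alert["severity"]))
        + varbind(ENTERPRISE + ".2.3", tlv(OCTET_STRING, alert["source_host"].encode()))
    )
    pdu = tlv(SNMPV2_TRAP, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(SEQUENCE, varbinds))
    return tlv(SEQUENCE, encode_int(1) + tlv(OCTET_STRING, community.encode()) + pdu)


def send_trap(message: bytes, host: str, port: int = 162) -> int:
    """Traps travel over UDP to the manager's trap port (162 by default)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(message, (host, port))


# --- receiver side: what the NSM product has to do to interpret the trap ---
def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_trap(message: bytes):
    """Return (version, community, [(oid, value tag, raw value), ...])."""
    _, msg, _ = read_tlv(message)
    _, version, p = read_tlv(msg)
    _, community, p = read_tlv(msg, p)
    tag, pdu, _ = read_tlv(msg, p)
    if tag != SNMPV2_TRAP:
        raise ValueError("not an SNMPv2-Trap-PDU")
    p = 0
    for _ in range(3):                      # request-id, error-status, error-index
        _, _, p = read_tlv(pdu, p)
    _, vbl, _ = read_tlv(pdu, p)
    out, p = [], 0
    while p < len(vbl):
        _, vb, p = read_tlv(vbl, p)
        _, oid, q = read_tlv(vb)
        vtag, val, _ = read_tlv(vb, q)
        out.append((decode_oid(oid), vtag, val))
    return int.from_bytes(version, "big"), community.decode(), out
```

The receiver's MIB determines how the enterprise varbinds are labelled and which severity values map to which NSM alarm level, so the receiving product must be loaded with the matching MIB before the first trap arrives, as the text above notes. The community string is sent in clear text in SNMPv2c, which is why the trap destination should be a dedicated management network or host.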
CA User Activity Reporting Module allows read-only access to collected event log information using ODBC and JDBC. You can use this access to do things like the following:
The ODBC and JDBC access features use a client that you install on an appropriate server in your network. The CA User Activity Reporting Module server automatically installs its server-side components during subscription update and installation processing.
CA IT PAM integration lets you maintain updated values for a given key by running a CA IT PAM dynamic values process. A dynamic values process is one that retrieves the current values from repositories that store current data. If you create a process that retrieves values for critical assets from your assets file or database, you can update the Critical_Assets key in predefined reports and queries with the click of a button.
At the CA User Activity Reporting Module installation, the Syslog listener, named Syslog_Connector, is deployed on the default agent to enable the collection of syslog events. The Linux_localsyslog integration, with the associated connector, Linux_localsyslog_Connector, is also available to collect syslog events.
The default agent can now directly collect more than syslog events. Using the WinRm connector, the default agent can collect events from products running on Microsoft Windows platforms, such as Active Directory Certificate Services and Microsoft Office Communication Server. Using the ODBC connector, the default agent can collect events from multiple databases such as Oracle9i and SQL Server 2005, and applications that store their events in these databases.
When you install your first CA User Activity Reporting Module server, you configure global settings for all services, including subscription. For subscription purposes, the first server you install is the default subscription proxy. You configure the update start time and the frequency with which this proxy checks the CA Subscription Server for updates. When you install additional servers, they are installed as subscription clients, by default. When you configure additional servers, you do so at the local level. Configuration at the local level is done by selecting the name of the server to configure and then overriding selected global configurations.
By default, subscription clients inherit the update start time from the global setting. Problems arise when this inherited setting is not overridden manually to introduce a delay. To prevent this problem, the update schedule for clients is now automated with a 15-minute delay, and it no longer requires manual configuration.
Copyright © 2014 CA Technologies.
All rights reserved.