Guide to Templates Event Manager 6.6 Copyright Terms and Conditions

Copyright Help/Systems LLC and its group of companies. The content in this document is protected by the Copyright Laws of the United States of America and other countries worldwide. The unauthorized use and/or duplication of this material without express and written permission from HelpSystems is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to HelpSystems with appropriate and specific direction to the original content. HelpSystems and its trademarks are properties of the HelpSystems group of companies. All other marks are property of their respective owners. 202109160702

Table of Contents

Event Manager - Overview (p. 1)
  What is Event Manager? (p. 1)
  What does it do? (p. 1)
  How does it work? (p. 1)
  Ease of use (p. 2)
  Which security protocols can be checked for compliance? (p. 3)
  Supported OS Versions (p. 3)
Windows Audit (p. 4)
  Overview (p. 4)
  Minimum Requirements (p. 4)
  Windows Administrative Tools (p. 5)
  Types of Audit Policies (p. 7)
  How to Enable Windows File System Auditing (p. 8)
IBM i Audit (p. 14)
  Overview (p. 14)
  IBM i Security Auditing (p. 16)
  IBM i Auditing Issues (p. 16)
  IBM i Auditing Planning (p. 16)
  Action Auditing (p. 16)
  Object Auditing (p. 17)
  IBM i Template System Requirements (p. 17)
IBM i Security Intrusion Detection Audit (p. 18)
  Overview (p. 18)
  Configuration (p. 18)
IBM i Custom Application Audit (p. 19)
  Overview (p. 19)
  Example IBM i Custom Application (p. 19)
SQL Server Audit (p. 20)
  Overview (p. 20)
  SQL Server Template System Requirements (p. 21)
  Minimum User Profile Requirements (p. 21)
  Grant Rights to Log On as a Batch Job (p. 23)
  Enabling the xp_cmdshell Stored Procedure - SQL Server 2005 (p. 23)
  Enabling the xp_cmdshell Stored Procedure - SQL Server 2008 (and higher) (p. 24)
  Deleting Traces (p. 24)
  Deleting Traces in SQL Server 2005 and 2008 (and higher) (p. 26)
  Real-Time Events (p. 26)
Linux Audit (p. 27)
  Overview (p. 27)
  System Pre-requisites (p. 27)
  Minimum Requirements (p. 27)
  Linux SSH-based Event Manager collection technology (p. 27)
  Linux Syslog-based Event Manager collection technology (p. 28)
  Audit Daemon Installation (p. 28)
  Activating the auditd daemon (p. 28)
  Server Configuration (p. 29)
AIX Audit (p. 33)
  Overview (p. 33)
  Configuring AIX Syslog (p. 33)
  Check Configuration (p. 34)
  AIX Security Audit Configuration (p. 35)

Guide to Templates www.helpsystems.com page: iii Table of Contents

Solaris Audit (p. 39)
  Overview (p. 39)
  Audit Classes Overview (p. 41)
  Configuring System and User Audit (p. 41)
  Configuring Audit Policies (p. 42)
  User Permissions (p. 43)
  User Permissions For Solaris installations v11 and later (p. 44)
  Enabling Auditing on Solaris BSM (pre v11) (p. 44)
  User Permissions For Solaris BSM installations (pre v11) (p. 45)
Oracle Database Audit (p. 45)
  Overview (p. 45)
  Oracle Audit (p. 45)
  Enabling Auditing in Oracle 9i (and higher) (p. 45)
  Restarting the Database (p. 48)
  Audit Options (p. 49)
  Auditing Examples (p. 51)
  Current Audit Status (p. 52)
  Permissions (p. 53)
  Ports (p. 53)
  Monitor Permissions (p. 53)
  Connection Client/Server (p. 53)
  System configuration ODBC DSN for Oracle (p. 53)
  TNSNames.ora (p. 56)
  Environment Variables (p. 57)
VMware Audit (p. 58)
  Overview (p. 58)
  A Supported VMware Host (p. 58)
AWS CloudTrail Audit (p. 58)
  Overview (p. 58)
  System Requirements (p. 58)
Office 365 Audit (p. 59)
  Overview (p. 59)
  Registering Event Manager with (p. 59)
  Certificates and secrets (p. 61)
  API Permissions (p. 62)
  Content types (p. 62)
  Subscriptions (p. 63)
Cisco PIX/ASA logging configuration (p. 63)
  Configure Firewall Logging (p. 63)
  Entering Privileged Mode (p. 63)
  Entering Configuration Mode (p. 63)
  Enabling Logging (p. 64)
  Configuring Syslog Logging Output (p. 64)
  Adding Timestamp to Messages (p. 65)
  Adding Device ID to Messages (p. 65)
  Viewing Logging Configuration (p. 65)
  Logging Queue (p. 66)
  Filtering Messages Using Message ID (p. 66)
  Filtering Messages Using Message Class (p. 67)
  Defining Custom Messages List (p. 68)
  Further Information (p. 69)
Cisco Routers and Switches Audit (p. 69)
  Overview (p. 69)
  Enable logging of the command line (p. 69)
  Configure sending to syslog (p. 70)
  Messages by severity level (p. 70)
  Filter messages (p. 70)
  Hidekeys (Important!) (p. 71)
  Filter messages (optional) (p. 71)
FortiGate Firewall Audit (p. 71)
  Enabling Syslog Events Forwarding in FortiGate (p. 71)
  Configuring through the FortiGate Firewall Network Interface (p. 72)
Juniper Firewall and VPN Gateway Audit (p. 72)
  Overview (p. 72)
firewalld Audit (p. 73)
  Overview (p. 73)
Imperva Web Application Firewall (WAF) Audit (p. 73)
  Overview (p. 73)
Barracuda Web Application Firewall (WAF) Audit (p. 73)
  Configuring and Exporting the Barracuda WAF logs for use in Event Manager (p. 74)
Palo Alto Firewall Audit (p. 74)
  Overview (p. 74)
  Configuring and Exporting the Palo Alto Firewall logs for use in Event Manager (p. 74)
Check Point Firewall Audit (p. 75)
  Overview (p. 75)
  Configuration (p. 75)
SIOPEL Audit (p. 75)
  Overview (p. 75)
  Configuring the logs to send events to Event Manager (p. 76)
SWIFT Audit (p. 76)
  Overview (p. 76)
  Processing events from SWIFT into Event Manager (p. 76)
Electronic Means of Payment (MEP) Audit (p. 76)
  Overview (p. 76)
  Configuring and Exporting the MEP logs for use in Event Manager (p. 77)
Powertech Exit Point Manager For IBM i Audit (p. 77)
  Overview (p. 77)
Powertech SIEM Agent For IBM i Audit (p. 78)
  Overview (p. 78)
  Real-time processing of events (p. 78)
  Network Security Events (p. 78)
  Configuring System Values (p. 79)
Powertech Authority Broker For IBM i Audit (p. 81)
  Overview (p. 81)
  Authority Broker For IBM i Events (p. 81)
Powertech Identity and Access Manager (BoKS) Audit (p. 82)
  Overview (p. 82)
  Security (p. 82)
  Compliance (p. 82)
  Efficiency (p. 83)
Powertech Security Auditor Audit (p. 83)
  Overview (p. 83)
  Configuring syslog (p. 84)
Powertech Anti-Virus for AIX/Linux Audit (p. 85)
  Overview (p. 85)
  Powertech Anti-Virus for AIX/Linux Features (p. 85)
  System Pre-requisites (p. 85)
  AIX Syslog Configuration (p. 85)
  Logging levels (p. 86)
  Linux Syslog Configuration (p. 86)
  Logging levels (p. 86)
  Possible Syslog Messages (p. 87)
Powertech Antivirus For IBM i Audit (p. 88)
  Overview (p. 88)
  Configuration on the IBM i (p. 88)
Network Insight Audit (p. 89)
  Overview (p. 89)
  Processing events from Network Insight into Event Manager (p. 89)
Intermapper Audit (p. 89)
  Overview (p. 89)
  Syslog Notifier (p. 90)
  Web Server (p. 90)
DB2 for i Audit (p. 90)
  Overview (p. 90)
  Powertech Database Monitor for IBM i (p. 90)
  VISUAL Message Center Data Monitor (p. 91)
  VISUAL Message Center Interactive SQL Monitor (p. 91)
Custom Datasources (p. 91)
  Overview (p. 91)
Templates (p. 92)
  What are Templates? (p. 92)
  How are templates applied? (p. 93)
  ‘Out of the Box’ templates (p. 93)
  Built-in Integrations (p. 95)
  Custom Collectors (p. 99)
  Filters (p. 99)
  Template Assignment (p. 99)
Windows Templates (p. 101)
  Windows Templates (p. 101)
  Tested OS Versions (p. 101)
  Pre-configured Datasources (p. 101)
IBM i Template (p. 108)
  Tested OS Versions (p. 108)
  IBM i Controls (Powertech SIEM Agent for IBM i) (p. 108)
  IBM i Controls (VMC) (p. 110)
IBM i Security Intrusion Detection Template (p. 113)
SQL Server Template (p. 114)
  Tested SQL Versions (p. 114)
  SQL Server Controls (p. 114)
Linux Template (p. 116)
  Using the Linux Audit Datasource (p. 116)
  Using the Linux Syslog Datasource (p. 117)
AIX Template (p. 119)
  Tested AIX Versions (p. 119)
  AIX Controls (p. 119)
Solaris Template (p. 120)
  Tested Solaris Versions (p. 120)
  Solaris Controls (p. 120)
Oracle Template (p. 121)
  Tested Oracle Versions (p. 121)
  Oracle Controls (p. 121)
VMware Template (p. 124)
  VMware Controls (p. 124)
AWS CloudTrail Template (p. 126)
  AWS CloudTrail Standard Datasource (p. 126)
Azure Active Directory Template (p. 128)
  Azure Active Directory (Standard Datasource) (p. 128)
Microsoft Exchange Online Template (p. 132)
  Exchange Online (Standard Datasource) (p. 132)
Microsoft Teams Template (p. 146)
  Microsoft Teams (Standard Datasource) Controls (p. 146)
Cisco PIX/ASA Template (p. 148)
  Tested Cisco PIX/ASA Versions (p. 148)
  Cisco PIX/ASA Controls (p. 148)
Cisco Routers and Switches Template (p. 152)
  Tested Cisco Versions (p. 152)
  Cisco Routers and Switches Controls (p. 152)
FortiGate Firewall Template (p. 154)
Juniper Firewall and VPN Gateway Template (p. 156)
  Juniper Firewall and VPN Gateway Controls (p. 156)
firewalld Template (p. 157)
  Using the Application Status Datasource (p. 157)
  Using the Rejected Transactions Datasource (p. 157)
Imperva (WAF) Template (p. 157)
  Using the Standard Datasource (p. 157)
  Variable Selections and Mapping (p. 158)
Barracuda (WAF) Template (p. 158)
  Using the Access Log Events (p. 158)
  Access Log Events Variable Selections and Mapping (p. 158)
  Using the Audit Logs (p. 160)
  Audit Logs Variable Selections and Mapping (p. 161)
  Using the Network Firewall Logs (p. 162)
  Network Firewall Logs Variable Selections and Mapping (p. 162)
  Using the System Logs (p. 163)
  System Logs Variable Selections and Mapping (p. 163)
  Using the Web Firewall Logs (p. 164)
  Web Firewall Logs Variable Selections and Mapping (p. 164)
Palo Alto Firewall Template (p. 165)
  Using the Standard Datasource Events (p. 165)
  Standard Datasource Events Variable Selections and Mapping (p. 167)
Check Point Firewall Template (p. 170)
  Using the Standard Datasource Events (p. 170)
  Standard Datasource Events Variable Selections and Mapping (p. 171)
Apache Web Server Template (p. 172)
  Apache Web Server Controls (p. 172)
SIOPEL Template (p. 173)
  SIOPEL Controls (p. 173)
SWIFT Template (p. 175)
  SWIFT Controls (p. 175)
Electronic Means of Payment (MEP) Template (p. 176)
  MEP Controls (p. 176)
Powertech Exit Point Manager Template (p. 178)
  Powertech Exit Point Manager Controls (p. 178)
Powertech Authority Broker Template (p. 179)
  Powertech Authority Broker Controls (p. 179)
Powertech Identity and Access Manager (BoKS) Template (p. 179)
  Powertech Identity and Access Manager (BoKS) Controls (p. 179)
Policy Minder Template (p. 181)
  Policy Minder Controls (p. 181)
Powertech Anti-Virus for AIX/Linux Template (p. 182)
  Requirements (p. 182)
  Powertech Anti-Virus for AIX/Linux Controls (p. 182)
Powertech Anti-Virus For IBM i Template (p. 182)
  Powertech Anti-Virus for IBM i Controls (p. 182)
SAP ASE (Sybase) Template (p. 184)
Network Insight Template (p. 187)
  Network Insight Controls (p. 187)
Intermapper Template (p. 190)
  Assets Discovery Datasource (p. 190)
  Intermapper Notifications Datasource (p. 190)
DB2 for i Template (p. 191)
  DB2 for i Controls (p. 191)


Event Manager - Overview

Online businesses have to deal with an ever-increasing number of security threats and a great many regulations. More and more systems and applications have to comply with several compliance regulations or best practices from certification authorities or governments, such as PCI, SOX, COBIT, ISO and so on. The compliance or non-compliance of systems and applications with these regulations also affects business services. Even though a business service is available from the IT point of view, it may have security issues, such as unauthorized access. Event Manager keeps track of many different points of system access, activity and events and notifies the appropriate security personnel or system administrators so that action can be taken before the business is impacted. Because it gathers audit information from multiple operating systems, applications and devices, it keeps all of your security monitoring in a single location.

What is Event Manager?

Event Manager allows companies to establish this relationship between security compliance and the business services and processes, and also provides Information Security departments with an innovative tool for managing their projects, audits and key indicators. Event Manager differs from the other modules: rather than monitoring business processes, services and applications, its configuration provides the auditing and verification of the security protocols that need to be enforced across your business environment assets and a wide range of operating systems.

What does it do?

Event Manager bridges the gap between the system administrator(s) and the automated everyday processes within your business to ensure that the correct procedures and policies are followed. It does this by deploying an extensive range of collectors across key servers or points of system access and applying rules to key points of access and control within your systems, so that security personnel are promptly notified of any possible issues.

How does it work?

There are three areas of configuration within Event Manager that combine to produce your ‘defense mechanism’ against security threats that originate from many different sources. That is the key to using the software: all of your information, regardless of platform, can be viewed in one place in the same standardized format, reducing the skills and training expense associated with multiple systems.

- Assets: These are the servers, applications, devices or anything else from which audit data can be retrieved and which can be configured for security monitoring purposes.
- Actions: Define what happens in the event of, for example, unexpected system logons, deletion of critical system data, or repetitive or suspicious activity on a system.


- Controls: Define the criteria and rules by which the actions are generated and allow you to determine what is relevant and what is irrelevant among the thousands of security-related events that are generated every day across your network enterprise.

By using the three configuration areas above you can determine:

- Threats: Help you identify the real security risks to the health of your business: events that are unexpected or unusual, such as someone creating a user login in the middle of the night or outside normal working hours.
- Highlighted Events: These are events that you are expecting, such as a system administrator creating and deleting user profiles, which you still want to keep a check on.
- Incidents: These are events that indicate that an organization's systems or data have been compromised or that the measures put in place to protect them have failed. Incidents should be categorized manually by the Security Analyst during the review process.

Ease of use

Event Manager can be quickly deployed by implementing pre-defined templates, available across the major operating platforms used by many businesses. The templates allow you to apply an ‘out-of-the-box’ solution that can then be fine-tuned to your specific business requirements and operating environment.


Which security protocols can be checked for compliance?

Event Manager is capable of auditing / checking compliance with the following security protocols:

- BCRA - Banco Central de la República Argentina
- C-TPAT - Customs Trade Partnership Against Terrorism
- COBIT - Control Objectives for Information and Related Technology
- COPPA - Children's Online Privacy Protection Act
- DCGK - Deutsche (German) Corporate Governance Kodex
- EFTA - Electronic Fund Transfer Act
- FACTA - Fair and Accurate Credit Transactions Act
- FAST - Free And Secure Trade Program
- FISMA - Federal Information Security Management Act
- FRCP - Federal Rules of Civil Procedure
- GDPR - EU General Data Protection Regulation
- GLB - Gramm-Leach-Bliley Act
- HIPAA - Health Insurance Portability and Accountability Act
- HITECH - Health Information Technology for Economic and Clinical Health
- ISO - Security Regulation
- LOPD - Ley Orgánica de Protección de Datos
- LSF - Loi de Sécurité Financière
- MaRisk - Security Regulation
- NERC - North American Electric Reliability Corporation
- PCI DSS - Payment Card Industry Data Security Standard
- PSQIA - Patient Safety and Quality Improvement Act
- SOX - Sarbanes-Oxley
- Internal Regulation - Bespoke Internal Compliance Requirement

Any security protocol that applies to the asset can be applied through the Security Attributes setting.

Supported OS Versions

This product does not ensure the correct auditing of software versions that are not currently supported by their manufacturers.

Windows Audit

Overview

Event Manager utilizes the features of Windows Audit in order to provide information regarding Windows security events.

NOTE: The following section assumes an installation of Windows Server 2012. Screens and options may be different in later versions. Please refer to your Windows documentation or your systems administrator for more information.

Minimum Requirements

- The Event Manager Windows Template requires Windows Server 2008 or later.
- Permission to read the event log remotely (see below).

Windows Event Log

The Event Log system service logs event messages that are generated by programs and by the Windows operating system. Event log reports contain information that you can use to diagnose problems. You view reports in Event Viewer. The Event Log service writes events that are sent to log files by programs, by services, and by the operating system. The events contain diagnostic information in addition to errors that are specific to the source program, the service, or the component. The logs can be viewed programmatically through the event log APIs or through the Event Viewer MMC snap-in.

Application protocol      Protocol   Port
RPC/named pipes (NP)      TCP        139
RPC/NP                    TCP        445
RPC/NP                    UDP        137
RPC/NP                    UDP        138

NOTE: The Event Log service uses RPC over named pipes. This service has the same firewall requirements as the "File and Printer Sharing" feature.

Additional Configuration

Configuration is required to be able to use the User Inactivity Datasource on Windows servers.

IMPORTANT: If you use this datasource for a Windows 2008 Server, it is necessary to upgrade to PowerShell version 3 or greater on the remote Windows 2008 machine.


Windows systems

Validate access to administrative shares on the remote host

Administrative shares are a special feature of Windows NT servers that expose the local drives as “hidden” shared resources by default; access to them is limited to administrative accounts. Some security policies disable administrative shares. The remote command execution actions need access to the ADMIN$ share, which represents the Windows installation path on the remote machine (by default C:\Windows). To check whether the administrative share is enabled, try to open the remote admin folder from the Event Manager host using Windows Explorer.

Validate Remote Service Manager access on the remote host

The Service Manager of the remote host needs to be accessible from the Event Manager host. To check whether the remote Service Manager is accessible, open your local Service Manager on the Event Manager host (by running services.msc), right-click the root of the services tree and select “Connect to another computer”. After entering the credentials, you should be able to see the services tree of the remote machine.

Windows Administrative Tools

When logged on to the Windows Server as an administrator, select the Administrative Tools option. From the pop-up menu, select Group Policy Management.
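The manual checks above (port reachability from the table, the ADMIN$ share, the remote Service Manager and the remote event log read) can be scripted from the Event Manager host. The following is an added example and not code from the HelpSystems guide; the function name Test-WindowsCollectionPrereqs and its output layout are this example's own, and it assumes Windows PowerShell 5.1 (Get-Service -ComputerName was removed in PowerShell 7) run by an account with administrative rights on the remote host.

```powershell
# Added example (not part of the HelpSystems guide): pre-flight checks for a Windows asset before it
# is added to Event Manager. Assumes Windows PowerShell 5.1 on the Event Manager host and a caller with
# administrative rights on the remote machine. Names and output layout are this example's own.

function Test-WindowsCollectionPrereqs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName
    )

    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result([string] $Check, [bool] $Ok, [string] $Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail })
    }

    # 1. TCP reachability of the RPC/named-pipe ports listed in the guide's table (139 and 445).
    #    UDP 137/138 (NetBIOS name and datagram services) are connectionless and are not probed here.
    foreach ($port in 139, 445) {
        $tcp = Test-NetConnection -ComputerName $ComputerName -Port $port -WarningAction SilentlyContinue
        Add-Result "TCP $port reachable" $tcp.TcpTestSucceeded "RemoteAddress=$($tcp.RemoteAddress)"
    }

    # 2. ADMIN$ share: required by the remote command execution actions.
    $adminShare = "\\$ComputerName\ADMIN$"
    Add-Result 'ADMIN$ share accessible' (Test-Path -Path $adminShare) $adminShare

    # 3. Remote Service Control Manager: the same call services.msc makes for "Connect to another computer".
    try {
        $svc = Get-Service -ComputerName $ComputerName -Name 'EventLog' -ErrorAction Stop
        Add-Result 'Remote Service Manager accessible' $true "EventLog service is $($svc.Status)"
    } catch {
        Add-Result 'Remote Service Manager accessible' $false $_.Exception.Message
    }

    # 4. Remote read of the Security log: the permission the Windows template actually needs.
    try {
        $ev = Get-WinEvent -ComputerName $ComputerName -LogName 'Security' -MaxEvents 1 -ErrorAction Stop
        Add-Result 'Security event log readable' $true "Newest event $($ev.Id) at $($ev.TimeCreated)"
    } catch {
        Add-Result 'Security event log readable' $false $_.Exception.Message
    }

    return $results
}

# Usage (hostname is a constructed placeholder):
#   Test-WindowsCollectionPrereqs -ComputerName 'FILESERVER01' | Format-Table -AutoSize
```

A failed "Remote Service Manager" check with a working ADMIN$ share usually points at the Remote Service Management firewall rule rather than at credentials, since both use the same account; a failed Security log read with everything else passing means the account lacks read access to that log (membership of Event Log Readers, or equivalent).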

You can now view the individual security policies by expanding the Forest option and selecting a domain. This provides access to the Default Domain Policy.


There are two options available for Security Policies on the Domain Controller.

- Domain Controller Security Policy
- Domain Security Policy

This is because the server shown in the example is a Domain Controller (DC) server. On a Member Server you would see only the category called Local Security Policy. Both show the same Audit categories as those in the screen shot below:


Types of Audit Policies

Local Security Policy MMC

This interface is used to configure security settings that apply only to the local computer. It is accessed via the Administrative Tools menu in the Control Panel. Local settings include password policy, account lockout policy, audit policy, IPsec policy, user rights assignment and others. Local Security Policy is not used on domain controllers; they are governed by the Domain Controller Security Policy.

Default Domain Security Settings

This interface is used to set security policies for all computers in a domain. These settings override the Local Computer Policy settings for domain members if there is a conflict between the two. This interface is accessed via the Group Policy tab in the Properties of the domain node in Active Directory Users and Computers (Administrative Tools menu).

Domain Controller Security Settings

This interface is used to configure security settings for the domain controllers in the domain. These settings take precedence over the Domain Security Policy for DCs. This interface is accessed by logging on to the domain controller as an admin user and selecting Domain Controller Security Policy from the Administrative Tools menu.

Regardless of the scope of the policy, the Audit Policy is the branch of the tree that allows you to enable all of the categories to be logged in the Event Log. For Event Manager to be fully operational, you only need to enable certain audit policies on all DCs and on each important member server, such as a sensitive File Server.


These audit policies are:

- Audit Account Management: Success/Failure
- Audit Logon Events: Success/Failure
- Audit Policy Change: Success/Failure
- Audit System Events: Success/Failure

WARNING: Event Manager does not use the Audit Privilege Use and Audit Process Tracking policies. However, in order to get Windows to generate audit policy change events correctly, you must set these two policies explicitly to No Auditing. If you leave Audit Privilege Use and Audit Process Tracking set to Not Defined, Windows will report that these categories are enabled for both success and failure whenever an audit policy change event is generated.
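To verify that a DC or member server actually carries the settings listed above (including the two categories that must read No Auditing), query the effective audit policy with auditpol.exe. This is an added example, not code from the HelpSystems guide; the function name Get-EventManagerAuditPolicyStatus and the mapping from the guide's legacy policy names to auditpol category names are this example's own assumptions. Run it from an elevated prompt on the server being checked.

```powershell
# Added example (not part of the HelpSystems guide): compare the audit policy a server enforces with the
# settings the guide requires. auditpol.exe reports per-subcategory settings, which are what Windows
# actually applies. The legacy-name-to-category mapping below is this example's own assumption.

function Get-EventManagerAuditPolicyStatus {
    [CmdletBinding()]
    param()

    # Legacy policy name (as written in the guide) -> auditpol category and the required setting.
    $expected = @(
        @{ Legacy = 'Audit Account Management'; Category = 'Account Management'; Setting = 'Success and Failure' }
        @{ Legacy = 'Audit Logon Events';       Category = 'Logon/Logoff';       Setting = 'Success and Failure' }
        @{ Legacy = 'Audit Policy Change';      Category = 'Policy Change';      Setting = 'Success and Failure' }
        @{ Legacy = 'Audit System Events';      Category = 'System';             Setting = 'Success and Failure' }
        @{ Legacy = 'Audit Privilege Use';      Category = 'Privilege Use';      Setting = 'No Auditing' }
        @{ Legacy = 'Audit Process Tracking';   Category = 'Detailed Tracking';  Setting = 'No Auditing' }
    )

    foreach ($e in $expected) {
        # /r emits CSV with the header:
        # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
        $rows = auditpol.exe /get /category:"$($e.Category)" /r |
            Where-Object { $_ -match '\S' } |
            ConvertFrom-Csv

        foreach ($row in $rows) {
            [pscustomobject]@{
                LegacyPolicy = $e.Legacy
                Category     = $e.Category
                Subcategory  = $row.Subcategory
                Actual       = $row.'Inclusion Setting'
                Expected     = $e.Setting
                Compliant    = ($row.'Inclusion Setting' -eq $e.Setting)
            }
        }
    }
}

# Usage: list only the subcategories that deviate from the guide's settings.
#   Get-EventManagerAuditPolicyStatus | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Because auditpol shows the effective subcategory settings, the output also reflects any advanced audit policy a GPO applies, which on Windows Server 2008 and later overrides the legacy category settings described in this section; a category that the GPO shows as Success/Failure but auditpol reports as No Auditing is the symptom of that override.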

How to Enable Windows File System Auditing

Step 1: Enable the Audit Policy

1. On the required Windows server, open the Domain Controller (DC) and update the Group Policy Object (GPO) to enable file auditing.

2. Right-click the Group Policy you want to update, or create a new GPO for file auditing. In the right-click menu, select Edit to go to the Group Policy Editor.
3. In the Group Policy Editor, click through to Computer Configuration > Policies > Windows Settings > Local Policies. Click on Audit Policy.


You can add many auditing options to your Windows Event Log. The option for file auditing is Audit object access.

4. Double-click Audit object access and set it to both Success and Failure.


5. To enable your new GPO, go to a command line and run ‘gpupdate /force’.

6. Verify that your policy is set correctly with the command ‘gpresult /r’ on the computer that you want to audit.


Step 2: Apply Audit Policy to Files and/or Folders

You now need to tell Windows exactly which files and/or folders you want to audit. Here is the procedure to set up auditing for your folders.

1. Right-click the file or folder in Windows Explorer. Select Properties.


2. Change to the Security tab and click Advanced.


3. Click the Auditing tab and then Continue.
4. Add the Users or Groups that you want to audit and check all of the appropriate boxes.


Step 3: Open Event Viewer

Once you have enabled the Auditing GPO and set the file/folder auditing, you will see audit events in the Security Event Log in Windows Event Viewer.

The events can now be monitored with the appropriate Event Manager Windows templates.
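Steps 2 and 3 above can also be done from PowerShell, which is useful when many folders on a file server need the same audit entry. The following is an added example and not code from the HelpSystems guide: it adds an audit rule (SACL) to a folder and then reads back the object-access events Windows writes once the Audit object access policy from Step 1 is in effect. Event ID 4663 and its EventData field names are standard Windows values; the function and parameter names, and the sample paths in the usage lines, are this example's own.

```powershell
# Added example (not part of the HelpSystems guide): script Step 2 (folder SACL) and Step 3 (read the
# resulting Security log events). Requires 'Audit object access' to be enabled (Step 1) and an elevated
# session, because writing a SACL needs the SeSecurityPrivilege. Function names are this example's own.

function Add-FolderAuditRule {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Identity = 'Everyone',
        # Rights worth auditing on a sensitive share: destructive and permission-changing access.
        [System.Security.AccessControl.FileSystemRights] $Rights = 'Delete, DeleteSubdirectoriesAndFiles, WriteData, AppendData, ChangePermissions, TakeOwnership',
        [System.Security.AccessControl.AuditFlags] $Flags = 'Success, Failure'
    )
    $acl  = Get-Acl -Path $Path -Audit            # -Audit is needed to read and modify the SACL
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        $Flags)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    return $rule
}

function Get-FolderAuditEvents {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $Hours = 1
    )
    # 4663 = "An attempt was made to access an object"; it is written for each audited access.
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the named EventData fields from the event XML rather than parsing the message text.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.ObjectName -like "$Path*") {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Account    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Object     = $data.ObjectName
                AccessMask = $data.AccessMask
                Process    = $data.ProcessName
            }
        }
    }
}

# Usage (folder and group names are constructed placeholders):
#   Add-FolderAuditRule -Path 'D:\Finance' -Identity 'DOMAIN\Finance-Users'
#   Get-FolderAuditEvents -Path 'D:\Finance' -Hours 24 | Format-Table -AutoSize
```

The default rights deliberately leave out ReadData: auditing reads on a busy share floods the Security log and, with it, the Event Manager datasource, so read auditing is better reserved for a small set of genuinely confidential folders.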

IBM i Audit

Overview

Usually, security policies are implemented using the built-in IBM i tools, the most important of these being the embedded, object-based authorization system. Granting or revoking object access to certain users can secure the system, but nevertheless there are many different ways in which a user can circumvent the authorization system. Here are some examples:

- The application can have undetected holes within its security authorization scheme
- Programs may inherit access privileges that are higher than those of the individual user
- A user can get access to an unsecured command that can grant them more privileges
- A password for a powerful user profile can be obtained or left in use on an unattended terminal


- A programmer may use an unauthorized interface such as Data File Utility (DFU) to modify a sensitive file

No matter how well designed and deployed you believe your security auditing scheme to be, you must verify that nothing can compromise it. For example, something as simple as a system value change may render your security scheme useless. Modern hackers use various techniques to pose as employees, system administrators or help desk personnel to get user names and passwords from unsuspecting users. Also consider the case of the dissatisfied employee who may be tempted to delete application objects or to copy confidential data and publish it on a website.

The Event Manager IBM i template uses IBM auditing mechanisms to provide you with real-time and historical system auditing and detects any activity that you consider to be suspicious. You can set customized policies at a very detailed level, receive real-time alerts and automatically execute actions when a problem arises (such as disabling access for a particular user). This helps you continuously evaluate your security planning and policies, identify weaknesses and cover limitations, specifically:

- Ensure that your security policy adequately protects your company’s resources
- Detect unauthorized attempts to access your system and your company’s confidential data
- Detect attempted security violations and application problems relating to authorizations
- Reduce average time for problem resolution
- Detect system vulnerabilities
- Plan migration to a higher security level
- Monitor the use of sensitive objects, such as confidential files


IBM i Security Auditing

IBM i can log security events that occur on your system. These are recorded in special objects called journal receivers. The security auditing function is optional, so you must take specific steps to set it up. Please refer to your IBM i documentation for guidance on how to do this. System values and specific commands control which events are logged.

IBM i Auditing Issues

The configuration of IBM i auditing is not an easy task. There are many commands, system values and interrelations that need to be taken into consideration. Also, due to a lack of filter support, there is a large amount of raw data to deal with. There is also no built-in real-time monitoring: only reporting is readily available, and at best on a daily basis for the most up-to-date information. As auditing is not directly linked to any actions, it is often too late to resolve problems once they have occurred.

Using the Event Manager IBM i template removes the complexities of configuration, allows corrective actions to be taken in near real time and provides an easy-to-use interface for working with IBM i auditing. The template provides:

- Filter options, thus reducing the amount of data collected.
- Enrichment of auditing messages to provide more detailed information to system operators/administrators.
- Integration with the message console.

IBM i Auditing Planning

When planning what to audit on your IBM i, you can use two different areas:

- Action auditing.
- Object auditing.

Action Auditing

Action auditing logs system-wide, security-relevant events. Action auditing is available at system level and/or user level. Examples include:

- User profile changed.
- User profile created.
- Object restore.
- Actions on spooled files.


Object Auditing

Object auditing logs specific object-related, security-relevant events. Object auditing is also available at system level and/or user level. Examples include:

- Only Object Changes.
- All Accesses to the Object.

IBM i Template System Requirements

The following system requirements must be in place in order for the Event Manager IBM i template to operate correctly. Either:

- Powertech SIEM Agent for IBM i installed, or

- VMC IBM i Security Agent installed and the User Inactivity Monitors running. The minimum IBM i module entries to be configured are:

Entry Type   Condition Type   Filter Expression
CA           *INCLUDE         TRIM(COPY(&JRNSTRING,21,8)) IN {'*AUTL'}
CO           *INCLUDE         TRIM(COPY(&JRNSTRING,21,8)) IN {'*AUTL'}
CP           *NONE            No Filter
DO           *INCLUDE         TRIM(COPY(&JRNSTRING,21,8)) IN {'*AUTL','*USRPRF'}
DS           *NONE            No Filter
JS           *INCLUDE         (TRIM(COPY(&JRNSTRING,2,1)) = 'I') AND (TRIM(COPY(&JRNSTRING,1,1)) IN {'S','E','I'})
NA           *NONE            No Filter
PA           *NONE            No Filter
PW           *NONE            No Filter
RP           *NONE            No Filter
ST           *NONE            No Filter
SV           *NONE            No Filter


- Client Access (32-bit) installed on the Event Manager Monitoring Node
- ODBC access to the IBM i
- A user profile with permissions to query B_DETECTOR/BDHST02X must be available

IBM i Security Intrusion Detection Audit

Overview

The intrusion detection and prevention system (IDS) notifies you of attempts to hack into, disrupt, or deny service to the system. IDS also monitors for potential extrusions, where your system might be used as the source of an attack. These potential intrusions and extrusions are logged as intrusion monitor audit records in the security audit journal and displayed as intrusion events in the Intrusion Detection System graphical user interface (GUI). You can configure IDS to prevent intrusions and extrusions from occurring. IDS does not monitor for viruses, Trojan horse programs, or malicious e-mail attachments.

Configuration

For more information regarding IBM i Security Intrusion Detection and its configuration, please see: https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_73/rzaub/rzaubpdf.pdf
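The filter expressions in the "minimum IBM i module entries" table of the IBM i Template System Requirements above decide which audit journal entries reach Event Manager, and it is worth being able to reason about them before committing a configuration. The following is an added example, not code from the HelpSystems guide or the IBM i agent: it implements the table's COPY (1-based position and length), TRIM and IN semantics in PowerShell and evaluates them over sample journal strings. The sample strings are constructed for this example so that positions 1-2 and 21-28 hold the values the expressions test; they are not real QAUDJRN records, and the function names are this example's own.

```powershell
# Added example (not part of the HelpSystems guide): evaluate the entry-type filter expressions from the
# requirements table against journal strings. COPY(&JRNSTRING,start,len) is a 1-based substring, TRIM
# strips blanks, IN tests set membership; "No Filter" (*NONE) includes every entry of that type.
# Sample data below is constructed for the example and is not real audit journal content.

function Copy-JrnField {
    # COPY(&JRNSTRING, start, length) with 1-based positions; tolerant of strings shorter than start+length.
    param([string] $Jrn, [int] $Start, [int] $Length)
    if ($Jrn.Length -lt $Start) { return '' }
    return $Jrn.Substring($Start - 1, [Math]::Min($Length, $Jrn.Length - $Start + 1))
}

# Entry type -> script block implementing the table's Filter Expression; $null means "No Filter".
$EntryFilters = @{
    'CA' = { param($j) (Copy-JrnField $j 21 8).Trim() -in @('*AUTL') }
    'CO' = { param($j) (Copy-JrnField $j 21 8).Trim() -in @('*AUTL') }
    'CP' = $null
    'DO' = { param($j) (Copy-JrnField $j 21 8).Trim() -in @('*AUTL', '*USRPRF') }
    'DS' = $null
    'JS' = { param($j) ((Copy-JrnField $j 2 1).Trim() -eq 'I') -and ((Copy-JrnField $j 1 1).Trim() -in @('S', 'E', 'I')) }
    'NA' = $null; 'PA' = $null; 'PW' = $null; 'RP' = $null; 'ST' = $null; 'SV' = $null
}

function Test-JrnEntryIncluded {
    # $true when an entry of this type with this journal string passes the table's filters.
    param([Parameter(Mandatory)] [string] $EntryType, [Parameter(Mandatory)] [string] $Jrn)
    if (-not $EntryFilters.ContainsKey($EntryType)) { return $false }   # type not configured at all
    $f = $EntryFilters[$EntryType]
    if ($null -eq $f) { return $true }                                   # *NONE: no filter
    return [bool](& $f $Jrn)
}

# Constructed samples: (entry type, journal string). 'XX' + 18 blanks puts the object type at position 21.
$samples = @(
    @('CA', 'XX' + (' ' * 18) + '*AUTL   '),   # object type *AUTL   -> passes the CA filter
    @('CA', 'XX' + (' ' * 18) + '*FILE   '),   # object type *FILE   -> filtered out
    @('DO', 'XX' + (' ' * 18) + '*USRPRF '),   # object type *USRPRF -> passes the DO filter
    @('JS', 'SI'),                             # pos 1 'S', pos 2 'I' -> passes the JS filter
    @('JS', 'SB'),                             # pos 2 'B'            -> filtered out
    @('PW', 'anything'),                       # *NONE: every PW entry is included
    @('ZZ', 'anything')                        # not in the table: not collected
)
foreach ($s in $samples) {
    '{0}  {1,-30}  included={2}' -f $s[0], "'$($s[1])'", (Test-JrnEntryIncluded -EntryType $s[0] -Jrn $s[1])
}
```

The point to take from running it is how narrow the CA/CO/DO filters are: only entries whose object type is an authorization list (or, for DO, a user profile) are forwarded, so authority changes on ordinary files are invisible to Event Manager unless the filter is widened, at the cost of the extra volume the "IBM i Auditing Issues" section warns about.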


IBM i Custom Application Audit

Overview

The Powertech SIEM (Security Information and Event Management) Agent can be used to retrieve information from any message queue, journal or custom journal and deliver it to Event Manager.

Example IBM i Custom Application

Creating the Event Source (*MSGQ)

1. Open an instance of Powertech SIEM Agent on the IBM i.
2. Select option 1=Work with Event Sources.
3. Press F6 to create a new Event Source.
4. Enter the Name as CUSTOMAPP.
5. Enter a Description of Custom Application.
6. Choose a Type depending on the type of event being monitored.
7. Enter a Facility of 1 to identify the source as defined by the Common Event Format (CEF) specification.
8. Press Enter.

Please refer to the following for further guidance on creating an event source: https://static.helpsystems.com/powertech/help/siem-agent/4_1/content/create-event-source-panel.htm

Creating the Output Type

This creates a new CEF format which is used by the SIEM Agent to pass the information to Event Manager.

1. From the Powertech SIEM Agent main menu, select option 3=Work with Outputs.
2. Press F6 to create a new Output Type.
3. Enter a Name that identifies the new output type, such as [machine-id]CEF.
4. Enter a Description by which the new Output Type can be identified.
5. Type 1 to ensure that the Output Type is Active.
6. Enter the Format as *MODERN.

NOTE: See https://static.helpsystems.com/powertech/help/siem-agent/4_1/content/create-format-panel.htm for more information regarding the *MODERN Format.

7. Enter the Type as *NETWORK.


NOTE: See: https://static.helpsystems.com/powertech/help/siem-agent/4_1/content/create-output-panel.htm for more information regarding the *NETWORK type and the additional fields that appear as a result of this selection. These entries control the location of the instance of Event Manager to which you are connecting.

8. Press Enter.

Using the Output in the Event Source

1. From the Powertech SIEM Agent, select option 1=Work with Event Sources.
2. Take option 2=Change against the CUSTOMAPP Event Source (created earlier).
3. From the Change Event Source display, use F8=Maintain Outputs.
4. From the Work with Attached Outputs display, use F6=Attach to open the Select Output Target display.
5. Type 1 against the previously created Output Type.
6. Press Enter.

The *MODERN (CEF) output type is now attached to the Event Source, ready to pass information in CEF format to Event Manager.

SQL Server Audit

Overview

This chapter explains how the SQL Server auditing process works and how the ThinkServer module retrieves the auditing information.

TIP: We strongly recommend that you upgrade to the latest SQL Server Service Pack(s) before getting started.

The first requirement is to create a datasource for the SQL Audit. This is where the audit data is retrieved from. When the datasource is created, an auditing process (trace) is created on the server. Once you have created a datasource, you can reduce the amount of audited data by applying filters. You can configure filters at monitor level and set conditions for setting health levels and assigning actions to invoke. Please note that:

- The auditing process runs on the server, whether the ThinkServer service is running or not.
- The retrieved auditing events are stored in temporary files on the server.
- In SQL Server 2000 servers and later, data is stored in binary files in a system folder.
- The process created on a server receives events from the entire server, not just from a specific database. If you only need to audit a specific database, set Datasource filters on the DatabaseName or DatabaseID variables.


- Auditing an SQL Server can have important effects on a server system. The input/output operations can increase to dangerous levels if the appropriate filters are not defined. Note that a simple query could generate 30 events that are written to a file or database. So it is very important to decide which users, databases, and types of query you need to audit.
- Retrieving a large number of events may lead to storage problems on the server. If ThinkServer is not running, or if the speed at which new events are generated is greater than the speed at which ThinkServer reads the events, storage problems are likely to occur.
- Auditing events in the temporary files are retrieved by the datasource collection process using SQL queries.

NOTE: Audit processes on the server will run until the Datasource is removed, whether the ThinkServer service is running or not.

SQL Server Template System Requirements

- SQL Server 2005 or higher

Minimum User Profile Requirements

- ODBC connection from the monitoring node to the database server using an SQL Server Native driver.
- User connection with permissions to connect via ODBC and ALTER TRACE.
- A folder created in the server where the traces will be stored. It can be manually created or:
  - OPTIONAL: If you want the folder to be automatically created, use the sysadmin user and have xp_cmdshell enabled.
  - OPTIONAL: Even if the traces rotate and no data is ever accumulated, the files cannot be deleted unless the user is sysadmin and has xp_cmdshell enabled.
- By default, Execute permissions are granted to members of the fixed server role sysadmin for:
  - xp_trace_addnewqueue
  - xp_trace_setqueuedestination
  - xp_trace_restartqueue
  - xp_trace_pausequeue
  - xp_trace_destroyqueue
  - xp_trace_enumqueuehandles
  - xp_trace_getqueuedestination

These permissions can also be granted to other users as the need arises.


- To perform select and delete queries on the table where event information is stored, you need either a user belonging to the sysadmin server role or the user that created the trace by calling the xp_trace_setqueuedestination extended stored procedure (i.e. the owner of the trace).
- To create a startup stored procedure, you must be logged in as a member of the sysadmin fixed server role and create the stored procedure in the master database.
- To create the table tango_traces, the user must be granted CREATE TABLE permission. By default, this permission is granted to the members of the db_owner and db_ddladmin fixed database roles. Members of the db_owner fixed database role and members of the sysadmin fixed server role can transfer CREATE TABLE permission to other users.
- To perform delete queries on the table tango_traces, DELETE permission must be granted. This permission is granted by default to members of the sysadmin fixed server role, the fixed database roles db_owner and db_datawriter, and the table owner. Members of the sysadmin, db_owner, and db_securityadmin roles, in addition to the table owner, can transfer permissions to other users.

In SQL Server, the server must permit the use of the stored procedure xp_cmdshell. This stored procedure is disabled by default and must be enabled using the SQL Server Surface Area Configuration. See Enabling the xp_cmdshell Stored Procedure - SQL Server 2005 or Enabling the xp_cmdshell Stored Procedure - SQL Server 2008 (and higher) for further details.

Unlike SQL Server 2000, later versions of SQL Server do not strictly require a sysadmin account, which allows the permissions given to the DSN user to be restricted. It is also possible to restrict the direct execution of the xp_cmdshell stored procedure.

Using xp_cmdshell directly with a proxy user

To use this option, assign privileges to users or login names manually. These privileges are granted by default to members of the sysadmin fixed server role and can be granted to other users with the following commands:

USE [master]
GRANT ALTER ON SCHEMA :: [dbo] TO [helpsystems_user]
GRANT SELECT ON SCHEMA :: [dbo] TO [helpsystems_user]
GRANT INSERT ON SCHEMA :: [dbo] TO [helpsystems_user]
GRANT UPDATE ON SCHEMA :: [dbo] TO [helpsystems_user]
GRANT DELETE ON SCHEMA :: [dbo] TO [helpsystems_user]
GRANT EXECUTE ON [master].[sys].[xp_cmdshell] TO [helpsystems_user]
GRANT EXECUTE ON [master].[dbo].[sp_trace_setfilter] TO [helpsystems_user]
GRANT EXECUTE ON [master].[dbo].[sp_trace_create] TO [helpsystems_user]
GRANT EXECUTE ON [master].[dbo].[sp_trace_setevent] TO [helpsystems_user]
GRANT EXECUTE ON [master].[dbo].[sp_trace_setstatus] TO [helpsystems_user]
GRANT EXECUTE ON [master].[dbo].[xp_fileexist] TO [helpsystems_user]
GRANT CREATE PROCEDURE TO [helpsystems_user]
GRANT CREATE TABLE TO [helpsystems_user]
GRANT ALTER TRACE TO [helpsystems_login]

When xp_cmdshell is called by a user who is not a member of the sysadmin fixed server role, it connects to the operating system by using the account name and password stored in the credential named ##xp_cmdshell_proxy_account##. If this proxy credential does not exist, xp_cmdshell fails. Create the proxy account credential by executing the following command:

CREATE CREDENTIAL [##xp_cmdshell_proxy_account##] WITH IDENTITY = N'DOMAIN\USER', SECRET = N'PASSWORD'

This user must have the right to log on as a batch job, permission to act as part of the operating system, to increase quotas and to replace a process-level token, as well as full control permissions on the directory where the traces are stored. See Grant Rights to Log On as a Batch Job.

SQL Audit collection technology also performs operations to check whether a file exists on the system and to delete old temporary files where events were stored. This is done by executing the extended stored procedure xp_cmdshell, permission for which is granted by default to members of the sysadmin fixed server role but can be granted to other users. It is important to note that when the MSSQLServer service runs under a Windows NT account that is not a member of the local Administrators group, users who are not members of the sysadmin fixed server role cannot execute xp_cmdshell.

Grant Rights to Log On as a Batch Job

It is necessary to add some permissions for the (new, non-fixed server role) user you assigned to the proxy account so that the user is able to log on as a batch job. This is done in the local security settings of the machine you wish to monitor.

To give the user "Log on as a batch job" privileges:

1. Open the target SQL server.
2. Click Security Settings, select Local Policies and click User Rights Assignment.
3. Open Log on as a batch job and add the user that you assigned to the ##xp_cmdshell_proxy_account##. Click Apply and then OK.

Enabling the xp_cmdshell Stored Procedure - SQL Server 2005

In SQL Server 2005, users are forbidden from running the xp_cmdshell stored procedure. The SQL Server Security Agent uses this procedure and it must therefore be enabled.


To enable the xp_cmdshell stored procedure:

1. On the task bar, click the Start menu, select All Programs > Microsoft SQL Server 2005 > Configuration Tools, and then click SQL Server Surface Area Configuration to launch the Surface Area Configuration utility. Detailed instructions are available at: http://msdn2.microsoft.com/en-us/library/ms173748.aspx
2. Click the Surface Area Configuration for Features option. Further information is available at: http://msdn2.microsoft.com/en-us/library/ms183753.aspx
3. Select xp_cmdshell and click the Enable xp_cmdshell check box.

Enabling the xp_cmdshell Stored Procedure - SQL Server 2008 (and higher)

In order to enable the xp_cmdshell procedure in SQL Server 2008 (and higher), you must run the following:

To allow advanced options to be configured:

EXEC sp_configure 'show advanced options', 1
GO

To update the currently configured value for advanced options:

RECONFIGURE
GO

To enable the feature:

EXEC sp_configure 'xp_cmdshell', 1
GO

To update the currently configured value for this feature:

RECONFIGURE
GO

Deleting Traces

There are many situations in which a trace continues to run and where it is not possible to delete it from the ThinkServer. For example, when the ThinkServer is uninstalled from the client host or an error occurs when deleting the datasource, the trace may continue to run while the user is left with no normal means of deleting it. To ensure traces do not continue to run on the system, two Event Manager collection agents have been added to check which traces are running on the server. Use the following instructions to delete unwanted traces and prevent them from restarting the next time the SQL Server starts.

NOTE: The following queries should only be run in emergency situations. It is important to maintain the consistency between the datasources on the ThinkServer and the traces running on the server.


Deleting Traces in SQL Server 2005 and 2008 (and higher)

1. Retrieve the list of traces running on SQL Server by executing the query:

SELECT * FROM ::fn_trace_getinfo(default) WHERE property = 2

2. Run the following queries on each trace identifier to pause and delete the traces running on the server:

EXEC master..sp_trace_setstatus TraceIdentifier, 0
EXEC master..sp_trace_setstatus TraceIdentifier, 2

3. This query displays the information of the traces that are restarted when SQL Server restarts:

SELECT tracename, traceid FROM tango_traces

4. Delete the information of the traces that shouldn't restart from the table tango_traces:

DELETE FROM tango_traces WHERE traceid = TraceIdentifier

Real-Time Events

SQL Audit collection technology in Powertech Event Manager receives the events to which it is subscribed in the order that the events are generated. If there are many events left on the server to be processed, it could take a long time for an event to reach ThinkServer and be able to activate an alarm. This underlines the importance of configuring accurate filters in the datasource as well as in the monitor. If the ThinkServer's capacity to read events is lower than the SQL Server's capacity to generate events, there will be an increasing time lag in processing the events, which may end in the collapse of the server's storage capacity.

In SQL Server 2000, where events are stored in an SQL Server memory buffer before they are stored in the files used by ThinkServer for processing, problems may arise if only very few events are generated. In this case it might take a long time for the buffer to fill, releasing the events to the ThinkServer files for processing. When the ThinkServer detects that no data has been retrieved in ten consecutive iterations, it forces the SQL Server buffer to write to the file, so that the ThinkServer can process the events. Note that by default this delay is only 10 minutes (10 iterations with a refresh time of 60 seconds). This delay changes according to your configuration of the refresh time in a datasource.

Linux Audit

Overview

The Linux Security collection technology in Event Manager works with GNU/Linux based operating systems, retrieving logical security events for almost every distribution. SSH-based Event Manager collectors retrieve security events by using Secure Shell connections to each host, implementing a more secure connection and avoiding the possible loss of data. Syslog collectors perform the same function as the SSH-based collectors but require the syslog trail to be configured to the collection nodes. The main features of this collection technology with Event Manager are:

- Only one datasource needed for each server
- Automatic parsing of audit events

System Pre-requisites

The Linux collection technology in Event Manager relies on the Linux Audit daemon, or the Linux audit module. Before using the Event Manager collectors you must ensure that your Linux host is configured correctly and meets the minimum requirements.

Minimum Requirements

Linux SSH-based Event Manager collection technology

In order to use the Event Manager collection technology, you need to provide a user profile that has the following permissions:

- A Linux kernel capable of audit syscalls. This is supported by default on kernels 2.6.x, but some distributions might disable the feature for custom purposes, although most modern distributions come with this enabled. Please refer to your Linux vendor documentation in order to check if auditing is supported.
- A Linux package called audit is required. This tool allows you to configure audit rules and query the audit logs with some powerful features such as fine-grained filtering. The Linux Audit collectors depend directly on just one application that comes with this package, ausearch, so it is a requirement to have it properly installed on the Linux host. Another application called auditctl is required to create your audit data.
- A remote connection from ThinkServer by using SSH or TELNET (not recommended).


Connections Type

The Connection Type option allows you to define the protocol you want to use to connect to the remote Linux/UNIX host. At this moment, SSHv2 and TELNET are supported. TELNET is provided as a compatibility option for legacy systems, although it's not recommended because it's not secure and it is very slow compared to SSH.

Private Key

The Private Key option gives you the possibility to use the private key authentication method available in OpenSSH-based daemons. This kind of authentication uses a public and private key pair of files that are used when connecting to the server. You only need the private one, as the public key is "deduced" at runtime by the connections engine. Once you have your private key stored in the Event Manager server, put the full path to the file inside the PKI field of the SSH (public key) credential. The private key must be a cryptographic RSA or DSA key that's compatible with OpenSSH and associated with the remote host. There are several tools for generating and associating key pairs for authentication. The most common one is ssh-keygen, which should be available in your remote host. If you have a private key in .ppk format (from the popular tool PuTTY), you can export it to OpenSSH format by using the PuTTY Key Generator. Remember that private key authentication is just an option, not a requirement for the data retrieval.

Linux Syslog-based Event Manager collection technology

Syslog-based collection technology within Event Manager requires the syslog trail to be redirected to the Event Manager collection node. See Configuring_Remote_Syslog_-_Unix_and_BSD-OSX for information on how to configure this setting.

Audit Daemon Installation

The following Audit Daemons can be used with Event Manager. Use the instructions to install the daemon of your choice:

- Debian/Ubuntu: apt-get install auditd audispd-plugins
- Red Hat/CentOS/Fedora: usually already installed (packages: audit and audit-libs)

Activating the auditd daemon

Enabling System Call auditing for one session only: enable with auditctl -e 1 and disable with auditctl -e 0. These settings are not persistent, so they will not survive a system reboot.


Server Configuration

The configuration of the audit daemon is covered by two files, one for the daemon itself (auditd.conf) and one for the rules used by the auditctl tool (audit.rules).

Auditd.conf

The file auditd.conf configures the Linux audit daemon (auditd) with a focus on where and how it should log events. It also defines how to deal with full disks, log rotation and the number of log files to be kept. The configuration of the audit daemon is specified in the /etc/audit/auditd.conf configuration file. Each Linux distribution comes with its own default configuration. For example, SUSE Linux uses the following configuration by default:

log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 4
disp_qos = lossy
dispatcher = /usr/sbin/audispd
name_format = NONE
# name = mydomain
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
#tcp_listen_port =
tcp_listen_queue = 5
#tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
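The settings that matter most in this file are the ones that decide what the daemon does when it can no longer write the log, so a candidate auditd.conf is worth checking before it is deployed. The following POSIX shell script is an added example, not from the HelpSystems guide or the audit package: check_auditd_conf parses the key = value lines and warns when one of the disk-condition actions (space_left_action, admin_space_left_action, disk_full_action, disk_error_action) or max_log_file_action is IGNORE, or when flush is NONE; write_sample_auditd_conf writes a constructed copy of the SUSE defaults above with two of those settings deliberately weakened so the check has something to find. The directory it writes to is an assumption of the demonstration.

```sh
# Added example (not from the HelpSystems guide or the audit package): a check
# of the auditd.conf settings that decide what happens when the log cannot be
# written, since those are the settings that silently cost you events.

# check_auditd_conf CONF_FILE
# Parses "key = value" lines (comments stripped), prints one warning per weak
# setting and returns the number of warnings.
check_auditd_conf() {
    conf="$1"
    warnings=0
    while IFS= read -r raw || [ -n "$raw" ]; do
        line=${raw%%#*}                                  # strip comments
        case "$line" in *=*) ;; *) continue ;; esac      # skip blanks and junk
        key=$(printf '%s' "${line%%=*}" | tr -d '[:blank:]')
        val=$(printf '%s' "${line#*=}" | tr -d '[:blank:]')
        case "$key" in
            space_left_action|admin_space_left_action|disk_full_action|disk_error_action|max_log_file_action)
                if [ "$val" = "IGNORE" ]; then
                    echo "$key = IGNORE: the condition is never acted on"
                    warnings=$((warnings + 1))
                fi ;;
            flush)
                if [ "$val" = "NONE" ]; then
                    echo "flush = NONE: records buffered in the daemon are lost on a crash"
                    warnings=$((warnings + 1))
                fi ;;
        esac
    done < "$conf"
    return "$warnings"
}

# write_sample_auditd_conf DIR: writes a constructed copy of the SUSE defaults
# into DIR/auditd.conf, with disk_full_action and flush weakened on purpose
# so that the check has something to report.
write_sample_auditd_conf() {
    cat > "$1/auditd.conf" <<'EOF'
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = NONE
freq = 20
num_logs = 4
disp_qos = lossy
dispatcher = /usr/sbin/audispd
name_format = NONE
# name = mydomain
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = IGNORE
disk_error_action = SUSPEND
#tcp_listen_port =
tcp_listen_queue = 5
#tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
EOF
}

# usage on a live host: check_auditd_conf /etc/audit/auditd.conf
```

The exit status is the warning count, so the function can gate a configuration-management run; SUSPEND and SYSLOG are the values the defaults above use for the disk conditions, and HALT is the stricter choice where losing audit records is worse than losing the host.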


Most of the settings in this file concern the audit log files and how logging is done. The most important settings concern the actions the daemon should take when encountering certain critical conditions or errors (system low on disk space, system out of disk space, or disk error) and when to warn the administrator about these conditions. Usually, the default configuration will be appropriate for most systems.

Audit.rules

Audit rules are used to specify which components of your system are audited. There are three types of audit rules:

- Basic audit system parameters
- File and directory watches
- System call audits

Before creating an audit rule set and prior to rolling it out to the system, carefully determine which components to audit. Extensive auditing causes a substantial logging load. Make sure that your system provides enough disk space to store large audit logs, and test your audit rule set extensively before rolling it out to a production system.

Audit rules can be either passed to the audit system on the command line using auditctl or bundled into a rules file located under /etc/audit/audit.rules that is read during the start of the audit daemon:

# basic audit system parameters
-D
-b 8192
-f 1
-e 1

# some file and directory watches
-w /var/log/audit/
-w /etc/audit/auditd.conf -p rxwa
-w /etc/audit/audit.rules -p rxwa
-w /etc/passwd -p rwxa
-w /etc/sysconfig/

# an example system call rule
-a entry,always -S mkdir -S rmdir

The basic audit system parameters include a rule to delete any pre-existing rules (-D) to avoid clashes with the new rules, a rule that sets the number of outstanding audit buffers (-b), the failure flag (-f), and the enable flag (-e):

- -b: depending on the audit load of your system, increase or decrease the number of outstanding audit buffers. If there are no more buffers left, the kernel checks the failure flag for action.
- -f: the failure flag controls the kernel's reaction to critical errors. Possible values are 0 (silent), 1 (print a failure message), and 2 (panic, bring the system down - no clean shutdown and risk of data loss or corruption).


- -e: if set to 1, this enables audit and audit contexts for system calls. Setting it to 2 does the same, but also locks down the configuration. Set to 0, audit is disabled. This flag is used to enable or disable audit temporarily.

File system watches can be added whenever you want to track files or directories for unauthorized access. Typical examples would include watching the audit configuration, logs, user and security databases. Use permission filtering to focus on those system calls requesting the permissions in which you are interested:

-w /etc/audit/audit.rules -p rxwa

The -p flag enables permission filtering. This example has permission filtering turned on for read, write, execute and attribute change permissions. Note the following limitations to file system watches:

- Directory watches produce less verbose logs than exact file watches. When in need of detailed file-related records, enable separate file watches for all files of interest.
- Pathname globbing of any kind is not supported by audit. Always use the exact pathnames.
- Auditing can only be performed on existing files. Any files added while the audit daemon is already running are ignored until the audit rule set is updated to watch the new files.

To configure which events should be audited, the audit framework uses a rules file named audit.rules. Start from a clean state, without any loaded rules. Active rules can be determined by running auditctl with the -l parameter:

[root@host ~]# auditctl -l
No rules

In case any rules are loaded, remove them with auditctl and the -D parameter.
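The limitations just listed (exact paths, files that must already exist, the r/w/x/a permission letters) and the ranges of the -b, -f and -e parameters described above are all easy to check before a rules file is loaded. The following POSIX shell script is an added example, not part of the HelpSystems guide or of the audit package: check_audit_rules reads a rules file and reports every line that auditctl would reject or the kernel would silently ignore, and write_sample_rules builds a constructed rules file (with four deliberately wrong lines) to exercise it. The file and directory names it uses are assumptions of the demonstration.

```sh
# Added example (not from the HelpSystems guide or the audit package): a
# preflight check for an audit.rules file, run before it is loaded with
# auditctl -R or installed under /etc/audit. It checks the limitations listed
# above: watch paths must be exact (no globbing), the watched file or directory
# must already exist, -p may only use r, w, x and a, and -b/-f/-e must carry
# values in their documented ranges.

# check_audit_rules RULES_FILE
# Prints one line per problem and returns the number of problems found.
check_audit_rules() {
    rules="$1"
    problems=0
    set -f                                     # never expand * ? [ in rule text
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line                           # split the rule into words
        case "$1" in
            -w)
                path="$2"
                case "$path" in
                    *'*'*|*'?'*|*'['*)
                        echo "globbing is not supported: $line"
                        problems=$((problems + 1)) ;;
                esac
                if [ ! -e "$path" ]; then
                    echo "path does not exist, watch would be ignored: $path"
                    problems=$((problems + 1))
                fi
                if [ "${3-}" = "-p" ]; then
                    case "${4-}" in
                        ''|*[!rwxa]*)
                            echo "invalid permission filter: $line"
                            problems=$((problems + 1)) ;;
                    esac
                fi ;;
            -f|-e)
                case "${2-}" in
                    0|1|2) ;;
                    *) echo "$1 must be 0, 1 or 2: $line"
                       problems=$((problems + 1)) ;;
                esac ;;
            -b)
                case "${2-}" in
                    ''|*[!0-9]*) echo "-b needs a numeric buffer count: $line"
                                 problems=$((problems + 1)) ;;
                esac ;;
        esac
    done < "$rules"
    set +f
    return "$problems"
}

# write_sample_rules DIR: creates a constructed rules file (plus one real file
# to watch) under DIR and prints its path. Four lines are deliberately wrong:
# a missing path, a glob (which also fails the existence check), a bad -p
# letter and an out-of-range -f, so the check reports five problems.
write_sample_rules() {
    dir="$1"
    : > "$dir/auditd.conf"
    cat > "$dir/rules.txt" <<EOF
# constructed sample: basic parameters, watches, one syscall rule
-D
-b 8192
-f 1
-e 1
-w $dir/auditd.conf -p rxwa
-w $dir/missing.conf -p wa
-w $dir/*.rules -p wa
-w $dir/auditd.conf -p rwq
-f 3
-a exit,always -S mkdir -S rmdir
EOF
    echo "$dir/rules.txt"
}

# usage on a live host: check_audit_rules /etc/audit/audit.rules
```

The file is the thing worth checking rather than the running rule set: as noted above, rules loaded with auditctl alone are not persistent, and after auditd restarts only the contents of /etc/audit/audit.rules apply.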


Examples of Audit monitoring in Linux

Monitoring the creation and deletion of directories with the Linux Directory Created/Deleted Collector:

auditctl -a entry,always -S mkdir -S rmdir

Monitoring file attribute operations with the Linux File/Directory Attribute Accessed/Modified Collector:

auditctl -a entry,always -S chmod -S fchmod -S chown -S chown32 -S fchown -S fchown32 -S lchown -S lchown32

(The *32 variants exist only on 32-bit x86 kernels; on a 64-bit kernel auditctl rejects them as unknown syscall names, so drop them there.)

Monitoring file link and rename operations with the Linux File/Directory Linked/Renamed Collectors:

auditctl -a entry,always -S unlink -S rename -S link -S symlink

Monitoring mount/unmount operations with the Linux Device Mounted/Unmounted Collector:

auditctl -a entry,always -S mount -S umount -S umount2

Adding watches to individual files and directories to be used with the Linux File Content Accessed/Modified Collector:

auditctl -w /var/log/audit
auditctl -w /var/log/audit/audit.log
auditctl -w /etc/audit.rules -p wa
auditctl -w /etc/libaudit.conf -p wa
auditctl -w /etc/sysconfig/auditd -p wa

For an example of how the monitoring works, we can use the /etc/passwd file. We can put a 'watch' on the file by defining the path and the permissions to look out for:

auditctl -a exit,always -F path=/etc/passwd -F perm=wa

By defining the path option, we instruct the audit framework which directory or file to watch. The permissions determine what kind of access will trigger an event. Although these look similar to file permissions, note that there is an important difference between the two. The four options are:

- r=read
- w=write
- x=execute
- a=attribute change
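To see what the /etc/passwd watch above actually produces, the following POSIX shell/awk script is an added example, not part of the HelpSystems guide: a watch rule of this kind writes one SYSCALL record plus CWD and PATH records per event into /var/log/audit/audit.log, all sharing the same audit(timestamp:serial) identifier, and events_touching correlates them by that identifier and reports, for every event that named the given path, the serial, the login user (auid), the effective uid, the syscall number, the command and its executable. write_sample_audit_log writes a constructed log with three events (a write to /etc/passwd by vipw, an unrelated execve of ls, and a chmod of /etc/passwd); the users, inodes, syscall numbers and timestamps in it are invented for the demonstration.

```sh
# Added example (not from the HelpSystems guide): correlate the SYSCALL and
# PATH records of an audit.log by their audit(timestamp:serial) id and list
# the events that touched a given path, with who did it.

# events_touching PATH LOGFILE
# Prints "serial auid uid syscall comm exe" for every event in LOGFILE that
# has a PATH record whose name is exactly PATH.
events_touching() {
    awk -v want="$1" '
        # pull the serial out of msg=audit(1632822000.101:4242):
        function serial(s,   m) {
            if (match(s, /msg=audit\([0-9.]+:[0-9]+\)/)) {
                m = substr(s, RSTART, RLENGTH)
                sub(/.*:/, "", m); sub(/\)/, "", m)
                return m
            }
            return ""
        }
        # value of " k=value" or " k=\"value\"" in record s, "-" if absent
        function field(s, k,   re, v) {
            re = " " k "=\"?[^ \"]*"
            if (match(s, re)) {
                v = substr(s, RSTART, RLENGTH)
                sub(/^ [^=]+="?/, "", v)
                return v
            }
            return "-"
        }
        /^type=SYSCALL / { sc[serial($0)] = $0; order[++n] = serial($0) }
        /^type=PATH / && field($0, "name") == want { hit[serial($0)] = 1 }
        END {
            for (i = 1; i <= n; i++) {
                s = order[i]
                if (s in hit)
                    print s, field(sc[s], "auid"), field(sc[s], "uid"),
                          field(sc[s], "syscall"), field(sc[s], "comm"),
                          field(sc[s], "exe")
            }
        }' "$2"
}

# write_sample_audit_log FILE: constructed audit.log with three events. Only
# the first (openat for write by vipw, run as root by login user 1000) and the
# third (chmod by user 1001) name /etc/passwd; the second is an execve of ls.
write_sample_audit_log() {
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1632822000.101:4242): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c0a1 a2=241 a3=1b6 items=2 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vipw" exe="/usr/sbin/vipw" key=(null)
type=CWD msg=audit(1632822000.101:4242): cwd="/root"
type=PATH msg=audit(1632822000.101:4242): item=0 name="/etc/" inode=2 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1632822000.101:4242): item=1 name="/etc/passwd" inode=1337 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1632822000.105:4243): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=1300 pid=1301 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="ls" exe="/usr/bin/ls" key=(null)
type=PATH msg=audit(1632822000.105:4243): item=0 name="/usr/bin/ls" inode=42 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1632822000.110:4244): arch=c000003e syscall=90 success=yes exit=0 a0=1 a1=1a4 a2=0 a3=0 items=1 ppid=1300 pid=1302 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="chmod" exe="/usr/bin/chmod" key=(null)
type=CWD msg=audit(1632822000.110:4244): cwd="/home/alice"
type=PATH msg=audit(1632822000.110:4244): item=0 name="/etc/passwd" inode=1337 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
EOF
}

# usage on a live host: events_touching /etc/passwd /var/log/audit/audit.log
```

On a real host, ausearch -f /etc/passwd performs the same correlation with the tool the collectors depend on; working through the raw records once makes clear why the login uid (auid) rather than the effective uid identifies the person behind a change made through sudo or a setuid program, as in the first constructed event.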


1. To audit all the actions required for the Event Manager actions collection, execute the following command:

sudo pico /etc/sudoers

Add the following line at the end of the file:

my_user_name ALL=(ALL:ALL) NOPASSWD:ALL

2. Execute:

auditctl -a exit,always -S execve
service auditd restart

3. To audit the changes on the test file in the /home/helpsystems folder:

auditctl -w /home/helpsystems -p wa -k test
service auditd restart

4. To audit permission changes on the files of the folder /home/helpsystems:

auditctl -a exit,always -S fchmodat -S chmod -S fchmod
auditctl -w /home/helpsystems/test -p a
service auditd restart

AIX Audit

Overview

The following is an overview of how to enable the security audit on an AIX server so that the Event Manager "out-of-the-box" security template can retrieve security-based information. The Event Manager "out-of-the-box" security template can greatly improve the security of AIX by integrating security audit information in real time, so that you can take proactive action to prevent security breaches and respond immediately should an issue arise.

Configuring AIX Syslog

AIX servers automatically generate events that are stored in the syslog. You can use the stored security audit events to audit the AIX/UNIX server using the Event Manager "out-of-the-box" security template. To audit AIX Syslog records you need to modify the hosts file and the syslog configuration file.

1. Set the IP address of the server running the Event Manager Monitoring Node in the hosts file. The hosts file is /etc/hosts. Add the following entry to the hosts file:

IP Address serverhelpsystems


For example:

192.168.0.5 serverhelpsystems

Indicate which messages should be sent to ThinkServer by adding the following lines to the syslog configuration file located at /etc/syslog.conf:

*.info @serverhelpsystems
*.alert @serverhelpsystems
*.notice @serverhelpsystems
*.debug @serverhelpsystems
*.err @serverhelpsystems
*.crit @serverhelpsystems
*.emerg @serverhelpsystems

This tells the AIX server where to send each message type.

NOTE: The value @serverhelpsystems must be defined in the hosts file as described in step 1.

NOTE: Unlike Linux, AIX does not support *.*

2. Refresh the syslog daemon using the following commands:

stopsrc -s syslogd
startsrc -s syslogd

TIP: To stop and start in a single command, use refresh -s syslogd.

Once you have completed this step, all syslog records are sent to the IP address defined in step 1 of this process. Machine serverhelpsystems, where Event Manager is installed, is running the "out-of-the-box" security template, which retrieves the AIX information from the syslog and stores it in the Event Manager database.

Check Configuration

To check that the configuration is working as expected, run the following command:

logger -p info 'TEST'

This command adds a record to the syslog with the message content 'TEST'. If you cannot find this message in the syslog file, review your settings to find the error.

NOTE: Use the following command to view new lines in the syslog file: tail -f /var/syslog.out

We recommend that you do not store the syslog.out file in your /tmp folder.


AIX Security Audit Configuration

To ensure that the Event Manager AIX "out-of-the-box" template can retrieve information from the AIX security audit, you must configure the following files on the AIX server to be monitored:

- streamcmds
- config
- events
- objects

The specific configuration for each file is shown in the following sections.

1. Set the file streamcmds: Default security audit AIX information is sent to a binary file. However, ThinkServer needs the information in a different format. To change the format, process the audit information with the following script: send_syslog.

Create the file named send_syslog in the folder /etc/helpsystems.

Then copy the AWK script file:

awk '{
    u = match($0, /helpsystems/)
    if (u == 0) {
        # no end-of-record marker yet: keep accumulating the line
        if (vari == "") vari = $0
        else vari = vari $0
    } else {
        # marker found: send the complete record as one syslog message
        vari = vari $0
        print vari | "logger -p info"
        close("logger -p info")
        vari = ""
    }
}'

Give the script file send_syslog sufficient permissions to run.

Finally, change the contents of the file streamcmds, located at /etc/security/audit/streamcmds, to the following line:

/usr/sbin/auditstream | auditpr -helRtcr -v | /etc/helpsystems/send_syslog &

2. Set the config file: This is the config file that details which users will be audited and to what extent:

/etc/security/audit/config


We recommend auditing the following:

- Creation, deletion and modification of users, roles and groups
- Password changes
- Use of privileges
- Operations (creating, deleting, renaming, etc.) on files and directories
- Changes to permissions
- Changes to the system settings (time, audit settings, communications, etc.)


Example audit entries for the Audited class in the config file:

Audited = USER_Create, USER_Remove, USER_Change, USER_SU, USER_Logout, USER_LOGIN, USER_Shell, ROLE_Create, ROLE_Change, ROLE_Remove, FILE_Unlink, FILE_Owner, FILE_Mode, FILE_Rename, FS_Rmdir, FS_Mkdir, PASSWORD_Change, GROUP_Remove, GROUP_Change, GROUP_Create, AUD_It, AUD_Events, AUD_Objects, AUD_Proc, AUD_Bin_Def

The config file also needs to define which custom audit category applies to each audited user. For example:

users:
        root = Audited

This indicates that the root user is audited as defined in the category Audited. You can add more users to this file if required.

3. Events configuration file: The events file contains the definition of the syslog record formats.

/etc/security/audit/events

For each audited event that occurs in the AIX system, several events are stored in the AIX syslog file. As a result, ThinkServer receives multiple messages for a single audit event. Further configuration needs to be applied to reduce this to a single message for each event.

This can be done by use of the AWK script send_syslog defined in the file streamcmds (see Step 1). This script concatenates the lines in the syslog file until it finds the text string helpsystems. At this point it knows the end of the message has been reached and sends the concatenated message to ThinkServer.

In order for the script to work as intended, helpsystems must be added to the end of each line in the event file.
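Both halves of this arrangement can be checked offline: that the marker-based merging turns the multi-line auditpr output into one message per event, and that every printf definition in the events file actually ends with the marker. The following POSIX shell/awk script is an added example, not the guide's send_syslog script: merge_audit_records joins lines until one contains the marker (and, unlike the awk script above, still emits a trailing record that never received its marker instead of dropping it at end of input), and events_missing_marker lists the printf definitions in an events file that lack the marker. sample_auditpr_output and write_sample_events_file produce constructed input; the user names, times and event layout in them are illustrative, not captured from a real AIX host.

```sh
# Added example (not the guide's send_syslog script): reproduce the
# marker-based merging offline and check an events file for definitions that
# were not given the marker.

# merge_audit_records MARKER
# Reads auditpr output on stdin. Lines are accumulated (joined with one space)
# until a line containing MARKER arrives; then the whole record is printed on
# one line. A record still pending at end of input is printed too, so an event
# whose definition lacks the marker shows up instead of vanishing.
merge_audit_records() {
    awk -v marker="$1" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)                 # drop auditpr indentation
            buf = (buf == "") ? line : (buf " " line)
        }
        index($0, marker) > 0 { print buf; buf = "" }
        END { if (buf != "") print buf }
    '
}

# events_missing_marker EVENTS_FILE MARKER
# Prints every NAME = printf "..." definition whose format string does not end
# with MARKER. Those events would still reach ThinkServer as several messages.
events_missing_marker() {
    awk -v marker="$2" '
        /^[ \t]*[A-Za-z_]+[ \t]*=[ \t]*printf/ {
            fmt = $0
            sub(/"[ \t]*$/, "", fmt)                 # remove the closing quote
            if (substr(fmt, length(fmt) - length(marker) + 1) != marker) print $0
        }' "$1"
}

# sample_auditpr_output: constructed "auditpr -helRtcr -v" output for three
# events. The third event's definition was never given the marker, so its
# record has no terminator line.
sample_auditpr_output() {
    cat <<'EOF'
PROC_Execute    alice   OK   Mon Sep 27 10:15:02 2021   ksh
        euid: 200 egid: 1 epriv: 0:0 name /usr/bin/mkuser helpsystems
USER_Create     alice   OK   Mon Sep 27 10:15:03 2021   mkuser
        bob alice helpsystems
FILE_Unlink     alice   OK   Mon Sep 27 10:15:04 2021   rm
        filename /tmp/scratch
EOF
}

# write_sample_events_file FILE: constructed excerpt of an events file in
# which PROC_Delete was left without the marker.
write_sample_events_file() {
    cat > "$1" <<'EOF'
auditpr:
* proc kernel events
        PROC_Create = printf "forked child process %d helpsystems"
        PROC_Delete = printf "child process exited %d"
* mkuser
        USER_Create = printf "%s %s helpsystems"
EOF
}

# usage on a live host:
#   events_missing_marker /etc/security/audit/events helpsystems
#   /usr/sbin/auditstream | auditpr -helRtcr -v | merge_audit_records helpsystems
```

Running events_missing_marker against the real events file before editing streamcmds catches exactly the case the third constructed event shows: an event that is audited but whose definition was missed, which otherwise arrives at ThinkServer as fragments.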

Section event file with changes marked in red

auditpr:

"proc kernel events

" fork () PROC_CREATE = print forked child process% d helpsystems

" exit () PROC_Delete = print child process exited% d helpsystems

" exec () PROC_Execute = print euid.% d egid:% d epriv.% x:% x name% s

Guide to Templates www.helpsystems.com page: 37 AIX Audit / AIX Security Audit Configuration

helpsystems

" setuidx () PROC_REALUID = printf real uid:% d helpsystems PROC_AuditID = print login uid:% d helpsystems

Most entries in the events file describe the system calls behind a command. You can also define entries for the events raised by a particular command; for example, the USER_Create event is associated with the mkuser command as shown below:

Events file section showing the link between the mkuser command and the USER_Create event:

* mkuser
USER_Create = printf "%s %s helpsystems"
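The reassembly that send_syslog performs is easy to get wrong at the edges (an events entry without the marker, blank lines, the auditpr header). The following POSIX shell script is an added example written for this guide, not the send_syslog script shipped in streamcmds: it re-implements the behaviour described above, joining the lines auditpr emits for one event until the helpsystems marker is seen, and flags any record that never closes. The sample input is constructed in the shape of auditpr -v output; the records in it are made up.

```shell
#!/bin/sh
# Added example, not the send_syslog script from streamcmds: joins the lines
# auditpr emits for one audit event until the "helpsystems" marker appears,
# then emits the record as a single line (the marker is stripped).

MARKER="${MARKER:-helpsystems}"

# usage: assemble_audit_records < auditpr_output
# Lines arriving before a marker are buffered; the line carrying the marker
# terminates the record. The column header and ruler auditpr prints are skipped.
assemble_audit_records() {
    awk -v marker="$MARKER" '
        /^event[ \t]+login/ || /^-+[ \t]+-+/ { next }   # auditpr header lines
        {
            line = $0
            gsub(/[ \t]+/, " ", line)                   # squeeze whitespace
            sub(/^ /, "", line); sub(/ $/, "", line)
            if (line == "") next
            buf = (buf == "" ? line : buf " " line)
            if (index(line, marker) > 0) {
                sub(" ?" marker "$", "", buf)           # strip the terminator
                print buf
                buf = ""
            }
        }
        END {
            # An event whose format string lacks the marker never closes its
            # record: surface it rather than silently merging or dropping it.
            if (buf != "") print buf " [INCOMPLETE: no " marker " marker]"
        }'
}

# Constructed sample in the shape of auditpr -v output: two complete records
# and a third whose events-file entry is missing the marker.
SAMPLE_AUDITPR='event           login    status      time                     command
--------------- -------- ----------- ------------------------ --------------------
USER_Create     root     OK          Thu Sep 16 07:02:11 2021 mkuser
        test root helpsystems
PROC_Create     root     OK          Thu Sep 16 07:02:12 2021 ksh
        forked child process 12345 helpsystems
FILE_Unlink     root     FAIL        Thu Sep 16 07:02:13 2021 rm
        flags: 0, mode: 644, fd: 3, filename /tmp/x'

printf '%s\n' "$SAMPLE_AUDITPR" | assemble_audit_records
```

Run it against the real stream with /usr/sbin/auditstream | /usr/sbin/auditpr -v | ./assemble.sh to confirm every event you enabled arrives as exactly one line; any line ending in [INCOMPLETE ...] points at an events-file entry that still lacks the marker.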

4. Objects configuration file: By default the AIX security audit records server-level actions such as login failures and other actions not tied to a specific object. It can also audit at object level. To do this you must edit the objects file, which lists the files to be audited and, for each one, whether to audit:

- writes only
- reads only
- both reads and writes (one line per access mode under the same file)

/etc/security/audit/objects

Add any file you want to audit at object level and indicate the access mode to audit. Each entry is the full path followed by a colon, then one indented line per mode (r, w or x) naming the event to record. The event name you choose (S_USER_WRITE below) must also have a format entry in the events file, with the helpsystems marker, or its records will not be printed. See the following examples:

Example of a file audited at object level for writes

To audit every time a user writes to the user file located in /etc/security/user, create the following entry:

/etc/security/user:
        w = "S_USER_WRITE"

Example of a file audited at object level for reads

To audit every time a user reads the group file located in /etc/security/group, create the following entry:

/etc/security/group:
        r = "S_GROUP_READ"

5. Start the audit: Once setup is complete, run the following command to start the audit:

audit start

6. Check the audit: To verify the audit is working properly run the following command from the command line:

/usr/sbin/auditstream | auditpr -helRtcr -v

The display changes to Wait mode.

Open another terminal window with an audited user and run the command:

mkuser test

If the audit is functioning properly, the Wait mode screen displays the command executed:

mkuser test

If the command does not appear, turn off the audit and check the configuration files described above.

7. Turn off the audit: If you need to stop auditing, run the command:

audit shutdown

Solaris Audit

Overview

The Solaris Security "out-of-the-box" template collection technology depends directly on the Solaris audit system: it retrieves the audit data stored in the audit trail files of any Solaris host that has the auditd daemon configured and running. It uses remote SSH connections with user authentication. The complete audit trail can be retrieved, or the most relevant data can be extracted using filters. The recommended practice is to analyze the requirements of the monitoring environment and filter only the information that is critical to your organization.

Connection Type

The Connection Type option defines the protocol used to connect to the remote Solaris host. At this moment SSHv2 and TELNET are supported. TELNET is provided only as a compatibility option for legacy systems; it is not recommended because it sends credentials and audit data in clear text, and it is very slow compared to SSH.

Private Key

The Private Key option lets you use the public key authentication method available in OpenSSH-based daemons. This method uses a pair of key files, one public and one private. You only need the private one on the Event Manager side, as the public key is derived from it at runtime by the connections engine. Once the private key is stored on the Event Manager server, put the full path to the file in the PKI field of the SSH (public key) credential. The private key must be an RSA or DSA key compatible with OpenSSH and authorized on the remote host, that is, the matching public key is present in the remote user's authorized_keys file. Note that current OpenSSH releases disable DSA (ssh-dss) keys by default, so use RSA. There are several tools for generating and installing key pairs; the most common is ssh-keygen, which should be available on the remote host. If you have a private key in .ppk format (from PuTTY), you can export it to OpenSSH format with PuTTYgen. Private key authentication is an option, not a requirement, for data retrieval.

Template Usage

Before using the template, ensure that the Solaris host has the auditing system configured and running. The main features of the Solaris Event Manager collection technology are:

- Only one datasource is needed for each server.
- Three levels of filters (low, medium and high). Use a high level of filtering to avoid performance issues.
- Automatic parsing of audit events, converting timestamps and other complex values into ThinkServer-style values.
- Support for audit trail concentrators. If one server stores the audit trails of several other servers, you can create one datasource for the concentrator and the parser detects the real host.
- Incremental reading. You may stop the monitors for several hours and retrieve all the historic data when monitoring resumes.
- Time-limited block size for queries, avoiding performance issues when retrieving a large amount of data.


Audit Classes Overview

The following audit class information is taken from the Sun Solaris System Administration Guide: Security Services.

Security-relevant system actions can be audited. These auditable actions are defined as audit events. Audit events are listed in the /etc/security/audit_event file. Each audit event is defined in the file by an event number, a symbolic name, a short description, and the set of audit classes to which the event belongs.

Each audit event belongs to one or more audit classes. Audit classes are convenient containers for large numbers of audit events. When you preselect a class to be audited, you specify that all the events in that class should be recorded in the audit trail. You can preselect for events on a system and for events initiated by a particular user. After the auditing service is running, you can dynamically add or remove audit classes from the preselected classes.

- System-wide preselection: specify system-wide defaults for auditing in the flags, naflags and plugin lines of the audit_control file.
- User-specific preselection: specify additions to the system-wide auditing defaults for individual users in the audit_user database. The audit preselection mask determines which classes of events are audited for a user.
- Dynamic preselection: specify audit classes as arguments to the auditconfig command to add or remove those audit classes from a process or session.

A post-selection command, auditreduce, lets you select records from the preselected audit records. This is the method used by the Solaris Security collector in Event Manager to retrieve the records from the audit trail.

Audit classes are defined in the /etc/security/audit_class file. Each entry contains the audit mask for the class, the name of the class and a descriptive name for the class. For example, the ps and na class definitions appear in the audit_class file as follows:

0x00100000:ps:process start/stop
0x00000400:na:non-attribute

Configuring System and User Audit

Once the bsmconv script has been run, you can set the basic audit parameters by modifying the /etc/security/audit_control file.

# audit_control file
dir:/var/audit
flags:lo
minfree:20
naflags:lo

This is a sample audit_control file with the default values. Two parameters are very important for the Solaris Audit collectors in Event Manager.


- flags: defines which classes of attributable events are audited for all users on the system. The classes are separated by commas; white space is allowed. In this example the events in the lo class are audited for all users.
- naflags: the same as flags, but for non-attributable events. It is normally only used for the lo class.

In the dir: line you set the path where the audit trail files are stored. It can be on the local host or on any remotely mounted file system (for example over NFS).

Once you have defined the default audit parameters for the system, you can also specify extra parameters at user level by modifying the /etc/security/audit_user file. These definitions modify, for the specified user, the classes preselected in audit_control. Each line has the form:

username:always-audit:never-audit

# audit_user file
jsmith:ex:no
root:lo,ex,fc,fd,fr,fm:no
margaret:lo:no
operator:ex:lo

The previous audit_user sample sets these user-specific audit parameters:

- for the user jsmith the ex class is enabled (in addition to the system-wide lo)
- for root, several other classes are enabled
- for margaret, only the lo class is enabled
- for operator, ex has been enabled and every event of the lo class has been disabled, since never-audit overrides the system-wide flags

Depending on your requirements, you may want to enable certain classes at system-wide level and others at user-specific level.

NOTE: Each Solaris Security Audit collector within Event Manager needs to have some specific classes enabled in order to work properly.
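Because a user's effective classes come from two files with different precedence, it is worth computing them rather than reading them off by eye before enabling a collector. The following POSIX shell script is an added example written for this guide (not part of Event Manager or of Solaris): it applies the precedence described above, with the flags: line of audit_control as the default, always-audit adding classes and never-audit removing them, and then checks a user against the classes a collector requires, which is the check the NOTE above asks for. It assumes plain class names (the +/- success/failure prefixes of the audit flag syntax are not handled) and treats "no" as an empty field; the sample files are constructed from the entries shown above.

```shell
#!/bin/sh
# Added example, not from the guide or from Event Manager: compute the audit
# classes effectively preselected for a Solaris user from audit_control and
# audit_user. Assumes plain class names (no +/- prefixes); "no" means "none".

# usage: effective_audit_classes USER AUDIT_CONTROL AUDIT_USER
# prints the effective class list, comma separated and sorted
effective_audit_classes() {
    awk -v user="$1" '
        # add every class named in a comma list to the set
        function add(list, set,    n, i, parts) {
            n = split(list, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", parts[i])
                if (parts[i] != "" && parts[i] != "no") set[parts[i]] = 1
            }
        }
        BEGIN { split("", sys); split("", always); split("", never) }
        FNR == 1 { fileno++ }                           # 1 = audit_control, 2 = audit_user
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # comments and blank lines
        fileno == 1 && /^flags:/ { sub(/^flags:/, ""); add($0, sys) }
        fileno == 2 {
            split($0, f, ":")                           # username:always-audit:never-audit
            if (f[1] == user) { add(f[2], always); add(f[3], never) }
        }
        END {
            for (c in sys)    out[c] = 1
            for (c in always) out[c] = 1
            for (c in never)  delete out[c]             # never-audit wins
            n = 0
            for (c in out) names[++n] = c
            for (i = 2; i <= n; i++) {                  # insertion sort for stable output
                v = names[i]
                for (j = i - 1; j >= 1 && names[j] > v; j--) names[j + 1] = names[j]
                names[j + 1] = v
            }
            for (i = 1; i <= n; i++) printf "%s%s", (i > 1 ? "," : ""), names[i]
            printf "\n"
        }' "$2" "$3"
}

# usage: missing_audit_classes USER AUDIT_CONTROL AUDIT_USER REQUIRED
# REQUIRED is a comma list of classes a collector needs; prints the ones the
# user lacks (empty output means the prerequisites are met)
missing_audit_classes() {
    have=",$(effective_audit_classes "$1" "$2" "$3"),"
    missing=""
    for c in $(printf '%s' "$4" | tr ',' ' '); do
        case "$have" in
            *",$c,"*) ;;
            *) missing="${missing:+$missing,}$c" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# Constructed sample files, using the entries shown in the guide.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/audit_control" <<'EOF'
# audit_control file
dir:/var/audit
flags:lo
minfree:20
naflags:lo
EOF
cat > "$SAMPLE_DIR/audit_user" <<'EOF'
# audit_user file
jsmith:ex:no
root:lo,ex,fc,fd,fr,fm:no
margaret:lo:no
operator:ex:lo
EOF

for u in jsmith root margaret operator nobody; do
    printf '%-9s %s\n' "$u" "$(effective_audit_classes "$u" "$SAMPLE_DIR/audit_control" "$SAMPLE_DIR/audit_user")"
done
# operator has lo in never-audit, so a collector that needs lo and ex is short of lo
missing_audit_classes operator "$SAMPLE_DIR/audit_control" "$SAMPLE_DIR/audit_user" lo,ex
```

On a real host point the functions at /etc/security/audit_control and /etc/security/audit_user; a non-empty result from missing_audit_classes for the account the collector runs as means records that collector depends on will never reach the trail.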

Configuring Audit Policies

Audit policy determines the characteristics of the audit records for the local system. The policy options are set by a startup script. The bsmconv script, which enables the auditing service, creates the /etc/security/audit_startup script. The audit_startup script executes the auditconfig command to establish audit policy. Most audit policy options are disabled by default to minimize storage requirements and processing demands. You can dynamically enable and disable audit policy options with the auditconfig command, and permanently enable or disable them by editing the audit_startup script.

#!/bin/sh
/usr/bin/echo "Starting BSM services."
/usr/sbin/auditconfig -setpolicy +cnt
/usr/sbin/auditconfig -conf
/usr/sbin/auditconfig -aconf


This is a sample /etc/security/audit_startup file with the default values created by bsmconv. With this configuration most Solaris Audit collectors in Event Manager are able to retrieve basic information, except the Solaris Programs Executed and Solaris Management Console collectors. To get these agents working properly you need to add a new line to this file:

/usr/sbin/auditconfig -setpolicy +argv,arge

Without this line it is not possible to retrieve information about command executions and Solaris Management Console operations. The argv policy stores the arguments of each executed command and the arge policy stores all the environment variables of any executed program. These policies increase the size of the audit trails, and arge in particular can capture secrets that programs receive through their environment, so restrict read access to the trail accordingly. If you do not need the Solaris Management Console collector in Event Manager, enable only argv.

User Permissions

To let the Solaris Security collectors in Event Manager retrieve the audit records, you need to provide a dedicated user for the remote SSH connection. The user does not need to be a superuser, but it does need full read access to the audit trail directory and every file in it. You can check where the audit trails are being saved by examining the dir: line of the /etc/security/audit_control file; the default path is /var/audit/. The Solaris Security Event Manager datasource also stores a file pointer in a path you specify, so you must guarantee write permission under that path. It can be the user's home directory, the /var/audit/ directory itself, or any other path. In summary, the user requirements are:

- Remote access permission with SSH (or Telnet).
- Full read permission on the path where the audit trails are stored and on every file inside it.
- Full write permission on the path where the file pointer for the incremental queries is saved.


User Permissions For Solaris installations v11 and later

To see how to set user permissions on Solaris versions earlier than v11, see User Permissions For Solaris BSM installations (pre v11).

1. Add the "myuser" user to the sudoers list (ensure you have added sudo permissions to the defined user). visudo is preferable to editing the file directly, as it checks the syntax before saving:

sudo nano /etc/sudoers

2. Add the following line to the end of the file:

myuser ALL=(ALL) NOPASSWD: ALL

This grants the collector account unrestricted, passwordless root. If your policy does not allow that, restrict the rule to the commands the collector actually runs, as in the pre-v11 section below, which limits the account to /usr/sbin/auditreduce and /usr/sbin/praudit.

3. Execute the following commands to configure the audit of all actions. Note that the all class produces a very large trail; if storage is a concern, set only the classes the collectors you use require.

To disable the audit service:

root@solaris11pz:/home/myuser# audit -t

To set the flags to audit everything:

root@solaris11pz:/home/myuser# auditconfig -setflags all

To restart the audit service:

root@solaris11pz:/home/myuser# audit -s

To check that the audit service is running:

root@solaris11pz:/home/myuser# auditconfig -getcond
audit condition = auditing

Enabling Auditing on Solaris BSM (pre v11)

BSM audit is not enabled by default on Solaris, so first check whether it is already working on the system by executing the command svcs auditd. Before configuring the BSM audit module for the first time, you must run the /etc/security/bsmconv script as a superuser on the system. This script enables BSM auditing and sets default parameters. After the script has been run, you must reboot the server. This can be done at any time, but auditing will not be active until the next reboot. If you want to disable auditing, you can do so at any time by running the /etc/security/bsmunconv script.


User Permissions For Solaris BSM installations (pre v11)

It is possible to use the sudo command to avoid giving an administrative role to the user. To do this, follow these steps:

1. Install the sudo utility on the Solaris host.
2. Add the following line to the /etc/sudoers file:

username ALL=NOPASSWD: /usr/sbin/auditreduce, /usr/sbin/praudit

3. Add the sudo command to the Pre Command datasource parameter.

NOTE: auditreduce command allows you to select or merge records from audit trail files. Audit files can be from one or more machines.

praudit is available to display audit records in an ‘easy-read’ format. The combination of both commands allows the extraction of information from the audit trail in a user friendly way.

Oracle Database Audit

Overview

The following is an overview of how to activate and extract audit information from an Oracle database so that the Event Manager "out-of-the-box" security template can retrieve security-based information.

Oracle Audit

The following sections explain how to enable Oracle auditing in Oracle 8i and Oracle 9i (or higher).

Enabling Auditing in Oracle 9i (and higher)

To enable auditing in Oracle 9i (and higher) you must change the startup parameter AUDIT_TRAIL in the SPFILE startup parameter file. This must be done using SQL statements, as the file is binary. Use, for example, SQL*Plus to run the following queries.

Check the current status of the audit:


SQL> SELECT name, value FROM v$parameter WHERE name = 'audit_trail';

Running this statement returns one of three results:

- NONE: auditing is not active.
- DB: auditing is active and events are saved in the system table SYS.AUD$.
- OS: auditing is active and events are written to the operating system; on Windows they go to the Application event log.

Changing the parameters within the SPFILE

For the Windows environment (Application event log), the audit must be saved with the third option above (OS), so run:

SQL> ALTER SYSTEM SET audit_trail = OS SCOPE = SPFILE;

For the UNIX environment (database table SYS.AUD$), the audit must be stored with the second option above (DB), so run:

SQL> ALTER SYSTEM SET audit_trail = DB SCOPE = SPFILE;

This modifies the binary startup parameter file; the new value takes effect at the next instance restart (see Restarting the Database below).


It is also possible to audit the SYS user in the same way. To query the current value:

SQL> SELECT name, value FROM v$parameter WHERE name = 'audit_sys_operations';

To modify this entry:

SQL> ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

Windows Environment - Auditing Superusers

The activity of SYS (SYSDBA or SYSOPER) users in an Oracle database on Windows is recorded in the Windows event log. The following screen shot shows the possible event properties that can be recorded.

These events can be audited by an eventlog agent, which requires read access through Windows WMI to the event log of the server hosting the Oracle database.

Unix Environment - Auditing Superusers

The activity of SYS (SYSDBA or SYSOPER) users in an Oracle database on UNIX is recorded in a log file, which by default is located in a path similar to the following:

$ORACLE_BASE/admin/$DB_UNIQUE_NAME/adump

For example:

/app/oracle/admin/PROD/adump/ora_446678.aud

(where ora_446678.aud is the name of the log file). The rotation policy of these files is defined by the DBA of the system. Whether SYS operations are written at all is controlled by the audit_sys_operations initialization parameter; to read more about it, see:


http://docs.oracle.com/cd/B28359_01/server.111/b28320/initparams015.htm The following is an example of the log format:

For these events to be audited by an agent File Reader, read access via SFTP protocol to the corresponding log file path is required.
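Whatever reads these files has to turn a multi-line record into one event and pick out the fields that matter for a SYSDBA session (who connected, from where, and whether it succeeded). The following POSIX shell script is an added example written for this guide, not code from Event Manager's File Reader or from Oracle: the record layout it parses (a timestamp line, then KEY :[length] 'value' lines, records separated by blank lines) is assumed from the 11g-style adump format and is not something the guide shows, and the records in the sample file are constructed. The second function isolates failed privileged connections, the records an operator would normally alert on first.

```shell
#!/bin/sh
# Added example, not from the guide or from Event Manager: parse the
# multi-line SYS audit records Oracle on UNIX writes under adump into one
# line per record. Layout assumed (11g style): a timestamp line, then
# KEY :[len] 'value' lines, records separated by blank lines.

# usage: sys_audit_records < adump_file
# output: one record per line, '|'-separated:
#   timestamp|ACTION|DATABASE USER|PRIVILEGE|CLIENT USER|CLIENT TERMINAL|STATUS
sys_audit_records() {
    awk -v q="'" '
        function flush(    i, n, k, out) {
            if (ts == "") return
            out = ts
            n = split("ACTION|DATABASE USER|PRIVILEGE|CLIENT USER|CLIENT TERMINAL|STATUS", keys, "|")
            for (i = 1; i <= n; i++) out = out "|" rec[keys[i]]
            print out
            ts = ""
            for (k in rec) delete rec[k]
        }
        # a record starts with a timestamp line such as "Thu Sep 16 07:02:11 2021 +02:00"
        /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun) / { flush(); ts = $0; next }
        # KEY :[len] <quoted value>  ->  rec[KEY] = value (quotes removed)
        ts != "" && /^[A-Z][A-Z ]*:/ {
            key = $0; sub(/[ \t]*:.*$/, "", key)
            val = $0; sub("^[^" q "]*" q, "", val); sub(q "[^" q "]*$", "", val)
            rec[key] = val
            next
        }
        /^[ \t]*$/ { flush() }
        END { flush() }'
}

# usage: failed_sys_actions < adump_file
# Only records whose STATUS is non-zero, e.g. 1017 = invalid username/password:
# a failed SYSDBA connection is the first thing worth an alert.
failed_sys_actions() {
    sys_audit_records | awk -F'|' '$7 != "0" && $7 != ""'
}

# Constructed sample file (the header lines and all three records are made up).
SAMPLE_AUD=$(mktemp)
trap 'rm -f "$SAMPLE_AUD"' EXIT
cat > "$SAMPLE_AUD" <<'EOF'
Audit file /app/oracle/admin/PROD/adump/ora_446678.aud
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
Instance name: PROD

Thu Sep 16 07:02:11 2021 +02:00
LENGTH : '157'
ACTION :[7] 'CONNECT'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/0'
STATUS:[1] '0'
DBID:[10] '1234567890'

Thu Sep 16 07:05:42 2021 +02:00
LENGTH : '175'
ACTION :[32] 'alter user scott identified by *'
DATABASE USER:[3] 'SYS'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/0'
STATUS:[1] '0'
DBID:[10] '1234567890'

Thu Sep 16 07:09:03 2021 +02:00
LENGTH : '157'
ACTION :[7] 'CONNECT'
DATABASE USER:[3] 'SYS'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[4] 'jdoe'
CLIENT TERMINAL:[5] 'pts/2'
STATUS:[4] '1017'
DBID:[10] '1234567890'
EOF

sys_audit_records < "$SAMPLE_AUD"
echo "--- failed privileged actions ---"
failed_sys_actions < "$SAMPLE_AUD"
```

Point the functions at the real adump directory (cat "$ORACLE_BASE"/admin/PROD/adump/*.aud | failed_sys_actions) from the account the File Reader agent uses; if that account cannot read the files, the agent will not be able to either.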

WARNING: The audit user's profile must not restrict session duration or the number of logins (UNLIMITED by default). Normally the DEFAULT profile is sufficient, but in some companies it is changed and restrictions are applied. If this is the case, create a dedicated user with an unrestricted profile to retrieve the audit events.

Restarting the Database

For the SPFILE changes to take effect, the instance must be restarted. Connect as SYSDBA and run:

SQL> SHUTDOWN IMMEDIATE
SQL> STARTUP

After these commands, events are written to the Application event log (Windows) or to SYS.AUD$ (UNIX), as configured above.


Audit Options

Options are specified with the AUDIT statement. Oracle lets you configure auditing at three levels:

- STATEMENTS: audit specific SQL statements or groups of statements that affect a particular type of database object. For example AUDIT TABLE audits CREATE TABLE, DROP TABLE, TRUNCATE TABLE and so on.
- PRIVILEGES: audit SQL statements that are authorized by a system privilege. For example AUDIT CREATE ANY TRIGGER audits statements that use the CREATE ANY TRIGGER system privilege.
- OBJECTS: audit specific statements on specific objects. For example AUDIT ALTER ON SCOTT.EMP audits ALTER TABLE on the EMP table.

To use the AUDIT statement you must have the AUDIT SYSTEM system privilege. To audit objects you must be either the object owner or hold the AUDIT ANY system privilege. When auditing statements or privileges you can include a BY clause to limit the scope of the audit:

- BY SESSION: Oracle writes a single record for all SQL statements of the same type executed in the same session.
- BY ACCESS: a record is written for each access.

Note that when audit_trail = OS is used, one record per statement is written even for BY SESSION, because Oracle can append to the OS file but cannot read it back to merge records.

To audit depending on whether the statement succeeded or failed:

- WHENEVER SUCCESSFUL: include only statements that completed successfully.
- WHENEVER NOT SUCCESSFUL: include only statements that failed or resulted in an error.

What events can be audited?

Some examples of what can be audited in the Oracle database are shown in the table below:

Statement group         Statements audited
----------------------  ---------------------------------------------------------------
CLUSTER                 All statements regarding clusters
DATABASE LINK           All statements regarding database links
EXISTS                  All statements that fail because an object already exists in the database
INDEX                   All statements regarding indexes
NOT EXISTS              All statements that fail because a specified object does not exist
PROCEDURE               All statements regarding procedures
PROFILE                 All statements regarding profiles
PUBLIC DATABASE LINK    All statements regarding public database links
PUBLIC SYNONYM          All statements regarding public synonyms
ROLE                    All statements regarding roles
ROLLBACK SEGMENT        All statements regarding rollback segments
SEQUENCE                All statements regarding sequences
SESSION                 All database logins
SYNONYM                 All statements regarding synonyms
SYSTEM AUDIT            All AUDIT and NOAUDIT statements
SYSTEM GRANT            All GRANT and REVOKE commands that affect roles and system privileges
TABLE                   All statements regarding tables
TABLESPACE              All statements regarding tablespaces
TRIGGER                 All statements regarding triggers, including ALTER TABLE commands that enable or disable triggers
USER                    All statements regarding user accounts
VIEW                    All statements regarding views

Auditing Examples

The following example statements audit specific events.

To audit logon and logoff for every user, run (as user SYS):

SQL> AUDIT SESSION;

To disable this audit, run:

SQL> NOAUDIT SESSION;

To audit a specific user (where SCOTT is the username):

SQL> AUDIT SESSION BY SCOTT BY ACCESS;

To exclude a specific user from the audit (where SCOTT is the username):

SQL> NOAUDIT SESSION BY SCOTT;

NOTE: Statement and privilege audit options take effect for sessions that connect after the AUDIT statement is issued; sessions that are already open keep the options that were in force when they connected, so an audited user must reconnect.

To cover all categories in Oracle, the following statements start the audit of each one.

Profile management:
SQL> AUDIT PROFILE BY ACCESS;

Role management:
SQL> AUDIT ROLE BY ACCESS;

User management:
SQL> AUDIT USER BY ACCESS;

Granting and revoking roles and system privileges:
SQL> AUDIT SYSTEM GRANT BY ACCESS;

User logon and logoff:
SQL> AUDIT SESSION;

Statements on tables:
SQL> AUDIT TABLE;
SQL> AUDIT ALTER TABLE;

Changes to the audit configuration itself:
SQL> AUDIT SYSTEM AUDIT;
SQL> AUDIT ALTER SYSTEM;


Per-user auditing where a particular user must be monitored (in these examples the user is SCOTT):

SQL> AUDIT DELETE TABLE BY SCOTT BY ACCESS;
SQL> AUDIT INSERT TABLE BY SCOTT BY ACCESS;
SQL> AUDIT SELECT TABLE BY SCOTT BY ACCESS;
SQL> AUDIT UPDATE TABLE BY SCOTT BY ACCESS;

After these steps the audit events start being written to the event log or to the audit table, as appropriate.

NOTE: You do not need to restart the database after executing AUDIT statements, since these changes are dynamic; only the audit_trail and audit_sys_operations parameters set above require a restart.

Current Audit Status

You can see the current audit configuration by querying the following data dictionary views with SELECT:

View                    Description
----------------------  ---------------------------------------------------------------
DBA_STMT_AUDIT_OPTS     Current statement audit options, system-wide and per user
DBA_PRIV_AUDIT_OPTS     System privileges being audited, system-wide and per user
DBA_OBJ_AUDIT_OPTS      Auditing options on all objects
USER_OBJ_AUDIT_OPTS     Auditing options on the objects owned by the session user
AUDIT_ACTIONS           Description of the codes for all audit action types


Permissions

Ports

The ports used by the Oracle monitor are determined by the Oracle client, which uses them to access the database and retrieve data. The initial port is 1521 (the listener); further ports are then assigned dynamically.

Monitor Permissions

EXAMPLE 1: creating the monitor user. The example uses the username as the password; in a real deployment choose a strong, unique password and grant the account only the read privileges the monitor needs.

CREATE USER BARCELONA IDENTIFIED BY BARCELONA PROFILE DEFAULT DEFAULT TABLESPACE USERS ACCOUNT UNLOCK;

Connection Client/Server

System configuration: ODBC DSN for Oracle

IMPORTANT: The driver to be installed must be 32-bit, as ThinkServer runs as a 32-bit process.

1. Open Control Panel > Administrative Tools > Data Sources (ODBC).


2. Select Oracle in OraClient11g_home1 (or the version you have installed). The Oracle ODBC Driver Configuration dialog is displayed.

3. With the Application tab selected, enter the Data Source Name and the TNS Service Name. 4. Click the Oracle tab.

5. Enter the Fetch Buffer Size as 64000. 6. Click the Workarounds tab


7. Ensure that the Disable Microsoft Transaction Server option is not enabled. 8. Click the SQL Server Migration tab

9. Ensure that the Enable EXEC Syntax option is not enabled. 10. Click Test Connection. 11. When prompted enter the required User Name and associated Password details and click OK.


Check the following sections if you experience connectivity problems.

TNSNames.ora

The tnsnames.ora file is located on the client and maps net service names to the connect descriptors through which access is granted. It can normally be found in:

C:\Product\11.1.0\Client_2\network\admin

There should be a single tnsnames.ora file per client installation, no matter how many database instances it describes. If you have connection problems, check the configuration of this file and verify that the data is correct. An example entry is shown below:

ORACLE =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.1.52)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = PROJECT)
    )
  )

NOTE: It is important to retain the syntax and structure of this file.

File parameters:

- HOST: the IP address of the server to which you want to connect.
- PORT: the port on which the database listener listens.
- SERVICE_NAME: the name of the database service to which you want to connect.
- Net service name (connect descriptor alias): the name at the start of the entry, ORACLE in the example above (CNNORASITE in this case); it is the value the ODBC DSN references as TNS Service Name.

You can check that the alias resolves and the listener answers with the tnsping command:

$ tnsping <net_service_name>

If the ODBC connection to the server succeeds, no further configuration of tnsnames.ora is required.


Environment Variables

If there is a problem connecting to Oracle, it is good practice to check the environment variables PATH, TNS_ADMIN and ORACLE_HOME in the system properties of the client server.

- Edit the system variable Path and append the directory where the ODBC driver DLL is installed, for example C:\Oracle\instantclient11.
- If the tnsnames.ora file is used to connect to Oracle instances, you must also create the system variable TNS_ADMIN. Its value is the directory that contains tnsnames.ora, for example C:\product\11.1.0\Client_2\product\client_3\network\admin.
- Finally, you can set the ORACLE_HOME environment variable, which references the directory where the driver is installed, for example C:\Oracle\instantclient11.
- If you receive the error "ORA-12560: TNS: protocol adapter error", you must also set the ORACLE_SID variable on the Oracle server. Its value should be the name of the service to which you want to connect.

VMware Audit

Overview

There are three requirements to get the ThinAgents working:

- A supported VMware host, with the vSphere Web service listening.
- A valid user to connect to that host, with enough permission to see Security events.
- Network access to the Web service IP and port.

A Supported VMware Host

Currently, the supported VMware hosts are:

- VMware vCenter 2.5 and above: this is the recommended option. All the ESX/ESXi hosts are integrated into a single concentrator, and the Web service lets us retrieve all the Security events from that single instance. If you are monitoring a vCenter, you do not need to monitor the individual ESX/ESXi hosts. A further advantage is that you only have to create one data source to monitor your entire infrastructure, and historical events are preserved for much longer than on the ESX/ESXi hosts, so if you turn off the ThinAgents for a while you will still be able to retrieve all the events from the idle period.

AWS CloudTrail Audit

Overview

AWS CloudTrail is a service that enables governance, compliance, operational auditing and risk auditing of your AWS account. With CloudTrail you can log, continuously monitor and retain account activity related to actions across your AWS infrastructure. CloudTrail provides an event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools and other AWS services. This event history simplifies security analysis, resource change tracking and troubleshooting.

System Requirements

- A user with an access key, to make secure REST or HTTP Query protocol requests to the AWS service APIs. Use a dedicated IAM user restricted to read-only CloudTrail access rather than an administrator's key.

Microsoft Office 365 Audit

Overview

Microsoft provides a single pane of glass for all Office 365 tasks through the Office 365 management APIs. This includes service communications, security, compliance, reporting and auditing related events. Event Manager can assess all the data contained in these events by analyzing it and alerting based on custom rules.

Registering Event Manager with Microsoft Azure

To authenticate with the Microsoft identity platform endpoint you need to register an app in the App registrations section of your Microsoft Azure portal. Click New registration.

Type Event Manager as the name of the app, choose the desired account type and click Register.


The app is now registered and you can see information about it in the overview section.


Make a note of the client and tenant IDs as you will need them later on.

Certificates and secrets

You can generate a client secret (a password) to use during the authentication process. Go to Certificates & secrets and click New client secret:


IMPORTANT: Ensure you make a note of the secret and store it in a secure place, as the UI will not let you copy it later. Client secrets have an expiry date, so record it and plan to rotate the secret in Event Manager before it lapses.

API Permissions The application needs specific API permissions to be able to request the Office 365 activity events. In this case you are looking for permissions related to the https://manage.office.com resource. To configure the application permissions go to the API permissions page, choose Add a permission, then select the Office 365 Management APIs and click on Application permissions.

You need to add the following permissions under the ActivityFeed group:

- ActivityFeed.Read: reads activity data for your organization.
- ActivityFeed.ReadDlp: reads DLP policy events, including detected sensitive data.

These are application permissions and require admin consent before the app can use them.

Content types

The Office 365 management activity API aggregates actions and events into tenant-specific content blobs. There are five categories, depending on the type and source of the content:

- Audit.AzureActiveDirectory: user identity management.
- Audit.Exchange: mail and calendaring server.
- Audit.SharePoint: web-based collaborative platform.
- Audit.General: all other workloads not included in the previous content types.
- DLP.All: data loss prevention workloads.

You can find more details about the events and their properties associated with these here.


Subscriptions

To ensure that event data is received and correctly processed for each event, start a subscription to the specified content type. A subscription to a content type allows you to:

- Update the properties of an active webhook.
- Enable a webhook that was disabled because of excessive failed notifications.
- Re-enable an expired webhook by specifying a later or null expiration date.
- Remove a webhook.

You can find more details about starting a subscription here.

Cisco PIX/ASA logging configuration

Cisco PIX/ASA firewalls have a logging feature. There are different types of logging output, but we will only need to enable the logging output to syslog. In this chapter we will introduce some of the most commonly used commands.

Configure Firewall Logging

Configuring the firewall logging is made up of three important steps:

1. Enter configuration mode.
2. Enable logging.
3. Enable and configure the syslog output.

Additionally you can configure other settings, such as create filtering conditions or custom message lists, change facility settings, etc. However, these additional settings are not a requirement for using the Cisco PIX/ASA Security ThinAgent.

Entering Privileged Mode

To enter the privileged mode, run the enable command as per the following example:

firewall> enable
Password: *******
firewall#

After running the command, the command prompt will change from > to #.

Entering Configuration Mode

To enter the configuration mode you must already be in privileged mode and run the configure terminal command:


firewall# configure terminal

After running this command, the command prompt will change from # to (config)#:

firewall(config)#

Enabling Logging

To enable logging on the Cisco Firewall, enter configuration mode as shown above and run the logging enable command:

firewall(config)# logging enable

To disable logging run the no logging enable command:

firewall(config)# no logging enable

Configuring Syslog Logging Output

To enable logging output to syslog the following actions have to be performed:

1. Set the logging level by running the logging trap command:

firewall(config)# logging trap informational

NOTE: Available levels for syslog logging output are as follows:

0 - emergencies - System is unusable
1 - alerts - Immediate action is needed
2 - critical - Critical conditions exist
3 - errors - Error conditions exist
4 - warnings - Warning conditions exist
5 - notification - Normal, but significant, conditions exist
6 - informational - Informational messages
7 - debugging - Debugging messages

If a particular syslog level is set, all lower levels are also included. So if you were to set the level in step one as informational, levels 0-5 would also be included.

2. Configure the host to which messages will be sent:

firewall(config)# logging host inside 10.1.1.2

3. Set the facility number for syslog messages. This step is optional:

firewall(config)# logging facility 16


The default facility used to send messages is set to 20.

NOTE: The keyword to enable the syslog output is trap as shown in the first command.

By default, port 514 is used to send messages to the syslog server. The port can be changed by using this syntax:

logging host interface_name ip_address [tcp[/port] | udp[/port]]

To disable the syslog logging output, run:

firewall(config)# no logging trap

Adding Timestamp to Messages

Adding a timestamp to messages is very useful to know the exact moment an event occurs on the firewall device. Although this is an optional step, it is highly recommended. To add the timestamp to messages run the following command:

firewall(config)# logging timestamp

Adding Device ID to Messages

If you are monitoring several devices it might be useful to add the device ID to messages. This helps to determine the host name of the firewall on each message. Although this is an optional step, it is highly recommended. To add the device ID to messages run the following command:

firewall(config)# logging device-id hostname

You could also set another kind of device ID instead of the host name. For example, you could set any other word as the device ID by running this:

firewall(config)# logging device-id string MyPIXFirewall

The example above defines MyPIXFirewall as the device ID.

Viewing Logging Configuration

To see the whole logging configuration you can run the show logging command:

pixfirewall(config)# show logging

An example output can be seen below:

Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Deny Conn when Queue Full: disabled
Console logging: disabled


Monitor logging: disabled
Buffer logging: disabled
Trap logging: level informational, facility 20, 96 messages logged
Logging to inside 10.1.1.2 errors: 2 dropped: 5
History logging: disabled
Device ID: hostname "firewall"
Mail logging: disabled
ASDM logging: level informational, 96 messages logged

As you can see, the output gives you all the details about each logging configuration.

Logging Queue

Another very important parameter is the logging queue. Although this is an optional step, it is highly recommended. The default value for the logging queue is 512 messages. The queue size can be checked by running the show logging queue command:

firewall# show logging queue

An example output can be seen below:

Logging Queue length limit : 512 msg(s)
0 msg(s) discarded due to queue overflow
0 msg(s) discarded due to memory allocation failure
Current 0 msg on queue, 23 msgs most on queue

In this example the average number of messages generated by the system is 23 and there is no problem sending them. However, if the value of xxx msgs most on queue is equal to or higher than 512, that means the firewall will have dropped some messages. You can adjust the queue size manually by running the following command:

firewall(config)# logging queue 1024

The queue size can range from 0 to 8192 messages. Setting this parameter to 0 means the queue size has no limit (up to available memory).

WARNING: If messages are generated faster than they are sent to the syslog server, the firewall starts dropping messages. In order to avoid this the logging queue should be adjusted to a higher value.
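The queue check described above, as an added example that is not Cisco or HelpSystems code: it parses show logging queue output and applies the rule this section gives (a peak at or above the limit, or a non-zero discard counter, means messages were dropped), then proposes a larger logging queue value within the 0 to 8192 range. Both sample outputs are constructed, modelled on the example in this section.

```python
"""Added example, not Cisco or HelpSystems code: parse 'show logging queue' output
and apply the rule this section gives (a peak at or above the limit, or any
discard counter above zero, means messages were dropped). Both sample outputs
are constructed, modelled on the example in this section."""
import re

SAMPLE_OK = """Logging Queue length limit : 512 msg(s)
0 msg(s) discarded due to queue overflow
0 msg(s) discarded due to memory allocation failure
Current 0 msg on queue, 23 msgs most on queue"""

SAMPLE_SATURATED = """Logging Queue length limit : 512 msg(s)
140 msg(s) discarded due to queue overflow
0 msg(s) discarded due to memory allocation failure
Current 87 msg on queue, 512 msgs most on queue"""

MAX_QUEUE = 8192   # upper bound of the 'logging queue' command per this section

_FIELDS = {
    "limit": r"length limit\s*:\s*(\d+)\s*msg",
    "overflow_drops": r"(\d+)\s*msg\(s\) discarded due to queue overflow",
    "memory_drops": r"(\d+)\s*msg\(s\) discarded due to memory allocation failure",
    "current": r"Current\s+(\d+)\s+msg on queue",
    "peak": r"(\d+)\s+msgs most on queue",
}


def parse_logging_queue(output: str) -> dict:
    """Extract the counters from 'show logging queue' output as integers."""
    stats = {}
    for name, pattern in _FIELDS.items():
        match = re.search(pattern, output)
        if not match:
            raise ValueError(f"'{name}' not found in show logging queue output")
        stats[name] = int(match.group(1))
    return stats


def assess_queue(stats: dict) -> dict:
    """Decide whether the queue is large enough and, if not, propose a new
    'logging queue' size: double the current limit (at least 1024), capped at 8192.
    A limit of 0 means unlimited, so no resize is proposed for it."""
    limit = stats["limit"]
    unlimited = limit == 0
    at_risk = not unlimited and stats["peak"] >= limit
    dropped = stats["overflow_drops"] > 0 or stats["memory_drops"] > 0
    suggested = None
    if (at_risk or dropped) and not unlimited:
        suggested = min(max(limit * 2, 1024), MAX_QUEUE)
        if suggested == limit:          # already at the maximum: nothing to raise
            suggested = None
    return {
        "unlimited": unlimited,
        "at_risk": at_risk,
        "dropped": dropped,
        "suggested_limit": suggested,
        "command": f"logging queue {suggested}" if suggested else None,
    }
```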

Filtering Messages Using Message ID

This is an optional configuration for cases where you know which messages you want to exclude from syslog logging. The ThinAgent has its own filtering configuration, but the filtering described here is carried out on the firewall device itself, so the excluded messages never appear in the syslog output. Using this filtering feature can substantially reduce the syslog traffic and ThinAgent resource usage. In order to filter out a specific message run the no logging message msg_number command:

firewall(config)# no logging message msg_number


To check if a specific message is being logged you can run the following command:

firewall(config)# show logging message msg_number

NOTE: This filtering configuration will exclude the message from all logging outputs, not just the syslog output. If you want to filter a particular message from syslog output but log it in another output, you’ll have to use the Cisco Security Package filter options.

Filtering Messages Using Message Class

Besides filtering by message ID number, you can use the message classes as filters. Message classes group several ID numbers together, so if you exclude a class you’ll be excluding all message IDs in it. Successfully implementing this filtering method can substantially reduce syslog traffic resulting in better ThinAgent performance and resource usage. The classes are all defined in Cisco’s documentation. This step is not required for the general configuration. For example, classes for software version 8.1 are:

Class     Definition                    Message IDs (that start with these digits)
auth      User Authentication           109, 113
bridge    Transparent Firewall          110, 220
ca        PKI Certification Authority   717
config    Command Interface             111, 112, 208, 308
dap       Dynamic Access Policies       734
e-mail    E-mail Proxy                  719
ha        High Availability (Failover)  101, 102, 103, 104, 210, 211, 709
ip        IP Stack                      209, 215, 313, 317, 408
ips       Intrusion Protection Service  400, 401, 415
np        Network Processor             319
npssl     NP SSL                        725
ospf      OSPF Routing                  318, 409, 503, 613
rip       RIP Routing                   107, 312
rm        Resource Manager              321
session   User Session                  106, 108, 201, 202, 204, 302, 303, 304, 305, 314, 405, 406, 407, 500, 502, 607, 608, 609, 616, 620, 703, 710
snmp      SNMP                          212
sys       System                        199, 211, 214, 216, 306, 307, 315, 414, 604, 605, 606, 610, 612, 614, 615, 701, 711
vpdn      PPTP and L2TP Sessions        213, 403, 603
vpn       IKE and IPSEC                 316, 320, 402, 404, 501, 602, 702, 713, 714, 715
vpnc      VPN Client                    611
vpnfo     VPN Failover                  720
vpnlb     VPN Load Balancing            718
webvpn    Web-based VPN                 716

Please review the Cisco documentation for your particular software version, since some classes may be different between software versions. In order to filter a particular message class run the following command:

firewall(config)# no logging class msg_class

Defining Custom Messages List

To define a list, for example to include all messages with severity 3 (error), and also messages from 611101 to 611323, run the following commands:

firewall(config)# logging list my_message_list level 3
firewall(config)# logging list my_message_list message 611101-611323

To send your custom list to syslog output, run the following command:

firewall(config)# logging trap my_message_list

This step is not required for the general configuration.

NOTE: The logging list command is only available in software versions 7.2 and later.
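The severity levels, facility number, device-id and message-class table from this chapter, worked through as an added example that is not Cisco or HelpSystems code: it decodes the syslog PRI of an ASA message into facility and severity (PRI = facility * 8 + severity, so the default facility 20 gives 160 + severity), maps the six-digit message ID to its class using the version 8.1 table above, and reports what a collector should flag (unexpected facility, missing timestamp or device-id, a level above the configured trap level). The sample lines and message texts are constructed, modelled on ASA output rather than copied from it.

```python
"""Added example, not Cisco or HelpSystems code: decode Cisco ASA syslog lines
as the collector would see them, using the severity levels, facility numbers,
device-id and message classes described in this chapter. The sample lines are
constructed; the message texts are modelled on ASA output, not taken from it."""
import re

# Severity names from the logging trap level table in this chapter.
SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notification", 6: "informational", 7: "debugging"}

# Message-class table for software version 8.1 as given in this chapter,
# keyed by class; the numbers are the leading three digits of the message ID.
_CLASS_ROWS = {
    "auth": (109, 113), "bridge": (110, 220), "ca": (717,),
    "config": (111, 112, 208, 308), "dap": (734,), "e-mail": (719,),
    "ha": (101, 102, 103, 104, 210, 211, 709),
    "ip": (209, 215, 313, 317, 408), "ips": (400, 401, 415), "np": (319,),
    "npssl": (725,), "ospf": (318, 409, 503, 613), "rip": (107, 312),
    "rm": (321,),
    "session": (106, 108, 201, 202, 204, 302, 303, 304, 305, 314, 405, 406,
                407, 500, 502, 607, 608, 609, 616, 620, 703, 710),
    "snmp": (212,),
    "sys": (199, 211, 214, 216, 306, 307, 315, 414, 604, 605, 606, 610, 612,
            614, 615, 701, 711),
    "vpdn": (213, 403, 603),
    "vpn": (316, 320, 402, 404, 501, 602, 702, 713, 714, 715),
    "vpnc": (611,), "vpnfo": (720,), "vpnlb": (718,), "webvpn": (716,),
}
PREFIX_TO_CLASSES = {}
for _cls, _prefixes in _CLASS_ROWS.items():
    for _p in _prefixes:
        # 211 is listed under both ha and sys in the table, so keep a list.
        PREFIX_TO_CLASSES.setdefault(_p, []).append(_cls)

# <PRI>, optional "Mon DD YYYY HH:MM:SS" (logging timestamp), optional device-id
# (logging device-id), then "%ASA-<level>-<msgid>: text".
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s*"
    r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})?\s*"
    r"(?P<devid>[A-Za-z0-9._-]+)?\s*:?\s*"
    r"%ASA-(?P<level>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)$")


def parse_asa_syslog(line: str) -> dict:
    """Split one ASA syslog line into its fields; ValueError if it is not one."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an ASA syslog line: {line!r}")
    facility, severity = divmod(int(m["pri"]), 8)   # PRI = facility * 8 + severity
    msgid = m["msgid"]
    return {
        "facility": facility,
        "severity": severity,
        "severity_name": SEVERITY[severity],
        "level_in_message": int(m["level"]),
        "timestamp": m["ts"],
        "device_id": m["devid"],
        "message_id": msgid,
        "classes": PREFIX_TO_CLASSES.get(int(msgid[:3]), ["unknown"]),
        "text": m["text"],
    }


def audit_line(parsed: dict, expected_facility: int = 20, trap_level: int = 6) -> list:
    """Problems a collector should raise for a parsed line: a facility other than
    the one configured on the firewall (default 20), a PRI severity that disagrees
    with the %ASA level, a missing device-id or timestamp, and a severity above
    the configured logging trap level, which should not have been sent at all."""
    problems = []
    if parsed["facility"] != expected_facility:
        problems.append(f"facility {parsed['facility']} != expected {expected_facility}")
    if parsed["severity"] != parsed["level_in_message"]:
        problems.append("PRI severity disagrees with %ASA level")
    if parsed["device_id"] is None:
        problems.append("no device-id (logging device-id not set)")
    if parsed["timestamp"] is None:
        problems.append("no timestamp (logging timestamp not set)")
    if parsed["severity"] > trap_level:
        problems.append(f"severity {parsed['severity']} above trap level {trap_level}")
    return problems


# Constructed sample lines: facility 20 gives PRI 160 + severity; host name fw01.
SAMPLE_LINES = [
    '<164>Sep 16 2021 07:02:00 fw01 : %ASA-4-106023: Deny tcp src outside:203.0.113.9/51515 '
    'dst inside:10.1.1.2/22 by access-group "outside_in"',
    "<165>Sep 16 2021 07:02:01 fw01 : %ASA-5-111008: User 'admin' executed the "
    "'logging host inside 10.1.1.2' command.",
    # Neither timestamp nor device-id, and sent with facility 16 (PRI 128 + 6).
    "<134>%ASA-6-302013: Built inbound TCP connection 12 for outside:203.0.113.9/51515 "
    "(203.0.113.9/51515) to inside:10.1.1.2/22 (10.1.1.2/22)",
]
```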


Further Information

This chapter is not intended to be a full firewall logging configuration guide. For further information about logging configuration please consult the Cisco documentation for your particular device or software version:

- Cisco Security Appliance System Log Messages, Version 7.0 - Configuring Logging on the Security Appliance: http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logconf.html
- Cisco Security Appliance System Log Messages, Version 7.1 - Configuring Logging on the Security Appliance: http://www.cisco.com/en/US/docs/security/asa/asa71/system/message/logconf.html
- Cisco Security Appliance System Log Messages, Version 7.2 - Configuring Logging and SNMP: http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logconf.html
- Cisco Security Appliance Command Line Configuration Guide, Version 8.0 - Monitoring the Security Appliance: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/monitor.html
- Cisco Security Appliance Command Line Configuration Guide, Version 8.1 - Monitoring the Security Appliance: http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/monitor.html
- PIX/ASA 7.x and later with Syslog Configuration Example (Cisco Document ID: 63884): http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a2e04.shtml

Cisco Routers and Switches Audit

Overview

The following is a list of commands required to activate the log of messages and send them via syslog. These commands have been tested with Cisco IOS version 12.

Enable logging of the command line

Router # configure terminal
Router (config) #archive
Router (config-archive) # log config
Router (config-archive) # logging enable
Router (config-archive) # logging size 200
Router (config-archive) # notify syslog

Configure sending to syslog

Router # configure terminal
Router (config) #logging host
Router (config) #end

Messages by severity level

If you want to limit the sending to only a few messages (by severity level) you can use the trap command:

Router # configure terminal
Enter configuration commands, one per line. End with CNTL /Z.
Router (config) #logging trap informational
Router (config) #end

NOTE: It is important that the level is set to informational as the command audit arrives using this severity.

Filter messages

As of version 12.4 of IOS, access can be audited without having a centralized authentication server (for example RADIUS). Depending on the type of logon that needs to be audited, it can be activated by executing the following configuration commands:

Router (config) # login on-success log
Router (config) # login on-failure log

NOTE: In some devices, it has been found that, despite the arrival of the log on event, the user name arrives blank. The cause of this issue is still to be determined.
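The login auditing enabled above, as an added example that is not Cisco or HelpSystems code: it parses the login success and failure messages that login on-success log and login on-failure log produce, counts failures per source address, and separately reports successful logins whose user name arrived blank (the condition the note above describes), since those cannot be attributed to an account. All sample lines are constructed; the %SEC_LOGIN message layout follows IOS output as I know it.

```python
"""Added example, not Cisco or HelpSystems code: parse the login success and
failure messages that 'login on-success log' / 'login on-failure log' produce,
and flag the blank user name condition noted in this section. Sample lines
are constructed."""
import re
from collections import Counter

_LOGIN = re.compile(
    r"%SEC_LOGIN-(?P<sev>\d)-(?P<mnemonic>LOGIN_SUCCESS|LOGIN_FAILED): "
    r".*?\[user: (?P<user>[^\]]*)\] \[Source: (?P<source>[^\]]+)\] "
    r"\[localport: (?P<port>\d+)\](?: \[Reason: (?P<reason>[^\]]+)\])?")


def parse_login_event(line: str):
    """Return a dict for a login event line, or None for any other message."""
    m = _LOGIN.search(line)
    if not m:
        return None
    user = m["user"].strip()
    return {
        "outcome": "success" if m["mnemonic"] == "LOGIN_SUCCESS" else "failure",
        "severity": int(m["sev"]),
        "user": user or None,          # some devices send the user name blank
        "blank_user": user == "",
        "source": m["source"],
        "localport": int(m["port"]),
        "reason": m["reason"],
    }


def login_report(lines: list, failure_threshold: int = 3) -> dict:
    """Summarise login events: failures per source, sources at or over the
    threshold, successes recorded with a blank user name (which cannot be
    attributed to an account), and how many lines were not login events."""
    events = [e for e in (parse_login_event(l) for l in lines) if e]
    failures = Counter(e["source"] for e in events if e["outcome"] == "failure")
    return {
        "events": len(events),
        "other_lines": len(lines) - len(events),
        "failures_by_source": dict(failures),
        "sources_over_threshold": sorted(s for s, n in failures.items()
                                         if n >= failure_threshold),
        "unattributed_successes": [e["source"] for e in events
                                   if e["outcome"] == "success" and e["blank_user"]],
    }


# Constructed sample lines (addresses from documentation ranges).
SAMPLE_LINES = [
    "<181>1201: *Sep 16 07:02:00.123: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    "[user: admin] [Source: 10.1.1.50] [localport: 22] at 07:02:00 UTC Thu Sep 16 2021",
    "<180>1202: *Sep 16 07:02:05.456: %SEC_LOGIN-4-LOGIN_FAILED: Login failed "
    "[user: root] [Source: 203.0.113.9] [localport: 22] "
    "[Reason: Login Authentication Failed] at 07:02:05 UTC Thu Sep 16 2021",
    "<180>1203: *Sep 16 07:02:09.001: %SEC_LOGIN-4-LOGIN_FAILED: Login failed "
    "[user: admin] [Source: 203.0.113.9] [localport: 22] "
    "[Reason: Login Authentication Failed] at 07:02:09 UTC Thu Sep 16 2021",
    "<180>1204: *Sep 16 07:02:14.770: %SEC_LOGIN-4-LOGIN_FAILED: Login failed "
    "[user: cisco] [Source: 203.0.113.9] [localport: 22] "
    "[Reason: Login Authentication Failed] at 07:02:14 UTC Thu Sep 16 2021",
    # The blank user name case described in the note above.
    "<181>1205: *Sep 16 07:02:30.500: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    "[user: ] [Source: 10.1.1.51] [localport: 23] at 07:02:30 UTC Thu Sep 16 2021",
    "<189>1206: *Sep 16 07:03:00.000: %SYS-5-CONFIG_I: Configured from console "
    "by admin on vty0 (10.1.1.50)",
]
```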


Hidekeys (Important!)

To avoid displaying a password written in a command, when creating a user for example, it is necessary to activate the hidekeys command so that the password is hidden via encryption:

Router # configure terminal
Router (config) # archive
Router (config-archive) # log config
Router (config-archive-log-config) # hidekeys
Router (config-archive-log-config) # end

Filter messages (optional)

You can filter out certain messages; for example, the interface link up/down events are not critical:

Router # configure terminal
Router (config) #interface Serial 0/0
Router (config-if) #no logging event link-status
Router (config-if) #no logging event dlci-status-change
Router (config-if) #no logging event subif-link-status
Router (config-if) #exit
Router (config) #end

FortiGate Firewall Audit

Enabling Syslog Events Forwarding in FortiGate

Access the firewall console and execute the following:

config log syslogd setting
    set status enable
    set server
    set reliable disable
    set port 514
    set csv disable
    set facility local1
    set source-ip


Configuring through the FortiGate Firewall Network Interface

The FortiGate Firewall can also be configured using the FortiGate Firewall Network Interface as shown in the image below.

IMPORTANT: The IP Address/FQDN setting should be that of the device on which Event Manager is installed.

Juniper Firewall and VPN Gateway Audit

Overview

A VPN provides a means by which remote computers communicate securely across a public WAN such as the Internet. A VPN connection can link two LANs (site-to-site VPN) or a remote dial-up user and a LAN. The traffic that flows between these two points passes through shared resources such as routers, switches, and other network equipment that make up the public WAN. To secure VPN communication while passing through the WAN, the two participants create an IP Security (IPsec) tunnel.


NOTE: The term tunnel does not denote tunnel mode. Instead, it refers to the IPsec connection.

IPsec is a suite of related protocols for cryptographically securing communications at the IP Packet Layer. IPsec also provides methods for the manual and automatic negotiation of security associations (SAs) and key distribution, all the attributes for which are gathered in a domain of interpretation (DOI). The IPsec DOI is a document containing definitions for all the security parameters required for the successful negotiation of a VPN tunnel, essentially all the attributes required for SA and IKE negotiations.

firewalld Audit

Overview

firewalld provides a dynamically managed firewall with support for network/firewall “zones” to assign a level of trust to a network and its associated connections, interfaces or sources. It has support for IPv4, IPv6, Ethernet bridges and also for IPSet firewall settings. The log from firewalld must be re-routed through syslog to the Event Manager monitoring node.

NOTE: See https://firewalld.org/documentation/ for more information on how to configure this option.

Imperva Web Application Firewall (WAF) Audit

Overview

Web application attacks deny services and steal sensitive data. Imperva Web Application Firewall (WAF) analyzes and inspects requests coming in to applications and stops these attacks. Imperva WAF protects against the most critical web application security risks: SQL injection, cross-site scripting, illegal resource access, remote file inclusion, and other OWASP Top 10 and Automated Top 20 threats. Imperva security researchers continually monitor the threat landscape and update Imperva WAF with the latest threat data.

Barracuda Web Application Firewall (WAF) Audit

The Barracuda Web Application Firewall protects applications, APIs, and mobile app backends against a variety of attacks including the Open Web Application Security Project (OWASP) Top 10, zero-day threats, data leakage, and application-layer denial of service (DoS) attacks. By combining both positive signature-based policies with robust anomaly detection capabilities, Barracuda WAF can defeat today’s most sophisticated attacks targeting web applications. The Barracuda Web Application Firewall provides comprehensive security and availability for APIs. It can secure both XML and JSON APIs against all types of attacks, including API farming and scraping. The Barracuda WAF also secures the XML and JSON parsers, all while providing complete, granular access control. The Event Manager template logs security events from Access Log Events, Audit Logs, Network Firewall Logs, System Logs and Web Firewall Logs using CEF Syslog Receiver to parse the data.

Configuring and Exporting the Barracuda WAF logs for use in Event Manager

The information on how to configure and export the Barracuda Web Application Firewall logs into Event Manager can be accessed at: https://campus.barracuda.com/product/webapplicationfirewall/doc/46206175/how-to-export-logs-to-arcsight-siem-devices/

Palo Alto Firewall Audit

Overview

Palo Alto Networks next-generation firewalls detect known and unknown threats, including in encrypted traffic, using intelligence generated across many thousands of customer deployments. That means they reduce risks and prevent a broad range of attacks. For example, they enable users to access data and applications based on business requirements as well as stop credential theft and an attacker’s ability to use stolen credentials.

Configuring and Exporting the Palo Alto Firewall logs for use in Event Manager

The information on how to configure and export the Palo Alto Firewall logs into Event Manager can be accessed at https://docs.paloaltonetworks.com/resources/cef. Use the relevant guide available on this link to configure your Palo Alto Networks next-generation firewall for HP ArcSight CEF-formatted syslog events collection.

Check Point Firewall Audit

Overview

Firewalls control the traffic between the internal and external networks and are the core of a strong network security policy. Check Point Software Blades are a set of security features that makes sure that the Security Gateway or Security Management Server gives the correct functionality and performance. The Check Point Firewall is part of the Software Blade architecture that supplies "next-generation" firewall features, including:

- VPN and mobile device connectivity
- Identity and computer awareness
- Internet access and filtering
- Application control
- Intrusion and threat prevention
- Data Loss Prevention

Configuration

Please refer to the following documentation and specifically the CEF format: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323

SIOPEL Audit

Overview

SIOPEL is software which allows the remote processing of all kinds of products in an agile, transparent, equitable and safe manner. According to the needs of each market, SIOPEL has several transfer methodologies, so that the software can be deployed in Stock Exchanges, Financial Markets, Central Banks, Brokers, Product Markets, Goods and Services. All the behavior of the software is parametric, supported in tables that regulate its functions and its configuration. The system administrator can define which of the options (which are updated online) will be used and how they should behave.


Configuring the logs to send events to Event Manager

Please refer to the information accessed from this page for details on how to configure SIOPEL logs to send events to Event Manager.

NOTE: This page is currently in Spanish with no translation available.

SWIFT Audit

Overview

SWIFT is a global member-owned cooperative and the world’s leading provider of secure financial messaging services. SWIFT’s messaging services are trusted and used by more than 11,000 financial institutions in more than 200 countries and territories around the world. Providing reliable, secure and efficient messaging services to our community of users, SWIFT is the backbone of global financial communication.

Processing events from SWIFT into Event Manager

Events from SWIFT are stored in database log files. The following path is used to process information from these files:

- Folder Path: C:/SWIFT/
- File: swift.*\.csv

For more information regarding auditing SWIFT for use with Event Manager see: https://static.helpsystems.com/tango/web-manuals-help/auditing-swift-v7.pdf.

Electronic Means of Payment (MEP) Audit

Overview

This system was developed and implemented in 1997 by the Banco Central De La República Argentina (BCRA), the area in which it is managed and operated. Basically, it allows the participants to carry out real-time gross transfers through the current accounts that they maintain in that institution throughout a prolonged operational cycle (from 8 to 20 hours). More information about MEP can be found here: https://www.bcra.gob.ar/MediosPago/Medio_electronico_de_pagos.asp

WARNING: The above provides a link to a page of the BCRA website which is written in Spanish and currently has no translated equivalent.

Configuring and Exporting the MEP logs for use in Event Manager

The information on how to configure and export the MEP logs into Event Manager (Spanish version) can be accessed here. An English version of this document can be accessed at: https://static.helpsystems.com/tango/web-manuals-help/how-to-save-mep-logs-for-integration-with-event-manager.pdf

Powertech Exit Point Manager For IBM i Audit

Overview

Powertech Exit Point Manager For IBM i interfaces directly with IBM i network access points to control and audit network access requests. The ability to audit and control network access allows Powertech Exit Point Manager For IBM i to provide Intrusion Detection, and to alert the system administrator when someone attempts unauthorized access through the network. Powertech Exit Point Manager For IBM i lets the system administrator easily configure all network access rules, including which users can perform which functions. For example, "Can Joan in Accounting download the Payroll Master file?," or more generically, "Can Joan use the file download function at all?" Powertech Exit Point Manager For IBM i also allows you to easily manage remote access by specifying which SNA device or IP address, or range of IP addresses, can perform critical functions, such as FTP. Its Switch Profile feature allows system administrators to customize levels of network access control for a user or a group of users. Using native IBM i security, Switch Profiles lets the administrator decrease, or even increase, a user's authority to data or services. Increasing a user's authority is critical when IBM i is configured to allow "Application Only" access in which all data files are restricted from view by all users. Powertech Exit Point Manager For IBM i does all this without the need to change your existing IBM i security scheme, saving valuable time and effort.


Powertech Exit Point Manager For i uses a secure audit journal to log all unauthorized attempts to gain access to IBM i data and services. This allows system administrators to receive alerts in real time when any unauthorized access is attempted.

Powertech SIEM Agent For IBM i Audit

Overview

Powertech SIEM Agent for IBM i participates in cross-platform monitoring of security events by reporting IBM i security events to your enterprise security console. Powertech SIEM Agent for IBM i sends events to either the RealSecure® SiteProtector™ console from Internet Security Systems (ISS), or to a syslog server. Together, RealSecure SiteProtector and Powertech Exit Point Manager For IBM i offer a dynamic protection solution that will detect, prevent, and respond to IBM i security threats. The ISS Site Protector gets events via an intermediate log file on a Windows server system. Powertech SIEM Agent for IBM i uses a socket communication over TCP/IP to send events to Site Protector via the Windows log file. Powertech SIEM Agent for IBM i also provides Broker/Agent communication for Syslog servers and event message formatting for Syslog event messages. Syslog events are sent over UDP.

Real-time processing of events

Journal entries and messages are processed in real-time. Powertech SIEM Agent for IBM i processes the recording of the event as it is written to the audit journal. The IBM system value QAUDFRCLVL is used by the operating system to indicate the number of journal entries collected for QAUDJRN before they are written to auxiliary storage. For more information on how this system value might affect data integrity and performance, refer to the QAUDFRCLVL system value help text and your IBM Security Reference Guide.

Network Security Events

Understanding the MSG ID

For Network Security events, message IDs are numbered according to the following scheme:

The first letter in the message ID: U = Powertech user defined journal entries from QAUDJRN which are from Network Security.

The second two letters in the message ID: Corresponds to the two letter audit journal code (e.g., NA= Network Security Allow).


The four-digit number at the end of the message ID: The first two digits correspond to the server (e.g., 03 = *DDM). The last two digits correspond to the function (e.g., 16 = Open). The following illustrates the message numbering of common Network Security event messages:

Message ID  MSG
UNA0801     Network Security Allow (Session initialization)
UNR0801     Network Security Reject (Session initialization)

For a full list of Network Security event messages that can be monitored, please see: https://static.helpsystems.com/powertech/help/siem-agent/4_1/siem-agent-user-guide.pdf and search for Network Security Events.

Configuring System Values

In order to send messages, Powertech SIEM Agent For IBM i needs to know the format of the events to be sent to the host server. When you begin using Powertech SIEM Agent For IBM i, it's also a good idea to assign a message queue to log all messages sent by the software. This will allow you to confirm which messages have been sent. Both of these settings are configured in the Powertech SIEM Agent For IBM i - Work with System Values screen.

To configure System Values

1. At a command line on the IBM i, enter the following command to display the Powertech Main Menu:

powertech

2. Select option 6 SIEM Agent.
3. Select option 2 Work with Formats.
4. Type 2 next to SYSLOG and press Enter.
5. In the Message Style field, type *SYSLOG.
6. In the Header specification field type RFC3164.
7. Ensure that Use Header Format Compatibility is set to 'Y' and save the configuration.
8. Press F3 twice to return to the Main Menu, then choose option 3 Work with Outputs.
9. Press F6 to create a new output.
10. Enter the following options:
    - Name: EVENTMGR
    - Description: Event Manager Server Output (or Install)
    - Active: 1
    - Format: SYSLOG
    - Type: *NETWORK
11. Press Enter.
12. Now enter these options on the subsequent screen:
    - Location: Enter the IP Address of the machine on which Event Manager is installed
    - Port: 514
    - Protocol: UDP
    - Recovery limit: 100
    - Time limit: 10
    - ArcSight compatibility: 0
13. Press Enter to save changes, then press F12 to close the window.

Powertech Authority Broker For IBM i Audit

Overview

With Authority Broker For IBM i, System Administrators have the ability to limit access to powerful user profiles and control access to sensitive databases and programs. Users can be granted temporary authority that is either more or less powerful than their usual settings, and in cases where the user needs higher authority, they can temporarily change to that authority if the administrator has granted them sufficient privileges. In cases where a user would be safer operating under less authority, they can again temporarily change to that authority with the system administrator's advance approval. Authority Broker For IBM i, which can be called from command line or batch processes, is similar to the "su" capability of UNIX. But unlike "su", Authority Broker For IBM i provides additional capabilities such as full auditing and reporting of all changes to authority, as well as comprehensive auditing of the actions the user performs under the assumed authority.

Authority Broker For IBM i Events

Understanding the MSG ID

For Authority Broker For IBM i events, message IDs are numbered according to the following scheme:

The first letter in the message ID: U = Powertech user defined journal entries from QAUDJRN which are from Authority Broker For IBM i.

The second two letters in the message ID:

BG = Begin swap
BH = User profile swap logging
EN = End profile swap
ER = Authority Broker action logged
FC = FireCall logged
FL = Action failure
JA = Timed switch performed

The four-digit number at the end of the message ID: All Authority Broker For IBM i message IDs currently use '0001'.


Below is a compilation of Authority Broker For IBM i events.

MSGID    MSG
UBG0001  Begin Swap
UBH0001  User Profile swap logging
UEN0001  End Profile swap
UER0001  Authority Broker For IBM i action logged
UFC0001  FireCall logged
UFL0001  Action Failure
UJA0001  Timed Switch Performed

Powertech Identity and Access Manager (BoKS) Audit

Overview

Powertech Identity & Access Manager (BoKS) transforms multi-vendor Linux and UNIX server environments into one centrally managed security domain. It simplifies an organization’s ability to enforce security policies, and control access to critical systems and information.

Security

- Centralized management of accounts, access, and privilege to better control the entire security landscape
- Defaults to least privilege to protect systems from the start
- Granular access control over who, when, where, and how someone can access systems
- Support for 3rd party 2-factor authentication
- Integration with sources of identity (LDAPS, Active Directory)
- Break-glass critical account access

Compliance

- Recording of all input and output of commands run on a Linux/UNIX system including raw input (including anything not actually shown on a screen)
- Supports access/authorization control regulations (HIPAA, PCI DSS, SOX, GLBA, FISMA, BASEL III, European Data Protection Directives)
- Provides Role-based Access Control (RBAC)
- Audit trail of ALL user sessions, and automated reporting


Efficiency

- Centralizes administration tasks for increased efficiency and reduced overhead costs
- Automates reporting for audit and compliance
- Reduces impact (50%) of exposure to reported CVEs for OpenSSH
- Deploys rapidly, is reliable, and scales easily with a growing enterprise

Powertech Security Auditor Audit

Overview

Powertech Security Auditor is a product that automates security administration and policy compliance tasks and reporting. With Security Auditor you can:

- Check compliance and configuration of user accounts, directories, files, configuration settings, daemons, exported directories and more.
- Check compliance on a single server with a Private Policy, or check several servers against the same policy using a Group Policy.
- Monitor for changes to ownership, permissions and attributes for a specific set of files or directories.
- Deploy and run custom scripts to managed servers through the integrated cron function.
- Report the compliance status of running user-written scripts using the Security Auditor reporting function.
- Monitor for changes to the contents of critical application, configuration or server files.
- Use the Export/Import function to:
  - enforce the same policy requirements across multiple servers.
  - copy the required settings to new servers and configure them using FixIt to set them to your required settings.
- Email exception-based compliance reports, policy, FixIt or Message log reports to yourself and others.
- Document your security implementation with unique templates that reflect your security policy requirements.
- Use “Fix-It” to return out-of-compliance items to your security policy specifications.

Help for Managing your Compliance Requirements and your Servers

Security Auditor is a tool to help you reduce the cost of attaining and staying in compliance with your security policy requirements. In addition, many organizations are using Security Auditor to address not only compliance but security administration issues as well. Here are some of the ways Security Auditor is being used:


NOTE: Most of our clients performed many of the following processes “manually” before implementing Security Auditor to replace them. By automating such procedures, they reduced the time and resources it took them to ensure that their systems remain in compliance, resulting in measurable cost savings.

- Discover files with either the SUID or SGID bit set, then monitor them for changes to their ownership, permissions or attributes.
- Discover when the sudoers file has been changed by using the checksum function.
- Ensure key system files are not world-writable.
- Schedule a cron job to run regular compliance checks on the daemons category to find when a daemon has been activated that shouldn't have been. Schedule the FixIt function to set the daemons to the appropriate value (turn them on or off as appropriate).
- Upload your user-written scripts to run customized compliance checks and FixIt scripts.
- Ensure all user accounts have been created, and remain, with the appropriate attributes.
- Discover new admin accounts.
- Discover user accounts with a UID of 0 (root being the allowed exception, of course!).
- Discover user accounts with non-unique UIDs.
- Ensure all files for an application have the appropriate owner, group and permissions. Receive a detailed report specifying any files not configured correctly. Run FixIt to change the settings.
- Discover and manage inactive user accounts.
- Ensure that the exported directories that are required for your servers remain, along with their appropriate settings.
- Aid with auditor and compliance requirements by ensuring password rules are set appropriately, both for the global settings and at the user level.
- Easily set up new servers by defining file and user account templates, daemon and configuration settings, exporting the policies to the new server and running FixIt to set the configuration.
- Use the integrated cron function to set up regular compliance checks and immediate FixIt tasks to keep your servers in compliance.
- Document policy exceptions along with the policy, then print the policy when the auditor appears; no more scrambling to find previous years' documentation or writing up the exception in the middle of your audit.
Configuring syslog

The syslog option within Security Auditor needs to be configured to send events to Event Manager. This is done via the Manage Logging screen. This screen is used to set the logging level for Security Auditor log packages and set syslog options.

1. Choose Admin Tasks > Manage Logs.
2. Click the Syslog tab.
3. In the syslog Host field, enter the IP Address of the server on which Event Manager is running.


4. In the syslog Port field, leave the default port setting of 514. This is the port used to communicate with the syslog server.
5. Check Enabled to enable syslog messaging.
6. Click Save to save the configuration and close the screen.

Powertech Anti-Virus for AIX/Linux Audit

Overview

Powertech Anti-Virus for AIX/Linux provides all of the power and protection of the industry-leading McAfee scanning engine. Powertech Anti-Virus is easy to use and a breeze to keep current with the latest virus definitions directly from McAfee and software updates from Powertech. With Powertech Anti-Virus for AIX/Linux you have the essential tools to ensure that your AIX and Linux servers are protected from the threats of viruses, worms, and malware.

Powertech Anti-Virus for AIX/Linux Features

The major product features are:

- On-Access scanning. Powertech Anti-Virus' On-Access virus scanner has been integrated with the scanning software to ease installation and management.
- Simplified virus scanning. A single command, avscan, allows you to scan all or part of the system manually or at scheduled times.
- Accessible virus definitions. Having the latest virus definitions from McAfee ensures the best possible protection against current virus threats. A simple command can be used to acquire the latest virus definitions.
- Network-friendly. Powertech Anti-Virus for AIX can retrieve virus definitions and program updates from either an FTP server or a shared network path. This allows you to use one AIX server to download the virus definitions (from McAfee’s FTP server) while the remaining servers retrieve their virus definition files from the shared network path or local FTP server.
- Powered by McAfee, the leading provider of network security and availability technology.

System Pre-requisites

Syslog events must be forwarded to the Event Manager machine.

AIX Syslog Configuration

Use the following information to configure Powertech Anti-Virus syslog logging for AIX.


For information about the Zlog configuration file, see https://hardysimpson.github.io/zlog/UsersGuide-EN.html. Log files are created in the /opt/sgav/log folder. If they are not, verify the following:

- The zlog.conf file exists
- The zlog.conf file can be read by the user
- The zlog.conf file doesn’t contain typos that could cause the file to not be read correctly

NOTE: /var/adm/ras/errlog also stores output from avscan and avupdate, and is also controlled within zlog.conf.

Logging levels

The following severity levels are used.

ERROR   Serious messages that cause the product to fail or stop working
WARN    Important messages that should be looked at (virus infections, quarantine, etc.)
NOTICE  General startup and shutdown activity, completion messages
INFO    Detailed messages, files not scanned, etc.

A rule set to a given level includes all messages at that level and at the more serious levels above it, unless the level name is preceded by an '=' sign, which selects that level only.

Linux Syslog Configuration

Use the following information to configure Stand Guard Anti-Virus syslog logging. Powertech Anti-Virus uses Zlog to send log messages to local logs and to mirror them to syslog. For information about the Zlog configuration file, see https://hardysimpson.github.io/zlog/UsersGuide-EN.html. Log files are created in the /opt/sgav/log folder. If they are not, verify the following:

- The zlog.conf and zlog-avsvc.conf files exist
- The zlog.conf and zlog-avsvc.conf files can be read by the user
- The zlog.conf and zlog-avsvc.conf files do not contain typos that could cause the file to not be read correctly

NOTE: The destination for the syslog messages depends on the syslog configuration of the host. By default, it may be /var/log/messages or /var/log/syslog.

Logging levels

The following severity levels are used by Powertech Anti-Virus:


FATAL   Fatal conditions that will cause the product to stop running.
ERROR   Serious messages that will cause the product to stop running.
WARN    Important messages that should be looked at (e.g. virus infections, quarantine).
NOTICE  General startup and shutdown activity, completion messages.
INFO    Detailed messages, files not scanned, etc.
DEBUG   Debug trace

You can set the syslog log level names to which these messages are sent in the zlog configuration files. By default:

- FATAL and ERROR messages are sent to syslog using LOG_LOCAL3.
- WARN messages are sent to LOG_LOCAL4.
- NOTICE messages are sent to LOG_LOCAL5.
- INFO and DEBUG messages are not mirrored to syslog.

Zlog configuration for the avupdate and avscan tools is defined by the avupdate and avscan rules in zlog.conf. Changes take effect the next time these tools are run. The avsvc server uses the avsvc rules in zlog-avsvc.conf. Changes take effect the next time the server is started or the configuration is reloaded (“avsvcctl reload”).

Possible Syslog Messages

Refer to the following manuals and search for Possible Syslog Messages that may be generated by each operating platform:

AIX: https://static.helpsystems.com/powertech/help/stand_guard_anti_virus_aix/4_1_3/StandGuardAntivirusforAIXHelp.pdf
Linux: https://static.helpsystems.com/powertech/help/stand_guard_anti_virus_linux/4_2/StandGuardAntivirusforLinuxHelp.pdf
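As an added example, not product code, the following Python decodes the syslog PRI of records received from Powertech Anti-Virus and maps the facility (LOG_LOCAL3 = 19, LOG_LOCAL4 = 20, LOG_LOCAL5 = 21 under standard syslog numbering) back to the product levels the default zlog rules route there, which is a quick way to confirm on the Event Manager side that the mirroring arrived as intended; the sample records are constructed.

```python
"""Classify syslog records mirrored by Powertech Anti-Virus (via Zlog) by the
facility they arrive on.

Added example, not product code. It assumes the default routing described above
(FATAL/ERROR to LOG_LOCAL3, WARN to LOG_LOCAL4, NOTICE to LOG_LOCAL5) and standard
syslog facility numbering (local3 = 19, local4 = 20, local5 = 21). The sample
records at the bottom are constructed for illustration.
"""
import re
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# Syslog facility number -> the Powertech Anti-Virus levels routed there by default.
FACILITY_TO_LEVELS: Dict[int, Tuple[str, ...]] = {
    19: ("FATAL", "ERROR"),  # LOG_LOCAL3
    20: ("WARN",),           # LOG_LOCAL4
    21: ("NOTICE",),         # LOG_LOCAL5
}

# RFC 3164 style record: <PRI> followed by the rest of the message.
_PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.DOTALL)


class Classified(NamedTuple):
    facility: int
    severity: int            # numeric syslog severity carried in PRI (0 = emergency .. 7 = debug)
    levels: Tuple[str, ...]  # product levels that the facility carries under the default rules
    message: str


def classify(record: str) -> Optional[Classified]:
    """Decode PRI and map the facility to the product levels that use it.

    Returns None for records without a valid PRI, or on a facility the default
    Powertech Anti-Virus zlog rules do not route to (INFO and DEBUG are not mirrored,
    and records from other programs on other facilities are not ours to classify).
    """
    match = _PRI_RE.match(record)
    if match is None:
        return None
    pri = int(match.group("pri"))
    if pri > 191:            # 24 facilities * 8 severities - 1 is the largest valid PRI
        return None
    facility, severity = divmod(pri, 8)
    levels = FACILITY_TO_LEVELS.get(facility)
    if levels is None:
        return None
    return Classified(facility, severity, levels, match.group("rest").strip())


def triage(records: Iterable[str]) -> List[Classified]:
    """Return the records an analyst would look at first: everything on the
    FATAL/ERROR facility (the product is failing) and on the WARN facility
    (infections, quarantine). NOTICE records (startup, shutdown, completion) are left out."""
    out: List[Classified] = []
    for rec in records:
        c = classify(rec)
        if c is not None and c.facility in (19, 20):
            out.append(c)
    return out


if __name__ == "__main__":
    # Constructed records; the program names avscan/avupdate come from the guide,
    # the message text, host name and timestamps do not.
    SAMPLE = [
        "<155>Mar 3 02:10:07 aixhost avupdate: ERROR definition download failed",
        "<164>Mar 3 02:15:42 aixhost avscan: WARN infected file quarantined",
        "<173>Mar 3 02:20:00 aixhost avscan: NOTICE scan completed",
        "<38>Mar 3 02:21:11 aixhost sshd: unrelated auth record",
        "plain text line with no PRI",
    ]
    for c in triage(SAMPLE):
        print(c.facility, c.levels, c.message)
```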

Powertech Antivirus For IBM i Audit

Overview

Designed specifically for the file systems used by IBM i, Powertech Antivirus provides native file system scanning, allowing you to scan the operating system’s structures not found on other platforms, such as recursive links, in order to uncover viruses and malicious code wherever they may be found. In addition to understanding recursive links, Powertech Antivirus for IBM i allows you to scan IBM i objects for modified digital signatures (a sign of tampering).

Configuration on the IBM i

Powertech Antivirus for IBM i is set up using the Powertech SIEM Agent. Log on to the IBM i for which antivirus events will be received by Event Manager, with a User ID with sufficient authority to create new event sources.

Create a new Event Source

1. Create a new Event Source with the following configuration:

- Name: PTAV
- Description: Powertech Antivirus for IBM i
- Type: *MSGQ
- Facility: 4
- Active: 1
- Default Output: Use F8=Maintain Outputs to open the Work with Attached Outputs display and select the machine on which Event Manager is running and to which the antivirus events will be sent. The format used must be SYSLOG. Use F6 to attach the required machine if it does not already exist in this display.

Message Queue Section

- Object: AVMSGQ
- Library: STANDGUARD
- ASP Group: *SYSBAS

2. Press Enter to create the new Event Source.

NOTE: The full instructions to create a new Event Source in the Powertech SIEM Agent can be found here: https://static.helpsystems.com/powertech/help/siem-agent/4_1/content/create-event-source-panel.htm


Adding Event Descriptions to the Event Source

1. From the Work With Event Sources display, use option 9=Event Descriptions against the PTAV event source. The Work with Event Descriptions display opens.
2. Add the following five entries using F6=Create for each:

Name Description Active Event Class ID Severity Class Extension
Virus Definition Update AVC0202 1 AVC0202 1 AUD None 2
Virus Definition Update AVC0204 1 AVC0204 1 AUD None 1
AVE0131 Virus Detection 1 AVE0131 1 AUD None
AVE0139 Virus Scan 1 AVE0139 1 AUD None
AVI0135 File Quarantined 1 AVI0135 1 AUD None

Network Insight Audit

Overview

Network Insight is an automatic breach defense system that detects successful infections with certainty, terminates their activity and gives responders the ammunition needed to rapidly prevent loss. Network Insight delivers actionable information about known and unknown threats regardless of the infection’s source, entry vector or OS of the device. It arms responders with definitive evidence so they can rapidly prevent loss on high-risk devices while blocking activity on the rest.

Processing events from Network Insight into Event Manager

Details on how to process events from Network Insight into Event Manager are provided in the Common Event Format (CEF) Configuration Guide available from Core Security.

Intermapper Audit

Overview

Event Manager can be used to discover and receive notifications from Intermapper assets. The following configuration needs to be made:


Syslog Notifier

Within Intermapper the Syslog Notifier needs to be configured to send the events to Event Manager. The message that is forwarded from Intermapper needs to be in the following format so that it is recognized by Event Manager:

Intermapper|::::

NOTE: Further information on configuring the Syslog Notifier in Intermapper can be found in the Intermapper User Guide.

Web Server In order for the auto-discovery of assets to work as intended Intermapper must be configured to act as a web server.

NOTE: Further information on configuring this within Intermapper can be found in the Intermapper User Guide.

DB2 for i Audit

Overview

DB2 for i within Event Manager is handled by the Powertech Database Monitor for IBM i, Visual Message Center Data Monitor and Interactive SQL Monitor data sources.

Powertech Database Monitor for IBM i

Formerly known as Data Thread, Powertech Database Monitor for IBM i is a high-performance database monitor that helps you automate and centralize monitoring and user activity reporting for your IBM i servers. When a user accesses a database file, Database Monitor tracks what they see, where they go, and what they do, including changes they make to sensitive information like payroll files. You can use Database Monitor to:

- Automatically maintain a complete audit record of all database adds, updates, changes, reads, and deletes.
- Apply electronic signatures to database changes based on your specifications.
- Send notifications to users when changes are made based on custom criteria.
- Create workflow scenarios for routing and approval of changes.
- Collect records and eSignatures in a secured file outside of the primary database.


Read more about Powertech Database Monitor for IBM i here.

VISUAL Message Center Data Monitor

Data Monitor is an iSeries auditing tool that efficiently collects data from journals and monitors data at field level, is based on dynamic policies, and is capable of monitoring data in real time and in multiple database files simultaneously. With Data Monitor you can monitor, for example, unexpected access, malicious modifications and changes that compromise data integrity. Use Data Monitor to audit your iSeries and make sure you comply with laws regarding data access and protection, such as Sarbanes-Oxley (SOX), and the Payment Card Industry (PCI) Data Security Standard.

Read more about VISUAL Message Center Data Monitor here.

VISUAL Message Center Interactive SQL Monitor

The VISUAL Message Center Interactive SQL Monitor provides a means to make the security of your relational database residing on IBM i systems much tighter, by capturing all the SQL statements executed on your systems and partitions. SQL Monitor only monitors access executed using SQL. It does not monitor accesses performed using native technology.

Read more about VISUAL Message Center Interactive SQL Monitor here.

Custom Datasources

Overview

Custom datasources allow you to apply Event Manager to in-house applications, third-party software or connected devices, providing a full audit trail and real-time monitoring for non-mainstream applications that still provide access to your critical systems. Unlike the ‘out-of-the-box’ templates that are pre-supplied with Event Manager, custom datasources require manual configuration by the end user.

NOTE: In order to configure the custom datasources correctly, an advanced knowledge of what source data is available from the originating device or application, and of how it can be applied to provide audit information, is required.

The following types of custom datasource are available:


- Database Reader
- Log Reader
- SNMP Traps
- Syslog
- Syslog CEF
- Windows Event Log

Providing your application or device generates activity information into one of these datasources, Event Manager can interpret the data and provide an audit trail. Each type of custom datasource has its own criteria that must be completed in order for the required audit data to be correctly retrieved and processed by Event Manager. For more information regarding custom datasources see the Event Manager Configuration Guide.

Templates

Event Manager is designed to be implemented in your business environment as quickly as possible and with minimum disruption. To achieve this, a series of ‘out-of-the-box’ pre-configured templates for each supported operating system are provided.

What are Templates?

Templates are collections of plug-in configurations that can be deployed across the most frequently used operating platforms and allow you to apply the best and commonest security auditing practices to your network. The following diagram shows the templates that are currently available in Event Manager.


[Figure: Templates available to monitor Business Security on a range of operating platforms and stand-alone applications]

How are templates applied?

Templates are applied in Event Manager when an asset is created. Once the asset is created the applicable operating platform template containing the relevant auditing controls is applied. You can then configure the individual security protocols and controls that you want to apply to the asset. Once the asset is enabled the template begins collecting auditing data.

‘Out of the Box’ templates

Once the asset has been defined within Event Manager, you can view the assignment of the actions to be audited.

NOTE: Please refer to the Event Manager Configuration Guide for more information on how to define and configure the auditing of the assets.

With the asset selected from the list of available assets, select Actions to Audit from the top secondary menu panel.


A navigational menu is displayed on the left-hand side of the display; its contents depend on the operating platform on which the selected asset is running. Each template is a pre-configured datasource designed specifically to include the commonest auditing functions. These are prepared to collect all of the typical actions from standard assets. All you need to do is enable the datasource collection against each identified audit control. For example, if applying a pre-configured datasource for a Windows asset, the default datasources for Windows Standard and Additional controls are automatically defined. When you use a pre-configured datasource, you have three options:

- Keep the full default collection settings as supplied
- Customize the default collection settings
- Disable the default settings completely and create your own custom collection using the provided custom datasources.

NOTE: Please refer to the Appendices to view the full auditing controls that are supplied with each pre-configured datasource.


Built-in Integrations Pre-configured templates for streamlined implementation with minimum disruption.

- ABAP-Experts SecurityBridge
- Absolute Computrace
- Absolute Data and Device Security (DDS)
- Acalvio Technologies ShadowNet
- AgileSI
- AhnLab Malware Defense System (MDS)
- AhnLabs MDS
- Anomali’s ThreatStream OPTIC
- Aqua Security
- Arcsight
- Aruba ClearPass
- Arxan GuardIT
- Atalla IPC
- Atalla Network Security Processor (NSP)
- ATAR Labs
- Attivo Networks
- Fidelis Cybersecurity XPS
- FireEye CM Series
- FireEye (iSIGHT) ThreatScape API
- FireEye Malware Protection System (MPS)
- FireEye Mandiant Intelligent Response
- Firewalld
- ForeScout CounterACT
- Fortinet FortiGate
- General Dynamics CIRT
- Gigamon GigaVUE/GigaSECURE
- GTB Technologies Inspector
- Gurucul Analytics Platform
- Hexadite AIRS
- HPE NonStop servers (XYGATE Merged Audit) (XMA)
- IBM InfoSphere Guardium
- Illumio Policy Compute Engine (PCE)
- Powertech Identity & Access Manager (BoKS)
- Powertech Security Auditor
- Qosmos DeepFlow Probes
- QualysGuard
- Radware Inflight
- Recorded Future Threat Intelligence Platform
- RedSeal Network and Vulnerability Advisor
- Reservoir Labs R-Scope
- Resolves Systems
- ReversingLabs N1000 Appliance
- RSA NetWitness
- RSA Web Threat Detection
- SailPoint IdentityIQ
- Seculert Automated Attack Detection Platform
- Securonix Risk and Threat Intelligence (RTI)
- ServiceNow


- Avigilon Access Control Manager (ACM)
- Ayehu eyeShare
- Balabit Shell Control Box
- Barracuda Networks NG Firewall
- Belden (Tripwire Enterprise)
- BeyondTrust’s PowerBroker
- Bit9 + Carbon Black Security Platform
- Bloombase StoreSafe
- Bomgar Privileged Access Management
- Bricata ProAccel
- Brinqa Risk Analytics
- Bromium Advanced Endpoint Security
- CA Technologies SecureSpan/CloudSpan Gateway
- CA Technologies Privileged Access Management
- Carbon Black Security Platform
- Check Point
- Cilasoft QJRN/400
- Illusive Networks
- Imperva SecureSphere
- Imperva WAF
- Indegy Industrial Cyber Security Platform
- InQuest
- Intel (McAfee) Email and Web Security Appliance
- Intel (McAfee) Sentrigo Hedgehog (Enterprise and vPatch)
- Intel (McAfee) StoneSoft StoneGate Firewall
- Intermapper
- Intralinks VIA
- Ionic Security
- iT-CUBE agileSI SAP
- Ixia ThreatARMOR
- Jira
- Juniper Firewall and VPN Gateway
- Juniper Networks Altor Networks Virtual Firewall
- Lancope StealthWatch
- Lastline Enterprise Anti-Malware Solution
- Sistema de Operaciones Electrónicas (SIOPEL)
- Slack
- SOC Prime Integration Framework
- Symantec Blue Coat (Elastica) CloudSOC
- Symantec System Recovery
- Sysorex Zone Defense
- TaaSera TaaS NetAnaylzer
- Telegram
- ThreatConnect Threat Intelligence Platform
- ThreatQuotient
- Thycotic Secret Server
- TrapX DeceptionGrid
- TrendMicro CloudControl
- Trend Micro Deep Security
- Trend Micro (TippingPoint) Next-Generation Firewall (NGFW)
- Trustwave Application Security DbProtect
- Type80 SMA_RT
- vArmour Analytics Platform


- Cisco Firepower Management Center
- CloudPassage
- Comilion CloudPassage HaloInstance
- Core Network Insight
- CorreLog Syslog Defender
- Corvil Network Data Analytics Platform
- CounterTack Active Defense (formerly ManTech)
- CounterTack Sentinel (Event Horizon)
- CrowdStrike Falcon Host
- CyberArk Privileged Account Security Management (PSM) Suite
- CyberArk Privileged Threat Analytics (PTA)
- Cybersponse
- Db2 for i
- D3 Security
- Digital Guardian
- E8 Security Behavioral Intelligence Platform
- EclecticIQ
- Edge Technologies AppBoard and enPortal
- Lieberman Software ERPM
- LightCyber Magna Platform
- LookingGlass Cyber Solutions ScoutVision
- Lookout
- Lumeta Enterprise Situational Intelligence (ESI)
- Lumeta IPsonar
- Medio Electrónico de Pagos (MEP)
- Microsoft (Adallom) Cloud Access Security Broker
- Microsoft Azure NSG flow
- Microsoft Teams
- Mojo Networks AirTight Management Console
- NetScout Systems nGenius Performance Manager
- Netwrix Auditor
- Nexthink Engine
- Niara Security Intelligence
- NIKSUN NetDetector Application
- ObserveIT Enterprise
- Opsgenie
- Varonis DatAdvantage
- Vectra Networks X-Series
- Veriato 360 (Spector 360)
- Verodin Security Instrumentation Platform
- Vormetric Data Security Manager
- Votiro Cybersec
- Webroot BrightCloud
- Zettaset BDEncrypt
- Zscaler Nanolog Streaming Service (NSS)


- Elastic
- Endgame
- Ergon Informatik
- ERPScan Security Monitoring Suite for SAP
- ESNC Security Suite - Enterprise Threat Monitoring
- F5 Big-IP Advanced Firewall Manager (AFM)
- FairWarning
- FFRI FFR yarai
- Palerra LORIC
- Palo Alto Networks PAN-OS
- Penta Security WAPPLES
- PhishMe Intelligence
- PhishMe Triage
- Portnox Network Security
- Powertech Antivirus
- Powertech Exit Point Manager for IBM i

NOTE: Any device or application using the CEF format can be integrated into Event Manager.

For more information see the Syslog (CEF) Custom Datasource section of the Event Manager Configuration Guide.


Custom Collectors

You can also use the Event Manager custom datasources if there is no pre-installed datasource for the asset, or if you need to extend the functionality of the pre-configured datasource by retrieving new events. By using custom collectors you can check nearly any user or automated activity that is recorded within the system and leaves an audit trail. The custom collectors are operating system dependent. For example, for an asset operating on the Windows platform, the following custom collectors can be defined:

- Database Reader
- Log Reader
- Microsoft 365
- SNMP Traps
- Syslog
- Syslog CEF
- Windows Event Log

Custom Collectors are configured from the same navigational panel as the ‘Out-of-the-box’ templates.

NOTE: Please refer to the Event Manager Configuration Guide for more information on how to define and configure the custom collectors for each operating platform.

Filters

Filters allow you to determine when a security issue has been raised by including or excluding specific security information relating to an event that has been raised as a potential issue. This means that you can keep the information precise and relevant to your needs so that you do not become overwhelmed by unnecessary details. When you create a filter against a specific item within the pre-supplied datasource template you can select additional audit events to include or exclude from raising an issue, so that security analysts and system administrators are only alerted when absolutely necessary.

NOTE: Please refer to the Event Manager Configuration Guide for more information on how to define and configure the filters for each operating platform.

Template Assignment

The following 'out-of-the-box' templates are currently available within Event Manager.

- Windows
- IBM i
- IBM i Security Intrusion Detection
- SQL Server
- Linux
- AIX
- Solaris
- Oracle
- VMWare
- AWS Cloud Trail
- Azure Active Directory
- Microsoft Azure Server (Exchange Online)
- Microsoft Teams
- Cisco PIX/ASA
- Cisco Routers and Switches
- Fortigate Firewall
- Juniper Firewall and VPN Gateway
- firewalld
- Imperva (WAF)
- Barracuda (WAF)
- Palo Alto Firewall
- Check Point Firewall
- Apache Web Server
- SIOPEL
- SWIFT
- Electronic Means of Payment (MEP)
- Powertech Exit Point Manager For IBM i
- Powertech Authority Broker For IBM i
- Powertech Identity and Access Manager (BoKS)
- Powertech Security Auditor
- Powertech Antivirus for AIX/Linux
- Powertech Antivirus for IBM i
- SAP ASE (Sybase)
- Network Insight
- Intermapper
- DB2 for i


Windows Templates

Tested OS Versions

This software has been tested on the following Windows versions:

- Windows Server 2003
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019

Pre-configured Datasources

The pre-configured datasources that can be applied to Windows servers are Windows Additional Controls and Windows Standard Controls.


Windows Additional Controls The following User Activity controls can be applied to Windows servers from within the Windows Additional Controls pre-configured datasource:

Action | Subaction | Event ID | Description
Logoff | Non-Interactive Logoff | 4634 | Records whenever a user has logged off or initiated a force stop without using the proper logoff procedure.
Successful Login | Network Login | 4624 | Records all successful network logins by users of this Windows Server.
Successful Login | Non-Interactive Login | 4624 | Records all successful noninteractive logins by users of this Windows Server. Noninteractive authentication can only be used after an interactive authentication has taken place. During noninteractive authentication, the user does not input logon data; instead, previously established credentials are used. Noninteractive authentication is performed when an application uses the Security Support Provider Interface (SSPI) and a security package to establish a secure network connection. Noninteractive authentication is the mechanism at work when a user connects to multiple machines on a network without having to re-enter logon information for each machine.

Windows File Monitoring The following System Management controls can be applied to Windows servers from within the Windows File Monitoring pre-configured datasource:

Action | Subaction | Event ID | Description
Object Deletion | Object Deletion | 4663 | An object was deleted
Object Modification | File Modification | 4670 | Permissions on an object were changed
Object Modification | Registry Key Modification | 4657 | A registry value was modified

The following User Activity controls can be applied to Windows servers from within the Windows File Monitoring pre-configured datasource:

Action | Subaction | Event ID | Description
Object Access | Object access attempt | 4663 | An attempt was made to access an object
Object Access | Object handle closed | 4658 | The handle to an object was closed
Object Access | Object handle request | 4656 | A handle to an object was requested


Windows Standard Controls The following System Management controls can be applied to Windows servers from within the Windows Standard Controls pre-configured datasource:

Action | Subaction | Event ID | Description
Audit Log Deletion | Audit Log Deletion | 1102 | Records whenever the Windows Audit Log has been deleted.
Audit Log Modification | Audit Log Full | 1104 | Records when the Windows Audit Log is full. When the log is full, no further data can be written to it until it is cleared.
Audit Log Modification | Audit Log Loss | 4612 | Records when there is a loss of data from the audit log. This can happen if resources designed to handle this data have been exhausted.
Audit Modification | Audit Log Modification | 4719 | Records when the Windows Audit Log has been modified.
Audit Modification | Audit Modification per User | 4912 | Records when the Windows Audit Log has been modified on a per-user basis.
Configuration Rule Modification | Trusted Relationship Between Domains Modification | 4706, 4707 | A domain trust is a useful way to allow users from a trusted domain to access services in a trusting domain. This records when a trusted relationship between domains has been modified for any reason, for instance, turning on transitivity. Applies to trusted and trusting trust relationships.
Datetime Modification | Datetime Modification | 4616 | Records whenever a Windows date-time modification has been applied.
Policy Rule Modification | Policy Rule Modification | 4739 | Security settings policies are rules that you can configure on a computer, or multiple computers, for the purpose of protecting resources on a computer or network. This records whenever a policy rule on this Windows server is modified.
System Shutdown | System Shutdown | 4609 | Records whenever the Windows server to which this control is applied is shut down.
System Start | System Start | 4608 | Records whenever the Windows server to which this control is applied is started.

The following User Activity controls can be applied to Windows servers from within the Windows Standard Controls pre-configured datasource:

Action | Subaction | Event ID | Description
Logoff | Interactive Logoff | 4634 | Records when a logon session on this Windows server is destroyed, that is, the account has been logged off. Correlate it with 4624 through the Logon ID to pair the start and end of a session.
Logoff | Logoff Disconnect | 4779 | Records when a session is disconnected rather than logged off. If you disconnect from a remote desktop without logging off, applications in the desktop remain open. You can also disconnect from a server and leave remote applications running.
Logon Failure | Logon Failure | 4625 | Records when a logon attempt to this Windows server fails for any of the following reasons: unknown user name or bad password; account logon time restriction violation; account currently disabled; the specified user account has expired; user not allowed to log on to this computer; user has not been granted the requested logon type at this machine; account locked out; specified account's password has expired; the NetLogon component is not active; the logon attempt failed for other reasons. The Status and Sub Status fields of the event carry the specific reason.
Successful Login | Interactive Login | 4624 | An interactive logon to a computer can be performed either locally, when the user has direct physical access, or remotely, through Terminal Services, in which case the logon is further qualified as remote interactive. After an interactive logon, Windows runs applications on the user's behalf and the user can interact with those applications. This records interactive logins on this Windows server. Note that 4624 is written for every logon type; the Logon Type field (2 for interactive, 10 for remote interactive) distinguishes interactive logons from network or service logons.
Successful Login | Login Reconnect | 4778 | Windows logs this event when a user reconnects to a disconnected terminal server session as opposed to a fresh logon. User Name and Domain identify the user of the remote desktop connection that was reconnected.
User Switch | User Switch | 4648 | Records whenever a logon is attempted on this Windows server using explicit credentials, for example when a user runs a program as a different user.

The following Users' Management controls can be applied to Windows servers from within the Windows Standard Controls pre-configured datasource:

Action | Subaction | Event ID | Description
Grant Permissions | Grant System Security Access to Account | 4717 | Generates a record every time a logon right (for example "Access this computer from the network" or "Log on as a service") is granted to an account.
Grant Permissions | User Right Assignment | 4704 | Documents a user right being assigned on this Windows server. Rights, like most other security settings, are defined in Group Policy objects and applied by the computer, so this event normally shows the Assigned By user as the system itself.
Group/Role/Profile Creation | Global Group Creation | 4727 | Records whenever a global group, role or profile is created on this Windows server. Groups with global scope are used to manage directory objects that require daily maintenance, such as user and computer accounts.
Group/Role/Profile Creation | Local Group Creation | 4731 | Records whenever a local group, role or profile is created on this Windows server. Groups with local scope help you define and manage access to resources within a single domain.
Group/Role/Profile Creation | Universal Group Creation | 4754 | Records whenever a universal group, role or profile is created on this Windows server. Groups with universal scope are used to consolidate groups that span domains.
Group/Role/Profile Deletion | Global Group Deletion | 4730 | Records whenever a global group, role or profile is deleted from this Windows server.
Group/Role/Profile Deletion | Local Group Deletion | 4734 | Records whenever a local group, role or profile is deleted from this Windows server.
Group/Role/Profile Deletion | Universal Group Deletion | 4758 | Records whenever a universal group, role or profile is deleted from this Windows server.
Group/Role/Profile Modification | Global Group Modification | 4737 | Records whenever a global group, role or profile is modified on this Windows server.
Group/Role/Profile Modification | Local Group Modification | 4735 | Records whenever a local group, role or profile is modified on this Windows server.
Group/Role/Profile Modification | Universal Group Modification | 4755 | Records whenever a universal group, role or profile is modified on this Windows server.
Password Modification | Password Modification | 4723 | Records whenever a user on this Windows server changes, or attempts to change, their own password.
Password Reset | Password Reset | 4724 | Records whenever a user's password on this Windows server is reset by another account, for example an administrator.
Revoke Permission | Revoke System Security Access to Account | 4718 | Documents the revocation of logon rights such as "Access this computer from the network" or "Log on as a service".
Revoke Permission | User Right Removal | 4705 | Documents a user right being removed on this computer. Rights, like most other security settings, are defined in Group Policy objects and applied by the computer.
User Addition to Group/Role/Profile | User Addition to Global Group | 4728 | Records whenever a user is added to a global group, role or profile on this Windows server.
User Addition to Group/Role/Profile | User Addition to Local Group | 4732 | Records whenever a user is added to a local group, role or profile on this Windows server.
User Addition to Group/Role/Profile | User Addition to Universal Group | 4756 | Records whenever a user is added to a universal group, role or profile on this Windows server.
User Creation | Machine Account Creation | 4741 | Records the user and logon session that performed the action, whenever a computer account is created on this Windows server.
User Creation | User Creation | 4720 | Records the user and logon session that performed the action, whenever a user account is created on this Windows server.
User Deletion | Machine Account Deletion | 4743 | Records the user and logon session that performed the action, whenever a computer account is deleted on this Windows server.
User Deletion | User Deletion | 4726 | Records the user and logon session that performed the action, whenever a user account is deleted on this Windows server.
User Disabling | Machine Account Disabling | 4725 | Records the user and logon session that performed the action, whenever a computer account is disabled on this Windows server. The same event ID is used for user accounts; computer accounts are recognised by the trailing "$" in the target account name.
User Disabling | User Disabling | 4725 | Records the user and logon session that performed the action, whenever a user account is disabled on this Windows server.
User Enabling | Machine Account Enabling | 4722 | Records the user and logon session that performed the action, whenever a computer account is enabled on this Windows server. As with 4725, the trailing "$" in the target account name separates computer accounts from user accounts.
User Enabling | User Enabling | 4722 | Records the user and logon session that performed the action, whenever a user account is enabled on this Windows server.
User Lock | User Lock | 4740 | Records whenever the Target user account was locked out because consecutive failed logon attempts exceeded the lockout policy of this Windows server.
User Modification | User Modification | 4738 | Records whenever a user account on this Windows server has been changed.
User Modification | User Renaming | 4781 | Records whenever a user account on this Windows server has been renamed.
User Removal from Group/Role/Profile | User Removal from Global Group | 4729 | Records whenever a user is removed from a global group, role or profile on this Windows server. Groups with global scope are used to manage directory objects that require daily maintenance, such as user and computer accounts.
User Removal from Group/Role/Profile | User Removal from Local Group | 4733 | Records whenever a user is removed from a local group, role or profile on this Windows server. Groups with local scope help you define and manage access to resources within a single domain.
User Removal from Group/Role/Profile | User Removal from Universal Group | 4757 | Records whenever a user is removed from a universal group, role or profile on this Windows server. Groups with universal scope are used to consolidate groups that span domains.
User Unlock | User Unlock | 4767 | Records whenever a user account that is currently locked out is unlocked on this Windows server.

The following Scheduled Tasks Management controls can be applied to Windows servers from within the Windows Standard Controls pre-configured datasource. Subject identifies the user that performed the action and Task Name the task (Start menu\Accessories\System Tools\Task Scheduler):

Action | Subaction | Event ID | Description
Object Creation | Scheduled Task Creation | 4698 | The user indicated in Subject created a new scheduled task identified by Task Name.
Object Creation | Scheduled Task Deletion | 4699 | The user indicated in Subject deleted the scheduled task identified by Task Name.
Object Modification | Scheduled Task Enabling | 4700 | The user indicated in Subject enabled the scheduled task identified by Task Name.
Object Modification | Scheduled Task Disabling | 4701 | The user indicated in Subject disabled the scheduled task identified by Task Name.
Object Modification | Scheduled Task Modification | 4702 | The user indicated in Subject updated the scheduled task identified by Task Name.

The following Unknown/unapproved services and processes controls can be applied to Windows servers from within the Windows Standard Controls pre-configured datasource:

Action | Subaction | Event ID | Description
Object Creation | Service Creation | 4697 | A new service was installed by the user indicated in Subject. Subject often identifies the local system (SYSTEM) for services installed as part of native Windows components, in which case you cannot determine who actually initiated the installation. The minimum Windows version required is Windows Server 2016 or Windows 10.
Object Creation | Process Creation | 4688 | Documents each program that is executed, the account the program ran as, and the process that started it. The command line is only included when the "Include command line in process creation events" policy is enabled.

The following Security-disabled groups management controls can be applied to Windows servers from within the Windows Standard Controls pre-configured datasource. Security-disabled (distribution) groups cannot be used to grant access, but changes to them still show who is able to manipulate directory groups:

Action | Subaction | Event ID | Description
Group/Role/Profile Creation | Security-Disabled Local Group Creation | 4744 | The user in Subject created the local distribution group identified in New Group. This event is only logged on domain controllers.
Group/Role/Profile Creation | Security-Disabled Global Group Creation | 4749 | The user in Subject created the global distribution group identified in New Group. This event is only logged on domain controllers.
Group/Role/Profile Creation | Security-Disabled Universal Group Creation | 4759 | The user in Subject created the universal distribution group identified in New Group. This event is only logged on domain controllers.
Group/Role/Profile Modification | Security-Disabled Local Group Modification | 4745 | The user in Subject changed the local distribution group identified in Group. This event is only logged on domain controllers.
Group/Role/Profile Modification | Security-Disabled Global Group Modification | 4750 | The user in Subject changed the global distribution group identified in Group. This event is only logged on domain controllers.
Group/Role/Profile Modification | Security-Disabled Universal Group Modification | 4760 | The user in Subject changed the universal distribution group identified in Group. This event is only logged on domain controllers.
User Addition to Group/Role/Profile | User Addition to Security-Disabled Local Group | 4746 | The user in Subject added the user/group/computer in Member to the local distribution group in Group. This event is only logged on domain controllers.
User Addition to Group/Role/Profile | User Addition to Security-Disabled Global Group | 4751 | The user in Subject added the user/group/computer in Member to the global distribution group in Group. This event is only logged on domain controllers.
User Addition to Group/Role/Profile | User Addition to Security-Disabled Universal Group | 4761 | The user in Subject added the user/group/computer in Member to the universal distribution group in Group. This event is only logged on domain controllers.
User Removal from Group/Role/Profile | User Removal from Security-Disabled Local Group | 4747 | The user in Subject removed the user/group/computer in Member from the local distribution group in Group. This event is only logged on domain controllers.
User Removal from Group/Role/Profile | User Removal from Security-Disabled Global Group | 4752 | The user in Subject removed the user/group/computer in Member from the global distribution group in Group. This event is only logged on domain controllers.
User Removal from Group/Role/Profile | User Removal from Security-Disabled Universal Group | 4762 | The user in Subject removed the user/group/computer in Member from the universal distribution group in Group. This event is only logged on domain controllers.
Group/Role/Profile Deletion | Security-Disabled Local Group Deletion | 4748 | The user in Subject deleted the local distribution group identified in Deleted Group. This event is only logged on domain controllers.
Group/Role/Profile Deletion | Security-Disabled Global Group Deletion | 4753 | The user in Subject deleted the global distribution group identified in Deleted Group. This event is only logged on domain controllers.
Group/Role/Profile Deletion | Security-Disabled Universal Group Deletion | 4763 | The user in Subject deleted the universal distribution group identified in Deleted Group. This event is only logged on domain controllers.
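Several of the Windows controls above share one Event ID (4663 for access and deletion, 4724/4725 for user and machine accounts, 4624 for every logon type), so a collector that keys on the ID alone assigns the wrong control. The following is an added example, not code from the Event Manager templates or from HelpSystems, showing how to resolve those cases from the event's own fields. The sample events are constructed, the field names are those of the Security log's EventData (AccessMask, LogonType, TargetUserName), and the ID-to-control mapping is a subset of the tables above.

```python
# Added example, not code from the Event Manager templates: apply the Windows
# Standard Controls / File Monitoring mapping above to Security events and
# resolve the cases where one Event ID serves more than one control.

# Event ID -> (Action, Subaction) for IDs that map unambiguously (subset of the tables).
UNAMBIGUOUS = {
    1102: ("Audit Log Deletion", "Audit Log Deletion"),
    4719: ("Audit Modification", "Audit Log Modification"),
    4625: ("Logon Failure", "Logon Failure"),
    4720: ("User Creation", "User Creation"),
    4726: ("User Deletion", "User Deletion"),
    4728: ("User Addition to Group/Role/Profile", "User Addition to Global Group"),
    4740: ("User Lock", "User Lock"),
    4688: ("Object Creation", "Process Creation"),
    4697: ("Object Creation", "Service Creation"),
    4698: ("Object Creation", "Scheduled Task Creation"),
}

DELETE_RIGHT = 0x10000                  # standard access right DELETE in the 4663 Access Mask
INTERACTIVE_LOGON_TYPES = {2, 10, 11}   # console, RemoteInteractive (RDP), cached interactive


def is_machine_account(name):
    # Computer accounts have SAM names ending in '$'; that is what separates the
    # "Machine Account ..." rows from the "User ..." rows that share 4722 and 4725.
    return name.endswith("$")


def classify(event):
    """event: {'EventID': int, 'EventData': {...}} carrying the EventData fields the
    control needs. Returns (Action, Subaction), or None for events outside the tables."""
    eid = event["EventID"]
    data = event.get("EventData", {})
    if eid == 4663:
        # One ID for "Object access attempt" and "Object Deletion": only the
        # requested access rights tell them apart.
        if int(data.get("AccessMask", "0x0"), 16) & DELETE_RIGHT:
            return ("Object Deletion", "Object Deletion")
        return ("Object Access", "Object access attempt")
    if eid == 4624:
        # 4624 is written for every logon type; the control covers interactive ones only.
        if int(data.get("LogonType", "0")) in INTERACTIVE_LOGON_TYPES:
            return ("Successful Login", "Interactive Login")
        return None
    if eid in (4722, 4725):
        verb = "Enabling" if eid == 4722 else "Disabling"
        kind = "Machine Account " if is_machine_account(data.get("TargetUserName", "")) else "User "
        return ("User " + verb, kind + verb)
    return UNAMBIGUOUS.get(eid)


# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    {"EventID": 4663, "EventData": {"ObjectName": r"C:\Finance\q3.xlsx", "AccessMask": "0x10000"}},
    {"EventID": 4663, "EventData": {"ObjectName": r"C:\Finance\q3.xlsx", "AccessMask": "0x1"}},
    {"EventID": 4624, "EventData": {"TargetUserName": "alice", "LogonType": "10"}},
    {"EventID": 4624, "EventData": {"TargetUserName": "svc-backup", "LogonType": "3"}},
    {"EventID": 4725, "EventData": {"TargetUserName": "WKS-042$"}},
    {"EventID": 4725, "EventData": {"TargetUserName": "bob"}},
    {"EventID": 4720, "EventData": {"TargetUserName": "carol"}},
    {"EventID": 4672, "EventData": {"SubjectUserName": "alice"}},
]


def classify_all(events):
    """One (Action, Subaction) or None per event, in input order."""
    return [classify(e) for e in events]


if __name__ == "__main__":
    for event, control in zip(SAMPLE_EVENTS, classify_all(SAMPLE_EVENTS)):
        print(event["EventID"], control)
```

The access-mask test is what makes the "Object Deletion" control trustworthy: a 4663 with only READ_DATA in the mask must not be reported as a deletion, and a 4624 with Logon Type 3 (network) is not an interactive login even though the ID matches.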

IBM i Template

Tested OS Versions

This software has been tested on the following IBM i versions:

- V7R1

IBM i Controls (Powertech SIEM Agent for IBM i)

The following table shows the IBM i audit journal entry type, the condition evaluated on the entry, and the action and subaction the template assigns, which control the information that is received and actioned in your security schema. Conditions are evaluated per journal entry type; an ELSE row catches the entries of that type that no other row matched.

Action | Subaction | Journal Entry | Condition | Description
Alter Audit | Alter Audit | AD | No Condition | Auditing Changes
Access Object | Access Denied | AF | No Condition | Authority Failure
Grant Permission | Grant Permission | CA | substr(BDMDTN,67,3) in ('GRT', 'RPL', 'USR') and &JRNSTRING,22,8='*AUTL' | Authority Changes
Revoke Permission | Revoke Permission | CA | ELSE | Authority Changes
Grant Permission (AC Input) | Grant Permission | CA | ELSE | Authority Changes
User Statement | Command | CD | No Condition | Command String Audit
Alter Object | Replacement | CO | Var01='R' and &JRNSTRING,21,8='*AUTL' | Create Object
Create Object | Creation | CO | Var01='N' and &JRNSTRING,21,8='*AUTL' | Create Object
Create Object | Replacement | CO | ELSE | Create Object
Alter User | Alter User | CP | Var04='*USRPRF' and Var05='CHG' and Var29 not in ('ENABLED', 'DISABLED') | User profile changed, created or restored
Create User | Create User | CP | Var04='*USRPRF' and Var05='CRT' | User profile changed, created or restored
Disable User | Disable User | CP | Var04='*USRPRF' and Var05='CHG' and Var29='DISABLED' | User profile changed, created or restored
Enable User | Enable User | CP | Var04='*USRPRF' and Var05='CHG' and Var29='ENABLED' | User profile changed, created or restored
Reset Password | Reset Password | CP | Var04='*USRPRF' and Var05='CHG' and Var06='Y' | User profile changed, created or restored
Drop Object | Drop Object | DO | Var04='*AUTL' | Delete Object
Drop User | Drop Object | DO | Var04='*USRPRF' | Delete Object
Drop Object | Drop Object | DO | ELSE | Delete Object
Alter Configuration Rule | Alter DST Security Password | DS | No Condition | DST Security password reset
Successful Logon | Logon Successful | JS | Var01='S' and Var02='I' | Actions that affect jobs
Logoff | Logoff | JS | Var01 in ('E', 'I') and Var02='I' | Actions that affect jobs
Alter Job | Alter Job | JS | ELSE | Actions that affect jobs
Alter Object | Move Object | OM | Var01='M' | Object move or rename
Alter Object | Rename Object | OM | Var01='R' | Object move or rename
Alter Object | Replace Object | OR | Var01='N' | Object restore
Alter Object | Replace Object | OR | Var01='E' | Object restore
Alter Object | Alter Ownership | OW | No Condition | Object ownership changed
Alter Configuration Rule | Alter Program to Adopt Authority | PA | No Condition | Program changed to adopt authority
Switch User | Switch User | PS | No Condition | Profile Swap
Logon Failed | Logon Failed | PW | No Condition | Invalid Password
Authority Change During Restore | Revoke Permission | RA | No Condition | Authority Change during restore
Alter Configuration Rule | Restore Job Description with User Profile | RJ | No Condition | Restoring job description with user profile specified
Alter Object | Alter Ownership | RO | No Condition | Change of object owner during restore
Alter Configuration Rule | Restore Adopted Authority Program | RP | No Condition | Restoring adopted authority program
Alter Configuration Rule | Alter System Tools | ST | No Condition | Use of service tools
Alter Configuration Rule | Alter Configuration Rule | SV | NOT(Var02 like 'QAUD*') | System Value Changes
Alter Configuration Rule | System Value Change | SV | Var02 like 'QAUD*' | System Value Changes
Alter Date_Time | Alter Date_Time | SV | Var02 in (QDATE, QTIME) | System Value Changes
Alter Object | Alter Object | ZC | No Condition | Change to object
Read Object | Read Object | ZR | No Condition | Read of Object

IBM i Controls (VMC)

The following table shows the IBM i audit journal entry type, the condition evaluated on the entry, the Event Manager queue and auditing category it is routed through, and the action and subaction the template assigns, which control the information that is received and actioned in your security schema. As in the SIEM Agent table, an ELSE row catches the entries of that type that no other row matched.

Action | Subaction | Journal Entry | Condition | Event Manager Queue Name | Auditing Category | Description
Alter Audit | Alter Audit | AD | No Condition | *AUDCHANGE | *SECCFG | Auditing Changes
Access Object | Access Denied | AF | No Condition | *AUTFAIL | *AUTFAIL, *PGMFAIL | Authority Failure
User Statement | Temporary Privilege Usage | AP | No Condition | *ADOPTING | READ_OBJECT | Obtaining adopted authority
Grant Permission | Grant Permission | CA | substr(BDMDTN,67,3) in ('GRT', 'RPL', 'USR') and &JRNSTRING,22,8='*AUTL' | *AUTCHANGE | *SECRUN | Authority Changes
Revoke Permission | Revoke Permission | CA | substr(BDMDTN,67,3)='RVK' and &JRNSTRING,22,8='*AUTL' | *AUTCHANGE | *SECRUN | Authority Changes
Grant Permission (AC Input) | Grant Permission | CA | ELSE | *AUTCHANGE | *SECRUN | Authority Changes
User Statement | Command | CD | No Condition | *COMMAND | *CMD | Command String Audit
Alter Object | Replacement | CO | Var01='R' and &JRNSTRING,21,8='*AUTL' | *CREATEOBJ3 | *CREATE | Create Object
Create Object | Creation | CO | Var01='N' and &JRNSTRING,21,8='*AUTL' | *CREATEOBJ3 | *CREATE | Create Object
Create Object | Replacement | CO | ELSE | *CREATEOBJ3 | *CREATE | Create Object
Alter User | Alter User | CP | Var04='*USRPRF' and Var05='CHG' and Var29 not in ('ENABLED', 'DISABLED') | *USRPRFCHG | *SECCFG | User profile changed, created or restored
Create User | Create User | CP | Var04='*USRPRF' and Var05='CRT' | *USRPRFCHG | *SECCFG | User profile changed, created or restored
Disable User | Disable User | CP | Var04='*USRPRF' and Var05='CHG' and Var29='DISABLED' | *USRPRFCHG | *SECCFG | User profile changed, created or restored
Enable User | Enable User | CP | Var04='*USRPRF' and Var05='CHG' and Var29='ENABLED' | *USRPRFCHG | *SECCFG | User profile changed, created or restored
Reset Password | Reset Password | CP | Var04='*USRPRF' and Var05='CHG' and Var06='Y' | *USRPRFCHG | *SECCFG | User profile changed, created or restored
Drop Object | Drop Object | DO | Var04='*AUTL' | *DELETEOBJ | *DELETE, *SECCFG | Delete Object
Drop User | Drop User | DO | Var04='*USRPRF' | *DELETEOBJ | *DELETE, *SECCFG | Delete Object
Drop Object | Drop Object | DO | ELSE | *DELETEOBJ | *DELETE, *SECCFG | Delete Object
Alter Configuration Rule | Alter DST Security Password | DS | No Condition | *DSTPWD | *SECCFG | DST Security password reset
Alter Configuration Rule | Alter Generic Record | GR | No Condition | *GENREC | *AUTFAIL, *SECCFG | Generic Record
Alter Configuration Rule | Alter Job Description Parameter | JD | No Condition | *JOFDCHG | *SECCFG | Change to user parameter of a job description
Successful Logon | Logon Successful | JS | Var01='S' and Var02='I' | *JOBACTION | *JOBDTA | Actions that affect jobs
Logoff | Logoff | JS | Var01 in ('E', 'I') and Var02='I' | *JOBACTION | *JOBDTA | Actions that affect jobs
Alter Job | Alter Job | JS | ELSE | *JOBACTION | *JOBDTA | Actions that affect jobs
Alter Configuration Rule | Alter Network Attribute | NA | No Condition | *NETATRCHG | *SECCFG | Network Attribute changed
Alter Object | Move Object | OM | Var01='M' | *OBJMOVE | *OBJMGT | Object move or rename
Alter Object | Rename Object | OM | Var01='R' | *OBJMOVE | *OBJMGT | Object move or rename
Alter Object | Replace Object | OR | Var01='N' | *OBJRST | *SAVRST | Object restore
Alter Object | Replace Object | OR | Var01='E' | *OBJRST | *SAVRST | Object restore
Alter Object | Alter Ownership | OW | No Condition | *OBJOWNCHG | *SECRUN | Object ownership changed
Alter Configuration Rule | Alter Program to Adopt Authority | PA | No Condition | *PGMADP | *SECCFG | Program changed to adopt authority
Alter Object | Grant Permission Primary Group | PG | No Condition | *OBJPGPCHG | *SECRUN | Change of an object's primary group
Switch User | Switch User | PS | No Condition | *PRFSWAP | *SECVFY | Profile Swap
Logon Failed | Logon Failed | PW | No Condition | *INVPWD | *AUTFAIL | Invalid Password
Authority Change During Restore | Revoke Permission | RA | No Condition | *AUTCHANGE | *SAVRST | Authority Change during restore
Alter Configuration Rule | Restore Job Description with User Profile | RJ | No Condition | *RSTUSRJBD | *AUTFAIL | Restoring job description with user profile specified
Alter Object | Alter Ownership | RO | No Condition | *OBJOWNCHG | *SAVRST | Change of object owner during restore
Alter Configuration Rule | Restore Adopted Authority Program | RP | No Condition | *RSTPGMADP | *SAVRST | Restoring adopted authority program
Restore User Profile Authority | Grant Permission | RU | No Condition | *RSTUSPAUT | *SAVRST | Restoring user profile authority
Alter Object | Grant Permission Primary Group During Restore | RZ | No Condition | *RSTPGPCHG | *SAVRST | Changing a primary group during restore
Alter Object | Alter Spooled File | SF | Var01='H', 'R', 'U' or 'V' | *SPOOLFILE | *SPLFDTA | Actions to spooled files
Create Object | Create Spooled File | SF | Var01='C' or 'I' | *SPOOLFILE | *SPLFDTA | Actions to spooled files
Access Object | Read Spooled File | SF | Var01='A' | *SPOOLFILE | *SPLFDTA | Actions to spooled files
Drop Object | Delete Spooled File | SF | Var01='D' | *SPOOLFILE | *SPLFDTA | Actions to spooled files
Alter Configuration Rule | Alter System Management | SM | No Condition | *SYSMGTCHG | *SYSMGT | System management changes
Alter Configuration Rule | Alter System Tools | ST | No Condition | *SERVTOOLS | *SERVICE | Use of service tools
Alter Configuration Rule | Alter Configuration Rule | SV | NOT(Var02 like 'QAUD*') | *SYSVALCHG | *SECCFG | System Value Changes
Alter Configuration Rule | System Value Change | SV | Var02 like 'QAUD*' | *SYSVALCHG | *SECCFG | System Value Changes
Alter Date_Time | Alter Date_Time | SV | Var02 in (QDATE, QTIME) | *SYSVALCHG | *SECCFG | System Value Changes
Alter Object | Alter Object | YC | No Condition | *DLOOBJCHG | *CHANGE | DLO Object accessed (Change)
Access Object | Read Object | YR | No Condition | *DLOOBJRD | *ALL | DLO Object accessed (read)
Alter Object | Alter Object | ZC | No Condition | *OBJCHANGE | *CHANGE | Change to object
Read Object | Read Object | ZR | No Condition | *OBJREAD | *ALL | Read of Object
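The conditions in the two IBM i tables above overlap: a CP entry for a password reset (Var05='CHG', Var06='Y') also satisfies the "Alter User" row, and an SV entry for QDATE also satisfies NOT(Var02 like 'QAUD*'), so the order in which the rows are tested decides which control fires. The following is an added example, not Powertech VMC or SIEM Agent code, that evaluates the CA, CP, JS and SV conditions of the VMC table as an ordered rule list with the ELSE rows as fall-through. Var01..Var29 are assumed to be the entry's parsed fields and "data" the raw entry string that BDMDTN and &JRNSTRING address; the 8-character *AUTL comparison is assumed to be on a blank-padded field, and the sample entries are constructed.

```python
# Added example, not Powertech VMC or SIEM Agent code: evaluate the journal
# entry conditions from the VMC table as an ordered rule list, with the table's
# ELSE rows as the fall-through, on constructed entries.

def substr(s, pos, length):
    """IBM i substr semantics: 1-based start position, length characters."""
    return s[pos - 1:pos - 1 + length]


def is_autl(data, pos):
    # &JRNSTRING,pos,8 = '*AUTL': assumed to compare an 8-character blank-padded field.
    return substr(data, pos, 8).rstrip() == "*AUTL"


def rules_for(entry_type):
    """Ordered (condition, Action, Subaction) triples for one journal entry type."""
    if entry_type == "CA":
        return [
            (lambda e: substr(e["data"], 67, 3) in ("GRT", "RPL", "USR") and is_autl(e["data"], 22),
             "Grant Permission", "Grant Permission"),
            (lambda e: substr(e["data"], 67, 3) == "RVK" and is_autl(e["data"], 22),
             "Revoke Permission", "Revoke Permission"),
            (lambda e: True, "Grant Permission (AC Input)", "Grant Permission"),   # ELSE row
        ]
    if entry_type == "CP":
        def chg(e):
            return e.get("Var04") == "*USRPRF" and e.get("Var05") == "CHG"
        return [
            (lambda e: e.get("Var04") == "*USRPRF" and e.get("Var05") == "CRT", "Create User", "Create User"),
            # The specific CHG rows are tested before the generic "Alter User" row;
            # in table order a password reset would be reported as a plain profile change.
            (lambda e: chg(e) and e.get("Var29") == "DISABLED", "Disable User", "Disable User"),
            (lambda e: chg(e) and e.get("Var29") == "ENABLED", "Enable User", "Enable User"),
            (lambda e: chg(e) and e.get("Var06") == "Y", "Reset Password", "Reset Password"),
            (lambda e: chg(e) and e.get("Var29") not in ("ENABLED", "DISABLED"), "Alter User", "Alter User"),
        ]
    if entry_type == "JS":
        return [
            (lambda e: e.get("Var01") == "S" and e.get("Var02") == "I", "Successful Logon", "Logon Successful"),
            (lambda e: e.get("Var01") in ("E", "I") and e.get("Var02") == "I", "Logoff", "Logoff"),
            (lambda e: True, "Alter Job", "Alter Job"),                              # ELSE row
        ]
    if entry_type == "SV":
        return [
            # QDATE/QTIME must be tested first: they also satisfy NOT(Var02 like 'QAUD*').
            (lambda e: e.get("Var02") in ("QDATE", "QTIME"), "Alter Date_Time", "Alter Date_Time"),
            (lambda e: e.get("Var02", "").startswith("QAUD"), "Alter Configuration Rule", "System Value Change"),
            (lambda e: True, "Alter Configuration Rule", "Alter Configuration Rule"),
        ]
    return []


def classify(entry):
    """First matching rule wins; None when the entry type has no rules."""
    for cond, action, subaction in rules_for(entry["type"]):
        if cond(entry):
            return (action, subaction)
    return None


def ca_data(auth_type, object_type):
    """Build a constructed CA entry string with the object type in columns 22-29
    and the authority change type in columns 67-69, the offsets the table uses."""
    return " " * 21 + object_type.ljust(8) + " " * 37 + auth_type


# Constructed entries, not real QAUDJRN data. Var29 "" stands for "status unchanged".
SAMPLE_ENTRIES = [
    {"type": "CA", "data": ca_data("GRT", "*AUTL")},
    {"type": "CA", "data": ca_data("RVK", "*AUTL")},
    {"type": "CA", "data": ca_data("GRT", "*FILE")},
    {"type": "CP", "Var04": "*USRPRF", "Var05": "CHG", "Var06": "Y", "Var29": ""},
    {"type": "CP", "Var04": "*USRPRF", "Var05": "CHG", "Var06": "N", "Var29": "DISABLED"},
    {"type": "JS", "Var01": "E", "Var02": "I"},
    {"type": "SV", "Var02": "QDATE"},
    {"type": "SV", "Var02": "QAUDLVL"},
]


def classify_all(entries):
    """One (Action, Subaction) or None per entry, in input order."""
    return [classify(e) for e in entries]


if __name__ == "__main__":
    for entry, control in zip(SAMPLE_ENTRIES, classify_all(SAMPLE_ENTRIES)):
        print(entry["type"], control)
```

Whichever order the product actually uses, the point to verify when tuning a template is that every CHG entry on a user profile lands on exactly one of Disable User, Enable User, Reset Password or Alter User, and that a CA entry on an object that is not an authorization list still reaches the ELSE row rather than being dropped.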

IBM i Security Intrusion Detection Template

Tested OS Versions

The IBM i Security Intrusion Detection template has been tested on:

- V7R1
- V7R2
- V7R3

IBM i Security Intrusion Detection Controls

The following table shows the IBM i audit journal entry, the condition evaluated on it, and the action and subaction the template assigns, which control the information that is received and actioned in your security schema.

Action | Subaction | Journal Entry | Condition | Description
Threat Evidence | Attack Detection | IM | Probe Type ID in (ATTACK, XATTACK) | Attack action detected event, or possible extrusion attack
Threat Evidence | Scan Detection | IM | Probe Type ID in (SCANE, SCANG, XSCAN) | Scan event action detected event, Scan global action detected event, or Outbound scan event detected
Threat Evidence | TCP Connection | IM | Probe Type ID in (TR-TCP, XTRTCP) | Traffic Regulation action detected event over TCP, or Outbound TR detected event (TCP)
Threat Evidence | UDP Connection | IM | Probe Type ID in (TR-UDP, XTRUDP) | Traffic Regulation action detected event over UDP, or Outbound TR detected event (UDP)

SQL Server Template

Tested SQL Versions

This software has been tested on the following SQL Server versions:

- SQL Server 2008
- SQL Server 2012
- SQL Server 2014

SQL Server Controls

The following table shows the SQL Server security audit details on which the template can be used to control the information that is received and actioned in your security schema.

Action | Subaction | Description
Create User | User Creation | Records whenever a user is created
Delete User | User Deletion | Records whenever a user is deleted
User Password Reset | Password Reset | Records whenever a password is reset
User Password Changed | Password Modification | Records whenever a password is changed
User Successful Login | Successful Login | Records whenever a successful login is detected
User Failed Login | Logon Failure | Records whenever a failed login is detected
User Granted Permission | Grant Permission To User | Records whenever a user is granted additional permissions
User Revoke Permission | Revoke Permission To User | Records whenever a user has permissions revoked
Grant Permission To Statement | Statement Grant Permission | Records whenever a user is granted permission on an SQL statement
Revoke Permission To Statement | Statement Revoke Permission | Records whenever a user has permission on an SQL statement revoked
Grant Permission To Schema | Schema Grant Permission | Records whenever a user is granted permission on a schema (a collection of SQL objects such as tables)
Revoke Permission To Schema | Schema Revoke Permission | Records whenever a user has permission on a schema (a collection of SQL objects such as tables) revoked
Login Addition To Server Role | User Added to Server Role | Records whenever a login is added to a server role (Group Role profile) on the server
Login Removal From Server Role | User Removed from Server Role | Records whenever a login is removed from a server role (Group Role profile) on the server
Login Addition To Database Role | User Added to Database Role | Records whenever a user is added to a database role (Group Role profile) on a SQL database
Login Removal From Database Role | User Removed from Database Role | Records whenever a user is removed from a database role (Group Role profile) on a SQL database
User Created on Database | Database Role Creation | Records whenever a database role (Group Role profile) is created on a SQL database
Database Role Deletion | User Removed from Database | Records whenever a database role (Group Role profile) is dropped from a SQL database
Object created in Database | Object Creation | Records whenever an object is created in a SQL database
Object altered in Database | Object Modification | Records whenever an object is amended in a SQL database
Object removed from Database | Object Deletion | Records whenever an object is removed from a SQL database
Object created in Stored Procedure | Stored Procedure Creation | Records whenever a stored procedure is created
Object altered in Stored Procedure | Stored Procedure Modification | Records whenever a stored procedure is amended
Object removed from Stored Procedure | Stored Procedure Deletion | Records whenever a stored procedure is removed
Object created in Object View | View Creation | Records whenever a view is created
Object altered in Object View | View Modification | Records whenever a view is amended
Object removed from Object View | View Deletion | Records whenever a view is removed
Object created in Object Function | Function Creation | Records whenever a function is created
Object altered in Object Function | Function Modification | Records whenever a function is amended
Object removed from Object Function | Function Deletion | Records whenever a function is removed

Linux Template

Using the Linux Audit Datasource

The following table shows the Linux security audit details on which the template can be used to control the information that is received and actioned in your security schema. Conditions are expressed on the normalised fields of the audit event (LinuxAuditCategory, AuditEvent_exe, AuditEvent_ExecutedCommand, AuditEvent_Operator, AuditEvent_AffectedAccount); a row with no condition is reproduced as it appears in the original table.

Action | Subaction | Condition | Description

System Management
Object Modification | Object Modification | LinuxAuditCategory = 'LINUXAUDIT.FILESYSTEM.WRITE.FILE.CONTENT' | Records whenever an audited file is modified.
Object Modification | Object Ownership Modification | AuditEvent_ExecutedCommand = 'chown' | Records whenever an object has had a change of ownership.

User Activity
Logoff | Logoff | LinuxAuditCategory = 'LINUXAUDIT.LOGOUT.SSH' | Records whenever a user logs off the system.
Logon Failed | Logon Failure | | Records whenever a logon attempt fails for an administrator user.
Logon Failed | Logon Failure | LinuxAuditCategory = 'LINUXAUDIT.LOGON.SSH.FAILURE' | Records whenever a logon attempt by a common user fails.
Logon Failed | Logon Failure | LinuxAuditCategory = 'LINUXAUDIT.LOGON.SSH.FAILURE' | Records whenever a logon attempt fails for a special user.
Logon Successful | Successful Login | LinuxAuditCategory = 'LINUXAUDIT.LOGON.SSH.SUCCESS' | Records whenever a logon or logoff attempt by an administrator user is successful.
Logon Successful | Successful Login | LinuxAuditCategory = 'LINUXAUDIT.LOGON.SSH.SUCCESS' | Records whenever a logon or logoff attempt by a special user is successful.
Logon_Successful, Logoff | Successful Login | LinuxAuditCategory = 'LINUXAUDIT.LOGON.SSH.SUCCESS' | Records whenever a logon or logoff attempt by a common user is successful.
Temp Privilege Usage | Temporary Privilege Usage | AuditEvent_exe = 'usr/bin/sudo' |
User Switch | User Switch | LinuxAuditCategory = 'LINUXAUDIT.LOGON.SU.SUCCESS' | Records whenever a user profile swap to a super user is initiated successfully.

Users' Management
Grant Permission | Grant Permission | AuditEvent_ExecutedCommand = 'chmod' | Records whenever there is a change in object permissions.
Create Group Role Profile | Group Creation | AuditEvent_exe = 'usr/sbin/groupadd' | Records whenever a group is created.
Drop Group Role Profile | Group Deletion | AuditEvent_exe = 'usr/sbin/groupdel' | Records whenever a group is deleted.
Group Role Modified | Group Modification | AuditEvent_exe = 'usr/sbin/groupmod' | Records whenever a group is changed.
Password Changed | Password Modification | AuditEvent_exe = '/usr/bin/passwd' and AuditEvent_Operator = AuditEvent_AffectedAccount | Records whenever a user changes their own password.
Password Reset | Password Reset | AuditEvent_exe = '/usr/bin/passwd' and AuditEvent_Operator <> AuditEvent_AffectedAccount | Records whenever a user's password is reset by another account.
Create User | User Creation | AuditEvent_exe = '/usr/sbin/useradd' | Records whenever a user account is created.
Drop User | User Deletion | AuditEvent_exe = '/usr/sbin/userdel' | Records whenever a user account is deleted.
User Amended | User Modification | AuditEvent_exe = '/usr/sbin/usermod' | Records whenever a user account is changed.

Using the Linux Syslog Datasource

The following table shows the Linux Syslog details on which the template can be used to control the information that is received and actioned in your security schema.

Action | Subaction | Condition | Description

User Activity

Logoff | Logoff | LinuxAuditCategory = 'LINUXAUDIT.LOGOUT.SSH' | Records whenever a user logs off the system
Logon Failed | Logon Failure | | Records whenever a logon attempt fails for an administrator user
Logon Failed | Logon Failure | LinuxAuditCategory = 'LINUXAUDIT.LOGON.SSH.FAILURE' | Records whenever a logon attempt by a common user fails
Logon Failed | Logon Failure | LinuxAuditCategory = 'LINUXAUDIT.LOGON.SSH.FAILURE' | Records whenever a logon attempt fails for a special user
Logon Successful | Successful Login | LinuxAuditCategory = 'LINUXAUDIT.LOGON.SSH.SUCCESS' | Records whenever a logon or logoff attempt by an administrator user is successful
Logon Successful | Successful Login | LinuxAuditCategory = 'LINUXAUDIT.LOGON.SSH.SUCCESS' | Records whenever a logon or logoff attempt by a special user is successful
Logon_Successful, Logoff | Successful Login | LinuxAuditCategory = 'LINUXAUDIT.LOGON.SSH.SUCCESS' | Records whenever a logon or logoff attempt by a common user is successful
Command Execution | User Statement (SUDO) | AuditEvent_exe = 'usr/bin/sudo' | Records whenever a program is run with the security privileges of another user (by default, as the superuser)
User Switch | User Switch | LinuxAuditCategory = 'LINUXAUDIT.LOGON.SU.SUCCESS' | Records whenever a user profile swap to a super user is initiated successfully

Users' Management

Create Group Role Profile | Group Creation | AuditEvent_exe = 'usr/sbin/groupadd' | Records whenever a group is created
Drop Group Role Profile | Group Deletion | AuditEvent_exe = 'usr/sbin/groupdel' | Records whenever a group is deleted
Group Role Modified | Group Modification | AuditEvent_exe = 'usr/sbin/groupmod' | Records whenever a group is changed
Password Changed | Password Modification | AuditEvent_exe = '/usr/bin/passwd' and AuditEvent_Operator <> AuditEvent_AffectedAccount | Records whenever a user password is changed
Create User | User Creation | AuditEvent_exe = '/usr/sbin/useradd' | Records whenever a user account is created
Drop User | User Deletion | AuditEvent_exe = '/usr/sbin/userdel' | Records whenever a user account is deleted
User Amended | User Modification | AuditEvent_exe = '/usr/sbin/usermod' | Records whenever a user account is changed


AIX Template

Tested AIX Versions

This software has been tested on the following AIX versions:

- AIX 7.1
- AIX 7.2

AIX Controls

The following table shows the AIX audit details on which the template can be used to control the information that is received and actioned in your security schema.

Action | Description

Create User | Records whenever a new user profile is created
Drop User | Records whenever an existing user profile is deleted
Alter User | Records whenever a user profile is amended
Password Changed | Records whenever a user profile password is changed
Create Group Role Profile | Records whenever a group role profile is created
Drop Group Role Profile | Records whenever a group role profile is deleted
Alter Group Role Profile | Records whenever a group role profile is amended
Alter Audit | Records whenever the audit file is amended
Alter Configuration File | Records whenever the AIX configuration file is amended
Logon Failed | Records whenever a logon to the AIX system by an administrator user fails
Logon Successful | Records whenever a logon to the AIX system by an administrator user succeeds
Logon Failed | Records whenever a logon to the AIX system by a special user fails
Logon Successful | Records whenever a logon to the AIX system by a special user succeeds
Logon Successful Logoff | Records whenever a logon or logoff attempt by a common user is successful
Logon Failed | Records whenever a logon to the AIX system by a common user fails
User Statement | Records whenever a user profile swap is actioned


Solaris Template

Tested Solaris Versions

This software has been tested on the following Solaris versions:

- Solaris 10
- Solaris 11

Solaris Controls

The following table shows the Solaris security audit details on which the template can be used to control the information that is received and actioned in your security schema.

Action | Subaction | BSMCategory | Description

Create User | User Creation | 'BSM.ACCOUNT.CREATE.USER' | Records whenever a user account is created
Delete User | User Deletion | 'BSM.ACCOUNT.DELETE.USER' | Records whenever a user account is deleted
User Modified | User Modification | 'BSM.ACCOUNT.MODIFY.USER' | Records whenever a user account is changed
Password Changed | User Account Password Modification | 'BSM.ACCOUNT.MODIFY.USER.PASSWD' AND (AUDITEVENT_ACCOUNT = NULL or EMPTY) | Records whenever a user password is changed
Password Reset | User Account Password Reset | 'BSM.ACCOUNT.MODIFY.USER' AND IT IS NOT THE ABOVE | Records whenever a user password is reset
Group Role Profile Created | Role Creation | 'BSM.ACCOUNT.CREATE.ROLE' | Records whenever a role is created
Group Role Profile Deleted | Role Deletion | 'BSM.ACCOUNT.DELETE.ROLE' | Records whenever a role is deleted
Group Role Profile Modified | Role Modification | 'BSM.ACCOUNT.MODIFY.ROLE' | Records whenever a role is changed
Group Profile Created | Profile Creation | 'BSM.ACCOUNT.CREATE.GROUP' | Records whenever a group profile is created
Group Profile Deleted | Profile Deletion | 'BSM.ACCOUNT.DELETE.GROUP' | Records whenever a group profile is deleted
Group Profile Modified | Profile Modification | 'BSM.ACCOUNT.MODIFY.GROUP' | Records whenever a group profile is changed
Logon Failure | Logon Failure | LIKE 'BSM.LOGON.*' AND AuditEvent_ErrorValue = 'failure' | Records whenever a logon attempt fails
Successful Login | Logon | LIKE 'BSM.LOGON.*' AND AuditEvent_ErrorValue = 'success' | Records whenever a logon attempt succeeds
Logoff | Logout | LIKE 'BSM.LOGOUT.*' | Records whenever a user logs off the system
SU - Switch User profile to root | SU - Substitute User to Root | LIKE 'BSM.LOGON.SU' | Records whenever a user profile swap is actioned


Oracle Template

Tested Oracle Versions

This software has been tested on the following Oracle versions:

- Oracle 11 on Windows Server 2012
- Oracle 11 on Red Hat Linux

Oracle Controls

The following table shows the Oracle security audit details on which the template can be used to control the information that is received and actioned in your security schema.

Action | Subaction | Condition | Description

Successful Login | Successful Login | ACTION# = 100 and RETURNCODE = 0 | Records whenever a logon to the Oracle system succeeds
Logon Failure | Logon Failure | ACTION# = 100 and RETURNCODE <> 0 | Records whenever a logon to the Oracle system fails
Logoff | Logoff | ACTION# = 101 OR ACTION# = 102 and RETURNCODE = 0 | Records whenever a user logs off the Oracle system
User Creation | User Creation | ACTION# = 51 | Records whenever a new user profile is created
User Deletion | User Deletion | ACTION# = 53 | Records whenever a user profile is deleted
User Modification | User Modification | ACTION# = 43 | Records whenever a user profile is changed
Group/Role/Profile Creation | Role Creation | ACTION# = 52 | Records whenever a role profile is created
Group/Role/Profile Creation | DB Profile Creation | ACTION# = 65 | Records whenever a database profile is created
Group/Role/Profile Deletion | Role Deletion | ACTION# = 54 | Records whenever a role profile is deleted
Group/Role/Profile Deletion | Database Profile Deletion | ACTION# = 66 | Records whenever a database profile is deleted
Group/Role/Profile Modification | Role Modification | ACTION# = 79 | Records whenever a role profile is changed
Group/Role/Profile Modification | DB Profile Modification | ACTION# = 67 | Records whenever a database profile is changed
Audit Log Deletion | Audit Log Deletion | ACTION# = 105 | Records whenever the audit log is deleted
Audit Log Modification | Audit Log Modification | ACTION# = 104 | Records whenever the audit log is changed
User Addition to Group/Role/Profile | Member Addition to User/Role | ACTION# = 114 | Records whenever a user profile is created in a group role
User Removal from Group/Role/Profile | Member Removal from User/Role | ACTION# = 115 | Records whenever a user profile is deleted from a group role
Grant Permission | System Privilege Assignment | ACTION# = 108 | Records whenever a user profile is granted permission to system privileges
Revoke Permission | System Privilege Removal | ACTION# = 109 | Records whenever a user profile has permission to system privileges removed
Object Creation | Table Space Creation | ACTION# = 39 | Records whenever space is created in the Oracle database
Object Creation | Function Creation | ACTION# = 91 | Records whenever a function is created
Object Creation | Index Creation | ACTION# = 9 | Records whenever an index is created
Object Creation | Stored Procedure Creation | ACTION# = 24 | Records whenever a stored procedure is created
Object Creation | Trigger Creation | ACTION# = 59 | Records whenever a trigger is created
Object Creation | View Creation | ACTION# = 21 | Records whenever a view is created
Object Deletion | Table Space Deletion | ACTION# = 41 | Records whenever space is deleted from the Oracle database
Object Deletion | Function Deletion | ACTION# = 93 | Records whenever a function is deleted
Object Deletion | Index Deletion | ACTION# = 10 | Records whenever an index is deleted
Object Deletion | Stored Procedure Deletion | ACTION# = 68 | Records whenever a stored procedure is deleted
Object Deletion | Trigger Deletion | ACTION# = 61 | Records whenever a trigger is deleted
Object Deletion | View Deletion | ACTION# = 22 | Records whenever a view is deleted
Object Modification | Tablespace Modification | ACTION# = 40 | Records whenever an object is changed
Object Modification | All Triggers Disabling | ACTION# = 121 | Records whenever all triggers are disabled
Object Modification | All Triggers Enabling | ACTION# = 120 | Records whenever all triggers are enabled
Object Modification | Function Modification | ACTION# = 92 | Records whenever a function is modified
Object Modification | Index Modification | ACTION# = 11 | Records whenever an index is modified
Object Modification | Stored Procedure Modification | ACTION# = 25 | Records whenever a stored procedure is modified
Object Modification | Trigger Disabling | ACTION# = 119 | Records whenever a trigger is disabled
Object Modification | Trigger Enabling | ACTION# = 118 | Records whenever a trigger is enabled
Object Modification | Trigger Modification | ACTION# = 60 | Records whenever a trigger is modified
User Statement | Delete Statement | ACTION# = 7 OR ACTION# = 103* | Records whenever a truncate table statement is executed
User Statement | Insert Statement | ACTION# = 2 OR ACTION# = 103* | Records whenever a truncate table statement is executed
User Statement | Truncate Statement | ACTION# = 85 | Records whenever a truncate table statement is executed
User Statement | Update Statement | ACTION# = 6 OR ACTION# = 103* | Records whenever a truncate table statement is executed

* To audit action 103, the session audit per user should be enabled. That is done by executing the following commands:

- audit insert table by Admin by access
- shutdown
- startup

For Linux installations, the audit for the three events should be enabled at the same time.


VMware Template

VMware Controls

Action | Subaction | Description

Successful Login | Successful Login | Records whenever a successful login to the Virtual Machine occurs.
Logoff | Logoff | Records whenever a logoff occurs from the Virtual Machine.
Logon Failure | Logon Failure | Records whenever a logon attempt to the Virtual Machine fails.
Configuration Rule Modification | Datastore Modification | Datastores are logical containers, analogous to file systems, that hide the specifics of each storage device and provide a uniform model for storing virtual machine files. Records whenever a datastore has been modified.
Configuration Rule Modification | Host Connection | Records whenever a change has been made to the host connection of the virtual machine.
Configuration Rule Modification | Virtual Machine Modification | Records whenever a modification is made to the virtual machine.
Configuration Rule Modification | Virtual Machine Renaming | Records whenever the virtual machine is renamed.
Configuration Rule Modification | Virtual Machine Relocation | Records whenever the virtual machine has been moved to another device.
Configuration Rule Deletion | Host Deletion | Records whenever the host of the virtual machine has been deleted.
Configuration Rule Deletion | Datastore Deletion | Records whenever the virtual machine datastore has been deleted.
Configuration Rule Deletion | Virtual Machine Disconnection | Records whenever the virtual machine is disconnected.
Configuration Rule Deletion | Virtual Machine Removal | Records whenever the virtual machine has been removed.
Configuration Rule Creation | Host Addition | Records whenever another host machine has been added to the virtual machine.
Configuration Rule Creation | Virtual Machine Creation | Records whenever a new virtual machine is created.
Configuration Rule Creation | Virtual Machine Connection | Records whenever a new connection is made to the virtual machine.
Group/Role/Profile Creation | Role Creation | Records whenever a new role for the virtual machine is created.
Group/Role/Profile Deletion | Role Deletion |
Group/Role/Profile Creation | Profile Creation | Records whenever a new profile is created on the virtual machine.
Group/Role/Profile Modification | Profile Modification | Records whenever a profile is modified on the virtual machine.
Group/Role/Profile Deletion | Profile Deletion | Records whenever a profile is deleted from the virtual machine.
System Start | Virtual Machine Power On | Records whenever the virtual machine is powered on.
System Start | System Start | Records whenever the virtual machine system is started.
System Shutdown | Virtual Machine Power Off | Records whenever the virtual machine is powered off.
System Shutdown | Virtual Machine Stopped | Records whenever the virtual machine is stopped.
System Shutdown | Virtual Machine Suspended | Records whenever the virtual machine is suspended.


AWS CloudTrail Template

AWS CloudTrail Standard Datasource

The following controls can be applied to SWIFT software from within the Standard pre-configured datasource:

Action | Subaction | Condition

System Management

Virtual Machine Modification | Alter Virtual Machine Configuration | EventName=ModifyInstanceAttribute
Authentication Creation | Create Authentication | EventName=CreateAccessKey
Bucket Creation | Create Bucket | EventName=CreateBucket
Authentication Deletion | Drop Authentication | EventName=DeleteAccessKey
Bucket Deletion | Drop Bucket | EventName=DeleteBucket
Authentication Modification | Alter Authentication | EventName=UpdateAccessKey
Policy Rule Creation | Create Policy Rule | EventName=CreatePolicy
Policy Rule Deletion | Drop Policy Rule | EventName=DeletePolicy
Virtual Machine Power Off | Virtual Machine Power Off | EventName=TerminateInstances
Virtual Machine Stopped | Virtual Machine Stopped | EventName=StopInstances
Virtual Machine Power On | Virtual Machine Power On | EventName=RunInstances
Virtual Machine Rebooted | Virtual Machine Rebooted | EventName=RebootInstances
Virtual Machine Started | Virtual Machine Started | EventName=StartInstances

User Activity

Interactive Logon Failure | Logon Failed Interactive | EventName=ConsoleLogin and responseElements['ConsoleLogin']=Failure
Interactive Login | Logon Successful Interactive | EventName=ConsoleLogin and responseElements['ConsoleLogin']=Success

Users' Management

Create Login Profile | Grant Permission LoginProfile | EventName=CreateLoginProfile
Grant Permission To User | Grant Permission User | EventName=AttachUserPolicy
Group Right Assignment | Grant Permission Group | EventName=AttachGroupPolicy
Create Group Role Profile Group | Group Creation | EventName=CreateGroup
Create Group Role Profile Role | Role Creation | EventName=CreateRole
Role Right Assignment | Grant Permission Role | EventName=AttachRolePolicy
Drop Group Role Profile Group | Group Deletion | EventName=DeleteGroup
Drop Group Role Profile Role | Role Deletion | EventName=DeleteRole
Alter Group Role Profile Group | Group Modification | EventName=UpdateGroup
Alter Group Role Profile Role | Role Modification | EventName=UpdateRole
Alter Group Role Profile Update Assume Role Policy | Update Assume Role Policy | EventName=UpdateAssumeRolePolicy
Password Modification | Password Changed | EventName=ChangePassword
Alter Permission Login Profile | Update Login Profile | EventName=UpdateLoginProfile
Revoke Permission LoginProfile | Delete Login Profile | EventName=DeleteLoginProfile
Revoke Group Permission | Revoke Permission Group | EventName=DetachGroupPolicy
Revoke Permission To User | Revoke Permission User | EventName=DetachUserPolicy
Revoke Role Permission | Revoke Permission Role | EventName=DetachRolePolicy
Add to Group Role Profile Group | User Addition To Group | EventName=AddUserToGroup
Cloud Service Account Creation | Create Cloud Service Account | EventName=CreateUser
Cloud Service Account Deletion | Drop Cloud Service Account | EventName=DeleteUser
Remove From Group Role Profile Group | User Removal From Group | EventName=RemoveUserFromGroup


Azure Active Directory Template

Azure Active Directory (Standard Datasource)

Action | Original Name | Description | Operation Name

System Activity

Check It | Domain Verification | Verified that your organization is the owner of a domain | Verify domain
Check It | Email Domain Verification | Used email verification to verify that your organization is the owner of a domain | Verify email verified domain
Check It | Non-compliant Policy | A device is non-compliant with defined device compliance policy settings | Device no longer compliant

System Management

Configuration Rule Modification | Device no longer managed | A device is no longer managed in Azure AD | Device no longer managed
Configuration Rule Modification | Add OAuthPermissionGrant | OAuth2PermissionGrant was created for an application in Azure AD | Add OAuth2PermissionGrant
Configuration Rule Modification | Set company contact information | Company-level contact preferences for the Office 365 organization were updated | Set company contact information
Configuration Rule Modification | Set Company information | Company information for an Office 365 organization was updated | Set company information
Configuration Rule Modification | Set Delegation entry | An authentication permission was updated for an application in Azure AD | Set delegation entry
Configuration Rule Modification | Set DirSyncEnabled flag on company | Set the property that enables a directory for Azure AD Sync | Set DirSyncEnabled flag on company
Configuration Rule Modification | Set domain authentication | Changed the domain authentication setting for an Office 365 organization | Set domain authentication
Configuration Rule Modification | Updated the federation settings for a domain | Changed the federation (external sharing) settings for an Office 365 organization | Set federation settings on domain
Object Creation | Add delegation entry | Authentication permission was created/granted to an application in Azure AD | Add delegation entry
Object Creation | Add domain to company | A domain was added to an Office 365 organization | Add domain to company
Object Creation | Add service principal | An application was registered in Azure AD | Add service principal
Object Creation | Added credentials to a service principal | Credentials were added to a service principal in Azure AD | Added credentials to a service principal
Object Creation | Application Creation | A new application was registered in Azure AD | Add application
Object Creation | Company Creation | An Office 365 organization was created | Create company
Object Creation | Company Settings Creation | An Office 365 organization's settings were created | Create company settings
Object Creation | Device Addition | A device was registered with Azure AD | Add device
Object Creation | Partner Addition | A partner (delegated administrator) was added to an Office 365 organization | Add partner to company
Object Creation | Service principal credentials addition | Credentials were added to a service principal in Azure AD | Add service principal credentials
Object Deletion | Application Deletion | An application was removed from Azure AD | ^Delete application
Object Deletion | Application Hard Deletion | An application was permanently removed from Azure AD | Hard Delete application
Object Deletion | Device Deletion | A device was deleted from Azure AD | ^Delete device
Object Deletion | Remove delegation entry | An authentication permission was removed from an application in Azure AD | Remove delegation entry
Object Deletion | Remove domain from company | A domain was removed from an Office 365 organization | Remove domain from company
Object Deletion | Remove partner from company | A partner (delegated administrator) was removed from an Office 365 organization | Remove partner from company
Object Deletion | Remove service principal | An application was deleted/unregistered from Azure AD | Remove service principal
Object Deletion | Remove service principal credentials | Credentials were removed from a service principal in Azure AD | Remove service principal credentials
Object Modification | Application Modification | Configuration options of an application were changed in Azure AD | Update application
Object Modification | Device Modification | A device was enabled/disabled in Azure AD | Update device
Object Modification | Domain Modification | Updated the settings of a domain in an Office 365 organization | Update domain
Object Modification | License Modification | License properties were set for a user in Azure AD | Set license properties
Object Modification | Service Principal Modification | Properties of a service principal were updated | Update service principal
Object Modification | StsRefreshTokenValidFrom Timestamp Modification | Updated StsRefreshTokenValidFrom Timestamp | Update StsRefreshTokenValidFrom Timestamp
Object Modification | Update external secrets | Secrets for external-facing services were updated | Update external secrets
Policy Rule Modification | Set password policy | Changed the length and character constraints for user passwords in an Office 365 organization | Set password policy

User Activity

Logon Failure | Logon Failure | User login failed | UserLogin Failed
Successful Login | Successful Login | User logged in successfully | UserLoggedIn

Users' Management

Grant Permission | Grant Permission to | Admin consent was granted to an enterprise app in Azure AD | Admin Consent to application
Grant Permission | Set user manager | A user manager was set in Azure AD | Set user manager
Group/Role/Profile Creation | Group Creation | A group was created | Add group\.?
Group/Role/Profile Deletion | Group Deletion | A group was deleted | ^Delete group
Group/Role/Profile Deletion | Hard Delete group | A group was deleted from the recycle bin | Hard Delete group
Group/Role/Profile Modification | Group Modification | A property of a group was changed | Update group
Password Modification | Password Modification | Administrator changed the password for a user | Change user password
Password Modification | Set force change user password | Administrator set the property that forces a user to change their password on next sign in | Set force change user password
Password Reset | Password Reset | Administrator reset the password for a user | Reset user password
User Addition to Group/Role/Profile | Add registered owner to device | A registered owner was added to a device in Azure AD | Add registered owner to device
User Addition to Group/Role/Profile | Add registered users to device | A registered user was added to a device in Azure AD | Add registered users to device
User Addition to Group/Role/Profile | Added app role assignment to service principal | An app role was assigned to a user in Azure AD | Add app role assignment to service principal
User Addition to Group/Role/Profile | Member Addition to Directory Role | A user was added to an admin role in Office 365 | Add role member to role
User Addition to Group/Role/Profile | Member addition to User/Role | Member added to a role in Azure AD | Add member to role
User Addition to Group/Role/Profile | Owner Addition to Application | An owner was added to an application in Azure AD | Add owner to application
User Addition to Group/Role/Profile | Owner Addition to Policy | An owner was added to a policy in Azure AD | Add owner to policy
User Addition to Group/Role/Profile | User Addition to Service Principal | An owner was added to a service principal in Azure AD | Add owner to service principal
User Addition to Group/Role/Profile | User Addition to Application Role | An app role was assigned to a user in Azure AD | Add app role assignment grant to user
User Addition to Group/Role/Profile | User Addition to Group | A member was added to a group | Add member to group
User Creation | User Creation | An Office 365 user account was created | Add user
User Creation | User Restore | A deleted user account was restored | Restore user
User Deletion | Hard Delete user | A user was permanently deleted from Azure AD | Hard Delete user
User Deletion | User Deletion | A user was deleted from Azure AD | ^Delete user
User Modification | Application Password Creation | An application password was created for a user in Azure AD | Create application password for user
User Modification | Change user license | The license assigned to a user was changed | Change user license
User Modification | Enable Strong Authentication | A strong authentication method was enabled for a user in Azure AD | Enable Strong Authentication
User Modification | User Modification | Administrator changed one or more properties of a user account | Update user
User Removal From Group/Role/Profile | Member Removal from Directory Role | A user was removed from an admin role in Office 365 | Remove role member from role
User Removal From Group/Role/Profile | Member Removal from User/Role | Member removed from a role in Azure AD | Remove member from role
User Removal From Group/Role/Profile | Owner Removal from Group | An owner was removed from a group | Remove owner from group
User Removal from Group | User Removal from Group | A member was removed from a group | Remove member from group


Microsoft Exchange Online Template Exchange Online (Standard Datasource)

Action Subaction Description Operation Name

Microsoft365 Integrated

Use the Add- MailboxFolderPermission cmdlet Add-MailboxFolderPermission Add-MailboxFolderPermission Add-MailboxFolderPermission to add folder-level permissions for users in mailboxes.

Use the Add-MailboxPermission cmdlet to add permissions to a Add-MailboxPermsision Add-MailboxPermission mailbox or to an Exchange Server Add-MailboxPermission 2016, Exchange Server 2019, or Exchange Online mail user.

Use the Add-RecipientPermission cmdlet to add SendAs permission Add-RecipientPermission Add-RecipientPermission Add-RecipientPermission to users in a cloud-based organization.

ApplyRecord ApplyRecord An item is labeled as a record. ApplyRecord

An item is copied to another Copy Copy Copy folder.

An item is created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox; for Create Create Create example, a new meeting request is created. Note that message or folder creation isn't audited.

Use the Disable-App cmdlet to Disable-App Disable-App disable (turn off) a specific app Disable-App for a specific user.

Use the Disable-InboxRule Disable-InboxRule Disable-InboxRule cmdlet to disable existing Inbox Disable-InboxRule rules in mailboxes.

Use the Disable-Mailbox cmdlet to disable the mailbox of existing users who already have mailboxes. For this cmdlet, a user could also be a public folder Disable-Mailbox Disable-Mailbox Disable-Mailbox mailbox or an InetOrgPerson object. The user account that's associated with the mailbox remains, but it's no longer associated with a mailbox.

Guide to Templates www.helpsystems.com page: 132 Template Assignment / Microsoft Exchange Online Template

Action Subaction Description Operation Name

Use the Disable- ServiceEmailChannel cmdlet to disable the .NET service channel for a specific user. The .NET service channel enables Disable-ServiceEmailChannel Disable-ServiceEmailChannel Disable-ServiceEmailChannel Microsoft Exchange to store information that it later forwards to applications or devices that aren't permanently connected to the server running Exchange.

Use the Disable-SweepRule Disable-SweepRule Disable-SweepRule cmdlet to disable Sweep rules in Disable-SweepRule mailboxes.

Use the Enable-App cmdlet to Enable-App Enable-App enable (turn on) a specific app for Enable-App a specific user.

Use the Enable-InboxRule cmdlet to enable an Inbox rule. Inbox rules are used to process messages in the Inbox based on Enable-InboxRule Enable-InboxRule Enable-InboxRule conditions specified and take actions such as moving a message to a specified folder or deleting a message.

Use the Enable-Mailbox cmdlet to create mailboxes for existing users who don't already have Enable-Mailbox Enable-Mailbox Enable-Mailbox mailboxes. You can also use this cmdlet to create In-Place archives for existing mailboxes.

Use the Enable-SweepRule Enable-SweepRule Enable-SweepRule cmdlet to enable Sweep rules in Enable-SweepRule mailboxes.

Use the Export- MailboxDiagnosticLogs cmdlet to Export-MailboxDiagnosticLogs Export-MailboxDiagnosticLogs export diagnostic data from user Export-MailboxDiagnosticLogs and system mailboxes in your organization.

Folder-Bind Folder-Bind A mailbox folder was accessed. Folder-Bind

Use the Get-App cmdlet to view Get-App Get-App Get-App installed apps.

Use the Get- CalendarDiagnosticAnalysis cmdlet to troubleshoot calendar- related reliability issues. You can use this cmdlet to analyze Get-CalendarDiagnosticAnalysis Get-CalendarDiagnosticAnalysis calendar item data that's Get-CalendarDiagnosticAnalysis recorded in the Calendar Diagnostic logs. You provide the calendar item data to this cmdlet by using the Get- CalendarDiagnosticLog cmdlet.

Guide to Templates www.helpsystems.com page: 133 Template Assignment / Microsoft Exchange Online Template

Action Subaction Description Operation Name

Get-CalendarDiagnosticLog | Get-CalendarDiagnosticLog | Use the Get-CalendarDiagnosticLog cmdlet to collect a range of calendar logs. The Calendar Diagnostic logs track all calendar items and meeting requests in mailboxes. You can use this information to troubleshoot calendar issues that occur in mailboxes. | Get-CalendarDiagnosticLog

Get-CalendarDiagnosticObjects | Get-CalendarDiagnosticObjects | Use the Get-CalendarDiagnosticObjects cmdlet to collect a range of calendar logs. The calendar diagnostic logs track important calendar-related event data for each mailbox, and can be used to troubleshoot calendar issues that occur in mailboxes. The logs track all calendar items and meeting messages. | Get-CalendarDiagnosticObjects

Get-CalendarNotification | Get-CalendarNotification | Use the Get-CalendarNotification cmdlet to return a list of all calendar notification settings for a user. | Get-CalendarNotification

Get-CalendarProcessing | Get-CalendarProcessing | Use the Get-CalendarProcessing cmdlet to view the calendar processing options for resource mailboxes, which include the Calendar Attendant, resource booking assistant and calendar configuration. Note that the settings returned by this cmdlet are editable only on resource mailboxes. | Get-CalendarProcessing

Get-Clutter | Get-Clutter | Use the Get-Clutter cmdlet to view Clutter settings for mailboxes in your organization. | Get-Clutter

Get-EventsFromEmailConfiguration | Get-EventsFromEmailConfiguration | Use the Get-EventsFromEmailConfiguration cmdlet to view the events from email settings on a mailbox. These settings define whether Outlook or Outlook on the web (formerly known as Outlook Web App) automatically discovers events from email messages and adds them to the user's calendar. | Get-EventsFromEmailConfiguration

Get-FocusedInbox | Get-FocusedInbox | Use the Get-FocusedInbox cmdlet to view the Focused Inbox configuration for mailboxes in your organization. | Get-FocusedInbox

Get-InboxRule | Get-InboxRule | Use the Get-InboxRule cmdlet to view Inbox rule properties. Inbox rules are used to process messages in the Inbox based on conditions specified and take actions such as moving a message to a specified folder or deleting a message. | Get-InboxRule

Get-Mailbox | Get-Mailbox | Use the Get-Mailbox cmdlet to view mailbox objects and attributes, populate property pages, or supply mailbox information to other tasks. | Get-Mailbox

Get-MailboxAutoReplyConfiguration | Get-MailboxAutoReplyConfiguration | Use the Get-MailboxAutoReplyConfiguration cmdlet to retrieve Automatic Replies settings for a specific mailbox. | Get-MailboxAutoReplyConfiguration

Get-MailboxCalendarFolder | Get-MailboxCalendarFolder | Use the Get-MailboxCalendarFolder cmdlet to retrieve the publishing or sharing settings for a specified mailbox calendar folder. | Get-MailboxCalendarFolder

Get-MailboxExportRequest | Get-MailboxExportRequest | Use the Get-MailboxExportRequest cmdlet to view the detailed status of an ongoing export request that was initiated by using the New-MailboxExportRequest cmdlet. | Get-MailboxExportRequest

Get-MailboxExportRequestStatistics | Get-MailboxExportRequestStatistics | Use the Get-MailboxExportRequestStatistics cmdlet to view detailed information about export requests. | Get-MailboxExportRequestStatistics

Get-MailboxFolder | Get-MailboxFolder | Use the Get-MailboxFolder cmdlet to view folders in your own mailbox. Administrators can't use this cmdlet to view folders in other mailboxes (the cmdlet is available only from the MyBaseOptions user role). | Get-MailboxFolder

Get-MailboxFolderPermission | Get-MailboxFolderPermission | Use the Get-MailboxFolderPermission cmdlet to view folder-level permissions in mailboxes. | Get-MailboxFolderPermission

Get-MailboxFolderStatistics | Get-MailboxFolderStatistics | Use the Get-MailboxFolderStatistics cmdlet to retrieve information about the folders in a specified mailbox, including the number and size of items in the folder, the folder name and ID, and other information. | Get-MailboxFolderStatistics

Get-MailboxImportRequest | Get-MailboxImportRequest | Use the Get-MailboxImportRequest cmdlet to view the detailed status of an ongoing import request that was initiated using the New-MailboxImportRequest cmdlet. | Get-MailboxImportRequest

Get-MailboxImportRequestStatistics | Get-MailboxImportRequestStatistics | Use the Get-MailboxImportRequestStatistics cmdlet to view detailed information about import requests. | Get-MailboxImportRequestStatistics

Get-MailboxLocation | Get-MailboxLocation | Use the Get-MailboxLocation cmdlet to view mailbox location information in Exchange Online. | Get-MailboxLocation

Get-MailboxPermission | Get-MailboxPermission | Use the Get-MailboxPermission cmdlet to retrieve permissions on a mailbox. | Get-MailboxPermission

Get-MailboxPlan | Get-MailboxPlan | Use the Get-MailboxPlan cmdlet to view information about mailbox plans in the cloud-based service. | Get-MailboxPlan

Get-MailboxRestoreRequest | Get-MailboxRestoreRequest | Use the Get-MailboxRestoreRequest cmdlet to view detailed status of an ongoing restore request that was initiated by using the New-MailboxRestoreRequest cmdlet. | Get-MailboxRestoreRequest

Get-MailboxRestoreRequestStatistics | Get-MailboxRestoreRequestStatistics | Use the Get-MailboxRestoreRequestStatistics cmdlet to view detailed information about restore requests. | Get-MailboxRestoreRequestStatistics

Get-MailboxSentItemsConfiguration | Get-MailboxSentItemsConfiguration | Use the Get-MailboxSentItemsConfiguration cmdlet to view the Sent Items settings on mailboxes. | Get-MailboxSentItemsConfiguration

Get-MailboxStatistics | Get-MailboxStatistics | Use the Get-MailboxStatistics cmdlet to return information about a mailbox, such as the size of the mailbox, the number of messages it contains, and the last time it was accessed. In addition, you can get the move history or a move report of a completed move request. | Get-MailboxStatistics

Get-MailboxUserConfiguration | Get-MailboxUserConfiguration | Use the Get-MailboxUserConfiguration cmdlet to view user configuration items in mailboxes. | Get-MailboxUserConfiguration

Get-MessageCategory | Get-MessageCategory | Use the Get-MessageCategory cmdlet to retrieve a message category from the specified mailbox. | Get-MessageCategory

Get-Place | Get-Place | Use the Get-Place cmdlet to view the additional metadata that was configured on room mailboxes by using the Set-Place cmdlet. The additional metadata provides a better search and room suggestion experience. | Get-Place

Get-RecipientPermission | Get-RecipientPermission | Use the Get-RecipientPermission cmdlet to view information about SendAs permissions that are configured for users in a cloud-based organization. | Get-RecipientPermission

Get-RecoverableItems | Get-RecoverableItems | Use the Get-RecoverableItems cmdlet to view deleted items in mailboxes. After you find the deleted items, you use the Restore-RecoverableItems cmdlet to restore them. | Get-RecoverableItems

Get-ResourceConfig | Get-ResourceConfig | Use the Get-ResourceConfig cmdlet to view custom room and equipment mailbox properties that you've configured by using the Set-ResourceConfig cmdlet. | Get-ResourceConfig

Get-SweepRule | Get-SweepRule | Use the Get-SweepRule cmdlet to view Sweep rules in mailboxes. Sweep rules run at regular intervals to help keep your Inbox clean. | Get-SweepRule

Get-UserPhoto | Get-UserPhoto | Use the Get-UserPhoto cmdlet to view information about the user photos feature that allows users to associate a picture with their account. User photos appear in on-premises and cloud-based client applications, such as Outlook on the web, Lync, Skype for Business and SharePoint. | Get-UserPhoto

HardDelete | HardDelete | A message was purged from the Recoverable Items folder. | HardDelete

Import-ContactList | Import-ContactList | Use the Import-ContactList cmdlet and a .csv file to import a user's mail contacts to a cloud-based mailbox. Users can use an email client to export their contacts to a .csv file that is formatted for Microsoft Office Outlook. | Import-ContactList

Import-RecipientDataProperty | Import-RecipientDataProperty | Use the Import-RecipientDataProperty cmdlet to add a picture or an audio file of a spoken name to a mailbox or contact. The picture and audio files display on the Global Address List property dialog box, contact card, reading pane, and meeting requests in Microsoft Outlook and Outlook on the web. | Import-RecipientDataProperty

MailItemsAccessed | MailItemsAccessed | Mail data is accessed by mail protocols and clients. This value is only available for E5 or E5 Compliance add-on subscription users. | MailItemsAccessed

MailboxLogin | MailboxLogin | The user signed into their mailbox. | MailboxLogin

MessageBind | MessageBind | A message was viewed in the preview pane or opened by an admin. Note: Although this value is accepted as a mailbox action, these actions are no longer logged. | MessageBind

ModifyFolderPermissions | ModifyFolderPermissions | Note: Although this value is accepted as a mailbox action, it's already included in the UpdateFolderPermissions action and isn't audited separately. In other words, don't use this value. | ModifyFolderPermissions

Move | Move | A message was moved to another folder. | Move

MoveToDeletedItems | MoveToDeletedItems | A message was moved to the Deleted Items folder. | MoveToDeletedItems

New-App | New-App | Use the New-App cmdlet to install apps for Outlook. | New-App

New-InboxRule | New-InboxRule | Use the New-InboxRule cmdlet to create Inbox rules in mailboxes. Inbox rules process messages in the Inbox based on conditions and take actions such as moving a message to a specified folder or deleting a message. | New-InboxRule

New-MailMessage | New-MailMessage | Use the New-MailMessage cmdlet to create an email message for the specified user mailbox and place the email message in the Drafts folder of the user's mailbox. | New-MailMessage

New-Mailbox | New-Mailbox | Use the New-Mailbox cmdlet to create mailboxes and user accounts at the same time. | New-Mailbox

New-MailboxExportRequest | New-MailboxExportRequest | Use the New-MailboxExportRequest cmdlet to begin the process of exporting contents of a primary mailbox or archive to a .pst file. | New-MailboxExportRequest

New-MailboxFolder | New-MailboxFolder | Use the New-MailboxFolder cmdlet to create folders in your own mailbox. Administrators can't use this cmdlet to create folders in other mailboxes (the cmdlet is available only from the MyBaseOptions user role). | New-MailboxFolder

New-MailboxImportRequest | New-MailboxImportRequest | Use the New-MailboxImportRequest cmdlet to begin the process of importing a .pst file to a mailbox or archive. | New-MailboxImportRequest

New-MailboxRestoreRequest | New-MailboxRestoreRequest | Use the New-MailboxRestoreRequest cmdlet to restore a soft-deleted or disconnected mailbox. This cmdlet starts the process of moving content from the soft-deleted mailbox, disabled mailbox, or any mailbox in a recovery database into a connected primary or archive mailbox. | New-MailboxRestoreRequest

New-SiteMailbox | New-SiteMailbox | The New-SiteMailbox cmdlet is used by the Microsoft SharePoint and Microsoft Exchange user interfaces to create site mailboxes. We recommend that you don't use this cmdlet; instead use SharePoint to create the site mailbox. This cmdlet should only be used for diagnostic and troubleshooting purposes. | New-SiteMailbox

New-SweepRule | New-SweepRule | Use the New-SweepRule cmdlet to create Sweep rules in mailboxes. Sweep rules run at regular intervals to help keep your Inbox clean. | New-SweepRule

RecordDelete | RecordDelete | An item that's labeled as a record was soft-deleted (moved to the Recoverable Items folder). Items labeled as records can't be permanently deleted (purged from the Recoverable Items folder). | RecordDelete

Remove-App | Remove-App | Use the Remove-App cmdlet to uninstall an app. | Remove-App

Remove-CalendarEvents | Remove-CalendarEvents | Use the Remove-CalendarEvents cmdlet to cancel future meetings in user or resource mailboxes. Cancelling future meetings removes them from attendee and resource calendars (for example, you're going to remove the mailbox, or the user is going on a leave of absence). | Remove-CalendarEvents

Remove-InboxRule | Remove-InboxRule | Use the Remove-InboxRule cmdlet to remove an Inbox rule. | Remove-InboxRule

Remove-Mailbox | Remove-Mailbox | Use the Remove-Mailbox cmdlet to delete mailboxes and the associated user accounts. | Remove-Mailbox

Remove-MailboxExportRequest | Remove-MailboxExportRequest | Use the Remove-MailboxExportRequest cmdlet to remove fully or partially completed export requests. You can create multiple export requests for a specified mailbox provided that you specify a distinct name. Completed export requests aren't cleared automatically; they need to be removed by using this cmdlet. | Remove-MailboxExportRequest

Remove-MailboxFolderPermission | Remove-MailboxFolderPermission | Use the Remove-MailboxFolderPermission cmdlet to remove folder-level permissions for users in mailboxes. | Remove-MailboxFolderPermission

Remove-MailboxImportRequest | Remove-MailboxImportRequest | Use the Remove-MailboxImportRequest cmdlet to remove fully or partially completed import requests. Completed import requests aren't automatically cleared. Requests need to be removed by using the Remove-MailboxImportRequest cmdlet. Multiple import requests can exist against the same mailbox if you provide a distinct import request name. | Remove-MailboxImportRequest

Remove-MailboxPermission | Remove-MailboxPermission | Use the Remove-MailboxPermission cmdlet to remove permissions from a user's mailbox or from an Exchange Server 2016, Exchange Server 2019 or Exchange Online mail user. | Remove-MailboxPermission

Remove-MailboxRestoreRequest | Remove-MailboxRestoreRequest | Use the Remove-MailboxRestoreRequest cmdlet to remove fully or partially completed restore requests. | Remove-MailboxRestoreRequest

Remove-MailboxUserConfiguration | Remove-MailboxUserConfiguration | Use the Remove-MailboxUserConfiguration cmdlet to remove user configuration items from mailboxes. Typically, after you delete a user configuration item, it's automatically recreated the next time the user uses that feature in their mailbox. | Remove-MailboxUserConfiguration

Remove-RecipientPermission | Remove-RecipientPermission | Use the Remove-RecipientPermission cmdlet to remove SendAs permission from users in a cloud-based organization. | Remove-RecipientPermission

Remove-SweepRule | Remove-SweepRule | Use the Remove-SweepRule cmdlet to remove Sweep rules from mailboxes. | Remove-SweepRule

Remove-UserPhoto | Remove-UserPhoto | Use the Remove-UserPhoto cmdlet to delete the photo associated with a user's account. The user photo feature allows users to associate a picture with their account. User photos appear in on-premises and cloud-based client applications, such as Outlook on the web, Lync, Skype for Business and SharePoint. | Remove-UserPhoto

RemoveFolderPermissions | RemoveFolderPermissions | Note: Although this value is accepted as a mailbox action, it's already included in the UpdateFolderPermissions action and isn't audited separately. In other words, don't use this value. | RemoveFolderPermissions

Restore-Mailbox | Restore-Mailbox | Use the Restore-Mailbox cmdlet to extract mailbox content from a restored database. | Restore-Mailbox

Restore-RecoverableItems | Restore-RecoverableItems | Use the Restore-RecoverableItems cmdlet to restore deleted items in mailboxes. You use the Get-RecoverableItems cmdlet to find the deleted items to recover. | Restore-RecoverableItems

Resume-MailboxExportRequest | Resume-MailboxExportRequest | Use the Resume-MailboxExportRequest cmdlet to resume an export request that was suspended or failed. | Resume-MailboxExportRequest

Resume-MailboxImportRequest | Resume-MailboxImportRequest | Use the Resume-MailboxImportRequest cmdlet to resume an import request that was suspended or failed. | Resume-MailboxImportRequest

Resume-Mailbox-Restore Request | Resume-Mailbox-Restore Request | Use the Resume-MailboxRestoreRequest cmdlet to resume a restore request that was suspended or failed. | Resume-Mailbox-Restore Request

Search Mailbox | Search Mailbox | Use the Search-Mailbox cmdlet to search a mailbox and copy the results to a specified target mailbox, delete messages from the source mailbox, or both. | Search Mailbox

SendAs | SendAs | A message was sent using SendAs permission. This means another user sent the message as though it came from the mailbox owner. | SendAs

SendOnBehalf | SendOnBehalf | A message was sent using SendOnBehalf permission. This means another user sent the message on behalf of the mailbox owner. The message will indicate to the recipient who the message was sent on behalf of and who actually sent the message. | SendOnBehalf

Set-App | Set-App | Use the Set-App cmdlet to modify the availability of organization apps. | Set-App

Set-CalendarNotification | Set-CalendarNotification | The Set-CalendarNotification cmdlet allows users to set text message notification options for calendar events in their own calendar. By default, the MyTextMessaging end-user role gives access to this cmdlet, so admins can't configure text messaging notification for calendar events in user calendars. | Set-CalendarNotification

Set-CalendarProcessing | Set-CalendarProcessing | Use the Set-CalendarProcessing cmdlet to modify calendar processing options for resource mailboxes, which include the Calendar Attendant, resource booking assistant, and calendar configuration. Note that this cmdlet is effective only on resource mailboxes. | Set-CalendarProcessing

Set-Clutter | Set-Clutter | Use the Set-Clutter cmdlet to configure Clutter settings for mailboxes in your organization. | Set-Clutter

Set-EventsFromEmailConfiguration | Set-EventsFromEmailConfiguration | Use the Set-EventsFromEmailConfiguration cmdlet to modify the events from email settings on a mailbox on Outlook clients and Outlook on the web. These settings define whether Outlook or Outlook on the web (formerly known as Outlook Web App) automatically discovers events from email messages and adds them to the user's calendar. | Set-EventsFromEmailConfiguration

Set-FocussedInbox | Set-FocussedInbox | Use the Set-FocusedInbox cmdlet to enable or disable Focused Inbox for mailboxes in your organization. | Set-FocussedInbox

Set-InboxRule | Set-InboxRule | Use the Set-InboxRule cmdlet to modify existing Inbox rules in mailboxes. Inbox rules process messages in the Inbox based on conditions specified and take actions such as moving a message to a specified folder or deleting a message. | Set-InboxRule

Set-Mailbox | Set-Mailbox | Use the Set-Mailbox cmdlet to modify the settings of existing mailboxes. | Set-Mailbox

Set-MailboxAutoReplyConfiguration | Set-MailboxAutoReplyConfiguration | Use the Set-MailboxAutoReplyConfiguration cmdlet to configure Automatic Replies settings for a specific mailbox. | Set-MailboxAutoReplyConfiguration

Set-MailboxCalendarFolder | Set-MailboxCalendarFolder | Use the Set-MailboxCalendarFolder cmdlet to configure calendar publishing or sharing settings on a mailbox for the visibility of calendar information to external users. To add or modify the permissions so internal users can access the calendar, use the Add-MailboxFolderPermission or Set-MailboxFolderPermission cmdlets. | Set-MailboxCalendarFolder

Set-MailboxExportRequest | Set-MailboxExportRequest | Use the Set-MailboxExportRequest cmdlet to change export request options after the request has been created. You can use the Set-MailboxExportRequest cmdlet to recover from failed export requests. | Set-MailboxExportRequest

Set-MailboxFolderPermission | Set-MailboxFolderPermission | Use the Set-MailboxFolderPermission cmdlet to modify folder-level permissions for users in mailboxes. This cmdlet differs from the Add-MailboxFolderPermission cmdlet in that it modifies existing permission entries. To configure calendar publishing or sharing settings for a mailbox so calendar information is visible to external users, use the Set-MailboxCalendarFolder cmdlet. | Set-MailboxFolderPermission

Set-MailboxImportRequest | Set-MailboxImportRequest | Use the Set-MailboxImportRequest cmdlet to change import request options after the request has been created. You can use the Set-MailboxImportRequest cmdlet to recover from failed import requests. | Set-MailboxImportRequest

Set-MailboxPlan | Set-MailboxPlan | Use the Set-MailboxPlan cmdlet to modify the settings of mailbox plans in the cloud-based service. | Set-MailboxPlan

Set-MailboxRestoreRequest | Set-MailboxRestoreRequest | Use the Set-MailboxRestoreRequest cmdlet to change restore request options after the request has been created. You can use this cmdlet to recover from failed restore requests. | Set-MailboxRestoreRequest

Set-MailboxSentItemsConfiguration | Set-MailboxRestoreRequest | Use the Set-MailboxSentItemsConfiguration cmdlet to modify the Sent Items settings for mailboxes in your organization. | Set-MailboxRestoreRequest

Set-Place | Set-Place | Use the Set-Place cmdlet to update room mailboxes with additional metadata, which provides a better search and room suggestion experience. | Set-Place

Set-ResourceConfig | Set-ResourceConfig | Use the Set-ResourceConfig cmdlet to create custom resource properties that you can add to room and equipment mailboxes. | Set-ResourceConfig

Set-SweepRule | Set-SweepRule | Use the Set-SweepRule cmdlet to modify Sweep rules in mailboxes. | Set-SweepRule

Set-TransportConfig | Set-TransportConfig | Use the Set-TransportConfig cmdlet to modify the transport configuration settings for the whole Exchange organization. | Set-TransportConfig

Set-UserPhoto | Set-UserPhoto | Use the Set-UserPhoto cmdlet to configure the user photos feature that allows users to associate a picture with their account. User photos appear in on-premises and cloud-based client applications, such as Outlook on the web, Lync, Skype for Business, and SharePoint. | Set-UserPhoto

SoftDelete | SoftDelete | A message was deleted from the Deleted Items folder. | SoftDelete

Suspend-MailboxExportRequest | Suspend-MailboxExportRequest | Use the Suspend-MailboxExportRequest cmdlet to suspend an export request any time after the request was created, but before the request reaches the status of Completed. You can resume the request by using the Resume-MailboxExportRequest cmdlet. | Suspend-MailboxExportRequest

Suspend-MailboxImportRequest | Suspend-MailboxImportRequest | Use the Suspend-MailboxImportRequest cmdlet to suspend an import request any time after the request was created, but before the request reaches the status of Completed. You can resume the import request by using the Resume-MailboxImportRequest cmdlet. | Suspend-MailboxImportRequest

Suspend-MailboxRestoreRequest | Suspend-MailboxRestoreRequest | Use the Suspend-MailboxRestoreRequest cmdlet to suspend a restore request any time after the request was created, but before the request reaches the status of Completed. You can resume the restore request by using the Resume-MailboxRestoreRequest cmdlet. | Suspend-MailboxRestoreRequest

Test-MapiConnectivity | Test-MapiConnectivity | Use the Test-MapiConnectivity cmdlet to verify server functionality by logging on to the mailbox that you specify. If you don't specify a mailbox, the cmdlet logs on to the SystemMailbox on the database that you specify. | Test-MapiConnectivity

Undo-SoftDeletedMailbox | Undo-SoftDeletedMailbox | Use the Undo-SoftDeletedMailbox cmdlet to recover a mailbox that has been deleted. Mailboxes can be recovered within 30 days of being deleted. | Undo-SoftDeletedMailbox

Update | Update | A message was changed. | Update

UpdateCalendarDelegation | UpdateCalendarDelegation | A calendar delegation was assigned to a mailbox. Calendar delegation gives someone else in the same organization permissions to manage the mailbox owner's calendar. | UpdateCalendarDelegation

UpdateComplianceTag | UpdateComplianceTag | A different retention label is applied to a mail item (an item can only have one retention label assigned to it). | UpdateComplianceTag

UpdateFolderPermissions | UpdateFolderPermissions | A folder permission was changed. Folder permissions control which users in your organization can access folders in a mailbox and the messages located in those folders. | UpdateFolderPermissions

UpdateInboxRules | UpdateInboxRules | An inbox rule was added, removed, or changed. Inbox rules are used to process messages in the user's Inbox based on the specified conditions and take actions when the conditions of a rule are met, such as moving a message to a specified folder or deleting a message. | UpdateInboxRules

For information about the parameter sets, see Exchange cmdlet syntax.

Microsoft Teams Template

Microsoft Teams (Standard Datasource) Controls

Action | Subaction | Description | Operation Name

System Management

Configuration Modification | Rule Changed organization setting | A global admin changed organization-wide Microsoft Teams settings | TeamsTenantSettingChanged

Object Creation | Application Publication in Catalog | An app was added to the catalog | AppPublishedToCatalog

Object Creation | Channel Creation | A user added a channel to a team | ChannelAdded

Object Creation | Team Creation | A user created a new team | TeamCreated

Object Deletion | Channel Deletion | A user deleted a channel from a team | ChannelDeleted

Object Deletion | Team Deletion | A team owner deleted a team | TeamDeleted

Object Modification | Application Addition to Channel | An app was installed | AppInstalled

Object Modification | Application Modification in Catalog | An app was updated in the catalog | AppUpdatedInCatalog

Object Modification | Application Removal from Channel | An app was uninstalled | AppUninstalled

Object Modification | Application Upgraded | An app was upgraded to its latest version in the catalog | AppUpgraded

Object Modification | Bot Addition to Team | A user added a bot to a team | BotAddedToTeam

Object Modification | Bot removal from Team | A user removed a bot from a team | BotRemovedFromTeam

Object Modification | Channel Modification | A team member changed the name or description of a team channel | ChannelSettingChanged

Object Modification | Connector addition to Channel | A user added a connector to a channel | ConnectorAdded

Object Modification | Connector Modification in Channel | A user modified a connector in a channel | ConnectorUpdated

Object Modification | Connector removal from Channel | A user removed a connector from a channel | ConnectorRemoved

Object Modification | Tab Addition to Channel | A user added a tab to a channel | TabAdded

Object Modification | Tab Modification in Channel | A user modified a tab in a channel | TabUpdated

Object Modification | Tab Removal from Channel | A user removed a tab from a channel | TabRemoved

Object Modification | Team Modification | A team owner changed the name or description of a team, team's access type or information classification, or any of the team settings | TeamSettingChanged

User Activity

Successful Login | Successful Login | A user signed in to a Microsoft Teams client | TeamsSessionStarted

Users' Management

User Addition to Group/Role/Profile | Member Addition to Team | A team owner added member(s) to a team | MemberAdded

Grant Permission | User Right Assignment | A team owner changed the role of member(s) in a team | Member Role Changed

User Removal from Group/Role/Profile | Member Removal from Team | A team owner removed member(s) from a team | MemberRemoved

Cisco PIX/ASA Template

Tested Cisco PIX/ASA Versions

This software has been tested on the following Cisco PIX/ASA versions:

- ASA OS 8.1

Cisco PIX/ASA Controls

Action | Subaction | Condition | Description

Successful Login | Interactive Login | EventID=605005 | This message appears when a user is authenticated successfully and a management session starts.

Successful Login | Successful AAA Login | EventID=113008 | The AAA transaction for a user associated with an IPSec or WebVPN connection was completed successfully. The user is the username associated with the connection.

Successful Login | Successful AAA Login | EventID=113012 | The user associated with an IPSec or WebVPN connection has been successfully authenticated to the local user database. user is the username associated with the connection.

Successful Login | Successful VPN Login | EventID=713052 | This message indicates that the remote access user was authenticated.

Successful Login | Successful VPN Login | EventID=716001 | The WebVPN session has started for the user in this group at the specified IP address. When the user logs in via the WebVPN login page, the WebVPN session starts.

Successful Login | Successful VPN Login | EventID=716055 | The WebVPN user has been successfully authenticated to the SSO server.

Successful Login | Successful VPN Login | EventID=719022 | This message appears when the username is authenticated by the AAA server. The vpnuser is the WebVPN username.

Successful Login | Successful ASDM Login | EventID=606001 or 606003 | This message indicates that an administrator has been authenticated successfully and an ASDM session was started, or that an ASDM logging connection was started by a remote management client.

Logon Failure | Interactive Login Failure | EventID=605004 | This message appears after an incorrect login attempt or a failed login to the security appliance. For all logins, three attempts are allowed per session, and the session is terminated after three incorrect attempts. For SSH and TELNET logins, this message is generated after the third failed attempt or if the TCP session is terminated after one or more failed attempts. For other types of management sessions, this message is generated after every failed attempt.

This message appears after an SSH session completes. If a user enters quit or exit, the Logon Failure Interactive Login Failure EventID=315011 terminated normally message displays. If the session disconnected for another reason, the text describes the reason.

A request for authentication to the local user database for a user associated with an IPSec or WebVPN connection has been rejected. Details Logon Failure AAA Logo Failure EventID=113015 of why the request was rejected are provided in the reason field. user is the username associated with the connection.

Logon Failure | AAA Logon Failure | EventID=113005 | This is an indication that either an authentication or authorization request for a user associated with an IPSec or WebVPN connection has been rejected. Details of why the request was rejected are provided in the reason field. server_IP_address is the IP address of the relevant AAA server. user is the user name associated with the connection. aaa_operation is either authentication or authorization.

Logon Failure | AAA Logon Failure | EventID=113013 | The AAA transaction for a user associated with an IPSec or WebVPN connection has failed due to an error or has been rejected due to a policy violation. Details are provided in the reason field. user is the username associated with the connection.

Logon Failure | Logon Failure | EventID=113017 | This is an indication that the AAA transaction for a user associated with an IPSec or WebVPN connection has failed due to an error or rejected due to a policy violation. Details are provided in the reason field. This event only appears when the AAA transaction is with the local user database rather than with an external AAA server. user is the username associated with the connection.

Logon Failure | Logon Failure | EventID=109006 | This is an AAA message. This message is displayed if the specified authentication request fails, possibly because of an incorrect password.

Logon Failure | Logon Failure | EventID=109008 | This is an AAA message. This message is displayed if a user is not authorized to access the specified address, possibly because of an incorrect password.

Logon Failure | Logon Failure | EventID=109031 | This message is displayed when a user tries to authenticate to an NT Auth domain that was configured for guest account access and the username is not a valid username on the NT server. The connection is denied.

Logon Failure | AAA Logon Failure | EventID=113016 | The AAA transaction for a user associated with an IPSec or WebVPN connection has failed due to an error or rejected due to a policy violation. Details are provided in the reason field. server_IP_address is the IP address of the relevant AAA server. user is the username associated with the connection.

Logon Failure | AAA Logon Failure | EventID=308001 | This is a security appliance management message. This message is displayed after the specified number of times a user incorrectly types the password to enter privileged mode. The maximum is three attempts.


Logon Failure | Logon Failure | EventID=611102 | User authentication failed when attempting to access the security appliance.

Logon Failure | Logon Failure | EventID=713161 or 713162 | (713161) The security appliance server has sent the security appliance a message indicating that this user must be restricted. There are several reasons for this including security appliance software upgrades, changes in permissions, and so on. The security appliance server will transition the user back into full access mode as soon as the operation has been completed. (713162) This message indicates that the security appliance server has rejected this user.

Logon Failure | Logon Failure | EventID=713166 or 713167 | (713166) This message indicates that the hardware client has failed extended authentication. This is most likely a username/password problem or authentication server issue. (713167) This message indicates that the remote user has failed to extend authentication. This is most likely a username or password problem or authentication server issue.

Logon Failure | Logon Failure | EventID=713185 | The client returned an invalid length username and the tunnel was torn down.

Logon Failure | Logon Failure | EventID=713198 | This event will contain a reason string.

Logon Failure | Logon Failure | EventID=716037 | A user attempted to log in to a server via the CIFS protocol but was not successful.

Logon Failure | VPN Logon Failure | EventID=716039 | Before a WebVPN session starts, the user must be authenticated successfully by a local or remote server (for example, RADIUS or TACACS+). In this case, the user credentials (user name and password) either did not match or the user does not have permission to start a WebVPN session.

Logon Failure | Logon Failure | EventID=716040 | A user was unable to log in to WebVPN because the system is in the process of rebooting.

Logon Failure | Logon Failure | EventID=716056 | The WebVPN user failed to authenticate to the SSO server.

Logon Failure | VPN Logon Failure | EventID=719023 | This message appears when the username is denied by the AAA server. The session will be aborted. The user is not allowed to access the e-mail account. The vpnuser is the WebVPN username.

Lock | User Lock | EventID=113006 | A locally configured user is being locked out. This happens when a configured number of consecutive authentication failures have occurred for this user and indicates that all future authentication attempts by this user will be rejected until an administrator unlocks the user using the clear aaa local user lockout command. user is the user that is now locked and number is the consecutive failure threshold configured with the aaa local authentication attempts max-fail command.

Unlock | User Unlock | EventID=113007 | A locally configured user that was locked out after exceeding the maximum number of consecutive authentication failures set by the aaa local authentication attempts max-fail command has been unlocked by the indicated administrator.


Logoff | Logoff | EventID=606002 | This message indicates that an ASDM session ended.

Logoff | Logoff | EventID=606004

User Statement | Command Execution | EventID=111008 | The user entered any command, with the exception of a show command.

Configuration Rule Modification | Configuration Rule Modification | EventID=111001 | This message is displayed when you enter the write command to store your configuration on a device (either floppy, Flash memory, TFTP, the failover standby unit, or the console terminal). The IP_address indicates whether the login was made at the console port or with a Telnet connection.

Configuration Rule Modification | Configuration Rule Modification | EventID=111003 | This is a management message. This message is displayed when you erase the contents of Flash memory by entering the write erase command at the console. The IP_address value indicates whether the login was made at the console port or through a Telnet connection.

Configuration Rule Modification | Configuration Rule Modification | EventID=111007 | This message is displayed when you enter the reload or configure command to read in a configuration. The device text can be floppy, memory, net, standby, or terminal. The IP_address value indicates whether the login was made at the console port or through a Telnet connection.

Configuration Rule Modification | Configuration Rule Modification | EventID=112001 | This message is displayed when a request to clear the module configuration is completed. The source file and line number are identified.

Configuration Rule Modification | Configuration Rule Modification | EventID=113003 | The group policy that is associated with the tunnel-group is being overridden with a user specific policy, policy_name. The policy_name is specified using the username command when LOCAL authentication is configured or is returned in the RADIUS CLASS attribute when RADIUS authentication is configured.

Configuration Rule Modification | Configuration Rule Modification | EventID=305009 | An address translation slot was created. The slot translates the source address from the local side to the global side. In reverse, the slot translates the destination address from the global side to the local side.

Configuration Rule Modification | Configuration Rule Modification | EventID=305010 | The address translation slot was deleted.


Cisco Routers and Switches Template

Tested Cisco Versions

This software has been tested on the following IOS versions:

• IOS version 12

Cisco Routers and Switches Controls

Action Subaction Condition

Audit Modification Audit Modification .*(?:AUDIT-5-AUDIT_DISABLED|AUDIT-5-AUDIT_ENABLED|AUDIT-5-FILE_ROLLOVER|AUDIT-3-NOFILE|AUDIT-3-FILE_WRITE_ERR).*

Alter Configuration Rule Running Configuration Modification .*AUDIT-(?:1|5)-RUN_CONFIG.*

Alter Configuration Rule Startup Configuration Modification .*AUDIT-(?:1|5)-STARTUP_CONFIG.*

Alter Configuration Rule Version Modification .*AUDIT-(?:1|5)-RUN_VERSION.*

System Start System Reboot .*(?:SYS-5-RELOAD|SYS-5-RESTART):.*

Object Creation Access Group Creation .*PARSER-5-CFGLOG_LOGGEDCMD:.*logged command:ip access-group.*

Object Creation Access List Creation .*PARSER-5-CFGLOG_LOGGEDCMD:.*logged command:(?:ip\s)?access-list.*

Object Creation Static Route Creation .*PARSER-5-CFGLOG_LOGGEDCMD:.*logged command:ip route.*

Object Creation VLAN Creation .*PARSER-5-CFGLOG_LOGGEDCMD:.*logged command:vlan.*

Object Deletion Access List Deletion .*PARSER-5-CFGLOG_LOGGEDCMD:.*logged command:no ip access-group.*

Object Deletion Static Route Deletion .*PARSER-5-CFGLOG_LOGGEDCMD:.*logged command:no ip route.*

Object Deletion Access Group Deletion .*PARSER-5-CFGLOG_LOGGEDCMD:.*logged command:no ip access-group.*

Object Deletion VLAN Deletion .*PARSER-5-CFGLOG_LOGGEDCMD:.*logged command:no vlan.*

Object Modification Interface Modification .*(?:LINK-3-UPDOWN|LINK-5-CHANGED):.*

Logoff Logoff .*SYS-6-LOGOUT:.*

Logon Failure Interactive Logon Failure .*SEC_LOGIN-4-LOGIN_FAILED:.*

Logon Failure VPN Logon Failure .*SSLVPN-6-(?:CONTEXT_MAX_USERS|GLOBAL_MAX_USERS|GLOBAL_ADM_CTRL)_LOGIN_DENIED.*


Successful Login Interactive Login .*SEC_LOGIN-5-LOGIN_SUCCESS:.*

Successful Login Successful VPN Login .*SSLVPN-6-WEBVPN_(?:CSD_ADMIN_LOGIN|USER_LOGIN):.*

User Creation User Creation .*PARSER-5-CFGLOG_LOGGEDCMD:.*ommand:\s?username.*

User Deletion User Deletion .*PARSER-5-CFGLOG_LOGGEDCMD:.*ommand:\s?no\susername.*


FortiGate Firewall Template

Action Subaction Condition

Successful Login Interactive Login EventID == 32001

Successful Login Successful IPsec VPN Login EventID == 37138

Successful Login Successful VPN Login EventID == 39424

Logon Failure Interactive Logon Failure EventID == 32002

Logon Failure IPSec VPN Logon Failure EventID == 37121

Logon Failure VPN Logon Failure EventID == 39426

Logoff Logoff EventID == 32003

Logoff IPSec VPN Logoff EventID == 37139

Logoff VPN Logoff EventID == 39425

User Creation User Creation EventID == 44547

User Modification User Modification EventID == 44547

User Modification User Renaming EventID == 44547

User Deletion User Deletion EventID == 44545

Group/Role/Profile Creation Group Creation EventID == 44547

Group/Role/Profile Modification Group Modification EventID == 44547

Group/Role/Profile Modification Group Renaming EventID == 44547

Group/Role/Profile Deletion Group Deletion EventID == 44545

Group/Role/Profile Creation Profile Creation EventID == 44547

Group/Role/Profile Modification Profile Modification EventID == 44547

Group/Role/Profile Modification Profile Renaming EventID == 44545

Group/Role/Profile Deletion Profile Deletion EventID == 44545

Object Creation Static Route Creation EventID == 44547

Object Creation Policy Route Creation EventID == 44547

Object Creation Interface Creation EventID == 44547

Create Policy Rule Policy Rule Creation EventID == 44547

Object Modification Static Route Modification EventID == 44547

Object Modification Policy Route Modification EventID == 44547

Object Creation Certificate Creation EventID == 44547

Object Modification Certificate Modification EventID == 44547


Object Deletion Certificate Deletion EventID == 44545

Object Modification Interface Modification EventID == 44547

Object Modification Policy Rule Modification EventID == 44547

Object Deletion Static Route Deletion EventID == 44545

Object Deletion Policy Route Deletion EventID == 44545

Object Deletion Interface Deletion EventID == 44545

Object Deletion Policy Rule Deletion EventID == 44545

Object Creation Authentication Creation EventID == 44547

Object Modification Authentication Modification EventID == 44547

Object Modification Authentication Renaming EventID == 44547

Object Deletion Authentication Deletion EventID == 44545

Audit Modification Audit Modification EventID == 44546

System Start System Reboot EventID == 32138

System Shutdown System Shutdown EventID == 32200

Configuration Rule Modification Restore Configuration EventID == 32095

Configuration Rule Modification Backup Configuration EventID == 32138

Configuration Rule Modification Factory Reset Configuration EventID == 32252


Juniper Firewall and VPN Gateway Template

Juniper Firewall and VPN Gateway Controls

Action Subaction Condition (Line Matching)

System Management

Audit Modification Audit Modification .*syslog\sservers.*

Audit Modification Audit Modification per user .*CLI\slogging.*(?:enabled|disabled).*

Configuration Rule Modification Running Configuration Modification .*System\sconfiguration.*erased.*

Audit Log Deletion Audit Log Deletion .*logged\sevents.*

Policy Rule Deletion Policy Rule Deletion .*syslog\smessage.*

System Start System Reboot .*System\swas\sreset.*

User Activity

Logoff Logoff .*logged out.*|.*log\sout.*

Logon Failure Logon Failure .*failed.*|.*rejected.*|.*login failures.*|.*refused.*

Successful Login Successful Login .*logged\son.*|.*accepted.*|.*authentication\ssuccessful.*

Users' Management

User Modification User Modification

User Modification User Renaming

User Creation User Creation

User Deletion User Deletion

Password Modification Password Modification

User Unlock User Unlock


firewalld Template

Using the Application Status Datasource

The following table shows the Application Status on which the template can be used to control the information that is received and actioned in your security schema.

Action Subaction Condition (Line Matching)

System Management

System Shutdown Application Shutdown .*Stopped.*

System Start Application Start .*Started.*

Using the Rejected Transactions Datasource

The following table shows the Rejected Transactions on which the template can be used to control the information that is received and actioned in your security schema.

Action Subaction Condition (Line Matching)

User Activity

Network Access Network Access Rejected .*FINAL_REJECT.*

Imperva (WAF) Template

Using the Standard Datasource

The following table shows the Notification Events on which the template can be used to control the information that is received and actioned in your security schema.

Action Subaction Condition (Line Matching)

System Management

Software Notification Firewall Event .*cat=Alert.*cs3Label=Description

Software Notification Security Event .*cat=Alert.*cs3Label=ServiceName

Software Notification System Event .*cat=SystemEvent.*


Variable Selections and Mapping

These fields configure how the original event fields are mapped into the normalized variables using the CEF Syslog Receiver. If you want to enrich the event using default values, leave the "Value" text box empty and the configured "Default Value" will be used instead.

VARIABLE VALUE

Event Time (Source Timezone) [Event.Event_Time_(Source_Timezone)]

Event timezone offset [Event.Event_timezone_offset]

Source Machine IP Address [CEF.src]

Destination Machine IP Address [CEF.dst]

Protocol [CEF.proto]

Complete Message [Event.Raw_Message]

User Name [CEF.duser]

Variable 01 [CEF.cs1Label] [CEF.cs1]

Variable 02 [CEF.cs2Label] [CEF.cs2]

Variable 03 [CEF.cs3Label] [CEF.cs3]

Variable 04 [CEF.cs4Label] [CEF.cs4]

Variable 05 [CEF.cs5Label] [CEF.cs5]

Barracuda (WAF) Template

Using the Access Log Events

The following table shows the Access Log Events on which the template can be used to control the information that is received and actioned in your security schema.

Action Subaction Condition (Line Matching)

User Activity

Network Access Network Access Accepted .*

Access Log Events Variable Selections and Mapping

These fields configure how the original event fields are mapped into the normalized variables using the CEF Syslog Receiver. If you want to enrich the event using default values, leave the "Value" text box empty and the configured "Default Value" will be used instead.

VARIABLE VALUE

Event Time (Source Timezone) [Event.Event_Time_(Source_Timezone)]

Event timezone offset [Event.Event_timezone_offset]

Complete Message [Event.Raw_Message]

Operator Name [CEF.duser]

User Name [CEF.suser]

Source Machine IP Address [CEF.src]

Destination Machine Name [CEF.dhost]

Session ID [CEF.suid]

Application [CEF.app]

Variable 01 Log type: [CEF.cat]

Variable 02 Service IP: [CEF.dvc]

Variable 03 Service Port: [CEF.cn1]

Variable 04 Client IP: [CEF.src]

Variable 05 Client Port: [CEF.spt]

Variable 06 Login: [CEF.suid]

Variable 07 Certificate User: [CEF.suser]

Variable 08 Method: [CEF.requestMethod]

Variable 09 Protocol: [CEF.app]

Variable 10 Host: [CEF.dhost]

Variable 11 Version: [CEF.flexString1]

Variable 12 HTTP status: [CEF.outcome]

Variable 13 Bytes sent: [CEF.in]

Variable 14 Bytes Received: [CEF.out]

Variable 15 Cache Hit: [CEF.cn2]

Variable 16 Time Taken (ms): [CEF.flexNumber2]

Variable 17 Server IP: [CEF.dst]

Variable 18 Server Port: [CEF.dpt]

Variable 19 Server Time (ms): [CEF.flexNumber1]

Variable 20 Session ID: [CEF.BarracudaWafSessionID]

Variable 21 Response Type: [CEF.BarracudaWafResponseType]

Variable 22 Profile Matched: [CEF.cs4]


Variable 23 Protected: [CEF.cs2]

Variable 24 WF Matched: [CEF.cs6]

Variable 25 URL: [CEF.request]

Variable 26 Query String: [CEF.msg]

Variable 27 Referrer: [CEF.requestContext]

Variable 28 Cookie: [CEF.requestCookies]

Variable 29 User Agent: [CEF.requestClientApplication]

Variable 30 Proxy IP: [CEF.cs3]

Variable 31 Proxy Port: [CEF.cn3]

Variable 32 Authenticated User: [CEF.duser]

Variable 33 Custom Header 1: [CEF.BarracudaWafCustomHeader1]

Variable 34 Custom Header 2: [CEF.BarracudaWafCustomHeader2]

Variable 35 Custom Header 3: [CEF.BarracudaWafCustomHeader3]

Using the Audit Logs

The following table shows the Audit Logs on which the template can be used to control the information that is received and actioned in your security schema.

Action Subaction Condition (Line Matching)

System Management

Configuration Rule Modification Configuration Rule Modification .*\|CONFIG\|.*outcome=SET.*

Configuration Rule Modification Restore Configuration .*\|(?:RESTORE|ROLLBACK)\|.*

Configuration Rule Modification Version Modification .*\|(?:FIRMWARE UPDATE|ENERGIZE UPDATE|FIRMWARE APPLY|FIRMWARE REVERT)\|.*

Configuration Rule Creation Configuration Rule Creation .*\|CONFIG\|.*outcome=ADD.*

Configuration Rule Deletion Configuration Rule Deletion .*\|CONFIG\|.*outcome=DELETE.*

Object Creation Open Support Tunnel .*\|SUPPORT TUNNEL OPEN\|.*

Object Deletion Close Support Tunnel .*\|SUPPORT TUNNEL CLOSE\|.*

System Shutdown System Shutdown .*\|SHUTDOWN\|.*

System Start System Reboot .*\|REBOOT\|.*


User Activity

Logoff Logoff .*\|LOGOUT\|.*

Logon Failure Logon Failure .*\|UNSUCCESSFUL LOGIN\|.*

Successful Login Successful Login .*\|LOGIN\|.*

Network Access Network Access Rejected .*\|ADMIN ACCESS VIOLATION\|.*

User Statement Command Execution .*\|COMMAND\|.*

Audit Logs Variable Selections and Mapping

These fields configure how the original event fields are mapped into the normalized variables using the CEF Syslog Receiver. If you want to enrich the event using default values, leave the "Value" text box empty and the configured "Default Value" will be used instead.

VARIABLE VALUE

Event Time (Source Timezone) [Event.Event_Time_(Source_Timezone)]

Event timezone offset [Event.Event_timezone_offset]

Complete Message [Event.Raw_Message]

Variable 01 Unit Name: [CEF.dvchost]

Variable 02 Log Type: [CEF.cat]

Variable 03 Admin Name: [CEF.duser]

Variable 04 Client Type: [CEF.requestClientApplication]

Operator Name [CEF.duser]

Source Machine IP Address [CEF.src]

Event ID [CEF.cn1]

Object Name [CEF.fname]

Object Type [CEF.fileType]

Previous Value [CEF.cs2]

Current Value [CEF.cs1]

Application [CEF.deviceProcessName]

Variable 06 Client Port: [CEF.spt]

Variable 07 Service IP: [CEF.dst]

Variable 08 Service Port: [CEF.dpt]

Variable 09 Rule: [CEF.cs1]


Variable 05 Transaction Type: [CEF.Name]

Variable 10 Change type: [CEF.outcome]

Variable 11 Object Type: [CEF.fileType]

Variable 12 Object Name: [CEF.fname]

Variable 13 URL: [CEF.request]

Variable 14 Variable: [CEF.cs3]

Variable 15 Old Value: [CEF.cs2]

Variable 16 New Value: [CEF.cs1]

Variable 17 Additional Data: [CEF.msg]

Using the Network Firewall Logs

The following table shows the Network Firewall Logs on which the template can be used to control the information that is received and actioned in your security schema.

Action Subaction Condition (Line Matching)

User Activity

Network Access Network Access Accepted .*act=ALLOW.*

Network Access Network Access Rejected .*act=DENY.*

Network Firewall Logs Variable Selections and Mapping

These fields configure how the original event fields are mapped into the normalized variables using the CEF Syslog Receiver. If you want to enrich the event using default values, leave the "Value" text box empty and the configured "Default Value" will be used instead.

VARIABLE VALUE

Event Time (Source Timezone) [Event.Event_Time_(Source_Timezone)]

Event timezone offset [Event.Event_timezone_offset]

Complete Message [Event.Raw_Message]

Variable 01 Unit Name: [CEF.dvchost]

Variable 02 Log Type: [CEF.cat]

Variable 03 Protocol: [CEF.proto]


Variable 04 Source IP: [CEF.src]

Variable 05 Source Port: [CEF.spt]

Variable 06 Destination IP: [CEF.dst]

Variable 07 Destination Port: [CEF.dpt]

Variable 08 ACL Policy: [CEF.act]

Variable 09 Details: [CEF.cs1]

Protocol [CEF.proto]

Source Machine IP Address [CEF.src]

Destination Machine IP Address [CEF.dst]

Additional Information 1 [CEF.cs1]

Using the System Logs

The following table shows the System Logs on which the template can be used to control the information that is received and actioned in your security schema.

Action Subaction Condition (Line Matching)

User Activity

Network Access Network Access Monitored .*act=LOG.*

Network Access Network Access Suspected .*act=WARNING.*

Network Access Network Access Rejected .*act=DENY.*

System Logs Variable Selections and Mapping

These fields configure how the original event fields are mapped into the normalized variables using the CEF Syslog Receiver. If you want to enrich the event using default values, leave the "Value" text box empty and the configured "Default Value" will be used instead.

VARIABLE VALUE

Event Time (Source Timezone) [Event.Event_Time_(Source_Timezone)]

Event timezone offset [Event.Event_timezone_offset]

Complete Message [Event.Raw_Message]

Variable 01 Unit Name: [CEF.dvchost]

Variable 02 Log Type: [CEF.cat]

Event ID [CEF.externalId]


Additional Information 1 [CEF.msg]

Using the Web Firewall Logs

The following table shows the Web Firewall Logs on which the template can be used to control the information that is received and actioned in your security schema.

Action Subaction Condition (Line Matching)

User Activity

Network Access Network Access Monitored .*act=LOG.*

Network Access Network Access Suspected .*act=WARNING.*

Network Access Network Access Rejected .*act=DENY.*

Web Firewall Logs Variable Selections and Mapping

These fields configure how the original event fields are mapped into the normalized variables using the CEF Syslog Receiver. If you want to enrich the event using default values, leave the "Value" text box empty and the configured "Default Value" will be used instead.

VARIABLE VALUE DEFAULT VALUE

Event Time (Source Timezone) [Event.Event_Time_(Source_Timezone)]

Event timezone offset [Event.Event_timezone_offset]

Complete Message [Event.Raw_Message]

Operator Name [CEF.duser]

Source Machine IP Address [CEF.src]

Application [CEF.app]

Variable 01 Unit Name: [CEF.dvchost]

Variable 02 Log Type: [CEF.cat]

Variable 03 Severity: [CEF.Severity]

Variable 04 Attack type: [CEF.cs4]

Variable 05 Client IP: [CEF.src]

Variable 06 Client Port: [CEF.spt]

Variable 07 Service IP: [CEF.dst]

Variable 08 Service Port: [CEF.dpt]

Variable 09 Rule: [CEF.cs1]

Variable 10 Rule Type: [CEF.cs3]

Variable 11 Action: [CEF.act]

Variable 12 Attack details: [CEF.msg]

Variable 13 Method: [CEF.requestMethod]

Variable 14 URL: [CEF.request]

Variable 15 Protocol: [CEF.app]

Variable 16 Session ID: [CEF.cs6]

Variable 17 User Agent: [CEF.requestClientApplication]

Variable 18 Proxy IP: [CEF.cs5]

Variable 19 Proxy Port: [CEF.cn2]

Variable 20 Authenticated User: [CEF.duser]

Variable 22 Referrer: [CEF.requestContext]

Destination Machine IP Address [CEF.dst]

Object Name [CEF.cs4]

Object Type Attack

Palo Alto Firewall Template

Using the Standard Datasource Events

The following table shows the Standard Datasource Events on which the template can be used to control the information that is received and actioned in your security schema.

Action Subaction Condition (Line Matching)

System Activity

Threat Evidence File Execution .*\|(?:file|data)\|THREAT\|.*


Threat Evidence Flood Detection .*\|flood\|THREAT\|.*

Threat Evidence HTTP Request .*\|url\|THREAT\|.*

Threat Evidence Vulnerability Detection .*\|vulnerability\|THREAT\|.*

Virus Detection Malware Detection .*\|spyware\|THREAT\|.*

Virus Detection Virus Detection .*\|(?:virus|wildfire-virus)\|THREAT\|.*

Virus Scan Virus Scan .*\|(?:scan|wildfire)\|THREAT\|.*

Systems Management

Configuration Rule Modification Configuration Rule Modification .*\|CONFIG\|.*

Software Notification Software Notification .*\|SYSTEM\|.*

User Activity

Successful Login Successful Login .*\|HIP-MATCH\|.*

Network Access Network Access Accepted .*\|Start\|TRAFFIC\|.*

Network Access Network Access Ended .*\|End\|TRAFFIC\|.*

Network Access Network Access Rejected .*\|(?:Drop|Deny)\|TRAFFIC\|.*


Standard Datasource Events Variable Selections and Mapping

These fields configure how the original event fields are mapped into the normalized variables using the CEF Syslog Receiver. If you want to enrich the event using default values, leave the "Value" text box empty and the configured "Default Value" will be used instead.

VARIABLE VALUE

Event Time (Source Timezone) [Event.Event_Time_(Source_Timezone)]

Event Timezone Offset [Event.Event_timezone_offset]

Event ID [CEF.externalId]

Source Machine Name [CEF.shost]

Source Machine IP Address [CEF.src]

Destination Machine Name [CEF.dhost]

Destination Machine IP Address [CEF.dst]

Operator Name [CEF.suser]

User Name [CEF.suser]

Object Name [Event.Object_Name]

Object Type [Event.Object_Type]

Application [CEF.dproc]

Action Result [CEF.outcome]

Severity [CEF.Severity]

Session ID [CEF.suid]

NetService [CEF.proto]

Protocol [CEF.app]

Additional Information 1 [CEF.msg]

Additional Information 2 [CEF.reason]


Previous Value [CEF.oldFileName]

Current Value [CEF.fname]

User Group/Role [CEF.dpriv]

Complete Message [Event.Raw_Message]

Variable 01 [CEF.cfp1Label] [CEF.cfp1]

Variable 02 [CEF.cfp2Label] [CEF.cfp2]

Variable 03 [CEF.cfp3Label] [CEF.cfp3]

Variable 04 [CEF.cfp4Label] [CEF.cfp4]

Variable 05 [CEF.cn1Label] [CEF.cn1]

Variable 06 [CEF.cn2Label] [CEF.cn2]

Variable 07 [CEF.cn3Label] [CEF.cn3]

Variable 08 Event Count: [CEF.cnt]

Variable 09 [CEF.cs1Label] [CEF.cs1]

Variable 10 [CEF.cs2Label] [CEF.cs2]

Variable 11 [CEF.cs3Label] [CEF.cs3]

Variable 12 [CEF.cs4Label] [CEF.cs4]

Variable 13 [CEF.cs5Label] [CEF.cs5]

Variable 14 [CEF.cs6Label] [CEF.cs6]

Variable 15 Nat DST: [CEF.destinationTranslatedAddress]

Variable 16 Nat destination port: [CEF.destinationtranslatedPort]

Variable 17 Device ID: [CEF.deviceExternalId]

Variable 18 Inbound Interface: [CEF.deviceInboundInterface]

Variable 19 Outbound Interface: [CEF.deviceOutboundInterface]

Variable 20 FileType: [CEF.fileType]

Variable 21 [CEF.flexNumber1Label] [CEF.flexNumber1]

Variable 22 [CEF.flexNumber2Label] [CEF.flexNumber2]

Variable 23 [CEF.flexString1Label] [CEF.flexString1]

Variable 24 [CEF.flexString2Label] [CEF.flexString2]

Variable 25 Filename: [CEF.fname]

Variable 26 Filepath: [CEF.filePath]


Variable 27 File ID: [CEF.fileId]

Variable 28 File Hash: [CEF.fileHash]

Variable 29 Bytes IN: [CEF.in]

Variable 30 Bytes OUT: [CEF.out]

Variable 31 Request: [CEF.request]

Variable 32 Request client Application: [CEF.requestClientApplication]

Variable 33 Request context: [CEF.requestContext]

Variable 34 Request method: [CEF.requestMethod]

Variable 35 NAT source: [CEF.sourceTranslatedAddress]

Variable 36 NAT source port: [CEF.sourceTranslatedPort]

Variable 37 PAN OS Action Flags: [CEF.PanOSActionFlags]

Variable 38 PAN OS Content version: [CEF.PanOSContentVer]

Variable 39 PAN OS Desc: [CEF.PanOSDesc]

Variable 40 DG meta data: [CEF.PanOSDGl1] [CEF.PanOSDGl2] [CEF.PanOSDGl3] [CEF.PanOSDGl4]

Variable 41 PAN OS Dst UUID: [CEF.PanOSDstUUID]

Variable 42 PAN OS Monitor Tag: [CEF.PanOSMonitorTag]

Variable 43 Packets Received: [CEF.PanOSPacketsReceived]

Variable 44 Packets Sent: [CEF.PanOSPacketsSent]

Variable 45 Parent session ID: [CEF.PanOSParentSessionI

Variable 46 Parent tunnel session start: [CEF.PanOSParentStartTime]

Variable 47 PAN OS Referer: [CEF.PanOSReferer]

Variable 48 PAN OS Src UUID: [CEF.PanOSSrcUUID]

Variable 49 PAN OS Threat Category: [CEF.PanOSThreatCategory]

Variable 50 PAN OS dropped packets: [CEF.PanOSTunnelFragment]

Variable 51 PAN OS Tunnel type: [CEF.PanOSTunnelType]

Variable 52 PAN OS Tunnel ID: [CEF.PanOSTunnelID]


Variable 53 Full virtual system name: [CEF.PanOSVsysName]

Variable 54 PAN OS Threat Category: [CEF.PanOSThreatCategory]

Variable 55 PAN OS X-Forwarder: [CEF.PanOSXforwarderfor]

Check Point Firewall Template

Using the Standard Datasource Events

The following table shows the Standard Datasource Events on which the template can be used to control the information that is received and actioned in your security schema.

Action Subaction Condition (Line Matching)

User Activity

Logoff Logoff

Successful Login Interactive Login

Successful Login Successful Login

Successful Login Successful VPN Login

Network Access Network Access Accepted

Network Access Network Access Blocked

Network Access Network Access Ended

Network Access Network Access Monitored

Network Access Network Access Quarantined

Network Access Network Access Suspended

Network Access Network Connection Decrypted

Network Access Network Connection Encrypted

Network Access Network Connection Routed

Network Access Traffic Bypass

Network Access Traffic Impact

Network Access Network Access Rejected


Standard Datasource Events Variable Selections and Mapping

These fields configure how the original event fields are mapped into the normalized variables using the CEF Syslog Receiver. If you want to enrich the event using default values, leave the "Value" text box empty and the configured "Default Value" will be used instead.

VARIABLE VALUE

Event Time (Source Timezone) [Event.Event_Time_(Source_Timezone)]

Event Timezone Offset [Event.Event_timezone_offset]

Complete Message [Event.Raw_Message]

Protocol [CEF.app]

Destination Machine Name [CEF.dhost]

User Name [CEF.duser]

Operator Name [CEF.suser]

Source Machine Name [CEF.shost]

Additional Information 1 [CEF.msg]

User Group/Role [CEF.cs3]

Variable 01 [CEF.cs1Label]: [CEF.cs1]

Variable 02 [CEF.cs2Label]: [CEF.cs2]

Variable 03 [CEF.cs3Label]: [CEF.cs3]

Variable 04 [CEF.cs4Label]: [CEF.cs4]

Variable 05 [CEF.cs5Label]: [CEF.cs5]

Variable 06 [CEF.cs6Label]: [CEF.cs6]

Variable 07 [CEF.flexNumber1Label]: [CEF.flexNumber1]

Variable 08 [CEF.flexNumber2Label]: [CEF.flexNumber2]

Variable 09 [CEF.flexString1Label]: [CEF.flexString1]

Variable 10 [CEF.flexString2Label]: [CEF.flexString2]

Object Name [CEF.fname]

Additional Information 2 [CEF.reason]

Variable 11 [CEF.request]

Variable 12 [CEF.requestClientApplication]

Variable 13 [CEF.requestContext]


Variable 14 [CEF.requestCookies]

Variable 15 [CEF.requestMethod]

Source Machine IP Address [CEF.src]

Destination Machine IP Address [CEF.dst]

Variable 16 Source Port: [CEF.spt]

Variable 17 Destination Port: [CEF.dpt]

Apache Web Server Template

Apache Web Server Controls

Action Subaction Condition

User Activity

Network Access Accepted Network Access Accepted .*\s(?:10\d|20\d|30\d)\s\d+.*

Network Access Rejected Network Access Rejected .*\s(?:40\d|41\d|50\d)\s\d+.*
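As an added illustration (not code from the guide or from Event Manager), the two Apache line-matching conditions above can be run over sample access-log lines to see exactly which responses each one classifies. The sample lines are constructed Common Log Format records; first-match evaluation order is an assumption, since the guide does not state how the engine orders rules.

```python
import re

# Line-matching conditions copied from the Apache Web Server template table:
# (Action, Subaction, Condition). Evaluated top to bottom, first match wins
# (assumption; the guide does not state the engine's evaluation order).
APACHE_RULES = [
    ("Network Access Accepted", "Network Access Accepted", r".*\s(?:10\d|20\d|30\d)\s\d+.*"),
    ("Network Access Rejected", "Network Access Rejected", r".*\s(?:40\d|41\d|50\d)\s\d+.*"),
]
COMPILED_RULES = [(a, s, re.compile(p)) for a, s, p in APACHE_RULES]

# Constructed sample lines in Common Log Format (not taken from the guide).
# The last field is %b: bytes sent, written as "-" when no body was returned.
SAMPLE_LINES = [
    '203.0.113.7 - - [10/Sep/2021:08:01:12 +0000] "GET /index.html HTTP/1.1" 200 5124',
    '203.0.113.7 - - [10/Sep/2021:08:01:13 +0000] "GET /admin HTTP/1.1" 403 199',
    '203.0.113.7 - - [10/Sep/2021:08:01:14 +0000] "POST /api/login HTTP/1.1" 500 0',
    '203.0.113.7 - - [10/Sep/2021:08:01:15 +0000] "GET /logo.png HTTP/1.1" 304 -',
    '203.0.113.7 - - [10/Sep/2021:08:01:16 +0000] "GET /api/search HTTP/1.1" 429 87',
]


def classify(line):
    """Return (Action, Subaction) of the first rule whose condition matches, else None."""
    for action, subaction, rx in COMPILED_RULES:
        # Both patterns begin and end with .*, so a full match is equivalent to a search.
        if rx.fullmatch(line):
            return (action, subaction)
    return None


def uncovered_status_codes(codes):
    """Return the HTTP status codes in `codes` that neither template condition matches.

    A synthetic log line is built for each code with a numeric byte count, so the
    result reflects only the status-code ranges the two patterns cover.
    """
    uncovered = []
    for code in codes:
        line = f'198.51.100.1 - - [10/Sep/2021:08:00:00 +0000] "GET / HTTP/1.1" {code} 512'
        if classify(line) is None:
            uncovered.append(code)
    return uncovered


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{line.split()[-2]:>4} {line.split()[-1]:>5} -> {classify(line)}")
    common = [200, 201, 204, 206, 301, 304, 307, 308, 401, 403, 404, 418,
              422, 429, 451, 500, 502, 503, 511]
    print("not covered by either condition:", uncovered_status_codes(common))
```

Two observations fall out of running it: a "304 -" line matches neither condition because both require a numeric byte count after the status code, and codes outside 10x/20x/30x and 40x/41x/50x (for example 422, 429, 451 and 511) are not categorised at all.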


SIOPEL Template

SIOPEL Controls

Additional Controls Datasource

The following controls can be applied to SIOPEL software from within the Additional Controls pre-configured datasource:

Action Subaction Condition

Users' Management

Grant Permission Grant Permission .*

Standard Datasource

Action Subaction Line Matching

User Activity

Logoff Logoff .*Logout del Operador.*

Logon Failure Logon Failure .*Login del Operador con sec.*fallido.*

Successful Login Logon Failure .*Login del Operador con sec.*exitoso.*

User Statement Solicitud de Login .*Pedido Login del Operador con sec.*

Users' Management

Cambio de limites User Modification .*Aceptaci.+n de cambio de L.+mites de Agentes.* aceptado

Cambio de limites User Modification .*Rechazo al pedido de cambio de L.+mites.* rechazado

User Modification Cambio de permisos .*Pedido de cambio permisos.*

Password Modification Password Modification .*Pedido de cambio Clave de Operador con sec.*exitoso.*

Password Modification Cambio de Dias .*Cambio de Dias Password para el Operador.*

Modificación de contraseña fallida Password Modification .*Pedido de cambio Clave de Operador con sec.*fallido.*

Password Reset Password Reset .*Pedido de cambio Clave para Operador.*con sec.*


User Creation and Deletion Datasource

Action Subaction Line Matching

Users' Management

User Creation User Creation .*Pedido de Alta de Operador.*

User Deletion User Deletion .*Pedido de Baja de Operador.*|.*Pedido de Baja de Perfil de Operador.*

Users Modifications Datasource

Action Subaction Line Matching

Users' Management

User Modification User Modification .*


SWIFT Template

SWIFT Controls

SWIFT Additional Events Datasource

The following controls can be applied to SWIFT software from within the Additional Events pre-configured datasource:

Action Subaction Condition

System Management

Software Notification Software Notification .*

SWIFT Standard Datasource

The following controls can be applied to SWIFT software from within the Standard pre-configured datasource:

Action Subaction Condition

System Management

Object Backup Object Backup .*Backup.*Restore.*

User Activity

Logoff Inactivity Timeout .*Inactivity Time out.*

Logoff Logoff .*Signoff.*

Logon Failure Logon Failure .*Invalid signon attempt.*

Successful Login Login Reconnect .*Login after timeout.*

Successful Login Successful Login .*Successful signon.*

Users' Management

User Disabling User Disabling .*Operator disabled.*

User Enabling User Enabling .*Operator enabled.*

Password Modification Password Modification .*Change password.*


Electronic Means of Payment (MEP) Template

MEP Controls

Administrator Activity Datasource

The following controls can be applied to Electronic Means of Payment (MEP) software from within the Administrator Activity pre-configured datasource:

Action Subaction Matching Event ID

Systems Management

Object Modification Database Modification 31

Object Backup Object Backup 29

Object Creation Function Creation 28

Object Creation Object Creation 26

Audit Log Deletion Audit Log Deletion 11

Object Deletion Object Deletion 27

User Activity

Object Access Read Object 24

Logoff Logoff 03

Logoff Logoff Disconnect 30

Users' Management

User Modification User Modification 08

User Creation User Creation 07

User Disabling User Disabling 05, 10, 22

User Deletion User Deletion 06, 23

User Enabling User Enabling 04, 09, 21

Password Modification Password Modification 01

User Unlock User Unlock 02


User Activity Datasource

The following controls can be applied to Electronic Means of Payment (MEP) software from within the User Activity pre-configured datasource:

User Activity

Successful Login Successful Login .*


Powertech Exit Point Manager Template

Powertech Exit Point Manager Controls

Action Subaction Condition

User Activity Network Access Accepted EventID=UNAXXXX

User Activity Network Access Rejected EventID=UNRXXXX


Powertech Authority Broker Template

Powertech Authority Broker Controls

Action Subaction Condition

User Activity User Switch EventID=UBG0001

User Activity User Switch End EventID=UEN0001

User Activity User Swap logging EventID=UBH0001

User Activity User Action logging EventID=UER0001

User Activity User Switch Firecall EventID=UFC0001

User Activity User Switch Failed EventID=UFL0001

Powertech Identity and Access Manager (BoKS) Template

Powertech Identity and Access Manager (BoKS) Controls

Action Subaction Condition (Line Matching)

System Management

Configuration Rule Modification Attribute Modification .*bksdef\s*-\s*.*

Object Modification File Modification .*filmon_.*

System Shutdown Application Shutdown .*sysreplace_restore.*

User Activity

Logoff FCC Logoff .*bccas_logout.*

Logoff PWM Logoff .*pwm_logout.*

Logoff SSH Logoff .*sshd - logout.*

Logon Failure FCC Logon Failure .*bccas_login_fail.*

Logon Failure PWM Logon Failure .*pwm_login_fail.*

Logon Failure SSH Logon Failure .*sshlogin_.*fail.*


Successful Login BCCPS Login .*bccas_login_ok.*

Successful Login PWM Login .*pwm_login_ok.*

Successful Login SSH Login .*sshlogin_ok[^\s]+.*

User Statement SSH CMD Exec .*ssh_runcmd.*

User Statement Temporary Privilege Usage .*suexec[^\s]+ok.*

User Switch User Switch .*su_ok.*

Users' Management

Group/Role/Profile Creation Group Creation .*\sadd_unix_group.*\s.*

Group/Role/Profile Creation User Class Creation .*\sprofile_added\s.*

Group/Role/Profile Deletion Group Deletion .*\sdelete_unix_group.*\s.*

Group/Role/Profile Deletion User Class Deletion .*profile_deleted\s.*

Group/Role/Profile Modification User Class Modification .*accessroute_(add|mod|del).*type=\

User Addition to Group/Role/Profile User Addition to User Class .*\suserclass_adduser[s]*\s.*

User Creation User Creation .*\screated_user\s.*

User Deletion User Deletion .*\sremoved_user\s.*

User Lock User Lock .*\suser_blocked(_comment)*\s.*

User Modification User Modification .*modbks.*

User Removal From Group/Role/Profile User Removal From User Class .*\suserclass_remuser[s]*\s.*

User Unlock User Unlock .*user_unblocked.*


Policy Minder Template

Policy Minder Controls

Action Subaction Condition

System Activity CHECK_IT_NON_COMPLIANT action="CheckIt".*are NOT compliant

System Activity CHECK_IT__BUCKET_NON_COMPLIANT action="CheckIt" type="AmazonS3Bucket"

System Management CREATE_BUCKET action=AddBucket

System Management DROP_OBJECT action=.(?:DeleteBucket|Checklist}.*deleted.*

Users Management CREATE_USER AWS Cloud Service Account.*added

Users Management DROP_USER DeleteAWSCloudServiceAccount

Users Management ALTER_USER AWS Cloud Service Account.*updated


Powertech Anti-Virus for AIX/Linux Template

Requirements

Syslog Events must be forwarded to the machine on which Event Manager is installed.

Powertech Anti-Virus for AIX/Linux Controls

Action Subaction Condition Description

System Management Virus Definition Not Updated SGAV virus definitions are \d+ days old Records whenever the virus definition file has not been updated

System Management Update Virus Definition SGAV\s(?:NOTICE DAT files updated to|NOTICE DAT levels the same|ERROR DAT update failed) Records whenever the virus definition file update fails

System Activity Quarantined File SGAV WARN quarantined file Records whenever a file has been quarantined

System Management Shutdown (SGAV FATAL|SGAV NOTICE Stopping avsvc service) Records whenever a fatal shutdown of Stand Guard Anti-Virus occurs

System Management Startup SGAV NOTICE Starting Records whenever Stand Guard Anti-Virus is starting

System Activity Virus Detected SGAV WARN VIRUS.*INFECTED Records whenever a virus infection is detected

System Activity Virus Scan SGAV NOTICE avscan completed Records whenever a virus scan has been completed

System Management Software Error SGAV ERROR and not SGAV ERROR Dat update failed Records whenever error

Powertech Anti-Virus For IBM i Template

Powertech Anti-Virus for IBM i Controls

Action Subaction Condition

System Activity

File Quarantined File Quarantined .*AVI0135.*

Virus Detection Virus Detection .*AVE0131.*

Virus Scan Virus Scan .*AVE0139.*


System Management

Configuration Rule Modification Virus Definition Update .*(?:AVC0204|AVC0202).*


SAP ASE (Sybase) Template

SAP ASE (Sybase) Controls

Action Subaction Condition

System Activity

Fatal Errors User Switch EventID=36

Not Categorized Sybase .*

System shutdown/Started System shutdown EventID=51

System shutdown System started EventID=50

System Management

Audit Modification Audit disabled EventID=74

Audit Modification Audit enabled EventID=73

Audit Modification Audit option change EventID=78

Audit Modification Truncate audit table EventID=58

Comandos (kill/terminate) Comandos (kill/terminate) EventID=89

Database Administration Alter Database EventID=2

Database Administration Alter Table EventID=3

Database Administration Create Database EventID=9

Database Administration Create Default EventID=14

Database Administration Create Index EventID=104

Database Administration Create Message EventID=15

Database Administration Create Procedure EventID=11

Database Administration Create Rule EventID=13

Database Administration Create SQLJ Function EventID=97

Database Administration Create Table EventID=10

Database Administration Create Trigger EventID=12

Database Administration Create View EventID=16

Database Administration DBCC Command EventID=81

Database Administration Delete Table EventID=18

Database Administration Delete View EventID=19


Database Administration Drop Database EventID=26

Database Administration Drop Default EventID=31

Database Administration Drop Index EventID=105

Database Administration Drop Message EventID=32

Database Administration Drop Procedure EventID=28

Database Administration Drop Rule EventID=30

Database Administration Drop SQLJ Function EventID=98

Database Administration Drop Table EventID=27

Database Administration Drop Trigger EventID=29

Database Administration Drop View EventID=33

Database Administration Dump Database EventID=34

Database Administration Dump Transaction EventID=35

Database Administration Insert Table EventID=41

Database Administration Insert View EventID=42

Database Administration Load Database EventID=43

Database Administration Load Transaction EventID=44

Database Administration Mount Database EventID=101

Database Administration Truncate Table EventID=64

Database Administration Unmount Database EventID=102

Database Administration Update View EventID=71

User Activity

Logon Failure Logon Failure EventID=41, EventMod=2

Successful Login Successful Login EventID=45, EventMod=1

User Statement Cmdtext EventID=92

User Statement Exec procedures EventID=38

User Statement Exec trigger EventID=39

Users' Management

User Addition to Group/Role/Profile User Addition to Role EventID=85.*grant role

Group/Role/Profile Modification ADD Exclusive membership EventID=85.*ADD EXCLUSIVE

Group/Role/Profile Modification Command/Object/Column Added EventID=40.*grant

Group/Role/Profile Modification Command/Object/Column Dropped EventID=47.*revoke


Group/Role/Profile Modification DROP Exclusive membership EventID=85.*DROP EXCLUSIVE

User Modification Default Database EventID=38.*objname: sp_defaultdb

User Modification Max Failed Login EventID=38.*objname: sp_modifylogin.*max failed_login

User Modification Min Password Length EventID=38.*objname: sp_modifylogin.*min passwd length

User Modification Password Expiration Interval EventID=38.*objname: sp_modifylogin.*passwd expiration

Group/Role/Profile Creation Role Creation EventID=85.*CREATE ROLE

User Creation User Creation EventID=38.*objname: sp_addlogin

Group/Role/Profile Deletion Role Deletion EventID=85.*DROP ROLE

User Deletion User Deletion EventID=38.*objname: sp_droplogin

Password Reset Password Reset EventID=38.*objname: sp_password

User Removal From Group/Role/Profile User Removal from Role EventID=85.*revoke role

User Lock User Lock EventID=38.*objname: sp_locklogin.*, lock

User Unlock User Unlock EventID=38.*objname: sp_locklogin.*unlock


Network Insight Template

Network Insight Controls

Network Insight Asset Changes Datasource

The following controls can be applied to Network Insight software from within the Asset Changes pre-configured datasource:

Action Subaction Condition

System Activity

Check it Asset Expired .*Asset\/Expired.*

Check it Asset Suspected .*Asset\/Suspected.*

Fix it Asset Remediated .*Asset\/Remediated.*

Virus detection Malware Detection .*Asset\/Infected.*

Network Insight Asset Evidence Datasource

The following controls can be applied to Network Insight software from within the Asset Evidence pre-configured datasource:

Action Subaction Condition

System Activity

Threat Evidence DNS Lookup .*Evidence\/DNS_Lookup.*

Threat Evidence File Download Status Change .*Evidence\/File_Download_Status_Change.*

Threat Evidence File Download .*Evidence\/File_Download.*

Threat Evidence File Execution .*Evidence\/File_Execution.*

Threat Evidence File Status Change .*Evidence\/File_Status_Change.*

Threat Evidence HTTP Request .*Evidence\/HTTP_Request.*

Threat Evidence Proxy HTTP Request .*Evidence\/Proxy_HTTP_Request.*

Threat Evidence TCP Connection .*Evidence\/TCP_Connection.*

Threat Evidence UDP Connection .*Evidence\/UDP_Connection.*


Network Insight Healthchecks Datasource

The following controls can be applied to Network Insight software from within the Healthchecks pre-configured datasource:

Action Subaction Condition

System Management

Software Notification NIC Down HealthCheck\/NIC_Down

Software Notification Sensor Down HealthCheck\/Sensor_Down

Network Insight System Management Datasource

The following controls can be applied to Network Insight software from within the System Management pre-configured datasource:

Action Subaction Condition

System Management

Configuration Rule Modification Configuration Rule Modification .*msg=.*\s+changed \/global.*from.*to.*

Object Creation Object Creation .*\s+created custom threat.*

Object Modification Object Modification .*\s+changed custom threat.*

Network Insight User Activity Datasource

The following controls can be applied to Network Insight software from within the User Activity pre-configured datasource:

Action Subaction Condition

System Management

Configuration Rule Modification Threat Definition Update .*Threat Update.*

User Activity

Logoff Interactive Logoff .*session.*has ended.*

Login Failure Interactive Login Failure .*login failed.*

Successful Login Interactive Login .*has logged in.*


Network Insight User Management Datasource

The following controls can be applied to Network Insight software from within the User Management pre-configured datasource:

Action Subaction Condition

Users' Management

Password Modification Password Modification .*The password of user.* was changed by user.*

User Addition to Group/Role/Profile Member Addition to User/Role .*The roles of user.*was changed from.*

User Creation User Creation .*User.*created by.*

User Deletion User Deletion User.*deleted.*

User Disabling User Disabling .*The disabled of user.*was changed from false to true by user.*

User Enabling User Enabling .*The disabled of user.*was changed from true to false by user.*

User Modification User Modification .*The(?!disabled|password|roles).* of user*was changed from.* to.* by user.*


Intermapper Template

The Intermapper template contains two datasources to determine the discovery of Intermapper assets and the receipt of Intermapper notifications.

Assets Discovery Datasource

The Assets Discovery datasource is used to automatically discover any Intermapper assets which, once discovered, can then be used to send notifications of events to Event Manager.

Intermapper Notifications Datasource

This datasource is used to receive any system notifications from the discovered Intermapper assets.

Action Subaction Condition

Software Notification Software Notification .*


DB2 for i Template

DB2 for i Controls

Powertech Database Monitor For IBM i Controls

The following User Activity controls can be applied to DB2 for IBM i Database software from within the Powertech Database Monitor for IBM i pre-configured datasource:

Action Subaction Condition

User Statement Delete Statement OPERATION TYPE=D

User Statement Insert Statement OPERATION TYPE=A

User Statement Select Statement OPERATION TYPE=R

User Statement Update Statement OPERATION TYPE=C

VMC DataMonitor (Delete-Clear Table-End Journaling action), (Insert-Update statements) and VMC Interactive SQL Monitor

The following System Management and User Activity controls can be applied to DB2 for IBM i Database software from within the VMC DataMonitor (Delete-Clear Table-End Journaling action), VMC DataMonitor (Insert-Update statements) and VMC Interactive SQL Monitor pre-configured datasources:

Datasource Control Action Subaction Condition

VMC DataMonitor (Delete-Clear Table-End Journaling action) System Management Audit Modification End Journaling OPERATION TYPE=E

VMC DataMonitor (Delete-Clear Table-End Journaling action) System Management Object Deletion Table Clear OPERATION TYPE=C

VMC DataMonitor (Delete-Clear Table-End Journaling action) System Management Object Deletion Table Deletion OPERATION TYPE=F

VMC DataMonitor (Delete-Clear Table-End Journaling action) User Activity User Statement Delete Statement OPERATION TYPE=D

VMC DataMonitor (Delete-Clear Table-End Journaling action) User Activity User Statement Select Statement OPERATION TYPE=R

VMC DataMonitor (Insert-Update statements) User Activity User Statement Insert Statement OPERATION TYPE=A

VMC DataMonitor (Insert-Update statements) User Activity User Statement Update Statement OPERATION TYPE=U

VMC Interactive SQL Monitor User Activity User Statement Failed Interactive SQL Sentence Message ID equals .*SQl9000.*

VMC Interactive SQL Monitor User Activity User Statement Successful Interactive SQL Sentence Message ID equals .*SQl8000.*
