Common Management Database Database Definition & User Guide

Transcription

1 orrelog Common Management Database Database Definition & User Guide This guide provides brief information on the tables accompanying the Common Management Database (CMDB) Adapter of the CorreLog Server. This is optional software that can be installed into an existing copy of CorreLog to provide near real-time visibility to audit reports and ticket information, in particular to support the ASG EAMS system as well as other dashboard and reporting software. Background The CorreLog CMDB software supports various different SQL tables, accessed by an ODBC data source name. Prior to using the CMDB interface, the operator should configure a data source name (DSN) in the "Reports > ODBC" tab of the system, as described in the CorreLog User Manual (and elsewhere.) Once the ODBC data source is configured, the operator can click the "System > CMDB" tab to specify this name along with table names, update parameters, and other parameters. The CorreLog CMDB software automatically creates tables in the specified database. Information in these tables is reflected in other parts of CorreLog. Specifically, the data is also available via the "Reports > Audit" tab of the system, as well as the "Tickets" tab of the system. CorreLog updates tables with this information in real time. Additionally, the user can list this information in the reporting and ticket facility. (Unlike the reporting facility, data is updated in near real-time within the configured tables; in contrast, the reporting facility generates reports only on demand.) The table schemas for the CorreLog CMDB are designed to provide numerous functions related to both system security and performance. Except for the ODBC source and table names, these table schemas are not modifiable by the enduser. Each of these tables is described in detail within the sections that follow.

2 User Activity Table The "User Activity Table" reflects the data that is generated by the "Reports > Audit > User Activity" screen. This data provides information regarding each managed user discovered by CorreLog and existing in the "Messages > Users" tab of the system. By default, the name of this table is "User_Activity". (The precise name can be modified on the "System > CMDB" tab of the CorreLog system.) The table consists of the following specific columns: User_Name. This is the name of the managed user, also listed in the "Messages > Users" tab of the system. Any non-managed user is not listed. To add a new managed user to the system, the operator can click the "AddNew" button of the "Messages > Users" tab, but generally these user names will be automatically discovered by the system based upon the "User Discover Match Patterns" (accessed via the "Advanced" button on the "Messages > Users" tab.) Last_Workstations. This is an enumerated list of the self-identified last workstations for the user. The last five workstations are listed. The total number of workstations is provided in a separate column. Note that these are the non-authoritative workstation names parsed from messages, which may be different than the official domain names for the workstation. Total_Workstations. This integer value is the total number of workstations referenced by the user. If the value is less than five, then the complete list of workstations is shown in the "Last_Workstations" column. If the value is more than five, this value represents a general metric for how many workstations the user has accessed. The value is nominal, and may be more than the actual number of workstations accessed (if the user is rapidly changing workstations.) Last_Addresses. This is an enumerated list of the authoritative IP addresses that sent messages referencing the managed user. The last five IP addresses are listed, and the total number of addresses is provided in a separate column. These are the IP addresses of the various devices that sent messages referencing the user, such as the domain controller for the user, or the user's local workstation. Total_Addresses. This integer value is the total number of addresses that sent messages referencing the user. If the value is less than five, then the complete list of addresses is shown in the "Last_Addresses" column. If the value is more than five, this value represents a general metric for how many addresses referenced the user. CMDB Guide, Page - 2

3 Last_Logon_Time. This is the last known logon time for the user. If no logon has been detected for the user since the system started, the value may be the year This value is useful for determining how long a user has been on the system. Session_Count. This integer value is the number of user sessions, where a "session" is defined as a period of continuous activity for the user. This session time is variable, and can be configured by the administrator via the "Audit" facility. (The default session time is 300 seconds.) A new session does not necessarily imply that the user has logged of the system and logged on again, but only that the managed user ceased activity. Total_Active_Time. This integer value is the total number of seconds that the user has been active. This value, divided by the number of Total Sessions, yields the total average session time for a managed user since CorreLog system startup. Failed_Logons. This integer value is the total number of failed logons for the user since system startup. A high value for this number may indicate a break-in attempt using the specified user's logon name. Account_Lockouts. This integer value is the total number of account lockouts for the user since system startup. If there are multiple unexpected user lockouts, this may indicate a break-in attempt using a variety of managed user login names. Warnings. This integer value is the total number of messages for the user that are of "Warning" severity and higher since system startup. This value may be set by a variety of indicators associated with the CorreLog agent, or associated with LDAP and Active Directory. Activity_Metric. This integer value is the total activity for the user, which may (or may not) indicate the user's productivity or actions. The value does not necessarily indicate a security threat. Last_EvtID. This integer value is valid only for users of Windows workstations and servers, and indicates the last Event Log event ID for a message recorded by the User Activity report, mainly useful for debug and forensics. Last_Msg_Offset. This hexadecimal number is the offset of the last message received by the system for the user, mainly useful for debug and forensics. The value represents the offset into the current log file where the last message for the user starts. CMDB Guide, Page - 3

4 Device Activity Table The "Device Activity Table" reflects the data that is generated by the "Reports > Audit > Device Activity" screen. This data provides information regarding each managed device of CorreLog, existing in the "Messages > Devices" tab of the system. By default, the name of this table is "Device_Activity". (The precise name can be modified on the "System > CMDB" tab of the CorreLog system.) The table consists of the following specific columns: Device_Address. This is the IP address of the managed device. Usually, in the absence of any configured override, this will be the address of a device that sent CorreLog a message. Device_Name. This is the unofficial name of the device, configured in the "Device Info" screen of the system. This may be the DNS name, or may be some other name configured by the CorreLog operator for the IP address. Device_Type. This is the type of the device, configured in the "Device Info" screen of the system. The value is the first part of the device description. Note that the user can select a device type via the "Insert" button found on the "Device Info" screen, which may facilitate organization of the table data. Active_Secs. This integer value is the total number of seconds that the device has been active since system startup, i.e. the amount of time that the device has been continuously sending messages without significant cessation. Idle_Secs. This integer value is the total number of seconds that the device has been idle since system startup The particular time threshold that identifies the point at which a device becomes idle is configured via the "Advanced" button of the "Reports > Audit > Device Activity" screen, by default 300 seconds (five minutes.) Security_Msgs. This integer value is the total number of messages received from a "Security" log source of the manage device. In the case of Windows platforms, this represents the number of messages logged from the "Security" event log. For other platforms, this represents the number of "security", "auth", and "audit" facility messages. System_Msgs. This integer value is the total number of messages received from a "System" log source of the manage device. In the case of Windows platforms, this represents the number of messages logged from CMDB Guide, Page - 4

5 the "System" event log. For other platforms, this represents the number of "kernel", "system", "internal" and "lock" facility messages since system startup. App_Msgs. This integer value is the total number of messages received from an "Application" log source. In the case of Windows platforms, this represents the number of messages logged from the "Application" event log. For other platforms, this represents the number of messages not accounted for by the "Security" and "System" message counts (described above.) Info_Msgs. This integer value represents the number of "debug", "info" and "notice" severity messages for the managed device since system startup. Warning_Msgs. This integer value represents the number of "warning" severity messages for the managed device since system startup. Error_Msgs. This integer value represents the number of "error" severity messages for the managed device since system startup. Critical_Msgs. This integer value represents the number of "critical", "alert" and "emergency messages for the managed device since system startup. Total_Activity. This integer value represents the total message count for the manage device since system startup. CMDB Guide, Page - 5

6 Perimeter Table The "Perimeter Table" reflects the data that is generated by the "Reports > Audit > Perimeter" screen. This data provides information regarding external addresses detected by CorreLog in any message that contains both an internal and external IP address. Note that if this table does not contain any data, the system administrator has likely configured no peripheral devices (such as a router or firewall) to send messages to CorreLog. Because perimeter devices may not necessarily be managed devices, this situation is quite common, and the Perimeter table will be devoid of information. By default, the name of this table is "Perimeter". (The precise name can be modified on the "System > CMDB" tab of the CorreLog system.) The table consists of the following specific columns: External_Address. This value is an external IP address. The value will be an IP address associated with one or more internal addresses listed in the table row, parsed from a message received by CorreLog from the "Source_Addr" managed device. Country_Code. This value is the two letter country code associated with the external address, fetched from the CorreLog "Geo-IP" database. The list of country codes can be found in the "Geo-IP Lookup Tool", accessed via the "More" hyperlink in the upper right corner of the CorreLog web display. The special "ZZ" country code references an IP address that is not registered, or may indicate the Geo-IP database is out-of-date. Local_Addrs. This value is an enumerated list of local addresses that have been in communication with the external address. Only the first five local addresses are listed. The "Total_Local_Addrs" value indicates the total number of local addresses in communication with the external address. Total_Local_Addrs. This integer value is the total number of local addresses in communication with the external address. If the value is less than five, then the complete list of local addresses is shown in the "Local_Addrs" column. If the value is more than five, this value represents a general metric for how many local addresses have referenced the external address. The value is nominal, and may be more than the actual number of local addresses (if many users are accessing the external address.) CMDB Guide, Page - 6

7 Source_Addr, This value is the source IP address of the message that referenced the external address. This is typically the address of the firewall or router that generated the original message. Protocols. This value is an enumerated list of protocols that were used between the local addresses and external addresses. A heuristic algorithm is used to determine these protocols, which include common application protocols as well as TCP, UDP, and ICMP protocols. The list can also contain "Unknown" as a protocol value. Total_Protocols. This integer value is the total number of protocols identified by the external address.. The value is nominal, and may be more than the actual number of workstations accessed (if the user is rapidly changing workstations.) Info. This integer value represents the number of "debug", "info" and "notice" severity messages associated with the external address system startup. Warning. This integer value represents the number of "warning" severity messages associated with the external address system startup. Error. This integer value represents the number of "error" severity messages associated with the external address system startup. Critical. This integer value represents the number of "critical", "alert", and "emergency" severity messages associated with the external address system startup. Total_Activity. This integer value represents the total number of messages that referenced the external address. Last_Msg_Time. This value is the time of the last message referencing the external address received by the CorreLog system. Last_Msg_Offset. This hexadecimal number is the offset of the last message received by the system for the external address, mainly useful for debug and forensics. The value represents the offset into the current log file where the last message for the user starts. CMDB Guide, Page - 7

8 Account Management Table The "Account Management Table" reflects the data that is generated by the "Reports > Audit > Account Management" screen. This data provides information regarding user accounts that have been created, deleted, or modified. This information is listed in chronological order of occurrence, and is useful for tracking managed users (which is an essential part of PCI/DSS and other security standards.) Note that this table monitors account management functions ONLY for Windows platforms. For best results, the system administrator should install the Windows agent on one or more Domain Controllers (although this table also contains local account information for each managed platform.) If this table contains no data, the, the system administrator has likely configured no domain controllers as managed devices. By default, the name of this table is "Account_Management". (The precise name can be modified on the "System > CMDB" tab of the CorreLog system.) The table consists of the following specific columns: Event_Time. This value is the time of the account management change, i.e. the time that CorreLog received the account management message from the Source Address (below) Source_Addr. This value is the IP address of the device that sent the account management address. For local logins, it will be the IP address of a managed device. In other cases, it will be the IP address of the platform running active directory. EvtID. This is the Windows security event ID associated with this account management event, provided mainly for completeness and to support forensics. Oper_Type. This value is a text string indicating the operation type, either "Account Created", "Account Modified", "Account Deleted", "Group Created", "Group Modified", or "Group Deleted". Tgt_Type. This value is a text string that further describes the operation type (described above) by indicating the type of the target account. There are various possible values including "User Account", "Local Security Group", "Global Security Group", "Universal Security Group", "Application Security Group", and other text values. Admin_Domain. This value is the domain name of the administrator that made the change to the user account. CMDB Guide, Page - 8

9 Admin_Name. This value is the logon name of the administrator that made the change to the user account. Target_Domain. This value is the domain name of the user who's account was created, modified, or deleted. Target_Group. This value will be "None" for operations that are not group operations. Otherwise, this will be the group that was created, modified, or deleted by the administrator. Target_Names. This is an enumerated list of the account names that were affected by the change. (Note that a change can affect more than one user, hence this may contain more than one value.) The last five account names are listed, and the total number of names is provided in a separate column. Total_Names. This integer value is the total number of account names that were affected by a change. If the value is less than five, then the complete list of account names that were affected is shown in the "Target_Names" column. If the value is more than five, this value represents a general metric for how many accounts were affected.. Msg_Offset. This hexadecimal number is the offset of the last message received by the system for the account change, mainly useful for debug and forensics. The value represents the offset into the current log file where the last message for this change starts. CMDB Guide, Page - 9

10 Tickets Table The "Tickets Table" contains information related to the ticketing system. Unlike the other tables described above, this particular table does not exactly reflect the data of an Audit report. (The "Audit > Tickets" report does not have an associated table, and the "Tickets" table should not be confused with any CorreLog audit report.) The "Tickets" table summarizes tickets that have been opened on the system by ticket assignee, and includes metrics that describe how many tickets have been generated during normal operation during several different time intervals. Therefore, the "Tickets" table represents one of the central alerting mechanisms of the CMDB database structure, and contains information regarding site specific threats. By default, the name of this table is "Tickets". (The precise name can be modified on the "System > CMDB" tab of the CorreLog system.) The table consists of the following specific columns: Username. This is the name of the user that is assigned the ticket. Users are created by the System > Logins screen, or by the "Tickets > Config > Ticket Groups" screen, and are specified in the Alerts > Counters screen. One special user is the "All" user, which does not need to be added to the system. Description. This is the full name of the user that is specified "Username", configured on the System > Logins screen, and can be used as a label on any CMDB dashboard. CurrentCount. This is the total number of tickets opened for the user since the "CurrentCount" interval, by default 1 hour. HourCount. This is the total number of tickets opened for the user since the "HourCount" interval, by default 4 hours. DayCount. This is the total number of tickets opened for the user since midnight of the previous day. CurrentSeverity. This is the numeric severity of the worst-case ticket opened during the "CurrentCount interval. The value ranges from 100% to 0% or 0 to 7, depending upon the setting of the "Severity Display Mode" field, discussed previously. HourSeverity. This is the numeric severity of the worst-case ticket opened during the "HourCount interval. The value ranges from 100% to CMDB Guide, Page - 10

11 0% or 0 to 7, depending upon the setting of the "Severity Display Mode" field, discussed previously. DaySeverity. This is the numeric severity of the worst-case ticket opened since midnight of the previous day. The value ranges from 100% to 0% or 0 to 7, depending upon the setting of the "Severity Display Mode" field, discussed previously. PercentLoad. This is a percentage of tickets assigned to this user, with respect all tickets on the system. (The "All" user will have a value of 100%.) The above values permit a dashboard to be implemented to view the CMDB data, suitable for use by operations personnel. In particular, the table architecture permits indicator lights to reflect the status of each user group, reflecting current ticket status, recent ticket status, and daily ticket status. To affect the values, the user simply logs into CorreLog and closes tickets or changes ticket severities. A more complete description of the "Tickets" table, including information not provided herein, can be found in the CorreLog "User Manual", Section 7. The CorreLog "User Manual?" contains other information related to tickets, which may be necessary to fully configure and understand the usage of the CMDB "Tickets" table described here. CMDB Guide, Page - 11

12 Example Queries This section provides example queries that may be useful for fetching specific types of data from the CorreLog CMDB facility. Each query can be tested using the "Reports > ODBC" tool of the web interface. User Activity Example Queries Select the total number of managed users on the system. select count (User_Name) from User_Activity Select the number of users with more than three logon failures select count (*) from User_Activity where Failed_Logons > 3 Select the number of locked out users. select count (*) from User_Activity where Account_Lockouts > 0 Select the number of users with warnings. select count (*) from User_Activity where Warnings > 0 Select the number of users logged into more than five platforms. select count (*) from User_Activity where Total_Workstations > 5 Select the number of low activity users. select count (*) from User_Activity where Activity_Metric < 100 Select the number of high activity users. select count (*) from User_Activity where Activity_Metric > 2000 Select the number of users logged into machines called "Notebook". select count (*) from User_Activity Last_Workstations like '%LAPTOP%' or Last_Workstations like '%NOTEBOOK%' where CMDB Guide, Page - 12

13 Device Activity Example Queries Select the total number of managed devices. select count (*) from Device_Activity Select the number of devices with high warning counts. select count (*) from Device_Activity where Warning_Msgs > 1000 or Error_Msgs > 1000 or Critical_Msgs > 1000 Select the number of "Server" devices with high warning counts. select count (*) from Device_Activity where (Warning_Msgs > 1000 or Error_Msgs > 1000 or Critical_Msgs > 1000) And Device_Type like '%Server%' Select the number of low activity devices. select count (*) from Device_Activity where Total_Messages < 100 Select the number of high activity devices. select count (*) from Device_Activity where Total_Messages > Select devices where the % App message counts are greater than 60% select count(*) from Device_Activity where (Total_Activity > 0) and (100 * App_Msgs) / Total_Activity > 60 Select devices where the % warning messages counts are greater than 15% select count (*) from Device_Activity where (Total_Activity > 0) and (100 * (Warning_Msgs + Error_Msgs + Critical_Msgs))/ Total_Activity > 15 CMDB Guide, Page - 13

14 For Additional Help And Information Detailed specifications regarding the CorreLog Server, add-on components, and resources are available from our corporate website. Test software may be downloaded for immediate evaluation. Additionally, CorreLog is pleased to support proof-of-concepts, and provide technology proposals and demonstrations on request. CorreLog, Inc., a privately held corporation, has produced software and framework components used successfully by hundreds of government and private operations worldwide. We deliver security information and event management (SIEM) software, combined with deep correlation functions, and advanced security solutions. CorreLog markets its solutions directly and through partners. We are committed to advancing and redefining the state-of-art of system management, using open and standards-based protocols and methods. Visit our website today for more information. CorreLog, Inc. mailto:support@correlog.com CMDB Guide, Page - 14