INTEGRATING OBSERVEIT WITH HP ARCSIGHT CEF


Contents

1 About This Document
2 Overview
3 Configuring ObserveIT SIEM Integration
3.1 Configuring Advanced Log Settings
4 Integrating the ObserveIT Log File into ArcSight CEF
5 Mapping ObserveIT Data to the ArcSight Data Fields
5.1 ArcSight CEF Header Definitions
5.2 Mapping User Activity Output
5.3 Mapping DBA Activity Output
5.4 Mapping Activity Alerts Output
5.5 Mapping System Events Output
5.6 Mapping In-App Elements Output
5.7 Mapping Audit Activity Output
6 ObserveIT Log Data Dictionary of Terms

1 About This Document

The purpose of this document is to provide instructions on how to integrate ObserveIT log data into the HP ArcSight SIEM product by using the Common Event Format (CEF) open log management standard.

2 Overview

Integration with the HP ArcSight SIEM product enables the export of ObserveIT log data to ArcSight CEF format. All log files from ObserveIT user activities, DBA activity, activity alerts, system events, In-App Elements, and auditing activities can be exported and integrated in the SIEM monitoring software. SIEM integration parses these files based upon text strings that appear inside the log.

All ObserveIT log data is stored in one file; by default, "Observeit_activity_log.cef". The ObserveIT data log file must be located in a directory to which the ObserveIT Notification Service user has write permissions. By default, the log file location is "C:\Program Files (x86)\ObserveIT\NotificationService\LogFiles\ArcSight".

Note: The user account used by the ObserveIT Notification Service must have read and write permissions for the path. If the user account does not have sufficient permissions to create the directory or write to the log file, a system event is generated. In addition, the log file size is limited to a predefined size; if the file size exceeds the maximum defined size, a system event will be generated. Because the file carries SQL query text, commands, window titles and client addresses, restrict the folder's ACL to the Notification Service account and the account under which the ArcSight SmartConnector reads it, and alert on those two system events in ArcSight, since they are the signal that the export path has stopped working.

Typical log data that can be exported to ArcSight CEF format for the different data types includes:

User Activity: OS, Server Name, Domain Name, Viewer URL, Command (Unix only), Login Name, User Name, Client Name, Client Address, Window Title, Process Name, User Authentication, Application Name

DBA Activity: OS, Server Name, Domain Name, Viewer URL, Login Name, User Name, SQL Query, DB User Name, Client Name, Client Address, Window Title, Process Name, User Authentication, Application Name

Alerts Activity: Severity, Rule Name, Alert ID, Alert Details, Alert Details URL, Viewer URL, and session identifiers according to the alert type (activity alert: all user activity identifiers; DBA alert: all DBA activity identifiers)

System Events: Server Name, Domain Name, Event Code, Event Description, Event Parameters, Source, Category, Login Name, User Name, User Authentication, Process Name

In-App Elements: StartTime (ScreenshotTime), SessionDay, SessionID, ScreenshotID, InAppElementName, InAppElementValue, InteractionIsClicked, InteractionIsDisplayed, IsMetadataOnly

Audit Session Activity: Audit Time, Console User, Domain Name, Client Address, Session ID

Audit Login Activity: Audit Time, Login Status, Login Status Description, Console User, Domain Name, Client Address

Audit Configuration Changes Activity: Audit Time, Console User, Domain Name, Client Address, Area, Item, Action, Configuration Property Name, Configuration Action, New Value

Note: For details of the ObserveIT to ArcSight field mapping definitions for each data type, see Mapping ObserveIT Data to the ArcSight Data Fields.

The following is an example of the contents of a CEF log file; the highlighted content shows the CEF definitions for the user activity, DBA activity, and alerts activity data types. [Figure: example contents of a CEF log file]

The following screenshot provides an example of how ObserveIT user activity and alert data is incorporated within ArcSight. [Figure: ObserveIT user activity and alert data in ArcSight]

3 Configuring ObserveIT SIEM Integration

To configure ObserveIT SIEM log integration:

1 In the ObserveIT Web Management Console, open the "SIEM Log Integration" tab by selecting "Configuration" > "Integrated SIEM" > "SIEM Log Integration".
2 Activate SIEM log integration by selecting the check box "Enable export to ArcSight format".
3 In the "Log data" section, select at least one of the following data types for monitoring:
   Windows and Unix Activity (selected by default)
   Activity Alerts (selected by default)
   DBA Activity
   System Events
   In-App Elements
   Audit: Audit Sessions, Audit Logins, Audit Configuration Changes
4 Under "Log file properties":
   a. In the "Folder location" field, accept the default log file location "C:\Program Files (x86)\ObserveIT\NotificationService\LogFiles\ArcSight" or specify a new path for the log files. When changing the default log folder location, new session data will be stored in the new path; existing data will remain in the old location.

   b. In the "File name" field, accept the default log file name "Observeit_activity_log.cef" or specify a new one.
5 Under "Log file cleanup":
   a. Select the check box to enable log file cleanup. Note: If you deselect the check box, make sure that you have enough disk space to store the logs.
   b. If log file cleanup is selected, schedule the frequency for clearing the log file:
      Select "Run daily at", and specify the required time of day for the daily cleanup.
      -Or-
      Select "Run every", and specify the required number of days, hours, or minutes after which the log file cleanup process will take place.
6 Click "Save" to save your configuration. After a few minutes, the log file will be generated. A new log file will be created according to the scheduled cleanup frequency.

Note: If required, you can configure advanced log settings by changing specific log parameters in the ObserveIT Notification Service configuration file, as described in the next section.

3.1 Configuring Advanced Log Settings

If required, you can change the configuration of specific log file parameters in the ObserveIT Notification Service configuration file.

To configure advanced log settings:

1 Open the ObserveIT.WinService.exe.config configuration file under C:\Program Files (x86)\ObserveIT\NotificationService\.
2 Locate the <ArcSightSettingsGroup> section in the configuration file:

   <ArcSightSettingsGroup>
     <ArcSightSettings>
       <!-- Supported size units: GB, MB, KB, Bytes -->
       <add key="MaximumFileSize" value="256GB" />
       <add key="HideEmptyAndDuplicateFields" value="true" />
       <add key="ShowSyslogHeader" value="true" />
       <add key="ExposeLabeledNames" value="true" />
       <!-- How many MINUTES to leave in the log file in the cleanup process; default 60 minutes -->
       <add key="RemainingLogTime" value="60" />
       <add key="SelectedDateFormat" value="MMM dd HH:mm:ss" />
       <!-- Supported date formats -->
       <!-- <add key="SelectedDateFormat" value="MMM dd HH:mm:ss" /> -->
       <!-- <add key="SelectedDateFormat" value="MMM dd HH:mm:ss.FFF zzz" /> -->
       <!-- <add key="SelectedDateFormat" value="MMM dd HH:mm:ss.FFF" /> -->
       <!-- <add key="SelectedDateFormat" value="MMM dd HH:mm:ss zzz" /> -->
       <!-- <add key="SelectedDateFormat" value="MMM dd yyyy HH:mm:ss" /> -->
       <!-- <add key="SelectedDateFormat" value="MMM dd yyyy HH:mm:ss.FFF zzz" /> -->
       <!-- <add key="SelectedDateFormat" value="MMM dd yyyy HH:mm:ss.FFF" /> -->
       <!-- <add key="SelectedDateFormat" value="MMM dd yyyy HH:mm:ss zzz" /> -->
     </ArcSightSettings>
   </ArcSightSettingsGroup>

3 You can change the default values of any of the following parameters:

MaximumFileSize: Specify the maximum size of the Observeit_activity_log.cef file. If the file size reaches or exceeds the maximum defined size, a system event will be generated. The default size is 256 GB.

HideEmptyAndDuplicateFields: By default, this value is true, which means that empty (null) CEF field entries are removed, as well as field names that are duplicated (for example, fields that are not relevant to the current data type). Change the value to false if you want all fields to be written, including empty and duplicated ones.

ShowSyslogHeader: The syslog header (timestamp and host name in front of "CEF:0|...") is written by default. If you do not want it, change the value to false.

ExposeLabeledNames: By default, the names of the custom string (CS) CEF fields are exposed (e.g., "CS1AlertDetails"). Change the value to false to write only the bare field names (e.g., "CS1").

RemainingLogTime: Specify (in minutes) how much of the log should remain in the log file after the cleanup process.

SelectedDateFormat: Replace the value with one of the supported formats listed in the configuration file. The default carries neither a year nor a time zone; if the ObserveIT server and the SmartConnector run in different zones, or the file is kept across a year boundary, prefer a format with "yyyy" and "zzz" so that ArcSight does not have to guess.

4 Save and exit the ObserveIT.WinService.exe.config configuration file.
5 Restart the ObserveIT Notification Service.

Note: Changes will only take effect after you restart the Notification Service.

4 Integrating the ObserveIT Log File into ArcSight CEF

Log type data from all ObserveIT user activities, DBA activity, auditing activity, activity alerts and system events is exported to ArcSight CEF format for integration in the SIEM monitoring software. All the selected log type data is stored in one file; by default, "Observeit_activity_log.cef". The ObserveIT CEF log file is read by the ArcSight SmartConnector for integration in the SIEM monitoring software.

To integrate the ObserveIT log file into the ArcSight SmartConnector:

1 In the ArcSight portal, open the ArcSight SmartConnector Configuration Wizard.
2 Select ArcSight Manager as the destination type for the SmartConnector.
3 Specify whether or not the ArcSight Manager is using a demo SSL certificate. If you are using a demo certificate, you must first copy the certificate file cacerts (approx. 94 KB) and place the attached file in the <arcsight_home>/current/jre/lib/security/ folder. Demo certificates are meant for evaluation; a production Manager should present a certificate issued by your own CA, so that the connector does not trust a key that ships with every ArcSight demo installation.

4 Specify the ArcSight Manager information in the following screen.
5 Log in as a user with the appropriate privileges.

6 In the following screen, select "ArcSight Common Event Format File" as the SmartConnector to be installed.
7 In the following screen, specify the log file location and CEF log file name, as configured in the ObserveIT SIEM log integration screen: "C:\Program Files (x86)\ObserveIT\NotificationService\LogFiles\ArcSight\Observeit_activity_log.cef". Note: You can change the default location and file name, if required.
8 Configure a name for the SmartConnector location and specify the location parameters.

After completing the steps of the SmartConnector Configuration Wizard, the ObserveIT log file will be integrated into ArcSight.

5 Mapping ObserveIT Data to the ArcSight Data Fields

The ArcSight SmartConnector uploads the data from the CEF log file and maps it to the ArcSight data fields. This section describes how the ObserveIT data fields are mapped to the ArcSight data field definitions for each type of data. For a description of the ObserveIT data fields, see the ObserveIT Log Data Dictionary of Terms.

Note: The data fields that are displayed may depend on the configuration of specific log file parameters in the ObserveIT Notification Service configuration file, as described in Configuring Advanced Log Settings.

5.1 ArcSight CEF Header Definitions

Every line carries the standard CEF header, CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension, which ObserveIT writes as

   CEF:0|ObserveIT|ObserveIT|<ObserveIT Version>|<signature ID>|<name>|<severity>|<key=value extensions>

preceded, when ShowSyslogHeader is true, by the timestamp (in SelectedDateFormat) and the host name. In the ArcSight CEF, a unique signature ID identifies each ObserveIT data type:

   User activity = 100
   DBA activity = 200
   System events = 300
   Alerts activity = 400
   Auditing activity = 500
   In-App Elements = 600

The header severity is 1 for every type except alerts, which carry the alert severity (6, 8 or 10), so a filter keyed on severity alone sees only the alerts. The three audit types share signature ID 500 and are distinguished by the Name field and the cat extension.

5.2 Mapping User Activity Output

The following table lists the mappings to the ArcSight CEF data field definitions from the ObserveIT data fields for the user activity data type.

Header: <date> <host> CEF:0|ObserveIT|ObserveIT|<ObserveIT Version>|100|ObserveITUserActivity|1|cat=UserActivity

   ObserveIT field          CEF log definition
   Date/time                rt, end, start
   OS                       cs2=OS
   Server Name              dhost
   Domain Name              dntdom
   Viewer URL               cs3=ViewURL
   Command                  cs4=Command, msg
   ObserveIT                dproc
   Login Name               duid
   User Name                duser, suser, suid
   Client Name              dvchost, shost
   Client Address           dvcpid, src
   Window Title             msg
   Process Name             sproc
   User Authentication      sntdom
   Application Name         destinationServiceName
   Process Name             deviceProcessName

Following is an example of user activity mapping data in ArcSight: [Figure: user activity in ArcSight]

5.3 Mapping DBA Activity Output

The following table lists the mappings to the ArcSight CEF data field definitions from the ObserveIT data fields for the DBA activity data type.

Header: <date> <host> CEF:0|ObserveIT|ObserveIT|<ObserveIT Version>|200|ObserveITDBAActivity|1|cat=DBAActivity

   ObserveIT field                                          CEF log definition
   Date/time                                                rt, end, start
   OS                                                       cs2=OS
   Server Name                                              dhost
   Domain Name                                              dntdom
   Viewer URL                                               cs3=ViewURL
   Command                                                  cs4=SQL
   ObserveIT                                                dproc
   Login Name                                               duid
   User Name (written as "UserName: <UserName> SQLUSER: <SqlUserName>")   duser, suser, suid
   Client Name                                              dvchost, shost
   Client Address                                           dvcpid, src
   Window Title                                             msg
   Process Name                                             sproc
   User Authentication                                      sntdom
   Application Name                                         destinationServiceName
   Process Name                                             deviceProcessName

5.4 Mapping Activity Alerts Output

The following table lists the mappings to the ArcSight CEF data field definitions from the ObserveIT data fields for the activity alerts data type.

Header: <date> <host> CEF:0|ObserveIT|ObserveIT|<ObserveIT Version>|400|ObserveITAlert|<Alert Severity: 6, 8 or 10>|cat=SQL

   ObserveIT field          CEF log definition
   Alert ID                 reason
   Rule name                cn1=RuleDescription
   Alert Rule details       cs1=AlertDetails
   Alert URL                cs5=AlertDetailsURL
   OS                       cs2=OS
   Server Name              dhost
   Domain Name              dntdom
   Viewer URL               cs3=ViewURL
   ObserveIT                dproc
   Login Name               duid
   User Name                duser, suser, suid
   Client Name              dvchost, shost
   Client Address           dvcpid, src
   Window Title             msg
   Process Name             sproc
   Date/time                rt, end, start
   User Authentication      sntdom
   Application Name         destinationServiceName
   Process Name             deviceProcessName

5.5 Mapping System Events Output

The following table lists the mappings to the ArcSight CEF data field definitions from the ObserveIT data fields for the system events data type.

Header: <Event Time> <host> CEF:0|ObserveIT|ObserveIT|<ObserveIT Version>|300|ObserveITInternalEvents|1|cat=ObserveITInternalEvents

   ObserveIT field          CEF log definition
   Event Time               rt, end, start
   Event Category           cs1=EventCategory
   Event Source             cs2=EventSource
   Server Name              dhost
   Domain Name              dntdom
   Event Code               cs3=EventTypeCode
   Event Desc               cs4=EventDesc, msg
   Event Parameters         cs5=EventParameters
   ObserveIT                dproc
   Login Name               duid
   User Name                duser, suser, suid
   User Authentication      sntdom
   Process Name             deviceProcessName

Note: The format of the Event Parameters field was changed. To avoid ArcSight formatting problems, the list of key=value; pairs was changed to key:value; pairs. In a CEF extension an unescaped "=" starts a new key, so the old form would have been split by the SmartConnector into bogus fields; any parser of your own that reads cs5 must split on ":" and ";" for this type.

5.6 Mapping In-App Elements Output

The following table lists the mappings to the ArcSight CEF data field definitions from the ObserveIT data fields for the In-App Elements data type.

Header: <date> <host> CEF:0|ObserveIT|ObserveIT|<ObserveIT Version>|600|ObserveITInAppElements|1|cat=InAppElements

   ObserveIT field            CEF log definition
   ObserveIT                  dproc
   InAppElementName           act
   InAppElementText           msg
   SessionDay                 rt
   SessionID                  sourceServiceName
   ScreenshotID               requestMethod
   InteractionIsClicked       cs2=InteractionIsClicked
   InteractionIsDisplayed     cs3=InteractionIsDisplayed
   IsMetadataOnly             cs5=IsMetadataOnly
   StartTime (ScreenshotTime) end, start

5.7 Mapping Audit Activity Output

5.7.1 Audit Session Activity

The following table lists the mappings to the ArcSight CEF data field definitions from the ObserveIT data fields for the audit session activity data type.

Header: <Audit Time> <host> CEF:0|ObserveIT|ObserveIT|<ObserveIT Version>|500|ObserveITSessionAudit|1|cat=SessionAudit

   ObserveIT field          CEF log definition
   LoginStatus              cs1
   LoginStatusDescription   cs2
   DomainName               dntdom
   "ObserveIT"              dproc
   UserName                 duser
   AuditTime                rt, end, start
   ClientAddress            dvc

5.7.2 Audit Login Activity

The following table lists the mappings to the ArcSight CEF data field definitions from the ObserveIT data fields for the audit login activity data type.

Header: <Audit Time> <host> CEF:0|ObserveIT|ObserveIT|<ObserveIT Version>|500|ObserveITLoginAudit|1|cat=LoginAudit

   ObserveIT field          CEF log definition
   SessionId                cs1
   OperatorDomainName       dntdom
   "ObserveIT"              dproc
   OperatorUsername         duser
   AuditTime                rt, end, start
   IPAddress                dvc

Note: The field lists of the two tables above appear swapped relative to the overview in section 2, where session audit carries the Session ID and login audit carries the login status; check a live log line before hard-coding either layout.

5.7.3 Audit Configuration Changes Activity

The following table lists the mappings to the ArcSight CEF data field definitions from the ObserveIT data fields for the audit configuration changes activity data type.

Header: <Audit Time> <host> CEF:0|ObserveIT|ObserveIT|<ObserveIT Version>|500|ObserveITConfigChangesAudit|1|cat=ConfigChangesAudit

   ObserveIT field                                CEF log definition
   Area (WebConsoleItem)                          cs1
   Item (ConfigurationItem)                       cs2
   UserDomainName                                 dntdom
   Action (TypeOfChange)                          cs3
   ConfigPropertyName (ParentConfigurationItem)   cs4
   TypeOfChangeStr                                cs5
   NewValue                                       cs6
   Area:{0},Item:{1},Action:{2},ConfigPropertyName:{3},TypeOfChangeStr:{4},NewValue:{5}   msg
   UserLoginName                                  suser, suid
   ClientIP                                       dvc
   AuditTime                                      end, start
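The mappings in sections 5.1 to 5.5 can be exercised end to end with the following parser, an example added for this page rather than ObserveIT or ArcSight code. It splits the seven-field CEF header while honouring the backslash escape for "|", reads the extension as key=value pairs so that an escaped "=" inside SQL text or alert details stays inside its value, resolves custom-field labels to names, converts the rt timestamp for the SelectedDateFormat variants of section 3.1, and for signature ID 300 unpacks the key:value; Event Parameters described in section 5.5. The sample lines are constructed from the mapping tables: every value in them is invented, "0.0" stands in for the ObserveIT version, and the csNLabel= style of labelling is the standard CEF convention, assumed here rather than stated by the page.

```python
"""Parse ObserveIT ArcSight CEF lines and route them by signature ID.

Added example written for this page, not ObserveIT or ArcSight code.  The
sample lines are constructed from the section 5 mappings: every value is
made up and "0.0" stands in for the real ObserveIT version."""
import re
from datetime import datetime

SIGNATURE_TYPES = {"100": "UserActivity", "200": "DBAActivity", "300": "SystemEvent",
                   "400": "Alert", "500": "Audit", "600": "InAppElement"}  # section 5.1
# strptime forms of the SelectedDateFormat values in section 3.1 (the "zzz"
# variants add " %z"); a format without a year makes strptime fill in 1900.
_RT_FORMATS = ("%b %d %Y %H:%M:%S", "%b %d %H:%M:%S",
               "%b %d %Y %H:%M:%S.%f", "%b %d %H:%M:%S.%f")
# A key starts at the beginning of the extension or after whitespace and ends
# at '=', so an escaped '\=' inside a value (SQL text) never opens a new key.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")


def _unescape(value):
    # backslash protects '|', '=' and '\'; '\n' and '\r' stand for line breaks
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _split_header(cef):
    """Return the seven pipe-delimited header fields and the extension text; '\\|' is data."""
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):
            cur.append(cef[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur, i = [], i + 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) != 7:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    return fields, cef[i:]


def parse_extension(ext):
    """key=value pairs; a value may contain spaces and runs up to the next key."""
    matches = list(_KEY_RE.finditer(ext))
    out = {}
    for m, nxt in zip(matches, matches[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].rstrip())
    return out


def resolve_labels(ext):
    """Custom-field label -> value, e.g. cs1Label=AlertDetails cs1=... -> {'AlertDetails': ...}."""
    return {ext[k]: ext[k[:-5]] for k in ext if k.endswith("Label") and k[:-5] in ext}


def parse_event_parameters(value):
    """System-event cs5 carries 'key:value;' pairs (section 5.5 explains why not key=value)."""
    pairs = (p.split(":", 1) for p in value.split(";") if ":" in p)
    return {k.strip(): v.strip() for k, v in pairs}


def parse_rt(value):
    """rt/start/end as written under SelectedDateFormat; None if no supported form matches."""
    for fmt in _RT_FORMATS:
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            pass
    return None


def parse_cef_line(line):
    """Parse a line written with ShowSyslogHeader=true ('MMM dd HH:mm:ss host CEF:0|...');
    a bare 'CEF:0|...' line is accepted too.  Routing is by the signature ID."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF line")
    prefix = line[:idx].split()                 # syslog timestamp (3 tokens) and host
    fields, ext_text = _split_header(line[idx:])
    ext = parse_extension(ext_text)
    event = {
        "syslog_host": prefix[3] if len(prefix) >= 4 else None,
        "vendor": fields[1], "product": fields[2], "device_version": fields[3],
        "signature_id": fields[4], "type": SIGNATURE_TYPES.get(fields[4], "Unknown"),
        "name": fields[5], "severity": int(fields[6]),
        "extension": ext, "labeled": resolve_labels(ext),
        "rt": parse_rt(ext["rt"]) if "rt" in ext else None,
    }
    if fields[4] == "300" and "cs5" in ext:
        event["event_parameters"] = parse_event_parameters(ext["cs5"])
    return event


SAMPLE_LINES = [  # constructed: user activity, system event, alert with an escaped '='
    r"Aug 13 15:25:48 Q8-W08SQ08-2 CEF:0|ObserveIT|ObserveIT|0.0|100|ObserveITUserActivity|1|"
    r"cat=UserActivity cs2Label=OS cs2=Windows dhost=Q8-W08SQ08-2 dntdom=obsqa8.local dproc=ObserveIT "
    r"duid=obsqa8.local\\administrator shost=OIT-JOHNS-LAP src=10.2.56.76 msg=Program Manager "
    r"rt=Aug 13 2014 15:25:48 sproc=explorer destinationServiceName=Windows Explorer",
    r"Aug 13 15:30:02 Q8-W08SQ08-2 CEF:0|ObserveIT|ObserveIT|0.0|300|ObserveITInternalEvents|1|"
    r"cat=ObserveITInternalEvents cs1Label=EventCategory cs1=Health Check cs2Label=EventSource "
    r"cs2=Notification Service dhost=Q8-W08SQ08-2 cs4Label=EventDesc cs4=Notification Service stopped "
    r"cs5Label=EventParameters cs5=Database:ObserveIT;Server:10.2.56.76; rt=Aug 13 2014 15:30:02",
    r"Aug 13 15:31:10 Q8-W08SQ08-2 CEF:0|ObserveIT|ObserveIT|0.0|400|ObserveITAlert|8|"
    r"cat=SQL reason=10000001 cs1Label=AlertDetails cs1=Executed SQL command\=select from databaseconfiguration "
    r"cs5Label=AlertDetailsURL cs5=http://q8-w08sq08-2:4884/observeit/slideviewer dhost=Q8-W08SQ08-2 "
    r"duid=obsqa8.local\\administrator src=10.2.56.76 msg=SQL Server Management Studio rt=Aug 13 2014 15:31:10",
]

if __name__ == "__main__":
    for record in map(parse_cef_line, SAMPLE_LINES):
        print(record["type"], record["severity"], record["labeled"], record.get("event_parameters"))
```

Run it as a script to print the parsed records for the three samples, or feed the lines of Observeit_activity_log.cef to parse_cef_line to check what the SmartConnector will see. With HideEmptyAndDuplicateFields=false the file contains empty values (for example "cs4=") rather than missing keys; the parser returns those as empty strings, so consumers should test for emptiness rather than key presence.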

6 ObserveIT Log Data Dictionary of Terms

Date and time: Date and time the activity occurred (e.g., Aug 13 2014 15:25:48).
OS: Operating system (e.g., Windows, Unix).
Server Name: The server on which the activity occurred (e.g., Q8-W08SQ08-2).
Domain Name: The domain name of the user.
Viewer URL: Link to the Session Player for the recorded session (e.g., http://q8-w08sq08-2:4884/observeit/slideviewer...).
Command: SQL command with the following structure: DB=SqlDBName Query:SqlQueryText. For example: DB=10.2.56.76/ObserveIT Query:select stime, s.sessionid, sht.ssid, s.clientname, ...
ObserveIT: The literal value "ObserveIT", written to the dproc field in every data type (see the mapping tables).
ObserveIT Login Name: Login name of the user who ran the session in which the activity occurred (e.g., obsqa8.local\administrator).
User Name: If configured, secondary identification of the user who ran the session in which the activity occurred (e.g., obsqa8.local\administrator).
Client Name: Name of the client computer from which the activity occurred (e.g., OIT-JOHNS-LAP).
Client Address: IP address of the client computer from which the activity occurred (e.g., 10.2.56.76).
Window Title: Title of the window in which the activity occurred (e.g., Program Manager).
Process Name: Name of the process currently running (e.g., iexplore).
User Authentication: Secondary authentication user login.
Application Name: Name of the application currently running (e.g., Windows Explorer).
Alert ID: Unique number that identifies the alert (e.g., 10000001).
Rule Name: A unique name that describes the alert rule (e.g., "Alert when using SQL management").
Alert Rule Details: What the user did to trigger the alert. For example: "Executed SQL command=select from databaseconfiguration", "Ran application=SSMS SQL Server Management Studio".
Alert URL: Clicking the Alert ID link opens the Alert Activities UI page showing the selected alert in "Show: Full Details" mode.
Event Category: The category to which an event belongs (e.g., Login, Health Check).
Event Code: A unique code that identifies an event.
Event Source: Source from which an event is triggered (e.g., Identity theft, Notification Service).
Event Desc: Description of an event (e.g., Notification Service stopped).
Event Parameters: Additional information related to an event (e.g., the name of the database).
SessionDay: The day on which the In-App element was captured.
InAppElementName: Name of the In-App element captured by the Marking Tool.
InAppElementValue: Value of the displayed element (e.g., Export Button).
InteractionIsClicked: The element interaction type is Clicked.
InteractionIsDisplayed: The element interaction type is Displayed.
IsMetadataOnly: The In-App element has metadata only.
AuditTime: The time that an audit entry was created.
ConsoleUser: Console user that accessed the Web Console.
LoginStatus: Indication of whether the user login was successful or failed.
LoginStatusDescription: Description of the reason for a failed login.
Area: Area in the Web Console in which configuration changes were made (e.g., Server Policy, Licensing, Session Privacy, Application Server).

Item: Item in the Area of the Web Console on which the configuration was changed (e.g., LDAP Target Domain, Default Windows-based Policy).
Action: Action that was performed on the configured item (e.g., Changed, Removed, Added).
ConfigPropertyName: The specific property of a configuration Item that was changed. For example, "System Policy Enabled keylogging" refers to the property of a specified server policy.
ConfigAction: The action that was performed on the configuration property item (e.g., Changed to).
NewValue: New value that was given to a changed configuration property item (e.g., Disabled).