Juniper networks SECURITY THREAT RESPONSE MANAGER 2008.2 R2 User Manual

Security Threat Response Manager
Release 2008.2 R2
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089
USA
408-745-2000
www.juniper.net
Part Number: 530-027300-01, Revision 1
Copyright Notice
Copyright © 2008 Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper Networks Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
FCC Statement
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with NetScreen's installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
Reorient or relocate the receiving antenna.
Increase the separation between the equipment and receiver.
Consult the dealer or an experienced radio/TV technician for help.
Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.
Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.
STRM Log Management Users Guide
Release 2008.2 R2
Copyright © 2008, Juniper Networks, Inc.
All rights reserved. Printed in USA.
Revision History
September 2008—Revision 1
The information in this document is current as of the date listed in the revision history.
CONTENTS
ABOUT THIS GUIDE
  Conventions
  Technical Documentation
  Contacting Customer Support
1 ABOUT STRM LOG MANAGEMENT
  Logging In to STRM Log Management
  Dashboard
  Event Viewer
  Reports
  Using STRM Log Management
    Sorting Results
    Refreshing the Interface
    Pausing the Interface
    Investigating IP Addresses
    STRM Log Management Time
    Accessing On-line Help
  STRM Log Management Administration Console
2 USING THE DASHBOARD
  About the Dashboard
  Using the Dashboard
  Event Viewer
    Events Over Time
    Events By Severity
    Top Devices
  Reports
  System Summary
  Adding Items
3 USING THE EVENT VIEWER
  Using the Event Viewer Interface
    Using the Toolbar
    Using the Right-Click Menu Options
  Viewing Events
    Viewing Normalized Events
    Viewing Raw Events
    Viewing Aggregate Normalized Events
  Using the Search
    Searching Events
    Deleting Saved Searches
  Modifying Event Mapping
  Exporting Events
4 CONFIGURING RULES
  Viewing Rules
  Enabling/Disabling Rules
  Creating a Rule
    Event Rule Tests
  Copying a Rule
  Deleting a Rule
  Grouping Rules
    Viewing Groups
    Creating a Group
    Editing a Group
    Copying an Item to Another Group(s)
    Deleting an Item from a Group
    Assigning an Item to a Group
  Editing Building Blocks
5 MANAGING REPORTS
  Using the Reports Interface
    Using the Navigation Menu
    Using the Toolbar
  Viewing Reports
  Grouping Reports
    Creating a Group
    Editing a Group
    Copying a Template to Another Group
    Deleting a Template From a Group
    Assigning a Report to a Group
  Creating a Report
    Creating a Template
    Configuring Charts
    Selecting a Graph Type
  Using Default Report Templates
  Generating a Report
  Duplicating a Report
  Sharing a Report
  Branding Your Report
A DEFAULT RULES AND BUILDING BLOCKS
  Default Rules
  Default Building Blocks
GLOSSARY
INDEX

ABOUT THIS GUIDE

The STRM Log Management Users Guide provides information on managing STRM Log Management including the Dashboard, Reports, and Event Viewer interfaces.

Conventions

Table 1 lists conventions that are used throughout this guide.

Table 1 Icons
Type - Description
Information note - Information that describes important features or instructions.
Caution - Information that alerts you to potential loss of data or potential damage to an application, system, device, or network.
Warning - Information that alerts you to potential personal injury.

Technical Documentation

You can access technical documentation, technical notes, and release notes directly from the Juniper Networks support web site at https://juniper.net/support. Once you access the Juniper Networks support web site, locate the product and software release for which you require documentation.
Your comments are important to us. Please send your e-mail comments about this guide or any of the Juniper Networks documentation to:
documentation@juniper.com.
Include the following information with your comments:
Document title
Page number

Contacting Customer Support

To help you resolve any issues that you may encounter when installing or maintaining STRM Log Management, you can contact Customer Support as follows:
Log a support request 24/7: https://juniper.net/support
For access to the Juniper Networks support web site, please contact Customer Support.
Access Juniper Networks support and Self-Service support using e-mail:
support@juniper.net
Telephone assistance: 1-800-638-8296.

1 ABOUT STRM LOG MANAGEMENT

STRM Log Management is a network security management platform that provides situational awareness and compliance support through security event correlation, analysis, and reporting. This chapter provides an overview of the STRM Log Management interface including:
Logging In to STRM Log Management
Dashboard
Event Viewer
Reports
Using STRM Log Management
STRM Log Management Administration Console
Note: When navigating STRM Log Management, do not use the browser Back button. Use the navigation options available with STRM Log Management to navigate the interface.

Logging In to STRM Log Management

To log in to STRM Log Management:
Step 1 Open your web browser.
Step 2 Log in to STRM Log Management:
https://<IP Address>
Where <IP Address> is the IP address of the STRM Log Management system. The default values are:
Username: admin
Password: <root password>
Where <root password> is the password assigned to STRM Log Management during the installation process. For more information, see the STRM Log Management Installation Guide.
Step 3 Click Login To STRM Log Management.
For your STRM Log Management Console, a default license key provides you access to the interface for 5 weeks. A window appears providing the date that the temporary license key will expire. For information on installing a permanent license key, see the STRM Log Management Administration Guide.

Dashboard

The Dashboard tab is the default interface that appears when you log in to STRM Log Management. The Dashboard tab provides summary and detailed information on events occurring on your network. The Dashboard is customizable on a per user basis to focus on individual user's security or network operations responsibilities.
Note: For more information on using the Dashboard, see Chapter 2 Using the Dashboard.

Event Viewer

The Event Viewer allows you to view event logs being sent to STRM Log Management in real-time, or through searches. The Event Viewer is a powerful tool for performing in-depth investigations on event data.
Note: For more information, see Chapter 3 Using the Event Viewer.

Reports

Reports is a flexible and robust reporting package that allows you to create, distribute, and manage reports for any data within STRM Log Management. Reports allows you to create customized reports for operational and executive use by combining any information into a single report. You can also use the many pre-installed report templates included with STRM Log Management.
The Reports tab also allows you to brand your reports with your customized logos, enabling you to use a different logo for each report. This is beneficial when distributing reports to different audiences.
Note: For more information on Reports, see Chapter 5 Managing Reports.
Using STRM Log Management

Using STRM Log Management, you can:
Sort the results. See Sorting Results.
Refresh the interface. See Refreshing the Interface.
Pause the current display. See Pausing the Interface.
Further investigate an IP address. See Investigating IP Addresses.
View the time of the STRM Log Management Console. See STRM Log Management Time.
View the STRM Log Management on-line Help. See Accessing On-line Help.

Sorting Results
In the Event Viewer tab you can sort the resulting tables by clicking on a column heading. A single click of the desired column sorts the results in descending order and a second click on the heading sorts the results in ascending order. An arrow at the top of the column indicates the direction of the sort.
For example, if you wish to sort the events by Name, click the Name heading. An arrow appears in the column heading to indicate the results are sorted in descending order.
Click the Name column heading again if you wish to sort the information in ascending order.
Refreshing the Interface
The Event Viewer and the Dashboard allow you to refresh the interface. This refresh option is located in the right corner of the interface. The timer indicates the amount of time since the interface was refreshed. To refresh the interface, click the refresh icon.

Pausing the Interface
You can use the refresh timer, located on the right, to pause the current display. To pause the interface, click the pause icon. The timer flashes red to indicate the current display is paused. Click the icon again to restart the timer.
Investigating IP Addresses
You can use the right-mouse button (right-click) on any IP address to access additional menus, which allow you to further investigate that IP address. The menu options are listed in Table 1-1.
Note: For information on customizing the right-click menu, see the Customizing the Right-Click Menu Technical Note.
Table 1-1 Additional Options
Menu - Sub-Menu - Description
Information - DNS Lookup - Searches for DNS entries based on the IP address.
Information - WHOIS Lookup - Searches for the registered owner of a remote IP address (Default system server: whois.crsnic.net.)
Information - Port Scan - Performs an NMAP scan of the selected IP address. This option is only available if NMAP is installed on your system. For more information on installing NMAP, see your vendor documentation.
STRM Log Management Time
The right corner of the STRM Log Management interface displays STRM Log Management time, which is the time of the STRM Log Management Console. The STRM Log Management Console time synchronizes all STRM Log Management appliances within the STRM Log Management deployment, and is used to determine the time events were received from other devices for proper time sync correlation.

Accessing On-line Help
You can access the STRM Log Management on-line Help through the main STRM Log Management interface. To access the on-line Help, click Help > Help Contents. The Help interface appears.

STRM Log Management Administration Console

The STRM Log Management Administration Console is a client-based application that provides administrative users access to administrative functionality including:
System Configuration - Allows you to configure system-wide STRM Log Management settings including users, thresholds, system settings, backup and recovery, license keys, network hierarchy, authentication, and automatic updates.
Access the deployment editor - Allows you to manage the individual components of your STRM Log Management deployment.
Configure sensor devices - Allows you to configure sensor devices, which provide events to your deployment through DSMs.
All configuration updates using the Administration Console are saved to a staging area. Once all changes are complete, you can deploy the configuration changes or all configuration settings to the remainder of your deployment.
For more information regarding the STRM Log Management Administration Console, see the STRM Log Management Administration Guide.

2 USING THE DASHBOARD

The Dashboard allows you to create a customized portal to monitor any data STRM Log Management collects, to which you have access. The Dashboard is the default view when you log in to STRM Log Management and allows you to monitor several areas of your network at the same time. Normal activity and suspicious behaviors can be investigated directly from the Dashboard. Also, you can detach an item and monitor the item directly from your desktop.
This chapter includes:
About the Dashboard
Event Viewer
Reports
System Summary
Adding Items

About the Dashboard

The Dashboard allows you to monitor your security event behavior. By default, for non-administrative users, the Dashboard is empty. For administrative users, the Dashboard displays the following:
System Summary
Events - Average Events Per Second
Events By Severity
Most Recent Reports
Top Devices
Note: The items that appear on your Dashboard depend on the access you have been granted. For more information on user roles, see the STRM Log Management Administration Guide.
The content that appears on the Dashboard is user-specific. You can design the Dashboard as you wish, as the changes made within a STRM Log Management session affect only your system. The next time you log in, STRM Log Management reflects your last Dashboard configuration.
You can move and position items to meet your requirements. You can stack items in one panel or distribute them evenly within the three panels. When positioning items, each item automatically resizes in proportion to the panel. The Dashboard interface refreshes regularly to display the most recent information.

Using the Dashboard

You can add, remove, or detach items on the Dashboard. Once added, each item appears with a titlebar. Using the Dashboard, you can:
Adding Items - Provides the list of items that you can add to your Dashboard. You can monitor the following items:
- Event Viewer
- Reports
- System Summary
Removing an Item - To remove an item from the Dashboard, click the red icon
located in the upper right corner of the item.
A confirmation window appears before an item is removed. Removing an item does not remove the item from STRM Log Management. Removing an item clears the item from the Dashboard. You can add the item again at any time.
Detaching an Item - To detach an item from the Dashboard, click the green
icon located in the upper right of the item. Detaching an item does not remove the item from STRM Log Management; detaching an item duplicates the data in a new window.
Detaching an item allows you to temporarily monitor one or more particular items on your desktop. You can detach the item then remove the item from the Dashboard - the detached window remains open and refreshes during scheduled intervals. If you close the STRM Log Management application, the detached window remains open for monitoring and continues to refresh until you manually close the window or shut down your computer system.
Note: STRM Log Management does not save the status of a detached Dashboard item when you end your STRM Log Management session.
Event Viewer
You can add several Event Viewer items to your Dashboard. The Event Viewer allows you to monitor and investigate events in real-time. Event Viewer options include:
Events Over Time
Events By Severity
Top Devices

Events Over Time
The Events Over Time option displays events received over the last 8 hours in 15 minute intervals, categorized by the event category.
Note: You must have the required permissions to access Event Viewer items.
To customize your display:
Period of Time - Using the drop-down list box, select the period of time you wish the Dashboard graph to display.
Chart Type - You can display the data using a Time Series (default), Line Chart, or Pie Chart. To change the chart type, click Time Series, Line Chart or Pie Chart at the top of the graph.

Events By Severity
The Events By Severity item displays a pie chart that specifies the number of active events grouped by severity. This item allows you to see the number of events that are being received by the level of severity that has been assigned. Severity indicates the amount of threat an attacker poses in relation to how prepared the target is for the attack. The range of severity is 0 (low) to 10 (high).

Top Devices
The Top Devices item displays a pie chart that specifies the top 10 devices that sent events to STRM Log Management within the last 15 minutes. The number of events sent from the specified device is indicated in the pie chart. This item allows you to view potential changes in behavior, for example, if a firewall device that is typically not in the top 10 list is now contributing to a large percentage of the overall message count, you should investigate this occurrence.

Reports

The Reports option allows you to display the top recently generated reports. The display provides the report title, the time and date the report was generated, and the format of the report.

System Summary

The Summary item provides a high-level summary of activity within the past 24 hours. Within the summary item, you can view the following information:
Current Events Per Second - Specifies the number of current events per second.
New Events (Past 24 Hours) - Specifies the total number of new events received within the last 24 hours.

Adding Items

You can add multiple displays to the Dashboard interface. To add an item to the Dashboard:
Step 1 Click the Dashboard tab.
The Dashboard interface appears.
Step 2 From the toolbar, click Add Item.
A list of menu items appears.
Step 3 Navigate through the categories, options include:
Event Viewer
Reports
System Summary
Each panel highlights as you drag an item over it, signalling that the item can be dropped into that panel. If the item's titlebar is above the titlebar of an existing item when dropped, the new item takes the position above the existing item.

3 USING THE EVENT VIEWER

An event is an action that occurs on a network or a host. The Event Viewer allows you to monitor and investigate events in real-time or perform advanced searches. You must have permission to view the Event Viewer interface. For more information on assigning roles, see the STRM Log Management Administration Guide.
This chapter provides information on using the Event Viewer including:
Using the Event Viewer Interface
Viewing Events
Using the Search
Modifying Event Mapping
Exporting Events
Note: When STRM Log Management normalizes events, the system normalizes names as well. Therefore, the name that appears in the Event Viewer may not match the name that appears in the event.

Using the Event Viewer Interface

This section provides information on using the Event Viewer interface including:

Using the Toolbar

Using the Right-Click Menu Options

Using the Toolbar
Using the toolbar, you can access the following options (the Option column of the original table shows the toolbar icons):
Table 3-1 Toolbar Options
Option - Description
[icon] - Allows you to perform advanced searches on events including:
  Edit Search - Allows you to perform a search.
  Quick Searches - Allows you to perform previously saved searches. This option only appears when you have saved search criteria.
  For more information, see Using the Search.
[icon] - Allows you to save the current search criteria.
[icon] - Allows you to configure custom event rules to detect a single event (within certain properties) or event sequences. For information on rules, see Chapter 4 Configuring Rules.
[icon] - Allows you to perform the following actions:
  Show All - Removes all filters on search criteria and presents all events.
  Print - Allows you to print the events displayed in the window.
  Export to XML - Allows you to export events in XML format. See Exporting Events.
  Export to CSV - Allows you to export events in CSV format. See Exporting Events.
[icon] - Allows you to display events grouped by criteria specified in the drop-down list box.
Using the Right-Click Menu Options
Using the right mouse button (right-click), you can access the Filter menu options, which allow you to filter on the selected event, depending on the selected item in the event. For example, if you right-click on a Category of IP Protocol Anomaly, the following filter options appear:
Filter on Category is IP Protocol Anomaly
Filter on Category is not IP Protocol Anomaly

Viewing Events

By default, the Event Viewer interface displays normalized events. Initially, the Event Viewer displays events that occurred during the previous minute and the interface refreshes each minute.
You can sort the resulting tables by clicking on a column heading. A single click of the desired column sorts the results in descending order and a second click on the heading sorts the results in ascending order. An arrow at the top of the column indicates the direction of the sort.
You can also view events using the following options:

Viewing Normalized Events

Viewing Raw Events
Viewing Aggregate Normalized Events
Viewing Normalized Events
To view normalized events:
Step 1 Click the Event Viewer tab.
The Event Viewer window appears.
Step 2 From the Display drop-down list box, select None.
Table 3-2 Event Viewer
Parameter - Description
Current Filters - The top of the table displays the details of the filter applied to the search results. To clear these filter values, click Clear Filter.
Event Name - Specifies the normalized name of the event.
Device - Specifies the device that sent the event to STRM Log Management.
Event Count - Specifies the total number of bundled events that constitute this normalized event. Events are bundled when many of the same type of event for the same source and destination IP address are seen within a short period of time.
Time - Specifies the date and time that STRM Log Management received the event.
Low Level Category - Specifies the low-level category associated to this event. For more information on event categories, see the Event Category Correlation Reference Guide.
Source IP - Specifies the source IP address of the event.
Source Port - Specifies the source port of the event.
Destination IP - Specifies the destination IP address of the event.
Destination Port - Specifies the destination port of the event.
Username - Specifies the username associated with this event. Usernames are often available in authentication related events. For all other types of events where the username is not available, this field is empty.
Magnitude - Specifies the magnitude of this event. Variables include credibility, relevance, and severity. Point your mouse to the magnitude bar to display values and the calculated magnitude.
Step 3 Double-click the event you wish to view in greater detail.
The event details window appears.
The event details window provides the following information:
Table 3-3 Event Details
Parameter - Description
Event Name - Specifies the normalized name of the event.
Low Level Category - Specifies the low-level category of this event. For more information on categories, see the Event Category Correlation Reference Guide.
Event Description - Specifies a description of the event, if available.
Severity - Specifies the severity of this event.
Credibility - Specifies the credibility of this event.
Relevance - Specifies the relevance of this event.
Magnitude - Specifies the magnitude for this event.
Source IP - Specifies the source IP address of the event.
Source Port - Specifies the source port of this event.
Destination IP - Specifies the destination IP address of the event.
Destination Port - Specifies the destination port of this event.
Pre NAT Source IP - Network Address Translation (NAT) translates an IP address in one network to a different IP address in another network. For a firewall or another device capable of NAT, this parameter indicates the source IP address before the NAT values were applied.
Pre NAT Source Port - For a firewall or another device capable of NAT, this parameter indicates the source port before the NAT values were applied.
Pre NAT Destination IP - For a firewall or another device capable of NAT, this parameter indicates the destination IP address before the NAT values were applied.
Pre NAT Destination Port - For a firewall or another device capable of NAT, this parameter indicates the destination port before the NAT values were applied.
Post NAT Source IP - For a firewall or another device capable of NAT, this parameter indicates the source IP address after the NAT values were applied.
Post NAT Source Port - For a firewall or another device capable of NAT, this parameter indicates the source port after the NAT values were applied.
Post NAT Destination IP - For a firewall or another device capable of NAT, this parameter indicates the destination IP address after the NAT values were applied.
Post NAT Destination Port - For a firewall or another device capable of NAT, this parameter indicates the destination port after the NAT values were applied.
Protocol - Specifies the protocol associated with this event.
Username - Specifies the username associated with this event, if available.
QID - Specifies the STRM Log Management identifier for this event. Each event has a unique QID. For information on mapping a QID, see Modifying Event Mapping.
Device - Specifies the device that sent the event to STRM Log Management.
Event Count - Specifies the total number of bundled events that constitute this normalized event. Events are bundled when many of the same type of event for the same source and destination IP address are seen within a short period of time.
Start Time - Specifies the time of the first event, as reported to STRM Log Management by the device.
End Time - Specifies the end time of the last event, as reported to STRM Log Management by the device.
Device Time - Specifies the system time of the device.
Payload - Specifies payload content from the event. To view the payload in Hex, click Hex. To view the payload in UTF, click UTF. To view in Base64, click Base64.
Matched Custom Rules - Specifies custom rules that have matched to this event. For more information on rules, see the STRM Log Management Administration Guide.
Annotations - Specifies the annotation or notes for this event.
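The bundling behind Event Count, Start Time and End Time in Tables 3-2 and 3-3, and the grouping behind the aggregate options in Table 3-6, as an added Python illustration that is not STRM code: the bundling window length, the field names and the sample events are assumptions, since the guide does not publish the window STRM uses.

```python
"""Event bundling and aggregate views modelled on the Event Viewer
descriptions (added example; the window, names and data are assumed)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """A normalized event, a subset of the Table 3-3 fields."""
    time: int          # seconds since epoch (constructed values below)
    name: str          # normalized event name
    device: str
    source_ip: str
    dest_ip: str
    dest_port: int
    username: str


@dataclass
class Bundle:
    """What the Event Viewer shows as one normalized event row."""
    name: str
    source_ip: str
    dest_ip: str
    start_time: int    # time of the first bundled event
    end_time: int      # time of the last bundled event
    event_count: int   # Event Count column


# Assumed "short period of time" in seconds; not a value from the guide.
BUNDLE_WINDOW = 10


def bundle_events(events, window=BUNDLE_WINDOW):
    """Coalesce repeated events with the same name, source IP and
    destination IP seen within `window` seconds of the bundle's first
    event. Later matching events start a new bundle. Returns bundles in
    time order."""
    open_bundles = {}   # (name, src, dst) -> bundle still accepting events
    result = []
    for ev in sorted(events, key=lambda e: e.time):
        key = (ev.name, ev.source_ip, ev.dest_ip)
        b = open_bundles.get(key)
        if b is not None and ev.time - b.start_time <= window:
            b.end_time = ev.time
            b.event_count += 1
        else:
            b = Bundle(ev.name, ev.source_ip, ev.dest_ip, ev.time, ev.time, 1)
            open_bundles[key] = b
            result.append(b)
    return result


def aggregate(events, *fields):
    """Aggregate view: count events grouped by the named Event fields,
    e.g. aggregate(evs, "source_ip", "dest_ip", "dest_port", "username")
    is the 'Src IP/ Dst IP / Dst Port/ User' option. Returns {key: count}."""
    counts = defaultdict(int)
    for ev in events:
        counts[tuple(getattr(ev, f) for f in fields)] += 1
    return dict(counts)


# Constructed sample: a burst of failed logins, one from another host, a
# late repeat outside the window, then a success. Private addresses and
# fictitious usernames.
SAMPLE = [
    Event(1000, "Login Failure", "fw1", "10.0.0.5", "10.0.1.20", 22, "alice"),
    Event(1003, "Login Failure", "fw1", "10.0.0.5", "10.0.1.20", 22, "alice"),
    Event(1008, "Login Failure", "fw1", "10.0.0.5", "10.0.1.20", 22, "alice"),
    Event(1009, "Login Failure", "fw1", "10.0.0.7", "10.0.1.20", 22, "bob"),
    Event(1030, "Login Failure", "fw1", "10.0.0.5", "10.0.1.20", 22, "alice"),
    Event(1031, "Login Success", "fw1", "10.0.0.5", "10.0.1.20", 22, "alice"),
]

if __name__ == "__main__":
    for b in bundle_events(SAMPLE):
        print(b)
    print(aggregate(SAMPLE, "source_ip", "dest_ip", "dest_port", "username"))
```

The first three failures collapse into one row with Event Count 3, Start Time 1000 and End Time 1008; the failure at 1030 falls outside the window and starts a new row.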
The event details window provides the following functions (the Icon column of the original table shows the toolbar icons):
Table 3-4 Event Details Toolbar
Icon - Function
[icon] - Allows you to return to the list of events.
[icon] - Allows you to edit the event mapping. For more information, see Modifying Event Mapping.
[icon] - Allows you to print the event details.

Viewing Raw Events
To view raw event data:
Step 1 Click the Event Viewer tab.
The Event Viewer window appears.
Step 2 From the Display drop-down list box, select Raw Events.
Raw event data appears.
The raw events window provides the following information:
Table 3-5 Raw Events Parameters
Parameter - Description
Current Filters - The top of the table displays the details of the filter applied to the search results. To clear these filter values, click Clear Filter.
Start Time - Specifies the time of the first event, as reported to STRM Log Management by the device.
Device - Specifies the device that originated the event.
Payload - Specifies the original event payload information in UTF-8 format.

Viewing Aggregate Normalized Events
Using the Event Viewer, you can view events aggregated (grouped) by various options.
Table 3-6 Aggregate Normalized Events
Aggregate Option - Description
Event Name - Displays a summarized list of events grouped by the normalized name of the event.
Source IP - Displays a summarized list of events grouped by the source IP address of the event.
Destination IP - Displays a summarized list of events grouped by the destination IP address of the event.
Source Port - Displays a summarized list of events grouped by the source port of the event.
Destination Port - Displays a summarized list of events grouped by the destination port of the event.
High Level Category - Displays a summarized list of events grouped by the high-level category of the event. For more information on categories, see the Event Category Correlation Reference Guide.
Low Level Category - Displays a summarized list of events grouped by the low-level category of the event. For more information on categories, see the Event Category Correlation Reference Guide.
Magnitude - Displays a summarized list of events grouped by the magnitude for this event. The variables used to calculate magnitude include credibility, relevance, and severity.
Credibility - Credibility indicates the integrity of an event as determined by the credibility rating from source devices. Credibility increases as multiple sources report the same event. This aggregate option displays a summarized list of events grouped by the credibility of the event.
Severity - Severity indicates the amount of threat an attacker poses in relation to how prepared the target is for the attack. This value is mapped to an event category that is correlated to the offense. This aggregate option displays a summarized list of events grouped by the severity of the event.
Relevance - Relevance indicates the significance of an event. This option displays a summarized list of events grouped by the relevance of the event.
Username - Displays a summarized list of events grouped by the username associated with the events.
Device - Displays a summarized list of events grouped by the devices that sent the event to STRM Log Management.
Device Type - Device Type indicates the type of device that originated the event. This aggregate option displays a summarized list of events grouped by device type.
Device Group - Displays a summarized list of events grouped by device group.
Network - Displays a summarized list of events grouped by the network associated with the event.
Src IP/ Dst IP / Dst Port/ User - Displays a summarized list of events grouped by the source IP address, destination IP address, destination port, and the user.
Src IP/ Dst IP / Dst Port/ Event Name - Displays a summarized list of events grouped by the source IP address, destination IP address, destination port, and the name of the event.
Src IP/ Event Name/ User - Displays a summarized list of events grouped by the source IP address, event name, and user.
Src IP/ Dst IP/ Event Name/ User: Displays a summarized list of events grouped by the source IP address, destination IP address, event name, and user.
Src IP/ Dst IP/ User: Displays a summarized list of events grouped by the source IP address, destination IP address, and the username associated with the event.
Src IP/ Dst IP: Displays a summarized list of events grouped by traffic from the source IP address to the destination IP address.
Dst IP/ Port: Displays a summarized list of events grouped by destination IP address and port.
Event Name/ Device: Displays a summarized list of events grouped by the event name and the device that sent the event to STRM Log Management.
Device/ High Level Cat: Displays a summarized list of events grouped by the device that sent the event to STRM Log Management and the high-level category. For more information on categories, see the Event Category Correlation Reference Guide.
Device/ High Level Cat./ Low Level Cat.: Displays a summarized list of events grouped by the device that sent the event to STRM Log Management and the high-level and low-level categories.
Matched Custom Rule: Displays a summarized list of events grouped by the associated custom rule.
Event Name/ Device Group: Displays a summarized list of events grouped by the event name and the device group.
Device Group/ High Level Cat: Displays a summarized list of events grouped by the device group and the high-level category. For more information on categories, see the Event Category Correlation Reference Guide.
Device Group/ High Level Cat/ Low Level Cat: Displays a summarized list of events grouped by the device group, the high-level category, and the low-level category. For more information on categories, see the Event Category Correlation Reference Guide.
Src IP/ MAC: Displays a summarized list of events grouped by the source IP address and the source MAC address.
Src NAT/ Dst NAT: Network Address Translation (NAT) translates an IP address in one network to a different IP address in another network. This option displays a summarized list of events grouped by the source and destination information (IP address and port) both before and after NAT was applied.
Src IP/ High Level Cat: Displays a summarized list of events grouped by the source IP address and the high-level category. The aggregate results provide a list of source IP addresses. For more information on categories, see the Event Category Correlation Reference Guide.
Src IP/ Low Level Cat: Displays a summarized list of events grouped by the source IP address and the low-level category. For more information on categories, see the Event Category Correlation Reference Guide.
Dst IP/ High Level Cat: Displays a summarized list of events grouped by the destination IP address and the high-level category. For more information on categories, see the Event Category Correlation Reference Guide.
Dst IP/ Low Level Cat: Displays a summarized list of events grouped by the destination IP address and the low-level category. For more information on categories, see the Event Category Correlation Reference Guide.
Src IP/ Dst IP/ High Level Cat: Displays a summarized list of events grouped by traffic from the source IP address to the destination IP address and the high-level category. For more information on categories, see the Event Category Correlation Reference Guide.
Src IP/ Dst IP/ Low Level Cat: Displays a summarized list of events grouped by traffic from the source IP address to the destination IP address and the low-level category. For more information on categories, see the Event Category Correlation Reference Guide.
To view aggregate normalized events:
Step 1 Click the Event Viewer tab.
The Event Viewer window appears.
Step 2 From the Display drop-down list box, select the desired option. For more information, see Table 3-6 Aggregate Normalized Events.
The event information appears.
Note: The column layout of the data depends on the chosen display option.
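The following Python script is an added illustration of what the Display options in Table 3-6 do to a stream of normalized events; it is not STRM code and does not reproduce STRM's internal implementation. It models a subset of the options as composite grouping keys, groups a set of constructed sample events (the field names event_name, src_ip, dst_ip, dst_port, device, high_level_cat, low_level_cat and username are this example's own choices, mirroring the column names in the table), and renders the result with a column layout that follows the chosen option, as the Note above describes. The "devices" column shows how many distinct devices reported each group, which is the fact the Credibility row of the table says raises an event's credibility.

```python
"""Group normalized events by Event Viewer style aggregate options.

Added example, not STRM code. All events below are constructed sample data;
the field names are assumptions that mirror the column names in Table 3-6.
"""
from collections import defaultdict

# Subset of the Display options in Table 3-6, mapped to the event fields that
# form the grouping key (option names are the table's, field names are ours).
AGGREGATE_OPTIONS = {
    "Event Name": ("event_name",),
    "Source IP": ("src_ip",),
    "Destination Port": ("dst_port",),
    "Device": ("device",),
    "Src IP/ Dst IP/ Dst Port/ Event Name":
        ("src_ip", "dst_ip", "dst_port", "event_name"),
    "Src IP/ High Level Cat": ("src_ip", "high_level_cat"),
    "Device/ High Level Cat./ Low Level Cat.":
        ("device", "high_level_cat", "low_level_cat"),
}

FIELDS = ("event_name", "src_ip", "dst_ip", "dst_port", "device",
          "high_level_cat", "low_level_cat", "username")

# Constructed normalized events (not captured from a real deployment):
# one host failing SSH logins on two servers and probing two firewalled
# ports, one legitimate login, and one unrelated firewall deny.
_RAW = [
    ("Login Failure", "10.1.1.5", "10.2.0.10", 22, "sshd-host-a",
     "Authentication", "User Login Failure", "root"),
    ("Login Failure", "10.1.1.5", "10.2.0.10", 22, "sshd-host-a",
     "Authentication", "User Login Failure", "admin"),
    ("Login Failure", "10.1.1.5", "10.2.0.11", 22, "sshd-host-b",
     "Authentication", "User Login Failure", "root"),
    ("Firewall Deny", "10.1.1.5", "10.2.0.12", 3389, "fw-edge",
     "Access", "Firewall Deny", ""),
    ("Firewall Deny", "10.1.1.5", "10.2.0.12", 445, "fw-edge",
     "Access", "Firewall Deny", ""),
    ("Login Success", "10.1.1.7", "10.2.0.10", 22, "sshd-host-a",
     "Authentication", "User Login Success", "alice"),
    ("Firewall Deny", "192.168.4.2", "10.2.0.12", 3389, "fw-edge",
     "Access", "Firewall Deny", ""),
]
SAMPLE_EVENTS = [dict(zip(FIELDS, r)) for r in _RAW]


def aggregate(events, option):
    """Group events by the key fields of `option`.

    Returns a list of rows {"key": {field: value}, "count": n,
    "devices": [distinct reporting devices]}, most frequent group first;
    ties are broken by the key values so the order is deterministic.
    """
    fields = AGGREGATE_OPTIONS[option]
    buckets = defaultdict(list)
    for ev in events:
        buckets[tuple(ev[f] for f in fields)].append(ev)
    rows = []
    for key, members in buckets.items():
        rows.append({
            "key": dict(zip(fields, key)),
            "count": len(members),
            "devices": sorted({m["device"] for m in members}),
        })
    rows.sort(key=lambda r: (-r["count"],
                             tuple(str(v) for v in r["key"].values())))
    return rows


def render(rows, option):
    """Render rows as a tab-separated table; columns follow the option."""
    fields = AGGREGATE_OPTIONS[option]
    lines = ["\t".join(list(fields) + ["count", "devices"])]
    for r in rows:
        cells = [str(r["key"][f]) for f in fields]
        cells += [str(r["count"]), ",".join(r["devices"])]
        lines.append("\t".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    # The single-field view concentrates the noisy host into one row; the
    # four-field view spreads the same activity over several rows, which is
    # why the grouping choice matters when hunting a scanning source.
    for option in ("Source IP", "Src IP/ Dst IP/ Dst Port/ Event Name"):
        print(f"== {option} ==")
        print(render(aggregate(SAMPLE_EVENTS, option), option))
```

Run the script directly to see the two views side by side; swap in a different key from AGGREGATE_OPTIONS, or extend the dictionary with the remaining rows of Table 3-6, to see how the column layout and the row count change with the option.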