Enterprise IT Security CEF Configuration Guide
- Pavan Raja

- Apr 8, 2025
- 4 min read
Summary:
This text is a technical document describing the security event types that an ArcSight SmartConnector collects from a z/OS system and how those events are mapped and handled for management and analysis. It gives an overview of the event categories, their codes, descriptions, and severity ratings, with specific examples of notable events such as DB2 Critical Events and MQSeries Critical Events. It also describes how these events are mapped to ArcSight data fields so that they interoperate with other security systems. Overall, the document is a useful resource for understanding and managing security incidents on an organization's mainframe infrastructure.
Details:
The document titled "SF 2 ArcSight" Connection Kit, dated May 8, 2009, is a Configuration Guide for configuring the connector to collect syslog events from Enterprise-IT-Security's SF-Sherlock, SF-RiskSaver, and SF-NoEvasion solutions on z/OS platforms. The guide provides instructions for setting up the connection between these solutions and ArcSight, enhancing security monitoring for IBM mainframes by capturing detailed event data not typically logged in standard systems like syslog or SMF records.
The connector supports comprehensive z/OS security and compliance monitoring to protect IBM's z mainframe platform from fraud, malicious activities, and unauthorized suppression of audit-relevant log data. It allows ArcSight to receive the most complete and accurate event data possible, thereby improving detection and protection measures for mainframes. The guide outlines that all configuration is done on the mainframe using ISPF Edit with specific control files (init-deck file), focusing on configuring SF-Sherlock and SF-NoEvasion components.
The document outlines the process of installing, enabling, and configuring the ArcSight connection. Installation requires applying SMP/E user modifications (UMODARxx), while configuration involves extending the standard event classifications with installation-defined events and patterns using the EVENTIDT and EVENTMFT init-deck members. The technical note details the specific events categorized under different policies, rules, and alert levels, including examples such as "Security_System_Attack" and "Resource_Access_Viol". These events support security monitoring and compliance reporting for system attacks and unauthorized access.
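To make the mapping step concrete, here is an added example (not code from the guide or from the SF-Sherlock/ArcSight products) that parses CEF-formatted syslog lines of the kind a SmartConnector receives and maps the header into ArcSight field names. The sample lines, the user and job names in them, and the device version "x.y" are constructed for illustration; the EVT_ identifiers and event names follow the entries listed further down this page.

```python
import re

# Constructed sample lines (not from the guide). The event name keeps the
# "policy | event" form used on this page, so the pipe is escaped as CEF requires.
SAMPLE_LINES = [
    "Apr  8 10:15:01 MVSA CEF:0|Enterprise-IT-Security|SF-Sherlock|x.y|EVT_0643|"
    "Security System Attack \\| Attempt To Misuse Another User|8|"
    "suser=TSOUSR1 duser=PAYADM1 cs1Label=jobName cs1=PAYJOB01 msg=Dataset of another user accessed",
    "Apr  8 10:16:44 MVSA CEF:0|Enterprise-IT-Security|SF-Sherlock|x.y|EVT_0661|"
    "Rvary Monitoring|5|suser=OPER01 msg=RVARY issued with operand\\=ACTIVE rt=1744107404000",
]

# key=value pairs; values may contain spaces and escaped characters, so a value
# runs lazily until the next " key=" or the end of the extension.
_EXT_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=((?:\\.|[^\\])*?)(?=\s+[A-Za-z0-9_.]+=|$)")


def _unescape(value: str) -> str:
    """CEF escapes: \\= and \\| become the literal character, \\\\ a backslash, \\n and \\r line breaks."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _split_header(cef: str):
    """Split on the first seven unescaped '|'; the remainder is the extension (pipes there are literal)."""
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        if cef[i] == "\\" and i + 1 < len(cef):
            cur.append(cef[i:i + 2]); i += 2; continue   # keep escape pair intact for now
        if cef[i] == "|":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(cef[i])
        i += 1
    return fields, cef[i:]


def agent_severity(sev: str) -> str:
    """ArcSight's CEF severity mapping: 0-3 Low, 4-6 Medium, 7-8 High, 9-10 Very-High."""
    if sev.isdigit():
        n = int(sev)
        return "Low" if n <= 3 else "Medium" if n <= 6 else "High" if n <= 8 else "Very-High"
    return sev if sev in ("Low", "Medium", "High", "Very-High") else "Unknown"


def parse_cef(line: str) -> dict:
    """Map one syslog line to ArcSight field names; raises ValueError if it is not well-formed CEF."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF line")
    header, ext = _split_header(line[start + 4:])
    if len(header) != 7:
        raise ValueError("malformed CEF header")
    version, vendor, product, dev_version, sig, name, severity = (_unescape(h) for h in header)
    event = {"cefVersion": version, "deviceVendor": vendor, "deviceProduct": product,
             "deviceVersion": dev_version, "deviceEventClassId": sig, "name": name,
             "deviceSeverity": severity, "agentSeverity": agent_severity(severity)}
    event.update({k: _unescape(v) for k, v in _EXT_RE.findall(ext)})
    return event


def parse_samples() -> list:
    return [parse_cef(line) for line in SAMPLE_LINES]
```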
The provided text lists multiple event identifiers (EVT) related to security system attacks and parameter changes, along with some details about the events. Here is a summary of each entry:
**EVT_0643**: "Security System Attack | Attempt To Misuse Another User" - Indicates an attempt to misuse resources or information belonging to another user in a system.
**EVT_0644**: "Security System Attack | Possible Misuse Of User By Another" - This event suggests that there is suspicion of possible misuse of a user's account by someone else, which could be an unauthorized activity.
**EVT_0645**: "Security System Attack | SF Sherlock Attack" - Indicates a specific type of attack (Sherlock) related to security system attacks, potentially indicating some form of suspicious or malicious activity within the system.
**EVT_0646** and **EVT_0647**: These events are labeled "UNIX_(OMVS)_Security" and cover critical file operations and deletions, suggesting potential unauthorized access or manipulation in the UNIX (OMVS) environment.
**EVT_0648**: "Security Parm Change | Integrated Crypto Facility Operation" - This indicates a change in security parameters related to an integrated cryptographic facility, which might suggest modifications to encryption settings or other security measures.
**EVT_0649** and others: These events relate to Sherlock specialties and include violations of SHER-MONITOR (suspected misuse or unauthorized activity involving the SHER-MONITOR system) and file deletions, indicating potential security breaches.
**EVT_0650**, **EVT_0651**, and **EVT_0652**: These events pertain to access violations related to external employees, developer accesses to production data, and unauthorized user access, respectively. They highlight issues with user permissions and authentication mechanisms.
**EVT_0653**: "Security System Attack | Critical Sherlock File Update" - Indicates a critical update to a Sherlock file that might be associated with significant changes affecting security or operational functionality within the system.
**EVT_0654** through **EVT_0659**: These events describe various forms of suspicious user activities, including hacking-like characteristics and emergency situations, suggesting ongoing efforts at unauthorized access or manipulation in the system environment.
**EVT_0660** and **EVT_0661**: "Emergency User Activity" and "Rvary Monitoring" - These indicate urgent actions taken by users that require immediate attention to prevent potential security breaches or critical incidents within the system.
**EVT_0662**: "Report Invalidated" - This suggests that a report generated for any of the above events has been invalidated, possibly due to inaccuracies or updates in the information, indicating a need for further investigation and possibly for corrective security measures.
**EVT_0663** through **EVT_0669**: These events involve scanning or misuse related to database resources, such as resource class definition, user with an enveloped password, parameter settings, and missing SMF data, highlighting potential vulnerabilities in the system's security architecture.
**EVT_0670**: This entry is cut off but appears to continue a pattern of events related to security scanning or misuse within database systems.
Overall, these event identifiers suggest that there are ongoing attempts to exploit or misconfigure various security mechanisms within the system, indicating potential vulnerabilities and highlighting the need for enhanced monitoring, access controls, and audit capabilities to prevent unauthorized activities.

This is a list of event identifiers from various systems, each with a specific description and severity rating. Here's the summarized data in table format:

| Event ID | System Type | Description | Severity Rating |
|---|---|---|---|
