Event Manager

NOTE: Event Manager was formerly called Powertech Event Manager.

June 2021

Version 6.6.0.30000

Jun 30, 2021

New Features
  • New actions have been added to the Windows template in Event Manager to detect persistence through the management of security-disabled (distribution) groups.

  • New actions have been added to the Windows template in Event Manager to detect persistence through the creation of unknown or unapproved services or processes.

  • New actions have been added to the Windows template in Event Manager to detect persistence through Scheduled Tasks management.

  • Response times in the Event Manager and Forensic Analysis grids have been reduced when asset filtering is used in the Security tab configuration.
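The three Windows-template additions above cover persistence through security-disabled groups, unapproved services and scheduled tasks. The following is an added example, not Event Manager's template logic, of the kind of rule that implements such detection, run over a few constructed Windows events. The event IDs are the standard Security/System log IDs for those actions; how the product's template maps them is not shown in these notes, and the allow-lists, hosts, accounts and paths are assumptions.

```python
"""Added example, not Event Manager template logic: flag the Windows
persistence signals named in the release notes over constructed events."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Standard Windows Security/System event IDs for the three areas. Assumption:
# the product's own template mapping is not shown in the release notes.
SECURITY_DISABLED_GROUP = {
    4744: "security-disabled local group created",
    4746: "member added to security-disabled local group",
    4749: "security-disabled global group created",
    4751: "member added to security-disabled global group",
    4759: "security-disabled universal group created",
    4761: "member added to security-disabled universal group",
}
SERVICE_INSTALLED = {4697: "service installed (Security log)",
                     7045: "service installed (System log)"}
SCHEDULED_TASK = {4698: "scheduled task created",
                  4700: "scheduled task enabled",
                  4702: "scheduled task updated"}

# Hypothetical site allow-lists; anything not listed is "unknown/unapproved".
APPROVED_SERVICES = {"Spooler", "WinDefend", "MSSQLSERVER"}
APPROVED_TASKS = {r"\Microsoft\Windows\Defrag\ScheduledDefrag"}
# Binary locations that are rarely legitimate for a service or task action.
SUSPICIOUS_PATH = re.compile(r"\\(Temp|AppData|Users\\Public|ProgramData)\\", re.I)


@dataclass
class WinEvent:
    event_id: int
    computer: str
    subject: str       # account that performed the action
    target: str        # group, service or task name
    image: str = ""    # service binary or task command, when the event has one


@dataclass
class Finding:
    category: str      # "group", "service" or "task"
    reason: str
    event: WinEvent


def classify(ev: WinEvent) -> Optional[Finding]:
    """Return a Finding for a persistence-relevant event, else None."""
    if ev.event_id in SECURITY_DISABLED_GROUP:
        # Distribution groups grant no rights, which is exactly why an attacker
        # may use them to stage membership quietly: surface every change.
        return Finding("group", SECURITY_DISABLED_GROUP[ev.event_id], ev)
    if ev.event_id in SERVICE_INSTALLED:
        if ev.target not in APPROVED_SERVICES or SUSPICIOUS_PATH.search(ev.image):
            return Finding("service", f"{SERVICE_INSTALLED[ev.event_id]}: "
                           f"{ev.target!r} running {ev.image!r}", ev)
        return None
    if ev.event_id in SCHEDULED_TASK:
        if ev.target not in APPROVED_TASKS or SUSPICIOUS_PATH.search(ev.image):
            return Finding("task", f"{SCHEDULED_TASK[ev.event_id]}: "
                           f"{ev.target!r} running {ev.image!r}", ev)
        return None
    return None


def detect(events: Iterable[WinEvent]) -> List[Finding]:
    """Run classify over a stream of events and keep the hits."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample events (hosts, accounts and paths are made up).
SAMPLE_EVENTS = [
    WinEvent(4624, "WS01", r"CORP\alice", ""),                       # logon: ignored
    WinEvent(4744, "DC01", r"CORP\bob", "Vendor-Notify"),
    WinEvent(7045, "WS01", "SYSTEM", "Spooler",
             r"C:\Windows\System32\spoolsv.exe"),                    # approved
    WinEvent(7045, "WS01", r"CORP\bob", "WinUpdateSvc",
             r"C:\Users\Public\svc.exe"),
    WinEvent(4698, "WS02", r"CORP\carol", r"\Microsoft\Windows\Defrag\ScheduledDefrag",
             r"%windir%\system32\defrag.exe"),                       # approved
    WinEvent(4698, "WS02", r"CORP\carol", r"\Updater",
             r"C:\Users\carol\AppData\Roaming\u.exe"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.category}] {f.event.computer} {f.event.subject}: {f.reason}")
```

Of the six constructed events, the rule surfaces three: the distribution-group creation, the unapproved service installed from a world-writable folder, and the scheduled task whose action lives under a user profile. The two approved entries and the logon event are ignored, which is the property a template like this needs so that routine Spooler or Defrag activity does not drown the real signal.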

Enhancements
  • A new logo for Event Manager and Security Auditor has been applied.

  • Added support for the new Powertech SIEM Agent 4.4 release.

  • New events have been added to FortiGate assets.

  • “Group by Asset” option added as an Issues Analysis report parameter when scheduling.

  • Refresh Time, Latency and Time Zone default values have been changed for the Amazon Web Services template.

  • Event Manager has improved the throughput of deleting old records during its maintenance process.

  • Improved installation check: if IIS (Internet Information Services) is not installed and the installer cannot install it, installation is cancelled to avoid unexpected problems.

  • Object Creation, Deletion and Modification actions for objects of type Function, Index, Stored Procedure, Trigger and View have been added to the Oracle template in Event Manager.

  • User Statements (SQL delete, insert, update) actions have been added to the Oracle template in Event Manager. These require a specific audit activation.

  • It is now possible to create/define assets with newer Oracle versions (12, 18, 19).

Other Fixes
  • An asset created in Event Manager whose name matches the system where the product is installed but differs in letter case is now listed correctly in the Audited System column of the Event Manager and Forensic Analysis grids.

  • The Azure Active Directory Operator is now mapped using the UserId from the original Event instead of the UserKey.

  • Missing translations (English and Spanish) for some event Action/SubAction names in reports have now been added.

  • Within Forensic Analysis, deselecting a "Blanks" value from the Security Control columns "Security Control Name", "Selection Rule" and "Classification Rule" did not work. This issue has been fixed.

  • A parsing issue with IBM i Authority Failure (AF) for the SIEM Agent integration out-of-the-box template has been resolved.

  • The Update Statistics job for the Orchestrator Engine, scheduled every night, did not actually update index statistics. This has been resolved and a summary is now logged in the Orchestrator\Orchestrator Engine\logs folder.

  • Invalid email address was used as the default for the technical contact email in Reports. This issue has been fixed.

  • If the Domain or User/Group was changed while editing a User or Group configuration, notifications for that user or group stopped working permanently. This issue has now been fixed.

  • Manually created monitors within ThinkServer Configurator for an Advance Database Reader DataSource configured as "Incremental Policy: Indexed" did not retrieve any data. This issue has been fixed.

  • The Events Manager Custom DataSources EventLog and DatabaseReader did not retrieve events for a specific subaction if "SubAction Complete Message Parsing" was defined and "Variables Mapping" used a variable whose letter case differed from the one in the regular expression. This issue has been fixed.

  • Some characters entered in several search boxes were treated as invalid and caused an error. This issue has been fixed.

  • Sometimes, upgrading could leave Web.config with invalid content in the "staticContent" tag, rendering the software unavailable. This issue has been fixed.

  • When saving an alarm or action set, the editing tab is now maintained.

  • It is no longer permitted to change the application Security Administrator during an upgrade and installation only continues if the security administrator password has been verified.

  • Regular expressions and default time format parameters in SWIFT applications Datasources were incorrect. These have been fixed in this release.

  • Objects Action Auditing based reports couldn't be opened when the result contained only one record. This issue has been fixed.

  • Monitored assets could stop receiving health updates and issue information due to a lock in SmartConsole Publisher. This issue has been fixed.

  • Infrequently, Inspector Service could become inaccessible after starting. This issue has been fixed.

  • If both Event Manager and Vityl IT & Business Monitoring collect syslog events, the L2Launcher Syslog process could crash due to excessive memory usage. This issue has been fixed.

  • Some of the oldest scheduled reports were not being correctly launched. This issue has now been fixed.

  • DSNs created for SQL Server Express 2019 now work as expected.

  • Installation or upgrade could sometimes generate an incorrect Web.config, resulting in the product being unavailable. This has been fixed.

  • An issue with single sign-on has been addressed and now all the applications work without a new login.

  • Security Controls with specific Regulations selected did not use these selections after a refresh. This has been fixed.

  • The SubAction Regular Expression Filter in the Database Reader and Windows Event Log Custom Datasources was inaccessible, leaving the configuration incomplete. This has been fixed.

  • Using Microsoft 365 Datasources with "Actions and subactions automatic discovery" enabled no longer causes an Event Manager unavailability problem.

  • A Security Control that failed to load (due to an unexpected error) while the "Orchestrator" service was starting prevented the service from starting at all. This issue has been fixed.

  • When using Internet Explorer v11, badly aligned check boxes in the Investigate tab for an event have now been repositioned.

  • When editing a “Subaction regular expression filter”, any invalid regular expressions or variables mapping are now detected.

  • Forensic Analysis or Events Manager grids could generate an "Error executing Indexator query embedded in where clause. Details: AccessServer error: Invalid session." error, resulting in the event counts not being displayed. This has been fixed.

  • An error collecting events from a named SQL Server instance using User/Password credentials has been fixed.

December 2020

Version 6.5.0.30000

Dec 21, 2020

New Features
  • All possible values for columns Action, SubAction, Operator Category, User Category and Object Category are now displayed for column filters in the Event Manager and Forensic Analysis grids. Previously you would see only values from existing security events.

  • An 'out-of-the-box' template for Azure Active Directory has been made available.

  • An 'out-of-the-box' template for Azure Exchange Online has been made available.

  • An 'out-of-the-box' template for Microsoft Teams has been made available.

  • Event Manager now provides security and compliance monitoring for data hosted in the Microsoft 365 environment.

  • This release adds the ability to monitor file integrity for Windows, adding this capability to those already available for Unix, Linux, AIX and IBM i.

Enhancements
  • An 'out-of-the-box' template to audit SAP Adaptive Server Enterprise (formerly Sybase) has been made available.

  • Backup and Restore databases actions have been added to the SQL Server 'out-of-the-box' template.

  • Tracing has been improved so that required attributes that cannot be found are reported when application errors are raised.

  • Fixed a bug that prevented pasting a contact email address into the notifications configuration.

  • Windows User inactivity detection has been improved with 'Expired account' information.

  • It is now possible to use long passwords in credentials.

  • The Axis2 library versions 1.5 and 1.6.1 have been upgraded to version 1.7.9. This library is used in HelpSystems - Orchestrator Idx and HelpSystems - ThinkServer Java System i Server modules.

  • The full Job Name is now displayed in Additional Info 2 on IBM i Audit events coming from VMC.

  • Event Manager now provides the ability to group events using multiple variables and add summary charts to make it easier to detect anomalies or threats.

  • It is no longer possible to delete an asset with non-templatized monitors (manually created from ThinkServer configurator).

  • It is no longer required to input the user password while scheduling reports.

  • It is now possible to assign an event to "Me" without the need of having this user explicitly created in the product.

  • It is now possible to choose whether to use an encrypted connection to the product databases during the installation process.

  • JSON events are now formatted when displayed in the Event Details- Event Manager page.

  • Outbound alert integrations with Solarwinds Web Help Desk and Dynatrace have been made available.

  • Reorganizing of indexes, included in the maintenance process, will only be executed at weekends to avoid affecting production hours.

  • The Events Maintenance process is now five times faster.

  • The product now uses an OpenJDK JRE version.

  • This release provides the ability to manually add values to the grids (Event Manager and Forensic Analysis) columns possible values list on the column headers.

Other Fixes
  • Some configuration changes in Vityl IT and Business Monitoring took too long to apply because an internal #RECOVERY_OPERATIONS_FULL_SYNCHRO# request was in progress. This has been fixed.

  • Syslog messages without priority were not being correctly parsed. This has been fixed.

  • An error where some syslog messages from CEF monitors that had non-English characters couldn't be correctly parsed has been fixed.

  • After upgrading to v6.4, there were some cases where the Scheduler Service couldn't start. This has been fixed.

  • After upgrading to version 6.4 from previous versions, some old files could remain indefinitely in the ThinkServer\transient folder and "invalid vector<T> subscript" errors could appear in ThinkServer\logs\T4BDSR.log. This has been fixed in this release.

  • ThinkServer module monitors remained in Unknown status instead of returning proper health status if there were multiple "MaxThreads" DataSources of the same Type. This has been fixed.

  • Multiple scroll bars were shown when switching rapidly between monitors. This has been fixed.

  • The installation process has been improved to force a restart if it is pending after an automatic Windows Update.

  • Fixed a memory leak in the SmartConsole Module.

  • Fixed access to category rules in environments with custom types.

  • The number of events was not properly displayed in the 'By control' summary in Event Manager. This has been fixed.

  • Custom DataSource Subaction Regular Expression Filters were case sensitive. This has been fixed.

  • Event Manager Inspector module crashed (and generated a dump) when connection with DB was lost. This has been fixed.

  • Incorrect active users were reported when a domain had multiple domain controllers and the last logon date was not synchronized between them (the lastLogon attribute is not replicated across domain controllers). This has been fixed.

  • SQL Server Datasource Configuration now allows an empty path for traces directory.

  • It is now possible to create new calendar range sets with the required name.

  • AccessServer maintenance could report an error when trying to resolve extremes. This has been fixed.

  • Windows "Logon failed" events due to an account lockout were not correctly reported: the reason (account lockout) was missing. This has been fixed.

  • Charts could have missing data for current intervals if lots of errors "Query timeout expired" were returned to HelpSystems - PMB service from SQL Server. These errors were located in PMDB log files. This has been fixed.

  • There was a problem when trying to change AccessServer service port number. This has been fixed.

  • If the tenant name was changed from Event Manager, monitors on audited assets still saved events under the old tenant name. This has been fixed.

  • Groups can now be excluded from User Directory Service requests by creating a ServiceExcluded.ndx file in the \YellowPages\bin\cache folder, using the same format as the Service.ndx file. This prevents the User Directory Service from crashing.

  • Event Manager User Account Inactivity events sometimes did not retrieve the user domain. This has been fixed.

  • SelfMonitoring monitor for "SmartConsole Outdated" Assets control could fail with monitoring error "...Parsing regular expression ...". This has been fixed in this release but if upgrading from v6.4 to this release, a manual fix is required.

  • The C++ vulnerability has been fixed in this release (CVE-2-12-6151).

  • The 'Improper Restriction of Rendered UI Layers or Frames' vulnerability has been corrected. Clickjacking attacks are now prevented (CWE-1021).

  • Exposure of Sensitive Information to an Unauthorized Actor vulnerability has been fixed. The detailed version information exposure has been turned off (CWE-200).

  • The 'Generation of Error Message Containing Sensitive Information' vulnerability has been fixed. The stack trace has been removed from all the product error messages (CWE-209).

  • The 'URL Redirection to Untrusted Site' ('Open Redirect') vulnerability has been fixed (CWE-601).

  • The 'Sensitive Cookie in HTTPS Session Without Secure Attribute' vulnerability has been fixed. The Secure flag is now set on all sensitive cookies (CWE-614).

  • The 'Improper Neutralization of HTTP Headers for Scripting Syntax' vulnerability has been fixed. Secure headers have been added to all HTTP responses following the OWASP recommendations (CWE-644).

  • The 'Improper Neutralization of Input During Web Page Generation' ('Cross-site Scripting') vulnerability has been fixed (CWE-79).

  • All user input is now validated character by character to avoid potential problems.

  • The HelpSystems SmartConsole Messenger module had a handle leak. This has been fixed.

  • Insite Event Manager - Events Analysis could show inconsistent data across different charts. This issue has been fixed.

  • Maintenance for the Historical or Archive Events Database could fail if database tables were deleted manually without restarting the "HelpSystems - Database Maintenance" Windows service. Tables are now recreated before the Maintenance for Events Database is run.

  • Maintenance performance has been improved, in particular when there are many annotations.

  • Multiple OpenSSL vulnerabilities have been fixed in this release.

  • Renaming a Tenant to a previously existing name generates an error: "Tenant name already exists". This has been fixed.

  • The ThinkServer module could consume a large amount of memory if monitors generated very large messages, eventually crashing the module. This has been fixed.

  • Users or Groups with blank spaces in their name were not supported. Some features, for example, Security User Permissions, did not work properly. This has been fixed.
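The web-hardening fixes listed for this release (clickjacking protection, CWE-1021; the Secure flag on sensitive cookies, CWE-614; version disclosure, CWE-200; stack traces in error pages, CWE-209; OWASP secure headers, CWE-644) can be verified on a deployed instance by inspecting an HTTP response. The following is an added example, not the product's own code, that checks a raw response against those points. The two responses are constructed to show an unhardened and a hardened instance; the header values, cookie name and error page text are assumptions, as is the HttpOnly check (CWE-1004), which the notes do not mention.

```python
"""Added example: check one HTTP response for the web-hardening points listed
in the 6.5 release notes. Not Event Manager code; responses are constructed."""
import re

# Cookie names treated as sensitive (assumption: session/auth/token).
SENSITIVE_COOKIE = re.compile(r"session|auth|token", re.IGNORECASE)
# A dotted number in Server/X-Powered-By/X-AspNet-Version counts as a version.
VERSION = re.compile(r"\d+\.\d+")
# .NET-style stack frame lines: "   at Namespace.Type.Method(...)".
STACK_FRAME = re.compile(r"^\s+at\s+[\w.]+\(", re.MULTILINE)
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def check_response(raw: str) -> list:
    """Return findings tagged with the CWE each maps to; empty means pass."""
    status, headers, body = parse_response(raw)
    hdr, cookies = {}, []
    for name, value in headers:
        if name == "set-cookie":
            cookies.append(value)
        else:
            hdr.setdefault(name, value)
    findings = []

    # CWE-1021: framing must be restricted by X-Frame-Options or CSP.
    xfo = hdr.get("x-frame-options", "").upper()
    csp = hdr.get("content-security-policy", "")
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("CWE-1021: no X-Frame-Options or CSP frame-ancestors")

    # CWE-614 (and CWE-1004): sensitive cookies need Secure and HttpOnly.
    for cookie in cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if SENSITIVE_COOKIE.search(name):
            if "secure" not in attrs:
                findings.append(f"CWE-614: cookie {name} lacks Secure")
            if "httponly" not in attrs:
                findings.append(f"CWE-1004: cookie {name} lacks HttpOnly")

    # CWE-200: no detailed version numbers in server identification headers.
    for name in DISCLOSING_HEADERS:
        value = hdr.get(name, "")
        if VERSION.search(value):
            findings.append(f"CWE-200: {name} discloses version {value!r}")

    # CWE-644: the OWASP secure headers the notes refer to.
    if hdr.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("CWE-644: X-Content-Type-Options: nosniff missing")
    if "strict-transport-security" not in hdr:
        findings.append("CWE-644: Strict-Transport-Security missing")

    # CWE-209: error responses must not carry a stack trace.
    if status >= 500 and ("Stack Trace" in body or STACK_FRAME.search(body)):
        findings.append("CWE-209: error page contains a stack trace")
    return findings


def _response(status_line, headers, body):
    return "\r\n".join([status_line, *headers]) + "\r\n\r\n" + body


# Constructed responses: one as a pre-fix instance might answer, one hardened.
UNHARDENED_RESPONSE = _response(
    "HTTP/1.1 500 Internal Server Error",
    ["Server: Microsoft-IIS/10.0",
     "X-AspNet-Version: 4.0.30319",
     "X-Powered-By: ASP.NET",
     "Content-Type: text/html",
     "Set-Cookie: ASP.NET_SessionId=abc123; path=/"],
    "<pre>Stack Trace:\n   at EventManager.Web.Default.Page_Load(Object sender, EventArgs e)</pre>",
)
HARDENED_RESPONSE = _response(
    "HTTP/1.1 500 Internal Server Error",
    ["Server: Microsoft-IIS",
     "Content-Type: text/html",
     "X-Frame-Options: SAMEORIGIN",
     "Content-Security-Policy: frame-ancestors 'self'",
     "X-Content-Type-Options: nosniff",
     "Strict-Transport-Security: max-age=31536000",
     "Set-Cookie: ASP.NET_SessionId=abc123; path=/; Secure; HttpOnly"],
    "<p>An error occurred. Reference ID 7f3a.</p>",
)

if __name__ == "__main__":
    for label, raw in (("unhardened", UNHARDENED_RESPONSE),
                       ("hardened", HARDENED_RESPONSE)):
        print(label, check_response(raw) or "OK")
```

Against the unhardened response the checker reports eight findings spanning all six CWE tags; the hardened response passes cleanly. To run it against a live instance, capture the raw response of an error page over HTTPS (for example with a TLS-capable client that keeps the headers) and pass the text to check_response; the cookie check is only meaningful on an HTTPS response, since the Secure attribute has no effect on plain HTTP.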

May 2020

Version 6.4.0.30000

May 11, 2020

New Features
  • Event Manager now provides event notification on a wide range of popular business applications. You can now create a ticket in ServiceNow or Jira, an alert in Opsgenie, or send a message to Microsoft Teams, Slack, and Telegram.
  • Powertech Antivirus for IBM i events integration is now available using Powertech SIEM Agent for IBM i (version 4.0 or later only).
  • This version of Event Manager lets you assign your own names to the custom variables used in the product, so that views and reports reflect your real business concepts.
  • Event Manager now provides the ability to be notified that an event has occurred on which a user must act. Security Analysts are then able to react rapidly whenever a security alert is triggered, to remove the potential threat as soon as possible.
  • To comply with the California Consumer Privacy Act 2018, Event Manager provides 'out-of-the-box' views and reports to help you defend against data breaches, and ensure your customers' personal information remains secure.
Enhancements
  • If a link is configured on the control treatment instructions, it is also now available from the event details screen.
  • Assets with a delayed event collection issue are now detected from within Event Manager.
  • If a Security Control name change in Event Manager is not applied immediately, a message with the detailed error is now written to the Events Control Service logs (typically in the \Inspector\bin\logs installation folder).
  • Event Manager notifications now include the Action, SubAction, Object and Application fields as variables.
  • Installation process improvements have been made to improve reliability and resilience.
  • New validation routines have been added during the upgrade process to ensure that the product security administrator is correctly configured.
  • The monitoring configuration database is now optimized, by rebuilding or reorganizing indexes and updating statistics, each day in a nightly batch process.
  • Performance has been improved when collecting "Powertech Database Monitor for IBM i" events, as numeric date and time table columns can now be used on the "Incremental field" without special casts.
  • Calendars are no longer refreshed if no modifications have been made.
  • SPARE1 and SPARE2 are now retrieved on the Oracle Standard datasource and are mapped to Additional Info 1 and 2 fields.
  • New attributes of Environment, Customer, Facility Name and Facility Type have been added to assets to make categorization easier.
  • Email notifications now use HTML format to make them easier to understand on the initial reading.
Other Fixes
  • Self monitoring assets no longer have false critical errors if the "Select SmartConsole" option is chosen to monitor an 'Application or Connectivity Group' for a self monitoring application.
  • VMware (vCenter) security events are now stored in local monitoring node time instead of UTC.
  • The timeout for Dynatrace API webservice checks has been modified to 30 seconds instead of 10 seconds.
  • Variables mapping in custom datasources no longer displays false positives in the validation.
  • Filters in Subactions using fields 'Operator Category', 'User Category' or 'Object Category' now work as expected.
  • Event Manager now stores security events created on February 29th with the correct date.
  • Event Manager can now retrieve Windows event log events from systems whose EventRecordNumbers exceed 4,294,967,296 (record numbers that no longer fit in a 32-bit unsigned integer).
  • Column values in Forensic Analysis and Event Manager are now displayed correctly when lots of different values exist.
  • Performance metrics database queries have been improved with the addition of a new index.
  • If SmartConsole stops due to an unexpected error, the recovery procedure is now a lot faster than previously, thus reducing the outage time.
  • A fix has been applied to prevent high memory usage in the Events Control Service when the column cache (ColumnCacheCapacity) holds a lot of different values.
  • The product can now recover when PMDB encounters "The transaction log for database ... is full due to" and "The server failed to resume the transaction" monitoring errors.
  • Using VAR01 to VAR99 in Security Control filters for Event Manager no longer causes the Events Control Service to crash.
  • The non-existing user in Active Directory error generated when creating a user has been fixed in this release.
  • The daily self-cleaning of metrics data now includes the "Shrinking Transaction Log" step for SQL server database.
  • The Memory usage of the Events Manager T4MonManagerService.exe process has been reduced in this release.
  • The PMDB service accessed from Event Manager and/or Vityl IT and Business Monitoring now recovers from a Microsoft ODBC Driver 13 for SQL Server restart error.
  • The Event Manager syslog agent now discards messages when memory use grows because of a bottleneck in syslog message handling.
  • The Performance bottleneck that arose when saving Event Manager events to DB has been corrected in this release.
  • T4MonManagerService.exe process memory was too high when viewing the list of assets in Event Manager. This has been fixed in this release.
  • Event Manager DataSources for Windows that do not have proper credentials now report a Monitoring error.
  • A fix has been applied so that Activity calendars are now discovered by ThinkServer following an update.
  • Event Repetition selection rules for Event Manager Security Controls now take into account variables "Variable 01" to "Variable 99" for the "Use a custom set of fields to find repetitions" parameter.
  • Data is now displayed as expected when selecting a Database that is different from ShortTerm in Event Manager Forensic Analysis.
  • When more than one monitor queries the same table, Database Reader Monitors no longer return an error when updating the database cache.
  • In order to reduce the maintenance process time for events data, improvements to queries have been made.
  • Asset credentials, or some of its datasources, can now be used when manually setting credentials at monitor level.
  • Report generation performance has been improved in this release; in addition, users are now warned that generating reports covering a long time range can degrade performance.
  • Scheduled reports could fail with error "Invalid AccessServer session". This has been fixed in this release.
  • The Chronological Data Changes report display no longer shows an error when no data is returned.
  • The default domain is now correctly saved and displayed on the login screen.
  • Monitors were not working if an invalid datetime format was configured in Database Datasources. This has been fixed in this release.
  • When some User Account Names contained non-English characters, some monitors were reporting encoding errors. This has been fixed in this release.
  • Event Manager now receives events from Cisco routers and switches as expected.
  • The problem in DataSource configuration where some fields were not saved has been fixed in this release.
  • The IBM i - User Profiles report now returns the correct information for deleted users.
  • Collection errors on User/Computer account inactivity have been corrected in this release.
  • The Internal error "database disk image is malformed" that could occur in both "ThinkServer" and "Events Control Service" has been fixed in this release.
  • Previous Value and Current value columns on Forensic Analysis now correctly display all changes on audit policy modification for Event ID 4719.
  • If SmartConsole has connections to both IBM i and PC systems, events from Agent Code AUD are now received once SmartConsole is restarted.
  • When creating a Tenant, the default configuration was not created until the next restart of the Orchestrator service. This has been fixed in this release.
  • Following installation, Security Control events of a particular tenant could be created with events that were actually from other tenants. This has been fixed in this release.
  • Autodiscovery was failing if it was unable to retrieve the model of a specific device. This has been fixed in this release.
  • Event Manager events which should be excluded by SubAction filters are no longer audited in error.
  • .NET connections are now forced to TLS 1.2 to avoid the weaknesses of older TLS/SSL versions.
  • Processing a large number of events in Vityl IT and Business Monitoring is now run in the correct order within SmartConsole Business View so that the correct asset health status is displayed.
  • The User Directory Service (also called YellowPages) had a deadlock that produced a steady rise in memory usage and could eventually crash the process. This has been fixed in this release.
  • The Complete Message for an Event Pattern Rule in a Security Control is now built correctly: the variables in the message template are replaced as expected.
  • The "Out of Memory" error in the Windows service "SmartConsole Publisher" has been fixed in this release.
  • Using the characters ' or " within the Name or Alias of Vityl Assets is now allowed.
