Event Manager

NOTE: Event Manager was formerly called Powertech Event Manager.

December 2020

Version 6.5.0.30000

Dec 21, 2020

New Features
  • All possible values for columns Action, SubAction, Operator Category, User Category and Object Category are now displayed for column filters in the Event Manager and Forensic Analysis grids. Previously you would see only values from existing security events.

  • An 'out-of-the-box' template for Azure Active Directory has been made available.

  • An 'out-of-the-box' template for Azure Exchange Online has been made available.

  • An 'out-of-the-box' template for Microsoft Teams has been made available.

  • Event Manager now provides security and compliance monitoring for data hosted in the Microsoft 365 environment.

  • This release adds the ability to monitor file integrity for Windows, adding this capability to those already available for Unix, Linux, AIX and IBM i.

Enhancements
  • An 'out-of-the-box' template to audit SAP Adaptive Server Enterprise (formerly Sybase) has been made available.

  • Backup and Restore databases actions have been added to the SQL Server 'out-of-the-box' template.

  • Tracing has been improved to detect required attributes that are not found when application errors are triggered.

  • Fixed a bug that did not allow contact email addresses to be pasted into the notifications configuration.

  • Windows User inactivity detection has been improved with 'Expired account' information.

  • It is now possible to use long passwords in credentials.

  • The Axis2 library versions 1.5 and 1.6.1 have been upgraded to version 1.7.9. This library is used in HelpSystems - Orchestrator Idx and HelpSystems - ThinkServer Java System i Server modules.

  • The full Job Name is now displayed in Additional Info 2 on IBM i Audit events coming from VMC.

  • Event Manager now provides the ability to group events using multiple variables and add summary charts to make it easier to detect anomalies or threats.

  • It is no longer possible to delete an asset with non-templatized monitors (manually created from ThinkServer configurator).

  • It is no longer required to input the user password while scheduling reports.

  • It is now possible to assign an event to "Me" without this user having to be explicitly created in the product.

  • It is now possible to choose whether to use an encrypted connection to the product databases during the installation process.

  • JSON events are now formatted when displayed in the Event Details page of Event Manager.

  • Outbound alert integrations with Solarwinds Web Help Desk and Dynatrace have been made available.

  • Index reorganization, which is part of the maintenance process, now runs only at weekends to avoid affecting production hours.

  • The Events Maintenance process is now five times faster.

  • The product now uses an OpenJDK JRE version.

  • This release provides the ability to manually add values to the list of possible column values shown in the column headers of the Event Manager and Forensic Analysis grids.

Other Fixes
  • Some configuration changes in Vityl IT and Business Monitoring took too long to apply because an internal #RECOVERY_OPERATIONS_FULL_SYNCHRO# request was still in progress. This has been fixed.

  • Syslog messages without priority were not being correctly parsed. This has been fixed.

  • An error where some syslog messages from CEF monitors that had non-English characters couldn't be correctly parsed has been fixed.

  • After upgrading to v6.4, there were some cases where the Scheduler Service couldn't start. This has been fixed.

  • After upgrading to version 6.4 from previous versions, some old files could remain indefinitely in the ThinkServer\transient folder, and "invalid vector<T> subscript" errors could appear in ThinkServer\logs\T4BDSR.log. This has been fixed in this release.

  • ThinkServer module monitors remained in Unknown status instead of returning proper health status if there were multiple "MaxThreads" DataSources of the same Type. This has been fixed.

  • Multiple scroll bars were shown when switching rapidly between monitors. This has been fixed.

  • The installation process has been improved to force a restart if it is pending after an automatic Windows Update.

  • Fixed a memory leak in the SmartConsole Module.

  • Fixed access to category rules in environments with custom types.

  • The number of events was not properly displayed in the 'By control' summary in Event Manager. This has been fixed.

  • Custom DataSource Subaction Regular Expression Filters were case sensitive. This has been fixed.

  • Event Manager Inspector module crashed (and generated a dump) when connection with DB was lost. This has been fixed.

  • Incorrect active users were appearing when there were multiple domain controllers in the same domain and last logon date was not synchronized. This has been fixed.

  • SQL Server Datasource Configuration now allows an empty path for traces directory.

  • It is now possible to create new calendar range sets with the required name.

  • AccessServer maintenance could report an error when trying to resolve extremes. This has been fixed.

  • Windows "Logon failed" events due to an account lockout were not correctly reported: the reason (account lockout) was missing. This has been fixed.

  • Charts could be missing data for the current intervals if many "Query timeout expired" errors were returned by SQL Server to the HelpSystems - PMB service. These errors were logged in the PMDB log files. This has been fixed.

  • There was a problem when trying to change AccessServer service port number. This has been fixed.

  • If you changed your tenant name from Event Manager, monitors on audited assets still saved events with the old tenant name. This has been fixed.

  • Groups can now be excluded from User Directory Service requests by creating a ServiceExcluded.ndx file in the \YellowPages\bin\cache folder, using the same format as the Service.ndx file. This prevents the User Directory Service from crashing.

  • Event Manager User Account Inactivity events sometimes did not retrieve the user domain. This has been fixed.

  • SelfMonitoring monitor for "SmartConsole Outdated" Assets control could fail with monitoring error "...Parsing regular expression ...". This has been fixed in this release but if upgrading from v6.4 to this release, a manual fix is required.

  • The C++ vulnerability has been fixed in this release (CVE-2-12-6151).

  • The 'Improper Restriction of Rendered UI Layers or Frames' vulnerability has been corrected. Clickjacking attacks are now prevented (CWE-1021).

  • The 'Exposure of Sensitive Information to an Unauthorized Actor' vulnerability has been fixed: detailed version information is no longer exposed (CWE-200).

  • The 'Generation of Error Message Containing Sensitive Information' vulnerability has been fixed. The stack trace has been removed from all the product error messages (CWE-209).

  • The 'URL Redirection to Untrusted Site' ('Open Redirect') vulnerability has been fixed (CWE-601).

  • The 'Sensitive Cookie in HTTPS Session Without Secure Attribute' vulnerability has been fixed. The Secure flag is now set on all sensitive cookies (CWE-614).

  • The 'Improper Neutralization of HTTP Headers for Scripting Syntax' vulnerability has been fixed. Security headers have been added to all HTTP responses, following the OWASP recommendations (CWE-644).

  • The 'Improper Neutralization of Input During Web Page Generation' ('Cross-site Scripting') vulnerability has been fixed (CWE-79).

  • Every character of user input is now validated to avoid potential problems.

  • HelpSystems SmartConsole Messenger module had a handles leak. This has been fixed.

  • Insite Event Manager - Events Analysis could show inconsistent data across different charts. This issue has been fixed.

  • Maintenance for Historical or Archive Events Database could fail if database tables were deleted manually without restarting "HelpSystems - Database Maintenance" windows service. Tables are now recreated before the Maintenance for Events Database is run.

  • Maintenance performance has been improved for installations with many annotations and similar records.

  • Multiple OpenSSL vulnerabilities have been fixed in this release.

  • Renaming a Tenant to a previously existing name generates an error: "Tenant name already exists". This has been fixed.

  • The ThinkServer module could consume a large amount of memory if monitors generated very large messages, which would eventually lead to a ThinkServer module crash. This has been fixed.

  • Users or Groups with blank spaces in their name were not supported. Some features, for example, Security User Permissions, did not work properly. This has been fixed.
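
The web hardening items above (CWE-1021, CWE-200, CWE-614, CWE-644 and CWE-209) describe properties that an administrator can verify on an upgraded instance by inspecting its HTTP responses. The following Python check is an added example, not code from Event Manager or HelpSystems. It assumes the common OWASP header set (Strict-Transport-Security, X-Content-Type-Options, Content-Security-Policy, Referrer-Policy), since the release notes do not list which headers the product sends, and it runs on constructed sample responses rather than captured product output.

```python
import re

# Assumption: the release notes do not name the headers added, so this is the
# usual OWASP set. Extend it if your deployment mandates more.
REQUIRED_HEADERS = {
    "strict-transport-security",
    "x-content-type-options",
    "content-security-policy",
    "referrer-policy",
}


def _lower_headers(headers):
    """Index headers case-insensitively; repeated headers become lists."""
    out = {}
    for name, value in headers:
        out.setdefault(name.lower(), []).append(value)
    return out


def check_response(status, headers, body=""):
    """Return a list of findings for one HTTP response.

    `headers` is a list of (name, value) pairs as an HTTP client returns them,
    `body` the response text. Each finding is tagged with the CWE from the
    release notes so the result maps back to the fixed items.
    """
    h = _lower_headers(headers)
    findings = []

    # CWE-1021: framing must be denied via X-Frame-Options or CSP frame-ancestors.
    xfo = [v.strip().upper() for v in h.get("x-frame-options", [])]
    csp = " ".join(h.get("content-security-policy", []))
    if not any(v in ("DENY", "SAMEORIGIN") for v in xfo) and "frame-ancestors" not in csp:
        findings.append("CWE-1021: response can be framed (no X-Frame-Options / frame-ancestors)")

    # CWE-200: Server / X-Powered-By must not leak a product version number.
    for name in ("server", "x-powered-by"):
        for v in h.get(name, []):
            if re.search(r"\d+\.\d+", v):
                findings.append(f"CWE-200: {name} header discloses a version ({v})")

    # CWE-614: every cookie must carry Secure; HttpOnly is checked as the usual companion.
    for cookie in h.get("set-cookie", []):
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        cname = cookie.split("=")[0].strip()
        if "secure" not in attrs:
            findings.append(f"CWE-614: cookie {cname} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"CWE-614: cookie {cname} lacks HttpOnly")

    # CWE-644: the OWASP security headers should be present on every response.
    for name in sorted(REQUIRED_HEADERS - set(h)):
        findings.append(f"CWE-644: missing {name}")

    # CWE-209: error pages must not carry a stack trace ("    at pkg.Class.method(" lines).
    if status >= 400 and re.search(r"^\s+at \S+\(", body, re.M):
        findings.append("CWE-209: error response contains a stack trace")

    return findings


# Constructed sample responses (not captured from the product): one that fails
# every check and one hardened the way the release notes describe.
WEAK_RESPONSE = (500, [
    ("Server", "Apache-Coyote/1.1"),
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/"),
], "<pre>java.lang.NullPointerException\n    at com.example.Foo.bar(Foo.java:42)\n</pre>")

HARDENED_RESPONSE = (500, [
    ("Server", "Apache"),
    ("Content-Type", "text/html"),
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "no-referrer"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"),
], "<html>An internal error occurred. Reference: 7f3a</html>")


def demo():
    """Run both samples; returns (weak_findings, hardened_findings)."""
    return check_response(*WEAK_RESPONSE), check_response(*HARDENED_RESPONSE)


if __name__ == "__main__":
    weak, hardened = demo()
    print("weak response:\n  " + "\n  ".join(weak))
    print("hardened response:", hardened or "no findings")
```

To use it against a live instance, feed `check_response` the status, the raw header list and the body from your HTTP client; check an error page as well as a normal page, since the CWE-209 test only applies to responses with status 400 or above.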

May 2020

Version 6.4.0.30000

May 11, 2020

New Features
  • Event Manager now provides event notification on a wide range of popular business applications. You can now create a ticket in ServiceNow or JIRA, an alert in Opsgenie, or send a message to Microsoft Teams, Slack, and Telegram.
  • Powertech Antivirus for IBM i events integration is now available using Powertech SIEM Agent for IBM i (only from version 4.0+).
  • This version of Event Manager allows you to assign your own names to the custom variables used in the product, so that views and reports reflect your real business concepts.
  • Event Manager now provides the ability to be notified that an event has occurred on which a user must act. Security Analysts are then able to react rapidly whenever a security alert is triggered, to remove the potential threat as soon as possible.
  • To comply with the California Consumer Privacy Act 2018, Event Manager provides 'out-of-the-box' views and reports to help you defend against data breaches, and ensure your customers' personal information remains secure.
Enhancements
  • If a link is configured on the control treatment instructions, it is also now available from the event details screen.
  • Assets with a delayed event collection issue are now detected from within Event Manager.
  • If a Security Control name change in Event Manager is not applied immediately, a message with the detailed error is now written to the Events Control Service logs (typically in the installation folder under \Inspector\bin\logs).
  • Event Manager notifications now include the Action, SubAction, Object and Application fields as variables.
  • Installation process improvements have been made to improve reliability and resilience.
  • New validation routines have been added during the upgrade process to ensure that the product security administrator is correctly configured.
  • The monitoring configuration database is now optimized, by rebuilding or reorganizing indexes and updating statistics, each day in a nightly batch process.
  • Performance has been improved when collecting "Powertech Database Monitor for IBM i" events as it is now possible to use numeric date and time table columns without special castings on the "Incremental field".
  • Calendars are no longer refreshed if no modifications have been made.
  • SPARE1 and SPARE2 are now retrieved on the Oracle Standard datasource and are mapped to Additional Info 1 and 2 fields.
  • New attributes of Environment, Customer, Facility Name and Facility Type have been added to assets to make categorization easier.
  • Email notifications now use HTML format to make them easier to understand on the initial reading.
Other Fixes
  • Self monitoring assets no longer have false critical errors if the "Select SmartConsole" option is chosen to monitor an 'Application or Connectivity Group' for a self monitoring application.
  • VMWare (vCenter) security events are now stored in local monitoring node time instead of UTC.
  • The timeout for Dynatrace API webservice checks has been modified to 30 seconds instead of 10 seconds.
  • Variables mapping in custom datasources no longer displays false positives in the validation.
  • Filters in Subactions using fields 'Operator Category', 'User Category' or 'Object Category' now work as expected.
  • Event Manager now stores security events created on February 29th with the correct date.
  • Event Manager now has the ability to retrieve Windows event log events from systems having EventRecordNumbers greater than 4,294,967,296.
  • Column values in Forensic Analysis and Event Manager are now displayed correctly when lots of different values exist.
  • Performance metrics database queries have been improved with the addition of a new index.
  • If SmartConsole stops due to an unexpected error, the recovery procedure is now a lot faster than previously, thus reducing the outage time.
  • A fix has been applied to prevent high memory usage on the Events Control Service when a lot of different values exist on the ColumnCacheCapacity.
  • The product can now recover when PMDB encounters "The transaction log for database ... is full due to" and "The server failed to resume the transaction" monitoring errors.
  • Using VAR01 to VAR99 in Security Control filters for Event Manager no longer causes the Events Control Service to crash.
  • The "non-existing user in Active Directory" error generated when creating a user has been fixed in this release.
  • The daily self-cleaning of metrics data now includes the "Shrinking Transaction Log" step for SQL server database.
  • The Memory usage of the Events Manager T4MonManagerService.exe process has been reduced in this release.
  • The PMDB service accessed from Event Manager and/or Vityl IT and Business Monitoring now recovers from a Microsoft ODBC Driver 13 for SQL Server restart error.
  • Event Manager syslog agent now discards messages if memory increases due to a bottleneck in syslog message handling.
  • The Performance bottleneck that arose when saving Event Manager events to DB has been corrected in this release.
  • T4MonManagerService.exe process memory was too high when viewing the list of assets in Event Manager. This has been fixed in this release.
  • Event Manager DataSources for Windows that do not have proper credentials now report a Monitoring error.
  • A fix has been applied so that Activity calendars are now discovered by ThinkServer following an update.
  • Event Repetition selection rules for Event Manager Security Controls now take into account variables "Variable 01" to "Variable 99" for the "Use a custom set of fields to find repetitions" parameter.
  • Data is now displayed as expected when selecting a Database that is different from ShortTerm in Event Manager Forensic Analysis.
  • When more than one monitor queries the same table, Database Reader Monitors no longer return an error when updating the database cache.
  • In order to reduce the maintenance process time for events data, improvements to queries have been made.
  • Asset credentials, or those of some of its datasources, can now be used when manually setting credentials at monitor level.
  • Report generation performance has been improved in this release. In addition, a notification now warns users that generating reports covering a long time range can reduce performance.
  • Scheduled reports could fail with error "Invalid AccessServer session". This has been fixed in this release.
  • The Chronological Data Changes report display no longer shows an error when no data is returned.
  • The default domain is now correctly saved and displayed on the login screen.
  • Monitors were not working if an invalid datetime format was configured in Database Datasources. This has been fixed in this release.
  • When some User Account Names contained non-English characters, some monitors were reporting encoding errors. This has been fixed in this release.
  • Event Manager now receives events from Cisco routers and switches as expected.
  • The problem in DataSource configuration where some fields were not saved has been fixed in this release.
  • The IBM i - User Profiles report now returns the correct information for deleted users.
  • Collection errors on User/Computer account inactivity have been corrected in this release.
  • The Internal error "database disk image is malformed" that could occur in both "ThinkServer" and "Events Control Service" has been fixed in this release.
  • Previous Value and Current value columns on Forensic Analysis now correctly display all changes on audit policy modification for Event ID 4719.
  • If SmartConsole has connections to both IBM i and PC systems, events from Agent Code AUD are now received once SmartConsole is restarted.
  • When creating a Tenant, the default configuration was not created until the next restart of the Orchestrator service. This has been fixed in this release.
  • Following installation, Security Control events of a particular tenant could be created with events that were actually from other tenants. This has been fixed in this release.
  • Autodiscovery was failing if it was unable to retrieve the model of a specific device. This has been fixed in this release.
  • Event Manager events which should be excluded by SubAction filters are no longer audited in error.
  • .NET connections are now being forced to TLS 1.2 in order to avoid security issues.
  • Processing a large number of events in Vityl IT and Business Monitoring is now run in the correct order within SmartConsole Business View so that the correct asset health status is displayed.
  • User Directory Service (also called YellowPages) had a deadlock that produced a steady rise in memory until the process could eventually crash. This has been fixed in this release.
  • The Complete Message for an Event Pattern Rule in a Security Control is now correct: the variables in the message template are replaced as expected.
  • The "Out of Memory" error in Windows service "SmartConsole Publisher" has been fixed in this release.
  • Using the characters ' or " within the Name or Alias of Vityl Assets is now allowed.
