Integration [464] - Event correlation and event pattern analysis (OMW - ArcSight Logger)

  • KM01695102
  • 11-Jun-2018
  • 11-Jun-2018

Summary

Integration Catalog

Reference

Event correlation and event pattern analysis (OMW - ArcSight Logger) - Catalog Id: 464

Description

Integration 1: Direction ArcSight Logger -> OMW

This integration correlates ArcSight Logger security events with infrastructure events in Operations Manager for Windows (OMW).

 

Filtered raw events from ArcSight Logger are sent via SNMP traps to OMW where they can be correlated with infrastructure availability and performance events. The environment status can be visualized in the OMW service tree, including the security status.

 

Integration 2: Direction OMW -> ArcSight Logger

This integration uses ArcSight Logger to analyze OMW event patterns and perform contextual search.

 

OMW event messages and history are archived via Web Service in ArcSight Logger. Logger is used for analysis of event patterns and performing contextual searches on the archived data to determine the root cause.

User story for integration 1: Direction ArcSight Logger -> OMW:

This integration correlates Logger security events with infrastructure events in OMW.

 

An operator noticed several attempts to intrude through the company firewall in the last days. In these occasions, Logger showed a certain repeating pattern of events. The operator sets up a filter to capture the pattern from Logger and forwards the respective messages to OMW, which is the operations center.

 

The next time the attack happens, the security event pattern is shown in the OMW console immediately. The operator can see the events in the OMW message browser or can view the status of the application in the service tree. Corrective actions can be taken from here.

 

User story for integration 2: Direction OMW -> ArcSight Logger:

Use ArcSight Logger to analyze OMW event patterns and perform contextual search.

 

The OMW server receives several events from a system hosting an application, which are immediately presented to the operator in the OMW UI.

 

The operator for the application's  incidents looks at the newly arrived events and recognizes that they seem to form a pattern, which the operator does not understand yet. Therefore, the operator opens the Logger GUI.

 

Logger continuously collects all acknowledged events from OMW. In the Logger UI, the operator switches to the event analysis tab, and tries to find the same sequence of events in the history messages.

 

The operator finds seven occurrences of the same pattern. In all cases, severe performance issues have followed some minutes after the first event pattern arrived.

 

The operator finds that a colleague has added an annotation to one of the performance events, which identifies the concurrent start of several heavy batch jobs as the root cause of the performance issues.

 

The operator uses another OMW tool to open the application's  admin UI and re-schedules some of the batch jobs and thus avoids the threatening performance decrease.

General

Leading Product:
Operations Manager for Windows


Secondary Product:
ArcSight Logger

4/14/2018

Documentation

Documentation for this integration can be found using the following link:
See the latest versions of:
+ Forwarding Connector Release Notes <latest version>
+ Forwarding Connector Configuration Guide <latest version>
+ ArcSight Logger Forwarding Connector for HP OM Release Notes <latest version>
+ ArcSight Logger Forwarding Connector for HP OM Configuration Guide <latest version>
+ ArcSight HP OM and HP OMi SNMP Interceptor Policy Readme <latest version>
 
If you do not have a Protect 724 account yet, please go to https://protect724.arcsight.com and click Register.
 

Information on how to register and how to view HP ArcSight product documentation can be found in the ArcSight_Doc_Pointer.pdf located under any product starting with ArcSight in the HP Software Product Manuals Web site.

Support Matrix

ArcSight Logger
Operations Manager for Windows
SupportedSupported (see comments)Not Supported

Generated: 6/11/2018 4:41:34 AM