Introduction to the BMC Defender Server interface
This section describes all of the major screens of the BMC Defender SIEM Correlation Server by major application function of the system. Screens are listed in the order they appear in BMC Defender Server. This section serves as a comprehensive site map for BMC Defender Server, and a reference that describes input fields, settings, screen functions, and screen values available to BMC Defender Server operators.
The BMC Defender SIEM Correlation Server is a compact software system that listens for syslog and other messages within your enterprise. As these messages are received, they are logged, cataloged into related groups of messages, and correlated to find meaning. The operator can search this information, and can take automatic action when security violations occur.
BMC Defender Server is a fully web-based system that leverages the capabilities of web browsers, operating with or without client Java enabled. The program has an easy-to-navigate, tab-based interface consisting of different screens that are accessed through hyperlinks and buttons. The system is intended to be highly ergonomic, intuitive, and easy to operate.
This section provides screenshots and descriptive text for all screens. Although it provides usage information, it does not provide comprehensive operating instructions.
Screen overview
BMC Defender Server employs a web-based user interface that leverages the power of your web browser to configure and access data. The program uses standard browser features, and does not require client Java or JavaScript to fully operate. If Java is available to the client browser, it is used to implement minor and non-essential improvements to navigation.
The actual order of tabs is governed strictly by the ordering of programs within the sigma-web directory of the BMC Defender server root directory, as discussed in the BMC Defender Server Sigma Framework. Basic applications of BMC Defender Server appear in the top-level screens, as follows:
- Dashboard Screens—The Dashboard screen is the entry point to the BMC Defender Server dashboard facility, which permits the operator to display real-time data about various elements of the system, such as message rates, top devices, top users, and many other data items. The operator can create, modify, and delete dashboard configurations. The operator can make this the default login screen, and select a default dashboard, using the User Preferences screen of the system. Dashboards are discussed in BMC-Defender-Server-dashboard-screens.
- Message Group Screens—The BMC Defender Server messages application aggregates, processes and displays message data from network devices. This gives visibility into all received messages. The operator can search raw message data, view data catalogs, and configure filters and overrides. The Search screen employs a high-speed indexed search engine supporting advanced searches, and a keyword index that lists all keywords (and their counts) for all messages received. Messages Group screens are discussed in Message-screens and Message-Config-screens.
- Correlation Group Screens—The Correlation application processes the raw message data received by the Messages application. The correlation screens permit the operator to establish associations between messages by creating Threads, which consist of simple or complex match patterns, possibly controlled by Triggers. The counters of these threads can then be alarmed via the Alert facility (as described). These screens include a macro editor, address group editor, and a template capability, as well as an Action capability that can furnish automation and further data reduction based upon correlated data. Correlation Group screens are discussed in Correlation-screens.
- Alert Group Screens—The Alerts application continuously monitors BMC Defender Server counters and states, and opens Tickets on the system (as described). This group consists of several different facilities and screens that can open tickets assigned to users. Alert Group screens are discussed in Alerts-screens.
- Ticket Group Screens—The Tickets application furnishes the highest level of message correlation by creating actionable incidents in a traditional incident management framework. Tickets are automatically opened by the Alerts and Patterns facilities. Tickets are assigned to either registered BMC Defender Server users or an operator-defined ticket group. This application can be interfaced directly to a third-party enterprise ticketing system. Tickets Group screens are discussed in Ticket-screens.
- Report Group Screens—The Reports application provides general utility in the reporting of both raw and correlated message information. These screens include a Query search utility, an Audit capability, a graphing facility, and a comprehensive PDF reporting facility. In particular, the operator can define new reports to perform highly customized analytical functions and graphical depictions of data. Reports can be distributed to users via RSS, which can be configured to publish daily, weekly, or monthly reports. Various report information can also be loaded into an ODBC-compliant SQL database. Reports Group screens are discussed in Report-screens.
- System Group Screens—The System application screens provide various system functions, including support for user preferences, login management, scheduling of programs, and configuration of global parameters. Except for the user's preferences, these screens all require an admin type login to the BMC Defender Server system (as configured in the Login screen of this group). System Group screens are discussed in System-screens.
In addition to the preceding screens, various utility screens (accessed by clicking on hyperlinks located throughout BMC Defender Server) permit access to specialized data, details, and additional information. These utility screens are discussed in Utility-screens.
The SIEM security correlation server screens section is intended for use by operators, administrators, and program developers, and is written to be complete documentation for all primary BMC Defender Server screens. The documentation focuses on screen purposes and functions, and does not necessarily discuss specific application and operation of screens. Information about operation of the screens is available in other spaces in the BMC Defender Server documentation suite, accessible from the home screen of BMC Defender Server.