Basic ticketing concepts


A ticket can correspond to a single targeted message, but more commonly a ticket corresponds to multiple types of messages, possibly associated with several threads. The operator should therefore think of a ticket not as a specific message but as a specific pattern of messages that occurred during a particular time interval. This greatly expands the ability of the ticketing system to identify specific threats and incidents.

Ticket generation is a direct function of the Alert facility, discussed previously. Alerts monitor various counters on the system, especially Thread counters, and generate syslog messages back into the system when thresholds are violated. Additionally, when an alert generates its syslog message, you can optionally assign the resulting incident to an individual user or to a group. This is configured on the Alert Editor screen, shown as follows:

[Screen capture: Alert Editor screen]

The preceding screen is accessed by clicking the Alerts tab (to access the Alerts > Counters screen), and then the Edit (or AddNew) option. You select a counter name, a compare function, and a test interval, and specify an alert message, facility, and severity.

To cause the alert to additionally open a ticket, the operator sets the Assign Incident To User field to the name of the ticket recipient. This causes a ticket carrying the specified alert message to be created for that user and to appear in the Tickets tab of the program as an open ticket. By default, the ticket assignee is the name of the user who created the alert, but the value can be any registered user of the BMC Defender Server system (configured in the System > Logins tab of the program). The ticket assignee can also be a group, defined in the Tickets > Config > Ticket Groups screen.

Not all alerts necessarily open tickets. The operator can set the value of Assign Incident To User to disabled, in which case the alert still generates its syslog message but no ticket is opened.

Example

It might be desirable or necessary for a series of alerts (each feeding a message back into the syslog) to be further correlated by other alerts, with a ticket opened only if the correlation yields a certain count.

In this case, Assign Incident To User can be set to disabled on the intermediate alerts so that the intermediate correlation steps do not open tickets; only the final alert in the chain carries an assignee.

Ticket Assignee

The ticket assignee receives the alert message, which appears on the Tickets tab as an open ticket. If you have set the Initial Ticket Group in your user preferences, the ticket is displayed at the top of the list, and only those tickets assigned to you are displayed. (The operator can view other ticket groups via a pull-down menu on the Tickets screen, including the special All group, which shows every ticket.)

Any BMC Defender Server user can be assigned a ticket. Additionally, group assignees can be created via the Tickets > Config > Ticket Groups screen.

Example

Tickets might be related to an operational group such as Routers or Web Servers, so that users with particular expertise in that area can collect and view the ticket information.

The ticket assignee can be modified, and the ticket assigned to some other user or group. The operator edits the ticket via the Update # option, changes the ticket assignee, and saves the ticket. The ticket is moved from the current ticket group to the new group, so the ticket entry disappears from the current Assigned To: group view and appears in the new group's view.
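The chain of alerts from the first Example above (intermediate alerts with Assign Incident To User disabled, a final correlated alert that opens the ticket) and the group views and reassignment step just described, modeled as an added example. This is illustrative Python written for this page, not BMC Defender Server code: the classes Thread, Alert, Ticket and TicketSystem, the functions run_interval and demo, the compare-function keys, the counter and alert names, the user and group names, and the sample syslog lines (which are constructed) are all assumptions of the example. An assign_to of None stands in for a disabled Assign Incident To User.

```python
# Illustrative model of the alert -> syslog -> ticket chain described above.
# Not BMC Defender Server code: every class, field and key name is assumed.
import operator
import re
from dataclasses import dataclass
from typing import Optional

COMPARE = {"gt": operator.gt, "ge": operator.ge, "lt": operator.lt, "eq": operator.eq}

@dataclass
class Thread:
    name: str
    pattern: str  # a thread counter counts stream messages matching this regex

    def count(self, stream):
        return sum(1 for line in stream if re.search(self.pattern, line))

@dataclass
class Alert:
    name: str
    counter: str                     # thread counter being watched
    compare: str                     # key into COMPARE
    threshold: int
    message: str                     # alert message fed back into syslog
    facility: str = "local0"
    severity: str = "warning"
    assign_to: Optional[str] = None  # None models "disabled": no ticket opened

    def check(self, counters):
        """Return the syslog line to emit, or None if the threshold holds."""
        value = counters.get(self.counter, 0)
        if COMPARE[self.compare](value, self.threshold):
            return f"<{self.facility}.{self.severity}> {self.message} [{self.counter}={value}]"
        return None

@dataclass
class Ticket:
    number: int
    assignee: str  # a registered user or a ticket group
    message: str

class TicketSystem:
    ALL = "All"  # special group: every ticket regardless of assignee

    def __init__(self, users, groups):
        self.assignees = set(users) | set(groups)  # groups maps name -> members
        self.tickets = []

    def open(self, assignee, message):
        if assignee not in self.assignees:
            raise ValueError(f"unknown assignee {assignee!r}")
        self.tickets.append(Ticket(len(self.tickets) + 1, assignee, message))
        return self.tickets[-1]

    def reassign(self, number, new_assignee):  # the Update # step
        if new_assignee not in self.assignees:
            raise ValueError(f"unknown assignee {new_assignee!r}")
        self.tickets[number - 1].assignee = new_assignee
        return self.tickets[number - 1]

    def view(self, group):  # one Assigned To view; 'All' shows everything
        return [t for t in self.tickets if group == self.ALL or t.assignee == group]

def run_interval(messages, threads, alerts, tickets):
    """Evaluate one test interval. Fired alerts append their syslog line to the
    stream and counters are recomputed, so later alerts can correlate on them."""
    stream, fired = list(messages), set()
    while True:
        counters = {t.name: t.count(stream) for t in threads}
        emitted = [(a, line) for a in alerts
                   if a.name not in fired and (line := a.check(counters))]
        if not emitted:
            return counters, stream
        for alert, line in emitted:  # each alert fires at most once per interval
            fired.add(alert.name)
            stream.append(line)
            if alert.assign_to is not None:  # disabled -> no ticket
                tickets.open(alert.assign_to, line)

# Constructed sample syslog lines for one test interval (not real data).
SAMPLE = (["web01 sshd[4120]: Failed password for root from 203.0.113.5"] * 6
          + ["db01 sshd[2218]: Failed password for admin from 203.0.113.5"] * 6
          + ["web01 sshd[4131]: Accepted publickey for deploy from 192.0.2.10"])

THREADS = [Thread("ssh-fail-web01", r"^web01 sshd.*Failed password"),
           Thread("ssh-fail-db01", r"^db01 sshd.*Failed password"),
           Thread("bruteforce-hosts", r"SSH brute force suspected on")]

ALERTS = [  # the two per-host alerts are intermediate: assign_to stays None
    Alert("bf-web01", "ssh-fail-web01", "gt", 5, "SSH brute force suspected on web01"),
    Alert("bf-db01", "ssh-fail-db01", "gt", 5, "SSH brute force suspected on db01"),
    Alert("bf-campaign", "bruteforce-hosts", "ge", 2, "SSH brute force against multiple hosts",
          severity="alert", assign_to="Web Servers")]

def demo():
    tickets = TicketSystem(["admin", "alice"], {"Web Servers": ["alice"], "Routers": []})
    counters, stream = run_interval(SAMPLE, THREADS, ALERTS, tickets)
    return counters, stream, tickets
```

Running demo() processes the 13 constructed lines: the two per-host alerts fire (6 failures each, above the threshold of 5) and feed their messages back into the stream without opening tickets, the bruteforce-hosts counter then reaches 2 on those fed-back lines, and only the bf-campaign alert opens a ticket, assigned to the Web Servers group. Calling reassign() on that ticket moves it out of the Web Servers view and into the new assignee's view, as the Update # step does. The model simplifies the real product in one respect that matters when reading it: it lets each alert fire at most once per interval, so a chain cannot re-trigger itself on its own output.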


BMC AMI Command Center for Security 6.0