Limited support: BMC provides limited support for this version of the product. As a result, BMC no longer accepts comments in this space. If you encounter problems with the product version or the space, contact BMC Support. BMC recommends upgrading to the latest version of the product. To see documentation for that version, see BMC AMI Command Center for Security 6.2.

BMC Defender Server tickets


The correlation functions organize the data into related groups and patterns. The raw message list is correlated into distinct threads and alerts.

This correlated data, while important, might not necessarily be actionable. That is, the data might be of interest to auditors and useful in forensic studies, but the data does not necessarily suggest a problem that requires manual intervention by a specific person.

The tickets function can be thought of as the highest level of correlation, where specific correlated patterns generate incident tickets that are assigned to specific users and groups. In many cases, these tickets represent the final output of the BMC Defender Server system, performing the final step of assigning a problem or incident to a specific user or department for analysis and corrective action. As such, one final item is correlated with the message data: an incident assignee.

The tickets function is similar to traditional ticket systems. Incidents are automatically opened by the system and can be manually closed when a resolution for the incident is found.

Additionally, the ticket function can be interfaced to other ticketing systems to operate in a larger incident management strategy. BMC Defender Server integrates with a variety of third-party systems and common management databases by using a simple script interface detailed within this section.

Section summary and additional notes about BMC Defender Server tickets

  • Tickets provide the highest level of correlation on the system, associating a particular incident to an assignee for analysis.
  • Tickets are opened by the Alert facility, where an assignee for the ticket is specified. Not all alerts open tickets, but every ticket is opened by one alert.
  • Tickets can be assigned to any Log Server registered user. Additionally, you can assign tickets in the Ticket Groups screen.
  • Each ticket has a list of related messages (the messages that caused the ticket to be opened). You can view the list of related messages, or the source alert definition, by clicking the hyperlinks supplied on the top-level ticket screen.
  • The BMC Defender Server ticket system can interface to third-party systems by the Ticket > Actions facility.
  • You can configure regular actions (such as sending an e-mail) when tickets are opened, since the alert facility sends a syslog message whenever tickets are opened.
  • The Ticket Wizard, available through the AddNew option on the Ticket Groups screen, enables you to quickly add a correlation rule and ticket group to the system.
  • The Auto-Learn function works with the Ticketing system, automatically adjusting alert thresholds based upon the number of opened tickets and automatically closing tickets when thresholds are automatically adjusted.
  • The OpenTicket.exe program can be used at a command prompt or within a script to open a new ticket within BMC Defender Server.
  • The Max OpenTicket.exe per second setting, located on the Tickets > Config > Parms screen, allows you to safeguard against rapid executions of the program that might otherwise flood the ticket log with unwanted tickets.
  • The Map Ticket Gadget, available from the BMC Defender Server dashboard, allows an operator to configure a graphic depiction of a geography, or a schematic drawing, and then drag the state of ticket groups onto the display. This provides a mechanism for visualizing information based upon ticket states.
