Using Association Monitor


(SPE2401)

The Association Monitor comes preconfigured with a set of associations that you can use to track the user logon messages generated by the BMC Defender Agent programs. This default configuration might be adequate for many locations. However, the software is intended to be a general-purpose tool for tracking a wide variety of different associations, and can be configured by the user to report these associations as follows:

  • Configuration of association detection—You can configure the association monitors needed to detect associations between items, using a variety of parsing techniques.
  • Collection and browsing of association data—The association data is collected and stored on the system and viewed in a web interface.
  • Detection of association anomalies—The Association Monitor detects anomalies by reporting new associations that involve a possible change to user or system profiles, which might indicate a security problem. When anomalies are detected, the Association Monitor can create tickets.
  • Advanced association detection functions—The Association Monitor includes various techniques for performing automatic and advanced statistical analysis of association data and reports issues that might indicate a security problem.
  • (SPE2501) Association data from external message logs—The Association Monitor can generate association data from external message logs. You can save this data in the product against a specified date. For more information, see Generating-association-data-from-external-message-logs.

Navigating the Associations tab

To access the top-level Associations screen, select Correlations > Associations. All association features and functions are available on the Associations tab, as displayed in the following image:

[Image: navigatingAssociationsTab_SPE2410.png]

(SPE2404) The Correlation > Association tab contains a list of the Association Definitions available on the system. Each definition shows:

(SPE2410)

  • Association Definition name
  • Description, shown in a tooltip on the question-mark icon
  • Disabled Association Definitions have a line indicating the disabled state.
  • Links to All Data, Field 1, and Field 2. The two field links will display the field labels for the Association Definition.
  • Data Columns–These columns have data only if the Association Definition has data.
  • Last Message–Date and time of the last message associated
  • Unique Associations–This is the count of unique Association Values that have been encountered. Two values are provided, one for Today and one for History (the total count since initial creation).
  • Associated Messages–This is the count of messages that have been associated with this definition across all Association Values. Two values are provided, one for Today and one for History (the total count since initial creation). 

The following default Association Definitions are provided and are configured to work with the BMC AMI Datastream programs:

(SPE2410)

  • Userid and DSN
  • Userid and LPAR Terminal
  • Userid and Time Logged In
  • Db2 - Userid and Db2 Grantor
  • Db2 - Userid and Db2 DBID
  • Userid and MQs
  • CICS - Userid and CICS Transactions
  • IMS - Userid and IMS ID
  • IMS - Userid and DBName
  • CICS - Userid and CICS File Name Access
  • SessMon - Userid and Appl ID
  • Userid and PII DSN
  • Userid and Honeypot DSN
  • Sensitive Dataset Member Accesses
  • Sensitive Dataset Accesses
  • ICSF - Userids and Jobnames
  • (SPE2501) Userids and Console Commands Issued
  • (SPE2501) Userid and Hour Logged In
  • Jobname and Datasets

Before SPE2410:

  • DB2_User And DB2_Grantor
  • Db2_Userid And Db2_DBID
  • IMSDBName And Userid
  • IMSID And Userid
  • User And DSN
  • User And LPAR Terminal
  • User And Terminal
  • Userid And Hour Logged In
  • Userid And Time_Logged_In
  • Users And CICS File Name Acces
  • Users And CICS Transactions
  • Users And MQs
  • (SPE2407) SessMon: Userid And Appl ID
Important

The default associations might be adequate for many applications; however, most users should create multiple association monitors to track the specific data items and associations of their enterprise.

To add a new association as an admin, select AddNew.

To delete an existing Association Definition as an admin, click the Edit button to the left of the Association Definition, and click Delete.

To edit an existing Association Definition as an admin, click the Edit button to the left of the Association Definition, modify the parameters, and click Save.

If the following error message is displayed on the Associations tab, it means that the Association Definition is corrupted:

ERROR loading Association Definition.
Definition 'associationDefinition' is corrupted.

You cannot fix a corrupted Association Definition, but you can delete it and then create a valid definition. If the error message is still displayed after you delete the corrupted definition, contact BMC Support.

If an Association Definition is corrupted, ERROR is displayed in place of the corrupted field (under the Association Definition).

Using the Association Monitor advanced features

The previous section provided an overview of operation that is typically sufficient for operating the Association Monitor, including configuring associations with both simple and advanced techniques. This section elaborates on that information, describing several advanced features (available through the Advanced option at the top of the screen).

These more advanced features allow the system to perform additional functions, such as automatic statistical analysis of associations for outliers and anomaly detection. These functions can also be useful for exporting data to a relational database for more analysis and reporting.

Important

Anomaly detection, described in this section, consists of comparing association data (in a fully automated fashion) to the data as a whole, and detecting when some aspect of the data (such as counts) exceeds the average by several standard deviations. This might indicate a particularly strange association if, for example:

  • You log into a platform more than typically expected.
  • You execute considerably more processes on the system.

These situations can automatically be detected by the software and can open BMC Defender tickets and trigger notifications.

This section provides a description of the advanced features of the system and the various configurable parameters. The information in this section should be of interest to advanced system users, as well as administrators looking for ways to further leverage the association data collected by BMC Defender.

To modify the advanced parameters

  1. Navigate to Correlation > Associations > Config > Edit.
    You must be an admin type user to access the advanced parameters. The following figure displays the advanced configuration parameters on the Associations tab.
    [Image: associationAdvanced_SPE2410.png]
  2. Modify the following parameters:

    Max Associations
      (Deprecated from SPE2410 onwards) Maximum number of associations available to the system. This is a read-only field; you cannot modify it.

    Drop Unreferenced Associations Older Than
      (Deprecated from SPE2410 onwards) Duration for which the product retains an association that has not been updated.
      If an association is not updated within the duration specified by this parameter, the product removes the association and cleans the table, providing space for new entries.
      The default is 30-Days.

    Anomalous Number of Assoc / Notify Severity
      Severity of the message issued when an "anomalous number of associations" condition is detected on the system.
      The default is disabled, which means that no message is sent.

    Number of Assoc Threshold
      Threshold for the anomalous number of associations. If the association count for any association item is more than the specified number of standard deviations away from the average number of associations, this condition is detected and reported.
      The default is 3-Stdev.

    Number of Assoc Marginal Pct
      A secondary threshold for the anomalous number of associations. The number of associations must exceed this percentage of the average (in addition to lying outside the threshold above).

    Anomalous Assoc Activity / Notify Severity
      Severity of the message issued when the number of messages associated with a particular association item is greater than the configured threshold.
      The default is disabled, which means that no message is sent.

    Assoc Activity Threshold
      Threshold for the anomalous association activity. If the number of messages for any association item is more than the specified number of standard deviations away from the average number of messages, this condition is detected and reported.
      The default is 3-Stdev.

    Assoc Activity Marginal Pct
      A secondary threshold for the anomalous association activity. The number of messages for an association must exceed this percentage of the average (in addition to lying outside the threshold above).
      The default is 20.

    Enable Association ODBC Output
      (Deprecated from SPE2410 onwards) Determines whether association data is automatically written to the relational database table and ODBC Data Source configured below.
      This provides a simple method of exporting all association data to a relational database for further reporting and analysis.
      The default is No.

    ODBC Data Source Name
      (Deprecated from SPE2410 onwards) (Optional) The ODBC data source name (configured on the Reports > ODBC tab) that receives the association data.
      You must configure the ODBC data source in the Windows control panel as a system DSN, and then configure the value on the Reports > ODBC tab, for the data item to appear in this drop-down list.
      The default is None.

    Database Table Name
      (Deprecated from SPE2410 onwards) The database table name that receives the association data.
      To write association data to a relational database, perform the following steps:

      1. Enable the Association ODBC Output.
      2. Select the ODBC Data Source Name.
      3. Specify a valid Database Table Name in the field.
         The default is None, and the maximum length is 20 characters.
  3. Click Commit.

Detecting statistical anomalies

Statistical anomaly detection runs at midnight, so that is when any messages indicating an anomalous condition appear, unless the facility is bypassed by setting the message severity for anomaly detection to disabled or by setting the threshold to a very high value.

Important

The Advanced tab provides two distinct types of anomaly detection, which look for two separate indicators of anomalous behavior.

Although these indicators appear similar, they are quite different:

  • Anomalous Number of Associations—This condition exists when any association item has more than the average number of associations for all items.

    Important

    The number of associations for a particular item does not directly appear on any screen. It is the total number of Data Item #2 values for each Data Item #1. Generally, this might indicate a security risk because a user has an unnaturally large number of associations; for instance, the user is logging into too many platforms of different types or starting too many processes of different types.

  • Anomalous Association Item Activity—This condition exists when any association item has more messages than the average message count per item. The message counts are displayed on various screens and indicate how often the association is actually updated on the system. Generally, this might indicate a security risk because the user is generating an exceptional number of messages, which can indicate a malicious or suspicious act.

When one of these conditions occurs, the system sends a message for each detected condition of the severity specified on the Advanced screen. The exact format of the message appears in Internal-messages.
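The following Python is an added illustration of the two checks described above; it is not the product's own code or its exact algorithm. It assumes a population standard deviation, a one-sided test (only counts above the average are flagged), and reads the marginal percentage as the amount by which a count must exceed the average; the sample messages are constructed, modeled on the "Userid and DSN" definition.

```python
from collections import defaultdict
from statistics import mean, pstdev


def build_sample_messages():
    """Constructed (Data Item #1, Data Item #2) pairs; not data from the product."""
    msgs = []
    for i in range(1, 21):                          # 20 ordinary users
        user = f"USR{i:02d}"
        for dsn in (f"APP.DATA{i:02d}", "APP.COMMON"):
            msgs += [(user, dsn)] * 2               # 2 distinct datasets, 4 messages
    for j in range(15):                             # one user touching 15 datasets ...
        msgs.append(("USR99", f"PROD.DS{j:02d}"))
    msgs += [("USR99", "PROD.DS00")] * 45           # ... and generating 60 messages
    return msgs


def summarize(messages):
    """Per Data Item #1: count of distinct Data Item #2 values, and message count."""
    assoc = defaultdict(set)
    activity = defaultdict(int)
    for item1, item2 in messages:
        assoc[item1].add(item2)
        activity[item1] += 1
    return {k: len(v) for k, v in assoc.items()}, dict(activity)


def find_anomalies(counts, stdev_threshold=3.0, marginal_pct=20.0):
    """Items whose count lies more than `stdev_threshold` standard deviations above
    the average AND exceeds the average by more than `marginal_pct` percent.
    Defaults mirror the 3-Stdev and 20 settings; stdev choice is an assumption."""
    values = list(counts.values())
    if len(values) < 2:
        return {}
    avg, sd = mean(values), pstdev(values)
    limit = max(avg + stdev_threshold * sd, avg * (1 + marginal_pct / 100))
    return {k: v for k, v in counts.items() if v > limit}


def run_detection(messages):
    """Apply both checks: Anomalous Number of Associations and Anomalous Activity."""
    assoc_counts, activity_counts = summarize(messages)
    return {
        "anomalous_number_of_associations": find_anomalies(assoc_counts),
        "anomalous_association_activity": find_anomalies(activity_counts),
    }


if __name__ == "__main__":
    for condition, hits in run_detection(build_sample_messages()).items():
        print(condition, hits)
```

Note that with a population standard deviation, a single item among n can never exceed sqrt(n-1) deviations from the average, so a 3-Stdev threshold cannot fire on fewer than about 11 items no matter how extreme the outlier; a very small population is therefore a reason to see no anomaly messages, not evidence that nothing unusual happened.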


BMC AMI Command Center for Security 6.2