Reviewing ticket information


With no special configuration, BMC Defender Server begins opening tickets on your system. These tickets consist of actionable data and represent the highest level of correlation on the system. As the program is executed, it learns about message counts and adjusts thresholds so that tickets become more pertinent over a period of time.

The minimum level of attention BMC Defender Server requires is closing the tickets it periodically opens. This activity also serves as a good demonstration of regulatory compliance to auditors, since it proves that security alerts are reviewed. No specific knowledge of BMC Defender Server is necessary to review ticket information: you can be granted Ticket type access (using the System > Logins screen) that grants no other access to security data. Reviewing ticket information can therefore be a shared activity among administrators and security officers. You can process and review tickets as follows:

  1. Log on to the BMC Defender Server system and click the Tickets tab at the top of the screen. This displays a list of tickets assigned to your login ID. (You can also use the Assigned To: menu item to view all tickets, including those assigned to other groups or organizational divisions.)
  2. For any ticket of interest, click the Related Messages hyperlink to view the messages that caused the ticket to be opened. This can provide an indication of the exact reason for the ticket.
  3. If the ticket appears to be the result of a threshold being set too low, click the Source Alert Definition hyperlink of the ticket to review the threshold and test interval for the alert that opened the ticket, and make adjustments accordingly.
  4. If the ticket appears to be the result of a true security breach, take external action, for instance contacting the user referenced in the related messages, or the administrator of the system or network related to the ticket.
  5. When the ticket has been resolved, click the Edit option and optionally provide a brief description of how the ticket was resolved, and close the ticket.

Rather than closing the ticket, you can elect to assign the ticket to another user, possibly escalating or demoting the ticket severity, and adding notes to the ticket. When a ticket is closed, it is retained in the Closed tab of the system.

The BMC Defender Server ticket system is described in detail within BMC-Defender-Server-tickets and includes various features such as the ability to connect e-mail (and other) notifications to ticket changes and to close tickets on the system as a group.
