Tuesday, September 7, 2010

Understanding the 7 W's of Security Information in IBM Tivoli Security Information and Event Manager


W7 is a proprietary normalization process that "translates" logs from diverse applications, operating systems, and platforms into everyday business terms such as "who," "what," "where," and so on. The W7 attributes enable Tivoli® Security Information and Event Manager to describe security events in a consistent (normalized) manner.
This normalization makes it easy to see security events in the context of a business or organizational environment. These terms are called W7 attributes because they represent attributes of an event.
W7 normalizes an event record into the following W7 attributes:
Who: Which user, application, or process initiated the event?
What: What type of action does the event represent?
When: When did the event happen?
On What: What object was affected? An object could be any type of file, database, application, permissions, and so on, that was manipulated by the event.
Where: On which machine did the event happen?
Where From: Which system is the source of the event?
Where To: Which system is the target of the event?
For example, your security policy might consider system logins to certain systems during non-office hours to be a policy violation. Tivoli Security Information and Event Manager can generate policy exceptions alerting on these violations and can generate reports showing "what" happened (in this case, off-hour logins) "To What" systems (in this case, the restricted audited systems). Tivoli Security Information and Event Manager's reports can show "who" violated the policy by normalizing how different systems describe a user.
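The off-hours login example above, worked through as an added sketch (not IBM's code and not how the proprietary W7 process is implemented): two constructed log formats are mapped onto the seven attributes, then a policy check runs on the normalized events. The log formats, host names, accounts, restricted-system list, and office hours are all assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample records in two made-up source formats (not real product input).
SAMPLES = [
    ("unix", "2010-09-07T23:14:02 fin-db01 sshd: Accepted password for jsmith from 10.0.4.17"),
    ("windows", "time=2010-09-07T10:05:44;host=HR-APP02;event=Logon;account=CORP\\JSmith;src=10.0.4.17"),
    ("windows", "time=2010-09-07T02:30:10;host=FIN-DB01;event=Logon;account=CORP\\ADavis;src=10.0.9.3"),
]
RESTRICTED = {"fin-db01"}     # hypothetical restricted, audited systems
OFFICE_HOURS = range(8, 18)   # hypothetical policy: 08:00 to 17:59

UNIX_RE = re.compile(r"(\S+) (\S+) sshd: Accepted \S+ for (\S+) from (\S+)")

def w7(who, what, when, on_what, where, where_from, where_to):
    """Build one normalized event; 'who' loses its domain prefix and case so
    the same person is described identically regardless of source system."""
    return {"who": who.split("\\")[-1].lower(), "what": what.lower(),
            "when": datetime.fromisoformat(when), "on_what": on_what,
            "where": where.lower(), "where_from": where_from,
            "where_to": where_to.lower()}

def normalize(source, line):
    """Translate a source-specific record into the seven W7 attributes."""
    if source == "unix":
        m = UNIX_RE.fullmatch(line)
        if m is None:
            raise ValueError("unrecognized unix record: " + line)
        when, host, user, src = m.groups()
        return w7(user, "logon", when, "system", host, src, host)
    if source == "windows":
        f = dict(kv.split("=", 1) for kv in line.split(";"))
        return w7(f["account"], f["event"], f["time"], "system",
                  f["host"], f["src"], f["host"])
    raise ValueError("unknown source type: " + source)

def policy_exceptions(events):
    """Logons to restricted systems outside office hours."""
    return [e for e in events
            if e["what"] == "logon" and e["where_to"] in RESTRICTED
            and e["when"].hour not in OFFICE_HOURS]

def run():
    return policy_exceptions([normalize(s, l) for s, l in SAMPLES])

if __name__ == "__main__":
    for e in run():
        print(e["who"], e["what"], "on", e["where_to"], "at", e["when"], "from", e["where_from"])
```

Because the policy check reads only normalized attributes, the same rule covers both source formats without knowing how either one spells a user or a host.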
