Maintaining Insight on

Working with alerts

Mon, 01 Jan 0001 00:00:00 +0000

Viewing alerts

Generated alerts are displayed on the Audit Store Dashboards. View and acknowledge the alerts from the alerting dashboard by navigating to OpenSearch Plugins > Alerting > Alerts. The alerting dashboard is shown in the following figure.

Destinations for alerts are moved to channels in Notifications. For more information about working with Monitors, Alerts, and Notifications, refer to the section Monitors in https://opensearch.org/docs/2.18/dashboards/.

Creating notifications

Create notification channels to receive alerts as per individual requirements. The alerts are sent to the destination specified in the channel.

Index lifecycle management (ILM)

Mon, 01 Jan 0001 00:00:00 +0000

In the earlier versions of the ESA, the UI for Index Lifecycle Management was named as Information Lifecycle Management.

The following figure shows the ILM system components and the workflow.

The ILM log repository is divided into the following parts:

Active logs that may be required for immediate reporting. These logs are accessed regularly for high frequency reporting.
Logs that are pushed to Short Term Archive (STA). These logs are accessed occasionally for moderate reporting frequency.
Logs that are pushed to Long Term Archive (LTA). These logs are accessed rarely for low reporting frequency. The logs are stored where they can be backed up by the backup mechanism used by the enterprise.

The ILM feature in Protegrity Analytics is used to archive the log entries from the index. The logs generated for the ILM operations appear on this page. Only logs generated by ILM operation on the ESA v9.2.0.0 and above appear on the page after upgrading to the latest version of the ESA. For ILM logs generated on an earlier version of the ESA, navigate to Audit Store > Dashboard > Open in new tab, select Discover from the menu, select the time period, and search for the ILM logs using keywords for the additional_info.procedure field, such as, export, process_post_export_log, or scroll_index_for_export.

Viewing policy reports

Mon, 01 Jan 0001 00:00:00 +0000

If a report is present where policies were not modified, then a breach might have occurred. These instances can be further analyzed to find and patch security issues. A new policy report is generated when this reporting agent is first installed on the ESA. This ensures that the initial state of all the policies on all the data stores in the ESA. A user can then use the Protegrity Analytics to list all the reports that were saved over time and select the required reports.

Verifying signatures

Mon, 01 Jan 0001 00:00:00 +0000

The log entries having checksums are identified. These entries are then processed using the signature key and the checksum received in the log entry from the protector is checked. If both the checksum values match, then the log entry has not been tampered with. If a mismatch is found, then it might be possible that the log entry was tampered or there is an issue receiving logs from a protector. These can be viewed on the Discover screen by using the following search criteria.

Using the scheduler

Mon, 01 Jan 0001 00:00:00 +0000

To view the list of tasks that are scheduled, from the Analytics screen, navigate to Scheduler > Tasks. The viewer role user or a user with the viewer role can only view logs and history related to the Scheduler. You need admin rights to create or modify schedules.

The following tasks are available by default:

Task	Description
Export Troubleshooting Indices	Scheduled task for exporting logs from the troubleshooting index.
Export Policy Log Indices	Scheduled task for exporting logs from the policy index.
Export Protectors Status Indices	Scheduled task for exporting logs from the protector status index.
Delete Miscellaneous Indices	Scheduled task for deleting old versions of the miscellaneous index that are rolled over.
Delete DSG Error Indices	Scheduled task for deleting old versions of the DSG error index that are rolled over.
Delete DSG Usage Indices	Scheduled task for deleting old versions of the DSG usage matrix index that are rolled over.
Delete DSG Transaction Indices	Scheduled task for deleting old versions of the DSG transaction matrix index that are rolled over.
Signature Verification	Scheduled task for performing signature verification of log entries.
Export Audit Indices	Scheduled task for exporting logs from the audit index.
Rollover Index	Scheduled task for performing an index rollover.

Ensure that the scheduled tasks are disabled on all the nodes before upgrading the ESA.