HP ProCurve Threat Management Solution Implementation Guide 2009-05

HP ProCurve Network Immunity Manager Standalone Solution
Step 4: Analyze Events
This section helps you analyze the events that are detected on your network so you can refine
your NIM policies to better protect your network and reduce the chance of false positives.
These activities follow the “Analyze events” phase of the security management life cycle (see
Figure 2-1 on page 2-3), and they match up with the design steps discussed in Chapter 4:
“Design” in the HP ProCurve Threat Management Solution Design Guide. That is, if you are
following the steps in the design guide, this chapter will guide you through the activities that
accomplish the “Analyze events” step.
All Times Through the Process
Event analysis is the same, whether this is your first time or a subsequent time through the
process. To analyze the events that have occurred during this cycle, perform the tasks that
follow.
Use the information you gather in these tasks to plan refinements to your network immunity
policy. You might also wish to use this information for other purposes outside normal network
operation, such as general business process improvement or regulatory compliance reporting.
Task: Set up Reporting. Although you can generate many reports in PCM+, this section
describes only reports that are directly applicable to NIM. You can access many NIM-related
reports through these two menus and sub-menus:
Reports > Network Activity > Policy Activity
Reports > Threat Management > Policy Activity
1. Navigate to one of the sub-menus listed above and then select a report.
2. In the first dialog of the Report Wizard, select a group name or a particular device.
3. Specify other parameters in this and any following windows of the wizard to create the
report you want.
4. Click Finish to see the report. Optionally, print the report or save it to disk using the buttons
in the toolbar above the report.
Task: Use the NBAD Diagnostic Wizard. NIM features a tool designed to help you make
sense of and respond to NBAD events. You can use the NBAD Diagnostic Wizard to identify
the possible cause of an NBAD alert and determine possible solutions. This wizard is especially
helpful when you need to quickly resolve an attack detected by the NBAD engine.
The wizard will guide you through the following steps:
Identify the threat
Analyze the threat
Review suggested action(s)
Execute the action(s)
1. In the navigation tree, select a group or device and then click the Events tab in the right
panel.
2. Right-click any NBAD event with an origin of NIM and select NBAD Diagnostic Wizard.
3. When the NBAD Diagnostic Wizard opens, click Next to begin.