Event Manager

NOTE: Event Manager was formerly called Powertech Event Manager.

April 2024

Version 6.9.0

April 30, 2024

New Features
  • A new option has been made available for closing automatically generated controlled events while editing a Security Control. This option can be used to notify about specific events without the need to investigate further.

  • Any error in monitors collecting events is now reported in the self monitoring section of the product. The error identifies the affected Devices and/or Applications.

  • Any error in the daily data maintenance process will now be reported as an issue in the self monitoring section of the product.

  • A new option that uses the SQL Server Audit recollection mode for security events has been made available for SQL Server 2019 or newer versions.

Enhancements
  • A new column, "Object Name", has been added to the list of "Associated Events" shown on the controlled event details page.

  • Windows Server 2022 has been added as a valid Asset Type for an audited asset.

  • Add, Change, and Remove subsystem routing entry operations are now audited for IBM i systems.

  • ODBC drivers for Athena SQL Database are now supported on a "Custom Database Reader" DataSource in Event Manager.

  • Event Manager now stores the IFS object path in column 'Object Name' for "SIEM Agent for IBM i" events of type "Object Deletion". This requires the Event Description Text for "TDO All delete operations on the system" to be modified, replacing &DOOLIB&/&DOONAM& with &DOPNM&.

Fixes
  • On installation, the test button to validate the database connection did not work properly for SQL Server 2012R2. This has been fixed.

  • Events from Powertech Exit Point Manager (previously known as Network Security) on IBM i, sent with CEF format output, and using an old version of SIEM Agent (3.10), were not displaying the correct IP address. This issue has been fixed.

  • Grant/Revoke Permissions on Authorization List events for IBM i systems were incorrectly classified as general Grant/Revoke Permissions events. This issue has been fixed.

  • Events from Powertech Exit Point Manager, running on IBM i OS version 7.1, were not displaying the Operator field. This issue has been fixed.

  • False tampering alerts could be generated for the Archive Database (if the database had old events generated from an old installation of Event Manager not supporting Tampering proof checks). This issue has been fixed.

  • The report, "System i - User Profiles - Created, Changed and Deleted" did not return "Deleted" events if you selected 'Delete' for parameter 'Include Actions'. This has been fixed.

  • Product self audit events (generated when any asset was created, modified, deleted,...) were reporting INVALID_SESSION_DATA for Operator Name/Domain and User Name/Domain fields if logged in as a user that did not have an "Administrator" security role. This issue has been fixed.

  • Licenses generated for a specific system (MAC address) could not be correctly validated. This issue has been fixed.

  • Security Controls, with Regulations selected, did not work because no assets were included in the "Events selection" rules. This issue has been fixed.

  • If a Custom Database reader DataSource was reading record fields with CRLF line breaks, the subaction regex expression filter and complete message parsing regex might not work, so these events were not audited. This issue has been fixed.

  • Excluding values in more than one column within the Event Manager or Forensic Analysis timeline did not work, as only one of the column exclusions was taken into account. This issue has been fixed.

  • A false tampered event alert, generated when an event was actually read from a log file (typically using a Custom Log Reader on Event Manager), had an invalid character for the collation of Event Manager events within SQL Server database. This issue has been fixed.

  • A false tampered event alert was generated when an annotation text for a controlled event in Event Manager contained a single quote. This includes the annotations created when closing a controlled event. This issue has been fixed.

  • Event Manager event grids (within both Forensic Analysis and Event Manager) did not respond due to the "HelpSystems - Events Control Service" service hanging. This issue has been fixed.

  • Events collected for standard DataSource "SIEM Agent for IBM i" did not report correct values for source and destination machines. This issue has been fixed.

  • The issue with the "Events Control Service" being blocked after consuming a lot of memory has been fixed.

  • SQL Server events for the following subactions: "Grant/Revoke Permission to statement" and "Grant/Revoke Permission to schema" were not reporting the complete message to the affected user. This issue has been fixed.

  • There were minor differences between the regex filter validator results in LogReader DataSources and the actual events returned. This issue has been fixed.

  • If SmartConsole read more messages than it was able to process, an "out of memory" error was generated and the processing crashed. This issue has been fixed.

  • For SQL Server 2000 assets, the Object Creation/Object Restore and Object Backup/Object Backup Action/SubActions were available in error. This issue has been fixed.

December 2022

Version 6.8.0

December 21, 2022

New Features
  • A new "Data Maintenance Check" view has been added to allow the review of the daily data maintenance process status and a summary event will be sent.

  • A new Security Control "Failed Maintenance Check (Standard)" has been added to allow the configuration of notifications for failed events.

  • A new view "Syslog DataSources with no event received since start" has been added. This view includes events about active DataSources of Assets which should receive events by syslog but are not.

  • Event Manager can now be installed on Windows Server 2022.

Enhancements
  • You are now prompted for a specific "Source" (folder path) for the installation of IIS features and the enabling of features is now retried rather than cancelled.

  • During installation some IIS features are enabled. If this step failed, no description of the error was shown. Now, the exact error is detailed and the options to correct it are displayed.

  • Event Manager will now store the IFS object path in column Object Name for "SIEM Agent for IBMi" events of type "Object Access - Access Denied" if Event Description Text for "TAF All authority failures" is modified to report field &AFPNM& at the end of the text.

  • The product now works on email servers that only support TLS 1.2.

Fixes
  • Using the AS_SetSecAdmin tool could fail if some of the AccessServer.xml files in the product had an invalid XML format. Now, the error is logged and the AS_SetSecAdmin tool completes successfully for the remaining valid AccessServer.xml files.

  • Error "Violation of PRIMARY KEY constraint 'PK_T4SECEVTANN'" could happen during daily database maintenance if setting "Automatically close controlled events" was enabled. This has now been fixed.

  • While using the product in Spanish, the button "Planificar Reportes" could disappear on the page "Gestor de Eventos > Cronologia". This issue has been fixed.

  • Fixed the issue that only allowed a search in the first accessed field.

  • Fixed the scroll action within complete message variables categories toggle.

  • The error "Error getting DataSource list. Communications error..." shown when starting ThinkServer configurator, and the error "... [ERROR] Could not retrieve list of monitors from... Error message: An exception occurred parsing XML..." logged in Locallog.log, have been fixed.

  • In forensic analysis overview, selecting a custom action in the actions chart did not trigger filtering by the selected custom action. This issue has been fixed.

  • When expanding the complete message categories, the page was incorrectly scrolled to the top. This issue has been fixed.

  • Some installations using remote database servers could receive an error message during the installation process indicating it could not connect to SmartConsole. This issue has been fixed.

  • During data maintenance, errors "Connection is busy with results for another command" could be generated in the T4BDLog* log files. This issue has been fixed.

  • Translations for subactions in charts have been fixed in this release.

  • Some events were not saved if, due to any unexpected situation, folder ThinkServer\transient was filled with lots of files (several hundreds or thousands). This issue has been fixed.

  • In any part of the product where you can search for assets, if the filter condition contained a special character, unexpected results were received. This issue has been fixed.

  • An issue when multiple alarms had to send an email at the same time has been resolved.

  • The Archive Database, if defined within "HelpSystems Settings Configurator", could grow quicker than expected after installing release 6.7, causing disk space problems. This issue has been fixed.

  • If product data maintenance failed (due to any reason), false missing alerts were received in the "Tampering proof Data integrity check" view. This issue has been fixed.

  • A Tampering proof - Data Integrity false alert "All relation(s) missing on Event Manager" could previously be generated. This issue has now been fixed.

  • Saving an asset DataSource with an attribute having about 4000 characters may result in this attribute being truncated. This issue has been fixed.

  • Windows User Inactivity DataSource monitors may have previously reported a processing error after installing or upgrading to release 6.7. This issue has been fixed.

  • A test database connection, actioned during installation, failed if only the TLS 1.2 protocol was enabled on the installation server. This issue has been fixed.

  • Events collected for standard DataSource "Exit Point Manager for IBMi" did not report correct values for source and destination machines. This issue has been fixed.

  • Express Setup installation could fail during SQL Server Express installation due to "long path" errors, depending on the installation server configuration and the path from where setup was started. Now, this potential problem is checked in advance and solutions are suggested.

  • The Product Installer will now alert the user if the registry cannot be edited before installation.

  • Fixed a bug that did not allow navigation between Event Manager pages after accessing the details of an event.

July 2022

Version 6.7.0

July 12, 2022

New Features
  • A new Events Manager overview graphical Dashboard has been made available from directly within Event Manager. This was previously only accessible through Insite.

  • A new Forensic Analysis overview graphical Dashboard has been made available from directly within Event Manager. This was previously only accessible through Insite.

  • A new setting "Automatically close controlled events" for Short Term Database of Security DataSources has been made available within the HelpSystems Settings Configurator.

  • An 'out-of-the-box' template has been added to integrate the events from the Beyond Security beSECURE vulnerability scanner.

  • DataSources collecting information by syslog now allow the use of a list of IPs to match with source address of events.

  • Database reader monitors can now use an "Indexed" Incremental condition with a "back" ID number, to avoid reading the whole database each time a datasource is stopped/started.

  • Event Manager now has the ability to run daily tampering and data integrity checks to verify if any asset has had information modified or deleted, with alerts sent if the check fails.

Enhancements
  • Any user or group added with the corresponding roles in the product can now also access a secondary web SmartConsole without requiring any additional configuration.

  • CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-4104 log4j2 vulnerabilities have been removed.

  • IBM i audited assets with "Exit Point Manager for IBM i" DataSource now report a real user as an operator for collected events.

  • Improvements have been made to Product Audit to retain previous values of amended information.

  • It is now possible to change the type of installation during the installation process.

  • ODBC drivers for SAP HANA Database are now supported on a "Custom Database Reader" DataSource in Event Manager.

  • Privileged Users SYSDBA/SYSOPER (Unix) Standard Datasource for Oracle assets can now select different connection types and use the sudo command for some of them within data collections.

  • Product Audit events regarding asset changes are now more specific about what has changed in each asset.

  • SQL Server versions 2019 and 2022 are now in the list of available "Asset Types" when creating or editing an asset to Audit.

  • Scheduling reports now works even if only https access is enabled for the Reports website.

Fixes
  • "Send Event Assigned to Syslog (CEF)" or "Send Security Alert Event to Syslog (CEF)" alarms when integrating Event Manager notified events with 3rd party tools could fail if log files reached their maximum size. This issue has been fixed.

  • A handle leak in process T04ORCSRV.exe ("HelpSystems - Orchestrator" Windows service) has been fixed.

  • A timeout parameter called "Request Timeout Seconds" has been added to Microsoft365 Datasources to prevent communication blocks when Microsoft365 did not respond.

  • Alerts for Assets with no event in the last 3 days are now generated.

  • An invalid "Not Categorized" Action has been removed from the SAP ASE default datasource.

  • Assets created from Orchestrator interface of type Exchange Online, Azure Active Directory or Microsoft Teams are now created as expected.

  • Audited assets of type SQL Server 2000 no longer generate errors following a product upgrade.

  • Breadcrumb controls on some pages were displayed on separated lines due to a lack of space. This issue has been fixed.

  • Changing or migrating to a newer configuration database could previously cause the software to become unstable. This issue has been fixed.

  • Colors for health status, highlighted/threat/incident events and other displays have been changed to adopt the HelpSystems standard.

  • Controls have been added to ensure that specific users do not have permissions to modify or write Windows service executables or have Full Control permission to any directories that contain service executables.

  • Daily maintenance now checks if indexes are disabled and re-enables them.

  • DataSources with the "TimeZone" attribute as "Inherited from Asset" now correctly use the "TimeZone" configured at the asset level.

  • Event Manager and Forensic Analysis scheduled reports no longer fail with "Internal Orchestrator error - bad lexical cast: source type value could not be interpreted as target." in the Reports log.

  • Events from the Historical Database within Forensic Analysis could show incorrect data. This issue has been fixed.

  • Events from the Windows User Inactivity DataSource now report the logon name the same as other Windows DataSources.

  • Events from the Windows User Inactivity DataSource no longer report an incorrect user domain name.

  • Excluding values from columns drop down filters within Event Manager and Forensic Analysis now works as expected.

  • Following a product upgrade, some pages could have different types of JavaScript errors. This issue has been fixed.

  • For Windows Server audited assets, the DataSource "Windows User Inactivity" failed if settings "Ignored Disabled User Accounts" or "Ignored Disabled Computer Accounts" were false. This issue has been fixed.

  • Forensic Analysis and Events Manager sections could show incorrect values for counters and list of events if more than one user is logged into the Event Manager application and some of the users have specific permissions configured. This issue has been fixed.

  • Grant and Revoke Object events have been added to the Oracle Databases audit.

  • HelpSystems - Orchestrator service frequently crashed due to a memory leak when automatically discovered actions for a Custom Syslog CEF DataSource were active. This issue has been fixed.

  • IBM i audited assets within the "Exit Point Manager for IBMi" DataSource did not audit some of the "Network Access Rejected" events. This issue has been fixed.

  • If a database from SmartConsole module (usually HS_APPSEC_SmartConsole) was cleaned or was empty for any reason, SmartConsoles froze during start. This issue has been fixed.

  • If an asset with the character "." was selected in the Assets list, the footer message was not displayed correctly. This issue has been fixed.

  • If the IDX.jar file had been manually modified or replaced, subsequent product upgrades did not install the latest version. This issue has been fixed.

  • In rare circumstances due to internal configuration, the SmartConsole service could crash due to a memory leak after running for several hours. This issue has been fixed.

  • In some instances, scheduled reports from Forensic Analysis would not show charts if groups were selected. This issue has been fixed.

  • In very rare cases, some events were automatically closed after upgrading the product. This issue has been fixed.

  • Inspector\bin\config\Inspector.cfg file has an attribute ColumnCacheCapacity, which shipped with a default value of 250000. But if this attribute was not explicitly declared in Inspector.cfg, the default value was far greater. Now, the default value if the attribute is not explicitly declared is also set to 250000.

  • It is no longer possible to add the same value twice to column filtering within the "Add XX to list" option.

  • It was not possible to log in to the application because the HelpSystems AccessServer module could get locked if the database was not made available during part of the initialization phase. This issue has been fixed.

  • Product web services did not work after installation, if IIS (Microsoft Internet Information Server) did not have "IIS-ServerSideIncludes" and "IIS-StaticContent" enabled. This issue has been fixed.

  • Removing a mapping variable while editing a DataSource, and confirming the change resulted in the confirmation window being constantly displayed. This issue has been fixed.

  • Self-monitoring reported some issues with errors: ".. WMI: Invalid class...". This issue has been fixed.

  • Service "HelpSystems - Orchestrator" could fail with an unrecoverable error when calling SOAP function in Index Service, meaning the application was unavailable. This issue has been fixed.

  • Sometimes "flag icon" links within issue details were not shown, despite the source IP address being resolved. This issue has been fixed.

  • Syslog CEF DataSources now displays the list of available CEF variables.

  • The "Controls" filter within the Event Manager list of events now works as expected.

  • The Attribute Instance Name is now correctly displayed within Assets filter help.

  • The DataSources "Privileged Users SYSDBA/SYSOPR for Unix" and "Privileged Users SYSDBA/SYSOPR for windows" for Oracle Database Server assets have been amended so they are now visually distinguishable in the "Actions to Audit" tab.

  • The ExecutionMode parameter in Event Manager Custom Database Reader Datasources has been removed because it is not used anymore.

  • The IDXServiceWrapperConfig.xml file is now updated correctly after a product upgrade.

  • The PMDB service that purges old data for Forensic Analysis and Events Manager Overview charts has been improved for performance.

  • The Product Security Administrator user is now allowed to use passwords with blank spaces.

  • The Regulations filter drop-down is now correctly displayed in a typical laptop resolution (1366x768).

  • The pipe character is now valid within the user name credential.

  • The unused file, sqljdbc.jar, has been removed from the product.

  • Trying to filter with a text value containing the "=" character in Event Manager or Forensic Analysis columns drop-down filters resulted in a blue screen and an exception error. This issue has been fixed.

  • Update patches for out of the box auditing for some asset types within Event Manager were not being applied immediately. This issue has been fixed.

  • Users for credentials could not contain the # character. This issue has been fixed.

  • When auditing an IBM i asset with DataSource "SIEM Agent for IBMi" some events could have been lost. This issue has been fixed.

  • When auditing an IBM i asset with DataSource "SIEM Agent for IBMi" the events for Actions "Password Modification" and "Password Reset" were collected as "User Modification". This issue has been fixed.

  • When editing an Event Manager view and selecting a "User column" within "User Variables Mapping", the window was automatically scrolled up without any user intervention.

  • Logging in with a user not explicitly authorized in "Users and Groups management", but included in a group which is authorized, resulted in an internal lock with the login causing a "timeout error". This issue has been fixed.

  • Using column filtering in Forensic Analysis or Event Manager pages and clicking on "Select All" sometimes left the value "(Blanks)" unselected. This issue has been fixed.

  • Windows File Monitoring DataSource for a Windows asset did not have the correct text for parameter label "Lookup Account SID". This issue has been fixed.

  • Within Event Manager and Forensic Analysis, column headers disappeared when horizontal scroll at the bottom of the page was used. This issue has been fixed.

June 2021

Version 6.6.0.30000

June 30, 2021

New Features
  • New actions have been added for the Windows template in Event Manager to detect persistent threats for security-disabled groups management.

  • New actions have been added to the Windows template in Event Manager to detect persistent threats in the creation of unknown/unapproved services or processes.

  • New actions have been added to the Windows template in Event Manager to detect persistent threats for Scheduled Tasks management.

  • Response time in Event Manager and Forensic Analysis grids has been reduced when using assets filtering in the security tab configuration.

Enhancements
  • A new logo for Event Manager and Security Auditor has been applied.

  • Added support for the new Powertech SIEM Agent 4.4 release.

  • New events have been added to Fortigate Assets.

  • “Group by Asset” option added as an Issues Analysis report parameter when scheduling.

  • Refresh Time, Latency and Time Zone default values have been changed for the Amazon Web Services template.

  • Event Manager has improved the throughput of deleting old records during its maintenance process.

  • Installation improved check: If IIS (Internet Information Server) is not installed and we are not able to install it, installation is canceled to avoid unexpected problems.

  • Object Creation, Deletion and Modification actions for objects of type Function, Index, Stored Procedure, Trigger and View have been added to the Oracle template in Event Manager.

  • User Statements (SQL delete, insert, update) actions have been added to the Oracle template in Event Manager. These require a specific audit activation.

  • It is now possible to create/define assets with newer Oracle versions (12, 18, 19).

Fixes
  • Creating an asset in Event Manager with the same name as where it is installed, but in a different case, is now listed correctly in Events Manager and Forensic analysis grids in the Audited system column.

  • The Azure Active Directory Operator is now mapped using the UserId from the original Event instead of the UserKey.

  • Missing translations (English and Spanish) for some event Action/SubAction names in reports have now been added.

  • Within Forensic Analysis, deselecting a "Blanks" value from the Security Control columns; "Security Control Name", "Selection Rule" and "Classification Rule", did not work. This issue has been fixed.

  • A parsing issue with IBMi Authority Failure (AF) for the SIEM Agent integration out-of-the-box template has been resolved.

  • Update Statistics for Orchestrator Engine scheduled every night did not actually update indexes statistics. This has been resolved and a summary is now logged in folder Orchestrator\Orchestrator Engine\logs.

  • Invalid email address was used as the default for the technical contact email in Reports. This issue has been fixed.

  • If Domain or User/Group was changed while editing a User or Group configuration, notifications for this user or group stopped working forever. This issue has now been fixed.

  • Manually created monitors within ThinkServer Configurator for an Advance Database Reader DataSource configured as "Incremental Policy: Indexed" did not retrieve any data. This issue has been fixed.

  • Events Manager Custom DataSources EventLog and DatabaseReader did not retrieve events for a specific subaction if "SubAction Complete Message Parsing" was defined and "Variables Mapping" used a variable with a case different from the one in the regex expression. This issue has been fixed.

  • While using several search boxes there were some "invalid" characters, which caused an error. This issue has been fixed.

  • Sometimes, upgrading could leave Web.config with invalid content in the "staticContent" tag rendering the software unavailable. This issue has been fixed.

  • When saving an alarm or action set, the editing tab is now maintained.

  • It is no longer permitted to change the application Security Administrator during an upgrade and installation only continues if the security administrator password has been verified.

  • Regular expressions and default time format parameters in SWIFT applications Datasources were incorrect. These have been fixed in this release.

  • Objects Action Auditing based reports couldn't be opened when there was only one registry result. This issue has been fixed.

  • Monitoring assets could stop receiving health updates and issues information due to a lock in Smart Console Publisher. This issue has been fixed.

  • Infrequently, Inspector Service could become inaccessible after starting. This issue has been fixed.

  • If Event Manager and Vityl IT & Business Monitoring collect syslog events, the L2Launcher Syslog process could crash due to too much memory usage. This issue has been fixed.

  • Some of the oldest scheduled reports were not being correctly launched. This issue has now been fixed.

  • DSNs created for SQL Server Express 2019 now work as expected.

  • Installation or upgrade could sometimes generate an incorrect Web.config resulting in it being unavailable. This has been fixed.

  • An issue with single sign-on has been addressed and now all the applications work without a new login.

  • Security Controls with specific Regulations selected did not use these selections after a refresh. This has been fixed.

  • The SubAction Regular Expression Filter in Database Reader and Windows Event Log Custom Datasource was inaccessible leaving an incomplete configuration. This has been fixed.

  • Using Microsoft 365 Datasources with "Actions and subactions automatic discovery" enabled no longer causes an Event Manager unavailability problem.

  • Security Controls that are loaded during “Orchestrator” service start and fail (due to an unexpected error) result in the “Orchestrator” service not starting. This issue has been fixed.

  • When using Internet Explorer v11, badly aligned check boxes in the Investigate tab for an event have now been repositioned.

  • When editing a “Subaction regular expression filter”, any invalid regular expressions or variables mapping are now detected.

  • Forensic Analysis or Events Manager grids could generate an "Error executing Indexator query embedded in where clause. Details: AccessServer error: Invalid session." error, resulting in the event counts not being displayed. This has been fixed.

  • An error recollecting events in a named instance of a SQL Server with credentials of type User/Password has been fixed.

December 2020

Version 6.5.0.30000

December 21, 2020

New Features
  • All possible values for columns Action, SubAction, Operator Category, User Category and Object Category are now displayed for column filters in the Event Manager and Forensic Analysis grids. Previously you would see only values from existing security events.

  • An 'out-of-the-box' template for Azure Active Directory has been made available.

  • An 'out-of-the-box' template for Azure Exchange Online has been made available.

  • An 'out-of-the-box' template for Microsoft Teams has been made available.

  • Event Manager now provides security and compliance monitoring for data hosted in the Microsoft 365 environment.

  • This release adds the ability to monitor file integrity for Windows, adding this capability to those already available for Unix, Linux, AIX and IBM i.

Enhancements
  • An 'out-of-the-box' template to audit SAP Adaptive Server Enterprise (formerly Sybase) has been made available.

  • Backup and Restore databases actions have been added to the SQL Server 'out-of-the-box' template.

  • Trace improvements have been made to detect necessary attributes not found when triggering application errors.

  • Fixed a bug that did not allow the pasting of contact mail in notifications configuration.

  • Windows User inactivity detection has been improved with 'Expired account' information.

  • It is now possible to use long passwords in credentials.

  • The Axis2 library versions 1.5 and 1.6.1 have been upgraded to version 1.7.9. This library is used in HelpSystems - Orchestrator Idx and HelpSystems - ThinkServer Java System i Server modules.

  • The full Job Name is now displayed in Additional Info 2 on IBM i Audit events coming from VMC.

  • Event Manager now provides the ability to group events using multiple variables and add summary charts to make it easier to detect anomalies or threats.

  • It is no longer possible to delete an asset with non-templatized monitors (manually created from ThinkServer configurator).

  • It is no longer required to input the user password while scheduling reports.

  • It is now possible to assign an event to "Me" without the need of having this user explicitly created in the product.

  • It is now possible to choose whether to use an encrypted connection to the product databases during the installation process.

  • JSON events are now formatted when displayed in the Event Details- Event Manager page.

  • Outbound alert integrations with Solarwinds Web Help Desk and Dynatrace have been made available.

  • Reorganizing of indexes, included in the maintenance process, will only be executed at weekends to avoid affecting production hours.

  • The Events Maintenance process is now five times faster.

  • The product now uses an OpenJDK JRE version.

  • This release provides the ability to manually add values to the grids (Event Manager and Forensic Analysis) columns possible values list on the column headers.

Fixes
  • Some configuration changes in Vityl IT & Business Monitoring took too much time to apply because there was an internal #RECOVERY_OPERATIONS_FULL_SYNCHRO# request in progress. This has been fixed.

  • Syslog messages without priority were not being correctly parsed. This has been fixed.

  • An error where some syslog messages from CEF monitors that had non-English characters couldn't be correctly parsed has been fixed.

  • After upgrading to v6.4, there were some cases where the Scheduler Service couldn't start. This has been fixed.

  • After upgrading to version 6.4 from previous versions some old files could remain forever in ThinkServer\transient folder and errors "invalid vector<T> subscript" could appear in ThinkServer\logs\T4BDSR.log. This has been fixed in this release.

  • ThinkServer module monitors remained in Unknown status instead of returning proper health status if there were multiple "MaxThreads" DataSources of the same Type. This has been fixed.

  • Multiple scroll bars were shown when switching rapidly between monitors. This has been fixed.

  • The installation process has been improved to force a restart if it is pending after an automatic Windows Update.

  • Fixed a memory leak in the SmartConsole Module.

  • Fixed access to category rules in environments with custom types.

  • The number of events was not properly displayed in the 'By control' summary in Event Manager. This has been fixed.

  • Custom DataSource Subaction Regular Expression Filters were case sensitive. This has been fixed.

  • Event Manager Inspector module crashed (and generated a dump) when connection with DB was lost. This has been fixed.

  • Incorrect active users were appearing when there were multiple domain controllers in the same domain and last logon date was not synchronized. This has been fixed.

  • SQL Server Datasource Configuration now allows an empty path for traces directory.

  • It is now possible to create new calendar range sets with the required name.

  • AccessServer maintenance could report an error when trying to resolve extremes. This has been fixed.

  • Windows "Logon failed" events due to an account lockout were not correctly reported: the reason (account lockout) was missing. This has been fixed.

  • Charts could have missing data for current intervals if lots of errors "Query timeout expired" were returned to HelpSystems - PMB service from SQL Server. These errors were located in PMDB log files. This has been fixed.

  • There was a problem when trying to change AccessServer service port number. This has been fixed.

  • If you changed your tenant name, monitors from Event Manager audited assets still saved events with the old tenant name. This has been fixed.

  • To prevent the User Directory Service from crashing, the ability to exclude groups from requests has been added. Groups are excluded by creating the file ServiceExcluded.ndx in folder \YellowPages\bin\cache, with the same format as the Service.ndx file.

  • Event Manager User Account Inactivity events sometimes did not retrieve the user domain. This has been fixed.

  • The SelfMonitoring monitor for the "SmartConsole Outdated" Assets control could fail with monitoring error "...Parsing regular expression ...". This has been fixed in this release, but if upgrading from v6.4 to this release, a manual fix is required.

  • The C++ vulnerability has been fixed in this release (CVE-2-12-6151).

  • The 'Improper Restriction of Rendered UI Layers or Frames' vulnerability has been corrected. Clickjacking attacks are now prevented (CWE-1021).

  • The 'Exposure of Sensitive Information to an Unauthorized Actor' vulnerability has been fixed. The detailed version information exposure has been turned off (CWE-200).

  • The 'Generation of Error Message Containing Sensitive Information' vulnerability has been fixed. The stack trace has been removed from all the product error messages (CWE-209).

  • The 'URL Redirection to Untrusted Site' ('Open Redirect') vulnerability has been fixed (CWE-601).

  • The 'Sensitive Cookie in HTTPS Session Without 'Secure' Attribute' vulnerability has been fixed. The Secure flag is now set on all sensitive cookies (CWE-614).

  • The 'Improper Neutralization of HTTP Headers for Scripting Syntax' vulnerability has been fixed. Secure headers have been added to all HTTP responses following the OWASP directives (CWE-644).

  • The 'Improper Neutralization of Input During Web Page Generation' ('Cross-site Scripting') vulnerability has been fixed (CWE-79).

  • Every character from user input is now validated to avoid potential problems.

  • The HelpSystems SmartConsole Messenger module had a handle leak. This has been fixed.

  • Insite Event Manager - Events Analysis could show inconsistent data across different charts. This issue has been fixed.

  • Maintenance for Historical or Archive Events Database could fail if database tables were deleted manually without restarting the "HelpSystems - Database Maintenance" Windows service. Tables are now recreated before the Maintenance for Events Database is run.

  • Maintenance performance has been improved when you have many annotations and other considerations.

  • Multiple OpenSSL vulnerabilities have been fixed in this release.

  • Renaming a Tenant to a previously existing name generates an error: "Tenant name already exists". This has been fixed.

  • The ThinkServer module could consume a large amount of memory if the monitors generated large messages, which would eventually lead to a ThinkServer module crash. This has been fixed.

  • Users or Groups with blank spaces in their name were not supported. Some features, for example, Security User Permissions, did not work properly. This has been fixed.

May 2020

Version 6.4.0.30000

May 11, 2020

New Features
  • Event Manager now provides event notification on a wide range of popular business applications. You can now create a ticket in ServiceNow or JIRA, an alert on Opsgenie or send a message to Microsoft Teams, Slack, and Telegram.
  • Powertech Antivirus for IBM i events integration is now available using Powertech SIEM Agent for IBM i (only from version 4.0+).
  • This version of Event Manager allows the provision of your own names to the custom variables used in the product in order to map your real business concepts on the views and reports.
  • Event Manager now provides the ability to be notified that an event has occurred on which a user must act. Security Analysts are then able to react rapidly whenever a security alert is triggered, to remove the potential threat as soon as possible.
  • To comply with the California Consumer Privacy Act 2018, Event Manager provides 'out-of-the-box' views and reports to help you defend against data breaches, and ensure your customers' personal information remains secure.
Enhancements
  • If a link is configured on the control treatment instructions, it is also now available from the event details screen.
  • Assets with a delayed event collection issue are now detected from within Event Manager.
  • A Security Control name change in Event Manager that is not immediately applied now generates a message, which is sent to the Events Control Services logs (typically in installation folder \Inspector\bin\logs) with the detailed error.
  • Event Manager notifications now include Action, SubAction, Object and Application fields as variables.
  • Installation process improvements have been made to improve reliability and resilience.
  • New validation routines have been added during the upgrade process to ensure that the product security administrator is correctly configured.
  • The monitoring configuration database is now optimized, by rebuilding or reorganizing indexes and updating statistics, each day in a nightly batch process.
  • Performance has been improved when collecting "Powertech Database Monitor for IBM i" events as it is now possible to use numeric date and time table columns without special castings on the "Incremental field".
  • Calendars are no longer refreshed if no modifications have been made.
  • SPARE1 and SPARE2 are now retrieved on the Oracle Standard datasource and are mapped to Additional Info 1 and 2 fields.
  • New attributes of Environment, Customer, Facility Name and Facility Type have been added to assets to make categorization easier.
  • Email notifications now use HTML format to make them easier to understand on the initial reading.
Fixes
  • Self monitoring assets no longer have false critical errors if the "Select SmartConsole" option is chosen to monitor an 'Application or Connectivity Group' for a self monitoring application.
  • VMware (vCenter) security events are now stored in local monitoring node time instead of UTC.
  • The timeout for Dynatrace API webservice checks has been modified to 30 seconds instead of 10 seconds.
  • Variables mapping in custom datasources no longer displays false positives in the validation.
  • Filters in Subactions using fields 'Operator Category', 'User Category' or 'Object Category' now work as expected.
  • Event Manager now stores security events created on February 29th with the correct date.
  • Event Manager now has the ability to retrieve Windows event log events from systems having EventRecordNumbers greater than 4,294,967,296.
  • Column values in Forensic Analysis and Event Manager are now displayed correctly when lots of different values exist.
  • Performance metrics database queries have been improved with the addition of a new index.
  • If SmartConsole stops due to an unexpected error, the recovery procedure is now a lot faster than previously, thus reducing the outage time.
  • A fix has been applied to prevent high memory usage on the Events Control Service when a lot of different values exist on the ColumnCacheCapacity.
  • The product can now recover when PMDB encounters "The transaction log for database ... is full due to" and "The server failed to resume the transaction" monitoring errors.
  • Using VAR01 to VAR99 in Security Control filters for Event Manager no longer causes the Events Control Service to crash.
  • The non-existing user in Active Directory error generated when creating a user has been fixed in this release.
  • The daily self-cleaning of metrics data now includes the "Shrinking Transaction Log" step for SQL server database.
  • The memory usage of the Event Manager T4MonManagerService.exe process has been reduced in this release.
  • The PMDB service accessed from Event Manager and/or Vityl IT and Business Monitoring now recovers from a Microsoft ODBC Driver 13 for SQL Server restart error.
  • Event Manager syslog agent now discards messages if memory increases due to a bottleneck in syslog message handling.
  • The performance bottleneck that arose when saving Event Manager events to DB has been corrected in this release.
  • T4MonManagerService.exe process memory was too high when viewing the list of assets in Event Manager. This has been fixed in this release.
  • Event Manager DataSources for Windows that do not have proper credentials now report a Monitoring error.
  • A fix has been applied so that Activity calendars are now discovered by ThinkServer following an update.
  • Event Repetition selection rules for Event Manager Security Controls now take into account variables "Variable 01" to "Variable 99" for the "Use a custom set of fields to find repetitions" parameter.
  • Data is now displayed as expected when selecting a Database that is different from ShortTerm in Event Manager Forensic Analysis.
  • When more than one monitor queries the same table, Database Reader Monitors no longer return an error when updating the database cache.
  • In order to reduce the maintenance process time for events data, improvements to queries have been made.
  • Asset credentials, or some of its datasources, can now be used when manually setting credentials at monitor level.
  • Although improved reports generation performance is included in this release, user notification has been added to inform users that the generation of reports that cover a long time range could cause a decrease in performance.
  • Scheduled reports could fail with error "Invalid AccessServer session". This has been fixed in this release.
  • The Chronological Data Changes report display no longer shows an error when no data is returned.
  • The default domain is now correctly saved and displayed on the login screen.
  • Monitors were not working if an invalid datetime format was configured in Database Datasources. This has been fixed in this release.
  • When some User Account Names contained non-English characters, some monitors were reporting encoding errors. This has been fixed in this release.
  • Event Manager now receives events from Cisco Router switches as expected.
  • The problem in DataSource configuration where some fields were not saved has been fixed in this release.
  • The IBM i - User Profiles report now returns the correct information for deleted users.
  • Collection errors on User/Computer account inactivity have been corrected in this release.
  • The Internal error "database disk image is malformed" that could occur in both "ThinkServer" and "Events Control Service" has been fixed in this release.
  • Previous Value and Current value columns on Forensic Analysis now correctly display all changes on audit policy modification for Event ID 4719.
  • If SmartConsole has connections to both an IBM i and PC systems, events from Agent Code AUD are now received once SmartConsole is restarted.
  • When creating a Tenant, the default configuration was not created until the next restart of the Orchestrator service. This has been fixed in this release.
  • Following installation, Security Control events of a particular tenant could be created with events that were actually from other tenants. This has been fixed in this release.
  • Autodiscovery was failing if it was unable to retrieve the model of a specific device. This has been fixed in this release.
  • Event Manager events which should be excluded by SubAction filters are no longer audited in error.
  • .NET connections are now being forced to TLS 1.2 in order to avoid security issues.
  • Processing a large number of events in Vityl IT and Business Monitoring is now run in the correct order within SmartConsole Business View so that the correct asset health status is displayed.
  • The User Directory Service (also called YellowPages) had a deadlock, which produced a steady rise in memory usage and could eventually crash the process. This has been fixed in this release.
  • The Complete Message for an Event Pattern Rule in a Security Control is now correct by replacing the variables in the message template as expected.
  • The "Out of Memory" error in Windows service "SmartConsole Publisher" has been fixed in this release.
  • Using the characters ' or " within Name or Alias in Vityl Assets is now allowed.

 
