Powertech Event Manager

NOTE: Powertech Event Manager was formerly called Alignia Online Business Security. As from May 2020 and Release 6.4, Event Manager has been re-branded as a Core Security product.

September 2019

New Features
  • Powertech Event Manager now integrates the issues detected by Vityl IT and Business Monitoring. This provides high visibility of the consequences of a suspicious event on the systems and application operations.
  • AWS standard CloudTrail events are now integrated into Powertech Event Manager.
  • System performance has been enhanced when retrieving events to show in Event Manager and Forensic Analysis grids.
  • System performance has been enhanced when retrieving possible values for the Events grid.
  • The process to retrieve possible grid column values has been improved.
  • A new control has been added to self-monitoring to control the expiration date of the licenses.
  • "Custom Event List" reports have been enhanced so that charts are sorted by occurrences and all group names are shown.
  • A new DataSource has been added to the IBMi 'out-of-the-box' template to retrieve the Powertech Exit Point Manager for IBMi events using the VMC technology.
  • Powertech Event Manager now provides the ability to consolidate your audit data from multiple time zones on a single, easy-to-understand audit trail.
  • Express Setup is now available for a clean product installation. It includes an embedded version of SQL Server Express and the default configuration is now plug and play.
  • A new toggle has been added to Event Manager and Forensic Analysis to enable auto refresh on both grids.
  • A fix has been applied so that events with a valid Syslog CEF format are no longer lost.
  • EventLog Monitors no longer ignore a change in credential and now change the monitor status to error. Changing the DataSource/Monitor credential that was defined at point of creation, or assigning a new credential, is no longer ignored. When a wrong user/password is defined while using Automatic/Windows API recollection, the monitor now errors as expected.
  • A fix has been applied to allow the export of the Event Manager or Forensic Analysis grid when filtering by a column containing values with non-standard characters.
  • System performance has been enhanced when retrieving values of the Audited System column in the Event Manager and Forensic Analysis grids.
  • A fix has been applied to prevent an SQL error being produced when two or more monitored assets are deleted in the same operation.
  • When importing an asset, exported from a previous version of Event Manager, the default configuration (Standard DataSources) is immediately upgraded, and the changes applied to the asset monitoring.
  • Security controls created in a tenant no longer process events from a different tenant. Additionally, events generated from product auditing now have the correct Tenant applied.
  • A fix has been applied so that when auditing SQLServer 2000, an "[ODBC Driver] Dialog failed" error is no longer generated.
  • The correct report alignment is now displayed when exporting the "Security Assets Configuration Summary" report to Excel.
  • A fix has been applied so that regular expressions of MEP 'out-of-the-box' DataSources are correct. Also the capability to obtain events' date from the log file name has been implemented.
  • Source and Destination IP addresses of events could arrive with leading zeros which could affect comparisons. The code has been amended to compensate for this.
  • The nicecfg.exe path has been added to the system path so SmartConsole alarms can now execute the AS400 alarm preview.
  • A fix has been applied in order that when rendering reports, all values are correctly translated.
  • Multiple white spaces are no longer displayed as a single white space in event columns.
  • The Windows process WMIPrvSE.exe, used to retrieve WMI information from the local Windows system, was consuming a high volume of CPU. The number of handles used in our processes has been reduced.
  • A fix has been applied so that Linux servers are now discovered automatically.
  • Creating an application such as an SQL server from a list of assets is now generated as expected and can be used in Vityl IT and Business Monitoring.

June 2019

New Features
  • An 'out-of-the-box' template for Db2 for i has been made available.
  • User inactivity controls have been added to the Windows 'out-of-the-box' template to help meet the PCI DSS 8.1.4 requirement. These controls remove/disable inactive user accounts within 90 days.
  • An 'out-of-the-box' template for Firewalld has been made available.
  • An 'out-of-the-box' template for Sistema de Operaciones Electrónicas (SIOPEL) has been made available.
  • An 'out-of-the-box' template for Medio Electrónico de Pagos (MEP) has been made available.
  • When entering Powertech Event Manager or Vityl IT and Business Monitoring with a domain/IP address different than the one configured for HelpSystems.Service, it is now redirected to use the domain/IP address configured for the service in order to avoid cross domain problems.
  • A new configuration option means False Positives and fatigued alerts are easier to detect and manage.
  • Improvements have been made to Powertech Event Manager's custom datasources allowing data integration from any in-house application. Parsing data has been made easier with a new data validation routine.
  • Powertech Event Manager provides 'out-of-the-box', pre-built compliance views for PCI, GDPR, SOX, ISO, and other regulations, based on security controls and events collected in the system.
  • Executed Programs event audit has been added to the Linux 'Out-of-the-box' template.
  • An 'out-of-the-box' template for Juniper Firewall and VPN Gateway has been made available.
  • 'Out-of-the-box' templates have been made available for the following CEF supported devices and Applications: Check Point, Barracuda WAF, Imperva WAF, Juniper and Palo Alto Networks.
  • An 'Asset Security Responsible' field has been added to assets to comply with the ISO 27001 A.8.1.2 Ownership of assets requirement.
  • An 'out-of-the-box' template for Intermapper has been made available.
  • A new Asset Configuration summary report has been made available.
  • Common Event Format (CEF) syslog events can be easily integrated into Powertech Event Manager using the new Custom Syslog CEF Datasource.
  • A new 'out-of-the-box' template has been made available for SWIFT.
  • A new custom datasource collector via SNMP has been created for Security events.
  • An 'out-of-the-box' template for Powertech Identity and Access Manager (BoKS) has been made available.
  • Asset attributes (Responsible, Criticality and Regulation) are now visible on the Event Details page.
  • Red Hat 8 is now supported in the 'out-of-the-box' Linux security template.
  • Linux Security Events can now be collected using the syslog protocol.
  • SUDO sentences are now audited on Linux systems.
  • Settings for the sending of emails can now be configured during the installation process.
  • Links present on event messages and variables are now clickable to allow easy access to the context information.
  • A link has been added into the landing page to connect to the HelpSystems solutions page displaying the full company portfolio. This informs the user of common issues that any HelpSystems products could potentially solve.
  • The look and feel of the installation software has been updated to use the new HelpSystems branding.
  • A fix has been applied so that it is now possible to select encoding on the Linux and AIX Security 'out-of-the-box' datasources.
  • The value "Me" has been made available in the Reviewer column of EventManager and ForensicAnalysis grid.
  • Event details pages can now be opened in a new tab to allow the opening of multiple events without losing focus.
  • The process of adding a new IP/DNS name to an asset during configuration has been improved to avoid errors arising during saving and updating.
  • The installation process has been improved allowing the unattended installation using the default recommended settings.
  • 99 new custom variables have been added to the events. These can be used on Custom Datasources and are visible on both the Event Manager and Forensic Analysis pages.
  • Support of DNS/IP filtering has now been made available on Syslog-based 'Out-of-the-box-templates' and Custom Datasources.
  • Defining an empty community in a trap credential now has the same properties as an entry of "*", which means 'any community'. In previous versions a credential with an empty community didn't match any trap.
  • Problems with Alev, that made reports containing Alev restrictions break, have been fixed in this release.
  • A fix has been applied so that the link to Security Control configuration in an Event Manager controlled event now works as expected.
  • L2Launcher processes are now automatically ended when the ThinkServer Service is stopped.
  • A memory leak in PMDB has been fixed in this release, where a mutex object was created when performing an aggregation but was subsequently never deleted.
  • A fix has been applied so that Rules in Security Controls now take asset regulation into account when filtering assets.
  • A fix has been applied to prevent Orchestrator ending unexpectedly after a communication error with Database Server.
  • A fix has been applied in order that whenever the SQL Server database server is configured with a port different from the default setting, the created database server asset of self monitoring in Orchestrator now has the correct IP address.
  • A fix has been applied so that the server kind is now being selected correctly according to the saved value.
  • The self-monitoring dependency for the "NLKChild.exe" process for Monitoring Node has been deleted because this process doesn't need to be executed. The change is only applied to new monitoring nodes.
  • A fix has been applied to the Reporting module so that the page break checkbox now works as expected.
  • A fix has been applied so that multiple connection errors with database server no longer cause the application to stop working.
  • A fix has been applied so that the HelpSystems - Orchestrator service now recovers from the temporary unavailability of SQL Server.
  • Desktop machines running Linux and Windows now have an 'out-of-the-box' template to audit their security.
  • A fix has been applied so that the Summarized Controlled Events report now shows all values.
  • A fix has been applied so that the l2launcher executing SNMP Trap monitors no longer fails after receiving an SNMP trap.
  • In Vityl IT and Business Monitoring and Powertech Event Manager, default ordering is no longer case-sensitive.
  • A fix has been applied so that the Reporting module now alerts when the scheduled tasks fail.
  • An attribute, DataSourceRetryEnabled, has been added as required to various elements in order to prevent the self-monitoring errors that occurred within "PMDB Queue Length".
  • A fix has been applied so that iSeries Monitors no longer hang when executed without credential.
  • A fix has been applied so that retention policies within Powertech Event Manager and Vityl IT and Business Monitoring no longer fail with errors: 'The DELETE statement conflicted with the REFERENCE constraint "FK_AggrValue_AggrValueDef"' in PMDB module logs.
  • Vityl IT and Business Monitoring no longer stops calculating charts data, if the PMDB module communication with the database gets lots of "Communication link failure" errors.
  • Database queries when SmartConsole starts are now protected and shut down the SmartConsole should they occur.
  • Regular expression options in Syslog monitors have been changed so that they are now case insensitive.

December 2018

New Feature
  • From this release it will be possible to work with your highlighted events, threats and incidents or search for events in Event Manager pages and export the result into your favorite format (pdf, csv, word, xls). Additionally, it will be possible to schedule the reports that are needed to help provide security regulation compliance.
  • Event fields 'AddInfo_1' and 'AddInfo_2' are now included in the notification event as these fields are sometimes needed to perform the proper notification.
  • It is now possible to self-monitor dozens of metrics in the application itself, covering CPU, Memory, processes running, disk capacity and performance and much more.
  • Error messages in ThinkServer Configurator are now shown in the same color as the Monitoring Error icons, instead of using the Critical color. Debug and trace messages from monitors that were sent as "Unknown" are now shown as "Report". Report messages in Orchestrator are no longer shown as "Success" messages.
  • An asset type can now display if it has an 'out of the box' template applied when it is selected.
  • Suse can now be selected as a Linux model when selecting a type of Linux.
  • Reports module is now running in 64-bit mode and supports reports with more than 100,000 pages.
  • An improvement has been made to the retrieval of the Event Analysis page in Insite from all the main pages in the solution.
  • A new link from the Configuration page has been made available to be able to access any Scheduled reports that have been defined.
  • The Event Control Service (ECS) can now recover from a "Communication Link Failure" error without needing to re-start the service.
  • A new product home page has been created with the brand new HelpSystems design and a link to Powertech Security Auditor to increase Powertech Suite product integration.
  • The Maintenance process for SmartConsole and PMDB now includes some improvements for Indexes and Database performance.
  • A ten-fold performance improvement has been made to Windows Event log collection technology so that more than 1000 Windows Servers can be supported by the monitoring node.
  • All 'out-of-the-box' templates based on Database collector, Log Reader collector or Syslog collector have had a ten-fold performance improvement in Memory and CPU usage.
  • The SQL query used to perform free-format text search on the events database was not returning results quickly enough. This query has been improved so that it performs much faster.
  • A fix has been applied to manage memory under heavy event load and slow database insert conditions.
  • A fix has been applied so that when enabling/disabling the Security monitoring in some assets and then enabling/disabling a Business Process, the action is no longer audited twice.
  • The issue where new events were no longer received, caused by changing the DataSource for a Syslog Monitor, has been fixed.
  • A fix has been applied so that Database server downtime is now supported and data is calculated and updated as expected.
  • Product audit events are no longer saved in the database with wrong TimeGenerated values. Furthermore, the "HelpSystems" value has been added as a valid Platform value in the Web client. This provides the ability to create categorization rules for this type of audit event.
  • A fix has been applied so that User Directory Service no longer stops working in some computers.
  • A fix has been applied to ensure that the correct user name is displayed in the Product Audit.
  • File ns.ini, needed to use the translation table in Nicelink, was installed in the wrong directory. This has been resolved.
  • A fix has been applied in this version to ensure that from a clean install, all Indexes are installed correctly.
  • For Windows Server 2008, the previous and current values in a datetime change event were not being displayed properly. This issue has now been resolved.
  • Some updates caused l2ProcessConfig file to become invalid. This has been retroactively corrected.
  • Security reports with hidden columns no longer fail during the generation process.
  • When using a search box filter, controlled events counters are no longer displayed.
  • Mail notifications for macros no longer fail when "Default credentials" is disabled.
  • A fix has been applied to the Events Manager grid so that if the user filters by every type of event by selecting them one by one instead of using the "Select All" option, the summary info is now available.
  • A fix has been applied so that an empty Events Manager grid, where no Event Type has been selected, no longer displays an error message.
  • A fix has been applied to prevent the "Credential Abuse" message (a session token being used more than once) being returned once AccessServer has been running uninterrupted for a period of 24 days.
  • With this release, the product now creates an entry in the log if the Report configuration backup has been executed.
  • A fix has been applied to resolve an issue in the event maintenance process where SQL Server ODBC Driver 13 caused DB connection problems.
  • A fix has been applied to ThinkServer to ensure the correct Categorization of any event of Powertech Event Manager.
  • Powertech Event Manager now starts when the jmx port 5555 is in use by another application.
  • A fix has been applied to prevent Powertech Event Manager starting in an inconsistent state should the database become temporarily unavailable when Orchestrator is starting.

August 2018

New Feature
  • Cross-platform Policy Minder events can now be integrated into Powertech Event Manager.
  • A new tool to create a zip file containing the logs and dump files from all components has been made available.
  • Stand Guard anti-virus for Linux and AIX events has been integrated into Powertech Event Manager.
  • Improvements have been made to the performance of Security Events Maintenance.
  • A new feature has been added to allow the filtering of an event when Operator=User/User=Operator in Security Controls at event collection level in Powertech Event Manager.
  • A low water-mark has been added to the ThinkServer queue of messages to be sent to PMDB, improving flow control when a large number of metrics is being written.
  • An enhancement has been made to provide the option to choose the control sub state (Availability, Performance, Errors) for WebSphere MQ Queue.
  • ThinkServer EventLog agent now allows the user to monitor the LocalHost computer using the new Windows Events API.
  • The event description within Security Events has been enhanced, improving the used icons so that they better describe the affected objects.
  • "Security Administrators" and "Special Users" categories have been updated in Powertech Event Manager with the correct pre-defined rules.
  • A new attribute has been added (Ignore Folders) to ignore the folders in the check and to take only the files into account. The affected controls are: Generic Folder Check (Old Files in Folder) and Generic Folder Check (Size of Files in Folder).
  • A fix has been applied so that a re-run of the Summarized Controlled Events report now works as expected if a previous run was canceled and the filters modified.
  • A fix has been applied so that column filters now work as expected when the number of possible values is very high.
  • A fix has been applied so that only suitable devices are displayed when configuring dependencies for stand alone applications.
  • A fix has been applied to prevent an access violation error when trying to access an invalid pointer in the ThinkServer Configurator.
  • A fix has been applied so that the reports based on Custom Event List templates now accept 3 columns in the 'Group By' section.
  • An issue has been resolved so that reports based on Summarized Controlled Events now display the correct comment in the 'last comment' column.
  • When a Security event passed through two security controls being categorized as a Highlighted event and Threat respectively, accessing the event would sometimes lead to one of the two event types (Highlighted or Threat). A fix has been applied to prevent this.
  • A fix has been applied to ThinkServer so that importing a file that contains monitors with IDs that already exist, no longer causes the monitor to be deleted.
  • A fix has been applied so that when attempting to filter forensic analysis actions or sub-actions in a report, the value is now translated into the user language.
  • A fix has been applied so that new events stored by the Event Control Service in disk (in the \transient directory) are now automatically sent to the database without the need to restart Inspector.
  • Sometimes, a link to an event sent through an email notification didn't work properly and many error messages were shown in the page. This was due to the event being migrated to the Historical or Archive database. A fix has been applied so that the "Event not found" message is now displayed. Additionally, a link to the Historical and Archive versions of the same event are now offered to the user.
  • A fix has been applied so that the Orchestrator service now recovers from the temporary unavailability of SQL Server.
  • A bug that caused memory leaks when security controls configuration was reloaded has been fixed in this release.
  • The event filter names were not translated into English in the pre-installed Security controls selection rules. This issue has now been resolved.
  • A fix has been applied so that when a macro is selected twice, the Dynamic Range scale now changes accordingly.
  • A parsing error on SYBASE queries has been corrected.
  • A fix has been applied to prevent the failure of maintenance configuration when using Run then Save.
  • A fix has been applied so that user defined sub-action names are now properly displayed on Reports.
  • In some cases, the EventLog operations failed with an error code 6 (INVALID_SESSION_HANDLE) but processing continued. Now the processing operation fails, which forces a re-connection.
  • A fix has been applied so that monitors for 'Linux Programs Executed', no longer display the error message "Body does not match".
  • The issue whereby the grant/revoke permission on *AUTL was categorized as grant/revoke permission on IBM i out-of-the-box template, has been resolved.
  • A bug in the Event Control Service code that caused event selection conditions to be abnormally evaluated has been fixed in this release.
  • The Summarized Controlled Events template now filters by Audited System.
  • When creating Windows Security monitors for the first time, a warning message could appear saying there were some xml files missing. This issue has been fixed.
  • A help label indicating that the filter values are case insensitive has been added to assist the product administrator during the configuration process.
  • A fix has been applied within the Forensic Analysis display so that when column values are refreshed, all possible values are now displayed.
  • An issue with the date format on out-of-the-box templates for SQL Server 2005 and 2008, when the database language is Spanish, has been resolved.
  • The security reports were taking the summarized events as a single event. This issue has been resolved so that the graphics of the report now show the correct number of events including those that are summarized.
  • An issue that caused the Publisher to consume unnecessary connection resources when either the SmartConsole or the Publisher were not responding has been fixed.
  • A fix has been applied so that selecting 'No Credential' on a monitor now allows the selection to be saved and displayed correctly.
  • A fix has been applied so that the Commander tool no longer fails if a monitor in the remote ThinkServer is in error status.
  • A fix has been applied to resolve an issue that caused calendar intervals to be calculated incorrectly if they were requested over an interval containing multiple days.

May 2018

New Feature
  • New actions have been added to the pre-supplied Oracle Database Management System security template to audit tables for Creation, (Update and Delete), System modifications, Role additions and User statements (Update, Insert, Delete).
  • A new interface to configure the user and object categorization rules used for event enrichment has been added.
  • It is now possible to specify application roles to different users.
  • Integration of monitoring metrics (CPU, Memory, Processes and Disks) collected through Dynatrace is included in this release.
  • The ability to monitor Visual Message Center Security Agent events is included in this release of Powertech Event Manager.
  • Powertech Authority Broker events can be monitored in this release of Powertech Event Manager.
  • The ability to restrict the visualization permissions to several assets per user has been added.
  • QAUDJRN events Integration with PowerTech Interact requires configuration on the IBM i on which Interact is installed. Syslog must be configured to send events to Powertech Event Manager ThinkServer Module using TCP. QAUDJRN should be configured with DLTRCV(*NO). Users should also manage scheduled backup/deletion of old receivers to avoid excessive disk usage. Run command: PTINTERACT/PLICHGAPP APPENDER(*CRLF) and restart the interact monitors.
  • Security events collection problems from the web interface can now be diagnosed, as full visibility of any issues is now provided.
  • A new licensing model has been added and a new screen is available where the user can check the current license status and request new keys.
  • 'Out-of-the-box' Security controls have been added to help companies with specific regulations compliance.
  • The option to export all the chart data as a csv file has been added to the zoom functionality.
  • The ability to monitor Cisco PIX/ASA events is included in this release of Powertech Event Manager.
  • Bulk security event management (such as comment, close, etc.) is available in this release.
  • Powertech Network Security events can be monitored in this release of Powertech Event Manager.
  • Product navigation has been improved to provide a friendlier user experience and better screen space usage.
  • A fix has been applied so that ThinkServer no longer has memory issues on starting when a lot of monitors exist.
  • It is now possible to view the process, channel, stage and task description from the Business Processes visualization page.
  • A new landing page has been created for Vityl IT and Business Monitoring configuration.
  • The No Activity Rule in Online Business Services has been changed to maintain the coherence with the configuration and the event messages.
  • Installation process improvements have been made that reduce the number of manual steps during the application setup. It includes automatic creation and configuration of the databases and DSN.
  • The SSL library used by the WebAgent has been updated to support the newest SSL protocols and ciphers.
  • The copy and pasting of different business processes elements (process, channel, stage, task and datasource) is now available.
  • Support for SQL Server 2000 is included in the new security collection agents.
  • The time required to update a credential has been reduced.
  • Asset types can now be modified from the user interface.
  • Support has been added for TLSv1.2 in the WAS Operations template and Java updated to version 8.0.
  • A fix has been applied so that stopping a monitor in Alignia no longer causes a 'Datasource could not be loaded' message to be displayed on the ThinkServer Configurator. The monitor is stopped as expected.
  • When exporting Hosts/Applications/Processes/OBS to XML, any calendars used by those entities and their dependencies are also exported to the XML, and are later imported together with the other entities.
  • Assets are now imported with the correct name, even if they have a UUID conflict with another asset in a different Tenant.
  • The synchronization of assets no longer blocks importing processes.
  • OBS Availability report performance has been improved.
  • A fix has been applied so that having a badly configured cluster element as a dependency no longer causes a synchronization failure.
  • The issue that would sometimes cause import processes to fail when importing the same asset into several tenants has been resolved.
  • A fix has been applied to the EventLog L2Launcher so that it no longer crashes if invalid event data is recovered.
  • A fix has been applied to allow the insertion of events with a Complete Message longer than 100.000 characters.
  • Following an upgrade, monitoring of both Vityl IT and Business Monitoring and PowerTech Events Manager assets now works as expected.
  • A fix has been applied so that when an Online Business Service has a High Activity Calendar defined, without a normal calendar existing, the High Activity settings are no longer ignored.
  • A fix has been applied so that when the Raw event information is written to the Historical database, and then to the Archive database, the Controlled event information is also written to both databases.
  • A fix has been implemented so that L2Launchers are no longer duplicated in scenarios caused by high CPU usage.
  • A fix has been applied so that using the "Zoom" option in an Online Business Services chart with thresholds displayed and an interval with "Activity Calendar" selected, no longer causes Orchestrator to crash.
  • Taxonomic fields have been added into the Custom Event List - Summarized template so that the user may select or filter by them.
  • Reports inside macros are now rendered correctly.
  • A new option "Delete all elements of these type" has been made available to allow the deletion of all Database, WebModules or DataSources, except those ones being used as dependencies.
  • The method by which the repeated name validation of the security controls is undertaken has been modified in order to improve performance when saving the control.
  • A fix has been applied so that prefixes and postfixes now work in the filters of Advance Database Reader monitors.
  • The issue that caused "Log Reader - Error Pattern" monitors not to recover from monitoring errors caused by an unsuccessful recollection, has been fixed.
  • The custom subactions are shown correctly in the reports.
  • The number of retries for Folder Availability Check has been changed to 3. This change has been made to avoid false positives due to micro network outages.
  • Upgrading from Alignia version 3.x to this release of Powertech Event Manager is permitted. 
  • The actions related with table management in SQL Server now propagate the variable "Object Name" with the correct information.
  • The Category and Subcategory columns in both Forensic Analysis and Events Manager are now correctly filtered.
  • An error when pressing "Run..." in a report based on the Custom Event List (Wide Layout) template has been resolved.
  • A new flag has been included in the DSBA configuration so that the user can now edit retention policies directly within SharedObjects instead of the DBSA panel.
  • Website availability monitors are now allowed to resolve the current machine name towards the localhost IP.
  • The character (’) is not allowed in the subaction regular expression filter from within the custom datasources.
  • A fix has been applied to resolve the HelpSystems PMDB windows service memory leak that occurred when requesting metrics charts information to be displayed.
  • A fix has been implemented to prevent errors in IBMi Job monitors being repeated on each execution of the monitor.
  • Several fixes have been applied to the process of importing an existing device into another Tenant.
  • Monitors that are stopped or which have had their configuration updated, now correctly notify the SmartConsole and ThinkServer Configurator.
  • All the devices and assets of a tenant are now deleted when the delete option is taken.
  • ThinkServer: Linux and Solaris Security Monitors now work with PKI credentials.
  • The ThinkServer memory leak that occurred when writing data to the PMDB Service has been fixed.