Contact Information
Go to the RSA corporate web site for regional Customer Support telephone and fax numbers:
www.rsa.com
Trademarks
RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation
in the United States and/or other countries. All other trademarks used herein are the property of their
respective owners. For a list of EMC trademarks, go to www.rsa.com/legal/trademarks_list.pdf.
License agreement
This software and the associated documentation are proprietary and confidential to EMC, are
furnished under license, and may be used and copied only in accordance with the terms of such
license and with the inclusion of the copyright notice below. This software and the documentation,
and any copies thereof, may not be provided or otherwise made available to any other person.
No title to or ownership of the software or documentation or any intellectual property rights thereto
is hereby transferred. Any unauthorized use or reproduction of this software and the documentation
may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment by
EMC.
Third-party licenses
This product may include software developed by parties other than RSA. The text of the license
agreements applicable to third-party software in this product may be viewed in the
thirdpartylicenses.pdf file.
Note on encryption technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import,
or export of encryption technologies, and current use, import, and export regulations should be
followed when using, importing or exporting this product.
Distribution
Use, copying, and distribution of any EMC software described in this publication requires an
applicable software license.
EMC believes the information in this publication is accurate as of its publication date. The
information is subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION
MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO
THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright 2012 EMC Corporation. All Rights Reserved. Published in the USA. Friday, October 31, 2014
RSA enVision Reports
Contents
About Reports
Class Reports
Compliance Reports
About Reports
The enVision Reports module has standard network security and traffic analysis reports
and graphs. You can copy and modify these reports, or create your own custom reports to
meet your specific reporting needs. For details, see the enVision Help.
Reports are organized by device class. Reports are available for:
- Archer
- Compliance
- Correlated alerts
- Windows Reports
If you have a multiple appliance site or a multiple site deployment, any customized
Task Triage reports (created from the Task Triage table) are only installed on the
primary A-SRV. You must run them from this A-SRV.
When you select a report, enVision displays the Run/Copy/Modify/Delete Report screen
from which you run the report and specify runtime parameters (if any).
Correlated Reports
RSA enVision has standard correlated reports.
- Correlated Alerts Details: lists all the alerts that caused a correlated alert.
- Correlated Alerts List: lists all correlated alerts in a given time period.
- Correlated Alerts Summary: graphs the top 20 correlated alerts in descending order.
- Top 10 Source Addresses of Alarms
- Top 10 Alarms
- Top 10 Destinations of Alarms
- Top 10 Requested URL/FTP Destinations
- Top 20 Bandwidth Ports
Host Reports
RSA enVision has standard reports for Host event sources (devices).
- Host.Application Servers reports
- Host.Mainframes reports
- Host.Midrange reports
- Host.Virtualization reports
- Host.Windows reports
Device class: event sources (report sets)
Application Servers: General (System Configuration Changes/Configuration Changes: This report lists all the system configuration changes made.)
Mail Servers: Microsoft Exchange (General)
Mainframes: CA ACF2 (CA ACF2 Reports); IBM Mainframe Integrated Cryptographic Service Facility (Overview of Events: Details events from IBM Mainframe Integrated Cryptographic Service Facility.)
Midrange: IBM iSeries (iSeries Reports)
Virtualization: VMware View (General)
Unix Hosts: AIX (AIX Reports); Apple Mac OS X (Mac OS X Reports); HP-UX / FreeBSD; Linux (Linux Reports); Solaris (Solaris Reports)
Web Logs (General): Apache; Blue Coat; Juniper DX; Microsoft IIS; NetCache; Nortel WebOS
Windows: Account Management; Application Errors; Logon / Logoff; Restarts / Shutdowns; Summary Reports; Trend Reports; User Activity
Network Reports
RSA enVision has standard reports for Network event sources (devices).
- Network.Application Delivery reports
- Network.Configuration Management reports
- Network.Configuration and Policy Management reports
- Network.Messaging reports
- Network.Routers reports
- Network.Switches reports
- Network.System reports:
  - Alerts
  - Audit
  - Automatic Update
  - DHCP
  - Infoblox NIOS
  - Statistics
- Network.Wireless Devices reports
Device class: event sources (report sets)
Application Delivery: General
Configuration Management; Configuration and Policy Management (event sources as listed): EMC Ionix; LANDesk Management Suite (List of Applications Installed on Devices: Displays a list of the LANDesk Management Suite devices and the applications installed on them.); Lumension Endpoint Management and Security Suite (Lumension EMSS Reports); Safend Protector; CiscoWorks Network Compliance Manager; Netscreen-Security Management; Solsoft NP (Solsoft NP Reports); Tripwire Enterprise. Report: Audit Rule Results: Displays audit rule results from Policy Auditor.
Messaging: General
Routers: Cisco Router (General)
Switches: Alcatel-Lucent OmniSwitch; Cisco Switch; Extreme Networks ExtremeWare; Extreme Networks ExtremeXOS; Foundry Switches (Switches Reports)
System: Alerts (N/A); DHCP (Microsoft DHCP); IBM WebSphere DataPower; Infoblox NIOS; Statistics (N/A, General Reports)
Wireless Devices
Security Reports
RSA enVision has standard reports for Security event sources (devices).
- Security.Access Control reports
- Security.Analysis reports
- Security.Antivirus reports
- Security.Application Firewall reports
- Security.Firewalls reports
- Security.VPN reports
- Security.DLP reports
- Security.Intrusion reports
- Security.Intrusion Detection Systems reports
- Security.Intrusion Prevention Systems reports
- Security.Vulnerability reports
Device class: event sources (report sets)
Access Control: General (General Access Control Reports); ActivIdentity AAA Server; Cisco NAC; Cyber-Ark Enterprise Password Vault, InterBusiness Vault, and Sensitive Document Vault; F5 Big-IP APM; RSA ACE Server; (Hosted) Reports
Analysis: General; Cisco MARS; NetWitness NextGen; SafeStone DetectIT (SafeStone DetectIT Reports); SECUDE Security Intelligence (SECUDE Security Intelligence Reports)
Antivirus: General; Symantec AntiVirus; Trend Micro
Application Firewall: General
Firewalls: General; Cisco ASA; Cisco IOS; Cisco PIX; Cyberguard Classic; Cyberguard Firewall; Fortinet FortiGate; Microsoft ISA Server; Netscreen Firewall
VPN: General; Checkpoint VPN; Cisco ASA VPN; Cisco PIX VPN; Intel VPN; Juniper SSL VPN
DLP: General
Intrusion: General
Intrusion Detection Systems; Intrusion Prevention Systems; Vulnerability (event sources as listed): General; Checkpoint SmartDefense; Cisco ASA; Cisco IOS; Cisco PIX; Dragon IDS; Entercept (Entercept Reports); ISS RealSecure; IntruShield (IntruShield Reports); Lancope StealthWatch; NFR Security NIDS; Netscreen; Snort (SNORT Reports); Tipping Point; Arbor Peakflow X; Mazu Profiler; Netscreen IDP (Netscreen IDP Reports)
Storage Reports
RSA enVision has standard reports for Storage event sources (devices).
- Storage.Content Management System reports
- Storage.Database reports
- Storage.Document reports
- Storage.Storage reports
Device class: event sources (report sets)
Content Management System; Database; Document (event sources as listed): Perforce (Overview of Actions: Details the actions logged to the audit log file on Perforce. The actions captured here are SYNC, DIFF, REVERT, ANNOTATE, INTEGRATE, RESOLVE, and PRINT.); Application Security DbProtect; Documentum; GIT; Microsoft SQL Server; MySQL Enterprise (MySQL Reports); Oracle Database; PostgreSQL; Sybase ASE (Sybase ASE Reports)
Storage: General; EMC VPLEX (Detailed Event Report: This report details all the commands that are run across the VPLEX data store, which are collected from session logs.); GE Centricity Enterprise Archive; Network Appliance Data ONTAP (Network Appliance Data ONTAP Reports)
Average Time to Close: depicts the average time to close a task in one hour intervals
over the previous 24 hour reporting period.
Closure Rate: depicts the task closure rate in one hour intervals over the previous 24
hour period.
Incident Rate: depicts the incident rate in one hour intervals over the previous 24 hour
reporting period.
Last Modified Tasks: depicts the most recently modified task entries.
Longest Open Tasks: depicts the tasks that have been open for the longest amount of
time.
Longest Unacknowledged Tasks: depicts the tasks that have been unacknowledged
for the longest amount of time.
Open Tasks by Owner: depicts the number of open tasks for each unique owner
contained in the Task Triage database.
Open Tasks by Priority: depicts the percentage of open tasks by priority level.
Tasks by Priority and Owner: depicts the number of open items by priority for a
specified user.
Most Vulnerable Assets By Business Rating: lists the assets in order of business rating
and the aggregate vulnerability severity score.
Most Vulnerable Assets By Count: lists the assets in order of the number of
vulnerabilities associated with an asset.
Most Vulnerable Assets By Severity: lists the assets in order of the aggregate
vulnerability severity score.
Vulnerability by Severities: depicts the detected vulnerabilities as a percentage of the
total organized by severity value.
Oracle WebLogic
VMware
Class Reports
RSA enVision includes reports that focus on specific event source classes, for example
Firewall reports.
You must modify this report before running it. On the Create/Modify Report - Specify
Report Selection Criteria window, replace the text "type viewname here" with the name
of the view that you want to see displayed.
Top 20 Devices
Displays the top 20 event sources generating events during the selected time period.
33
Class Reports
Top 20 Events
Displays the top 20 event IDs collected during the selected time period.
Authentication Failures
Lists the user names with authentication failures and the corresponding reason.
Authentication Success
Lists successful authentications over a specific time period.
Key Generations
Lists events related to security or crypto key generations.
Top 20 Viruses
A summary report of the top 20 viruses affecting the systems.
Blocked E-mails
Lists e-mails that are blocked due to the threat of a virus, trojan, or worm, and by the
settings of the content filter. Also lists e-mails that are blocked because the sender is
unknown.
Clean E-mails
Lists e-mails that were successfully delivered.
Failed Logins
Displays the historical view of failed logons.
Login/Logout
Displays the historical overview of successful logons and logoffs.
Policy/Rule Changes
Displays the historical overview of policy or rule changes.
Overview of Actions
Details all audit actions over a specified period of time.
Alarm Levels
This graph displays the number of alarms for each alarm level.
Alarm Report
This report displays alarms based on signature names, sorted by alarms and signature
names.
Alarms by Hour
This graph displays the number of alarms by hour for a given time period.
Alarms by Sensor
This graph displays the alarm count for each sensor.
Top 20 Alarms
This report displays the top 20 alarms by signature ID.
Top 10 Attacks
This report provides a graph of the 10 most common attacks.
SMS Summary
This report summarizes all SMS messages handled by the messaging server.
Configuration Changes
Displays all configuration changes on the Switches event sources.
Failed Logins
Displays all unsuccessful attempts to log on to the Switches event sources.
Successful Logins
Displays all successful logons to the Switches event sources.
System Error
Displays all system errors.
System Errors
Displays system errors.
Successful Login
Displays all successful logons to the Switches event sources.
Failed Login
Displays all unsuccessful attempts to log on to the Switches event sources.
Configuration Change
Displays all configuration changes on the Switches event sources.
Network Infrastructure
Displays network host system and service events.
Storage
Displays database events: create, extend, remove, and configure.
Activity by Users
Displays configuration changes, policies, and rules made, and tracks web browsing
activity by the user accounts.
Virus Statistics
Details virus IDs and the corresponding sources of the viruses.
Admin Operations
This report enumerates all of the administrative events.
Authentication Succeeded/Failure
This report enumerates all of the Authentication events.
Rogue AP Detection
This report enumerates all of the Rogue Access Point detections.
Files Deleted
This report lists all the files deleted and the users who initiated the deletes.
Compliance Reports
RSA enVision has standard compliance reports for various compliance issues.
International Reports:
- Basel II
- Basel II (Refreshed)
- Bill 198
- ISO 27002
- Memo 22 Reports
US Reports:
and object level auditing be enabled on the directories containing the Human Relations
data. This report is specific to monitored Windows systems, but provides a greater level
of detail than the standard Control of Human Resources Data report.
customization be contained within a device group, and object level auditing be enabled on
the directories containing the source code.
Accounts Created
Basel II; ISO 27002 - 11.1.1, 11.2.2, 11.4.6, 11.6.1: This report displays user accounts
that have been created.
Accounts Deleted
Basel II; ISO 27002 - 11.1.1, 11.2.2, 11.4.6, 11.6.1: This report displays user accounts
that have been deleted.
Accounts Modified
Basel II; ISO 27002 - 11.1.1, 11.2.2, 11.4.6, 11.6.1: This report displays user accounts
that have been modified.
Group Management
Basel II; ISO 27002 - 11.1.1, 11.2.2, 11.4.6, 11.6.1: This report displays a log of events
containing information on changes to user groups.
Password Changes
Basel II: This report contains logs of the accounts with password changes.
contained within a device group, and object level auditing be enabled on the directories
containing the system test software, source data, and test results.
Accounts Created
Bill 198; ISO 27002 - 11.1.1, 11.2.2, 11.4.6, 11.6.1: An access control policy should be
developed and should state the access control rules and rights for all users and groups.
Both logical and physical access controls should be used. This report displays user
accounts that have been created.
Accounts Deleted
Bill 198; ISO 27002 - 11.1.1, 11.2.2, 11.4.6, 11.6.1: An access control policy should be
developed and should state the access control rules and rights for all users and groups.
Both logical and physical access controls should be used. This report displays user
accounts that have been deleted.
Accounts Modified
Bill 198; ISO 27002 - 11.1.1, 11.2.2, 11.4.6, 11.6.1: An access control policy should be
developed and should state the access control rules and rights for all users and groups.
Both logical and physical access controls should be used. This report displays user
accounts that have been modified.
Group Management
Bill 198; ISO 27002 - 11.1.1, 11.2.2, 11.4.6, 11.6.1: An access control policy should be
developed and should state the access control rules and rights for all users and groups.
Both logical and physical access controls should be used. This report displays a log of
events containing information on changes to user groups.
Password Changes
Bill 198: This report contains logs of the accounts with password changes.
Access Enforcement
Details all changes made to access control policies, for example, identity-based policies,
role-based policies, and rule-based policies, and associated access enforcement
mechanisms, for example, the access control list.
Account Management
Details all changes made to information system accounts, including establishing,
activating, modifying, reviewing, disabling, and removing accounts.
Accounts Created
NIST 800-53 AC-2: Ensure proper user identification and authentication management for
non-consumer users and administrators on all system components. This report contains
logs of the accounts that were created.
Accounts Deleted
NIST 800-53 AC-2: Ensure proper user identification and authentication management for
non-consumer users and administrators on all system components. This report contains
logs of the accounts that were deleted.
Accounts Modified
NIST 800-53 AC-2: Ensure proper user identification and authentication management for
non-consumer users and administrators on all system components. This report contains
logs of the accounts that were modified.
Collaborative Computing
For Windows Server 2008, Primary fields identify the account that requested the logon,
Client fields represent the user who logged on. For Windows Server 2003 events, the user
who logged on is identified by primary fields.
Mobile Code
Details all uses of mobile code within the information system. This includes Java,
JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and
VBScript.
Network Disconnects
Password Changes
NIST 800-53 IA-5: Ensure proper user identification and authentication management for
non-consumer users and administrators on all system components. This report contains
logs of the accounts with password changes.
Session Termination
Details all session terminations due to periods of inactivity.
Transmission Confidentiality
Details all encryption failures in transmission media configured to be encrypted.
Transmission Integrity
Details all successful encrypted transmissions.
Trusted Path
Restarts/Shutdown - Unix
Details all configuration changes made to monitored systems.
Restarts/Shutdown - Windows
Details all configuration changes made to monitored systems.
Logon/Logoff - Unix
Details all user accounts that have been manually terminated or disabled.
Logon/Logoff - Windows
Details all user accounts that have been manually terminated or disabled.
Configuration Changes
Lists all configuration and policy changes for devices in the "GLBA" device group.
Encryption Failures
Lists all cryptographic operations where use of the cryptography failed or was disabled
by the user.
Accounts Created
Note: This report supports the Microsoft Windows event source.
GLBA 15 USC, Subchapter I, 6801 (b) (2): Financial institutions safeguards. This report
contains logs of the accounts that were created.
Accounts Deleted
Note: This report supports the Microsoft Windows event source.
GLBA 15 USC, Subchapter I, 6801 (b) (2): Financial institutions safeguards. This report
contains logs of the accounts that were deleted.
Accounts Modified
Note: This report supports the Microsoft Windows event source.
GLBA 15 USC, Subchapter I, 6801 (b) (2): Financial institutions safeguards. This report
contains logs of the accounts that were modified.
Encryption Failures
Note: This report supports the following event sources: Cisco PIX, Cisco ASA, Cisco
Router, and Juniper Networks NetScreen Firewall.
GLBA 15 USC, Subchapter I, 6801 (b) (2): Financial institutions safeguards. This report
displays the logs of encryption failures that have occurred.
Group Management
GLBA 15 USC, Subchapter I, 6801 (b) (2): Financial institutions safeguards. This report
displays the log of events containing information on changes to user groups.
Note: This report supports the Microsoft Windows event source.
Password Changes
Note: This report supports the following event sources: Microsoft Windows, IBM AIX,
Hewlett-Packard UNIX, Linux, and Sun Solaris.
GLBA 15 USC, Subchapter I, 6801 (b) (2): Financial institutions safeguards. This report
contains logs of the accounts with password changes.
GLBA 15 USC, Subchapter I, 6801 (b) (2): Financial institutions safeguards. This report
displays logs that indicate successful use of encryption.
Access Authorization
This report lists all login Events for monitored Windows, Unix, Linux and AIX
computers. The HIPAA device group should be selected when running this report. Only
For event ID 4624 in Microsoft Windows Server 2008, the column Primary Username
identifies the user that requested the logon while the column Logon Account Name
represents the user who logged on.
policy.
Accounts Created
This report shows detailed information about all HIPAA-related accounts that were
created.
Accounts Deleted
This report shows detailed information about all HIPAA-related accounts that have been
deleted.
Accounts Modified
This report shows detailed information about all HIPAA-related accounts that have been
changed.
Escalation of Privileges
This report displays a log of events containing information on the escalation of
privileges of accounts to perform administrative tasks.
Group Management
This report displays a log of events containing information on changes to user groups.
Password Changes
This report contains logs of the accounts that have password changes.
device group, and object level auditing be enabled on the directories containing the
Human Relations data. This report is specific to monitored Windows systems, but
provides a greater level of detail than the standard Control of Human Resources Data
report.
Accounts Created
ISO 27002:2005 11.2.1: A formal process should be in place for the granting and revoking
of access to information systems. This report contains logs of the accounts that were
created.
Accounts Deleted
ISO 27002:2005 11.2.1: A formal process should be in place for the granting and revoking
of access to information systems. This report contains logs of the accounts that were
deleted.
Accounts Modified
ISO 27002:2005 11.2.1: A formal process should be in place for the granting and revoking
of access to information systems. This report contains logs of the accounts that were
modified.
Encryption Failures
ISO 27002:2005 15.1.6: Cryptographic controls should be in compliance with all laws and
regulations. This report displays a log of the encryption failures that occurred.
Escalation of Privileges
ISO 27002:2005 10.10.4: All activities by System Administrators and System Operators
should be logged. This report displays a log of events containing information on the
escalation of privileges of accounts to perform administrative tasks.
Password Changes
ISO 27002:2005 11.3.1: Passwords should be changed on a regular basis and when there
is an indication of compromise. This report contains logs of the accounts with password
changes.
Memo 22 Reports
Memo 22 is a risk management and accreditation of information system standard that
applies to all UK National Infrastructure Security systems. This standard defines major
security threats and the associated security requirements.
Logon/Logoff - Unix
Details all changes made to information system accounts, including establishing,
activating, modifying, reviewing, disabling, and removing accounts.
Logon/Logoff - Windows
For Windows Server 2008, Primary fields identify the account that requested the logon,
Client fields represent the user who logged on. For Windows Server 2003 events, the user
who logged on is identified by primary fields.
Restarts/Shutdown - Unix
Details all changes made to information system accounts, including establishing,
activating, modifying, reviewing, disabling, and removing accounts.
Restarts/Shutdown - Windows
For Windows Server 2008, Primary fields identify the account that requested the logon,
Client fields represent the user who logged on. For Windows Server 2003 events, the user
who logged on is identified by primary fields.
NERC CIP Reports
The Reports module includes the following North American Electric Reliability
Corporation Compliance reports.
Description: This report displays a list of all configuration changes to Critical Cyber Assets
(CCA).
Output Inference:
- EventTime: Date or time of the occurrence of the event as recorded by the system that generated it
- ObjectAttribute
Description: This report displays all types of network and physical port configuration
changes in order to create a list for the same using data from the Cisco LAN
Management Solution (LMS) device.
Output Inference:
- EventTime: Date or time of the occurrence of the event as recorded by the system that generated it
- MessageID
- Fail Reason
NERC CIP 005 R3.2 Account Access Monitoring for the Electronic Security Perimeter
Description: This report identifies both successful and failed login attempts to the
Electronic Security Perimeter (ESP).
Output Inference:
- EventTime: Date or time of the occurrence of the event as recorded by the system that generated it
- DeviceID
- SessionID
- Fail Reason
- EventCategoryName
individual user account access activity. This report displays count of successful logons.
This report is only compatible with Microsoft Windows, IBM AIX, Hewlett-Packard
UNIX, Hewlett-Packard OpenVMS, Linux, and Sun Solaris.
Configuration Management
This report details all configuration changes made to monitored systems.
User ID Removal
This report details all user ID removal events.
PCI - All Actions by Individuals with Root or Administrative Privileges - Unix & Linux
This report displays all actions taken by users logged in as 'root'. This report should be
modified to include any additional usernames that have been granted full administrative
privileges in your environment.
Note: This report can only be used with the following event sources: Microsoft
Windows, IBM AIX, Hewlett-Packard UNIX, Hewlett-Packard OpenVMS, Linux, and
Sun Solaris.
Note: This report can only be used with the following event sources: Microsoft
Windows, IBM AIX, Hewlett-Packard UNIX, and Sun Solaris.
- Database access
- Data transmissions
- Application security
- Product development
In addition, data center staff cannot access servers or data without a specific procedure.
All access and activity is logged and all physical access is highly controlled.
Lists all changes and object level access events to all collected evidence. This report
requires that all evidence be contained within directories included in a device group
called "Rules for Evidence", and that object level auditing be enabled on these
directories. This report is specific to monitored Windows systems, but provides a greater
level of detail than the standard Control of Collected Evidence report.
This report is specific to Windows devices but provides more detail than the standard
Control of System Audit Data report.
This report displays all successful logons, and ensures that administrators are in the
administrative accounts watchlist.
Accepted Authentications
Lists all accepted user authentications.
Accounting Attributes
Lists the attribute set from the user account profile.
Privileged Operations
Lists the operational changes in the administrative audit log.
Rejected Authentications
Lists all rejected user authentications.
DoS Attacks
Gives a report of DoS attacks on the system with source IP information.
Failed Authentications
Gives a report of failed authentications.
Successful Authentications
Gives a report of all successful authentications for various remote connections like SSH,
TELNET, FTP, etc.
Successful Connections
Displays the successful connection information.
Detailed Alert
Lists detailed information for the last 100 alerts generated.
Events by Hour
Displays the number of events by hour for a given time period.
Top 10 Destinations
Displays the top 10 destinations of events detected.
Top 10 Sources
Displays the top 10 sources of events detected.
Top 10 Events
Displays the top 10 events detected.
Top 20 Categories
Displays the top 20 categories.
Bandwidth by Department
Displays bandwidth usage by department through FireWall-1 firewalls. Use this report to
quickly determine which departments are using large amounts of bandwidth.
Configuration Changes
Lists configuration change messages from FireWall-1 firewalls. Sorted by date and time
sequence.
E-mail Security
Lists e-mail security messages received from FireWall-1 firewalls. Sorted in date and
time sequence.
SiteTrack Detection
Lists network traffic through FireWall-1 firewalls that contained SiteTrack keywords.
Sorted by date and time. The keyword is enclosed in quotation marks.
Administration Audit
Displays an administrative report of all activity performed using the Cisco Secure ACS
HTML Management interface. Sorted by descending time.
Cisco ACS Passed Authentications
Lists all of the Passed Authentications for Cisco Secure ACS Version 5.1 and above.
Cisco ACS RADIUS Diagnostics
Gives diagnostic details on the RADIUS protocol for Cisco Secure ACS Version 5.1 and
above.
Database Replication
Tracks ACS database replication activity. Sorted by descending time.
Failed Authentications
Displays a list of all failed logon attempts. Sorted by descending time.
Passed Authentications
Displays a list of all users that have successfully logged on. Sorted by descending time.
TACACS+ Accounting
Tracks all logon and logoff traffic.
Top 10 Users
Counts the number of successful logons (successful authentications) and sorts the top 10
users by user name.
No SSIDs Configured
Displays all wireless event sources that do not have an SSID configured. At least one
SSID needs to be configured for the radio to run.
Bandwidth Utilization
Displays the bandwidth utilization on the network in a combination of a graph and a
report.
Configuration Changes
Lists configuration change messages from Cisco ASA firewalls, sorted by date and time.
Monitors when configuration changes were made to Cisco ASA firewalls. Only ASA
firewalls with logging enabled are reported.
E-mail Security
Lists ASA MailGuard messages received from Cisco ASA firewalls. Sorted by date and
time. Use this report to quickly view possible e-mail security breach attempts that were
prevented by ASA firewalls. Only ASA firewalls with logging enabled are reported.
Failover Messages
Lists failover messages from Cisco ASA firewalls by date and time.
Displays FTP requests by each local address through Cisco ASA firewalls by local
address and number of requests.
users. Only ASA firewalls with logging enabled are reported. The system calculates
outbound Telnet traffic by summarizing all the 302002 traffic logged on foreign port 23.
SiteTrack Detection
Note: This report is not compatible with the Content 2.0 schema.
Lists network traffic through Cisco ASA firewalls that contained SiteTrack keywords.
Sorted by date and time. Keyword match is identified with parentheses ( ) preceding the
message in the Message column. The SiteTrack feature performs a text string comparison
of the DNS host name lookup of source and destination IP addresses, as well as accessed
URL pages and FTP filenames. The DNS Resolver service must be enabled, and ASA
firewall logging must be enabled. For information about SiteTrack, see the enVision
Online Help.
Down Links
Displays all messages associated with a down link in a given time period.
Reboots
Displays all messages associated with event source reboots in a given time period.
Cisco IOS
The Reports module includes the following standard reports for the Cisco IOS event
source.
Security Threats
Lists the security threat messages from Cisco IOS firewalls. Sorted by date and time.
Top Destinations
Summarizes the top destinations by users through Cisco IOS firewalls. Sorted by session
count.
Blocked URLs
Lists the blocked URLs along with the IP address that requested them and the reason why
they were blocked (the reason is given as the URL category).
Endpoint Detail
Lists the recent network admission of each endpoint and provides details about each
event.
User Detail
Lists recent network admissions for each user and provides details about each event.
Bandwidth Utilization
Displays the bandwidth utilization on the network in a combination of a graph and a
report.
Configuration Changes
Lists configuration change messages from Cisco PIX firewalls, sorted by date and time.
Monitors when configuration changes were made to Cisco PIX Firewalls. Only PIX
firewalls with logging enabled are reported.
E-mail Security
Lists PIX MailGuard messages received from Cisco PIX firewalls. Sorted by date and
time. Use this report to quickly view possible e-mail security breach attempts that were
prevented by PIX firewalls. Only PIX firewalls with logging enabled are reported.
Failover Messages
Lists failover messages from Cisco PIX firewalls by date and time.
SiteTrack Detection
Note: This report is not compatible with the Content 2.0 schema.
Lists network traffic through Cisco PIX firewalls that contained SiteTrack keywords.
Sorted by date and time. Keyword match is identified with parentheses ( ) preceding the
message in the Message column. The SiteTrack feature performs a text string comparison
of the DNS host name lookup of source and destination IP addresses, as well as accessed
URL pages and FTP filenames. The DNS Resolver service must be enabled, and PIX
firewall logging must be enabled.
SiteTrack Detection
Lists packets that have been permitted or denied through Cisco routers with hostname
lookups that match any of the keywords entered in the SiteTrack keyword list. Sorted by
date and time. Keyword match is listed in the report with parentheses ( ) preceding the
message in the Message field. Keywords need to be entered in the SiteTrack, and its
DNS Resolver service must be enabled for this feature to function. The DNS Resolver
service performs a hostname lookup of both source and destination IP addresses in every
packet that it receives from Cisco routers.
Top 20 Alarms
Displays the top 20 alarms by signature ID that have been generated.
Alarm Report
Displays alarms based on signature names. Sorted by alarms and signature names.
Alarm Levels
Displays the number of alarms for each alarm level.
Alarms by Hour
Displays the number of alarms by hour for a given time period.
Alarms by Sensor
Displays the alarm count for each sensor.
Failed Authentications
Displays the total number of failed authentications during the specified time period.
Successful Authentications
Displays the total number of successful authentications during the specified time period.
Denied Connections
Displays the number of denied connections by VPN gateway.
Configuration Changes
Details all configuration changes to the Citrix Access Gateway event source.
Authentication Failures
Lists the users that failed to authenticate to the sensor.
Login Events
Lists the logon events.
All Vulnerabilities
Lists all vulnerabilities reported by eEye Retina Scanner.
Failed logins
Displays all failed logon attempts.
Successful logins
Displays all successful logon attempts.
Failed logins
Lists all failed logon attempts.
Successful logins
Lists all successful logon attempts.
Location for standard content: Reports > Ad Hoc Reports > Security > Firewalls >
Fortinet Antivirus Firewall > URL Blocks
Location for Content 2.0: Reports > Ad Hoc Reports > Host > Web Logs > Fortinet
> URL Blocks
If you update the event source to Content 2.0, you must run the report from this new
location.
Note: For backwards compatibility, the report continues to exist in its previous location.
However, once you update an event source to Content 2.0, the old report will not return
any data.
Categories listed for these reports: Security.Firewall, Host.Web Logs, Security.DLP,
Security.Intrusion, Network.Messaging, Security.Antivirus.
Hardware Failures
Displays the details of critical system hardware failures.
Privileged Logins
Lists all users that have exercised privileged logon rights.
Jobs by Systems
Displays the counts of jobs by systems.
Jobs by Users
Displays the counts of jobs by user names.
Programs by Systems
Displays the counts of programs by system.
Top 20 Jobs
Displays the 20 programs generating the highest number of events in the audit journal.
Top 20 Programs
Displays the 20 programs generating the highest number of events in the audit journal.
Top 20 Systems
Displays the 20 systems generating the highest number of events in the audit journal.
Top 20 Users
Displays the 20 users generating the highest number of events in the audit journal.
Authorization
Lists assignment or change of an authorization ID.
Bind Attempts
Lists the bind attempts for static and dynamic SQL statements of the types
INSERT, UPDATE, DELETE, CREATE VIEW, and LOCK TABLE.
Explicit GRANT
Lists the explicit GRANT statements and their results.
Read Accesses
Lists all read access to identified and audited tables.
Denied Connections
Displays the number of denied connections by VPN gateway.
Alarm Levels
Displays the number of alarms for each alarm level.
Alarm Report
Lists alarms based on signature names, sorted by alarms and signature names.
Alarms by Hour
Displays the number of alarms by hour for a given time period.
Alarms by Sensor
Lists the alarm count for each sensor.
Top 10 Alarms
Lists the top 10 alarms by signature name that have been generated.
Severe Attacks
Displays the severe attacks as recognized by the IDP event sources. A severe attack is
when the process field was set to DROP or CLOSE.
Top 25 Attacks
Displays the top 25 recognized attacks by number of occurrences.
Top 25 Policies
Displays the top 25 policies (policy names) by the number of attacks that they recognize.
Policy Events
Lists all events relating to any policy changes.
System Errors
Displays all error messages that occurred during the specified time frame.
Bandwidth by Department
Summarizes bandwidth usage by department for all traffic passing through NetScreen
firewalls. Sorted by total byte usage. Use this report to quickly assess which departments
are consuming the most bandwidth. Only NetScreen firewalls with debug level logging
enabled are reported.
Configuration Changes
Lists the configuration changes made to the NetScreen event source. Includes the date
and time of the change, the event source address, and the system message detailing the
change.
users use FTP most frequently in your company. Only NetScreen firewalls with logging
enabled are reported. The system calculates outbound FTP traffic by summarizing all the
302002 traffic logged on foreign ports 20 and 21.
SiteTrack Detection
Lists network traffic through NetScreen firewalls that contained SiteTrack keywords.
Sorted by date and time. Keyword match is identified by parentheses ( ) preceding the
message in the Message column. The SiteTrack feature performs a text string comparison
of the DNS hostname lookup of source and destination IP addresses, as well as accessed
URL pages and FTP filenames. The DNS Resolver service must be enabled, and
NetScreen firewall logging must be enabled. For information about SiteTrack, see the
enVision Help.
Zone Bindings
Queries the firewall security table and selects zone binding events. Displays the source
zone and the destination zone to which it is bound.
System Changes
Lists the system changes. Includes the message and VPN event source address.
267
Detailed Usage
Lists details of usage per user. Sorted by logon ID.
Failed Attempts
Lists failed attempts due to authorization failure, authentication failure, or bad requests
from the NAS.
Events by Hour
Displays the number of events by hour for a given time period.
Top 10 Destination
Displays the top 10 destinations of events detected.
Top 10 Events
Displays the top 10 events detected.
Top 10 Sources
Displays the top 10 sources of events detected.
EMSS Summary Report
A patch detail summary report ordered by end points.
Top 10 Destinations
Displays the top 10 destination IP addresses that have been targeted for attack. Due to
limitations in the data available from Mazu Profiler in host scan, port scan, and worm
events, these events do not contain addresses, ports, or services and therefore do not
contribute to this report.
Top 10 Events
Displays the number of events by hour for a given time period.
Top 10 Sources
Displays the top 10 source IP addresses that have generated the most events. Due to
limitations in the data available from Mazu Profiler in host scan, port scan, and worm
events, these events do not contain addresses, ports, or services and therefore do not
contribute to this report.
Alarm Levels
Displays the number of alarms for each alarm level.
Alarm Report
Lists alarms based on signature names. Sorted by alarms and signature names.
Alarms by Hour
Displays the number of alarms by hour for a given time period.
Alarms by Sensor
Lists the alarm count for each sensor.
Top 20 Alarms
Displays the top 20 alarms by signature ID that have been generated.
Alarm Levels
Displays the number of alarms for each alarm level.
Alarm Report
Lists alarms based on signature names, sorted by alarms and signature names.
Alarms by Hour
Displays the number of alarms by hour for a given time period.
Alarms by Sensor
Lists the alarm count for each sensor.
Alarms by Server
Displays the alarm count for each server.
Browser Versions
Displays the percentage of browser types to the sites selected.
If you update the event source to Content 2.0, you must run the report from its new
location.
Attacks
Note: For backwards compatibility, the report continues to exist in its previous location. However, once you update an event sou
Displays all of the attacks that were identified by the ISA Firewall Service.
Firewall Errors
Note: For backwards compatibility, the report continues to exist in its previous location. However, once you update an event sou
Displays the firewall error messages as recorded by the ISA Firewall Service.
Configuration changes
Displays configuration changes made to SQL Server systems.
Database backups
Displays backup events from SQL Server systems.
Failed Logons
Displays all failed logon events on SQL Server systems.
Fatal Errors
Displays fatal errors from SQL Server systems.
Insufficient resources
Displays insufficient resources events from SQL Server systems.
Logon/Logoff Events
Displays all logon and logoff events on SQL Server systems.
Object events
Displays object trace events from SQL Server systems.
Bad Blocks
Lists system events reporting bad blocks.
Access to Files
Lists all files accessed in folders monitored for access auditing.
Registry Access
Lists all accesses to registry files and keys.
Failed Logins
Lists all failed logon events including failure reason, user name, domain name, and
workstation.
Logins/Logouts by User
Lists all logon and logoff activities. Sorted by user name.
System Restarts/Shutdowns
Lists all system restarts and shutdowns.
Applications by Users
Lists applications running on computers over the network, sorted by user name.
System Errors
Lists system errors.
Overview of Performance
Displays events that concern the system performance of MySQL Server.
Schema Changes
Displays all the schema changes made across the MySQL Server.
Reboot Events
Displays all reboot events.
Top 10 Alerts
Displays the top 10 alerts.
Alarm Levels
Displays the number of alarms for each alarm level.
Alarm Report
Displays alarms based on signature names, sorted by alarms and signature names.
Alarms by Category
Displays the total events in the database grouped by signature category.
Alarms by Hour
Displays the number of alarms by hour for a given time period.
Top 20 Alarms
Displays the top 20 alarms by signature ID that have been generated.
Restart Events
Lists all system restart events.
Session Failures
Lists all source addresses with which the switch has experienced a session failure and
the reason for the failure.
Configuration Changes
Lists the configuration changes by event category.
Group Modifications
Displays any modifications to the existing groups in the database over a specified time
period.
User Modification
Displays any modifications to the existing users in the database over a specified time
period.
Cases Summary
This report summarizes the different types of cases, as reported by the RSA Adaptive
Auth (Hosted) event source.
Group Modifications
Displays any modifications to the existing groups in the database over a specified time
period.
User Modifications
Displays any modifications to the existing users in the database over a specified time
period.
Software Errors
Lists Software Errors logged by SECUDE SI.
System Alerts
Lists System Alerts that need to be investigated.
Configuration Changes
Lists configuration change messages. Sorted by date and time.
Failed Authentication
Lists failed authentication messages.
Hardware Failure
Lists hardware failure messages.
Software Failure
Lists software failure messages.
Successful Authentication
Lists successful authentication information.
Successful Connections
Lists successful connection information.
Alarm Levels
Displays the number of alarms for each alarm level.
Alarm Report
Lists alarms based on signature names. Sorted by alarms and signature names.
Alarms by Hour
Displays the number of alarms by hour for a given time period.
Alarms by Sensor
Lists the alarm count for each sensor.
Event Inventory
Lists all event types collected, sorted by count.
Kernel-Level Events
Lists all Kernel-Level events generated by system calls.
Note: This report is deprecated. Use the Kernel-Level Events by System report
instead.
Permission Changes
Lists all permission changes by a process or user.
Privileged Operations
Lists all privilege capabilities or role-based access control.
User-Level Events
Lists user-level events generated by application software.
Compliance Reports
The following compliance reports will yield different results if you apply the Content 2.0
update of the Sun Solaris event source:
FTP Destinations
Summarizes FTP activity to foreign addresses by the number of requests.
HTTP Destinations
Summarizes HTTP activity to foreign addresses by the number of requests.
Dropped Packets
Displays information about packets that were dropped by the gateway.
Summary Report
Lists all events by event time.
System Access
Lists user logons and logoffs.
Configuration Changes
Lists configuration change messages from VMware vShield.
Firewall Events
Lists the firewall events in VMware vShield.
Top 20 Categories
Displays the top 20 categories of web sites.
Database Reports
Unix Reports
These reports were collected for the following:
- Unix AIX
- Mac OS X
- HP-UX
Device Address: IP address of the event source that sent the event to enVision.
Result set fields listed for these reports:
Device Address: IP address of the event source that sent the event to enVision.
Message ID
Action Performed
Input Parameters
Information: Information about the object accessed by the user after the permission changes.
Database Reports
BIND Reports
These reports only work with Windows Server 2003 events collected by the following:
1. Oracle Database Audit Details Bind Report: This report binds the following Oracle reports:
The bind report should be scheduled based on your environment using the Scheduled Reports tab under Reports in the RSA enVision user interface.
2. Sybase ASE Database Audit Details Bind Report: This report binds the following Sybase ASE reports:
The bind report should be scheduled based on your environment using the Scheduled Reports tab under Reports in the RSA enVision user interface.
Input Parameters
Starting from hour: Displays all records starting from this hour of the day; possible values range from 0 to 23. The default value is 0.
Until hour: Displays all records until this hour of the day; possible values range from 0 to 23. The default value is 23.
Result Set
Oracle Version
Privilege
EventTime: Date or time of the occurrence of the event as recorded by the system that generated it.
LogonSid: Server logon ID of the user who performed the audited event.
Roles
Object Owner
Adiscon EventReporter
Refer to RSA SecurCare Online for the different versions of Windows currently supported by RSA enVision.
Every report has its own set of input parameters that can be used to show only records that meet certain criteria. The input parameters fall into three categories:
- Time fields: Each report has two fields, Starting from hour and Until hour, that help define a time range for the result set. Possible values for these fields range from 0 to 23. For example, to find all failed logon attempts between 4:00 PM and 10:00 PM, enter 16 in the Starting from hour field and 22 in the Until hour field.
- Text fields: For these fields, you can use wild cards to help you limit the result set to show only records of interest. For example, to find all file access attempts by the user Administrator, you can enter Admin% or simply enter Administrator.
Note: A value of % will return all file access attempts by all users.
- Drop-down lists: If you already have watch lists on your enVision server, they will be included in the drop-down lists. Otherwise, you need to create new ones based on the report itself. For example, you may need to create a watch list for administrative users with values such as Admin or Administrator. For more information on creating new watch lists or updating existing ones, refer to the enVision Help.
Note: All Windows reports are found in the report, Windows - Run All Bind Report.
Input Parameters
Starting from Hour: Show all records starting from this hour of the day
Until Hour: Show all records until this hour of the day
Result Set
Date/Time
Computer
Action
EventID
Event Type

Input Parameters
Until Hour: Show all records until this hour of the day
Result Set
Date/Time
Primary Domain Name: For Windows Server 2003, indicates the domain of the user when the object is opened locally
Primary User Name: For Windows Server 2003, indicates the user when the object is opened locally
Client Domain: For Windows Server 2003, indicates the domain of the user when the object is opened remotely
Client User Name: For Windows Server 2003, indicates the user when the object is opened remotely
Event Type
Accesses
Privileges
AdditionalInfo1

Input Parameters
Until Hour: Show all records until this hour of the day
Result Set
Date/Time
Event ID
Event
Primary Domain Name: For Windows Server 2003, indicates the domain of the user when the changes are done locally
Primary User Name: For Windows Server 2003, indicates the user when the changes are done locally
Client Domain: For Windows Server 2003, indicates the domain of the user when the changes are done remotely
Client User Name: For Windows Server 2003, indicates the user when the changes are done remotely
Accesses
Description

Input Parameters
Starting Hour: Show all records starting from this hour of the day
End Hour: Show all records until this hour of the day
Result Set
Date/Time
Event Computer
User Name
Logon ID
Event ID
Logon Type
Workstation
Domain Name

Input Parameters
Starting from Hour: Show all records starting from this hour of the day
Until Hour: Show all records until this hour of the day
Result Set
Date/Time
Event ID
Event
Event User
Domain Name
User Name

Input Parameters
File Name Filter: File that has been accessed by the user
Starting from Hour: Show all records starting from this hour of the day
Result Set
Event Type
Name
Accesses
Privileges
Object Type

Input Parameters
Process Name Filter: Name of the process that has been launched by the user
Starting from Hour: Show all records starting from this hour of the day
Until Hour: Show all records until this hour of the day
Result Set
Date/Time
Domain Name
User Name
Process ID
Process Name
Description

Input Parameters
Starting from Hour: Show all records starting from this hour of the day
Until Hour: Show all records until this hour of the day
Result Set
Date/Time
IP Address
Event Computer
User Account
Description

Input Parameters
Until Hour: Show all records until this hour of the day
Result Set
User Name
Date/Time
Process ID
Process
Domain Name

Input Parameters
Starting from Hour: Show all records starting from this hour of the day
Until Hour: Show all records until this hour of the day
Result Set
User
Date/Time
Process
Name
Domain Name

Input Parameters
Starting from Hour: Show all records starting from this hour of the day
Until Hour: Show all records until this hour of the day
Result Set
Date/Time
Description
Event ID
Privileges