RSA Envision Reports

RSAenVision Reports
Contact Information
Go to the RSA corporate web site for regional Customer Support telephone and fax numbers:
www.rsa.com
Trademarks
RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation
in the United States and/or other countries. All other trademarks used herein are the property of their
respective owners. For a list of EMC trademarks, go to www.rsa.com/legal/trademarks_list.pdf.
License agreement
This software and the associated documentation are proprietary and confidential to EMC, are
furnished under license, and may be used and copied only in accordance with the terms of such
license and with the inclusion of the copyright notice below. This software and the documentation,
and any copies thereof, may not be provided or otherwise made available to any other person.
No title to or ownership of the software or documentation or any intellectual property rights thereto
is hereby transferred. Any unauthorized use or reproduction of this software and the documentation
may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment by
EMC.
Third-party licenses
This product may include software developed by parties other than RSA. The text of the license
agreements applicable to third-party software in this product may be viewed in the
thirdpartylicenses.pdf file.
Note on encryption technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import,
or export of encryption technologies, and current use, import, and export regulations should be
followed when using, importing or exporting this product.
Distribution
Use, copying, and distribution of any EMC software described in this publication requires an
applicable software license.
EMC believes the information in this publication is accurate as of its publication date. The
information is subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION
MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO
THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright 2012 EMC Corporation. All Rights Reserved. Published in the USA. Friday, October 31, 2014
RSAenVision Reports
Contents
About Reports
Archer Control Procedures Reports
23
Class Reports
28
Compliance Reports
66
Event Source Reports
151
Insider Threat Reports
344
RSA enVision Reports
About Reports
The enVision Reports module has standard network security and traffic analysis reports
and graphs. You can copy and modify these reports, or create your own custom reports to
meet your specific reporting needs. For details, see the enVision Help.
The Reports module has standard network security and traffic analysis reports and
graphs. Reports are organized by device class. Reports are available for:
l Archer
l
Compliance
Correlated alerts
Host Event Sources (Devices)
Insider Threat Mitigation Reports

o
Unix and Database Reports
Windows Reports
Network Event Sources (Devices)
Security Event Sources (Devices)
Storage Event Sources (Devices)
Task Triage, with the following limitations:

o
You cannot bind them.
You cannot specify device groups or a time range in the Run/Copy/Modify/Delete

Report window for them.
If you have a multiple appliance site or a multiple site deployment, any customized
Task Triage reports (created from the Task Triage table) are only installed on the
primary A-SRV. You must run them from this A-SRV.
Virtualization Infrastructure Security
Vulnerabilities and Asset Management (VAM), with the following limitations:

o
You cannot bind them.
You cannot specify device groups or a time range in the Run/Copy/Modify/Delete

Report window for them.
When you select a report, enVision displays the Run/Copy/Modify/Delete Report screen
from which you run the report and specify runtime parameters (if any).
RSAenVision Reports
Correlated Reports
RSAenVision has standard correlated reports.
Device Class
Reports
Correlated Alerts Details: lists all the alerts that caused a correlated alert.
Correlated Alerts Reports
Correlated Alerts List: lists all correlated alerts in a given time period.
Correlated Alerts Summary: graphs the top 20 correlated alerts in descending order.
Top 10 Source Addresses of Alarms
Top 10 Alarms
Top 10 Destinations of Alarms
Top 10 Requested URL/FTP Destinations
Top 20 Bandwidth Ports
Correlated Multi-Device Reports
Top 20 Bandwidth Users

Top 20 Connections by Address
Top 20 Connections by Port
Top 20 Denied Inbound by Address
Top 20 Denied Inbound by Port
Top 20 Denied Outbound by Address
Host Reports
RSA enVision has standard reports for Host event sources (devices).
l Host.Application Servers reports
l
Host.Mail Servers reports
Host.Mainframes reports
Host.Midrange reports
Host.Unix Hosts reports
Host.Virtualization reports
Host.Web Logs reports
Host.Windows reports
Device Class
Event Source / Category
Reports
System Configuration Changes/Configuration Changes
This report lists all the system configuration changes made.
General
Application
Servers
System Health/System Health Statistics This report lists

system normal conditions,unusual activity,errors,system
startup,system shutdown, and system license.
Note: The Configuration Changes and System

Health Statistics reports are updated reports. Content
2.0 event sources populate the data for these reports.
SAP ERP Central Component
Detailed Logon Failures This tabular report displays all the

log on failures in the time selected.
General
General Mail Server Reports
Microsoft Exchange
Microsoft Exchange Server Reports
General
General Mainframe Reports
CA ACF2
CA ACF2 Reports
IBM MainFrame ICSF
Overview of Events Details events from IBM Mainframe Integrated Cryptographic Service Facility.
Mail Servers
RSAenVision Reports
Device Class
Mainframes
Midrange
Reports
IBM MainFrame (RACF)
MainFrame (RACF) Reports
IBM MainFrame (Top Secret)
MainFrame (Top Secret) Reports
IBM MainFrame (SMA_RT)
MainFrame (SMA_RT) Reports
IBMiSeries
iSeries Reports
General
General Virtualization Reports
VMware View
VMware View Reports
AIX
AIX Reports
Apple Mac OS X
Mac OS X Reports
HP-UX / FreeBSD
Hewlett-Packard UNIX and FreeBSD Reports
Check Point IPSO
Check Point IPSOReports
Linux
Linux Reports
Solaris Basic Security Module
Solaris BSM Reports
Solaris
Solaris Reports
General
General Web Logs Reports
Apache
Apache HTTPServer Reports
Blue Coat
Blue Coat Systems CacheOS and SGOS Reports
Blue Coat ELFF
Blue Coat ELFF Reports
Cisco Content Engine
Cisco Content Engine Reports
Cisco Ironport WSA
Cisco IronPort WSAReports
Juniper DX
Juniper DX Application Accelerator Reports
Microsoft IIS
Microsoft IIS Reports
Virtualization
Unix Hosts
Web Logs
Device Class
Windows
Reports
Microsoft ISA Server
Microsoft ISA Server Reports
NetCache
Network Appliance NetCache Reports
Nortel WebOS
Nortel Alteon Switch Firewall Reports
Websense Web Security
Websense Web Security Suite Reports
Account Management
Windows Account Management Reports
Application Errors
Windows Application Error Reports
Disk and Memory
Windows Disk and Memory Reports
Files / Objects Access
Windows Files and Objects Access Reports
Logon / Logoff
Windows Logon and Logoff Reports
Policy Changes and Audit Logs
Windows Policy Changes and Audit Logs Reports
Restarts / Shutdowns
Windows Restart/Shutdown Reports
Summary Reports
Windows Summary Reports
Trend Reports
Windows Trend Reports
User Activity
Windows User Activity Reports
Windows Filtering Platform
Windows Filtering Platform Reports
Microsoft Audit Collection

Service
Microsoft Audit Collection Service Reports
RSAenVision Reports
Network Reports
RSA enVision has standard reports for Network event sources (devices).
l Network.Application Delivery reports
l Network.Configuration Management reports
l Network.Configuration and Policy Management reports
l Network.Messaging reports
l Network.Routers reports
l Network.Switches reports
l Network.System reports:
Alerts
Audit
l Automatic Update
l DHCP
l Infoblox NIOS
l Statistics
Network.Wireless Devices reports
l
l
Device Class
Application
Delivery
Configuration
Management
Event Source
Reports
Cisco Application Control

Engine
Cisco Application Control Engine Reports
General
Standard Configuration Management Reports
Cisco Unified Computing

System Manager
Cisco Unified Computing System Manager Reports
EMCIonix
EMC Ionix Reports
LANDesk Management
Suite
List of Applications Installed on Devices:Displays a list of the LANDesk Management Suite devices and the applications installed on them.
Lumension Endpoint
Management and Security
Suite
Lumension EMSSReports
Microsoft System Center

Configuration Manager
Microsoft System Center Configuration Manager Reports
Microsoft Windows Server

Update Service
Microsoft Windows Server Update Service Reports
Safend Protector
Safend Protector Reports
CiscoWorks Network
CiscoWorks Network Compliance Manager Reports
Device Class
Event Source
Reports
Compliance Manager
Configuration and
Policy Management
Messaging
Routers
Switches
McAfee Policy Auditor
Audit Rule Results: Displays audit rule results from Policy Auditor.
Netscreen-Security
Management
Juniper Networks NetScreen-Security Manager Reports
Solsoft NP
Solsoft NP Reports
Tripwire Enterprise
Tripwire Enterprise Reports
General
General Messaging Reports
Cisco Router
Cisco Router Reports
Juniper JUNOS Router
Juniper Networks JUNOS Router Reports
Nortel Passport 8600
Nortel Passport 8600 Routing Switch Reports
General
Switches Reports
Alcatel-Lucent OmniSwitch
Alcatel-Lucent OmniSwitch Reports
Cisco Content Switch
Cisco Content Switch Reports
Cisco Switch
Cisco Switch Reports
Extreme Networks
ExtremeWare
Extreme Networks ExtremeWare Switch Reports
Extreme Networks
ExtremeXOS
Extreme Networks ExtremeXOS Reports
Foundry Switches
Foundry Networks Switch Reports

System Reports
System
N/A
Alerts Reports (All Devices)

Audit Reports (All Devices)
Automatic Update Reports
System DHCP
Microsoft DHCP
DHCP Lease Change: Lists Host names leased to DHCP IP Addresses.
System -
IBMWebSphere
IBM Websphere DataPower - Summary Report: Summarizes the events
10
RSAenVision Reports
Device Class
Event Source
Reports
IBMWebSphere
DataPower
DataPower
captured on IBM Websphere DataPower in descending order.
System InfobloxNIOS
Infoblox NIOS
Infoblox NIOS Summary Report: Summarizes events captured on

Infoblox.
System Statistics
N/A
Statistics Reports (All Devices)
General Reports
General Wireless Device Reports
Cisco Aironet Access

Points
Cisco Aironet AP Reports
Cisco Mobility Services

Engine
Cisco MSE Rogue AP & Clients
Wireless
Devices
11
Security Reports
RSA enVision has standard reports for Security event sources (devices).
l Security.Access Control reports
l Security.Analysis reports
l Security.Antivirus reports
l Security.Application Firewall reports
l Security.Firewalls reports
l Security.VPN reports
l Security.DLP reports
l Security.Intrusion reports
l Security.Intrusion Detection Systems reports
l Security.Intrusion Prevention Systems reports
l Security.Vulnerability reports
Device Class
Event Source
General
General Access Control Reports
ActivIdentity AAAServer
ActivIdentity AAA Server Reports
Cisco NAC
Cisco NAC Reports
Cisco Secure ACS
Cisco Secure Access Control Server

Reports
Cyber-Ark Enterprise Password Vault, InterBusiness Vault, and Sensitive Document Vault
Cyber-Ark Enterprise Password Vault,

Inter-Business Vault, and Sensitive
Document Vault Reports
F5 Big-IP APM
Access Control
Reports
Big-IP APM - Most Frequent Sources

of Connections
Big-IP APM - Session Control
Information
Juniper Networks Infranet Controller 4500
Juniper Networks Infranet Controller

4500 Reports
Microsoft Network Access Protection
Microsoft Network Access Protection

Reports
Oracle Identity Manager
Oracle Identity Manager Reports
RSAACEServer
RSA Authentication Manager and

UCM Reports
RSAAdaptive Authentication (Hosted)
RSA Adaptive Authentication
12
RSAenVision Reports
Device Class
Event Source
General
Reports
(Hosted) Reports
Analysis
Antivirus
Application Firewall
13
RSAAdaptive Authentication (OnPrem)
RSA Adaptive Authentication

(OnPrem) Reports
Steel Belted Radius
Juniper Networks Steel Belted

Radius Reports
Top Layer Secure Edge Controller
Top Layer Secure Edge Controller

Reports
General
General Analysis Reports
Cisco MARS
Cisco MARS Reports
NetWitness NextGen
NetWitness NextGen Reports
SafeStone DetectIT
SafeStone DetectITReports
SECUDESecurity Intelligence
SECUDESecurity Intelligence
Reports
General
General Antivirus Reports
McAfee Virus Scan
McAfee Virus Scan Reports
McAfee ePolicy Orchestrator
McAfee ePolicy Orchestrator Reports
Symantec AntiVirus
Symantec AntiVirus Reports
Trend Micro
Trend Micro Reports
General
General Application Firewall Reports
Cisco Ironport ESA
Cisco Ironport ESA Reports
F5Big-IP Application Security Manager
F5 Big-IP Application Security

Manager Reports
Trend Micro Deep Security
Trend Micro Deep Security Reports
General
General Firewall Reports
Check Point Firewall-1
Check Point Firewall-1 Reports
Device Class
Firewalls
VPN
Event Source
Reports
General
Cisco ASA
Cisco ASA Reports
Cisco IOS
Cisco IOS Firewall Reports
Cisco PIX
Cisco PIX Reports
Cyberguard Classic
CyberGuard Classic Reports
Cyberguard Firewall
CyberGuard Firewall Reports
Fortinet FortiGate
Fortinet FortiGate
Microsoft ISAServer
Microsoft ISA Server Reports
Netscreen Firewall
Juniper Networks NetScreen Firewall

Reports
Palo Alto Networks Enterprise Firewall
Palo Alto Networks Enterprise

Firewall Reports
McAfee Firewall Enterprise (formerly named

Secure Computing Sidewinder G2 Security
Appliance)
McAfee Firewall Enterprise Reports
Symantec Enterprise Firewall
Symantec Enterprise Firewall Reports
General
General VPN Reports
Checkpoint VPN
Checkpoint VPN Reports
Cisco ASAVPN
Cisco ASA VPN Reports
Cisco PIXVPN
Cisco PIX VPN Reports
Cisco VPN3000 Concentrator
Cisco VPN 3000 Concentrator

Reports
Citrix Access Gateway
Citrix Access Gateway Reports
Intel VPN
Intel VPN Reports
Juniper SSLVPN
Juniper SSL VPN Reports
Nortel Contivity VPN
Nortel Contivity VPN Reports
14
RSAenVision Reports
Device Class
DLP
Intrusion
Event Source
General
Symantec Enterprise VPN
Symantec Enterprise VPN Reports
General
General DLP Reports
General
General Intrusion Reports
Trend Micro OSSEC
General
Intrusion Detection
Systems
15
Reports
Trend Micro OSSEC - List of All

Active-Responses: Lists all of the Active
Responses generated by OSSEC.
Trend Micro OSSEC - List of All
Alerts:Lists all of the alerts generated by
OSSEC.
IDS Top Alarms by Category
Top 20 IDS Categories
Checkpoint SmartDefense
Check Point SmartDefense Reports
Cisco ASA
Cisco ASA IDS Reports
Cisco IOS
Cisco IOS IDS Reports
Cisco PIX
Cisco PIX IDS Reports
Cisco Secure IDS
Cisco Secure IDS Reports
Dragon IDS
Enterasys Dragon IDS Reports
Entercept
Entercept Reports
eEye Retina Network Security Scanner
eEye Retina Network Security

Scanner Reports
ISSREALSECURE
ISS REALSECURE Reports
Intrushield
IntruShield Reports
Lancope StealthWatch
Lancope StealthWatch Reports
NFRSecurity NIDS
NFR Security NIDS Reports
Netscreen
Juniper Networks NetScreen (IDS)

Reports
Device Class
Intrusion Prevention
Systems
Vulnerability
Event Source
Reports
General
Snort
SNORT Reports
Symantec Intruder Alert
Symantec Intruder Alert Reports
Symantec Network Security
Symantec Network Security SNS

Reports
Tipping Point
Tipping Point Reports
General
General Intrusion Prevention

Systems Reports
Top Layer Attack Mitigator
Top Layer Attack Mitigator Reports
Arbor Peakflow SP5
Arbor Peakflow SP Reports
Arbor Peakflow X
Arbor Peakflow X Reports
Cisco Security Agent
Cisco Security Agent Reports
Mazu Profiler
Mazu Networks Profiler Reports
Netscreen IDP
NetscreenIDP Reports
General
General Vulnerability Reports
16
RSAenVision Reports
Storage Reports
RSA enVision has standard reports for Storage event sources (devices).
l Storage.Content Management System Reports
l Storage.Database reports
l Storage.Document reports
l Storage.Storage reports
Device Class
Content Management
System
Database
Document
Storage
Event Source
Reports
Perforce
Overview of Actions: Details the actions logged to the audit log file on
Perforce. The actions captured here are SYNC, DIFF, REVERT,
ANNOTATE, INTEGRATE, RESOLVE, and PRINT.
Application Security
DbProtect
Application Security DbProtect Reports
IBM DB2 UDB
IBM Mainframe DB2 UDB Reports
Documentum
EMC Documentum Reports
GIT
GIT- Overview of Actions: Details all users access to the repositories.
Microsoft SQLServer
Microsoft SQL Server Reports
MySQL Enterprise
MYSQL Reports
Oracle Database
Oracle Database Reports
PostgreSQL
PostgreSQL - Top Ten Sessions Based on Log Frequency

Activity
Sybase ASE
Sybase ASEReports
General
General Document Reports
EMCVPLEX
Detailed Event Report:This report details all the commands that are
run across the VPLEX data store, which are collected from session
logs.
General
Standard Storage Reports
GECentricity Enterprise
Archive
GECEA - Configuration Changes by User:This report details all the

configuration changes by a user logged on the GECentricity Enterprise
Archive console.
GECEA - Overview of ILM Events:This report details all the ILM
module activities performed on the GECentricity Enterprise Archive.
17
Device Class
Event Source
Network Appliance Data
ONTAP
Reports
Network Appliance Data ONTAP Reports
18
RSAenVision Reports
Task Triage Reports

RSAenVision has standard Task Triage reports.
l Average Time to Acknowledge: depicts the average time to acknowledge a task in
one hour intervals over the previous 24 hour reporting period.
l
l
l
l
l
19
Average Time to Close: depicts the average time to close a task in one hour intervals
over the previous 24 hour reporting period.
Closure Rate: depicts the task closure rate in one hour intervals over the previous 24
hour period.
Incident Rate: depicts the incident rate in one hour intervals over the previous 24 hour
reporting period.
Last Modified Tasks: depicts the most recently modified task entries.
Longest Open Tasks: depicts the tasks that have been open for the longest amount of
time.
Longest Unacknowledged Tasks: depicts the tasks that have been unacknowledged
for the longest amount of time.
Open Tasks by Owner: depicts the number of open tasks for each unique owner
contained in the Task Triage database.
Open Tasks by Priority: depicts the percentage of open tasks by priority level.
Tasks by Priority and Owner: depicts the number of open items by priority for a
specified user.
Virtualization Infrastructure Security Standard

Reports
The Reports module includes the following standard system reports for virtualization
infrastructure security.
Note: Unless otherwise specified, these virtualization infrastructure security reports can
only be used with the following event sources:Cisco Secure ACS, VMware ESX,
VMware vCenter, and Microsoft SQL Server.
Vblock - Accounts Created

This report contains logs of the accounts that were created.
Vblock - Accounts Deleted

This report contains logs of the accounts that were deleted.
Vblock - Accounts Modified

This report contains logs of the accounts that were modified.
Vblock - Administrator Access to Vblock Systems- Detail

This report focuses on all actions taken by any individual with root or administrative
privileges. This report displays all successful or failed logons.
Vblock - Configuration Changes

The purpose of this report is to follow change control processes and procedures for all the
changes to system components.
Vblock - Escalation of Privileges

This report displays log of events containing information on the escalation of privileges of
accounts to perform administrative tasks.
Vblock - Logon Failures - Detail

The purpose of this report is to monitor invalid logical access attempts. This report
contains the logs of all logon failures.
Vblock - Logon Failures - Summary

This report contains a count of all logon failures.
Vblock - Password Changes

This report contains logs of the accounts with password changes.
20
RSAenVision Reports
Vblock - User Access Revoked

This report lists all the rights removed from a user.
Vblock - User Access to Vblock Systems - Detail

The purpose of this report is to monitor valid logical access attempts. This report contains
the logs of all successful logons.
Vblock - User Account Management Bind Report

This bind report combines the following reports:
l Vblock - Accounts Created
l Vblock - Accounts Deleted
l Vblock - Accounts Modified
21
Vulnerability Assessment Management (VAM)Reports

RSAenVision has standard Vulnerability Assessment Management reports.
l Least Recently Scanned: lists assets in order of the longest duration since last scan.
l
Most Vulnerable Assets By Business Rating: lists the assets in order of business rating
and the aggregate vulnerability severity score.
Most Vulnerable Assets By Count: lists the assets in order of the number of
vulnerabilities associated with an asset.
Most Vulnerable Assets By Severity: lists the assets in order of the aggregate
vulnerability severity score.
Vulnerability by Severities: depicts the detected vulnerabilities as a percentage of the
total organized by severity value.
22
RSAenVision Reports

RSA enVision has control procedure reports for the following event sources (devices).
Event Source
Reports
Check Point Firewall-1
Check Point Firewall-1 Control Procedure Reports
Microsoft SharePoint Server
Microsoft SharePoint Server Control Procedure Reports
Oracle WebLogic
Oracle WebLogic Control Procedure Reports
VMware
VMware Control Procedure Reports
23
Archer Control Procedure Reports Check Point

The Reports module includes the following control procedure reports for the Check Point
FireWall-1 event source and the Security Suite.
CP-32029 Checkpoint Stealth Rule

Displays the alerts from the Stealth rule, which is a rule that drops traffic destined for a
firewall interface. The rule hides the firewall interfaces from the other network
resources.
Note: You must enter the Stealth rule number before running the report.
CP-32036 Checkpoint Drop Rule

Displays the alerts from the firewall that handles incoming connections. The Checkpoint
Drop rule uses the Drop option instead of Reject.
CP-32049 Checkpoint Authentication Failure

Displays the alerts from the Authentication Failure rule that logs failed authentication
attempts.
CP-32050 Checkpoint Cleanup Rule

Displays the alerts from the Cleanup rule. The firewall drops and logs all connections not
previously accepted by the firewall. You must add a default rule denying access to ANY
from ANY as the last rule in the rule set. You must also enable logging for this rule to
function.
Note: You must enter the Clean Up rule number before running the report.
24
RSAenVision Reports
Archer Control Procedure Reports Oracle WebLogic

The Reports module includes the following control procedure reports for the Oracle
WebLogic event source.
CP-31949 User Lockout Enabled

This report displays the amount of times that a user has tried to access an account and
whether they have reached the maximum threshold for allowed attempts. The account
lockout feature allows for disabling an account after a number of failed logon attempts.
General recommended guidelines suggest to lock out the account after 3 to 5 failed logon
attempts.
25
Archer Control Procedure Reports Microsoft

SharePoint Server 2007
The Reports module includes the following control procedure reports for the Microsoft
SharePoint Server 2007 event source.
CP-34177 SharePoint Administrator Logon

Displays the alerts from the Administrator Logon Rule. This rule restricts the local logon
to SharePoint servers to only Administrators.
CP-34181 SharePoint File Access Audit

This report allows administrators to be notified of who attempts to access the Microsoft
SharePoint Server. You must enable file access audit to SharePoint folders on the server
for this report to function.
26
RSAenVision Reports
Archer Control Procedure Reports VMware

The Reports module includes the following control procedure reports for the VMware
event source.
CP-34663 Inventory Deployed Virtual Machines

The inventory of deployed virtual machines should be compared against the approved
virtual environments in accordance with the approved documented procedure.
CP-34670 Logins to ESXServer

Checks for users logged into the ESX Server from unexpected hosts. Any suspicious
activity should be appropriately investigated.
CP-34687 ESXHost Restarts

System shutdowns and restarts on the ESX server should be monitored and any
unexpected shutdowns and restarts should be investigated.
27
Class Reports
RSA enVision includes reports that focus on specific event source classes, for example
Firewall reports.
Standard Reports Alerts
29
Standard Reports Firewall Device Categories
31
Standard Reports IDS Device Categories
32
Standard Reports Statistics
33
Standard Reports Configuration Management
35
Standard Reports Correlated Alerts
36
Standard Reports Correlated Multi-Device Reports
37
Standard Reports DHCP
38
39
41
42
43
General Automatic Update Reports
44
General DLP Reports
45
48
General Intrusion Prevention Systems Reports
50
51
54
47
General Switches Reports
55
56
General VPN Reports
57
58
59
General Wireless Devices Reports
61
Standard Reports Audit
62
Standard Reports System
64
Standard Reports Storage
65
Class Reports
28
RSAenVision Reports
Standard Reports Alerts

The Reports module includes the following standard system reports for alerts.
Alert Notes by Date and Time

Lists all alert notes in the database sorted by the time that they occurred.
Alert Notes by View

Lists all alert notes for a specific view. You must modify the report query to specify the
view that you want to see displayed.
Alerts per Hour

Displays the distribution of all alerts over time, in one-hour intervals.
Alerts Status Summary

Lists a count of alerts within a time range sorted by status, such as new alert, under
investigation, or resolved.
Alerts Under Investigation by Date/Time

Lists all alerts under investigation in the database sorted by the time that the alerts
occurred. Use this report to track alerts under investigation.
Alerts Under Investigation by View

Lists all alerts under investigation in the database for a specific view.
You must modify this report before running it. On the Create/Modify Report - Specify
Report Selection Criteria window, replace the text type viewname here with the name
of the view that you want to see displayed.
Available Alerts by Date/Time

Lists all alerts and the status of each alert in the database sorted by the time that the
alerts occurred.
New Alerts by Date/Time

Lists all new alerts in the database sorted by the time that the alerts occurred.
New Alerts by View

Lists all new alerts in the database for a specific view.
29
Class Reports
You must modify this report before running it. On the Create/Modify Report - Specify
Report Selection Criteria window, replace the text type viewname here with the name
of the view that you want to see displayed.
Percentages of Alerts by NIC Category

Displays the distribution of alerts by NIC category.
Percentages of Alerts by Alert Levels

Displays the distribution of alerts by alert levels.
Percentages of Alerts by Severity Levels

Displays the distribution of alerts by severity levels.
Resolved Alerts by Date/Time

Lists all resolved alerts in the database sorted by the time that the alerts occurred. Use
this report to identify the alerts that have been resolved.
Resolved Alerts by View

Lists all resolved alerts in the database for a specific view.
Top 20 Alert Categories

Displays the top 20 alert categories by number of alerts.
Class Reports
30
RSAenVision Reports
Standard Reports Firewall Device Categories

The Reports module includes the following standard reports for reporting on firewalls by
categories.
Firewalls - Top Events by Category

Displays the top events by category from all firewall event sources.
Top 20 Firewall Categories

Displays the 20 firewall categories that generate the highest number of events from all
firewall event sources.
31
Class Reports
Standard Reports IDS Device Categories

The Reports module includes the following standard reports for reporting on IDS event
sources by categories.
IDS Top Alarms by Category

Displays the top signatures by categories from all IDS event sources.
Top 20 IDS Categories

Displays the 20 IDS categories that generate the highest number of events from all IDS
event sources.
Class Reports
32
RSAenVision Reports
Standard Reports Statistics

The Reports module includes the following standard reports for statistics.
Important: To gather the data for these reports, you must start the Alerter Service.
Count of Messages Per Device

Counts messages collected per event source and event source type for a specific time
range. The order is ascending, which means that event sources that did not collect any
data will be listed first.
Daily Event Counts

Displays the total event counts by day.
Hourly Event Counts

Displays the total event counts by hour.
Percentage of Events by Device Class

Displays the percentage of the total number of events by event source class.
Percentage of Events by Device Type

Displays the percentage of the total number of events by event source type.
Percentage of Events by NIC Category

Displays the percentage of the total number of events by NIC category.
Syslog Collection Statistics

Summarizes the syslog message quantity and byte count on an hourly basis by logging
event sources. Assesses log host system and disk space requirements. Use this report to
identify the periods of highest activity.
Top 20 Devices
Displays the top 20 event sources generating events during the selected time period.
Top 20 Devices Generating Unknown Events

Displays the top 20 event sources generating unknown events during the selected time
period.
33
Class Reports
Top 20 Device Types Generating Unknown Events

Displays the top 20 event source types generating unknown events during the selected
time period.
Top 20 Event Categories

Displays the top 20 event categories during the selected time period.
Top 20 Events
Displays the top 20 event IDs collected during the selected time period.
Class Reports
34
RSAenVision Reports
Standard Reports Configuration Management

The Reports module includes the following standard Configuration Management reports.
Configuration Changes by Device

Lists configuration changes, grouped by event source.
Configuration Changes by Devices

A list of configuration changes done by the event sources.
Detailed Event Report

Contains the details of all events over a period of time.
Failed Attempts by User

Lists failed attempts made by all users.
Login and Logout

Lists events relating to logon and logoff.
Overview of Actions by Computer ID

This report lists the details of all the actions that are performed on the clients based on
the Computer ID. If the Computer ID is not specified, the report will list the details of the
actions performed on all the clients.
Overview of Detailed Events Report

A report with details of all events over a period of time.
Top 25 Triggered Policy Rules

Displays the top 25 triggered policy rules during auditing systems.
35
Class Reports
Standard Reports Correlated Alerts

The Reports module includes the following standard reports for correlated alerts.
Correlated Alerts Details

Lists all the alerts that caused a correlated alert.
Correlated Alerts List

Lists all correlated alerts triggered over a specific time period.
Correlated Alerts Summary

Displays the top 20 correlated alerts in descending order.
Class Reports
36
RSAenVision Reports
Standard Reports Correlated Multi-Device Reports

The Reports module includes the following standard reports for the multiple event source
reports.
IDS event sources - Top 10 Source Addresses of Alarms

Displays the top 10 source addresses of intrusion detection alarms.
IDS event sources - Top 10 Alarms

Displays the top 10 alarms by signature ID that have been generated.
IDS event sources - Top 10 Destinations of Alarms

Displays the top 10 destination IP addresses that have been targeted for attack.

Displays the top 10 URL or FTP destinations requested by internal users.

Displays the 20 ports with the most bandwidth usage.

Displays the top 20 bandwidth users.

Displays the top 20 users of connections.

Displays the 20 ports with the most connections.

Displays the top 20 foreign addresses that were denied inbound access.

Displays the 20 ports with the most denied connections.

Displays the top 20 local addresses that were denied outbound access.
37
Class Reports
Standard Reports DHCP

The Reports module includes the following standard system reports for DHCP
processing.
DHCP Lease Change

Lists the lease time of DHCP IP addresses.
Class Reports
38
RSAenVision Reports

The Reports module includes the following standard reports for the Access Control class.
Authentication Failures
Lists the user names with authentication failures and the corresponding reason.
Authentication Success
Lists successful authentications over a specific time period.
File Server Usage Summary Report

A summary report indicating the usage of all file servers.
Historical Overview of Allowed Network Access

Displays the systems that were allowed full access to network resources over a specific
time period.
Historical Overview of Blocked Network Access

Displays the systems that were denied full access to network resources over a specific
time period.
Key Generations
Lists events related to security or crypto key generations.
Login and Logout

Lists events related to logons and logoffs.
Top 10 Users Accessing File Servers

This report highlights the users performing the most read/write operations on a file system
governed by a File System access control tool.
Top 20 Malicious Systems

Displays the top 20 malicious systems in the network.
Error Types Overview

Lists all generated error event types, including event type name and count, over a specific
time period.
Historical Overview of Failed Logins

Lists the user names and actions that led to failed logons.
39
Class Reports
Historical Overview of Successful Login/Logout

Lists user names with successful logons or logoffs.
Informational and Configuration Messages

Lists user activity information and configuration changes.
Overview of Configuration Changes

Lists the configuration changes.
Overview of Failed Authentication Events

This report details failed authentication events.
Overview of Successful Authentication Events

This report details successful authentication events.
Top 10 Error Types

Lists the top 10 generated error event types, including event type name and count, over a
specific time period.
Top 10 Event Type View

Lists the top 10 generated event types over a specific time period.
User Deletion Event Statistics

Displays the number of user deletion event types over a specific time period.
User Enrollment Event Statistics

Displays the number of user enrollment event types over a specific time period.
Class Reports
40
RSAenVision Reports

The Reports module includes the following standard reports for the Analysis class.
List of Conversation Events

Lists conversational events over the network.
List of Network Security Events

Lists network security events including denial of service attacks and network connection
errors.
User Failed Logons

This report displays logon failure events.
User Login and Logouts

This report displays login and logout events.
41
Class Reports

The Reports module includes the following standard reports for the Antivirus class.
List of All Audit Events

Lists all audit events.
List of All System Alerts

Lists all system alerts.
Summary of Scanned Objects

This report gives a brief summary of all objects scanned by the Anti-Virus application.
Overview of Audit Events

An overview of audit events.
Overview of System Alerts

An overview of system alerts.
Overview of Viruses Found

A detailed list of viruses found.
Top 20 Processes Generating Virus Alerts

Lists the top 20 processes running that are trying to invoke files/processes affected by
virus.
Top 20 Viruses
A summary report of the top 20 viruses affecting the systems.
Virus Detection Details

Lists the details of viruses detected by the system.
List of Top 20 Viruses

A summary report of the top 20 viruses affecting the systems.
Overview of VirusDetection Details

Overviews the details of viruses detected by the system.
Class Reports
42
RSAenVision Reports

The Reports module includes the following standard reports for the General Application
Firewall event sources.
Alerts by Source IP Address

Lists application firewall alerts by source IP address.
Blocked E-mails
Lists e-mails that are blocked due to the threat of a virus, trojan, or worm, and by the
settings of the content filter. Also lists e-mails that are blocked because the sender is
unknown.
Clean E-mails
Lists e-mails that were successfully delivered.
E-mails Sent and Received

Lists e-mails that were sent and received by each user. This report also includes blocked
and undelivered e-mails.
High Severity Alerts

Lists the application firewall high severity alerts.
List of All Violations

Lists all violations associated with application firewall events.
Login and Logout Activity

A detailed report of all logon and logout events.
Overview of User Activities

Lists all commands executed by the user.
System Configuration Changes

A detailed report of all the system configuration changes.
43
Class Reports
General Automatic Update Reports

The Reports module includes the following standard reports for the Automatic Update
class.
Details by Package ID or Patch ID

This report is a detailed listing of actions executed for a given patch by Package ID/Patch
ID.
Failed Patches by Date Time

This report is a listing of patches that failed during installation over a specific time
period. Refer to autoupdatelog.log or the AutomaticUpdate - Details by Package ID or
Patch ID report for more details.
Successful Patches by Date Time

This report is a listing of all patches successfully installed over a specific time period.
Refer to autoupdatelog.log or the Automatic Update - Details by Package ID or Patch ID
report for more details.
Class Reports
44
RSAenVision Reports
General DLP Reports

The Reports module includes the following standard reports for the general DLP event
sources.
Data Leakage by Endpoint Computer

Displays the top 20 client computers where DLP incidents originate.
Data Leakage Summary

Displays the historical report of all DLP attacks detected.
Device Control Report

Displays the statistics of all removable event sources plugged in.
Failed Logins
Displays the historical view of failed logons.
Incidents by User Reports

Displays all DLP incidents associated with a particular user identifier.
Login/Logout
Displays the historical overview of successful logons and logoffs.
Most Frequent Policy Violations

Displays the most frequent policy violations.
Network Incidents by Protocol

Displays the number of DLP incidents by protocol.
Policy/Rule Changes
Displays the historical overview of policy or rule changes.
Regulatory Data Scan Report

Summarizes the number of files marked with DLP tags that indicate the presence of
regulatory or proprietary data. This report is generated after a data scan.
Top 20 Offending File Owners

Displays the top 20 owners of files where incidents originate.
45
Class Reports
Top 20 Offending Users

Displays the top 20 users logged on where DLP incidents originate.
Class Reports
46
RSAenVision Reports

The Reports module includes the following standard reports for the general Document
event sources.

Lists configuration changes by event source.

Details all events over a specified period of time.
Overview of Actions
Details all audit actions over a specified period of time.
Successful and Failed Authentications

Lists events relating to successful and failed authentications.
47
Class Reports

The Reports module includes the following standard reports for the general Intrusion
event sources.
Alarm Destination Report

This report displays alarms sorted by the Destination IP Address that generated the
alarm.
Alarm Levels
This graph displays the number of alarms for each alarm level.
Alarm Report
This report displays alarms based on signature names, sorted by alarms and signature
names.
Alarms by Hour
This graph displays the number of alarms by hour for a given time period.
Alarms by Sensor
This graph displays the alarm count for each sensor.
Alarms by Sensor Device

This report shows the total number of alarms generated by each sensor device. The report
is sorted by total number of alarms.
Top 10 Sources of Alarms

This graph displays the top 10 sources of alarms by source IP address.
Top 20 Alarms
This report displays the top 20 alarms by signature ID.
Top 20 Alarms by Port

This report displays the Top 20 alarms based on the destination port.

This report displays the top 20 destination IP addresses that have been targeted for attack.
Top 20 Source-Destination Pairs of Alarms

This report displays the 20 source-destination pairs that have generated the most alarms.
Class Reports
48
RSAenVision Reports

This report displays the 20 source IP addresses that have generated the most events and
alarms from the Cisco Secure IDS sensors.
49
Class Reports
General Intrusion Prevention Systems Reports

The Reports module includes the following standard reports for the general Intrusion
Prevention Systems event sources.
All Attacks Classified by Attack Category

This report classifies attacks by their attack category.
All Attacks Classified by Risk Types

This report classifies attacks by their level of risk.
High Risk Attacks

This report provides a list of all high level attacks.
List of User Activity

This report provides a list of all user activity.
List of Attacks over Time

This report provides a list of all attacks.
Low Risk Attacks

This report provides a list of all low-level attacks.
Medium Risk Attacks

This report provides a list of all medium-level attacks.
Top 10 Attacked Destinations

This report provides a graph of the 10 most commonly attacked destinations.
Top 10 Attacks
This report provides a graph of the 10 most common attacks.
Top 10 Sources of Attacks

This report provides a graph of the 10 most common sources of attacks.
Class Reports
50
RSAenVision Reports

The Reports module includes the following standard reports for the Mail Server class.
Exchange Error Condition

This report shows all error events.
Failed Logon Attempts to Mailboxes

This report shows all failed logons to mailboxes.
Internet Traffic by E-Mail Accounts

This report shows the inbound and outbound traffic for e-mail accounts.
Logons to Mailbox with Administrative Privileges

This report shows successful logons to mailboxes by users who have administrator
privileges on those mailboxes.
Mailboxes with the Most Logon Failures

This report shows users responsible for the greatest number of failed mailbox logons.
Non-Owner Mailbox Access

This report shows users who connect to mailboxes apart from their primary user
accounts.
Successful Logons to Mailboxes

This report shows successful logons to mailboxes.
Summary of Configuration Errors

This report shows all configuration errors and failures.
Top 10 E-Mail Accounts Mailing Most Outside the Organization

This report shows top 10 e-mail accounts responsible for the most email traffic to public
domains.
Top 10 E-Mail Accounts Receiving Messages

This report displays the 10 e-mail accounts that are receiving the most messages.
Top 10 E-Mail Accounts Receiving Messages Volume

This report displays the 10 e-mail accounts that are receiving the largest volume of
messages.
51
Class Reports
Top 10 E-Mail Accounts Sending Messages

This report displays the 10 e-mail accounts that are sending the most messages.
Top 10 E-Mail Accounts Sending Messages Volume

This report displays the 10 e-mail accounts that are sending the largest volume of
messages.
Top 10 Sender-Receiver Pairs

This report displays the top 10 sender-receiver pairs.
Top 10 Sender-Receiver Pairs Within the Organization

This report displays the top 10 sender-receiver pairs within the organization.
Use of Send Privileges

This report shows users who used their Send As privileges.
Class Reports
52
RSAenVision Reports
General Mainframe Reports

The Reports module includes the following standard reports for the Mainframe class.
Denial of Access to Resources

Details all messages regarding failed or violated access events.
Overview of Audit Events

Details all security events.
53
Class Reports

The Reports module includes the following standard reports for the general Messaging
event sources.
Phone Call Summary

This report summarizes all phone calls monitored by the messaging server.
PIN Messaging Summary

This report summarizes of all the PIN Messages handled by the messaging server.
PIN Transmission Errors

This report provides a summary of all the transmission errors during PIN messaging.
SMS Summary
This report summarizes all SMSmessages handled by the messaging server.
SMS Transmission Errors

This report lists SMSmessages that experienced transmission errors.
Class Reports
54
RSAenVision Reports
General Switches Reports

The Reports module includes the following standard reports for the general Switch event
sources.
Configuration Changes
Displays all configuration changes on the Switches event sources.
Failed Logins
Displays all unsuccessful attempts to log on to the Switches event sources.
Successful Logins
Displays all successful logons to the Switches event sources.
System Error
Displays all system errors.
System Errors
Displays system errors.
Successful Login
Displays all successful logons to the Switches event sources.
Failed Login
Displays all unsuccessful attempts to log on to the Switches event sources.
Configuration Change
Displays all configuration changes on the Switches event sources.
55
Class Reports

The Reports module includes the following standard reports for the general Virtualization
event sources.
Cluster and Resource Management

Displays cluster and resource management events.
Network Infrastructure
Displays network host system and service events.
Storage
Displays database events create, extend, remove, and configure.
User Groups and Permissions

Displays events for users, groups, permissions, authorization, and session.
Virtual Machine Operations

Displays virtual machine operation events like power on, power off, snapshot, migration,
creation, cloning, renaming, and so on.
Class Reports
56
RSAenVision Reports
General VPN Reports

The Reports module includes the following standard reports for the VPN class.
Failed Login Summary

This report details all the failed logins by each user.
Resource Access Details

This report details all attempts by remote clients to access internal resources.
Successful Login Details

This report details the successful logins.
Top 20 Failed Logons

This report lists all failed VPN logons.
Top 20 Successful Logons

This report lists all successful VPN logons.
57
Class Reports

The Reports module includes the following standard reports for the general vulnerability
event sources.

This report gives the details of the scans, actions or events preformed through
vulnerability event sources.
Scans Completed In the Past One Hour
This report displays all the scans completed in the past one hour.
Scans StartedIn the Past One Hour

This report displays all the scans started in the past one hour.
Class Reports
58
RSAenVision Reports

The Reports module includes the following standard reports for the general Web Logs
event sources.
Activity by Administrative Users

Displays web browsing activity with administrative user accounts as defined by a usercreated watchlist.
Activity by Users
Displays configuration changes, policies, and rules made, and tracks web browsing
activity by the user accounts.
Client Access Statistics

Displays reports of overall URLaccess by each client.
Historical Overview of Successful and Failed Logons

Displays successful and failed logons.
Historical Overview Of Successful URLAccess

Displays URLsaccessed by the host.
Historical Overview Of URL Blocked

Displays URLs blocked while users were accessing the web.
List of All User Requests

This report lists all http requests by users.
Number of Configuration Changes by each Configuration Module

Displays the number of configuration changes per configuration module.
Number of System/Network Errors

Lists the number of errors of each type, such as system errors, network errors, and
configuration errors.
Overview of Successful URL Access

Gives an overview of successful URLaccess events.
59
Class Reports
Top 20 IM Source Machines

Lists the top 20 client addresses generating IMtraffic. The report also includes the
corresponding IMuser ID.
Top 25 Client IPs by Connection Requests

Displays the 25 client IPaddresses with the most successful website connections.
Top 25 Client IPs by Total Bytes

Displays the 25 client IPaddresses with the largest amount of total bytes.
Total Connections by HTTP Status Code

Queries for connection counts and groups them by HTTPsuccess or failure code. The
Administrator can use this report to see, by code, how many connections were
successful, redirected, or failed.
URLs Containing Archive File Types

Displays URLs containing archive file types and the corresponding client IPaddresses
making the connection.
URLs Containing Executable File Types

Displays URLs containing executable file types and the corresponding client IPaddresses
making the connection.
Virus Statistics
Details virus IDsand the corresponding sources of the viruses.
Class Reports
60
RSAenVision Reports
General Wireless Devices Reports

The Reports module includes the following standard reports for the Wireless Device
class.
Admin Operations
This report enumerates all of the administrative events.
Authentication Succeeded/Failure
This report enumerates all of the Authentication events.
Rogue AP Detection
This report enumerates all of the Rogue Accesspoint detections.
61
Class Reports
Standard Reports Audit

The Reports module includes the following standard system reports for the system
auditing function.
Configuration Changes by Action

Lists all the configuration changes with the specified action.
Runtime parameters - Action.
Configuration Changes by Date/Time

Lists all configuration changes made to enVision.
Configuration Changes by Object Type

Lists all configuration changes made against the specified object.
Runtime parameters - Object Type.
Configuration Changes by User

Lists all configuration changes made by the specified user.
Runtime parameters - User ID.
Report Access Activity by Date/Time

Lists all reports that have been either e-mailed or viewed and by whom (user names).
Report Access Activity by User

List all reports that the specified user has e-mailed or viewed.
Report E-mailing Activity by Date/Time

Lists all reports that have been e-mailed and by whom (user names).
Report E-mailing Activity by User

Lists all reports that the specified user has e-mailed.
Report Viewing Activity by Date/Time

Lists all reports that have been viewed and by whom (user names).
Class Reports
62
RSAenVision Reports
Report Viewing Activity by User

List all reports that the specified user has viewed.
User Session Activity by Date/Time

Lists all the successful and failed enVision logon and logoff attempts.
User Session Activity by User

Lists all the successful and failed enVision logon and logoff attempts by the specified
user.
63
Class Reports
Standard Reports System

The Reports module includes the following standard NIC System reports.
Appliance Disk Errors

Lists all of the appliance disk errors.
Appliance Operating Environment Errors

Lists all of the appliance operating environment errors.
Failed Terminal Server Logins to the Appliance

Lists all failed terminal server logon attempts to the appliance.
Failed enVision Logins

Lists all failed attempts to log on to enVision.
Monitored Device Collection Errors

Lists all errors in collection of data from monitored event sources.
Class Reports
64
RSAenVision Reports
Standard Reports Storage

The Reports module includes the following standard reports for the Storage class.

Lists configuration changes, grouped by event source.

Lists all events over a period of time.
Failed Logon Details

This report lists all the failed logon attempts to the filer.
File Access Summary by User

This report summarizes all the file access events by user.
Files Deleted
This report lists all the files deleted and the users who initiated the deletes.
Successful Logon Details

This report details all the successful logons during a chosen period.
Successful and Failed Authentications

Lists events relating to successful and failed authentications.
65
Class Reports
Compliance Reports
RSA enVision has standard compliance reports for various compliance issues.
l Basel II
l
Bill 198
Federal Information Security Management Act of 2002 (FISMA)
Gramm-Leach-Bliley Act (GLBA)
Good Practice Guide (GPG) 13
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
International Reports:
l
Basel II (Refreshed)
ISO 27002 (Refreshed)
Payment Card Industry (PCI) Data Security
ISO27002
Memo 22 Reports
North American Electric Reliability Council (NERC)
National Industrial Security Program Operating Manual (NISPOM)
Payment Card Industry (PCI) Data Security
Statement on Auditing Standards (SAS) No. 70 (SAS 70)
Sarbanes-Oxley Act of 2002
UK Reports: GPG-13 (Refreshed)
US Reports:
Compliance Reports
Bill 198 (Refreshed)
Family Educational Rights and Privacy Act (FERPA)
Federal Financial Institutions Examination Council (FFIEC)
Gramm-Leach-Bliley Act (GLBA) (Refreshed)
Health Insurance Portability and Accountability Act of 1996 (HIPAA)

(Refreshed)
North American Electric Reliability Council (NERC) (Refreshed)
Statement on Standards for Attestation Engagements (SSAE) No. 16 (SSAE 16)
Sarbanes-Oxley Act of 2002 (Refreshed)
66
RSAenVision Reports
Basel II - Compliance Reports

Basel II consists of recommendations by bank supervisors and central bankers to improve
the consistency of capital regulations internationally, make regulatory capital more risk
sensitive, and promote enhanced risk-management practices among international banking
organizations.
Computer Account Logon Activity

Lists all local and remote log on activity for all monitored Windows, HP- UX, AIX Unix,
Sun Solaris, Red Hat Linux, and Apple Mac OS X systems.
Computer Account Logon Activity - Windows Detail

Lists all log on activity for all monitored Windows domains and systems. This report is
specific to monitored Windows systems, but provides a greater level of detail than the
Computer Account Logon Activity report.
Computer Account Status by Account - Windows

Lists all log on activity for specific user accounts. The user accounts in question should
be listed as run time parameters.
Control ofCollected Evidence

Lists all changes and object level access Events to all collected evidence. This report
requires that all evidence be contained within directories included in a device group
called "Rules for Evidence", and that object level auditing be enabled on these
directories.
Control ofCollected Evidence - Windows Detail

directories. This report is specific to monitored Windows systems, but provides a greater
level of detail than the standard Control of Collected Evidence report.
Control of Human Resources Data

Lists all changes and object level access Events to the device group "HR". This report
requires that all software and Human Relations data be contained within a device group,
and object level auditing be enabled on the directories containing the Human Relations
data.
Control of Human Resources Data - Windows Detail

67
Compliance Reports
data. This report is specific to monitored Windows systems, but provides a greater level
of detail than the standard Control of Human Resources Data report.
Control of Operational Software

Lists all changes and object level access Events to the device group "Operational
Software". This report requires that all Operational Software be contained within a
device group, and object level auditing be enabled on the directories containing the
Operational Software and data.
Control of Operational Software - Windows Detail

Lists all changes and object level access events to the device group "Operational
Operational Software and data. This report is specific to Windows devices but provides
more detail than the standard Control of Operational Software report.
Control of System Audit Data

Lists all changes and object level access Events to the software and data used to perform
system audits. This report requires that the software, source data and result data be
contained within a device group, and object level auditing be enabled on the containing
directories.
Control of System Audit Data - Windows Detail

Lists all changes and object level access events to the software and data used to perform
directories. This report is specific to Windows devices but provides more detail that the
standard Control of System Audit Data report.
Control of System Test Data

Lists all changes and object level access Events to the systems and data used in the
testing of Operational Software security. This report requires that all system test data be
contained within a device group, and object level auditing be enabled on the directories
containing the system test software, source data and test results.
Control of System Test Data - Windows Detail

Compliance Reports
68
RSAenVision Reports
External Contractors Report

Lists all changes and object level access Events to the device group "External Contractor
Access". This report requires that all computers, software, source data and result findings
be contained within a device group, and object level auditing be enabled on the
directories containing this data.
External Contractors Report - Windows Detail

Financial Data Access

Lists all successful and failed access attempts for all financial data. This report requires
that all financial data be contained within a device group, and object level auditing be
enabled on the directories containing the financial data.
Financial Data Access - Windows Detail

Malicious Software Activity

Lists all malicious software activity for all monitored event sources.
Operation Change Control Report

Lists all configuration and policy changes for the Financial Operational infrastructure.
Operation Change Control Report - Windows Detail

This report is restricted to only Windows devices, but delivers a greater level of detail
than the standard Operation Change Control Report.
Password Changes and Expirations

Lists all manual and automatic password change and expiration events. This includes
Windows, Sun Solaris, Red Hat Linux, HP-UX, AIX and Apple Mac OS X operating
systems.
Source Code Access

Lists all changes and object level access Events to the device group "Source Code". This
report requires that the source code for all custom software and commercial software
69
Compliance Reports
customization be contained within a device group, and object level auditing be enabled on
the directories containing the source code.
Source Code Access - Windows Detail

User Activity from External Domains - Windows

Lists all activities of non-domain authenticated users. All authenticated domains are
identified in run time parameters.
Compliance Reports
70
RSAenVision Reports
Basel II - Compliance Reports (Refreshed)

Basel II consists of recommendations by bank supervisors and central bankers to improve
the consistency of capital regulations internationally, make regulatory capital more risk
sensitive, and promote enhanced risk-management practices among international banking
organizations.
RSA has refreshed some compliance reports, and reorganized their location in the
RSAenVision UI. These refreshed reports are available in the following path:
Reports >Compliance > International >BASEL II
Note: Unless otherwise specified, these compliance reports can only be used with the
following event sources:Microsoft Windows, IBMAIX, Hewlett-Packard UNIX,
Hewlett-Packard Open VMS, Linux, and Sun Solaris.
Accounts Created
Basel II; ISO 27002 - 11.1.1, 11.2.2, 11.4.6, 11.6.1: This report displays user accounts
that have been created.
Accounts Deleted
that have been deleted.
Accounts Modified
that have been modified.
Administrative Access to Financial Systems - Detail

Basel II; ISO 27002 - 10.10.4: This report displays all successful logons.
Administrative Access to Financial Systems - Summary

Basel II; ISO 27002 - 10.10.4: This report displays count of successful logons.
Change in Audit Settings

Note: This report can only be used with the Microsoft Windows event source.
Basel II; ISO 15408-2: This report displays all events that describes the audit settings that
were enabled or disabled by users.
71
Compliance Reports
Financial Data Access - Detail

Basel II: This report displays logs related to files accessed by users. The file names
containing Financial data can be added in the watchlist for a filtered view.
Financial Data Access - Summary

Basel II: This report displays count of files accessed by users. The file names containing
Financial data can be added in the watchlist for a filtered view.
Group Management
Basel II; ISO 27002 - 11.1.1, 11.2.2, 11.4.6, 11.6.1: This report displays log of events
containing information on changes to user groups.
Login Failures - Detail

Basel II; ISO 27002 - 11.5.1: This report displays all logon failures.
Login Failures - Summary

Basel II; ISO 27002 - 11.5.1: This report contains a count of all logon failures..
Password Changes
Basel II: This report contains logs of the accounts with password changes.
User Access Revoked

Basel II; ISO 27002 - 11.2.1: This report lists all rights removed from a user.
User Access to Financial Systems - Detail

Basel II; ISO 27002 -11.5.1: This report displays all successful logons.
User Access to Financial Systems - Summary

Basel II; ISO 27002 -11.5.1: This report displays count of successful logons.
User Account Management Bind Report

l Accounts Created
l Accounts Modified
l Accounts Deleted
Compliance Reports
72
RSAenVision Reports
Bill 198 - Compliance Reports

Bill 198 empowers the Ontario Securities Commission to develop guidelines to protect
investors in public Canadian companies by improving the accuracy and reliability of
corporate disclosures made pursuant to the securities laws.
Administrative Access to Financial Systems

Lists all log on and privileged access attempts by "administrator" or "SU" accounts.

Lists all local and remote log on activity for all monitored Windows, HP- UX, AIX Unix,
Sun Solaris, Red Hat Linux, and Apple Mac OS X systems.

Lists all log on activity for all monitored Windows domains and systems. This report is
specific to monitored Windows systems, but provides a greater level of detail than the
Computer Account Logon Activity report.

be listed as run time parameters, and multiple values can be specified by listing each
value in single quotes and separating them by commas.
Control ofCollected Evidence

directories.
Control ofCollected Evidence - Windows Detail


data.
73
Compliance Reports

data. This report is specific to monitored Windows systems, but provides a greater level
of detail than the standard Control of Human Resources Data report.

Lists all changes and object level access Events to the device group "Operational
Operational Software and data.

Lists all changes and object level access events to the device group "Operational
Operational Software and data. This report is specific to Windows devices but provides
more detail than the standard Control of Operational Software report.

Lists all changes and object level access Events to the software and data used to perform
directories.

directories. This report is specific to Windows devices but provides more detail that the
standard Control of System Audit Data report.

containing the system test software, source data, and test results.

Compliance Reports
74
RSAenVision Reports
containing the system test software, source data, and test results.
Disabled Accounts Report - Windows

Lists all user accounts that have been manually or automatically disabled in the requested
time period.


Financial Data Access

Financial Data Access - Windows Detail

Login and Authorization Failures

Lists all local and remote failed log on attempts to all monitored event sources in the
"Financial System" device group. This covers Windows, Sun Solaris, Red Hat Linux, HPUX, Apple Mac OS X, Nokia IPSO and IBM Mainframe (SMA_RT).

Lists all malicious software activity for all monitored event sources.

75
Compliance Reports

This report is restricted to only Windows devices, but delivers a greater level of detail
than the standard Operation Change Control Report.

systems.
Source Code Access



Lists all activities of non-domain authenticated users. All authenticated domains are
identified in run time parameters, and multiple domains can be contained within single
quotes and separated by commas..
Compliance Reports
76
RSAenVision Reports
Bill 198 - Compliance Reports (Refreshed)

Bill 198 empowers the Ontario Securities Commission to develop guidelines to protect
investors in public Canadian companies by improving the accuracy and reliability of
corporate disclosures made pursuant to the securities laws.
Reports >Compliance > CA >Bill 198
Accounts Created
Bill 198; ISO 27002 - 11.1.1, 11.2.2, 11.4.6, 11.6.1: An access control policy should be
developed and should state the access control rules and rights for all users and groups.
Both logical and physical access controls should be used. This report displays user
accounts that have been created.
Accounts Deleted
accounts that have been deleted.
Accounts Modified
accounts that have been modified.
Administrative Access to Financial Systems - Detail

Bill 198; ISO 27002 - 10.10.4: All activities by System Administrators and System
Operators should be logged. This report displays all successful logons.
Administrative Access to Financial Systems - Summary

Bill 198; ISO 27002 - 10.10.4:Management assessment of internal controls. All activities
by System Administrators and System Operators should be logged. This report displays
count of successful logons.
77
Compliance Reports

Bill 198; ISO 15408-2: The system should ensure that security policy enforcement
functions succeed before functions are allowed to proceed. This report displays all events
that describes the audit settings that were enabled / disabled by users.
Financial Data Access - Detail

Bill 198: This report displays logs related to files accessed by users. The file names
containing Financial data can be added in the watchlist for a filtered view.
Financial Data Access - Summary

Bill 198:This report displays count of files accessed by users. The file names containing
Financial data can be added in the watchlist for a filtered view.
Group Management
Both logical and physical access controls should be used. This report displays log of
events containing information on changes to user groups.
Login Failures - Detail

Bill 198; ISO 27002 - 11.5.1: All successful and unsuccessful logon attempts should be
recorded. This report displays all logon failures.
Login Failures - Summary

Bill 198; ISO 27002 - 11.5.1: All successful and unsuccessful logon attempts should be
recorded. This report contains a count of all logon failures.
Password Changes
Bill 198: This report contains logs of the accounts with password changes.
User Access Revoked

Bill 198; ISO 27002 - 11.2.1: Users who have changed jobs or left the organization should
have their access rights removed immediately. This report lists all rights removed from a
user.
Compliance Reports
78
RSAenVision Reports
User Access to Financial Systems - Detail

Bill 198; ISO 27002 -11.5.1: All successful and unsuccessful logon attempts should be
recorded. This report displays all successful logons.
User Access to Financial Systems - Summary

Bill 198; ISO 27002 -11.5.1: All successful and unsuccessful logon attempts should be
recorded.This report displays count of successful logons.

l Accounts Created
l Accounts Modified
l Accounts Deleted
79
Compliance Reports
Family Educational Rights and Privacy Act (FERPA) Compliance Reports

The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. 1232g; 34 CFR
Part 99) is a Federal law that protects the privacy of student education records. The law
applies to all schools that receive funds under an applicable program of the U.S.
Department of Education.
FERPA - Access to Student Records

This report displays logs related to files accessed by users. The file names containing
Student Record data can be added in the watchlist for a filtered view.
FERPA - Accounts Created

FERPA - Accounts Deleted

FERPA - Accounts Modified

FERPA - Administrative Access to FERPA Systems - Detail

This report displays all successful logons by administrators.
FERPA - Administrative Access to FERPA Systems - Summary

This report displays count of successful logons by administrators.
FERPA - Change in Audit Settings

This report displays all events that describes the audit settings that were enabled /
disabled by users.
FERPA - Escalation of Privileges

This report displays log of events containing information on escalation of privileges of
Compliance Reports
80
RSAenVision Reports
FERPA - Group Management

This report displays log of events containing information on changes to user groups.
FERPA - Logon Failures - Detail

This report contains log of all logon failures.
FERPA - Logon Failures - Summary

FERPA - Password Changes

FERPA - User Access Revoked

This report lists all rights removed from a user.
FERPA - User Access to FERPA Systems - Detail

This report displays all non-administrator successful logons.
FERPA - User Access to FERPA Systems - Summary

This report displays count of non-administrator successful logons.
FERPA- User Management Bind Report

l FERPA- Accounts Created
l FERPA- Accounts Deleted
l FERPA- Accounts Modified
81
Compliance Reports
Federal Financial Institutions Examination Council

(FFIEC) - Compliance Reports
The Federal Financial Institutions Examination Council (FFIEC) is a body of the United
States government empowered to prescribe principles, standards, and report forms for the
federal examination of financial institutions by the Board of Governors of the Federal
Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National
Credit Union Administration (NCUA), the Office of the Comptroller of the Currency
(OCC), Mergers & Acquisitions International Clearing (MAIC), and the Consumer
Financial Protection Bureau (CFPB). The following are reports in the RSAenVision
Platform that monitor your environment's compliance with these standards.
FFIEC- Accounts Created

FFIEC- Accounts Deleted

FFIEC- Accounts Modified

FFIEC- Administrative Access to Financial Systems - Detail

This report displays all successful logons.
FFIEC- Administrative Access to Financial Systems - Summary

This report displays count of successful logons.
FFIEC- Encryption Failures

This report displays log of encryption failures.
Note: This report can only be used with the following event sources:Cisco PIX, Cisco
ASA, Cisco Router, and Juniper Networks NetScreen.
FFIEC- Escalation of Privileges

Compliance Reports
82
RSAenVision Reports
FFIEC- Failed Remote Access - Detail

This report displays logs containing failed remote access details.
Note: This report can only be used with the following event sources: Cisco PIX, Cisco
ASA, Cisco VPN3000, Citrix NetScaler, Citrix Access Gateway, Juniper SSLVPN,
and Nortel VPNContivity.
FFIEC- Failed Remote Access - Summary

This report displays count of username based on failed no of remote accesses.
FFIEC- Firewall Configuration Changes

This report displays log of changes made to Firewall Configuration.
ASA, and Cisco Router.
FFIEC- Logon Failures - Detail

This report contains log of all logon failures.
FFIEC- Logon Failures - Summary

FFIEC- Password Changes

FFIEC- Router Configuration Changes

This report displays log of changes made to Router Configuration.
FFIEC- Successful Remote Access - Detail

This report displays logs containing successful remote access details.
83
Compliance Reports
FFIEC- Successful Remote Access - Summary

This report displays count of username based on successful no of remote accesses.
FFIEC- Successful Use of Encryption

This report displays logs which indicate successful use of encryptions.
ASA, Cisco Router, and Juniper Networks NetScreen.
FFIEC- User Access Revoked

FFIEC- User Account Management Bind Report

l FFIEC- Accounts Created
l FFIEC- Accounts Deleted
l FFIEC- Accounts Modified
Compliance Reports
84
RSAenVision Reports
Federal Information Security Management Act of 2002

(FISMA) - Compliance Reports
The Federal Information Security Management Act (FISMA)is designed to ensure
appropriate security controls for government information systems.
Access Control for Portable and Mobile Devices

Details the preventative measures that are taken before mobile devices are allowed to
connect to network resources.
Access Control Policy and Procedures

Details all configuration changes made to the access control policy and associated access
controls.
Access Enforcement
Details all changes made to access control policies, for example, identity-based policies,
role-based policies, and ruled-based policies, and associated access enforcement
mechanisms, for example, the access control list.
Account Management
Details all changes made to information system accounts, including establishing,
activating, modifying, reviewing, disabling, and removing accounts.
Accounts Created
NIST 800-53 AC-2: Ensure proper user identification and authentication management for
nonconsumer users and administrators on all system components. This report contains
logs of the accounts that were created.
Accounts Deleted
non-consumer users and administrators on all system components. This report contains
logs of the accounts that were deleted.
Accounts Modified
logs of the accounts that were modified.
85
Compliance Reports

NIST 800-53 AU-9: Configure system security parameters to prevent misuse. This report
displays all events that describe the audit settings that were enabled or disabled by users.
Collaborative Computing
For Windows Server 2008, Primary fields identify the account that requested the logon,
Client fields represent the user who logged on. For Windows Server 2003 events, the user
who logged on is identified by primary fields.
Configuration Change Control

Details all configuration changes made to monitored systems.
Cryptographic Key Establishment and Management
Encryption Key Generation and Changes

NIST 800-53 SC-12: Encrypt transmission of cardholder data across open, public
networks. This report displays log of activities related to the management of
cryptographic keys.
Failed Remote Access Detail

NIST 800-53 AC-17: This report displays logs containing failed remote access details.
Failed Remote Access Summary

NIST 800-53 AC-17: This report displays a count of usernames based on the number of
failed remote accesses.
Firewall Configuration Changes

NIST 800-53 CM-3: Follow change control processes and procedures for all changes to
system components. This report displays logs of changes made to firewall configurations.
Intrusion Detection Tools and Techniques

Summarizes the top IDS signatures detected from IDS systems.
Logon Failures Count

NIST 800-53 AC-8: Invalid logical access attempts. This report contains a count of all
logon failures.
Compliance Reports
86
RSAenVision Reports
Logon Failures Details

NIST 800-53 AC-7: Invalid logical access attempts. This report contains logs of all logon
failures.
Malicious Code Protection Detail

Details all malicious code instances detected on the network.
Malicious Code Protection Summary

Summarizes malicious code signatures detected on the network.
Mobile Code
Details all uses of mobile code within the information system. This includes Java,
JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and
VBScript.
Network Disconnects
Password Changes
NIST 800-53 IA-5: Ensure proper user identification and authentication management for
logs of the accounts with password changes.
Permitted Actions Without Identification or Authentication

Summarizes all actions that can be taken without user authentication.
Personal Termination - Windows

Details all user accounts that have been manually terminated or disabled.
Personal Termination - Windows Server 2003

Public Key Infrastructure Certificates
Remote Access Detail

Details all VPN connections, listing the duration of the connection, foreign host, and the
number of bytes.
87
Compliance Reports
Remote Access Summary

Summarizes all VPN connection activity by user name.
Router Configuration Changes

NIST 800-53 CM-3: Follow change control processes and procedures for all changes to
system components. This report displays the logs of changes made to router
configurations.
Session Lock - Windows

Details all session lock and unlock actions. Excessive lock and unlock actions may
indicate failure to log off systems when not in use.
Session Termination
Details all session terminations due to periods of inactivity.
Software and Information Integrity - Windows

Details all operating system and software configuration changes.
Spam and Spyware Protection Detail

Details all spam and spyware instances detected on the network.
Spyware Protection Summary

Summarizes the spyware signatures detected on the network.
Successful Remote Access Detail

NIST 800-53 AC-17: This report displays logs containing successful remote access
details.
Successful Remote Access Summary

NIST 800-53 AC-17: This report displays a count of usernames based on the number of
successful remote accesses.
Transmission Confidentiality
Details all encryption failures in transmission media configured to be encrypted.
Transmission Integrity
Details all successful encrypted transmissions.
Trusted Path
Compliance Reports
88
RSAenVision Reports
Unsuccessful Login Attempts

Details all unsuccessful log on attempts and account lockouts due to excessive failed log
ons.
Unsuccessful Login Summary

Summarizes all failed log on activity by user name.
Use Of Validated Cryptography

Lists all cryptographic operations where use of the cryptography failed or was disabled
by the user.

l Accounts Created
l Accounts Deleted
l Accounts Modified
User Identification And Authentication Detail

Details all successful log on attempts to monitored systems.
User Identification And Authentication Summary

Summarizes all user account log on activity by user name and the systems they are
logging on to.
User Installed Software

Details all software that has been installed on monitored systems.
89
Compliance Reports
GPG-13 - Compliance Reports

Good Practice Guide 13 defines requirements for protective monitoringfor example, the
use of intrusion detection and prevention systems (IDS/IPS)that local authorities must
comply with in order to prevent accidental or malicious data loss..
Security Even Logs Cleared

Details the preventative measures that are taken before mobile devices are allowed to
connect to network resources.
Firewall Privileged Command Execution

controls.
Network Configuration Changes

Process Start/Stop - Unix

Process Start/Stop - Windows

Restarts/Shutdown - Unix
Restarts/Shutdown - Windows
Successful Network Transaction Details

Summarizes the top IDS signatures detected from IDS systems.
Successful Network Transaction Summary

Compliance Reports
90
RSAenVision Reports
Access to Audited Files - Unix

Summarizes malicious code signatures detected on the network.
Access to Audited Files - Windows

Details all uses of mobile code within the information system. This includes Java,
JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and
VBScript.
Activity Detail Report

Activity Summary Report

Logon/Logoff - Unix
Logon/Logoff - Windows
User Account Changes - Unix

User Account Changes - Windows

number of bytes.
User Privilege Changes - Unix

User Privilege Changes - Windows

91
Compliance Reports
Good Practice Guide (GPG)13 Compliance Reports

(Refreshed)
Good Practice Guide 13 defines requirements for protective monitoringfor example, the
use of intrusion detection and prevention systems (IDS/IPS)that local authorities must
comply with in order to prevent accidental or malicious data loss..
Reports >Compliance > UK >GPG13
GPG13 - Access to Audited Data

PMC7: Recording of session activity by user and workstation. This report displays logs
related to files accessed by users. The file names of interest can be added in the
watchlist for a filtered view.
Note: This report can only be used with the Microsoft Windows event source. For the
Windows security policy, you must enable Audit Object Access.
Note: You must have a watchlist that contains the paths of all the files with sensitive
data.
GPG13 - Accounts Created

PMC7: Recording of session activity by user and workstation. This report contains logs of
the accounts that were.
GPG13 - Accounts Deleted

GPG13 - Accounts Modified

Compliance Reports
92
RSAenVision Reports
GPG13 - Administrator Access to GPG13 Systems - Detail

PMC7: Recording of session activity by user and workstation.This report displays all
successful logons.
GPG13 - Administrator Access to GPG13 Systems - Summary

PMC7: Recording of session activity by user and workstation.This report displays count
of successful logons.
GPG13 - Escalation of Privileges

PMC7: Recording of session activity by user and workstation. This report displays log of
events containing information on escalation of privileges of accounts to perform
administrative tasks.
GPG13 - Failed Remote Access - Detail

PMC6: Recording relating to network connections. This report displays logs containing
failed remote access details.
ASA, Cisco VPN 3000, Citrix NetScaler, Citrix Access Gateway, Juniper SSL VPN,
and Nortel VPN Contivity.
GPG13 - Firewall Configuration Changes

PMC4: Recording of workstation, server or device status.This report displays log of
changes made to Firewall.
Note: This report can only be used with the following event sources:Cisco PIX and
Cisco ASA.
GPG13 - Group Management

PMC7: Recording of session activity by user and workstation. This report displays log of
events containing information on changes to user groups.
GPG13 - Internal Network Traffic

PMC5: Recording relating to suspicious internal network activity.This report displays
traffic on the network.
Cisco ASA.
93
Compliance Reports
GPG13 - Logon Failures - Detail

PMC7: Recording of session activity by user and workstation. This report contains log of
all logon failures.
GPG13 - Logon Failures - Summary

PMC7: Recording of session activity by user and workstation. This report contains a
count of all logon failures.
GPG13 - Perimeter Network Traffic

PMC2: Recording relating to business traffic crossing a boundary. This report displays
traffic on the network.
Cisco ASA.
GPG13 - Router Configuration Changes

PMC4: Recording of workstation, server or device status. This report displays log of
changes made to Router.
Note: This report can only be used with the Cisco Router event source.
GPG13 - Successful Remote Access - Detail

PMC6: Recording relating to network connections. This report displays logs containing
successful remote access.
ASA, Cisco VPN 3000, Citrix NetScaler, Citrix Access Gateway, Juniper SSL VPN,
and Nortel VPN Contivity.
GPG13 - System Clock Synchronization

PMC1: Accurate time in logs. This report displays log of success and failure of system
clock synchronization.
GPG13 - User Access to GPG13 Systems - Detail

PMC7: Recording of session activity by user and workstation.This report displays all
successful logons.
GPG13 - User Access to GPG13 Systems - Summary

PMC7: Recording of session activity by user and workstation.This report displays count
of successful logons.
Compliance Reports
94
RSAenVision Reports
GPG13 - User Account Management Bind Report

l GPG13 - Accounts Created
l GPG13 - Accounts Modified
l GPG13 - Accounts Deleted
95
Compliance Reports
Gramm- Leach- Bliley Act (GLBA) - Compliance

Reports
The Gramm-Leach-Bliley Act (GLBA) requires companies defined under the law as
financial institutions to ensure the security and confidentiality of this type of
information. As part of its implementation of GLBA, the Federal Trade Commission
(FTC) issued the Safeguards Rule, which requires financial institutions under FTC
jurisdiction to have measures in place to keep customer information secure.
Access Control Changes - Windows

Displays all successful file access attempts to file objects in the "GLBA" device group.
Access Control Summary

Summarizes all user account log on activity by user name and the systems they are
logging on to.
Anti - Virus Update Procedures

Lists all update procedures for Anti-virus systems.
Lists all configuration and policy changes for devices in the "GLBA" device group.
Encryption Failures
Lists all cryptographic operations where use of the cryptography failed or was disabled
by the user.
Malicious Code and Spyware Detail

Malicious Code and Spyware Summary

Summarizes malicious code signatures detected on monitored device in the "GLBA"
device group.
Network Traffic Summary

Summarizes all successful network traffic between monitored systems.
Outbound Port Traffic Summary

Summarizes all outbound traffic by destination. GLBA requires that all outbound traffic
be restricted to what is necessary for the business operations.
Compliance Reports
96
RSAenVision Reports
Password Change Details

Details all password change events on monitored systems in the "GLBA" device group.
Password Change Summary

Summarizes all password change events by user name and system for monitored system
in the "GLBA" device group.
Remote Access Detail

number of bytes.
Remote Access Summary

Successful Use of Encryption

Details the successful use of encryption for network data transfers.
Terminated Employee Details

Details all user ID removal events.
Workstation Lock Details

97
Compliance Reports
Gramm- Leach- Bliley Act (GLBA) - Compliance

Reports (Refreshed)
The Gramm-Leach-Bliley Act (GLBA) requires companies defined under the law as
financial institutions to ensure the security and confidentiality of this type of
information. As part of its implementation of GLBA, the Federal Trade Commission
(FTC) issued the Safeguards Rule, which requires financial institutions under FTC
jurisdiction to have measures in place to keep customer information secure.
Reports >Compliance > US >GLBA
Accounts Created
Note: This report supports the Microsoft Windows event source.
GLBA 15 USC, Subchapter I, 6801 (b) (2): Financial institutions safeguards. This report
contains logs of the accounts that were created.
Accounts Deleted
contains logs of the accounts that were deleted.
Accounts Modified
contains logs of the accounts that were modified.
Anti-Virus Signature Update

Note: This report supports the following event sources:CA Integrated Threat
Management, Kaspersky Anti-Virus, and Symantec Endpoint Protection.
displays the logs of anti-virus signature updates.
Compliance Reports
98
RSAenVision Reports

displays all events that describe the audit settings that were enabled or disabled by users.
Encryption Failures
Note: This report supports the following event sources:Cisco PIX, Cisco ASA, Cisco
Router, and Juniper Networks NetScreen Firewall.
displays the logs of encryption failures that have occurred.
Failed Remote Access Detail

Note: This report supports the following event sources:Cisco PIX and Cisco ASA.
GLBA 15 USC, Subchapter I, 6801 (b) (2): Financial institutions safeguards This report
displays logs containing failed remote access details.

displays count of username based on failed no of remote accesses.
Group Management
displays the log of events containing information on changes to user groups.
Inbound Network Traffic

displays inbound traffic on the network, and can be filtered to specific IP addresses based
on user input.
99
Compliance Reports
Outbound Network Traffic

displays outbound traffic on the network, and can be filtered to specific IP addresses
based on user input.
Password Changes Summary

Note: This report supports the following event sources:Microsoft Windows, IBMAIX,
Hewlett-Packard UNIX, Linux, and Sun Solaris.
contains the count of the usernames that made password changes.
Password Changes
contains logs of the accounts with password changes.

displays logs containing successful remote access details.

Note: Note:This report supports the following event sources:Cisco PIX and Cisco
ASA.
displays a count of usernames based on the successful number of remote accesses.

Note: This report supports the following event sources:Cisco PIX, Cisco ASA, and
Cisco Router.
Compliance Reports
100
RSAenVision Reports
displays logs which indicate successful use of encryptions.
User Access Revoked

lists all rights removed from a user.
User Accounts Management Bind Report

l Account Created
l Accounts Deleted
l Accounts Modified
101
Compliance Reports
Health Insurance Portability and Accountability Act of

1996 (HIPAA) - Compliance Reports
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates that
providers, health plans, clearinghouses, and their business associates establish
appropriate administrative, technical, and physical safeguards to protect the privacy and
security of sensitive health information.
Access Authorization
This report lists all login Events for monitored Windows, Unix, Linux and AIX
computers. The HIPAA device group should be selected when running this report. Only
For event ID 4624 in Microsoft Windows Server 2008, the column Primary Username
identifies the user that requested the logon while the column Logon Account Name
represents the user who logged on.
Access Authorization - Windows Detail

This report shows detailed information about all login Events on monitored Windows
computers. The HIPAA device group should be selected when running this report. Only
For event ID 4624 in Microsoft Windows Server 2008, the column Primary Username
identifies the user that requested the logon while the column Logon Account Name
represents the user who logged on.
Access Establishment and Modification - Windows Detail

This report lists all configuration and policy changes that could result in increased access
to ePHI data. The HIPAA device group should be selected when running this report.
Access Establishment and Modification - Windows Server 2003 Detail

This report lists all configuration and policy changes that could result in increased access
to ePHI data. The HIPAA device group should be selected when running this report.
Alerts Under Investigation by Date and Time

This report is a listing of all alerts under investigation in the database sorted by the time
they occurred.
Alerts Under Investigation by View

This report shows all alerts under investigation that have been in a particular view. The
name of the view to be reported on should be specified as a run time parameter.
Automatic Workstation Logoffs - Windows

Workstation Use requires that users log off their workstations when not in use. This
report displays all Type 3 automatic logoff Events, which constitute a violation of this
Compliance Reports
102
RSAenVision Reports
policy.
Failed Logon Attempts to ePHI Systems

All failed login attempts to Windows devices in the HIPAA device group. Only For event
ID 4625 in Microsoft Windows Server 2008, the column Primary Username identifies the
user that requested the logon while the column Logon Account Name represents the user
who tried to log on.
Login Attempts by Unauthorized Accounts - Windows

This report displays all failed login attempts by unauthorized accounts. Reasons for login
failure include a bad username or the account being locked, disabled or expired.
Manual Workstation Logoffs - Windows

report displays all manual logoff Events, which constitutes adherence with this policy.

This report lists all password changes and expirations on Windows devices in the HIPAA
device group.
Password Changes and Expirations - Windows Server 2003

This report lists all password changes and expirations on Windows devices in the HIPAA
device group.
Resolved Alerts by Date and Time

This report is a listing of all alerts in the database that have a status of resolved. They are
sorted by the time they occurred.
Resolved Alerts by View

report displays all manual logoff Events, which constitutes adherence with this policy.
ePHI Access Report

Object Level Access to all directories containing electronic Personal Health Information.
ePHI Access Report - Windows Detail

Object level audit report for Windows directories containing electronic Personal Health
Information.
103
Compliance Reports
ePHI Access Report by Administrative Users

This report shows all logon and privileged access attempts by "SU" or "SUDO" or
Windows "Administrator" accounts. For Event ID 520 in Windows, the Column Primary
Username will identify the local system if system time was changed automatically;
otherwise will correspond to local system.
Compliance Reports
104
RSAenVision Reports
Health Insurance Portability and Accountability Act of

1996 (HIPAA) - Compliance Reports (Refreshed)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates that
providers, health plans, clearinghouses, and their business associates establish
appropriate administrative, technical, and physical safeguards to protect the privacy and
security of sensitive health information.
Access to ePHI Data

confidential ePHI (electronic Personal Health Information) data can be added in the
watchlist for a filtered view.
Accounts Created
This report shows detailed information about all HIPAA-related accounts that were
created.
Accounts Deleted
This report shows detailed information about all HIPAA-related accounts that have been
deleted.
Accounts Modified
This report shows detailed information about all HIPAA-related accounts that have been
changed.
Administrative Access to HIPAASystems - Detail

This report displays the details of all successful logons by administrators.
Administrative Access to HIPAASystems - Summary

This report displays the count of all successful logons by administrators.

This report displays all events that contain information about audit settings that were
changed (enabled or disabled) by users.
Escalation of Privileges
Group Management
This report displays log of events containing information on changes to user groups
105
Compliance Reports
Logon Failures - Details

This report contains the details of all logon failures.
Logon Failures - Summary

Password Changes
This report contains logs of the accounts that have password changes.
User Access Revoked

User Access to HIPAASystems - Detail

This report displays all non-administrator successful logons.
User Access to HIPAASystems - Summary

This report displays a count of all non-administrator successful logons.
User Management Bind Report

A binding report that consists of the Accounts Created, Accounts Deleted, and Accounts
Modified reports.
Compliance Reports
106
RSAenVision Reports
ISO 27002 - Compliance Reports

ISO 27002 establishes guidelines and general principles for initiating, implementing,
maintaining and improving information security management in an organization. ISO
27002 is used as the foundation and technical guidelines for many international and
industry compliance standards and are generally good practices for all organizations.

This report lists all local and remote logon activity for all monitored Windows, HP-UX,
AIX Unix, Sun Solaris, Red Hat Linux and Apple Mac OS X systems.

This report lists all logon activity for all monitored Windows domains and systems. This
report is specific to monitored Windows systems, but provides a greater level of detail
than the Computer Account Logon Activity report.

This report lists all logon activity for specific user accounts. The user accounts in
question should be listed as run time parameters.
Control of Collected Evidence

This report lists all changes and object level access Events to all collected evidence. This
report requires that all evidence be contained within directories included in a device
group called "Rules for Evidence", and that object level auditing be enabled on these
directories.
Control of Collected Evidence - Windows Detail

This report lists all changes and object level access Events to all collected evidence. This
report requires that all evidence be contained within directories included in a device
group called "Rules for Evidence", and that object level auditing be enabled on these

This report lists all changes and object level access Events to the device group "HR".
This report requires that all software and Human Relations data be contained within a
Human Relations data.

This report lists all changes and object level access Events to the device group "HR".
This report requires that all software and Human Relations data be contained within a
107
Compliance Reports
Human Relations data. This report is specific to monitored Windows systems, but
provides a greater level of detail than the standard Control of Human Resources Data
report.

This report lists all changes and object level access Events to the device group
"Operational Software". This report requires that all Operational Software be contained
within a device group, and object level auditing be enabled on the directories containing
the Operational Software and data.

This report lists all changes and object level access events to the device group
"Operational Software". This report requires that all Operational Software be contained
within a device group, and object level auditing be enabled on the directories containing
the Operational Software and data. This report is specific to Windows devices but
provides more detail than the standard Control of Operational Software report.

This report lists all changes and object level access Events to the software and data used
to perform system audits. This report requires that the software, source data and result
data be contained within a device group, and object level auditing be enabled on the
containing directories.

This report lists all changes and object level access events to the software and data used
to perform system audits. This report requires that the software, source data and result
containing directories. This report is specific to Windows devices but provides more
detail that the standard Control of System Audit Data report.

This report lists all changes and object level access Events to the systems and data used
in the testing of Operational Software security. This report requires that all system test
directories containing the system test software, source data and test results.

This report lists all changes and object level access Events to the systems and data used
in the testing of Operational Software security. This report requires that all system test
directories containing the system test software, source data and test results.
Compliance Reports
108
RSAenVision Reports

This report lists all changes and object level access Events to the device group "External
Contractor Access". This report requires that all computers, software, source data and
result findings be contained within a device group, and object level auditing be enabled on
the directories containing this data.

This report lists all changes and object level access Events to the device group "External
Contractor Access". This report requires that all computers, software, source data and

This report lists all malicious software activity for all monitored devices.

This report lists all configuration and policy changes for the Application System
infrastructure.

This report lists all configuration and policy changes for the Application System
infrastructure. This report is restricted to only Windows devices, but delivers a greater
level of detail than the standard "Operation Change Control Report."

systems.
Source Code Access

This report lists all changes and object level access events to the device group "Source
Code."

This report lists all changes and object level access events to the device group "Source
Code."

This report details all activities of non-domain authenticated users. All authenticated
domains are identified in run time parameters.
109
Compliance Reports
Compliance Reports
110
RSAenVision Reports
ISO 27002 - Compliance Reports (Refreshed)

ISO 27002 establishes guidelines and general principles for initiating, implementing,
maintaining and improving information security management in an organization. ISO
27002 is used as the foundation and technical guidelines for many international and
industry compliance standards and are generally good practices for all organizations.
Reports >Compliance > International >ISO 27002-2005
Accounts Created
ISO 27002:2005 11.2.1: A formal process should be in place for the granting and revoking
of access to information systems. This report contains logs of the accounts that were
created.
Accounts Deleted
deleted.
AccountsModified
modified.
Anti-virus Signature Update

ISO 27002:2005 10.4.1: The software should be set up to automatically download and
update signature files to ensure the protection is kept up to date. This report displays log
of anti-virus signature update.

ISO 27002:2005 12.52;12.53: When the operating system is changed, all critical
applications should be tested and reviewed to ensure there are no adverse impacts on
operations or security. This report displays all events that describes the audit settings that
were enabled / disabled by users.
Encryption Failures
ISO 27002:2005 15.1.6: Cryptographic controls should be in compliance with all laws and
regulations. This report displays log of encryption failures occurred.
111
Compliance Reports
Encryption Key Generation and Changes

ISO 27002:2005 12.3.2: Key-management techniques should be in place. All keys should
be protected against modification, loss, destruction, and unauthorized disclosure. This
report displays log of activities related to the management of cryptographic key.
Escalation of Privileges
ISO 27002:2005 10.10.4: All activities by System Administrators and System Operators
should be logged. This report displays log of events containing information on escalation
of privileges of accounts to perform administrative tasks.
Failed Remote Access Details

ISO 27002:2005 11.7.2: Operational procedures and plans should be developed for use by
teleworking employees. This report displays logs containing failed remote access details.

teleworking employees. This report displays count of username based on failed no of
remote accesses.
Firewall Configuration Changes

operations or security. This report displays log of changes made to Firewall
Configuration.
Firmware Changes on Wireless Devices

operations or security. This report displays log of firmware updated on all wireless
devices.
Logon Failures Detail

ISO 27002:2005 11.5.1: All successful and unsuccessful logon attempts should be
recorded. This report contains log of all logon failures.
Logon Failures Summary

recorded. This report contains a count of all logon failures.
Compliance Reports
112
RSAenVision Reports
Password Changes
ISO 27002:2005 11.3.1: Passwords should be changed on a regular basis and when there
is an indication of compromise. This report contains logs of the accounts with password
changes.
Router Configuration Changes

operations or security. This report displays log of changes made to Router Configuration.
Successful Administrative Logons Detail

Successful Administrative Logons Summary

recorded. This report displays count of successful logons.

teleworking employees. This report displays logs containing successful remote access
details.

teleworking employees. This report displays count of username based on successful no of
remote accesses.

ISO 27002:2005 15.1.6: Cryptographic controls should be in compliance with all laws and
regulations. This report displays logs which indicate successful use of encryptions.
Successful User Logons Detail

Successful User Logons Summary

recorded. This report displays count of successful logons.
113
Compliance Reports
System Clock Synchronization

ISO 27002:2005 10.10.6: All system clocks should be automatically synchronized with an
accurate time source. This report displays log of success and failure of system clock
synchronization.
User Access Revoked

of access to information systems. This report lists all rights removed from a user.

l Accounts Created
l Accounts Modified
l Accounts Deleted
User Session Terminated - Idle Session

ISO 27002:2005 11.5.5: Inactive sessions should be shut down after a period of time. This
report displays log of accounts that were logged out due to the session being idle.
Compliance Reports
114
RSAenVision Reports
Memo 22 Reports
Memo 22 is a risk management and accreditation of information system standard that
applies to all UK National Infrastructure Security systems. This standard defines major
security threats and the associated security requirements.
Access to Audited Files - Unix

controls.
Access to Audited Files - Windows

Activity Detail Report

Activity Summary Report

Correlation Alert History

Firewall Privileged Command Execution

Logon/Logoff - Unix
Logon/Logoff - Windows
115
Compliance Reports
Network Configuration Changes

Process Start/Stop - Unix

Process Start/Stop - Windows

Restarts/Shutdown - Unix
Restarts/Shutdown - Windows
Security Event Logs Cleared

Successful Network Transaction Details

Successful Network Transaction Summary

User Account Changes - Unix

User Account Changes - Windows

Compliance Reports
116
RSAenVision Reports
User Privileged Changes - Unix

User Privileged Changes - Windows

Windows Security Events

117
Compliance Reports
NERC CIPReports
The Reports module includes the following North American Electric Reliability
Corporation Compliance reports.
NERC CIP 002 R3 Critical Cyber Asset Identification

Description
This report displays a list of all Critical Cyber Assets (CCA).

l EventTime Date or time of the occurrence of the event as recorded by the
system that generated it
Output Inference
Host Hostname of the event origination device
Device IP address of the event source
ObjectType Lists the changed object, such as a physical interface or a port
NERC CIP 003 R6 Change Configuration to Critical Cyber Assets

Description
Output Inference
Compliance Reports
This report displays a list of all configuration changes to Critical Cyber Assets
(CCA).
l
Event Category Name
UserName Account name
Action Action taken or proposed to be taken
Category Category of the event
ObjectName Name of the object
ObjectType Lists the changed object, such as a physical interface or a

network port
ObjectAttribute
ChangeNewValue New value of an attribute or object in a change event
ChangeOldValue Prior value of an attribute or object in a change event
118
RSAenVision Reports
NERC CIP 004 R4.2 Account Access Monitoring for Critical

Cyber Assets
This report displays access information from Cisco Access Control Server
(ACS) to create a list of authorized user IDs.
Description
Output Inference
SourceAddress Source IP address of the event origination
Version Information about Cisco ACS
LogonType Type of logon
UserID Unique user identifier that is associated with the username
NERC CIP 005 R2.1 Denied Access to Critical Cyber Assets

This report displays a list of denied access events to Critical Cyber Assets
(CCA).
Description
Output Inference
MessageID
SourceAddress Source IP address of the event origination
EventDescription Detailed description of the event, which typically

includes additional specific details that would not be captured in a separate
column
LogonType Type of logon
Fail Reason
NERC CIP 005 R2.2 Port Configuration Changes

Description
This report displays all types of network and physical port configuration
changes in order to create a list for the same using data from the Cisco LAN
Management Solution (LMS) device.
l
IPAddress Event source IP address
Host Information about Cisco LMS
ObjectType Lists the changed object, such as a physical interface or a

network port
Output Inference
119
Compliance Reports
Compliance Reports

column
120
RSAenVision Reports
NERC CIP 005 R2.4 External Access Monitoring for Critical

Cyber Assets
This report lists all external usernames that successfully pass authentication
using data from Cisco Access Control Server (ACS).
Description
Version Information about Cisco ACS
IPAddress Event source IP address
HostID Host identifier
NetworkServiceName Name of the external authentication service

usedAccount name

column
AuthenticationMethod Any other authentication methods used by the

authentication service
Output Inference
NERC CIP 005 R3.2 Account Access Monitoring for the Electronic
Security Perimeter
Description
Output Inference
121
This report identifies both successful and failed login attempts to the
Electronic Security Perimeter (ESP).
l
DeviceID
SessionID
Fail Reason
EventCategoryName
Network Device Group
Compliance Reports
NERC CIP 007 R2 Ports and Services

This report displays a list of all open and close port modifications within the
Critical Cyber Asset Infrastructure.
Description
Device Event Source IP address
Category Category of the event
Username Actor in the event

column
ObjectType Lists the changed object, such as a physical interface or a port
ObjectName Name of the object
Action Action taken or proposed to be taken
ChangeAttribute Attribute for which the value was changed
Output Inference
NERC CIP 007 R5 Account Management

Description
This report tracks user account changes.

Output Inference

column
ReferenceID ID for reference
SourceAddress Admin IP address
Version ACS version
Username Actor in the event
Logon Type Admin interface
Information Additional information about the event
The Reports module includes the following North American Electric Reliability
Corporation Compliance reports.
Compliance Reports
122
RSAenVision Reports
CIP - Access to Critical Cyber Asset Information

NERC CIP-003-4 R3: The Responsible Entity shall implement and document a program
to identify, classify and protect information associated with Critical Cyber Assets. This
report displays logs related to files accessed by users. The file names containing
confidential information / Card holder data can be added in the watchlist for a filtered
view.
This report is only compatible with Microsoft Windows.
CIP - Accounts Created

NERC CIP-007-4 R5.1.1: The Responsible Entity shall ensure that user accounts are
implemented as approved by designated personnel. This report contains logs of the
accounts that were created.
This report is only compatible with Microsoft Windows, IBMAIX, Hewlett-Packard
UNIX, Hewlett-Packard Open VMS, Linux, and Sun Solaris.
CIP - Accounts Deleted

accounts that were deleted.
CIP - Accounts Modified

accounts that were modified.
CIP - Administrative Access to Critical Cyber Assets - Detail

NERC CIP-007-4 R5.1.2: The Responsible Entity shall establish methods, processes, and
procedures that generate logs of sufficient detail to create historical audit trails of
individual user account access activity. This report displays all successful logons.
CIP - Administrative Access to Critical Cyber Assets - Summary

123
Compliance Reports
individual user account access activity. This report displays count of successful logons.
CIP - Anti-virus Signature Update

NERC CIP-007-4 R4.2: The Responsible Entity shall document and implement a process
for the update of anti-virus and malware prevention "signatures". This report displays log
of anti-virus signature update.
This report is only compatible with Symantec Anti-Virus, CAIntegrated Threat
Management, and Kaspersky Anti-Virus.
CIP - Escalation of Privileges

NERC CIP-004-4 R4.1: The Responsible Entity shall review the lists of its personnel...or
any change in the access rights of such personnel. This report displays log of events
containing information on escalation of privileges of accounts to perform administrative
tasks.
UNIX, Linux, and Sun Solaris.
CIP - Failed Remote Access Detail

NERC CIP-005-4a R3.2: Where technically feasible, the security monitoring processes
shall detect and alert for attempts at or actual unauthorized accesses. This report displays
logs containing failed remote access details.
This report is only compatible with Cisco PIXand Cisco ASA.
CIP - Failed Remote Access Summary

shall detect and alert for attempts at or actual unauthorized accesses. This report displays
count of username based on failed no of remote accesses.
CIP - Firewall Configuration Changes

NERC CIP-003-4 R6: Change Control and Configuration Management. This report
displays log of changes made to Firewall Configuration.
This report is only compatible with Cisco PIX, Cisco ASA, Cisco Router, and AirMagnet
Enterprise.
Compliance Reports
124
RSAenVision Reports
CIP - Firmware Changes on Wireless Devices

displays log of firmware updated on all wireless devices.
Enterprise.
125
Compliance Reports
CIP - Group Management

implemented as approved by designated personnel. This report displays log of events
containing information on changes to user groups.
CIP - Logon Failures - Detail

shall detect and alert for attempts at or actual unauthorized accesses. This report contains
log of all logon failures.
CIP - Logon Failures - Summary

shall detect and alert for attempts at or actual unauthorized accesses. This report contains
a count of all logon failures.
CIP - Router Configuration Changes

displays log of changes made to Router Configuration.
Enterprise.
CIP - Successful Remote Access Detail

NERC CIP-005-4a R3: Monitoring Electronic Access. This report displays logs
containing successful remote access details.
CIP - Successful Remote Access Summary

NERC CIP-005-4a R3: Monitoring Electronic Access: This report displays count of
username based on successful no of remote accesses.
Compliance Reports
126
RSAenVision Reports
CIP - User Access to Critical Cyber Assets - Detail

individual user account access activity. This report displays all successful logons.
CIP - User Access to Critical Cyber Assets - Summary

individual user account access activity. This report displays count of successful logons.
CIP - User Access Revoked

NERC CIP-004-4 R4.2: The Responsible Entity shall Revoke such access to Critical
Cyber Assets within 24 hours for personnel terminated for cause and within seven
calendar days for personnel who no longer require such access to Critical Cyber Assets.
127
Compliance Reports
National Industrial Security Program Operating Manual

(NISPOM) - Compliance Reports
The National Industrial Security Program Operating Manual (NISPOM) developed by the
Department of Defense, sets comprehensive standards for protecting classified data. All
government agencies and commercial contractors who have access to classified data are
required to implement system protection processes to ensure continued availability and
integrity of this data, and prevent its unauthorized disclosure. These regulations apply to
systems used in the capture, creation, storage, processing or distribution of restricted
information.
Access Control List Changes

This report details changes to access control lists on monitored devices.
Configuration Management
This report details all configuration changes made to monitored systems.
Controlled Interface Requirements - Communication Summary

This report summarizes all successful network traffic between monitored systems.
Data Transmission Encryption Requirements

This report details all failed encrypted traffic events due to invalid encryption methods.
Data Transmission Encryption Summary

This report summarizes all encrypted traffic by source and destination.
Discretionary Access Control Summary

This report summarizes successful user access attempts to monitored systems.
Malicious Code Protection Detail

This report details all malicious code instances detected on the network.
Malicious Code Protection Summary

This report summarizes malicious code signatures detected on the network.
Password Change Events - Detail

This report details all password change events on monitored systems.
Password Change Events - Summary

This report summarizes all password change events by username and system.
Compliance Reports
128
RSAenVision Reports
Session Controls - Successive Logon Attempts - Windows

This report details all automatic account lockouts due to excessive logon failures
Standard Authenticator Password Changes

This report details all password change events for standard authenticator accounts on
monitored systems.
User ID Removal
This report details all user id removal events.
129
Compliance Reports
Payment Card Industry (PCI) 1.0 - Compliance Reports

The Payment Card Industry (PCI) Data Security Standard applies to all payment card
industry members, merchants, and service providers that store, process or transmit
payment cardholder data. Additionally, these security requirements apply to all "system
components" - any network component, server, or application included in, or connected
to, the cardholder data environment.
PCI - Access to All Audit Trails

This report displays all successful logins to enVision.
PCI- Administrative Privilege Escalation - Unix &Linux

This report displays all successful administrative privilege escalations on monitored Unix
and Linux systems.
PCI - All Actions by Individuals with Root or Administrative Privileges - Unix &Linux
This report displays all actions taken by users logged in as 'root'. This report should be
modified to include any additional usernames that have been granted full administrative
privileges in your environment.
PCI - All Actions by Individuals with Root or Administrative Privileges - Windows

This report displays all actions taken by users logged in as 'administrator'. This report
should be modified to include any additional usernames that have been granted full
administrative privileges in your environment.
PCI- Anti-Virus Update Procedures

This report lists all update procedures for Anti-virus systems.
PCI - Encrypted Transmission Failures

This report lists all cryptographic operations where use of the cryptography failed or was
disabled by the user.
PCI- Encryption Key Generation and Changes

This report details all the generation and period changing of encryption keys used in the
secure storage and transfer of payment card data.
PCI- Firewall Configuration Changes

This report displays all configuration changes made to firewalls within the PCI device
group.
PCI- Inbound Network Traffic on non-standard ports - Detail

This report details all inbound Internet traffic not on ports 80, 22, 443 and 1723.
Compliance Reports
130
RSAenVision Reports
PCI- Inbound Network Traffic on non-standard ports - Summary

This report summarizes all inbound Internet traffic not on ports 80, 22, 443 and 1723 by
the destination IP address.
PCI - Individual User Accesses to Cardholder Data - Mainframes

This report displays all successful file access attempts to file objects in the "Cardholder
Data" device group.
PCI - Individual User Accesses to Cardholder Data - Windows

This report displays all successful file access attempts to file objects in the "Cardholder
Data" device group.
PCI- Initialization of Audit Logs

This report shows the initialization of audit logs in Windows, Solaris, Linux, AIX and
HP-UX operating systems.
PCI - Invalid Logical Access Attempts - ACLDenied Summary

This report displays all access attempts that have been denied due to access control list
restrictions.
PCI - Invalid Logical Access Attempts - Mainframes

This report displays all access attempts that have been denied due to access control list
restrictions.
PCI- Outbound Network Traffic - Detail

This report details all outbound traffic for a specific internal IP Address. The IP Address
in question should be entered as a run-time parameter.
PCI- Outbound Network Traffic - Summary

This report summarizes all outbound traffic by destination. PCI requires that all outbound
traffic be restricted to what is necessary for the payment card environment.
PCI - Router Configuration Changes

This report displays all configuration changes made to routers within the PCI device
group.
PCI - Traffic to Non-Standard Ports - Detail

This report details all firewall traffic on ports other than 80, 22, 443 and 1723 to the IP
address specified as a run time parameter. This report can be modified to include the
ports not directly justified by PCI.
131
Compliance Reports
PCI - Traffic to Non-Standard Ports - Summary

This report summarizes all firewall traffic not on ports 80, 22, 443 and 1723 to destination
computer where the port used is not directly justified by PCI.
Compliance Reports
132
RSAenVision Reports
Payment Card Industry (PCI) 2.0 - Compliance Reports

The Payment Card Industry (PCI) Data Security Standard applies to all payment card
industry members, merchants, and service providers that store, process or transmit
payment cardholder data. Additionally, these security requirements apply to all "system
components" - any network component, server, or application included in, or connected
to, the cardholder data environment.
PCI - Access to Card holder Data

confidential information / Card holder data can be added in the watchlist for a filtered
view.
Note: This report can only be used with the Microsoft Windows event source. For the
Windows security policy, you must enable Audit Object Access.
Note: You must have a watchlist that contains the paths of all the files with sensitive
data.
PCI - Accounts Created

This report ensures proper user identification and authentication management for users
that are non-consumers and administrators on all systems components..
Note: This report can only be used with the following event sources:Microsoft
Windows, IBMAIX, Hewlett-Packard UNIX, Hewlett-Packard Open VMS, Linux, and
Sun Solaris.
PCI - Accounts Deleted

The purpose of this report is to ensures proper user identification and authentication
management for non-consumer users and administrators on all system components. This
report contains the logs of the accounts that were deleted.
Note: Note:This report can only be used with the following event sources:Microsoft
Sun Solaris.
PCI - Accounts Modified

This report ensures proper user identification and authentication management for users
that are non-consumers and administrators on all systems components.
133
Compliance Reports
Sun Solaris.
PCI - Administrative Access to PCISystems - Detail

privileges. This report displays all successful logons.
PCI - Administrative Access to PCISystems - Summary

privileges. This report displays a count of all successful logons.
PCI - Anti-virus Signature Update

The purpose of this report is to ensure that all anti-virus mechanisms are updated,
actively running, and generating audit logs. This report displays the logs of anti-virus
signature update.
Note: This report can only be used with the following event sources:Symantec Endpoint
Protection and CA Integrated Threat Management.
PCI - Change in Audit Settings

This report displays all events that describe the audit settings that were enabled or
disabled by users.
Note: Note:This report can only be used with the Microsoft Windows event source.
PCI - Encryption Failures

The purpose of this report is to help encrypt transmission of cardholder data across open,
public networks. This report displays log of encryption failures occurred.
Note: Note:This report can only be used with the following event sources:Cisco PIX,
Cisco ASA, Cisco Router, and Juniper Networks NetScreen Firewall ScreenOS.
PCI- Encryption Key Generation and Changes

The purpose of this report is to help encrypt transmission of cardholder data across open,
public networks. This report displays log of activities related to the management of
cryptographic keys.
Compliance Reports
134
RSAenVision Reports
PCI - Escalation of Privileges

This report displays log of events containing information on the escalation of privileges of
Windows, IBMAIX, Hewlett-Packard UNIX, Linux, and Sun Solaris.
PCI - Firewall Configuration Changes

changes to system components. This report displays the logs of changes made to firewall
configuration.
Cisco ASA.
PCI - Firmware changes on Wireless Devices

changes to system components. This report displays the logs of firmware updated on all
wireless devices.
Note: Note:This report can only be used with the AirMagnet Enterprise event source.
PCI - Group Management

This report displays the log of events containing information on changes to user groups.
PCI - Inbound Network Traffic

The purpose of this report is to restrict inbound and outbound traffic to what is necessary
for the cardholder data environment. This report displays inbound traffic on the network
and can be filtered to specific IP addresses based on user input.
Cisco ASA.
PCI - Logon Failures Count

contains a count of all logon failures.
135
Compliance Reports
Sun Solaris.
PCI - Logon Failures

contains the logs of all logon failures.
Note: Note: This report can only be used with the following event sources:Microsoft
Sun Solaris.
PCI - Outbound Network Traffic

The purpose of this report is to restrict inbound and outbound traffic to what is necessary
for the cardholder data environment. This report displays outbound traffic on the network
and can be filtered to specific IP addresses based on user input.
Note: Note:This report can only be used with the following event sources:Cisco PIX
and Cisco ASA.
PCI - Password Changes

The purpose of this report is to ensure proper user identification and authentication
management for non-consumer users and administrators on all system components. This
report contains logs of the accounts with password changes.
PCI - Router Configuration Changes

This report displays the logs of changes made to router configuration.
Note: This report can only be used with the Cisco Router event source.
PCI - System Clock Synchronization

The purpose of this report is to help use time-synchronization technology, synchronize all
critical system clocks and times, and ensure that it is implemented for acquiring,
distributing, and storing time. This report displays the logs of success and failure of
system clock synchronization.
Compliance Reports
136
RSAenVision Reports
Windows, IBMAIX, Hewlett-Packard UNIX, and Sun Solaris.
PCI - User Access Revoked

PCI - User Access to PCISystems - Detail

Verify all individual access to cardholder data is logged. This report displays all
successful logons.
Note: This report can only be used with the following event sources:IBMAIX,
PCI - User Account Management Bind Report

l PCI - Accounts Created
l PCI - Accounts Modified
l PCI - Accounts Deleted
PCI - User Session Terminated - Idle Session

This report displays the logs of accounts that were logged out due to the session being
idle.
Note: This report can only be used with the following event sources:IBMAIX,
137
Compliance Reports
SAS70 - Compliance Reports

The American Institute of Certified Public Accountants developed the Statement on
Auditing Standards (SAS) No. 70. Organizations that successfully complete a SAS 70
audit have been through an in-depth audit of their control activities, including controls
over IT and related processes. SAS 70 allows a company to provide a third-party
certification of its internal controls to customers.
SAS 70 data centers have to maintain prescribed levels of data security and redundancy,
as well as personnel controls. These requirements include reporting on the following:
l Firewall configuration and access
l
Database access
Data transmissions
Data backup and recovery
Application security
Product development
In addition, data center staff cannot access servers or data without a specific procedure.
All access and activity is logged and all physical access is highly controlled.
SAS 70 - Host & Application - Privilege & Configuration Changes

Details all configuration and privilege changes made to SAS 70 relevant operating
systems and applications.
SAS 70 - Network & Security - Configuration Changes

Details all configuration changes made on SAS 70 relevant network and security
infrastructure.
SAS 70 - Network Bandwidth Utilization

Summarizes network bandwidth utilization through SAS 70 relevant network devices.
SAS 70 - Report Review Audit

Details the audit review actions of users within RSAenVision.
SAS 70 - Windows Software Installations

Details all software installations on SAS 70 relevant Windows operating systems.
SAS 70 - Windows System Updates - Operating System Update Applications

Details Operating System patch and update applications for SAS 70 monitored Windows
systems.
Compliance Reports
138
RSAenVision Reports
Statement on Standards for Attestation Engagements

No. 16 (SSAE 16)
Statement on Standards for Attestation Engagements (SSAE 16) is an attestation
standard issued by the Auditing Standards Board (ASB) of the American Institute of
Certified Public Accountants (AICPA) specifically geared towards addressing
engagements conducted by service organizations to report on the design of controls and
their operating effectiveness.
These refreshed reports are available in the following path in the RSAenVision platform:
Reports >Compliance > US >SSAE16
Note: These compliance reports can only be used with the following event
sources:Microsoft Windows, IBMAIX, Hewlett-Packard UNIX, Hewlett-Packard Open
VMS, Linux, and Sun Solaris.
SSAE16 - Accounts Created

An access control policy should be developed and should state the access control rules
and rights for all users and groups. Both logical and physical access controls should be
used. This report displays user accounts that have been created.
SSAE16 - Accounts Deleted

used. This report displays user accounts that have been deleted.
SSAE16 - Accounts Modified

used. This report displays user accounts that have been modified.
SSAE16 - Administrative Access to Financial Systems - Detail

All activities by System Administrators and System Operators should be logged. This
report displays all successful logons, and ensures that administrators are in the
administrative accounts watchlist.
SSAE16 - Administrative Access to Financial Systems - Summary

All activities by System Administrators and System Operators should be logged. This
report displays a count of successful logons, and ensures that administrators are in the
139
Compliance Reports
SSAE16 - Change in Audit Settings

The system should ensure that security policy enforcement functions success before
functions are allows to proceed. This report displays all events that describe the audit
settings that were enabled or disabled by users.
SSAE16 - Financial Data Access - Detail

financial data can be added in the watchlist for a filtered view.
Note: You must create a watchlist with administrative accounts for this report.
SSAE16 - Financial Data Access - Summary

SSAE16 - Group Management

used. This report displays the logs of events containing information on changes to user
groups.
SSAE16 - Logon Failures Count

All successful and unsuccessful logon attempts should be recorded. This report contains a
SSAE16 - Logon Failures

All successful and unsuccessful logon attempts should be recorded. This report contains a
SSAE16 - Password Changes

SSAE16 - User Access Revoked

Users who have changed jobs or left the organization have their access rights removed
immediately. This report lists all rights removed from a user.
Compliance Reports
140
RSAenVision Reports
SSAE16 - User Access to Financial Systems - Detail

All successful and unsuccessful logon attempts should be recorded. This report displays
all successful logons, and ensures that a user is not in the administrative accounts
watchlist.
SSAE16 - User Access to Financial Systems - Summary

All successful and unsuccessful logon attempts should be recorded. This report displays
all successful logons, and ensures that a user is not in the administrative accounts
watchlist.
SSAE16 - User Account Management Bind Report

l SSAE16 - Accounts Created
l SSAE16 - Accounts Modified
l SSAE16 - Accounts Deleted
141
Compliance Reports
Sarbanes-Oxley Compliance Reports

Sarbanes-Oxley Act of 2002 (SOX). Congress passed the Sarbanes-Oxley Act (SOX) in
large part to protect investors by improving the accuracy and reliability of corporate
disclosures made pursuant to the securities laws.
Section 404 of Sarbanes-Oxley not only requires companies to establish and maintain an
adequate internal control structure, but also to assess its effectiveness on an annual basis.
Sarbanes Oxley - Administrative Access to Financial Systems

Sarbanes Oxley sec 302 (a)(4)(C) & (D)
Shows all log on and privileged access attempts by administrator or super-user accounts.
Sarbanes Oxley - Computer Account Logon Activity

ISO 17799 Section A.9.5.2; Sarbanes Oxley sec 306 (a)(4) & (D)
Lists all local and remote logon activity for all monitored Windows, HP-UX, AIX Unix,
Sun Solaris, Red Hat Linux and Apple Mac OS X systems.
Sarbanes Oxley - Computer Account Logon Activity - Windows Detail

Lists all log on activity for all monitored domains and systems. This report is specific to
monitored Windows systems, but provides a greater level of detail than the Computer
Account Logon Activity report.
Sarbanes Oxley - Computer Account Status by Account - Windows

be listed as run time parameters, and multiple values can be specified by listing each
value in single quotes and separating them by commas.
Sarbanes Oxley - Control of Collected Evidence

ISO 17799 Section A.12.1.7.1
Lists all changes and object level access events to all collected evidence. This report
called Rules for Evidence, and that object level auditing be enabled on these directories.
Sarbanes Oxley - Control of Collected Evidence - Windows Detail

ISO 17799 Section A.12.1.7.1
Compliance Reports
142
RSAenVision Reports
Lists all changes and object level access events to all collected evidence. This report
Sarbanes Oxley - Control of Human Resources Data

ISO 17799 Section A.12.1.3
Lists all changes and object level access events to the device group HR. This report
data.
Sarbanes Oxley - Control of Human Resources Data - Windows Detail

This report is specific to monitored Windows systems, but provides a greater level of
detail than the standard Control of Human Resources Data report.
Sarbanes Oxley - Control of Operational Software

Lists all changes and object level access events to the device group Operational
Software. This report requires that all Operational Software be contained within a device
group, and object level auditing be enabled on the directories containing the Operational
Software and data.
Sarbanes Oxley - Control of Operational Software - Windows Detail

This report is specific to Windows devices but provides more detail than the standard
Control of Operational Software report.
Sarbanes Oxley - Control of System Audit Data

directories.
Sarbanes Oxley - Control of System Audit Data - Windows Detail

143
Compliance Reports
This report is specific to Windows devices but provides more detail that the standard
Control of System Audit Data report.
Sarbanes Oxley - - Control of System Test Data

Lists all changes and object level access events to the systems and data used in the
Sarbanes Oxley - Control of System Test Data - Windows Detail

Control of System Test Data report.
Sarbanes Oxley -Disabled Accounts Report - Windows

Sarbanes Oxley sec 308 (a)(4)(C) & (D)
Lists all user accounts that have been manually or automatically disabled in the requested
time period.
Sarbanes Oxley - External Contractors Report

Lists all changes and object level access events to the device group External
Contractor Access. This report requires that all computers, software, source data and
Sarbanes Oxley - External Contractors Report- Windows Detail

External Contractors Report report.
Sarbanes Oxley - Financial Data Access

Compliance Reports
144
RSAenVision Reports
Sarbanes Oxley -- Financial Data Access- Windows Detail

Financial Data Access report.
Sarbanes Oxley - Login and Authorization Failures

Sarbanes Oxley Section 304 (a)(4)(C) & (D)
Lists all local and remote failed log on attempts to all monitored devices in the Financial
System device group. This covers Windows, Sun Solaris, Red Hat Linux, HP-UX, Apple
Mac OS X, Nokia IPSO and IBM Mainframe (SMA_RT).
Sarbanes Oxley - Malicious Software Activity

ISO 17799 Section A.8.3
Lists all malicious software activity for all monitored devices.
Sarbanes Oxley - Operation Change Control Report

Sarbanes Oxley - Operation Change Control Report - Windows Detail

Operation Change Control report.
Sarbanes Oxley - Password Changes and Expirations

Lists all manual and automatic password change and expiration events. This covers
systems.
Sarbanes Oxley - Source Code Access

ISO 17799 sec. A.10.4.3
Lists all changes and object level access events to the device group Source Code. This
145
Compliance Reports
Sarbanes Oxley - Source Code Access - Windows Detail

ISO 17799 sec. A.10.4.3
Source Code Access report.
Sarbanes Oxley - User Activity from External Domains - Windows

Details all activities of non-domain authenticated users. All authenticated domains are
identified in run time parameters, and multiple domains can be contained within single
quotes and separated by commas.
Compliance Reports
146
RSAenVision Reports
Sarbanes-Oxley Compliance Reports (Refreshed)

Sarbanes-Oxley Act of 2002 (SOX). Congress passed the Sarbanes-Oxley Act (SOX) in
large part to protect investors by improving the accuracy and reliability of corporate
disclosures made pursuant to the securities laws.
Section 404 of Sarbanes-Oxley not only requires companies to establish and maintain an
adequate internal control structure, but also to assess its effectiveness on an annual basis.
Reports >Compliance > US >Sarbanes-Oxley
Note: These compliance reports can only be used with the following event
sources:Microsoft Windows, IBMAIX, Hewlett-Packard UNIX, Hewlett-Packard Open
VMS, Linux, and Sun Solaris.
Sarbanes Oxley - Accounts Created

SOX 404; ISO27002 - 11.1.1, 11.2.2, 11.4.6, 11.6.1: Management assessment of internal
controls. An access control policy should be developed and should state the access
control rules and rights for all users and groups. Both logical and physical access controls
should be used.
This report displays user accounts that have been created.
Sarbanes Oxley - Accounts Deleted

should be used.
This report displays user accounts that have been deleted.
Sarbanes Oxley - Accounts Modified

should be used.
This report displays user accounts that have been modified.
Sarbanes Oxley - Administrative Access to Financial Systems - Detail

SOX 404; ISO27002 - 10.10.4: Management assessment of internal controls. All
activities by System Administrators and System Operators should be logged.
147
Compliance Reports
This report displays all successful logons, and ensures that administrators are in the
Sarbanes Oxley - Administrative Access to Financial Systems - Summary

activities by System Administrators and System Operators should be logged.
This report displays a count of successful logons, and ensures that administrators are in
the administrative accounts watchlist.
Sarbanes Oxley - Change in Audit Settings

SOX 404; ISO15408-2: Management assessment of internal controls. The system should
ensure that security policy enforcement functions success before functions are allows to
proceed.
This report displays all events that describe the audit settings that were enabled or
disabled by users.
Sarbanes Oxley - Financial Data Access - Detail

SOX 404: Management assessment of internal controls.
Sarbanes Oxley - Financial Data Access - Summary

Sarbanes Oxley - Group Management

should be used.
This report displays the logs of events containing information on changes to user groups.
Compliance Reports
148
RSAenVision Reports
Sarbanes Oxley - Logon Failures Count

successful and unsuccessful logon attempts should be recorded.
Sarbanes Oxley - Logon Failures

149
Compliance Reports
Sarbanes Oxley - Password Changes

Sarbanes Oxley - User Access Revoked

SOX 404; ISO27002 - 11.2.1: Management assessment of internal controls. Users who
have changed jobs or left the organization have their access rights removed immediately.
Sarbanes Oxley - User Access to Financial Systems - Detail

This report displays all successful logons, and ensures that a user is not in the
Sarbanes Oxley - User Access to Financial Systems - Summary

This report displays all successful logons, and ensures that a user is not in the
Sarbanes Oxley - User Account Management Bind Report

l Sarbanes Oxley - Accounts Created
l Sarbanes Oxley - Accounts Modified
l Sarbanes Oxley - Accounts Deleted
Compliance Reports
150
RSAenVision Reports

RSA enVision includes reports that focus on specific event sources, for example Cisco
PIX. These are sometimes referred to as "device-specific" reports.
151
ActivIdentity AAA Server Standard Reports

The Reports module includes the following standard reports for the ActivIdentity AAA
Server event source.
Accepted Authentications
Lists all accepted user authentications.
Accounting Attributes
Lists the attribute set from the user account profile.
Privileged Operations
Lists the operational changes in the administrative audit log.
Rejected Authentications
Lists all rejected user authentications.
152
RSAenVision Reports
Alcatel-Lucent OmniSwitch Standard Reports

The Reports module includes the following standard reports for the Alcatel-Lucent
OmniSwitch.
DOS Attacks
Gives a report of DOS attacks on the system with source IPinformation.
Failed Authentications
Gives a report of failed authentications.
Successful Authentications
Gives a report of all successful authentications for various remote connections like SSH,
TELNET, FTP, etc.
153
Apache HTTP Server Standard Reports

The Reports module includes the following standard reports for the Apache HTTP
Server.
Top 20 Client IP Addresses by Connection Requests

Displays the 20 client IP addresses that had the most successful web site connections.
Total Bytes by Apache Device Address

Displays total bytes passed by Apache event source address.
Total Bytes by Client IP Address

Displays total bytes passed by client address.
154
RSAenVision Reports
Apple Mac OS X Standard Reports

The Reports module includes the following standard reports for the Apple Mac OS X
event source.
Failed Authentication Attempts

Displays the failed authentication or privilege switch attempts.
Failed Authentications by Device

Displays the failed authentication attempts for each monitored event source by date and
time.
Failed Super User Attempts

Displays the failed attempts to use the switch user command and the user name
associated with each attempt.
Successful Authentication Attempts

Displays the successful authentication or privilege switch attempts.
Successful Connections
Displays the successful connection information.
Successful Super User Attempts

Displays the successful attempts to use the switch user command to root and the user
name associated with each attempt.
User Action Audit by Username

Lists all user actions linked to their usernames. Enter a username between percent signs,
then run the report.
155
Application Security DbProtect Standard Reports

The Reports module includes the following standard reports for the Application Security
DbProtect event source.
Count of Alerts vs. Alert Type

Lists counts of alerts against the rule title recognized by DbProtect under the Audit and
Threat Management Console in a tabular report.
Enumerate Debug Alerts

Lists all debug alerts reported by various database servers to DbProtect under the Audit
and Threat Management Console.
Enumerate Important Alerts

Lists all important alerts reported by various database servers to DbProtect under the
Audit and Threat Management Console.
Penetration Test Scan Results

Lists scan results from all penetration tests.
156
RSAenVision Reports
Arbor Peakflow SP Standard Reports

The Reports module includes the following standard reports for the Arbor Peakflow SP
event source.
Historical Overview of All Alerts

Lists all alert scripts that have been executed.
Historical Overview of All Executed Mitigations

Displays detailed information for all executed mitigations.
Historical Overview of DoS Messages by Router Interface

Details all DoS messages reported by Arbor Peakflow SP by router interface.
Hourly Rate of All DoS Messages

Displays the number of DoS messages by hour.
Overview of All TMS Generated Traps Messages

Details all messages generated by TMS traps on a TMS appliance.
157
Arbor Networks Peakflow X Standard Reports

The Reports module includes the following standard reports for the Arbor Networks
Peakflow X event source.
Detailed Alert
Lists detailed information for the last 100 alerts generated.
Events by Hour
Displays the number of events by hour for a given time period.
Top 10 Destinations
Displays the top 10 destinations of events detected.
Top 10 Sources
Displays the top 10 sources of events detected.
Top 10 Events
Displays the top 10 events detected.
158
RSAenVision Reports
Blue Coat Systems ELFF Standard Reports

The Reports module includes the following standard reports for the Blue Coat Systems
SGOS event source.
Top 100 Requested Domains

Displays the top 100 requested domains for the given time period.
Top 100 Requested URL

Displays the top 100 requested URLstrings for the given time period.
Top 20 Categories
Displays the top 20 categories.
Top 20 Categories Graph

Displays the top 20 denied categories.
Top 20 Clients by Connection Request

Displays the top 20 client addresses that made the most connections requests for a
specified time period.
Top 20 Denied Categories

Top 20 Denied Categories Graph

Top 20 Domains by Connection Counts

Displays the top 20 domains that were accessed via all monitored devices.
Top 20 Observed Categories

Displays the top 20 observed categories.
Top 20 Observed Categories Graph

Displays the top 20 observed categories.
Top 20 Root Domains by Connection Counts

Displays the top 20 domains that were accessed via all monitored devices.
159
Top 20 Users - Denied Categories

Displays the top 20 user names of denied categories.

Displays the top 25 client IPaddresses with the most total bytes.
Total Bytes Passed by Hour

Represents the total sent and received bytes and displays a histogram of the traffic
pattern over the selected time period.
Total Bytes Received by Client Device

Displays the total bytes received grouped by client device.
Total Bytes Received by Top 25 Cache Devices

Displays the 25 client IPaddresses that received the most total bytes.
Total Bytes Sent by Top 25 Cache Devices

Displays the total bytes sent grouped by cache device.
Total Bytes Sent by Client Device

Displays the total bytes sent grouped by client device.
Total Bytes by Domain

Displays the total bytes for each connection, sorted by domain.
Total Bytes by Top 100 Cache Devices

Displays the total bytes passed, grouped by the cache device address.
Total Bytes by Top 100 Client IP Addresses

Queries for total bytes passed and displays the data grouped by client IPaddress.
Total Connection Requests by Hour

Displays the number of connection requests grouped by hour of day.

Queries for connection counts and groups them by HTTPsuccess/failure code. This
grouping allows the administrator to see by code how many connections were successful,
redirected, failed, etc.
160
RSAenVision Reports
Blue Coat Systems CacheOS and SGOS Standard

Reports
The Reports module includes the following standard reports for the Blue Coat Systems
CacheOS and Blue Coat Systems SGOS event sources.

Displays the top 100 requested URL strings for a given time period.

Displays the 20 client addresses that made the most connection requests for a specified
time period.

Displays the top 20 domains that were accessed through all monitored event sources.

Displays the top 20 root domains that were accessed through all monitored event sources.

Displays the 25 client IP addresses with the most total bytes.

Represents the total sent and received bytes and displays a histogram of the traffic

Displays the total bytes received grouped by client event source.
Total Bytes Received by Top 25 Cache Devices

Displays the total bytes received grouped by the top 25 cache event sources.

Displays the total bytes sent grouped by client event source.
Total Bytes Sent by Top 25 Cache Devices

Displays the total bytes sent grouped by the top 25 cache event sources.

Represents the total bytes for each connection and displays the data sorted by domain.
161
Total Bytes by Top 100 Cache Devices

Queries for total bytes passed and displays the data grouped by cache event source
address.
Total Bytes by Top 100 Client IP Addresses

Queries for total bytes passed and displays the data grouped by client IP address.

Queries for connection counts and groups the data by HTTP success or failure code.
Administrators can use this report to determine, by code, how many connections were
successful, redirected, failed, and so on.

162
RSAenVision Reports
Check Point IPSO Standard Reports

The Reports module includes the following standard reports for the Check Point IPSO
event source.
Failed Authentication Attempts Foreign Address

Displays the total number of failed authentication attempts by the foreign address
associated with the request.
Interface Up/Down Messages

Displays interface up and interface down errors grouped by event source open a given
time period.
System Events by Device

Displays all the system-related events reported by the event sources during a specified
time period.
163
Check Point Security Suite (IDS) Standard Reports

The Reports module includes the following standard reports for the Check Point Security
SuiteIDS.
Top 10 Source Addresses

Displays the top 10 source addresses associated with recognized attack signatures.
Total Alarms by Device Address

Displays the total number of recognized attacks sorted by SmartDefense event source
address.
Total Attacks by Signature

Displays the total number of recognized attacks sorted by attack signature name over a
164
RSAenVision Reports
Check Point Security Suite (VPN) Standard Reports

The Reports module includes the following standard reports for the Check Point Security
SuiteVPN event sources.
VPN-1 Denied Connections by VPN Device

Displays a list of all failed VPN connection attempts including time, Check Point server,
reason for failure, service and scheme used, and source and destination address and port.
VPN-1 Detailed Connections Events by Date/Time

Displays a detailed record of successful connections within the selected time range
sorted by date and time.
VPN-1 Successful Connections by VPN Device

Displays a graph of successful connections sorted by Check Point server address.
VPN-1 System Changes

Queries for VPN system messages and reports the changes including user name, action,
and VPN event source address.
VPN-1 Top 20 Denied Connections by Username

Displays the count of rejected connection attempts and the top 20 user names associated
to those rejected connections.
VPN-1 Top 20 Users by Number of Connections

Displays the top 20 user names associated with successful VPN connection attempts for
all VPN event sources.
165
Check Point SmartDefense Standard Reports

The Reports module includes the following standard reports for the Check Point
SmartDefense event source.
Top 10 Source Addresses

Displays the top 10 source addresses associated with recognized attack signatures.
Total Alarms by Device Address

Displays the total number of recognized attacks sorted by SmartDefense event source
address.
Top Attacks by Signature

Displays the total number of recognized attacks sorted by attack signature name in a
166
RSAenVision Reports
Check Point FireWall-1 and Check Point Security Suite

(Firewall) Standard Reports
The Reports module includes the following standard reports for the Check Point
FireWall-1 event source and the Check Point Security Suite.
Audit - Operations by Administrator

Counts the number of audit operations sorted by administrator.
Audit - Operations by Application

Counts the number of audit operations sorted by application.
Audit - Operations by Type

Counts the number of audit operations sorted by operation type.
Audit - Operations Details

Lists all audit operations with all relevant details for each operation.
Bandwidth by Department
Displays bandwidth usage by department through FireWall-1 firewalls. Use this report to
quickly determine which departments are using large amounts of bandwidth.
Bandwidth Usage by Address

Summarizes bandwidth usage by local address for all traffic passing through Check Point
FireWall-1 firewalls. Sorted by total byte usage. Use this report to quickly determine the
"top talkers" on your company network. Only firewalls with debug level logging enabled
are reported.
Bandwidth Usage by Department

Summarizes bandwidth usage by department for all traffic passing through Check Point
FireWall-1 firewalls. Sorted by total byte usage. Use this report to quickly assess which
departments are consuming the most bandwidth. Only firewalls with debug level logging
enabled are reported.
Bandwidth Usage by Port

Summarizes bandwidth usage by port for traffic passing through FireWall-1 firewalls.
Sorted by total byte usage count. Use this report to quickly determine which applications
are consuming the most bandwidth. Other common TCP/IP words used synonymously
with applications are port and services. Only FireWall-1 firewalls with debug level
logging enabled are reported.
167
Bandwidth Usage per Hour

Displays bandwidth usage per hour through FireWall-1 firewalls. Use this report to
quickly spot bandwidth usage trends occurring during specific time periods. Each tick
mark on vertical hourly axes represents accumulated usage for the previous hour.
Lists configuration change messages from FireWall-1 firewalls. Sorted by date and time
sequence.
Denied Connections per Hour

Displays the number of denied connections per hour through FireWall-1 firewalls. Use
this report to quickly spot security threat trends occurring during specific time periods.
Each tick mark on vertical hourly axes represents accumulated denied connections for the
previous hour.
Denied Inbound Traffic by Address

Summarizes denied inbound traffic through FireWall-1 firewalls by foreign address.
Sorted by connection count.
Denied Inbound Traffic by Port

Summarizes denied inbound traffic filtered through FireWall-1 firewalls by port. Sorted
by connection count.
Denied Outbound Traffic by Address

Summarizes denied outbound traffic filtered through FireWall-1 firewalls by local
address. Sorted by connection count.
Denied Outbound Traffic by Port

Summarizes denied outbound traffic filtered through FireWall-1 firewalls by port. Sorted
by connection count.
E-mail Security
Lists e-mail security messages received from FireWall-1 firewalls. Sorted in date and
time sequence.
Inbound E-mail Traffic

Summarizes bandwidth usage of inbound SMTP traffic through FireWall-1 firewalls.
Sorted by total connection count.
168
RSAenVision Reports
Inbound FTP Traffic

Summarizes bandwidth usage of inbound FTP traffic through FireWall-1 firewalls. Sorted
by total connection count.
Inbound HTTP Traffic

Summarizes bandwidth usage of inbound HTTP traffic through FireWall-1 firewalls.
Inbound Telnet Traffic

Summarizes bandwidth usage of inbound Telnet traffic through FireWall-1 firewalls.
Outbound E-mail Traffic

Summarizes bandwidth usage of outbound SMTP traffic through FireWall-1 firewalls.
Outbound FTP Traffic

Summarizes bandwidth usage of outbound FTP traffic through FireWall-1 firewalls.
Outbound HTTP Traffic

Summarizes bandwidth usage of outbound HTTP traffic through FireWall-1 firewalls.
Outbound Telnet Traffic

Summarizes bandwidth usage of outbound Telnet traffic through FireWall-1 firewalls.
Permitted Connections per Hour

Displays the number of connections per hour through FireWall-1 firewalls. Use this
report to spot connection trends occurring during specific time periods. Each tick mark on
vertical hourly axes represents accumulated permitted connections for the previous hour.
SiteTrack Detection
Lists network traffic through FireWall-1 firewalls that contained SiteTrack keywords.
Sorted by date and time. The keyword is enclosed in quotation marks.

Displays the top 10 requested URL and FTP destinations by internal users through
FireWall-1 firewalls. Use this report to quickly spot trends of the most popular foreign
sites.
169

Displays the 20 ports with the most bandwidth usage through FireWall-1 firewalls. Use
this report to quickly identify which applications are consuming the most bandwidth.

Displays the top 20 bandwidth users through FireWall-1 firewalls. Use this report to
quickly identify which users are consuming the most bandwidth.

Displays the top 20 users of connections through FireWall-1 firewalls. Use this report to
quickly determine which users are consuming the most connections.

Displays the 20 ports with the most connections through FireWall-1 firewalls. Use this
report to quickly identify which applications are consuming the most connections.

Displays the top 20 foreign addresses that were denied inbound access by FireWall-1
firewalls. Use this report to quickly spot foreign hosts that may have been attempting to
gain unauthorized access to your network.

Displays the 20 ports with the most denied inbound connections through FireWall-1
firewalls. Use this report to quickly identify which applications are the top sources of
inbound denied connections.

Displays the top 20 local addresses that were denied outbound access by FireWall-1
firewalls. Use this report to quickly identify the top internal hosts that may have been
attempting to breach your company's outbound Internet security policy.
Top URL/FTP Destinations

Summarizes outbound URL and FTP requests to foreign sites by local users through
FireWall-1 firewalls. Sorted by foreign address and then by the number of requests.
URL/FTP Requests by Date/Time

Lists URL and FTP requests through FireWall-1 firewalls. Sorted by date and time.
170
RSAenVision Reports
URL/FTP Requests by Department

Summarizes the outbound URL and FTP requests for each department through FireWall-1
firewalls. Sorted by number of requests.
URL/FTP Requests by Foreign Address

Summarizes the outbound URL and FTP requests through FireWall-1 firewalls. Sorted by
foreign address and number of requests.
URL/FTP Requests by Local Address

Summarizes the outbound URL and FTP requests through FireWall-1 firewalls. Sorted by
local address and number of requests.
URL/FTP Requests by User Name

Summarizes the outbound URL and FTP requests by authenticated user name through
FireWall-1 firewalls. Sorted by user name and the number of requests. Requires that
AAA user authentication be configured on the firewall.
171
Cisco Access Control Server Standard Reports

The Reports module includes the following standard reports for the Cisco Access Control
ACS Backup And Restore

Displays all backup and restore operations. Sorted by descendingtime.
ACS Service Monitoring

Tracks messages and activities internal to Cisco ACS.
Administration Audit
Displays an administrative report of all activity performed using the Cisco Secure ACS
HTML Management interface. Sorted by descendingtime.
CiscoACS Failed Authentication Attempts

Lists out all of the failed authentication attempts for Cisco Secure ACS Version 5.1 and
above.
CiscoACS Failed User Logins

Lists all of the failed administrator logins for Cisco Secure ACS Version 5.1 and above.
CiscoACSPassed Authentications
Lists all of the Passed Authentications for Cisco Secure ACS Version 5.1 and above.
CiscoACS RADIUSDiagnostics
Gives diagonostic details on Radius protocol for Cisco Secure ACS Version 5.1 and
above.
Database Replication
Tracks ACS database replication activity. Sorted by descending time.
Displays a list of all failed logon attempts. Sorted by descending time.
Failed Authentications Count

Displays a count of all failed logon attempts. Sorted by descendingtime.
Passed Authentications
Displays a list of all users that have successfully logged on. Sorted by descending time.
172
RSAenVision Reports
Passed Authentications Count

Displays a count of all users that have successfully logged on. Sorted by descendingtime.
TACACS+ Accounting
Tracks all logon and logoff traffic.
TACACS+ Administration - Permanent Configuration Changes

Tracks configuration changes that have been executed using the write memory (write
mem) or copy running start (copy run) commands.
Top 10 Users
Counts the number of successful logons (successful authentications) and sorts the top 10
users by user name.
Top 10 Users by Duration

Calculates the total amount of time that users have spent logged on to network event
sources and lists the top 10 users in descending order by time.
173
Cisco Application Control Engine Standard Reports

The Reports module includes the following standard reports for the Cisco Application
Control Engine event source.
Network Health Monitoring Report

A detailed report of all the Network activities.
System Health Monitoring Report

A detailed report of all the System Errors, Normal Activity and Unusual activities.
174
RSAenVision Reports
Cisco Aironet AP Standard Reports

The Reports module includes the following standard reports for the Cisco Aironet AP
event source.
Access Point Disassociations

Displays all wireless event sources that disassociated or roamed from access points.
Access Point Failed Authentications

Displays all wireless event sources that failed to authenticate and the reason that each
failed.
No SSIDs Configured
Displays all wireless event sources that do not have an SSID configured. At least one
SSID needs to be configured for the radio to run.
Rogue Access Point Detection

Displays all rogue access points detected.
Successful Access Point Associations

Displays all wireless event sources that have successfully associated to access points.
175
Cisco Adaptive Security Appliance (firewall)

Standard Reports
The Reports module includes the following standard reports for the Cisco ASA (firewall)
event source.
AAA User Authentications

Displays AAA user authentications through Cisco ASA firewalls, sorted by date and
time. This report requires AAA user authentication.

Summarizes bandwidth usage by local address for all traffic passing through Cisco ASA
firewalls. Sorted by total byte usage. Use to quickly determine the "top talkers" on your
company network. Only ASA firewalls with debug level logging enabled are reported.

Displays bandwidth usage by department through ASA firewalls. Use to quickly
determine which departments are consuming the most bandwidth.

Summarizes bandwidth usage by port for traffic passing through Cisco ASA firewalls.
with applications are port and services. Only ASA firewalls with debug level logging

Displays bandwidth usage per hour through ASA firewalls. Use this report to quickly spot
bandwidth usage trends occurring during specific time periods. Each tick mark on vertical
hourly axes represents accumulated usage for the previous hour.
Bandwidth Utilization
Displays the bandwidth utilization on the network in a combination of a graph and a
report.
Blocked URL Events

Displays the blocked URL events of internal IP addresses attempting to connect to
external web sites that have been restricted by the company. Sorted by date and time.
Websense Enterprise software must be installed to activate the URL blocking capability.
176
RSAenVision Reports
Lists configuration change messages from Cisco ASA firewalls, sorted by date and time.
Monitors when configuration changes were made to Cisco ASA firewalls. Only ASA
firewalls with logging enabled are reported.
Connection Limit Exceeded

Details exceeded connection limits by static addresses.
CPU Over-Capacity Events by Date and Time

Lists all instances of ASA Firewall CPU utilizations rising above 100 percent. If this
condition, which is generally considered to be an error condition, happens frequently, you
may need to contact Cisco Systems.

Displays the number of denied connections per hour through ASA firewalls. Use this
report to quickly spot security threat trends occurring during specific time periods. Each
tick mark on vertical hourly axes represents accumulated denied connections for the
previous hour.
Denied Inbound IP Spoofing

Tracks when an ASA Firewall receives an external packet with the IP source address
equal to the IP destination and the destination port equal to the source port. Sorted by the
destination address. This event indicates a spoofed packet designed to attack systems.
This attack is referred to as a land attack.

Summarizes denied inbound traffic filtered through Cisco ASA firewalls by foreign
address. Sorted by connection count. Use this report to quickly determine which foreign
hosts are being denied access to your company's internal network. Denied connections
may indicate an attempted security policy breach, malicious network reconnaissance, or a
host or network event source configuration issue. Only ASA firewalls with logging

Summarizes denied inbound traffic filtered through Cisco ASA firewalls by port. Sorted
by connection count. Port numbers are used to represent services or applications. Use this
report to quickly determine which applications are being denied access. Denied
connections may indicate an attempted security policy breach, malicious network
reconnaissance like a port scan, or a host or network event source configuration issue.
Only ASA firewalls with logging enabled are reported.
177

Summarizes denied outbound traffic filtered through Cisco ASA firewalls by local
address. Sorted by connection count. Use this report to quickly determine which local
addresses may be attempting to bypass your company security policy. Only ASA

Summarizes denied outbound traffic filtered through Cisco ASA firewalls by port. Sorted
report to quickly determine which outbound applications are being denied. These denied
messages may indicate an attempted security policy breach, malicious network
E-mail Security
Lists ASA MailGuard messages received from Cisco ASA firewalls. Sorted by date and
time. Use this report to quickly view possible e-mail security breach attempts that were
prevented by ASA firewalls. Only ASA firewalls with logging enabled are reported.
Failover Messages
Lists failover messages from Cisco ASA firewalls by date and time.
FTP Requests by Date and Time

Lists FTP requests through Cisco ASA Firewalls by date and time.
FTP Requests by Department

Displays FTP requests for each department through Cisco ASA firewalls by number of
requests.
FTP Requests by Foreign Address

Note: The name for this report under the Content 2.0 schema is FTPRequests by
Source Address.
Displays FTP requests to foreign sites by local users through Cisco ASA firewalls by
foreign address and the number of requests.
FTP Requests by Local Address

Destination Address.
178
RSAenVision Reports
Displays FTP requests by each local address through Cisco ASA firewalls by local
address and number of requests.
Inbound E-mail Recipients

Displays inbound e-mails and the intended recipients.
Inbound E-mail Senders

Displays inbound e-mails and the senders.

Displays bandwidth usage of inbound e-mail traffic through Cisco ASA firewalls. Sorted
by total connection count. Use this report to quickly determine top foreign e-mail senders
if your e-mail servers are located on an internal or DMZ interface. Summarizes e-mail
traffic from your own e-mail gateways if they are sitting on an external ASA interface.
Only ASA firewalls with logging enabled are reported. The system calculates inbound email traffic by summarizing all the 302002 traffic logged on local port 25.
Inbound FTP Traffic

Displays bandwidth usage of inbound FTP traffic through Cisco ASA firewalls. Sorted by
total connection count. Use this report to quickly determine which external users use FTP
most frequently in your company. Only ASA firewalls with logging enabled are reported.
The system calculates inbound FTP traffic by summarizing all the 302002 traffic logged
on local ports 20 and 21.

Displays bandwidth usage of inbound HTTP traffic through Cisco ASA firewalls. Sorted
by total connection count. Use this report to quickly assess which foreign users are
accessing your internal web servers most frequently. Only ASA firewalls with logging
enabled are reported. The system calculates inbound http traffic by summarizing all the
302002 traffic logged on local port 80.
Inbound IP Fragmentation Alert

Summarizes inbound IP fragmentation, sorted by count and foreign address.The ASA
Firewall limits the number of IP fragments that can be concurrently reassembled. This
restriction prevents memory depletion at the firewall under abnormal network conditions.
If this message persists, a denial of service ( DoS) attack may be in progress.

Displays bandwidth usage of inbound Telnet traffic through Cisco ASA firewalls. Sorted
by total connection count. Use this report to quickly determine top external Telnet users.
Only ASA firewalls with logging enabled are reported. The system calculates inbound
Telnet traffic by summarizing all the 302002 traffic logged on local port 23.
179
Management Access from External Source

Details all of the event source management events on the ASA firewall sorted by date
and time.
Outbound E-mail Recipients

Displays outbound e-mails and the intended recipients.
Outbound E-mail Senders

Displays outbound e-mails and the senders.

Summarizes bandwidth usage of outbound e-mail traffic through Cisco ASA firewalls.
Sorted by total connection count. Use this report to quickly determine top e-mail users in
your company if your e-mail gateway is located on an external or DMZ interface.
Reflects top e-mail gateways if your mail gateways are on the internal ASA interface.
Only ASA firewalls with logging enabled are reported. The system calculates outbound
e-mail traffic by summarizing all the 302002 traffic logged on foreign port 25.

Summarizes bandwidth usage of outbound FTP traffic through Cisco ASA firewalls.
Sorted by total connection count. Use this report to quickly determine which internal
users use FTP most frequently in your company. Only ASA firewalls with logging
enabled are reported. The system calculates outbound FTP traffic by summarizing all the
302002 traffic logged on foreign ports 20 and 21.

Summarizes bandwidth usage of outbound HTTP traffic through Cisco ASA firewalls.
Sorted by total connection count. Use this report to quickly determine top HTTP users in
your company. Only ASA firewalls with logging enabled are reported. The system
calculates outbound HTTP traffic by summarizing all the 302002 traffic logged on foreign
port 80.
Outbound IP Fragmentation Alert

Displays the ASA Firewall limits on the number of IP fragments that can be concurrently
reassembled, sorted by count by local address. This restriction prevents memory depletion
at the firewall under abnormal network conditions.

Summarizes bandwidth usage of outbound Telnet traffic through Cisco ASA firewalls.
Sorted by total connection count. Use this report to quickly determine top local Telnet
180
RSAenVision Reports
users. Only ASA firewalls with logging enabled are reported. The system calculates
outbound Telnet traffic by summarizing all the 302002 traffic logged on foreign port 23.

Displays the number of connections per hour through ASA firewalls. Use this report to
quickly spot connection trends occurring during specific time periods. Each tick mark on
RIP External Security Alert

Displays the ASA Firewall events for received internal RIP reply messages with bad
authentication sorted by the local address. This event can be caused by misconfiguration
on the router or the ASA Firewall, or the event may be a unsuccessful attempt to attack
the ASA Firewall unit's routing table.
RIP Internal Security Alert

Displays the ASA Firewall events for received external RIP reply messages with bad
authentication sorted by foreign address. This event can be caused by misconfiguration on
the router or the ASA Firewall, or the event may be a unsuccessful attempt to attack the
ASA Firewall unit's routing table.
SiteTrack Detection
Note: This report is not compatible with the Content 2.0 schema.
Lists network traffic through Cisco ASA firewalls that contained SiteTrack keywords.
Sorted by date and time. Keyword match is identified with parentheses ( ) preceding the
message in the Message column. The SiteTrack feature performs a text string comparison
of the DNS host name lookup of source and destination IP addresses, as well as accessed
URL pages and FTP filenames. The DNS Resolver service must be enabled, and ASA
firewall logging must be enabled. For information about SiteTrack, see the enVision
Online Help.

Displays the top 10 requested URL and FTP destinations by internal users through ASA
firewalls. Use this report to quickly spot trends of the most popular foreign sites.

Displays the 20 ports with the most bandwidth usage through ASA firewalls. Use this
report to quickly identify which applications are consuming the most bandwidth.

Displays the top 20 bandwidth users through ASA firewalls.
181

Displays the top 20 users of connections through ASA firewalls. Use this report to

Displays the 20 ports with the most connections through ASA firewalls. Use this report to
quickly identify which applications are consuming the most connections.

Displays the top 20 foreign addresses that were denied inbound access by ASA firewalls.
Use this report to quickly spot foreign hosts that may have been attempting to gain
unauthorized access to your network.

Displays the 20 ports with the most denied inbound connections through ASA firewalls.
Use this report to quickly identify which applications are the top sources of inbound
denied connections.

Displays the top 20 local addresses that were denied outbound access by ASA firewalls.
Use this report to quickly identify the top internal hosts that may have been attempting to
breach your company's outbound Internet security policy.
Top FTP Destinations

Displays FTP requests to foreign addresses through Cisco ASA firewalls, sorted by the
number of requests.
Top URL Destinations

Displays URL requests to foreign addresses through Cisco ASA firewalls, sorted by the
number of requests.
Total Connections by Global/Translated Address

Displays the activity for each global address going through the ASA firewall, sorted by
percentage of total connections within a specific time period.
Translation Activity by Connection ID

Lists buildup and teardown messages for connections through an ASA firewall. Sorted by
connection ID.
182
RSAenVision Reports
URL Requests by Date/Time

Lists URL and FTP requests through Cisco ASA Firewalls. Sorted by date and time.
URL Requests by Department

Summarizes the outbound URL and FTP requests for each department through Cisco
ASA firewalls. Sorted by number of requests. Use this report to quickly determine which
departments are downloading the most URLs and FTP files. Only ASA firewalls with
URL Requests by Foreign Address

Note: The name for this report under the Content 2.0 schema is URL Requests by
Source Address.
Summarizes outbound URL and FTP requests to foreign addresses through Cisco ASA
firewalls. Sorted by total connections. Use this report to quickly determine the most
common URL and FTP destinations in your company. Only ASA firewalls with logging
URL Requests by Local Address

Summarizes the outbound URL and FTP requests by each local address through Cisco
ASA firewalls. Sorted by local address and number of URL and FTP requests. Use this
report to quickly determine the most common URL and FTP destinations by local address
for your company. Only ASA firewalls with logging enabled are reported.
URL Requests by User Name

Cisco ASA firewalls. Sorted by user name and the number of URL and FTP requests.
Requires that AAA user authentication be configured on the firewall. Use this report to
quickly determine the most common URL and FTP destinations on a user name basis for
your company. Only ASA firewalls with logging enabled are reported.
183
Cisco Adaptive Security Appliance (IDS) Standard

Reports
The Reports module includes the following standard reports for the Cisco ASA (IDS)
event source.
Alarm Level Summary

Summarizes the number of alarms for each alarm level.
Alarms by IDS Device

Displays the alarm count for each sensor.
Intrusion Event Summary by Alarm Level

Summarizes intrusion events detected by the Cisco integrated firewall intrusion detection
sensor on the event source, sorted by alarm level.
Intrusion Event Summary by External Source Address

Lists the attack events detected by the Cisco integrated firewall intrusion detection sensor
on the event source from external sources.
Intrusion Event Summary by Intrusion Detection System (IDS) Device

sensor on the ASA. Sorted by ASA address, alarm level, and number of alarms.
Intrusion Event Summary by Internal Source Address

on the ASA from internal sources.
Intrusion Event Summary by Signature ID

sensor on the ASA by signature description. Sorted by alarm level.
Intrusion Event Summary by Source Address

Summarizes intrusion events detected through the Cisco integrated firewall intrusion
detection sensor on the ASA by intruding source address. Sorted by source address and
number of alarms.
Intrusion Event Summary by Source/Destination Direction

detection sensor on the ASA by source and destination direction. Sorted by alarm level.
184
RSAenVision Reports
Intrusion Events by Date/Time

Lists the intrusion events detected by the Cisco integrated firewall intrusion detection
sensor on the ASA.
Top 10 Sources Address of Alarms

Lists the 10 source IP addresses that have generated the most events or alarms.
Top Source Addresses of Intrusion Events

detection sensor on the ASA by source and destination direction. Sorted by alarm level.
185
Cisco Adaptive Security Appliance VPN Standard

Reports
The Reports module includes the following standard reports for the Cisco ASA VPN
event source.
Denied Packets per Device

Displays the denied packets per event source for all VPN gateways.
Denied Packets per Hour

Displays the denied packets per hour for all VPN gateways.
Failed Authentications by Device

Lists the failed authentications for all users of VPN gateways. Sorted by event source
address.
Failed Authentications by Username

Lists the failed authentications for all users of VPN gateways. Sorted by user name.
Failed X-Authentications by Device

Lists the failed x-authentications for all users of VPN gateways. Sorted by event source
address.
Successful Authentications by Date/Time

Lists the successful authentications for all users of VPN gateways. Sorted by date and
time.

Lists the VPN system events from Cisco ASA. Sorted by event source.
Total Connections by Username

Lists the total connections for all users of VPN gateways. Sorted by user name.
186
RSAenVision Reports
Cisco Content Engine Standard Reports

The Reports module includes the following standard reports for the Cisco Content Engine
event source.
Failed System Events

Lists all failed system events.
Memory Related Errors

Displays all memory related errors.

Displays the top 100 requested URL strings for the given time period.
Top 20 Clients by Connection Requests

Displays the 20 client IP addresses that made the most connection requests for a


Displays tallies, sent and received bytes, and displays a histogram of the traffic pattern
over the selected time period.
Total Bytes by Cache Device

Displays the data for total bytes passed by cache event source (supplied_ip). The supplied
IP is the address of the cache event source that fulfilled the HTTP request.
Total Bytes by Client IP

Displays the total bytes passed by client IP address sorted by requesting address.
Total Byes by Domain

Displays the total bytes for each connection. Sorted by domain.

187

Queries for connection counts and groups the tallies by the HTTP success or failure code.
Administrator can use this report to determine by code how many connections were
188
RSAenVision Reports
Cisco Content Services Switch Standard Reports

The Reports module includes the following standard reports for the Cisco Content
Services Switch event source.
Down Links
Displays all messages associated with a down link in a given time period.
Reboots
Displays all messages associated with event source reboots in a given time period.
Top 50 Users by Number of Connections

Displays the total number of connections to the content switch grouped by the associated
user name.
Total Attacks by Attack Type

Displays the total number of attacks recognized by the event source grouped by the attack
type.
Total Attacks by Destination Address

Displays the total number of attacks recognized by the event source grouped by the
destination address.
Total Attacks by Destination Port

destination port.
Total Attacks by Source Address

source address.
Total Logins by Source Address

Displays the total number of successful logons by source address.
189
Cisco IOS IDS Standard Reports

The Reports module includes the following standard reports for the Cisco IOS (IDS)
event source.
Alarm Level Summary



Summarizes intrusion events detected by the Cisco integrated intrusion detection sensor
on the router by alarm level. Sorted by alarm level.

Lists the attack events detected by the Cisco integrated intrusion detection sensor on the
router from external sources.

on the router. Sorted by router address, alarm level, and number of alarms.

Lists the attack events detected by the Cisco integrated intrusion detection sensor on the
router from internal sources.
Intrusion Event Summary by Signature Category

on the router by signature category. Sorted by alarm level and number of alarms.
Intrusion Event Summary by Signature Description

on the router by signature description. Sorted by alarm level.

Summarizes intrusion events detected through the Cisco integrated intrusion detection
sensor on the router by intruding source address. Sorted by source address and number of
alarms.
190
RSAenVision Reports

sensor on the router by source and destination direction. Sorted by alarm level.

Lists the intrusion events detected by the Cisco integrated intrusion detection sensor on
the router. Sorted by date and time, and alarm level.


sensor on the router by source and destination direction. Sorted by alarm level.
191
Cisco IOS
The Reports module includes the following standard reports for the Cisco IOS event
source.

Summarizes bandwidth usage by local address for all traffic passing through Cisco IOS
firewalls. Sorted by total byte usage. Use this report to quickly determine the "top
talkers" on your company network. Only IOS firewalls with debug level logging enabled
are reported.

Displays bandwidth usage by department through Cisco IOS firewalls. Use this report to
quickly determine which departments are consuming the most bandwidth.

Summarizes bandwidth usage by port for traffic passing through Cisco IOS firewalls.
are consuming the most bandwidth. Only IOS firewalls with debug level logging enabled
are reported.

Displays bandwidth usage per hour through Cisco IOS firewalls. Use this report to
quickly spot bandwidth usage trends occurring during specific time periods. Each tick
mark on vertical hourly axes represents accumulated usage for the previous hour.

Displays bandwidth usage of inbound e-mail traffic through Cisco IOS firewalls. Sorted
by session count.
Inbound FTP Traffic

Displays bandwidth usage of inbound FTP traffic through Cisco IOS firewalls. Sorted by
session count.

Displays bandwidth usage of inbound HTTP traffic through Cisco IOS firewalls. Sorted
by session count.

Displays bandwidth usage of inbound Telnet traffic through Cisco IOS firewalls. Sorted
by session count.
192
RSAenVision Reports

Summarizes bandwidth usage of outbound e-mail traffic through Cisco IOS firewalls.
Sorted by session count.

Summarizes bandwidth usage of outbound FTP traffic through Cisco IOS firewalls.

Summarizes bandwidth usage of outbound HTTP traffic through Cisco IOS firewalls.

Summarizes bandwidth usage of outbound Telnet traffic through Cisco IOS firewalls.
Security Threats
Lists the security threat messages from Cisco IOS firewalls. Sorted by date and time.

Displays the top 20 bandwidth users through Cisco IOS firewalls.
Top 20 Requested Destinations

Displays the top 20 requested destinations through Cisco IOS firewalls.
Top Destinations
Summarizes the top destinations by users through Cisco IOS firewalls. Sorted by session
count.
193
Cisco Ironport Email Security Appliance Standard

Reports
The Reports module includes the following standard reports for the Cisco Ironport ESA
event source.
Content Filter Report

Lists messages that have been quarantined according to filter settings.
194
RSAenVision Reports
Cisco Ironport Web Security Appliance Standard

Reports
The Reports module includes the following standard reports for the Cisco Ironport WSA
event source.
Blocked URLs
Lists the blocked URLs along with the IPaddress that requested them and the reason why
they were blocked (the reason is given as URLcategory).
Top 20 users based on MB download

Lists the top 20 users based on MBdownload.
195
Cisco MARS Standard Reports

The Reports module includes the following standard reports for the Cisco MARS event
source.
Severity Red Incidents

Lists the incidents that are at red severity level including the incident number, the rule
triggered, and the time of the incident.
Worms and/or Attacks

Lists the incidents for rules having the words "worm" or "attack" and lists the severity
and time of the incident.
196
RSAenVision Reports
Cisco Network Admission Control Standard Reports

The Reports module includes standard reports for Cisco NAC (Network Admission
Control).
Application Posture Token Distribution

Lists posture credential vendor and application type combinations by NAC state.
Endpoint Detail
Lists the recent network admission of each endpoint and provides details about each
event.
Endpoint Status Query Failures

Displays the number of status query failures by endpoint.
Endpoints by NAC State

Lists endpoints by NAC state.
IOS Static Authorization

Displays non-responsive endpoints that are configured as static exceptions on the network
admission event source.
Network Admission Devices by NAC State

Lists network admission event sources by NAC state.
Network Device Groups by NAC State

Lists network event source groups by NAC state.
Non-Responsive Endpoints by NAC State

Lists non-responsive endpoints by NAC state.
Rejected Endpoints by NAC State

Lists rejected endpoints by NAC state.
Top 10 Endpoints by SPTs

Lists the top 10 endpoints by selected System Posture Token (SPT). You select the SPT
from a runtime parameter list. If you select multiple SPTs, the report lists the top 10
endpoints by all selected SPTs, not the top 10 endpoints for each SPT.
197
Top 10 Users by SPTs

Lists the top 10 users by selected System Posture Token (SPT). You select the SPT from
a runtime parameter list. If you select multiple SPTs, the report lists the top 10 endpoints
by all selected SPTs, not the top 10 endpoints for each SPT.
User Detail
Lists recent network admissions for each user and provides details about each event.
User Groups by NAC State

Lists user groups by NAC state.
Users by NAC State

Lists user names by NAC state.
198
RSAenVision Reports
CiscoWorks Network Compliance Manager Standard

Reports
The Reports module includes the following standard reports for the Cisco Content
Services Switch event source.

Lists configuration changes made, sorted by event source.

Lists details of all events over a period of time.

Lists failed attempts based on user name.
Login and Logout

Lists events relating to logon and logoff.
199
Cisco PIX (firewall) Standard Reports

The Reports module includes the following standard reports for the Cisco PIX (firewall)
event source.
AAA User Authentications

Displays AAA user authentications through Cisco PIX firewalls, sorted by date and time.
This report requires AAA user authentication.

Summarizes bandwidth usage by local address for all traffic passing through Cisco PIX
firewalls. Sorted by total byte usage. Use this report to quickly determine the "top
talkers" on your company network. Only PIX firewalls with debug level logging enabled
are reported.

Displays bandwidth usage by department through PIX firewalls. Use this report to quickly
determine which departments are consuming the most bandwidth.

Summarizes bandwidth usage by port for traffic passing through Cisco PIX firewalls.
with applications are port and services. Only PIX firewalls with debug level logging

Displays bandwidth usage per hour through PIX firewalls. Use this report to quickly spot
bandwidth usage trends occurring during specific time periods. Each tick mark on vertical
hourly axes represents accumulated usage for the previous hour.
Bandwidth Utilization
Displays the bandwidth utilization on the network in a combination of a graph and a
report.
Blocked URL Events

Displays the blocked URL events of internal IP addresses attempting to connect to
external web sites that have been restricted by the company. Sorted by date and time.
Websense Enterprise software must be installed to activate the URL blocking capability.
200
RSAenVision Reports
Lists configuration change messages from Cisco PIX firewalls, sorted by date and time.
Monitors when configuration changes were made to Cisco PIX Firewalls. Only PIX
Connection Limit Exceeded

Details exceeded connection limits by static addresses.
CPU Over-Capacity Events by Date and Time

Lists all instances of PIX Firewall CPU use rising above 100 percent. If this condition,
which is generally considered to be an error condition, happens frequently, you may need
to contact Cisco Systems.

Displays the number of denied connections per hour through PIX firewalls. Use this
previous hour.
Denied Inbound IP Spoofing

Tracks when a PIX Firewall receives an external packet with the IP source address equal
to the IP destination and the destination port equal to the source port. Sorted by the
destination address. This event indicates a spoofed packet designed to attack systems.
This attack is referred to as a land attack.

Summarizes denied inbound traffic filtered through Cisco PIX firewalls by foreign
host or network event source configuration issue. Only PIX firewalls with logging

Summarizes denied inbound traffic filtered through Cisco PIX firewalls by port. Sorted by
connection count. Port is used synonymously with services or applications. Use this report
to quickly determine which applications are being denied access. Denied connections
may indicate an attempted security policy breach, malicious network reconnaissance like
a port scan, or a host or network event source configuration issue. Only PIX firewalls
with logging enabled are reported.
201

Summarizes denied outbound traffic filtered through Cisco PIX firewalls by local
addresses may be attempting to bypass your company security policy. Only PIX firewalls
with logging enabled are reported.

Summarizes denied outbound traffic filtered through Cisco PIX firewalls by port. Sorted
report to quickly determine which outbound applications are being denied. These denied
Only PIX firewalls with logging enabled are reported.
E-mail Security
Lists PIX MailGuard messages received from Cisco PIX firewalls. Sorted by date and
time. Use this report to quickly view possible e-mail security breach attempts that were
prevented by PIX firewalls. Only PIX firewalls with logging enabled are reported.
Failover Messages
Lists failover messages from Cisco PIX firewalls by date and time.
FTP Requests by Date/ Time

Lists FTP requests through Cisco PIX Firewalls by date and time.
FTP Requests by Department

Displays FTP requests for each department through Cisco PIX firewalls by number of
requests.
FTP Requests by Foreign Address

Source Address.
Displays FTP requests to foreign sites by local users through Cisco PIX firewalls by
foreign address and the number of requests.
202
RSAenVision Reports
FTP Requests by Local Address

Displays FTP requests by each local address through Cisco PIX firewalls by local
address and number of requests.
Inbound E-mail Recipients

Displays inbound e-mails and the intended recipients.
Inbound E-mail Senders

Displays inbound e-mails and the senders.

Displays bandwidth usage of inbound e-mail traffic through Cisco PIX firewalls. Sorted
by total connection count. Use this report to quickly determine top foreign e-mail senders
if your e-mail servers are located on an internal or DMZ interface. Summarizes e-mail
traffic from your own e-mail gateways if they are sitting on an external PIX interface.
Only PIX firewalls with logging enabled are reported. The system calculates inbound email traffic by summarizing all the 302002 traffic logged on local port 25.
Inbound FTP Traffic

Displays bandwidth usage of inbound FTP traffic through Cisco PIX firewalls. Sorted by
total connection count. Use this report to quickly determine which external users use FTP
most frequently in your company. Only PIX firewalls with logging enabled are reported.
The system calculates inbound FTP traffic by summarizing all the 302002 traffic logged
on local ports 20 and 21.

Displays bandwidth usage of inbound HTTP traffic through Cisco PIX firewalls. Sorted
by total connection count. Use this report to quickly assess which foreign users are
accessing your internal web servers most frequently. Only PIX firewalls with logging
enabled are reported. The system calculates inbound http traffic by summarizing all the
Inbound IP Fragmentation Alert

Summarizes inbound IP fragmentation, sorted by count by foreign address.The PIX
Firewall limits the number of IP fragments that can be concurrently reassembled. This
restriction prevents memory depletion at the firewall under abnormal network conditions.
If this message persists, a denial of service (DoS) attack may be in progress.
203

Displays bandwidth usage of inbound Telnet traffic through Cisco PIX firewalls. Sorted
by total connection count. Use this report to quickly determine top external Telnet users.
Only PIX firewalls with logging enabled are reported. The system calculates inbound
Telnet traffic by summarizing all the 302002 traffic logged on local port 23.
Management Access from External Source

Details all of the event source management events on the PIX firewall sorted by date and
time.
Outbound E-mail Recipients

Displays outbound e-mails and the intended recipients.
Outbound E-mail Senders

Displays outbound e-mails and the senders.

Summarizes bandwidth usage of outbound e-mail traffic through Cisco PIX firewalls.
Sorted by total connection count. Use this report to quickly determine the top e-mail users
in your company if your e-mail gateway is located on an external or DMZ interface.
Reflects top e-mail gateways if your mail gateways are on the PIX internal interface
network. Only PIX firewalls with logging enabled are reported. The system calculates
outbound e-mail traffic by summarizing all the 302002 traffic logged on foreign port 25.

Summarizes bandwidth usage of outbound FTP traffic through Cisco PIX firewalls.
users use FTP most frequently in your company. Only PIX firewalls with logging enabled
are reported. The system calculates outbound FTP traffic by summarizing all the 302002
traffic logged on foreign ports 20 and 21.

Summarizes bandwidth usage of outbound HTTP traffic through Cisco PIX firewalls.
your company. Only PIX firewalls with logging enabled are reported. The system
port 80.
Outbound IP Fragmentation Alert

Displays the PIX Firewall limits the number of IP fragments that can be concurrently
reassembled, sorted by count by local address. This restriction prevents memory depletion
204
RSAenVision Reports
at the firewall under abnormal network conditions.

Summarizes bandwidth usage of outbound Telnet traffic through Cisco PIX firewalls.
Sorted by total connection count. Use this report to quickly determine top local Telnet
users. Only PIX firewalls with logging enabled are reported. The system calculates
outbound Telnet traffic by summarizing all the 302002 traffic logged on foreign port 23.

Displays the number of connections per hour through PIX firewalls. Use this report to
RIP External Security Alert

Displays the PIX Firewall events for received internal RIP reply messages with bad
on the router or the PIX Firewall, or the event may be a unsuccessful attempt to attack
the PIX Firewall unit's routing table.
RIP Internal Security Alert

Displays the PIX Firewall events for received external RIP reply messages with bad
on the router or the PIX Firewall, or the event may be a unsuccessful attempt to attack
the PIX Firewall unit's routing table.
SiteTrack Detection
Note: This report is not compatible with the Content 2.0 schema.
Lists network traffic through Cisco PIX firewalls that contained SiteTrack keywords.
Sorted by date and time. Keyword match is identified with parentheses ( ) preceding the
of the DNS host name lookup of source and destination IP addresses, as well as accessed
URL pages and FTP filenames. The DNS Resolver service must be enabled, and PIX
firewall logging must be enabled.

Displays the top 10 requested URL and FTP destinations by internal users through PIX
firewalls. Use this report to quickly spot trends of the most popular foreign sites.

Displays the 20 ports with the most bandwidth usage through PIX firewalls. Use this
report to quickly identify which applications are consuming the most bandwidth.
205

Displays the top 20 bandwidth users through PIX firewalls.

Displays the top 20 users of connections through PIX firewalls. Use this report to quickly
determine which users are consuming the most connections.

Displays the 20 ports with the most connections through PIX firewalls. Use this report to
quickly identify which applications are consuming the most connections.

Displays the top 20 foreign addresses that were denied inbound access by PIX firewalls.
Use this report to quickly spot foreign hosts that may have been attempting to gain
unauthorized access to your network.

Displays the 20 ports with the most denied inbound connections through PIX firewalls.
denied connections.

Displays the top 20 local addresses that were denied outbound access by PIX firewalls.
Use this report to quickly identify the top internal hosts that may have been attempting to
breach your company's outbound Internet security policy.

Displays FTP requests to foreign addresses through Cisco PIX firewalls. Sorted by the
number of requests.
Top URL Destinations

Displays URL requests to foreign addresses through Cisco PIX firewalls. Sorted by the
number of requests.
Total Connections by Global/Translated Address

Displays the activity for each global address going through the PIX firewall, sorted by
percentage of total connections within a specific time period.
206
RSAenVision Reports
Translation Activity by Connection ID

Lists the buildup and teardown messages for connections through a PIX firewall. Sorted
by connection ID.
URL Requests by Date/Time

Lists URL and FTP requests through Cisco PIX Firewalls. Sorted by date and time. Use
this report and the HTTP/FTP query report can be used to view which URLs and FTP
files were accessed during a certain date and time range. Only PIX firewalls with
URL Requests by Department

Summarizes the outbound URL and FTP requests for each department through Cisco PIX
firewalls. Sorted by number of requests. Use this report to quickly determine which
departments are downloading the most URLs and FTP files. Only PIX firewalls with
URL Requests by Foreign Address

Source Address.
Summarizes outbound URL and FTP requests to foreign addresses through Cisco PIX
firewalls. Sorted by total connections. Use this report to quickly determine the most
common URL and FTP destinations in your company. Only PIX firewalls with logging
URL Requests by Local Address

Summarizes the outbound URL and FTP requests by each local address through Cisco
PIX firewalls. Sorted by local address and number of URL and FTP requests. Use this
report to quickly determine the most common URL and FTP destinations by local address
for your company. Only PIX firewalls with logging enabled are reported.
URL Requests by User Name

Cisco PIX firewalls. Sorted by user name and the number of URL and FTP requests.
Requires that AAA user authentication be configured on the firewall. Use this report to
quickly determine the most common URL and FTP destinations on a user name basis for
your company. Only PIX firewalls with logging enabled are reported.
207
Cisco PIX (IDS) Standard Reports

The Reports module includes the following standard reports for the Cisco PIX (IDS)
event source.
Alarm Level Summary



sensor on the PIX by alarm level. Sorted by alarm level.

on the PIX from external sources.

sensor on the PIX. Sorted by PIX address, alarm level, and number of alarms.

on the PIX from internal sources.
Intrusion Event Summary by Signature ID

sensor on the PIX by signature description. Sorted by alarm level.

detection sensor on the PIX by intruding source address. Sorted by source address and
number of alarms.

detection sensor on the PIX by source and destination direction. Sorted by alarm level.
208
RSAenVision Reports

sensor on the PIX.


209
Cisco PIX (VPN) Standard Reports

The Reports module includes the following standard reports for the Cisco PIX (VPN)
event source.
Denied Packets per Device

Displays the denied packets per event source for all VPN gateways.

Displays the denied packets per hour for all VPN gateways.
Failed Authentication by Device

Lists the failed authentications for all users of VPN gateways. Sorted by event source
address.
Failed Authentication by Username

Lists the failed authentications for all users of VPN gateways. Sorted by user name.
Failed XAuthentications by Device

Lists the failed Xauthentications for all users of VPN gateways. Sorted by event source
address.
Successful Authentication by Date/Time

Lists the successful authentications for all users of VPN gateways. Sorted by date and
time.

Lists the VPN system events from Cisco PIX. Sorted by event source.

Lists the total connections for all users of VPN gateways. Sorted by user name.
210
RSAenVision Reports
Cisco Router (IDS) Standard Reports

The Reports module includes the following standard reports for the Cisco Router (IDS)
event source.
Alarm Level Summary



sensor on the PIX by alarm level. Sorted by alarm level.

on the PIX from external sources.

sensor on the PIX. Sorted by PIX address, alarm level, and number of alarms.

on the PIX from internal sources.
Intrusion Event Summary by Signature Category

sensor on the PIX by signature category. Sorted by alarm level.
Intrusion Event Summary by Signature Description

sensor on the PIX by signature description. Sorted by alarm level.

detection sensor on the PIX by intruding source address. Sorted by source address and
number of alarms.
211


sensor on the PIX.


212
RSAenVision Reports
Cisco Router Standard Reports

The Reports module includes the following standard reports for the Cisco Router event
source.

Summarizes the number of permitted packets per source address for all network traffic
through Cisco routers. Sorted by packet count. Only network traffic from Cisco router
interfaces with access control lists applied and logging enabled is reported. Source
address can be an Internet or intranet address depending on which router interface the
access list is applied and in which direction.

through Cisco routers. Sorted by packet count. Only network traffic from Cisco router
interfaces with access control lists applied and logging enabled is reported. Source
address can be an Internet or intranet address depending on which router interface the
access list is applied and in which direction.

Summarizes the number of permitted packets passing through Cisco routers by port.
Sorted by packet count. Only network traffic from Cisco router interfaces with access
control lists applied and logging enabled is reported. Source address can be an Internet or
intranet address depending on which router interface the access list is applied and in
which direction.

Displays the number of denied packets per hour by Cisco routers. Use this report to spot
possible security threat trends over time ranges. Each tick mark on vertical hourly axes
represents accumulated denied packets for the previous hour.
Denied Traffic by Address

Summarizes the number of denied packets per source address through Cisco routers.
Sorted by denied packet count. Only network traffic from Cisco router interfaces with
access control lists applied and logging enabled is reported. Source address can be an
internal or external address depending on which router interface the access list is applied
and in which direction.
Denied Traffic by Port

Summarizes denied traffic filtered through Cisco routers by port. Sorted by packet count.
Only network traffic from Cisco router interfaces with access control lists applied and
logging enabled is reported.
213

Summarizes the number of inbound e-mail packets permitted through Cisco routers by
destination address. Sorted by router address, access control list, and number of sessions.
logging enabled is reported. The system determines inbound or outbound traffic from the
network information entered in its ipaddr.tab file. If this file is not configured, the
system assumes that traffic is inbound.
Inbound FTP Traffic

Summarizes permitted inbound FTP packet usage through Cisco routers. Sorted by router
address, access control list, and number of sessions. Only network traffic from Cisco
router interfaces with access control lists applied and logging enabled is reported. The
system determines whether traffic is inbound or outbound from the information entered in
the ipaddr.tab file located in the program directory. If this file is not configured, the

Summarizes the number of permitted packets transferred by destination address for
inbound HTTP traffic through Cisco routers. Sorted by router address, access control list,
and number of sessions. Only network traffic from Cisco router interfaces with access
control lists applied and logging enabled is reported. The system determines whether
traffic is inbound or outbound from the information entered in the ipaddr.tab file located
in the program directory. If this file is not configured, the system assumes that traffic is
inbound.

Summarizes the number of inbound Telnet packets permitted through Cisco routers.
Sorted by router address, access control list, and number of sessions. Only network
traffic from Cisco router interfaces with access control lists applied and logging enabled
is reported. The system determines inbound or outbound traffic from the network
information entered in the ipaddr.tab file. If this file is not configured, the system
assumes that traffic is inbound.

Summarizes the number of outbound e-mail packets permitted through Cisco routers by
destination address. Sorted by router address, access control list, and number of sessions.
logging enabled is reported. The system determines inbound or outbound traffic from the
network information entered in the ipaddr.tab file. If this file is not configured, the
214
RSAenVision Reports

Summarizes the number of permitted packets transferred per source and destination
address pair for outbound FTP sessions through Cisco routers. It is sorted by router
address, access control list, and number of sessions. Only network traffic from Cisco
router interfaces with access control lists applied and logging enabled is reported. The
system determines whether traffic is inbound or outbound from the information entered in
the ipaddr.tab file located in the program directory. If this file is not configured, the

Summarizes the number of permitted packets transferred by destination address for
outbound HTTP traffic through Cisco routers. Sorted by router address, access control
list, and number of sessions. Only network traffic from Cisco router interfaces with
access control lists applied and logging enabled is reported. The system determines
whether traffic is inbound or outbound from the information entered in the ipaddr.tab file
located in the Program directory. If this file is not configured, the system assumes that
traffic is inbound.

Summarizes the number of outbound Telnet packets permitted through Cisco routers.
Sorted by router address, access control list, and number of sessions. Only network
traffic from Cisco router interfaces with access control lists applied and logging enabled
is reported. The system determines inbound or outbound traffic from the network
information entered in the ipaddr.tab file. If this file is not configured, the system
assumes that traffic is inbound.
Permitted Packets by Address

Displays the number of permitted packets by address through Cisco routers. Use this
report to spot top packet users through your router.
Permitted Packets per Hour

Displays the number of permitted packets per hour by Cisco routers. Use this report to
spot peak packet usage trends over time ranges. Each tick mark on vertical hourly axes
represents accumulated permitted packets for the previous hour.
Permitted Packets by Port

Displays the number of permitted packets by port through Cisco routers. Use this report to
spot top bandwidth applications running across your router.
SiteTrack Detection
Lists packets that have been permitted or denied through Cisco routers with hostname
lookups that match any of the keywords entered in the SiteTrack keyword list. Sorted by
215
date and time. Keyword match is listed in the report with parentheses ( ) preceding the
message in the Message field. Keywords need to be entered in the SiteTrack, and its
DNS Resolver service must be enabled for this feature to function. The DNS Resolver
service performs a hostname lookup of both source and destination IP addresses in every
packet that it receives from Cisco routers.
System Critical Events

Lists router system status messages received from Cisco routers. Sorted by date and time.
Only Cisco routers with logging enabled are reported.
System Interface Events

Lists system interface status messages from Cisco routers. Sorted by date and time. Only
Cisco routers with logging enabled are reported.

Displays the top 20 bandwidth users by address through Cisco routers. Use this report to
spot top bandwidth users through the router.
Top 20 Denied Packets by Address

Displays the top 20 addresses of denied packets through Cisco routers. Use this report to
quickly spot foreign addresses that are possibly attempting to breach your security policy.
Top 20 Denied Packets by Port

Displays the 20 ports with the most denied packets through Cisco routers. Use this report
to quickly spot which applications may possibly be used for an attempted security breach.
Call Data - Call Information By Call ID

Displays all information associated with specified calls within a time period. Information
includes setup time, user name, number called or calling, origin, connection speed, and
traffic passed.
Call Data - Top 10 Total Duration By Number Called

Displays the total call time duration associated with the top 10 numbers called. The call
time is displayed in seconds.
Call Data - Top 10 Total Duration By Username

Displays the top 10 user names based upon call duration time for the specified time
period.
Call Data - Total Disconnects by Error for Each Device

Displays the number of events that present an error in the disconnect code for each call.
216
RSAenVision Reports
Call Data - Total Usage By Device

Displays the call traffic associated with each event source. This is an executive-level
report for administrators.
Call Data - Total Usage By Username

Queries the call data record for all associated call information. Results are displayed by
the user name associated with the calls.
217
Cisco Secure IDS Standard Reports

The Reports module includes the following standard reports for the Cisco Secure IDS
event source.

Displays the top 10 sources of alarms by source IP address.
Top 20 Alarms


Displays the 20 source-destination pairs that have generated the most alarms.

Displays the 20 source IP addresses that have generated the most events or alarms from
the Cisco Secure IDS sensors.

Displays alarms sorted by destination IP address.

Displays the top 20 alarms sorted by destination port.
Alarm Report
Displays alarms based on signature names. Sorted by alarms and signature names.
Alarm Levels
Displays the number of alarms for each alarm level.
Alarms by Hour
Displays the number of alarms by hour for a given time period.
Alarms by Sensor
218
RSAenVision Reports

Displays the total number of alarms generated by each sensor event source. Sorted by
total number of alarms.
219
Cisco Security Agent (IPS) Standard Reports

The Reports module includes the following standard reports for the Cisco Security Agent
event source.
Security Agent License Messages

Displays events that deal with the Security Agent licenses.
Service and Agent Messages

Displays events that deal with the Security Agent restart events.
Total Attack Events by Event Type

Displays the total number of intrusion events grouped by the event type.
Total Events by ButtonCode

Displays the total number of intrusion events grouped by the ButtonCode (Disposition).
Total Number of Attacks by Host ID

Displays the total intrusion events forwarded to the RSA enVision Collector grouped by
the host ID of Security Agent.
220
RSAenVision Reports
Cisco Security Agent Standard Reports

The Reports module includes the following standard reports for the Cisco Security Agent
event source.
Security Agent License Messages

Lists events associated with the Security Agent licenses.
Service and Agent Messages

Lists Security Agent restart events.
Total Attack Events by Event Type

Displays the total number of intrusion events, grouped by the event type.
Total Events by ButtonCode

Displays the total number of intrusion events, grouped by disposition (ButtonCode).
Total Number of Attacks by Host ID

Displays the total intrusion events, grouped by the host ID of Security Agent.
221
Cisco Switch Standard Reports

The Reports module includes the following standard reports for the Cisco Switch event
source.
Displays the total number of failed authentications during the specified time period.
Failed Authentications by Username

Displays the total number of failed authentications by user name during the specified time
period.
Displays the total number of successful authentications during the specified time period.
Successful Authentications by Username

Displays the total number of successful authentications by user name during the specified
time period.
222
RSAenVision Reports
Cisco Unified Computing System Manager Standard

Reports
The Reports module includes the following standard reports for the Cisco Unified
Computing System Manager event source.
Historical Overview of Hardware Faults

Displays all the information about hardware faults reported by Cisco UCS Manager.
Failed Authentications by User name

Displays the total number of failed authentications by user name during a specified time
period.
223
Cisco VPN 3000 Concentrator Standard Reports

The Reports module includes the following standard reports for the Cisco VPN 3000
Concentrator event source.

Displays the VPN bandwidth usage per hour.
Connection Statistics by Username

Lists the date and time stamp, user name, and event source addresses associated with
each successful connection attempt.
Denied Connections
Displays the number of denied connections by VPN gateway.
Denied Connections by Date/Time

Displays the VPN denied connections by date and time for the entire group of VPN
gateways.
Denied Connections by Username

Displays the VPN denied connections by user name for the entire group of VPN
gateways. Sorted by denied connections.

Displays the VPN denied connections per hour.
Successful Authentications by Date/Time

Queries the database for messages that report successful authentication requests.
Displays information such as date and time, event source address, user name, local port
name, and group name.
Successful Authentications by GroupName

Queries the database for messages that report successful authentication requests. Reports
successful connection counts by group name.
Successful Authentications by Username

Queries the database for messages that report successful authentication requests. Reports
successful connection counts by user name.
224
RSAenVision Reports
Successful Connections by Device Address

Total of all successful connections to a monitored Cisco VPN 3000 concentrators. Sorted
by event source address.
Systems Events by Device

Lists system events, such as configuration changes and hardware errors, for each event
source. Sorted by date and time and VPN event source.
Top 20 Bandwidth Users By Total Bytes

Displays the top 20 users for all VPN gateways by total bytes.
Top 20 Users by Durations

Displays the top 20 tunnel connections for all VPN gateways.

Displays the top 20 users by connections for all VPN gateways.
Total Bytes by Username

Lists the total bytes by local address for all VPN gateways. Sorted by user name and total
bytes. The total bytes are calculated by adding up the byte entries for each local address.
Total Duration by Username

Lists the total duration for all users of VPN gateways. Sorted by IP address and total
duration. The total duration is calculated by adding up the duration entries for each local
address.
225
Citrix Access Gateway Standard Reports

The Reports module includes the following standard reports for the Citrix Access
Gateway event source.
Details all configuration changes to the Citrix Access Gateway event source.
Overview of Successful Authentication

Details information about successful authentication attempts.
Overview of Failed Authentication

Details information about failed authentication attempts.
226
RSAenVision Reports
Cyber-Ark PIM Standard Reports

The Reports module includes the following standard reports for the Cyber-Ark PIM event
source.
Historical Overview Of Failed Logins

Lists user names and actions that led to failed logons.
Historical Overview Of Successful Login/Logout

Lists user names with successful logons and logoffs.
Informational And Configuration Messages

Lists user activity information and configuration changes.
227
CyberGuard Firewall Standard Reports

The Reports module includes standard reports for the CyberGuard Firewall event source.
Authentication Failures
Lists the users that failed to authenticate to the sensor.
Critical Hardware Events

Lists the hardware sensors generating events.
Login Events
Lists the logon events.

Lists the top 20 bandwidth ports.

Lists the top 20 bandwidth users.

Lists the top 20 connections, sorted by IP address.

Lists the top 20 connections, sorted by port.
Top 20 Denied Addresses

Lists the top 20 addresses that were denied.
228
RSAenVision Reports
Enterasys Dragon (IDS) Standard Reports

The Reports module includes the following standard reports for the Enterasys Dragon
(IDS) event source.
Top 10 Attacks by Attack Signature

Displays the top 10 attacks grouped by attack signature.
Top 10 Attacks by Destination Address

Displays the top 10 attacks grouped by destination address. Administrators can use this
report to determine which devices are routinely being attacked.
Top 10 Attacks by Destination Port

Displays the top 10 attacks grouped by destination port. Administrators can use this report
to determine which network services are routinely being attacked.
Top 10 Attacks by Network Sensor

Displays the top 10 attacks grouped by sensor. Administrators can use this report to
determine which sensors are detecting the most attacks and, based on sensor deployment,
which areas of the network are routinely being attacked.
Top 10 Attacks by Source Address

Displays the top 10 attacks grouped by source address.
Total Attacks by Hour

Displays the number of attacks grouped by the hour of detection. Administrators can use
this report to determine patterns of attacks based on the time of day.
229
eEye Retina Network Security Scanner Standard

Reports
The Reports module includes the following standard reports for the eEye Retina Network
Security Scanner event source.
Alarm Level Summary

Displays the number of alarms per alarm level.
Alarms per Device

Displays the number of detected alarms per event source in the network.
All Vulnerabilities
Lists all vulnerabilities reported by eEye Retina Scanner.
230
RSAenVision Reports
EMCDocumentum Standard Reports

The Reports module includes the following standard reports for the EMCDocumentum
event source.
Audit Check-in / Checkout Events

Lists the details about all check-ins and checkouts.
Top 10 Audit Events by Action

Lists the details of all the messages from the audit trails.
231
EMCIonix Standard Reports

The Reports module includes the following standard reports for EMCIonix.
Agent Deployment Statistics

Reports all the successful and unsuccessful agent deployment events.
Successful and Failed Compliance Statistics

Reports all the successful and failed compliance template results.
Successful and Failed Logons

Reports successful and failed logon attempts to the SCM console.
Top 20 Changed Data Types

Reports the top 20 changed data types between successive collections of Ionix SCM.
232
RSAenVision Reports
Enterasys Networks Dragon Standard Reports

The Reports module includes the following standard reports for the Enterasys Networks
Dragon event source.
Top 10 Attacks by Attack Signature

Displays a count of all attacks grouped by attack signature.

Displays a count of all attacks grouped by destination address. Administrators can use
this report to determine which event sources are routinely being attacked.

Displays a count of all attacks grouped by destination port. Administrators can use this
report to determine which network services are routinely being attacked.

Displays a count of all attacks grouped by sensor. Administrators can use this report to
determine which network sensors are detecting the most attacks and, based on sensor
deployment, which areas of the network are routinely being attacked.

Displays a count of all attacks grouped by source address.

Displays a count of all attacks grouped by hour of detection. Administrators can use this
report to determine patterns in attacks based on time of day.
233
McAfee ePolicy Orchestrator Standard Reports

The Reports module includes the following standard reports for McAfee ePolicy
Orchestrator.
McAfee ePolicy Detailed task report

Lists all task-related activities from McAfee ePolicy.
McAfee ePolicy Error conditions

Lists all the error conditions reported from McAfee ePolicy.
McAfee ePolicy Top 20 Viruses

Displays the top 20 viruses found on the network.
McAfee ePolicy Top 20 e-mail Viruses

Displays the top 20 e-mail viruses found on the network.
McAfee ePolicy Top 20 infected e-mail sources

Displays the top 20 infected e-mail sources found on the network.
McAfee ePolicy Top 20 infected files

Displays the top 20 infected files found on the network.
McAfee ePolicy Top 20 infected systems

Displays the top 20 infected systems found on the network.
234
RSAenVision Reports
Extreme Networks ExtremeWare Switch Standard

Reports
The Reports module includes the following standard reports for the Extreme Networks
ExtremeWare Switch event source.
Failed logins
Displays all failed logon attempts.
Successful logins
Displays all successful logon attempts.
235
Extreme Networks ExtremeXOS Standard Reports

The Reports module includes the following standard reports for the Extreme Networks
ExtremeXOS event source.
Failed logins
Lists all failed logon attempts.
Successful logins
Lists all successful logon attempts.
236
RSAenVision Reports
F5 Big-IP Application Security Manager Standard

Reports
Reports module includes the following standard reports for the F5 Big-IP Application
Security Manager event source.
BigIP ASM List of All Policy Violations

Displays all policy violations blocked by the ASM module on the Big-IP switch.
BigIPASM List of AllNon-Blocked Policy Violations

Displays all policy violations logged but not blocked by the ASMmodule on the Big-IP
switch.
BigIPASM Most Frequent Sources of Attacks

Displays the top sources of attacks by source IP address.
BigIP ASM Chart of Dropped Requests PerAttacked URL

Displays dropped requests per attacked URL.
BigIP ASM List of Intrusion Attacks by Destination

Lists intrusion attacks on the system with the number of dropped requests.
237
Fortinet FortiGate Standard Reports

The Reports module includes the following standard reports for the Fortinet FortiGate
event source.
For some device-specific reports, the class of the report changes when the event source
is updated to Content 2.0. In this case, the location of the report in the enVision UI also
changes.
For example, for Fortinet FortiGate, the URL Blocks report changed classes from
Security.Firewall to Host.Web Logs. In the enVision UI, the report moved as follows:
l
Location for standard content: Reports > Ad Hoc Reports > Security > Firewalls >
Fortinet Antivirus Firewall > URL Blocks
Location for Content 2.0: Reports > Ad Hoc Reports > Host > Web Logs > Fortinet
> URL Blocks
If you update the event source to Content 2.0, you must run the report from this new
location.
Note: For backwards compatibility, the report continues to exist in its previous location.
However, once you update an event source to Content 2.0, the old report will not return
any data.
Report Name and Description

Admin Configuration Changes
Content 1.0 Class
Content 2.0 Class
Security.Firewall
Security.Firewall
Security.Firewall
Security.Firewall
Security.Firewall
Security.Firewall
Security.Firewall
Security.Firewall
Security.Firewall
Host.Web Logs
Security.Firewall
Security.Firewall
Security.Firewall
Security.Firewall
Displays all the administration configuration changes.

Admin Critical Events
Displays all the critical events based on administrator actions.
Admin Failed Login Events
Displays all the failed logon events to a FortiGate appliance.
Admin Warning Events
Displays all the warning events based on administrator actions.
Category Blocks
Displays URL requests blocked by the web category filtering.
Critical System Events
Displays all the critical system events.
Displays all the failed authentications through a FortiGate
appliance.
238
RSAenVision Reports
Historical overview of all Application Control Events
Security.Firewall
Security.Firewall
Security.Firewall
Security.DLP
Security.Firewall
Security.Firewall
Security.Firewall
Security.Intrusion
Security.Firewall
Security.Intrusion
Security.Firewall
Security.Firewall
Security.Firewall
Security.Firewall
Security.Firewall
Security.Firewall
Security.Firewall
Security.Firewall
Security.Firewall
Network.Messaging
Security.Firewall
Host.Web Logs
Security.Firewall
Security.Antivirus
Displays an overview of all the application control events.

Historical overview of all Data Leak Prevention Events
Displays an overview of all the data leak prevention events.
Displays all the successful authentications through a FortiGate
appliance.
Top 20 Attack Signatures
Displays the top 20 attack signatures.
Top 20 Attack Source Addresses
Displays the top 20 IP addresses generating attacks.
Displays the top 20 IP addresses that connected through a
FortiGate appliance.
Displays the top 20 ports that connected through a FortiGate
appliance.
Top 20 Denied IP Addresses
Displays the top 20 IP addresses that were denied through a
FortiGate appliance.
Top 20 Denied Ports
Displays the top 20 ports that were denied through a FortiGate
appliance.
Top 20 Spam IP Addresses
Displays the top 20 addresses generating spam e-mail messages.
URL Bocks
Displays URL requests blocked due to being on the block list.
Virus Infection Events
Displays all the files infected with a virus.
239
Foundry Networks Switch Standard Reports

The Reports module includes the following standard reports for the Foundry Networks
Switch event source.
Attack Prevention - Host Holddown

Lists all source and destination IP address pairs that the Attack Prevention feature has in
"holddown." The system is not sending these packets to any servers.
Hardware Failures
Displays the details of critical system hardware failures.
Privileged Logins
Lists all users that have exercised privileged logon rights.
SNMP Authentication Failures

Displays the details of SNMP authentication failures.
Secured Port Access Violations

Displays the attempts by unauthorized event sources to communicate to secured ports.
Top 20 Access Control List Drops

Displays the top 20 access control list drop events.
Top 20 Access Control List Drops by Source Address Summary

Lists the top 20 source addresses that have had packets dropped or denied.
Top 20 Access Control List Drops by Source Address Summary Graph

Displays a graph of the top 20 source addresses that have had packets dropped or denied.
Top 20 SMTP Root Bridge Changes

Lists the top 20 root bridge changes that have taken place.
240
RSAenVision Reports
HP UX / FreeBSD Standard Reports

The Reports module includes the following standard reports for the HP UX / FreeBSD
event source.
HPUX / FreeBSD - Super User Access

Displays successful super user attempts and the user name associated with each attempt.
HPUX / FreeBSD - Super User Access by Username

Displays all super user authentication attempts, the result of the attempts, and the
usernames associated with the attempts. Enter a username in the provided field between
the percent signs, then run the report.
HPUX / FreeBSD - Total Bytes by Device Address

Displays the total bytes transferred by individual user name.
HPUX / FreeBSD - Total Connections by Address

Displays the total connections to a monitored event source by foreign address.
HPUX / FreeBSD - Total Connections by Username

Displays the total connection attempts by a specific user name in a specified time range.
241
IBM AIX Standard Reports

The Reports module includes the following standard reports for IBM AIX.
Failed Login Attempts

Lists failed logon attempts by user name. The date and time of the attempt are also listed.
Failed Logon Attempts by Username

Lists the failed logon attempts of all users. Enter a user name in the provided field
between the percent signs, then run the report.

Lists unsuccessful attempts to use the switch user command (attempts to switch user to
"root" that were denied) by user.
Failed Super User Attempts by Username

Lists unsuccessful attempts to use the switch user command (attempts to switch user to
"root" that were denied). Enter a user name in the provided field between the percent
signs, and then run the report.
Super User Access

Lists successful attempts to use the switch user command (attempts to switch user to
"root" that succeeded) by user and the time the action was performed.
Super User Access by Username

Lists successful attempts to use the switch user command (attempts to switch user to
"root" that succeeded). Enter a user name in the provided field between the percent signs,
then run the report.
Total Connections by Foreign Address

Displays total connections by source address.
Total Connections by Port

Displays the total connections by source port.

Displays the total connections by user name.
Syslog Conf File Changes

Summarizes all of the events when users try to modify the Syslog.conf file.
242
RSAenVision Reports
IBM iSeries Standard Reports

The Reports module includes the following standard reports for the IBM iSeries event
source.
Access Control List Changes Details

Displays changes to the access control list entries.
Account Limit Exceeded Details

Displays the account limit exceeded entries.
Actions that Affect Jobs Details

Displays the actions that affect jobs entries.
Attribute Changes Details

Displays the attribute changes entries.
Auditing Changes Details

Displays the auditing changes entries.
Authority Changes Details

Displays the authority changes entries.
Authority Failures Details

Displays the authority failure entries.
Create Object Details

Displays the create object entries.
Delete Object Details

Displays the delete object entries.
Entry Types by System

Displays the count of entry types by system.
Entry Types by User

Displays the count of entry types by user.
Invalid Password Details

Displays the invalid password entries.
243
Jobs by Systems
Displays the counts of jobs by systems.
Jobs by Users
Displays the counts of jobs by user names.
Logging On and Off Details

Displays the logging on and off entries.
Network Password Errors Details

Displays the network password errors entries.
Object Move or Rename Details

Displays the object move or rename entries.
Printed Output Details

Displays the printed output entries.
Program Change Details

Displays the program change entries.
Programs by Systems
Displays the counts of programs by system.
Server Security User Information Details

Displays the server security user information entries.
System Management Changes Details

Displays the invalid password entries.
System Value Changes Details

Displays the changes to the system value entries.
Top 20 Entry Types

Displays the 20 entry types generating the highest number of events in the audit journal.
Top 20 Jobs
Displays the 20 programs generating the highest number of events in the audit journal.
244
RSAenVision Reports
Top 20 Programs
Displays the 20 programs generating the highest number of events in the audit journal.
Top 20 Systems
Displays the 20 systems generating the highest number of events in the audit journal.
Top 20 Users
Displays the 20 users generating the highest number of events in the audit journal.
User Activity by Systems

Displays the counts of user activity by system.
iSeries - User Authentication Details

This table displays details about User Access.
245
CA ACF2 Standard Reports

The Reports module includes the following standard reports for CA ACF2.
Denial of Access to resources or Services

Lists denial of access to resources or services.

Lists failed logon attempts.
246
RSAenVision Reports
IBM Mainframe DB2 UDB Standard Reports

The Reports module includes the following standard reports for IBM Mainframe DB2
UDB.
Authorization
Lists assignment or change of an authorization ID.
Bind Attempts
Lists the attempts for the bind of static and dynamic SQL statement for the types
INSERT, UPDATE, DELETE, CREATE VIEW, and LOCK TABLE.
Change Table Attempts

Lists changes to audited tables including accesses to dependent tables.
Denied Access Attempts

Lists access attempts to DB2 that failed due to inadequate authorization.
Explicit GRANT
Lists the explicit GRANT statements and their results.
Read Accesses
Lists all read access to identified and audited tables.
247
IBM Mainframe RACF Standard Reports

The Reports module includes the following standard reports for IBM Mainframe RACF.


Successful Login by Username

Lists all successful logon messages by user name.
Successful Login of Non Policy Accounts

Lists successful logon of non-policy accounts.
Uses and Groups Creations or Deletions

Lists the groups and users created or deleted.
Users or Groups Modifications

Lists the groups and users modified.
248
RSAenVision Reports
IBM Mainframe SMA_RT (OS390/ZOS) Standard

Reports
The Reports module includes the following standard reports for IBM Mainframe SMA_
RT (OS390/ZOS).
Login Errors by Username

Displays a count of logon errors and password violations grouped by user name.
Successful Logins by Username

Displays a count of successful logon messages grouped by user name.
249
IBM Mainframe Top Secret Standard Reports

The Reports module includes the following standard reports for the IBM Mainframe Top
Secret event source.


Top Secret All Records

Lists all records.
Top Secret Dataset

Lists all datasets.
Top Secret Resource

Lists all resources.
250
RSAenVision Reports
Intel NetStructure VPN Standard Reports

The Reports module includes the following standard reports for the Intel NetStructure
VPN event sources.

Displays the VPN bandwidth usage per hour.
Bandwidth by Local Address

Lists the total bytes by local address for all VPN gateways. Sorted by user name and total
bytes. The total bytes are calculated by adding up the byte entries for each local address.
Denied Connections
Displays the number of denied connections by VPN gateway.
Denied Connections by Foreign Address

Displays the VPN denied connections by IP address for the entire group of VPN
gateways. Sorted by denied connections.
Denied Connections by Port

Displays the denied connections by port number. Sorted by denied connections.
Denied Connections by Hour

Displays the VPN denied connections per hour.

Lists each system event, such as configuration changes and hardware errors, for each
event source. Sorted by date and time and VPN event source.
Top 20 Bandwidth Users by Total Kbytes

Displays the top 20 users for all VPN gateways by total bytes.
Top 20 Port Traffic Distribution

Displays the top 20 TCP/IP application ports for all VPN gateways. Sorted by total bytes.
Top 20 Tunnel Bandwidth Users

Displays the top 20 tunnel carriers. Sorted by total bytes.
Top 20 Tunnel Durations

Displays the top 20 tunnel connections. Sorted by total duration.
251
Top 20 Tunnel Users by Total Connections

Displays the top 20 tunnel users. Sorted by total connections.
Top 20 Users by Durations

Displays the top 20 tunnel connections for all VPN gateways.

Displays the top 20 users by connections for all VPN gateways.
Total Connections by Local Address

Lists the total number of connections by local address for all VPN gateways. Sorted by
local address and total connections. The total connection count is calculated by the
number of rows per user.
Total Duration by Local Address

Lists the total duration for all users of VPN gateways. Sorted by IP address and total
duration. The total duration is calculated by adding up the duration entries for each local
address.
Tunnel Summary of Bandwidth by Username

Displays the VPN tunnel summary by each VPN event source and for each tunnel. Sorted
by VPN event source and total bytes by each user.
Tunnel Summary of Total Duration by Username

Displays the VPN tunnel summary by each VPN event source and for each tunnel. Sorted
by VPN event source and total duration by each user.
252
RSAenVision Reports
ISS RealSecure IDS Server Sensor

The Reports module includes the following standard reports for the ISS RealSecure IDS
Server Sensor event source.

Lists alarms sorted by the destination IP address that generated the alarm.
Alarm Levels
Alarm Report
Lists alarms based on signature names, sorted by alarms and signature names.
Alarms by Hour
Alarms by Sensor
Lists the alarm count for each sensor.
Alarms by Sensor (ODBC Collection Only)

Lists the alarm count for each sensor. Use this report only for ODBC collection when
address field is used.

Alarms by Sensor Device (ODBC Collection Only)

Displays the alarm count for each sensor. Use this report only for ODBC collection when
address field is used.
Top 10 Alarms
Lists the top 10 alarms by signature name that have been generated.

Lists the top 10 destination IP addresses that have been targeted for attack.

Lists the 10 source-destination pairs that have generated the most alarms.
253

Lists top 10 sources of alarms by source IP address.
254
RSAenVision Reports
Juniper DX Application Accelerator Standard

Reports
The Reports module includes the following standard reports for
theJuniperDXApplicationAccelerator event source.
Top 100 Requested URLs for a Given Time Period

Lists the top 100 requested URLs for a given time period.
Top 20 Clients by Request

Lists the top 20 clients by request.
Top 20 Requests by Domain Name

Lists the top 20 requests by domain name.

Displays the total bytes passed by hour.

Lists the top 25 policies (policy names) by the number of attacks that they recognize.
Total Bytes by Domain Name

Displays the total bytes by domain.
Total Requests by Hour

Displays the total number of requests by hour.
255
Juniper Networks IDP Standard Reports

The Reports module includes the following standard reports for the Juniper Networks IDP
event source.
Severe Attacks
Displays the severe attacks as recognized by the IDP event sources. A severe attack is
when the process field was set to DROP or CLOSE.
Top 25 Attacks
Displays the top 25 recognized attacks by number of occurrences.
Top 25 Destination Ports

Displays the top 25 ports for which recognized attacks were destined.
Top 25 Detailed Attacks

Displays the top 25 attacks by number of occurrences in a detailed format.
Top 25 Policies
Displays the top 25 policies (policy names) by the number of attacks that they recognize.
Top Attackers by Source Address

Displays the 25 source addresses responsible for the most attacks recognized by the IDP
event source.
Top Targets by Destination Address

Displays the top 25 destination addresses for recognized attacks.
256
RSAenVision Reports
Juniper Networks Infranet Controller 4500 Standard

Reports
The Reports module includes the following standard reports for the Juniper Networks
Infranet Controller 4500 event source.
Error Types Overview

Lists the different error types.
Failed Attempts by SourceIP

Lists failed attempts based on the source IP address.

Lists failed attempts based on user name.
Login and Logout

Lists all logon and logoff events.
Policy Events
Lists all events relating to any policy changes.
Top 10 Error Types

Lists the top 10 generated error types.
Top 20 Event Types

Lists the top 20 generated event types.
257
Juniper Networks JUNOS Router Standard Reports

JUNOS Router event source.
Configuration Committed Changes

Displays all messages regarding committed changes to the router configuration.
Database Schema Errors

Displays all messages regarding database schema errors or changes.
Successful Authentication by Foreign Address

Displays the successful authentications grouped by foreign address.
Successful Authentications by Device Address

Displays the total number of successful authentications that occurred during the requested
time period grouped by event source address.
System Authentication Events

Displays system authentication events that occurred during the specified time frame.
System Errors
Displays all error messages that occurred during the specified time frame.
Total Authentication Failures by Device Address

Displays the authentication failures that occurred during the requested time period
grouped by event source address.
JunOS-Successful Authentication by Foreign Address

Displays the successful authentications grouped by source address.
258
RSAenVision Reports
Juniper Networks NetScreen Firewall ScreenOS

Standard Reports
Netscreen Firewall ScreenOS event source.
Authentication and Login Events

Lists logon information for each attempt. Sorted by date and time.
Bandwidth by Department
Summarizes bandwidth usage by department for all traffic passing through NetScreen
firewalls. Sorted by total byte usage. Use this report to quickly assess which departments
are consuming the most bandwidth. Only NetScreen firewalls with debug level logging

through NetScreen firewalls. Sorted by packet count. Only network traffic from
NetScreen firewall interfaces with access control lists applied and logging enabled are
reported. Source address can be an Internet or intranet address depending on the router
interface to which the access list is applied and in which direction.

Lists bandwidth usage by department through NetScreen firewalls. Use this report to
quickly determine which departments are consuming the most bandwidth.

Summarizes the number of permitted packets passing through NetScreen by port. Sorted
by packet count. Only network traffic from NetScreen interfaces with access control lists
applied and logging enabled are reported. Source address can be an Internet or intranet
address depending on the router interface to which the access list is applied and in which
direction.

Lists bandwidth usage per hour through NetScreen firewalls. Use this report to quickly
spot bandwidth usage trends occurring during specific time periods. Each tick mark on
vertical hourly axes represents accumulated usage for the previous hour.
Lists the configuration changes made to the NetScreen event source. Includes the date
and time of the change, the event source address, and the system message detailing the
259
change.
Configuration Changes by Virtual Firewall

Displays configuration change messages. Sorted by date and time.

Lists the number of denied connections per hour through NetScreen firewalls. Use this
previous hour.

Summarizes denied inbound traffic filtered through NetScreen firewalls by foreign
host or network event source configuration issue. Only NetScreen firewalls with logging

Summarizes denied inbound traffic filtered through NetScreen firewalls by port. Sorted
by connection count. Port is used synonymously with services or applications. Use this
report to quickly determine which applications are being denied access. Denied
connections may indicate an attempted security policy breach, malicious network
reconnaissance such as a port scan, or a host or network event source configuration issue.
Only NetScreen firewalls with logging enabled are reported.

Summarizes denied outbound traffic filtered through NetScreen firewalls by local
addresses are possibly attempting to bypass your company security policy. Only
NetScreen firewalls with logging enabled are reported.

Summarizes denied outbound traffic filtered through NetScreen firewalls by port. Sorted
report to quickly determine which outbound applications are being denied. Denied
reconnaissance such as a port scan, or a host or network event source configuration issue.
Only NetScreen firewalls with logging enabled are reported.
260
RSAenVision Reports

Summarizes bandwidth usage of inbound e-mail traffic through NetScreen firewalls.
Sorted by total connection count. Use this report to quickly determine the top foreign email senders if your e-mail servers are located on an internal or DMZ interface.
Summarizes e-mail traffic from your own e-mail gateways if your e-mail servers are
sitting on an external NetScreen interface. Only NetScreen firewalls with logging
enabled are reported. The system calculates inbound e-mail traffic by summarizing all the
Inbound FTP Traffic

Summarizes bandwidth usage of inbound FTP traffic through NetScreen firewalls. Sorted
by total connection count. Use this report to quickly determine which external users use
FTP most frequently in your company. Only NetScreen firewalls with logging enabled are
reported. The system calculates inbound FTP traffic by summarizing all the 302002
traffic logged on local ports 20 and 21.

Summarizes bandwidth usage of inbound HTTP traffic through NetScreen firewalls.
Sorted by total connection count. Use this report to quickly assess which foreign users are
accessing your internal web servers most frequently. Only NetScreen firewalls with
logging enabled are reported. The system calculates inbound HTTP traffic by
summarizing all the 302002 traffic logged on local port 80.

Summarizes bandwidth usage of inbound Telnet traffic through NetScreen firewalls.
Sorted by total connection count. Use this report to quickly determine the top external
Telnet users. Only NetScreen firewalls with logging enabled are reported. The system
calculates inbound Telnet traffic by summarizing all the 302002 traffic logged on local
port 23.

Summarizes bandwidth usage of outbound e-mail traffic through NetScreen firewalls.
Sorted by total connection count. Use this report to quickly determine the top e-mail users
in your company if your e-mail gateway is located on an external or DMZ interface.
Reflects top e-mail gateways if your mail gateways are on the NetScreen internal
interface network. Only NetScreen firewalls with logging enabled are reported. The
system calculates outbound e-mail traffic by summarizing all the 302002 traffic logged on
foreign port 25.

Summarizes bandwidth usage of outbound FTP traffic through NetScreen firewalls.
261
users use FTP most frequently in your company. Only NetScreen firewalls with logging
enabled are reported. The system calculates outbound FTP traffic by summarizing all the
302002 traffic logged on foreign ports 20 and 21.

Summarizes bandwidth usage of outbound HTTP traffic through NetScreen firewalls.
your company. Only NetScreen firewalls with logging enabled are reported. The system
port 80.

Summarizes bandwidth usage of outbound Telnet traffic through NetScreen firewalls.
Sorted by total connection count. Use this report to quickly determine the top local Telnet
users. Only NetScreen firewalls with logging enabled are reported. The system
calculates outbound Telnet traffic by summarizing all the 302002 traffic logged on foreign
port 53.

Lists the number of connections per hour through NetScreen firewalls. Use this report to
SiteTrack Detection
Lists network traffic through NetScreen firewalls that contained SiteTrack keywords.
Sorted by date and time. Keyword match is identified by parentheses ( ) preceding the
of the DNS hostname lookup of source and destination IP addresses, as well as accessed
URL pages and FTP filenames. The DNS Resolver service must be enabled, and
NetScreen firewall logging must be enabled. For information about SiteTrack, see the
enVision Help.

Lists the top 20 ports of bandwidth usage through NetScreen firewalls. Use this report to
quickly identify which applications are consuming the most bandwidth.

Lists the top 20 bandwidth users through NetScreen firewalls. Use this report to quickly
identify which users are consuming the most bandwidth.
262
RSAenVision Reports

Lists the top 20 users of connections through NetScreen firewalls. Use this report to

Lists the top 20 ports with the most connections through NetScreen firewalls. Use this
report to quickly identify which applications are consuming the most connections.

Lists the top 20 foreign addresses that were denied inbound access by NetScreen
firewalls. Use this report to quickly spot foreign hosts that may have been attempting to
gain unauthorized access to your network.

Lists the 20 ports with the most denied inbound connections through NetScreen firewalls.
denied connections.

Lists the top 20 local addresses that were denied outbound access by NetScreen
firewalls. Use this report to quickly identify the top internal hosts that may have been
attempting to breach your company's outbound Internet security policy.
Total Bandwidth by Virtual Firewall

Displays total bytes grouped by virtual name (vsys_name).
Total Connections by Dest Zone

Summarizes total traffic passed as well as duration time of all connections sorted by their
associated destinations. Administrators can use this report to understand the destiny the
majority of the data.
Total Connections By Source Zone

Displays summaries of connection information sorted by Source Zone. Administrators can
use this report to see high level connection information from each originating zone.
Total Connections by Virtual Firewall

Displays successful connections grouped by virtual name (vsys_name).
263
Total Denied Inbound by Virtual Firewall

Displays the foreign addresses that were denied inbound access grouped by virtual name
(vsys_name).
Total Denied Outbound by Virtual Firewall

Displays the foreign addresses that were denied outbound access grouped by virtual name
(vsys_name).
Zone Bindings
Queries the firewall security table and selects zone binding events. Displays the source
zone and the destination zone to which it is bound.
264
RSAenVision Reports
Juniper Networks NetScreen IDS Reports Standard

Reports
NetScreen (IDS) event source.
Alarm Level Summary

Displays the number of alarms per alarm level.

Displays the number of detected alarms per sensor.

Lists the attack events detected by the NetScreen integrated firewall intrusion detection
sensor from external sources.
Intrusion Events by Date and Time

Lists the intrusion events detected by the NetScreen integrated firewall intrusion
detection sensor. Sorted by date and time.
Intrusion Events by Device

detection sensor. Sorted by event source address.
Intrusion Events by Event Type

detection sensor. Sorted by event type.

Displays the top 10 source addresses of intrusion detection alarms.
265
Juniper Networks NetScreen-Security Manager

Standard Reports
NetScreen-Security Manager event source.
NetScreen-Security Manager - Authentication and Login Events

Summarizes authentication data for Juniper NetScreen-Security Manager. Sorted by date
and time.
NetScreen-Security Manager - Severe Attacks

Displays the severe attacks. A severe attack is one where the process field was set to
DROP or CLOSE.
NetScreen-Security Manager - Top 20 Bandwidth Ports

Displays the top 20 ports of bandwidth usage.
NetScreen-Security Manager - Top 20 Bandwidth Users

Displays the top 20 users of bandwidth.
NetScreen Management - Top 25 Attacks

Displays the top 25 recognized attacks by number of occurrences.
NetScreen-Security Manager - Top 25 Destination Ports

Displays the top 25 ports for which recognized attacks were destined.
NetScreen-Security Manager - Top Attackers by Source address

Displays the 25 source addresses responsible for the most attacks recognized.
NetScreen-Security Manager - Total Connections by Dest Zone

Summarizes the total traffic passed of all connections sorted by the associated
destinations.
NetScreen-Security Manager - Total Connections By Source Zone

Queries the firewall accounting table for connection information and displays that
information sorted by zone.
NetScreen-Security Manager - Top Targets by Destination Address

Displays the top 25 destination addresses for recognized attacks.
266
RSAenVision Reports
Juniper Networks SSL VPN Standard Reports

SSLVPN event source.
Detailed Connections Events by Date and Time

Lists details of connections within the selected time range sorted by date and time.
Failed Login Attempts by Username

Displays failed logon attempts by user name.
Juniper VPN - Successful Login Attempts by Username

Displays successful logon attempts by user name.
System Changes
Lists the system changes. Includes the message and VPN event source address.
267
Juniper Networks Steel-Belted Radius Standard

Reports
Steel-Belted Radius event source.
Detailed Usage
Lists details of usage per user. Sorted by logon ID.
Failed Attempts
Lists failed attempts due to authorization failure, authentication failure, or bad requests
from the NAS.
Top 20 Users by Duration

Lists the top 20 users by duration.
User Usage Summary

Lists the system changes. Includes the message and VPN event source address.
268
RSAenVision Reports
Lancope StealthWatch Standard Reports

The Reports module includes the following standard reports for the Lancope
StealthWatch event source.
Detailed Alert Report

Events by Hour
Top 10 Destination
Displays the top 10 destinations of events detected.
Top 10 Events
Displays the top 10 events detected.
Top 10 Sources
Displays the top 10 sources of events detected.
269
Linux Standard Reports

The Reports module includes the following standard reports for the Novell Linux and Red
Hat Linux event sources.
Linux - Failed Authentications by Device

Displays the failed authentication attempts for each monitored event source by date and
time.
Linux - Failed SuperUser Attempts

Displays the failed attempts to use the switch user command and the user name
associated with each attempt.
Linux - Successful Connections

Displays the successful connection information.
Linux - Successful SuperUser Attempts

Displays the successful attempts to use the switch user command to change the user to
"root" and the user name associated with each attempt.
Linux - Total Connections by Address

Displays the total connections by foreign address.
Linux - Total Connections by Username

Displays the total connections for each user within the specified time range.
Linux - IPTables Traffic Summary

Summarizes all of the data passing through the IPTables firewall.
270
RSAenVision Reports
Lumension Endpoint Management and Security Suite

Standard Reports
The Reports module includes the following standard reports for the Lumension EMSS
event source.
EMSSSummary Report
A patch detail summary report ordered by end points.
271
Mazu Networks Profiler Standard Reports

The The Reports module includes the following standard reports for the Mazu Profiler
event source.
Detailed Alert Report

Top 10 Destinations
Displays the top 10 destination IP addresses that have been targeted for attack. Due to
limitations in the data available from Mazu Profiler in host scan, port scan, and worm
events, these events do not contain addresses, ports, or services and therefore do not
contribute to this report.
Top 10 Events
Top 10 Sources
Displays the top 10 source IP addresses that have generated the most events. Due to
limitations in the data available from Mazu Profiler in host scan, port scan, and worm
events, these events do not contain addresses, ports, or services and therefore do not
contribute to this report.
272
RSAenVision Reports
McAfee IntruShield Standard Reports

The Reports module includes the following standard reports for the McAfee IntruShield
event source.

Displays alarms sorted by the destination IP address that generated the alarm.
Alarm Levels
Alarm Report
Lists alarms based on signature names. Sorted by alarms and signature names.
Alarms by Hour
Alarms by Sensor

Displays the total number of alarms generated by the each sensor event source. Sorted by
total number of alarms.

Lists the top 10 source IP addresses that have generated the most events or alarms.
Top 20 Alarms

Displays the top 20 alarms based on the destination port.


273

274
RSAenVision Reports
McAfee VirusScan Enterprise Standard Reports

The Reports module includes the following standard reports for the McAfee VirusScan
Enterprise event source.
Top 20 infected systems

Displays the top 20 infected systems found on the network.
Top 20 Viruses Detected

Displays the top 20 viruses found on the network.

Lists all the detected viruses sorted by date and time.
275
McAfee Entercept Standard Reports

The Reports module includes the following standard reports for the McAfee Entercept
(Host Intrusion Prevention Server) event source.
Alarm Levels
Alarm Report
Lists alarms based on signature names, sorted by alarms and signature names.
Alarms by Hour
Alarms by Sensor
Alarms by Server
Displays the alarm count for each server.
Top 10 Alarm Signatures


276
RSAenVision Reports
Microsoft Exchange Server Standard Reports

The Reports module includes the following standard reports for the Microsoft Exchange
MS Exchange Exchange Error Condition

Displays all Exchange error events.
MS Exchange Failed Logins Attempts to Mailboxes

Displays failed logons to mailboxes in the Microsoft Exchange environment.
MS Exchange Failed Mailbox Creation/Deletion

Displays failed mailbox creation and deletion events.
MS Exchange Internet Traffic by E-mail Accounts

Displays the inbound and outbound Internet traffic to email accounts.
MS Exchange Logons to Mailbox with Administrator Privileges

Displays successful logons to mailboxes in the Microsoft Exchange environment by users
who have administrator privileges on the mailboxes.
MS Exchange Mailboxes with the most logon failures

Displays users responsible for the greatest number of failed logons.
MS Exchange Non-owner Mailbox Access

Displays users who connect to Exchange mailboxes apart from their primary user
accounts.
MS Exchange Successful Logons to Mailboxes

Displays successful logons to mailboxes in the Microsoft Exchange environment.
MS Exchange Top 10 E-mail Accounts Receiving Messages

Displays the 10 email accounts receiving the most messages.
MS Exchange 10 E-mail Accounts Receiving Messages Volume

Displays the 10 email accounts receiving the highest message volume.
MS Exchange Top 10 E-mail Accounts Sending Messages

Displays the 10 email accounts sending the most messages.
277
MS Exchange Top 10 E-mail Account Sending Messages Volume

Displays the 10 email accounts sending the highest message volume.
MS Exchange Top 10 Sender-Receiver Pairs

Displays top 10 pairs of email accounts sending messages to, and receiving messages
from, each other.
MS Exchange Top 10 Sender-Receiver Pairs within the Organization

Displays the 10 email accounts receiving the most messages.
MS Exchange Top 10 E-mail Accounts mailing most with the Internet

Displays the 10 email accounts responsible for the most Internet traffic.
MS Exchange Use of Send Privileges

Displays users who grant users permissions to send as privileges.
278
RSAenVision Reports
Microsoft Internet Information Services Standard

Reports
The Reports module includes the following standard reports for the Microsoft IIS event
source.
Access Denied Attempts (500)

Displays page access attempts that were denied over time. If multiple sites were chosen,
an additional runtime option is to select if the access denied attempts are displayed
cumulatively or comparatively.
Browser Versions
Displays the percentage of browser types to the sites selected.
Hits per Day

Displays the number of requested pages for the sites chosen during runtime. An additional
runtime option allows you to select whether you want the information for multiple sites
summed together or compared against each other.
Top 20 Page not Found (404)

Displays the top 20 requested files that were not found. If multiple sites were chosen at
runtime, the site from where the file was requested is also included in the report.
Top 20 Referring Domains

Displays the top 20 referring domains. If multiple sites are chosen at runtime, the name to
which the site is referred is also in the report.
Top 20 Referring Pages

Displays the top 20 referring URLs, as well as the number of referrals each URL
provided. If multiple sites are chosen at runtime, the name to which the site is referred is
also in the report.
Top 20 Requested Content

Displays a summary of the top 20 requests by the root level directory in which the file is
contained. This provides a summary of the most active areas of the web site. If there are
multiple sites chosen at runtime, the name of the site where the directory resides is also
in the report.
279
Top 20 Requested Pages

Displays a summary of the top 20 most requested pages for the sites chosen during
runtime. If multiple sites are chosen at runtime for this report, the name of the site from
which the requested page is served is also included in the report.
Top 20 Script Errors (501)

Displays the top 20 requested page and script error combinations. A page may appear on
this report multiple times if the page has multiple different script errors. If multiple sites
are chosen at runtime for inclusion in the report, the site on which the page resides is
included in the report.
Visitors per Day

Displays the number of unique IP addresses of visitors for the sites chosen during
runtime. An IP address is only counted the first time is appears during the chosen time
period.
280
RSAenVision Reports
Microsoft Internet Security and AccelerationServer

Standard Reports
The Reports module includes the following standard reports for the Microsoft ISA event
source.
For some device-specific reports, the class of the report changes when the event source
is updated to Content 2.0. In this case, the location of the report in the enVision UI also
changes.
For example, for Microsoft ISA, the Total Bytes by Client IP report is now also
included in the Security.Firewall class. In the enVision UI, the report moved as follows:
l
Location for standard content:

Reports > Ad Hoc Reports > Host > Web Logs > Microsoft Internet Security and
Acceleration Server > Total Bytes by Client IP
Locations for Content 2.0:

Reports > Ad Hoc Reports > Host > Web Logs > Microsoft Internet Security and
Acceleration Server > Total Bytes by Client IP
or
Reports > Ad Hoc Reports > Security > Firewall > Microsoft Internet Security
and Acceleration Server > Total Bytes by Client IP
If you update the event source to Content 2.0, you must run the report from its new
location.
281
Attacks
Note: For backwards compatibility, the report continues to exist in its previous location. However, once you update an event sou
Displays all of the attacks that were identified by the ISA Firewall Service.
Firewall Denied Connections

Displays the firewall denied connections recorded by the ISA Firewall Service.
Firewall Errors
Note: For backwards compatibility, the report continues to exist in its previous location. However, once you update an event sou
Displays the firewall error messages as recorded by the ISA Firewall Service.
Firewall Failed Connections

Displays the firewall failed connections as recorded by the ISA Firewall Service.
282
RSAenVision Reports
Firewall Successful Connections

Displays the firewall successful connections as recorded by the ISA Firewall Service.

Displays the total bytes of all connections associated to specific client IP addresses.
Total Duration by Client IP

Displays the total duration of all connections associated to specific client IP addresses.
283
Total Number of Connections by Domain Name

Displays the number of connections associated to each domain name during a given time period.
Total Number of Connections by Server IP

Displays number of connections associated to each server IP address during a given time period.
284
RSAenVision Reports
Microsoft Network Access Protection Standard

Reports
The Reports module includes the following standard reports for the Microsoft Network
Access Protection event source.
Details of Non-Compliant Requests Received

Displays details of the received requests..
Summary of Event Types

Displays a summary of the event types.
285
Microsoft System Center Configuration Manager

Standard Reports
The Reports module includes the following standard reports for Microsoft System Center
Configuration Manager event source.
All Enumerated Error or Warning Messages

Lists all messages from Microsoft System Center Configuration Manager with a severity
level of Error or Warning.
All Enumerated Messages

Lists all messages related to Microsoft System Center Configuration Manager.
286
RSAenVision Reports
Microsoft SQL Server Standard Reports

The Reports module includes the following standard reports for the Microsoft SQLServer
event source.
Audit Failed Logons

Displays all failed logon events to SQL Server systems captured by the trace tool.
Audit Logon/Logoff Events

Displays all logon and logoff events to SQL Server systems captured by the trace tool.
Configuration changes
Displays configuration changes made to SQL Server systems.
Database backups
Displays backup events from SQL Server systems.
Errors that can be corrected by a user

Displays all error conditions from SQL Server systems that can be corrected by a user.
Failed Logons
Displays all failed logons events to SQL Server systems.
Fatal Errors
Displays fatal errors from SQL Server systems.
Insufficient resources
Displays insufficient resources events from SQL Server systems.
Logon/Logoff Events
Displays all logons and logoff events to SQL Server systems.
Nonfatal Internal Errors

Displays nonfatal internal errors from SQL Server systems.
Object events
Displays object trace events from SQL Server systems.
287
Microsoft Windows Standard Reports

Microsoft Windows reports fall into the following categories:
l Account Management
l Application Errors
l Disk and Memory
l Files/Objects Access
l Filtering Platform
l Logon/Logoff
l Policy Changes and Audit Logs
l Restart/Shutdown
l Summary Reports
l Trend Reports
l User Activity
288
RSAenVision Reports
Microsoft Windows (Account Management) Standard

Reports
The Reports module includes the following standard reports for Windows.
Account Changes Details

Lists all account changes.
Account Changes Summary

Displays the number of account changes by event ID in descending order.
Computer Account Changes

Lists all computer account changes.
Global Group Account Changes

Lists all global group account changes.
Local Group Account Changes

Lists all local group account changes.
Universal Group Account Changes

Lists all universal group account changes.
User Group Account Changes

Lists all user account changes.
289
Microsoft Windows (Application Errors) Standard

Reports
Errors Reported by Dr. Watson

Lists errors reported by Dr. Watson.
Top 20 Application Errors

Displays the top 20 application errors collected from all Microsoft Windows servers.
Top 20 Errors-Logging Applications

Displays the top 20 applications logging application errors from all Microsoft Windows
servers.
290
RSAenVision Reports
Microsoft Windows (Disk and Memory) Standard

Reports
Bad Blocks
Lists system events reporting bad blocks.
Disk at Near Capacity

Lists system events reporting disk at near capacity.
Out of Virtual Memory

Lists system events reporting out of virtual memory.
291
Microsoft Windows (Files/Objects Access) Standard

Reports
Access to Files
Lists all files accessed in folders monitored for access auditing.
Registry Access
Lists all accesses to registry files and keys.
Write Access to System Files

Lists all files opened with write access rights in the system32 folder.
292
RSAenVision Reports
Microsoft Windows (Filtering Platform) Standard

Reports
Detected DoS Attacks

Lists network information when Windows Filtering Platform detects a DoS attack.
Packets Discarded Due To DoS Attack

Details information about packets blocked by Windows Filtering Platform.
Packets Blocked By Windows Filtering Platform

Lists the number of packets discarded due to DoS attacks.
293
Microsoft Windows (Logon/Logoff) Standard

Reports
Failed Logins
Lists all failed logon events including failure reason, user name, domain name, and
workstation.
Local Logins/Logouts by User

Lists all local logon and logoff activities. Sorted by user name.
Logins/Logouts by User
Lists all logon and logoff activities. Sorted by user name.
Logins/Logouts by User During Non-Business Hours

Lists all logon and logoff activities. Sorted by user name during non-business hours.
294
RSAenVision Reports
Microsoft Windows (Policy Changes and Audit Logs)

Standard Reports
Audit Log Cleared

Lists audit log cleared events.
Audit Log Full

Lists audit log is full events.
Audit Policy Changes

Lists all audit policy changes.
Policy Changes Details

Lists all policy changes events.
Policy Changes Summary

Displays the number of policy changes by event ID in descending order.
Trusted Domain Changes

Lists all trusted domain changes.
Trusted Domain Changes - Windows Server 2003

Lists all trusted domain changes for Windows Server 2003.
User Rights Changes - Windows Server 2008

Lists all user rights changes for Windows Server 2008.
User Rights Changes - Windows Server 2003

Lists all user rights changes for Windows Server 2003.
295
Microsoft Windows (Restart/Shutdown) Standard

Reports
System Restarts/Shutdowns
Lists all system restarts and shutdowns.
296
RSAenVision Reports
Microsoft Windows (Summary Reports) Standard

Reports
Application Log Activity per Computer

Displays the total count of application events per computer in descending order.
Application Log Activity per User

Displays the total count of application events per user in descending order.
Hyper-V Log Activity

Displays a table showing the total count of Hyper-V events in descending order.
Hyper-V Log Errors

Displays a table of Hyper-V error events in descending order.
Security Log Activity per Computer

Displays the total count of security events per computer in descending order.
Security Log Activity per User

Displays the total count of security events per user in descending order.
System Log Activity per Computer

Displays the total count of system events per computer in descending order.
297
Microsoft Windows (Trend Reports) Standard

Reports
The Reports module includes the following standard reports for the Windows event
sources.
Application Log Activity

Displays the number of application events over a specified period of time.
Security Account Login Activity

Displays the number of security account logon events over a specified period of time.
Security Account Management Activity

Displays the number of security account management events over a specified period of
time.
Security Detailed Tracking Activity

Displays the number of security detailed tracking events over a specified period of time.
Security Log Activity

Displays the number of security events over a specified period of time.
Security Login/Logout Activity

Displays the number of security logon/logoff events over a specified period of time.
Security Object Access Activity

Displays the number of security object access events over a specified period of time.
Security Policy Change Activity

Displays the number of security policy change events over a specified period of time.
Security Privilege Use Activity

Displays the number of security privilege use events over a specified period of time.
Security System Event Activity

Displays the number of security system events over a specified period of time.
System Log Activity

Displays the number of system events over a specified period of time.
298
RSAenVision Reports
Microsoft Windows (User Activity) Standard Reports

Account Locked Out

Lists all the accounts that are locked out.
Applications by Users
Lists applications running on computers over the network, sorted by user name.
Applications by Users Windows Server 2003

Lists applications running on computers over the network for Windows Server 2003,
sorted by user name.
Print Jobs by Users Summary

Summarizes print jobs by users, showing user name, number of print jobs, total pages,
and total bytes.
Privileged Activities by User

Lists activities involving the use of privileges, sorted by primary user name.
299
Microsoft Audit Collection Service Standard Reports

The Reports module includes the following standard reports for the Microsoft Audit
Collection Service event source.
System Events Report

A detailed report of all the System events, which include Normal Conditions, Errors,
Startup, Shutdown, Unusual Activity, Audit, Accounting, and so on.
System Policy Report

A detailed report of all Policy-related events.
User Activity Report

A detailed report of all the User Activities, which include Successful and Failed Logins,
Logoff, Normal user activities, File Access, and so on.
300
RSAenVision Reports
Microsoft Windows Server Update Service Standard

Reports
The Reports module includes the following standard reports for the Microsoft Windows
Server Update Service event source.
Failed Update Installation and Un-installation

Lists failed update installation and un-installation events.
Successful Update Installation and Un-installation

Lists successful update installation and un-installation events.
System Alert - Action Required

Lists alerts where action is required.
System Errors
Lists system errors.
301
MYSQL Server Standard Reports

The Reports module includes the following standard reports for the MYSQLServer event
source.
Overview of Performance
Displays events that concern the system performance of MYSQL Server.
Overview of Memory Usage

Displays events that concern the memory usage of the server.
Schema Changes
Displays all the schema changes done across the MYSQL Server.
302
RSAenVision Reports
Network Appliance Data ONTAP Standard Reports

The Reports module includes the following standard reports for the Network Appliance
Data ONTAP event source.
Checksum Error Events

Displays NetApp checksum errors.
Reboot Events
Displays all reboot events.
303
Network Appliance NetCache Standard Reports

The Reports module includes the following standard reports for the Network Appliance
NetCache event source.

Displays the top 100 requested URL strings for a given time period.

Displays the 20 client addresses that made the most connection requests over a specified
time period.

Displays the top 20 domains that were accessed through all monitored event sources.

Displays the top 20 root domains that were accessed through all monitored event sources.
Top 25 Client IP's by Total Bytes


Represents the total sent and received bytes, and displays a histogram of the traffic
Total Bytes Received by Cache Device

Displays the total bytes received grouped by cache event source.

Displays the total bytes received grouped by client event source.
Total Bytes Sent by Cache Device

Displays the total bytes sent grouped by cache event source.

Displays the total bytes sent grouped by client event source.
Total Bytes by Cache Device

Queries for total bytes passed and displays the data grouped by the cache event source
address.
304
RSAenVision Reports

Queries for total bytes passed and displays the data grouped by the client IP address.

Displays the total bytes for each connection, and displays the data. Sorted by domain.

Displays the number of connection requests displayed grouped by hour of day.

Queries for connection counts and groups the data by the HTTP success or failure code.
Administrators can use this report to see, by code, how many connections were
305
NetWitness NextGen Standard Reports

The Reports module includes the following standard reports for the NetWitness NextGen
event source.
Summary of Files transferred

Displays a summary of files transferred.
Top 10 Alerts
Displays the top 10 alerts.
306
RSAenVision Reports
NFR NIDS Standard Reports

The Reports module includes the following standard reports for the NFR NIDS event
source.

Displays alarms sorted by the destination IP address that generated the alarm.
Alarm Levels
Alarm Report
Displays alarms based on signature names, sorted by alarms and signature names.
Alarms by Category
Displays the total events in the database grouped by signature category.
Alarms by Hour

Top 20 Alarms

Displays the top 20 alarms based on the destination port.



Displays the 20 source IP addresses that have generated the most events or alarms from
the IDS sensors.
307
Nortel Alteon Switch Firewall Standard Reports

The Reports module includes the following standard reports for theNortel Alteon Switch
Firewall event source.
Restart Events
Lists all system restart events.
Session Failures
Lists all source addresses with which the switch has experienced a session failure and
the reason for the failure.
308
RSAenVision Reports
Nortel Contivity VPN Switch Standard Reports

The Reports module includes the following standard reports for the Nortel Contivity VPN
Switch event source.
Admin User Connections

Displays a graph showing the number of both successful and denied administrator
connections.
Authentication Errors by Address

Displays authentication errors between the VPN event source and the remote event
source. These errors can be indicative of misconfigured VPN event sources.
Failed Login Attempts by Username

Displays a graph of failed logon attempts by user name.
OSPF modifications by VPN

Displays the OSPF modifications made.
Percent Failed Connections

Displays failed message IDs and counts.
Successful Connections by Method

Queries for successful authentication messages and displays the number of successful
authentications by authentication method.
Successful Connections by Username

Queries for successful connection messages and displays a count of connections by user
name.
System Errors by Device

Queries for events associated with system errors or failures and displays message_ID
counts by VPN event source.
309
Nortel Passport 8600 Routing Switch Standard

Reports
The Reports module includes the following standard reports for the Nortel Passport 8600
Routing Switch event source.
Authentications Failures by Device Address

Lists the failed authentications that occurred during the requested time period grouped by
event source address.

Lists the failed logon attempts.
Total Authentication Failures by Device Address

Displays the total number of authentication failures that occurred during the requested
time period grouped by event source address.
310
RSAenVision Reports
Oracle Identity Manager Standard Reports

The Reports module includes the following standard reports for the Oracle Identity
Manager event source.
Audit Group Membership Changes

Gives an overview of the group membership of the users, for example, who belongs to the
Manager category and who belongs to the general category, All Users.
Audit Resource Updates

Gives an overview of the kinds of resources with which a user has been privileged, for
example, VPN access, Safeboot account, and Active Directory.
Audit User Profile Changes

Gives details of the changes done to the user profile, for example, name, address, and
other administrative details.
Overview of users created and deleted

Gives an overview of the current and past users in the organization and their names..
311
Oracle Standard Reports

The Reports module includes the following standard reports for the Oracle event source.
Audit Details by Action

Displays detailed audit actions sorted by action.
Audit Details by Database Process ID

Displays detailed audit actions sorted by database process ID.
Audit Details by System

Displays detailed audit actions sorted by system name.
Audit Details by User

Displays detailed audit actions sorted by user name.
Audit Details Based on Username

Lists Oracle audit details sorted by username.
Audit Details Based on Username and Privilege

Lists Oracle audit details sorted by username and privileges.
312
RSAenVision Reports
Palo Alto Networks Enterprise Firewall Standard

Reports
The Reports module includes the following standard reports for the Palo Alto Networks
Enterprise Firewall event source.
Blocked URL Events

Lists blocked URLs by source and destination address, rule, and category.
Lists the configuration changes by event category.
Denied Traffic by Address

Lists all denied traffic by source and destination address.
Denied Traffic by Port

Lists all denied traffic by source and destination ports.
Successful Logins and Logouts

Lists all successful logons and logoffs.
313
RSA Authentication Manager and User Credential

Manager Standard Reports
The Reports module includes the following standard reports for the Authentication
Manager and User Credential Manager event source.
Bad PINGood Tokencode Count

This report tracks how frequently a user enters an incorrect PIN during an authentication
attempt.
Bad PIN Previous Tokencode Count

A user authenticates, then maybe mistypes the PINduring the second authentication
attempt before the tokencode changes. This report tracks these events.
Bad Tokencode Good PIN Count

A user may enter a good PIN,but accidentally enter the incorrect tokencode during an
authentication attempt. This report tracks these events.
Cleared PINs Count

This report can be used to track how frequently PINs are being cleared.
Deleted Agent Hosts

Displays any agent hosts deleted from the existing users in the database over a specified
time period.
Excessive Failed Authentications Outside Business Hours

This report displays all failed authentication messages within your defined time range.
This report can be used to identify failed logons beyond business hours.

Displays all of the failed authentication attempts by user name.
Failed Authentication Count

Displays the number of failed authentication attempts.
Group Modifications
Displays any modifications to the existing groups in the database over a specified time
period.
314
RSAenVision Reports
New Agent Hosts

Displays any new agent hosts added to the existing users in the database over a specified
time period.
New Groups Added

Displays all of the new groups added to the database over a specified time period.
New Users Added

Displays all of the new users added to the database over a specified time period.
Next Tokencode Mode Activated Count

Displays a count of the times that the Next Tokencode Mode is activated.
Next Tokencode Requested Count

Displays a count of the times that a next tokencode is requested.
Passcode Reuse Count

A user may accidentally enter the same password on two separate authentication
attempts. This report tracks these events.

Displays all of the successful authentication attempts by user name.
Token Disabled Count

This report displays the number ofdisabled tokens.
User Lockout Count

This report displays the number of users that have been locked out due to failed
authentications.
User Modification
Displays any modifications to the existing users in the database over a specified time
period.
315
RSA Adaptive Authentication (Hosted) Standard

Reports
The Reports module includes the following standard reports for the RSA Adaptive
Authentication (Hosted)RSA Adaptive Authentication (Hosted) event source.
Back Office Operator Activities

This report summarizes the activities of the back office operators as reported by the RSA
Adaptive Authentication (Hosted) event source.
Cases Summary
This report summarizes the different types of cases, as reported by the RSA Adaptive
Auth (Hosted) event source.
Failed Login Details

This report details all the attempted logins that failed for the duration specified.
316
RSAenVision Reports
RSA Adaptive Authentication (OnPrem) Standard

Reports
The Reports module includes the following standard reports for the RSA Adaptive
Authentication (OnPrem) event source.
Audit Event Type Statistics

Lists all generated audit event types, including event type name and count.
Device High Risks Event Statistics

Lists the event source high risk statistics.
Device ID Created Event Statistics

Lists the number of device IDs created.
Risk Score Event Statistics

Lists the risk score.
User Challenged Event Statistics

Lists the number of user-challenged event types.
User Locked Out Event Statistics

Lists the number of users that have been locked out.
User Sign In Event Statistics

Lists the number of user sign-ins.
317
RSA SecurID Standard Reports

The Reports module includes the following standard reports for the RSA SecurID event
source.
Deleted Agent Hosts

Displays any new agent hosts deleted from the existing users in the database over a

Displays all of the failed authentication attempts by user name.
Group Modifications
Displays any modifications to the existing groups in the database over a specified time
period.
New Agent Hosts

Displays any new agent hosts added to the existing users in the database over a specified
time period.
New Groups Added

Displays all of the new groups added to the database over a specified time period.
New Users Added

Displays all of the new users added to the database over a specified time period.

Displays all of the successful authentication attempts by user name.
User Modifications
Displays any modifications to the existing users in the database over a specified time
period.
318
RSAenVision Reports
Safend Protector Standard Reports

The Reports module includes the following standard reports for the Safend Protector
event source.
Safend Protector Summary Report

Summarizes server and client messages.
319
SafeStone DetectIT Standard Reports

The Reports module includes the following standard reports for the SafeStone DetectIT
event source.
System Configuration detailed report

Details all of the system configuration related events
System Health detailed report

Details all of the System events, including Normal Conditions, Errors, Startup, Shutdown,
Unusual Activity, and Audit Accounting.
User Activity detailed report

Details all User Activity.
320
RSAenVision Reports
SECUDESecurity Intelligence Standard Reports

The Reports module includes the following standard reports for the SECUDESecurity
Intelligence event source.
Document Change Logs

Displays logs of changes that have been made on tables and the corresponding
information.
Failed Logins and Disabled User Accounts

Lists failed login attempts and user accounts disabled for various reasons.
Operating System Errors

Lists OS Call Errors and other Error Logs.
Privileged Access Failures

Lists Privileged Access denied and similar events.
Security Audit Log Errors

Lists Transactional, Reporting and other errors in Security Audit Logs.
Software Errors
Lists Software Errors logged by SECUDE SI.
System Alerts
Lists System Alerts that need to be investigated.
System Heartbeat Errors

Shows Heartbeat Errors logged.
User Management Activity

Lists user creation, deletion, modifications, and so on.
321
McAfee Firewall Enterprise Standard Reports

The Reports module includes the following standard reports for the McAfee Firewall
Enterprise (formerly named Secure Computing Sidewinder G2 Security Appliance)
event source.
Lists configuration change messages. Sorted by date and time.
Failed Authentication
Lists failed authentication messages.
Hardware Failure
Lists hardware failure messages.
Software Failure
Lists software failure messages.
Successful Authentication
Lists successful authentication information.
Successful Connections
Lists successful connection information.
URL Requests by Source Address

Lists URL requests summarized by each source address. Sorted by source address and
number of requests.
322
RSAenVision Reports
SNORT Standard Reports

The Reports module includes the following standard reports for the SNORTevent source.

Lists alarms sorted by the destination IP address that generated the alarm.
Alarm Levels
Alarm Report
Lists alarms based on signature names. Sorted by alarms and signature names.
Alarms by Hour
Alarms by Sensor

Displays the alarm count for each sensor event source.
Top 10 Alarm Signatures

Lists the top 10 alarms that have been generated by signature name.

Lists the top 10 destination IP addresses that have been targeted for attack.

Lists the 10 source-destination pairs that have generated the most alarms.

323
Solsoft NP Standard Reports

The Reports module includes the following standard reports for the Solsoft NP event
source.
Configuration Compares by Device

Displays the results of comparisons of event source configurations.
Configuration Rollbacks by Device

Displays event sources that were rolled back to the original configuration.
Failed Logins by Usernames

Displays all failed logon attempts by individual users.
Newly Generated Configurations by Project

Displays configurations that were generated by project ID, version, and user name.
Results of Configuration Uploads by Device

Displays event sources that were uploaded with new configurations and the results of the
upload.
Successful Logins by Usernames

Displays all successful logon attempts by individual users.
324
RSAenVision Reports
Sun Solaris BSM Standard Reports

The Reports module includes the following standard reports for the Sun Solaris BSM
event source.
Event Audit by Content

Lists all events containing a particular string, sorted by date and time.
Event Details by Audit Event Type

Lists all events for a particular audit event type, sorted by date and time.
Event Details by Audit Events

Lists all events for a particular audit event type, sorted by date and time. Select the audit
event type before running the report.
Event Inventory
Lists all event types collected, sorted by count.
Kernel-Level Events
Lists all Kernel-Level events generated by system calls.
Note: This report is deprecated. Use the Kernel-Level Events by System report
instead.
Kernel-Level Events by System

Lists all Kernel-Level events generated by system calls.
Login and Logout Activity

Lists all logon and logoff activity for a particular user, sorted by date and time.
Permission Changes
Lists all permission changes by a process or user.
Privileged Operations
Lists all privilege capabilities or role-based access control.
Startup, Shutdown, Reboot and Halt

Lists all startup, shutdown, reboot, and halt audit events.
325
Super User Events

Lists all super user events.
User-Level Events
Lists user-level events generated by application software.
326
RSAenVision Reports
Sun Solaris Standard Reports

The Reports module includes the following standard reports for the Sun Solaris event
source.

Displays users who attempted to switch user to "root" and were denied.
Percentage of Connections by Service

Queries for messages with a message ID of 317013 and counts them, sorted by agent or
service. This message is created by the inetd daemon and logs all connections by service,
such as logon, ftp, or telnet.
Super User Access

Queries for messages with message ID of 366847:01 and displays which users switched
user to "root" and at what time.
Total Connections by Foreign Address

Note: The name for this report under the Content 2.0 schema is Total Connections by
Source Address.
Displays the total connections by source address.
Total Connections by Port

Displays the total number of connections grouped by port number.
Compliance Reports
The following compliance reports will yield different results if you apply the Content 2.0
update of the Sun Solaris event source:
FISMA - Unsuccessful Login Attempts

FISMA - Unsuccessful Login Summary
PCI / All Actions by Individuals with Root or Administrative Privileges - Unix & Linux
PCI - Initialization of Audit Logs
PCI - Administrative Privilege Escalation - Unix & Linux
327
Sybase ASE Standard Reports

The Reports module includes the following standard reports for the Sybase ASE event
source.
Audit Details Based on Username

Lists Sybase ASE audit details by user name.
Audit Details Based on Username and Role

Lists Sybase ASE audit details by user name and role.
328
RSAenVision Reports
Symantec Antivirus Corporate Edition Standard

Reports
The Reports module includes the following standard reports for the Symantec Antivirus
Corporate Edition event source.
Top Infected Systems

Displays the top 20 systems detected with viruses.
Top Viruses Detected

Displays the top 20 viruses detected.

Displays all detected viruses. Sorted by date and time.
329
Symantec Enterprise Firewall Standard Reports

The Reports module includes the following standard reports for Symantec Enterprise
Firewall event source.

Displays bandwidth usage by address sorted by byte count.
Bandwidth Usage by Address Tabular

Displays bandwidth usage by address sorted by byte count.
Bytes Received by Address

Summarizes received bandwidth by address sorted by byte count in a table.
Bytes Sent by Address

Summarizes transmitted bandwidth usage by address sorted by byte count.
FTP Destinations
Summarizes FTP activity to foreign addresses by the number of requests.
HTTP Destinations
Summarizes HTTP activity to foreign addresses by the number of requests.

Summarizes FTP requests to foreign addresses by the number of requests.
Top HTTP Destinations

Summarizes HTTP requests to foreign addresses by the number of requests.
330
RSAenVision Reports
Symantec Enterprise Firewall (VPN) Standard

Reports
The Reports module includes the following standard reports for the Symantec Enterprise
Firewall (VPN) event source.
Dropped Packets
Displays information about packets that were dropped by the gateway.
Packet Errors Detected

Displays errors that were discovered in a VPN packet with the specified source and
destination address.
331
Symantec Intruder Alert Standard Reports

The Reports module includes the following standard reports for the Symantec Intruder
Alert event source.
Symantec Intruder Alert - Top 10 Policy Violations

Lists the top 10 policy violations detected by Symantec Intruder Alert.
Symantec Intruder Alert - Top 10 Rules

Lists the top 10 rules detected by Symantec Intruder Alert.
Symantec Intruder Alert - Top 10 Sensors

Lists the top 10 sensors generating alerts detected by Symantec Intruder Alert.
Symantec Intruder Alert Detailed Alert Report

Displays detailed information for the last 100 alerts generated by Symantec Intruder
Alert.
332
RSAenVision Reports
Symantec Network Security (SNS) Standard Reports

The Reports module includes the following standard reports for the Symantec Network
Security (SNS) event source.
Destinations for Specific Source IP Address

Lists the destination for a specific source IP address for a given time period.
Event List by Reporting Device

Lists events by reporting event source.
Event List for Destination IP Address

Displays the event list for destination IP address for a given time period.
Event List for Source IP Address

Displays the event list for source IP address for a given time period.
Events per Day

Displays the number of events per day for a given time period.
Events per Hour

Displays the number of events per hour for a given time period.
Incidents per Day

Displays the number of incidents per day for a given time period.
Incidents per Hour

Displays the number of incidents per hour for a given time period.
Number of Events by IP Protocol

Displays the number of events by IP protocol.
Number of Events by Reporting Device

Displays the number of events by a reporting event source.
Specific Event for all Source IP Addresses

Displays the specific events list for all source IP addresses for a given time period.
Top 20 Event Destinations

Displays the top 20 event destinations for a given time period.
333
Top 20 Event Sources

Displays the top 20 event sources for a given time period.
Top 20 Event Types

Displays the top 20 event types for a given time period.
334
RSAenVision Reports
TippingPoint UnityOne Standard Reports

The Reports module includes the following standard reports for the TippingPoint
UnityOne event source.

Displays a count of all attacks grouped by the destination address field. Administrators
can use this report to see which event sources are routinely being attacked.

Displays a count of all attacks grouped by the destination port field. Administrators can
use this report to see which network services are routinely being attacked.

Displays a count of all attacks grouped by the sensor field. Administrators can use this
report to see which sensors are detecting the most attacks and, based on sensor
deployment, which areas of the network are routinely being attacked.

Displays a count of all attacks grouped by the source address field.

Displays a count of all attacks grouped by hour of detection. Administrators can use this
report to see patterns in attacks based upon time of day.
335
Top Layer Attack Mitigator Standard Reports

The Reports module includes the following standard reports for the Top Layer Attack
Mitigator event source.
Attack Events information

Displays recent attack signatures, including attack time, attack signature, source and
destination protocol, source and destination addresses, disposition of attack, top layer
device type, message information, threat level, circuit number, and origin of attack.
Top 25 Client IPs by Bytes Sent

Displays the top 25 client IP addresses that passed traffic and the total bytes sent (cbtx)
by each.
Top 25 Server IPs by Bytes Sent

Displays the top 25 server IP addresses that passed traffic and the total bytes sent (sbtx)
by each.
Top Protocols by Total Traffic

Displays the total traffic passed grouped by the protocols of the connections.
Total Attacks by Attack Signature

Displays the totals of attack events grouped by attack signature.
Total Attacks by Origin

Displays the totals of attack event grouped by source identifier. Use this report to view
the number of recognized attacks by source origin, either outside or inside your network.
Total Attacks by Source Address

Displays the totals of attack events grouped by source address.

Displays the total bytes by user name.
336
RSAenVision Reports
Top Layer Secure Edge Controller Standard Reports

The Reports module includes the following standard reports for the Top Layer Secure
Edge Controller event source.
Detailed Remote Access Events

Displays detailed information about successful remote access connections by user name.
Top 20 Users by Total Connections

Queries for connection messages and displays the tally grouped by user name.

Queries for accounting information and displays a tally grouped by user name.
Total Traffic Passed By Device Address

Queries for total kbytes passed and displays the results sorted by event source address.
Total Traffic Passed by VLAN

Displays traffic levels sorted by VLANs. Administrators can use this report to get a high
level view of how individual segments of the network are performing.
Total Traffic by Product Type

Queries for byte transfer information and displays the results summed by product type.
337
Trend Micro Deep Security Standard Reports

The Reports module includes the following standard reports for the Trend Micro Deep
Security event source.
Summary Report
Lists all events by event time.
338
RSAenVision Reports
Trend Micro OfficeScan Standard Reports

The Reports module includes the following standard reports for the Trend Micro
OfficeScan event source.
Top Infected Systems

Displays the top 20 systems detected with viruses.
Top Viruses Detected

Displays the top 20 viruses detected.

Displays all detected viruses sorted by date and time.
Virus Outbreaks Details

Displays all virus outbreaks sorted by date and time.
339
Tripwire Enterprise Standard Reports

The Reports module includes the following standard reports for the Tripwire Enterprise
event source.
Node Change Rates

Lists the nodes with detected changes sorted by time of change occurrence.
Node Change Rates by Severity

Lists the nodes with detected changes sorted by detected severity.
Node Change Rates by Date/Time

Lists changes detected sorted by frequency of occurrence.
System Access
Lists user logons and logoffs.
340
RSAenVision Reports
VMware View Standard Reports

The Reports module includes the following standard reports for the VMware View event
source.
Desktop Connection Events

Displays desktop connection events.
Desktop Management Events

Displays desktop management events.

Displays failed authentication attempts.
User Login Events

Displays user login events.
341
VMware vShield Standard Reports

The Reports module includes the following standard reports for the VMware vShield
event source.
Lists configuration change messages from VMware vShield.
Firewall Events
Lists the firewall events in VMware vShield.
342
RSAenVision Reports
Websense Web Security Standard Reports

The Reports module includes the following standard reports for the Websense Web
Security event source.
Blocked URLs Details

Displays all the information related to blocked URL access.
Top 20 Blocked Categories

Displays the top 20 blocked categories of web sites.
Top 20 Blocked Users

Displays the top 20 blocked users.
Top 20 Categories
Displays the top 20 categories of web sites.
Top 20 Visited Domains

Displays the top 20 visited root domains.
343

RSA enVision includes reports that focus on mitigating insider threats.
Insider Threat Mitigation Standard Reports
Unix and Database Insider Threat Mitigation Reports
Windows Insider Threat Mitigation Reports
345
346
358
344
RSAenVision Reports
Insider Threat Mitigation Standard Reports

The Reports module includes the following standard system reports for insider threats.
AIX - Run All Bind Report

This is a package to run all AIX reports for a given time span.
HPUX/Free BSD - Run All Bind Report

This is a package to run all HP-UX or FreeBSDreports for a given time span.
MacOSX- Run All Bind Report

This is a package to run all Mac OS X reports for a given time span.
Oracle Database Audit Details Bind Report

This is a package to run Oracle Audit reports.
Solaris BSM - Run All Bind Report

This is a package to run all Solaris BSMreports for a given time span.
Sybase ASE- Database Audit Details

This is a package to run Sybase Adaptive Server Enterprise Audit reports.
Windows - Run All Bind Report

Windows bind report for insider threats.
345
Unix and Database Insider Threat Mitigation Reports

There is a constant need for businesses to change strategies, add resources, modify their
business models, and take immediate action to meet the different requirements of the
current market. Factors such as inadvertent employee error, laptop theft, contractors
unauthorized access to information, disgruntled employees, and password
mismanagement can lead to drastic revenue loss, legal liabilities, diminished productivity,
and brand erosion. A collection of such scenarios is called an Internal Threat Model, and
this document outlines the need to mitigate such threat.
The IT departments of many large organizations are faced with the challenging task of
detecting and preventing insider threats, which pose one of the biggest security concerns
to organizations.
This document focuses on the following report types:
l Unix Reports
l
Database Reports
Unix Reports
These reports were collected for the following:
l Unix AIX
l
Mac OS X
HP-UX
Solaris Basic Security Module (BSM)
AIX Failed Logon Attempts by Username

Report Name
Description
Input Parameters
Result Set
AIX- Failed Logon Attempts by Username

This report displays the Failed Login attempts of all users.
Enter the desired user name to span across all events for the same, or leave
blank to get all such events.
system that generated it..
l
Device Address IP address of the event source that sent the event to
enVision.
UserName Account name.
Agent Logon service or method used.
Reason Reason for the failed logon attempt.
346
RSAenVision Reports
AIX Failed Super User Attempts by Username

Report Name
Description
Input Parameters
Result Set
AIX- Failed Super User Attempts by Username

This report displays a list of denied user attempts to Switch User to root.
l
enVision.
Action Action taken or proposed to be taken.
AIX Super User Access by Username

Report Name
Description
Input Parameters
Result Set
AIX- Super User Access by Username

This report displays a list of successful Switch User escalation to root
l
enVision.
Mac OSX User Action Audit by Username

Report Name
Description
Input Parameters
Result Set
347
Mac OSX User Action Audit by Username

This report lists all user actions linked to their usernames.
l
enVision.
Reason Reason for the above status.
Mac OSX Failed Authentication Attempts

Report Name
Description
Mac OSX Failed Authentication Attempts

This report displays failed authentication or privilege switch attempts by all
users.
Result Set
enVision.
Mac OSX Successful Authentication Attempts

Report Name
Description
Result Set
Mac OSX Successful Authentication Attempts

This report displays failed authentication or privilege switch attempts by all
users.
l
enVision.
Reason The reason for the above status.
348
RSAenVision Reports
HPUX/FreeBSD Super Access by Username

Report Name
Description
Input Parameters
Result Set
HPUX/FreeBSD Super Access by Username

This report displays all super user authentication attempts, the result of the
attempts, and the user names associated with the attempts.
Enter the desired user name to span across all the same events, or leave blank to
get all events.
l
enVision.
Message ID
Solaris BSM Event Audit by Content

Report Name
Description
Input Parameters
Result Set
349
Solaris BSM Event Audit by Content

This report shows a list of all events containing a particular string, sorted by
date and time.
Enter a user name, group name, server, command, path, process ID, or action
type in the Runtime parameters field. You can then run the report
system that generated it.
l
enVision.
Interface Device interface name.
MessageID
Action Performed
Information Information about the object on which the action above is

performed.
Solaris BSM Event Details by Audit Event Type

Report Name
Description
Solaris BSM Event Details by Audit Event Type

This report shows a list of all events for a particular audit event type, sorted by
date and time.
Select the audit event type from the drop-down list before running the report.
Input Parameters
Result Set
enVision.
Message ID
Real User ID Logon ID
Effective User ID Current assumed logon in the system.

performed.
Status Status of the permission change.
Solaris BSM Kernel-Level Events

Report Name
Description
Result Set
Solaris BSM Kernel-Level Events

Kernel-Level events generated by system calls.
l
enVision.
Message ID
Real User ID Logon ID

performed.
350
RSAenVision Reports
Solaris BSM Login and Logout Activity

Report Name
Description
Input Parameters
Result Set
Solaris BSM Login and Logout Activity

This report shows a list of all logon and logout activity for a particular user,
Enter a username in the Runtime parameters field.
l
enVision.
Host Name Name of the machine running Solaris.
Interface Client interface.
Message ID
Solaris BSM Permission Changes

Report Name
Description
Result Set
351
Solaris BSM Permission Changes

This report shows a list of all logon and logout activity for a particular user,
l
enVision.
Message ID
Real User ID Logon ID.
Group Group to switch the settings.
Information Information about the object accessed by the user after the
permission changes.
Result Result (error) string.
Solaris BSM Privileged Operations

Report Name
Description
Result Set
Solaris BSM Privileged Operations

Use of Privilege Capabilities or Role-Based Access Control.
l
enVision.
Message ID
Real User ID Logon ID.
Solaris BSM Startup, Shutdown, Reboot, and Halt

Report Name
Description
Result Set
Solaris BSM Startup, Shutdown, Reboot, and Halt

Startup,Shutdown,Reboot,Halt Audit events by users with group information.
l
enVision.
Message ID
Group Group to which the user belongs.
Solaris BSM Super User Events

Report Name
Description
Result Set
Solaris BSM Super User Events

List of all events generated by escalation only to a super user
l
enVision.
Message ID
352
RSAenVision Reports
Solaris BSM User-Level Events

Report Name
Description
Result Set
Solaris BSM User-Level Events

User-Level events generated by application software or users
l
enVision.
Message ID
Reason Reason associated with the status.
Database Reports
BIND Reports
These reports only work with Windows Server 2003 events collected by the following :
1. Oracle Database Audit Details Bind Report: This report binds the following Oracle
reports:
l
l
Oracle Audit details based on Username

Oracle Audit details based on Username and Privilege
The bind report should be scheduled based on your environment using the Scheduled Reports
Tab under Reports in the RSA enVision user interface.
2. Sybase ASE Database Audit Details Bind Report: This report binds the following
Sybase ASEreports:
l
l
Sybase ASE Audit details based on Username

Sybase ASE Audit details based on Username and Role
The bind report should be scheduled based on your environment using the Scheduled Reports
Tab under Reports in the RSA enVision user interface.
353
Oracle Audit Details Based on Username

Report Name
Description
Device Group
Input Parameters
Result Set
Oracle Audit Details Based on Username

This report lists all database activities by a user, sorted by event time. It looks
at all the event IDs within the Oracle XML.
Select or create and device group which has the device ORACLE only, as the
report will run on all the devices that you select within the device group.
l Database Username Username with which the user accessed the Oracle
database. The default value is null.
l
OS Username Operating system logon username of the user whose actions

were audited. The default value is null.
Starting from hour Displays all records starting from this hour of the day,
possible values range from 0 to 23. The default value is 0.
Until hour Displays all records until this hour of the day, possible values
range from 0 to 23. The default value is 23.
The Database username and the OS Username are joined by an OR clause

within the SQL query. If you are searching for records based on one field,
then the other field should not be left blank. Oracle logs leave a blank if the
field is not populated. Make sure you put a default value such as null in
the other field.
EventTime Date or time of the occurrence of the event as recorded by the
UserName Database username.
OS UserName Operating system logon username of the user whose actions

were audited.
Privilege Privilege level or attributes used.
System Name Name of the system.
Object Creator- Creator of the object affected. by the action.
Operating System Name of the operating system.
Object Name Name of the object.
Oracle Version
Node Name Name of the node.
Instance Name Name of the instance.
DatabaseProcessID Process ID for the database server where this is not

the main process ID that is shown within a single event.
User Host Name - Client host machine name.
354
RSAenVision Reports
Oracle Audit Details Based on Username and Privilege

Report Name
Description
Device Group
Input Parameters
Result Set
355
Oracle Audit Details Based on Username and Privilege

at all the event IDs within the Oracle XML.
Select or create and device group which has the device ORACLE only, as the
report will run on all the devices that you select within the device group.
l Database UserName - Username with which the user accessed the Oracle
database. The default value is null.
l
OS UserName - Operating system logon username of the user whose actions

were audited. The default value is null.
Starting from hour - Displays all records starting from this hour of the day,
Until hour - Displays all records until this hour of the day, possible values
The Database username and the OS Username are joined by an OR clause

within the SQL query. If you are searching for records based on one field,
then the other field should not be left blank. Oracle logs leave a blank if the
field is not populated. Make sure you put a default value such as null in
the other field.
UserName Database username.
OS UserName Operating system logon username of the user whose

actions were audited.
Privilege
System Name Name of the system.
Object Creator- Creator of the object affected. by the action.
Operating System Name of the operating system.
Oracle Version
Node Name Name of the node.
Instance Name Name of the instance.

User Host Name - Client host machine name.
Sybase ASE Audit Details Based on Username

Report Name
Description
Device Group
Input Parameters
Result Set
Sybase ASE Audit Details Based on Username

at all the event IDs within the Sybase ASE XML.
Select or create and device group which has the device Sybase ASE only, as
the report will run on all the devices that you select within the device group.
l Database UserName Database user name.
l
UserName Logon name corresponding to LogonSid.
LogonSid Server logon ID of the user who performed the audited event.
DatabaseName Database name.

Node Name Server Node ID in a cluster where the event occurred.
Roles
Mode Indicates whether or not the event in question passed permission

checks.
Object Owner
356
RSAenVision Reports
Sybase ASE Audit Details Based on Username and Role

Report Name
Description
Device Group
Input Parameters
Result Set
357
Sybase ASE Audit Details Based on Username and Role

at all the event IDs within the Sybase ASE XML.
Select or create and device group which has the device Sybase ASE only, as
the report will run on all the devices that you select within the device group.
l Database Username Database user name.
l
Role Roles that the user has.
UserName Logon name corresponding to LogonSid.
LogonSid Server logon ID of the user who performed the audited event.
DatabaseName Database name.

Node Name Server Node ID in a cluster where the event occurred.
Roles
Mode Indicates whether or not the event in question passed permission

checks.
Object Owner

There is constant need for businesses to change strategies, add resources, modify their
business models, and take immediate action to meet the different requirements of the
current market. Factors such as inadvertent employee error, laptop theft, contractors
unauthorized access to information, disgruntled employees, and password
mismanagement can lead to drastic revenue loss, legal liabilities, diminished productivity,
and brand erosion. A collection of such scenarios is called an Internal Threat Model, and
this document outlines the need to mitigate such threat.
The IT departments of many large organizations are faced with the challenging task of
detecting and preventing insider threats, which pose one of the biggest security concerns
to organizations.
This set of collected by the following :
l NICAgentless
l
InterSect Alliance SNARE BackLog
InterSect Alliance SNARE
Adiscon EventReporter
Refer to RSA SecurCare Online for the different versions of Windows currently
supported by RSA enVision.
Every report has its own set of input parameters that can be used to show only records
that meet a certain criteria. The input parameters fall into three categories:
l Time fields: Each report has two fields, Starting from hour and Until hour that help
define a time range for the result set. Possible values for these fields range from 0 to
23. For example, to find all failed logon attempts between 4:00 PM and 10 PM, enter
16 in the Starting from hour field and 22 in the Until hour field.
l
Test fields: For these fields, you can use wild cards to help you limit the result set to
show only records of interest. For example, to find all file access attempts by user
Administrator, you can enter Admin% or simply enter Administrator.
Note: A value of % will return all file access attempts by all users.
Drop-down lists: If you already have watch lists on your enVision server, then they
will be included in the drop-down lists. Otherwise, you need to create new ones based
on the report itself. For example, you may need to create a watch list for
administrative users that have values like: Admin or Administrator. For more
information on creating new watch lists or updating existing ones, refer to the enVision
Help.
All reports query the Windows Accounting table.
358
RSAenVision Reports
Note: All Windows reports are found in the report, Windows - Run All Bind Report.

l
Windows - Computer Account Changes
Windows - Computer Account Changes - Windows Server 2003
Windows - User Group Account Changes
Windows - User Group Account Changes - Windows Server 2003
Windows - Access to Files
Windows - Registry Access
Windows - Logons/logoffs by User During Non-Business Hours
Windows - User Rights Changes
Windows - User Rights Changes - Windows Server 2003
Windows - Access to Files by Administrators
Windows - Applications by Administrative Users
Windows - Account Locked Out
Windows - Applications by Users
Windows - Applications by Users - Windows Server 2003
Windows - Privileged Activities by User

Description
Input Parameters
Result Set
Meaning
359

This report shows a list of all computer account changes.
It checks for the following Microsoft-Windows-Security-Auditing event IDs: 4741, 4742 and
4743.
l Changes Made by User: User who made the changes
l
Starting from Hour: Show all records starting from this hour of the day
l
l
Until Hour: Show all records until this hour of the day
Date/Time
Target User Name
Computer
Action
EventID
Event Type
Windows - Computer Account Changes - WindowsServer 2003

Windows - Computer Account Changes - Windows Server 2003
Description
This report shows a list of all computer account changes. This report works only for Windows
Server 2003 and earlier. It checks for the following Security event IDs: 645, 646 and 647.
Input Parameters l Changes Made by User: User who made the changes
Result Set
Meaning
l
l
Date/Time
Target User Name
Computer
Action
EventID
Event Type

Description
Input
Parameters
Result Set
Meaning

This report shows a list of all user account changes. It checks for the following MicrosoftWindows-Security-Auditing event IDs: 4720, 4726 and 4738.
l Changes Made by User: User who made the changes
l
l
l
Date/Time
Target User Name
Computer
Action
EventID
Event Type

Description
This report shows a list of all user account changes. This report works only for Windows
Server 2003 and earlier. It checks for the following Security event IDs: 624, 630 and 642.
Input Parameters l Changes Made by User: User who made the changes
Result Set
Date/Time
360
RSAenVision Reports
Meaning

Target User Name
Computer
Action
EventID
Event Type

Description This report shows a list of all files accessed in folders monitored for access auditing. It checks for the
following Security event ID 560 and Microsoft-Windows-Security-Auditing 4565.
Input
l User: User who accessed the file.
Parameters
l Starting from Hour: Show all records starting from this hour of the day
l
Result Set
Meaning
Date/Time
Primary Domain Name: For Windows Server 2003, it will indicate the domain of the user when
the object is opened locally
Primary User Name: For Windows Server 2003, it will indicate the user when the object is
opened locally
Client Domain: For Windows Server 2003, it will indicate the domain of the user when the
object is opened remotely
Client User Name: For Windows Server 2003, it will indicate the user when the object is
opened remotely
Event Type
Name: Name of the object being accessed
Accesses
Privileges
AdditionalInfo1

Description This report shows a list of all accesses to registry files and keys. It checks for the following Security
event IDs: 560, 561, 562, 563, 564, 565 and 566. It also checks for the following MicrosoftWindows-Security-Auditing: 4656, 4657, 4658, 4659, 4660, 4661, 4662, 5136 and 5137.
Input
l User: User who made the changes to the registry
Parameters
l
361

Result Set
Meaning
Date/Time
Event ID
Event
Name: Modified registry key/value
Primary Domain Name: For Windows Server 2003, it will indicate the domain of the user when
the changes are done locally
Primary User Name: For Windows Server 2003, it will indicate the user when changes are done
locally
Client Domain: For Windows Server 2003, it will indicate the domain of the user when changes
are done remotely
Client User Name: For Windows Server 2003, it will indicate the user when the changes are
done remotely
Accesses
Windows - Logons/Logoffs by User During Non-Business Hours

Windows - Logons/logoffs by User During Non-Business Hours
This report shows a list of all logon and logoff activities sorted by user name during
non-business hours.
l Work Days: Show all events that were recorded on this day of the week
Description
Input Parameters
Result Set Meaning
Starting Hour: Show all records starting from this hour of the day
l
l
End Hour: Show all records until this hour of the day
Date/Time
Event Computer
User Name
Logon ID
Event ID
Logon Type
Workstation
Domain Name

Description
Input
Parameters

This report shows a list of all user rights changes. It checks for the following Microsoft-WindowsSecurity-Auditing: 4704 and 4705.
l Changes Made by User: User who made the changes to the account
l
362
RSAenVision Reports

Date/Time
Event ID
Event
Event User
Domain Name
User Name
Target User Name
Result Set
Meaning

This report shows a list of all user rights changes. This report works only for Windows Server
2003 and earlier. It checks for the following Security event IDs: 608 and 609.
l Changes Made by User: User who made the changes to the account
Description
Input
Parameters
Result Set
Meaning
l
l
Date/Time
Event ID
Event
Event User
Domain Name
User Name
Target User Name

Description
Input
Parameters
Result Set
Meaning
363

This report shows a list of all files accessed by administrators in folders monitored for access
auditing. It checks for the following Security event IDs: 560 and 567.
l Administrative Users: Drop-down list for watch lists that include the account names of
administrative user.
l
File Name Filter: File that has been accessed by the user
Starting From Hour: Show all records starting from this hour of the day
l
l
Until Hour: Show all records until this hour of the

Date/Time
Domain Name: Domain of the user if the file is accessed locally

User Name: User name if the file is accessed locally
Client Domain: Domain of the user if the file is accessed remotely
Client User Name: User name if the file is accessed remotely
Event Type
Name
Accesses
Privileges
Object Type

Description This report shows a list of applications running on computers over the network, sorted by user name.
It checks for the following Security event IDs: 592 and 593. It also checks for the following
Microsoft-Windows-Security-Auditing: 4688 and 4689.
Input
l Administrative Users: Drop-down list for watch lists that include the account names of
Parameters
administrative users
Result Set
Meaning
Process Name Filter: Name of the process that has been launched by the user
l
l
Date/Time
Domain Name
User Name
Process ID
Process Name
Description

Description
This report shows a listing of accounts that were locked out. It checks for Security event ID
644.
Input Parameters l Locked by User: User who took the action
Result Set
Meaning
l
l
Date/Time
IP Address
364
RSAenVision Reports

l
Event Computer
User Account
Description

Description This report shows a list of applications running on computers over the network, sorted by user name.
It checks for Microsoft-Windows-Security-Auditing event ID 4689.
Input
l User: User who launched the application
Parameters
User Name
Date/Time
Process ID
Process
Domain Name
Result Set
Meaning

Description
Input
Parameters
Result Set
Meaning

This report shows a list of applications running on computers over the network, sorted by user
name. This report works only for Windows Server 2003 and earlier. It checks for Security event
ID 593.
l User: User who launched the application
l
l
l
User
Date/Time
Process
Name
Domain Name

Description This report shows a list of activities invoking right of privileges, sorted by primary user name. It
checks for the following Security event IDs: 577 and 578. It also checks for the following
Microsoft-Windows-Security-Auditing: 4673 and 4674.
365
Input
Parameters
Result Set
Meaning

User: User who did the activities
l
l
Date/Time
Primary User Name
Primary Domain Name
Client User Name
Client Domain Name
Description
Event ID
Privileges
366

RSA Envision Reports

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

RSA Envision Reports

Hochgeladen von

Copyright:

Verfügbare Formate

RSAenVision Reports

Archer Control Procedures Reports

Event Source Reports

Insider Threat Reports

RSA enVision Reports

Host Event Sources (Devices)

Insider Threat Mitigation Reports

Unix and Database Reports

Network Event Sources (Devices)

Security Event Sources (Devices)

Storage Event Sources (Devices)

Task Triage, with the following limitations:

You cannot bind them.

You cannot specify device groups or a time range in the Run/Copy/Modify/Delete

Virtualization Infrastructure Security

Vulnerabilities and Asset Management (VAM), with the following limitations:

You cannot bind them.

You cannot specify device groups or a time range in the Run/Copy/Modify/Delete

Correlated Alerts Reports

Correlated Multi-Device Reports

Top 20 Bandwidth Users

RSA enVision Reports

Host.Mail Servers reports

Host.Unix Hosts reports

Host.Web Logs reports

Event Source / Category

System Health/System Health Statistics This report lists

Note: The Configuration Changes and System

SAP ERP Central Component

Detailed Logon Failures This tabular report displays all the

General Mail Server Reports

Microsoft Exchange Server Reports

General Mainframe Reports

IBM MainFrame ICSF

Event Source / Category

IBM MainFrame (RACF)

MainFrame (RACF) Reports

IBM MainFrame (Top Secret)

MainFrame (Top Secret) Reports

IBM MainFrame (SMA_RT)

MainFrame (SMA_RT) Reports

General Virtualization Reports

VMware View Reports

Hewlett-Packard UNIX and FreeBSD Reports

Check Point IPSO

Check Point IPSOReports

Solaris Basic Security Module

Solaris BSM Reports

General Web Logs Reports

Apache HTTPServer Reports

Blue Coat Systems CacheOS and SGOS Reports

Blue Coat ELFF

Blue Coat ELFF Reports

Cisco Content Engine

Cisco Content Engine Reports

Cisco Ironport WSA

Cisco IronPort WSAReports

Juniper DX Application Accelerator Reports

Microsoft IIS Reports

RSA enVision Reports

Event Source / Category

Microsoft ISA Server

Microsoft ISA Server Reports