
RSA enVision Reports

Contact Information
Go to the RSA corporate web site for regional Customer Support telephone and fax numbers:
www.rsa.com
Trademarks
RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation
in the United States and/or other countries. All other trademarks used herein are the property of their
respective owners. For a list of EMC trademarks, go to www.rsa.com/legal/trademarks_list.pdf.
License agreement
This software and the associated documentation are proprietary and confidential to EMC, are
furnished under license, and may be used and copied only in accordance with the terms of such
license and with the inclusion of the copyright notice below. This software and the documentation,
and any copies thereof, may not be provided or otherwise made available to any other person.
No title to or ownership of the software or documentation or any intellectual property rights thereto
is hereby transferred. Any unauthorized use or reproduction of this software and the documentation
may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment by
EMC.
Third-party licenses
This product may include software developed by parties other than RSA. The text of the license
agreements applicable to third-party software in this product may be viewed in the
thirdpartylicenses.pdf file.
Note on encryption technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import,
or export of encryption technologies, and current use, import, and export regulations should be
followed when using, importing or exporting this product.
Distribution
Use, copying, and distribution of any EMC software described in this publication requires an
applicable software license.
EMC believes the information in this publication is accurate as of its publication date. The
information is subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION
MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO
THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright 2012 EMC Corporation. All Rights Reserved. Published in the USA. Friday, October 31, 2014

Contents
- About Reports
- Archer Control Procedures Reports
- Class Reports
- Compliance Reports
- Event Source Reports
- Insider Threat Reports

About Reports
The enVision Reports module has standard network security and traffic analysis reports
and graphs. You can copy and modify these reports, or create your own custom reports to
meet your specific reporting needs. For details, see the enVision Help.
Reports are organized by device class. Reports are available for:
- Archer
- Compliance
- Correlated alerts
- Host Event Sources (Devices)
- Insider Threat Mitigation Reports
  - Unix and Database Reports
  - Windows Reports
- Network Event Sources (Devices)
- Security Event Sources (Devices)
- Storage Event Sources (Devices)
- Task Triage, with the following limitations:
  - You cannot bind them.
  - You cannot specify device groups or a time range in the Run/Copy/Modify/Delete
    Report window for them.
  - If you have a multiple appliance site or a multiple site deployment, any customized
    Task Triage reports (created from the Task Triage table) are only installed on the
    primary A-SRV. You must run them from this A-SRV.
- Virtualization Infrastructure Security
- Vulnerabilities and Asset Management (VAM), with the following limitations:
  - You cannot bind them.
  - You cannot specify device groups or a time range in the Run/Copy/Modify/Delete
    Report window for them.
When you select a report, enVision displays the Run/Copy/Modify/Delete Report screen
from which you run the report and specify runtime parameters (if any).

Correlated Reports
RSA enVision has standard correlated reports.

Correlated Alerts Reports
- Correlated Alerts Details: lists all the alerts that caused a correlated alert.
- Correlated Alerts List: lists all correlated alerts in a given time period.
- Correlated Alerts Summary: graphs the top 20 correlated alerts in descending order.

Correlated Multi-Device Reports
- Top 10 Source Addresses of Alarms
- Top 10 Alarms
- Top 10 Destinations of Alarms
- Top 10 Requested URL/FTP Destinations
- Top 20 Bandwidth Ports
- Top 20 Bandwidth Users
- Top 20 Connections by Address
- Top 20 Connections by Port
- Top 20 Denied Inbound by Address
- Top 20 Denied Inbound by Port
- Top 20 Denied Outbound by Address

Host Reports
RSA enVision has standard reports for Host event sources (devices).
- Host.Application Servers reports
- Host.Mail Servers reports
- Host.Mainframes reports
- Host.Midrange reports
- Host.Unix Hosts reports
- Host.Virtualization reports
- Host.Web Logs reports
- Host.Windows reports

The table below is organized as Device Class, then Event Source / Category: Reports.

Application Servers
  General:
    System Configuration Changes / Configuration Changes: lists all the system configuration changes made.
    System Health / System Health Statistics: lists system normal conditions, unusual activity, errors, system startup, system shutdown, and system license.
    Note: The Configuration Changes and System Health Statistics reports are updated reports. Content 2.0 event sources populate the data for these reports.
  SAP ERP Central Component: Detailed Logon Failures: a tabular report that displays all the logon failures in the selected time range.

Mail Servers
  General: General Mail Server Reports
  Microsoft Exchange: Microsoft Exchange Server Reports

Mainframes
  General: General Mainframe Reports
  CA ACF2: CA ACF2 Reports
  IBM Mainframe ICSF: Overview of Events: details events from IBM Mainframe Integrated Cryptographic Service Facility.
  IBM Mainframe (RACF): Mainframe (RACF) Reports
  IBM Mainframe (Top Secret): Mainframe (Top Secret) Reports
  IBM Mainframe (SMA_RT): Mainframe (SMA_RT) Reports

Midrange
  IBM iSeries: iSeries Reports

Virtualization
  General: General Virtualization Reports
  VMware View: VMware View Reports

Unix Hosts
  AIX: AIX Reports
  Apple Mac OS X: Mac OS X Reports
  HP-UX / FreeBSD: Hewlett-Packard UNIX and FreeBSD Reports
  Check Point IPSO: Check Point IPSO Reports
  Linux: Linux Reports
  Solaris Basic Security Module: Solaris BSM Reports
  Solaris: Solaris Reports

Web Logs
  General: General Web Logs Reports
  Apache: Apache HTTP Server Reports
  Blue Coat: Blue Coat Systems CacheOS and SGOS Reports
  Blue Coat ELFF: Blue Coat ELFF Reports
  Cisco Content Engine: Cisco Content Engine Reports
  Cisco IronPort WSA: Cisco IronPort WSA Reports
  Juniper DX: Juniper DX Application Accelerator Reports
  Microsoft IIS: Microsoft IIS Reports
  Microsoft ISA Server: Microsoft ISA Server Reports
  NetCache: Network Appliance NetCache Reports
  Nortel WebOS: Nortel Alteon Switch Firewall Reports
  Websense Web Security: Websense Web Security Suite Reports

Windows
  Account Management: Windows Account Management Reports
  Application Errors: Windows Application Error Reports
  Disk and Memory: Windows Disk and Memory Reports
  Files / Objects Access: Windows Files and Objects Access Reports
  Logon / Logoff: Windows Logon and Logoff Reports
  Policy Changes and Audit Logs: Windows Policy Changes and Audit Logs Reports
  Restarts / Shutdowns: Windows Restart/Shutdown Reports
  Summary Reports: Windows Summary Reports
  Trend Reports: Windows Trend Reports
  User Activity: Windows User Activity Reports
  Windows Filtering Platform: Windows Filtering Platform Reports
  Microsoft Audit Collection Service: Microsoft Audit Collection Service Reports

Network Reports
RSA enVision has standard reports for Network event sources (devices).
- Network.Application Delivery reports
- Network.Configuration Management reports
- Network.Configuration and Policy Management reports
- Network.Messaging reports
- Network.Routers reports
- Network.Switches reports
- Network.System reports:
  - Alerts
  - Audit
  - Automatic Update
  - DHCP
  - Infoblox NIOS
  - Statistics
- Network.Wireless Devices reports

The table below is organized as Device Class, then Event Source: Reports.

Application Delivery
  Cisco Application Control Engine: Cisco Application Control Engine Reports

Configuration Management
  General: Standard Configuration Management Reports
  Cisco Unified Computing System Manager: Cisco Unified Computing System Manager Reports
  EMC Ionix: EMC Ionix Reports
  LANDesk Management Suite: List of Applications Installed on Devices: displays a list of the LANDesk Management Suite devices and the applications installed on them.
  Lumension Endpoint Management and Security Suite: Lumension EMSS Reports
  Microsoft System Center Configuration Manager: Microsoft System Center Configuration Manager Reports
  Microsoft Windows Server Update Service: Microsoft Windows Server Update Service Reports
  Safend Protector: Safend Protector Reports
  CiscoWorks Network Compliance Manager: CiscoWorks Network Compliance Manager Reports

Configuration and Policy Management
  McAfee Policy Auditor: Audit Rule Results: displays audit rule results from Policy Auditor.
  NetScreen-Security Management: Juniper Networks NetScreen-Security Manager Reports
  Solsoft NP: Solsoft NP Reports
  Tripwire Enterprise: Tripwire Enterprise Reports

Messaging
  General: General Messaging Reports

Routers
  Cisco Router: Cisco Router Reports
  Juniper JUNOS Router: Juniper Networks JUNOS Router Reports
  Nortel Passport 8600: Nortel Passport 8600 Routing Switch Reports

Switches
  General: Switches Reports
  Alcatel-Lucent OmniSwitch: Alcatel-Lucent OmniSwitch Reports
  Cisco Content Switch: Cisco Content Switch Reports
  Cisco Switch: Cisco Switch Reports
  Extreme Networks ExtremeWare: Extreme Networks ExtremeWare Switch Reports
  Extreme Networks ExtremeXOS: Extreme Networks ExtremeXOS Reports
  Foundry Switches: Foundry Networks Switch Reports

System
  N/A: Alerts Reports (All Devices); Audit Reports (All Devices); Automatic Update Reports

System DHCP
  Microsoft DHCP: DHCP Lease Change: lists host names leased to DHCP IP addresses.

System - IBM WebSphere DataPower
  IBM WebSphere DataPower: IBM WebSphere DataPower - Summary Report: summarizes the events captured on IBM WebSphere DataPower in descending order.

System Infoblox NIOS
  Infoblox NIOS: Infoblox NIOS Summary Report: summarizes events captured on Infoblox.

System Statistics
  N/A: Statistics Reports (All Devices)

Wireless Devices
  General: General Wireless Device Reports
  Cisco Aironet Access Points: Cisco Aironet AP Reports
  Cisco Mobility Services Engine: Cisco MSE Rogue AP & Clients

Security Reports
RSA enVision has standard reports for Security event sources (devices).
- Security.Access Control reports
- Security.Analysis reports
- Security.Antivirus reports
- Security.Application Firewall reports
- Security.Firewalls reports
- Security.VPN reports
- Security.DLP reports
- Security.Intrusion reports
- Security.Intrusion Detection Systems reports
- Security.Intrusion Prevention Systems reports
- Security.Vulnerability reports

The table below is organized as Device Class, then Event Source: Reports.

Access Control
  General: General Access Control Reports
  ActivIdentity AAA Server: ActivIdentity AAA Server Reports
  Cisco NAC: Cisco NAC Reports
  Cisco Secure ACS: Cisco Secure Access Control Server Reports
  Cyber-Ark Enterprise Password Vault, Inter-Business Vault, and Sensitive Document Vault: Cyber-Ark Enterprise Password Vault, Inter-Business Vault, and Sensitive Document Vault Reports
  F5 Big-IP APM:
    Big-IP APM - Most Frequent Sources of Connections
    Big-IP APM - Session Control Information
  Juniper Networks Infranet Controller 4500: Juniper Networks Infranet Controller 4500 Reports
  Microsoft Network Access Protection: Microsoft Network Access Protection Reports
  Oracle Identity Manager: Oracle Identity Manager Reports
  RSA ACE Server: RSA Authentication Manager and UCM Reports
  RSA Adaptive Authentication (Hosted): RSA Adaptive Authentication (Hosted) Reports
  RSA Adaptive Authentication (OnPrem): RSA Adaptive Authentication (OnPrem) Reports
  Steel Belted Radius: Juniper Networks Steel Belted Radius Reports
  Top Layer Secure Edge Controller: Top Layer Secure Edge Controller Reports

Analysis
  General: General Analysis Reports
  Cisco MARS: Cisco MARS Reports
  NetWitness NextGen: NetWitness NextGen Reports
  SafeStone DetectIT: SafeStone DetectIT Reports
  SECUDE Security Intelligence: SECUDE Security Intelligence Reports

Antivirus
  General: General Antivirus Reports
  McAfee Virus Scan: McAfee Virus Scan Reports
  McAfee ePolicy Orchestrator: McAfee ePolicy Orchestrator Reports
  Symantec AntiVirus: Symantec AntiVirus Reports
  Trend Micro: Trend Micro Reports

Application Firewall
  General: General Application Firewall Reports
  Cisco IronPort ESA: Cisco IronPort ESA Reports
  F5 Big-IP Application Security Manager: F5 Big-IP Application Security Manager Reports
  Trend Micro Deep Security: Trend Micro Deep Security Reports

Firewalls
  General: General Firewall Reports
  Check Point Firewall-1: Check Point Firewall-1 Reports
  Cisco ASA: Cisco ASA Reports
  Cisco IOS: Cisco IOS Firewall Reports
  Cisco PIX: Cisco PIX Reports
  CyberGuard Classic: CyberGuard Classic Reports
  CyberGuard Firewall: CyberGuard Firewall Reports
  Fortinet FortiGate: Fortinet FortiGate Reports
  Microsoft ISA Server: Microsoft ISA Server Reports
  NetScreen Firewall: Juniper Networks NetScreen Firewall Reports
  Palo Alto Networks Enterprise Firewall: Palo Alto Networks Enterprise Firewall Reports
  McAfee Firewall Enterprise (formerly named Secure Computing Sidewinder G2 Security Appliance): McAfee Firewall Enterprise Reports
  Symantec Enterprise Firewall: Symantec Enterprise Firewall Reports

VPN
  General: General VPN Reports
  Checkpoint VPN: Checkpoint VPN Reports
  Cisco ASA VPN: Cisco ASA VPN Reports
  Cisco PIX VPN: Cisco PIX VPN Reports
  Cisco VPN 3000 Concentrator: Cisco VPN 3000 Concentrator Reports
  Citrix Access Gateway: Citrix Access Gateway Reports
  Intel VPN: Intel VPN Reports
  Juniper SSL VPN: Juniper SSL VPN Reports
  Nortel Contivity VPN: Nortel Contivity VPN Reports
  Symantec Enterprise VPN: Symantec Enterprise VPN Reports

DLP
  General: General DLP Reports

Intrusion
  General: General Intrusion Reports
  Trend Micro OSSEC:
    Trend Micro OSSEC - List of All Active-Responses: lists all of the Active Responses generated by OSSEC.
    Trend Micro OSSEC - List of All Alerts: lists all of the alerts generated by OSSEC.

Intrusion Detection Systems
  General:
    IDS Top Alarms by Category
    Top 20 IDS Categories
  Checkpoint SmartDefense: Check Point SmartDefense Reports
  Cisco ASA: Cisco ASA IDS Reports
  Cisco IOS: Cisco IOS IDS Reports
  Cisco PIX: Cisco PIX IDS Reports
  Cisco Secure IDS: Cisco Secure IDS Reports
  Dragon IDS: Enterasys Dragon IDS Reports
  Entercept: Entercept Reports
  eEye Retina Network Security Scanner: eEye Retina Network Security Scanner Reports
  ISS RealSecure: ISS RealSecure Reports
  IntruShield: IntruShield Reports
  Lancope StealthWatch: Lancope StealthWatch Reports
  NFR Security NIDS: NFR Security NIDS Reports
  NetScreen: Juniper Networks NetScreen (IDS) Reports
  Snort: SNORT Reports
  Symantec Intruder Alert: Symantec Intruder Alert Reports
  Symantec Network Security: Symantec Network Security SNS Reports
  Tipping Point: Tipping Point Reports

Intrusion Prevention Systems
  General: General Intrusion Prevention Systems Reports
  Top Layer Attack Mitigator: Top Layer Attack Mitigator Reports
  Arbor Peakflow SP5: Arbor Peakflow SP Reports
  Arbor Peakflow X: Arbor Peakflow X Reports
  Cisco Security Agent: Cisco Security Agent Reports
  Mazu Profiler: Mazu Networks Profiler Reports
  NetScreen IDP: NetScreen IDP Reports

Vulnerability
  General: General Vulnerability Reports

Storage Reports
RSA enVision has standard reports for Storage event sources (devices).
- Storage.Content Management System reports
- Storage.Database reports
- Storage.Document reports
- Storage.Storage reports

The table below is organized as Device Class, then Event Source: Reports.

Content Management System
  Perforce: Overview of Actions: details the actions logged to the audit log file on Perforce. The actions captured here are SYNC, DIFF, REVERT, ANNOTATE, INTEGRATE, RESOLVE, and PRINT.

Database
  Application Security DbProtect: Application Security DbProtect Reports
  IBM DB2 UDB: IBM Mainframe DB2 UDB Reports
  Documentum: EMC Documentum Reports
  GIT: GIT - Overview of Actions: details all users' access to the repositories.
  Microsoft SQL Server: Microsoft SQL Server Reports
  MySQL Enterprise: MySQL Reports
  Oracle Database: Oracle Database Reports
  PostgreSQL: PostgreSQL - Top Ten Sessions Based on Log Frequency Activity
  Sybase ASE: Sybase ASE Reports

Document
  General: General Document Reports
  EMC VPLEX: Detailed Event Report: details all the commands that are run across the VPLEX data store, collected from session logs.

Storage
  General: Standard Storage Reports
  GE Centricity Enterprise Archive:
    GECEA - Configuration Changes by User: details all the configuration changes made by a user logged on to the GE Centricity Enterprise Archive console.
    GECEA - Overview of ILM Events: details all the ILM module activities performed on the GE Centricity Enterprise Archive.
  Network Appliance Data ONTAP: Network Appliance Data ONTAP Reports

Task Triage Reports
RSA enVision has standard Task Triage reports.
- Average Time to Acknowledge: depicts the average time to acknowledge a task in
  one-hour intervals over the previous 24-hour reporting period.
- Average Time to Close: depicts the average time to close a task in one-hour intervals
  over the previous 24-hour reporting period.
- Closure Rate: depicts the task closure rate in one-hour intervals over the previous
  24-hour period.
- Incident Rate: depicts the incident rate in one-hour intervals over the previous 24-hour
  reporting period.
- Last Modified Tasks: depicts the most recently modified task entries.
- Longest Open Tasks: depicts the tasks that have been open for the longest amount of
  time.
- Longest Unacknowledged Tasks: depicts the tasks that have been unacknowledged
  for the longest amount of time.
- Open Tasks by Owner: depicts the number of open tasks for each unique owner
  contained in the Task Triage database.
- Open Tasks by Priority: depicts the percentage of open tasks by priority level.
- Tasks by Priority and Owner: depicts the number of open items by priority for a
  specified user.

Virtualization Infrastructure Security Standard Reports
The Reports module includes the following standard system reports for virtualization
infrastructure security.
Note: Unless otherwise specified, these virtualization infrastructure security reports can
only be used with the following event sources: Cisco Secure ACS, VMware ESX,
VMware vCenter, and Microsoft SQL Server.

Vblock - Accounts Created
This report contains logs of the accounts that were created.

Vblock - Accounts Deleted
This report contains logs of the accounts that were deleted.

Vblock - Accounts Modified
This report contains logs of the accounts that were modified.

Vblock - Administrator Access to Vblock Systems - Detail
This report focuses on all actions taken by any individual with root or administrative
privileges. It displays all successful and failed logons.

Vblock - Configuration Changes
This report supports change control processes and procedures by listing all changes
to system components.

Vblock - Escalation of Privileges
This report displays the log events that record the escalation of account privileges to
perform administrative tasks.

Vblock - Logon Failures - Detail
This report monitors invalid logical access attempts. It contains the logs of all logon
failures.

Vblock - Logon Failures - Summary
This report contains a count of all logon failures.

Vblock - Password Changes
This report contains logs of the accounts with password changes.

Vblock - User Access Revoked
This report lists all the rights removed from a user.

Vblock - User Access to Vblock Systems - Detail
This report monitors valid logical access attempts. It contains the logs of all successful
logons.

Vblock - User Account Management Bind Report
This bind report combines the following reports:
- Vblock - Accounts Created
- Vblock - Accounts Deleted
- Vblock - Accounts Modified

Vulnerability Assessment Management (VAM) Reports
RSA enVision has standard Vulnerability Assessment Management reports.
- Least Recently Scanned: lists assets in order of the longest duration since last scan.
- Most Vulnerable Assets By Business Rating: lists the assets in order of business rating
  and the aggregate vulnerability severity score.
- Most Vulnerable Assets By Count: lists the assets in order of the number of
  vulnerabilities associated with an asset.
- Most Vulnerable Assets By Severity: lists the assets in order of the aggregate
  vulnerability severity score.
- Vulnerability by Severities: depicts the detected vulnerabilities as a percentage of the
  total, organized by severity value.

Archer Control Procedures Reports
RSA enVision has control procedure reports for the following event sources (devices).

Event Source: Reports
- Check Point Firewall-1: Check Point Firewall-1 Control Procedure Reports
- Microsoft SharePoint Server: Microsoft SharePoint Server Control Procedure Reports
- Oracle WebLogic: Oracle WebLogic Control Procedure Reports
- VMware: VMware Control Procedure Reports

Archer Control Procedure Reports: Check Point
The Reports module includes the following control procedure reports for the Check Point
FireWall-1 event source and the Security Suite.

CP-32029 Checkpoint Stealth Rule
Displays the alerts from the Stealth rule, which is a rule that drops traffic destined for a
firewall interface. The rule hides the firewall interfaces from the other network
resources. Place it above any rule that could match traffic to the firewall itself, otherwise
the earlier rule wins and the Stealth rule never fires.
Note: You must enter the Stealth rule number before running the report.

CP-32036 Checkpoint Drop Rule
Displays the alerts from the firewall rule that handles incoming connections. The Checkpoint
Drop rule uses the Drop action instead of Reject: Drop discards the packet silently, while
Reject returns a TCP reset or ICMP unreachable that tells the sender a firewall is present.

CP-32049 Checkpoint Authentication Failure
Displays the alerts from the Authentication Failure rule, which logs failed authentication
attempts.

CP-32050 Checkpoint Cleanup Rule
Displays the alerts from the Cleanup rule. The firewall drops and logs all connections not
accepted by an earlier rule. You must add a default rule denying access to ANY
from ANY as the last rule in the rule set. You must also enable logging on this rule, or
the report has nothing to display.
Note: You must enter the Cleanup rule number before running the report.
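The two preconditions above (a Stealth rule placed early enough not to be shadowed, and a logged Any-to-Any drop as the last rule) are easy to check before you enter rule numbers into the reports. The following is an added example, not RSA enVision or Check Point code: it models a rule base as a constructed list of dicts (Check Point's real policy format and object names differ; `fw-gateway`, the rule fields and the sample rules are invented) and reports the Stealth and Cleanup rule numbers plus any ordering or logging problem.

```python
"""Checks a simplified firewall rule base for the Stealth and Cleanup rules.

Added example, not RSA enVision or Check Point code. Each rule is a dict with
no/src/dst/service/action/track; this is a constructed simplification of a
Check Point rule base, and the object name "fw-gateway" is invented.
"""
ANY = "Any"

# Invented object names standing in for the firewall's own interfaces / gateway object.
FIREWALL_OBJECTS = {"fw-gateway"}

def is_stealth_rule(rule):
    """A Stealth rule drops traffic whose destination is the firewall itself."""
    return rule["dst"] in FIREWALL_OBJECTS and rule["action"] == "drop"

def is_cleanup_rule(rule):
    """A Cleanup rule is an explicit Any -> Any, any service, drop."""
    return (rule["src"] == ANY and rule["dst"] == ANY
            and rule["service"] == ANY and rule["action"] == "drop")

def find_stealth_rule(rules):
    """Rule number to enter for CP-32029, or None if there is no Stealth rule."""
    for rule in rules:
        if is_stealth_rule(rule):
            return rule["no"]
    return None

def find_cleanup_rule(rules):
    """Rule number to enter for CP-32050, but only if it really is the last rule."""
    if rules and is_cleanup_rule(rules[-1]):
        return rules[-1]["no"]
    return None

def validate_rulebase(rules):
    """Return a list of findings; an empty list means both rules are in order."""
    findings = []
    stealth_no = find_stealth_rule(rules)
    if stealth_no is None:
        findings.append("no Stealth rule: traffic to the firewall interfaces is not explicitly dropped")
    else:
        # An accept with destination Any above the Stealth rule also matches traffic
        # to the firewall, so the Stealth rule is (partly) shadowed by it.
        for rule in rules:
            if rule["no"] >= stealth_no:
                break
            if rule["action"] == "accept" and rule["dst"] == ANY:
                findings.append(f"rule {rule['no']} accepts to Any above the Stealth rule {stealth_no}; "
                                "it can match traffic to the firewall first")
    cleanup_no = find_cleanup_rule(rules)
    if cleanup_no is None:
        findings.append("last rule is not an explicit Any->Any drop (Cleanup rule missing)")
    elif rules[-1]["track"] != "log":
        findings.append(f"Cleanup rule {cleanup_no} is not logged; CP-32050 would have nothing to report")
    for rule in rules:
        if is_cleanup_rule(rule) and rule is not rules[-1]:
            findings.append(f"rule {rule['no']} is an Any->Any drop before the end; every rule after it is dead")
    return findings

# Constructed sample rule bases (not from any real policy).
GOOD_RULES = [
    {"no": 1, "src": "mgmt-net",     "dst": "fw-gateway", "service": "ssh",   "action": "accept", "track": "log"},
    {"no": 2, "src": ANY,            "dst": "fw-gateway", "service": ANY,     "action": "drop",   "track": "log"},
    {"no": 3, "src": "internal-net", "dst": ANY,          "service": "https", "action": "accept", "track": "log"},
    {"no": 4, "src": ANY,            "dst": ANY,          "service": ANY,     "action": "drop",   "track": "log"},
]
BAD_RULES = [
    {"no": 1, "src": "internal-net", "dst": ANY,          "service": ANY, "action": "accept", "track": "none"},
    {"no": 2, "src": ANY,            "dst": "fw-gateway", "service": ANY, "action": "drop",   "track": "log"},
    {"no": 3, "src": ANY,            "dst": ANY,          "service": ANY, "action": "drop",   "track": "none"},
]

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, "stealth:", find_stealth_rule(rules), "cleanup:", find_cleanup_rule(rules))
        for finding in validate_rulebase(rules):
            print("  -", finding)
```

The management rule in `GOOD_RULES` sits above the Stealth rule deliberately, which is the usual layout; only an accept with destination Any is treated as shadowing, because it silently matches traffic to the firewall that the Stealth rule was meant to drop.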


Archer Control Procedure Reports: Oracle WebLogic
The Reports module includes the following control procedure reports for the Oracle
WebLogic event source.

CP-31949 User Lockout Enabled
This report displays the number of times a user has tried to access an account and
whether the maximum threshold of allowed attempts has been reached. The account
lockout feature disables an account after a set number of failed logon attempts.
General guidelines recommend locking out the account after 3 to 5 failed logon
attempts. Because anyone who knows a user name can trigger the lockout, pair the
threshold with an automatic unlock period and watch this report for bursts of lockouts
across many accounts, which point to a password-spraying or denial-of-service attempt
rather than forgotten passwords.
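The threshold logic the report summarizes, as an added example that is not RSA enVision or WebLogic code: a small detector that walks logon audit events in time order, counts consecutive failures per account inside a reset window, and names the accounts that reached the lockout threshold. The event tuples, user names and the 10-minute reset window are constructed assumptions, not WebLogic's actual settings or event format.

```python
"""Flags accounts whose consecutive failed logons reach a lockout threshold.

Added example, not RSA enVision or WebLogic code. Events are constructed
(timestamp, user, success) tuples, a simplification of the logon audit events
the CP-31949 report reads; the threshold and reset window are assumptions.
"""
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                  # inside the 3..5 range the text recommends
RESET_WINDOW = timedelta(minutes=10)   # a failure older than this no longer counts

# Constructed sample events (not real audit data).
SAMPLE_EVENTS = [
    (datetime(2014, 10, 31, 9, 0, 0),  "alice",      False),
    (datetime(2014, 10, 31, 9, 0, 5),  "alice",      True),   # success resets the streak
    (datetime(2014, 10, 31, 9, 1, 0),  "svc_deploy", False),
    (datetime(2014, 10, 31, 9, 1, 2),  "svc_deploy", False),
    (datetime(2014, 10, 31, 9, 1, 4),  "svc_deploy", False),
    (datetime(2014, 10, 31, 9, 1, 6),  "svc_deploy", False),
    (datetime(2014, 10, 31, 9, 1, 8),  "svc_deploy", False),  # 5th failure: lockout
    (datetime(2014, 10, 31, 9, 1, 10), "svc_deploy", False),  # still failing afterwards
    (datetime(2014, 10, 31, 8, 0, 0),  "bob",        False),
    (datetime(2014, 10, 31, 8, 30, 0), "bob",        False),  # 30 min later: window reset
]

def failed_logon_summary(events, threshold=LOCKOUT_THRESHOLD, window=RESET_WINDOW):
    """Per user: total attempts, current consecutive-failure streak, and when the
    threshold was first reached (None if never). Events are sorted by time first,
    so out-of-order input from several collectors is handled."""
    state = {}
    for ts, user, ok in sorted(events, key=lambda e: e[0]):
        s = state.setdefault(user, {"attempts": 0, "streak": 0,
                                    "last_failure": None, "locked_at": None})
        s["attempts"] += 1
        if ok:
            s["streak"] = 0          # a successful logon clears the streak
            continue
        if s["last_failure"] is not None and ts - s["last_failure"] > window:
            s["streak"] = 0          # stale failures do not accumulate
        s["streak"] += 1
        s["last_failure"] = ts
        if s["streak"] >= threshold and s["locked_at"] is None:
            s["locked_at"] = ts
    return state

def locked_out_users(events, threshold=LOCKOUT_THRESHOLD, window=RESET_WINDOW):
    """Sorted list of accounts that reached the threshold."""
    summary = failed_logon_summary(events, threshold, window)
    return sorted(u for u, s in summary.items() if s["locked_at"] is not None)

if __name__ == "__main__":
    for user, s in failed_logon_summary(SAMPLE_EVENTS).items():
        status = f"LOCKED at {s['locked_at']:%H:%M:%S}" if s["locked_at"] else "ok"
        print(f"{user:12s} attempts={s['attempts']} streak={s['streak']} {status}")
```

Counting only consecutive failures inside a window, and resetting on success, is what keeps a legitimate user who mistypes once a day from ever reaching the threshold while a burst against a service account still does.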


Archer Control Procedure Reports: Microsoft SharePoint Server 2007
The Reports module includes the following control procedure reports for the Microsoft
SharePoint Server 2007 event source.

CP-34177 SharePoint Administrator Logon
Displays the alerts from the Administrator Logon rule, which restricts local logon to
SharePoint servers to Administrators only.

CP-34181 SharePoint File Access Audit
This report tells administrators who attempts to access the Microsoft SharePoint Server.
You must enable file access auditing on the SharePoint folders on the server for this
report to function.


Archer Control Procedure Reports: VMware
The Reports module includes the following control procedure reports for the VMware
event source.

CP-34663 Inventory Deployed Virtual Machines
The inventory of deployed virtual machines should be compared against the approved
virtual environments in accordance with the approved documented procedure.

CP-34670 Logins to ESX Server
Checks for users logged into the ESX Server from unexpected hosts. Any suspicious
activity should be appropriately investigated.

CP-34687 ESX Host Restarts
System shutdowns and restarts on the ESX server should be monitored, and any
unexpected shutdowns and restarts should be investigated.


Class Reports
RSA enVision includes reports that focus on specific event source classes, for example
Firewall reports.
- Standard Reports Alerts
- Standard Reports Firewall Device Categories
- Standard Reports IDS Device Categories
- Standard Reports Statistics
- Standard Reports Configuration Management
- Standard Reports Correlated Alerts
- Standard Reports Correlated Multi-Device Reports
- Standard Reports DHCP
- General Access Control Reports
- General Analysis Reports
- General Antivirus Reports
- General Application Firewall Reports
- General Automatic Update Reports
- General DLP Reports
- General Document Reports
- General Intrusion Reports
- General Intrusion Prevention Systems Reports
- General Mail Server Reports
- General Messaging Reports
- General Switches Reports
- General Virtualization Reports
- General VPN Reports
- General Vulnerability Reports
- General Web Logs Reports
- General Wireless Devices Reports
- Standard Reports Audit
- Standard Reports System
- Standard Reports Storage

Standard Reports Alerts
The Reports module includes the following standard system reports for alerts.

Alert Notes by Date and Time
Lists all alert notes in the database sorted by the time that they occurred.

Alert Notes by View
Lists all alert notes for a specific view. You must modify the report query to specify the
view that you want displayed.

Alerts per Hour
Displays the distribution of all alerts over time, in one-hour intervals.

Alerts Status Summary
Lists a count of alerts within a time range sorted by status, such as new alert, under
investigation, or resolved.

Alerts Under Investigation by Date/Time
Lists all alerts under investigation in the database sorted by the time that the alerts
occurred. Use this report to track alerts under investigation.

Alerts Under Investigation by View
Lists all alerts under investigation in the database for a specific view.
You must modify this report before running it. On the Create/Modify Report - Specify
Report Selection Criteria window, replace the placeholder text "type viewname here" with
the name of the view that you want displayed.

Available Alerts by Date/Time
Lists all alerts and the status of each alert in the database sorted by the time that the
alerts occurred.

New Alerts by Date/Time
Lists all new alerts in the database sorted by the time that the alerts occurred.

New Alerts by View
Lists all new alerts in the database for a specific view.
You must modify this report before running it. On the Create/Modify Report - Specify
Report Selection Criteria window, replace the placeholder text "type viewname here" with
the name of the view that you want displayed.

Percentages of Alerts by NIC Category
Displays the distribution of alerts by NIC category.

Percentages of Alerts by Alert Levels
Displays the distribution of alerts by alert level.

Percentages of Alerts by Severity Levels
Displays the distribution of alerts by severity level.

Resolved Alerts by Date/Time
Lists all resolved alerts in the database sorted by the time that the alerts occurred. Use
this report to identify the alerts that have been resolved.

Resolved Alerts by View
Lists all resolved alerts in the database for a specific view.

Top 20 Alert Categories
Displays the top 20 alert categories by number of alerts.

Standard Reports Firewall Device Categories
The Reports module includes the following standard reports for reporting on firewalls by
category.

Firewalls - Top Events by Category
Displays the top events by category from all firewall event sources.

Top 20 Firewall Categories
Displays the 20 firewall categories that generate the highest number of events from all
firewall event sources.

Standard Reports IDS Device Categories
The Reports module includes the following standard reports for reporting on IDS event
sources by category.

IDS Top Alarms by Category
Displays the top signatures by category from all IDS event sources.

Top 20 IDS Categories
Displays the 20 IDS categories that generate the highest number of events from all IDS
event sources.

Standard Reports Statistics
The Reports module includes the following standard reports for statistics.
Important: To gather the data for these reports, you must start the Alerter Service.

Count of Messages Per Device
Counts messages collected per event source and event source type for a specific time
range. The order is ascending, so event sources that did not collect any data are listed
first. A configured event source with a count of zero usually means collection is broken
(agent stopped, syslog misrouted, or a changed host name) rather than a quiet source,
so treat the top of this report as a collection health check.

Daily Event Counts
Displays the total event counts by day.

Hourly Event Counts
Displays the total event counts by hour.

Percentage of Events by Device Class
Displays the percentage of the total number of events by event source class.

Percentage of Events by Device Type
Displays the percentage of the total number of events by event source type.

Percentage of Events by NIC Category
Displays the percentage of the total number of events by NIC category.

Syslog Collection Statistics
Summarizes the syslog message quantity and byte count on an hourly basis per logging
event source, to assess log host system and disk space requirements. Use this report to
identify the periods of highest activity.
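The aggregation behind the Count of Messages Per Device and Syslog Collection Statistics reports, as an added example that is not RSA enVision code: it parses constructed RFC 3164-style syslog lines, counts messages and bytes per event source per hour, and lists an expected set of sources in ascending order so that a silent source (here the invented `ids-01`, which sends nothing) sorts to the top. The host names, timestamps and message bodies are constructed sample data; the year is assumed because the syslog header carries none.

```python
"""Hourly syslog volume per event source, with silent sources listed first.

Added example, not RSA enVision code. SAMPLE_LINES are constructed; the regex
handles the RFC 3164 header shape "<PRI>Mon dd hh:mm:ss host message" only,
and the year is an assumption because that header has none.
"""
from collections import defaultdict
from datetime import datetime
import re

_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# Constructed sample lines (invented hosts, addresses and messages).
SAMPLE_LINES = [
    "<34>Oct 31 08:01:10 fw-edge-1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/4422 dst inside:10.0.0.5/22",
    "<34>Oct 31 08:05:42 fw-edge-1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/4423 dst inside:10.0.0.5/22",
    "<86>Oct 31 08:59:59 dc-01 sshd[2211]: Failed password for root from 198.51.100.9 port 51022 ssh2",
    "<86>Oct 31 09:00:00 dc-01 sshd[2211]: Failed password for root from 198.51.100.9 port 51023 ssh2",
    "<38>Oct 31 09:30:15 web-01 sudo: alice : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx",
    "this line is not syslog at all",
]

def parse_syslog(line, year=2014):
    """Return (hour_bucket, host, byte_count), or None when the header does not parse."""
    m = _SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts.replace(minute=0, second=0), m.group("host"), len(line.encode("utf-8"))

def hourly_stats(lines, year=2014):
    """Map (hour, host) -> {"messages": n, "bytes": b}; also count unparsable lines,
    which are what the 'unknown events' reports would surface."""
    stats = defaultdict(lambda: {"messages": 0, "bytes": 0})
    unparsed = 0
    for line in lines:
        parsed = parse_syslog(line, year)
        if parsed is None:
            unparsed += 1
            continue
        hour, host, nbytes = parsed
        stats[(hour, host)]["messages"] += 1
        stats[(hour, host)]["bytes"] += nbytes
    return dict(stats), unparsed

def messages_per_device(lines, expected_hosts, year=2014):
    """(host, total messages) for every expected host, ascending, so that a source
    that sent nothing appears first with a count of 0."""
    totals = {h: 0 for h in expected_hosts}
    stats, _ = hourly_stats(lines, year)
    for (_, host), v in stats.items():
        totals[host] = totals.get(host, 0) + v["messages"]
    return sorted(totals.items(), key=lambda kv: (kv[1], kv[0]))

def busiest_hour(lines, year=2014):
    """(hour, total bytes) for the hour with the most syslog bytes across all hosts."""
    stats, _ = hourly_stats(lines, year)
    per_hour = defaultdict(int)
    for (hour, _), v in stats.items():
        per_hour[hour] += v["bytes"]
    return max(per_hour.items(), key=lambda kv: kv[1])

if __name__ == "__main__":
    expected = ["fw-edge-1", "dc-01", "web-01", "ids-01"]   # ids-01 is silent on purpose
    for host, n in messages_per_device(SAMPLE_LINES, expected):
        print(f"{n:4d}  {host}")
    hour, nbytes = busiest_hour(SAMPLE_LINES)
    print(f"busiest hour: {hour:%Y-%m-%d %H:00} ({nbytes} bytes)")
```

Sizing a log host from this output means looking at the peak hour's byte count rather than the daily average, which is why the report is bucketed hourly; the silent-source list is the other half of the check, because a source that stops sending is invisible in every other report.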

Top 20 Devices
Displays the top 20 event sources generating events during the selected time period.

Top 20 Devices Generating Unknown Events


Displays the top 20 event sources generating unknown events during the selected time
period.

33

Class Reports

RSA enVision Reports

Top 20 Device Types Generating Unknown Events
Displays the top 20 event source types generating unknown events during the selected time period.

Top 20 Event Categories
Displays the top 20 event categories during the selected time period.

Top 20 Events
Displays the top 20 event IDs collected during the selected time period.
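As an added example (not part of the RSA enVision documentation and not enVision's own collection code), the following Python script shows the aggregation behind the Syslog Collection Statistics and Count of Messages Per Device reports over a handful of constructed RFC 3164-style syslog lines: messages and bytes per event source per hour, the busiest hour, a linear disk-space projection, and the per-source count sorted ascending so that a configured source that sent nothing comes first. The host names, the configured source list and the sample lines are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed RFC 3164-style lines as a collector would receive them (not real traffic).
# Format: <PRI>Mon dd hh:mm:ss host tag: message
SAMPLE_SYSLOG = b"""\
<34>Jan 12 08:01:10 fw01 kernel: Denied TCP 203.0.113.5:44321 -> 192.0.2.10:22
<38>Jan 12 08:15:42 fw01 sshd[2201]: Failed password for root from 203.0.113.5 port 44390 ssh2
<86>Jan 12 08:59:59 web01 httpd: GET /index.html 200
<38>Jan 12 09:00:03 fw01 sshd[2210]: Accepted publickey for ops from 198.51.100.7 port 51022 ssh2
<86>Jan 12 09:30:00 web01 httpd: GET /admin 403
<13>Jan 12 09:45:12 web01 cron[411]: (root) CMD (run-parts /etc/cron.hourly)
<86>Jan 12 09:50:01 web01 httpd: GET /login 401
"""

# Event sources the collector is configured for (assumed). db01 sends nothing in the
# sample, which is the case "Count of Messages Per Device" puts at the top of its list.
CONFIGURED_SOURCES = ("fw01", "web01", "db01")

SYSLOG_RE = re.compile(
    rb"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
)


def parse_syslog(raw):
    """Yield (host, hour_bucket, byte_length) for each well-formed line.

    Malformed lines are skipped here; a real collector would count them, since a
    burst of unparseable input is itself worth a report.
    """
    for line in raw.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts").decode(), "%b %d %H:%M:%S")
        # +1 accounts for the newline that also has to be stored on disk
        yield m.group("host").decode(), ts.strftime("%b %d %H:00"), len(line) + 1


def hourly_collection_stats(raw):
    """{(host, hour): [message_count, byte_count]}, the core of Syslog Collection Statistics."""
    stats = defaultdict(lambda: [0, 0])
    for host, hour, nbytes in parse_syslog(raw):
        stats[(host, hour)][0] += 1
        stats[(host, hour)][1] += nbytes
    return dict(stats)


def peak_hour(stats):
    """The (host, hour) with the most messages: the 'period of highest activity'."""
    return max(stats, key=lambda k: stats[k][0])


def daily_disk_estimate_bytes(stats, hours_observed):
    """Linear extrapolation of observed bytes to a 24-hour day.

    Sizing simplification: log volume is bursty, so a real estimate adds headroom
    and uses a much longer observation window than the two hours in the sample.
    """
    total_bytes = sum(b for _, b in stats.values())
    return total_bytes * 24 // hours_observed


def count_per_source(raw, configured=CONFIGURED_SOURCES):
    """Message count per configured source, ascending, so silent sources sort first."""
    counts = {host: 0 for host in configured}
    for host, _, _ in parse_syslog(raw):
        counts[host] = counts.get(host, 0) + 1
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))


def silent_sources(raw, configured=CONFIGURED_SOURCES):
    """Configured sources that produced nothing: the first thing to check when a report is empty."""
    return [host for host, n in count_per_source(raw, configured) if n == 0]


if __name__ == "__main__":
    stats = hourly_collection_stats(SAMPLE_SYSLOG)
    for (host, hour), (n, nbytes) in sorted(stats.items()):
        print(f"{hour}  {host:6}  {n:3} msgs  {nbytes:5} bytes")
    print("peak:", peak_hour(stats))
    print("est. bytes/day:", daily_disk_estimate_bytes(stats, hours_observed=2))
    print("per source:", count_per_source(SAMPLE_SYSLOG))
    print("silent:", silent_sources(SAMPLE_SYSLOG))
```

The byte count includes the newline, because that is what the log host actually stores; the same per-line length is what a syslog collector's disk will fill with, so the hourly totals are the figure to size against.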


Standard Reports Configuration Management

The Reports module includes the following standard Configuration Management reports.

Configuration Changes by Device
Lists configuration changes, grouped by event source.

Configuration Changes by Devices
Lists the configuration changes made on the event sources.

Detailed Event Report
Contains the details of all events over a period of time.

Failed Attempts by User
Lists failed attempts made by all users.

Login and Logout
Lists events relating to logon and logoff.

Overview of Actions by Computer ID
Lists the details of all the actions performed on the clients, filtered by Computer ID. If no Computer ID is specified, the report lists the actions performed on all the clients.

Overview of Detailed Events Report
A report with details of all events over a period of time.

Top 25 Triggered Policy Rules
Displays the 25 policy rules triggered most often on the audited systems.


Standard Reports Correlated Alerts

The Reports module includes the following standard reports for correlated alerts.

Correlated Alerts Details
Lists all the alerts that caused a correlated alert.

Correlated Alerts List
Lists all correlated alerts triggered over a specific time period.

Correlated Alerts Summary
Displays the top 20 correlated alerts in descending order.


Standard Reports Correlated Multi-Device Reports

The Reports module includes the following standard reports that correlate across multiple event sources.

IDS event sources - Top 10 Source Addresses of Alarms
Displays the top 10 source addresses of intrusion detection alarms.

IDS event sources - Top 10 Alarms
Displays the top 10 alarms, by signature ID, that have been generated.

IDS event sources - Top 10 Destinations of Alarms
Displays the top 10 destination IP addresses that have been targeted for attack.

Top 10 Requested URL/FTP Destinations
Displays the top 10 URL or FTP destinations requested by internal users.

Top 20 Bandwidth Ports
Displays the 20 ports with the most bandwidth usage.

Top 20 Bandwidth Users
Displays the top 20 bandwidth users.

Top 20 Connections by Address
Displays the 20 addresses with the most connections.

Top 20 Connections by Port
Displays the 20 ports with the most connections.

Top 20 Denied Inbound by Address
Displays the top 20 foreign addresses that were denied inbound access.

Top 20 Denied Inbound by Port
Displays the 20 ports with the most denied inbound connections.

Top 20 Denied Outbound by Address
Displays the top 20 local addresses that were denied outbound access.


Standard Reports DHCP

The Reports module includes the following standard system reports for DHCP processing.

DHCP Lease Change
Lists the lease times of DHCP-assigned IP addresses.


General Access Control Reports

The Reports module includes the following standard reports for the Access Control class.

Authentication Failures
Lists the user names with authentication failures and the corresponding reason.

Authentication Success
Lists successful authentications over a specific time period.

File Server Usage Summary Report
A summary report indicating the usage of all file servers.

Historical Overview of Allowed Network Access
Displays the systems that were allowed full access to network resources over a specific time period.

Historical Overview of Blocked Network Access
Displays the systems that were denied full access to network resources over a specific time period.

Key Generations
Lists events related to security or cryptographic key generation.

Login and Logout
Lists events related to logons and logoffs.

Top 10 Users Accessing File Servers
Highlights the users performing the most read/write operations on a file system governed by a file system access control tool.

Top 20 Malicious Systems
Displays the top 20 malicious systems in the network.

Error Types Overview
Lists all generated error event types, including event type name and count, over a specific time period.

Historical Overview of Failed Logins
Lists the user names and actions that led to failed logons.


Historical Overview of Successful Login/Logout
Lists user names with successful logons or logoffs.

Informational and Configuration Messages
Lists user activity information and configuration changes.

Overview of Configuration Changes
Lists the configuration changes.

Overview of Failed Authentication Events
Details failed authentication events.

Overview of Successful Authentication Events
Details successful authentication events.

Top 10 Error Types
Lists the top 10 generated error event types, including event type name and count, over a specific time period.

Top 10 Event Type View
Lists the top 10 generated event types over a specific time period.

User Deletion Event Statistics
Displays the number of user deletion event types over a specific time period.

User Enrollment Event Statistics
Displays the number of user enrollment event types over a specific time period.


General Analysis Reports

The Reports module includes the following standard reports for the Analysis class.

List of Conversation Events
Lists conversation events over the network.

List of Network Security Events
Lists network security events, including denial of service attacks and network connection errors.

User Failed Logons
Displays logon failure events.

User Login and Logouts
Displays login and logout events.


General Antivirus Reports

The Reports module includes the following standard reports for the Antivirus class.

List of All Audit Events
Lists all audit events.

List of All System Alerts
Lists all system alerts.

Summary of Scanned Objects
Gives a brief summary of all objects scanned by the anti-virus application.

Overview of Audit Events
An overview of audit events.

Overview of System Alerts
An overview of system alerts.

Overview of Viruses Found
A detailed list of viruses found.

Top 20 Processes Generating Virus Alerts
Lists the top 20 running processes that attempted to invoke virus-infected files or processes.

Top 20 Viruses
A summary report of the top 20 viruses affecting the systems.

Virus Detection Details
Lists the details of viruses detected by the system.

List of Top 20 Viruses
A summary report of the top 20 viruses affecting the systems.

Overview of Virus Detection Details
Gives an overview of the details of viruses detected by the system.


General Application Firewall Reports

The Reports module includes the following standard reports for the General Application Firewall event sources.

Alerts by Source IP Address
Lists application firewall alerts by source IP address.

Blocked E-mails
Lists e-mails that were blocked because of a suspected virus, trojan, or worm, or by the content filter settings. Also lists e-mails that were blocked because the sender is unknown.

Clean E-mails
Lists e-mails that were successfully delivered.

E-mails Sent and Received
Lists e-mails sent and received by each user. This report also includes blocked and undelivered e-mails.

High Severity Alerts
Lists the application firewall high severity alerts.

List of All Violations
Lists all violations associated with application firewall events.

Login and Logout Activity
A detailed report of all logon and logoff events.

Overview of User Activities
Lists all commands executed by each user.

System Configuration Changes
A detailed report of all system configuration changes.


General Automatic Update Reports

The Reports module includes the following standard reports for the Automatic Update class.

Details by Package ID or Patch ID
A detailed listing of the actions executed for a given patch, by Package ID or Patch ID.

Failed Patches by Date Time
A listing of patches that failed during installation over a specific time period. Refer to autoupdatelog.log or the Automatic Update - Details by Package ID or Patch ID report for more details.

Successful Patches by Date Time
A listing of all patches successfully installed over a specific time period. Refer to autoupdatelog.log or the Automatic Update - Details by Package ID or Patch ID report for more details.


General DLP Reports

The Reports module includes the following standard reports for the general DLP event sources.

Data Leakage by Endpoint Computer
Displays the top 20 client computers where DLP incidents originate.

Data Leakage Summary
Displays the historical report of all DLP incidents detected.

Device Control Report
Displays statistics for all removable devices plugged in.

Failed Logins
Displays the historical view of failed logons.

Incidents by User Reports
Displays all DLP incidents associated with a particular user identifier.

Login/Logout
Displays the historical overview of successful logons and logoffs.

Most Frequent Policy Violations
Displays the most frequent policy violations.

Network Incidents by Protocol
Displays the number of DLP incidents by protocol.

Policy/Rule Changes
Displays the historical overview of policy or rule changes.

Regulatory Data Scan Report
Summarizes the number of files marked with DLP tags that indicate the presence of regulatory or proprietary data. This report is generated after a data scan.

Top 20 Offending File Owners
Displays the top 20 owners of files where incidents originate.


Top 20 Offending Users
Displays the top 20 logged-on users where DLP incidents originate.


General Document Reports

The Reports module includes the following standard reports for the general Document event sources.

Configuration Changes by Device
Lists configuration changes by event source.

Detailed Event Report
Details all events over a specified period of time.

Overview of Actions
Details all audit actions over a specified period of time.

Successful and Failed Authentications
Lists events relating to successful and failed authentications.


General Intrusion Reports

The Reports module includes the following standard reports for the general Intrusion event sources.

Alarm Destination Report
Displays alarms sorted by the destination IP address that generated the alarm.

Alarm Levels
A graph of the number of alarms for each alarm level.

Alarm Report
Displays alarms by signature name, sorted by alarm count and signature name.

Alarms by Hour
A graph of the number of alarms by hour for a given time period.

Alarms by Sensor
A graph of the alarm count for each sensor.

Alarms by Sensor Device
Shows the total number of alarms generated by each sensor device, sorted by total number of alarms.

Top 10 Sources of Alarms
A graph of the top 10 sources of alarms by source IP address.

Top 20 Alarms
Displays the top 20 alarms by signature ID.

Top 20 Alarms by Port
Displays the top 20 alarms by destination port.

Top 20 Destinations of Alarms
Displays the top 20 destination IP addresses that have been targeted for attack.

Top 20 Source-Destination Pairs of Alarms
Displays the 20 source-destination pairs that have generated the most alarms.


Top 20 Sources of Alarms
Displays the 20 source IP addresses that have generated the most events and alarms from the Cisco Secure IDS sensors.


General Intrusion Prevention Systems Reports

The Reports module includes the following standard reports for the general Intrusion Prevention Systems event sources.

All Attacks Classified by Attack Category
Classifies attacks by their attack category.

All Attacks Classified by Risk Types
Classifies attacks by their level of risk.

High Risk Attacks
Lists all high-risk attacks.

List of User Activity
Lists all user activity.

List of Attacks over Time
Lists all attacks over time.

Low Risk Attacks
Lists all low-risk attacks.

Medium Risk Attacks
Lists all medium-risk attacks.

Top 10 Attacked Destinations
A graph of the 10 most commonly attacked destinations.

Top 10 Attacks
A graph of the 10 most common attacks.

Top 10 Sources of Attacks
A graph of the 10 most common sources of attacks.


General Mail Server Reports

The Reports module includes the following standard reports for the Mail Server class.

Exchange Error Condition
Shows all error events.

Failed Logon Attempts to Mailboxes
Shows all failed logons to mailboxes.

Internet Traffic by E-Mail Accounts
Shows the inbound and outbound traffic for e-mail accounts.

Logons to Mailbox with Administrative Privileges
Shows successful logons to mailboxes by users who have administrator privileges on those mailboxes.

Mailboxes with the Most Logon Failures
Shows the users responsible for the greatest number of failed mailbox logons.

Non-Owner Mailbox Access
Shows users who connect to mailboxes other than those of their primary user accounts.

Successful Logons to Mailboxes
Shows successful logons to mailboxes.

Summary of Configuration Errors
Shows all configuration errors and failures.

Top 10 E-Mail Accounts Mailing Most Outside the Organization
Shows the 10 e-mail accounts responsible for the most e-mail traffic to public domains.

Top 10 E-Mail Accounts Receiving Messages
Displays the 10 e-mail accounts receiving the most messages.

Top 10 E-Mail Accounts Receiving Messages Volume
Displays the 10 e-mail accounts receiving the largest volume of messages.


Top 10 E-Mail Accounts Sending Messages
Displays the 10 e-mail accounts sending the most messages.

Top 10 E-Mail Accounts Sending Messages Volume
Displays the 10 e-mail accounts sending the largest volume of messages.

Top 10 Sender-Receiver Pairs
Displays the top 10 sender-receiver pairs.

Top 10 Sender-Receiver Pairs Within the Organization
Displays the top 10 sender-receiver pairs within the organization.

Use of Send Privileges
Shows users who used their Send As privileges.


General Mainframe Reports

The Reports module includes the following standard reports for the Mainframe class.

Denial of Access to Resources
Details all messages regarding failed or violated access events.

Overview of Audit Events
Details all security events.


General Messaging Reports

The Reports module includes the following standard reports for the general Messaging event sources.

Phone Call Summary
Summarizes all phone calls monitored by the messaging server.

PIN Messaging Summary
Summarizes all the PIN messages handled by the messaging server.

PIN Transmission Errors
Provides a summary of all the transmission errors during PIN messaging.

SMS Summary
Summarizes all SMS messages handled by the messaging server.

SMS Transmission Errors
Lists SMS messages that experienced transmission errors.


General Switches Reports

The Reports module includes the following standard reports for the general Switch event sources.

Configuration Changes
Displays all configuration changes on the Switch event sources.

Failed Logins
Displays all unsuccessful attempts to log on to the Switch event sources.

Successful Logins
Displays all successful logons to the Switch event sources.

System Error
Displays all system errors.

System Errors
Displays system errors.

Successful Login
Displays all successful logons to the Switch event sources.

Failed Login
Displays all unsuccessful attempts to log on to the Switch event sources.

Configuration Change
Displays all configuration changes on the Switch event sources.


General Virtualization Reports

The Reports module includes the following standard reports for the general Virtualization event sources.

Cluster and Resource Management
Displays cluster and resource management events.

Network Infrastructure
Displays network, host system, and service events.

Storage
Displays database create, extend, remove, and configure events.

User Groups and Permissions
Displays user, group, permission, authorization, and session events.

Virtual Machine Operations
Displays virtual machine operation events such as power on, power off, snapshot, migration, creation, cloning, and renaming.


General VPN Reports

The Reports module includes the following standard reports for the VPN class.

Failed Login Summary
Details all the failed logins by each user.

Resource Access Details
Details all attempts by remote clients to access internal resources.

Successful Login Details
Details the successful logins.

Top 20 Failed Logons
Lists the top 20 failed VPN logons.

Top 20 Successful Logons
Lists the top 20 successful VPN logons.


General Vulnerability Reports

The Reports module includes the following standard reports for the general vulnerability event sources.

Detailed Event Report
Gives the details of the scans, actions, or events performed through vulnerability event sources.

Scans Completed In the Past One Hour
Displays all the scans completed in the past hour.

Scans Started In the Past One Hour
Displays all the scans started in the past hour.


General Web Logs Reports

The Reports module includes the following standard reports for the general Web Logs event sources.

Activity by Administrative Users
Displays web browsing activity by administrative user accounts, as defined by a user-created watchlist.

Activity by Users
Displays configuration changes, policies, and rules made by user accounts, and tracks their web browsing activity.

Client Access Statistics
Displays reports of overall URL access by each client.

Historical Overview of Successful and Failed Logons
Displays successful and failed logons.

Historical Overview Of Successful URL Access
Displays URLs accessed by each host.

Historical Overview Of URL Blocked
Displays URLs blocked while users were accessing the web.

List of All User Requests
Lists all HTTP requests by users.

Number of Configuration Changes by each Configuration Module
Displays the number of configuration changes per configuration module.

Number of System/Network Errors
Lists the number of errors of each type, such as system errors, network errors, and configuration errors.

Overview of Successful URL Access
Gives an overview of successful URL access events.


Top 20 IM Source Machines
Lists the top 20 client addresses generating IM traffic. The report also includes the corresponding IM user ID.

Top 25 Client IPs by Connection Requests
Displays the 25 client IP addresses with the most successful website connections.

Top 25 Client IPs by Total Bytes
Displays the 25 client IP addresses with the largest total byte count.

Total Connections by HTTP Status Code
Queries for connection counts and groups them by HTTP success or failure code. The administrator can use this report to see, by code, how many connections were successful, redirected, or failed.

URLs Containing Archive File Types
Displays URLs containing archive file types and the corresponding client IP addresses making the connection.

URLs Containing Executable File Types
Displays URLs containing executable file types and the corresponding client IP addresses making the connection.

Virus Statistics
Details virus IDs and the corresponding sources of the viruses.
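As an added example (not the page's own text and not enVision's report engine), the following Python script runs the logic behind Total Connections by HTTP Status Code, URLs Containing Executable File Types, URLs Containing Archive File Types, and the two Top 25 Client IPs reports over a few constructed NCSA combined-format proxy log lines. The file-extension lists, the host names and the sample traffic are assumptions made for the example; the extension match is done on the URL path, so a query string such as ?v=2 does not hide the file type.

```python
import posixpath
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed NCSA combined-format proxy log lines (not real traffic).
SAMPLE_WEB_LOG = """\
10.0.0.5 - alice [12/Jan/2024:08:01:10 +0000] "GET http://intranet.example/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - alice [12/Jan/2024:08:02:11 +0000] "GET http://files.example/tools/setup.exe HTTP/1.1" 200 1048576 "-" "Mozilla/5.0"
10.0.0.9 - bob [12/Jan/2024:08:03:12 +0000] "GET http://old.example/page HTTP/1.1" 301 - "-" "Mozilla/5.0"
10.0.0.9 - bob [12/Jan/2024:08:04:13 +0000] "GET http://intranet.example/admin HTTP/1.1" 403 512 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Jan/2024:08:05:14 +0000] "GET http://cdn.example/pkg/update.zip?v=2 HTTP/1.1" 200 2097152 "-" "curl/8.0"
10.0.0.7 - - [12/Jan/2024:08:06:15 +0000] "GET http://cdn.example/missing HTTP/1.1" 404 256 "-" "curl/8.0"
10.0.0.5 - alice [12/Jan/2024:08:07:16 +0000] "GET http://intranet.example/broken HTTP/1.1" 500 128 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]+" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Extension lists are assumptions for the example; the product's own lists are not on the page.
EXECUTABLE_EXT = frozenset({".exe", ".dll", ".msi", ".scr", ".bat", ".ps1"})
ARCHIVE_EXT = frozenset({".zip", ".rar", ".7z", ".tar", ".gz", ".cab"})


def parse_web_log(text):
    """Yield one dict per well-formed line; '-' bytes (e.g. on a 301) count as 0."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
        yield rec


def status_class(code):
    """Roll a status code up into the three buckets the report shows."""
    return {2: "success", 3: "redirected"}.get(code // 100, "failed")


def connections_by_status(text):
    """(count per exact code, count per success/redirected/failed class)."""
    by_code = Counter(r["status"] for r in parse_web_log(text))
    by_class = Counter()
    for code, n in by_code.items():
        by_class[status_class(code)] += n
    return by_code, by_class


def url_extension(url):
    # Match on the path only: "update.zip?v=2" must still be seen as a .zip
    return posixpath.splitext(urlsplit(url).path)[1].lower()


def urls_with_file_types(text, extensions):
    """(client IP, URL) pairs whose URL path ends in one of the given extensions."""
    return [(r["client"], r["url"]) for r in parse_web_log(text)
            if url_extension(r["url"]) in extensions]


def top_clients_by_bytes(text, n=25):
    totals = Counter()
    for r in parse_web_log(text):
        totals[r["client"]] += r["bytes"]
    return totals.most_common(n)


def top_clients_by_successful_connections(text, n=25):
    ok = Counter(r["client"] for r in parse_web_log(text)
                 if status_class(r["status"]) == "success")
    return ok.most_common(n)


if __name__ == "__main__":
    by_code, by_class = connections_by_status(SAMPLE_WEB_LOG)
    print("by code:", dict(sorted(by_code.items())))
    print("by class:", dict(by_class))
    print("executables:", urls_with_file_types(SAMPLE_WEB_LOG, EXECUTABLE_EXT))
    print("archives:", urls_with_file_types(SAMPLE_WEB_LOG, ARCHIVE_EXT))
    print("top by bytes:", top_clients_by_bytes(SAMPLE_WEB_LOG))
    print("top by successful connections:", top_clients_by_successful_connections(SAMPLE_WEB_LOG))
```

Grouping by status class is where the three report columns come from: 2xx is a completed transfer, 3xx a redirect, and everything else (client and server errors alike) a failure. A client that shows up at the top of the failed count but not the success count is usually either a misconfigured agent or someone probing.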


General Wireless Devices Reports

The Reports module includes the following standard reports for the Wireless Device class.

Admin Operations
Enumerates all administrative events.

Authentication Succeeded/Failure
Enumerates all authentication events, successful and failed.

Rogue AP Detection
Enumerates all rogue access point detections.


Standard Reports Audit

The Reports module includes the following standard system reports for the system auditing function.

Configuration Changes by Action
Lists all the configuration changes with the specified action.
Runtime parameters - Action.

Configuration Changes by Date/Time
Lists all configuration changes made to enVision.

Configuration Changes by Object Type
Lists all configuration changes made against the specified object type.
Runtime parameters - Object Type.

Configuration Changes by User
Lists all configuration changes made by the specified user.
Runtime parameters - User ID.

Report Access Activity by Date/Time
Lists all reports that have been either e-mailed or viewed, and by whom (user names).

Report Access Activity by User
Lists all reports that the specified user has e-mailed or viewed.
Runtime parameters - User ID.

Report E-mailing Activity by Date/Time
Lists all reports that have been e-mailed, and by whom (user names).

Report E-mailing Activity by User
Lists all reports that the specified user has e-mailed.
Runtime parameters - User ID.

Report Viewing Activity by Date/Time
Lists all reports that have been viewed, and by whom (user names).


Report Viewing Activity by User
Lists all reports that the specified user has viewed.
Runtime parameters - User ID.

User Session Activity by Date/Time
Lists all the successful and failed enVision logon and logoff attempts.

User Session Activity by User
Lists all the successful and failed enVision logon and logoff attempts by the specified user.
Runtime parameters - User ID.


Standard Reports System

The Reports module includes the following standard NIC System reports.

Appliance Disk Errors
Lists all of the appliance disk errors.

Appliance Operating Environment Errors
Lists all of the appliance operating environment errors.

Failed Terminal Server Logins to the Appliance
Lists all failed terminal server logon attempts to the appliance.

Failed enVision Logins
Lists all failed attempts to log on to enVision.

Monitored Device Collection Errors
Lists all errors in the collection of data from monitored event sources.


Standard Reports Storage

The Reports module includes the following standard reports for the Storage class.

Configuration Changes by Device
Lists configuration changes, grouped by event source.

Detailed Event Report
Lists all events over a period of time.

Failed Logon Details
Lists all the failed logon attempts to the filer.

File Access Summary by User
Summarizes all the file access events by user.

Files Deleted
Lists all the files deleted and the users who initiated the deletes.

Successful Logon Details
Details all the successful logons during a chosen period.

Successful and Failed Authentications
Lists events relating to successful and failed authentications.


Compliance Reports

RSA enVision has standard compliance reports for various compliance issues:

• Basel II
• Bill 198
• Federal Information Security Management Act of 2002 (FISMA)
• Gramm-Leach-Bliley Act (GLBA)
• Good Practice Guide (GPG) 13
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• ISO 27002
• Memo 22 Reports
• North American Electric Reliability Council (NERC)
• National Industrial Security Program Operating Manual (NISPOM)
• Payment Card Industry (PCI) Data Security
• Statement on Auditing Standards (SAS) No. 70 (SAS 70)
• Sarbanes-Oxley Act of 2002

Refreshed reports are grouped by region:

International Reports:
• Basel II (Refreshed)
• ISO 27002 (Refreshed)
• Payment Card Industry (PCI) Data Security

UK Reports:
• GPG-13 (Refreshed)

US Reports:
• Bill 198 (Refreshed)
• Family Educational Rights and Privacy Act (FERPA)
• Federal Financial Institutions Examination Council (FFIEC)
• Gramm-Leach-Bliley Act (GLBA) (Refreshed)
• Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Refreshed)
• North American Electric Reliability Council (NERC) (Refreshed)
• Statement on Standards for Attestation Engagements (SSAE) No. 16 (SSAE 16)
• Sarbanes-Oxley Act of 2002 (Refreshed)

Basel II - Compliance Reports

Basel II consists of recommendations by bank supervisors and central bankers to improve the consistency of capital regulations internationally, make regulatory capital more risk sensitive, and promote enhanced risk-management practices among international banking organizations.

Computer Account Logon Activity
Lists all local and remote logon activity for all monitored Windows, HP-UX, AIX, Sun Solaris, Red Hat Linux, and Apple Mac OS X systems.

Computer Account Logon Activity - Windows Detail
Lists all logon activity for all monitored Windows domains and systems. This report is specific to monitored Windows systems, but provides a greater level of detail than the Computer Account Logon Activity report.

Computer Account Status by Account - Windows
Lists all logon activity for specific user accounts. The user accounts in question are supplied as run time parameters.

Control of Collected Evidence
Lists all changes and object-level access events to all collected evidence. This report requires that all evidence be contained within directories included in a device group called "Rules for Evidence", and that object-level auditing be enabled on these directories. On Windows that means both the Audit Object Access policy and a SACL on the directory; with either missing, the report is empty even though the files are in the device group.

Control of Collected Evidence - Windows Detail
Lists all changes and object-level access events to all collected evidence. This report requires that all evidence be contained within directories included in a device group called "Rules for Evidence", and that object-level auditing be enabled on these directories. This report is specific to monitored Windows systems, but provides a greater level of detail than the standard Control of Collected Evidence report.

Control of Human Resources Data
Lists all changes and object-level access events to the device group "HR". This report requires that all Human Resources software and data be contained within a device group, and that object-level auditing be enabled on the directories containing the Human Resources data.

Control of Human Resources Data - Windows Detail
Lists all changes and object-level access events to the device group "HR". This report requires that all Human Resources software and data be contained within a device group, and that object-level auditing be enabled on the directories containing the Human Resources data. This report is specific to monitored Windows systems, but provides a greater level of detail than the standard Control of Human Resources Data report.

Control of Operational Software
Lists all changes and object-level access events to the device group "Operational Software". This report requires that all Operational Software be contained within a device group, and that object-level auditing be enabled on the directories containing the Operational Software and data.

Control of Operational Software - Windows Detail
Lists all changes and object-level access events to the device group "Operational Software". This report requires that all Operational Software be contained within a device group, and that object-level auditing be enabled on the directories containing the Operational Software and data. This report is specific to Windows devices, but provides more detail than the standard Control of Operational Software report.

Control of System Audit Data
Lists all changes and object-level access events to the software and data used to perform system audits. This report requires that the software, source data and result data be contained within a device group, and that object-level auditing be enabled on the containing directories.

Control of System Audit Data - Windows Detail
Lists all changes and object-level access events to the software and data used to perform system audits. This report requires that the software, source data and result data be contained within a device group, and that object-level auditing be enabled on the containing directories. This report is specific to Windows devices, but provides more detail than the standard Control of System Audit Data report.

Control of System Test Data
Lists all changes and object-level access events to the systems and data used in testing Operational Software security. This report requires that all system test data be contained within a device group, and that object-level auditing be enabled on the directories containing the system test software, source data and test results.

Control of System Test Data - Windows Detail
Lists all changes and object-level access events to the systems and data used in testing Operational Software security. This report requires that all system test data be contained within a device group, and that object-level auditing be enabled on the directories containing the system test software, source data and test results.


External Contractors Report


Lists all changes and object level access Events to the device group "External Contractor
Access". This report requires that all computers, software, source data and result findings
be contained within a device group, and object level auditing be enabled on the
directories containing this data.

External Contractors Report - Windows Detail


Lists all changes and object level access Events to the device group "External Contractor
Access". This report requires that all computers, software, source data and result findings
be contained within a device group, and object level auditing be enabled on the
directories containing this data.

Financial Data Access


Lists all successful and failed access attempts for all financial data. This report requires
that all financial data be contained within a device group, and object level auditing be
enabled on the directories containing the financial data.

Financial Data Access - Windows Detail


Lists all successful and failed access attempts for all financial data. This report requires
that all financial data be contained within a device group, and object level auditing be
enabled on the directories containing the financial data.

Malicious Software Activity


Lists all malicious software activity for all monitored event sources.

Operation Change Control Report


Lists all configuration and policy changes for the Financial Operational infrastructure.

Operation Change Control Report - Windows Detail


Lists all configuration and policy changes for the Financial Operational infrastructure.
This report is restricted to only Windows devices, but delivers a greater level of detail
than the standard Operation Change Control Report.

Password Changes and Expirations


Lists all manual and automatic password change and expiration events. This includes
Windows, Sun Solaris, Red Hat Linux, HP-UX, AIX and Apple Mac OS X operating
systems.

Source Code Access


Lists all changes and object level access Events to the device group "Source Code". This
report requires that the source code for all custom software and commercial software
customization be contained within a device group, and object level auditing be enabled on
the directories containing the source code.

Source Code Access - Windows Detail


Lists all changes and object level access Events to the device group "Source Code". This
report requires that the source code for all custom software and commercial software
customization be contained within a device group, and object level auditing be enabled on
the directories containing the source code.

User Activity from External Domains - Windows


Lists all activities of non-domain authenticated users. All authenticated domains are
identified in run time parameters.


Basel II - Compliance Reports (Refreshed)


Basel II consists of recommendations by bank supervisors and central bankers to improve
the consistency of capital regulations internationally, make regulatory capital more risk
sensitive, and promote enhanced risk-management practices among international banking
organizations.
RSA has refreshed some compliance reports, and reorganized their location in the
RSAenVision UI. These refreshed reports are available in the following path:
Reports > Compliance > International > BASEL II
Note: Unless otherwise specified, these compliance reports can only be used with the
following event sources: Microsoft Windows, IBM AIX, Hewlett-Packard UNIX,
Hewlett-Packard Open VMS, Linux, and Sun Solaris.

Accounts Created
Basel II; ISO 27002 - 11.1.1, 11.2.2, 11.4.6, 11.6.1: This report displays user accounts
that have been created.

Accounts Deleted
Basel II; ISO 27002 - 11.1.1, 11.2.2, 11.4.6, 11.6.1: This report displays user accounts
that have been deleted.

Accounts Modified
Basel II; ISO 27002 - 11.1.1, 11.2.2, 11.4.6, 11.6.1: This report displays user accounts
that have been modified.

Administrative Access to Financial Systems - Detail


Basel II; ISO 27002 - 10.10.4: This report displays all successful logons.

Administrative Access to Financial Systems - Summary


Basel II; ISO 27002 - 10.10.4: This report displays a count of successful logons.

Change in Audit Settings


Note: This report can only be used with the Microsoft Windows event source.
Basel II; ISO 15408-2: This report displays all events that describe the audit settings that
were enabled or disabled by users.


Financial Data Access - Detail


Note: This report can only be used with the Microsoft Windows event source.
Basel II: This report displays logs related to files accessed by users. The file names
containing Financial data can be added in the watchlist for a filtered view.

Financial Data Access - Summary


Note: This report can only be used with the Microsoft Windows event source.
Basel II: This report displays a count of files accessed by users. The file names containing
Financial data can be added in the watchlist for a filtered view.

Group Management
Basel II; ISO 27002 - 11.1.1, 11.2.2, 11.4.6, 11.6.1: This report displays log of events
containing information on changes to user groups.

Login Failures - Detail


Basel II; ISO 27002 - 11.5.1: This report displays all logon failures.

Login Failures - Summary


Basel II; ISO 27002 - 11.5.1: This report contains a count of all logon failures.

Password Changes
Basel II: This report contains logs of the accounts with password changes.

User Access Revoked


Basel II; ISO 27002 - 11.2.1: This report lists all rights removed from a user.

User Access to Financial Systems - Detail


Basel II; ISO 27002 - 11.5.1: This report displays all successful logons.

User Access to Financial Systems - Summary


Basel II; ISO 27002 - 11.5.1: This report displays a count of successful logons.

User Account Management Bind Report


This bind report combines the following reports:
• Accounts Created
• Accounts Modified
• Accounts Deleted


Bill 198 - Compliance Reports


Bill 198 empowers the Ontario Securities Commission to develop guidelines to protect
investors in public Canadian companies by improving the accuracy and reliability of
corporate disclosures made pursuant to the securities laws.

Administrative Access to Financial Systems


Lists all log on and privileged access attempts by "administrator" or "SU" accounts.

Computer Account Logon Activity


Lists all local and remote log on activity for all monitored Windows, HP-UX, AIX Unix,
Sun Solaris, Red Hat Linux, and Apple Mac OS X systems.

Computer Account Logon Activity - Windows Detail


Lists all log on activity for all monitored Windows domains and systems. This report is
specific to monitored Windows systems, but provides a greater level of detail than the
Computer Account Logon Activity report.

Computer Account Status by Account - Windows


Lists all log on activity for specific user accounts. The user accounts in question should
be listed as run time parameters, and multiple values can be specified by listing each
value in single quotes and separating them by commas.

Control of Collected Evidence


Lists all changes and object level access Events to all collected evidence. This report
requires that all evidence be contained within directories included in a device group
called "Rules for Evidence", and that object level auditing be enabled on these
directories.

Control of Collected Evidence - Windows Detail


Lists all changes and object level access Events to all collected evidence. This report
requires that all evidence be contained within directories included in a device group
called "Rules for Evidence", and that object level auditing be enabled on these
directories. This report is specific to monitored Windows systems, but provides a greater
level of detail than the standard Control of Collected Evidence report.

Control of Human Resources Data


Lists all changes and object level access Events to the device group "HR". This report
requires that all software and Human Relations data be contained within a device group,
and object level auditing be enabled on the directories containing the Human Relations
data.


Control of Human Resources Data - Windows Detail


Lists all changes and object level access Events to the device group "HR". This report
requires that all software and Human Relations data be contained within a device group,
and object level auditing be enabled on the directories containing the Human Relations
data. This report is specific to monitored Windows systems, but provides a greater level
of detail than the standard Control of Human Resources Data report.

Control of Operational Software


Lists all changes and object level access Events to the device group "Operational
Software". This report requires that all Operational Software be contained within a
device group, and object level auditing be enabled on the directories containing the
Operational Software and data.

Control of Operational Software - Windows Detail


Lists all changes and object level access events to the device group "Operational
Software". This report requires that all Operational Software be contained within a
device group, and object level auditing be enabled on the directories containing the
Operational Software and data. This report is specific to Windows devices but provides
more detail than the standard Control of Operational Software report.

Control of System Audit Data


Lists all changes and object level access Events to the software and data used to perform
system audits. This report requires that the software, source data and result data be
contained within a device group, and object level auditing be enabled on the containing
directories.

Control of System Audit Data - Windows Detail


Lists all changes and object level access events to the software and data used to perform
system audits. This report requires that the software, source data and result data be
contained within a device group, and object level auditing be enabled on the containing
directories. This report is specific to Windows devices but provides more detail than the
standard Control of System Audit Data report.

Control of System Test Data


Lists all changes and object level access Events to the systems and data used in the
testing of Operational Software security. This report requires that all system test data be
contained within a device group, and object level auditing be enabled on the directories
containing the system test software, source data, and test results.

Control of System Test Data - Windows Detail


Lists all changes and object level access Events to the systems and data used in the
testing of Operational Software security. This report requires that all system test data be
contained within a device group, and object level auditing be enabled on the directories
containing the system test software, source data, and test results.

Disabled Accounts Report - Windows


Lists all user accounts that have been manually or automatically disabled in the requested
time period.

External Contractors Report


Lists all changes and object level access Events to the device group "External Contractor
Access". This report requires that all computers, software, source data and result findings
be contained within a device group, and object level auditing be enabled on the
directories containing this data.

External Contractors Report - Windows Detail


Lists all changes and object level access Events to the device group "External Contractor
Access". This report requires that all computers, software, source data and result findings
be contained within a device group, and object level auditing be enabled on the
directories containing this data.

Financial Data Access


Lists all successful and failed access attempts for all financial data. This report requires
that all financial data be contained within a device group, and object level auditing be
enabled on the directories containing the financial data.

Financial Data Access - Windows Detail


Lists all successful and failed access attempts for all financial data. This report requires
that all financial data be contained within a device group, and object level auditing be
enabled on the directories containing the financial data.

Login and Authorization Failures


Lists all local and remote failed log on attempts to all monitored event sources in the
"Financial System" device group. This covers Windows, Sun Solaris, Red Hat Linux, HP-UX,
Apple Mac OS X, Nokia IPSO and IBM Mainframe (SMA_RT).

Malicious Software Activity


Lists all malicious software activity for all monitored event sources.

Operation Change Control Report


Lists all configuration and policy changes for the Financial Operational infrastructure.


Operation Change Control Report - Windows Detail


Lists all configuration and policy changes for the Financial Operational infrastructure.
This report is restricted to only Windows devices, but delivers a greater level of detail
than the standard Operation Change Control Report.

Password Changes and Expirations


Lists all manual and automatic password change and expiration events. This includes
Windows, Sun Solaris, Red Hat Linux, HP-UX, AIX and Apple Mac OS X operating
systems.

Source Code Access


Lists all changes and object level access Events to the device group "Source Code". This
report requires that the source code for all custom software and commercial software
customization be contained within a device group, and object level auditing be enabled on
the directories containing the source code.

Source Code Access - Windows Detail


Lists all changes and object level access Events to the device group "Source Code". This
report requires that the source code for all custom software and commercial software
customization be contained within a device group, and object level auditing be enabled on
the directories containing the source code.

User Activity from External Domains - Windows


Lists all activities of non-domain authenticated users. All authenticated domains are
identified in run time parameters, and multiple domains can be contained within single
quotes and separated by commas.


Bill 198 - Compliance Reports (Refreshed)


Bill 198 empowers the Ontario Securities Commission to develop guidelines to protect
investors in public Canadian companies by improving the accuracy and reliability of
corporate disclosures made pursuant to the securities laws.
RSA has refreshed some compliance reports, and reorganized their location in the
RSAenVision UI. These refreshed reports are available in the following path:
Reports > Compliance > CA > Bill 198
Note: Unless otherwise specified, these compliance reports can only be used with the
following event sources: Microsoft Windows, IBM AIX, Hewlett-Packard UNIX,
Hewlett-Packard Open VMS, Linux, and Sun Solaris.

Accounts Created
Bill 198; ISO 27002 - 11.1.1, 11.2.2, 11.4.6, 11.6.1: An access control policy should be
developed and should state the access control rules and rights for all users and groups.
Both logical and physical access controls should be used. This report displays user
accounts that have been created.

Accounts Deleted
Bill 198; ISO 27002 - 11.1.1, 11.2.2, 11.4.6, 11.6.1: An access control policy should be
developed and should state the access control rules and rights for all users and groups.
Both logical and physical access controls should be used. This report displays user
accounts that have been deleted.

Accounts Modified
Bill 198; ISO 27002 - 11.1.1, 11.2.2, 11.4.6, 11.6.1: An access control policy should be
developed and should state the access control rules and rights for all users and groups.
Both logical and physical access controls should be used. This report displays user
accounts that have been modified.

Administrative Access to Financial Systems - Detail


Bill 198; ISO 27002 - 10.10.4: All activities by System Administrators and System
Operators should be logged. This report displays all successful logons.

Administrative Access to Financial Systems - Summary


Bill 198; ISO 27002 - 10.10.4: Management assessment of internal controls. All activities
by System Administrators and System Operators should be logged. This report displays a
count of successful logons.


Change in Audit Settings


Note: This report can only be used with the Microsoft Windows event source.
Bill 198; ISO 15408-2: The system should ensure that security policy enforcement
functions succeed before functions are allowed to proceed. This report displays all events
that describe the audit settings that were enabled or disabled by users.

Financial Data Access - Detail


Note: This report can only be used with the Microsoft Windows event source.
Bill 198: This report displays logs related to files accessed by users. The file names
containing Financial data can be added in the watchlist for a filtered view.

Financial Data Access - Summary


Note: This report can only be used with the Microsoft Windows event source.
Bill 198: This report displays a count of files accessed by users. The file names containing
Financial data can be added in the watchlist for a filtered view.

Group Management
Bill 198; ISO 27002 - 11.1.1, 11.2.2, 11.4.6, 11.6.1: An access control policy should be
developed and should state the access control rules and rights for all users and groups.
Both logical and physical access controls should be used. This report displays log of
events containing information on changes to user groups.

Login Failures - Detail


Bill 198; ISO 27002 - 11.5.1: All successful and unsuccessful logon attempts should be
recorded. This report displays all logon failures.

Login Failures - Summary


Bill 198; ISO 27002 - 11.5.1: All successful and unsuccessful logon attempts should be
recorded. This report contains a count of all logon failures.

Password Changes
Bill 198: This report contains logs of the accounts with password changes.

User Access Revoked


Bill 198; ISO 27002 - 11.2.1: Users who have changed jobs or left the organization should
have their access rights removed immediately. This report lists all rights removed from a
user.


User Access to Financial Systems - Detail


Bill 198; ISO 27002 - 11.5.1: All successful and unsuccessful logon attempts should be
recorded. This report displays all successful logons.

User Access to Financial Systems - Summary


Bill 198; ISO 27002 - 11.5.1: All successful and unsuccessful logon attempts should be
recorded. This report displays a count of successful logons.

User Account Management Bind Report


This bind report combines the following reports:
• Accounts Created
• Accounts Modified
• Accounts Deleted


Family Educational Rights and Privacy Act (FERPA) Compliance Reports


The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. 1232g; 34 CFR
Part 99) is a Federal law that protects the privacy of student education records. The law
applies to all schools that receive funds under an applicable program of the U.S.
Department of Education.
Note: Unless otherwise specified, these compliance reports can only be used with the
following event sources: Microsoft Windows, IBM AIX, Hewlett-Packard UNIX,
Hewlett-Packard Open VMS, Linux, and Sun Solaris.

FERPA - Access to Student Records


This report displays logs related to files accessed by users. The file names containing
Student Record data can be added in the watchlist for a filtered view.

FERPA - Accounts Created


This report contains logs of the accounts that were created.

FERPA - Accounts Deleted


This report contains logs of the accounts that were deleted.

FERPA - Accounts Modified


This report contains logs of the accounts that were modified.

FERPA - Administrative Access to FERPA Systems - Detail


This report displays all successful logons by administrators.

FERPA - Administrative Access to FERPA Systems - Summary


This report displays a count of successful logons by administrators.

FERPA - Change in Audit Settings


This report displays all events that describe the audit settings that were enabled or
disabled by users.

FERPA - Escalation of Privileges


This report displays log of events containing information on escalation of privileges of
accounts to perform administrative tasks.


FERPA - Group Management


This report displays log of events containing information on changes to user groups.

FERPA - Logon Failures - Detail


This report contains log of all logon failures.

FERPA - Logon Failures - Summary


This report contains a count of all logon failures.

FERPA - Password Changes


This report contains logs of the accounts with password changes.

FERPA - User Access Revoked


This report lists all rights removed from a user.

FERPA - User Access to FERPA Systems - Detail


This report displays all non-administrator successful logons.

FERPA - User Access to FERPA Systems - Summary


This report displays a count of non-administrator successful logons.

FERPA - User Management Bind Report


This bind report combines the following reports:
• FERPA - Accounts Created
• FERPA - Accounts Deleted
• FERPA - Accounts Modified


Federal Financial Institutions Examination Council (FFIEC) - Compliance Reports


The Federal Financial Institutions Examination Council (FFIEC) is a body of the United
States government empowered to prescribe principles, standards, and report forms for the
federal examination of financial institutions by the Board of Governors of the Federal
Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National
Credit Union Administration (NCUA), the Office of the Comptroller of the Currency
(OCC), Mergers & Acquisitions International Clearing (MAIC), and the Consumer
Financial Protection Bureau (CFPB). The following are reports in the RSAenVision
Platform that monitor your environment's compliance with these standards.
Note: Unless otherwise specified, these compliance reports can only be used with the
following event sources: Microsoft Windows, IBM AIX, Hewlett-Packard UNIX,
Hewlett-Packard Open VMS, Linux, and Sun Solaris.

FFIEC- Accounts Created


This report contains logs of the accounts that were created.

FFIEC- Accounts Deleted


This report contains logs of the accounts that were deleted.

FFIEC- Accounts Modified


This report contains logs of the accounts that were modified.

FFIEC- Administrative Access to Financial Systems - Detail


This report displays all successful logons.

FFIEC- Administrative Access to Financial Systems - Summary


This report displays a count of successful logons.

FFIEC- Encryption Failures


This report displays log of encryption failures.
Note: This report can only be used with the following event sources: Cisco PIX, Cisco
ASA, Cisco Router, and Juniper Networks NetScreen.

FFIEC- Escalation of Privileges


This report displays log of events containing information on escalation of privileges of
accounts to perform administrative tasks.


FFIEC- Failed Remote Access - Detail


This report displays logs containing failed remote access details.
Note: This report can only be used with the following event sources: Cisco PIX, Cisco
ASA, Cisco VPN3000, Citrix NetScaler, Citrix Access Gateway, Juniper SSLVPN,
and Nortel VPNContivity.

FFIEC- Failed Remote Access - Summary


This report displays a count of usernames based on the number of failed remote accesses.
Note: This report can only be used with the following event sources: Cisco PIX, Cisco
ASA, Cisco VPN3000, Citrix NetScaler, Citrix Access Gateway, Juniper SSLVPN,
and Nortel VPNContivity.

FFIEC- Firewall Configuration Changes


This report displays log of changes made to Firewall Configuration.
Note: This report can only be used with the following event sources: Cisco PIX, Cisco
ASA, and Cisco Router.

FFIEC- Logon Failures - Detail


This report contains log of all logon failures.

FFIEC- Logon Failures - Summary


This report contains a count of all logon failures.

FFIEC- Password Changes


This report contains logs of the accounts with password changes.

FFIEC- Router Configuration Changes


This report displays log of changes made to Router Configuration.

FFIEC- Successful Remote Access - Detail


This report displays logs containing successful remote access details.
Note: This report can only be used with the following event sources: Cisco PIX, Cisco
ASA, Cisco VPN3000, Citrix NetScaler, Citrix Access Gateway, Juniper SSLVPN,
and Nortel VPNContivity.


FFIEC- Successful Remote Access - Summary


This report displays a count of usernames based on the number of successful remote accesses.
Note: This report can only be used with the following event sources: Cisco PIX, Cisco
ASA, Cisco VPN3000, Citrix NetScaler, Citrix Access Gateway, Juniper SSLVPN,
and Nortel VPNContivity.

FFIEC- Successful Use of Encryption


This report displays logs which indicate successful use of encryption.
Note: This report can only be used with the following event sources: Cisco PIX, Cisco
ASA, Cisco Router, and Juniper Networks NetScreen.

FFIEC- User Access Revoked


This report lists all the rights removed from a user.

FFIEC- User Account Management Bind Report


This bind report combines the following reports:
• FFIEC- Accounts Created
• FFIEC- Accounts Deleted
• FFIEC- Accounts Modified


Federal Information Security Management Act of 2002 (FISMA) - Compliance Reports


The Federal Information Security Management Act (FISMA) is designed to ensure
appropriate security controls for government information systems.

Access Control for Portable and Mobile Devices


Details the preventative measures that are taken before mobile devices are allowed to
connect to network resources.

Access Control Policy and Procedures


Details all configuration changes made to the access control policy and associated access
controls.

Access Enforcement
Details all changes made to access control policies, for example, identity-based policies,
role-based policies, and rule-based policies, and associated access enforcement
mechanisms, for example, the access control list.

Account Management
Details all changes made to information system accounts, including establishing,
activating, modifying, reviewing, disabling, and removing accounts.

Accounts Created
NIST 800-53 AC-2: Ensure proper user identification and authentication management for
non-consumer users and administrators on all system components. This report contains
logs of the accounts that were created.

Accounts Deleted
NIST 800-53 AC-2: Ensure proper user identification and authentication management for
non-consumer users and administrators on all system components. This report contains
logs of the accounts that were deleted.

Accounts Modified
NIST 800-53 AC-2: Ensure proper user identification and authentication management for
non-consumer users and administrators on all system components. This report contains
logs of the accounts that were modified.


Change in Audit Settings


NIST 800-53 AU-9: Configure system security parameters to prevent misuse. This report
displays all events that describe the audit settings that were enabled or disabled by users.

Collaborative Computing
For Windows Server 2008, Primary fields identify the account that requested the logon,
Client fields represent the user who logged on. For Windows Server 2003 events, the user
who logged on is identified by primary fields.

Configuration Change Control


Details all configuration changes made to monitored systems.

Cryptographic Key Establishment and Management

Encryption Key Generation and Changes


NIST 800-53 SC-12: Encrypt transmission of cardholder data across open, public
networks. This report displays log of activities related to the management of
cryptographic keys.

Failed Remote Access Detail


NIST 800-53 AC-17: This report displays logs containing failed remote access details.

Failed Remote Access Summary


NIST 800-53 AC-17: This report displays a count of usernames based on the number of
failed remote accesses.

Firewall Configuration Changes


NIST 800-53 CM-3: Follow change control processes and procedures for all changes to
system components. This report displays logs of changes made to firewall configurations.

Intrusion Detection Tools and Techniques


Summarizes the top IDS signatures detected from IDS systems.

Logon Failures Count


NIST 800-53 AC-8: Invalid logical access attempts. This report contains a count of all
logon failures.


Logon Failures Details


NIST 800-53 AC-7: Invalid logical access attempts. This report contains logs of all logon
failures.

Malicious Code Protection Detail


Details all malicious code instances detected on the network.

Malicious Code Protection Summary


Summarizes malicious code signatures detected on the network.

Mobile Code
Details all uses of mobile code within the information system. This includes Java,
JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and
VBScript.

Network Disconnects

Password Changes
NIST 800-53 IA-5: Ensure proper user identification and authentication management for
non-consumer users and administrators on all system components. This report contains
logs of the accounts with password changes.

Permitted Actions Without Identification or Authentication


Summarizes all actions that can be taken without user authentication.

Personal Termination - Windows


Details all user accounts that have been manually terminated or disabled.

Personal Termination - Windows Server 2003


Details all user accounts that have been manually terminated or disabled.

Public Key Infrastructure Certificates

Remote Access Detail


Details all VPN connections, listing the duration of the connection, foreign host, and the
number of bytes.


Remote Access Summary


Summarizes all VPN connection activity by user name.

Router Configuration Changes


NIST 800-53 CM-3: Follow change control processes and procedures for all changes to
system components. This report displays the logs of changes made to router
configurations.

Session Lock - Windows


Details all session lock and unlock actions. Excessive lock and unlock actions may
indicate failure to log off systems when not in use.

Session Termination
Details all session terminations due to periods of inactivity.

Software and Information Integrity - Windows


Details all operating system and software configuration changes.

Spam and Spyware Protection Detail


Details all spam and spyware instances detected on the network.

Spyware Protection Summary


Summarizes the spyware signatures detected on the network.

Successful Remote Access Detail


NIST 800-53 AC-17: This report displays logs containing successful remote access
details.

Successful Remote Access Summary


NIST 800-53 AC-17: This report displays a count of usernames based on the number of
successful remote accesses.

Transmission Confidentiality
Details all encryption failures in transmission media configured to be encrypted.

Transmission Integrity
Details all successful encrypted transmissions.

Trusted Path


Unsuccessful Login Attempts


Details all unsuccessful log on attempts and account lockouts due to excessive failed log
ons.

Unsuccessful Login Summary


Summarizes all failed log on activity by user name.

Use Of Validated Cryptography


Lists all cryptographic operations where use of the cryptography failed or was disabled
by the user.

User Account Management Bind Report


This bind report combines the following reports:
• Accounts Created
• Accounts Deleted
• Accounts Modified

User Identification And Authentication Detail


Details all successful log on attempts to monitored systems.

User Identification And Authentication Summary


Summarizes all user account log on activity by user name and the systems they are
logging on to.

User Installed Software


Details all software that has been installed on monitored systems.


GPG-13 - Compliance Reports


Good Practice Guide 13 defines requirements for protective monitoring, for example the
use of intrusion detection and prevention systems (IDS/IPS), that local authorities must
comply with in order to prevent accidental or malicious data loss.

Security Event Logs Cleared


Details the preventative measures that are taken before mobile devices are allowed to
connect to network resources.

Firewall Privileged Command Execution


Details all configuration changes made to the access control policy and associated access
controls.

Network Configuration Changes


Details all changes made to access control policies, for example, identity-based policies,
role-based policies, and rule-based policies, and associated access enforcement
mechanisms, for example, the access control list.

Process Start/Stop - Unix


Details all changes made to information system accounts, including establishing,
activating, modifying, reviewing, disabling, and removing accounts.

Process Start/Stop - Windows


For Windows Server 2008, Primary fields identify the account that requested the logon,
Client fields represent the user who logged on. For Windows Server 2003 events, the user
who logged on is identified by primary fields.

Restarts/Shutdown - Unix
Details all configuration changes made to monitored systems.

Restarts/Shutdown - Windows
Details all configuration changes made to monitored systems.

Successful Network Transaction Details


Summarizes the top IDS signatures detected from IDS systems.

Successful Network Transaction Summary


Details all malicious code instances detected on the network.


Access to Audited Files - Unix
Summarizes malicious code signatures detected on the network.

Access to Audited Files - Windows
Details all uses of mobile code within the information system. This includes Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript.

Activity Detail Report
Summarizes all actions that can be taken without user authentication.

Activity Summary Report
Summarizes all actions that can be taken without user authentication.

Logon/Logoff - Unix
Details all user accounts that have been manually terminated or disabled.

Logon/Logoff - Windows
Details all user accounts that have been manually terminated or disabled.

User Account Changes - Unix
Details all user accounts that have been manually terminated or disabled.

User Account Changes - Windows
Details all VPN connections, listing the duration of the connection, foreign host, and the number of bytes.

User Privilege Changes - Unix
Summarizes all VPN connection activity by user name.

User Privilege Changes - Windows
Details all session lock and unlock actions. Excessive lock and unlock actions may indicate failure to log off systems when not in use.


Good Practice Guide (GPG) 13 Compliance Reports (Refreshed)
Good Practice Guide 13 defines requirements for protective monitoring, for example the use of intrusion detection and prevention systems (IDS/IPS), that local authorities must comply with in order to prevent accidental or malicious data loss.
RSA has refreshed some compliance reports, and reorganized their location in the RSA enVision UI. These refreshed reports are available in the following path:
Reports > Compliance > UK > GPG13
Note: Unless otherwise specified, these compliance reports can only be used with the following event sources: Microsoft Windows, IBM AIX, Hewlett-Packard UNIX, Hewlett-Packard OpenVMS, Linux, and Sun Solaris.

GPG13 - Access to Audited Data
PMC7: Recording of session activity by user and workstation. This report displays logs related to files accessed by users. The file names of interest can be added in the watchlist for a filtered view.
Note: This report can only be used with the Microsoft Windows event source. For the Windows security policy, you must enable Audit Object Access.
Note: You must have a watchlist that contains the paths of all the files with sensitive data.

GPG13 - Accounts Created
PMC7: Recording of session activity by user and workstation. This report contains logs of the accounts that were.

GPG13 - Accounts Deleted
PMC7: Recording of session activity by user and workstation. This report contains logs of the accounts that were.

GPG13 - Accounts Modified
PMC7: Recording of session activity by user and workstation. This report contains logs of the accounts that were.


GPG13 - Administrator Access to GPG13 Systems - Detail
PMC7: Recording of session activity by user and workstation. This report displays all successful logons.

GPG13 - Administrator Access to GPG13 Systems - Summary
PMC7: Recording of session activity by user and workstation. This report displays a count of successful logons.

GPG13 - Escalation of Privileges
PMC7: Recording of session activity by user and workstation. This report displays a log of events containing information on escalation of privileges of accounts to perform administrative tasks.

GPG13 - Failed Remote Access - Detail
PMC6: Recording relating to network connections. This report displays logs containing failed remote access details.
Note: This report can only be used with the following event sources: Cisco PIX, Cisco ASA, Cisco VPN 3000, Citrix NetScaler, Citrix Access Gateway, Juniper SSL VPN, and Nortel VPN Contivity.

GPG13 - Firewall Configuration Changes
PMC4: Recording of workstation, server or device status. This report displays a log of changes made to the firewall.
Note: This report can only be used with the following event sources: Cisco PIX and Cisco ASA.

GPG13 - Group Management
PMC7: Recording of session activity by user and workstation. This report displays a log of events containing information on changes to user groups.

GPG13 - Internal Network Traffic
PMC5: Recording relating to suspicious internal network activity. This report displays traffic on the network.
Note: This report can only be used with the following event sources: Cisco PIX and Cisco ASA.


GPG13 - Logon Failures - Detail
PMC7: Recording of session activity by user and workstation. This report contains a log of all logon failures.

GPG13 - Logon Failures - Summary
PMC7: Recording of session activity by user and workstation. This report contains a count of all logon failures.

GPG13 - Perimeter Network Traffic
PMC2: Recording relating to business traffic crossing a boundary. This report displays traffic on the network.
Note: This report can only be used with the following event sources: Cisco PIX and Cisco ASA.

GPG13 - Router Configuration Changes
PMC4: Recording of workstation, server or device status. This report displays a log of changes made to the router.
Note: This report can only be used with the Cisco Router event source.

GPG13 - Successful Remote Access - Detail
PMC6: Recording relating to network connections. This report displays logs containing successful remote access.
Note: This report can only be used with the following event sources: Cisco PIX, Cisco ASA, Cisco VPN 3000, Citrix NetScaler, Citrix Access Gateway, Juniper SSL VPN, and Nortel VPN Contivity.

GPG13 - System Clock Synchronization
PMC1: Accurate time in logs. This report displays a log of success and failure of system clock synchronization.

GPG13 - User Access to GPG13 Systems - Detail
PMC7: Recording of session activity by user and workstation. This report displays all successful logons.

GPG13 - User Access to GPG13 Systems - Summary
PMC7: Recording of session activity by user and workstation. This report displays a count of successful logons.


GPG13 - User Account Management Bind Report
This bind report combines the following reports:
• GPG13 - Accounts Created
• GPG13 - Accounts Modified
• GPG13 - Accounts Deleted


Gramm-Leach-Bliley Act (GLBA) - Compliance Reports
The Gramm-Leach-Bliley Act (GLBA) requires companies defined under the law as financial institutions to ensure the security and confidentiality of this type of information. As part of its implementation of GLBA, the Federal Trade Commission (FTC) issued the Safeguards Rule, which requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure.

Access Control Changes - Windows
Displays all successful file access attempts to file objects in the "GLBA" device group.

Access Control Summary
Summarizes all user account logon activity by user name and the systems they are logging on to.

Anti-Virus Update Procedures
Lists all update procedures for anti-virus systems.

Configuration Changes
Lists all configuration and policy changes for devices in the "GLBA" device group.

Encryption Failures
Lists all cryptographic operations where use of the cryptography failed or was disabled by the user.

Malicious Code and Spyware Detail
Details all malicious code instances detected on the network.

Malicious Code and Spyware Summary
Summarizes malicious code signatures detected on monitored devices in the "GLBA" device group.

Network Traffic Summary
Summarizes all successful network traffic between monitored systems.

Outbound Port Traffic Summary
Summarizes all outbound traffic by destination. GLBA requires that all outbound traffic be restricted to what is necessary for the business operations.


Password Change Details
Details all password change events on monitored systems in the "GLBA" device group.

Password Change Summary
Summarizes all password change events by user name and system for monitored systems in the "GLBA" device group.

Remote Access Detail
Details all VPN connections, listing the duration of the connection, foreign host, and the number of bytes.

Remote Access Summary
Summarizes all VPN connection activity by user name.

Successful Use of Encryption
Details the successful use of encryption for network data transfers.

Terminated Employee Details
Details all user ID removal events.

Workstation Lock Details
Details all session lock and unlock actions. Excessive lock and unlock actions may indicate failure to log off systems when not in use.


Gramm-Leach-Bliley Act (GLBA) - Compliance Reports (Refreshed)
The Gramm-Leach-Bliley Act (GLBA) requires companies defined under the law as financial institutions to ensure the security and confidentiality of this type of information. As part of its implementation of GLBA, the Federal Trade Commission (FTC) issued the Safeguards Rule, which requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure.
RSA has refreshed some compliance reports, and reorganized their location in the RSA enVision UI. These refreshed reports are available in the following path:
Reports > Compliance > US > GLBA

Accounts Created
Note: This report supports the Microsoft Windows event source.
GLBA 15 USC, Subchapter I, 6801 (b) (2): Financial institutions safeguards. This report contains logs of the accounts that were created.

Accounts Deleted
Note: This report supports the Microsoft Windows event source.
GLBA 15 USC, Subchapter I, 6801 (b) (2): Financial institutions safeguards. This report contains logs of the accounts that were deleted.

Accounts Modified
Note: This report supports the Microsoft Windows event source.
GLBA 15 USC, Subchapter I, 6801 (b) (2): Financial institutions safeguards. This report contains logs of the accounts that were modified.

Anti-Virus Signature Update
Note: This report supports the following event sources: CA Integrated Threat Management, Kaspersky Anti-Virus, and Symantec Endpoint Protection.
GLBA 15 USC, Subchapter I, 6801 (b) (2): Financial institutions safeguards. This report displays the logs of anti-virus signature updates.


Change in Audit Settings
Note: This report supports the Microsoft Windows event source.
GLBA 15 USC, Subchapter I, 6801 (b) (2): Financial institutions safeguards. This report displays all events that describe the audit settings that were enabled or disabled by users.

Encryption Failures
Note: This report supports the following event sources: Cisco PIX, Cisco ASA, Cisco Router, and Juniper Networks NetScreen Firewall.
GLBA 15 USC, Subchapter I, 6801 (b) (2): Financial institutions safeguards. This report displays the logs of encryption failures that have occurred.

Failed Remote Access Detail
Note: This report supports the following event sources: Cisco PIX and Cisco ASA.
GLBA 15 USC, Subchapter I, 6801 (b) (2): Financial institutions safeguards. This report displays logs containing failed remote access details.

Failed Remote Access Summary
Note: This report supports the following event sources: Cisco PIX and Cisco ASA.
GLBA 15 USC, Subchapter I, 6801 (b) (2): Financial institutions safeguards. This report displays a count of usernames based on the number of failed remote accesses.

Group Management
GLBA 15 USC, Subchapter I, 6801 (b) (2): Financial institutions safeguards. This report displays the log of events containing information on changes to user groups.
Note: This report supports the Microsoft Windows event source.

Inbound Network Traffic
Note: This report supports the following event sources: Cisco PIX and Cisco ASA.
GLBA 15 USC, Subchapter I, 6801 (b) (2): Financial institutions safeguards. This report displays inbound traffic on the network, and can be filtered to specific IP addresses based on user input.


Outbound Network Traffic
Note: This report supports the following event sources: Cisco PIX and Cisco ASA.
GLBA 15 USC, Subchapter I, 6801 (b) (2): Financial institutions safeguards. This report displays outbound traffic on the network, and can be filtered to specific IP addresses based on user input.

Password Changes Summary
Note: This report supports the following event sources: Microsoft Windows, IBM AIX, Hewlett-Packard UNIX, Linux, and Sun Solaris.
GLBA 15 USC, Subchapter I, 6801 (b) (2): Financial institutions safeguards. This report contains the count of the usernames that made password changes.

Password Changes
Note: This report supports the following event sources: Microsoft Windows, IBM AIX, Hewlett-Packard UNIX, Linux, and Sun Solaris.
GLBA 15 USC, Subchapter I, 6801 (b) (2): Financial institutions safeguards. This report contains logs of the accounts with password changes.

Successful Remote Access Detail
Note: This report supports the following event sources: Cisco PIX and Cisco ASA.
GLBA 15 USC, Subchapter I, 6801 (b) (2): Financial institutions safeguards. This report displays logs containing successful remote access details.

Successful Remote Access Summary
Note: This report supports the following event sources: Cisco PIX and Cisco ASA.
GLBA 15 USC, Subchapter I, 6801 (b) (2): Financial institutions safeguards. This report displays a count of usernames based on the number of successful remote accesses.

Successful Use of Encryption
Note: This report supports the following event sources: Cisco PIX, Cisco ASA, and Cisco Router.
GLBA 15 USC, Subchapter I, 6801 (b) (2): Financial institutions safeguards. This report displays logs which indicate successful use of encryption.

User Access Revoked
Note: This report supports the following event sources: Microsoft Windows, IBM AIX, Hewlett-Packard UNIX, Linux, and Sun Solaris.
GLBA 15 USC, Subchapter I, 6801 (b) (2): Financial institutions safeguards. This report lists all rights removed from a user.

User Accounts Management Bind Report
Note: This report supports the Microsoft Windows event source.
This bind report combines the following reports:
• Accounts Created
• Accounts Deleted
• Accounts Modified


Health Insurance Portability and Accountability Act of 1996 (HIPAA) - Compliance Reports
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates that providers, health plans, clearinghouses, and their business associates establish appropriate administrative, technical, and physical safeguards to protect the privacy and security of sensitive health information.

Access Authorization
This report lists all login events for monitored Windows, Unix, Linux and AIX computers. The HIPAA device group should be selected when running this report. Only for event ID 4624 in Microsoft Windows Server 2008, the column Primary Username identifies the user that requested the logon while the column Logon Account Name represents the user who logged on.

Access Authorization - Windows Detail
This report shows detailed information about all login events on monitored Windows computers. The HIPAA device group should be selected when running this report. Only for event ID 4624 in Microsoft Windows Server 2008, the column Primary Username identifies the user that requested the logon while the column Logon Account Name represents the user who logged on.

Access Establishment and Modification - Windows Detail
This report lists all configuration and policy changes that could result in increased access to ePHI data. The HIPAA device group should be selected when running this report.

Access Establishment and Modification - Windows Server 2003 Detail
This report lists all configuration and policy changes that could result in increased access to ePHI data. The HIPAA device group should be selected when running this report.

Alerts Under Investigation by Date and Time
This report is a listing of all alerts under investigation in the database, sorted by the time they occurred.

Alerts Under Investigation by View
This report shows all alerts under investigation that have been in a particular view. The name of the view to be reported on should be specified as a run time parameter.

Automatic Workstation Logoffs - Windows
Workstation Use requires that users log off their workstations when not in use. This report displays all Type 3 automatic logoff events, which constitute a violation of this policy.

Failed Logon Attempts to ePHI Systems
All failed login attempts to Windows devices in the HIPAA device group. Only for event ID 4625 in Microsoft Windows Server 2008, the column Primary Username identifies the user that requested the logon while the column Logon Account Name represents the user who tried to log on.

Login Attempts by Unauthorized Accounts - Windows
This report displays all failed login attempts by unauthorized accounts. Reasons for login failure include a bad username or the account being locked, disabled or expired.

Manual Workstation Logoffs - Windows
Workstation Use requires that users log off their workstations when not in use. This report displays all manual logoff events, which constitute adherence to this policy.

Password Changes and Expirations
This report lists all password changes and expirations on Windows devices in the HIPAA device group.

Password Changes and Expirations - Windows Server 2003
This report lists all password changes and expirations on Windows devices in the HIPAA device group.

Resolved Alerts by Date and Time
This report is a listing of all alerts in the database that have a status of resolved. They are sorted by the time they occurred.

Resolved Alerts by View
Workstation Use requires that users log off their workstations when not in use. This report displays all manual logoff events, which constitute adherence to this policy.

ePHI Access Report
Object-level access to all directories containing electronic Personal Health Information.

ePHI Access Report - Windows Detail
Object-level audit report for Windows directories containing electronic Personal Health Information.


ePHI Access Report by Administrative Users
This report shows all logon and privileged access attempts by "SU" or "SUDO" or Windows "Administrator" accounts. For Event ID 520 in Windows, the column Primary Username identifies the local system if the system time was changed automatically; otherwise it corresponds to the local system.


Health Insurance Portability and Accountability Act of 1996 (HIPAA) - Compliance Reports (Refreshed)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates that providers, health plans, clearinghouses, and their business associates establish appropriate administrative, technical, and physical safeguards to protect the privacy and security of sensitive health information.

Access to ePHI Data
This report displays logs related to files accessed by users. The file names containing confidential ePHI (electronic Personal Health Information) data can be added in the watchlist for a filtered view.

Accounts Created
This report shows detailed information about all HIPAA-related accounts that were created.

Accounts Deleted
This report shows detailed information about all HIPAA-related accounts that have been deleted.

Accounts Modified
This report shows detailed information about all HIPAA-related accounts that have been changed.

Administrative Access to HIPAA Systems - Detail
This report displays the details of all successful logons by administrators.

Administrative Access to HIPAA Systems - Summary
This report displays the count of all successful logons by administrators.

Change in Audit Settings
This report displays all events that contain information about audit settings that were changed (enabled or disabled) by users.

Escalation of Privileges
This report displays a log of events containing information on escalation of privileges of accounts to perform administrative tasks.

Group Management
This report displays a log of events containing information on changes to user groups.

Logon Failures - Details
This report contains the details of all logon failures.

Logon Failures - Summary
This report contains a count of all logon failures.

Password Changes
This report contains logs of the accounts that have password changes.

User Access Revoked
This report lists all rights removed from a user.

User Access to HIPAA Systems - Detail
This report displays all non-administrator successful logons.

User Access to HIPAA Systems - Summary
This report displays a count of all non-administrator successful logons.

User Management Bind Report
A binding report that consists of the Accounts Created, Accounts Deleted, and Accounts Modified reports.


ISO 27002 - Compliance Reports
ISO 27002 establishes guidelines and general principles for initiating, implementing, maintaining and improving information security management in an organization. ISO 27002 is used as the foundation and technical guideline for many international and industry compliance standards and is generally good practice for all organizations.

Computer Account Logon Activity
This report lists all local and remote logon activity for all monitored Windows, HP-UX, AIX Unix, Sun Solaris, Red Hat Linux and Apple Mac OS X systems.

Computer Account Logon Activity - Windows Detail
This report lists all logon activity for all monitored Windows domains and systems. This report is specific to monitored Windows systems, but provides a greater level of detail than the Computer Account Logon Activity report.

Computer Account Status by Account - Windows
This report lists all logon activity for specific user accounts. The user accounts in question should be listed as run time parameters.

Control of Collected Evidence
This report lists all changes and object level access events to all collected evidence. This report requires that all evidence be contained within directories included in a device group called "Rules for Evidence", and that object level auditing be enabled on these directories.

Control of Collected Evidence - Windows Detail
This report lists all changes and object level access events to all collected evidence. This report requires that all evidence be contained within directories included in a device group called "Rules for Evidence", and that object level auditing be enabled on these directories. This report is specific to monitored Windows systems, but provides a greater level of detail than the standard Control of Collected Evidence report.

Control of Human Resources Data
This report lists all changes and object level access events to the device group "HR". This report requires that all software and Human Relations data be contained within a device group, and object level auditing be enabled on the directories containing the Human Relations data.

Control of Human Resources Data - Windows Detail
This report lists all changes and object level access events to the device group "HR". This report requires that all software and Human Relations data be contained within a device group, and object level auditing be enabled on the directories containing the Human Relations data. This report is specific to monitored Windows systems, but provides a greater level of detail than the standard Control of Human Resources Data report.

Control of Operational Software
This report lists all changes and object level access events to the device group "Operational Software". This report requires that all Operational Software be contained within a device group, and object level auditing be enabled on the directories containing the Operational Software and data.

Control of Operational Software - Windows Detail
This report lists all changes and object level access events to the device group "Operational Software". This report requires that all Operational Software be contained within a device group, and object level auditing be enabled on the directories containing the Operational Software and data. This report is specific to Windows devices but provides more detail than the standard Control of Operational Software report.

Control of System Audit Data
This report lists all changes and object level access events to the software and data used to perform system audits. This report requires that the software, source data and result data be contained within a device group, and object level auditing be enabled on the containing directories.

Control of System Audit Data - Windows Detail
This report lists all changes and object level access events to the software and data used to perform system audits. This report requires that the software, source data and result data be contained within a device group, and object level auditing be enabled on the containing directories. This report is specific to Windows devices but provides more detail than the standard Control of System Audit Data report.

Control of System Test Data
This report lists all changes and object level access events to the systems and data used in the testing of Operational Software security. This report requires that all system test data be contained within a device group, and object level auditing be enabled on the directories containing the system test software, source data and test results.

Control of System Test Data - Windows Detail
This report lists all changes and object level access events to the systems and data used in the testing of Operational Software security. This report requires that all system test data be contained within a device group, and object level auditing be enabled on the directories containing the system test software, source data and test results.


External Contractors Report
This report lists all changes and object level access events to the device group "External Contractor Access". This report requires that all computers, software, source data and result findings be contained within a device group, and object level auditing be enabled on the directories containing this data.

External Contractors Report - Windows Detail
This report lists all changes and object level access events to the device group "External Contractor Access". This report requires that all computers, software, source data and result findings be contained within a device group, and object level auditing be enabled on the directories containing this data.

Malicious Software Activity
This report lists all malicious software activity for all monitored devices.

Operation Change Control Report
This report lists all configuration and policy changes for the Application System infrastructure.

Operation Change Control Report - Windows Detail
This report lists all configuration and policy changes for the Application System infrastructure. This report is restricted to only Windows devices, but delivers a greater level of detail than the standard "Operation Change Control Report."

Password Changes and Expirations
Lists all manual and automatic password change and expiration events. This includes Windows, Sun Solaris, Red Hat Linux, HP-UX, AIX and Apple Mac OS X operating systems.

Source Code Access
This report lists all changes and object level access events to the device group "Source Code."

Source Code Access - Windows Detail
This report lists all changes and object level access events to the device group "Source Code."

User Activity from External Domains - Windows
This report details all activities of non-domain authenticated users. All authenticated domains are identified in run time parameters.


ISO 27002 - Compliance Reports (Refreshed)
ISO 27002 establishes guidelines and general principles for initiating, implementing, maintaining and improving information security management in an organization. ISO 27002 is used as the foundation and technical guideline for many international and industry compliance standards and is generally good practice for all organizations.
RSA has refreshed some compliance reports, and reorganized their location in the RSA enVision UI. These refreshed reports are available in the following path:
Reports > Compliance > International > ISO 27002-2005

Accounts Created
ISO 27002:2005 11.2.1: A formal process should be in place for the granting and revoking of access to information systems. This report contains logs of the accounts that were created.

Accounts Deleted
ISO 27002:2005 11.2.1: A formal process should be in place for the granting and revoking of access to information systems. This report contains logs of the accounts that were deleted.

Accounts Modified
ISO 27002:2005 11.2.1: A formal process should be in place for the granting and revoking of access to information systems. This report contains logs of the accounts that were modified.

Anti-virus Signature Update
ISO 27002:2005 10.4.1: The software should be set up to automatically download and update signature files to ensure the protection is kept up to date. This report displays a log of anti-virus signature updates.

Change in Audit Settings
ISO 27002:2005 12.5.2; 12.5.3: When the operating system is changed, all critical applications should be tested and reviewed to ensure there are no adverse impacts on operations or security. This report displays all events that describe the audit settings that were enabled or disabled by users.

Encryption Failures
ISO 27002:2005 15.1.6: Cryptographic controls should be in compliance with all laws and regulations. This report displays a log of encryption failures that have occurred.


Encryption Key Generation and Changes


ISO 27002:2005 12.3.2: Key-management techniques should be in place. All keys should
be protected against modification, loss, destruction, and unauthorized disclosure. This
report displays log of activities related to the management of cryptographic key.

Escalation of Privileges
ISO 27002:2005 10.10.4: All activities by System Administrators and System Operators
should be logged. This report displays log of events containing information on escalation
of privileges of accounts to perform administrative tasks.

Failed Remote Access Details


ISO 27002:2005 11.7.2: Operational procedures and plans should be developed for use by
teleworking employees. This report displays logs containing failed remote access details.

Failed Remote Access Summary


ISO 27002:2005 11.7.2: Operational procedures and plans should be developed for use by
teleworking employees. This report displays a count of failed remote accesses by
username.

Firewall Configuration Changes


ISO 27002:2005 12.52;12.53: When the operating system is changed, all critical
applications should be tested and reviewed to ensure there are no adverse impacts on
operations or security. This report displays logs of changes made to the firewall
configuration.

Firmware Changes on Wireless Devices


ISO 27002:2005 12.52;12.53: When the operating system is changed, all critical
applications should be tested and reviewed to ensure there are no adverse impacts on
operations or security. This report displays logs of firmware updates on all wireless
devices.

Logon Failures Detail


ISO 27002:2005 11.5.1: All successful and unsuccessful logon attempts should be
recorded. This report contains logs of all logon failures.

Logon Failures Summary


ISO 27002:2005 11.5.1: All successful and unsuccessful logon attempts should be
recorded. This report contains a count of all logon failures.

Password Changes
ISO 27002:2005 11.3.1: Passwords should be changed on a regular basis and when there
is an indication of compromise. This report contains logs of the accounts with password
changes.

Router Configuration Changes


ISO 27002:2005 12.52;12.53: When the operating system is changed, all critical
applications should be tested and reviewed to ensure there are no adverse impacts on
operations or security. This report displays logs of changes made to the router configuration.

Successful Administrative Logons Detail


ISO 27002:2005 11.5.1: All successful and unsuccessful logon attempts should be
recorded. This report displays all successful logons.

Successful Administrative Logons Summary


ISO 27002:2005 11.5.1: All successful and unsuccessful logon attempts should be
recorded. This report displays a count of successful logons.

Successful Remote Access Detail


ISO 27002:2005 11.7.2: Operational procedures and plans should be developed for use by
teleworking employees. This report displays logs containing successful remote access
details.

Successful Remote Access Summary


ISO 27002:2005 11.7.2: Operational procedures and plans should be developed for use by
teleworking employees. This report displays a count of successful remote accesses by
username.

Successful Use of Encryption


ISO 27002:2005 15.1.6: Cryptographic controls should be in compliance with all laws and
regulations. This report displays logs which indicate successful use of encryption.

Successful User Logons Detail


ISO 27002:2005 11.5.1: All successful and unsuccessful logon attempts should be
recorded. This report displays all successful logons.

Successful User Logons Summary


ISO 27002:2005 11.5.1: All successful and unsuccessful logon attempts should be
recorded. This report displays a count of successful logons.

System Clock Synchronization


ISO 27002:2005 10.10.6: All system clocks should be automatically synchronized with an
accurate time source. This report displays logs of successful and failed system clock
synchronization.

User Access Revoked


ISO 27002:2005 11.2.1: A formal process should be in place for the granting and revoking
of access to information systems. This report lists all rights removed from a user.

User Account Management Bind Report


This bind report combines the following reports:
• Accounts Created
• Accounts Modified
• Accounts Deleted

User Session Terminated - Idle Session


ISO 27002:2005 11.5.5: Inactive sessions should be shut down after a period of time. This
report displays logs of accounts that were logged out because the session was idle.

Memo 22 Reports
Memo 22 is a risk management and accreditation standard for information systems that
applies to all UK National Infrastructure Security systems. This standard defines the major
security threats and the associated security requirements.

Access to Audited Files - Unix


Details all configuration changes made to the access control policy and associated access
controls.

Access to Audited Files - Windows


Details all changes made to access control policies, for example, identity-based policies,
role-based policies, and rule-based policies, and associated access enforcement
mechanisms, for example, the access control list.

Activity Detail Report


Details all changes made to information system accounts, including establishing,
activating, modifying, reviewing, disabling, and removing accounts.

Activity Summary Report


For Windows Server 2008, Primary fields identify the account that requested the logon,
Client fields represent the user who logged on. For Windows Server 2003 events, the user
who logged on is identified by primary fields.

Correlation Alert History


Details all configuration changes made to monitored systems.

Firewall Privileged Command Execution


Details all changes made to access control policies, for example, identity-based policies,
role-based policies, and rule-based policies, and associated access enforcement
mechanisms, for example, the access control list.

Logon/Logoff - Unix
Details all changes made to information system accounts, including establishing,
activating, modifying, reviewing, disabling, and removing accounts.

Logon/Logoff - Windows
For Windows Server 2008, Primary fields identify the account that requested the logon,
Client fields represent the user who logged on. For Windows Server 2003 events, the user
who logged on is identified by primary fields.

Network Configuration Changes


Details all configuration changes made to monitored systems.

Process Start/Stop - Unix


Details all configuration changes made to monitored systems.

Process Start/Stop - Windows


Details all changes made to access control policies, for example, identity-based policies,
role-based policies, and rule-based policies, and associated access enforcement
mechanisms, for example, the access control list.

Restarts/Shutdown - Unix
Details all changes made to information system accounts, including establishing,
activating, modifying, reviewing, disabling, and removing accounts.

Restarts/Shutdown - Windows
For Windows Server 2008, Primary fields identify the account that requested the logon,
Client fields represent the user who logged on. For Windows Server 2003 events, the user
who logged on is identified by primary fields.

Security Event Logs Cleared


Details all configuration changes made to monitored systems.

Successful Network Transaction Details


Details all changes made to access control policies, for example, identity-based policies,
role-based policies, and rule-based policies, and associated access enforcement
mechanisms, for example, the access control list.

Successful Network Transaction Summary


Details all changes made to information system accounts, including establishing,
activating, modifying, reviewing, disabling, and removing accounts.

User Account Changes - Unix


For Windows Server 2008, Primary fields identify the account that requested the logon,
Client fields represent the user who logged on. For Windows Server 2003 events, the user
who logged on is identified by primary fields.

User Account Changes - Windows


Details all configuration changes made to monitored systems.

User Privileged Changes - Unix


Details all configuration changes made to monitored systems.

User Privileged Changes - Windows


Details all changes made to access control policies, for example, identity-based policies,
role-based policies, and rule-based policies, and associated access enforcement
mechanisms, for example, the access control list.

Windows Security Events


Details all changes made to information system accounts, including establishing,
activating, modifying, reviewing, disabling, and removing accounts.

NERC CIP Reports
The Reports module includes the following North American Electric Reliability
Corporation Compliance reports.

NERC CIP 002 R3 Critical Cyber Asset Identification

Description
This report displays a list of all Critical Cyber Assets (CCA).

Output Inference
• EventTime: Date or time of the occurrence of the event as recorded by the system that generated it
• Host: Hostname of the event origination device
• Device: IP address of the event source
• ObjectType: Lists the changed object, such as a physical interface or a port

NERC CIP 003 R6 Change Configuration to Critical Cyber Assets

Description
This report displays a list of all configuration changes to Critical Cyber Assets (CCA).

Output Inference
• EventTime: Date or time of the occurrence of the event as recorded by the system that generated it
• Event Category Name
• Host: Hostname of the event origination device
• UserName: Account name
• Action: Action taken or proposed to be taken
• Category: Category of the event
• ObjectName: Name of the object
• ObjectType: Lists the changed object, such as a physical interface or a network port
• ObjectAttribute
• ChangeNewValue: New value of an attribute or object in a change event
• ChangeOldValue: Prior value of an attribute or object in a change event

NERC CIP 004 R4.2 Account Access Monitoring for Critical Cyber Assets

Description
This report displays access information from Cisco Access Control Server (ACS) to create a list of authorized user IDs.

Output Inference
• EventTime: Date or time of the occurrence of the event as recorded by the system that generated it
• SourceAddress: Source IP address of the event origination
• Version: Information about Cisco ACS
• LogonType: Type of logon
• UserID: Unique user identifier that is associated with the username

NERC CIP 005 R2.1 Denied Access to Critical Cyber Assets

Description
This report displays a list of denied access events to Critical Cyber Assets (CCA).

Output Inference
• EventTime: Date or time of the occurrence of the event as recorded by the system that generated it
• MessageID
• SourceAddress: Source IP address of the event origination
• UserName: Account name
• EventDescription: Detailed description of the event, which typically includes additional specific details that would not be captured in a separate column
• LogonType: Type of logon
• Fail Reason

NERC CIP 005 R2.2 Port Configuration Changes

Description
This report displays all network and physical port configuration changes, using data from the Cisco LAN Management Solution (LMS) device, in order to build a list of those changes.

Output Inference
• EventTime: Date or time of the occurrence of the event as recorded by the system that generated it
• IPAddress: Event source IP address
• Host: Information about Cisco LMS
• UserName: Account name
• ObjectType: Lists the changed object, such as a physical interface or a network port
• ChangeNewValue: New value of an attribute or object in a change event
• ChangeOldValue: Prior value of an attribute or object in a change event
• EventDescription: Detailed description of the event, which typically includes additional specific details that would not be captured in a separate column

NERC CIP 005 R2.4 External Access Monitoring for Critical Cyber Assets

Description
This report lists all external usernames that successfully pass authentication, using data from Cisco Access Control Server (ACS).

Output Inference
• EventTime: Date or time of the occurrence of the event as recorded by the system that generated it
• Version: Information about Cisco ACS
• IPAddress: Event source IP address
• HostID: Host identifier
• UserID: Unique user identifier that is associated with the username
• NetworkServiceName: Name of the external authentication service used
• Account name
• EventDescription: Detailed description of the event, which typically includes additional specific details that would not be captured in a separate column
• AuthenticationMethod: Any other authentication methods used by the authentication service

NERC CIP 005 R3.2 Account Access Monitoring for the Electronic Security Perimeter

Description
This report identifies both successful and failed login attempts to the Electronic Security Perimeter (ESP).

Output Inference
• EventTime: Date or time of the occurrence of the event as recorded by the system that generated it
• DeviceID
• UserID: Unique user identifier that is associated with the username
• SessionID
• Fail Reason
• EventCategoryName
• Network Device Group

NERC CIP 007 R2 Ports and Services

Description
This report displays a list of all open and close port modifications within the Critical Cyber Asset infrastructure.

Output Inference
• EventTime: Date or time of the occurrence of the event as recorded by the system that generated it
• Host: Hostname of the event origination device
• Device: Event source IP address
• Category: Category of the event
• Username: Actor in the event
• EventDescription: Detailed description of the event, which typically includes additional specific details that would not be captured in a separate column
• ObjectType: Lists the changed object, such as a physical interface or a port
• ObjectName: Name of the object
• Action: Action taken or proposed to be taken
• ChangeAttribute: Attribute for which the value was changed
• ChangeNewValue: New value of an attribute or object in a change event
• ChangeOldValue: Prior value of an attribute or object in a change event

NERC CIP 007 R5 Account Management

Description
This report tracks user account changes.

Output Inference
• EventTime: Date or time of the occurrence of the event as recorded by the system that generated it
• EventDescription: Detailed description of the event, which typically includes additional specific details that would not be captured in a separate column
• ReferenceID: ID for reference
• SourceAddress: Admin IP address
• Version: ACS version
• Username: Actor in the event
• Logon Type: Admin interface
• Information: Additional information about the event

The Reports module includes the following North American Electric Reliability
Corporation Compliance reports.

CIP - Access to Critical Cyber Asset Information


NERC CIP-003-4 R3: The Responsible Entity shall implement and document a program
to identify, classify and protect information associated with Critical Cyber Assets. This
report displays logs related to files accessed by users. The names of files containing
confidential information or cardholder data can be added to the watchlist for a filtered
view.
This report is only compatible with Microsoft Windows.

CIP - Accounts Created


NERC CIP-007-4 R5.1.1: The Responsible Entity shall ensure that user accounts are
implemented as approved by designated personnel. This report contains logs of the
accounts that were created.
This report is only compatible with Microsoft Windows, IBM AIX, Hewlett-Packard
UNIX, Hewlett-Packard Open VMS, Linux, and Sun Solaris.

CIP - Accounts Deleted


NERC CIP-007-4 R5.1.1: The Responsible Entity shall ensure that user accounts are
implemented as approved by designated personnel. This report contains logs of the
accounts that were deleted.
This report is only compatible with Microsoft Windows, IBM AIX, Hewlett-Packard
UNIX, Hewlett-Packard Open VMS, Linux, and Sun Solaris.

CIP - Accounts Modified


NERC CIP-007-4 R5.1.1: The Responsible Entity shall ensure that user accounts are
implemented as approved by designated personnel. This report contains logs of the
accounts that were modified.
This report is only compatible with Microsoft Windows, IBM AIX, Hewlett-Packard
UNIX, Hewlett-Packard Open VMS, Linux, and Sun Solaris.

CIP - Administrative Access to Critical Cyber Assets - Detail


NERC CIP-007-4 R5.1.2: The Responsible Entity shall establish methods, processes, and
procedures that generate logs of sufficient detail to create historical audit trails of
individual user account access activity. This report displays all successful logons.
This report is only compatible with Microsoft Windows, IBM AIX, Hewlett-Packard
UNIX, Hewlett-Packard Open VMS, Linux, and Sun Solaris.

CIP - Administrative Access to Critical Cyber Assets - Summary


NERC CIP-007-4 R5.1.2: The Responsible Entity shall establish methods, processes, and
procedures that generate logs of sufficient detail to create historical audit trails of
individual user account access activity. This report displays a count of successful logons.
This report is only compatible with Microsoft Windows, IBM AIX, Hewlett-Packard
UNIX, Hewlett-Packard Open VMS, Linux, and Sun Solaris.

CIP - Anti-virus Signature Update


NERC CIP-007-4 R4.2: The Responsible Entity shall document and implement a process
for the update of anti-virus and malware prevention "signatures". This report displays logs
of anti-virus signature updates.
This report is only compatible with Symantec Anti-Virus, CA Integrated Threat
Management, and Kaspersky Anti-Virus.

CIP - Escalation of Privileges


NERC CIP-004-4 R4.1: The Responsible Entity shall review the lists of its personnel...or
any change in the access rights of such personnel. This report displays log of events
containing information on escalation of privileges of accounts to perform administrative
tasks.
This report is only compatible with Microsoft Windows, IBM AIX, Hewlett-Packard
UNIX, Linux, and Sun Solaris.

CIP - Failed Remote Access Detail


NERC CIP-005-4a R3.2: Where technically feasible, the security monitoring processes
shall detect and alert for attempts at or actual unauthorized accesses. This report displays
logs containing failed remote access details.
This report is only compatible with Cisco PIX and Cisco ASA.

CIP - Failed Remote Access Summary


NERC CIP-005-4a R3.2: Where technically feasible, the security monitoring processes
shall detect and alert for attempts at or actual unauthorized accesses. This report displays
a count of failed remote accesses by username.
This report is only compatible with Cisco PIX and Cisco ASA.

CIP - Firewall Configuration Changes


NERC CIP-003-4 R6: Change Control and Configuration Management. This report
displays logs of changes made to the firewall configuration.
This report is only compatible with Cisco PIX, Cisco ASA, Cisco Router, and AirMagnet
Enterprise.

CIP - Firmware Changes on Wireless Devices


NERC CIP-003-4 R6: Change Control and Configuration Management. This report
displays logs of firmware updates on all wireless devices.
This report is only compatible with Cisco PIX, Cisco ASA, Cisco Router, and AirMagnet
Enterprise.

CIP - Group Management


NERC CIP-007-4 R5.1.1: The Responsible Entity shall ensure that user accounts are
implemented as approved by designated personnel. This report displays log of events
containing information on changes to user groups.
This report is only compatible with Microsoft Windows, IBM AIX, Hewlett-Packard
UNIX, Linux, and Sun Solaris.

CIP - Logon Failures - Detail


NERC CIP-005-4a R3.2: Where technically feasible, the security monitoring processes
shall detect and alert for attempts at or actual unauthorized accesses. This report contains
log of all logon failures.
This report is only compatible with Microsoft Windows, IBM AIX, Hewlett-Packard
UNIX, Hewlett-Packard Open VMS, Linux, and Sun Solaris.

CIP - Logon Failures - Summary


NERC CIP-005-4a R3.2: Where technically feasible, the security monitoring processes
shall detect and alert for attempts at or actual unauthorized accesses. This report contains
a count of all logon failures.
This report is only compatible with Microsoft Windows, IBM AIX, Hewlett-Packard
UNIX, Hewlett-Packard Open VMS, Linux, and Sun Solaris.

CIP - Router Configuration Changes


NERC CIP-003-4 R6: Change Control and Configuration Management. This report
displays logs of changes made to the router configuration.
This report is only compatible with Cisco PIX, Cisco ASA, Cisco Router, and AirMagnet
Enterprise.

CIP - Successful Remote Access Detail


NERC CIP-005-4a R3: Monitoring Electronic Access. This report displays logs
containing successful remote access details.
This report is only compatible with Cisco PIX and Cisco ASA.

CIP - Successful Remote Access Summary


NERC CIP-005-4a R3: Monitoring Electronic Access. This report displays a count of
successful remote accesses by username.
This report is only compatible with Cisco PIX and Cisco ASA.

CIP - User Access to Critical Cyber Assets - Detail


NERC CIP-007-4 R5.1.2: The Responsible Entity shall establish methods, processes, and
procedures that generate logs of sufficient detail to create historical audit trails of
individual user account access activity. This report displays all successful logons.
This report is only compatible with Microsoft Windows, IBM AIX, Hewlett-Packard
UNIX, Hewlett-Packard Open VMS, Linux, and Sun Solaris.

CIP - User Access to Critical Cyber Assets - Summary


NERC CIP-007-4 R5.1.2: The Responsible Entity shall establish methods, processes, and
procedures that generate logs of sufficient detail to create historical audit trails of
individual user account access activity. This report displays count of successful logons.
This report is only compatible with Microsoft Windows, IBM AIX, Hewlett-Packard
UNIX, Hewlett-Packard Open VMS, Linux, and Sun Solaris.

CIP - User Access Revoked


NERC CIP-004-4 R4.2: The Responsible Entity shall revoke such access to Critical
Cyber Assets within 24 hours for personnel terminated for cause and within seven
calendar days for personnel who no longer require such access to Critical Cyber Assets.
This report lists all rights removed from a user.
This report is only compatible with Microsoft Windows, IBM AIX, Hewlett-Packard
UNIX, Linux, and Sun Solaris.

National Industrial Security Program Operating Manual (NISPOM) - Compliance Reports
The National Industrial Security Program Operating Manual (NISPOM) developed by the
Department of Defense, sets comprehensive standards for protecting classified data. All
government agencies and commercial contractors who have access to classified data are
required to implement system protection processes to ensure continued availability and
integrity of this data, and prevent its unauthorized disclosure. These regulations apply to
systems used in the capture, creation, storage, processing or distribution of restricted
information.

Access Control List Changes


This report details changes to access control lists on monitored devices.

Configuration Management
This report details all configuration changes made to monitored systems.

Controlled Interface Requirements - Communication Summary


This report summarizes all successful network traffic between monitored systems.

Data Transmission Encryption Requirements


This report details all failed encrypted traffic events due to invalid encryption methods.

Data Transmission Encryption Summary


This report summarizes all encrypted traffic by source and destination.

Discretionary Access Control Summary


This report summarizes successful user access attempts to monitored systems.

Malicious Code Protection Detail


This report details all malicious code instances detected on the network.

Malicious Code Protection Summary


This report summarizes malicious code signatures detected on the network.

Password Change Events - Detail


This report details all password change events on monitored systems.

Password Change Events - Summary


This report summarizes all password change events by username and system.

Session Controls - Successive Logon Attempts - Windows


This report details all automatic account lockouts due to excessive logon failures.

Standard Authenticator Password Changes


This report details all password change events for standard authenticator accounts on
monitored systems.

User ID Removal
This report details all user ID removal events.

Payment Card Industry (PCI) 1.0 - Compliance Reports


The Payment Card Industry (PCI) Data Security Standard applies to all payment card
industry members, merchants, and service providers that store, process or transmit
payment cardholder data. Additionally, these security requirements apply to all "system
components" - any network component, server, or application included in, or connected
to, the cardholder data environment.

PCI - Access to All Audit Trails


This report displays all successful logins to enVision.

PCI - Administrative Privilege Escalation - Unix & Linux


This report displays all successful administrative privilege escalations on monitored Unix
and Linux systems.

PCI - All Actions by Individuals with Root or Administrative Privileges - Unix & Linux
This report displays all actions taken by users logged in as 'root'. This report should be
modified to include any additional usernames that have been granted full administrative
privileges in your environment.

PCI - All Actions by Individuals with Root or Administrative Privileges - Windows


This report displays all actions taken by users logged in as 'administrator'. This report
should be modified to include any additional usernames that have been granted full
administrative privileges in your environment.

PCI - Anti-Virus Update Procedures


This report lists all update procedures for Anti-virus systems.

PCI - Encrypted Transmission Failures


This report lists all cryptographic operations where use of the cryptography failed or was
disabled by the user.

PCI - Encryption Key Generation and Changes


This report details all generation and periodic changes of encryption keys used in the
secure storage and transfer of payment card data.

PCI - Firewall Configuration Changes


This report displays all configuration changes made to firewalls within the PCI device
group.

PCI - Inbound Network Traffic on non-standard ports - Detail


This report details all inbound Internet traffic not on ports 80, 22, 443 and 1723.

PCI - Inbound Network Traffic on non-standard ports - Summary


This report summarizes all inbound Internet traffic not on ports 80, 22, 443 and 1723 by
the destination IP address.

PCI - Individual User Accesses to Cardholder Data - Mainframes


This report displays all successful file access attempts to file objects in the "Cardholder
Data" device group.

PCI - Individual User Accesses to Cardholder Data - Windows


This report displays all successful file access attempts to file objects in the "Cardholder
Data" device group.

PCI - Initialization of Audit Logs


This report shows the initialization of audit logs in Windows, Solaris, Linux, AIX and
HP-UX operating systems.

PCI - Invalid Logical Access Attempts - ACL Denied Summary


This report displays all access attempts that have been denied due to access control list
restrictions.

PCI - Invalid Logical Access Attempts - Mainframes


This report displays all access attempts that have been denied due to access control list
restrictions.

PCI - Outbound Network Traffic - Detail


This report details all outbound traffic for a specific internal IP Address. The IP Address
in question should be entered as a run-time parameter.

PCI - Outbound Network Traffic - Summary


This report summarizes all outbound traffic by destination. PCI requires that all outbound
traffic be restricted to what is necessary for the payment card environment.

PCI - Router Configuration Changes


This report displays all configuration changes made to routers within the PCI device
group.

PCI - Traffic to Non-Standard Ports - Detail


This report details all firewall traffic on ports other than 80, 22, 443 and 1723 to the IP
address specified as a run-time parameter. This report can be modified to include the
ports not directly justified by PCI.

PCI - Traffic to Non-Standard Ports - Summary


This report summarizes all firewall traffic not on ports 80, 22, 443 and 1723 to destination
computer where the port used is not directly justified by PCI.

Payment Card Industry (PCI) 2.0 - Compliance Reports


The Payment Card Industry (PCI) Data Security Standard applies to all payment card
industry members, merchants, and service providers that store, process or transmit
payment cardholder data. Additionally, these security requirements apply to all "system
components" - any network component, server, or application included in, or connected
to, the cardholder data environment.

PCI - Access to Card holder Data


This report displays logs related to files accessed by users. The names of files containing
confidential information or cardholder data can be added to the watchlist for a filtered
view.
Note: This report can only be used with the Microsoft Windows event source. For the
Windows security policy, you must enable Audit Object Access.
Note: You must have a watchlist that contains the paths of all the files with sensitive
data.

PCI - Accounts Created


This report ensures proper user identification and authentication management for users
that are non-consumers and administrators on all system components.
Note: This report can only be used with the following event sources: Microsoft
Windows, IBM AIX, Hewlett-Packard UNIX, Hewlett-Packard Open VMS, Linux, and
Sun Solaris.

PCI - Accounts Deleted


The purpose of this report is to ensure proper user identification and authentication
management for non-consumer users and administrators on all system components. This
report contains the logs of the accounts that were deleted.
Note: This report can only be used with the following event sources: Microsoft
Windows, IBM AIX, Hewlett-Packard UNIX, Hewlett-Packard Open VMS, Linux, and
Sun Solaris.

PCI - Accounts Modified


This report ensures proper user identification and authentication management for users
that are non-consumers and administrators on all system components.
Note: This report can only be used with the following event sources: Microsoft
Windows, IBM AIX, Hewlett-Packard UNIX, Hewlett-Packard Open VMS, Linux, and
Sun Solaris.

PCI - Administrative Access to PCI Systems - Detail


This report focuses on all actions taken by any individual with root or administrative
privileges. This report displays all successful logons.

PCI - Administrative Access to PCI Systems - Summary


This report focuses on all actions taken by any individual with root or administrative
privileges. This report displays a count of all successful logons.

PCI - Anti-virus Signature Update


The purpose of this report is to ensure that all anti-virus mechanisms are updated,
actively running, and generating audit logs. This report displays the logs of anti-virus
signature updates.
Note: This report can only be used with the following event sources: Symantec Endpoint
Protection and CA Integrated Threat Management.

PCI - Change in Audit Settings


This report displays all events that describe the audit settings that were enabled or
disabled by users.
Note: This report can only be used with the Microsoft Windows event source.

PCI - Encryption Failures


The purpose of this report is to help encrypt transmission of cardholder data across open,
public networks. This report displays logs of encryption failures that occurred.
Note: This report can only be used with the following event sources: Cisco PIX,
Cisco ASA, Cisco Router, and Juniper Networks NetScreen Firewall ScreenOS.

PCI - Encryption Key Generation and Changes


The purpose of this report is to help encrypt transmission of cardholder data across open,
public networks. This report displays the log of activities related to the management of
cryptographic keys.

PCI - Escalation of Privileges


This report displays the log of events containing information on the escalation of privileges of
accounts to perform administrative tasks.
Note: This report can only be used with the following event sources: Microsoft
Windows, IBM AIX, Hewlett-Packard UNIX, Linux, and Sun Solaris.

PCI - Firewall Configuration Changes


The purpose of this report is to follow change control processes and procedures for all the
changes to system components. This report displays the logs of changes made to firewall
configuration.
Note: This report can only be used with the following event sources: Cisco PIX and
Cisco ASA.

PCI - Firmware changes on Wireless Devices


The purpose of this report is to follow change control processes and procedures for all the
changes to system components. This report displays the logs of firmware updates on all
wireless devices.
Note: This report can only be used with the AirMagnet Enterprise event source.

PCI - Group Management


This report displays the log of events containing information on changes to user groups.

PCI - Inbound Network Traffic


The purpose of this report is to restrict inbound and outbound traffic to what is necessary
for the cardholder data environment. This report displays inbound traffic on the network
and can be filtered to specific IP addresses based on user input.
Note: This report can only be used with the following event sources: Cisco PIX and
Cisco ASA.

PCI - Logon Failures Count


The purpose of this report is to monitor invalid logical access attempts. This report
contains a count of all logon failures.
Note: This report can only be used with the following event sources: Microsoft
Windows, IBM AIX, Hewlett-Packard UNIX, Hewlett-Packard Open VMS, Linux, and
Sun Solaris.

PCI - Logon Failures


The purpose of this report is to monitor invalid logical access attempts. This report
contains the logs of all logon failures.
Note: This report can only be used with the following event sources: Microsoft
Windows, IBM AIX, Hewlett-Packard UNIX, Hewlett-Packard Open VMS, Linux, and
Sun Solaris.

PCI - Outbound Network Traffic


The purpose of this report is to restrict inbound and outbound traffic to what is necessary
for the cardholder data environment. This report displays outbound traffic on the network
and can be filtered to specific IP addresses based on user input.
Note: This report can only be used with the following event sources: Cisco PIX
and Cisco ASA.

PCI - Password Changes


The purpose of this report is to ensure proper user identification and authentication
management for non-consumer users and administrators on all system components. This
report contains logs of the accounts with password changes.
Note: This report can only be used with the following event sources: Microsoft
Windows, IBM AIX, Hewlett-Packard UNIX, Linux, and Sun Solaris.

PCI - Router Configuration Changes


This report displays the logs of changes made to router configuration.
Note: This report can only be used with the Cisco Router event source.

PCI - System Clock Synchronization


The purpose of this report is to help use time-synchronization technology, synchronize all
critical system clocks and times, and ensure that it is implemented for acquiring,
distributing, and storing time. This report displays the logs of success and failure of
system clock synchronization.
Note: This report can only be used with the following event sources: Microsoft
Windows, IBM AIX, Hewlett-Packard UNIX, and Sun Solaris.

PCI - User Access Revoked


This report lists all the rights removed from a user.
Note: This report can only be used with the following event sources: Microsoft
Windows, IBM AIX, Hewlett-Packard UNIX, Linux, and Sun Solaris.

PCI - User Access to PCI Systems - Detail


The purpose of this report is to verify that all individual access to cardholder data is
logged. This report displays all successful logons.
Note: This report can only be used with the following event sources: IBM AIX,
Hewlett-Packard UNIX, Linux, and Sun Solaris.

PCI - User Account Management Bind Report


This bind report combines the following reports:
• PCI - Accounts Created
• PCI - Accounts Modified
• PCI - Accounts Deleted

PCI - User Session Terminated - Idle Session


This report displays the logs of accounts that were logged out due to the session being
idle.
Note: This report can only be used with the following event sources: IBM AIX,
Hewlett-Packard UNIX, Linux, and Sun Solaris.

SAS70 - Compliance Reports


The American Institute of Certified Public Accountants developed the Statement on
Auditing Standards (SAS) No. 70. Organizations that successfully complete a SAS 70
audit have been through an in-depth audit of their control activities, including controls
over IT and related processes. SAS 70 allows a company to provide a third-party
certification of its internal controls to customers.
SAS 70 data centers have to maintain prescribed levels of data security and redundancy,
as well as personnel controls. These requirements include reporting on the following:
• Firewall configuration and access
• Database access
• Data transmissions
• Data backup and recovery
• Application security
• Product development

In addition, data center staff cannot access servers or data without a specific procedure.
All access and activity is logged and all physical access is highly controlled.

SAS 70 - Host & Application - Privilege & Configuration Changes


Details all configuration and privilege changes made to SAS 70 relevant operating
systems and applications.

SAS 70 - Network & Security - Configuration Changes


Details all configuration changes made on SAS 70 relevant network and security
infrastructure.

SAS 70 - Network Bandwidth Utilization


Summarizes network bandwidth utilization through SAS 70 relevant network devices.

SAS 70 - Report Review Audit


Details the audit review actions of users within RSA enVision.

SAS 70 - Windows Software Installations


Details all software installations on SAS 70 relevant Windows operating systems.

SAS 70 - Windows System Updates - Operating System Update Applications


Details Operating System patch and update applications for SAS 70 monitored Windows
systems.

Statement on Standards for Attestation Engagements No. 16 (SSAE 16)


Statement on Standards for Attestation Engagements (SSAE 16) is an attestation
standard issued by the Auditing Standards Board (ASB) of the American Institute of
Certified Public Accountants (AICPA) specifically geared towards addressing
engagements conducted by service organizations to report on the design of controls and
their operating effectiveness.
These refreshed reports are available in the following path in the RSA enVision platform:
Reports > Compliance > US > SSAE16
Note: These compliance reports can only be used with the following event
sources: Microsoft Windows, IBM AIX, Hewlett-Packard UNIX, Hewlett-Packard Open
VMS, Linux, and Sun Solaris.

SSAE16 - Accounts Created


An access control policy should be developed and should state the access control rules
and rights for all users and groups. Both logical and physical access controls should be
used. This report displays user accounts that have been created.

SSAE16 - Accounts Deleted


An access control policy should be developed and should state the access control rules
and rights for all users and groups. Both logical and physical access controls should be
used. This report displays user accounts that have been deleted.

SSAE16 - Accounts Modified


An access control policy should be developed and should state the access control rules
and rights for all users and groups. Both logical and physical access controls should be
used. This report displays user accounts that have been modified.

SSAE16 - Administrative Access to Financial Systems - Detail


All activities by System Administrators and System Operators should be logged. This
report displays all successful logons, and ensures that administrators are in the
administrative accounts watchlist.

SSAE16 - Administrative Access to Financial Systems - Summary


All activities by System Administrators and System Operators should be logged. This
report displays a count of successful logons, and ensures that administrators are in the
administrative accounts watchlist.

SSAE16 - Change in Audit Settings


The system should ensure that security policy enforcement functions succeed before
functions are allowed to proceed. This report displays all events that describe the audit
settings that were enabled or disabled by users.
Note: This report can only be used with the Microsoft Windows event source.

SSAE16 - Financial Data Access - Detail


This report displays logs related to files accessed by users. The file names containing
financial data can be added in the watchlist for a filtered view.
Note: You must create a watchlist with administrative accounts for this report.

SSAE16 - Financial Data Access - Summary


This report displays logs related to files accessed by users. The file names containing
financial data can be added in the watchlist for a filtered view.
Note: You must create a watchlist with administrative accounts for this report.

SSAE16 - Group Management


An access control policy should be developed and should state the access control rules
and rights for all users and groups. Both logical and physical access controls should be
used. This report displays the logs of events containing information on changes to user
groups.

SSAE16 - Logon Failures Count


All successful and unsuccessful logon attempts should be recorded. This report contains a
count of all logon failures.

SSAE16 - Logon Failures


All successful and unsuccessful logon attempts should be recorded. This report contains a
count of all logon failures.

SSAE16 - Password Changes


This report contains logs of the accounts with password changes.

SSAE16 - User Access Revoked


Users who have changed jobs or left the organization have their access rights removed
immediately. This report lists all rights removed from a user.

SSAE16 - User Access to Financial Systems - Detail


All successful and unsuccessful logon attempts should be recorded. This report displays
all successful logons, and ensures that a user is not in the administrative accounts
watchlist.

SSAE16 - User Access to Financial Systems - Summary


All successful and unsuccessful logon attempts should be recorded. This report displays
all successful logons, and ensures that a user is not in the administrative accounts
watchlist.

SSAE16 - User Account Management Bind Report


This bind report combines the following reports:
• SSAE16 - Accounts Created
• SSAE16 - Accounts Modified
• SSAE16 - Accounts Deleted

Sarbanes-Oxley Compliance Reports


Sarbanes-Oxley Act of 2002 (SOX). Congress passed the Sarbanes-Oxley Act (SOX) in
large part to protect investors by improving the accuracy and reliability of corporate
disclosures made pursuant to the securities laws.
Section 404 of Sarbanes-Oxley not only requires companies to establish and maintain an
adequate internal control structure, but also to assess its effectiveness on an annual basis.

Sarbanes Oxley - Administrative Access to Financial Systems


Sarbanes Oxley sec 302 (a)(4)(C) & (D)
Shows all log on and privileged access attempts by administrator or super-user accounts.

Sarbanes Oxley - Computer Account Logon Activity


ISO 17799 Section A.9.5.2; Sarbanes Oxley sec 306 (a)(4) & (D)
Lists all local and remote logon activity for all monitored Windows, HP-UX, AIX Unix,
Sun Solaris, Red Hat Linux and Apple Mac OS X systems.

Sarbanes Oxley - Computer Account Logon Activity - Windows Detail


ISO 17799 Section A.9.5.2; Sarbanes Oxley sec 306 (a)(4) & (D)
Lists all log on activity for all monitored domains and systems. This report is specific to
monitored Windows systems, but provides a greater level of detail than the Computer
Account Logon Activity report.

Sarbanes Oxley - Computer Account Status by Account - Windows


ISO 17799 Section A.9.5.3; Sarbanes Oxley sec 306 (a)(4) & (D)
Lists all log on activity for specific user accounts. The user accounts in question should
be listed as run time parameters, and multiple values can be specified by listing each
value in single quotes and separating them by commas.

Sarbanes Oxley - Control of Collected Evidence


ISO 17799 Section A.12.1.7.1
Lists all changes and object level access events to all collected evidence. This report
requires that all evidence be contained within directories included in a device group
called Rules for Evidence, and that object level auditing be enabled on these directories.

Sarbanes Oxley - Control of Collected Evidence - Windows Detail


ISO 17799 Section A.12.1.7.1
Lists all changes and object level access events to all collected evidence. This report
requires that all evidence be contained within directories included in a device group
called "Rules for Evidence", and that object level auditing be enabled on these
directories. This report is specific to monitored Windows systems, but provides a greater
level of detail than the standard Control of Collected Evidence report.

Sarbanes Oxley - Control of Human Resources Data


ISO 17799 Section A.12.1.3
Lists all changes and object level access events to the device group HR. This report
requires that all software and Human Relations data be contained within a device group,
and object level auditing be enabled on the directories containing the Human Relations
data.

Sarbanes Oxley - Control of Human Resources Data - Windows Detail


ISO 17799 Section A.12.1.3
This report is specific to monitored Windows systems, but provides a greater level of
detail than the standard Control of Human Resources Data report.

Sarbanes Oxley - Control of Operational Software


ISO 17799 Section A.10.4.1
Lists all changes and object level access events to the device group Operational
Software. This report requires that all Operational Software be contained within a device
group, and object level auditing be enabled on the directories containing the Operational
Software and data.

Sarbanes Oxley - Control of Operational Software - Windows Detail


ISO 17799 Section A.10.4.1
This report is specific to Windows devices but provides more detail than the standard
Control of Operational Software report.

Sarbanes Oxley - Control of System Audit Data


ISO 17799 Section A.12.3.2
Lists all changes and object level access events to the software and data used to perform
system audits. This report requires that the software, source data and result data be
contained within a device group, and object level auditing be enabled on the containing
directories.

Sarbanes Oxley - Control of System Audit Data - Windows Detail


ISO 17799 Section A.12.3.2
This report is specific to Windows devices but provides more detail than the standard
Control of System Audit Data report.

Sarbanes Oxley - Control of System Test Data


ISO 17799 Section A.10.4.2
Lists all changes and object level access events to the systems and data used in the
testing of Operational Software security. This report requires that all system test data be
contained within a device group, and object level auditing be enabled on the directories
containing the system test software, source data and test results.

Sarbanes Oxley - Control of System Test Data - Windows Detail


ISO 17799 Section A.10.4.2
This report is specific to Windows devices but provides more detail than the standard
Control of System Test Data report.

Sarbanes Oxley - Disabled Accounts Report - Windows


Sarbanes Oxley sec 308 (a)(4)(C) & (D)
Lists all user accounts that have been manually or automatically disabled in the requested
time period.

Sarbanes Oxley - External Contractors Report


ISO 17799 Section A.8.1.6
Lists all changes and object level access events to the device group External
Contractor Access. This report requires that all computers, software, source data and
result findings be contained within a device group, and object level auditing be enabled on
the directories containing this data.

Sarbanes Oxley - External Contractors Report - Windows Detail


ISO 17799 Section A.8.1.6
This report is specific to Windows devices but provides more detail than the standard
External Contractors Report.

Sarbanes Oxley - Financial Data Access


ISO 17799 Section A.12.1.4
Lists all successful and failed access attempts for all financial data. This report requires
that all financial data be contained within a device group, and object level auditing be
enabled on the directories containing the financial data.

Sarbanes Oxley - Financial Data Access - Windows Detail


ISO 17799 Section A.12.1.4
This report is specific to Windows devices but provides more detail than the standard
Financial Data Access report.

Sarbanes Oxley - Login and Authorization Failures


Sarbanes Oxley Section 304 (a)(4)(C) & (D)
Lists all local and remote failed log on attempts to all monitored devices in the Financial
System device group. This covers Windows, Sun Solaris, Red Hat Linux, HP-UX, Apple
Mac OS X, Nokia IPSO and IBM Mainframe (SMA_RT).

Sarbanes Oxley - Malicious Software Activity


ISO 17799 Section A.8.3
Lists all malicious software activity for all monitored devices.

Sarbanes Oxley - Operation Change Control Report


ISO 17799 Section A.8.1.2
Lists all configuration and policy changes for the Financial Operational infrastructure.

Sarbanes Oxley - Operation Change Control Report - Windows Detail


ISO 17799 Section A.8.1.2
This report is specific to Windows devices but provides more detail than the standard
Operation Change Control report.

Sarbanes Oxley - Password Changes and Expirations


ISO 17799 Section A.9.2.3
Lists all manual and automatic password change and expiration events. This covers
Windows, Sun Solaris, Red Hat Linux, HP-UX, AIX and Apple Mac OS X operating
systems.

Sarbanes Oxley - Source Code Access


ISO 17799 sec. A.10.4.3
Lists all changes and object level access events to the device group Source Code. This
report requires that the source code for all custom software and commercial software
customization be contained within a device group, and object level auditing be enabled on
the directories containing the source code.

Sarbanes Oxley - Source Code Access - Windows Detail


ISO 17799 sec. A.10.4.3
This report is specific to Windows devices but provides more detail than the standard
Source Code Access report.

Sarbanes Oxley - User Activity from External Domains - Windows


ISO 17799 Section A.9.4.3
Details all activities of non-domain authenticated users. All authenticated domains are
identified in run time parameters, and multiple domains can be contained within single
quotes and separated by commas.

Sarbanes-Oxley Compliance Reports (Refreshed)


Sarbanes-Oxley Act of 2002 (SOX). Congress passed the Sarbanes-Oxley Act (SOX) in
large part to protect investors by improving the accuracy and reliability of corporate
disclosures made pursuant to the securities laws.
Section 404 of Sarbanes-Oxley not only requires companies to establish and maintain an
adequate internal control structure, but also to assess its effectiveness on an annual basis.
RSA has refreshed some compliance reports, and reorganized their location in the
RSA enVision UI. These refreshed reports are available in the following path:
Reports > Compliance > US > Sarbanes-Oxley
Note: These compliance reports can only be used with the following event
sources: Microsoft Windows, IBM AIX, Hewlett-Packard UNIX, Hewlett-Packard Open
VMS, Linux, and Sun Solaris.

Sarbanes Oxley - Accounts Created


SOX 404; ISO27002 - 11.1.1, 11.2.2, 11.4.6, 11.6.1: Management assessment of internal
controls. An access control policy should be developed and should state the access
control rules and rights for all users and groups. Both logical and physical access controls
should be used.
This report displays user accounts that have been created.

Sarbanes Oxley - Accounts Deleted


SOX 404; ISO27002 - 11.1.1, 11.2.2, 11.4.6, 11.6.1: Management assessment of internal
controls. An access control policy should be developed and should state the access
control rules and rights for all users and groups. Both logical and physical access controls
should be used.
This report displays user accounts that have been deleted.

Sarbanes Oxley - Accounts Modified


SOX 404; ISO27002 - 11.1.1, 11.2.2, 11.4.6, 11.6.1: Management assessment of internal
controls. An access control policy should be developed and should state the access
control rules and rights for all users and groups. Both logical and physical access controls
should be used.
This report displays user accounts that have been modified.

Sarbanes Oxley - Administrative Access to Financial Systems - Detail


SOX 404; ISO27002 - 10.10.4: Management assessment of internal controls. All
activities by System Administrators and System Operators should be logged.
This report displays all successful logons, and ensures that administrators are in the
administrative accounts watchlist.

Sarbanes Oxley - Administrative Access to Financial Systems - Summary


SOX 404; ISO27002 - 10.10.4: Management assessment of internal controls. All
activities by System Administrators and System Operators should be logged.
This report displays a count of successful logons, and ensures that administrators are in
the administrative accounts watchlist.

Sarbanes Oxley - Change in Audit Settings


SOX 404; ISO15408-2: Management assessment of internal controls. The system should
ensure that security policy enforcement functions succeed before functions are allowed to
proceed.
This report displays all events that describe the audit settings that were enabled or
disabled by users.
Note: This report can only be used with the Microsoft Windows event source.

Sarbanes Oxley - Financial Data Access - Detail


SOX 404: Management assessment of internal controls.
This report displays logs related to files accessed by users. The file names containing
financial data can be added in the watchlist for a filtered view.
Note: You must create a watchlist with administrative accounts for this report.

Sarbanes Oxley - Financial Data Access - Summary


SOX 404: Management assessment of internal controls.
This report displays logs related to files accessed by users. The file names containing
financial data can be added in the watchlist for a filtered view.
Note: You must create a watchlist with administrative accounts for this report.

Sarbanes Oxley - Group Management


SOX 404; ISO27002 - 11.1.1, 11.2.2, 11.4.6, 11.6.1: Management assessment of internal
controls. An access control policy should be developed and should state the access
control rules and rights for all users and groups. Both logical and physical access controls
should be used.
This report displays the logs of events containing information on changes to user groups.

Sarbanes Oxley - Logon Failures Count


SOX 404; ISO27002 - 11.5.1: Management assessment of internal controls. All
successful and unsuccessful logon attempts should be recorded.
This report contains a count of all logon failures.

Sarbanes Oxley - Logon Failures


SOX 404; ISO27002 - 11.5.1: Management assessment of internal controls. All
successful and unsuccessful logon attempts should be recorded.
This report contains a count of all logon failures.

Sarbanes Oxley - Password Changes


SOX 404: Management assessment of internal controls.
This report contains logs of the accounts with password changes.

Sarbanes Oxley - User Access Revoked


SOX 404; ISO27002 - 11.2.1: Management assessment of internal controls. Users who
have changed jobs or left the organization have their access rights removed immediately.
This report lists all rights removed from a user.

Sarbanes Oxley - User Access to Financial Systems - Detail


SOX 404; ISO27002 - 11.5.1: Management assessment of internal controls. All
successful and unsuccessful logon attempts should be recorded.
This report displays all successful logons, and ensures that a user is not in the
administrative accounts watchlist.

Sarbanes Oxley - User Access to Financial Systems - Summary


SOX 404; ISO27002 - 11.5.1: Management assessment of internal controls. All
successful and unsuccessful logon attempts should be recorded.
This report displays all successful logons, and ensures that a user is not in the
administrative accounts watchlist.

Sarbanes Oxley - User Account Management Bind Report


This bind report combines the following reports:
• Sarbanes Oxley - Accounts Created
• Sarbanes Oxley - Accounts Modified
• Sarbanes Oxley - Accounts Deleted

Event Source Reports


RSA enVision includes reports that focus on specific event sources, for example Cisco
PIX. These are sometimes referred to as "device-specific" reports.

ActivIdentity AAA Server Standard Reports


The Reports module includes the following standard reports for the ActivIdentity AAA
Server event source.

Accepted Authentications
Lists all accepted user authentications.

Accounting Attributes
Lists the attribute set from the user account profile.

Privileged Operations
Lists the operational changes in the administrative audit log.

Rejected Authentications
Lists all rejected user authentications.

Alcatel-Lucent OmniSwitch Standard Reports


The Reports module includes the following standard reports for the Alcatel-Lucent
OmniSwitch.

DOS Attacks
Gives a report of DOS attacks on the system with source IP information.

Failed Authentications
Gives a report of failed authentications.

Successful Authentications
Gives a report of all successful authentications for various remote connections like SSH,
TELNET, FTP, etc.

Apache HTTP Server Standard Reports


The Reports module includes the following standard reports for the Apache HTTP
Server.

Top 20 Client IP Addresses by Connection Requests


Displays the 20 client IP addresses that had the most successful web site connections.

Total Bytes by Apache Device Address


Displays total bytes passed by Apache event source address.

Total Bytes by Client IP Address


Displays total bytes passed by client address.

Apple Mac OS X Standard Reports


The Reports module includes the following standard reports for the Apple Mac OS X
event source.

Failed Authentication Attempts


Displays the failed authentication or privilege switch attempts.

Failed Authentications by Device


Displays the failed authentication attempts for each monitored event source by date and
time.

Failed Super User Attempts


Displays the failed attempts to use the switch user command and the user name
associated with each attempt.

Successful Authentication Attempts


Displays the successful authentication or privilege switch attempts.

Successful Connections
Displays the successful connection information.

Successful Super User Attempts


Displays the successful attempts to use the switch user command to root and the user
name associated with each attempt.

User Action Audit by Username


Lists all user actions linked to their usernames. Enter a username between percent signs,
then run the report.

Application Security DbProtect Standard Reports


The Reports module includes the following standard reports for the Application Security
DbProtect event source.

Count of Alerts vs. Alert Type


Lists counts of alerts against the rule title recognized by DbProtect under the Audit and
Threat Management Console in a tabular report.

Enumerate Debug Alerts


Lists all debug alerts reported by various database servers to DbProtect under the Audit
and Threat Management Console.

Enumerate Important Alerts


Lists all important alerts reported by various database servers to DbProtect under the
Audit and Threat Management Console.

Penetration Test Scan Results


Lists scan results from all penetration tests.

Arbor Peakflow SP Standard Reports


The Reports module includes the following standard reports for the Arbor Peakflow SP
event source.

Historical Overview of All Alerts


Lists all alert scripts that have been executed.

Historical Overview of All Executed Mitigations


Displays detailed information for all executed mitigations.

Historical Overview of DoS Messages by Router Interface


Details all DoS messages reported by Arbor Peakflow SP by router interface.

Hourly Rate of All DoS Messages


Displays the number of DoS messages by hour.

Overview of All TMS Generated Traps Messages


Details all messages generated by TMS traps on a TMS appliance.

Arbor Networks Peakflow X Standard Reports


The Reports module includes the following standard reports for the Arbor Networks
Peakflow X event source.

Detailed Alert
Lists detailed information for the last 100 alerts generated.

Events by Hour
Displays the number of events by hour for a given time period.

Top 10 Destinations
Displays the top 10 destinations of events detected.

Top 10 Sources
Displays the top 10 sources of events detected.

Top 10 Events
Displays the top 10 events detected.

Blue Coat Systems ELFF Standard Reports


The Reports module includes the following standard reports for the Blue Coat Systems
SGOS event source.

Top 100 Requested Domains


Displays the top 100 requested domains for the given time period.

Top 100 Requested URL


Displays the top 100 requested URL strings for the given time period.

Top 20 Categories
Displays the top 20 categories.

Top 20 Categories Graph


Displays the top 20 denied categories.

Top 20 Clients by Connection Request


Displays the top 20 client addresses that made the most connection requests for a
specified time period.

Top 20 Denied Categories


Displays the top 20 denied categories.

Top 20 Denied Categories Graph


Displays the top 20 denied categories.

Top 20 Domains by Connection Counts


Displays the top 20 domains that were accessed via all monitored devices.

Top 20 Observed Categories


Displays the top 20 observed categories.

Top 20 Observed Categories Graph


Displays the top 20 observed categories.

Top 20 Root Domains by Connection Counts


Displays the top 20 domains that were accessed via all monitored devices.

Top 20 Users - Denied Categories


Displays the top 20 user names of denied categories.

Top 25 Client IPs by Total Bytes


Displays the top 25 client IP addresses with the most total bytes.

Total Bytes Passed by Hour


Represents the total sent and received bytes and displays a histogram of the traffic
pattern over the selected time period.

Total Bytes Received by Client Device


Displays the total bytes received grouped by client device.

Total Bytes Received by Top 25 Cache Devices


Displays the 25 client IP addresses that received the most total bytes.

Total Bytes Sent by Top 25 Cache Devices


Displays the total bytes sent grouped by cache device.

Total Bytes Sent by Client Device


Displays the total bytes sent grouped by client device.

Total Bytes by Domain


Displays the total bytes for each connection, sorted by domain.

Total Bytes by Top 100 Cache Devices


Displays the total bytes passed, grouped by the cache device address.

Total Bytes by Top 100 Client IP Addresses


Queries for total bytes passed and displays the data grouped by client IPaddress.

Total Connection Requests by Hour


Displays the number of connection requests grouped by hour of day.

Total Connections by HTTP Status Code


Queries for connection counts and groups them by HTTPsuccess/failure code. This
grouping allows the administrator to see by code how many connections were successful,
redirected, failed, etc.

Blue Coat Systems CacheOS and SGOS Standard Reports

The Reports module includes the following standard reports for the Blue Coat Systems CacheOS and Blue Coat Systems SGOS event sources.

Top 100 Requested URL
Displays the top 100 requested URL strings for a given time period.

Top 20 Clients by Connection Request
Displays the 20 client addresses that made the most connection requests for a specified time period.

Top 20 Domains by Connection Counts
Displays the top 20 domains that were accessed through all monitored event sources.

Top 20 Root Domains by Connection Counts
Displays the top 20 root domains that were accessed through all monitored event sources.

Top 25 Client IPs by Total Bytes
Displays the 25 client IP addresses with the most total bytes.

Total Bytes Passed by Hour
Represents the total sent and received bytes and displays a histogram of the traffic pattern over the selected time period.

Total Bytes Received by Client Device
Displays the total bytes received grouped by client event source.

Total Bytes Received by Top 25 Cache Devices
Displays the total bytes received grouped by the top 25 cache event sources.

Total Bytes Sent by Client Device
Displays the total bytes sent grouped by client event source.

Total Bytes Sent by Top 25 Cache Devices
Displays the total bytes sent grouped by the top 25 cache event sources.

Total Bytes by Domain
Represents the total bytes for each connection and displays the data sorted by domain.

Total Bytes by Top 100 Cache Devices
Queries for total bytes passed and displays the data grouped by cache event source address.

Total Bytes by Top 100 Client IP Addresses
Queries for total bytes passed and displays the data grouped by client IP address.

Total Connections by HTTP Status Code
Queries for connection counts and groups the data by HTTP success or failure code. Administrators can use this report to determine, by code, how many connections were successful, redirected, failed, and so on.

Total Connection Requests by Hour
Displays the number of connection requests grouped by hour of day.

Check Point IPSO Standard Reports

The Reports module includes the following standard reports for the Check Point IPSO event source.

Failed Authentication Attempts Foreign Address
Displays the total number of failed authentication attempts by the foreign address associated with the request.

Interface Up/Down Messages
Displays interface up and interface down errors grouped by event source over a given time period.

System Events by Device
Displays all the system-related events reported by the event sources during a specified time period.

Check Point Security Suite (IDS) Standard Reports

The Reports module includes the following standard reports for the Check Point Security Suite IDS.

Top 10 Source Addresses
Displays the top 10 source addresses associated with recognized attack signatures.

Total Alarms by Device Address
Displays the total number of recognized attacks sorted by SmartDefense event source address.

Total Attacks by Signature
Displays the total number of recognized attacks sorted by attack signature name over a specified time period.

Check Point Security Suite (VPN) Standard Reports

The Reports module includes the following standard reports for the Check Point Security Suite VPN event sources.

VPN-1 Denied Connections by VPN Device
Displays a list of all failed VPN connection attempts, including time, Check Point server, reason for failure, service and scheme used, and source and destination address and port.

VPN-1 Detailed Connections Events by Date/Time
Displays a detailed record of successful connections within the selected time range, sorted by date and time.

VPN-1 Successful Connections by VPN Device
Displays a graph of successful connections sorted by Check Point server address.

VPN-1 System Changes
Queries for VPN system messages and reports the changes, including user name, action, and VPN event source address.

VPN-1 Top 20 Denied Connections by Username
Displays the count of rejected connection attempts and the top 20 user names associated with those rejected connections.

VPN-1 Top 20 Users by Number of Connections
Displays the top 20 user names associated with successful VPN connection attempts for all VPN event sources.

Check Point SmartDefense Standard Reports

The Reports module includes the following standard reports for the Check Point SmartDefense event source.

Top 10 Source Addresses
Displays the top 10 source addresses associated with recognized attack signatures.

Total Alarms by Device Address
Displays the total number of recognized attacks sorted by SmartDefense event source address.

Top Attacks by Signature
Displays the total number of recognized attacks sorted by attack signature name in a specified time period.

Check Point FireWall-1 and Check Point Security Suite (Firewall) Standard Reports

The Reports module includes the following standard reports for the Check Point FireWall-1 event source and the Check Point Security Suite.

Audit - Operations by Administrator
Counts the number of audit operations, sorted by administrator.

Audit - Operations by Application
Counts the number of audit operations, sorted by application.

Audit - Operations by Type
Counts the number of audit operations, sorted by operation type.

Audit - Operations Details
Lists all audit operations with all relevant details for each operation.

Bandwidth by Department
Displays bandwidth usage by department through FireWall-1 firewalls. Use this report to quickly determine which departments are using large amounts of bandwidth.

Bandwidth Usage by Address
Summarizes bandwidth usage by local address for all traffic passing through Check Point FireWall-1 firewalls. Sorted by total byte usage. Use this report to quickly determine the "top talkers" on your company network. Only firewalls with debug level logging enabled are reported.

Bandwidth Usage by Department
Summarizes bandwidth usage by department for all traffic passing through Check Point FireWall-1 firewalls. Sorted by total byte usage. Use this report to quickly assess which departments are consuming the most bandwidth. Only firewalls with debug level logging enabled are reported.

Bandwidth Usage by Port
Summarizes bandwidth usage by port for traffic passing through FireWall-1 firewalls. Sorted by total byte usage count. Use this report to quickly determine which applications are consuming the most bandwidth. In TCP/IP terminology, "port" and "service" are commonly used synonymously with "application". Only FireWall-1 firewalls with debug level logging enabled are reported.

Bandwidth Usage per Hour
Displays bandwidth usage per hour through FireWall-1 firewalls. Use this report to quickly spot bandwidth usage trends occurring during specific time periods. Each tick mark on the vertical hourly axis represents accumulated usage for the previous hour.

Configuration Changes
Lists configuration change messages from FireWall-1 firewalls. Sorted in date and time sequence.

Denied Connections per Hour
Displays the number of denied connections per hour through FireWall-1 firewalls. Use this report to quickly spot security threat trends occurring during specific time periods. Each tick mark on the vertical hourly axis represents accumulated denied connections for the previous hour.

Denied Inbound Traffic by Address
Summarizes denied inbound traffic through FireWall-1 firewalls by foreign address. Sorted by connection count.

Denied Inbound Traffic by Port
Summarizes denied inbound traffic filtered through FireWall-1 firewalls by port. Sorted by connection count.

Denied Outbound Traffic by Address
Summarizes denied outbound traffic filtered through FireWall-1 firewalls by local address. Sorted by connection count.

Denied Outbound Traffic by Port
Summarizes denied outbound traffic filtered through FireWall-1 firewalls by port. Sorted by connection count.

E-mail Security
Lists e-mail security messages received from FireWall-1 firewalls. Sorted in date and time sequence.

Inbound E-mail Traffic
Summarizes bandwidth usage of inbound SMTP traffic through FireWall-1 firewalls. Sorted by total connection count.

Inbound FTP Traffic
Summarizes bandwidth usage of inbound FTP traffic through FireWall-1 firewalls. Sorted by total connection count.

Inbound HTTP Traffic
Summarizes bandwidth usage of inbound HTTP traffic through FireWall-1 firewalls. Sorted by total connection count.

Inbound Telnet Traffic
Summarizes bandwidth usage of inbound Telnet traffic through FireWall-1 firewalls. Sorted by total connection count.

Outbound E-mail Traffic
Summarizes bandwidth usage of outbound SMTP traffic through FireWall-1 firewalls. Sorted by total connection count.

Outbound FTP Traffic
Summarizes bandwidth usage of outbound FTP traffic through FireWall-1 firewalls. Sorted by total connection count.

Outbound HTTP Traffic
Summarizes bandwidth usage of outbound HTTP traffic through FireWall-1 firewalls. Sorted by total connection count.

Outbound Telnet Traffic
Summarizes bandwidth usage of outbound Telnet traffic through FireWall-1 firewalls. Sorted by total connection count.

Permitted Connections per Hour
Displays the number of connections per hour through FireWall-1 firewalls. Use this report to spot connection trends occurring during specific time periods. Each tick mark on the vertical hourly axis represents accumulated permitted connections for the previous hour.

SiteTrack Detection
Lists network traffic through FireWall-1 firewalls that contained SiteTrack keywords. Sorted by date and time. The keyword is enclosed in quotation marks.

Top 10 Requested URL/FTP Destinations
Displays the top 10 requested URL and FTP destinations by internal users through FireWall-1 firewalls. Use this report to quickly spot trends of the most popular foreign sites.

Top 20 Bandwidth Ports
Displays the 20 ports with the most bandwidth usage through FireWall-1 firewalls. Use this report to quickly identify which applications are consuming the most bandwidth.

Top 20 Bandwidth Users
Displays the top 20 bandwidth users through FireWall-1 firewalls. Use this report to quickly identify which users are consuming the most bandwidth.

Top 20 Connections by Address
Displays the top 20 users of connections through FireWall-1 firewalls. Use this report to quickly determine which users are consuming the most connections.

Top 20 Connections by Port
Displays the 20 ports with the most connections through FireWall-1 firewalls. Use this report to quickly identify which applications are consuming the most connections.

Top 20 Denied Inbound by Address
Displays the top 20 foreign addresses that were denied inbound access by FireWall-1 firewalls. Use this report to quickly spot foreign hosts that may have been attempting to gain unauthorized access to your network.

Top 20 Denied Inbound by Port
Displays the 20 ports with the most denied inbound connections through FireWall-1 firewalls. Use this report to quickly identify which applications are the top sources of denied inbound connections.

Top 20 Denied Outbound by Address
Displays the top 20 local addresses that were denied outbound access by FireWall-1 firewalls. Use this report to quickly identify the top internal hosts that may have been attempting to breach your company's outbound Internet security policy.

Top URL/FTP Destinations
Summarizes outbound URL and FTP requests to foreign sites by local users through FireWall-1 firewalls. Sorted by foreign address and then by the number of requests.

URL/FTP Requests by Date/Time
Lists URL and FTP requests through FireWall-1 firewalls. Sorted by date and time.

URL/FTP Requests by Department
Summarizes the outbound URL and FTP requests for each department through FireWall-1 firewalls. Sorted by number of requests.

URL/FTP Requests by Foreign Address
Summarizes the outbound URL and FTP requests through FireWall-1 firewalls. Sorted by foreign address and number of requests.

URL/FTP Requests by Local Address
Summarizes the outbound URL and FTP requests through FireWall-1 firewalls. Sorted by local address and number of requests.

URL/FTP Requests by User Name
Summarizes the outbound URL and FTP requests by authenticated user name through FireWall-1 firewalls. Sorted by user name and the number of requests. Requires that AAA user authentication be configured on the firewall.

Cisco Access Control Server Standard Reports

The Reports module includes the following standard reports for the Cisco Access Control Server event source.

ACS Backup And Restore
Displays all backup and restore operations. Sorted by descending time.

ACS Service Monitoring
Tracks messages and activities internal to Cisco ACS.

Administration Audit
Displays an administrative report of all activity performed using the Cisco Secure ACS HTML Management interface. Sorted by descending time.

Cisco ACS Failed Authentication Attempts
Lists all of the failed authentication attempts for Cisco Secure ACS Version 5.1 and above.

Cisco ACS Failed User Logins
Lists all of the failed administrator logins for Cisco Secure ACS Version 5.1 and above.

Cisco ACS Passed Authentications
Lists all of the passed authentications for Cisco Secure ACS Version 5.1 and above.

Cisco ACS RADIUS Diagnostics
Gives diagnostic details on the RADIUS protocol for Cisco Secure ACS Version 5.1 and above.

Database Replication
Tracks ACS database replication activity. Sorted by descending time.

Failed Authentications
Displays a list of all failed logon attempts. Sorted by descending time.

Failed Authentications Count
Displays a count of all failed logon attempts. Sorted by descending time.

Passed Authentications
Displays a list of all users that have successfully logged on. Sorted by descending time.

Passed Authentications Count
Displays a count of all users that have successfully logged on. Sorted by descending time.

TACACS+ Accounting
Tracks all logon and logoff traffic.

TACACS+ Administration - Permanent Configuration Changes
Tracks configuration changes that have been executed using the write memory (write mem) or copy running-config startup-config (copy run start) commands.

Top 10 Users
Counts the number of successful logons (successful authentications) and sorts the top 10 users by user name.

Top 10 Users by Duration
Calculates the total amount of time that users have spent logged on to network event sources and lists the top 10 users in descending order by time.

Cisco Application Control Engine Standard Reports

The Reports module includes the following standard reports for the Cisco Application Control Engine event source.

Network Health Monitoring Report
A detailed report of all network activities.

System Health Monitoring Report
A detailed report of all system errors, normal activity, and unusual activity.

Cisco Aironet AP Standard Reports

The Reports module includes the following standard reports for the Cisco Aironet AP event source.

Access Point Disassociations
Displays all wireless event sources that disassociated or roamed from access points.

Access Point Failed Authentications
Displays all wireless event sources that failed to authenticate and the reason that each failed.

No SSIDs Configured
Displays all wireless event sources that do not have an SSID configured. At least one SSID needs to be configured for the radio to run.

Rogue Access Point Detection
Displays all rogue access points detected.

Successful Access Point Associations
Displays all wireless event sources that have successfully associated to access points.

Cisco Adaptive Security Appliance (firewall) Standard Reports

The Reports module includes the following standard reports for the Cisco ASA (firewall) event source.

AAA User Authentications
Displays AAA user authentications through Cisco ASA firewalls, sorted by date and time. This report requires AAA user authentication.

Bandwidth Usage by Address
Summarizes bandwidth usage by local address for all traffic passing through Cisco ASA firewalls. Sorted by total byte usage. Use this report to quickly determine the "top talkers" on your company network. Only ASA firewalls with debug level logging enabled are reported.

Bandwidth Usage by Department
Displays bandwidth usage by department through ASA firewalls. Use this report to quickly determine which departments are consuming the most bandwidth.

Bandwidth Usage by Port
Summarizes bandwidth usage by port for traffic passing through Cisco ASA firewalls. Sorted by total byte usage count. Use this report to quickly determine which applications are consuming the most bandwidth. In TCP/IP terminology, "port" and "service" are commonly used synonymously with "application". Only ASA firewalls with debug level logging enabled are reported.

Bandwidth Usage per Hour
Displays bandwidth usage per hour through ASA firewalls. Use this report to quickly spot bandwidth usage trends occurring during specific time periods. Each tick mark on the vertical hourly axis represents accumulated usage for the previous hour.

Bandwidth Utilization
Displays the bandwidth utilization on the network as a combination of a graph and a report.

Blocked URL Events
Displays the blocked URL events of internal IP addresses attempting to connect to external web sites that have been restricted by the company. Sorted by date and time. Websense Enterprise software must be installed to activate the URL blocking capability.

Configuration Changes
Lists configuration change messages from Cisco ASA firewalls, sorted by date and time. Monitors when configuration changes were made to Cisco ASA firewalls. Only ASA firewalls with logging enabled are reported.

Connection Limit Exceeded
Details exceeded connection limits by static addresses.

CPU Over-Capacity Events by Date and Time
Lists all instances of ASA Firewall CPU utilization rising above 100 percent. If this condition, which is generally considered to be an error condition, happens frequently, you may need to contact Cisco Systems.

Denied Connections per Hour
Displays the number of denied connections per hour through ASA firewalls. Use this report to quickly spot security threat trends occurring during specific time periods. Each tick mark on the vertical hourly axis represents accumulated denied connections for the previous hour.

Denied Inbound IP Spoofing
Tracks when an ASA Firewall receives an external packet with the IP source address equal to the IP destination address and the destination port equal to the source port. Sorted by the destination address. This event indicates a spoofed packet designed to attack systems. This attack is referred to as a land attack.

Denied Inbound Traffic by Address
Summarizes denied inbound traffic filtered through Cisco ASA firewalls by foreign address. Sorted by connection count. Use this report to quickly determine which foreign hosts are being denied access to your company's internal network. Denied connections may indicate an attempted security policy breach, malicious network reconnaissance, or a host or network event source configuration issue. Only ASA firewalls with logging enabled are reported.

Denied Inbound Traffic by Port
Summarizes denied inbound traffic filtered through Cisco ASA firewalls by port. Sorted by connection count. Port numbers are used to represent services or applications. Use this report to quickly determine which applications are being denied access. Denied connections may indicate an attempted security policy breach, malicious network reconnaissance such as a port scan, or a host or network event source configuration issue. Only ASA firewalls with logging enabled are reported.

Denied Outbound Traffic by Address
Summarizes denied outbound traffic filtered through Cisco ASA firewalls by local address. Sorted by connection count. Use this report to quickly determine which local addresses may be attempting to bypass your company security policy. Only ASA firewalls with logging enabled are reported.

Denied Outbound Traffic by Port
Summarizes denied outbound traffic filtered through Cisco ASA firewalls by port. Sorted by connection count. Port numbers are used to represent services or applications. Use this report to quickly determine which outbound applications are being denied. These denied messages may indicate an attempted security policy breach, malicious network reconnaissance such as a port scan, or a host or network event source configuration issue. Only ASA firewalls with logging enabled are reported.

E-mail Security
Lists ASA MailGuard messages received from Cisco ASA firewalls. Sorted by date and time. Use this report to quickly view possible e-mail security breach attempts that were prevented by ASA firewalls. Only ASA firewalls with logging enabled are reported.

Failover Messages
Lists failover messages from Cisco ASA firewalls by date and time.

FTP Requests by Date and Time
Lists FTP requests through Cisco ASA firewalls by date and time.

FTP Requests by Department
Displays FTP requests for each department through Cisco ASA firewalls by number of requests.

FTP Requests by Foreign Address
Note: The name for this report under the Content 2.0 schema is FTP Requests by Source Address.
Displays FTP requests to foreign sites by local users through Cisco ASA firewalls by foreign address and the number of requests.

FTP Requests by Local Address
Note: The name for this report under the Content 2.0 schema is FTP Requests by Destination Address.
Displays FTP requests by each local address through Cisco ASA firewalls by local address and number of requests.

Inbound E-mail Recipients
Displays inbound e-mails and the intended recipients.

Inbound E-mail Senders
Displays inbound e-mails and the senders.

Inbound E-mail Traffic
Displays bandwidth usage of inbound e-mail traffic through Cisco ASA firewalls. Sorted by total connection count. Use this report to quickly determine top foreign e-mail senders if your e-mail servers are located on an internal or DMZ interface. Summarizes e-mail traffic from your own e-mail gateways if they are sitting on an external ASA interface. Only ASA firewalls with logging enabled are reported. The system calculates inbound e-mail traffic by summarizing all the 302002 traffic logged on local port 25.

Inbound FTP Traffic
Displays bandwidth usage of inbound FTP traffic through Cisco ASA firewalls. Sorted by total connection count. Use this report to quickly determine which external users use FTP most frequently in your company. Only ASA firewalls with logging enabled are reported. The system calculates inbound FTP traffic by summarizing all the 302002 traffic logged on local ports 20 and 21.

Inbound HTTP Traffic
Displays bandwidth usage of inbound HTTP traffic through Cisco ASA firewalls. Sorted by total connection count. Use this report to quickly assess which foreign users are accessing your internal web servers most frequently. Only ASA firewalls with logging enabled are reported. The system calculates inbound HTTP traffic by summarizing all the 302002 traffic logged on local port 80.

Inbound IP Fragmentation Alert
Summarizes inbound IP fragmentation, sorted by count and foreign address. The ASA Firewall limits the number of IP fragments that can be concurrently reassembled. This restriction prevents memory depletion at the firewall under abnormal network conditions. If this message persists, a denial of service (DoS) attack may be in progress.

Inbound Telnet Traffic
Displays bandwidth usage of inbound Telnet traffic through Cisco ASA firewalls. Sorted by total connection count. Use this report to quickly determine top external Telnet users. Only ASA firewalls with logging enabled are reported. The system calculates inbound Telnet traffic by summarizing all the 302002 traffic logged on local port 23.

Management Access from External Source
Details all of the event source management events on the ASA firewall, sorted by date and time.

Outbound E-mail Recipients
Displays outbound e-mails and the intended recipients.

Outbound E-mail Senders
Displays outbound e-mails and the senders.

Outbound E-mail Traffic
Summarizes bandwidth usage of outbound e-mail traffic through Cisco ASA firewalls. Sorted by total connection count. Use this report to quickly determine top e-mail users in your company if your e-mail gateway is located on an external or DMZ interface. Reflects top e-mail gateways if your mail gateways are on the internal ASA interface. Only ASA firewalls with logging enabled are reported. The system calculates outbound e-mail traffic by summarizing all the 302002 traffic logged on foreign port 25.

Outbound FTP Traffic
Summarizes bandwidth usage of outbound FTP traffic through Cisco ASA firewalls. Sorted by total connection count. Use this report to quickly determine which internal users use FTP most frequently in your company. Only ASA firewalls with logging enabled are reported. The system calculates outbound FTP traffic by summarizing all the 302002 traffic logged on foreign ports 20 and 21.

Outbound HTTP Traffic
Summarizes bandwidth usage of outbound HTTP traffic through Cisco ASA firewalls. Sorted by total connection count. Use this report to quickly determine top HTTP users in your company. Only ASA firewalls with logging enabled are reported. The system calculates outbound HTTP traffic by summarizing all the 302002 traffic logged on foreign port 80.

Outbound IP Fragmentation Alert
Displays the ASA Firewall limits on the number of IP fragments that can be concurrently reassembled, sorted by count by local address. This restriction prevents memory depletion at the firewall under abnormal network conditions.

Outbound Telnet Traffic
Summarizes bandwidth usage of outbound Telnet traffic through Cisco ASA firewalls. Sorted by total connection count. Use this report to quickly determine top local Telnet users. Only ASA firewalls with logging enabled are reported. The system calculates outbound Telnet traffic by summarizing all the 302002 traffic logged on foreign port 23.
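One way to reproduce the inbound and outbound per-service traffic figures that the descriptions above define, as an added example and not RSA enVision's own code: it parses constructed 302002 teardown lines in the PIX-style faddr/gaddr/laddr layout (that layout, and the syslog prefix, are assumptions), then sums bytes and connection counts by local port for the inbound reports and by foreign port for the outbound ones, using the ports 25, 20/21, 80 and 23 the descriptions name.

```python
import re
from collections import defaultdict

# Assumed layout of a 302002 teardown message (the PIX-style faddr/gaddr/laddr
# form). The exact syslog text is an assumption made for this example; adjust
# the pattern to match what your firewalls actually emit.
TEARDOWN_RE = re.compile(
    r"%(?:ASA|PIX)-\d-302002: Teardown (?P<proto>TCP|UDP) connection "
    r"(?P<conn_id>\d+) faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) "
    r"gaddr (?P<gaddr>[\d.]+)/(?P<gport>\d+) "
    r"laddr (?P<laddr>[\d.]+)/(?P<lport>\d+) "
    r"duration (?P<duration>\d+:\d\d:\d\d) bytes (?P<bytes>\d+)"
)

# Port sets taken from the report descriptions: a match on the local port
# lands in the Inbound bucket, a match on the foreign port in Outbound.
SERVICE_PORTS = {
    "E-mail": {25},
    "FTP": {20, 21},
    "HTTP": {80},
    "Telnet": {23},
}

# Constructed sample log: one 302001 build line (ignored) and seven teardowns.
SAMPLE_LOG = """\
%ASA-6-302001: Built inbound TCP connection 1001 for outside:203.0.113.5/40111 (203.0.113.5/40111) to inside:10.0.0.25/25 (198.51.100.10/25)
%ASA-6-302002: Teardown TCP connection 1001 faddr 203.0.113.5/40111 gaddr 198.51.100.10/25 laddr 10.0.0.25/25 duration 0:00:04 bytes 15230
%ASA-6-302002: Teardown TCP connection 1002 faddr 203.0.113.7/25 gaddr 198.51.100.1/1025 laddr 10.0.0.40/1025 duration 0:00:02 bytes 4100
%ASA-6-302002: Teardown TCP connection 1003 faddr 203.0.113.9/80 gaddr 198.51.100.1/1026 laddr 10.0.0.41/1026 duration 0:00:01 bytes 72000
%ASA-6-302002: Teardown TCP connection 1004 faddr 203.0.113.9/80 gaddr 198.51.100.1/1027 laddr 10.0.0.41/1027 duration 0:00:03 bytes 8000
%ASA-6-302002: Teardown TCP connection 1005 faddr 203.0.113.11/51000 gaddr 198.51.100.10/23 laddr 10.0.0.5/23 duration 0:01:10 bytes 900
%ASA-6-302002: Teardown TCP connection 1006 faddr 203.0.113.12/50222 gaddr 198.51.100.10/21 laddr 10.0.0.6/21 duration 0:00:30 bytes 600
%ASA-6-302002: Teardown TCP connection 1007 faddr 203.0.113.13/8443 gaddr 198.51.100.1/1030 laddr 10.0.0.42/1030 duration 0:00:05 bytes 3000
"""


def parse_teardown(line):
    """Return the fields of a 302002 teardown line as a dict, or None."""
    m = TEARDOWN_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for field in ("conn_id", "fport", "gport", "lport", "bytes"):
        rec[field] = int(rec[field])
    return rec


def classify(rec):
    """Map a teardown record to (direction, service), or None if it belongs
    to none of the per-service reports. The local port is checked first, so a
    connection that matches on both sides counts as inbound."""
    for service, ports in SERVICE_PORTS.items():
        if rec["lport"] in ports:
            return "Inbound", service
    for service, ports in SERVICE_PORTS.items():
        if rec["fport"] in ports:
            return "Outbound", service
    return None


def summarize(lines):
    """Sum bytes and connection counts per report bucket.

    Returns (buckets, skipped): buckets maps a report name such as
    "Inbound E-mail Traffic" to {"connections": n, "bytes": b}, ordered by
    connection count descending (the sort order the descriptions state);
    skipped counts lines that were not 302002 teardowns.
    """
    buckets = defaultdict(lambda: {"connections": 0, "bytes": 0})
    skipped = 0
    for line in lines:
        rec = parse_teardown(line)
        if rec is None:
            skipped += 1
            continue
        key = classify(rec)
        if key is None:
            continue  # teardown on a port no per-service report covers
        name = f"{key[0]} {key[1]} Traffic"
        buckets[name]["connections"] += 1
        buckets[name]["bytes"] += rec["bytes"]
    ordered = dict(
        sorted(buckets.items(), key=lambda kv: (-kv[1]["connections"], kv[0]))
    )
    return ordered, skipped


if __name__ == "__main__":
    report, skipped = summarize(SAMPLE_LOG.splitlines())
    for name, totals in report.items():
        print(f"{name:<26} {totals['connections']:>4} conns {totals['bytes']:>8} bytes")
    print(f"({skipped} non-teardown line(s) ignored)")
```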

Permitted Connections per Hour
Displays the number of connections per hour through ASA firewalls. Use this report to quickly spot connection trends occurring during specific time periods. Each tick mark on the vertical hourly axis represents accumulated permitted connections for the previous hour.

RIP External Security Alert
Displays the ASA Firewall events for received internal RIP reply messages with bad authentication, sorted by the local address. This event can be caused by misconfiguration on the router or the ASA Firewall, or the event may be an unsuccessful attempt to attack the ASA Firewall unit's routing table.

RIP Internal Security Alert
Displays the ASA Firewall events for received external RIP reply messages with bad authentication, sorted by foreign address. This event can be caused by misconfiguration on the router or the ASA Firewall, or the event may be an unsuccessful attempt to attack the ASA Firewall unit's routing table.

SiteTrack Detection
Note: This report is not compatible with the Content 2.0 schema.
Lists network traffic through Cisco ASA firewalls that contained SiteTrack keywords. Sorted by date and time. A keyword match is identified by parentheses ( ) preceding the message in the Message column. The SiteTrack feature performs a text string comparison of the DNS host name lookup of source and destination IP addresses, as well as accessed URL pages and FTP filenames. The DNS Resolver service must be enabled, and ASA firewall logging must be enabled. For information about SiteTrack, see the enVision Online Help.

Top 10 Requested URL/FTP Destinations
Displays the top 10 requested URL and FTP destinations by internal users through ASA firewalls. Use this report to quickly spot trends of the most popular foreign sites.

Top 20 Bandwidth Ports
Displays the 20 ports with the most bandwidth usage through ASA firewalls. Use this report to quickly identify which applications are consuming the most bandwidth.

Top 20 Bandwidth Users
Displays the top 20 bandwidth users through ASA firewalls.

Top 20 Connections by Address
Displays the top 20 users of connections through ASA firewalls. Use this report to quickly determine which users are consuming the most connections.

Top 20 Connections by Port
Displays the 20 ports with the most connections through ASA firewalls. Use this report to quickly identify which applications are consuming the most connections.

Top 20 Denied Inbound by Address
Displays the top 20 foreign addresses that were denied inbound access by ASA firewalls. Use this report to quickly spot foreign hosts that may have been attempting to gain unauthorized access to your network.

Top 20 Denied Inbound by Port
Displays the 20 ports with the most denied inbound connections through ASA firewalls. Use this report to quickly identify which applications are the top sources of denied inbound connections.

Top 20 Denied Outbound by Address
Displays the top 20 local addresses that were denied outbound access by ASA firewalls. Use this report to quickly identify the top internal hosts that may have been attempting to breach your company's outbound Internet security policy.

Top FTP Destinations
Displays FTP requests to foreign addresses through Cisco ASA firewalls, sorted by the number of requests.

Top URL Destinations
Displays URL requests to foreign addresses through Cisco ASA firewalls, sorted by the number of requests.

Total Connections by Global/Translated Address
Displays the activity for each global address going through the ASA firewall, sorted by percentage of total connections within a specific time period.

Translation Activity by Connection ID
Lists buildup and teardown messages for connections through an ASA firewall. Sorted by connection ID.

URL Requests by Date/Time
Lists URL and FTP requests through Cisco ASA firewalls. Sorted by date and time. Only ASA firewalls with logging enabled are reported.

URL Requests by Department
Summarizes the outbound URL and FTP requests for each department through Cisco ASA firewalls. Sorted by number of requests. Use this report to quickly determine which departments are downloading the most URLs and FTP files. Only ASA firewalls with logging enabled are reported.

URL Requests by Foreign Address
Note: The name for this report under the Content 2.0 schema is URL Requests by Source Address.
Summarizes outbound URL and FTP requests to foreign addresses through Cisco ASA firewalls. Sorted by total connections. Use this report to quickly determine the most common URL and FTP destinations in your company. Only ASA firewalls with logging enabled are reported.

URL Requests by Local Address
Note: The name for this report under the Content 2.0 schema is URL Requests by Destination Address.
Summarizes the outbound URL and FTP requests by each local address through Cisco ASA firewalls. Sorted by local address and number of URL and FTP requests. Use this report to quickly determine the most common URL and FTP destinations by local address for your company. Only ASA firewalls with logging enabled are reported.

URL Requests by User Name
Summarizes the outbound URL and FTP requests by authenticated user name through Cisco ASA firewalls. Sorted by user name and the number of URL and FTP requests. Requires that AAA user authentication be configured on the firewall. Use this report to quickly determine the most common URL and FTP destinations on a user name basis for your company. Only ASA firewalls with logging enabled are reported.


Cisco Adaptive Security Appliance (IDS) Standard Reports
The Reports module includes the following standard reports for the Cisco ASA (IDS)
event source.

Alarm Level Summary


Summarizes the number of alarms for each alarm level.

Alarms by IDS Device


Displays the alarm count for each sensor.

Intrusion Event Summary by Alarm Level


Summarizes intrusion events detected by the Cisco integrated firewall intrusion detection
sensor on the event source, sorted by alarm level.

Intrusion Event Summary by External Source Address


Lists the attack events detected by the Cisco integrated firewall intrusion detection sensor
on the event source from external sources.

Intrusion Event Summary by Intrusion Detection System (IDS) Device


Summarizes intrusion events detected by the Cisco integrated firewall intrusion detection
sensor on the ASA. Sorted by ASA address, alarm level, and number of alarms.

Intrusion Event Summary by Internal Source Address


Lists the attack events detected by the Cisco integrated firewall intrusion detection sensor
on the ASA from internal sources.

Intrusion Event Summary by Signature ID


Summarizes intrusion events detected by the Cisco integrated firewall intrusion detection
sensor on the ASA by signature description. Sorted by alarm level.

Intrusion Event Summary by Source Address


Summarizes intrusion events detected through the Cisco integrated firewall intrusion
detection sensor on the ASA by intruding source address. Sorted by source address and
number of alarms.

Intrusion Event Summary by Source/Destination Direction


Summarizes intrusion events detected through the Cisco integrated firewall intrusion
detection sensor on the ASA by source and destination direction. Sorted by alarm level.


Intrusion Events by Date/Time


Lists the intrusion events detected by the Cisco integrated firewall intrusion detection
sensor on the ASA.

Top 10 Sources Address of Alarms


Lists the 10 source IP addresses that have generated the most events or alarms.

Top Source Addresses of Intrusion Events


Summarizes intrusion events detected through the Cisco integrated firewall intrusion
detection sensor on the ASA by source and destination direction. Sorted by alarm level.


Cisco Adaptive Security Appliance VPN Standard Reports
The Reports module includes the following standard reports for the Cisco ASA VPN
event source.

Denied Packets per Device


Displays the denied packets per event source for all VPN gateways.

Denied Packets per Hour


Displays the denied packets per hour for all VPN gateways.

Failed Authentications by Device


Lists the failed authentications for all users of VPN gateways. Sorted by event source
address.

Failed Authentications by Username


Lists the failed authentications for all users of VPN gateways. Sorted by user name.

Failed X-Authentications by Device


Lists the failed x-authentications for all users of VPN gateways. Sorted by event source
address.

Successful Authentications by Date/Time


Lists the successful authentications for all users of VPN gateways. Sorted by date and
time.

System Events by Device


Lists the VPN system events from Cisco ASA. Sorted by event source.

Total Connections by Username


Lists the total connections for all users of VPN gateways. Sorted by user name.


Cisco Content Engine Standard Reports


The Reports module includes the following standard reports for the Cisco Content Engine
event source.

Failed System Events


Lists all failed system events.

Memory Related Errors


Displays all memory related errors.

Top 100 Requested URL


Displays the top 100 requested URL strings for the given time period.

Top 20 Clients by Connection Requests


Displays the 20 client IP addresses that made the most connection requests for a
specified time period.

Top 25 Client IPs by Total Bytes


Displays the 25 client IP addresses with the most total bytes.

Total Bytes Passed by Hour


Displays tallies of sent and received bytes, and a histogram of the traffic pattern over the
selected time period.

Total Bytes by Cache Device


Displays the data for total bytes passed by cache event source (supplied_ip). The supplied
IP is the address of the cache event source that fulfilled the HTTP request.

Total Bytes by Client IP


Displays the total bytes passed by client IP address sorted by requesting address.

Total Bytes by Domain


Displays the total bytes for each connection. Sorted by domain.

Total Connection Requests by Hour


Displays the number of connection requests grouped by hour of day.


Total Connections by HTTP Status Code


Queries for connection counts and groups the tallies by the HTTP success or failure code.
Administrators can use this report to determine, by status code, how many connections
were successful, redirected, failed, and so on.


Cisco Content Services Switch Standard Reports


The Reports module includes the following standard reports for the Cisco Content
Services Switch event source.

Down Links
Displays all messages associated with a down link in a given time period.

Reboots
Displays all messages associated with event source reboots in a given time period.

Top 50 Users by Number of Connections


Displays the total number of connections to the content switch grouped by the associated
user name.

Total Attacks by Attack Type


Displays the total number of attacks recognized by the event source grouped by the attack
type.

Total Attacks by Destination Address


Displays the total number of attacks recognized by the event source grouped by the
destination address.

Total Attacks by Destination Port


Displays the total number of attacks recognized by the event source grouped by the
destination port.

Total Attacks by Source Address


Displays the total number of attacks recognized by the event source grouped by the
source address.

Total Logins by Source Address


Displays the total number of successful logons by source address.


Cisco IOS IDS Standard Reports


The Reports module includes the following standard reports for the Cisco IOS (IDS)
event source.

Alarm Level Summary


Summarizes the number of alarms for each alarm level.

Alarms by IDS Device


Displays the alarm count for each sensor.

Intrusion Event Summary by Alarm Level


Summarizes intrusion events detected by the Cisco integrated intrusion detection sensor
on the router by alarm level. Sorted by alarm level.

Intrusion Event Summary by External Source Address


Lists the attack events detected by the Cisco integrated intrusion detection sensor on the
router from external sources.

Intrusion Event Summary by Intrusion Detection System (IDS) Device


Summarizes intrusion events detected by the Cisco integrated intrusion detection sensor
on the router. Sorted by router address, alarm level, and number of alarms.

Intrusion Event Summary by Internal Source Address


Lists the attack events detected by the Cisco integrated intrusion detection sensor on the
router from internal sources.

Intrusion Event Summary by Signature Category


Summarizes intrusion events detected by the Cisco integrated intrusion detection sensor
on the router by signature category. Sorted by alarm level and number of alarms.

Intrusion Event Summary by Signature Description


Summarizes intrusion events detected by the Cisco integrated intrusion detection sensor
on the router by signature description. Sorted by alarm level.

Intrusion Event Summary by Source Address


Summarizes intrusion events detected through the Cisco integrated intrusion detection
sensor on the router by intruding source address. Sorted by source address and number of
alarms.


Intrusion Event Summary by Source/Destination Direction


Summarizes intrusion events detected through the Cisco integrated intrusion detection
sensor on the router by source and destination direction. Sorted by alarm level.

Intrusion Events by Date/Time


Lists the intrusion events detected by the Cisco integrated intrusion detection sensor on
the router. Sorted by date and time, and alarm level.

Top 10 Sources Address of Alarms


Lists the 10 source IP addresses that have generated the most events or alarms.

Top Source Addresses of Intrusion Events


Summarizes intrusion events detected through the Cisco integrated intrusion detection
sensor on the router by source and destination direction. Sorted by alarm level.


Cisco IOS
The Reports module includes the following standard reports for the Cisco IOS event
source.

Bandwidth Usage by Address


Summarizes bandwidth usage by local address for all traffic passing through Cisco IOS
firewalls. Sorted by total byte usage. Use this report to quickly determine the "top
talkers" on your company network. Only IOS firewalls with debug level logging enabled
are reported.

Bandwidth Usage by Department


Displays bandwidth usage by department through Cisco IOS firewalls. Use this report to
quickly determine which departments are consuming the most bandwidth.

Bandwidth Usage by Port


Summarizes bandwidth usage by port for traffic passing through Cisco IOS firewalls.
Sorted by total byte usage count. Use this report to quickly determine which applications
are consuming the most bandwidth. Only IOS firewalls with debug level logging enabled
are reported.

Bandwidth Usage per Hour


Displays bandwidth usage per hour through Cisco IOS firewalls. Use this report to
quickly spot bandwidth usage trends occurring during specific time periods. Each tick
mark on vertical hourly axes represents accumulated usage for the previous hour.

Inbound E-mail Traffic


Displays bandwidth usage of inbound e-mail traffic through Cisco IOS firewalls. Sorted
by session count.

Inbound FTP Traffic


Displays bandwidth usage of inbound FTP traffic through Cisco IOS firewalls. Sorted by
session count.

Inbound HTTP Traffic


Displays bandwidth usage of inbound HTTP traffic through Cisco IOS firewalls. Sorted
by session count.

Inbound Telnet Traffic


Displays bandwidth usage of inbound Telnet traffic through Cisco IOS firewalls. Sorted
by session count.


Outbound E-mail Traffic


Summarizes bandwidth usage of outbound e-mail traffic through Cisco IOS firewalls.
Sorted by session count.

Outbound FTP Traffic


Summarizes bandwidth usage of outbound FTP traffic through Cisco IOS firewalls.
Sorted by session count.

Outbound HTTP Traffic


Summarizes bandwidth usage of outbound HTTP traffic through Cisco IOS firewalls.
Sorted by session count.

Outbound Telnet Traffic


Summarizes bandwidth usage of outbound Telnet traffic through Cisco IOS firewalls.
Sorted by session count.

Security Threats
Lists the security threat messages from Cisco IOS firewalls. Sorted by date and time.

Top 20 Bandwidth Users


Displays the top 20 bandwidth users through Cisco IOS firewalls.

Top 20 Requested Destinations


Displays the top 20 requested destinations through Cisco IOS firewalls.

Top Destinations
Summarizes the top destinations by users through Cisco IOS firewalls. Sorted by session
count.


Cisco Ironport Email Security Appliance Standard Reports
The Reports module includes the following standard reports for the Cisco Ironport ESA
event source.

Content Filter Report


Lists messages that have been quarantined according to filter settings.


Cisco Ironport Web Security Appliance Standard Reports
The Reports module includes the following standard reports for the Cisco Ironport WSA
event source.

Blocked URLs
Lists the blocked URLs along with the IP address that requested them and the reason why
they were blocked (the reason is given as the URL category).

Top 20 users based on MB download


Lists the top 20 users based on MB downloaded.


Cisco MARS Standard Reports


The Reports module includes the following standard reports for the Cisco MARS event
source.

Severity Red Incidents


Lists the incidents that are at red severity level including the incident number, the rule
triggered, and the time of the incident.

Worms and/or Attacks


Lists the incidents for rules having the words "worm" or "attack" and lists the severity
and time of the incident.


Cisco Network Admission Control Standard Reports


The Reports module includes standard reports for Cisco NAC (Network Admission
Control).

Application Posture Token Distribution


Lists posture credential vendor and application type combinations by NAC state.

Endpoint Detail
Lists the recent network admission of each endpoint and provides details about each
event.

Endpoint Status Query Failures


Displays the number of status query failures by endpoint.

Endpoints by NAC State


Lists endpoints by NAC state.

IOS Static Authorization


Displays non-responsive endpoints that are configured as static exceptions on the network
admission event source.

Network Admission Devices by NAC State


Lists network admission event sources by NAC state.

Network Device Groups by NAC State


Lists network event source groups by NAC state.

Non-Responsive Endpoints by NAC State


Lists non-responsive endpoints by NAC state.

Rejected Endpoints by NAC State


Lists rejected endpoints by NAC state.

Top 10 Endpoints by SPTs


Lists the top 10 endpoints by selected System Posture Token (SPT). You select the SPT
from a runtime parameter list. If you select multiple SPTs, the report lists the top 10
endpoints by all selected SPTs, not the top 10 endpoints for each SPT.


Top 10 Users by SPTs


Lists the top 10 users by selected System Posture Token (SPT). You select the SPT from
a runtime parameter list. If you select multiple SPTs, the report lists the top 10 users
by all selected SPTs, not the top 10 users for each SPT.

User Detail
Lists recent network admissions for each user and provides details about each event.

User Groups by NAC State


Lists user groups by NAC state.

Users by NAC State


Lists user names by NAC state.


CiscoWorks Network Compliance Manager Standard Reports
The Reports module includes the following standard reports for the CiscoWorks Network
Compliance Manager event source.

Configuration Changes by Device


Lists configuration changes made, sorted by event source.

Detailed Event Report


Lists details of all events over a period of time.

Failed Attempts by User


Lists failed attempts based on user name.

Login and Logout


Lists events relating to logon and logoff.


Cisco PIX (firewall) Standard Reports


The Reports module includes the following standard reports for the Cisco PIX (firewall)
event source.

AAA User Authentications


Displays AAA user authentications through Cisco PIX firewalls, sorted by date and time.
This report requires AAA user authentication.

Bandwidth Usage by Address


Summarizes bandwidth usage by local address for all traffic passing through Cisco PIX
firewalls. Sorted by total byte usage. Use this report to quickly determine the "top
talkers" on your company network. Only PIX firewalls with debug level logging enabled
are reported.

Bandwidth Usage by Department


Displays bandwidth usage by department through PIX firewalls. Use this report to quickly
determine which departments are consuming the most bandwidth.

Bandwidth Usage by Port


Summarizes bandwidth usage by port for traffic passing through Cisco PIX firewalls.
Sorted by total byte usage count. Use this report to quickly determine which applications
are consuming the most bandwidth. In TCP/IP terminology, port and service are commonly
used synonymously with application. Only PIX firewalls with debug level logging
enabled are reported.

Bandwidth Usage per Hour


Displays bandwidth usage per hour through PIX firewalls. Use this report to quickly spot
bandwidth usage trends occurring during specific time periods. Each tick mark on vertical
hourly axes represents accumulated usage for the previous hour.

Bandwidth Utilization
Displays the bandwidth utilization on the network in a combination of a graph and a
report.

Blocked URL Events


Displays the blocked URL events of internal IP addresses attempting to connect to
external web sites that have been restricted by the company. Sorted by date and time.
Websense Enterprise software must be installed to activate the URL blocking capability.


Configuration Changes
Lists configuration change messages from Cisco PIX firewalls, sorted by date and time.
Monitors when configuration changes were made to Cisco PIX Firewalls. Only PIX
firewalls with logging enabled are reported.

Connection Limit Exceeded


Details exceeded connection limits by static addresses.

CPU Over-Capacity Events by Date and Time


Lists all instances of PIX Firewall CPU use rising above 100 percent. If this condition,
which is generally considered to be an error condition, happens frequently, you may need
to contact Cisco Systems.

Denied Connections per Hour


Displays the number of denied connections per hour through PIX firewalls. Use this
report to quickly spot security threat trends occurring during specific time periods. Each
tick mark on vertical hourly axes represents accumulated denied connections for the
previous hour.

Denied Inbound IP Spoofing


Tracks when a PIX Firewall receives an external packet with the IP source address equal
to the IP destination and the destination port equal to the source port. Sorted by the
destination address. This event indicates a spoofed packet designed to attack systems.
This attack is referred to as a land attack.

Denied Inbound Traffic by Address


Summarizes denied inbound traffic filtered through Cisco PIX firewalls by foreign
address. Sorted by connection count. Use this report to quickly determine which foreign
hosts are being denied access to your company's internal network. Denied connections
may indicate an attempted security policy breach, malicious network reconnaissance, or a
host or network event source configuration issue. Only PIX firewalls with logging
enabled are reported.

Denied Inbound Traffic by Port


Summarizes denied inbound traffic filtered through Cisco PIX firewalls by port. Sorted by
connection count. Port is used synonymously with services or applications. Use this report
to quickly determine which applications are being denied access. Denied connections
may indicate an attempted security policy breach, malicious network reconnaissance like
a port scan, or a host or network event source configuration issue. Only PIX firewalls
with logging enabled are reported.


Denied Outbound Traffic by Address


Summarizes denied outbound traffic filtered through Cisco PIX firewalls by local
address. Sorted by connection count. Use this report to quickly determine which local
addresses may be attempting to bypass your company security policy. Only PIX firewalls
with logging enabled are reported.

Denied Outbound Traffic by Port


Summarizes denied outbound traffic filtered through Cisco PIX firewalls by port. Sorted
by connection count. Port numbers are used to represent services or applications. Use this
report to quickly determine which outbound applications are being denied. These denied
messages may indicate an attempted security policy breach, malicious network
reconnaissance like a port scan, or a host or network event source configuration issue.
Only PIX firewalls with logging enabled are reported.

E-mail Security
Lists PIX MailGuard messages received from Cisco PIX firewalls. Sorted by date and
time. Use this report to quickly view possible e-mail security breach attempts that were
prevented by PIX firewalls. Only PIX firewalls with logging enabled are reported.

Failover Messages
Lists failover messages from Cisco PIX firewalls by date and time.

FTP Requests by Date/Time


Lists FTP requests through Cisco PIX Firewalls by date and time.

FTP Requests by Department


Displays FTP requests for each department through Cisco PIX firewalls by number of
requests.

FTP Requests by Foreign Address


Note: The name for this report under the Content 2.0 schema is FTP Requests by
Source Address.
Displays FTP requests to foreign sites by local users through Cisco PIX firewalls by
foreign address and the number of requests.


FTP Requests by Local Address


Note: The name for this report under the Content 2.0 schema is FTP Requests by
Destination Address.
Displays FTP requests by each local address through Cisco PIX firewalls by local
address and number of requests.

Inbound E-mail Recipients


Displays inbound e-mails and the intended recipients.

Inbound E-mail Senders


Displays inbound e-mails and the senders.

Inbound E-mail Traffic


Displays bandwidth usage of inbound e-mail traffic through Cisco PIX firewalls. Sorted
by total connection count. Use this report to quickly determine top foreign e-mail senders
if your e-mail servers are located on an internal or DMZ interface. Summarizes e-mail
traffic from your own e-mail gateways if they are sitting on an external PIX interface.
Only PIX firewalls with logging enabled are reported. The system calculates inbound
e-mail traffic by summarizing all the 302002 traffic logged on local port 25.

Inbound FTP Traffic


Displays bandwidth usage of inbound FTP traffic through Cisco PIX firewalls. Sorted by
total connection count. Use this report to quickly determine which external users use FTP
most frequently in your company. Only PIX firewalls with logging enabled are reported.
The system calculates inbound FTP traffic by summarizing all the 302002 traffic logged
on local ports 20 and 21.

Inbound HTTP Traffic


Displays bandwidth usage of inbound HTTP traffic through Cisco PIX firewalls. Sorted
by total connection count. Use this report to quickly assess which foreign users are
accessing your internal web servers most frequently. Only PIX firewalls with logging
enabled are reported. The system calculates inbound HTTP traffic by summarizing all the
302002 traffic logged on local port 80.

Inbound IP Fragmentation Alert


Summarizes inbound IP fragmentation, sorted by count by foreign address. The PIX
Firewall limits the number of IP fragments that can be concurrently reassembled. This
restriction prevents memory depletion at the firewall under abnormal network conditions.
If this message persists, a denial of service (DoS) attack may be in progress.


Inbound Telnet Traffic


Displays bandwidth usage of inbound Telnet traffic through Cisco PIX firewalls. Sorted
by total connection count. Use this report to quickly determine top external Telnet users.
Only PIX firewalls with logging enabled are reported. The system calculates inbound
Telnet traffic by summarizing all the 302002 traffic logged on local port 23.

Management Access from External Source


Details all of the event source management events on the PIX firewall sorted by date and
time.

Outbound E-mail Recipients


Displays outbound e-mails and the intended recipients.

Outbound E-mail Senders


Displays outbound e-mails and the senders.

Outbound E-mail Traffic


Summarizes bandwidth usage of outbound e-mail traffic through Cisco PIX firewalls.
Sorted by total connection count. Use this report to quickly determine the top e-mail users
in your company if your e-mail gateway is located on an external or DMZ interface.
Reflects top e-mail gateways if your mail gateways are on the PIX internal interface
network. Only PIX firewalls with logging enabled are reported. The system calculates
outbound e-mail traffic by summarizing all the 302002 traffic logged on foreign port 25.

Outbound FTP Traffic


Summarizes bandwidth usage of outbound FTP traffic through Cisco PIX firewalls.
Sorted by total connection count. Use this report to quickly determine which internal
users use FTP most frequently in your company. Only PIX firewalls with logging enabled
are reported. The system calculates outbound FTP traffic by summarizing all the 302002
traffic logged on foreign ports 20 and 21.

Outbound HTTP Traffic


Summarizes bandwidth usage of outbound HTTP traffic through Cisco PIX firewalls.
Sorted by total connection count. Use this report to quickly determine top HTTP users in
your company. Only PIX firewalls with logging enabled are reported. The system
calculates outbound HTTP traffic by summarizing all the 302002 traffic logged on foreign
port 80.

Outbound IP Fragmentation Alert


Summarizes outbound IP fragmentation, sorted by count by local address. The PIX
Firewall limits the number of IP fragments that can be concurrently reassembled. This
restriction prevents memory depletion at the firewall under abnormal network conditions.

Outbound Telnet Traffic


Summarizes bandwidth usage of outbound Telnet traffic through Cisco PIX firewalls.
Sorted by total connection count. Use this report to quickly determine top local Telnet
users. Only PIX firewalls with logging enabled are reported. The system calculates
outbound Telnet traffic by summarizing all the 302002 traffic logged on foreign port 23.

Permitted Connections per Hour


Displays the number of connections per hour through PIX firewalls. Use this report to
quickly spot connection trends occurring during specific time periods. Each tick mark on
vertical hourly axes represents accumulated permitted connections for the previous hour.

RIP External Security Alert


Displays the PIX Firewall events for received internal RIP reply messages with bad
authentication sorted by the local address. This event can be caused by misconfiguration
on the router or the PIX Firewall, or the event may be an unsuccessful attempt to attack
the PIX Firewall unit's routing table.

RIP Internal Security Alert


Displays the PIX Firewall events for received external RIP reply messages with bad
authentication sorted by the local address. This event can be caused by misconfiguration
on the router or the PIX Firewall, or the event may be an unsuccessful attempt to attack
the PIX Firewall unit's routing table.

SiteTrack Detection
Note: This report is not compatible with the Content 2.0 schema.
Lists network traffic through Cisco PIX firewalls that contained SiteTrack keywords.
Sorted by date and time. Keyword match is identified with parentheses ( ) preceding the
message in the Message column. The SiteTrack feature performs a text string comparison
of the DNS host name lookup of source and destination IP addresses, as well as accessed
URL pages and FTP filenames. The DNS Resolver service must be enabled, and PIX
firewall logging must be enabled.

Top 10 Requested URL/FTP Destinations


Displays the top 10 requested URL and FTP destinations by internal users through PIX
firewalls. Use this report to quickly spot trends of the most popular foreign sites.

Top 20 Bandwidth Ports


Displays the 20 ports with the most bandwidth usage through PIX firewalls. Use this
report to quickly identify which applications are consuming the most bandwidth.


Top 20 Bandwidth Users


Displays the top 20 bandwidth users through PIX firewalls.

Top 20 Connections by Address


Displays the top 20 users of connections through PIX firewalls. Use this report to quickly
determine which users are consuming the most connections.

Top 20 Connections by Port


Displays the 20 ports with the most connections through PIX firewalls. Use this report to
quickly identify which applications are consuming the most connections.

Top 20 Denied Inbound by Address


Displays the top 20 foreign addresses that were denied inbound access by PIX firewalls.
Use this report to quickly spot foreign hosts that may have been attempting to gain
unauthorized access to your network.

Top 20 Denied Inbound by Port


Displays the 20 ports with the most denied inbound connections through PIX firewalls.
Use this report to quickly identify which applications are the top sources of inbound
denied connections.

Top 20 Denied Outbound by Address


Displays the top 20 local addresses that were denied outbound access by PIX firewalls.
Use this report to quickly identify the top internal hosts that may have been attempting to
breach your company's outbound Internet security policy.

Top FTP Destinations


Displays FTP requests to foreign addresses through Cisco PIX firewalls. Sorted by the
number of requests.

Top URL Destinations


Displays URL requests to foreign addresses through Cisco PIX firewalls. Sorted by the
number of requests.

Total Connections by Global/Translated Address


Displays the activity for each global address going through the PIX firewall, sorted by
percentage of total connections within a specific time period.


Translation Activity by Connection ID


Lists the buildup and teardown messages for connections through a PIX firewall. Sorted
by connection ID.

URL Requests by Date/Time


Lists URL and FTP requests through Cisco PIX Firewalls. Sorted by date and time. Use
this report together with the HTTP/FTP query report to view which URLs and FTP files
were accessed during a certain date and time range. Only PIX firewalls with logging
enabled are reported.

URL Requests by Department


Summarizes the outbound URL and FTP requests for each department through Cisco PIX
firewalls. Sorted by number of requests. Use this report to quickly determine which
departments are downloading the most URLs and FTP files. Only PIX firewalls with
logging enabled are reported.

URL Requests by Foreign Address


Note: The name for this report under the Content 2.0 schema is URL Requests by
Source Address.
Summarizes outbound URL and FTP requests to foreign addresses through Cisco PIX
firewalls. Sorted by total connections. Use this report to quickly determine the most
common URL and FTP destinations in your company. Only PIX firewalls with logging
enabled are reported.

URL Requests by Local Address


Note: The name for this report under the Content 2.0 schema is URL Requests by
Destination Address.
Summarizes the outbound URL and FTP requests by each local address through Cisco
PIX firewalls. Sorted by local address and number of URL and FTP requests. Use this
report to quickly determine the most common URL and FTP destinations by local address
for your company. Only PIX firewalls with logging enabled are reported.

URL Requests by User Name


Summarizes the outbound URL and FTP requests by authenticated user name through
Cisco PIX firewalls. Sorted by user name and the number of URL and FTP requests.
Requires that AAA user authentication be configured on the firewall. Use this report to
quickly determine the most common URL and FTP destinations on a user name basis for
your company. Only PIX firewalls with logging enabled are reported.

Cisco PIX (IDS) Standard Reports


The Reports module includes the following standard reports for the Cisco PIX (IDS)
event source.

Alarm Level Summary


Summarizes the number of alarms for each alarm level.

Alarms by IDS Device


Displays the alarm count for each sensor.

Intrusion Event Summary by Alarm Level


Summarizes intrusion events detected by the Cisco integrated firewall intrusion detection
sensor on the PIX by alarm level. Sorted by alarm level.

Intrusion Event Summary by External Source Address


Lists the attack events detected by the Cisco integrated firewall intrusion detection sensor
on the PIX from external sources.

Intrusion Event Summary by Intrusion Detection System (IDS) Device


Summarizes intrusion events detected by the Cisco integrated firewall intrusion detection
sensor on the PIX. Sorted by PIX address, alarm level, and number of alarms.

Intrusion Event Summary by Internal Source Address


Lists the attack events detected by the Cisco integrated firewall intrusion detection sensor
on the PIX from internal sources.

Intrusion Event Summary by Signature ID


Summarizes intrusion events detected by the Cisco integrated firewall intrusion detection
sensor on the PIX by signature description. Sorted by alarm level.

Intrusion Event Summary by Source Address


Summarizes intrusion events detected through the Cisco integrated firewall intrusion
detection sensor on the PIX by intruding source address. Sorted by source address and
number of alarms.

Intrusion Event Summary by Source/Destination Direction


Summarizes intrusion events detected through the Cisco integrated firewall intrusion
detection sensor on the PIX by source and destination direction. Sorted by alarm level.

Intrusion Events by Date/Time


Lists the intrusion events detected by the Cisco integrated firewall intrusion detection
sensor on the PIX.

Top 10 Source Addresses of Alarms


Lists the 10 source IP addresses that have generated the most events or alarms.

Top Source Addresses of Intrusion Events


Summarizes intrusion events detected through the Cisco integrated firewall intrusion
detection sensor on the PIX by source address. Sorted by number of alarms.

Cisco PIX (VPN) Standard Reports


The Reports module includes the following standard reports for the Cisco PIX (VPN)
event source.

Denied Packets per Device


Displays the denied packets per event source for all VPN gateways.

Denied Packets per Hour


Displays the denied packets per hour for all VPN gateways.

Failed Authentication by Device


Lists the failed authentications for all users of VPN gateways. Sorted by event source
address.

Failed Authentication by Username


Lists the failed authentications for all users of VPN gateways. Sorted by user name.

Failed XAuthentications by Device


Lists the failed XAUTH (IKE extended authentication) attempts for all users of VPN
gateways. Sorted by event source address.

Successful Authentication by Date/Time


Lists the successful authentications for all users of VPN gateways. Sorted by date and
time.

System Events by Device


Lists the VPN system events from Cisco PIX. Sorted by event source.

Total Connections by Username


Lists the total connections for all users of VPN gateways. Sorted by user name.

Cisco Router (IDS) Standard Reports


The Reports module includes the following standard reports for the Cisco Router (IDS)
event source.

Alarm Level Summary


Summarizes the number of alarms for each alarm level.

Alarms by IDS Device


Displays the alarm count for each sensor.

Intrusion Event Summary by Alarm Level


Summarizes intrusion events detected by the Cisco integrated firewall intrusion detection
sensor on the router by alarm level. Sorted by alarm level.

Intrusion Event Summary by External Source Address


Lists the attack events detected by the Cisco integrated firewall intrusion detection sensor
on the router from external sources.

Intrusion Event Summary by Intrusion Detection System (IDS) Device


Summarizes intrusion events detected by the Cisco integrated firewall intrusion detection
sensor on the router. Sorted by router address, alarm level, and number of alarms.

Intrusion Event Summary by Internal Source Address


Lists the attack events detected by the Cisco integrated firewall intrusion detection sensor
on the router from internal sources.

Intrusion Event Summary by Signature Category


Summarizes intrusion events detected by the Cisco integrated firewall intrusion detection
sensor on the router by signature category. Sorted by alarm level.

Intrusion Event Summary by Signature Description


Summarizes intrusion events detected by the Cisco integrated firewall intrusion detection
sensor on the router by signature description. Sorted by alarm level.

Intrusion Event Summary by Source Address


Summarizes intrusion events detected through the Cisco integrated firewall intrusion
detection sensor on the router by intruding source address. Sorted by source address and
number of alarms.

Intrusion Event Summary by Source/Destination Direction


Summarizes intrusion events detected through the Cisco integrated firewall intrusion
detection sensor on the router by source and destination direction. Sorted by alarm level.

Intrusion Events by Date/Time


Lists the intrusion events detected by the Cisco integrated firewall intrusion detection
sensor on the router. Sorted by date and time.

Top 10 Source Addresses of Alarms


Lists the 10 source IP addresses that have generated the most events or alarms.

Top Source Addresses of Intrusion Events


Summarizes intrusion events detected through the Cisco integrated firewall intrusion
detection sensor on the router by source address. Sorted by number of alarms.

Cisco Router Standard Reports


The Reports module includes the following standard reports for the Cisco Router event
source.

Bandwidth Usage by Address


Summarizes the number of permitted packets per source address for all network traffic
through Cisco routers. Sorted by packet count. Only network traffic from Cisco router
interfaces with access control lists applied and logging enabled is reported. Source
address can be an Internet or intranet address depending on which router interface the
access list is applied and in which direction.

Bandwidth Usage by Department


Summarizes the number of permitted packets per department for all network traffic
through Cisco routers. Sorted by packet count. Only network traffic from Cisco router
interfaces with access control lists applied and logging enabled is reported. The source
address can be an Internet or intranet address depending on which router interface the
access list is applied to and in which direction.

Bandwidth Usage by Port


Summarizes the number of permitted packets passing through Cisco routers by port.
Sorted by packet count. Only network traffic from Cisco router interfaces with access
control lists applied and logging enabled is reported. Source address can be an Internet or
intranet address depending on which router interface the access list is applied and in
which direction.

Denied Packets per Hour


Displays the number of denied packets per hour by Cisco routers. Use this report to spot
possible security threat trends over time ranges. Each tick mark on vertical hourly axes
represents accumulated denied packets for the previous hour.

Denied Traffic by Address


Summarizes the number of denied packets per source address through Cisco routers.
Sorted by denied packet count. Only network traffic from Cisco router interfaces with
access control lists applied and logging enabled is reported. Source address can be an
internal or external address depending on which router interface the access list is applied
and in which direction.

Denied Traffic by Port


Summarizes denied traffic filtered through Cisco routers by port. Sorted by packet count.
Only network traffic from Cisco router interfaces with access control lists applied and
logging enabled is reported.

Inbound E-mail Traffic


Summarizes the number of inbound e-mail packets permitted through Cisco routers by
destination address. Sorted by router address, access control list, and number of sessions.
Only network traffic from Cisco router interfaces with access control lists applied and
logging enabled is reported. The system determines inbound or outbound traffic from the
network information entered in its ipaddr.tab file. If this file is not configured, the
system assumes that traffic is inbound.
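The Denied Traffic by Address and Denied Traffic by Port reports above count denied packets from the router's ACL log messages, and the inbound/outbound traffic reports depend on the ipaddr.tab rule just described. The following Python is an added example, not enVision code, that does both over constructed Cisco IOS %SEC-6-IPACCESSLOGP (TCP/UDP) and %SEC-6-IPACCESSLOGDP (ICMP) lines: it parses the ACL number, action, protocol, addresses, ports and packet count, tallies denied packets by source address and by destination port, and classifies direction against a list of internal networks that stands in for ipaddr.tab (the real file's format is not shown on this page, so the list is a hypothetical substitute), applying the page's fallback that all traffic is treated as inbound when no internal networks are configured. One caveat when reading the totals: IOS only logs ACL entries that carry the log keyword, and after the first match it emits one message per logging interval with an aggregated count, so each line's "N packets" is already a per-interval sum.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# Constructed sample IOS ACL log lines in the %SEC-6-IPACCESSLOGP (TCP/UDP)
# and %SEC-6-IPACCESSLOGDP (ICMP) layouts; not captured from a real router.
SAMPLE_ACL_LOG = """\
%SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(43921) -> 10.1.1.5(23), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(43922) -> 10.1.1.5(23), 4 packets
%SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(5353) -> 10.1.1.8(161), 2 packets
%SEC-6-IPACCESSLOGP: list 110 denied tcp 10.1.1.20(51514) -> 203.0.113.9(6667), 3 packets
%SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.0.2.10 -> 10.1.1.5 (8/0), 1 packet
%SEC-6-IPACCESSLOGP: list 110 permitted tcp 10.1.1.20(51515) -> 203.0.113.9(443), 12 packets
"""

# Hypothetical stand-in for the networks an administrator would enter in
# ipaddr.tab; the real file's format is not documented on this page.
INTERNAL_NETWORKS = ["10.1.1.0/24"]

# Ports are only present for TCP/UDP (LOGP); ICMP (LOGDP) carries type/code instead.
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP|NP): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?(?: \((?P<icmp>\d+/\d+)\))?, (?P<count>\d+) packets?"
)


def parse_acl_log(line: str) -> Optional[Dict]:
    """Parse one ACL log line into a record, or return None if it is not one."""
    m = ACL_RE.search(line)
    if not m:
        return None
    return {
        "acl": m["acl"], "action": m["action"], "proto": m["proto"],
        "src": m["src"], "dst": m["dst"],
        "sport": int(m["sport"]) if m["sport"] else None,
        "dport": int(m["dport"]) if m["dport"] else None,
        "icmp": m["icmp"],                 # ICMP type/code, e.g. "8/0" for echo request
        "packets": int(m["count"]),        # aggregated over the IOS logging interval
    }


def classify_direction(src: str, internal_networks: Iterable[str]) -> str:
    """Apply the page's rule: a source inside a configured internal network is
    outbound; anything else, and everything when nothing is configured, is inbound."""
    nets = [ipaddress.ip_network(n) for n in internal_networks]
    if not nets:
        return "inbound"
    addr = ipaddress.ip_address(src)
    return "outbound" if any(addr in net for net in nets) else "inbound"


def summarize_denied(lines, internal_networks: Iterable[str] = ()) -> Dict:
    """Denied packet totals by source address, by destination port and by direction."""
    by_source: Counter = Counter()
    by_port: Counter = Counter()
    by_direction: Counter = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec is None or rec["action"] != "denied":
            continue
        port_key = f'{rec["proto"]}/{rec["dport"]}' if rec["dport"] is not None else rec["proto"]
        by_source[rec["src"]] += rec["packets"]
        by_port[port_key] += rec["packets"]
        by_direction[classify_direction(rec["src"], internal_networks)] += rec["packets"]
    return {
        "by_source": by_source.most_common(),     # Denied Traffic by Address
        "by_port": by_port.most_common(),         # Denied Traffic by Port
        "by_direction": dict(by_direction),
    }


if __name__ == "__main__":
    for key, value in summarize_denied(SAMPLE_ACL_LOG.splitlines(), INTERNAL_NETWORKS).items():
        print(key, value)
```

Run it twice, once with the internal network list and once with an empty one, and the by_direction totals show why leaving ipaddr.tab unconfigured is worth fixing: every denied packet, including the internal host reaching out to port 6667, is reported as inbound.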

Inbound FTP Traffic


Summarizes permitted inbound FTP packet usage through Cisco routers. Sorted by router
address, access control list, and number of sessions. Only network traffic from Cisco
router interfaces with access control lists applied and logging enabled is reported. The
system determines whether traffic is inbound or outbound from the information entered in
the ipaddr.tab file located in the program directory. If this file is not configured, the
system assumes that traffic is inbound.

Inbound HTTP Traffic


Summarizes the number of permitted packets transferred by destination address for
inbound HTTP traffic through Cisco routers. Sorted by router address, access control list,
and number of sessions. Only network traffic from Cisco router interfaces with access
control lists applied and logging enabled is reported. The system determines whether
traffic is inbound or outbound from the information entered in the ipaddr.tab file located
in the program directory. If this file is not configured, the system assumes that traffic is
inbound.

Inbound Telnet Traffic


Summarizes the number of inbound Telnet packets permitted through Cisco routers.
Sorted by router address, access control list, and number of sessions. Only network
traffic from Cisco router interfaces with access control lists applied and logging enabled
is reported. The system determines inbound or outbound traffic from the network
information entered in the ipaddr.tab file. If this file is not configured, the system
assumes that traffic is inbound.

Outbound E-mail Traffic


Summarizes the number of outbound e-mail packets permitted through Cisco routers by
destination address. Sorted by router address, access control list, and number of sessions.
Only network traffic from Cisco router interfaces with access control lists applied and
logging enabled is reported. The system determines inbound or outbound traffic from the
network information entered in the ipaddr.tab file. If this file is not configured, the
system assumes that traffic is inbound.

Outbound FTP Traffic


Summarizes the number of permitted packets transferred per source and destination
address pair for outbound FTP sessions through Cisco routers. It is sorted by router
address, access control list, and number of sessions. Only network traffic from Cisco
router interfaces with access control lists applied and logging enabled is reported. The
system determines whether traffic is inbound or outbound from the information entered in
the ipaddr.tab file located in the program directory. If this file is not configured, the
system assumes that traffic is inbound.

Outbound HTTP Traffic


Summarizes the number of permitted packets transferred by destination address for
outbound HTTP traffic through Cisco routers. Sorted by router address, access control
list, and number of sessions. Only network traffic from Cisco router interfaces with
access control lists applied and logging enabled is reported. The system determines
whether traffic is inbound or outbound from the information entered in the ipaddr.tab file
located in the program directory. If this file is not configured, the system assumes that
traffic is inbound.

Outbound Telnet Traffic


Summarizes the number of outbound Telnet packets permitted through Cisco routers.
Sorted by router address, access control list, and number of sessions. Only network
traffic from Cisco router interfaces with access control lists applied and logging enabled
is reported. The system determines inbound or outbound traffic from the network
information entered in the ipaddr.tab file. If this file is not configured, the system
assumes that traffic is inbound.

Permitted Packets by Address


Displays the number of permitted packets by address through Cisco routers. Use this
report to spot top packet users through your router.

Permitted Packets per Hour


Displays the number of permitted packets per hour by Cisco routers. Use this report to
spot peak packet usage trends over time ranges. Each tick mark on vertical hourly axes
represents accumulated permitted packets for the previous hour.

Permitted Packets by Port


Displays the number of permitted packets by port through Cisco routers. Use this report to
spot top bandwidth applications running across your router.

SiteTrack Detection


Lists packets that have been permitted or denied through Cisco routers whose hostname
lookups match any of the keywords entered in the SiteTrack keyword list. Sorted by
date and time. The keyword match is shown in parentheses ( ) preceding the message in
the Message field. Keywords must be entered in the SiteTrack keyword list, and the
DNS Resolver service must be enabled for this feature to function. The DNS Resolver
service performs a hostname lookup of both source and destination IP addresses in every
packet that it receives from Cisco routers.

System Critical Events


Lists router system status messages received from Cisco routers. Sorted by date and time.
Only Cisco routers with logging enabled are reported.

System Interface Events


Lists system interface status messages from Cisco routers. Sorted by date and time. Only
Cisco routers with logging enabled are reported.

Top 20 Bandwidth Users


Displays the top 20 bandwidth users by address through Cisco routers. Use this report to
spot top bandwidth users through the router.

Top 20 Denied Packets by Address


Displays the top 20 addresses of denied packets through Cisco routers. Use this report to
quickly spot foreign addresses that are possibly attempting to breach your security policy.

Top 20 Denied Packets by Port


Displays the 20 ports with the most denied packets through Cisco routers. Use this report
to quickly spot which applications may possibly be used for an attempted security breach.

Call Data - Call Information By Call ID


Displays all information associated with specified calls within a time period. Information
includes setup time, user name, number called or calling, origin, connection speed, and
traffic passed.

Call Data - Top 10 Total Duration By Number Called


Displays the total call time duration associated with the top 10 numbers called. The call
time is displayed in seconds.

Call Data - Top 10 Total Duration By Username


Displays the top 10 user names based upon call duration time for the specified time
period.

Call Data - Total Disconnects by Error for Each Device


Displays the number of events that present an error in the disconnect code for each call.

Call Data - Total Usage By Device


Displays the call traffic associated with each event source. This is an executive-level
report for administrators.

Call Data - Total Usage By Username


Queries the call data record for all associated call information. Results are displayed by
the user name associated with the calls.

Cisco Secure IDS Standard Reports


The Reports module includes the following standard reports for the Cisco Secure IDS
event source.

Top 10 Sources of Alarms


Displays the top 10 sources of alarms by source IP address.

Top 20 Alarms
Displays the top 20 alarms by signature ID that have been generated.

Top 20 Destinations of Alarms


Displays the top 20 destination IP addresses that have been targeted for attack.

Top 20 Source-Destination Pairs of Alarms


Displays the 20 source-destination pairs that have generated the most alarms.

Top 20 Sources of Alarms


Displays the 20 source IP addresses that have generated the most events or alarms from
the Cisco Secure IDS sensors.

Alarm Destination Report


Displays alarms sorted by destination IP address.

Top 20 Alarms by Port


Displays the top 20 alarms sorted by destination port.

Alarm Report
Displays alarms based on signature names. Sorted by alarms and signature names.

Alarm Levels
Displays the number of alarms for each alarm level.

Alarms by Hour
Displays the number of alarms by hour for a given time period.

Alarms by Sensor
Displays the alarm count for each sensor.

Alarms by Sensor Device


Displays the total number of alarms generated by each sensor event source. Sorted by
total number of alarms.

Cisco Security Agent (IPS) Standard Reports


The Reports module includes the following standard reports for the Cisco Security Agent
event source.

Security Agent License Messages


Displays events that deal with the Security Agent licenses.

Service and Agent Messages


Displays Security Agent service and agent restart events.

Total Attack Events by Event Type


Displays the total number of intrusion events grouped by the event type.

Total Events by ButtonCode


Displays the total number of intrusion events grouped by the ButtonCode (Disposition).

Total Number of Attacks by Host ID


Displays the total intrusion events forwarded to the RSA enVision Collector grouped by
the host ID of Security Agent.

Cisco Security Agent Standard Reports


The Reports module includes the following standard reports for the Cisco Security Agent
event source.

Security Agent License Messages


Lists events associated with the Security Agent licenses.

Service and Agent Messages


Lists Security Agent restart events.

Total Attack Events by Event Type


Displays the total number of intrusion events, grouped by the event type.

Total Events by ButtonCode


Displays the total number of intrusion events, grouped by disposition (ButtonCode).

Total Number of Attacks by Host ID


Displays the total intrusion events, grouped by the host ID of Security Agent.

Cisco Switch Standard Reports


The Reports module includes the following standard reports for the Cisco Switch event
source.

Failed Authentications
Displays the total number of failed authentications during the specified time period.

Failed Authentications by Username


Displays the total number of failed authentications by user name during the specified time
period.

Successful Authentications
Displays the total number of successful authentications during the specified time period.

Successful Authentications by Username


Displays the total number of successful authentications by user name during the specified
time period.

Cisco Unified Computing System Manager Standard Reports


The Reports module includes the following standard reports for the Cisco Unified
Computing System Manager event source.

Historical Overview of Hardware Faults


Displays all the information about hardware faults reported by Cisco UCS Manager.

Failed Authentications by User name


Displays the total number of failed authentications by user name during a specified time
period.

Cisco VPN 3000 Concentrator Standard Reports


The Reports module includes the following standard reports for the Cisco VPN 3000
Concentrator event source.

Bandwidth Usage per Hour


Displays the VPN bandwidth usage per hour.

Connection Statistics by Username


Lists the date and time stamp, user name, and event source addresses associated with
each successful connection attempt.

Denied Connections
Displays the number of denied connections by VPN gateway.

Denied Connections by Date/Time


Displays the VPN denied connections by date and time for the entire group of VPN
gateways.

Denied Connections by Username


Displays the VPN denied connections by user name for the entire group of VPN
gateways. Sorted by denied connections.

Denied Connections per Hour


Displays the VPN denied connections per hour.

Successful Authentications by Date/Time


Queries the database for messages that report successful authentication requests.
Displays information such as date and time, event source address, user name, local port
name, and group name.

Successful Authentications by GroupName


Queries the database for messages that report successful authentication requests. Reports
successful connection counts by group name.

Successful Authentications by Username


Queries the database for messages that report successful authentication requests. Reports
successful connection counts by user name.

Successful Connections by Device Address


Totals all successful connections to the monitored Cisco VPN 3000 Concentrators. Sorted
by event source address.

Systems Events by Device


Lists system events, such as configuration changes and hardware errors, for each event
source. Sorted by date and time and VPN event source.

Top 20 Bandwidth Users By Total Bytes


Displays the top 20 users for all VPN gateways by total bytes.

Top 20 Users by Duration


Displays the top 20 users by tunnel connection duration for all VPN gateways.

Top 20 Users by Number of Connections


Displays the top 20 users by connections for all VPN gateways.

Total Bytes by Username


Lists the total bytes transferred by user name for all VPN gateways. Sorted by user name
and total bytes. The total bytes are calculated by adding up the byte entries for each
user's local address.

Total Duration by Username


Lists the total connection duration for all users of VPN gateways. Sorted by user name
and total duration. The total duration is calculated by adding up the duration entries for
each user's local address.

Citrix Access Gateway Standard Reports


The Reports module includes the following standard reports for the Citrix Access
Gateway event source.

Configuration Changes
Details all configuration changes to the Citrix Access Gateway event source.

Overview of Successful Authentication


Details information about successful authentication attempts.

Overview of Failed Authentication


Details information about failed authentication attempts.

Cyber-Ark PIM Standard Reports


The Reports module includes the following standard reports for the Cyber-Ark PIM event
source.

Historical Overview Of Failed Logins


Lists user names and actions that led to failed logons.

Historical Overview Of Successful Login/Logout


Lists user names with successful logons and logoffs.

Informational And Configuration Messages


Lists user activity information and configuration changes.

CyberGuard Firewall Standard Reports


The Reports module includes standard reports for the CyberGuard Firewall event source.

Authentication Failures
Lists the users that failed to authenticate to the firewall.

Critical Hardware Events


Lists the hardware sensors generating events.

Login Events
Lists the logon events.

Top 20 Bandwidth Ports


Lists the top 20 bandwidth ports.

Top 20 Bandwidth Users


Lists the top 20 bandwidth users.

Top 20 Connections by Address


Lists the top 20 connections, sorted by IP address.

Top 20 Connections by Port


Lists the top 20 connections, sorted by port.

Top 20 Denied Addresses


Lists the top 20 addresses that were denied.

Enterasys Dragon (IDS) Standard Reports


The Reports module includes the following standard reports for the Enterasys Dragon
(IDS) event source.

Top 10 Attacks by Attack Signature


Displays the top 10 attacks grouped by attack signature.

Top 10 Attacks by Destination Address


Displays the top 10 attacks grouped by destination address. Administrators can use this
report to determine which devices are routinely being attacked.

Top 10 Attacks by Destination Port


Displays the top 10 attacks grouped by destination port. Administrators can use this report
to determine which network services are routinely being attacked.

Top 10 Attacks by Network Sensor


Displays the top 10 attacks grouped by sensor. Administrators can use this report to
determine which sensors are detecting the most attacks and, based on sensor deployment,
which areas of the network are routinely being attacked.

Top 10 Attacks by Source Address


Displays the top 10 attacks grouped by source address.

Total Attacks by Hour


Displays the number of attacks grouped by the hour of detection. Administrators can use
this report to determine patterns of attacks based on the time of day.

eEye Retina Network Security Scanner Standard Reports


The Reports module includes the following standard reports for the eEye Retina Network
Security Scanner event source.

Alarm Level Summary


Displays the number of alarms per alarm level.

Alarms per Device


Displays the number of detected alarms per event source in the network.

All Vulnerabilities
Lists all vulnerabilities reported by eEye Retina Scanner.

EMC Documentum Standard Reports


The Reports module includes the following standard reports for the EMC Documentum
event source.

Audit Check-in / Checkout Events


Lists the details about all check-ins and checkouts.

Top 10 Audit Events by Action


Lists the details of the audit trail messages for the 10 most frequent actions.

EMC Ionix Standard Reports


The Reports module includes the following standard reports for the EMC Ionix event source.

Agent Deployment Statistics


Reports all the successful and unsuccessful agent deployment events.

Successful and Failed Compliance Statistics


Reports all the successful and failed compliance template results.

Successful and Failed Logons


Reports successful and failed logon attempts to the SCM console.

Top 20 Changed Data Types


Reports the top 20 changed data types between successive collections of Ionix SCM.

Enterasys Networks Dragon Standard Reports


The Reports module includes the following standard reports for the Enterasys Networks
Dragon event source.

Top 10 Attacks by Attack Signature


Displays a count of all attacks grouped by attack signature.

Top 10 Attacks by Destination Address


Displays a count of all attacks grouped by destination address. Administrators can use
this report to determine which event sources are routinely being attacked.

Top 10 Attacks by Destination Port


Displays a count of all attacks grouped by destination port. Administrators can use this
report to determine which network services are routinely being attacked.

Top 10 Attacks by Network Sensor


Displays a count of all attacks grouped by sensor. Administrators can use this report to
determine which network sensors are detecting the most attacks and, based on sensor
deployment, which areas of the network are routinely being attacked.

Top 10 Attacks by Source Address


Displays a count of all attacks grouped by source address.

Total Attacks by Hour


Displays a count of all attacks grouped by hour of detection. Administrators can use this
report to determine patterns in attacks based on time of day.

McAfee ePolicy Orchestrator Standard Reports


The Reports module includes the following standard reports for McAfee ePolicy
Orchestrator.

McAfee ePolicy Detailed task report


Lists all task-related activities from McAfee ePolicy.

McAfee ePolicy Error conditions


Lists all the error conditions reported from McAfee ePolicy.

McAfee ePolicy Top 20 Viruses


Displays the top 20 viruses found on the network.

McAfee ePolicy Top 20 e-mail Viruses


Displays the top 20 e-mail viruses found on the network.

McAfee ePolicy Top 20 infected e-mail sources


Displays the top 20 infected e-mail sources found on the network.

McAfee ePolicy Top 20 infected files


Displays the top 20 infected files found on the network.

McAfee ePolicy Top 20 infected systems


Displays the top 20 infected systems found on the network.

Extreme Networks ExtremeWare Switch Standard Reports


The Reports module includes the following standard reports for the Extreme Networks
ExtremeWare Switch event source.

Failed logins
Displays all failed logon attempts.

Successful logins
Displays all successful logon attempts.

Extreme Networks ExtremeXOS Standard Reports


The Reports module includes the following standard reports for the Extreme Networks
ExtremeXOS event source.

Failed logins
Lists all failed logon attempts.

Successful logins
Lists all successful logon attempts.

F5 Big-IP Application Security Manager Standard Reports


The Reports module includes the following standard reports for the F5 Big-IP Application
Security Manager event source.

BigIP ASM List of All Policy Violations


Displays all policy violations blocked by the ASM module on the Big-IP switch.

BigIP ASM List of All Non-Blocked Policy Violations


Displays all policy violations logged but not blocked by the ASM module on the Big-IP
switch.

BigIP ASM Most Frequent Sources of Attacks


Displays the top sources of attacks by source IP address.

BigIP ASM Chart of Dropped Requests Per Attacked URL


Displays dropped requests per attacked URL.

BigIP ASM List of Intrusion Attacks by Destination


Lists intrusion attacks on the system with the number of dropped requests.

Fortinet FortiGate Standard Reports


The Reports module includes the following standard reports for the Fortinet FortiGate
event source.
For some device-specific reports, the class of the report changes when the event source
is updated to Content 2.0. In this case, the location of the report in the enVision UI also
changes.
For example, for Fortinet FortiGate, the URL Blocks report changed classes from
Security.Firewall to Host.Web Logs. In the enVision UI, the report moved as follows:
Location for standard content: Reports > Ad Hoc Reports > Security > Firewalls >
Fortinet Antivirus Firewall > URL Blocks
Location for Content 2.0: Reports > Ad Hoc Reports > Host > Web Logs > Fortinet
> URL Blocks

If you update the event source to Content 2.0, you must run the report from this new
location.
Note: For backwards compatibility, the report continues to exist in its previous location.
However, once you update an event source to Content 2.0, the old report will not return
any data.

Each report is listed with its description, its Content 1.0 class, and its Content 2.0 class.

Admin Configuration Changes
Displays all the administration configuration changes.
Content 1.0 class: Security.Firewall. Content 2.0 class: Security.Firewall.

Admin Critical Events
Displays all the critical events based on administrator actions.
Content 1.0 class: Security.Firewall. Content 2.0 class: Security.Firewall.

Admin Failed Login Events
Displays all the failed logon events to a FortiGate appliance.
Content 1.0 class: Security.Firewall. Content 2.0 class: Security.Firewall.

Admin Warning Events
Displays all the warning events based on administrator actions.
Content 1.0 class: Security.Firewall. Content 2.0 class: Security.Firewall.

Category Blocks
Displays URL requests blocked by the web category filtering.
Content 1.0 class: Security.Firewall. Content 2.0 class: Host.Web Logs.

Critical System Events
Displays all the critical system events.
Content 1.0 class: Security.Firewall. Content 2.0 class: Security.Firewall.

Failed Authentications
Displays all the failed authentications through a FortiGate appliance.
Content 1.0 class: Security.Firewall. Content 2.0 class: Security.Firewall.

Historical overview of all Application Control Events
Displays an overview of all the application control events.
Content 1.0 class: Security.Firewall. Content 2.0 class: Security.Firewall.

Historical overview of all Data Leak Prevention Events
Displays an overview of all the data leak prevention events.
Content 1.0 class: Security.Firewall. Content 2.0 class: Security.DLP.

Successful Authentications
Displays all the successful authentications through a FortiGate appliance.
Content 1.0 class: Security.Firewall. Content 2.0 class: Security.Firewall.

Top 20 Attack Signatures
Displays the top 20 attack signatures.
Content 1.0 class: Security.Firewall. Content 2.0 class: Security.Intrusion.

Top 20 Attack Source Addresses
Displays the top 20 IP addresses generating attacks.
Content 1.0 class: Security.Firewall. Content 2.0 class: Security.Intrusion.

Top 20 Connections by Address
Displays the top 20 IP addresses that connected through a FortiGate appliance.
Content 1.0 class: Security.Firewall. Content 2.0 class: Security.Firewall.

Top 20 Connections by Port
Displays the top 20 ports that connected through a FortiGate appliance.
Content 1.0 class: Security.Firewall. Content 2.0 class: Security.Firewall.

Top 20 Denied IP Addresses
Displays the top 20 IP addresses that were denied through a FortiGate appliance.
Content 1.0 class: Security.Firewall. Content 2.0 class: Security.Firewall.

Top 20 Denied Ports
Displays the top 20 ports that were denied through a FortiGate appliance.
Content 1.0 class: Security.Firewall. Content 2.0 class: Security.Firewall.

Top 20 Spam IP Addresses
Displays the top 20 addresses generating spam e-mail messages.
Content 1.0 class: Security.Firewall. Content 2.0 class: Network.Messaging.

URL Blocks
Displays URL requests blocked due to being on the block list.
Content 1.0 class: Security.Firewall. Content 2.0 class: Host.Web Logs.

Virus Infection Events
Displays all the files infected with a virus.
Content 1.0 class: Security.Firewall. Content 2.0 class: Security.Antivirus.

Foundry Networks Switch Standard Reports


The Reports module includes the following standard reports for the Foundry Networks
Switch event source.

Attack Prevention - Host Holddown


Lists all source and destination IP address pairs that the Attack Prevention feature has in
"holddown." The system is not sending these packets to any servers.

Hardware Failures
Displays the details of critical system hardware failures.

Privileged Logins
Lists all users that have exercised privileged logon rights.

SNMP Authentication Failures


Displays the details of SNMP authentication failures.

Secured Port Access Violations


Displays the attempts by unauthorized event sources to communicate to secured ports.

Top 20 Access Control List Drops


Displays the top 20 access control list drop events.

Top 20 Access Control List Drops by Source Address Summary


Lists the top 20 source addresses that have had packets dropped or denied.

Top 20 Access Control List Drops by Source Address Summary Graph


Displays a graph of the top 20 source addresses that have had packets dropped or denied.

Top 20 SMTP Root Bridge Changes


Lists the top 20 root bridge changes that have taken place.

HP UX / FreeBSD Standard Reports


The Reports module includes the following standard reports for the HP UX / FreeBSD
event source.

HPUX / FreeBSD - Super User Access


Displays successful super user attempts and the user name associated with each attempt.

HPUX / FreeBSD - Super User Access by Username


Displays all super user authentication attempts, the result of the attempts, and the
usernames associated with the attempts. Enter a username in the provided field between
the percent signs, then run the report.

HPUX / FreeBSD - Total Bytes by Device Address


Displays the total bytes transferred by individual user name.

HPUX / FreeBSD - Total Connections by Address


Displays the total connections to a monitored event source by foreign address.

HPUX / FreeBSD - Total Connections by Username


Displays the total connection attempts by a specific user name in a specified time range.

IBM AIX Standard Reports


The Reports module includes the following standard reports for IBM AIX.

Failed Login Attempts


Lists failed logon attempts by user name. The date and time of the attempt are also listed.

Failed Logon Attempts by Username


Lists the failed logon attempts of all users. Enter a user name in the provided field
between the percent signs, then run the report.

Failed Super User Attempts


Lists unsuccessful attempts to use the switch user command (attempts to switch user to
"root" that were denied) by user.

Failed Super User Attempts by Username


Lists unsuccessful attempts to use the switch user command (attempts to switch user to
"root" that were denied). Enter a user name in the provided field between the percent
signs, and then run the report.

Super User Access


Lists successful attempts to use the switch user command (attempts to switch user to
"root" that succeeded) by user and the time the action was performed.

Super User Access by Username


Lists successful attempts to use the switch user command (attempts to switch user to
"root" that succeeded). Enter a user name in the provided field between the percent signs,
then run the report.

Total Connections by Foreign Address


Displays total connections by source address.

Total Connections by Port


Displays the total connections by source port.

Total Connections by Username


Displays the total connections by user name.

Syslog Conf File Changes


Summarizes all of the events when users try to modify the Syslog.conf file.

IBM iSeries Standard Reports


The Reports module includes the following standard reports for the IBM iSeries event
source.

Access Control List Changes Details


Displays changes to the access control list entries.

Account Limit Exceeded Details


Displays the account limit exceeded entries.

Actions that Affect Jobs Details


Displays the actions that affect jobs entries.

Attribute Changes Details


Displays the attribute changes entries.

Auditing Changes Details


Displays the auditing changes entries.

Authority Changes Details


Displays the authority changes entries.

Authority Failures Details


Displays the authority failure entries.

Create Object Details


Displays the create object entries.

Delete Object Details


Displays the delete object entries.

Entry Types by System


Displays the count of entry types by system.

Entry Types by User


Displays the count of entry types by user.

Invalid Password Details


Displays the invalid password entries.

Jobs by Systems
Displays the counts of jobs by systems.

Jobs by Users
Displays the counts of jobs by user names.

Logging On and Off Details


Displays the logging on and off entries.

Network Password Errors Details


Displays the network password errors entries.

Object Move or Rename Details


Displays the object move or rename entries.

Printed Output Details


Displays the printed output entries.

Program Change Details


Displays the program change entries.

Programs by Systems
Displays the counts of programs by system.

Server Security User Information Details


Displays the server security user information entries.

System Management Changes Details


Displays the invalid password entries.

System Value Changes Details


Displays the changes to the system value entries.

Top 20 Entry Types


Displays the 20 entry types generating the highest number of events in the audit journal.

Top 20 Jobs
Displays the 20 programs generating the highest number of events in the audit journal.

Top 20 Programs
Displays the 20 programs generating the highest number of events in the audit journal.

Top 20 Systems
Displays the 20 systems generating the highest number of events in the audit journal.

Top 20 Users
Displays the 20 users generating the highest number of events in the audit journal.

User Activity by Systems


Displays the counts of user activity by system.

iSeries - User Authentication Details


This table displays details about User Access.

CA ACF2 Standard Reports


The Reports module includes the following standard reports for CA ACF2.

Denial of Access to resources or Services


Lists denial of access to resources or services.

Failed Login Attempts


Lists failed logon attempts.

IBM Mainframe DB2 UDB Standard Reports


The Reports module includes the following standard reports for IBM Mainframe DB2
UDB.

Authorization
Lists assignment or change of an authorization ID.

Bind Attempts
Lists the attempts for the bind of static and dynamic SQL statement for the types
INSERT, UPDATE, DELETE, CREATE VIEW, and LOCK TABLE.

Change Table Attempts


Lists changes to audited tables including accesses to dependent tables.

Denied Access Attempts


Lists access attempts to DB2 that failed due to inadequate authorization.

Explicit GRANT
Lists the explicit GRANT statements and their results.

Read Accesses
Lists all read access to identified and audited tables.

IBM Mainframe RACF Standard Reports


The Reports module includes the following standard reports for IBM Mainframe RACF.

Denial of Access to resources or Services


Lists denial of access to resources or services.

Failed Login Attempts


Lists failed logon attempts.

Successful Login by Username


Lists all successful logon messages by user name.

Successful Login of Non Policy Accounts


Lists successful logon of non-policy accounts.

Users and Groups Creations or Deletions


Lists the groups and users created or deleted.

Users or Groups Modifications


Lists the groups and users modified.

IBM Mainframe SMA_RT (OS390/ZOS) Standard Reports


The Reports module includes the following standard reports for IBM Mainframe SMA_RT
(OS390/ZOS).

Login Errors by Username


Displays a count of logon errors and password violations grouped by user name.

Successful Logins by Username


Displays a count of successful logon messages grouped by user name.

IBM Mainframe Top Secret Standard Reports


The Reports module includes the following standard reports for the IBM Mainframe Top
Secret event source.

Denial of Access to resources or Services


Lists denial of access to resources or services.

Failed Login Attempts


Lists failed logon attempts.

Top Secret All Records


Lists all records.

Top Secret Dataset


Lists all datasets.

Top Secret Resource


Lists all resources.

Intel NetStructure VPN Standard Reports


The Reports module includes the following standard reports for the Intel NetStructure
VPN event sources.

Bandwidth Usage per Hour


Displays the VPN bandwidth usage per hour.

Bandwidth by Local Address


Lists the total bytes by local address for all VPN gateways. Sorted by user name and total
bytes. The total bytes are calculated by adding up the byte entries for each local address.

Denied Connections
Displays the number of denied connections by VPN gateway.

Denied Connections by Foreign Address


Displays the VPN denied connections by IP address for the entire group of VPN
gateways. Sorted by denied connections.

Denied Connections by Port


Displays the denied connections by port number. Sorted by denied connections.

Denied Connections by Hour


Displays the VPN denied connections per hour.

System Events by Device


Lists each system event, such as configuration changes and hardware errors, for each
event source. Sorted by date and time and VPN event source.

Top 20 Bandwidth Users by Total Kbytes


Displays the top 20 users for all VPN gateways by total bytes.

Top 20 Port Traffic Distribution


Displays the top 20 TCP/IP application ports for all VPN gateways. Sorted by total bytes.

Top 20 Tunnel Bandwidth Users


Displays the top 20 tunnel carriers. Sorted by total bytes.

Top 20 Tunnel Durations


Displays the top 20 tunnel connections. Sorted by total duration.

Top 20 Tunnel Users by Total Connections


Displays the top 20 tunnel users. Sorted by total connections.

Top 20 Users by Durations


Displays the top 20 tunnel connections for all VPN gateways.

Top 20 Users by Number of Connections


Displays the top 20 users by connections for all VPN gateways.

Total Connections by Local Address


Lists the total number of connections by local address for all VPN gateways. Sorted by
local address and total connections. The total connection count is calculated by the
number of rows per user.

Total Duration by Local Address


Lists the total duration for all users of VPN gateways. Sorted by IP address and total
duration. The total duration is calculated by adding up the duration entries for each local
address.

Tunnel Summary of Bandwidth by Username


Displays the VPN tunnel summary by each VPN event source and for each tunnel. Sorted
by VPN event source and total bytes by each user.

Tunnel Summary of Total Duration by Username


Displays the VPN tunnel summary by each VPN event source and for each tunnel. Sorted
by VPN event source and total duration by each user.

ISS RealSecure IDS Server Sensor


The Reports module includes the following standard reports for the ISS RealSecure IDS
Server Sensor event source.

Alarm Destination Report


Lists alarms sorted by the destination IP address that generated the alarm.

Alarm Levels
Displays the number of alarms for each alarm level.

Alarm Report
Lists alarms based on signature names, sorted by alarms and signature names.

Alarms by Hour
Displays the number of alarms by hour for a given time period.

Alarms by Sensor
Lists the alarm count for each sensor.

Alarms by Sensor (ODBC Collection Only)


Lists the alarm count for each sensor. Use this report only for ODBC collection when the
address field is used.

Alarms by Sensor Device


Displays the alarm count for each sensor.

Alarms by Sensor Device (ODBC Collection Only)


Displays the alarm count for each sensor. Use this report only for ODBC collection when
the address field is used.

Top 10 Alarms
Lists the top 10 alarms by signature name that have been generated.

Top 10 Destinations of Alarms


Lists the top 10 destination IP addresses that have been targeted for attack.

Top 10 Source-Destination Pairs of Alarms


Lists the 10 source-destination pairs that have generated the most alarms.

Top 10 Sources of Alarms


Lists top 10 sources of alarms by source IP address.

Juniper DX Application Accelerator Standard Reports


The Reports module includes the following standard reports for the Juniper DX
Application Accelerator event source.

Top 100 Requested URLs for a Given Time Period


Lists the top 100 requested URLs for a given time period.

Top 20 Clients by Request


Lists the top 20 clients by request.

Top 20 Requests by Domain Name


Lists the top 20 requests by domain name.

Total Bytes Passed by Hour


Displays the total bytes passed by hour.

Total Bytes by Client IP


Lists the top 25 policies (policy names) by the number of attacks that they recognize.

Total Bytes by Domain Name


Displays the total bytes by domain.

Total Requests by Hour


Displays the total number of requests by hour.

Juniper Networks IDP Standard Reports


The Reports module includes the following standard reports for the Juniper Networks IDP
event source.

Severe Attacks
Displays the severe attacks as recognized by the IDP event sources. A severe attack is
when the process field was set to DROP or CLOSE.

Top 25 Attacks
Displays the top 25 recognized attacks by number of occurrences.

Top 25 Destination Ports


Displays the top 25 ports for which recognized attacks were destined.

Top 25 Detailed Attacks


Displays the top 25 attacks by number of occurrences in a detailed format.

Top 25 Policies
Displays the top 25 policies (policy names) by the number of attacks that they recognize.

Top Attackers by Source Address


Displays the 25 source addresses responsible for the most attacks recognized by the IDP
event source.

Top Targets by Destination Address


Displays the top 25 destination addresses for recognized attacks.

Juniper Networks Infranet Controller 4500 Standard Reports


The Reports module includes the following standard reports for the Juniper Networks
Infranet Controller 4500 event source.

Error Types Overview


Lists the different error types.

Failed Attempts by Source IP


Lists failed attempts based on the source IP address.

Failed Attempts by User


Lists failed attempts based on user name.

Login and Logout


Lists all logon and logoff events.

Policy Events
Lists all events relating to any policy changes.

Top 10 Error Types


Lists the top 10 generated error types.

Top 20 Event Types


Lists the top 20 generated event types.

Juniper Networks JUNOS Router Standard Reports


The Reports module includes the following standard reports for the Juniper Networks
JUNOS Router event source.

Configuration Committed Changes


Displays all messages regarding committed changes to the router configuration.

Database Schema Errors


Displays all messages regarding database schema errors or changes.

Successful Authentication by Foreign Address


Displays the successful authentications grouped by foreign address.

Successful Authentications by Device Address


Displays the total number of successful authentications that occurred during the requested
time period grouped by event source address.

System Authentication Events


Displays system authentication events that occurred during the specified time frame.

System Errors
Displays all error messages that occurred during the specified time frame.

Total Authentication Failures by Device Address


Displays the authentication failures that occurred during the requested time period
grouped by event source address.

JunOS-Successful Authentication by Foreign Address


Displays the successful authentications grouped by source address.

Juniper Networks NetScreen Firewall ScreenOS Standard Reports


The Reports module includes the following standard reports for the Juniper Networks
NetScreen Firewall ScreenOS event source.

Authentication and Login Events


Lists logon information for each attempt. Sorted by date and time.

Bandwidth by Department
Summarizes bandwidth usage by department for all traffic passing through NetScreen
firewalls. Sorted by total byte usage. Use this report to quickly assess which departments
are consuming the most bandwidth. Only NetScreen firewalls with debug level logging
enabled are reported.

Bandwidth Usage by Address


Summarizes the number of permitted packets per source address for all network traffic
through NetScreen firewalls. Sorted by packet count. Only network traffic from
NetScreen firewall interfaces with access control lists applied and logging enabled are
reported. Source address can be an Internet or intranet address depending on the router
interface to which the access list is applied and in which direction.

Bandwidth Usage by Department


Lists bandwidth usage by department through NetScreen firewalls. Use this report to
quickly determine which departments are consuming the most bandwidth.

Bandwidth Usage by Port


Summarizes the number of permitted packets passing through NetScreen by port. Sorted
by packet count. Only network traffic from NetScreen interfaces with access control lists
applied and logging enabled are reported. Source address can be an Internet or intranet
address depending on the router interface to which the access list is applied and in which
direction.

Bandwidth Usage per Hour


Lists bandwidth usage per hour through NetScreen firewalls. Use this report to quickly
spot bandwidth usage trends occurring during specific time periods. Each tick mark on
vertical hourly axes represents accumulated usage for the previous hour.

Configuration Changes
Lists the configuration changes made to the NetScreen event source. Includes the date
and time of the change, the event source address, and the system message detailing the
change.

Configuration Changes by Virtual Firewall


Displays configuration change messages. Sorted by date and time.

Denied Connections per Hour


Lists the number of denied connections per hour through NetScreen firewalls. Use this
report to quickly spot security threat trends occurring during specific time periods. Each
tick mark on vertical hourly axes represents accumulated denied connections for the
previous hour.

Denied Inbound Traffic by Address


Summarizes denied inbound traffic filtered through NetScreen firewalls by foreign
address. Sorted by connection count. Use this report to quickly determine which foreign
hosts are being denied access to your company's internal network. Denied connections
may indicate an attempted security policy breach, malicious network reconnaissance, or a
host or network event source configuration issue. Only NetScreen firewalls with logging
enabled are reported.

Denied Inbound Traffic by Port


Summarizes denied inbound traffic filtered through NetScreen firewalls by port. Sorted
by connection count. Port is used synonymously with services or applications. Use this
report to quickly determine which applications are being denied access. Denied
connections may indicate an attempted security policy breach, malicious network
reconnaissance such as a port scan, or a host or network event source configuration issue.
Only NetScreen firewalls with logging enabled are reported.

Denied Outbound Traffic by Address


Summarizes denied outbound traffic filtered through NetScreen firewalls by local
address. Sorted by connection count. Use this report to quickly determine which local
addresses are possibly attempting to bypass your company security policy. Only
NetScreen firewalls with logging enabled are reported.

Denied Outbound Traffic by Port


Summarizes denied outbound traffic filtered through NetScreen firewalls by port. Sorted
by connection count. Port numbers are used to represent services or applications. Use this
report to quickly determine which outbound applications are being denied. Denied
messages may indicate an attempted security policy breach, malicious network
reconnaissance such as a port scan, or a host or network event source configuration issue.
Only NetScreen firewalls with logging enabled are reported.

Inbound E-mail Traffic


Summarizes bandwidth usage of inbound e-mail traffic through NetScreen firewalls.
Sorted by total connection count. Use this report to quickly determine the top foreign
e-mail senders if your e-mail servers are located on an internal or DMZ interface.
Summarizes e-mail traffic from your own e-mail gateways if your e-mail servers are
sitting on an external NetScreen interface. Only NetScreen firewalls with logging
enabled are reported. The system calculates inbound e-mail traffic by summarizing all the
302002 traffic logged on local port 25.

Inbound FTP Traffic


Summarizes bandwidth usage of inbound FTP traffic through NetScreen firewalls. Sorted
by total connection count. Use this report to quickly determine which external users use
FTP most frequently in your company. Only NetScreen firewalls with logging enabled are
reported. The system calculates inbound FTP traffic by summarizing all the 302002
traffic logged on local ports 20 and 21.

Inbound HTTP Traffic


Summarizes bandwidth usage of inbound HTTP traffic through NetScreen firewalls.
Sorted by total connection count. Use this report to quickly assess which foreign users are
accessing your internal web servers most frequently. Only NetScreen firewalls with
logging enabled are reported. The system calculates inbound HTTP traffic by
summarizing all the 302002 traffic logged on local port 80.

Inbound Telnet Traffic


Summarizes bandwidth usage of inbound Telnet traffic through NetScreen firewalls.
Sorted by total connection count. Use this report to quickly determine the top external
Telnet users. Only NetScreen firewalls with logging enabled are reported. The system
calculates inbound Telnet traffic by summarizing all the 302002 traffic logged on local
port 23.

Outbound E-mail Traffic


Summarizes bandwidth usage of outbound e-mail traffic through NetScreen firewalls.
Sorted by total connection count. Use this report to quickly determine the top e-mail users
in your company if your e-mail gateway is located on an external or DMZ interface.
Reflects top e-mail gateways if your mail gateways are on the NetScreen internal
interface network. Only NetScreen firewalls with logging enabled are reported. The
system calculates outbound e-mail traffic by summarizing all the 302002 traffic logged on
foreign port 25.

Outbound FTP Traffic


Summarizes bandwidth usage of outbound FTP traffic through NetScreen firewalls.
Sorted by total connection count. Use this report to quickly determine which internal
users use FTP most frequently in your company. Only NetScreen firewalls with logging
enabled are reported. The system calculates outbound FTP traffic by summarizing all the
302002 traffic logged on foreign ports 20 and 21.

Outbound HTTP Traffic


Summarizes bandwidth usage of outbound HTTP traffic through NetScreen firewalls.
Sorted by total connection count. Use this report to quickly determine top HTTP users in
your company. Only NetScreen firewalls with logging enabled are reported. The system
calculates outbound HTTP traffic by summarizing all the 302002 traffic logged on foreign
port 80.

Outbound Telnet Traffic


Summarizes bandwidth usage of outbound Telnet traffic through NetScreen firewalls.
Sorted by total connection count. Use this report to quickly determine the top local Telnet
users. Only NetScreen firewalls with logging enabled are reported. The system
calculates outbound Telnet traffic by summarizing all the 302002 traffic logged on foreign
port 53.

Permitted Connections per Hour


Lists the number of connections per hour through NetScreen firewalls. Use this report to
quickly spot connection trends occurring during specific time periods. Each tick mark on
vertical hourly axes represents accumulated permitted connections for the previous hour.

SiteTrack Detection
Lists network traffic through NetScreen firewalls that contained SiteTrack keywords.
Sorted by date and time. Keyword match is identified by parentheses ( ) preceding the
message in the Message column. The SiteTrack feature performs a text string comparison
of the DNS hostname lookup of source and destination IP addresses, as well as accessed
URL pages and FTP filenames. The DNS Resolver service must be enabled, and
NetScreen firewall logging must be enabled. For information about SiteTrack, see the
enVision Help.

Top 20 Bandwidth Ports


Lists the top 20 ports of bandwidth usage through NetScreen firewalls. Use this report to
quickly identify which applications are consuming the most bandwidth.

Top 20 Bandwidth Users


Lists the top 20 bandwidth users through NetScreen firewalls. Use this report to quickly
identify which users are consuming the most bandwidth.

Top 20 Connections by Address


Lists the top 20 users of connections through NetScreen firewalls. Use this report to
quickly determine which users are consuming the most connections.

Top 20 Connections by Port


Lists the top 20 ports with the most connections through NetScreen firewalls. Use this
report to quickly identify which applications are consuming the most connections.

Top 20 Denied Inbound by Address


Lists the top 20 foreign addresses that were denied inbound access by NetScreen
firewalls. Use this report to quickly spot foreign hosts that may have been attempting to
gain unauthorized access to your network.

Top 20 Denied Inbound by Port


Lists the 20 ports with the most denied inbound connections through NetScreen firewalls.
Use this report to quickly identify which applications are the top sources of inbound
denied connections.

Top 20 Denied Outbound by Address


Lists the top 20 local addresses that were denied outbound access by NetScreen
firewalls. Use this report to quickly identify the top internal hosts that may have been
attempting to breach your company's outbound Internet security policy.

Total Bandwidth by Virtual Firewall


Displays total bytes grouped by virtual name (vsys_name).

Total Connections by Dest Zone


Summarizes total traffic passed as well as duration time of all connections sorted by their
associated destinations. Administrators can use this report to understand where the
majority of the data is destined.

Total Connections By Source Zone


Displays summaries of connection information sorted by Source Zone. Administrators can
use this report to see high level connection information from each originating zone.

Total Connections by Virtual Firewall


Displays successful connections grouped by virtual name (vsys_name).

Total Denied Inbound by Virtual Firewall


Displays the foreign addresses that were denied inbound access grouped by virtual name
(vsys_name).

Total Denied Outbound by Virtual Firewall


Displays the foreign addresses that were denied outbound access grouped by virtual name
(vsys_name).

Zone Bindings
Queries the firewall security table and selects zone binding events. Displays the source
zone and the destination zone to which it is bound.

Juniper Networks NetScreen IDS Standard Reports


The Reports module includes the following standard reports for the Juniper Networks
NetScreen (IDS) event source.

Alarm Level Summary


Displays the number of alarms per alarm level.

Alarms by IDS Device


Displays the number of detected alarms per sensor.

Intrusion Event Summary by Source Address


Lists the attack events detected by the NetScreen integrated firewall intrusion detection
sensor from external sources.

Intrusion Events by Date and Time


Lists the intrusion events detected by the NetScreen integrated firewall intrusion
detection sensor. Sorted by date and time.

Intrusion Events by Device


Lists the intrusion events detected by the NetScreen integrated firewall intrusion
detection sensor. Sorted by event source address.

Intrusion Events by Event Type


Lists the intrusion events detected by the NetScreen integrated firewall intrusion
detection sensor. Sorted by event type.

Top 10 Source Addresses of Alarms


Displays the top 10 source addresses of intrusion detection alarms.


Juniper Networks NetScreen-Security Manager Standard Reports

The Reports module includes the following standard reports for the Juniper Networks
NetScreen-Security Manager event source.

NetScreen-Security Manager - Authentication and Login Events


Summarizes authentication data for Juniper NetScreen-Security Manager. Sorted by date
and time.

NetScreen-Security Manager - Severe Attacks


Displays the severe attacks. A severe attack is one where the process field was set to
DROP or CLOSE.

NetScreen-Security Manager - Top 20 Bandwidth Ports


Displays the top 20 ports of bandwidth usage.

NetScreen-Security Manager - Top 20 Bandwidth Users


Displays the top 20 users of bandwidth.

NetScreen Management - Top 25 Attacks


Displays the top 25 recognized attacks by number of occurrences.

NetScreen-Security Manager - Top 25 Destination Ports


Displays the top 25 ports for which recognized attacks were destined.

NetScreen-Security Manager - Top Attackers by Source address


Displays the 25 source addresses responsible for the most attacks recognized.

NetScreen-Security Manager - Total Connections by Dest Zone


Summarizes the total traffic passed of all connections sorted by the associated
destinations.

NetScreen-Security Manager - Total Connections By Source Zone


Queries the firewall accounting table for connection information and displays that
information sorted by zone.

NetScreen-Security Manager - Top Targets by Destination Address


Displays the top 25 destination addresses for recognized attacks.


Juniper Networks SSL VPN Standard Reports


The Reports module includes the following standard reports for the Juniper Networks
SSL VPN event source.

Detailed Connections Events by Date and Time


Lists details of connections within the selected time range sorted by date and time.

Failed Login Attempts by Username


Displays failed logon attempts by user name.

Juniper VPN - Successful Login Attempts by Username


Displays successful logon attempts by user name.

System Changes
Lists the system changes. Includes the message and VPN event source address.


Juniper Networks Steel-Belted Radius Standard Reports

The Reports module includes the following standard reports for the Juniper Networks
Steel-Belted Radius event source.

Detailed Usage
Lists details of usage per user. Sorted by logon ID.

Failed Attempts
Lists failed attempts due to authorization failure, authentication failure, or bad requests
from the NAS.

Top 20 Users by Duration


Lists the top 20 users by duration.

User Usage Summary


Lists the system changes. Includes the message and VPN event source address.


Lancope StealthWatch Standard Reports


The Reports module includes the following standard reports for the Lancope
StealthWatch event source.

Detailed Alert Report


Lists detailed information for the last 100 alerts generated.

Events by Hour
Displays the number of events by hour for a given time period.

Top 10 Destination
Displays the top 10 destinations of events detected.

Top 10 Events
Displays the top 10 events detected.

Top 10 Sources
Displays the top 10 sources of events detected.


Linux Standard Reports


The Reports module includes the following standard reports for the Novell Linux and Red
Hat Linux event sources.

Linux - Failed Authentications by Device


Displays the failed authentication attempts for each monitored event source by date and
time.

Linux - Failed SuperUser Attempts


Displays the failed attempts to use the switch user command and the user name
associated with each attempt.

Linux - Successful Connections


Displays the successful connection information.

Linux - Successful SuperUser Attempts


Displays the successful attempts to use the switch user command to change the user to
"root" and the user name associated with each attempt.

Linux - Total Connections by Address


Displays the total connections by foreign address.

Linux - Total Connections by Username


Displays the total connections for each user within the specified time range.

Linux - IPTables Traffic Summary


Summarizes all of the data passing through the IPTables firewall.


Lumension Endpoint Management and Security Suite Standard Reports

The Reports module includes the following standard reports for the Lumension EMSS
event source.

EMSS Summary Report
A patch detail summary report ordered by endpoints.


Mazu Networks Profiler Standard Reports


The Reports module includes the following standard reports for the Mazu Profiler
event source.

Detailed Alert Report


Lists detailed information for the last 100 alerts generated.

Top 10 Destinations
Displays the top 10 destination IP addresses that have been targeted for attack. Due to
limitations in the data available from Mazu Profiler in host scan, port scan, and worm
events, these events do not contain addresses, ports, or services and therefore do not
contribute to this report.

Top 10 Events
Displays the number of events by hour for a given time period.

Top 10 Sources
Displays the top 10 source IP addresses that have generated the most events. Due to
limitations in the data available from Mazu Profiler in host scan, port scan, and worm
events, these events do not contain addresses, ports, or services and therefore do not
contribute to this report.


McAfee IntruShield Standard Reports


The Reports module includes the following standard reports for the McAfee IntruShield
event source.

Alarm Destination Report


Displays alarms sorted by the destination IP address that generated the alarm.

Alarm Levels
Displays the number of alarms for each alarm level.

Alarm Report
Lists alarms based on signature names. Sorted by alarms and signature names.

Alarms by Hour
Displays the number of alarms by hour for a given time period.

Alarms by Sensor
Lists the alarm count for each sensor.

Alarms by Sensor Device


Displays the total number of alarms generated by each sensor event source. Sorted by
total number of alarms.

Top 10 Sources of Alarms


Lists the top 10 source IP addresses that have generated the most events or alarms.

Top 20 Alarms
Displays the top 20 alarms by signature ID that have been generated.

Top 20 Alarms by Port


Displays the top 20 alarms based on the destination port.

Top 20 Destinations of Alarms


Displays the top 20 destination IP addresses that have been targeted for attack.

Top 20 Source-Destination Pairs of Alarms


Displays the 20 source-destination pairs that have generated the most alarms.


Top 20 Sources of Alarms


Lists the 20 source IP addresses that have generated the most events or alarms.


McAfee VirusScan Enterprise Standard Reports


The Reports module includes the following standard reports for the McAfee VirusScan
Enterprise event source.

Top 20 infected systems


Displays the top 20 infected systems found on the network.

Top 20 Viruses Detected


Displays the top 20 viruses found on the network.

Virus Detection Details


Lists all the detected viruses sorted by date and time.


McAfee Entercept Standard Reports


The Reports module includes the following standard reports for the McAfee Entercept
(Host Intrusion Prevention Server) event source.

Alarm Levels
Displays the number of alarms for each alarm level.

Alarm Report
Lists alarms based on signature names, sorted by alarms and signature names.

Alarms by Hour
Displays the number of alarms by hour for a given time period.

Alarms by Sensor
Lists the alarm count for each sensor.

Alarms by Server
Displays the alarm count for each server.

Top 10 Alarm Signatures


Displays the top 10 alarms by signature ID that have been generated.

Top 10 Sources of Alarms


Lists the 10 source IP addresses that have generated the most events or alarms.


Microsoft Exchange Server Standard Reports


The Reports module includes the following standard reports for the Microsoft Exchange
Server event source.

MS Exchange Exchange Error Condition


Displays all Exchange error events.

MS Exchange Failed Logins Attempts to Mailboxes


Displays failed logons to mailboxes in the Microsoft Exchange environment.

MS Exchange Failed Mailbox Creation/Deletion


Displays failed mailbox creation and deletion events.

MS Exchange Internet Traffic by E-mail Accounts


Displays the inbound and outbound Internet traffic to email accounts.

MS Exchange Logons to Mailbox with Administrator Privileges


Displays successful logons to mailboxes in the Microsoft Exchange environment by users
who have administrator privileges on the mailboxes.

MS Exchange Mailboxes with the most logon failures


Displays users responsible for the greatest number of failed logons.

MS Exchange Non-owner Mailbox Access


Displays users who connect to Exchange mailboxes apart from their primary user
accounts.

MS Exchange Successful Logons to Mailboxes


Displays successful logons to mailboxes in the Microsoft Exchange environment.

MS Exchange Top 10 E-mail Accounts Receiving Messages


Displays the 10 email accounts receiving the most messages.

MS Exchange 10 E-mail Accounts Receiving Messages Volume


Displays the 10 email accounts receiving the highest message volume.

MS Exchange Top 10 E-mail Accounts Sending Messages


Displays the 10 email accounts sending the most messages.


MS Exchange Top 10 E-mail Account Sending Messages Volume


Displays the 10 email accounts sending the highest message volume.

MS Exchange Top 10 Sender-Receiver Pairs


Displays top 10 pairs of email accounts sending messages to, and receiving messages
from, each other.

MS Exchange Top 10 Sender-Receiver Pairs within the Organization


Displays the 10 email accounts receiving the most messages.

MS Exchange Top 10 E-mail Accounts mailing most with the Internet


Displays the 10 email accounts responsible for the most Internet traffic.

MS Exchange Use of Send Privileges


Displays users who grant "send as" permissions to other users.


Microsoft Internet Information Services Standard Reports

The Reports module includes the following standard reports for the Microsoft IIS event
source.

Access Denied Attempts (500)


Displays page access attempts that were denied over time. If multiple sites were chosen,
an additional runtime option lets you select whether the access denied attempts are
displayed cumulatively or comparatively.

Browser Versions
Displays the percentage of browser types to the sites selected.

Hits per Day


Displays the number of requested pages for the sites chosen during runtime. An additional
runtime option allows you to select whether you want the information for multiple sites
summed together or compared against each other.

Top 20 Page not Found (404)


Displays the top 20 requested files that were not found. If multiple sites were chosen at
runtime, the site from where the file was requested is also included in the report.

Top 20 Referring Domains


Displays the top 20 referring domains. If multiple sites are chosen at runtime, the name to
which the site is referred is also in the report.

Top 20 Referring Pages


Displays the top 20 referring URLs, as well as the number of referrals each URL
provided. If multiple sites are chosen at runtime, the name to which the site is referred is
also in the report.

Top 20 Requested Content


Displays a summary of the top 20 requests by the root level directory in which the file is
contained. This provides a summary of the most active areas of the web site. If there are
multiple sites chosen at runtime, the name of the site where the directory resides is also
in the report.


Top 20 Requested Pages


Displays a summary of the top 20 most requested pages for the sites chosen during
runtime. If multiple sites are chosen at runtime for this report, the name of the site from
which the requested page is served is also included in the report.

Top 20 Script Errors (501)


Displays the top 20 requested page and script error combinations. A page may appear on
this report multiple times if the page has multiple different script errors. If multiple sites
are chosen at runtime for inclusion in the report, the site on which the page resides is
included in the report.

Visitors per Day


Displays the number of unique IP addresses of visitors for the sites chosen during
runtime. An IP address is only counted the first time it appears during the chosen time
period.


Microsoft Internet Security and Acceleration Server Standard Reports

The Reports module includes the following standard reports for the Microsoft ISA event
source.
For some device-specific reports, the class of the report changes when the event source
is updated to Content 2.0. In this case, the location of the report in the enVision UI also
changes.
For example, for Microsoft ISA, the Total Bytes by Client IP report is now also
included in the Security.Firewall class. In the enVision UI, the report moved as follows:

• Location for standard content:
  Reports > Ad Hoc Reports > Host > Web Logs > Microsoft Internet Security and
  Acceleration Server > Total Bytes by Client IP

• Locations for Content 2.0:
  Reports > Ad Hoc Reports > Host > Web Logs > Microsoft Internet Security and
  Acceleration Server > Total Bytes by Client IP
  or
  Reports > Ad Hoc Reports > Security > Firewall > Microsoft Internet Security
  and Acceleration Server > Total Bytes by Client IP

If you update the event source to Content 2.0, you must run the report from its new
location.


Note: For backwards compatibility, the report continues to exist in its previous location. However, once you update an event sou

Attacks
Displays all of the attacks that were identified by the ISA Firewall Service.

Firewall Denied Connections


Displays the firewall denied connections recorded by the ISA Firewall Service.

Firewall Errors

Displays the firewall error messages as recorded by the ISA Firewall Service.

Firewall Failed Connections


Displays the firewall failed connections as recorded by the ISA Firewall Service.


Firewall Successful Connections


Displays the firewall successful connections as recorded by the ISA Firewall Service.

Total Bytes by Client IP


Displays the total bytes of all connections associated to specific client IP addresses.

Total Duration by Client IP


Displays the total duration of all connections associated to specific client IP addresses.


Total Number of Connections by Domain Name


Displays the number of connections associated to each domain name during a given time period.

Total Number of Connections by Server IP


Displays the number of connections associated to each server IP address during a given time period.


Microsoft Network Access Protection Standard Reports

The Reports module includes the following standard reports for the Microsoft Network
Access Protection event source.

Details of Non-Compliant Requests Received


Displays details of the received requests.

Summary of Event Types


Displays a summary of the event types.


Microsoft System Center Configuration Manager Standard Reports

The Reports module includes the following standard reports for Microsoft System Center
Configuration Manager event source.

All Enumerated Error or Warning Messages


Lists all messages from Microsoft System Center Configuration Manager with a severity
level of Error or Warning.

All Enumerated Messages


Lists all messages related to Microsoft System Center Configuration Manager.


Microsoft SQL Server Standard Reports


The Reports module includes the following standard reports for the Microsoft SQL Server
event source.

Audit Failed Logons


Displays all failed logon events to SQL Server systems captured by the trace tool.

Audit Logon/Logoff Events


Displays all logon and logoff events to SQL Server systems captured by the trace tool.

Configuration changes
Displays configuration changes made to SQL Server systems.

Database backups
Displays backup events from SQL Server systems.

Errors that can be corrected by a user


Displays all error conditions from SQL Server systems that can be corrected by a user.

Failed Logons
Displays all failed logons events to SQL Server systems.

Fatal Errors
Displays fatal errors from SQL Server systems.

Insufficient resources
Displays insufficient resources events from SQL Server systems.

Logon/Logoff Events
Displays all logons and logoff events to SQL Server systems.

Nonfatal Internal Errors


Displays nonfatal internal errors from SQL Server systems.

Object events
Displays object trace events from SQL Server systems.


Microsoft Windows Standard Reports


Microsoft Windows reports fall into the following categories:
• Account Management
• Application Errors
• Disk and Memory
• Files/Objects Access
• Filtering Platform
• Logon/Logoff
• Policy Changes and Audit Logs
• Restart/Shutdown
• Summary Reports
• Trend Reports
• User Activity


Microsoft Windows (Account Management) Standard Reports

The Reports module includes the following standard reports for Windows.

Account Changes Details


Lists all account changes.

Account Changes Summary


Displays the number of account changes by event ID in descending order.

Computer Account Changes


Lists all computer account changes.

Global Group Account Changes


Lists all global group account changes.

Local Group Account Changes


Lists all local group account changes.

Universal Group Account Changes


Lists all universal group account changes.

User Group Account Changes


Lists all user account changes.


Microsoft Windows (Application Errors) Standard Reports

The Reports module includes the following standard reports for Windows.

Errors Reported by Dr. Watson


Lists errors reported by Dr. Watson.

Top 20 Application Errors


Displays the top 20 application errors collected from all Microsoft Windows servers.

Top 20 Errors-Logging Applications


Displays the top 20 applications logging application errors from all Microsoft Windows
servers.


Microsoft Windows (Disk and Memory) Standard Reports

The Reports module includes the following standard reports for Windows.

Bad Blocks
Lists system events reporting bad blocks.

Disk at Near Capacity


Lists system events reporting disk at near capacity.

Out of Virtual Memory


Lists system events reporting out of virtual memory.


Microsoft Windows (Files/Objects Access) Standard Reports

The Reports module includes the following standard reports for Windows.

Access to Files
Lists all files accessed in folders monitored for access auditing.

Registry Access
Lists all accesses to registry files and keys.

Write Access to System Files


Lists all files opened with write access rights in the system32 folder.


Microsoft Windows (Filtering Platform) Standard Reports

The Reports module includes the following standard reports for Windows.

Detected DoS Attacks


Lists network information when Windows Filtering Platform detects a DoS attack.

Packets Discarded Due To DoS Attack


Details information about packets blocked by Windows Filtering Platform.

Packets Blocked By Windows Filtering Platform


Lists the number of packets discarded due to DoS attacks.


Microsoft Windows (Logon/Logoff) Standard Reports

The Reports module includes the following standard reports for Windows.

Failed Logins
Lists all failed logon events including failure reason, user name, domain name, and
workstation.

Local Logins/Logouts by User


Lists all local logon and logoff activities. Sorted by user name.

Logins/Logouts by User
Lists all logon and logoff activities. Sorted by user name.

Logins/Logouts by User During Non-Business Hours


Lists all logon and logoff activities. Sorted by user name during non-business hours.


Microsoft Windows (Policy Changes and Audit Logs) Standard Reports

The Reports module includes the following standard reports for Windows.

Audit Log Cleared


Lists audit log cleared events.

Audit Log Full


Lists "audit log is full" events.

Audit Policy Changes


Lists all audit policy changes.

Policy Changes Details


Lists all policy changes events.

Policy Changes Summary


Displays the number of policy changes by event ID in descending order.

Trusted Domain Changes


Lists all trusted domain changes.

Trusted Domain Changes - Windows Server 2003


Lists all trusted domain changes for Windows Server 2003.

User Rights Changes - Windows Server 2008


Lists all user rights changes for Windows Server 2008.

User Rights Changes - Windows Server 2003


Lists all user rights changes for Windows Server 2003.


Microsoft Windows (Restart/Shutdown) Standard Reports

The Reports module includes the following standard reports for Windows.

System Restarts/Shutdowns
Lists all system restarts and shutdowns.


Microsoft Windows (Summary Reports) Standard Reports

The Reports module includes the following standard reports for Windows.

Application Log Activity per Computer


Displays the total count of application events per computer in descending order.

Application Log Activity per User


Displays the total count of application events per user in descending order.

Hyper-V Log Activity


Displays a table showing the total count of Hyper-V events in descending order.

Hyper-V Log Errors


Displays a table of Hyper-V error events in descending order.

Security Log Activity per Computer


Displays the total count of security events per computer in descending order.

Security Log Activity per User


Displays the total count of security events per user in descending order.

System Log Activity per Computer


Displays the total count of system events per computer in descending order.


Microsoft Windows (Trend Reports) Standard Reports

The Reports module includes the following standard reports for the Windows event
sources.

Application Log Activity


Displays the number of application events over a specified period of time.

Security Account Login Activity


Displays the number of security account logon events over a specified period of time.

Security Account Management Activity


Displays the number of security account management events over a specified period of
time.

Security Detailed Tracking Activity


Displays the number of security detailed tracking events over a specified period of time.

Security Log Activity


Displays the number of security events over a specified period of time.

Security Login/Logout Activity


Displays the number of security logon/logoff events over a specified period of time.

Security Object Access Activity


Displays the number of security object access events over a specified period of time.

Security Policy Change Activity


Displays the number of security policy change events over a specified period of time.

Security Privilege Use Activity


Displays the number of security privilege use events over a specified period of time.

Security System Event Activity


Displays the number of security system events over a specified period of time.

System Log Activity


Displays the number of system events over a specified period of time.


Microsoft Windows (User Activity) Standard Reports


The Reports module includes the following standard reports for Windows.

Account Locked Out


Lists all the accounts that are locked out.

Applications by Users
Lists applications running on computers over the network, sorted by user name.

Applications by Users Windows Server 2003


Lists applications running on computers over the network for Windows Server 2003,
sorted by user name.

Print Jobs by Users Summary


Summarizes print jobs by users, showing user name, number of print jobs, total pages,
and total bytes.

Privileged Activities by User


Lists activities involving the use of privileges, sorted by primary user name.


Microsoft Audit Collection Service Standard Reports


The Reports module includes the following standard reports for the Microsoft Audit
Collection Service event source.

System Events Report


A detailed report of all the System events, which include Normal Conditions, Errors,
Startup, Shutdown, Unusual Activity, Audit, Accounting, and so on.

System Policy Report


A detailed report of all Policy-related events.

User Activity Report


A detailed report of all the User Activities, which include Successful and Failed Logins,
Logoff, Normal user activities, File Access, and so on.


Microsoft Windows Server Update Service Standard Reports

The Reports module includes the following standard reports for the Microsoft Windows
Server Update Service event source.

Failed Update Installation and Un-installation


Lists failed update installation and un-installation events.

Successful Update Installation and Un-installation


Lists successful update installation and un-installation events.

System Alert - Action Required


Lists alerts where action is required.

System Errors
Lists system errors.


MYSQL Server Standard Reports


The Reports module includes the following standard reports for the MYSQL Server event
source.

Overview of Performance
Displays events that concern the system performance of MYSQL Server.

Overview of Memory Usage


Displays events that concern the memory usage of the server.

Schema Changes
Displays all the schema changes done across the MYSQL Server.


Network Appliance Data ONTAP Standard Reports


The Reports module includes the following standard reports for the Network Appliance
Data ONTAP event source.

Checksum Error Events


Displays NetApp checksum errors.

Reboot Events
Displays all reboot events.


Network Appliance NetCache Standard Reports


The Reports module includes the following standard reports for the Network Appliance
NetCache event source.

Top 100 Requested URL


Displays the top 100 requested URL strings for a given time period.

Top 20 Clients by Connection Request


Displays the 20 client addresses that made the most connection requests over a specified
time period.

Top 20 Domains by Connection Counts


Displays the top 20 domains that were accessed through all monitored event sources.

Top 20 Root Domains by Connection Counts


Displays the top 20 root domains that were accessed through all monitored event sources.

Top 25 Client IP's by Total Bytes


Displays the 25 client IP addresses with the most total bytes.

Total Bytes Passed by Hour


Represents the total sent and received bytes, and displays a histogram of the traffic
pattern over the selected time period.

Total Bytes Received by Cache Device


Displays the total bytes received grouped by cache event source.

Total Bytes Received by Client Device


Displays the total bytes received grouped by client event source.

Total Bytes Sent by Cache Device


Displays the total bytes sent grouped by cache event source.

Total Bytes Sent by Client Device


Displays the total bytes sent grouped by client event source.

Total Bytes by Cache Device


Queries for total bytes passed and displays the data grouped by the cache event source
address.


Total Bytes by Client IP


Queries for total bytes passed and displays the data grouped by the client IP address.

Total Bytes by Domain


Displays the total bytes for each connection, sorted by domain.

Total Connection Requests by Hour


Displays the number of connection requests, grouped by hour of day.

Total Connections by HTTP Status Code


Queries for connection counts and groups the data by the HTTP success or failure code.
Administrators can use this report to see, by code, how many connections were
successful, redirected, failed, and so on.


NetWitness NextGen Standard Reports


The Reports module includes the following standard reports for the NetWitness NextGen
event source.

Summary of Files transferred


Displays a summary of files transferred.

Top 10 Alerts
Displays the top 10 alerts.


NFR NIDS Standard Reports


The Reports module includes the following standard reports for the NFR NIDS event
source.

Alarm Destination Report


Displays alarms sorted by the destination IP address that generated the alarm.

Alarm Levels
Displays the number of alarms for each alarm level.

Alarm Report
Displays alarms based on signature names, sorted by alarms and signature names.

Alarms by Category
Displays the total events in the database grouped by signature category.

Alarms by Hour
Displays the number of alarms by hour for a given time period.

Top 10 Sources of Alarms


Displays the top 10 sources of alarms by source IP address.

Top 20 Alarms
Displays the top 20 alarms by signature ID that have been generated.

Top 20 Alarms by Port


Displays the top 20 alarms based on the destination port.

Top 20 Destinations of Alarms


Displays the top 20 destination IP addresses that have been targeted for attack.

Top 20 Source-Destination Pairs of Alarms


Displays the 20 source-destination pairs that have generated the most alarms.

Top 20 Sources of Alarms


Displays the 20 source IP addresses that have generated the most events or alarms from
the IDS sensors.


Nortel Alteon Switch Firewall Standard Reports


The Reports module includes the following standard reports for the Nortel Alteon Switch
Firewall event source.

Restart Events
Lists all system restart events.

Session Failures
Lists all source addresses with which the switch has experienced a session failure and
the reason for the failure.


Nortel Contivity VPN Switch Standard Reports


The Reports module includes the following standard reports for the Nortel Contivity VPN
Switch event source.

Admin User Connections


Displays a graph showing the number of both successful and denied administrator
connections.

Authentication Errors by Address


Displays authentication errors between the VPN event source and the remote event
source. These errors can be indicative of misconfigured VPN event sources.

Failed Login Attempts by Username


Displays a graph of failed logon attempts by user name.

OSPF modifications by VPN


Displays the OSPF modifications made.

Percent Failed Connections


Displays failed message IDs and counts.

Successful Connections by Method


Queries for successful authentication messages and displays the number of successful
authentications by authentication method.

Successful Connections by Username


Queries for successful connection messages and displays a count of connections by user
name.

System Errors by Device


Queries for events associated with system errors or failures and displays message_ID
counts by VPN event source.


Nortel Passport 8600 Routing Switch Standard Reports

The Reports module includes the following standard reports for the Nortel Passport 8600
Routing Switch event source.

Authentications Failures by Device Address


Lists the failed authentications that occurred during the requested time period grouped by
event source address.

Failed Login Attempts


Lists the failed logon attempts.

Total Authentication Failures by Device Address


Displays the total number of authentication failures that occurred during the requested
time period grouped by event source address.


Oracle Identity Manager Standard Reports


The Reports module includes the following standard reports for the Oracle Identity
Manager event source.

Audit Group Membership Changes


Gives an overview of the group membership of the users, for example, who belongs to the
Manager category and who belongs to the general category, All Users.

Audit Resource Updates


Gives an overview of the kinds of resources with which a user has been privileged, for
example, VPN access, Safeboot account, and Active Directory.

Audit User Profile Changes


Gives details of the changes done to the user profile, for example, name, address, and
other administrative details.

Overview of users created and deleted


Gives an overview of the current and past users in the organization and their names.


Oracle Standard Reports


The Reports module includes the following standard reports for the Oracle event source.

Audit Details by Action


Displays detailed audit actions sorted by action.

Audit Details by Database Process ID


Displays detailed audit actions sorted by database process ID.

Audit Details by System


Displays detailed audit actions sorted by system name.

Audit Details by User


Displays detailed audit actions sorted by user name.

Audit Details Based on Username


Lists Oracle audit details sorted by username.

Audit Details Based on Username and Privilege


Lists Oracle audit details sorted by username and privileges.


Palo Alto Networks Enterprise Firewall Standard Reports

The Reports module includes the following standard reports for the Palo Alto Networks
Enterprise Firewall event source.

Blocked URL Events


Lists blocked URLs by source and destination address, rule, and category.

Configuration Changes
Lists the configuration changes by event category.

Denied Traffic by Address


Lists all denied traffic by source and destination address.

Denied Traffic by Port


Lists all denied traffic by source and destination ports.

Successful Logins and Logouts


Lists all successful logons and logoffs.


RSA Authentication Manager and User Credential Manager Standard Reports

The Reports module includes the following standard reports for the Authentication
Manager and User Credential Manager event source.

Bad PIN Good Tokencode Count


This report tracks how frequently a user enters an incorrect PIN during an authentication
attempt.

Bad PIN Previous Tokencode Count


A user authenticates, then may mistype the PIN during the second authentication
attempt before the tokencode changes. This report tracks these events.

Bad Tokencode Good PIN Count


A user may enter a good PIN, but accidentally enter the incorrect tokencode during an
authentication attempt. This report tracks these events.

Cleared PINs Count


This report can be used to track how frequently PINs are being cleared.

Deleted Agent Hosts


Displays any agent hosts deleted from the existing users in the database over a specified
time period.

Excessive Failed Authentications Outside Business Hours


This report displays all failed authentication messages within your defined time range.
This report can be used to identify failed logons beyond business hours.

Failed Authentication Attempts


Displays all of the failed authentication attempts by user name.

Failed Authentication Count


Displays the number of failed authentication attempts.

Group Modifications
Displays any modifications to the existing groups in the database over a specified time
period.


New Agent Hosts


Displays any new agent hosts added to the existing users in the database over a specified
time period.

New Groups Added


Displays all of the new groups added to the database over a specified time period.

New Users Added


Displays all of the new users added to the database over a specified time period.

Next Tokencode Mode Activated Count


Displays a count of the times that the Next Tokencode Mode is activated.

Next Tokencode Requested Count


Displays a count of the times that a next tokencode is requested.

Passcode Reuse Count


A user may accidentally enter the same password on two separate authentication
attempts. This report tracks these events.

Successful Authentication Attempts


Displays all of the successful authentication attempts by user name.

Token Disabled Count


This report displays the number of disabled tokens.

User Lockout Count


This report displays the number of users that have been locked out due to failed
authentications.

User Modification
Displays any modifications to the existing users in the database over a specified time
period.


RSA Adaptive Authentication (Hosted) Standard Reports

The Reports module includes the following standard reports for the RSA Adaptive
Authentication (Hosted) event source.

Back Office Operator Activities


This report summarizes the activities of the back office operators as reported by the RSA
Adaptive Authentication (Hosted) event source.

Cases Summary
This report summarizes the different types of cases, as reported by the RSA Adaptive
Auth (Hosted) event source.

Failed Login Details


This report details all the attempted logins that failed for the duration specified.


RSA Adaptive Authentication (OnPrem) Standard Reports

The Reports module includes the following standard reports for the RSA Adaptive
Authentication (OnPrem) event source.

Audit Event Type Statistics


Lists all generated audit event types, including event type name and count.

Device High Risks Event Statistics


Lists the event source high risk statistics.

Device ID Created Event Statistics


Lists the number of device IDs created.

Risk Score Event Statistics


Lists the risk score.

User Challenged Event Statistics


Lists the number of user-challenged event types.

User Locked Out Event Statistics


Lists the number of users that have been locked out.

User Sign In Event Statistics


Lists the number of user sign-ins.


RSA SecurID Standard Reports


The Reports module includes the following standard reports for the RSA SecurID event
source.

Deleted Agent Hosts


Displays any agent hosts deleted from the existing users in the database over a
specified time period.

Failed Authentication Attempts


Displays all of the failed authentication attempts by user name.

Group Modifications
Displays any modifications to the existing groups in the database over a specified time
period.

New Agent Hosts


Displays any new agent hosts added to the existing users in the database over a specified
time period.

New Groups Added


Displays all of the new groups added to the database over a specified time period.

New Users Added


Displays all of the new users added to the database over a specified time period.

Successful Authentication Attempts


Displays all of the successful authentication attempts by user name.

User Modifications
Displays any modifications to the existing users in the database over a specified time
period.


Safend Protector Standard Reports


The Reports module includes the following standard reports for the Safend Protector
event source.

Safend Protector Summary Report


Summarizes server and client messages.


SafeStone DetectIT Standard Reports


The Reports module includes the following standard reports for the SafeStone DetectIT
event source.

System Configuration detailed report


Details all of the system configuration related events.

System Health detailed report


Details all of the System events, including Normal Conditions, Errors, Startup, Shutdown,
Unusual Activity, and Audit Accounting.

User Activity detailed report


Details all User Activity.


SECUDE Security Intelligence Standard Reports

The Reports module includes the following standard reports for the SECUDE Security
Intelligence event source.

Document Change Logs


Displays logs of changes that have been made on tables and the corresponding
information.

Failed Logins and Disabled User Accounts


Lists failed login attempts and user accounts disabled for various reasons.

Operating System Errors


Lists OS Call Errors and other Error Logs.

Privileged Access Failures


Lists Privileged Access denied and similar events.

Security Audit Log Errors


Lists Transactional, Reporting and other errors in Security Audit Logs.

Software Errors
Lists Software Errors logged by SECUDE SI.

System Alerts
Lists System Alerts that need to be investigated.

System Heartbeat Errors


Shows Heartbeat Errors logged.

User Management Activity


Lists user creation, deletion, modifications, and so on.


McAfee Firewall Enterprise Standard Reports


The Reports module includes the following standard reports for the McAfee Firewall
Enterprise (formerly named Secure Computing Sidewinder G2 Security Appliance)
event source.

Configuration Changes
Lists configuration change messages, sorted by date and time.

Failed Authentication
Lists failed authentication messages.

Hardware Failure
Lists hardware failure messages.

Software Failure
Lists software failure messages.

Successful Authentication
Lists successful authentication information.

Successful Connections
Lists successful connection information.

URL Requests by Source Address


Lists URL requests summarized by each source address, sorted by source address and
number of requests.


SNORT Standard Reports


The Reports module includes the following standard reports for the SNORT event source.

Alarm Destination Report


Lists alarms sorted by the destination IP address that generated the alarm.

Alarm Levels
Displays the number of alarms for each alarm level.

Alarm Report
Lists alarms based on signature names, sorted by alarms and signature names.

Alarms by Hour
Displays the number of alarms by hour for a given time period.

Alarms by Sensor
Lists the alarm count for each sensor.

Alarms by Sensor Device


Displays the alarm count for each sensor event source.

Top 10 Alarm Signatures


Lists the top 10 alarms that have been generated by signature name.

Top 10 Destinations of Alarms


Lists the top 10 destination IP addresses that have been targeted for attack.

Top 10 Source-Destination Pairs of Alarms


Lists the 10 source-destination pairs that have generated the most alarms.

Top 10 Sources of Alarms


Displays the top 10 sources of alarms by source IP address.


Solsoft NP Standard Reports


The Reports module includes the following standard reports for the Solsoft NP event
source.

Configuration Compares by Device


Displays the results of comparisons of event source configurations.

Configuration Rollbacks by Device


Displays event sources that were rolled back to the original configuration.

Failed Logins by Usernames


Displays all failed logon attempts by individual users.

Newly Generated Configurations by Project


Displays configurations that were generated by project ID, version, and user name.

Results of Configuration Uploads by Device


Displays event sources that were uploaded with new configurations and the results of the
upload.

Successful Logins by Usernames


Displays all successful logon attempts by individual users.


Sun Solaris BSM Standard Reports


The Reports module includes the following standard reports for the Sun Solaris BSM
event source.

Event Audit by Content


Lists all events containing a particular string, sorted by date and time.

Event Details by Audit Event Type


Lists all events for a particular audit event type, sorted by date and time.

Event Details by Audit Events


Lists all events for a particular audit event type, sorted by date and time. Select the audit
event type before running the report.

Event Inventory
Lists all event types collected, sorted by count.

Kernel-Level Events
Lists all Kernel-Level events generated by system calls.
Note: This report is deprecated. Use the Kernel-Level Events by System report
instead.

Kernel-Level Events by System


Lists all Kernel-Level events generated by system calls.

Login and Logout Activity


Lists all logon and logoff activity for a particular user, sorted by date and time.

Permission Changes
Lists all permission changes by a process or user.

Privileged Operations
Lists all privilege capabilities or role-based access control.

Startup, Shutdown, Reboot and Halt


Lists all startup, shutdown, reboot, and halt audit events.


Super User Events


Lists all super user events.

User-Level Events
Lists user-level events generated by application software.


Sun Solaris Standard Reports


The Reports module includes the following standard reports for the Sun Solaris event
source.

Failed Super User Attempts


Displays users who attempted to switch user to "root" and were denied.

Percentage of Connections by Service


Queries for messages with a message ID of 317013 and counts them, sorted by agent or
service. This message is created by the inetd daemon and logs all connections by service,
such as logon, ftp, or telnet.

Super User Access


Queries for messages with message ID of 366847:01 and displays which users switched
user to "root" and at what time.

Total Connections by Foreign Address


Displays the total connections by source address.
Note: The name for this report under the Content 2.0 schema is Total Connections by
Source Address.

Total Connections by Port


Displays the total number of connections grouped by port number.

Compliance Reports
The following compliance reports will yield different results if you apply the Content 2.0
update of the Sun Solaris event source:
- FISMA - Unsuccessful Login Attempts
- FISMA - Unsuccessful Login Summary
- PCI / All Actions by Individuals with Root or Administrative Privileges - Unix & Linux
- PCI - Initialization of Audit Logs
- PCI - Administrative Privilege Escalation - Unix & Linux


Sybase ASE Standard Reports


The Reports module includes the following standard reports for the Sybase ASE event
source.

Audit Details Based on Username


Lists Sybase ASE audit details by user name.

Audit Details Based on Username and Role


Lists Sybase ASE audit details by user name and role.


Symantec Antivirus Corporate Edition Standard Reports

The Reports module includes the following standard reports for the Symantec Antivirus
Corporate Edition event source.

Top Infected Systems


Displays the top 20 systems detected with viruses.

Top Viruses Detected


Displays the top 20 viruses detected.

Virus Detection Details


Displays all detected viruses, sorted by date and time.


Symantec Enterprise Firewall Standard Reports


The Reports module includes the following standard reports for the Symantec Enterprise
Firewall event source.

Bandwidth Usage by Address


Displays bandwidth usage by address sorted by byte count.

Bandwidth Usage by Address Tabular


Displays bandwidth usage by address sorted by byte count.

Bytes Received by Address


Summarizes received bandwidth by address sorted by byte count in a table.

Bytes Sent by Address


Summarizes transmitted bandwidth usage by address sorted by byte count.

FTP Destinations
Summarizes FTP activity to foreign addresses by the number of requests.

HTTP Destinations
Summarizes HTTP activity to foreign addresses by the number of requests.

Top FTP Destinations


Summarizes FTP requests to foreign addresses by the number of requests.

Top HTTP Destinations


Summarizes HTTP requests to foreign addresses by the number of requests.


Symantec Enterprise Firewall (VPN) Standard Reports

The Reports module includes the following standard reports for the Symantec Enterprise
Firewall (VPN) event source.

Dropped Packets
Displays information about packets that were dropped by the gateway.

Packet Errors Detected


Displays errors that were discovered in a VPN packet with the specified source and
destination address.


Symantec Intruder Alert Standard Reports


The Reports module includes the following standard reports for the Symantec Intruder
Alert event source.

Symantec Intruder Alert - Top 10 Policy Violations


Lists the top 10 policy violations detected by Symantec Intruder Alert.

Symantec Intruder Alert - Top 10 Rules


Lists the top 10 rules detected by Symantec Intruder Alert.

Symantec Intruder Alert - Top 10 Sensors


Lists the top 10 sensors generating alerts detected by Symantec Intruder Alert.

Symantec Intruder Alert Detailed Alert Report


Displays detailed information for the last 100 alerts generated by Symantec Intruder
Alert.


Symantec Network Security (SNS) Standard Reports


The Reports module includes the following standard reports for the Symantec Network
Security (SNS) event source.

Destinations for Specific Source IP Address


Lists the destination for a specific source IP address for a given time period.

Event List by Reporting Device


Lists events by reporting event source.

Event List for Destination IP Address


Displays the event list for destination IP address for a given time period.

Event List for Source IP Address


Displays the event list for source IP address for a given time period.

Events per Day


Displays the number of events per day for a given time period.

Events per Hour


Displays the number of events per hour for a given time period.

Incidents per Day


Displays the number of incidents per day for a given time period.

Incidents per Hour


Displays the number of incidents per hour for a given time period.

Number of Events by IP Protocol


Displays the number of events by IP protocol.

Number of Events by Reporting Device


Displays the number of events by a reporting event source.

Specific Event for all Source IP Addresses


Displays the specific events list for all source IP addresses for a given time period.

Top 20 Event Destinations


Displays the top 20 event destinations for a given time period.


Top 20 Event Sources


Displays the top 20 event sources for a given time period.

Top 20 Event Types


Displays the top 20 event types for a given time period.


TippingPoint UnityOne Standard Reports


The Reports module includes the following standard reports for the TippingPoint
UnityOne event source.

Top 10 Attacks by Destination Address


Displays a count of all attacks grouped by the destination address field. Administrators
can use this report to see which event sources are routinely being attacked.

Top 10 Attacks by Destination Port


Displays a count of all attacks grouped by the destination port field. Administrators can
use this report to see which network services are routinely being attacked.

Top 10 Attacks by Network Sensor


Displays a count of all attacks grouped by the sensor field. Administrators can use this
report to see which sensors are detecting the most attacks and, based on sensor
deployment, which areas of the network are routinely being attacked.

Top 10 Attacks by Source Address


Displays a count of all attacks grouped by the source address field.

Total Attacks by Hour


Displays a count of all attacks grouped by hour of detection. Administrators can use this
report to see patterns in attacks based upon time of day.


Top Layer Attack Mitigator Standard Reports


The Reports module includes the following standard reports for the Top Layer Attack
Mitigator event source.

Attack Events information


Displays recent attack signatures, including attack time, attack signature, source and
destination protocol, source and destination addresses, disposition of attack, top layer
device type, message information, threat level, circuit number, and origin of attack.

Top 25 Client IPs by Bytes Sent


Displays the top 25 client IP addresses that passed traffic and the total bytes sent (cbtx)
by each.

Top 25 Server IPs by Bytes Sent


Displays the top 25 server IP addresses that passed traffic and the total bytes sent (sbtx)
by each.

Top Protocols by Total Traffic


Displays the total traffic passed grouped by the protocols of the connections.

Total Attacks by Attack Signature


Displays the totals of attack events grouped by attack signature.

Total Attacks by Origin


Displays the totals of attack events grouped by source identifier. Use this report to view
the number of recognized attacks by source origin, either outside or inside your network.

Total Attacks by Source Address


Displays the totals of attack events grouped by source address.

Total Bytes by Username


Displays the total bytes by user name.


Top Layer Secure Edge Controller Standard Reports


The Reports module includes the following standard reports for the Top Layer Secure
Edge Controller event source.

Detailed Remote Access Events


Displays detailed information about successful remote access connections by user name.

Top 20 Users by Total Connections


Queries for connection messages and displays the tally grouped by user name.

Total Bytes by Username


Queries for accounting information and displays a tally grouped by user name.

Total Traffic Passed By Device Address


Queries for total kbytes passed and displays the results sorted by event source address.

Total Traffic Passed by VLAN


Displays traffic levels sorted by VLANs. Administrators can use this report to get a high
level view of how individual segments of the network are performing.

Total Traffic by Product Type


Queries for byte transfer information and displays the results summed by product type.


Trend Micro Deep Security Standard Reports


The Reports module includes the following standard reports for the Trend Micro Deep
Security event source.

Summary Report
Lists all events by event time.


Trend Micro OfficeScan Standard Reports


The Reports module includes the following standard reports for the Trend Micro
OfficeScan event source.

Top Infected Systems


Displays the top 20 systems detected with viruses.

Top Viruses Detected


Displays the top 20 viruses detected.

Virus Detection Details


Displays all detected viruses sorted by date and time.

Virus Outbreaks Details


Displays all virus outbreaks sorted by date and time.


Tripwire Enterprise Standard Reports


The Reports module includes the following standard reports for the Tripwire Enterprise
event source.

Node Change Rates


Lists the nodes with detected changes sorted by time of change occurrence.

Node Change Rates by Severity


Lists the nodes with detected changes sorted by detected severity.

Node Change Rates by Date/Time


Lists changes detected sorted by frequency of occurrence.

System Access
Lists user logons and logoffs.


VMware View Standard Reports


The Reports module includes the following standard reports for the VMware View event
source.

Desktop Connection Events


Displays desktop connection events.

Desktop Management Events


Displays desktop management events.

Failed Authentication Attempts


Displays failed authentication attempts.

User Login Events


Displays user login events.


VMware vShield Standard Reports


The Reports module includes the following standard reports for the VMware vShield
event source.

Configuration Changes
Lists configuration change messages from VMware vShield.

Firewall Events
Lists the firewall events in VMware vShield.


Websense Web Security Standard Reports


The Reports module includes the following standard reports for the Websense Web
Security event source.

Blocked URLs Details


Displays all the information related to blocked URL access.

Top 20 Blocked Categories


Displays the top 20 blocked categories of web sites.

Top 20 Blocked Users


Displays the top 20 blocked users.

Top 20 Categories
Displays the top 20 categories of web sites.

Top 20 Visited Domains


Displays the top 20 visited root domains.


Insider Threat Reports


RSA enVision includes reports that focus on mitigating insider threats.
Insider Threat Mitigation Standard Reports ........ 345
Unix and Database Insider Threat Mitigation Reports ........ 346
Windows Insider Threat Mitigation Reports ........ 358

Insider Threat Mitigation Standard Reports


The Reports module includes the following standard system reports for insider threats.

AIX - Run All Bind Report


This is a package to run all AIX reports for a given time span.

HPUX/Free BSD - Run All Bind Report


This is a package to run all HP-UX or FreeBSD reports for a given time span.

Mac OS X - Run All Bind Report


This is a package to run all Mac OS X reports for a given time span.

Oracle Database Audit Details Bind Report


This is a package to run Oracle Audit reports.

Solaris BSM - Run All Bind Report


This is a package to run all Solaris BSM reports for a given time span.

Sybase ASE - Database Audit Details


This is a package to run Sybase Adaptive Server Enterprise Audit reports.

Windows - Run All Bind Report


Windows bind report for insider threats.


Unix and Database Insider Threat Mitigation Reports


There is a constant need for businesses to change strategies, add resources, modify their
business models, and take immediate action to meet the different requirements of the
current market. Factors such as inadvertent employee error, laptop theft, contractors'
unauthorized access to information, disgruntled employees, and password
mismanagement can lead to drastic revenue loss, legal liabilities, diminished productivity,
and brand erosion. A collection of such scenarios is called an Internal Threat Model, and
this document outlines the need to mitigate such threats.
The IT departments of many large organizations are faced with the challenging task of
detecting and preventing insider threats, which pose one of the biggest security concerns
to organizations.
This document focuses on the following report types:
- Unix Reports
- Database Reports

Unix Reports
These reports were collected for the following:
- Unix AIX
- Mac OS X
- HP-UX
- Solaris Basic Security Module (BSM)

AIX Failed Logon Attempts by Username

Report Name: AIX - Failed Logon Attempts by Username
Description: This report displays the failed login attempts of all users.
Input Parameters: Enter the desired user name to span across all events for the same, or
leave blank to get all such events.
Result Set:
- EventTime: Date or time of the occurrence of the event as recorded by the system that
generated it.
- Device Address: IP address of the event source that sent the event to enVision.
- UserName: Account name.
- Agent: Logon service or method used.
- Reason: Reason for the failed logon attempt.

346

RSAenVision Reports

AIX Failed Super User Attempts by Username

Report Name: AIX - Failed Super User Attempts by Username
Description: This report displays a list of denied user attempts to Switch User to root.
Input Parameters: Enter the desired user name to span across all events for the same, or
leave blank to get all such events.
Result Set:
- EventTime: Date or time of the occurrence of the event as recorded by the system that
generated it.
- Device Address: IP address of the event source that sent the event to enVision.
- UserName: Account name.
- Action: Action taken or proposed to be taken.

AIX Super User Access by Username

Report Name: AIX - Super User Access by Username
Description: This report displays a list of successful Switch User escalations to root.
Input Parameters: Enter the desired user name to span across all events for the same, or
leave blank to get all such events.
Result Set:
- EventTime: Date or time of the occurrence of the event as recorded by the system that
generated it.
- Device Address: IP address of the event source that sent the event to enVision.
- UserName: Account name.
- Action: Action taken or proposed to be taken.

Mac OSX User Action Audit by Username

Report Name: Mac OSX User Action Audit by Username
Description: This report lists all user actions linked to their usernames.
Input Parameters: Enter the desired user name to span across all events for the same, or
leave blank to get all such events.
Result Set:
- EventTime: Date or time of the occurrence of the event as recorded by the system that
generated it.
- Device Address: IP address of the event source that sent the event to enVision.
- UserName: Account name.
- Agent: Logon service or method used.
- Action: Action taken or proposed to be taken.
- Reason: Reason for the above status.


Mac OSX Failed Authentication Attempts

Report Name: Mac OSX Failed Authentication Attempts
Description: This report displays failed authentication or privilege switch attempts by all
users.
Result Set:
- EventTime: Date or time of the occurrence of the event as recorded by the system that
generated it.
- Device Address: IP address of the event source that sent the event to enVision.
- UserName: Account name.
- Agent: Logon service or method used.
- Action: Action taken or proposed to be taken.
- Reason: Reason for the above status.

Mac OSX Successful Authentication Attempts

Report Name: Mac OSX Successful Authentication Attempts
Description: This report displays failed authentication or privilege switch attempts by all
users.
Result Set:
- EventTime: Date or time of the occurrence of the event as recorded by the system that
generated it.
- Device Address: IP address of the event source that sent the event to enVision.
- UserName: Account name.
- Agent: Logon service or method used.
- Action: Action taken or proposed to be taken.
- Reason: The reason for the above status.

348

RSAenVision Reports

HPUX/FreeBSD Super Access by Username

Description: This report displays all super user authentication attempts, the result of the attempts, and the user names associated with the attempts.
Input Parameters: Enter the desired user name to span across all the same events, or leave blank to get all events.
Result Set:
- EventTime: Date or time of the occurrence of the event as recorded by the system that generated it.
- Device Address: IP address of the event source that sent the event to enVision.
- Message ID
- UserName: Account name.
- Agent: Logon service or method used.
- Reason: Reason for the above status.

Solaris BSM Event Audit by Content

Description: This report shows a list of all events containing a particular string, sorted by date and time.
Input Parameters: Enter a user name, group name, server, command, path, process ID, or action type in the Runtime parameters field. You can then run the report.
Result Set:
- EventTime: Date or time of the occurrence of the event as recorded by the system that generated it.
- Device Address: IP address of the event source that sent the event to enVision.
- Interface: Device interface name.
- MessageID
- UserName: Account name.
- Action: Action performed.
- Information: Information about the object on which the action above is performed.

Solaris BSM Event Details by Audit Event Type

Description: This report shows a list of all events for a particular audit event type, sorted by date and time.
Input Parameters: Select the audit event type from the drop-down list before running the report.
Result Set:
- EventTime: Date or time of the occurrence of the event as recorded by the system that generated it.
- Device Address: IP address of the event source that sent the event to enVision.
- Message ID
- Real User ID: Logon ID.
- Effective User ID: Current assumed logon in the system.
- Information: Information about the object on which the action above is performed.
- Status: Status of the permission change.

Solaris BSM Kernel-Level Events

Description: Kernel-level events generated by system calls.
Result Set:
- EventTime: Date or time of the occurrence of the event as recorded by the system that generated it.
- Device Address: IP address of the event source that sent the event to enVision.
- Message ID
- Real User ID: Logon ID.
- Effective User ID: Current assumed logon in the system.
- Information: Information about the object on which the action above is performed.
- Status: Status of the permission change.

Solaris BSM Login and Logout Activity

Description: This report shows a list of all logon and logout activity for a particular user, sorted by date and time.
Input Parameters: Enter a username in the Runtime parameters field.
Result Set:
- EventTime: Date or time of the occurrence of the event as recorded by the system that generated it.
- Device Address: IP address of the event source that sent the event to enVision.
- Host Name: Name of the machine running Solaris.
- Interface: Client interface.
- Message ID
- UserName: Account name.
- Status: Status of the permission change.
- Reason: Reason for the above status.

Solaris BSM Permission Changes

Description: This report shows a list of all logon and logout activity for a particular user, sorted by date and time.
Result Set:
- EventTime: Date or time of the occurrence of the event as recorded by the system that generated it.
- Device Address: IP address of the event source that sent the event to enVision.
- Host Name: Name of the machine running Solaris.
- Interface: Client interface.
- Message ID
- Real User ID: Logon ID.
- Effective User ID: Current assumed logon in the system.
- Group: Group to switch the settings.
- Information: Information about the object accessed by the user after the permission changes.
- Status: Status of the permission change.
- Result: Result (error) string.

Solaris BSM Privileged Operations

Description: Use of Privilege Capabilities or Role-Based Access Control.
Result Set:
- EventTime: Date or time of the occurrence of the event as recorded by the system that generated it.
- Device Address: IP address of the event source that sent the event to enVision.
- Interface: Client interface.
- Message ID
- Real User ID: Logon ID.
- Effective User ID: Current assumed logon in the system.
- Status: Status of the permission change.

Solaris BSM Startup, Shutdown, Reboot, and Halt

Description: Startup, Shutdown, Reboot, and Halt audit events by users with group information.
Result Set:
- EventTime: Date or time of the occurrence of the event as recorded by the system that generated it.
- Device Address: IP address of the event source that sent the event to enVision.
- Interface: Client interface.
- Message ID
- UserName: Account name.
- Group: Group to which the user belongs.
- Agent: Logon service or method used.

Solaris BSM Super User Events

Description: List of all events generated by escalation only to a super user.
Result Set:
- EventTime: Date or time of the occurrence of the event as recorded by the system that generated it.
- Device Address: IP address of the event source that sent the event to enVision.
- Interface: Client interface.
- Message ID
- UserName: Account name.
- Status: Status of the permission change.

Solaris BSM User-Level Events

Description: User-level events generated by application software or users.
Result Set:
- EventTime: Date or time of the occurrence of the event as recorded by the system that generated it.
- Device Address: IP address of the event source that sent the event to enVision.
- Host Name: Name of the machine running Solaris.
- Interface: Client interface.
- Message ID
- UserName: Account name.
- Status: Status of the permission change.
- Reason: Reason associated with the status.

Database Reports

BIND Reports

These reports only work with Windows Server 2003 events collected by the following:
1. Oracle Database Audit Details Bind Report: This report binds the following Oracle reports:
   - Oracle Audit details based on Username
   - Oracle Audit details based on Username and Privilege
   The bind report should be scheduled based on your environment using the Scheduled Reports tab under Reports in the RSA enVision user interface.
2. Sybase ASE Database Audit Details Bind Report: This report binds the following Sybase ASE reports:
   - Sybase ASE Audit details based on Username
   - Sybase ASE Audit details based on Username and Role
   The bind report should be scheduled based on your environment using the Scheduled Reports tab under Reports in the RSA enVision user interface.

Oracle Audit Details Based on Username

Description: This report lists all database activities by a user, sorted by event time. It looks at all the event IDs within the Oracle XML.
Device Group: Select or create a device group which has the device ORACLE only, as the report will run on all the devices that you select within the device group.
Input Parameters:
- Database Username: Username with which the user accessed the Oracle database. The default value is null.
- OS Username: Operating system logon username of the user whose actions were audited. The default value is null.
- Starting from hour: Displays all records starting from this hour of the day; possible values range from 0 to 23. The default value is 0.
- Until hour: Displays all records until this hour of the day; possible values range from 0 to 23. The default value is 23.
The Database username and the OS Username are joined by an OR clause within the SQL query. If you are searching for records based on one field, then the other field should not be left blank. Oracle logs leave a blank if the field is not populated. Make sure you put a default value such as null in the other field.
Result Set:
- EventTime: Date or time of the occurrence of the event as recorded by the system that generated it.
- UserName: Database username.
- Action: Action taken or proposed to be taken.
- OS UserName: Operating system logon username of the user whose actions were audited.
- Privilege: Privilege level or attributes used.
- System Name: Name of the system.
- Object Creator: Creator of the object affected by the action.
- Operating System: Name of the operating system.
- Object Name: Name of the object.
- Oracle Version
- Node Name: Name of the node.
- Instance Name: Name of the instance.
- DatabaseProcessID: Process ID for the database server where this is not the main process ID that is shown within a single event.
- User Host Name: Client host machine name.

Oracle Audit Details Based on Username and Privilege

Description: This report lists all database activities by a user, sorted by event time. It looks at all the event IDs within the Oracle XML.
Device Group: Select or create a device group which has the device ORACLE only, as the report will run on all the devices that you select within the device group.
Input Parameters:
- Database UserName: Username with which the user accessed the Oracle database. The default value is null.
- OS UserName: Operating system logon username of the user whose actions were audited. The default value is null.
- Starting from hour: Displays all records starting from this hour of the day; possible values range from 0 to 23. The default value is 0.
- Until hour: Displays all records until this hour of the day; possible values range from 0 to 23. The default value is 23.
The Database username and the OS Username are joined by an OR clause within the SQL query. If you are searching for records based on one field, then the other field should not be left blank. Oracle logs leave a blank if the field is not populated. Make sure you put a default value such as null in the other field.
Result Set:
- EventTime: Date or time of the occurrence of the event as recorded by the system that generated it.
- UserName: Database username.
- Action: Action taken or proposed to be taken.
- OS UserName: Operating system logon username of the user whose actions were audited.
- Privilege
- System Name: Name of the system.
- Object Creator: Creator of the object affected by the action.
- Operating System: Name of the operating system.
- Object Name: Name of the object.
- Oracle Version
- Node Name: Name of the node.
- Instance Name: Name of the instance.
- DatabaseProcessID: Process ID for the database server where this is not the main process ID that is shown within a single event.
- User Host Name: Client host machine name.
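The OR-clause caveat shared by the two Oracle audit reports above (Username, and Username and Privilege), as an added illustration that is not enVision's own query: a constructed SQLite stand-in table with assumed column names and constructed sample rows shows why a blank OS Username parameter pulls in every record whose OS username Oracle left empty, and why the suggested default value of null avoids that.

```python
"""Illustrates the OR-join caveat from the Oracle audit reports' input parameters.

Constructed stand-in for the report's query: the table, its column names and
the sample rows are assumptions, not the enVision schema.
"""
import sqlite3

# Constructed sample audit rows: (event_hour, db_username, os_username, action).
# Oracle leaves the OS username blank ('') when the field is not populated.
SAMPLE_ROWS = [
    (9, "APP_USER", "jsmith", "SELECT"),
    (10, "SCOTT", "", "CREATE TABLE"),
    (14, "SYS", "", "GRANT"),
    (16, "APP_USER", "", "UPDATE"),
    (23, "HR", "mjones", "DELETE"),
]


def _connect():
    """Build an in-memory table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE oracle_audit ("
        "event_hour INTEGER, db_username TEXT, os_username TEXT, action TEXT)"
    )
    conn.executemany("INSERT INTO oracle_audit VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def audit_details(db_username, os_username, start_hour=0, until_hour=23):
    """Return matching (hour, db_user, os_user, action) rows sorted by hour.

    Mirrors the report description: the two username parameters are joined
    by OR, and the hour window is inclusive with values from 0 to 23.
    """
    if not 0 <= start_hour <= until_hour <= 23:
        raise ValueError("hours must satisfy 0 <= start <= until <= 23")
    conn = _connect()
    try:
        cur = conn.execute(
            "SELECT event_hour, db_username, os_username, action "
            "FROM oracle_audit "
            "WHERE (db_username = ? OR os_username = ?) "
            "AND event_hour BETWEEN ? AND ? "
            "ORDER BY event_hour",
            (db_username, os_username, start_hour, until_hour),
        )
        return cur.fetchall()
    finally:
        conn.close()


def demo():
    # Searching for DB user SCOTT but leaving the OS username blank: the blank
    # side of the OR matches every row whose OS username Oracle left empty.
    blank = audit_details("SCOTT", "")
    # Same search with the recommended placeholder 'null' in the unused field:
    # the placeholder matches no row, so only SCOTT's own activity comes back.
    sentinel = audit_details("SCOTT", "null")
    return blank, sentinel


if __name__ == "__main__":
    for label, rows in zip(("blank OS username", "'null' OS username"), demo()):
        print(f"{label}: {len(rows)} rows")
        for row in rows:
            print("   ", row)
```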

Sybase ASE Audit Details Based on Username

Description: This report lists all database activities by a user, sorted by event time. It looks at all the event IDs within the Sybase ASE XML.
Device Group: Select or create a device group which has the device Sybase ASE only, as the report will run on all the devices that you select within the device group.
Input Parameters:
- Database UserName: Database user name.
- Starting from hour: Displays all records starting from this hour of the day; possible values range from 0 to 23. The default value is 0.
- Until hour: Displays all records until this hour of the day; possible values range from 0 to 23. The default value is 23.
Result Set:
- EventTime: Date or time of the occurrence of the event as recorded by the system that generated it.
- UserName: Logon name corresponding to LogonSid.
- LogonSid: Server logon ID of the user who performed the audited event.
- Action: Action taken or proposed to be taken.
- DatabaseName: Database name.
- DatabaseProcessID: Process ID for the database server where this is not the main process ID that is shown within a single event.
- Node Name: Server Node ID in a cluster where the event occurred.
- Roles
- Mode: Indicates whether or not the event in question passed permission checks.
- Object Owner
- Object Name: Name of the object.

Sybase ASE Audit Details Based on Username and Role

Description: This report lists all database activities by a user, sorted by event time. It looks at all the event IDs within the Sybase ASE XML.
Device Group: Select or create a device group which has the device Sybase ASE only, as the report will run on all the devices that you select within the device group.
Input Parameters:
- Database Username: Database user name.
- Role: Roles that the user has.
- Starting from hour: Displays all records starting from this hour of the day; possible values range from 0 to 23. The default value is 0.
- Until hour: Displays all records until this hour of the day; possible values range from 0 to 23. The default value is 23.
Result Set:
- EventTime: Date or time of the occurrence of the event as recorded by the system that generated it.
- UserName: Logon name corresponding to LogonSid.
- LogonSid: Server logon ID of the user who performed the audited event.
- Action: Action taken or proposed to be taken.
- DatabaseName: Database name.
- DatabaseProcessID: Process ID for the database server where this is not the main process ID that is shown within a single event.
- Node Name: Server Node ID in a cluster where the event occurred.
- Roles
- Mode: Indicates whether or not the event in question passed permission checks.
- Object Owner
- Object Name: Name of the object.

Windows Insider Threat Mitigation Reports

There is a constant need for businesses to change strategies, add resources, modify their business models, and take immediate action to meet the different requirements of the current market. Factors such as inadvertent employee error, laptop theft, contractors' unauthorized access to information, disgruntled employees, and password mismanagement can lead to drastic revenue loss, legal liabilities, diminished productivity, and brand erosion. A collection of such scenarios is called an Internal Threat Model, and this document outlines the need to mitigate such threats.
The IT departments of many large organizations are faced with the challenging task of detecting and preventing insider threats, which pose one of the biggest security concerns to organizations.
This set of reports works with events collected by the following:
- NICAgentless
- InterSect Alliance SNARE BackLog
- InterSect Alliance SNARE
- Adiscon EventReporter
Refer to RSA SecurCare Online for the different versions of Windows currently supported by RSA enVision.
Every report has its own set of input parameters that can be used to show only records that meet certain criteria. The input parameters fall into three categories:
- Time fields: Each report has two fields, Starting from hour and Until hour, that help define a time range for the result set. Possible values for these fields range from 0 to 23. For example, to find all failed logon attempts between 4:00 PM and 10:00 PM, enter 16 in the Starting from hour field and 22 in the Until hour field.
- Text fields: For these fields, you can use wild cards to help you limit the result set to show only records of interest. For example, to find all file access attempts by user Administrator, you can enter Admin% or simply enter Administrator.
  Note: A value of % will return all file access attempts by all users.
- Drop-down lists: If you already have watch lists on your enVision server, then they will be included in the drop-down lists. Otherwise, you need to create new ones based on the report itself. For example, you may need to create a watch list for administrative users that has values like Admin or Administrator. For more information on creating new watch lists or updating existing ones, refer to the enVision Help.
All reports query the Windows Accounting table.

Note: All Windows reports are found in the report, Windows - Run All Bind Report.
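An added illustration, not enVision's own query logic, of the three input-parameter categories described above applied to constructed Windows Security events: an inclusive 0 to 23 hour window, a text field where % matches any run of characters, and a watch list behind a drop-down. The WinEvent fields, the like_match helper and the sample events are assumptions; the event IDs and the Admin/Administrator watch list values come from the report descriptions on this page.

```python
"""Stand-in for the report filters: time fields, text fields with % wild
cards, and watch-list drop-downs, run over constructed sample events."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class WinEvent:
    hour: int       # hour of day the event was recorded (0..23)
    event_id: int   # Security / Microsoft-Windows-Security-Auditing event ID
    user: str       # account that performed the action
    target: str     # account or object acted upon


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    WinEvent(8, 4720, "hrbot", "jdoe"),                         # account created
    WinEvent(17, 4726, "Administrator", "tmp01"),               # account deleted
    WinEvent(19, 4738, "AdminSvc", "jdoe"),                     # account changed
    WinEvent(21, 560, "Administrator", r"C:\payroll\q3.xlsx"),  # file opened
    WinEvent(22, 567, "Admin", r"C:\payroll\q3.xlsx"),          # file accessed
    WinEvent(23, 4738, "Administrator", "svc_backup"),          # account changed
    WinEvent(3, 560, "jdoe", r"C:\public\readme.txt"),          # file opened
]

# Event ID sets and watch-list values taken from the report descriptions.
USER_GROUP_ACCOUNT_CHANGES = {4720, 4726, 4738}
ACCESS_TO_FILES_BY_ADMINS = {560, 567}
ADMIN_WATCH_LIST = {"Admin", "Administrator"}


def like_match(pattern, value):
    """SQL-style match: % stands for any run of characters (case-insensitive)."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("%")) + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


def run_report(events, event_ids, start_hour=0, until_hour=23,
               user_filter=None, watch_list=None):
    """Apply the report's event IDs, hour window, text filter and watch list."""
    if not (0 <= start_hour <= 23 and 0 <= until_hour <= 23):
        raise ValueError("hour fields take values from 0 to 23")
    selected = []
    for ev in events:
        if ev.event_id not in event_ids:
            continue
        if not start_hour <= ev.hour <= until_hour:
            continue
        if user_filter is not None and not like_match(user_filter, ev.user):
            continue
        if watch_list is not None and ev.user not in watch_list:
            continue
        selected.append(ev)
    # Reports are sorted by user name; the hour breaks ties.
    return sorted(selected, key=lambda e: (e.user.lower(), e.hour))


def demo():
    # Time fields: account changes between 4:00 PM and 10:00 PM -> 16 and 22.
    evening = run_report(SAMPLE_EVENTS, USER_GROUP_ACCOUNT_CHANGES, 16, 22)
    # Text field: file accesses by any user matching Admin%.
    admin_like = run_report(SAMPLE_EVENTS, ACCESS_TO_FILES_BY_ADMINS,
                            user_filter="Admin%")
    # Text field: % alone returns every file access by every user.
    everyone = run_report(SAMPLE_EVENTS, ACCESS_TO_FILES_BY_ADMINS, user_filter="%")
    # Drop-down list: only accounts on the administrative-users watch list.
    watched = run_report(SAMPLE_EVENTS, ACCESS_TO_FILES_BY_ADMINS,
                         watch_list=ADMIN_WATCH_LIST)
    return evening, admin_like, everyone, watched


if __name__ == "__main__":
    for name, rows in zip(("16-22h", "Admin%", "%", "watch list"), demo()):
        print(name, [(e.hour, e.event_id, e.user) for e in rows])
```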

Windows Insider Threat Mitigation Reports

- Windows - Computer Account Changes
- Windows - Computer Account Changes - Windows Server 2003
- Windows - User Group Account Changes
- Windows - User Group Account Changes - Windows Server 2003
- Windows - Access to Files
- Windows - Registry Access
- Windows - Logons/logoffs by User During Non-Business Hours
- Windows - User Rights Changes
- Windows - User Rights Changes - Windows Server 2003
- Windows - Access to Files by Administrators
- Windows - Applications by Administrative Users
- Windows - Account Locked Out
- Windows - Applications by Users
- Windows - Applications by Users - Windows Server 2003
- Windows - Privileged Activities by User

Windows - Computer Account Changes

Description: This report shows a list of all computer account changes. It checks for the following Microsoft-Windows-Security-Auditing event IDs: 4741, 4742 and 4743.
Input Parameters:
- Changes Made by User: User who made the changes
- Starting from Hour: Show all records starting from this hour of the day
- Until Hour: Show all records until this hour of the day
Result Set:
- Date/Time
- Target User Name
- Computer
- Action
- EventID
- Event Type

Windows - Computer Account Changes - Windows Server 2003

Description: This report shows a list of all computer account changes. This report works only for Windows Server 2003 and earlier. It checks for the following Security event IDs: 645, 646 and 647.
Input Parameters:
- Changes Made by User: User who made the changes
- Starting from Hour: Show all records starting from this hour of the day
- Until Hour: Show all records until this hour of the day
Result Set:
- Date/Time
- Target User Name
- Computer
- Action
- EventID
- Event Type

Windows - User Group Account Changes

Description: This report shows a list of all user account changes. It checks for the following Microsoft-Windows-Security-Auditing event IDs: 4720, 4726 and 4738.
Input Parameters:
- Changes Made by User: User who made the changes
- Starting from Hour: Show all records starting from this hour of the day
- Until Hour: Show all records until this hour of the day
Result Set:
- Date/Time
- Target User Name
- Computer
- Action
- EventID
- Event Type

Windows - User Group Account Changes - Windows Server 2003

Description: This report shows a list of all user account changes. This report works only for Windows Server 2003 and earlier. It checks for the following Security event IDs: 624, 630 and 642.
Input Parameters:
- Changes Made by User: User who made the changes
- Starting from Hour: Show all records starting from this hour of the day
- Until Hour: Show all records until this hour of the day
Result Set:
- Date/Time
- Target User Name
- Computer
- Action
- EventID
- Event Type

Windows - Access to Files

Description: This report shows a list of all files accessed in folders monitored for access auditing. It checks for the following Security event ID 560 and Microsoft-Windows-Security-Auditing 4565.
Input Parameters:
- User: User who accessed the file.
- Starting from Hour: Show all records starting from this hour of the day
- Until Hour: Show all records until this hour of the day
Result Set:
- Date/Time
- Primary Domain Name: For Windows Server 2003, it will indicate the domain of the user when the object is opened locally
- Primary User Name: For Windows Server 2003, it will indicate the user when the object is opened locally
- Client Domain: For Windows Server 2003, it will indicate the domain of the user when the object is opened remotely
- Client User Name: For Windows Server 2003, it will indicate the user when the object is opened remotely
- Event Type
- Name: Name of the object being accessed
- Accesses
- Privileges
- AdditionalInfo1

Windows - Registry Access

Description: This report shows a list of all accesses to registry files and keys. It checks for the following Security event IDs: 560, 561, 562, 563, 564, 565 and 566. It also checks for the following Microsoft-Windows-Security-Auditing: 4656, 4657, 4658, 4659, 4660, 4661, 4662, 5136 and 5137.
Input Parameters:
- User: User who made the changes to the registry
- Starting from Hour: Show all records starting from this hour of the day
- Until Hour: Show all records until this hour of the day
Result Set:
- Date/Time
- Event ID
- Event
- Name: Modified registry key/value
- Primary Domain Name: For Windows Server 2003, it will indicate the domain of the user when the changes are done locally
- Primary User Name: For Windows Server 2003, it will indicate the user when changes are done locally
- Client Domain: For Windows Server 2003, it will indicate the domain of the user when changes are done remotely
- Client User Name: For Windows Server 2003, it will indicate the user when the changes are done remotely
- Accesses

Windows - Logons/Logoffs by User During Non-Business Hours

Description: This report shows a list of all logon and logoff activities sorted by user name during non-business hours.
Input Parameters:
- Work Days: Show all events that were recorded on this day of the week
- Starting Hour: Show all records starting from this hour of the day
- End Hour: Show all records until this hour of the day
Result Set:
- Date/Time
- Event Computer
- User Name
- Logon ID
- Event ID
- Logon Type
- Workstation
- Domain Name

Windows - User Rights Changes

Description: This report shows a list of all user rights changes. It checks for the following Microsoft-Windows-Security-Auditing: 4704 and 4705.
Input Parameters:
- Changes Made by User: User who made the changes to the account
- Starting from Hour: Show all records starting from this hour of the day
- Until Hour: Show all records until this hour of the day
Result Set:
- Date/Time
- Event ID
- Event
- Event User
- Domain Name
- User Name
- Target User Name

Windows - User Rights Changes - Windows Server 2003

Description: This report shows a list of all user rights changes. This report works only for Windows Server 2003 and earlier. It checks for the following Security event IDs: 608 and 609.
Input Parameters:
- Changes Made by User: User who made the changes to the account
- Starting from Hour: Show all records starting from this hour of the day
- Until Hour: Show all records until this hour of the day
Result Set:
- Date/Time
- Event ID
- Event
- Event User
- Domain Name
- User Name
- Target User Name

Windows - Access to Files by Administrators

Description: This report shows a list of all files accessed by administrators in folders monitored for access auditing. It checks for the following Security event IDs: 560 and 567.
Input Parameters:
- Administrative Users: Drop-down list for watch lists that include the account names of administrative users.
- File Name Filter: File that has been accessed by the user
- Starting From Hour: Show all records starting from this hour of the day
- Until Hour: Show all records until this hour of the day
Result Set:
- Date/Time
- Domain Name: Domain of the user if the file is accessed locally
- User Name: User name if the file is accessed locally
- Client Domain: Domain of the user if the file is accessed remotely
- Client User Name: User name if the file is accessed remotely
- Event Type
- Name
- Accesses
- Privileges
- Object Type

Windows - Applications by Administrative Users

Description: This report shows a list of applications running on computers over the network, sorted by user name. It checks for the following Security event IDs: 592 and 593. It also checks for the following Microsoft-Windows-Security-Auditing: 4688 and 4689.
Input Parameters:
- Administrative Users: Drop-down list for watch lists that include the account names of administrative users
- Process Name Filter: Name of the process that has been launched by the user
- Starting from Hour: Show all records starting from this hour of the day
- Until Hour: Show all records until this hour of the day
Result Set:
- Date/Time
- Domain Name
- User Name
- Process ID
- Process Name
- Description

Windows - Account Locked Out

Description: This report shows a listing of accounts that were locked out. It checks for Security event ID 644.
Input Parameters:
- Locked by User: User who took the action
- Starting from Hour: Show all records starting from this hour of the day
- Until Hour: Show all records until this hour of the day
Result Set:
- Date/Time
- IP Address
- Event Computer
- User Account
- Description

Windows - Applications by Users

Description: This report shows a list of applications running on computers over the network, sorted by user name. It checks for Microsoft-Windows-Security-Auditing event ID 4689.
Input Parameters:
- User: User who launched the application
- Starting from Hour: Show all records starting from this hour of the day
- Until Hour: Show all records until this hour of the day
Result Set:
- User Name
- Date/Time
- Process ID
- Process
- Domain Name

Windows - Applications by Users - Windows Server 2003

Description: This report shows a list of applications running on computers over the network, sorted by user name. This report works only for Windows Server 2003 and earlier. It checks for Security event ID 593.
Input Parameters:
- User: User who launched the application
- Starting from Hour: Show all records starting from this hour of the day
- Until Hour: Show all records until this hour of the day
Result Set:
- User
- Date/Time
- Process
- Name
- Domain Name

Windows - Privileged Activities by User

Description: This report shows a list of activities that invoke privileges, sorted by primary user name. It checks for the following Security event IDs: 577 and 578. It also checks for the following Microsoft-Windows-Security-Auditing: 4673 and 4674.
Input Parameters:
- User: User who performed the activities
- Starting from Hour: Show all records starting from this hour of the day
- Until Hour: Show all records until this hour of the day
Result Set:
- Date/Time
- Primary User Name
- Primary Domain Name
- Client User Name
- Client Domain Name
- Description
- Event ID
- Privileges