The Reports view lets you create and manage Information Manager reports.
To create a report, you insert one or more queries into a report template. You can also add graphic elements and text, including a header and footer. Reports can span multiple views, or you can subdivide a single view and insert multiple queries on that view.
import reports in RML format.
The Reports toolbar contains icons for report management tasks. The tasks available to you depend upon the roles to which you have been assigned, and may include one or more of the following:
■ Refresh the Explorer pane.
■ Create a folder.
■ Create a report.
■ Save a report.
■ Remove the selected report or folder.
■ Import a report from an RML format file.
■ Export the selected report to an RML format file.
■ Adjust the view settings for a report, including the view size and orientation.
■ Publish the selected report by placing the report in the Published Reports folder.
The Reports view has the following panes:
■ Explorer
The Explorer pane lets you manage the My Reports folder and the Published Reports folder, as well as any new folders that you create. When you create a report in the My Reports folder, it is only available to the user who created it. When you create a report in the Published Reports folder, it is available to all of the users who have the applicable permissions for the contents of the report. To publish a report, drag it from your private folder to the Published Reports folder. When you publish a report by dragging it into the Published Reports folder, the two reports are not linked.
In addition to creating, publishing, and deleting reports, you can create and delete report folders. You can also import reports, export reports, and move reports from one folder to another.
■ Properties
The Properties pane lets you view and edit the selected report property values, such as the background color or line thickness.
■ Report
The Report pane provides the tabs that let you design, preview, and distribute the selected report.
Table 2-6 describes the tabs that appear in the right pane when you create a new report or select an existing report from the list in the left pane.

Table 2-6 Report pane tabs

Design: Lets you specify and format the contents of your report. You can include multiple data queries, images, annotation text, and grids in your report.
The queries that are available to you depend upon the roles to which you are assigned. For example, you may have access to queries that pertain to firewall and VPN data, but may not have access to queries on antivirus data.

Preview: Displays a preview of the report. You can also save or print the report from the Preview tab.
You can also drill down on the following query types by clicking on the reports that are displayed:
■ Top N by Field
■ Trending for Top N by Field
■ Summary Data Queries
See “Performing a drill-down on reports” on page 343.

Distribute: Lets you schedule the report and specify report recipients. You can compose an email report notification message, attach the report as a PDF and RTF, or include a URL link to the report.
Note: When the recipient clicks the URL link, the report can be accessed directly if the user has already logged on to the Web configuration interface using the host name of Information Manager. However, if the user has logged on using the IP address of Information Manager, the user is prompted for authentication before the report can be accessed.
You can also test the report distribution configuration with the Test option. The reports are distributed immediately after you perform the test.
To schedule a report for distribution, you must first publish the report by placing it in the Published Reports folder.
Note: The Distribute option is available only for Published Reports.

See “About the Information Manager console” on page 29.
Manager uses to filter known false positives and declare security incidents. Default rules provide a starting point for determining the most common kinds of security incidents, including denial-of-service attacks and blended threats. The default filtering rules provide a set of common filters that can also be used to create customized filters. You can enable, disable, and fine-tune the default rules and filters based on the needs of your organization and the security products that are running.
The Rules view also includes folders for monitors and lookup tables. Monitoring rules are used to detect unexpected security-related changes to systems or periods of inactivity from the systems that are monitored. The lookup tables provide a set of tables that can be configured to list known malicious IP addresses, sensitive files, sensitive URLs, services, Trojan horses, and Windows events that can be used to fine-tune rules and filters. For example, if you have detected a set of IP addresses that routinely attempt to maliciously infiltrate your network, you can add these IP addresses to an IP address lookup table. You can then create a custom rule that checks the table for these known malicious IP addresses during rules processing.
When you define the actions that take place when an incident is triggered, you can create remediation notes. These notes appear on the Remediation tab for an incident that is created. When you add remediation information to a rule and save the changes, the remediation information is updated for the new and the existing incidents.
The Rules view toolbar contains icons for the following tasks:
■ Refresh the Rules list.
■ Create a rule.
■ Create a new folder.
■ Delete a rule.
■ Import rules.
■ Export rules.
■ Copy a rule.
■ Deploy a rule.
■ Revert changes to a rule.
■ Enable rules.
■ Disable rules.
Each folder in the navigation tree includes two subfolders: a System subfolder and a User subfolder. By default, the System subfolder contains the predefined rules, filters, monitors, and lookup tables that are included with Information Manager.
You can enable or disable the items in the System subfolders. However, you cannot make changes to these predefined elements. To create a modified version of a predefined rule, filter, monitor, or lookup table, create a custom version of it and save it in the corresponding User folder. If you create a custom rule or lookup table, you must deploy and enable the new element before it can be used during event processing.
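The passage above describes four pieces working together during event processing: a lookup table of known malicious IP addresses, a filter that removes known false positives, a custom rule that checks the lookup table and declares an incident carrying remediation notes, and the requirement that a custom rule be deployed and enabled before it takes effect. The following is an added example, not Information Manager code, that models that pass in Python. All table contents, filter and rule names, and events are constructed for the example; the event field names (IP Source Address, Device Action, Agent Host, and so on) follow the Event Criteria table later on this page.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Set, Tuple

# An event is a flat mapping of criteria names (as in the Event Criteria table) to values.
Event = Dict[str, object]


class LookupTable:
    """A named lookup table holding IP addresses or CIDR networks (constructed stand-in for the IP Watch List)."""

    def __init__(self, name: str, entries: Set[str]) -> None:
        self.name = name
        self.networks = [ip_network(entry, strict=False) for entry in entries]

    def contains_ip(self, ip: str) -> bool:
        """True if the address falls inside any entry; a malformed address never matches."""
        try:
            addr = ip_address(ip)
        except ValueError:
            return False
        return any(addr in net for net in self.networks)


@dataclass
class Filter:
    """Drops events that match its condition before any rule sees them (a known false positive)."""
    name: str
    condition: Callable[[Event], bool]
    enabled: bool = True


@dataclass
class Rule:
    """Declares an incident when its condition matches; only a deployed and enabled rule runs."""
    name: str
    condition: Callable[[Event], bool]
    severity: str
    remediation: str          # shown on the Remediation tab of every incident the rule creates
    deployed: bool = False
    enabled: bool = False


@dataclass
class Incident:
    rule: str
    severity: str
    remediation: str
    source_ip: str


def process_events(events: List[Event], filters: List[Filter], rules: List[Rule]) -> Tuple[List[Incident], int]:
    """One rules-processing pass: enabled filters run first, then every deployed and enabled rule."""
    incidents: List[Incident] = []
    suppressed = 0
    for ev in events:
        if any(f.enabled and f.condition(ev) for f in filters):
            suppressed += 1
            continue
        for rule in rules:
            if rule.deployed and rule.enabled and rule.condition(ev):
                incidents.append(Incident(rule.name, rule.severity, rule.remediation, str(ev["IP Source Address"])))
    return incidents, suppressed


# Constructed lookup table contents (documentation-range addresses, not real attackers).
IP_WATCH_LIST = LookupTable("IP Watch List", {"203.0.113.7", "198.51.100.0/24"})
CRITICAL_SERVERS = LookupTable("Critical Servers", {"10.0.0.10"})

# Constructed filter: events reported by the authorized internal vulnerability scanner are noise here.
KNOWN_SCANNER_FILTER = Filter(
    name="Suppress authorized vulnerability scanner",
    condition=lambda ev: ev.get("Agent Host") == "vulnscan01.example.internal",
)

# Constructed custom rules, as they would be saved in the User Rules folder.
WATCH_LIST_RULE = Rule(
    name="Traffic from IP Watch List address",
    condition=lambda ev: IP_WATCH_LIST.contains_ip(str(ev.get("IP Source Address", ""))),
    severity="High",
    remediation="Block the source address at the perimeter and review the destination host logs.",
    deployed=True, enabled=True,
)
CRITICAL_SERVER_RULE = Rule(   # saved but not yet deployed: it creates no incidents until deployed and enabled
    name="Denied connection to critical server",
    condition=lambda ev: ev.get("Device Action") == "denied"
        and CRITICAL_SERVERS.contains_ip(str(ev.get("IP Destination Address", ""))),
    severity="Medium",
    remediation="Confirm the firewall policy on the critical server and check for a scanning pattern.",
)

# Constructed sample events (saved event data, as the Testing tab would use).
SAMPLE_EVENTS: List[Event] = [
    {"Event Type ID": "Host Intrusion Event", "IP Source Address": "203.0.113.7", "IP Destination Address": "10.0.0.10",
     "Device Action": "denied", "Agent Host": "web01.example.internal"},
    {"Event Type ID": "Vulnerability Detected", "IP Source Address": "198.51.100.22", "IP Destination Address": "10.0.0.10",
     "Device Action": "permitted", "Agent Host": "vulnscan01.example.internal"},
    {"Event Type ID": "Host Intrusion Event", "IP Source Address": "192.0.2.5", "IP Destination Address": "10.0.0.10",
     "Device Action": "denied", "Agent Host": "web01.example.internal"},
]


def run_demo() -> Tuple[int, int, int]:
    """Returns (incidents with only the first rule active, suppressed events, incidents after deploying the second rule)."""
    before, suppressed = process_events(SAMPLE_EVENTS, [KNOWN_SCANNER_FILTER], [WATCH_LIST_RULE, CRITICAL_SERVER_RULE])
    activated = replace(CRITICAL_SERVER_RULE, deployed=True, enabled=True)   # the deploy + enable step
    after, _ = process_events(SAMPLE_EVENTS, [KNOWN_SCANNER_FILTER], [WATCH_LIST_RULE, activated])
    return len(before), suppressed, len(after)


if __name__ == "__main__":
    print(run_demo())
```

The second event comes from a watch-listed address but is suppressed by the filter before the rule runs, which is the false-positive handling the text describes; the critical-server rule contributes nothing until it is deployed and enabled, after which the same saved events produce two additional incidents.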
Table 2-7 describes the items that are displayed in the Event Filters list in the left pane. It also describes the tabs that appear in the right pane when you make a selection from this list.

Table 2-7 Event filters

Event Filters list: Displays the list of default filters in the System Filters folder and custom filtering rules in the User Filters folder. Use the checkboxes to turn the rules on or off.

Conditions tab: Displays the event criteria that the filtering rules use to filter events. If you create a custom filter, you can add or remove event criteria from this pane.

Testing tab: Lets you test filtering rules with saved event data so that you can evaluate whether the rule filters when it should. This tool helps you fine-tune a rule to filter out the events that cause false positives. You can also debug the errors that prevent the rule from filtering events.

History tab: Shows the date and the time that a user last edited a rule.
Table 2-8 describes the items that are displayed in the Monitors list in the left pane. It also describes the tabs that appear in the right pane when you make a selection from this list.

Table 2-8 Monitors

Monitors list: Displays the list of default monitors in the System Monitors folder and custom monitors in the User Monitors folder. Use the checkboxes to turn the rules on or off.

Properties tab: Lists the monitor properties that let you configure the system monitors.

Actions tab: Lets you specify the follow-up actions that are required to resolve the incident. You can also specify the user or the team that is assigned to investigate and resolve the incident.
See “About automatically assigning incidents” on page 59.
See “Assigning incidents automatically to the least busy member in a user group” on page 302.

History tab: Shows the date and time when a user last edited a monitoring rule.
Table 2-9 describes the items that are displayed in the Correlation Rules list in the left pane. It also describes the tabs that appear in the right pane when you make a selection from this list.

Table 2-9 Correlation rules

Rules list: Displays the list of default rules in the System Rules folder and custom rules in the User Rules folder. Use the checkboxes to turn the rules on or off.

Conditions tab: Displays the event criteria that the rules use to declare a security incident. If you create a custom rule, you can add or remove event criteria from this pane.

Actions tab: Lets you specify the follow-up actions that are required to resolve the incident. You can specify the user or the team that is assigned to investigate and resolve the incident.
See “About automatically assigning incidents” on page 59.
See “Assigning incidents automatically to the least busy member in a user group” on page 302.
You can also create the remediation notes that are associated with each incident that this rule creates, and configure the notifications that are sent when the rule conditions are triggered.

Testing tab: Lets you test rules with saved event data so that you can evaluate whether the rule declares incidents when it should. This tool helps you fine-tune a rule to filter out the events that cause false positives. You can also debug the errors that prevent the rule from declaring incidents when it should.

History tab: Shows the date and time when a user last edited a rule.
Table 2-10 describes the items that are displayed in the Lookup Tables list in the left pane. It also describes each of the lookup tables that are listed under System Lookup Tables.

Table 2-10 Lookup tables

Lookup Tables list: Lists the default lookup tables in the System Lookup Tables folder and custom tables in the User Lookup Tables folder.

Administrative Users: Lists the users who can perform administrative activities.

Authorized Ports Inbound: Lists the ports through which incoming traffic is allowed, as defined by your policies.

Authorized Ports Outbound: Lists the ports through which outgoing traffic is allowed, as defined by your policies.

Critical Servers: Lists the IP addresses of the servers that are critical from a business perspective.

default usernames: Lists the authorized users.

IP Watch List: Lists the IP addresses of known attackers. An incident is created if an event is detected from one of these IP addresses. This is a configurable table that is available for manually tracking known bad IP addresses. DeepSight and LiveUpdate updates maintain a separate internal IP Watch List, which contains IP addresses known to be malicious in the larger Internet environment.

IP Whitelist: Lists the whitelisted IP addresses and domain names. These addresses and domain names are reputable and can be trusted. You can add your trusted domain names and IP addresses to the list.

Monitored Logging Devices: Lists the logging devices that are monitored for an idle state after a specific time span.

Organization Domains: Provides a table in which you describe the organizational domains that are monitored.

P2P Programs: Lists the P2P programs.

Potential Policy Violation IPs: Lists the IP addresses of the hosts that can potentially violate the policy.

Rapid Response Monitored Address Traffic: Lists all of the bad IP addresses with which your sensitive data can communicate.

sensitive files: Lists the file names to monitor during FTP transfers.

sensitive urls: Lists the text strings that are often included in malicious URLs.

services: Lists the services that are associated with each port number.

trojans: Lists the known Trojan horse exploits.

user watchlist: Provides a table in which you can list users and the user names that formerly had access to the network.

Weekdays: Lists the days of the week to allow further refinement of queries based on the day or days associated with an event.

Weekend: Lists the days of the weekend to allow further refinement of queries based on the day or days associated with an event.

Windows events: Lists the Windows events that may indicate violations of security policies or other malicious activities.
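Several of the lookup tables above exist to refine a query rather than to match a single address: Authorized Ports Inbound and Authorized Ports Outbound describe what your policy permits in each traffic direction, and Weekday and Weekend narrow results to the days associated with an event. The following added example, which is not Information Manager code, shows that refinement in Python over constructed events: the Network Traffic Direction field selects which port table applies, and the Weekend table optionally restricts the result to off-hours activity. Table contents, port numbers and events are all constructed; the field names follow the Event Criteria table on this page.

```python
from datetime import datetime
from typing import Dict, List, Set

Event = Dict[str, object]

# Constructed stand-ins for the lookup tables; populate them from your own policy.
AUTHORIZED_PORTS_INBOUND: Set[int] = {25, 80, 443}
AUTHORIZED_PORTS_OUTBOUND: Set[int] = {53, 80, 123, 443}
WEEKEND: Set[str] = {"Saturday", "Sunday"}


def event_day(event_date: str) -> str:
    """Derives the Event Day name from an Event Date string of the form YYYY-MM-DD HH:MM:SS."""
    return datetime.strptime(event_date, "%Y-%m-%d %H:%M:%S").strftime("%A")


def unauthorized_port(ev: Event) -> bool:
    """True when the destination port is outside the authorized table for the event's direction."""
    direction = ev.get("Network Traffic Direction")
    port = int(ev["IP Destination Port"])
    if direction == "inbound":
        return port not in AUTHORIZED_PORTS_INBOUND
    if direction == "outbound":
        return port not in AUTHORIZED_PORTS_OUTBOUND
    # internal, external and unknown traffic are not covered by the two port tables
    return False


def find_policy_violations(events: List[Event], weekend_only: bool = False) -> List[str]:
    """Returns the source addresses of events that use an unauthorized port, optionally only on weekend days."""
    hits: List[str] = []
    for ev in events:
        if not unauthorized_port(ev):
            continue
        if weekend_only and event_day(str(ev["Event Date"])) not in WEEKEND:
            continue
        hits.append(str(ev["IP Source Address"]))
    return hits


# Constructed sample events: 2024-03-15 is a Friday, 2024-03-16 a Saturday, 2024-03-17 a Sunday.
SAMPLE_EVENTS: List[Event] = [
    {"Event Date": "2024-03-15 09:30:00", "Network Traffic Direction": "inbound",
     "IP Destination Port": 3389, "IP Source Address": "203.0.113.40"},   # inbound RDP: not authorized
    {"Event Date": "2024-03-16 02:10:00", "Network Traffic Direction": "outbound",
     "IP Destination Port": 6881, "IP Source Address": "10.0.0.23"},      # outbound P2P port at night on a weekend
    {"Event Date": "2024-03-16 02:11:00", "Network Traffic Direction": "outbound",
     "IP Destination Port": 443, "IP Source Address": "10.0.0.24"},       # outbound HTTPS: authorized
    {"Event Date": "2024-03-17 12:00:00", "Network Traffic Direction": "internal",
     "IP Destination Port": 445, "IP Source Address": "10.0.0.25"},       # internal: port tables do not apply
]


if __name__ == "__main__":
    print(find_policy_violations(SAMPLE_EVENTS))
    print(find_policy_violations(SAMPLE_EVENTS, weekend_only=True))
```

The unrefined query returns both the inbound RDP attempt and the weekend P2P connection; adding the Weekend refinement keeps only the latter, which is the kind of narrowing the Weekday and Weekend tables are meant to support.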
The following tables list the event criteria available and their descriptions.
Table 2-11 Event Criteria: Common tab

Agent Host: The host name of the computer on which the agent is installed.

Agent IP: The IP address of the computer on which the agent is installed.

Agent Mac: The MAC address of the computer on which the agent is installed.

Agent Numeric IP: The numeric IP address of the computer on which the agent is installed.

Agent Subnet: The subnet to which the agent computer belongs.

Category ID: Lets you select the event category from among Application, Communication, Device, Diagnostics, Environment, QS, and Security.

Collection Device Host: The host name of the computer on which the product (collector) is installed.

Collection Device IP: The IP address of the computer on which the product (collector) is installed.

Collection Device ID: The device ID of the computer on which the product (collector) is installed.

Collection Device Mac: The MAC address of the computer on which the product (collector) is installed.

Collection Device Numeric IP: The numeric IP of the computer on which the product (collector) is installed.

Collector Sensor: Identifies the sensor that recorded the event that a collector sent.

Configuration ID: The ID of the configuration.

Created Date: The date that the event was created.
■ Server Time - When the event occurs, the time zone of the server is considered for the event correlation.
■ Source Network Time Zone - When the event occurs, the time zone of the source network is considered for the event correlation.
■ Destination Network Time Zone - When the event occurs, the time zone of the destination network is considered for the event correlation.
If the time zone is not specified, by default the time zone of the server is considered for the event correlation.

CVSS: The numeric value that describes the CVSS score for the vulnerability, if detected.

Description: A description of the event.

Destination Host name: The destination host name.

Device Action: Describes the action that the point product took (the event was prevented, permitted, failed, successful, or denied).

Domain: The domain from which the data object originated.

Effects: The effects of malicious activity.

Event ending date: The date when the event ended.
■ Server Time - When the event occurs, the time zone of the server is considered for the event correlation.
■ Source Network Time Zone - When the event occurs, the time zone of the source network is considered for the event correlation.
■ Destination Network Time Zone - When the event occurs, the time zone of the destination network is considered for the event correlation.
If the time zone is not specified, by default the time zone of the server is considered for the event correlation.

Event Archive ID: The ID of the archive to which the event belongs (used in summarizers).

Event class ID: The possible values: symc_hdr_tkt_update_class or symc_hdr_task_update_class.

Event Count: The number of times that an event occurred to cause the event to be logged.

Event Date: The date when the event occurred.
■ Server Time - When the event occurs, the time zone of the server is considered for the event correlation.
■ Source Network Time Zone - When the event occurs, the time zone of the source network is considered for the event correlation.
■ Destination Network Time Zone - When the event occurs, the time zone of the destination network is considered for the event correlation.
If the time zone is not specified, by default the time zone of the server is considered for the event correlation.

Event Day: The day when the event occurred.
■ Server Time - When the event occurs, the time zone of the server is considered for the event correlation.
■ Source Network Time Zone - When the event occurs, the time zone of the source network is considered for the event correlation.
■ Destination Network Time Zone - When the event occurs, the time zone of the destination network is considered for the event correlation.
If the time zone is not specified, by default the time zone of the server is considered for the event correlation.

Event Type ID: The event type, such as Host Intrusion Event or Vulnerability Detected.

Host Domain: The domain of the computer on which the product is installed.

IP Destination Address: The IP address of the destination.

IP Destination Port: The port of the destination or target.

IP Source Address: The IP address of the source.

IP Source Port: The port address of the source.

Logged at: The location where the event was created.
■ Server Time - When the event occurs, the time zone of the server is considered for the event correlation.
■ Source Network Time Zone - When the event occurs, the time zone of the source network is considered for the event correlation.
■ Destination Network Time Zone - When the event occurs, the time zone of the destination network is considered for the event correlation.
If the time zone is not specified, by default the time zone of the server is considered for the event correlation.

Logging Device IP: The IP of the device that logged the event.

Logging Device Mac: The MAC of the device that logged the event.

Logging Device Name: The name of the device that logged the event.

Logging Device Numeric IP: The numeric IP of the device that logged the event.

Logging User: The account name that was used to log the event.

Mechanisms: The comma-separated integer values that represent the mechanism categorization.

Network Protocol: Contains a normalized protocol value. This field is populated by the developer based on mapping the value of nw_protocol or network_protocol_id to a standardized protocol identifier such as TCP, UDP, ICMP, IGMP, or ARP.

Network Traffic Direction: The direction of the network traffic, such as external, internal, inbound, outbound, or unknown.

Numeric IP Destination Address: The numeric IP of the destination address.

Numeric IP Source Address: The numeric IP of the source address.
The Information Manager organizational unit of the computer.
The Information Manager organizational unit of the computer.