Symantec™ Security
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Documentation version 1.0
Legal Notice
Copyright © 2007 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING,
PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation 20330 Stevens Creek Blvd. Cupertino, CA 95014 http://www.symantec.com
Technical Support
Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product feature and function. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.
Symantec’s maintenance offerings include the following:
■ A range of support options that give you the flexibility to select the right amount of service for any size organization
■ A telephone and web-based support that provides rapid response and up-to-the-minute information
■ Upgrade assurance that delivers automatic software upgrade protection
■ Global support that is available 24 hours a day, 7 days a week
■ Advanced features, including Account Management Services
For information about Symantec’s Maintenance Programs, you can visit our Web site at the following URL:
www.symantec.com/techsupp/
Contacting Technical Support
Customers with a current maintenance agreement may access Technical Support information at the following URL:
www.symantec.com/techsupp/
Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem.
When you contact Technical Support, please have the following information available:
■ Product release level
■ Hardware information
■ Available memory, disk space, and NIC information
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description:
■ Error messages and log files
■ Troubleshooting that was performed before contacting Symantec
■ Recent software configuration changes and network changes
Licensing and registration
If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:
www.symantec.com/techsupp/
Customer service
Customer service information is available at the following URL: www.symantec.com/techsupp/
Customer Service is available to assist with the following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information about product updates and upgrades
■ Information about upgrade assurance and maintenance contracts
■ Information about the Symantec Buying Programs
■ Advice about Symantec's technical support options
■ Nontechnical presales questions
Maintenance agreement resources
If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:
■ Asia-Pacific and Japan: [email protected]
■ Europe, Middle-East, and Africa: [email protected]
■ North America and Latin America: [email protected]
Additional Enterprise services
Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively. Enterprise services that are available include the following:
■ Symantec Early Warning Solutions: These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.
■ Managed Security Services: These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.
■ Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.
■ Educational Services: Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.
To access more information about Enterprise services, please visit our Web site at the following URL:
www.symantec.com
Contents
Chapter 1 Introducing Symantec Security Information Manager reporting
■ About Symantec Security Information Manager reporting
■ Components of Symantec Security Information Manager reporting
■ About Symantec Security Information Manager queries
■ About Symantec Security Information Manager reports
■ Where to get more information about Symantec Security Information Manager
Chapter 2 Understanding Symantec Security Information Manager queries
■ About the predefined System queries
■ What you can do with Symantec Security Information Manager queries
■ Using the query features
Chapter 3 Understanding Symantec Security Information Manager reports
■ About Symantec Security Information Manager reports
■ Using the report creation tools
■ Example: Creating a simple network health report
Chapter 4 System queries reference
■ System queries folder
■ All folder
■ Compliance Queries folder
■ Compliance Templates folder
■ Product Queries folder
■ SSIM folder
■ Security Queries folder
Chapter 1 Introducing Symantec Security Information Manager reporting
This chapter includes the following topics:
■ About Symantec Security Information Manager reporting
■ Components of Symantec Security Information Manager reporting
■ Where to get more information about Symantec Security Information Manager
About Symantec Security Information Manager reporting
Symantec Security Information Manager provides a rich set of query and reporting tools that allow you to collect and present data in a format that meets the needs of your organization. Queries are used to retrieve data from the system for viewing events, displaying information on the dashboard, and building reports. Reports are designed, previewed, and scheduled from the Information Manager console. Numerous predefined queries are provided with Information Manager that can help you get started with building your own queries and reports. The query and reporting features allow you to distill the data that Information Manager gathers into the pieces of information that are most important to you.
Components of Symantec Security Information Manager reporting
The key components of reporting are queries and reports. Queries are accessible from the Events tab in the system console. Reports are accessible from the Reports tab in the system console. Queries and reports are saved in the System directory under default top-level folders, which determine how the files can be used for reporting.
About Symantec Security Information Manager queries
Queries are used to retrieve data from the system for viewing events, displaying information on the dashboard, and building reports. Reports are designed, previewed, and scheduled from the Information Manager console. Numerous predefined queries are provided with Information Manager that can help you get started with building your own queries and reports.
For more information on working with queries, see the Symantec Security Information Manager Administrator's Guide or the Symantec Security Information Manager User's Guide.
About the query folders
Information Manager includes the following groups of queries:
■ My Queries: A folder in the directory where custom queries are saved. These queries are only accessible by the user who created the query. Queries saved as My Queries can be used in the user dashboard or My Reports.
■ Published Queries: A folder in the directory where custom queries can be saved and shared. These queries are accessible by all system users. Queries saved as Published Queries can be used in the dashboard or Published Reports.
■ System Queries: A folder in the directory where predefined queries that are distributed with Information Manager are stored. These queries are accessible by all system users, but cannot be modified. System Queries can be used as templates for custom queries that are saved as My Queries or Published Queries in the directory. The System Queries provided are grouped into sub-folders by topics of interest such as by product, compliance, or security.
About Symantec Security Information Manager reports
The Information Manager console includes an interface to design, preview, and distribute reports. You can create reports by inserting queries, graphics, and specifying other elements in a report template. For example, you could setup custom headers and footers, add your company logo, specify the report color scheme, select fonts, and so forth. The default, top-level folders are My Reports and Published Reports.
About the Reports folders
Information Manager includes the following groups of reports:
■ My Reports: A folder in the directory where custom reports can be saved. These reports are only accessible by the user who created the report. Queries saved as My Queries, Published Queries, and System Queries can be used in reports saved as My Reports.
■ Published Reports: A folder in the directory where custom reports can be saved and shared. These reports are accessible by all system users. Queries saved as Published Queries or System Queries can be used in reports saved as Published Reports.
Where to get more information about Symantec Security Information Manager
This guide provides an overview of the query and report creation features of Information Manager as well as a query reference to facilitate customization. For more details, including step-by-step instructions on how to use the query and report features that are available in the Information Manager console, see the following:
■ Symantec Security Information Manager User's Guide
■ Symantec Security Information Manager Administrator's Guide
Chapter 2 Understanding Symantec Security Information Manager queries
This chapter includes the following topics:
■ About the predefined System queries
■ What you can do with Symantec Security Information Manager queries
About the predefined System queries
In the Information Manager console, on the Events page, the System Queries folder contains numerous predefined queries that you can use as query templates. Use these templates to create customized queries that are suitable for your environment.
Note: You cannot edit a query in the System Queries folder. You must first move the query to the My Queries folder by either exporting and then importing the query into the My Queries folder, or dragging and dropping the query into that folder. You can also edit queries in the Published Queries folder.
Figure 2-1 My Queries folder
Table 2-1 shows how the queries are organized within the System Queries folder and describes each query group.
Table 2-1 Predefined query groups
Query group | Description
All | This general category currently contains only one query: Event Counts by Severity Last 7 Days.
Compliance Queries | This group contains subgroups of queries, one subgroup for each regulatory standard. Many of these subgroups are divided into further subcategories of compliance types.
Compliance Templates | This group contains event queries that you can use to meet your organization's compliance needs. Premium collectors populate these queries with data. Compliance products do not populate these queries.
Product Queries | This group contains subgroups of queries for the most common collectors, for example, Symantec Client Security.
SSIM | These queries are specific to Information Manager, and they are organized into product function subgroups. For example, the Incidents subgroup contains queries that let you examine incident activity that is sorted in various ways.
Security Queries | This group contains event queries, which are grouped by the device types that report the events, for example, intrusion devices.
In many cases, the predefined queries require editing to meet your needs. To edit a query in the My Queries folder, you can right-click the query and select Edit Query... to change the properties for that query. For example, the default time range in a query may be the previous 7 days. If you want the query to display data for the previous 30 days, you can edit the query to meet your requirements. Query names must contain only alphanumeric characters. Because some predefined query names contain non-alphanumeric characters, you must edit these query names before you can import them into My Queries or Published Queries. To edit a query name, export the query, then open the QML file in a text editor such as Wordpad. Edit the filename in the line called <query_filename>. Then import the query file into the desired query folder.
For more information, see the Symantec Security Information Manager Administrator's Guide or the Symantec Security Information Manager User's Guide.
What you can do with Symantec Security Information Manager queries
The queries that Symantec Security Information Manager provides include hundreds of preconfigured, customizable queries and templates that can be used to analyze business aspects such as compliance and risk management. The queries return data in a meaningful, concise, and customizable format that can be viewed from the Information Manager dashboard, dropped into a report, and distributed.
Using the query features
The query functions that Information Manager provides include hundreds of preconfigured queries that can be customized to aggregate and filter data. Symantec Security Information Manager uses a combination of SQL and custom language to gather and filter relevant data.
Using the data querying tools that Information Manager provides, you can perform tasks such as the following:
■ Use many of the preconfigured queries without a need to customize the settings.
■ Customize an existing query by dropping it into the My Queries folder and changing the parameters.
■ Use the Query Wizard to create a new query that focuses on the data fields and settings you choose. The Query Wizard can be used to create a query that returns event or summary data, or it can be used to create a new query using SQL.
■ Import and export queries that can be saved or shared.
■ Publish queries to other Information Manager users.
■ Organize queries into query groups that are relevant to your organization.
■ Change the appearance of the query results by changing the chart properties.
For more information on working with queries, see the Symantec Security Information Manager Administrator's Guide.
Chapter 3 Understanding Symantec Security Information Manager reports
This chapter includes the following topics:
■ About Symantec Security Information Manager reports
■ Using the report creation tools
About Symantec Security Information Manager reports
Symantec Security Information Manager provides a rich set of report creation tools that allow you to represent multiple, related sets of query data in the format you choose. To create a report, you can use the Information Manager reports page to assemble the data that you want to present, and format the document to meet your company standards. A report can be as simple as a single query with no formatting, or as complex as dozens of queries that are wrapped in a branded, organized format.
Using the reports features, you can create reports by inserting queries, graphics, and other elements in a report template. Examples of customizations include the ability to add graphics such as your company brand, add custom header and footer information, create a specific color scheme, select fonts, and so forth.
Figure 3-1 Reports Design view
After you have created a report, you can share the report format with other users by publishing it. By default, a report is private in the Information Manager interface, meaning that it is only visible to the user that created it. Publishing a report places the report in the Published Reports folder, which makes it available to other Information Manager users.
After a report has been placed in the Published Reports folder, you can use the features on the Distribute tab to schedule and send a report to the recipients you specify. To distribute the report, you can schedule it for email delivery to specified recipients. You can also export the report as an .RML file, which can then be distributed for import by another user or saved as a backup copy.
Figure 3-2 Reports Distribute view
The flexibility of the reports feature provides a means to create customized reports that describe multiple sets of data in a single document. Most organizations employ a combination of query information to determine the overall state of the network. For example, an auditor may need to see a report that describes both the number of computers that are compliant with specific PCI regulations and the vulnerability data for those computers. Using the reporting tools provided, Information Manager reports can be customized to reflect a meaningful correlation of that data in a custom report.
For more information on working with reports, see the Symantec Security Information Manager Administrator's Guide or the Symantec Security Information Manager User's Guide.
Using the report creation tools
Using the completely customizable report creation tools that Information Manager provides, you can create concise reports that represent security data in an understandable format. Using queries to populate an Information Manager report, you can create any report that you need, from compliance reports that are branded with your company logo to risk management reports that summarize the most important security risks on the network.
The Reports tab in the Information Manager console allows you to design, preview, save, and distribute reports that you create. A report can be as simple as a single query dropped onto a page, or as complex as a full-featured report that includes the company brand, relevant contextual information, and multiple queries that are within the scope of the report.
For more information on working with the report creation features, see About Symantec Security Information Manager reports.
Example: Creating a simple network health report
The following example describes a real-world situation for which the Information Manager query and reporting features can be effectively used.
In the scenario, the security administrator must compile a series of reports that describe the overall health of the network.
Identify the requirements
As part of the request from management, the security administrator must compile a report from Information Manager that includes visual representations of the following:
■ Top 10 viruses
■ Top 20 security threats
■ Viruses detected
■ Email viruses
■ Most vulnerable computers in the enterprise
■ Times of day that firewalls are under the most stress
Divide the requirements into logical groups
The data for each item in the request can be acquired using the queries that are available in the Information Manager console. By analyzing the requirements, the security administrator divides the list into the following categories:
■ Antivirus queries
■ Vulnerability data queries
■ Firewall data queries
■ Intrusion detection (IDS) queries
Identify and customize the applicable queries in Information Manager
Information Manager provides queries that supply the data that is needed. Each of the queries is fully customizable. In this case, the security administrator adjusts the following settings where necessary:
■ Time range
■ Visual representation of data
■ Filter based on specific product
To adjust the queries, the security administrator moves each query to the My Queries folder and adjusts the parameters. To move a query to the My Queries folder, in the left pane of the Events page, drag and drop the query from the System Queries folder to the My Queries folder.
In this case, the security administrator creates a custom subfolder named Sample network health queries in the My Queries folder, and stores the copy of each query in this subfolder.
Figure 3-3 Sample network health queries custom folder
For example, the security administrator decides to edit the presentation of the Top 10 Virus query. After the Top 10 Virus query is moved into the Critical reports subfolder, the security administrator right-clicks the query and chooses Edit Query....
Figure 3-4 Choosing Edit Query from the right-click menu
In the Edit Event Query dialog box, the Filter Criteria tab shows that the query is configured to use data from the last 30 days, and it is based on the Event Type ID equalling Virus. The security administrator decides that these parameters meet the requirements for this report.
In the Edit Event Query dialog box, on the Chart Properties tab, the security administrator decides to change the visual properties of the data. The security administrator customizes the title and changes the Chart Type to Pie.
Figure 3-5 Chart properties view
For each query that is used, the security administrator repeats these steps depending on the parameters and visual options that are most effective.
Prepare the report
After the queries have been customized, the security administrator creates the report. To create the report the security administrator does the following:
■ In the Reports pane, create a new report.
■ Insert the queries in the preferred display order.
■ Customize the header and footer.
■ Adjust the query display elements, such as the column width that is used in each table and the colors that are used in each chart.
■ Preview the report to verify that the output is what is expected.
Figure 3-6 Reports Preview view
Distribute the report
After the security administrator has configured the report with the desired queries and customizations, the report is distributed. To distribute the report, the security administrator does the following:
■ Set the distribution methods.
■ Save the report.
Figure 3-7 Reports Distribute view
Chapter 4 System queries reference
This chapter includes the following topics:
■ System queries folder
■ Top N queries
■ Custom SQL queries
■ Summary queries
System queries folder
The tables in this section provide detailed information about the system queries. This information will be helpful as you decide which queries you want to adapt for your own use.
Note: The tables in this section describe the queries that are available with the current release of Symantec Security Information Manager, including the most recent updates. If you do not see some of these queries in the console, you may not have the most recent updates installed. You may need to run additional scripts to access all of the queries, such as the compliance queries. For more information, see the Readme documentation that is included with the most recent update.
The tables describe the queries in each subfolder under System Queries. In addition, there are specialized tables for several types of queries:
■ Top N: Each query that contains Top N in the Type column also has an entry in Table 4-12, which shows the field that is substituted for N in the query.
■ Custom SQL: Each query that contains Custom SQL in the Type column also has an entry in Table 4-13, which shows the database table that the query uses.
■ Summary: Each query that contains Summary in the Type column also has an entry in Table 4-14, which shows the summary table that the query uses.
Note: The time range of some queries is expressed in relative seconds. For example, a value of R 86400 equals relative 86400 seconds, or 1 day (24 hours).
All folder
Table 4-1 describes the contents of the All folder.
Table 4-1 All folder
Query name | Type | Display type | Time range | Qualifications
Event Counts by Severity Last 7 Days | custom SQL / Top N | bar chart | Current -7 days | not applicable
Compliance Queries folder
The Compliance Queries folder contains subgroups of queries, one subgroup for each regulatory standard. Many of these subgroups are divided into further subcategories of compliance types.
FISMA queries in the Compliance Queries folder
Table 4-2 describes the contents of the FISMA subfolder. The time range column sometimes contains the letter R followed by a number. This value represents the duration of the query as a relative number of seconds. For example, a value of R 86400 equals relative 86400 seconds, or 1 day (24 hours).
Table 4-2 FISMA queries in the Compliance Queries folder
Query name | Subfolder | Type | Display type | Time range | Qualifications
Administrative Access to Systems | FISMA | archive | table | R 86400 | Event Code = 733, 39770, or Windows username = Administrator and product id = 3105
Application Access | FISMA | archive | table | R 86400 | Event Code = 39747 or 39748
Audit Policy Changes | FISMA | archive | table | R 86400 | Event Code = 1525
Disabled Accounts | FISMA | archive | table | R 86400 | Event Code = 2894
File and Directory Access | FISMA | archive | table | R 86400 | Event Code = 765, 38765, 38768, 38676, 3788, 3789, 3790, 3791, 3792, 20280, 11501, 12985, 1560, 38845
Logon Failures | FISMA | archive | table | R 86400 | event id = 512004 or Event Code = 707, 645, 708, 785, 779, 1535, 3988, 2708, 39768, 1246, 3237, 12780 OR intrusion_action = 1037213 and intrusion outcome = 1027204, OR event_detail_id = 747201 or 517219 or 517226 OR event_id = 512007
User Account Management Changes | FISMA | archive | table | R 86400 | Event Code = 44111, 719, 762, 757, 2322, 2894, 758, 759, 1559, 38765, 771, 38766, 1553 OR event_class = 1071000 and target_resource = /People/ and event_id is not 1072000 or 1072001
User Logins | FISMA | archive | table | R 86400 | event id = 1072000, or Event Code = 2931, 3708, 3960, 38755, 41543, 40574, 11357, 777, 10532, 733, 623, 3103, 3733, 10423, 1564, 3105, 12775, or 4466
User Logouts | FISMA | archive | table | R 86400 | vendor code = Security:538, event id = 1072001, or Event Code = 720, or intrusion action = 1037214
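As an added illustration that is not part of the Symantec documentation, the following Python code shows how an "R 86400" time range and the Administrative Access to Systems qualification from Table 4-2 combine to select events. The event field names, the constructed event records and the reading of "or ... and" as (code match) OR (username AND product) are assumptions; the product's actual query engine is not shown in this guide.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real product data). Field names are assumed
# to mirror the columns named in the qualification text of Table 4-2.
EVENTS = [
    {"time": "2007-06-01T09:00:00Z", "event_code": 733,
     "windows_username": "jsmith", "product_id": 3105},
    {"time": "2007-06-01T10:30:00Z", "event_code": 4466,
     "windows_username": "Administrator", "product_id": 3105},
    {"time": "2007-06-01T11:00:00Z", "event_code": 4466,
     "windows_username": "Administrator", "product_id": 3000},
    {"time": "2007-05-30T08:00:00Z", "event_code": 39770,
     "windows_username": "jsmith", "product_id": 3105},  # older than 1 day
]

# Fixed "now" so the example is reproducible offline (constructed value).
NOW = datetime(2007, 6, 1, 12, 0, tzinfo=timezone.utc)


def relative_seconds(time_range: str) -> int:
    """Parse a relative time range such as 'R 86400' into seconds.

    Raises ValueError for non-relative ranges such as 'Current -7 days'.
    """
    label, _, value = time_range.strip().partition(" ")
    if label != "R" or not value.strip().isdigit():
        raise ValueError(f"not a relative time range: {time_range!r}")
    return int(value)


def in_window(event: dict, now: datetime, time_range: str) -> bool:
    """True when the event time lies within the last <time_range> seconds."""
    start = now - timedelta(seconds=relative_seconds(time_range))
    ts = datetime.fromisoformat(event["time"].replace("Z", "+00:00"))
    return start <= ts <= now


def admin_access(event: dict) -> bool:
    """Qualification 'Event Code = 733, 39770, or Windows username =
    Administrator and product id = 3105', read (assumption) as
    code in {733, 39770} OR (username == Administrator AND product == 3105)."""
    return event["event_code"] in (733, 39770) or (
        event["windows_username"] == "Administrator"
        and event["product_id"] == 3105
    )


def run_query(events, now, time_range="R 86400", qualification=admin_access):
    """Apply the time window first, then the qualification, like the table row."""
    return [e for e in events
            if in_window(e, now, time_range) and qualification(e)]


def example_results():
    """Events selected from the constructed sample at the fixed NOW."""
    return run_query(EVENTS, NOW)


if __name__ == "__main__":
    for e in example_results():
        print(e)
```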
GLBA queries in the Compliance Queries folder
Table 4-3 describes the contents of the GLBA subfolder. The time range column sometimes contains the letter R followed by a number. This value represents the duration of the query as a relative number of seconds. For example, a value of R 86400 equals relative 86400 seconds, or 1 day (24 hours).
Table 4-3 GLBA queries in the Compliance Queries folder
Query name | Subfolder | Type | Display type | Time range | Qualifications
Logon Failures | GLBA | archive | table | R 86400 | event id = 512004 or Event Code = 707, 645, 708, 785, 779, 1535, 3988, 2708, 39768, 1246, 3237, 12780 OR intrusion_action = 1037213 and intrusion outcome = 1027204, OR event_detail_id = 747201 or 517219 or 517226 OR event_id = 512007
User Logoff | GLBA | archive | table | R 86400 | event id = 1072000, or Event Code = 2931, 3708, 3960, 38755, 41543, 40574, 11357, 777, 10532, 733, 623, 3103, 3733, 10423, 1564, 3105, 12775, or 4466
User Logon | GLBA | archive | table | R 86400 | vendor code = Security:538, event id = 1072001, or Event Code = 720, or intrusion action = 1037214
HIPAA queries in the Compliance Queries folder
Table 4-4 describes the contents of the HIPAA subfolder. The time range column sometimes contains the letter R followed by a number. This value represents the duration of the query as a relative number of seconds. For example, a value of R 86400 equals relative 86400 seconds, or 1 day (24 hours).
Table 4-4 HIPAA queries in the Compliance Queries folder
Query name | Subfolder | Type | Display type | Time range | Qualifications
Open Incident Aging | HIPAA > Administrative Safeguards | customsql | table | all | status <> 2
Closed Incidents by Disposition | HIPAA > Administrative Safeguards | customsql | table | N/A | WHERE STATUS = 2
Open vs Closed Incident Count by Creation Date Last 7 Days | HIPAA > Administrative Safeguards | customsql | table | creation_time >= (current timestamp - 7 DAYS) | case when status = 0 or status = 1 or status = 2
Opened Incident Count by Creation Date | HIPAA > Administrative Safeguards | customsql | table | creation_time >= (current timestamp - 7 DAYS) | case when status = 0 or status = 1
Account Information Compliance Failed | HIPAA | archive | table | R 86400 | Compliance status id 1937201 and Event Code = 42488, 41456
Account Integrity Compliance Failed | HIPAA | archive | table | R 86400 | Compliance status id 1937201 and Event Code = 41457
Audit Logs Access | HIPAA | archive | table | R 86400 | Event Code = 38764 or 39628
Configuration and Policy Changes | HIPAA | archive | table | R 86400 | Event Code = 1525
Configuration and Policy Changes on Windows | HIPAA | archive | table | R 86400 | Vendor signature = Security:612
File Attributes and Watch Compliance Failed | HIPAA | archive | table | R 86400 | compliance status = 1937201 and Event Code = 41461 or 41708
Logon Failures | HIPAA | archive | table | R 86400 | event id = 512004 or Event Code = 707, 645, 708, 785, 779, 1535, 3988, 2708, 39768, 1246, 3237, 12780 OR intrusion_action = 1037213 and intrusion outcome = 1027204, OR event_detail_id = 747201 or 517219 or 517226 OR event_id = 512007
Network Integrity and Complexity Compliance Failed | HIPAA | archive | table | R 86400 | Event Code = 42476, 42485, 42493, 42536 and compliance status = 1937201
OS Patches Compliance Failed | HIPAA | archive | table | R 86400 | Event Code = 41467 and compliance status = 1937201
Object Access | HIPAA | archive | table | R 86400 | event id = 302004, 302002, 302003, 302004, 302005, 1072012, 1072008, 1072010, 1072009, 1072011 OR Event Code = 39745, 39744, 39746, 39743
Password Changes | HIPAA | archive | table | R 86400 | Event Code = 718
Privilege Use | HIPAA | archive | table | R 86400 | Event Code = 733, 734, 39770, 42823, 41543, 10560 684 or product = 3105 and windows user = administrator
Strong Authentication and Password Policy Compliance Failed | HIPAA | archive | table | R 86400 | Event Code = 41460, 41454 or 42491 and compliance status = 1937201
System Auditing Compliance Failed | HIPAA | archive | table | R 86400 | Event Code = 41455 and compliance status = 1937201
User Logins | HIPAA | archive | table | R 86400 | event id = 1072000, or Event Code = 2931, 3708, 3960, 38755, 41543, 40574, 11357, 777, 10532, 733, 623, 3103, 3733, 10423, 1564, 3105, 12775, or 4466
User Logouts | HIPAA | archive | table | R 86400 | vendor code = Security:538, event id = 1072001, or Event Code = 720, or intrusion action = 1037214
ISO17799 queries in the Compliance Queries folder
Table 4-5 describes the contents of the ISO17799 subfolder. The Time range column sometimes contains the letter R followed by a number. This value is the duration of the query as a relative number of seconds. For example, a value of R 86400 equals relative 86400 seconds, or 1 day (24 hours).
Table 4-5 ISO17799 queries in the Compliance Queries folder
Type | Display type | Time range | Qualifications | Query name | Subfolder
archive | table | R 86400 | Event Code = 733, 39770, or Windows username = Administrator and product id = 3105 | Administrative Access to Systems | ISO17799
archive | table | R 86400 | Event Code = 2894 | Disabled Accounts | ISO17799
archive | table | R 86400 | event id = 512004 or Event Code = 707, 645, 708, 785, 779, 1535, 3988, 2708, 39768, 1246, 3237, 12780 OR intrusion_action = 1037213 and intrusion outcome = 1027204, OR event_detail_id=747201 or 517219 or 517226 OR event_id = 512007 | Logon Failures | ISO17799
PCI queries in the Compliance Queries folder
Table 4-6 describes the contents of the PCI subfolder. The Time range column sometimes contains the letter R followed by a number. This value is the duration of the query as a relative number of seconds. For example, a value of R 86400 equals relative 86400 seconds, or 1 day (24 hours).
Table 4-6 PCI queries in the Compliance Queries folder
Type | Display type | Time range | Qualifications | Query name | Subfolder
archive | table | R 86400 | event id = 122001 | All Security Risk Events | PCI > Antivirus Management
Summarizer | table | R 86400 | event_id=122000 | All Virus Events per Hour | PCI > Antivirus Management
archive | table | R 86400 | Event Code = 3825 | Antivirus Disabled | PCI > Antivirus Management
customsql | table | CURRENT TIMESTAMP - 30 DAYS | event_id=92004 | Daily Virus Definitions Successful Last 30 Days | PCI > Antivirus Management
Summarizer | table | R 86400 | event id = 122001 or 122000 | Infected Computers per Hour | PCI > Antivirus Management
archive | chart | R 86400 | event type = 122001 | Top 15 Users Triggering Security Risks Last 7 Days | PCI > Antivirus Management
archive | chart | R 86400 | event type = 122000 | Top 15 Users Triggering Viruses Last 7 Days | PCI > Antivirus Management
customsql | table | R 86400 | count(PRODUCT_VERSION) as "Total Client Count" | Total Client AV Version Count | PCI > Antivirus Management
customsql | table | >= CURRENT TIMESTAMP - 1 DAY | event_id=92004 | Virus Definition Updates Per Hour | PCI > Antivirus Management
archive | table | R 86400 | source port = 443 or destination port = 443 or destination service = HTTPS AND event id = 512000 or 912001 | HTTPS Connections | PCI > Encrypt Transmissions
archive | table | R 86400 | Event Code = 42536 | Network Traffic Encryption Compliance Checks | PCI > Encrypt Transmissions
archive | table | R 86400 | Event Code = 42536 and compliance status = 1937201 | Network Traffic Encryption Compliance Failed | PCI > Encrypt Transmissions
archive | table | R 86400 | event id = 742000 | VPN Client Connections Accepted During the Day | PCI > Encrypt Transmissions
archive | table | R 86400 | event_id=742001 | VPN Client Connections Failed During the Day | PCI > Encrypt Transmissions
archive | table | R 28800 | event id = 512002 or 512001 | Dropped or Denied Connections | PCI > Maintain Firewall
archive | table | R 86400 | Event Code = 40786 or 3969 | Firewall Alerts or Failures | PCI > Maintain Firewall
archive | table | R 86400 | Event Code = 3974 or 3964 | Firewall Configuration Changes | PCI > Maintain Firewall
Summarizer | table | R 86400 | event id = 512004 | Firewall Failed Authentication Events Hourly Tally | PCI > Maintain Firewall
archive | table | R 86400 | event id = 512008 | Firewall Intrusion Detection Events | PCI > Maintain Firewall
Summarizer | table | R 86400 | event id = 512003 | Firewall Successful Authentication Events Hourly Tally | PCI > Maintain Firewall
archive | table | R 86400 | Event Code = 42491 or 42486 | Information Security Policy Compliance Checks | PCI > Maintain Information Security Policy
archive | table | R 86400 | Event Code = 42491 or 42486 AND 1937201 | Information Security Policy Compliance Failed | PCI > Maintain Information Security Policy
archive | table | R 86400 | Event Code = 42916, 42915, or 42914 | Security Device Policy Modifications | PCI > Maintain Information Security Policy
archive | table | R 86400 | Event Code = 733, 39770, or Windows username = Administrator and product id = 3105 | Administrative Access to Systems | PCI > Protect Stored Data
archive | table | R 86400 | Event Code = 42891 | Database Configuration Change Compliance Checks | PCI > Protect Stored Data
archive | table | R 86400 | Event Code = 42891 and compliance status id = 1937201 | Database Configuration Change Compliance Failed | PCI > Protect Stored Data
archive | table | R 86400 | product 3214 or 3234 or 3213 or 3229 or 3282 and intrusion_action=1037213 and intrusion_outcome=1027204 | Database Failed Logins | PCI > Protect Stored Data
archive | chart | R 86400 | product 3214 or 3234 or 3213 or 3229 or 3282 and intrusion_action=1037213 and intrusion_outcome=1027204 | Database Failed Logins Top 5 Destination Hosts | PCI > Protect Stored Data
archive | chart | R 86400 | product 3214 or 3234 or 3213 or 3229 or 3282 and intrusion_action=1037213 and intrusion_outcome=1027204 | Database Failed Logins Top 5 Usernames | PCI > Protect Stored Data
archive | table | R 86400 | Event Code = 3587 | Database Rights Granted | PCI > Protect Stored Data
archive | table | R 86400 | product 3214 or 3234 or 3213 or 3229 or 3282 and intrusion_action=1037213 and intrusion_outcome=1027203 | Database Successful Logins | PCI > Protect Stored Data
archive | chart | R 86400 | product 3214 or 3234 or 3213 or 3229 or 3282 and intrusion_action=1037213 and intrusion_outcome=1027203 | Database Successful Logins Top 5 Destination Hosts | PCI > Protect Stored Data
archive | chart | R 86400 | product 3214 or 3234 or 3213 or 3229 or 3282 and intrusion_action=1037213 and intrusion_outcome=1027203 | Database Successful Logins Top 5 Usernames | PCI > Protect Stored Data
archive | table | R 86400 | product 3214 or 3234 or 3213 or 3229 and Event Code = 722 | Database Users Added | PCI > Protect Stored Data
archive | table | R 86400 | product 3214 or 3234 or 3213 or 3229 and Event Code = 758 OR vendor signature = DROP USER | Database Users Removed | PCI > Protect Stored Data
archive | table | R 86400 | event id = 512004 OR vendor code = Security:529, Security:530, Security:531, Security:532, Security:533, Security:534, Security:535, Security:536, Security:537, Security:539, Security:675, Security:676, Security:681 AND intrusion action = 1037213 and intrusion outcome = 1027204 | Failed Logins | PCI > Protect Stored Data
archive | chart | R 86400 | event id = 512004 OR vendor code = Security:529, Security:530, Security:531, Security:532, Security:533, Security:534, Security:535, Security:536, Security:537, Security:539, Security:675, Security:676, Security:681 AND intrusion action = 1037213 and intrusion outcome = 1027204 | Failed Logins Top 5 Destination Hosts | PCI > Protect Stored Data
archive | chart | R 86400 | event id = 512004 OR vendor code = Security:529, Security:530, Security:531, Security:532, Security:533, Security:534, Security:535, Security:536, Security:537, Security:539, Security:675, Security:676, Security:681 AND intrusion action = 1037213 and intrusion outcome = 1027204 | Failed Logins Top 5 Usernames | PCI > Protect Stored Data
archive | table | R 86400 | Event Code = 41460, 41454 or 42491 | Strong Authentication and Password Policy Compliance Checks | PCI > Protect Stored Data
archive | table | R 86400 | Event Code = 41460, 41454 or 42491 and compliance status = 1937201 | Strong Authentication and Password Policy Compliance Failed | PCI > Protect Stored Data
archive | table | R 86400 | Event Code = 41389, 43104 or 3518 | Suspicious Database Traffic Events | PCI > Protect Stored Data
archive | table | R 86400 | Event type id 1932001 | Compliance Scan Conclusion Events | PCI > Regularly Test Security Systems and Processes
customsql | table | current timestamp - 7 days | N/A | Incident Overview For Last Week | PCI > Regularly Test Security Systems and Processes
customsql | table | current timestamp - 7 days | status as "Status" | Incidents Created Over Past Week | PCI > Regularly Test Security Systems and Processes
customsql | table | date(creation_time + current timezone) = current date | N/A | Incidents Created Today | PCI > Regularly Test Security Systems and Processes
customsql | table | N/A | CVE_ID | Most Detected CVE Codes | PCI > Regularly Test Security Systems and Processes
customsql | table | N/A | VULNERABILITY_ID | Most Detected Vulnerability Codes | PCI > Regularly Test Security Systems and Processes
customsql | table | all | status <> 2 | Open Incident Aging | PCI > Regularly Test Security Systems and Processes
customsql | table | all | status <> 2 | Open Incident Aging by Assignee Table | PCI > Regularly Test Security Systems and Processes
customsql | table | R 86400 | severity >= 1 and status < 2 | Open Incidents By Assignee | PCI > Regularly Test Security Systems and Processes
customsql | table | DATE(CREATION_TIME + CURRENT TIMEZONE) = CURRENT_DATE | when status = 0 or status = 1 or status = 2 | Open and Closed Incidents For Assignee Today | PCI > Regularly Test Security Systems and Processes
customsql | table | creation_time >= (current timestamp - 7 DAYS) | case when status = 0 or status = 1 or status = 2 | Open vs Closed Incident Count by Creation Date Last 7 Days | PCI > Regularly Test Security Systems and Processes
archive | table | R 86400 | eventclass = 1081000, 1081001 or 1081002 | Recent Events Vulnerability | PCI > Regularly Test Security Systems and Processes
customsql | table | CREATED_TIME >= (current timestamp - 1 Days) | CLOSED_TIME IS NOT NULL | Time to Resolve Incidents Over Last Day | PCI > Regularly Test Security Systems and Processes
archive | table | R 86400 | event_id=1082002 | Vulnerability Scans Commenced | PCI > Regularly Test Security Systems and Processes
archive | table | R 86400 | product 3218. Event Code 3988 or 785 or 43144 or 785 | Access Control Device Denied Events | PCI > Restrict Access to Data
archive | table | R 86400 | event id = 512004 OR vendor code = Security:529, Security:530, Security:531, Security:532, Security:533, Security:534, Security:535, Security:536, Security:537, Security:539, Security:675, Security:676, Security:681 AND intrusion action = 1037213 and intrusion outcome = 1027204 | Failed Logins | PCI > Restrict Access to Data
archive | chart | R 86400 | event id = 512004 OR vendor code = Security:529, Security:530, Security:531, Security:532, Security:533, Security:534, Security:535, Security:536, Security:537, Security:539, Security:675, Security:676, Security:681 AND intrusion action = 1037213 and intrusion outcome = 1027204 | Failed Logins Top 5 Destination Hosts | PCI > Restrict Access to Data
archive | chart | R 86400 | event id = 512004 OR vendor code = Security:529, Security:530, Security:531, Security:532, Security:533, Security:534, Security:535, Security:536, Security:537, Security:539, Security:675, Security:676, Security:681 AND intrusion action = 1037213 and intrusion outcome = 1027204 | Failed Logins Top 5 Usernames | PCI > Restrict Access to Data
archive | table | R 86400 | Event Code = 41496 | File Ownership and Permissions Compliance Checks | PCI > Restrict Access to Data
archive | table | R 86400 | Event Code = 41496 and compliance status id = 1937201 | File Ownership and Permissions Compliance Failed | PCI > Restrict Access to Data
archive | table | R 86400 | product=3248 and vendor signature = Object creation | Monitored System Object Created | PCI > Restrict Access to Data
archive | table | R 86400 | product=3248 and vendor signature = Object deleting or Deleted Element | Monitored System Object Deleted | PCI > Restrict Access to Data
archive | table | R 86400 | product=3248 and vendor signature = Object changed or Object modification | Monitored System Object Modified | PCI > Restrict Access to Data
archive | table | R 86400 | Event Code = 42488 | Privileged Account Review Compliance Checks | PCI > Restrict Access to Data
archive | table | R 86400 | Event Code = 42488 and compliance status = 1937201 | Privileged Account Review Compliance Failed | PCI > Restrict Access to Data
archive | table | R 86400 | event id = 512003 or 302006, OR Event Code = 1564, 3733, 3105 OR intrusion action = 1037213 and intrusion outcome = 1027203 | Successful Logins | PCI > Restrict Access to Data
archive | chart | R 86400 | event id = 512003 or 302006, OR Event Code = 1564, 3733, 3105 OR intrusion action = 1037213 and intrusion outcome = 1027203 | Successful Logins Top 5 Destination Hosts | PCI > Restrict Access to Data
archive | chart | R 86400 | event id = 512003 or 302006, OR Event Code = 1564, 3733, 3105 OR intrusion action = 1037213 and intrusion outcome = 1027203 | Successful Logins Top 5 Usernames | PCI > Restrict Access to Data
archive | table | R 86400 | Event Code = 41462 | System Access Restrictions Compliance Checks | PCI > Restrict Access to Data
archive | table | R 86400 | Event Code = 41462 and compliance status = 1937201 | System Access Restrictions Compliance Failed | PCI > Restrict Access to Data
archive | table | R 86400 | Event Code = 42476 | Network Access Control Protection Compliance Checks | PCI > Restrict Physical Access
archive | table | R 86400 | Event Code = 42476 and compliance status = 1937201 | Network Access Control Protection Compliance Failed | PCI > Restrict Physical Access
customsql | table | N/A | CVE_ID | Most Detected CVE Codes | PCI > Secure Systems and Applications
customsql | table | N/A | VULNERABILITY_ID | Most Detected Vulnerability Codes | PCI > Secure Systems and Applications
archive | table | R 86400 | Event Code = 41467 | OS Patches Compliance Checks | PCI > Secure Systems and Applications
archive | table | R 86400 | Event Code = 41467 and compliance status = 1937201 | OS Patches Compliance Failed | PCI > Secure Systems and Applications
archive | table | R 86400 | event id = 2012000 or 2012002 | Patch Management Events | PCI > Secure Systems and Applications
archive | table | R 86400 | event id = 2012002 | Patches Deployed | PCI > Secure Systems and Applications
customsql | table | R 86400 | count cve, vulnerability on CIA | Systems Most Vulnerable to Attack | PCI > Secure Systems and Applications
archive | table | R 86400 | event type = 2012000 | Systems Not Patched | PCI > Secure Systems and Applications
archive | table | R 86400 | Event Code = 42474, 42386, 42485 | Access Logging and Monitoring Compliance Checks | PCI > Track and Monitor All Access
archive | table | R 86400 | Compliance status id 1937201 and Event Code = 42474, 42386, 42485 | Access Logging and Monitoring Compliance Failed | PCI > Track and Monitor All Access
archive | table | R 86400 | Event Code = 733, 39770, or Windows username = Administrator and product id = 3105 | Administrative Access to Systems | PCI > Track and Monitor All Access
archive | table | R 86400 | Event Code = 38764 or 39628 | Audit Logs Access | PCI > Track and Monitor All Access
archive | table | R 86400 | event id = 512004 OR vendor code = Security:529, Security:530, Security:531, Security:532, Security:533, Security:534, Security:535, Security:536, Security:537, Security:539, Security:675, Security:676, Security:681 AND intrusion action = 1037213 and intrusion outcome = 1027204 | Failed Logins | PCI > Track and Monitor All Access
archive | chart | R 86400 | event id = 512004 OR vendor code = Security:529, Security:530, Security:531, Security:532, Security:533, Security:534, Security:535, Security:536, Security:537, Security:539, Security:675, Security:676, Security:681 AND intrusion action = 1037213 and intrusion outcome = 1027204 | Failed Logins Top 5 Destination Hosts | PCI > Track and Monitor All Access
archive | chart | R 86400 | event id = 512004 OR vendor code = Security:529, Security:530, Security:531, Security:532, Security:533, Security:534, Security:535, Security:536, Security:537, Security:539, Security:675, Security:676, Security:681 AND intrusion action = 1037213 and intrusion outcome = 1027204 | Failed Logins Top 5 Usernames | PCI > Track and Monitor All Access
customsql | table | CREATION_TIME >= (current timestamp - 30 DAYS) | INCIDENT_TYPE_ID = 'Invalid Event Date Alert' | Sensor Invalid Timestamp Incidents | PCI > Track and Monitor All Access
archive | table | R 86400 | event id = 512003 or 302006, OR Event Code = 1564, 3733, 3105 OR intrusion action = 1037213 and intrusion outcome = 1027203 | Successful Logins | PCI > Track and Monitor All Access
archive | chart | R 86400 | event id = 512003 or 302006, OR Event Code = 1564, 3733, 3105 OR intrusion action = 1037213 and intrusion outcome = 1027203 | Successful Logins Top 5 Destination Hosts | PCI > Track and Monitor All Access
archive | chart | R 86400 | event id = 512003 or 302006, OR Event Code = 1564, 3733, 3105 OR intrusion action = 1037213 and intrusion outcome = 1027203 | Successful Logins Top 5 Usernames | PCI > Track and Monitor All Access
archive | table | R 86400 | event id = 1072000, or Event Code = 2931, 3708, 3960, 38755, 41543, 40574, 11357, 777, 10532, 733, 623, 3103, 3733, 10423, 1564, 3105, 12775, or 4466 | User Logins | PCI > Track and Monitor All Access
archive | table | R 86400 | vendor code = Security:538, event id = 1072001, or Event Code = 720, or intrusion action = 1037214 | User Logouts | PCI > Track and Monitor All Access
archive | table | R 86400 | event id = 512003 or 302006 OR Event Code = 1564, 3733, 3105 or mechanisms = 11 or intrusion_action=1037213 and intrusion_outcome=1027203 AND target_resource = admin, administrator, root, guest or sa | Default Username Authentications | PCI > Unique User IDs
archive | chart | R 86400 | event id = 512003 or 302006 OR Event Code = 1564, 3733, 3105 or mechanisms = 11 or intrusion_action=1037213 and intrusion_outcome=1027203 AND target_resource = admin, administrator, root, guest or sa | Default Username Authentications Top 5 Usernames | PCI > Unique User IDs
archive | table | R 86400 | Event Code = 41460, 41454 or 42491 | Strong Authentication and Password Policy Compliance Checks | PCI > Unique User IDs
archive | table | R 86400 | Event Code = 41460, 41454 or 42491 and compliance status = 1937201 | Strong Authentication and Password Policy Compliance Failed | PCI > Unique User IDs
archive | table | R 86400 | Event Code = 44111, 719, 762, 757, 2322, 2894, 758, 759, 1559, 38765, 771, 38766, 1553 OR event_class=1071000 and target_resource=/People/ and event_id is not 1072000 or 1072001 | User Account Management Changes | PCI > Unique User IDs
archive | table | R 86400 | Event Code = 722 | User Accounts Created | PCI > Unique User IDs
archive | table | R 86400 | Event Code = 758 | User Accounts Deleted | PCI > Unique User IDs
archive | table | R 86400 | Event Code = 733, 39770, or Windows username = Administrator and product id = 3105 | Administrative Access to Systems | PCI > Vendor Supplied Defaults
archive | table | R 86400 | Event Code = 1525 | Audit Policy Changes | PCI > Vendor Supplied Defaults
archive | table | R 86400 | event id = 512003 or 302006 OR Event Code = 1564, 3733, 3105 or mechanisms = 11 or intrusion_action=1037213 and intrusion_outcome=1027203 AND target_resource = admin, administrator, root, guest or sa | Default Username Authentications | PCI > Vendor Supplied Defaults
archive | table | R 86400 | Event Code = 777, 2352 or 41376 | Default Username Authentications Detected | PCI > Vendor Supplied Defaults
archive | chart | R 86400 | event id = 512003 or 302006 OR Event Code = 1564, 3733, 3105 or mechanisms = 11 or intrusion_action=1037213 and intrusion_outcome=1027203 AND target_resource = admin, administrator, root, guest or sa | Default Username Authentications Top 5 Usernames | PCI > Vendor Supplied Defaults
archive | table | R 86400 | Event Code = 2894 | Disabled Accounts | PCI > Vendor Supplied Defaults
archive | table | R 604800 | vendor signature = Security:531 | Disabled User Accounts with Failed Login Attempts | PCI > Vendor Supplied Defaults
Summarizer | table | R 86400 | event id = 512004 or 512003 | Firewall Authentication Events Hourly Tally | PCI > Vendor Supplied Defaults
archive | table | R 86400 | Event Code = 718 | Password Changes | PCI > Vendor Supplied Defaults
SOX queries in the Compliance Queries folder
Table 4-7 describes the contents of the SOX subfolder. The Time range column sometimes contains the letter R followed by a number. This value is the duration of the query as a relative number of seconds. For example, a value of R 86400 equals relative 86400 seconds, or 1 day (24 hours).
Table 4-7 SOX queries in the Compliance Queries folder
Type | Display type | Time range | Qualifications | Query name | Subfolder
archive | table | R 86400 | Event Code = 733, 39770, or Windows username = Administrator and product id = 3105 | Administrative Access to Systems | SOX
archive | table | R 86400 | Event Code = 39747 or 39748 | Application Access | SOX
archive | table | R 86400 | Event Code = 38764 or 39628 | Audit Logs Access | SOX
archive | table | R 86400 | Event Code = 1525 | Audit Policy Changes | SOX
archive | table | R 86400 | Event Code = 2894 | Disabled Accounts | SOX
archive | table | R 86400 | Event Code = 765, 38765, 38768, 38676, 3788, 3789, 3790, 3791, 3792, 20280, 11501, 12985, 1560, 38845 | File and Directory Access | SOX
customsql | table | current timestamp - 7 days | N/A | Incident Overview for Last Week | SOX
customsql | table | current timestamp - 7 days | status as "Status" | Incidents Created Over Past Week | SOX
customsql | table | date(creation_time + current timezone) = current date | N/A | Incidents Created Today | SOX
archive | table | R 86400 | event id = 512004 or Event Code = 707, 645, 708, 785, 779, 1535, 3988, 2708, 39768, 1246, 3237, 12780 OR intrusion_action = 1037213 and intrusion outcome = 1027204, OR event_detail_id=747201 or 517219 or 517226 OR event_id = 512007 | Logon Failures | SOX
customsql | table | all | status <> 2 | Open Incident Aging by Assignee Table | SOX
customsql | table | R 86400 | severity >= 1 and status < 2 | Open Incidents by Assignee | SOX
customsql | table | DATE(CREATION_TIME + CURRENT TIMEZONE) = CURRENT_DATE | when status = 0 or status = 1 or status = 2 | Open and Closed Incidents for Assignees Today | SOX
archive | table | R 86400 | vendor signature = Security:627 or Event Code = 1559, 718 or 39765 | Password Change Attempts | SOX
archive | table | R 86400 | Event Code = 38764 or 39628 | Security Log Management | SOX
archive | table | CREATED_TIME >= (current timestamp - 1 Days) | CLOSED_TIME IS NOT NULL | Time to Resolve Incidents Over Last Day | SOX
archive | table | R 86400 | Event Code = 44111, 719, 762, 757, 2322, 2894, 758, 759, 1559, 38765, 771, 38766, 1553 OR event_class=1071000 and target_resource=/People/ and event_id is not 1072000 or 1072001 | User Account Management Changes | SOX
archive | table | R 86400 | Event Code = 709, 710, 772, 1552, 731, 1538, 38770, 38769, 38747, 39767, 39646, 39647 or 39648 | User Group Management Changes | SOX
archive | table | R 86400 | event id = 1072000, or Event Code = 2931, 3708, 3960, 38755, 41543, 40574, 11357, 777, 10532, 733, 623, 3103, 3733, 10423, 1564, 3105, 12775, or 4466 | User Logins | SOX
archive | table | R 86400 | vendor code = Security:538, event id = 1072001, or Event Code = 720, or intrusion action = 1037214 | User Logouts | SOX
archive | table | R 86400 | vendor_code=Security:643, and option1 = Password Policy or Lockout Policy | Windows Account Policy Changes | SOX
archive | table | creation_time >= (current timestamp - 7 DAYS) | case when status = 0 or status = 1 | Opened Incident Count by Creation Date | SOX > Administrative Safeguards
archive | table | R 86400 | Compliance status id 1937201 and Event Code = 41457 | Account Integrity Compliance Failed | SOX > Change Notification Reports
archive | table | R 86400 | compliance status = 1937201 and Event Code = 41461 or 41708 | File Attributes and Watch Compliance Failed | SOX > Change Notification Reports
archive | table | R 86400 | Event Code = 42476, 42485, 42493, 42536 and compliance status = 1937201 | Network Integrity and Complexity Compliance Failed | SOX > Change Notification Reports
archive | table | R 86400 | Event Code = 41467 and compliance status = 1937201 | OS Patches Compliance Failed | SOX > Control Compliance Reports
archive | table | R 86400 | Event Code = 41455 and compliance status = 1937201 | System Auditing Compliance Failed | SOX > Control Compliance Reports
archive | table | R 86400 | Compliance status id 1937201 and Event Code = 42488, 41456 | Account Information Compliance Failed | SOX > Resource Review Reports
archive | table | R 86400 | Event Code = 41460, 41454 or 42491 and compliance status = 1937201 | Strong Authentication and Password Policy Compliance Failed | SOX > Resource Review Reports
Compliance Templates folder
The Compliance Templates folder contains event queries that you can use to meet your organization's compliance needs. Premium collectors populate these queries with data. Compliance products do not populate these queries.
In Table 4-8, the Time range column sometimes contains the letter R followed by a number. This value is the duration of the query as a relative number of seconds. For example, a value of R 86400 equals relative 86400 seconds, or 1 day (24 hours).
Table 4-8 Compliance Templates folder
Type | Display type | Time range | Qualifications | Query name
archive events | table | R 2419200 | event_code=39747 or 39748 | Application Monitoring
archive events | table | R 2419200 | event_code=1525 | Audit Policy Changes
archive events | table | R 2419200 | event_code=Pro | File Monitoring
archive events | table | R 2419200 | event_code=38764 or 39628 | Log Management
archive events | table | R 2419200 | event_id=512004 or event_code=707, 645, 708, 785, 779, 1535, 3988, 2708, 39768, 1246, 3237, 12780 or intrusion_action_id=1037213 and intrusion_outcome_id=1027204 or event_detail_id=747201 or event_detail_id 517219 OR event_id=512007 | Logon Failures
archive events | table | R 2419200 | event_id=302004, 302002, 302003, 302004, 302005, 1072012, 1072008, 1072010, 1072009, 1072011 OR event_code 39745, 39744, 39746, 39743 | Object Monitoring
archive events | table | R 2419200 | event_code=722, 44111, 719, 762, 757, 2322, 2894, 758, 759, 1559, 38765, 771, 38766, 1553 or event_class_id=1071000 and target_resource contains /People/ OR event_id=1072000 or 1072001 | User Account Management
archive events | table | R 2419200 | event_code=709, 710, 772, 1552, 731, 1538, 38770, 38769, 38747, 39767, 39646, 39647, 39648 | User Group Management
archive events | table | R 2419200 | event_id=1072000, or event_code=2931, 3708, 3960, 38755, 41543, 40574, 11357, 777, 10532, 733, 623, 3103, 3733, 10423, 1564, 3105, 12775, 4466 | User Logon
archive events | table | R 2419200 | event_id=1072001, event_code=720 or intrusion_action_id=1037214 | User Logout
Product Queries folder
The Product Queries folder contains subgroups of queries, one subgroup for each collector that is installed, for example, Symantec Client Security.
In Table 4-9, the Time range column sometimes contains the letter R followed by a number. This value is the duration of the query as a relative number of seconds. For example, a value of R 86400 equals relative 86400 seconds, or 1 day (24 hours).
Table 4-9 Product Queries folder
Type | Display type | Time range or Display grouping | Qualifications | Query name | Subfolder
archive/Top N | bar chart | R 86400 | Product_id=3149 | Top 10 Requested Files for Web Events | IIS Collector
archive/Top N | bar chart | R 86400 | Product_id=3149 | Top 10 Src IPs for Web Events | IIS Collector
archive events | table | R 86400 | Product_id=3214, intrusion_action_id=1037213, intrusion_outcome_id=1027204 | Database Failed Logins | MS SQL Server
archive events | table | R 86400 | Product_id=3214, intrusion_action_id=1037213, intrusion_outcome_id=1027203 | Database Successful Logins | MS SQL Server
archive events | table | R 604800 | event_id=1162007, product_id=3012 | All Checkin Violation Events | Symantec Client Security
archive events | table | complete | event_class_id=1161002, product_id=3012 | All Client Audit Events | Symantec Client Security
archive events | table | complete | event_id=2082000 | All Detail Snapshot Events | Symantec Client Security
archive events | table | complete | event_class_id=2081002 | All Snapshot Catalog Events | Symantec Client Security
archive events | table | R 604800 | event_id=2082006, 2082008, 2082010, 2082002, 2082011, 2082000, 2082005, 2082007, 2082009, 2082001 | All Snapshot Events | Symantec Client Security
archive events | table | complete | event_id=2082001 | All Summary Snapshot Events | Symantec Client Security
custom SQL | pie chart | group by product_version | select product_version, count | Client Version Summary Latest Snapshot | Symantec Client Security
custom SQL | table from summarizer | not applicable | select columns | Client Versions Latest Snapshot | Symantec Client Security
custom SQL | pie chart | group by CF_version, CFV_count | firewall version and count | Clients By Firewall Version All Snapshots | Symantec Client Security
custom SQL | line chart | current timestamp - 30 days | event_id=92004 and time_slice | Daily Virus Definitions Successful Deployment Last 30 Days | Symantec Client Security
archive events | table | complete | product_id=3012 and event_id=1032000 | Detected Intrusion Violations | Symantec Client Security
custom SQL | table from summarizer | group by els_serial_id | ELS_SERIAL_ID | License Allocation by Serial ID | Symantec Client Security
custom SQL | table from summarizer | group by sav_domain | SAV_DOMAIN as Parent Server Group, sum(L_COUNT) | License Allocation by Server Group | Symantec Client Security
custom SQL | table from summarizer | not applicable | ELS_LIFECYCLE as "License LifeCycle" | License Status Summary | Symantec Client Security
custom SQL | table from summarizer | not applicable | L_COUNT as "License Count" | License Status per Computer | Symantec Client Security
custom SQL | table from summarizer | not applicable | ELS_FEATURE_NAME as "License Feature Name" | Licenses In Use | Symantec Client Security
custom SQL | table from summarizer | not applicable | select * | Licenses In Use Summary | Symantec Client Security
archive events | table | R 604800 | vendor_code = SCF_FirewallShutdown, swfeature_id=30170101 and event_id = 472001 | SCF Disabled | Symantec Client Security
archive events | table | R 604800 | vendor_code=SCF_FirewallStartup, swfeature_id=30170101 and event_id=472001 | SCF Enabled | Symantec Client Security
archive events | table | R 604800 | event_class_id=401001 and event_id=472004 | SCF Intrusion Detection Status Events | Symantec Client Security
archive events | table | R 604800 | event_id=472003 and swfeature_id=30170101 | SCF Policy Update | Symantec Client Security
archive/Top N | pie chart | R 2419200 | product_id=3012 and event_id=92004 | Summary of Virus Definition Deployment Last 30 Days | Symantec Client Security
archive/Top N | bar chart | R 604800 | data_status_id=117233, 117232 or 117239 | Top 10 Infected SCS Server Groups | Symantec Client Security
archive/Top N | bar chart | R 604800 | data_status_id=117233, 117232 or 117239 | Top 10 Infected SCS Client Groups | Symantec Client Security
archive/Top N | bar chart | R 604800 | data_status_id=117237, 117232, or 117239 | Top 10 Infected SCS Parent Servers | Symantec Client Security
archive/Top N | bar chart | R 604800 | event_id=122000 | Top 10 SCS Client Groups Containing Virus Events | Symantec Client Security
Table 4-9 Product Queries folder (continued) Type Display type Time range or Display grouping Qualifications Query name Subfolder archive/ Top N bar chart R 604800 event_id=122000 Top 10 SCS Parent Servers Containing Virus Events Symantec Client Security archive/ Top N bar chart R 604800 event_id=122000 Top 10 SCS Server Groups Containing Virus Events Symantec Client Security custom SQL pie chart group by product_version count(PRODUCT_VERSION) Total Client AV Version Count Symantec Client Security custom SQL table from summarizer group by parent parent server and count
SNAPSHOT_MACHINE Total Clients per
Parent Server Symantec Client Security summary line chart current timestamp -1 day event_id=92004 Virus Definition
Updates Per Hour Last 24 Hours Symantec Client Security custom SQL line chart order by bsav.snapshot_id virusdef = maxvirusdef Virus Definitions Current - Last 30 Snapshots Symantec Client Security custom SQL line chart order by bsav.snapshot_ id virus_definitions < mvd.maxvdef Virus Definitions
Out of Date - Last 30 Snapshots Symantec Client Security custom SQL stacked bar chart group by virus_ definitions rank <= 30 Virus Definitions Summary - Last 30 Snapshots Symantec Client Security custom SQL pie chart order by virus_ definitions snapshot_id = max Virus Definitions Summary - Latest Snapshot Symantec Client Security custom SQL table from summarizer order by snapshot_ id desc select * Virus Definitions Summary Table -Last 30 Snapshots Symantec Client Security custom SQL line chart order by client_group parent_virus_definitions > virus_definitions Virus Definitions by
Client Group - Out of Date - Latest Symantec
Client Security
55 System queries reference
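The archive rows in Table 4-9 are defined only by a relative time range and a Qualifications string, and that string uses two conventions at once: a comma between two field=value items means AND (Product_id=3214, intrusion_action_id=1037213), while a comma between bare values means another accepted value for the same field (event_id=2082006, 2082008, ... or data_status_id=117233, 117232 or 117239). The following added example, which is not code from the Symantec manual or product, turns such a row into an absolute time window and a SQL WHERE clause so a practitioner can reproduce a system query against the event store by hand. The timestamp column name event_ts, the fixed reference time and the choice of sample rows are assumptions; the row values themselves are copied from the table. Custom SQL rows (whose Qualifications column holds SQL fragments rather than field=value pairs) are rejected rather than guessed at.

```python
"""Expand a Table 4-9 system-query row into an absolute time window and a SQL
WHERE clause.  Added example; not Symantec code.  The timestamp column name
(event_ts) and the fixed reference time are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class QueryDef:
    name: str
    time_range: str      # "R <seconds>" or "complete", as in the table
    qualifications: str  # the Qualifications column, verbatim


def relative_seconds(time_range: str) -> Optional[int]:
    """'R 86400' -> 86400; 'complete' -> None (no relative window)."""
    text = time_range.strip()
    m = re.fullmatch(r"R\s*(\d+)", text)
    if m:
        return int(m.group(1))
    if text.lower() == "complete":
        return None
    raise ValueError(f"unrecognised time range: {time_range!r}")


def window(time_range: str, now: datetime) -> Optional[Tuple[datetime, datetime]]:
    """Absolute [start, end) window ending at `now`, or None for 'complete'."""
    secs = relative_seconds(time_range)
    return None if secs is None else (now - timedelta(seconds=secs), now)


# Separators used in the Qualifications column: ',' / 'and' / 'or', with an
# optional 'and'/'or' following a comma ("117232, or 117239").
_SEP = re.compile(r"\s*,\s*(?:(?:and|or)\s+)?|\s+(?:and|or)\s+", re.IGNORECASE)


def parse_qualifications(text: str) -> List[Tuple[str, List[str]]]:
    """Return [(field, [values...]), ...] in the order the fields appear.

    A token containing '=' starts a new field (joined with AND); a bare token
    is an additional accepted value for the previous field (an IN list).
    Field names are lower-cased because the table mixes 'Product_id' and
    'product_id'.
    """
    fields: List[Tuple[str, List[str]]] = []
    for tok in _SEP.split(text.strip()):
        tok = tok.strip()
        if not tok:
            continue
        if "=" in tok:
            field, value = (p.strip() for p in tok.split("=", 1))
            fields.append((field.lower(), [value]))
        elif fields:
            fields[-1][1].append(tok)
        else:
            # e.g. a custom SQL row ('select product_version, count')
            raise ValueError(f"not a field=value qualification: {text!r}")
    return fields


def _literal(value: str) -> str:
    """Numeric ids are emitted bare; anything else is single-quoted."""
    if re.fullmatch(r"-?\d+", value):
        return value
    return "'" + value.replace("'", "''") + "'"


def where_clause(q: QueryDef, now: datetime, ts_column: str = "event_ts") -> str:
    """Time window (if any) followed by the qualification predicates."""
    parts = []
    w = window(q.time_range, now)
    if w is not None:
        start, end = w
        parts.append(f"{ts_column} >= '{start:%Y-%m-%d %H:%M:%S}' "
                     f"AND {ts_column} < '{end:%Y-%m-%d %H:%M:%S}'")
    for field, values in parse_qualifications(q.qualifications):
        lits = [_literal(v) for v in values]
        parts.append(f"{field} = {lits[0]}" if len(lits) == 1
                     else f"{field} IN ({', '.join(lits)})")
    return " AND ".join(parts)


# Rows copied from Table 4-9 (archive rows only); the fixed 'now' is constructed.
REFERENCE_NOW = datetime(2007, 1, 2, tzinfo=timezone.utc)
SAMPLE_QUERIES = [
    QueryDef("Database Failed Logins", "R 86400",
             "Product_id=3214, intrusion_action_id=1037213, intrusion_outcome_id=1027204"),
    QueryDef("Top 10 Infected SCS Parent Servers", "R 604800",
             "data_status_id=117237, 117232, or 117239"),
    QueryDef("SCF Enabled", "R 604800",
             "vendor_code=SCF_FirewallStartup, swfeature_id=30170101 and event_id=472001"),
    QueryDef("All Detail Snapshot Events", "complete", "event_id=2082000"),
]


def render_all(now: datetime = REFERENCE_NOW) -> dict:
    """Map query name -> WHERE clause for every sample row."""
    return {q.name: where_clause(q, now) for q in SAMPLE_QUERIES}


if __name__ == "__main__":
    for name, clause in render_all(datetime.now(timezone.utc)).items():
        print(f"{name}:\n  WHERE {clause}")
```

Run it as a script to print the clause for each sample row against the current time; the 'complete' row produces no timestamp predicate at all, and the three-value data_status_id row becomes a single IN list rather than three ANDed equalities, which is the reading the table's "or" implies.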