Compliance related
PCI
COBIT
SOX
HIPAA
PCI
PCI 1.x: Top Reporting Firewalls By Event Count: Ranks the firewalls by the number of events sent
PCI 1.x: Firewall Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and are therefore accurate, independent of whether the device logged the change.
PCI 1.x: Router Config Changes Detected From Log: This report provides details about router config changes as reported in the router's own log messages; it only sees changes the device actually logged
PCI 1.x: Router Run vs Startup Config Difference Via Login: This report captures detected differences between a router's running and startup config
PCI 1.x: Firewall Run vs Startup Config Difference Via Login: This report captures detected differences between a firewall's running and startup config
PCI 1.x: Router/Switch Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and are therefore accurate, independent of whether the device logged the change.
PCI 1.x: Router Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and are therefore accurate, independent of whether the device logged the change.
PCI 1.x: Firewall Admin Activity Details: Provides details about firewall admin activity – logons, command executions and logoff
PCI 1.x: Router Admin Activity Details: Provides details about router admin activity – logons, command executions and logoff
PCI 1.x: Firewall NAT Translations: This report captures the NAT translations over a time window
PCI 1.x: Top Firewalls and Outbound Permitted Services By Connections, Bytes: Ranks firewalls and permitted outbound services by first the total number of connections and then by bytes for that service
PCI 1.x: Top Firewalls and Inbound Permitted Services By Connections, Bytes: Ranks firewalls and permitted inbound services by first the total number of connections and then by bytes for that service
PCI 1.x: Top Firewalls and Permitted High Port Services By Connections, Bytes: Tracks the high port services permitted by firewalls – these services may pose a security risk
PCI 1.x: Top Firewalls and Permitted Uncommon Services By Connections, Bytes: Tracks uncommon services permitted by firewalls – common services include DNS, SMTP, Web
PCI 1.x: Top Firewalls and Permitted Vulnerable Low Port Services By Connections, Bytes: Tracks vulnerable low port services permitted by firewalls – vulnerable services include Microsoft services such as MS-RPC (135), NETBIOS-SSN (139), MICROSOFT-DS (445), MS-SQL (1433,1434), as well as FTP (21) and TELNET (23)
PCI 1.x: Top Firewall Originated Or Destined Permitted Connections By Count: Ranks the firewall originated or destined connections – these connections would typically be for administrative and monitoring purposes
PCI 5.x: Top Reporting Security Management Servers: Ranks the security management servers by the number of events sent
PCI 5.x: Virus found but not remediated by Host Antivirus: Captures events that indicate the viruses that Host Antivirus found but failed to remedy
PCI 5.x: Spyware found but not remediated by Host Antivirus: Captures events that indicate the spyware that Host Antivirus found but failed to remedy
PCI 5.x: Top hosts with Malware found by Host Antivirus: Ranks hosts by the number of malware detections reported by Host Antivirus
PCI 5.x: Top IPs with Malware Found By IPS and Firewalls: Tracks IP addresses with Malware as found by IPS
PCI 5.x: Top IPs with Malware Found By Antivirus and Security Gateways: Tracks IP addresses with Malware as found by Host Anti-virus and Security Gateways
PCI 5.x: Non-compliant Hosts and Security Software License Expirations: Tracks non-compliant hosts and license expiry events from Security Management Gateways and Firewalls. Non-compliant hosts may not have proper security software running and therefore may pose a security threat. License expiration of security software may expose exploitable security vulnerabilities.
PCI 8.x,10.x: Detailed Successful Login At PCI Device: Captures detailed successful logins at any device or application including servers, network devices, domain controllers, VPN gateways, WLAN controllers and applications
PCI 8.x: Windows Server Account Lockouts: This report captures account lockouts on Windows servers. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation
PCI 8.x: Windows Domain Account Lockouts: This report details Windows domain account lockouts
PCI 8.x: Windows Server Account Lock/Unlock history: Captures account lockouts and unlocks on Windows servers. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.
PCI 8.x: Domain Account Lock/Unlock history: Captures account lockouts and unlocks on domain accounts. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.
PCI 8.x: Server Password Changes: Tracks password changes
PCI 8.x: Local Windows User Accounts Created: This report captures user accounts added on a server
PCI 8.x: Local Windows User Accounts Deleted: This report captures user accounts removed from a server
PCI 8.x: Local Windows User Accounts Modified: This report captures local user account modifications.
PCI 8.x: Users Added To Local Groups: This report captures users added to local groups.
PCI 8.x: Users Added To Global Groups: This report captures users added to global or universal groups.
PCI 8.x: Users Deleted From Local Groups: This report captures users deleted from local groups.
PCI 8.x: Users Deleted From Global Groups: This report captures users deleted from global or universal groups.
PCI 8.x: Local Windows Groups Deleted: This report captures local group deletions
PCI 8.x: Local Windows Groups Modified: This report captures local group modifications
PCI 8.x: Local Windows Groups Created: This report captures local group creations
PCI 8.x: Global Windows Groups Created: This report captures global group creations
PCI 8.x: Global Windows Groups Deleted: This report captures global group deletions
PCI 8.x: Global Windows Groups Modified: This report captures global group modifications
PCI 10.x: Detailed Failed Login At PCI System: Captures detailed failed logins at any device or application – servers, network devices, domain controllers, VPN gateways, WLAN controllers and applications
PCI 10.x: Privileged Windows Server Logon Attempts using the Administrator Account: This report details privileged logon attempts to a Windows server using the Administrator account
PCI 10.x: Remote Desktop Connections to Windows Servers: This report details successful and failed remote desktop connections
PCI 10.x: Unix Server Privileged Logon: This report details UNIX server privileged logon (su) details with all parsed parameters and raw logs
PCI 10.x: Unix Server Privileged Command Execution: This report details privileged command executions (sudo) at a Unix server
PCI 10.x: Successful Firewall Admin Logon Details: Details about successful firewall logons
PCI 10.x: Failed Firewall Admin Logon Details: Details about failed firewall logons
PCI 10.x: Successful Router Admin Logon Details: Details about successful router logons
PCI 10.x: Failed Router Admin Logon Details: Details about failed router logons
PCI 10.x: Successful VPN Admin Logon: Provides event details for all successful VPN admin logons
PCI 10.x: Failed VPN Admin Logon: Provides event details for all failed VPN admin logons
PCI 10.x: Successful WLAN Admin Logon: Tracks successful admin logons to the WLAN Controller
PCI 10.x: Failed WLAN Admin Logon: Tracks failed admin logons to the WLAN Controller
PCI 10.x: Network Device Down/Restart: Tracks network device down and restart events
PCI 10.x: Server Down/Restart: Tracks server down and restart events
PCI 10.x: Application Down/Restart: Tracks application stop and start events
PCI 10.x: Network Device Link Module Down/Up: Tracks network device hardware module (e.g. fan, power supply) down/up events
PCI 10.x: Network Device Errors: Tracks errors reported by network device
COBIT
COBIT AI2.4: Successful Database Server Logon Details: Captures successful database server logons
COBIT AI2.4: Failed Database Server Logon Details: Captures failed database server logons
COBIT AI2.4: Top App Servers By Current Uptime: Ranks App servers by current uptime (i.e. time since last reboot)
COBIT AI2.5: Server Installed Software Changes: This report captures detected installed software changes
COBIT DS3.x: Top Devices By CPU Util: Ranks the devices by average cpu utilization over a window
COBIT DS3.x: Top Devices By Memory Util: Ranks the devices by average memory utilization over a window
COBIT DS3.x: Top Devices By Disk Util: Ranks the devices by average system disk utilization over a window
COBIT DS3.x: Top Firewalls By Connections: Ranks the firewalls by average connection count over a window. The ratio of the connection count to the max connection count since startup is also provided. If the ratio is close to 1 and the firewall has been up for a long time, the firewall is busy from a firewalled-connection point of view.
COBIT DS3.x: Top Device Intf By Util, Error, Discards: Ranks the devices and their network interfaces by first average inbound and then by outbound interface utilization. The utilization is computed by accounting for the link bandwidth.
COBIT DS3.x: Top Server Apps By CPU, Mem Util: Ranks the server processes by first average cpu utilization and then by memory utilization over a window
COBIT DS3.x: Top Network Device Processes By CPU, Mem Util: Ranks the network device processes by average CPU utilization and then by memory utilization over a window
COBIT DS3.x: Top App Servers By CPU Usage With Other Performance Metrics: Ranks App servers by CPU usage; this report also provides details on other performance aspects such as memory, threads and classes
COBIT DS3.x: All devices under performance monitoring: Captures all devices under performance monitoring
COBIT DS4.x: Device Ping Monitor Statistics: Tracks the PING response times and packet loss for the monitored devices
COBIT DS4.x: Network Device Down/Restart: Tracks network device down and restart events
COBIT DS4.x: Server Down/Restart: Tracks server down and restart events
COBIT AI2.4,DS4.x: Application Down/Restart: Tracks application stop and start events
COBIT DS4.x: Network Device Failover: Tracks network device failovers
COBIT DS4.x: Network Device Interface Down/Up: Tracks network device interface down and up events
COBIT AI2.4,DS4.x: Server Interface Down/Up: Tracks server network interface down and up events
COBIT DS4.x: Network Device License Expiry: Tracks network device license expiry events
COBIT DS4.x: Application License Expiry: Tracks application license expiry events
COBIT DS4.x: Network Device Link Module Down/Up: Tracks network device hardware module (e.g. fan, power supply) down/up events
COBIT DS4.x: Top Network Devices, Errors By Count: Ranks network devices by reported error count
COBIT DS4.x: Top Devices by Accumulated Downtime: Ranks the devices by total system downtime over the last week
COBIT AI2.4,DS4.x: Top Applications By Response Time: Ranks the services by average application level probe response times
COBIT DS5.4: Windows Server Account Lock/Unlock history: Captures account lockouts and unlocks on Windows servers. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.
COBIT DS5.4: Domain Account Lock/Unlock history: Captures account lockouts and unlocks on domain accounts. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.
COBIT DS5.4: Server Password Changes: Tracks password changes
COBIT DS5.4: Local Windows User Accounts Created: This report captures user accounts added on a server
COBIT DS5.4: Local Windows User Accounts Deleted: This report captures user accounts removed from a server
COBIT DS5.4: Local Windows User Accounts Modified: This report captures local user account modifications.
COBIT DS5.4: Users Added To Local Windows User Groups: This report captures users added to local groups.
COBIT DS5.4: Users Added To Global Windows User Groups: This report captures users added to global or universal groups.
COBIT DS5.4: Users Deleted From Local Windows User Groups: This report captures users deleted from local groups.
COBIT DS5.4: Users Deleted From Global Windows User Groups: This report captures users deleted from global or universal groups.
COBIT DS5.4: Local Windows Groups Deleted: This report captures local group deletions
COBIT DS5.4: Local Windows Groups Modified: This report captures local group modifications
COBIT DS5.4: Local Windows Groups Created: This report captures local group creations
COBIT DS5.4: Global Windows Groups Created: This report captures global group creations
COBIT DS5.4: Global Windows Groups Deleted: This report captures global group deletions
COBIT DS5.4: Global Windows Groups Modified: This report captures global group modifications
COBIT DS5.4: Unix Users Added To Group: Tracks user additions to groups
COBIT DS5.4: Unix User Password Changed: Tracks password changes
COBIT DS5.5: Privileged Windows Server Logon Attempts using the Administrator Account: This report details privileged logon attempts to a Windows server using the Administrator account
COBIT DS5.5: Remote Desktop Connections to Windows Servers: This report details successful and failed remote desktop connections
COBIT DS5.5: Unix Server Privileged Logon: This report details UNIX server privileged logon (su) details with all parsed parameters and raw logs
COBIT DS5.5: Unix Server Privileged Command Execution: This report details privileged command executions (sudo) at a Unix server
COBIT DS5.5: Successful Firewall Admin Logon Details: Details about successful firewall logons
COBIT DS5.5: Failed Firewall Admin Logon Details: Details about failed firewall logons
COBIT DS5.5: Successful Router Admin Logon Details: Details about successful router logons
COBIT DS5.5: Failed Router Admin Logon Details: Details about failed router logons
COBIT DS5.5: Successful VPN Admin Logon: Provides event details for all successful VPN admin logons
COBIT DS5.5: Failed VPN Admin Logon: Provides event details for all failed VPN admin logons
COBIT DS5.5: Successful WLAN Admin Logon: Tracks successful admin logons to the WLAN Controller
COBIT DS5.5: Failed WLAN Admin Logon: Tracks failed admin logons to the WLAN Controller
COBIT DS5.6: Top Incidents Ranked By Severity, Count: Ranks the incidents by first their severity and then by their count.
COBIT DS5.6: All Availability Incidents: Captures the availability incidents
COBIT DS5.6: Performance Incidents: Captures the performance related incidents
COBIT DS5.6: Security Incidents: Captures the security related incidents
COBIT DS5.9: Virus found but not remediated by Host Antivirus: Captures events that indicate the viruses that Host Antivirus found but failed to remedy
COBIT DS5.9: Spyware found but not remediated by Host Antivirus:
COBIT DS5.9: Top Hosts with Malware found by Host Antivirus:
COBIT DS5.9: Top Hosts with Malware Found By Network IPS and Firewalls: Tracks IP addresses with Malware as found by IPS
COBIT DS5.9: Top Hosts with Malware Found By Antivirus and Security Gateways: Tracks IP addresses with Malware as found by Host Anti-virus and Security Gateways
COBIT DS5.9: Non-compliant Hosts and Security Software License Expirations: Tracks non-compliant hosts and license expiry events from Security Management Gateways and Firewalls. Non-compliant hosts may not have proper security software running and therefore may pose a security threat. License expiration of security software may expose exploitable security vulnerabilities.
COBIT DS5.10: Top Firewalls and Permitted Outbound Services By Connections, Bytes: Ranks firewalls and permitted outbound services by first the total number of connections and then by bytes for that service
COBIT DS5.10: Top Firewalls and Permitted Inbound Services By Connections, Bytes: Ranks firewalls and permitted inbound services by first the total number of connections and then by bytes for that service
COBIT DS5.10: Top Firewalls and Permitted High Port Services By Connections, Bytes: Tracks the high port services permitted by firewalls – these services may pose a security risk
COBIT DS5.10: Top Firewalls and Permitted Uncommon Services By Connections, Bytes: Tracks uncommon services permitted by firewalls – common services include DNS, SMTP, Web
COBIT DS5.10: Top Firewalls and Permitted Vulnerable Low Port Services By Connections, Bytes: Tracks vulnerable low port services permitted by firewalls – vulnerable services include Microsoft services such as MS-RPC (135), NETBIOS-SSN (139), MICROSOFT-DS (445), MS-SQL (1433,1434), as well as FTP (21) and TELNET (23)
COBIT DS5.10: Top Firewall Originated Or Destined Permitted Connections By Count: Ranks the firewall originated or destined connections – these connections would typically be for administrative and monitoring purposes
COBIT DS5.10: Top Blocked Internal Sources, Services, Destinations: Ranks blocked internal sources, services and destinations by connection count
COBIT DS5.10: Top Blocked Internal Destinations, Services Ranked By Connection Count: Ranks blocked internal destinations and services by connection count
COBIT DS5.10: Top Network IPS events By Severity, Count: Ranks the network IPS events first by severity and then by count
COBIT DS5.10: Top Network Scanners By Event Count: Ranks the source IP addresses by detected network scan or reconnaissance events
COBIT DS5.10: Top Blocked Network Attacks By Count: Ranks the network attacks blocked by network IPS
COBIT DS5.10: Top Web Users By Uncommon HTTP Method Connections: Ranks web users by uncommon HTTP methods used
COBIT DS5.10: Top Web Users By HTTP POST Exchanged Bytes: Ranks web clients by HTTP POST byte count – can catch malware sending confidential information out
COBIT DS5.10: Top Visited Web Sites And Categories By Connections: Ranks (successfully) visited web sites and categories by the number of connections
COBIT DS5.10: Top Denied Web Sites And Categories By Connections: Ranks web sites and categories that were denied by policy, by the number of connections
COBIT DS5.10: Top Web Users, Denied Sites And Categories By Connections: Ranks users, web sites and categories that were denied by policy, by the number of connections
COBIT DS5.10: Top Inbound Blacklisted Mail Gateways By Connections: Ranks denied mail gateways by the number of attempted SMTP connections. The most common reason for denial is the gateway being listed on a blacklist.
COBIT DS5.10: Top Inbound Blacklisted Mail Gateways and SMTP Error Types By Connections: Ranks denied mail gateways and the SMTP errors by the number of attempted connections. The most common SMTP error is the gateway being listed on a mail blacklist.
COBIT DS5.10: Filtered Inbound Spam Count: Counts total inbound spam denied by spam filtering policy
COBIT DS5.10: Top Outbound Blacklisted Mail Gateways By Connections: Ranks denied mail gateways by the number of attempted SMTP connections. The most common reason for denial is the gateway being listed on a blacklist.
COBIT DS5.10: Top Outbound Blacklisted Mail Gateways and SMTP Error Types By Connections: Ranks denied mail gateways and the SMTP errors by the number of attempted connections. The most common SMTP error is the gateway being listed on a mail blacklist.
COBIT DS5.10: Filtered Outbound Spam Count: Counts total outbound spam denied by policy
COBIT DS5.10: Total Denied Web Connections By Policy: Counts denied web site connections because of policy violations
COBIT DS5.10: Top Mail Security Gateway Actions By Count: Ranks the actions taken by the mail security gateway – actions include blocking an inbound/outbound mail gateway because of RBL or other SMTP violations, blocking a mail because of spam or other policy violations and delivering a mail
COBIT DS9.x: Firewall Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and are therefore accurate, independent of whether the device logged the change.
COBIT DS9.x: Firewall Run vs Startup Config Difference Via Login: This report captures detected differences between a firewall's running and startup config
COBIT DS9.x: Router/Switch Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and are therefore accurate, independent of whether the device logged the change.
COBIT DS9.x: Router Run vs Startup Config Difference Via Login: This report captures detected differences between a router's running and startup config
SOX
SOX (AI2.4): Successful Database Server Logons: Captures successful database server logons
SOX (AI2.4): Failed Database Server Logons: Captures failed database server logons
SOX (AI2.4,DS4.x): Top Applications By Response Time: Ranks the services by average application level probe response times
SOX (AI2.4): Top App Servers By Current Uptime: Ranks App servers by current uptime (i.e. time since last reboot)
SOX (AI2.4,DS4.x): Application Down/Restart: Tracks application stop and start events
SOX (AI2.4,DS4.x): Server Interface Down/Up: Tracks server network interface down and up events
SOX (AI2.5): Server Installed Software Changes: This report captures detected installed software changes
SOX (DS3.x): Top Devices By CPU Util: Ranks the devices by average cpu utilization over a window
SOX (DS3.x): Top Devices By Memory Util: Ranks the devices by average memory utilization over a window
SOX (DS3.x): Top Devices By Disk Util: Ranks the devices by average system disk utilization over a window
SOX (DS3.x): Top Firewalls By Connections: Ranks the firewalls by average connection count over a window. The ratio of the connection count to the max connection count since startup is also provided. If the ratio is close to 1 and the firewall has been up for a long time, the firewall is busy from a firewalled-connection point of view.
SOX (DS3.x): Top Device Intf By Util, Error, Discards: Ranks the devices and their network interfaces by first average inbound and then by outbound interface utilization. The utilization is computed by accounting for the link bandwidth.
SOX (DS3.x): Top Server Apps By CPU, Mem Util: Ranks the server processes by first average cpu utilization and then by memory utilization over a window
SOX (DS3.x): Top Network Device Processes By CPU, Mem Util: Ranks the network device processes by average CPU utilization and then by memory utilization over a window
SOX (DS3.x): Top App Servers By CPU Usage With Other Performance Metrics: Ranks App servers by CPU usage; this report also provides details on other performance aspects such as memory, threads and classes
SOX (DS5.6): All Availability Incidents: Captures the availability incidents
SOX (DS5.6): Performance Incidents: Captures the performance related incidents
SOX (DS3.x): All devices under performance monitoring: Captures all devices under performance monitoring
SOX (DS5.4): Windows Server Account Lock/Unlock history: Captures account lockouts and unlocks on Windows servers. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.
SOX (DS5.4,PCI1.x): Domain Account Lock/Unlock history: Captures account lockouts and unlocks on domain accounts. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.
SOX (DS5.4,PCI1.x): Server Password Changes: Tracks password changes
SOX (DS5.4,PCI1.x): Local Windows User Accounts Created: This report captures user accounts added on a server
SOX (DS5.4,PCI1.x): Local Windows User Accounts Deleted: This report captures user accounts removed from a server
SOX (DS5.4,PCI1.x): Local Windows User Accounts Modified: This report captures local user account modifications.
SOX (DS5.4,PCI1.x): Users Added To Local Windows User Groups: This report captures users added to local groups.
SOX (DS5.4): Users Added To Global Windows User Groups: This report captures users added to global or universal groups.
SOX (DS5.4,PCI1.x): Users Deleted From Local Windows User Groups: This report captures users deleted from local groups.
SOX (DS5.4,PCI1.x): Users Deleted From Global Windows User Groups: This report captures users deleted from global or universal groups.
SOX (DS5.4,PCI1.x): Local Windows Groups Deleted: This report captures local group deletions
SOX (DS5.4,PCI1.x): Local Windows Groups Modified: This report captures local group modifications
SOX (DS5.4,PCI1.x): Local Windows Groups Created: This report captures local group creations
SOX (DS5.4,PCI1.x): Global Windows Groups Created: This report captures global group creations
SOX (DS5.4,PCI1.x): Global Windows Groups Deleted: This report captures global group deletions
SOX (DS5.4,PCI1.x): Global Windows Groups Modified: This report captures global group modifications
SOX (DS5.4,PCI1.x): Unix Users Added To Group: Tracks user additions to groups
SOX (DS5.4,PCI1.x): Unix User Password Changed: Tracks password changes
SOX (DS5.5,PCI1.x): Privileged Windows Server Logon Attempts using the Administrator Account: This report details privileged logon attempts to a Windows server using the Administrator account
SOX (DS5.5,PCI1.x): Remote Desktop Connections to Windows Servers: This report details successful and failed remote desktop connections
SOX (DS5.5,PCI1.x): Unix Server Privileged Logon: This report details UNIX server privileged logon (su) details with all parsed parameters and raw logs
SOX (DS5.5,PCI1.x): Unix Server Privileged Command Execution: This report details privileged command executions (sudo) at a Unix server
SOX (DS5.5,PCI1.x): Successful Firewall Admin Logon Details: Details about successful firewall logons
SOX (DS5.5,PCI1.x): Failed Firewall Admin Logon Details: Details about failed firewall logons
SOX (DS5.5,PCI1.x): Successful Router Admin Logon Details: Details about successful router logons
SOX (DS5.5,PCI1.x): Failed Router Admin Logon Details: Details about failed router logons
SOX (DS5.5,PCI1.x): Successful VPN Admin Logon: Provides event details for all successful VPN admin logons
SOX (DS5.5,PCI1.x): Failed VPN Admin Logon: Provides event details for all failed VPN admin logons
SOX (DS5.5,PCI1.x): Successful WLAN Admin Logon: Tracks successful admin logons to the WLAN Controller
SOX (DS5.5,PCI1.x): Failed WLAN Admin Logon: Tracks failed admin logons to the WLAN Controller
SOX (DS5.6): Security Incidents: Captures the security related incidents
SOX (DS5.9): Virus found but not remediated by Host Antivirus: Captures events that indicate the viruses that Host Antivirus found but failed to remedy
SOX (DS5.9): Spyware found but not remediated by Host Antivirus:
SOX (DS5.9): Top Hosts with Malware found by Host Antivirus:
SOX (DS5.9): Top Hosts with Malware Found By Network IPS and Firewalls: Tracks IP addresses with Malware as found by IPS
SOX (DS5.9): Top Hosts with Malware Found By Antivirus and Security Gateways: Tracks IP addresses with Malware as found by Host Anti-virus and Security Gateways
SOX (DS5.9): Non-compliant Hosts and Security Software License Expirations: Tracks non-compliant hosts and license expiry events from Security Management Gateways and Firewalls. Non-compliant hosts may not have proper security software running and therefore may pose a security threat. License expiration of security software may expose exploitable security vulnerabilities.
SOX (DS5.10): Top Firewalls and Permitted Outbound Services By Connections, Bytes: Ranks firewalls and permitted outbound services by first the total number of connections and then by bytes for that service
SOX (DS5.10): Top Firewalls and Permitted Inbound Services By Connections, Bytes: Ranks firewalls and permitted inbound services by first the total number of connections and then by bytes for that service
SOX (DS5.10): Top Firewalls and Permitted High Port Services By Connections, Bytes: Tracks the high port services permitted by firewalls – these services may pose a security risk
SOX (DS5.10): Top Firewalls and Permitted Uncommon Services By Connections, Bytes: Tracks uncommon services permitted by firewalls – common services include DNS, SMTP, Web
SOX (DS5.10): Top Firewalls and Permitted Vulnerable Low Port Services By Connections, Bytes: Tracks vulnerable low port services permitted by firewalls – vulnerable services include Microsoft services such as MS-RPC (135), NETBIOS-SSN (139), MICROSOFT-DS (445), MS-SQL (1433,1434), as well as FTP (21) and TELNET (23)
SOX (DS5.10): Top Firewall Originated Or Destined Permitted Connections By Count: Ranks the firewall originated or destined connections – these connections would typically be for administrative and monitoring purposes
SOX (DS5.10): Top Blocked Internal Sources, Services, Destinations: Ranks blocked internal sources, services and destinations by connection count
SOX (DS5.10): Top Blocked Internal Destinations, Services Ranked By Connection Count: Ranks blocked internal destinations and services by connection count
SOX (DS5.10): Top Network IPS events By Severity, Count: Ranks the network IPS events first by severity and then by count
SOX (DS5.10): Top Network Scanners By Event Count: Ranks the source IP addresses by detected network scan or reconnaissance events
SOX (DS5.10): Top Blocked Network Attacks By Count: Ranks the network attacks blocked by network IPS
SOX (DS5.10): Top Web Users By Uncommon HTTP Method Connections: Ranks web users by uncommon HTTP methods used
SOX (DS5.10): Top Web Users By HTTP POST Exchanged Bytes: Ranks web clients by HTTP POST byte count – can catch malware sending confidential information out
SOX (DS5.10): Top Visited Web Sites And Categories By Connections: Ranks (successfully) visited web sites and categories by the number of connections
SOX (DS5.10): Top Denied Web Sites And Categories By Connections: Ranks web sites and categories that were denied by policy, by the number of connections
SOX (DS5.10): Top Web Users, Denied Sites And Categories By Connections: Ranks users, web sites and categories that were denied by policy, by the number of connections
SOX (DS5.10): Top Inbound Blacklisted Mail Gateways By Connections: Ranks denied mail gateways by the number of attempted SMTP connections. The most common reason for denial is the gateway being listed on a blacklist.
SOX (DS5.10): Top Inbound Blacklisted Mail Gateways and SMTP Error Types By Connections: Ranks denied mail gateways and the SMTP errors by the number of attempted connections. The most common SMTP error is the gateway being listed on a mail blacklist.
SOX (DS5.10): Filtered Inbound Spam Count: Counts total inbound spam denied by spam filtering policy
SOX (DS5.10): Top Outbound Blacklisted Mail Gateways By Connections: Ranks denied mail gateways by the number of attempted SMTP connections. The most common reason for denial is the gateway being listed on a blacklist.
SOX (DS5.10): Top Outbound Blacklisted Mail Gateways and SMTP Error Types By Connections: Ranks denied mail gateways and the SMTP errors by the number of attempted connections. The most common SMTP error is the gateway being listed on a mail blacklist.
SOX (DS5.10): Filtered Outbound Spam Count: Counts total outbound spam denied by policy
SOX (DS5.10): Total Denied Web Connections By Policy: Counts denied web site connections because of policy violations
SOX (DS5.10): Top Mail Security Gateway Actions By Count: Ranks the actions taken by the mail security gateway – actions include blocking an inbound/outbound mail gateway because of RBL or other SMTP violations, blocking a mail because of spam or other policy violations and delivering a mail
SOX (DS9.x): Firewall Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and hence is accurate.
SOX (DS9.x): Firewall Run vs Startup Config Difference Via Login: This report captures detected differences between a routers running and startup config
SOX (DS9.x): Router/Switch Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and hence is accurate.
HIPAA
HIPAA 164.308(a)(3): Server Password Changes: Tracks password changes
HIPAA 164.308(a)(3),164.312(a)(2): Local Windows User Accounts Created: This report captures user accounts added on a server
HIPAA 164.308(a)(3): Local Windows User Accounts Deleted: This report captures user accounts removed from a server
HIPAA 164.308(a)(3): Local Windows User Accounts Modified: This report captures local user account modifications.
HIPAA 164.308(a)(3): Users Added To Local Groups: This report captures users added to local groups.
HIPAA 164.308(a)(3): Users Added To Global Groups: This report captures users added to global or universal groups.
HIPAA 164.308(a)(3): Users Deleted From Local Groups: This report captures users deleted from local groups.
HIPAA 164.308(a)(3): Users Deleted From Global Groups: This report captures users deleted from global or universal groups.
HIPAA 164.308(a)(3): Local Windows Groups Deleted: This report captures local group deletions
HIPAA 164.308(a)(3): Local Windows Groups Modified: This report captures local group modifications
HIPAA 164.308(a)(3): Local Windows Groups Created: This report captures local group creations
HIPAA 164.308(a)(3): Global Windows Groups Created: This report captures global group creations
HIPAA 164.308(a)(3): Global Windows Groups Deleted: This report captures global group deletions
HIPAA 164.308(a)(3): Global Windows Groups Modified: This report captures global group modifications
HIPAA 164.308(a)(4): Firewall Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and hence is accurate.
HIPAA 164.308(a)(4): Router Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and hence is accurate.
HIPAA 164.308(a)(4): Router Run vs Startup Config Difference Via Login: This report captures detected differences between a router's running and startup config
HIPAA 164.308(a)(4): Top Firewalls and Outbound Permitted Services By Connections, Bytes: Ranks firewalls and permitted outbound services by first the total number of connections and then by bytes for that service
HIPAA 164.308(a)(4): Top Firewalls and Inbound Permitted Services By Connections, Bytes: Ranks firewalls and permitted inbound services by first the total number of connections and then by bytes for that service
HIPAA 164.308(a)(4): Top Firewalls and Permitted High Port Services By Connections, Bytes: Tracks the high port services permitted by firewalls – these services may pose security risk
HIPAA 1.x: Top Firewalls and Permitted Uncommon Services By Connections, Bytes: Tracks uncommon services permitted by firewalls – common services include DNS, SMTP, Web
HIPAA 164.308(a)(4): Top Firewalls and Permitted Vulnerable Low Port Services By Connections, Bytes: Tracks uncommon services permitted by firewalls – vulnerable services include Microsoft services such as MS-RPC (135), NETBIOS-SSN (139), MICROSOFT-DS (445), MS-SQL (1433,1434), FTP (23), TELNET (21)
HIPAA 164.308(a)(4): Top Firewall Originated Or Destined Permitted Connections By Count: Ranks the firewall originated or destined connections – these connections would typically be for administrative and monitoring purposes
HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c),164.312(a)(2): Detailed Successful Login At HIPAA Device: Captures detailed successful logins at any device or application including servers, network devices, domain controllers, VPN gateways, WLAN controllers and applications
HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c),164.312(a)(2): Detailed Failed Login At HIPAA System: Captures detailed failed logins at any device or application – servers, network devices, domain controllers, VPN gateways, WLAN controllers and applications
HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Successful Firewall Admin Logon Details: Details about successful firewall logons
HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Failed Firewall Admin Logon Details: Details about failed firewall logons
HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Successful Router Admin Logon Details: Details about successful router logons
HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Failed Router Admin Logon Details: Details about failed router logons
HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Successful VPN Admin Logon: Provides event details for all successful VPN admin logons
HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Failed VPN Admin Logon: Provides event details for all failed VPN admin logons
HIPAA 10.x: Successful WLAN Admin Logon: Tracks successful admin logons to the WLAN Controller
HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Failed WLAN Admin Logon: Tracks failed admin logons to the WLAN Controller
HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Privileged Windows Server Logon Attempts using the Administrator Account: This report details privileged logon attempts to a Windows server using the Administrator account
HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Remote Desktop Connections to Windows Servers: This report details successful and failed remote desktop connections
HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c),164.312(a)(2): Successful Windows Server Logons: This report records successful Windows server logons
HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c),164.312(a)(2): Failed Windows Server Logons: This report records failed Windows server logons
HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c),164.312(a)(2): Successful Unix Server Logons: This report details successful unix server logons with all parsed fields and raw logs
HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c),164.312(a)(2): Failed Unix Server Logons: This report details failed unix server logons with all parsed fields and raw logs
HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Unix Server Privileged Logon: This report details UNIX server privileged logon (su) details with all parsed parameters and raw logs
HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Unix Server Privileged Command Execution: This report details privileged command executions (sudo) at a Unix server
HIPAA 164.308(a)(5)(ii)(c): Windows Server Account Lockouts: This report captures account lockouts on Windows servers. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation
HIPAA 164.308(a)(5)(ii)(c): Windows Server Account Unlocks: Captures account unlocks on Windows servers. Account unlocks happen after lockouts, which may happen on repeated login failures
HIPAA 164.308(a)(5): Server Password Changes: Tracks password changes
HIPAA 164.308(a)(6): Virus found but not remediated by Host Antivirus: Captures events that indicate the viruses that Host Antivirus found but failed to remedy
HIPAA 164.308(a)(6): Spyware found but not remediated by Host Antivirus:
HIPAA 164.308(a)(6): Top hosts with Malware found by Host Antivirus:
HIPAA 164.308(a)(6): Top IPs with Malware Found By IPS and Firewalls: Tracks IP addresses with Malware as found by IPS
HIPAA 164.308(a)(6): Top IPs with Malware Found By Antivirus and Security Gateways: Tracks IP addresses with Malware as found by Host Anti-virus and Security Gateways
HIPAA 164.308(a)(6): Non-compliant Hosts and Security Software License Expirations: Tracks non-compliant hosts and license expiry events from Security Management Gateways and Firewalls. Non-compliant hosts may not have proper security software running and therefore may pose a security threat. License expiration of security software may expose exploitable security vulnerabilities.
HIPAA 164.308(a)(6): Top Network Scanners By Event Count: Ranks the source IP addresses by detected network scan or reconnaissance events
HIPAA 164.308(a)(6): Top Blocked Network Attacks By Count: Ranks the network attacks blocked by network IPS
HIPAA 164.308(a)(6): Top Network IPS events (affecting HIPAA devices) Ranked By Severity, Count: Ranks the network IPS events affecting HIPAA devices
HIPAA 164.308(a)(6): Top System detected Security Incidents (affecting HIPAA devices) Ranked By Severity, Count: Ranks the security related incidents by first their severity and then by their count – restricted to HIPAA devices
HIPAA 164.312(a)(2): Successful VPN Logons: Captures successful VPN logons
HIPAA 164.312(a)(2): Failed VPN Logons: Captures failed VPN logons
HIPAA 164.312(a)(2): Successful Wireless Logons: Captures successful wireless logons
HIPAA 164.312(a)(2): Failed Wireless Logons: Captures failed wireless logons
HIPAA 164.312(a)(2): Successful Windows Domain Authentications: Captures successful domain authentications
HIPAA 164.312(a)(2): Failed Windows Domain Authentications: Captures failed domain authentications
HIPAA 164.312(a)(2): Successful Database Server Logons: Captures successful database server logons
HIPAA 164.312(a)(2): Failed Database Server Logons: Captures failed database server logons
HIPAA 164.312(b): Windows Audit Policy Changed: This report captures audit policy changes
HIPAA 164.312(b): All System Admin User Logon Attempts: Details all System Admin User Logon Attempts
HIPAA 164.312(b): System Operational Warnings: Detects System operational errors including license limits, down collector