
FortiSIEM Integration API

Integration API

AccelOps provides an API that you can use to query and make changes to the CMDB, query events, and send notifications. These topics contain information on API parameters, sample XML input and output files, and python scripts that you can use to interact with the API.

Python Support

Versions 2.5, 2.6

Version 2.4 is only supported when import ssl is changed to from socket import ssl

Version 3.0 cannot be supported unless all print statements are rewritten

You will need to install httplib2 and ssl manually, if they are not already installed

Topics

Add or Update an Organization

Create or Update Credentials

Discover Devices

Get CMDB Device Info

Get the List of Monitored Devices and Attributes

Get the List of Monitored Organizations

Update Device Monitoring

Add, Update or Delete Device Maintenance Schedule

Events and Report Integration

Incident Notification

Formats for Incident Notifications over Email, HTTPS, SNMP Trap, and API Using the Notification API

External Help desk / CMDB Integration

External Threat Intelligence Integration

License Registration

CMDB APIs

These APIs are available for interacting with the AccelOps CMDB.

Add or Update an Organization

Create or Update Credentials

Discover Devices

Get CMDB Device Info

Get the List of Monitored Devices and Attributes

Get the List of Monitored Organizations

Update Device Monitoring

Add, Update or Delete Device Maintenance Schedule

 

Add or Update an Organization

Applies To

API Parameters

Sample Code for Adding an Organization

Sample XML Input File

Sample Python Script

Sample Code for Updating an Organization’s Attributes

Sample XML Input File

Sample Python Script

Applies To

Multi-tenant deployments

API Parameters

Methodology: REST API based. Makes an HTTP(S) request with an input XML containing the organization information. The key to the organization information is the name.

Request URL:

    Add an organization: https://<AccelOps_IP>/phoenix/rest/organization/add

    Update an organization: https://<AccelOps_IP>/phoenix/rest/organization/update

Input Parameters: Username and password of Super account or Organization specific account, Organization definition file

Input XML: Contains organization details – the key is the organization name, which means that entries with the same name will be merged.

Output: None

Sample Code for Adding an Organization

The sample shows how to add the organization organization341 and specify its attributes.

Sample XML Input File

Sample Python Script

AddOrg.py script

    import sys, base64, urllib2

    def restPost(appServer, user, password, file):
        # Read the organization definition XML that is PUT to the server
        f = open(file, 'r')
        content = f.read()
        f.close()
        url = "https://" + appServer + "/phoenix/rest/organization/add"
        # HTTP Basic authentication; user is given as organization/user, e.g. super/admin.
        # b64encode (not encodestring) so that no trailing newline ends up in the header.
        auth = "Basic %s" % base64.b64encode(user + ":" + password)
        request = urllib2.Request(url, content)
        request.add_header('Authorization', auth)
        request.add_header('Content-Type', 'text/xml')  # 'application/xml'
        request.add_header('Content-Length', len(content))
        request.add_header('User-Agent', 'Python-urllib2/2.7')
        request.get_method = lambda: 'PUT'
        try:
            handle = urllib2.urlopen(request)
        except urllib2.HTTPError, error:
            # 204 No Content is the normal reply; anything else is reported
            if (error.code != 204):
                print error

    if __name__ == '__main__':
        if len(sys.argv) != 5:
            print "Usage: addOrgSample.py appServer user password orgDefFile"
            print "Example: python addOrgSample.py 192.168.20.116 super/admin adm1n orgDef.xml"
            sys.exit()
        restPost(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4])

Usage

    python addOrg.py <AccelOps_IP> <user> <password> <orgDefFile>

Sample Code for Updating an Organization's Attributes

The sample increases the max events per second (eps) value of organization341 to 1000. The key is the organization name.

Sample XML Input File

Sample Python Script

AddOrg.py script Usage

    python updateOrg.py <AccelOps_IP> <user> <password> <orgDefFile>

Create or Update Credentials

Applies To

API Parameters

Multi-Tenant Deployments

Enterprise Deployments

Sample Code for Adding and Updating Credentials

Sample XML Input File

Sample Python Script

Applies To

Enterprise and multi-tenant deployments

API Parameters

The key is the credential name in the input XML. If a credential with the same name exists, then the credential in the database will be updated with the new content.

Multi-Tenant Deployments

Methodology: REST API based. Make an HTTP(S) request with an input XML (optional). An output XML is returned.

Request URL: https://<AccelOps_IP>/phoenix/rest/deviceMon/updateCredential

Input Parameters: Username and password of Super account or Organization specific account, Organization name

Input XML: An XML file that contains credentials and IP to credential mappings

Output: None

Enterprise Deployments

Methodology: REST API based. Make an HTTP(S) request with an input XML.

Request URL: https://<AccelOps_IP>/phoenix/rest/deviceMon/updateCredential

Input Parameters: Username and password of any AccelOps account

Input XML: An XML file that contains credentials and IP to credential mappings

Output: None

 

Sample Code for Adding and Updating Credentials

This sample takes the credentials and, optionally, the organization name as arguments and writes out the parsed XML output file in a comma separated value (CSV) format on the screen. The output can be redirected to a file if needed.

Sample XML Input File

Sample Python Script

UpdateCredential.py Script

    import sys, base64, urllib2

    def restPost(appServer, user, password, file):
        # Read the credential definition XML that is PUT to the server
        f = open(file, 'r')
        content = f.read()
        f.close()
        url = "https://" + appServer + "/phoenix/rest/deviceMon/updateCredential"
        # HTTP Basic authentication; user is given as organization/user, e.g. super/admin.
        # b64encode (not encodestring) so that no trailing newline ends up in the header.
        auth = "Basic %s" % base64.b64encode(user + ":" + password)
        request = urllib2.Request(url, content)
        request.add_header('Authorization', auth)
        request.add_header('Content-Type', 'text/xml')  # 'application/xml'
        request.add_header('Content-Length', len(content))
        request.add_header('User-Agent', 'Python-urllib2/2.7')
        request.get_method = lambda: 'PUT'
        try:
            handle = urllib2.urlopen(request)
        except urllib2.HTTPError, error:
            # 204 No Content is the normal reply; anything else is reported
            if (error.code != 204):
                print error

    if __name__ == '__main__':
        if len(sys.argv) != 5:
            print "Usage: UpdateCredential.py appServer user password credentialDefFile"
            print "Example: python UpdateCredential.py 192.168.20.116 super/admin adm1n credentialDef.xml"
            sys.exit()
        restPost(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4])

Usage

    python UpdateCredential.py <AccelOps_IP> <user> <password> <credential xml file>

Example

    python UpdateCredential.py 172.16.20.210 "super/admin" "admin*1" AddCredential.xml

The Super user needs to be explicitly stated in organization/user format, for example "super/admin" instead of just "admin".
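The add/update organization and update credential endpoints above all use the same mechanism: an HTTP PUT of an XML body with Basic authentication, where 204 is the success reply. The following Python 3 client is an added example, not one of the product's sample scripts. It keeps the PUT method, text/xml Content-Type, organization/user login form and 204 handling from the scripts on this page; the action names add_org/update_org/update_credential, the verifying TLS context (the appliance certificate is assumed to be trusted or supplied via cafile) and reading the password interactively are this example's own choices.

```python
"""Python 3 client for the REST PUT endpoints described above.
Added example, not an AccelOps/FortiSIEM script; assumes the appliance's
TLS certificate is trusted by the client (or is passed via cafile)."""
import base64
import getpass
import ssl
import sys
import urllib.error
import urllib.request

# Endpoint paths as given in the API parameter tables on this page
ENDPOINTS = {
    "add_org": "/phoenix/rest/organization/add",
    "update_org": "/phoenix/rest/organization/update",
    "update_credential": "/phoenix/rest/deviceMon/updateCredential",
}


def basic_auth_header(user, password):
    """HTTP Basic value; `user` is in organization/user form, e.g. super/admin.
    b64encode (not the old encodestring) so no newline leaks into the header."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")
    return "Basic " + token


def build_request(app_server, action, user, password, xml_bytes):
    """Assemble the PUT request; nothing is sent yet."""
    url = "https://" + app_server + ENDPOINTS[action]
    req = urllib.request.Request(url, data=xml_bytes, method="PUT")
    req.add_header("Authorization", basic_auth_header(user, password))
    req.add_header("Content-Type", "text/xml")
    # Content-Length is derived from `data` by urllib; no manual header needed
    return req


def is_success(status):
    """204 is the documented 'no content' success reply; 200 also counts."""
    return status in (200, 204)


def send(req, cafile=None):
    """Send the request over a certificate-verifying TLS context; return the HTTP status."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    if len(sys.argv) != 5 or sys.argv[2] not in ENDPOINTS:
        print("Usage: python client.py <AccelOps_IP> <add_org|update_org|update_credential> <org/user> <xmlFile>")
        sys.exit(1)
    server, action, user, path = sys.argv[1:]
    password = getpass.getpass("Password: ")  # keep the secret off the command line
    with open(path, "rb") as f:
        body = f.read()
    status = send(build_request(server, action, user, password, body))
    print("HTTP", status, "OK" if is_success(status) else "FAILED")
```

Unlike the page's scripts, the password is prompted for rather than passed as an argument, so it does not end up in shell history or process listings, and urlopen is given a default SSL context so the server certificate is actually checked before credentials are sent.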

 

 

FortiSIEM Availability Related Rules and Reports

Availability Related Rules and Reports
AccelOps Availability Rules

System component issues

System Collector Down: Detects that collector is down

System Collector Event Delayed: Detects that collector has not sent an event to AccelOps cloud for more than 10 minutes

System Worker Down: Detects that system worker is down

License Issues

System License Warning: High Event Rate: Detects that the system is receiving events at a rate that is higher than the license limit.

Events beyond the license limit would be dropped unless the license is upgraded

System License Warning: High Config Items: Detects that the number of CMDB configuration items is close to the license limit. Additional configuration items would not be stored unless the license is upgraded.

Notification issues

Scheduled Report Send Error: Detects that system has failed to deliver a scheduled report

Incident Notification Error: Detects that system has failed to take notification action on an incident

Large Supervisor JMS Request Queue: Detects that Supervisor JMS Request queue is very large

Large Supervisor JMS System Queue: Detects that Supervisor JMS System queue is very large

Data collection errors

WMI Service Unavailable: Detects that WMI service is unavailable

SNMP Service Unavailable: Detects that SNMP service is unavailable

Performance Monitoring Error: Detects that the system failed to monitor a performance monitoring metric

No Events Reported In Last Hour: Detects that a reporting device that reported events (logs etc) in the last hour did not report any events this hour. This does not include monitoring events (like CPU, Memory etc). This indicates that there is a problem in the network or at the reporting device.

Large Worker Input Event Queue: Detects that Worker input event queue is very large (greater than 100MB). This indicates that the workers are falling behind in handling events and cannot keep pace with the rate at which workers are sending events. Consider adding more workers or adding resources to workers.

Large Worker Input SVN Queue: Detects that Worker input SVN queue is very large (greater than 100MB). This indicates that the workers are falling behind in handling SVN files from collectors or from the parser modules. Check the SVN installation.

Event Storage/Archiving/Purging issues

FortiSIEM Security Related Rules and Reports

Security Related Rules and Reports
Security Rules

Access Control Violations

Network Scanning Activity

Malware

Explicit Security Exploits

Policy Violations

Security Reports

Access Control Reports

Malware Reports

Other Security Issues

Network Traffic Analysis

Access Control Violations

Network Device Access

Multiple Admin Login Failures: Net Device: Detects excessive logon failures at a network device – 5 consecutive failures in a 10 minute period.

Repeated Admin Multiple Login Failures: Net Device: Detects repeating occurrences of multiple logon failures at a network device

Account Locked: Network Device: Detects account lockout caused by excessive logon failures

Server Access

Multiple Logon Failures: Server: Detects excessive logon failures at a server – 5 consecutive failures in a 10 minute period

Repeated Multiple Logon Failures: Server: Detects repeating occurrences of multiple logon failures at a server from the same user.

Multiple Privileged Logon Failures: Server: Detects excessive privileged logon failures at a server – 3 consecutive failures in a 10 minute period

Account Locked: Server: Detects account lockout caused by excessive logon failures

Network Access

Multiple Logon Failures: Domain: Detects multiple domain logon failures – 5 consecutive failures in a 10 minute period

Repeated Multiple Logon Failures: Domain: Detects repeating occurrences of multiple domain logon failures

Multiple Logon Failures: VPN: Detects multiple VPN logon failures – 5 consecutive failures in a 10 minute period

Repeated Multiple Logon Failures: VPN: Detects repeating occurrences of excessive VPN logon failures

Multiple Logon Failures: WLAN Detects multiple Wireless logon failures – 5 consecutive failures in a 10 minute period

Repeated Multiple Logon Failures: WLAN: Detects repeating occurrences of excessive wireless LAN logon failures

Account Locked: Domain: Detects account lockout caused by excessive logon failures

Application Access

Multiple Logon Failures: Web Server: Detects excessive application logon failures – 5 consecutive failures in a 10 minute period. Application logons include those that require authentication to access the application, such as HTTP, SNMP, FTP, POP3, IMAP etc.

Repeated Multiple Logon Failures: Web Server: Detects repeating occurrences of multiple application logon failures

Multiple Logon Failures: Database: Detects excessive database logon failures – 5 consecutive failures in a 10 minute period.

Repeated Multiple Logon Failures: Database: Detects repeating occurrences of multiple application logon failures

Multiple Logon Failures: Misc App: Detects excessive application logon failures – 5 consecutive failures in a 10 minute period. Application logons include those that require authentication to access the application, such as HTTP, SNMP, FTP, POP3, IMAP etc.

Repeated Multiple Logon Failures: Misc App: Detects repeating occurrences of multiple application logon failures

Special situations

Privileged Command Execution Failure: Detects excessive privileged command execution (e.g. sudo exec) failure at a server

Disabled Account Logon Attempt: Detects logon attempts to disabled accounts

Logon Time Restriction Violation: Detects logon attempts at times which are not permitted by policy

Multiple Logon Failures: Same Src, Multiple Hosts: Detects the same source having excessive logon failures at distinct hosts

Multiple Logon Failures: Same Src and Dest, Multiple Accounts: Detects same source having excessive logon failures at the same destination host but multiple distinct accounts are used during the logon failure

Suspicious Logon Failure: no following successful login: Detects an unusual condition where a source has authentication failures at a host but that is not followed by a successful authentication at the same host within the same day

Failed VPN Logon From Outside My Country: Detects VPN logon from outside my country. My Country is set to “United States” and may need to be changed for outside United States

Concurrent Failed Authentications To Same Account  From Multiple Countries: Detects simultaneous failed server/network device/domain authentications to the same system and the same account from different countries. This may indicate stolen credentials unless it is an administrative account and is supposed to be accessed by administrators from multiple countries.

Concurrent Failed Authentications To Same Account From Multiple Cities: Detects simultaneous failed server/network device/domain authentications to the same system and the same account from different cities. This may indicate stolen credentials unless it is an administrative account and is supposed to be accessed by administrators from multiple cities.

Concurrent Successful Authentications To Same Account From Multiple Countries: Detects simultaneous successful server/network device/domain authentications to the same system and the same account from different countries. This may indicate stolen credentials unless it is an administrative account and is supposed to be accessed by administrators from multiple countries.

Concurrent Successful Authentications To Same Account From Multiple Cities: Detects simultaneous successful server/network device/domain authentications to the same system and the same account from different cities. This may indicate stolen credentials unless it is an administrative account and is supposed to be accessed by administrators from multiple cities.

Concurrent VPN Authentications To Same Account From Different Cities: Detects simultaneous VPN authentications to the same account within a short period of time from different cities. This may indicate a stolen credential.

Suspicious logon attempt detected: Detects suspicious logon attempts that indicate policy violations, e.g. root logon to database servers, default passwords, attempts to bypass authentication, root logon over unencrypted protocols such as Telnet, ftp, anonymous logons etc.

Transient Account Usage: Detects that an account was created, used and then deleted within a short period of time

Multiple Accounts Disabled by Administrator: Detects that multiple (more than 3) accounts were disabled by administrator in a short period of time

Network Scanning Activity

Heavy TCP Host Scan: Detects excessive half-open TCP sessions from the same source to many distinct destinations in a short period of time. The threshold is 200 flows within 3 minutes. Scanning may be a precursor to exploits. However, network management and mapping tools often scan the network for discovery purposes and authorized scanners need to be blacklisted. P2P clients also exhibit this behavior when they attempt to establish connections to (non-existent) peers.

Heavy TCP Host Scan On Fixed Port: Detects excessive half-open TCP sessions from the same source to many distinct destinations and on the same destination port in a short period of time. The threshold is 200 flows within 3 minutes. A fixed destination port may indicate that the scanning host is attempting to find hosts on a well known port (with a vulnerability). Scanning may be a precursor to exploits. However, network management and mapping tools often scan the network for discovery purposes and authorized scanners need to be blacklisted. P2P clients also exhibit this behavior when they attempt to establish connections to (non-existent) peers.

Heavy TCP Port Scan: Single Host: Detects a host performing a port scan – this involves excessive half open TCP connections from the same source to many distinct ports on a host in a short period of time. The thresholds are at least 20 distinct ports in a 2 minute window

Heavy TCP Port Scan: Multiple Hosts: Detects that a source is doing port scans on multiple hosts. The thresholds are port scans on at least 5 hosts in 15 minute window

Heavy UDP Host Scan: Detects excessive number of UDP connections from the same source to many distinct destinations in a short period of time. The threshold is 200 flows within 3 minutes. Scanning may be a precursor to exploits. However, network management and mapping tools often scan the network for discovery purposes and authorized scanners need to be blacklisted. P2P clients also exhibit this behavior when they attempt to establish connections to (non-existent) peers.

Heavy UDP Host Scan On Fixed Port: Detects excessive number of UDP connections from the same source to many distinct destinations and on the same destination port in a short period of time. The threshold is 200 flows within 3 minutes. A fixed destination port may indicate that the scanning host is attempting to find hosts on a well known port (with a vulnerability). Scanning may be a precursor to exploits. However, network management and mapping tools often scan the network for discovery purposes and authorized scanners need to be blacklisted. P2P clients also exhibit this behavior when they attempt to establish connections to (non-existent) peers.

Heavy UDP Port Scan: Single Host: Detects excessive UDP connections from the same source to many distinct ports on the same destination in a short period of time

Heavy UDP Port Scan: Multiple Hosts: Detects that a source is doing UDP port scans on multiple hosts. The thresholds are port scans on at least 5 hosts in 15 minute window

Heavy ICMP Ping sweep: Detects excessive number of ICMP echo request packets from the same source to many distinct destinations in a short period of time. The Nachi worm exploited pings to spread. The threshold is 50 pings within 3 minutes. Scanning may be a precursor to exploits. However, network management and mapping tools often scan the network for discovery purposes and authorized scanners need to be blacklisted.

Excessive ICMP Unreachables: Detects an unusually high frequency of ICMP destination unreachable packets between the same source and destination – this indicates a routing error

TCP DDOS Attack: Detects excessive number of half-open TCP connections from many distinct sources to the same destination host and on the same port in a short period of time. This may indicate that the destination server is under some sort of attack.

Excessive Denied Connections From Same Src: Detects excessive denies from the same source to many distinct destinations on the same port in a short period of time. The intent could be malicious or some sort of misconfiguration.

Excessive Denied Connections To Same Destination: Detects excessive denies from many distinct sources to the same destination on the same destination port

Multiple IPS Scans From Same Src: Detects multiple IPS scans from the same source IP in a short period of time.

Invalid TCP/UDP Port Traffic: Detects invalid TCP/UDP traffic with 0 port

Invalid TCP Flags – Medium Intensity: Detects moderate (e.g. 100 or more flows in 5 minutes) amount of traffic with invalid TCP flag combinations (NULL, FIN, SYN-FIN, SYN-FIN-PUSH, SYN-FIN-RESET, SYN-FIN-RESET-PUSH, SYN-FIN-RESET-PUSH-ACK-URG) – may indicate scanning and probing activity from the sender

Invalid TCP Flags – High Intensity: Detects excessive (e.g. 500 or more flows in 5 minutes) amount of traffic with invalid TCP flag combinations (FIN, SYN-FIN, SYN-FIN-PUSH, SYN-FIN-RESET, SYN-FIN-RESET-PUSH,SYN-FIN-RESET-PUSH-ACK-URG) – may indicate scanning and probing activity from the sender

Excessive ICMP Traffic From Same Source: Detects excessive (e.g. more than 5000 in 5 minutes) ICMP traffic from the same source
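Most of the rules in the Access Control Violations and Network Scanning Activity lists above share one shape: count events (or distinct values) per grouping key inside a time window and fire at a threshold, such as Multiple Logon Failures: Server (5 failures in a 10 minute period) and Heavy TCP Port Scan: Single Host (at least 20 distinct ports in a 2 minute window). The following sliding-window evaluator is an added example, not FortiSIEM's rule engine: the thresholds are the ones stated above, but the event field names, the grouping by source and destination, and the sample events are all constructed assumptions for illustration.

```python
"""Sliding-window threshold detection in the style of the rules above.
Added example, not FortiSIEM code: field names, grouping keys and the
sample events are assumptions constructed for illustration."""
from collections import defaultdict, deque


class WindowRule:
    """Fire once when, for one grouping key, at least `threshold` matching
    events (or distinct values of `distinct_field`) fall inside `window` seconds."""

    def __init__(self, name, event_type, group_by, threshold, window, distinct_field=None):
        self.name = name
        self.event_type = event_type
        self.group_by = group_by
        self.threshold = threshold
        self.window = window
        self.distinct_field = distinct_field
        self._buckets = defaultdict(deque)  # key -> deque of (ts, distinct value)

    def feed(self, event):
        """Return an incident dict if this event completes a burst, else None."""
        if event["type"] != self.event_type:
            return None
        key = tuple(event[f] for f in self.group_by)
        bucket = self._buckets[key]
        bucket.append((event["ts"], event.get(self.distinct_field)))
        # Expire entries older than the window (events are fed in time order)
        while bucket and event["ts"] - bucket[0][0] > self.window:
            bucket.popleft()
        if self.distinct_field:
            count = len({v for _, v in bucket})
        else:
            count = len(bucket)
        if count >= self.threshold:
            bucket.clear()  # one burst -> one incident; a new burst must re-accumulate
            return {"rule": self.name, "key": key, "count": count, "ts": event["ts"]}
        return None


def run(rules, events):
    """Feed time-ordered events through every rule; collect incidents."""
    incidents = []
    for event in sorted(events, key=lambda e: e["ts"]):
        for rule in rules:
            hit = rule.feed(event)
            if hit:
                incidents.append(hit)
    return incidents


def build_rules():
    # Thresholds are the ones the rule descriptions state; grouping by (src, dst) is assumed.
    return [
        WindowRule("Multiple Logon Failures: Server", "logon_failure",
                   group_by=("src", "dst"), threshold=5, window=600),
        WindowRule("Heavy TCP Port Scan: Single Host", "flow",
                   group_by=("src", "dst"), threshold=20, window=120,
                   distinct_field="dport"),
    ]


def sample_events():
    """Constructed events: one logon-failure burst, one slow trickle that must
    not fire, and one port scan."""
    events = []
    # 6 failures in 5 minutes from 10.0.0.5 -> srv1: should fire at the 5th
    for i in range(6):
        events.append({"type": "logon_failure", "ts": i * 60, "src": "10.0.0.5", "dst": "srv1"})
    # 5 failures spread over 20 minutes from 10.0.0.7: never 5 inside 10 minutes
    for i in range(5):
        events.append({"type": "logon_failure", "ts": i * 300, "src": "10.0.0.7", "dst": "srv1"})
    # 25 half-open flows to 25 distinct ports within 25 seconds: fires at the 20th port
    for i in range(25):
        events.append({"type": "flow", "ts": 2000 + i, "src": "10.0.0.9",
                       "dst": "10.0.1.2", "dport": 1000 + i})
    return events


def run_demo():
    return run(build_rules(), sample_events())


if __name__ == "__main__":
    for inc in run_demo():
        print(inc)
```

The slow trickle from 10.0.0.7 shows why the window matters: five failures do occur, but never five within ten minutes, so no incident is raised. Clearing the bucket on a hit is what keeps one burst from producing an incident on every subsequent event, which is the same reason the catalogue has separate "Repeated Multiple Logon Failures" rules for recurring bursts.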

 

Malware

Source: Antivirus, Security gateway, Host IPS, Network IPS, Firewall Log

Virus outbreak: Detects potential virus outbreak – same virus found on three distinct computers/IP addresses

Virus found but not remediated: Detects that host anti-virus or content inspection devices found a virus but could not remediate it

Spyware found but not remediated: Detects that host anti-virus or content inspection devices found a spyware but could not remediate it

Spam/Malicious Mail Attachment found but not remediated:

Scanner found severe vulnerability:

Rootkit found:

Phishing attack found but not remediated:

Malware found but not remediated:

Denied Blacklisted Source:

Denied Blacklisted Destination:

Multiple Distinct IPS Events From Same Src:

Permitted Blacklisted Source:

Permitted Blacklisted Destination:

Source: External threat intelligence

Traffic to Zeus Blocked IP List:

Traffic to Emerging Threat Spamhaus List:

Traffic to Emerging Threat Shadow server List:

Traffic to Emerging Threat RBN List:

Traffic to Emerging Threat Dshield List:

Permitted traffic from Emerging Threat Spamhaus List:

Permitted Traffic from Zeus Blocked IP List:

Permitted Traffic from Emerging Threat Shadow server List:

Permitted Traffic from Emerging Threat RBN List:

Permitted Traffic from Emerging Threat Dshield List:

DNS Traffic to Malware Domains:

Adware process found:

Traffic to bogon networks:

Source: Network Traffic Analysis

Excessive End User Mail: Detects a scenario where a host, that is itself not an authorized mail gateway, is sending excessive emails (more than 20 emails in 2 minutes). This behavior may indicate malware running on an end host that is trying to send spam or privileged information to its own set of mail servers (which may be compromised).

Excessive Denied End User Mail To Unauthorized Mail Gateways: Detects a scenario where a host, that is itself not an authorized mail gateway, is unsuccessfully trying to send excessive emails to unauthorized mail gateways. Authorized mail gateways are represented by the "Mail Gateway" group. Such requests would be typically denied because, either the firewall would block SMTP from end hosts and/or mail gateways only receive mail from other authorized mail gateways. This behavior may indicate malware running on an end host that is trying to send spam or privileged information to its own set of mail servers (which may be compromised).

End User DNS Queries to Unauthorized DNS Servers: Detects a scenario where a host, that is itself not a DNS server, is trying to send DNS requests to unauthorized DNS servers. Authorized DNS servers are represented by the "DNS Server" group. In a typical scenario, end hosts always send DNS requests to authorized DNS servers which in turn communicate to other DNS servers – so this behavior may indicate malware running on the end host.

Excessive End User DNS Queries: Detects a scenario where a host, that is itself not a DNS server, is sending excessive DNS requests. Authorized DNS servers are represented by the "DNS Server" group. In a typical scenario, the frequency of end host DNS requests is not high unless there is a script running – this might indicate the presence of malware on the end host.

Excessive Denied DNS Queries: Detects a scenario where a host, has a very high frequency of denied DNS traffic.

Excessive Uncommon DNS Queries: Detects the same host that is not a DNS server, doing an excessive amount of uncommon domain name queries – this indicates the host is likely infected with malware. An end host typically needs to perform only A and PTR queries; any other query indicates the likely presence of malware.

Excessive Repeated DNS Queries To Same Domain: Detects an unusually high frequency of DNS name resolution queries from the same host to the same domain name in a short period of time. This is not expected behavior since, in a typical scenario, the domain name resolution is cached at the end point. Repeated queries indicate that a special DNS client is likely running at the end host that is trying to make use of fast flux techniques to get back many infected hosts behind a crafted domain name.

Excessive Malware Domain Name Queries: Detects bad domain name queries which indicate malware infected end hosts.

 

Suspicious Botnet like End host DNS Behavior: Detects an end host meeting at least 3 requirements for suspicious use of DNS requests – this indicates that a bot is likely running on the end host

Unusually Large ICMP Echo Packets: Detects large (> 200 bytes/pkt) ICMP echo request and response packets – this is unusual since ICMP packets carry minimal information and are small in size. This may indicate that some other traffic is being carried over the ICMP protocol.

Unusual ICMP Traffic:

Explicit Security Issues

SQL Injection Attack detected by NIPS:

High Severity Non-Cisco IPS Exploit:

High Severity Inbound Permitted IPS Exploit:

High Severity Inbound Denied Security Exploit:

High Risk Rating Cisco IPS Exploit:

Excessive WLAN Exploits: Same Source:

Excessive WLAN Exploits:

DoS Attack detected by NIPS:

Distributed DoS Attack detected by NIPS:

Layer 2 Switch Port Security Violation:

Policy violations

Firewall Perimeter Policy

Outbound cleartext password usage detected:

Inbound cleartext password usage detected:

VNC from Internet:

Remote Desktop from Internet:

Large Outbound Transfer:

Large Outbound Transfer To Outside My Country:

Large Inbound Transfer From Outside My Country:

External website access policy

Inappropriate Website access: Multiple categories:

Inappropriate Website access: High volume:

Inappropriate Website access:

Internal website access policy

Executable file posting from external source:

Excessive HTTP Client Side Errors:

Excessive FTP Client Side Errors:

Change control policy

Windows Audit Log Cleared:

Windows Audit Disabled:

WLAN policy

Rogue or Unsecure AP Detected:

Excessive Rogue or Unsecure APs Detected:

Wireless Host Blacklisted:

VPN policy

Long lasting VPN session:

High throughput  VPN session:

Suspicious Traffic

Tunneled traffic detected:

IRC traffic detected:

P2P traffic consuming high network bandwidth:

 

Access Control Reports

Network Device Access

Failed Router Admin Logons: Details about failed router administrative logons

Successful Router Admin Logons: Details about successful router administrative logons

Failed Firewall Admin Logons: Details about failed firewall administrative logons

Successful Firewall Admin Logons: Details about successful firewall administrative logons

Failed VPN Admin Logon: Provides event details for all failed VPN admin logons

Successful VPN Admin Logon: Provides event details for all successful VPN admin logons

Successful WLAN Admin Logon: Tracks successful admin logons to the WLAN Controller

Failed WLAN Admin Logon: Tracks failed admin logons to the WLAN Controller

Network Access

Top Users Ranked By Successful VPN Logon: Ranks the VPN Gateways and their users by the number of successful VPN logons.

Top VPN Gateways Ranked By Distinct Users: Ranks the VPN Gateways by the total number of distinct user logons

Top VPN Users Ranked By Failed VPN Logons: Ranks the VPN Gateways and their users by the number of failed VPN logons.

Wireless Logon Failure Details: Provides details of wireless logon authentication failures

Top Wireless Controllers, Users By Failed Logon Count: Ranks wireless controllers by the total number of failed logons

Top Windows Domain Controllers, Users By Successful Domain Authentication Count: Ranks the Windows Domain Controllers and their users by the number of successful domain authentications

Top Windows Domain Controllers, Users By Failed Domain Authentication Count: Ranks the Windows Domain Controllers and the users by the number of failed authentications

Windows Domain Account Lockouts: Details windows domain account lockouts

Remote Desktop Connections to Domain Controller: Details successful remote desktop connections

Privileged Domain Controller Logon Attempts using the Administrator Account: Ranks the windows servers and their users by the number of failed logons using the administrator account

Failed Authentication Server Logons: Captures failed AAA Server Logons

Successful Authentication Server Logons: Captures successful AAA Server Logons

Server Access

Top Unix Servers, Users By Successful Logon Count: This report ranks the UNIX servers and their users by successful logon count

Top Unix Servers, Users By Failed Logon Count: This report ranks the UNIX servers and their users by failed logon count

Top Unix Servers, Users By Successful Privilege Escalation Count: This report ranks the UNIX servers and their users by successful privilege escalations (su) count

Top Unix Servers, Users By Failed Privilege Escalation Count: This report ranks the UNIX servers and their users by failed privilege escalations (su) count

Top Windows Servers, Users By Successful Logon Count: Ranks the Windows Servers and their users by the number of successful logons

Top Windows Servers, Users By Failed Logon Count: Ranks the Windows Servers and the users by the number of failed authentications

Windows Server Account Lockouts: Details windows server lockouts

Windows Server Account Unlocks: Captures account unlocks on windows servers. Account unlocks happen after lockouts that may happen on repeated login failures

Remote Desktop Connections to Windows Servers: Details successful remote desktop connections

Privileged Server Logon Attempts using the Administrator Account: Ranks the windows servers and their users by the number of failed logons using the administrator account

Application Access

Top FTP Clients By Unauthorized Access Error Count: Ranks FTP servers and their clients by the total number of unauthorized access error count

Top Web Visitors By Unauthorized Access Error Count: Ranks web servers and visitors by the total number of unauthorized access error count

Top Users By Successful Database Server Logons: Ranks database users by the number of successful logons

Top Users By Failed Database Server Logons: Ranks database users by the number of failed logons

Malware Reports

Virus found and remediated: Captures events that indicate viruses found and remediated – the events could be from Host Anti-virus or Network Security Gateways

Virus found but not remediated: Captures events that indicate viruses found but failed to remedy – the events could be from Host Anti-virus or Network Security Gateways

Spyware found and remediated: Captures events that indicate spyware was found and remediated on a host – the events could be from Host Anti-virus or Network Security Gateways

Spyware found but not remediated: Captures events that indicate spyware was found but the detecting software failed to remediate the vulnerability – the events could be from Host Anti-virus or Network Security Gateways

Spam/Malicious Mail Attachment found and remediated: Captures events that indicate spam or malicious mail attachments were found and remediated on a host – the events could be from Host Anti-virus or Network Security Gateways

Spam/Malicious Mail Attachment found but not remediated: Captures events that indicate spyware was found but the detecting software did not remediate the vulnerability

Phishing attempt found and remediated: Captures events that indicate a phishing attempt

Top IPs with Malware Found By Antivirus and Security Gateways: Tracks IP addresses with Malware as found by Host Anti-virus and Security Gateways

Top Computers with Malware Found By Antivirus and Security Gateways: Tracks computers with Malware as found by Host Anti-virus and Security Gateways

Top IPs with Malware Found By IPS and Firewalls: Tracks IP addresses with Malware as found by IPS – these are somewhat less reliable than Host Anti-virus and Security Gateways

Top IPs with Malware Found By Security Gateways: Tracks IP addresses with Malware as found by Security Gateways

Non-compliant Hosts and Security Software License Expirations: Tracks non-compliant hosts and license expiry events from Security Management Gateways and Firewalls. Non-compliant hosts may not have proper security software running and therefore may pose a security threat. License expiration of security software may expose exploitable security vulnerabilities.

Host Vulnerabilities discovered: Tracks vulnerabilities discovered on a host

Other Security Issues

Top Network IPS events By Severity, Count: Ranks the network IPS events by count

Top Network Scanners By Event Count: Ranks the source IP addresses by detected network scan or reconnaissance events

Top Blocked Network Attacks By Count: Ranks the network attacks blocked by network IPS

Rogue APs detected: Lists the rogue APs

Rogue AP Detection Details: Provides details of rogue AP events

Top WLAN IDS Alerts: Ranks WLAN IDS alerts

Multiple Distinct IPS Events From Same Src: Detects multiple IPS events from the same source IP in a short period of time – the source IP may have been infected

Multiple IPS Scans From Same Src: Detects multiple IPS scans from the same source IP in a short period of time.

High Risk Rating Cisco IPS Exploit: Detects a high risk rating IPS exploit event. This is applicable for Cisco IPS.

High Severity IPS Exploit: Detects a high severity IPS exploit event reported by a non-Cisco IPS

High Severity Security Exploit: Detects a high severity security exploit event reported by non-IPS devices
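The two correlation reports above ("Multiple Distinct IPS Events From Same Src" and "Multiple IPS Scans From Same Src") describe a per-source sliding window: alert when one source accumulates either several different IPS signatures or several scan events within a short period. The Python below is an added example of that logic and is not FortiSIEM code; the event tuples, their field layout, the five-minute window and the thresholds are constructed assumptions for illustration.

```python
"""Added example: sliding-window correlation behind the 'Multiple Distinct IPS
Events From Same Src' and 'Multiple IPS Scans From Same Src' reports.
The event tuples are constructed for this example; they are not FortiSIEM output."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source IP, event class, IPS signature).
# The field layout and the values are assumptions for this example.
SAMPLE_EVENTS = [
    ("2024-03-01T10:00:00", "10.1.1.5", "exploit", "HTTP.Directory.Traversal"),
    ("2024-03-01T10:00:30", "10.1.1.5", "exploit", "SMB.Null.Session"),
    ("2024-03-01T10:01:10", "10.1.1.5", "exploit", "SSH.Brute.Force"),
    ("2024-03-01T10:01:40", "10.1.1.5", "exploit", "HTTP.Directory.Traversal"),
    ("2024-03-01T10:00:05", "10.1.1.9", "scan", "TCP.SYN.Scan"),
    ("2024-03-01T10:00:20", "10.1.1.9", "scan", "TCP.SYN.Scan"),
    ("2024-03-01T10:00:50", "10.1.1.9", "scan", "UDP.Port.Scan"),
    ("2024-03-01T10:00:00", "10.1.1.20", "exploit", "DNS.Cache.Poison"),
    ("2024-03-01T11:00:00", "10.1.1.20", "exploit", "SMB.Null.Session"),
    ("2024-03-01T12:00:00", "10.1.1.20", "exploit", "SSH.Brute.Force"),
]


def _windowed(events, event_class, window):
    """Yield (source, timestamp, events currently inside the window) for every
    event of event_class, in time order. One deque per source is trimmed so it
    only holds events no older than `window` relative to the newest one."""
    ordered = sorted(
        ((datetime.fromisoformat(ts), src, cls, sig) for ts, src, cls, sig in events),
        key=lambda e: e[0],
    )
    recent = defaultdict(deque)
    for ts, src, cls, sig in ordered:
        if cls != event_class:
            continue
        q = recent[src]
        q.append((ts, sig))
        while q and ts - q[0][0] > window:
            q.popleft()
        yield src, ts, q


def multiple_distinct_ips_events(events, window=timedelta(minutes=5), min_distinct=3):
    """'Multiple Distinct IPS Events From Same Src': a source that triggers
    min_distinct different IPS signatures inside one window may be infected.
    Returns {source_ip: time the threshold was first crossed}."""
    alerts = {}
    for src, ts, q in _windowed(events, "exploit", window):
        if src not in alerts and len({sig for _, sig in q}) >= min_distinct:
            alerts[src] = ts
    return alerts


def multiple_ips_scans(events, window=timedelta(minutes=5), min_count=3):
    """'Multiple IPS Scans From Same Src': min_count scan events from one source
    inside one window. Returns {source_ip: time the threshold was first crossed}."""
    alerts = {}
    for src, ts, q in _windowed(events, "scan", window):
        if src not in alerts and len(q) >= min_count:
            alerts[src] = ts
    return alerts


if __name__ == "__main__":
    for name, rule in (("distinct IPS events", multiple_distinct_ips_events),
                       ("IPS scans", multiple_ips_scans)):
        for src, ts in rule(SAMPLE_EVENTS).items():
            print(f"{name}: {src} crossed the threshold at {ts.isoformat()}")
```

Note that 10.1.1.20 triggers three distinct signatures but an hour apart, so it never alerts: the window, not the raw count, is what separates a noisy but benign host from one that is being worked over.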

Network Traffic Analysis

Top Conversations By Bytes: Ranks the top conversations by total bytes. A conversation includes Source IP, Destination IP, Protocol and Destination Port.

Top Conversations By Bytes: Detailed View: Ranks the top conversations by total bytes but also provides sent bytes and received bytes as additional information. A conversation includes Source IP, Destination IP, Protocol and Destination Port.

Top Source IPs By Bytes: Ranks the top source IPs by bytes

Top Source IPs By Bytes: Detailed View: Ranks the top source IPs and destination ports by bytes

Top Destination IPs By Bytes: Ranks the top destination IPs by bytes

Top Destination IPs By Bytes: Detailed View: Ranks the top destination IPs and ports by bytes

Top Protocols By Bytes: Ranks the top protocols and destination ports by bytes

Top Protocols By Bytes: Detailed View: Ranks the top protocols and destination ports by bytes

Top Router Link Usage By Bytes: Ranks the top router link usage by bytes

 

FortiSIEM Application Performance Reports

Application Performance Reports

Performance: Top Oracle Database servers by buffer cache hit ratio: Ranks the Oracle database servers by buffer cache hit ratio and presents other metrics

Performance: Top Oracle Database servers by table space usage: Ranks the Oracle databases by table space usage

Performance: Top MS SQL Database servers by buffer cache hit ratio: Ranks the MS SQL Servers by buffer cache hit ratio and presents other metrics

Performance: Top MS SQL Database servers by space usage: Ranks the MS SQL Servers by space usage

FortiSIEM Performance related Reports

Performance related

Network Performance Rules

 

Network Performance Reports

Top Routers Ranked By CPU Utilization: Ranks the routers by average cpu utilization over a window

Top Router Network Intf By Util, Error, Discards: Ranks the routers and their network interfaces by first average inbound and then by outbound interface utilization. The utilization is computed by accounting for the link bandwidth.

Top Routers By Memory Utilization: Ranks the routers by average memory utilization over a window

Top Firewalls By CPU Utilization: Ranks the firewalls by average cpu utilization over a window

Top Firewalls By Connection Count: Ranks the firewalls by average connection count over a window. The ratio of the connection count to the max connection count since startup is also provided. If the ratio is close to 1 and the firewall has been up for a long time, the firewall is busy in terms of firewalled connections.

Top Firewall Network Intf By Util, Error, Discards: Ranks the firewalls and their network interfaces by first average inbound and then by outbound interface utilization. The utilization is computed by accounting for the link bandwidth.

Top Firewalls By Memory Utilization: Ranks the firewalls by average memory utilization over a window

Server Performance Rules

 

Server Performance Reports

Top Windows Servers By CPU Util: Ranks the windows servers by average cpu utilization over a window

Top Windows Servers By Memory Util and swap rate: Ranks the devices by average memory utilization and swap rate

Least Loaded Windows Servers By CPU Util: Ranks the windows servers by average cpu utilization over a window, least loaded first

Top Windows Servers By Disk I/O Activity: Ranks the windows servers by average disk I/O utilization over a window. This requires WMI.

Top Windows Servers By Disk Space Util: Ranks the devices by average system disk utilization over a window

Top Unix Devices By CPU Util: Ranks the devices by average cpu utilization

Top Unix Devices By Memory Util and Swap Rate: Ranks the unix devices by average memory utilization over a window and provides details of memory utilization components such as buffered and cached memory

Top Unix Devices By Disk Space Util: Ranks the devices by average system disk utilization over a window

Top Unix Servers By Disk I/O Activity: Ranks the unix servers by average disk I/O utilization over a window

Virtualization Performance Rules

 

Virtualization Performance Reports

VM level

Performance: Top VMs By CPU Utilization: This report ranks virtual machines by cpu utilization

Performance: Top VMs By CPU Utilization With Details: This report ranks virtual machines by cpu utilization. Other CPU usage metrics are included.

Performance: Top VMs By CPU Ready Pct: This report ranks virtual machines by cpu ready percent. A high number indicates the VM is starved of CPU

Performance: Least utilized VMs By CPU: This report ranks virtual machines in ascending order of cpu utilization, least utilized first

Performance: Top VMs By Memory Utilization With Details: This report ranks virtual machines by memory utilization. Other memory usage metrics are included.

Performance: Top VMs By Swap Activity: This report ranks virtual machines by swapping activity

Performance: Top VMs By Memory Utilization: This report ranks virtual machines by memory utilization

Performance: Top VMs By Disk I/O Activity With Details: This report ranks virtual machines by disk I/O activity. Other disk I/O usage metrics are included.

Performance: Top VMs By Disk I/O Read Latency: This report ranks virtual machines by disk I/O read latency

Performance: Top VMs By Disk I/O Write Latency: This report ranks virtual machines by disk I/O write latency

Performance: Top VMs By Disk I/O Read Volume (MBps): This report ranks virtual machines by disk I/O read (MBps)

Performance: Top VMs By Disk I/O Write Volume (MBps): This report ranks virtual machines by disk I/O writes (MBps)

 

Performance: Top VMs By Datastore I/O Activity With Details: This report ranks virtual machines by datastore I/O activity. Other datastore I/O usage metrics are included.

Performance: Top VMs By Datastore I/O Read Latency: This report ranks virtual machines by datastore I/O read latency

Performance: Top VMs By Datastore I/O Write Latency: This report ranks virtual machines by datastore I/O write latency

Performance: Top VMs By Datastore I/O Read Volume (MBps): This report ranks virtual machines by datastore I/O read (MBps)

Performance: Top VMs By Datastore I/O Write Volume (MBps): This report ranks virtual machines by datastore I/O writes (MBps)

ESX level

Performance: Top ESX Hosts By CPU Utilization: This report ranks ESX hosts by aggregate cpu utilization. Other CPU usage metrics are included.

Performance: Top ESX Hosts By Memory Utilization With Details: This report ranks ESX hosts by memory utilization. Other memory usage metrics are included.

Performance: Top ESX Hosts By Memory Utilization: This report ranks ESX hosts by memory utilization.

Performance: Top ESX Hosts By Swap Activity: This report ranks ESX hosts by swap activity

Performance: ESX Hosts With Ballooning Memory: This report identifies ESX hosts with memory low enough that the memory ballooning technique is used for memory management

Performance: ESX Hosts With Swapping Memory: This report identifies ESX hosts with low memory where swapping memory technique is used for memory management

Performance: Top ESX Hosts By Disk I/O Activity With Details: This report ranks ESX hosts by disk I/O operations. Other disk I/O usage metrics are included.

Performance: Top ESX Hosts By Disk I/O Read Volume (MBps): This report ranks ESX hosts by read disk I/O (MBps)

Performance: Top ESX Hosts By Disk I/O Write Volume (MBps): This report ranks ESX hosts by write disk I/O (MBps)

Performance: Top ESX Hosts By Disk I/O Latency With Details: This report ranks ESX hosts by disk I/O latency. Other disk I/O usage metrics are included.

Performance: Top ESX Hosts By Kernel Disk I/O Read Latency: This report ranks ESX hosts by kernel disk I/O read latency.

Performance: Top ESX Hosts By Kernel Disk I/O Write Latency: This report ranks ESX hosts by kernel disk I/O write latency.

Performance: Top ESX Hosts By Device Disk I/O Read Latency: This report ranks ESX hosts by device disk I/O read latency

Performance: Top ESX Hosts By Device Disk I/O Write Latency: This report ranks ESX hosts by device disk I/O write latency.

Performance: Top ESX Hosts By Network Activity With Details: This report ranks ESX hosts by network activity.

Performance: Top ESX Hosts By Inbound Network Utilization: This report ranks ESX hosts by inbound network utilization

Performance: Top ESX Hosts By Outbound Network Utilization: This report ranks ESX hosts by outbound network utilization

Performance: Datastores with Highest Utilization: This report ranks ESX hosts by datastore utilization

Performance: Datastores with Lowest Free Space: This report ranks ESX datastores with the lowest free space

Performance: Top ESX Hosts By Datastore I/O Activity With Details: This report ranks ESX hosts by datastore I/O operations. Other datastore I/O usage metrics are included.

Performance: Top ESX Hosts By Datastore I/O Read Volume (MBps): This report ranks ESX hosts by read datastore I/O (MBps)

Performance: Top ESX Hosts By Datastore I/O Write Volume (MBps): This report ranks ESX hosts by write datastore I/O (MBps)

Performance: Top ESX Hosts By Datastore I/O Latency With Details: This report ranks ESX hosts by datastore I/O latency. Other datastore I/O usage metrics are included.

Performance: Top ESX Hosts By Kernel Datastore I/O Read Latency: This report ranks ESX hosts by kernel datastore I/O read latency.

Performance: Top ESX Hosts By Kernel Datastore I/O Write Latency: This report ranks ESX hosts by kernel datastore I/O write latency.

Performance: Top ESX Hosts By Device Datastore I/O Read Latency: This report ranks ESX hosts by device datastore I/O read latency

Performance: Top ESX Hosts By Device Datastore I/O Write Latency: This report ranks ESX hosts by device datastore I/O write latency.

Cluster level

Performance: Top VMWare Clusters By CPU Utilization: This report ranks VMWare clusters by CPU utilization

Performance: Top VMWare Clusters By Memory Utilization: This report ranks VMWare clusters by memory utilization

Performance: Top VMWare Clusters By Device Datastore Read Latency: This report ranks VMWare clusters by datastore read latency

Performance: Top VMWare Clusters By Device Datastore Write Latency: This report ranks VMWare clusters by datastore write latency

Performance: Top VMWare Clusters By Datastore I/O Activity With Details: This report ranks VMWare clusters by datastore I/O operations. Other datastore I/O usage metrics are included.

Performance: Top VMWare Clusters By Datastore I/O Read Volume (MBps): This report ranks VMWare clusters by read datastore I/O (MBps)

Performance: Top VMWare Clusters By Datastore I/O Write Volume (MBps): This report ranks VMWare clusters by write datastore I/O (MBps)

Performance: Top VMWare Clusters By Datastore I/O Latency With Details: This report ranks VMWare clusters by datastore I/O latency. Other datastore I/O usage metrics are included.

Performance: Top VMWare Clusters By Kernel Datastore I/O Read Latency: This report ranks VMWare clusters by kernel datastore I/O read latency.

Performance: Top VMWare Clusters By Kernel Datastore I/O Write Latency: This report ranks VMWare clusters by kernel datastore I/O write latency.

Performance: Least Utilized VMWare Clusters By CPU: This report ranks least utilized VMWare clusters by CPU utilization

Performance: Least Utilized VMWare Clusters By Memory: This report ranks least utilized VMWare clusters by memory utilization

Performance: Least Utilized VMWare Clusters By Device Datastore Read Latency: This report ranks least utilized VMWare clusters by datastore read latency

Performance: Least Utilized VMWare Clusters By Device Datastore Write Latency: This report ranks least utilized VMWare clusters by datastore write latency

Performance: Least Utilized VMWare Clusters By Disk I/O Read Volume (MBps): This report ranks least utilized VMWare clusters by disk I/O read volume (MBps)

Performance: Least Utilized VMware Clusters By Disk I/O Write Volume (MBps): This report ranks least utilized VMWare clusters by disk I/O write volume (MBps)

Resource pool level

Performance: Top VMWare Resource Pools By CPU Utilization: This report ranks VMWare resource pools by CPU utilization

Performance: Top VMWare Resource Pools By Memory Utilization: This report ranks VMWare resource pools by memory utilization

FortiSIEM Compliance related Reports

Compliance related

PCI

COBIT

SOX

HIPAA

PCI

PCI 1.x: Top Reporting Firewalls By Event Count: Ranks the firewalls by the number of events sent

PCI 1.x: Firewall Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and hence is accurate.

PCI 1.x: Router Config Changes Detected From Log: This report provides details about router config changes

PCI 1.x: Router Run vs Startup Config Difference Via Login: This report captures detected differences between a routers running and startup config

PCI 1.x: Firewall Run vs Startup Config Difference Via Login: This report captures detected differences between a firewall’s running and startup config

PCI 1.x: Router/Switch Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and hence is accurate.

PCI 1.x: Router Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and hence is accurate.

PCI 1.x: Firewall Admin Activity Details: Provides details about firewall admin activity – logons, command executions and logoff

PCI 1.x: Router Admin Activity Details: Provides details about router admin activity – logons, command executions and logoff

PCI 1.x: Firewall NAT Translations: This report captures the NAT translations over a time window

PCI 1.x: Top Firewalls and Outbound Permitted Services By Connections, Bytes: Ranks firewalls and permitted outbound services by first the total number of connections and then by bytes for that service

PCI 1.x: Top Firewalls and Inbound Permitted Services By Connections, Bytes: Ranks firewalls and permitted inbound services by first the total number of connections and then by bytes for that service

PCI 1.x: Top Firewalls and Permitted High Port Services By Connections, Bytes: Tracks the high port services permitted by firewalls – these services may pose security risk

PCI 1.x: Top Firewalls and Permitted Uncommon Services By Connections, Bytes: Tracks uncommon services permitted by firewalls – common services include DNS, SMTP, Web

PCI 1.x: Top Firewalls and Permitted Vulnerable Low Port Services By Connections, Bytes: Tracks vulnerable low port services permitted by firewalls – vulnerable services include Microsoft services such as MS-RPC (135), NETBIOS-SSN (139), MICROSOFT-DS (445) and MS-SQL (1433,1434), as well as FTP (21) and TELNET (23)

PCI 1.x: Top Firewall Originated Or Destined Permitted Connections By Count: Ranks the firewall originated or destined connections – these connections would typically be for administrative and monitoring purposes

PCI 5.x: Top Reporting Security Management Servers:

PCI 1.x: Virus found but not remediated by Host Antivirus: Captures events that indicate the viruses that Host Antivirus found but failed to remedy

PCI 5.x: Spyware found but not remediated by Host Antivirus:

PCI 5.x: Top hosts with Malware found by Host Antivirus:

PCI 5.x: Top IPs with Malware Found By IPS and Firewalls: Tracks IP addresses with Malware as found by IPS

PCI 5.x: Top IPs with Malware Found By Antivirus and Security Gateways: Tracks IP addresses with Malware as found by Host Anti-virus and Security Gateways

PCI 5.x: Non-compliant Hosts and Security Software License Expirations: Tracks non-compliant hosts and license expiry events from Security Management Gateways and Firewalls. Non-compliant hosts may not have proper security software running and therefore may pose a security threat. License expiration of security software may expose exploitable security vulnerabilities.

PCI 8.x,10.x: Detailed Successful Login At PCI Device: Captures detailed successful logins at any device or application including servers, network devices, domain controllers, VPN gateways, WLAN controllers and applications

PCI 8.x: Windows Server Account Lockouts: This report captures account lockouts on windows servers. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation

PCI 8.x: Windows Domain Account Lockouts: This report details windows domain account lockouts

PCI 8.x: Windows Server Account Lock/Unlock history: Captures account lockouts and unlocks on windows servers. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.

PCI 8.x: Domain Account Lock/Unlock history: Captures account lockouts and unlocks on domain accounts. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.

PCI 8.x: Server Password Changes: Tracks password changes

PCI 8.x: Local Windows User Accounts Created: This report captures user accounts added on a server

PCI 8.x: Local Windows User Accounts Deleted: This report captures user accounts removed from a server

PCI 8.x: Local Windows User Accounts Modified: This report captures local user account modifications.

PCI 8.x: Users Added To Local Groups: This report captures users added to local groups.

PCI 8.x: Users Added To Global Groups: This report captures users added to global or universal groups.

PCI 8.x: Users Deleted From Local Groups: This report captures users deleted from local groups.

PCI 8.x: Users Deleted From Global Groups: This report captures users deleted from global or universal groups.

PCI 8.x: Local Windows Groups Deleted: This report captures local group deletions

PCI 8.x: Local Windows Groups Modified: This report captures local group modifications

PCI 8.x: Local Windows Groups Created: This report captures local group creations

PCI 8.x: Global Windows Groups Created: This report captures global group creations

PCI 8.x: Global Windows Groups Deleted: This report captures global group deletions

PCI 8.x: Global Windows Groups Modified: This report captures global group modifications

PCI 10.x: Detailed Failed Login At PCI System: Captures detailed failed logins at any device or application – servers, network devices, domain controllers, VPN gateways, WLAN controllers and applications

PCI 10.x: Privileged Windows Server Logon Attempts using the Administrator Account: This report details privileged logon attempts to a windows server using the Administrator account

PCI 10.x: Remote Desktop Connections to Windows Servers: This report details successful and failed remote desktop connections

PCI 10.x: Unix Server Privileged Logon: This report details UNIX server privileged logons (su) with all parsed parameters and raw logs

PCI 10.x: Unix Server Privileged Command Execution: This report details privileged command executions (sudo) at a Unix server

PCI 10.x: Successful Firewall Admin Logon Details: Details about successful firewall logons

PCI 10.x: Failed Firewall Admin Logon Details: Details about failed firewall logons

PCI 10.x: Successful Router Admin Logon Details: Details about successful router logons

PCI 10.x: Failed Router Admin Logon Details: Details about failed router logons

PCI 10.x: Successful VPN Admin Logon: Provides event details for all successful VPN admin logons

PCI 10.x: Failed VPN Admin Logon: Provides event details for all failed VPN admin logons

PCI 10.x: Successful WLAN Admin Logon: Tracks successful admin logons to the WLAN Controller

PCI 10.x: Failed WLAN Admin Logon: Tracks failed admin logons to the WLAN Controller

PCI 10.x: Network Device Down/Restart: Tracks network device down and restart events

PCI 10.x: Server Down/Restart: Tracks server down and restart events

PCI 10.x: Application Down/Restart: Tracks application stop and start events

PCI 10.x: Network Device Link Module Down/Up: Tracks network device miscellaneous module (e.g. fan, power etc.) down/up events

PCI 10.x: Network Device Errors: Tracks errors reported by network device
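The PCI 1.x permitted-service reports in this section (top firewalls and permitted outbound, inbound, high port, uncommon and vulnerable low port services, ranked first by connection count and then by bytes) are variants of one aggregation over firewall permit events. The Python below is an added example of that aggregation and is not FortiSIEM code; the connection records, the internal address ranges, the common-service set and the category rules are constructed assumptions for illustration, and the port table uses the well-known assignments (FTP 21, Telnet 23).

```python
"""Added example: the aggregation behind the 'PCI 1.x: Top Firewalls and
Permitted ... Services By Connections, Bytes' reports. Records, network ranges
and category rules are assumptions for this example, not FortiSIEM's own."""
import ipaddress
from collections import defaultdict

# Assumed internal address space (RFC 1918); a real deployment uses its own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "Common" services as the report describes them: DNS, SMTP, Web.
COMMON_SERVICES = {("udp", 53), ("tcp", 53), ("tcp", 25), ("tcp", 80), ("tcp", 443)}

# Vulnerable low-port services named by the report, keyed by (protocol, port).
VULNERABLE_LOW_PORT_SERVICES = {
    ("tcp", 21): "FTP", ("tcp", 23): "TELNET", ("tcp", 135): "MS-RPC",
    ("tcp", 139): "NETBIOS-SSN", ("tcp", 445): "MICROSOFT-DS",
    ("tcp", 1433): "MS-SQL", ("udp", 1434): "MS-SQL-M",
}


def _rec(fw, action, src, dst, proto, dport, nbytes):
    return {"fw": fw, "action": action, "src": src, "dst": dst,
            "proto": proto, "dport": dport, "bytes": nbytes}


# Constructed sample firewall connection records (not real FortiSIEM events).
SAMPLE_RECORDS = [
    _rec("fw-edge-1", "permit", "10.1.2.3", "203.0.113.10", "tcp", 443, 12000),
    _rec("fw-edge-1", "permit", "10.1.2.4", "203.0.113.10", "tcp", 443, 8000),
    _rec("fw-edge-1", "permit", "10.1.2.3", "203.0.113.20", "tcp", 23, 500),
    _rec("fw-edge-1", "permit", "198.51.100.7", "10.1.9.9", "tcp", 445, 90000),
    _rec("fw-edge-1", "permit", "198.51.100.8", "10.1.9.9", "tcp", 445, 1000),
    _rec("fw-edge-1", "deny", "198.51.100.9", "10.1.9.9", "tcp", 445, 0),
    _rec("fw-edge-2", "permit", "10.2.2.2", "203.0.113.30", "tcp", 8443, 4000),
    _rec("fw-edge-2", "permit", "10.2.2.2", "203.0.113.30", "udp", 53, 120),
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direction(src, dst):
    """Classify a connection as inbound, outbound, internal or external."""
    src_in, dst_in = is_internal(src), is_internal(dst)
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return "internal" if src_in else "external"


def categories(proto, dport):
    """Report categories a destination service falls into (possibly several, possibly none)."""
    key = (proto, dport)
    cats = set()
    if key in VULNERABLE_LOW_PORT_SERVICES:
        cats.add("vulnerable-low-port")
    if dport >= 1024:
        cats.add("high-port")
    if key not in COMMON_SERVICES:
        cats.add("uncommon")
    return cats


def rank_permitted_services(records, category=None, direction_filter=None):
    """Aggregate permitted connections per (firewall, direction, proto, dport) and
    rank by connection count first, then by bytes, as the reports describe.
    Returns a list of ((fw, direction, proto, dport), connections, bytes)."""
    totals = defaultdict(lambda: [0, 0])
    for r in records:
        if r["action"] != "permit":
            continue
        d = direction(r["src"], r["dst"])
        if direction_filter and d != direction_filter:
            continue
        if category and category not in categories(r["proto"], r["dport"]):
            continue
        key = (r["fw"], d, r["proto"], r["dport"])
        totals[key][0] += 1
        totals[key][1] += r["bytes"]
    return sorted(((k, c, b) for k, (c, b) in totals.items()),
                  key=lambda row: (-row[1], -row[2], row[0]))


if __name__ == "__main__":
    for cat in (None, "high-port", "uncommon", "vulnerable-low-port"):
        print(f"== {cat or 'all permitted services'} ==")
        for (fw, d, proto, dport), conns, nbytes in rank_permitted_services(SAMPLE_RECORDS, cat):
            label = VULNERABLE_LOW_PORT_SERVICES.get((proto, dport), f"{proto}/{dport}")
            print(f"{fw:10} {d:9} {label:13} connections={conns} bytes={nbytes}")
```

When tuning these reports, trim COMMON_SERVICES to what the firewall policy is actually meant to allow; anything that then surfaces in the "uncommon" ranking is a rule worth reviewing, and a non-zero "vulnerable-low-port" inbound ranking is a finding in its own right.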

COBIT

COBIT AI2.4: Successful Database Server Logon Details: Captures successful database server logons

COBIT AI2.4: Failed Database Server Logon Details: Captures failed database server logons

COBIT AI2.4: Top App Servers By Current Uptime: Ranks App servers by current uptime (i.e. time since last reboot)

COBIT AI2.5: Server Installed Software Changes: This report captures detected installed software changes

COBIT DS3.x: Top Devices By CPU Util: Ranks the devices by average cpu utilization over a window

COBIT DS3.x: Top Devices By Memory Util: Ranks the devices by average memory utilization over a window

COBIT DS3.x: Top Devices By Disk Util: Ranks the devices by average system disk utilization over a window

COBIT DS3.x: Top Firewalls By Connections: Ranks the firewalls by average connection count over a window. The ratio of the connection count to the max connection count since startup is also provided. If the ratio is close to 1 and the firewall has been up for a long time, the firewall is busy in terms of firewalled connections.

COBIT DS3.x: Top Device Intf By Util, Error, Discards: Ranks the devices and their network interfaces by first average inbound and then by outbound interface utilization. The utilization is computed by accounting for the link bandwidth.

COBIT DS3.x: Top Server Apps By CPU, Mem Util: Ranks the server processes by first average cpu utilization and then by memory utilization over a window

COBIT DS3.x: Top Network Device Processes By CPU, Mem Util: Ranks the network device processes by first average cpu utilization and then by memory utilization over a window

COBIT DS3.x: Top App Servers By CPU Usage With Other Performance Metrics: Ranks App servers by the amount of CPU usage; the report also provides details on other performance aspects such as memory, threads and classes

COBIT DS3.x: All devices under performance monitoring: Captures all devices under performance monitoring

COBIT DS4.x: Device Ping Monitor Statistics: Tracks the PING response times and packet loss for the monitored devices

COBIT DS4.x: Network Device Down/Restart: Tracks network device down and restart events

COBIT DS4.x: Server Down/Restart: Tracks server down and restart events

COBIT AI2.4,DS4.x: Application Down/Restart: Tracks application stop and start events

COBIT DS4.x: Network Device Failover: Tracks network device failovers

COBIT DS4.x: Network Device Interface Down/Up: Tracks network device interface down and up events

COBIT AI2.4,DS4.x: Server Interface Down/Up: Tracks server network interface down and up events

COBIT DS4.x: Network Device License Expiry: Tracks network device license expiry events

COBIT DS4.x: Application License Expiry: Tracks application license expiry events

COBIT DS4.x: Network Device Link Module Down/Up: Tracks network device miscellaneous module (e.g. fan, power etc.) down/up events

COBIT DS4.x: Top Network Devices, Errors By Count: Ranks network devices by reported error count

COBIT DS4.x: Top Devices by Accumulated Downtime: Ranks the devices by total system downtime over the last week

COBIT AI2.4,DS4.x: Top Applications By Response Time: Ranks the services by average application level probe response times

COBIT DS5.4: Windows Server Account Lock/Unlock history: Captures account lockouts and unlocks on windows servers. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.

COBIT DS5.4: Domain Account Lock/Unlock history: Captures account lockouts and unlocks on domain accounts. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.

COBIT DS5.4: Server Password Changes: Tracks password changes

COBIT DS5.4: Local Windows User Accounts Created: This report captures user accounts added on a server

COBIT DS5.4: Local Windows User Accounts Deleted: This report captures user accounts removed from a server

COBIT DS5.4: Local Windows User Accounts Modified: This report captures local user account modifications.

COBIT DS5.4: Users Added To Local Windows User Groups: This report captures users added to local groups.

COBIT DS5.4: Users Added To Global Windows User Groups: This report captures users added to global or universal groups.

COBIT DS5.4: Users Deleted From Local Windows User Groups: This report captures users deleted from local groups.

COBIT DS5.4: Users Deleted From Global Windows User Groups: This report captures users deleted from global or universal groups.

COBIT DS5.4: Local Windows Groups Deleted: This report captures local group deletions

COBIT DS5.4: Local Windows Groups Modified: This report captures local group modifications

COBIT DS5.4: Local Windows Groups Created: This report captures local group creations

COBIT DS5.4: Global Windows Groups Created: This report captures global group creations

COBIT DS5.4: Global Windows Groups Deleted: This report captures global group deletions

COBIT DS5.4: Global Windows Groups Modified: This report captures global group modifications

COBIT DS5.4: Unix Users Added To Group: Tracks user additions to groups

COBIT DS5.4: Unix User Password Changed: Tracks password changes

COBIT DS5.5: Privileged Windows Server Logon Attempts using the Administrator Account: This report details privileged logon attempts to a windows server using the Administrator account

COBIT DS5.5: Remote Desktop Connections to Windows Servers: This report details successful and failed remote desktop connections

COBIT DS5.5: Unix Server Privileged Logon: This report details UNIX server privileged logons (su) with all parsed parameters and raw logs

COBIT DS5.5: Unix Server Privileged Command Execution: This report details privileged command executions (sudo) at a Unix server

COBIT DS5.5: Successful Firewall Admin Logon Details: Details about successful firewall logons

COBIT DS5.5: Failed Firewall Admin Logon Details: Details about failed firewall logons

COBIT DS5.5: Successful Router Admin Logon Details: Details about successful router logons

COBIT DS5.5: Failed Router Admin Logon Details: Details about failed router logons

COBIT DS5.5: Successful VPN Admin Logon: Provides event details for all successful VPN admin logons

COBIT DS5.5: Failed VPN Admin Logon: Provides event details for all failed VPN admin logons

COBIT DS5.5: Successful WLAN Admin Logon: Tracks successful admin logons to the WLAN Controller

COBIT DS5.5: Failed WLAN Admin Logon: Tracks failed admin logons to the WLAN Controller

COBIT DS5.6: Top Incidents Ranked By Severity, Count: Ranks the incidents by first their severity and then by their count.

COBIT DS5.6: All Availability Incidents: Captures the availability incidents

COBIT DS5.6: Performance Incidents: Captures the performance related incidents

COBIT DS5.6: Security Incidents: Captures the security related incidents

COBIT DS5.9: Virus found but not remediated by Host Antivirus: Captures events that indicate the viruses that Host Antivirus found but failed to remedy

COBIT DS5.9: Spyware found but not remediated by Host Antivirus:

COBIT DS5.9: Top Hosts with Malware found by Host Antivirus:

COBIT DS5.9: Top Hosts with Malware Found By Network IPS and Firewalls: Tracks IP addresses with Malware as found by IPS

COBIT DS5.9: Top Hosts with Malware Found By Antivirus and Security Gateways: Tracks IP addresses with Malware as found by Host Anti-virus and Security Gateways

COBIT DS5.9: Non-compliant Hosts and Security Software License Expirations: Tracks non-compliant hosts and license expiry events from Security Management Gateways and Firewalls. Non-compliant hosts may not have proper security software running and therefore may pose a security threat. License expiration of security software may expose exploitable security vulnerabilities.

COBIT DS5.10: Top Firewalls and Permitted Outbound Services By Connections, Bytes: Ranks firewalls and permitted outbound services by first the total number of connections and then by bytes for that service

COBIT DS5.10: Top Firewalls and Permitted Inbound Services By Connections, Bytes: Ranks firewalls and permitted inbound services by first the total number of connections and then by bytes for that service

COBIT DS5.10: Top Firewalls and Permitted High Port Services By Connections, Bytes: Tracks the high port services permitted by firewalls – these services may pose security risk

COBIT DS5.10: Top Firewalls and Permitted Uncommon Services By Connections, Bytes: Tracks uncommon services permitted by firewalls – common services include DNS, SMTP, Web

COBIT DS5.10: Top Firewalls and Permitted Vulnerable Low Port Services By Connections, Bytes: Tracks vulnerable low port services permitted by firewalls – vulnerable services include Microsoft services such as MS-RPC (135), NETBIOS-SSN (139), MICROSOFT-DS (445) and MS-SQL (1433,1434), as well as FTP (21) and TELNET (23)

COBIT DS5.10: Top Firewall Originated Or Destined Permitted Connections By Count: Ranks the firewall originated or destined connections – these connections would typically be for administrative and monitoring purposes

COBIT DS5.10: Top Blocked Internal Sources, Services, Destinations: Ranks blocked internal sources, services and destinations by connection count

COBIT DS5.10: Top Blocked Internal Destinations, Services Ranked By Connection Count: Ranks blocked internal destinations and services by connection count

COBIT DS5.10: Top Network IPS events By Severity, Count: Ranks the network IPS events first by severity and then by count

COBIT DS5.10: Top Network Scanners By Event Count: Ranks the source IP addresses by detected network scan or reconnaissance events

COBIT DS5.10: Top Blocked Network Attacks By Count: Ranks the network attacks blocked by network IPS

COBIT DS5.10: Top Web Users By Uncommon HTTP Method Connections: Ranks web users by uncommon HTTP methods used

COBIT DS5.10: Top Web Users By HTTP POST Exchanged Bytes: Ranks web clients by HTTP POST byte count – can catch malware sending confidential information out

COBIT DS5.10: Top Visited Web Sites And Categories By Connections: Ranks (successfully) visited web sites and categories by the number of connections

COBIT DS5.10: Top Denied Web Sites And Categories By Connections: Ranks web sites and categories that were denied by policy, by the number of connections

COBIT DS5.10: Top Web Users, Denied Sites And Categories By Connections: Ranks users, web sites and categories that were denied by policy, by the number of connections

COBIT DS5.10: Top Inbound Blacklisted Mail Gateways By Connections: Ranks denied mail gateways by the number of attempted SMTP connections. The most common reason for denial is the gateway being included in blacklists.

COBIT DS5.10: Top Inbound Blacklisted Mail Gateways and SMTP Error Types By Connections: Ranks denied mail gateways and the SMTP errors by the number of attempted connections. The most common SMTP error is often the gateway being included in mail blacklists.

COBIT DS5.10: Filtered Inbound Spam Count: Counts total inbound spam denied by spam filtering policy

COBIT DS5.10: Top Outbound Blacklisted Mail Gateways By Connections: Ranks denied mail gateways by the number of attempted SMTP connections. The most common reason for denial is the gateway being included in blacklists.

COBIT DS5.10: Top Outbound Blacklisted Mail Gateways and SMTP Error Types By Connections: Ranks denied mail gateways and the SMTP errors by the number of attempted connections. The most common SMTP error is often the gateway being included in mail blacklists.

COBIT DS5.10: Filtered Outbound Spam Count: Counts total outbound spam denied by policy

COBIT DS5.10: Total Denied Web Connections By Policy: Counts denied web site connections because of policy violations

COBIT DS5.10: Top Mail Security Gateway Actions By Count: Ranks the actions taken by the mail security gateway – actions include blocking an inbound/outbound mail gateway because of RBL or other SMTP violations, blocking a mail because of spam or other policy violations and delivering a mail

COBIT DS9.x: Firewall Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and hence are accurate.

COBIT DS9.x: Firewall Run vs Startup Config Difference Via Login: This report captures detected differences between a firewall's running and startup config

COBIT DS9.x: Router/Switch Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and hence are accurate.

SOX

SOX (AI2.4): Successful Database Server Logons: Captures successful database server logons

SOX (AI2.4): Failed Database Server Logons: Captures failed database server logons

SOX (AI2.4,DS4.x): Top Applications By Response Time: Ranks the services by average application level probe response times

SOX (AI2.4): Top App Servers By Current Uptime: Ranks App servers by current uptime (i.e. time since last reboot)

SOX (AI2.4,DS4.x): Application Down/Restart: Tracks application stop and start events

SOX (AI2.4,DS4.x): Server Interface Down/Up: Tracks server network interface down and up events

SOX (AI2.5): Server Installed Software Changes: This report captures detected installed software changes

SOX (DS3.x): Top Devices By CPU Util: Ranks the devices by average cpu utilization over a window

SOX (DS3.x): Top Devices By Memory Util: Ranks the devices by average memory utilization over a window

SOX (DS3.x): Top Devices By Disk Util: Ranks the devices by average system disk utilization over a window

SOX (DS3.x): Top Firewalls By Connections: Ranks the firewalls by average connection count over a window. The ratio of the connection count to the maximum connection count since startup is also provided. If the ratio is close to 1 and the firewall has been up for a long time, the firewall is busy from a firewalled-connection point of view.

SOX (DS3.x): Top Device Intf By Util, Error, Discards: Ranks the devices and their network interfaces first by average inbound and then by average outbound interface utilization. The utilization is computed by accounting for the link bandwidth.

SOX (DS3.x): Top Server Apps By CPU, Mem Util: Ranks the server processes by first average cpu utilization and then by memory utilization over a window

SOX (DS3.x): Top Network Device Processes By CPU, Mem Util: Ranks the network device processes by average CPU utilization over a window

SOX (DS3.x): Top App Servers By CPU Usage With Other Performance Metrics: Ranks App servers by the amount of CPU usage; this report also provides details on other performance aspects such as memory, threads and classes

COBIT DS5.6: All Availability Incidents: Captures the availability incidents

SOX (DS5.6): Performance Incidents: Captures the performance related incidents

SOX (DS3.x): All devices under performance monitoring: Captures all devices under performance monitoring

SOX (DS5.4): Windows Server Account Lock/Unlock history: Captures account lockouts and unlocks on windows servers. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.

SOX (DS5.4,PCI1.x): Domain Account Lock/Unlock history: Captures account lockouts and unlocks on domain accounts. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.

SOX (DS5.4,PCI1.x): Server Password Changes: Tracks password changes

SOX (DS5.4,PCI1.x): Local Windows User Accounts Created: This report captures user accounts added on a server

SOX (DS5.4,PCI1.x): Local Windows User Accounts Deleted: This report captures user accounts removed from a server

SOX (DS5.4,PCI1.x): Local Windows User Accounts Modified: This report captures local user account modifications.

SOX (DS5.4,PCI1.x): Users Added To Local Windows User Groups: This report captures users added to local groups.

SOX (DS5.4): Users Added To Global Windows User Groups: This report captures users added to global or universal groups.

SOX (DS5.4,PCI1.x): Users Deleted From Local Windows User Groups: This report captures users deleted from local groups.

SOX (DS5.4,PCI1.x): Users Deleted From Global Windows User Groups: This report captures users deleted from global or universal groups.

SOX (DS5.4,PCI1.x): Local Windows Groups Deleted: This report captures local group deletions

SOX (DS5.4,PCI1.x): Local Windows Groups Modified: This report captures local group modifications

SOX (DS5.4,PCI1.x): Local Windows Groups Created: This report captures local group creations

SOX (DS5.4,PCI1.x): Global Windows Groups Created: This report captures global group creations

SOX (DS5.4,PCI1.x): Global Windows Groups Deleted: This report captures global group deletions

SOX (DS5.4,PCI1.x): Global Windows Groups Modified: This report captures global group modifications

SOX (DS5.4,PCI1.x): Unix Users Added To Group: Tracks user additions to groups

SOX (DS5.4,PCI1.x): Unix User Password Changed: Tracks password changes

SOX (DS5.5,PCI1.x): Privileged Windows Server Logon Attempts using the Administrator Account: This report details privileged logon attempts to a Windows server using the Administrator account

SOX (DS5.5,PCI1.x): Remote Desktop Connections to Windows Servers: This report details successful and failed remote desktop connections

SOX (DS5.5,PCI1.x): Unix Server Privileged Logon: This report details UNIX server privileged logons (su) with all parsed parameters and raw logs

SOX (DS5.5,PCI1.x): Unix Server Privileged Command Execution: This report details privileged command executions (sudo) on a Unix server

COBIT DS5.5: Successful Firewall Admin Logon Details: Details about successful firewall logons

COBIT DS5.5: Failed Firewall Admin Logon Details: Details about failed firewall logons

SOX (DS5.5,PCI1.x): Successful Router Admin Logon Details: Details about successful router logons

SOX (DS5.5,PCI1.x): Failed Router Admin Logon Details: Details about failed router logons

SOX (DS5.5,PCI1.x): Successful VPN Admin Logon: Provides event details for all successful VPN admin logons

SOX (DS5.5,PCI1.x): Failed VPN Admin Logon: Provides event details for all failed VPN admin logons

SOX (DS5.5,PCI1.x): Successful WLAN Admin Logon: Tracks successful admin logons to the WLAN Controller

SOX (DS5.5,PCI1.x): Failed WLAN Admin Logon: Tracks failed admin logons to the WLAN Controller

SOX (DS5.6): Security Incidents: Captures the security related incidents

SOX (DS5.9): Virus found but not remediated by Host Antivirus: Captures events that indicate the viruses that Host Antivirus found but failed to remedy

SOX (DS5.9): Spyware found but not remediated by Host Antivirus:

SOX (DS5.9): Top Hosts with Malware found by Host Antivirus:

SOX (DS5.9): Top Hosts with Malware Found By Network IPS and Firewalls: Tracks IP addresses with Malware as found by IPS

SOX (DS5.9): Top Hosts with Malware Found By Antivirus and Security Gateways: Tracks IP addresses with Malware as found by Host Anti-virus and Security Gateways

SOX (DS5.9): Non-compliant Hosts and Security Software License Expirations: Tracks non-compliant hosts and license expiry events from Security Management Gateways and Firewalls. Non-compliant hosts may not have proper security software running and therefore may pose a security threat. License expiration of security software may expose exploitable security vulnerabilities.

SOX (DS5.10): Top Firewalls and Permitted Outbound Services By Connections, Bytes: Ranks firewalls and permitted outbound services by first the total number of connections and then by bytes for that service

SOX (DS5.10): Top Firewalls and Permitted Inbound Services By Connections, Bytes: Ranks firewalls and permitted inbound services by first the total number of connections and then by bytes for that service

SOX (DS5.10): Top Firewalls and Permitted High Port Services By Connections, Bytes: Tracks the high port services permitted by firewalls – these services may pose security risk

SOX (DS5.10): Top Firewalls and Permitted Uncommon Services By Connections, Bytes: Tracks uncommon services permitted by firewalls – common services include DNS, SMTP, Web

SOX (DS5.10): Top Firewalls and Permitted Vulnerable Low Port Services By Connections, Bytes: Tracks vulnerable low-port services permitted by firewalls – these include Microsoft services such as MS-RPC (135), NETBIOS-SSN (139), MICROSOFT-DS (445) and MS-SQL (1433,1434), as well as FTP (21) and TELNET (23)

SOX (DS5.10): Top Firewall Originated Or Destined Permitted Connections By Count: Ranks the firewall-originated or firewall-destined permitted connections – these connections would typically be for administrative and monitoring purposes

SOX (DS5.10): Top Blocked Internal Sources, Services, Destinations: Ranks blocked internal sources, services and destinations by connection count

SOX (DS5.10): Top Blocked Internal Destinations, Services Ranked By Connection Count: Ranks blocked internal destinations and services by connection count

SOX (DS5.10): Top Network IPS events By Severity, Count: Ranks the network IPS events first by severity and then by count

SOX (DS5.10): Top Network Scanners By Event Count: Ranks the source IP addresses by detected network scan or reconnaissance events

SOX (DS5.10): Top Blocked Network Attacks By Count: Ranks the network attacks blocked by network IPS

SOX (DS5.10): Top Web Users By Uncommon HTTP Method Connections: Ranks web users by uncommon HTTP methods used

SOX (DS5.10): Top Web Users By HTTP POST Exchanged Bytes: Ranks web clients by HTTP POST byte count – can catch malware sending confidential information out

SOX (DS5.10): Top Visited Web Sites And Categories By Connections: Ranks (successfully) visited web sites and categories by the number of connections

SOX (DS5.10): Top Denied Web Sites And Categories By Connections: Ranks web sites and categories that were denied by policy, by the number of connections

SOX (DS5.10): Top Web Users, Denied Sites And Categories By Connections: Ranks users, web sites and categories that were denied by policy, by the number of connections

SOX (DS5.10): Top Inbound Blacklisted Mail Gateways By Connections: Ranks denied mail gateways by the number of attempted SMTP connections. The most common reason for denial is the gateway being included in blacklists.

SOX (DS5.10): Top Inbound Blacklisted Mail Gateways and SMTP Error Types By Connections: Ranks denied mail gateways and the SMTP errors by the number of attempted connections. The most common SMTP error is often the gateway being included in mail blacklists.

SOX (DS5.10): Filtered Inbound Spam Count: Counts total inbound spam denied by spam filtering policy

SOX (DS5.10): Top Outbound Blacklisted Mail Gateways By Connections: Ranks denied mail gateways by the number of attempted SMTP connections. The most common reason for denial is the gateway being included in blacklists.

SOX (DS5.10): Top Outbound Blacklisted Mail Gateways and SMTP Error Types By Connections: Ranks denied mail gateways and the SMTP errors by the number of attempted connections. The most common SMTP error is often the gateway being included in mail blacklists.

SOX (DS5.10): Filtered Outbound Spam Count: Counts total outbound spam denied by policy

SOX (DS5.10): Total Denied Web Connections By Policy: Counts denied web site connections because of policy violations

SOX (DS5.10): Top Mail Security Gateway Actions By Count: Ranks the actions taken by the mail security gateway – actions include blocking an inbound/outbound mail gateway because of RBL or other SMTP violations, blocking a mail because of spam or other policy violations and delivering a mail

SOX (DS9.x): Firewall Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and hence are accurate.

SOX (DS9.x): Firewall Run vs Startup Config Difference Via Login: This report captures detected differences between a firewall's running and startup config

SOX (DS9.x): Router/Switch Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and hence are accurate.

HIPAA

HIPAA 164.308(a)(3): Server Password Changes: Tracks password changes

HIPAA 164.308(a)(3),164.312(a)(2): Local Windows User Accounts Created: This report captures user accounts added on a server

HIPAA 164.308(a)(3): Local Windows User Accounts Deleted: This report captures user accounts removed from a server

HIPAA 164.308(a)(3): Local Windows User Accounts Modified: This report captures local user account modifications.

HIPAA 164.308(a)(3): Users Added To Local Groups: This report captures users added to local groups.

HIPAA 164.308(a)(3): Users Added To Global Groups: This report captures users added to global or universal groups.

HIPAA 164.308(a)(3): Users Deleted From Local Groups: This report captures users deleted from local groups.

HIPAA 164.308(a)(3): Users Deleted From Global Groups: This report captures users deleted from global or universal groups.

HIPAA 164.308(a)(3): Local Windows Groups Deleted: This report captures local group deletions

HIPAA 164.308(a)(3): Local Windows Groups Modified: This report captures local group modifications

HIPAA 164.308(a)(3): Local Windows Groups Created: This report captures local group creations

HIPAA 164.308(a)(3): Global Windows Groups Created: This report captures global group creations

HIPAA 164.308(a)(3): Global Windows Groups Deleted: This report captures global group deletions

HIPAA 164.308(a)(3): Global Windows Groups Modified: This report captures global group modifications

HIPAA 164.308(a)(4): Firewall Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and hence are accurate.

HIPAA 164.308(a)(4): Router Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and hence are accurate.

HIPAA 164.308(a)(4): Router Run vs Startup Config Difference Via Login: This report captures detected differences between a router's running and startup config

HIPAA 164.308(a)(4): Top Firewalls and Outbound Permitted Services By Connections, Bytes: Ranks firewalls and permitted outbound services by first the total number of connections and then by bytes for that service

HIPAA 164.308(a)(4): Top Firewalls and Inbound Permitted Services By Connections, Bytes: Ranks firewalls and permitted inbound services by first the total number of connections and then by bytes for that service

HIPAA 164.308(a)(4): Top Firewalls and Permitted High Port Services By Connections, Bytes: Tracks the high port services permitted by firewalls – these services may pose security risk

HIPAA 1.x: Top Firewalls and Permitted Uncommon Services By Connections, Bytes: Tracks uncommon services permitted by firewalls – common services include DNS, SMTP, Web

HIPAA 164.308(a)(4): Top Firewalls and Permitted Vulnerable Low Port Services By Connections, Bytes: Tracks vulnerable low-port services permitted by firewalls – these include Microsoft services such as MS-RPC (135), NETBIOS-SSN (139), MICROSOFT-DS (445) and MS-SQL (1433,1434), as well as FTP (21) and TELNET (23)

HIPAA 164.308(a)(4): Top Firewall Originated Or Destined Permitted Connections By Count: Ranks the firewall-originated or firewall-destined permitted connections – these connections would typically be for administrative and monitoring purposes

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c),164.312(a)(2): Detailed Successful Login At HIPAA Device: Captures detailed successful logins at any device or application including servers, network devices, domain controllers, VPN gateways, WLAN controllers and applications

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c),164.312(a)(2): Detailed Failed Login At HIPAA System: Captures detailed failed logins at any device or application – servers, network devices, domain controllers, VPN gateways, WLAN controllers and applications

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Successful Firewall Admin Logon Details: Details about successful firewall logons

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Failed Firewall Admin Logon Details: Details about failed firewall logons

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Successful Router Admin Logon Details: Details about successful router logons

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Failed Router Admin Logon Details: Details about failed router logons

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Successful VPN Admin Logon: Provides event details for all successful VPN admin logons

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Failed VPN Admin Logon: Provides event details for all failed VPN admin logons

HIPAA 10.x: Successful WLAN Admin Logon: Tracks successful admin logons to the WLAN Controller

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Failed WLAN Admin Logon: Tracks failed admin logons to the WLAN Controller

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Privileged Windows Server Logon Attempts using the Administrator Account: This report details privileged logon attempts to a Windows server using the Administrator account

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Remote Desktop Connections to Windows Servers: This report details successful and failed remote desktop connections

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c),164.312(a)(2): Successful Windows Server Logons: This report records successful windows server logons

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c),164.312(a)(2): Failed Windows Server Logons: This report records failed Windows server logons

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c),164.312(a)(2): Successful Unix Server Logons: This report details successful unix server logons with all parsed fields and raw logs

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c),164.312(a)(2): Failed Unix Server Logons: This report details failed unix server logons with all parsed fields and raw logs

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Unix Server Privileged Logon: This report details UNIX server privileged logons (su) with all parsed parameters and raw logs

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Unix Server Privileged Command Execution: This report details privileged command executions (sudo) on a Unix server

HIPAA 164.308(a)(5)(ii)(c): Windows Server Account Lockouts: This report captures account lockouts on windows servers. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation

HIPAA 164.308(a)(5)(ii)(c): Windows Server Account Unlocks: Captures account unlocks on windows servers. Account unlocks happen after lockouts that may happen on repeated login failures

HIPAA 164.308(a)(5): Server Password Changes: Tracks password changes

HIPAA 164.308(a)(6): Virus found but not remediated by Host Antivirus: Captures events that indicate the viruses that Host Antivirus found but failed to remedy

HIPAA 164.308(a)(6): Spyware found but not remediated by Host Antivirus:

HIPAA 164.308(a)(6): Top hosts with Malware found by Host Antivirus:

HIPAA 164.308(a)(6): Top IPs with Malware Found By IPS and Firewalls: Tracks IP addresses with Malware as found by IPS

HIPAA 164.308(a)(6): Top IPs with Malware Found By Antivirus and Security Gateways: Tracks IP addresses with Malware as found by Host Anti-virus and Security Gateways

HIPAA 164.308(a)(6): Non-compliant Hosts and Security Software License Expirations: Tracks non-compliant hosts and license expiry events from Security Management Gateways and Firewalls. Non-compliant hosts may not have proper security software running and therefore may pose a security threat. License expiration of security software may expose exploitable security vulnerabilities.

HIPAA 164.308(a)(6): Top Network Scanners By Event Count: Ranks the source IP addresses by detected network scan or reconnaissance events

HIPAA 164.308(a)(6): Top Blocked Network Attacks By Count: Ranks the network attacks blocked by network IPS

HIPAA 164.308(a)(6): Top Network IPS events (affecting HIPAA devices) Ranked By Severity, Count: Ranks the network IPS events affecting HIPAA devices

HIPAA 164.308(a)(6): Top System detected Security Incidents (affecting HIPAA devices) Ranked By Severity, Count: Ranks the security related incidents by first their severity and then by their count – restricted to HIPAA devices

HIPAA 164.312(a)(2): Successful VPN Logons: Captures successful VPN logons

HIPAA 164.312(a)(2): Failed VPN Logons: Captures failed VPN logons

HIPAA 164.312(a)(2): Successful Wireless Logons: Captures successful wireless logons

HIPAA 164.312(a)(2): Failed Wireless Logons: Captures failed wireless logons

HIPAA 164.312(a)(2): Successful Windows Domain Authentications: Captures successful domain authentications

HIPAA 164.312(a)(2): Failed Windows Domain Authentications: Captures failed domain authentications

HIPAA 164.312(a)(2): Successful Database Server Logons: Captures successful database server logons

HIPAA 164.312(a)(2): Failed Database Server Logons: Captures failed database server logons

HIPAA 164.312(b): Windows Audit Policy Changed: This report captures audit policy changes

HIPAA 164.312(b): All System Admin User Logon Attempts: Details all System Admin User Logon Attempts

HIPAA 164.312(b): System Operational Warnings: Captures system operational warnings, including license limits being reached and collectors going down

FortiSIEM Change management related reports

Change management related

Network Device Config Changes

Server Changes

Network Device Config Changes

Change: Router Configuration Changes Detected From Log: This report provides details about router config changes

Change: Router Run versus Startup Config Difference Via Login: This report captures detected differences between a router's running and startup config

Change: Router Config Changes Detected Via Login: This report captures detected configuration changes via login

WLAN Config Change: This report tracks all software, hardware and device configuration changes at WLAN Access points and Base stations. The report includes Original Reporting Controller IP, Event Type and MAC address of the AP or Controller where the event happened. If the MAC address is empty, the event happened at the reporting Controller.

Change: Firewall Run vs Startup Config Difference Via Login: This report captures detected differences between a firewall's running and startup config

Change: Firewall Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and hence are accurate.

Server Changes

Change: Database Server DDL Changes: Captures database DDL changes

Change: Top Windows Servers, Users by Account Modification Count: This report ranks the windows servers and their administrative users by the number of user account modification events

Change: Windows Server Account Modification Details: This report captures the details of windows account modification events. Details include the administrative user, target user, the operation performed and the raw log

Change: Windows File Access Details: This report captures the details of windows server file access events. Details include the administrative user, file/directory, the operation performed and the raw log

Change: Top Windows Servers, Users By Config/Policy Modification Count: This report ranks the windows servers and their administrative users by the number of server configuration or policy modification events

Change: Windows Server Config Modification Details: This report captures the details of windows server configuration or policy modification events. Details include the administrative user, file/directory, the operation performed and the raw log

Change: Local User Accounts Created: This report captures user accounts added on a server

Change: Local User Accounts Deleted: This report captures user accounts removed from a server

Change: User Accounts Modified: This report captures local user account modifications.

Change: Users Added To Local Groups: This report captures users added to local groups.

Change: Users Added To Global Groups: This report captures users added to global or universal groups.

Change: Users Deleted From Local Groups: This report captures users deleted from local groups.

Change: Users Deleted From Global Groups: This report captures users deleted from global or universal groups.

Change: Local Groups Deleted: This report captures local group deletions

Change: Local Groups Modified: This report captures local group modifications

Change: Global Groups Created: This report captures global group creations

Change: Global Groups Deleted: This report captures global group deletions

Change: Global Groups Modified: This report captures global group modifications

Change: Local Groups Created: This report captures local group creations

Change: Windows Server Password Changes: Tracks password changes

Change: Windows Server Account Lock/Unlock history: Captures account lockouts and unlocks on windows servers. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.

Change: Windows Audit Policy Changed: This report captures audit policy changes

Change: Windows File Access Failures: This report captures the details of windows server file access failures. Details include the administrative user, file/directory, the operation performed and the raw log

Change: Windows File Access Successes: This report captures the details of windows server file access successes. Details include the administrative user, file/directory, the operation performed and the raw log

Change: All Account/Group Change Events: This report lists all account/group change events

Change: Top Windows Domain Controllers, Users By Account Modification Count: Ranks Domain Controllers and their administrators by the number of account modifications performed

Change: Windows Domain Account Modification Details: Details windows domain account modifications

Change: Top Windows Domain Controllers, Users By File Modification Count: Ranks the Domain Controllers and their administrators by the number of file modifications performed

Change: Windows Domain Controller File Modification Details: Provides details about domain controller file modifications

Change: Top Windows Domain Controllers, Users By Config Modification Count: Ranks Domain Controllers and their administrators by the number of config modifications performed

Change: Windows Domain Controller Config Changes: Provides detailed windows domain controller config changes

Change: Computers added to domain: Captures computers added to a domain

Change: Computers deleted from domain: Captures computers removed from a domain

Change: Domain user accounts created: Captures user accounts added to a domain

Change: Domain user accounts deleted: Captures user accounts removed from a domain

Change: Domain user accounts modified: Captures domain user account modifications.

Change: Domain groups created: Captures domain group creations

Change: Domain groups deleted: Captures domain group deletions

Change: Domain groups modified: Captures domain group modifications

Change: Users Added To Domain Groups: Tracks users added to domain groups

Change: Users Deleted From Domain Groups: Tracks users deleted from domain groups. The information contains who did it (User, Computer, Domain, Source IP) along with the deleted account (Target User) and group (Target User Group).

Change: Domain User Password Changes: Tracks password changes

Change: Domain Account Lock/Unlock history: Captures account lockouts and unlocks on domain accounts. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.

Change: Domain Account Unlocks: Captures account unlocks on domain accounts. Account unlocks happen after lockouts that may happen on repeated login failures

Change: Windows Domain Controller Audit Policy Changed: This report captures audit policy changes

Change: Unix Users Added To Group: Tracks user additions to groups

Change: Unix User Password Changed: Tracks password changes

Change: Audited file changes: Tracks user modifications to files and directories. Both the content and attribute modifications are captured. For actions on directories, the affected files in the directories are also captured.

FortiSIEM Security Information Management

Security Information Management

User Password Monitoring Events

AccelOps generates the following events related to user password monitoring during LDAP discoveries.

LDAP Password Never Expire Events

LDAP Password Not Required Events

LDAP Password Expiry Event

LDAP Password Stale Events

LDAP Password Never Expire Events

Key Attributes:

Name                     Id                Type    Description
Event Type               eventType         string  Event type set to PH_DEV_DISCOV_ADS_PASSWORD_NEVER_EXPIRES
Event Severity           eventSeverity     uint16  Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event Severity Category  eventSeverityCat  string  Set to Low. In general, takes the values Low, Medium and High. Event severities 0-4 are mapped to Low, 5-8 to Medium and 9-10 to High
Event Receive Time       phRecvTime        Date    Time at which AccelOps generated this event
Reporting IP             reptDevIpAddr     IP      AccelOps Super IP
Relaying IP              relayDevIpAddr    IP      AccelOps Super IP
Raw Event Log            rawEventMsg       string  Raw event containing all attributes in comma-separated "[Attribute] = value" format
Host Name                hostName          string  Active Directory server host name
Host IP Address          hostIpAddr        IP      Active Directory server IP
User                     user              string  User logon name
User Full Name           userFullName      string  User full display name
User Distinguished Name  userDN            string  User distinguished name
Password Age             passwordAge       uint64  Password age in days
Password Last Set        passwordLastSet   Date    Time when password was last set

LDAP Password Not Required Events

Event Type: PH_DISCOV_ADS_PASSWORD_NOT_REQD

Description: Event contains users whose password is not required

Source: Windows Active Directory Discovery via LDAP

Sample event

Key Attributes:

| Name | Id | Type | Description |
|---|---|---|---|
| Event Type | eventType | string | Event type set to PH_DISCOV_ADS_PASSWORD_NOT_REQD |
| Event Severity | eventSeverity | uint16 | Set to 1 |
| Event Severity Category | eventSeverityCat | string | Set to Low. In general, takes the values Low, Medium and High. Event severities 0-4 are mapped to Low, 5-8 to Medium and 9-10 to High |
| Event Receive Time | phRecvTime | Date | Time at which AccelOps generated this event |
| Reporting IP | reptDevIpAddr | Date | AccelOps Super IP |
| Relaying IP | relayDevIpAddr | Date | AccelOps Super IP |
| Raw Event Log | rawEventMsg | string | Raw event containing all attributes in comma-separated "[Attribute] = value" format |
| Host Name | hostName | string | Active Directory server host name |
| Host IP Address | hostIpAddr | IP | Active Directory server IP |
| User | user | string | User logon name |
| User Full Name | userFullName | string | User full display name |
| User Distinguished Name | userDN | string | User distinguished name |

LDAP Password Expiry Event

Event Type: PH_DISCOV_ADS_PASSWORD_TO_EXPIRE

Description: Event contains users and the times when their passwords were last set and when their passwords are about to expire

Source: Windows Active Directory Discovery via LDAP

Sample event

<174>Feb 12 12:09:29 PH-QA-AUTOTEST phDiscover[22677]: [PH_DISCOV_ADS_PASSWORD_TO_EXPIRE]:[eventSeverity]=PHL_INFO,[procName]=phDiscover,[fileName]=dirUser.cpp,[lineNumber]=1750,[hostIpAddr]=192.168.0.10,[user]=testuser,[userFullName]=Testuser,[userDN]=CN=Testuser,CN=Users,DC=acme,DC=net,[daysToPasswordExpiry]=0,[passwordLastSet]=1360606672,[phLogDetail]=

Key Attributes:

| Name | Id | Type | Description |
|---|---|---|---|
| Event Type | eventType | string | Event type set to PH_DISCOV_ADS_PASSWORD_TO_EXPIRE |
| Event Severity | eventSeverity | uint16 | Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity) |
| Event Severity Category | eventSeverityCat | string | Set to Low. In general, takes the values Low, Medium and High. Event severities 0-4 are mapped to Low, 5-8 to Medium and 9-10 to High |
| Event Receive Time | phRecvTime | Date | Time at which AccelOps generated this event |
| Reporting IP | reptDevIpAddr | Date | AccelOps Super IP |
| Relaying IP | relayDevIpAddr | Date | AccelOps Super IP |
| Raw Event Log | rawEventMsg | string | Raw event containing all attributes in comma-separated "[Attribute] = value" format |
| Host Name | hostName | string | Active Directory server host name |
| Host IP Address | hostIpAddr | IP | Active Directory server IP |
| User | user | string | User logon name |
| User Full Name | userFullName | string | User full display name |
| User Distinguished Name | userDN | string | User distinguished name |
| Days to Password Expiry | daysToPasswordExpiry | uint64 | Number of days until the password will expire |
| Password Last Set | passwordLastSet | Date | Time when the password was last set |
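As an added example (not part of the AccelOps documentation), the Python below parses an event line of the kind shown above into its [Attribute]=value pairs without breaking on the commas inside userDN, applies the 0-10 to Low/Medium/High severity mapping the tables describe, and pulls out the fields a password-expiry check would act on. The sample line is constructed after the one above, and the function names are this example's own.

```python
import re
from datetime import datetime, timezone

# Constructed sample, modelled on the PH_DISCOV_ADS_PASSWORD_TO_EXPIRE
# event shown in this section (values are illustrative).
SAMPLE = ('<174>Feb 12 12:09:29 PH-QA-AUTOTEST phDiscover[22677]: '
          '[PH_DISCOV_ADS_PASSWORD_TO_EXPIRE]:[eventSeverity]=PHL_INFO,'
          '[procName]=phDiscover,[fileName]=dirUser.cpp,[lineNumber]=1750,'
          '[hostIpAddr]=192.168.0.10,[user]=testuser,[userFullName]=Testuser,'
          '[userDN]=CN=Testuser,CN=Users,DC=acme,DC=net,'
          '[daysToPasswordExpiry]=0,[passwordLastSet]=1360606672,[phLogDetail]=')

# "[EVENT_TYPE]:" followed directly by the first "[attribute]=" marker.
HEADER_RE = re.compile(r'\[([A-Z0-9_]+)\]:(\[.*)$')
ATTR_RE = re.compile(r'\[(\w+)\]=')


def parse_event(line):
    """Return (event_type, attrs) for an AccelOps discovery event line."""
    m = HEADER_RE.search(line)
    if m is None:
        raise ValueError('not an AccelOps [EVENT_TYPE]: event line')
    event_type, body = m.group(1), m.group(2)
    # Values may contain commas (userDN does), so cut at the position of
    # the next "[key]=" marker instead of splitting the body on commas.
    markers = list(ATTR_RE.finditer(body))
    attrs = {}
    for i, mk in enumerate(markers):
        end = markers[i + 1].start() if i + 1 < len(markers) else len(body)
        attrs[mk.group(1)] = body[mk.end():end].rstrip(',')
    return event_type, attrs


def severity_category(severity):
    """Map a 0-10 eventSeverity to the eventSeverityCat value (0-4 Low, 5-8 Medium, 9-10 High)."""
    if not 0 <= severity <= 10:
        raise ValueError('eventSeverity must be between 0 and 10')
    return 'Low' if severity <= 4 else 'Medium' if severity <= 8 else 'High'


def password_status(attrs):
    """Extract the expiry-related attributes; passwordLastSet is a Unix epoch in the sample."""
    last_set = datetime.fromtimestamp(int(attrs['passwordLastSet']), tz=timezone.utc)
    days_left = int(attrs['daysToPasswordExpiry'])
    return {'user': attrs['user'], 'userDN': attrs['userDN'],
            'last_set': last_set.isoformat(), 'days_left': days_left,
            'expires_today': days_left == 0}


if __name__ == '__main__':
    etype, parsed = parse_event(SAMPLE)
    print(etype, password_status(parsed))
```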
LDAP Password Stale Events

| Name | Id | Type | Description |
|---|---|---|---|
| Event Type | eventType | string | Event type set to PH_DISCOV_ADS_PASSWORD_STALE |
| Event Severity | eventSeverity | uint16 | Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity) |
| Event Severity Category | eventSeverityCat | string | Set to Low. In general, takes the values Low, Medium and High. Event severities 0-4 are mapped to Low, 5-8 to Medium and 9-10 to High |
| Event Receive Time | phRecvTime | Date | Time at which AccelOps generated this event |
| Reporting IP | reptDevIpAddr | Date | AccelOps Super IP |
| Relaying IP | relayDevIpAddr | Date | AccelOps Super IP |
| Raw Event Log | rawEventMsg | string | Raw event containing all attributes in comma-separated "[Attribute] = value" format |
| Host Name | hostName | string | Active Directory server host name |
| Host IP Address | hostIpAddr | IP | Active Directory server IP |
| User | user | string | User logon name |
| User Full Name | userFullName | string | User full display name |
| User Distinguished Name | userDN | string | User distinguished name |
| Password Age | passwordAge | uint64 | Age of the password in days |
| Password Last Set | passwordLastSet | Date | Time when the password was last set |