- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
What reports are on your Dashboard?
Besides the default reports, I have one custom report I've created. It is called the "Alerts - Failed Windows Logons".
Table: Windows Accounting
Fields: Count(MessageID), MessageID, UserName
Sort Order: count(MessageID) (Descending)
SQL where clause: EventLog = 'Security' AND Reason NOT IN ('An unexpected error occurred during logon') AND (MessageID IN ('Security_675_Security') OR MessageID IN ('Security_672_Security') OR MessageID IN ('Security_676_Security'))
==============================================
Please post your custom reports with specifics.
- Tags:
- aid
- as
- at
- coming!
- Community Thread
- Dashboard
- Discussion
- enhance
- enVision
- experience
- fellas
- forthcoming
- Forum Thread
- great
- greatly
- here
- in
- information
- is
- it
- keep
- look
- product
- releases.
- Reports
- rsa
- RSA enVision
- stuff.
- the
- this
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
I won't clutter the post with all the details of each dashboard item, but here's a partial list of some of our more popular ones. If anyone is interested in details for one in particular let me know.
ACE Server - Failed Auths (lost expired dissabled)
ACE server - Failed Auths - Top 10
ACE Server - Failed Auths Trend - 16 HR
ACE Server - Failed Auths by Type - 16 HR
ACE Server - SecurID Tokens Dissabled -16 HR
ACE Server - Succesful Auths - Top 10
ACE Server - Succesful Auths Trend
ACE Server - Succesful Auths by Agent Host
ACE Server - Succesful Auths by type
Accounts added to admin Group
CPFW - All Top Denied IPs
CPFW - (firewall cluster name here) Top Denied Inbound IPs <<we have one for each cluster
Failed PW Resets
IDS - Alarm Trends (All sensors)
IDS - Alarm Trends (network sensors)
IDS - Alarm Trends (server sensors)
IDS - Top 10 Alarm Destinations (network - DMZ)
IDS - Top 10 Alarm Sources (network - DMZ)
IDS - Top 10 Alarms (network sensors)
IDS - Top 10 Alarms (server sensors)
IDS - Top Threats - 1 HR
IDS - Trends 16 HR
Interactive Logins By Service Accounts
Windows Server Admin Login Distributions
Locked out Accounts
Locked out Admin Accounts
NAS - successful SSH Logins
NAS - Unsupported Operation Errors Top 20
NAS - Virus Hits - 16 HR
PW Changes by Non-Owner
Top Failed Login Accts - (Watchlist name here) <<we have one for each watchlist
User Accounts Created
User Accounts Deleted
User Accounts Enabled
User Accounts Disabled
User Accounts Locked
User Accounts Unlocked
(departmentname)-Oncall-View-Alert-Summary <<we have one for each team who's on-call
(departmentname)-Oncall-View-ALert-Trend <<we have one for each team who's on-call
Open RSA Support Cases << I'm just kidding, i dont really dashbard that but wouldn't that be cool
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
A couple that I like to create for prospects to show the executive summarizing capabilities of the dashboard are:
Top 10 Windows Security Events (Bar Graph)
Windows Accounting Table
X Axis: EventID
Y Axis: count(EventID)
SQL: MessageID LIKE 'Security%Security'
Top 10 Threat Summary (Tabular)
Baseline Table
Fields: EventCategory, sum(TotalMsgs)
SQL: DeviceTypeName != 'nic' AND (EventCategory LIKE 'Recon.%' OR EventCategory LIKE 'Attacks.%' OR EventCategory LIKE 'User.Activity.%')
**You can use whatever other categories you may consider as a threat in the SQL Where Clause for this one - this is just what I use
Set the time ranges to whatever period suits your needs.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
People might already know this, but I find that a good place to get the details (or inspiration) for dashboard items is to go into Reports, and copy an existing canned report so that you can then click on modify and get the details of the table/fields and SQL clause that you need to create a similar dashboard item.
In a future version, could there eventually be a function to click on a button and automatically convert reports into dashboard items? (Minus the runtime parameters and the like).
Below is a simple dashboard item that shows exclusively account lockout events in Windows (i.e. not failed logins, but only cases where accounts have been locked out).
Table: Windows Accounting
Select Fields:
DATEFORMAT(Date/Time,'yyyy-mm-dd hh')
UserID
Workstation
Sort DATEFORMAT(Date/Time,'yyyy-mm-dd hh') Descending
SQL: EventID = '644'
This will show a timestamp, username of the locked account (domain/username format), and source workstation/device.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
In enVision Release 4.0 there will be two new categories of reports added to the Dashboard; Incident Mangement Reports (Task Triage) and Vulnerability Reports; 15 new reports in total.
For details see http://www.rsa.com/products/envision/sb/9952_ENVSO_SB_0209.pdf
Dan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
That's good to know. I am not sure when we'll make the push to 4.0 though. I've seen the wireframe mock ups for enVision.V and I really like those dashboards!
