RSA enVision^® Discussions

RSAAdmin · ‎2009-01-20

Besides the default reports, I have one custom report I've created. It is called the "Alerts - Failed Windows Logons".

Table: Windows Accounting

Fields: Count(MessageID), MessageID, UserName

Sort Order: count(MessageID) (Descending)

SQL where clause: EventLog = 'Security' AND Reason NOT IN ('An unexpected error occurred during logon') AND (MessageID IN ('Security_675_Security') OR MessageID IN ('Security_672_Security') OR MessageID IN ('Security_676_Security'))

==============================================

Please post your custom reports with specifics.

RSAAdmin · ‎2009-01-20

I won't clutter the post with all the details of each dashboard item, but here's a partial list of some of our more popular ones. If anyone is interested in details for one in particular let me know.

ACE Server - Failed Auths (lost expired dissabled)
ACE server - Failed Auths - Top 10
ACE Server - Failed Auths Trend - 16 HR
ACE Server - Failed Auths by Type - 16 HR
ACE Server - SecurID Tokens Dissabled -16 HR
ACE Server - Succesful Auths - Top 10
ACE Server - Succesful Auths Trend
ACE Server - Succesful Auths by Agent Host
ACE Server - Succesful Auths by type
Accounts added to admin Group
CPFW - All Top Denied IPs
CPFW - (firewall cluster name here) Top Denied Inbound IPs <<we have one for each cluster
Failed PW Resets
IDS - Alarm Trends (All sensors)
IDS - Alarm Trends (network sensors)
IDS - Alarm Trends (server sensors)
IDS - Top 10 Alarm Destinations (network - DMZ)
IDS - Top 10 Alarm Sources (network - DMZ)
IDS - Top 10 Alarms (network sensors)
IDS - Top 10 Alarms (server sensors)
IDS - Top Threats - 1 HR
IDS - Trends 16 HR
Interactive Logins By Service Accounts
Windows Server Admin Login Distributions
Locked out Accounts
Locked out Admin Accounts
NAS - successful SSH Logins
NAS - Unsupported Operation Errors Top 20
NAS - Virus Hits - 16 HR
PW Changes by Non-Owner
Top Failed Login Accts - (Watchlist name here) <<we have one for each watchlist
User Accounts Created
User Accounts Deleted
User Accounts Enabled
User Accounts Disabled
User Accounts Locked
User Accounts Unlocked
(departmentname)-Oncall-View-Alert-Summary <<we have one for each team who's on-call
(departmentname)-Oncall-View-ALert-Trend <<we have one for each team who's on-call

Open RSA Support Cases << I'm just kidding, i dont really dashbard that but wouldn't that be cool

RSAAdmin · ‎2009-01-20

A couple that I like to create for prospects to show the executive summarizing capabilities of the dashboard are:

Top 10 Windows Security Events (Bar Graph)

Windows Accounting Table

X Axis: EventID

Y Axis: count(EventID)

SQL: MessageID LIKE 'Security%Security'

Top 10 Threat Summary (Tabular)

Baseline Table

Fields: EventCategory, sum(TotalMsgs)

SQL: DeviceTypeName != 'nic' AND (EventCategory LIKE 'Recon.%' OR EventCategory LIKE 'Attacks.%' OR EventCategory LIKE 'User.Activity.%')

**You can use whatever other categories you may consider as a threat in the SQL Where Clause for this one - this is just what I use

Set the time ranges to whatever period suits your needs.

RSAAdmin · ‎2009-01-21

Nice! Thank you Matt!

RSAAdmin · ‎2009-01-21

That's an impressive list! I'll have to talk to my team and see which ones we'd like to pick your brain about. Thanks!!

RSAAdmin · ‎2009-01-21

Fellas, this is great stuff. As we here at RSA look to enhance the user experience of enVison in forthcoming releases, this information is invaluable. Keep it coming. And if you have any questions/suggestions/comments for how you would like to see enVision improved, please feel free to contact me directly at adam.winkler@rsa.com.

RSAAdmin · ‎2009-01-23

People might already know this, but I find that a good place to get the details (or inspiration) for dashboard items is to go into Reports, and copy an existing canned report so that you can then click on modify and get the details of the table/fields and SQL clause that you need to create a similar dashboard item.

In a future version, could there eventually be a function to click on a button and automatically convert reports into dashboard items? (Minus the runtime parameters and the like).

Below is a simple dashboard item that shows exclusively account lockout events in Windows (i.e. not failed logins, but only cases where accounts have been locked out).

Table: Windows Accounting

Select Fields:

DATEFORMAT(Date/Time,'yyyy-mm-dd hh')

UserID

Workstation

Sort DATEFORMAT(Date/Time,'yyyy-mm-dd hh') Descending

SQL: EventID = '644'

This will show a timestamp, username of the locked account (domain/username format), and source workstation/device.

RSAAdmin · ‎2009-01-26

Thanks for adding your dashboard report j2008! I too use the Ad Hoc reports as my base for creating Dashboard reports. It is good practice to use Queries and Ad Hoc reports before creating the Dashboard report...mostly because it just saves time and headaches.

RSAAdmin · ‎2009-03-12

In enVision Release 4.0 there will be two new categories of reports added to the Dashboard; Incident Mangement Reports (Task Triage) and Vulnerability Reports; 15 new reports in total.

For details see http://www.rsa.com/products/envision/sb/9952_ENVSO_SB_0209.pdf

Dan

RSAAdmin · ‎2009-03-20

That's good to know. I am not sure when we'll make the push to 4.0 though. I've seen the wireframe mock ups for enVision.V and I really like those dashboards!

Message Edited by CaptainJackSparrow on03-20-200910:12 AM

RSA enVision® Discussions

What reports are on your Dashboard?

RSA enVision^® Discussions