Please post your entries for the enVision Reporting BASH here.
This report is called Ironport ESA - Attachment Quarantined Report.
I run this report daily to track how many emails with attachments are quarantined daily and for what reason, typically either because they are block protected or because it is an executable attachment.
This is a scheduled weekly report that I run for our NZ operations manager to track his staff's Citrix remote access usage. I also run similar reports for other divisions to track remote access by contractors as well.
A couple of Motorola AirDefense reports that I have put together, since, out of the box, the event source is installed for AirDefense but no canned reports come with it.
Similar reports, sorted in a couple different ways. Run against your AirDefense device grouping for the desired time range.
#1: Sorted by Severity of the Alarm and subsorted by most recent
#2: Sorted by Category (Rogue, Exploit, etc.)
#3: Sorted by the potential attacker MAC address. Useful for seeing trends from a MAC address, especially if you have auditors trying multiple methods to get into your system
#4: Like the previous Category report, but this includes the MessageIDs as well. Been using it to see which IDs are tripping the most. There are a couple of IDs that are not parsing correctly out of the box, so this is my "debug" report.
We have a dashboard report that shows the top failed Windows logins in the past hour, but sometimes we need a report to show where these devices are failing to log in successfully. This occurs for us when a service account or a mobile user changes a password that somehow gets out of sync on their device or the servers.
So I wrote a simple report that shows, for the specified timeframe, all of the Windows account failed logins and where they failed, sorted by the number of times they have failed. This helps me to track down our top offenders.
Run this report for your desired timeframe and against a device set of your AD Domain Controllers that perform user validation.
I use this report to find the devices that are attempting to authenticate to Cisco Secure ACS, but are not configured in the server. So when that pesky network team calls and asks "Why isn't my device authenticating to TACACS?" or "What's wrong with your TACACS server?" you'll have an answer for them.
This report gives you the virus-affected systems that are left alone without any actions.
This can be run as a Daily / Weekly report.
By default there is no way to view details of ICMP traffic which enVision labels as localport 0. This custom tabular report will allow that to be done.
This report will provide a tabular summary of denied port traffic, sorted in order of the devices with the largest amount of denied traffic.
Egress Firewall traffic, excluding DNS and some ICMP.
Report: Correlated Alerts by Viewname
This report would let you select the Viewname at run time to see the alerts created for a specific view.
This report is very useful when you have a View created for monitoring devices not sending logs. This report captures the destination address, which is the device that did not send the logs. So if you have a view called "Device Health" created for monitoring inactive event sources, you can select this Viewname and the report will show you a message like the one below
where "10.20.98.242" is the inactive event source and "10.31.204.41" is the enVision node sending the alert.
Report: Top Sources of Alerts
This report will show you the top sources of alerts, that is, the event sources that trigger the most alerts. Analyzing alerts this way makes it easier for investigation. If you see a lot of alerts from a firewall device, you can then track down the location of that firewall, see which BU/location it caters to, and investigate further.
Missed attaching the second report.