Enterprise Reporting - BeyondTrust

avecto.com Enterprise Reporting 4.1 ePO Dashboards Guide v 1.1 April 2016


Defendpoint 4.1 Dashboard Guide (ePO)

Copyright Notice

The information contained in this document (“the Material”) is believed to be accurate at the time of printing, but no representation or warranty is given (express or implied) as to its accuracy, completeness or correctness. Avecto Ltd, its associated companies and the publisher accept no liability whatsoever for any direct, indirect or consequential loss or damage arising in any way from any use of or reliance placed on this Material for any purpose.

Copyright in the whole and every part of this document belongs to Avecto Ltd (“the Owner”) and may not be used, sold, transferred, copied or reproduced in whole or in part in any manner or form or in or on any media to any person other than in accordance with the terms of the Owner’s Agreement or otherwise without the prior written consent of the Owner.

Accessibility Notice

In the event that you are unable to read any of the pages or documents on this website, please contact us and we will arrange to get an accessible version to you.


Table of Contents

Introduction .... 5
Naming Conventions and Navigation .... 6
  The Main Interface .... 6
  The Navigation Pane .... 7
  The Dashboard and Reports Pane .... 7
  The Filter Pane .... 7
  The Query Filter Dialog .... 7
  .... 8
  The ePO Tabs Bar .... 9
  Reports in Table Format .... 9
  Exporting and Printing Reports .... 9
Reputation Settings .... 10
  Server Tasks .... 11
  Reputation in Reporting .... 12
Dashboard Reference Guide .... 15
  Dashboard Overview .... 15
  Summary Dashboard .... 17
  Discovery Dashboard .... 19
  Discovery Tables .... 20
    4.4.1. Discovery By Path .... 22
    4.4.2. Discovery By Publisher .... 22
    4.4.3. Discovery By Type .... 22
    4.4.4. Discovery Requiring Elevation .... 22
    4.4.5. Discovery From External Sources .... 22
    4.4.6. Discovery All .... 22
  Actions Dashboard .... 23
    4.5.1. Action Report .... 24
  Targets Dashboard .... 25
    4.6.1. Applications Report .... 26
    4.6.2. Specific Target Report .... 27
  Targets (Grouped) Dashboard .... 28
  Workstyles Dashboard .... 29
    4.8.1. Workstyles (All) Report .... 31
  Users Dashboard .... 32
    4.9.1. User Experience Report .... 32
    4.9.2. Privileged Logons Report .... 33
    4.9.3. Privileged Account Protection Report .... 34
  Deployments Dashboard .... 36
  Requests Dashboard .... 37
    4.11.1. Requests (All) Report .... 38
  Events Dashboard .... 38
    4.12.1. Events (All) Report .... 39
  Help .... 40
  Options .... 41
    4.14.1. Database Monitoring .... 41
    4.14.2. Caching Options .... 41
Drill-through Reports .... 42
  Process Events Table .... 42
  Process Control Event Details .... 43
  Application Details .... 45
  Content Control Event Details .... 47
  Host Details .... 48
  Host Session Details .... 49
  Item List .... 49
  Workstyle Details .... 50
  Privileged Account Protection Table .... 51
  User Details .... 52
  User Logons Table .... 53
The Purge Tool Utility .... 54


Introduction

Defendpoint Enterprise Reporting (ER) is an enterprise level, scalable reporting solution which includes a rich set of dashboards and reports designed to simplify the centralized management and auditing of Defendpoint activity throughout the desktop and server estate. Each dashboard provides detailed and summarized information regarding Application, User, Host and Workstyle usage.

This guide explains each of the dashboards within Enterprise Reporting, as well as the reports and event data accessible from each view.


Naming Conventions and Navigation

This section covers the Enterprise Reporting interface elements and report exporting and linking:

The Main Interface

When Enterprise Reporting is incorporated with Defendpoint ePO Edition, the Avecto Reporting tab can be added to the ePO interface as seen above.

There is also a Scaling link that opens the scaling dialog box which allows you to control the size of the charts that are displayed.

[Figure: the Enterprise Reporting tab within the ePO interface, with the Navigation Pane, ePO Tabs Bar, Dashboard & Reports Pane, Filter Pane and Enterprise Reporting Tab labelled]


The Navigation Pane

The Navigation pane contains links to an array of top-level Dashboards and Reports that are always available and can be accessed with one click. Some of these reports have sub-categories (sub-links) listed beneath them, which are described later in this guide. Where a link has a sub-link All, the report is displayed in tabular form. In the ePO edition of Enterprise Reporting, the top-level reports are cached, providing the benefit of immediate display. Sub-categories (or top-level reports which also have a filtering option applied) must be generated, which may require some processing time. The advantage of caching is the immediacy with which these reports can be accessed. However, if you wish to view the results of a query against the most up-to-the-minute data, caching can be disabled by applying a basic filter. Cached query results display the time and date of processing in brackets. The top-level reports are listed below.

The Dashboard and Reports Pane

This is the area where dashboards and reports are displayed. A dashboard is a report with multiple charts covering a wide range of data, whereas by report we mean a page with just a summary table or a page focused on a particular entity. A dashboard is still a report, but in this context it is referred to as a dashboard due to the breadth of information available.

All the graphical elements of a dashboard or report are ‘interactive’. You can click on an element and by doing so ‘Drill Down’ into that aspect of the report.

The Filter Pane

The Filter pane displays a set of pre-defined filters relevant to the current Dashboard or Report. Filters help refine the information displayed. Simply click on a link to set a filter.

The Filter pane also includes a Filter link which opens the Query Filter dialog.

The Query Filter Dialog

The Query Filter dialog is opened by clicking the Filter link in the Filter Pane.

The Query Filter dialog is available from all dashboards and reports, and allows custom filtering of data based on a number of properties.

As you drill down into reports, the options available from this page vary accordingly.


The filter options automatically perform substring matches, meaning that any text entered will match any property value that contains the entered filter text.

Certain filter options support comma separated values so you can specify a list of filter values. For example, to restrict the results to three users you would enter user1,user2,user3 in the User Name field.

The filter options support SQL wildcard characters. See http://msdn.microsoft.com/en-us/library/ms179859.aspx for the Guide to SQL wildcards.

An additional option has been added to the Query Filter dialog functionality.

Character    Effect
!            Not. Use in front of a filter term to create a "does not match" condition.

Note: Multiple “!” strings are accepted, e.g. “!L-CZC13127L30l,!L-CNU410DJJ7”.

Any text field supports wildcards, comma separated values (CSV) and the Does Not Match (!) option:

Query Filter Dialog Operator    Effect
Comma separated list            Value1,value2,value3
Wildcard                        part%  (combined with CSV: part%part2,part3%part4)
!                               !value  (combined with CSV: !value1,!value2)
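As an added illustration (not Avecto's own code) of how the filter syntax above maps onto SQL, the following translates one text field into a parameterised LIKE predicate: comma separated terms are OR'd, a leading ! becomes NOT LIKE, plain terms are wrapped in % for substring matching, and terms that already carry a % wildcard are passed through as typed. Whether the product wraps terms this way is an assumption; the sample host names are constructed.

```python
import re
import sqlite3
from typing import List, Tuple

# Constructed sample data, not taken from any real estate.
SAMPLE_HOSTS = ["L-CZC13127L30l", "L-CNU410DJJ7", "W-ABC123", "L-XYZ999"]


def _like_pattern(term: str) -> str:
    """Plain text becomes a substring match; a term that already contains the
    SQL % wildcard is used as typed (the _ wildcard is honoured by LIKE either way).
    That a product would wrap terms like this is an assumption of this example."""
    return term if "%" in term else f"%{term}%"


def build_filter_predicate(column: str, text: str) -> Tuple[str, List[str]]:
    """Turn one Query Filter text field into (sql_fragment, parameters).

    The column name is the only thing spliced into the SQL string, so it is
    restricted to a plain identifier; every user-supplied term travels as a
    bound parameter and can never change the query structure."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", column):
        raise ValueError("column must be a simple identifier")

    includes: List[str] = []
    excludes: List[str] = []
    for raw in text.split(","):
        term = raw.strip()
        if not term or term == "!":
            continue
        if term.startswith("!"):
            excludes.append(term[1:].strip())      # "does not match"
        else:
            includes.append(term)

    clauses: List[str] = []
    params: List[str] = []
    if includes:                                   # any of the listed values
        clauses.append("(" + " OR ".join([f"{column} LIKE ?"] * len(includes)) + ")")
        params.extend(_like_pattern(t) for t in includes)
    for t in excludes:                             # and none of the excluded ones
        clauses.append(f"{column} NOT LIKE ?")
        params.append(_like_pattern(t))
    if not clauses:
        return "1=1", []                           # empty filter: no restriction
    return " AND ".join(clauses), params


def run_host_filter(text: str) -> List[str]:
    """Apply a Host Name filter string to the constructed host list via SQLite."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hosts (host_name TEXT)")
    conn.executemany("INSERT INTO hosts VALUES (?)", [(h,) for h in SAMPLE_HOSTS])
    sql, params = build_filter_predicate("host_name", text)
    rows = conn.execute(
        f"SELECT host_name FROM hosts WHERE {sql} ORDER BY host_name", params
    ).fetchall()
    conn.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    for f in ["L-%", "!L-CZC13127L30l,!L-CNU410DJJ7", "CZC,CNU", "L-%,!%L30l"]:
        print(f"{f!r:40} -> {run_host_filter(f)}")
```

Because the terms are bound parameters, a filter such as `' OR 1=1 --` is simply searched for as text and matches nothing.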


The ePO Tabs Bar

The ePO tabs bar contains links to the various areas of McAfee ePolicy Orchestrator (Avecto Reporting is available from here).

For more information on the McAfee ePolicy Orchestrator see: http://www.mcafee.com/uk/products/epolicy-orchestrator.aspx

Reports in Table Format

Any report that is displayed in tabular format can potentially contain numerous columns. In order to control column display select Actions > Choose Columns.

The Available Columns pane displays the complete list of columns available to a specific report. Use the arrow icons to add columns to the Selected Columns pane. In the Selected Columns pane use the X icon to return columns to the Available Columns pane and use the arrow icons to arrange the column display order. Alternatively you can ‘drag and drop’ individual columns to the desired location in the display order. Click Save when you are satisfied with the column choice and display order. Table columns can be sorted by clicking on the Column Name and using the vertical arrow heads next to each column name.

Exporting and Printing Reports

Tabular views can be exported using the built-in ePO Actions > Export Table feature to the following formats:

XML file with report data

CSV (comma delimited)

PDF

HTML (web archive)

Exported data is based on the data currently configured within the dashboard or report, including any advanced filtering options which have been set.

Charts can be saved using the built-in browser save functionality; however, Scaling options are provided if higher resolution charts are required.


Reputation Settings

Intel Security’s Reputation feature can be configured from:

Menu > Server Settings > Avecto Reputation Settings

Click Edit to change the options.

Note: Threat Intelligence Exchange (TIE) via the Data Exchange Layer (DXL) and Virus Total are supported.

Use the radio buttons to enable each source. If the required DXL extensions are not installed then a warning message will be displayed indicating that TIE is not available.

Once added the screen should look like this:

Note: If using a public (non-commercial) Virus Total key, the rate of queries is limited to 4 per minute. These keys should only be used for evaluation. API keys are available to purchase directly from Virus Total.


TIE does not have this restriction so using “0” for an unlimited query rate is recommended.

Server Tasks

A server task for updating reputations in the background is available:

1. Select Menu > Server Tasks > New Task

2. Enter a name for the task such as “Reputation Update” and click Next.

3. Select “Avecto Reputation Update” from the Actions drop down menu.

4. Enable the check box for the reputation type you wish to update. It is possible to update both types using the same task, however that means they will be carried out sequentially which may not be desirable.

5. The task can either look for reputations of applications that do not yet have a reputation or it can search for reputations older than a specified number of days and then update them.

6. Schedule the task(s) as per other Server Tasks.


Reputation in Reporting

Reputations are displayed in various Avecto reports where they can be updated on-demand.

They are shown in the following reports:

Discovery

Applications

Application Details

Requests

Events

Event Details

Using the Applications report as an example, the screen shot shows all the reputation states of:

Pending (no reputation has been checked)

Unknown (the sources do not have a reputation)

Good (at least one source knows this application and it is good and no sources say it is poor)

Poor (any source indicates it has a poor reputation)

The threshold between Poor and Good is on the Server Settings page.

A detailed breakdown of the application can be accessed by clicking on it:


Reputations can be updated from Actions > Update Reputations.

Note: The speed of update via this method will be constrained by the rate of the slowest source. When using a public API based Virus Total update, this can be very slow but the update may be cancelled at any time.

Reputation is also displayed on the detailed Application Report and Event Report. Reputation can also be updated from here.


Dashboard Reference Guide

Dashboard Overview

Enterprise Reporting includes several high level dashboards that summarize the Defendpoint events collected by Enterprise Reporting.

Summary Dashboard – Provides a complete summary, over a given time frame, of the activity that Defendpoint has recorded.

Discovery Dashboard - Summarizes all unique applications that have been discovered. It differentiates between those that used elevated privileges and those that did not.

The subheadings beneath the Discovery dashboard link display the data from different angles, such as by the location of the executable or the type of the executable.

Actions Dashboard - Summarizes audited items categorized by the type of action taken. This allows focusing on the topic of interest – elevation, blocking etc.

The subheadings beneath the Actions dashboard link filter the dashboard to show audits only of the selected type:

Elevated

Blocked

Passive

Cancelled

Custom

Drop Admin

Enforce Default Rights

Target Types Dashboard – Breaks down all Defendpoint activity over the specified time interval by target type. Underneath Target Types is a sub-report All, which lists the targets in tabular form sorted by User count.

Note: The word Target refers to Applications, URLs and Content that has been controlled by Defendpoint.

The subheadings beneath the Target Types dashboard link filter the dashboard to show audits only of the selected type:

Applications

Services

COM

Remote PowerShell

ActiveX

All


Targets (Grouped) Dashboard – Breaks down all Defendpoint activity over the specified time interval by a broader target type that is grouped:

Publisher

Application Group

Message

Workstyle

Workstyles Dashboard - Summarizes all Defendpoint workstyle usage, including coverage statistics. This dashboard includes a sub report All, which lists, in tabular form, the total number of different action types each workstyle has controlled.

This dashboard allows analysis from the perspective of a specific workstyle.

Users Dashboard - Summarizes how users have interacted with messages, challenge / response dialogs and the shell integration within the specified time range.

The subheadings beneath the Users dashboard link filter the dashboard to show audits only of the selected type:

User Experience

Privileged Logons

Privileged Account Protection

Deployments Dashboard - Summarizes Defendpoint Client deployments. The report shows which versions of Defendpoint are currently installed across the organisation. Includes asset information about endpoints such as operating system and default language to assist with workstyle targeting.

Requests Dashboard – Summarizes information about user requests that have been raised over the specific time frame. A blocked message with a reason entered or a cancelled challenge / response message is considered to be a request.

Events Dashboard - Summarizes information about the different types of events that have been raised over the specified time frame. It also shows how long it is since the different hosts raised an event.

Options – Overall reporting options and information:

Caching Options – Allows you to select and/or clear the caching of query results for 7 Day, 30 Day and 12 Month periods or All Caches.

Database Monitoring Graph – A graphical representation of the speed that individual reports are being generated by the system.

Database Monitoring Table – A tabular representation of the above.


Summary Dashboard

The Summary dashboard displays the most important activity that has occurred in the time period. Typically this information could result in workstyle changes or investigation of anomalies.

Chart Description

Application Discovered

The total number of newly discovered Applications in the time period. A chart and % number shows the proportion of applications that required Admin rights or Standard rights. It drills through to the Discovery table.

User Requests

The total number of User Requests. A chart and % number shows the proportion of requests that were either Blocked with a reason provided or the User cancelled a challenge/response message. It drills through to the Requests table.

Admin logons, by users, on endpoints

A breakdown of administrator logons in the time period. The icons, numbers and text all drill through to the User Logons table.

Attempts to modify privileged groups

The number of blocked attempted privileged group modifications in the time period. The icons, numbers and text all drill through to the Privileged Account Protection table.

Applications with poor reputation

The number of distinct applications detected that have been classified as having a poor reputation. The number drills through to the Applications table.

Applications with unknown reputation

The number of distinct applications detected that have been classified as having an unknown reputation. The number drills through to the Applications table.

Applications run from external sources

The number of distinct applications that were run from external sources in the time period. The icons, numbers and text all drill through to the Applications table.

Activities blocked

The number of distinct applications blocked in the time period. The number of each activity type is shown. The icons, numbers, text and bar chart all drill through to the Applications table.

Applications used On-Demand privileges

The number of distinct applications launched from the shell menu in the time period. The icons, numbers and text all drill through to the Applications table.

UAC matches

The number of distinct UAC triggered applications in the time period. The icons, numbers and text all drill through to the Applications table.

Hosts audited

The number of distinct endpoints audited in the time period. A bar chart then breaks down these endpoints into categories depending on when they last sent an event. The icons, numbers, text and bar chart all drill through to a list of the hosts.

Events audited

The total number of events processed in the time period. A bar chart breaks these events down into their types. The icons, numbers, text and bar chart all drill through to the Events All table.


Discovery Dashboard

This report displays information about applications that have been discovered i.e. audited for the first time. This information can inform the development of your Defendpoint workstyles.

Chart Description

Applications first reported in the specified time frame

A line chart showing the number of applications that have first been reported during the specified time frame. This is broken down into applications that require admin rights and those that do not. This chart drills through to the All Discovery Applications table.

Types of newly discovered applications

A column chart showing the number of distinct applications for each application type. The application types are broken down into applications that required admin rights and those that did not. This chart drills through to the All Discovery Applications table.

New applications with admin rights (top 10)

A list of discovered applications that required admin rights, ordered by the number of distinct users. A View all option is available. The application name drills through to the All Discovery Applications table. The User count drills through to a list of users.

New applications with standard rights (top 10)

A list of discovered applications that did not require admin rights, ordered by the number of distinct users. A View all option is available. The application name drills through to the All Discovery Applications table. The User count drills through to a list of users.


New applications with admin rights (by type)

A list of discovered applications that required admin rights broken down by type, ordered by the number of distinct applications. A View all option is available. The application type drills through to the All Discovery Applications table.

New applications with standard rights (by type)

A list of discovered applications that did not require admin rights broken down by type, ordered by the number of distinct applications. A View all option is available. The application type drills through to the All Discovery Applications table.

Discovery Tables

The six discovery tables show detailed information about each application discovered, such as the numbers of distinct users and hosts, the total number of processes and the median number of processes per user in the time period.

The discovery tables listed below share many common columns:

Description – The description of a specific application.

Publisher – The Publisher of a specific application.

Name – The Product Name of a specific application.

Type – The Type of application.

Version – The Version Number of a specific application.

# Users – The number of users.

Median # processes / user – The median number of processes per user.

# Hosts – The number of hosts.

# Processes – The number of processes.

Date first reported – The date when the database received the event.

Date first executed – The date when the event was generated. (These dates may differ when working off-line).
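As an added example (not the product's own code) of how the shared discovery columns above derive from raw process events, this computes # Users, Median # processes / user, # Hosts, # Processes and the two dates for each application from a constructed event sample. The tuple layout is an assumption for this example, not the product's event schema; one event was generated while its host was offline, so Date first executed and Date first reported differ exactly as the guide describes.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample events: (application, user, host,
#   date first executed on the endpoint, date the database received the event).
# Field order is an assumption for this example, not the product's schema.
SAMPLE_EVENTS: List[Tuple[str, str, str, str, str]] = [
    ("setup.exe", "alice", "L-HOST1", "2016-03-01T09:00", "2016-03-01T09:01"),
    ("setup.exe", "alice", "L-HOST1", "2016-03-01T09:10", "2016-03-01T09:11"),
    # bob's laptop was offline: generated on 28 Feb, received on 2 Mar
    ("setup.exe", "bob",   "L-HOST2", "2016-02-28T17:30", "2016-03-02T08:00"),
    ("setup.exe", "carol", "L-HOST3", "2016-03-03T12:00", "2016-03-03T12:00"),
    ("setup.exe", "carol", "L-HOST3", "2016-03-03T12:05", "2016-03-03T12:05"),
    ("setup.exe", "carol", "L-HOST3", "2016-03-03T12:09", "2016-03-03T12:09"),
    ("tool.exe",  "bob",   "L-HOST2", "2016-03-04T10:00", "2016-03-04T10:00"),
]


def discovery_row(events, application: str) -> Dict[str, object]:
    """Compute the common discovery-table counters for one application."""
    rows = [e for e in events if e[0] == application]
    if not rows:
        raise ValueError(f"no events for {application}")
    processes_per_user: Dict[str, int] = defaultdict(int)
    hosts = set()
    for _, user, host, _, _ in rows:
        processes_per_user[user] += 1          # one event = one process launch
        hosts.add(host)
    return {
        "# Users": len(processes_per_user),
        "Median # processes / user": statistics.median(processes_per_user.values()),
        "# Hosts": len(hosts),
        "# Processes": len(rows),
        # Earliest generation time vs earliest arrival time. ISO-8601 strings
        # compare correctly as text, so min() gives the earliest of each.
        "Date first executed": min(e[3] for e in rows),
        "Date first reported": min(e[4] for e in rows),
    }


def discovery_table(events) -> List[Dict[str, object]]:
    """One row per distinct application, most widely used (by # Users) first."""
    table = []
    for app in sorted({e[0] for e in events}):
        row: Dict[str, object] = {"Application": app}
        row.update(discovery_row(events, app))
        table.append(row)
    return sorted(table, key=lambda r: r["# Users"], reverse=True)


if __name__ == "__main__":
    for row in discovery_table(SAMPLE_EVENTS):
        print(row)
```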


Drill through reports:

The i symbol – Displays the Application Report.

The + symbol – Where there are multiple items the + symbol will display a complete list.

The arrow symbols – All column entries can be sorted in ascending or descending order by clicking on the arrow symbols at the top of each column.

Underlined Numbers – Where a number is underlined in a column (9) a drill through list of the individual entities can be accessed for entity specific information. (This is also true for the Elevate Method column entries where application elevations can be examined in more detail).

Search Filters:

All tables can be filtered on the criteria available from the left-hand filter panel:

Time first reported – The time when the database receives the event.

Time first executed – The time when the event was generated (these dates may differ when working offline).

Path – The location of the application.

Source – The source of the application.

Admin Rights – Whether the application required admin rights or not. (Not available for the Requiring Elevation table).

Ownership – Whether or not the application has trusted ownership (that is, was installed as part of Windows).

Matched – Whether an application matched a rule directly or matched on the parent rule.

Elevate Method – Whether an application required admin rights, was auto-elevated by a workstyle rule or was elevated using the shell integration. (Only available for the Requiring Elevation table).

Challenge / Response – Whether an application was elevated as a result of a successful Challenge / Response message. (Only available for the Requiring Elevation table).


4.4.1. Discovery By Path

This table displays all distinct applications installed within certain locations that have been discovered during the specified time frame:

System – C:\Windows\

Program Files – C:\Program Files\, C:\Program Files (x86)\

User Profiles – C:\Users\
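As an added example (not code from the guide or from the Defendpoint product), the following Python derives the shared Discovery table columns described under Discovery Tables and the Discovery By Path buckets listed above from a few constructed process events. The event field names, the grouping by Description and the case-insensitive prefix match on the path are assumptions made for the example.

```python
# Added example, not code from the Avecto/BeyondTrust guide or the Defendpoint product:
# derive the shared Discovery table columns and the Discovery By Path buckets from
# constructed process events, following the column definitions in the guide.
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Dict, List, Optional

# Location prefixes from the Discovery By Path section (User Profiles is C:\Users\).
PATH_BUCKETS = {
    "System": ("C:\\Windows\\",),
    "Program Files": ("C:\\Program Files\\", "C:\\Program Files (x86)\\"),
    "User Profiles": ("C:\\Users\\",),
}


@dataclass(frozen=True)
class ProcessEvent:
    """One discovered process start; the field names are assumptions for this example."""
    description: str
    publisher: str
    path: str
    user: str
    host: str
    executed: datetime   # when the endpoint generated the event
    reported: datetime   # when the ER database received it (later if the host was offline)
    admin_rights: bool   # whether the application required admin rights


def path_bucket(path: str) -> Optional[str]:
    """Map a path to its Discovery By Path location (case-insensitive), or None.
    Both Program Files prefixes are needed: "C:\\Program Files (x86)\\" does not
    start with "C:\\Program Files\\"."""
    lowered = path.lower()
    for bucket, prefixes in PATH_BUCKETS.items():
        if any(lowered.startswith(prefix.lower()) for prefix in prefixes):
            return bucket
    return None


def discovery_rows(events: List[ProcessEvent]) -> Dict[str, dict]:
    """One row per application Description, with the guide's shared columns."""
    by_app: Dict[str, List[ProcessEvent]] = defaultdict(list)
    for event in events:
        by_app[event.description].append(event)
    rows = {}
    for description, evs in by_app.items():
        per_user = Counter(event.user for event in evs)  # processes started per user
        rows[description] = {
            "Description": description,
            "Publisher": evs[0].publisher,
            "# Users": len(per_user),
            "Median # processes / user": median(per_user.values()),
            "# Hosts": len({event.host for event in evs}),
            "# Processes": len(evs),
            # These two differ when the host was offline when the event was generated.
            "Date first reported": min(event.reported for event in evs),
            "Date first executed": min(event.executed for event in evs),
            "Admin Rights": any(event.admin_rights for event in evs),
            "Location": path_bucket(evs[0].path),
        }
    return rows


def discovery_all(events: List[ProcessEvent]) -> List[dict]:
    """Discovery All: rows ordered by user count descending, then by process count."""
    return sorted(discovery_rows(events).values(),
                  key=lambda row: (row["# Users"], row["# Processes"]), reverse=True)


def discovery_by_path(events: List[ProcessEvent]) -> Dict[str, List[str]]:
    """Discovery By Path: application descriptions grouped by location bucket."""
    buckets: Dict[str, List[str]] = {bucket: [] for bucket in PATH_BUCKETS}
    for row in discovery_all(events):
        if row["Location"] is not None:
            buckets[row["Location"]].append(row["Description"])
    return buckets


NPP = "C:\\Program Files (x86)\\Notepad++\\notepad++.exe"
T = datetime  # shorthand for the constructed timestamps below

# Constructed sample events, not real audit records.
SAMPLE_EVENTS = [
    ProcessEvent("Notepad++", "Notepad++ Team", NPP, "alice", "WS01",
                 T(2016, 4, 1, 9, 0), T(2016, 4, 1, 9, 0), False),
    ProcessEvent("Notepad++", "Notepad++ Team", NPP, "alice", "WS01",
                 T(2016, 4, 1, 10, 0), T(2016, 4, 1, 10, 0), False),
    ProcessEvent("Notepad++", "Notepad++ Team", NPP, "bob", "WS02",
                 T(2016, 4, 2, 8, 0), T(2016, 4, 2, 8, 0), False),
    # Executed offline on 31 March; reported when the laptop reconnected on 1 April.
    ProcessEvent("Vendor Setup", "Example Vendor", "C:\\Users\\carol\\Downloads\\setup.exe",
                 "carol", "LT07", T(2016, 3, 31, 18, 30), T(2016, 4, 1, 8, 5), True),
    ProcessEvent("Windows Command Processor", "Microsoft Corporation",
                 "C:\\Windows\\System32\\cmd.exe", "alice", "WS01",
                 T(2016, 4, 1, 9, 5), T(2016, 4, 1, 9, 5), False),
]
```

Running `discovery_all(SAMPLE_EVENTS)` puts Notepad++ first (two users, three processes, median 1.5 processes per user), and the offline installer is the one row whose Date first reported is later than its Date first executed.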

4.4.2. Discovery By Publisher

This table displays the discovered applications grouped by publisher. Where there is more than one application per publisher the + symbol allows you to expand the entry to examine each application.

4.4.3. Discovery By Type

This table displays the discovered applications broken down by type. Where there is more than one application per type the + symbol allows you to expand the entry to examine each application.

4.4.4. Discovery Requiring Elevation

This table displays the applications that were elevated or required admin rights. This table has two extra filtering options:

Elevate Method – Whether the application required admin rights (detected by enabling privilege monitoring), was auto-elevated or was elevated using shell integration. The column drills through to the Event table which also displays the elevate method.

Challenge / Response – Whether an application was elevated as a result of a successful Challenge / Response message.

4.4.5. Discovery From External Sources

This table displays all applications that have originated from an external source such as the internet or an external drive.

4.4.6. Discovery All

This table lists all applications discovered in the time period, grouped by the application description and ordered by user count descending.


Actions Dashboard

The Actions report breaks down the application activity in the specified time frame by token type. It also lists the most active targets.

Chart Description

All Targets over the last (time interval)

A column chart showing the process control activity broken down by token type (action) over time. Process Control activity incorporates Service Control, URL Sandboxing and Content Control events as well as the Standard Process events. This chart drills through to the Targets All table filtered to the selected type.

By type

A pie chart and table showing all the process control activity within the specified time frame broken down by token type (action). This chart drills through to the Targets All table filtered to the selected type.

Top 10 Targets

A bar chart showing the 10 most used applications by process count. It drills through to the Events All table filtered to the selected application.


4.5.1. Action Report

The Action reports break down the process activity in the specified time frame for a specific token type by target type. They also list the most active targets for the specified token type.

Chart Description

(Action Type) actions over the last (time interval)

A column chart showing the process control activity for the specified token type broken down by target type over time. Process Control activity incorporates Service Control, URL Sandboxing and Content Control events as well as the standard Process events. This chart drills through to the Targets All table filtered to the selected type.

By type

A pie chart and table showing all the process activity within the specified time frame broken down by target type for the specified token type. This chart drills through to the Targets All table filtered to the selected type.

Top 10 targets

A bar chart showing the 10 most used applications by process count for the specified token type. It drills through to the Events All table filtered to the selected application.


Targets Dashboard

The Target report breaks down the application activity in the specified time frame by Target. It also lists the most common activities.

Chart Description

All actions over the last (time interval)

A column chart showing the process control activity broken down by target type over time. Process Control activity incorporates Service Control, URL Sandboxing and Content Control events as well as the Standard Process events. This chart drills through to the Targets All table filtered to the selected type.

By type

A pie chart and table showing all the process activity within the specified time frame broken down by target type. This chart drills through to the Targets All table filtered to the selected type.

Top 10 targets

A bar chart showing the 10 most common activities by process count. A unique activity is defined by its action (token type) and target name. This chart drills through to the Events All table filtered to the selected activity.


4.6.1. Applications Report

The Applications report displays all application activity within the specified time frame by application type. It also displays the most common application activities.

Chart Description

All application activity over the last (time interval)

A column chart showing the application activity broken down by application type over time. A target is defined as an application if it is one of the following: Executable, Windows Store Application, Batch File, Control Panel Applet, Management Console Snap-in, Installer Package, PowerShell Script, Registry Settings or Windows Script. This chart drills through to the Targets All table.

By type

A pie chart and table showing all the application activity within the specified time frame broken down by application type. This chart drills through to the Targets All table.

Top 10 application activities

A bar chart showing the 10 most common application activities by process count. A unique activity is defined by its action (token type) and target name. This chart drills through to the Events All table.


4.6.2. Specific Target Report

The Specific Target reports display the process control activity over the specified time frame broken down by token type for a specific activity type. They also display the most common activities for that activity type.

Chart Description

All (target type) activity over the last (time interval)

A column chart showing the target type activity broken down by token type over time. This chart drills through to the Targets All table.

By type

A pie chart and table showing all the target type activity within the specified time frame broken down by token type. This chart drills through to the Targets All table.

Top 10 application activities

A bar chart showing the 10 most common target type activities by process count. A unique activity is defined by its action (token type) and target name. This chart drills through to the Events All table.


Targets (Grouped) Dashboard

The Targets (Grouped) report allows you to break down all activity by one of four fields: Publisher, Application Group, Message or Workstyle.

Publisher

Target Application Group

Message

Workstyle

Chart Description

All activity by (group by field) over the last (time interval)

A pie chart and table breaking down all process control activity within the specified time frame by the Group By (filter) choice. It drills through to the Targets All table. When grouping by workstyle, the Workstyle Details report can be accessed by clicking on one of the workstyle links.


Workstyles Dashboard

The Workstyles report displays how the different workstyles defined in Defendpoint configurations are being used within the specified time period.


Chart Description

All Workstyles over the last (time interval)

This table shows how many Workstyles, Hosts, Users and Applications match the current filters. It also shows how many of each are in the database in total and the percentage that were matched. The Workstyles, Host and User counts drill through to a list of audits that matched the filters. The Applications count drills through to the Targets All table.

Summary by Process Activity (Target)

This bar chart shows the most active workstyles over the specified time period, broken down by token type. It drills through to the Events All table.

% Coverage by Workstyle

This bar chart shows the percentage of Users and Hosts the most active workstyles cover. The workstyles are ordered by the total number of Users and Hosts affected. Only the top ten are shown. This chart drills through to a list of Users or Hosts affected by the workstyle.

Process coverage by Workstyle

A pie chart breaking down the process activity within the specified time frame by workstyle. It drills down to the Events All table.

Process coverage by Policy

A pie chart breaking down the process activity within the specified time frame by policy. It drills down to the Events All table.

Top 10 Elevated Workstyles

A bar chart showing the top 10 workstyles responsible for the most distinct applications being elevated within the specified time frame. It drills through to the Targets All table.

Top 10 Blocked workstyles

A bar chart showing the top 10 workstyles responsible for the most distinct applications being blocked within the specified time frame. It drills through to the Targets All table.

Top 10 Passive Workstyles

A bar chart showing the top 10 workstyles responsible for the most distinct applications being passively audited within the specified time frame. It drills through to the Targets All table.

Top 10 Custom Token Workstyles

A bar chart showing the top 10 workstyles responsible for the most distinct applications having a custom token applied within the specified time frame. It drills through to the Targets All table.


4.8.1. Workstyles (All) Report

The Workstyles All report shows a table listing all the workstyles that were active within the specified time frame. The most active workstyles are listed first. The event count for each token type is shown along with the total event count. Any number can be clicked to drill through to the Events All table. The Workstyle Name column to the left of each row can be clicked to access the workstyle report.


Users Dashboard

The Users report links to the User Experience report.

4.9.1. User Experience Report

This report shows how users have interacted with Messages, Challenge/Response dialogs and the Shell menu within the specified time range.

Chart Description

User Experience over the last (time interval)

A column chart showing the percentage of users that have experienced each interaction type over the specified time period. It drills through to a list of users.

Message Distribution

A column chart showing how many users have received a certain number of messages per month / day / hour depending on the time interval. It drills through to a list of users.

Messages per action type

A table showing what message types were displayed for Allowed and Blocked actions. It drills through to the Events All table.


4.9.2. Privileged Logons Report

The Privileged Logon report displays how many accounts with Standard rights, Power User rights and Administrator rights have logged in over the specified time frame.

Please refer to the Defendpoint Administration Guide section Collect User Information for guidance on enabling generation of user logon audits.

Chart Description

Privileged Logons over the last (time interval)

A column chart and table showing the number of logons by the different account types over time. It drills through to the User Logons table.

Logons by Account Privilege

A column chart showing the total number of logons by the different account types. It drills through to the User Logons table.

Logons by Account Type

A column chart showing the total number of logons by Domain Accounts and Local Accounts. It drills through to the User Logons table.

Top 10 Logons by Chassis Type

A bar chart showing the total number of logons by the top 10 chassis types. It drills through to the User Logons table.

Top 10 Logons by host Operating System

A bar chart showing the total number of logons by the top 10 host operating systems. It drills through to the User Logons table.


Top 10 Accounts with Admin Rights

A bar chart showing the top 10 accounts with admin rights that have logged into the most host machines. It drills through to the User Logons table.

Top 10 hosts with Admin Rights

A bar chart showing the top 10 host machines which have been logged on to by the most users with Admin Rights. It drills through to the User Logons table.

4.9.3. Privileged Account Protection Report

The Privileged Account Protection report shows any blocked attempts to modify Privileged Accounts over the specified time interval.

Please refer to the Defendpoint Administration Guide section Prohibit Privileged Account Management for a list of Group Accounts that are considered privileged and for guidance on enabling generation of Privileged Account Protection audits.


Chart Description

Privileged Account Protection over the last (time interval)

A line chart showing how many Privileged Account modification blocked events have occurred at each time interval. It drills through to the Privileged Account Protection table.

Table

A table showing the number of Users blocked, the number of Hosts blocked, the number of Applications blocked and the Total number of blocked modifications within the specified time frame. The Count numbers drill through to a list of Users, Hosts and Applications. The Total drills through to the Privileged Account Protection table.

By Privileged Group

A pie chart breaking down the Privileged Account Modification Blocked activity by Windows group name. It drills through to the Privileged Account Protection table.

By Application

A bar chart breaking down the Privileged Account Modification Blocked activity by Application Description. It drills through to the Privileged Account Protection table.

Top 10 users attempting account modifications

A bar chart showing the top 10 Users attempting the most account modifications. It drills through to the Privileged Account Protection table.

Top 10 hosts attempting account modifications

A bar chart showing the top 10 Hosts attempting the most account modifications. It drills through to the Privileged Account Protection table.


Deployments Dashboard

The Deployments report displays which versions of Defendpoint are currently installed across the organisation. It also breaks down the deployments by Operating System, Default Language, Chassis type and Operating System type.

Please refer to the Defendpoint Administration Guide section Collect Host Information for guidance on enabling collection of host information audits.

Chart Description

By Defendpoint Client Version

A bar chart showing the numbers of each Defendpoint Version deployed, as reported within the specified time frame. It drills through to the Deployments table.

By Operating System

A column chart breaking out the deployments by Operating System, as reported within the specified time frame. It drills through to the Deployments table.

By Default Language

A bar chart breaking out the deployments by Default Language, as reported within the specified time frame. It drills through to the Deployments table.

By Chassis Type

A pie chart breaking out the deployments by Chassis type, as reported within the specified time frame. It drills through to the Deployments table.

By Operating System Type

A pie chart breaking out the deployments by Operating System type, as reported within the specified time frame. It drills through to the Deployments table.


Requests Dashboard

This report shows information about user requests that have been raised over the specified time frame. A Blocked message with a reason entered or a cancelled Challenge/Response message is considered to be a request.

Chart Description

All Requests over the last (time interval)

A stacked column chart showing the number of the different request types for the Time Interval. It drills through to the Requests Table.

Requests by Workstyle

A bar chart showing the number of the different request types broken down by Workstyle. It drills through to the Requests Table.

Requests by Activity

A bar chart showing the number of the different request types broken down by Activity Type. It drills through to the Requests Table.

Top 10 Activities Requested

A stacked bar chart showing the number of the different request types broken down by the Target Name. It drills through to the Requests Table.


4.11.1. Requests (All) Report

This report lists all the requests over the specified time period. Filters can be added using the drop-down Filter Panel and the table can be sorted by a specific column by clicking on the vertical arrows next to each column name.

Events Dashboard

This report shows information about the different types of events that have been raised over the specified time frame. It also shows how long it is since the different Hosts raised an event.


Chart Description

Events over the last (time interval)

A stacked column chart showing the number of the different event types for the time interval. It drills through to the Events Table.

Event Types

A bar chart showing how many events of each type have been received within the specified time interval. It drills through to the Events Table.

By Category

A pie chart breaking down the events received within the specified time interval by Category. It drills through to the Events Table.

Time since last endpoint event

A column chart showing the number of endpoints in each Time Since Last Event band. It drills through to a list of Endpoints in the Selected Band.

4.12.1. Events (All) Report

This table lists the 100 most recent events received by the ER database. Filters can be added using the Filter Query page or the Filter Pane on the left, and the table can be sorted by a specific column by clicking on the vertical arrow heads next to each column name. Various fields can be drilled through as described below: (To be implemented)

New event types generated by the sandboxing and content control features are visible in this tabular view alongside other events. The tabular view can be focused on URL or Content events by choosing the relevant item in the filter pane.

Column – Destination

Description – Application details report

User – User details report

Host – Host details report

Workstyle – Workstyle details report

Event Time – Event details report


Help

This link opens the Help file in a new browser tab.


Options

The Options link provides access to database information and actions.

4.14.1. Database Monitoring

The Database Monitoring chart is a graphical representation of the speed that individual reports are being generated by the system.

4.14.2. Caching Options

Caching Options allows you to select and/or clear the caching of query results for 7 Day, 30 Day and 12 Month periods.

For more information on configuring caching, please refer to the ePO Administrators Guide – Configuring the ER Staging Server Task.


Drill-through Reports

Process Events Table

This report lists all the process events within the specified time frame. Select the Events All table and apply the Processes filter. Different columns can be displayed, as described in Reports in Table format.

The Process Control Event Details report for a row can be accessed by clicking on the link in the Description column to the left of each row.

It is intended as a fine detail report to allow further filtering using the Query Filter dialog.


Process Control Event Details

This report gives details about a specific process control event. It can be accessed from the Events All table by selecting the Processes filter. From the Processes table click on the desired process description link to access the Process Details report.

Note: Only processes that match rules in Workstyles are displayed.


Various fields can be drilled through as described below:

Field – Destination

Description – Events All table

Publisher – Events All table

Workstyle – Workstyle details report

Parent process ID – Process event details

User name – User details report

Host name – Host details report

Process parent in “Process Hierarchy” section – Process event details

Process child in “Process Hierarchy” section – Process event details


Application Details

This report shows information about a specific application. It can be accessed from the Targets dashboard. Select the Application filter and drill-down by clicking on the application charts. From the Applications table click on the desired application description link to access the Application Details report.


Chart Description

Details at Top

The details at the top of the report list the Application Description, the Publisher, the minimum and maximum Product Versions, the minimum and maximum File Version, the number of Parent applications found and the number of Children applications found. The parent and child application numbers drill through to the Targets All table.

Table

The table shows the number of Users and Hosts that used this application compared to the total number of Users and Hosts found in the database for the specified time frame. It also shows the number of application processes found compared to the total number of processes found in the database for the specified time frame. The Count numbers drill through to a list of Users, Hosts or Processes.

Last (time interval)

A stacked column chart showing the application activity over the specified time interval broken down by Token Type. It drills through to the Events All table.

Top 10 Users

A bar chart showing the top 10 Users who have started the application the most. It drills through to the Events All table.

Top 10 Hosts

A bar chart showing the top 10 Hosts which have started the application the most. It drills through to the Events All table.

Run method

A pie chart breaking down the application executions by how they were started. It drills through to the Events All table.

Discovery – admin rights required

A pie chart breaking down the application executions by whether admin rights were required or not. It drills through to the Events All table.


Content Control Event Details

This report gives details about a specific content control event. It can be accessed from the Events All table by selecting the Content Control link beneath Event Category in the Filter pane. In the Event Time column click on an Event Time link to access the Content Control Event Details report.


Host Details

This report shows information about Defendpoint activity on a specific Host. It can be accessed by selecting the Workstyles dashboard, drilling through the Hosts Affected field and selecting from the Hosts List.

Chart Description

Table

The table shows the number of Applications, Processes and Users associated with this Host compared to the total number found in the database for the specified time frame. It also shows the number of logons found compared to the total number of logons found in the database for the specified time frame. The applications count drills through to the Targets All table. The processes count drills through to the Events All table. The users count drills through to a list of users that have used the host. The logons count drills through to the User Logons table.

Actions over the last (time interval)

A stacked column chart showing application activity associated with the host over the specified time period, broken down by token type. It drills through to the Targets All table.

Top 10 activities

A bar chart showing the top 10 activities associated with the host ordered by process count. It drills through to the Events All table.

Run method

A pie chart breaking down the host application executions by how they were started. It drills through to the Targets All table.


Discovery – admin rights required

A pie chart breaking down the host application executions by whether admin rights were required or not. It drills through to the Targets All table.

Top 10 users

A bar chart showing the top 10 users of the host by the number of distinct applications started within the specified time frame. It drills through to the Targets All table.

Host Session Details

This report lists the Hosts that have generated Defendpoint Service started events within the specified time period. Filters can be added using the Filter Query dialog and the table can be sorted by a specific column by clicking on the vertical arrow heads next to each column name.

Please refer to the Admin guide section <general rules> for more information on configuring generation of Defendpoint service start events.

The Host Name field drills through to the Host Details report. You can reach this table by drilling through the charts on the Deployments dashboard.

Item List

This report presents a list of items as a stepping stone to the next report. The items could be for example Users, Hosts, Workstyles or Applications. The report can be accessed in a number of ways such as from the Workstyles dashboard by clicking on the Matched Workstyles count at the top. The list can be sorted by clicking on the vertical arrow head at the top of the list. The details of an item can be accessed by clicking on the item link.

Workstyle Details

This report shows information about the activity managed by a specific workstyle over the specified time frame. It can be accessed in a number of ways, such as from the Workstyles All table. Click on the desired Workstyle Name link to access the Workstyle Details report.

Chart Description

Table

The table shows the number of Applications, Processes, Hosts and Users managed by the workstyle compared to the total number found in the database for the specified time frame. The applications count drills through to the Targets All table. The processes count drills through to the Events All table. The hosts count drills through to a list of hosts that the workstyle has managed. The users count drills through to a list of users that the workstyle has managed.

Actions

A stacked column chart showing application activity managed by the workstyle over the specified time period, broken down by token type. It drills through to the Targets All table.

Top 10 applications

A bar chart showing the top 10 applications managed by the workstyle ordered by process count. It drills through to the Events All table.

Top 10 users

A bar chart showing the top 10 users managed by the workstyle ordered by the number of distinct applications started within the specified time frame. It drills through to the Targets All table.

Top 10 hosts

A bar chart showing the top 10 hosts managed by the workstyle ordered by the number of distinct applications started within the specified time frame. It drills through to the Targets All table.

Privileged Account Protection Table

This table lists the privileged account protection events that have occurred within the specified time frame. Filters can be added using the Filter Query dialog. It can be accessed by selecting the Privileged Account Protection report and drilling through the Top 10 Hosts chart. The table can be sorted by a specific column by clicking on the vertical arrow heads next to each column name.

The Host field drills through to the Host Details report. The User field drills through to the User Details report.

User Details

This report shows information about Defendpoint activity by a specific user. It can be accessed by selecting the User Logon filter on Events All table. Click on the Event Time link associated with a user to access the User List and select the appropriate user.

Chart Description

Table

The table shows the number of Applications, Processes and Hosts associated with this user compared to the total number found in the database for the specified time frame. It also shows the number of message definitions seen, compared to the number found in the database for the specified time frame. The applications count drills through to the Targets All table. The processes count drills through to the Events All table. The hosts count drills through to a list of hosts used by the user. The message count drills through to a list of message definitions seen by the user.

Actions over the last (time interval)

A stacked column chart showing application activity associated with the user over the specified time period, broken down by token type. It drills through to the Targets All table.

Top 10 activities

A bar chart showing the top 10 activities associated with the user ordered by process count. It drills through to the Events All table.

Run method

A pie chart breaking down the user’s process executions by how they were started. It drills through to the Targets All table.

Discovery – admin rights required

A pie chart breaking down the user’s process executions by whether admin rights were required or not. It drills through to the Targets All table.

Top 10 hosts

A bar chart showing the top 10 hosts used by the user ordered by the number of distinct applications started within the specified time frame. It drills through to the Targets All table.

User Logons Table

This report shows the detected user logon event information for the specified time frame. It can be accessed in a number of ways, such as by drilling through one of the chart elements from the Privileged Logons dashboard.

Filters can be added using the Filter Query dialog. The table can be sorted by a specific column by clicking on the vertical arrow heads next to each column name. The Host field drills through to the Host Details report. The User field drills through to the User Details report. If there are multiple logon events for a single user within the time frame the individual events can be seen by clicking on the Count column.

Please refer to the admin guide section <general rules> for more information on configuring generation of User Logon audits.

The Purge Tool Utility

Enterprise Reporting includes an optional ER Purge Tool, which allows old data to be purged from the Defendpoint database. The ER Purge Tool can be downloaded from the Avecto website. Once you have installed the ER Purge Tool, it can be run from the Windows Start Menu.

Note: Prior to purging large sets of data, please ensure your SQL transaction logs are able to grow enough to accommodate the purge. It may be necessary to delete data in stages when setting this up for the first time.

For a full description of the ER Purge Tool please refer to the Enterprise Reporting Setup Guide.
