Events, Alerts, and Reports
Events
Deep Security records security Events when a protection module Rule or condition is triggered, and System Events when administrative or system-related Events occur (such as a User signing in or Agent software being upgraded). Events can occur many times a day and do not necessarily require individual attention.
Most Events that take place on a computer are sent to the Deep Security Manager during the next heartbeat operation. The following Events are sent right away if Communication settings allow Relays/Agents/Appliances to initiate communication:
- Smart Scan Server is offline
- Smart Scan Server is back online
- Integrity Monitoring scan is complete
- Integrity Monitoring baseline created
- Unrecognized elements in an Integrity Monitoring Rule
- Elements of an Integrity Monitoring Rule are unsupported on the local platform
- Abnormal restart detected
- Low disk space warning
- Log Inspection offline
- Log Inspection back online
- Reconnaissance scan detected (if the setting is enabled in Policy/Computer Editor > Firewall > Reconnaissance)
By default, the Deep Security Manager collects Event logs from the Agents/Appliances at every heartbeat. The Event data is used to populate the various reports, graphs, and charts in the Deep Security Manager.
Once collected by the Deep Security Manager, Events are kept for a period of time that can be set on the Storage tab of the Administration > System Settings page.
From the main page you can:
- View the properties of an individual event.
- Filter the list. Use the Period and Computer toolbars to filter the list of events.
- Export the event list data to a CSV file.
- View existing Auto-Tagging Rules.
- Search for a particular event.
Additionally, right-clicking an Event gives you the option to:
- Add Tag(s) to this event (See Event Tagging.)
- Remove Tag(s) from this event.
- View the Computer Details window of the computer that generated the log entry.
View Event Properties
Double-clicking an event (or selecting View from the context menu) displays the Properties window for that entry, which shows all the information about the event on one page. The Tags tab displays tags that have been attached to this Event. For more information on Event tagging, see Policies > Common Objects > Other > Tags, and Event Tagging.
Filter the List and/or Search for an Event
Selecting "Open Advanced Search" from the "Search" drop-down menu toggles the display of the advanced search options.
The Period toolbar lets you filter the list to display only those events that occurred within a specific time-frame.
The Computers toolbar lets you organize the display of event log entries by computer groups or computer Policies.
Advanced Search functions (searches are not case sensitive):
- Contains: The entry in the selected column contains the search string
- Does Not Contain: The entry in the selected column does not contain the search string
- Equals: The entry in the selected column exactly matches the search string
- Does Not Equal: The entry in the selected column does not exactly match the search string
- In: The entry in the selected column exactly matches one of the comma-separated search string entries
- Not In: The entry in the selected column does not exactly match any of the comma-separated search string entries
Pressing the "plus" button (+) to the right of the search bar will display an additional search bar so you can apply multiple parameters to your search. When you are ready, press the submit button (at the right of the toolbars with the right-arrow on it).
Export
Clicking Export... exports all or selected events to a CSV file.
Auto-Tagging...
Clicking Auto-Tagging... displays a list of existing Auto-Tagging Rules. (See Event Tagging.)
Alerts
Alerts are created when an unusual situation arises that requires a user's attention (like a User-issued command failing, or a hard disk running out of storage space). There is a pre-defined list of Alerts. Additionally, protection module Rules can be configured to generate Alerts if they are triggered.
If you connect Deep Security to an SMTP server, you can have email notifications sent to Users when specific Alerts are raised.
The Alerts page displays all active Alerts. Alerts can be displayed in a Summary View which will group similar Alerts together, or in List View which lists all Alerts individually. To switch between the two views, use the drop-down menu next to "Alerts" in the page's title.
In Summary View, expanding an Alert panel (by clicking Show Details) displays all the computers (and/or Users) that have generated that particular Alert. (Clicking the computer will display the computer's Details window.)
In Summary View if the list of computers is longer than five, an ellipsis ("...") appears after the fifth computer. Clicking the ellipsis displays the full list. Once you have taken the appropriate action to deal with the Alert, you can dismiss the Alert by selecting the checkbox next to the target of the Alert and clicking the Dismiss link. (In List View, right-click the Alert to see the list of options in the context menu.)
Alerts that can't be dismissed (like "Relay Update Service Not Available") will be dismissed automatically when the condition no longer exists.
Alerts can be of two types: system and security. System Alerts are triggered by System Events (Agent Offline, Clock Change on Computer, etc.). Security Alerts are triggered by Intrusion Prevention, Firewall, Integrity, and Log Inspection Rules. To configure Alerts, click Configure Alerts...
Use the computers filtering bar to view only Alerts for computers in a particular computer group, with a particular Policy, etc.
Reports
Deep Security Manager produces reports in PDF or RTF formats. Most of the reports generated by the Reports page have configurable parameters such as date range or reporting by computer group. Parameter options will be disabled for reports to which they don't apply.
Single Report
Report
The various reports can be output to PDF or RTF format, with the exception of the "Security Module Usage Report" and "Security Module Usage Cumulative Report", which are output as CSV files.
Depending on which protection modules you are using, these reports may be available:
- Alert Report: List of the most common alerts
- Anti-Malware Report: List of the top 25 infected computers
- Attack Report: Summary table with analysis activity, divided by mode
- Computer Report: Summary of each computer listed on the Computers tab
- DPI Rule Recommendation Report: Intrusion Prevention rule recommendations. This report can be run for only one security policy or computer at a time.
- Firewall Report: Record of Firewall Rule and Stateful Configuration activity
- Forensic Computer Audit Report: Configuration of an Agent on a computer
- Integrity Monitoring Baseline Report: Baseline of the host(s) at a particular time, showing Type, Key, and Fingerprinted Date.
- Integrity Monitoring Detailed Change Report: Details about the changes detected
- Integrity Monitoring Report: Summary of the changes detected
- Intrusion Prevention Report: Record of Intrusion Prevention rule activity
- Log Inspection Detailed Report: Details of log data that has been collected
- Log Inspection Report: Summary of log data that has been collected
- Recommendation Report: Record of recommendation scan activity
- Security Module Usage Cumulative Report: Current computer usage of protection modules, including a cumulative total and the total in blocks of 100
- Security Module Usage Report: Current computer usage of protection modules
- Summary Report: Consolidated summary of Deep Security activity
- Suspicious Application Activity Report: Information about suspected malicious activity
- System Event Report: Record of system (non-security) activity
- System Report: Overview of Computers, Contacts, and Users
- User and Contact Report: Content and activity detail for Users and Contacts
- Web Reputation Report: List of computers with the most web reputation events
You can also add an optional Classification to PDF or RTF reports: BLANK, TOP SECRET, SECRET, CONFIDENTIAL, FOR OFFICIAL USE ONLY, LAW ENFORCEMENT SENSITIVE (LES), LIMITED DISTRIBUTION, UNCLASSIFIED, INTERNAL USE ONLY.
Tag Filter
When you select a report that contains event data, you have the option to filter the report data using Event Tags. Select All for all events, Untagged for only untagged events, or select Tag(s) and specify one or more tags to include only those events with your selected tag(s).
Time Filter
You can set the time filter for any period for which records exist. This is useful for security audits.
Time filter options:
- Last 24 Hours: Includes events from the past 24 hours, starting and ending at the top of the hour. For example if you generate a report on December 5th at 10:14am, you will get a report for events that occurred between December 4th at 10:00am and December 5th at 10:00am.
- Last 7 Days: Includes events from the past week. Weeks start and end at midnight (00:00). For example if you generate a report on December 5th at 10:14am, you will get a report for events that occurred between November 28th at 0:00am and December 5th at 0:00am.
- Previous Month: Includes events from the last full calendar month, starting and ending at midnight (00:00). For example, if you select this option on November 15, you will receive a report for events that occurred between midnight October 1 and midnight November 1.
- Custom Range: Enables you to specify your own date and time range for the report. In the report, the start time may be changed to midnight if the start date is more than two days ago.
Reports use data stored in counters. Counters are data aggregated periodically from Events. Counter data is aggregated on an hourly basis for the most recent three days. Data from the current hour is not included in reports. Data older than three days is stored in counters that are aggregated on a daily basis. For this reason, the time period covered by reports for the last three days can be specified at an hourly level of granularity, but beyond three days, the time period can only be specified on a daily level of granularity.
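The Time Filter rules above, worked through as an added example (not part of the product documentation or the product's own code): it computes the window each fixed option covers and lists which events from a set fall outside it, which is what an auditor needs to know before relying on a report. The function names, the half-open `[start, end)` boundary, and the sample events and year are assumptions made for illustration.

```python
from datetime import datetime, timedelta

def last_24_hours(now):
    # Starts and ends at the top of the hour; the current hour is excluded.
    end = now.replace(minute=0, second=0, microsecond=0)
    return end - timedelta(hours=24), end

def last_7_days(now):
    # Starts and ends at midnight (00:00); the current day is excluded.
    end = now.replace(hour=0, minute=0, second=0, microsecond=0)
    return end - timedelta(days=7), end

def previous_month(now):
    # Last full calendar month, midnight to midnight (also correct in January).
    end = now.replace(day=1, hour=0, minute=0, second=0, microsecond=0)
    start = (end - timedelta(days=1)).replace(day=1)
    return start, end

WINDOWS = {
    "Last 24 Hours": last_24_hours,
    "Last 7 Days": last_7_days,
    "Previous Month": previous_month,
}

def uncovered_events(events, option, now):
    # Assumption: the window is half-open, [start, end).
    start, end = WINDOWS[option](now)
    return [name for ts, name in events if not (start <= ts < end)]

# Constructed sample events; the year is arbitrary.
SAMPLE_EVENTS = [
    (datetime(2023, 12, 4, 9, 59), "Low disk space warning"),
    (datetime(2023, 12, 4, 10, 0), "Abnormal restart detected"),
    (datetime(2023, 12, 5, 9, 59), "Log Inspection offline"),
    (datetime(2023, 12, 5, 10, 5), "Reconnaissance scan detected"),
]

if __name__ == "__main__":
    now = datetime(2023, 12, 5, 10, 14)  # report generated Dec 5 at 10:14am
    for option, window in WINDOWS.items():
        start, end = window(now)
        missed = uncovered_events(SAMPLE_EVENTS, option, now)
        print(f"{option}: {start} -> {end}; not covered: {missed}")
```

An event recorded a few minutes before the report is generated sits in the current hour and is absent from the report, so schedule audit reports after the period of interest has fully closed.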
Computer Filter
Set the computers whose data will be included in the report.
- All Computers: Every computer in Deep Security Manager
- My Computers: If the signed in User has restricted access to computers based on their User Role's rights settings, these are the computers the signed in User has view access rights to.
- In Group: The computers in a Deep Security Group.
- Using Policy: The computers using a specific protection Policy.
- Computer: A single computer.
Encryption
Reports can be protected with the password of the currently signed in User or with a new password for this report only.
- Disable Report Password: Report is not password protected.
- Use Current User's Report Password: Use the current User's PDF report password. To view or modify the User's PDF report password, go to Administration > User Management > Users > Properties > Settings > Reports.
- Use Custom Report Password: Create a one-time-only password for this report. The password does not have any complexity requirements.
To generate a report on specific computers from multiple computer groups, create a User who has viewing rights only to the computers in question and then either create a Scheduled Task to regularly generate an "All Computers" report for that User or sign in as that User and run an "All Computers" report. Only the computers to which that User has viewing rights will be included in the report.
Recurring Reports
Recurring Reports are simply Scheduled Tasks that periodically generate and distribute Reports to any number of Users and Contacts. Most of the options are identical to those for single reports, with the exception of Time Filter, which looks like this:
- Last [N] Hour(s): When [N] is less than 60, the start and end times will be at the top of the specified hour. When [N] is more than 60, hourly data is not available for the beginning of the time range, so the start time in the report will be changed to midnight (00:00) of the start day.
- Last [N] Day(s): Includes data from midnight [N] days ago to midnight of the current day.
- Last [N] Week(s): Includes events from the last [N] weeks, starting and ending at midnight (00:00).
- Last [N] Month(s): Includes events from the last [N] full calendar month(s), starting and ending at midnight (00:00). For example, if you select "Last 1 Month(s)" on November 15, you will receive a report for events that occurred between midnight October 1 and midnight November 1.
Reports use data stored in counters. Counters are data aggregated periodically from Events. Counter data is aggregated on an hourly basis for the most recent three days. Data from the current hour is not included in reports. Data older than three days is stored in counters that are aggregated on a daily basis. For this reason, the time period covered by reports for the last three days can be specified at an hourly level of granularity, but beyond three days, the time period can only be specified on a daily level of granularity.
For more information on Scheduled Tasks, see the online help at Administration > Scheduled Tasks.