Symantec Security Information Manager 4.5 Reporting Guide





The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version 1.0

Legal Notice

Copyright 2007 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
20330 Stevens Creek Blvd.
Cupertino, CA 95014
http://www.symantec.com

Printed in the United States of America.

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product feature and function. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's maintenance offerings include the following:

- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and web-based support that provides rapid response and up-to-the-minute information
- Upgrade assurance that delivers automatic software upgrade protection
- Global support that is available 24 hours a day, 7 days a week
- Advanced features, including Account Management Services

For information about Symantec's Maintenance Programs, you can visit our Web site at the following URL: www.symantec.com/techsupp/

Contacting Technical Support

Customers with a current maintenance agreement may access Technical Support information at the following URL: www.symantec.com/techsupp/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem.

When you contact Technical Support, please have the following information available:

- Product release level
- Hardware information
- Available memory, disk space, and NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description:
  - Error messages and log files
  - Troubleshooting that was performed before contacting Symantec
  - Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: www.symantec.com/techsupp/

Customer service

Customer service information is available at the following URL: www.symantec.com/techsupp/

Customer Service is available to assist with the following types of issues:

- Questions regarding product licensing or serialization
- Product registration updates such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade assurance and maintenance contracts
- Information about the Symantec Buying Programs
- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs or manuals

Maintenance agreement resources

If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:

- Asia-Pacific and Japan: contractsadmin@symantec.com
- Europe, Middle-East, and Africa: semea@symantec.com
- North America and Latin America: supportsolutions@symantec.com

Additional Enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively.

Enterprise services that are available include the following:

- Symantec Early Warning Solutions: These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.
- Managed Security Services: These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.
- Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.
- Educational Services: Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about Enterprise services, please visit our Web site at the following URL: www.symantec.com

Select your country or language from the site index.

Contents

Technical Support

Chapter 1 Introducing Symantec Security Information Manager reporting
  About Symantec Security Information Manager reporting ... 9
  Components of Symantec Security Information Manager reporting ... 10
  About Symantec Security Information Manager queries ... 10
  About Symantec Security Information Manager reports ... 11
  Where to get more information about Symantec Security Information Manager ... 11

Chapter 2 Understanding Symantec Security Information Manager queries
  About the predefined System queries ... 13
  What you can do with Symantec Security Information Manager queries ... 15
  Using the query features ... 15

Chapter 3 Understanding Symantec Security Information Manager reports
  About Symantec Security Information Manager reports ... 17
  Using the report creation tools ... 20
  Example: Creating a simple network health report ... 20

Chapter 4 System queries reference ... 27
  All folder ... 28
  Compliance folder ... 28
  Templates folder ... 50
  Product folder ... 51
  SSIM folder ... 59
  folder ... 63
  queries ... 76
  Custom queries ... 82
  Summary queries ... 90

Index

Chapter 1 Introducing Symantec Security Information Manager reporting

This chapter includes the following topics:

- About Symantec Security Information Manager reporting
- Components of Symantec Security Information Manager reporting
- Where to get more information about Symantec Security Information Manager

About Symantec Security Information Manager reporting

Symantec Security Information Manager provides a rich set of query and reporting tools that allow you to collect and present data in a format that meets the needs of your organization. Queries are used to retrieve data from the system for viewing events, displaying information on the dashboard, and building reports. Reports are designed, previewed, and scheduled from the Information Manager console. Numerous predefined queries are provided with Information Manager that can help you get started with building your own queries and reports. The query and reporting features allow you to distill the data that Information Manager gathers into the pieces of information that are most important to you.

Components of Symantec Security Information Manager reporting

The key components of reporting are queries and reports. Queries are accessible from the Events tab in the system console. Reports are accessible from the Reports tab in the system console. Queries and reports are saved in the System directory under default top-level folders, which determine how the files can be used for reporting.

About Symantec Security Information Manager queries

Queries are used to retrieve data from the system for viewing events, displaying information on the dashboard, and building reports. Reports are designed, previewed, and scheduled from the Information Manager console. Numerous predefined queries are provided with Information Manager that can help you get started with building your own queries and reports. For more information on working with queries, see the Symantec Security Information Manager Administrator's Guide or the Symantec Security Information Manager User's Guide.

About the query folders

Information Manager includes the following groups of queries:

- My Queries
- Published Queries
- System Queries

My Queries is a folder in the directory where queries are saved. These queries are only accessible by the user who created the query. Queries saved as My Queries can be used in the user dashboard or My Reports.

Published Queries is a folder in the directory where queries can be saved and shared. These queries are accessible by all system users. Queries saved as Published Queries can be used in the dashboard or Published Reports.

System Queries is a folder in the directory where predefined queries that are distributed with Information Manager are stored. These queries are accessible by all system users, but cannot be modified. System Queries can be used as templates for queries that are saved as My Queries or Published Queries in the directory. The System Queries provided are grouped into sub-folders by topics of interest such as by product, compliance, or security.

About Symantec Security Information Manager reports

The Information Manager console includes an interface to design, preview, and distribute reports. You can create reports by inserting queries and graphics, and by specifying other elements in a report template. For example, you could set up headers and footers, add your company logo, specify the report color scheme, select fonts, and so forth. The default, top-level folders are My Reports and Published Reports.

About the Reports folders

Information Manager includes the following groups of reports:

- My Reports
- Published Reports

My Reports is a folder in the directory where reports can be saved. These reports are only accessible by the user who created the report. Queries saved as My Queries, Published Queries, and System Queries can be used in reports saved as My Reports.

Published Reports is a folder in the directory where reports can be saved and shared. These reports are accessible by all system users. Queries saved as Published Queries or System Queries can be used in reports saved as Published Reports.

Where to get more information about Symantec Security Information Manager

This guide provides an overview of the query and report creation features of Information Manager as well as a query reference to facilitate customization. For more details, including step-by-step instructions on how to use the query and reports features that are available in the Information Manager console, see the following:

- Symantec Security Information Manager User's Guide
- Symantec Security Information Manager Administrator's Guide


Chapter 2 Understanding Symantec Security Information Manager queries

This chapter includes the following topics:

- About the predefined System queries
- What you can do with Symantec Security Information Manager queries

About the predefined System queries

In the Information Manager console, on the Events page, the System folder contains numerous predefined queries that you can use as query templates. Use these templates to create customized queries that are suitable for your environment.

Note: You cannot edit a query in the System folder. You must first move the query to the My Queries folder, either by exporting and then importing the query into the My Queries folder, or by dragging and dropping the query into that folder. You can also edit queries in the Published Queries folder.

Figure 2-1 My Queries folder

Table 2-1 shows how the queries are organized within the System folder and describes each query group.

Table 2-1 Predefined query groups

- All: This general category currently contains only one query: Event Counts by Severity Last 7 Days.
- Compliance: This group contains subgroups of queries, one subgroup for each regulatory standard. Many of these subgroups are divided into further subcategories of compliance types.
- Templates: This group contains event queries that you can use to meet your organization's compliance needs. Premium collectors populate these queries with data. products do not populate these queries.
- Product: This group contains subgroups of queries for the most common collectors, for example, Symantec Client Security.
- SSIM: These queries are specific to Information Manager, and they are organized into product function subgroups. For example, the Incidents subgroup contains queries that let you examine incident activity that is sorted in various ways.
- This group contains event queries, which are grouped by the device types that report the events, for example, intrusion devices.

In many cases, the predefined queries require editing to meet your needs. To edit a query in the My Queries folder, you can right-click the query and select Edit Query... to change the properties for that query. For example, the default time range in a query may be the previous 7 days. If you want the query to display data for the previous 30 days, you can edit the query to meet your requirements.

Query names must contain only alphanumeric characters. Because some predefined query names contain non-alphanumeric characters, you must edit these query names before you can import them into My Queries or Published Queries. To edit a query name, export the query, then open the QML file in a text editor such as WordPad. Edit the filename in the line called <query_filename>. Then import the query file into the desired query folder. For more information, see the Symantec Security Information Manager Administrator's Guide or the Symantec Security Information Manager User's Guide.

What you can do with Symantec Security Information Manager queries

Using the query features

The queries that Symantec Security Information Manager provides include hundreds of preconfigured, customizable queries and templates that can be used to analyze business aspects such as compliance and risk management. The queries return data in a meaningful, concise, and customizable format that can be viewed from the Information Manager dashboard, dropped into a report, and distributed. The query functions that Information Manager provides include hundreds of preconfigured queries that can be customized to aggregate and filter data. Symantec Security Information Manager uses a combination of and language to gather and filter relevant data.

Using the data querying tools that Information Manager provides, you can perform tasks such as the following:

- Use many of the preconfigured queries without a need to customize the settings.
- Customize an existing query by dropping it into the My Queries folder and changing the parameters.
- Use the Query Wizard to create a new query that focuses on the data fields and settings you choose. The Query Wizard can be used to create a query that returns event or summary data, or it can be used to create a new query using.
- Import and export queries that can be saved or shared.
- Publish queries to other Information Manager users.
- Organize queries into query groups that are relevant to your organization.
- Change the appearance of the query results by changing the chart properties.

For more information on working with queries, see the Symantec Security Information Manager Administrator's Guide.
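The export, edit <query_filename>, import procedure for query names with non-alphanumeric characters can be checked and automated before the file is imported. The following Python script is an added example, not code from the Symantec guide; it assumes the exported QML is XML with a <query_filename> element somewhere in the tree (only the element name comes from the guide, the surrounding elements in the sample are constructed) and that exported names carry a .qml extension, which it preserves while stripping every other non-alphanumeric character.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of an exported query file. Only <query_filename> is
# named in the guide; <query_name> and <time_range> are assumed for illustration.
SAMPLE_QML = """<query>
  <query_name>Event Counts by Severity - Last 7 Days</query_name>
  <query_filename>Event Counts by Severity - Last 7 Days.qml</query_filename>
  <time_range>R 604800</time_range>
</query>
"""

NON_ALNUM = re.compile(r"[^A-Za-z0-9]")


def sanitize_name(name: str) -> str:
    """Reduce a query filename to [A-Za-z0-9], keeping a trailing .qml extension.

    Assumption: exported names carry the .qml extension; everything before it is
    stripped of spaces, dashes and other characters the import rejects.
    """
    stem, ext = name, ""
    if name.lower().endswith(".qml"):
        stem, ext = name[:-4], name[-4:]
    cleaned = NON_ALNUM.sub("", stem)
    if not cleaned:
        raise ValueError("query filename has no alphanumeric characters: %r" % name)
    return cleaned + ext


def find_filename_element(root: ET.Element) -> ET.Element:
    """Locate <query_filename> at any depth (the guide does not state where it sits)."""
    elem = root if root.tag == "query_filename" else root.find(".//query_filename")
    if elem is None:
        raise ValueError("no <query_filename> element in QML")
    return elem


def needs_fix(qml_text: str) -> bool:
    """True when the stored filename would be rejected on import."""
    name = (find_filename_element(ET.fromstring(qml_text)).text or "").strip()
    return sanitize_name(name) != name


def fix_query_filename(qml_text: str):
    """Rewrite <query_filename>; return (new QML text, original name, sanitized name)."""
    root = ET.fromstring(qml_text)
    elem = find_filename_element(root)
    old = (elem.text or "").strip()
    new = sanitize_name(old)
    elem.text = new
    return ET.tostring(root, encoding="unicode"), old, new


if __name__ == "__main__":
    text, old, new = fix_query_filename(SAMPLE_QML)
    print("renamed %r -> %r" % (old, new))
    print(text)
```

Run needs_fix() over every exported file before importing into My Queries or Published Queries, and fix_query_filename() only on the ones it flags, so queries that already comply are left byte-for-byte unchanged.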

Chapter 3 Understanding Symantec Security Information Manager reports

This chapter includes the following topics:

- About Symantec Security Information Manager reports
- Using the report creation tools

About Symantec Security Information Manager reports

Symantec Security Information Manager provides a rich set of report creation tools that allow you to represent multiple, related sets of query data in the format you choose. To create a report, you can use the Information Manager reports page to assemble the data that you want to present, and format the document to meet your company standards. A report can be as simple as a single query with no formatting, or as complex as dozens of queries that are wrapped in a branded, organized format.

Using the reports features, you can create reports by inserting queries, graphics, and other elements in a report template. Examples of customizations include the ability to add graphics such as your company brand, add header and footer information, create a specific color scheme, select fonts, and so forth.

Figure 3-1 Reports Design view

After you have created a report, you can share the report format with other users by publishing it. By default, a report is private in the Information Manager interface, meaning that it is only visible to the user that created it. Publishing a report places the report in the Published Reports folder, which makes it available to other Information Manager users.

After a report has been placed in the Published Reports folder, you can use the features on the Distribute tab to schedule and send a report to the recipients you specify. To distribute the report, you can schedule a report for email delivery to specified recipients. You can also export the report as an .rml file, which can then be distributed to be imported by another user, or saved as a backup copy.

Figure 3-2 Reports Distribute view

The flexibility of the reports feature provides a means to create customized reports that describe multiple sets of data in a single document. Most organizations employ a combination of query information to determine the overall state of the network. For example, an auditor may need to see a report that describes both the number of computers that are compliant with specific PCI regulations, as well as vulnerability data for those computers. Using the reporting tools provided, Information Manager reports can be customized to reflect a meaningful correlation of that data in a report. For more information on working with reports, see the Symantec Security Information Manager Administrator's Guide or the Symantec Security Information Manager User's Guide.

Using the report creation tools

Using the completely customizable report creation tools that Information Manager provides, you can create concise reports that represent security data in an understandable format. Using queries to populate an Information Manager report, you can create any report that you need, from compliance reports that are branded with your company logo to risk management reports that summarize the most important security risks on the network. The Reports tab in the Information Manager console allows you to design, preview, save, and distribute reports that you create. A report can be as simple as a single query dropped onto a page, or as complex as a full-featured report that includes the company brand, relevant contextual information, and multiple queries that are within the scope of the report. For more information on working with the report creation features, see About Symantec Security Information Manager reports.

Example: Creating a simple network health report

The following example describes a real-world situation for which the Information Manager query and reporting features can be effectively used. In the scenario, the security administrator must compile a series of reports that describe the overall health of the network.

Identify the requirements

As part of the request from management, the security administrator must compile a report from Information Manager that includes visual representations of the following:

- Top 10 viruses
- Top 20 security threats
- Viruses detected
- Email viruses
- Most vulnerable computers in the enterprise
- Times of day that firewalls are under the most stress

Divide the requirements into logical groups

The data for each item in the request can be acquired using the queries that are available in the Information Manager console. By analyzing the requirements, the security administrator divides the list into the following categories:

- Antivirus queries
- Vulnerability data queries
- Firewall data queries
- Intrusion detection (IDS) queries

Identify and customize the applicable queries in Information Manager

Information Manager provides queries that supply the data that is needed. Each of the queries is fully customizable. In this case, the security administrator adjusts the following settings where necessary:

- Visual representation of data
- Filter based on specific product

To adjust the queries, the security administrator moves each query to the My Queries folder and adjusts the parameters. To move a query to the My Queries folder, in the left pane of the Events page, drag and drop the query from the System folder to the My Queries folder. In this case, the security administrator creates a subfolder named Sample network health queries in the My Queries folder, and stores the copy of each query in this subfolder.

Figure 3-3 Sample network health queries folder

For example, the security administrator decides to edit the presentation of the Top 10 Virus query. After the Top 10 Virus query is moved into the Critical reports subfolder, the security administrator right-clicks the query and chooses Edit Query...

Figure 3-4 Choosing Edit Query from the right-click menu

In the Edit Event Query dialog box, the Filter Criteria tab shows that the query is configured to use data from the last 30 days, and it is based on the Event ID equaling Virus. The security administrator decides that these parameters meet the requirements for this report.

In the Edit Event Query dialog box, on the Chart Properties tab, the security administrator decides to change the visual properties of the data. The security administrator customizes the title and changes the Chart Type to Pie.

Figure 3-5 Chart properties view

For each query that is used, the security administrator repeats these steps, depending on the parameters and visual options that are most effective.

Prepare the report

After the queries have been customized, the security administrator creates the report. To create the report, the security administrator does the following:

- In the Reports pane, create a new report.
- Insert the queries in the preferred display order.
- Customize the header and footer.
- Adjust the query display elements, such as the column width that is used in each table and the colors that are used in each chart.
- Preview the report to verify that the output is what is expected.

Figure 3-6 Reports Preview view

Distribute the report

After the security administrator has configured the report with the desired queries and customizations, the report is distributed. To distribute the report, the security administrator does the following:

- Set the distribution methods.
- Save the report.

Figure 3-7 Reports Distribute view

Chapter 4 System queries reference This chapter includes the following topics: queries Custom queries Summary queries The s in this section provide detailed information about the system queries. This information will be helpful as you decide which queries you want to adapt for your own use. Note: The s in this section describe the queries that are available with the current release of Symantec Information Manager, including the most recent updates. If you do not see some of these queries in the console, you may not have the most recent updates installed. You may need to run additional scripts to access all of the queries, such as the compliance queries. For more information, see the Readme documentation that is included with the most recent update. The s describe the queries in each subfolder under System. In addition, there are specialized s for several s of queries: Each query that contains in the column also has an entry in Table 4-12, which shows the field that is substituted for N in the query.

Each query that contains Custom in the column also has an entry in Table 4-13, which shows the database that the query uses. Each query that contains Summary in the column also has an entry in Table 4-14, which shows the summary that the query uses.

Note: The time range of some queries is expressed in relative seconds. For example, a value of R 86400 equals relative 86400 seconds, or 1 day (24 hours).

All folder

Table 4-1 describes the contents of the All folder.

Table 4-1 All folder
Query | Criteria | Time range
Event Counts by Severity Last 7 Days | not applicable | Current -7 days

The folder contains subgroups of queries, one subgroup for each regulatory standard. Many of these subgroups are divided into further compliance subcategories.

FISMA queries in the folder

Table 4-2 describes the contents of the FISMA subfolder. The time range column sometimes contains the letter R followed by a number. This value represents the duration of the query as a relative number of seconds. For example, a value of R 86400 equals relative 86400 seconds, or 1 day (24 hours).

Table 4-2 FISMA queries in the folder
Folder | Query | Criteria
FISMA | Administrative Access to Systems | Event Code = 733, 39770, or Windows username = Administrator and product id =3105
FISMA | Application Access | Event Code = 39747 or 39748
FISMA | Audit Policy Changes | Event Code = 1525
FISMA | Disabled Accounts | Event Code = 2894
FISMA | File and Directory Access | Event Code = 765, 38765, 38768, 38676, 3788, 3789, 3790, 3791, 3792, 20280, 11501, 12985, 1560, 38845
FISMA | Logon Failures | event id = 512004 or Event Code = 707, 645, 708, 785, 779, 1535, 3988, 2708, 39768, 1246, 3237, 12780 OR intrusion_action = 1037213 and intrusion outcome = 1027204, OR event_detail_id=747201 or 517219 or 517226 OR event_id = 512007
FISMA | User Account Management Changes | Event Code = 44111, 719, 762, 757, 2322, 2894, 758, 759, 1559, 38765, 771, 38766, 1553 OR event_class=1071000 and target_resource=/people/ and event_id is not 1072000 or 1072001
FISMA | User Logins | event id = 1072000, or Event Code= 2931, 3708, 3960, 38755, 41543, 40574, 11357, 777, 10532, 733, 623, 3103, 3733, 10423, 1564, 3105, 12775, or 4466
FISMA | User Logouts | vendor code =:538, event id = 1072001, or Event Code = 720, or intrusion action= 1037214
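The criteria column is a free-form boolean expression over normalized event fields, and the time range column is either "all" or a relative window such as R 86400. The following Python is an added example, not code from the guide: it transcribes the FISMA Logon Failures row into a predicate and applies the relative window to constructed sample events. The field names (event_id, event_code, intrusion_action, intrusion_outcome, event_detail_id, event_time) are assumptions modelled on the criteria text, and the transcription assumes "and" binds tighter than "or", which the table does not state.

```python
from datetime import datetime, timedelta, timezone

# Fixed reference time so the constructed sample is deterministic (assumption).
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)

# Constructed sample events. Field names are assumptions modelled on the
# criteria column of Table 4-2, not the product's actual schema.
SAMPLE_EVENTS = [
    # generic failed-login event id, 2 hours old: inside a 1-day window
    {"id": 1, "event_id": 512004, "event_time": NOW - timedelta(hours=2)},
    # vendor event code match, 3 days old: outside a 1-day window
    {"id": 2, "event_code": 707, "event_time": NOW - timedelta(days=3)},
    # authentication attempt with failure outcome: both halves of the "and" hold
    {"id": 3, "intrusion_action": 1037213, "intrusion_outcome": 1027204,
     "event_time": NOW - timedelta(minutes=5)},
    # authentication attempt with a different outcome: the "and" does not hold
    {"id": 4, "intrusion_action": 1037213, "intrusion_outcome": 1027203,
     "event_time": NOW - timedelta(minutes=5)},
    # event detail id match, 20 hours old: inside a 1-day window
    {"id": 5, "event_detail_id": 517226, "event_time": NOW - timedelta(hours=20)},
    # successful authentication id: not a logon failure
    {"id": 6, "event_id": 512003, "event_time": NOW - timedelta(hours=1)},
]

# Event Code values listed in the FISMA Logon Failures row of Table 4-2.
FISMA_LOGON_FAILURE_CODES = {707, 645, 708, 785, 779, 1535, 3988, 2708,
                             39768, 1246, 3237, 12780}


def parse_time_range(value):
    """Translate the time range column: 'R 86400' is a relative window of
    86400 seconds; 'all' (or an empty cell) means no lower bound (None)."""
    value = (value or "all").strip()
    if value.lower() == "all":
        return None
    tag, _, seconds = value.partition(" ")
    if tag.upper() != "R" or not seconds.isdigit():
        raise ValueError(f"unsupported time range: {value!r}")
    return timedelta(seconds=int(seconds))


def fisma_logon_failure(ev):
    """Predicate for the FISMA Logon Failures criteria:
    event id = 512004 or Event Code in the listed codes
    OR intrusion_action = 1037213 and intrusion outcome = 1027204
    OR event_detail_id = 747201, 517219 or 517226
    OR event_id = 512007
    The 'and' clause is grouped explicitly (assumed precedence)."""
    return (
        ev.get("event_id") in (512004, 512007)
        or ev.get("event_code") in FISMA_LOGON_FAILURE_CODES
        or (ev.get("intrusion_action") == 1037213
            and ev.get("intrusion_outcome") == 1027204)
        or ev.get("event_detail_id") in (747201, 517219, 517226)
    )


def run_query(events, predicate, time_range="all", now=NOW):
    """Apply the relative window first, then the criteria predicate.
    Returns the ids of matching events in their original order."""
    window = parse_time_range(time_range)
    cutoff = None if window is None else now - window
    return [
        ev["id"] for ev in events
        if (cutoff is None or ev["event_time"] >= cutoff) and predicate(ev)
    ]


if __name__ == "__main__":
    print(run_query(SAMPLE_EVENTS, fisma_logon_failure, "R 86400"))  # [1, 3, 5]
    print(run_query(SAMPLE_EVENTS, fisma_logon_failure, "all"))      # [1, 2, 3, 5]
```

When adapting a system query, confirm the intended grouping of mixed "and"/"or" clauses against the actual query definition in the console, since the printed criteria omit parentheses.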

GLBA queries in the folder

Table 4-3 describes the contents of the GLBA subfolder. The time range column sometimes contains the letter R followed by a number. This value represents the duration of the query as a relative number of seconds. For example, a value of R 86400 equals relative 86400 seconds, or 1 day (24 hours).

Table 4-3 GLBA queries in the folder
Folder | Query | Criteria
GLBA | Logon Failures | event id = 512004 or Event Code = 707, 645, 708, 785, 779, 1535, 3988, 2708, 39768, 1246, 3237, 12780 OR intrusion_action = 1037213 and intrusion outcome = 1027204, OR event_detail_id=747201 or 517219 or 517226 OR event_id = 512007
GLBA | User Logoff | event id = 1072000, or Event Code= 2931, 3708, 3960, 38755, 41543, 40574, 11357, 777, 10532, 733, 623, 3103, 3733, 10423, 1564, 3105, 12775, or 4466
GLBA | User Logon | vendor code =:538, event id = 1072001, or Event Code = 720, or intrusion action= 1037214

HIPAA queries in the folder

Table 4-4 describes the contents of the HIPAA subfolder. The time range column sometimes contains the letter R followed by a number. This value represents the duration of the query as a relative number of seconds. For example, a value of R 86400 equals relative 86400 seconds, or 1 day (24 hours).

Table 4-4 HIPAA queries in the folder
Folder | Query | Criteria | Time range | Query type
HIPAA > Administrative Safeguards | Open Incident Aging | status <> 2 | all | sql
HIPAA > Administrative Safeguards | Closed Incidents by Disposition | WHERE STATUS = 2 | N/A | sql
HIPAA > Administrative Safeguards | Open vs Closed Incident Count by Creation Date Last 7 Days | case when status = 0 or status = 1 or status = 2 | creation_time >= (current timestamp - 7 DAYS) | sql
HIPAA > Administrative Safeguards | Opened Incident Count by Creation Date | case when status = 0 or status = 1 | creation_time >= (current timestamp - 7 DAYS) | sql
HIPAA | Account Information Failed | status id 1937201 and Event Code = 42488, 41456 | |
HIPAA | Account Integrity Failed | status id 1937201 and Event Code = 41457 | |
HIPAA | Audit Logs Access | Event Code =38764 or 39628 | |
HIPAA | Configuration and Policy Changes | Event Code = 1525 | |
HIPAA | Configuration and Policy Changes on Windows | Vendor signature=:612 | |
HIPAA | File Attributes and Watch Failed | compliance status = 1937201 and Event Code = 41461 or 41708 | |

Table 4-4 HIPAA queries in the folder (continued)
Folder | Query | Criteria | Time range | Query type
HIPAA | Logon Failures | event id = 512004 or Event Code = 707, 645, 708, 785, 779, 1535, 3988, 2708, 39768, 1246, 3237, 12780 OR intrusion_action = 1037213 and intrusion outcome = 1027204, OR event_detail_id=747201 or 517219 or 517226 OR event_id = 512007 | |
HIPAA | Network Integrity and Complexity Failed | Event Code = 42476, 42485, 42493, 42536 and compliance status = 1937201 | |
HIPAA | OS Patches Failed | Event Code= 41467 and compliance status=1937201 | |
HIPAA | Object Access | event id = 302004, 302002, 302003, 302004, 302005, 1072012, 1072008, 1072010, 1072009, 1072011 OR Event Code = 39745, 39744, 39746, 39743 | |
HIPAA | Password Changes | Event Code = 718 | |
HIPAA | Privilege Use | Event Code = 733, 734, 39770, 42823, 41543, 10560 684 or product = 3105 and windows user=administrator | |
HIPAA | Strong Authentication and Password Policy Failed | Event Code = 41460, 41454 or 42491 and compliance status=1937201 | |
HIPAA | System Auditing Failed | Event Code = 41455 and compliance status=1937201 | |
HIPAA | User Logins | event id = 1072000, or Event Code= 2931, 3708, 3960, 38755, 41543, 40574, 11357, 777, 10532, 733, 623, 3103, 3733, 10423, 1564, 3105, 12775, or 4466 | |

Table 4-4 HIPAA queries in the folder (continued)
Folder | Query | Criteria | Time range | Query type
HIPAA | User Logouts | vendor code =:538, event id = 1072001, or Event Code = 720, or intrusion action= 1037214 | |

ISO17799 queries in the folder

Table 4-5 describes the contents of the ISO17799 subfolder. The time range column sometimes contains the letter R followed by a number. This value represents the duration of the query as a relative number of seconds. For example, a value of R 86400 equals relative 86400 seconds, or 1 day (24 hours).

Table 4-5 ISO17799 queries in the folder
Folder | Query | Criteria
ISO17799 | Administrative Access to Systems | Event Code = 733, 39770, or Windows username = Administrator and product id =3105
ISO17799 | Disabled Accounts | Event Code = 2894
ISO17799 | Logon Failures | event id = 512004 or Event Code = 707, 645, 708, 785, 779, 1535, 3988, 2708, 39768, 1246, 3237, 12780 OR intrusion_action = 1037213 and intrusion outcome = 1027204, OR event_detail_id=747201 or 517219 or 517226 OR event_id = 512007

PCI queries in the folder

Table 4-6 describes the contents of the PCI subfolder. The time range column sometimes contains the letter R followed by a number. This value represents the duration of the query as a relative number of seconds. For example, a value of R 86400 equals relative 86400 seconds, or 1 day (24 hours).

Table 4-6 PCI queries in the folder
Folder | Query | Criteria | Time range | Query type
PCI > Antivirus Management | All Risk Events | event id = 122001 | |
PCI > Antivirus Management | All Virus Events per Hour | event_id=122000 | | Summarizer
PCI > Antivirus Management | Antivirus Disabled | Event Code = 3825 | |
PCI > Antivirus Management | Daily Virus Definitions Successful Last 30 Days | event_id=92004 | CURRENT TIMESTAMP - 30 DAYS | sql
PCI > Antivirus Management | Infected Computers per Hour | event id = 122001 or 122000 | | Summarizer
PCI > Antivirus Management | Top 15 Users Triggering Risks Last 7 Days | event =122001 | | chart
PCI > Antivirus Management | Top 15 Users Triggering Viruses Last 7 Days | event = 122000 | | chart
PCI > Antivirus Management | Total Client AV Version Count | count(product_version) as "Total Client Count" | | sql
PCI > Antivirus Management | Virus Definition Updates Per Hour | event_id=92004 | >= CURRENT TIMESTAMP - 1 DAY | sql
PCI > Encrypt Transmissions | HTTPS Connections | source port = 443 or destination port = 443 or destination service = HTTPS AND event id = 512000 or 912001 | |
PCI > Encrypt Transmissions | Network Traffic Encryption Checks | Event Code = 42536 | |

Table 4-6 PCI queries in the folder (continued)
Folder | Query | Criteria | Time range | Query type
PCI > Encrypt Transmissions | Network Traffic Encryption Failed | Event Code = 42536 and compliance status = 1937201 | |
PCI > Encrypt Transmissions | VPN Client Connections Accepted During the Day | event id = 742000 | |
PCI > Encrypt Transmissions | VPN Client Connections Failed During the Day | event_id=742001 | |
PCI > Maintain | Dropped or Denied Connections | event id = 512002 or 512001 | R 28800 |
PCI > Maintain | Alerts or Failures | Event Code = 40786 or 3969 | |
PCI > Maintain | Configuration Changes | Event Code = 3974 or 3964 | |
PCI > Maintain | Failed Authentication Events Hourly Tally | event id = 512004 | | Summarizer
PCI > Maintain | Intrusion Detection Events | event id = 512008 | |
PCI > Maintain | Successful Authentication Events Hourly Tally | event id = 512003 | | Summarizer
PCI > Maintain Information Policy | Information Policy Checks | Event Code = 42491 or 42486 | |

Table 4-6 PCI queries in the folder (continued)
Folder | Query | Criteria | Time range | Query type
PCI > Maintain Information Policy | Information Policy Failed | Event Code = 42491 or 42486 AND 1937201 | |
PCI > Maintain Information Policy | Device Policy Modifications | Event Code = 42916, 42915, or 42914 | |
PCI > Protect Stored Data | Administrative Access to Systems | Event Code = 733, 39770, or Windows username = Administrator and product id =3105 | |
PCI > Protect Stored Data | Database Configuration Change Checks | Event Code = 42891 | |
PCI > Protect Stored Data | Database Configuration Change Failed | Event Code = 42891 and compliance status id=1937201 | |
PCI > Protect Stored Data | Database Failed Logins | product 3214 or 3234 or 3213 or 3229 or 3282 and intrusion_action=1037213 and intrusion_outcome=1027204 | |
PCI > Protect Stored Data | Database Failed Logins Top 5 Destination Hosts | product 3214 or 3234 or 3213 or 3229 or 3282 and intrusion_action=1037213 and intrusion_outcome=1027204 | | chart
PCI > Protect Stored Data | Database Failed Logins Top 5 Usernames | product 3214 or 3234 or 3213 or 3229 or 3282 and intrusion_action=1037213 and intrusion_outcome=1027204 | | chart
PCI > Protect Stored Data | Database Rights Granted | Event Code = 3587 | |

Table 4-6 PCI queries in the folder (continued)
Folder | Query | Criteria | Time range | Query type
PCI > Protect Stored Data | Database Successful Logins | product 3214 or 3234 or 3213 or 3229 or 3282 and intrusion_action=1037213 and intrusion_outcome=1027203 | |
PCI > Protect Stored Data | Database Successful Logins Top 5 Destination Hosts | product 3214 or 3234 or 3213 or 3229 or 3282 and intrusion_action=1037213 and intrusion_outcome=1027203 | | chart
PCI > Protect Stored Data | Database Successful Logins Top 5 Usernames | product 3214 or 3234 or 3213 or 3229 or 3282 and intrusion_action=1037213 and intrusion_outcome=1027203 | | chart
PCI > Protect Stored Data | Database Users Added | product 3214 or 3234 or 3213 or 3229 and Event Code = 722 | |
PCI > Protect Stored Data | Database Users Removed | product 3214 or 3234 or 3213 or 3229 and Event Code =758 OR vendor signature = DROP USER | |
PCI > Protect Stored Data | Failed Logins | event id = 512004 OR vendor code = :529, :530, :531, :532, :533, :534, :535, :536, :537, :539, :675, :676, :681 AND intrusion action=1037213 and intrusion outcome = 1027204 | |
PCI > Protect Stored Data | Failed Logins Top 5 Destination Hosts | event id = 512004 OR vendor code = :529, :530, :531, :532, :533, :534, :535, :536, :537, :539, :675, :676, :681 AND intrusion action=1037213 and intrusion outcome = 1027204 | | chart

Table 4-6 PCI queries in the folder (continued)
Folder | Query | Criteria | Time range | Query type
PCI > Protect Stored Data | Failed Logins Top 5 Usernames | event id = 512004 OR vendor code = :529, :530, :531, :532, :533, :534, :535, :536, :537, :539, :675, :676, :681 AND intrusion action=1037213 and intrusion outcome = 1027204 | | chart
PCI > Protect Stored Data | Strong Authentication and Password Policy Checks | Event Code = 41460, 41454 or 42491 | |
PCI > Protect Stored Data | Strong Authentication and Password Policy Failed | Event Code = 41460, 41454 or 42491 and compliance status=1937201 | |
PCI > Protect Stored Data | Suspicious Database Traffic Events | Event Code = 41389, 43104 or 3518 | |
PCI > Regularly Test Systems and Processes | Scan Conclusion Events | Event id 1932001 | |
PCI > Regularly Test Systems and Processes | Incident Overview For Last Week | N/A | current timestamp - 7 days | sql
PCI > Regularly Test Systems and Processes | Incidents Created Over Past Week | status as "Status" | current timestamp - 7 days | sql

Table 4-6 PCI queries in the folder (continued)
Folder | Query | Criteria | Time range | Query type
PCI > Regularly Test Systems and Processes | Incidents Created Today | N/A | date (creation_time + current timezone) = current date | sql
PCI > Regularly Test Systems and Processes | Most Detected CVE Codes | CVE_ID, | N/A | sql
PCI > Regularly Test Systems and Processes | Most Detected Vulnerability Codes | VULNERABILITY_ID | N/A | sql
PCI > Regularly Test Systems and Processes | Open Incident Aging | status <> 2 | all | sql
PCI > Regularly Test Systems and Processes | Open Incident Aging by Assignee Table | status <> 2 | all | sql
PCI > Regularly Test Systems and Processes | Open Incidents By Assignee | severity >= 1 and status < 2 | | sql
PCI > Regularly Test Systems and Processes | Open and Closed Incidents For Assignee Today | when status = 0 or status = 1 or status = 2 | DATE (CREATION_TIME + CURRENT TIMEZONE) = CURRENT_DATE) | sql

Table 4-6 PCI queries in the folder (continued)
Folder | Query | Criteria | Time range | Query type
PCI > Regularly Test Systems and Processes | Open vs Closed Incident Count by Creation Date Last 7 Days | case when status = 0 or status = 1 or status = 2 | creation_time >= (current timestamp - 7 DAYS) | sql
PCI > Regularly Test Systems and Processes | Recent Events Vulnerability | eventclass=1081000, 1081001 or 1081002 | |
PCI > Regularly Test Systems and Processes | Time to Resolve Incidents Over Last Day | CLOSED_TIME IS NOT NULL | CREATED_TIME >= (current timestamp - 1 Days) | sql
PCI > Regularly Test Systems and Processes | Vulnerability Scans Commenced | event_id=1082002 | |
PCI > Restrict Access to Data | Access Control Device Denied Events | product 3218. Event Code 3988 or 785 or 43144 or 785 | |
PCI > Restrict Access to Data | Failed Logins | event id = 512004 OR vendor code = :529, :530, :531, :532, :533, :534, :535, :536, :537, :539, :675, :676, :681 AND intrusion action=1037213 and intrusion outcome = 1027204 | |

Table 4-6 PCI queries in the folder (continued)
Folder | Query | Criteria | Time range | Query type
PCI > Restrict Access to Data | Failed Logins Top 5 Destination Hosts | event id = 512004 OR vendor code = :529, :530, :531, :532, :533, :534, :535, :536, :537, :539, :675, :676, :681 AND intrusion action=1037213 and intrusion outcome = 1027204 | | chart
PCI > Restrict Access to Data | Failed Logins Top 5 Usernames | event id = 512004 OR vendor code = :529, :530, :531, :532, :533, :534, :535, :536, :537, :539, :675, :676, :681 AND intrusion action=1037213 and intrusion outcome = 1027204 | | chart
PCI > Restrict Access to Data | File Ownership and Permissions Checks | Event Code = 41496 | |
PCI > Restrict Access to Data | File Ownership and Permissions Failed | Event Code = 41496 and compliance status id = 1937201 | |
PCI > Restrict Access to Data | Monitored System Object Created | product=3248 and vendor signature = Object creation | |
PCI > Restrict Access to Data | Monitored System Object Deleted | product=3248 and vendor signature = Object deleting or Deleted Element | |
PCI > Restrict Access to Data | Monitored System Object Modified | product=3248 and vendor signature = Object changed or Object modification | |
PCI > Restrict Access to Data | Privileged Account Review Checks | Event Code = 42488 | |

Table 4-6 PCI queries in the folder (continued)
Folder | Query | Criteria | Time range | Query type
PCI > Restrict Access to Data | Privileged Account Review Failed | Event Code = 42488 and compliance status=1937201 | |
PCI > Restrict Access to Data | Successful Logins | event id = 512003 or 302006, OR Event Code = 1564, 3733, 3105 OR intrusion action =1037213 and intrusion outcome=1027203 | |
PCI > Restrict Access to Data | Successful Logins Top 5 Destination Hosts | event id = 512003 or 302006, OR Event Code = 1564, 3733, 3105 OR intrusion action =1037213 and intrusion outcome=1027203 | | chart
PCI > Restrict Access to Data | Successful Logins Top 5 Usernames | event id = 512003 or 302006, OR Event Code = 1564, 3733, 3105 OR intrusion action =1037213 and intrusion outcome=1027203 | | chart
PCI > Restrict Access to Data | System Access Restrictions Checks | Event Code = 41462 | |
PCI > Restrict Access to Data | System Access Restrictions Failed | Event Code = 41462 and compliance status=1937201 | |
PCI > Restrict Physical Access | Network Access Control Protection Checks | Event Code = 42476 | |
PCI > Restrict Physical Access | Network Access Control Protection Failed | Event Code = 42476 and compliance status=1937201 | |
PCI > Secure Systems and Applications | Most Detected CVE Codes | CVE_ID, | N/A | sql
PCI > Secure Systems and Applications | Most Detected Vulnerability Codes | VULNERABILITY_ID | N/A | sql

Table 4-6 PCI queries in the folder (continued)
Folder | Query | Criteria | Time range | Query type
PCI > Secure Systems and Applications | OS Patches Checks | Event Code= 41467 | R 86400 |
PCI > Secure Systems and Applications | OS Patches Failed | Event Code= 41467 and compliance status=1937201 | |
PCI > Secure Systems and Applications | Patch Management Events | event id = 2012000 or 2012002 | |
PCI > Secure Systems and Applications | Patches Deployed | event id = 2012002 | |
PCI > Secure Systems and Applications | Systems Most Vulnerable to Attack | count cve, vulnerability on CIA | | sql
PCI > Secure Systems and Applications | Systems Not Patched | event = 2012000 | |
PCI > Track and Monitor All Access | Access Logging and Monitoring Checks | Event Code = 42474, 42386, 42485 | |
PCI > Track and Monitor All Access | Access Logging and Monitoring Failed | status id 1937201 and Event Code = 42474, 42386, 42485 | |
PCI > Track and Monitor All Access | Administrative Access to Systems | Event Code = 733, 39770, or Windows username = Administrator and product id =3105 | |
PCI > Track and Monitor All Access | Audit Logs Access | Event Code =38764 or 39628 | |

Table 4-6 PCI queries in the folder (continued)
Folder | Query | Criteria | Time range | Query type
PCI > Track and Monitor All Access | Failed Logins | event id = 512004 OR vendor code = :529, :530, :531, :532, :533, :534, :535, :536, :537, :539, :675, :676, :681 AND intrusion action=1037213 and intrusion outcome = 1027204 | |
PCI > Track and Monitor All Access | Failed Logins Top 5 Destination Hosts | event id = 512004 OR vendor code = :529, :530, :531, :532, :533, :534, :535, :536, :537, :539, :675, :676, :681 AND intrusion action=1037213 and intrusion outcome = 1027204 | | chart
PCI > Track and Monitor All Access | Failed Logins Top 5 Usernames | event id = 512004 OR vendor code = :529, :530, :531, :532, :533, :534, :535, :536, :537, :539, :675, :676, :681 AND intrusion action=1037213 and intrusion outcome = 1027204 | | chart
PCI > Track and Monitor All Access | Sensor Invalid Timestamp Incidents | INCIDENT_TYPE_ID = 'Invalid Event Date Alert' | CREATION_TIME >= (current timestamp - 30 DAYS | sql
PCI > Track and Monitor All Access | Successful Logins | event id = 512003 or 302006, OR Event Code = 1564, 3733, 3105 OR intrusion action =1037213 and intrusion outcome=1027203 | |

Table 4-6 PCI queries in the folder (continued)
Folder | Query | Criteria | Time range | Query type
PCI > Track and Monitor All Access | Successful Logins Top 5 Destination Hosts | event id = 512003 or 302006, OR Event Code = 1564, 3733, 3105 OR intrusion action =1037213 and intrusion outcome=1027203 | | chart
PCI > Track and Monitor All Access | Successful Logins Top 5 Usernames | event id = 512003 or 302006, OR Event Code = 1564, 3733, 3105 OR intrusion action =1037213 and intrusion outcome=1027203 | | chart
PCI > Track and Monitor All Access | User Logins | event id = 1072000, or Event Code= 2931, 3708, 3960, 38755, 41543, 40574, 11357, 777, 10532, 733, 623, 3103, 3733, 10423, 1564, 3105, 12775, or 4466 | |
PCI > Track and Monitor All Access | User Logouts | vendor code =:538, event id = 1072001, or Event Code = 720, or intrusion action= 1037214 | |
PCI > Unique User IDs | Default Username Authentications | event id=512003 or 302006 OR Event Code= 1564, 3733,3105 or mechanisms = 11 or intrusion_action=1037213 and intrusion_outcome=1027203 AND target_resource=admin, administrator, root, guest or sa | |
PCI > Unique User IDs | Default Username Authentications Top 5 Usernames | event id=512003 or 302006 OR Event Code= 1564, 3733,3105 or mechanisms = 11 or intrusion_action=1037213 and intrusion_outcome=1027203 AND target_resource=admin, administrator, root, guest or sa | | chart
PCI > Unique User IDs | Strong Authentication and Password Policy Checks | Event Code = 41460, 41454 or 42491 | |

Table 4-6 PCI queries in the folder (continued)
Folder | Query | Criteria | Time range | Query type
PCI > Unique User IDs | Strong Authentication and Password Policy Failed | Event Code = 41460, 41454 or 42491 and compliance status=1937201 | |
PCI > Unique User IDs | User Account Management Changes | Event Code = 44111, 719, 762, 757, 2322, 2894, 758, 759, 1559, 38765, 771, 38766, 1553 OR event_class=1071000 and target_resource=/people/ and event_id is not 1072000 or 1072001 | |
PCI > Unique User IDs | User Accounts Created | Event Code = 722 | |
PCI > Unique User IDs | User Accounts Deleted | Event Code = 758 | |
PCI > Vendor Supplied Defaults | Administrative Access to Systems | Event Code = 733, 39770, or Windows username = Administrator and product id =3105 | |
PCI > Vendor Supplied Defaults | Audit Policy Changes | Event Code = 1525 | |
PCI > Vendor Supplied Defaults | Default Username Authentications | event id=512003 or 302006 OR Event Code= 1564, 3733,3105 or mechanisms = 11 or intrusion_action=1037213 and intrusion_outcome=1027203 AND target_resource=admin, administrator, root, guest or sa | |
PCI > Vendor Supplied Defaults | Default Username Authentications Detected | Event Code = 777, 2352 or 41376 | |

Table 4-6 PCI queries in the folder (continued)
Folder | Query | Criteria | Time range | Query type
PCI > Vendor Supplied Defaults | Default Username Authentications Top 5 Usernames | event id=512003 or 302006 OR Event Code= 1564, 3733,3105 or mechanisms = 11 or intrusion_action=1037213 and intrusion_outcome=1027203 AND target_resource=admin, administrator, root, guest or sa | | chart
PCI > Vendor Supplied Defaults | Disabled Accounts | Event Code = 2894 | |
PCI > Vendor Supplied Defaults | Disabled User Accounts with Failed Login Attempts | vendor signature = :531 | r 604800 |
PCI > Vendor Supplied Defaults | Authentication Events Hourly Tally | event id = 512004 or 512003 | | Summarizer
PCI > Vendor Supplied Defaults | Password Changes | Event Code = 718 | |

SOX queries in the folder

Table 4-7 describes the contents of the SOX subfolder. The time range column sometimes contains the letter R followed by a number. This value represents the duration of the query as a relative number of seconds. For example, a value of R 86400 equals relative 86400 seconds, or 1 day (24 hours).

Table 4-7 SOX queries in the folder
Folder | Query | Criteria | Time range | Query type
SOX | Administrative Access to Systems | Event Code = 733, 39770, or Windows username = Administrator and product id =3105 | |
SOX | Application Access | Event Code = 39747 or 39748 | |

Table 4-7 SOX queries in the folder (continued)
Folder | Query | Criteria | Time range | Query type
SOX | Audit Logs Access | Event Code =38764 or 39628 | |
SOX | Audit Policy Changes | Event Code = 1525 | |
SOX | Disabled Accounts | Event Code = 2894 | |
SOX | File and Directory Access | Event Code = 765, 38765, 38768, 38676, 3788, 3789, 3790, 3791, 3792, 20280, 11501, 12985, 1560, 38845 | |
SOX | Incident Overview for Last Week | N/A | current timestamp - 7 days | sql
SOX | Incidents Created Over Past Week | status as "Status" | current timestamp - 7 days | sql
SOX | Incidents Created Today | N/A | date(creation_time + current timezone) = current date | sql
SOX | Logon Failures | event id = 512004 or Event Code = 707, 645, 708, 785, 779, 1535, 3988, 2708, 39768, 1246, 3237, 12780 OR intrusion_action = 1037213 and intrusion outcome = 1027204, OR event_detail_id=747201 or 517219 or 517226 OR event_id = 512007 | |
SOX | Open Incident Aging by Assignee Table | status <> 2 | all | sql
SOX | Open Incidents by Assignee | severity >= 1 and status < 2 | | sql
SOX | Open and Closed Incidents for Assignees Today | when status = 0 or status = 1 or status = 2 | DATE(CREATION_TIME + CURRENT TIMEZONE) = CURRENT_DATE) | sql