

Report Tables

Created by Caroline Juszczak, last modified by Steve.Hawkins on Sep 14, 2016


The following tables list all LEM reports, provide descriptions of their contents, and suggest schedules for running each report.
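The report file names in these tables follow a numbered pattern (for example, RPT2003-02-6-1.rpt sits under RPT2003-02-6.rpt, which in turn sits under RPT2003-02.rpt). The Python below is an added example and is not part of LEM or of this guide: it takes a handful of (title, file name) rows copied from the tables and runs consistency checks over them. Deriving a report's parent by dropping the last numbered segment is an assumption inferred from the naming pattern, not a documented LEM convention. The checks flag file names that are malformed, assigned to more than one title, or outside the RPT2003/RPT2006 families that appear on this page. Because the sample is a constructed subset of the full tables, the orphan check also fires on reports whose parent is simply absent from the sample.

```python
"""Consistency checks over LEM report-table rows (added example, not LEM code)."""
import re
from collections import defaultdict

# Constructed sample: a subset of (title, file name) rows copied from the tables
# on this page. Not the full catalog.
CATALOG = [
    ("Authentication Report", "RPT2003-02.rpt"),
    ("Authentication Report - User Log On", "RPT2003-02-6.rpt"),
    ("Authentication Report - User Log On by User", "RPT2003-02-6-1.rpt"),
    ("Authentication Report - Top User Log On by User", "RPT2003-02-6-2.rpt"),
    ("Change Management - General Authentication Related Events", "RPT2006-20.rp"),
    ("Change Management - General Authentication: Domain Events", "RPT2006-20-01.rpt"),
    ("Change Management - General Authentication: Domain Events - New Domain", "RPT2006-20-01-6.rpt"),
    ("Network Traffic Audit - Core Traffic by Destination Machine", "RPT2003-06-03-2.rpt"),
    ("Network Traffic Audit - Top Core Traffic by Source", "RPT2003-06-03-2.rpt"),
    ("Network Traffic Audit - Application Traffic by Provider SID", "RPT2033-06-11-3.rpt"),
]

# RPT<4-digit family><one or more -N segments>.rpt
FILE_RE = re.compile(r"^RPT(\d{4})((?:-\d+)+)\.rpt$")


def parse_file_name(name):
    """Return (family, [segments]) for a well-formed file name, else None."""
    m = FILE_RE.match(name)
    if m is None:
        return None
    return m.group(1), m.group(2).lstrip("-").split("-")


def parent_of(name):
    """Assumed convention: dropping the last -N segment yields the parent report.

    Top-level reports (a single segment) and malformed names have no parent."""
    parsed = parse_file_name(name)
    if parsed is None or len(parsed[1]) < 2:
        return None
    family, segments = parsed
    return "RPT%s-%s.rpt" % (family, "-".join(segments[:-1]))


def malformed(catalog):
    """File names that do not match the RPT pattern (e.g. a truncated extension)."""
    return sorted(f for _, f in catalog if parse_file_name(f) is None)


def duplicate_file_names(catalog):
    """File names assigned to more than one distinct report title."""
    titles_by_name = defaultdict(set)
    for title, fname in catalog:
        titles_by_name[fname].add(title)
    return {f: sorted(t) for f, t in titles_by_name.items() if len(t) > 1}


def orphans(catalog):
    """Child reports whose derived parent file name is not in the catalog."""
    names = {f for _, f in catalog}
    return sorted({f for _, f in catalog
                   if parent_of(f) is not None and parent_of(f) not in names})


def unexpected_families(catalog, expected=("2003", "2006")):
    """Well-formed names whose family is not one seen elsewhere on the page."""
    out = set()
    for _, f in catalog:
        parsed = parse_file_name(f)
        if parsed is not None and parsed[0] not in expected:
            out.add(f)
    return sorted(out)


if __name__ == "__main__":
    print("malformed:", malformed(CATALOG))
    print("duplicates:", duplicate_file_names(CATALOG))
    print("orphans:", orphans(CATALOG))
    print("unexpected families:", unexpected_families(CATALOG))
```

Run against the full tables, the same checks surface the rows worth a second look before a report schedule is automated around a file name: RPT2006-20.rp does not parse, RPT2003-06-03-2.rpt is listed under two different titles, and RPT2033-06-11-3.rpt belongs to a family that appears nowhere else on the page.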

Table of audit reports

The following table lists each audit report alphabetically by title and describes its contents, file name, and suggested schedule.

Each entry gives, in order: Title, Description, File name, Schedule.

Authentication Report

This report lists all authentications tracked by the SolarWinds system, including user logon, logoff, failed logon attempts, guest logons, etc.

RPT2003-02.rpt

Weekly

Authentication Report - Authentication Audit

This report lists events related to authentication and authorization of accounts and account 'containers' such as groups or domains. These events can be produced by any network node, including firewalls, routers, servers, and clients.

RPT2003-02-10.rpt

As needed

Authentication Report - Suspicious Authentication

This report lists events related to suspicious authentication and authorization activity. These events include excessive failed authentication or authorization attempts, suspicious access by unauthenticated users, and suspicious access to unauthorized services or information.

RPT2003-02-9.rpt

As needed

Authentication Report - Top User Log On by User

This report lists the Top User Log On events grouped by user name.

RPT2003-02-6-2.rpt

As needed

Authentication Report - Top User Log On Failure by User

This report lists the Top User Log On Failure events grouped by user name.

RPT2003-02-7-2.rpt

As needed

Authentication Report - SolarWinds Authentication

This report shows logon, logoff, and logon failure activity to the SolarWinds Console.

RPT2003-02-8.rpt

As needed

Authentication Report - User Log Off

User Logoff events reflect account logoff events from network devices (including network infrastructure devices). Each event will reflect the type of device from which the user was logging off. These events are usually normal events but are tracked for consistency and auditing purposes.

RPT2003-02-5.rpt

As needed

Authentication Report - User Log On

User Logon events reflect user account logon events from network devices monitored by SolarWinds (including network infrastructure devices). Each event will reflect the type of device that the logon was intended for along with all other relevant fields.

RPT2003-02-6.rpt

As needed

Authentication Report - User Log On by User

This report lists all account logon events, grouped by user name.

RPT2003-02-6-1.rpt

As needed

Authentication Report - User Log On Failure

User Logon Failure events reflect failed account logon events from network devices (including network infrastructure devices). Each event will reflect the point on the network where the user was attempting logon. In larger quantities, these events may reflect a potential issue with a user or set of users, but as individual events they are generally not a problem.

RPT2003-02-7.rpt

As needed

Authentication Report - User Log On Failure by User

This report lists all account logon failure events, grouped by user name.

RPT2003-02-7-1.rpt

As needed

Change Management - General Authentication Related Events

This report includes changes to domains, groups, machine accounts, and user accounts.

RPT2006-20.rp

As needed

Change Management - General Authentication: Domain Events

This report includes changes to domains, including new domains, new members, and modifications to domain settings.

RPT2006-20-01.rpt

As needed

Change Management - General Authentication: Domain Events - Change Domain Attribute

This report lists changes to domain type. These events are uncommon and usually provided by the operating system. Usually, these changes are made by a user account with administrative privileges, but occasionally a change will happen when local system maintenance activity takes place.

RPT2006-20-01-7.rpt

As needed

Change Management - General Authentication: Domain Events - Change Domain Member

This report lists events that occur when an account or account container within a domain is modified. Usually, these changes are made by a user account with administrative privileges, but occasionally an event occurs when local system maintenance activity takes place. Events of this nature mean a user, machine, or service account within the domain has been modified.

RPT2006-20-01-4.rpt

As needed

Change Management - General Authentication: Domain Events - Delete Domain

This report lists events that occur upon removal of a trust relationship between domains, deletion of a subdomain, or deletion of account containers within a domain. Usually, these changes are made by a user account with administrative privileges.

RPT2006-20-01-8.rpt

As needed

Change Management - General Authentication: Domain Events - Delete Domain Member

This report lists events that occur when an account or account container has been removed from a domain. Usually, these changes are made by a user account with administrative privileges, but occasionally they occur when local system maintenance activity takes place.

RPT2006-20-01-3.rpt

As needed

Change Management - General Authentication: Domain Events - Domain Member Alias

This report lists events that occur when the alias for a domain member has been changed, meaning an account or account container within a domain has had an alias created, deleted, or otherwise modified. This event is uncommon and is used to track links between domain members and other locations in the domain where the member may appear.

RPT2006-20-01-5.rpt

As needed

Change Management - General Authentication: Domain Events - DomainAuthAudit

This report lists authentication, authorization, and modification events that are related only to domains, subdomains, and account containers. These events are normally related to operating systems. However, they can be produced by any network device.

RPT2006-20-01-1.rpt

As needed

Change Management - General Authentication: Domain Events - New Domain

This report lists events that occur upon creation of a new trust relationship between domains, creation of a new subdomain, or creation of new account containers within a domain. Usually, these creations are done by a user account with administrative privileges.

RPT2006-20-01-6.rpt

As needed

Change Management - General Authentication: Domain Events - New Domain Member

This report lists events that occur when an account or an account container (a new user, machine, or service account) has been added to the domain. Usually, these additions are made by a user account with administrative privileges, but occasionally they occur when local system maintenance activity takes place.

RPT2006-20-01-2.rpt

As needed

Change Management - General Authentication: Group Events

This report lists changes to groups, including new groups, members added/removed to/from groups, and modifications to group settings.

RPT2006-20-02.rpt

As needed

Change Management - General Authentication: Group Events - Change Group Attribute

This report lists events that occur when a group type is modified. Usually, these changes are made by a user account with administrative privileges, but occasionally they occur when local system maintenance activity takes place.

RPT2006-20-02-6.rpt

As needed

Change Management - General Authentication: Group Events - Delete Group

This report lists events that occur upon deletion of a group of any type. Usually, these deletions are made by a user account with administrative privileges.

RPT2006-20-02-5.rpt

As needed

Change Management - General Authentication: Group Events - Delete Group Member

This report lists events that occur when an account or group has been removed from a group. Usually, these changes are made by a user account with administrative privileges, but occasionally they occur when local system maintenance activity takes place.

RPT2006-20-02-3.rpt

As needed

Change Management - General Authentication: Group Events - Group Audit

This report lists authentication, authorization, and modification events related only to account groups. These events are normally operating-system related; however, they could be produced by any network device.

RPT2006-20-02-1.rpt

As needed

Change Management - General Authentication: Group Events - New Group

This report lists NewGroup events. These events occur upon creation of a new group of any type. Usually, these additions are made by a user account with administrative privileges.

RPT2006-20-02-4.rpt

As needed

Change Management - General Authentication: Group Events - New Group Member

This report lists NewGroupMember events. These events occur when an account (a user, machine, or service account) or another group has been added to a group. Usually, these additions are made by a user account with administrative privileges, but occasionally an event will occur when local system maintenance activity takes place.

RPT2006-20-02-2.rpt

As needed

Change Management - General Authentication: Machine Account Events

This report includes changes to machine accounts, including enabling/disabling machine accounts and modifications to machine account settings.

RPT2006-20-03.rpt

As needed

Change Management - General Authentication: Machine Account Events - Machine Disabled

This report lists MachineDisable events. These events occur when a machine account is actively disabled and/or when an account is forcibly locked out by the operating system or other authentication tool. These events are usually operating system related and could reflect a potential issue with a computer or set of computers.

RPT2006-20-03-3.rpt

As needed

Change Management - General Authentication: Machine Account Events - Machine Enabled

This report lists MachineEnable events, which reflect the action of enabling a computer or machine account. These events are normally related to the operating system, and will trigger when a machine is enabled, normally by a user with administrative privileges.

RPT2006-20-03-1.rpt

As needed

Change Management - General Authentication: Machine Account Events - Machine Modify Attribute

This report lists MachineModifyAttribute events, which occur when a computer or machine type is changed. These events are uncommon and usually provided by the operating system.

RPT2006-20-03-2.rpt

As needed

Change Management - General Authentication: User Account Events

This report includes changes to user accounts, including enabling/disabling user accounts and modifications to user account settings.

RPT2006-20-04.rpt

As needed

Change Management - General Authentication: User Account Events - User Disabled

This report lists UserDisable events. These events occur when a user account is actively disabled and/or when a user is forcibly locked out by the operating system or other authentication tool. These events are usually related to the operating system and can reflect a potential issue with a user or set of users.

RPT2006-20-04-3.rpt

As needed

Change Management - General Authentication: User Account Events - User Enabled

This report lists UserEnable events, which reflect the action of enabling a user account. These events are normally related to the operating system. They occur both when an account is unlocked after lockout due to unsuccessful logons, and when an account is enabled in the traditional sense.

RPT2006-20-04-1.rpt

As needed

Change Management - General Authentication: User Account Events - User Modify Attributes

This report lists UserModifyAttribute events that occur when a user type is changed. These events are uncommon and usually provided by the operating system.

RPT2006-20-04-2.rpt

As needed

Change Management - Network Infrastructure: Policy/View Change

This report includes accesses to network infrastructure device policy, including viewing or changing device policy.

RPT2006-21.rpt

As needed

Change Management - Windows/Active Directory Domains: Group Created

This report includes creations of Windows/Active Directory groups.

RPT2006-22-01.rpt

As needed

Change Management - Windows/Active Directory Domains: Group Deleted

This report includes deletions of Windows/Active Directory groups.

RPT2006-22-02.rpt

As needed

Change Management - Windows/Active Directory Domains: Group Events

This report includes Windows/Active Directory group-related events.

RPT2006-22.rpt

As needed

Change Management - Windows/Active Directory Domains: Group Property Updated

This report includes changes to Windows/Active Directory group properties, such as the display name.

RPT2006-22-03.rpt

As needed

Change Management - Windows/Active Directory Domains: Machine Events

This report includes Windows/Active Directory machine-related events.

RPT2006-23.rpt

As needed

Change Management - Windows/Active Directory Domains: Machine Events - Account Created

This report includes creations of Windows/Active Directory machine accounts.

RPT2006-23-01.rpt

As needed

Change Management - Windows/Active Directory Domains: Machine Events - Account Deleted

This report includes deletions of Windows/Active Directory machine accounts.

RPT2006-23-02.rpt

As needed

Change Management - Windows/Active Directory Domains: Machine Events - Account Disabled

This report includes disabling of Windows/Active Directory machine accounts.

RPT2006-23-03.rpt

As needed

Change Management - Windows/Active Directory Domains: Machine Events - Account Enabled

This report includes enabling of Windows/Active Directory machine accounts.

RPT2006-23-04.rpt

As needed

Change Management - Windows/Active Directory Domains: Machine Events - Account Properties Update

This report includes changes to Windows/Active Directory machine account properties, such as the display name.

RPT2006-23-05.rpt

As needed

Change Management - Windows/Active Directory Domains: Machine Events - Added To Group

This report includes additions of Windows/Active Directory machine accounts to groups.

RPT2006-23-06.rpt

As needed

Change Management - Windows/Active Directory Domains: Machine Events - Added To OU

This report includes additions of Windows/Active Directory machine accounts to Organizational Units.

RPT2006-23-07.rpt

As needed

Change Management - Windows/Active Directory Domains: Machine Events - Removed From Group

This report includes removals of Windows/Active Directory machine accounts from groups.

RPT2006-23-08.rpt

As needed

Change Management - Windows/Active Directory Domains: Machine Events - Removed From OU

This report includes removals of Windows/Active Directory machine accounts from Organizational Units.

RPT2006-23-09.rpt

As needed

Change Management - Windows/Active Directory Domains: New Critical Group Members

This report includes additions of Windows/Active Directory user accounts to critical groups, such as Domain or Enterprise Admins.

RPT2006-22-04.rpt

As needed

Change Management - Windows/Active Directory Domains: OU Events

This report includes Windows/Active Directory Organizational Unit-related events.

RPT2006-24.rpt

As needed

Change Management - Windows/Active Directory Domains: OU Events - OU Created

This report includes creation of Windows/Active Directory Organizational Units.

RPT2006-24-01.rpt

As needed

Change Management - Windows/Active Directory Domains: OU Events - OU Deleted

This report includes deletion of Windows/Active Directory Organizational Units.

RPT2006-24-02.rpt

As needed

Change Management - Windows/Active Directory Domains: OU Events - OU Properties Update

This report includes updates to Windows/Active Directory Organizational Unit properties, such as the display name.

RPT2006-24-03.rpt

As needed

Change Management - Windows/Active Directory Domains: User Events

This report includes Windows/Active Directory user-related events.

RPT2006-25.rpt

As needed

Change Management - Windows/Active Directory Domains: User Events - Account Created

This report includes creations of Windows/Active Directory user accounts.

RPT2006-25-01.rpt

As needed

Change Management - Windows/Active Directory Domains: User Events - Account Deleted

This report includes deletions of Windows/Active Directory user accounts.

RPT2006-25-02.rpt

As needed

Change Management - Windows/Active Directory Domains: User Events - Account Disabled

This report includes disabling of Windows/Active Directory user accounts.

RPT2006-25-03.rpt

As needed

Change Management - Windows/Active Directory Domains: User Events - Account Enabled

This report includes enabling of Windows/Active Directory user accounts.

RPT2006-25-04.rpt

As needed

Change Management - Windows/Active Directory Domains: User Events - Account Lockout

This report includes user-driven disables of Windows/Active Directory user accounts, such as a user triggering an excessive failed password limit.

RPT2006-25-05.rpt

As needed

Change Management - Windows/Active Directory Domains: User Events - Account Properties Updated

This report includes changes to Windows/Active Directory user account properties, such as the display name.

RPT2006-25-06.rpt

As needed

Change Management - Windows/Active Directory Domains: User Events - Added To Group

This report includes additions of Windows/Active Directory user accounts to groups.

RPT2006-25-07.rpt

As needed

Change Management - Windows/Active Directory Domains: User Events - Added To OU

This report includes additions of Windows/Active Directory user accounts to Organizational Units.

RPT2006-25-08.rpt

As needed

Change Management - Windows/Active Directory Domains: User Events - Removed From Group

This report includes removals of Windows/Active Directory user accounts from groups.

RPT2006-25-09.rpt

As needed

Change Management - Windows/Active Directory Domains: User Events - Removed From OU

This report includes removals of Windows/Active Directory user accounts from Organizational Units.

RPT2006-25-10.rpt

As needed

File Audit Events

This report tracks file system activity associated with audited files and system objects, such as file access successes and failures.

RPT2003-05.rpt

Weekly

File Audit Events - File Attribute Change

File Attribute Change is a specific File Write event generated for the modification of file attributes (including properties such as read-only status). These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems.

RPT2003-05-41.rpt

As needed

File Audit Events - File Audit

File Audit events are used to track file activity on monitored network devices, usually through the Operating System or a Host-Based IDS. These events will note success or failure of the requested operation.

RPT2003-05-11.rpt

As needed

File Audit Events - File Audit Failure

File Audit Failure events are used to track failed file activity on monitored network devices, usually through the Operating System or a Host-Based IDS. These events will note what requested operation failed.

RPT2003-05-12.rpt

As needed

File Audit Events - File Create

File Create is a specific File Write event generated for the initial creation of a file. These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems.

RPT2003-05-42.rpt

As needed

File Audit Events - File Data Read

File Data Read is a specific File Read event generated for the operation of reading data from a file (not just properties or status of a file). These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems.

RPT2003-05-31.rpt

As needed

File Audit Events - File Data Write

File Data Write is a specific File Write event generated for the operation of writing data to a file (not just properties or status of a file). These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems.

RPT2003-05-43.rpt

As needed

File Audit Events - File Delete

File Delete is a specific File Write event generated for the deletion of an existing file. These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems.

RPT2003-05-44.rpt

As needed

File Audit Events - File Execute

File Execute is a specific File Read event generated for the operation of executing files. These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems.

RPT2003-05-32.rpt

As needed

File Audit Events - File Handle Audit

File Handle Audit events are used to track file handle activity on monitored network devices, usually through low-level access to the Operating System, either natively or through a Host-Based IDS. These events will note success or failure of the requested operation.

RPT2003-05-21.rpt

As needed

File Audit Events - File Handle Close

File Handle Close is a specific File Handle Audit event generated for the closing of file handles. These events may be generated by a tool that has low-level file access, such as an Operating System or some Host-Based IDSs.

RPT2003-05-22.rpt

As needed

File Audit Events - File Handle Copy

File Handle Copy is a specific File Handle Audit event generated for the copying of file handles. These events may be generated by a tool that has low-level file access, such as an Operating System or some Host-Based IDSs.

RPT2003-05-23.rpt

As needed

File Audit Events - File Handle Open

File Handle Open is a specific File Handle Audit event generated for the opening of file handles. These events may be generated by a tool that has low-level file access, such as an Operating System or some Host-Based IDSs.

RPT2003-05-24.rpt

As needed

File Audit Events - File Link

File Link is a specific File Write event generated for the creation, deletion, or modification of links to other files. These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems.

RPT2003-05-45.rpt

As needed

File Audit Events - File Move

File Move is a specific File Write event generated for the operation of moving a file that already exists. These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems.

RPT2003-05-46.rpt

As needed

File Audit Events - File Read

File Read is a specific File Audit event generated for the operation of reading files (including reading properties of a file or the status of a file). These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems.

RPT2003-05-33.rpt

As needed

File Audit Events - File Write

File Write is a specific File Audit event generated for the operation of writing to a file (including writing properties of a file or changing the status of a file). These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some operating systems.

RPT2003-05-47.rpt

As needed

File Audit Events - Object Audit

Object Audit events are used to track special object activity on monitored network devices, usually through the Operating System or a Host-Based IDS. Generally, Objects are special types of system resources, such as registry items or user account databases. These objects may be actual 'files' on the system, but are not necessarily human readable. These events will note success or failure of the requested operation.

RPT2003-05-51.rpt

As needed

File Audit Events - Object Audit Failure

Object Audit Failure events are used to track special object activity on monitored network devices, usually through the Operating System or a Host-Based IDS. Generally, Objects are special types of system resources, such as registry items or user account databases. These objects may be actual 'files' on the system, but are not necessarily human readable. These events will note a failure of the requested operation.

RPT2003-05-52.rpt

As needed

File Audit Events - Object Delete

Object Delete is a specific Object Audit event generated for the deletion of an existing object. These events may be produced by any tool that is used to monitor the activity of file and object usage, including a Host-Based IDS and some Operating Systems.

RPT2003-05-53.rpt

As needed

File Audit Events - Object Link

Object Link is a specific Object Audit event generated for the creation, deletion, or modification of links to other objects. These events may be produced by any tool that is used to monitor the activity of file and object usage, including a Host-Based IDS and some Operating Systems.

RPT2003-05-54.rpt

As needed

Incident Events

This report tracks the Incident, HostIncident, HybridIncident and NetworkIncident events that have been generated to reflect enterprise-wide issues.

RPT2006-19.rpt

Daily

Inferred Events

This report tracks events that are triggered by correlations built in the SolarWinds Rule Builder.

RPT2006-27.rpt

As needed

Inferred Events by Inference Rule

This report tracks events that are triggered by correlations, and orders them by the correlation rule name.

RPT2006-27-01.rpt

As needed

Log On/Off/Failure

Track activity associated with account events such as log on, log off and log on failures. This is a refined version of the Authentication Report that does not include SolarWinds authentication events. It is more appropriate for management reports or audit reviews than regular use.

RPT2003-03.rpt

Weekly

Network Traffic Audit

Track activity associated with network traffic audit events such as TCP, IP and UDP events. Specifically, this report tracks regular network traffic activity, such as encrypted traffic, web traffic, and other forms of UDP, TCP and ICMP traffic. It gives you both an overview and some details of exactly what is flowing through your network. This report can be quite large.

RPT2003-06.rpt

Daily, if needed

Network Traffic Audit - Application Traffic

ApplicationTrafficAudit events reflect network traffic that is mostly or entirely application-layer data. Events that are children of ApplicationTrafficAudit are also related to application-layer resources. Events placed in the parent ApplicationTrafficAudit event itself are known to be application-related but cannot be further categorized, either because the message provided by the tool does not allow it or because they are uncommon and rarely, if ever, imply network attack potential.

RPT2003-06-11.rpt

As needed

Network Traffic Audit - Application Traffic by Destination Machine

This report lists all Application Traffic events (such as WebTrafficAudit), grouped by destination machine/IP.

RPT2003-06-11-2.rpt

As needed

Network Traffic Audit - Application Traffic by Provider SID

This report lists all Application Traffic events (such as WebTrafficAudit), grouped by provider SID.

RPT2033-06-11-3.rpt

As needed

Network Traffic Audit - Application Traffic by Source Machine

This report lists all Application Traffic events (such as WebTrafficAudit), grouped by source machine/IP.

RPT2003-06-11-1.rpt

As needed

Network Traffic Audit - Application Traffic by Tool Alias

This report lists all Application Traffic events (such as WebTrafficAudit), grouped by the SolarWinds sensor tool alias that reported each event.

RPT2003-06-11-0.rpt

As needed

Network Traffic Audit - Configuration Traffic

Configuration Traffic Audit events reflect application-layer data related to configuration of network resources. Included in ConfigurationTrafficAudit are protocols such as DHCP, BootP, and SNMP. ConfigurationTrafficAudit events generally indicate normal traffic; however, events of this type could also be symptoms of misconfiguration, inappropriate usage, attempts to enumerate or access network devices or services, attempts to access devices that are configured via these services, or other abnormal traffic.

RPT2003-06-02.rpt

As needed

Network Traffic Audit - Core Traffic

CoreTrafficAudit events reflect network traffic sent over core protocols. Events that are children of CoreTrafficAudit are all related to the TCP, IP, UDP, and ICMP protocols. Events of this type and of its children do not carry any application-layer data. Events placed in the parent CoreTrafficAudit event itself are known to be a core protocol but cannot be further categorized based on the message provided by the tool.

RPT2003-06-03.rpt

As needed

Network Traffic Audit - Core Traffic by Destination Machine

This report lists all Core Traffic events (such as TCPTrafficAudit), grouped by destination machine/IP.

RPT2003-06-03-2.rpt

As needed

Network Traffic Audit - Core Traffic by Provider SID

This report lists all Core Traffic events (such as TCPTrafficAudit), grouped by provider SID.

RPT2003-06-03-3.rpt

As needed

Network Traffic Audit - Core Traffic by Source

This report lists all Core Traffic events (such as TCPTrafficAudit), grouped by source machine/IP.

RPT2003-06-03-1.rpt

As needed

Network Traffic Audit - Core Traffic by Tool Alias

This report lists all Core Traffic events (such as TCPTrafficAudit), grouped by the SolarWinds sensor tool alias that reported each event.

RPT2003-06-03-0.rpt

As needed

Network Traffic Audit - Encrypted Traffic

Encrypted Traffic Audit events reflect application-layer traffic that has been encrypted and is intended for a secure host. Included in Encrypted Traffic Audit are client and server side application events, such as key exchanges, that normally occur after the low-level session creation and handshaking have completed.

RPT2003-06-04.rpt

As needed

Network Traffic Audit - Link Control Traffic

Link Control Traffic Audit events are generated for network events related to link-level configuration. Link Control Traffic Audit events generally indicate normal traffic; however, events of this type could also be symptoms of misconfiguration at the link level, inappropriate usage, or other abnormal traffic.

RPT2003-06-05.rpt

As needed

Network Traffic Audit - Network Traffic

Members of the Network Audit tree are used to define events centered on usage of network resources/bandwidth.

RPT2003-06-06.rpt

As needed

Network Traffic Audit - Point to Point Traffic

Point To Point Traffic Audit events reflect application-layer data related to point-to-point connections between hosts. Included in Point To Point Traffic Audit are encrypted and unencrypted point-to-point traffic.

RPT2003-06-07.rpt

As needed

Network Traffic Audit - Remote Procedure Traffic

Remote Procedure Traffic Audit events reflect application-layer data related to remote procedure services. Included in Remote Procedure Traffic Audit are the traditional RPC services used to service remote logons and file shares, and other services which require remote procedure access to complete authentication, pass data, or otherwise communicate. RemoteProcedureTrafficAudit events generally indicate normal traffic for networks that have remote procedure services on their network; however, events of this type could also be symptoms of inappropriate access, misconfiguration of the remote procedure services, errors in the remote procedure calls, or other abnormal traffic.

RPT2003-06-08.rpt

As needed

Network Traffic Audit - Routing Traffic

Routing Traffic Audit events are generated for network events related to configuration of network routes, using protocols such as IGMP, IGRP, and RIP. RoutingTrafficAudit events generally indicate normal traffic; however, events of this type could also be symptoms of misconfigured routing, unintended route configuration, or other abnormal traffic.

RPT2003-06-09.rpt

As needed

Network Traffic Audit - Time Traffic

Time Traffic Audit events reflect application-layer data related to network time configuration. Included in TimeTrafficAudit are protocols such as NTP and activities such as detection of client-side network time updates.

RPT2003-06-10.rpt

As needed

Network Traffic Audit - Top Application Traffic by Source

This report lists the Top Application Traffic events (such as WebTrafficAudit), grouped by source machine/IP.

RPT2003-06-01-2.rpt

As needed

Network Traffic Audit - Top Core Traffic by Source

This report lists the Top Core Traffic events (such as TCPTrafficAudit), grouped by source machine/IP.

RPT2003-06-03-2.rpt

As needed

Network Traffic Audit - Web Traffic

WebTrafficAudit events reflect application-layer data related to web services. Included in WebTrafficAudit are client and server web events from web servers, web applications, content filter related events, and other web services. WebTrafficAudit events generally indicate normal traffic; however, events of this type could also be symptoms of inappropriate web usage, potential abuse of web services, or other abnormal traffic.

RPT2003-06-01.rpt

As needed

Network Traffic Audit - Web Traffic by Destination Machine

This report lists all WebTrafficAudit events grouped by destination machine/IP.

RPT2003-06-01-2.rpt

As needed

Network Traffic Audit - Web Traffic by Provider SID

This report lists Web Traffic Audit events grouped by provider SID.

RPT2003-06-01-3.rpt

As needed

Network Traffic Audit - Web Traffic by Source Machine

This report lists all WebTrafficAudit events grouped by source machine/IP.

RPT2003-06-01-1.rpt

As needed

Network Traffic Audit - Web Traffic by Tool Alias

This report lists Web Traffic Audit events grouped by tool alias.

RPT2003-06-01-0.rpt

As needed

Network Traffic Audit - Web URL Requests by Source Machine

This report lists the most frequently visited URLs grouped by the requesting client source machine.

RPT2003-06-01-5.rpt

As needed

Network Traffic Audit - Web URL Requests by Source Machine - Graphs

This report shows graphs of the most frequently visited URLs for each client source machine.

RPT2003-06-01-4.rpt

As needed

Resource Configuration

The Resource Configuration report details events that relate to configuration of user accounts, machine accounts, groups, policies, and their relationships. These include items such as domain or group modification, policy changes, and creation of new network resources.

RPT2003-08.rpt

Weekly

Resource Configuration - Authorization Audit

Events that are part of the Auth Audit tree are related to authentication and authorization of accounts and account containers such as groups or domains. These events can be produced from any network node including firewalls, routers, servers, and clients.

RPT2003-08-01.rpt

As needed

Resource Configuration - Domain Authorization Audit

Domain Auth Audit events are authentication, authorization, and modification events related only to domains, subdomains, and account containers. These events are normally operating system related; however, they could be produced by any network device.

RPT2003-08-02.rpt

As needed

Resource Configuration - Group Audit

Group Audit events are authentication, authorization, and modification events related only to account groups. These events are normally operating system related; however, they could be produced by any network device.

RPT2003-08-03.rpt

As needed

Resource Configuration - Machine Authorization Audit

Machine Auth Audit events are authentication, authorization, and modification events related only to computer or machine accounts. These events can be produced from any network node including firewalls, routers, servers, and clients, but are normally operating system related.

RPT2003-08-04.rpt

As needed

Resource Configuration - Policy Audit

Policy Audit events are used to track access, modification, scope change, and creation of authentication, domain, account, and account container policies. Many of these events reflect normal system traffic. Most PolicyAudit events are provided by the Operating System.

RPT2003-08-06.rpt

As needed

Resource Configuration - User Authorization Audit

User Auth Audit events are authentication, authorization, and modification events related only to user accounts. These events can be produced from any network node including firewalls, routers, servers, and clients.

RPT2003-08-05.rpt

As needed

Table of security reports

The following table lists and describes each of the security reports, listed alphabetically by title.

Title

Description

File name

Schedule

Authentication Report - Failed Authentication

Failed Authentication events occur when a user has made several authentication attempts that have all failed, or when a single logon failure is serious enough to merit a security event on its own.

RPT2003-02-1.rpt

As needed

Authentication Report - Guest Login

This report shows logins to various Guest accounts.

RPT2003-02-2.rpt

As needed

Authentication Report - Restricted Information Attempt

Restricted Information Attempt events describe a user attempt to access local or remote information that their level of authorization does not allow. These events may indicate user attempts to exploit services which they are denied access to or inappropriate access attempts to information.

RPT2003-02-3.rpt

As needed

Authentication Report - Restricted Service Attempt

Restricted Service Attempt events describe a user attempt to access a local or remote service that their level of authorization does not allow. These events may indicate user attempts to exploit services which they are denied access to or inappropriate access attempts to services.

RPT2003-02-4.rpt

As needed

Console

The Console report shows every event that passes through the system in the given time interval. It mimics the basic management console view. It does not contain the same level of field detail, but it is useful to get a quick snapshot of activity for a period, a lunch hour, for example. This report can be very large, so you will only want to run it for small time intervals, such as hours.

RPT2003-10.rpt

As needed

Console - Overview

An overview of all events during the specified time range. Shows graphs of the most common generic event field data from the console report.

RPT2003-10-00.rpt

As needed

Event Summary - Attack Behavior Statistics

Event Summary Sub Report - Attack Behavior Statistics

RPT2003-01-02.rpt

As needed

Event Summary - Authorization Audit Statistics

Event Summary Sub Report - Authorization Audit Statistics

RPT2003-01-03.rpt

As needed

Event Summary - Graphs

The event summary report gathers statistical data from all major event categories, summarizes it with a one-hour resolution, and presents a quick, graphical overview of activity on your network.

RPT2003-01.rpt

Daily

Event Summary - Machine Audit Statistics

Event Summary Sub Report - Machine Audit Statistics

RPT2003-01-05.rpt

As needed

Event Summary - Policy Audit Statistics

Event Summary Sub Report - Policy Audit Statistics

RPT2003-01-06.rpt

As needed

Event Summary - Resource Audit Statistics

Event Summary Sub Report - Resource Audit Statistics

RPT2003-01-07.rpt

As needed

Event Summary - Suspicious Behavior Statistics

Event Summary Sub Report - Suspicious Behavior Statistics

RPT2003-01-08.rpt

As needed

Event Summary - Top Level Statistics

Event Summary Sub Report - Top Level Statistics

RPT2003-01-01.rpt

As needed

Machine Audit

Track activity associated with machine process and service audit events. This report shows machine-level events such as software installs, patches, system shutdowns, and reboots. It can be used to assist in software license compliance auditing by providing records of installs.

RPT2003-09.rpt

Weekly

Machine Audit - File System Audit

This report tracks activity associated with file system audit events including mount file system and unmount file system events. These events are generally normal system activity, especially during system boot.

RPT2003-09-010.rpt

As needed

Machine Audit - File System Audit - Mount File System

Mount File System events are a specific type of File System Audit that reflect the action of creating an active translation between hardware and a usable file system. These events are generally normal during system boot.

RPT2003-09-012.rpt

As needed

Machine Audit - File System Audit - Unmount File System

Unmount File System events are a specific type of File System Audit that reflect the action of removing a translation between hardware and a usable file system. These events are generally normal during system shutdown.

RPT2003-09-013.rpt

As needed

Machine Audit - Process Audit

This report tracks activity related to processes, including processes that have started, stopped, or reported useful process-related information.

RPT2003-09-030.rpt

As needed

Machine Audit - Process Audit - Process Audit

This report lists Process Audit events that are generated to track launch, exit, status, and other events related to system processes. Usually, these events reflect normal system activity. Process-related activity that may indicate a failure will be noted separately from normal activity in the event detail.

RPT2003-09-031.rpt

As needed

Machine Audit - Process Audit - Process Info

Process Info is a specific type of Process Audit event that reflects information related to a process. Most of these events can safely be ignored, as they are generally normal activity that does not reflect a failure or abnormal state.

RPT2003-09-032.rpt

As needed

Machine Audit - Process Audit - Process Start

Process Start is a specific type of Process Audit event that indicates a new process has been launched. Usually, Process Start reflects normal system activity.

RPT2003-09-033.rpt

As needed

Machine Audit - Process Audit - Process Stop

Process Stop is a specific type of Process Audit event that indicates a process has exited. Usually, Process Stop reflects normal application exit; however, in the event of an unexpected error the abnormal state will be noted.

RPT2003-09-034.rpt

As needed

Machine Audit - Process Audit - Process Warning

Process Warning is a specific type of Process Audit event that indicates a process has returned a 'Warning' message that is not a fatal error and may not have triggered an exit of the process.

RPT2003-09-035.rpt

As needed

Machine Audit - Service Audit

This report tracks activity related to services, including services that have started, stopped, or reported useful service-related information or warnings.

RPT2003-09-040.rpt

As needed

Machine Audit - Service Audit - Service Info

This report tracks ServiceInfo events, which reflect information related to a particular service. Most of these events can safely be ignored, as they are generally normal activity that does not reflect a failure or abnormal state.

RPT2003-09-041.rpt

As needed

Machine Audit - Service Audit - Service Start

This report tracks ServiceStart events, which indicate that a new system service is starting.

RPT2003-09-042.rpt

As needed

Machine Audit - Service Audit - Service Stop

This report tracks ServiceStop events, which indicate that a system service is stopping. This activity is generally normal; however, in the event of an unexpected stop the abnormal state will be noted.

RPT2003-09-043.rpt

As needed

Machine Audit - Service Audit - Service Warning

This report lists ServiceWarning events. These events indicate a service has returned a Warning message that is not a fatal error and may not have triggered an exit of the service.

RPT2003-09-044.rpt

As needed

Machine Audit - System Audit

This report tracks activity associated with system status and modifications, including software changes, system reboots, and system shutdowns.

RPT2003-09-020.rpt

As needed

Machine Audit - System Audit - Machine Audit

Machine Audit events are used to track hardware or software status and modifications. These events are generally acceptable, but do indicate modifications to the client system that may be noteworthy.

RPT2003-09-021.rpt

As needed

Machine Audit - System Audit - Software Install

SoftwareInstall events reflect modifications to the system at a software level, generally at the operating system level (or equivalent, in the case of a network infrastructure device). These events are generated when a user updates a system or launches system-native methods to install third party applications.

RPT2003-09-025.rpt

As needed

Machine Audit - System Audit - Software Update

SoftwareUpdate is a specific type of SoftwareInstall that reflects a more current version of software being installed to replace an older version.

RPT2003-09-026.rpt

As needed

Machine Audit - System Audit - System Reboot

System Reboot events occur on monitored network devices (servers, routers, etc.) and indicate that a system has restarted.

RPT2003-09-022.rpt

As needed

Machine Audit - System Audit - System Shutdown

System Shutdown events occur on monitored network devices (servers, routers, etc.) and indicate that a system has been shut down.

RPT2003-09-023.rpt

As needed

Machine Audit - System Audit - System Status

SystemStatus events reflect general system state events. These events are generally normal and informational; however, they could potentially reflect a failure or issue which should be addressed.

RPT2003-09-024.rpt

As needed

Machine Audit - USB-Defender

This report tracks activity associated with USB-Defender, including insertion and removal events related to USB Mass Storage devices.

RPT2003-09-050.rpt

As needed

Malicious Code

This report tracks event activity associated with malicious code such as viruses, Trojans, and worms, both on the network and on local machines, as detected by anti-virus software.

RPT2003-04.rpt

Weekly

Malicious Code - Service Process Attack

Members of the Service Process Attack tree are used to define events centered on malicious or abusive usage of services or user processes. These events include abuse or misuse of resources from malicious code placed on the client system.

RPT2003-04-01.rpt

As needed

Malicious Code - Trojan Command Access

Trojan Command Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as Trojan Horses. This event detects the communication related to Trojans sending commands over the network (infecting other clients, participating in a denial of service activity, being controlled remotely by the originator, etc.). Trojans are generally executables that require no user intervention to spread and contain malicious code that is placed on the client system and used to exploit the client (and return access to the originator of the attack) or exploit other clients (used in attacks such as distributed denial of service attacks).

RPT2003-04-05.rpt

As needed

Malicious Code - Trojan Infection Access

Trojan Infection Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as a Trojan Horse. This event detects the infection traffic related to a Trojan entering the network (generally with intent to infect a client). Trojans are generally executables that require no user intervention to spread and contain malicious code that is placed on the client system and used to exploit the client (and return access to the originator of the attack) or exploit other clients (used in attacks such as distributed denial of service attacks).

RPT2003-04-04.rpt

As needed

Malicious Code - Trojan Traffic Access

Trojan Traffic Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as a Trojan Horse. This event detects the communication related to Trojans over the network (generally, 'trojaned' clients calling home to the originator). Trojans are generally executables that require no user intervention to spread and contain malicious code that is placed on the client system and used to exploit the client (and return access to the originator of the attack) or exploit other clients (used in attacks such as distributed denial of service attacks).

RPT2003-04-02.rpt

As needed

Malicious Code Report - Trojan Traffic Denial

Trojan Traffic Denial events are a specific type of Denial event where the transport of the malicious or abusive usage originates with malicious code on a client system known as a Trojan. The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Trojan Traffic Denial events may be attempts to exploit weaknesses in software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, attempts to spread the Trojan to other hosts, or other denial of service activities.

RPT2003-04-03.rpt

As needed

Malicious Code Report - Virus Attack

Virus Attack events reflect malicious code placed on a client or server system, which may lead to system or other resource compromise and may lead to further attack. The severity of this event will depend on the ActionTaken field, which reflects whether the virus or other malicious code was successfully removed.

RPT2003-04-06.rpt

As needed

Malicious Code Report - Virus Summary Attack

Virus Summary Attack events reflect malicious code placed on a client or server system, which may lead to system or other resource compromise and may lead to further attack. The severity of this event will depend on the Action Taken field, which reflects whether the virus or other malicious code was successfully removed. These events differ from Virus Attack in that they may be a composite of virus events, normally due to a scheduled scan on the client system as opposed to a real-time scan.

RPT2003-04-07.rpt

As needed

Malicious Code Report - Virus Traffic Access

Virus Traffic Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as viruses. This event detects the communication related to viruses over the network (generally, the spread of a virus infection or an incoming virus infection). Viruses are generally executables that require user intervention to spread, contain malicious code that is placed on the client system, and are used to exploit the client and possibly spread themselves to other clients.

RPT2003-04-08.rpt

As needed

Network Events: Attack Behavior

This report tracks activity associated with top-level NetworkAttack events.

RPT2003-11-00.rpt

As needed

Network Events: Attack Behavior - Access

This report shows malicious asset access via the network. For example, attacks on FTP or Windows Network servers, malicious network database access, abuses of services, or attempted unauthorized entry.

RPT2003-11.rpt

Weekly

Network Events: Attack Behavior - Access - Access

Children of the Access tree define events centered on malicious or abusive usage of network bandwidth/traffic where the intention, or the result, is inappropriate or abusive access to network resources.

RPT2003-11-01.rpt

As needed

Network Events: Attack Behavior - Access - Application Access

Application Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is mostly or all application-layer. Generally, ApplicationAccess events will reflect attempted exploitation of weaknesses in server or client software, or information that is restricted/prohibited by device access control or policy.

RPT2003-11-02.rpt

As needed

Network Events: Attack Behavior - Access - Configuration Access

Configuration Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via resource configuration traffic (using protocols such as DHCP, BootP, and SNMP). Generally, these events will reflect attempted exploitation of weaknesses in the configuration server or client software or attempts to gain system-level access to configuration servers themselves. In the case of SNMP and similar configuration protocols, it could reflect an attempt to enumerate a device or devices on the same network for further attack.

RPT2003-11-03.rpt

As needed

Network Events: Attack Behavior - Access - Core Access

Core Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is mostly or all core protocols (TCP, UDP, IP, ICMP). Generally, CoreAccess events will reflect attempted exploitation of weaknesses in network protocols or devices with intent to gain access to servers, clients, or network infrastructure devices.

RPT2003-11-04.rpt

As needed

Network Events: Attack Behavior - Access - Database Access

Database Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer database traffic. Generally, these events will reflect attempted exploitation of weaknesses in database server or client software.

RPT2003-11-05.rpt

As needed

Network Events: Attack Behavior - Access - File System Access

File System Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via remote filesystem traffic (using protocols such as SMB and NFS). Generally, these events will reflect attempted exploitation of weaknesses in the remote filesystem server or client software or attempts to gain system-level access to remote filesystem servers themselves.

RPT2003-11-06.rpt

As needed

Network Events: Attack Behavior - Access - File Transfer

File Transfer Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer file transfer traffic. Generally, these events will reflect attempted exploitation of weaknesses in file transfer server or client software.

RPT2003-11-07.rpt

As needed

Network Events: Attack Behavior - Access - Link Control Access

Link Control Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is low-level link control (using protocols such as ARP). Generally, Link Control Access events will reflect attempted exploitation of weaknesses in switching devices by usage of malformed incoming or outgoing data, with intent to enumerate or gain access to or through switching devices, clients that are also on the switching device, and entire networks attached to the switching device. In some cases, a managed switch with restrictions on port analyzing activity may be forced into an unmanaged switch with no restrictions - allowing a malicious client to sniff traffic and enumerate or attack.

RPT2003-11-08.rpt

As needed

Network Events: Attack Behavior - Access - Mail Access

Mail Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer mail transfer, retrieval, or service traffic. Generally, these events will reflect attempted exploitation of weaknesses in mail-related server or client software.

RPT2003-11-09.rpt

As needed

Network Events: Attack Behavior - Access - Naming Access

Naming Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer naming service traffic (using protocols such as DNS and WINS). Generally, these events will reflect attempted exploitation of weaknesses in the naming server or client software.

RPT2003-11-10.rpt

As needed

Network Events: Attack Behavior - Access - News Access

News Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer news traffic (over protocols such as NNTP). Generally, these events will reflect attempted exploitation of weaknesses in the news server or client software.

RPT2003-11-11.rpt

As needed

Network Events: Attack Behavior - Access - Point to Point Access

Point To Point Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via point to point traffic (using protocols such as PPTP). Generally, these events will reflect attempted exploitation of weaknesses in point to point server or client software, attempts to enumerate networks, or attempts to further attack devices on trusted networks.

RPT2003-11-12.rpt

As needed

Network Events: Attack Behavior - Access - Printer Access

Printer Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer remote printer traffic. Generally, these events will reflect attempted exploitation of weaknesses in the remote printer server or client software.

RPT2003-11-13.rpt

As needed

Network Events: Attack Behavior - Access - Remote Console Access

Remote Console Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer remote console service traffic (services such as telnet, SSH, and terminal services). Generally, these events will reflect attempted exploitation of weaknesses in the remote console server or client software.

RPT2003-11-14.rpt

As needed

Network Events: Attack Behavior - Access - Remote Procedure Access

Remote Procedure Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via remote procedure call traffic (using protocols such as the traditional RPC services, RMI, and CORBA). Generally, these events will reflect attempted exploitation of weaknesses in the remote procedure server or client software or attempts to gain system-level access to remote procedure servers themselves.

RPT2003-11-15.rpt

As needed

Network Events: Attack Behavior - Access - Routing Access

Routing Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is routing-related protocols (RIP, IGMP, etc.). Generally, Routing Access events will reflect attempted exploitation of weaknesses in routing protocols or devices with intent to enumerate or gain access to or through routers, servers, clients, or other network infrastructure devices. These routing protocols are used to automate the routing process between multiple devices that share or span networks.

RPT2003-11-16.rpt

As needed

Network Events: Attack Behavior - Access - Time Access

Time Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer remote time service traffic (using protocols such as NTP). Generally, these events will reflect attempted exploitation of weaknesses in the remote time server or client software.

RPT2003-11-17.rpt

As needed

Network Events: Attack Behavior - Access - Virus Traffic Access

Virus Traffic Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as viruses. Generally, these events will reflect attempted exploitation of weaknesses in the web server or client software.

RPT2003-11-19.rpt

As needed

Network Events: Attack Behavior - Access - Web Access

Web Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer WWW traffic. Generally, these events will reflect attempted exploitation of weaknesses in the web server or client software.

RPT2003-11-18.rpt

As needed

Network Events: Attack Behavior - Denial / Relay

Track activity associated with network denial or relay attack behaviors. This report shows malicious asset relay attempts and denials of service via the network. For example, FTP bouncing, Distributed Denial of Service events, and many protocol abuses.

RPT2003-12.rpt

Weekly

Network Events: Attack Behavior - Denial / Relay - Application Denial

Application Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer protocols. The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Application Denial events may be attempts to exploit weaknesses in software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities.

RPT2003-12-01.rpt

As needed

Network Events: Attack Behavior - Denial / Relay - Configuration Denial

Configuration Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is protocols related to configuration of resources (DHCP, BootP, SNMP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. ConfigurationDenial events may be attempts to exploit weaknesses in configuration-related software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities.

RPT2003-12-02.rpt

As needed

Network Events: Attack Behavior - Denial / Relay - Core Denial

Core Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is core protocols (TCP, IP, ICMP, UDP). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Core Denial events may be attempts to exploit weaknesses in software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities.

RPT2003-12-03.rpt

As needed

Network Events: Attack Behavior - Denial / Relay - Denial

Children of the Denial tree define events centered on malicious or abusive usage of network bandwidth/traffic where the intention, or the result, is inappropriate or abusive access to network resources through a denial of service attack.

RPT2003-12-04.rpt

As needed

Network Events: Attack Behavior - Denial / Relay - File System Denial

File System Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is remote filesystem-related protocols (NFS, SMB, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. File System Denial events may be attempts to exploit weaknesses in remote filesystem services or software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities.

RPT2003-12-05.rpt

As needed

Network Events: Attack Behavior - Denial / Relay - File Transfer Denial

File Transfer Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is an application-layer file transfer protocol (FTP, TFTP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. FileTransferDenial events may be attempts to exploit weaknesses in file transfer-related software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities.

RPT2003-12-06.rpt

As needed

Network Events: Attack Behavior - Denial / Relay - Link Control Denial

Link Control Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is a link-level protocol (such as ARP). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. LinkControlDenial events may be attempts to exploit weaknesses in link-level control software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities.

RPT2003-12-07.rpt

As needed

Network Events: Attack Behavior - Denial / Relay - Mail Denial

MailDenial events are a specific type of Denial event where the transport of the malicious or abusive usage is an application-layer mail-related protocol (SMTP, IMAP, POP3, etc.) or service (majordomo, spam filters, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. MailDenial events may be attempts to exploit weaknesses in mail-related software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities.

RPT2003-12-08.rpt

As needed

Network Events: Attack Behavior - Denial / Relay - Relay

Children of the Relay tree define events centered on malicious or abusive usage of network bandwidth/traffic where the intention, or the result, is relaying inappropriate or abusive access to other network resources (either internal or external). Generally, these attacks will have the perimeter or an internal host as their point of origin. When sourced from remote hosts, they may indicate a successful exploit of an internal or perimeter host.

RPT2003-12-09.rpt

As needed

Network Events: Attack Behavior - Denial / Relay - Remote Procedure Denial

Remote Procedure Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is a remote procedure-related protocol (traditional RPC, RMI, CORBA, etc.) or service (portmapper, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. RemoteProcedureDenial events may be attempts to exploit weaknesses in remote procedure services or software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities.

RPT2003-12-10.rpt

As needed

Network Events: Attack Behavior - Denial / Relay - Routing Denial

Routing Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is a routing-related protocol (RIP, IGMP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Routing Denial events may be attempts to exploit weaknesses in routers or routing software to gain access to a host system, attempts to exploit weaknesses in the routing software or service to enumerate or reconfigure, or other denial of service activities.

RPT2003-12-11.rpt

As needed

Network Events: Attack Behavior - Denial / Relay - Web Denial

Web Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is an application-layer web-related protocol (HTTP, HTTPS, etc.) or service (CGI, ASP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Web Denial events may be attempts to exploit weaknesses in web-related software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities.

RPT2003-12-12.rpt

As needed

Network Events: Suspicious Behavior

Track activity associated with suspicious network behaviors such as reconnaissance or unusual traffic. Specifically, this report shows potentially dangerous activity, such as excessive authentication failures, port scans, stack fingerprinting, and network enumerations.

RPT2003-07.rpt

Weekly

Network Events: Suspicious Behavior - Application Enumerate

Application Enumerate events reflect attempts to gather information about target hosts, or services on target hosts, by sending active application-layer data which will elicit responses that reveal information about the application or host. This enumeration may be a simple command sent to the application to attempt to fingerprint what is allowed or denied by the service, requests to the application which may enable an attacker to surmise the version and specific application running, and other information gathering tactics. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the host or application that may work correctly the first time, enabling them to modify their methodology to go on relatively undetected.

RPT2003-07-01.rpt

As needed

Network Events: Suspicious Behavior - Banner Grabbing Enumerate

Banner Grabbing Enumerate events reflect attempts to gather information about target hosts, or services on target hosts, by sending a request which will elicit a response containing the host or service's 'banner'. This 'banner' contains information that may provide a potential attacker with such details as the exact application and version running behind a port. These details could be used to craft specific attacks against hosts or services that an attacker may know will work correctly the first time, enabling them to modify their methodology to go on relatively undetected.

RPT2003-07-02.rpt

As needed

Network Events: Suspicious Behavior - Core Scan

Core Scan events reflect attempts to gather information about target networks, or specific target hosts, by sending scans over core network protocols (TCP, IP, ICMP, UDP) which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, information such as a list of applications listening on ports, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts.

RPT2003-07-03.rpt

As needed

Network Events: Suspicious Behavior - Enumerate

Enumerate events reflect attempts to gather information about target networks, or specific target hosts, by sending active data which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the enumeration is generally attempting to acquire information that may reveal more than normal traffic to the target would.

RPT2003-07-04.rpt

As needed

Network Events: Suspicious Behavior - Footprint

Footprint events reflect attempts to gather information about target networks by tracing the network through routers, clients, servers, or other network infrastructure devices. The originating source of the footprint is generally attempting to acquire information that may reveal more about network behavior than normal traffic to the target would.

RPT2003-07-05.rpt

As needed

Network Events: Suspicious Behavior - General Security

General Security events are generated when a supported product outputs data that has not yet been normalized into a specific event, but is known to be security issue-related.

RPT2003-07-17.rpt

As needed

Network Events: Suspicious Behavior - Host Scan

Host Scan events reflect attempts to gather information about specific target hosts by sending scans which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as a list of applications on the host, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts. These scans generally do not occur across entire networks and generally have the intent of discovering operating system and application information which may be used for further attack preparation.

RPT2003-07-06.rpt

As needed

Network Events: Suspicious Behavior - ICMP Query

ICMP Query events reflect attempts to gather information about specific target hosts, or networks, by sending ICMP-based queries that will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as operating system information and other information that a probe may discover without enumeration of the specific services or performing attack attempts. These scans generally do not occur across entire networks, contain many sequential ICMP packets, and generally have the intent of discovering operating system and application information which may be used for further attack preparation.

RPT2003-07-07.rpt

As needed

Network Events: Suspicious Behavior - MS Network Enumerate

MS Network Enumerate events reflect attempts to gather information about target hosts, or services on target hosts, by sending active data to Microsoft networking services (using protocols such as NetBIOS and SMB/CIFS) that will elicit responses that reveal information about the application, host, or target network. This enumeration may be a simple command sent to the networking service to attempt to fingerprint what is allowed or denied by a service, requests to a service that may enable an attacker to surmise the version and specific service running, requests to a service that may enable an attacker to fingerprint the target network, and other information gathering tactics. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the networking service, host, or application that may work correctly the first time, enabling them to modify their methodology to go on relatively undetected.

RPT2003-07-08.rpt

As needed

Network Events: Suspicious Behavior - Network Suspicious

Members of the NetworkSuspicious tree are used to define events regarding suspicious usage of network bandwidth/traffic. These events include unusual traffic and reconnaissance behavior detected on network resources.

RPT2003-07-09.rpt

As needed

Network Events: Suspicious Behavior - Port Scan

Port Scan events reflect attempts to gather information about target networks, or specific target hosts, by sending scans over core network protocols (TCP, IP, ICMP, UDP) that will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as a list of applications listening on ports, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts. Port Scans specifically operate by sending probes to every port within a range, attempting to identify open ports that may use applications or services that are easy to enumerate and attack.

RPT2003-07-10.rpt

As needed

Network Events: Suspicious Behavior - Recon

Children of the Recon tree reflect suspicious network behavior with the intent of gathering information about target clients, networks, or hosts. Reconnaissance behavior may be valid on a network, but only as a controlled behavior in small quantities. Invalid reconnaissance behavior may reflect attempts to determine security flaws on remote hosts, missing access control policies that allow external hosts to penetrate networks, or other suspicious behavior that results in general information gathering without actively attacking.

RPT2003-07-11.rpt

As needed

Network Events: Suspicious Behavior - Remote Procedure Enumerate

Remote Procedure Enumerate events reflect attempts to gather information about target hosts, or services on target hosts, by sending active data to Remote Procedure services (using protocols such as RMI, CORBA, and traditional RPC) that will elicit responses that reveal information about the application or host. This enumeration may be a simple command sent to the remote procedure service to attempt to fingerprint what is allowed or denied by the service, requests to the remote procedure service that may enable an attacker to surmise the version and specific service running, and other information gathering tactics. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the remote procedure service or application that may work correctly the first time, enabling them to modify their methodology to go on relatively undetected.

RPT2003-07-12.rpt

As needed

Network Events: Suspicious Behavior - Scan

Scan events reflect attempts to gather information about target networks, or specific target hosts, by sending scans which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, information such as a list of applications listening on ports, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts.

RPT2003-07-13.rpt

As needed

Network Events: Suspicious Behavior - Stack Fingerprint

Stack Fingerprint events reflect attempts to gather information about specific target hosts by sending a certain set of packets to probe a device's network stack, which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as operating system information (including type and version) and other information that a probe may discover without enumeration of the specific services or performing attack attempts. These scans generally do not occur across entire networks and generally have the intent of discovering operating system information which may be used for further attack preparation.

RPT2003-07-14.rpt

As needed

Network Events: Suspicious Behavior - Trojan Scanner

Trojan Scanner events reflect attempts of Trojans on the network to gather information about target networks, or specific target hosts, by sending scans which will elicit responses that reveal information about the host. The originating Trojan source of the scan is generally attempting to acquire information that will reveal whether a target host or network has open and available services for further exploitation, whether the target host or network is alive, and how much of the target network is visible. A Trojan may run a scan before attempting an attack operation to test potential effectiveness or targeting information.

RPT2003-07-15.rpt

As needed

Network Events: Suspicious Behavior - Unusual Traffic

Unusual Traffic events reflect suspicious behavior on network devices where the traffic may have no known exploit, but is unusual and could be potential enumerations, probes, fingerprints, attempts to confuse devices, or other abnormal traffic. Unusual Traffic may require no immediate response; however, it could reflect a suspicious host that should be monitored closely.

RPT2003-07-16.rpt

As needed

Priority Event (reference)

This report is no longer in use. The Priority Event report tracks those events that the user has identified as a priority event. These events appear in the Priority filter of the Console.

RPT2003-16.rpt

As needed

Priority Event By User (reference)

This report is no longer in use. This report mirrors the standard Priority Event report but groups the events received by Console User account. The same event may be seen by many users, so this report tends to be much larger than the standard Priority Event report.

RPT2003-17.rpt

As needed

Rule Subscriptions by User

The Rule Subscriptions report tracks those events that the user has subscribed to monitor.

RPT2006-28-01.rpt

Daily

SolarWinds Actions

The SolarWinds Action Report lists all commands or actions initiated by SolarWinds Network Security.

RPT2003-18.rpt

As needed

Table of support reports

Support Reports are diagnostic tools used by SolarWinds Customer Support. Only run these reports at the request of SolarWinds. The reports are listed alphabetically by title.

Title Description File name Schedule

Agent Connection Status

This report is a diagnostic tool used by Customer Support, and generally run only at their request. This report tracks internal agent online and offline events.

RPT2009-33-1.rpt

As requested

Agent Connection Status by Agent

This report is a diagnostic tool used by Customer Support, and generally run only at their request. This report tracks internal agent online and offline events grouped by agent.

RPT2009-33-2.rpt

As requested

Agent Connection Summary

This report is a diagnostic tool used by Customer Support, and generally run only at their request. This report shows high level summary information for when agents go online and offline.

RPT2009-33.rpt

As requested

Audit - Internal Audit Report

Audit - Internal Audit Report

RPT2006-31-01.rpt

As requested

Audit - Internal Audit Report by User

Internal Audit Report grouped by User

RPT2006-31-02.rpt

As requested

Agent Maintenance Report

This report is a diagnostic tool used by Customer Support, and generally run only at their request. This report displays internal event data for possible misconfigured agents.

RPT2007-32.rpt

As requested

Database Maintenance Report

This report is a diagnostic tool used by Customer Support, and generally run only at their request.

RPT2006-26.rpt

As requested

List of Rules for Rule Subscriptions

This report lists available rules for the Rule Subscriptions.

RPT2006-29-02.rpt

As needed

List of Subscription Rules by User

This report lists the rules that users have subscribed to.

RPT2006-29-03.rpt

As needed

List of Users

This report lists each user entered. Currently, the users are only used for Rule Subscriptions.

RPT2006-29-01.rpt

As needed

Tool Maintenance by Alias

This report is a diagnostic tool used by Customer Support, and generally run only at their request. List of New Tool Data events based on Tool Alias.

RPT2003-14.rpt

As needed

Tool Maintenance by Insertion Point

This report is a diagnostic tool used by Customer Support, and generally run only at their request. List of New Tool Data events based on Agent InsertionIP.

RPT2003-15.rpt

As needed

Tool Maintenance by Provider

This report is a diagnostic tool used by Customer Support, and generally run only at their request. List of New Tool Data events based on ProviderSID.

RPT2003-13.rpt

As needed

Tool Maintenance Detail Report

This report is a diagnostic tool used by Customer Support, and generally run only at their request. The report displays a summary of all SolarWinds error messages received from various tools.

RPT2003-14.rpt

As requested

Tool Maintenance Report

This report is a diagnostic tool used by Customer Support, and generally run only at their request. The report displays a summary of unique SolarWinds error messages received from various tools.

RPT2003-13.rpt

As requested

Report schedule definitions

The following table describes each recommended report schedule.

Schedule Description

Daily

Run and review this report once each day.

Weekly

Run and review this report once each week.

As needed

SolarWinds suggests that you run these reports only when needed for specific auditing purposes, or when you need the details surrounding a Priority event or a suspicious event.

As requested

These reports are diagnostic tools and should only be run at the request of SolarWinds technical support personnel.

Last modified: 07:49, 14 Sep 2016
