Default reports included with SEM
This section describes the reports included with SEM and suggests how often to run each report.
Scheduling terminology used in this topic
This section describes the scheduling terminology used in the reports table.
Schedule | Description |
---|---|
Daily | Run and review this report once each day. |
Weekly | Run and review this report once each week. |
As needed | SolarWinds suggests that you run these reports only when needed for specific auditing purposes, or when you need the details surrounding a Priority event or a suspicious event. |
As requested | These reports are diagnostic tools and should only be run at the request of SolarWinds' technical support personnel. |
Audit reports included with SEM
The following table lists and describes each audit report, listed alphabetically by title.
Title | Description | File Name | Schedule |
---|---|---|---|
Authentication Report |
This report lists all authentications tracked by the SolarWinds system, including user logon, logoff, failed logon attempts, guest logons, and so on. |
RPT2003-02.rpt |
Weekly |
Authentication Report - Authentication Audit |
This report lists events that are related to authentication and authorization of accounts and account "containers" such as groups or domains. These events can be produced from any network node including firewalls, routers, servers, and clients. |
RPT2003-02-10.rpt |
As needed |
Authentication Report - Suspicious Authentication |
This report lists events that are related to suspicious authentication and authorization events. These events include excessive failed authentication or authorization attempts, suspicious access to unauthenticated users, and suspicious access to unauthorized services or information. |
RPT2003-02-9.rpt |
As needed |
Authentication Report - Top User Log On by User |
This report lists the Top User Log On events grouped by user name. |
RPT2003-02-6-2.rpt |
As needed |
Authentication Report - Top User Log On Failure by User |
This report lists the Top User Log On Failure events grouped by user name. |
RPT2003-02-7-2.rpt |
As needed |
Authentication Report - SolarWinds Authentication |
This report shows logon, logoff, and logon failure activity to the SolarWinds Console. |
RPT2003-02-8.rpt |
As needed |
Authentication Report - User Log Off |
User Logoff events reflect account logoff events from network devices (including network infrastructure devices). Each event will reflect the type of device from which the user was logging off. These events are usually normal events but are tracked for consistency and auditing purposes. |
RPT2003-02-5.rpt |
As needed |
Authentication Report - User Log On |
User Logon events reflect user account logon events from network devices monitored by SolarWinds (including network infrastructure devices). Each event will reflect the type of device that the logon was intended for along with all other relevant fields. |
RPT2003-02-6.rpt |
As needed |
Authentication Report - User Log On by User |
This report lists all account logon events, grouped by user name. |
RPT2003-02-6-1.rpt |
As needed |
Authentication Report - User Log On Failure |
User Logon Failure events reflect failed account logon events from network devices (including network infrastructure devices). Each event will reflect the point on the network where the user was attempting logon. In larger quantities, these events may reflect a potential issue with a user or set of users, but as individual events they are generally not a problem. |
RPT2003-02-7.rpt |
As needed |
Authentication Report - User Log On Failure by User |
This report lists all account logon failure events, grouped by user name. |
RPT2003-02-7-1.rpt |
As needed |
Change Management - General Authentication Related Events |
This report includes changes to domains, groups, machine accounts, and user accounts. |
RPT2006-20.rp |
As needed |
Change Management - General Authentication: Domain Events |
This report includes changes to domains, including new domains, new members, and modifications to domain settings. |
RPT2006-20-01.rpt |
As needed |
Change Management - General Authentication: Domain Events - Change Domain Attribute |
This report lists changes to domain type. These events are uncommon and usually provided by the operating system. Usually, these changes are made by a user account with administrative privileges, but occasionally a change will happen when local system maintenance activity takes place. |
RPT2006-20-01-7.rpt |
As needed |
Change Management - General Authentication: Domain Events - Change Domain Member |
This report lists events that occur when an account or account container within a domain is modified. Usually, these changes are made by a user account with administrative privileges, but occasionally an event occurs when local system maintenance activity takes place. Events of this nature mean a user, machine, or service account within the domain has been modified. |
RPT2006-20-01-4.rpt |
As needed |
Change Management - General Authentication: Domain Events - Delete Domain |
This report lists events that occur upon removal of a trust relationship between domains, deletion of a subdomain, or deletion of account containers within a domain. Usually, these changes are made by a user account with administrative privileges. |
RPT2006-20-01-8.rpt |
As needed |
Change Management - General Authentication: Domain Events - Delete Domain Member |
This report lists events that occur when an account or account container has been removed from a domain. Usually, these changes are made by a user account with administrative privileges, but occasionally they occur when local system maintenance activity takes place. |
RPT2006-20-01-3.rpt |
As needed |
Change Management - General Authentication: Domain Events - Domain Member Alias |
This report lists events that happen when the alias for a domain member has been changed. This means an account or account container within a domain has an alias created, deleted, or otherwise modified. This event is uncommon and is used to track links between domain members and other locations in the domain where the member may appear. |
RPT2006-20-01-5.rpt |
As needed |
Change Management - General Authentication: Domain Events - DomainAuthAudit |
This report lists authentication, authorization, and modification events that are related only to domains, subdomains, and account containers. These events are normally related to operating systems. However, they can be produced by any network device. |
RPT2006-20-01-1.rpt |
As needed |
Change Management - General Authentication: Domain Events - New Domain |
This report lists events that occur upon creation of a new trust relationship between domains, creation of a new subdomain, or creation of new account containers within a domain. Usually, these creations are done by a user account with administrative privileges. |
RPT2006-20-01-6.rpt |
As needed |
Change Management - General Authentication: Domain Events - New Domain Member |
This report lists events that occur when an account or an account container (a new user, machine, or service account) has been added to the domain. Usually, these additions are made by a user account with administrative privileges, but occasionally they occur when local system maintenance activity takes place. |
RPT2006-20-01-2.rpt |
As needed |
Change Management - General Authentication: Group Events |
This report lists changes to groups, including new groups, members added/removed to/from groups, and modifications to group settings. |
RPT2006-20-02.rpt |
As needed |
Change Management - General Authentication: Group Events - Change Group Attribute |
This report lists events that occur when a group type is modified. Usually, these changes are made by a user account with administrative privileges, but occasionally they occur when local system maintenance activity takes place. |
RPT2006-20-02-6.rpt |
As needed |
Change Management - General Authentication: Group Events - Delete Group |
This report lists events that occur upon deletion of a group of any type. Usually, these changes are made by a user account with administrative privileges. |
RPT2006-20-02-5.rpt |
As needed |
Change Management - General Authentication: Group Events - Delete Group Member |
This report lists events that occur when an account or group has been removed from a group. Usually, these changes are made by a user account with administrative privileges, but occasionally they occur when local system maintenance activity takes place. |
RPT2006-20-02-3.rpt |
As needed |
Change Management - General Authentication: Group Events - Group Audit |
This report lists authentication, authorization, and modification events related only to account groups. These events are normally related to the operating system; however, they can be produced by any network device. |
RPT2006-20-02-1.rpt |
As needed |
Change Management - General Authentication: Group Events - New Group |
This report lists NewGroup events. These events occur upon creation of a new group of any type. Usually, these additions are made by a user account with administrative privileges. |
RPT2006-20-02-4.rpt |
As needed |
Change Management - General Authentication: Group Events - New Group Member |
This report lists NewGroupMember events. These events occur when an account (or other group) has been added to a group. Usually, these additions are made by a user account with administrative privileges, but occasionally an event will occur when local system maintenance activity takes place. A new user, machine, or service account has been added to the group. |
RPT2006-20-02-2.rpt |
As needed |
Change Management - General Authentication: Machine Account Events |
This report includes changes to machine accounts, including enabling/disabling machine accounts and modifications to machine account settings. |
RPT2006-20-03.rpt |
As needed |
Change Management - General Authentication: Machine Account Events - Machine Disabled |
This report lists MachineDisable events. These events occur when a machine account is actively disabled and/or when an account is forcibly locked out by the operating system or other authentication tool. These events are usually operating system related and could reflect a potential issue with a computer or set of computers. |
RPT2006-20-03-3.rpt |
As needed |
Change Management - General Authentication: Machine Account Events - Machine Enabled |
This report lists MachineEnable events, which reflect the action of enabling a computer or machine account. These events are normally related to the operating system, and will trigger when a machine is “enabled,” normally by a user with administrative privileges. |
RPT2006-20-03-1.rpt |
As needed |
Change Management - General Authentication: Machine Account Events - Machine Modify Attribute |
This report lists MachineModifyAttribute events, which occur when a computer or machine type is changed. These events are uncommon and usually provided by the operating system. |
RPT2006-20-03-2.rpt |
As needed |
Change Management - General Authentication: User Account Events |
This report includes changes to user accounts, including enabling/disabling user accounts and modifications to user account settings. |
RPT2006-20-04.rpt |
As needed |
Change Management - General Authentication: User Account Events - User Disabled |
This report lists UserDisable events. These events occur when a user account is actively disabled and/or when a user is forcibly locked out by the operating system or other authentication tool. These events are usually related to the operating system and can reflect a potential issue with a user or set of users. |
RPT2006-20-04-3.rpt |
As needed |
Change Management - General Authentication: User Account Events - User Enabled |
This report lists UserEnable events, which reflect the action of enabling a user account. These events are normally related to the operating system. They occur both when an account is unlocked after lockout due to unsuccessful logons, and when an account is “enabled” in the traditional sense. |
RPT2006-20-04-1.rpt |
As needed |
Change Management - General Authentication: User Account Events - User Modify Attributes |
This report lists UserModifyAttribute events that occur when a user type is changed. These events are uncommon and usually provided by the operating system. |
RPT2006-20-04-2.rpt |
As needed |
Change Management - Network Infrastructure: Policy/View Change |
This report includes accesses to network infrastructure device policy, including viewing or changing device policy. |
RPT2006-21.rpt |
As needed |
Change Management - Windows/Active Directory Domains: Group Created |
This report includes creations of Windows/Active Directory groups. |
RPT2006-22-01.rpt |
As needed |
Change Management - Windows/Active Directory Domains: Group Deleted |
This report includes deletions of Windows/Active Directory groups. |
RPT2006-22-02.rpt |
As needed |
Change Management - Windows/Active Directory Domains: Group Events |
This report includes Windows/Active Directory group-related events. |
RPT2006-22.rpt |
As needed |
Change Management - Windows/Active Directory Domains: Group Property Updated |
This report includes changes to Windows/Active Directory group properties, such as the display name. |
RPT2006-22-03.rpt |
As needed |
Change Management - Windows/Active Directory Domains: Machine Events |
This report includes Windows/Active Directory machine-related events. |
RPT2006-23.rpt |
As needed |
Change Management - Windows/Active Directory Domains: Machine Events - Account Created |
This report includes creations of Windows/Active Directory machine accounts. |
RPT2006-23-01.rpt |
As needed |
Change Management - Windows/Active Directory Domains: Machine Events - Account Deleted |
This report includes deletions of Windows/Active Directory machine accounts. |
RPT2006-23-02.rpt |
As needed |
Change Management - Windows/Active Directory Domains: Machine Events - Account Disabled |
This report includes disables of Windows/Active Directory machine accounts. |
RPT2006-23-03.rpt |
As needed |
Change Management - Windows/Active Directory Domains: Machine Events - Account Enabled |
This report includes enables of Windows/Active Directory machine accounts. |
RPT2006-23-04.rpt |
As needed |
Change Management - Windows/Active Directory Domains: Machine Events - Account Properties Update |
This report includes changes to Windows/Active Directory machine account properties, such as the display name. |
RPT2006-23-05.rpt |
As needed |
Change Management - Windows/Active Directory Domains: Machine Events - Added To Group |
This report includes additions of Windows/Active Directory machine accounts to groups. |
RPT2006-23-06.rpt |
As needed |
Change Management - Windows/Active Directory Domains: Machine Events - Added To OU |
This report includes additions of Windows/Active Directory machine accounts to Organizational Units. |
RPT2006-23-07.rpt |
As needed |
Change Management - Windows/Active Directory Domains: Machine Events - Removed From Group |
This report includes removals of Windows/Active Directory machine accounts from groups. |
RPT2006-23-08.rpt |
As needed |
Change Management - Windows/Active Directory Domains: Machine Events - Removed From OU |
This report includes removals of Windows/Active Directory machine accounts from Organizational Units. |
RPT2006-23-09.rpt |
As needed |
Change Management - Windows/Active Directory Domains: New Critical Group Members |
This report includes additions of Windows/Active Directory user accounts to critical groups, such as Domain or Enterprise Admins. |
RPT2006-22-04.rpt |
As needed |
Change Management - Windows/Active Directory Domains: OU Events |
This report includes Windows/Active Directory Organizational Unit-related events. |
RPT2006-24.rpt |
As needed |
Change Management - Windows/Active Directory Domains: OU Events - OU Created |
This report includes creation of Windows/Active Directory Organizational Units. |
RPT2006-24-01.rpt |
As needed |
Change Management - Windows/Active Directory Domains: OU Events - OU Deleted |
This report includes deletion of Windows/Active Directory Organizational Units. |
RPT2006-24-02.rpt |
As needed |
Change Management - Windows/Active Directory Domains: OU Events - OU Properties Update |
This report includes updates to Windows/Active Directory Organizational Unit properties, such as the display name. |
RPT2006-24-03.rpt |
As needed |
Change Management - Windows/Active Directory Domains: User Events |
This report includes Windows/Active Directory user-related events. |
RPT2006-25.rpt |
As needed |
Change Management - Windows/Active Directory Domains: User Events - Account Created |
This report includes creations of Windows/Active Directory user accounts. |
RPT2006-25-01.rpt |
As needed |
Change Management - Windows/Active Directory Domains: User Events - Account Deleted |
This report includes deletions of Windows/Active Directory user accounts. |
RPT2006-25-02.rpt |
As needed |
Change Management - Windows/Active Directory Domains: User Events - Account Disabled |
This report includes disables of Windows/Active Directory user accounts. |
RPT2006-25-03.rpt |
As needed |
Change Management - Windows/Active Directory Domains: User Events - Account Enabled |
This report includes enables of Windows/Active Directory user accounts. |
RPT2006-25-04.rpt |
As needed |
Change Management - Windows/Active Directory Domains: User Events - Account Lockout |
This report includes user-driven disables of Windows/Active Directory user accounts, such as a user triggering an excessive failed password limit. |
RPT2006-25-05.rpt |
As needed |
Change Management - Windows/Active Directory Domains: User Events - Account Properties Updated |
This report includes changes to Windows/Active Directory user account properties, such as the display name. |
RPT2006-25-06.rpt |
As needed |
Change Management - Windows/Active Directory Domains: User Events - Added To Group |
This report includes additions of Windows/Active Directory user accounts to groups. |
RPT2006-25-07.rpt |
As needed |
Change Management - Windows/Active Directory Domains: User Events - Added To OU |
This report includes additions of Windows/Active Directory user accounts to Organizational Units. |
RPT2006-25-08.rpt |
As needed |
Change Management - Windows/Active Directory Domains: User Events - Removed From Group |
This report includes removals of Windows/Active Directory user accounts from groups. |
RPT2006-25-09.rpt |
As needed |
Change Management - Windows/Active Directory Domains: User Events - Removed From OU |
This report includes removals of Windows/Active Directory user accounts from Organizational Units. |
RPT2006-25-10.rpt |
As needed |
File Audit Events |
This report tracks file system activity associated with audited files and system objects, such as file access successes and failures. |
RPT2003-05.rpt |
Weekly |
File Audit Events - File Attribute Change |
File Attribute Change is a specific File Write event generated for the modification of file attributes (including properties such as read-only status). These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems. |
RPT2003-05-41.rpt |
As needed |
File Audit Events - |
File Audit events are used to track file activity on monitored network devices, usually through the Operating System or a Host-Based IDS. These events will note success or failure of the requested operation. |
RPT2003-05-11.rpt |
As needed |
File Audit Events - |
File Audit Failure events are used to track failed file activity on monitored network devices, usually through the Operating System or a Host-Based IDS. These events will note what requested operation failed. |
RPT2003-05-12.rpt |
As needed |
File Audit Events - |
File Create is a specific File Write event generated for the initial creation of a file. These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems. |
RPT2003-05-42.rpt |
As needed |
File Audit Events - |
File Data Read is a specific File Read event generated for the operation of reading data from a file (not just properties or status of a file). These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems. |
RPT2003-05-31.rpt |
As needed |
File Audit Events - |
File Data Write is a specific File Write event generated for the operation of writing data to a file (not just properties or status of a file). These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems. |
RPT2003-05-43.rpt |
As needed |
File Audit Events - |
File Delete is a specific File Write event generated for the deletion of an existing file. These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems. |
RPT2003-05-44.rpt |
As needed |
File Audit Events - |
File Execute is a specific File Read event generated for the operation of executing files. These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems. |
RPT2003-05-32.rpt |
As needed |
File Audit Events - |
File Handle Audit events are used to track file handle activity on monitored network devices, usually through low-level access to the Operating System, either natively or with a Host-Based IDS. These events will note success or failure of the requested operation. |
RPT2003-05-21.rpt |
As needed |
File Audit Events - |
File Handle Close is a specific File Handle Audit event generated for the closing of file handles. These events may be generated by a tool that has low-level file access, such as an Operating System or some Host-Based IDSs. |
RPT2003-05-22.rpt |
As needed |
File Audit Events - |
File Handle Copy is a specific File Handle Audit event generated for the copying of file handles. These events may be generated by a tool that has low-level file access, such as an Operating System or some Host-Based IDSs. |
RPT2003-05-23.rpt |
As needed |
File Audit Events - |
File Handle Open is a specific File Handle Audit event generated for the opening of file handles. These events may be generated by a tool that has low-level file access, such as an Operating System or some Host-Based IDSs. |
RPT2003-05-24.rpt |
As needed |
File Audit Events - |
File Link is a specific File Write event generated for the creation, deletion, or modification of links to other files. These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems. |
RPT2003-05-45.rpt |
As needed |
File Audit Events - |
File Move is a specific File Write event generated for the operation of moving a file that already exists. These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems. |
RPT2003-05-46.rpt |
As needed |
File Audit Events - |
File Read is a specific File Audit event generated for the operation of reading files (including reading properties of a file or the status of a file). These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some Operating Systems. |
RPT2003-05-33.rpt |
As needed |
File Audit Events - |
File Write is a specific File Audit event generated for the operation of writing to a file (including writing properties of a file or changing the status of a file). These events may be produced by any tool that is used to monitor the activity of file usage, including a Host-Based IDS and some operating systems. |
RPT2003-05-47.rpt |
As needed |
File Audit Events - |
Object Audit events are used to track special object activity on monitored network devices, usually through the Operating System or a Host-Based IDS. Generally, Objects are special types of system resources, such as registry items or user account databases. These objects may be actual 'files' on the system, but are not necessarily human readable. These events will note success or failure of the requested operation. |
RPT2003-05-51.rpt |
As needed |
File Audit Events - |
Object Audit Failure events are used to track special object activity on monitored network devices, usually through the Operating System or a Host-Based IDS. Generally, Objects are special types of system resources, such as registry items or user account databases. These objects may be actual 'files' on the system, but are not necessarily human readable. These events will note a failure of the requested operation. |
RPT2003-05-52.rpt |
As needed |
File Audit Events - |
Object Delete is a specific Object Audit event generated for the deletion of an existing object. These events may be produced by any tool that is used to monitor the activity of file and object usage, including a Host-Based IDS and some Operating Systems. |
RPT2003-05-53.rpt |
As needed |
File Audit Events - |
Object Link is a specific Object Audit event generated for the creation, deletion, or modification of links to other objects. These events may be produced by any tool that is used to monitor the activity of file and object usage, including a Host-Based IDS and some Operating Systems. |
RPT2003-05-54.rpt |
As needed |
Incident Events |
This report tracks the Incident, HostIncident, HybridIncident and NetworkIncident events that have been generated to reflect enterprise-wide issues. |
RPT2006-19.rpt |
Daily |
Inferred Events |
This report tracks events that are triggered by correlations built in the SolarWinds Rule Builder. |
RPT2006-27.rpt |
As needed |
Inferred Events by Inference Rule |
This report tracks events that are triggered by correlations, and orders them by the correlation rule name. |
RPT2006-27-01.rpt |
As needed |
Log On/Off/Failure |
Track activity associated with account events such as log on, log off and log on failures. This is a refined version of the Authentication Report that does not include SolarWinds authentication events. It is more appropriate for management reports or audit reviews than regular use. |
RPT2003-03.rpt |
Weekly |
Network Traffic Audit |
Track activity associated with network traffic audit events such as TCP, IP and UDP events. Specifically, this report tracks regular network traffic activity, such as encrypted traffic, web traffic, and other forms of UDP, TCP and ICMP traffic. It gives you both an overview and some details of exactly what is flowing through your network. This report can be quite large. |
RPT2003-06.rpt |
Daily, if needed |
Network Traffic Audit - Application Traffic |
ApplicationTrafficAudit events reflect network traffic that is mostly or all application-layer data. Events that are children of ApplicationTrafficAudit are also related to application-layer resources. Events placed in the parent ApplicationTrafficAudit event itself are known to be application-related, but are not able to be further categorized based on the message provided by the tool or because they are uncommon and rarely, if ever, imply network attack potential. |
RPT2003-06-11.rpt |
As needed |
Network Traffic Audit - Application Traffic by Destination Machine |
This report lists all Application Traffic events (such as WebTrafficAudit), grouped by destination machine/IP. |
RPT2003-06-11-2.rpt |
As needed |
Network Traffic Audit - Application Traffic by Provider SID |
This report lists all Application Traffic events (such as WebTrafficAudit), grouped by provider SID. |
RPT2033-06-11-3.rpt |
As needed |
Network Traffic Audit - Application Traffic by Source Machine |
This report lists all Application Traffic events (such as WebTrafficAudit), grouped by source machine/IP. |
RPT2003-06-11-1.rpt |
As needed |
Network Traffic Audit - Application Traffic by Tool Alias |
This report lists all Application Traffic events (such as WebTrafficAudit), grouped by the SolarWinds sensor tool alias that reported each event. |
RPT2003-06-11-0.rpt |
As needed |
Network Traffic Audit - Configuration Traffic |
Configuration Traffic Audit events reflect application-layer data related to configuration of network resources. Included in ConfigurationTrafficAudit are protocols such as DHCP, BootP, and SNMP. ConfigurationTrafficAudit events generally indicate normal traffic; however, events of this type could also be symptoms of misconfiguration, inappropriate usage, attempts to enumerate or access network devices or services, attempts to access devices that are configured via these services, or other abnormal traffic. |
RPT2003-06-02.rpt |
As needed |
Network Traffic Audit - |
CoreTrafficAudit events reflect network traffic sent over core protocols. Events that are children of CoreTrafficAudit are all related to the TCP, IP, UDP, and ICMP protocols. Events of this type and its children do not have any application-layer data. Events placed in the parent CoreTrafficAudit event itself are known to be a core protocol, but are not able to be further categorized based on the message provided by the tool. |
RPT2003-06-03.rpt |
As needed |
Network Traffic Audit - Core Traffic by Destination Machine |
This report lists all Core Traffic events (such as TCPTrafficAudit), grouped by destination machine/IP. |
RPT2003-06-03-2.rpt |
As needed |
Network Traffic Audit - Core Traffic by Provider SID |
This report lists all Core Traffic events (such as TCPTrafficAudit), grouped by provider SID. |
RPT2003-06-03-3.rpt |
As needed |
Network Traffic Audit - Core Traffic by Source |
This report lists all Core Traffic events (such as TCPTrafficAudit), grouped by source machine/IP. |
RPT2003-06-03-1.rpt |
As needed |
Network Traffic Audit - Core Traffic by Tool Alias |
This report lists all Core Traffic events (such as TCPTrafficAudit), grouped by the SolarWinds tool sensor alias that reported the event. |
RPT2003-06-03-0.rpt |
As needed |
Network Traffic Audit - Encrypted Traffic |
Encrypted Traffic Audit events reflect application-layer traffic that has been encrypted and is intended for a secure host. Included in Encrypted Traffic Audit are client and server side application events, such as key exchanges, that normally occur after the low-level session creation and handshaking have completed. |
RPT2003-06-04.rpt |
As needed |
Network Traffic Audit - |
Link Control Traffic Audit events are generated for network events related to link-level configuration. Link Control Traffic Audit events generally indicate normal traffic; however, events of this type could also be symptoms of misconfiguration at the link level, inappropriate usage, or other abnormal traffic. |
RPT2003-06-05.rpt |
As needed |
Network Traffic Audit - Network Traffic |
Members of the Network Audit tree are used to define events centered on usage of network resources/bandwidth. |
RPT2003-06-06.rpt |
As needed |
Network Traffic Audit - |
Point To Point Traffic Audit events reflect application-layer data related to point-to-point connections between hosts. Included in Point To Point Traffic Audit are encrypted and unencrypted point-to-point traffic. |
RPT2003-06-07.rpt |
As needed |
Network Traffic Audit - Remote Procedure Traffic |
Remote Procedure Traffic Audit events reflect application-layer data related to remote procedure services. Included in Remote Procedure Traffic Audit are the traditional RPC services used to service remote logons and file shares, and other services which require remote procedure access to complete authentication, pass data, or otherwise communicate. RemoteProcedureTrafficAudit events generally indicate normal traffic for networks that have remote procedure services on their network; however, events of this type could also be symptoms of inappropriate access, misconfiguration of the remote procedure services, errors in the remote procedure calls, or other abnormal traffic. |
RPT2003-06-08.rpt |
As needed |
Network Traffic Audit - Routing Traffic |
Routing Traffic Audit events are generated for network events related to configuration of network routes, using protocols such as IGMP, IGRP, and RIP. RoutingTrafficAudit events generally indicate normal traffic; however, events of this type could also be symptoms of misconfigured routing, unintended route configuration, or other abnormal traffic. |
RPT2003-06-09.rpt |
As needed |
Network Traffic Audit - |
Time Traffic Audit events reflect application-layer data related to network time configuration. Included in TimeTrafficAudit are protocols such as NTP and activities such as detection of client-side network time updates. |
RPT2003-06-10.rpt |
As needed |
Network Traffic Audit - |
This report lists the Top Application Traffic events (such as WebTrafficAudit), grouped by source machine/IP. |
RPT2003-06-01-2.rpt |
As needed |
Network Traffic Audit - |
This report lists the Top Core Traffic events (such as TCPTrafficAudit), grouped by source machine/IP. |
RPT2003-06-03-2.rpt |
As needed |
Network Traffic Audit - |
WebTrafficAudit events reflect application-layer data related to web services. Included in WebTrafficAudit are client and server web events from web servers, web applications, content filter related events, and other web services. WebTrafficAudit events generally indicate normal traffic; however, events of this type could also be symptoms of inappropriate web usage, potential abuse of web services, or other abnormal traffic. |
RPT2003-06-01.rpt |
As needed |
Network Traffic Audit - Web Traffic by Destination Machine |
This report lists all WebTrafficAudit events grouped by destination machine/IP. |
RPT2003-06-01-2.rpt |
As needed |
Network Traffic Audit - |
This report lists Web Traffic Audit events grouped by provider SID. |
RPT2003-06-01-3.rpt |
As needed |
Network Traffic Audit - Web Traffic by Source Machine |
This report lists all WebTrafficAudit events grouped by source machine/IP. |
RPT2003-06-01-1.rpt |
As needed |
Network Traffic Audit - |
This report lists Web Traffic Audit events grouped by tool alias. |
RPT2003-06-01-0.rpt |
As needed |
Network Traffic Audit - |
This report lists the most frequently visited URLs grouped by the requesting client source machine. |
RPT2003-06-01-5.rpt |
As needed |
Network Traffic Audit - |
This report shows graphs of the most frequently visited URLs for each client source machine. |
RPT2003-06-01-4.rpt |
As needed |
Resource Configuration |
The Resource Configuration report details events that relate to configuration of user accounts, machine accounts, groups, policies and their relationships. These include items such as domain or group modification, policy changes, and creation of new network resources. |
RPT2003-08.rpt |
Weekly |
Resource Configuration - Authorization Audit |
Events that are part of the Auth Audit tree are related to authentication and authorization of accounts and account containers such as groups or domains. These events can be produced from any network node including firewalls, routers, servers, and clients. |
RPT2003-08-01.rpt |
As needed |
Resource Configuration - Domain Authorization Audit |
Domain Auth Audit events are authentication, authorization, and modification events related only to domains, subdomains, and account containers. These events are normally operating system related, but could be produced by any network device. |
RPT2003-08-02.rpt |
As needed |
Resource Configuration - Group Audit |
Group Audit events are authentication, authorization, and modification events related only to account groups. These events are normally operating system related, but could be produced by any network device. |
RPT2003-08-03.rpt |
As needed |
Resource Configuration - Machine Authorization Audit |
Machine Auth Audit events are authentication, authorization, and modification events related only to computer or machine accounts. These events can be produced from any network node including firewalls, routers, servers, and clients, but are normally operating system related. |
RPT2003-08-04.rpt |
As needed |
Resource Configuration - Policy Audit |
Policy Audit events are used to track access, modification, scope change, and creation of authentication, domain, account, and account container policies. Many of these events reflect normal system traffic. Most PolicyAudit events are provided by the Operating System. |
RPT2003-08-06.rpt |
As needed |
Resource Configuration - User Authorization Audit |
User Auth Audit events are authentication, authorization, and modification events related only to user accounts. These events can be produced from any network node including firewalls, routers, servers, and clients. |
RPT2003-08-05.rpt |
As needed |
Security reports included with SEM
The following table lists and describes each of the security reports, listed alphabetically by title.
Title | Description | File Name | Schedule |
---|---|---|---|
Authentication Report - Failed Authentication |
Failed Authentication events occur when a user has made several attempts to authenticate themselves which have continuously failed, or when a logon failure is serious enough to merit a security event on a single failure. |
RPT2003-02-1.rpt |
As needed |
Authentication Report - Guest Login |
This report shows logins to various Guest accounts. |
RPT2003-02-2.rpt |
As needed |
Authentication Report - Restricted Information Attempt |
Restricted Information Attempt events describe a user attempt to access local or remote information that their level of authorization does not allow. These events may indicate user attempts to exploit services which they are denied access to or inappropriate access attempts to information. |
RPT2003-02-3.rpt |
As needed |
Authentication Report - Restricted Service Attempt |
Restricted Service Attempt events describe a user attempt to access a local or remote service that their level of authorization does not allow. These events may indicate user attempts to exploit services which they are denied access to or inappropriate access attempts to services. |
RPT2003-02-4.rpt |
As needed |
Console |
The Console report shows every event that passes through the system in the given time interval. It mimics the basic management console view. It does not contain the same level of field detail, but it is useful for getting a quick snapshot of activity for a period, such as a lunch hour. This report can be very large, so run it only for small time intervals, such as hours. |
RPT2003-10.rpt |
As needed |
Console - Overview |
An overview of all events during the specified time range. Shows graphs of the most common generic event field data from the console report. |
RPT2003-10-00.rpt |
As needed |
Event Summary - |
Event Summary Sub Report - Attack Behavior Statistics |
RPT2003-01-02.rpt |
As needed |
Event Summary - Authorization Audit Statistics |
Event Summary Sub Report - Authorization Audit Statistics |
RPT2003-01-03.rpt |
As needed |
Event Summary - |
The event summary report gathers statistical data from all major event categories, summarizes it with a one-hour resolution, and presents a quick, graphical overview of activity on your network. |
RPT2003-01.rpt |
Daily |
Event Summary - |
Event Summary Sub Report - Machine Audit Statistics |
RPT2003-01-05.rpt |
As needed |
Event Summary - |
Event Summary Sub Report - Policy Audit Statistics |
RPT2003-01-06.rpt |
As needed |
Event Summary - |
Event Summary Sub Report - Resource Audit Statistics |
RPT2003-01-07.rpt |
As needed |
Event Summary - |
Event Summary Sub Report - Suspicious Behavior Statistics |
RPT2003-01-08.rpt |
As needed |
Event Summary - |
Event Summary Sub Report - Top Level Statistics |
RPT2003-01-01.rpt |
As needed |
Machine Audit |
Track activity associated with machine process and service audit events. This report shows machine-level events such as software installs, patches, system shutdowns, and reboots. It can be used to assist in software license compliance auditing by providing records of installs. |
RPT2003-09.rpt |
Weekly |
Machine Audit - |
This report tracks activity associated with file system audit events including mount file system and unmount file system events. These events are generally normal system activity, especially during system boot. |
RPT2003-09-010.rpt |
As needed |
Machine Audit - File System Audit - Mount File System |
Mount File System events are a specific type of File System Audit that reflect the action of creating an active translation between hardware and a usable file system. These events are generally normal during system boot. |
RPT2003-09-012.rpt |
As needed |
Machine Audit - File System Audit - Unmount File System |
Unmount File System events are a specific type of File System Audit that reflect the action of removing a translation between hardware and a usable file system. These events are generally normal during system shutdown. |
RPT2003-09-013.rpt |
As needed |
Machine Audit - Process Audit |
This report tracks activity related to processes, including processes that have started, stopped, or reported useful process-related information. |
RPT2003-09-030.rpt |
As needed |
Machine Audit - Process Audit - Process Audit |
This report lists Process Audit events that are generated to track launch, exit, status, and other events related to system processes. Usually, these events reflect normal system activity. Process-related activity that may indicate a failure will be noted separately from normal activity in the event detail. |
RPT2003-09-031.rpt |
As needed |
Machine Audit - Process Audit - Process Info |
Process Info is a specific type of Process Audit event that reflects information related to a process. Most of these events can safely be ignored, as they are generally normal activity that does not reflect a failure or abnormal state. |
RPT2003-09-032.rpt |
As needed |
Machine Audit - Process Audit - Process Start |
Process Start is a specific type of Process Audit event that indicates a new process has been launched. Usually, Process Start reflects normal system activity. |
RPT2003-09-033.rpt |
As needed |
Machine Audit - Process Audit - Process Stop |
Process Stop is a specific type of Process Audit event that indicates a process has exited. Usually, Process Stop reflects normal application exit; however, in the event of an unexpected error, the abnormal state will be noted. |
RPT2003-09-034.rpt |
As needed |
Machine Audit - Process Audit - Process Warning |
Process Warning is a specific type of Process Audit event that indicates a process has returned a 'Warning' message that is not a fatal error and may not have triggered an exit of the process. |
RPT2003-09-035.rpt |
As needed |
Machine Audit - Service Audit |
This report tracks activity related to services, including services that have started, stopped, or reported useful service-related information or warnings. |
RPT2003-09-040.rpt |
As needed |
Machine Audit - Service Audit - Service Info |
This report tracks ServiceInfo events, which reflect information related to a particular service. Most of these events can safely be ignored, as they are generally normal activity that does not reflect a failure or abnormal state. |
RPT2003-09-041.rpt |
As needed |
Machine Audit - Service Audit - Service Start |
This report tracks ServiceStart events, which indicate that a new system service is starting. |
RPT2003-09-042.rpt |
As needed |
Machine Audit - Service Audit - Service Stop |
This report tracks ServiceStop events, which indicate that a system service is stopping. This activity is generally normal; however, in the event of an unexpected stop, the abnormal state will be noted. |
RPT2003-09-043.rpt |
As needed |
Machine Audit - Service Audit - Service Warning |
This report lists ServiceWarning events. These events indicate a service has returned a Warning message that is not a fatal error and may not have triggered an exit of the service. |
RPT2003-09-044.rpt |
As needed |
Machine Audit - System Audit |
This report tracks activity associated with system status and modifications, including software changes, system reboots, and system shutdowns. |
RPT2003-09-020.rpt |
As needed |
Machine Audit - System Audit - Machine Audit |
Machine Audit events are used to track hardware or software status and modifications. These events are generally acceptable, but do indicate modifications to the client system that may be noteworthy. |
RPT2003-09-021.rpt |
As needed |
Machine Audit - System Audit - Software Install |
SoftwareInstall events reflect modifications to the system at a software level, generally at the operating system level (or equivalent, in the case of a network infrastructure device). These events are generated when a user updates a system or launches system-native methods to install third party applications. |
RPT2003-09-025.rpt |
As needed |
Machine Audit - System Audit - Software Update |
SoftwareUpdate is a specific type of SoftwareInstall that reflects a more current version of software being installed to replace an older version. |
RPT2003-09-026.rpt |
As needed |
Machine Audit - System Audit - System Reboot |
System Reboot events occur on monitored network devices (servers, routers, etc.) and indicate that a system has restarted. |
RPT2003-09-022.rpt |
As needed |
Machine Audit - System Audit - System Shutdown |
System Shutdown events occur on monitored network devices (servers, routers, etc.) and indicate that a system has been shut down. |
RPT2003-09-023.rpt |
As needed |
Machine Audit - System Audit - System Status |
SystemStatus events reflect general system state events. These events are generally normal and informational; however, they could potentially reflect a failure or issue which should be addressed. |
RPT2003-09-024.rpt |
As needed |
This report tracks activity associated with USB-Defender, including insertion and removal events related to USB Mass Storage devices. |
RPT2003-09-050.rpt |
As needed |
Malicious Code |
This report tracks event activity associated with malicious code such as viruses, Trojans, and worms, both on the network and on local machines, as detected by anti-virus software. |
RPT2003-04.rpt |
Weekly |
Malicious Code - Service Process Attack |
Members of the Service Process Attack tree are used to define events centered on malicious or abusive usage of services or user processes. These events include abuse or misuse of resources from malicious code placed on the client system. |
RPT2003-04-01.rpt |
As needed |
Malicious Code - Trojan Command Access |
Trojan Command Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as Trojan Horses. This event detects the communication related to Trojans sending commands over the network (infecting other clients, participating in a denial of service activity, being controlled remotely by the originator, etc.). Trojans are generally executables that usually require no user intervention to spread and contain malicious code that is placed on the client system and used to exploit the client (and return access to the originator of the attack) or exploit other clients (used in attacks such as distributed denial of service attacks). |
RPT2003-04-05.rpt |
As needed |
Malicious Code - Trojan Infection Access |
Trojan Infection Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as a Trojan Horse. This event detects the infection traffic related to a Trojan entering the network (generally with intent to infect a client). Trojans are generally executables that usually require no user intervention to spread and contain malicious code that is placed on the client system and used to exploit the client (and return access to the originator of the attack) or exploit other clients (used in attacks such as distributed denial of service attacks). |
RPT2003-04-04.rpt |
As needed |
Malicious Code - Trojan Traffic Access |
Trojan Traffic Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as a Trojan Horse. This event detects the communication related to Trojans over the network (generally, 'trojaned' clients calling home to the originator). Trojans are generally executables that usually require no user intervention to spread and contain malicious code that is placed on the client system and used to exploit the client (and return access to the originator of the attack) or exploit other clients (used in attacks such as distributed denial of service attacks). |
RPT2003-04-02.rpt |
As needed |
Malicious Code Report - Trojan Traffic Denial |
Trojan Traffic Denial events are a specific type of Denial event where the transport of the malicious or abusive usage originates with malicious code on a client system known as a Trojan. The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Trojan Traffic Denial events may be attempts to exploit weaknesses in software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, attempts to spread the Trojan to other hosts, or other denial of service activities. |
RPT2003-04-03.rpt |
As needed |
Malicious Code Report - Virus Attack |
Virus Attack events reflect malicious code placed on a client or server system, which may lead to system or other resource compromise and may lead to further attack. The severity of this event will depend on the ActionTaken field, which reflects whether the virus or other malicious code was successfully removed. |
RPT2003-04-06.rpt |
As needed |
Malicious Code Report - Virus Summary Attack |
Virus Summary Attack events reflect malicious code placed on a client or server system, which may lead to system or other resource compromise and may lead to further attack. The severity of this event will depend on the Action Taken field, which reflects whether the virus or other malicious code was successfully removed. These events differ from Virus Attack in that they may be a composite of virus events, normally due to a scheduled scan on the client system as opposed to a real-time scan. |
RPT2003-04-07.rpt |
As needed |
Malicious Code Report - Virus Traffic Access |
Virus Traffic Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as viruses. This event detects the communication related to viruses over the network (generally, the spread of a virus infection or an incoming virus infection). Viruses are generally executables that require user intervention to spread, contain malicious code that is placed on the client system, and are used to exploit the client and possibly spread themselves to other clients. |
RPT2003-04-08.rpt |
As needed |
Network Events: Attack Behavior |
This report tracks activity associated with top-level NetworkAttack events. |
RPT2003-11-00.rpt |
As needed |
Network Events: Attack Behavior - Access |
This report shows malicious asset access via the network. For example, attacks on FTP or Windows Network servers, malicious network database access, abuses of services, or attempted unauthorized entry. |
RPT2003-11.rpt |
Weekly |
Network Events: Attack Behavior - Access - Access |
Children of the Access tree define events centered on malicious or abusive usage of network bandwidth/traffic where the intention, or the result, is inappropriate or abusive access to network resources. |
RPT2003-11-01.rpt |
As needed |
Network Events: Attack Behavior - Access - Application Access |
Application Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is mostly or all application-layer. Generally, ApplicationAccess events will reflect attempted exploitation of weaknesses in server or client software, or information that is restricted/prohibited by device access control or policy. |
RPT2003-11-02.rpt |
As needed |
Network Events: Attack Behavior - Access - Configuration Access |
Configuration Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via resource configuration traffic (using protocols such as DHCP, BootP, and SNMP). Generally, these events will reflect attempted exploitation of weaknesses in the configuration server or client software or attempts to gain system-level access to configuration servers themselves. In the case of SNMP and similar configuration protocols, it could reflect an attempt to enumerate a device or devices on the same network for further attack. |
RPT2003-11-03.rpt |
As needed |
Network Events: Attack Behavior - Access - Core Access |
Core Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is mostly or all core protocols (TCP, UDP, IP, ICMP). Generally, CoreAccess events will reflect attempted exploitation of weaknesses in network protocols or devices with intent to gain access to servers, clients, or network infrastructure devices. |
RPT2003-11-04.rpt |
As needed |
Network Events: Attack Behavior - Access - Database Access |
Database Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer database traffic. Generally, these events will reflect attempted exploitation of weaknesses in database server or client software. |
RPT2003-11-05.rpt |
As needed |
Network Events: Attack Behavior - Access - File System Access |
File System Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via remote file system traffic (using protocols such as SMB and NFS). Generally, these events will reflect attempted exploitation of weaknesses in the remote file system server or client software or attempts to gain system-level access to remote file system servers themselves. |
RPT2003-11-06.rpt |
As needed |
Network Events: Attack Behavior - Access - File Transfer |
File Transfer Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer file transfer traffic. Generally, these events will reflect attempted exploitation of weaknesses in file transfer server or client software. |
RPT2003-11-07.rpt |
As needed |
Network Events: Attack Behavior - Access - Link Control Access |
Link Control Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is low-level link control (using protocols such as ARP). Generally, Link Control Access events will reflect attempted exploitation of weaknesses in switching devices by usage of malformed incoming or outgoing data, with intent to enumerate or gain access to or through switching devices, clients that are also on the switching device, and entire networks attached to the switching device. In some cases, a managed switch with restrictions on port analyzing activity may be forced into an unmanaged switch with no restrictions, allowing a malicious client to sniff traffic and enumerate or attack. |
RPT2003-11-08.rpt |
As needed |
Network Events: Attack Behavior - Access - Mail Access |
Mail Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer mail transfer, retrieval, or service traffic. Generally, these events will reflect attempted exploitation of weaknesses in mail-related server or client software. |
RPT2003-11-09.rpt |
As needed |
Network Events: Attack Behavior - Access - Naming Access |
Naming Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer naming service traffic (using protocols such as DNS and WINS). Generally, these events will reflect attempted exploitation of weaknesses in the naming server or client software. |
RPT2003-11-10.rpt |
As needed |
Network Events: Attack Behavior - Access - News Access |
News Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer news traffic (over protocols such as NNTP). Generally, these events will reflect attempted exploitation of weaknesses in the news server or client software. |
RPT2003-11-11.rpt |
As needed |
Network Events: Attack Behavior - Access - Point to Point Access |
Point To Point Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via point to point traffic (using protocols such as PPTP). Generally, these events will reflect attempted exploitation of weaknesses in point to point server or client software, attempts to enumerate networks, or attempts to further attack devices on trusted networks. |
RPT2003-11-12.rpt |
As needed |
Network Events: Attack Behavior - Access - Printer Access |
Printer Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer remote printer traffic. Generally, these events will reflect attempted exploitation of weaknesses in the remote printer server or client software. |
RPT2003-11-13.rpt |
As needed |
Network Events: Attack Behavior - Access - Remote Console Access |
Remote Console Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer remote console service traffic (services such as telnet, SSH, and terminal services). Generally, these events will reflect attempted exploitation of weaknesses in the remote console server or client software. |
RPT2003-11-14.rpt |
As needed |
Network Events: Attack Behavior - Access - Remote Procedure Access |
Remote Procedure Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via remote procedure call traffic (using protocols such as the traditional RPC services, RMI, and CORBA). Generally, these events will reflect attempted exploitation of weaknesses in the remote procedure server or client software or attempts to gain system-level access to remote procedure servers themselves. |
RPT2003-11-15.rpt |
As needed |
Network Events: Attack Behavior - Access - Routing Access |
Routing Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources where the related data is routing-related protocols (RIP, IGMP, etc.). Generally, Routing Access events will reflect attempted exploitation of weaknesses in routing protocols or devices with intent to enumerate or gain access to or through routers, servers, clients, or other network infrastructure devices. These routing protocols are used to automate the routing process between multiple devices that share or span networks. |
RPT2003-11-16.rpt |
As needed |
Network Events: Attack Behavior - Access - Time Access |
Time Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer remote time service traffic (using protocols such as NTP). Generally, these events will reflect attempted exploitation of weaknesses in the remote time server or client software. |
RPT2003-11-17.rpt |
As needed |
Network Events: Attack Behavior - Access - Virus Traffic Access |
Virus Traffic Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources through malicious code commonly known as viruses. Generally, these events will reflect attempted exploitation of weaknesses in the web server or client software. |
RPT2003-11-19.rpt |
As needed |
Network Events: Attack Behavior - Access - Web Access |
Web Access events reflect malicious or abusive usage of network resources where the intention, or the result, is gaining access to resources via application-layer WWW traffic. Generally, these events will reflect attempted exploitation of weaknesses in the web server or client software. |
RPT2003-11-18.rpt |
As needed |
Network Events: Attack Behavior - Denial / Relay |
Track activity associated with network denial or relay attack behaviors. This report shows malicious asset relay attempts and denials of service via the network. For example, FTP bouncing, Distributed Denial of Service events, and many protocol abuses. |
RPT2003-12.rpt |
Weekly |
Network Events: Attack Behavior - Denial / Relay - Application Denial |
Application Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer protocols. The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Application Denial events may be attempts to exploit weaknesses in software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities. |
RPT2003-12-01.rpt |
As needed |
Network Events: Attack Behavior - Denial / Relay - Configuration Denial |
Configuration Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is protocols related to configuration of resources (DHCP, BootP, SNMP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. ConfigurationDenial events may be attempts to exploit weaknesses in configuration-related software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities. |
RPT2003-12-02.rpt |
As needed |
Network Events: Attack Behavior - Denial / Relay - Core Denial |
Core Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is core protocols (TCP, IP, ICMP, UDP). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Core Denial events may be attempts to exploit weaknesses in software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities. |
RPT2003-12-03.rpt |
As needed |
Network Events: Attack Behavior - Denial / Relay - Denial |
Children of the Denial tree define events centered on malicious or abusive usage of network bandwidth/traffic where the intention, or the result, is inappropriate or abusive access to network resources through a denial of service attack. |
RPT2003-12-04.rpt |
As needed |
Network Events: Attack Behavior - Denial / Relay - File System Denial |
File System Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is remote file system-related protocols (NFS, SMB, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. File System Denial events may be attempts to exploit weaknesses in remote file system services or software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities. |
RPT2003-12-05.rpt |
As needed |
Network Events: Attack Behavior - Denial / Relay - File Transfer Denial |
File Transfer Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer file transfer-related protocols (FTP, TFTP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. FileTransferDenial events may be attempts to exploit weaknesses in file transfer-related software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities. |
RPT2003-12-06.rpt |
As needed |
Network Events: Attack Behavior - Denial / Relay - Link Control Denial |
Link Control Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is link level protocols (such as ARP). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. LinkControlDenial events may be attempts to exploit weaknesses in link-level control software to gain access to a host system, attempts to exploit weaknesses in network infrastructure equipment to enumerate or reconfigure devices, or other denial of service activities. |
RPT2003-12-07.rpt |
As needed |
Network Events: Attack Behavior - Denial / Relay - Mail Denial |
MailDenial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer mail-related protocols (SMTP, IMAP, POP3, etc.) or services (majordomo, spam filters, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. MailDenial events may be attempts to exploit weaknesses in mail-related software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities. |
RPT2003-12-08.rpt |
As needed |
Network Events: Attack Behavior - Denial / Relay - Relay |
Children of the Relay tree define events centered on malicious or abusive usage of network bandwidth/traffic where the intention, or the result, is relaying inappropriate or abusive access to other network resources (either internal or external). Generally, these attacks will have the perimeter or an internal host as their point of origin. When sourced from remote hosts, they may indicate a successful exploit of an internal or perimeter host. |
RPT2003-12-09.rpt |
As needed |
Network Events: Attack Behavior - Denial / Relay - Remote Procedure Denial |
Remote Procedure Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is remote procedure-related protocols (traditional RPC, RMI, CORBA, etc.) or services (portmapper, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. RemoteProcedureDenial events may be attempts to exploit weaknesses in remote procedure services or software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities. |
RPT2003-12-10.rpt |
As needed |
Network Events: Attack Behavior - Denial / Relay - Routing Denial |
Routing Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is routing-related protocols (RIP, IGMP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Routing Denial events may be attempts to exploit weaknesses in routers or routing software to gain access to a host system, attempts to exploit weaknesses in the routing software or service to enumerate or reconfigure, or other denial of service activities. |
RPT2003-12-11.rpt |
As needed |
Network Events: Attack Behavior - Denial / Relay - Web Denial |
Web Denial events are a specific type of Denial event where the transport of the malicious or abusive usage is application-layer web-related protocols (HTTP, HTTPS, etc.) or services (CGI, ASP, etc.). The intent, or the result, of this activity is inappropriate or abusive access to network resources through a denial of service attack. Web Denial events may be attempts to exploit weaknesses in web-related software to gain access to a host system, attempts to exploit weaknesses in the software to enumerate or reconfigure, or other denial of service activities. |
RPT2003-12-12.rpt |
As needed |
Network Events: Suspicious Behavior |
Track activity associated with suspicious network behaviors such as reconnaissance or unusual traffic. Specifically, this report shows potentially dangerous activity, such as excessive authentication failures, port scans, stack fingerprinting, and network enumerations. |
RPT2003-07.rpt |
Weekly |
Network Events: Suspicious Behavior - Application Enumerate |
Application Enumerate events reflect attempts to gather information about target hosts, or services on target hosts, by sending active application-layer data which will elicit responses that reveal information about the application or host. This enumeration may be a command sent to the application to attempt to fingerprint what is allowed or denied by the service, requests to the application which may enable an attacker to surmise the version and specific application running, and other information gathering tactics. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the host or application that may work correctly the first time - enabling them to modify their methodology to go on relatively undetected. |
RPT2003-07-01.rpt |
As needed |
Network Events: Suspicious Behavior - Banner Grabbing Enumerate |
Banner Grabbing Enumerate events reflect attempts to gather information about target hosts, or services on target hosts, by sending a request which will elicit a response containing the host or service's 'banner'. This 'banner' contains information that may provide a potential attacker with such details as the exact application and version running behind a port. These details could be used to craft specific attacks against hosts or services that an attacker may know will work correctly the first time - enabling them to modify their methodology to go on relatively undetected. |
RPT2003-07-02.rpt |
As needed |
Network Events: Suspicious Behavior - Core Scan |
Core Scan events reflect attempts to gather information about target networks, or specific target hosts, by sending scans over core network protocols (TCP, IP, ICMP, UDP) which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, information such as a list of applications listening on ports, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts. |
RPT2003-07-03.rpt |
As needed |
Network Events: Suspicious Behavior - Enumerate |
Enumerate events reflect attempts to gather information about target networks, or specific target hosts, by sending active data which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the enumeration is generally attempting to acquire information that may reveal more than normal traffic to the target would. |
RPT2003-07-04.rpt |
As needed |
Network Events: Suspicious Behavior - Footprint |
Footprint events reflect attempts to gather information about target networks by tracing the network through routers, clients, servers, or other network infrastructure devices. The originating source of the footprint is generally attempting to acquire information that may reveal more about network behavior than normal traffic to the target would. |
RPT2003-07-05.rpt |
As needed |
Network Events: Suspicious Behavior - General Security |
General Security events are generated when a supported product outputs data that has not yet been normalized into a specific event, but is known to be security issue-related. |
RPT2003-07-17.rpt |
As needed |
Network Events: Suspicious Behavior - Host Scan |
Host Scan events reflect attempts to gather information about specific target hosts by sending scans which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as a list of applications on the host, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts. These scans generally do not occur across entire networks and generally have the intent of discovering operating system and application information which may be used for further attack preparation. |
RPT2003-07-06.rpt |
As needed |
Network Events: Suspicious Behavior - ICMP Query |
ICMP Query events reflect attempts to gather information about specific target hosts, or networks, by sending ICMP-based queries that will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as operating system information and other information that a probe may discover without enumeration of the specific services or performing attack attempts. These scans generally do not occur across entire networks, contain many sequential ICMP packets, and generally have the intent of discovering operating system and application information which may be used for further attack preparation. |
RPT2003-07-07.rpt |
As needed |
Network Events: Suspicious Behavior - MS Network Enumerate |
MS Networking Enumerate events reflect attempts to gather information about target hosts, or services on target hosts, by sending active data to Microsoft networking services (using protocols such as NetBIOS and SMB/CIFS) that will elicit responses that reveal information about the application, host, or target network. This enumeration may be a simple command sent to the networking service to attempt to fingerprint what is allowed or denied by a service, requests to a service that may enable an attacker to surmise the version and specific service running, requests to a service that may enable an attacker to fingerprint the target network, and other information gathering tactics. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the networking service, host, or application that may work correctly the first time - enabling them to modify their methodology to go on relatively undetected. |
RPT2003-07-08.rpt |
As needed |
Network Events: Suspicious Behavior - Network Suspicious |
Members of the NetworkSuspicious tree are used to define events regarding suspicious usage of network bandwidth/traffic. These events include unusual traffic and reconnaissance behavior detected on network resources. |
RPT2003-07-09.rpt |
As needed |
Network Events: Suspicious Behavior - Port Scan |
Port Scan events reflect attempts to gather information about target networks, or specific target hosts, by sending scans over core network protocols (TCP, IP, ICMP, UDP) that will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as a list of applications listening on ports, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts. Port Scans specifically operate by sending probes to every port within a range, attempting to identify open ports that may use applications or services that are easy to enumerate and attack. |
RPT2003-07-10.rpt |
As needed |
Network Events: Suspicious Behavior - Recon |
Children of the Recon tree reflect suspicious network behavior with the intent of gathering information about target clients, networks, or hosts. Reconnaissance behavior may be valid on a network, but only as controlled behavior in small quantities. Invalid reconnaissance behavior may reflect attempts to determine security flaws on remote hosts, missing access control policies that allow external hosts to penetrate networks, or other suspicious behavior that results in general information gathering without actively attacking. |
RPT2003-07-11.rpt |
As needed |
Network Events: Suspicious Behavior - Remote Procedure Enumerate |
Remote Procedure Enumerate events reflect attempts to gather information about target hosts, or services on target hosts, by sending active data to Remote Procedure services (using protocols such as RMI, CORBA, and traditional RPC) that will elicit responses that reveal information about the application or host. This enumeration may be a simple command sent to the remote procedure service to attempt to fingerprint what is allowed or denied by the service, requests to the remote procedure service that may enable an attacker to surmise the version and specific service running, and other information gathering tactics. These enumerations may result in information being provided that can allow an attacker to craft a specific attack against the remote procedure service or application that may work correctly the first time - enabling them to modify their methodology to go on relatively undetected. |
RPT2003-07-12.rpt |
As needed |
Network Events: Suspicious Behavior - Scan |
Scan events reflect attempts to gather information about target networks, or specific target hosts, by sending scans which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, information such as a list of applications listening on ports, operating system information, and other information that a probe may discover without enumeration of the specific services or performing attack attempts. |
RPT2003-07-13.rpt |
As needed |
Network Events: Suspicious Behavior - Stack Fingerprint |
Stack Fingerprint events reflect attempts to gather information about specific target hosts by sending a certain set of packets to probe a device's network stack, which will elicit responses that reveal information about clients, servers, or other network infrastructure devices. The originating source of the scan is generally attempting to acquire information that may reveal more than normal traffic to the target would, such as operating system information (including type and version) and other information that a probe may discover without enumeration of the specific services or performing attack attempts. These scans generally do not occur across entire networks and generally have the intent of discovering operating system information which may be used for further attack preparation. |
RPT2003-07-14.rpt |
As needed |
Network Events: Suspicious Behavior - Trojan Scanner |
Trojan Scanner events reflect attempts of Trojans on the network to gather information about target networks, or specific target hosts, by sending scans which will elicit responses that reveal information about the host. The originating Trojan source of the scan is generally attempting to acquire information that will reveal whether a target host or network has open and available services for further exploitation, whether the target host or network is alive, and how much of the target network is visible. A Trojan may run a scan before attempting an attack operation to test potential effectiveness or targeting information. |
RPT2003-07-15.rpt |
As needed |
Network Events: Suspicious Behavior - Unusual Traffic |
Unusual Traffic events reflect suspicious behavior on network devices where the traffic may have no known exploit, but is unusual and could be potential enumerations, probes, fingerprints, attempts to confuse devices, or other abnormal traffic. Unusual Traffic may have no impending response; however, it could reflect a suspicious host that should be monitored closely. |
RPT2003-07-16.rpt |
As needed |
Priority Event (reference) |
This report is no longer in use. The Priority Event report tracks those events that the user has identified as a priority event. These events appear in the Priority filter of the Console. |
RPT2003-16.rpt |
As needed |
Priority Event By User (reference) |
This report is no longer in use. This report mirrors the standard Priority Event report but groups the events received by Console User account. The same event may be seen by many users, so this report tends to be much larger than the standard Priority Event report. |
RPT2003-17.rpt |
As needed |
Rule Subscriptions by User |
The Rule Subscriptions report tracks those events that the user has subscribed to monitor. |
RPT2006-28-01.rpt |
Daily |
SolarWinds Actions |
The SolarWinds Action Report lists all commands or actions initiated by SolarWinds Network Security. |
RPT2003-18.rpt |
Support reports included with SEM
Support Reports are diagnostic tools used by SolarWinds Customer Support. Only run these reports at the request of SolarWinds. The reports are listed alphabetically by title.
Title | Description | File Name | Schedule |
---|---|---|---|
Agent Connection Status |
This report is a diagnostic tool used by Customer Support, and generally run only at their request. This report tracks internal Agent online and offline events. |
RPT2009-33-1.rpt |
As requested |
Agent Connection Status by Agent |
This report is a diagnostic tool used by Customer Support, and generally run only at their request. This report tracks internal Agent online and offline events grouped by Agent. |
RPT2009-33-2.rpt |
As requested |
Agent Connection Summary |
This report is a diagnostic tool used by Customer Support, and generally run only at their request. This report shows high level summary information for when Agents go online and offline. |
RPT2009-33.rpt |
As requested |
Audit - Internal Audit Report |
Audit - Internal Audit Report |
RPT2006-31-01.rpt |
As requested |
Audit - Internal Audit Report by User |
Internal Audit Report grouped by User |
RPT2006-31-02.rpt |
As requested |
Agent Maintenance Report |
This report is a diagnostic tool used by Customer Support, and generally run only at their request. This report displays internal event data for possible misconfigured Agents. |
RPT2007-32.rpt |
As requested |
Database Maintenance Report |
This report is a diagnostic tool used by Customer Support, and generally run only at their request. |
RPT2006-26.rpt |
As requested |
List of Rules for Rule Subscriptions |
This report lists available rules for the Rule Subscriptions. |
RPT2006-29-02.rpt |
As needed |
List of Subscription Rules by User |
This report lists the rules that users have subscribed to. |
RPT2006-29-03.rpt |
As needed |
List of Users |
This report lists each user entered. Currently, the users are only used for Rule Subscriptions. |
RPT2006-29-01.rpt |
As needed |
Tool Maintenance by Alias |
This report is a diagnostic tool used by Customer Support, and generally run only at their request. List of New Tool Data events based on Tool Alias. |
RPT2003-14.rpt |
As needed |
Tool Maintenance by Insertion Point |
This report is a diagnostic tool used by Customer Support, and generally run only at their request. List of New Tool Data events based on Agent InsertionIP. |
RPT2003-15.rpt |
As needed |
Tool Maintenance by Provider |
This report is a diagnostic tool used by Customer Support, and generally run only at their request. List of New Tool Data events based on ProviderSID. |
RPT2003-13.rpt |
As needed |
Tool Maintenance Detail Report |
This report is a diagnostic tool used by Customer Support, and generally run only at their request. The report displays a summary of all SolarWinds error messages received from various tools. |
RPT2003-14.rpt |
As requested |
Tool Maintenance Report |
This report is a diagnostic tool used by Customer Support, and generally run only at their request. The report displays a summary of unique SolarWinds error messages received from various tools. |
RPT2003-13.rpt |
As requested |