Net Report WMI Dashboard Summary Presentation


Net Report WMI Dashboard Summary
Fourth Quarter 2005
Table of Contents
1. WMI Dashboard Concept
2. WMI Dashboard Structure and Navigation
3. Glossary and Lexicon
July 17, 2015
www.net-report.net
2
1. WMI Dashboard Concept
WMI and Net Report
Windows Management Instrumentation (WMI):
“… an API in the Windows OS enabling devices and systems in a network (i.e. enterprise networks) to be managed and controlled, setting information on workstations, applications and networks …”
Net Report WMI Dashboards:
• Analyze and Report on Microsoft (Windows 2000, NT, 2003, XP) Event Viewer Logs 24/7:
  • Application Logs.
  • Security Logs.
  • System Logs.
• Increase Visibility on your Enterprise’s Applications, Security & Systems in real-time.
Net Report Event Viewer Log Analysis
Focus on Potential Security Threats: Your Enterprise’s Application, Security & System risks in real-time.
Check Security Policies are Respected & Appropriate: Track User Trends 24/7, follow suspicious out-of-hours activity.
Ensure Data Confidentiality, Integrity & Availability: Benefit from Net Report auto-audit options.
Economize your Enterprise Management Costs & TCO: Benefit from our Centralized Business Intelligence Solution.
Benefit from Versatile Drill-down Features: Use the Net Report Filter to drill down to the exact data you need; instead of wading through reams of log data, we highlight the important information!
Net Report Dashboard Concept
Consolidated Dashboards
• Net Report interprets and presents your Event log data Statistics in easy-to-read, categorized, graphical Dashboards.
Customized Dashboards
• Dashboards generated with the Parameters you entered in the Net Report Web Portal.
• Add your company logos.
Chronologically Interlinked Dashboards
• Dynamic Previous and Next arrows enable you to navigate between reports from different days, months and years.
Versatile Drill-down
• Intuitive drill-down to the information you need.
Net Report WMI Dashboard Example
• General WMI Statistics for all three Logs: Application, Security and System Logs.
• Graphs of Events by Hour of the Day.
• Top n Log Activity per User.
• Number of Security Events by Category.
• Top Failed Logons.
• Detailed Tracking: Most Active File/Directory user, most accessed File/Directory.
2. WMI Dashboard Structure and Navigation
Three Major Sections
1. General WMI Three-Log Activity Statistics
• What is the number of specific event types logged (in the Application, Security and System Logs) by hour for my organization?
• Who is clearing their Security Audit Log?
• What Log Activity Events are logged by my Enterprise?
2. Security Log Event Statistics
• What are the Successful/Failure Logon/Logoff Event Figures for my enterprise? Is there any Suspicious Out-of-hours Activity?
• Is my Enterprise a victim of Privilege Escalation? Is the Security Privilege Use Policy appropriate?
• Who is changing Security Policy within my Enterprise?
• Who is making Account changes – do they have Admin rights?
3. File/Directory Access Statistics
• Who accesses Files/Directories the most often?
• What Files/Directories do they access the most?
• Is my Corporate Data Security Policy Effective?
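The following Python script is an added example and is not part of the presentation nor Net Report's own code. It answers the Security Log Event Statistics questions above (logon/logoff figures, events by hour, top failed logons, out-of-hours logons, and who cleared the Security audit log) over a handful of constructed records shaped like the fields of the WMI class Win32_NTLogEvent (EventCode, TimeGenerated, User, Logfile). The event IDs it uses are the pre-Vista Security-log IDs, which this presentation's lexicon does not list: 528 successful logon, 529 failed logon, 538 user logoff, 517 audit log cleared. The business-hours window and all sample rows are assumptions for the example.

```python
"""Security Log Event Statistics over constructed Windows event records.

Added example, not Net Report's code. Records mimic Win32_NTLogEvent
fields; event IDs are the pre-Vista Security-log IDs (not in the
presentation's lexicon): 528 logon success, 529 logon failure,
538 logoff, 517 audit log cleared.
"""
from collections import Counter
from datetime import datetime, time

LOGON_SUCCESS = 528
LOGON_FAILURE = 529
LOGOFF = 538
AUDIT_LOG_CLEARED = 517

# Business hours used for the out-of-hours check (assumption for this example).
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)

# Constructed sample records: (EventCode, TimeGenerated, User, Logfile).
SAMPLE_EVENTS = [
    (528, "2005-11-14 08:12:03", "CORP\\alice", "Security"),
    (538, "2005-11-14 17:45:10", "CORP\\alice", "Security"),
    (529, "2005-11-14 09:02:44", "CORP\\bob", "Security"),
    (529, "2005-11-14 09:03:01", "CORP\\bob", "Security"),
    (529, "2005-11-14 09:03:19", "CORP\\bob", "Security"),
    (528, "2005-11-14 09:04:00", "CORP\\bob", "Security"),
    (529, "2005-11-14 22:30:05", "CORP\\svc_backup", "Security"),
    (528, "2005-11-14 23:10:52", "CORP\\carol", "Security"),
    (517, "2005-11-14 23:12:00", "CORP\\carol", "Security"),
    (528, "2005-11-15 02:41:37", "CORP\\carol", "Security"),
]


def parse_events(records):
    """Turn raw tuples into dicts with a real datetime; keep Security-log rows only."""
    events = []
    for code, generated, user, logfile in records:
        if logfile != "Security":
            continue
        events.append({
            "code": code,
            "time": datetime.strptime(generated, "%Y-%m-%d %H:%M:%S"),
            "user": user,
        })
    return events


def logon_figures(events):
    """Successful/failed logon and logoff counts for the enterprise."""
    codes = Counter(e["code"] for e in events)
    return {
        "logon_success": codes[LOGON_SUCCESS],
        "logon_failure": codes[LOGON_FAILURE],
        "logoff": codes[LOGOFF],
    }


def events_by_hour(events, code=None):
    """Number of events per hour of the day, optionally for a single event ID."""
    return Counter(e["time"].hour for e in events if code is None or e["code"] == code)


def top_failed_logons(events, n=5):
    """Top n users by failed logon count (the dashboard's 'Top Failed Logons')."""
    failures = Counter(e["user"] for e in events if e["code"] == LOGON_FAILURE)
    return failures.most_common(n)


def out_of_hours_logons(events):
    """Successful logons outside business hours: the 'suspicious out-of-hours activity' check."""
    hits = []
    for e in events:
        if e["code"] != LOGON_SUCCESS:
            continue
        if not (BUSINESS_START <= e["time"].time() < BUSINESS_END):
            hits.append((e["user"], e["time"].isoformat(sep=" ")))
    return hits


def audit_log_cleared_by(events):
    """Accounts that cleared the Security audit log ('Who is clearing their Security Audit Log?')."""
    return sorted({e["user"] for e in events if e["code"] == AUDIT_LOG_CLEARED})


def security_dashboard(records):
    """Assemble the whole Security Log Event Statistics section from raw records."""
    events = parse_events(records)
    return {
        "figures": logon_figures(events),
        "failed_by_hour": dict(events_by_hour(events, LOGON_FAILURE)),
        "top_failed": top_failed_logons(events),
        "out_of_hours": out_of_hours_logons(events),
        "log_cleared_by": audit_log_cleared_by(events),
    }


if __name__ == "__main__":
    for section, value in security_dashboard(SAMPLE_EVENTS).items():
        print(f"{section}: {value}")
```

In a real deployment the records would be read from the Security log (for instance through Win32_NTLogEvent with Logfile = 'Security') rather than from an inline list; the script only models that record shape, and the 23:10 and 02:41 logons plus the log clearing by the same account are exactly the pattern the out-of-hours and audit-log-cleared questions are meant to surface.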
Get the Info you Need: Bookmarks
1. General WMI Three-Log Activity Statistics
2. Security Log Event Statistics
3. File/Directory Access Statistics
Front Page Hyperlinks
1. General Three-Log Activity Statistics
2. Security Log Event Statistics
3. File/Directory Access Statistics
Front Cover – Interactive Features
Features labelled on the front cover: Dashboard Home Link via the WMI Icon; Bookmarks; Previous and Next Arrows; Date and Time Dashboard was Generated; Net Report Web Site and Page Numbers.
Key Points:
Hyperlinks: Each Table, Graph, Diagram and label is hyperlinked to the relevant point in the Dashboard Report (“Dashboard”). Simply click the Table, Graph or part of the Diagram you are interested in to go to the detailed breakdown in the Dashboard.
Dashboard Home Link via the WMI Icon: click the WMI icon in the top right corner on any page to return to the Dashboard home page.
Previous and Next Arrows: Easily navigate between Dashboards from month-to-month or day-to-day (i.e. with Daily or Monthly Dashboards).
Date and Time Dashboard was Generated: You can also add additional Parameters via the Net Report Web Portal. When the Parameter is GNORE this means that no information has been submitted or that no information is available.
Bookmarks: Easily view the Table of Contents for the Dashboard and navigate through the Dashboard at any time via the Bookmarks tree structure in the left pane of the Dashboard.
Front Cover – Bookmarks
Bookmarks:
Your Table of Contents
• Importance: View the Bookmarks tab in the left
pane of your *.pdf Dashboard to use the Table of
Contents.
• Tree Structure: Click the plus sign adjacent to the
Report title you are interested in to expand the
branches and access the Report.
• Easy Navigation: Click the Report title you want,
to go directly to the sub-report in the Dashboard.
• Customized Parameters: You specify the Parameters
you want in the Net Report Web Portal. For example,
the Top n … you select whether you want the top 5,
10, 60, 100 and so on.
• Note: This Presentation follows the tree structure
in the Bookmarks tab to your left.
3. Glossary and Lexicon
Glossary (1) Log Definitions
Log Types
• Application Log: Contains events logged by applications or programs.
• Security Log: Records events such as valid and invalid logon attempts, as well as events related to resource use, such as creating, opening or deleting files or other objects. An administrator can specify what events are recorded in the security log. For example, if you have enabled logon auditing, attempts to log on to the system are recorded in the security log.
• System Log: Contains events logged by Windows System components.
Glossary (2) Event Definitions
Event Types
The format and contents of the event description vary, depending on the event type. The description is often the most useful piece of information, indicating what happened or the significance of the event. The event logs record five types of events:
• Error Event: A significant problem, such as loss of data or loss of functionality. For example, if a service fails to load during startup, an Error will be logged.
• Warning Event: An event that is not necessarily significant, but may indicate a possible future problem. For example, when disk space is low, a Warning event will be logged.
• Information Event: An event that describes the successful operation of an application, driver, or service. For example, when a network driver loads successfully, an Information event will be logged.
• Success Audit: An audited security access attempt that succeeds. For example, a user’s successful attempt to log on to the system will be logged as a Success Audit event.
• Failure Audit: An audited security access attempt that fails. For example, if a user tries to access a network drive and fails, the attempt will be logged as a Failure Audit event.
Glossary (3) Event ID Definitions
• Universal Group: A security or distribution group that can contain users, groups, and computers from any domain in its enterprise as members. Universal security groups can be granted rights and permissions on resources in any domain in its enterprise.
• Security Descriptor: A data structure that contains security information associated with a protected object. Security descriptors include information about who owns the object, who can access it and in what way, and what types of access are audited. Note: every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise and schema administrators) and applies a fixed security descriptor to them. This event is logged.
• SECURITY_DISABLED: in the formal name, means that this group cannot be used to grant permissions in access checks.
Lexicon: Event ID Examples
• 624: A User Account was created.
• 625: A User Account Type Change.
• 626: User Account enabled.
• 627: A User Password was changed.
• 628: A User Password was set.
• 629: User Account disabled.
• 630: A User Account was deleted.
• 631: Security Enabled Global Group created.
• 632: A Member was added to a global group.
• 633: A Member was removed from a local group.
• 634: A Global Group was deleted.
• 635: Security Disabled Local Group created.
• 636: A Member was added to a local group.
• 637: A Member was removed from a local group.
• 638: A Local Group was deleted.
• 639: A Local Group account was changed.
• 640: General Account Database change.
• 641: A Global Group Account was changed.
• 642: A User Account was changed.
• 644: A User Account was auto-locked.
• 645: A Computer Account was created.
• 646: A Computer Account was changed.
• 647: A Computer Account was deleted.
• 648: A Local Security Group with Security Disabled was created.
• 649: A Local Security Group with Security Disabled was changed.
• 650: A Member was added to a Security-Disabled Local Security Group.
• 651: A Member was removed from a Security-disabled Local Security Group.
• 652: A Security-disabled Local Group was deleted.
• 653: A Security-disabled Global Group was created.
• 654: A Security-disabled Global Group was changed.
• 655: A Member was added to a Security-disabled Global Group.
• 656: A Member was removed from a Security-disabled Global Group.
• 657: A Security-Disabled Global Group was deleted.
• 658: A Security-Enabled Universal Group was created.
• 659: A Security-Enabled Universal Group was changed.
• 660: A Member was added to a Security-Enabled Universal Group.
• 661: A Member was removed from a Security-enabled Universal Group.
• 662: A Security-enabled Universal Group was deleted.
• 663: A Security-disabled Universal Group was created.
• 664: A Security-disabled Universal Group was changed.
• 665: A Member was added to a Security-Disabled Universal Group.
• 666: A Member was removed from a Security-disabled Universal Group.
• 667: A Security-disabled Universal Group was deleted.
• 668: A Group was changed.
• 684: Set the Security Descriptor.
• 685: Name of an Account was changed.
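As an added example that is not part of the presentation nor Net Report's code, the Python below uses a subset of the Event IDs from this lexicon to answer the earlier question “Who is making Account changes – do they have Admin rights?”. It classifies a constructed list of account-management events, attributes each change to the account that made it, checks that account against an assumed administrator list (ADMIN_ACCOUNTS is an assumption), and, following the glossary note that a SECURITY_DISABLED group cannot grant permissions, reports only additions to security-enabled groups as privileged membership changes. All sample rows and account names are constructed.

```python
"""Account-change tracking with the legacy Security-log Event IDs of the lexicon.

Added example, not Net Report's code. EVENT_CATALOG is a subset of the
lexicon; ADMIN_ACCOUNTS and the SAMPLE_CHANGES rows are assumptions
constructed for this example.
"""
from collections import Counter

# Event ID -> (description from the lexicon, category used for reporting).
EVENT_CATALOG = {
    624: ("A User Account was created", "user_account"),
    627: ("A User Password was changed", "user_account"),
    628: ("A User Password was set", "user_account"),
    630: ("A User Account was deleted", "user_account"),
    642: ("A User Account was changed", "user_account"),
    644: ("A User Account was auto-locked", "user_account"),
    685: ("Name of an Account was changed", "user_account"),
    632: ("A Member was added to a global group", "member_add"),
    636: ("A Member was added to a local group", "member_add"),
    660: ("A Member was added to a Security-Enabled Universal Group", "member_add"),
    650: ("A Member was added to a Security-Disabled Local Security Group", "member_add"),
    655: ("A Member was added to a Security-disabled Global Group", "member_add"),
    665: ("A Member was added to a Security-Disabled Universal Group", "member_add"),
    637: ("A Member was removed from a local group", "member_remove"),
    661: ("A Member was removed from a Security-enabled Universal Group", "member_remove"),
}

# Additions to groups that can grant permissions in access checks (security-enabled).
# Per the glossary, SECURITY_DISABLED groups (650, 655, 665) cannot grant permissions.
SECURITY_ENABLED_MEMBER_ADD = {632, 636, 660}

# Assumed list of accounts that legitimately hold admin rights.
ADMIN_ACCOUNTS = {"CORP\\admin.jane"}

# Constructed sample records: (EventCode, actor, target account, target group or None).
SAMPLE_CHANGES = [
    (624, "CORP\\admin.jane", "CORP\\newhire", None),
    (628, "CORP\\helpdesk1", "CORP\\newhire", None),
    (636, "CORP\\helpdesk1", "CORP\\newhire", "BUILTIN\\Administrators"),
    (650, "CORP\\admin.jane", "CORP\\newhire", "CORP\\Newsletter"),
    (630, "CORP\\helpdesk1", "CORP\\contractor", None),
    (660, "CORP\\admin.jane", "CORP\\bob", "CORP\\Domain Admins"),
    (9999, "CORP\\helpdesk1", "CORP\\bob", None),  # constructed ID not in the lexicon
]


def describe(event_id):
    """Lexicon lookup with a safe fallback for IDs the catalogue does not know."""
    return EVENT_CATALOG.get(event_id, ("Unknown event", "unknown"))


def changes_by_actor(records):
    """How many catalogued account changes each account made."""
    return Counter(actor for code, actor, _target, _group in records
                   if describe(code)[1] != "unknown")


def non_admin_changes(records, admins=ADMIN_ACCOUNTS):
    """Catalogued changes made by accounts that are not on the admin list."""
    out = []
    for code, actor, target, group in records:
        desc, category = describe(code)
        if category == "unknown" or actor in admins:
            continue
        out.append((actor, code, desc, target))
    return out


def privileged_membership_adds(records):
    """Additions to security-enabled groups: the membership changes that grant rights."""
    return [(actor, target, group) for code, actor, target, group in records
            if code in SECURITY_ENABLED_MEMBER_ADD]


def account_change_report(records, admins=ADMIN_ACCOUNTS):
    """Assemble the account-change part of the Security Log Event Statistics."""
    by_category = Counter(describe(code)[1] for code, *_ in records)
    return {
        "by_category": dict(by_category),
        "by_actor": dict(changes_by_actor(records)),
        "non_admin_changes": non_admin_changes(records, admins),
        "privileged_adds": privileged_membership_adds(records),
    }


if __name__ == "__main__":
    for section, value in account_change_report(SAMPLE_CHANGES).items():
        print(f"{section}: {value}")
```

The report separates two things a reviewer of this dashboard wants to see at a glance: changes made by accounts outside the admin list (here a helpdesk account setting a password, deleting an account and adding a member to BUILTIN\Administrators), and membership additions that actually confer rights, which excludes the Security-disabled Newsletter group addition even though it was logged with a neighbouring Event ID.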
Contact us
[email protected]
Visit our Web site
http://www.net-report.net