manualshive.com logo in svg

M86 Security 700, Evaluation Manual, Page: 15 / 86

Share
Download
M86 Security 700 Evaluation Manual Download Page 15

S

ECTION

 1: P

RODUCTIVITY

 R

EPORTS

  

U

SE

 S

ECURITY

 R

EPORTER

 

TO

 

CONDUCT

 

AN

 

INVESTIGATION

M86 S

ECURITY

 E

VALUATION

 G

UIDE

9

Use Security Reporter to conduct an investigation

Once Custom Category Groups and User Groups have been created, administra-
tors can begin running their first reports. In most cases, administrators will employ 
the Security Reporter as a forensic tool to determine if anomalous Internet 
behavior exists in their organization. In order to facilitate this process, the Security 
Reporter menu structure is organized to follow the normal process flow of an inves-
tigation.

1. First, the administrator is greeted by a Dashboard of high-level productivity 

report information showing data for Blocked Requests and bar graph charts for 
Top Categories by Requests, Top Security Risks by Requests, Top Blocked 
Users by Requests, and Top Users by Requests. At a glance, the administrator 
can see if there is any anomalous behavior that needs investigation.

Additional productivity report content is available by consulting “

Summary 

Reports

.” 

By viewing either of these types of reports, a specific username might be iden-
tified as receiving a large number of blocked requests. Or a high rate of traffic 
might be identified in the “PornographyAdult Content” category. If something is 
detected that warrants further investigation, one would then proceed to the 

Drill Down Reports

” section.

2. The next stage of the investigation, Drill Down Reports, lets the administrator 

probe the multi-dimensional database to target the source of any Internet 
threat.

For example, if there is unusually high page count in the “Pornography/Adult 
Content” category, the administrator can drill down into the Category/User 
section to determine who is viewing this material. Once a specific end user is 
identified, the administrator can then delve into the detail page view section to 
see the exact pages that end user has been visiting.

This detailed information provides a wealth of information on the exact time the 
page was visited, the user’s IP address, whether the site was blocked by the 
Web Filter or SWG, how it was blocked (e.g. in URL library, blocked keyword, 
proxy pattern blocking, etc), and the full-length URL. By viewing this detail, the 
administrator can obtain an accurate gauge of the user’s intent—whether the 
user repeatedly attempted to go to a forbidden site or whether it was an isolated 
incident.

3. The last stage of an investigation is to document the long-term activity of a 

policy violator, since most organizations require more than one or two events to 
reprimand a user. Once the administrator determines the name of the user and 
the Web sites visited in the Drill Down Report, the next step is to run a custom 
report. The administrator can run a specific search of the policy violator for a 
custom time period by selecting the “

Report Wizard

” option. When generating 

this type of report, a custom time scope, specific category, and name of a 
specific end user can be specified.

As an example, the administrator would probably run a custom report for the 
policy violator by specifying the category “Pornography/Adult Content” and all 
activity within that category within the last month. The administrator can then 
save a PDF version of the report for documentation purposes. This custom 

Summary of Contents for 700

Page 1: ...M86 Security Reporter EVALUATION GUIDE Models 300 500 700 705 730 735 Software Version 3 0 00 Document Version 10 30 10...

Page 2: ...no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose M86 Security shall not be liable for any error or for inci...

Page 3: ...Summary Report 11 How to export a Summary Report 13 Use Drill Down Reports for an investigation 14 How to generate a Summary Drill Down Report 14 Summary Drill Down Report navigation 15 Count columns...

Page 4: ...eports only 33 For pie and bar charts only 33 Hide un Identified IPs checkbox 33 E Mail For e mail output only fields 34 Commonly used reports 35 How to generate a Sample Report 35 Report format 36 Ex...

Page 5: ...he right side of the panel 60 Step D Save the alert 60 SECTION 3 SECURITY REPORTS 61 Understand the most common and useful features 61 Use security reports for a view of network activity 61 How to mod...

Page 6: ...eduling the report 75 Method 1 Use the current report view 75 Method 2 Create a report using the Wizard 76 Step B Fill in the Report Details frame 76 Step C Include the users or group in the Users fra...

Page 7: ...his view can be memorized and saved to a user defined report menu for repetitive scheduled execution and distribution Web Filter logs provide content for dynamic real time graphical snapshots of netwo...

Page 8: ...Web Filter and or M86 Secure Web Gateway SWG appliance s must already be installed Either of these appli ances are required for this software release in order to send logs to the SR NOTE See the M86 W...

Page 9: ...icy After stepping through this section of the Evaluation Guide you will understand how to set up powerful reports that can be e mailed on a regular basis thus mini mizing the effort required for ongo...

Page 10: ...p reduces the time it takes to identify violations of this policy To create edit or delete a Custom Category Group navigate to Administration Custom Category Groups to display the Custom Category Grou...

Page 11: ...p is to create User Groups which are customized groupings of users that reside on the organization s network For example most enterprise customers prefer to set up user groups for each department with...

Page 12: ...one or more patterns in order to narrow the list of users to be included in the new group A pattern consists of a wildcard or a wildcard plus one or more alphanumeric characters 1 To add a pattern to...

Page 13: ...P and Ending IP range in the Starting IP and Ending IP fields below If necessary edits can be made to these fields To add an IP address range without selecting from the Parent Ranges frame a Enter the...

Page 14: ...splay in this list by using the Available Users Filter To use the Available Users Filter 1 Enter filter terms to narrow the selection of Available Users For example Type in 150 to only display results...

Page 15: ...threat For example if there is unusually high page count in the Pornography Adult Content category the administrator can drill down into the Category User section to determine who is viewing this mate...

Page 16: ...width Consumption for SWG only Bar chart depicting each top end user s total Mega Bytes for bandwidth requests Top 20 Users by Virus Hit Count for SWG only Bar chart report depicting each top end user...

Page 17: ...access more detailed information about specified end user activity How to generate a Summary Report 1 To generate a Summary Report go to the navigation panel and click Reports Summary Reports to disp...

Page 18: ...iew 4 To see details for the generated Summary Report view at the bottom of the report view click a Download Report option for PDF CSV or PNG to generate a report in the specified file format pdf csv...

Page 19: ...ed label The body of the pages following the first page of the bar or pie chart report includes the following information Top 20 Users by Blocked Request report User NAME and corresponding BLOCKED REQ...

Page 20: ...user activity IPs Includes Internet activity by user IP address Users Includes Internet activity by username Sites Includes activity on Web sites users accessed Category Groups Includes activity by Ca...

Page 21: ...formation on using the reporting elements described in this sub section 4 The drill down view can be exported saved and or scheduled to run at a spec ified time Summary Drill Down Report navigation Co...

Page 22: ...t but as a page since it comes from a different server By clicking the link in this column the detail report view displays data for all objects accessed including hyperlinks to those objects In the de...

Page 23: ...porting a report only selected records are included To de select a record click the checkbox to remove the check mark from that checkbox To de select all records click Uncheck All at the bottom of the...

Page 24: ...the suspected policy violator To generate a detail drill down report select the record and click the link in the Page Count column of the Summary Drill Down Report Detail Drill Down Report view Detai...

Page 25: ...e time the log file was created Content Displays criteria used for determining the categorization of the record or N A if unclassified Search String Displays the full search string the end user typed...

Page 26: ...g a suspected policy violator s Internet activity in the Detail Drill Down Report the administrator will have firm evidence on the user s intent which is critical forensic information to have in the e...

Page 27: ...thod the productivity Report Wizard How to use the Report Wizard for a single user report The Report Wizard option provides an intuitive setup process for generating custom reports for one time use or...

Page 28: ...e Includes viewed page results Specific User Detail by Object Includes viewed object results 2 Specify at least one of the following filters in the accordions at right to narrow your search for this e...

Page 29: ...y report specify the number of records to be returned in the results Sort by Select column by which the results will be sorted and displayed in the report Order For a detail report indicate whether re...

Page 30: ...ied IPs checkbox is de selected by default if the Hide Unidentified IPs checkbox is de selected in the Default Report Settings panel Output type Choose either E Mail As Attachment or E Mail As Link Fo...

Page 31: ...report Report Wizard s Schedule Report panel a Enter a Name for the event b Select the Report to Run from the list c Select the frequency When to Run from the pull down menu Daily Weekly or Monthly I...

Page 32: ...tries and to email the generated report to the designated recipient s After the report is emailed the Saved Reports panel displays if you need to run this report again or another report Saved Reports...

Page 33: ...eld pull down menu specify the amount of data to be exported For this exercise choose Only selected rows on this page Step C Export data via Email or PDF Download 1 Make selections and or entries in a...

Page 34: ...specified file format The view option lets you make any necessary adjustments to your report file settings prior to printing the report To print the report you must have a printer configured for your...

Page 35: ...columns may display with truncated text but an entire column can be viewed by mani pulating the column width in the generated report file These reports can then be printed at a smaller percentage tha...

Page 36: ...ick this radio button to only include the first set of records returned by the report query 3 Indicate the number of records to be included in a set by making an entry in the blank field represented h...

Page 37: ...are stored on the SR Yesterday This option generates the report view for yesterday only Month to Yesterday This option generates the report view for the range of days that includes the first day of th...

Page 38: ...ke a selection from the pull down menu for one of the available choices for which the summary report results will be limited Top Category Count Top IP Count Top User Count Top Site Count Top Page Coun...

Page 39: ...s Category Group or User Group pie chart or bar chart report and determines by which column the report will be sorted By default the field displays greyed out and becomes activated when a pie or bar c...

Page 40: ...ressee s Specify the following in the E Mail or For E Mail output only fields To Enter the email address of each intended report recipient separating each address by a comma and a space Subject Type i...

Page 41: ...s created 10 different sample report formats to help first time users understand the various types of reports available in the Security Reporter For purposes of this Evaluation Guide only three of the...

Page 42: ...ty Reporter and date range for today s date MM DD YYYY format report name description for that report type including the sort order and Page Count descending The body of the report contains rows of re...

Page 43: ...the categories in the M86 Security library This is a useful tool to quickly scan for excessive use of any category Sample Category Users report Sample Report 2 Top 20 Sites by User Site This report w...

Page 44: ...ple break report that shows all activity on the network broken out by category then user and then site This is a useful report if the administrator is looking for an all encompassing view of Internet...

Page 45: ...our organization s policies and prevent them from continuing to pursue such activities Monitor URL gauges When clicking Gauges in the navigation toolbar the URL Dashboard displays URL dashboard with U...

Page 46: ...of the gauge that is based upon the number of URL page hits see NOTE below that occur in this specific category in a given period of time NOTES In addition to page hits SR also counts blocked object...

Page 47: ...or can react quickly Step B Identify the source of a gauge s activity Each gauge is comprised of one or more gauge components derived from library categories in the Web Filter Sometimes end user activ...

Page 48: ...he Category View User panel showing a list of All Categories accessed by the selected end user for the gauge component View a list of Threats accessed by the user for that gauge Step D View URLs visit...

Page 49: ...by clicking the greyish white Back button at the bottom left of the panel Click the User Name link for that user to display the User Summary panel View the user s gauge activity in the User Summary p...

Page 50: ...o Reports URL Trend Charts to display the URL Trend Charts panel URL Trend Charts panel The pie trend chart is divided into pie slices named for each gauge in which there was activity The size of each...

Page 51: ...g that gauge s activity within the specified time period View activity for a specified gauge TIP You can also go to the bottom of the pie chart and click a tab for a gauge to access the line chart for...

Page 52: ...dle icon at the bottom of the gauge The gauge Trend Charts icon 2 The action of clicking the Trend Charts icon displays a pie Gauge Trend Chart for that gauge Gauge Trend Chart Note the pie slices in...

Page 53: ...urrent end user bandwidth activity on your network To display this panel first select Gauges and then click the Bandwidth tab above the Dashboard Bandwidth gauges Dashboard Default bandwidth gauges in...

Page 54: ...le showing all end user traffic for that protocol View bandwidth used by each end user for the protocol To the right of the User Name column are port numbers that comprise the protocol The number of b...

Page 55: ...idth protocol usage Step C View a user s port usage information Now drill down and view a user s port usage for a particular gauge In the Gauge Readings frame click the Gauge Name to activate the Cate...

Page 56: ...display the BandWidth Trend Charts panel BandWidth Trend Charts panel The pie trend chart is divided into pie slices named for each bandwidth gauge in which there was activity The size of each slice...

Page 57: ...gauge To learn more about the activity for a particular gauge click the pie slice for that gauge to view a line chart depicting that gauge s activity within the specified time period NOTE The score on...

Page 58: ...idth gauge In the bandwidth gauges Dashboard click the Trend Charts icon in the bottom middle of the gauge to display a pie trend chart for that gauge Bandwidth Gauge Trend Chart for a specified proto...

Page 59: ...ws you a list of users affecting URL gauges and Bandwidth gauges all in one panel This ranking table is accessed by navigating to Gauges Overall Ranking Overall Ranking table Note the URL frame to the...

Page 60: ...he panel by that name Select Add Edit Gauges By default the URL Gauges tab displays showing the list of URL gauges in the frame to the left If you wish to create a bandwidth gauge click the Bandwidth...

Page 61: ...he following entries selections in the Gauge Information frame at the left side of the panel Define Gauge Information and Gauge Components in the URL Gauge panel In the URL Gauge panel do the followin...

Page 62: ...Groups list box by selecting each cate gory and then clicking the add button Define Gauge Information and Gauge Components Step D Select users to be monitored by the gauge 1 Click the User Membership...

Page 63: ...time How to create an automated gauge alert This section will step you through the process of creating an automated threshold per user so you can be automatically notified via email and the violating...

Page 64: ...Select the Alerts option sample Alerts panel with Bandwidth Gauges tab selected 3 Choose the Gauge Name from the list in the left side of the panel and then click New Alert to display the next panel...

Page 65: ...heckbox is selected For a URL gauge a Low selection will lock out the user by the categories monitored by the specified URL gauge only For a bandwidth gauge a Low selection will lock out the user by t...

Page 66: ...hen an alert is triggered You can add multiple email addresses Specify email criteria sample Bandwidth Gauges panel For a URL gauge alert if a Low Lockout was specified click the Low Lockout Component...

Page 67: ...ith productivity reports security reports generated in the Security Reporter are easily customizable and can be saved exported or scheduled to run on a regular basis Use security reports for a view of...

Page 68: ...chart displays the name of the record along with the total hit count or bandwidth used in that record The Rule Transactions report also includes Actions and Policies information By default the bottom...

Page 69: ...Y REPORTS FOR A VIEW OF NETWORK ACTIVITY M86 SECURITY EVALUATION GUIDE 63 Click this icon to re display the top six graphs and table of records the default view Click this icon to display the table of...

Page 70: ...ustomized security report One method is by using the Report Settings Run feature and the other method is by generating a report view using the Report Wizard Step A Choose a Run option Option 1 Report...

Page 71: ...ull down menu Today default Month to Date Year to Date Yesterday Month to Yesterday Year to Yesterday Last Week Last Weekend Current Week Last Month Date Range If using the Report Settings Run feature...

Page 72: ...he end user IP address for filtering your results using the wildcard to return multiple IP addresses and then click Preview Users to display query results in the list box below For a Traffic Analysis...

Page 73: ...CUSTOMIZED SECURITY REPORT M86 SECURITY EVALUATION GUIDE 67 Step D Run the report Click Run to generate the security report view Generated Security Report view The report can now be exported by selec...

Page 74: ...he table and then clicking Export Selected Clicking either button opens the Export Report pop up window Export Report pop up window Step B Specify Break Type and URL limitation criteria 1 In the Expor...

Page 75: ...printed saved or emailed Option 2 Email the report To email the report 1 Enter at least one Email address and then click Add to include the email address in the list box below 2 Specify the Delivery...

Page 76: ...Generated by Filter information and Page number and page range The body of the first page of the report includes a bar chart showing the top six graphs with count indicators and the report name The bo...

Page 77: ...SECTION 3 SECURITY REPORTS CAPTURE THE SECURITY REPORT IN PDF FORMAT M86 SECURITY EVALUATION GUIDE 71 Sample PDF for Rule Transaction Security Report page 2...

Page 78: ...generated How to save a security report A security report can be saved only by using the Report Settings Save option Step A Select Report Settings Save option In the current security report view mous...

Page 79: ...top URLs to be exported Step C Select the users or group in the Users frame In the Users frame select one of the accordions and indicate criteria to include in the report to be generated By User Group...

Page 80: ...dress in the list box below 2 Specify the Delivery method for the email address To default Bcc or Cc 3 Type in the Subject for the email message 4 If you wish enter text to be included in the Body of...

Page 81: ...Security Report Wizard Using the former method saves several steps since the panel will be pre populated with data from the current report view How to use Wizard panels for scheduling reports Step A C...

Page 82: ...redefined Ranges If using the Report Wizard to generate and save a report this option is selected by default If choosing this option make a selec tion from the pull down menu Today default Month to Da...

Page 83: ...n the list box below For a Traffic Analysis or Rule Transactions report you can narrow your search result by including filters 1 Click Filters at the bottom right of the panel to display the filter re...

Page 84: ...cheduling 3 Select the frequency When to Run from the pull down menu Daily Weekly or Monthly If Weekly specify the Day of the Week from the pull down menu Sunday Saturday If Monthly specify the Day of...

Page 85: ...o display the Report Schedule panel Report Schedule panel In the Report Schedule panel reports scheduled to be run display as rows of records The following information is included for each record Name...

Page 86: ...the right of the table of report records View report schedule details The following information displays in this frame Name assigned to the scheduled event selected Report to Run interval When to Run...

Reviews:

No comments