Attack Detected Summary
The Attack Detected Summary report (#1338) returns a summary of attacks against an organization’s environment as determined by the enabled AIE rules. The report contains details about each attack that help reduce detection time and enable a faster response by security and operations personnel, which is a key factor in protecting the organization’s environment.
Internal Account Created, Used and Deleted
The Int Acct Created, Used, Deleted report (#1339) is based on a configured AIE rule that captures summary information whenever an internal account is created, used and deleted on the same host. This sequence can indicate malicious activity (for example, a temporary account created to perform an action and then removed to cover its tracks) and may require further investigation.
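To make the correlation behind that rule concrete, here is an added example (not LogRhythm’s AIE rule or its code) that flags an account created, used and deleted on the same host within a time window, run over constructed events; the Windows Security event IDs (4720 created, 4624 logon, 4726 deleted), the event tuple layout and the 24-hour window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed event ID mapping (Windows Security log convention), not from the page.
CREATED, USED, DELETED = 4720, 4624, 4726

# Constructed sample events: (timestamp, host, event_id, account).
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "srv01", CREATED, "svc_tmp"),      # created
    ("2024-05-01T09:05:00", "srv01", USED, "svc_tmp"),         # used
    ("2024-05-01T09:30:00", "srv01", DELETED, "svc_tmp"),      # deleted -> hit
    ("2024-05-01T10:00:00", "srv02", CREATED, "jdoe"),         # created, never deleted
    ("2024-05-01T10:10:00", "srv02", USED, "jdoe"),
    ("2024-05-01T11:00:00", "srv03", CREATED, "contractor1"),  # deleted two days later
    ("2024-05-02T11:00:00", "srv03", USED, "contractor1"),
    ("2024-05-03T12:00:00", "srv03", DELETED, "contractor1"),
]


def find_create_use_delete(events, window=timedelta(hours=24)):
    """Return (host, account, created_at, used_at, deleted_at) for every account
    that was created, then used, then deleted on the same host, with the use and
    the deletion both falling within `window` of the creation event."""
    by_key = defaultdict(list)  # (host, account) -> [(time, event_id), ...]
    for ts, host, eid, acct in events:
        by_key[(host, acct)].append((datetime.fromisoformat(ts), eid))

    hits = []
    for (host, acct), evs in by_key.items():
        evs.sort()  # chronological order so the sequence check is meaningful
        for created_at, eid in evs:
            if eid != CREATED:
                continue
            deadline = created_at + window
            used_at = next((t for t, e in evs
                            if e == USED and created_at <= t <= deadline), None)
            if used_at is None:
                continue
            deleted_at = next((t for t, e in evs
                               if e == DELETED and used_at <= t <= deadline), None)
            if deleted_at is not None:
                hits.append((host, acct, created_at, used_at, deleted_at))
    return hits


if __name__ == "__main__":
    for hit in find_create_use_delete(SAMPLE_EVENTS):
        print("create/use/delete on %s by %s: %s -> %s -> %s" % hit)
```

Widening the window (e.g. 72 hours) also surfaces the slower contractor1 sequence, so the window is a tuning knob between noise and missed short-lived accounts.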
Patches or Signatures Updated Summary
The Patches or Signatures Updated Summary report (#1329) provides summary information about successful and failed installations of patches or signature updates. This report supports the effort of ensuring that the latest security components are applied to all log sources in the environment.
Top Targeted Assets, Top Targeted Applications, Top Suspicious Logins, Top Attacker Summaries
The “Top” reports (#1331/1332/1333/1334) are designed to help organizations identify areas at risk of malware intrusion, enabling a more proactive approach to protecting cyber security assets and supplementing NERC-CIP control objectives. These reports cover various layers of the infrastructure, including critical applications and hosts, security operations, audits, and executive personnel within the organization.
Knowledge Base Content
NERC-CIP: Attack Detected Summary
NERC-CIP: Int Acct Created, Used, Deleted
NERC-CIP: Patches or Signatures Updated Summary
NERC-CIP: Top Targeted Assets Summary
NERC-CIP: Top Targeted Application Summary
NERC-CIP: Top Suspicious Login Summary
NERC-CIP: Top Attacker Summary
Component reports can cover all log sources in your environment, but are primarily intended for logs from anti-malware systems, servers, workstations, security enforcing devices, file integrity monitors, VPN devices, backup monitoring, access control systems, remote authentication devices, and vulnerability detection systems. When configured properly, detected attacks are processed and included in the various reports contained within the compliance module. This provides a sound platform for continuously monitoring and improving both compliance and cyber security programs. Further, because systems and other IT assets are grouped by impact (entity structure), this grouping is captured in each report to indicate where top-priority events occur.
How to Use Reports
Reports provide additional data to supplement AIE alerts and notifications about potential and known malicious activity. You can supplement these reports with details gathered from deep-dive investigations for a better understanding of the threats against your organization’s environment.