
RSA NetWitness Reports

This topic lists the RSA NetWitness Reports. The reports are built upon rules and lists. When you download a report, all necessary RSA NetWitness Rules and RSA NetWitness Lists are also downloaded. You may, however, need to download supporting RSA Application Rules and parsers.

Note: For content that has been discontinued, see Discontinued Content.

  • Display Name: 11.1-11.2 Endpoint Machine Summary Report
  • File Name: 11.1-11.2 Endpoint Machine Summary Report
  • Description: This report shows information for the machines configured to run the RSA NetWitness Endpoint agent including an OS and endpoint version summary. Training on RSA NetWitness Endpoint, including analysis of Scan Data, may be found on RSA Link: https://community.rsa.com/docs/DOC-84977.

    VERSIONS SUPPORTED
    * RSA NetWitness Endpoint 11.1 and higher

    DEPENDENCIES
    NetWitness Rules:
    * 11.1-11.2 Endpoint Operating Systems Summary
    * 11.1-11.2 Endpoint Version Summary
  • Medium: endpoint
  • Tag: assurance, compliance, corporate, risk, vulnerability management

  • Display Name: 11.1-11.2 Endpoint Scan Data Autorun and Scheduled Task Report
  • File Name: 11.1-11.2 Endpoint Scan Data Autorun and Scheduled Task Report
  • Description: This report looks for suspicious autoruns and tasks using a few key features. Autoruns/Scheduled Tasks mechanisms are often used by attackers to maintain persistence on a compromised host. This is not an exhaustive set of potentially suspicious autorun behavior, but should give an analyst visibility into some of the more common techniques leveraged by attackers. Training on RSA NetWitness Endpoint, including analysis of Scan Data, may be found on RSA Link: https://community.rsa.com/docs/DOC-84977

    VERSIONS SUPPORTED
    * RSA NetWitness Endpoint 11.1 and higher

    DEPENDENCIES
    NetWitness Rules:
    * 11.1-11.2 Autoruns and Scheduled Tasks From or Referencing AppData
    * 11.1-11.2 Autoruns and Scheduled Tasks From Root of Program Data
    * 11.1-11.2 Autoruns and Scheduled Tasks Invoking Command Shell
    * 11.1-11.2 Autoruns and Scheduled Tasks Invoking Windows Script Host
    * 11.1-11.2 Autoruns and Scheduled Tasks Running Scripts
    * 11.1-11.2 Rarest Autorun Registry Keys
  • Medium: endpoint
  • Tag: attack phase, exploit, threat

  • Display Name: 11.1-11.2 Endpoint Scan Data File and Process Outliers Report
  • File Name: 11.1-11.2 Endpoint Scan Data File and Process Outliers Report
  • Description: This report focuses on rarity of particular process, file, and autorun features in the environment. While rarity in each of these results does not automatically imply malicious activity, it is important to analyze and justify outliers before ruling out the possibility. As certain results are determined to be benign, care should be taken to adjust the rule logic accordingly to avoid future hits. The schedule of this report should be at the same interval as your scheduled scans to avoid aggregating results across multiple scans. Training on RSA NetWitness Endpoint, including analysis of Scan Data, may be found on RSA Link: https://community.rsa.com/docs/DOC-84977

    VERSIONS SUPPORTED
    * RSA NetWitness Endpoint 11.1 and higher

    DEPENDENCIES
    NetWitness Rules:
    * 11.1-11.2 Rarest Child Processes of Web Server Processes
    * 11.1-11.2 Rarest Code Signing Certificate CNs
    * 11.1-11.2 Rarest Parent Processes of cmd
    * 11.1-11.2 Rarest Parent Processes of powershell
    * 11.1-11.2 Rarest Processes Running from AppData
    * 11.1-11.2 Windows Process Parent Child Mismatch
  • Medium: endpoint
  • Tag: attack phase, exploit, malware, threat

  • Display Name: 11.1-11.2 Endpoint Scan Data Host Report
  • File Name: 11.1-11.2 Endpoint Scan Data Host Report
  • Description: This report returns information about the endpoint for the configured hostname. This information could be useful when conducting an investigation into a suspect machine. Information includes autoruns, tasks, machine details, processes, services, DLLs and files. Training on RSA NetWitness Endpoint, including analysis of Scan Data, may be found on RSA Link: https://community.rsa.com/docs/DOC-84977.

    VERSIONS SUPPORTED
    * RSA NetWitness Endpoint 11.1 and higher

    CONFIGURATION
    When the Endpoint Scan Data Host Report is scheduled to run, you must enter a hostname or configure and use a NetWitness List of hostnames to return this scan data information.

    DEPENDENCIES
    NetWitness Rules:
    * 11.1-11.2 Autoruns and Tasks on Host
    * 11.1-11.2 DLLs on Host
    * 11.1-11.2 Files on Host
    * 11.1-11.2 Machine Details on Host
    * 11.1-11.2 Processes on Host
    * 11.1-11.2 Services on Host
  • Medium: endpoint
  • Tag: assurance, compliance, corporate, risk, vulnerability management

  • Display Name: 11.3 Endpoint Machine Summary Report
  • File Name: 11.3 Endpoint Machine Summary Report
  • Description: This report shows information for the machines configured to run the RSA NetWitness Endpoint agent including an OS and endpoint version summary. Training on RSA NetWitness Endpoint, including analysis of Scan Data, may be found on RSA Link: https://community.rsa.com/docs/DOC-84977.

    VERSIONS SUPPORTED
    * RSA NetWitness Endpoint 11.3 and higher

    DEPENDENCIES
    NetWitness Rules:
    * 11.3 Endpoint Operating Systems Summary
    * 11.3 Endpoint Version Summary
    * 11.3 Endpoint Indicators Summary
    * 11.3 Endpoint Indicators by Tactic and Technique
    * 11.3 Endpoint Indicators by Tactic
    * 11.3 Endpoint Indicators Analysis
    * 11.3 Endpoint Host State
  • Medium: endpoint
  • Tag: assurance, compliance, corporate, risk, vulnerability management

  • Display Name: 11.3 Endpoint Network Activity
  • File Name: 11.3 Endpoint Network Activity
  • Description: This report shows information for the network activity on machines configured to run the RSA NetWitness Endpoint agent. Training on RSA NetWitness Endpoint, including analysis of Scan Data, may be found on RSA Link: https://community.rsa.com/docs/DOC-84977.

    VERSIONS SUPPORTED
    * RSA NetWitness Endpoint 11.3 and higher

    DEPENDENCIES
    NetWitness Rules:
    * 11.3 Endpoint Module and Dynamic DNS
    * 11.3 Powershell to External Domain
    * 11.3 User Defined Domain Name Analysis
  • Medium: endpoint
  • Tag: assurance, compliance, corporate, risk, vulnerability management

  • Display Name: 11.3 Endpoint Scan Data Autorun and Scheduled Task Report
  • File Name: 11.3 Endpoint Scan Data Autorun and Scheduled Task Report
  • Description: This report looks for suspicious autoruns and tasks using a few key features. Autoruns/Scheduled Tasks mechanisms are often used by attackers to maintain persistence on a compromised host. This is not an exhaustive set of potentially suspicious autorun behavior, but should give an analyst visibility into some of the more common techniques leveraged by attackers. Training on RSA NetWitness Endpoint, including analysis of Scan Data, may be found on RSA Link: https://community.rsa.com/docs/DOC-84977

    VERSIONS SUPPORTED
    * RSA NetWitness Endpoint 11.3 and higher

    DEPENDENCIES
    NetWitness Rules:
    * 11.3 Autoruns and Scheduled Tasks From or Referencing AppData
    * 11.3 Autoruns and Scheduled Tasks From Root of Program Data
    * 11.3 Autoruns and Scheduled Tasks Invoking Command Shell
    * 11.3 Autoruns and Scheduled Tasks Invoking Windows Script Host
    * 11.3 Autoruns and Scheduled Tasks Running Scripts
    * 11.3 Rarest Autorun Registry Keys
    * 11.3 Multiple Arguments for Same Task
    * 11.3 Multiple Filename for Task Name
    * 11.3 Multiple Task Name for Filename
    * 11.3 Rare Extension for Task
    * 11.3 Rarest Unsigned Service Names Across Endpoints
    * 11.3 Rarest Unsigned Task Names Across Endpoints
    * 11.3 Same Arguments for Different Task Filename
    * 11.3 Task Present on one Machine
    * 11.3 Uncommon Directory for Task
    * 11.3 User Created Unique Task
  • Medium: endpoint
  • Tag: attack phase, exploit, threat

  • Display Name: 11.3 Endpoint Scan Data File and Process Outliers Report
  • File Name: 11.3 Endpoint Scan Data File and Process Outliers Report
  • Description: This report focuses on rarity of particular process, file, and autorun features in the environment. While rarity in each of these results does not automatically imply malicious activity, it is important to analyze and justify outliers before ruling out the possibility. As certain results are determined to be benign, care should be taken to adjust the rule logic accordingly to avoid future hits. The schedule of this report should be at the same interval as your scheduled scans to avoid aggregating results across multiple scans. Training on RSA NetWitness Endpoint, including analysis of Scan Data, may be found on RSA Link: https://community.rsa.com/docs/DOC-84977

    VERSIONS SUPPORTED
    * RSA NetWitness Endpoint 11.3 and higher

    DEPENDENCIES
    NetWitness Rules:
    * 11.3 Rarest Child Processes of Web Server Processes
    * 11.3 Rarest Code Signing Certificate CNs
    * 11.3 Rarest File Names Across Endpoints
    * 11.3 Rarest Parent Processes of cmd.exe
    * 11.3 Rarest Parent Processes of powershell.exe
    * 11.3 Rarest Processes Running from AppData
    * 11.3 Rarest Vendor of Unsigned Files Across Endpoints
    * 11.3 Windows Process Parent Child Mismatch
  • Medium: endpoint
  • Tag: attack phase, exploit, malware, threat

  • Display Name: 11.3 Endpoint Scan Data Host Report
  • File Name: 11.3 Endpoint Scan Data Host Report
  • Description: This report returns information about the endpoint for the configured hostname. This information could be useful when conducting an investigation into a suspect machine. Information includes autoruns, tasks, machine details, processes, services, DLLs and files. Training on RSA NetWitness Endpoint, including analysis of Scan Data, may be found on RSA Link: https://community.rsa.com/docs/DOC-84977.

    VERSIONS SUPPORTED
    * RSA NetWitness Endpoint 11.3 and higher

    CONFIGURATION
    When the Endpoint Scan Data Host Report is scheduled to run, you must enter a hostname or configure and use a NetWitness List of hostnames to return this scan data information.

    DEPENDENCIES
    NetWitness Rules:
    * 11.3 Autoruns and Tasks on Host
    * 11.3 DLLs on Host
    * 11.3 Files on Host
    * 11.3 Machine Details on Host
    * 11.3 Processes on Host
    * 11.3 Services on Host
  • Medium: endpoint
  • Tag: assurance, compliance, corporate, risk, vulnerability management

  • Display Name: All Risk Suspicious
  • File Name: All Risk Suspicious
  • Description: This report lists All Risk Suspicious by Source, Destination and Session Size.
  • Medium: log, packet
  • Tag: threat, identity, assurance, operations, situation awareness

  • Display Name: All Risk Warning
  • File Name: All Risk Warning
  • Description: This report lists All Risk Warning by Source, Destination and Session Size.
  • Medium: log, packet
  • Tag: threat, identity, assurance, operations, situation awareness

  • Display Name: Amazon VPC Traffic Flow
  • File Name: Amazon VPC Traffic Flow
  • Description: The report provides insights on the Amazon VPC traffic flow.

    VERSIONS SUPPORTED
    10.6.5.x and higher

    CONFIGURATION
    Configure the Amazon VPC plugin with valid credentials as per the plugin configuration document
    Use the latest table-map.xml

    DEPENDENCIES
    CEF log parser
  • Medium: log
  • Tag: event analysis, flow analysis, operations

  • Display Name: Anonymous Proxy and Remote Control Activity
  • File Name: Anonymous Proxy and Remote Control Activity
  • Description: Displays suspected use of services, clients or protocols for anonymous access or remote control activities.
  • Medium: log, packet
  • Tag: assurance, compliance, audit, operations, event analysis, situation awareness

  • Display Name: AWS Access Permissions Modified Report
  • File Name: AWS Access Permissions Modified Report
  • Description: 10.5 and higher. Detects when Amazon Web Services (AWS) instance permissions are modified. The AWS CloudTrail log parser is a required dependency.
  • Medium: log
  • Tag: assurance, compliance, audit, identity, authorization

  • Display Name: AWS Critical VM Modified Report
  • File Name: AWS Critical VM Modified Report
  • Description: 10.5 and higher. Detects when Amazon Web Services (AWS) critical virtual machine instances are modified. Actions detected by this module include instances being terminated, stopped and rebooted as well as modification of instance attributes and monitoring status. In order to trigger an alert, a custom feed of critical instance source IPs must be created to populate the alert meta key with the value "critical_vm". The AWS CloudTrail log parser is a required dependency.
  • Medium: log
  • Tag: assurance, compliance, audit, identity, authorization

  • Display Name: Azure Monitoring Insights
  • File Name: Azure Monitoring Insights
  • Description: The report provides insights on the Azure Monitor operations.

    VERSIONS SUPPORTED
    10.6.5.x and higher

    CONFIGURATION
    Configure the Azure Monitor plugin with valid credentials as per the plugin configuration document
    Use the latest table-map.xml
  • Medium: log
  • Tag: event analysis, operations

  • Display Name: BASEL II - Compliance Report
  • File Name: BASEL II - Compliance Report
  • Description: This article introduces Basel II report templates. Basel II compliance reports are based on recommendations by bank supervisors and central bankers to improve the consistency of capital regulations internationally, make regulatory capital more risk sensitive, and promote enhanced risk-management practices among international banking organizations.
  • Medium: log
  • Tag: assurance, compliance, audit

  • Display Name: BILL 198 - Compliance Report
  • File Name: BILL 198 - Compliance Report
  • Description: This article introduces Bill 198 compliance reports. Bill 198 empowers the Ontario Securities Commission to develop guidelines to protect investors in public Canadian companies by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws.
  • Medium: log
  • Tag: assurance, compliance, audit

  • Display Name: Bulk Data Transfer - Report
  • File Name: Bulk Data Transfer - Report
  • Description: Displays events where the amount of data transferred between the Source-Destination IP pairs is over 20 Mb or 50 Mb.
  • Medium: packet
  • Tag: assurance, compliance, audit

  • Display Name: Cleartext Authentications
  • File Name: Cleartext Authentications
  • Description: This report displays events in which passwords were sent over cleartext using network protocols such as FTP, HTTP, POP3 and SMTP.
  • Medium: packet
  • Tag: assurance, risk, organizational hazard, operations, event analysis, protocol analysis

  • Display Name: Encrypted Traffic
  • File Name: Encrypted Traffic
  • Description: This report shows encrypted sessions that may warrant additional investigation by an analyst. A threat actor may use atypical protocols or ports to hide malicious activities such as data exfiltration.
  • Medium: log, packet
  • Tag: operations, situation awareness

  • Display Name: Encrypted Traffic over Non-Standard Port
  • File Name: Encrypted Traffic over Non-Standard Port
  • Description: Summarizes sessions containing encrypted traffic that are not on port 22, 993, 995 or 443.
  • Medium: packet
  • Tag: operations, event analysis, protocol analysis

  • Display Name: Executables
  • File Name: Executables
  • Description: This report presents instances of executables detected on wire. This report is broken into four sections: Executables by Domain, Country, Executables with abnormal characteristics - Suspicious and Warning
  • Medium: packet
  • Tag: operations, event analysis, file analysis

  • Display Name: FERPA - Compliance Report
  • File Name: FERPA - Compliance Report
  • Description: This article introduces the Family Educational Rights and Privacy Act (FERPA) compliance report templates. The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. 1232g, 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
  • Medium: log
  • Tag: assurance, compliance, audit

  • Display Name: FFIEC - Compliance Report
  • File Name: FFIEC - Compliance Report
  • Description: This article introduces the Federal Financial Institutions Examination Council (FFIEC) compliance templates. The Federal Financial Institutions Examination Council (FFIEC) is a body of the United States government empowered to prescribe principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), Mergers & Acquisitions International Clearing (MAIC), and the Consumer Financial Protection Bureau (CFPB).
  • Medium: log
  • Tag: assurance, compliance, audit

  • Display Name: File Transport Over Uncommon Protocol
  • File Name: File Transport Over Uncommon Protocol
  • Description: Displays files transported over uncommon protocols such as ICMP and those identified as unknown. This report will ignore files transferred ov , FTP, SMTP, POP, RSYNC and TFTP.
  • Medium: packet
  • Tag: operations, event analysis, protocol analysis, audit, compliance, log analysis, operations, log analysis, operations

  • Description (truncated): the Federal Trade Commission (FTC) issued the Safeguards Rule, which requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure.
  • Medium: log
  • Tag: assurance, compliance, audit

  • Description (truncated): if the entire company reads CNN throughout the day, this report will show that usage. You could then make a decision to filter the CNN traffic from view, so that suspicious traffic becomes more noticeable. Available rules and lists cover different browsing categories, such as Ad servers, streaming sites, social networks, and so on.
  • Medium: log, packet
  • Tag: operations

  • Description (truncated): the use of intrusion detection and prevention systems (IDS/IPS), with which local authorities must comply in order to prevent accidental or malicious data loss.
  • Medium: log
  • Tag: assurance, compliance, audit

  • Description (truncated): health plans, clearinghouses, and their business associates establish appropriate administrative, technical, and physical safeguards to protect the privacy and security of sensitive health information.
  • Medium: log
  • Tag: assurance, compliance, audit

  • Description (truncated): https://community.rsa.com/docs/DOC-62341, and the Hunting Feed, https://community.rsa.com/docs/DOC-62301, for more details about the contents of the pack and the suggested investigation techniques.

    This report displays events that have been categorized according to the following meta keys with added contextual evidence to assist an analyst.

    Note: This should be run as a daily report. The amount of meta values reported may be large depending on traffic volume, and running over longer time frames may result in a query timeout.

    - Indicators of Compromise: Possible intrusions into the network or at the endpoint that can be identified through malware signatures or IPs and domains associated with command and control campaigns
    - Behaviors of Compromise: Designated for suspect or nefarious behavior outside the standard signature-based detection
    - Enablers of Compromise: Instances of poor information or operational security. Post-mortem often ties these to the root cause
    - Service Analysis: Core application protocols identification and inspection
    - Session Analysis: Client-server communication deviations
    - File Analysis: A large inspection library that highlights file characteristics and anomalies
  • Medium: log, packet, endpoint
  • Tag: application analysis, attack phase, event analysis

  • Description (truncated): https://community.rsa.com/docs/DOC-62341, and the Hunting Feed, https://community.rsa.com/docs/DOC-62301, for more details about the contents of the pack and the suggested investigation techniques.

    This report displays a summary of the events that have been categorized according to the following meta keys:

    - Indicators of Compromise: Possible intrusions into the network or at the endpoint that can be identified through malware signatures or IPs and domains associated with command and control campaigns
    - Behaviors of Compromise: Designated for suspect or nefarious behavior outside the standard signature-based detection
    - Enablers of Compromise: Instances of poor information or operational security. Post-mortem often ties these to the root cause
    - Service Analysis: Core application protocols identification and inspection
    - Session Analysis: Client-server communication deviations
    - File Analysis: A large inspection library that highlights file characteristics and anomalies
  • Medium: log, packet, endpoint
  • Tag: application analysis, attack phase, event analysis

  • Description (truncated): deletions, disables, modifications), group modifications, password changes and access revocations.
  • Medium: log
  • Tag: identity, accounting, operations, situation awareness, event analysis, protocol analysis, flow analysis

  • Description (truncated): risk alerts, threats, top destinations, OS types, browsers and clients. To use the report, create and populate the report list with source IP addresses as noted in the dependencies.
  • Medium: log, packet
  • Tag: identity, accounting

  • Description (truncated): implementing, maintaining and improving information security management in an organization. ISO 27002 is used as the foundation and technical guidelines for many international and industry compliance standards and is generally good practice for all organizations.
  • Medium: log
  • Tag: assurance, compliance, audit, risk, organizational hazard, operations, event analysis, flow analysis

  • Description (truncated): those being indicative of a large file transfer from an RFC 1918 to a non-RFC 1918 address.
  • Medium: packet
  • Tag: assurance, event analysis, flow analysis, operations, organizational hazard, risk, attack phase, featured, lateral movement, threat

  • Description (truncated): you will need at least two of the related Lua parsers.

    Lua Parsers
    * HTTP_lua OR TLS_lua
    * DNS_verbose_lua OR DynDNS

    If collecting logs you will need at least one event source with device class of web logs. This includes web proxy and security products such as Cisco WSA and SQUID. And you will need at least one event source from the following device classes:
    * Firewall
    * IDS
    * IPS
    * Netflow (rsaflow)

    Note: For deployments prior to 10.6.2, you will also need to configure a set of new meta keys: inv.context and inv.category. See product documentation of the Investigation Feed for more details: https://community.rsa.com/docs/DOC-62303.
  • Medium: log, packet
  • Tag: featured, malware, threat

  • Description (truncated): compliance enforcement, assessments of risk and preparedness, disseminating critical information via alerts to industry, and raising awareness of key issues.
  • Medium: log
  • Tag: assurance, compliance, audit

  • Description (truncated): ensure that device parser "RSAFlow" for 10.3 logdecoder or "CEF" for 10.4 logdecoder is enabled and meta-keys "direction" and "Source Port (ip.srcport)" are indexed in table-map.xml and index-concentrator-custom.xml
  • Medium: log
  • Tag: operations, event analysis, protocol analysis, flow analysis

  • Description (truncated): Top Applications and First Heard IPs. For this report to get populated, ensure that device parser "RSAFlow" for 10.3 logdecoder or "CEF" for 10.4 logdecoder is enabled and meta-key "direction" is indexed in table-map.xml and index-concentrator-custom.xml
  • Medium: log
  • Tag: operations, event analysis, filters, flow analysis

  • Description (truncated): ensure that "RSAFLOW" LogParser for 10.3 or "CEF" LogParser for 10.4 is enabled and meta key "direction" is indexed in table-map.xml and index-concentrator-custom.xml. Also ensure that the meta-key "TCP Flags Seen (tcp.flags.seen)" is indexed in index-concentrator-custom.xml
  • Medium: log
  • Tag: operations, event analysis, protocol analysis, flow analysis

  • Description (truncated): ensure that device parser "RSAFlow" for 10.3 logdecoder or "CEF" for 10.4 logdecoder is enabled and meta-key "direction" is indexed in table-map.xml and index-concentrator-custom.xml
  • Medium: log
  • Tag: operations, event analysis, protocol analysis, flow analysis, situation awareness, compliance, audit

  • Description (truncated): see the NetWitness Respond Configuration and User Guides for details.

    VERSIONS SUPPORTED
    10.6.2 and higher

    CONFIGURATION
    You must configure the Respond service and database, alert data sources and aggregation rules for this report to populate.

    DEPENDENCIES
    * Common Event Format Log Parser
  • Medium: log, packet
  • Tag: assurance, audit, compliance

  • Description (truncated): Top Alias Host Destination by Source IP, Top Destination Country by Session Count, Top Destination Country by Session Size, Top Destination Country by Source IP, Top HTTPS Destination IP by Session Size, Top Network Service by Session Count
  • Medium: log, packet
  • Tag: operations, event analysis

  • Description (truncated): sets comprehensive standards for protecting classified data. All government agencies and commercial contractors who have access to classified data are required to implement system protection processes to ensure continued availability and integrity of this data, and prevent its unauthorized disclosure. These regulations apply to systems used in the capture, creation, storage, processing, or distribution of restricted information.
  • Medium: log
  • Tag: assurance, compliance, audit, event analysis, protocol analysis, event analysis, protocol analysis, flow analysis

  • Description (truncated): merchants, and service providers that store, process, or transmit payment cardholder data. Additionally, these security requirements apply to all "system components" - any network component, server, or application included in, or connected to

  • Description (truncated): mail traffic from top countries by frequency, top email subjects, top email addresses by frequency, top file extension of attachments by frequency.
  • Medium: log, packet
  • Tag: threat, attack phase, delivery, operations

  • Description (truncated): event counts and a description of each outcome.

    Note: You will need to index the non-standard meta key 'result' on the Log Decoder and Concentrator in order to fully populate this report. See the report documentation for more details at https://community.rsa.com/docs/DOC-43406.

    DEPENDENCIES:
    RSA Authentication Manager and User Credential Manager event source (log parser rsaacesrv)
  • Medium: log
  • Tag: featured, authentication, identity, identity

  • Description (truncated): Shadow IT Use by Category - Event Count, Shadow IT Use by Category - Session Size, Shadow IT Use by IP Source, Shadow IT Use by BYOD. It is dependent on the following List: Watchlist by IP (optional for High Risk report). It is dependent on the following RSA Application Rules: Stealth EmailUse, Voice Chat Apps, File Sharing Apps, BYOD Mobile Web Agent Detected, Large Outbound Session. It is dependent on the following RSA Lua Parsers: http_lua

  • Description (truncated): but also to assess its effectiveness on an annual basis.
  • Medium: log
  • Tag: assurance, compliance, audit, compliance, audit, event analysis, protocol analysis, flow analysis

  • Description (truncated): destination countries, destination countries by service type, destination IP addresses, search engine queries, services, uncategorized sites, websites and countries with warning or suspicious level alerts.
  • Medium: log, packet
  • Tag: threat

  • Description (truncated): protocol, outbound protocol, outbound source IP and foreign domain.
  • Medium: log, packet
  • Tag: assurance, compliance, audit, operations, event analysis, flow analysis, operations

  • Description (truncated): logout, cleartext authentication, email and activity categorized as risk.suspicious and risk.warning. To use the report, create and populate the report lists as noted in the dependencies.
  • Medium: log, packet
  • Tag: assurance, compliance, audit, identity