FUJITSU
Horizon Event Logging Process for Operational Security
Ref: RS/PRO/049
Version: 0.2
Company-in-Confidence Date: 22-Jan-2008
Document Title: Horizon Event Logging Process for Operational Security
Document Type: PRD
Release: DRAFT
Abstract: This document summarises the Operational Security Process for Event logging
Document Status: DRAFT
Originator & Dept: William Membery, Operational Security
Contributors: Deborah Haworth (CISO), Mike Conneely, Brian Gallacher (Tivoli), Dave Haywood (Solutions Architect), Marie Clare Mcoy (ISD NT), Joe Diffen (ISD Unix), Andy Gibson (ISD UNIX), Shaun Pinder (ISD NT), James Gosnold (CSA Security), Jo Booth (ISD Networks)
External Distribution: (For Document Management to distribute following approval)
Approval Authorities: (See CM/ION/078 for Approval roles)
Name: Role: Signature / Date
Howard Pritchard: Chief Information Security Officer (CISO)
Pete Sewell: Operations Security Manager
©Copyright Fujitsu Services Ltd 2007 Company-in-Confidence Page: 1 of 199
FUJ00155214
0.0 Document Control
0.1 Document History
Version No. | Date | Reason for Issue | Associated CP/PEAK/PPRR Reference
0.1 | 14/12/2007 | Process required for Event Logging |
0.2 | 18/01/2008 | Amended following comments |
0.2 Review Details
Review Comments by: Thursday, 14th January 2008
Review Comments to: Bill Membery & RMGA Document Management
Mandatory Review
Role: Name
CISO: Howard Pritchard
Service Delivery Manager (Ops): Ian Cooley
Lead Architect: Sean Kerrin
Operational Security Manager: Peter Sewell
Head of Service Transition and Change: Graham Welsh
SV&I, LST Test Manager, RMGA: Sheila Bamber *
Service Support Manager RMGA: Peter Thompson
CS Network Services: Alex Kemp
CS System Support Centre Manager: Mik Peach *
CS Business & Risk Security Manager: Brian Pinder
SI Technical Designer: Ian Bowen
ISD Team Manager IS Operations (KA): Adrienne Thompson
ISD POA UNIX Administrator IS Operations KA: Andrew Gibson *
ISD NT Senior Systems Engineer IS Operations KA: Warren Welsh
ISD Practice Head - Implementations North: Dave Jackson
IS Operations Manager: [first name illegible] Acton *
Principal Consultant: Mike Conneely *
Optional Review
Role: Name
Principal Security Consultant: Jim Sweeting
SIASS Designer: Alan Hodgkinson
CS Service Release Manager: John Budworth
SI Test Designer: Peter Robinson
SI Release Manager: James Stanton
CS Business Continuity Manager: Tony Wicks
Design & Development Manager: Roy Birkenshaw
Software Configuration Management (PO): Tariq Arain
SI Team Leader: Peter Ambrose
SIASS Designer: Ian Devereux
SI Technical Designer: Chris Beddoes
Programme Office Manager: David Cooper
CS Major Release Manager: Sarah Payne / Peter Goodwin *
Service Delivery Manager (OBC): Ian Venables *
Service Management Manager: Liz Melrose
Customer Solutions Architect, Technical Design Authority: Gareth Jenkins, Dave Tanner
Technical Consultant MSS, SMC: Dave Laker
Solutions Group - Service & Transition, Information Assurance: James Gosnold
Release Controller: John Boston
Lead Test Engineer - RMGA: Graham Jennings
Service Definition Manager: Adam Bowe
Problem Manager: Lionel Higman
Integration Team Leader: Asad Sheikh
Test Engineer - Applications: Nigel Taylor
Principal Consultant/SAP Service Delivery Team Leader: Eveline Bunce
Service Delivery Manager - Data File Transfer: Kirsty Gallacher
Product Specialist: Mark Wright
Issued for Information - Please restrict this distribution list to a minimum
Position: Name
(*) = Reviewers that returned comment sheets and/or attended a Group Review (Meeting Review)
0.3 Associated Documents
Reference | Version | Date | Title | Source
PA/TEM/001 (DO NOT REMOVE) | | | Fujitsu Services POA Horizon Programme Document Template | PVCS
| | | Fujitsu Services Horizon Security and Control Framework (New Document) | PVCS
RS/POL/002 | | | Fujitsu Services Security Policy | PVCS
CS/SER/016 | | | Service Description for the Security Management Service | PVCS
SVM/SDM/PRO/0018 | | | RMGA Customer Service Incident Management Process | Dimensions
FSSL | 10.01 | 14/01/2008 | Security Information & Event Management Supported Devices and Standard Reports | Fujitsu Services
Unless a specific version is referred to above, reference should be made to the current approved versions of the documents.
N.B. Printed versions of this document are not under change control.
0.4 Abbreviations/Definitions
Abbreviation: Definition
ARQ: Audit Request - this is a service provided by RMGA Security to PO Ltd.
Athene: Metro's Performance Management, Capacity Planning and Capacity Forecasting software specialist tool for Unix
Centera: EMC Secure Storage Solution
Cisco Works: Cisco's Network Management Tool
CISO: Chief Information Security Officer
CP: Change Proposal
DNS: Domain Name Server - way of translating names into IP addresses
HNG-X: Horizon Next Generation - the new developing Solution for Post Office Ltd
Horizon: Royal Mail Group's Current Solution for Post Office Limited
HP Openview: Hewlett Packard's Network Management Tool
Insight Manager: Compaq's Fault and Performance Management Tool used on Compaq Windows Platforms in RMGA.
ISO: International Standards Organisation
KMA Logs: Logs produced by the Key Management Administration System
Maestro: Tivoli's Scheduling Tool
NHS: Fujitsu's National Health Service Account
NMS: Network Management Server
NNM: Network Node Manager
OLA: Operational Level Agreement - agreement defining what is required from the Operational part of an organisation providing a service
OOH: Out of Hours Access Solution for Support Teams
Oracle: Relational Database Management System
Patrol: Software Innovations Unix Applications Monitoring Tool
PO Ltd: Post Office Ltd
Radius: Remote Authentication Dial in User Service
RMGA: Royal Mail Group Account
RSA Tokens: Tokens used for ensuring two factor authentication prior to access to systems
Rules of Evidence: Rules required by the Courts to ensure that any evidence used in prosecution is admissible
SAS: Secure Access Servers - used for remote access logging
Sawmill: Flowerfire's Log Analysis Tool
SDU: Service Delivery Unit - unit of an organisation delivering a service
ServerView: Fujitsu's Fault and Performance Management Tool used on Fujitsu Windows Platforms
SIEM: Security Incident and Event Monitoring Tool
SI: Fujitsu Systems Integration Group
SLA: Service Level Agreement - agreement defining what level of service is expected
SLTs: Service Level Targets
SMC: Systems Management Centre
Sophos: Anti Virus and Anti Spam product
SSH: Secure Shell - a network protocol that ensures data is exchanged between two computers over a secure channel
syslog: Standard for forwarding log messages in an IP Network
TACACS+: Cisco's Accounting, Authentication and Audit Tool
Tivoli: IBM Event Monitoring and Configuration Tool
VPN: Virtual Private Network
0.5 Changes Expected
Changes
- Expect changes following the definition of PO Ltd requirements.
- Expect changes following the review process.
- Expect changes following production of the Fujitsu Services Security and Control Framework.
- Expect changes once SIEM tools are agreed and finalised.
- Expect changes following SI Designs.
- Expect changes once details of the assets requiring log analysis are available.
- Expect changes once the Event test criteria are agreed.
0.6 Table of Contents
1.0 Scope of Document
  1.1 Political Background
  1.2 Technical Background
    1.2.1 Tivoli
    1.2.2 Networks NMS and Syslog Server
    1.2.3 Service Delivery Unit Analyses
2.0 Dependencies
3.0 Process Flow
  3.1 Horizon Security and Control Framework
  3.2 Event Audit Security Control and Framework Requirements
  3.3 Event Audit Framework and Current View
  Operational Security Framework Implementation
  Tests
  Reports
    Summary Reports
    Compliance Report
    Operational Security Management and ad hoc Reports
  3.7 Sawmill Process
4.0 Audit
5.0 Appendix A
  5.1 Tivoli Event Log Summary
    Summary
  5.2 Overview
    Years/months/days
    File names
    Messages
    5.2.13 Descriptions
  5.3 Summary Analysis of a Windows 2K/XP CSV Log Export
    5.3.1 Overview
    Years/months/days
    Days
    Day of weeks
    Hour of days
    Computers
  Summary Analysis of a Cisco Firewall/Router/Switches Syslog
    Summary
    Overview
    Years/months/days
    Days
    Day of weeks
    Hour of days
    Destination IPs
    Source hostnames
    Destination hostnames
    Source ports
    Destination ports
    Foreign ports
    Global IPs
    Global ports
    Local IPs
    Local ports
    Entry pages
    Exit pages
    Session pages
    Session users
  5.4 Summary Analysis of a Unix Solaris 9.0 Syslog
    Overview
    Years/months/days
    Days
    Day of weeks
    Hour of days
    Logging devices
    Syslog messages
6.0 Appendix B
7.0 Appendix C
1.0 Scope of Document
This document defines the process to be followed by the operational security team to meet its obligations under RS/POL/002 Horizon Security Policy and CS/SER/016, the Service Description for the Security Management Service, and applies to Horizon only.
This process is concerned only with those actions that the operational security team undertakes; all other processes, guidelines and work instructions are outside the remit of this document, although a historical background has been included to assist in establishing who and what is required to enable this process to be established going forward.
1.1 Political Background
Horizon does not currently analyse logs or events from a security compliance perspective and concentrates only on availability incidents. This means that the other two areas of Operational Security Reporting, Confidentiality and Integrity, are not picked up. (N.B. this is because PO Ltd has not set any SLTs in this area and, apart from generic ISO 27001 compliance contractual statements, no requirement exists or has been paid for.)
1.2 Technical Background
1.2.1 Tivoli
Analysis of incidents in Horizon relies mainly on Tivoli Events and not on the collection of logs, with the exception of network devices. Events created by applications and databases are only collected if they are written to the Operating System logs, the one exception being Radius Server logs.
Those platforms which have a Tivoli Event adapter, e.g. the data centre servers, counters and branches, forward events through Tivoli Event Consoles to a master Oracle database.
The Tivoli process concentrates on availability, and historically the placement of Event adapters has not been based on risk assessment or an asset register; any future processes would therefore need to take this into account.
It must also be noted that, due to the volume and cost of managing events from the Counter estate, only errors are forwarded from them. For example, in the past an assessment was made of the impact of auditing more information (files) on the counter: if such data was collected, approximately 4 a million events per day occurred; if such events are excluded, there were about 150,000.
All events collected by Tivoli are initially buffered for about 1 hour and are available for viewing; these details are then sent to the archive server to ensure that the rules of evidence are maintained.
A summarised version of the events is maintained online for approximately 10 days, and analysis of availability events is undertaken by SMC. This summary removes all background noise (redundant, repetitive and uninteresting events) and only events identified as interesting are retained.
From a security perspective, only log-on and log-off data is retained, as no requests or analysis have been made for any other requirements and these are therefore seen as background noise.
If an increase in the collection of Security events is required, as shown in section 4.0, then it must be noted that the volume of data collected, the capacity of the platform holding this information (disk space and memory) and the software revision used to manage and analyse it are key. The current Tivoli version in Horizon is Framework 3.71, and this and the Oracle Server storing the data may also need upgrading, both of which are planned for HNG-X.
1.2.2 Networks NMS and Syslog Server
Syslogs are retained for network devices. This storage is currently being moved from the old NMS to a new DNS and syslog server in the Bootle and Wigan data centres, and no analysis is currently undertaken of these logs, although CP 4410 has been approved and is currently going through the release management process for the use of Sawmill to analyse Firewall logs. These logs and events are currently not analysed or included as part of Tivoli.
1.2.3 Service Delivery Unit Analyses
In addition to Tivoli, each of the service delivery units has its own toolsets used for monitoring the areas of service it is required to provide. On initial investigation this again mainly covers the area of availability.
The information from these tools is not all currently fed into Tivoli or any other centralised SIEM to manage and monitor security events or incidents, nor are regular reports provided to Operational Security from these units.
Examples of these tools are:
- HP Openview is used for monitoring the Network.
- Cisco Works and TACACS+ are used for managing access and authentication to network devices.
- Athene is used for performance gathering. The Athene data is analysed by the performance monitoring team within the account (the UNIX team can request reports etc. from it, but the database is in Bracknell and the UNIX team have no direct access).
- Patrol is used for Unix Operating System monitoring. Patrol events are actually fed into the Tivoli event management systems. Some events will be raised as TFS calls by SMC and some events may just be stored in the event archives. As previously stated, they are not analysed for Security events and are mainly around availability.
- Insight Manager is used for managing and monitoring Compaq platforms running Windows.
- ServerView is used for monitoring Fujitsu platforms running Windows.
- Sophos is used for managing Anti Virus.
- RSA Tokens are used to manage two factor authentication.
- KMA is used for managing key management.
2.0 Dependencies
To achieve an effective and efficient Event Management solution, Operational Security is dependent on the following:
1. Requirements of the reports that PO Ltd want in order to monitor Operational Security are agreed and documented.
2. Reports required by RMGA to prove operational security compliance are defined and documented.
3. A Fujitsu Services Horizon Security and Control Framework is provided by the Information Governance Team to SI for Designs.
4. The Fujitsu Horizon Security and Control Framework provided by the Information Governance Team must ensure that any non-RMGA support and management systems used to support RMGA systems and devices meet all Framework requirements.
5. SI use items 1, 2, 3 and any Operational requirements (see below) to provide a Design for the Operational Security Incident and Event Monitoring (SIEM) system.
   a. SI designs ensure that details of all platforms that require log analysis are documented and are part of the SIEM system.
   b. SI designs ensure that any adapters or agents required for SIEM go through the Release Management Process and are included in any Physical Platform Designs.
   c. SI designs ensure that details of all users, their rights of access and their roles are documented, are easily correlated and are part of the SIEM system.
   d. SI designs ensure system owners are identified and documented as part of the SIEM system.
   e. SI ensures designs include scheduling to push logs to the Central Collection Point as part of the SIEM system.
   f. SI designs ensure Firewalls are configured to accept log pushes as part of the SIEM system.
   g. SI designs ensure that Maestro or an alternative scheduler is set to schedule the push of logs to the Central Repository as part of the SIEM system, and that an audit report of failures is available.
   h. SI designs ensure that the Central Collection platform (or platforms, assuming resilience is required) has sufficient storage capacity for log storage based on the retention requirements defined in the Fujitsu Services Horizon Security and Control Framework.
   i. SI designs include a method of log retention so that the Rules of Evidence requirement cannot be questioned if used in legal proceedings.
   j. SI designs ensure the Central Collection platform has accountability, authentication and audit of any access.
   k. SI designs ensure that the platforms used to analyse and process logs have sufficient processing power, storage and memory to allow summarisation, trending and ad hoc queries when required.
   l. SI designs ensure that platforms used to analyse or process reports have accountability, authentication and audit of both the platform and the data/reports analysed.
   m. SI designs ensure that platforms used to analyse, process or report Event information are networked and firewalled and permitted to undertake all analysis and reporting required.
6. Service Delivery Unit requirements for Event Capture and event logging are defined in SLAs or OLAs and should include the following Operational Security requirements:
   a. Service Delivery Units configure endpoint devices to meet the requirements defined in the SI Design.
   b. Service Delivery Units ensure logs are pushed to the Central Collection Point in a standardised log analysis format as defined in the SI designs, and ensure that processes are in place to resend any failed log pushes.
   c. Network Teams configure Firewalls and Network equipment to permit the pushing of logs to the Central Collection Point.
   d. Service Delivery Units will ensure that they do not manually analyse logs, so that the segregation of duties between Operations and Audit is maintained.
7. A SIEM Tool is available at all locations where Operational Security work and permits the following:
   a. The SIEM Tool details any logs that are missing from any reports undertaken.
   b. The SIEM Tool converts logs into a standard format.
   c. The SIEM Tool allows a series of tests to be run against standardised logs to produce results.
   d. The SIEM Tool permits Operational Security to print and export files to Microsoft Office or an alternate tool for summarisation and graphing.
   e. The SIEM Tool permits scheduling of both analysis and summary reports against the key headings in the Fujitsu Services Horizon Security and Control Framework.
   f. The SIEM Tool allows trending, summarisation and ad hoc queries when required by authorised users.
   g. The SIEM Tool permits management of SIEM tool users and their rights.
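As an added illustration of dependencies 5g and 7a (an audit report of failed scheduled log pushes, and the SIEM tool detailing which logs are missing), not code from the Fujitsu document or the Horizon estate, the following Python compares one day's arrivals at a Central Collection Point with an asset register and groups the failures by the SDU that must resend them (6b). The host names, SDU names, log kinds and push records are constructed assumptions.

```python
"""Audit report of scheduled log pushes to a Central Collection Point.

Added example, not taken from the Fujitsu document: the asset register,
host names, log kinds and push records are constructed for illustration.
"""
from collections import namedtuple

# Constructed asset register: host -> (responsible SDU, log kinds expected every day).
# In the real process this would come from the SI design's list of platforms
# requiring log analysis (dependency 5a).
ASSET_REGISTER = {
    "bootle-fw01": ("Networks", ["syslog"]),
    "wigan-fw01": ("Networks", ["syslog"]),
    "dc-win-04": ("ISD NT", ["security.csv", "system.csv"]),
    "dc-sol-02": ("ISD Unix", ["syslog", "sshd"]),
    "radius-01": ("ISD Unix", ["radius"]),
}

# One record per file that arrived at the collection point.
Push = namedtuple("Push", "host kind day size")

SAMPLE_DAY = "2008-01-22"


def sample_pushes():
    """Constructed arrival records for SAMPLE_DAY (what the scheduler delivered)."""
    return [
        Push("bootle-fw01", "syslog", SAMPLE_DAY, 12000),
        Push("wigan-fw01", "syslog", SAMPLE_DAY, 0),            # zero-byte push
        Push("dc-win-04", "security.csv", SAMPLE_DAY, 55000),   # system.csv never arrived
        Push("dc-sol-02", "syslog", SAMPLE_DAY, 800),
        Push("dc-sol-02", "sshd", SAMPLE_DAY, 120),
        Push("unknown-host", "syslog", SAMPLE_DAY, 5),          # not in the register
    ]


def audit_pushes(register, pushes, day):
    """Compare one day's arrivals with the register.

    Returns a dict with three sorted lists of (host, kind):
      missing    - expected but no file arrived
      empty      - a file arrived but every copy was zero bytes
      unexpected - a file arrived from a host/kind the register does not list
    """
    expected = {(h, k) for h, (_, kinds) in register.items() for k in kinds}
    largest = {}
    for p in pushes:
        if p.day != day:
            continue
        key = (p.host, p.kind)
        largest[key] = max(largest.get(key, 0), p.size)
    seen = set(largest)
    return {
        "missing": sorted(expected - seen),
        "empty": sorted(k for k in expected & seen if largest[k] == 0),
        "unexpected": sorted(seen - expected),
    }


def failures_by_sdu(register, report):
    """Group missing and empty pushes by responsible SDU, for the resend process (6b)."""
    grouped = {}
    for key in report["missing"] + report["empty"]:
        sdu = register[key[0]][0]
        grouped.setdefault(sdu, []).append(key)
    return grouped


if __name__ == "__main__":
    report = audit_pushes(ASSET_REGISTER, sample_pushes(), SAMPLE_DAY)
    for status, keys in report.items():
        for host, kind in keys:
            print(f"{SAMPLE_DAY} {status:10} {host} {kind}")
    for sdu, keys in failures_by_sdu(ASSET_REGISTER, report).items():
        print(f"resend request to {sdu}: {len(keys)} file(s)")
```

Unexpected arrivals are reported separately because a host the register does not know about is a gap in the register or the firewall rules, not a push failure.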
3.0 Process Flow
[Figure 1 Process Flow for Event Logging]
N.B. Key processes from other areas have been included to illustrate the integration of all areas in producing and analysing event logs.
1. Items in red are PO Ltd Processes.
2. Items in green are non Operational Security Processes.
3. Items in grey are Operational Security Processes.
3.1 Horizon Security and Control Framework
In the absence of a Horizon Security Framework, the principles adopted by other Fujitsu Services Account Security Frameworks (e.g. NHS) have been provided by the CISO and will be adopted until one is ready for Horizon and HNG-X; their key points are documented below to provide a background to this process.
The overall framework is split into manageable areas that are in line with Security Policy sections.
This comprises five main work strands and twenty separate task areas, or control groups, which have been identified as outlined in the table below. These allow the sets of controls to be organised and addressed to the audiences who need to work with them, in a more logical and focused way.
Strand A: A1. Personnel Security Management; A2. Training & Awareness
Strand B: B1. Operating Systems; B2. Backup and Media Management; B3. Networks; B4. Event Audit
Strand C: C. Access Management; C2a. Solutions Design Requirements; C2. Solutions Design Processes
Strand D: D1. Risk Management including Preventive and Corrective Actions; D2. Policy, Security Management and Compliance; D3. Legal & Contractual Responsibilities; D4. Information Classification and Handling; D5. Third Party Issues; D6. Security Culture & Leadership
Strand E: E1. Change Control; E2. Service Delivery Processes; E3. Business Continuity; E4. Security Incident Management; E5. Physical Security
Figure 2 Security and Control Framework Overview
3.2 Event Audit Security Control and Framework Requirements
Event Audit is part of the overall control framework and cannot be considered in isolation; in particular it relates to the other key controls shown below, and these are the key areas that Operational Security needs to report back on to both the CISO and PO Ltd:
- Operating Systems;
- Back-up and Media Management;
- Off-site Issues;
- Networks;
- Access Management;
- Solutions Design;
- Risk Management;
- Legal & Contractual; and
- Security Incident Management.
The controls in the framework are not intended to be detailed operating procedures or technology-specific security or build standards; these will be drafted by specific operational, delivery or technical teams, hence this operational process. An initial assessment has been undertaken with the Tivoli staff to assess whether the information is currently available or whether development work would be required in Horizon, and this is shown in the last column.
The controls in the framework outlined are therefore not exhaustive and do not remove the need to comply with the security requirements in the contract or CS/SER/016 Service Description for the Security Management Service. The controls proposed are not simply technical security countermeasures. They also cover:
- Organisational controls (roles, responsibilities, structures, reporting lines, etc.);
- Procedural controls (prescribed, documented, standardised methods and processes for performing functions, aimed at ensuring consistency and repeatability of performance, potentially reinforced by training and awareness);
- Technical controls (automated controls, built in to systems and applications, controlling logical or physical access, or monitoring activity; these help ensure consistent operation of the control by placing less reliance on the human element for their deployment and use);
- People-based controls (vetting/clearances, awareness, supervision, review).
3.3 Event Audit Framework and Current View
Columns: Ref | 7799 Ref | 27001 Ref | Control, followed by the Countermeasure and the Horizon Response.

Gathering of Event Information (B.4 Event Audit)

868 | 9.7.2 | 10.10.2 | Monitoring of Activity
  Countermeasure: Operational activity should be monitored.
  Response: Tivoli / HP Openview / Athene / Patrol / Network syslogs / Insight Manager and ServerView / Sophos AV logs / RSA Token and KMA logs.

869 | 9.7.2 | 10.10.2 | Monitoring of Activity
  Countermeasure: Monitor operator interaction via system log reports.
  Response: Monitoring of Availability is undertaken by Tivoli and the SDUs' tools, but Security monitoring is not undertaken.

870 | 9.7.2 | 10.10.2 | Monitoring of Activity
  Countermeasure: Inform operations staff that their activities are being monitored.
  Response: A Security Awareness programme and policy to do this needs to be put in place for Horizon.

871 | | 10.10.2 | Monitoring of Activity
  Countermeasure: Regular inspection of console and operations logs.
  Response: This takes place for availability by SMC and SDUs, but there is no Security Monitoring.

794 | 9.5.5 | 11.5.4 | Use of system utilities
  Countermeasure: System logging will be enabled to provide audit of all attempts to gain access to system utilities.
  Response: This is undertaken via RSA logs and SSH logs, but analysis of these by security is not undertaken.

989 | 10.4.3 | 12.4.3 | Access Control to Program Source
  Countermeasure: All accesses to the program source libraries to be audited.
  Response: This is not done by Tivoli, or any of the Management tools above.
1037 | 10.5.6 | 10.10.2 | Control of Access to the System Managers Accounts
  Countermeasure: Generate a continuous record of all commands issued by the System Administrator's account.
  Response: Each of the Auditing tools undertakes this independently but none of this is centralised, and the only logs of commands made are on the Secure Shell.

1205 | 12.1.7 | 13.2.3 | Collection of Evidence
  Countermeasure: Sufficient evidence to be collected to support an action against an individual or organisation.
  Response: This is possible for counters through the ARQ service but not other areas.

1206 | 12.1.7 | 13.2.3 | Collection of Evidence
  Countermeasure: For internal disciplinary matters the evidence necessary to be described by internal procedures.
  Response: Not at present.

1207 | 12.1.7 | 13.2.3 | Collection of Evidence
  Countermeasure: Evidence presented at court to comply with the rules of evidence.
  Response: Fine for ARQs but not other areas.

1208 | 12.1.7 | 13.2.3 | Collection of Evidence
  Countermeasure: Evidence presented at court should be admissible.
  Response: Fine for ARQs but not other areas.

1209 | 12.1.7 | 13.2.3 | Collection of Evidence
  Countermeasure: Information systems to comply with the code of practice on the production of admissible evidence.
  Response: Fine for ARQs but not other areas.

1210 | 12.1.7 | 13.2.3 | Collection of Evidence
  Countermeasure: It should be possible to demonstrate the quality and completeness of evidence.
  Response: Fine for ARQs but not other areas.

1211 | 12.1.7 | 13.2.3 | Collection of Evidence
  Countermeasure: A strong evidence trail to be provided.
  Response: Fine for ARQs but not other areas.

1212 | 12.1.7 | 13.2.3 | Collection of Evidence
  Countermeasure: Outside organisations brought in as soon as legal action is contemplated.
  Response: Policy and processes required here for internal, but fine for ARQs.

1213 | 12.1.7 | 13.2.3 | Collection of Evidence
  Countermeasure: Lawyers to be consulted on possible actions to be taken.
  Response: Policy and processes required here for internal, but fine for ARQs.
1214 | 12.1.7 | 13.2.3 | Collection of Evidence
  Countermeasure: Police to be informed as soon as possible.
  Response: Policy and processes required here for internal, but fine for ARQs.
Logging Events

821 | 9.7.1 | 10.10.1 | Event Logging
  Countermeasure: Audit logs recording exceptions and other security relevant events shall be produced and kept for an agreed period, in accordance with policy or guidance, to assist in future investigations and access control monitoring.
  Response: Policy and processes required here for internal, but fine for ARQs.

821a | 9.7.1 | 10.10.1 | Event Logging
  Countermeasure: Audit logs shall be produced for different categories of system access and event, such as:
    1. Logs for remote access.
    2. Logs for standard user access to management information.
    3. Logs for users on support systems, logs for Privileged users on support systems.
    4. Logs for privileged users on RMGA systems.
    5. Logs for PO Ltd users.
  Response:
    1. Remote Access is picked up via the SAS servers.
    2. Events on Web Pages are not covered by Tivoli for any Management information accessed.
    3. Users outside the RMGA network and access via SAS are not covered, but these should be picked up by Policies on Core.
    4. Privileged users on support systems are not picked up by Tivoli, in particular the Network Team.

822 | 9.7.4 | 10.10.1 | Event Logging
  Countermeasure: Access to Audit Logs shall be strictly controlled and shall be protected from deletion, disablement, modification or fabrication. Wherever possible, there shall be a segregation of duties between overall system security and Audit Logs security. Audit Logs shall be analysed and administered only by appropriately trained staff.
  Response: Access to Tivoli Audit logs is controlled by Role. Access to other management systems is also controlled by role. Security analysis of the logs does not take place.
ID | ISO 17799 | ISO 27001 | Control area | Requirement | Horizon status
823 | 9.7.4 | 10.10.1 | Event Logging | The amount of data to be recorded should be configurable | This can be done within Tivoli via Filters.
824 | 9.7.4 | 10.10.1 | Event Logging | Record the User ID | This is done.
825 | 9.7.4 | 10.10.1 | Event Logging | Record the date and time of the event | This is done.
826 | 9.7.4 | 10.10.1 | Event Logging | Record the type of event | This is manipulated in Tivoli.
827 | 9.7.4 | 10.10.1 | Event Logging | Record the files accessed | This is not done due to the volume.
828 | 9.7.4 | 10.10.1 | Event Logging | Record the programs/utilities used | This is not done as no one has requested it.
829 | 9.7.4 | 10.10.1 | Event Logging | Record the workstation ID | This is only done when access is through the SAS server.
831 | 9.7.4 | 10.10.1 | Event Logging | The events that need to be accounted for should be configurable and should include recording alerts of when Personal Data is accessed without consent | As the definition has been set in Horizon only recently and is currently obfuscated, this has not been viewed as required by Tivoli.
832 | 9.7.4 | 10.10.3 | Event Logging | Account for all failed log-on attempts | This is done.
833 | 9.7.4 | 10.10.3 | Event Logging | Account for all privileged operations | This will be picked up by Tivoli if the SDU set the log to capture this information. Logs managing Tivoli access do.
834 | 9.7.4 | 10.10.3 | Event Logging | Account for all log-ons | This will be picked up by Tivoli if the SDU set the log to capture this information. Believed to be yes in most cases.
835 | 9.7.4 | 10.10.3 | Event Logging | Account for all log-offs | This will be picked up by Tivoli if the SDU set the log to capture this information. Believed to be yes in most cases.
836 | 9.7.4 | 10.10.3 | Event Logging | Account for all workstation time-outs | This will be picked up by Tivoli if the SDU set the log to capture this information. The only exception is local log-on, where the local log will store this and it will not be picked up by Tivoli.
837 | 9.7.4 | 10.10.3 | Event Logging | Account for all updates of access rights | This depends on the Audit Policy set on the platform: if the SDU has set this requirement then it will be captured by Tivoli. Tivoli staff are not aware of any standard here.
838 | 9.7.4 | 10.10.3 | Event Logging | Account for all updates to files | This is not done.
839 | 9.7.4 | 10.10.3 | Event Logging | Account for every time application software is used | This is not done.
840 | 9.7.4 | 10.10.3 | Event Logging | Account for every time a file is viewed | This is not done.
841 | 9.7.4 | 10.10.3 | Event Logging | Account for every print-out | This is not done.
842 | 9.7.4 | 10.10.3 | Event Logging | Monitor known covert channels | Tivoli staff do not believe this is done within Tivoli, only where anything is recorded to the SAS server and in the Corporate VPN OOH solution. Further clarification is required from Marc Jarosz in Network Team.
Event Logging Facilities/Utilities
ID | ISO 17799 | ISO 27001 | Control area | Requirement | Horizon status
857 | 9.7.4 | 10.10.3 | Trusted Facilities Management | Accounting should be carried out by Trusted Facilities | No answer to this yet; needs more investigation with SDU's.
858 | 9.7.4 | 10.10.3 | Trusted Facilities Management | Separate accounts for Management Functions | This does not occur within Tivoli unless the SDU has set the log to do so, and the Tivoli staff do not think this has happened.
859 | 9.7.4 | 10.10.3 | Trusted Facilities Management | Accounts to be limited to privileged users | This occurs based on roles.
860 | 9.7.4 | 10.10.3 | Trusted Facilities Management | All operations to be accountable | The collection of events is made but accountability is never reviewed within Tivoli, as comparisons of roles against actions are not made.
861 | 9.7.4 | 10.10.3 | Trusted Facilities Management | Audit alarms to be generated | Alarms are raised for failed logons and bad passwords only.
862 | 9.7.4 | 10.10.3 | Trusted Facilities Management | The raising of an audit alarm to be reported on specific workstations | This does not occur.
863 | 9.7.4 | 10.10.3 | Trusted Facilities Management | All attempts to delete, write or append the Accounting files to be accountable | This does not occur.
1245 | 12.3.1 | 15.3.1 | Auditing Tools | A range of facilities for analysing Accounting Logs should be provided | This does not occur.
1246 | 12.3.1 | 15.3.1 | Auditing Tools | Able to export Accounting Log information into Database and Spreadsheet formats | This does not occur.
1247 | 12.3.1 | 15.3.1 | Auditing Tools | Able to export Accounting Log information into Word-Processing formats | This does not occur.
1248 | 12.3.1 | 15.3.1 | Auditing Tools | Able to select a particular type of event from the Accounting Log | This does not occur.
1249 | 12.3.1 | 15.3.1 | Auditing Tools | Able to select the actions of an individual, including the identification of all PO Ltd customers whose records have been accessed or modified over a given period of time | This does not occur.
1250 | 12.3.1 | 15.3.1 | Auditing Tools | Able to select the events that took place within a specific range of dates and times, including the identification of all system users who have accessed or modified a given customer's records over a given period of time | This does not occur.
1251 | 12.3.1 | 15.3.1 | Auditing Tools | Able to select combinations of events | This can be undertaken for availability issues by SMC, but they do not see successful events.
1252 | 12.3.1 | 15.3.1 | Auditing Tools | Able to sort the Accounting Log records | This does not occur.
1253 | 12.3.1 | 15.3.1 | Auditing Tools | Automatic report generation facilities | This does not occur.
1254 | 12.3.1 | 15.3.1 | Auditing Tools | Use of automated monitoring tools that raise alarms on recording suspicious events or suspicious trends in events | This does not occur.
1255 | 12.3.1 | 15.3.1 | Auditing Tools | Able to combine Accounting Log information with information received from other sources | This is only possible from the ARQ area.
ID | ISO 17799 | ISO 27001 | Control area | Requirement | Horizon status
864 | 9.7.4 | 10.10.3 | Accounting Log Capacity | Accounting should be operational at all times | This does not occur within Tivoli unless the SDU has set the log to do so, and the Tivoli staff do not think this has happened.
865 | 9.7.4 | 10.10.3 | Accounting Log Capacity | An alarm to be raised when the Accounting Log reaches 75% of its maximum permitted size | This does not occur within Tivoli unless the SDU has set the log to do so. SDU's need to confirm if they have.
867 | 9.7.4 | 10.10.3 | Accounting Log Capacity | When the Accounting Log is full, switch to a secondary Accounting Log file | This does not occur within Tivoli unless the SDU has set the log to do so. SDU's need to confirm if they have.
872 | 9.7.3 | 10.10.2 | Clock Synchronisation | System clocks should be synchronised | This is done via a network Time Server.
873 | 9.7.3 | 10.10.2 | Clock Synchronisation | Clocks to be synchronised with a common clock | This is done via a network Time Server.
874 | 9.7.3 | 10.10.2 | Clock Synchronisation | Clock synchronisation to be automated | This is done via a network Time Server.
1274 | 12.3.2 | 15.3.2 | Protection of Audit Trails | System audit tools (programs and log files) will only be available to authorised personnel and will be protected to prevent any possible misuse or compromise | This is Role Based, but analysis of tools against roles needs reviewing in Horizon, and a definitive storage place for this information kept.
1282 | 12.3.2 | 15.3.2 | Protection of System Audit Tools | Release, use and return of system audit tools to be logged | This is not done.
1236 | 12.3.1 | 15.3.1 | System Audit Controls | Audit requirements and activities should be planned to minimise the risk of disruption to the business | This is carried out for availability only.
1237 | 12.3.1 | 15.3.1 | System Audit Controls | Audit requirement to be agreed with system owner | Historically 10/11 years ago, but System Owners are not clearly identified in the current Horizon solution.
1238 | 12.3.1 | 15.3.1 | System Audit Controls | The scope of the checks to be agreed and controlled | Historically 10/11 years ago, but System Owners are not clearly identified in the current Horizon solution.
(ID not legible) | 12.3.1 | 15.3.1 | System Audit Controls | Checks to be limited to 'read-only' access to software and data | This applies to availability only, as other checks are not carried out.
1240 | 12.3.1 | 15.3.1 | System Audit Controls | Updating of information to be performed only on isolated copies of system files, which should be erased when the audit is complete | This is not done.
1241 | 12.3.1 | 15.3.1 | System Audit Controls | IT resources required to perform the checks to be explicitly identified | This is done through roles and needs to be reviewed.
1242 | 12.3.1 | 15.3.1 | System Audit Controls | Requirements for special or additional processing to be identified and agreed | This is not done.
1243 | 12.3.1 | 15.3.1 | System Audit Controls | All access to be monitored and logged to produce a reference trail | This is not done within Tivoli, though other SDU tools may do this and not feed the information to Tivoli.
1244 | 12.3.1 | 15.3.1 | System Audit Controls | All procedures, requirements and responsibilities to be documented | This is dependent on where one sits in the RMGA account, and it needs a Security Framework and policy to pull it together.
Log Retention
ID | ISO 17799 | ISO 27001 | Control area | Requirement | Horizon status
1256 | 12.3.1 | 15.3.1 | Retention of Accounting Log | The Accounting Log should be retained to enable investigations to be carried out when necessary | This can be done through Tivoli and SDU tools; backups to the Centera are made and tapes taken.
1257 | 12.3.1 | 15.3.1 | Retention of Accounting Log | Accounting Logs for technology support systems (e.g. firewalls, IDS etc.) to be kept for 6 months, 6 months off-line, then discard | This is currently the case for the old NNM and it is expected to be the case with the new syslog server.
1258 | 12.3.1 | 15.3.1 | Retention of Accounting Log | A copy of the Accounting Log to be kept on removable media | This occurs on the Centera.
1259 | 12.3.1 | 15.3.1 | Retention of Accounting Log | Physical access to the copy of the Accounts Log to be restricted to people not granted system management privileges | This does occur.
1260 | 12.3.1 | 15.3.1 | Retention of Accounting Log | Accounting Log to be protected against corruption | This is dependent on the SDU unit; in all cases patching and vulnerability management is an issue.
1261 | 12.3.1 | 15.3.1 | Retention of Accounting Log | Accounting Log to be securely disposed of, by logical erasure/physical destruction, when no longer required | This does not occur except when a platform is decommissioned and network operations degauss the disk.
1262 | 12.3.1 | 15.3.1 | Retention of Accounting Log | Use integrity checking countermeasures to ensure that the Log has been archived successfully | This does occur with archives to the Audit Server.
1263 | 12.3.1 | 15.3.1 | Retention of Accounting Log | Accounting Log for infrastructure on which RMGA systems are run to be kept for 6 months on line, 30 months off-line, then archived | This is not done.
1264 | 12.3.1 | 15.3.1 | Retention of Accounting Log | At least once every 12 months check that the Accounting Log tapes can be read | This is not done.
1265 | 12.3.1 | 15.3.1 | Retention of Accounting Log | Accounting Logs for the application to be kept for the life of the record to which they relate | This is not done.
1266 | 12.3.1 | 15.3.1 | Retention of Accounting Log | Replace Accounting Log tapes when they reach 75% of their normal life expectancy | This is not done.
Event Auditing/Reviewing Processes
ID | ISO 17799 | ISO 27001 | Control area | Requirement | Horizon status
843 | 9.7.4 | 10.10.3 | Review Event Log | The types of events that need to be inspected should be specified | This has not been defined recently, but was 10/11 years ago.
844 | 9.7.4 | 10.10.3 | Review Event Log | Review number of unsuccessful log-ons | This is not done.
845 | 9.7.4 | 10.10.3 | Review Event Log | Review allocation of accounts with privileged access capability | This is not done.
846 | 9.7.4 | 10.10.3 | Review Event Log | Review access failures | This is not done.
847 | 9.7.4 | 10.10.3 | Review Event Log | Review trends in numbers of successful log-ons | This is not done.
848 | 9.7.4 | 10.10.3 | Review Event Log | Review the number of occasions accounts are being used out of normal hours | This is not done.
849 | 9.7.4 | 10.10.3 | Review Event Log | Review trends in the usage of specific accounts | This is not done.
850 | 9.7.4 | 10.10.3 | Review Event Log | Review trends in the use of the system from remote workstations | This is not done.
851 | 9.7.4 | 10.10.3 | Review Event Log | Track selected transactions | This is not done.
852 | 9.7.4 | 10.10.3 | Review Event Log | Review trends in the reports that are being printed | This is not done.
853 | 9.7.4 | 10.10.3 | Review Event Log | Review trends in the changes in labels associated with IT resources | This is not done.
854 | 9.7.4 | 10.10.3 | Review Event Log | The frequency with which the Account Log should be reviewed should be specified | This requires agreement with SDU's and a Process.
855 | 9.7.4 | 10.10.3 | Review Event Log | Events Log to be reviewed at least once a week | With the current toolsets and volume of data, this is unachievable.
3.4 Operational Security Framework implementation.
The first process that the Operational Security team undertakes, prior to running any reports, is a check that all logs are present and available.
If these logs are unavailable then the Service Delivery Manager responsible for that SDU is informed and a Security Incident is raised.
Dependent on the control requirements established in the Security Framework, a series of tests is undertaken for each platform and log type to assess whether it passes or fails a particular control requirement on that individual log.
Each test is:
• Given a unique number
• Given a description
• Given a test definition
• Given successful test criteria
• Validated
• Given a result of Yes or No for a successful test
Dependent on the type of control, for example, test 1.1 could be a test for a successful logon, and this would apply whether the source of the log was a Windows, UNIX, Application, Database or Network device.
The results of each control requirement test are then recorded with the following details:
• The platform concerned, including the owner
• The type of log analysed (see below for initial thoughts on types)
  o Windows Operating System (OS)
  o Unix (OS)
  o Router syslog
  o Switch syslog
  o Firewall syslog
  o SAP Log
  o Oracle/SQL database log
  o Anti Virus log
  o Active Directory Log
  o RSA Token Authentication Log
  o Radius Log
  o IDS/IPS log
  o DNS log
  o SSH Log
  o SAS Log
• The day and date of the log
• The number of the test
• Whether it passed or failed
• The day, date and time the log was analysed
• The reason for any failure (including no data available)
If a failure occurs, the Service Delivery Manager for that SDU is informed, as is the platform owner, and a Security Incident is raised under SVM/SDM/PRO/0018 RMGA Customer Service Incident Management Process.
(DN: The process to do this will need further investigation, as some SDU teams do not have access to PEAK, which would be the RMGA preferred option.)
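As an added example (not code from this document or from the RMGA toolset), the following Python sketches the cycle described in 3.4: a presence check on every log, numbered tests with a description, definition and success criteria applied to each platform's log regardless of its source, results recorded with the listed fields, and an incident record for each missing log or failed test; it also produces the pass/fail count per framework control that 3.6.2 asks for. The log lines, host names, owners and test numbers are constructed placeholders.

```python
"""Added example, not part of the Fujitsu document or the RMGA toolset: the
control-test cycle of section 3.4 (presence check, numbered tests applied to
each platform's log, results recorded with the listed fields, an incident
record per failure) run over constructed sample log lines."""
import re
from dataclasses import dataclass
from typing import Callable

# Constructed sample logs keyed by (platform, log type). Line formats, host
# names and addresses are invented for the example, not real system output.
SAMPLE_LOGS = {
    ("WIN-SAS01", "Windows OS"): [
        "2008-01-18 08:02:11 EventID=528 user=jsmith status=SUCCESS src=10.0.0.5",
        "2008-01-18 08:05:40 EventID=529 user=jsmith status=FAILURE src=10.0.0.5",
    ],
    ("UNIX-DB02", "Unix OS"): [
        "Jan 18 08:10:13 unix-db02 sshd[412]: Accepted password for oracle from 10.0.0.9",
        "Jan 18 08:11:50 unix-db02 sshd[418]: Failed password for root from 10.0.0.77",
    ],
    ("RTR-CORE1", "Router syslog"): [],  # log not delivered: the presence check must catch it
}
# Platform owners are constructed placeholders.
OWNERS = {"WIN-SAS01": "ISD NT", "UNIX-DB02": "ISD Unix", "RTR-CORE1": "ISD Networks"}


@dataclass
class ControlTest:
    number: str                           # unique test number, e.g. "1.1"
    description: str
    definition: str                       # what the test looks for in the log
    success_criteria: str
    framework_ref: str                    # control ID from the gap-analysis tables above
    predicate: Callable[[list[str]], bool]
    validated: bool = True                # an unvalidated test can never pass


@dataclass
class TestResult:                         # the fields section 3.4 says must be recorded
    platform: str
    owner: str
    log_type: str
    log_date: str
    test_number: str
    passed: bool
    analysed_at: str
    failure_reason: str = ""


# Platform-neutral patterns, so one test applies to Windows and UNIX logs alike.
SUCCESSFUL_LOGON = re.compile(r"status=SUCCESS|Accepted (?:password|publickey)")
FAILED_LOGON = re.compile(r"status=FAILURE|Failed password")
PRIVILEGED_ACCOUNT = re.compile(r"user=administrator\b|\bfor root\b", re.IGNORECASE)


def any_match(pattern: re.Pattern) -> Callable[[list[str]], bool]:
    return lambda lines: any(pattern.search(line) for line in lines)


TESTS = [
    ControlTest("1.1", "Successful log-on recorded", "at least one successful log-on event in the log",
                "one or more successful log-ons present", "834", any_match(SUCCESSFUL_LOGON)),
    ControlTest("1.2", "Failed log-on recorded", "at least one failed log-on attempt in the log",
                "one or more failed log-ons present", "832", any_match(FAILED_LOGON)),
    ControlTest("2.1", "Privileged account activity recorded", "events for root/administrator in the log",
                "one or more privileged-account events present", "833", any_match(PRIVILEGED_ACCOUNT)),
]


def run_control_tests(logs, owners, tests, log_date, analysed_at):
    """Check each log is present first; then apply every test to every available log.
    Returns (results, incidents). Each incident carries the platform owner so the
    Service Delivery Manager and owner can be informed."""
    results, incidents = [], []
    for (platform, log_type), lines in logs.items():
        owner = owners.get(platform, "owner not identified")
        if not lines:                     # missing log: one incident, every test fails
            incidents.append((platform, owner, log_type, "log not present or unavailable"))
            for t in tests:
                results.append(TestResult(platform, owner, log_type, log_date, t.number,
                                          False, analysed_at, "no data available"))
            continue
        for t in tests:
            passed = t.validated and t.predicate(lines)
            reason = "" if passed else f"success criteria not met: {t.success_criteria}"
            results.append(TestResult(platform, owner, log_type, log_date, t.number,
                                      passed, analysed_at, reason))
            if not passed:
                incidents.append((platform, owner, log_type, f"test {t.number} failed: {reason}"))
    return results, incidents


def summarise_by_control(results, tests):
    """(passes, fails) per framework control ID, the kind of summary 3.6.2 asks for."""
    ref_of = {t.number: t.framework_ref for t in tests}
    summary = {}
    for r in results:
        p, f = summary.get(ref_of[r.test_number], (0, 0))
        summary[ref_of[r.test_number]] = (p + int(r.passed), f + int(not r.passed))
    return summary


if __name__ == "__main__":
    res, inc = run_control_tests(SAMPLE_LOGS, OWNERS, TESTS, "2008-01-18", "2008-01-18T09:00")
    print(summarise_by_control(res, TESTS), inc)  # {'834': (2, 1), '832': (2, 1), '833': (1, 2)}
```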
3.5 Tests
Within Horizon no event testing is currently undertaken, and therefore an initial baseline of tests has been obtained from another Fujitsu account as a starting point for discussion with the relevant Service Delivery Managers, Operation Unit Managers and ISD SDU units. It will be expanded once this discussion has taken place.
[Embedded object: "RMGA collection validation sample" (contents not extracted)]
3.6 Reports
3.6.1 Summary Reports
The CISO and Operational Security Team agree regular delivery dates for the agreed summary reports required for PO Ltd and those that are required for internal RMGA compliance management.
3.6.2 Compliance Report
Those required for compliance management are to be sent to Information Governance as
Audit Records.
Initially the intention is to summarise the compliance test results as the number of passes or fails, collected on the basis of the Horizon Security and Control Framework criteria and the ISO 27001 reference; this will need to be agreed with Information Governance.
The Fujitsu Services guideline document shows that the recommended SIEM solution provides COTS (off-the-shelf) templates for the reports detailed below. The RMGA CISO, in conjunction with PO Ltd, needs to decide which of these they will require, and Information Governance, in conjunction with Operational Security, also needs to agree which they want. I have deleted those cells I believe are not applicable to RMGA and have included the full set as an appendix, but this area is open to debate by all interested parties. In addition I have included those platforms which will be introduced as part of the migration to HNG-X.
1 Compliance Reports - Basel II (Yes, as is ISO 17799/27001)
enVision includes the following standard compliance reports for BASEL II
1. Computer Account Logon Activity
ISO 17799/27001 Section A.9.5.2
Lists all local and remote logon activity for all monitored Windows, HP-UX, AIX Unix, Sun Solaris and Red Hat Linux systems.
2. Computer Account Logon Activity - Windows Detail
ISO 17799/27001 Section A.9.5.2
Lists all logon activity for all monitored Windows domains and systems. This report is specific to monitored Windows systems, but provides a greater level of detail than the Computer Account Logon Activity report.
3. Computer Account Status by Account - Windows
ISO 17799/27001 Section A.9.5.3
Lists all logon activity for specific user accounts. The user accounts in question should be listed as run-time parameters.
4. Control of Collected Evidence
ISO 17799/27001 Section A.12.1.7.1
Lists all changes and object level access events to all collected evidence. This report requires that all evidence be contained within directories included in the Rules for Evidence device group, and that object level auditing be enabled on these directories.
5. Control of Collected Evidence - Windows Detail
ISO 17799/27001 Section A.12.1.7.1
Lists all changes and object level access events to all collected evidence. This report requires that all evidence be contained within directories included in the Rules for Evidence device group, and that object level auditing be enabled on these directories. This report is specific to monitored Windows systems, but provides a greater level of detail than the standard Control of Collected Evidence report.
6. Control of Human Resources Data
ISO 17799/27001 Section A.12.1.3
Lists all changes and object level access events to the HR device group. This report requires that all software and Human Relation data be contained within directories included in the HR device group, and that object level auditing be enabled on these directories.
7. Control of Human Resources Data - Windows Detail
ISO 17799/27001 Section A.12.1.3
Lists all changes and object level access events to the HR device group. This report requires that all software and Human Relation data be contained within directories included in the HR device group, and that object level auditing be enabled on these directories. This report is specific to monitored Windows systems, but provides a greater level of detail than the standard Control of Human Resources Data report.
8. Control of Operational Software
ISO 17799/27001 Section A.10.4.1
Lists all changes and object level access events to the Operational Software device group. This report requires that all operational software be contained within the Operational Software device group, and that object level auditing be enabled on the directories containing the Operational Software and data.
9. Control of Operational Software - Windows Detail
ISO 17799/27001 Section A.10.4.1
Lists all changes and object level access events to the Operational Software device group. This report requires that all operational software be contained within the Operational Software device group, and that object level auditing be enabled on the directories containing the Operational Software and data. This report is specific to Windows devices but provides more detail than the standard Control of Operational Software report.
10. Control of System Audit Data
ISO 17799/27001 Section A.12.3.2
Lists all changes and object level access events to the software and data used to perform system audits. This report requires that the software, source data and result data be contained within a device group, and object level auditing be enabled on the containing directories.
11. Control of System Audit Data - Windows Detail
ISO 17799/27001 Section A.12.3.2
Lists all changes and object level access events to the software and data used to perform system audits. This report requires that the software, source data and result data be contained within a device group, and object level auditing be enabled on the containing directories. This report is specific to Windows devices but provides more detail than the standard Control of System Audit Data report.
12. Control of System Test Data
ISO 17799/27001 Section A.10.4.2
Lists all changes and object level access events to the systems and data used in the testing of Operational Software security. This report requires that all system test data be contained in the Operational Software device group, and object level auditing be enabled on the directories containing the system test software, source data and test results.
13. Control of System Test Data - Windows Detail
ISO 17799/27001 Section A.10.4.2
Lists all changes and object level access events to the systems and data used in the testing of Operational Software security. This report requires that all system test data be contained in the Operational Software device group, and object level auditing be enabled on the directories containing the system test software, source data and test results.
14. External Contractors Report
ISO 17799/27001 Section A.8.1.6
Lists all changes and object level access events to the External Contractor Access device group. This report requires that all computers, software, source data and result findings be contained within a device group, and object level auditing be enabled on the directories containing this data.
15. External Contractors Report - Windows Detail
ISO 17799/27001 Section A.8.1.6
Lists all changes and object level access events to the External Contractor Access device group. This report requires that all computers, software, source data and result findings be contained within a device group, and object level auditing be enabled on the directories containing this data.
16. Financial Data Access
ISO 17799/27001 Section A.12.1.4
Lists all successful and failed access attempts for all financial data. This report requires that all financial data be contained within a device group, and object level auditing be enabled on the directories containing the financial data.
17. Financial Data Access - Windows Detail
ISO 17799/27001 Section A.12.1.4
Lists all successful and failed access attempts for all financial data. This report requires that all financial data be contained within a device group, and object level auditing be enabled on the directories containing the financial data.
18. Malicious Software Activity Report
ISO 17799/27001 Section A.8.1.2
Lists all malicious software activity for all monitored devices.
19. Operation Change Control Report
ISO 17799/27001 Section A.8.1.2
Lists all configuration and policy changes for the Financial Operational infrastructure.
20. Operation Change Control Report - Windows Detail
ISO 17799/27001 Section A.8.1.2
Lists all configuration and policy changes for the Financial Operational infrastructure. This report is specific to Windows, but gives a greater level of detail than the standard Operation Change Control Report.
21. Password Changes and Expirations
ISO 17799/27001 Section A.9.2.3
Lists all manual and automatic password change and expiration events. This includes Windows, Sun Solaris, Red Hat Linux, HP-UX and AIX operating systems.
22. Source Code Access
ISO 17799/27001 sec. A.10.4.3
Lists all changes and object level access events to the Source Code device group. This report requires that the source code for all custom software and commercial software customization be contained within a device group, and object level auditing be enabled on the directories containing the source code.
23. Source Code Access - Windows Detail
ISO 17799/27001 sec. A.10.4.3
Lists all changes and object level access events to the Source Code device group. This report requires that the source code for all custom software and commercial software customization be contained within a device group, and object level auditing be enabled on the directories containing the source code.
24. User Activity from External Domains - Windows
ISO 17799/27001 Section A.9.4.3
Lists all activities of non-domain authenticated users. All authenticated domains are identified in run time parameters, and multiple domains can be contained within single quotes and separated by commas.
Reports: 24
8 Compliance Reports - PCI Data Security Standard
enVision includes the following standard compliance reports for the Payment Card Industry (PCI) Data Security Standard
1. Access to All Audit Trails
PCI Section 10.2.3
Lists all successful logins to enVision.
2. Administrative Privilege Escalation - Unix & Linux
PCI Section 10.1
Lists all successful administrative privilege escalations on monitored Unix and Linux systems.
3. All Actions by Individuals with Root or Administrative Privileges - Unix & Linux
PCI Section 10.2.2
Lists all actions taken by users logged in as root. Modify the report to include any additional user names that have been granted full administrative privileges in your environment.
4. All Actions by Individuals with Root or Administrative Privileges - Windows
PCI Section 10.2.2
Lists all actions taken by users logged in as administrator. Modify the report to include any additional user names that have been granted full administrative privileges in your environment.
5. Anti-Virus Update Procedures
PCI Section 5.2
Lists all update procedures for anti-virus systems.
6. Encrypted Transmission Failures
PCI Section 4.1
Lists all cryptographic operations where use of the cryptography failed or was disabled by the user.
7. Encryption Key Generation and Changes
PCI Section 3.6.1 and 3.6.4
Lists all the generation and periodic changing of encryption keys used in the secure storage and transfer of card data.
8. Firewall Configuration Changes
PCI Section 1.1.1, 1.1.8
Lists all configuration changes made to firewalls within the PCI device group.
9. Inbound Network Traffic on non-standard ports - Detail
PCI Section 1.3.1, 1.3.2
Lists all inbound internet traffic not on ports 80, 22, 443, and 1723.
10. Inbound Network Traffic on non-standard ports - Summary
PCI Section 1.3.1, 1.3.2
Lists all inbound internet traffic not on ports 80, 22, 443, and 1723, summarized by the destination IP address.
11. Individual User Accesses to Cardholder Data - Windows
PCI Section 10.2.1
Lists all successful file access attempts to file objects in the Cardholder Data device group.
12. Initialization of Audit Logs
PCI Section 10.2.6
Lists all access attempts that have been denied due to access control list restrictions.
13. Invalid Logical Access Attempts - ACL Denied Summary
PCI Section 10.2.4
Lists the initialization of audit logs in Windows, Unix, Linux, AIX and HPUX operating systems.
14. Outbound Network Traffic - Detail
PCI Section 1.3.6
Lists all outbound traffic for a specific internal IP address. You must enter the IP address as a run-time parameter.
15. Outbound Network Traffic - Summary
PCI Section 1.3.6
Lists a summary of all outbound traffic by destination.
16. Router Configuration Changes
PCI Section 1.1.9
Lists all configuration changes made to routers within the PCI device group.
17. Traffic to Non-Standard Ports - Detail
PCI Section 1.1.6
Lists all firewall traffic on ports other than 80, 22, 443 and 1723 to the IP address specified as a run time parameter. This report can be modified to include the ports not directly justified by PCI.
18. Traffic to Non-Standard Ports - Summary
PCI Section 1.1.6
Summarizes all firewall traffic not on ports 80, 22, 443 and 1723 to the destination computer where the port used is not directly justified by PCI.
Compliance - PCI Data Security Standard
Reports: 18
Standard Reports - Alerts
Reports module includes the following standard system reports for alerts.
1. Alert Notes by Date and Time
Lists all alert notes in the database sorted by the time they occurred
2. Alert Notes by View
Lists all alert notes for a specific view. (The user must modify the report query to specify the view.)
3. Alerts per Hour
Displays the distribution of all alerts over time, in 1 hour intervals.
4. Alerts Status Summary
Lists a count of alerts within a time range, sorted by status: new alert, under investigation, resolved.
5. Alerts Under Investigation by Date/Time
Lists all alerts under investigation in the database. Sorted by the time the alerts occurred. Use this report to track alerts under investigation.
6. Alerts Under Investigation by View
Lists all alerts under investigation in the database for a specific view.
You must modify this report prior to running it. (On the Create/Modify Report - Specify Report Selection Criteria window, replace the text "type viewname here" with the name of the view.)
7. Available Alerts by Date/Time
Lists all alerts and the status of each alert in the database. Sorted by the time the alerts occurred.
8. New Alerts by Date/Time
Lists all new alerts in the database. Sorted by the time the alerts occurred.
9. New Alerts by View
Lists all new alerts in the database for a specific view.
You must modify this report prior to running it. (On the Create/Modify Report - Specify Report Selection Criteria window, replace the text "type viewname here" with the name of the view.)
10. Percentages of Alerts by NIC Category
Displays the distribution of alerts by NIC category.
11. Percentages of Alerts by Alert Levels
Displays the distribution of alerts by alert levels.
12. Percentages of Alerts by Severity Levels
Displays the distribution of alerts by severity levels.
13. Resolved Alerts by Date/Time
Lists all resolved alerts in the database. Sorted by the time the alerts occurred. Use this report to identify the alerts that have been resolved.
14. Resolved Alerts by View
Lists all resolved alerts in the database for a specific view.
15. Top 20 Alert Categories
Displays the top alert categories by number of alerts.
Reports: 15
Standard Reports - Apache HTTP Server
Reports module includes the following standard reports for the Apache HTTP Server.
1. Top 20 Client IP Addresses by Connection Requests
Displays the top 20 client IP addresses that had the most successful web site connections.
2. Total Bytes by Apache Device Address
Displays total bytes passed by Apache device address.
3. Total Bytes by Client IP Address
Displays total bytes passed by client address.
Reports: 3
Standard Reports - Firewall Device Categories
Reports module includes the following standard reports for reporting on firewalls by categories.
1. Firewalls - Top Events by Category
Displays the top events by category from all firewall devices.
2. Top 20 Firewall Categories
Displays the top 20 firewall categories that generate the highest number of events from all firewall devices.
Reports: 2
Standard Reports - IDS Device Categories
Reports module includes the following standard reports for reporting on IDS devices by categories.
1. IDS Top Alarms by Category
Displays the top signatures by categories from all IDS devices.
2. Top 20 IDS Categories
Displays the top 20 IDS categories that generate the highest number of events from all IDS devices.
Reports: 2
Standard Reports - Statistics
Reports module includes the following standard reports for statistics.
Important! To gather the data for these reports, you must start the Alerter Service.
1. Daily Event Counts
Displays the total event counts by day.
2. Hourly Event Counts
Displays the total event counts by hour.
3. Percentage of Events by Device Class
Displays the percentage of the total number of events by device class.
4. Percentage of Events by Device Type
Displays the percentage of the total number of events by device type.
5. Percentage of Events by NIC Category
Displays the percentage of the total number of events by NIC Category.
6. Syslog Collection Statistics
Summarizes syslog message quantity and byte count on an hourly basis by logging device. Assesses log host system and disk space requirements.
Use this report to identify the periods of highest activity.
7. Top 20 Devices
Displays the top 20 devices generating events during the selected time period.
8. Top 20 Devices Generating Unknown Events
Displays the top 20 devices generating unknown events during the selected time period.
9. Top 20 Device Types Generating Unknown Events
Displays the top 20 device types generating unknown events during the selected time period.
10. Top 20 Event Categories
Displays the top 20 event categories during the selected time period
11. Top 20 Events
Displays the top 20 event IDs collected during the selected time period
Reports: 11
Standard Reports - Cisco Access Control Server
Reports module includes the following standard reports for the Cisco Access Control Server device.
1. ACS Backup And Restore
Displays all backup and restore operations. Sorted by descending time.
2. ACS Service Monitoring
Tracks messages and activities internal to Cisco ACS.
3. Administration Audit
Displays an Administrative Report of all activity carried out via the Cisco Secure ACS HTML Management Interface. Sorted by descending time.
4. Database Replication
Tracks ACS database replication activity. Sorted by descending time.
5. Failed Authentications
Displays a list of all failed login attempts. Sorted by descending time.
6. Failed Authentications Count
Displays a count of all failed login attempts. Sorted by descending time.
7. Passed Authentications
Displays a list of all users that have successfully logged in. Sorted by descending time.
8. Passed Authentications Count
Displays a count of all users that have successfully logged in. Sorted by descending time.
9. TACACS+ Accounting
Tracks all login and log out traffic.
10. TACACS+ Administration - Permanent Configuration Changes
Tracks configuration changes that have been executed using the write memory (write mem), or copy running start (copy run) commands.
11. Top 10 Users
Counts the number of successful logins (successful authentications) and sequentially orders them by username.
12. Top 10 Users by Duration
Calculates the total amount of time that users have spent logged into network devices and lists them in descending order by time.
Reports: 12
Standard Reports - Cisco ASA (Firewall)
Reports module includes the following standard reports for the Cisco ASA (firewall) device.
1. AAA User Authentications
Displays AAA user authentications through Cisco ASA firewalls, sorted by date/time sequence. This report requires AAA user authentication.
2. Bandwidth Usage by Address
Summarizes bandwidth usage by local address for all traffic passing through Cisco ASA firewalls. Sorted by total byte usage. Quickly determines "Top Talkers" on your company's network. Only ASA firewalls with debug level logging on are reported.
3. Bandwidth Usage by Department
Displays bandwidth usage by department through ASA firewalls. It is used to determine quickly which departments are your bandwidth hogs.
4. Bandwidth Usage by Port
Summarizes bandwidth usage by port for traffic passing through Cisco ASA firewalls. Sorted by total byte usage count. Quickly determines which applications are consuming the most bandwidth. Other common TCP/IP words used synonymously with applications are port and services. Only ASA firewalls with debug level logging on are reported.
5. Bandwidth Usage per Hour
Displays bandwidth usage per hour through ASA firewalls. It is used to spot quickly bandwidth usage trends occurring during specific time periods.
Each tick mark on vertical hourly axes represents accumulated usage for the previous hour.
6. Bandwidth Utilization
This combination of a graph and a report displays the bandwidth utilization on the network.
7. Blocked URL Events
Displays the blocked URL events of internal IP addresses attempting to connect to external web sites that have been restricted by the company sorted
by Date/Time. Websense Enterprise software must be installed to activate the URL blocking capability.
8. Configuration Changes
Listing of configuration change messages from Cisco ASA firewalls, sorted by date/time sequence. Monitors when configuration changes were made
to Cisco ASA Firewalls. Only ASA firewalls with logging on are reported.
9. Connection Limit Exceeded
Details exceeded connection limits by static addresses.
10. CPU Over-Capacity Events by Date and Time
Listing of all instances of ASA Firewall CPU utilizations rising above 100%. This is generally considered to be an error condition and if it happens frequently it may be necessary to contact Cisco Systems.
11. Denied Connections per Hour
Displays the number of denied connections per hour through ASA firewalls. It is used to spot quickly security threat trends occurring during specific
time periods. Each tick mark on vertical hourly axes represents accumulated denied connections for the previous hour.
12. Denied Inbound IP Spoofing
This report tracks when an ASA Firewall receives an external packet with the IP source address equal to the IP destination and the destination port equal to the source port, sorted by the destination address. This indicates a spoofed packet designed to attack systems. This attack is referred to as a Land Attack.
13. Denied Inbound Traffic by Address
Summarizes denied inbound traffic filtered through Cisco ASA firewalls by foreign address. Sorted by connection count. Quickly determines which foreign hosts are being denied access to your company's internal network; denied connections could represent an attempted security policy breach, malicious network reconnaissance, or simply point out a host or network device configuration issue. Only ASA firewalls with logging on are reported.
14. Denied Inbound Traffic by Port
Summarizes denied inbound traffic filtered through Cisco ASA firewalls by port. Sorted by connection count. Port is used synonymously with services and/or applications. Quickly determines which applications are being denied access; denied connections could represent an attempted security policy breach, malicious network reconnaissance like a port scan, or simply point out a host or network device configuration issue. Only ASA firewalls with logging on are reported.
15. Denied Outbound Traffic by Address
Summarizes denied outbound traffic filtered through Cisco ASA firewalls by local address. Sorted by connection count. Quickly determines which local addresses are possibly attempting to bypass your company's security policy. Only ASA firewalls with logging on are reported.
16. Denied Outbound Traffic by Port
Summarizes denied outbound traffic filtered through Cisco ASA firewalls by port. Sorted by connection count. Port numbers are used to represent
services or applications. Quickly determines which outbound applications are being denied; these denied messages could very well represent an
attempted security policy breach, malicious network reconnaissance like a port scan, or simply point out a host or network device configuration issue.
Only ASA firewalls with logging on are reported.
17. Email Security
Listing of ASA MailGuard messages received from Cisco ASA firewalls. Sorted in date/time sequence. Quickly views possible email security breach
attempts that were prevented by ASA firewalls. Only ASA firewalls with logging on are reported.
18. Failover Messages
Displays a list of failover messages from Cisco ASA firewalls by date/time.
19. FTP Requests by Date/ Time
Displays a list of FTP requests through Cisco ASA Firewalls by Date/Time.
20. FTP Requests by Department
Displays FTP requests for each department through Cisco ASA firewalls by number of requests
21. FTP Requests by Foreign Address
Displays FTP requests to foreign sites by local users through Cisco ASA firewalls by foreign address and the number of requests.
22. FTP Requests by Local Address
Displays FTP requests by each local address through Cisco ASA firewalls by local address and number of requests.
23. Inbound E-mail Recipients
Displays inbound emails and the intended recipients.
24. Inbound E-mail Senders
Displays inbound emails and the senders.
25. Inbound Email Traffic
Displays bandwidth usage of inbound email traffic through Cisco ASA firewalls. Sorted by total connection count. Quickly determines 'Top Foreign
Email Senders’ if your email servers are located on an internal or DMZ interface. Summarizes email traffic from your own email gateways if they are
sitting on an external ASA interface. Only ASA firewalls with logging on are reported. The system calculates inbound email traffic by summarizing all
the 302002 traffic logged on local port 25.
26. Inbound FTP Traffic
Displays bandwidth usage of inbound FTP traffic through Cisco ASA firewalls. Sorted by total connection count. Quickly determines which external
users use FTP most frequently in your company. Only ASA firewalls with logging on are reported. The system calculates inbound FTP traffic by
summarizing all the 302002 traffic logged on local ports 20 and 21.
27. Inbound HTTP Traffic
Displays bandwidth usage of inbound HTTP traffic through Cisco ASA firewalls. Sorted by total connection count. Quickly assesses which foreign
users are accessing your internal web servers most frequently. Only ASA firewalls with logging on are reported. The system calculates inbound http
traffic by summarizing all the 302002 traffic logged on local port 80.
28. Inbound IP Fragmentation Alert
The ASA Firewall limits the number of IP fragments that can be concurrently reassembled. This restriction prevents memory depletion at the firewall
under abnormal network conditions. The report is sorted by count by foreign address. If this message persists, a DoS (denial of service) attack might
be in progress.
29. Inbound Telnet Traffic
Displays bandwidth usage of inbound Telnet traffic through Cisco ASA firewalls. Sorted by total connection count. Quickly determines top external
Telnet users. Only ASA firewalls with logging on are reported. The system calculates inbound Telnet traffic by summarizing all the 302002 traffic
logged on local port 23.
30. Management Access from External Source
Details all of the device management events on the ASA firewall sorted by Date/Time.
31. Outbound E-mail Recipients
Displays outbound emails and the email's intended recipient(s).
32. Outbound E-mail Senders
Displays outbound emails and the email's sender.
33. Outbound Email Traffic
Summarizes bandwidth usage of outbound email traffic through Cisco ASA firewalls. Sorted by total connection count. Quickly determines 'Top Email
Talkers’ in your company if your email gateway is located on an external or DMZ interface. Reflects "Top Email Gateways” if your mail gateways are
on the ASA's internal interface network. Only ASA firewalls with logging on are reported. The system calculates outbound email traffic by summarizing
all the 302002 traffic logged on foreign port 25.
34. Outbound FTP Traffic
Summarizes bandwidth usage of outbound FTP traffic through Cisco ASA firewalls. Sorted by total connection count. Quickly determines which
internal users use FTP most frequently in your company. Only ASA firewalls with logging on are reported. The system calculates outbound FTP traffic
by summarizing all the 302002 traffic logged on foreign ports 20 and 21.
35. Outbound HTTP Traffic
Summarizes bandwidth usage of outbound HTTP traffic through Cisco ASA firewalls. Sorted by total connection count. Quickly determines ‘Top HTTP
Talkers' in your company. Only ASA firewalls with logging on are reported. The system calculates outbound http traffic by summarizing all the 302002
traffic logged on foreign port 80.
36. Outbound IP Fragmentation Alert
The ASA Firewall limits the number of IP fragments that can be concurrently reassembled. This restriction prevents memory depletion at the firewall
under abnormal network conditions. This report is sorted by count by local address.
37. Outbound Telnet Traffic
Summarizes bandwidth usage of outbound Telnet traffic through Cisco ASA firewalls. Sorted by total connection count. Quickly determines top local
Telnet users. Only ASA firewalls with logging on are reported. The system calculates outbound Telnet traffic by summarizing all the 302002 traffic
logged on foreign port 23.
38. Permitted Connections per Hour
Displays the number of connections per hour through ASA firewalls. It is used to spot connection trends occurring during specific time periods. Each
tick mark on vertical hourly axes represents accumulated permitted connections for the previous hour.
39. RIP External Security Alert
Displays the ASA Firewall events for received internal RIP reply messages with bad authentication, sorted by the local address. This could be due to misconfiguration on the router or the ASA Firewall, or it could be an unsuccessful attempt to attack the ASA Firewall unit's routing table.
40. RIP Internal Security Alert
Displays the ASA Firewall events for received external RIP reply messages with bad authentication, sorted by foreign address. This could be due to misconfiguration on the router or the ASA Firewall, or it could be an unsuccessful attempt to attack the ASA Firewall unit's routing table.
41. SiteTrack Detection
Listing of network traffic through Cisco ASA firewalls that contained SiteTrack keywords. Sorted in date/time sequence. Keyword match is identified
with parenthesis characters ( ) preceding the message in the Message column. The SiteTrack feature performs a text string comparison of the DNS
host name lookup of source and destination IP addresses, as well as accessed URL pages and FTP file names. The DNS Resolver service must be
on, and ASA firewall logging must be on.
42. Top 10 Requested URL/FTP Destinations
Displays the top 10 requested URL and FTP destinations by internal users through ASA firewalls. It is used to spot quickly trends of the most popular
foreign sites.
43. Top 20 Bandwidth Ports
Displays the top 20 ports of bandwidth usage through ASA firewalls. It is used to identify quickly which applications are consuming the most
bandwidth.
44. Top 20 Bandwidth Users
Displays the top 20 bandwidth users through ASA firewalls.
45. Top 20 Connections by Address
Displays the top 20 users of connections through ASA firewalls. It is used to determine quickly which users are consuming the most connections.
46. Top 20 Connections by Port
Displays the top 20 ports with the most connections through ASA firewalls. It is used to identify quickly which applications are consuming the most connections.
47. Top 20 Denied Inbound by Address
Displays the top 20 foreign addresses that were denied inbound access by ASA firewalls. It is used to spot quickly foreign hosts that may have been
attempting to gain unauthorized access to your network.
48. Top 20 Denied Inbound by Port
Displays the top 20 ports with the most denied inbound connections through ASA firewalls. It is used to identify quickly which applications are the top
sources of inbound denied connections.
49. Top 20 Denied Outbound by Address
Displays the top 20 local addresses that were denied outbound access by ASA firewalls. It is used to identify quickly the top internal hosts that may possibly have been attempting to breach your company's outbound internet security policy.
50. Top FTP Destinations
Displays FTP requests to foreign addresses through Cisco ASA firewalls; it is sorted by the number of requests.
51. Top URL Destinations
Displays URL requests to foreign addresses through Cisco ASA firewalls; it is sorted by the number of requests.
52. Total Connections by Global / Translated Address
Displays the activity for each global address going through the ASA firewall, sorted by percentage of total connections within a specific time period.
53. Translation Activity by Connection ID
Lists build-up and teardown messages for connections through an ASA. These events are sorted using the Connection ID field.
54. URL Requests by Date/Time
Listing of URL and FTP requests through Cisco ASA Firewalls. Sorted in Date/Time sequence. (Only ASA firewalls with logging on are reported.)
55. URL Requests by Department
Summarizes the outbound URL and FTP requests for each department through Cisco ASA firewalls. Sorted by number of requests. Quickly
determines which departments are downloading the most URLs and FTP files. Only ASA firewalls with logging on are reported.
56. URL Requests by Foreign Address
Summarizes outbound URL and FTP requests to foreign addresses through Cisco ASA firewalls. Sorted by total connections. It can determine quickly
the most common URL and FTP destinations in your company. Only ASA firewalls with logging on are reported.
57. URL Requests by Local Address
Summarizes the outbound URL and FTP requests by each local address through Cisco ASA firewalls. Sorted by local address and number of URL/FTP requests. Quickly determines the most common URL and FTP destinations by local address for your company. Only ASA firewalls with logging on are reported.
58. URL Requests by User Name
Summarizes the outbound URL and FTP requests by authenticated user name through Cisco ASA firewalls. Sorted by user name and the number of URL/FTP requests. Requires that AAA user authentication be configured on the firewall. Quickly determines the most common URL and FTP destinations on a user name basis for your company. Only ASA firewalls with logging on are reported.
Reports: 58
Standard Reports - Cisco Content Services Switch
Reports module includes the following standard reports for the Cisco Content Services Switch device.
1. Down Links
Displays all messages associated with a down link in a given time period.
2. Reboots
Displays all messages associated with device reboots in a given time period.
3. Top 50 Users by Number of Connections
Displays the total number of connections to the Content Switch grouped by the associated username.
4. Total Attacks by Attack Type
Displays the total number of attacks recognized by the device grouped by the attack type.
5. Total Attacks by Destination Address
Displays the total number of attacks recognized by the device grouped by the destination address.
6. Total Attacks by Destination Port
Displays the total number of attacks recognized by the device grouped by the destination port.
7. Total Attacks by Source Address
Displays the total number of attacks recognized by the device grouped by the source address.
8. Total Logins by Source Address
Displays the total number of successful logins by source address.
Reports: 8
Standard Reports - Cisco PIX - Firewall
Reports module includes the following standard reports for the Cisco PIX (firewall) device.
1. AAA User Authentications
Displays AAA user authentications through Cisco PIX firewalls, sorted by date/time sequence. This report requires AAA user authentication.
2. Bandwidth Usage by Address
Summarizes bandwidth usage by local address for all traffic passing through Cisco PIX firewalls. Sorted by total byte usage. Quickly determines "Top
Talkers" on your company's network. Only PIX firewalls with debug level logging on are reported.
3. Bandwidth Usage by Department
Displays bandwidth usage by department through PIX firewalls. It is used to determine quickly which departments are your bandwidth hogs.
4. Bandwidth Usage by Port
Summarizes bandwidth usage by port for traffic passing through Cisco PIX firewalls. Sorted by total byte usage count. Quickly determines which
applications are consuming the most bandwidth. Other common TCP/IP words used synonymously with applications are port and services. Only PIX
firewalls with debug level logging on are reported.
5. Bandwidth Usage per Hour
Displays bandwidth usage per hour through PIX firewalls. It is used to spot quickly bandwidth usage trends occurring during specific time periods.
Each tick mark on vertical hourly axes represents accumulated usage for the previous hour.
6. Bandwidth Utilization
This combination of a graph and a report displays the bandwidth utilization on the network.
7. Blocked URL Events
Displays the blocked URL events of internal IP addresses attempting to connect to external web sites that have been restricted by the company sorted
by Date/Time. Websense Enterprise software must be installed to activate the URL blocking capability.
8. Configuration Changes
Listing of configuration change messages from Cisco PIX firewalls, sorted by date/time sequence. Monitors when configuration changes were made to
Cisco PIX Firewalls. Only PIX firewalls with logging on are reported.
9. Connection Limit Exceeded
Details exceeded connection limits by static addresses.
10. CPU Over-Capacity Events by Date and Time
Listing of all instances of PIX Firewall CPU utilizations rising above 100%. This is generally considered to be an error condition and if it happens frequently it may be necessary to contact Cisco Systems.
11. Denied Connections per Hour
Displays the number of denied connections per hour through PIX firewalls. It is used to spot quickly security threat trends occurring during specific
time periods. Each tick mark on vertical hourly axes represents accumulated denied connections for the previous hour.
12. Denied Inbound IP Spoofing
This report tracks when a PIX Firewall receives an external packet with the IP source address equal to the IP destination and the destination port equal to the source port, sorted by the destination address. This indicates a spoofed packet designed to attack systems. This attack is referred to as a Land Attack.
13. Denied Inbound Traffic by Address
Summarizes denied inbound traffic filtered through Cisco PIX firewalls by foreign address. Sorted by connection count. Quickly determines which
foreign hosts are being denied access to your company's internal network; denied connections could represent an attempted security policy breach,
malicious network reconnaissance, or simply point out a host or network device configuration issue. Only PIX firewalls with logging on are reported.
14. Denied Inbound Traffic by Port
Summarizes denied inbound traffic filtered through Cisco PIX firewalls by port. Sorted by connection count. Port is used synonymously with services
and/or applications. Quickly determines which applications are being denied access; denied connections could represent an attempted security policy
breach, malicious network reconnaissance like a port scan, or simply point out a host or network device configuration issue. Only PIX firewalls with
logging on are reported.
15. Denied Outbound Traffic by Address
Summarizes denied outbound traffic filtered through Cisco PIX firewalls by local address. Sorted by connection count. Quickly determines which local addresses are possibly attempting to bypass your company's security policy. Only PIX firewalls with logging on are reported.
16. Denied Outbound Traffic by Port
Summarizes denied outbound traffic filtered through Cisco PIX firewalls by port. Sorted by connection count. Port numbers are used to represent
services or applications. Quickly determines which outbound applications are being denied; these denied messages could very well represent an
attempted security policy breach, malicious network reconnaissance like a port scan, or simply point out a host or network device configuration issue.
Only PIX firewalls with logging on are reported.
17. Email Security
Listing of PIX MailGuard messages received from Cisco PIX firewalls. Sorted in date/time sequence. Quickly views possible email security breach
attempts that were prevented by PIX firewalls. Only PIX firewalls with logging on are reported.
18. Failover Messages
Displays a list of failover messages from Cisco PIX firewalls by date/time.
19. FTP Requests by Date/ Time
Displays a list of FTP requests through Cisco PIX Firewalls by Date/Time.
20. FTP Requests by Department
Displays FTP requests for each department through Cisco PIX firewalls by number of requests.
21. FTP Requests by Foreign Address
Displays FTP requests to foreign sites by local users through Cisco PIX firewalls by foreign address and the number of requests.
22. FTP Requests by Local Address
Displays FTP requests by each local address through Cisco PIX firewalls by local address and number of requests.
23. Inbound E-mail Recipients
Displays inbound emails and the intended recipients.
24. Inbound E-mail Senders
Displays inbound emails and the senders.
25. Inbound Email Traffic
Displays bandwidth usage of inbound email traffic through Cisco PIX firewalls. Sorted by total connection count. Quickly determines ‘Top Foreign
Email Senders’ if your email servers are located on an internal or DMZ interface. Summarizes email traffic from your own email gateways if they are
sitting on an external PIX interface. Only PIX firewalls with logging on are reported. The system calculates inbound email traffic by summarizing all the
302002 traffic logged on local port 25.
26. Inbound FTP Traffic
Displays bandwidth usage of inbound FTP traffic through Cisco PIX firewalls. Sorted by total connection count. Quickly determines which external
users use FTP most frequently in your company. Only PIX firewalls with logging on are reported. The system calculates inbound FTP traffic by
summarizing all the 302002 traffic logged on local ports 20 and 21.
27. Inbound HTTP Traffic
Displays bandwidth usage of inbound HTTP traffic through Cisco PIX firewalls. Sorted by total connection count. Quickly assesses which foreign users
are accessing your internal web servers most frequently. Only PIX firewalls with logging on are reported. The system calculates inbound HTTP traffic by
summarizing all the 302002 traffic logged on local port 80.
28. Inbound IP Fragmentation Alert
The PIX Firewall limits the number of IP fragments that can be concurrently reassembled. This restriction prevents memory depletion at the firewall
under abnormal network conditions. The report is sorted by count by foreign address. If this message persists, a DoS (denial of service) attack might
be in progress.
29. Inbound Telnet Traffic
Displays bandwidth usage of inbound Telnet traffic through Cisco PIX firewalls. Sorted by total connection count. Quickly determines top external
Telnet users. Only PIX firewalls with logging on are reported. The system calculates inbound Telnet traffic by summarizing all the 302002 traffic logged
on local port 23.
30. Management Access from External Source
Details all of the device management events on the PIX firewall sorted by Date/Time.
31. Outbound E-mail Recipients
Displays outbound emails and the email’s intended recipient(s).
32. Outbound E-mail Senders
Displays outbound emails and the email's sender.
33. Outbound Email Traffic
Summarizes bandwidth usage of outbound email traffic through Cisco PIX firewalls. Sorted by total connection count. Quickly determines 'Top Email
Talkers' in your company if your email gateway is located on an external or DMZ interface. Reflects 'Top Email Gateways' if your mail gateways are
on the PIX's internal interface network. Only PIX firewalls with logging on are reported. The system calculates outbound email traffic by summarizing all
the 302002 traffic logged on foreign port 25.
34. Outbound FTP Traffic
Summarizes bandwidth usage of outbound FTP traffic through Cisco PIX firewalls. Sorted by total connection count. Quickly determines which internal
users use FTP most frequently in your company. Only PIX firewalls with logging on are reported. The system calculates outbound FTP traffic by
summarizing all the 302002 traffic logged on foreign ports 20 and 21.
35. Outbound HTTP Traffic
Summarizes bandwidth usage of outbound HTTP traffic through Cisco PIX firewalls. Sorted by total connection count. Quickly determines 'Top HTTP
Talkers' in your company. Only PIX firewalls with logging on are reported. The system calculates outbound HTTP traffic by summarizing all the 302002
traffic logged on foreign port 80.
36. Outbound IP Fragmentation Alert
The PIX Firewall limits the number of IP fragments that can be concurrently reassembled. This restriction prevents memory depletion at the firewall
under abnormal network conditions. This report is sorted by count by local address.
37. Outbound Telnet Traffic
Summarizes bandwidth usage of outbound Telnet traffic through Cisco PIX firewalls. Sorted by total connection count. Quickly determines top local
Telnet users. Only PIX firewalls with logging on are reported. The system calculates outbound Telnet traffic by summarizing all the 302002 traffic
logged on foreign port 23.
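The bandwidth reports above (items 25 to 37) all rest on one rule: sum the byte counts of the PIX 302002 connection-teardown messages, classing a connection as inbound when the well-known service port sits on the local side and as outbound when it sits on the foreign side. The Python below is an added example written for this page, not code from the reporting product or from Fujitsu. It assumes the PIX 6.x 302002 message layout (faddr/gaddr/laddr with ports, duration, bytes); the sample lines are constructed and use documentation address ranges.

```python
import re
from collections import defaultdict

# Constructed sample lines in the PIX 6.x 302002 "Teardown TCP connection" format.
# The last line is a 302001 "Built" message, included to show that only teardowns count.
SAMPLE_LOG = """\
%PIX-6-302002: Teardown TCP connection 1001 faddr 203.0.113.10/51234 gaddr 198.51.100.2/25 laddr 10.1.1.5/25 duration 0:00:04 bytes 5120
%PIX-6-302002: Teardown TCP connection 1002 faddr 203.0.113.11/44321 gaddr 198.51.100.2/25 laddr 10.1.1.5/25 duration 0:00:02 bytes 2048
%PIX-6-302002: Teardown TCP connection 1003 faddr 203.0.113.12/39876 gaddr 198.51.100.3/80 laddr 10.1.1.8/80 duration 0:00:01 bytes 900
%PIX-6-302002: Teardown TCP connection 1004 faddr 192.0.2.25/25 gaddr 198.51.100.20/40001 laddr 10.1.2.7/40001 duration 0:00:09 bytes 7000
%PIX-6-302002: Teardown TCP connection 1005 faddr 192.0.2.80/80 gaddr 198.51.100.20/40002 laddr 10.1.2.7/40002 duration 0:00:03 bytes 15000
%PIX-6-302002: Teardown TCP connection 1006 faddr 192.0.2.80/80 gaddr 198.51.100.21/40003 laddr 10.1.2.9/40003 duration 0:00:05 bytes 3000
%PIX-6-302002: Teardown TCP connection 1007 faddr 192.0.2.21/21 gaddr 198.51.100.21/40004 laddr 10.1.2.9/40004 duration 0:00:07 bytes 4096
%PIX-6-302002: Teardown TCP connection 1008 faddr 203.0.113.13/40000 gaddr 198.51.100.4/23 laddr 10.1.1.9/23 duration 0:00:30 bytes 1200
%PIX-6-302001: Built inbound TCP connection 1009 for faddr 203.0.113.14/5555 gaddr 198.51.100.2/25 laddr 10.1.1.5/25
"""

TEARDOWN_RE = re.compile(
    r"%PIX-\d-302002: Teardown TCP connection (?P<conn>\d+) "
    r"faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) "
    r"gaddr (?P<gaddr>[\d.]+)/(?P<gport>\d+) "
    r"laddr (?P<laddr>[\d.]+)/(?P<lport>\d+) "
    r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+)"
)

# Service ports the reports key on: email 25, FTP 20/21, HTTP 80, Telnet 23.
SERVICE_PORTS = {25: "email", 20: "ftp", 21: "ftp", 80: "http", 23: "telnet"}


def parse_teardowns(text):
    """Extract one record per 302002 line; other message IDs (e.g. 302001) are skipped."""
    records = []
    for line in text.splitlines():
        m = TEARDOWN_RE.search(line)
        if not m:
            continue
        records.append({
            "conn": int(m["conn"]),
            "faddr": m["faddr"], "fport": int(m["fport"]),
            "laddr": m["laddr"], "lport": int(m["lport"]),
            "bytes": int(m["bytes"]),
        })
    return records


def summarize(records):
    """Connection and byte totals per service, split by direction.

    Inbound: the local side served the well-known port (e.g. local port 25).
    Outbound: the foreign side did (e.g. foreign port 25). A connection is
    tested for both, exactly as the inbound and outbound reports do separately.
    """
    totals = {"inbound": defaultdict(lambda: {"connections": 0, "bytes": 0}),
              "outbound": defaultdict(lambda: {"connections": 0, "bytes": 0})}
    for r in records:
        for direction, port in (("inbound", r["lport"]), ("outbound", r["fport"])):
            service = SERVICE_PORTS.get(port)
            if service:
                bucket = totals[direction][service]
                bucket["connections"] += 1
                bucket["bytes"] += r["bytes"]
    return {d: dict(v) for d, v in totals.items()}


def top_addresses(records, direction, service, n=20):
    """Rank addresses by bytes for one service and direction (the 'top talkers' view).

    For inbound traffic the interesting party is the foreign sender; for outbound
    it is the local host, so the address column switches with the direction.
    """
    port_key, addr_key = ("lport", "faddr") if direction == "inbound" else ("fport", "laddr")
    per_addr = defaultdict(int)
    for r in records:
        if SERVICE_PORTS.get(r[port_key]) == service:
            per_addr[r[addr_key]] += r["bytes"]
    return sorted(per_addr.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    recs = parse_teardowns(SAMPLE_LOG)
    for direction, services in summarize(recs).items():
        for service, counts in sorted(services.items()):
            print(f"{direction:8} {service:6} {counts['connections']:3} conns {counts['bytes']:7} bytes")
    print("top inbound email senders:", top_addresses(recs, "inbound", "email"))
```

Because the byte count lives only in the teardown message, a long-lived connection contributes nothing until it closes, so a report window that ends mid-session under-reports that session; the hourly "connections" reports (item 38) count builds instead and do not have that lag.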
38. Permitted Connections per Hour
Displays the number of connections per hour through PIX firewalls. It is used to spot connection trends occurring during specific time periods. Each
tick mark on vertical hourly axes represents accumulated permitted connections for the previous hour.
39. RIP External Security Alert
Displays the PIX Firewall events for received internal RIP reply messages with bad authentication sorted by the local address. This could be due to
misconfiguration on the router or the PIX Firewall or it could be an unsuccessful attempt to attack the PIX Firewall unit's routing table.
40. RIP Internal Security Alert
Displays the PIX Firewall events for received external RIP reply messages with bad authentication sorted by foreign address. This could be due to
misconfiguration on the router or the PIX Firewall or it could be an unsuccessful attempt to attack the PIX Firewall unit's routing table.
41. SiteTrack Detection
Listing of network traffic through Cisco PIX firewalls that contained SiteTrack keywords. Sorted in date/time sequence. Keyword match is identified with
parenthesis characters ( ) preceding the message in the Message column. The SiteTrack feature performs a text string comparison of the DNS host
name lookup of source and destination IP addresses, as well as accessed URL pages and FTP file names. The DNS Resolver service must be on, and
PIX firewall logging must be on.
42. Top 10 Requested URL/FTP Destinations
Displays the top 10 requested URL and FTP destinations by internal users through PIX firewalls. It is used to spot quickly trends of the most popular
foreign sites.
43. Top 20 Bandwidth Ports
Displays the top 20 ports of bandwidth usage through PIX firewalls. It is used to identify quickly which applications are consuming the most bandwidth.
44. Top 20 Bandwidth Users
Displays the top 20 bandwidth users through PIX firewalls.
45. Top 20 Connections by Address
Displays the top 20 users of connections through PIX firewalls. It is used to determine quickly which users are consuming the most connections.
46. Top 20 Connections by Port
Displays the top 20 ports with the most connections through PIX firewalls. It is used to identify quickly which applications are consuming the most
connections.
47. Top 20 Denied Inbound by Address
Displays the top 20 foreign addresses that were denied inbound access by PIX firewalls. It is used to spot quickly foreign hosts that may have been
attempting to gain unauthorized access to your network.
48. Top 20 Denied Inbound by Port
Displays the top 20 ports with the most denied inbound connections through PIX firewalls. It is used to identify quickly which applications are the top
sources of inbound denied connections.
49. Top 20 Denied Outbound by Address
Displays the top 20 local addresses that were denied outbound access by PIX firewalls. It is used to identify quickly the top internal hosts that may
possibly have been attempting to breach your company's outbound internet security policy.
50. Top FTP Destinations
Displays FTP requests to foreign addresses through Cisco PIX firewalls, sorted by the number of requests.
51. Top URL Destinations
Displays URL requests to foreign addresses through Cisco PIX firewalls, sorted by the number of requests.
52. Total Connections by Global / Translated Address
Displays the activity for each global address going through the PIX firewall, sorted by percentage of total connections within a specific time period.
53. Translation Activity by Connection ID
Lists the build-up and teardown messages for connections through a PIX. These events are sorted using the Connection ID field.
54. URL Requests by Date/Time
Listing of URL and FTP requests through Cisco PIX Firewalls. Sorted in Date/Time sequence. This and the HTTP/FTP query report can be used to
view which URLs and FTP files were accessed during a certain date/time range. Only PIX firewalls with logging on are reported.
55. URL Requests by Department
Summarizes the outbound URL and FTP requests for each department through Cisco PIX firewalls. Sorted by number of requests. Quickly determines
which departments are downloading the most URLs and FTP files. Only PIX firewalls with logging on are reported.
56. URL Requests by Foreign Address
Summarizes outbound URL and FTP requests to foreign addresses through Cisco PIX firewalls. Sorted by total connections. It can determine quickly
the most common URL and FTP destinations in your company. Only PIX firewalls with logging on are reported.
57. URL Requests by Local Address
Summarizes the outbound URL and FTP requests by each local address through Cisco PIX firewalls. Sorted by local address and number of
URL/FTP requests. Quickly determines the most common URL and FTP destinations by local address for your company. Only PIX firewalls with
logging on are reported.
58. URL Requests by User Name
Summarizes the outbound URL and FTP requests by authenticated user name through Cisco PIX firewalls. Sorted by user name and the number of
URL/FTP requests. Requires that AAA user authentication be configured on the firewall. Quickly determines the most common URL and FTP
destinations on a user name basis for your company. Only PIX firewalls with logging on are reported.
Reports: 58
34 Standard Reports - Cisco Router
Reports module includes the following standard reports for the Cisco Router device.
1. Bandwidth Usage by Address
Summarizes the number of permitted packets per source address for all network traffic through Cisco routers. Sorted by packet count. Only network
traffic from Cisco router interfaces with access control lists applied and logging turned on is reported. Source address can be an Internet or intranet
address depending on which router interface the access list is applied and in which direction.
2. Bandwidth Usage by Department
Summarizes the number of permitted packets per source address for all network traffic through Cisco routers. Sorted by packet count. Only network
traffic from Cisco router interfaces with access control lists applied and logging turned on is reported. Source address can be an Internet or intranet
address depending on which router interface the access list is applied and in which direction.
3. Bandwidth Usage by Port
Summarizes the number of permitted packets passing through Cisco routers by port. Sorted by packet count. Only network traffic from Cisco router
interfaces with access control lists applied and logging turned on is reported. Source address can be an Internet or intranet address depending on
which router interface the access list is applied and in which direction.
4. Denied Packets per Hour
Displays the number of denied packets per hour by Cisco routers. It is used to spot possible security threat trends over time ranges. Each tick mark on
vertical hourly axes represents accumulated denied packets for the previous hour.
5. Denied Traffic by Address
Summarizes the number of denied packets per source address through Cisco routers. Sorted by denied packet count. Only network traffic from Cisco
router interfaces with access control lists applied and logging turned on is reported. Source address can be an internal or external address depending
on which router interface the access list is applied and in which direction.
6. Denied Traffic by Port
Summarizes denied traffic filtered through Cisco routers by port. Sorted by packet count. Only network traffic from Cisco router interfaces with access
control lists applied and logging turned on is reported.
7. Inbound Email Traffic
Summarizes the number of inbound email packets permitted through Cisco routers by destination address. Sorted by router address, access control
list, and number of sessions. Only network traffic from Cisco router interfaces with access control lists applied and logging turned on is reported. The
system determines inbound or outbound traffic from the network information entered in its IPADDR.TAB file. If this file is not configured, the system
assumes traffic is inbound.
8. Inbound FTP Traffic
Summarizes permitted inbound FTP packet usage through Cisco routers. Sorted by router address, access control list, and number of sessions. Only
network traffic from Cisco router interfaces with access control lists applied and logging turned on is reported. The system determines whether traffic is
inbound or outbound from the information entered in its IPADDR.TAB file located in the Program directory. If this file is not configured, the system
assumes traffic is inbound.
9. Inbound HTTP Traffic
Summarizes the number of permitted packets transferred by destination address for inbound HTTP traffic through Cisco routers. Sorted by router
address, access control list, and number of sessions. Only network traffic from Cisco router interfaces with access control lists applied and logging
turned on is reported. The system determines whether traffic is inbound or outbound from the information entered in its IPADDR.TAB file located in the
Program directory. If this file is not configured, the system assumes traffic is inbound.
10. Inbound Telnet Traffic
Summarizes the number of inbound Telnet packets permitted through Cisco routers. Sorted by router address, access control list, and number of
sessions. Only network traffic from Cisco router interfaces with access control lists applied and logging turned on is reported. The system determines
inbound or outbound traffic from the network information entered in the IPADDR.TAB file. If this file is not configured, the system assumes traffic is
inbound.
11. Outbound Email Traffic
Summarizes the number of outbound email packets permitted through Cisco routers by destination address. Sorted by router address, access control
list, and number of sessions. Only network traffic from Cisco router interfaces with access control lists applied and logging turned on is reported. The
system determines inbound or outbound traffic from the network information entered in the IPADDR.TAB file. If this file is not configured, the system
assumes traffic is inbound.
12. Outbound FTP Traffic
Summarizes the number of permitted packets transferred per source and destination address pair for outbound FTP sessions through Cisco routers. It
is sorted by router address, access control list, and number of sessions. Only network traffic from Cisco router interfaces with access control lists
applied and logging turned on is reported. The system determines whether traffic is inbound or outbound from the information entered in its
IPADDR.TAB file located in the Program directory. If this file is not configured, the system assumes traffic is inbound.
13. Outbound HTTP Traffic
Summarizes the number of permitted packets transferred by destination address for outbound HTTP traffic through Cisco routers. Sorted by router
address, access control list, and number of sessions. Only network traffic from Cisco router interfaces with access control lists applied and logging
turned on is reported. The system determines whether traffic is inbound or outbound from the information entered in its IPADDR.TAB file located in the
Program directory. If this file is not configured, the system assumes traffic is inbound.
14. Outbound Telnet Traffic
Summarizes the number of outbound Telnet packets permitted through Cisco routers. Sorted by router address, access control list, and number of
sessions. Only network traffic from Cisco router interfaces with access control lists applied and logging turned on is reported. The system determines
inbound or outbound traffic from the network information entered in the IPADDR.TAB file. If this file is not configured, the system assumes traffic is
inbound.
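Items 7 to 14 state that the router reports infer direction from the networks listed in IPADDR.TAB and fall back to treating everything as inbound when that file is not configured. The Python below is an added example for this page, not the reporting product's own code: it parses Cisco IOS IPACCESSLOGP access-list log lines, applies that direction rule against a local-network table, and shows how the fallback changes the totals. The one-network-per-line IPADDR.TAB layout, the router-address prefix and the sample log lines are constructed assumptions.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed Cisco IOS access-list log lines (IPACCESSLOGP format), prefixed with a
# syslog timestamp and the reporting router's address. Documentation address ranges only.
SAMPLE_LOG = """\
Jan 22 09:00:01 192.0.2.1 %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.10(51234) -> 10.1.1.5(25), 4 packets
Jan 22 09:00:02 192.0.2.1 %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.2.7(40002) -> 192.0.2.80(80), 12 packets
Jan 22 09:00:03 192.0.2.1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.13(40000) -> 10.1.1.9(23), 1 packet
Jan 22 09:00:04 192.0.2.1 %SEC-6-IPACCESSLOGP: list 102 permitted tcp 10.1.2.9(40004) -> 192.0.2.21(21), 6 packets
Jan 22 09:00:05 192.0.2.1 %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.12(39876) -> 10.1.1.8(80), 3 packets
"""

# Assumed IPADDR.TAB layout: one local (inside) network per line, '#' starts a comment.
# The page does not give the real file format; this stand-in exists only for the example.
IPADDR_TAB = """\
# local networks
10.1.0.0/16
"""

ACL_RE = re.compile(
    r"(?P<router>[\d.]+) %SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<packets>\d+) packets?"
)

# Destination ports the Email/FTP/HTTP/Telnet router reports key on.
SERVICE_PORTS = {25: "email", 20: "ftp", 21: "ftp", 80: "http", 23: "telnet"}


def load_ipaddr_tab(text):
    """Return the list of local networks; an empty list stands for 'file not configured'."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def classify_direction(src, dst, local_nets):
    """The page's rule: outbound only when the source is local and the destination is
    not; anything else, including an empty (unconfigured) table, counts as inbound."""
    if not local_nets:
        return "inbound"
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_local = any(src_ip in n for n in local_nets)
    dst_local = any(dst_ip in n for n in local_nets)
    if src_local and not dst_local:
        return "outbound"
    return "inbound"


def parse_acl_log(text):
    """One record per access-list log line; lines in any other format are skipped."""
    records = []
    for line in text.splitlines():
        m = ACL_RE.search(line)
        if m:
            rec = m.groupdict()
            for key in ("sport", "dport", "packets"):
                rec[key] = int(rec[key])
            records.append(rec)
    return records


def summarize_permitted(records, local_nets):
    """Permitted packets per (router, ACL, direction, service): the grouping the
    inbound/outbound email, FTP, HTTP and Telnet router reports are sorted by."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] != "permitted":
            continue
        service = SERVICE_PORTS.get(r["dport"])
        if service is None:
            continue
        direction = classify_direction(r["src"], r["dst"], local_nets)
        totals[(r["router"], r["acl"], direction, service)] += r["packets"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_acl_log(SAMPLE_LOG)
    for key, pkts in sorted(summarize_permitted(recs, load_ipaddr_tab(IPADDR_TAB)).items()):
        print(key, pkts)
    print("with no IPADDR.TAB:", summarize_permitted(recs, []))
```

Running the same records with an empty table collapses every outbound session into the inbound figures, which is why an unconfigured IPADDR.TAB silently inflates the inbound HTTP and FTP reports while the outbound ones come up empty.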
15. Permitted Packets by Address
Displays the number of permitted packets by address through Cisco routers. It is used to spot top packet users through your router.
16. Permitted Packets per Hour
Displays the number of permitted packets per hour by Cisco routers. It is used to spot peak packet usage trends over time ranges. Each tick mark on
vertical hourly axes represents accumulated permitted packets for the previous hour.
17. Permitted Packets by Port
Displays the number of permitted packets by port through Cisco routers. It is used to spot top bandwidth applications running across your router.
18. SiteTrack Detection
Listing of packets that have been permitted or denied through Cisco routers with host name lookups that match any of the keywords entered in the
SiteTrack keyword list. Sorted in date/time sequence. Keyword match is listed in the report with parentheses ( ) preceding the message in the Message
field. Keywords need to be entered in the SiteTrack, and its DNS Resolver service must be on for this feature to function. The DNS Resolver service
performs a host name lookup of both source and destination IP addresses in every packet it receives from Cisco routers.
19. System Critical Events
Listing of Router system status messages received from Cisco routers. Sorted in date/time sequence. Only Cisco routers with logging turned on are
reported.
20. System Interface Events
Listing of system interface status messages from Cisco routers. Sorted in date/time sequence. Only Cisco routers with logging turned on are reported.
21. Top 20 Bandwidth Users
Displays the top 20 bandwidth users by address through Cisco routers. It is used to spot top bandwidth hogs through the router.
22. Top 20 Denied Packets by Address
Displays the top 20 addresses of denied packets through Cisco routers. It is used to spot quickly foreign addresses that are possibly attempting to
breach your security policy.
23. Top 20 Denied Packets by Port
Displays the top 20 ports with the most denied packets through Cisco routers. It is used to spot quickly which applications are possibly being used for
an attempted security breach.
24. Call Data - Call Information By Call ID
Displays all information associated with specified calls within a time period. Information includes: Setup Time, Username, Number Called/Calling,
Origin, Connection Speed, and Traffic Passed.
25. Call Data - Top 10 Total Duration By Number Called
Displays the total call time duration associated with the Top 10 Numbers Called. The call time displays in seconds.
26. Call Data - Top 10 Total Duration By Username
Displays the Top 10 Usernames based upon call duration time for the specified time period.
27. Call Data - Total Disconnects by Error for Each Device
Displays the number of events that present an error in the disconnect code for each call.
28. Call Data - Total Usage By Device
Displays the Call Traffic associated with each device. This is an executive level report for Administrators.
29. Call Data - Total Usage By Username
Queries the Call Data Record for all associated Call information. Results display by username associated with calls.
Reports: 29
38 Standard Reports - Cisco VPN 3000 Concentrator
Reports module includes the following standard reports for the Cisco VPN 3000 Concentrator device.
1. Bandwidth Usage per Hour
Displays the VPN bandwidth usage per hour.
2. Connection Statistics by Username
Lists the Date/Time Stamp, Username, and Device Addresses associated with each successful connection attempt.
3. Denied Connections
Displays the number of denied connections by VPN gateway.
4. Denied Connections by Date/Time
Displays the VPN denied connections by Date/Time for the entire group of VPN gateways.
5. Denied Connections by Username
Displays the VPN denied connections by Username for the entire group of VPN gateways. Data is sorted by denied connections.
6. Denied Connections per Hour
Displays the VPN denied connections per hour.
7. Successful Authentications by Date/Time
Queries the database for messages that report successful authentication requests, and reports back information such as Date/Time, Device Address,
Username, Local PortName, and Groupname.
8. Successful Authentications by GroupName
Queries the database for messages that report successful authentication requests and reports successful connection counts by Groupname.
9. Successful Authentications by UserName
Queries the database for messages that report successful authentication requests and reports successful connection counts by Username.
10. Successful Connections by Device Address
Total of all successful connections to monitored Cisco VPN 3000 concentrators. It is sorted by Device Address.
11. Systems Events by Device
Lists each system event (configuration changes, hardware errors, etc) for each device. Data is sorted by date/time and VPN device.
12. Top 20 Bandwidth Users By Total Bytes
Displays the top 20 users for all VPN gateways by total bytes.
13. Top 20 Users by Durations
Displays the top 20 tunnel connections for all VPN gateways.
14. Top 20 Users by Number of Connections
Displays the top 20 users by connections for all VPN gateways.
15. Total Bytes by UserName
Lists the total bytes by local address for all VPN gateways. Data is sorted by username and total bytes. The total bytes are calculated by adding up the
byte entries for each Local Address.
16. Total Duration by Username
Lists the total duration for all users of VPN gateways. Data is sorted by IP address and total duration. The total duration is calculated by adding up the
duration entries for each Local Address.
Reports: 16
39 Standard Reports - Correlated Alerts
Reports module includes the following standard reports for correlated alerts.
1. Correlated Alerts Details
Lists all the alerts that caused a correlated alert.
2. Correlated Alerts List
Lists all correlated alerts in a given time period.
3. Correlated Alerts Summary
Displays the top 20 correlated alerts in descending order.
Reports: 3
40 Standard Reports - Correlated Multi-Device Reports
Reports module includes the following standard reports for the multi-device reports.
1. IDS devices - Top 10 Source Addresses of Alarms
Displays the top 10 source addresses of intrusion detection alarms.
2. IDS devices - Top 10 Alarms
Displays the top 10 alarms (by signature id) that have been generated.
3. IDS devices - Top 10 Destinations of Alarms
Displays the top 10 destination IP addresses that have been targeted for attack.
4. Top 10 Requested URL/FTP Destinations
Displays the top 10 URL/FTP destinations by internal users.
5. Top 20 Bandwidth Ports
Displays the top 20 ports of bandwidth usage.
6. Top 20 Bandwidth Users
Displays the top 20 bandwidth users.
7. Top 20 Connections by Address
Displays the top 20 users of connections.
8. Top 20 Connections by Port
Displays the top 20 ports with the most connections.
9. Top 20 Denied Inbound by Address
Displays the top 20 foreign addresses that were denied inbound access.
10. Top 20 Denied Inbound by Port
Displays the top 20 ports with the most denied connections.
11. Top 20 Denied Outbound by Address
Displays the top 20 local addresses that were denied outbound access.
Reports: 11
42 Standard Reports - DHCP
Reports module includes the following standard system reports for DHCP processing.
1. DHCP Lease Change
Lists the lease time of DHCP IP addresses.
Database Tables
DHCP Support
Reports: 1
66 Standard Reports - Linux
Reports module includes the following standard reports for the Novell Linux and Red Hat Linux devices.
1. Linux - Failed Authentications by Device
Displays the failed Authentication attempts for each monitored device by Date/Time.
2. Linux - Failed SuperUser Attempts
Displays the failed attempts to use the Switch User command and the username associated with the attempt.
3. Linux - Successful Connections
Displays the successful connection information.
4. Linux - Successful SuperUser Attempts
Displays the successful attempts to utilize the Switch User command to root and the username associated with the attempt.
5. Linux - Total Connections by Address
Displays the total connections by foreign address.
6. Linux - Total Connections by Username
Displays the total connections for each user within the specified time range.
Reports: 6
68 Standard Reports - McAfee IntruShield
Reports module includes the following standard reports for the McAfee IntruShield device.
1. Alarm Destination Report
Displays alarms sorted by the Destination IP Address that generated the alarm.
2. Alarm Levels
Displays the number of alarms for each alarm level.
3. Alarm Report
Lists alarms based on signature names, sorted by alarms and signature names.
4. Alarms by Hour
Displays the number of alarms by hour for a given time period.
5. Alarms by Sensor
Lists the alarm count for each sensor.
6. Alarms by Sensor Device
Displays the total number of alarms generated by each sensor device. The report is sorted by total number of alarms.
7. Top 10 Sources of Alarms
Lists the top 10 source IP addresses that have generated the most events/alarms.
8. Top 20 Alarms
Displays the top 20 alarms by signature ID that have been generated.
9. Top 20 Alarms by Port
Displays the Top 20 alarms based on the destination port.
10. Top 20 Destinations of Alarms
Displays the top 20 destination IP addresses that have been targeted for attack.
11. Top 20 Source-Destination Pairs of Alarms
Displays the top 20 source/destination pair that have generated the most alarms.
12. Top 20 Sources of Alarms
Lists the top 20 source IP addresses that have generated the most events/alarms.
Reports: 12
69 Standard Reports - McAfee VirusScan Enterprise
The Reports module includes the following standard reports for McAfee VirusScan Enterprise.
1. Top 20 infected systems
Displays top 20 infected systems found on the network.
2. Top 20 Viruses Detected
Displays top 20 viruses found on the network.
3. Virus Detection Details
Lists all the detected viruses, sorted by date/time.
Reports: 3
Standard Reports - Microsoft Exchange Server
Reports module includes the following standard reports for Microsoft Exchange Server.
1. MS Exchange - Exchange Error Condition
Displays all Exchange error events.
2. MS Exchange - Failed Logon Attempts to Mailboxes
Displays failed logons to mailboxes in the Microsoft Exchange environment.
3. MS Exchange - Failed Mailbox Creation/Deletion
Displays failed mailbox creation and deletion.
4. MS Exchange - Internet Traffic by Email Accounts
Displays the inbound and outbound Internet traffic to email accounts.
5. MS Exchange - Logons to Mailbox with Administrator Privileges
Displays successful logons to mailboxes in Microsoft Exchange environment by users who have administrator privileges on the mailboxes.
6. MS Exchange - Mailboxes with the most logon failures
Displays users responsible for the greatest number of failed logons.
7. MS Exchange - Non-owner Mailbox Access
Displays users who connect to Exchange mailboxes apart from their primary user accounts.
8. MS Exchange - Successful Logons to Mailboxes
Displays successful logons to mailboxes in Microsoft Exchange environment.
9. MS Exchange - Top 10 Email Accounts Receiving Messages
Displays the top 10 email accounts receiving the most messages.
10. MS Exchange - Top 10 Email Accounts Receiving Messages Volume
Displays the top 10 email accounts receiving the most message volume.
11. MS Exchange - Top 10 Email Accounts Sending Messages
Displays the top 10 email accounts sending the most messages.
12. MS Exchange - Top 10 Email Account Sending Messages Volume
Displays the top 10 email accounts sending the most message volume.
13. MS Exchange - Top 10 Sender-Receiver Pairs
Displays top 10 pairs of email accounts sending messages to, and receiving messages from, each other.
14. MS Exchange - Top 10 Sender-Receiver Pairs within the Organization
Displays the top 10 pairs of email accounts within the organization that send messages to, and receive messages from, each other.
15. MS Exchange - Top 10 Email Accounts mailing most with the Internet
Displays the top 10 email accounts responsible for the most Internet traffic.
16. MS Exchange - Use of Send Privileges
Displays users who grant Send As permissions on mailboxes to other users.
Reports: 16
Standard Reports - Microsoft IIS
Reports module includes the following standard reports for Microsoft IIS.
1. Access Denied Attempts (500)
Displays page access attempts that were denied over time. If multiple sites were chosen, an additional run time option selects whether the access denied attempts are displayed cumulatively or comparatively.
2. Browser Versions
Displays the percentage of browser types to the sites selected
3. Hits per Day
Displays the number of requested pages for the sites chosen during run time. An additional run time option allows you to select whether the information for multiple sites is summed together or compared against each other.
4. Top 20 Page not Found (404)
Displays the top 20 requested files that were not found. If multiple sites were chosen at run time, the site where the file was requested from is also
included in the report.
5. Top 20 Referring Domains
Displays the top 20 referring domains. If multiple sites are chosen at run time, the name of the site referred to is also included in the report.
6. Top 20 Referring Pages
Displays the top 20 referring URLs, as well as the number of referrals each URL provided. If multiple sites are chosen at run time, the name of the site referred to is also included in the report.
7. Top 20 Requested Content
Displays a summary of the top 20 requests by the root level directory in which the file is contained. This provides a summary of the most active areas of the web site. If multiple sites are chosen at run time, the name of the site where the directory resides is also included in the report.
8. Top 20 Requested Pages
Displays a summary of the top 20 most requested pages for the sites chosen during run time. If multiple sites are chosen at run time for this report, the name of the site the requested page is served from is also included in the report.
9. Top 20 Script Errors (501)
Displays the top 20 requested page and script error combinations. A page may appear on this report multiple times if the page has several different script errors. If multiple sites are chosen at run time for inclusion in the report, the site the page resides on is included in the report.
10. Visitors per Day
Displays the number of unique IP addresses of visitors for the sites chosen during run time. An IP address is only counted the first time it appears during the chosen time period.
Reports: 10
Standard Reports - Microsoft ISA
Reports module includes the following standard reports for Microsoft ISA.
1. Attacks
Displays all of the attacks that were identified by the ISA Firewall Service.
2. Firewall Errors
Displays the Firewall Error messages as recorded by the ISA Firewall Service.
3. Total Bytes by Client IP
Displays the total bytes of all connections associated to specific Client IPs.
4. Total Duration by Client IP
Displays the total duration of all connections associated to specific Client IPs.
5. Total Number of Connections by Domain Name
Displays the number of connections associated to each Domain Name during a given time period.
6. Total Number of Connections by Server IP
Displays the number of connections associated to each Server IP during a given time period.
Reports: 6
Standard Reports - Microsoft SQL Server
1. Configuration changes
Displays configuration changes made to MS SQL Server systems.
2. Database backups
Displays backup events from MS SQL Server systems.
3. Errors that can be corrected by a user
Displays all error conditions from MS SQL Server systems that can be corrected by a user.
4. Failed Logons
Displays all failed logons events to MS SQL Server systems.
5. Fatal Errors
Displays fatal errors from MS SQL Server systems.
6. Insufficient Resources
Displays insufficient resources events from MS SQL Server systems.
7. Logon/Logoff Events
Displays all logon and logoff events to MS SQL Server systems.
8. Nonfatal Internal Errors
Displays nonfatal internal errors from MS SQL Server systems.
9. Object events
Displays object trace events from MS SQL Server systems.
Reports: 9
Standard Reports - Account Management
Reports module includes the following standard reports for Windows.
1. Account Changes Details
List of all account changes.
2. Account Changes Summary
Shows the number of account changes by event ID in descending order.
3. Computer Account Changes
List of all computer account changes.
4. Global Group Account Changes
List of all global group account changes.
5. Local Group Account Changes
List of all local group account changes.
6. Universal Group Account Changes
List of all universal group account changes.
7. User Account Changes
List of all user account changes.
Reports: 7
Standard Reports - Application Errors
Reports module includes the following standard reports for Windows.
1. Errors Reported by Dr. Watson
List of errors reported by Dr. Watson.
2. Top 20 Application Errors
Displays the top 20 application errors collected from all Microsoft Windows servers.
3. Top 20 Errors-Logging Applications
Displays the top 20 applications logging application errors from all Microsoft Windows servers
Reports: 3
Standard Reports - Disk and Memory
Reports module includes the following standard reports for Windows.
1. Bad Blocks
List of system events reporting bad blocks.
2. Disk at Near Capacity
List of system events reporting disk at near capacity.
3. Out of Virtual Memory
List of system events reporting out of virtual memory.
Reports: 3
Standard Reports - Files/Objects Access
Reports module includes the following standard reports for Windows.
1. Access to Files
List of all files accessed in folders monitored for access auditing.
2. Registry Access
List of all accesses to registry files and keys.
3. Write Access to System Files
List of all files opened with write access rights in the system32 folder.
Reports: 3
Standard Reports - Logon/Logoff
Reports module includes the following standard reports for Windows.
1. Failed Logons
List of all failed logon events including failure reason, user name, domain name and workstation.
2. Local Logons/logoffs by User
List of all local logon and logoff activities sorted by user name.
3. Logons/logoffs by User
List of all logon and logoff activities sorted by user name.
Reports: 3
Standard Reports - Policy Changes and Audit Logs
Reports module includes the following standard reports for Windows.
1. Audit Log Cleared
List of audit log cleared events.
2. Audit Log Full
List of audit log full events.
3. Audit Policy Changes
List of all audit policy changes.
4. Policy Changes Details
List of all policy changes events.
5. Policy Changes Summary
Shows the number of policy changes by event ID in descending order.
6. Trusted Domain Changes
List of all trusted domain changes.
7. User Rights Changes
List of all user rights changes.
Reports: 7
Standard Reports - Restart/Shutdown
Reports module includes the following standard reports for Windows.
1. System Restarts/Shutdowns
List of all system restarts and shutdowns.
Reports: 1
Standard Reports - Summary Reports
Reports module includes the following standard reports for Windows.
1. Application Log Activity per Computer
Total count of application events per computer in descending order.
2. Application Log Activity per User
Total count of application events per user in descending order.
3. Security Log Activity per Computer
Total count of security events per computer in descending order.
4. Security Log Activity per User
Total count of security events per user in descending order.
5. System Log Activity per Computer
Total count of system events per computer in descending order.
Reports: 5
Standard Reports - Trend Reports
Reports module includes the following standard reports for the Windows devices.
1. Application Log Activity
Displays the number of application events over time.
2. Security Account Logon Activity
Displays the number of security account logon events over time.
3. Security Account Management Activity
Displays the number of security account management events over time.
4. Security Detailed Tracking Activity
Displays the number of security detailed tracking events over time.
5. Security Log Activity
Displays the number of security events over time.
6. Security Logon/Logoff Activity
Displays the number of security logon/logoff events over time.
7. Security Object Access Activity
Displays the number of security object access events over time.
8. Security Policy Change Activity
Displays the number of security policy change events over time.
9. Security Privilege Use Activity
Displays the number of security privilege use events over time.
10. Security System Event Activity
Displays the number of security system events over time.
11. System Log Activity
Displays the number of system events over time.
Reports: 11
Standard Reports - User Activity
Reports module includes the following standard reports for Windows.
1. Applications by Users
List of applications running on computers over the network, sorted by user name.
2. Print Jobs by Users Summary
Summary of print jobs by users, showing user name, number of print jobs, total pages and total bytes.
3. Privileged Activities by User
List of activities that invoke user rights or privileges, sorted by user name.
Reports: 3
Standard Reports - Audit
Reports module includes the following standard system reports for the system auditing function.
1. Configuration Changes by Action
Lists all the configuration changes with the specified Action.
Runtime parameters - Action.
2. Configuration Changes by Date/Time
Lists all configuration changes made to enVision.
3. Configuration Changes by Object Type
Lists all configuration changes made against the specified object.
Runtime parameters - Object Type.
4. Configuration Changes by User
Lists all configuration changes made by the specified user.
Runtime parameters - User ID.
5. Report Access Activity by Date/Time
Lists all reports that have been either e-mailed or viewed and by whom (usernames).
6. Report Access Activity by User
Lists all reports that the specified user has e-mailed or viewed.
Runtime parameters - User ID.
7. Report Emailing Activity by Date/Time
Lists all reports that have been e-mailed and by whom (usernames).
8. Report Emailing Activity by User
Lists all reports that the specified user has e-mailed.
Runtime parameters - User ID.
9. Report Viewing Activity by Date/Time
Lists all reports that have been viewed and by whom (usernames).
10. Report Viewing Activity by User
Lists all reports that the specified user has viewed.
Runtime parameters - User ID.
11. User Session Activity by Date/Time
Lists all the successful and failed enVision log in/log out attempts.
12. User Session Activity by User
Lists all the successful and failed enVision log in/log out attempts by the specified user.
Runtime parameters - User ID.
Reports: 12
Standard Reports - System
Reports module includes the following standard NIC System reports.
1. Appliance Disk Errors
Lists all the appliance disk errors.
2. Appliance Operating Environment Errors
Lists all the appliance operating environment errors.
3. Failed Terminal Server Logins to the Appliance
Lists all failed terminal server login attempts to the appliance.
4. Failed enVision Logins
Lists all failed attempts to log in to enVision.
5. Monitored Device Collection Errors
Lists all errors in collection of data from monitored devices.
Reports: 5
Standard Reports - Oracle
Reports module includes the following standard reports for the Oracle device.
1. Audit Details by Action
Displays detailed audit actions by action.
2. Audit Details by Database Process ID
Displays detailed audit actions by database process ID.
3. Audit Details by System
Displays detailed audit actions by system name.
4. Audit Details by User
Displays detailed audit actions by user name.
Reports: 4
Standard Reports - RSA Security SecurID
Reports module includes the following standard reports for RSA Security SecurID.
1. Deleted Agent Hosts
Displays any agent hosts deleted from the RSA database in the specified time period.
2. Failed Authentication Attempts
Displays all of the failed authentication attempts by Username.
3. Group Modifications
Displays any modifications to the existing groups in the RSA database in the specified time period.
4. New Agent Hosts
Displays any new agent hosts added to the existing users in the RSA database in the specified time period.
5. New Groups Added
Displays all of the new groups added to the RSA database in the specified time period.
6. New Users Added
Displays all of the new users added to the RSA database in the specified time period.
7. Successful Authentication Attempts
Displays all of the successful authentication attempts by Username.
8. User Modifications
Displays any modifications to the existing users in the RSA database in the specified time period.
Reports: 8
Standard Reports - SNORT
Reports module includes the following standard reports for the SNORT device.
1. Alarm Destination Report
Lists alarms sorted by the destination IP address of the traffic that generated the alarm.
2. Alarm Levels
Displays the number of alarms for each alarm level.
3. Alarm Report
Lists alarms by signature name, sorted by alarm count and signature name.
4. Alarms by Hour
Displays the number of alarms by hour for a given time period.
5. Alarms by Sensor
Lists the alarm count for each sensor.
6. Alarms by Sensor Device
Displays the alarm count for each sensor device.
7. Top 10 Alarm Signatures
Lists the top 10 alarms (by signature name) that have been generated.
8. Top 10 Destinations of Alarms
Lists the top 10 destination IP addresses that have been targeted for attack.
9. Top 10 Source-Destination Pairs of Alarms
Lists the top 10 source/destination pairs that have generated the most alarms.
10. Top 10 Sources of Alarms
Displays the top 10 sources of alarms by source IP address.
Reports: 10
Standard Reports - Sun Solaris
Reports module includes the following standard reports for the Sun Solaris BSM device.
1. Kernel-Level Events
Lists kernel-level events generated by system calls.
2. Login and Logout Events
Lists login and logout audit events.
3. Nonattributable Events
Lists the events that occur at the kernel-interrupt level or before a user is identified and authenticated.
4. Permission Changes
Lists permission changes by a process or user.
5. Privileged Operations
Lists the use of privilege capabilities or role-based access control.
6. User-Level Events
Lists the user-level events generated by application software.
Reports: 6
Standard Reports - Sun Solaris
Reports module includes the following standard reports for the Sun Solaris BSM device.
1. Failed Super User Attempts
Displays users who attempted to Switch User to "root" and were denied.
2. Percentage of Connections by Service
Queries for messages with a message ID of 317013 and counts them sorted by agent (service). This message is created by the inetd daemon and logs all connections by service (for example: login, ftp, telnet, etc.).
3. Super User Access
Queries for messages with a message ID of 366847:01, and displays which users Switched User to "root" and at what time.
4. Total Connections by Foreign Address
Displays the total connections by source address.
5. Total Connections by Port
Displays the Total number of connections grouped by port number.
Reports: 5
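The Solaris report descriptions above give away the mechanism: the reports key on the Solaris syslog message ID (366847 for su, 317013 for inetd connection tracing) rather than on the daemon name. The following Python is an added example, not part of this document and not enVision code, that reproduces the five syslog-based Solaris reports over plain syslog text. It assumes the Solaris "[ID <msgid> facility.level]" tag, su lines of the form 'su root' succeeded|failed for USER on TTY, and inetd -t trace lines of the form SERVICE[pid] from ADDRESS PORT; the log lines are constructed for the example (the host name reuses bsysinv01 from the Sawmill profile list later in this document).

```python
"""Solaris syslog equivalents of the 'Failed Super User Attempts', 'Super User
Access', 'Percentage of Connections by Service', 'Total Connections by Foreign
Address' and 'Total Connections by Port' reports.

Added example; not part of RS/PRO/049 and not enVision code. Assumed formats:
  - Solaris syslog lines carry the "[ID <msgid> facility.level]" tag;
  - su events use message ID 366847:  'su root' succeeded|failed for USER on TTY
  - inetd connection tracing (inetd -t) uses message ID 317013:
        SERVICE[pid] from ADDRESS PORT
The log lines below are constructed for the example.
"""
import re
from collections import Counter

SAMPLE_SYSLOG = """\
Oct  9 08:01:12 bsysinv01 inetd[127]: [ID 317013 daemon.notice] telnet[2201] from 10.20.30.40 51234
Oct  9 08:01:15 bsysinv01 inetd[127]: [ID 317013 daemon.notice] ftp[2202] from 10.20.30.40 51240
Oct  9 08:02:03 bsysinv01 inetd[127]: [ID 317013 daemon.notice] telnet[2203] from 10.20.30.41 40001
Oct  9 08:05:44 bsysinv01 su: [ID 366847 auth.notice] 'su root' failed for bob on /dev/pts/1
Oct  9 08:05:51 bsysinv01 su: [ID 366847 auth.notice] 'su root' failed for bob on /dev/pts/1
Oct  9 08:06:10 bsysinv01 su: [ID 366847 auth.notice] 'su root' succeeded for alice on /dev/pts/2
Oct  9 08:07:00 bsysinv01 inetd[127]: [ID 317013 daemon.notice] login[2204] from 10.20.30.42 33000
Oct  9 08:09:30 bsysinv01 su: [ID 366847 auth.notice] 'su root' failed for carol on /dev/pts/3
Oct  9 08:10:02 bsysinv01 sshd[2210]: [ID 800047 auth.info] Accepted password for alice from 10.20.30.42
"""

PREFIX_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) ")
# Match on the Solaris message ID, as the enVision reports described above do,
# rather than on the daemon name.
SU_RE = re.compile(r"\[ID 366847 [\w.]+\] 'su (?P<target>[^']+)' "
                   r"(?P<result>succeeded|failed) for (?P<user>\S+) on (?P<tty>\S+)")
INETD_RE = re.compile(r"\[ID 317013 [\w.]+\] (?P<service>\w+)\[\d+\] "
                      r"from (?P<addr>\S+) (?P<port>\d+)")


def parse_syslog(text):
    """Split syslog text into su events and inetd connection events.
    Lines with any other message ID (e.g. the sshd line) are ignored."""
    su_events, inetd_events = [], []
    for line in text.splitlines():
        head = PREFIX_RE.match(line)
        if not head:
            continue
        base = {"time": head["ts"], "host": head["host"]}
        m = SU_RE.search(line)
        if m:
            su_events.append({**base, **m.groupdict()})
            continue
        m = INETD_RE.search(line)
        if m:
            inetd_events.append({**base, **m.groupdict()})
    return su_events, inetd_events


def failed_super_user_attempts(su_events):
    """'Failed Super User Attempts': users denied when switching to root, with counts."""
    return Counter(e["user"] for e in su_events
                   if e["target"] == "root" and e["result"] == "failed")


def super_user_access(su_events):
    """'Super User Access': who became root, when, and from which tty."""
    return [(e["time"], e["user"], e["tty"]) for e in su_events
            if e["target"] == "root" and e["result"] == "succeeded"]


def percentage_of_connections_by_service(inetd_events):
    """'Percentage of Connections by Service': share of inetd connections per service."""
    counts = Counter(e["service"] for e in inetd_events)
    total = sum(counts.values())
    return {svc: round(100.0 * n / total, 1) for svc, n in counts.items()} if total else {}


def total_connections_by_foreign_address(inetd_events):
    """'Total Connections by Foreign Address': connections per remote address."""
    return Counter(e["addr"] for e in inetd_events)


def total_connections_by_port(inetd_events):
    """'Total Connections by Port': connections per port as logged by inetd
    (inetd -t records the peer's port; the service name identifies the local side)."""
    return Counter(int(e["port"]) for e in inetd_events)


if __name__ == "__main__":
    su, inetd = parse_syslog(SAMPLE_SYSLOG)
    print("Failed Super User Attempts:", dict(failed_super_user_attempts(su)))
    print("Super User Access:", super_user_access(su))
    print("Percentage of Connections by Service:", percentage_of_connections_by_service(inetd))
    print("Total Connections by Foreign Address:", dict(total_connections_by_foreign_address(inetd)))
    print("Total Connections by Port:", dict(total_connections_by_port(inetd)))
```

Keying on the message ID rather than the daemon name is what makes the reports robust to a renamed or wrapped su binary, which is also why a check on the log source (item 2 of the audit list in section 4.0) should accompany any conclusion drawn from the counts.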
Standard Reports - Tripwire Enterprise
Reports module includes the following standard reports for the Tripwire Enterprise device.
1. Changes
Lists the nodes with detected changes sorted by time of change occurrence.
2. Changes by Severity
Lists the nodes with detected changes sorted by detected severity.
3. Change Rates
Lists changes detected sorted by frequency of occurrence.
4. Nodes
Lists all Tripwire unique nodes.
5. System Access
Lists user logons and logoffs.
Reports: 5
3.6.3 Operational Security Management and ad hoc Reports
Currently the only Security Event analysis reports that Operational Security can produce are ad hoc reports, produced when a correctly formatted log is provided.
Managed and scheduled Event and Incident Summary Reports need to be agreed with the Operational Security Manager. Initially these reports need to highlight breaches of confidentiality, integrity or availability by Service Delivery Unit, with drill-down facilities if required.
Key areas that these and ad hoc reports need to consider for summarisation, dependent on the type of log analysed, are:
* Date and time summaries
* Log source summaries
* Types of event summaries
* Event categorisation summaries
* Event number summaries
* Event user summaries
* Computer or device summaries
* Event description summaries
* Trended summary
* Overall summary of each of the above categories
Sawmill, a tool that Operational Security already has, would give much of the required output on an ad hoc basis if the original logs were available and an audit plan of platforms, based on risk, were provided.
Sawmill Proof of Concept
A proof of concept into its use has been undertaken with:
* CSV output logs for Windows NT Events
* CSV output logs for Windows 2000 Events
* Syslogs from Solaris
* Syslogs from Cisco Routers
* Syslogs from Cisco Firewalls
to assess whether this is feasible; summary results are documented in an appendix to this document.
An attempt has also been made to analyse a limited set of Tivoli logs using a specialised configuration file developed by Sawmill's proprietor; the details are shown in Appendix A.
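As an added illustration of the summary categories listed in this section (this is not part of the document and not Sawmill's own code), the Python below rolls up a Windows 2000 Event Viewer CSV export, one of the log types used in the proof of concept, into the date/time, log source, event type, event categorisation, event number, user, computer and description summaries, a trended per-day view and an overall summary of each category. The CSV column layout (Type, Date, Time, Source, Category, Event, User, Computer, Description), the UK dd/mm/yyyy date format and the rows themselves are assumptions constructed for the example.

```python
"""Ad hoc summaries of a Windows event log export, covering the summary
categories in section 3.6.3.

Added example; not part of RS/PRO/049 and not Sawmill code. The CSV layout
(Type,Date,Time,Source,Category,Event,User,Computer,Description) and the UK
dd/mm/yyyy date format are assumed; the rows are constructed for the example.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

SAMPLE_CSV = """\
Type,Date,Time,Source,Category,Event,User,Computer,Description
Failure Audit,09/10/2007,08:05:44,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,BSYSINV01,Logon Failure: Unknown user name or bad password
Failure Audit,09/10/2007,08:05:49,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,BSYSINV01,Logon Failure: Unknown user name or bad password
Success Audit,09/10/2007,08:06:10,Security,Logon/Logoff,528,HORIZON\\alice,BSYSINV01,Successful Logon
Success Audit,09/10/2007,08:07:02,Security,Policy Change,612,HORIZON\\alice,BSYSINV01,Audit Policy Change
Error,09/10/2007,09:15:00,Disk,None,7,NT AUTHORITY\\SYSTEM,BSYSINV01,The device has a bad block
Success Audit,10/10/2007,07:59:31,Security,System Event,517,HORIZON\\alice,WSYSINV01,The audit log was cleared
Information,10/10/2007,08:00:00,eventlog,None,6005,N/A,WSYSINV01,The Event log service was started
"""

# Summary name (from section 3.6.3) -> CSV column it is built from.
SUMMARY_COLUMNS = {
    "log_source": "Source",
    "event_type": "Type",
    "event_category": "Category",
    "event_number": "Event",
    "user": "User",
    "computer": "Computer",
    "description": "Description",
}


def load_events(csv_text):
    """Parse the export; each row becomes a dict keyed by the header names."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def event_day(event):
    """ISO date of the event; the export is assumed to use dd/mm/yyyy."""
    return datetime.strptime(event["Date"], "%d/%m/%Y").date().isoformat()


def summarise(events):
    """One Counter per category: log source, event type, categorisation,
    event number, user, computer, description, plus a per-day date summary."""
    summaries = {name: Counter(e[col] for e in events)
                 for name, col in SUMMARY_COLUMNS.items()}
    summaries["date"] = Counter(event_day(e) for e in events)
    return summaries


def trend(events, column="Type"):
    """Trended summary: count of each value of `column` per day, in date order."""
    per_day = defaultdict(Counter)
    for e in events:
        per_day[event_day(e)][e[column]] += 1
    return dict(sorted(per_day.items()))


def overall(summaries):
    """Overall summary of each category: distinct values and the most frequent one."""
    return {name: {"distinct": len(c), "top": c.most_common(1)[0]}
            for name, c in summaries.items()}


if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    summaries = summarise(events)
    for name, counter in summaries.items():
        print(f"{name}: {dict(counter)}")
    print("trend by type:", {day: dict(c) for day, c in trend(events).items()})
    print("overall:", overall(summaries))
```

The per-day trend is the part worth automating first: a day whose Failure Audit count is an order of magnitude above the others, or a day on which a computer's Security log goes quiet, is visible in the trend before any individual event is read.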
3.7 Sawmill Process
* To initially access Sawmill you need to log on with the user name and password given by the administrator.
[Screenshot: Sawmill login form with Username and Password fields]
Figure 3 Sawmill Logon Screen
* Once you have logged in you need to set up a profile; this is done by clicking the Create new profile text.
[Screenshot: Sawmill Profiles page with a Create New Profile link. Existing profiles are listed, each with View Reports, View Config and Delete links: bsysinv01 application, bsysinv01 Security, bsysinv01 System, Cisco Router and Switch Syslog Test, Windows 2k from Data Centre, wsysinv01 security]
Figure 4 Profile Creation Screen
* You then need to select the location of the source of your log; note that log patterns and subdirectories can be selected by using wildcards and by ticking Process subfolders.
[Screenshot: New Profile Wizard, Log source page. Fields: Log source (Local disk), Pathname with a Browse button, "Process subfolders (local folders only)" checkbox, "Pattern is a regular expression" checkbox, Show Matching Files button]
Figure 5 File or Directory Path Selection
* If you chose to use the browse button to select the log you are presented with a screen as shown below.
[Screenshot: Sawmill file browser with OK, Cancel, Show Root, Show Drive and Network Shares controls; the tree shows System (C:) and a second disk (F:) with folders such as Adventnet, Profiles, Program Files and System Volume Information. Click the arrows to expand and click a folder or file name to select it]
Figure 5 Browse the Selection Menu
* Once you have clicked and selected the file or directory the following screen appears
to show the log is being processed.
[Screenshot: New Profile Wizard, "Detecting log format, please wait", showing the log file being read and an elapsed time counter]
Figure 6 Log Detection Screen
* If the log format is not recognised the following screen appears; if you know the format of the log click Next, otherwise cancel and check with the SDU that you have received the correct log format.
[Screenshot: New Profile Wizard, "No log format detected. Sorry, Sawmill did not recognize the specified log data. You may continue and choose a log format on the next wizard page", followed by a request to send the vendor a compressed sample (up to 10MB) and, if possible, documentation describing the log format]
Figure 7 Log Format not recognised
* The next window allows you to select the log format you wish to analyse; press Next.
[Screenshot: New Profile Wizard, Manual log format selection; the list includes entries such as Symantec System Console Log Format, Syslog (tab separated) Log Format and tcpdump Log Format]
Figure 8 Manual log format Selection
* Some formats, such as syslog, give you a secondary screen of choices, as there are no agreed common standards between manufacturers for the format of a syslog log; once satisfied press Next.
[Screenshot: New Profile Wizard, Manual logging device selection, "Select an appropriate logging device for Syslog (yyyymmdd hhmmss)"; the list includes Dovecot Secure IMAP/POP3 Server Log Format, EventReporter Logs (version 7), Exim 4 Log Format (BETA), FortiGate Log Format (BETA) and FortiGate Space Separated Log Format]
Figure 9 Log type of Device Selected
* Each log type selected requires a name for the profile it sets up, which is entered on this screen. Enter the name you have chosen (I recommend the platform and the latest date of the log, e.g. mboinv01 121107) and click the Finish button.
New Profile Wizard
Figure 10 Name of new Profile
* Once the Finish button is pressed the log is analysed and a report is produced that can be drilled through using date ranges and selection criteria for the data from the task bar on the left hand side. Samples of some summary reports, for which suitable logs have been available, are included in Appendix A.
Figure 11 Log Report with Analysis options on Left
4.0 Audit
This process is subject to PCI and ISO 27001 Audit which is arranged by the Security and
Governance Team.
However, in order to provide some guidelines as to the key areas that Operational Security needs to analyse to assess whether a Security Incident has occurred, the following areas are considered key; each item also shows the other sources of base data that need to be used to confirm the validity of the output:
1. Identify that only authorised users are accessing the platforms their roles permit them to access - Event log analysis and PVCS documentation
2. Identify that only authorised platforms (i.e. names and IPs) access the network - PVCS documentation, Networks IP list and Event logs
3. Identify any unauthorised use of ports and protocols - analysis of Event logs and PVCS documentation
4. Identify any changes that take place without a Change Control (e.g. CP or OCP), both to Operating Systems and Applications - audits and checks against CP and OCP data for any actions taken, and Nessus passive scans to see what is still outstanding
5. Identify any vulnerabilities on platforms, particularly those identified by the supplier as Critical or High - MBSA and OVAL runs targeted at at-risk platforms
6. Identify any unauthorised changes to users' rights based on their roles - PVCS documentation and access to Event logs and CP, OCPs and Audit
7. Identify any unauthorised changes to permissions on files dependent on the role and rights allocated to that role - Alerts, Audits, Event logs, CP, OCPs and alerts
8. Identify any unauthorised File or Data Transfers, particularly to CD, DVD or USB or unauthorised networks - Audits, Alerts and CP, OCPs and Event logs
9. Identify any AV alerts - Alerts, Event logs
10. Identify any unauthorised changes to Router, Switch, Firewall and Content Switches, in particular Configuration, Access Lists and Rulebases - Audit, Alerts, Event logs, CP, OCP
11. Identify any unauthorised changes to Audit Logs and other key files - Alerts, Audit, OCP, CP
12. Identify any unauthorised changes to passwords or password brute force attacks - Alerts, Audits, RSA, OCP, CP and PVCS documentation
13. Identify any buffer overflow attacks - Alerts, Audits
14. Identify any unauthorised shares or trusts that permit escalation of privilege or network hopping - Audit, Event logs, PVCS documentation, OCP, CPs
15. Identify any unauthorised use of rootkits or other tools to hide attacks - Alerts, Event logs, Audit, OCP, CPs
16. Identify any unauthorised scheduling of batch jobs - Alerts, Audit, Event logs, PVCS Documentation
17. Identify any unauthorised services - Alerts, Audit, PVCS Documentation, Event Logs
18. Identify any unauthorised remote control services - Alerts, Audit, PVCS Documentation, Event Logs
19. Identify any unauthorised installed monitoring mechanisms - Alerts, Audits, Event logs, PVCS Documentation
20. Identify any infected startup files or Trojans - Alerts, Audit, PVCS documentation, Event logs
21. Check for any default users or manufacturers' default settings in use - Alerts, Audit, Event Logs, PVCS documentation
22. Check for the use of available exploit code for a DoS or DDoS - Event Log
Alert on any traffic patterns that indicate that a potential hack is being prepared for (not so much for Horizon, but this will be required as we migrate to HNG-X and the RMG network is more open)
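Several of the checks above can be scripted against the kind of Windows 2000/XP event log CSV export that Appendix 5.2 summarises. The following is an added example and not part of this process document: it assumes the column layout of an Event Viewer 'Save As CSV' export (Type, Date, Time, Source, Category, Event, User, Computer, Description), UK dd/mm/yyyy dates, the classic pre-Vista event IDs 529, 528/540, 602 and 7045, a constructed approved-service list, and a constructed sample export; it implements checklist items 12, 16-18 and 21 and returns the findings per item.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Pre-Vista Windows event IDs (assumed for this example). Security log:
# 529 logon failure, 528 interactive logon, 540 network logon, 602 scheduled
# task created. System log (Service Control Manager): 7045 service installed.
LOGON_FAILURE = 529
LOGON_OK = {528, 540}
TASK_CREATED = 602                    # checklist item 16: unauthorised batch jobs
SERVICE_INSTALLED = 7045              # checklist items 17/18: unauthorised services
DEFAULT_ACCOUNTS = {"administrator", "guest"}   # checklist item 21: default users
BRUTE_THRESHOLD = 5                   # item 12: failed logons per account+host ...
BRUTE_WINDOW = timedelta(minutes=10)  # ... inside this sliding window

# Constructed sample export; same columns as an Event Viewer 'Save As CSV'.
SAMPLE_CSV = """\
Type,Date,Time,Source,Category,Event,User,Computer,Description
Failure Audit,16/01/2008,09:01:05,Security,Logon/Logoff,529,EXAMPLEDOM\\jsmith,CONSTRUCTED-PC1,Logon Failure: bad password
Failure Audit,16/01/2008,09:01:09,Security,Logon/Logoff,529,EXAMPLEDOM\\jsmith,CONSTRUCTED-PC1,Logon Failure: bad password
Failure Audit,16/01/2008,09:01:14,Security,Logon/Logoff,529,EXAMPLEDOM\\jsmith,CONSTRUCTED-PC1,Logon Failure: bad password
Failure Audit,16/01/2008,09:01:20,Security,Logon/Logoff,529,EXAMPLEDOM\\jsmith,CONSTRUCTED-PC1,Logon Failure: bad password
Failure Audit,16/01/2008,09:02:02,Security,Logon/Logoff,529,EXAMPLEDOM\\jsmith,CONSTRUCTED-PC1,Logon Failure: bad password
Failure Audit,16/01/2008,09:03:41,Security,Logon/Logoff,529,EXAMPLEDOM\\jsmith,CONSTRUCTED-PC1,Logon Failure: bad password
Failure Audit,16/01/2008,11:30:00,Security,Logon/Logoff,529,EXAMPLEDOM\\abrown,CONSTRUCTED-PC1,Logon Failure: bad password
Failure Audit,16/01/2008,14:45:00,Security,Logon/Logoff,529,EXAMPLEDOM\\abrown,CONSTRUCTED-PC1,Logon Failure: bad password
Success Audit,16/01/2008,09:05:10,Security,Logon/Logoff,540,EXAMPLEDOM\\jsmith,CONSTRUCTED-PC1,Successful Network Logon
Success Audit,16/01/2008,22:15:33,Security,Logon/Logoff,528,CONSTRUCTED-PC1\\Administrator,CONSTRUCTED-PC1,Successful Logon
Success Audit,16/01/2008,22:16:02,Security,Detailed Tracking,602,CONSTRUCTED-PC1\\Administrator,CONSTRUCTED-PC1,Scheduled Task created
Information,16/01/2008,22:16:40,Service Control Manager,None,7045,N/A,CONSTRUCTED-PC1,A service was installed in the system: RemoteSvc
"""


def parse_export(text):
    """Parse the CSV export into dict records with a datetime and an int event ID."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        # UK-style dd/mm/yyyy dates, as used throughout this document (assumed).
        row["ts"] = datetime.strptime(row["Date"] + " " + row["Time"],
                                      "%d/%m/%Y %H:%M:%S")
        row["Event"] = int(row["Event"])
        records.append(row)
    return records


def account_name(user):
    """'DOMAIN\\name' -> 'name', lower-cased for comparison."""
    return user.rsplit("\\", 1)[-1].lower()


def find_brute_force(records, threshold=BRUTE_THRESHOLD, window=BRUTE_WINDOW):
    """Item 12: at least `threshold` failed logons for one account on one computer
    within any `window`. Returns (user, computer, peak failures in one window)."""
    failures = defaultdict(list)
    for r in records:
        if r["Event"] == LOGON_FAILURE:
            failures[(r["User"], r["Computer"])].append(r["ts"])
    hits = []
    for (user, computer), stamps in failures.items():
        stamps.sort()
        peak = start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits.append((user, computer, peak))
    return hits


def find_default_account_logons(records):
    """Item 21: successful logons with a vendor default account."""
    return [r for r in records
            if r["Event"] in LOGON_OK and account_name(r["User"]) in DEFAULT_ACCOUNTS]


def find_unapproved_jobs_and_services(records, approved_services):
    """Items 16-18: scheduled task creation, and service installs whose name is
    not on the approved list (in practice that list comes from the PVCS change
    documentation the checklist cites; here it is constructed)."""
    tasks = [r for r in records if r["Event"] == TASK_CREATED]
    services = [r for r in records if r["Event"] == SERVICE_INSTALLED
                and not any(name in r["Description"] for name in approved_services)]
    return tasks, services


def review(text, approved_services=("ApprovedBackupSvc",)):
    """Run every check over one export; findings are keyed by checklist item."""
    records = parse_export(text)
    tasks, services = find_unapproved_jobs_and_services(records, approved_services)
    return {"brute_force": find_brute_force(records),
            "default_accounts": find_default_account_logons(records),
            "scheduled_tasks": tasks,
            "new_services": services}


if __name__ == "__main__":
    for item, findings in review(SAMPLE_CSV).items():
        print(f"{item}: {len(findings)} finding(s)")
```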
5.0 Appendix A
5.1 Tivoli Event Log Summary by Sawmill
5.1.1 Summary
Statistics for 09/Oct/2007 - 14/Dec/2007, 67 days
5.1.2 Overview
          All days    Average per day
Events    781,488     11,664.00
5.1.3 Years/months/days
[Chart: events per year; only 2007 is present]
   Date/time    Events
1  2007         781,488
Total           781,488
5.1.4 Days
[Chart: events per day, October to December 2007]
   Date/time      Events
1  09/Oct/2007    2
2  10/Oct/2007    2
3  11/Oct/2007    2
4  12/Oct/2007    2
5  13/Oct/2007    2
6  14/Oct/2007    2
7  15/Oct/2007    2
8  16/Oct/2007    2
9  17/Oct/2007    2
10 18/Oct/2007    2
29 other items    781,468
Total             781,488
5.1.5 Day of weeks
[Chart: events by day of week]
   Day of week   Events
1  Sunday        9,898
2  Monday        31
3  Tuesday       179,028
4  Wednesday     413,302
5  Thursday      178,759
6  Friday        96
7  Saturday      94
Total            781,488
5.1.6 Hour of days
[Chart: events by hour of day]
   Hour of day             Events
1  midnight - 1:00 AM      29,408
2  1:00 AM - 2:00 AM       30,670
3  2:00 AM - 3:00 AM       28,547
4  3:00 AM - 4:00 AM       39,781
5  4:00 AM - 5:00 AM       28,783
6  5:00 AM - 6:00 AM       28,608
7  6:00 AM - 7:00 AM       29,139
8  7:00 AM - 8:00 AM       31,939
9  8:00 AM - 9:00 AM       37,383
10 9:00 AM - 10:00 AM      36,130
11 10:00 AM - 11:00 AM     31,501
12 11:00 AM - noon         19,275
13 noon - 1:00 PM          28,076
14 1:00 PM - 2:00 PM       34,119
15 2:00 PM - 3:00 PM       34,316
16 3:00 PM - 4:00 PM       34,728
17 4:00 PM - 5:00 PM       34,343
18 5:00 PM - 6:00 PM       31,433
19 6:00 PM - 7:00 PM       31,982
20 7:00 PM - 8:00 PM       30,932
21 8:00 PM - 9:00 PM       33,689
22 9:00 PM - 10:00 PM      43,928
23 10:00 PM - 11:00 PM     39,580
24 11:00 PM - midnight     33,198
Total                      781,488
5.1.7 Console hostnames
[Table: events by console hostname. The hostnames are redacted in the source and the rows are out of order. Legible counts: 120,608 (15.4%), 109,363 (14.0%), 91,431 (11.7%), 86,109 (11.0%), 84,595 (10.8%), 37,983 (4.9%), 34,435 (4.4%), 32,700 (4.2%); other items 57,446 (7.4%); the remaining row is illegible. Total 781,488 (100%).]
5.1.8 Log sources
   Log source    Events     %
1  NT            670,964    85.9%
2  EACRR         66,287     8.5%
3  VPN           19,872     2.5%
4  TIVOLI        14,644     1.9%
5  SSCMonitor    8,837      1.1%
6  PATROL        478        0.1%
7  AntiVirus     402        0.1%
8  SNMP          4          0.0%
Total            781,488    100%
5.1.9 Log source types
   Log source type   Events     %
1  Security          335,554    42.9%
2  VPN_LOOPBACK      197,504    25.3%
3  EACRR             66,287     8.5%
4  VPN Keymg         35,657     4.6%
5  NT                19,872     2.5%
6  cNIM              17,569     2.2%
7  ROLLOUTSYNCH      11,961     1.5%
8  TIVADMIN          9,723      1.2%
9  SSCMonitor        8,837      1.1%
10 ServiceMonitor    5,836      0.7%
2,604 other items    72,688     9.3%
Total                781,488    100%
5.1.10 Event origins
[Event origins are redacted in the source.]
   Event origin    Events        %
1  [redacted]      105,416       13.5%
2  [redacted]      105,267       13.5%
3  [redacted]      15,117        1.9%
4  [redacted]      14,274        1.8%
5  [redacted]      14,203        1.8%
6  [redacted]      10,753        1.4%
7  [redacted]      8,335         1.1%
8  [redacted]      7,997         1.0%
9  [redacted]      7,995         1.0%
10 [redacted]      [illegible]   0.9%
8,451 other items  485,016       62.1%
Total              781,488       100%
5.1.11 Hostnames
[Hostnames are redacted in the source.]
   Hostname        Events     %
1  [redacted]      105,416    13.5%
2  [redacted]      105,267    13.5%
3  [redacted]      15,117     1.9%
4  [redacted]      14,274     1.8%
5  [redacted]      14,203     1.8%
6  [redacted]      10,753     1.4%
7  [redacted]      8,335      1.1%
8  [redacted]      7,997      1.0%
9  [redacted]      7,995      1.0%
10 [redacted]      7,415      0.9%
9,140 other items  485,016    62.1%
Total              781,488    100%
5.1.12 Severities
   Severity   Events     %
1  20         653,644    83.6%
2  30         86,571     11.1%
3  50         40,730     5.2%
4  40         543        0.1%
Total         781,488    100%
5.1.13 Event codes
   Event code    Events     %
1  598           291,157    30.1%
2  [illegible]   210,241    27.4%
3  32            66,288     8.6%
4  528           30,747     4.0%
5  4308          21,095     2.8%
6  576           20,807     2.7%
7  6960          19,872     2.6%
8  540           18,361     2.4%
9  577           16,661     2.2%
10 490           14,005     1.8%
372 other items  117,440    15.3%
Total            766,844    100%
5.1.14 Actions
   Action                      Events     %
1  User Logoff                 128,471    52.2%
2  Successful Logon            27,605     11.2%
3  Successful Network Logon    18,361     7.5%
4  File Open                   11,663     4.7%
[further rows not legible in the source]
Total                          246,190    100%
5.1.15 Usernames
[Table: events by username. Usernames are redacted in the source except row 4. Legible rows: 1: 174,867 (71.0%); 2: 19,095 (7.7%); 3: 15,646 (6.4%); 4: maestro 7,421 (3.0%); rows 5 to 9: 1.8%, 1.7%, 1.0%, 0.8%, 0.8% (counts illegible); 4,185 other items 12,400. Total 246,190 (100%).]
5.1.16 Domains
[Domain names are redacted in the source.]
   Domain         Events        %
1  [redacted]     17,838        7.5%
2  [redacted]     10,381        4.4%
3  [redacted]     [illegible]   3.7%
4  [redacted]     6,940         3.0%
5  [redacted]     4,094         1.7%
6  [redacted]     3,968         1.7%
7  [redacted]     3,902         1.7%
8  [redacted]     3,421         1.5%
9  [redacted]     3,421         1.5%
10 [redacted]     3,400         1.5%
440 other items   168,753       72.0%
Total             234,527       100%
5.1.17 Login ids
[Table: events by login id. The ids are redacted in the source; each of the ten listed ids has 1 or 2 events (0.0%). 46,045 other items 46,045 (100.0%). Total 46,056 (100%).]
5.1.18 Login types
   Login type   Events     %
1  2            198,100    84.5%
2  3            31,776     13.5%
3  4            3,986      1.7%
4  7            396        0.2%
5  5            209        0.1%
Total           234,527    100%
5.1.19 Auth pkgs
   Auth pkg                                Events    %
1  MICROSOFT_AUTHENTICATION_PACKAGE_V1_0   18,922    41.1%
2  NTLM                                    18,361    39.9%
3  TivoliAP                                8,406     18.3%
4  Negotiate                               367       0.8%
Total                                      46,056    100%
5.1.20 File names
   File name                                 Events    %
1  C:\WINNT\system32\RedPike.dll             4,525     38.8%
2  C:\Cryptography\bin\KMAgent.INI           3,342     28.7%
3  C:\Cryptography\bin\CryptoAPI.ini         2,648     22.7%
4  C:\Cryptography\keys                      404       3.5%
5  C:\Cryptography\bin                       162       1.4%
6  C:\sshadmin                               97        0.8%
7  C:\Support\Tools\SMCSUP                   50        0.4%
8  C:\Support\Tools\SSCSUP                   50        0.4%
9  C:\Support\Tools\SYSMANSUP                50        0.4%
10 C:\Support\Tools\Generic\NTResKit         50        0.4%
56 other items                               285       2.4%
Total                                        11,663    100%
5.1.21 Messages
   Message                                                                                                      Events     %
1  EACRR spostemsg                                                                                              66,283     12.4%
2  VPN Server Ping Success monid:vpn_route monsev:G                                                             16,560     3.1%
3  Riposte function 'RiposteConnect' failed - The RPC server is unavailable. (0x6BA).                           11,821     2.2%
4  The authentication string /L=P /O=3221 for IP address [redacted] does not match /C=44 /CN=E /STA=65535 /L=P /PN=1000.   3,014   0.6%
5  MONID:APOP.B001.SVR MONSEV:G                                                                                 2,463      0.5%
6  MONID:APOP.BO.SVR MONSEV:G                                                                                   2,463      0.5%
7  MONID:APOP.B002.SVR MONSEV:G                                                                                 2,462      0.5%
8  MONID:BBND.BO.SVR MONSEV:G                                                                                   2,462      0.5%
9  MONID:MGRM.B002.SVR MONSEV:G                                                                                 2,460      0.5%
10 MONID:BBND.B001.SVR MONSEV:G                                                                                 2,459      0.5%
416,113 other items                                                                                             422,669    79.0%
Total                                                                                                           535,116    100%
© 2008 Flowerfire
5.2 Summary Analysis of a Windows 2k/XP CSV log export
5.2.1 Summary
Statistics for 09/Oct/2002 - 15/Nov/2007, 1,864 days
5.2.2 Overview
          All days    Average per day
Events    2,130       1.14
5.2.3 Years/months/days
[Chart: events per year, 2002 to 2007]
   Date/time    Events
1  2002         59
2  2003         41
3  2004         118
4  2005         879
5  2006         618
6  2007         415
Total           2,130
5.2.4 Days
[Chart: events per day, November 2002 to November 2007]
   Date/time      Events
1  09/Oct/2002    9
2  14/Oct/2002    38
3  21/Oct/2002    6
4  05/Nov/2002    1
5  14/Nov/2002    4
6  16/Dec/2002    1
7  05/Jan/2003    2
8  09/Jan/2003    5
9  29/Mar/2003    1
10 14/Aug/2003    5
531 other items   2,058
Total             2,130
5.2.5 Day of weeks
[Chart: events by day of week]
   Day of week   Events
1  Sunday        134
2  Monday        854
3  Tuesday       237
4  Wednesday     281
5  Thursday      246
6  Friday        211
7  Saturday      167
Total            2,130
5.2.6 Hour of days
[Chart and table: events by hour of day, from midnight - 1:00 AM through 11:00 PM - midnight. The per-hour counts are only partly legible in the source and cannot be matched to their hours. Total 2,130.]
5.2.7 Sources
   Source                       Events    %
1  Application Popup            581       27.3%
2  Automatic Updates            394       18.5%
3  Removable Storage Service    392       18.4%
4  RCONSVC                      156       7.3%
5  WMDM PMSP Service            85        4.0%
6  EvntAgnt                     83        3.9%
7  EventLog                     77        3.6%
8  Active Server Pages          64        3.0%
9  MsiInstaller                 34        1.6%
10 FTPCtrs                      34        1.6%
27 other items                  230       10.8%
Total                           2,130     100%
5.2.8 Types
   Type          Events    %
1  Information   1,491     70.0%
2  Warning       563       26.4%
3  Error         76        3.6%
Total            2,130     100%
5.2.9 Categories
   Category       Events    %
1  None           1,723     80.9%
2  Download       394       18.5%
3  CRM            5         0.2%
4  SVC            4         0.2%
5  Devices        3         0.1%
6  Firing Agent   1         0.0%
Total             2,130     100%
5.2.10 Events
   Event     Events    %
1  26        581       27.3%
2  16        394       18.5%
3  135       173       8.1%
4  134       173       8.1%
5  105       88        4.1%
6  2018      80        3.8%
7  2004      78        3.7%
8  2006      78        3.7%
9  3         64        3.0%
10 1000      50        2.3%
42 other items  371    17.4%
Total           2,130  100%
5.2.11 Users
[User names are redacted in the source.]
   User         Events    %
1  [redacted]   2,124     99.7%
2  [redacted]   6         0.3%
Total           2,130     100%
5.2.12 Computers
[Table: events by computer. The computer names are redacted in the source and the counts are only partly legible (one row of 50 events, 2.3%, and one of 4 events, 0.2%). Total 2,130 (100%).]
5.2.13 Descriptions
   Description                                                                                                             Events   %
1  Application popup: ping.exe - DLL Initialization Failed : The application failed to initialize because the window statio...   547   25.7%
2  Unable to connect: Windows is unable to connect to the Automatic Updates service and therefore cannot download and insta...    394   18.5%
3  Received a device interface ARRIVAL notification for device:                                                            173      8.1%
4  Received a device interface REMOVAL notification for device:                                                            173      8.1%
5  The service was started                                                                                                 85       4.0%
6  SNMP Event Log Extension Agent is starting                                                                              80       3.8%
7  The description for Event ID ( 2006 ) in Source ( RCONSVC ) cannot be found. The local computer may not have the necessa...   78   3.7%
8  Service started.                                                                                                        64       3.0%
9  The description for Event ID ( 2004 ) in Source ( RCONSVC ) cannot be found. The local computer may not have the necessa...   45   2.1%
10 Received Handle Query Remove notification.                                                                              43       2.0%
135 other items                                                                                                            448      21.0%
Total                                                                                                                      2,130    100%
5.3 Summary Analysis of a Cisco Firewall/Router/Switch syslog
5.3.1 Summary
Statistics for 16/Jan/2008, 1 day
5.3.2 Overview
                      All days
Events                5,530
Page views            5,529
Unique source IPs     96
Bytes                 0b
Destination bytes     0b
Duration              08:53:42
5.3.3 Years/months/days
[Chart: events per year; only 2008 is present]
   Date/time   Events   Page views   Unique source IPs   Bytes   Destination bytes   Duration
1  2008        5,530    5,529        96                  0b      0b                  08:53:42
Total          5,530    5,529        96                  0b      0b                  08:53:42
5.3.4 Days
[Chart: events per day; only 16 Jan 2008 is present]
   Date/time     Events   Page views   Unique source IPs   Bytes   Destination bytes   Duration
1  16/Jan/2008   5,530    5,529        96                  0b      0b                  08:53:42
Total            5,530    5,529        96                  0b      0b                  08:53:42
5.3.5 Day of weeks
[Chart: events by day of week; only Wednesday is present]
   Day of week   Events   Page views   Unique source IPs   Bytes   Destination bytes   Duration
1  Wednesday     5,530    5,529        96                  0b      0b                  08:53:42
Total            5,530    5,529        96                  0b      0b                  08:53:42
5.3.6 Hour of days
[Chart: events by hour of day, 9:00 am to 4:00 pm]
   Hour of day           Events   Page views   Unique source IPs   Bytes   Destination bytes   Duration
1  9:00 AM - 10:00 AM    233      233          17                  0b      0b                  08:44:48
2  2:00 PM - 3:00 PM     71       71           4                   0b      0b                  00:00:00
3  3:00 PM - 4:00 PM     5,116    5,115        80                  0b      0b                  00:08:54
4  4:00 PM - 5:00 PM     110      110          7                   0b      0b                  00:00:00
Total                    5,530    5,529        96                  0b      0b                  08:53:42
5.3.7 Logging Devices
[Logging device names are redacted in the source; the Events column is illegible except for the total of 5,530 and the percentages are shown as printed.]
   Logging device   %       Page views   Unique source IPs   Bytes   Destination bytes   Duration
1  [redacted]       9.1%    504          1                   0b      0b                  00:00:00
2  [redacted]       7.8%    430          1                   0b      0b                  00:00:00
3  [redacted]       7.7%    428          1                   0b      0b                  00:00:00
4  [redacted]       7.4%    409          2                   0b      0b                  00:00:00
5  [redacted]       6.6%    362          3                   0b      0b                  00:00:00
6  [redacted]       5.7%    315          1                   0b      0b                  00:00:00
7  [redacted]       5.3%    295          1                   0b      0b                  00:00:00
8  [redacted]       5.2%    289          1                   0b      0b                  00:00:00
9  [redacted]       4.9%    270          32                  0b      0b                  00:00:00
10 [redacted]       4.2%    233          7                   0b      0b                  08:44:48
36 other items      36.1%   1,994        -                   0b      0b                  00:08:54
Total               100%    5,529        96                  0b      0b                  08:53:42
5.3.8 Operations
   Operation      Events   %       Page views   Unique source IPs   Bytes   Destination bytes   Duration
1  Teardown       2,230    54.7%   2,230        90                  0b      0b                  08:53:42
2  Built          1,794    44.0%   1,794        1                   0b      0b                  00:00:00
3  Deny           46       1.1%    46           5                   0b      0b                  00:00:00
4  Accessed URL   5        0.1%    4            3                   0b      0b                  00:00:00
Total             4,075    100%    4,076        [illegible]         0b      0b                  08:53:42
5.3.9 Messages
   Message   Events   %      Page views   Unique source IPs   Bytes   Destination bytes   Duration
Total        0        100%   0            0                   0b      0b                  00:00:00
5.3.10 Message codes
[Table: events by Cisco message code. The rows are not legible in the source; only the percentages 15.4%, 15.4%, 8.8%, 7.7%, 6.1% and 17.8% and a group of other items survive. Total 5,530 events, 5,529 page views, 0b bytes, duration 08:53:42.]
5.3.11 Protocols
   Protocol     Events   %       Page views   Unique source IPs   Bytes   Destination bytes   Duration
1  TCP          2,726    67.0%   2,726        19                  0b      0b                  00:00:00
2  UDP          978      24.0%   978          65                  0b      0b                  00:00:00
3  ICMP         339      8.3%    339          5                   0b      0b                  00:00:00
4  local-host   21       0.5%    21           19                  0b      0b                  08:53:42
5  static       5        0.1%    5            1                   0b      0b                  00:00:00
6  dynamic      1        0.0%    1            1                   0b      0b                  00:00:00
Total           4,070    100%    4,070        92                  0b      0b                  08:53:42
5.3.12 Source IPs
[Source IP addresses are redacted in the source.]
   Source IP     Events   %       Page views   Unique source IPs   Bytes   Destination bytes   Duration
1  [redacted]    140      22.9%   140          1                   0b      0b                  00:00:00
2  [redacted]    38       6.2%    38           1                   0b      0b                  00:00:00
3  [redacted]    37       6.0%    37           1                   0b      0b                  00:00:00
4  [redacted]    37       6.0%    37           1                   0b      0b                  00:00:00
5  [redacted]    37       6.0%    37           1                   0b      0b                  00:00:00
6  [redacted]    34       5.6%    34           1                   0b      0b                  00:00:00
7  [redacted]    34       5.6%    34           1                   0b      0b                  00:00:00
8  [redacted]    20       3.3%    20           1                   0b      0b                  00:00:00
9  [redacted]    19       3.1%    19           1                   0b      0b                  00:00:00
10 [redacted]    16       2.6%    16           1                   0b      0b                  00:00:00
85 other items   200      32.7%   199          -                   0b      0b                  08:53:42
Total            612      100%    611          95                  0b      0b                  08:53:42
5.3.13 Destination IPs
[Destination IP addresses are redacted in the source.]
   Destination IP   Events   %       Page views    Unique source IPs   Bytes   Destination bytes   Duration
1  [redacted]       6        27.3%   6             1                   0b      0b                  00:00:00
2  [redacted]       3        13.6%   2             2                   0b      0b                  00:00:00
3  [redacted]       2        9.1%    2             1                   0b      0b                  00:00:00
4  [redacted]       1        4.5%    1             1                   0b      0b                  00:00:00
5  [redacted]       1        4.5%    1             1                   0b      0b                  00:00:00
6  [redacted]       1        4.5%    1             1                   0b      0b                  00:00:00
7  [redacted]       1        4.5%    1             1                   0b      0b                  00:00:00
8  [redacted]       1        4.5%    1             1                   0b      0b                  00:00:00
9  [redacted]       1        4.5%    1             1                   0b      0b                  00:00:00
10 [redacted]       1        4.5%    1             1                   0b      0b                  00:00:00
4 other items       4        18.2%   4             -                   0b      0b                  00:00:00
Total               22       100%    [illegible]   [illegible]         0b      0b                  00:00:00
5.3.14 Source hostnames
   Source hostname   Events   %      Page views   Unique source IPs   Bytes   Destination bytes   Duration
Total                0        100%   0            0                   0b      0b                  00:00:00
5.3.15 Destination hostnames
   Destination hostname   Events   %      Page views   Unique source IPs   Bytes   Destination bytes   Duration
Total                     0        100%   0            0                   0b      0b                  00:00:00
5.3.16 Source ports
   Source port    Events   %       Page views   Unique source IPs   Bytes   Destination bytes   Duration
1  7561           140      24.3%   140          1                   0b      0b                  00:00:00
2  161            129      22.4%   129          55                  0b      0b                  00:00:00
3  123            16       2.8%    16           12                  0b      0b                  00:00:00
4  1786           4        0.7%    4            2                   0b      0b                  00:00:00
5  1783           4        0.7%    4            2                   0b      0b                  00:00:00
6  1789           4        0.7%    4            2                   0b      0b                  00:00:00
7  [illegible]    4        0.7%    4            2                   0b      0b                  00:00:00
8  1780           4        0.7%    4            2                   0b      0b                  00:00:00
9  [illegible]    4        0.7%    4            2                   0b      0b                  00:00:00
10 34195          4        0.7%    4            1                   0b      0b                  00:00:00
151 other items   263      45.7%   263          -                   0b      0b                  00:00:00
Total             576      100%    576          70                  0b      0b                  00:00:00
5.3.17 Destination ports
   Destination port   Events   %       Page views   Unique source IPs   Bytes   Destination bytes   Duration
1  138                6        85.7%   6            1                   0b      0b                  00:00:00
2  949                1        14.3%   1            1                   0b      0b                  00:00:00
Total                 7        100%    7            1                   0b      0b                  00:00:00
5.3.18 Source sides
[Source side names are not legible in the source; the first row's event count is derived from the total.]
   Source side   Events   %       Page views   Unique source IPs   Bytes   Destination bytes   Duration
1  [illegible]   528      88.4%   528          56                  0b      0b                  00:00:00
2  [illegible]   39       6.5%    39           9                   0b      0b                  00:00:00
3  [illegible]   15       2.5%    15           13                  0b      0b                  00:25:02
4  [illegible]   5        0.8%    5            3                   0b      0b                  00:00:00
5  [illegible]   4        0.7%    4            2                   0b      0b                  00:00:00
6  [illegible]   3        0.5%    3            3                   0b      0b                  00:08:54
7  [illegible]   3        0.5%    3            3                   0b      0b                  08:19:46
Total            597      100%    597          89                  0b      0b                  08:53:42
5.3.19 Destination sides
   Destination side   Events   %      Page views   Unique source IPs   Bytes   Destination bytes   Duration
1  [redacted]         7        100%   7            1                   0b      0b                  00:00:00
Total                 7        100%   7            1                   0b      0b                  00:00:00
5.3.20 Geographic locations
   Geographic location   Events   %      Page views   Unique source IPs   Bytes   Destination bytes   Duration
Total                    0        100%   0            0                   0b      0b                  00:00:00
5.3.21 Interfaces
   Interface   Events   %        Page views   Unique source IPs   Bytes   Destination bytes   Duration
1  dmz         1        100.0%   1            1                   0b      0b                  00:00:00
Total          1        100%     1            1                   0b      0b                  00:00:00
5.3.22 Directions
   Direction   Events   %       Page views   Unique source IPs   Bytes   Destination bytes   Duration
1  outbound    891      56.3%   891          1                   0b      0b                  00:00:00
2  inbound     691      43.7%   691          1                   0b      0b                  00:00:00
Total          1,582    100%    1,582        1                   0b      0b                  00:00:00
5.3.23 Foreign IPs

Rank  Foreign IP       Events  %      Page views  Unique source IPs  Bytes  Destination bytes  Duration
1     (illegible)      152     10.9%  152         1                  0b     0b                 00:00:00
2     (illegible)      96      6.9%   96          1                  0b     0b                 00:00:00
3     (illegible)      59      4.2%   59          1                  0b     0b                 00:00:00
4     (illegible)      52      3.7%   52          1                  0b     0b                 00:00:00
5     (illegible)      38      2.7%   38          1                  0b     0b                 00:00:00
6     (illegible)      37      2.7%   37          1                  0b     0b                 00:00:00
7     (illegible)      37      2.7%   37          1                  0b     0b                 00:00:00
8     (illegible)      37      2.7%   37          1                  0b     0b                 00:00:00
9     (illegible)      34      2.4%   34          1                  0b     0b                 00:00:00
10    (illegible)      34      2.4%   34          1                  0b     0b                 00:00:00
      457 other items  818     58.7%  818         (illegible)        0b     0b                 00:00:00
Total                  1,394   100%   1,394       1                  0b     0b                 00:00:00
5.3.24 Foreign ports

Rank  Foreign port     Events  %      Page views  Unique source IPs  Bytes  Destination bytes  Duration
1     161              233     16.7%  233         1                  0b     0b                 00:00:00
2     (illegible)      222     15.9%  222         1                  0b     0b                 00:00:00
3     (illegible)      156     11.2%  156         1                  0b     0b                 00:00:00
4     (illegible)      98      7.0%   98          1                  0b     0b                 00:00:00
5     80               67      4.8%   67          1                  0b     0b                 00:00:00
6     (illegible)      49      3.5%   49          1                  0b     0b                 00:00:00
7     123              35      2.5%   35          1                  0b     0b                 00:00:00
8     (illegible)      34      2.4%   34          1                  0b     0b                 00:00:00
9     (illegible)      10      0.7%   10          1                  0b     0b                 00:00:00
10    (illegible)      6       0.4%   6           1                  0b     0b                 00:00:00
      215 other items  484     34.7%  484         -                  0b     0b                 00:00:00
Total                  1,394   100%   1,394       1                  0b     0b                 00:00:00
5.3.25 Global IPs

Global IP  Events  %     Page views  Unique source IPs  Bytes  Destination bytes  Duration
Total      0       100%  0           0                  0b     0b                 00:00:00

5.3.26 Global ports

Global port  Events  %     Page views  Unique source IPs  Bytes  Destination bytes  Duration
Total        0       100%  0           0                  0b     0b                 00:00:00

5.3.27 Local IPs
Local IP  Events  %     Page views  Unique source IPs  Bytes  Destination bytes  Duration
Total     0       100%  0           0                  0b     0b                 00:00:00
5.3.28 Local ports

Local port  Events  %     Page views  Unique source IPs  Bytes  Destination bytes  Duration
Total       0       100%  0           0                  0b     0b                 00:00:00

5.3.29 Service names

Rank  Service name  Events  %      Page views  Unique source IPs  Bytes  Destination bytes  Duration
1     138_(empty)   6       85.7%  6           1                  0b     0b                 00:00:00
2     949_(empty)   1       14.3%  1           1                  0b     0b                 00:00:00
Total               7       100%   7           (illegible)        0b     0b                 00:00:00
5.3.30 URLs/directories

URL          Events  %      Page views  Unique source IPs  Bytes  Destination bytes  Duration
(redacted)   1       20.0%  1           1                  0b     0b                 00:00:00
(redacted)   1       20.0%  1           1                  0b     0b                 00:00:00
(redacted)   1       20.0%  1           1                  0b     0b                 00:00:00
(redacted)   1       20.0%  0           1                  0b     0b                 00:00:00
(redacted)   1       20.0%  1           1                  0b     0b                 00:00:00
Total        5       100%   4           3                  0b     0b                 00:00:00
5.3.31 URLs

URL          Events  %      Page views  Unique source IPs  Bytes  Destination bytes  Duration
(redacted)   1       20.0%  1           1                  0b     0b                 00:00:00
(redacted)   1       20.0%  1           1                  0b     0b                 00:00:00
(redacted)   1       20.0%  1           1                  0b     0b                 00:00:00
(redacted)   1       20.0%  (illegible) 1                  0b     0b                 00:00:00
(redacted)   1       20.0%  1           1                  0b     0b                 00:00:00
Total        5       100%   4           3                  0b     0b                 00:00:00
5.3.32 Flags

Flags  Events  %     Page views  Unique source IPs  Bytes  Destination bytes  Duration
Total  0       100%  0           0                  0b     0b                 00:00:00

5.3.33 Users

User   Events  %     Page views  Unique source IPs  Bytes  Destination bytes  Duration
Total  0       100%  0           0                  0b     0b                 00:00:00
5.3.34 Commands

Command  Events  %     Page views  Unique source IPs  Bytes  Destination bytes  Duration
Total    0       100%  0           0                  0b     0b                 00:00:00

5.3.35 Types

Rank  Type                               Events  %      Page views  Unique source IPs  Bytes  Destination bytes  Duration
1     reverse path check (partly illegible)  28  75.7%  28          3                  0b     0b                 00:00:00
2     (illegible)                        9       24.3%  9           1                  0b     0b                 00:00:00
Total                                    37      100%   37          3                  0b     0b                 00:00:00
5.3.36 Lists

List   Events  %     Page views  Unique source IPs  Bytes  Destination bytes  Duration
Total  0       100%  0           0                  0b     0b                 00:00:00
5.3.37 Sessions overview

                                 All days
Total accesses                   113
Total sessions                   109
Sessions by one-time users       83
Sessions by repeat users         26
Total session users              96
One-time users                   83
Repeat users                     13
Two-time users                   13
Three-time users                 0
Four-time users                  0
Five-time users                  0
Six-time users                   0
Total duration of all sessions   00:43:44
Average accesses per session     1.04
Average sessions per user        1.14
Median sessions per user         1.00
Maximum concurrent sessions      2
Average session duration         00:00:24

(The "Average per day" column of this report is not legible in the scan.)
5.3.38 Entry pages

Entry page   Sessions  %
(redacted)   107       98.2%
(redacted)   1         0.9%
(redacted)   1         0.9%
Total        109       100%

5.3.39 Exit pages

Exit page    Sessions  %
(redacted)   107       98.2%
IRRELEVANT   (illegible)
(redacted)   1         0.9%
Total        109       100%
5.3.40 Session pages

Page         Sessions  %      Events  %      Time spent  %
(redacted)   107       96.4%  109     96.5%  00:43:44    100.0%
(redacted)   1         0.9%   1       0.9%   00:00:00    0.0%
IRRELEVANT   1         0.9%   1       0.9%   00:00:00    0.0%
(redacted)   1         0.9%   1       0.9%   00:00:00    0.0%
(redacted)   1         0.9%   1       0.9%   00:00:00    0.0%
Total        111       100%   113     100%   00:43:44    100%
5.3.41 Session users

Rank   User          Sessions  %      Events  %      Time spent  %
1      (illegible)   2         1.8%   2       1.8%   00:00:00    0.0%
2      (illegible)   2         1.8%   2       1.8%   00:00:00    0.0%
3      (illegible)   2         1.8%   2       1.8%   00:00:00    0.0%
4      (illegible)   2         1.8%   2       1.8%   00:00:00    0.0%
5      (illegible)   2         1.8%   2       1.8%   00:00:00    0.0%
6      (empty)       2         1.8%   6       5.3%   00:00:00    0.0%
7-10   (illegible)   (illegible)      (illegible)    (illegible)
       other items   (illegible)      (illegible)    (illegible)
Total                109       100%   113     100%   00:43:44    100%

(Only the rows above are legible; one row in the scan carries the whole 00:43:44 of time spent, at 100.0%.)
5.4 Summary Analysis of a UNIX Solaris 9.0 syslog

5.4.1 Overview

          All days  Average per day
Messages  1,711     213.88

5.4.2 Years/months/days

(Bar chart: messages per year; only 2008 is present.)

Rank   Date/time  Messages
1      2008       (illegible)
Total             1,711
5.4.3 Days

(Bar chart: messages per day, Tue 8 Jan 2008 to Tue 15 Jan 2008.)

Rank   Date/time    Messages
1      08/Jan/2008  189
2      09/Jan/2008  251
3      10/Jan/2008  247
4      11/Jan/2008  265
5      12/Jan/2008  216
6      13/Jan/2008  251
7      14/Jan/2008  234
8      15/Jan/2008  58
Total               1,711
5.4.4 Day of weeks

(Bar chart: messages per day of week.)

Rank   Day of week  Messages
1      Sunday       251
2      Monday       234
3      Tuesday      247
4      Wednesday    251
5      Thursday     247
6      Friday       265
7      Saturday     216
Total               1,711
5.4.5 Hour of days

(Bar chart: messages per hour of day, 0:00 to 9:00 pm; y-axis 0 to 150 messages.)
Hour of days

Rank   Hour of day           Messages
1      midnight - 1:00 AM    74 (partly illegible; value implied by the total)
2      1:00 AM - 2:00 AM     68
3      2:00 AM - 3:00 AM     75
4      3:00 AM - 4:00 AM     67
5      4:00 AM - 5:00 AM     63
6      5:00 AM - 6:00 AM     67
7      6:00 AM - 7:00 AM     63
8      7:00 AM - 8:00 AM     79
9      8:00 AM - 9:00 AM     83
10     9:00 AM - 10:00 AM    98
11     10:00 AM - 11:00 AM   93
12     11:00 AM - noon       66
13     noon - 1:00 PM        63
14     1:00 PM - 2:00 PM     70
15     2:00 PM - 3:00 PM     73
16     3:00 PM - 4:00 PM     64
17     4:00 PM - 5:00 PM     63
18     5:00 PM - 6:00 PM     63
19     6:00 PM - 7:00 PM     63
20     7:00 PM - 8:00 PM     60
21     8:00 PM - 9:00 PM     105
22     9:00 PM - 10:00 PM    72
23     10:00 PM - 11:00 PM   56
24     11:00 PM - midnight   63
Total                        1,711
5.4.6 Logging devices

Rank   Logging device  Messages  %
1      IRRELEVANT      1,711     100.0%
Total                  1,711     100%
5.4.7 Syslog messages

Rank   Syslog message   Messages     %
1      (redacted)       754          44.1%
2      (redacted)       523          30.6%
3      (redacted)       192          11.2%
4      (redacted)       (illegible)  0.7%
5      (redacted)       (illegible)  0.6%
6      IRRELEVANT       (illegible)  0.5%
7      (redacted)       (illegible)  0.4%
8      (redacted)       (illegible)  0.4%
9      (redacted)       (illegible)  0.4%
10     (redacted)       (illegible)  0.4%
       126 other items  183          10.7%
Total                   1,711        100%
5.5 Summary Analysis of Windows NT Event Logs

5.5.1 Overview

        All days  Average per day
Events  53,096    21.03

5.5.2 Years/months/days

(Bar chart: events per year, 2002 to 2008; y-axis 0 to 40,000 events.)

Rank   Date/time  Events
1      2002       522
2      2003       112
3      2004       7
4      2005       2,381
5      2006       4,967
6      2007       30,601
7      2008       14,796
Total             53,096

5.5.3 Days

(Bar chart: events per day, 01 Feb 2002 to 01 Feb 2008; y-axis 0 to 15,000 events.)

Rank   Date/time     Events
1      03/Jan/2002   20
2      08/Jan/2002   2
3      08/Feb/2002   10
4      08/Mar/2002   1
5      03/May/2002   3
6      04/Jun/2002   333
7      0?/Aug/2002   4
8      10/Sep/2002   1
9      12/Oct/2002   26
10     08/Dec/2002   122
381 otheritems 52,574
Total 53,096
5.5.4 Day of weeks

(Bar chart: events per day of week.)

Rank   Day of week  Events
1      Sunday       5,681
2      Monday       7,214
3      Tuesday      6,499
4      Wednesday    5,544
5      Thursday     5,538
6      Friday       5,965
7      Saturday     16,655
Total               53,096
5.5.5 Hour of days

(Bar chart: events per hour of day, 0:00 to 9:00 pm; y-axis 0 to 10,000 events.)

Hour of days

Rank   Hour of day           Events
1      midnight - 1:00 AM    1,301
2      1:00 AM - 2:00 AM     1,382
3      2:00 AM - 3:00 AM     1,239
4      3:00 AM - 4:00 AM     1,338
5      4:00 AM - 5:00 AM     1,346
6      5:00 AM - 6:00 AM     1,326
7      6:00 AM - 7:00 AM     1,348
8      7:00 AM - 8:00 AM     1,629
9      8:00 AM - 9:00 AM     1,888
10     9:00 AM - 10:00 AM    2,567
11     10:00 AM - 11:00 AM   2,366
12     11:00 AM - noon       2,439
13     noon - 1:00 PM        1,810
14     1:00 PM - 2:00 PM     2,267
15     2:00 PM - 3:00 PM     2,944
16     3:00 PM - 4:00 PM     9,458
17     4:00 PM - 5:00 PM     6,050
18     5:00 PM - 6:00 PM     2,041
19     6:00 PM - 7:00 PM     1,763
20     7:00 PM - 8:00 PM     1,383
21     8:00 PM - 9:00 PM     1,239
22     9:00 PM - 10:00 PM    1,340
23     10:00 PM - 11:00 PM   1,347

(The leading digit of several counts is illegible in the scan; the values shown are the ones consistent with the 53,096 total.)
24 11:00 PM - midnight 1,285
Total 53,096
5.5.6 Sources

Rank   Source                   Events  %
1      TimeServ                 27,602  52.0%
2      NETLOGON                 12,496  23.5%
3      Security                 10,930  20.6%
4      SweepNT                  1,008   1.9%
5      BROWSER                  199     0.4%
6      (illegible)              122     0.2%
7      PMC                      101     0.2%
8      EventLog                 96      0.2%
9      Service Control Manager  94      0.2%
10     RCONSVC                  54      0.1%
       19 other items           394     0.7%
Total                           53,096  100%
5.5.7 Types

Rank   Type           Events  %
1      Information    40,172  75.7%
2      Success Audit  10,961  20.6%
3      Warning        1,043   2.0%
4      Error          914     1.7%
5      Failure Audit  6       0.0%
Total                 53,096  100%

5.5.8 Categories

Rank   Category            Events       %
1      None                40,838       76.9%
2      Object Access       10,493       19.8%
3      SweepInfo           1,008        1.9%
4      Logon/Logoff        214          0.4%
5      Service             36           0.1%
6      Debug               29           0.1%
7      System Event        (illegible)  (illegible)
8      Account Management  25           0.0%
9      VPN                 23           0.0%
10     Events              15           0.0%
       4 other items       32           0.1%
Total                      53,096       100%
5.5.9 Events

Rank   Event            Events  %
1      (illegible)      26,858  50.6%
2      5711             11,807  22.2%
3      560              5,247   9.9%
4      562              5,246   9.9%
5      5810             904     1.7%
6      5722             609     1.1%
7      (illegible)      394     0.7%
8      64               393     0.7%
9      538              199     0.4%
10     528              189     0.4%
       84 other items   1,260   2.4%
Total                   53,096  100%
5.5.10 Users

Rank   User             Events       %
1      (redacted)       (illegible)  73.9%
2      (redacted)       (illegible)  0.2%
3      (redacted)       (illegible)  0.2%
4      (redacted)       (illegible)  0.2%
5      (redacted)       (illegible)  0.2%
6      (redacted)       (illegible)  0.1%
7      (redacted)       (illegible)  0.0%
8      (redacted)       (illegible)  0.0%
9      (redacted)       (illegible)  0.0%
10     (redacted)       10           0.0%
       19 other items   86           0.2%
Total                   53,096       100%

(User names and most counts in this report are not legible in the scan.)
5.5.11 Computers

Rank   Computer    Events  %
1      IRRELEVANT  37,210  70.1%
2      IRRELEVANT  15,886  29.9%
Total              53,096  100%
5.5.12 Details

Rank   Detail                                                                                                            Events       %
1      Time set (offset < 5 second)                                                                                      26,806       50.5%
2      Object Open:                                                                                                      5,247        9.9%
3      Handle Closed                                                                                                     (illegible)  9.9%
4      The partial synchronization request from the server (remainder illegible)                                         3,600        6.8%
5      The partial synchronization request from the server (remainder illegible)                                         (illegible)  6.8%
6      The partial synchronization request from the server IRRELEVANT completed successfully. 1 changes(s) has(have) been retu...  3,595  6.8%
7      (illegible) respond                                                                                               394          0.7%
8      The specified NTPServer supports RFC-868(Time)                                                                    393          0.7%
9      The partial synchronization request from the server (illegible) completed successfully. 2 changes(s) has(have) been retu...  219  0.4%
10     The partial synchronization request from the server IRRELEVANT completed successfully. 2 changes(s) has(have) been retu...  216  0.4%
       582 other items                                                                                                   3,762        7.1%
Total                                                                                                                    53,089       100%
6.0 Appendix B

This appendix includes details of the prioritisation that platforms are given based on their Security Tier and Domain for HNG-X, and is to be used as a guideline for Horizon. The analysis of logs and events will be prioritised based on this.

(Embedded object: dewgenspe0007 01)

7.0 Appendix C

Appendix C summarises the security events that Windows platforms generate and that will need to be included as a basis for analysis. Linux and Solaris events will follow in a later version of this document.

(Embedded object: Windows Events)

8.0 Appendix D

Appendix D gives full details of the reports created by Fujitsu Services' recommended SIEM.

(Embedded object: TRIOLE Security Information Event Mon…)