FUJITSU
Horizon Event Logging Process for Operational Security
Ref: RS/PRO/049
Version: 0.3
Company-in-Confidence
Date: 03-Feb-2009

Document Title: Horizon Event Logging Process for Operational Security
Document Type: PRD
Release: DRAFT
Abstract: This document summarises the Operational Security Process for Event logging
Document Status: WITHDRAWN — REPLACED BY DOCUMENT SVM/SDM/PRO/0032
Originator & Dept: William Membery, Operational Security
Contributors: Deborah Haworth (CIS[...]), Tivoli; Dav[...] ISD; Shaun Pinder, ISD; [...] Conneely; Brian Gallacher, Solutions Architect; Marie Clare [...], Unix; Andy Gibson, ISD UNIX; James Gosnold, CSA Security; Jo Booth
External Distribution: (Management to distribute following approval)
Approval Authorities: (See CM/ION/078 for Approval roles)
Name | Role | Signature | Date
Howard Pritchard | Chief Information Security Officer (CISO) | |
Pete Sewell | Operations Security Manager | |
©Copyright Fujitsu Services Ltd 2007 Company-in-Confidence Page: 1 of 199
FUJ00155413
0.0 Document Control
0.1 Document History
Version No. | Date | Reason for Issue | Associated CP/PEAK/PPRR Reference
01 | 14/12/2007 | Process required for Event Logging |
02 | 18/01/2008 | Amended following comments |
03 | 03-Feb-2009 | WITHDRAWN AND REPLACED BY DOCUMENT SVM/SDM/PRO/0032. Membery email of Mon 02/02/2009 16[...] |
0.2 Review Details
Review Comments by: Thursday, 14[...]
Review Comments to: [...]
Mandatory Review
Role | Name
CISO | Howard Pritchard
Service Delivery Manager (Ops) |
Lead Architect | Sean Kerrin
Operational Security Manager | Peter Sewell
 | Graham Welsh
 | Sheila Bamber *
 | Peter Thompson
 | Alex Kemp
 | Mik Peach *
 | Brian Pinder
 | Ian Bowen
ISD Team Manager IS Operations (KA) | Adrienne Thompson
ISD POA UNIX Administrator IS Operations KA | Andrew Gibson *
ISD NT Senior Systems Engineer IS Operations KA | Warren Welsh
ISD Practice Head - Implementations North | Dave Jackson
IS Operations Manager | Jerry Acton *
Principal Consultant | Mike Conneely *
Optional Review
Role | Name
Principal Security Consultant | Jim Sweeting
SIASS Designer | Alan Hodgkinson
CS Service Release Manager | John Budworth
SI Test Designer | Peter Robinson
SI Release Manager | James Stanton
CS Business Continuity Manager | Tony Wicks
Design & Development Manager | Roy Birkenshaw
Software Configuration Management (PO) | Tariq Arain
SI Team Leader | Peter Ambrose
SIASS Designer | Ian Devereux
SI Technical Designer | Chris Bede
Programme Office Manager | David Cooper
CS Major Release Manager | [...]
Service Delivery Manager (OBC) | [...]
Service Management Manager | [...]
Customer Solutions Architect | [...]
Technical Design Authority | [...]
Technical Consultant MSS, SMC | [...]
Solutions Group - Service & Assurance | James Gosnold
Release Controller | John Boston
Lead Test Engineer | [...]
[...] | Graham Jennings
[...] | Adam Bowe
[...] | Lionel Higman
[...] | Asad Sheikh
[...] | Nigel Taylor
[...] | Eveline Bunce
[...] Leader | [...]
Service Delivery Manager - Data File Transfer | Kirsty Gallacher
Product Specialist | Mark Wright
Issued for Information — Please restrict this distribution list to a minimum
Position | Name
(*) = Reviewers that returned comment sheets and/or attended a Group Review (Meeting Review)
0.3 Associated Documents
Reference | Version | Date | Title | Source
PA/TEM/001 | | | Fujitsu Services PO[...] (DO NOT REMOVE) | PVCS
RS/POL/002 | | | Horizon Security Policy | PVCS
CS/SER/016 | | | Service Description for the Security Management Service | PVCS
SVM/SDM/PRO/00[...] | | | RMGA Customer Service Dimensions Incident Management Process |
FSSL [...] | 01 | 01/2008 | Security Information & Event Management Supported Devices and Standard Reports | Fujitsu Services
Unless a specific version is referred to above, reference should be made to the current approved versions of the documents.
N.B. Printed versions of this document are not under change control.
0.4 Abbreviations/Definitions
Abbreviation | Definition
ARQ | Audit Request — this is a service provided by RMGA Security to PO Ltd
Athene | Metron's Performance Management, Capacity Management and Capacity Forecasting software specialist tool for Unix
Centera | EMC Secure Storage Solution
Cisco Works | Cisco's Network Management Tool
CISO | Chief Information Security Officer
CP | Change Proposal
DNS | Domain Name Server — way of translating names into IP addresses
HNG-X | Horizon Next Generation — the [...] Solution for Post Office Ltd
Horizon | Royal Mail Group's Current Solution [...] [Post Off]ice Limited
HP Openview | Hewlett Packard's N[etwork ...]
Insight Manager | [...]
ISO | [...]
KMA Logs | [...] K[...] Management Administration System
Maestro | [...]
OLA | Operational Level Agreement — agreement defining what is required from the Operational part of an organisation providing a service
OOH | Out of Hours Access Solution for Support Teams
RDBMS | Relational Database Management System
Patrol | Software Innovations Unix Applications Monitoring Tool
PO Ltd | Post Office Ltd
Radius | Remote Authentication Dial in User Service
RMGA | Royal Mail Group Account
RSA Tokens | Tokens used for ensuring two factor authentication prior to access to systems
Rules of Evidence | Rules required by the Courts to ensure that any evidence used in prosecution is admissible
SAS | Secure Access Servers — used for remote access logging
Sawmill | Flowerfire's Log Analysis Tool
SDU | Service Delivery Unit - unit of an organisation delivering a service
ServerView | Fujitsu's Fault and performance Management [tool] on Fujitsu Windows Platforms
SIEM | Security Incident and Event Monitoring
SI | Fujitsu Systems Integration Group
SLA | Service Level Agreement — agreement [defining what] level of service is expected
SLT's | Service Level Targets
SMC | Systems Management C[entre]
Sophos | [...]
SSH | [...] [th]at ensures data is exchanged [...] between [...]
syslog | [...] [mes]sages in an IP Network
TACACS+ | [...] [Auth]entication and Audit Tool
Tivoli | [...] and Configuration Tool
VPN | [...]
0.5 Changes Expected
Changes
Expect changes following the definition of PO Ltd requirements.
Expect changes following review process.
Expect changes following production of Fujitsu Services Security and Control [Framework].
Expect changes once SIEM tools are agreed and finalised.
Expect changes following SI Designs.
Expect changes once asset details requiring log analysis are available.
Expect changes once Event test criteria are agreed.
0.6 Table of Contents
1.0 Scope of Document
1.1 Political Background
1.2 Technical Background
1.2.1 Tivoli
1.2.2 Networks NMS and Syslog Server
1.2.3 Service Delivery Unit Analyses
2.0 Dependencies
3.0 Process Flow
3.1 Horizon Security and Control Framework
3.2 Event Audit Security Control and Framework Requirements
3.3 Event Audit Framework and Current View
3.4 Operational Security Framework Imple[mentation]
Tests
Reports
Summary Reports
Compliance Report
[Op]erational Security Mana[gement ...]
5.1.16 Domains
5.1.17 Login ids
5.1.18 Login types
5.1.19 Auth pkgs
5.1.20 Filenames
5.1.21 Messages
5.2 Summary Analysis of a Windows 2K/XP CSV Log Export
Summary
Overview
Years/months/days
Days
Day of weeks
Hour of days
Sources
Types
Categories
Events
Users
Computers
Descriptions
5.3 Summary Analysis of a Cisco Firewall/Router/[...]
Summary
Overview
Years/months/days
Days
Day of weeks
Hour of days
Logging Devices
Operations
Messages
Message codes
Protocols
Source IPs
Destination IPs
5.3.36 Lists
5.3.37 Sessions overview
5.3.38 Entry pages
5.3.39 Exit pages
5.3.40 Session pages
5.3.41 Session users
5.4 Summary Analysis of a Unix Solaris 9.0 Syslog
5.4.1 Overview
5.4.2 Years/months/days
5.4.3 [...]
5.4.4 [...]
5.4.5 Hour of days
5.4.6 Logging devices
5.4.7 Syslog messages
6.0 Appendix B
7.0 Appendix C
1.0 Scope of Document
This document defines the process to be followed by the operational security team to meet its obligations under RS/POL/002 Horizon Security Policy and CS/SER/016 the Service Description for the Security Management Service, and applies to Horizon only.
This process is concerned only with those actions that the operational security team undertake; all other processes, guidelines and work instructions are outside the remit of this document, although a historical background has been included to assist in establishing what is required to enable us to establish this process going forward.
1.1 Political Background
ISO 27001 [...]
[...] paid for).
[...] compliance contractual statements no requirement exists [...]
1.2 Technical Background
1.2.1 Tivoli
Analysis of incidents in Horizon re[lies on ...] [colle]ction of logs, with the exception of network de[vices ...]. [Events gener]ated by applications and databases are only collected if they are written to [the s]ystem Logs, the one exception being Radius Server Logs.
Those platforms which [have an Event] adapter, e.g. the data centre servers, counters and [...]
The Tivoli pr[...] availability, and historically the placement of Event adapters has [not ...] [ri]sk assessment or an asset register, and therefore any future processes [must t]ake this into account.
[...] are forwarded from them. For example, in the past an assessment of the [...] more information (files) on the counter was made, and if such data was collected approximately a million events per day occurred; if such events are excluded then there were about 150,000.
All events collected by Tivoli are initially buffered for about 1 hour and are available for view, and these details are then sent to the archive server to ensure that rules of evidence are maintained.
A summarised version of the events is maintained online for approximately 10 days and analysis of availability events is undertaken by SMC. This summary removes all background
noise (redundant, repetitive and uninteresting events) and only events identified as interesting are retained.
From a security perspective, only log on and log off data is retained, as no requests or analysis has been made for any other requirements and these are therefore seen as background noise.
If an increase in the collection of Security events is required, as shown in section 4.0, then it must be noted that the volume of data collected, the capacity of the platform holding this information (disk space and memory) and the software revision used to manage and analyse it are key. The current Tivoli version in Horizon is Framework 3.71 and [...], and the Oracle Server storing the data may also need upgrading, both of which [...]
1.2.2 Networks NMS and Syslog Server
[...] is currently being moved to a new DNS and syslog server in the Bootle and Wigan data centres from the old NMS, and no analysis is currently undertaken of these, although CP 4410 has been approved and is currently going through the release [...] Sawmill to analyse Firewall logs. These logs are currently not analysed or included as part of Tivoli.
1.2.3 Service Delivery Unit Analyses
In addition to Tivoli, each of the service delivery units has its own toolsets used for monitoring the areas of service it is required to provide. On initial investigation this again mainly covers the area of availability.
The information from these tools is not all currently fed into Tivoli or any other centralised SIEM to manage and monitor security events or incidents, neither are regular reports provided to Operational Security from these units.
Examples of these tools are:
• HP Openview is used for monitoring the Network.
• Cisco Works and TACACS+ are used for managing [au]thentication to network devices.
• Athene is used for performance gathering. Th[e ...] performance monitoring team within the account [...] etc. from it, but the database is in Brac[...] [... UN]IX team have no direct access).
• Patrol is used for Unix Operating S[ystem ...] into the Tivoli event manage[r]. Some events will be raised as TES calls by SMC and some events [...] in the event archives. As previously [...]
• Insight Manager is [...] [managing] and monitoring Compaq platforms running Windows.
2.0 Dependencies
To achieve an effective and efficient Event Management solution Operational Security is dependent on the following:
1. Requirements of reports that PO Ltd want to monitor Operational Secu[rity ...] and documented.
2. Reports required by RMGA to prove operational security compli[ance ...] and documented.
3. A Fujitsu Services Horizon Security and Control Fra[mework ...] by the Information Governance Team are provided to SI for [...]
4. The Fujitsu Horizon Security and Control Framework [...] Governance Team must ensure that any non RM[GA ...] used to support RMGA systems and devices mee[t ...]
5. SI use items 1, [...] and any Operational, [...] for Operational S[ecurity ...] [S]ecurity Incident and [...]
   a. SI designs ensure that details [...] documented and are pa[...]
   b. SI designs ensure [...] the Release Ma[nagement ...]
   [c.–f. ...] agents required for SIEM go through [...] and are included in any Physical Platform [...]; [...]s include scheduling to push logs to Central Collection Point [...] SIEM system.
   g. SI designs ensure that Maestro or alternative scheduler is set to schedule the push of logs to Central Repository as part of the SIEM system and an audit report of failures is available.
   h. SI designs ensure that the Central Collection platform (or platforms assuming resilience is required) has sufficient storage capacity for log storage based on the retention requirements defined in Fujitsu Services Horizon Security and Control Framework.
   i. SI designs include a method of log retention so that the Rules of Evidence requirement cannot be questioned if used in legal proceedings.
   j. SI designs ensure the Central Collection platform has accountability, authentication and audit of any access.
   k. SI designs ensure that the platforms that are used to analyse and process logs have sufficient processing power, storage and memory to allow summarisation, trending and ad hoc queries when required.
   l. SI designs ensure that platforms used to analyse or [...] [have] accountability, authentication and audit of both the pl[atform and the logs] analysed.
   m. SI designs ensure that platforms used to anal[yse ...] information are networked and fire-walled [... for the] analysis and reporting required.
6. Service Delivery Units requirements for Event [...] and event logging are defined in SLA's or OLA's and should include [...] requirements:
   a. Service Delivery Units con[figure dev]ices to meet the requirements defined in the SI Design.
   b. Service Delivery Un[its push logs in the] format as defined in the SI designs and [...] resend any failed log pushes.
   c. [S]IEM Tool allows a series of tests to be run against standardised logs to produce results.
   d. SIEM Tool permits Operational Security to print and export files to Microsoft Office or alternate tool for summarisation and graphing.
   e. SIEM Tool permits scheduling of both analysis and summary reports against the key headings in the Fujitsu Services Horizon Security and Control Framework.
   f. SIEM Tool allows trending, summarisation and ad hoc queries when required by authorised users.
   g. SIEM Tool permits management of SIEM tool users and their rights.
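As an added illustration of dependencies 5.g to 5.j and 6.b above (a scheduled push of logs to a central collection point, resend of failed pushes, an audit report of failures, audited access to the collection platform, and a tamper-evident retention trail for the Rules of Evidence), the following Python is written for this page and is not the Horizon design or any Maestro, Tivoli or SIEM product code; the CentralCollector stand-in, the source names and the log lines are constructed.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample log lines from two notional source platforms (not Horizon data).
SAMPLE_LOGS = {
    "unix-srv-01": [
        "Feb  3 09:12:01 unix-srv-01 sshd[4123]: Accepted publickey for opsadmin from 10.0.0.5",
        "Feb  3 09:40:17 unix-srv-01 sshd[4188]: Failed password for root from 10.0.0.9",
    ],
    "win-srv-02": [
        "2009-02-03 09:15:03,Security,Success Audit,528,SVC\\jbloggs,WIN-SRV-02",
    ],
}

GENESIS = "0" * 64  # start value of the hash chain


def chain_digest(prev_hash: str, lines: list) -> str:
    """Digest of one batch bound to the previous digest: altering, dropping or
    reordering any earlier batch invalidates every later manifest entry."""
    h = hashlib.sha256(prev_hash.encode())
    for line in lines:
        h.update(line.encode() + b"\n")
    return h.hexdigest()


@dataclass
class CentralCollector:
    """Stand-in for the Central Collection platform; every push attempt is
    recorded (dependency 5.j: audit of any access)."""
    accept: bool = True
    batches: list = field(default_factory=list)       # (source, lines) accepted
    access_audit: list = field(default_factory=list)  # (cycle, source) per attempt

    def receive(self, cycle: int, source: str, lines: list) -> None:
        self.access_audit.append((cycle, source))
        if not self.accept:
            raise ConnectionError("central collection point unreachable")
        self.batches.append((source, list(lines)))


class PushScheduler:
    """Stand-in for the scheduled push (5.g): failed pushes stay queued and are
    resent next cycle (6.b), and each failure is written to an audit report."""

    def __init__(self, collector: CentralCollector):
        self.collector = collector
        self.pending = {}    # source -> lines still to be delivered
        self.failures = []   # audit report of failed pushes
        self.manifest = []   # retention manifest, one hash-chained entry per batch
        self.prev_hash = GENESIS

    def queue(self, source: str, lines: list) -> None:
        self.pending.setdefault(source, []).extend(lines)

    def run_cycle(self, cycle: int) -> int:
        """Push every pending batch once; return how many were delivered."""
        delivered = 0
        for source in list(self.pending):
            lines = self.pending[source]
            try:
                self.collector.receive(cycle, source, lines)
            except ConnectionError as exc:
                self.failures.append({"cycle": cycle, "source": source,
                                      "lines": len(lines), "error": str(exc)})
                continue  # batch remains in self.pending for the next cycle
            digest = chain_digest(self.prev_hash, lines)
            self.manifest.append({"cycle": cycle, "source": source,
                                  "count": len(lines), "sha256": digest})
            self.prev_hash = digest
            del self.pending[source]
            delivered += 1
        return delivered


def verify_retention(manifest: list, batches: list) -> bool:
    """Recompute the chain over what the collector holds (5.i): a dropped,
    reordered or edited batch breaks the chain and the check fails."""
    if len(manifest) != len(batches):
        return False
    prev = GENESIS
    for entry, (source, lines) in zip(manifest, batches):
        digest = chain_digest(prev, lines)
        if source != entry["source"] or digest != entry["sha256"]:
            return False
        prev = digest
    return True


def demo() -> dict:
    """Cycle 1 with the collection point down, cycle 2 with it back."""
    collector = CentralCollector(accept=False)
    sched = PushScheduler(collector)
    for source, lines in SAMPLE_LOGS.items():
        sched.queue(source, lines)
    first = sched.run_cycle(1)     # both pushes fail and are reported
    collector.accept = True
    second = sched.run_cycle(2)    # both batches resent and chained
    intact = verify_retention(sched.manifest, collector.batches)
    tampered = [(s, l[1:]) for s, l in collector.batches]  # first line of each batch removed
    return {"cycle1": first, "cycle2": second, "failures": len(sched.failures),
            "intact": intact, "tampered_ok": verify_retention(sched.manifest, tampered),
            "pending": len(sched.pending), "accesses": len(collector.access_audit)}
```

Running `demo()` shows two failures reported in cycle 1, both batches delivered in cycle 2 with nothing left pending, four audited access attempts, and the retention check passing on the stored batches but failing once a line is removed.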
3.0 Process Flow
NB. Key processes from other areas have been included to illustrate the integration of all areas in producing and analysing event logs.
[Figure 1 Process Flow for Event Logging]
1. Items in Red are PO Ltd Process
2. Items in green are non Operational Security Process
3. Items in grey are Operational Security Processes
3.1 Horizon Security and Control Framework
In the absence of a Horizon Security Framework, the principles adopted by other Fujitsu Services Account Security Frameworks (e.g. NHS) have been provided by the CISO and will be adopted until one is ready for Horizon and HNG-X; their key points are documented below to provide a background to this process.
The overall framework is split into manageable areas that are in line with Security Policy sections.
This comprises five main work strands and twenty separate task areas, or controls, [that have] been identified as outlined in the table below. These allow the sets of co[ntrols to be] addressed to the audiences who need to work with them, in a more logical and [...]
A1. Personnel Security | B1. Operating Systems | C1. Access Management | D1. [...] | E1. Change Control
A2. Training & Awareness | B2. Backup and Media Management | C2. [Solutions] Design | D2. Policy, Security Management and Compliance | E2. Service Delivery Processes
 | B3. Networks | | D3. Legal & Contractual Responsibilities | E3. Business Continuity
 | B4. Event Audit | | D4. Information Classification and Handling | E4. Security Incident Management
 | | | D5. Third Party Issues | E5. Physical Security
 | | | D6. Security Culture & Leadership |
Figure 2 Security and Control Framework Overview
3.2 Event Audit Security Control and Framework Requirements
Event Audit is part of the overall control framework and cannot be considered in isolation; in particular it relates to the other key controls shown below, and these are the key areas that Operational Security needs to report back to both the CISO and PO Ltd on:
• Operating Systems;
• Back-up and Media Management;
• Off-site Issues;
• Networks;
• Access Management;
• Solutions Design;
• Risk Management;
• Legal & Contractual; and
• Security Incident Management.
The controls in the framework are not intended to be detailed specific security or build standards - these will be drafted by s[...] technical teams, hence this operational process. An i[nitial ...] Tivoli staff to assess whether the information is g[athered ...] would be required in Horizon, and this is shown [...]
The controls in the framework outline [...] comply with the security requiremen[ts ...] [C]S/SER/016 Service Description for the Security Management Service. [...] are not simply technical security countermeasures. They also c[over ...] [...]ated controls, in-built to systems and applications, controlling [...]tivity — these help ensure consistent operation of [...] [...]ing procedures or technology [...]
3.3 Event Audit Framework and current view
Control Group B.4 Event Audit
[...] | 7799 Ref | 27001 Ref | Control | Responses
Gathering of Event Information
[...] | [...] | [...] | [...] | Tivoli / HP Openview / Athene / Patrol / Network syslogs / Insight Manager and ServerView / Sophos AV Logs / RSA Token and KMA logs
868 | 9.7.2 | 10.10.2 | Monitoring of Activity: Operational activity [...] | Monitoring of Availability is undertaken by Tivoli and the SDU's tools, but Security monitoring is not undertaken
869 | 9.7.2 | 10.10.2 | Monitoring of Activity | Security Awareness program and policy to do [...]
870 | 9.7.2 | 10.10.2 | Monitoring of Acti[vity] | [...] this needs to be put in place for Horizon
871 | 9.7.2 | 10.10.2 | [R]egular inspection of console and operations logs | This takes place for availability by SMC and SDU's but no Security Monitoring
794 | 9.5.5 | 11.5.4 | System logging will be enabled to provide audit of all attempts to gain access to system utilities | This is undertaken via RSA Logs and SSH logs, but analysis of these by security is not undertaken
989 | 10.4.3 | [...] | [...] to Program [...]: All accesses to the program source libraries to be audited | This is not done by Tivoli, or any of the Management tools above
[...] | 7799 Ref | 27001 Ref | Control | Responses
1037 | 10.5.6 | 10.10.2 | Control of Access to the System Managers Accounts: Generate a continuous [log of] commands issued by the Administrator's account | Auditing tools undertake this [...] dependent but none of this is centralised; the only logs of commands made is on [...]; this is possible for counters through the ARQ service but not other areas
1205 | 12.1.7 | 13.2.3 | Collection of Evidence: Sufficient evidence to [...] an action against an individual o[r ...] | Not at present
1206 | 12.1.7 | 13.2.3 | Collection of Evidence: For internal disc[iplinary ...] necessary to [...] procedures | Fine for ARQ's but not other areas
1207 | 12.1.7 | 13.2.3 | Collection of Evidence: E[...] to comply with [...] | Fine for ARQ's but not other areas
1208 | 12.1.7 | 13.2.3 | Collection of Evidence: [...] that court should be [...] | Fine for ARQ's but not other areas
1209 | 12.1.7 | 13.2.3 | Collection of Evidence: [...] in systems to comply with code of con[duct ...] the production of admissible [...] | Fine for ARQ's but not other areas
1210 | 12.1.7 | 13.2.3 | Collection of Evidence: It should be possible to demonstrate the quality and completeness of evidence | Fine for ARQ's but not other areas
1213 | 12.1.7 | 13.2.3 | Collection of Evidence: A strong evidence trail to be provided | Policy and processes required here for internal but Fine for ARQ's
[...] | 12.1.7 | 13.2.3 | Collection of Evidence: Outside organisations brought in as soon as legal action is contemplated | Policy and processes required here for internal but Fine for ARQ's
[...] | 12.1.7 | 13.2.3 | Collection of Evidence: Lawyers to be consulted on possible actions to be taken | [...]
[...] | 12.4.7 | 13.2.3 | Collection of Evidence: Police to be informed as soon as possi[ble] | Policy and processes required here for internal but Fine for ARQ's
Logging Events
821 | 9.7.4 | 10.10.1 | Event Logging: Audit logs recording [...] security relevant events [to be] kept for an agreed period, in a[ccordance with ...] policy or guida[nce], to assist [...] | Policy and processes required here for internal but Fine for ARQ's
82[...] | 9.7.4 | 10.10.1 | Event Logging: 1. [...] on support systems; 2. logs [of pr]ivileged users on support systems; 3. [...] for privileged users on RMGA [syst]ems; 4. [...]; 5. [...]logs for PO Ltd users | 1. Remote Access is picked up via the SAS servers; 2. Events on Web Pages are not covered by Tivoli for any Management information accessed; 3. Users outside RMGA network and [...] access and SAS are not covered but these should be picked up by Policies on Core; 4. Privileged users on support systems are not picked up by Tivoli, in particular Network Team
822 | 9.7.4 | 10.10.1 | Ev[ent] Log[ging]: Access to Audit Logs shall be strictly controlled and shall be protected from deletion, disablement, modification or fabrication. Wherever possible, there shall be a segregation of duties between overall system security and Audit Logs security. Audit Logs shall be analysed and administered only by appropriately trained staff. | Access to Tivoli Audit logs is controlled by Role. Access to other management systems is also controlled by role, [but] analysis of the logs does not take [place]
824 | 9.7.1 | 10.10.1 | Event Logging: The amount of data to be recorded [to be] configurable | [D]one within Tivoli via Filters
825 | 9.7.4 | 10.10.1 | Event Logging: Record the User ID | This is done
826 | 9.7.1 | 10.10.1 | Event Logging: Record the date and time | This is manipulated in Tivoli
827 | 9.7.1 | 10.10.1 | Event Logging: [...] | This is not done due to the volume
828 | 9.7.1 | 10.10.1 | Event Logging: [...] need to be accounted for | This is not done as no one has requested
829 | 9.7.1 | 10.10.1 | Event Logging: [...] configurable and should include alerts of when Personal Data is [...] without consent | This is only done when access is through the SAS server
831 | 9.7.4 | 10.10.1 | Event Logging: [...] | [...] not been viewed as required by Tivoli
832 | 9.7.1 | 10.10.1 | Event Logging: Account for all failed log-on attempts | This is done
833 | 9.7.1 | 10.10.3 | Event Logging: Account for all privileged operations | This will be picked up by Tivoli if the SDU set the log to capture this information. Logs Managing Tivoli access do [...]
834 | 9.7.1 | 10.10.3 | Event Logging: Account for all log-ons | This will be picked up by Tivoli if the SDU set the log to capture this information. Believe yes in most cases
835 | 9.7.1 | 10.1[0.3] | Event Logging: Account for all log-offs | This will be picked up by Tivoli if the SDU [set the log t]o capture this information. Believe [...]
836 | 9.7.1 | 10.10.3 | Event Logging: Account for all workstation [...] | [This wi]ll be picked up by Tivoli if the SDU [set th]e log to capture this information. Only exception is local log on where the local lo[g] will store this and it will not be picked up by Tivoli
837 | 9.7.1 | 10.10.3 | Event Logging: Account for all upd[ates to ...] time application software | This depends on the Audit Policy set on the platform; if the SDU has set this requirement then it will be and will be captured by Tivoli
838 | 9.7.4 | 10.10.3 | Event Logging: [...] [wher]e a file is viewed | Tivoli staff is not aware of any standard
839 | 9.7.1 | 10.10.3 | Event Logging: [...] | This is not done.
840 | 9.7.1 | 10.10.3 | Event Logging: [...] | This is not done.
84[1] | 9.7.1 | 10.10.3 | Event Logging: [Acc]ount for every print-out | This is not done.
842 | 9.7.1 | 10.10.3 | Event Logging: Monitor known covert channels | This is not done. Tivoli staffs do not believe this is done within Tivoli, only where anything is recorded to the SAS server and in the Corporate VPN OOH solution. Further clarification is required from Marc Jarosz in Network Team
[E]vent Logging Facilities/Utilities
857 | 9.7.1 | 10.10.3 | Trusted Facilities Management: Accor[...] Facilities [...] [p]rivileged users [...] | No answer to this yet, needs more investigation with SDU's
858 | 9.7.1 | 10.10.3 | Trusted Facilities Management: Separate accounts [...] | This does not occur within Tivoli unless the SDU has set the log to do so and the Tivoli staff do not think this has happened
859 | 9.7.1 | 10.10.3 | Trusted Facilities Management: Acc[...] | This occurs based on roles
860 | 9.7.1 | 10.10.3 | Trusted Facilities Management: [...] [accou]ntable | The collection of events is made but accountability is never reviewed within Tivoli as comparisons to roles against actions are not made
861 | 9.7.1 | 10.10.3 | Trusted Facilities Management: [Th]e raising of an audit alarm to be reported | Alarms are raised for failed logons and bad passwords only
862 | 9.7.1 | 10.10.3 | Trusted Facilities Management: All attempts to delete, write or append the Accounting files to be accountable [...] on specific workstations | This does not occur
863 | 9.7.1 | 10.10.3 | Trusted Facilities Management: [...] | This does not occur
1245 | 12.3.1 | 15.3.1 | [Auditing Tools]: A range of facilities for analysing Accounting Logs should be provided | This does not occur
1246 | 12.3.1 | 15.3.1 | [Aud]iting Tools: Able to export Accounting Log information into Database and Spreadsheet formats | This does not occur
Auditing Tools (1247 to 1255; 7799 Ref 12.3.1, 27001 Ref 15.3.1)
Controls:
• [Able to export Accounting Log information] into Word-Processing formats
• Able to select particular typ[es of ...] the Accounting Log
• Able to select the actions of [...] including the id[ent]ification of [...] custom[...]
• [... eve]nts that took place [...] [b]y dates and times
• [...] of all system users
• [...] modified a given [...] over a given period of time
• [... sel]ect Combinations of events
• [Abl]e to sort the Accounting Log records
• Automatic report generation facilities
• Use of automated monitoring tools that raise alarms on recording suspicious events or suspicious trends in events
• Able to combine Accounting Log information with information received from other sources
Responses (as recorded, in order):
• [...] occur
• This does not occur
• This does not occur
• This can be undertaken for availability issues by SMC, but they do not see successful events
• This does not occur
• This does not occur
• This does not occur
• This is only possible from the ARQ area
864 | 9.7.4 | 10.10.3 | Accounting Log Capacity: When the Account[ing Log ...] | [This does not occur within] Tivoli unless the SDU has set the log to do so and the Tivoli [staff] do not think this has happened
865 | 9.7.4 | 10.10.3 | Accounting Log Capacity: [...] secondary Accounti[ng ...] | This does not occur within Tivoli unless the SDU has set the log to do so; SDU's need to confirm if they have
867 | 9.7.4 | 10.10.3 | Accounting Log Capacity: [...] | This does not occur within Tivoli unless the SDU has set the log to do so; SDU's need to confirm if they have
872 | 9.7.3 | 10.10.2 | Clock Synchronisation: [...] | This is done via a network Time Server
873 | 9.7.3 | 10.10.2 | Clock Synchronisation: [...] | This is done via a network Time Server
874 | 9.7.3 | 10.10.2 | Clock Synchronisation: [Sync]hronisation to be automated | This is done via a network Time Server
1274 | 12.3[...] | [...] | [System] audit tools (programs and log files) [shall o]nly be available to authorised personnel [an]d will be protected to prevent any possible misuse or compromise | This is Role Based, but analysis of tools against roles needs reviewing in Horizon and a definitive storage place for this information kept
1282 | [...] | [...] | Release, use and return of system audit tools to be logged | This is not done
1236 | 12.3.1 | [...] | [System Audit Controls]: Audit requirements and activities should be planned to minimise the risk of disruption to the business | This is carried out for availability only
1237 | 12.3.1 | [...] | [Syst]em Audit Controls: Audit requirement to be agreed with system [...] | Historically 10/11 years ago, but System Owners are not clearly identified in the [Hor]izon solution
1238  12.3.1  15.3.1  System Audit Controls
  Requirement: The scope of the checks to be agre... controlled
  Horizon: Historically 10/11 years ago but System Owners are not clearly identified in the Horizon solution.
1239  12.3.1  15.3.1  System Audit Controls
  Requirement: Checks to be limited to 'rea... software and data
  Horizon: This applies to availability only as other checks are not carried out.
1240  12.3.1  15.3.1  System Audit Controls
  Requirement: Updating of inform... ...erformed only on isolated copies
  Horizon: This is not done
1241  12.3.1  15.3.1  System Audit Controls
  Requirement: ...
  Horizon: This is done through roles and needs to be reviewed.
(row number illegible)  12.3.1  System Audit Controls
  Requirement: ... special or additional ... identified and agreed
  Horizon: This is not done
(row number illegible)  System Audit Controls
  Requirement: ...ss to be monitored and logged to ... reference trail
  Horizon: This is not done within Tivoli, though other SDU tools may do this and not feed the information to Tivoli
(row number illegible)  System Audit Controls
  Requirement: All procedures, requirements and responsibilities to be documented
  Horizon: This is dependent where one sits in the RMGA account and it needs a Se... Framework and policy to pull together
Log Retention

1256  12.3.1  15.3.1  Retention of Accounting Log
  Requirement: The Accounting Log sh... enable investigations to ... necessary
  Horizon: This can be done through Tivoli and SDU tools and backups to the Centera are made and tapes taken.
1257  12.3.1  15.3.1  Retention of Accounting Log
  Requirement: Accounting Logs ... ...hnology support systems (e.g. fire...)
  Horizon: This is currently the case for the old NNM and it is expected to be the case with the new syslog server
1258  12.3.1  15.3.1  Retention of Accounting Log
  Requirement: ...
  Horizon: This occurs on the Centera
1259  12.3.1  15.3.1  Retention of Accounting Log
  Requirement: ...
  Horizon: This does occur
1260  12.3.1  15.3.1  Retention of ...
  Requirement: ...
  Horizon: This is dependent on the SDU unit; in all cases patching and vulnerability management is an issue.
1261  12.3.1  15.3.1
  Requirement: Accounting Log to be securely disposed of, by logical erasure/physical destruction, when no longer required
  Horizon: This does not occur except when the platform is decommissioned and network operations degauss the disk.
1262  12.3.1  15.3.1
  Requirement: Use integrity checking countermeasures to ensure that the Log has been archived successfully
  Horizon: This does occur with archives to the Audit Server.
1263  12.3.1  ...  ...ation of Accounting Log
  Requirement: Accounting Log for infrastructure on which RMGA systems are run to be kept for 6 (continues on the next page)
  Horizon: This is not done
(row 1263, requirement continued) ...months on... archived ... 30 months off-line
1264  12.3.1  15.3.1  Retention of Accounting Log
  Requirement: ...
  Horizon: ...not done
1265  12.3.1  15.3.1  Retention of Accounting Log
  Requirement: ...relate...
  Horizon: This is not done
1266  12.3.1  15.3.1  Retention of Account...
  Requirement: Replace ... when they reach ...
  Horizon: This is not done
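Row 1262 asks for integrity checking countermeasures to confirm that a log has been archived successfully. The Python below is an added example of one such countermeasure, a SHA-256 manifest recorded when the files leave the live system and verified against the archived copy afterwards; it is not the document's or Fujitsu's tooling, and the file names, log contents and temporary directories are constructed for the demonstration.

```python
"""Added example (not Fujitsu/Horizon tooling): manifest-based integrity check
for archived accounting logs. File names and contents below are constructed."""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(src_dir, manifest_path):
    """Record digest, size and name of every file before it is sent to archive.
    The manifest itself must be kept somewhere the archive cannot alter."""
    with open(manifest_path, "w") as out:
        for name in sorted(os.listdir(src_dir)):
            p = os.path.join(src_dir, name)
            if os.path.isfile(p):
                out.write(f"{sha256_file(p)}  {os.path.getsize(p)}  {name}\n")


def verify_archive(archive_dir, manifest_path):
    """Compare the archived copy against the manifest. Returns a list of
    problems; an empty list means every file is present, same size, same hash."""
    problems = []
    with open(manifest_path) as f:
        for line in f:
            digest, size, name = line.rstrip("\n").split("  ", 2)
            p = os.path.join(archive_dir, name)
            if not os.path.isfile(p):
                problems.append(f"missing: {name}")
            elif os.path.getsize(p) != int(size):
                problems.append(f"size mismatch: {name}")
            elif sha256_file(p) != digest:
                problems.append(f"hash mismatch: {name}")
    return problems


def demo():
    """Archive two constructed log files, verify, then corrupt one archived
    copy and verify again. Returns (problems_before, problems_after)."""
    root = tempfile.mkdtemp()
    src, arc = os.path.join(root, "live"), os.path.join(root, "archive")
    os.makedirs(src)
    with open(os.path.join(src, "audit-2009-02-02.log"), "w") as f:
        f.write("2009-02-02 08:14:03 EventID=4624 Account=jsmith\n")
    with open(os.path.join(src, "audit-2009-02-03.log"), "w") as f:
        f.write("2009-02-03 08:20:41 EventID=4625 Account=jsmith\n")
    manifest = os.path.join(root, "manifest.sha256")
    write_manifest(src, manifest)
    shutil.copytree(src, arc)            # stands in for the transfer to archive
    before = verify_archive(arc, manifest)
    with open(os.path.join(arc, "audit-2009-02-03.log"), "a") as f:
        f.write("2009-02-03 08:21:00 EventID=4624 Account=jsmith\n")  # simulated corruption
    after = verify_archive(arc, manifest)
    shutil.rmtree(root)
    return before, after


if __name__ == "__main__":
    ok, bad = demo()
    print("clean archive:", ok or "no problems")
    print("corrupted archive:", bad)
```

The size check runs before the hash so that a truncated or appended file is reported cheaply; the manifest should be stored and protected separately from the archive, otherwise whoever can alter the archive can also rewrite the digests.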
843  9.7.1  ...vent Auditing/Reviewing Processes
  Requirement: The types of events that ... should be specified
  Horizon: This has not been defined recently but 10/11 years ago
845  9.7.1  10.10.3  Review Event Log
  Requirement: ... number of occasions accounts are ... out of normal hours
  Horizon: This is not done
846  9.7.1  10.10.3  Review Event Log
  Requirement: ...ew trends in the usage of specific ...ounts
  Horizon: This is not done
847  9.7.1  10.10.3  Review Event Log
  Requirement: Review trends in the use of the system from remote workstations
  Horizon: This is not done
848  9.7.4  10.10.3  Review Event Log
  Requirement: Track selected transactions
  Horizon: This is not done
849  9.7.1  10.10.3  Review Event Log
  Requirement: Review trends in the reports that are being printed
  Horizon: This is not done
850  9.7.1  10.10.3  Review Event Log
  Requirement: Review trends in the changes in labels (continues on the next page)
  Horizon: This is not done
851  9.7.1  10.10.3
  Requirement: ...
  Horizon: This is not done
852  9.7.1  10.10.3
  Requirement: ...
  Horizon: This is not done
853  9.7.1  10.10.3
  Requirement: ...
  Horizon: This is not done
(row 850, requirement continued) ...associated with IT resources
854  9.7.1  10.10.3  Review Event Log
  Requirement: The frequency with which the Secu... Log ... should be reviewed should be ...
  Horizon: ...requires agreement with SDUs and a...
855  9.7.1  10.10.3  Review Event Log
  Requirement: Events Log to be revie... week
  Horizon: With the current toolsets and volume of data this is una...
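Rows 845 and 846 call for a review of the number of occasions accounts are used out of normal hours and of trends in the usage of specific accounts, which row 855 expects to happen weekly. The Python below is an added example of that review run over a week of constructed sshd log lines; it is not the document's or Fujitsu's tooling, and the normal hours (07:00 to 19:00), host name, account names and the year used to complete the syslog timestamps are assumptions.

```python
"""Added example (not Fujitsu/Horizon tooling): weekly out-of-hours logon
review over constructed sshd lines. Hours, hosts, accounts and year are assumed."""
from collections import Counter
from datetime import datetime, time
import re

# Constructed sample: one review week of successful and failed sshd logons.
SAMPLE_AUTH_LOG = """\
Feb  2 08:15:12 poa-ux01 sshd[1234]: Accepted password for ops1 from 10.0.0.5 port 5022 ssh2
Feb  2 23:41:07 poa-ux01 sshd[1301]: Accepted password for ops1 from 10.0.0.5 port 5102 ssh2
Feb  3 03:02:55 poa-ux01 sshd[1410]: Accepted publickey for svc_batch from 10.0.0.20 port 4410 ssh2
Feb  3 09:30:00 poa-ux01 sshd[1502]: Accepted password for ops2 from 10.0.0.6 port 5200 ssh2
Feb  4 02:17:44 poa-ux01 sshd[1610]: Accepted password for ops1 from 10.0.0.5 port 5301 ssh2
Feb  4 10:05:13 poa-ux01 sshd[1705]: Failed password for ops2 from 10.0.0.6 port 5302 ssh2
"""

# Only successful logons are reviewed here; failures belong to a separate test.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)"
)
WORK_START, WORK_END = time(7, 0), time(19, 0)   # assumed normal hours


def parse_logons(text, year=2009):
    """Yield (timestamp, user, source) for each successful logon line.
    Syslog lines carry no year, so one is supplied (assumed here)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["src"]


def is_out_of_hours(ts):
    return not (WORK_START <= ts.time() < WORK_END)


def out_of_hours(logons):
    """Row 845: every occasion an account was used outside normal hours."""
    return [(ts, user, src) for ts, user, src in logons if is_out_of_hours(ts)]


def usage_by_account(logons):
    """Row 846: per-account (total logons, out-of-hours logons) for the week,
    the figures a reviewer would compare against previous weeks."""
    totals, ooh = Counter(), Counter()
    for ts, user, _ in logons:
        totals[user] += 1
        if is_out_of_hours(ts):
            ooh[user] += 1
    return {u: (totals[u], ooh[u]) for u in totals}


if __name__ == "__main__":
    logons = list(parse_logons(SAMPLE_AUTH_LOG))
    for ts, user, src in out_of_hours(logons):
        print(f"out of hours: {ts:%a %d %b %H:%M} {user} from {src}")
    for user, (total, after_hours) in usage_by_account(logons).items():
        print(f"{user:10} logons={total} out_of_hours={after_hours}")
```

An account such as the constructed svc_batch, which only ever appears out of hours, is exactly the kind of trend the weekly figures make visible once a baseline from earlier weeks exists.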
3.4 Operational Security Framework implementation
The first process that the Operational Security team undertakes prior to running any reports is a check that all logs are present and available. Tests are then undertaken for each platform and log type to assess whether that individual log fulfils the particular control requirement. Each test is:
• Given a unique number,
• Given a description,
• Given a test definition,
• Given a successful test criteria,
• Validated,
• Given a result of Yes or No for ...
Dependent on the type of test, Test 1.1 could be a test for a successful logon, and this would apply whether the log was a Windows, UNIX, Application, Database or Network log.
The results of each control requirement test are then recorded with the following details:
• The platform concerned, including the owner
• The type of log analysed (see below for initial thoughts on types)
  o Windows Operating System (OS)
  o Unix (OS)
  o Router syslog
  o Switch syslog
  o Firewall syslog
  o SAP Log
  o Oracle/SQL database log
  o Anti Virus log
  o Active Directory Log
  o RSA Token Authentication Log
  o Radius Log
  o IDS/IPS log
  o DNS log
  o SSH Log
  o SAS Log
• The day and date the log was analysed
• ... failure (including no data available)
• ... Incident Management Process.
(NB. The process to do this will need further investigation as some SDU teams do not have access to PEAK, which would be the RMGA preferred option.)
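The check-and-record cycle this section describes (confirm every log is present and available, run each numbered test against each platform and log type, record a Yes/No result per platform and log with "no data available" counted as a failure to be raised through the incident process), as an added example in Python. This is not Fujitsu's or the Horizon programme's tooling: the platform names, the log line formats, the event identifiers used in the test definitions and the second test (1.2) are constructed for illustration; Test 1.1 (successful logon) is the one the section itself names.

```python
"""Added example (not Fujitsu/Horizon tooling): harness for the control
requirement tests of section 3.4. Platforms, log formats and tests are constructed."""
from dataclasses import dataclass
from datetime import date
import re

# Constructed sample logs keyed by (platform, log type). The router has no
# data at all, which the process records as a failure ("No data available").
SAMPLE_LOGS = {
    ("POA-DC01", "Windows OS"): [
        "2009-02-02 08:14:03 EventID=4624 Account=jsmith Status=Success",
        "2009-02-02 09:02:17 EventID=4634 Account=jsmith Status=Logoff",
    ],
    ("POA-UX01", "Unix OS"): [
        "Feb  2 08:15:12 poa-ux01 sshd[1234]: Accepted password for ops1 from 10.0.0.5 port 5022 ssh2",
        "Feb  2 08:16:00 poa-ux01 sshd[1240]: Failed password for ops1 from 10.0.0.9 port 5100 ssh2",
    ],
    ("POA-RTR01", "Router syslog"): [],
}


@dataclass
class ControlTest:
    number: str            # unique test number, e.g. "1.1"
    description: str
    definitions: dict      # test definition: log type -> regex a qualifying event matches
    success_criteria: str  # stated for the record; here "at least one match"


@dataclass(frozen=True)
class TestResult:
    platform: str
    log_type: str
    test_number: str
    analysed_on: date
    result: str            # "Yes", "No" or "No data available"


# Test 1.1 is the section's own example; 1.2 is a constructed companion.
TESTS = [
    ControlTest("1.1", "Successful logon is recorded",
                {"Windows OS": r"EventID=4624\b",
                 "Unix OS": r"Accepted (password|publickey) for",
                 "Router syslog": r"%SEC_LOGIN-5-LOGIN_SUCCESS"},
                "at least one successful logon event present in the review period"),
    ControlTest("1.2", "Failed logon is recorded",
                {"Windows OS": r"EventID=4625\b",
                 "Unix OS": r"Failed password for",
                 "Router syslog": r"%SEC_LOGIN-4-LOGIN_FAILED"},
                "at least one failed logon event present in the review period"),
]


def missing_logs(logs):
    """First step of the process: (platform, log type) pairs with no data."""
    return sorted(key for key, lines in logs.items() if not lines)


def run_test(test, platform, log_type, lines, analysed_on):
    """Validate one test against one log and return the recorded result, or
    None when the test has no definition for this log type."""
    pattern = test.definitions.get(log_type)
    if pattern is None:
        return None
    if not lines:
        verdict = "No data available"
    elif any(re.search(pattern, line) for line in lines):
        verdict = "Yes"
    else:
        verdict = "No"
    return TestResult(platform, log_type, test.number, analysed_on, verdict)


def run_all(tests, logs, analysed_on=date(2009, 2, 3)):
    """Run every test against every log; the default date is constructed."""
    results = []
    for (platform, log_type), lines in sorted(logs.items()):
        for test in tests:
            r = run_test(test, platform, log_type, lines, analysed_on)
            if r is not None:
                results.append(r)
    return results


def failures(results):
    """Outcomes to raise through the incident process: anything other than Yes."""
    return [r for r in results if r.result != "Yes"]


def verdict(results, platform, test_number):
    return next(r.result for r in results
                if r.platform == platform and r.test_number == test_number)


if __name__ == "__main__":
    print("logs with no data:", missing_logs(SAMPLE_LOGS))
    for r in run_all(TESTS, SAMPLE_LOGS):
        print(f"{r.platform:10} {r.log_type:14} test {r.test_number}: {r.result}")
```

A log that is present but empty and a log that was never collected both end up as "No data available", which keeps the presence check and the per-test results consistent with each other; the result record carries platform, log type, test number and analysis date, the fields the section says are to be recorded, with the owner left to whatever inventory the team keeps.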
3.5 Tests
Within Horizon currently no event testing is undertaken and therefore an initial baseline of tests has been obtained from another Fujitsu account as a starting point for discussion with the relevant Service Delivery Managers, Operation Unit Managers and ISD SDU units, and will be expanded once this discussion has taken place.
RMGA collection validation sample (embedded spreadsheet)
3.6 Reports
3.6.1 Summary Reports
The CISO and Operational Security Team agr... reports required for PO Ltd and those that are ... management. ... regular dates for agreed summary ...
3.6.2 Compliance Report
Those required for compliance ... sent to Information Governance as Audit Records.
Initially the intention is to ... fails, collected based on ... and Control Framework criterion and the ISO 27001 reference; this w... ... with Information Governance.
...s for the reports detailed below. RMGA CISO in ... decide which of these they will require, and Information ... Operational Security also needs to agree which they want. I ... ...elieve are not applicable to RMGA and have included the full set ...s. In addition I have ...
Compliance Reports - Basel II  Yes as is ISO 17799/27001
enVision includes the following standard compliance reports for BASEL II
1. Computer Account Logon Activity
ISO 17799/27001 Section A.9.5.2
Lists all local and remote logon activity for all monitored ...ws, ...IX Unix, Sun Solaris and Red Hat Linux systems
2. Computer Account Logon Activity - Windows Detail
ISO 17799/27001 Section A.9.5.2
Lists all logon activity for all monitored Windows dom... systems, but provides a greater level of detail than the Computer Account L... This report is specific to monitored Windows ...ms.
3. Computer Account Status by Account - Windows
ISO 17799/27001 Section A.9.5.3
Lists all logon activity for specific ... accounts; the accounts in question should be listed as run-time parameters
4. Control of Collected Evidence
ISO 17799/27001 Section A.12.1.7.1
Lists all changes and object level access events to all ... This report requires that all evidence be contained within directories included in the Rules for Evidence device group, and that ...
5. Control of Collected Evidence - Windows
ISO 17799/27001 Section A.12.1.7.1
6. ...
ISO 17799/27001 Section A.1...
7. Control of Human Resources Data - Windows Detail
ISO 17799/27001 Section A.12.1.3
Lists all changes and object level access events to the HR device group. This report requires that all ...s Relation data be contained within directories included in the HR device group, and that object level auditing be ... ...ectories. This report is specific to monitored Windows systems, but provides a greater level of detail than the standard Control of ...
8. Control of Operational Software
ISO 17799/27001 Section A.10.4.1
Lists all changes and object level access events to the Operational Sof... ...is report requires that all operational software be contained within the Operational Software device group, and that obj... ...enabled on the directories containing the Operational Software and data
9. Control of Operational Software - Windows Detail
ISO 17799/27001 Section A.10.4.1
Lists all changes and object level access events to th... device group. This report requires that all operational software be contained within the Operational Software device ... level auditing be enabled on the directories containing the Operational Software and data. This report is specific to Win...
10. Control of System Audit Data
ISO 17799/27001 Section A.12.3.2
Lists all changes and object level a... data and result data be contained...
11. Control of System Audi...
ISO 17799/27001 Section ...
Lists all changes and object level access events to the software and data used to perform system aud... ...res that the software, source data and result data be contained within a device group, and object level auditing be enabled on the ... This report is specific to Windows devices but provides more detail than the standard Control of System Audit Data report
12. Control of System Test Data
ISO 17799/27001 Section A.10.4.2
Lists all changes and object level access events to the systems and data used in the ...ing of Operational Software security. This report requires that all system test data be contained in the Operational Software device group, and object level auditing be enabled on the directories containing the system test software, source data and test results.
13. Control of System Test Data - Windows Detail
ISO 17799/27001 Section A.10.4.2
Lists all changes and object level access events to the systems and ... ...ing of Operational Software security. This report requires that all system test data be contained in the Operational Software de... level auditing be enabled on the directories containing the system test software, source data and test results.
14. External Contractors Report
ISO 17799/27001 Section A.8.1.6
Lists all changes and object level access events t... ...for Access device group. This report requires that all computers, software, source data and result findings be contained wi... ...d object level auditing be enabled on the directories containing this data
15. ...
ISO 17799/27001 Section A.8.1.6
Lists all changes and object level a... ...ernal Contractor Access device group. This report requires that all computers, software, source data and result findings ... device group, and object level auditing be enabled on the directories containing this data.
16. Financial Data Access
ISO 17799/27001 Section A.128
Lists all successful and failed access attempts for all financial data. This report requires that all financi... ...d within a device group, and object level auditing be enabled on the directories containing the financial data
17. Financial Data Access - Windows Detail
ISO 17799/27001 Section A.12.1.4
Lists all successful and failed access attempts for all financial data. This report requires that all ... be contained within a device group, and object level auditing be enabled on the directories containing the financial data.
18. Malicious Software Activity Report
ISO 17799/27001 Section A.8.1.2
Lists all malicious software activity for all monitored devices.
19. Operation Change Control Report
ISO 17799/27001 Section A.8.1.2
Lists all configuration and policy changes for the Financial Ope... ...ctu...
20. Operation Change Control Report - Windows Detail
ISO 17799/27001 Section A.8.1.2
Lists all configuration and policy changes for the F... ...rastructure. This report is specific to Windows, but gives a greater level of detail than the standard Operation Change Con...
21. Password Changes and Expirations
ISO 17799/27001 Section A.9.2.3
Lists all manual and automatic password ch... ...ration events. This includes Windows, Sun Solaris, Red Hat Linux, HP-UX and AIX operating systems.
22. Source Code Access
ISO 17799/27001 sec. A.10.4.
Lists all changes and object level access events to the Source Code device group. This report requires ...de for all custom software and commercial software customization be contained within a device group, and object level auditing be ... the directories containing the source code.
23. Source Code Access - Windows Detail
ISO 17799/27001 sec. A.10.4.3
Lists all changes and object level access events to the Source Code device group. ...eport requires ...at the source code for all custom software and commercial software customization be contained within a device group, and object le... ...ing be enabled on the directories containing the source code.
24. User Activity from External Domains - Windows
ISO 17799/27001 Section A.9.4.3
Lists all activities of non-domain authenticated users. All authenticat... ...ed in run time parameters, and multiple domains can be contained within single quotes and separated by commas.
Reports: 24

Compliance Reports - PCI Data Security Standard
enVision includes the following standard complian... ...ent Card Industry (PCI) Data Security Standard.
1. Access to All Audit Trails
PCI Section 10.2.3
Lists all successful logins to enVision.
2. ...
PCI Section 10.1
Lists all successful adminis...
3. All Actions by Individuals with Root or Administrative Privileges - Unix & Linux
PCI Section 10.2.2
Lists all actions taken by users logged in as root. Modify the report to include any additional use... ...been granted full administrative privileges in your environment.
4. All Actions by Individuals with Root or Administrative Privileges - Windows
PCI Section 10.2.2
Lists all actions taken by users logged in as administrator. Modify the report to includ... ...dditional user names that have been granted full administrative privileges in your environment.
5. Anti-Virus Update Procedures
PCI Section 5.2
Lists all update procedures for anti-virus systems.
6. Encrypted Transmission Failures
PCI Section 4.1
Lists all cryptographic operations where use of the crypto... ...disabled by the user.
7. Encryption Key Generation and Changes
PCI Section 3.6.1 and 3.6.4
Lists all the generation and period changing ... ...d in the secure storage and transfer of card data.
8. Firewall Configuration Changes
PCI Section 1.1.1, 1.1.8
Lists all configuration changes made to firewalls within the PCI device group.
9. Inbound Network Traffic ... ports - Detail
PCI Section 1.3.1, 1.3.2
Lists all inbound internet traffic not on ports 80, 22, 443, and 1723.
10. Inbound Network Traffic on non-standard ports - Summary
PCI Section 1.3.1, 1.3.2
Lists all inbound internet traffic not on ports 80, 22, 443, and 1723, summarized by the des...n
11. Individual User Accesses to Cardholder Data - Windows
PCI Section 10.2.1
Lists all successful file access attempts to file objects in the Cardholder Data device g...
12. Initialization of Audit Logs
PCI Section 10.2.6
Lists the initialization of audit logs in Windows, Unix, Linu... ...erating systems.
13. Invalid Logical Access Attempts - ACL Denied Summary
PCI Section 10.2.4
Lists all access attempts that have been denied due to access cont...
14. Outbound Network Traffic - Detail
PCI Section 1.3.6
Lists all outbound traffic for a specific intern... ...t enter the IP address as a run-time parameter.
15. Outbound Network Traffic - Summ...
PCI Section 1.3.6
Lists a summary of all outbound ...
16. Router Configuration C...
PCI Section 1.1.9
Lists all configuration changes made to routers within the PCI device group.
17. Traffic to Non-Standard Ports - Detail
PCI Section 1.1.6
Lists all firewall traffic on ports other than 80, 22, 443 and 1723 ...o the IP address specifi... ...rameter. This report can be modified to include the ports not directly justified by PCI.
18. Traffic to Non-Standard Ports - Summary
PCI Section 1.1.6
Summarizes all firewall traffic not on ports 80, 22, 443 and 1723 to the dest...ion ... where the port used is not directly justified by PCI.
Compliance - PCI Data Security Standard
Reports: 18

Standard Reports - Alerts
Reports module includes the following standard system re...
1. Alert Notes by Date and Time
Lists all alert notes in the database sorted by the ...
2. Alert Notes by View
Lists all alert notes for a specific view. (... modify the report query to specify the view.)
3. Alerts per Hour
Displays the distribution of all ale... ...hour intervals.
4. Alerts Status Summary
Lists a count of alerts within a ... ...ed by status: new alert, under investigation, resolved.
5. Alerts Under Investigation by Date/Time
Lists all alerts under investigation in the database. Sorted by the time the alerts occurred. Use t... alerts under investigation.
6. Alerts Under Investigation by View
Lists all alerts under investigation in the database for a specific view. (... viewname here with the name of the view.)
7. Available Alerts by Date/Time
Lists all alerts and the status of each alert in the database. Sorted by the ...
8. New Alerts by Date/Time
Lists all new alerts in the database. Sorted by the time the alerts ...
9. New Alerts by View
Lists all new alerts in the database for a specific view. You must modify this report prior to running it. (On the ... - Specify Report Selection Criteria window, replace the text type viewname here with the name of the view.)
10. Percentages of Alerts by NIC Category
Displays the distribution of alerts by NIC category.
11. Percentages of Alerts by Alert ...
Displays the distribution of alerts by alert levels.
12. Percentages of Alerts ...
Displays the distribution of ale...
13. Resolved Alerts by Date/Time
Lists all resolved alerts in the database. Sorted by the time the alerts occurred. Use this report t... that have been resolved.
14. Resolved Alerts by View
Lists all resolved alerts in the database for a specific view.
15. Top 20 Alert Categories
Displays the top alert categories by number of alerts.
Reports: 15

Standard Reports - Apache HTTP Server
Reports module includes the following standard reports for the A...
1. Top 20 Client IP Addresses by Connection Requests
Displays the top 20 client IP addresses that had the most su...ssful ...
2. Total Bytes by Apache Device Address
Displays total bytes passed by Apache device a...res...
3. Total Bytes by Client IP Address
Displays total bytes passed by client a...
Reports: 3
Standard Reports - Firewall Device Categories
Reports module includes the following standard reports for reporting on firewalls by categories.
1. Firewalls - Top Events by Category
Displays the top events by category from all firewall devices.
2. Top 20 Firewall Categories
Displays the top 20 firewall categories that generate the highest number of events fro...
Reports: 2

Standard Reports - IDS Device Categories
Reports module includes the following standard reports for reportin... ...S ...
1. IDS Top Alarms by Category
Displays the top signatures by categories from all IDS devices.
2. Top 20 IDS Categories
Displays the top 20 IDS categories that generate t... h... ...vents from all IDS devices.
Reports: 2

Standard Reports - Statistics
Reports module includes the followi... reports ...or ...tem statistics.
Important! To gather the data for ...ese ...ports ...st start the Alerter Service.
1. Daily Event Counts
Displays the total event count...
2. Hourly Event Counts
Displays the total event counts by hour.
3. Percentage of Events by Device Class
Displays the percentage of the total number of events by device class.
4. Percentage of Events by Device Type
Displays the percentage of total number of events by device type.
5. Percentage of Events by NIC Category
Displays the percentage of the total number of events by NIC Category.
6. Syslog Collection Statistics
Summarizes syslog message quantity and byte count on an ... device. Assesses log host system and disk space requirements. Use this report to identify the periods of highest activity.
7. Top 20 Devices
Displays the top 20 devices generating events dur...
8. Top 20 Devices Generating Unknown Eve...
9. Top 20 Device Types Generating ...
Displays the top 20 device types g... events during the selected time period
10. Top 20 Event Categori...
Displays the top 20 event cat... ...e selected time period
11. Top 20 Events
Displays the top 20 event IDs collected during the selected time period.
Reports: 11

Standard Reports - Cisco Access Control Server
Reports module includes the following standard reports for the Cisco Access Control ...
1. ACS Backup And Restore
Displays all backup and restore operations. Sorted by descending time.
2. ACS Service Monitoring
Tracks messages and activities internal to Cisco ACS.
3. Administration Audit
Displays an Administrative Report of all activity carried o... ...e C... ...ure ACS HTML Management Interface. Sorted by descending time.
4. Database Replication
Tracks ACS database replication activity. Sorted by descending time.
5. Failed Authentications
Displays a list of all failed login attempt... ...ed in descending order by descending time.
6. Failed Authentications Count
Displays a count of all failed l... ...y descending time.
7. Passed Authentications
Displays a list of all users that have successfully logged in. Sorted by descending time
8. Passed Authentications Count
Displays a count of all users that have successfully logged in. Sorted by descending time.
9. TACACS+ Accounting
Tracks all login and log out traffic.
10. TACACS+ Administration - Permanent Configuration Changes
Tracks configuration changes that have been executed using the write mem... ...y running start (copy run) commands.
11. Top 10 Users
Counts the number of successful logins (successful authentications) a... ...s them by username.
12. Top 10 Users by Duration
Calculates the total amount of time that users have spent l... ...evices and lists them in descending order by time.
Reports: 12

Standard Reports - Cisco ASA (Firewall)
Reports module includes the following standard ...ports ... ASA (firewall) device.
1. AAA User Authentications
Displays AAA user authentications thr... ...isco AS... ...lls, sorted by date/time sequence. This report requires AAA user authentication ...
2. Bandwidth Usage by Address
Summarizes bandwidth usag... ... Talkers" on your company...
3. Bandwidth Usage by Department
Displays bandwidth usage by department through ASA firewalls. It is used to determine quickly whi...
4. Bandwidth Usage by Port
Summarizes bandwidth usage by port for traffic passing through Cisco ASA firewalls. Sort... ...applications are consuming the most bandwidth. Other common TCP/IP words used synonym... ...ap...cations are port and services. Only ASA firewalls with debug level logging on are reported
5. Bandwidth Usage per Hour
Displays bandwidth usage per hour through ASA firewalls. It is used to spot ...ge trends occurring during specific time periods. Each tick mark on vertical hourly axes represents accumulated usage for ...
6. Bandwidth Utilization
This combination of a graph and a report displays the bandwi...
7. Blocked URL Events
Displays the blocked URL events of internal IP addresses ... by Date/Time. Websense Enterprise software must ...
8. Configuration Changes
Listing of configuration change messages fr... ...to Cisco ASA Firewalls. Only ASA firewall log...
9. Connection Limit Exceeded
Details exceeded connection limi...
10. CPU Over-Capacity ...d Time
Listing of all instances of ASA Firewall CPU utilizations rising above 100%. This is generally consider... ...ndition and if it happens frequently it may be necessary to contact Cisco Systems.
11. Denied Connections per Hour
Displays the number of denied connections per hour through ASA firewalls. It is used to s... threat trends occurring during specific time periods. Each tick mark on vertical hourly axes represents accumulated denied connecti... ...ious hour.
12. Denied Inbound IP Spoofing
... report tracks when a ASA Firewall receives a external packet wit... the IP source addre... ...e IP destination and the destination port equal to the source port sorted by the destination address. This indicates a spoofed ... ...ack systems. This attack is referred to as a Land Attack.
13. Denied Inbound Traffic by Address
Summarizes denied inbound traffic filtered through Cisco ASA fi... ...foreign hosts are being denied access to your company's inte... ...onnections could represent an attempted security policy breach, malicious network reconnaissance, or simply point out a h... ...f configuration issue. Only ASA firewalls with logging on are reported
14. Denied Inbound Traffic by Port
Summarizes denied inbound traffic filtered throu... ...and/or applications. Quickly determines which ... ...denied access; denied connections could represent an attempted security policy breach, malicious network reconnaissance l... ...ply point out a host or network device configuration issue. Only ASA firewalls with logging on are reported
15. Denied Outbound Traffic by Ad...
Summarizes denied outbound tr... ...d thr... ...isco ASA firewalls by local address. Sorted by connection count. Quickly determines which local addresses are possibly attem... ...s your company's security policy. Only ASA firewalls with logging on are reported
16. Denied Outbound Traffic ...
Summarizes denied outbound traffic filtered through Cisco ASA firewalls by port. Sorted by connecti... ...s are used to represent services or applications. Quickly determines which outbound applications are being denied; these d... ...ges could very well represent an attempted security policy breach, malicious network reconnaissance like a port scan, or simply ... network device configuration issue. Only ASA firewalls with logging on are reported.
17. Email Security
Listing of ASA MailGuard messages received from Cisco ASA firewalls. Sorted in da... ...uickly views possible email security breach attempts that were prevented by ASA firewalls. Only ASA firewalls with logging on ar...
18. Failover Messages
Displays a list of failover messages from Cisco ASA firewalls by date/tim...
19. FTP Requests by Date/Time
Displays a list of FTP requests through Cisco ASA Firewalls by ...
20. FTP Requests by Department
Displays FTP requests for each department through Cisc...
21. FTP Requests by Foreign Address
Displays FTP requests to foreign sites by local ...
22. FTP Requests by Local Address
Displays FTP requests by each local a...
23. Inbound E-mail Recipients
Displays inbound emails and ...
24. Inbound E-mail Senders
Displays inbound emails and the senders.
25. Inbound Email Traffic
Displays bandwidth usage of inbound email traffic through Cisco ASA firewalls. Sorted by total connection count. Quickly determines 'Top Foreign Email Senders' if your email servers are located on an internal or DMZ interface. Summarizes email traffic from your own email gateways if they are sitting on an external ASA interface. Only ASA firewalls with logging on are reported. The system calculates inbound email traffic by summarizing all the 302002 traffic logged on local port 25.
26. Inbound FTP Traffic
Displays bandwidth usage of inbound FTP traffic through Cisco ASA firewalls. Sorted by total connection count. Quickly determines which external users use FTP most frequently in your company. Only ASA firewalls with logging on are reported. The system calculates inbound FTP traffic by summarizing all the 302002 traffic logged on local ports 20 and 21.
27. Inbound HTTP Traffic
Displays bandwidth usage of inbound HTTP traffic through Cisco ASA firewalls. Sorted by total connection count. Quickly assesses which foreign users are accessing your internal web servers most frequently. Only ASA firewalls with logging on are reported. The system calculates inbound http traffic by summarizing all the 302002 traffic logged on local port 80.
28. Inbound IP Fragmentation Alert
The ASA Firewall limits the number of IP fragments that can be concurrently reassembled. This restriction prevents memory depletion at the firewall under abnormal network conditions. The report is sorted by count by foreign address. If this message persists, a DoS (denial of service) attack might be in progress.
29. Inbound Telnet Traffic
Displays bandwidth usage of inbound Telnet traffic through Cisco ASA firewalls. Sorted by total connection count. Quickly determines top external Telnet users. Only ASA firewalls with logging on are reported. The system calculates inbound Telnet traffic by summarizing all the 302002 traffic logged on local port 23.
30. Management Access from External Source
Details all of the device management events on the ASA firewall sorted by Date/Time.
31. Outbound E-mail Recipients
Displays outbound emails and the email's intended recipient(s).
32. Outbound E-mail Senders
Displays outbound emails and the email's sender.
33. Outbound Email Traffic
Summarizes bandwidth usage of outbound email traffic through Cisco ASA firewalls. Sorted by total connection count. Quickly determines 'Top Email Talkers' in your company if your email gateway is located on an external interface. Reflects 'Top Email Gateways' if your mail gateways are on the ASA's internal interface network. Only ASA firewalls with logging on are reported. The system calculates outbound email traffic by summarizing all the 302002 traffic logged on foreign port 25.
34. Outbound FTP Traffic
Summarizes bandwidth usage of outbound FTP traffic through Cisco ASA firewalls. Sorted by total connection count. Quickly determines which internal users use FTP most frequently in your company. Only ASA firewalls with logging on are reported. The system calculates outbound FTP traffic by summarizing all the 302002 traffic logged on foreign ports 20 and 21.
35. Outbound HTTP Traffic
Summarizes bandwidth usage of outbound HTTP traffic through Cisco ASA firewalls. Sorted by total connection count. Quickly determines 'Top HTTP Talkers' in your company. Only ASA firewalls with logging on are reported. The system calculates outbound http traffic by summarizing all the 302002 traffic logged on foreign port 80.
36. Outbound IP Fragmentation Alert
The ASA Firewall limits the number of IP fragments that can be concurrently reassembled. This restriction prevents memory depletion at the firewall under abnormal network conditions. This report is sorted by count by local address.
37. Outbound Telnet Traffic
Summarizes bandwidth usage of outbound Telnet traffic through Cisco ASA firewalls. Sorted by total connection count. Quickly determines top local Telnet users. Only ASA firewalls with logging on are reported. The system calculates outbound Telnet traffic by summarizing all the 302002 traffic logged on foreign port 23.
38. Permitted Connections per Hour
Displays the number of connections per hour through ASA firewalls. It is used to spot connection trends occurring during specific time periods. Each tick mark on vertical hourly axes represents accumulated permitted connections for the previous hour.
39. RIP External Security Alert
Displays the ASA Firewall events for received internal RIP reply messages with bad authentication sorted by the local address. This could be due to misconfiguration on the router or the ASA Firewall, or it could be an unsuccessful attempt to attack the ASA Firewall unit's routing table.
40. RIP Internal Security Alert
Displays the ASA Firewall events for received external RIP reply messages with bad authentication sorted by the foreign address. This could be due to misconfiguration on the router or the ASA Firewall, or it could be an unsuccessful attempt to attack the ASA Firewall unit's routing table.
41. SiteTrack Detection
Listing of network traffic through Cisco ASA firewalls that contained SiteTrack keywords. Sorted in date/time sequence. Keyword match is identified with parenthesis characters ( ) preceding the message in the Message column. The SiteTrack feature performs a text string comparison of the DNS host name lookup of source and destination IP addresses, as well as accessed URL pages and FTP file names. The DNS Resolver service must be on, and ASA firewall logging must be on.
42. Top 10 Requested URL/FTP Destinations
Displays the top 10 requested URL and FTP destinations … foreign sites.
43. Top 20 Bandwidth Ports
Displays the top 20 ports of bandwidth usage through ASA firewalls. It is used to identify quickly which applications are consuming the most bandwidth.
44. Top 20 Bandwidth Users
Displays the top 20 bandwidth users through ASA firewalls.
45. Top 20 Connections by Address
Displays the top 20 users of connections through ASA firewalls. It is used to determine quickly which users are consuming the most connections.
46. Top 20 Connections by Port
Displays the top 20 ports with the most connections through ASA firewalls. It is used to identify quickly which applications are consuming the most connections.
47. Top 20 Denied Inbound by Address
Displays the top 20 foreign addresses that were denied inbound access by ASA firewalls. It is used to spot quickly foreign hosts that may have been attempting to gain unauthorized access to your network.
48. Top 20 Denied Inbound by Port
Displays the top 20 ports with the most denied inbound connections through ASA firewalls. It is used to identify quickly which applications are the top sources of inbound denied connections.
49. Top 20 Denied Outbound by Address
Displays the top 20 local addresses that were denied outbound access by ASA firewalls. It is used to identify quickly the top internal hosts that may possibly have been attempting to breach your company's outbound internet security policy.
50. Top FTP Destinations
Displays FTP requests to foreign addresses through Cisco ASA firewalls; it is sorted by the number of requests.
51. Top URL Destinations
Displays URL requests to foreign addresses through Cisco ASA firewalls; it is sorted by the number of requests.
52. Total Connections by Global / Translated Address
Displays the activity for each global address going through the ASA firewall sorted by percent of connections within a specific time period.
53. Translation Activity by Connection ID
Lists build-up and teardown messages for connections through an ASA. These events …
54. URL Requests by Date/Time
Listing of URL and FTP requests through Cisco ASA Firewalls. Sorted in Date/Time sequence. This query report can be used to view which URLs and FTP files were accessed during a certain date/time range. (Only ASA firewalls with logging on are reported.)
55. URL Requests by Department
Summarizes the outbound URL and FTP requests for each department through Cisco ASA firewalls. Sorted by number of requests. Quickly determines which departments are downloading the most …. Only ASA firewalls with logging on are reported.
56. URL Requests by Foreign Address
Summarizes outbound URL and FTP requests to foreign addresses through Cisco ASA firewalls. Sorted by total connections. It can determine quickly the most common URL and FTP destinations in your company. Only ASA firewalls with logging on are reported.
57. URL Requests by Local Address
Summarizes the outbound URL and FTP requests by each local address through Cisco ASA firewalls. Sorted by local address and number of URL/FTP requests. Quickly determines the most common URL and FTP destinations by local address for your company. Only ASA firewalls with logging on are reported.
58. URL Requests by User Name
Summarizes the outbound URL and FTP requests by authenticated user name through Cisco ASA firewalls. Sorted by user name and the number of URL/FTP requests. Requires that AAA user authentication be configured on the firewall. Quickly determines the most common URL and FTP destinations on a user name basis for your company. Only ASA firewalls with logging on are reported.
Reports: 58
28 Standard Reports - Cisco Content Services Switch
Reports module includes the following standard reports for the Cisco Content Services Switch device.
1. Down Links
Displays all messages associated with a down link in a given time period.
2. Reboots
Displays all messages associated with device reboots in a given time period.
3. Top 50 Users by Number of Connections
Displays the total number of connections to the Content Services Switch … associated username.
4. Total Attacks by Attack Type
Displays the total number of attacks recognized by the device grouped by the attack type.
5. Total Attacks by Destination Address
Displays the total number of attacks recognized by the device grouped by the destination address.
6. Total Attacks by Destination Port
Displays the total number of attacks recognized by the device grouped by the destination port.
7. Total Attacks by Source Address
Displays the total number of attacks recognized by the device grouped by the source address.
8. Total Logins by Source Address
Displays the total number of successful logins by source address.
Reports: 8
30 Standard Reports - Cisco PIX - Firewall
Reports module includes the following standard reports for the Cisco PIX (firewall) device.
1. AAA User Authentications
Displays AAA user authentications through Cisco PIX firewalls, sorted by …. This report requires AAA user authentication.
2. Bandwidth Usage by Address
Summarizes bandwidth usage by local address for all traffic passing through Cisco PIX firewalls. Sorted by total byte usage. Quickly determines 'Top Talkers' on your company's network. Only PIX firewalls with logging on are reported.
3. Bandwidth Usage by Department
Displays bandwidth usage by department through Cisco PIX firewalls.
4. Bandwidth Usage by Port
Summarizes bandwidth usage by port for all traffic passing through Cisco PIX firewalls. Sorted by total byte usage count. Quickly determines which applications are consuming the most bandwidth. Common TCP/IP words used synonymously with applications are port and services. Only PIX firewalls with debug level logging on are reported.
5. Bandwidth Usage per Hour
Displays bandwidth usage per hour through Cisco PIX firewalls. It is used to spot quickly bandwidth usage trends occurring during specific time periods. Each tick mark on vertical hourly axes represents accumulated usage for the previous hour.
6. Bandwidth Utilization
This combination of a graph and a report displays the bandwidth utilization on the network.
7. Blocked URL Events
8. Configuration Changes
Listing of configuration change messages from Cisco PIX firewalls, sorted by … Cisco PIX Firewalls. Only PIX firewalls with logging on are reported.
9. Connection Limit Exceeded
Details exceeded connection limits by static addresses.
10. CPU Over-Capacity Events by Date and Time
Listing of all instances of PIX Firewall CPU utilizations …. This is generally considered to be an error condition and if it happens …
11. Denied Connections per Hour
Displays the number of denied connections per hour through PIX firewalls. It is used to spot quickly security threat trends occurring during specific time periods. Each tick mark on vertical hourly axes represents accumulated denied connections for the previous hour.
12. Denied Inbound IP Spoofing
This report tracks when a PIX Firewall receives a packet with the IP source address equal to the IP destination and the destination port equal to the source port, sorted by the …. This indicates a spoofed packet designed to attack systems. This attack is referred to as a Land Attack.
13. Denied Inbound Traffic by Address
Summarizes denied inbound traffic filtered through Cisco PIX firewalls by foreign address. Sorted by …. Quickly determines which foreign hosts are being denied access to your company's internal network; denied connections could represent an attempted security policy breach, malicious network reconnaissance, or simply point out a host or network device configuration issue. Only PIX firewalls with logging on are reported.
14. Denied Inbound Traffic by Port
Summarizes denied inbound traffic filtered through Cisco PIX firewalls by port. Sorted by …. Port is used synonymously with services and/or applications. Quickly determines which applications are being denied access; denied connections could represent an attempted security policy breach, malicious network reconnaissance like a port scan, or simply point out a host or network device configuration issue. Only PIX firewalls with logging on are reported.
15. Denied Outbound Traffic by Address
Summarizes denied outbound traffic filtered through Cisco PIX firewalls by local address. Sorted by connection count. Quickly determines which local addresses are possibly attempting to bypass your company's security policy. Only PIX firewalls with logging on are reported.
16. Denied Outbound Traffic by Port
Summarizes denied outbound traffic filtered through Cisco PIX firewalls by port. Sorted by connection count. Port numbers are used to represent services or applications. Quickly determines which outbound applications are being denied; these denied messages could very well represent an attempted security policy breach, malicious network reconnaissance like a port scan, or simply point out a host or network device configuration issue. Only PIX firewalls with logging on are reported.
17. Email Security
Listing of PIX MailGuard messages received from Cisco PIX firewalls. Sorted in date/time sequence. Quickly views possible email security breach attempts that were prevented by PIX firewalls. Only PIX firewalls with logging on are reported.
18. Failover Messages
Displays a list of failover messages from Cisco PIX firewalls by date/time.
19. FTP Requests by Date/Time
Displays a list of FTP requests through Cisco PIX Firewalls by Date/Time.
20. FTP Requests by Department
Displays FTP requests for each department through Cisco PIX firewalls by number of requests.
21. FTP Requests by Foreign Address
Displays FTP requests to foreign sites by local users through Cisco PIX firewalls by foreign address and the number of requests.
22. FTP Requests by Local Address
Displays FTP requests by each local address through Cisco PIX firewalls by address and number of requests.
23. Inbound E-mail Recipients
Displays inbound emails and the intended recipients.
24. Inbound E-mail Senders
Displays inbound emails and the senders.
25. Inbound Email Traffic
Displays bandwidth usage of inbound email traffic through Cisco PIX firewalls. Sorted by total connection count. Quickly determines 'Top Foreign Email Senders' if your email servers are located on an internal or DMZ interface. Summarizes email traffic from your own email gateways if they are sitting on an external PIX interface. Only PIX firewalls with logging on are reported. The system calculates inbound email traffic by summarizing all the 302002 traffic logged on local port 25.
26. Inbound FTP Traffic
Displays bandwidth usage of inbound FTP traffic through Cisco PIX firewalls. Sorted by total connection count. Quickly determines which external users use FTP most frequently in your company. Only PIX firewalls with logging on are reported. The system calculates inbound FTP traffic by summarizing all the 302002 traffic logged on local ports 20 and 21.
27. Inbound HTTP Traffic
Displays bandwidth usage of inbound HTTP traffic through Cisco PIX firewalls. Sorted by total connection count. Quickly assesses which foreign users are accessing your internal web servers most frequently. Only PIX firewalls with logging on are reported. The system calculates inbound http traffic by summarizing all the 302002 traffic logged on local port 80.
28. Inbound IP Fragmentation Alert
The PIX Firewall limits the number of IP fragments that can be concurrently reassembled. This restriction prevents memory depletion at the firewall under abnormal network conditions. The report is sorted by count by foreign address. If this message persists, a DoS (denial of service) attack might be in progress.
29. Inbound Telnet Traffic
Displays bandwidth usage of inbound Telnet traffic through Cisco PIX firewalls. Sorted by total connection count. Quickly determines top external Telnet users. Only PIX firewalls with logging on are reported. The system calculates inbound Telnet traffic by summarizing all the 302002 traffic logged on local port 23.
30. Management Access from External Source
Details all of the device management events on the PIX firewall sorted by Date/Time.
31. Outbound E-mail Recipients
Displays outbound emails and the email's intended recipient(s).
32. Outbound E-mail Senders
Displays outbound emails and the email's sender.
33. Outbound Email Traffic
Summarizes bandwidth usage of outbound email traffic through Cisco PIX firewalls. Sorted by total connection count. Quickly determines 'Top Email Talkers' in your company if your email gateway is located on an external interface. Reflects 'Top Email Gateways' if your mail gateways are on the PIX's internal interface network. Only PIX firewalls with logging on are reported. The system calculates outbound email traffic by summarizing all the 302002 traffic logged on foreign port 25.
34. Outbound FTP Traffic
Summarizes bandwidth usage of outbound FTP traffic through Cisco PIX firewalls. Sorted by total connection count. Quickly determines which internal users use FTP most frequently in your company. Only PIX firewalls with logging on are reported. The system calculates outbound FTP traffic by summarizing all the 302002 traffic logged on foreign ports 20 and 21.
35. Outbound HTTP Traffic
Summarizes bandwidth usage of outbound HTTP traffic through Cisco PIX firewalls. Sorted by total connection count. Quickly determines 'Top HTTP Talkers' in your company. Only PIX firewalls with logging on are reported. The system calculates outbound http traffic by summarizing all the 302002 traffic logged on foreign port 80.
36. Outbound IP Fragmentation Alert
The PIX Firewall limits the number of IP fragments that can be concurrently reassembled. This restriction prevents memory depletion at the firewall under abnormal network conditions. This report is sorted by count by local address.
37. Outbound Telnet Traffic
Summarizes bandwidth usage of outbound Telnet traffic through Cisco PIX firewalls. Sorted by total connection count. Quickly determines top local Telnet users. Only PIX firewalls with logging on are reported. The system calculates outbound Telnet traffic by summarizing all the 302002 traffic logged on foreign port 23.
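The Inbound and Outbound Traffic reports above (items 25 to 29 and 33 to 37, for both the ASA and PIX lists) all describe the same computation: take every 302002 connection record, keep those whose local port (inbound) or foreign port (outbound) is the service's well-known port, and total connections and bytes per peer address. The example below rebuilds that computation, plus the connections-per-hour count of item 38, from raw syslog. It is added here for illustration and is not code from the Horizon document or from the logging product it describes. It assumes message 302002 uses the PIX 6.x "Teardown TCP connection" layout shown in the sample (the teardown record is the one that carries the byte count); the hosts, times and byte counts in SAMPLE_LOG are constructed for the example.

```python
"""Added example: rebuild the 302002-based bandwidth reports from PIX syslog.

Not from the Horizon document or its logging product. Assumes the PIX 6.x
layout of message 302002 shown in SAMPLE_LOG; all sample values are invented.
"""
import re
from collections import defaultdict

# Syslog prefix "Mon dd hh:mm:ss host "; only the hour is kept, for the
# connections-per-hour report.
PREFIX_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2}\s+(?P<hour>\d{2}):\d{2}:\d{2}\s+\S+\s+"
)

# PIX 6.x teardown record (assumed layout). It is the connection event that
# carries the byte count, which is why the reports sum 302002 messages.
TEARDOWN_RE = re.compile(
    r"%(?:PIX|ASA)-6-302002: Teardown TCP connection (?P<id>\d+) "
    r"faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) "
    r"gaddr (?P<gaddr>[\d.]+)/(?P<gport>\d+) "
    r"laddr (?P<laddr>[\d.]+)/(?P<lport>\d+) "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+)"
)

# Ports the reports associate with each service.
REPORT_PORTS = {"email": (25,), "ftp": (20, 21), "http": (80,), "telnet": (23,)}

# Constructed sample log; 198.51.100.x / 192.0.2.x / 203.0.113.x are documentation ranges.
SAMPLE_LOG = """\
Feb  3 10:00:01 fw1 %PIX-6-302002: Teardown TCP connection 1001 faddr 198.51.100.7/40012 gaddr 203.0.113.2/25 laddr 10.0.0.25/25 duration 0:00:03 bytes 18432 (TCP FINs)
Feb  3 10:00:05 fw1 %PIX-6-302002: Teardown TCP connection 1002 faddr 198.51.100.9/51000 gaddr 203.0.113.2/25 laddr 10.0.0.25/25 duration 0:00:01 bytes 2048 (TCP FINs)
Feb  3 10:00:09 fw1 %PIX-6-302002: Teardown TCP connection 1003 faddr 198.51.100.9/51002 gaddr 203.0.113.3/21 laddr 10.0.0.21/21 duration 0:00:02 bytes 1024 (TCP FINs)
Feb  3 11:01:00 fw1 %PIX-6-302002: Teardown TCP connection 1004 faddr 192.0.2.50/25 gaddr 203.0.113.9/33000 laddr 10.0.1.14/33000 duration 0:00:04 bytes 5120 (TCP FINs)
Feb  3 11:01:30 fw1 %PIX-6-302002: Teardown TCP connection 1005 faddr 192.0.2.51/25 gaddr 203.0.113.9/33001 laddr 10.0.1.14/33001 duration 0:00:02 bytes 4096 (TCP FINs)
Feb  3 11:02:00 fw1 %PIX-6-106001: Inbound TCP connection denied from 198.51.100.7/1234 to 10.0.0.23/23 flags SYN on interface outside
"""


def parse_teardowns(text):
    """Return one dict per 302002 record; any other message ID is ignored."""
    records = []
    for line in text.splitlines():
        m = TEARDOWN_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("fport", "gport", "lport", "bytes"):
            rec[key] = int(rec[key])
        prefix = PREFIX_RE.match(line)
        rec["hour"] = int(prefix.group("hour")) if prefix else None
        records.append(rec)
    return records


def traffic_by_service(records, service, direction):
    """Rows of (peer address, connection count, total bytes) for one service.

    'inbound' matches the local (server) port and groups by foreign address,
    as the Inbound * Traffic reports do; 'outbound' matches the foreign port
    and groups by local address. Sorted by connection count, then bytes.
    """
    ports = REPORT_PORTS[service]
    if direction == "inbound":
        port_key, addr_key = "lport", "faddr"
    elif direction == "outbound":
        port_key, addr_key = "fport", "laddr"
    else:
        raise ValueError("direction must be 'inbound' or 'outbound'")
    count, total = defaultdict(int), defaultdict(int)
    for rec in records:
        if rec[port_key] in ports:
            count[rec[addr_key]] += 1
            total[rec[addr_key]] += rec["bytes"]
    return sorted(((a, count[a], total[a]) for a in count),
                  key=lambda row: (-row[1], -row[2], row[0]))


def connections_per_hour(records):
    """Completed connections per clock hour, the shape of the per-hour report."""
    per_hour = defaultdict(int)
    for rec in records:
        per_hour[rec["hour"]] += 1
    return dict(sorted(per_hour.items()))


if __name__ == "__main__":
    recs = parse_teardowns(SAMPLE_LOG)
    for svc in REPORT_PORTS:
        print(svc, "inbound:", traffic_by_service(recs, svc, "inbound"))
        print(svc, "outbound:", traffic_by_service(recs, svc, "outbound"))
    print("per hour:", connections_per_hour(recs))
```

Two details worth noticing when reading the output: the denied connection on port 23 contributes nothing to the Telnet bandwidth rows, because a denied connection never produces a teardown record, and the two outbound SMTP sessions from 10.0.1.14 are counted against the foreign port 25, which is what lets the same data answer both the "Top Foreign Email Senders" and the "Top Email Talkers" questions.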
38. Permitted Connections per Hour
Displays the number of connections per hour through PIX firewalls. It is used to spot connection trends occurring during specific time periods. Each tick mark on vertical hourly axes represents accumulated permitted connections for the previous hour.
39. RIP External Security Alert
Displays the PIX Firewall events for received internal RIP reply messages with bad authentication sorted by the local address. This could be due to misconfiguration on the router or the PIX Firewall, or it could be an unsuccessful attempt to attack the PIX Firewall unit's routing table.
40. RIP Internal Security Alert
Displays the PIX Firewall events for received external RIP reply messages with bad authentication sorted by the foreign address. This could be due to misconfiguration on the router or the PIX Firewall, or it could be an unsuccessful attempt to attack the PIX Firewall unit's routing table.
41. SiteTrack Detection
Listing of network traffic through Cisco PIX firewalls that contained SiteTrack keywords. Sorted in date/time sequence. Keyword match is identified with parenthesis characters ( ) preceding the message in the Message column. The SiteTrack feature performs a text string comparison of the DNS host name lookup of source and destination IP addresses, as well as accessed URL pages and FTP file names. The DNS Resolver service must be on, and PIX firewall logging must be on.
42. Top 10 Requested URL/FTP Destinations
Displays the top 10 requested URL and FTP destinations … foreign sites.
43. Top 20 Bandwidth Ports
Displays the top 20 ports of bandwidth usage through PIX firewalls. It is used to identify quickly which applications are consuming the most bandwidth.
44. Top 20 Bandwidth Users
Displays the top 20 bandwidth users through PIX firewalls.
45. Top 20 Connections by Address
Displays the top 20 users of connections through PIX firewalls. It is used to determine quickly which users are consuming the most connections.
46. Top 20 Connections by Port
Displays the top 20 ports with the most connections through PIX firewalls. It is used to identify quickly which applications are consuming the most connections.
47. Top 20 Denied Inbound by Address
Displays the top 20 foreign addresses that were denied inbound access by PIX firewalls. It is used to spot quickly foreign hosts that may have been attempting to gain unauthorized access to your network.
48. Top 20 Denied Inbound by Port
Displays the top 20 ports with the most denied inbound connections through PIX firewalls. It is used to identify quickly which applications are the top sources of inbound denied connections.
49. Top 20 Denied Outbound by Address
Displays the top 20 local addresses that were denied outbound access by PIX firewalls. It is used to identify quickly the top internal hosts that may possibly have been attempting to breach your company's outbound internet security policy.
50. Top FTP Destinations
Displays FTP requests to foreign addresses through Cisco PIX firewalls; it is sorted by the number of requests.
51. Top URL Destinations
Displays URL requests to foreign addresses through Cisco PIX firewalls; it is sorted by the number of requests.
53. Translation Activity by Connection ID
Lists the build-up and teardown messages for connections through a PIX. These events …
54. URL Requests by Date/Time
Listing of URL and FTP requests through Cisco PIX Firewalls. Sorted in Date/Time sequence. This query report can be used to view which URLs and FTP files were accessed during a certain date/time range. Only PIX firewalls with logging on are reported.
55. URL Requests by Department
Summarizes the outbound URL and FTP requests for each department through Cisco PIX firewalls.
57. URL Requests by Local Address
Summarizes the outbound URL and FTP requests by each local address through Cisco PIX firewalls. Sorted by local address and number of URL/FTP requests. Quickly determines the most common URL and FTP destinations by local address for your company. Only PIX firewalls with logging on are reported.
58. URL Requests by User Name
Summarizes the outbound URL and FTP requests by user name through Cisco PIX firewalls. Sorted by user name and the number of URL/FTP requests. Requires that AAA user authentication be configured on the firewall. Quickly determines the most common URL and FTP destinations on a user name basis for your company. Only PIX firewalls with logging on are reported.
Reports: 58
34 Standard Reports - Cisco Router
Reports module includes the following standard reports for the Cisco Router device.
1. Bandwidth Usage by Address
Summarizes the number of permitted packets per source address for all network traffic through Cisco routers. Sorted by packet count. Only network traffic from Cisco router interfaces with access control lists applied and logging turned on is reported. Source address can be an Internet or intranet address depending on which router interface the access list is applied and in which direction.
2. Bandwidth Usage by Department
Summarizes the number of permitted packets per source address for all network traffic through Cisco routers. Sorted by packet count. Only network traffic from Cisco router interfaces with access control lists applied and logging turned on is reported. Source address can be an Internet or intranet address depending on which router interface the access list is applied and in which direction.
3. Bandwidth Usage by Port
Summarizes the number of permitted packets passing through Cisco routers by port. Sorted by packet count. Only network traffic from Cisco router interfaces with access control lists applied and logging turned on is reported. Source address can be an Internet or intranet address depending on which router interface the access list is applied and in which direction.
4. Denied Packets per Hour
Displays the number of denied packets per hour by Cisco routers. It is used to spot possible security threat trends over time ranges. Each tick mark on vertical hourly axes represents accumulated denied packets for the previous hour.
5. Denied Traffic by Address
Summarizes the number of denied packets per source address through Cisco routers. Sorted by denied packet count. Only network traffic from Cisco router interfaces with access control lists applied and logging turned on is reported. Source address can be an internal or external address depending on which router interface the access list is applied and in which direction.
6. Denied Traffic by Port
Summarizes denied traffic filtered through Cisco routers by port. Sorted by packet count. Only network traffic from Cisco router interfaces with access control lists applied and logging turned on is reported.
7. Inbound Email Traffic
Summarizes the number of inbound email packets permitted through Cisco routers by destination address. Sorted by router address, access control list, and number of sessions. Only network traffic from Cisco router interfaces with access control lists applied and logging turned on is reported. The system determines whether traffic is inbound or outbound from the information entered in its IPADDR.TAB file located in the Program directory. If this file is not configured, the system assumes traffic is inbound.
8. Inbound FTP Traffic
Summarizes permitted inbound FTP packet usage through Cisco routers. Sorted by router address, access control list, and number of sessions. Only network traffic from Cisco router interfaces with access control lists applied and logging turned on is reported. The system determines whether traffic is inbound or outbound from the information entered in its IPADDR.TAB file located in the Program directory. If this file is not configured, the system assumes traffic is inbound.
9. Inbound HTTP Traffic
Summarizes the number of permitted packets transferred by destination address for inbound HTTP traffic through Cisco routers. Sorted by router address, access control list, and number of sessions. Only network traffic from Cisco router interfaces with access control lists applied and logging turned on is reported. The system determines whether traffic is inbound or outbound from the information entered in its IPADDR.TAB file located in the Program directory. If this file is not configured, the system assumes traffic is inbound.
10. Inbound Telnet Traffic
Summarizes the number of inbound Telnet packets permitted through Cisco routers. Only network traffic from Cisco router interfaces with access control lists applied and logging turned on is reported. The system determines inbound or outbound traffic from the network information entered in the IPADDR.TAB file. If this file is not configured, the system assumes traffic is inbound.
11. Outbound Email Traffic
Summarizes the number of outbound email packets permitted through Cisco routers. Sorted by router address, access control list, and number of sessions. Only network traffic from Cisco router interfaces with access control lists applied and logging turned on is reported. The system determines inbound or outbound traffic from the network information entered in the IPADDR.TAB file. If this file is not configured, the system assumes traffic is inbound.
12. Outbound FTP Traffic
Summarizes the number of permitted packets transferred per source and destination address … sessions through Cisco routers. It … Only network traffic from Cisco router interfaces with access control lists applied and logging turned on is reported. The system determines whether traffic is inbound or outbound from the information entered in its IPADDR.TAB file located in the Program directory. If this file is not configured, the system assumes traffic is inbound.
13. Outbound HTTP Traffic
Summarizes the number of permitted packets transferred by destination address for outbound HTTP traffic through Cisco routers. Sorted by router address, access control list, and number of sessions. Only network traffic from Cisco router interfaces with access control lists applied and logging turned on is reported. The system determines whether traffic is inbound or outbound from the information entered in its IPADDR.TAB file located in the Program directory. If this file is not configured, the system assumes traffic is inbound.
14. Outbound Telnet Traffic
Summarizes the number of outbound Telnet packets permitted through Cisco routers. Sorted by router address, access control list, and number of sessions. Only network traffic from Cisco router interfaces with access control lists applied and logging turned on is reported. The system determines inbound or outbound traffic from the network information entered in the IPADDR.TAB file. If this file is not configured, the system assumes traffic is inbound.
15. Permitted Packets by Address
Displays the number of permitted packets by address through Cisco routers.
16. Permitted Packets per Hour
Displays the number of permitted packets per hour by Cisco routers. It is used to spot peak packet usage trends over time ranges. Each tick mark on vertical hourly axes represents accumulated permitted packets for the previous hour.
17. Permitted Packets by Port
Displays the number of permitted packets by port through Cisco routers. It is used to spot top bandwidth applications running across your router.
18. SiteTrack Detection
Listing of packets that have been permitted or denied through Cisco routers with host name lookups matching one of the keywords entered in the SiteTrack keyword list. Sorted in date/time sequence. Keyword match is listed in the report with parenthesis characters ( ) preceding the message in the Message field. Keywords need to be entered in the SiteTrack, and its DNS Resolver service must be on for this feature to function. The DNS Resolver service performs a host name lookup of both source and destination IP addresses in every packet it receives from Cisco routers.
19. System Critical Events
Listing of Router system status messages received from Cisco routers. Sorted in date/time sequence. Only Cisco routers with logging turned on are reported.
20. System Interface Events
Listing of system interface status messages from Cisco routers. Sorted in date/time sequence. Only Cisco routers with logging turned on are reported.
21. Top 20 Bandwidth Users
Displays the top 20 bandwidth users by address through Cisco routers. It is used to spot top bandwidth hogs through the router.
22. Top 20 Denied Packets by Address
Displays the top 20 addresses of denied packets through Cisco routers. It is used to spot quickly foreign addresses that are possibly attempting to breach your security policy.
23. Top 20 Denied Packets by Port
Displays the top 20 ports with the most denied packets through Cisco routers. It is used to spot quickly which applications may possibly be being used for an attempted security breach.
24. Call Data - Call Information
Displays all information associated with identified calls within a time period. Information includes: Setup Time, Username, Number Called/Calling, Origin, Connection Speed, and …
25. Call Data - Top 10 Total Duration By Number Called
Displays the total call time duration associated with the Top 10 Numbers Called. The call time di
26. Call Data - Top 10 Total Duration By Username
Displays the Top 10 Usernames based upon call duration time for the specified time period,
27. Call Data - Total Disconnects by Error for Each Device
Displays the number of events that present an error in the disconnect code for each cal
28. Call Data - Total Usage By Device
Displays the Call Traffic associated with each device. This is an executi¥é inistrators,
29. Call Data - Total Usage By Username
Queries the Call Data Record for all associated call information by the username associated with calls.
Reports: 29
38 Standard Reports - Cisco VPN 3000 Concentrator
Reports module includes the following standard reports for the Cisco VPN 3000 Concentrator device.
1. Bandwidth Usage per Hour
Displays the VPN bandwidth usage per hour.
2. Connection Statistics by User
Lists the Date/Time Stamp, Username and Device Addresses associated with each successful connection attempt.
3. Denied Connections
Displays the number of denied connections by VPN gateway.
4. Denied Connections by Date/Time
Displays the VPN denied connections by Date/Time for the entire group of VPN gateways.
5. Denied Connections by Username
Displays the VPN denied connections by Username for the entire group of VPN gateways, sorted by denied connections.
6. Denied Connections per Hour
Displays the VPN denied connections per hour.
7. Successful Authentications by Date/Time
Queries the database for messages that report successful authentications and reports back information such as Date/Time, Device Address, Username, Local PortName, and Groupname.
8. Successful Authentications by GroupName
Queries the database for messages that report successful authentications, by GroupName.
9. Successful Authentications by UserName
Queries the database for messages that report successful authentications, by UserName.
10. Successful Connections by Device
Total of all successful connections to a device.
11. Systems Events by Device
Lists each system event (confi
12. Top 20 Bandwidth Users
Displays the top 20 users for all VPN gateways by total bytes.
13. Top 20 Users by Durations
Displays the top 20 tunnel connections for all VPN gateways.
14, Top 20 Users by Number of Connections
Displays the top 20 users by connections for all VPN gateways.
15. Total Bytes by UserName
Lists the total bytes by local address for all VPN gateways. Data is sorted by total bytes. The total bytes are calculated by adding up the byte entries for each Local Address.
16. Total Duration by Username
Lists the total duration for all users of VPN gateways. Data is sorted by total duration. The total duration is calculated by adding up the duration entries for each Local Address.
Reports: 16
39 Standard Reports - Correlated Alerts
Reports module includes the following standard reports for correlated alerts.
1. Correlated Alerts Details
Lists all the alerts that caused a correlated alert.
2. Correlated Alerts List
Lists all correlated alerts in a
3. Correlated Alerts Summary
Displays the top 20 correlated alerts in descending order.
Reports: 3
40 Standard Reports - Correlated Multi-Device Reports
Reports module includes the following standard reports for the multi-device reports.
1. IDS devices - Top 10 Source Addresses of Alarms
Displays the top 10 source addresses of intrusion detection alarms.
2. IDS devices - Top 10 Alarms
Displays the top 10 alarms (by signature id) that have been generated.
3. IDS devices - Top 10 Destinations of Alarms
Displays the top 10 destination IP addresses that have been targeted for attack.
4. Top 10 Requested URL/FTP Destinations
Displays the top 10 URL/FTP destinations by internal users.
5. Top 20 Bandwidth Ports
Displays the top 20 ports of bandwidth usage.
6. Top 20 Bandwidth Users
Displays the top 20 bandwidth users.
7. Top 20 Connections by Address
Displays the top 20 users of
8. Top 20 Connections by Port
Displays the top 20 ports with the most connections.
9. Top 20 Denied Inbound by Address
Displays the top 20 foreign addresses that were denied inbound access.
10. Top 20 Denied Inbound by Port
Displays the top 20 ports with the most denied connections.
11. Top 20 Denied Outbound by Address
Displays the top 20 local addresses that were denied outbound access.
Reports: 11
42 Standard Reports - DHCP
Reports module includes the following standard system reports for DHCP.
1. DHCP Lease Change
Lists the lease time of DHCP IP addresses.
Database Tables: DHCP Support
Reports: 1
66 Standard Reports - Linux
Reports module includes the following standard reports for the Novell Linux and Red Hat Linux devices.
1. Linux - Failed Authentications by Device
Displays the failed Authentication attempts for each monitored device by Date/Time.
2. Linux - Failed SuperUser Attempts
Displays the failed attempts to use the Switch User command and the username associated with the attempt.
3. Linux - Successful Connections
Displays the successful connection information.
4. Linux - Successful SuperUser Attempts
Displays the successful attempts to utilize the Switch User command and the username associated with the attempt.
5. Linux - Total Connections by Address
Displays the total connections by foreign address.
6. Linux - Total Connections by Username
Displays the total connections for each user within the specified time range.
Reports: 6
68 Standard Reports - McAfee IntruShield
Reports module includes the following standard reports for the McAfee IntruShield device.
1. Alarm Destination Report
Displays alarms sorted by the Destination IP Address that generated the alarm.
2. Alarm Levels
Displays the number of alarms for each alarm level.
3. Alarm Report
Lists alarms based on signature names, sorted by alarms and signature names.
4. Alarms by Hour
Displays the number of alarms by hour for a given time period.
5. Alarms by Sensor
Lists the alarm count for each sensor.
6. Alarms by Sensor Device
Displays the total number of alarms generated by each sensor device. The report is sorted by total number of alarms.
7. Top 10 Sources of Alarms
Lists the top 10 source IP addresses that have generated the most events/alarms.
8. Top 20 Alarms
Displays the top 20 alarms that have been generated.
9. Top 20 Alarms by Port
Displays the Top 20 alarms based on the destination port.
10. Top 20 Destinations of Alarms
Displays the top 20 destination IP addresses that have been targeted for attack.
11. Top 20 Source-Destination Pairs of Alarms
Displays the top 20 source/destination pairs that have generated the most alarms.
12. Top 20 Sources of Alarms
Lists the top 20 source IP addresses that have generated the most events/alarms.
Reports: 12
69 Standard Reports - McAfee VirusScan Enterprise
The Reports module includes the following standard reports for McAfee VirusScan Enterprise.
1. Top 20 infected systems
Displays the top 20 infected systems found on the network.
2. Top 20 Viruses Detected
Displays the top 20 viruses found on the network.
3. Virus Detection Details
Lists all the detected viruses, sorted by time.
Reports: 3
71 Standard Reports - Microsoft Exchange Server
Reports module includes the following standard reports for Microsoft Exchange Server.
1. MS Exchange - Exchange Error Condition
Displays all Exchange error events.
2. MS Exchange - Failed Logons Attempts to Mailboxes
Displays failed logons to mailboxes in the Microsoft Exchange environment.
3. MS Exchange - Failed Mailbox Creation/Deletion
Displays failed mailbox creation and deletion.
4. MS Exchange - Internet Traffic by Email Accounts
Displays the inbound and outbound Internet traffic to email accounts.
Displays successful logons to mailboxes in the Microsoft Exchange environment by users who have administrator privileges on the mailboxes.
9. MS Exchange - Top 10 Email Accounts Receiving Messages
Displays the top 10 email accounts receiving the most messages.
10. MS Exchange - Top 10 Email Accounts Receiving Messages Volume
Displays the top 10 email accounts receiving the most message volume.
11. MS Exchange - Top 10 Email Accounts Sending Messages
Displays the top 10 email accounts sending the most messages.
12. MS Exchange - Top 10 Email Account Sending Messages Volume
Displays the top 10 email accounts sending the most message volume.
13. MS Exchange - Top 10 Sender-Receiver Pairs
Displays the top 10 pairs of email accounts sending messages to, and receiving messages from, each other.
14. MS Exchange - Top 10 Sender-Receiver Pairs within the
16. MS Exchange - Use of Send Privileges
Displays users who grant users permission
Reports: 16
72 Standard Reports - Microsoft IIS
Reports module includes the following standard reports for Microsoft IIS.
1. Access Denied Attempts (500)
Displays page access attempts that were denied over time. If multiple sites were chosen, an additional option is available to select whether the access denied attempts are displayed cumulatively or comparatively.
2. Browser Versions
Displays the percentage of browser types to the sites selected.
3. Hits per Day
Displays the number of requested pages for the sites chosen during run time. An additional option allows the information for multiple sites to be summed together or compared against each other.
4. Top 20 Page not Found (404)
Displays the top 20 requested files that were not found. If multiple sites are chosen at run time, the site where the file was requested from is also included in the report.
5. Top 20 Referring Domains
Displays the top 20 referring domains. If multiple sites are chosen at run time, the name of the site referred to is also in the report.
6. Top 20 Referring Pages
Displays the top 20 referring URLs, as well as t
ch URL provided. If multiple sites are chosen at run time, the name of the site referred to is also in the report.
7. Top 20 Requested Content
Displays a summary of the top 20 requested content by the directory in which the file is contained. This provides a summary of the most active areas of the web site. If there are multiple sites chosen at run time, the name of the site where the directory resides will also be included in the report.
8. Top 20 Requested Pages
Displays a summary of the top 20 most requested pages for the sites chosen during run time. If multiple sites are chosen at run time for this report, the name of the site the requested page is served from is also included in the report.
9. Top 20 Script Errors (501)
Displays the top 20 requested page and script error combinations. A page may appear on this report multiple times if the page has different multiple script errors. If multiple sites are chosen at run time for inclusion in the report, the site the page resides on is also identified in the report.
10. Visitors per Day
Displays the number of unique IP addresses of visitors for the sites chosen during run time. An address is only counted the first time it appears during the chosen time period.
Reports: 10
73 Standard Reports - Microsoft ISA
Reports module includes the following standard reports for Microsoft ISA.
1. Attacks
Displays all of the attacks that were identified by the
2. Firewall Errors
Displays the Firewall Error messages as recorded by the Firewall Service.
3. Total Bytes by Client IP
Displays the total bytes of all connections associated to specific Client IPs.
4. Total Duration by Client IP
Displays the total duration associated to specific Client IPs.
5. Total Number of Connections by Domain Name
Displays the number of connections associated to each Domain Name during a given time period.
6. Total Number of Connections by Server IP
Displays the number of connections associated to each Server IP during a given time period.
Reports: 6
74 Standard Reports - Microsoft SQL Server
1. Configuration changes
Displays configuration changes made to MS SQL Server systems.
2. Database backups
Displays backup events from MS SQL Server systems.
3. Errors that can be corrected by a user
Displays all error conditions from MS SQL Server systems that can be corrected by a user.
4. Failed Logons
Displays all failed logon events to MS SQL Server systems.
5. Fatal Errors
Displays fatal errors from MS SQL Server systems.
6. Insufficient Resources
Displays insufficient resource events from MS SQL Server systems.
7. Logon/Logoff Events
Displays all logons and logoff events to MS SQL Server systems.
8. Nonfatal Internal Errors
Displays nonfatal internal errors from MS SQL Server systems.
9. Object events
Displays object trace events from MS SQL Server systems.
Reports: 9
75 Standard Reports - Account Management
Reports module includes the following standard reports for Windows.
1. Account Changes Details
List of all account changes.
2. Account Changes Summary
Shows the number of account changes by event ID in descending order.
3. Computer Account Changes
List of all computer account changes.
4. Global Group Account Changes
List of all global group account changes.
5. Local Group Account Changes
List of all local group account changes.
6. Universal Group Account Changes
List of all universal group account changes.
7. User Group Account Changes
List of all user account changes.
Reports: 7
76 Standard Reports - Application Errors
Reports module includes the following standard reports for Windows.
1. Errors Reported by Dr. Watson
List of errors reported by Dr. Watson.
2. Top 20 Application Errors
Displays the top 20 application errors collected from all Microsoft Windows servers.
3. Top 20 Errors-Logging Applications
Displays the top 20 applications logging application errors on Microsoft Windows servers.
Reports: 3
77 Standard Reports - Disk and Memory
Reports module includes the following standard reports for Windows.
1. Bad Blocks
List of system events reporting bad blocks.
2. Disk at Near Capacity
List of system events reporting disk at near capacity.
3. Out of Virtual Memory
List of system events reporting out of virtual memory.
Reports: 3
78 Standard Reports - Files/Objects Access
Reports module includes the following standard reports for Windows.
1. Access to Files
List of all files accessed in folders monitored for access auditing.
2. Registry Access
List of all accesses to registry files and keys.
3. Write Access to System Files
List of all files opened with write access rights in the System folder.
Reports: 3
79 Standard Reports - Logon/Logoff
Reports module includes the following standard reports for Windows.
1. Failed Logons
List of all failed logon events including reason, user name, domain name and workstation.
2. Local Logons/logoffs by User
List of all local logon and logoff activities sorted by user name.
3. Logons/logoffs by User
List of all logon and logoff activities sorted by user name.
Reports: 3
80 Standard Reports - Policy Changes and Audit Logs
Reports module includes the following standard reports for Windows.
1. Audit Log Cleared
List of audit log cleared events.
2. Audit Log Full
List of audit log is full events.
3. Audit Policy Changes
List of all audit policy changes.
4. Policy Changes Details
List of all policy changes events.
5. Policy Changes Summary
Shows the number of policy changes by event ID in descending order.
6. Trusted Domain Changes
List of all trusted domain changes.
7. User Rights Changes
List of all user rights changes.
Reports: 7
81 Standard Reports - Restart/Shutdown
Reports module includes the following standard reports for Windows.
1. System Restarts/Shutdowns
List of all system restarts and shutdowns.
Reports: 1
82 Standard Reports - Summary Reports
Reports module includes the following standard reports for Windows.
1. Application Log Activity per Computer
Total count of application events per computer in descending order.
2. Application Log Activity per User
Total count of application events per user in descending order.
3. Security Log Activity per Computer
Total count of security events per computer in descending order.
4. Security Log Activity per User
Total count of security events per user in descending order.
5. System Log Activity per Computer
Total count of system events per computer in descending order.
Reports: 5
83 Standard Reports - Trend Reports
Reports module includes the following standard reports for the Windows devices.
1. Application Log Activity
Displays the number of application events over time.
2. Security Account Logon Activity
Displays the number of security account logon events over time.
3. Security Account Management Activity
Displays the number of security account management events over time.
4. Security Detailed Tracking Activity
Displays the number of security detailed tracking events over time.
5. Security Log Activity
Displays the number of security events over time.
6. Security Logon/Logoff Activity
Displays the number of security logon/logoff events over time.
7. Security Object Access Activity
Displays the number of security object access events over time.
8. Security Policy Change Activity
Displays the number of security policy change events over time.
9. Security Privilege Use Activity
Displays the number of security privilege use events over time.
10. Security System Event Activity
Displays the number of security system event events over time.
11. System Log Activity
Displays the number of system events over time.
Reports: 11
84 Standard Reports - User Activity
Reports module includes the following standard reports.
1. Applications by Users
List of applications running on computers on the network, sorted by user name.
2. Print Jobs by Users Summary
Summary of print jobs by users, showing user name, number of print jobs and total pages and total bytes.
3. Privileged Activities by User
List of activities invoking rights and privileges, sorted by user name.
Reports: 3
88 Standard Reports - Audit
Reports module includes the following standard system reports for the system auditing function.
1. Configuration Changes by Action
Lists all the configuration changes with the specified Action.
Runtime parameters - Action.
2. Configuration Changes by Date/Time
Lists all configuration changes made to enVision.
3. Configuration Changes by Object Type
Lists all configuration changes made against the specified object type.
Runtime parameters - Object Type.
4. Configuration Changes by User
Lists all configuration changes made by the specified user.
Runtime parameters - User ID.
5. Report Access Activity by Date/Time
Lists all reports that have been either e-mailed or viewed, and by whom (usernames).
6. Report Access Activity by User
List all reports that the specified user has accessed.
Runtime parameters - User ID.
7. Report Emailing Activity by Date/Time
Lists all reports that have been e-mailed and by whom (usernames).
8. Report Emailing Activity by User
List all reports that the specified user has e-mailed.
Runtime parameters - User ID.
9. Report Viewing Activity by Date/Time
Lists all reports that have been viewed and by whom (usernames).
10. Report Viewing Activity by User
List all reports that the specified user has viewed.
Runtime parameters - User ID.
11. User Session Activity by Date/Time
Lists all the successful and failed enVision log in/log out attempts.
12. User Session Activity by User
Lists all the successful and failed enVision log in/log out attempts for the specified user.
Runtime parameters - User ID.
Reports: 12
89 Standard Reports - System
Reports module includes the following standard NIC System reports.
1. Appliance Disk Errors
Lists all the appliance disk errors.
2. Appliance Operating Environment Errors
Lists all the appliance operating environment errors.
3. Failed Terminal Server Logins to the Appliance
Lists all failed terminal server login attempts to the appliance.
4. Failed enVision Logins
Lists all failed attempts to log in to enVision.
5. Monitored Device Collection Errors
Lists all errors in collection of data from monitored devices.
NIC System Device
Reports: 5
94 Standard Reports - Oracle
Reports module includes the following standard reports for the Oracle device.
1. Audit Details by Action
Displays detailed audit actions by action.
2. Audit Details by Database Process
Displays detailed audit actions by database process ID.
3. Audit Details by System
Displays detailed audit actions by system.
4. Audit Details by User
Displays detailed audit actions by user name.
Reports: 4
95 Standard Reports - RSA Security SecurID
Reports module includes the following standard reports for the RSA Security SecurID device.
1. Deleted Agent Hosts
Displays any agent hosts deleted from the RSA database in the specified time period.
2. Failed Authentication Attempts
Displays all of the failed authentication attempts by Username.
3. Group Modifications
Displays any modifications to the existing groups in the RSA database in the specified time period.
4. New Agent Hosts
Displays any new agent hosts added to the existing users in the RSA database in the specified time period.
5. New Groups Added
Displays all of the new groups added to the RSA database in the specified time period.
6. New Users Added
Displays all of the new users added to the RSA database in the specified time period.
7. Successful Authentication
Displays all of the successful authentication attempts by Username.
8. User Modifications
Displays any modifications to the existing users in the RSA database in the specified time period.
Reports: 8
97 Standard Reports - SNORT
Reports module includes the following standard reports for the SNORT device.
1. Alarm Destination Report
Lists alarms sorted by the Destination IP Address that generated the alarm.
2. Alarm Levels
Displays the number of alarms for each alarm level.
3. Alarm Report
Lists alarms based on signature names, sorted by alarms and signature names.
4. Alarms by Hour
Displays the number of alarms by hour for a given time period.
5. Alarms by Sensor
Lists the alarm count for each sensor.
6. Alarms by Sensor Device
Displays the alarm count for each sensor device.
7. Top 10 Alarm Signatures
Lists the top 10 alarms (by signature name) that have been generated.
8. Top 10 Destinations of Alarms
Lists the top 10 destination IP addresses that have been targeted for attack.
9. Top 10 Source-Destination Pairs of Alarms
Lists the top 10 source/destination pairs that have generated the most alarms.
10. Top 10 Sources of Alarms
Displays the top 10 sources of alarms by source IP address.
Reports: 10
99 Standard Reports - Sun Solaris
Reports module includes the following standard reports for the Sun Solaris BSM device.
1. Kernel-Level Events
Lists kernel-level events generated by system calls.
2. Login and Logout Events
Lists login and logout audit events.
3. Nonattributable Events
Lists the events that occur at the,
4. Permission Changes
Lists permission changes by a
5. Privileged Operations
Lists the use of privilege capabilities or role-based access control.
6. User-Level Events
Lists the user-level events generated by application software.
Reports: 6
100 Standard Reports - Sun Solaris
Reports module includes the following standard reports for the Sun Solaris device.
1. Failed Super User Attempts
Displays users who attempted to Switch User to "root" and failed.
2. Percentage of Connections by Service
Queries for messages with a message ID of 317013 and summarises them by agent (service). This message is created by the inetd daemon and logs all connections by service (for example: login, ftp).
3. Super User Access
Queries for messages with a message ID of 3 ... which users Switched User to "root" and at what time.
4. Total Connections by Foreign Address
Displays the total connections by source address.
5. Total Connections by Port
Displays the total number of connections grouped by port number.
Reports: 5
110 Standard Reports - Tripwire Enterprise
Reports module includes the following standard reports for the Tripwire Enterprise device.
1. Changes
Lists the nodes with detected changes sorted by time of change occurrence.
2. Changes by Severity
Lists the nodes with detected changes sorted by detected severity.
3. Change Rates
Lists changes detected sorted by frequency of occurrence.
4. Nodes
Lists all Tripwire unique nodes.
5. System Access
Lists user logon and logoff events.
Reports: 5
3.6.3 Operational Security Management and ad hoc Reports
Currently the only Security Event analysis reports that Operational Security can produce are
ad hoc reports when provided with a correctly formatted log.
Managed and scheduled Event and Incident Summary Reports need to be agreed with the
Operational Security Manager and initially these reports need to highlight breaches in
Confidentiality, Integrity or Availability by
facilities if required.
The summaries that can be produced for each type of log analysed are:
* Date and time summaries
* Log source summaries
* Types of event summaries
* Event categorisation summaries
* Event number summaries
* Event user summaries
* Computer or device summaries
* Event description summaries
* Trended summaries
Log types analysed:
* Output logs for Windows 2000 Events
* Syslogs from Solaris
* Syslogs from Cisco Routers
* Syslogs from Cisco Firewalls
An assessment of whether this is feasible has been carried out and the summary results are documented as an appendix to this
document.
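The summary types listed above can be produced directly from raw syslog without a reporting product. The following Python script is an added example, not part of this document and not code from Sawmill or RSA enVision: it classifies Solaris su/inetd/sshd syslog lines and Cisco IOS ACL log messages, then builds the date/time, log source, event type, event user and denied-address/port summaries of the kind listed. The sample lines are constructed for the example (they mimic the Solaris and Cisco IOS syslog layouts and are not logs from the Horizon estate), the hostnames and usernames are invented, and the year is an assumption supplied by the caller because classic syslog timestamps carry none.

```python
"""Summarise Solaris and Cisco syslog lines into date/time, source, event-type,
user and denied-traffic counts.

Added example; not code from the Fujitsu document, Sawmill or RSA enVision.
The sample lines are constructed to mimic Solaris 'su', 'inetd' and 'sshd'
syslog messages and Cisco IOS ACL logging; they are not real Horizon logs.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample input: two Solaris hosts and one Cisco router, all
# forwarded to a central syslog host in the traditional "Mon dd hh:mm:ss host" layout.
SAMPLE_LOG = """\
Jan 14 09:12:01 sol01 su: [ID 366847 auth.notice] 'su root' succeeded for wmembery on /dev/pts/3
Jan 14 09:15:44 sol01 su: [ID 366847 auth.crit] 'su root' failed for jdoe on /dev/pts/5
Jan 14 09:16:02 sol01 su: [ID 366847 auth.crit] 'su root' failed for jdoe on /dev/pts/5
Jan 14 10:02:17 sol02 inetd[188]: [ID 317013 daemon.notice] ftp[2011] from 10.1.5.20 44012
Jan 14 10:05:30 sol02 sshd[2044]: [ID 800047 auth.info] Accepted publickey for ops from 10.1.5.21 port 50122 ssh2
Jan 14 10:07:55 rtr-edge 1042: *Jan 14 10:07:54.801: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(3389) -> 10.1.0.5(445), 1 packet
Jan 14 11:07:58 rtr-edge 1043: *Jan 14 11:07:57.120: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(3390) -> 10.1.0.5(445), 1 packet
Jan 14 11:09:10 rtr-edge 1044: *Jan 14 11:09:09.300: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(5353) -> 10.1.0.9(53), 1 packet
"""

# Classic syslog header. The timestamp has no year, so the caller supplies it.
HEADER_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<rest>.*)$"
)

# Event patterns, tried in order; the first match classifies the line.
# Named groups become fields of the event (user, src, dst, proto, dport ...).
PATTERNS = [
    ("su_success", re.compile(r"'su (?P<target>\S+)' succeeded for (?P<user>\S+)")),
    ("su_failure", re.compile(r"'su (?P<target>\S+)' failed for (?P<user>\S+)")),
    ("ssh_login", re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")),
    ("inetd_connection", re.compile(r"(?P<service>[a-z0-9-]+)\[\d+\] from (?P<src>[\d.]+)")),
    ("acl_denied", re.compile(
        r"%SEC-6-IPACCESSLOG\w*: list \S+ denied (?P<proto>\w+) "
        r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> (?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    )),
]


def parse_event(line, year):
    """Return a dict describing one syslog line, or None if it is not syslog."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    event = {"timestamp": ts, "source": m["host"], "event_type": "unclassified"}
    for name, pattern in PATTERNS:
        hit = pattern.search(m["rest"])
        if hit:
            event["event_type"] = name
            event.update({k: v for k, v in hit.groupdict().items() if v is not None})
            break
    return event


def summarise(text, year):
    """Build the summaries: by hour, by log source, by event type, by user,
    plus denied packets by source address and by destination port."""
    keys = ("by_hour", "by_source", "by_event_type", "by_user",
            "denied_by_address", "denied_by_port")
    summary = {k: Counter() for k in keys}
    summary["unparsed"] = 0  # non-zero means the input is not correctly formatted syslog
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line, year)
        if ev is None:
            summary["unparsed"] += 1
            continue
        summary["by_hour"][ev["timestamp"].strftime("%Y-%m-%d %H:00")] += 1
        summary["by_source"][ev["source"]] += 1
        summary["by_event_type"][ev["event_type"]] += 1
        if "user" in ev:
            summary["by_user"][ev["user"]] += 1
        if ev["event_type"] == "acl_denied":
            summary["denied_by_address"][ev["src"]] += 1
            if "dport" in ev:  # ICMP denials carry no port
                summary["denied_by_port"][f"{ev['proto']}/{ev['dport']}"] += 1
    return summary


def top(counter, n=20):
    """Top-N view of a summary, in the style of the 'Top 20' reports above."""
    return counter.most_common(n)


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG, year=2009)
    for name, counter in result.items():
        if isinstance(counter, Counter):
            print(name)
            for key, count in top(counter):
                print(f"  {count:5d}  {key}")
    print("unparsed lines:", result["unparsed"])
```

Two caveats a practitioner would add before trusting the output: log sources whose clocks or time zones disagree will skew the date/time and trended summaries, so confirm NTP on every forwarding host first; and an `unparsed` count above zero means the file is not in the expected syslog layout, which is exactly the "correctly formatted log" precondition stated above.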
An attempt has been made to analyse a limited set of Tivoli logs using a specialised
configuration file developed by Sawmill's proprietor; this is also shown in Appendix A, which
gives the details.
3.7 Sawmill Process
* To initially access Sawmill you need to log on with the user name and password given
by the administrator.
Figure 3 Sawmill Logon Screen
* Once you have logged on you need to set up a profile; this is done by clicking the
Create New Profile button.
Figure 4 Profile Creation Screen
* You then need to select the location or source of your log; note that log patterns
can be used and subdirectories can be included by ticking the Process subfolders
box.
[New Profile Wizard, Log source page: Pathname, Process subfolders, Pattern is a regular expression, Show matching files]
Figure 5 File or Directory Path Selection
* If you choose to use the browse button to select the log, you are presented with a screen
as shown below.
[Browse dialog: OK, Cancel, Show Root, Show Drive, Network Shares; listing of drives and folders on the Sawmill host]
Figure 5 Browse the Selection Menu
• Once you have selected the directory the following screen appears to show the log is being processed.
Figure 6 Log Detection Screen (New Profile Wizard: "Detecting log format, please wait", reading the selected log file, elapsed time 00:00:08)
• If the log format is not recognised then the following screen appears. If you know the format of the log click Next; otherwise cancel and check with the SDU that you have received the correct log format.
(Screenshot: New Profile Wizard, "No log format detected". You may continue and choose a log format on the next wizard page; for a format listed as supported but not recognised, the dialog asks for a compressed sample of the log or documentation describing the format.)
• The next window allows you to select the log format you wish to analyse; select it and press Next.
Figure 8 Manual log format Selection (New Profile Wizard: Manual log format selection; the drop-down lists formats such as Symantec System Console Log Format (BETA), Syslog NG Log Format and tcpdump Log Format)
• Some formats give a secondary screen of choices, for example syslog, as there are no agreed common standards between manufacturers for the format of a syslog log. Once satisfied press Next.
Figure 9 Log type of Device Selected (New Profile Wizard: Manual logging device selection, "Select an appropriate logging device for Syslog (yyyymmdd hhmmss)"; the list includes Dovecot Secure IMAP/POP3 Server, EventReporter, Exim 4, Firebox, Firepass and FortiGate log formats)
• Each log type selected …
Figure 10 Name of new Profile
• Once the Finish button is pressed the log is analysed and a report is produced that can be drilled through using date ranges and selection criteria for the data from the task bar on the left-hand side. Samples of some summary reports, for which suitable logs have been available, are included in Appendix A.
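The wizard's automatic format detection (Figure 6) and its fallback to manual selection can be reproduced outside Sawmill when checking that the SDU has supplied the right kind of log. The following Python script is an added example and is not Sawmill's code or part of this process: it classifies the first lines of a log as BSD syslog, Cisco ASA/PIX syslog, ISO-timestamped syslog or a Windows Event Viewer CSV export, and returns None when nothing matches, which corresponds to the "No log format detected" screen. The sample log lines, the format names and the thresholds are constructed for the example.

```python
"""Log-format detection in the spirit of the Sawmill wizard's "Detecting log
format" step.  Added example for this document, not Sawmill code."""
import re

# Constructed sample logs (not taken from the Horizon estate).
SAMPLE_BSD_SYSLOG = (
    "Jan 16 09:12:01 host01 sshd[2211]: Accepted publickey for opsuser from 10.0.0.7 port 51234 ssh2\n"
    "Jan 16 09:12:05 host01 sudo: opsuser : TTY=pts/0 ; PWD=/home/opsuser ; COMMAND=/bin/ls\n"
)
SAMPLE_CISCO_SYSLOG = (
    "Jan 16 09:13:10 fw01 %ASA-6-302013: Built outbound TCP connection 100 for "
    "outside:203.0.113.5/80 (203.0.113.5/80) to inside:10.1.1.10/51000 (10.1.1.10/51000)\n"
    "Jan 16 09:13:12 fw01 %ASA-6-302014: Teardown TCP connection 100 for "
    "outside:203.0.113.5/80 to inside:10.1.1.10/51000 duration 0:00:02 bytes 4200 TCP FINs\n"
)
SAMPLE_ISO_SYSLOG = (
    "2008-01-16T09:14:00+00:00 host02 cron[411]: (root) CMD (run-parts /etc/cron.hourly)\n"
)
SAMPLE_WINDOWS_CSV = (
    "Type,Date,Time,Source,Category,Event,User,Computer\n"
    "Information,16/01/2008,09:00:01,Service Control Manager,None,7036,N/A,WS01\n"
    "Warning,16/01/2008,09:02:11,Automatic Updates,Download,16,N/A,WS01\n"
)
SAMPLE_UNKNOWN = "<html><body>not a log</body></html>\n"

# (name, regex, how to apply it).  Order matters: a Cisco line is also a valid
# BSD syslog line, so the more specific format is tried first.
FORMATS = [
    ("Cisco ASA/PIX syslog", re.compile(r"%(?:ASA|PIX|FWSM)-\d-\d{6}:"), "lines"),
    ("BSD syslog (RFC 3164)", re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ "), "lines"),
    ("syslog with ISO 8601 timestamp", re.compile(r"^\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d"), "lines"),
    ("Windows Event Viewer CSV export",
     re.compile(r"^Type,Date,Time,Source,Category,Event,User,Computer$"), "header"),
]


def detect_log_format(text, sample_lines=20, min_ratio=0.8):
    """Return the name of the first format whose pattern matches the sample,
    or None when no format matches (the wizard's "No log format detected")."""
    lines = [ln for ln in text.splitlines()[:sample_lines] if ln.strip()]
    if not lines:
        return None
    for name, pattern, mode in FORMATS:
        if mode == "header":
            # a CSV export is recognised by its header row alone
            if pattern.match(lines[0]):
                return name
        else:
            hits = sum(1 for ln in lines if pattern.search(ln))
            # tolerate a few continuation lines in a real file
            if hits / len(lines) >= min_ratio:
                return name
    return None


if __name__ == "__main__":
    for label, sample in [("bsd", SAMPLE_BSD_SYSLOG), ("cisco", SAMPLE_CISCO_SYSLOG),
                          ("iso", SAMPLE_ISO_SYSLOG), ("windows", SAMPLE_WINDOWS_CSV),
                          ("unknown", SAMPLE_UNKNOWN)]:
        print(f"{label:8} -> {detect_log_format(sample)}")
```

The ordering of FORMATS is the point the wizard's secondary syslog screen makes: several vendors' logs are syntactically valid syslog, so the specific device pattern has to be tested before the generic one.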
4.0 Audit
This process is subject to audit by the Governance Team.
However, in order to determine whether a Security Incident has occurred the following areas are considered key; each item also shows the other sources of base data that need to be used:
1. Confirm that only authorised platforms (i.e. names and IPs) access the network – documentation, Networks IP List and Event logs
3. Identify any unauthorised use of ports and protocols – analysis of Event logs and PVCS documentation
4. Identify any changes that take place without a Change Control (e.g. CP or OCP), both to Operating Systems and Applications – Audits and checks against CP and OCP data for any actions taken, and Nessus passive scans to see what is still outstanding
5. Identify any vulnerabilities on platforms, particularly those identified by the supplier as Critical or High – MBSA and OVAL runs targeted at at-risk platforms
6. Identify any unauthorised changes to users' rights based on their roles – PVCS documentation and access to Event logs, CP, OCPs and Audit
7. Identify any unauthorised changes to permissions on files dependent on the role and rights allocated to that role – Alerts, Audits, Event logs, CP and OCPs
8. Identify any unauthorised File or Data Transfers, particularly to CD, DVD or USB or unauthorised networks – Audits, Alerts, CP, OCPs and Event logs
9. Identify any AV alerts – Alerts, Event logs
10. Identify any unauthorised changes to Routers, Switches and Firewalls, in particular Configuration, Access Lists and Rulebases – Audit, Alerts, CP, OCP
11. Identify any unauthorised changes to Audit Logs and … – Audit, OCP, CP
12. Identify any unauthorised changes to passwords or password brute force attacks – …
13. Identify any buffer overflow attacks – Alerts, Audit…
14. Identify any unauthorised shares or escalation of privilege or network hopping – Audit, Event logs
15. Identify any unauthorised use of … tools to hide attacks – Alerts, Event logs, Audit, OCP, CPs
16. Identify any unauthorised … jobs – Alerts, Audit, Event logs, PVCS Documentation
17. Identify any unauthorised … – Alerts, Audit, PVCS Documentation, Event Logs

1. … logs – PVCS documentation
2. Check for the use of available exploit code for a DoS or DDoS – Event Log
3. Alert on any traffic patterns that indicate that a potential hack is being prepared for (not so much for Horizon, but this will be required as we migrate to HNG-X and the RMG Network is more open)
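Several of the audit areas above (items 6, 11 and 12) can be checked mechanically from a Security event log export rather than by eye. The following Python script is an added example and is not part of this process document: it runs three checks over constructed Windows 2000/XP Security log records, using the classic event IDs 529 (logon failure), 517 (audit log cleared) and 632/636 (member added to a security-enabled group). The approved change references, the brute-force threshold and the sample records are assumptions made for the example; in practice the CP/OCP records would supply the approved list.

```python
"""Event-log checks for three of the audit areas listed above.  Added example,
not part of the Horizon process; records and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Classic Windows NT/2000/XP Security log event IDs.
EV_LOGON_FAILURE = 529            # unknown user name or bad password
EV_AUDIT_LOG_CLEARED = 517
EV_GLOBAL_GROUP_MEMBER_ADDED = 632
EV_LOCAL_GROUP_MEMBER_ADDED = 636

# Constructed: change references that a CP/OCP record would authorise.
APPROVED_CHANGES = {"CP1234"}

# Constructed sample records; not taken from any real Horizon log.
SAMPLE_EVENTS = [
    {"time": "2008-01-16 09:00:05", "id": 529, "user": "admin",  "source": "10.1.1.50"},
    {"time": "2008-01-16 09:00:09", "id": 529, "user": "admin",  "source": "10.1.1.50"},
    {"time": "2008-01-16 09:00:14", "id": 529, "user": "root",   "source": "10.1.1.50"},
    {"time": "2008-01-16 09:00:20", "id": 529, "user": "backup", "source": "10.1.1.50"},
    {"time": "2008-01-16 09:00:27", "id": 529, "user": "admin",  "source": "10.1.1.50"},
    # a single mistyped password from another host is not a brute-force attempt
    {"time": "2008-01-16 09:30:00", "id": 529, "user": "jsmith", "source": "10.1.1.77"},
    {"time": "2008-01-16 10:02:00", "id": 632, "user": "Administrator", "source": "WS01",
     "group": "Domain Admins", "member": "tempuser", "change_ref": None},
    {"time": "2008-01-16 10:05:00", "id": 636, "user": "Administrator", "source": "WS01",
     "group": "Backup Operators", "member": "opsuser", "change_ref": "CP1234"},
    {"time": "2008-01-16 10:40:00", "id": 517, "user": "Administrator", "source": "WS01"},
]


def _ts(rec):
    return datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")


def find_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Audit item 12: a burst of logon failures from one source within `window`.
    Returns [(source, failures_in_window), ...]."""
    by_source = defaultdict(list)
    for rec in events:
        if rec["id"] == EV_LOGON_FAILURE:
            by_source[rec["source"]].append(_ts(rec))
    findings = []
    for source, times in by_source.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append((source, end - start + 1))
                break
    return findings


def find_unauthorised_rights_changes(events, approved=APPROVED_CHANGES):
    """Audit item 6: group-membership changes with no matching CP/OCP reference."""
    return [(r["member"], r["group"]) for r in events
            if r["id"] in (EV_GLOBAL_GROUP_MEMBER_ADDED, EV_LOCAL_GROUP_MEMBER_ADDED)
            and r.get("change_ref") not in approved]


def find_audit_log_cleared(events):
    """Audit item 11: the Security log was cleared; always worth review."""
    return [(r["time"], r["user"]) for r in events if r["id"] == EV_AUDIT_LOG_CLEARED]


def run_checks(events):
    return {
        "brute_force": find_brute_force(events),
        "rights_changes": find_unauthorised_rights_changes(events),
        "audit_log_cleared": find_audit_log_cleared(events),
    }


if __name__ == "__main__":
    for area, hits in run_checks(SAMPLE_EVENTS).items():
        print(f"{area}: {hits}")
```

The rights-change check deliberately treats a missing change reference as unauthorised rather than unknown, which matches the process: every change is expected to map to a CP or OCP.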
5.0 Appendix A
5.1 Tivoli Event Log Summary by Sawmill
5.1.1 Summary
Statistics for 09/Oct/2007 - 14/Dec/2007, 67 days
5.1.2 Overview
          All days   Average per day
Events     781,488         11,664.00
5.1.3 Years/months/days
(Chart: Events per year/month/day for 2007; y-axis 0 to 900,000)
   Date/time   Events
5.1.4 Days
(Chart: Events per day, 09 Oct 2007 to 14 Dec 2007; y-axis 0 to 600,000)
   Date/time        Events
1  09/Oct/2007           2
2  10/Oct/2007           2
3  11/Oct/2007           …
4  12/Oct/2007           …
6  14/Oct/2007           2
7  15/Oct/2007           2
8  16/Oct/2007           2
9  17/Oct/2007           2
10 18/Oct/2007           2
   29 other items  787,468
5.1.5 Day of weeks
(Chart: Events by day of week, Sunday to Saturday; y-axis 0 to 600,000)
   Day of week   Events
1  …             178,759
2  Monday              …
3  Tuesday             …
4  Wednesday     413,302
   Total         781,488
5.1.6 Hour of days
(Chart: Events by hour of day, midnight to 9:00 pm; y-axis 0 to 60,000)
    Hour of day            Events
1   midnight - 1:00 AM     29,408
2   1:00 AM - 2:00 AM      31,939
3   2:00 AM - 3:00 AM      30,670
4   3:00 AM - 4:00 AM      39,781
5   4:00 AM - 5:00 AM      28,783
6   5:00 AM - 6:00 AM      28,608
7   6:00 AM - 7:00 AM           …
8   7:00 AM - 8:00 AM           …
9   8:00 AM - 9:00 AM      37,383
10  9:00 AM - 10:00 AM     36,130
11  10:00 AM - 11:00 AM    31,501
12  11:00 AM - noon        19,275
13  noon - 1:00 PM         28,076
14  1:00 PM - 2:00 PM      34,119
15  2:00 PM - 3:00 PM      34,316
16  3:00 PM - 4:00 PM           …
17  4:00 PM - 5:00 PM      34,343
18  5:00 PM - 6:00 PM      31,433
19  6:00 PM - 7:00 PM      31,982
20  7:00 PM - 8:00 PM      30,932
21  8:00 PM - 9:00 PM      33,689
22  9:00 PM - 10:00 PM     43,928
23  10:00 PM - 11:00 PM    39,580
24  11:00 PM - midnight    33,198
    Total                 781,488
5.1.7 Console hostnames
(Console hostnames are redacted as IRRELEVANT in the source; only the legible rows are shown.)
   Console hostname   Events    %
   …                 109,383   14.0%
   …                  86,109   11.0%
   …                  54,535    7.0%
   …                  37,983    4.9%
   …                  34,495    4.4%
   …                  32,720    4.2%
   … other items      57,446    7.4%
   Total             781,488  100%
5.1.8 Log sources
   Log source    Events    %
1  NT           670,964   85.9%
2  EACRR         66,287    8.5%
3  VPN           19,872    2.5%
4  TIVOLI        14,644    1.9%
5  SSCMonitor     8,837    1.1%
6  PATROL           478    0.1%
7  AntiVirus          …   <0.1%
8  SNMP               4    0.0%
   Total        781,488  100%
5.1.9 Log source types
   Log source type    Events    %
1  Security          335,554   42.9%
2  VPN_LOOPBACK      197,504   25.3%
3  EACRR              66,287    8.5%
4  VPNKeymg…          35,657    4.6%
5  …                  19,872    2.5%
6  …                  17,569    2.2%
7  ROLLOUT…                …      …
8  …ADMIN                  …    1.2%
9  SSCMonitor          8,837    1.1%
10 ServiceMonitor      5,898    0.7%
   2604 other items   72,688    9.3%
   Total             781,488  100%
5.1.10 Event origins
(Event origins are redacted as IRRELEVANT in the source; only the legible rows are shown.)
   Event origin       Events    %
1  …                 105,416   13.5%
2  …                 105,267   13.5%
3  …                  15,1…     1.9%
4  …                  14,274    1.8%
5  …                  10,753    1.4%
   …                   7,997    1.0%
   …                   7,995    1.0%
   …                   7,115    0.9%
   8451 other items  485,016   62.1%
   Total             781,488  100%
5.1.11 Hostnames
(Hostnames are redacted as IRRELEVANT in the source; only the legible rows are shown.)
   Hostname           Events    %
1  …                 105,416   13.5%
   …                  14,274    1.8%
   …                   7,997    1.0%
   …                   7,995    1.0%
   …                   7,115    0.9%
   9140 other items  485,016   62.1%
   Total             781,488  100%
5.1.12 Severities
   Severity   Events    %
   …               …      …
   …               …   11.1%
   …          40,790    5.2%
   …               …    0.1%
   Total     781,488  100%
5.1.13 Event codes
   Event code        Events    %
1  538              231,157   30.1%
2  …                210,241   27.4%
3  …                      …      …
4  528               30,747    4.0%
5  …                 21,095      …
6  576               20,897    2.7%
7  …                      …      …
8  540               18,361    2.4%
9  577                    …    2.2%
10 …                 14,085    1.8%
   372 other items  117,440   15.3%
   Total            766,844  100%
5.1.14 Actions
   Action                     Events    %
1  User Logoff               108,471      …
2  Successful Logon           27,695   11.2%
3  Successful Network Logon   18,361    7.5%
4  File Open                  11,663    4.7%
   Total                           …  100%
5.1.15 Usernames
(Usernames other than Administrator are redacted as IRRELEVANT in the source; only the legible rows are shown.)
   Username          Events    %
   Administrator    174,007   71.0%
   …                 15,646    6.4%
   …                  9,035      …
   …                  7,421    3.0%
   …                  4,490    1.8%
   …                  4,207    1.7%
   …                      …    1.0%
   …                      …    0.8%
   485 other items        …      …
   Total                  …  100%
5.1.16 Domains
(Domain names are redacted as IRRELEVANT in the source.)
   Domain            Events    %
1  …                 17,538    7.5%
2  …                 10,341    4.4%
3  …                  6,940    3.0%
4  …                      …    1.7%
5  …                      …    1.5%
6  …                  3,421    1.5%
7  …                  3,409    1.5%
   410 other items  168,753   72.0%
   Total            234,527  100%
5.1.17 Login ids
(Login ids are redacted as IRRELEVANT in the source; the top entries each account for 0.0%.)
   Login id             Events    %
   …                         2    0.0%
   …                         1    0.0%
   …                         …    0.0%
   46045 other items    46,045  100.0%
   Total                46,056  100%
5.1.18 Login types
   Login type   Events    %
1  2           193,160      …
2  3            31,776   13.5%
3  4             3,986    1.7%
4  7                 …    0.2%
5.1.19 Auth pkgs
   Auth pkg     Events   %
1  …                 …   …
2  NTLM         10,361   …
3  Negotiate        37   …
5.1.20 File names
   File name                            Events    %
1  C:\WINNT\system32\RedPike.dll         4,525   38.8%
2  C:\Cryptography\bin\kMAgent…              …      …
3  C:\Cryptography\bin\CryptoAPI.ini         …      …
4  C:\Cryptography\keys                      …      …
5  C:\Cryptography\bin\…                     …      …
6  C:\sshadmin                               …      …
7  …\SM…                                    50      …
8  C:\Support\Tools\SSCSUP                  50    0.4%
9  C:\Support\Tools\SYSMANSUP               50    0.4%
10 C:\Support\Tools\Generic\NTReskit        50    0.4%
   56 other items                          285    2.4%
   Total                                11,663  100%
5.1.21 Messages
   Message                                                                                              Events    %
1  EACRR spostemsg                                                                                      66,283   12.4%
2  VPN Server Ping Success monid:vpn_route monsev:G                                                     16,560    3.1%
3  Riposte function '…' failed. The … is unavailable. (0x6BA)                                           11,821    2.2%
   …
   The authentication string "/L=P /O=3221" for IP address … does not match /C=44 /CN=… /STA=65535 /L=P /PN=1000.   3,014   0.6%
   …                                                                                                        …    0.5%
7  MONID:APOP.BO.SVR MONSEV:G                                                                            2,463    0.5%
8  MONID:BBND.BO.SVR MONSEV:G                                                                            2,462    0.5%
9  MONID:MGRM.B002.SVR MONSEV:G                                                                          2,460    0.5%
10 MONID:BBND.B001.SVR MONSEV:G                                                                          2,459    0.5%
   416113 other items                                                                                   22,669    7.0%
   Total                                                                                               535,116  100%
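The Sawmill tables in 5.1 above and in 5.2 below all have the same shape: a count and percentage per value of one field, the top entries listed and the remainder collapsed into "N other items", plus an hour-of-day histogram. The following Python script is an added example and not Sawmill's own code: it produces the same kind of table from constructed event records (timestamp, log source, severity), so that a report can be reproduced or cross-checked without the tool. The field names and sample records are the example's own.

```python
"""Sawmill-style summary tables (count, percentage, top-N plus "other items",
hour-of-day histogram) computed from event records.  Added example, not
Sawmill code; the records below are constructed."""
from collections import Counter
from datetime import datetime

# Constructed sample records: (timestamp, log source, severity).
SAMPLE_RECORDS = [
    ("2007-10-09 00:15:00", "NT", 20),
    ("2007-10-09 01:20:00", "NT", 20),
    ("2007-10-09 01:45:00", "NT", 40),
    ("2007-10-09 09:05:00", "NT", 20),
    ("2007-10-09 09:30:00", "NT", 60),
    ("2007-10-09 13:00:00", "NT", 20),
    ("2007-10-09 09:10:00", "EACRR", 20),
    ("2007-10-09 21:10:00", "EACRR", 20),
    ("2007-10-09 21:50:00", "EACRR", 40),
    ("2007-10-09 09:12:00", "VPN", 20),
    ("2007-10-09 23:59:00", "VPN", 20),
    ("2007-10-09 09:40:00", "TIVOLI", 60),
]

FIELD_INDEX = {"timestamp": 0, "log_source": 1, "severity": 2}


def summarise(records, field, top=10):
    """Return [(value, events, pct), ...] sorted by events descending, with
    everything past `top` collapsed into one 'N other items' row, then a
    Total row, exactly as the Sawmill tables are laid out."""
    idx = FIELD_INDEX[field]
    counts = Counter(rec[idx] for rec in records)
    total = sum(counts.values())
    ordered = counts.most_common()
    head, tail = ordered[:top], ordered[top:]
    rows = [(str(value), n, round(100.0 * n / total, 1)) for value, n in head]
    if tail:
        other = sum(n for _, n in tail)
        rows.append((f"{len(tail)} other items", other, round(100.0 * other / total, 1)))
    rows.append(("Total", total, 100.0))
    return rows


def hour_of_day(records):
    """Events per hour bucket 0..23, as in the 'Hour of days' tables."""
    buckets = [0] * 24
    for rec in records:
        hour = datetime.strptime(rec[0], "%Y-%m-%d %H:%M:%S").hour
        buckets[hour] += 1
    return buckets


def format_table(rows, label):
    """Render summarise() output as aligned text."""
    width = max(len(label), max(len(r[0]) for r in rows))
    lines = [f"{label:<{width}}  Events   %"]
    for value, n, pct in rows:
        lines.append(f"{value:<{width}}  {n:>6,}  {pct:5.1f}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(summarise(SAMPLE_RECORDS, "log_source", top=2), "Log source"))
    print()
    print(format_table(summarise(SAMPLE_RECORDS, "severity"), "Severity"))
    print()
    for hour, n in enumerate(hour_of_day(SAMPLE_RECORDS)):
        if n:
            print(f"{hour:02d}:00  {n}")
```

Because the percentages are rounded per row, the listed rows plus "other items" can sum to 99.9% or 100.1%; that is the same rounding effect visible in the Sawmill tables and is not a counting error.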
5.2 Summary Analysis of a Windows 2K/XP CSV export
5.2.1 Summary
Statistics for 09/Oct/2002 - 15/Nov/2007, 1864 days
5.2.2 Overview
          All days   Average per day
Events       2,130                …
5.2.3 Years/months/days
(Chart: Events per year, 2002 to 2007; y-axis 0 to 600)
   Date/time   Events
1  2002            59
2  2003             …
3  2004           118
4  2005             …
5  2006             …
6  2007             …
   Total        2,130
5.2.4 Days
(Chart: Events per day, 01 Nov 2002 to 01 Nov 2007; y-axis 0 to 600)
   Date/time        Events
1  …                     …
2  14/Oct/2002          38
   …
7  05/Jan/2003           2
8  09/Jan/2003           5
9  29/Mar/2003           1
10 14/Aug/2003           5
   531 other items   2,058
   Total             2,130
5.2.5 Day of weeks
(Chart: Events by day of week; y-axis 0 to 900)
   Day of week   Events
1  Sunday             …
2  Monday           854
3  Tuesday          237
4  Wednesday        281
5  Thursday         246
6  Friday             …
7  Saturday         167
   Total          2,130
5.2.6 Hour of days
(Chart: Events by hour of day, midnight to 9:00 pm; y-axis 0 to 600)
    Hour of day            Events
1   midnight - 1:00 AM         19
2   1:00 AM - 2:00 AM           3
3   2:00 AM - 3:00 AM           …
4   3:00 AM - 4:00 AM           …
5   4:00 AM - 5:00 AM           …
    …
10  9:00 AM - 10:00 AM         58
    …
14  1:00 PM - 2:00 PM           …
    …
18  5:00 PM - 6:00 PM           …
19  6:00 PM - 7:00 PM           …
20  7:00 PM - 8:00 PM           …
21  8:00 PM - 9:00 PM           …
22  9:00 PM - 10:00 PM          …
23  10:00 PM - 11:00 PM         …
24  11:00 PM - midnight         …
    Total                   2,130
5.2.7 Sources
   Source                       Events    %
1  Application Popup               581   27.3%
2  Automatic Updates               394   18.5%
3  Removable Storage Service       392   18.4%
   …
   Total                         2,130  100%
5.2.8 Types
   Type          Events    %
1  Information    1,491   70.0%
2  Warning          563   26.4%
3  Error             76    3.6%
   Total          2,130  100%
5.2.9 Categories
   Category        Events    %
1  …                    …      …
2  Download           394   18.5%
3  CRM                  …    0.2%
   Devices              …      …
   Firing Agent         1    0.0%
   Total            2,130  100%
5.2.10 Events
   Event            Events    %
1  26                  581   27.3%
2  16                  394   18.5%
3  135                 173    8.1%
4  104                 172    8.1%
5  105                   …    4.1%
6  2018                  …    3.8%
   …
8  2006                 78    3.7%
   …
10 1000                 50    2.3%
   42 other items      371      …
   Total             2,130  100%
5.2.11 Users
(User names are redacted as IRRELEVANT in the source.)
   User      Events    %
   …              …      …
   …              …    0.3%
   Total      2,130  100%
5.2.12 Computers
(Computer names are redacted as IRRELEVANT in the source.)
   Computer   Events    %
1  …             164    7.7%
   …               …      …
   …               6    0.3%
   …               4    0.2%
   Total       2,130  100%
5.2.13 Descriptions
   Description                                                                                                      Events    %
1  Application popup: ping.exe - DLL Initialization Failed : The application failed to initialize because the window station…      …      …
2  Unable to connect: Windows is unable to connect to the Automatic Updates service and therefore cannot download and insta…     394   18.5%
3  Received a device interface ARRIVAL notification for device …                                                        …    8.1%
4  Received a device interface REMOVAL notification for device …                                                      173    8.1%
5  The service was started …                                                                                           85    4.0%
6  SNMP Event Log Extension Agent is starting …                                                                         …    3.8%
7  The description for Event ID ( 209… ) in Source ( … ) cannot be found. The local computer may not have …             …    3.7%
8  Service started.                                                                                                     …    3.0%
9  The description for Event ID ( 20… ) in Source ( RCONSVC ) cannot be found …                                         …      …
10 Received Handle Query Remove notification                                                                            43    2.0%
   435 other items                                                                                                     448   21.0%
   Total                                                                                                             2,130  100%
5.3 Summary Analysis of a Cisco Firewall/Router/Switches syslog
5.3.1 Summary
Statistics for 16/Jan/2008, 1 day
5.3.2 Overview
                     All days
Events                  5,530
Page views              5,529
Unique source IPs          96
Bytes                      0b
Destination bytes          0b
Duration             08:53:42
5.3.3 Years/months/days
(Chart: Events for 2008; y-axis 0 to 6,000)
   Date/time   Events   Page views   Unique source IPs   Bytes   Destination bytes   Duration
1  2008         5,530        5,529                  96      0b                  0b   08:53:42
   Total        5,530        5,529                  96      0b                  0b   08:53:42
5.3.4 Days
(Chart: Events for 16 Jan 2008; y-axis 0 to 6,000)
   Date/time        Events   Page views   Unique source IPs   Bytes   Destination bytes   Duration
1  We 16 Jan 2008    5,530        5,529                  96      0b                  0b   08:53:42
   Total             5,530        5,529                  96      0b                  0b   08:53:42
5.3.5 Day of weeks
(Chart: Events by day of week, Wednesday only; y-axis 0 to 6,000)
   Day of week   Events   Page views   Unique source IPs   Bytes   Destination bytes   Duration
1  Wednesday      5,530        5,529                  96      0b                  0b   08:53:42
   Total          5,530        5,529                  96      0b                  0b   08:53:42
5.3.6 Hour of days
(Chart: Events by hour of day, 8:00 am to 4:00 pm; y-axis 0 to 6,000)
   Hour of day   Events   Page views   Unique source IPs   Bytes   Destination bytes   Duration
5.3.7 Logging Devices
(Logging device names are redacted as IRRELEVANT in the source; only the legible rows are shown.)
   Logging device    Events    %      Page views   Unique source IPs   Bytes   Destination bytes   Duration
   …                    504    9.1%          504                   …      0b                  0b   00:00:00
   …                      …    7.8%            …                   …      0b                  0b   00:00:00
   …                      …    1.7%            …                   …      0b                  0b   00:00:00
   …                    409    7.4%          409                   …      0b                  0b   00:00:00
   …                      …      …             …                   …      0b                  0b   00:00:00
   …                    315    5.7%          315                   1      0b                  0b   00:00:00
   …                    295      …           295                   1      0b                  0b   00:00:00
   …                    289    5.2%          289                   1      0b                  0b   00:00:00
   …                    270    4.9%          270                  32      0b                  0b   00:00:00
   …                    233    4.2%          233                   7      0b                  0b   08:44:48
   36 other items     1,994   36.1%        1,994                   …      0b                  0b   00:08:54
   Total              5,530  100%          5,529                  96      0b                  0b   08:53:42
5.3.8 Operations
   Operation   Events    %      Page views   Unique source IPs   Bytes   Destination bytes   Duration
1  Teardown     2,230   54.7%            …                   …       …                  0b   08:53:42
2  …            1,704   44.0%            …                   …      0b                  0b   00:00:00
3  …                …    1.1%            …                   5      0b                  0b   00:00:00
4  Accessed         5    0.1%            …                   3      0b                  0b   00:00:00
   Total            …  100%              …                   …      0b                  0b   08:53:42
5.3.9 Messages
   Message   Events   %     Page views   Unique source IPs   Bytes   Destination bytes   Duration
   Total          0   100%           0                   0      0b                  0b   00:00:00
5.3.10 Message codes
(Message codes are redacted as IRRELEVANT in the source; only the legible rows are shown.)
   Message code     Events    %      Page views   Bytes   Destination bytes   Duration
   …                   327    5.9%          327      0b                  0b   00:00:00
   …                   326    5.9%          326      0b                  0b   00:00:00
   …                   244    4.4%          244      0b                  0b   00:00:00
   …                   236    4.3%          236      0b                  0b   00:00:00
   … other items       975   17.6%          975      0b                  0b   08:53:42
   Total             5,530  100%          5,529      0b                  0b   08:53:42
5.3.11 Protocols
   Protocol     Events    %      Page views   Unique source IPs   Bytes   Destination bytes   Duration
1  TCP           2,726   67.0%        2,726                   …      0b                  0b   00:00:00
2  UDP             978   24.0%            …                   …      0b                  0b   00:00:00
3  ICMP            339    8.3%            …                   …      0b                  0b   00:00:00
4  local-host       21    0.5%            …                  19      0b                  0b   08:53:42
5  static            5    0.1%            5                   …      0b                  0b   00:00:00
6  dynamic          1    0.0%            1                   …      0b                  0b   00:00:00
   Total         4,070  100%              …                   …      0b                  0b   08:53:42
5.3.12 Source IPs
(Source IP addresses are redacted as IRRELEVANT in the source; only the legible rows are shown.)
   Source IP        Events    %      Page views   Unique source IPs   Bytes   Destination bytes   Duration
   …                   140   22.9%          140                   …      0b                  0b   00:00:00
   …                    38    6.2%           38                   1      0b                  0b   00:00:00
   …                    37    6.0%            …                   …      0b                  0b   00:00:00
   …                    37    6.0%           37                   1      0b                  0b   00:00:00
   …                    34    5.6%           34                   1      0b                  0b   00:00:00
   …                    20    3.3%           20                   1      0b                  0b   00:00:00
   …                    19      …            19                   1      0b                  0b   00:00:00
   …                    16    2.6%           16                   1      0b                  0b   00:00:00
   85 other items      200   32.7%          199                   …      0b                  0b   08:53:42
   Total               612  100%              …                  95      0b                  0b   08:53:42
5.3.13 Destination IPs
(Destination IP addresses are redacted as IRRELEVANT in the source.)
   Destination IP   Events    %      Page views   Unique source IPs   Bytes   Destination bytes   Duration
   …                     6      …            …                   …       …                  0b   00:00:00
   …                     2      …            2                   2      0b                  0b   00:00:00
   …                     2    9.1%            …                   …      0b                  0b   00:00:00
   …                     1    4.5%            1                   1      0b                  0b   00:00:00
   …                     1    4.5%            1                   1      0b                  0b   00:00:00
   …                     1    4.5%            1                   1      0b                  0b   00:00:00
   …                     1    4.5%            1                   1      0b                  0b   00:00:00
   4 other items         4   18.2%            4                   …      0b                  0b   00:00:00
   Total                22  100%              …                   9      0b                  0b   00:00:00
5.3.14 Source hostnames
Source hostnames
Default report view on zoom when clicking on a table item:
Source hostname | Events | % | Page views | Unique source IPs | Bytes | Destination bytes | Duration
Total | 0 | 100% | 0 | [illegible] | 0b | 0b | 00:00:00
5.3.15 Destination hostnames
Destination hostnames
Overview
Destination hostname | Events | % | Page views | Unique source IPs | Bytes | Destination bytes | Duration
Total | 0 | 100% | 0 | 0 | 0b | 0b | 00:00:00
5.3.16 Source ports
Source ports
Default report view on zoom when clicking on a table item:
Source port | Events | % | Page views | Unique source IPs | Bytes | Destination bytes | Duration
7561 | 140 | 24.3% | [illegible] | 55 | 0b | 0b | 00:00:00
[illegible] | [illegible] | [illegible] | [illegible] | [illegible] | 0b | 0b | 00:00:00
[illegible] | [illegible] | [illegible] | [illegible] | [illegible] | 0b | 0b | 00:00:00
[illegible] | [illegible] | [illegible] | [illegible] | [illegible] | 0b | 0b | 00:00:00
[illegible] | [illegible] | [illegible] | [illegible] | [illegible] | 0b | 0b | 00:00:00
[illegible] | [illegible] | [illegible] | [illegible] | [illegible] | 0b | 0b | 00:00:00
[illegible] | [illegible] | [illegible] | [illegible] | [illegible] | 0b | 0b | 00:00:00
[illegible] | [illegible] | [illegible] | [illegible] | 2 | 0b | 0b | 00:00:00
[illegible] | [illegible] | [illegible] | [illegible] | 2 | 0b | 0b | 00:00:00
34195 | 4 | 0.7% | [illegible] | 1 | 0b | 0b | 00:00:00
154 other items | 263 | 45.7% | 263 | - | 0b | 0b | 00:00:00
Total | 576 | 100% | 576 | 70 | 0b | 0b | 00:00:00
5.3.17 Destination ports
Destination ports
Overview
Default report view on zoom when clicking on a table item:
Destination port | Events | % | Page views | Unique source IPs | Bytes | Destination bytes | Duration
1 138 | 6 | 85.7% | 6 | [illegible] | 0b | [illegible] | 00:00:00
2 949 | 1 | 14.3% | 1 | 1 | 0b | 0b | 00:00:00
Total | 7 | 100% | [illegible] | [illegible] | 0b | 0b | 00:00:00
5.3.18 Source sides
Source sides
Overview
Default report view on zoom when clicking on a table item:
Source side | Events | % | Page views | Unique source IPs | Bytes | Destination bytes | Duration
[illegible] | 528 | 88.4% | 528 | [illegible] | 0b | 0b | 00:00:00
[illegible] | 39 | 6.5% | 39 | 9 | 0b | 0b | 00:00:00
[illegible] | [illegible] | 2.5% | [illegible] | [illegible] | 0b | 0b | 00:25:02
[illegible] | [illegible] | 0.8% | 5 | 3 | 0b | 0b | 00:00:00
[illegible] | [illegible] | 0.7% | 4 | 2 | 0b | 0b | 00:00:00
[illegible] | 3 | 0.5% | 3 | 3 | 0b | 0b | 00:08:54
[illegible] | [illegible] | [illegible] | 3 | 3 | 0b | 0b | [illegible]
Total | 597 | 100% | [illegible] | 89 | 0b | 0b | 08:53:42
5.3.19 Destination sides
Destination sides
Overview
Default report view on zoom when clicking on a table item:
Destination side | Events | % | Page views | Unique source IPs | Bytes | Destination bytes | Duration
[illegible] | 7 | 100.0% | 7 | [illegible] | 0b | 0b | 00:00:00
Total | 7 | 100% | [illegible] | [illegible] | 0b | 0b | 00:00:00
5.3.20 Geographic locations
Geographic locations
Single-page Summary / Hierarchy
Default report view on zoom when clicking on a table item:
Geographic location | Events | % | Page views | Unique source IPs | Bytes | Destination bytes | Duration
Total | [illegible] | 100% | 0 | 0 | 0b | 0b | 00:00:00
5.3.21 Interfaces
Interfaces
Overview
Default report view on zoom when clicking on a table item:
Interface | Events | % | Page views | Unique source IPs | Bytes | Destination bytes | Duration
dmz | 1 | 100.0% | 1 | 1 | 0b | [illegible] | 00:00:00
Total | 1 | 100% | 1 | [illegible] | [illegible] | [illegible] | 00:00:00
5.3.22 Directions
Directions
Default report view on zoom when clicking on a table item:
Direction | Events | % | Page views | Unique source IPs | Bytes | Destination bytes | Duration
[rows illegible]
5.3.23 Foreign IPs
Foreign IPs
Default report view on zoom when clicking on a table item:
Foreign IP | Events | % | Page views | Unique source IPs | Bytes | Destination bytes | Duration
[illegible] | 152 | 10.9% | 152 | [illegible] | [illegible] | 0b | 00:00:00
[illegible] | 96 | 6.9% | [illegible] | 1 | 0b | 0b | 00:00:00
[illegible] | 59 | 4.2% | [illegible] | [illegible] | 0b | 0b | 00:00:00
[illegible] | 52 | 3.7% | 52 | 1 | 0b | 0b | 00:00:00
[illegible] | 37 | 2.7% | 37 | 1 | 0b | 0b | 00:00:00
[illegible] | 37 | 2.7% | 37 | 1 | 0b | 0b | 00:00:00
[illegible] | 34 | 2.4% | [illegible] | 1 | 0b | 0b | 00:00:00
457 other items | [illegible] | 53.7% | [illegible] | - | 0b | 0b | 00:00:00
Total | 1,394 | 100% | 1,394 | 1 | 0b | 0b | 00:00:00
5.3.24 Foreign ports
Foreign ports
Overview
Default report view on zoom when clicking on a table item:
Foreign port | Events | % | Page views | Unique source IPs | Bytes | Destination bytes | Duration
161 | 233 | 16.7% | 233 | [illegible] | 0b | 0b | 00:00:00
[illegible] | 222 | 15.9% | 222 | 1 | 0b | 0b | 00:00:00
[illegible] | 156 | 11.2% | [illegible] | [illegible] | 0b | 0b | 00:00:00
[illegible] | 98 | 7.0% | 98 | 1 | 0b | 0b | 00:00:00
[illegible] | 49 | 3.5% | 49 | 1 | 0b | 0b | 00:00:00
[illegible] | 35 | [illegible] | 35 | 1 | 0b | 0b | 00:00:00
[illegible] | 34 | 2.4% | 34 | 1 | 0b | 0b | 00:00:00
[illegible] | 10 | 0.7% | 10 | 1 | 0b | 0b | 00:00:00
[row illegible]
1315 | 6 | 0.4% | 6 | 1 | 0b | 0b | 00:00:00
215 other items | 484 | 34.7% | 484 | - | 0b | 0b | 00:00:00
Total | 1,394 | 100% | 1,394 | 1 | 0b | 0b | 00:00:00
5.3.25 Global IPs
Global IPs
Overview
Default report view on zoom when clicking on a table item:
Global IP | Events | % | Page views | Unique source IPs | Bytes | Destination bytes | Duration
Total | 0 | 100% | 0 | [illegible] | [illegible] | [illegible] | [illegible]
5.3.26 Global ports
Global ports
Overview
Default report view on zoom when clicking on a table item:
Global port | Events | % | Page views | Unique source IPs | Bytes | Destination bytes | Duration
[rows illegible]
5.3.27 Local IPs
Local IPs
Overview
Default report view on zoom when clicking on a table item:
Local IP | Events | % | Page views | Unique source IPs | Bytes | Destination bytes | Duration
Total | 0 | 100% | 0 | 0 | 0b | 0b | 00:00:00
5.3.28 Local ports
Local ports
Overview
Default report view on zoom when clicking on a table item:
Local port | Events | % | Page views | Unique source IPs | Bytes | Destination bytes | Duration
Total | 0 | 100% | 0 | [illegible] | [illegible] | [illegible] | [illegible]
5.3.29 Service names
Service names
Default report view on zoom when clicking on a table item:
Service name | Events | % | Page views | Unique source IPs | Bytes | Destination bytes | Duration
[illegible] | 6 | [illegible] | 6 | 1 | 0b | 0b | 00:00:00
949 (empty) | 1 | 14.3% | 1 | 1 | 0b | 0b | 00:00:00
Total | 7 | 100% | 7 | [illegible] | 0b | 0b | 00:00:00
5.3.30 URLs/directories
URLs/directories
URL | Events | % | Page views | Unique source IPs | Bytes | Destination bytes | Duration
[illegible] | 1 | 20.0% | 1 | 1 | 0b | 0b | 00:00:00
[illegible] | 1 | 20.0% | 1 | 1 | 0b | 0b | 00:00:00
[illegible] | [illegible] | [illegible] | [illegible] | 4 | 0b | 0b | 00:00:00
[illegible] | [illegible] | [illegible] | 1 | 1 | 0b | 0b | 00:00:00
[remaining rows illegible; bytes, destination bytes and duration read 0b, 0b and 00:00:00 throughout]
5.3.31 URLs
URLs
Overview
Default report view on zoom when clicking on a table item:
URL | Events | % | Page views | Unique source IPs | Bytes | Destination bytes | Duration
[illegible] | [illegible] | [illegible] | 1 | 1 | 0b | 0b | 00:00:00
[illegible] | [illegible] | [illegible] | 1 | 1 | 0b | 0b | 00:00:00
[illegible] | [illegible] | [illegible] | 0 | 1 | 0b | 0b | 00:00:00
[illegible] | [illegible] | [illegible] | 1 | 1 | 0b | [illegible] | 00:00:00
Total | [illegible] | [illegible] | 4 | 3 | 0b | [illegible] | 00:00:00
5.3.32 Flags
Flags
Overview
Default report view on zoom when clicking on a table item:
Flags | Events | % | Page views | Unique source IPs | Bytes | Destination bytes | Duration
Total | 0 | 100% | 0 | [illegible] | [illegible] | 0b | 00:00:00
5.3.33 Users
Users
Default report view on zoom when clicking on a table item:
User | Events | % | Page views | Unique source IPs | Bytes | Destination bytes | Duration
[rows illegible]
5.3.34 Commands
Commands
Overview
Default report view on zoom when clicking on a table item:
Command | Events | % | Page views | Unique source IPs | Bytes | Destination bytes | Duration
Total | 0 | 100% | 0 | [illegible] | [illegible] | 0b | 00:00:00
5.3.35 Types
Types
Overview
Type | Events | % | Page views | Unique source IPs | Bytes | Destination bytes | Duration
[name illegible] | 28 | [illegible] | [illegible] | 3 | 0b | 0b | 00:00:00
src | 9 | 24.3% | 9 | 1 | 0b | 0b | 00:00:00
Total | 37 | 100% | 37 | 3 | 0b | 0b | 00:00:00
5.3.36 Lists
Lists
Overview
Default report view on zoom when clicking on a table item:
List | Events | % | Page views | Unique source IPs | Bytes | Destination bytes | Duration
Total | 0 | 100% | [illegible] | [illegible] | [illegible] | 0b | 00:00:00
5.3.37 Sessions overview
(Columns: All days | Average per day)
Sessions by one-time users | 83 | [illegible]
Repeat users | [illegible]
Two-time users | [illegible]
Four-time users | 0
Total session [label partly illegible] | 00:43:44
Maximum concurrent sessions | 2
Average session duration | 00:00:24
5.3.38 Entry pages
Entry pages
Page | Sessions | %
[IRRELEVANT] | [illegible] | [illegible]
[remaining rows illegible]
5.3.39 Exit pages
Exit pages
Page | Sessions | %
[illegible] | [illegible] | 92%
[illegible] | 1 | 0.9%
[rows illegible]
[illegible] | 1 | 0.9%
Total | 109 | 100%
5.3.40 Session pages
Session pages
Page | Sessions | % | Events | % | Time spent | %
[illegible] | 107 | 96.4% | 109 | 96.5% | 00:43:44 | 100.0%
[illegible] | 1 | 0.9% | 1 | 0.9% | 00:00:00 | 0.0%
[IRRELEVANT] | 1 | 0.9% | 1 | 0.9% | 00:00:00 | 0.0%
[illegible] | 1 | 0.9% | 1 | 0.9% | 00:00:00 | 0.0%
[illegible] | 1 | 0.9% | 1 | 0.9% | 00:00:00 | 0.0%
Total | 111 | 100% | 113 | 100% | 00:43:44 | 100%
5.3.41 Session users
Session users
Default report view on zoom when clicking on a table item:
User | Sessions | % | Events | % | Time spent | %
[illegible] | 2 | 1.8% | 2 | 1.8% | 00:00:00 | 0.0%
[illegible] | 2 | 1.8% | 2 | 1.8% | 00:00:00 | 0.0%
[illegible] | 2 | 1.8% | 2 | 1.8% | 00:00:00 | 0.0%
[IRRELEVANT] | 2 | 1.8% | [illegible] | [illegible] | 00:00:00 | 0.0%
[illegible] | 2 | 1.8% | 2 | 1.8% | 00:00:00 | 0.0%
[illegible] | [illegible] | [illegible] | 2 | 1.8% | 00:00:00 | 0.0%
[illegible] | 2 | 1.8% | 2 | 1.8% | 00:00:00 | 0.0%
[illegible] | [illegible] | [illegible] | 2 | 1.8% | 00:00:00 | 0.0%
[illegible] | [illegible] | 1.8% | 6 | 5.3% | 00:43:44 | 100.0%
[row illegible]
[illegible] other items | 89 | 81.7% | 89 | 78.8% | 00:00:00 | 0.0%
Total | 109 | 100% | 113 | 100% | 00:43:44 | 100%
5.4 Summary Analysis of a UNIX Solaris 9.0 syslog
5.4.1 Overview
(Columns: All days | Average per day)
Messages | 1,711 | 213.88
5.4.2 Years/months/days
[Chart: Messages by year; y-axis to 2,000]
Date/time | Messages
1 2008 | 1,711
Total | 1,711
5.4.3 Days
[Chart: Messages per day, Tu 08 Jan 2008 to Tu 15 Jan 2008; y-axis 100 to 300]
Date | Messages
1 08/Jan/2008 | 189
2 09/Jan/2008 | [illegible]
3 10/Jan/2008 | [illegible]
4 11/Jan/2008 | 265
5 [illegible] | [illegible]
6 13/Jan/2008 | 251
7 14/Jan/2008 | 234
8 15/Jan/2008 | 58
Total | 1,711
5.4.4 Day of weeks
[Chart: Messages by day of week; y-axis to 300]
Day of week | Messages
1 [illegible] | [illegible]
2 Monday | 234
3 [illegible] | [illegible]
4 Wednesday | 251
5 [illegible] | [illegible]
6 Friday | 265
7 Saturday | 216
Total | 1,711
5.4.5 Hour of days
[Chart: Messages by hour of day; x-axis 0:00, 3:00 am, 6:00 am, 9:00 am, 12:00, 3:00 pm, 6:00 pm, 9:00 pm]
Hour of day | Messages
3 2:00 AM - 3:00 AM | [illegible]
4 3:00 AM - 4:00 AM | 67
16 3:00 PM - 4:00 PM | 64
[illegible] | 63
[remaining rows illegible]
5.4.6 Logging devices
Logging devices
Logging device | Messages | %
[illegible] | 1,711 | 100.0%
Total | 1,711 | 100%
5.4.7 Syslog messages
Syslog messages
Syslog message | Messages | %
[illegible] | 10 | 0.6%
[illegible] | 7 | 0.4%
[illegible] | 7 | 0.4%
[illegible] | 183 | 10.7%
Total | 1,711 | 100%
5.5 Summary Analysis of Windows NT Event Logs
5.5.1 Overview
(Columns: All days | Average per day)
Events | 53,096 | 21.03
5.5.2 Years/months/days
[Chart: Events by year; y-axis to 40,000]
Date/time | Events
1 2002 | [illegible]
2 2003 | [illegible]
3 2004 | [illegible]
4 2005 | 2,381
5 2006 | 4,867
6 2007 | 30,601
7 2008 | 14,796
Total | 53,096
5.5.3 Days
Date/time | Events
1 [illegible]/2002 | 1
[rows 2 to 5 illegible]
6 04/Jun/2002 | 333
7 08/Aug/2002 | 4
8 10/Sep/2002 | 1
9 12/Oct/2002 | 26
10 08/Dec/2002 | 122
381 other items | 52,574
Total | 53,096
5.5.4 Day of weeks
[Chart: Events by day of week, Su to Sa; y-axis 0 to 20,000 (0% to 37.7%)]
Day of week | Events
[rows illegible]
5.5.5 Hour of days
[Chart: Events by hour of day; x-axis 0:00, 3:00 am, 6:00 am, 9:00 am, 12:00, 3:00 pm, 6:00 pm, 9:00 pm; y-axis 0 to 10,000 (0% to 18.8%)]
Hour of day | Events
1 [illegible] | [illegible]
2 1:00 AM - 2:00 AM | [illegible]
3 2:00 AM - 3:00 AM | [illegible]
4 3:00 AM - 4:00 AM | [illegible]
5 4:00 AM - 5:00 AM | [illegible]
6 5:00 AM - 6:00 AM | 1,926
7 [illegible] | [illegible]
8 7:00 AM - 8:00 AM | 4,629
9 8:00 AM - 9:00 AM | 1,888
10 9:00 AM - 10:00 AM | 2,567
11 10:00 AM - 11:00 AM | 2,366
12 11:00 AM - noon | 2,499
13 [illegible] | [illegible]
14 1:00 PM - 2:00 PM | 2,267
15 2:00 PM - 3:00 PM | 2,944
16 3:00 PM - 4:00 PM | 9,458
17 4:00 PM - 5:00 PM | 6,050
18 5:00 PM - 6:00 PM | [illegible]
19 [illegible] | [illegible]
20 7:00 PM - 8:00 PM | 4,383
21 8:00 PM - 9:00 PM | 1,239
22 9:00 PM - 10:00 PM | 1,340
23 10:00 PM - 11:00 PM | 1,347
24 11:00 PM - midnight | 4,285
Total | 53,096
5.5.6 Sources
Sources
Source | Events | %
1 TimeServ | 27,602 | 52.0%
2 NETLOGON | 12,496 | 23.5%
3 Security | 10,930 | 20.6%
4 SweepNT | 1,008 | 1.9%
5 [illegible] | [illegible] | [illegible]
6 [illegible] | 122 | 0.2%
7 [illegible] | [illegible] | [illegible]
8 EventLog | [illegible] | 0.2%
9 [illegible]RCONSVC | [illegible] | 0.1%
49 other items | 304 | 0.7%
Total | 53,096 | 100%
5.5.7 Types
Types
Type | Events | %
1 Information | 40,172 | 75.7%
2 Success Audit | 10,961 | 20.6%
3 Warning | 1,043 | 2.0%
4 Error | [illegible] | 1.7%
5 Failure Audit | 6 | 0.0%
Total | 53,096 | 100%
5.5.8 Categories
Categories
Category | Events | %
1 None | 40,838 | 76.9%
2 Object Access | 10,493 | 19.8%
3 SweepInfo | 1,008 | 1.9%
4 Logon/Logoff | 383 | 0.7%
5 [illegible] | [illegible] | [illegible]
6 [illegible] | [illegible] | [illegible]
7 System Event | 29 | 0.1%
8 Account Management | 25 | 0.0%
9 VPN | 23 | 0.0%
10 Events | 15 | 0.0%
4 other items | 32 | 0.1%
Total | 53,096 | 100%
5.5.9 Events
Events
Event | Events | %
1 [illegible] | 26,858 | 50.6%
2 5711 | 11,807 | 22.2%
3 [illegible] | [illegible] | [illegible]
4 562 | 5,246 | 9.9%
5 [illegible] | [illegible] | [illegible]
[rows 6 to 9 illegible]
10 528 | 189 | 0.4%
[illegible] other items | 1,260 | 2.4%
Total | 53,096 | 100%
5.5.10 Users
Users
User | Events | %
[illegible] | [illegible] | 73.9%
[illegible] | [illegible] | 0.2%
[illegible] | [illegible] | 0.2%
[illegible] | [illegible] | 0.2%
[illegible] | 86 | 0.2%
Total | 53,096 | 100%
5.5.11 Computers
Computers
Computer | Events | %
[illegible] | 37,210 | 70.1%
[illegible] | 15,886 | 29.9%
Total | 53,096 | 100%
5.5.12 Details
Details
Detail | Events | %
1 Time set (offset < 5 second) | [illegible] | [illegible]
2 Object Open: | [illegible] | [illegible]
3 Handle Closed: | [illegible] | [illegible]
4 The partial synchronization request from the server [illegible] completed successfully. 1 changes(s) has(have) been retu... | [illegible] | [illegible]
5 The partial synchronization request from server [IRRELEVANT] completed successfully. 1 changes(s) [illegible] | 3,602 | 6.8%
6 The partial synchronization request from the server [illegible] completed successfully. 1 changes(s) has(have) been retu... | 3,595 | 6.8%
7 [illegible] respond [illegible] | 304 | 0.7%
8 The specified NTPServer supports RFC-868(Time) | 303 | 0.7%
9 [illegible]nization request from the server [illegible], 2 changes(s) has(have) been ret... | 219 | 0.4%
10 The partial synchronization request from the server [IRRELEVANT] completed successfully. 2 changes(s) has(have) been retu... | 216 | 0.4%
582 other items | 3,762 | 7.1%
Total | 53,089 | 100%
6.0 Appendix B
This appendix includes details of the prioritisation that platforms are given based on their Security Tier and Domain for HNG-X and is to be used as a guideline for Horizon. The analysis of logs and events will be prioritised based on this
[embedded object: dewgenspe0007 01]
7.0 Appendix C
Appendix C summarizes the Security events that Windows pl[...] will need to be included as a basis for analysis. Linux and Solaris eve[...] of this document.
[embedded object: Windows Events]
8.0 Appendix D
Appendix D gives full details of th[...]
[embedded objects, captions partly illegible: "TRIOLE Security [...]", "[...]ormation Event [...]", "Fujitsu Services recommended [...]"]