
Acquiring Data Access Reports

Last Updated: Mar 26, 2019 12:16AM PDT
This article shows you how to request, receive, and review Organization Data Access reports.

NOTE: If you are searching for host-local application debug logs, see Accessing Log Data.

Introduction
The SSProtect product suite provides a great deal of functionality directed at minimizing the impact of complex security events, whether through the loss of sensitive IP, the cost of Incident Response and Recovery, or the impact of disruptions due to sabotage and/or data loss/availability.

In the progression of managed data usage, KODiAC Cloud Services provides a central point of coordination for all information - configuration data, runtime data access, and detection information from distributed Honeypots.

All of this information flows to a single source that stores it and makes it available for audit access reports. These reports provide deterministic information useful in assessing disclosure risk, attacker presence, and retained protections at any stage of a threat dynamic.

Report Generation
To display a report of this information, choose the Usage Reports context menu from the notification icon. Depending on configuration, you can use Quick Access commands for a recent (2-day, GMT) file activity detail, file sequence report, user/Admin activity, and/or Integrated file and user/Admin Activity (for Privileged Organization Users).



All reports use cloud data that is sent back to the host, which then transforms the data into one of several formatted Excel spreadsheets holding the specifics.

Report Types
There are ten different Reports you can generate, though only eight Excel templates. Three Reports are specific to :Respond, described in the :Respond Topic, and there are an additional six Reports available using the menu noted above, two each for Unprivileged and Privileged Users, as follows:

 
  • User (Admin) - includes User Activities such as Login, Logout, and Update
  • File - details managed Data Access and Conversion Activities
  • Integrated (Admin) - combines User and File Activities

Privileged Users see all Administrative (Admin) and User Activity, while Unprivileged User Reports do not include Administrative actions. File details are fine-grained aspects of Conversion, which include each step of a managed file transaction (protect/access/release).

The tenth Report is the File Sequence Report, which consolidates fine-grained details into simple line items.

Report Generation
From the Usage Reports context menu item, use the Manage submenu to display the Data Management interface shown below:



To generate a report:

  • Choose from the User (Admin) and/or File type to scope event categories
  • Choose Seq if you prefer the Sequence Report; User (Admin) will not be available
  • Choose the end date of the report, often (and by default) the present day
  • Choose the number of Days to show, including the chosen date
  • Choose Acquire; processing is automatic, using Excel to display formatted results

Acquire sends the requested parameters to the cloud and, using authentication information (a 2nd factor supplementing an active user Login session), acquires the scoped event categories across the requested timeframe. At the host, this data is then saved in .csv format and fed to Excel templates (with signed macros) that format the information into a matching set of columns for review. The software queries the user for the target location and filename, then saves the raw .csv information as specified before displaying the final result. You may wish to save the formatted result in a convenient location, though the .xlsm results are stored, with a date/time suffix, in the following location:

  
C:\Users\<WinUsername>\AppData\Local\DefiniSec\Config\Reports

  ...where <WinUsername> is your Windows Profile/Username.

Content
Report content includes the date, time, unique host ID, user, private and public IP address, event detail, and status (pass/fail). When appropriate, it also includes file details: size, version, plaintext hash (useful in Forensic reconstruction or correlation), and unique system file ID, along with the containing application and all associated follow-up events, to create a complete picture of host-based event activity.
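As an added example (not DefiniSec code), the following Python sketch shows how the raw .csv saved during Acquire could be reviewed outside Excel: it lists failed events, finds plaintext hashes seen on more than one host, and builds a per-file timeline. The column names and sample rows are assumptions constructed for illustration, since this article lists the report fields but not the actual header row.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of the raw .csv export. The column names are assumptions:
# the article lists the report fields but not the actual header row.
SAMPLE_CSV = """date,time,host_id,user,private_ip,public_ip,event,status,file_id,version,size,plaintext_hash
2019-03-25,14:02:11,HOST-A,alice@example.com,10.0.0.5,198.51.100.7,access,pass,F-001,3,20480,aa11
2019-03-25,14:09:40,HOST-A,alice@example.com,10.0.0.5,198.51.100.7,protect,pass,F-001,4,20992,bb22
2019-03-25,23:51:03,HOST-B,alice@example.com,192.168.1.9,203.0.113.44,access,fail,F-001,4,20992,bb22
2019-03-26,00:03:27,HOST-B,alice@example.com,192.168.1.9,203.0.113.44,access,pass,F-001,4,20992,bb22
2019-03-26,09:15:00,HOST-C,bob@example.com,10.0.0.8,198.51.100.7,access,pass,F-002,1,512,cc33
"""

def load_events(text):
    """Parse the exported CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def failed_events(events):
    """Return events whose pass/fail status field is 'fail'."""
    return [e for e in events if e["status"].strip().lower() == "fail"]

def hashes_on_multiple_hosts(events):
    """Map plaintext hash -> sorted host IDs for content seen on 2+ hosts."""
    hosts = defaultdict(set)
    for e in events:
        if e["plaintext_hash"]:
            hosts[e["plaintext_hash"]].add(e["host_id"])
    return {h: sorted(ids) for h, ids in hosts.items() if len(ids) > 1}

def file_timeline(events, file_id):
    """Chronological (timestamp, host, public IP, event, status) for one file ID."""
    rows = sorted((e for e in events if e["file_id"] == file_id),
                  key=lambda e: (e["date"], e["time"]))
    return [(f'{e["date"]} {e["time"]}', e["host_id"], e["public_ip"],
             e["event"], e["status"]) for e in rows]

if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    for e in failed_events(events):
        print("FAILED:", e["date"], e["time"], e["host_id"], e["user"], e["event"])
    for digest, hosts in hashes_on_multiple_hosts(events).items():
        print("Hash", digest, "seen on hosts:", ", ".join(hosts))
    for step in file_timeline(events, "F-001"):
        print(*step)
```

To use it on a real export, read the saved .csv file into `load_events` and adjust the column names to match the actual header row.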

For More Information
For information regarding product features and content, consult the Document Index, or send email with specific questions to support@definisec.com.
 


This article was updated w/ v9.1.3 of the :Foundation Client
