NOTE: If you are searching for host-local application debug logs, see Accessing Log Data.
The SSProtect product suite provides a great deal of functionality all directed at protecting sensitive information. In the progression of events, the cloud service component serves as a central coordinator for all information - configuration data, runtime data access, and detection information from distributed Honeypot endpoints.
All of this information flows to a single source that stores it and makes it available for audit access reports. These reports provide deterministic information useful in assessing disclosure risk, attacker presence, and retained protections at any stage of a threat dynamic.
To display a report of this information, users can choose the Reporting and Logs context menu from the notification icon and, depending on their configuration, utilize the Quick Access commands to see a recent (2-day, GMT) summary for file activity, user/Admin activity or Integrated Organization Activity (privileged users in an Organization):
All reports result from cloud data that's sent back to the host, which transforms the data into one of several Excel spreadsheets to show formatted event information details.
There are six different reports: each of the following three types comes in two versions, one for privileged and one for non-privileged users:
- User - all user activity such as login, logout, and update
- File - all data access and conversion activity such as protect, release, open/close
- Integrated - shows user and file activity in one single report
Privileged users see Administrative activities while non-privileged users do not. Privileged users also see the activity of all others in their Organization, while non-privileged users only see their own event data. As such, there are six different reports, though they use only two different formats - the user format and the file format - either independently or combined.
NOTE: Additional Reports specific to data disclosure risks are available with :Respond. See the article, Using :Respond, for more information.
From the Reporting and Logs context menu item, the Manage submenu brings up the Data Management interface shown below:
To generate a report:
- Choose from the User and/or File type to scope event categories
- Choose the end date of the report, often the present day
- Choose the number of Days to show, including the chosen date
- Choose Acquire; all remaining processing is automatic, leading to display
Acquire sends the requested parameters to the cloud and, with authentication information (2nd-factor supplementing an active user Login session), acquires the scoped event categories across the requested timeframe. At the host, this data is saved in .csv format and fed to Excel spreadsheets with signed macros that format the information into a matching set of columns for review. The software queries the user for the target location and filename, then saves the raw .csv information as specified before displaying the final result. You may wish to save the formatted result in a convenient location, though the .xlsm results are stored using a date/time suffix, to the following location:
...where <WinUsername> is your Windows Profile/Username.
Report content contains date, time, user, private and public IP address, event detail, and status (pass/fail). When appropriate, it also contains file details that include size, version, plaintext hash (useful in Forensic reconstruction or correlation), and unique system file ID, along with the containing application and all associated follow-up events. Together these create a complete picture of host-based event activity that can be critical when assessing security incident details.
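The plaintext hash lets a reviewer follow the same content across events in the saved raw .csv. The following Python is an added example, not SSProtect code: it groups file events by hash and lists hashes with failed events or more than one file ID. The column names, status strings, review criteria and sample rows are assumptions constructed for illustration; match them to the header row of your own export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a raw report export. Column names and values are
# assumptions for this example, not the product's documented layout.
SAMPLE_CSV = """Date,Time,User,PrivateIP,PublicIP,Event,Status,FileID,PlaintextHash,Application
2024-03-01,09:14:02,alice@example.org,10.0.0.5,198.51.100.7,Open,Pass,F-001,aaa111,WINWORD.EXE
2024-03-01,09:20:41,alice@example.org,10.0.0.5,198.51.100.7,Close,Pass,F-001,aaa111,WINWORD.EXE
2024-03-01,23:02:13,bob@example.org,192.168.1.9,203.0.113.44,Open,Fail,F-001,aaa111,WINWORD.EXE
2024-03-02,08:01:55,bob@example.org,10.0.0.8,198.51.100.7,Open,Pass,F-002,bbb222,EXCEL.EXE
2024-03-02,08:30:10,carol@example.org,10.0.0.9,198.51.100.7,Open,Pass,F-003,aaa111,WINWORD.EXE
"""


def load_events(csv_text):
    """Parse report rows into dicts, skipping rows without a file hash."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row for row in reader if row.get("PlaintextHash")]


def correlate_by_hash(events):
    """Group file events by plaintext hash so identical content is tracked
    across file IDs, users and public IP addresses."""
    groups = defaultdict(lambda: {"users": set(), "public_ips": set(),
                                  "file_ids": set(), "failures": []})
    for ev in events:
        g = groups[ev["PlaintextHash"]]
        g["users"].add(ev["User"])
        g["public_ips"].add(ev["PublicIP"])
        g["file_ids"].add(ev["FileID"])
        if ev["Status"].strip().lower() == "fail":
            g["failures"].append((ev["Date"], ev["Time"], ev["User"], ev["PublicIP"]))
    return dict(groups)


def review_candidates(groups):
    """Return hashes worth a closer look: any failed event, or the same
    content seen under more than one file ID (an assumed review criterion)."""
    return sorted(h for h, g in groups.items()
                  if g["failures"] or len(g["file_ids"]) > 1)


if __name__ == "__main__":
    groups = correlate_by_hash(load_events(SAMPLE_CSV))
    for h in review_candidates(groups):
        g = groups[h]
        print(h, sorted(g["users"]), sorted(g["public_ips"]),
              sorted(g["file_ids"]), g["failures"])
```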
For more report specifics, consult the printable online .PDF SSProtect :Assess guide indexed in the Documentation reference.
For More Information
If you have questions or comments, you can post in the forum or email firstname.lastname@example.org anytime.