NOTE: If you are searching for host-local application debug logs, see Accessing Log Data.
The SSProtect product suite provides a great deal of functionality directed at minimizing the impact of complex security events, whether through the loss of sensitive IP, the cost of Incident Response and Recovery, or the impact of disruptions due to sabotage and/ or data loss/ availability.
In the progression of managed data usage, KODiAC Cloud Services provides a central point of coordination for all information - configuration data, runtime data access, and detection information from distributed Honeypots.
All of this information flows to the single source that stores and makes available information suitable for audit access reports that provide deterministic information useful in assessing disclosure risk, attacker presence, and retained protections at any stage of a threat dynamic.
To display a report of this information, choose the Usage Reports context menu from the notification icon and, depending on configuration, utilize Quick Access commands for a recent (2-day, GMT) file activity detail, file sequence report, user/ Admin activity, and/ or Integrated file and user/ Admin Activity (for Privileged Organization Users):
All reports utilize cloud data that's sent back to the host which then transforms the data into one of several formatted Excel spreadsheets holding specifics.
There are ten different Reports you can generate, though only eight Excel templates. Three Reports are specific to :Respond, described in the :Respond Topic, and there are an additional six Reports available using the menu noted above - two each for Unprivileged and Privileged Users , as follows:
- User (Admin) - includes User Activities such as Login, Logout, and Update
- File - details managed Data Access and Conversion Activities
- Integrated (Admin) - combines User and File Activities
Privileged Users see all Administrative (Admin) and User Activity, while Unprivileged User Reports do not include Administrative actions. File details are fine-grained aspects of Conversion, which include each step of a managed file transaction (protect/ access/ release).
The tenth Report is the File Sequence Report, which consolidates fine-grained details into simple line items.
From the Usage Reports context menu item, use the Manage submenu to display the Data Management interface shown below:
To generate a report:
- Choose from the User (Admin) and/or File type to scope event categories
- Choose Seq if you prefer the Sequence Report; User (Admin) will not be available
- Choose the end date of the report, often (and by default) the present day
- Choose the number of Days to show, including the chosen date
- Choose Acquire; processing is automatic, using Excel to display formatted results
Acquire sends the requested parameters to the cloud and, with authentication information (2nd-factor supplementing an active user Login session) acquires the scoped event categories across the requested timeframe. This data is then, at the host, saved in .csv format and fed to Excel templates (with signed macros) that format the information into a matching set of columns for review. The software queries the user for the target location and filename, then saves the raw .csv information as specified before displaying the final result. You may wish to save the formatted result in a convenient location, though the .xlsm results are stored using a date/ time suffix, to the following location:
...where <WinUsername> is your Windows Profile/ Username.
Report content contains date, time, unique host ID, user, private and public IP address, event detail, status (pass/fail), along with file details (when appropriate) that include size, version, plaintext hash (useful in Forensic reconstruction or correlation), unique system file ID, along with the containing application and all associated follow-up events to create a complete picture of host-based event activity.
This article was updated w/ v9.1.3 of the :Foundation Client