RSA enVision 4.1 User’s Guide
Sep 03, 2014


RSA enVision 4.1 Users Guide

Contact Information

Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com

Trademarks

RSA, the RSA Logo, RSA enVision, RSA Event Explorer and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective owners. For a list of EMC trademarks, go to www.rsa.com/legal/trademarks_list.pdf.

License agreement

This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person. No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability. This software is subject to change without notice and should not be construed as a commitment by EMC.

Third-party licenses

This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-party software in this product may be viewed in the thirdpartylicenses.pdf file. Portions of this application include technology used under license from Visual Mining, Inc. 2000 - 2010. Portions of this application include iAnywhere technology, 2001 - 2010.

Note on encryption technologies

This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product.

Distribution

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice. THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright 2011 EMC Corporation. All Rights Reserved. Published in the USA. September 2011


Contents

Preface ... 5
  About This Guide ... 5
  RSA enVision Documentation ... 5
  Related Documentation ... 6
  Support and Service ... 6
    Before You Call Customer Support ... 7

Chapter 1: RSA enVision Users and User Tasks ... 9
  RSA enVision Users ... 9
  RSA enVision User Tasks ... 9
  Log On to RSA enVision ... 10
  Log Off of RSA enVision ... 11

Chapter 2: Managing Your User Information ... 13
  User Information ... 13
  Modify Your User Information ... 13

Chapter 3: Monitoring the System Performance ... 15
  Events Per Second ... 15
    Collector EPS Rates ... 15
    Monitor the EPS Rates ... 17
  Monitor Process Statistics ... 17
  Monitor Data Server Session Details and Usage Information ... 18

Chapter 4: Viewing Incoming Events ... 21
  Incoming Events ... 21
  Event Viewer ... 21
  Display Incoming Events ... 24
    Copy Events for Further Analysis ... 25
  Graph Events by Event Type ... 25
  Graph Event Types by Time ... 26

Chapter 5: Monitoring Events and Alerts ... 29
  Events and Alerts ... 29
  Dashboard ... 29
  Dashboard Reports ... 30
  Design and Use Your Dashboard ... 31
  Dashboard Examples ... 32

Chapter 6: Managing Alerts ... 35
  Alert Management ... 35
  Views and Collections ... 36
    Views ... 36
    Collections ... 36
  Monitoring Peak Status of Multiple Views Concurrently ... 37
    Enterprise Dashboard ... 37
    Enterprise Dashboard Modes ... 37
    Collection and View Icons in Enterprise Dashboard ... 39
    Monitor Peak Severity Using Map Mode ... 40
    Monitor Peak Severity Using a List ... 41
    Toggle Between Modes ... 42
  Monitor Incoming Alerts ... 42
  Monitor Alerts in the Database ... 44
  Review Alert Details ... 44

Chapter 7: Accessing Historical Data ... 47
  Historical Data ... 47
  Tools for Accessing Data ... 47
  Query ... 48
    Create a Query ... 50
    Run a Saved Query ... 51
  Reports ... 52
    Standard Reports ... 52
    Run an Ad Hoc Report ... 53
    Schedule a Report ... 56
    Display Generated Scheduled Reports ... 59

Appendix A: Troubleshooting ... 61
  Logon Issues ... 61
  Event Viewer Issues ... 62
  Dashboard Issues ... 62
  Real-Time Details and History Issues ... 63
  Query Issues ... 63
  Report Issues ... 64

Glossary ... 65

Index ... 71


Preface

About This Guide

This guide contains information that helps users to get started using the RSA enVision platform. It is designed to be used with the enVision Help. This guide includes instructions for performing the most common end-user tasks.

RSA enVision Documentation

For information about the RSA enVision platform, see the following documentation:

- Release Notes. Provides information about what is new and changed in this release, as well as workarounds for known issues. The latest version of the Release Notes is available on RSA SecurCare Online at https://knowledge.rsasecurity.com.
- Overview Guide. Provides an introduction to RSA enVision platform features and capabilities.
- Hardware Setup and Maintenance Guide. Provides instructions on setting up and maintaining RSA enVision appliances. Intended audience is the system administrator.
- Configuration Guide. Provides instructions on configuring an RSA enVision site. Intended audience is the system administrator.
- Migration Guide. Provides instructions on migrating data from a previous version of the RSA enVision platform to the current version.
- Virtual Deployment Guide. Provides instructions on installing an RSA enVision single appliance site or Remote Collector on a virtual infrastructure.
- Administrators Guide. Provides instructions on the basic setup and maintenance of the RSA enVision platform. Includes instructions for the most common administrator tasks.
- Users Guide. Provides information that helps users to get started using the RSA enVision platform. Includes instructions for the most common user tasks.
- Backup and Recovery Guide. Provides instructions on backing up an RSA enVision system and recovering from a hardware failure.
- Security Configuration Guide. Provides an overview of security configuration settings in the RSA enVision platform.
- Universal Device Support Guide. Describes how to add log collection and analysis support for event sources that the RSA enVision platform does not support.
- RSA enVision Help. Provides comprehensive instructions on setting up RSA enVision processing options and using RSA enVision analysis tools.


RSA continues to assess and improve the documentation. Check RSA SecurCare Online for the latest documentation.

Related Documentation

For information about the RSA enVision Event Explorer module, see the following documentation:

- Release Notes. Provides information about what is new and changed in this release, as well as workarounds for known issues.
- Installation Guide. Provides instructions on installing the RSA enVision Event Explorer module on your client machine in separate guides for Microsoft Windows and Apple Macintosh operating systems. Intended audience is the end user.
- RSA enVision Event Explorer Help. Provides comprehensive instructions on setting up and using the RSA enVision Event Explorer module.

For information about the RSA enVision EventSource Integrator, see the following documentation:

- Release Notes. Provides information about what is new and changed in this release, as well as workarounds for known issues.
- Overview Guide. Provides an introduction to RSA enVision EventSource Integrator features and capabilities.
- RSA enVision EventSource Integrator Help. Provides comprehensive instructions on using RSA enVision Event Source Integrator.

Support and Service

RSA SecurCare Online: https://knowledge.rsasecurity.com
Customer Support Information: www.rsa.com/support
RSA Secured Partner Solutions Directory: www.rsasecured.com

RSA SecurCare Online offers a knowledgebase that contains answers to common questions and solutions to known problems. SecurCare Online also offers information on new releases, important technical news, and software downloads. The RSA Secured Partner Solutions Directory provides information about third-party hardware and software products that have been certified to work with RSA products. The directory includes Implementation Guides with step-by-step instructions and other information about interoperation of RSA products with these third-party products.


Before You Call Customer Support

Make sure that you have direct access to the computer running the RSA enVision software. Please have the following information available when you call:

- One of the following:
  - On a 60-series appliance, the serial number of the appliance. You can find the seven-character serial number on the chassis tag on the back of the appliance, or open a Dell OpenManage Server Administrator session, and click System > Properties > Summary to find the serial number in the chassis service tag field.
  - On a virtual appliance, the serial number of the RSA enVision software. Open the C:\WINDOWS\system32\drivers\etc\Nie-oe.dat file, and locate the line that begins with S/N=.
- RSA enVision software version number.
- The name and version of the operating system under which the problem occurs.
- On a virtual appliance, the VMware ESX or ESXi server details.


Chapter 1: RSA enVision Users and User Tasks

- RSA enVision Users
- RSA enVision User Tasks
- Log On to RSA enVision
- Log Off of RSA enVision

RSA enVision Users

RSA enVision users perform tasks in the RSA enVision system. An enVision administrator creates the user account and assigns the relevant permissions for these tasks based on the role that the user performs. Some examples of roles that enVision users can perform in the organization include the following:

- Security, Compliance, and Network Analyst
- Security, Compliance, and Network Engineer
- Security and Compliance Manager
- Event source owner
- Internal Auditor

RSA enVision User Tasks

You can perform the following tasks depending on the permissions that the RSA enVision administrator assigns to your user account.

Task: Modify user information
Description: You can modify your own user information. For more information, see Chapter 2, Managing Your User Information.

Task: Monitor EPS
Description: You can monitor the events per second (EPS) rate of the enVision Collector to ensure that the EPS rate remains within the licensed range. If you consistently have an EPS rate over your limit, enVision drops messages. For more information, see Chapter 3, Monitoring the System Performance.

Task: View incoming events
Description: You can view incoming events in real time. You can graphically represent the incoming events based on event type or event time. For more information, see Chapter 4, Viewing Incoming Events.

Task: Monitor events and alerts
Description: You can monitor events and alerts using reports and graphs on the Dashboard. For more information, see Chapter 5, Monitoring Events and Alerts.

Task: Manage alerts
Description: You can manage the alerts generated by enVision for the events. For more information, see Chapter 6, Managing Alerts.

Task: Access historical data
Description: You can access historical data stored in enVision using the Event Viewer, queries, and reports. For more information, see Chapter 7, Accessing Historical Data.

Log On to RSA enVision

You can log on to RSA enVision from your computer.

Note: If you have upgraded to RSA enVision 4.1 from an earlier version, an Invalid User/Password pair message may appear when you log on for the first time after the upgrade. Contact your enVision administrator for assistance.

To log on to enVision:

1. Go to the URL that your enVision administrator provided, for example, http://. If you connect through HTTPS and your browser displays a certificate validation message, click Continue to open the Log In page.
2. Enter your user name and password.

   Note: RSA recommends that you change your password after you log on to enVision the first time. For instructions, see Modify Your User Information.

3. Click Log In.

Note: If you use a Web browser, such as Internet Explorer, to access RSA enVision from the appliance, you may receive a number of warning messages. RSA recommends that you access RSA enVision only from a client machine.


Log Off of RSA enVision

To log off of RSA enVision:

Click Log Out in the bottom left of the window.


Chapter 2: Managing Your User Information

- User Information
- Modify Your User Information

User Information

Every RSA enVision user has an individual user account and is assigned a unique user ID, created by the enVision administrator. User account passwords are stored securely to prevent unauthorized access and data corruption. As a user, you can modify only your first name, last name, enVision password, and description in your user account.

Modify Your User Information

To modify your user information:

1. Click Overview > System Configuration > Modify User Information. The window displays the information that you can modify.
2. Update any of the following information as necessary:
   - First name
   - Last name
   - Password
   - Description

   For information on the fields, see the Help topic Add/Modify User Window.


This example shows the fields that user sjohn can modify.

3. Click Apply.


Chapter 3: Monitoring the System Performance

- Events Per Second
- Monitor Process Statistics
- Monitor Data Server Session Details and Usage Information

Events Per Second

The events per second (EPS) rate measures the average number of events collected by the RSA enVision Collector per second. RSA enVision collects events at your licensed EPS rate and provides a buffer of 10 to 30 percent to allow for an occasional excess of events:

- If the EPS rate exceeds the maximum EPS by 10 percent, enVision generates a warning message (NIC-4-400019).
- If the EPS rate exceeds the maximum EPS by 30 percent, enVision generates an alert message (NIC-1-400020) indicating the condition and the number of events dropped.

If you consistently receive these warning and alert messages, notify the enVision administrator.

Collector EPS Rates

You can monitor the EPS rates for the Collector using the System Performance window. The System Performance window provides the following information about event collection:

- EPS licenses. Displays the aggregate number of EPS licenses for the collectors that are currently displayed.
- Collector. Displays the name of the Collector. If you have multiple Collectors, select the Collector for which you want to view EPS rates.
- Collection gauges. Display the percentage of the EPS license being used, in total and for each collection protocol. The colors of the gauges indicate the rate of event collection as a percentage of the EPS license limit as follows:
  - Green: Less than or equal to 80 percent
  - Orange: Between 80 and 90 percent
  - Red: Greater than 90 percent

  Instant is the running average of the last ten seconds. Average is the average number of events per second since the event source started.

  The gauges also provide the following information:
  - Peak is the highest number of events received in a one-second period since the event source started.
  - At Peak is when the event source is currently at that highest recorded level of EPS.

The RSA enVision administrator sets the refresh rate for the gauges (between one and ninety-nine seconds). RSA recommends that you monitor the EPS rate for your enVision appliance. Based on the EPS gauges, you can determine the health of the enVision system. If you are consistently exceeding the EPS limit, events will not be collected by the specified Collector. If the EPS rate is between 80 and 90 percent of the enVision license limit, you should notify the enVision administrator. This example shows EPS rates from the Collector named Doc-ES that are all in the normal range.

[Figure: System Performance window for Collector Doc-ES, with callouts for the Collector list and the EPS rate gauges]
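To make the gauge figures above concrete, here is an added Python example (not code from the guide or from the RSA enVision product) that computes Instant, Average, Peak and At Peak from a constructed list of event arrival times, colours the gauge with the 80/90 percent thresholds, and maps the rate against the license buffer to the warning and alert message IDs the guide names. Which of the rates enVision compares against the license is not stated in the guide; comparing the Instant rate is an assumption made here.

```python
from collections import Counter

# Thresholds stated in the guide, as a percentage of the licensed EPS.
GREEN_MAX_PCT = 80       # <= 80 percent  -> green
ORANGE_MAX_PCT = 90      # 80-90 percent  -> orange, above that -> red
WARNING_PCT = 110        # 10 percent over the maximum -> warning NIC-4-400019
ALERT_PCT = 130          # 30 percent over the maximum -> alert NIC-1-400020
INSTANT_WINDOW = 10      # "Instant" is the running average of the last ten seconds


def gauge_color(percent_of_license):
    """Colour the System Performance gauge would show for this reading."""
    if percent_of_license <= GREEN_MAX_PCT:
        return "green"
    if percent_of_license <= ORANGE_MAX_PCT:
        return "orange"
    return "red"


def license_message(percent_of_license):
    """Message ID for a rate over the license buffer (None when within it).
    Assumption: the instant rate is what gets compared against the license."""
    if percent_of_license >= ALERT_PCT:
        return "NIC-1-400020"
    if percent_of_license >= WARNING_PCT:
        return "NIC-4-400019"
    return None


def eps_stats(event_times, licensed_eps):
    """event_times: arrival time of each collected event, in whole seconds.
    Returns the gauge figures the guide describes for one Collector."""
    if not event_times or licensed_eps <= 0:
        raise ValueError("need at least one event and a positive licensed EPS")
    per_second = Counter(event_times)            # events received per one-second slot
    first, last = min(per_second), max(per_second)
    elapsed = last - first + 1
    average = len(event_times) / elapsed          # EPS since the source started
    peak = max(per_second.values())               # busiest one-second period
    recent = range(last - INSTANT_WINDOW + 1, last + 1)
    instant = sum(per_second[s] for s in recent) / INSTANT_WINDOW
    percent = 100.0 * instant / licensed_eps
    return {
        "instant": instant,
        "average": average,
        "peak": peak,
        "at_peak": per_second[last] == peak,      # currently at the recorded peak?
        "percent_of_license": percent,
        "color": gauge_color(percent),
        "message": license_message(percent),
    }


# Constructed sample (not data from a real Collector): ten quiet seconds at
# 50 EPS, then ten busy seconds at 110 EPS with a one-second burst of 150.
SAMPLE_TIMES = (
    [1000 + s for s in range(10) for _ in range(50)]
    + [1010 + s for s in range(10) for _ in range(150 if s == 5 else 110)]
)

if __name__ == "__main__":
    for key, value in eps_stats(SAMPLE_TIMES, licensed_eps=100).items():
        print(f"{key:>19}: {value}")
```

With a license of 100 EPS the sample ends at an Instant rate of 114 EPS: the gauge is red, and because the rate is more than 10 percent over the maximum the warning ID is returned even though the Average since start (82 EPS) still looks healthy. That gap between Average and Instant is why the guide recommends watching the gauges rather than a single long-term figure.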


This example shows the EPS rates from the Collector named Doc-ES that are exceeding the enVision license limit. The red highlights indicate that if this condition continues, events may be lost.

[Figure: System Performance window for Collector Doc-ES with the EPS rate gauges in the red range, with callouts for the Collector list and the EPS rate gauges]

Monitor the EPS Rates

To monitor the EPS rates of a Collector:

1. Click Overview > System Performance.
2. If you have multiple sites, select the site for which you want to view the EPS rates.
3. If you have multiple Collectors, from the Collector drop-down list, select the Collector for which you want to view the EPS rates.

Monitor Process Statistics

You can view the statistics of the different RSA enVision processes in the site from the Process Statistics window. The Process Statistics window is displayed only on RSA enVision 4.1. If you have multiple sites with appliances using versions 4.1, 4.0, and 3.7 of enVision, note that the Process Statistics window is not available for enVision appliance versions 4.0 and 3.7.


To view the statistics of the different enVision processes of a site:

1. Click Overview > System Performance. If you have multiple sites, select the site for which you want to view the process statistics.
2. Click Process Statistics.

Note: The data in the Process Statistics window is derived from the data generated in the Performance Monitor tool on Windows. Therefore, the values displayed for the fields on the Process Statistics window correspond to the values in the Performance Monitor and may not be the same as the values displayed in the Task Manager for the same fields.

This example shows process statistics from an enVision system ESUpgrade.

For information on each of the fields, see the enVision Help.

Monitor Data Server Session Details and Usage Information

The Data Server window displays the session details and usage information for the Data Server (D-SRV). In single appliance setups, it shows the session details of the NIC Server.

Note: The Data Server window is displayed only on RSA enVision 4.1. If you have multiple sites with appliances using versions 4.1, 4.0, and 3.7 of enVision, note that the Process Statistics window is not available for enVision appliance versions 4.0 and 3.7.


To view the statistics of the different enVision processes in a site:

1. Click Overview > System Performance. If you have multiple sites, select the site for which you want to view the process statistics.
2. Click Data Server. For a multiple appliance site with multiple D-SRVs, clicking Data Server shows a summary page with details for each of the D-SRVs. Use this window to compare the values of the D-SRVs. Click the specific D-SRV to display related session details.

The following example shows the Data Server window from an enVision system MS4041M. For information on each of the fields, see the enVision Help.


Chapter 4: Viewing Incoming Events

- Incoming Events
- Event Viewer
- Display Incoming Events
- Graph Events by Event Type
- Graph Event Types by Time

Incoming Events

RSA enVision enables you to view the incoming events in real time. You can view the raw events in their entirety as collected from the event sources. The severity of the incoming events is identified by color and the severity levels are indicated by the message content.

Event Viewer

The Event Viewer is part of the Analysis module, which allows you to perform analysis on collected events. Using the Event Viewer, you can perform the following tasks:

- Display the incoming events in real time
- Graph the incoming events based on either the event type or event time
- Display historical data for a specified time frame


This example shows incoming events.


The following table describes the severity levels and the corresponding color coding.

Level   Color   Description
0, 1    Red     Emergency or panic conditions that should be corrected immediately.
2       Red     Critical conditions that should be looked at immediately.
3       Red     Error conditions.
4       Blue    Warning conditions.
5       Blue    Notification events. Events that are not error conditions, but may require special handling.
6       Grey    Informational events.
7       Grey    Debugging events.


Display Incoming Events

To display the incoming events in the Event Viewer:

1. Click Analysis > Event Viewer > Message View.
2. From the Site drop-down list, select the site.
3. From the Device Type drop-down list, select the device type.
4. From the Device drop-down list, select the event source.
5. From the Event types drop-down list, select the type of the event.
6. From the Timeframe drop-down list, select the time frame of event collection.
7. From the Time zone drop-down list, select the time zone.
8. To update the list of events, click Update now.

This example shows the events that RSA enVision collected from Cisco PIX Firewall over the past ten minutes.


Copy Events for Further Analysis

You can copy the events in the Event Viewer to a comma-separated .csv file to analyze them. Further analysis of events could assist:

- Administrators to create a new correlation rule to alert on a specific set of events in a specific time frame
- Report administrators to determine what data is available to include in reports

To copy events for analysis:

1. Click Analysis > Event Viewer > Message View.
2. Display the events of interest, as described in Display Incoming Events.
3. Click anywhere within the messages pane.
4. Depending on the events that you want to select, do one of the following:
   - To select all events, press CTRL+A.
   - To select a range of events, press SHIFT and click the first and the last events.
   - To select individual events, press CTRL and click individual events.
5. To copy the selected events, press CTRL+C.
6. Open the program into which you want to paste the events.
7. To paste the events, press CTRL+V.

Graph Events by Event Type

To graph events by event type:

1. Click Analysis > Event Viewer > Graph View > Events by Event Type.
2. From the Site drop-down list, select the site.
3. From the Device Type drop-down list, select the device type.
4. From the Device drop-down list, select the event source.
5. From the Event types drop-down list, select the type of the event.
6. From the Timeframe drop-down list, select the time frame of event collection.
7. From the Time zone drop-down list, select the time zone.
8. Click Update Now.


This example shows events collected from Cisco PIX Firewall over the past sixty minutes. Moving the cursor over the chart displays the event ID and the Y axis value in a pop-up window.

Graph Event Types by Time

To graph event types by time:

1. Click Analysis > Event Viewer > Graph View > Events Types by Time.
2. From the Site drop-down list, select the site.
3. From the Device Type drop-down list, select the device type.
4. From the Device drop-down list, select the event source.
5. From the Event types drop-down list, select the type of the event.
6. From the Timeframe drop-down list, select the time frame of event collection.
7. From the Time zone drop-down list, select the time zone.


8. To configure the graph options, select Display Advanced Graph Options, and do any of the following:
   - To set the graph to automatically update, select Update on selection change or Update every 5 minutes.
   - From the Graph Type drop-down list, select either Bar or Line to choose which type of graph to create.
   - From the Data Type drop-down list, select the data type.
   - From the Y Axis drop-down list, select the value to display on the Y axis.
   - From the X Axis drop-down list, select the value to display on the X axis. The default value is Auto, which displays the time interval of the events.
9. Click Update Now.

This example shows events collected from Cisco PIX Firewall for thirty minutes. Moving the cursor over the chart displays the event ID and the Y axis value in a pop-up window.
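The two Graph View procedures above, and the severity colour table under Event Viewer, all reduce to the same data step: parse each raw message for its severity and event type, filter by time frame, then count per event type or per time interval. The following Python is an added example (not code from the guide or from the RSA enVision product) that performs that step on constructed lines written in a Cisco PIX-style syslog layout; the ISO timestamp prefix, the host name fw1, and the message texts are constructed for the example, and the severity-to-colour mapping is the guide's table.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Severity levels and colours from the Event Viewer table in the guide.
SEVERITY_COLOR = {0: "red", 1: "red", 2: "red", 3: "red",
                  4: "blue", 5: "blue", 6: "grey", 7: "grey"}

# Constructed sample lines (not captured traffic): ISO timestamp, host,
# then %PIX-<severity>-<message id> as a PIX firewall would format it.
SAMPLE_LINES = [
    "2011-09-14T10:00:05 fw1 %PIX-6-302013: Built outbound TCP connection",
    "2011-09-14T10:01:10 fw1 %PIX-6-302014: Teardown TCP connection",
    "2011-09-14T10:02:30 fw1 %PIX-4-106023: Deny tcp src outside",
    "2011-09-14T10:06:00 fw1 %PIX-6-302013: Built outbound TCP connection",
    "2011-09-14T10:07:15 fw1 %PIX-2-106001: Inbound TCP connection denied",
    "2011-09-14T10:09:59 fw1 %PIX-4-106023: Deny tcp src outside",
    "this line is not a PIX message and must be skipped",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%PIX-(?P<sev>[0-7])-(?P<msg_id>\d+):"
)
EPOCH = datetime(1970, 1, 1)


def parse_event(line):
    """Return a dict for one PIX-style line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    severity = int(m["sev"])
    return {
        "time": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
        "device": m["host"],
        "event_type": "PIX-" + m["msg_id"],
        "severity": severity,
        "color": SEVERITY_COLOR[severity],   # colour the Message View would use
    }


def parse_events(lines):
    """Parse every line, dropping the ones that are not PIX messages."""
    return [e for e in map(parse_event, lines) if e is not None]


def in_timeframe(events, end, minutes):
    """Timeframe drop-down: keep the events in the `minutes` before `end`."""
    start = end - timedelta(minutes=minutes)
    return [e for e in events if start <= e["time"] <= end]


def events_by_event_type(events):
    """Graph View > Events by Event Type: one count per event type."""
    return Counter(e["event_type"] for e in events)


def event_types_by_time(events, interval_seconds):
    """Graph View > Event Types by Time with X axis = Auto: per interval,
    one count per event type. Keys are the interval start times."""
    buckets = defaultdict(Counter)
    for e in events:
        elapsed = int((e["time"] - EPOCH).total_seconds())
        start = EPOCH + timedelta(seconds=elapsed - elapsed % interval_seconds)
        buckets[start][e["event_type"]] += 1
    return dict(buckets)


if __name__ == "__main__":
    events = parse_events(SAMPLE_LINES)
    for e in events:
        print(e["time"], e["color"], e["event_type"])
    print(events_by_event_type(events))
    for start, counts in sorted(event_types_by_time(events, 300).items()):
        print(start, dict(counts))
```

Bucketing on seconds since the epoch keeps the interval edges fixed (every five minutes from a round time) regardless of when the first event arrived, which is what makes bars from two runs comparable; a malformed line is dropped rather than aborting the whole view, mirroring how a raw-event viewer has to tolerate noise in a syslog feed.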


Chapter 5: Monitoring Events and Alerts

- Events and Alerts
- Dashboard
- Dashboard Reports
- Design and Use Your Dashboard
- Dashboard Examples

Events and AlertsRSA enVision collects events that occur on monitored event sources. An event or set of events, such as a disk failure, an unexpected spike in network traffic, or the signature of a known threat, may warrant further investigation. Your enVision administrator configures enVision to recognize these specific events and issue real-time alerts. You can monitor events and alerts using the Dashboard.

Dashboard

The Dashboard opens when you log on to RSA enVision. The Dashboard shows the reports and graphs that you select, providing an immediate summary of events that you choose to monitor. You can customize your Dashboard in real-time to show the dashboard items (reports and graphs) of your choice. However, the enVision administrator selects the dashboard items from which you can select and sets up the parameters for the dashboard items.

This example shows the default Dashboard with user-selected dashboard items.

Dashboard Reports

The Dashboard has standard reports and graphs that display as Dashboard items. Standard reports and graphs for the Dashboard are available in the following categories:
- Alerts
- Antivirus
- E-mail
- Firewall
- Host
- IDS
- Network
- Proxy
- Task Triage
- VAM

For detailed information on the Dashboard standard reports, see the Help topic Dashboard Standard Reports. For detailed information on creating and modifying the Dashboard reports, see the Help topic Dashboard Reports.

Design and Use Your Dashboard

You can select the reports and graphs that display on your Dashboard. You can also select whether the reports will be displayed in a large version or a small version. The selections are saved as your default settings when you leave the window.

To design your dashboard:

1. Click Overview > Dashboard.
2. From the left pane of the Dashboard window, select the reports that you want to display.
   Note: The RSA enVision administrator assigns permission for you to view the reports that you need to monitor based on your role.
3. To set the size of the visual display, select either Large report view or Small report view.

Dashboard Examples

You can use the dashboard to review multiple dashboard items. This section includes some examples of Dashboards designed for different purposes. The following figure shows a default Dashboard that displays the following reports:
- Alerts - Top Categories
- Alerts - Trends
- Alerts - Weighted Average
- Alerts - Recent Alert

The following figure shows a Dashboard that is set up for the purpose of monitoring alerts, threats, and network traffic and displays the following reports:
- Alerts - Top Categories
- Alerts - Trends
- Alerts - Weighted Average
- Alerts - Recent Alerts
- IDS - Recent Threats
- Network - Bandwidth by Department
- Host - Top Failed Login Accounts

The following figure shows a Dashboard that is set up for the purpose of monitoring organizational threats and displays the following reports:
- IDS - Top Threats
- Network - Activity by Category
- Task Triage - Open Tasks by Priority
- VAM - Most Vulnerable Assets by Severity

6 Managing Alerts

Alert Management
Views and Collections
Monitoring Peak Status of Multiple Views Concurrently
Monitor Incoming Alerts

Alert Management

An alert is a notification that a specific event or set of events, as defined by the RSA enVision administrator, has occurred that requires further investigation. One of the following conditions can generate an alert:
- A single event, such as one reporting an asset malfunction
- A string within an event, such as content that matches a configured list of known spammers
- A specified combination of events within a given time frame, such as a series of logon attempts that suggest a possible denial-of-service attack

RSA enVision analyzes all incoming events and issues an alert immediately when a set of circumstances that an administrator has specified is met. The alert is reported in the enVision GUI and can be directed to other destinations, such as e-mail, instant message, or a text file stored on the local system. An alert can also be configured to automatically generate an incident-response task.

Views and Collections

RSA enVision manages alerting using views and collections. To monitor alerts in real time, you can use the following tools in the Alerts module:
- Use the Enterprise Dashboard window to monitor the peak status information of multiple views (called a Collection) concurrently from a single screen. For more information, see Monitoring Peak Status of Multiple Views Concurrently.
- Use the Real-Time Details window to monitor the alerts as they occur in real time for a single view. For more information, see Monitor Incoming Alerts.

Views

A view defines the event sources, events, correlated alerts, and user-defined criteria for which enVision issues alerts. An enVision administrator creates views and assigns users access to the views. Within a view, an administrator can set up filters and thresholds, such as a percentage increase of activity above the baseline, to rate the severity of the events and focus on those of highest priority. Views can also use watchlists, which filter events by string, IP address, port, protocol, or regular expressions. Views can include correlation rules for alerts. A correlation rule specifies a set of events within a time period and a set of conditions that will generate an alert. The correlation rule includes a message ID and message text for the alert.
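The correlation rule described above (a set of events within a time period, a condition, and an alert carrying a message ID and message text) can be illustrated with a small sliding-window correlator. This is an added example and not enVision code or its rule syntax: the events, the source addresses, the LOGON_FAIL/LOGON_OK message IDs, the threshold of five events in five minutes, and the alert message ID 900001 are all constructed for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events standing in for parsed log messages; sources,
# timestamps and message IDs are made up for this example.
SAMPLE_EVENTS = [
    {"time": "2014-09-03T10:00:00", "source": "10.1.1.5", "msg_id": "LOGON_FAIL"},
    {"time": "2014-09-03T10:00:10", "source": "10.1.1.9", "msg_id": "LOGON_FAIL"},
    {"time": "2014-09-03T10:00:30", "source": "10.1.1.5", "msg_id": "LOGON_FAIL"},
    {"time": "2014-09-03T10:01:00", "source": "10.1.1.5", "msg_id": "LOGON_FAIL"},
    {"time": "2014-09-03T10:01:15", "source": "10.1.1.5", "msg_id": "LOGON_OK"},
    {"time": "2014-09-03T10:01:30", "source": "10.1.1.5", "msg_id": "LOGON_FAIL"},
    {"time": "2014-09-03T10:02:00", "source": "10.1.1.5", "msg_id": "LOGON_FAIL"},
    {"time": "2014-09-03T10:20:00", "source": "10.1.1.9", "msg_id": "LOGON_FAIL"},
    {"time": "2014-09-03T10:40:00", "source": "10.1.1.9", "msg_id": "LOGON_FAIL"},
    {"time": "2014-09-03T11:00:00", "source": "10.1.1.9", "msg_id": "LOGON_FAIL"},
    {"time": "2014-09-03T11:20:00", "source": "10.1.1.9", "msg_id": "LOGON_FAIL"},
]

# Hypothetical rule in the shape the guide describes: trigger events, a time
# period, a condition (count threshold), and the alert's message ID and text.
RULE = {
    "trigger_msg_id": "LOGON_FAIL",
    "threshold": 5,
    "window": timedelta(minutes=5),
    "alert_msg_id": 900001,  # constructed alert message ID
    "alert_text": "{count} failed logons from {source} within 5 minutes",
}


def correlate(events, rule):
    """Sliding-window correlation keyed on the event source.

    Emits one alert per burst: when `threshold` trigger events from the same
    source fall inside `window`, an alert is produced and that source's window
    is cleared so the same burst is not reported again on every later event."""
    recent = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["msg_id"] != rule["trigger_msg_id"]:
            continue
        now = datetime.fromisoformat(ev["time"])
        window = recent[ev["source"]]
        window.append(now)
        # Drop events that fell out of the rule's time period.
        while now - window[0] > rule["window"]:
            window.popleft()
        if len(window) >= rule["threshold"]:
            alerts.append({
                "msg_id": rule["alert_msg_id"],
                "text": rule["alert_text"].format(count=len(window), source=ev["source"]),
                "time": ev["time"],
                "source": ev["source"],
            })
            window.clear()
    return alerts


def run_example():
    """Run the constructed rule over the constructed events."""
    return correlate(SAMPLE_EVENTS, RULE)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Source 10.1.1.5 produces five failures inside two minutes and triggers one alert; source 10.1.1.9 also produces five failures, but spread twenty minutes apart, so its window never holds more than one event and no alert is raised. Clearing the window after an alert is the design choice that keeps a single burst from generating an alert on every subsequent event.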

Collections

A collection is an aggregation of view data that can contain information from multiple sites. A collection can include other collections. A collection must contain at least one item, a view or another collection. The collection inherits the status of the highest peak alert severity status of all the views contained in the collection or collections that roll up into that collection. A view can be assigned only to a single collection. Each collection has attributes, such as collection name, description, and the collection map that is used in map mode.

Monitoring Peak Status of Multiple Views Concurrently

You can monitor the peak status of a collection of views using the Enterprise Dashboard in the Alerts module. Peak status is the highest severity level of the alerts in the alert category, based on the current alert synchronization.

Enterprise Dashboard

The Enterprise Dashboard allows you to monitor the peak status information of multiple views at the same time and quickly drill down into a view to display detailed information. You can use the Enterprise Dashboard to:
- View a map-based report
- View the hierarchy and statuses of views and collections
- View the high-level information as well as detailed information within the Enterprise Dashboard
- Drill down using the Real-Time Detail tool in the Alerts module to display detailed information about the current view
- View detailed alert status information for any item

You have access to the views depending on the permission that the enVision administrator sets for each view. If you display a collection containing a view to which you do not have access, no information about that view is visible. The alert severity status for that collection is calculated as if the restricted view did not exist.

Enterprise Dashboard Modes

The Enterprise Dashboard window has two modes:
- Map mode. Displays alert information for each collection on a background image or geographical map.
- List mode. Displays the alert details for all collections and views in a list format to allow for more details about the alert status to be displayed. Each collection or view is displayed in its own row.

The following figures show the Enterprise Dashboard in Map mode and List mode.

Collection and View Icons in Enterprise Dashboard

Collections and views are represented by device class icons on the Enterprise Dashboard. The following table describes the icons (the icon images are not reproduced here).

Device Class    Collection    View
Host            [icon]        [icon]
Network         [icon]        [icon]
Security        [icon]        [icon]
Storage         [icon]        [icon]

The icons change color as the alert status of the collection and view changes. The status indicates the peak security level of any of the event sources represented by the icon. The following table defines the severity level of the icon colors.

Color     Severity Level
Green     Low
Blue      Guarded
Yellow    Elevated
Orange    High
Red       Severe
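The roll-up rules stated in the Collections section (a collection inherits the highest peak severity of everything nested under it, must contain at least one item, and holds each view only once), the permission rule from the Enterprise Dashboard section (a view the user cannot access is treated as if it did not exist), and the color table above can be combined into one small model. This is an added example, not enVision's implementation: the hierarchy, the view names (Compliance, Data Center, Perimeter, Data Center Observance) and the per-view peak severities are constructed, and West Coast Operations is borrowed only as a name from the guide's figure captions.

```python
# Severity levels and icon colors as given in the guide's table, lowest first.
SEVERITY_ORDER = ["Low", "Guarded", "Elevated", "High", "Severe"]
SEVERITY_COLOR = {"Low": "Green", "Guarded": "Blue", "Elevated": "Yellow",
                  "High": "Orange", "Severe": "Red"}


def view(name, peak):
    """A view with its current peak alert severity (constructed input)."""
    return {"kind": "view", "name": name, "peak": peak}


def collection(name, items):
    """A collection of views and/or other collections."""
    return {"kind": "collection", "name": name, "items": items}


# Constructed hierarchy; names and severities are made up for this example.
WEST_COAST = collection("West Coast Operations", [
    view("Compliance", "Guarded"),
    collection("Data Center", [
        view("Data Center Observance", "Severe"),
        view("Perimeter", "Elevated"),
    ]),
])


def validate(item, seen=None):
    """Enforce the guide's structural rules: every collection holds at least
    one item, and a view is assigned to only one collection. Returns the set
    of view names found."""
    seen = set() if seen is None else seen
    if item["kind"] == "view":
        if item["name"] in seen:
            raise ValueError(f"view {item['name']!r} assigned to more than one collection")
        seen.add(item["name"])
        return seen
    if not item["items"]:
        raise ValueError(f"collection {item['name']!r} contains no items")
    for child in item["items"]:
        validate(child, seen)
    return seen


def peak_status(item, allowed_views):
    """Peak severity of a view or nested collection as one user sees it.

    Views outside `allowed_views` contribute nothing, so the collection's
    status is computed as if the restricted view did not exist. Returns None
    when no accessible view remains under the item."""
    if item["kind"] == "view":
        return item["peak"] if item["name"] in allowed_views else None
    peaks = []
    for child in item["items"]:
        child_peak = peak_status(child, allowed_views)
        if child_peak is not None:
            peaks.append(child_peak)
    if not peaks:
        return None
    return max(peaks, key=SEVERITY_ORDER.index)


def icon_color(item, allowed_views):
    """Map the inherited peak severity to the icon color from the table."""
    peak = peak_status(item, allowed_views)
    return None if peak is None else SEVERITY_COLOR[peak]


if __name__ == "__main__":
    validate(WEST_COAST)
    everyone = {"Compliance", "Data Center Observance", "Perimeter"}
    restricted = {"Compliance", "Perimeter"}
    print(peak_status(WEST_COAST, everyone), icon_color(WEST_COAST, everyone))
    print(peak_status(WEST_COAST, restricted), icon_color(WEST_COAST, restricted))
```

With access to every view the top-level collection shows Severe (Red); for a user who cannot see Data Center Observance the same collection shows Elevated (Yellow), which is why two analysts can look at the same map and see different colors. The validation step is the check a practitioner wants before trusting the roll-up: an empty collection or a view placed in two collections would otherwise silently produce a misleading status.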

Monitor Peak Severity Using Map Mode

Note: If the defined starting point collection for the site to which you are logged on does not have an assigned map, or the specified map cannot be found, the Enterprise Dashboard window opens in List mode.

To monitor peak severity using a map:

1. Click Alerts > Enterprise Dashboard.
   This example shows the status of the West Coast Operations collection in Map mode.
2. Click on a collection icon on the map to display the secondary collections or views that make up the collection. Click on a view icon on the map to display the Real-Time Details window for the view.

For more information on using Map mode, see the Help topic Monitor Alerts Using Map Mode on Enterprise Dashboard.

Monitor Peak Severity Using a List

To monitor peak severity using a list:

1. Click Alerts > Enterprise Dashboard.
2. Click the List Mode icon in the tool bar. The Enterprise Dashboard is displayed in List mode.
   This example shows the West Coast Operations collection in List mode.
3. To display information about a collection, click on the collection icon in the All Collections and Views area.
4. Click on a collection row to display the secondary collections and views in List mode.
5. Click on a view row to display the Real-Time Details window for the view.

For more information on using list mode, see the Help topic Use List Mode on Enterprise Dashboard.

Toggle Between Modes

To toggle between modes, do one of the following:
- From the Map Mode display, click the List Mode icon to toggle to the List Mode display.
- From the List Mode display, click the Map Mode icon to toggle to the Map Mode display.

Monitor Incoming Alerts

You can monitor the incoming alerts in a single view on the Real-Time Detail window.

To monitor incoming alerts:

1. Click Alerts > Real-Time Detail.
2. From the left pane of the Real-Time Detail window, select the view.
3. From the Show drop-down list, select the type of alerts to display. RSA enVision displays the status of the NIC Global Alerts categories, the status of each of the alert levels, and the status of the selected alert category.
4. To display the resolved name in the Top Source and Top Destination drop-down lists, select Resolve IP Addresses.
5. To sort the alert details, click a column heading. RSA enVision continues to sort alerts in this order until you close the Real-Time Detail window.

This example shows the real-time details of the Compliance view.

Monitor Alerts in the Database

You can access alerts from the database on the Alert History window. Each row on the window displays information on one alert.

To access alerts in the database:

1. Click Alerts > Alert History.
2. From the left pane of the Alert History window, select the view. RSA enVision displays the list of alerts available in the system. Each row on the window displays information on one alert.
   This example shows the alerts in the database for the view Data Center Observance.

You can modify the display of the Alert History window from the Set Up Alert History option on the Alert Configuration pane. For more information, see the Help topic Set Up Alert History Tool Display Options.

Review Alert Details

You can review the details of an alert using the Alert Details window. The window provides details such as the alert status, the vendor's suggested resolution action, and your organization's suggested resolution action. You can add notes to an alert and change the status. For example, you might note information regarding how you are investigating an alert or how you resolved an alert. You can add as many notes as you need to each alert. Each time you add a note to the alert, the system adds it to the scrolling list on the window. Notes on an alert are only available while the alert is visible in the Real-Time Details tool. After the associated alert has been resolved, you can no longer access the note.

To review alert details:

1. Click Alerts > Alert History.
2. From the left pane of the Alert History window, select the view. RSA enVision displays the list of alerts available in the system. Each row on the window displays information on one alert.
   This example shows the alerts in the database for the view Data Center Observance. Clicking a message displays the alert details.
3. In the Message column, click the corresponding message. The Alert Detail window opens.

4. In the New note field, enter the notes for this alert, including the reason for a change of status or the status of the investigation.
   This example shows the details of the alert selected from the message column in the Alert History window.

7 Accessing Historical Data

Historical Data
Tools for Accessing Data
Query
Reports

Historical Data

RSA enVision analyzes the events and stores the original events along with the descriptive metadata for those events in the RSA enVision Internet Protocol Database (IPDB). The IPDB secures the data from tampering and protects the data with access authentication. As a result, enVision provides a complete and verifiable repository of IT information. RSA enVision creates temporary database tables as needed to generate reports and queries. The tables exist only for the time required to create the report.

Tools for Accessing Data

The following table lists the tools that you can use to access historical data in RSA enVision.

Tool: Event Viewer
Purpose: Use the Event Viewer to graph historical data and drill down into the details. You can also display incidents as they occur in real time in a stream or represent the data in graphs. For more information, see Event Viewer.

Tool: Query
Purpose: Use a query to quickly access specific information from the database. You can use a query to perform research or analysis, to fine-tune a report definition, or to quickly look up information. For more information, see Query.

Tool: Reports
Purpose: Use reports to access large amounts of data for analysis and compliance reporting. You can use these reports to:
- Audit security and compliance policies
- Allocate system usage back-charges
- Track employee network usage
For more information, see Reports.

Query

You can use a query to retrieve and examine any data collected by RSA enVision. You can use queries in forensic analysis, for example, to drill quickly into an alert or other condition discovered in RSA enVision Event Explorer or to audit a past event. Queries use temporary database tables created from the data stored in the IPDB. Because they retrieve smaller amounts of data, queries execute faster than reports. Queries return data only in tabular form. Queries run on an ad hoc basis. Only you can view and save your queries. Query results can be based on IP addresses, dates and times, event message types, and other criteria.

Queries use SQL syntax to construct statements for accessing database tables for conditions and events including:
- General traffic flows and events that were allowed
- Accesses that were denied or prevented from happening based on policy
- Status and health parameters
- URL information indicating where users have visited

A simple query is a single logical statement (a single row in the Edit query table). A complex query consists of multiple statements (multiple rows in the Edit query table) logically joined using AND or OR. Multiple statements can narrow a query or extract a more accurate set of results for given criteria.

You can compose simple or complex queries:

You can run a newly created query or a query saved from a previous session. When you run a query, you can save the results to a .csv file so that you can import the results to other applications, such as Microsoft Excel.

The following figure shows the Create New Query window (figure callouts: Edit query, Select device group, Select time range, Run the query).

Create a Query

To create a query:

1. Click Analysis > Query > Create New Query.
2. Enter the query criteria.
   This example shows a query requesting data on NIC performance for message IDs 260000 and 500022, for severity levels 3 and 7.
3. Click Save.
4. In the Saved query file name field, enter the name for the query.
5. Click Apply.
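The Query section describes a query as rows of the Edit query table, each a single logical statement, joined with AND or OR and rendered as SQL; the example in step 2 above asks for message IDs 260000 and 500022 at severity levels 3 and 7. The following added example models that table as a list of rows and turns it into a parameterised SQL WHERE clause run against an in-memory SQLite table. It is not enVision's query engine or schema: the column names (event_time, device_address, message_id, severity), the allow-lists, and the sample rows are constructed for the illustration. It also narrows the guide's example by a time range, which is the fix the troubleshooting appendix recommends for queries that take too long.

```python
import sqlite3

# Columns a query row may filter on and the comparison operators it may use.
# This allow-list is an assumption of the example, not enVision's own schema.
ALLOWED_FIELDS = {"event_time", "device_address", "message_id", "severity"}
ALLOWED_OPS = {"=", "<>", "<", "<=", ">", ">=", "LIKE", "IN"}

# Constructed sample rows standing in for the temporary table enVision builds
# from the IPDB; addresses, IDs, severities and text are made up.
SAMPLE_EVENTS = [
    ("2014-09-03 09:58:00", "10.1.1.5", 260000, 3, "constructed text"),
    ("2014-09-03 10:01:00", "10.1.1.5", 500022, 7, "constructed text"),
    ("2014-09-03 10:02:00", "10.1.1.6", 260000, 5, "constructed text"),
    ("2014-09-03 10:03:00", "10.1.1.6", 123456, 7, "constructed text"),
    ("2014-09-03 11:30:00", "10.1.1.5", 500022, 3, "constructed text"),
]


def build_where(rows):
    """Turn Edit-query-style rows into a parameterised WHERE clause.

    Each row is one logical statement; every row after the first carries the
    AND/OR that joins it to the statement before it. Each statement is
    parenthesised so AND/OR precedence is explicit, and every value is bound
    through a placeholder rather than concatenated into the SQL text."""
    parts, params = [], []
    for i, row in enumerate(rows):
        field, op, value = row["field"], row["op"].upper(), row["value"]
        if field not in ALLOWED_FIELDS or op not in ALLOWED_OPS:
            raise ValueError(f"unsupported statement: {field} {op}")
        if op == "IN":
            values = list(value)
            if not values:
                raise ValueError("IN needs at least one value")
            fragment = f"{field} IN ({', '.join('?' * len(values))})"
            params.extend(values)
        else:
            fragment = f"{field} {op} ?"
            params.append(value)
        if i:
            join = row.get("join", "AND").upper()
            if join not in ("AND", "OR"):
                raise ValueError(f"unsupported join: {join}")
            parts.append(join)
        parts.append(f"({fragment})")
    return " ".join(parts), params


def load_sample(conn):
    """Create the constructed events table in an in-memory database."""
    conn.execute(
        "CREATE TABLE events (event_time TEXT, device_address TEXT, "
        "message_id INTEGER, severity INTEGER, text TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?)", SAMPLE_EVENTS)


def run_query(conn, rows):
    """Build the WHERE clause from the rows and return the matching records."""
    where, params = build_where(rows)
    sql = ("SELECT event_time, device_address, message_id, severity "
           f"FROM events WHERE {where} ORDER BY event_time")
    return conn.execute(sql, params).fetchall()


def example_query():
    """The guide's example (message IDs 260000 and 500022, severities 3 and 7),
    narrowed to a one-hour time range."""
    conn = sqlite3.connect(":memory:")
    load_sample(conn)
    rows = [
        {"field": "message_id", "op": "IN", "value": [260000, 500022]},
        {"join": "AND", "field": "severity", "op": "IN", "value": [3, 7]},
        {"join": "AND", "field": "event_time", "op": ">=", "value": "2014-09-03 10:00:00"},
        {"join": "AND", "field": "event_time", "op": "<", "value": "2014-09-03 11:00:00"},
    ]
    return run_query(conn, rows)


if __name__ == "__main__":
    for record in example_query():
        print(record)
```

Of the five constructed rows only one survives all four statements: two fall outside the time range, one has a severity not in the list, and one has an unrelated message ID. Using IN for the lists keeps the AND/OR structure flat; writing the same filter as a chain of OR statements would need grouping to avoid SQL's AND-before-OR precedence. Binding values through placeholders, together with the field and operator allow-lists, is what stops user-typed criteria from changing the statement itself.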

Run a Saved Query

To run a saved query:

1. Click Analysis > Query > Saved Queries.
2. Click the query that you want to run.
3. Click Run. RSA enVision finds the records that match the saved query filter information and displays the information.
   This example shows the results of running the query.

Note: You can modify the filter information of the saved query and run the query.

Reports

The Reports module provides standard network and traffic analysis reports and graphs. You can copy and modify these reports, or create your own custom reports to meet specific reporting needs. You can run the reports immediately or schedule them to run at specific times.

Standard Reports

RSA enVision provides over 1,200 standard reports. The following table shows the available report categories.

Report Category: Archer
Report Contents: Control procedure reports for event sources such as Check Point Firewall-1, SharePoint Server, Oracle WebLogic, and VMware.

Report Category: Compliance
Report Contents: Security statistics and data for a variety of regulations, including Sarbanes-Oxley and Gramm-Leach-Bliley.

Report Category: Correlated alerts
Report Contents: Statistics for correlated alerts and for multiple event sources. Correlated alerts reports provide statistics and data on event combinations. Multiple event source reports contain statistics and data for multiple event sources from the same IP address.

Report Category: Host
Report Contents: Statistics and data for application servers, load balancers, mail servers, mainframes, midrange systems, UNIX systems, web logs, and Windows hosts.

Report Category: Insider Threat Mitigation
Report Contents: Standard system reports for insider threats. Insider threat mitigation reports include UNIX, database reports and Windows reports.

Report Category: Network
Report Contents: Configuration management and traffic analysis statistics and data for routers, switches, systems, and wireless event sources.

Report Category: Security
Report Contents: Network security statistics and data for access control systems, antivirus deployments, firewalls, intrusion detection systems, intrusion prevention systems, physical security controllers, and virtual private network systems.

Report Category: Storage
Report Contents: Statistics for storage and database systems.

Report Category: Task Triage
Report Contents: Statistics and data drawn from incident open and closure rate, status of open incidents across the enterprise, and average time to acknowledge and time to close incidents.

Report Category: VAM (Vulnerabilities and Asset Management)
Report Contents: Statistics for vulnerability occurrence, vulnerability severity, and business rank and importance for the most vulnerable assets in the enterprise.

Run an Ad Hoc Report

You can run a report using the Ad Hoc Reports tool in the Reports tab that provides access to all the standard and custom reports. You can run a standard or custom report whenever necessary. This section provides basic steps for running reports. For detailed steps and explanations of report parameters, see the Help.

To run an Ad Hoc report:

1. Click Reports > Ad Hoc Reports, and expand the report types to see the available reports.
   The example shows the Compliance > HIPAA reports menu.

Note: The options that appear in the navigation panel may differ depending on user permission settings.

2. Select a report, and click Run.
   This example shows selecting the HIPAA - Access Authorization report.
   RSA enVision displays the completed report in a separate browser window.

Schedule a Report

You can schedule a report to run at a specified time and at recurring intervals, only if the RSA enVision administrator has granted you permission to perform this operation. You can schedule reports to, and access reports from, only those folders that are available to the groups to which you belong. You can only use device groups to which you or the groups you belong to have been given access. You can also schedule the deletion or archival of multiple report folders and manage the processing status through the Schedule Report Delete/Archive and Manage Report Delete/Archive options in the Report Configuration panel. For more information, see the Help.

To schedule a report:

1. Click Reports > Reports Configuration > Schedule Report.
2. Schedule a standard report as follows:
   a. In the Task name field, enter a unique task name.
   b. From the Report name pop-up window, select the report that you want to schedule.
   c. From the Folder name pop-up window, select the output folder for the report.
   d. (Optional) Set any other runtime parameters.

   e. Click Set Recurrence.
   This example shows setting the report Alerts Under Investigation by View to run as the task AlertsByView and to be output to the Default folder name.
3. Set when and how often a recurring report should run. Click Apply.
   The example shows setting the report to run every day at 7:00 p.m.

4. Click Apply to save the settings.

5. Click Manage Scheduled Reports to display the list of reports scheduled to run.

Display Generated Scheduled Reports

An RSA enVision administrator can give you permission to view generated reports without giving you permission to schedule reports. If the Display Options Save results as a PDF file or Save results as a CSV file were selected at runtime, you can export the displayed results of a scheduled report to a PDF or to a comma-separated (.csv) file, which you can export to other applications such as Microsoft Excel.

To display a generated scheduled report:

1. Click Reports > Scheduled Reports.
2. If the system has multiple report folders, click the name of the folder containing the report that you want to view.
3. In the calendar, click the date to see available reports for that date. RSA enVision stores reports in the month corresponding to the data contained in the report and not the date on which the report ran.

4. Click the report that you want to view. RSA enVision displays the report.

A Troubleshooting

Logon Issues
Event Viewer Issues
Dashboard Issues
Real-Time Details and History Issues
Query Issues
Report Issues

Logon Issues

Problem: Cannot log on to RSA enVision
Resolution: If the message is Invalid User/Password pair, ensure that you entered the correct user name and password. The values are case sensitive. Ensure that the Caps Lock button has not been engaged. This message may appear when you log on for the first time after you upgrade to RSA enVision 4.1 from an earlier version. Contact your enVision administrator for assistance. If the message is The login is disabled for this user, contact your enVision administrator to ensure that your user ID is enabled.

Problem: Forgot your user ID or password
Resolution: Contact your enVision administrator.

Event Viewer Issues

Problem: Unexpected event source listed in the Device drop-down list
Resolution: The Device drop-down list contains all event sources for which RSA enVision has data and for which you have access and viewing rights. Some event sources may not have been selected for monitoring in enVision. Contact your enVision administrator for more information.

Problem: RC site not available in Site drop-down list (Message View)
Resolution: Select the site to which the RC forwards the data. The RC collects the data and forwards the data to another site for storage. For more information, contact your enVision administrator.

Problem: Out of Memory (Message View)
Resolution: The events used for the Message View window are stored in memory. If you select a high value in the Number of buffered events field, Internet Explorer may run out of memory. If this occurs, click OK in the Internet Explorer Out of Memory message pop-up window and select a lower value for the Number of buffered events field on the Message View window.

Dashboard Issues

Problem: Enterprise Dashboard displays List mode by default
Resolution: Either the map has not been assigned to the collection or the specified map image for the site cannot be found. Contact your enVision administrator.

Problem: Icon for a view is displayed as [icon not reproduced]
Resolution: RSA enVision cannot retrieve the information from the A-SRV. Contact your enVision administrator.

Problem: Icon for a collection is displayed as [icon not reproduced]
Resolution: RSA enVision cannot retrieve information from the A-SRV for one or more views in the collection. Contact your enVision administrator.

Real-Time Details and History Issues

Problem: Alerts are no longer displayed on the Real-time Detail tool or the History tool, but are displayed in Query results (for the Alerts table)
Resolution: Periodically, RSA enVision resynchronizes the alerts in the event database so that only the more recent alerts display on the Real-time Detail and History windows. If Alerts do not get displayed because of this resynchronization, the issue can be resolved by configuring the timeframe with which the Alert History works, in the Set Up Alert History window. For more information on alert synchronization, see the enVision Help. Contact your enVision administrator for information on the alert synchronization maximum for the NIC Alerter Service.

Problem: Alert indicator and severity levels are not correct
Resolution: Click the recalculate icon. RSA enVision recalculates the severity levels and sets the alert indicators back to green.

Query Issues

Problem: Query takes too long to complete
Resolution: A query that retrieves a large number of rows can be very costly in terms of processing time and disk space. If you do not define any specific filter information, a query displays all records in the selected table. Consider restricting your query using the filtering capabilities. For example, specify a range or list of message IDs, or specify a particular event source. You may also want to consider specifying a time range.

Problem: Need to distinguish between two event sources that are the same type
Resolution: Use the device address, or create and use a device group for the required device if you are monitoring multiple event sources of the same type, for example, if you want to distinguish between Cyberguard Firewall and Cisco PIX firewall.

Problem: Resolve IP addresses is selected, however query does not show DNS resolved names
Resolution: The RSA enVision administrator must select Resolve Hostname on the Set Up DNS Resolver Service window in order to resolve hostnames.

Report Issues

Problem: Report doesn't contain any data (messages)
Resolution: Ensure that you are using the correct database table. For information on selecting database tables, see the Help topic When to Use Each Database Table. Ensure that the report specifies the correct time frame. Ensure that the SQL where clause for the report includes the messages that you are expecting.

Problem: Create New Report option does not display in the menu
Resolution: You do not have permission to create a report. Contact your enVision administrator.

Glossary

A-SRV: See Application Server.

ad hoc report: An unscheduled report that runs immediately.

ADB: See Asset Database.

administrator: A user responsible for setting up and maintaining the RSA enVision platform. An administrator has access to all enVision functions.

alert: An indication that an event, or a sequence of events, requires further investigation. The enVision platform sends alerts based on messages received under a configured set of circumstances such as filters. The administrator defines alerts for each view.

Alert History tool: The RSA enVision tool that is used to display alerts from the events database.

Alerts module: The RSA enVision module that provides tools to monitor, display, and configure alerts.

Analysis module: The RSA enVision module that provides tools to view, query, and analyze collected data.

appliance: The hardware on which RSA enVision software is deployed. See single appliance site and multiple appliance site.

Application Server (A-SRV): The appliance or component of the RSA enVision platform that supports interactive users and runs the suite of enVision analysis tools. In a single appliance site, the Application Server (A-SRV) is a component of the enVision system. In a multiple appliance site, the A-SRV is installed on its own appliance. See single appliance site and multiple appliance site.

asset: A system, such as a host, software system, workstation, or device, that is within a network and makes up the enterprise environment.

Asset Database (ADB): A unified view of assets created by merging data from supported vulnerability assessment (VA) tools and imported asset information in the asset tracking tools. The ADB provides security managers with insight into their operations.

attribute category: A group of categories defined by the RSA enVision platform for device and asset attributes. The nine categories are properties, location, organization, owner, physical, function, importance, vulnerability, and zone. Users can define custom categories.

bind report: A group of reports that can be scheduled to run as a single report.

collection: The process of collecting, analyzing, and storing logs from event sources. The RSA enVision platform stores the logs, with descriptive metadata, in the LogSmart Internet Protocol Database (IPDB).

Collector: The appliance or component of the RSA enVision platform that captures incoming events. In a single appliance site, the Collector is a component of the enVision system. In a multiple appliance site, the Collector is installed on its own appliance.

Common Storage Directory (CSD): A single directory that contains the configuration and statistical information for data collected on a site. The Common Storage Directory (CSD) can be located on a single appliance site, on the Database Server of a multiple appliance site, or on the Remote Collector of a distributed system.

computer name: See node.

confidence level filtering: A filter defined by the administrator to determine if a supported intrusion detection system (IDS) or an intrusion prevention system (IPS) can be trusted for its truthfulness and applicability. The confidence level detects if a message from an IDS or an IPS should be considered an alert.

Configuration database (nic.db): A repository that stores a user's configuration settings such as user information, permissions, and views.

correlation: A relationship between a set of events and a set of specific conditions.

D-SRV: See Database Server.

Database Server (D-SRV): The appliance or component of the RSA enVision platform that manages access and retrieval of captured events. In a single appliance site, the Database Server (D-SRV) is a component of the enVision system. In a multiple appliance site, the D-SRV is installed on its own appliance. See single appliance site and multiple appliance site.

device: See event source.

device class: Identifies the classification of the event source. A device class provides a framework for organizing event sources by their general function.


device type (dtype)
    An assigned internal name for an event source that is used by RSA enVision tools and utilities. The dtype value is displayed in the enVision interface, reports, and queries.

EA
    See Enhanced Availability.

Enhanced Availability (EA)
    A site with Enhanced Availability (EA) is a multiple appliance site where the Local Collector (LC) functionality runs on Cluster Appliances (CAs).

EPS
    See events per second.

event category
    A system-defined or administrator-defined group of messages for alerting and reporting that is assigned across device classes.

Event Explorer
    The RSA enVision module that provides advanced tools for analysis of real-time and historical data. These tools allow users to sift through logged data and apply security forensics.

event source
    An asset such as a physical device, software, or appliance that produces a message (log) and is configured to send the log to the RSA enVision platform. Event sources include firewalls, VPNs, antivirus software, operating systems, security platforms, routers, and switches.

events per second (EPS)
    Events captured per second by the RSA enVision platform.

incident escalation
    See task escalation.

incident management
    See task triage.

IPDB
    See LogSmart IPDB.

LC
    See Local Collector.

Local Collector (LC)
    A component of an RSA enVision multiple appliance site that captures incoming events. A multiple appliance site can have up to three Local Collectors (LCs). See multiple appliance site.

LogSmart IPDB
    The LogSmart Internet Protocol Database (IPDB) stores internet protocol-based information, storing each source element in a separate container. Each log data message is identified by the IP address of the event source from which the message originated. The LogSmart IPDB maps this IP address to the originating event source and determines the format of the incoming message. The log message is the metadata that describes the event.


message category
    A group of messages. Message categories are hierarchical, consisting of up to five levels: a NIC category, an alert category, and up to three levels of event category.

message variable
    Defines a type of data that is extracted from message payloads. Message variables are useful when analyzing and reporting on data.

monitored device
    A supported event source that has been configured to send event messages to the RSA enVision platform. The enVision platform collects and stores events from monitored devices.

multiple appliance site
    An RSA enVision site in which each enVision component (Application, Collector, and Database) is on its own appliance.

NIC
    The acronym used to label many essential RSA enVision components, services, and tools.

NIC database
    See Configuration database (nic.db).

NIC domain
    A group of multiple appliance sites that constitute an organization's entire deployment of the RSA enVision platform. One site acts as the NIC domain master site.

NIC message ID
    A number that identifies a message. This number may or may not be the same as the vendor message ID.

NIC System device
    Generates event messages that indicate the health and activity of the RSA enVision platform, such as disk space usage, current EPS, data retrieval statistics, and user activity messages.

NIC_View
    Allows users to monitor the health of the RSA enVision system. The NIC_View alerts users to problems within the enVision software environment.

node
    An appliance in an RSA enVision site.

output action
    A configured notification method for alerts. The primary output actions are SMTP, SNMP, SNPP, Instant Messenger, syslog, run a command, text file, and task triage.

Overview module
    The RSA enVision module that provides tools to configure the enVision platform and monitor system health and performance.

RC
    See Remote Collector.


Remote Collector (RC)
    An optional component of an RSA enVision multiple appliance site that captures incoming events at a remote location. A Remote Collector (RC) runs on its own appliance. Up to 16 RCs can be associated with a site.

Reports module
    The RSA enVision module that provides tools to run standard network security and traffic analysis reports, or to create and run custom reports.

single appliance site
    An RSA enVision site in which all enVision components (Application, Collector, and Database) are on one appliance.

site
    The basis on which the RSA enVision platform is deployed. Each site consists of three main components: Application Server, Collector, and Database Server.

site name
    The name of the site, defined during the configuration of the RSA enVision platform.

standard report
    A report supplied with the RSA enVision platform for compliance, correlated alerts, event sources, task triage, and vulnerability and asset management.

task escalation
    A function that allows users to send tasks to an external application, such as a ticketing system, for offline investigation.

task triage
    A feature that allows users to group events into tasks for the purpose of investigation. Tasks can be further analyzed in the RSA enVision Event Explorer module, escalated to an external ticketing system, or both.

trace view
    A set of parameters that define the information that is displayed in the form of tables and charts. The two forms of trace views are standard and advanced trace views.

UDC
    See Universal Device Collection.

Universal Device Collection (UDC)
    Allows the RSA enVision platform to collect log data from any event source that logs through SNMP, ODBC, or File Reader.

VAM
    See vulnerability and asset management.

VDB
    See Vulnerability Knowledge Database.

view
    An administrator-defined set of event sources, messages, correlation rules, and criteria, within a single site, for which the RSA enVision platform issues alerts.


vulnerability and asset management
    A feature that provides unified management of assets and vulnerability incident analysis.

Vulnerability Knowledge Database (VDB)
    An embedded repository of vulnerability information derived from the National Vulnerability Database (NVD).

watchlist
    A named collection of strings that represent a list of like values. A watchlist can easily function as a filter for events in reporting and alerting.


Index

A
alerts
    accessing in database, 44
    Alert History tool, 44-46
    described, 35
    history, 44
    in Enterprise Dashboard, 37
    managing alerts, 35
    monitoring incoming alerts, 42-43
    Real-Time Details, 42
    reviewing details, 44-46
    severity levels, 42-43
    status, changing, 45-46
    troubleshooting, 63

C
changing your password, 13-14
collections
    described, 36
    icons, 39
Customer Support, 6

D
Dashboard
    customizing, 31
    described, 29
    designing, 31
    examples, 32-34
    report categories, 30
    troubleshooting, 62

E
Enterprise Dashboard tool
    described, 37
    icons, 39
    list mode, 41
    map mode, 40
    toggling between modes, 42
EPS. See events per second
Event Viewer tool
    described, 21
    severity levels, 23
    troubleshooting, 62
events per second (EPS)
    Collector EPS rates, 15
    described, 15
    limits, 15
    monitoring rates, 17
    peak, 16
events. See incoming events

G
graphing events
    by time, 26
    by type, 25

H
help desk, 6
historical data
    accessing, 47
    alerts, 44
    described, 47
    queries, 48-51
    reports, 52-60
    tools, 47

I
incoming events
    copying, 25
    described, 21
    displaying, 24
    graphing by time, 26
    graphing by type, 25
    severity levels, 23
Internet Protocol Database (IPDB), 47
IPDB. See Internet Protocol Database
issues, 61

L
log off, 11
log on, 10
logon issues, 61

M
modifying user information, 13-14
monitoring
    EPS rates, 17
    incoming alerts, 42-43
    incoming events, 24
    peak severity, 40-41
    peak status, 42

P
passwords, changing, 13-14
peak status
    described, 37
    of a collection, 37
    of a view, 42

Q
queries
    creating, 50
    described, 48-49
    running, 51
    troubleshooting, 63
Query tool
    described, 48-49
    troubleshooting, 63

R
Real-Time Details
    described, 42
    severity levels, 42-43
    troubleshooting, 63
real-time events, 24
reports
    ad hoc, 53-55
    categories, 52
    described, 52
    displaying, 59-60
    running, 53-55
    scheduled, 59-60
    scheduling, 56
    standard reports, 52
    troubleshooting, 64
    unscheduled, 53-55
    viewing, 59-60
Reports tool
    described, 52
    troubleshooting, 64

S
severity levels
    icons, 39
    in Enterprise Dashboard, 39
    in Event Viewer, 23
    Real-Time Alert Details, 42-43
support, technical, 6
System Performance tool, 15

T
technical support, 6
troubleshooting, 61

U
user tasks, 9-10
users
    changing passwords, 13-14
    described, 9
    modifying information, 13-14
    tasks, 9-10

V
views
    described, 36
    icons, 39
