About Network Threat Protection reports and logs

Article:TECH95542  |  Created: 2009-01-14  |  Updated: 2010-01-07  |  Article URL http://www.symantec.com/docs/TECH95542
Article Type
Technical Solution


Issue

Solution

About the information in the Network Threat Protection reports and logs

    Network Threat Protection logs allow you to track a computer's activity and its interaction with other computers and networks. They record information about the traffic that tries to enter or exit the computers through their network connections.

    Network Threat Protection logs contain details about attacks on the firewall, such as the following information:
    • Denial-of-service attacks
    • Port scans
    • Changes that were made to executable files

    Network Threat Protection logs also collect information about intrusion prevention, about the connections that were made through the firewall (traffic), and about the registry keys, files, and DLLs that were accessed. They record the data packets that pass through the computers, as well as operational changes made to computers, such as when services start and stop or when someone configures software. Other information that may be available includes the time, the event type, and the action taken; the direction, host name, IP address, and protocol of the traffic involved; and, where it applies to the event, the severity level.

    The table below describes some typical uses for the kind of information that you can get from Network Threat Protection reports and logs.

    Report or log: Typical uses

    Top Targets Attacked: Use this report to identify which groups, subnets, computers, or ports are attacked most frequently. You may want to take some action based on this report. For example, you might find that the clients that attach through a VPN are attacked much more frequently. You might want to group those computers so that you can apply a more stringent security policy.

    Top Sources of Attack: Use this report to identify which hosts attack your network most frequently.

    Top Types of Attack: Use this report to identify the types of attack that are directed at your network most frequently. The possible types of attack that you can monitor include port scans, denial-of-service attacks, and MAC spoofing.

    Top Blocked Applications / Blocked Applications Over Time: Use these reports together to identify the applications that are used most frequently to attack your network. You can also see whether or not the applications being used for attacks have changed over time.

    Attacks over Time: Use this report to identify the groups, IP addresses, operating systems, and users that are attacked most frequently in your network. Use it also to identify the most frequent type of attack that occurs.

    Security Events by Severity: Use this report to see a summary of the severity of security events in your network.

    Top Traffic Notifications / Traffic Notifications Over Time: These reports show the number of attacks that violated the firewall rules that you configured to notify you about violations. You configure this data to be reported by checking the Send Email Alert option in the Logging column of the Firewall Policy Rules. Use Traffic Notifications Over Time to see how the attacks increase or decrease, or affect different groups, over time. Use these reports to see which groups are most at risk of attack through the firewall.

    Full Report: Use this report to see the information that appears in all the Network Threat Protection quick reports in one place.

    Traffic log: Use this log if you need more information about a specific traffic event or type of traffic that passes through your firewall.

    Packet log: Use this log if you need more information about a specific packet. You may want to look at packets to more thoroughly investigate a security event that was listed in a report.

    Attacks log: Use this log if you need more detailed information about a specific attack that occurred.


    The Traffic, Packet, and Attacks logs are accessed from the SEPM's Monitors tab, Logs, Network Threat Protection.
    The other reports can be accessed through the SEPM's Reports tab, Quick Reports, Network Threat Protection.
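As an added example (not from this article or from Symantec), the script below shows how summaries like Top Targets Attacked, Top Sources of Attack, Top Types of Attack and Attacks over Time can be derived from the attack-log fields the article lists; the pipe-separated record layout, host names and addresses are constructed for illustration and are not SEPM's export format.

```python
from collections import Counter
from datetime import datetime
import ipaddress

# Constructed sample records using the fields the article lists (time, event
# type, action taken, direction, host name, IP address, protocol, severity).
# The pipe-separated layout is hypothetical, not SEPM's real export format.
SAMPLE_LOG = """\
2009-01-14 09:01:12|Port Scan|Blocked|Inbound|vpn-client-01|10.8.0.12|203.0.113.5|TCP|Major
2009-01-14 09:03:40|Port Scan|Blocked|Inbound|vpn-client-02|10.8.0.13|203.0.113.5|TCP|Major
2009-01-14 10:15:03|Denial of Service|Blocked|Inbound|web-01|192.168.1.20|198.51.100.7|UDP|Critical
2009-01-14 11:42:55|MAC Spoofing|Blocked|Inbound|vpn-client-01|10.8.0.12|203.0.113.9|ARP|Minor
2009-01-15 08:20:10|Port Scan|Blocked|Inbound|vpn-client-01|10.8.0.12|203.0.113.5|TCP|Major
malformed line that should be skipped
"""

FIELDS = ["time", "event_type", "action", "direction", "host",
          "target_ip", "source_ip", "protocol", "severity"]


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def top_by(records, field, n=3):
    """Most frequent values of one field: host (Top Targets Attacked),
    source_ip (Top Sources of Attack) or event_type (Top Types of Attack)."""
    return Counter(r[field] for r in records).most_common(n)


def top_subnets(records, prefix=24, n=3):
    """Targets grouped by subnet, as the Top Targets Attacked report can do."""
    nets = Counter(
        str(ipaddress.ip_network(f"{r['target_ip']}/{prefix}", strict=False))
        for r in records)
    return nets.most_common(n)


def attacks_over_time(records):
    """Attack count per calendar day, oldest first (Attacks over Time)."""
    per_day = Counter(r["time"].date().isoformat() for r in records)
    return sorted(per_day.items())
```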


References
2009081409151448 - About the different types of Symantec Endpoint Protection Manager Reports

Legacy ID

2009081410460448
