Security Community Blog

Advanced SEP Reporting

Created: 24 Apr 2011 • Updated: 25 Apr 2011
Author: Govardhan

It is the security officer's responsibility to oversee the firm's infrastructure risk exposure and its trends in real time. Unfortunately, none of the industry-leading security products offers a consolidated risk report that would let senior security officers review and keep track of risk events.

As I have extensive exposure to the SEP DB schema, I have developed a SQL query that generates a consolidated report in a high-level format, classifying the risk events into the categories below:

If the user name matches "*admin*", report it as "Admin account access".
If the user name matches "system", report it as "SYSTEM account access".
If the file name matches "unavailable", report it as "unavailable".
If the file name matches "*Program Files*|*C:/Winnt*", report it as "System Folders".
If the file name matches "*Temporary Internet Files*|*Mozilla/Firefox/Cache*", report it as "Web browsing".
If the file name matches "*[HNP]:*", report it as "Network drive".
If the file name matches "*D:*", report it as "Optical removable drive".
If the file name matches "*[^CDA]:*", report it as "USB removable drive".
If the file name matches "*Local Settings/Temp*", report it as "User Profile Temp Folder".
If the file name matches "*Documents and Settings*", report it as "Local User Profile".
If the file name matches "*C:*", report it as "Local drive".
If none of the above conditions matches (the conditions are checked in the order listed, so the first match decides the category), report it as "-". This indicates a scenario not covered above and should be checked further.
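As an added illustration (my own Python model, not the post's SQL stored procedure), the rule chain above applied to constructed sample events. It keeps the post's wildcard patterns verbatim and shows why the first-match ordering matters and where the rules have blind spots; it assumes, beyond what the post states, that Windows backslashes are normalised to "/" before matching.

```python
import re
from collections import Counter
# The post's rule chain, in order; first match wins. Pattern syntax as in the
# post: '*' any text, [HNP] / [^CDA] character classes, '|' alternatives.
USER_RULES = [("*admin*", "Admin account access"), ("system", "SYSTEM account access")]
FILE_RULES = [
    ("unavailable", "unavailable"),
    ("*Program Files*|*C:/Winnt*", "System Folders"),
    ("*Temporary Internet Files*|*Mozilla/Firefox/Cache*", "Web browsing"),
    ("*[HNP]:*", "Network drive"),
    ("*D:*", "Optical removable drive"),
    ("*[^CDA]:*", "USB removable drive"),
    ("*Local Settings/Temp*", "User Profile Temp Folder"),
    ("*Documents and Settings*", "Local User Profile"),
    ("*C:*", "Local drive"),
]

def wildcard_to_regex(pattern):
    """Translate one post-style pattern into an anchored, case-insensitive regex."""
    alts = []
    for alt in pattern.split("|"):
        tokens = re.split(r"(\*|\[[^\]]*\])", alt)  # keep '*' and [...] as tokens
        alts.append("".join(t if t.startswith("[") else ".*" if t == "*"
                            else re.escape(t) for t in tokens))
    return re.compile("^(?:%s)$" % "|".join(alts), re.IGNORECASE)

def classify(user_name, file_name):
    """Category for one event; first matching rule wins, '-' if none matches."""
    for pattern, label in USER_RULES:
        if wildcard_to_regex(pattern).match(user_name or ""):
            return label
    # Assumption (not from the post): normalise Windows backslashes to '/'.
    path = (file_name or "").replace("\\", "/")
    for pattern, label in FILE_RULES:
        if wildcard_to_regex(pattern).match(path):
            return label
    return "-"

def consolidated_report(events):  # per-category counts, the post's high-level view
    return Counter(classify(u, f) for u, f in events)

SAMPLE_EVENTS = [  # constructed (user name, file name) rows, not real SEP data
    ("localadmin", r"C:\data\tool.exe"),           # user rules win over file rules
    ("SYSTEM", r"C:\Windows\Temp\svc.tmp"),
    ("jdoe", r"E:\autorun\setup.exe"),             # any letter but C, D, A
    ("jdoe", r"C:\Program Files\App\lib.dll"),
    ("jdoe", r"C:\data\report.xls"),
    ("jdoe", r"\\fileserver\c$\x.exe"),            # UNC path: no rule covers it
    ("jdoe", r"C:\data\doc.txt:Zone.Identifier"),  # ADS name: 't:' hits [^CDA]:
]
```

The last two rows are the cases a reviewer should watch: a UNC path lands in "-" because no rule mentions it, and an alternate data stream name is counted as a USB drive because "[^CDA]:" matches any colon, not only the one after the drive letter.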
 

Refer to http://gunnalag.blogspot.com/2011/04/sep-reporting-sql-stored-procedure-to.html for the complete SQL stored procedure that generates the high-level consolidated report.