Audit Report generation function
This application note provides a detailed discussion and overview of operation for the BMC Defender Audit Report facility. This is a standard function of all BMC Defender Servers and allows the operator to analyze and summarize certain types of log data. The Audit reporting facility is particularly useful for creating summary data suitable for analysis by auditors, providing evidence of the data items monitored by the system (such as users, devices, and firewalls). This provides a direct mechanism for satisfying PCI-DSS, HIPAA, and various other security compliance standards; generally, each audit report satisfies a particular aspect of the common compliance standards. The application note furnishes information not otherwise covered in those sections, including a description of all screen components and features of the Audit report configuration and processes, as well as the database interface to the Audit report facility, which allows report data to be written to an operator-specified database table for analysis by third-party report generators.
General description of Audit report generation function
The operator accesses Audit reports through the Reports > Audit screen. The top-level screen shows the various categories of Audit reports, where each report meets a specific objective of providing auditable information on the configuration and operation of the system.
Each category satisfies specific requirements of common compliance standards. These include the following:
- User-Activity-report—This report category provides information on users, useful for verifying that user access is being tracked in compliance with various standards. The User Activity reports list each monitored user (referenced by user name) and show useful statistics for each user.
- User-Sessions-report—This report category provides information on user sessions (by default Windows sessions) that shows a record of logon times, locations, users, and other information in a time card format. This report complements the User Activity report described above but contains a different type of information, associating logon sessions with managed devices.
- Device-Activity-report—This report category furnishes information on managed devices, useful for verifying that critical servers and assets are being tracked in compliance with various standards. The Device Activity reports list devices (referenced by IP address) showing the various message counts being received for each managed device.
- Perimeter-report—This report category shows perimeter activity. Specifically, each perimeter report consists of message counts and data for those messages that contain both a local IP address and an external IP address. This typically includes message counts from firewalls and routers, but might also contain counts from items such as web servers. The report lists the internal address, the external address, the country code for the external address, and various metrics for each external address.
- Account-Management-report—This report category shows the activity associated with adding, removing, or modifying Active Directory groups. The report is tailored for Microsoft Active Directory implementations (but can also be used to monitor local login authentication). The report provides essential visibility into the authentication of users on the network in compliance with a variety of security standards.
- Tickets-report—This report category provides information on the activity of tickets and actionable data on the system. This satisfies various compliance standards requiring users to monitor threats and anomalies on the system. These reports furnish evidence that BMC Defender is actively monitoring threats and anomalies.
- Score-Cards-report—This special report category consists of reports that map BMC Defender threat activity to various compliance standards, useful in furnishing evidence that BMC Defender is configured to meet and satisfy a particular compliance standard. The Score Cards report category is the only Audit report that does not have a Generate Report Database or Generate function.
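The Perimeter report described above is essentially an aggregation over messages that carry both an internal and an external IP address. The following Python example, added here to illustrate that idea and not part of the BMC Defender product or this application note, builds such a summary from a few constructed firewall- and server-style syslog lines: it extracts IPv4 addresses, treats RFC 1918, loopback and link-local ranges as "local" (an assumption of this example; the product's own definition of a local address is not described on the page), keeps only messages with at least one local and one external address, and counts messages per internal/external pair. The country lookup table is a hypothetical stand-in for a GeoIP database.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines in a generic syslog/firewall style (not real device output).
SAMPLE_LOGS = [
    "Mar 10 12:00:01 fw1 kernel: ACCEPT src=10.1.2.3 dst=203.0.113.10 proto=TCP dpt=443",
    "Mar 10 12:00:02 fw1 kernel: DROP src=198.51.100.7 dst=10.1.2.3 proto=TCP dpt=22",
    "Mar 10 12:00:03 fw1 kernel: ACCEPT src=10.1.2.3 dst=203.0.113.10 proto=TCP dpt=443",
    "Mar 10 12:00:04 srv1 sshd: Accepted publickey for alice from 10.1.5.9 port 50000",
    "Mar 10 12:00:05 fw1 kernel: ACCEPT src=192.168.0.20 dst=203.0.113.10 proto=UDP dpt=53",
    "Mar 10 12:00:06 web1 httpd: 203.0.113.10 - - GET /index.html 200",
]

# Hypothetical country lookup; a real deployment would consult a GeoIP database.
COUNTRY_LOOKUP = {
    "203.0.113.10": "XX",
    "198.51.100.7": "YY",
}

# Assumed definition of "local": RFC 1918 plus loopback and link-local. Python's
# ip_address.is_private is deliberately not used, because it also flags the
# documentation ranges (198.51.100.0/24, 203.0.113.0/24) used in the sample data.
LOCAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_local(ip):
    """Return True if the address falls in one of the assumed local ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)


def extract_ips(line):
    """Return the syntactically valid IPv4 addresses found in a log line."""
    found = []
    for candidate in IPV4_RE.findall(line):
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            continue  # regex matched something like 300.1.1.1, which is not an address
        found.append(candidate)
    return found


def perimeter_report(lines, country_lookup=COUNTRY_LOOKUP):
    """Count messages per (internal, external) address pair.

    Only lines carrying both a local and a non-local address are perimeter
    messages; single-sided lines (internal-only SSH, external-only web hits)
    are skipped. Returns rows sorted by internal then external address.
    """
    counts = defaultdict(int)
    for line in lines:
        ips = extract_ips(line)
        local = sorted({ip for ip in ips if is_local(ip)})
        external = sorted({ip for ip in ips if not is_local(ip)})
        if not local or not external:
            continue
        for lip in local:
            for eip in external:
                counts[(lip, eip)] += 1

    rows = []
    for (lip, eip), n in sorted(counts.items()):
        rows.append({
            "internal": lip,
            "external": eip,
            "country": country_lookup.get(eip, "??"),
            "messages": n,
        })
    return rows


if __name__ == "__main__":
    for row in perimeter_report(SAMPLE_LOGS):
        print("{internal:<14} {external:<14} {country:<3} {messages}".format(**row))
```

Running the block prints three rows: the internal host 10.1.2.3 paired with each of the two external addresses, and 192.168.0.20 paired with 203.0.113.10; the SSH and web-server lines are excluded because they carry only one side of the conversation. The same row shape (internal, external, country, count) is what would be written to an operator-specified database table for downstream report generators.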
In addition to the preceding report categories, other types of reporting specific to certain customer requirements might be available from BMC Support channels. Not all of the reporting functions described above exist at every BMC Defender Server implementation.
Each of the reporting areas discussed is suitable for use by auditors and analysts and is designed to satisfy the reporting requirements of PCI-DSS, HIPAA, and many other security standards.