Audit reports
The Reports > Audit function is a simple but powerful audit facility that generates reports based upon several commonly required specifications, in particular, specifications related to security compliance standards such as PCI-DSS and HIPAA (but also others).
Audit reports generate at midnight each night, or on demand. The report generator parses raw message data to create reports that can subsequently be downloaded in HTML, CSV, or text format through a Report Viewer. Administrators can e-mail audit reports to end users.
Audit reports come ready to use and usually require no configuration by an operator. However, several configuration items exist that expand the role of audit reports to include more specialized reporting appropriate to specific administrators (who may not want or need access to all data on the system). Operators can create alternate Report Viewers (through the AddNew option on each screen) that limit the data to certain columnar match patterns and can hide columns of a report.
As an important side function of audit reports, the report information can be loaded automatically into ODBC-compliant databases for use with third-party report writers, or to support complex SQL queries. You configure the ODBC functions of each report type through the Advanced option found at the top of the various Audit reports.
Audit report types
The following Audit reports are accessible through the Reports > Audit facility of the system. Each report type is intended to satisfy a particular common audit requirement supporting good security for the enterprise.
- User Activity—This type of report lists all users of the system, demonstrating (in compliance with most security standards) that all users are being monitored. The report directly supports PCI-DSS and HIPAA specifications to track user access, but also provides a useful indication of user activity and possible insider threat.
- Device Activity—This type of report lists all the managed devices of the system, demonstrating (in compliance with most security standards) that all critical systems are being monitored. The report directly supports PCI-DSS and HIPAA specifications to track access to managed platforms. The report also provides a good indication of the amount of logging and activity associated with certain devices.
- Perimeter—This type of report lists all external IP addresses of the enterprise detected by router or firewall messages. The report collates all messages, and their counts, that contain two IP addresses (at least one of which is external to the enterprise). This unique report tabulates the country code associated with IP addresses, which is useful for determining external attacks or data exfiltration.
- Account Management—This type of report lists all the changes detected by Active Directory with regard to adding, modifying and deleting users and adding, modifying and deleting user groups. The report is mainly intended to support Microsoft AD implementations but may have application in other LDAP applications (where LDAP is used to authenticate enterprise users). This report demonstrates, in compliance with most security standards, that account changes are monitored and managed.
- Tickets—This type of report lists all tickets opened and closed on the system, demonstrating (in compliance with most security standards) that threats are being managed and reviewed. The report also provides a useful indication of ticket activity on the system, which is a high-level summary of the BMC Defender Server's effectiveness in monitoring threats and security events.
- Score Cards—This type of report is mainly useful in demonstrating compliance with a security standard such as PCI-DSS, or demonstrating good security practices. The report maps thread counts (which represent the amount of data tabulated by the system) with respect to user-selected threads and data categories. In particular, the report demonstrates data collection and organization, which is the most basic function required for any compliance standard or any good security management. As such, this type of report is often the starting point for any security audit.
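The following Python script is an added illustration of two ideas described above, the Perimeter report's collation of messages containing two IP addresses with at least one external to the enterprise, and an alternate Report Viewer that limits rows to columnar match patterns and hides columns. It is not BMC Defender Server code and makes no use of its file formats. The router and firewall messages are constructed samples; the definition of "internal" address ranges is an assumption standing in for the site's own configuration; and the country-code column of the real report is omitted because it requires an external geolocation lookup.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample router/firewall messages (not product output). Each line the
# Perimeter report cares about carries two IP addresses, source then destination.
SAMPLE_MESSAGES = [
    "Jan 10 00:01:02 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.1.2.3 PROTO=TCP DPT=22",
    "Jan 10 00:01:05 fw1 kernel: ACCEPT IN=eth1 SRC=10.1.2.3 DST=198.51.100.20 PROTO=TCP DPT=443",
    "Jan 10 00:01:09 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.1.2.3 PROTO=TCP DPT=23",
    "Jan 10 00:02:00 rtr1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.44(4455) -> 10.1.2.9(445), 1 packet",
    "Jan 10 00:02:30 fw1 kernel: ACCEPT IN=eth1 SRC=10.1.2.3 DST=10.1.2.9 PROTO=TCP DPT=445",
    "Jan 10 00:03:00 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.1.2.3 PROTO=TCP DPT=22",
]

# Assumption: "external to the enterprise" means outside these address ranges.
# A real deployment would take this list from the site's configuration.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_external(ip):
    """True if the address lies outside every configured internal network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def extract_pair(message):
    """Return the first two syntactically valid IPv4 addresses in a message, or None."""
    ips = []
    for candidate in IPV4_RE.findall(message):
        try:
            ipaddress.ip_address(candidate)  # rejects octets above 255
        except ValueError:
            continue
        ips.append(candidate)
        if len(ips) == 2:
            return ips[0], ips[1]
    return None


def perimeter_report(messages):
    """Collate messages that contain two IPs, at least one external, into
    (src, dst, direction, count) rows sorted by count, as the Perimeter report does."""
    counts = Counter()
    for message in messages:
        pair = extract_pair(message)
        if pair is None:
            continue
        src, dst = pair
        if not (is_external(src) or is_external(dst)):
            continue  # purely internal traffic is not perimeter traffic
        counts[pair] += 1

    rows = []
    for (src, dst), count in counts.items():
        if is_external(src) and not is_external(dst):
            direction = "inbound"  # review for external attack attempts
        elif is_external(dst) and not is_external(src):
            direction = "outbound"  # review for possible data exfiltration
        else:
            direction = "external-external"
        rows.append({"src": src, "dst": dst, "direction": direction, "count": count})
    rows.sort(key=lambda r: (-r["count"], r["src"], r["dst"]))
    return rows


def apply_viewer(rows, column_patterns, hidden_columns=()):
    """Model of an alternate Report Viewer: keep rows whose columns match the
    given regular expressions, then drop the hidden columns."""
    compiled = {col: re.compile(pat) for col, pat in column_patterns.items()}
    result = []
    for row in rows:
        if all(regex.fullmatch(str(row[col])) for col, regex in compiled.items()):
            result.append({k: v for k, v in row.items() if k not in hidden_columns})
    return result


if __name__ == "__main__":
    for row in perimeter_report(SAMPLE_MESSAGES):
        print(row)
    print(apply_viewer(perimeter_report(SAMPLE_MESSAGES), {"direction": "inbound"}, ("count",)))
```

On the sample input the purely internal 10.1.2.3 to 10.1.2.9 message is dropped, the three repeated drops from 203.0.113.7 collapse into one row with a count of 3, and the viewer restricted to inbound rows with the count column hidden shows only the two externally sourced pairs, which is the sort of restricted view an administrator responsible for only one aspect of the perimeter would be given.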
In particular, the Score Cards report may be sufficient to simplify audit operations for certain types of regulatory compliance standards, since these types of reports illustrate the basic areas of coverage for the enterprise, and can be used to map specific BMC Defender Server configuration elements to certain compliance standard specifications such as PCI-DSS, HIPAA, and SOX.