BMC Defender Audit Report facility
The essential purpose of the BMC Defender Audit report facility is to provide an easy indication of some aspect of the data, such as general user activity, device activity, perimeter activity, changes to Active Directory, and tickets generated. This information is typically of strong interest to auditors who want to verify that the SIEM is configured and working properly.
Although Audit reports might also be useful for forensics, they are intended to provide evidence that BMC Defender Server is actively gathering data, so that forensic activities can be carried out if necessary.
For that reason, Audit reports consist mainly of key metric data and counts that should be interpreted as relative values rather than diagnostic values; end-users of the system should understand this and take it into consideration.
Summary and additional notes on the report generation function
- The main purpose of Audit reports is to furnish evidence to auditors that data is being collected in compliance with good security practices and standards such as PCI-DSS and HIPAA.
- Audit reports are also often used as a high-level indication of the types and amounts of data being collected, useful to managers and analysts.
- Each type of report in the Reports > Audit tab is designed to cover a certain area of security compliance:
  - Tracking user access;
  - Tracking device performance;
  - Tracking perimeter and firewall devices;
  - Tracking changes to authentication;
  - Tracking incidents.
- Each reporting tab generates reports at midnight, or on demand. When a report is generated, it collects all the data for the tab. The operator can then examine some aspect of the data (or all of it) with a Report Viewer.
- The system comes with several default Report Viewers, and the operator can create new types of report viewers by filtering rows and selecting columns (using AddNew or Edit options on the reporting tab).
- Report data items are intended to summarize the general activity of a particular aspect of the program and are not necessarily useful for detailed forensic analysis (except perhaps as a starting point).
- The report features of BMC Defender, unlike other aspects of the program, are not real-time functions and are mainly useful for post-analysis of events and performance, or for validating the configuration of the BMC Defender Server.
- Each report has specific audit items, and Advanced features specific to the report. For more information, see Advanced-correlation-using-actions.
- Each report can be entered into an ODBC database for use by third-party reporting tools.
- Each report can be e-mailed to one or more users using the Reports > E-Mail tab. This provides an easy way of distributing specific reports to interested parties.
- The reporting facility has various extensibility features; the operator can modify the header and footer of audit HTML reports and can process reports using command line utilities and external formatters.
- Report data spans midnight of the current day, backward in time for the number of days indicated by the Span Days or Max Records setting, found in the Advanced tab of the system.
- The operator can manually run a report for a previous day by adjusting the Report Data Start Time value on the Generate Report Database confirmation screen. This provides a mechanism for generating a historical report (reporting on a day other than the previous day).
- You can retain reports for an indefinite period of time by e-mailing them to an account used to collect them.
Where to go from here
To generate audit reports, see Audit-tab.