
Virtual Security Operations Center (VSOC)

Portal Reports User Guide


December 2017

© Copyright IBM Corporation 2010-2016 Virtual SOC Portal Reports User Guide
Page 1 of 28
Table of Contents

Overview ... 3
Reporting Highlights ... 3
Report Dashboard ... 4
Generating Reports ... 6
Schedule Reports ... 7
Customizing Reports with CSV ... 8
General Service Related Reports ... 9
  Service Level Agreement Report ... 9
  Service Overview Report ... 10
  Security Manager Overview Report ... 11
IDS/IPS Device Reports ... 12
  Attack Metrics ... 12
  Global Attack Metrics ... 12
  Your Attack Metrics ... 13
  Explanation of Attack Types ... 13
  Attacks on Vulnerable Assets ... 17
  Prevented Attack Report ... 18
  Event Counts Reporting ... 19
  IDS/IPS Event Trend ... 20
Content Management ... 21
  URL Filtering Category ... 21
Firewall ... 23
  Firewall Service Overview ... 23
  Traffic Analysis Denied ... 24
  Traffic Analysis Email ... 25
  Traffic Analysis Web Activity by Website ... 25
  Suspicious Host Correlation Report ... 26
Security Event and Log Management Devices (SELM) ... 27
  Cross Log Type Reports ... 27
  Alert-Based Reports ... 27

Overview
This document enables you to take advantage of the Reporting features in the IBM Security Services Managed
Security Services (MSS) Customer Portal, sometimes referred to as the Virtual Security Operations Center
(VSOC).

Use this guide to learn about basic navigation of the Report Dashboard, or to facilitate in-depth analysis to
support your Security organization. Report templates include descriptions and use cases to help you better
understand the various industry standard templates and best practices available to you.

Reporting Highlights
• Security Event and Trend Statistics
• Firewall Traffic and Utilization Statistics
• Threat and Vulnerability Research
• Threat and Vulnerability Mitigation
• Audit Compliancy
• Workload Prioritization
• Suspicious Host Detection
• IP Intelligence (security analytics)
• Statistical Overview of Your Services

Note: Feature sets may vary based on the MSS services you have subscribed to. Appropriate Service and
Service level subscription is required.

Report Dashboard
The Portal Report Dashboard contains many industry standard report templates that you can customize by
device, device groups, and time intervals. Click a report template hyperlink to configure report criteria and
generate a report. The report templates can facilitate research, vulnerability assessment, threat mitigation,
workload prioritization and delegation, and help address audit compliancy requirements.

The report templates are grouped into several categories:
• General Service Related – Reports on statistics associated with your subscribed services
• IDS/IPS Devices – Reports on device statistics
• Content Management Devices – Reports related to web content, anti-virus, and anti-spam
• Security Event & Log Management
  • Cross Log Type Reports
• Firewall Devices – Reports on FW statistics
• Alerts-based Reports – Report of the alerts and counts associated with your SELM Service
The VSOC allows you to save report criteria for future use, and to export a report in PDF and CSV formats.
You can schedule reports at fixed time intervals by selecting one of the calendar icons shown below.

The scheduling feature also allows you to email reports automatically to various members in your organization.

Generating Reports
Step 1: Select the desired time interval from the drop-down. Note that you also have the option to select from a
saved report.
Step 2: Select the desired device or device group. Note that you also have the option to report on inactive devices.
Step 3: Select the desired report options, including amount and format. Note that you also have the options to enable
Resolve DNS, Trending, and Group by Network.
Note: To save the report criteria, check the box entitled “Save this criteria.”
Step 4: Select “Submit Query” on the lower right-hand side.

Schedule Reports
After you have customized (named) and saved your reports, you can set up automatic reporting.
Step 1: Select the desired report name.
Step 2: Schedule the report by selecting the appropriate recurrence pattern (Hourly, Daily, etc.).
Step 3: Schedule the appropriate recurrence range.
Note the calendar icons for specific end date assistance.
Step 4: Select the appropriate report format (PDF, HTML or CSV).
Step 5: Verify and / or edit the recipient fields.
Step 6: Click “Create Schedule” on the lower right.

Best Practice Tip: If you need to delegate work within your security team, or adhere to audit
compliancy requirements, use the report delivery options to archive reports to a centralized mailbox.

Customizing Reports with CSV
You can open a CSV (comma separated value) report in Microsoft Excel. It is a powerful and versatile format.
It allows you to combine data from multiple sources, and use macros and other Excel tools to manipulate the
data and create multiple views of it.

Using Excel Pivot Tables to Create Custom Reports from a CSV File
The pivot table feature in Microsoft Excel allows you to manipulate report data in many different ways,
essentially creating multiple reports from one exported CSV file. For more information about how to use Excel
to manipulate portal report data, refer to the video, “Exporting Portal Data and Using Excel to Manipulate Data
and Create Pivot Tables (10 minutes),” which is available in the Portal Media Library.

General Service Related Reports
General Service Related reports can help you research, track, and document ticketing information, including
Service Level Agreement bound tickets and security incident details. These reports can assist in audit
compliancy initiatives. There are three types of service related reports: Service Level Agreement, Service
Overview, and Security Manager Overview.

Service Level Agreement Report


The report shows charts and statistics on SLA eligible tickets and their associated response times. Graphs track
various types of tickets, including suspected outages, maintenance, and general inquiries.
*additional SLA levels available in full report

Service Overview Report
The Service Overview report shows graphs and charts summarizing SLA eligible tickets, ticket type breakdown
and a six-month trend.
*example below. Additional report contents available in full report

Security Manager Overview Report
The Security Manager Overview report shows the total security event count and security incident statistics. The
report also includes a detailed Security Incident (ticket) breakdown, which can assist in organization and
workload prioritization.

IDS/IPS Device Reports
IDS/IPS device reports provide statistical threat analysis information about security event threats impacting
your network. Use these reports to gather statistics on security events by source and destination, as well as
assist in researching attack trends. You also can use these reports for tuning initiatives.

Attack Metrics
This report requires security events from IBM appliances. It displays several graphs of data, detailing the
numbers and types of attacks detected during the past 30 days. This report can help identify abnormalities
within your network. It is available as Global Attack Metrics as well as Your Attack Metrics. To view more
detailed information, click a graph and plot points to generate drill-in reporting.

Global Attack Metrics

Click a graph for drill-in research capabilities.

Your Attack Metrics

Explanation of Attack Types


The attack types included in the Attack Metrics report, along with brief descriptions and examples, are listed
below.

• Protocol Signature
A large number of these events in a short time period could indicate an attack.
Example: TLS_Weak_Cipher_Suite
Servers and clients use X.509 certificates when establishing communication using Secure Sockets Layer
(SSL). An SSL server that allows weak ciphers (with key-lengths less than 128-bits) could allow a remote
attacker to obtain sensitive information.
Suggested Action: Consult server documentation to disable weak ciphers.

• Pre-Attack Probe
An attempt to gain access to a computer and its files through a known or probable weak point in the
computer system.
Example: Ping_Sweep
As a prelude to an attack, subnets are often swept with ICMP or other packets that elicit known responses
from active hosts. This sort of probe is used to enumerate active hosts on the subnet, and identify potential
attack targets. Normal hosts on a network should never engage in sweeps unless they are performing
network monitoring or management tasks.
Suggested Action: Always filter inbound ICMP (other than replies to outbound requests) through your
firewall or filtering router, if possible. If a stateful inspection filter is not available inbound, then block all
ICMP outbound to prevent replies from reaching the attacker.
• Unauthorized Access Attempt
This usually denotes suspicious activity on a system, or failed attempts to access a system, by a user
who does not have access.
Example: SSH_Brute_Force
This event detects an excessive number of very short SSH sessions initiated by a single client to one or
more servers within a specified timeframe. It may indicate a username/password guessing attack, or a DoS
attack. To qualify as this type of attack, a session must have completed encryption negotiations so that a
login may be attempted, and the time elapsed from the first encrypted client data until the TCP session
ends with a TCP FIN or server RST must be less than the setting for pam.login.ssh.short.session.time
(default 4 seconds). The signature is tunable via the pam.login.ssh.count (default 12) and the
pam.login.ssh.interval setting (default 60 seconds).
This signature also detects an excessive number of SSH Server Identifications from an SSH server within a
specified timeframe. This may indicate a username/password guessing attack. The signature is tunable via
the pam.login.ssh.count, pam.login.ssh.interval and pam.ssh.server.bruteforce.chars settings.

• Backdoors
Hidden programs that attackers use to access your computer without your knowledge or consent.
Example: RDP_Brute_Force
This signature detects worms, such as Win32/Morto, that allow unauthorized access to an affected
computer. These worms spread by trying to compromise administrator passwords for Remote Desktop
connections on a network.
Example: NetController_TCP_Request
This signature detects a request on port 6969/TCP that may indicate a NetController backdoor running on
your network.
Suggested Action: Use an up-to-date antivirus program to scan the target computer to determine if it is
infected with a backdoor program. If the program detects a backdoor, follow its instructions to disinfect and
repair the computer.

• Denial of Service
An attack that attempts to prevent legitimate users from accessing information or services. By targeting a
user’s computer and its network connection, or the computers and network of the site a user is trying to
access, an attacker may be able to prevent a user from accessing email, websites, or online accounts for
banking or other services that rely on the affected computer or network.
Example: Smurf_Attack
In a Smurf denial-of-service (DoS) attack, ICMP echo request (ping) packets addressed to an IP broadcast
address cause a large number of responses. When each host on the subnet replies to the same ping
request, the large number of responses can consume all available network bandwidth, especially if data is
appended to the ping request. This can prevent legitimate traffic from being transmitted during the attack.
This attack is frequently used against third parties, where an attacker forges the target's source address in
a Smurf attack against a different target. At the extreme, this attack can simultaneously disable both
targets.
Windows systems do not respond to broadcast pings. However, this does not mean that all Microsoft
networks are invulnerable to Smurf attacks.
Suggested Action: Reconfigure your perimeter router or firewall to block ICMP echo requests on the
internal network, and block ICMP echo replies from entering the network. This prevents an internal attacker
from using your network to mount a SMURF attack against another target. It also prevents an external
attacker from targeting your hosts. However, neither of these actions will stop internal SMURF attacks.

• Network
An attack that uses various types of network traffic and protocols for malicious activities.
Example: HTTP_eDirectory_Multiple_Connection
Novell eDirectory is vulnerable to a denial of service, caused by an error in the dhost.exe service when
processing Connection headers. By sending multiple HTTP requests containing specially-crafted
"Connection" headers, a remote attacker could exploit this vulnerability to consume all available CPU
resources, resulting in a denial of service.
Suggested Action: Refer to Novell Security Alert Document ID: 3829452 for patch, upgrade or suggested
workaround information.
Example: ICMP_Redirect
ICMP redirects detected on a network or targeted at hosts with weak TCP/IP stack implementations have
been shown to cause system failures and other adverse effects. Some versions of NetWare, Windows, and
embedded systems like Microware OS-9 have been shown to be susceptible to attacks using ICMP
redirects. An attacker could forge ICMP Redirect packets, and possibly alter the host routing tables and
subvert security, by causing traffic to flow on a path the network manager did not intend.
Caution: Various networked, embedded controllers may hang or shut down, if they receive an ICMP
redirect with an invalid Code. If your network contains controllers attached to automation equipment,
manufacturing equipment, HVAC (Heating, Ventilation, and Air Conditioning) equipment, and medical
equipment, do not perform ICMP redirects.

• Host Sensor
Exploits and general host activity that is only visible from the local host and not through the analysis of
network traffic.
Example: Security_disabled_local_group_changed
This signature detects a Windows event log message indicating that the local distribution group has been
changed.
Suggested Action: Please check whether the changes that were made to the local distribution group are
allowed.

• Status/Control Messages
Information related to the operation of the security product.
Example: License_Notice
This event indicates that something of notice has happened to the current license state of one or more of
the licensable modules. This could be generated by the installation of a license or change to any part of a
license, including count, usage or maintenance dates.
Suggested Action: For information events, no particular action is required.

• Suspicious Activity
Activity that indicates unusual system behavior or network traffic, due to various causes, such as possible
threats by attackers, user errors, or malfunctioning equipment.
Example: Suspicious_ActiveX_Installer
This signature detects attempts to install suspicious ActiveX controls. This may indicate an attempt to
install spyware on the victim's computer. This signature may be configured to ignore specific vendors by
using the pam.activex.whitelist tuning parameter.
Suggested Action: If the indicated software is found to be installed and not desired, uninstall it from your
system. Use an up-to-date antivirus or spyware removal program to determine if the target computer is
host to a spyware program.
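The SSH_Brute_Force entry above describes a counting rule: many very short encrypted SSH sessions from one client within a tuning interval. The following Python is an added example written for this guide, not IBM code and not the sensor's actual signature implementation. It models that rule over constructed session records using the defaults quoted above (pam.login.ssh.short.session.time = 4, pam.login.ssh.count = 12, pam.login.ssh.interval = 60); the record field names, the "reached the count" alert condition, and the sample addresses are assumptions of the example.

```python
"""Model of the short-session SSH brute-force rule described in the guide.

Added example: session records are constructed; field names and the
alert condition (short sessions >= count inside the interval) are assumed.
"""
from collections import defaultdict, deque

SHORT_SESSION_TIME = 4.0   # seconds, pam.login.ssh.short.session.time default
COUNT = 12                 # pam.login.ssh.count default
INTERVAL = 60.0            # seconds, pam.login.ssh.interval default


def is_short(session, short_session_time=SHORT_SESSION_TIME):
    """A session is 'short' when it ends (FIN/RST) less than
    short_session_time after the first encrypted client data."""
    return (session["end"] - session["first_encrypted"]) < short_session_time


def detect_short_session_bursts(sessions, count=COUNT, interval=INTERVAL,
                                short_session_time=SHORT_SESSION_TIME):
    """Return one alert per client whose short sessions reach `count`
    inside any `interval`-second sliding window. Sessions may target
    several servers; aggregation is on the client only."""
    per_client = defaultdict(list)
    for s in sessions:
        if is_short(s, short_session_time):
            per_client[s["client"]].append(s["end"])
    alerts = []
    for client, ends in per_client.items():
        window = deque()
        for t in sorted(ends):
            window.append(t)
            # Drop session ends that fell out of the interval.
            while t - window[0] > interval:
                window.popleft()
            if len(window) >= count:
                alerts.append({"client": client,
                               "short_sessions": len(window),
                               "window_end": t})
                break   # one alert per client is enough here
    return alerts


def make_sessions():
    """Constructed sample: one noisy client, one normal admin session,
    and one client below the threshold."""
    sessions = []
    # 15 two-second sessions from one client, 3 s apart, to two servers.
    for i in range(15):
        start = 1000.0 + 3 * i
        sessions.append({"client": "198.51.100.7",
                         "server": "10.0.0.5" if i % 2 else "10.0.0.6",
                         "first_encrypted": start, "end": start + 2.0})
    # A long interactive admin session: not short, must not count.
    sessions.append({"client": "10.0.1.20", "server": "10.0.0.5",
                     "first_encrypted": 1000.0, "end": 1900.0})
    # Five short sessions from another client: under the default count.
    for i in range(5):
        start = 2000.0 + 10 * i
        sessions.append({"client": "203.0.113.4", "server": "10.0.0.5",
                         "first_encrypted": start, "end": start + 1.0})
    return sessions


if __name__ == "__main__":
    for alert in detect_short_session_bursts(make_sessions()):
        print(alert)
```

Lowering `count` or widening `interval` is the tuning knob the page describes: with `count=5` the second client also trips the rule, which is the trade-off between catching slow guessing and alerting on automated jobs that legitimately open many short sessions.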

Attacks on Vulnerable Assets
The Attacks on Vulnerable Assets report requires subscription to the Vulnerability Management Service (VMS)
and allows you to view correlated vulnerability and IDPS data for greater insight into potential security risk
areas in your network. The report summarizes the timeframe, asset and source IP, CVE / NIST database links
and vulnerability severity. Access the IP intelligence feature by clicking on the, “Source or Asset IP” hyperlinks.
CVE (Common Vulnerabilities and Exposures)
NIST (National Vulnerability Database within the National Institute of Standards and Technology)
This report can further assist with documenting vulnerabilities and workload prioritization.
Note: Customers with IDPS only can run the report but they will be prompted that this report is only
available if vulnerability scan (VMS) data is available.

The Attacks on Critical Assets report also includes security event names, an event count summary and the
source, or “Attacker,” IP address.
To generate more information on the event and threat, click a security event name link. Clicking the Source IP
hyperlink generates the IP Intelligence report.

Prevented Attack Report
The Prevented Attacks report provides statistics on blocked security events, including a graph and a list of
associated signatures. This report is useful for showing how your devices are protecting your network, as well
as potentially flagging legitimate blocked traffic. Clicking a signature hyperlink gives you access to research
options, including security information, the sources and destinations, and the associated sensors.

Vulnerability Impact Report

By running this report and adding a specific event name that was occurring at that time (for example, a Brute
Force attack or Failed Login Attempt), you are shown which devices were being impacted by that event.

Event Counts Reporting
The various Event Counts reports are excellent for threat analysis investigation. They can help you quickly
identify trends by sensor, and by the top sources and destinations, impacting your network. You also can
generate reports based on security events. The example listed below is Event Counts by Source IP. The other
Event Counts reports are: Destination IPs; Event Names; Sensors; and Sensors, Event Names, and IPs.

IDS/IPS Event Trend
The Event Trend report compares events and trends for the current period with the previous period, and lists
any security incidents. Clicking a signature hyperlink provides access to additional research options.
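The CSV export described under Customizing Reports with CSV, the per-source, per-event and per-sensor breakdowns of the Event Counts reports, and the current-versus-previous-period comparison of the Event Trend report are all the same operation: group a flat export and sum counts. The following Python is an added example, not IBM code; it does the pivot that the guide suggests doing in Excel. The column names in SAMPLE_CSV are an assumption (the portal's real export layout is not specified here) and the rows are constructed.

```python
"""Pivot a VSOC-style CSV export and compare two reporting periods.

Added example: the column layout is assumed, not the portal's documented
schema, and the sample rows are constructed for illustration.
"""
import csv
import io
from collections import Counter

# Constructed sample export: one row per security event summary line.
SAMPLE_CSV = """\
timestamp,sensor,event_name,source_ip,destination_ip,count
2017-12-01T10:00:00Z,sensor-a,SSH_Brute_Force,198.51.100.7,10.0.0.5,12
2017-12-01T10:05:00Z,sensor-a,Ping_Sweep,198.51.100.7,10.0.0.0/24,250
2017-12-01T11:00:00Z,sensor-b,TLS_Weak_Cipher_Suite,10.0.1.20,10.0.0.8,3
2017-12-01T12:00:00Z,sensor-b,SSH_Brute_Force,203.0.113.4,10.0.0.5,30
2017-12-01T13:00:00Z,sensor-a,SSH_Brute_Force,198.51.100.7,10.0.0.6,8
"""


def parse_export(text):
    """Parse CSV text into a list of dicts, converting 'count' to int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["count"] = int(row["count"])
        rows.append(row)
    return rows


def pivot(rows, *fields):
    """Sum 'count' grouped by one or more columns (an Excel pivot, in code).
    A single field keys by value; several fields key by tuple."""
    totals = Counter()
    for row in rows:
        key = tuple(row[f] for f in fields)
        totals[key if len(fields) > 1 else key[0]] += row["count"]
    return totals


def top(totals, n=3):
    """Top-N entries of a pivot, largest count first."""
    return totals.most_common(n)


def compare_periods(current, previous):
    """Side-by-side trend per key: (current, previous, percent change).

    Keys seen only in the current period have no baseline, so their
    change is reported as None rather than a misleading infinity.
    """
    result = {}
    for key in set(current) | set(previous):
        cur, prev = current.get(key, 0), previous.get(key, 0)
        pct = None if prev == 0 else round((cur - prev) * 100.0 / prev, 1)
        result[key] = (cur, prev, pct)
    return result


if __name__ == "__main__":
    rows = parse_export(SAMPLE_CSV)
    print("by source IP:", top(pivot(rows, "source_ip")))
    print("by sensor and event:", top(pivot(rows, "sensor", "event_name")))
    # Constructed previous-period totals for the trend comparison.
    previous = {"SSH_Brute_Force": 40, "Ping_Sweep": 250}
    print("trend:", compare_periods(pivot(rows, "event_name"), previous))
```

Exporting the current and the previous period as two CSV files and feeding both pivots to `compare_periods` reproduces the Event Trend side-by-side view; a `None` percentage flags a signature that was absent last period, which is usually the row worth looking at first.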

Side-by-side event trending

Content Management
URL Filtering Category
Content Management templates allow you to research and document a summary of your network’s top web
traffic by Category and Client (IP address). Each category will chart Blocked (red) and Allowed (green) traffic.
The reports are useful for identifying inappropriate and unauthorized Internet use.

Below is the full view of the URL Filtering Category Summary, including trending information. To view logs,
click a category name hyperlink and select, View these logs. This generates a log query, with the associated
traffic, and allows you to further research and document web traffic.

Firewall
Firewall reporting will assist you in traffic analysis, rule analysis and policy optimization. This will not only
improve the performance of your network, but alert you to suspicious activity that warrants further investigation.

Firewall Service Overview


The Firewall Service Overview report shows a list of top sources and destinations, including top web-related and
non-web-related traffic. There is also a connections table that can help you identify anomalies.

Traffic Analysis Denied
The traffic analysis denied report details the top source and destination IPs, with port, count, and trending
percentage. Spikes in dropped traffic may represent various types of scanning or other malicious intent.

Traffic Analysis Email
Use the Traffic Analysis Email report to identify high trending valid and invalid email traffic. Invalid traffic could
potentially be spambot traffic. A spike in email traffic from workstations could be a sign of an infection.

Traffic Analysis Web Activity by Website

The Traffic Analysis Web Activity by Website report details top outbound web destinations by source and
destination IP, with trending information. In today’s world, port 80 is used for many types of malicious traffic,
including infections and command-and-control (C&C) of botnets. Attackers use this port because it is one of the most
open TCP ports in any corporate firewall. Using our traffic analysis report, you can keep an eye on the most popular
websites visited, and also the country they belong to. For example, if you are a US company and notice a large
amount of traffic to a server in China, it would be something worth investigating.

Protocol Usage
The Protocol Usage report helps break down top firewall traffic by protocol and may identify suspicious protocol usage.
This can be useful in detecting new outbreaks.

Suspicious Host Correlation Report


The Suspicious Host Correlation report uses logs from your devices to identify suspicious communication from
within your network to known malicious or botnet hosts. The intelligence used to identify this traffic comes from
IBM X-Force Research, IP reputation data, and trusted third parties. For the Suspicious Host dashboard, your
logs are analyzed and referenced with IBM’s suspicious host intelligence near-real-time results. Use this report
to help flag potential threats, and the Suspicious Host dashboard for further research and mitigation
assistance.

Security Event and Log Management Devices (SELM)
Log storage reporting across all devices, including: SELM Server Device Listing by Site, Event Counts by Device or Log
Aggregator, System Activity Events, Event Details, and By User.

Cross Log Type Reports


With the Cross Log Type Report, locate malicious IP addresses across all log types to help determine what a certain IP
address does across multiple log types.
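The Suspicious Host Correlation report and the Cross Log Type report above are two views of one correlation: normalise events from several log types, match each peer address against a suspicious-host list, and summarise what a given address did across firewall, proxy and IDS logs. The following Python is an added example, not the portal's implementation. The three log line formats, the reputation entries in SUSPICIOUS (placeholders, not real indicators), the internal address range, and the sample lines are all constructed for the example; in practice the list would be populated from a reputation feed such as the X-Force data the guide mentions.

```python
"""Correlate device logs against a suspicious-host list and summarise what
an address does across log types.

Added example, not the portal's implementation: the log formats, the
reputation entries, the internal network and the sample lines are
constructed here.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed reputation entries (placeholders, not real indicators).
SUSPICIOUS = {
    "203.0.113.4": "botnet C&C (constructed)",
    "198.51.100.7": "scanner (constructed)",
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range

# Constructed sample lines in three different log layouts.
LOG_LINES = [
    "firewall: 2017-12-01T10:00:01Z action=allow src=10.0.1.20 dst=203.0.113.4 dport=443",
    "firewall: 2017-12-01T10:00:07Z action=deny src=198.51.100.7 dst=10.0.0.5 dport=22",
    "proxy: 2017-12-01T10:01:00Z 10.0.1.20 GET http://203.0.113.4/update.bin 200",
    "proxy: 2017-12-01T10:02:00Z 10.0.1.21 GET http://example.com/ 200",
    "ids: 2017-12-01T10:03:00Z SSH_Brute_Force src=198.51.100.7 dst=10.0.0.5",
]

FIREWALL_RE = re.compile(r"^firewall: (\S+) action=(\w+) src=(\S+) dst=(\S+) dport=(\d+)$")
PROXY_RE = re.compile(r"^proxy: (\S+) (\S+) (\w+) http://([^/]+)/\S* (\d+)$")
IDS_RE = re.compile(r"^ids: (\S+) (\S+) src=(\S+) dst=(\S+)$")


def parse_line(line):
    """Normalise one line to (log_type, timestamp, src, dst, detail);
    None for a layout this example does not understand."""
    m = FIREWALL_RE.match(line)
    if m:
        ts, action, src, dst, dport = m.groups()
        return ("firewall", ts, src, dst, f"{action} dport={dport}")
    m = PROXY_RE.match(line)
    if m:
        ts, src, method, host, status = m.groups()
        return ("proxy", ts, src, host, f"{method} {status}")
    m = IDS_RE.match(line)
    if m:
        ts, event, src, dst = m.groups()
        return ("ids", ts, src, dst, event)
    return None


def is_internal(addr):
    """True for addresses inside INTERNAL; hostnames are never internal here."""
    try:
        return ipaddress.ip_address(addr) in INTERNAL
    except ValueError:
        return False


def correlate(lines, suspicious=SUSPICIOUS):
    """Map each suspicious address to the internal hosts, log types and
    events it appears with, in either direction of the connection."""
    hits = defaultdict(lambda: {"reason": "", "internal_hosts": set(),
                                "log_types": set(), "events": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        log_type, ts, src, dst, detail = rec
        for bad, peer in ((src, dst), (dst, src)):
            if bad in suspicious:
                h = hits[bad]
                h["reason"] = suspicious[bad]
                h["log_types"].add(log_type)
                if is_internal(peer):
                    h["internal_hosts"].add(peer)
                h["events"].append((ts, log_type, detail))
    return dict(hits)


if __name__ == "__main__":
    for addr, summary in correlate(LOG_LINES).items():
        print(addr, summary["reason"], sorted(summary["log_types"]),
              sorted(summary["internal_hosts"]))
```

The output answers the Cross Log Type question directly: for each listed address, which internal hosts talked to it and in which log types it showed up (an allowed firewall connection plus a proxy download to the same address is a stronger signal than either line alone).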

Alert-Based Reports
Depending on your subscribed services, this report is available to provide a summary of Alerts. These Alerts are pre-established
and set up within the Alerts drop-down, located as an option at the top of the VSOC Portal.

© Copyright IBM Corporation 2006-2017

IBM Global Services
Route 100
Somers, NY 10589 U.S.A.

Produced in the United States of America
April 2017

IBM, the IBM logo and ibm.com, X-Force, Express and Express Advantage are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml.

Other company, product or service names may be trademarks or service marks of others. References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.

The customer is responsible for ensuring compliance with legal requirements. It is the customer’s sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the reader may have to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law or regulation.
