Symantec Security Expressions Server manual Notifications


Audit-On-Connect

Audits can detect systems on the network using the following methods: DHCP, EVENTLOG, NAC, self-service (for self-service audits).

A system matches this scope if the connection monitor used to connect to it matches the value entered.

Device Type Scopes

Lets you indicate a kind of system to audit. Choices are Windows, UNIX, or Unknown.

A system matches this scope if it's the kind of system selected. Selecting Unknown includes all systems.

IP Range Scopes

A system matches this scope if its IP address is in the range. Use - or : to indicate an IP range.

Ex.: 192.168.10.1-62

Use / to indicate an IP range expressed using netmask length.

Ex.: 10.0.3.0/24

You can also enter single IP addresses.
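The entry forms above can be checked offline to see which hosts a scope list would leave unaudited. This Python sketch is an added example, not part of the Symantec manual or product; the function names are hypothetical, and it assumes the short form `1-62` replaces the last octet of the start address, that `:` behaves like `-`, and that a netmask range covers every address in the block.

```python
import ipaddress

def parse_scope(scope):
    """Return (first, last) IPv4 bounds for one IP Range Scope entry."""
    text = scope.strip()
    if "/" in text:
        # Netmask-length form, e.g. 10.0.3.0/24 (assumed to cover the whole block)
        net = ipaddress.IPv4Network(text, strict=False)
        return net[0], net[-1]
    for sep in ("-", ":"):
        if sep in text:
            start_s, end_s = (p.strip() for p in text.split(sep, 1))
            start = ipaddress.IPv4Address(start_s)
            if "." in end_s:
                # Assumption: a full end address is accepted as well
                end = ipaddress.IPv4Address(end_s)
            else:
                # Short form (192.168.10.1-62): end replaces the last octet
                end = ipaddress.IPv4Address(start_s.rsplit(".", 1)[0] + "." + end_s)
            if end < start:
                raise ValueError(f"range end precedes start: {scope!r}")
            return start, end
    addr = ipaddress.IPv4Address(text)  # single address
    return addr, addr

def in_scope(ip, scope):
    first, last = parse_scope(scope)
    return first <= ipaddress.IPv4Address(ip) <= last

def scope_size(scope):
    first, last = parse_scope(scope)
    return int(last) - int(first) + 1

def uncovered(hosts, scopes):
    """Hosts that match none of the scope entries (audit coverage gaps)."""
    bounds = [parse_scope(s) for s in scopes]
    return [h for h in hosts
            if not any(lo <= ipaddress.IPv4Address(h) <= hi for lo, hi in bounds)]

# Constructed sample data, not taken from any real deployment
SCOPES = ["192.168.10.1-62", "10.0.3.0/24", "172.16.5.9"]
HOSTS = ["192.168.10.62", "192.168.10.63", "10.0.3.200", "172.16.5.9"]

if __name__ == "__main__":
    for s in SCOPES:
        print(s, "->", scope_size(s), "addresses")
    print("not covered:", uncovered(HOSTS, SCOPES))
```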

Machine List Scopes

If your organization uses the console application and someone created one or more database machine lists (also known as global machine lists) on it, you may use this scope. Type the names of database machine lists from the console.

A system matches this scope if it's in the machine list.

If a global machine list has Windows Group Results Access restricted in the ML Access page, the restrictions do not affect viewing audit results when a scope is a machine list scope. Only the Windows Group Results Access setting for the scope applies.

Windows Domain Scopes

A system matches this scope if its fully qualified domain name matches the value entered. Type domains in either NetBIOS (SYMANTEC) or DNS (symantec.com) format.

This scope only works if you are using the Active Directory connection monitor.

Notifications


You can opt to receive email or program-output notifications when audits occur. Notifications apply to Audit-On-Schedule or Audit-On-Connect results and each audit can have one or more notification actions upon completion.

You may use notifications created in SecurityExpressions console in addition to the ones created in SecurityExpressions server. This application lets you select notifications created in both applications in the Scheduled Tasks page and the Scopes page.

The Notifications table displays the notification Name, Type, and Values. From this page you create an email or command notification that you can edit or delete.
