EEFF v4.2 FAQs : Auditing & Reporting

Version 2

    NOTE: EEFF will henceforth be referred to as "File & Removable Media Protection".

    The changes needed for the new product name will be incorporated in the next release, v4.3.

    Auditing & Reporting: ePO Administrators

    Q: Are there any audit logs which capture (EEFF related) ePO Administrator actions?

    Starting with EEFF v4.2, ePO Administrator actions are captured in the ePO Audit Log. Actions related to EEFF role creation, key management, policy assignment, etc. are logged.

    Q: Where do I find these audit logs on ePO?

    The logs can be found under Menu -> User Management -> Audit Log.

    Auditing & Reporting: USB Media

    Q: When a user chooses to encrypt a USB Drive, is an event sent back to ePO showing the encryption status of the media and the system/username that initiated the encryption?

    Starting with EEFF v4.1, the following end-user decisions are captured and events are sent to ePO.

    Removable Media Device Insert Event: Generated whenever any removable USB media device is inserted

    Removable Media User Response Event: Generated whenever the user makes a “YES/NO” decision to initialize (create) an encrypted container on the device

    Removable Media Initialization Start Event: Generated whenever the user selects Initialize/Cancel in the Initialization window

    Removable Media Initialization End Event: Generated whenever the initialization process ends

    EEFF v4.2 adds one further event, the Removable Media Device Ejection Event: Generated whenever a removable media device is ejected from the client machine

    Note: “Removable Media User Response Event”, “Removable Media Initialization Start Event” and “Removable Media Initialization End Event” relate to the “Allow/Enforce Encryption with offsite access” Protection level (formerly known as EERM)

    Q: What is the information that is captured when Removable USB Media events are generated?

    • Event ID
      • Event
    • System
      • User information (DomainName, UserName)
      • Timestamp
      • Agent GUID
    • Initialization
      • Initialization state (Failed, Cancelled, Successful)
      • Backup state (None, Failed, Cancelled, Successful)
      • Time taken for initialization
      • Time taken for backup
      • Backup size
      • Size
    • Device
      • Size
      • File system of device
      • Vendor name
      • Product name
      • Exempted (Yes, No, Unknown)
      • Protected (Yes, No, Unknown) (Note that in this case, only removable USB media protected by the “Allow/Enforce Encryption with offsite access” Protection Level are considered “Protected”)

    Note: Only the information relevant to each event is captured. For example, the Device Insert Event will not contain the “Initialization State” field

    Q: Where do I find Removable Media USB queries/reports on ePO?

    Go to Queries & Reports; under “Shared Groups” you will find the EEFF queries.

    Q: What are the queries/reports related to Removable USB Media that are available on ePO?

    Protection Status Removable Media: Displays the Protection Status of Removable USB Media in the company’s environment, and lists the latest status (event) specific to each removable USB media device

    Removable Media Device Events: Lists all events related to removable USB media

    Q: What information does the query Protection Status: Removable Media give?

    Protection Status Removable Media: A canned query that reports the “Device compliance” status in the company (the percentage of removable USB media devices in the protected state)

    Q: Can I run custom queries on the generated queries/reports on ePO?

    Yes, it is possible to use the ePO infrastructure to run custom queries (to track devices, users, etc.). The query/report “Removable Media Device Events” exposes the entire database of events related to removable USB media and can be used for this purpose.

    Q: Can I purge events related to Removable USB Media?

    Yes, the Administrator can purge the events based on age by choosing the action “Purge Client Events” after running any of the queries. The age threshold can be given in days, weeks, months or years.

    Auditing & Reporting: CD/DVD/ISO Media

    Q: When a user chooses to create an encrypted CD/DVD/ISO, is an event sent back to ePO showing the encryption status of the media and the system/username that initiated the encryption?

    Yes, starting with EEFF v4.2, the following end-user decisions are captured and events are sent to ePO.

    CD/DVD/ISO Initialization Start Event: Generated at the start of creation of an encrypted CD/DVD/ISO

    CD/DVD/ISO Initialization End Event: Generated when creation of an encrypted CD/DVD/ISO ends (through successful completion, a terminal error or user cancellation)

    CD/DVD/ISO Insertion Event: Generated on inserting a CD or other optical disk (whether or not it is a protected disk), or on mounting an ISO onto a volume (drive letter)

    CD/DVD/ISO Ejection Event: Generated on ejecting a CD or other optical disk (or unmounting an ISO from its volume)

    Note: “CD/DVD/ISO Initialization Start Event” and “CD/DVD/ISO Initialization End Event” are related to “Allow/Enforce Encryption with offsite access” Protection level (formerly known as “Encryption for CD/DVD/ISO”)

    Q: What is the information that is captured when CD/DVD/ISO events are generated?

    • Event ID
      • Event
    • Computer
      • Name of the computer
      • User name
      • IP address
      • Operating system type
    • Media type
      • For CD/DVD/ISO Initialization Start Events, the smallest disk type that can hold the archived data (ISO, CD, DVD or DVDDL)
      • For CD/DVD/ISO Initialization End Events, the physical media detected (for example, CDROM)
      • For CD/DVD/ISO Insertion and Ejection Events, "Optical"
    • Device
      • Disk globally unique identifier (GUID): Each optical disk initialized by EEFF 4.2 (and above) is given a globally unique identifier (GUID). This appears in the "Disk GUID" column and can be used to track that disk as it is inserted into and removed from any EEFF-managed machine in the network
      • Protected (Yes, No, Unknown) (Note that in this case, only removable USB media protected by the “Allow/Enforce Encryption with offsite access” Protection Level are considered “Protected”)
      • Protected size
    • Event description
      • Description of the event
      • Event
    • Event specific fields
      • Initialization state (Failed, Cancelled, Successful) (CD/DVD/ISO Insertion and Ejection Events only)

    Note: Only the information relevant to each event is captured

    Q: Where do I find CD/DVD/ISO queries/reports on ePO?

    Go to Queries & Reports; under “Shared Groups” you will find the EEFF queries.

    Q: What are the queries/reports related to CD/DVD/ISOs that are available on ePO?

    Protection Status: Displays the Protection Status of CD/DVD/ISO media in the company’s environment, and lists the latest status (event) specific to each optical device (or ISO)

    CD/DVD/ISO Events: Lists all events related to CD/DVD/ISOs

    Q: Can I run custom queries on the generated queries/reports on ePO?

    Yes, it is possible to use the ePO infrastructure to run custom queries (to track devices, users, etc.). The query/report “CD/DVD/ISO Events” exposes the entire database of events.
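    The custom-query answers for removable USB media and for CD/DVD/ISO media both describe tracking devices and users from the event database, and the Protection Status queries report the latest status per device. The Python below is an added example, not ePO's own query or McAfee code: it runs the same logic over constructed event records modelled on the field lists in this FAQ, and assumes the field names and the device key (the Disk GUID for optical media; vendor, product and size for USB media) given in the comments.

```python
# Added example, not ePO/McAfee code: field names and the device key are assumptions modelled
# on this FAQ's field lists; the records are constructed. Insert events carry no
# "initialization_state" (only relevant fields are captured), so lookups use .get().
SAMPLE_EVENTS = [
    {"event": "Removable Media Device Insert", "timestamp": "2014-03-01T09:00:00",
     "system": "WS01", "user": "CORP\\alice", "vendor": "SanDisk", "product": "Cruzer",
     "size_mb": 16000, "exempted": "No", "protected": "No"},
    {"event": "Removable Media Initialization End", "timestamp": "2014-03-01T09:05:00",
     "system": "WS01", "user": "CORP\\alice", "vendor": "SanDisk", "product": "Cruzer",
     "size_mb": 16000, "initialization_state": "Successful", "exempted": "No", "protected": "Yes"},
    {"event": "Removable Media Initialization End", "timestamp": "2014-03-02T11:02:00",
     "system": "WS02", "user": "CORP\\bob", "vendor": "Kingston", "product": "DataTraveler",
     "size_mb": 8000, "initialization_state": "Cancelled", "exempted": "No", "protected": "No"},
    {"event": "CD/DVD/ISO Insertion", "timestamp": "2014-03-03T10:00:00", "system": "WS01",
     "user": "CORP\\alice", "media_type": "Optical", "disk_guid": "GUID-EXAMPLE-0001", "protected": "Yes"},
    {"event": "CD/DVD/ISO Ejection", "timestamp": "2014-03-03T10:40:00", "system": "WS02",
     "user": "CORP\\bob", "media_type": "Optical", "disk_guid": "GUID-EXAMPLE-0001", "protected": "Yes"},
]

def device_key(ev):
    # Optical media carry the Disk GUID the FAQ describes; USB media have no GUID in the
    # FAQ's field list, so vendor, product and size are used as the key (an assumption).
    return ev.get("disk_guid") or (ev["vendor"], ev["product"], ev["size_mb"])

def latest_status(events):
    """Latest event per device, as the 'Protection Status' queries list it."""
    latest = {}
    for ev in sorted(events, key=lambda e: e["timestamp"]):  # ISO timestamps sort as text
        latest[device_key(ev)] = ev
    return latest

def compliance(events):
    """Device-compliance summary: share of devices whose latest state is Protected."""
    counts = {"Yes": 0, "No": 0, "Unknown": 0}
    for ev in latest_status(events).values():
        counts[ev.get("protected", "Unknown")] += 1
    total = sum(counts.values())
    pct = 100.0 * counts["Yes"] / total if total else 0.0
    return dict(counts, devices=total, protected_pct=pct)

def unprotected_devices(events):
    """Custom query of the kind the FAQ mentions: latest status neither protected nor exempted."""
    return [(ev["user"], ev["system"], device_key(ev))
            for ev in latest_status(events).values()
            if ev.get("protected") != "Yes" and ev.get("exempted") != "Yes"]

def disk_trail(events, guid):
    """Follow one optical disk across machines by its Disk GUID, as the FAQ describes."""
    return [(ev["timestamp"], ev["system"], ev["user"], ev["event"])
            for ev in sorted(events, key=lambda e: e["timestamp"]) if ev.get("disk_guid") == guid]
```

    Because each device's compliance is taken from its latest event, a cancelled initialization leaves that device listed as unprotected until a later event reports otherwise.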

    Q: Can I purge events related to CD/DVD/ISOs?

    Yes, the Administrator can purge the events based on age by choosing the action “Purge Client Events” after running any of the queries. The age threshold can be given in days, weeks, months or years.