
IPS reports - Looking for information rather than data whilst in adaptive mode


Is there a way to produce a meaningful report for groups who need to review IPS events and/or client generated rules during adaptive mode?  At present if I produce a report, we get a lot of data that doesn't really mean anything without sitting down in front of the ePO console.  We need to produce a report that can be sent to, and understood by, groups who do not have ePO console access.  To use one of the more simple examples (sanitised):

Sig ID: 2621

Full Executable name: <drive>:\Program files (x86)\Internet Explorer\iexplore.exe

User name: <computer>\userA

If that is presented to a client, they are not going to know what sig 2621 means, what has actually happened, what the impact would be of generating an exception etc.  Looking in the Policy Catalog, however, we can find a nice description:

"This event indicates an attempt by Internet Explorer to modify an executable file.  In most situations, the browser should not directly modify executables, and such an operation might suggest that the browser is compromised... etc... etc...".  Although in this case it would be nice to know what executable IE has attempted to modify, I will leave that for another discussion.  You can see, however, that the description gives a lot more insight into what has happened, but I can see no way of getting that description into the report.

Another quick example is a client rule for signature 1226, for which there are notes "This event is triggered when the web server application modifies resources that do not belong to it", yet in the client rule details I cannot tell what it is that the web application has tried to modify....

Apologies if I am missing something - I have been dealing with a number of products recently!

Assistance and comment appreciated as always!


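One way to get the kind of report the post asks for is to enrich the exported event data with the signature descriptions outside ePO, so the reader sees the Policy Catalog text next to each event. The script below is an added example and is not McAfee, ePO or Host IPS code; the CSV column names, the host names, the user names and the severity column are constructed assumptions about what an event export looks like, and the signature catalogue holds only the two descriptions quoted in the post. Events whose signature is not in the catalogue are kept in the report and flagged, so a gap in the catalogue shows up as something to fix rather than as a silently missing event.

```python
"""Enrich Host IPS event exports with signature descriptions.

Added example; it is not McAfee/ePO code. The CSV column names, the
signature catalogue and the sample events are constructed for
illustration (the two descriptions are the ones quoted in the post).
"""
import csv
import io
from collections import Counter

# Constructed catalogue: signature ID -> (short title, Policy Catalog text).
# In practice this would be built from an export of the Policy Catalog.
SIGNATURE_CATALOG = {
    2621: ("Internet Explorer modifying an executable file",
           "This event indicates an attempt by Internet Explorer to modify an "
           "executable file. In most situations, the browser should not directly "
           "modify executables, and such an operation might suggest that the "
           "browser is compromised."),
    1226: ("Web server modifying resources outside its own",
           "This event is triggered when the web server application modifies "
           "resources that do not belong to it."),
}

# Constructed sample export; the column names are assumptions, not ePO's schema.
SAMPLE_EXPORT = """\
sig_id,host,executable,user,severity
2621,WS-0123,C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe,WS-0123\\userA,High
1226,WEB-01,C:\\inetpub\\bin\\w3wp.exe,NT AUTHORITY\\NETWORK SERVICE,Medium
2621,WS-0456,C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe,WS-0456\\userB,High
9999,WS-0789,C:\\Windows\\System32\\notepad.exe,WS-0789\\userC,Low
"""


def parse_export(text):
    """Parse a CSV export into a list of dicts; sig_id becomes an int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["sig_id"] = int(row["sig_id"])
    return rows


def enrich(events, catalog):
    """Attach the catalogue title and description to each event.

    Unknown signature IDs are kept, not dropped, and flagged so the
    reviewer can see that the catalogue needs updating.
    """
    enriched = []
    for ev in events:
        title, desc = catalog.get(ev["sig_id"], (None, None))
        enriched.append({
            **ev,
            "title": title or "UNKNOWN SIGNATURE (not in catalogue)",
            "description": desc or "No description available; check the Policy Catalog.",
            "known": title is not None,
        })
    return enriched


def summarise(enriched):
    """Count events per signature so reviewers see which rules fire most."""
    return Counter(ev["sig_id"] for ev in enriched)


def render_report(enriched):
    """Group events by signature and lead each group with its description."""
    by_sig = {}
    for ev in enriched:
        by_sig.setdefault(ev["sig_id"], []).append(ev)
    lines = []
    for sig_id, evs in sorted(by_sig.items()):
        first = evs[0]
        lines.append(f"Signature {sig_id}: {first['title']} ({len(evs)} event(s))")
        lines.append(f"  {first['description']}")
        for ev in evs:
            lines.append(f"  - {ev['host']}  user={ev['user']}  "
                         f"process={ev['executable']}  severity={ev['severity']}")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(enrich(parse_export(SAMPLE_EXPORT), SIGNATURE_CATALOG)))
```

The report still does not show which file the browser or web server tried to modify, because that field is not in the constructed export; if the real export carries it, adding it to the per-event line is a one-field change.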