arnieos
Level 7

Report for Activity During Client's Off-hours

Hello,

I'm trying to create a scheduled report that will be sent every morning containing events that were done during off hours.

Our client's business hours are from 8am-6pm and we wanted to make a report that will show kind of suspicious events done from 6:01pm-7:59AM.

I just want to ask for some help on what rules I need to include in order to make the report useful. Maybe others have already made a similar report.

Thanks in advance and more power to the group!

0 Kudos
8 Replies
kmc
Level 12

Re: Report for Activity During Client's Off-hours

Hi, you can do that in reporting only.

Go to reports->create report and fill in all the required details; in the layout section you need to choose either of the below

and in time range specify your time requirements.

0 Kudos
arnieos
Level 7

Re: Report for Activity During Client's Off-hours

Hi kmc,

Thank you for looking into this. I cannot seem to find that option in the layout section. Do I need to enable it first somewhere?

I have Compliance, Executive Reports, McAfee ADM, DAM, DEM, McAfee Event Reporter. All of those have subcategories and 'Outside of business hours activity' is not there.

Thanks again.

0 Kudos
kmc
Level 12

Re: Report for Activity During Client's Off-hours

You can create a report with the help of normalized ID 806354944/12 in the filter; this normalized ID represents off-hours events.

0 Kudos
kmc
Level 12

Re: Report for Activity During Client's Off-hours

Initially, search for the events with this normalized ID so you will get an overall idea of what you can include in your report.

Cheers

KMC

0 Kudos
abanaru
Level 11

Re: Report for Activity During Client's Off-hours

I'm curious why you've added the /12 near the normalization ID 806354944. Can you please detail that?

BTW, I think we should add that the correlation rules for normalization id 806354944 should be modified to reflect the working hours and days.

0 Kudos
kmc
Level 12

Re: Report for Activity During Client's Off-hours

When I was filtering for the off-hours suspicious activity, I chose normalization below normalization; this one gave that ID.

Just to be clear, I have directly given a normalized ID instead of the normalization name.

0 Kudos
kmc
Level 12

Re: Report for Activity During Client's Off-hours

Did it work well for you?

0 Kudos
arnieos
Level 7

Re: Report for Activity During Client's Off-hours

No, it didn't. The data generated was not the data our client wanted. We just created a report based on normalization that has kind of suspicious activity outside office hours, like password reset, account creation, etc. And the report only includes source IP, source user, and total event count.

0 Kudos
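The report the thread ends up with (watched event types outside 8am-6pm, grouped by source IP and source user with a total count) can be checked offline against exported events. This is an added example, not McAfee ESM code or anything posted by the participants. The event-type labels, the sample rows, the Monday-Friday workweek, and the use of the client's local time are all assumptions.

```python
from collections import Counter
from datetime import datetime, time

# Window from the thread: business hours 08:00-18:00, so off-hours run 18:01-07:59.
OFF_START = time(18, 1)
OFF_END = time(8, 0)
WORKDAYS = {0, 1, 2, 3, 4}  # assumption: Monday-Friday; the thread names no working days
# Event types named in the thread; the label strings themselves are constructed.
WATCHED = {"password_reset", "account_creation"}

# Constructed sample events: (local timestamp, event type, source IP, source user)
SAMPLE_EVENTS = [
    ("2024-03-04 17:59:10", "password_reset", "10.0.0.5", "alice"),    # Monday, business hours
    ("2024-03-04 18:00:30", "account_creation", "10.0.0.5", "alice"),  # 18:00 is still business
    ("2024-03-04 18:01:00", "password_reset", "10.0.0.7", "bob"),      # first off-hours minute
    ("2024-03-05 02:14:45", "account_creation", "10.0.0.7", "bob"),    # after midnight
    ("2024-03-05 07:59:59", "password_reset", "10.0.0.9", "carol"),    # last off-hours minute
    ("2024-03-05 08:00:00", "password_reset", "10.0.0.9", "carol"),    # business hours again
    ("2024-03-09 11:30:00", "account_creation", "10.0.0.9", "carol"),  # Saturday
    ("2024-03-05 23:10:00", "logon", "10.0.0.7", "bob"),               # off-hours, not watched
]

def is_off_hours(ts):
    """True when ts is outside business hours or on a non-working day."""
    if ts.weekday() not in WORKDAYS:
        return True
    t = ts.time()
    # The window wraps past midnight, so the two bounds are joined with OR, not AND.
    return t >= OFF_START or t < OFF_END

def off_hours_report(events):
    """Return [((source_ip, source_user), count), ...] sorted by count, then key."""
    counts = Counter()
    for stamp, etype, ip, user in events:
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if etype in WATCHED and is_off_hours(ts):
            counts[(ip, user)] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for (ip, user), n in off_hours_report(SAMPLE_EVENTS):
        print(f"{ip:<12}{user:<8}{n}")
```
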