
Report for Activity During Client's Off-hours

Hello,

I'm trying to create a scheduled report that will be sent every morning containing events that were done during off hours.

Our client's business hours are from 8am-6pm and we wanted to make a report that will show kind of suspicious events done from 6:01pm-7:59AM.

I just want to ask for some help on what rules I need to include in order to make the report useful. Maybe others have already made a similar report.

Thanks in advance and more power to the group!

8 Replies
Reliable Contributor kmc
Message 2 of 9

Re: Report for Activity During Client's Off-hours

Hi, you can do that in reporting only.

Go to reports->create report and fill in all the required details. In the layout section you need to choose either of the below

and in time range specify your time requirements.

Re: Report for Activity During Client's Off-hours

Hi kmc,

Thank you for looking into this. I cannot seem to find that option in the layout section. Do I need to enable it first somewhere?

I have Compliance, Executive Reports, McAfee ADM, DAM, DEM, McAfee Event Reporter. All of those have subcategories and 'Outside of business hours activity' is not there.

Thanks again.

Reliable Contributor kmc
Message 4 of 9

Re: Report for Activity During Client's Off-hours

You can create a report with the help of normalized ID 806354944/12 in the filter; this normalized ID represents off-hours events.

Reliable Contributor kmc
Message 5 of 9

Re: Report for Activity During Client's Off-hours

Initially, search for the events with this normalized ID so you will get an overall idea of what you can include in your report.

Cheers

KMC

abanaru
Level 11
Message 6 of 9

Re: Report for Activity During Client's Off-hours

I'm curious why you've added the /12 near the normalization ID 806354944. Can you please detail that?

BTW, I think we should add that the correlation rules for normalization id 806354944 should be modified to reflect the working hours and days.

Reliable Contributor kmc
Message 7 of 9

Re: Report for Activity During Client's Off-hours

When I was filtering for the off-hours suspicious activity, I chose the normalization below, and this one gave that ID.

Just to be clear, I have given a normalized ID directly instead of the normalization name.

Reliable Contributor kmc
Message 8 of 9

Re: Report for Activity During Client's Off-hours

Did it work well for you?

Re: Report for Activity During Client's Off-hours

No, it didn't. The data generated was not the data our client wanted. We just created a report based on normalization that has the kind of suspicious activity outside office hours like password reset, account creation, etc. And the report only includes source IP, source user, and total event count.
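Added example, not part of the thread and not McAfee ESM functionality: a standalone Python filter for the report the last post describes (watched event types outside the 8am-6pm window from the first post, totalled per source IP and source user). The event field names, the type labels, the Monday-Friday working week and the premise that timestamps are already in the client's local time are assumptions.

```python
from collections import Counter
from datetime import datetime, time

# Window taken from the thread: business hours 8am-6pm, off-hours 6:01pm-7:59am.
OFF_START = time(18, 1)
OFF_END = time(8, 0)
# Assumption: Monday-Friday working week (0 = Monday); the thread names no days.
WORK_DAYS = {0, 1, 2, 3, 4}
# Event kinds named in the last post; these label strings are hypothetical.
WATCHED = {"password_reset", "account_creation"}

def is_off_hours(ts):
    """True if ts (a client-local datetime) falls outside business hours."""
    if ts.weekday() not in WORK_DAYS:
        return True  # the whole day counts as off-hours
    t = ts.time()
    # The window wraps past midnight, so it is an OR of two ranges, not an AND.
    return t >= OFF_START or t < OFF_END

def off_hours_report(events):
    """Total watched off-hours events per (source IP, source user), highest first."""
    counts = Counter()
    for e in events:
        ts = datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")
        if e["type"] in WATCHED and is_off_hours(ts):
            counts[(e["src_ip"], e["src_user"])] += 1
    return counts.most_common()

# Constructed sample events (not real data); 2024-03-04 is a Monday.
SAMPLE = [
    {"time": "2024-03-04 17:59:10", "type": "password_reset", "src_ip": "10.0.0.5", "src_user": "alice"},
    {"time": "2024-03-04 18:00:30", "type": "password_reset", "src_ip": "10.0.0.5", "src_user": "alice"},
    {"time": "2024-03-04 18:01:00", "type": "account_creation", "src_ip": "10.0.0.9", "src_user": "svc_admin"},
    {"time": "2024-03-05 02:14:45", "type": "password_reset", "src_ip": "10.0.0.9", "src_user": "svc_admin"},
    {"time": "2024-03-05 07:59:59", "type": "logon", "src_ip": "10.0.0.7", "src_user": "bob"},
    {"time": "2024-03-05 08:00:00", "type": "account_creation", "src_ip": "10.0.0.7", "src_user": "bob"},
    {"time": "2024-03-09 11:30:00", "type": "account_creation", "src_ip": "10.0.0.7", "src_user": "bob"},
]

if __name__ == "__main__":
    for (ip, user), total in off_hours_report(SAMPLE):
        print(f"{ip:<12} {user:<12} {total}")
```

If the collector stores timestamps in UTC, convert them to the client's time zone before calling `is_off_hours`, otherwise the window shifts by the UTC offset.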
