User's Guide
Contact Information
Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com
Trademarks
RSA, the RSA Logo, RSA enVision, RSA Event Explorer and EMC are either registered trademarks or trademarks of EMC
Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective
owners. For a list of EMC trademarks, go to www.rsa.com/legal/trademarks_list.pdf.
License agreement
This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and
may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice
below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any
other person.
No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any
unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment by EMC.
Third-party licenses
This product may include software developed by parties other than RSA. The text of the license agreements applicable to
third-party software in this product may be viewed in the thirdpartylicenses.pdf file.
Portions of this application include technology used under license from Visual Mining, Inc. 2000 - 2010.
Portions of this application include iAnywhere technology, 2001 - 2010.
Distribution
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.
EMC believes the information in this publication is accurate as of its publication date. The information is subject to change
without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO
REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS
PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE.
Copyright 2011 EMC Corporation. All Rights Reserved. Published in the USA.
September 2011
Contents
Preface
About This Guide
RSA enVision Documentation
Related Documentation
Support and Service
Before You Call Customer Support
Enterprise Dashboard
Enterprise Dashboard Modes
Collection and View Icons in Enterprise Dashboard
Monitor Peak Severity Using Map Mode
Monitor Peak Severity Using a List
Toggle Between Modes
Monitor Incoming Alerts
Monitor Alerts in the Database
Review Alert Details
Glossary
Index
Preface
About This Guide
This guide contains information that helps users to get started using the RSA enVision
platform. It is designed to be used with the enVision Help. This guide includes
instructions for performing the most common end-user tasks.
RSA continues to assess and improve the documentation. Check RSA SecurCare
Online for the latest documentation.
Related Documentation
For information about the RSA enVision Event Explorer module, see the following
documentation:
Release Notes. Provides information about what is new and changed in this
release, as well as workarounds for known issues.
Installation Guide. Provides instructions on installing the RSA enVision Event
Explorer module on your client machine in separate guides for Microsoft
Windows and Apple Macintosh operating systems. Intended audience is the end
user.
RSA enVision Event Explorer Help. Provides comprehensive instructions on
setting up and using the RSA enVision Event Explorer module.
For information about the RSA enVision EventSource Integrator, see the following
documentation:
Release Notes. Provides information about what is new and changed in this
release, as well as workarounds for known issues.
Overview Guide. Provides an introduction to RSA enVision EventSource
Integrator features and capabilities.
RSA enVision EventSource Integrator Help. Provides comprehensive
instructions on using RSA enVision Event Source Integrator.
https://knowledge.rsasecurity.com
www.rsa.com/support
www.rsasecured.com
Internal Auditor
Description
Monitor EPS
You can monitor the events per second (EPS) rate of the
enVision Collector to ensure that the EPS rate remains within
the licensed range. If you consistently have an EPS rate over
your limit, enVision drops messages.
For more information, see Chapter 3, Monitoring the
System Performance.
Tasks
Description
You can monitor events and alerts using reports and graphs
on the Dashboard.
For more information, see Chapter 5, Monitoring Events
and Alerts.
Manage alerts
User/Password pair message may appear when you log on for the first time after the
upgrade. Contact your enVision administrator for assistance.
To log on to enVision:
enVision the first time. For instructions, see Modify Your User Information.
3. Click Log In.
Note: If you use a Web browser, such as Internet Explorer, to access RSA enVision
from the appliance, you may receive a number of warning messages. RSA
recommends that you access RSA enVision only from a client machine.
User Information
User Information
Every RSA enVision user has an individual user account and is assigned a unique user
ID, created by the enVision administrator. User account passwords are stored securely
to prevent unauthorized access and data corruption.
As a user, you can modify only your first name, last name, enVision password, and
description in your user account.
First name
Last name
Password
Description
For information on the fields, see the Help topic Add/Modify User Window.
This example shows the fields that user sjohn can modify.
3. Click Apply.
If the EPS rate exceeds the maximum EPS by 10 percent, enVision generates a
warning message (NIC-4-400019).
If the EPS rate exceeds the maximum EPS by 30 percent, enVision generates an
alert message (NIC-1-400020) indicating the condition and the number of events
dropped.
If you consistently receive these warning and alert messages, notify the enVision
administrator.
Peak is the highest number of events received in a one-second period since the
event source started.
At Peak is when the event source is currently at that highest recorded level of
EPS.
The RSA enVision administrator sets the refresh rate for the gauges (between one and
ninety-nine seconds).
RSA recommends that you monitor the EPS rate for your enVision appliance. Based
on the EPS gauges, you can determine the health of the enVision system. If you are
consistently exceeding the EPS limit, events will not be collected by the specified
Collector. If the EPS rate is between 80 and 90 percent of the enVision license limit,
you should notify the enVision administrator.
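The thresholds and the Peak and At Peak definitions above can be checked against a series of per-second readings. The following Python code is an added example, not part of the enVision product or this guide; the names EpsGauge, classify and consistently_over, the five-sample window, and the choice to flag everything from 80 percent of the limit up to the warning threshold as "notify-admin" are assumptions of the example.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Tuple

WARNING_ID = "NIC-4-400019"  # guide: rate exceeds the maximum EPS by 10 percent
ALERT_ID = "NIC-1-400020"    # guide: rate exceeds the maximum EPS by 30 percent


def classify(eps: int, max_eps: int) -> str:
    """Map one EPS reading to the condition the guide describes for it."""
    # Integer arithmetic keeps the comparison exact at the thresholds.
    if eps * 100 > max_eps * 130:
        return ALERT_ID
    if eps * 100 > max_eps * 110:
        return WARNING_ID
    # The guide says to notify the administrator between 80 and 90 percent.
    # Assumption: the same advice applies up to the warning threshold.
    if eps * 100 >= max_eps * 80:
        return "notify-admin"
    return "normal"


@dataclass
class EpsGauge:
    max_eps: int              # licensed EPS limit
    window: int = 5           # assumption: samples considered for "consistently"
    min_hits: int = 3         # assumption: warnings/alerts needed in the window
    peak: int = 0             # highest one-second count since start
    current: int = 0
    recent: Deque[str] = field(default_factory=deque)

    def __post_init__(self) -> None:
        self.recent = deque(maxlen=self.window)

    def record(self, eps: int) -> str:
        """Store one per-second reading and return its classification."""
        self.current = eps
        self.peak = max(self.peak, eps)
        state = classify(eps, self.max_eps)
        self.recent.append(state)
        return state

    @property
    def at_peak(self) -> bool:
        """True while the current reading equals the highest recorded one."""
        return self.current > 0 and self.current == self.peak

    def consistently_over(self) -> bool:
        """True when warnings or alerts dominate the recent window."""
        hits = sum(s in (WARNING_ID, ALERT_ID) for s in self.recent)
        return hits >= self.min_hits


def replay(samples: List[int], max_eps: int) -> Tuple[EpsGauge, list]:
    gauge = EpsGauge(max_eps)
    rows = [(eps, gauge.record(eps), gauge.at_peak) for eps in samples]
    return gauge, rows


# Constructed sample readings for a Collector licensed for 1000 EPS.
SAMPLES = [420, 810, 905, 1150, 1301, 1320, 1250, 700]

if __name__ == "__main__":
    gauge, rows = replay(SAMPLES, 1000)
    for eps, state, at_peak in rows:
        print(f"{eps:5d} EPS  {state:13s}  at_peak={at_peak}")
    print("peak:", gauge.peak, "escalate:", gauge.consistently_over())
```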
This example shows EPS rates from the Collector named Doc-ES that are all in the
normal range.
Collector list
EPS rate
This example shows the EPS rates from the Collector named Doc-ES that are
exceeding the enVision license limit. The red highlights indicate that if this condition
continues, events may be lost.
Collector list
EPS rate
the Performance Monitor tool on Windows. Therefore, the values displayed for the
fields on the Process Statistics window will correspond to the values in the
Performance Monitor and may not be the same as the values displayed on the Task
Manager for the same fields.
This example shows process statistics from an enVision system ESUpgrade.
multiple sites with appliances using versions 4.1, 4.0, and 3.7 of enVision, note that
the Process Statistics window is not available for enVision appliance versions 4.0 and
3.7.
Incoming Events
Event Viewer
Incoming Events
RSA enVision enables you to view the incoming events in real time. You can view the
raw events in their entirety as collected from the event sources. The severity of the
incoming events is identified by color and the severity levels are indicated by the
message content.
Event Viewer
The Event Viewer is part of the Analysis module, which allows you to perform
analysis on collected events. Using the Event Viewer, you can perform the following
tasks:
Graph the incoming events based on either the event type or event time
The following table describes the severity levels and the corresponding color coding.
Level
Color
Description
0, 1
Red
Red
Red
Error conditions.
Blue
Warning conditions.
Blue
Grey
Informational events.
Grey
Debugging events.
To select a range of events, press SHIFT and click the first and the last events.
1. Click Analysis > Event Viewer > Graph View > Events by Event Type.
2. From the Site drop-down list, select the site.
3. From the Device Type drop-down list, select the device type.
4. From the Device drop-down list, select the event source.
5. From the Event types drop-down list, select the type of the event.
6. From the Timeframe drop-down list, select the time frame of event collection.
7. From the Time zone drop-down list, select the time zone.
8. Click Update Now.
This example shows events collected from Cisco Pix Firewall over the past sixty
minutes. Moving the cursor over the chart displays the event ID and the Y axis value
in a pop-up window.
1. Click Analysis > Event Viewer > Graph View > Events Types by Time.
2. From the Site drop-down list, select the site.
3. From the Device Type drop-down list, select the device type.
4. From the Device drop-down list, select the event source.
5. From the Event types drop-down list, select the type of the event.
6. From the Timeframe drop-down list, select the time frame of event collection.
7. From the Time zone drop-down list, select the time zone.
8. To configure the graph options, select Display Advanced Graph Options, and do
any of the following:
From the Graph Type drop-down list, select either Bar or Line to choose
which type of graph to create.
From the Data Type drop-down list, select the data type.
From the Y Axis drop-down list, select the value to display on the Y axis.
From the X Axis drop-down list, select the value to display on the X axis. The
default value is Auto, which displays the time interval of the events.
Dashboard
Dashboard Reports
Dashboard Examples
Dashboard
The Dashboard opens when you log on to RSA enVision. The Dashboard shows the
reports and graphs that you select, providing an immediate summary of events that
you choose to monitor.
You can customize your Dashboard in real-time to show the dashboard items (reports
and graphs) of your choice. However, the enVision administrator selects the dashboard
items from which you can select and sets up the parameters for the dashboard items.
This example shows the default Dashboard with user-selected dashboard items.
Dashboard Reports
The Dashboard has standard reports and graphs that display as Dashboard items.
Standard reports and graphs for the Dashboard are available in the following
categories:
Alerts
Antivirus
Firewall
Host
IDS
Network
Proxy
Task Triage
VAM
For detailed information on the Dashboard standard reports, see the Help topic
Dashboard Standard Reports.
For detailed information on creating and modifying the Dashboard reports, see the
Help topic Dashboard Reports.
Dashboard Examples
You can use the dashboard to review multiple dashboard items. This section includes
some examples of Dashboards designed for different purposes.
The following figure shows a default Dashboard that displays the following reports:
Alerts - Trends
The following figure shows a Dashboard that is set up for the purpose of monitoring
alerts, threats, and network traffic and displays the following reports:
Alerts - Trends
The following figure shows a Dashboard that is set up for the purpose of monitoring
organizational threats and displays the following reports:
Managing Alerts
Alert Management
Alert Management
An alert is a notification that a specific event or set of events, as defined by the
RSA enVision administrator, has occurred that requires further investigation. One of
the following conditions can generate an alert:
A string within an event, such as content that matches a configured list of known
spammers
RSA enVision analyzes all incoming events and issues an alert immediately when a
set of circumstances that an administrator has specified is met. The alert is reported in
the enVision GUI and can be directed to other destinations, such as e-mail, instant
message, or a text file stored on the local system. An alert can also be configured to
automatically generate an incident-response task.
6: Managing Alerts
Use the Enterprise Dashboard window to monitor the peak status information of
multiple views (called a Collection) concurrently from a single screen. For more
information, see Monitoring Peak Status of Multiple Views Concurrently.
Use the Real-Time Details window to monitor the alerts as they occur in real time
for a single view. For more information, see Monitor Incoming Alerts.
Views
A view defines the event sources, events, correlated alerts, and user-defined criteria
for which enVision issues alerts. An enVision administrator creates views and assigns
users access to the views. Within a view, an administrator can set up filters and
thresholds, such as a percentage increase of activity above the baseline, to rate the
severity of the events and focus on those of highest priority. Views can also use
watchlists, which filter events by string, IP address, port, protocol, or regular
expressions.
Views can include correlation rules for alerts. A correlation rule specifies a set of
events within a time period and a set of conditions that will generate an alert. The
correlation rule includes a message ID and message text for the alert.
Collections
A collection is an aggregation of view data that can contain information from multiple
sites. A collection can include other collections. A collection must contain at least one
item, a view or another collection. The collection inherits the status of the highest peak
alert severity status of all the views contained in the collection or collections that roll
up into that collection. A view can be assigned only to a single collection. Each
collection has attributes, such as collection name, description, and the collection map
that is used in map mode.
Enterprise Dashboard
The Enterprise Dashboard allows you to monitor the peak status information of
multiple views at the same time and quickly drill down into a view to display detailed
information.
You can use the Enterprise Dashboard to:
Drill down using the Real-Time Detail tool in the Alerts module to display
detailed information about the current view
You have access to the views depending on the permission that the enVision
administrator sets for each view. If you display a collection containing a view to which
you do not have access, no information about that view is visible. The alert severity
status for that collection is calculated as if the restricted view did not exist.
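The roll-up rules described for collections and restricted views can be modeled as a small tree walk. The following Python code is an added example, not part of the enVision product or this guide; the class and function names, the sample view names, and returning None when a user can see no view in a collection are assumptions, while the severity order follows this chapter's icon color table and sjohn is the sample user from this guide.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional, Set, Union


class Severity(IntEnum):
    """Peak severity levels, ordered from lowest to highest."""
    LOW = 1
    GUARDED = 2
    ELEVATED = 3
    HIGH = 4
    SEVERE = 5


ICON_COLOR = {
    Severity.LOW: "Green", Severity.GUARDED: "Blue",
    Severity.ELEVATED: "Yellow", Severity.HIGH: "Orange",
    Severity.SEVERE: "Red",
}


@dataclass
class View:
    name: str
    peak: Severity
    allowed_users: Set[str] = field(default_factory=set)


@dataclass
class Collection:
    name: str
    items: List[Union["View", "Collection"]] = field(default_factory=list)


def validation_errors(root: Collection) -> List[str]:
    """Check the structural rules: no empty collection, one collection per view."""
    errors: List[str] = []
    owner = {}          # id(view) -> name of the collection that holds it
    visited = set()     # assumption: a collection reached twice is rejected (cycle guard)

    def walk(coll: Collection) -> None:
        if id(coll) in visited:
            errors.append(f"collection '{coll.name}' is included more than once")
            return
        visited.add(id(coll))
        if not coll.items:
            errors.append(f"collection '{coll.name}' contains no view or collection")
        for item in coll.items:
            if isinstance(item, Collection):
                walk(item)
            elif id(item) in owner:
                errors.append(
                    f"view '{item.name}' is assigned to '{owner[id(item)]}' and '{coll.name}'")
            else:
                owner[id(item)] = coll.name

    walk(root)
    return errors


def rollup(item: Union[View, Collection], user: str) -> Optional[Severity]:
    """Highest peak severity visible to `user`; restricted views are ignored."""
    if isinstance(item, View):
        return item.peak if user in item.allowed_users else None
    visible = [s for s in (rollup(child, user) for child in item.items) if s is not None]
    return max(visible) if visible else None


def build_demo() -> Collection:
    # Constructed sample data: three views in a nested collection.
    fw = View("Perimeter Firewalls", Severity.ELEVATED, {"sjohn", "admin"})
    ids = View("IDS Sensors", Severity.SEVERE, {"admin"})
    hosts = View("Windows Hosts", Severity.GUARDED, {"sjohn", "admin"})
    east = Collection("East Site", [fw, ids])
    return Collection("Enterprise", [east, hosts])


if __name__ == "__main__":
    tree = build_demo()
    print(validation_errors(tree))
    for user in ("admin", "sjohn"):
        sev = rollup(tree, user)
        print(user, sev.name, ICON_COLOR[sev])
```

Because the restricted IDS view is skipped for sjohn, the same collection shows a lower peak status to that user than to a user with access to every view.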
The following figures show the Enterprise Dashboard in Map mode and List mode.
Collection
View
Host
Network
Security
Storage
The icons change color as the alert status of the collection and view changes. The
status indicates the peak security level of any of the event sources represented by the
icon. The following table defines the severity level of the icon colors.
Color     Severity Level
Green     Low
Blue      Guarded
Yellow    Elevated
Orange    High
Red       Severe
does not have an assigned map, or the specified map cannot be found, the Enterprise
Dashboard window opens in List mode.
To monitor peak severity using a map:
3. To display information about a collection, click on the collection icon in the All
Collections and Views area.
4. Click on a collection row to display the secondary collections and views in List
mode.
5. Click on a view row to display the Real-Time Details window for the view.
For more information on using list mode, see the Help topic Use List Mode on
Enterprise Dashboard.
From the Map Mode display, click the List Mode icon
Mode display.
From the List Mode display, click the Map Mode icon
Mode display.
You can modify the display of the Alert History window from the Set Up Alert
History option on the Alert Configuration pane. For more information, see the Help
topic Set Up Alert History Tool Display Options.
4. In the New note field, enter the notes for this alert, including the reason for a
change of status or the status of the investigation.
This example shows the details of the alert selected from the message column in
the Alert History window.
Historical Data
Query
Reports
Historical Data
RSA enVision analyzes the events and stores the original events along with the
descriptive metadata for those events in the RSA enVision Internet Protocol Database
(IPDB). The IPDB secures the data from tampering and protects the data with access
authentication. As a result, enVision provides a complete and verifiable repository of
IT information.
RSA enVision creates temporary database tables as needed to generate reports and
queries. The tables exist only for the time required to create the report.
Event Viewer: Use the Event Viewer to graph historical data and drill down into the details.
You can also display incidents as they occur in real time in a stream or
represent the data in graphs.
For more information, see Event Viewer.
Query: Use a query to quickly access specific information from the database. You
can use a query to perform research or analysis, to fine-tune a report
definition, or to quickly look up information.
For more information, see Query.
Reports: Use reports to access large amounts of data for analysis and compliance
reporting. You can use these reports to:
Audit security and compliance policies
Allocate system usage back-charges
Track employee network usage
For more information, see Reports.
Query
You can use a query to retrieve and examine any data collected by RSA enVision. You
can use queries in forensic analysis, for example, to drill quickly into an alert or other
condition discovered in RSA enVision Event Explorer or to audit a past event.
Queries use temporary database tables created from the data stored in the IPDB.
Because they retrieve smaller amounts of data, queries execute faster than reports.
Queries return data only in tabular form. Queries run on an ad hoc basis. Only you can
view and save your queries.
Query results can be based on IP addresses, dates and times, event message types, and
other criteria.
Queries use SQL syntax to construct statements for accessing database tables for
conditions and events including:
A simple query is a single logical statement (a single row in the Edit query table).
A complex query consists of multiple statements (multiple rows in the Edit query
table) logically joined using AND or OR. Multiple statements can narrow a query
or extract a more accurate set of results for given criteria.
You can run a newly created query or a query saved from a previous session. When
you run a query, you can save the results to a .csv file so that you can import the
results to other applications, such as Microsoft Excel.
Edit query
Select device
group
Select time
range
Run the query
Create a Query
To create a query:
3. Click Save.
4. In the Saved query file name field, enter the name for the query.
5. Click Apply.
Note: You can modify the filter information of the saved query and run the
query.
Reports
The Reports module provides standard network and traffic analysis reports and
graphs. You can copy and modify these reports, or create your own custom reports to
meet specific reporting needs. You can run the reports immediately or schedule them
to run at specific times.
Standard Reports
RSA enVision provides over 1,200 standard reports.
The following table shows the available report categories.
Report Category
Report Contents
Archer
Compliance
Correlated alerts
Host
Insider Threat
Mitigation
Network
Security
Storage
Task Triage
Statistics and data drawn from incident open and closure rate, status
of open incidents across the enterprise, and average time to
acknowledge and time to close incidents.
VAM (Vulnerabilities
and Asset
Management)
1. Click Reports > Ad Hoc Reports, and expand the report types to see the
available reports.
The example shows the Compliance > HIPAA reports menu.
Note: The options that appear in the navigation panel may differ depending
Schedule a Report
You can schedule a report to run at a specified time and at recurring intervals, only if
the RSA enVision administrator has granted you permission to perform this operation.
You can schedule reports to and access reports from only those folders that are
available to the groups to which you belong. You can only use device groups to which
you or the groups you belong to have been given access.
You can also schedule the deletion or archival of multiple report folders and manage
the processing status through the Schedule Report Delete/Archive and Manage
Report Delete/Archive options in the Report Configuration panel. For more
information, see the Help.
To schedule a report:
3. Set when and how often a recurring report should run. Click Apply.
The example shows setting the report to run every day at 7:00 p.m.
5. Click Manage Scheduled Reports to display the list of reports scheduled to run.
4. Click the report that you want to view. RSA enVision displays the report.
Troubleshooting
Logon Issues
Dashboard Issues
Query Issues
Report Issues
Logon Issues
Problem
Resolution
A: Troubleshooting
Resolution
The events used for the Message View window are stored in
memory. If you select a high value in the Number of
buffered events field, Internet Explorer may run out of
memory. If this occurs, click OK in the Internet Explorer Out
of Memory message pop-up window and select a lower value
for the Number of buffered events field on the Message
View window.
Dashboard Issues
Problem
Resolution
Problem: Enterprise Dashboard displays List mode by default
Resolution: Either the map has not been assigned to the collection or the
specified map image for the site cannot be found. Contact
your enVision administrator.
Icon for a view is displayed
as
Icon for a collection is
displayed as
Resolution
Query Issues
Problem
Resolution
Problem: Need to distinguish between two event sources that are the same type
Resolution: Use the device address, or create and use a device group for
the required device if you are monitoring multiple event
sources of the same type, for example, if you want to
distinguish between Cyberguard Firewall and Cisco PIX
firewall.
Problem: Resolve IP addresses is selected, however query does not show DNS
resolved names
Resolution: The RSA enVision administrator must select Resolve
Hostname on the Set Up DNS Resolver Service window in
order to resolve hostnames.
Report Issues
Problem
Resolution
Ensure that you are using the correct database table. For
information on selecting database tables, see the Help topic
When to Use Each Database Table.
Ensure that the report specifies the correct time frame.
Ensure that the SQL where clause for the report includes the
messages that you are expecting.
Glossary
A-SRV
See Application Server.
ad hoc report
An unscheduled report that runs immediately.
ADB
See Asset Database.
administrator
A user responsible for setting up and maintaining the RSA enVision platform. An
administrator has access to all enVision functions.
alert
An indication that an event, or a sequence of events, requires further investigation.
The enVision platform sends alerts based on messages received under a configured set
of circumstances such as filters. The administrator defines alerts for each view.
Alert History tool
The RSA enVision tool that is used to display alerts from the events database.
Alerts module
The RSA enVision module that provides tools to monitor, display, and configure
alerts.
Analysis module
The RSA enVision module that provides tools to view, query, and analyze collected
data.
appliance
The hardware on which RSA enVision software is deployed. See single appliance site
and multiple appliance site.
Application Server (A-SRV)
The appliance or component of the RSA enVision platform that supports interactive
users and runs the suite of enVision analysis tools. In a single appliance site, the
Application Server (A-SRV) is a component of the enVision system. In a multiple
appliance site, the A-SRV is installed on its own appliance. See single appliance site
and multiple appliance site.
asset
A system, such as a host, software system, workstation, or device, that is within a
network and makes up the enterprise environment.
Asset Database (ADB)
A unified view of assets created by merging data from supported vulnerability
assessment (VA) tools and imported asset information in the asset tracking tools. The
ADB provides security managers with insight into their operations.
attribute category
A group of categories defined by the RSA enVision platform for device and asset
attributes. The nine categories are properties, location, organization, owner, physical,
function, importance, vulnerability, and zone. Users can define custom categories.
bind report
A group of reports that can be scheduled to run as a single report.
collection
The process of collecting, analyzing, and storing logs from event sources. The
RSA enVision platform stores the logs, with descriptive metadata, in the Log Smart
Internet Protocol Database (IPDB).
Collector
The appliance or component of the RSA enVision platform that captures incoming
events. In a single appliance site, the Collector is a component of the enVision system.
In a multiple appliance site, the Collector is installed on its own appliance.
Common Storage Directory (CSD)
A single directory that contains the configuration and statistical information for data
collected on a site. The Common Storage Directory (CSD) can be located on a single
appliance site, on the Database Server of a multiple appliance site, or on the Remote
Collector of a distributed system.
computer name
See node.
confidence level filtering
A filter defined by the administrator to determine if a supported intrusion detection
system (IDS) or an intrusion prevention system (IPS) can be trusted for its truthfulness
and applicability. The confidence level detects if a message from an IDS or an IPS
should be considered an alert.
Configuration database (nic.db)
A repository that stores a user's configuration settings such as user information,
permissions, and views.
correlation
A relationship between a set of events and a set of specific conditions.
D-SRV
See Database Server.
Database Server (D-SRV)
The appliance or component of the RSA enVision platform that manages access and
retrieval of captured events. In a single appliance site, the Database Server (D-SRV) is
a component of the enVision system. In a multiple appliance site, the D-SRV is
installed on its own appliance. See single appliance site and multiple appliance site.
device
See event source.
device class
Identifies the classification of the event source. A device class provides a framework
for organizing event sources by their general function.
message category
A group of messages. Message categories are hierarchical, consisting of up to five
levels: a NIC category, an alert category, and up to three levels of event category.
message variable
Defines a type of data that is extracted from message payloads. Message variables are
useful when analyzing and reporting on data.
monitored device
A supported event source that has been configured to send event messages to the
RSA enVision platform. The enVision platform collects and stores events from
monitored devices.
multiple appliance site
An RSA enVision site in which each enVision component (Application, Collector, and
Database) is on its own appliance.
NIC
The acronym used to label many essential RSA enVision components, services, and
tools.
NIC database
See Configuration database (nic.db).
NIC domain
A group of multiple appliance sites that constitute an organization's entire deployment
of the RSA enVision platform. One site acts as the NIC domain master site.
NIC message ID
A number that identifies a message. This number may or may not be the same as the
vendor message ID.
NIC System device
Generates event messages to indicate the health and activity of the RSA enVision
platform, such as disk space usage, current EPS, data retrieval statistics, and user
activity messages.
NIC_View
Allows users to monitor the health of the RSA enVision system. The NIC_View alerts
users to problems within the enVision software environment.
node
An appliance in an RSA enVision site.
output action
Configured notification method for alerts. The primary output actions are SMTP,
SNMP, SNPP, Instant Messenger, syslog, run a command, text file, and task triage.
Overview module
The RSA enVision module that provides tools to configure the enVision platform and
monitor system health and performance.
RC
See Remote Collector.