
Admin Account Usage Workflow v2 Sanitized

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 8 min read

Summary:

Based on the provided description, a specific configuration is in place for monitoring events within a retail environment, focusing on account management and logon activities. The report tracks user logons and includes filters targeting particular accounts as defined by their usernames in uppercase format. Here is a breakdown of what was described:

**Report Setup Overview:**

  • **Purpose**: To monitor user logons within the retail environment, particularly focusing on specific accounts identified by their usernames in uppercase.

  • **Accounts Included**: CAMBRIDGE, COOPER1, COOPER14, FUJITSU32, ESERVICE, PATR10TS, ROADMIN, SMECLNT, and YANK00KS are included in the filter settings for monitoring logon activities.

  • **Data Sources**: The report uses data from Active Lists, Windows LogonTypes, and custom strings associated with device events to track user activity.

**Variables and Filters:**

  • **UpperSourceUsername** and **UpperDestinationUsername**: Convert the source and destination usernames into uppercase so that they can be matched uniformly against the predefined account usernames.

  • **LogonType**: Retrieves the type of logon from the active list of Windows LogonTypes, providing additional context about the logon events.

  • **InactiveList**: Matches Source User Name (UpperSourceUsername) and Destination User Name (UpperDestinationUsername) against the predefined uppercase account usernames to identify restricted or specific accounts.

**Report Details:**

  • **Title and Path**: The report is titled "TEST Retail - " and sits under the "/All Reports/Public/TEST/Account Management/Retail/" directory.

  • **Template**: Simple Table Landscape.

  • **Header and Footer**: Page number, total pages, and the proprietary and confidential note.

  • **SubTitle**: Displays the start and end times of the report period, giving context on when the logon events occurred.

  • **TableTitle**: Implied but not explicitly stated; typically lists detailed information about the user logons related to account management.

**Query and Alias:**

  • **Device Custom String 2** is aliased to "Event Type" for further analysis of device interactions.

  • **LogonType.Descripttion** provides a description of the logon type, improving the report's clarity.

**Jobs and Archive:**

  • The job schedule, format, and distribution are detailed in internal specifications or protocols (not fully described here).

  • All archived reports related to this account management retail report under TEST are stored in a specified folder path for future reference and audit purposes.

**Filter Configuration:**

  • **Event Conditions**: Combine logical operations (AND, OR, NOT) to define conditions on user names, device vendors, host names, and similar fields, so that only events related to the specified accounts are reported.

**Conclusion:**

The described report setup is part of a broader system for managing user access rights in the retail environment while maintaining security and compliance with internal policies. The filters pinpoint critical activities and are essential for the network administrators who oversee devices such as HEWSON50, ensuring that only relevant events are logged and reported.

Details:

The document titled "Admin Account Usage Reports" provides detailed information on creating custom resources for monitoring shared admin accounts within an IT environment. It outlines the development process, reporting structure, and distribution list for these reports. Key sections include:

  1. **Version History**: Describes version updates from 0.5 to 1.1, with changes made by Keith Stover regarding report distribution, resource creation, and filtering improvements.

  2. **Documentation Reference**: References related ArcSight documentation such as "ESM 101 – Concepts for ArcSight ESM v4.5" and the "ESM Administrators Guide."

  3. **Solution Summary**: Explains the purpose of creating custom resources for monitoring shared admin accounts, with a focus on identifying high-value accounts and translating logon types into meaningful business values.

  4. **Report Column Headings** (Figure 1): Lists the columns expected in the final reports so that account usage can be monitored effectively.

  5. **Active List Creation**: Describes how to create two active lists: one for high-value admin accounts and another mapping Windows logon types to logical business terms, as detailed in Table 1 and Table 2 respectively.

  6. **Resource Tree Visualization** (Figure 2): A visual representation of the resource tree related to PALMBEACH.

  7. **Solution Workflow** (Figure 3): Illustrates the workflow for implementing the solution.

  8. **Report Distribution List**: A table with details on who receives the reports (Table 3).

  9. **Custom Resource Parameters**: The parameters for the custom resources used in this report setup (Table 4).

The document serves as a comprehensive guide for understanding and implementing monitoring and reporting mechanisms tailored to admin account usage within an organization's IT infrastructure. It outlines a method for generating reports using ArcSight to track admin accounts and Windows logon types. The method involves creating "active lists" of relevant data that can be updated as business needs evolve; these active lists future-proof the system by keeping it adaptable to new information requirements. To extract specific event data, a query is developed to filter events where the username appears either as the source or the destination within the event. This subset of data is stored and can be queried later to generate reports tailored to individual admin accounts. Graphical resource trees for each report visualize the connections between admin accounts and aid the reporting process. The workflow concludes with a description of how reports are distributed according to a predefined schedule and format. The distribution list specifies when, how often, to whom, and in what format the reports are sent, as well as the archive folder for stored reports.

The document lists a series of reports related to retail accounts, archived under the "All Archived Reports" folder within the "TEST" section. These reports cover various retailers, run at different frequencies (weekly or daily) and delivery times (4:00 AM on Saturday), and each is associated with specific email addresses for distribution and is available in PDF format. Each retail account mentioned in the document:

  1. **COOPER14**: A weekly report distributed via email to ML-SS_Software_Management, ML-SS_Production_Support, ML-SYSTEMS_-_Service_Desk, john_doe@test.com, and jane_doe@test.com in PDF format. Located under /All Archived Reports/TEST/Account Management/Retail/COOPER14.

  2. **ESERVICE**: A weekly report distributed via email to the same recipients as COOPER14. Located under /All Archived Reports/TEST/Account Management/Retail/ESERVICE.

  3. **FUJITSU32**: A weekly report sent to ML-SYSTEMS_-_IMPPROJECTS, ML-SYSTEMS_-_IMPNEWSTORES, ML-SS_Production_Support, john_doe@test.com, and jane_doe@test.com in PDF format. Located under /All Archived Reports/TEST/Account Management/Retail/FUJITSU32.

  4. **HEWSON50**: A weekly report sent to john_doe@test.com and jane_doe@test.com. Located under /All Archived Reports/TEST/Account Management/Retail/HEWSON50.

  5. **PALMBEACH**: A daily report distributed to TEST_Service_Desk_Report_Distribution@test.com, john_doe@test.com, and jane_doe@test.com, available in both PDF and CSV formats. Located under /All Archived Reports/TEST/Account Management/Retail/PALMBEACH.

  6. **PATR10TS**: A weekly report sent to ML-SS_Software_Management, john_doe@test.com, and jane_doe@test.com. Located under /All Archived Reports/TEST/Account Management/Retail/PATR10TS.

  7. **RICE14**: A weekly report sent to john_doe@test.com and jane_doe@test.com. Located under /All Archived Reports/TEST/Account Management/Retail/RICE14.

  8. **ROADMIN**: A weekly report sent to ML-SS_Software_Management, ML-SS_Production_Support, ML-SYSTEMS_-_Service_Desk, john_doe@test.com, and jane_doe@test.com in PDF format. Located under /All Archived Reports/TEST/Account Management/Retail/ROADMIN.

  9. **SMECLNT**: A weekly report sent to ML-SS_Software_Management and the individuals named above, available as a PDF. Located under /All Archived Reports/TEST/Account Management/Retail/SMECLNT.

The document also covers the distribution of reports for further retail accounts, including SNOWBIRD and YANK00KS, with specific times and recipients. It details custom resources such as the restricted retail user accounts list and the Windows logon types list, specifying their paths, capacity, TTL (time to live), data type, and parameters such as field names and types.

Two queries related to account management and user logon activities are described:

  • The first query monitors retail accounts, targeting the specified account name (in uppercase) across fields including timestamp, destination host name, destination user name, source host name, source user name, and logon type description. It runs every hour at 0 minutes past the hour, without an end date. The query selects end time, name, message, source host name, source, destination host name, destination user name, device custom string 2, and logon type description, ordered ascending by these fields. Its conditions keep entries where the destination or source user name matches the specified account name, case-insensitively.

  • The second query monitors admin accounts. It gathers data for the single hour before the current time, using the end time as the timestamp, and selects the same fields: name, message, source host name, source, destination host name, destination user name, device custom string 2, and logon type description. Results are ordered as in the first query but only include entries where the account is either in the active list of restricted retail user accounts or matches the specific admin filters.

The report setup for account management within the retail environment is defined for the "TEST" account. The report monitors user logons and includes filters that target particular accounts as defined by their usernames in uppercase format, using data from Active Lists, Windows LogonTypes, and custom strings associated with device events.

**Variables:**

  • **UpperSourceUsername**: Converts the Source User Name into uppercase for uniformity.

  • **UpperDestinationUsername**: Converts the Destination User Name into uppercase for consistency.

  • **LogonType**: Retrieves the type of logon from a list of active Windows LogonTypes.

**InActiveList:**

  • **Name: Useraccount**, **Field: UpperSourceUsername** and **Field: UpperDestinationUsername**: These fields are used to match against predefined account usernames in uppercase.

**Report Details:**

  • **Title:** TEST Retail -

  • **Path:** /All Reports/Public/TEST/Account Management/Retail/TEST Retail -

  • **Template:** Simple Table Landscape

  • **Header and Footer:** Includes page number, total pages, proprietary and confidential note.

  • **SubTitle:** Displays the start and end times for the report period.

  • **TableTitle:** Not specified but implied to list details of user logons as per the account management context.

**Query and Alias:**

  • **Alias: Device Custom String 2** is linked to "Event Type."

  • **LogonType.Descripttion** provides a description of the logon type from the LogonType variable.

**Jobs:**

  • The job schedule, format, and distribution are detailed in Table 3 as per internal specifications or protocols.

**Archive Folder:**

  • All archived reports related to this account management retail report under TEST are stored in a specified folder path.

**Filter:**

  • Applies filters for specific accounts including CAMBRIDGE, COOPER1, COOPER14, FUJITSU32, ESERVICE, PATR10TS, ROADMIN, SMECLNT, and YANK00KS.

**Event Conditions:**

  • Events are triggered based on:

  • **Destination User Name** or **Source User Name** matching a specified account username (case insensitive).

  • The conditions are combined using an OR statement within the broader AND structure involving event1.

This report setup is part of a larger system designed to monitor and manage user access rights in the retail environment, ensuring compliance with internal policies and security protocols.

The provided text also outlines several filters and their associated conditions for different administrators in the security system. Each filter is named after an administrator (SNOWBIRD, PALMBEACH, RICE14, and THORNTON). These filters define specific event conditions based on criteria related to user names, device vendors, host names, and other parameters. For each administrator's filter:

  • **Event Conditions** consist of a combination of logical operations such as AND, OR, NOT, and equality checks (e.g., Destination User Name = or Device Vendor = Microsoft).

  • The criteria can include case-insensitive comparisons (e.g., ), ensuring that the conditions apply regardless of how the text is capitalized.

  • Some conditions are more specific, such as excluding certain host names starting with "xxxx" for Destination Host Name and certain user names starting with "JCIFS", "RICE14", or other predefined terms in a case-insensitive manner.

The purpose of these filters is to identify and monitor events that meet the specified conditions across different systems, potentially related to network activities or system interactions involving the accounts named after the administrators overseeing each filter.

The document also describes a filter configuration for monitoring network events from devices managed by Unix and Microsoft. The filter keeps only events in which HEWSON50 is the user on either end of the communication and excludes events from any device vendor other than Unix or Microsoft. It additionally excludes events where the destination host name contains "xxxx" and events where the source user name is Rice14 (regardless of case). This setup is tailored for network administrators using the device with the hostname HEWSON50.
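As an added example (not the page's or ArcSight's own code), the following plain-Python model expresses the filter logic described in the Event Conditions section and in the per-administrator filters above, and runs it over constructed sample events; the ArcSight-style field names, the `logonType` key, and the contents of both lists are assumptions.

```python
# Added example (not the page's or ArcSight's own code): a plain-Python model of the filter
# logic described above, run over constructed events. Field names, the "logonType" key and
# the contents of both lists are illustrative assumptions.
RESTRICTED_RETAIL_ACCOUNTS = {"CAMBRIDGE", "COOPER1", "COOPER14", "FUJITSU32", "ESERVICE",
                              "PATR10TS", "ROADMIN", "SMECLNT", "YANK00KS"}  # stand-in active list
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",       # constructed subset
               10: "Remote Interactive", 11: "Cached Interactive"}             # of the LogonTypes list
EXCLUDED_SOURCE_PREFIXES = ("JCIFS", "RICE14")  # exclusions named in the per-admin filters
ALLOWED_VENDORS = ("Unix", "Microsoft")

def _upper(value):
    """UpperSourceUsername / UpperDestinationUsername: uppercase so matching ignores case."""
    return (value or "").upper()

def in_restricted_list(event):
    """InActiveList check: source OR destination user name, uppercased, is a restricted account."""
    return any(_upper(event.get(k)) in RESTRICTED_RETAIL_ACCOUNTS
               for k in ("sourceUserName", "destinationUserName"))

def per_admin_filter(event, account):
    """HEWSON50-style filter: account on either end AND vendor Unix/Microsoft AND NOT
    destination host starting 'xxxx' AND NOT source user starting JCIFS/RICE14."""
    src, dst = _upper(event.get("sourceUserName")), _upper(event.get("destinationUserName"))
    return (account.upper() in (src, dst)
            and event.get("deviceVendor") in ALLOWED_VENDORS
            and not _upper(event.get("destinationHostName")).startswith("XXXX")
            and not src.startswith(EXCLUDED_SOURCE_PREFIXES))

def report_row(event):
    """Query columns: Device Custom String 2 aliased to Event Type, logon type via the list."""
    return {"End Time": event["endTime"], "Source User Name": event.get("sourceUserName"),
            "Destination User Name": event.get("destinationUserName"),
            "Destination Host Name": event.get("destinationHostName"),
            "Event Type": event.get("deviceCustomString2"),
            "LogonType.Description": LOGON_TYPES.get(event.get("logonType"), "Unknown")}

def admin_account_report(events, account):
    """Second query on the page: restricted-list hit OR per-admin filter hit, ascending by End Time."""
    hits = [e for e in events if in_restricted_list(e) or per_admin_filter(e, account)]
    return sorted((report_row(e) for e in hits), key=lambda r: r["End Time"])

SAMPLE_EVENTS = [  # constructed sample events: hit, hit, excluded (RICE14 source), excluded (vendor/host)
    {"endTime": "2025-04-05T03:10", "sourceUserName": "cooper14", "destinationUserName": "COOPER14",
     "destinationHostName": "posdb01", "deviceVendor": "Microsoft", "deviceCustomString2": "Logon", "logonType": 10},
    {"endTime": "2025-04-05T02:05", "sourceUserName": "jsmith", "destinationUserName": "HEWSON50",
     "destinationHostName": "srv07", "deviceVendor": "Unix", "deviceCustomString2": "Logon", "logonType": 3},
    {"endTime": "2025-04-05T02:30", "sourceUserName": "rice14", "destinationUserName": "HEWSON50",
     "destinationHostName": "srv07", "deviceVendor": "Microsoft", "deviceCustomString2": "Logon", "logonType": 3},
    {"endTime": "2025-04-05T02:45", "sourceUserName": "ops", "destinationUserName": "hewson50",
     "destinationHostName": "xxxx-lab", "deviceVendor": "Cisco", "deviceCustomString2": "Logon", "logonType": 2}]
```

Calling `admin_account_report(SAMPLE_EVENTS, "HEWSON50")` returns two rows (the jsmith-to-HEWSON50 logon and the COOPER14 logon) and drops the two events that the exclusions target.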

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and it will be responded to.
