# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for the CSV exports of Trend Micro Control Manager.
# Each export type is recognised by its exact header line (see
# log.format.autodetect_expression below); the same header lines are matched
# again inside log.parsing_filters.parse to select the data layout.
trend_micro_control_manager = {

  plugin_version = "1.0.1"
  # 2007-09-14 - 1.0 - KBB - Added version number and changed file name from
  #                          beta_trend_micro_control_manager.cfg.
  # 2008-08-06 - 1.1 - KBB - Added support for new variant of totals header.
  # 2011-07-21 - 1.0.1 - MSG - Edited info lines.
  # NOTE(review): the history lists 1.1 before 1.0.1 while plugin_version is
  # "1.0.1"; the numbering looks inconsistent - confirm which is current.

  info.1.manufacturer = "Trend Micro"
  info.1.device = "Control Manager"
  info.1.version.1 = ""

  # The name of the log format
  log.format.format_label = "Trend Micro Control Manager"
  log.miscellaneous.log_data_type = "other"
  log.miscellaneous.log_format_type = "other"
  log.format.ignore_format_lines = true

  # The log is in this format if the first line (autodetect_lines = 1 below) is
  # exactly equal to one of the known export header lines. These are exact
  # string comparisons ('eq'), not regular expressions: a header whose column
  # names, separators or trailing whitespace differ is not detected.
  # NOTE(review): the separators are shown here as single spaces. If the export
  # is tab-delimited, confirm the literal separator characters are intact in
  # these strings, otherwise no export will ever match.
  log.format.autodetect_expression = `
    # csv_content
    (volatile.log_data_line eq 'Received Generated Computer Name Message ID Sender Recipient Subject Policy Name Policy Settings Action on Content Action on Message Generation Time Zone ') or
    # csv_emails
    (volatile.log_data_line eq 'Received Generated Computer Name Infect Source Infect Destination Virus Product Pattern Engine First Action First Action Result Second Action Second Action Result Generation Time Zone ') or
    # csv_files
    (volatile.log_data_line eq 'Received Generated Computer Name Infect Source Infect Destination Virus Product File Name File Path First Action First Action Result Second Action Second Action Result Generation Time Zone ') or
    # csv_totals (two header variants; the first lacks Generation Time Zone)
    (volatile.log_data_line eq 'Received Generated at entity Computer Name Login User Name Virus File Name File Path Product First Action First Action Result Second Action Second Action Result ') or
    (volatile.log_data_line eq 'Received Generated Computer Name Login User Name Virus File Name File Path Product First Action First Action Result Second Action Second Action Result Generation Time Zone ') or
    # csv_webcontent
    (volatile.log_data_line eq 'Received Generated Computer Name Object Name URL Client IP File Name Blocking Type Blocking Rule Generation Time Zone ') or
    # csv_events
    (volatile.log_data_line eq 'Received Generated Severity Event Product Computer Name Description Generation Time Zone ') or
    # CSV_Download
    (volatile.log_data_line eq 'Received Generated Computer Name Login User Name Infect Source Infect Destination Virus Product Pattern Engine First Action First Action Result Second Action Second Action Result Generation Time Zone ')
  `
  log.format.autodetect_lines = 1

  # All log field parsing will be done using the parsing filters
  # log.format.parse_only_with_filters = "true"

  # Log fields
  # Every field below is filled by log.parsing_filters.parse from one of the
  # export layouts; a field that a given layout does not carry stays empty.
  log.fields = {
    date = ""
    time = ""
    event_type = ""
    # NOTE(review): received and generated are declared but the parsing filter
    # never assigns them (Received is split into date/time; the Generated
    # column is captured and discarded).
    received = ""
    generated = ""
    computer_name = ""
    message_id = ""
    # Email addresses are split on "@" from the right (presumably so reports
    # can group by domain).
    sender = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = false
    } # sender
    recipient = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = false
    } # recipient
    subject = ""
    policy_name = ""
    policy_settings = ""
    action_on_content = ""
    action_on_message = ""
    generation_time_zone = ""

    # email
    infect_source = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = false
    }
    infect_destination = {
      type = "hierarchical"
      hierarchy_dividers = "@"
      left_to_right = false
      leading_divider = false
    }
    virus = ""
    product = ""
    pattern = ""
    engine = ""
    first_action = ""
    first_action_result = ""
    second_action = ""
    second_action_result = ""

    # files
    file_name = ""
    # Paths are split on backslash, left to right.
    file_path = {
      type = "hierarchical"
      hierarchy_dividers = "\\"
      left_to_right = true
      leading_divider = false
    }

    # totals
    login_user_name = ""

    # webcontent
    object_name_url.type = "page"
    client_ip.type = "host"
    blocking_type = ""
    blocking_rule = ""

    # events
    event = ""
    severity = ""
    description = ""

    # Per-line counters; the parsing filter sets those that apply to 1.
    malicious_events = ""
    virus_events = ""
    workstation_virus_events = ""
    web_virus_events = ""
    email_virus_events = ""
    spyware_events = ""
    workstation_spyware_events = ""
    web_spyware_events = ""
    web_filtering_events = ""
    email_filtering_events = ""
    admin_events =
""
  } # log.fields

  # Declare filter variables
  # v.line_format remembers which export layout the most recent header line
  # announced. It is only reassigned when another header line is seen, so every
  # data line is parsed with the layout of the header that preceded it.
  log.filter_initialization = `
    v.line_format = "";
  `

  # Log Parsing Filters
  #
  # A header line sets v.line_format; every other line is split according to the
  # layout last announced. A data line seen before any header (v.line_format
  # still "") still gets date, time and computer_name if it looks like a data
  # line, but no layout-specific fields and no counters.
  #
  # NOTE(review): each value is captured as a run of non-separator characters
  # ([^ ]*). A value that itself contains the separator - an email Subject, a
  # File Path, a Description - shifts every later capture by one column, so
  # e.g. action_on_message or generation_time_zone would be filled from the
  # wrong column. Nothing checks that the expected number of columns was found.
  # Treat these fields as untrusted text from the scanned objects, not as
  # verified structure.
  # NOTE(review): the separators appear here as single spaces. The non-events
  # pattern splits 'Received' into date and time on a space but then expects
  # 'Generated' to fit in one space-free token ([^ ]*). If the export is
  # tab-delimited, confirm the literal separator characters survived.
  log.parsing_filters.parse = `
    v.line = current_log_line();

    # If this is a format line, set v.line_format appropriately, so we know what data layout to expect
    if (v.line eq 'Received Generated Computer Name Message ID Sender Recipient Subject Policy Name Policy Settings Action on Content Action on Message Generation Time Zone ') then
      v.line_format = "content";
    else if (v.line eq 'Received Generated Computer Name Infect Source Infect Destination Virus Product Pattern Engine First Action First Action Result Second Action Second Action Result Generation Time Zone ') then
      v.line_format = "emails";
    else if (v.line eq 'Received Generated Computer Name Infect Source Infect Destination Virus Product File Name File Path First Action First Action Result Second Action Second Action Result Generation Time Zone ') then
      v.line_format = "files";
    else if ((v.line eq 'Received Generated Computer Name Login User Name Virus File Name File Path Product First Action First Action Result Second Action Second Action Result Generation Time Zone ') or
             (v.line eq 'Received Generated at entity Computer Name Login User Name Virus File Name File Path Product First Action First Action Result Second Action Second Action Result ')) then
      v.line_format = "totals";
    else if (v.line eq 'Received Generated Computer Name Object Name URL Client IP File Name Blocking Type Blocking Rule Generation Time Zone ') then
      v.line_format = "webcontent";
    else if (v.line eq 'Received Generated Severity Event Product Computer Name Description Generation Time Zone ') then
      v.line_format = "events";
    else if (v.line eq 'Received Generated Computer Name Login User Name Infect Source Infect Destination Virus Product Pattern Engine First Action First Action Result Second Action Second Action Result Generation Time Zone ') then
      v.line_format = "download";

    # If this isn't a format line, extract data according to the format
    else (
      # Default label; each layout below overrides it once its pattern matches.
      # If the pattern does not match, the line keeps the layout name as
      # event_type and no counter is set.
      event_type = v.line_format;

      # Handle events line
      # Columns: Received (date, time), Generated, Severity, Event, Product,
      # Computer Name, Description, Generation Time Zone. 'Generated' ($3) is
      # captured and discarded.
      if (v.line_format eq "events") then (
        if (matches_regular_expression(v.line, '^([0-9-]+) ([0-9:]+) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*)')) then (
          date = $1;
          time = $2;
          severity = $4;
          event = $5;
          product = $6;
          computer_name = $7;
          description = $8;
          generation_time_zone = $9;
          admin_events = 1;
          event_type = "admin";
        ); # if regexp matches
      ); # if events line

      # Handle all non-events lines
      # Common prefix of every other layout: Received (date, time), Generated,
      # Computer Name; the remainder is parsed per layout below.
      else if (matches_regular_expression(v.line, '^([0-9-]+) ([0-9:]+) ([^ ]*) ([^ ]*) (.*)$')) then (
        date = $1;
        time = $2;
        computer_name = $4;
        v.remainder = $5;

        # Handle content line
        # Email content-filtering hits. sender, recipient and subject are text
        # taken from the mail itself and end up as report dimensions.
        if (v.line_format eq "content") then (
          if (matches_regular_expression(v.remainder, '^([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*)')) then (
            message_id = $1;
            sender = $2;
            recipient = $3;
            subject = $4;
            policy_name = $5;
            policy_settings = $6;
            action_on_content = $7;
            action_on_message = $8;
            generation_time_zone = $9;
            malicious_events = 1;
            email_filtering_events = 1;
            event_type = "email_content";
          ); # if regexp matches
        ); # if content line

        # Handle emails line
        # Virus detections in email.
        # NOTE(review): these are labelled event_type "email_content", the same
        # value the content branch uses, so the active report filter
        # "event_type within 'email_content'" also selects them. The
        # commented-out virus report filters expect 'virus_email', which no
        # branch ever sets. Confirm which label is intended before changing it.
        else if (v.line_format eq "emails") then (
          if (matches_regular_expression(v.remainder, '^([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*)')) then (
            infect_source = $1;
            infect_destination = $2;
            virus = $3;
            product = $4;
            pattern = $5;
            engine = $6;
            first_action = $7;
            first_action_result = $8;
            second_action = $9;
            second_action_result = $10;
            generation_time_zone = $11;
            email_virus_events = 1;
            virus_events = 1;
            malicious_events = 1;
            event_type = "email_content";
          ); # if regexp matches
        ); # if emails line

        # Handle files line
        # Virus detections in files on a workstation.
        # NOTE(review): labelled event_type "content" although it is a virus
        # event; the commented-out report filters expect 'virus_workstation',
        # which nothing sets.
        else if (v.line_format eq "files") then (
          if (matches_regular_expression(v.remainder, '^([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*)')) then (
            infect_source = $1;
            infect_destination = $2;
            virus = $3;
            product = $4;
            file_name = $5;
            file_path = $6;
            first_action = $7;
            first_action_result = $8;
            second_action = $9;
            second_action_result = $10;
            generation_time_zone = $11;
            workstation_virus_events = 1;
            virus_events = 1;
            malicious_events = 1;
            event_type = "content";
          ); # if regexp matches
        ); # if files line

        # Handle totals line
        # Two header variants exist; one lacks the trailing Generation Time
        # Zone column, hence the optional tenth capture.
        else if (v.line_format eq "totals") then (
          if (matches_regular_expression(v.remainder, '^([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*)[ ]*([^ ]*)')) then (
            login_user_name = $1;
            virus = $2;
            file_name = $3;
            file_path = $4;
            product = $5;
            first_action = $6;
            first_action_result = $7;
            second_action = $8;
            second_action_result = $9;
            generation_time_zone = $10; # This must remain optional because there is a variant without it.

            # Categorize as virus or spyware based on rules
            # The rules are a fixed list of detection-name prefixes (COOKIE,
            # ADW, SPY, TSPY, HKTL, RAP, APP, DIAL, JOKE, CRCK). Anything else
            # is treated as a virus line and rejected below.
            # NOTE(review): a prefix missing from this list is not an error -
            # the line is silently rejected - so a new spyware family would
            # vanish from the spyware counts. Keep this list identical to the
            # one in the download branch.
            if ((matches_regular_expression(virus, '^COOKIE')) or
                (matches_regular_expression(virus, '^ADW')) or
                (matches_regular_expression(virus, '^SPY')) or
                (matches_regular_expression(virus, '^TSPY')) or
                (matches_regular_expression(virus, '^HKTL')) or
                (matches_regular_expression(virus, '^RAP')) or
                (matches_regular_expression(virus, '^APP')) or
                (matches_regular_expression(virus, '^DIAL')) or
                (matches_regular_expression(virus, '^JOKE')) or
                (matches_regular_expression(virus, '^CRCK'))) then (
              spyware_events = 1;
              # Web vs. workstation is decided by the product-name prefix;
              # any other product only gets the generic "spyware" label.
              if (starts_with(product, 'InterScan Web')) then (
                event_type = "spyware_web";
                web_spyware_events = 1;
              );
              else if (starts_with(product, 'OfficeScan')) then (
                event_type = "spyware_workstation";
                workstation_spyware_events = 1;
              );
              else
                event_type = "spyware";
            );
            # Reject virus event lines; we get those from csv_download
            # ('reject' is presumably Sawmill's marker to drop the line.)
            else (
              'reject';
#              virus_events = 1;
#              if (starts_with(product, 'InterScan Web')) then (
#                event_type = "virus_web";
#                web_virus_events = 1;
#              );
#              else if (starts_with(product, 'InterScan Messaging')) then (
#                event_type = "virus_email";
#                email_virus_events = 1;
#              );
#              else if (starts_with(product, 'ScanMail')) then (
#                event_type = "virus_email";
#                email_virus_events = 1;
#              );
#              else if (starts_with(product, 'OfficeScan')) then (
#                event_type = "virus_workstation";
#                workstation_virus_events = 1;
#              );
            );
            malicious_events = 1;
          ); # if regexp matches
        ); # if totals line

        # Handle webcontent line
        # URL-filtering blocks. object_name_url is typed "page" and client_ip
        # "host" in log.fields; presumably that is what Sawmill derives the
        # file_type and location database fields from (nothing parses them
        # here).
        else if (v.line_format eq "webcontent") then (
          if (matches_regular_expression(v.remainder, '^([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*)')) then (
            object_name_url = $1;
            client_ip = $2;
            file_name = $3;
            blocking_type = $4;
            blocking_rule = $5;
            generation_time_zone = $6;
            web_filtering_events = 1;
            malicious_events = 1;
            event_type = "web_content";
          ); # if regexp matches
        ); # if webcontent line

        # Handle download line
        # Virus/spyware detections from the CSV_Download export.
        else if (v.line_format eq "download") then (
          if (matches_regular_expression(v.remainder, '^([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*)')) then (
            login_user_name = $1;
            infect_source = $2;
            infect_destination = $3;
            virus = $4;
            product = $5;
            pattern = $6;
            engine = $7;
            first_action = $8;
            first_action_result = $9;
            second_action = $10;
            second_action_result = $11;
            generation_time_zone = $12;

            # Categorize as virus or spyware based on rules
            # Same prefix list as the totals branch; keep the two in sync.
            # Here the spyware side is rejected and everything else counts as
            # a web virus.
            if ((matches_regular_expression(virus, '^COOKIE')) or
                (matches_regular_expression(virus, '^ADW')) or
                (matches_regular_expression(virus, '^SPY')) or
                (matches_regular_expression(virus, '^TSPY')) or
                (matches_regular_expression(virus, '^HKTL')) or
                (matches_regular_expression(virus, '^RAP')) or
                (matches_regular_expression(virus, '^APP')) or
                (matches_regular_expression(virus, '^DIAL')) or
                (matches_regular_expression(virus, '^JOKE')) or
                (matches_regular_expression(virus, '^CRCK'))) then (
              # Reject this entry; we track spyware in csv_totals now.
              'reject';
#              event_type = "spyware_web";
#              spyware_events = 1;
#              web_spyware_events = 1;
            );
            else (
              event_type = "virus_web";
              virus_events = 1;
              web_virus_events = 1;
            );
            malicious_events = 1;
            # NOTE(review): this repeats the else branch and also runs on the
            # rejected spyware path; redundant, and harmless only as long as
            # the 'reject' above really drops the line.
            event_type = "virus_web";
          ); # if regexp matches
        ); # if download line
      ); # if not events line, and matches headers
    ); # if not format line
  `

  # Database fields
  # Report dimensions. sender, recipient, subject, login_user_name, client_ip
  # (and the derived location) are personal data about mail users and
  # workstation users; access to and retention of the Sawmill database should
  # be handled accordingly.
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    event_type = ""
    computer_name = ""
    message_id = ""
    sender = ""
    recipient = ""
    subject = ""
    policy_name = ""
    policy_settings = ""
    action_on_content = ""
    action_on_message = ""
    infect_source = ""
    infect_destination = ""
    virus = ""
    product = ""
    pattern = ""
    engine = ""
    first_action = ""
    first_action_result = ""
    second_action = ""
    second_action_result = ""
    file_name = ""
    file_path = ""
    login_user_name = ""
    object_name_url = ""
    # file_type and location have no log field of their own; presumably
    # derived from the page-typed object_name_url and host-typed client_ip.
    file_type = ""
    client_ip = ""
    location = ""
    blocking_type = ""
    blocking_rule = ""
    event = ""
    severity = ""
    description = ""
    generation_time_zone = ""
  } # database.fields

  # Counters summed by the reports. Each one is 0 or 1 per line, set by the
  # parsing filter; malicious_events is set on every accepted non-admin line.
  database.numerical_fields = {
    malicious_events = {
      label = "$lang_stats.field_labels.malicious_events"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # malicious_events
    virus_events = {
      label = "$lang_stats.field_labels.virus_events"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # virus_events
    workstation_virus_events = {
      label = "$lang_stats.field_labels.workstation_virus_events"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # workstation_virus_events
    web_virus_events = {
      label = "$lang_stats.field_labels.web_virus_events"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # web_virus_events
    email_virus_events = {
      label = "$lang_stats.field_labels.email_virus_events"
      default = true
      requires_log_field = false
      type = "int"
display_format_type = "integer" entries_field = true } # email_virus_events spyware_events = { label = "$lang_stats.field_labels.spyware_events" default = true requires_log_field = false type = "int" display_format_type = "integer" entries_field = true } # spyware_events web_spyware_events = { label = "$lang_stats.field_labels.web_spyware_events" default = true requires_log_field = false type = "int" display_format_type = "integer" entries_field = true } # web_spyware_events workstation_spyware_events = { label = "$lang_stats.field_labels.workstation_spyware_events" default = true requires_log_field = false type = "int" display_format_type = "integer" entries_field = true } # workstation_spyware_events web_filtering_events = { label = "$lang_stats.field_labels.web_filtering_events" default = true requires_log_field = false type = "int" display_format_type = "integer" entries_field = true } # web_filtering_events email_filtering_events = { label = "$lang_stats.field_labels.email_filtering_events" default = true requires_log_field = false type = "int" display_format_type = "integer" entries_field = true } # email_filtering_events admin_events = { label = "$lang_stats.field_labels.admin_events" default = true requires_log_field = false type = "int" display_format_type = "integer" entries_field = true } # admin_events } # database.numerical_fields create_profile_wizard_options = { date_time_tracking = true # How the reports should be grouped in the report menu manual_reports_menu = true report_groups = { overview.type = "overview" date_time_group = { items = { date_time = { label = "$lang_stats.miscellaneous.years_months_days" graph_field = "malicious_events" only_bottom_level_items = false } days = { label = "$lang_stats.miscellaneous.days" database_field_name = "date_time" graph_field = "malicious_events" } hour_of_day = { graph_field = "malicious_events" } day_of_week = { graph_field = "malicious_events" } } } # date_time_group viruses_group = { items = { 
computer_name_virus = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.computer_name.label)))=}" # filter = "(event_type within 'virus') or (event_type within 'virus_web') or (event_type within 'virus_email') or (event_type within 'virus_workstation')" columns = { 0.field_name = "computer_name" 1.field_name = "virus_events" 2.field_name = "web_virus_events" 3.field_name = "workstation_virus_events" 4.field_name = "email_virus_events" } graph_field = "virus_events" graphs.graph_type = "pie" } infect_source_virus = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.infect_source.label)))=}" # filter = "(event_type within 'virus') or (event_type within 'virus_web') or (event_type within 'virus_email') or (event_type within 'virus_workstation')" columns = { 0.field_name = "infect_source" 1.field_name = "virus_events" 2.field_name = "web_virus_events" 3.field_name = "workstation_virus_events" 4.field_name = "email_virus_events" } } infect_destination_virus = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.infect_destination.label)))=}" # filter = "(event_type within 'virus') or (event_type within 'virus_web') or (event_type within 'virus_email') or (event_type within 'virus_workstation')" columns = { 0.field_name = "infect_destination" 1.field_name = "virus_events" 2.field_name = "web_virus_events" 3.field_name = "workstation_virus_events" 4.field_name = "email_virus_events" } } virus_virus = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.virus.label)))=}" # filter = "(event_type within 'virus') or (event_type within 'virus_web') or (event_type within 'virus_email') or (event_type within 'virus_workstation')" columns = { 0.field_name = "virus" 1.field_name = "virus_events" 2.field_name = "web_virus_events" 3.field_name = "workstation_virus_events" 4.field_name = "email_virus_events" } } product_virus = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.product.label)))=}" 
# filter = "(event_type within 'virus') or (event_type within 'virus_web') or (event_type within 'virus_email') or (event_type within 'virus_workstation')" columns = { 0.field_name = "product" 1.field_name = "virus_events" 2.field_name = "web_virus_events" 3.field_name = "workstation_virus_events" 4.field_name = "email_virus_events" } } pattern_virus = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.pattern.label)))=}" # filter = "(event_type within 'virus') or (event_type within 'virus_web') or (event_type within 'virus_email') or (event_type within 'virus_workstation')" columns = { 0.field_name = "pattern" 1.field_name = "virus_events" 2.field_name = "web_virus_events" 3.field_name = "workstation_virus_events" 4.field_name = "email_virus_events" } } file_name_virus = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.file_name.label)))=}" # filter = "(event_type within 'virus') or (event_type within 'virus_web') or (event_type within 'virus_email') or (event_type within 'virus_workstation')" columns = { 0.field_name = "file_name" 1.field_name = "virus_events" 2.field_name = "web_virus_events" 3.field_name = "workstation_virus_events" 4.field_name = "email_virus_events" } } file_path_virus = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.file_path.label)))=}" # filter = "(event_type within 'virus') or (event_type within 'virus_web') or (event_type within 'virus_email') or (event_type within 'virus_workstation')" columns = { 0.field_name = "file_path" 1.field_name = "virus_events" 2.field_name = "web_virus_events" 3.field_name = "workstation_virus_events" 4.field_name = "email_virus_events" } } first_action_virus = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.first_action.label)))=}" # filter = "(event_type within 'virus') or (event_type within 'virus_web') or (event_type within 'virus_email') or (event_type within 'virus_workstation')" columns = { 0.field_name = "first_action" 
1.field_name = "virus_events" 2.field_name = "web_virus_events" 3.field_name = "workstation_virus_events" 4.field_name = "email_virus_events" } } first_action_result_virus = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.first_action_result.label)))=}" # filter = "(event_type within 'virus') or (event_type within 'virus_web') or (event_type within 'virus_email') or (event_type within 'virus_workstation')" columns = { 0.field_name = "first_action_result" 1.field_name = "virus_events" 2.field_name = "web_virus_events" 3.field_name = "workstation_virus_events" 4.field_name = "email_virus_events" } } second_action_virus = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.second_action.label)))=}" # filter = "(event_type within 'virus') or (event_type within 'virus_web') or (event_type within 'virus_email') or (event_type within 'virus_workstation')" columns = { 0.field_name = "second_action" 1.field_name = "virus_events" 2.field_name = "web_virus_events" 3.field_name = "workstation_virus_events" 4.field_name = "email_virus_events" } } second_action_result_virus = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.second_action_result.label)))=}" # filter = "(event_type within 'virus') or (event_type within 'virus_web') or (event_type within 'virus_email') or (event_type within 'virus_workstation')" columns = { 0.field_name = "second_action_result" 1.field_name = "virus_events" 2.field_name = "web_virus_events" 3.field_name = "workstation_virus_events" 4.field_name = "email_virus_events" } } login_user_name_virus = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.login_user_name.label)))=}" # filter = "(event_type within 'virus') or (event_type within 'virus_web') or (event_type within 'virus_email') or (event_type within 'virus_workstation')" columns = { 0.field_name = "login_user_name" 1.field_name = "virus_events" 2.field_name = "web_virus_events" 3.field_name = "workstation_virus_events" 
4.field_name = "email_virus_events" } } engine_virus = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.engine.label)))=}" # filter = "(event_type within 'virus') or (event_type within 'virus_web') or (event_type within 'virus_email') or (event_type within 'virus_workstation')" columns = { 0.field_name = "engine" 1.field_name = "virus_events" 2.field_name = "web_virus_events" 3.field_name = "workstation_virus_events" 4.field_name = "email_virus_events" } } } # items } # viruses_group spyware_group = { items = { computer_name_spyware = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.computer_name.label)))=}" # filter = "(event_type within 'spyware_web') or (event_type within 'spyware_workstation')" columns = { 0.field_name = "computer_name" 1.field_name = "spyware_events" 2.field_name = "web_spyware_events" 3.field_name = "workstation_spyware_events" } } infect_source_spyware = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.infect_source.label)))=}" # filter = "(event_type within 'spyware_web') or (event_type within 'spyware_workstation')" columns = { 0.field_name = "infect_source" 1.field_name = "spyware_events" 2.field_name = "web_spyware_events" 3.field_name = "workstation_spyware_events" } } infect_destination_spyware = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.infect_destination.label)))=}" # filter = "(event_type within 'spyware_web') or (event_type within 'spyware_workstation')" columns = { 0.field_name = "infect_destination" 1.field_name = "spyware_events" 2.field_name = "web_spyware_events" 3.field_name = "workstation_spyware_events" } } virus_spyware = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.virus.label)))=}" # filter = "(event_type within 'spyware_web') or (event_type within 'spyware_workstation')" columns = { 0.field_name = "virus" 1.field_name = "spyware_events" 2.field_name = "web_spyware_events" 3.field_name = 
"workstation_spyware_events" } } product_spyware = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.product.label)))=}" # filter = "(event_type within 'spyware_web') or (event_type within 'spyware_workstation')" columns = { 0.field_name = "product" 1.field_name = "spyware_events" 2.field_name = "web_spyware_events" 3.field_name = "workstation_spyware_events" } } pattern_spyware = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.pattern.label)))=}" # filter = "(event_type within 'spyware_web') or (event_type within 'spyware_workstation')" columns = { 0.field_name = "pattern" 1.field_name = "spyware_events" 2.field_name = "web_spyware_events" 3.field_name = "workstation_spyware_events" } } file_name_spyware = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.file_name.label)))=}" # filter = "(event_type within 'spyware_web') or (event_type within 'spyware_workstation')" columns = { 0.field_name = "file_name" 1.field_name = "spyware_events" 2.field_name = "web_spyware_events" 3.field_name = "workstation_spyware_events" } } file_path_spyware = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.file_path.label)))=}" # filter = "(event_type within 'spyware_web') or (event_type within 'spyware_workstation')" columns = { 0.field_name = "file_path" 1.field_name = "spyware_events" 2.field_name = "web_spyware_events" 3.field_name = "workstation_spyware_events" } } first_action_spyware = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.first_action.label)))=}" # filter = "(event_type within 'spyware_web') or (event_type within 'spyware_workstation')" columns = { 0.field_name = "first_action" 1.field_name = "spyware_events" 2.field_name = "web_spyware_events" 3.field_name = "workstation_spyware_events" } } first_action_result_spyware = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.first_action_result.label)))=}" # filter = "(event_type within 'spyware_web') or 
(event_type within 'spyware_workstation')" columns = { 0.field_name = "first_action_result" 1.field_name = "spyware_events" 2.field_name = "web_spyware_events" 3.field_name = "workstation_spyware_events" } } second_action_spyware = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.second_action.label)))=}" # filter = "(event_type within 'spyware_web') or (event_type within 'spyware_workstation')" columns = { 0.field_name = "second_action" 1.field_name = "spyware_events" 2.field_name = "web_spyware_events" 3.field_name = "workstation_spyware_events" } } second_action_result_spyware = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.second_action_result.label)))=}" # filter = "(event_type within 'spyware_web') or (event_type within 'spyware_workstation')" columns = { 0.field_name = "second_action_result" 1.field_name = "spyware_events" 2.field_name = "web_spyware_events" 3.field_name = "workstation_spyware_events" } } login_user_name_spyware = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.login_user_name.label)))=}" # filter = "(event_type within 'spyware_web') or (event_type within 'spyware_workstation')" columns = { 0.field_name = "login_user_name" 1.field_name = "spyware_events" 2.field_name = "web_spyware_events" 3.field_name = "workstation_spyware_events" } } engine_spyware = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.engine.label)))=}" # filter = "(event_type within 'spyware_web') or (event_type within 'spyware_workstation')" columns = { 0.field_name = "engine" 1.field_name = "spyware_events" 2.field_name = "web_spyware_events" 3.field_name = "workstation_spyware_events" } } } # items } # spyware_group email_content_security_group = { items = { computer_name_email_content = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.computer_name.label)))=}" filter = "event_type within 'email_content'" columns.0.field_name = "computer_name" } 
message_id_email_content = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.message_id.label)))=}" # filter = "event_type within 'email_content'" columns = { 0.field_name = "message_id" 1.field_name = "email_filtering_events" } } sender_email_content = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.sender.label)))=}" # filter = "event_type within 'email_content'" columns = { 0.field_name = "sender" 1.field_name = "email_filtering_events" } } recipient_email_content = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.recipient.label)))=}" # filter = "event_type within 'email_content'" columns = { 0.field_name = "recipient" 1.field_name = "email_filtering_events" } } policy_name_email_content = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.policy_name.label)))=}" # filter = "event_type within 'email_content'" columns = { 0.field_name = "policy_name" 1.field_name = "email_filtering_events" } } policy_settings_email_content = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.policy_settings.label)))=}" # filter = "event_type within 'email_content'" columns = { 0.field_name = "policy_settings" 1.field_name = "email_filtering_events" } } action_on_content_email_content = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.action_on_content.label)))=}" # filter = "event_type within 'email_content'" columns = { 0.field_name = "action_on_content" 1.field_name = "email_filtering_events" } } action_on_message_email_message = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.action_on_message.label)))=}" # filter = "event_type within 'email_message'" columns = { 0.field_name = "action_on_message" 1.field_name = "email_filtering_events" } } subject_email_content = { reports_menu_label = "{=capitalize(pluralize(print(database.fields.subject.label)))=}" # filter = "event_type within 'email_content'" columns = { 0.field_name = "subject" 
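1.field_name = "email_filtering_events"
          }
        }
      } # items
    } # email_content_security_group

    web_security_group = {
      # Reports over URL-filtering blocks (the "webcontent" export); every item
      # counts web_filtering_events. file_type and location have no log field
      # of their own; presumably Sawmill derives them from the page-typed
      # object_name_url and host-typed client_ip log fields - confirm.
      items = {
        computer_name_web = {
          reports_menu_label = "{=capitalize(pluralize(print(database.fields.computer_name.label)))=}"
          # filter = "event_type within 'web_content'"
          columns = {
            0.field_name = "computer_name"
            1.field_name = "web_filtering_events"
          }
        }
        client_ip_web_security = {
          reports_menu_label = "{=capitalize(pluralize(print(database.fields.client_ip.label)))=}"
          columns = {
            0.field_name = "client_ip"
            1.field_name = "web_filtering_events"
          }
        }
        location_web_security = {
          reports_menu_label = "{=capitalize(pluralize(print(database.fields.location.label)))=}"
          columns = {
            0.field_name = "location"
            1.field_name = "web_filtering_events"
          }
        }
        object_name_url_web_security = {
          reports_menu_label = "{=capitalize(pluralize(print(database.fields.object_name_url.label)))=}"
          columns = {
            0.field_name = "object_name_url"
            1.field_name = "web_filtering_events"
          }
        }
        # This item was declared twice with identical bodies. A duplicate key in
        # this format is at best silently merged and at worst parser-dependent,
        # so only one definition is kept.
        file_type_web_security = {
          reports_menu_label = "{=capitalize(pluralize(print(database.fields.file_type.label)))=}"
          columns = {
            0.field_name = "file_type"
            1.field_name = "web_filtering_events"
          }
        }
        blocking_type_web_security = {
          reports_menu_label = "{=capitalize(pluralize(print(database.fields.blocking_type.label)))=}"
          columns = {
            0.field_name = "blocking_type"
            1.field_name = "web_filtering_events"
          }
        }
        blocking_rule_web_security = {
          reports_menu_label = "{=capitalize(pluralize(print(database.fields.blocking_rule.label)))=}"
          columns = {
            0.field_name = "blocking_rule"
            1.field_name = "web_filtering_events"
          }
        }
      } # items
    } # web_security group

    admin_group = {
      # Reports over Control Manager's own event log (the "events" export);
      # every item counts admin_events.
      items = {
        event = {
          columns = {
            0.field_name = "event"
            1.field_name = "admin_events"
          }
        }
        severity = {
          columns = {
            0.field_name = "severity"
            1.field_name = "admin_events"
          }
        }
        description = {
          columns = {
            0.field_name = "description"
            1.field_name = "admin_events"
          }
        }
      } # reports
    } # admin_group

    other_group = {
      items = {
#        computer_name = true
        event_type = true
        generation_time_zone = true
      } # reports
    }

    log_detail = true
    single_page_summary = true
  } # report_groups
} # create_profile_wizard_options
} # trend_micro_control_manager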