
Data Control - Notification

We implemented a Data Control policy on our network. Anyone transferring data to a USB device will create logs in SEC.

My questions are:

  • Scenario: A staff person is offloading a significant amount of sensitive information.
  • Questions:
  • Would (or could) this activity be highlighted in a fashion on the Sophos console so that it would be brought to our attention?  Or, do we simply need to review the detailed logs?
  • Can we implement thresholds that would provide us with notification based on:
    • The frequency with which a specific staff person is offloading data.
    • The amount of data being transferred
    • The type of data being transferred.
  • Hi,

    It's not available in SEC but the data is in the database, so a small script (maybe running once an hour) could do it.

    Rather than just going for the tables directly, I would suggest doing it officially using the Sophos Reporting Interface (SRI). This will ensure it keeps working in future versions. The SRI seems to be installed by default in SEC 5.1 (soon to be released); prior to that it's a separate download available through here for V5.0 and V4.x:
    http://www.sophos.com/en-us/why-sophos/our-people/reporting-interface.aspx . Note: you only need to install the interface, not the logwriter.


    More information can be found on the forum here: /search?q= 8285

    The "Views" you are probably interested in are:
    [Sophos Reporting Interface].[vEventsDataControlData]

    [Sophos Reporting Interface].[vComputerHostData]

    and if you want SEC group information in the report:
    [Sophos Reporting Interface].[vComputerGroupMapping]

    [Sophos Reporting Interface].[vGroupPathAndNameData]

    E.g. to get all of this data in a single query (I'm using SEC 5.1 as I have it on a test machine):

    SELECT *
      FROM [SOPHOS51].[Sophos Reporting Interface].[vEventsDataControlData] as ed
      inner join [SOPHOS51].[Sophos Reporting Interface].[vComputerHostData] as hd on hd.computerid = ed.ComputerID
      inner join [SOPHOS51].[Sophos Reporting Interface].[vComputerGroupMapping] as cm on cm.ComputerID = hd.ComputerID
      inner join [SOPHOS51].[Sophos Reporting Interface].[vGroupPathAndNameData] as gpn on gpn.GroupID = cm.GroupID

    So I would call that data and limit it by:

    "UserName"

    "FileSize"  (SEC 5.0+ only)

    "EventTime"

    "TrueFileType"  e.g. "Plain text"

    So you could say, in pseudo code: for UserName = 'x' where EventTime is within the last day, sum all the FileSize.

    If the sum of all the FileSize > 5MB, send email.

    One example query might look like:

    SELECT SUM(ed.FileSize) as DataInK
      FROM [SOPHOS51].[Sophos Reporting Interface].[vEventsDataControlData] as ed
      inner join [SOPHOS51].[Sophos Reporting Interface].[vComputerHostData] as hd on hd.computerid = ed.ComputerID
      inner join [SOPHOS51].[Sophos Reporting Interface].[vComputerGroupMapping] as cm on cm.ComputerID = hd.ComputerID
      inner join [SOPHOS51].[Sophos Reporting Interface].[vGroupPathAndNameData] as gpn on gpn.GroupID = cm.GroupID
      where ed.UserName ='domain\user1'
      and ed.EventTime > dateadd(dd, -1, GETUTCDATE())

    This will give the total data in the last day for user 'domain\user1'. So the script calling the SQL could use this returned number to decide whether to alert, based on some value such as (1024*5) for an example 5MB limit threshold.

    Hope this gives you some ideas.

    Regards,

    Jak

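As an added example (not Jak's query and not Sophos' own code), one T-SQL statement an hourly script could run to list every user who crossed any of the three thresholds asked about in the question, using only the view and column names given in the answer above. The limit values, the 24-hour window and the assumption that FileSize is in kilobytes (as the "DataInK" alias suggests) are assumptions to tune.

```sql
-- Added example: per-user Data Control thresholds over the last 24 hours.
-- Assumes SEC 5.0+ (FileSize only exists from 5.0) and the SRI view
-- [SOPHOS51].[Sophos Reporting Interface].[vEventsDataControlData].
DECLARE @Since       datetime = DATEADD(dd, -1, GETUTCDATE());
DECLARE @SizeLimitKB int      = 1024 * 5;   -- assumption: 5 MB per user per day
DECLARE @CountLimit  int      = 20;         -- assumption: more than 20 transfers per day
DECLARE @TypeOfInterest nvarchar(50) = N'Plain text';  -- TrueFileType to watch
DECLARE @TypeLimit   int      = 1;          -- assumption: any file of that type

SELECT  ed.UserName,
        COUNT(*)                                   AS TransferCount,
        SUM(ed.FileSize)                           AS DataInK,
        SUM(CASE WHEN ed.TrueFileType = @TypeOfInterest
                 THEN 1 ELSE 0 END)                AS WatchedTypeCount,
        MAX(ed.EventTime)                          AS LastEvent
FROM    [SOPHOS51].[Sophos Reporting Interface].[vEventsDataControlData] AS ed
WHERE   ed.EventTime > @Since
GROUP BY ed.UserName
-- A row comes back only when at least one threshold is exceeded,
-- so the calling script just emails whatever rows are returned.
HAVING  SUM(ed.FileSize) > @SizeLimitKB
     OR COUNT(*)         > @CountLimit
     OR SUM(CASE WHEN ed.TrueFileType = @TypeOfInterest
                 THEN 1 ELSE 0 END) >= @TypeLimit
ORDER BY DataInK DESC;
```

Because the query aggregates per user rather than filtering on one hard-coded account, the script needs no list of user names; joining the vComputerHostData / vComputerGroupMapping / vGroupPathAndNameData views as in Jak's query would add the machine and SEC group columns to each row.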
  • Thanks Jak. We will be using SSRS to get the report.
