ITAnalyticsContentPackAdminGuide_SEP_v2_1

The IT Analytics Symantec Endpoint Protection Content Pack Administrator Guide provides comprehensive instructions for deploying, configuring, and utilizing the Symantec Endpoint Protection Content Pack. It includes details on system requirements, installation procedures, reporting examples, and descriptions of various content pack components. Additionally, the document outlines technical support options, licensing information, and customer service resources available to users.


IT Analytics™

Symantec Endpoint Protection™ Content Pack


Administrator Guide

Version 2.1
IT Analytics Symantec Endpoint Protection Content Pack
Administrator Guide
Product version 2.1
Documentation version: 2
This document was last updated on: May 9, 2018.

Legal Notice
Copyright © 2018 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, the Checkmark Logo, Enterprise Vault, Compliance Accelerator, and Discovery
Accelerator are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other
countries. Other names may be trademarks of their respective owners.
This Symantec product may contain third party software for which Symantec is required to provide attribution to
the third party (“Third Party Programs”). Some of the Third Party Programs are available under open source or
free software licenses. The License Agreement accompanying the Software does not alter any rights or
obligations you may have under those open source or free software licenses. Please see the Third Party Software
file accompanying this Symantec product for more information on the Third Party Programs.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and
decompilation/reverse engineering. No part of this document may be reproduced in any form by any means
without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE
EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION
SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE
FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN
THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR
12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software -
Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer
Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction
release, performance, display or disclosure of the Licensed Software and Documentation by the U.S.
Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation, 350 Ellis Street, Mountain View, CA 94043
http://www.symantec.com

Technical Support
Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to
specific queries about product features and functionality. The Technical Support group also creates content for
our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas
within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works
with Product Engineering and Symantec Security Response to provide alerting services and virus definition
updates.
Symantec’s support offerings include the following:
• A range of support options that give you the flexibility to select the right amount of service for any size organization
• Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
• Upgrade assurance that delivers software upgrades
• Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
• Premium service offerings that include Account Management Services
For information about Symantec’s support offerings, you can visit our Web site at the following URL:
www.symantec.com/business/support/
All support services will be delivered in accordance with your support agreement and the then-current enterprise
technical support policy.

Contacting Technical Support


Customers with a current support agreement may access Technical Support information at the following URL:
www.symantec.com/business/support/
Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in
your product documentation. Also, you should be at the computer on which the problem occurred, in case it is
necessary to replicate the problem.
When you contact Technical Support, please have the following information available:
• Product release level
• Hardware information
• Available memory, disk space, and NIC information
• Operating system
• Version and patch level
• Network topology
• Router, gateway, and IP address information
• Problem description:
• Error messages and log files
• Troubleshooting that was performed before contacting Symantec
• Recent software configuration changes and network changes

Licensing and registration


If your Symantec product requires registration or a license key, access our technical support Web page at the
following URL:
www.symantec.com/business/support/

Customer service
Customer service information is available at the following URL:
www.symantec.com/business/support/
Customer Service is available to assist with non-technical questions, such as the following types of issues:
• Questions regarding product licensing or serialization
• Product registration updates, such as address or name changes
• General product information (features, language availability, local dealers)
• Latest information about product updates and upgrades
• Information about upgrade assurance and support contracts
• Information about the Symantec Buying Programs
• Advice about Symantec's technical support options
• Nontechnical presales questions
• Issues that are related to CD-ROMs, DVDs, or manuals

Support agreement resources


If you want to contact Symantec regarding an existing support agreement, please contact the support agreement
administration team for your region as follows:
Asia-Pacific and Japan [email protected]

Europe, Middle-East, and Africa [email protected]

North America and Latin America [email protected]


Contents

IT Analytics Symantec Endpoint Protection Content Pack Administrator Guide

Technical Support
    Contacting Technical Support
    Licensing and registration
    Customer service
    Support agreement resources

Chapter 1 About this guide
    Foreword
    Style Conventions

Chapter 2 System Requirements
    Deployment Infrastructure

Chapter 3 Installing and Configuring the Content Pack
    Configuring the Content Pack
        Configure the Content Pack
        Cubes Installation
        Reports Installation

Chapter 4 Content Pack Reporting Examples
    Example 1: Using the Cube Browser with the Symantec Endpoint Protection Content Pack
        Creating a cube view using the SEP Clients Cube
    Example 2: Creating a Key Performance Indicator (KPI) with the Symantec Endpoint Protection Content Pack
        Creating a Key Performance Indicator using the SEP Clients Cube

Chapter 5 Content Pack Description
    Cubes
        SEP Access Rights Cube
        SEP Agent Behavior Events Cube
        SEP Agent Security Events Cube
        SEP Agent System Events Cube
        SEP Agent Traffic Events Cube
        SEP Alerts Cube
        SEP AntiVirus Policies Cube
        SEP App and Device Control Policies Cube
        SEP Clients Cube
        SEP Event Summary Cube
        SEP Exception Policies Cube
        SEP Firewall Policies Cube
        SEP Host Integrity Events Cube
        SEP Host Integrity Policies Cube
        SEP Insight Detections Cube
        SEP Intrusion Prevention Policies Cube
        SEP LiveUpdate Policies Cube
        SEP Policies Cube
        SEP Scans Cube
        SEP Security Virtual Appliances
        SEP Server Admin Events Cube
        SEP Server System Events Cube
        SEP SONAR Events Cube
    Reports
        Client Version Details
        Host Integrity Event Details
        Insight Detection Details
        Intrusion Prevention Detection Details
        Intrusion Prevention Detection Trend
        Intrusion Prevention Signature Details
        Scan Trend
        Security Virtual Appliance Details
        SONAR Detection Details
        Virus Alert Details
        Virus Alert Trend
        Virus Definition Distribution Details
    Dashboards
        Symantec Endpoint Protection Client Dashboard
        Symantec Endpoint Protection Host Integrity Event Dashboard
        Symantec Endpoint Protection Insight Detection Dashboard
        Symantec Endpoint Protection IPS Dashboard
        Symantec Endpoint Protection IPS Detection Event Dashboard
        Symantec Endpoint Protection Risk Dashboard
        Symantec Endpoint Protection SONAR Detection Dashboard
        Symantec Endpoint Protection SVA Client Dashboard
    Dimension Attributes
        EP Access Right
        EP Administrator
        EP Agent Behavior Event Action
        EP Agent Behavior Event Alert
        EP Agent Behavior Event Caller Return Module Name
        EP Agent Behavior Event Description
        EP Agent Behavior Event Process Name
        EP Agent Behavior Event Description
        EP Agent Behavior Event Process Name
        EP Agent Behavior Event Rule Name
        EP Agent Behavior Event Send SNMP Trap
        EP Agent Behavior Event Severity
        EP Agent Behavior Event Test Mode
        EP Agent Behavior Event Type
        EP Agent Behavior Event User Name
        EP Agent Behavior Event VAPI Name
        EP Agent Security Event Alert
        EP Agent Security Event App Name
        EP Agent Security Event Hack Type
        EP Agent Security Event Local Host IP
        EP Agent Security Event Location Name
        EP Agent Security Event Network Protocol
        EP Agent Security Event Remote Host IP
        EP Agent Security Event Remote Host MAC
        EP Agent Security Event Remote Host Name
        EP Agent Security Event Send SNMP Trap
        EP Agent Security Event Severity
        EP Agent Security Event Traffic Direction
        EP Agent Security Event Type
        EP Agent Security Event User Name
        EP Agent System Event Category
        EP Agent System Event Send SNMP Trap
        EP Agent System Event Severity
        EP Agent System Event Source
        EP Agent System Event Type
        EP Agent Traffic Event Alert
        EP Agent Traffic Event Application Name
        EP Agent Traffic Event Blocked
        EP Agent Traffic Event Local Port
        EP Agent Traffic Event Location Name
        EP Agent Traffic Event Network Protocol
        EP Agent Traffic Event Remote Host IP
        EP Agent Traffic Event Remote Port
        EP Agent Traffic Event Rule Name
        EP Agent Traffic Event Send SNMP Trap
        EP Agent Traffic Event Severity
        EP Agent Traffic Event Traffic Direction
        EP Agent Traffic Event Type
        EP Agent Traffic Event User Name
        EP Alert
        EP Alert Date
        EP AntiVirus Policy Download Advisor
        EP AntiVirus Policy Global Scan Options
        EP AntiVirus Policy Mac Admin Defined Common
        EP AntiVirus Policy Mac Admin Defined Scans
        EP AntiVirus Policy Mac Auto Protect
        EP AntiVirus Policy Mac Miscellaneous
        EP AntiVirus Policy Sonar Settings
        EP AntiVirus Policy Windows Admin Defined Advanced
        EP AntiVirus Policy Windows Admin Defined Scans
        EP AntiVirus Policy Windows Auto Protect
        EP AntiVirus Policy Windows Miscellaneous
        EP AntiVirus Policy
        EP Application and Device Control Policy
        EP Application and Device Control Rule
        EP Blocked Device
        EP Blocked Target
        EP Client
        EP Computer
        EP Creation Date
        EP Domain
        EP Event Action Taken
        EP Event Date
        EP Event Description
        EP Event Detection
        EP Event Direction
        EP Event Local IP Address
        EP Event Remote IP Address
        EP Event Time
        EP Exception Client Restriction
        EP Exception Item
        EP Exception Policy
        EP Excluded Device
        EP Firewall Policy Rule
        EP Firewall Policy Security Settings
        EP Firewall Policy
        EP Group
        EP Host Integrity Check Action
        EP Host Integrity Check Criteria
        EP Host Integrity Check Description
        EP Host Integrity Check Result
        EP Host Integrity Check Rule Name
        EP Host Integrity Check Rule Type
        EP Host Integrity Check Target
        EP Host Integrity Event Location
        EP Host Integrity Event Severity
        EP Host Integrity Event Type
        EP Host Integrity Event User Name
        EP Host Integrity Policy Advanced
        EP Host Integrity Policy Requirement
        EP Host Integrity Policy
        EP Insight Detection
        EP Intrusion Prevention Policy
        EP Intrusion Prevention Signature
        EP IPS Detection Event Name
        EP IPS Detection Event SID
        EP IPS Detection Event Type
        EP Last Checkin Date
        EP Last Scan Date
        EP Last Virus Date
        EP Live Update Policy Explicit GUP Mapping
        EP Live Update Policy Mac Advanced
        EP Live Update Policy Mac Schedule
        EP Live Update Policy Server Mac
        EP Live Update Policy Mac Server Settings
        EP Live Update Policy Proxy Settings
        EP Live Update Policy Windows Advanced
        EP Live Update Policy Windows Schedule
        EP Live Update Policy Server Windows
        EP Live Update Policy Windows Server Settings
        EP Live Update Policy
        EP Location
        EP Policy
        EP Protection Technology
        EP Scan Client User
        EP Scan Start Date
        EP Scan Status
        EP Security Virtual Appliance
        EP Server
        EP Server Admin Event Admin Name
        EP Server Admin Event Description
        EP Server Admin Event Error Code
        EP Server Admin Event Message ID
        EP Server Admin Event Severity
        EP Server Admin Event Type
        EP Server System Event Error Code
        EP Server System Event Message ID
        EP Server System Event Severity
        EP Server System Event Type
        EP Site
        EP SONAR Detection
        EP Virus
        EP Virus Definition


Chapter 1
About this guide
Foreword
IT Analytics complements and expands upon the reporting and analytics offered by Symantec Endpoint
Protection. The capabilities provided within the IT Analytics Symantec Endpoint Protection Content Pack allow
customers to extract maximum value from the data contained within their Symantec Endpoint Protection Manager
database(s). This product relies on a functional implementation of the IT Analytics Server version 2.1. The IT
Analytics Server is the underlying technology that serves as a foundation for all the IT Analytics Content Packs.
By implementing the IT Analytics Symantec Endpoint Protection Content Pack, you attain the following benefits:
• Unified view of data from multiple Symantec Endpoint Protection Manager databases
• Powerful on-the-fly forensic analysis through ad-hoc reports and charts, with pivot tables
• Out-of-the-box visually informative KPI scorecards, dashboards, and reports
• Replacement for time-consuming and complex custom reporting
For more information about the IT Analytics Server version 2.1 installation guidelines, refer to the IT Analytics
Server Administrator Guide. For more information about using the IT Analytics Portal, refer to the IT Analytics
Portal User Guide.
This document provides guidance on how to install the IT Analytics Symantec Endpoint Protection Content Pack
into an IT Analytics Server. For additional assistance with the deployment of IT Analytics, please contact Support.

Style Conventions
This guidance uses the style conventions that are described in the following table.

Table 1-1 Style conventions for this document

| Element | Meaning |
| --- | --- |
| Bold font | Signifies characters typed exactly as shown, including commands, switches, and file names. User interface elements also appear in bold. |
| Italic font | Titles of books and other substantial publications appear in italic. |
| Italic | Placeholders set in italic represent variables. |
| Monospace font | Defines code and script samples. |
| NOTE | Alerts the reader to supplementary information. |


Chapter 2
System Requirements
Deployment Infrastructure
IT Analytics Symantec Endpoint Protection Content Pack requires a functional implementation of the IT Analytics
Server version 2.1. For more information about the IT Analytics Server installation guidelines, please refer to the
IT Analytics Server Administrator Guide. The IT Analytics Symantec Endpoint Protection Content Pack supports
existing implementations of Symantec Endpoint Protection version 12.x and 14.x, with the Symantec Endpoint
Protection Manager database as the source of report data.

Chapter 3
Installing and Configuring the Content Pack
Configuring the Content Pack
Configure the Content Pack
To take advantage of your Content Pack you now have to configure it using the IT Analytics Portal and create at
least one data source to associate with the Content Pack.

Adding a Connection
1. To configure connections to the Content Packs, open the IT Analytics Portal in a browser at:
http://servername:port/ITAnalytics/, where servername is the name of the IT Analytics Server.

1. Clicking on the Setting button in the toolbar, navigate to Settings > Data Sources. Under the Symantec
Endpoint Protection Content Pack, you should see the following text:

IT Analytics Symantec Endpoint Protection requires a connection to a Symantec Endpoint Protection
Database as data source before related cubes can be installed. A Connection to a SEP 12 or higher
database will give you access to Insight SONAR cubes.

2. To the right of that text, click the Settings button and then Add Connection to access the connection
wizard, then click Next.
3. On the Database Settings Page, enter the SQL Server Host Name and Database Name where the SEP
Manager database is being hosted and change the default port if necessary. Choose Windows
Authentication if your logged-in account has the appropriate rights or, if you prefer, use SQL Server
Authentication with the proper credentials.
4. Review the information on the Summary Page before clicking Next to create the connection.
5. Verify that the connection has been configured successfully and click Finish.
6. You can now install cubes and reports from the Symantec Endpoint Protection Content Pack. To do so,
please refer to the Cubes Installation and Reports Installation sections of this guide.
7. To add additional connections to other Symantec Endpoint Protection Databases, click the Settings button
to the right of the SEP Connections dropdown menu and select Add Connection. Follow steps 3 through 5
above to add an additional connection.
For more information about installing cubes and reports and processing cubes, please refer to the IT Analytics
Server Administrator Guide.

Removing a Connection
1. To remove connections to the Content Packs, open the IT Analytics Portal and navigate to Settings > Data
Sources.
2. In the SEP Connections dropdown menu, select the connection you want to remove, then click the Settings
button to the right and click Remove Connection.
3. Click OK to confirm the removal of that connection; the data sources page should refresh. Verify that the
connection is no longer displayed on the data sources page.

Note that removing a data source connection does not remove the cubes or cube data (if cubes are already
installed and processed). However, if you have any processing jobs scheduled to run that utilize a connection that
has been deleted, the processing jobs will fail.

Cubes Installation
Now that a connection to the Symantec Endpoint Protection Manager database has been established, you will
need to install the cubes from the Symantec Endpoint Protection Content Pack.

Installing Cubes from the Content Pack



1. Once the appropriate data source connections have been established, you can install cubes available from
the Content Packs you have already implemented. To install cubes in the IT Analytics Portal, navigate to
Settings > Cubes Installation.
2. Select the Symantec Endpoint Protection cubes you would like to install from the Not Installed section, or
click Select All to specify all available cubes. You can select multiple cubes by holding down CTRL or
SELECT and clicking on the cubes you want to install.
3. Click the Install button to begin the installation of the selected cubes.
4. You can monitor the progress of cube installation in the IT Analytics Event Viewer. When the status
message Cube install process has completed appears, click Close.
5. On the Cube Installation tab, review that the selected cubes now appear in the Installed section. Click the
Refresh button if necessary to ensure the latest update. Once installed, there should be a message next to
each cube that states they require processing.

Reports Installation
Similar to installing the cubes, the out-of-the-box reports and dashboards can also be installed from the Symantec
Endpoint Protection Content Pack.

Installing Reports from a Content Pack


1. Once the appropriate data source connections have been established, you can install reports available from
the Content Packs you have already implemented. To install reports in the IT Analytics Portal, navigate to
Settings > Reports Installation.
2. Select the Symantec Endpoint Protection reports you would like to install from the Available for installation
section, or click Select All to choose all available reports. You can select multiple reports by holding down
CTRL or SELECT and clicking on the reports you want to install.
3. Click the Install button to install the selected reports.
4. Monitor the progress of reports installation in the IT Analytics Event Viewer. When the status message
Report install process has completed appears, click Close.
5. On the Report Installation tab, review that the selected reports now appear in the Installed section. Click
the Refresh button if necessary to ensure the latest update. Once installed, there should be a message next
to each report that states it is installed.
For more information about processing cubes, please refer to the IT Analytics Server Administrator Guide.


Chapter 4
Content Pack Reporting Examples
This section is intended to provide step-by-step examples of using IT Analytics reporting specifically for the
Symantec Endpoint Protection Content Pack. Note that these examples do not cover all the reporting features of
the IT Analytics Portal. For more information about using the IT Analytics Portal, refer to the IT Analytics Portal
User Guide.

Example 1: Using the Cube Browser with the Symantec Endpoint Protection Content Pack
The IT Analytics Cube Browser provides an interactive view of an OLAP cube. You can use it to dynamically
analyze data from within the IT Analytics Portal and create views by easily dragging and dropping fields in place.
The cube browser lets you view, organize, and summarize data into on-demand, personalized reports.

Creating a cube view using the SEP Clients Cube


You can easily create a SEP Clients table that displays computers by client version, firewall status, and infected
status as shown in the example below. Additionally, you can leverage some of the robust charting and detail views
that are native to IT Analytics.

NOTE: To follow this example you must have IT Analytics Symantec Endpoint Protection Content Pack installed
on your system and all cubes must be processed. While this is just one example, you can apply similar
configuration tactics to create any cube views.

To create a SEP Clients cube view


1. Open the IT Analytics Portal in a browser at: http://servername:port/ITAnalytics/, where servername is the
name of the IT Analytics Server.
2. In the left navigation, expand the Cubes folder.
3. Choose the SEP Clients cube to load the cube in the browser.

4. In the Field List section on the right, expand Measures (denoted by the icon) and then expand Client.
5. Click Client Count to select the measure value and drag it to the left-hand portion of the window, where it
states “Add measures from the field list to view data from this cube.” Measures, or totals, are the aggregate
summary counts for each cube. Alternatively, you can drag the Client Count measure into the Measures
window in the Cube View Configuration Section at the bottom of the screen.

6. From the Field List, expand the Client dimension (denoted by the icon) then click Client - Infected,
and drag it over the value cell for the Client Count measure you displayed in the previous step to display
these values across rows. This field indicates whether the computer is infected. Alternatively, you can drag
the Client – Infected dimension to the Rows window in the Cube View Configuration section.
7. From the Field List, expand the Computer dimension, click Computer – Computer Name, and drag it in
between Client – Infected and Client Count in the cube viewer window. Alternatively, you can drag
Computer – Computer Name to the Rows window in the Cube View Configuration section, underneath
Client – Infected.
8. Because you already have an existing field (Client - Infected), you have the option to place the new field
before or after the existing field. Simply click on the column header and move it in front, or rearrange the
order in the Cube View Configuration section below. You can move the field to different places in order to
dynamically change how your data is presented.
9. From the Field List, click Client - Firewall Status, and then drag it over the Client Count header to display
values across columns. This field displays the status of the firewall. Alternatively, you can drag Client –
Firewall Status to the Columns window in the Cube View Configuration section.
10. From the Field List, click Client - Version, and drag it to the Filters window in the Cube View Configuration
section. This field displays the version of the SEP client installed. Dropping it into the Filter area allows you to
filter the report by client version.
11. To filter on a specific value, right-click on the Client – Version dimension in the Filters window and select
Manage Filters. Choose to include or exclude specific client versions by checking or unchecking specific
values, then click OK. The data in the cube view will refresh to reflect your filter selection.
12. Expand the Client - Infected row by clicking the plus sign (+) next to the ‘Yes’ or ‘No’ value. You can now
view which specific computers have an agent installed for the version you filtered on, and whether the
firewall is currently turned on.

Using additional features of the cube browser


1. Using the example above, you can hover your mouse over any value cell in the report to display a
contextually aware pop-up chart to get a different view of your data.
2. For more robust charting options, right-click on the cell that represents the total number of clients in the
report (lower-right hand corner) and select a chart format (pie, bar, column, etc.). This will pop up a new
window to display the chart, and that window can be minimized and saved within the cube view for easy
access.
3. To display the data in the report in a more grid-like fashion (rather than expanding each dimension to see the
data) you can opt for a details view. For example, expand the Virus Definition dimension and click on Virus
Definition – Version and drag it to the Details window of the Cube View Configuration section.
4. Right-click on the cell that represents the total number of clients in the report (lower-right hand corner) and
select View Details. This will pop up a new window to display the data in a more tabular or grid format, and
you have the ability to sort columns, search for data strings or export this data to Excel or as a CSV file. As
with the chart windows, you can minimize this details view to the cube view for convenient access.
For more information on additional features within the IT Analytics Portal, refer to the IT Analytics Portal User
Guide.

Example 2: Creating a Key Performance Indicator (KPI) with the Symantec Endpoint Protection Content Pack
IT Analytics Symantec Endpoint Protection Content Pack lets you create Key Performance Indicators (KPIs) by
manually defining them in the cube viewer. KPIs are defined as quantifiable measures that represent a critical
success factor in an organization. The emphasis is on the action of quantifying something in the environment. For
example, the KPIs must be measurable to successfully be monitored and compared against a given objective.

Creating a Key Performance Indicator using the SEP Clients Cube


In the IT Analytics Symantec Endpoint Protection Content Pack, KPIs are created from existing measures.
However, not all measures are good candidates for KPI utilization. A measure should be leveraged in a KPI only
if it represents a critical success factor to gauge performance. Besides being measurable and
performance-oriented, KPIs should be used to track progress against the strategic and typically long-term goals
that remain fairly static in nature.

NOTE: To follow this example you must have IT Analytics Symantec Endpoint Protection Content Pack installed
on your system and all cubes must be processed. While this is just one example, you can apply similar
configuration tactics to create other KPIs.

The steps below provide an example of creating KPIs for computers without active firewalls defined through the
SEP Clients cube. The example highlights how this procedure automatically populates some of the MDX code
that is needed to define the KPI.

To create Key Performance Indicators


1. Open the IT Analytics Portal in a browser at: http://<servername:port>/ITAnalytics/, where <servername> is
the name of the IT Analytics Server.
2. In the left navigation, expand the Cubes folder.
3. Choose the SEP Clients cube to load the cube in the browser.
4. In the Field List section on the right, expand Measures (denoted by the icon) and then expand Client Count.
5. Click Client Count to select the measure value and drag it to the left-hand portion of the window, where it
states “Add measures from the field list to view data from this cube.” Measures, or totals, are the aggregate
summary counts for each cube. Alternatively, you can drag the Client Count measure into the Measures
window in the Cube View Configuration Section at the bottom of the screen.
6. From the Field List, expand the EP Client dimension (denoted by the icon) then click Client – Firewall
Status, and drag it over the value cell for the Client Count measure you displayed in the previous step to
display these values across rows. This field indicates whether the computer has its firewall on, off, or not
installed. Alternatively, you can drag the Client – Firewall Status dimension to the Rows window in the Cube
View Configuration section.
7. Right-click the cell in the cube view that represents the value of Client - Firewall Status as “On” and click
Create KPI from Selected Cell.
8. In the resulting New KPI pop-up window, you will see the following options:
• Selected value with no goal - Select this KPI if you simply want to tag a value and watch it.
• Selected value with a goal of zero - Select this KPI if the goal is for the selected value to equal zero.
• Percentage of a selected value with a goal of zero percent - Select this KPI if the goal is for the
selected value to be as close to zero percent as possible. If you select this KPI you will be asked to
select another cell to use as the denominator in order to determine the percentage.
• Percentage of a selected value with a goal of 100% - Select this KPI if the goal is for the selected value
to be equal to one hundred percent. If you select this KPI you will be asked to select another cell to use as
the denominator in order to determine the percentage.


9. For this example, we will choose Percentage of a selected value with a goal of 100% since our goal is to
have all machines with firewall enabled, then click Next.
10. We now need to choose a second value, which will represent the total number of machines in our
environment. Click Select Second Cell and then right-click the value for total Client Count and select Add
selected cell to new KPI definition. You should see a confirmation that the second cell was successfully
selected, then click Next.
11. For the status graphic, select Gauge – Ascending. You can leave the threshold values as is, or modify the
percentages as needed, then click Next.
12. (OPTIONAL) For the trend indicator, select Compare Current Period to Previous Period, then ensure the
following are filled out:
• Date Attribute: Last Checkin Date - Date
• Number of Days in Period Comparison: 30
• Graphic: Standard Arrow – Ascending (this denotes that you want the trend to be going up, and as
such the arrow will be colored accordingly – red for decreasing, green for increasing)
13. To name the KPI, enter the following text: Percent of Computers with Firewall On, then click Next.
14. Review the KPI settings and if satisfied, click Next.
15. Verify the KPI has been saved successfully and click Finish to close the wizard.
16. On the left navigation menu, click Key Performance Indicators. The new KPI should now display in the list
under the SEP Clients cube, with the current value, goal and status graphic already defined.
For more information on additional features within the IT Analytics Portal, refer to the IT Analytics Portal User
Guide.
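
To make the KPI built in Example 2 concrete, the following added example (not taken from this guide or from IT Analytics, which defines the KPI in MDX) recomputes "Percent of Computers with Firewall On" in Python over constructed client rows. The gauge thresholds (60/90), the way the 30-day trend windows are applied to Last Checkin Date, and the 60-day staleness cutoff are assumptions made for illustration.

```python
from collections import Counter
from datetime import date, timedelta

TODAY = date(2018, 5, 9)  # constructed reference date for the sample data


def _row(name, status, days_ago):
    """Build one constructed SEP client row (hypothetical field names)."""
    return {"computer": name, "firewall": status,
            "last_checkin": TODAY - timedelta(days=days_ago)}


# Constructed sample: firewall status is On, Off, or Not Installed.
CLIENTS = [
    _row("WS-001", "On", 2), _row("WS-002", "On", 5),
    _row("WS-003", "Off", 1), _row("WS-004", "Not Installed", 12),
    _row("WS-005", "On", 29), _row("WS-006", "On", 35),
    _row("WS-007", "Off", 40), _row("WS-008", "Off", 58),
    _row("WS-009", "Not Installed", 45), _row("WS-010", "On", 90),
]


def client_count_by_status(clients):
    """Client Count measure with Client - Firewall Status on rows."""
    return Counter(c["firewall"] for c in clients)


def percent_kpi(clients, selected="On"):
    """Selected cell divided by the second cell (total Client Count).

    Off and Not Installed clients both stay in the denominator, so either
    one pulls the KPI away from the 100% goal. Returns None with no clients.
    """
    total = len(clients)
    if total == 0:
        return None
    hits = sum(1 for c in clients if c["firewall"] == selected)
    return 100.0 * hits / total


def gauge_ascending(value, warn=60.0, ok=90.0):
    """Ascending gauge: higher is better. Thresholds are assumed values."""
    if value is None:
        return "no data"
    if value >= ok:
        return "green"
    return "yellow" if value >= warn else "red"


def checked_in_between(clients, start, end):
    """Clients whose last check-in falls in the window (start, end]."""
    return [c for c in clients if start < c["last_checkin"] <= end]


def trend(clients, today, days=30):
    """Compare the KPI for the current period with the previous period."""
    period = timedelta(days=days)
    current = percent_kpi(checked_in_between(clients, today - period, today))
    previous = percent_kpi(
        checked_in_between(clients, today - 2 * period, today - period))
    if current is None or previous is None:
        return None, current, previous
    if current > previous:
        direction = "up"      # green arrow for an ascending KPI
    elif current < previous:
        direction = "down"    # red arrow for an ascending KPI
    else:
        direction = "flat"
    return direction, current, previous


def stale(clients, today, days=60):
    """Computers with no check-in inside the cutoff (assumed 60 days)."""
    cutoff = today - timedelta(days=days)
    return [c["computer"] for c in clients if c["last_checkin"] <= cutoff]


if __name__ == "__main__":
    overall = percent_kpi(CLIENTS)
    print(dict(client_count_by_status(CLIENTS)))
    print("KPI: %.1f%% (%s)" % (overall, gauge_ascending(overall)))
    print("Trend:", trend(CLIENTS, TODAY))
    # A client that last checked in 90 days ago still counts as "On";
    # review stale rows before reading the KPI as current firewall coverage.
    old = stale(CLIENTS, TODAY)
    fresh = [c for c in CLIENTS if c["computer"] not in old]
    print("Stale:", old, "KPI without stale: %.1f%%" % percent_kpi(fresh))
```

Filtering the cube view on Last Checkin Date before creating the KPI has the same effect as the `fresh` list here: the percentage then describes only clients that have reported recently.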


Chapter 5
Content Pack Description
Cubes
The following is a list of default cubes provided within the IT Analytics Symantec Endpoint Protection Content
Pack, with their associated fields and KPIs (if applicable) as reference.

SEP Access Rights Cube


Provides data about the rights a given user has at the group or the computer level. This cube is useful in
understanding the rights users have to access specific groups and computers. It is also useful in understanding
the level of access each user has (Read, Full, or None).

Dimensions
• Access Right
• Administrator
• Computer
• Domain
• Group
• Server
• Site

Measures
• Administrator Count: The number of administrators.
• Computer Count: The number of rights that are assigned to computers. For a given user, a computer can have one of three rights: Read, Full, or No Access.
• Group Count: The number of rights that a group has.

SEP Agent Behavior Events Cube


Contains the information about the Agent Behavior Events that the computers with the Symantec Endpoint
Protection client generated. Information specific to this cube includes the total number of events, how many
computers generated events, and details of those behavior events.

Dimensions
• Agent Behavior Event Action
• Agent Behavior Event Alert
• Agent Behavior Event Caller Return Module
• Agent Behavior Event Description
• Agent Behavior Event Process Name
• Agent Behavior Event Rule Name
• Agent Behavior Event Send SNMP Trap
• Agent Behavior Event Severity
• Agent Behavior Event Test Mode
• Agent Behavior Event Type
• Agent Behavior Event User Name
• Agent Behavior Event VAPI Name
• Computer
• Domain
• Event Date
• Group
• Server
• Site

Measures
• Event Count: The number of events.
• Computer Count: The number of computers.

SEP Agent Security Events Cube

Contains the information about the Agent Security Events that the computers with the Symantec Endpoint
Protection client generated. Information specific to this cube includes the total number of events, how many
computers generated events, and details of those security events.

Dimensions
• Agent Security Event Alert
• Agent Security Event App Name
• Agent Security Event Hack Type
• Agent Security Event Local Host IP
• Agent Security Event Location Name
• Agent Security Event Network Protocol
• Agent Security Event Remote Host IP
• Agent Security Event Remote Host MAC
• Agent Security Event Remote Host Name
• Agent Security Event Send SNMP Trap
• Agent Security Event Severity
• Agent Security Event Traffic Direction
• Agent Security Event Type
• Agent Security Event User Name
• Client
• Computer
• Domain
• Event Date
• Group
• IPS Detection Event SID
• IPS Detection Event Name
• IPS Detection Event Type
• Server
• Site

Measures
• Event Count: The number of events.
• Computer Count: The number of computers.

Key Performance Indicators
• Number of IPS Detections in Last 30 Days: The number of IPS detection events in the last 30 days.

SEP Agent System Events Cube


Contains the information about the Agent System Events that the computers with the Symantec Endpoint
Protection client generated. Information specific to this cube includes the total number of events, how many
computers generated events, and details of those system events.

Dimensions
• Agent System Event Category
• Agent System Event Send SNMP Trap
• Agent System Event Severity
• Agent System Event Source
• Agent System Event Type
• Computer
• Domain
• Event Date
• Group
• Server
• Site

Measures
• Event Count: The number of events.
• Computer Count: The number of computers.

SEP Agent Traffic Events Cube


Contains the information about the Agent Traffic Events that the computers with the Symantec Endpoint
Protection client generated. Information specific to this cube includes the total number of events, how many
computers generated events, and details of those traffic events.

Dimensions
• Agent Traffic Event Alert
• Agent Traffic Event Application Name
• Agent Traffic Event Blocked
• Agent Traffic Event Local Port
• Agent Traffic Event Location Name
• Agent Traffic Event Network Protocol
• Agent Traffic Event Remote Host IP
• Agent Traffic Event Remote Port
• Agent Traffic Event Rule Name
• Agent Traffic Event Send SNMP Trap
• Agent Traffic Event Severity
• Agent Traffic Event Traffic Direction
• Agent Traffic Event Type
• Agent Traffic Event User Name
• Computer
• Domain
• Event Date
• Group
• Server
• Site

Measures
• Event Count: The number of events.
• Computer Count: The number of computers.

SEP Alerts Cube


Contains the information about the alerts that the computers with the Symantec Endpoint Protection client
generated. The information that is specific to this cube includes: total number of alerts, how many computers
generated alerts, actions taken, categorization, and details of the viruses and risks that caused the alerts to be
generated.

Dimensions
• Alert
• Alert Date
• Computer
• Domain
• Group
• Server
• Site
• Virus

Measures
• Alerts: The number of alerts that match the given criteria.
• Computers: The number of computers that match the given criteria.
• Viruses: The number of viruses that match the given criteria.
• Blocked: The number of viruses that were blocked that match the given criteria.
• Cleaned: The number of viruses that were cleaned that match the given criteria.
• Deleted: The number of viruses that were deleted that match the given criteria.
• Quarantined: The number of viruses that were quarantined that match the given criteria.
• Suspicious: The number of suspicious viruses that were detected that match the given criteria.

Key Performance Indicators
• Percent of Virus Infections Cleaned: The percentage of virus infections that have been cleaned in the last 30 days.
• Number of Alerts in Last 30 Days: The number of alerts in the last 30 days.

SEP AntiVirus Policies Cube


Contains the information that provides insight into the AntiVirus policies, which can be applied to groups and/or
machines.

Dimensions
• AntiVirus Policy
• Client
• Computer
• Domain
• Download Advisor
• Global Scan Options
• Group
• Last Checkin Date
• Location
• Mac Admin Defined Common
• Mac Admin Defined Scans
• Mac Auto Protect
• Mac Miscellaneous
• Server
• Site
• Sonar Settings
• Virus Definition
• Windows Admin Defined Advanced
• Windows Admin Defined Scans
• Windows Auto Protect
• Windows Miscellaneous

Measures
• Computer Count: The number of computers.
• Group Count: The number of groups.

SEP App and Device Control Policies Cube


Contains the information that provides insight into the Application and Device Control policies which can be
applied to groups and/or machines.

Dimensions
• Application and Device Control Policy
• Application and Device Control Rule
• Blocked Device
• Blocked Target
• Client
• Computer
• Domain
• Excluded Device
• Group
• Last Checkin Date
• Location
• Server
• Site
• Virus Definition

Measures
• Computer Count: The number of computers.
• Group Count: The number of groups.


SEP Clients Cube


Contains the information about computers with the Symantec Endpoint Protection client. Information unique to
this cube includes virus definition information and client settings. It also contains several important date elements
that are meaningful when you manage the deployment and maintenance of Symantec Endpoint Protection
clients.

Dimensions
• Client
• Computer
• Creation Date
• Domain
• Group
• Intrusion Prevention Signature
• Last Checkin Date
• Last Scan Date
• Last Virus Date
• Security Virtual Appliance
• Server
• Site
• Virus Definition

Measures
• Client Count: The number of Symantec Endpoint Protection clients that match the given criteria.

Key Performance Indicators
• Percent of Clients with Virus Infection: The percentage of clients with a virus infection in the last 30 days.
• Percent of Clients with Scan Completed in Last 30 Days: The percentage of the clients that have completed a scan in the last 30 days.

SEP Event Summary Cube


Contains detection event information across all protection technologies within SEP.

Dimensions
• Client
• Computer
• Domain
• Event Action Taken
• Event Date
• Event Description
• Event Detection
• Event Direction
• Event Local IP Address
• Event Remote IP Address
• Event Time
• Group
• Protection Technology
• Server
• Site

Measures
• Client Count: The number of Symantec Endpoint Protection clients that match the given criteria.
• Event Count: The number of events.

SEP Exception Policies Cube


Contains the information that provides insight into the Exception policies which can be applied to groups and/or
machines.

Dimensions
• Client
• Client Restrictions
• Computer
• Domain
• Exception Item
• Exception Policy
• Group
• Last Checkin Date
• Location
• Server
• Site
• Virus Definition

Measures
• Computer Count: The number of computers.
• Group Count: The number of groups.

SEP Firewall Policies Cube


Contains the information that provides insight into the Firewall policies which can be applied to groups and/or
machines.

Dimensions
• Client
• Computer
• Domain
• Firewall Policy
• Firewall Policy Rule
• Group
• Last Checkin Date
• Location
• Security Settings
• Server
• Site
• Virus Definition

Measures
• Computer Count: The number of computers.
• Group Count: The number of groups.
• Rule Count: The number of firewall rules.

SEP Host Integrity Events Cube


Contains the information about the Host Integrity Events that the computers with the Symantec Endpoint
Protection client generated. The information that is specific to this cube includes: total number of Host Integrity
events and the breakdown of pass vs. failure of those events, total number of checks and the breakdown of pass
vs. failure for those checks, how many computers generated events, and details of the events.

Dimensions
• Client
• Computer
• Domain
• Event Date
• Group
• Host Integrity Check Action
• Host Integrity Check Criteria
• Host Integrity Check Description
• Host Integrity Check Result
• Host Integrity Check Rule Name
• Host Integrity Check Rule Type
• Host Integrity Check Target
• Host Integrity Event Location
• Host Integrity Event Severity
• Host Integrity Event Type
• Host Integrity Event User Name
• Server
• Site

Measures
• Checks Failed: The number of Host Integrity checks that failed.
• Checks Passed: The number of groups.
• Host Integrity Check Count: Total number of Host Integrity checks.
• Passed Count: The number of Host Integrity policies passed.
• Failed Count: The number of Host Integrity policies failed.
• Event Count: The number of Host Integrity events.
• Computer Count: The number of computers.

Key Performance Indicators
• Percent of Host Integrity Checks Failed in Last 30 Days: The number of Host Integrity checks that failed in the last 30 days.

SEP Host Integrity Policies Cube


Contains the information that provides insight into the Host Integrity policies which can be applied to groups
and/or machines.

Dimensions
• Advanced
• Client
• Computer
• Domain
• Group
• Host Integrity Policy
• Last Checkin Date
• Location
• Requirement
• Server
• Site
• Virus Definition

Measures
• Computer Count: The number of computers that are subject to the policies.
• Group Count: The number of groups.

SEP Insight Detections Cube


Contains the information about the Insight Detections that the computers with the Symantec Endpoint Protection
client generated. The information that is specific to this cube includes: total number of detections, how many
computers generated detections, the number of risks detected, and details of the detections and risks that caused
the event to be generated.

Dimensions
• Alert
• Alert Date
• Computer
• Domain
• Group
• Insight Detection
• Server
• Site
• Virus

Measures
• Computer Count: The number of computers that are subject to the policies.
• Detection Count: The number of detections.
• Risk Count: The number of risks.

Key Performance Indicators
• Number of Insight Detections in Last 30 Days: The number of Insight detections in the last 30 days.
• Percent of Insight Detections Permitted by User in Last 30 Days: The number of Insight Detections that were permitted by users in the last 30 days.

SEP Intrusion Prevention Policies Cube


Contains the information that provides insight into the Intrusion Prevention policies which can be applied to
groups and/or machines.

Dimensions
• Client
• Computer
• Domain
• Group
• Intrusion Prevention Policy
• Last Checkin Date
• Location
• Server
• Site
• Virus Definition

Measures
• Computer Count: The number of computers that are subject to the policies.
• Group Count: The number of groups.

SEP LiveUpdate Policies Cube


Contains the information that provides insight into the LiveUpdate policies which can be applied to groups and/or
machines.

Dimensions
 Client
 Computer
 Domain
 Explicit GUP Mapping
 Group
 Last Checkin Date
 LiveUpdate Policy
 Location
 Mac Advanced
 Mac LiveUpdate Server
 Mac Schedule
 Mac Server Settings
 Proxy Settings
 Server
 Site
 Virus Definition
 Windows Advanced
 Windows LiveUpdate Server
 Windows Schedule
 Windows Server Settings

Measures


 Computer Count: The number of computers that are subject to the policies.
 Group Count: The number of groups.

SEP Policies Cube


Contains the information that provides insight into the various Symantec Endpoint Protection policies which can
be applied to groups and/or machines.

Dimensions
 Client
 Computer
 Domain
 Group
 Last Checkin Date
 Location
 Policy
 Server
 Site
 Virus Definition

Measures
 Computer Count: The number of computers that are subject to the policies.
 Group Count: The number of groups.

SEP Scans Cube


Contains the information about the actual scans that were performed on computers with the Symantec Endpoint
Protection client. The information that is specific to this cube includes: total number of scans performed, how
many computers were scanned, how many infections and threats the scans detected, total number of files
scanned, the files that were omitted from the scans, and the duration of the scans.

Dimensions
 Computer
 Domain
 Group
 Scan Client User
 Scan Start Date
 Server
 Site
 Status

Measures
 Computers: The total number of computers that were scanned that match the given criteria.
 Duration: The total duration to complete a scan that matched the given criteria.
 Infected: The total number of infections that were detected that matched the given criteria.
 Omitted: The total number of files that were omitted from the scans that matched the given criteria.
 Scans: The total number of scans that were performed that matched the given criteria.
 Threats: The total number of threats that were detected that matched the given criteria.
 Total Files: The total number of files that were scanned that matched the given criteria.

Key Performance Indicators


 Percent of Scans Cancelled in Last 30 Days: The percentage of the scans that have been canceled in the last
30 days.

SEP Security Virtual Appliances


Contains the information about the Security Virtual Appliances that exist within the Symantec Endpoint Protection
Managers. Information specific to this cube includes the detailed information about the Security Virtual
Appliances, how many systems are connected to them and the total size and request details about the Shared
Insight Cache.

Dimensions
 Creation Date


 Domain
 Group
 Last Checkin Date
 Last Reboot Date
 Security Virtual Appliance
 Server
 Site

Measures
 SVA Count: The number of Security Virtual Appliances.
 Client Count: The number of clients connected to SVAs.
 Shared Insight Cache Size: The size of the Shared Insight Cache.
 Shared Insight Request Count: The number of Shared Insight requests.
 Shared Insight Submit Count: The number of submits to the Shared Insight Cache.

SEP Server Admin Events Cube


Contains the information about the Server Admin Events that the Symantec Endpoint Protection Managers
generated. Information specific to this cube includes the total number of events and details of those events.

Dimensions
 Domain
 Event Date
 Server
 Server Admin Event Admin Name
 Server Admin Event Description
 Server Admin Event Error Code
 Server Admin Event Message ID
 Server Admin Event Severity
 Server Admin Event Type
 Site

Measures
 Event Count: The number of events.

SEP Server System Events Cube


Contains the information about the Server System Events that the Symantec Endpoint Protection Managers
generated. Information specific to this cube includes the total number of events and details of those events.

Dimensions
 Domain
 Event Date
 Server
 Server System Event Error Code
 Server System Event Message ID
 Server System Event Severity
 Server System Event Type
 Site

Measures
 Event Count: The number of events.

SEP SONAR Events Cube


Contains the information about the SONAR Detections that the computers with the Symantec Endpoint Protection
client generated. The information that is specific to this cube includes: total number of detections, how many
computers generated detections, the number of risks detected, and details of the detections and risks that caused
the event to be generated.

Dimensions
 Alert


 Alert Date
 Computer
 Domain
 Group
 Server
 Site
 SONAR Detection
 Virus

Measures
 Detection Count: The number of detections.
 Risk Count: The number of risks.
 Computer Count: The number of computers.

Key Performance Indicators


 Number of High Sensitivity SONAR Detections in Last 30 Days: The number of SONAR detections in the last
30 days that have a high sensitivity.
 Percent of SONAR Risks Confirmed in Last 30 Days: The number of SONAR Detections in the last 30 days
where the detection type is Confirmed Risk.

Reports
The following is a list of default reports provided within the IT Analytics Symantec Endpoint Protection Content
Pack, with their associated descriptions as reference.

Client Version Details


Displays the details of the Symantec Endpoint Protection client versions that are in the environment.

Host Integrity Event Details


Displays the details of Host Integrity events the Symantec Endpoint Protection clients generated over a
designated period of time.

Insight Detection Details


Displays the details of Insight detections the Symantec Endpoint Protection clients generated over a designated
period of time.

Intrusion Prevention Detection Details


Displays the details of IPS detection events the Symantec Endpoint Protection clients generated over a
designated period of time.

Intrusion Prevention Detection Trend


Displays a count of IPS detection events over time in a table form. It includes a graphical trend of IPS detection
events for a designated period of time.

Intrusion Prevention Signature Details


Displays the details of the intrusion prevention signatures for the Symantec Endpoint Protection clients.

Scan Trend
Displays a count of computers, scans, threats, and the total files that were scanned over time in a table form. It
also includes a graphical trend of computers, scans, and threats for a designated period of time.

Security Virtual Appliance Details


Displays the details of the Security Virtual Appliances that exist within the Symantec Endpoint Protection
Managers.

SONAR Detection Details


Displays the details of SONAR detections the Symantec Endpoint Protection clients generated over a designated
period of time.

Virus Alert Details


Displays the details of alerts that the Symantec Endpoint Protection clients generated over a designated period of
time.

Virus Alert Trend


Displays a count of blocked, cleaned, quarantined, deleted, suspicious, and still infected alerts over time in a table
form. It includes a graphical trend of virus alerts for a designated period of time.

Virus Definition Distribution Details


Displays the details of virus definition distribution for the Symantec Endpoint Protection clients.

Dashboards
The following is a list of default dashboards provided within the IT Analytics Symantec Endpoint Protection
Content Pack, with their associated description as reference.

Symantec Endpoint Protection Client Dashboard


Displays a graphical representation of the current Symantec Endpoint Protection clients that are in the
environment. Specific charts also include the following information:
 Client version, virus definition version
 Intrusion prevention signatures
 The number of days since clients last connected to the Endpoint Protection Manager

Symantec Endpoint Protection Host Integrity Event Dashboard


Displays a graphical representation of the top five Host Integrity rules that have had failed checks. It also contains
the Host Integrity checks broken down by Rule Type and Location.

Symantec Endpoint Protection Insight Detection Dashboard


Displays a graphical representation of the following information:
 Top five detections that users allowed
 Top five detections broken down by the reason for the detection
 Top download detections by user
 The top download detections by web domain

Symantec Endpoint Protection IPS Dashboard


Displays a graphical representation that includes the following information:
 Distinct computers with intrusion prevention events by traffic direction
 Top intrusion prevention events by application and traffic direction
 Top inbound source and destination IP addresses, with event count
 Top outbound source and destination IP addresses, with event count

Symantec Endpoint Protection IPS Detection Event Dashboard


Displays a graphical representation that includes the following information:
 Top five IPS detection events by application name
 Top five IPS detection events by group
 Top five IPS detection events by location
 Top five IPS detection events by user

Symantec Endpoint Protection Risk Dashboard


Displays a graphical representation of the threat types and specific virus names. It also contains the remediation
actions that the Symantec Endpoint Protection clients have taken over a period of time.

Symantec Endpoint Protection SONAR Detection Dashboard


Displays a graphical representation of the top applications that SONAR detected, the top detections by type, and
the top download detections by sensitivity.

Symantec Endpoint Protection SVA Client Dashboard


Displays a graphical representation of the current Security Virtual Appliances that are in the environment. Specific
charts also include the following information:

 Client version, virus definition version


 Clients connected vs. not connected
 The number of days since clients last connected to the Endpoint Protection Manager

Dimension Attributes
The following is a list of default cube dimensions and their associated attributes provided within the IT Analytics
Symantec Endpoint Protection Content Pack, as reference.

EP Access Right
EP Access Right contains the following dimension attributes:
 Access Right - Type

EP Administrator
EP Administrator contains the following dimension attributes:
 Administrator - Account Name
 Administrator - Authentication Method
 Administrator - Domain
 Administrator - Full Name
 Administrator - Status
 Administrator - Type
 Administrator - User Name

EP Agent Behavior Event Action


EP Agent Behavior Event Action contains the following dimension attributes:
 Agent Behavior Event - Action

EP Agent Behavior Event Alert


EP Agent Behavior Event Alert contains the following dimension attributes:
 Agent Behavior Event - Alert

EP Agent Behavior Event Caller Return Module Name


EP Agent Behavior Event Caller Return Module Name contains the following dimension attributes:
 Agent Behavior Event - Caller Return Module Name

EP Agent Behavior Event Description


EP Agent Behavior Event Description contains the following dimension attributes:
 Agent Behavior Event – Description

EP Agent Behavior Event Process Name


EP Agent Behavior Event Process Name contains the following dimension attributes:
 Agent Behavior Event – Process Name

EP Agent Behavior Event Rule Name


EP Agent Behavior Event Rule Name contains the following dimension attributes:
 Agent Behavior Event – Rule Name

EP Agent Behavior Event Send SNMP Trap


EP Agent Behavior Event Send SNMP Trap contains the following dimension attributes:


 Agent Behavior Event – Send SNMP Trap

EP Agent Behavior Event Severity


EP Agent Behavior Event Severity contains the following dimension attributes:
 Agent Behavior Event - Severity

EP Agent Behavior Event Test Mode


EP Agent Behavior Event Test Mode contains the following dimension attributes:
 Agent Behavior Event – Test Mode

EP Agent Behavior Event Type


EP Agent Behavior Event Type contains the following dimension attributes:
 Agent Behavior Event - Type

EP Agent Behavior Event User Name


EP Agent Behavior Event User Name contains the following dimension attributes:
 Agent Behavior Event – User Name

EP Agent Behavior Event VAPI Name


EP Agent Behavior Event VAPI Name contains the following dimension attributes:
 Agent Behavior Event – VAPI Name

EP Agent Security Event Alert


EP Agent Security Event Alert contains the following dimension attributes:
 Agent Security Event - Alert

EP Agent Security Event App Name


EP Agent Security Event App Name contains the following dimension attributes:
 Agent Security Event - App Name

EP Agent Security Event Hack Type


EP Agent Security Event Hack Type contains the following dimension attributes:
 Agent Security Event – Hack Type

EP Agent Security Event Local Host IP


EP Agent Security Event Local Host IP contains the following dimension attributes:
 Agent Security Event – Local Host IP

EP Agent Security Event Location Name


EP Agent Security Event Location Name contains the following dimension attributes:
 Agent Security Event – Location

EP Agent Security Event Network Protocol


EP Agent Security Event Network Protocol contains the following dimension attributes:
 Agent Security Event – Network Protocol

EP Agent Security Event Remote Host IP


EP Agent Security Event Remote Host IP contains the following dimension attributes:
 Agent Security Event – Remote Host IP

EP Agent Security Event Remote Host MAC


EP Agent Security Event Remote Host MAC contains the following dimension attributes:
 Agent Security Event – Remote Host MAC

EP Agent Security Event Remote Host Name


EP Agent Security Event Remote Host Name contains the following dimension attributes:


 Agent Security Event – Remote Host Name

EP Agent Security Event Send SNMP Trap


EP Agent Security Event Send SNMP Trap contains the following dimension attributes:
 Agent Security Event – Send SNMP Trap

EP Agent Security Event Severity


EP Agent Security Event Severity contains the following dimension attributes:
 Agent Security Event – Severity

EP Agent Security Event Traffic Direction


EP Agent Security Event Traffic Direction contains the following dimension attributes:
 Agent Security Event – Traffic Direction

EP Agent Security Event Type


EP Agent Security Event Type contains the following dimension attributes:
 Agent Security Event – Type

EP Agent Security Event User Name


EP Agent Security Event User Name contains the following dimension attributes:
 Agent Security Event – User Name

EP Agent System Event Category


EP Agent System Event Category contains the following dimension attributes:
 Agent System Event – Category

EP Agent System Event Send SNMP Trap


EP Agent System Event Send SNMP Trap contains the following dimension attributes:
 Agent System Event – Send SNMP Trap

EP Agent System Event Severity


EP Agent System Event Severity contains the following dimension attributes:
 Agent System Event – Severity

EP Agent System Event Source


EP Agent System Event Source contains the following dimension attributes:
 Agent System Event – Source

EP Agent System Event Type


EP Agent System Event Type contains the following dimension attributes:
 Agent System Event - Type

EP Agent Traffic Event Alert


EP Agent Traffic Event Alert contains the following dimension attributes:
 Agent Traffic Event – Alert

EP Agent Traffic Event Application Name


EP Agent Traffic Event Application Name contains the following dimension attributes:
 Agent Traffic Event – Application Name

EP Agent Traffic Event Blocked


EP Agent Traffic Event Blocked contains the following dimension attributes:
 Agent Traffic Event – Blocked

EP Agent Traffic Event Local Port


EP Agent Traffic Event Local Port contains the following dimension attributes:


 Agent Traffic Event – Local Port

EP Agent Traffic Event Location Name


EP Agent Traffic Event Location Name contains the following dimension attributes:
 Agent Traffic Event – Location

EP Agent Traffic Event Network Protocol


EP Agent Traffic Event Network Protocol contains the following dimension attributes:
 Agent Traffic Event – Network Protocol

EP Agent Traffic Event Remote Host IP


EP Agent Traffic Event Remote Host IP contains the following dimension attributes:
 Agent Traffic Event – Remote Host IP

EP Agent Traffic Event Remote Port


EP Agent Traffic Event Remote Port contains the following dimension attributes:
 Agent Traffic Event – Remote Port

EP Agent Traffic Event Rule Name


EP Agent Traffic Event Rule Name contains the following dimension attributes:
 Agent Traffic Event – Rule Name

EP Agent Traffic Event Send SNMP Trap


EP Agent Traffic Event Send SNMP Trap contains the following dimension attributes:
 Agent Traffic Event – Send SNMP Trap

EP Agent Traffic Event Severity


EP Agent Traffic Event Severity contains the following dimension attributes:
 Agent Traffic Event – Severity

EP Agent Traffic Event Traffic Direction


EP Agent Traffic Event Traffic Direction contains the following dimension attributes:
 Agent Traffic Event – Traffic Direction

EP Agent Traffic Event Type


EP Agent Traffic Event Type contains the following dimension attributes:
 Agent Traffic Event – Type

EP Agent Traffic Event User Name


EP Agent Traffic Event User Name contains the following dimension attributes:
 Agent Traffic Event – User Name

EP Alert
EP Alert contains the following dimension attributes:
 Alert - Actual Action
 Alert – Detection Method
 Alert - File Path
 Alert - Requested Action
 Alert - Secondary Action
 Alert - Source
 Alert - User Name
 Alert - Virus Type

EP Alert Date
EP Alert Date contains the following dimension attributes:
 Alert Date – Date
 Alert Date – Date Range

 Alert Date - Day of Week


 Alert Date - Quarter
 Alert Date – Month
 Alert Date – Week Number
 Alert Date - Year

EP AntiVirus Policy Download Advisor


EP AntiVirus Policy Download Advisor contains the following dimension attributes:
 Download Advisor - Enabled
 Download Advisor - Enabled Lock
 Download Advisor - First Seen Days Threshold
 Download Advisor - First Seen Days Threshold Enabled
 Download Advisor - Prevalence Threshold
 Download Advisor - Prevalence Threshold Enabled
 Download Advisor - Threshold
 Download Advisor - Threshold Lock
 Download Advisor - Trust Intranet
 Download Advisor - Trust Intranet Lock

EP AntiVirus Policy Global Scan Options


EP AntiVirus Policy Global Scan Options contains the following dimension attributes:
 Global Scan Options – Bloodhound Enabled
 Global Scan Options – Bloodhound Enabled Lock
 Global Scan Options – Bloodhound Level
 Global Scan Options – Scan Less Enabled
 Global Scan Options – Scan Less Enabled Lock
 Global Scan Options – Scan Less For

EP AntiVirus Policy Mac Admin Defined Common


EP AntiVirus Policy Mac Admin Defined Common contains the following dimension attributes:
 Mac Admin Defined Common – Allow Scan Can Cancel
 Mac Admin Defined Common – Allow Scan Can Snooze
 Mac Admin Defined Common – Auto Repair Infected Files
 Mac Admin Defined Common – Quarantine unrepairable Files
 Mac Admin Defined Common – Scan Inside Compressed Files
 Mac Admin Defined Common – Scan Results Display

EP AntiVirus Policy Mac Admin Defined Scans


EP AntiVirus Policy Mac Admin Defined Scans contains the following dimension attributes:
 Mac Admin Defined Scans – Description
 Mac Admin Defined Scans – Enabled
 Mac Admin Defined Scans – Scan Name

EP AntiVirus Policy Mac Auto Protect


EP AntiVirus Policy Mac Auto Protect contains the following dimension attributes:
 Mac Auto Protect – Allow Can Cancel
 Mac Auto Protect – Allow Can Snooze
 Mac Auto Protect – Auto Repair Infected Files
 Mac Auto Protect – Disk Type All
 Mac Auto Protect – Disk Type All Others
 Mac Auto Protect – Disk Type Audio Video
 Mac Auto Protect – Disk Type Data Disk
 Mac Auto Protect – Disk Type IPOD
 Mac Auto Protect – Enable Auto Protect
 Mac Auto Protect – Enable Auto Protect Lock
 Mac Auto Protect – Mount Disk Scan Options Enabled
 Mac Auto Protect – Quarantine Unrepairable Files
 Mac Auto Protect – Scan Compressed Files

 Mac Auto Protect – Scan Files In Folder


 Mac Auto Protect – Scan Option

EP AntiVirus Policy Mac Miscellaneous


EP AntiVirus Policy Mac Miscellaneous contains the following dimension attributes:
 Mac Miscellaneous – Display Outdated Message
 Mac Miscellaneous – Warn After Days

EP AntiVirus Policy Sonar Settings


EP AntiVirus Policy Sonar Settings contains the following dimension attributes:
 Sonar Settings - Display Alert
 Sonar Settings - Display Alert Lock
 Sonar Settings - DNS Change Action
 Sonar Settings - DNS Change Locked
 Sonar Settings - Enabled
 Sonar Settings - Enabled Lock
 Sonar Settings - High Risk
 Sonar Settings - High Risk Lock
 Sonar Settings - Host File Change Action
 Sonar Settings - Host File Change Locked
 Sonar Settings - Low Risk
 Sonar Settings - Low Risk Lock
 Sonar Settings - Prompt Stop Service
 Sonar Settings - Prompt Stop Service Lock
 Sonar Settings - Prompt Terminate Process
 Sonar Settings - Prompt Terminate Process Lock
 Sonar Settings - SB High Risk
 Sonar Settings - SB High Risk Lock
 Sonar Settings - SB Low Risk
 Sonar Settings - SB Low Risk Lock
 Sonar Settings - System Changes Enabled
 Truscan - Can For Keyloggers
 Truscan - Incremental Scan Interval
 Truscan - Lock Incremental Scan Interval
 Truscan - Lock Scan New Processes
 Truscan - Lock Use Default Scan Frequency
 Truscan - Scan For Trojans And Worms
 Truscan - Scan New Processes
 Truscan - Use Default Scan Frequency

EP AntiVirus Policy Windows Admin Defined Advanced


EP AntiVirus Policy Windows Admin Defined Advanced contains the following dimension attributes:
 Windows Admin Defined Advanced - Allow Pause Or Delay Scan
 Windows Admin Defined Advanced - Allow Scan Without User Log On
 Windows Admin Defined Advanced - Allow User Modify Startup Scans
 Windows Admin Defined Advanced - Allow User Stop Scan
 Windows Admin Defined Advanced - Close Window When Done
 Windows Admin Defined Advanced - Delay Scan When On Batteries
 Windows Admin Defined Advanced - Progress Display Option
 Windows Admin Defined Advanced - Run Scan On Login
 Windows Admin Defined Advanced - Run Scan When New Defs Arrive
 Windows Admin Defined Advanced - Threat Submission Process

EP AntiVirus Policy Windows Admin Defined Scans


EP AntiVirus Policy Windows Admin Defined Scans contains the following dimension attributes:
 Windows Admin Defined Scans – Description
 Windows Admin Defined Scans - Enabled
 Windows Admin Defined Scans – Scan Name

EP AntiVirus Policy Windows Auto Protect


EP AntiVirus Policy Windows Auto Protect contains the following dimension attributes:
 Windows Auto Protect - Back Up File Before Repair
 Windows Auto Protect - Enable Floppy Drive
 Windows Auto Protect - Enable Network Drive
 Windows Auto Protect - File System Auto Protect
 Windows Auto Protect - Internet Email Auto Protect
 Windows Auto Protect - Lock Back Up File Before Repair
 Windows Auto Protect - Lock Block Security Risk Install
 Windows Auto Protect - Lock Enable Floppy Drive
 Windows Auto Protect - Lock Enable Network Drive
 Windows Auto Protect - Lock File System Auto Protect
 Windows Auto Protect - Lock File Types
 Windows Auto Protect - Lock Macro Virus First Action
 Windows Auto Protect - Lock Macro Virus Second Action
 Windows Auto Protect - Lock Non Macro Virus First Action
 Windows Auto Protect - Lock Non Macro Virus Second Action
 Windows Auto Protect - Lock Scan Security Risks
 Windows Auto Protect - Lock Security Risks First Action
 Windows Auto Protect - Lock Security Risks Second Action
 Windows Auto Protect - Lock Stop Services Automatically
 Windows Auto Protect - Lock Terminate Processes Automatically
 Windows Auto Protect - Lotus Notes Auto Protect
 Windows Auto Protect - Macro Virus First Action
 Windows Auto Protect - Macro Virus Second Action
 Windows Auto Protect - Microsoft Outlook Auto Protect
 Windows Auto Protect - Non Macro Virus First Action
 Windows Auto Protect - Non Macro Virus Second Action
 Windows Auto Protect - Scan All Files
 Windows Auto Protect - Scan Security Risks
 Windows Auto Protect - Security Risks First Action
 Windows Auto Protect - Security Risks Second Action
 Windows Auto Protect - Stop Services Automatically
 Windows Auto Protect - Terminate Processes Automatically

EP AntiVirus Policy Windows Miscellaneous


EP AntiVirus Policy Windows Miscellaneous contains the following dimension attributes:
 Windows Miscellaneous – Disable AV Alerts In Windows Security Center
 Windows Miscellaneous – Display Windows Security center Msg When Defs Are Outdated
 Windows Miscellaneous – Windows Security Center Disabled

EP AntiVirus Policy
EP AntiVirus Policy contains the following dimension attributes:
 AntiVirus Policy - Description
 AntiVirus Policy - Enabled
 AntiVirus Policy - Name

EP Application and Device Control Policy


EP Application and Device Control Policy contains the following dimension attributes:
 Application and Device Control Policy - Description
 Application and Device Control Policy - Enabled
 Application and Device Control Policy - Name

EP Application and Device Control Rule


EP Application and Device Control Rule contains the following dimension attributes:
 Rule - Name


EP Blocked Device
EP Blocked Device contains the following dimension attributes:
 Blocked Device – Name

EP Blocked Target
EP Blocked Target contains the following dimension attributes:
 Blocked Target – Name

EP Client
EP Client contains the following dimension attributes:
 Client - Antivirus Engine Status
 Client - Auto-Protect Status
 Client – Deployment Message
 Client – Deployment Running Version
 Client – Deployment Status
 Client – Deployment Target Version
 Client - Firewall Status
 Client - Free Disk
 Client - Free Memory
 Client – Group Update Provider
 Client - Host Integrity Status
 Client - Infected
 Client - Major Version
 Client - Minor Version
 Client - Online Status
 Client - Profile Serial Number
 Client - Profile Version
 Client - Reboot Required
 Client – Shared Insight Cache Status
 Client - Tamper Protection Status
 Client - Time Zone
 Client - Type
 Client - Version

EP Computer
EP Computer contains the following dimension attributes:
 Computer - BIOS Version
 Computer - Computer Name
 Computer - Current Login User
 Computer - DHCP Server
 Computer - Disk Drive
 Computer - Disk Total
 Computer - DNS Server
 Computer - Domain
 Computer - IP Address
 Computer - Memory Total
 Computer - Operating System
 Computer - OS Language
 Computer - Processor Clock Speed
 Computer - Processor Count
 Computer - Processor Type
 Computer – Resource Manager URL
 Computer - Service Pack
 Computer - TPM Device
 Computer – Virtual
 Computer – Virtual Vendor
 Computer - WINS Server


EP Creation Date
EP Creation Date contains the following dimension attributes:
 Creation Date – Date
 Creation Date – Date Range
 Creation Date - Day of Week
 Creation Date - Month
 Creation Date – Quarter
 Creation Date – Week Number
 Creation Date - Year

EP Domain
EP Domain contains the following dimension attributes:
 Domain

EP Event Action Taken


EP Event Action Taken contains the following dimension attributes:
 Event – Action Taken

EP Event Date
EP Event Date contains the following dimension attributes:
 Event Date – Date
 Event Date – Date Range
 Event Date - Day of Week
 Event Date - Month
 Event Date – Quarter
 Event Date – Week Number
 Event Date - Year

EP Event Description
EP Event Description contains the following dimension attributes:
 Event - Description

EP Event Detection
EP Event Detection contains the following dimension attributes:
 Event – Detection

EP Event Direction
EP Event Direction contains the following dimension attributes:
 Event – Direction

EP Event Local IP Address


EP Event Local IP Address contains the following dimension attributes:
 Event – Local IP Address

EP Event Remote IP Address


EP Event Remote IP Address contains the following dimension attributes:
 Event – Remote IP Address

EP Event Time
EP Event Time contains the following dimension attributes:
 Event – Hour
 Event – Minute
 Event – Second
 Event - Time

EP Exception Client Restriction


EP Exception Client Restriction contains the following dimension attributes:

 Client Restriction - Add Application Exceptions


 Client Restriction - Add Extension Exceptions
 Client Restriction - Add File Exceptions
 Client Restriction - Add Folder Exceptions
 Client Restriction - Add Known Risk Exceptions
 Client Restriction - Add Security Risk Exceptions
 Client Restriction - Add SONAR Exceptions
 Client Restriction - Add Trusted Web Domain Exceptions

EP Exception Item
EP Exception Item contains the following dimension attributes:
 Exception Item - Action
 Exception Item - Platform
 Exception Item - Type
 Exception Item - Value

EP Exception Policy
EP Exception Policy contains the following dimension attributes:
 Exception Policy - Description
 Exception Policy - Enabled
 Exception Policy - Name

EP Excluded Device
EP Excluded Device contains the following dimension attributes:
 Excluded Device - Name

EP Firewall Policy Rule


EP Firewall Policy Rule contains the following dimension attributes:
 Rule - Enabled
 Rule - Name

EP Firewall Policy Security Settings


EP Firewall Policy Security Settings contains the following dimension attributes:
 Security Settings - Anti MAC Spooling
 Security Settings - Disable Windows Firewall
 Security Settings - Net BIOS Protection
 Security Settings - OS Fingerprint Masquerading
 Security Settings - Reverse DNS
 Security Settings - Smart DHCP
 Security Settings - Smart DNS
 Security Settings - Smart WINS
 Security Settings - Stealth Mode Browsing
 Security Settings - TCP Resequencing
 Security Settings - Token Ring Traffic

EP Firewall Policy
EP Firewall Policy contains the following dimension attributes:
 Firewall Policy - Description
 Firewall Policy - Enabled
 Firewall Policy - Name

EP Group
EP Group contains the following dimension attributes:
 Group

EP Host Integrity Check Action


EP Host Integrity Check Action contains the following dimension attributes:


 Host Integrity Check - Action

EP Host Integrity Check Criteria


EP Host Integrity Check Criteria contains the following dimension attributes:
 Host Integrity Check – Criteria

EP Host Integrity Check Description


EP Host Integrity Check Description contains the following dimension attributes:
 Host Integrity Check – Description

EP Host Integrity Check Result


EP Host Integrity Check Result contains the following dimension attributes:
 Host Integrity Check – Result

EP Host Integrity Check Rule Name


EP Host Integrity Check Rule Name contains the following dimension attributes:
 Host Integrity Check – Rule Name

EP Host Integrity Check Rule Type


EP Host Integrity Check Rule Type contains the following dimension attributes:
 Host Integrity Check – Rule Type

EP Host Integrity Check Target


EP Host Integrity Check Target contains the following dimension attributes:
 Host Integrity Check - Target

EP Host Integrity Event Location


EP Host Integrity Event Location contains the following dimension attributes:
 Host Integrity Event – Location

EP Host Integrity Event Severity


EP Host Integrity Event Severity contains the following dimension attributes:
 Host Integrity Event – Severity

EP Host Integrity Event Type


EP Host Integrity Event Type contains the following dimension attributes:
 Host Integrity Event – Type

EP Host Integrity Event User Name


EP Host Integrity Event User Name contains the following dimension attributes:
 Host Integrity Event – User Name

EP Host Integrity Policy Advanced


EP Host Integrity Policy Advanced contains the following dimension attributes:
 Advanced - Allow User to Cancel Remediation Max
 Advanced - Allow User to Cancel Remediation Max Number Of Times
 Advanced - Allow User to Cancel Remediation Min
 Advanced - Check HI Every
 Advanced - Continue Check Alter Fail
 Advanced - Display Notification When HI Check Fails
 Advanced - Display Notification When HI Check Fails Additional Text
 Advanced - Display Notification When HI Check Passes Alter Fail
 Advanced - Display Notification When HI Check Passes Alter Fail Additional Text
 Advanced - Keep Results For
 Advanced - Notification On Snooze Additional Text
 Advanced - Show Verbose Host Integrity Logging
 Advanced - User Must Log On Before Apps And HI Notifications Appear

EP Host Integrity Policy Requirement


EP Host Integrity Policy Requirement contains the following dimension attributes:
 Requirement - Enabled
 Requirement - Name
 Requirement - When HI Checks Run

EP Host Integrity Policy


EP Host Integrity Policy contains the following dimension attributes:
 Host Integrity Policy - Description
 Host Integrity Policy - Enabled
 Host Integrity Policy - Name

EP Insight Detection
EP Insight Detection contains the following dimension attributes:
 Insight Detection - Application
 Insight Detection - Application Version
 Insight Detection - Company
 Insight Detection - Detection Reason
 Insight Detection - Domain
 Insight Detection - File Path
 Insight Detection - Risk
 Insight Detection - Sensitivity
 Insight Detection - URL
 Insight Detection - User
 Insight Detection - Whitelist Reason

EP Intrusion Prevention Policy


EP Intrusion Prevention Policy contains the following dimension attributes:
 IDS Policy - Active Response Block IP
 IDS Policy - Denial Of Service Protection
 IDS Policy - Enabled
 IDS Policy - Exceptions Exist
 IDS Policy - Intrusion Prevention
 IDS Policy - Name
 IDS Policy - Port Scan Detection

EP Intrusion Prevention Signature


EP Intrusion Prevention Signature contains the following dimension attributes:
 Intrusion Prevention Signature - Pattern Date
 Intrusion Prevention Signature - Revision
 Intrusion Prevention Signature - Sequence Number
 Intrusion Prevention Signature - Version

EP IPS Detection Event Name


EP IPS Detection Event Name contains the following dimension attributes:
 IPS Detection Event - Name

EP IPS Detection Event SID


EP IPS Detection Event SID contains the following dimension attributes:
 IPS Detection Event - SID

EP IPS Detection Event Type


EP IPS Detection Event Type contains the following dimension attributes:
 IPS Detection Event - Type

EP Last Checkin Date


EP Last Checkin Date contains the following dimension attributes:
 Last Checkin Date – Date
 Last Checkin Date – Date Range
 Last Checkin Date - Day of Week
 Last Checkin Date - Month
 Last Checkin Date – Quarter
 Last Checkin Date – Week Number
 Last Checkin Date - Year

EP Last Scan Date


EP Last Scan Date contains the following dimension attributes:
 Last Scan Date – Date
 Last Scan Date – Date Range
 Last Scan Date - Day of Week
 Last Scan Date - Month
 Last Scan Date – Quarter
 Last Scan Date – Week Number
 Last Scan Date - Year

EP Last Virus Date


EP Last Virus Date contains the following dimension attributes:
 Last Virus Date – Date
 Last Virus Date – Date Range
 Last Virus Date - Day of Week
 Last Virus Date - Month
 Last Virus Date – Quarter
 Last Virus Date – Week Number
 Last Virus Date - Year

EP Live Update Policy Explicit GUP Mapping


EP Live Update Policy Explicit GUP Mapping contains the following dimension attributes:
 GUP Explicit Mapping – Client Subnet
 GUP Explicit Mapping – Mapping Type
 GUP Explicit Mapping – Mapping Value
 GUP Explicit Mapping – Port

EP Live Update Policy Mac Advanced


EP Live Update Policy Mac Advanced contains the following dimension attributes:
 Mac Settings – Download SEP Updates Using LU Server

EP Live Update Policy Mac Schedule


EP Live Update Policy Mac Schedule contains the following dimension attributes:
 Mac Settings - Download Updates Day
 Mac Settings - Download Updates Frequency
 Mac Settings - Download Updates Frequency Interval
 Mac Settings - Download Updates Start Time
 Mac Settings - Randomization Enabled
 Mac Settings - Randomization Time
 Mac Settings - Retry Window
 Mac Settings - Retry Window Enabled

EP Live Update Policy Server Mac


EP Live Update Policy Server Mac contains the following dimension attributes:
 Mac Live Update Server – Description
 Mac Live Update Server – Name
 Mac Live Update Server – Protocol
 Mac Live Update Server – Url
 Mac Live Update Server – Username


EP Live Update Policy Mac Server Settings


EP Live Update Policy Mac Server Settings contains the following dimension attributes:
 Mac Settings - Live Update Server Type

EP Live Update Policy Proxy Settings


EP Live Update Policy Proxy Settings contains the following dimension attributes:
 Proxy Settings - Ftp Proxy
 Proxy Settings - Ftp Proxy Mode
 Proxy Settings - Ftp Proxy Mode Lock
 Proxy Settings - Ftp Proxy Port
 Proxy Settings - Http Proxy
 Proxy Settings - Http Proxy Https Port
 Proxy Settings - Http Proxy Mode
 Proxy Settings - Http Proxy Mode Lock
 Proxy Settings - Http Proxy Port
 Proxy Settings - Http Proxy Require Authentication
 Proxy Settings - Http Proxy User Name

EP Live Update Policy Windows Advanced


EP Live Update Policy Windows Advanced contains the following dimension attributes:
 Windows Settings - Download Updated by LiveUpdate Enabled
 Windows Settings - Manual LiveUpdate Enabled
 Windows Settings - Modify LiveUpdate Schedule Enabled
 Windows Settings - Require Http Headers Enabled

EP Live Update Policy Windows Schedule


EP Live Update Policy Windows Schedule contains the following dimension attributes:
 Windows Settings - Download Updates Day
 Windows Settings - Download Updates Interval
 Windows Settings - Download Updates Frequency
 Windows Settings - Download Updates Start Time
 Windows Settings - Enable LiveUpdate Scheduling
 Windows Settings - Idle Detection Enabled
 Windows Settings - Randomization Enabled
 Windows Settings - Randomization Time
 Windows Settings - Retry Window
 Windows Settings - Retry Window Enabled

EP Live Update Policy Server Windows


EP Live Update Policy Server Windows contains the following dimension attributes:
 Windows Live Update Server – Description
 Windows Live Update Server – Name
 Windows Live Update Server – Protocol
 Windows Live Update Server – Url
 Windows Live Update Server - Username

EP Live Update Policy Windows Server Settings


EP Live Update Policy Windows Server Settings contains the following dimension attributes:
 Windows Settings - 3rd Party Server
 Windows Settings - Group Update Client Throttling
 Windows Settings - Group Update Delete Unused Contents Days
 Windows Settings - Group Update Host
 Windows Settings - Group Update Max Disk Cache Allowed
 Windows Settings - Group Update Max Simul Client Down Loads
 Windows Settings - Group Update Port
 Windows Settings - Live Update Server Type
 Windows Settings - Use Group Update Provider
 Windows Settings - Use Live Update Server
 Windows Settings - Use Management Server

EP Live Update Policy


EP Live Update Policy contains the following dimension attributes:
 Live Update Policy - Description
 Live Update Policy - Enabled
 Live Update Policy - Name

EP Location
EP Location contains the following dimension attributes:
 Location - Description
 Location - Name

EP Policy
EP Policy contains the following dimension attributes:
 Policy - Description
 Policy - Enabled
 Policy - Name
 Policy - Type

EP Protection Technology
EP Protection Technology contains the following dimension attributes:
 Event – Protection Technology

EP Scan Client User


EP Scan Client User contains the following dimension attributes:
 Scan - Client User

EP Scan Start Date


EP Scan Start Date contains the following dimension attributes:
 Scan Start Date - Date
 Scan Start Date – Date Range
 Scan Start Date - Day of Week
 Scan Start Date - Month
 Scan Start Date – Quarter
 Scan Start Date – Week Number
 Scan Start Date - Year

EP Scan Status
EP Scan Status contains the following dimension attributes:
 Scan – Status

EP Security Virtual Appliance


EP Security Virtual Appliance contains the following dimension attributes:
 SVA – Computer Name
 SVA – DNS Server
 SVA – Gateway
 SVA – Heartbeat Interval
 SVA – IP Address
 SVA – Memory
 SVA – Processor Clock
 SVA – Processor Count
 SVA – Processor Type
 SVA – Status
 SVA – Subnet Mask
 SVA – Version


EP Server
EP Server contains the following dimension attributes:
 Server

EP Server Admin Event Admin Name


EP Server Admin Event Admin Name contains the following dimension attributes:
 Server Admin Event - Admin Name

EP Server Admin Event Description


EP Server Admin Event Description contains the following dimension attributes:
 Server Admin Event – Description

EP Server Admin Event Error Code


EP Server Admin Event Error Code contains the following dimension attributes:
 Server Admin Event – Error Code

EP Server Admin Event Message ID


EP Server Admin Event Message ID contains the following dimension attributes:
 Server Admin Event – Message ID

EP Server Admin Event Severity


EP Server Admin Event Severity contains the following dimension attributes:
 Server Admin Event – Severity

EP Server Admin Event Type


EP Server Admin Event Type contains the following dimension attributes:
 Server Admin Event - Type

EP Server System Event Error Code


EP Server System Event Error Code contains the following dimension attributes:
 Server System Event – Error Code

EP Server System Event Message ID


EP Server System Event Message ID contains the following dimension attributes:
 Server System Event – Message ID

EP Server System Event Severity


EP Server System Event Severity contains the following dimension attributes:
 Server System Event - Severity

EP Server System Event Type


EP Server System Event Type contains the following dimension attributes:
 Server System Event - Type

EP Site
EP Site contains the following dimension attributes:
 Site

EP SONAR Detection
EP SONAR Detection contains the following dimension attributes:
 SONAR Detection - Application Name
 SONAR Detection - Application Version
 SONAR Detection - Company
 SONAR Detection - File Path
 SONAR Detection - Risk
 SONAR Detection - Score
 SONAR Detection - Sensitivity
 SONAR Detection - Type
 SONAR Detection - User
 SONAR Detection - Whitelist Reason

EP Virus
EP Virus contains the following dimension attributes:
 Virus - Name
 Virus - Risk Category
 Virus - Threat Location
 Virus - Threat Type

EP Virus Definition
EP Virus Definition contains the following dimension attributes:
 Virus Definition - Content Type
 Virus Definition - Date
 Virus Definition - Revision
 Virus Definition - Sequence Number
 Virus Definition - Version
