FIM Reports
Establishing clear rules for report generation can significantly enhance your grasp of change events within your file system. Properly configured rules ensure to identify which rules have triggered the maximum number of events. This insight allows you to refine your rules further, narrowing down the event generation scope for improved efficiency.
You can also create consolidated asset reports to gain visibility into your asset system. Knowing your assets at a granular level is crucial, especially for PCI compliance because as per PCI-DSS guidelines, all assets in scope must have FIM actively running on them.
With FIM, you can create a variety of reports to capture events and incidents occurring in your files as well as to capture details on assets. You can either leverage the QQLs from Qualys Query Library or make use of the saved searches, or even enter your own custom queries, based on which, change event data would be filtered and included in the FIM reports.
After a report is generated, you can download the report in PDF, CSV, or HTML format.
Important: As per PCI DSS guidelines, event data is retained for 13 months on the Qualys platform. Hence, the on-demand reports can be generated for the data collected in the past one year. Once generated, reports are purged from the Qualys platform after seven days from the day of generation.
Reports that are not marked as 'Completed' can be run again. This functionality applies to all types of data sources, including event-based, asset-based, and incident-based reports.
Widgets in PDF Reports
You can download the report in PDF, CSV, or HTML format. PDF reports have Report Statistics widgets. You can view a graphical representation of key statistics when you download reports in PDF format, which offers a visual understanding of the data. The widgets include Changes By Action, Changes By Severity, Changes By Type, Events on Assets, and Changes by Users.
To view Legitimate Process and User Event Count you can use the query
(actor.process: [`msiexec.exe`, `svchost.exe`, `poqexec.exe`, `SYSTEM`, `sppsvc.exe`, `TiWorker.exe`, `lsass.exe`, `MicrosoftEdgeUpdate.exe`] and actor.userName:`NT AUTHORITY SYSTEM`) or (actor.process: [`yum`, `apt-get`, `Python`, `Prelink`] and actor.userName: `root`)