Reporting

Summary

Reporting and intelligence are essential components of a successful information security program. PK Protect’s data security intelligence allows enterprise security teams and audit/risk personnel to track which files were encrypted, the users who accessed them, what devices they were on, and where these events took place. This data can be reported on directly through the data security intelligence interface in the PK Endpoint Manager, picked up by a SIEM agent, or retrieved via API for transformation and load to a customer data-mart.


Config

Field: Description
Name: A name that can be defined by the administrator.
Target Type: Location that will store all events generated by the PEM.
Scope: The Active Directory groups of users whose reports are redirected as dictated by this policy.
Agent Options:
  • All Activity (forensic) - All user agent logs
  • Multi-file Archive Events - Logs that include multi-file archive logs
  • Unencrypted Archive Events - Any user agent decryption logs


Events

Event: Event Description

Account Transfer


Account Transfer is an event triggered the first time an account logs in on a new device. It differs from a normal login because it transfers the user's encrypted metadata to the device, where the PK Protect Agent decrypts it for use with PK Protect.


Add Certificate

When a System Administrator or Security Administrator adds a new contingency key into the system to be used with a policy, the Add Certificate event is stored by the PK Endpoint Manager.


Add Smartkey

When a user creates a new Smartkey on any device, the event is captured in the Data Security Intelligence reporting.


Allow

When a user requests access to a Smartkey, an access request is posted (and emailed) to the owner of the Smartkey. When the owner responds with an allow (giving the participant access to the Smartkey and thus decryption/encryption abilities), this event is stored noting the access being given.


Classification

Generated when a user makes any kind of classification interaction with a file. These classification events (30+) are stated in the classification policies.

Create Account

When a new user accesses PK Protect for the first time, the PK Endpoint Manager needs to create an account for the user. The account is created by the PK Endpoint Manager and this event captures the date and time when it occurred.


Create Assignment

A System Administrator and Security Administrator can create an Assignment for a PK Protect user to create a protected folder on a device. Data Security Intelligence captures this event to show when the assignment was created by the administrator and assigned to a PK Protect User.

Create Community

System Administrators and Security Administrators can create Community Keys within the PK Endpoint Manager based on groups of individual user objects stored in Active Directory. The event is stored in the system to capture the creation of a new Community Key being available in the system. Learn more about Community Keys here.


Create Locker

A System Administrator and Security Administrator can create a Locker on a PK Protect Device to create a protected folder on a device. Data Security Intelligence captures this event to show when a folder started being protected. Learn more about Lockers here.


Create Policy

A System Administrator and Security Administrator can create a policy to control how users will interact with the PK Protect product deployed on their desktops/servers. A Create Policy event shows the time, date, and the login information for the Administrator who defined the policy. Learn more about policies here.


Delete Assignment

A System Administrator and Security Administrator can delete an Assignment for a PK Protect User. Data Security Intelligence captures this event to show when a folder stopped being protected.

Delete Community

System Administrators and Security Administrators can delete Community Keys within the PK Endpoint Manager. This is a very dangerous action because existing data encrypted with the Community Key can no longer be decrypted with that Community Key. This event captures which Administrator deleted the Community Key as well as the date and time. Learn more about Community Keys here.


Delete Locker

A System Administrator and Security Administrator can delete a Locker on a PK Protect Device. This event does not cause the data to be decrypted in the locker, but only stops the automatic encryption from occurring on the next plain-text file discovered in the locker. Data Security Intelligence captures this event to show when a folder stopped being protected. Learn more about Lockers here.


Delete Policy

A System Administrator and Security Administrator can remove an existing policy from the system. This will remove the controls in place for the defined set of users that were using the PK Protect application. The event stores the date, time and login name of the Administrator who deleted the policy. Learn more about policies here.


Deny

When a user requests access to a Smartkey, an access request is posted (and emailed) to the owner of the Smartkey. When the owner responds with Deny (blocking the participant access to the Smartkey and thus not allowing decryption/encryption abilities), this event is stored noting the access is being denied.


Discovery

When any Assignment or Locker running on a user machine discovers sensitive data, the Data Security Event captures information about the discovery of that file. Attributes included are filename, policy controlling user, device information, date and time of the event.


Discovery Classify

When any Assignment or Locker running on a user machine discovers sensitive data, the file is classified, and the Data Security Event captures information about the discovery of that file. Attributes included are filename, policy controlling user, device information, date and time of the event.


Discovery Command

When any Assignment or Locker running on a user machine discovers sensitive data, a command declared in the assignment or locker is run, and the Data Security Event captures information about the discovery of that file. Attributes included are filename, policy controlling user, device information, date and time of the event.


Discovery Encrypt

When any Assignment or Locker running on a user machine discovers sensitive data, the sensitive data is encrypted, and the Data Security Event captures information about the discovery of that file. Attributes included are filename, archive name, method of decryption, policy controlling user, device information, date and time of the event.

Issue Access Token

PK Protect clients need to be authenticated to communicate with the PK Endpoint Manager. The application will take care of this behavior for the user by getting an access token. The server can refuse to give any device an access token, which will force the device to be disabled. This event captures the event of a specific device communicating with the PK Endpoint Manager and receiving a token for access.


Login

Triggered when a user logs in on a device (other than the first-time login, which is called "Account Transfer"). This event proves the user is accessing the device and authenticating with the PK Endpoint Manager.


Redaction

When any Assignment or Locker running on a user machine discovers sensitive data, the sensitive data is redacted, and the Data Security Event captures information about the redaction of that file. Attributes included are filename, archive name, method of decryption, policy controlling user, device information, date and time of the event.

PK Protect Show Passphrase

To allow Smartkey-encrypted archives to be decrypted by an external third-party application, a passphrase can be extracted from the archive to enable the archive to be decrypted and extracted. This event captures the user, device, time and date when the passphrase was generated for a given archive.


PK Protect Decrypt

When any user decrypts an archive, the Data Security Event captures information about the decryption. Attributes included are filename, archive name, method of decryption, policy controlling user, device information, date and time of the event.


PK Protect Encrypt

When any user encrypts an archive, the Data Security Event captures information about the encryption. Attributes included are filename, archive name, method of encryption, policy controlling user, device information, date and time of the event.



Update Community

System Administrators and Security Administrators can create Community Keys within the PK Endpoint Manager based on individual user objects stored in Active Directory. Over time, access to the Community Key can change, which will result in a PK Protect Update event being stored to log the change. Learn more about Community Keys here.


Update Locker

A System Administrator and Security Administrator can update a Locker on a PK Protect Device to create a protected folder on a device. The update could include which key is to be used, or even what folder path to protect. Data Security Intelligence captures this event to show when a folder started being protected. Learn more about Lockers here.


Update Policy

A System Administrator and Security Administrator can update an existing policy in the system. This action has the potential to remove the controls in place for the defined set of users that were using the PK Protect application, or to add controls for different users who were added to the policy. The event stores the date, time and login name of the Administrator who updated the policy. Learn more about policies here.


Allow TDE

When adding a Smartpoint to a TDE agent, the Allow event is reported. SMDS allows a TDE agent access to a Smartpoint recently created for that TDE agent.


Copy TDE Agent

System and Security Administrators can copy the configuration of a TDE agent. Learn more about TDE agents here.


Create TDE Smartpoint

System and Security Administrators can create Smartpoints for a specific path within a TDE agent. Learn more about adding Smartpoints here.


Create TDE Smartpoint Policy

System and Security Administrators can add Smartpoint policies for groups where they are administrators. Click here for more information on adding Smartpoint policies.


Create TDE Agent

System and Security Administrators can create a TDE agent by installing the agent through the PK Endpoint Manager. The server on which the TDE agent was created will be reported along with the group to which it belongs. Learn more about installing a TDE Agent here.


Create TDE Group

System and Security Administrators can create TDE groups with PK Endpoint Manager. Administrator(s) may be assigned to a TDE group. These administrator(s) will now maintain control of the group. The event records the date and time of creation as well as the creator of the group. Learn more about TDE Groups here.


Create TDE Key

System and Security Administrators can create TDE keys with PK Endpoint Manager. The creator of the key and time of creation will be stored in the event in PK Protect TDE Manager. Learn more about adding TDE Keys here.


Delete Smartpoint

A Smartpoint may be deleted by system and security administrators within PK Endpoint Manager. The user who deletes the Smartpoint will be recorded as well as when the Smartpoint was deleted. Click here to learn more about the effects of deleting a Smartpoint.


Delete TDE Smartpoint Policy

System and Security Administrators may delete a Smartpoint policy within PK Protect TDE Manager. The user who deletes the policy and when the user deletes the Smartpoint policy will be reported. Go here to learn more about deleting Smartpoint policies.


Delete TDE Agent

System and Security Administrators may delete a TDE agent. The deletion of the TDE agent will be reported in DSI. Learn more about TDE agents here.


Delete TDE Group

A TDE group may be deleted by system and security administrators within PK Endpoint Manager.


Delete TDE Key

TDE keys may be deleted by System and Security Administrators within PK Endpoint Manager. When the key was deleted as well as who deleted it will be reported in the event. Learn more about the effects of deleting a TDE key here.


Deny TDE

When deleting a Smartpoint from a TDE agent, the Deny event is reported. SMDS denies a TDE agent access to a Smartpoint recently deleted from that TDE agent.

Rename TDE Group

A System or Security Administrator can rename a previously created TDE group. The event records the new name of the TDE group as well as its previous name. Learn more about TDE groups here.


Update TDE Smartpoint Policy

An administrator of a Smartpoint Policy can update Policy default actions, groups, and exceptions. Updates to Smartpoint Policies are recorded as events. To learn more about Smartpoint policies go here.


Update TDE Group

A System or Security Administrator can update a TDE group to change the administrators who control and maintain access to the group. The change in administration will be reported. Learn more about TDE groups here.

Possible Events:

Enabling/Disabling TDE Agent

Encrypt/Decrypt (Not sure if this is how the events appear)
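
Added example (not PK Protect code): a triage pass a SIEM-side script could run over exported events, using the event names from the table above. It flags the events the descriptions call out as removing protection or exposing a passphrase, and any Login on a user/device pair with no earlier Account Transfer. The JSON-lines layout and the field names time, event, user and device are assumptions for illustration, not the product's export format.

```python
import json

# Event names come from the table above; each note paraphrases what the page
# says about that event. Field names (time, event, user, device) are assumed.
REVIEW = {
    "Delete Community": "existing data can no longer be decrypted with that Community Key",
    "Delete Policy": "controls removed for the users the policy covered",
    "Delete Locker": "automatic encryption of new plain-text files stops",
    "PK Protect Show Passphrase": "passphrase extracted for third-party decryption",
}

def triage(lines):
    """Return a list of (finding, event) for JSON-lines event records."""
    events = sorted((json.loads(ln) for ln in lines if ln.strip()),
                    key=lambda e: e["time"])
    transferred = set()  # (user, device) pairs with an Account Transfer seen
    findings = []
    for ev in events:
        pair = (ev["user"], ev["device"])
        if ev["event"] == "Account Transfer":
            transferred.add(pair)
        elif ev["event"] == "Login" and pair not in transferred:
            # Either the transfer predates this export window or the record
            # is missing; both are worth confirming.
            findings.append(("login without prior Account Transfer", ev))
        elif ev["event"] in REVIEW:
            findings.append((REVIEW[ev["event"]], ev))
    return findings

# Constructed sample records, not real PK Protect output.
SAMPLE = """
{"time": "2024-03-01T09:00:00Z", "event": "Account Transfer", "user": "alice", "device": "LT-01"}
{"time": "2024-03-01T09:30:00Z", "event": "Login", "user": "alice", "device": "LT-01"}
{"time": "2024-03-01T10:00:00Z", "event": "Login", "user": "alice", "device": "LT-07"}
{"time": "2024-03-01T10:05:00Z", "event": "PK Protect Show Passphrase", "user": "alice", "device": "LT-07"}
{"time": "2024-03-01T11:00:00Z", "event": "Delete Community", "user": "admin1", "device": "PEM"}
{"time": "2024-03-01T11:10:00Z", "event": "PK Protect Encrypt", "user": "bob", "device": "LT-02"}
""".splitlines()

if __name__ == "__main__":
    for finding, ev in triage(SAMPLE):
        print(ev["time"], ev["event"], ev["user"], ev["device"], "->", finding)
```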


