Hitachi

JP1 Version 12 JP1/IT Desktop Management 2 Administration Guide


1.8.1 General procedure for investigating a detected suspicious operation

To investigate a suspicious operation that could lead to information leakage in a timely manner, you (the administrator) must recognize that a suspicious operation has occurred as soon as it is detected, and then investigate the situation quickly.

To recognize a suspicious operation immediately, configure JP1/IT Desktop Management 2 to notify you by email whenever a suspicious operation is detected. The operation logs collected from each computer then let you identify where the data was taken from and which user first brought it out.

To investigate a detected suspicious operation:

1. Set the automatic notification of a suspicious operation.

Set the configuration in such a way as to notify you of a suspicious operation by email when a suspicious operation is detected.

2. Investigate a suspicious operation.

If a suspicious operation is detected, check the detected details. If there is any problem, also check operation logs.

You can determine whether there is a problem by examining the details of the detected suspicious operation.

For JP1/IT Desktop Management 2 to detect a suspicious operation, operation logs must be collected and the detection conditions must be set in a security policy.

(1) Setting the automatic notification of a suspicious operation

Set the configuration in such a way as to notify you of a suspicious operation by email when a suspicious operation is detected.

If a suspicious operation is detected, an event with Suspicious Operation set for Type is generated. Set the configuration in such a way that an email is sent to you when this event is generated.

To set the automatic notification of a suspicious operation:

  1. Display the Settings module.

  2. In the menu area, select Events and then Event Notifications.

  3. Specify the mail notification target events.

    At this time, select the Suspicious Operations check box for each severity.

  4. Check the user ID set as the mail notification destination.

    If no email address is set for that user ID, select the user ID and set the email address.

  5. Click the Apply button.

If a suspicious operation is detected and a Suspicious Operation event is generated, an email is sent to the specified email address.

The following figure shows the content of an email to be sent:

[Figure]

If you confirm that the event described in the email has occurred, open the operation view of JP1/IT Desktop Management 2 from the URL given in the email, check the security status, and take the necessary measures.

(2) General procedure for investigating a suspicious operation

If a suspicious operation is detected, check the detected details. If there is any problem, also check operation logs.

For a suspicious file bring-out operation, follow the procedure below. For a suspicious printing operation, investigate by checking operation logs; for details, see (1) Checking operation logs.

1. Check the detected details.

If a suspicious operation is detected, an event whose Type is Suspicious Operation is generated. The number of such events is shown as the Suspicious count in the Not Ack Event Summary panel of the Home module.

In the Not Ack Event Summary panel, click the number in parentheses to open the Events module, filtered to events whose Type is Suspicious Operation and whose Status is Not Ack.

Click the link in the Description column of the event list. The dialog box that opens shows the operation log for the detected operation. Use the details shown there to decide whether an information-leakage investigation is needed. If it is, click the link in the Source column of the event list to open the Operation Logs view of the Security module and check the related operation logs.

2. Investigate operation logs by data tracing.

In the Operation Logs view of the Security module, you can investigate operation logs by data tracing.

To trace, click the Trace button for the operation you want to investigate, and then check the information in the Trace Operation Log dialog box. Operation logs whose Trace button is disabled cannot be traced.

The Trace Operation Log dialog box shows the first and last operations of the series of operations that includes the selected operation log. For example, if a file copy to a USB device is detected, you can identify which stored data was brought out (first operation) and whether that data was eventually copied to the USB device (last operation). Comparing the first and last operations tells you whether important data was brought out.

This completes the investigation of the suspicious operation by data tracing.
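The following is an added example, not code from the JP1/IT Desktop Management 2 product or this guide, that shows the idea behind data tracing on a constructed set of operation log records: starting from a selected file operation, follow each record whose destination path is the next record's source path backward to the first operation and forward to the last one, and flag the chain if the last destination is on removable media. The record fields (log_id, time, user, host, operation, src, dst), the operation names, the sample records, and the assumption that drives E: and F: are USB devices are all invented for the illustration; non-file operations such as printing are treated as untraceable, matching the guide's note that some logs have the Trace button disabled.

```python
"""Toy data tracing over constructed JP1-style operation log records.

Assumptions (not from the guide): each record carries an id, a time, a user,
a host, an operation name, a source path and a destination path. Two records
are linked when an earlier record's destination path is a later record's
source path. Only file operations can be traced; print/web operations cannot.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class OpLog:
    log_id: int
    time: str             # ISO-8601 timestamp (constructed)
    user: str
    host: str
    operation: str        # "create", "copy", "rename", "move", "print", ...
    src: Optional[str]    # source path, None for a newly created file
    dst: Optional[str]    # destination path, None for print and similar


FILE_OPS = {"create", "copy", "rename", "move"}
REMOVABLE_PREFIXES = ("E:\\", "F:\\")   # assumption: these drives are USB devices

# Constructed sample log: one chain ending on a USB drive, one unrelated print
# record, and one unrelated file on another PC.
SAMPLE_LOGS = [
    OpLog(101, "2023-05-01T09:00:00", "suzuki", "PC-01", "create", None, r"C:\Projects\design.xlsx"),
    OpLog(102, "2023-05-01T09:05:00", "suzuki", "PC-01", "print", r"C:\Projects\design.xlsx", None),
    OpLog(103, "2023-05-01T09:10:00", "suzuki", "PC-01", "copy", r"C:\Projects\design.xlsx", r"C:\Users\suzuki\Desktop\d.xlsx"),
    OpLog(104, "2023-05-01T09:12:00", "suzuki", "PC-01", "rename", r"C:\Users\suzuki\Desktop\d.xlsx", r"C:\Users\suzuki\Desktop\notes.xlsx"),
    OpLog(105, "2023-05-01T09:20:00", "suzuki", "PC-01", "copy", r"C:\Users\suzuki\Desktop\notes.xlsx", r"E:\notes.xlsx"),
    OpLog(106, "2023-05-01T09:30:00", "tanaka", "PC-02", "create", None, r"C:\memo.txt"),
]


def can_trace(log: OpLog) -> bool:
    """Equivalent of an enabled Trace button: only file operations are traceable."""
    return log.operation in FILE_OPS


def _key(log: OpLog) -> Tuple[str, int]:
    return (log.time, log.log_id)


def trace(logs: List[OpLog], log_id: int) -> Optional[List[OpLog]]:
    """Return the chain of linked file operations containing log_id, oldest first,
    or None when the selected record cannot be traced."""
    by_id = {log.log_id: log for log in logs}
    selected = by_id[log_id]
    if not can_trace(selected):
        return None
    ordered = sorted(logs, key=_key)
    chain = [selected]

    # Backward: the latest earlier file op whose destination is our source.
    cur = selected
    while cur.src is not None:
        prev = [l for l in ordered if can_trace(l) and l.dst == cur.src and _key(l) < _key(cur)]
        if not prev:
            break
        cur = prev[-1]
        chain.insert(0, cur)

    # Forward: the earliest later file op whose source is our destination.
    # (A real tracer may branch when a file is copied several times; this toy
    # follows only the first branch.)
    cur = selected
    while cur.dst is not None:
        nxt = [l for l in ordered if can_trace(l) and l.src == cur.dst and _key(l) > _key(cur)]
        if not nxt:
            break
        cur = nxt[0]
        chain.append(cur)
    return chain


def trace_ids(logs: List[OpLog], log_id: int) -> Optional[List[int]]:
    chain = trace(logs, log_id)
    return None if chain is None else [l.log_id for l in chain]


def endpoints(chain: List[OpLog]) -> Tuple[OpLog, OpLog]:
    """First and last operations of a chain, as shown in the trace dialog."""
    return chain[0], chain[-1]


def brought_out(chain: List[OpLog]) -> bool:
    """True when the last operation wrote the data to an assumed removable drive."""
    last = chain[-1]
    return last.dst is not None and last.dst.startswith(REMOVABLE_PREFIXES)


if __name__ == "__main__":
    chain = trace(SAMPLE_LOGS, 104)          # the rename in the middle of the chain
    first, last = endpoints(chain)
    print("first:", first.log_id, first.operation, first.dst)
    print("last: ", last.log_id, last.operation, last.dst)
    print("brought out to removable media:", brought_out(chain))
    print("print record traceable:", trace(SAMPLE_LOGS, 102) is not None)
```

Selecting the rename (record 104) reaches back to the creation of design.xlsx and forward to the copy onto E:, which is exactly the first/last pair the investigator compares; selecting the print record returns None, the analogue of a disabled Trace button.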

If the investigation finds that information may have leaked, ask the user who performed the suspicious operation about the circumstances, and then decide on the measures to take.