Hitachi

JP1 Version 13 JP1/IT Desktop Management 2 Overview and System Design Guide

2.10.1 Types of operation logs that can be collected

The table below shows the types of operation logs that can be collected in JP1/IT Desktop Management 2.

Tip

When you configure the settings in a security policy so that suspicious operations can be detected, whether an operation is a suspicious operation is judged based on operation logs. Only a part of operation log types related to suspicious operations are used for such a judgment. If you select Only operations that divulge information (recommended) in a policy for operation logs, you can collect only the operation logs related to suspicious operations.

Types of operation logs

Operation Type

Operation Type (Detail)

Description

Behavior when Only operations that divulge information (recommended) is selected in a policy for operation logs

Power ON/Shut Down/Log On/Log Off

Power ON

A user started the computer.

Y

Shut Down

A user shut down the computer.

Y

Log On

A user logged on to Windows.

Y

Log Off

A user logged off from Windows.

Y

Program Execution/Termination

Program Execution

A user started a program.

N

Program Termination

A user stopped a program.

N

File Operation/Print Operation

Copy file#1

A user copied a file.

C

Move file#1

A user moved a file.

C

Rename file#1

A user renamed a file.

C

Create file#1

A user created a file.

C

Delete file#1

A user deleted a file.

C

Web Access (Upload)#2

A user uploaded a file via a web browser.

C

Web Access (Download)#2

A user downloaded a file via a web browser.

C

FTP (Send File)#2

A user sent a file to an FTP server via a web browser.

C

FTP (Receive File)#2

A user received a file from an FTP server via a web browser.

C

Send Mail (Attachment File)#3

A user sent an email with attachment.

C

Receive Mail (Attachment File)#3

A user received an email with attachment.

C

Save Attached File#3

A user saved a file that was attached to a received email.

C

Print#4

A user submitted a print job.

N

Folder Operation#1

Copy folder

A user copied a folder.

N

Move folder

A user moved a folder.

N

Rename folder

A user renamed a folder.

N

Create folder

A user created a folder.

N

Delete folder

A user deleted a folder.

N

Device operation

Device connection

A user connected a device to the computer.

Y

Device disconnection

A user disconnected a device from the computer.

Y

Permitting device connection

A device connection was permitted when usable devices are set for prohibited operations.

Y

Web Access

Web Access#5

A user accessed a web service via a web browser.

N

Window Operation

Change active window

A user changed the active window.

N

Console Operation

Commands executed in Command Prompt

The command was executed at the command prompt.

N

Commands executed in PowerShell

The command was executed on PowerShell.

N

Executed batch files

The batch file was executed.

N

Executed PowerShell script files

PowerShell script file was executed.

N

Deterrence Log

Block Program Activation

Startup of a program was blocked (when prohibited software programs are set).

Y

Block Printing#4

Printing was blocked (when prohibited operations are set).

Y

Block Device Connections

Use of a device was blocked (when prohibited operations are set).

Y

Legend: Y: Collected. C: Collected when the conditions for determining that the operation is a suspicious file movement are satisfied. N: Not collected.

For details about the conditions for determining that an operation is a suspicious file movement, see 2.10.4 Conditions for determining whether a file is to be monitored for suspicious file movements.

#1

Operation logs can be collected only when the operations are performed using Windows Explorer.

Important

Operation logs cannot be collected when the operations are performed from the command prompt or in application programs.

#2

Operation logs can be collected only when Internet Explorer 9, 10, or 11 and Microsoft Edge (IE mode) is used.

Important

If you launch an application from Internet Explorer and Microsoft Edge (IE mode) and then perform an operation in the application that was launched, you will not be able to collect operation logs.

#3

Operation logs can be collected when one of the following email clients is used:

  • Microsoft Outlook 2002, 2003, 2007, 2010, 2013, 2016, and 2019

  • Windows Live Mail 2009, 2011, and 2012

#4

Operation logs can be collected when the following types of printers are used:

  • Local printers

  • Network shared printers

  • Virtual printers

Important

Operation logs cannot be collected for printers connected via the Internet. Also, if the File port is used on a local printer, operation logs for Block Printing cannot be collected. When a LAN Manager port is used, operation logs for Print and Block Printing cannot be collected.

#5

Operation logs can be collected only when using Internet Explorer 9, 10, or 11, Microsoft Edge, or Google Chrome.

Tip

For details about the items of the HIBUN operation logs when these logs are imported, see 2.10.8 Importing HIBUN logs into the management server.

Related Topics:

Organization of this subsection

(1) Information collected for each type of operation log

The following shows information collected for each type of operation log. For details about the information collected for individual information items, see Details about the information items to be collected. The following legend is used for the tables below:

Legend: Y: Collected. M: Might not be collected depending on the device or disk status. N: Not collected.

Power ON/Shut Down/Log On/Log Off

The following table shows the information items to be collected when Power ON/Shut Down/Log On/Log Off is the target operation type.

Operation Details

Information to be collected

Source

Operation Date/Time#

User Name

Power ON

Y

Y

N

Shut Down

Y

Y

N

Log On

Y

Y

Y

Log Off

Y

Y

Y

#: Operation Date/Time information includes Operation Date/Time (Browser), Operation Date/Time (Source), and Time Zone.

Program Execution/Termination

The table below shows the information items to be collected when Program Execution/Termination is the target operation type. Note that Source, Operation Date/Time (Browser), Operation Date/Time (Source), Time Zone, and User Name are collected for every operation.

Operation Details

Information to be collected

User Name

File Version#

File Name

Command Line

Program Execution

Y

Y

Y

Y

Program Termination

Y

Y

Y

Y

#: This item is collected only when the program (execution file) has a version number.

File Operation/Print Operation

The table below shows the information items to be collected when File Operation/Print Operation is the target operation type. Note that Source, Operation Date/Time (Browser), Operation Date/Time (Browser), Time Zone, and User Name are collected for every operation.

Operation Details

Information to be collected

File Created Date/Time

File Last Modified Date/Time

File size

Original File Drive Type / Original File Created Date/Time

Original File Name / Drive type

Destination File Name / Drive Type

Copy file

Y

Y

Y

Y

Y

Y

Move file

Y

Y

Y

Y

Y

Y

Rename file

Y

Y

Y

Y

Y

Y

Create file

Y

Y

Y

Y

Y

N

Delete file

Y #1

Y #1

Y #1

Y

Y

N

Web Access (Upload)

Y

Y

Y

Y

Y

Y

Web Access (Download)

Y

Y

Y

Y

Y

Y

FTP (Send File)

Y

Y

Y

Y

Y

Y

FTP (Receive File)

Y

Y

Y

Y

Y

Y

Send Mail (Attachment File)

Y

Y

Y

Y

Y

Y

Receive Mail (Attachment File)

N

N

N

Y

Y

Y

Save Attached File

Y

Y

Y

Y

Y

Y

Print#2

N

N

N

N

N

N

#1: It might not be possible to collect File Created Date/Time, File Last Modified Date/Time, or File Size information depending on how the file is deleted.

#2: Only Printer Name, Printed Document Name, and Printed Page Count can be collected.

Folder Operation

The table below shows the information items to be collected when Folder Operation is the target operation type. Note that Source, Operation Date/Time (Browser), Operation Date/Time (Source), Time Zone, and User Name are collected for every operation.

Operation Details

Information to be collected

Original File Name

Source File Drive Type

Destination File Name

Destination File Drive Type

Copy folder

Y

Y

Y

Y

Move folder

Y

Y

Y

Y

Rename folder

Y

Y

Y

Y

Create folder

Y

Y

N

N

Delete folder

Y

Y

N

N

Device connection or disconnection

The table below shows the information items to be collected when Device connection or disconnection is the target operation type. Some information might not be collected depending on the device. Note that Source, Operation Date/Time (Browser), Operation Date/Time (Source), Time Zone, and User Name are collected for every operation.

Operation Details

Information to be collected

Drive Type#1

Drive Name#2

Device Name

Serial #

Device Instance ID

Device Type#3

Device category

Device connection

Y

Y

Y

Y

Y

Y

Y

Device disconnection

M

M

M

M

M

M

M

Permitting device connection

Y

Y

Y

Y

Y

Y

Y

#1: Others is output in the case of a built-in FD drive, Bluetooth device, imaging device, or Windows portable device.

#2: Information cannot be collected in the case of a built-in FD drive, Bluetooth device, imaging device, or Windows portable device.

#3: Information can be collected only in the case of a USB device.

Web Access

The table below shows the information items to be collected when Web Access is the target operation type. Note that Source, Operation Date/Time (Browser), Operation Date/Time (Source), Time Zone, and User Name are collected for every operation.

Operation Details

Information to be collected

Web Page Title

URL

Web Access

Y

Y

Window Operation

The table below shows the information items to be collected when Window Operation is the target operation type. Note that Source, Operation Date/Time (Browser), Operation Date/Time (Source), Time Zone, and User Name are collected for every operation.

Operation Details

Information to be collected

Execute Account

File Version#

File Name

Window Title

Window Operation

Y

Y

Y

Y

#: This item is collected only when the execution file has a version number.

Console Operation

Console operation includes Commands executed in Command Prompt, Commands executed in PowerShell, Executed batch files, and Executed PowerShell script files. The tables below show information items to be collected when those are the target operations. Note that Source, Operation Date/Time (Browser), Operation Date/Time (Source), Time Zone, and User Name are collected for every operation.

Operation Details

Information to be collected

Execute Account

Command Line

Execution Results

Execution Script

Content of Execution Script

Commands executed in Command Prompt

Y

Y

Y

N

N

Commands executed in PowerShell

Y

Y

Y

N

N

Executed batch files

Y

N

N

Y

Y

Executed PowerShell script files

Y

N

N

Y

Y

Deterrence Log

Deterrence Log includes three types of operations: Block Program Activation, Block Printing, and Block Device Connections. The tables below show information items to be collected when those are the target operations. Note that Source, Operation Date/Time (Browser), Operation Date/Time (Source), Time Zone, and User Name are collected for every operation.

Block Program Activation

Operation Details

Information to be collected

Software Name

Software Version

User Name

File Version#

File Name

Block Program Activation

Y

Y

Y

Y

Y

#: This item is collected only when the execution file has a version number.

Block Printing

Operation Details

Information to be collected

Printer Name

Printed Document Name

Printed Page Count

Block Printing

Y

Y

N

Block Device Connections

Operation Details

Information to be collected

Drive Type#1

Drive Name#2

Device Name

Serial #

Device Instance ID

Device Type#3

Device category

Block Device Connections

Y

Y

Y

Y

Y

Y

Y

#1: Others is output in the case of a built-in FD drive, Bluetooth device, imaging device, or Windows portable device.

#2: Information cannot be collected in the case of a built-in FD drive, Bluetooth device, imaging device, or Windows portable device.

#3: Information can be collected only in the case of a USB device.

Details about the information items to be collected

The following table shows the details about the information items to be collected for operation logs.

Item

Description

Source

The fully qualified domain name (FQDN) of the computer on which operation logs were collected.

Display example: dmp530

Host ID

A unique ID to identify a computer in a system.

Operation Date/Time (Browser)

Date and time the operation was performed. The displayed value is converted to the local time of the computer on which operation logs are displayed.

Display example: 2011/10/01 22:00:01

Operation Date/Time (Source)

Date and time the operation was performed. The displayed value is converted to the local time of the computer on which operation logs were collected.

Display example: 2011/10/02 17:11:51

Operation Date/Time (UTC)

Date and time the operation was performed. The displayed value is the UTC time on which operation logs were collected.

Display example: 2011/10/02 08:11:51

Time Zone

Time zone of the computer on which the operation was performed. The difference with UTC is displayed. In the Log Details dialog box, this value is displayed in the Operation Date/Time (Source) item.

Display example: GMT+09:00

User Name

Account name of the user who was logged on to the source computer.

Display example: Hostname\user1

Execute Account

Account name of the user who executed the source program.

Display example: Hostname\user1

File Version

File version displayed on the Version tab of the Properties dialog box for the operation-target file.

Display example: 1.0.0.111

File Name

Name of the operation-target file including the file path.

Display example: C:\TEMP\game.exe

File Created Date/Time

Date and time the operation-target file was created.

Display example: 2011/10/01 22:00:01

File Last Modified Date/Time

Date and time the operation-target file was updated.

Display example: 2011/10/02 22:00:01

File Size

Size of the operation-target file.

Display example: 10.2KB

Original File Drive Type

When a suspicious file operation is detected, this item indicates where the original file was located.

  • Other

  • Local Disk

  • Network Drive

  • Removable Disk

  • CD-ROM

  • RAM Disk

  • Web

  • FTP

  • E-mail

Display example: RAM Disk

Original File Created Date/Time

Date and time the operation-target file was first detected after collection of operation logs started.

Display example: 2011/10/01 22:00:01.159

Source File Name

Full path to the source file (or folder), or URL of the website to which the file was uploaded or from which the file was received via FTP. For a network drive, the name is indicated in UNC format. If an email with attachment was received, this item indicates the email header. If an attached file was saved, this item indicates the attached file name without a path name.

Display example: \\dmp110\share

Source File Drive Type

Type of drive in which the source file was stored.

  • Other

  • Local Disk

  • Network Drive

  • Removable Disk

  • CD-ROM

  • RAM Disk

  • Web

  • FTP

  • E-mail

Display example: Local Disk

Destination File Name

Full path to the destination file (or folder), or URL of a website to which the file was uploaded or sent via FTP. For a network drive, the name is indicated in UNC format. If an email with attachment was sent, this item indicates the email header. If an email with attachment was received, this item indicates the attached file name without a path name.

Display example: c:\work\program

Destination File Drive Type

Type of the drive in which the destination file was stored.

  • Other

  • Local Disk

  • Network Drive

  • Removable Disk

  • CD-ROM

  • RAM Disk

  • Web

  • FTP

  • E-mail

Display example: Network Drive

Printer Name

Name of the printer used for printing.

Display example: printserver01

Printed Document Name

Name of the printed document.

Display example: FunctionalSpecification.doc

Printed Page Count

Total number of printed pages. This item is not displayed if it cannot be collected.

Display example: 5

Drive Type

Type of the drive connected to the computer. Information is displayed as a number.

  • Other

  • Local Disk

  • Network Drive

  • Removable Disk

  • CD-ROM

  • RAM Disk

  • Web

  • FTP

  • E-mail

Display example: Network Drive

Drive Name

Name of the drive connected to the computer. Indicated as A: to Z:.

Display example: G:

Device Name

Name of the connected device.

Display example: Hitachi USB xxxxx

Serial #

Serial number of the connected device.

Display example: 1234567890ABCD

Device Type

Type of connected device.

Display example: Disk Drive

Device category

Type to distinguish a device.

Display example: Built-in SD card

Device Instance ID

Device instance ID of the connected device.

Display example: USB\VID_xxxx&PID_xxxx\1234567890ABCD

Web Page Title

Title of the web page the user accessed.

Display example: Hitachi

URL

URL of the web page the user accessed.

Display example: http://www.hitachi.co.jp/

Window Title

Caption of the active window.

Display example: game

Software Name

Name of the software program for which startup was blocked. Displays the name of the blocked software program set in the security policy.

Display example: game

Software Version

Version of the software program for which startup was blocked. Displays the version of the blocked software program set in the security policy.

Display example: 5.1.2600.5512

Execution Account

The name of the account that execute the command prompt, PowerShell, or script files.

Command Line

On Starting/adding a program, the command line of the process is output.

For console actions, the command line that was executed at the command prompt or PowerShell is output.

Execution Results

This is the content output to the command prompt or PowerShell by the command

Execution Script

The absolute path of the executed script file. The sequential number of the script file to be split is added to the end in the format of "(Sequential number/Parameter)".

Content of Execution Script

The contents of the script file.

To Page Top

Copyright (C) 2023, 2024, Hitachi, Ltd.

Copyright (C) 2023, 2024, Hitachi Solutions, Ltd.