5 Replies Latest reply on Feb 1, 2016 5:52 AM by duberyy_wotsit

    AMC Reports - Which ones do you use?

    GaryMcAllister Employee
      Hi guys,

      We recently released some SQL Reporting Models on AppSense Exchange to help people who use SSRS to create their own custom reports.

      I'm now potentially looking at creating/re-creating/improving on some of the standard AMC reports by creating a set of reports that can be used with SQL Report Builder.

      So, which reports in the AMC do you use? Do you use them at all? If so, what are the most common ones that you see being used?

      Any feedback would be appreciated!

      Cheers,
        • 1. Re: AMC Reports - Which ones do you use?
          gregf SupportEmployee
          I've never used them.

          AMC reports that we run using SQL include:

          Application Manager
          • Event 9015 – Allowed Execution (aggregated)
          • Event 9015 – Allowed Execution (with endpoint)
          • Event 9015 – Most Recent Execution
          • Event 9023 – Self-Elevation
          • Event 9023 – Self-Elevation (Top 20 most-frequently elevated, last 28 days)
          • Event 9000 – Blocked Access (DLL/EXE, aggregated, last 60 days)
          • Event 9000 – Blocked Access (with detail)
          • Event 9013 – Network Access Blocked
          Enterprise Auditing Statistics
          • Total Events (last 7 days)
          • Total Events (last 24 hours, by group)
          • Total Events by ID (last 24 hours)
          • Number of Events vs. Machine Count vs. Enabled Event IDs
          • Number of Events by ID for a Specific Group (last 24 hours)
          Issues to Investigate
          • Agent Crashes (last 7 days)
          • Agent Crashes by Machine (last 28 days)
          • Failed Logon Actions (last 7 days)
          AMC Information
          • Config Revision History
          • Management Center View
          • Config Versions and MSI Product IDs (Package Versions)
          • Latest Config Assigned to Each Deployment Group
          • Deployment Group Info (inc. Installation Settings)
          • Machines by Oldest Poll Time

          As for Personalization:

          Most Useful
          • Users By Size
          • Apps By Size
          • Largest App Size by user/app
          • Paths Responsible for the Most Data
          Unused Profiles
          • Profiles Older than x Days, Including Size (SQLite – for PSExportViewer)
          • Application Profiles Older than x Days (SQL Server)
          Size of Data
          • Session Data By User
          • Total Data by Personalization Group
          • Total Data by Personalization Group and Application
          • Size Savings Based on File Type
          • Largest Average Cache by Application
          • Folder Paths Containing Data
          • Archives
          • Size of Every Archive
          User Activity
          • Most Recently Modified Application Profiles for Specific Application Groups
          • Users Who Haven’t Accessed Data in >60 Days
          • Unique user accounts accessing EMP data over last 28 days
          • Number of Files per Active User for a Specific Application Group
          Application Configuration
          • Applications Whitelisted by Standalone Executable
          • Non-standard Global Includes
          • Non-standard Global Excludes
          EM Browser Interface
          • All Audit Activity

          Here's example output of one of those AMC queries: Most recent execution, based on 9015:



          Here's example output of one of the EMP queries: Paths responsible for the most data:



          I'll e-mail you a copy of the docs we use to keep track of these queries.
          • 2. Re: AMC Reports - Which ones do you use?
            Landon Winburn Expert
            We use the self-elevation reports pretty heavily to identify what needs elevation. The idea there is when a user runs into an application that didn't work without admin rights they can self-elevate it. Once a week the admin would look at the reports and blacklist each executable from self-elevation and optionally add it as an elevated item so the user doesn't have to right click it any more. After a period of time the report should shrink to nothing at which point the admin can disable self-elevation. The report in the AMC is quite nice as it lists all the metadata associated with the executable as well as the standard stuff like user and computer.

            Landon.
            • 3. Re: AMC Reports - Which ones do you use?
              Landon Winburn Expert
              Application Activity is another good one if running in audit only mode. Again any of these reports need to return the full metadata so they can be used to build rules. Just returning the exe isn't of much use as you have to go find the exe to build a rule for it.

              Landon.
              • 4. Re: AMC Reports - Which ones do you use?
                Roger1 Apprentice
                I would love to see a thread throttling PM report for 9120 events.  9104/9105s are nice but don't give any information about the actual application/process pegging the CPU. To be able to present a neat report to management and say - "Here, I told you this <insert security software x> was hammering our PCs", would be nice.
                • 5. Re: AMC Reports - Which ones do you use?
                  duberyy_wotsit Apprentice
                  Is there a link to these reports?  I'd like to use these to report on execution denials.