Reports

The Reports section in the EPAS service is structured into three main categories:

  • Password Audit Reports: direct results of audit jobs. Reports of this type are typically composed of all the results from an audit job and contain recovered account information. Each password audit report is structured in three or four areas:

    • Executive Summary: summary information about the audit report, including report, job, target and profile metadata, report options, password audit statistics - strength level, length, character composition and reason distribution - and, if enabled, password policy information and group / OU selection criteria.
    • Executive Summary (PDF): all of the above information, statistics and selections, in a printable PDF format.
    • Historical Data: if previous reports exist for the same target, this view allows the EPAS operator to inspect, compare and generate statistics for the previous job runs; compared statistics include strength level, length, reason distribution, password policy information.
    • Historical Data (PDF): all of the above information, statistics and selections, in a printable PDF format.
    • Password Audit Report Data: this area contains detailed information about the recovered accounts: user names, full names, password recovery reasons, policy compliance, strength levels and additional information such as group / OU information for certain target types (Microsoft Windows Active Directory groups and OU / containers, RACF groups and flags). The information is also available as a raw CSV export, for external processing purposes.
    • Email Notification Status (optional): this area is specific to audit jobs which allow email notification of users - jobs for Microsoft Windows Active Directory and IBM Domino Lotus Notes target types, which have their user notification option enabled. The area contains status information about the email sending process: sent notifications, failed notifications and other miscellaneous data.
  • Aggregated Report Data: direct results of report aggregations, defined by aggregate queries (detailed in the section Aggregate Queries). Reports of this type are typically composed of all the results from one or more audit reports and contain recovered account information. Each aggregated report is structured in three main areas:

    • Executive Summary: summary information about the audit report, including report, job, target and profile metadata, report options, password audit statistics - strength level and reason distribution - and, if enabled, password policy information and group / OU selection criteria.
    • Executive Summary as PDF: all of the above information, statistics and selections, in a printable PDF format.
    • Password Audit Report Data: this area contains detailed information about the recovered accounts: report dates, job names, target names, user names, full names, password recovery reasons, policy compliance, strength levels and additional information such as group / OU information for certain target types (Microsoft Windows Active Directory groups and OU / containers, RACF groups and flags). The information is also available as a raw CSV export, for external processing purposes.
  • Password Reuse Reports: direct results of password reuse queries (detailed in the section Password Reuse Queries). Reports of this type are typically composed of all the reused passwords from one or more reports/targets. Each password reuse report is structured in three main areas:

    • Executive Summary: summary information about the password reuse report, including report or target metadata, query options and password reuse statistics (single and cross-system password reuses).
    • Executive Summary as PDF: all of the above information, statistics and selections, in a printable PDF format.
    • Password Reuse Report Data: this area contains detailed information about the reused passwords across the selection criteria (one or more reports/targets), with the usage count and account listing for each reused password. The information is also available as a raw CSV export, for external processing purposes.

Audit Reports Recovery Reasons

A CSV export function is available for every audit report, normal or aggregated. The CSV export contains valuable information about the recovered accounts: username, full name, description, other attributes such as last logon date (for specific system types) and the password recovery criteria, which include password strength and password recovery reasons. The table below explains the password recovery reasons:

| Recovery Reason | Description |
| --- | --- |
| EMPTY | The password is empty. |
| REVERSIBLE | The password is stored using reversible encryption or in a clear text format (not encrypted). |
| COMPROMISED | The password was found in the compromised credentials database. |
| INITIAL | The password was found in the initial or default passwords list. |
| KNOWN_INFO | The password was found in the known account information (complete user name, e-mail address, description, etc.). |
| SITE_INFO | The password was found in the site information (collected known accounts information, collected passwords). |
| KNOWN_INFO_SIM | The password was found by applying derivation rules to the known account information, or by applying hybrid rules to the known account information. |
| SITE_INFO_SIM | The password was found by applying derivation rules to the site information, or by applying hybrid rules to the site information. |
| WEAK_HASH | The password was found by brute forcing the weaker hashes and, if applicable, character case toggling. |
| DICTIONARY | The password was found in the chosen dictionary or dictionary list. |
| DICTIONARY_SIM | The password was found by applying derivation rules to the chosen dictionary or dictionary list, or by applying hybrid rules to the chosen dictionary or dictionary list. |
| BRUTE_FORCE_Q | The password was found by fast brute forcing short password candidates. |
| BRUTE_FORCE | The password was found by trying all possible combinations up to a given length. |
| AI | The password was found by leveraging artificial intelligence and machine learning models. |

CSV Export Column Headers

A CSV export function is available for every audit report, normal or aggregated. The CSV export contains valuable information about the recovered accounts: username, full name, description, other attributes such as last logon date (for specific system types) and the password recovery criteria, which include password strength and password recovery reasons. The table below explains some of the dynamic and / or special columns used in the CSV export:

| CSV Header | Description |
| --- | --- |
| description | For all other systems, the description column holds the user's comment or description. For RACF targets, the column holds the default group assigned to that particular username. |
| extra_text | Field used for general text information about the user, other than the full name, email or description. For RACF targets, the column holds the account owner. |
| email | Field used in Microsoft Active Directory targets and IBM Lotus Domino targets and stores the user email. |
| admin | Field used for systems which generically identify administrative accounts by certain flags: UNIX based systems, RACF, Windows Local Accounts built-in administrators. This field does not apply to Active Directory targets or systems which have a complex authorization system, and should not be taken as a selection criteria for auditing privileged users. |
| reason | The reason for the password recovery. For a detailed list of reasons, please refer to section Audit Report Recovery Reasons. |
| policy_ok | Field used to identify if the password complies with the password policy selected. The accepted values are 't' (true), 'f' (false), and '' (no policy selected). |
| pw_change_date | For systems that support this parameter, the column shows the last password change date. Currently, the supported systems are Microsoft Windows targets, Linux, BSD, Solaris and RACF targets. |
| last_logon_date | For systems that support this parameter, the column shows the last logon date. Currently, the supported systems are Microsoft Windows targets and RACF targets. |
| no_expiration | Field used to identify if the password for the particular user accounts is not set to expire - useful in identifying service accounts or non-policy compliant accounts. The accepted values are 't' (true), 'f' (false), and '' (no information available). Currently, the supported systems are Microsoft Windows targets and RACF targets. |
| spare_int_1 | Spare column used for: (1) Microsoft Windows Active Directory - the field holds a value of either 0 or 1, corresponding to whether the user has an LM hash value stored in the Active Directory database. (2) RACF - value which holds the flags of the user, obtained by binary AND operations. The current flag operators are: 1 = ADSP; 2 = SPECIAL; 4 = OPERATIONS; 8 = REVOKED; 16 = GRPACC; 32 = AUDITOR; 256 = PASSWORD PHRASE USER; 1024 = GROUP ADSP; 2048 = GROUP SPECIAL; 4096 = GROUP OPERATIONS; 8192 = GROUP REVOKED; 16384 = GROUP GRPACC; 32768 = GROUP AUDITOR; 65536 = RESTRICTED ACCESS; 131072 = READ-ONLY AUDITOR. |
| spare_int_2 | Spare column used for RACF targets, defining the password expiration time (in days) of the current user. |
| spare_int_3 | For Microsoft Active Directory targets, has the value of 0 if the account is able to logon, and the value of 1 if the account is disabled or locked. |
| spare_int_4 | For Microsoft Active Directory targets, has the value of 1 if the password hash was found in the compromised credentials database only as a hash, without recovering the clear text value, and the value of 0 in all other cases. |
| spare_big_1 | For Microsoft Active Directory targets, this column holds the UAC value of the account. This parameter is used for debugging or advanced purposes, and the documentation for this value is available in the Microsoft knowledge base. For Linux, BSD and Solaris, this column holds the uid value of the account. |
| spare_big_2 | For Linux, BSD and Solaris targets, this column holds the gid value of the account. |
| spare_chr_1 | For Microsoft Active Directory targets, has the value of the optional key attribute, if one is defined in the target configuration. For Microsoft SQL Mass targets, has the value of the instance name or port name attributes, if one is defined in the target configuration. For Microsoft SQL Single targets, has the value of the port name attribute. For Linux, BSD and Solaris targets, this column holds the shell value of the account. |
| spare_chr_2 | For database system accounts targets, including mass targets, has the value of the SID, name, instance, depending on the database type. For Microsoft Windows Active Directory accounts, has the value of the object expiry date. |
| spare_chr_3 | For Microsoft Windows Active Directory accounts, has the value of the object creation date. |
| spare_chr_4 | For Microsoft Windows Active Directory accounts, has the value of the object change date. |
| spare_chr_5 | Specifies the algorithm(s), comma separated, for the password hashes found for the respective user account. |
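
The raw CSV export can be post-processed outside EPAS. The following Python example, added here and not part of the EPAS product or its documentation, decodes the RACF flag bitmask in spare_int_1 and lists recovered accounts that hold SPECIAL, OPERATIONS or AUDITOR and are not REVOKED. The `username` column name, the comma delimiter and the choice of which flags count as privileged are assumptions; the sample rows are constructed.

```python
import csv
import io

# RACF flag values for spare_int_1, as listed in the table above.
RACF_FLAGS = {
    1: "ADSP", 2: "SPECIAL", 4: "OPERATIONS", 8: "REVOKED",
    16: "GRPACC", 32: "AUDITOR", 256: "PASSWORD PHRASE USER",
    1024: "GROUP ADSP", 2048: "GROUP SPECIAL", 4096: "GROUP OPERATIONS",
    8192: "GROUP REVOKED", 16384: "GROUP GRPACC", 32768: "GROUP AUDITOR",
    65536: "RESTRICTED ACCESS", 131072: "READ-ONLY AUDITOR",
}
PRIVILEGED = {"SPECIAL", "OPERATIONS", "AUDITOR"}  # assumption: triage choice
TRI_STATE = {"t": True, "f": False}  # '' (no information) maps to None


def decode_racf_flags(value):
    """Return (names of the flags set, bits not covered by the table)."""
    value = (value or "").strip()
    mask = int(value) if value else 0
    names = [name for bit, name in RACF_FLAGS.items() if mask & bit]
    return names, mask & ~sum(RACF_FLAGS)


def triage_racf_export(csv_text):
    """List recovered RACF accounts that are privileged and not revoked."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        flags, unknown = decode_racf_flags(row.get("spare_int_1"))
        if "REVOKED" in flags or not PRIVILEGED.intersection(flags):
            continue
        findings.append({
            "username": row["username"],  # assumed column name
            "reason": row["reason"],
            "flags": flags,
            "policy_ok": TRI_STATE.get(row["policy_ok"]),
            "never_expires": TRI_STATE.get(row["no_expiration"]),
            "unknown_bits": unknown,
        })
    return findings


# Constructed sample rows (not real export data); comma delimiter assumed.
SAMPLE = """username,reason,policy_ok,no_expiration,spare_int_1
OPER01,DICTIONARY,f,t,6
USER02,KNOWN_INFO_SIM,t,f,0
AUDIT3,INITIAL,,f,40
SYSADM,BRUTE_FORCE_Q,f,,2562
"""
```

A non-zero `unknown_bits` value means the export carries a flag bit that the table above does not list, so the decoded flag names for that row are incomplete.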