User Manual

ABG Computer Systems Ltd.

2 OREV User Manual

OREV User Manual

Introduction

The User Manual contains all essential information for the user to make full use of OREV system.
This manual includes a description of OREV system functions and capabilities, contingencies and
alternate modes of operation, and step-by-step procedures for system access and use.

Architecture
OREV proprietary data collection agents are placed at all network endpoints, continuously collecting
information on all events and operations at each and every endpoint.

Data collected by the Surveillance Technology agents throughout the network is encrypted and then
transmitted to the OREV Server where the data goes through a multi-level analysis to generate
intelligent insights about each endpoint and about the network as a whole.

Copyright © 1998 – 2018

3 OREV User Manual

Table of Contents
Introduction ............................................................................................................................................2
Architecture ............................................................................................................................................2
System overview ....................................................................................................................................4
Login .......................................................................................................................................................5
Entrance Menu .......................................................................................................................................6
Dashboard ..............................................................................................................................................7
Counter Tree.......................................................................................................................................8
Default Counters ............................................................................................................................9
Account Audit .............................................................................................................................. 10
Files and Media Activity............................................................................................................... 10
Network ....................................................................................................................................... 10
General Security .......................................................................................................................... 10
Software ...................................................................................................................................... 10
Hardware ..................................................................................................................................... 10
Special Web Activity .................................................................................................................... 10
Drill-Down........................................................................................................................................ 10
Prevention ................................................................................................................................... 11
Favorites .......................................................................................................................................... 12
Reports ................................................................................................................................................ 12
Report types .................................................................................................................................... 12
General Guidance for Reports ......................................................................................................... 13
Report Structure .......................................................................................................................... 13
Settings ................................................................................................................................................ 15
Units and Hosts............................................................................................................................ 16
Users ............................................................................................................................................ 16
Notifications ................................................................................................................................ 19
Support and Troubleshoot .................................................................................................................. 21
Troubleshoot ................................................................................................................................... 21
Contact Us ....................................................................................................................................... 22
Glossary ............................................................................................................................................... 23

Copyright © 1998 – 2018

4 OREV User Manual

System overview

General

OREV system employs a proprietary Surveillance Technology that includes an agent program,
distributed to all endpoints. The OREV agent monitors the endpoint and continuously collects
information about all events such as logins, new processes, sensitive file access, etc. Data collected
is encrypted and transferred to OREV Server, where the data is consolidated and analyzed.

Each event throughout the network goes through five levels of analysis – 2 at the endpoint itself,
and another 3 on the server:
LEVEL ONE - Instant detection of an event in real time as captured by the local endpoint agent
and defined by it.
LEVEL TWO - determining if the event is new or is a deviation from its profile, based on an
established profile of the specific endpoint and the Dynamic Rules Engine.
LEVEL THREE - determining if the specific event has been detected previously anywhere
throughout the organization's network.
LEVEL FOUR - correlating the event to any related or specific event throughout the network,
both concurrent and past ones. This analysis generate insights about event trends, understanding of
endpoint behavior, identification of security issues and potential risks, as well as forecasting future
threats.
LEVEL FIVE - Is the past and present cross-section of related events to the specific event being
analyzed, this is an all-encompassing analysis report of timing and events or related events that
occurred either now or in the past. This analysis enables management to create complex data filters
for efficient network monitoring, optimal security and best operational performance.
The following are examples of various types of event analysis:
1. First detection¹ of Software, Process, Driver, Service, USB, Hardware - The total amount of all
the elements detected for the first time all across the organization.
2. Malicious Processes Identification - derived from Malicious Processes Identification layer via
YARA rules and threat exchange information.
3. Sensitive Data Accessed- Shared/USB/Local - The total amount of shared files/USB/Local files
classified as sensitive and used by the operator of an endpoint.
4. New Remote IP/ New share session - The total amount of computers that attempted or
established a shared connection.
5. New Listener Detection - The total amount of endpoints with new listeners or new ports
opened.
6. Process Hash Changes - Total amount of processes that their hash changed.
7. Unconventional Working Hours - Total amount of active endpoints that are operating beyond
normal hours as defined in their profiles.

Copyright © 1998 – 2018

5 OREV User Manual

8. Lack of required software - The total amount of computers that not to have mandatory
Antivirus, Anti-Spyware, Firewall, Windows updates, etc. (according to corporate guidelines).

Login
To enter OREV System you must login.
OREV login screen consists of:

 USER – your username.

 Password – password for the username.
 Language – the desired language for OREV to be displayed in.
 Change Password – shows two more fields, to enter a new password and confirm it (old
password is still required).
 Login Button – continue with the login.
 Cancel Button – cancel the “Change Password” fields.

Copyright © 1998 – 2018

6 OREV User Manual

Entrance Menu
This is the first screen after the login.

Via this screen, you can quickly navigate to all the system sections.

 Dashboard – Base Dashboard – navigates to a basic dashboard with no added counters¹.

 Dashboard – Favorites – a list of saved favorite dashboards (if there are any).
 Report – navigates to the Reports section.
 Settings – navigates to the Settings section.
 - indicates that this favorite is set to system default (default can be changed in favorites
menu)

 Organization-Tree button - this will open the organization tree, selecting the desired
units and clicking apply will open the selected dashboard with the selected units.
 The checkbox “Don’t show this dialog again” – checking this will skip the Entrance menu
dialog in future logins, and navigate automatically to the favorite dashboard configured as

default. To re-enable the Entrance menu dialog, click the icon in the dashboard’s top
right corner and click “Restore Entrance Menu Dialog from next login”.

Copyright © 1998 – 2018

7 OREV User Manual

Dashboard
The dashboard is the main section of OREV, and is where all events data is presented in real-time.
An event will be shown in the followings:

1. On the counter¹ tree.

2. On counter¹ widgets in the main dashboard area.
3. In the notifications area.

Counters are graphical representation of events data over time, and they are sorted into categories.

Counters can be dragged from the counter-tree to the main dashboard area and organized as
desired to create a dashboard customized to your needs. Each counter¹ can be zoomed (dragging
the mouse over the timeline) and every event can be clicked.

Every counter has its default form (size, graph type, and more individual properties). Changing the

counter properties is available by hovering on the three dots icon on the corner of the counter.

Copyright © 1998 – 2018

8 OREV User Manual

The counter menu consists of the following (the counter menu might change from counter to
counter):

- remove the counter¹ from the main dashboard area.

- open the corresponding report for this counter¹ with overview of the last 12 hours of
data.

- open a submenu containing additional graph types for this counter¹ (area, bar, line,
and value).

NOTE: Value graph type is the smallest in size (takes less screen space) but does not offer
history, it will only show the current value.

- change the default timeline period shown in this graph.

Counter Tree
The counter¹ tree is located on the left side of the dashboard and contains all counters¹ sorted into
categories.

The Counter Tree has visual indicators of the current severity level¹, both on the category name and
on the counter name.

Main category indicators

Counter¹ indicators

Copyright © 1998 – 2018

9 OREV User Manual

The category indicators are based on the counter ones. For example, if a counter shows a red
severity level, its main category will show the same severity level as well.

NOTE: Each counter¹ has a tooltip (mouse hover) explaining what it represents.

The top buttons on the Counter Tree are:

- Minimize the Counter Tree to small icons representing the main categories and their severity
level¹.

- Change the organization units viewed in this dashboard. This will impact the entire
dashboard and events received. Unselected units will not be shown.

- Overall info button will open the default counters¹ menu. This allows enabling or disabling
the default counters¹.

Default Counters
 Recent Events - a summary counter, which represents the severity¹ for all events that
are occurring/occurred in the current dashboard layout. This counter is taking in
account only the currently dragged counters.
 Current events summary - a summary counter, which represents the severity¹ for all
events that are occurring in the whole dashboard and the counter tree. This counter
doesn’t have any history, and is only showing the current Time-Slice¹.
 Online/Offline Status – This counter¹ represents the current online/offline status for
machines and servers.
 Login – This counter¹ represents the currently logged-in users across the organization
(OS logins). It also contains a graph to visualize the login events.

Copyright © 1998 – 2018

10 OREV User Manual

Counter Tree Categories

Account Audit
Counters¹ related to user accounts, log on and off.

Files and Media Activity

Counters¹ related to removable media, mobile device, network access and activity, and
sensitive data access in USB, network and local disk.

NOTE: the definition of what is considered ‘sensitive’ is configurable in the OREV client.

Network
Counters¹ related to network adapters, network activity, and network connectivity.

General Security
Counters¹ related to OS security infrastructures like anti-virus and updates.

Software
Counters¹ related to software and software-related components, such as services, drivers,
DLLs, processes, scheduler tasks and autoruns.

Hardware
Counters¹ related to hardware and CPU performance.

Special Web Activity

Counters¹ related to web activities, such as webmail, social network sites, cloud storage and
general suspicious URLs.

Drill-Down
Each Counter¹ on the main dashboard area shows data about events that occur. Those events can
be clicked to drill down to view detailed information about the event and correlating information.

Copyright © 1998 – 2018

11 OREV User Manual

Clicking the event opens a new window, presenting all relevant information about this event.
In most cases, drill-down can show more detailed data by clicking the highlighted values, like
numbers, users, and processes etc.

Prevention
Prevention in OREV can be done in response to real-time and historical events occurring
across the dashboard.

Prevention in response to an event starts by drilling-down into the event. If Prevention

option is available, it will be marked with a prevention icon¹.
To perform prevention, right-click on the desired event (a row of unique data), which opens
the prevention window with all the prevention options.

Copyright © 1998 – 2018

12 OREV User Manual

There are item-related actions (USB, process etc.) and machine/user-related actions. Select
an option and press the ‘Execute Action’ button. The action will be sent immediately to the
designated machine/user.
There is a Prevention report in the report section that shows every action with all details
that was sent to execution.

Favorites
Once completing the configuration of the dashboard with the required counters¹, the dashboard can
be saved as a favorite. At time of logging in to OREV, you can select a saved favorites from the
Entrance menu.

To save a favorite click the icon in the dashboard’s toolbar, and click “add new
favorite”. When saving a favorite dashboard, a name must be provided. You can also select “Set As
Default” if you want this dashboard to be saved as the system’s default dashboard.

Reports
All data flowing across OREV is accessible via the reports. Those reports are sorted into sections and
categories with powerful filters capabilities so users can easily navigate to their desired data output.

Report types
The left toolbar consists of icons containing the different categories of reports., cClicking each icon
will open the corresponding report -tree, in most cases containing sub-categories.

Copyright © 1998 – 2018

13 OREV User Manual

General Guidance for Reports

OREV reports are using a sophisticated engine to output a wide variety of data types., tThe structure
of the reports is the same for all reports with minor changes from report to report.

The next section will provide information about searching, filtering and using the reports, reports
structure, search criteria, filters types and result table.

Report Structure
A report screen includes a heading, a search bar, a graph, and a results table.

Heading
The heading is the top section of the report screen.

Report heading contains:

 Report name\title
 Default search parameters or Favorites saved search parameters (some reports are
automatically executed when opened)
 Export to Excel
 Print
 Log out from System

Search Bar
The search bar section allows selecting search parameters, such as dates, machines, etc.

Search bar contains (from left to right):

 Saved Search queries

Reusing previously saved queries for this report. When selecting a saved query, the report
search parameters will change to the saved parameters.

‘All Results’ option will show the default parameters for the report.
 Report Saving – open the report saving menu:

Copyright © 1998 – 2018

14 OREV User Manual

o Query Name – input the desired Query Name.

o Dynamic Current Date – the query will be saved with date changing according to
the current date.
o Last ‘X’ days until current – the query will be saved with last ‘X’ days until the
current date.
o Date/Dynamic Date as selected - the query will be saved with the date as it was
when saved (will not change).

All other parameters like units and filters will be saved with the report as well.

 Add Filter – open the filters extension:

o Add Criteria – add fields to the filter, with the operator to use between the fields.
Once you select the fields, you can select the filter type (by clicking ‘Equals’) for
each field and input your text to filter at the text box.
o Add display fields – add and remove columns from the report.
 Group by – show a sub-menu to group the fields by. You can also drag fields up or down to
change the group-by order and combine them (not all fields can be combined).
 Free text box – general search box for searching within all columns (approximate search).
 Organization – filtering the search for specific machines/groups.
 Date/Date range – a few date filter types are available:
o Range – show all changes within the date range (changes between).
o Single date – show the last state received up until the selected date (state).
o Events of - show all events (data) in the selected time period. Date range and time
range are customizable.
Time range can be:
From Time to Time – use the selected time frame as from point to point. For
example, from date and time to date and time.
Time Window per day – use the selected time frame as fixed for every date
selected. For example, for every date within the date range search only from time
to time.
 Server and Client – filtering the different types of machines (toggle).
 Run – run button to run the query.

Copyright © 1998 – 2018

15 OREV User Manual

Graph
The graph shows a visual representation of the results. It is refreshed each time there is a change in
the results.

Graph contains:

 Aggregate function (top left) – determines how to aggregate the results in the graph. In the
screenshot above, Aggregate is set to Count.
 Resize button – enlarge or shrink the graph.
 Show/Hide button – show or hide the graph.

Result Table
The result table shows the output data for all selected parameters and filters. Columns in the result
table can be ordered as descending or ascending by clicking the column name.

You can further filter the result table by inputting a text at the blank textbox at the top of each
column.

Settings
The settings section allows creating and editing users and user levels, editing the organization tree
and editing and creating notification rules.

Use the left toolbar to navigate in the settings section.

Copyright © 1998 – 2018

16 OREV User Manual

Units and Hosts

The units and hosts section is where you can add, edit and remove organizational units, as well as
move and remove hosts.

Units & Hosts Left Toolbar

The left toolbar shows the layout of the current organization tree. You can navigate between the
organization units. Right-click on a unit opens a menu with the following options:
 Create a new unit on the same level as the currently selected unit.
 Create a new Sub-unit under the currently selected unit (current unit will become the father
unit).
 Rename this unit.
 Delete this unit. Note that a unit with hosts cannot be deleted. To delete it, first move the
hosts to a different unit.
 Move this unit.

NOTE: some of the actions are available only if the unit has no hosts.

Organizational Units & Hosts

This area of the window will show the hosts that are present in the selected unit.
To move or remove hosts, first check them with the checkbox and then select your desired action.
Selecting different units from the left organization tree will change the hosts table according to the
selected unit.

NOTE: selecting the top unit “Organizational Units & Hosts” will show all hosts across the entire
organization tree.

Users
The Users section is where you add, edit and delete users, as well as define grouping levels and
assign users to them.

Manage Levels

Managing levels is done via the left toolbar under “Manage Levels”. The user levels are the
following:

 Master Admin – Highest level, capable of any action and cannot be restricted.
 Prevention Admin – can only create Admins and Users. Cannot be restricted due to being a
prevention user.
 Admin – can only create lowest level users. Cannot use prevention. Can be restricted.
 User – lowest level user. Cannot use prevention. Restricted only to reports and dashboard
(no settings).

Copyright © 1998 – 2018

17 OREV User Manual

Adding/Editing a Level
To create a new level, right click on “Manage Levels” and click “Create a New Level”. This opens
the Add Level window.

Or use the Top toolbar

Select the desired level type.

Input a level name and select the desired restriction for this level (all counters, reports, and
settings in the system. Can also exclude a whole section like dashboard, report, etc.).

For example, if you want to create an admin level with no settings, create a new level under the
admin tree and do not check the settings from the modules tree for this level.
Now all admins assigned to this level will not be able to enter the settings.

NOTE: editing a user level is the same as creating a new one, and is accessible by right-clicking
the specific level and selecting Edit.

Copyright © 1998 – 2018

18 OREV User Manual

Managing Users
This is done by clicking the “Manage Users” in the left toolbar.
This will show all users as a list in the main Users window area.

Adding/Editing a User
To add a new user, click Add at the top toolbar. This opens the Add User window.

This window contains:

 Login Name – the login name used to log in with.

 First Name – user first name.
 Last Name – user last name.
 E-mail – user E-mail (will be used for notifications).
 Password – user password.
 Confirm Password – repeat the password.
 “User Must Change Password” option – selecting this will require the user to create
a new password at first login.
 Permission Level – select one of the created permission levels. This will impact the
user level.
 Manage Level Group – allow the user to manage all/different users:
o Let this User manage all users – this user can manage all users
(restricted only to levels below his level).
o Restrict this User to manage the groups – restrict the user to manage
all users assigned to the selected user level only (users below his user
level, and only users assigned to the selected level from the level tree)
 Organization Unit – restrict a user to specific parts of the organization tree (this will
also impact the user’s dashboard and reports).

Copyright © 1998 – 2018

19 OREV User Manual

 “Allow Global View” option – if the user is restricted to a part of the organization
tree, selecting this option will change all “First Detection¹” events for this user to
consider all the organization and not only the restricted organizational tree.
 Expire Date – a date on which this user will automatically expire and will not be able
to log in.

To edit an existing user, check the desired user from the list and click on edit at the top
toolbar.
This will open a window for editing the user, which is similar to the Add User window with
the following additional fields:

 Account Status – shows the status of this user and the last time the user details
were updated.
 Account Activity – deactivate or reactivate this user.

Notifications
The notifications section is where you add, edit and delete notification rules.

SMTP and Mail configuration

It is important to configure the email settings. Without it, the email notification will not work and no
email will be delivered.

To configure the email settings, click on the settings icon at the top of the notifications left
toolbar. Configure the SMTP server and the email address the notifications will be sent from.

Adding/Editing new Rule

Clicking add/edit opens a window with the following fields:

 Enabled – this toggle is to enable or disable this rule.

 Rule Name – rule name.
 Destination E-mail – the email address (or multiple email addresses) the notification will
be sent to. This field uses auto-complete.
 E-mail Subject – the E-mail subject for this notification (text).
 E-mail Body Header – the E-mail body (text).
 Rule Condition:
o Add Criteria – add a new criteria row (OR operator is used between rows).

Copyright © 1998 – 2018

20 OREV User Manual

o Counters - open a window with all counters. Select all required counters for this
notification.
You can add more criteria rows if you want different severity for different counters
(OR operator is used between counters).
o Severity – open a menu to select the desired event severity for the notifications.
“Info & up” notifies on all events, “warning & up” notifies only on warnings, and
critical notifies only on critical events.

To remove a row click the “minus” icon

 Frequency – determine the time interval in which notifications will be sent. For example, 30
minutes interval will accumulate all events that happen in a 30 minutes timeframe and send
them as one notification containing all events (per rule).

To add additional notification recipients outside of OREV system, click the ‘Add new mail’ icon .
This will open a window with emails of all OREV users and other (not OREV users) added email
addresses (OREV users cannot be removed from this menu).

To add a new email address or a group of contacts, click Add:

 new contact – open a form to enter details for the new contact. This is only an email
contact and not a system user.
 new contact group – open a form to enter the name of the group, contact name, and email
address. To add more members click the ‘+ Add member’ to add another row.

Dashboard Notifications
OREV users can view notifications they receive in the dashboard (in addition to email). Notifications

can be accessed in the dashboard via the bell icon . The number of unviewed notifications
is shown next to it.

Clicking the Bell icon will open the notification panel with all the notification received ordered in
categories.

Copyright © 1998 – 2018

21 OREV User Manual

To view a notification, click the expand icon and then click details
Viewing a notification reduces the total number of unviewed notifications left.
To mark all notifications as viewed, click ‘clear all’. You can clear all notifications under a specific
category by clicking ‘clear all’ next to the category.

Support and Troubleshoot

This section is to help maintain and troubleshoot problems around the system.

Troubleshoot
The troubleshooting section is to fix or diagnose basic problems that can occur in the
system.
Here you can find popular problems and how to fix them. In any case, you can contact the
OREV team for additional help.

Cannot reach the system via a browser

 Check that the internet information service (IIS) is running on OREV server.
 Ping/connection check to the server to see if you are not blocked (if so contact your
network admin).
 Check if the internet information service (IIS) fits OREV requirements (as in the
requirement document).

Copyright © 1998 – 2018

22 OREV User Manual

Visual distortion in the system

 Test with a different browser. OREV currently supports Chrome and Explorer).
 Check your screen resolution. OREV is best viewed in a resolution of 1920x1080.
 Check if the browser has zoom in/out active or if the browser text size configured
other than recommended by the browser.
 Clear the browser saved cookies.

A machine is not reporting to the server

 Check to see if OREV processes are running on the machine or if the OREV Agent
service is running.
 Try to ping from the machine to OREV server.
 Try to temporarily disable the firewall and check if it causes the problem.
 Try to reinstall the OREV client with the latest version on the machine. In some
cases, the server rejects old clients.

OREV System is not updated with new data

 Check if the OREV server service is running and all processes are running.
 Check the connection between the OREV server and SQL server and that SQL is
running properly.
 Check the OREV collector log for license status.
 Check in the OREV server logs if your license expired or reached the client limit.

A significate lack of data in the system

 Contact your application administrator. There might be a performance problem

with OREV/SQL server.

Contact Us
Please contact us for any problem or question at:

E-Mail: support@abgsystems.com
Office Number: +97239508055

Copyright © 1998 – 2018

23 OREV User Manual

Glossary
C
Counter
A screen object which visualizes specific events in real-time. Can be a value type or graph type.

F
First Detection (FD)
An event which indicates that it is the first time an object is detected in the entire organization
(object: process, port, software, driver, service and so on...).

M
Magnifier Glass
An overview feature. Clicking this icon will provide an overview of the relevant data.

P
Prevention Icon
This icon indicates that prevention options are available on this drill-down.

S
Severity Level
A predefined risk level for events, indicating the amount of risk each event has.
The higher the risk, the more it can potentially harm the organization.
Severity level can be info, warnings or critical.

T
Time-Slice
A predefined period of time., This time is how often the system will send collected data

Copyright © 1998 – 2018