The most important feature to look out for when you shortlist a network security forensic product is the ability to archive the raw records. This is a major factor when it comes to acts and laws: in a court of law, the original record has to be produced as proof, not the vendor's custom format.

The next one to look out for is the ability to create alerts, i.e. the ability to notify you whenever some criterion is met, e.g. "when there are 3 unsuccessful login attempts, mail me", or better still, "if there is a virus attack from the same host more than once, notify me". This reduces a lot of the manual intervention needed in keeping the network secure.

Moreover, the ability to schedule reports is a big plus. You don't have to check the reports daily. Once you have done the ground work of configuring some basic alerts and some scheduled reports, it should be a cakewalk from then on. All you need to do is check the information (alerts/reports) you get in your inbox. It is recommended that you configure reports on a weekly basis, so that it is never too late to react to a potential threat.

And finally, a comprehensive list of reports is a vital feature to look out for. Here is a list of reports that might come in handy for any enterprise:
Reports to expect from edge devices such as a firewall:
1. Live monitoring
2. Security reports
3. Virus reports
4. Attack reports
5. Traffic reports
6. Protocol usage reports
7. Web usage reports
8. Mail usage reports
9. FTP usage reports
10. Telnet usage reports
11. VPN reports
12. Inbound/Outbound traffic reports
13. Intranet reports
14. Internet reports
15. Trend reports
Reports to expect from compliance and internal monitoring (see compliance sub-heading for reports on compliance):
1. User Audit reports (successful/unsuccessful login attempts)
2. Audit policy changes (ex: change in privileges etc)
3. Password changes
4. Account Lockout
5. User account changes
6. IIS reports
7. DHCP reports
8. MSI reports (lists the products installed/uninstalled)
9. Group policy changes
10. RPC reports
11. DNS reports
12. Active directory reports
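The two alert criteria given in the introduction (3 unsuccessful login attempts; a virus attack from the same host more than once), together with the user-audit and virus report items above, amount to threshold rules evaluated over raw records. The following is an added example, not code from this page or from any analyzer product: the key=value log layout, the event names (LOGIN_FAILED, VIRUS_DETECTED), the 10-minute window and the sample lines are all constructed assumptions. Each raw line is kept alongside its parsed fields so that the notification cites the original record rather than a reformatted copy, in line with the archiving point made above.

```python
"""Threshold alerting over raw event records: an added example, not the page's
or any vendor's code. Log format, field names and thresholds are assumed."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re

# Constructed sample records in a syslog-like key=value layout. Not real data.
SAMPLE_LOG = """\
2024-03-01T08:00:01 host=ws-17 event=LOGIN_FAILED user=jsmith src=10.0.0.23
2024-03-01T08:00:09 host=ws-17 event=LOGIN_FAILED user=jsmith src=10.0.0.23
2024-03-01T08:00:15 host=ws-17 event=LOGIN_OK user=mlee src=10.0.0.40
2024-03-01T08:00:20 host=ws-17 event=LOGIN_FAILED user=jsmith src=10.0.0.23
2024-03-01T08:01:00 host=fw-1 event=VIRUS_DETECTED src=10.0.0.55 signature=Test.Sig.A
2024-03-01T08:02:30 host=fw-1 event=VIRUS_DETECTED src=10.0.0.61 signature=Test.Sig.B
2024-03-01T08:03:45 host=fw-1 event=VIRUS_DETECTED src=10.0.0.55 signature=Test.Sig.C
2024-03-01T09:30:00 host=ws-17 event=LOGIN_FAILED user=mlee src=10.0.0.40
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Split one raw line into a timestamp plus key=value fields.

    The untouched raw line travels with the parsed fields so that every
    alert can cite the original record rather than a reformatted copy.
    """
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = datetime.fromisoformat(ts)
    fields["raw"] = line
    return fields


@dataclass
class ThresholdRule:
    """Fire when `threshold` events of type `event` share the same `key` value
    within `window` (a sliding window over event timestamps)."""
    name: str
    event: str
    key: str               # field that identifies what is counted (user, src, ...)
    threshold: int
    window: timedelta = timedelta(minutes=10)   # assumed window, not from the page
    _seen: dict = field(default_factory=lambda: defaultdict(list))

    def feed(self, rec):
        """Return an alert dict if this record completes a threshold, else None."""
        if rec.get("event") != self.event or self.key not in rec:
            return None
        history = self._seen[rec[self.key]]
        history.append(rec)
        # Drop records that fell out of the window relative to this event.
        cutoff = rec["ts"] - self.window
        history[:] = [r for r in history if r["ts"] >= cutoff]
        # Fire when the in-window count reaches the threshold, not again while it grows.
        if len(history) == self.threshold:
            return {
                "rule": self.name,
                self.key: rec[self.key],
                "count": len(history),
                "evidence": [r["raw"] for r in history],
            }
        return None


def default_rules():
    # The two criteria the text gives as examples; thresholds and windows assumed.
    return [
        ThresholdRule("failed-logins", "LOGIN_FAILED", "user", threshold=3),
        ThresholdRule("repeat-virus-host", "VIRUS_DETECTED", "src", threshold=2),
    ]


def run_rules(log_text, rules):
    """Feed every non-empty line through every rule; collect the alerts that fire."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            alerts.extend(a for a in (rule.feed(rec) for rule in rules) if a)
    return alerts


def format_notification(alert):
    """Mail body: a one-line summary followed by the raw records as evidence."""
    key = next(k for k in alert if k not in ("rule", "count", "evidence"))
    head = f"[{alert['rule']}] {key}={alert[key]} hit {alert['count']} events"
    return "\n".join([head, *("  " + line for line in alert["evidence"])])


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOG, default_rules()):
        print(format_notification(alert))
        print()
```

Run as written, the sample produces two notifications: one for jsmith's three failed logins within 19 seconds and one for the second detection from 10.0.0.55; the single failure for mlee and the single detection from 10.0.0.61 stay below threshold. Because each alert carries the raw lines it was computed from, the mail body doubles as a pointer into the archived records that the text says must be producible as evidence.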
The gating factor for choosing a monitoring product is to cross-verify whether the devices you have in your network are supported by the vendor you choose. There are quite a number of products which address this market; you might want to search for "firewall analyzer" and "eventlog analyzer" in Google.