Generate reports about alerts and other activity

Deep Security Manager produces reports in PDF or RTF formats. Most of the reports have configurable parameters such as date range or reporting by computer group. Parameter options are disabled for reports to which they do not apply. You can set up a one-time report (see Set up a single report) or set up a schedule to run a report on a regular basis (see Set up a scheduled report ).

Set up a single report

  1. In the Deep Security Manager, go to the Events & Reports tab and then in the left pane, click Generate Reports > Single Report.
  2. In the Report list, select the type of report that you want to generate. Depending on which protection modules you are using, the following reports may be available:
    • Alert Report: List of the most common alerts.
    • Anti-Malware Report: List of the top 25 infected computers.
    • Attack Report: Summary table with analysis activity, divided by mode. See About attack reports.
    • AWS Metered Billing Report: Summary table of AWS Metered Billing consumption in hours per day by instance size.
    • Azure Metered Billing Report: Summary table of Azure Metered Billing consumption in hours per day by instance size.
    • Computer Report: Summary of each computer listed on the Computer tab.
    • DPI Rule Recommendation Report: Intrusion prevention rule recommendations. This report can be run for only one security policy or computer at a time.
    • Firewall Report: Record of firewall rule and stateful configuration activity.
    • Forensic Computer Audit Report: Configuration of an agent on a computer
    • Integrity Monitoring Baseline Report 1: Baseline of the computers at a particular time, showing Type, Key, and Fingerprinted Date.
    • Integrity Monitoring Detailed Change Report: Details about the changes detected
    • Integrity Monitoring Report: Summary of the changes detected.
    • Intrusion Prevention Report: Record of intrusion prevention rule activity.
    • Log Inspection Detailed Report: Details of log data that has been collected.
    • Log Inspection Report: Summary of log data that has been collected.
    • Recommendation Report: Record of recommendation scan activity.
    • Security Module Usage Cumulative Report: Current computer usage of protection modules, including a cumulative total and the total in blocks of 100.
    • Security Module Usage Report: Current computer usage of protection modules.
    • Summary Report: Consolidated summary of Deep Security activity.
    • Suspicious Application Activity Report: Information about suspected malicious activity.
    • System Event Report: Record of system (non-security) activity.
    • System Report: Overview of computers, contacts, and users.
    • Tenant Report: Overview of tenants.
    • User and Contact Report: Content and activity detail for users and contacts.
    • Web Reputation Report: List of computers with the most web reputation events.
  3. Select the Format for the report, either PDF or RTF. Note that the Security Module Usage Report and Security Module Usage Cumulative Report are exceptions and are always output as CSV files.
  4. You can also add an optional Classification to PDF or RTF reports: BLANK, TOP SECRET, SECRET, CONFIDENTIAL, FOR OFFICIAL USE ONLY, LAW ENFORCEMENT SENSITIVE (LES), LIMITED DISTRIBUTION, UNCLASSIFIED, INTERNAL USE ONLY, CUSTOM.
    If you specify CUSTOM, the Name field is displayed, allowing you to enter a custom string. For example, "Alert report classification".
  5. You can use the Tag Filter area to filter the report data using event tags (if you have selected a report that contains event data). Select All for all events, Untagged for only untagged events, or select Tag(s) and specify one or more tags to include only those events with your selected tags.
    If you apply multiple contradicting tags, the tags will counteract each other, rather than combine. For example, if you select User Signed In and User Signed Out, there will be no system events.
  1. You can use the Time Filter area to set a time filter for any period for which records exist. This is useful for security audits. The following are time filter options:
    • Last 24 Hours: Includes events from the past 24 hours, starting and ending at the top of the hour. For example, if you generate a report on December 5th at 10:14am, you will get a report for events that occurred between December 4th at 10:00am and December 5th at 10:00am.
    • Last 7 Days: Includes events from the past week. Weeks start and end at midnight (00:00). For example, if you generate a report on December 5th at 10:14am, you will get a report for events that occurred between November 28th at 0:00am and December 5th at 0:00am.
    • Previous Month: Includes events from the last full calendar month, starting and ending at midnight (00:00). For example, if you select this option on November 15, you will receive a report for events that occurred between midnight October 1 to midnight November 1.
    • Custom Range: Enables you to specify your own date and time range for the report. In the report, the start time may be changed to midnight if the start date is more than two days ago.
      Note that reports use data stored in counters. Counters are data aggregated periodically from Events. Counter data is aggregated on an hourly basis for the most recent three days. Data from the current hour is not included in reports. Data older than three days is stored in counters that are aggregated on a daily basis. For this reason, the time period covered by reports for the last three days can be specified at an hourly level of granularity, but beyond three days, the time period can only be specified on a daily level of granularity.
  2. In the Computer Filter area, select the computers whose data will be included in the report:
    • All Computers: Every computer in Deep Security Manager.
    • My Computers: If the signed in user has restricted access to computers based on their user role's rights settings, these are the computers to which the signed-in user has view access.
    • In Group: The computers in a Deep Security group.
    • Using Policy: The computers using a specific protection Policy.
    • Computer: A single computer.
      To generate a report on specific computers from multiple computer groups, create a user who has viewing rights only to the computers in question and then either create a scheduled task to regularly generate an All Computers report for that user or sign in as that user and run an All Computers report. The report includes only the computers to which that user has viewing rights.
  3. In the Encryption area, you can protect the report with the password of the currently signed in user or with a new password for this report only:
    • Disable Report Password: Report is not password protected.
    • Use Current User's Report Password: Use the current user's PDF report password. To view or modify the user's PDF report password, go to Administration > User Management > Users > Properties > Settings > Reports.
    • Use Custom Report Password: Create a one-time-only password for this report. The password does not have any complexity requirements.

Set up a scheduled report

Scheduled reports are scheduled tasks that periodically generate and distribute reports to any number of users and contacts.

To set up a scheduled report, follow these steps:

  1. On the Events & Reports tab, in the left pane, click Generate Reports > Scheduled Reports.
  2. Click New. The New Scheduled Task wizard opens. Most of the options are identical to those for single reports, with the exception of Time Filter:

  • Last [N] Hour(s): When [N] is less than 60, the start and end times will be at the top of the specified hour. When [N] is more than 60, hourly data is not available for the beginning of the time range, so the start time in the report will be changed to midnight (00:00) of the start day.
  • Last [N] Day(s): Includes data from midnight [N] days ago to midnight of the current day.
  • Last [N] Week(s): Includes events from the last [N] weeks, starting and ending at midnight (00:00).
  • Last [N] Month(s): Includes events from the last [N] full calendar month, starting and ending at midnight (00:00). For example, if you select "Last 1 Month(s)" on November 15, you will receive a report for events that occurred between midnight October 1 to midnight November 1.

Reports use data stored in counters. Counters are data aggregated periodically from events. Counter data is aggregated on an hourly basis for the most recent three days. Data from the current hour is not included in reports. Data older than three days is stored in counters that are aggregated on a daily basis. For this reason, the time period covered by reports for the last three days can be specified at an hourly level of granularity, but beyond three days, the time period can only be specified on a daily level of granularity.

For more information on scheduled tasks, see the Schedule Deep Security to perform tasks.

Footnotes:

1

Due to performance issues related to large amounts of baseline data, in the latest version of Deep Security Manager, it is not possible to access baseline data from the UI. For details, see Database performance issue due to lots of Integrity Monitoring baseline data.