Documentation for Security Event Manager

Run or schedule a SEM report

You can run a report on demand or schedule it. On-demand reports are generated when you need them. Scheduled reports run automatically based on a specific schedule you set up for each report.

All reports are sorted by DetectionTime in descending order, from the latest to the earliest events.

These reports are based on the custom and predefined queries in the Historical Events and Reports tab. When the report is no longer required, you can unschedule the report.

Use these reports as a starting point to create rules that respond to security events, monitor and protect specific systems and devices in your network, and create response actions for your network and system events.

After you run an on-demand report, you can:

  • Save the report as a PDF or CSV file.

  • Send the report as an email attachment.

    To minimize email errors regarding attachment size, configure the maximum email attachment size setting to notify you when a generated report exceeds the maximum attachment size set by your email provider.
  • Send the report to an external server using an SFTP connection.

Run an on-demand report

  1. Log in to the SEM Console.

  2. Click the Historical Events and Reports tab.

  3. In the left column, click the Queries tab.

  4. Maximize a query category and select a query for the report. For example, All Event Data Last Week.

    If you know the query name, you can enter the name in the Search field.

    After you select a query, the time picker in the toolbar adjusts to the query time range.

  5. In the query name, click the vertical ellipsis and select Generate report.

    You can also click the Options drop-down menu in the toolbar and click Generate report.
  6. In the Name field, enter a name for this report or accept the default name.

  7. In the Format field, select CSV or PDF for the report format.

  8. If you selected CSV, go to the next step.

    If you selected PDF, click the Group by drop-down menu and select an option.

    For example, Event Type.

  9. Click Generate.

    A message displays, stating the report progress.

    Do not close or leave the Historical Events and Reports tab while SEM generates the report.

    When the report is completed, the following message displays. The report is added to a ZIP file and downloaded to your system.

  10. Navigate to the downloaded ZIP file containing the report.

  11. Unzip the file using a file archive utility (such as 7-Zip).

  12. Double-click the file to open the report.
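
A CSV report produced by the steps above can be sanity-checked offline before it is forwarded or archived: the script below confirms the documented DetectionTime descending order, reports the time range covered, and counts the most frequent event types. This is an added example, not SolarWinds code; the EventType column name, the timestamp format, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample standing in for an unzipped CSV report. Only the
# DetectionTime field name comes from the documentation; the EventType
# column, the timestamp format and the rows themselves are assumptions.
SAMPLE_CSV = """DetectionTime,EventType
2024-05-06 14:03:11,UserLogonFailure
2024-05-06 13:58:40,UserLogon
2024-05-06 13:58:02,UserLogonFailure
2024-05-05 09:15:27,FileWrite
"""


def check_report(text, time_col="DetectionTime", type_col="EventType",
                 time_fmt="%Y-%m-%d %H:%M:%S", top_n=10):
    """Validate sort order and summarize event types in a CSV report."""
    rows = list(csv.DictReader(io.StringIO(text)))
    if not rows:
        raise ValueError("report contains no events")
    missing = {time_col, type_col} - set(rows[0])
    if missing:
        raise ValueError(f"missing columns: {sorted(missing)}")

    times = [datetime.strptime(r[time_col], time_fmt) for r in rows]
    # File line numbers (header is line 1) of rows that are newer than
    # the row above them, i.e. that break latest-to-earliest ordering.
    out_of_order = [i + 2 for i in range(1, len(times))
                    if times[i] > times[i - 1]]
    return {
        "events": len(rows),
        "earliest": min(times),
        "latest": max(times),
        "out_of_order_lines": out_of_order,
        "top_event_types": Counter(r[type_col] for r in rows).most_common(top_n),
    }


if __name__ == "__main__":
    for key, value in check_report(SAMPLE_CSV).items():
        print(f"{key}: {value}")
```

Pass the real column names and timestamp format from your own export through the keyword arguments; a non-empty out_of_order_lines list or an unexpectedly narrow time range suggests the file was edited, truncated, or generated from a different query than intended.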

About the PDF report

The PDF report groups the reports by Summary and Details. Click the Bookmarks icon to access all reports in the PDF file.

The Summary reports provide high-level information about the query events in graphical format.

The Detail reports provide in-depth information about the query events in table format. The events are grouped together based on the Group by option you select for your PDF report.

In the following example, the query event data is grouped by the event type. Click an event type to view a report for the selected event type.

If you do not select a Group by option, the query event data for event types is grouped together into one report. Click Details to review the report for all event types.

Below is an example of the Top 10 Event Types summary report included in the All Event Data Last Week query.

To return to the query used for your report, click the report name in the top left corner of the report. For example, All Event Data Last Week.

The SEM Console displays the Refine Results tab with a list of all event data associated with the query.

In the Refine Results tab, you can:

  • Click Export to export the report data to a CSV file.

    You can import this file into a Microsoft Excel spreadsheet.
  • Click More to switch to table view or hide the graph.

  • Click to view the event details and change the historical event limits in the Settings > Event Limits > Historical tab.

  • Use the Search field to filter the event list based on your search term. For example:

Schedule a report

Report schedules automatically email historical event reports to your stakeholders in daily, weekly, or monthly intervals. Use the reports to communicate network trends to your IT security and management personnel. This process can help you respond to network and system events in a timely manner.

  1. Create a list of all stakeholders who require performance or status reports on a daily, weekly, or monthly basis.

  2. Ensure that your SEM deployment is configured to generate and deliver reports to your stakeholders. See Set up the SEM reports for instructions.

  3. Log in to the SEM Console.

  4. Click the Historical Events and Reports tab.

  5. In the left column, click the Queries tab.

  6. Maximize a query category and select a query for the report.

    For example, maximize Predefined and select All Event Data Last Week.

    After you select a query, the time picker in the toolbar adjusts to the query time range.

  7. Click the vertical ellipsis and select Schedule report.

    You can also click the Options drop-down menu in the toolbar and click Schedule this query.
  8. Under Recurrence Pattern, select a daily, weekly, or monthly report schedule.

    For daily and custom date reports, select Daily and the date value in the drop-down menus.

    For example, every day...

    ...or every five days.

    For weekly reports, select Weekly and the weekly occurrence in the drop-down menus and checkboxes.

    For example, every week on Monday and Friday.

    For monthly reports, select Monthly, the monthly occurrence, and the day or days of the month.

    For example, every month on the 15th day of the month. Click Add day to add additional days to the schedule.

  9. Select an execution time for the report. Click Add time to add one or more execution times.

  10. Enter start and end dates for reporting events that occurred on the SEM Manager. The report will only show those events that occurred on the manager within this period.

  11. Select a file format for the attached report.

    For PDF reports, click Group by and select an option to group the report data. Otherwise, select None.

  12. Choose the report sharing method. You can share the report as an email attachment or to an external server using an SFTP connection.

    To send the report as an email attachment:

    1. Click the Sharing drop-down menu and select Email.

    2. Click the Recipients drop-down menu and select the targeted stakeholders who require this report. Click Add LDAP users to add these users as email recipients, if required.

    3. Verify that the email template is correct for your email recipients.

    To send the report to an external server using an SFTP connection:

    1. Click the Sharing drop-down menu and select SFTP.

    2. Click the SFTP configuration drop-down menu and select an SFTP connection to an external server.

      If a connection is not available, click Manage SFTP to set up a new SFTP connection.

    3. Select the checkbox to be notified by email that the report was generated and sent to the stakeholder(s).

  13. Click Schedule.

    A message displays in the console toolbar, stating that the report query is scheduled.

  14. Repeat step 7 through step 15 to schedule additional query reports.

Unschedule a report

  1. Log in to the SEM Console.

  2. Click the Historical Events and Reports tab.

  3. In the left column, click the Queries tab.

  4. Maximize a query category and select the query you scheduled for a report.

    For example, maximize Predefined and select All Event Data Last Week.

  5. Click the vertical ellipsis and select Unschedule.

    A message displays in the console toolbar, stating that the report is unscheduled.