Reporting: Use Variables for Parameterized Reporting

Document created by RSA Information Design and Development on Mar 23, 2017
Version 1

This topic provides information about using variables for reporting in the RSA Security Analytics Reporting module. Parameterized reporting allows you to specify values dynamically at runtime without changing the rule definition, so you can view the results based on a particular value. You achieve parameterized reporting by using variables in the query or rule. For information on adding a rule, see Define a Rule. At runtime, you can enter the value for the variable or select the value from a list, and the result set is displayed based on that value.

The syntax to specify the variable is as follows:

Description: Insert $ before a variable. Enclose a variable within braces.

Examples of Supported Syntax: columnname=${<variable>}

The syntax to define the variable is the same for NetWitness DB, IPDB and Warehouse DB data sources. When you assign the value of the variable in a Run Configuration, you must enclose the value within single quotes: '<value>'.

Some examples where a variable can be used are provided in this section.

View Source IP Addresses for a Specific Destination Country

The following is an example of a NetWitness DB rule to view the source and destination IP addresses for a specific destination country. Here the value for source country is defined as a variable ${local_Country}.

104_Dynamicvar_Netwitness.png

At runtime, you are prompted to enter the value for the variable. The figure below shows the local_Country variable where you can enter the value. If you enter the value as United States, all the source and destination IP addresses with destination country as United States are listed.

102DynamicVariableNWDBResults.png

You can use the above rule to schedule a report. For more information, see Schedule a Report. You can schedule two types of reports:

  • Report with Dynamic Variables
  • Iterative Report

Report with Dynamic Variables

Dynamic variables allow the user to specify the values for a variable defined in a rule while scheduling a report.

To schedule a report with dynamic variables:

  1. In the Security Analytics menu, click Administration > Reports.

    The Manage tab is displayed.

  2. Click Reports.

    The Report view is displayed.

  3. On the Build Report page, click to create a report.
  4. Add the rule which has the user defined variable from the Rules tab.
  5. Click Schedule.

    The Schedule Report view tab is displayed.

  6. To execute the reports as per the schedule, select the Enable checkbox.
  7. In the Schedule Name field, enter a name for the schedule report configuration.
  8. From the Data Source field, select the data source.

    Note: If the data source is not listed, ensure that you have Read permissions set for the data source. This applies to NWDB and Warehouse data sources. For more information, see Configure Data Source Permissions in the Reporting Engine Configuration Guide.

  9. (Optional) From the Warehouse Resource Pool drop-down, select the pools or queues available in the cluster to schedule the report to run on either the pool or queue. This drop-down is available only if you select a Warehouse DB report.

    Note: All the queues or pools you specified in the Explore page for the Reporting Engine are listed. If no pools or queues are configured in the Explore page, this drop-down is disabled and the jobs are submitted to the clusters without a queue or pool name.

    Note: If the pool or queue configured in the report schedule is removed from the Cluster, then in the Capacity Scheduler, the queue name remains undefined. However, in the Fair Scheduler, the specified pool name will be created using the property mapred.fairscheduler.allow.undeclared.pool.

  10. From the Time Zone drop-down, select a time zone to display all the time-related data in a report output in the specified format. This setting is configurable from the Reporting Engine Explore view (/com.rsa.soc.re/configuration/reportoutputformatterconfig/reportoutputformatterconfig).
  11. From the Run field, select the type of run schedule (for example, Now or Hourly). Depending on the type of run schedule, do one of the following:

    • If you select a Later or Monthly run schedule, you must provide a value for the day and time in the respective field provided.

    • If you select an Hourly run schedule, you must specify the minutes in the At Minute field.

    • If you select a Daily run schedule, you must enter a time value in the At field.

    • If you select a Weekly run schedule, you must enter a value in the At field and also select the week days.

    Note: While scheduling a report, if you select the Past option, the Range (specific/generic) option, or an end time range very close to the current time, you must ensure that the aggregate data in the data source is returned. If there is an aggregation delay in the data source, the end time you choose must account for the delay; otherwise, reports lose non-aggregate data for that time range.

  12. In the variables field, click .
  13. Do one of the following:

    • Enter the value for the variable, or
    • Choose the list value for the variable.

  14. Click Select.
  15. Click Schedule.

    The scheduled report executes as scheduled and provides the configured outputs.


View All Destination IP Addresses for a Source IP Address

The following is an example of a Warehouse rule to view all the destination IP addresses for a specific source IP. The source IP address ip_src is defined as a variable ${IP_Address}.

104_Dynamicvar_WarehouseDB.png

At runtime, you are prompted to enter the source IP address. The figure below shows the IP_Address variable, where you can enter a valid source IP address. All the destination IP addresses with the specified source IP are listed.

102DynamicVariableSAWResults.png

Associate a Variable to a List of Values

You can associate the variable to a list. For example, you can create a list called Local_Country and enter all the country names as values. You can select the list Local_Country as the value for the variable Local_Country. At Run Configuration, the Local_Country list is populated and you can select the country based on which results are displayed.

102DynamicVariableNWDBResultsList.png

IPDB Rule to View Device Details Based on the Device Name

The following is an example of an IPDB rule to view the details of a device based on the device name. In the event source specification, the device name is specified as a variable ${Device_Name}.

104_Dynamicvar_IPDB.png

At runtime, you are prompted to enter the device name Device_Name. The figure below shows the Device_Name variable and you can enter the event source specification, for example, NIC:ESIPDB:ESIPDB-ES:ciscopix:111.111.111.25. All the device details are displayed.

102DynamicVariableIPDBResults.png

Iterative Report

An iterative report generates a report for every value in the list.
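The ${<variable>} substitution, the single-quote rule for Run Configuration values, and the one-report-per-list-value behaviour of an iterative report, modelled in Python as an added example (this is not RSA code and does not reproduce the Reporting Engine's implementation). The `country.dst` column, the list contents, the function names and the rejection of values containing an embedded quote are assumptions made for the illustration.

```python
import re

# Placeholder syntax from the page: ${<variable>}
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")
# Run Configuration values must be enclosed in single quotes: '<value>'.
# Rejecting embedded quotes is an added hardening assumption, not product behaviour.
QUOTED = re.compile(r"'[^']*'")


def variables_in(rule):
    """Return the distinct variable names used in a rule, in order of appearance."""
    return list(dict.fromkeys(PLACEHOLDER.findall(rule)))


def resolve(rule, run_config):
    """Substitute every ${name} with its quoted Run Configuration value."""
    def substitute(match):
        name = match.group(1)
        if name not in run_config:
            raise KeyError(f"no value supplied for variable {name}")
        value = run_config[name]
        if not QUOTED.fullmatch(value):
            raise ValueError(f"value for {name} must be enclosed in single quotes")
        return value
    return PLACEHOLDER.sub(substitute, rule)


def iterate(rule, variable, list_values, fixed=None):
    """Iterative report: produce one resolved rule per value in the list."""
    fixed = fixed or {}
    return [resolve(rule, {**fixed, variable: f"'{v}'"}) for v in list_values]


# Constructed sample rule condition and list (not taken from the page's screenshots).
RULE = "country.dst=${local_Country}"
LOCAL_COUNTRY_LIST = ["United States", "Canada", "India"]

if __name__ == "__main__":
    print(variables_in(RULE))
    print(resolve(RULE, {"local_Country": "'United States'"}))
    for query in iterate(RULE, "local_Country", LOCAL_COUNTRY_LIST):
        print(query)
```
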

To schedule an iterative report:

  1. In the Security Analytics menu, click Administration > Reports.

    The Manage tab is displayed.

  2. Click Reports.

    The Report view is displayed.

  3. On the Build Report page, click to create a report.
  4. Add the rule which has the user defined variable from the Rules tab.
  5. Click Schedule.

    The Schedule Report view tab is displayed.

  6. To execute the reports as per the schedule, select the Enable checkbox.
  7. In the Schedule Name field, enter a name for the schedule report configuration.
  8. From the Data Source field, select the data source.

    Note: If the data source is not listed, ensure that you have Read permissions set for the data source. This applies to NWDB and Warehouse data sources. For more information, see Configure Data Source Permissions in the Reporting Engine Configuration Guide.

  9. (Optional) From the Warehouse Resource Pool drop-down, select the pools or queues available in the cluster to schedule the report to run on either the pool or queue. This drop-down is available only if you select a Warehouse DB report.

    Note: All the queues or pools you specified in the Explore page for the Reporting Engine are listed. If no pools or queues are configured in the Explore page, this drop-down is disabled and the jobs are submitted to the clusters without a queue or pool name.

    Note: If the pool or queue configured in the report schedule is removed from the Cluster, then in the Capacity Scheduler, the queue name remains undefined. However, in the Fair Scheduler, the specified pool name will be created using the property mapred.fairscheduler.allow.undeclared.pool.

  10. From the Time Zone drop-down, select a time zone to display all the time-related data in a report output in the specified format. This setting is configurable from the Reporting Engine Explore view (/com.rsa.soc.re/configuration/reportoutputformatterconfig/reportoutputformatterconfig).
  11. From the Run field, select the type of run schedule (for example, Now or Hourly). Depending on the type of run schedule, do one of the following:

    • If you select a Later or Monthly run schedule, you must provide a value for the day and time in the respective field provided.

    • If you select an Hourly run schedule, you must specify the minutes in the At Minute field.

    • If you select a Daily run schedule, you must enter a time value in the At field.

    • If you select a Weekly run schedule, you must enter a value in the At field and also select the week days.

    Note: While scheduling a report, if you select the Past option, the Range (specific/generic) option, or an end time range very close to the current time, you must ensure that the aggregate data in the data source is returned. If there is an aggregation delay in the data source, the end time you choose must account for the delay; otherwise, reports lose non-aggregate data for that time range.

  12. In the variables field, do the following:

    1. To run iterative reports, select the Iterative Report checkbox.

    2. To Iterate on List value, click .

      The List Selection Window opens.

    3. Choose a list and click Select.

      The list item selected gets added to the Iterate on List field.

    4. Select the variable on which the selected list value has to be applied.

  13. Click Schedule.

    The scheduled report executes as scheduled and provides the configured outputs.

The following figure shows the Iterative Report view.
