This guide describes the features and capabilities of the Reporting module in Security Analytics. The Reporting module pulls Security Analytics rules into a single view to define, schedule and view reports.
The Reporting module enables you to create, manage and view the following:
- Warehouse Analytics
Note: The Reporting Engine (RE) will automatically check for the available disk space before you execute a Rule, Report, Chart and Alert. If the RE disk space (in percentage) is less than the minimum disk space threshold (default value is 5), the RE will stop the current execution and an error message 'Available disk space of Reporting engine home is <5%, please clean up the space to proceed further' is displayed. Additionally, you may also configure the minimum disk space threshold by using the following path: RE>Explore>com.rsa.soc.re>Configuration>CommonConfig>minDiskSpaceThreshold.
You can navigate to different sections (labeled in the figure below) from the Reporting UI.
It uses the Tabbed UI approach where each of the tasks (create, edit, schedule, view) when clicked loads a new tab without having to open multiple windows for each of the different tasks. You can report and alert on the log and packet data collected, and customize the reports and charts to enhance the visual appearance. You can create real-time reports for historical data. You can create charts and dashlets, that can be added in the real-time chart dashlets as well.
The Reporting module relies on the Reporting Engine to provide data for the reports, alerts and charts. Hence, you must configure the Reporting Engine before you can generate the reports. You must also specify the data source in the Reporting Engine from which the data is extracted.
The following table points to the tasks that must be performed on the Reporting module, in the order you must perform them:
Note: Make sure you have access to the components in the Reporting module. See Add a Role and Assign Permissions for Reporting Module.
Define a Job. For details, see the Define a Warehouse Analytics Job in the Warehouse Analytics Guide.
The data that you can report or alert depends on the configuration of Reporting Engine and the data sources that you specify as part of the rule definition.
Note: Make sure you have access to the required data sources. Only privileged users with access to sensitive information have the permission to certain data sources. To manage access control to data sources, see the Add a Role and Assign Permissions for Warehouse Analytics topic in the Warehouse Analytics Guide. However, for the existing reports, alerts and charts, if the user role or permissions are modified for the data sources, then it is not applicable unless you manually update the permissions.
The Reporting Engine is a key component that provides data to the Reporting module. You must add the Reporting Engine as a service to Security Analytics before you generate reports or alerts. When you run the reports, the results are stored in Reporting Engine.
After you generate a report, you can perform the following:
- Send the reports by email to other users by configuring the output actions. You can also configure the output actions before generating a report.
- Download the reports as PDF or Comma-Separated Values (CSV) format files.
Once an alert is created, Security Analytics Incident Management collects this data from the Reporting Engine and displays these alerts on the Security Analytics User Interface.
Note: By default, this option is not enabled. If you want to enable this option, you must enable it from the Reporting Engine Config page.
Note: This module is accessible based on the role based access, defined for the user.